Case Study:

Center Parcs - Root Login

Nasstar deploys serverless technology to defend Center Parcs’ cloud estate

Center Parcs UK and Ireland offers short breaks for families at six forest locations. Each village is home to self-catering accommodation, the Subtropical Swimming Paradise, activities, restaurants, shops and more, all in a peaceful forest setting. 

For several years, Nasstar has supported Center Parcs by managing its AWS estate. This comprises several solutions that have been strategically deployed across multiple AWS accounts, allowing the organisation to optimise operations and deliver exceptional service to its customers.

Services

AWS CloudTrail

Amazon EventBridge

Amazon Kinesis Data Firehose

Amazon S3

AWS Glue

AWS Lambda

AWS Simple Email Service (SES)

AWS Simple Notification Service (SNS)

The Brief

In line with industry best practice, the use of root user capabilities within an AWS account should be limited to exceptional circumstances. The root user controls an entire AWS estate, including critical systems such as databases, servers, and applications. Therefore, any compromise of root user credentials can have serious consequences.

As part of ongoing consultancy and collaboration between Nasstar and Center Parcs, it was recognised that a comprehensive solution was required to enhance security measures. Specifically, it was determined that a monthly report should be generated to capture any instances where the organisation's AWS accounts were accessed through the root user via the web console. This report would not only record essential information like the precise date and time of each event but would also include a reference to the unique multi-factor authentication (MFA) device utilised by staff members during the access process.

To further enhance security, an immediate alert would be dispatched to Center Parcs' internal security team whenever a root login event occurred. This ensures quick intervention to address threats and protect the business' AWS environment.

The Benefits

This resilient and scalable solution has created a cost-effective way to handle root login events while meeting stringent security audit requirements.

Cost efficiency: Using its optimisation expertise, Nasstar selected the best components for a streamlined, cost-effective deployment. The serverless architecture ensures efficient resource use and maximises Center Parcs' investment.

Security: The root access solution has provided Center Parcs’ security team with greater visibility and control. They now have monthly reports which provide detailed insights into root user access across their entire AWS estate. 

With real-time notifications, Center Parcs can respond quickly to unexpected activity. This aligns with industry best practice by embracing zero-trust principles and safeguarding critical systems from unauthorised access.

Observability: To enhance observability and ensure the health of this solution, Nasstar deployed CloudWatch, an AWS monitoring tool. CloudWatch Alarms provide real-time visibility, and alerts notify support teams of unusual activity for quick investigation and response.

The Solution

Using serverless technology, Nasstar has crafted a robust solution that empowers Center Parcs’ security team. Nasstar implemented Amazon EventBridge, a real-time data change tracking service, across all AWS accounts within the Center Parcs estate. By integrating it with AWS CloudTrail, the tool now captures root login events as they unfold, making audits much easier.

To orchestrate the process, an EventBridge rule was devised to collect and dispatch events to a dedicated AWS account specifically designed for reporting and auditing. Leveraging a Custom EventBridge Bus, events are relayed from the source AWS accounts to the audit account. Another EventBridge rule then forwards messages to two targets.

The first target distributes the raw message via a Simple Notification Service (SNS) topic, delivering real-time notifications to the Center Parcs security team. This ensures awareness and immediate action when root login events occur. The second target routes the events to Amazon Kinesis Firehose, a service that captures and transforms large volumes of streaming data. These events are then stored within an S3 bucket. A Glue Crawler catalogues the metadata of each new event within the bucket so that the stored data can be queried with Amazon Athena.

At the start of each month, a CloudWatch event triggers a serverless Lambda function that queries Athena for the previous calendar month's data. Shortly afterwards, a second Lambda function receives the generated query results, converts them into a user-friendly report format and passes the report to Amazon Simple Email Service (SES) for distribution to the security team.
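As an added example (not Nasstar's or Center Parcs' own code) of the rule and the two consumers described above: a minimal EventBridge-style matcher for root ConsoleLogin events, followed by extraction of the date, time, outcome and MFA device reference that the SNS alert and the monthly report record. The event shape follows the CloudTrail ConsoleLogin record as EventBridge delivers it; the pattern and the sample events are constructed for this illustration.

```python
from datetime import datetime

# EventBridge-style pattern (assumed here, not Nasstar's actual rule) selecting root sign-ins to the web console.
ROOT_CONSOLE_LOGIN_PATTERN = {
    "detail-type": ["AWS Console Sign In via CloudTrail"],
    "detail": {"eventName": ["ConsoleLogin"], "userIdentity": {"type": ["Root"]}},
}

def matches_pattern(event: dict, pattern: dict) -> bool:
    """Minimal EventBridge matcher: nested dicts recurse, a list means 'one of these values'."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        if isinstance(expected, dict):
            if not isinstance(event[key], dict) or not matches_pattern(event[key], expected):
                return False
        elif event[key] not in expected:
            return False
    return True

def summarise_root_login(event: dict):
    """Return the fields the alert and monthly report need, or None if this is not a root console login."""
    if not matches_pattern(event, ROOT_CONSOLE_LOGIN_PATTERN):
        return None
    detail = event["detail"]
    extra = detail.get("additionalEventData", {})
    return {
        "time": datetime.strptime(detail["eventTime"], "%Y-%m-%dT%H:%M:%SZ"),
        "account": detail.get("recipientAccountId", event.get("account")),
        "outcome": detail.get("responseElements", {}).get("ConsoleLogin", "Unknown"),
        "mfa_used": extra.get("MFAUsed") == "Yes",
        "mfa_device": extra.get("MFAIdentifier"),  # the MFA device reference the report records
    }

# Constructed sample, shaped like an EventBridge delivery of a CloudTrail ConsoleLogin record.
SAMPLE_ROOT_LOGIN = {
    "detail-type": "AWS Console Sign In via CloudTrail",
    "account": "111122223333",
    "detail": {
        "eventTime": "2024-03-01T08:15:22Z",
        "eventName": "ConsoleLogin",
        "userIdentity": {"type": "Root", "accountId": "111122223333"},
        "recipientAccountId": "111122223333",
        "responseElements": {"ConsoleLogin": "Success"},
        "additionalEventData": {"MFAUsed": "Yes", "MFAIdentifier": "arn:aws:iam::111122223333:mfa/root-account-mfa-device"},
    },
}
# Same shape for an IAM user sign-in, which the root-only rule must ignore.
SAMPLE_IAM_LOGIN = {**SAMPLE_ROOT_LOGIN, "detail": {**SAMPLE_ROOT_LOGIN["detail"], "userIdentity": {"type": "IAMUser"}}}
```

The same summary dictionary can be serialised as the SNS message body and as the row written to S3 for the Athena-backed monthly report.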

Nasstar used CloudFormation to set up the needed AWS services. With version-controlled Infrastructure as Code (IaC), deployments are accurate, repeatable, and consistent.

We have gained unparalleled visibility into our AWS environment, allowing us to swiftly address potential security threats and demonstrate compliance with rigorous audit requirements, thanks to a comprehensive solution from Nasstar.

Center Parcs
UK and Ireland