What is AWS Cloud Workload Protection Platform (CWPP)?

This blog explains how to protect the AWS cloud with CWPP. We will discuss the essential components, strategies, and best practices for workload protection and how to secure the cloud with AWS CWPP.
By SentinelOne, September 12, 2024

The security of digital assets has never been more important, especially in today’s cloud-centric environment. Workload protection is the very foundation of cloud security and a staple of AWS CWPP (Cloud Workload Protection Platform). According to Cybersecurity Ventures, cybercrime damage will hit $10.5 trillion in 2025. Moreover, according to a recent report, 82% of all data breaches involve the human factor, including social attacks, errors, and misuse.

AWS CWPP acts as a defender of your AWS cloud infrastructure, covering everything from finding vulnerabilities to dealing efficiently with threats and threat actors. It takes steps to prevent incidents in the first place, so your cloud operations run smoothly and securely.

AWS CWPP provides a high level of security for cloud workloads and applications, built on AWS security tools and cloud-native infrastructure. It protects workloads properly without taking attention away from compliance tasks, which matter more and more as data protection requirements grow in number and complexity at both the federal and the corporate level.

This blog will discuss the AWS Cloud Workload Protection Platform, or CWPP, which helps secure cloud-based assets. The blog describes the platform’s architecture, components, approaches to network security, protection of containers and serverless applications, its data protection measures, access management, real-life use cases, monitoring, and logging, as well as implementation best practices. The solutions offer powerful tools that assist in keeping cloud infrastructure secure and protected.

Before we dive deep, it’s worth noting that there is no standalone product termed ‘CWPP’ with AWS; the notion references an integrated use of multiple AWS security solutions within AWS that protect cloud workloads, hence CWPP.

Core Architecture of AWS CWPP

AWS CWPP is a powerful and extensible framework that offers end-to-end protection in the AWS landscape. To understand AWS CWPP better, let’s take a closer look at its architecture.

Distributed Agent-Based System

AWS CWPP uses a distributed agent model to monitor and protect the resources you run in the AWS cloud. Agents are small software components deployed throughout your AWS infrastructure. They act as local watchdogs, collecting details about the state and activity of your resources and analyzing that local data for possible vulnerabilities. Because of this distributed design, malicious or evasive behavior is detected and responded to in real time, regardless of the size or complexity of the cloud environment.

Central Management Console

As the agents do their work across your infrastructure, their findings flow to a common point: the management console. This console is the brain of AWS CWPP. It is the single place where all agent data converges, giving you an integrated view of your security posture. You use the console to view alerts, investigate incidents, correlate behavior observed during an incident, and define organization-wide security policies.

Integration with AWS Services

CWPP integrates with other AWS services, which enables the sharing of prioritized threat data and coordinated responses for improved security. It includes built-in settings for working with AWS Identity and Access Management (IAM) permissions for fine-grained access control.

Data Flow and Processing Pipeline

At the core of AWS CWPP is its mature data flow and processing pipeline. Data is collected from different sources, such as the distributed agents, AWS service logs, and network traffic, and fed to CWPP’s processing engine. The engine analyzes the data using advanced algorithms and machine learning models in search of patterns, anomalies, or potential threats. The processed data then flows to various components of the CWPP: a portion goes to the central console for visualization and reporting, while other outputs may be set up to trigger automated responses and notifications. This pipeline ensures you always have the latest security data, driving your ability to make informed decisions and respond quickly to threats.

Key Components of AWS CWPP

The backbone of AWS CWPP is made up of the following four elements:

  • Amazon GuardDuty

GuardDuty is AWS CWPP’s ever-watchful security guard. It keeps an eye on all of your AWS accounts and workloads for any signs of malicious activity or unauthorized behavior, combining machine learning, anomaly detection, and integrated threat intelligence. It can flag, for example, an API call from a known malicious IP address, an attempt to transfer data out, or an instance communicating with a known command-and-control server.

  • AWS Security Hub

Security Hub provides a comprehensive view of your security state within AWS and integrates well with third-party tools. It collects data and processes it into insights that help uncover security concerns. It goes one step further and validates your environment against industry security standards and best practices. One of the biggest benefits of Security Hub is that it aggregates, organizes, and prioritizes findings in a standardized format.

  • Amazon Inspector

Amazon Inspector’s automated security assessments help with continuous monitoring and analysis of account-level behavior on AWS for possible malicious activity. It helps improve the security and compliance of applications deployed on AWS by automatically checking them against best practices and for exposure to vulnerabilities. There are two types of Inspector assessments:

  1. Network assessments scan the network accessibility of your EC2 instances and the security risks associated with it.
  2. Host assessments analyze vulnerabilities and misconfigurations within your EC2 instances.

  • AWS Config

AWS Config gives you a very broad look at the configuration of the AWS resources in your account: how resources relate to one another and how they were configured in the past. It monitors your AWS resource configurations and keeps a history, so you can compare the current state against the desired one. One of AWS Config’s greatest benefits is its ability to help you understand how changing a particular resource may affect other resources.

AWS CWPP Network Security Strategies

A crucial aspect of protecting the cloud is securing the network infrastructure, and AWS CWPP provides robust measures for this. The following services help ensure that the network is protected against attacks.

1. AWS Network Firewall integration

AWS Network Firewall lets you deploy a stateful firewall with built-in intrusion prevention. You can define policies at the level of source and destination IP, source and destination port, and protocol.

This level of control lets you implement defense-in-depth strategies. Alongside its other components, CWPP can use Network Firewall logs to improve threat detection.

2. Security Groups and Network ACLs

Security groups and network Access Control Lists (ACLs) are the cornerstones of AWS network security, and CWPP helps you manage both.

Security groups serve as virtual firewalls around Amazon EC2 instances, controlling inbound and outbound traffic at the instance level. Network ACLs act in a similar way, but at the subnet level.

3. VPC Flow Logs Analysis

VPC (Virtual Private Cloud) flow logs record metadata about the IP traffic passing through your VPC. Combined with CWPP, this data provides insight into network traffic patterns and potential security weaknesses.

With its advanced analytics, CWPP can detect anomalous traffic behavior that may indicate a security issue, such as unusual communication patterns, data exfiltration, or direct communication with malicious IP addresses. The information in the VPC flow logs is also useful for forensics during a postmortem analysis.
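The kind of flow-log analysis described above, reduced to three concrete signals a detection pipeline would look for: accepted traffic to a listed address, unusually large egress from one interface, and a burst of rejected connections from a single source. This is an added example, not SentinelOne’s or AWS’s code; the log lines follow the default VPC Flow Log record format, but the records, the "listed" address (a TEST-NET-3 placeholder), the VPC prefix, and the thresholds are all constructed for illustration.

```python
"""Toy VPC Flow Log analysis: parse default-format records and flag
listed destinations, large egress, and reject bursts.
Added example; all inputs below are constructed."""
from collections import defaultdict

# Field order of a default (version 2) VPC Flow Log record
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

# Constructed records: two normal web flows, one large transfer to the
# placeholder listed IP, and five rejected probes from one external source.
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d 10.0.1.25 10.0.2.40 43210 443 6 20 4800 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.2.40 10.0.1.25 443 43210 6 18 9200 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.25 203.0.113.9 51000 443 6 90000 120000000 1700000100 1700000700 ACCEPT OK
2 123456789012 eni-0f9e8d7c 198.51.100.7 10.0.1.25 40001 22 6 1 60 1700000200 1700000201 REJECT OK
2 123456789012 eni-0f9e8d7c 198.51.100.7 10.0.1.25 40002 23 6 1 60 1700000200 1700000201 REJECT OK
2 123456789012 eni-0f9e8d7c 198.51.100.7 10.0.1.25 40003 3389 6 1 60 1700000201 1700000202 REJECT OK
2 123456789012 eni-0f9e8d7c 198.51.100.7 10.0.1.25 40004 445 6 1 60 1700000201 1700000202 REJECT OK
2 123456789012 eni-0f9e8d7c 198.51.100.7 10.0.1.25 40005 8080 6 1 60 1700000202 1700000203 REJECT OK
"""

LISTED_IPS = {"203.0.113.9"}        # constructed stand-in for a threat-intel feed
VPC_CIDR_PREFIX = "10.0."           # constructed: addresses outside it count as external
EGRESS_BYTES_THRESHOLD = 50_000_000 # constructed threshold per (interface, destination)
REJECT_PORT_THRESHOLD = 5           # constructed: distinct ports rejected from one source


def parse_flow_log(text):
    """Turn default-format flow log lines into dicts with numeric fields."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue  # skip malformed lines rather than fail the whole batch
        rec = dict(zip(FIELDS, parts))
        for key in ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end"):
            rec[key] = int(rec[key])
        records.append(rec)
    return records


def analyze_flows(records):
    """Return findings as tuples, in the order they are detected."""
    findings = []
    egress = defaultdict(int)           # (interface_id, dstaddr) -> bytes sent out
    rejected_ports = defaultdict(set)   # srcaddr -> distinct ports it was rejected on
    for r in records:
        internal_src = r["srcaddr"].startswith(VPC_CIDR_PREFIX)
        external_dst = not r["dstaddr"].startswith(VPC_CIDR_PREFIX)
        if r["action"] == "ACCEPT" and r["dstaddr"] in LISTED_IPS:
            findings.append(("listed_destination", r["srcaddr"], r["dstaddr"]))
        if r["action"] == "ACCEPT" and internal_src and external_dst:
            egress[(r["interface_id"], r["dstaddr"])] += r["bytes"]
        if r["action"] == "REJECT":
            rejected_ports[r["srcaddr"]].add(r["dstport"])
    for (eni, dst), total in egress.items():
        if total >= EGRESS_BYTES_THRESHOLD:
            findings.append(("large_egress", eni, dst, total))
    for src, ports in rejected_ports.items():
        if len(ports) >= REJECT_PORT_THRESHOLD:
            findings.append(("reject_burst", src, len(ports)))
    return findings


if __name__ == "__main__":
    for f in analyze_flows(parse_flow_log(SAMPLE_LOG)):
        print(f)
```

In a real pipeline the thresholds would be learned per interface from a baseline rather than fixed, and the listed-IP set would come from a threat-intelligence feed; the structure of the checks stays the same.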

4. DDoS Protection Mechanisms

CWPP uses AWS Shield, AWS’s own DDoS protection service, for attack mitigation. With the AWS Shield Standard tier, which is already included, your resources are automatically protected from the most common network- and transport-layer DDoS attacks. For sophisticated attacks, the AWS Shield Advanced tier offers a more detailed DDoS response framework.

CWPP may also provide real-time DDoS threat alerts. It observes traffic data and notifies you of traffic spikes or other signals of possible DDoS attempts. CWPP can also work with AWS WAF to create customized security policies that protect your applications from the most common DDoS attacks.

Container and Serverless Protection with AWS CWPP

AWS Cloud Workload Protection (CWPP) provides complete protection for your container and serverless workloads, keeping modern applications secure. Some of the essential features in this domain are as follows:

ECR Image Scanning with Clair

Amazon ECR is a fully managed container registry used to store, manage, and deploy Docker images. AWS CWPP adds automated scanning of container images through ECR’s integration with Clair, an open-source vulnerability scanner.

Once you push an image to ECR, the image is scanned for known vulnerabilities in operating system packages, language dependencies, and so on. The results are available inside ECR and can be combined with the other CWPP components.

ECS and EKS Runtime Monitoring

AWS provides Amazon Elastic Container Service (ECS) and Amazon Elastic Kubernetes Service (EKS) for container orchestration. In ECS, CWPP works with the AWS Fargate agent to observe the behavior of running containers. It reports suspicious processes, unusual network connections, and potential privilege escalation.

For EKS, CWPP runs as a DaemonSet, ensuring that each node in your Kubernetes cluster is monitored. It provides insight into how containers communicate with each other and can detect policy violations or security threats such as unauthorized access to the Kubernetes API server and cryptocurrency mining.

Fargate-Specific Security Controls

AWS Fargate is a serverless compute engine for containers that works with both ECS and EKS. CWPP provides a set of security controls designed specifically for it. CWPP inspects your Fargate task definitions and warns you about overly permissive IAM roles or open ports, and it verifies your policy by examining the network settings of each Fargate task. One significant capability is its ability to maintain runtime rules dedicated to your Fargate workloads.

Lambda Function Security

AWS Lambda is the leading product in serverless computing, so it makes sense to take a holistic approach to securing your Lambda functions with CWPP. CWPP can find vulnerabilities and misconfigurations in your Lambda function code and configuration. This involves static code analysis and looking for hardcoded secrets, permissive IAM roles, and known vulnerabilities in function dependencies.

AWS CWPP Data Protection Strategies

Let’s discuss some of the data protection strategies that come along with AWS CWPP.

#1. KMS Integration For Encryption

AWS Key Management Service (KMS) is at the core of data protection in AWS, and CWPP integrates closely with KMS to provide encryption capabilities. The platform uses KMS to manage the encryption keys for various AWS services.

It tracks how each key is used and flags unusual usage patterns, which can indicate that a key has been copied and fallen into the wrong hands. The platform also ensures you use KMS as it is meant to be used.

#2. S3 Bucket Policy Analysis

Amazon S3 object storage is a highly popular AWS service, and securing your S3 buckets against data loss is essential. CWPP continuously audits your S3 bucket policies for misconfigurations and alerts you when a bucket is publicly accessible with read or write permissions.
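A static version of the bucket-policy audit just described, as an added example that is not SentinelOne’s or AWS’s code: it parses a policy document and reports every `Allow` statement that grants read or write actions to a wildcard principal with no `Condition`. Both policies are constructed samples (the bucket name, account ID, role and VPC endpoint ID are placeholders); the first is open to everyone, the second grants the same actions to one role and limits the anonymous read to a specific VPC endpoint.

```python
"""Static S3 bucket policy check for public read/write grants.
Added example; the policies are constructed samples."""
import fnmatch
import json

READ_ACTIONS = ("s3:GetObject", "s3:GetObjectVersion", "s3:ListBucket")
WRITE_ACTIONS = ("s3:PutObject", "s3:DeleteObject", "s3:PutBucketPolicy")

# Constructed: wildcard principal, wildcard read action, write action, no condition
OPEN_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "Open",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:Get*", "s3:PutObject"],
        "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
    }],
})

# Constructed: same intent, scoped to one role plus a VPC-endpoint-only read
SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AppRole", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-role"},
         "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "VpceOnly", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-bucket/*",
         "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}},
    ],
})


def _as_list(value):
    """Policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _is_wildcard_principal(principal):
    """Both "*" and {"AWS": "*"} mean anonymous / everyone."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(p == "*" for p in _as_list(principal.get("AWS", [])))
    return False


def _granted(actions, wanted):
    """Which of the 'wanted' actions do the statement's action patterns cover?
    IAM action names are case-insensitive and use '*' as a glob."""
    return [w for w in wanted
            if any(fnmatch.fnmatchcase(w.lower(), a.lower()) for a in actions)]


def find_public_grants(policy_json):
    """Return (Sid, 'read'|'write', [covered actions]) for each unconditioned
    Allow statement that applies to a wildcard principal."""
    findings = []
    policy = json.loads(policy_json)
    for st in _as_list(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        if not _is_wildcard_principal(st.get("Principal")):
            continue
        if st.get("Condition"):
            # A conditioned wildcard grant (e.g. aws:SourceVpce) is not open to
            # the internet; it still deserves a manual look but is not flagged here.
            continue
        actions = _as_list(st.get("Action", []))
        reads = _granted(actions, READ_ACTIONS)
        writes = _granted(actions, WRITE_ACTIONS)
        sid = st.get("Sid", "<no Sid>")
        if reads:
            findings.append((sid, "read", reads))
        if writes:
            findings.append((sid, "write", writes))
    return findings


if __name__ == "__main__":
    print("open:  ", find_public_grants(OPEN_POLICY))
    print("scoped:", find_public_grants(SCOPED_POLICY))
```

This check only reads the bucket policy; in a real audit it sits beside the bucket’s Block Public Access settings and ACLs, because any one of the three can open a bucket that the others close.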

#3. DynamoDB Encryption and Monitoring

CWPP also protects Amazon DynamoDB. It scans all your DynamoDB tables to ensure they are encrypted at rest, tracks how they are accessed, and suggests best practices where a security risk is found. The encryption settings are checked against your security policies and industry best practices.

#4. Data Access Pattern Analysis

AWS CWPP gives you a more holistic analysis of data access patterns across your AWS environment. This visibility lets you notice application-level security risks across all services rather than just one.

CWPP goes through the access logs of different AWS services and uses them to build a picture of what typical data access looks like in your environment. It relies on machine learning algorithms to spot odd behavior in these patterns.

AWS CWPP Approach to Access Management

Access management is central to cloud security, and AWS CWPP best practices ensure that only the correct people and processes access your resources. Let’s explore the main pillars of CWPP’s access management strategy.

  • IAM Role and Policy Management

AWS Identity and Access Management (IAM) is the bedrock of access control in AWS, and CWPP builds on it. The platform continuously audits IAM roles and policies for over-permissive settings or violations of best practices. It also tracks IAM policy changes over time and warns you about sudden increases in permitted actions, especially on sensitive resources. This makes it possible to identify and investigate inappropriate or dangerous changes in your access controls that might otherwise escape detection.

  • Access Analyzer Functionality

AWS IAM Access Analyzer is a standalone tool that identifies resources in your organization that are shared with outside entities. CWPP ties Access Analyzer’s findings into a broader security context by correlating potential external access with other security events, making it easier to spot and respond to potential security incidents.

  • Temporary Credential Management

Temporary security credentials are a prominent AWS feature, offering fine-grained access control. CWPP monitors temporary credential usage across your entire AWS environment and can show you when such credentials are being used in ways or places you wouldn’t expect, which warrants further investigation. It also helps you maintain tight security standards.

  • Principle of Least Privilege Enforcement

CWPP gives you a means to apply the principle of least privilege, a fundamental security concept, across your AWS environment.

CWPP continuously checks the permissions granted to users, roles, and resources against their actual usage patterns. This identifies over-permissioned identities and lets you lock those permissions down, limiting your attack surface.
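The usage-based comparison described above, as an added example (not SentinelOne’s or AWS’s code): a role’s allowed actions are matched against the actions CloudTrail shows that role actually calling, so that unused grants can be removed and wildcard grants narrowed to what is really exercised. The role ARN, policy and records are constructed; the records use the `userIdentity.sessionContext.sessionIssuer` shape CloudTrail writes for assumed-role sessions. Mapping an `eventSource`/`eventName` pair to `service:Action` is a simplifying assumption here, since most, but not all, API calls map one-to-one onto IAM actions.

```python
"""Least-privilege report: allowed IAM actions vs. actions observed in
CloudTrail for one role. Added example; all inputs are constructed."""
import fnmatch

ROLE_ARN = "arn:aws:iam::123456789012:role/app-role"  # constructed

# Constructed role policy: one wildcard grant and four explicit ones
ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:*", "dynamodb:GetItem", "dynamodb:PutItem",
                   "kms:Decrypt", "iam:PassRole"],
        "Resource": "*",
    }],
}


def _event(source, name, issuer_arn):
    """Minimal CloudTrail record for a call made from an assumed-role session."""
    return {"eventSource": source, "eventName": name,
            "userIdentity": {"type": "AssumedRole",
                             "sessionContext": {"sessionIssuer": {"arn": issuer_arn}}}}


# Constructed observation window: app-role reads/writes S3, reads DynamoDB,
# decrypts with KMS; a different role's call is present and must be ignored.
EVENTS = [
    _event("s3.amazonaws.com", "GetObject", ROLE_ARN),
    _event("s3.amazonaws.com", "PutObject", ROLE_ARN),
    _event("s3.amazonaws.com", "GetObject", ROLE_ARN),
    _event("dynamodb.amazonaws.com", "GetItem", ROLE_ARN),
    _event("kms.amazonaws.com", "Decrypt", ROLE_ARN),
    _event("ec2.amazonaws.com", "DescribeInstances",
           "arn:aws:iam::123456789012:role/other-role"),
]


def event_to_action(event):
    """'s3.amazonaws.com' + 'GetObject' -> 's3:GetObject' (simplifying assumption)."""
    service = event["eventSource"].split(".")[0]
    return f"{service}:{event['eventName']}"


def used_actions(events, role_arn):
    """Distinct actions called from sessions issued by the given role."""
    issued_by_role = (
        e for e in events
        if e["userIdentity"].get("sessionContext", {})
                            .get("sessionIssuer", {}).get("arn") == role_arn
    )
    return sorted({event_to_action(e) for e in issued_by_role})


def least_privilege_report(policy, events, role_arn):
    """Return which allowed patterns were never used and which wildcard
    patterns could be replaced by the exact actions observed."""
    used = used_actions(events, role_arn)
    allowed = [a for st in policy["Statement"] if st["Effect"] == "Allow"
               for a in (st["Action"] if isinstance(st["Action"], list) else [st["Action"]])]
    unused, tighten = [], {}
    for pattern in allowed:
        # IAM action matching is case-insensitive with '*' as a glob
        matches = [u for u in used if fnmatch.fnmatchcase(u.lower(), pattern.lower())]
        if not matches:
            unused.append(pattern)
        elif "*" in pattern:
            tighten[pattern] = matches
    return {"used": used, "unused": unused, "tighten": tighten}


if __name__ == "__main__":
    print(least_privilege_report(ROLE_POLICY, EVENTS, ROLE_ARN))
```

Two caveats a practitioner would keep in mind: object-level S3 calls such as `GetObject` only appear in CloudTrail when data events are enabled for the bucket, and an action that is "unused" over a short window may simply not have been exercised yet (a monthly job, a disaster-recovery path), so the report is a starting point for review rather than an automatic removal list.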

AWS CWPP Real-World Use Cases

For you to understand the power and applicability of AWS CWPP, let’s discuss a few real-world use cases of AWS CWPP.

  1. Financial Services Compliance: Suppose a large bank uses AWS CWPP to maintain compliance with strict financial regulations. CWPP’s continuous monitoring and automated compliance checks ensure that all customer data is encrypted, access controls are properly implemented, and configuration changes are immediately flagged for review.
  2. E-commerce Platform Security: In an e-commerce business, the security team can use CWPP on its containerized, elastic infrastructure. The platform scans production containers to ensure each deployment is free from critical vulnerabilities, and continuous network monitoring drives rules that respond automatically to DDoS attacks as soon as they begin.
  3. Multi-cloud Enterprise Security: A large enterprise with a multi-cloud strategy gets consolidated security from CWPP across AWS and on-premises. The single-pane-of-glass management console lets it monitor security throughout its hybrid infrastructure.
  4. Media and Entertainment Industry Security: With the rapid growth of streaming services, these platforms have become targets of attacks on their content and their customers. CWPP has therefore become a valuable asset in protecting user data and content, guarding the streaming platform against the hacking and piracy that threaten the business.
  5. Education Sector Data Protection: Data breaches in schools result not only in safety concerns but also in financial and reputational penalties. A vast university system with multiple campuses and tens of thousands of students can use AWS CWPP to comply with FERPA and protect its student and research data.

Monitoring and Logging with AWS CWPP

AWS CWPP extends AWS native monitoring and logging capabilities to provide visibility into activity across the entire infrastructure. Let’s explore how CWPP uses these tools.

CloudWatch Integration

CWPP monitors your AWS environment by layering its own monitoring on top of Amazon CloudWatch. It uses the CloudWatch APIs to collect metrics from your AWS resources and configures custom security metrics for events such as failed logins, invocation of a sensitive API, or abnormal network traffic. CloudWatch Alarms notify you of possible security issues; they may be static threshold-based alarms or alarms driven by anomaly detection algorithms.

CloudTrail for Audit Logging

AWS CloudTrail provides a record of actions performed by a user, role, or AWS service. CWPP integrates deeply with CloudTrail to enable comprehensive audit logging, ensuring that CloudTrail is enabled in all regions of your AWS accounts and that log file validation is turned on.

Ensuring the integrity of the audit logs is critical for forensic investigations and compliance. The platform constantly monitors the CloudTrail logs for suspicious activity, such as unauthorized API calls, changes to security group rules, or changes to IAM policies.

Best Practices for AWS CWPP Implementation

Some of the best practices that should be followed for AWS CWPP implementation are as follows:

1. Implement least-privilege access

Analyze IAM roles and policies with the help of CWPP to discover unused or unnecessary permissions, so you have full control over what your resources can do. Use the integration with IAM Access Analyzer to discover resources exposed outside your AWS accounts, and to monitor privilege escalation attempts and uncharacteristic permissions.

2. Encrypt data at rest and in transit

When using AWS CWPP, protect your data with encryption. Manage the encryption keys across your environment with AWS KMS, integrated with CWPP, and encrypt all data at rest, including S3 buckets, EBS volumes, and RDS instances.

3. Continuous monitoring and alerting

CWPP improves your security posture through real-time monitoring. Use CloudWatch alarms for security-specific metrics, and use CWPP to tailor them to your environment and threat model. Set up alerts through multiple channels (email, SMS, and Slack) so you can respond quickly when threats are detected.

4. Regular Vulnerability Assessments

The first step to strong security with AWS CWPP is proactively identifying vulnerabilities. Set up regular automated scans with Amazon Inspector together with CWPP to detect vulnerabilities in your EC2 instances and container images.

5. Implement Multi-layer Security

Use CWPP to manage several layers of network security, including security groups, network ACLs, and AWS WAF rules. CWPP also provides insight into current malware protection from antivirus, host firewalls, and other endpoint security tools. Combine network-based protections with a layered approach to protecting the hosts themselves against web-based threats.

6. Protect and Analyze Logs

To maintain detailed audit logs, enable AWS CloudTrail across all regions and services. Use Amazon CloudWatch to centralize these logs and run real-time analysis on them.

7. Unify Cloud and On-Premises Security

In a hybrid cloud, protection should be implemented in both the cloud and the on-premises environment. AWS Direct Connect can be used to establish a dedicated network connection between them.

8. Manage Users with Federated Single Sign-On (SSO)

To enable centralized access management, integrate AWS Single Sign-On with your environment and implement multi-factor authentication (MFA) for all user accounts. Use federation to integrate your on-premises identity management with AWS.

9. Implement Network Segmentation

Use Amazon VPC to create isolated network environments for different applications, and use security groups and network access control lists (ACLs) to control traffic between these environments. If the segmentation spans on-premises networks and VPCs, AWS Transit Gateway can be used to manage the connections centrally.

Why SentinelOne for AWS CWPP?

  1. AI-powered Autonomous Protection: The SentinelOne platform, powered by advanced AI, offers real-time, autonomous security for all AWS workloads. Automated detection and resolution of vulnerabilities shortens the response time to security incidents, which reduces downtime.
  2. Visibility and Control: The platform offers deep visibility and control across all AWS environments, including EC2 instances, containers, and Kubernetes clusters. This enables the detection of misconfigured workloads that might be vulnerable.
  3. Cloud-Native and Behavioral AI: SentinelOne is cloud-built, cloud-delivered, and cloud-native. It is designed to integrate seamlessly with AWS, where its behavioral AI identifies any deviations from normal behavior.
  4. Unified Platform with Automatic Remediation: The platform delivers real-time prevention with high precision and accuracy and low false positives. It is one solution for both endpoint threat prevention and cloud security, with no complex multi-device deployments needed. SentinelOne can automatically return devices to their pre-attack state.

Conclusion

For modern cloud security systems, the AWS Cloud Workload Protection Platform (CWPP) is an integral piece that provides organizations with 360-degree protection if they are operating within the AWS ecosystem.

CWPP is important because it provides ongoing monitoring, detection of threats, and automated response. Using powerful analytics and advanced machine learning helps organizations continuously keep up with the changing cyber threat landscape. It is designed to be fully elastic, which means that as you scale up your cloud infrastructure, so will its security capabilities.

FAQs

1. What is CWPP in AWS?

Cloud Workload Protection Platform is a complete security solution for the AWS environment that secures cloud-based workloads, applications, and data. It brings together the security services available on AWS to provide continuous monitoring, threat detection, forensic investigation, and automated response.

2. What is the difference between CASB and CWPP?

CASB and CWPP, though both are cloud security solutions, differ in their purposes. CASB is about protecting a user’s use of Software-as-a-Service applications. In other words, CASB is a guardian of what happens between a user and a cloud service: it monitors user activity and enforces corporate security policies. CWPP, on the other hand, is about protecting cloud-based workloads, including IaaS and PaaS environments. It guards “the end” instead of “the means” or usage, and offers protection as long as the workload operates in the cloud.

3. How does AWS CWPP integrate with other AWS security services?

AWS CWPP includes tight integrations with AWS security services. This integration improves threat detection, centralized security management, and vulnerability analysis and adds additional capabilities such as access control (least privilege), audit logging, and monitoring.

4. What types of threats can AWS CWPP detect?

AWS CWPP detects a wide range of threats, including malware, unauthorized access attempts, insider threats, data exfiltration, misconfigurations, compliance violations, and abnormal behaviors. It also identifies network-based attacks and vulnerabilities in containers and serverless functions. Using machine learning and behavioral analytics, AWS CWPP can adapt to recognize new or previously unknown threats, providing comprehensive protection for cloud environments.

Your Cloud Security—Fully Assessed in 30 Minutes.

Meet with a SentinelOne expert to evaluate your cloud security posture across multi-cloud environments, uncover cloud assets, misconfigurations, secret scanning, and prioritize risks with Verified Exploit Paths.