This document summarizes a presentation about security automation improvements that can be made using Amazon CloudWatch Events and AWS Config Rules. It discusses five examples of automation: automatic CloudTrail remediation, CloudFormation template auditing, AWS CIS Foundation Framework account assessment, auto MFA for IAM users, and automatic isolation of "tainted" servers. Code examples and demonstrations are provided for each automation example. Other security automation tools and resources are also listed.
2. What to expect from the session
Bonus!
Why security automation
Tooling
The anatomy of automation
Demo & code 5 x Automation
Other resources
5 x Automation
• Automatic CloudTrail remediation
• CloudFormation template audit
• AWS CIS Foundation Framework account assessment
• Auto MFA for IAM
• The tainted server – Auto isolation
5. Bonus
Code available for download as Open Source on GitHub at:
http://github.com/awslabs/aws-security-automation
https://github.com/awslabs/aws-security-benchmark
Don’t worry…we still need humans
11. Why security automation
Reduce risk of human error
- Automation is effective
- Automation is reliable
- Automation is scalable
Don’t worry…we still need humans
25. CloudFormation template audit
Solves:
- Users deploying infrastructure that does not conform to security policy
- Reduces risk from unapproved changes to templates
Services used:
CodePipeline, CloudWatch Events, Lambda
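An added example of the audit step this slide describes (my code, not the awslabs project's): the Lambda function below checks a CloudFormation template for two common policy violations, security-group ingress from anywhere on sensitive ports and IAM policies allowing every action on every resource, and reports the verdict back to CodePipeline so a violating template fails the stage. The sensitive-port list, the artifact file name template.json and the sample template are assumptions constructed for the example.

```python
"""Added example (not the awslabs code): audit a CloudFormation template for
world-open ingress on sensitive ports and for admin-level IAM policies, then
report the verdict to CodePipeline. The port list, the artifact file name
template.json and SAMPLE_TEMPLATE are assumptions made for this example."""
import io
import json
import zipfile

# Assumption: ports a security policy would never allow from the whole Internet
SENSITIVE_PORTS = {22, 3389, 3306, 5432}
WORLD_CIDRS = ("0.0.0.0/0", "::/0")


def as_list(value):
    """CloudFormation accepts a single value wherever a list is expected."""
    return value if isinstance(value, list) else [value]


def world_open_ports(rule):
    """Sensitive ports an ingress rule exposes to any IPv4/IPv6 address ([] if none)."""
    if rule.get("CidrIp") not in WORLD_CIDRS and rule.get("CidrIpv6") not in WORLD_CIDRS:
        return []
    if str(rule.get("IpProtocol", "")) == "-1" or rule.get("FromPort") is None:
        low, high = 0, 65535  # protocol -1 (or no port given) means every port
    else:
        low, high = int(rule["FromPort"]), int(rule.get("ToPort", rule["FromPort"]))
    return sorted(p for p in SENSITIVE_PORTS if low <= p <= high)


def is_admin_statement(stmt):
    """True for an Allow statement granting every action on every resource."""
    return (stmt.get("Effect") == "Allow"
            and "*" in as_list(stmt.get("Action", []))
            and "*" in as_list(stmt.get("Resource", [])))


def audit_template(template):
    """Return one finding string per violation; an empty list means the template passed."""
    findings = []
    for logical_id, res in template.get("Resources", {}).items():
        rtype, props = res.get("Type", ""), res.get("Properties", {})
        # Ingress rules inline on a group, or a standalone ingress resource
        rules = []
        if rtype == "AWS::EC2::SecurityGroup":
            rules = props.get("SecurityGroupIngress", [])
        elif rtype == "AWS::EC2::SecurityGroupIngress":
            rules = [props]
        for rule in rules:
            for port in world_open_ports(rule):
                findings.append(f"{logical_id}: port {port} open to the Internet")
        # Policy documents on policies, managed policies and inline principal policies
        docs = []
        if rtype in ("AWS::IAM::Policy", "AWS::IAM::ManagedPolicy"):
            docs.append(props.get("PolicyDocument", {}))
        if rtype in ("AWS::IAM::Role", "AWS::IAM::User", "AWS::IAM::Group"):
            docs.extend(p.get("PolicyDocument", {}) for p in props.get("Policies", []))
        for doc in docs:
            if any(is_admin_statement(s) for s in as_list(doc.get("Statement", []))):
                findings.append(f"{logical_id}: policy allows Action '*' on Resource '*'")
    return findings


def lambda_handler(event, context):
    """CodePipeline Invoke action: fail the stage when the template has findings."""
    import boto3  # imported here so the audit logic stays importable without boto3

    job = event["CodePipeline.job"]
    creds = job["data"]["artifactCredentials"]  # temporary keys for the artifact bucket
    loc = job["data"]["inputArtifacts"][0]["location"]["s3Location"]
    s3 = boto3.client("s3", aws_access_key_id=creds["accessKeyId"],
                      aws_secret_access_key=creds["secretAccessKey"],
                      aws_session_token=creds["sessionToken"])
    body = s3.get_object(Bucket=loc["bucketName"], Key=loc["objectKey"])["Body"].read()
    with zipfile.ZipFile(io.BytesIO(body)) as artifact:
        template = json.loads(artifact.read("template.json"))
    findings = audit_template(template)
    pipeline = boto3.client("codepipeline")
    if findings:
        pipeline.put_job_failure_result(jobId=job["id"], failureDetails={
            "type": "JobFailed", "message": "; ".join(findings)[:5000]})
    else:
        pipeline.put_job_success_result(jobId=job["id"])
    return findings


# Constructed sample template: one compliant group, two violations, one admin role
SAMPLE_TEMPLATE = {"Resources": {
    "WebSG": {"Type": "AWS::EC2::SecurityGroup", "Properties": {"SecurityGroupIngress": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "0.0.0.0/0"}]}},
    "BastionSG": {"Type": "AWS::EC2::SecurityGroup", "Properties": {"SecurityGroupIngress": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"}]}},
    "AllOpen": {"Type": "AWS::EC2::SecurityGroupIngress", "Properties": {
        "GroupId": "sg-1", "IpProtocol": "-1", "CidrIpv6": "::/0"}},
    "AdminRole": {"Type": "AWS::IAM::Role", "Properties": {"Policies": [{"PolicyName": "all",
        "PolicyDocument": {"Statement": {"Effect": "Allow", "Action": "*", "Resource": "*"}}}]}},
}}
```

Because the checks are plain functions over the parsed template, the same code can run in a pre-commit hook or CI job before the template ever reaches the pipeline; the CodePipeline handler only adds the artifact download and the job-result calls. YAML templates need a loader that understands the CloudFormation intrinsic tags (`!Ref`, `!Sub`, and so on) before they can be audited this way.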
52. Auto MFA for IAM
Solves:
- Automatic creation and assignment of a virtual MFA device for new IAM users
- Removes time-consuming tasks for single and bulk operations
- No user interaction required, and no need to grant self-service permissions via IAM policy
Services used:
CloudWatch Events, Lambda and IAM
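The CloudWatch Events to Lambda flow behind this slide, as an added example (not the awslabs project's code): the handler takes the new user name from the CloudTrail CreateUser event, creates a virtual MFA device for that user and enables it. Enabling a device requires two consecutive TOTP codes, so the example implements RFC 6238 with the standard library rather than assuming a third-party package. The sample event, the account id in the FakeIAM stand-in and the use of the RFC 6238 test seed are constructed for the example; the IAM client is a parameter so the logic can be exercised offline.

```python
"""Added example (not the awslabs code): when CloudTrail reports an IAM
CreateUser call, create a virtual MFA device for the new user and enable it.
Assumes a CloudWatch Events rule targets this function and its role may call
iam:CreateVirtualMFADevice and iam:EnableMFADevice. The IAM client is passed
in so the logic can run offline against the FakeIAM stand-in at the bottom."""
import base64
import hashlib
import hmac
import struct
import time


def totp(secret_b32, unix_time, step=30, digits=6):
    """RFC 6238 one-time password (HMAC-SHA1), exactly as a virtual MFA app computes it."""
    if isinstance(secret_b32, bytes):
        secret_b32 = secret_b32.decode("ascii")
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    counter = struct.pack(">Q", int(unix_time) // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)


def new_user_from_event(event):
    """userName from a CloudTrail CreateUser event delivered by CloudWatch Events, else None."""
    detail = event.get("detail", {})
    if event.get("source") != "aws.iam" or detail.get("eventName") != "CreateUser":
        return None
    return detail.get("requestParameters", {}).get("userName")


def assign_virtual_mfa(iam, user_name, now=None):
    """Create and enable a virtual MFA device for user_name; return its serial number.

    IAM requires two consecutive codes to prove the seed is correct, so the codes
    for the current 30-second window and for the next one are computed from the seed.
    """
    now = int(time.time()) if now is None else int(now)
    device = iam.create_virtual_mfa_device(VirtualMFADeviceName=user_name)["VirtualMFADevice"]
    seed = device["Base32StringSeed"]  # boto3 returns this as bytes
    iam.enable_mfa_device(
        UserName=user_name,
        SerialNumber=device["SerialNumber"],
        AuthenticationCode1=totp(seed, now),
        AuthenticationCode2=totp(seed, now + 30),
    )
    # The seed is deliberately neither logged nor returned: delivering it to the
    # user over a channel only they can read is left to the caller.
    return device["SerialNumber"]


def lambda_handler(event, context):
    """Entry point for the CloudWatch Events rule."""
    import boto3  # imported here so the logic above is importable without boto3

    user_name = new_user_from_event(event)
    if user_name is None:
        return {"status": "ignored"}
    serial = assign_virtual_mfa(boto3.client("iam"), user_name)
    return {"status": "enabled", "userName": user_name, "serialNumber": serial}


class FakeIAM:
    """Offline stand-in for boto3's IAM client; hands out the RFC 6238 test seed."""

    def __init__(self):
        self.calls = []

    def create_virtual_mfa_device(self, **kw):
        self.calls.append(("create_virtual_mfa_device", kw))
        return {"VirtualMFADevice": {
            "SerialNumber": "arn:aws:iam::123456789012:mfa/" + kw["VirtualMFADeviceName"],
            "Base32StringSeed": b"GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"}}

    def enable_mfa_device(self, **kw):
        self.calls.append(("enable_mfa_device", kw))
        return {}


# Constructed sample event in the shape CloudWatch Events uses for CloudTrail API calls
SAMPLE_EVENT = {
    "source": "aws.iam",
    "detail-type": "AWS API Call via CloudTrail",
    "detail": {"eventSource": "iam.amazonaws.com", "eventName": "CreateUser",
               "requestParameters": {"userName": "alice"}},
}

if __name__ == "__main__":
    iam = FakeIAM()
    print(assign_virtual_mfa(iam, new_user_from_event(SAMPLE_EVENT)), iam.calls[1][1])
```

The function's execution role needs iam:CreateVirtualMFADevice and iam:EnableMFADevice, and nothing else. Virtual MFA device names are unique per account, so re-creating a deleted user with the same name fails until the old device is deleted; and how the seed reaches the user is the part that decides whether this is real MFA or just a token the automation holds, which is why the handler never logs it.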
64. The tainted server – Auto isolation
Solves:
• Enforces immutable infrastructure
• Automatically isolates instances for further forensics upon events like local SSH logons or an increase in denied traffic discovered in VPC Flow Logs
Services used:
CloudWatch Events, Config Rules, Lambda, VPC Flow Logs and discovery trigger
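An isolation handler for this slide, added as an example (not the awslabs project's code): given an instance id from a Config Rules compliance-change event or a direct invocation, it swaps the instance's security groups for a pre-created group with no rules, turns on termination protection so a cleanup script cannot destroy the evidence, and records the original groups in tags for the case file. The isolation group id, the sample event and the FakeEC2 stand-in are assumptions made for the example.

```python
"""Added example (not the awslabs code): quarantine an EC2 instance that an
upstream signal (a Config Rule, or a direct invocation) has flagged as tainted,
keeping it alive for forensics. Assumes a pre-created security group with no
inbound or outbound rules (ISOLATION_SG_ID is a placeholder) and a role allowed
to describe and modify instances and create tags. The EC2 client is a parameter
so the logic runs offline against the FakeEC2 stand-in at the bottom."""
import os
import time

# Placeholder: the "deny everything" group in the target VPC, set via environment
ISOLATION_SG_ID = os.environ.get("ISOLATION_SG_ID", "sg-0123456789abcdef0")


def tainted_instance_from_event(event):
    """Instance id from a Config Rules compliance-change event or from a direct
    {"instanceId": ...} invocation; None when the event does not warrant isolation."""
    if event.get("source") != "aws.config":
        return event.get("instanceId")
    detail = event.get("detail", {})
    if detail.get("resourceType") != "AWS::EC2::Instance":
        return None
    if detail.get("newEvaluationResult", {}).get("complianceType") != "NON_COMPLIANT":
        return None
    return detail.get("resourceId")


def isolate_instance(ec2, instance_id, isolation_sg_id=ISOLATION_SG_ID, now=None):
    """Replace the instance's security groups with the isolation group, protect it
    from termination, and record the original groups in tags for the case file."""
    now = int(time.time()) if now is None else int(now)
    instance = ec2.describe_instances(InstanceIds=[instance_id])["Reservations"][0]["Instances"][0]
    original = sorted(g["GroupId"] for g in instance.get("SecurityGroups", []))
    if original == [isolation_sg_id]:
        return {"instanceId": instance_id, "alreadyIsolated": True}
    # Containment first, bookkeeping second: the group swap is the step that matters
    ec2.modify_instance_attribute(InstanceId=instance_id, Groups=[isolation_sg_id])
    ec2.modify_instance_attribute(InstanceId=instance_id, DisableApiTermination={"Value": True})
    ec2.create_tags(Resources=[instance_id], Tags=[
        {"Key": "Quarantine", "Value": "true"},
        {"Key": "QuarantineTime", "Value": str(now)},
        {"Key": "OriginalSecurityGroups", "Value": ",".join(original)},
    ])
    return {"instanceId": instance_id, "alreadyIsolated": False,
            "originalSecurityGroups": original}


def lambda_handler(event, context):
    """Entry point for the CloudWatch Events rule."""
    import boto3  # imported here so the logic above is importable without boto3

    instance_id = tainted_instance_from_event(event)
    if instance_id is None:
        return {"status": "ignored"}
    return isolate_instance(boto3.client("ec2"), instance_id)


class FakeEC2:
    """Offline stand-in for boto3's EC2 client that records the calls it receives."""

    def __init__(self, groups):
        self.groups, self.calls = list(groups), []

    def describe_instances(self, InstanceIds):
        return {"Reservations": [{"Instances": [{
            "InstanceId": InstanceIds[0],
            "SecurityGroups": [{"GroupId": g} for g in self.groups]}]}]}

    def create_tags(self, **kw):
        self.calls.append(("create_tags", kw))

    def modify_instance_attribute(self, **kw):
        self.calls.append(("modify_instance_attribute", kw))
        if "Groups" in kw:
            self.groups = list(kw["Groups"])


# Constructed sample event in the shape of a Config Rules compliance change
SAMPLE_EVENT = {
    "source": "aws.config",
    "detail-type": "Config Rules Compliance Change",
    "detail": {"resourceType": "AWS::EC2::Instance", "resourceId": "i-0abc123def456789a",
               "newEvaluationResult": {"complianceType": "NON_COMPLIANT"}},
}

if __name__ == "__main__":
    ec2 = FakeEC2(["sg-web", "sg-ssh"])
    print(isolate_instance(ec2, tainted_instance_from_event(SAMPLE_EVENT), now=0))
```

Two caveats a responder should keep in mind: termination protection stops manual and scripted TerminateInstances calls but not Auto Scaling, so an instance in a group should also be detached or placed in Standby before the group replaces it; and because security groups are stateful, check the instance's VPC Flow Logs after the swap to confirm that traffic actually stopped rather than assuming it did.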
79. Other resources / Open Source
Some of the projects out there:
• ThreatResponse.cloud https://threatresponse.cloud
• Cloud Custodian https://github.com/capitalone/cloud-custodian
• Security Monkey https://github.com/Netflix/security_monkey
• FIDO https://github.com/Netflix/Fido
• CloudSploit https://github.com/cloudsploit
And many more…
81. Related Sessions
SEC301 - Audit Your AWS Account Against Industry Best Practices: The CIS AWS Benchmarks
SEC311 - How to Automate Policy Validation
SEC313 - Automating Security Event Response, from Idea to Code to Execution
SAC315 - Scaling Security Operations and Automating Governance: Which AWS Services Should I Use?
SEC401 - Automated Formal Reasoning About AWS Systems