Ryan Holland (Cloud Platform Solution Director, Alert Logic) and Pat McDowell (Partner Solution Architect, Amazon Web Services)'s presentation on AWS security services like AWS Inspector, AWS WAF, and AWS Config Rules at the NYC Alert Logic Cloud Security Summit on June 14, 2016.
3. Network Access Control
• Security Groups provide Stateful firewalls
around each Amazon EC2 Instance
• NACLs provide stateless firewalls around
subnets
• VPC Flow Logs provide traffic visibility
• No Broadcast, VIPs, Layer 2, or Network Taps
5. More tools to move fast and stay safe
• Amazon Inspector
• AWS WAF
• AWS Config Rules
6. The easy (Vulnerabilities) matter
"[With] any large network, I will tell you that
persistence and focus will get you in, we'll achieve that
exploitation without the zero days," he says. "There's
so many more vectors that are easier, less risky and
quite often more productive that going down that
route." This includes, of course, known vulnerabilities
for which a patch is available but the owner hasn't
installed it.
- Rob Joyce NSA TAO @ Enigma 2016
8. Amazon Inspector Rule Sets
CVE
Security Best Practices
Run Time Behavior Analysis
CIS Operating System Security Configuration
Benchmarks
9. Amazon Inspector and Alert Logic
• Amazon Inspector makes it easy to do the right
thing BEFORE your app goes into production
• Pairs point-in-time, host-based scans with
continous, whitelisted network scans
• Layering AWS Inspector Assessments, Alert
Logic Cloud Insight and Cloud Defender
provides full spectrum security visibility and
response
16. AWS Config Rules Benefits
Continuous monitoring for
unexpected changes
Shared Compliance
across your organization
Simplified management of
configuration changes
17. AWS Config Rules Features
Flexible Rules evaluated continuously and
retroactively
Dashboard and Reports for Common Goals
Customizable Remediation
API Automation
18. Advanced Compliance with Config Rules
• Open Source Rules
– https://github.com/awslabs/aws-config-rules
• Enforce encryption on all volumes
• Ensure CloudTrail is enabled globally for bucket X
• Confirm that no users have MFA disabled
• Create a rule that no security group can permit
0.0.0.0/0
• No Root Access Keys or logins without MFA
• All Instances Must be in VPC-ID X
19. AWS Config Rules and Alert Logic
• Lambda function used to add Config Rules
violations to Cloud Insight platform as
remediation tasks.
• Tight integration with JIRA to allow automatic
ticket routing to asset owner and validation
when tickets are closed.
Why we built Inspector
What uses cases does it cover
Makes it easy to do the very basics, which gives you a lot
Easier Barrier to entry
AL CI = Builds on top of basic primitives we offer
Checks both OS + Apps
CVE – Most Common Targets
Security Best Practices – From AWS AppSec, e.g. SSH allows root logins
Run Time Bheavior Analysis – Long Running Analysis, can affect the severity of the findings
CIS – Industry Standard guide to hardening your OS, biggest customer ask we had
Emphasize dev-test
AL is for prod
AL also has IDS, no concept of IDS on AWS natively
Can Programmatically add rules from logs you mined
# of 400 errors -> Bad Bot and you can automatically ingest those Bad Ips
Sources from other Systems (E.g. FinServ)
Make the ‘Rules’ Part of your ‘Infrastructure as Code’
AWS WAF can protect the edge, AL can do it at the origin
->Provides intelligence and complex rules/logic that our WAF does not come out of the box with
->Auto-Scales to meet your needs
Config: . It allows you to get an inventory of all resources in AWS, discover new and deleted resources, record those changes continuously, and get notified when configurations change.
Author custom rules using AWS Lambda
Puts Guard Rails into place across the Enterprise/Production
If something falls out of compliance, automatically, rolls back to compliance standards set
You can not do this on premises.
Lambda Functions are the custom rules that get triggered
Triggers are Time or Resource Based.
Invoked automatically for continuous assessment (single pane of glass)
Use dashboard for visualizing compliance and identifying offending changes
For the AWS Config Rules service we have created a custom Lambda function that allows Cloud Insight to ingest violations of rules that have been created and we present these as remediation tasks along side other remediations for a particular asset in AWS. One key part of how these remediations are presented is that the AWS metadata and other information we collect from the environment is used to help provide the best means for remediating a violation, for example if multiple instances are launched without a required tag or using encrypted volumes and they are all part of the same AutoScaling group by understanding the environment and maintaining a continuously updated asset model we direct the remediation to update that ASLC/G rather than the individual instances since in that case simply applying a fix to the instances will not fix the root of the issue. Also as I touched on previously our API and integrations with tools such as JIRA allows violations from Config Rules as well as any other remediations to be directed automatically to the owner of the instance through a ticket in JIRA and the plugin is bi-directional meaning that when the owner marks the ticket as closed we will go and validate that the remediation has actually been completed and if needed re-open the ticket. this automation means that your security teams don’t need to spend time tracking down who owns a particular instance and to perform manual validation of the fix once the tickets are marked complete.