
AWS re:Invent 2016: 5 Security Automation Improvements You Can Make by Using Amazon CloudWatch Events and AWS Config Rules (SAC401)


This session demonstrates 5 different security and compliance validation actions that you can perform using Amazon CloudWatch Events and AWS Config rules. This session focuses on the actual code for the various controls, actions, and remediation features, and how to use various AWS services and features to build them. The demos in this session include CIS Amazon Web Services Foundations validation; host-based AWS Config rules validation using AWS Lambda, SSH, and VPC-E; automatic creation and assigning of MFA tokens when new users are created; and automatic instance isolation based on SSH logons or VPC Flow Logs deny logs. This session focuses on code and live demos.


  1. © 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Henrik Johansson, Security Solutions Architect. 12/01/16. 5 Security Automation Improvements You Can Make by Using Amazon CloudWatch Events and AWS Config Rules (SAC401)
  2-3. What to expect from the session: Bonus; Why security automation; Tooling; The anatomy of automation; Demo & code; 5 x Automation; Other resources.
     5 x Automation:
     • Automatic CloudTrail remediation
     • CloudFormation template audit
     • AWS CIS Foundation Framework account assessment
     • Auto MFA for IAM
     • The tainted server: auto isolation
  4-5. Bonus. Code available for download as open source on GitHub at:
     http://github.com/awslabs/aws-security-automation
     https://github.com/awslabs/aws-security-benchmark
  6-11. Why security automation: reduce the risk of human error.
     - Automation is effective
     - Automation is reliable
     - Automation is scalable
     Don't worry… we still need humans.
  12. Why security automation: a high pace of innovation is great.
  13. Why security automation: we also want a high pace of detection, alerting, remediation, countermeasures and forensics.
  14. AWS tooling
     Execution: Lambda
     Tracking: AWS Config Rules, Amazon CloudWatch Events, AWS CloudTrail, AWS Inspector
     Track/log: Amazon CloudWatch Logs, Amazon DynamoDB
     Alert: SNS
     Third party / open source
  15. The anatomy of security automation (mode, section, actions):
     Initiate
       React: Config Rules / CloudWatch Events / log parsing
       Trigger: Lambda
       Learn: Lambda / CloudWatch Logs
     Execution
       Priority action: restart service, delete user, etc.
       Forensics: discover who/where/when; were they allowed to execute?
       Countermeasure: disable access keys, isolate instance, etc.
       Alert: text/page, email, ticket system
       Logging: database, ticket system, encrypt data?
  16. Automatic CloudTrail remediation
     Solves:
     - Verify that CloudTrail is running.
     - Prevent repeated and future attempts to disable CloudTrail.
     Services used: Lambda, CloudTrail, CloudWatch Events
  17. Demo
  18-23. Code highlights: extract event info; execution order #1; forensics; countermeasure (code shown on screen; the repository is linked on slide 5).
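The slides for this demo only name the stages (extract event info, priority action, forensics, countermeasure) and the code itself was on screen. The following is an added example written for this page, not the talk's code from the GitHub repository: it implements those stages in the order slide 15 prescribes for a CloudWatch Events "AWS API Call via CloudTrail" event carrying a StopLogging call. The event payload, the SNS topic ARN, the break-glass user list and the inline policy name are constructed for the example; the boto3 calls (start_logging, put_user_policy, publish) are real APIs, but here they are made against small recording stand-ins so the block runs offline.

```python
import json

# Constructed CloudWatch Events payload for a CloudTrail StopLogging API call,
# in the "AWS API Call via CloudTrail" shape. Account, ARNs and key are made up.
SAMPLE_EVENT = {
    "version": "0",
    "detail-type": "AWS API Call via CloudTrail",
    "source": "aws.cloudtrail",
    "account": "123456789012",
    "region": "us-east-1",
    "detail": {
        "eventTime": "2016-12-01T10:15:00Z",
        "eventSource": "cloudtrail.amazonaws.com",
        "eventName": "StopLogging",
        "sourceIPAddress": "203.0.113.10",
        "userAgent": "aws-cli/1.11.0",
        "userIdentity": {
            "type": "IAMUser",
            "arn": "arn:aws:iam::123456789012:user/alice",
            "userName": "alice",
            "accessKeyId": "AKIAIOSFODNN7EXAMPLE",
        },
        "requestParameters": {
            "name": "arn:aws:cloudtrail:us-east-1:123456789012:trail/main"
        },
    },
}

# Hypothetical names for this example.
ALERT_TOPIC_ARN = "arn:aws:sns:us-east-1:123456789012:security-alerts"
BREAK_GLASS_USERS = {"cloudtrail-admin"}  # the only users allowed to stop a trail
DENY_POLICY_NAME = "DenyCloudTrailDisable"
DENY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Deny",
        "Action": ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail",
                   "cloudtrail:UpdateTrail"],
        "Resource": "*",
    }],
}


def extract_event_info(event):
    """Pull out what the later stages need from the CloudWatch Events wrapper."""
    detail = event["detail"]
    who = detail.get("userIdentity", {})
    return {
        "event_name": detail["eventName"],
        "trail": detail.get("requestParameters", {}).get("name"),
        "time": detail.get("eventTime"),
        "principal_type": who.get("type"),
        "principal_arn": who.get("arn"),
        "user_name": who.get("userName"),
        "source_ip": detail.get("sourceIPAddress"),
        "user_agent": detail.get("userAgent"),
    }


def handle(event, cloudtrail, iam, sns):
    """Priority action first, then forensics, countermeasure and alert."""
    info = extract_event_info(event)
    actions = []

    # 1. Priority action: get the trail logging again before anything else.
    #    A deleted trail cannot simply be restarted, so DeleteTrail only alerts.
    if info["event_name"] == "StopLogging" and info["trail"]:
        cloudtrail.start_logging(Name=info["trail"])
        actions.append("start_logging")

    # 2. Forensics: who, from where, when, and were they allowed to?
    allowed = info["user_name"] in BREAK_GLASS_USERS

    # 3. Countermeasure: an IAM user outside the break-glass list gets an inline
    #    Deny so the same credentials cannot repeat this. Assumed-role sessions
    #    are only alerted on here; blocking them means changing the role itself.
    if info["principal_type"] == "IAMUser" and not allowed:
        iam.put_user_policy(UserName=info["user_name"],
                            PolicyName=DENY_POLICY_NAME,
                            PolicyDocument=json.dumps(DENY_POLICY))
        actions.append("put_user_policy")

    # 4. Alert: always, even when the caller was on the allow list.
    subject = "CloudTrail %s by %s" % (info["event_name"], info["principal_arn"])
    sns.publish(TopicArn=ALERT_TOPIC_ARN,
                Subject=subject[:100],  # SNS subjects are limited to 100 characters
                Message=json.dumps({"info": info, "allowed": allowed, "actions": actions}))
    actions.append("publish")
    return {"info": info, "allowed": allowed, "actions": actions}


class Recorder:
    """Stand-in for a boto3 client that records every call and returns nothing."""
    def __init__(self):
        self.calls = []

    def __getattr__(self, name):
        def call(**kwargs):
            self.calls.append((name, kwargs))
            return {}
        return call


def run_sample():
    """Run the handler on SAMPLE_EVENT with recording clients; returns what was called."""
    cloudtrail, iam, sns = Recorder(), Recorder(), Recorder()
    result = handle(SAMPLE_EVENT, cloudtrail, iam, sns)
    return result, cloudtrail.calls, iam.calls, sns.calls


def lambda_handler(event, context):
    """Real entry point: the same logic with boto3 clients (imported lazily)."""
    import boto3
    return handle(event, boto3.client("cloudtrail"), boto3.client("iam"),
                  boto3.client("sns"))
```

The order matters: the trail is restarted before anything that could fail or take time, and the alert goes out even when the caller was allowed, so the break-glass list is an audit exception, not a blind spot. The Lambda's own role needs only cloudtrail:StartLogging, iam:PutUserPolicy and sns:Publish; it should not be able to stop trails itself.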
  24. Code review
  25. CloudFormation template audit
     Solves:
     - Users deploying infrastructure that does not conform to security policy
     - Reduce risk from unapproved changes to templates
     Services used: CodePipeline, CloudWatch Events, Lambda
  26-29. Code highlights: CodePipeline; flow; rules.
  30-31. Code highlights: the rules
     'rule': "AllowHttp",
     'category': "SecurityGroup",
     'ruletype': "regex",
     'active': "Y",
     'riskvalue': "3",
     'ruledata': "^.*Ingress.*[fF]rom[pP]ort.\s*:\s*u?.(80)"

     'rule': "SSHOpenToWorld",
     'category': "SecurityGroup",
     'ruletype': "regex",
     'active': "Y",
     'riskvalue': "7",
     'ruledata': "^.*Ingress.*(([fF]rom[pP]ort|[tT]o[pP]ort).\s*:\s*u?.(22).*[cC]idr[iI]p.\s*:\s*u?.((0\.){3}0/0)|[cC]idr[iI]p.\s*:\s*u?.((0\.){3}0/0).*([fF]rom[pP]ort|[tT]o[pP]ort).\s*:\s*u?.(22))"
     (The backslashes are restored here: the extracted slide text reads "s*" and "(0.)" where the patterns need "\s*" and "(0\.)", and the riskvalue of the second rule lost its colon and quote.)
  32-33. Code highlights: evaluating
  34. Code highlight: risk and next step
     if risk < 5:
         put_job_success(job_id, 'Job successful, minimal or no risk detected.')
     elif 5 <= risk < 10:
         put_job_success(job_id, 'Job successful, medium risk detected, manual approval needed.')
     elif risk >= 10:
         put_job_failure(job_id, 'Function exception: Failed filters ' + str(failedRules))
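Slides 30 to 34 give the two rules and the risk thresholds but not the evaluation loop between them. The block below is an added example for this page, not the talk's code: it applies the two regex rules to every security-group ingress rule in a JSON CloudFormation template, sums the riskvalue of the rules that fire, and maps the total to the three CodePipeline outcomes of slide 34. The patterns are the slide's with backslashes restored (an assumption about the extraction). Because each pattern matches the quote characters around a value (the "." after the key name and after "u?"), every ingress rule is first serialized to one JSON line with all values turned into strings, so a port written as 22 and one written as "22" are treated the same. The two templates are constructed; the put_job_success/put_job_failure calls to CodePipeline are left out so the block runs offline.

```python
import json
import re

# The rules from the slides; backslashes restored (assumption: lost in extraction).
RULES = [
    {"rule": "AllowHttp", "category": "SecurityGroup", "ruletype": "regex",
     "active": "Y", "riskvalue": "3",
     "ruledata": r"^.*Ingress.*[fF]rom[pP]ort.\s*:\s*u?.(80)"},
    {"rule": "SSHOpenToWorld", "category": "SecurityGroup", "ruletype": "regex",
     "active": "Y", "riskvalue": "7",
     "ruledata": r"^.*Ingress.*(([fF]rom[pP]ort|[tT]o[pP]ort).\s*:\s*u?.(22).*"
                 r"[cC]idr[iI]p.\s*:\s*u?.((0\.){3}0/0)|[cC]idr[iI]p.\s*:\s*u?."
                 r"((0\.){3}0/0).*([fF]rom[pP]ort|[tT]o[pP]ort).\s*:\s*u?.(22))"},
]


def ingress_entries(template):
    """Yield (logical resource name, ingress rule dict) for every ingress rule."""
    for name, res in template.get("Resources", {}).items():
        props = res.get("Properties", {})
        if res.get("Type") == "AWS::EC2::SecurityGroup":
            for entry in props.get("SecurityGroupIngress", []):
                yield name, entry
        elif res.get("Type") == "AWS::EC2::SecurityGroupIngress":
            yield name, props


def as_match_text(entry):
    """One JSON line with every value quoted, so 22 and "22" look alike to the regexes."""
    quoted = {key: str(value) for key, value in entry.items()}
    return json.dumps({"SecurityGroupIngress": quoted})


def evaluate_template(template_text):
    """Return (total risk, [(resource, rule name), ...]) for a JSON template."""
    template = json.loads(template_text)
    risk, failed = 0, []
    for name, entry in ingress_entries(template):
        text = as_match_text(entry)
        for rule in RULES:
            if rule["active"] != "Y" or rule["ruletype"] != "regex":
                continue
            if re.search(rule["ruledata"], text):
                risk += int(rule["riskvalue"])
                failed.append((name, rule["rule"]))
    return risk, failed


def next_step(risk, failed_rules):
    """The thresholds of slide 34: pass, pass-with-approval, or fail the pipeline job."""
    if risk < 5:
        return "success", "Job successful, minimal or no risk detected."
    if risk < 10:
        return "approval", "Job successful, medium risk detected, manual approval needed."
    return "failure", "Function exception: Failed filters " + str(failed_rules)


# Constructed templates, not from the talk.
WEB_SG = {"Type": "AWS::EC2::SecurityGroup", "Properties": {
    "GroupDescription": "web", "SecurityGroupIngress": [
        {"IpProtocol": "tcp", "FromPort": "80", "ToPort": "80", "CidrIp": "0.0.0.0/0"}]}}

WORLD_OPEN_TEMPLATE = json.dumps({"Resources": {
    "WebSg": WEB_SG,
    "BastionSg": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
        "GroupDescription": "bastion", "SecurityGroupIngress": [
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"}]}},
}})

RESTRICTED_TEMPLATE = json.dumps({"Resources": {
    "WebSg": WEB_SG,
    "AdminSsh": {"Type": "AWS::EC2::SecurityGroupIngress", "Properties": {
        "GroupId": {"Ref": "WebSg"}, "IpProtocol": "tcp",
        "FromPort": 22, "ToPort": 22, "CidrIp": "10.0.0.0/8"}},
}})
```

With these rules the first template scores 3 + 7 = 10 and fails the job; the second scores 3 (HTTP open to the world is tolerated at that weight) and passes. Regex rules over serialized text are quick to write, which is the point of the slide, but they are also easy to sidestep (a port range 20-25, a CidrIp of ::/0, a value behind a Ref); when that matters, add rules that walk the parsed structure as ingress_entries already does.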
  35. Code review
  36. AWS CIS Foundation Framework account assessment
     Solves:
     - Validate the AWS account against security best practices
     - Integrate with AWS Config
     - Create a report for easy and secure consumption
     Services used: Lambda, Config Rules
     References: AWS CIS Foundation Framework validation
  37. Demo
  38-44. Code highlights: options; control structure.
  45-47. Code highlight: result, written to Config, with annotation.
  48. Code highlight: result, HTML report.
  49-50. Code highlight: result, S3 pre-signed URL.
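The control structure, the Config result with annotation, the HTML report and the pre-signed URL are named on slides 41 to 50 without the code. The block below is an added example for this page, not the aws-security-benchmark code: it runs four of the section 1 identity controls of the CIS AWS Foundations Benchmark (1.2 MFA for console users, 1.3 credentials unused for 90 days, 1.4 key rotation within 90 days, 1.13 MFA on the root account) over an IAM credential report, turns each into a Config evaluation with an annotation, renders the HTML report, and shows the publish step. The credential report uses the real GetCredentialReport column names but constructed users and dates; the assessment time, bucket and key are assumptions. The publish function uses real boto3 calls and is the only part that needs AWS.

```python
import csv
import html
import io
from datetime import datetime, timedelta, timezone

# Constructed IAM credential report (real column names, made-up users and dates).
CREDENTIAL_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws:iam::123456789012:root,2015-01-05T10:00:00+00:00,not_supported,2016-11-30T09:12:00+00:00,not_supported,not_supported,false,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
alice,arn:aws:iam::123456789012:user/alice,2016-02-01T10:00:00+00:00,true,2016-11-29T08:00:00+00:00,2016-10-01T08:00:00+00:00,2017-01-01T08:00:00+00:00,true,true,2016-10-01T08:00:00+00:00,2016-11-29T08:00:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
bob,arn:aws:iam::123456789012:user/bob,2016-02-01T10:00:00+00:00,true,2016-07-15T08:00:00+00:00,2016-02-01T10:00:00+00:00,N/A,false,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
deploy,arn:aws:iam::123456789012:user/deploy,2016-02-01T10:00:00+00:00,false,no_information,N/A,N/A,false,true,2016-11-20T08:00:00+00:00,2016-11-30T08:00:00+00:00,us-east-1,ec2,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
"""
ASSESSED_AT = datetime(2016, 12, 1, tzinfo=timezone.utc)  # assumed run time for the sample


def _age_over(value, days, now):
    """True if value is an ISO 8601 timestamp older than `days`; N/A-style values are False."""
    try:
        return now - datetime.fromisoformat(value) > timedelta(days=days)
    except ValueError:
        return False


def cis_1_13_root_mfa(rows, now):
    root = next(r for r in rows if r["user"] == "<root_account>")
    ok = root["mfa_active"] == "true"
    return "1.13", ok, "root MFA enabled" if ok else "root MFA not enabled"


def cis_1_2_console_mfa(rows, now):
    bad = [r["user"] for r in rows if r["password_enabled"] == "true" and r["mfa_active"] != "true"]
    return "1.2", not bad, ("console users without MFA: " + ", ".join(bad)) if bad else "all console users have MFA"


def cis_1_3_unused_credentials(rows, now):
    bad = []
    for r in rows:
        if r["user"] == "<root_account>":
            continue
        if r["password_enabled"] == "true" and _age_over(r["password_last_used"], 90, now):
            bad.append(r["user"] + ":password")
        for k in ("1", "2"):
            if r["access_key_%s_active" % k] == "true" and _age_over(r["access_key_%s_last_used_date" % k], 90, now):
                bad.append(r["user"] + ":key" + k)
    return "1.3", not bad, ("credentials unused 90+ days: " + ", ".join(bad)) if bad else "no stale credentials"


def cis_1_4_key_rotation(rows, now):
    bad = [r["user"] + ":key" + k for r in rows for k in ("1", "2")
           if r["access_key_%s_active" % k] == "true" and _age_over(r["access_key_%s_last_rotated" % k], 90, now)]
    return "1.4", not bad, ("keys older than 90 days: " + ", ".join(bad)) if bad else "all active keys rotated within 90 days"


CONTROLS = [cis_1_13_root_mfa, cis_1_2_console_mfa, cis_1_3_unused_credentials, cis_1_4_key_rotation]


def assess(report_csv, now, account_id):
    """Run every control; return findings and the matching Config evaluations."""
    rows = list(csv.DictReader(io.StringIO(report_csv)))
    findings, evaluations = [], []
    for control in CONTROLS:
        cid, ok, detail = control(rows, now)
        findings.append((cid, ok, detail))
        evaluations.append({
            "ComplianceResourceType": "AWS::::Account",
            "ComplianceResourceId": account_id,
            "ComplianceType": "COMPLIANT" if ok else "NON_COMPLIANT",
            "Annotation": ("CIS %s: %s" % (cid, detail))[:256],  # Config caps annotations at 256 chars
            "OrderingTimestamp": now,
        })
    return findings, evaluations


def html_report(findings):
    cells = "".join("<tr><td>%s</td><td>%s</td><td>%s</td></tr>"
                    % (cid, "PASS" if ok else "FAIL", html.escape(detail)) for cid, ok, detail in findings)
    return ("<html><body><h1>CIS AWS Foundations, section 1</h1><table>"
            "<tr><th>Control</th><th>Result</th><th>Detail</th></tr>%s</table></body></html>" % cells)


def publish(config, s3, evaluations, report, result_token, bucket, key, expires=3600):
    """Push evaluations to Config, store the report privately, return a short-lived URL."""
    config.put_evaluations(Evaluations=evaluations, ResultToken=result_token)
    s3.put_object(Bucket=bucket, Key=key, Body=report.encode(), ContentType="text/html",
                  ServerSideEncryption="AES256")
    return s3.generate_presigned_url("get_object", Params={"Bucket": bucket, "Key": key},
                                     ExpiresIn=expires)
```

Inside a Config custom rule, result_token comes from the invoking event (event["resultToken"]) and the report bucket should deny public reads and be reachable only through the pre-signed URL, which is why the report is stored encrypted and the URL expires. The credential report itself must be requested with generate_credential_report and fetched with get_credential_report once IAM reports it complete; that polling is left out here.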
  51. Code review
  52. Auto MFA for IAM
     Solves:
     - Automatic creation and assignment of a virtual MFA device for new IAM users.
     - Removes time-consuming tasks for single and bulk operations.
     - No user interaction required, and no need to grant self-service permissions through an IAM policy.
     Services used: CloudWatch Events, Lambda and IAM
  53. Demo
  54-55. Code highlights: priority action.
  56. Code highlight: create virtual MFA.
  57-58. Code highlight: enable MFA.
  59. Code highlight: calculate tokens.
  60-61. Code highlight: assign MFA.
  62. Code highlight: encrypt string.
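The steps on slides 56 to 62 (create virtual MFA, calculate tokens, enable/assign MFA, encrypt string) hinge on one detail the slides do not spell out: EnableMFADevice demands two consecutive TOTP codes, so the Lambda has to compute them itself from the Base32 seed that CreateVirtualMFADevice returns. The block below is an added example for this page, not the talk's code: an RFC 6238 TOTP implementation using only the standard library, the enrolment sequence against IAM, and KMS encryption of the seed before it is handed on. The IAM, KMS and CloudWatch Events calls are real APIs, but the block runs against constructed stand-ins; the KMS key alias and the IAM account ID are assumptions, and the stand-in seed is the RFC 6238 test secret so the codes can be checked against the published vectors.

```python
import base64
import hashlib
import hmac
import struct
import time


def totp(base32_seed, unix_time, digits=6, step=30):
    """RFC 6238 TOTP (HMAC-SHA1) for the step-second window containing unix_time."""
    seed = base32_seed.upper()
    key = base64.b32decode(seed + "=" * (-len(seed) % 8))  # IAM's seed may be unpadded
    counter = struct.pack(">Q", int(unix_time) // step)
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                                # dynamic truncation
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return "%0*d" % (digits, code % (10 ** digits))


def consecutive_codes(base32_seed, unix_time, step=30):
    """The two back-to-back codes EnableMFADevice requires: this window and the next."""
    return totp(base32_seed, unix_time, step=step), totp(base32_seed, unix_time + step, step=step)


def enroll_virtual_mfa(iam, kms, user_name, kms_key_id, now=None):
    """Create a virtual MFA device, bind it to user_name, return the KMS-encrypted seed."""
    now = time.time() if now is None else now
    device = iam.create_virtual_mfa_device(VirtualMFADeviceName=user_name)["VirtualMFADevice"]
    seed = device["Base32StringSeed"]
    seed = seed.decode() if isinstance(seed, bytes) else seed  # boto3 returns blobs as bytes
    code1, code2 = consecutive_codes(seed, now)
    iam.enable_mfa_device(UserName=user_name, SerialNumber=device["SerialNumber"],
                          AuthenticationCode1=code1, AuthenticationCode2=code2)
    # The seed is the user's long-term secret: encrypt it before it leaves this
    # function and never log it, the QR code or the plaintext codes.
    encrypted = kms.encrypt(KeyId=kms_key_id, Plaintext=seed.encode())["CiphertextBlob"]
    return {"serial": device["SerialNumber"], "encrypted_seed": encrypted}


def lambda_handler(event, context):
    """Entry point for a CloudWatch Events rule on the IAM CreateUser API call."""
    import boto3
    user = event["detail"]["requestParameters"]["userName"]
    return enroll_virtual_mfa(boto3.client("iam"), boto3.client("kms"), user,
                              "alias/mfa-seeds")  # hypothetical key alias


class FakeIam:
    """Constructed stand-in for boto3's IAM client; the seed is the RFC 6238 test secret."""
    SEED = b"GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"  # base32 of "12345678901234567890"

    def __init__(self):
        self.calls = []

    def create_virtual_mfa_device(self, **kw):
        self.calls.append(("create_virtual_mfa_device", kw))
        serial = "arn:aws:iam::123456789012:mfa/" + kw["VirtualMFADeviceName"]
        return {"VirtualMFADevice": {"SerialNumber": serial, "Base32StringSeed": self.SEED,
                                     "QRCodePNG": b"<png bytes>"}}

    def enable_mfa_device(self, **kw):
        self.calls.append(("enable_mfa_device", kw))
        return {}


class FakeKms:
    """Constructed stand-in for boto3's KMS client: 'encrypts' by reversing the bytes."""
    def encrypt(self, **kw):
        return {"CiphertextBlob": kw["Plaintext"][::-1]}


def run_sample():
    """Enroll 'alice' at a fixed time (an RFC 6238 test vector) with the stand-ins."""
    iam, kms = FakeIam(), FakeKms()
    result = enroll_virtual_mfa(iam, kms, "alice", "alias/mfa-seeds", now=1111111109)
    return result, iam.calls
```

Whoever can run this function can mint a valid second factor for any user it touches, so the Lambda role should be allowed iam:CreateVirtualMFADevice and iam:EnableMFADevice only, the KMS key policy should restrict decryption to the delivery path, and the CloudWatch Events rule should be the only trigger. The clock the codes are computed from is the Lambda's; if it drifts more than IAM tolerates, EnableMFADevice rejects the pair and the user is left with an unbound device to clean up.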
  63. Code review
  64. The tainted server: auto isolation
     Solves:
     • Enforces immutable infrastructure
     • Automatically isolates instances for further forensics upon events such as local SSH logons or an increase in deny (REJECT) records discovered in VPC Flow Logs
     Services used: CloudWatch Events, Config Rules, Lambda, VPC Flow Logs and a discovery trigger
  65. Demo
  66-71. Code highlights: individual instances; get tainted.
  72-73. Code highlight: detach from Auto Scaling group.
  74-77. Code highlight: identify security group.
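Slides 68 to 77 name the steps (get tainted, detach from the Auto Scaling group, identify the security group) without the code. The block below is an added example for this page, not the talk's code, covering the VPC Flow Logs branch of the trigger and the isolation itself: it counts REJECTed outbound flows per network interface in a batch of flow-log records, maps an interface over the threshold to its instance, detaches that instance from its Auto Scaling group without lowering desired capacity, swaps every security group for a quarantine group that has neither ingress nor egress rules, and protects the instance from termination. The flow-log lines, the threshold, the local address prefix, the quarantine group name and all IDs are constructed; the EC2 and Auto Scaling calls are real boto3 APIs, exercised here against recording stand-ins so the block runs offline.

```python
# Constructed VPC Flow Log records (version 2 default format, one record per line):
# version account-id interface-id srcaddr dstaddr srcport dstport protocol
# packets bytes start end action log-status
SAMPLE_FLOW_LOG = """\
2 123456789012 eni-0a1b2c3d 10.0.1.23 198.51.100.7 44321 445 6 3 180 1480587000 1480587060 REJECT OK
2 123456789012 eni-0a1b2c3d 10.0.1.23 198.51.100.7 44322 3389 6 3 180 1480587000 1480587060 REJECT OK
2 123456789012 eni-0a1b2c3d 10.0.1.23 198.51.100.8 44323 445 6 3 180 1480587000 1480587060 REJECT OK
2 123456789012 eni-0a1b2c3d 10.0.1.23 198.51.100.9 44324 23 6 3 180 1480587000 1480587060 REJECT OK
2 123456789012 eni-0a1b2c3d 10.0.1.23 10.0.1.5 44325 443 6 40 9000 1480587000 1480587060 ACCEPT OK
2 123456789012 eni-0e9f8a7b 10.0.1.40 10.0.1.5 50001 443 6 20 4200 1480587000 1480587060 ACCEPT OK
2 123456789012 eni-0e9f8a7b 10.0.1.40 203.0.113.2 50002 22 6 2 120 1480587000 1480587060 REJECT OK
"""
REJECT_THRESHOLD = 3                          # outbound REJECTs per ENI per window (hypothetical)
LOCAL_PREFIX = "10.0."                        # assumption: VPC range; srcaddr there means outbound
QUARANTINE_SG_NAME = "quarantine-no-traffic"  # hypothetical


def rejected_outbound_by_interface(log_text):
    """Count REJECTed flows that originate on the instance side, per ENI."""
    counts = {}
    for line in log_text.splitlines():
        f = line.split()
        if len(f) < 14 or f[0] != "2":        # skips NODATA/SKIPDATA and other versions
            continue
        iface, src, action = f[2], f[3], f[12]
        if action == "REJECT" and src.startswith(LOCAL_PREFIX):
            counts[iface] = counts.get(iface, 0) + 1
    return counts


def tainted_interfaces(log_text, threshold=REJECT_THRESHOLD):
    counts = rejected_outbound_by_interface(log_text)
    return sorted(i for i, n in counts.items() if n >= threshold)


def instance_for_interface(ec2, eni_id):
    nic = ec2.describe_network_interfaces(NetworkInterfaceIds=[eni_id])["NetworkInterfaces"][0]
    return nic["Attachment"]["InstanceId"]


def ensure_quarantine_sg(ec2, vpc_id):
    """Find or create a security group with no ingress and no egress rules."""
    found = ec2.describe_security_groups(Filters=[
        {"Name": "group-name", "Values": [QUARANTINE_SG_NAME]},
        {"Name": "vpc-id", "Values": [vpc_id]}])["SecurityGroups"]
    if found:
        return found[0]["GroupId"]
    sg_id = ec2.create_security_group(GroupName=QUARANTINE_SG_NAME,
                                      Description="forensic isolation", VpcId=vpc_id)["GroupId"]
    # A new group has no ingress rule but an allow-all egress rule; drop that too.
    ec2.revoke_security_group_egress(GroupId=sg_id, IpPermissions=[
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}])
    return sg_id


def isolate_instance(ec2, autoscaling, instance_id):
    """Detach from its ASG, swap all SGs for quarantine, protect from termination."""
    inst = ec2.describe_instances(InstanceIds=[instance_id])["Reservations"][0]["Instances"][0]
    # 1. Leave the ASG without lowering desired capacity: a clean replacement is
    #    launched and the group can no longer terminate the evidence.
    members = autoscaling.describe_auto_scaling_instances(InstanceIds=[instance_id])["AutoScalingInstances"]
    asg_name = members[0]["AutoScalingGroupName"] if members else None
    if asg_name:
        autoscaling.detach_instances(InstanceIds=[instance_id], AutoScalingGroupName=asg_name,
                                     ShouldDecrementDesiredCapacity=False)
    # 2. Replace every security group on the instance with the quarantine group.
    original = [g["GroupId"] for g in inst["SecurityGroups"]]
    sg_id = ensure_quarantine_sg(ec2, inst["VpcId"])
    ec2.modify_instance_attribute(InstanceId=instance_id, Groups=[sg_id])
    # 3. Keep it around for forensics and record what was changed.
    ec2.modify_instance_attribute(InstanceId=instance_id, DisableApiTermination={"Value": True})
    ec2.create_tags(Resources=[instance_id], Tags=[
        {"Key": "Tainted", "Value": "true"},
        {"Key": "OriginalSecurityGroups", "Value": ",".join(original)}])
    return {"instance": instance_id, "quarantine_sg": sg_id,
            "original_sgs": original, "detached_from": asg_name}


class FakeClient:
    """Constructed boto3 stand-in: canned responses per method name, records calls."""
    def __init__(self, **responses):
        self.calls, self.responses = [], responses

    def __getattr__(self, name):
        def call(**kw):
            self.calls.append((name, kw))
            return self.responses.get(name, {})
        return call


def run_sample():
    """Find tainted ENIs in SAMPLE_FLOW_LOG and isolate their instances with the stand-ins."""
    ec2 = FakeClient(
        describe_network_interfaces={"NetworkInterfaces": [{"Attachment": {"InstanceId": "i-0abc123"}}]},
        describe_instances={"Reservations": [{"Instances": [{
            "InstanceId": "i-0abc123", "VpcId": "vpc-0123",
            "SecurityGroups": [{"GroupId": "sg-web"}, {"GroupId": "sg-common"}]}]}]},
        describe_security_groups={"SecurityGroups": []},
        create_security_group={"GroupId": "sg-quarantine"})
    autoscaling = FakeClient(
        describe_auto_scaling_instances={"AutoScalingInstances": [{"AutoScalingGroupName": "web-asg"}]})
    results = [isolate_instance(ec2, autoscaling, instance_for_interface(ec2, eni))
               for eni in tainted_interfaces(SAMPLE_FLOW_LOG)]
    return results, ec2.calls, autoscaling.calls
```

Two details are easy to get wrong in practice. Detaching with ShouldDecrementDesiredCapacity=False is what makes the isolation immutable-infrastructure friendly: the group replaces the host from the launch configuration instead of patching it. And the quarantine group must have its default egress rule revoked, otherwise the instance is cut off from inbound traffic but can still talk out, which is exactly the channel a compromised host uses. Swapping security groups also severs the operator's own SSH path; forensics after this step goes through a snapshot of the volumes or a console path, not a login.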
  78. Code review
  79. Other resources / open source. Some of the projects out there:
     • ThreatResponse.cloud: https://threatresponse.cloud
     • Cloud Custodian: https://github.com/capitalone/cloud-custodian
     • Security Monkey: https://github.com/Netflix/security_monkey
     • FIDO: https://github.com/Netflix/Fido
     • CloudSploit: https://github.com/cloudsploit
     And many more…
  80. Bonus: code available for download as open source on GitHub (same repositories as slide 5).
  81. Related sessions:
     SEC301: Audit Your AWS Account Against Industry Best Practices: The CIS AWS Benchmarks
     SEC311: How to Automate Policy Validation
     SEC313: Automating Security Event Response, from Idea to Code to Execution
     SAC315: Scaling Security Operations and Automating Governance: Which AWS Services Should I Use?
     SEC401: Automated Formal Reasoning About AWS Systems
  82. Thank you!
  83. Remember to complete your evaluations!
