Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.



Published on

Managing infrastructure as code has become an important process in scaling software organizations. This brings many software development processes and ideas to operations, including version control, automated testing, configuration management and reliable duplication. Programmable infrastructure becomes invaluable as application services grows, in quantity and granularity, in a growing company.
Automating the provisioning, configuration and deployment of complex applications requires some design choices on top of AWS services. This presentation discusses how to implement modularity, reliability and security into continuous delivery pipelines ("DevSecOps"). Learn how to automate application delivery using AWS CloudFormation and other tools from Amazon Web Services.

  • Be the first to comment

  • Be the first to like this


  1. 1. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. O S L O 19-04-03
  2. 2. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. O S L O 19-04-03 Integrating Cloud Development, Security and Operations (DevSecOps) Paul Ahlgren Senior Partner Solutions Architect, Nordics & Baltics AWS B A R 1
  3. 3. What to expect from the session Why security automation Who – security team in a DevSecOps world Where do you want security automation When – pre, post, and everything in between What can you do, practical examples How – tools and partners
  4. 4. import re'([Dd]ev[Ss]ec|[Ss]ec[Dd]ev|[Rr]uggeds[Dd]ev)[Oo]ps') = Security automation at scale
  5. 5. Teams that practice CI/CD ship code faster, and with more confidence 5x Lower change failure rate 440x Faster from commit to deploy 46x More frequent deployments 44% More time spent on new features Source: Puppet 2017 State of DevOps Report
  6. 6. Amazon “primitives” graph, 2009
  7. 7. = 60 million deployments a year = 1.9 deployments / second Thousands of teams + Microservices architectures + Multiple environments + Continuous delivery?
  8. 8. Why - Goals of DevSecOps Pace of innovation… meets pace of security automation Scalable infrastructure needs scalable security Risk/rating based actions Automatic incident response remediation
  9. 9. Why security automation Reduce risk of human error - Automation is effective - Automation is reliable - Automation is scalable Don’t worry… we still need humans
  10. 10. Who?
  11. 11. Purpose Security is a service team, not a blocker Security is everyone's job Allow flexibility and freedom but control the flow and result.
  12. 12. Meet the new security team Operations Engineering Application Security Compliance
  13. 13. Meet the new security team Operations Engineering Application Security Compliance Development
  14. 14. Where? 3(+) places
  15. 15. Continuous Integration / Continuous Deployment 1. Security OF the CI/CD Pipeline • Access roles • Hardening build servers/nodes 2. Security IN the CI/CD Pipeline • Artifact validation • Static code analysis
  16. 16. CI/CD for DevOps Version Control CI Server Package Builder Deploy Server Commit to Git/master Dev Get / Pull Code Images Send build report to Dev Stop everything if build failed Distributed Builds Run Tests in parallel Staging Env Test Env Code Config Tests Prod Env Push Config Install Create Artifact Repo Deployment templates for infrastructure Generate
  17. 17. Version Control CI Server Package Builder Promote Process Block creds From gitDev Get / Pull Code Images Log for audit Staging Env Test Env Code Config Tests Prod Env Audit/Validate Config Checksum Continuous Scan CI/CD for DevSecOps Send build report to Security Stop everything if audit/validation failed Deployment templates for infrastructure Scan hook
  18. 18. What about my other stuff?
  19. 19. © 2017, Amazon Web Services, Inc. or its affiliates. All rights reserved. 3. Cloud scale security Infrastructure as code • Base requirement! • Split ownership • Pre-deploy validation Elastic security automation • API driven • Auto Scaling groups – hooks • Execution layer scales with targets Run time security • Tag-based targeting • Rip-n-replace • Continuous pen testing Immutable infrastructure • Validation and enforcement • Integrate with managed services … a.k.a. all the other stuff people are really talking about
  20. 20. When?
  21. 21. Easy All the time!
  22. 22. When – Control and Validate Pre-event - When possible • Store infrastructure in code repository • Validate each push (git hooks) • Use managed microservices as execution engine • Scan cloud infrastructure templates for unwanted/risk valued configurations • Validate container definitions • Validate system code early on • Find unwanted libraries, etc. • Force infrastructure changes through templates • Block if needed/unsure
  23. 23. Demo
  24. 24. When – Control and Validate Post-event - Always • Follow-up on sensitive APIs • IAM, security groups/firewall, encryption keys, logging, etc. • Alert/inform • Use source of truth • Locked to execution function (read only) • Validate source • Human or machine/CICD • Decide on remediation
  25. 25. When – Control and Validate Triggers – Event based: • Per change • API based • Event logs • Per day • Per framework • Overall infrastructure, components, and resources • One component, multiple frameworks
  26. 26. What? Give me some examples
  27. 27. Give me some examples Automatic Incident Response Remediation • Autoheal Cloudtrail logging • Disable offenders Integrate host-based action with cloud-based control • Immutable infrastructure – Auto isolate instances
  28. 28. User SSH ALLOWED EC2 Instance CloudWatch Events AWS Lambda Tag Updated Remove Access ISOLATED HOST X Example – Auto isolation – Host meets Cloud DynamoDB Is there a ticket? 1 2 3 4 5 6
  29. 29. Example – Auto isolation – Host meets Cloud Modify • /etc/pam.d/sshd Execute script upon logon • session optional /path/ Trigger AWS event as marker using IAM roles for EC2 #!/bin/bash INSTANCE_ID=$(wget -q -O - REGION=$(wget -q -O -|sed 's/.{1}$//')DATE=$(date) aws ec2 --region $REGION create-tags --resources $INSTANCE_ID --tags "Key=Tainted,Value=$DATE” Execute Lambda function using CloudWatch Events on marker detection • Remove from load balancer/scaling groups (will auto-heal) • Block in/outgoing traffic using security groups and ACL
  30. 30. Demo
  31. 31. Example – Auto isolation – Host meets Cloud Don’t forget safeguards! • How many instances can I isolate before failure • If isolated > x: wake_human() • Remember, x could be 0
  32. 32. Example – Log enforcement Detect • CloudTrail logging disabled Priority • Enable logging Forensics • Has this happened before? Countermeasures • If num_disabled > x: # x could be zero based on type and user disable_user() • Safeguard: Should I temporarily disable the user? Who is the user? Alert!
  33. 33. Demo
  34. 34. How?
  35. 35. ®® SaaS Subscriptions Dozens of SaaS applications addressing multiple use cases
  36. 36. AWS Tools
  37. 37. AWS CloudTrail
  38. 38. NormalizeRecord AWS Config & Config Rules Deliver Stream Snapshot (ex. 2014-11-05) AWS Config Store History
  39. 39. Sample AWS Config Event
  40. 40. Sample Custom AWS Config Rule
  41. 41. Sample AWS Config Rule
  42. 42. Putting it all together AWS CloudTrail Amazon CloudWatch Events AWS Lambda Amazon Simple Notification Service AWS API endpoints Your Staff Amazon S3 bucket Your security team IAM role AWS API Your SaaS tools
  43. 43. Cool… so I just fix things?? Well, yes... but...
  44. 44. Implement remediation framework
  45. 45. The anatomy of remediation Continuous / event based Execution constraints Will action risk breaking something Will change affect cost Is there a source of truth Priority action Forensic Counter measures Alerts Log KnowExecute
  46. 46. What else can I do?
  47. 47. Benchmarking infrastructure Map your infrastructure against control frameworks Single run for single account health check AWS Config / Config Rules for compliance tracking Example: OSS validation for CIS AWS Foundation Framework •
  48. 48. At the end of the day… What are we trying to accomplish?
  49. 49. Goals Prevent bad configurations before they are implemented Autocorrect/remediate violations where possible
  50. 50. OSS Code to learn from git-secrets - Prevents you from committing passwords and other sensitive information to a Git repository. aws-security-benchmark - Benchmark scripts mapped against trusted security frameworks. aws-config-rules - [Node, Python, Java] Repository of sample custom rules for AWS Config Netflix/security_monkey - Monitors policy changes and alerts on insecure configurations in an AWS account. Netflix/edda - Edda is a service to track changes in your cloud deployments. ThreatResponse - Open Source Security Suite for hardening and responding in AWS. CloudSploit – Capturing things like open security groups, misconfigured VPCs, and more. Stelligent/Cfn_nag – Looks for patterns in CloudFormation templates that may indicate insecure infrastructure. Capitalone/cloud-custodian - Rules engine for AWS fleet management.
  51. 51. Thank you! © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. Speaker Name Contact information
  52. 52. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.