SlideShare a Scribd company logo

Perform Diagnostics on Running Instances without Affecting Availability & Reliability (ARC313-R2) - AWS re:Invent 2018

Amazon Web Services
Amazon Web Services

This document discusses automating a "break-glass" solution for granting temporary emergency access to critical AWS resources. The solution uses AWS Identity and Access Management (IAM), Amazon Simple Notification Service (SNS), AWS Lambda, AWS Systems Manager, and AWS Service Catalog to provision temporary access. When a request is approved, the helpdesk agent gains one-time access to provision the required resources through a service catalog. The solution ensures access is removed at the end of the approved duration and auditing of all actions is performed.

1 of 21
Download to read offline
© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. Perform Diagnostics on Running Instances without Affecting Availability & Reliability Nirav Kothari Principal Consultant – AWS Professional Services AWS A R C 3 1 3
Break-glass procedure: Granting emergency access to critical systems Break glass (which draws its name from breaking the glass to pull a fire alarm) refers to a quick means for a person who does not have access privileges to certain information to gain access when necessary
© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. Agenda “Break-glass” solution automation overview Solution deep dive Part 1: Pre-requisites Part 2: AWS Identity and Access Management (IAM) Part 3: Amazon Simple Notification Service (Amazon SNS) Part 4: Amazon CloudWatch Part 5: AWS Lambda Part 6: AWS Service Catalog Part 7: AWS Systems Manager (Systems Manager)
© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. Breakout repeats Monday, November 26 ARC313-R - [REPEAT] Perform Diagnostics on Running Instances without Affecting Availability/Reliability 04:00 p.m. – 05:00 p.m. | Aria West, Level 3, Starvine 10, Table 5, T1 Tuesday, November 27 ARC313-R1 - [REPEAT 1] Perform Diagnostics on Running Instances without Affecting Availability/Reliability 10:00 a.m. – 11:00 a.m. | Aria West, Level 3, Starvine 3, Table 2, T1 Wednesday, November 28 ARC313-R2 - [REPEAT 2] Perform Diagnostics on Running Instances without Affecting Availability/Reliability 02:30 p.m. – 03:30 p.m. | Mirage, Grand Ballroom B, Table 8, T1
© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. What are we solving? We are solving two separate use cases 1. On-demand, temporary remote access (SSH) for Amazon Elastic Compute Cloud (Amazon EC2) instances running in a regulated production environment; if your requirement is basic shell access to an Amazon EC2 instance, you can use AWS Systems Manager; more information here: https://aws.amazon.com/blogs/aws/new-session-manager/ 2. On-demand, temporary higher-privilege access to AWS APIs, for instance network super user
© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. “Break-glass” solution overview virtual private cloud VPC subnet VPC subnet EC2 instance Bastion host Target hosts Target hosts Users / requestor Helpdesk Agent Approver Lambda function Amazon CloudWatch Event AWS Service Catalog IAM AWS Management Console Process flow User has a need for privileged access or remote access (SSH) to a target host; user calls Helpdesk to request access Helpdesk gathers required information to create emergency change request Helpdesk reviews information with approver and gets the request approved. Upon approval Helpdesk receives MFA code for GlassBreak user Helpdesk agent logs on to AWS Management Console using this MFA code Upon successful login, CloudWatch rule generates an event Event publishes notification using Amazon SNS, sends email notification to Helpdesk agent, and triggers Lambda function Lambda function acts as a login script and adds the GlassBreak user to a group that has access to an AWS Service Catalog Helpdesk agent gets end user’s username and public key (from the user) and inputs that as a parameter and duration of access to provision AWS Service Catalog product AWS Service Catalog uses Systems Manager to create a user in the bastion host, create a *kill* Lambda function based on the duration of access requested, and remove the GlassBreak user from group that has access to AWS Service Catalog
© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. Let’s break it down . . . Part 1: Pre-requisites These components are required to support break-glass automation 1. A bastion host with no users allowed and AWS Systems Manager installed; Amazon AMIs have SSM agent pre-installed 2. Security group that allows remote access to bastion host with pre-approved IP addresses in source 3. An EC2 instance role that allows Systems Manager and some additional access for the automation to work, we will also add network admin functional role policy for this use case. I’m using SSM, network admin policy, and a few more permissions for this use case; we will be using bastion host at the end of duration to delete automation 4. Target host(s) that allows remote access from bastion host security group
© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. Let’s break it down . . . Part 2: IAM These users and roles are required 1. A pre-designated GlassBreak user with no permissions; this user account will inherit permissions later at run time 2. A group with appropriate permissions to execute AWS CloudFormation template, run a Lambda function, and access to an existing AWS Service Catalog that will be used at run time
© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. Let’s break it down . . . Part 3: Amazon SNS We need Amazon SNS topic for automation to work 1. SNS topic with two subscriptions 1. An email address, Helpdesk email address, to notify that the GlassBreak user has access to AWS Service Catalog that will run the automation 2. A Lambda function that will detect successful login of the GlassBreak user and add it to a group that has access to AWS Service Catalog
© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. Let’s break it down . . . Part 4: Amazon CloudWatch Events Create a rule that will monitor successful login by GlassBreak user and publish on an existing SNS topic 1. Imagine executing a login script
© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. Let’s break it down . . . Part 5: AWS Lambda Two separate Lambda functions are used in this solution 1. The first Lambda function will be pre-installed and will be triggered by an event. This is an event generated by CloudWatch Events rule upon detecting a successful login from GlassBreak (pre-designated) user  Think of this as a login script 2. The second Lambda function will be deployed by AWS Service Catalog that will accept end user’s public key and duration of the access. Lambda function will be scheduled based on the duration, and it would perform a clean-up of all the resources deployed by this automation  Think of this as a clean-up script
© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. Let’s break it down . . . Part 6: AWS Service Catalog AWS Service Catalog to execute process automation 1. AWS Service Catalog will accept requestor public key and duration for the privileged access 2. Take these parameters and create user with end-user provided public key on bastion host; this will allow the requestor to log in to bastion host using their private key 3. AWS Service Catalog will take the duration of access parameter and create a Lambda function that will perform a clean-up at the end of duration 4. Upon successful completion, this AWS Service Catalog will remove GlassBreak user from the group that has access to this AWS Service Catalog, run one time
© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. Let’s break it down . . . Part 7: AWS Systems Manager Systems Manager is used for two functions 1. When AWS Service Catalog is executed, it uses Systems Manager to insert user- provided public key in the bastion host’s *authorized_keys* file; this will allow user to log in to bastion host using their own private keys 2. A shell script deployed through AWS Service Catalog to delete (self-delete) the AWS CloudFormation template (that is, “Service Catalog”)
© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. Additional details Given the nature of temporary access required, automation has these features 1. The designated user will never have any permissions; upon successful login, governed by a two-factor authentication, they will get one-time run access to automation 2. Automation will accept duration of access as a mandatory field; this is to ensure that users have privileged access only for the duration that was approved; if they need to extend their session, they will have to go through this entire process again 3. Automation ensures that every time a new user is added to bastion host, a log file is updated for audit 4. Run once access to GlassBreak user is provided through an AWS Service Catalog, additional auditing and tracking capabilities 5. AWS Service Catalog will remove the GlassBreak user from group to ensure that the Helpdesk agent can run this automation only one time 6. AWS Service Catalog creates a self-destructing Lambda function to ensure everything deployed with this automation self-cleans at the end of the duration 7. To allow multiple users access at the same time and to ensure that there might not be a first in-first out, all function names are dynamically assigned in the code
© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. Optimization options Break-glass solution and this lab were designed to use AWS native services. 1. If your organization has SSH key management solution, you can update the AWS Service Catalog to ask for duration only; you can automate key vending from your current key management implementation 2. Duration of access is parameterized to allow any duration between 5 and 60 mins; update it as per your organization requirement 3. Solution assumes that end user will use AWS Command Line Interface (AWS CLI) for privilege access; after access to bastion host is granted, if they prefer UI access, consider workspaces to replace bastion host or grant role to the userID 4. You can add Amazon SNS notification in the clean-up function to notify you when the end-user access is revoked 5. This solution assumes that you have a bastion host that’s always running, with specific functional roles such as EC2 admins, network admins, etc., you can create bastion host with individual functional roles for your environment, or automate the solution to accept privilege required as a parameter and provision bastion host at run time 6. You can enable session logging on bastion host for additional logging and auditing purposes; please refer to https://aws.amazon.com/blogs/security/how-to-record-ssh-sessions-established-through-a-bastion-host/
© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. “Break glass” summary slide Request routed for approval Approver shares MFA code Lambda adds user to group Helpdesk logs in as GlassBreak user User request CWE detects login Helpdesk notified and Lambda triggered Helpdesk runs AWS Service Catalog Accepts end user’s pub key and duration Systems Manager creates user on bastion host Clean up Lambda function scheduled based on duration User gains access to AWS Service Catalog Approved? Check duration?GlassBreak user removed from group Run Cleanup function Terminate GlassBreak user’s SSH session Systems Manager deletes end user from bastion host Delete AWS Service Catalog provisioned product End Helpdesk gathers information 1 1 Wait 2 2 3 3
© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. Acronyms used in this document Acronym Description Requestor An end user/user that is requesting temporary privilege access Helpdesk or Helpdesk agent Support staff that receives the request routes it through organizational approval process and runs AWS Service Catalog that would grant temporary access to end user Approver A designated approver in your organization authorized to approve an emergency change request EC2 Amazon EC2 service; more information can be found here https://aws.amazon.com/ec2/ IAM AWS Identity and Access Management (IAM) service; more information can be found here https://aws.amazon.com/iam/ Systems Manager AWS Systems Manager service; more information can be found here https://aws.amazon.com/systems-manager/?nc2=h_m1 AWS Service Catalog AWS Service Catalog service; more information can be found here https://aws.amazon.com/servicecatalog/?nc2=h_m1 CloudWatch Events Part of Amazon CloudWatch service; more information can be found here https://aws.amazon.com/cloudwatch/?nc2=h_m1 Lambda AWS Lambda service; more information can be found here https://aws.amazon.com/lambda/?nc2=h_m1
Thank you! © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. Nirav Kothari kotharin@amazon.com
© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.

Recommended

Access Control for the Cloud: AWS Identity and Access Management (IAM) (SEC20...
Access Control for the Cloud: AWS Identity and Access Management (IAM) (SEC20...Access Control for the Cloud: AWS Identity and Access Management (IAM) (SEC20...
Access Control for the Cloud: AWS Identity and Access Management (IAM) (SEC20...Amazon Web Services
 
Secure Your Cloud Environment with Azure Active Directory (AD)
Secure Your Cloud Environment with Azure Active Directory (AD)Secure Your Cloud Environment with Azure Active Directory (AD)
Secure Your Cloud Environment with Azure Active Directory (AD)WinWire Technologies Inc
 
Automated Solution for Deploying AWS Landing Zone (GPSWS407) - AWS re:Invent ...
Automated Solution for Deploying AWS Landing Zone (GPSWS407) - AWS re:Invent ...Automated Solution for Deploying AWS Landing Zone (GPSWS407) - AWS re:Invent ...
Automated Solution for Deploying AWS Landing Zone (GPSWS407) - AWS re:Invent ...Amazon Web Services
 
Fundamentals of AWS Security
Fundamentals of AWS SecurityFundamentals of AWS Security
Fundamentals of AWS SecurityAmazon Web Services
 
Designing security & governance via AWS Control Tower & Organizations - SEC30...
Designing security & governance via AWS Control Tower & Organizations - SEC30...Designing security & governance via AWS Control Tower & Organizations - SEC30...
Designing security & governance via AWS Control Tower & Organizations - SEC30...Amazon Web Services
 
AWS Technical Essentials Day
AWS Technical Essentials DayAWS Technical Essentials Day
AWS Technical Essentials DayAmazon Web Services
 
AWS Multi-Account Architecture and Best Practices
AWS Multi-Account Architecture and Best PracticesAWS Multi-Account Architecture and Best Practices
AWS Multi-Account Architecture and Best PracticesAmazon Web Services
 
Introduction to AWS IAM
Introduction to AWS IAMIntroduction to AWS IAM
Introduction to AWS IAMKnoldus Inc.
 

Recommended

Access Control for the Cloud: AWS Identity and Access Management (IAM) (SEC20...
Access Control for the Cloud: AWS Identity and Access Management (IAM) (SEC20...Access Control for the Cloud: AWS Identity and Access Management (IAM) (SEC20...
Access Control for the Cloud: AWS Identity and Access Management (IAM) (SEC20...Amazon Web Services
 
Secure Your Cloud Environment with Azure Active Directory (AD)
Secure Your Cloud Environment with Azure Active Directory (AD)Secure Your Cloud Environment with Azure Active Directory (AD)
Secure Your Cloud Environment with Azure Active Directory (AD)WinWire Technologies Inc
 
Automated Solution for Deploying AWS Landing Zone (GPSWS407) - AWS re:Invent ...
Automated Solution for Deploying AWS Landing Zone (GPSWS407) - AWS re:Invent ...Automated Solution for Deploying AWS Landing Zone (GPSWS407) - AWS re:Invent ...
Automated Solution for Deploying AWS Landing Zone (GPSWS407) - AWS re:Invent ...Amazon Web Services
 
Fundamentals of AWS Security
Fundamentals of AWS SecurityFundamentals of AWS Security
Fundamentals of AWS SecurityAmazon Web Services
 
Designing security & governance via AWS Control Tower & Organizations - SEC30...
Designing security & governance via AWS Control Tower & Organizations - SEC30...Designing security & governance via AWS Control Tower & Organizations - SEC30...
Designing security & governance via AWS Control Tower & Organizations - SEC30...Amazon Web Services
 
AWS Technical Essentials Day
AWS Technical Essentials DayAWS Technical Essentials Day
AWS Technical Essentials DayAmazon Web Services
 
AWS Multi-Account Architecture and Best Practices
AWS Multi-Account Architecture and Best PracticesAWS Multi-Account Architecture and Best Practices
AWS Multi-Account Architecture and Best PracticesAmazon Web Services
 
Introduction to AWS IAM
Introduction to AWS IAMIntroduction to AWS IAM
Introduction to AWS IAMKnoldus Inc.
 
Using AWS Control Tower to govern multi-account AWS environments at scale - G...
Using AWS Control Tower to govern multi-account AWS environments at scale - G...Using AWS Control Tower to govern multi-account AWS environments at scale - G...
Using AWS Control Tower to govern multi-account AWS environments at scale - G...Amazon Web Services
 
GuardDuty Hands-on Lab
GuardDuty Hands-on LabGuardDuty Hands-on Lab
GuardDuty Hands-on LabAmazon Web Services
 
Aligning to the NIST Cybersecurity Framework in the AWS
Aligning to the NIST Cybersecurity Framework in the AWSAligning to the NIST Cybersecurity Framework in the AWS
Aligning to the NIST Cybersecurity Framework in the AWSAmazon Web Services
 
Deep dive into AWS IAM
Deep dive into AWS IAMDeep dive into AWS IAM
Deep dive into AWS IAMAmazon Web Services
 
Azure AD Presentation - @ BITPro - Ajay
Azure AD Presentation - @ BITPro - AjayAzure AD Presentation - @ BITPro - Ajay
Azure AD Presentation - @ BITPro - AjayAnoop Nair
 
Introduction to AWS Security
Introduction to AWS SecurityIntroduction to AWS Security
Introduction to AWS SecurityAmazon Web Services
 
AWS Control Tower
AWS Control TowerAWS Control Tower
AWS Control TowerCloudHesive
 
AWS Security Best Practices (March 2017)
AWS Security Best Practices (March 2017)AWS Security Best Practices (March 2017)
AWS Security Best Practices (March 2017)Julien SIMON
 
AWS Cloud Security & Compliance Basics Webinar
AWS Cloud Security & Compliance Basics WebinarAWS Cloud Security & Compliance Basics Webinar
AWS Cloud Security & Compliance Basics WebinarAmazon Web Services
 
IAM Introduction and Best Practices
IAM Introduction and Best PracticesIAM Introduction and Best Practices
IAM Introduction and Best PracticesAmazon Web Services
 
AWS networking fundamentals
AWS networking fundamentalsAWS networking fundamentals
AWS networking fundamentalsAmazon Web Services
 
Building Secure Architectures on AWS
Building Secure Architectures on AWSBuilding Secure Architectures on AWS
Building Secure Architectures on AWSAmazon Web Services
 
Deep Dive on Amazon GuardDuty - AWS Online Tech Talks
Deep Dive on Amazon GuardDuty - AWS Online Tech TalksDeep Dive on Amazon GuardDuty - AWS Online Tech Talks
Deep Dive on Amazon GuardDuty - AWS Online Tech TalksAmazon Web Services
 
Introduction to Incident Response on AWS
Introduction to Incident Response on AWSIntroduction to Incident Response on AWS
Introduction to Incident Response on AWSAmazon Web Services
 
Aws IAM
Aws IAMAws IAM
Aws IAMChamali Liyanage
 
Identity and Access Management: The First Step in AWS Security
Identity and Access Management: The First Step in AWS SecurityIdentity and Access Management: The First Step in AWS Security
Identity and Access Management: The First Step in AWS SecurityAmazon Web Services
 
(DVO315) Log, Monitor and Analyze your IT with Amazon CloudWatch
(DVO315) Log, Monitor and Analyze your IT with Amazon CloudWatch(DVO315) Log, Monitor and Analyze your IT with Amazon CloudWatch
(DVO315) Log, Monitor and Analyze your IT with Amazon CloudWatchAmazon Web Services
 
Deploy and Govern at Scale with AWS Control Tower
Deploy and Govern at Scale with AWS Control TowerDeploy and Govern at Scale with AWS Control Tower
Deploy and Govern at Scale with AWS Control TowerAmazon Web Services
 
AWS IAM
AWS IAMAWS IAM
AWS IAMDiego Pacheco
 
Threat detection on AWS: An introduction to Amazon GuardDuty - FND216 - AWS r...
Threat detection on AWS: An introduction to Amazon GuardDuty - FND216 - AWS r...Threat detection on AWS: An introduction to Amazon GuardDuty - FND216 - AWS r...
Threat detection on AWS: An introduction to Amazon GuardDuty - FND216 - AWS r...Amazon Web Services
 
Security & Compliance for Modern Serverless Applications (SRV319-R1) - AWS re...
Security & Compliance for Modern Serverless Applications (SRV319-R1) - AWS re...Security & Compliance for Modern Serverless Applications (SRV319-R1) - AWS re...
Security & Compliance for Modern Serverless Applications (SRV319-R1) - AWS re...Amazon Web Services
 
Inventory and Patch Management Using AWS Systems Manager (ARC332) - AWS re:In...
Inventory and Patch Management Using AWS Systems Manager (ARC332) - AWS re:In...Inventory and Patch Management Using AWS Systems Manager (ARC332) - AWS re:In...
Inventory and Patch Management Using AWS Systems Manager (ARC332) - AWS re:In...Amazon Web Services
 

More Related Content

What's hot

Using AWS Control Tower to govern multi-account AWS environments at scale - G...
Using AWS Control Tower to govern multi-account AWS environments at scale - G...Using AWS Control Tower to govern multi-account AWS environments at scale - G...
Using AWS Control Tower to govern multi-account AWS environments at scale - G...Amazon Web Services
 
Aligning to the NIST Cybersecurity Framework in the AWS
Aligning to the NIST Cybersecurity Framework in the AWSAligning to the NIST Cybersecurity Framework in the AWS
Aligning to the NIST Cybersecurity Framework in the AWSAmazon Web Services
 
Azure AD Presentation - @ BITPro - Ajay
Azure AD Presentation - @ BITPro - AjayAzure AD Presentation - @ BITPro - Ajay
Azure AD Presentation - @ BITPro - AjayAnoop Nair
 
AWS Control Tower
AWS Control TowerAWS Control Tower
AWS Control TowerCloudHesive
 
AWS Security Best Practices (March 2017)
AWS Security Best Practices (March 2017)AWS Security Best Practices (March 2017)
AWS Security Best Practices (March 2017)Julien SIMON
 
AWS Cloud Security & Compliance Basics Webinar
AWS Cloud Security & Compliance Basics WebinarAWS Cloud Security & Compliance Basics Webinar
AWS Cloud Security & Compliance Basics WebinarAmazon Web Services
 
IAM Introduction and Best Practices
IAM Introduction and Best PracticesIAM Introduction and Best Practices
IAM Introduction and Best PracticesAmazon Web Services
 
Building Secure Architectures on AWS
Building Secure Architectures on AWSBuilding Secure Architectures on AWS
Building Secure Architectures on AWSAmazon Web Services
 
Deep Dive on Amazon GuardDuty - AWS Online Tech Talks
Deep Dive on Amazon GuardDuty - AWS Online Tech TalksDeep Dive on Amazon GuardDuty - AWS Online Tech Talks
Deep Dive on Amazon GuardDuty - AWS Online Tech TalksAmazon Web Services
 
Introduction to Incident Response on AWS
Introduction to Incident Response on AWSIntroduction to Incident Response on AWS
Introduction to Incident Response on AWSAmazon Web Services
 
Identity and Access Management: The First Step in AWS Security
Identity and Access Management: The First Step in AWS SecurityIdentity and Access Management: The First Step in AWS Security
Identity and Access Management: The First Step in AWS SecurityAmazon Web Services
 
(DVO315) Log, Monitor and Analyze your IT with Amazon CloudWatch
(DVO315) Log, Monitor and Analyze your IT with Amazon CloudWatch(DVO315) Log, Monitor and Analyze your IT with Amazon CloudWatch
(DVO315) Log, Monitor and Analyze your IT with Amazon CloudWatchAmazon Web Services
 
Deploy and Govern at Scale with AWS Control Tower
Deploy and Govern at Scale with AWS Control TowerDeploy and Govern at Scale with AWS Control Tower
Deploy and Govern at Scale with AWS Control TowerAmazon Web Services
 
Threat detection on AWS: An introduction to Amazon GuardDuty - FND216 - AWS r...
Threat detection on AWS: An introduction to Amazon GuardDuty - FND216 - AWS r...Threat detection on AWS: An introduction to Amazon GuardDuty - FND216 - AWS r...
Threat detection on AWS: An introduction to Amazon GuardDuty - FND216 - AWS r...Amazon Web Services
 

What's hot (20)

Using AWS Control Tower to govern multi-account AWS environments at scale - G...
Using AWS Control Tower to govern multi-account AWS environments at scale - G...Using AWS Control Tower to govern multi-account AWS environments at scale - G...
Using AWS Control Tower to govern multi-account AWS environments at scale - G...
 
GuardDuty Hands-on Lab
GuardDuty Hands-on LabGuardDuty Hands-on Lab
GuardDuty Hands-on Lab
 
Aligning to the NIST Cybersecurity Framework in the AWS
Aligning to the NIST Cybersecurity Framework in the AWSAligning to the NIST Cybersecurity Framework in the AWS
Aligning to the NIST Cybersecurity Framework in the AWS
 
Deep dive into AWS IAM
Deep dive into AWS IAMDeep dive into AWS IAM
Deep dive into AWS IAM
 
Azure AD Presentation - @ BITPro - Ajay
Azure AD Presentation - @ BITPro - AjayAzure AD Presentation - @ BITPro - Ajay
Azure AD Presentation - @ BITPro - Ajay
 
Introduction to AWS Security
Introduction to AWS SecurityIntroduction to AWS Security
Introduction to AWS Security
 
AWS Control Tower
AWS Control TowerAWS Control Tower
AWS Control Tower
 
AWS Security Best Practices (March 2017)
AWS Security Best Practices (March 2017)AWS Security Best Practices (March 2017)
AWS Security Best Practices (March 2017)
 
AWS Cloud Security & Compliance Basics Webinar
AWS Cloud Security & Compliance Basics WebinarAWS Cloud Security & Compliance Basics Webinar
AWS Cloud Security & Compliance Basics Webinar
 
IAM Introduction and Best Practices
IAM Introduction and Best PracticesIAM Introduction and Best Practices
IAM Introduction and Best Practices
 
AWS networking fundamentals
AWS networking fundamentalsAWS networking fundamentals
AWS networking fundamentals
 
Building Secure Architectures on AWS
Building Secure Architectures on AWSBuilding Secure Architectures on AWS
Building Secure Architectures on AWS
 
Deep Dive on Amazon GuardDuty - AWS Online Tech Talks
Deep Dive on Amazon GuardDuty - AWS Online Tech TalksDeep Dive on Amazon GuardDuty - AWS Online Tech Talks
Deep Dive on Amazon GuardDuty - AWS Online Tech Talks
 
Introduction to Incident Response on AWS
Introduction to Incident Response on AWSIntroduction to Incident Response on AWS
Introduction to Incident Response on AWS
 
Aws IAM
Aws IAMAws IAM
Aws IAM
 
Identity and Access Management: The First Step in AWS Security
Identity and Access Management: The First Step in AWS SecurityIdentity and Access Management: The First Step in AWS Security
Identity and Access Management: The First Step in AWS Security
 
(DVO315) Log, Monitor and Analyze your IT with Amazon CloudWatch
(DVO315) Log, Monitor and Analyze your IT with Amazon CloudWatch(DVO315) Log, Monitor and Analyze your IT with Amazon CloudWatch
(DVO315) Log, Monitor and Analyze your IT with Amazon CloudWatch
 
Deploy and Govern at Scale with AWS Control Tower
Deploy and Govern at Scale with AWS Control TowerDeploy and Govern at Scale with AWS Control Tower
Deploy and Govern at Scale with AWS Control Tower
 
AWS IAM
AWS IAMAWS IAM
AWS IAM
 
Threat detection on AWS: An introduction to Amazon GuardDuty - FND216 - AWS r...
Threat detection on AWS: An introduction to Amazon GuardDuty - FND216 - AWS r...Threat detection on AWS: An introduction to Amazon GuardDuty - FND216 - AWS r...
Threat detection on AWS: An introduction to Amazon GuardDuty - FND216 - AWS r...
 

Similar to Perform Diagnostics on Running Instances without Affecting Availability & Reliability (ARC313-R2) - AWS re:Invent 2018

Security & Compliance for Modern Serverless Applications (SRV319-R1) - AWS re...
Security & Compliance for Modern Serverless Applications (SRV319-R1) - AWS re...Security & Compliance for Modern Serverless Applications (SRV319-R1) - AWS re...
Security & Compliance for Modern Serverless Applications (SRV319-R1) - AWS re...Amazon Web Services
 
Inventory and Patch Management Using AWS Systems Manager (ARC332) - AWS re:In...
Inventory and Patch Management Using AWS Systems Manager (ARC332) - AWS re:In...Inventory and Patch Management Using AWS Systems Manager (ARC332) - AWS re:In...
Inventory and Patch Management Using AWS Systems Manager (ARC332) - AWS re:In...Amazon Web Services
 
Mythical Mysfits: Management and Ops with AWS Fargate (CON322-R1) - AWS re:In...
Mythical Mysfits: Management and Ops with AWS Fargate (CON322-R1) - AWS re:In...Mythical Mysfits: Management and Ops with AWS Fargate (CON322-R1) - AWS re:In...
Mythical Mysfits: Management and Ops with AWS Fargate (CON322-R1) - AWS re:In...Amazon Web Services
 
How Nubank Automates Fine-Grained Security with IAM, AWS Lambda, and CI/CD (F...
How Nubank Automates Fine-Grained Security with IAM, AWS Lambda, and CI/CD (F...How Nubank Automates Fine-Grained Security with IAM, AWS Lambda, and CI/CD (F...
How Nubank Automates Fine-Grained Security with IAM, AWS Lambda, and CI/CD (F...Amazon Web Services
 
Security, Identity, and Access Management - Module 3 Part 1 - AWSome Day 2017
Security, Identity, and Access Management - Module 3 Part 1 - AWSome Day 2017Security, Identity, and Access Management - Module 3 Part 1 - AWSome Day 2017
Security, Identity, and Access Management - Module 3 Part 1 - AWSome Day 2017Amazon Web Services
 
SRV315 Building Enterprise-Grade Serverless Apps
SRV315 Building Enterprise-Grade Serverless Apps SRV315 Building Enterprise-Grade Serverless Apps
SRV315 Building Enterprise-Grade Serverless AppsAmazon Web Services
 
Hands-on SaaS: Constructing a Multi-Tenant Solution on AWS (ARC327-R1) - AWS ...
Hands-on SaaS: Constructing a Multi-Tenant Solution on AWS (ARC327-R1) - AWS ...Hands-on SaaS: Constructing a Multi-Tenant Solution on AWS (ARC327-R1) - AWS ...
Hands-on SaaS: Constructing a Multi-Tenant Solution on AWS (ARC327-R1) - AWS ...Amazon Web Services
 
Configure Your Cloud to Make It Rain on Threats (SEC335-R1) - AWS re:Invent 2018
Configure Your Cloud to Make It Rain on Threats (SEC335-R1) - AWS re:Invent 2018Configure Your Cloud to Make It Rain on Threats (SEC335-R1) - AWS re:Invent 2018
Configure Your Cloud to Make It Rain on Threats (SEC335-R1) - AWS re:Invent 2018Amazon Web Services
 
Incident Response: Preparing and Simulating Threat Response
Incident Response: Preparing and Simulating Threat ResponseIncident Response: Preparing and Simulating Threat Response
Incident Response: Preparing and Simulating Threat ResponseAmazon Web Services
 
Cloud Security-how to create serverless applications
Cloud Security-how to create serverless applicationsCloud Security-how to create serverless applications
Cloud Security-how to create serverless applicationsAmazon Web Services
 
What's New in AWS Security Features
What's New in AWS Security FeaturesWhat's New in AWS Security Features
What's New in AWS Security FeaturesAmazon Web Services
 
Thirty Serverless Architectures in 30 Minutes - SRV325 - Chicago AWS Summit
Thirty Serverless Architectures in 30 Minutes - SRV325 - Chicago AWS SummitThirty Serverless Architectures in 30 Minutes - SRV325 - Chicago AWS Summit
Thirty Serverless Architectures in 30 Minutes - SRV325 - Chicago AWS SummitAmazon Web Services
 
AWSome Day 2016 - Module 3: Security, Identity, and Access Management
AWSome Day 2016 - Module 3: Security, Identity, and Access ManagementAWSome Day 2016 - Module 3: Security, Identity, and Access Management
AWSome Day 2016 - Module 3: Security, Identity, and Access ManagementAmazon Web Services
 
Network Security and Access Control within AWS
Network Security and Access Control within AWS Network Security and Access Control within AWS
Network Security and Access Control within AWS Amazon Web Services
 
Network Security and Access Control in AWS
Network Security and Access Control in AWSNetwork Security and Access Control in AWS
Network Security and Access Control in AWSAmazon Web Services
 
Build end-to-end IT lifecycle management on AWS - FND301-R - AWS re:Inforce 2...
Build end-to-end IT lifecycle management on AWS - FND301-R - AWS re:Inforce 2...Build end-to-end IT lifecycle management on AWS - FND301-R - AWS re:Inforce 2...
Build end-to-end IT lifecycle management on AWS - FND301-R - AWS re:Inforce 2...Amazon Web Services
 
Hands-On with Advanced AWS CloudFormation Techniques and New Features (DEV335...
Hands-On with Advanced AWS CloudFormation Techniques and New Features (DEV335...Hands-On with Advanced AWS CloudFormation Techniques and New Features (DEV335...
Hands-On with Advanced AWS CloudFormation Techniques and New Features (DEV335...Amazon Web Services
 
Become an IAM Policy Master in 60 Minutes or Less (SEC316-R1) - AWS reInvent ...
Become an IAM Policy Master in 60 Minutes or Less (SEC316-R1) - AWS reInvent ...Become an IAM Policy Master in 60 Minutes or Less (SEC316-R1) - AWS reInvent ...
Become an IAM Policy Master in 60 Minutes or Less (SEC316-R1) - AWS reInvent ...Amazon Web Services
 

Similar to Perform Diagnostics on Running Instances without Affecting Availability & Reliability (ARC313-R2) - AWS re:Invent 2018 (20)

Security & Compliance for Modern Serverless Applications (SRV319-R1) - AWS re...
Security & Compliance for Modern Serverless Applications (SRV319-R1) - AWS re...Security & Compliance for Modern Serverless Applications (SRV319-R1) - AWS re...
Security & Compliance for Modern Serverless Applications (SRV319-R1) - AWS re...
 
Inventory and Patch Management Using AWS Systems Manager (ARC332) - AWS re:In...
Inventory and Patch Management Using AWS Systems Manager (ARC332) - AWS re:In...Inventory and Patch Management Using AWS Systems Manager (ARC332) - AWS re:In...
Inventory and Patch Management Using AWS Systems Manager (ARC332) - AWS re:In...
 
Mythical Mysfits: Management and Ops with AWS Fargate (CON322-R1) - AWS re:In...
Mythical Mysfits: Management and Ops with AWS Fargate (CON322-R1) - AWS re:In...Mythical Mysfits: Management and Ops with AWS Fargate (CON322-R1) - AWS re:In...
Mythical Mysfits: Management and Ops with AWS Fargate (CON322-R1) - AWS re:In...
 
How Nubank Automates Fine-Grained Security with IAM, AWS Lambda, and CI/CD (F...
How Nubank Automates Fine-Grained Security with IAM, AWS Lambda, and CI/CD (F...How Nubank Automates Fine-Grained Security with IAM, AWS Lambda, and CI/CD (F...
How Nubank Automates Fine-Grained Security with IAM, AWS Lambda, and CI/CD (F...
 
Security, Identity, and Access Management - Module 3 Part 1 - AWSome Day 2017
Security, Identity, and Access Management - Module 3 Part 1 - AWSome Day 2017Security, Identity, and Access Management - Module 3 Part 1 - AWSome Day 2017
Security, Identity, and Access Management - Module 3 Part 1 - AWSome Day 2017
 
SRV315 Building Enterprise-Grade Serverless Apps
SRV315 Building Enterprise-Grade Serverless Apps SRV315 Building Enterprise-Grade Serverless Apps
SRV315 Building Enterprise-Grade Serverless Apps
 
Federation & Access Management
Federation & Access ManagementFederation & Access Management
Federation & Access Management
 
Hands-on SaaS: Constructing a Multi-Tenant Solution on AWS (ARC327-R1) - AWS ...
Hands-on SaaS: Constructing a Multi-Tenant Solution on AWS (ARC327-R1) - AWS ...Hands-on SaaS: Constructing a Multi-Tenant Solution on AWS (ARC327-R1) - AWS ...
Hands-on SaaS: Constructing a Multi-Tenant Solution on AWS (ARC327-R1) - AWS ...
 
Configure Your Cloud to Make It Rain on Threats (SEC335-R1) - AWS re:Invent 2018
Configure Your Cloud to Make It Rain on Threats (SEC335-R1) - AWS re:Invent 2018Configure Your Cloud to Make It Rain on Threats (SEC335-R1) - AWS re:Invent 2018
Configure Your Cloud to Make It Rain on Threats (SEC335-R1) - AWS re:Invent 2018
 
Incident Response: Preparing and Simulating Threat Response
Incident Response: Preparing and Simulating Threat ResponseIncident Response: Preparing and Simulating Threat Response
Incident Response: Preparing and Simulating Threat Response
 
Cloud Security-how to create serverless applications
Cloud Security-how to create serverless applicationsCloud Security-how to create serverless applications
Cloud Security-how to create serverless applications
 
What's New in AWS Security Features
What's New in AWS Security FeaturesWhat's New in AWS Security Features
What's New in AWS Security Features
 
AWSM2C3.pptx
AWSM2C3.pptxAWSM2C3.pptx
AWSM2C3.pptx
 
Thirty Serverless Architectures in 30 Minutes - SRV325 - Chicago AWS Summit
Thirty Serverless Architectures in 30 Minutes - SRV325 - Chicago AWS SummitThirty Serverless Architectures in 30 Minutes - SRV325 - Chicago AWS Summit
Thirty Serverless Architectures in 30 Minutes - SRV325 - Chicago AWS Summit
 
AWSome Day 2016 - Module 3: Security, Identity, and Access Management
AWSome Day 2016 - Module 3: Security, Identity, and Access ManagementAWSome Day 2016 - Module 3: Security, Identity, and Access Management
AWSome Day 2016 - Module 3: Security, Identity, and Access Management
 
Network Security and Access Control within AWS
Network Security and Access Control within AWS Network Security and Access Control within AWS
Network Security and Access Control within AWS
 
Network Security and Access Control in AWS
Network Security and Access Control in AWSNetwork Security and Access Control in AWS
Network Security and Access Control in AWS
 
Build end-to-end IT lifecycle management on AWS - FND301-R - AWS re:Inforce 2...
Build end-to-end IT lifecycle management on AWS - FND301-R - AWS re:Inforce 2...Build end-to-end IT lifecycle management on AWS - FND301-R - AWS re:Inforce 2...
Build end-to-end IT lifecycle management on AWS - FND301-R - AWS re:Inforce 2...
 
Hands-On with Advanced AWS CloudFormation Techniques and New Features (DEV335...
Hands-On with Advanced AWS CloudFormation Techniques and New Features (DEV335...Hands-On with Advanced AWS CloudFormation Techniques and New Features (DEV335...
Hands-On with Advanced AWS CloudFormation Techniques and New Features (DEV335...
 
Become an IAM Policy Master in 60 Minutes or Less (SEC316-R1) - AWS reInvent ...
Become an IAM Policy Master in 60 Minutes or Less (SEC316-R1) - AWS reInvent ...Become an IAM Policy Master in 60 Minutes or Less (SEC316-R1) - AWS reInvent ...
Become an IAM Policy Master in 60 Minutes or Less (SEC316-R1) - AWS reInvent ...
 

More from Amazon Web Services

Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...Amazon Web Services
 
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...Amazon Web Services
 
Esegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS FargateEsegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS FargateAmazon Web Services
 
Costruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWSCostruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWSAmazon Web Services
 
Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot Amazon Web Services
 
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...Amazon Web Services
 
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...Amazon Web Services
 
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows WorkloadsMicrosoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows WorkloadsAmazon Web Services
 
Database Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatareDatabase Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatareAmazon Web Services
 
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJSCrea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJSAmazon Web Services
 
API moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAPI moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAmazon Web Services
 
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareDatabase Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareAmazon Web Services
 
Tools for building your MVP on AWS
Tools for building your MVP on AWSTools for building your MVP on AWS
Tools for building your MVP on AWSAmazon Web Services
 
How to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckHow to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckAmazon Web Services
 
Building a web application without servers
Building a web application without serversBuilding a web application without servers
Building a web application without serversAmazon Web Services
 
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...Amazon Web Services
 
Introduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceIntroduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceAmazon Web Services
 

More from Amazon Web Services (20)

Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
 
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
 
Esegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS FargateEsegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS Fargate
 
Costruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWSCostruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWS
 
Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot
 
Open banking as a service
Open banking as a serviceOpen banking as a service
Open banking as a service
 
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
 
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
 
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows WorkloadsMicrosoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
 
Computer Vision con AWS
Computer Vision con AWSComputer Vision con AWS
Computer Vision con AWS
 
Database Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatareDatabase Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatare
 
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJSCrea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
 
API moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAPI moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e web
 
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareDatabase Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
 
Tools for building your MVP on AWS
Tools for building your MVP on AWSTools for building your MVP on AWS
Tools for building your MVP on AWS
 
How to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckHow to Build a Winning Pitch Deck
How to Build a Winning Pitch Deck
 
Building a web application without servers
Building a web application without serversBuilding a web application without servers
Building a web application without servers
 
Fundraising Essentials
Fundraising EssentialsFundraising Essentials
Fundraising Essentials
 
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
 
Introduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceIntroduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container Service
 

Perform Diagnostics on Running Instances without Affecting Availability & Reliability (ARC313-R2) - AWS re:Invent 2018

  • 1.
  • 2. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. Perform Diagnostics on Running Instances without Affecting Availability & Reliability Nirav Kothari Principal Consultant – AWS Professional Services AWS A R C 3 1 3
  • 3. Break-glass procedure: Granting emergency access to critical systems Break glass (which draws its name from breaking the glass to pull a fire alarm) refers to a quick means for a person who does not have access privileges to certain information to gain access when necessary
  • 4. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. Agenda “Break-glass” solution automation overview Solution deep dive Part 1: Pre-requisites Part 2: AWS Identity and Access Management (IAM) Part 3: Amazon Simple Notification Service (Amazon SNS) Part 4: Amazon CloudWatch Part 5: AWS Lambda Part 6: AWS Service Catalog Part 7: AWS Systems Manager (Systems Manager)
  • 5. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. Breakout repeats Monday, November 26 ARC313-R - [REPEAT] Perform Diagnostics on Running Instances without Affecting Availability/Reliability 04:00 p.m. – 05:00 p.m. | Aria West, Level 3, Starvine 10, Table 5, T1 Tuesday, November 27 ARC313-R1 - [REPEAT 1] Perform Diagnostics on Running Instances without Affecting Availability/Reliability 10:00 a.m. – 11:00 a.m. | Aria West, Level 3, Starvine 3, Table 2, T1 Wednesday, November 28 ARC313-R2 - [REPEAT 2] Perform Diagnostics on Running Instances without Affecting Availability/Reliability 02:30 p.m. – 03:30 p.m. | Mirage, Grand Ballroom B, Table 8, T1
  • 6. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. What are we solving? We are solving two separate use cases 1. On-demand, temporary remote access (SSH) for Amazon Elastic Compute Cloud (Amazon EC2) instances running in a regulated production environment; if your requirement is basic shell access to an Amazon EC2 instance, you can use AWS Systems Manager; more information here: https://aws.amazon.com/blogs/aws/new-session-manager/ 2. On-demand, temporary higher-privilege access to AWS APIs, for instance network super user
  • 7. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. “Break-glass” solution overview virtual private cloud VPC subnet VPC subnet EC2 instance Bastion host Target hosts Target hosts Users / requestor Helpdesk Agent Approver Lambda function Amazon CloudWatch Event AWS Service Catalog IAM AWS Management Console Process flow User has a need for privileged access or remote access (SSH) to a target host; user calls Helpdesk to request access Helpdesk gathers required information to create emergency change request Helpdesk reviews information with approver and gets the request approved. Upon approval Helpdesk receives MFA code for GlassBreak user Helpdesk agent logs on to AWS Management Console using this MFA code Upon successful login, CloudWatch rule generates an event Event publishes notification using Amazon SNS, sends email notification to Helpdesk agent, and triggers Lambda function Lambda function acts as a login script and adds the GlassBreak user to a group that has access to an AWS Service Catalog Helpdesk agent gets end user’s username and public key (from the user) and inputs that as a parameter and duration of access to provision AWS Service Catalog product AWS Service Catalog uses Systems Manager to create a user in the bastion host, create a *kill* Lambda function based on the duration of access requested, and remove the GlassBreak user from group that has access to AWS Service Catalog
  • 8. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. Let’s break it down . . . Part 1: Pre-requisites These components are required to support break-glass automation 1. A bastion host with no users allowed and AWS Systems Manager installed; Amazon AMIs have SSM agent pre-installed 2. Security group that allows remote access to bastion host with pre-approved IP addresses in source 3. An EC2 instance role that allows Systems Manager and some additional access for the automation to work, we will also add network admin functional role policy for this use case. I’m using SSM, network admin policy, and a few more permissions for this use case; we will be using bastion host at the end of duration to delete automation 4. Target host(s) that allows remote access from bastion host security group
  • 9. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. Let’s break it down . . . Part 2: IAM These users and roles are required 1. A pre-designated GlassBreak user with no permissions; this user account will inherit permissions later at run time 2. A group with appropriate permissions to execute AWS CloudFormation template, run a Lambda function, and access to an existing AWS Service Catalog that will be used at run time
  • 10. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. Let’s break it down . . . Part 3: Amazon SNS We need Amazon SNS topic for automation to work 1. SNS topic with two subscriptions 1. An email address, Helpdesk email address, to notify that the GlassBreak user has access to AWS Service Catalog that will run the automation 2. A Lambda function that will detect successful login of the GlassBreak user and add it to a group that has access to AWS Service Catalog
  • 11. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. Let’s break it down . . . Part 4: Amazon CloudWatch Events Create a rule that will monitor successful login by GlassBreak user and publish on an existing SNS topic 1. Imagine executing a login script
  • 12. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. Let’s break it down . . . Part 5: AWS Lambda Two separate Lambda functions are used in this solution 1. The first Lambda function will be pre-installed and will be triggered by an event. This is an event generated by CloudWatch Events rule upon detecting a successful login from GlassBreak (pre-designated) user  Think of this as a login script 2. The second Lambda function will be deployed by AWS Service Catalog that will accept end user’s public key and duration of the access. Lambda function will be scheduled based on the duration, and it would perform a clean-up of all the resources deployed by this automation  Think of this as a clean-up script
  • 13. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. Let’s break it down . . . Part 6: AWS Service Catalog AWS Service Catalog to execute process automation 1. AWS Service Catalog will accept requestor public key and duration for the privileged access 2. Take these parameters and create user with end-user provided public key on bastion host; this will allow the requestor to log in to bastion host using their private key 3. AWS Service Catalog will take the duration of access parameter and create a Lambda function that will perform a clean-up at the end of duration 4. Upon successful completion, this AWS Service Catalog will remove GlassBreak user from the group that has access to this AWS Service Catalog, run one time
  • 14. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. Let’s break it down . . . Part 7: AWS Systems Manager Systems Manager is used for two functions 1. When AWS Service Catalog is executed, it uses Systems Manager to insert user- provided public key in the bastion host’s *authorized_keys* file; this will allow user to log in to bastion host using their own private keys 2. A shell script deployed through AWS Service Catalog to delete (self-delete) the AWS CloudFormation template (that is, “Service Catalog”)
  • 15. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. Additional details Given the nature of temporary access required, automation has these features 1. The designated user will never have any permissions; upon successful login, governed by a two-factor authentication, they will get one-time run access to automation 2. Automation will accept duration of access as a mandatory field; this is to ensure that users have privileged access only for the duration that was approved; if they need to extend their session, they will have to go through this entire process again 3. Automation ensures that every time a new user is added to bastion host, a log file is updated for audit 4. Run once access to GlassBreak user is provided through an AWS Service Catalog, additional auditing and tracking capabilities 5. AWS Service Catalog will remove the GlassBreak user from group to ensure that the Helpdesk agent can run this automation only one time 6. AWS Service Catalog creates a self-destructing Lambda function to ensure everything deployed with this automation self-cleans at the end of the duration 7. To allow multiple users access at the same time and to ensure that there might not be a first in-first out, all function names are dynamically assigned in the code
  • 16. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. Optimization options Break-glass solution and this lab were designed to use AWS native services. 1. If your organization has SSH key management solution, you can update the AWS Service Catalog to ask for duration only; you can automate key vending from your current key management implementation 2. Duration of access is parameterized to allow any duration between 5 and 60 mins; update it as per your organization requirement 3. Solution assumes that end user will use AWS Command Line Interface (AWS CLI) for privilege access; after access to bastion host is granted, if they prefer UI access, consider workspaces to replace bastion host or grant role to the userID 4. You can add Amazon SNS notification in the clean-up function to notify you when the end-user access is revoked 5. This solution assumes that you have a bastion host that’s always running, with specific functional roles such as EC2 admins, network admins, etc., you can create bastion host with individual functional roles for your environment, or automate the solution to accept privilege required as a parameter and provision bastion host at run time 6. You can enable session logging on bastion host for additional logging and auditing purposes; please refer to https://aws.amazon.com/blogs/security/how-to-record-ssh-sessions-established-through-a-bastion-host/
  • 17. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. “Break glass” summary slide Request routed for approval Approver shares MFA code Lambda adds user to group Helpdesk logs in as GlassBreak user User request CWE detects login Helpdesk notified and Lambda triggered Helpdesk runs AWS Service Catalog Accepts end user’s pub key and duration Systems Manager creates user on bastion host Clean up Lambda function scheduled based on duration User gains access to AWS Service Catalog Approved? Check duration?GlassBreak user removed from group Run Cleanup function Terminate GlassBreak user’s SSH session Systems Manager deletes end user from bastion host Delete AWS Service Catalog provisioned product End Helpdesk gathers information 1 1 Wait 2 2 3 3
  • 18. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
  • 19. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. Acronyms used in this document Acronym Description Requestor An end user/user that is requesting temporary privilege access Helpdesk or Helpdesk agent Support staff that receives the request routes it through organizational approval process and runs AWS Service Catalog that would grant temporary access to end user Approver A designated approver in your organization authorized to approve an emergency change request EC2 Amazon EC2 service; more information can be found here https://aws.amazon.com/ec2/ IAM AWS Identity and Access Management (IAM) service; more information can be found here https://aws.amazon.com/iam/ Systems Manager AWS Systems Manager service; more information can be found here https://aws.amazon.com/systems-manager/?nc2=h_m1 AWS Service Catalog AWS Service Catalog service; more information can be found here https://aws.amazon.com/servicecatalog/?nc2=h_m1 CloudWatch Events Part of Amazon CloudWatch service; more information can be found here https://aws.amazon.com/cloudwatch/?nc2=h_m1 Lambda AWS Lambda service; more information can be found here https://aws.amazon.com/lambda/?nc2=h_m1
  • 20. Thank you! © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. Nirav Kothari kotharin@amazon.com
  • 21. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.