
(SEC314) AWS for the Enterprise: Implementing Policy, Governance & Security


"AWS Config enables you to discover what resources are used on AWS, understand how resources are configured and gives you unprecedented visibility into changes to configurations over time – all without disrupting end user productivity. With Config Rules, you can continuously evaluate whether changes to resources are compliant with policies. You can set up predefined rules, provided and managed by AWS, or author your own rules using AWS Lambda, and these rules are evaluated whenever relevant resources are modified. You can use this visibility and control to assess and improve your security and compliance posture.

We will dive deep into other new capabilities in AWS Config and cover how you can integrate with IT service management, configuration management, and other tools. In this session, we will look at:

- AWS Config Rules: how to create and use rules that govern configuration changes recorded by AWS Config.
- New capabilities in AWS Config: usability changes, better controls and other enhancements.
- Mechanisms to aggregate deep visibility across AWS to gain insights into your overall security and operational posture.

This session is best suited for administrators, security-ops and developers with a focus on audit, security and compliance."


  1. © 2015, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Prashant Prahlad, Amazon Web Services, October 2015. SEC314 NEW LAUNCH! AWS Config/Config Rules: Using Config Rules to Improve Governance over Configuration Changes to Your Resources
  2. What to expect from the session. After this session, you will be able to:
     • Start using AWS Config to gain visibility into configuration changes on your resources
     • Integrate with existing tools/processes and aggregate data across accounts
     • Config Rules: get better control over changes by setting up rules that evaluate the configurations recorded
     • Feature announcements for AWS Config
  3. Visibility: A foundational element for security. In your datacenter… what you want to see vs. what you’re likely to see.
  4. Administrator pains
     • “I don’t know who bought this server or what’s running in there. I have great records for my services and I just support legacy systems that came in before my time, and hope it’s working correctly” – Anonymous administrator
     • “I have a CMDB that works most of the time. I can’t really act on this information because it’s pretty stale” – Security team at Enterprise
  5. Visibility: A foundational element for security. In the cloud…
     • Infrastructure = software!
     • Change is frequent, automated, and impactful
     • Resources are connected
     • Can’t take away powers: self service and agility
  6. Visibility: A foundational element for security. In the cloud… Options:
     • Poll Describe APIs for changes
     • Maintain infrastructure to capture changes
     • Waste resources with a lot of duplicate data
     • Normalize results from different service endpoints
     Can this be cheaper, faster, and less error-prone?
  7. AWS Config
     • Get inventory of AWS resources
     • Discover new and deleted resources
     • Record configuration changes continuously
     • Get notified when configurations change
  8. AWS Config (diagram): Changing Resources → Record → Normalize → Store → Deliver (Stream, Snapshot (ex. 2014-11-05), History) → AWS Config APIs
  9. Config Rules (preview)
     • Set up rules to check the configuration changes recorded
     • Use pre-built rules provided by AWS
     • Author custom rules using AWS Lambda
     • Invoked automatically for continuous assessment
     • Use the dashboard for visualizing compliance and identifying offending changes
  10. AWS Config & Config Rules (diagram): Changing Resources → Record → Normalize → Store → Rules → Deliver (Stream, Snapshot (ex. 2014-11-05), History) → AWS Config APIs
  11. Getting Started
  12. Multi-region aggregation of delivered data (diagram): Region 1, Region 2 and Region 3 deliver to a common S3 bucket; SNS Topic: Region 1, SNS Topic: Region 2 and SNS Topic: Region 3 feed a common SQS queue.
      • Amazon S3 policies should permit accounts to write Config data
      • Amazon SQS/Amazon SNS publish/subscribe permissions should be set
  13. Key Concepts
  14. Configuration Item: all configuration attributes for a given resource at a given point in time, captured on every configuration change.
  15. Configuration Item
      | Component | Description | Contains |
      | --- | --- | --- |
      | Metadata | Information about this configuration item | Version ID, configuration item ID, time when the configuration item was captured, state ID indicating the ordering of the configuration items of a resource, MD5Hash, etc. |
      | Common Attributes | Resource attributes | Resource ID, tags, resource type, Amazon Resource Name (ARN), Availability Zone, etc. |
      | Relationships | How the resource is related to other resources associated with the account | EBS volume vol-1234567 is attached to an EC2 instance i-a1b2c3d4 |
      | Current Configuration | Information returned through a call to the Describe or List API of the resource | e.g. for an EBS volume: state of the DeleteOnTermination flag; type of volume, for example gp2, io1, or standard |
      | Related Events | The AWS CloudTrail events that are related to the current configuration of the resource | AWS CloudTrail event ID |
  16. Sample Configuration Item (metadata, common attributes, relationships and related events; continued on the next slide):
      ```json
      {
        "configurationItemVersion": "1.0",
        "configurationItemCaptureTime": "2014…",
        "configurationStateID": "….",
        "configurationItemStatus": "OK",
        "resourceId": "vol-ce676ccc",
        "arn": "arn:aws:us-west-………",
        "accountId": "12345678910",
        "availabilityZone": "us-west-2b",
        "resourceType": "AWS::EC2::Volume",
        "resourceCreationTime": "2014-02..",
        "tags": {},
        "relationships": [
          {
            "resourceId": "i-344c463d",
            "resourceType": "AWS::EC2::Instance",
            "name": "Attached to Instance"
          }
        ],
        "relatedEvents": [
          "06c12a39-eb35-11de-ae07-db69edbb1e4"
        ],
      ```
  17. Sample Configuration Item (the configuration block):
      ```json
        "configuration": {
          "volumeId": "vol-ce676ccc",
          "size": 1,
          "snapshotId": "",
          "availabilityZone": "us-west-2b",
          "state": "in-use",
          "createTime": "2014-02-……",
          "attachments": [
            {
              "volumeId": "vol-ce676ccc",
              "instanceId": "i-344c463d",
              "device": "/dev/sdf",
              "state": "attached",
              "attachTime": "2014-03-",
              "deleteOnTermination": false
            }
          ],
          "tags": [
            {
              "tagName": "environment",
              "tagValue": "PROD"
            }
          ]
        }
      }
      ```
  18. Relationships: a bi-directional map of dependencies, automatically assigned. A change to a resource propagates to create configuration items for the related resources (e.g. EC2 instance ↔ Elastic IP).
  19. Config Rule: a rule that checks the validity of the configurations recorded
      • AWS managed rules: defined by AWS; require minimal (or no) configuration; rules are managed by AWS
      • Customer managed rules: authored by you using AWS Lambda; rules execute in your account; you maintain the rule
  20. Config Rules - Triggers
      • Triggered by changes: rules invoked when relevant resources change. Scoped by changes to: tag key/value, resource types, or a specific resource ID. e.g. EBS volumes tagged “Production” should be attached to EC2 instances
      • Triggered periodically: rules invoked at a specified frequency. e.g. Account should have no more than 3 “PCI v3” EC2 instances; every 3 hrs
  21. Evaluations: the result of evaluating a Config rule against a resource
      • Report the evaluation of {Rule, ResourceType, ResourceID} directly from the rule itself
  22. Config Rules - Example
      ```javascript
      var AWS = require('aws-sdk');
      var config = new AWS.ConfigService();

      // COMPLIANT when the instance runs one of the two approved AMIs passed as rule parameters
      function evaluateCompliance(configurationItem, ruleParameters) {
          if ((configurationItem.configuration.imageId === ruleParameters.approvedImage1) ||
              (configurationItem.configuration.imageId === ruleParameters.approvedImage2))
              return 'COMPLIANT';
          else
              return 'NON_COMPLIANT';
      }

      exports.handler = function(event, context) {
          var invokingEvent = JSON.parse(event.invokingEvent);   // carries the configuration item
          var ruleParameters = JSON.parse(event.ruleParameters); // approvedImage1 / approvedImage2
          var compliance = evaluateCompliance(invokingEvent.configurationItem, ruleParameters);
          var putEvaluationsRequest = {
              Evaluations: [{
                  ComplianceResourceType: invokingEvent.configurationItem.resourceType,
                  ComplianceResourceId: invokingEvent.configurationItem.resourceId,
                  ComplianceType: compliance,
                  // field elided on the slide; required by the PutEvaluations API
                  OrderingTimestamp: invokingEvent.configurationItem.configurationItemCaptureTime
              }],
              // token AWS Config supplies with each rule invocation (elided on the slide)
              ResultToken: event.resultToken
          };
          // Report the result back to AWS Config
          config.putEvaluations(putEvaluationsRequest, function (err, data) {
              if (err) context.fail(err); else context.succeed(data);
          });
      };
      ```
  23. Use Cases
  24. Use cases enabled
      • Security analysis: Am I safe?
      • Audit compliance: Where is the evidence?
      • Change management: What will this change affect?
      • Troubleshooting: What has changed?
      • Discovery: What resources exist?
  25. Am I safe? Properly configured resources are critical to security. AWS Config continuously monitors configuration changes and helps you evaluate these configurations for potential security weaknesses using Config Rules.
  26. AWS managed rules
      1. All EC2 instances must be inside a VPC.
      2. All attached EBS volumes must be encrypted, with KMS ID.
      3. CloudTrail must be enabled, optionally with S3 bucket, SNS topic and CloudWatch Logs.
      4. All security groups in attached state should not have unrestricted access to port 22.
      5. All EIPs allocated for use in the VPC are attached to instances.
      6. All resources being monitored must be tagged with specified tag keys:values.
      7. All security groups in attached state should not have unrestricted access to these specific ports.
  27. Custom rules
      • Codify and automate your own practices
      • Get started with samples in AWS Lambda
      • Implement guidelines for security best practices and compliance
      • Use rules from different AWS Partners
      • View compliance in one dashboard
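Added example, not from the deck: a customer-managed rule in the shape of slide 22 that codifies managed rules 4 and 7 from slide 26 (no unrestricted access to port 22, or to a parameterised list of ports). The `blockedPorts` parameter name, the helper names and the sample security groups are assumptions constructed for this example; field names follow the AWS::EC2::SecurityGroup configuration item.

```javascript
// Added example, not from the slides: a customer-managed rule that codifies "no
// unrestricted access to port 22 / these specific ports". Field names follow the
// AWS::EC2::SecurityGroup configuration item; blockedPorts is an assumed parameter.
const OPEN_WORLD = '0.0.0.0/0';

// True if one ipPermissions entry exposes `port` to the whole Internet.
function permissionExposes(perm, port) {
  const cidrs = (perm.ipRanges || []).map(r => (typeof r === 'string' ? r : r.cidrIp));
  if (!cidrs.includes(OPEN_WORLD)) return false;
  if (perm.ipProtocol === '-1') return true;            // "all traffic" entry
  if (perm.ipProtocol !== 'tcp') return false;
  return perm.fromPort <= port && port <= perm.toPort;  // port range covers it
}

// Evaluate one configuration item; blockedPorts is a comma list such as "22,3389".
function evaluateSecurityGroup(ci, ruleParameters) {
  if (ci.resourceType !== 'AWS::EC2::SecurityGroup') return 'NOT_APPLICABLE';
  const blocked = String(ruleParameters.blockedPorts || '22').split(',').map(Number);
  const perms = ci.configuration.ipPermissions || [];
  const exposed = blocked.some(port => perms.some(p => permissionExposes(p, port)));
  return exposed ? 'NON_COMPLIANT' : 'COMPLIANT';
}

// The PutEvaluations request body the handler reports back, as on slide 22.
function buildPutEvaluationsRequest(ci, complianceType, resultToken) {
  return {
    Evaluations: [{ ComplianceResourceType: ci.resourceType, ComplianceResourceId: ci.resourceId,
                    ComplianceType: complianceType, OrderingTimestamp: ci.configurationItemCaptureTime }],
    ResultToken: resultToken,
  };
}

// Lambda entry point; aws-sdk is loaded lazily so the pure functions above run anywhere.
function handler(event, context) {
  const ci = JSON.parse(event.invokingEvent).configurationItem;
  const params = JSON.parse(event.ruleParameters || '{}');
  const request = buildPutEvaluationsRequest(ci, evaluateSecurityGroup(ci, params), event.resultToken);
  new (require('aws-sdk').ConfigService)().putEvaluations(request, (err, data) =>
    (err ? context.fail(err) : context.succeed(data)));
}
if (typeof exports !== 'undefined') exports.handler = handler;

// Constructed sample items: SSH open to the world, an "all traffic" entry, and a locked-down group.
const sg = (id, perms) => ({ resourceType: 'AWS::EC2::SecurityGroup', resourceId: id,
  configurationItemCaptureTime: '2015-10-01T00:00:00Z', configuration: { ipPermissions: perms } });
const SAMPLE_ITEMS = {
  open: sg('sg-open', [{ ipProtocol: 'tcp', fromPort: 22, toPort: 22, ipRanges: ['0.0.0.0/0'] }]),
  any: sg('sg-any', [{ ipProtocol: '-1', ipRanges: ['0.0.0.0/0'] }]),
  locked: sg('sg-locked', [{ ipProtocol: 'tcp', fromPort: 22, toPort: 22, ipRanges: ['10.0.0.0/8'] }]),
};
```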
  28. Evidence for compliance: Many compliance audits require access to the state of your systems at arbitrary times (e.g., PCI, HIPAA). A complete inventory of all resources and their configuration attributes is available for any point in time. But what does a jellyfish have to do with compliance?
  29. AWS CLI
      ```shell
      aws configservice get-resource-config-history --resource-type AWS::EC2::VPC --resource-id vpc-47fa0322 --earlier-time 2015-10-01 ...
      ```
  30. Change management: Option 1 (diagram): Account 1, Account 2 and Account 3 deliver to a common S3 bucket and a common SNS topic; an adaptor pipes the data into the existing CMDB (BMC, HP, custom CMDB). The adaptor is custom software to convert JSON into the CMDB’s format.
  31. Change management: Option 2 (diagram): Account 1, Account 2 and Account 3 are used in federated form, each with an adaptor against the AWS Config API feeding BMC or HP. The adaptor is custom software needed to convert JSON into the CMDB’s format.
  32. What resources exist? Discover resources that exist in your account; discover resources that no longer exist in your account. A complete inventory of all resources and their configuration attributes is available via API and console.
  33. What changed? It is critical to be able to quickly answer, “What has changed?” You can quickly identify the recent configuration changes to your resources by using the console or by building custom integrations with the regularly exported resource history files.
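Added example, not from the deck: one way to answer “What has changed?” from the configuration items that get-resource-config-history (slide 29) returns, diffing consecutive items attribute by attribute and keeping the related CloudTrail event IDs for pivoting. The item shape follows the sample on slides 16/17; the history, its timestamps and event IDs are constructed, and the helper names are assumptions.

```javascript
// Added example, not from the slides: turn the configuration-item history that
// get-resource-config-history returns into a "what changed" report. Item shape
// follows the sample on slides 16/17; the history itself is constructed.

// Flatten nested objects/arrays into "attachments[0].device" -> leaf value pairs.
function flatten(value, prefix = '', out = {}) {
  if (Array.isArray(value)) value.forEach((v, i) => flatten(v, `${prefix}[${i}]`, out));
  else if (value !== null && typeof value === 'object')
    for (const [k, v] of Object.entries(value)) flatten(v, prefix ? `${prefix}.${k}` : k, out);
  else out[prefix] = value;
  return out;
}

// Attribute-level diff of two items' `configuration` blocks (undefined = attribute absent).
function diffConfigurations(older, newer) {
  const a = flatten(older.configuration), b = flatten(newer.configuration);
  const changes = [];
  for (const path of new Set([...Object.keys(a), ...Object.keys(b)]))
    if (a[path] !== b[path]) changes.push({ path, before: a[path], after: b[path] });
  return changes.sort((x, y) => x.path.localeCompare(y.path));
}

// Order the history by capture time and report what changed between consecutive items,
// keeping the related CloudTrail event ids so each change can be traced to an API call.
function changesFromHistory(configurationItems) {
  const ordered = [...configurationItems].sort((x, y) =>
    x.configurationItemCaptureTime.localeCompare(y.configurationItemCaptureTime));
  const report = [];
  for (let i = 1; i < ordered.length; i++)
    report.push({ at: ordered[i].configurationItemCaptureTime,
                  relatedEvents: ordered[i].relatedEvents || [],
                  changes: diffConfigurations(ordered[i - 1], ordered[i]) });
  return report;
}

// Constructed history for one EBS volume (out of order on purpose); event ids are placeholders.
const item = (time, eventId, configuration) => ({
  resourceId: 'vol-ce676ccc', resourceType: 'AWS::EC2::Volume',
  configurationItemCaptureTime: time, relatedEvents: [eventId], configuration });
const tags = [{ tagName: 'environment', tagValue: 'PROD' }];
const attached = dot => [{ instanceId: 'i-344c463d', device: '/dev/sdf', state: 'attached', deleteOnTermination: dot }];
const SAMPLE_HISTORY = [
  item('2015-10-03T09:00:00Z', 'event-id-3', { volumeId: 'vol-ce676ccc', size: 1, state: 'in-use', attachments: attached(true), tags }),
  item('2015-10-01T09:00:00Z', 'event-id-1', { volumeId: 'vol-ce676ccc', size: 1, state: 'available', attachments: [], tags }),
  item('2015-10-02T09:00:00Z', 'event-id-2', { volumeId: 'vol-ce676ccc', size: 1, state: 'in-use', attachments: attached(false), tags }),
];
```

For the constructed history, the report shows the volume being attached on 2015-10-02 and its deleteOnTermination flag flipping to true on 2015-10-03, each entry carrying the event ID to look up in CloudTrail.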
  34. Coverage
  35. Supported resource types
      | Resource Type | Resource |
      | --- | --- |
      | Amazon EC2 | EC2 Instance, EC2 Elastic IP (VPC only), EC2 Security Group, EC2 Network Interface |
      | Amazon EBS | EBS Volume |
      | Amazon VPC | VPCs, Network ACLs, Route Table, Subnet, VPN Connection, Internet Gateway, Customer Gateway, VPN Gateway |
      | AWS CloudTrail | Trail |
  36. AWS Identity and Access Management
      • Gain visibility into users, groups, roles, and policies
      • Answer:
        • What policies did user joe have on May 30, 2014?
        • Did anything change in the “dbUser” policy I created?
        • Who used the “dbUser” policy between November 10 and November 15?
      • Config Rules:
        • Create Config rules that check or validate policies attached to users, groups, or roles
        • Establish strong governance on changes to policy documents
  37. Amazon EC2 Dedicated Hosts
      • Gain visibility into the Amazon EC2 hosts which run your instances
      • Use the data for assessing compliance with OS licensing
      See CMP203: EC2 Enhancements for the Enterprise, Thursday, October 8, 1:30pm – 2:30pm, Palazzo H
  38. Supported resource types
      | Resource Type | Resource |
      | --- | --- |
      | Amazon EC2 | EC2 Instance, EC2 Elastic IP (VPC only), EC2 Security Group, EC2 Network Interface |
      | Amazon EBS | EBS Volume |
      | Amazon VPC | VPCs, Network ACLs, Route Table, Subnet, VPN Connection, Internet Gateway, Customer Gateway, VPN Gateway |
      | AWS CloudTrail | Trail |
      | Identity and Access Management | IAM Users, IAM Groups, IAM Roles, IAM Customer Managed Policies |
      | Amazon EC2 | Dedicated Hosts |
  39. AWS Config: Nine public AWS regions: US East (N. Virginia), US West (Oregon), US West (N. California), South America (Sao Paulo), EU (Ireland), EU (Frankfurt), Asia Pacific (Tokyo), Asia Pacific (Sydney), Asia Pacific (Singapore)
  40. AWS Config Rules preview: US East (N. Virginia)
  41. Growing Ecosystem
  42. https://aws.amazon.com/config/partners/loggly
  43. Example: Splunk app for AWS
  44. Config Rules: Partners we are working with
  45. Pricing
  46. AWS Config pricing: pay one time only per configuration item (CI) recorded: $0.003 per CI (all regions). Amazon S3/Amazon SNS charges applicable. No additional charges for CI storage or retrieval via APIs.
  47. Config Rules pricing: priced based on the number of active rules per month. $2.00 per active rule per month with an account-level allowance of 20,000 evaluations per active rule. Overage of $0.0001 per evaluation.
      • Evaluation: single result reported for the rule/resource. Evaluations are shared across rules in the account.
      • Active rule: rule with at least one evaluation that month
      • Customer managed rules may incur additional charges from AWS Lambda
  48. Pricing example: 2,500 CIs per month from all configuration changes; 5 active Config rules, reporting a total of 100 evaluations/day.
      • Total evaluations per month = 100 * 30 = 3,000 evaluations
      • Allowance for 5 Config rules = 5 * 20,000 = 100,000 evaluations
      • Config configuration items: 2,500 * $0.003 = $7.5
      • 5 active Config rules: 5 * $2.0 = $10.0
      • Evaluation charges: $0
      • Total charges: $17.5
  49. AWS security tools: What to use? AWS Security and Compliance: security of the cloud; services and tools to aid security in the cloud.
      | Service | Type | Use cases |
      | --- | --- | --- |
      | Inspector | On-demand evaluations | Security insights into your application deployments running inside your EC2 instance |
      | Config Rules | Continuous evaluations | Codified internal best practices, misconfigurations, security vulnerabilities, or actions on changes |
      | Trusted Advisor | Periodic evaluations | Cost, performance, reliability, and security checks that apply broadly |
  50. AWS Config: In 2015 (Recap)
      • General Availability – Feb 2015: AWS Config general availability
      • Optional + email-friendly notifications – March 2015: turn off SNS notifications, or use filter notifications in email
      • New Regions – April 2015: all 9 public AWS regions
      • New Partner: LogStorage – April 2015: integration with AWS Config for Enterprise Management (Japan)
      • Selective Resource – June 2015: select a subset of AWS resources for AWS Config to track
      • Discovery and Inventory – Aug 2015: new API and console to discover existing and deleted resources by simply providing the resource type
      • New Partner: Loggly – Oct 2015: analyze, track, and alert on AWS Config details with Loggly
      • Config Rules – Oct 2015 (Preview): rules to evaluate and report results
      • IAM resources – (Announced): track historical and current configurations for users, groups, roles, and policies
      • EC2 Dedicated Hosts – (Announced): track usage of dedicated hosts for assessing compliance with licensing
  51. Don’t forget
      • Sign up for the Config Rules preview NOW! https://aws.amazon.com/config/preview
      • Contact us via the AWS Config forums: https://forums.aws.amazon.com/forum.jspa?forumID=184
      • Enjoy re:Play!
  52. Remember to complete your evaluations!
  53. Thank you!
  54. Questions?
