SlideShare a Scribd company logo
1 of 87
Download to read offline
(SEC402) Intrusion Detection in the Cloud | AWS re:Invent 2014
Today’s Geek Agenda 
•Intrusion detection in your AWS environment 
•AWS-specific security features to build with 
•AWS-specific intrusion detection mechanisms w/ demos 
•Other tips, resources
• Operating System 
• Processes 
• Files 
• Packets 
• Flows ? 
Server Network Cloud
Configuration 
Amazon S3 Amazon EC2 Amazon VPC IAM Amazon RDS Elastic Beanstalk 
Security 
Group 
VPC 
Subnet 
Amazon 
S3 Bucket 
Groups, 
Users, 
Credentials 
Applications 
Amazon RDS DB 
Instances 
Objects 
Instances 
Internet 
Gateways 
Customer 
AWS 
Traditional IDS 
This Talk
Traditional IDS in AWS 
•On premises, Amazon VPC endpoint 
Amazon VPC 
Corporate Data Center 
VPN Gateway 
Customer Gateway 
Router
VPC Subnet 
Traditional IDS in AWS 
• In cloud, as VPC NAT gateway or on-instance 
Virtual Private Cloud 
Instances 
Internet 
Gateway
Configuration 
Amazon S3 Amazon EC2 Amazon VPC IAM Amazon RDS Elastic Beanstalk 
Security 
Group 
VPC 
Subnet 
Amazon 
S3 Bucket 
Groups, 
Users, 
Credentials 
Applications 
Amazon RDS DB 
Instances 
Objects 
Instances 
Internet 
Gateways 
Customer 
AWS 
Traditional IDS 
This Talk
Prerequisites 
•AWS Identity and Access Management (IAM) 
•Multi-Factor Authentication (MFA) 
•Amazon S3 Bucket Logging 
•And THREE more …
What’s a Role 
•Named IAM entity (name isn’t a secret) 
•Set of permissions 
•No credentials: Policy specifies who can assume
Security Role 
•You need insight when managing the security of many AWS accounts 
•Create a “security audit role” with “read” access to policies and configurations you want to monitor.
Security Role (Example Policy)
Security Role (Snippet of Example Policy)
Demonstration: Creating Security Role
Security Audit Policy Template is now available in AWS Management Console
Write-Once Storage 
•What is it good for 
–Tripwire 
–Configuration audits 
–Logs 
•Integrity for records of activity, historical configurations 
•Further enhanced by moving off-system or limiting availability to a VERY select few
Configuring Write-Once Storage 
•Bucket versioning 
•MFA delete 
•Go for the gusto: Create a second account 
–Bucket policy 
–Role
(SEC402) Intrusion Detection in the Cloud | AWS re:Invent 2014
(SEC402) Intrusion Detection in the Cloud | AWS re:Invent 2014
Audit Logs via AWS CloudTrail 
•AWS CloudTrailrecords API calls in your account and delivers logs to your Amazon S3 bucket. 
•Typically, delivers an event within 15 minutes of the API call. 
•Log files are delivered approximately every 5 minutes. 
•Currently in all public regions, supporting most AWS services 
Image Source: Jeff Barr
Turning on AWS CloudTrail 
•Have a centralized write-only store? Use it!
What is in the logs? 
•Whomade the API call? 
•Whenwas the API call made? 
•What was the API call? 
•Whatwere the resources that were acted up on in the API call? 
•Wherewas the API call made from?
Who? Example 1: API Call by IAM User BobBob 
"type": "IAMUser", 
"userName": “Bob” 
Anonymized data
Who? Example 2: API Call by Federated User Alice 
"userIdentity":{ 
"type":"FederatedUser", 
"principalId":"123456789012:Alice", 
"arn":"arn:aws:sts::123456789012:federated-user/Alice", 
"accountId":"123456789012", 
"accessKeyId":"ASEXAMPLE1234WTROX8F", 
"sessionIssuer":{ 
"type":"IAMUser", 
"accountId":"123456789012", 
"userName":“Bob" 
} 
} 
Anonymized data; Partial Output
Who? Example 3: AWS Service Creating Resource on Behalf of a User 
Anonymized data 
•Elastic Beanstalk creating AWS resources on behalf of IAM user Bob 
"userIdentity": { 
"accountId": "123456789012", 
"arn": "arn:aws:iam::123456789012:user/Bob", 
"invokedBy":"elasticbeanstalk.amazonaws.com", 
"principalId": "ASEXAMPLE123XWTROX8F ", 
"type": "IAMUser", 
"userName": “Bob" 
}
Security-relevant AWS CloudTrailEvents for IDS 
•Some AWS CloudTrailevents are more interesting security-wise than others, such as … 
–Console Sign-In 
–Authorization Failure 
–Etc. 
•It makes sense to prioritize review for these.
Example 1 –Sign-In Logginghttps://console.aws.amazon.com/iam/home?state=hashArgs%23&isauthcode=true",
Example 2 –Authorization Failure
Example 3 –AWS CloudTrailTurned OFF
AWS CloudTrailSearch / Alert Solutions 
•AWS Marketplace 
•SaaS 
•Open Source
Example AWS Marketplace Solution for AWS CloudTrailSearch / Alert
Example SaaS Solution for AWS CloudTrailSearch / Alert
Example Open Source Solution for AWS CloudTrailSearch / Alert
Detecting Unauthorized Access 
•Types of access 
–Credentials 
–Publicly accessible resources 
–Cross account access
Detecting Unauthorized Access – Credentials 
•Types of credentials 
–Login profile 
–Access key 
–X509 
–CloudFront 
–Temporary Security Credentials 
•Attachment points 
–Root account 
–IAM users 
•You want to know what credentials are out there with access to your account.
Demonstration: Checking Credentials
(SEC402) Intrusion Detection in the Cloud | AWS re:Invent 2014
IAM Credentials Report
Detecting Unauthorized Access – Public 
•Publically accessible resources (NOT by default, but could be configured as such) 
–Amazon S3 Bucket 
–Amazon S3 Anonymous Objects 
–Amazon SQS Open / Public Queues 
•You want to keep track of which resources are readable (or writable even) to the world
Detecting Unauthorized Access –Cross Account 
•Resources that support resource policies 
–Amazon S3 Buckets 
–Amazon SQS queues 
–Amazon SNS topics 
•You want to pay particular attention to any resources that have resource policies allowing cross account access.
CHECKING FOR CROSS-ACCOUNT ACCESS TO RESOURCES
(SEC402) Intrusion Detection in the Cloud | AWS re:Invent 2014
Detecting Unauthorized Access –Roles 
•What is a role 
–Name 
–AssumeRolePolicy 
–Capabilities 
•You want to look at what roles are present in the account and who can assume them
CHECKING FOR ROLES
(SEC402) Intrusion Detection in the Cloud | AWS re:Invent 2014
Detecting Unauthorized Access – Effective Access 
•Ways of expressing * (IMPLICIT *) 
–PutUserPolicy 
–Credential creation 
–PassRole* 
•You want to look out for policies that could be used to gain all access (IAM APIs) 
•Using IAM Policy Simulator … 
https://policysim.aws.amazon.com/
{ 
"Statement": [ 
{ 
"Sid": "Stmt1383555181147", 
”NotAction": ”*", 
"Effect": "Allow", 
"Resource": "*" 
}, 
{ 
"Sid": "Stmt1383555193395", 
"Action": ["iam:PutUserPolicy"], 
"Effect": "Allow", 
"Resource": "*" 
}, 
] 
} 
{ 
"Statement": [ 
{ 
"Sid": "Stmt1383555181147", 
"Action": ”ec2:*", 
"Effect": "Allow", 
"Resource": "*" 
}, 
{ 
"Sid": "Stmt1383555193395", 
"Action": ["s3:*",”iam:PassRole”], 
"Effect": "Allow", 
"Resource": "*" 
}, 
] 
}
(SEC402) Intrusion Detection in the Cloud | AWS re:Invent 2014
{ 
"Statement": [ 
{ 
"Sid": "Stmt1383555181147", 
”NotAction": ”*", 
"Effect": "Allow", 
"Resource": "*" 
}, 
{ 
"Sid": "Stmt1383555193395", 
"Action": ["iam:PutUserPolicy"], 
"Effect": "Allow", 
"Resource": "*" 
}, 
] 
} 
{ 
"Statement": [ 
{ 
"Sid": "Stmt1383555181147", 
"Action": ”ec2:*", 
"Effect": "Allow", 
"Resource": "*" 
}, 
{ 
"Sid": "Stmt1383555193395", 
"Action": ["s3:*",”iam:PassRole”], 
"Effect": "Allow", 
"Resource": "*" 
}, 
] 
}
Detecting Unauthorized Access – Effective Access 
•Dump the output of various configuration APIs into write-once storage 
•Pay attention to changes 
•Some examples for grabbing this data … https://reinvent2014-sec402.s3.amazonaws.com/SecConfig.py
Using Security Role for Amazon S3 Audit (Bucket Policies) https://reinvent2014-sec402.s3.amazonaws.com/SecConfig.py
Account Configuration Change Security Alerts 
•Dump all the users, groups, roles, attached permissions, credsfor all users 
•Amazon S3 bucket, Amazon SQS queue, Amazon SNS topic policies 
•Amazon EC2 security group configuration 
•All goes to flat file, write-once Amazon S3 object 
•Diff and detect changeshttps://reinvent2014-sec402.s3.amazonaws.com/SecConfig.py
Demonstration: Intrusion Detection Scripthttps://reinvent2014-sec402.s3.amazonaws.com/SecConfig.py
Example Usage 
SecConfig.py [-h] -a ACCESS_KEY_ID -k SECRET_ACCESS_KEY  
[-t SECURITY_TOKEN] [-r ROLE] [-v] [-d] 
-h, --help show this help message and exit 
-a ACCESS_KEY_ID, --access_key_idACCESS_KEY_ID 
access key id 
-k SECRET_ACCESS_KEY, --secret_access_keySECRET_ACCESS_KEY 
secret access key 
-t SECURITY_TOKEN, --security_tokenSECURITY_TOKEN 
security token (for use with temporary security 
credentials) 
-r ROLE, --role ROLEroleto assume 
-v, --verbose enable verbose mode 
-d, --debug enable debug mode
Example Output 
iam:accountsummary, AccountMFAEnabled, , 1 
iam:accesskey, ClassicRTTUser, Active, AKIAJQF4G2ZOZBL3FYKQ 
iam:accesskey, ClassicRTTUser, Active, AKIAJVVZ456L2HVERGIQ 
iam:accesskey, audit, Active, AKIAJJ7D5VQ2KAC4RX6Q 
iam:accesskey, ec2test, Active, AKIAIMWFQHOLKE3ARKOQ 
iam:accesskey, ec2test, Active, AKIAISNKP5NBWJRQTBWA 
iam:useringroup, ClassicRTTUser, , ClassicRTTGrp 
iam:userpolicy, ClassicRTTUser, PowerUserAccess-ClassicRTTUser-201306251128, 3be1369a6334b59ecbe24496a45a6c792ea8468bf29f31d30f5d5efc645b2197 
iam:userpolicy, audit, ReadOnlyAccess-audit-201310221803, 02bc4680f269c2949a2da250e6c2b430e3f2a6c1f9e665fce58b6d94de27001d 
iam:userpolicy, ec2test, AdministratorAccess-ec2test-201306141348, 08504c15956913f7a75aadc895ef2b92368826916f95027a128388e60cda61d4 
iam:userpolicy, ec2test, AdministratorAccess-ec2test-201306141416, 76c7d1e7027c934815dd4c69db072992cd2912af59a513ddc633223b7fe01ebb 
iam:userpolicy, ec2test, ReadOnlyAccess-ec2test-201310231957, 02bc4680f269c2949a2da250e6c2b430e3f2a6c1f9e665fce58b6d94de27001d 
iam:userpolicy, mbp-r-managed, one, e3e0211e865b5cac2a57241edcb8aeb9d546764abba2f325b694ec840985c2ff 
iam:userpolicy, quux, mypolicy, 2ad665ca145f5d107be53beecc7c0092461d76c1b9588cae4e0b0f4cbdbc5083 
iam:grouppolicy, test, CloudFrontFullAccess-test-201310291053, 3036fb93022a9f4146d6ccc67ff953d2be25c5ae3d0241b8b983442b577e5b73 
iam:assumerolepolicy, ClassicRTTRole, arn:aws:iam::923022406781:role/ClassicRTTRole, 3036fb93022a9f4146d6ccc67ff953d2be25c5ae3d0241b8b983442b577e5b73 
iam:assumerolepolicy, jenkins, arn:aws:iam::923022406781:role/jenkins, e3e0211e865b5cac2a57241edcb8aeb9d546764abba2f325b694ec840985c2ff 
iam:assumerolepolicy, ltest, arn:aws:iam::923022406781:role/ltest, 6e676d8b13e140781b56775c55e2894d8b8b838e15a12b64bf128a9794931b80 
iam:assumerolepolicy, security_audit, arn:aws:iam::923022406781:role/security_audit, 6e676d8b13e140781b56775c55e2894d8b8b838e15a12b64bf128a9794931b80 
iam:assumerolepolicy, uascr, arn:aws:iam::923022406781:role/uascr, b675543c022ca9bce21414468a7b62e207116f11f77e722ae2f65fed7e69ffbb 
iam:rolepolicy, ClassicRTTRole, PowerUserAccess-ClassicRTTRole-201306251129, e3e0211e865b5cac2a57241edcb8aeb9d546764abba2f325b694ec840985c2ff 
iam:rolepolicy, jenkins, ReadOnlyAccess-jenkins-201303291802, 6e676d8b13e140781b56775c55e2894d8b8b838e15a12b64bf128a9794931b80 
iam:rolepolicy, security_audit, ReadOnlyAccess-security_audit-201311061949, b675543c022ca9bce21414468a7b62e207116f11f77e722ae2f65fed7e69ffbb 
iam:rolepolicy, uascr, AmazonDynamoDBFullAccess-uascr-201210111714, 75cc727843ed2bc783bf9c325300ff307d9b2594b2a53d88b59e609e39af1a89 
s3:bucketpolicy, caec.us, , NoSuchBucketPolicy 
s3:bucketpolicy, cf-templates-g5zg6nnco317-us-east-1, , NoSuchBucketPolicy 
s3:bucketpolicy, dcslides, , NoSuchBucketPolicy 
s3:bucketpolicy, elasticbeanstalk-us-east-1-923022406781, , NoSuchBucketPolicy 
s3:bucketpolicy, gbr-billreport, , ee9f053535a1c6bb3f7becc968d6851679e9694757c8fe18ae3588e7334e2a20 
s3:bucketpolicy, gbr-testv, , NoSuchBucketPolicy 
s3:bucketpolicy, gbrcrypto, , NoSuchBucketPolicy 
s3:bucketpolicy, gbrcrypto-logs, , NoSuchBucketPolicy 
s3:bucketpolicy, gregroth.desktop.amazon.com, , NoSuchBucketPolicy 
s3:bucketpolicy, logs.s3.caec.us, , NoSuchBucketPolicy 
s3:bucketpolicy, s3.caec.us, , NoSuchBucketPolicysqs:queuepolicy, https://queue.amazonaws.com/923022406781/deletemetoo, , NoPolicy 
sqs:queuepolicy, https://queue.amazonaws.com/923022406781/deletme, , 21fbfa969788e8675e540c1fb0114f1a5d280863d5c4e4e9476ec106af8bffc9 
sns:topicpolicy, arn:aws:sns:us-east-1:923022406781:test, , c5f96939702f70124b7e2af14ed07034d155fa56bf043f187d5d6d2d1c9521c0 
sns:topicpolicy, arn:aws:sns:us-east-1:923022406781:test2, , 27f459b59b384b38c92458a4c2ea7268be7c73db687cfba52ac7521770541cb8
Example Output (Snippet) 
iam:accountsummary, AccountMFAEnabled, , 1 
iam:accesskey, ClassicRTTUser, Active, AKIAJQF4G2ZOZBL3FYKQ 
iam:accesskey, ClassicRTTUser, Active, AKIAJVVZ456L2HVERGIQ 
iam:accesskey, audit, Active, AKIAJJ7D5VQ2KAC4RX6Q 
iam:accesskey, ec2test, Active, AKIAIMWFQHOLKE3ARKOQ 
iam:accesskey, ec2test, Active, AKIAISNKP5NBWJRQTBWA 
iam:accesskey, mbp-r-managed, Active, AKIAJKVVGIG7L5UC5OGQ 
iam:accesskey, quux, Active, AKIAJR7ZICS26O32EPBQ 
iam:accesskey, test, Active, AKIAINTUMS4ITD5CJVSA 
iam:useringroup, ClassicRTTUser, , ClassicRTTGrp
Example Output (Snippet) 
s3:bucketpolicy, dcslides, , NoSuchBucketPolicy 
s3:bucketpolicy, elasticbeanstalk-us-east-1-923022406781, , NoSuchBucketPolicy 
s3:bucketpolicy, gbr-billreport, , ee9f053535a1c6bb3f7becc968d6851679e9694757c8fe18ae3588e7334e2a20 
sqs:queuepolicy, https://queue.amazonaws.com/923022406781/deletemetoo, , NoPolicy 
sqs:queuepolicy, https://queue.amazonaws.com/923022406781/deletme, , 21fbfa969788e8675e540c1fb0114f1a5d280863d5c4e4e9476ec106af8bffc9 
sns:topicpolicy, arn:aws:sns:us-east-1:923022406781:test, , c5f96939702f70124b7e2af14ed07034d155fa56bf043f187d5d6d2d1c9521c0 
sns:topicpolicy, arn:aws:sns:us-east-1:923022406781:test2, , 27f459b59b384b38c92458a4c2ea7268be7c73db687cfba52ac7521770541cb8
Example Diff, Something to Look Into 
< iam:userpolicy, mbp-r-managed, one, e3e0211e865b5cac2a57241edcb8aeb9d546764abba2f325b694ec840985c2ff 
--- 
> iam:userpolicy, mbp-r-managed, ReadOnlyAccess-mbp-r-managed-201311111559, b675543c022ca9bce21414468a7b62e207116f11f77e722ae2f65fed7e69ffbb 
> iam:userpolicy, mbp-r-managed, one, 1cc602178f7e876c6d38cbaa8c4adde19b1c3e5a89e6f13c29df5688eb73f50fhttps://reinvent2014-sec402.s3.amazonaws.com/SecConfig.py
Advanced Warning on Billing / Usage Example
Example OK vsUH-OH Billing Trend / Graph
Billing Alerts 
•No need to wait until end of month to become aware of unexpected utilization 
•Establish a baseline of known good billing over time; set your thresholds (overall or service specific) 
•Investigate alerts to determine r00t (?) cause 
•Simplest cloud IDS mechanism, and FREE* 
* Setup of 10 alarms and receipt of 1 K notifications
Enable Monitoring of Your Estimated Charges
Creating A Billing Alarm –Select “By Service”
Creating A Billing Alarm –Select Sevice(eg. Amazon EC2), Create Alarm
Creating A Billing Alarm –Enter Name, Description, Set Threshold
Creating A Billing Alarm –Set Alarm, Notification, Create Alarm
Example Billing Alert via CLI
Assuming You Anticipate ~ $1 K / Month … 
$1000 
$750 
$500 
$250 
Week 1 
Week 2 
Week 3 
Week 4 
= OK!
“Early” Alerts Are “Interesting” … 
$1000 
$750 
$500 
$250 
Week 1 
Week 2 
Week 3 
Week 4 
= OK! 
= Hmm …
More than One “Early” Alert …? 
$1000 
$750 
$500 
$250 
Week 1 
Week 2 
Week 3 
Week 4 
= OK! 
= Hmm … 
= Uh-Oh!
Create Your Own Meter-based Alerts? 
•Use: programmatic access to billing data 
•You have more info about the types and locations of charges 
•Allows for looking for unexpected usage per region
>$0 Usage Unexpected Region Alert Examplehttps://reinvent2014-sec402.s3.amazonaws.com/regional_billing_alert.rb
Trusted Advisor 
•Inspects AWS environment; can identify and help close security gaps, enable security features, examine permissions 
–Open security groups 
–Bucket policy 
–IAM, passwords, MFA 
https://aws.amazon.com/premiumsupport/trustedadvisor/
Trusted Advisor Dashboard Example
Trusted Advisor Security Checks Example
(SEC402) Intrusion Detection in the Cloud | AWS re:Invent 2014
Trusted Advisor Checks via API 
•AWS Support API includes Trusted Advisor checks 
–List checks and their descriptions 
–Get check results 
–Specify checks to refresh 
–Get refresh status of checks 
http://docs.aws.amazon.com/awssupport/latest/APIReference/Welcome.html
Alternate Security POC 
•For security notifications, Support will utilize the contact information you provide AWS 
•Consider adding a security-specific contact for your account 
•Security POC = contact information for your organization’s security team 
http://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/manage-account-payment.html
Rebuild Frequency 
•Difficult for adversary to maintain persistence when an EC2 instance does not 
•Breaking in repeatedly will be noisy, more likely to detect 
•Auditing a system is easiest soon after creation 
•Rebuild everything every day
Support for Security 
•AWS support is the one-stop shop for AWS customers, for ANY concerns, including security-related 
•If support can not immediately address your concern, they will escalate internally to the appropriate technical team, AWS security included 
https://aws.amazon.com/support
Other re:InventTalks 
•SEC305 “IAM Best Practices” 
•SEC303 “Mastering Access Control Policies” 
•SEC306 “Turn On Cloudtrail” 
•SEC404 “Incident Response in The Cloud” 
•If missed, keep an eye on YouTube … 
http://www.youtube.com/user/AmazonWebServices
Security Best Practices Whitepaper 
•Help for designing security infrastructure and configuration for your AWS environment 
•High-level guidance for … 
–Managing accounts, users, groups roles 
–Managing OS-level access to instances 
–Securing your data, OS, apps, infrastructure 
–Managing security monitoring, auditing, alerting, incident response 
http://media.amazonwebservices.com/AWS_Security_Best_Practices.pdf
AWS Security Resources 
•AWS Security Blog 
http://blogs.aws.amazon.com/security/ 
•AWS Security Center 
https://aws.amazon.com/security 
•Contact the AWS security teamaws-security@amazon.com
Pre-ReqReminders with References 
•AWS Identity and Access Management (IAM) 
http://docs.aws.amazon.com/IAM/latest/UserGuide/IAMGettingStarted.html 
•Multi-Factor Authentication (MFA) 
http://docs.aws.amazon.com/IAM/latest/UserGuide/Using_ManagingMFA.html 
•Amazon S3 Bucket Logging 
http://docs.aws.amazon.com/AmazonS3/latest/UG/ManagingBucketLogging.html 
•Roles for EC2 
http://docs.aws.amazon.com/IAM/latest/UserGuide/WorkingWithRoles.html 
•Amazon S3 Bucket Versioning with MFA Delete 
http://docs.aws.amazon.com/AmazonS3/latest/dev/Versioning.html 
http://docs.aws.amazon.com/AmazonS3/latest/dev/MultiFactorAuthenticationDelete.html
Billing Alerts and Billing Data 
•Monitoring your AWS charges 
http://docs.amazonwebservices.com/AmazonCloudWatch/latest/DeveloperGuide/monitor_estimated_charges_with_cloudwatch.html 
•Amazon CloudWatchCommand Line Interface Reference 
http://docs.aws.amazon.com/AmazonCloudWatch/latest/DeveloperGuide/CLIReference.html 
•Programmatic Access to Billing Datahttp://docs.aws.amazon.com/awsaccountbilling/latest/about/programaccess. html
Key Takeaways 
•Beyond traditional host-or network-based intrusion detection, there is intrusion detection for the cloud 
•AWS provides a variety of mechanisms and support that you can and should leverage to monitor key security controls 
•Tinker, give us feedback, and approach our partners about incorporating some ideas here
Downloads 
•Example Intrusion Detection Script 
https://reinvent2014-sec402.s3.amazonaws.com/SecConfig.py 
•Regional Billing Alert Scripthttps://reinvent2014-sec402.s3.amazonaws.com/regional_billing_alert.rb
Please give us your feedback on this session. 
Complete session evaluations and earn re:Invent swag. 
http://bit.ly/awsevals

More Related Content

What's hot

AWS re:Invent 2016: Become an AWS IAM Policy Ninja in 60 Minutes or Less (SAC...
AWS re:Invent 2016: Become an AWS IAM Policy Ninja in 60 Minutes or Less (SAC...AWS re:Invent 2016: Become an AWS IAM Policy Ninja in 60 Minutes or Less (SAC...
AWS re:Invent 2016: Become an AWS IAM Policy Ninja in 60 Minutes or Less (SAC...Amazon Web Services
 
Account Separation and Mandatory Access Control
Account Separation and Mandatory Access ControlAccount Separation and Mandatory Access Control
Account Separation and Mandatory Access ControlAmazon Web Services
 
AWS re:Invent 2016: Workshop: Choose Your Own SAML Adventure: A Self-Directed...
AWS re:Invent 2016: Workshop: Choose Your Own SAML Adventure: A Self-Directed...AWS re:Invent 2016: Workshop: Choose Your Own SAML Adventure: A Self-Directed...
AWS re:Invent 2016: Workshop: Choose Your Own SAML Adventure: A Self-Directed...Amazon Web Services
 
Getting Started with AWS Lambda and the Serverless Cloud
Getting Started with AWS Lambda and the Serverless CloudGetting Started with AWS Lambda and the Serverless Cloud
Getting Started with AWS Lambda and the Serverless CloudAmazon Web Services
 
Grabbing Forensic Images from EC2/Rackspace
Grabbing Forensic Images from EC2/RackspaceGrabbing Forensic Images from EC2/Rackspace
Grabbing Forensic Images from EC2/RackspaceJP Bourget
 
(SEC403) Building AWS Partner Applications Using IAM Roles | AWS re:Invent 2014
(SEC403) Building AWS Partner Applications Using IAM Roles | AWS re:Invent 2014(SEC403) Building AWS Partner Applications Using IAM Roles | AWS re:Invent 2014
(SEC403) Building AWS Partner Applications Using IAM Roles | AWS re:Invent 2014Amazon Web Services
 
Building Serverless Chat Bots - AWS August Webinar Series
Building Serverless Chat Bots - AWS August Webinar SeriesBuilding Serverless Chat Bots - AWS August Webinar Series
Building Serverless Chat Bots - AWS August Webinar SeriesAmazon Web Services
 
AWS Security in Plain English – AWS Security Day
AWS Security in Plain English – AWS Security Day AWS Security in Plain English – AWS Security Day
AWS Security in Plain English – AWS Security Day Amazon Web Services
 
Managing your identities in the cloud with AWS and Microsoft Active Directory...
Managing your identities in the cloud with AWS and Microsoft Active Directory...Managing your identities in the cloud with AWS and Microsoft Active Directory...
Managing your identities in the cloud with AWS and Microsoft Active Directory...Amazon Web Services
 
Security Day IAM Recommended Practices
Security Day IAM Recommended PracticesSecurity Day IAM Recommended Practices
Security Day IAM Recommended PracticesAmazon Web Services
 
AWS June Webinar Series - Deep Dive: Protecting Your Data with AWS Encryption
AWS June Webinar Series - Deep Dive: Protecting Your Data with AWS EncryptionAWS June Webinar Series - Deep Dive: Protecting Your Data with AWS Encryption
AWS June Webinar Series - Deep Dive: Protecting Your Data with AWS EncryptionAmazon Web Services
 
(MBL402) Mobile Identity Management & Data Sync Using Amazon Cognito
(MBL402) Mobile Identity Management & Data Sync Using Amazon Cognito(MBL402) Mobile Identity Management & Data Sync Using Amazon Cognito
(MBL402) Mobile Identity Management & Data Sync Using Amazon CognitoAmazon Web Services
 
AWS re:Invent 2016: Life Without SSH: Immutable Infrastructure in Production ...
AWS re:Invent 2016: Life Without SSH: Immutable Infrastructure in Production ...AWS re:Invent 2016: Life Without SSH: Immutable Infrastructure in Production ...
AWS re:Invent 2016: Life Without SSH: Immutable Infrastructure in Production ...Amazon Web Services
 
AWS APAC Webinar Week - Getting The Most From EC2
AWS APAC Webinar Week - Getting The Most From EC2AWS APAC Webinar Week - Getting The Most From EC2
AWS APAC Webinar Week - Getting The Most From EC2Amazon Web Services
 
(SEC306) Turn on CloudTrail: Log API Activity in Your AWS Account | AWS re:In...
(SEC306) Turn on CloudTrail: Log API Activity in Your AWS Account | AWS re:In...(SEC306) Turn on CloudTrail: Log API Activity in Your AWS Account | AWS re:In...
(SEC306) Turn on CloudTrail: Log API Activity in Your AWS Account | AWS re:In...Amazon Web Services
 
Access Control for the Cloud: AWS Identity and Access Management (IAM) (SEC20...
Access Control for the Cloud: AWS Identity and Access Management (IAM) (SEC20...Access Control for the Cloud: AWS Identity and Access Management (IAM) (SEC20...
Access Control for the Cloud: AWS Identity and Access Management (IAM) (SEC20...Amazon Web Services
 
Updating Security Operations For The Cloud
Updating Security Operations For The CloudUpdating Security Operations For The Cloud
Updating Security Operations For The CloudMark Nunnikhoven
 

What's hot (20)

AWS re:Invent 2016: Become an AWS IAM Policy Ninja in 60 Minutes or Less (SAC...
AWS re:Invent 2016: Become an AWS IAM Policy Ninja in 60 Minutes or Less (SAC...AWS re:Invent 2016: Become an AWS IAM Policy Ninja in 60 Minutes or Less (SAC...
AWS re:Invent 2016: Become an AWS IAM Policy Ninja in 60 Minutes or Less (SAC...
 
Account Separation and Mandatory Access Control
Account Separation and Mandatory Access ControlAccount Separation and Mandatory Access Control
Account Separation and Mandatory Access Control
 
AWS re:Invent 2016: Workshop: Choose Your Own SAML Adventure: A Self-Directed...
AWS re:Invent 2016: Workshop: Choose Your Own SAML Adventure: A Self-Directed...AWS re:Invent 2016: Workshop: Choose Your Own SAML Adventure: A Self-Directed...
AWS re:Invent 2016: Workshop: Choose Your Own SAML Adventure: A Self-Directed...
 
Getting Started with AWS Lambda and the Serverless Cloud
Getting Started with AWS Lambda and the Serverless CloudGetting Started with AWS Lambda and the Serverless Cloud
Getting Started with AWS Lambda and the Serverless Cloud
 
Grabbing Forensic Images from EC2/Rackspace
Grabbing Forensic Images from EC2/RackspaceGrabbing Forensic Images from EC2/Rackspace
Grabbing Forensic Images from EC2/Rackspace
 
Federation
FederationFederation
Federation
 
Crypto Options in AWS
Crypto Options in AWSCrypto Options in AWS
Crypto Options in AWS
 
(SEC403) Building AWS Partner Applications Using IAM Roles | AWS re:Invent 2014
(SEC403) Building AWS Partner Applications Using IAM Roles | AWS re:Invent 2014(SEC403) Building AWS Partner Applications Using IAM Roles | AWS re:Invent 2014
(SEC403) Building AWS Partner Applications Using IAM Roles | AWS re:Invent 2014
 
Monitoring and Alerting
Monitoring and AlertingMonitoring and Alerting
Monitoring and Alerting
 
Building Serverless Chat Bots - AWS August Webinar Series
Building Serverless Chat Bots - AWS August Webinar SeriesBuilding Serverless Chat Bots - AWS August Webinar Series
Building Serverless Chat Bots - AWS August Webinar Series
 
AWS Security in Plain English – AWS Security Day
AWS Security in Plain English – AWS Security Day AWS Security in Plain English – AWS Security Day
AWS Security in Plain English – AWS Security Day
 
Managing your identities in the cloud with AWS and Microsoft Active Directory...
Managing your identities in the cloud with AWS and Microsoft Active Directory...Managing your identities in the cloud with AWS and Microsoft Active Directory...
Managing your identities in the cloud with AWS and Microsoft Active Directory...
 
Security Day IAM Recommended Practices
Security Day IAM Recommended PracticesSecurity Day IAM Recommended Practices
Security Day IAM Recommended Practices
 
AWS June Webinar Series - Deep Dive: Protecting Your Data with AWS Encryption
AWS June Webinar Series - Deep Dive: Protecting Your Data with AWS EncryptionAWS June Webinar Series - Deep Dive: Protecting Your Data with AWS Encryption
AWS June Webinar Series - Deep Dive: Protecting Your Data with AWS Encryption
 
(MBL402) Mobile Identity Management & Data Sync Using Amazon Cognito
(MBL402) Mobile Identity Management & Data Sync Using Amazon Cognito(MBL402) Mobile Identity Management & Data Sync Using Amazon Cognito
(MBL402) Mobile Identity Management & Data Sync Using Amazon Cognito
 
AWS re:Invent 2016: Life Without SSH: Immutable Infrastructure in Production ...
AWS re:Invent 2016: Life Without SSH: Immutable Infrastructure in Production ...AWS re:Invent 2016: Life Without SSH: Immutable Infrastructure in Production ...
AWS re:Invent 2016: Life Without SSH: Immutable Infrastructure in Production ...
 
AWS APAC Webinar Week - Getting The Most From EC2
AWS APAC Webinar Week - Getting The Most From EC2AWS APAC Webinar Week - Getting The Most From EC2
AWS APAC Webinar Week - Getting The Most From EC2
 
(SEC306) Turn on CloudTrail: Log API Activity in Your AWS Account | AWS re:In...
(SEC306) Turn on CloudTrail: Log API Activity in Your AWS Account | AWS re:In...(SEC306) Turn on CloudTrail: Log API Activity in Your AWS Account | AWS re:In...
(SEC306) Turn on CloudTrail: Log API Activity in Your AWS Account | AWS re:In...
 
Access Control for the Cloud: AWS Identity and Access Management (IAM) (SEC20...
Access Control for the Cloud: AWS Identity and Access Management (IAM) (SEC20...Access Control for the Cloud: AWS Identity and Access Management (IAM) (SEC20...
Access Control for the Cloud: AWS Identity and Access Management (IAM) (SEC20...
 
Updating Security Operations For The Cloud
Updating Security Operations For The CloudUpdating Security Operations For The Cloud
Updating Security Operations For The Cloud
 

Similar to (SEC402) Intrusion Detection in the Cloud | AWS re:Invent 2014

(SEC308) Wrangling Security Events In The Cloud
(SEC308) Wrangling Security Events In The Cloud(SEC308) Wrangling Security Events In The Cloud
(SEC308) Wrangling Security Events In The CloudAmazon Web Services
 
AWS July Webinar Series - Troubleshooting Operational and Security Issues in ...
AWS July Webinar Series - Troubleshooting Operational and Security Issues in ...AWS July Webinar Series - Troubleshooting Operational and Security Issues in ...
AWS July Webinar Series - Troubleshooting Operational and Security Issues in ...Amazon Web Services
 
Network Security and Access Control in AWS
Network Security and Access Control in AWSNetwork Security and Access Control in AWS
Network Security and Access Control in AWSAmazon Web Services
 
AWS Summit Sydney 2014 | Understanding AWS Security
AWS Summit Sydney 2014 | Understanding AWS SecurityAWS Summit Sydney 2014 | Understanding AWS Security
AWS Summit Sydney 2014 | Understanding AWS SecurityAmazon Web Services
 
Introduction to AWS Security
Introduction to AWS SecurityIntroduction to AWS Security
Introduction to AWS SecurityLalitMohanSharma8
 
Best Practices for Security at Scale
Best Practices for Security at Scale Best Practices for Security at Scale
Best Practices for Security at Scale Amazon Web Services
 
In the Cloud, nobody can hear you scream: AWS Cloud Security for DevOps
In the Cloud, nobody can hear you scream: AWS Cloud Security for DevOpsIn the Cloud, nobody can hear you scream: AWS Cloud Security for DevOps
In the Cloud, nobody can hear you scream: AWS Cloud Security for DevOpsGarth Boyd
 
AWS Summit Auckland 2014 | Understanding AWS Security
AWS Summit Auckland 2014 | Understanding AWS Security AWS Summit Auckland 2014 | Understanding AWS Security
AWS Summit Auckland 2014 | Understanding AWS Security Amazon Web Services
 
AWS re:Invent 2016: Securing Enterprise Big Data Workloads on AWS (SEC308)
AWS re:Invent 2016: Securing Enterprise Big Data Workloads on AWS (SEC308)AWS re:Invent 2016: Securing Enterprise Big Data Workloads on AWS (SEC308)
AWS re:Invent 2016: Securing Enterprise Big Data Workloads on AWS (SEC308)Amazon Web Services
 
AWS re:Invent 2016: IAM Best Practices to Live By (SAC317)
AWS re:Invent 2016: IAM Best Practices to Live By (SAC317)AWS re:Invent 2016: IAM Best Practices to Live By (SAC317)
AWS re:Invent 2016: IAM Best Practices to Live By (SAC317)Amazon Web Services
 
Introduction to Identity and Access Management (IAM)
Introduction to Identity and Access Management (IAM)Introduction to Identity and Access Management (IAM)
Introduction to Identity and Access Management (IAM)Amazon Web Services
 
SEC302 Becoming an AWS Policy Ninja using AWS IAM and AWS Organizations
SEC302 Becoming an AWS Policy Ninja using AWS IAM and AWS OrganizationsSEC302 Becoming an AWS Policy Ninja using AWS IAM and AWS Organizations
SEC302 Becoming an AWS Policy Ninja using AWS IAM and AWS OrganizationsAmazon Web Services
 
Security Architecture recommendations for your new AWS operation - Pop-up Lof...
Security Architecture recommendations for your new AWS operation - Pop-up Lof...Security Architecture recommendations for your new AWS operation - Pop-up Lof...
Security Architecture recommendations for your new AWS operation - Pop-up Lof...Amazon Web Services
 
Enforcing Your Security Policy at Scale - Technical 301
Enforcing Your Security Policy at Scale - Technical 301Enforcing Your Security Policy at Scale - Technical 301
Enforcing Your Security Policy at Scale - Technical 301Amazon Web Services
 
Network Security and Access Control within AWS
Network Security and Access Control within AWS Network Security and Access Control within AWS
Network Security and Access Control within AWS Amazon Web Services
 

Similar to (SEC402) Intrusion Detection in the Cloud | AWS re:Invent 2014 (20)

Understanding AWS Security
Understanding AWS SecurityUnderstanding AWS Security
Understanding AWS Security
 
(SEC308) Wrangling Security Events In The Cloud
(SEC308) Wrangling Security Events In The Cloud(SEC308) Wrangling Security Events In The Cloud
(SEC308) Wrangling Security Events In The Cloud
 
Protecting Your Data in AWS
Protecting Your Data in AWSProtecting Your Data in AWS
Protecting Your Data in AWS
 
AWS July Webinar Series - Troubleshooting Operational and Security Issues in ...
AWS July Webinar Series - Troubleshooting Operational and Security Issues in ...AWS July Webinar Series - Troubleshooting Operational and Security Issues in ...
AWS July Webinar Series - Troubleshooting Operational and Security Issues in ...
 
Network Security and Access Control in AWS
Network Security and Access Control in AWSNetwork Security and Access Control in AWS
Network Security and Access Control in AWS
 
AWS Summit Sydney 2014 | Understanding AWS Security
AWS Summit Sydney 2014 | Understanding AWS SecurityAWS Summit Sydney 2014 | Understanding AWS Security
AWS Summit Sydney 2014 | Understanding AWS Security
 
IAM Introduction
IAM IntroductionIAM Introduction
IAM Introduction
 
AWS Intro
AWS IntroAWS Intro
AWS Intro
 
Introduction to AWS Security
Introduction to AWS SecurityIntroduction to AWS Security
Introduction to AWS Security
 
Best Practices for Security at Scale
Best Practices for Security at Scale Best Practices for Security at Scale
Best Practices for Security at Scale
 
In the Cloud, nobody can hear you scream: AWS Cloud Security for DevOps
In the Cloud, nobody can hear you scream: AWS Cloud Security for DevOpsIn the Cloud, nobody can hear you scream: AWS Cloud Security for DevOps
In the Cloud, nobody can hear you scream: AWS Cloud Security for DevOps
 
AWS Summit Auckland 2014 | Understanding AWS Security
AWS Summit Auckland 2014 | Understanding AWS Security AWS Summit Auckland 2014 | Understanding AWS Security
AWS Summit Auckland 2014 | Understanding AWS Security
 
AWS re:Invent 2016: Securing Enterprise Big Data Workloads on AWS (SEC308)
AWS re:Invent 2016: Securing Enterprise Big Data Workloads on AWS (SEC308)AWS re:Invent 2016: Securing Enterprise Big Data Workloads on AWS (SEC308)
AWS re:Invent 2016: Securing Enterprise Big Data Workloads on AWS (SEC308)
 
AWS re:Invent 2016: IAM Best Practices to Live By (SAC317)
AWS re:Invent 2016: IAM Best Practices to Live By (SAC317)AWS re:Invent 2016: IAM Best Practices to Live By (SAC317)
AWS re:Invent 2016: IAM Best Practices to Live By (SAC317)
 
AWS IAM Introduction
AWS IAM IntroductionAWS IAM Introduction
AWS IAM Introduction
 
Introduction to Identity and Access Management (IAM)
Introduction to Identity and Access Management (IAM)Introduction to Identity and Access Management (IAM)
Introduction to Identity and Access Management (IAM)
 
SEC302 Becoming an AWS Policy Ninja using AWS IAM and AWS Organizations
SEC302 Becoming an AWS Policy Ninja using AWS IAM and AWS OrganizationsSEC302 Becoming an AWS Policy Ninja using AWS IAM and AWS Organizations
SEC302 Becoming an AWS Policy Ninja using AWS IAM and AWS Organizations
 
Security Architecture recommendations for your new AWS operation - Pop-up Lof...
Security Architecture recommendations for your new AWS operation - Pop-up Lof...Security Architecture recommendations for your new AWS operation - Pop-up Lof...
Security Architecture recommendations for your new AWS operation - Pop-up Lof...
 
Enforcing Your Security Policy at Scale - Technical 301
Enforcing Your Security Policy at Scale - Technical 301Enforcing Your Security Policy at Scale - Technical 301
Enforcing Your Security Policy at Scale - Technical 301
 
Network Security and Access Control within AWS
Network Security and Access Control within AWS Network Security and Access Control within AWS
Network Security and Access Control within AWS
 

More from Amazon Web Services

Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...Amazon Web Services
 
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...Amazon Web Services
 
Esegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS FargateEsegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS FargateAmazon Web Services
 
Costruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWSCostruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWSAmazon Web Services
 
Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot Amazon Web Services
 
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...Amazon Web Services
 
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...Amazon Web Services
 
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows WorkloadsMicrosoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows WorkloadsAmazon Web Services
 
Database Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatareDatabase Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatareAmazon Web Services
 
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJSCrea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJSAmazon Web Services
 
API moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAPI moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAmazon Web Services
 
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareDatabase Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareAmazon Web Services
 
Tools for building your MVP on AWS
Tools for building your MVP on AWSTools for building your MVP on AWS
Tools for building your MVP on AWSAmazon Web Services
 
How to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckHow to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckAmazon Web Services
 
Building a web application without servers
Building a web application without serversBuilding a web application without servers
Building a web application without serversAmazon Web Services
 
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...Amazon Web Services
 
Introduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceIntroduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceAmazon Web Services
 

More from Amazon Web Services (20)

Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
 
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
 
Esegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS FargateEsegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS Fargate
 
Costruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWSCostruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWS
 
Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot
 
Open banking as a service
Open banking as a serviceOpen banking as a service
Open banking as a service
 
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
 
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
 
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows WorkloadsMicrosoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
 
Computer Vision con AWS
Computer Vision con AWSComputer Vision con AWS
Computer Vision con AWS
 
Database Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatareDatabase Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatare
 
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJSCrea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
 
API moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAPI moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e web
 
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareDatabase Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
 
Tools for building your MVP on AWS
Tools for building your MVP on AWSTools for building your MVP on AWS
Tools for building your MVP on AWS
 
How to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckHow to Build a Winning Pitch Deck
How to Build a Winning Pitch Deck
 
Building a web application without servers
Building a web application without serversBuilding a web application without servers
Building a web application without servers
 
Fundraising Essentials
Fundraising EssentialsFundraising Essentials
Fundraising Essentials
 
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
 
Introduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceIntroduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container Service
 

Recently uploaded

Where developers are challenged, what developers want and where DevEx is going
Where developers are challenged, what developers want and where DevEx is goingWhere developers are challenged, what developers want and where DevEx is going
Where developers are challenged, what developers want and where DevEx is goingFrancesco Corti
 
How to become a GDSC Lead GDSC MI AOE.pptx
How to become a GDSC Lead GDSC MI AOE.pptxHow to become a GDSC Lead GDSC MI AOE.pptx
How to become a GDSC Lead GDSC MI AOE.pptxKaustubhBhavsar6
 
Outage Analysis: March 5th/6th 2024 Meta, Comcast, and LinkedIn
Outage Analysis: March 5th/6th 2024 Meta, Comcast, and LinkedInOutage Analysis: March 5th/6th 2024 Meta, Comcast, and LinkedIn
Outage Analysis: March 5th/6th 2024 Meta, Comcast, and LinkedInThousandEyes
 
LF Energy Webinar - Unveiling OpenEEMeter 4.0
LF Energy Webinar - Unveiling OpenEEMeter 4.0LF Energy Webinar - Unveiling OpenEEMeter 4.0
LF Energy Webinar - Unveiling OpenEEMeter 4.0DanBrown980551
 
Introduction to RAG (Retrieval Augmented Generation) and its application
Introduction to RAG (Retrieval Augmented Generation) and its applicationIntroduction to RAG (Retrieval Augmented Generation) and its application
Introduction to RAG (Retrieval Augmented Generation) and its applicationKnoldus Inc.
 
2024.03.12 Cost drivers of cultivated meat production.pdf
2024.03.12 Cost drivers of cultivated meat production.pdf2024.03.12 Cost drivers of cultivated meat production.pdf
2024.03.12 Cost drivers of cultivated meat production.pdfThe Good Food Institute
 
Planetek Italia Srl - Corporate Profile Brochure
Planetek Italia Srl - Corporate Profile BrochurePlanetek Italia Srl - Corporate Profile Brochure
Planetek Italia Srl - Corporate Profile BrochurePlanetek Italia Srl
 
From the origin to the future of Open Source model and business
From the origin to the future of  Open Source model and businessFrom the origin to the future of  Open Source model and business
From the origin to the future of Open Source model and businessFrancesco Corti
 
My key hands-on projects in Quantum, and QAI
My key hands-on projects in Quantum, and QAIMy key hands-on projects in Quantum, and QAI
My key hands-on projects in Quantum, and QAIVijayananda Mohire
 
Explore the UiPath Community and ways you can benefit on your journey to auto...
Explore the UiPath Community and ways you can benefit on your journey to auto...Explore the UiPath Community and ways you can benefit on your journey to auto...
Explore the UiPath Community and ways you can benefit on your journey to auto...DianaGray10
 
Scenario Library et REX Discover industry- and role- based scenarios
Scenario Library et REX Discover industry- and role- based scenariosScenario Library et REX Discover industry- and role- based scenarios
Scenario Library et REX Discover industry- and role- based scenariosErol GIRAUDY
 
20140402 - Smart house demo kit
20140402 - Smart house demo kit20140402 - Smart house demo kit
20140402 - Smart house demo kitJamie (Taka) Wang
 
SIM INFORMATION SYSTEM: REVOLUTIONIZING DATA MANAGEMENT
SIM INFORMATION SYSTEM: REVOLUTIONIZING DATA MANAGEMENTSIM INFORMATION SYSTEM: REVOLUTIONIZING DATA MANAGEMENT
SIM INFORMATION SYSTEM: REVOLUTIONIZING DATA MANAGEMENTxtailishbaloch
 
Top 10 Squarespace Development Companies
Top 10 Squarespace Development CompaniesTop 10 Squarespace Development Companies
Top 10 Squarespace Development CompaniesTopCSSGallery
 
The Zero-ETL Approach: Enhancing Data Agility and Insight
The Zero-ETL Approach: Enhancing Data Agility and InsightThe Zero-ETL Approach: Enhancing Data Agility and Insight
The Zero-ETL Approach: Enhancing Data Agility and InsightSafe Software
 
Technical SEO for Improved Accessibility WTS FEST
Technical SEO for Improved Accessibility  WTS FESTTechnical SEO for Improved Accessibility  WTS FEST
Technical SEO for Improved Accessibility WTS FESTBillieHyde
 
.NET 8 ChatBot with Azure OpenAI Services.pptx
.NET 8 ChatBot with Azure OpenAI Services.pptx.NET 8 ChatBot with Azure OpenAI Services.pptx
.NET 8 ChatBot with Azure OpenAI Services.pptxHansamali Gamage
 
Webinar: The Art of Prioritizing Your Product Roadmap by AWS Sr PM - Tech
Webinar: The Art of Prioritizing Your Product Roadmap by AWS Sr PM - TechWebinar: The Art of Prioritizing Your Product Roadmap by AWS Sr PM - Tech
Webinar: The Art of Prioritizing Your Product Roadmap by AWS Sr PM - TechProduct School
 
March Patch Tuesday
March Patch TuesdayMarch Patch Tuesday
March Patch TuesdayIvanti
 
Stobox 4: Revolutionizing Investment in Real-World Assets Through Tokenization
Stobox 4: Revolutionizing Investment in Real-World Assets Through TokenizationStobox 4: Revolutionizing Investment in Real-World Assets Through Tokenization
Stobox 4: Revolutionizing Investment in Real-World Assets Through TokenizationStobox
 

Recently uploaded (20)

Where developers are challenged, what developers want and where DevEx is going
Where developers are challenged, what developers want and where DevEx is goingWhere developers are challenged, what developers want and where DevEx is going
Where developers are challenged, what developers want and where DevEx is going
 
How to become a GDSC Lead GDSC MI AOE.pptx
How to become a GDSC Lead GDSC MI AOE.pptxHow to become a GDSC Lead GDSC MI AOE.pptx
How to become a GDSC Lead GDSC MI AOE.pptx
 
Outage Analysis: March 5th/6th 2024 Meta, Comcast, and LinkedIn
Outage Analysis: March 5th/6th 2024 Meta, Comcast, and LinkedInOutage Analysis: March 5th/6th 2024 Meta, Comcast, and LinkedIn
Outage Analysis: March 5th/6th 2024 Meta, Comcast, and LinkedIn
 
LF Energy Webinar - Unveiling OpenEEMeter 4.0
LF Energy Webinar - Unveiling OpenEEMeter 4.0LF Energy Webinar - Unveiling OpenEEMeter 4.0
LF Energy Webinar - Unveiling OpenEEMeter 4.0
 
Introduction to RAG (Retrieval Augmented Generation) and its application
Introduction to RAG (Retrieval Augmented Generation) and its applicationIntroduction to RAG (Retrieval Augmented Generation) and its application
Introduction to RAG (Retrieval Augmented Generation) and its application
 
2024.03.12 Cost drivers of cultivated meat production.pdf
2024.03.12 Cost drivers of cultivated meat production.pdf2024.03.12 Cost drivers of cultivated meat production.pdf
2024.03.12 Cost drivers of cultivated meat production.pdf
 
Planetek Italia Srl - Corporate Profile Brochure
Planetek Italia Srl - Corporate Profile BrochurePlanetek Italia Srl - Corporate Profile Brochure
Planetek Italia Srl - Corporate Profile Brochure
 
From the origin to the future of Open Source model and business
From the origin to the future of  Open Source model and businessFrom the origin to the future of  Open Source model and business
From the origin to the future of Open Source model and business
 
My key hands-on projects in Quantum, and QAI
My key hands-on projects in Quantum, and QAIMy key hands-on projects in Quantum, and QAI
My key hands-on projects in Quantum, and QAI
 
Explore the UiPath Community and ways you can benefit on your journey to auto...
Explore the UiPath Community and ways you can benefit on your journey to auto...Explore the UiPath Community and ways you can benefit on your journey to auto...
Explore the UiPath Community and ways you can benefit on your journey to auto...
 
Scenario Library et REX Discover industry- and role- based scenarios
Scenario Library et REX Discover industry- and role- based scenariosScenario Library et REX Discover industry- and role- based scenarios
Scenario Library et REX Discover industry- and role- based scenarios
 
20140402 - Smart house demo kit
20140402 - Smart house demo kit20140402 - Smart house demo kit
20140402 - Smart house demo kit
 
SIM INFORMATION SYSTEM: REVOLUTIONIZING DATA MANAGEMENT
SIM INFORMATION SYSTEM: REVOLUTIONIZING DATA MANAGEMENTSIM INFORMATION SYSTEM: REVOLUTIONIZING DATA MANAGEMENT
SIM INFORMATION SYSTEM: REVOLUTIONIZING DATA MANAGEMENT
 
Top 10 Squarespace Development Companies
Top 10 Squarespace Development CompaniesTop 10 Squarespace Development Companies
Top 10 Squarespace Development Companies
 
The Zero-ETL Approach: Enhancing Data Agility and Insight
The Zero-ETL Approach: Enhancing Data Agility and InsightThe Zero-ETL Approach: Enhancing Data Agility and Insight
The Zero-ETL Approach: Enhancing Data Agility and Insight
 
Technical SEO for Improved Accessibility WTS FEST
Technical SEO for Improved Accessibility  WTS FESTTechnical SEO for Improved Accessibility  WTS FEST
Technical SEO for Improved Accessibility WTS FEST
 
.NET 8 ChatBot with Azure OpenAI Services.pptx
.NET 8 ChatBot with Azure OpenAI Services.pptx.NET 8 ChatBot with Azure OpenAI Services.pptx
.NET 8 ChatBot with Azure OpenAI Services.pptx
 
Webinar: The Art of Prioritizing Your Product Roadmap by AWS Sr PM - Tech
Webinar: The Art of Prioritizing Your Product Roadmap by AWS Sr PM - TechWebinar: The Art of Prioritizing Your Product Roadmap by AWS Sr PM - Tech
Webinar: The Art of Prioritizing Your Product Roadmap by AWS Sr PM - Tech
 
March Patch Tuesday
March Patch TuesdayMarch Patch Tuesday
March Patch Tuesday
 
Stobox 4: Revolutionizing Investment in Real-World Assets Through Tokenization
Stobox 4: Revolutionizing Investment in Real-World Assets Through TokenizationStobox 4: Revolutionizing Investment in Real-World Assets Through Tokenization
Stobox 4: Revolutionizing Investment in Real-World Assets Through Tokenization
 

(SEC402) Intrusion Detection in the Cloud | AWS re:Invent 2014

  • 2. Today’s Geek Agenda •Intrusion detection in your AWS environment •AWS-specific security features to build with •AWS-specific intrusion detection mechanisms w/ demos •Other tips, resources
  • 3. • Operating System • Processes • Files • Packets • Flows ? Server Network Cloud
  • 4. Configuration Amazon S3 Amazon EC2 Amazon VPC IAM Amazon RDS Elastic Beanstalk Security Group VPC Subnet Amazon S3 Bucket Groups, Users, Credentials Applications Amazon RDS DB Instances Objects Instances Internet Gateways Customer AWS Traditional IDS This Talk
  • 5. Traditional IDS in AWS •On premises, Amazon VPC endpoint Amazon VPC Corporate Data Center VPN Gateway Customer Gateway Router
  • 6. VPC Subnet Traditional IDS in AWS • In cloud, as VPC NAT gateway or on-instance Virtual Private Cloud Instances Internet Gateway
  • 7. Configuration Amazon S3 Amazon EC2 Amazon VPC IAM Amazon RDS Elastic Beanstalk Security Group VPC Subnet Amazon S3 Bucket Groups, Users, Credentials Applications Amazon RDS DB Instances Objects Instances Internet Gateways Customer AWS Traditional IDS This Talk
  • 8. Prerequisites •AWS Identity and Access Management (IAM) •Multi-Factor Authentication (MFA) •Amazon S3 Bucket Logging •And THREE more …
  • 9. What’s a Role •Named IAM entity (name isn’t a secret) •Set of permissions •No credentials: Policy specifies who can assume
  • 10. Security Role •You need insight when managing the security of many AWS accounts •Create a “security audit role” with “read” access to policies and configurations you want to monitor.
  • 12. Security Role (Snippet of Example Policy)
  • 14. Security Audit Policy Template is now available in AWS Management Console
  • 15. Write-Once Storage •What is it good for –Tripwire –Configuration audits –Logs •Integrity for records of activity, historical configurations •Further enhanced by moving off-system or limiting availability to a VERY select few
  • 16. Configuring Write-Once Storage •Bucket versioning •MFA delete •Go for the gusto: Create a second account –Bucket policy –Role
  • 19. Audit Logs via AWS CloudTrail •AWS CloudTrailrecords API calls in your account and delivers logs to your Amazon S3 bucket. •Typically, delivers an event within 15 minutes of the API call. •Log files are delivered approximately every 5 minutes. •Currently in all public regions, supporting most AWS services Image Source: Jeff Barr
  • 20. Turning on AWS CloudTrail •Have a centralized write-only store? Use it!
  • 21. What is in the logs? •Whomade the API call? •Whenwas the API call made? •What was the API call? •Whatwere the resources that were acted up on in the API call? •Wherewas the API call made from?
  • 22. Who? Example 1: API Call by IAM User BobBob "type": "IAMUser", "userName": “Bob” Anonymized data
  • 23. Who? Example 2: API Call by Federated User Alice "userIdentity":{ "type":"FederatedUser", "principalId":"123456789012:Alice", "arn":"arn:aws:sts::123456789012:federated-user/Alice", "accountId":"123456789012", "accessKeyId":"ASEXAMPLE1234WTROX8F", "sessionIssuer":{ "type":"IAMUser", "accountId":"123456789012", "userName":“Bob" } } Anonymized data; Partial Output
  • 24. Who? Example 3: AWS Service Creating Resource on Behalf of a User Anonymized data •Elastic Beanstalk creating AWS resources on behalf of IAM user Bob "userIdentity": { "accountId": "123456789012", "arn": "arn:aws:iam::123456789012:user/Bob", "invokedBy":"elasticbeanstalk.amazonaws.com", "principalId": "ASEXAMPLE123XWTROX8F ", "type": "IAMUser", "userName": “Bob" }
  • 25. Security-relevant AWS CloudTrailEvents for IDS •Some AWS CloudTrailevents are more interesting security-wise than others, such as … –Console Sign-In –Authorization Failure –Etc. •It makes sense to prioritize review for these.
  • 26. Example 1 –Sign-In Logginghttps://console.aws.amazon.com/iam/home?state=hashArgs%23&isauthcode=true",
  • 28. Example 3 –AWS CloudTrailTurned OFF
  • 29. AWS CloudTrailSearch / Alert Solutions •AWS Marketplace •SaaS •Open Source
  • 30. Example AWS Marketplace Solution for AWS CloudTrailSearch / Alert
  • 31. Example SaaS Solution for AWS CloudTrailSearch / Alert
  • 32. Example Open Source Solution for AWS CloudTrailSearch / Alert
  • 33. Detecting Unauthorized Access •Types of access –Credentials –Publicly accessible resources –Cross account access
  • 34. Detecting Unauthorized Access – Credentials •Types of credentials –Login profile –Access key –X509 –CloudFront –Temporary Security Credentials •Attachment points –Root account –IAM users •You want to know what credentials are out there with access to your account.
  • 38. Detecting Unauthorized Access – Public •Publically accessible resources (NOT by default, but could be configured as such) –Amazon S3 Bucket –Amazon S3 Anonymous Objects –Amazon SQS Open / Public Queues •You want to keep track of which resources are readable (or writable even) to the world
  • 39. Detecting Unauthorized Access –Cross Account •Resources that support resource policies –Amazon S3 Buckets –Amazon SQS queues –Amazon SNS topics •You want to pay particular attention to any resources that have resource policies allowing cross account access.
  • 40. CHECKING FOR CROSS-ACCOUNT ACCESS TO RESOURCES
  • 42. Detecting Unauthorized Access –Roles •What is a role –Name –AssumeRolePolicy –Capabilities •You want to look at what roles are present in the account and who can assume them
  • 45. Detecting Unauthorized Access – Effective Access •Ways of expressing * (IMPLICIT *) –PutUserPolicy –Credential creation –PassRole* •You want to look out for policies that could be used to gain all access (IAM APIs) •Using IAM Policy Simulator … https://policysim.aws.amazon.com/
  • 46. { "Statement": [ { "Sid": "Stmt1383555181147", ”NotAction": ”*", "Effect": "Allow", "Resource": "*" }, { "Sid": "Stmt1383555193395", "Action": ["iam:PutUserPolicy"], "Effect": "Allow", "Resource": "*" }, ] } { "Statement": [ { "Sid": "Stmt1383555181147", "Action": ”ec2:*", "Effect": "Allow", "Resource": "*" }, { "Sid": "Stmt1383555193395", "Action": ["s3:*",”iam:PassRole”], "Effect": "Allow", "Resource": "*" }, ] }
  • 48. { "Statement": [ { "Sid": "Stmt1383555181147", ”NotAction": ”*", "Effect": "Allow", "Resource": "*" }, { "Sid": "Stmt1383555193395", "Action": ["iam:PutUserPolicy"], "Effect": "Allow", "Resource": "*" }, ] } { "Statement": [ { "Sid": "Stmt1383555181147", "Action": ”ec2:*", "Effect": "Allow", "Resource": "*" }, { "Sid": "Stmt1383555193395", "Action": ["s3:*",”iam:PassRole”], "Effect": "Allow", "Resource": "*" }, ] }
  • 49. Detecting Unauthorized Access – Effective Access •Dump the output of various configuration APIs into write-once storage •Pay attention to changes •Some examples for grabbing this data … https://reinvent2014-sec402.s3.amazonaws.com/SecConfig.py
  • 50. Using Security Role for Amazon S3 Audit (Bucket Policies) https://reinvent2014-sec402.s3.amazonaws.com/SecConfig.py
  • 51. Account Configuration Change Security Alerts •Dump all the users, groups, roles, attached permissions, credsfor all users •Amazon S3 bucket, Amazon SQS queue, Amazon SNS topic policies •Amazon EC2 security group configuration •All goes to flat file, write-once Amazon S3 object •Diff and detect changeshttps://reinvent2014-sec402.s3.amazonaws.com/SecConfig.py
  • 52. Demonstration: Intrusion Detection Scripthttps://reinvent2014-sec402.s3.amazonaws.com/SecConfig.py
  • 53. Example Usage SecConfig.py [-h] -a ACCESS_KEY_ID -k SECRET_ACCESS_KEY [-t SECURITY_TOKEN] [-r ROLE] [-v] [-d] -h, --help show this help message and exit -a ACCESS_KEY_ID, --access_key_idACCESS_KEY_ID access key id -k SECRET_ACCESS_KEY, --secret_access_keySECRET_ACCESS_KEY secret access key -t SECURITY_TOKEN, --security_tokenSECURITY_TOKEN security token (for use with temporary security credentials) -r ROLE, --role ROLEroleto assume -v, --verbose enable verbose mode -d, --debug enable debug mode
  • 54. Example Output iam:accountsummary, AccountMFAEnabled, , 1 iam:accesskey, ClassicRTTUser, Active, AKIAJQF4G2ZOZBL3FYKQ iam:accesskey, ClassicRTTUser, Active, AKIAJVVZ456L2HVERGIQ iam:accesskey, audit, Active, AKIAJJ7D5VQ2KAC4RX6Q iam:accesskey, ec2test, Active, AKIAIMWFQHOLKE3ARKOQ iam:accesskey, ec2test, Active, AKIAISNKP5NBWJRQTBWA iam:useringroup, ClassicRTTUser, , ClassicRTTGrp iam:userpolicy, ClassicRTTUser, PowerUserAccess-ClassicRTTUser-201306251128, 3be1369a6334b59ecbe24496a45a6c792ea8468bf29f31d30f5d5efc645b2197 iam:userpolicy, audit, ReadOnlyAccess-audit-201310221803, 02bc4680f269c2949a2da250e6c2b430e3f2a6c1f9e665fce58b6d94de27001d iam:userpolicy, ec2test, AdministratorAccess-ec2test-201306141348, 08504c15956913f7a75aadc895ef2b92368826916f95027a128388e60cda61d4 iam:userpolicy, ec2test, AdministratorAccess-ec2test-201306141416, 76c7d1e7027c934815dd4c69db072992cd2912af59a513ddc633223b7fe01ebb iam:userpolicy, ec2test, ReadOnlyAccess-ec2test-201310231957, 02bc4680f269c2949a2da250e6c2b430e3f2a6c1f9e665fce58b6d94de27001d iam:userpolicy, mbp-r-managed, one, e3e0211e865b5cac2a57241edcb8aeb9d546764abba2f325b694ec840985c2ff iam:userpolicy, quux, mypolicy, 2ad665ca145f5d107be53beecc7c0092461d76c1b9588cae4e0b0f4cbdbc5083 iam:grouppolicy, test, CloudFrontFullAccess-test-201310291053, 3036fb93022a9f4146d6ccc67ff953d2be25c5ae3d0241b8b983442b577e5b73 iam:assumerolepolicy, ClassicRTTRole, arn:aws:iam::923022406781:role/ClassicRTTRole, 3036fb93022a9f4146d6ccc67ff953d2be25c5ae3d0241b8b983442b577e5b73 iam:assumerolepolicy, jenkins, arn:aws:iam::923022406781:role/jenkins, e3e0211e865b5cac2a57241edcb8aeb9d546764abba2f325b694ec840985c2ff iam:assumerolepolicy, ltest, arn:aws:iam::923022406781:role/ltest, 6e676d8b13e140781b56775c55e2894d8b8b838e15a12b64bf128a9794931b80 iam:assumerolepolicy, security_audit, arn:aws:iam::923022406781:role/security_audit, 6e676d8b13e140781b56775c55e2894d8b8b838e15a12b64bf128a9794931b80 iam:assumerolepolicy, uascr, arn:aws:iam::923022406781:role/uascr, b675543c022ca9bce21414468a7b62e207116f11f77e722ae2f65fed7e69ffbb iam:rolepolicy, ClassicRTTRole, PowerUserAccess-ClassicRTTRole-201306251129, e3e0211e865b5cac2a57241edcb8aeb9d546764abba2f325b694ec840985c2ff iam:rolepolicy, jenkins, ReadOnlyAccess-jenkins-201303291802, 6e676d8b13e140781b56775c55e2894d8b8b838e15a12b64bf128a9794931b80 iam:rolepolicy, security_audit, ReadOnlyAccess-security_audit-201311061949, b675543c022ca9bce21414468a7b62e207116f11f77e722ae2f65fed7e69ffbb iam:rolepolicy, uascr, AmazonDynamoDBFullAccess-uascr-201210111714, 75cc727843ed2bc783bf9c325300ff307d9b2594b2a53d88b59e609e39af1a89 s3:bucketpolicy, caec.us, , NoSuchBucketPolicy s3:bucketpolicy, cf-templates-g5zg6nnco317-us-east-1, , NoSuchBucketPolicy s3:bucketpolicy, dcslides, , NoSuchBucketPolicy s3:bucketpolicy, elasticbeanstalk-us-east-1-923022406781, , NoSuchBucketPolicy s3:bucketpolicy, gbr-billreport, , ee9f053535a1c6bb3f7becc968d6851679e9694757c8fe18ae3588e7334e2a20 s3:bucketpolicy, gbr-testv, , NoSuchBucketPolicy s3:bucketpolicy, gbrcrypto, , NoSuchBucketPolicy s3:bucketpolicy, gbrcrypto-logs, , NoSuchBucketPolicy s3:bucketpolicy, gregroth.desktop.amazon.com, , NoSuchBucketPolicy s3:bucketpolicy, logs.s3.caec.us, , NoSuchBucketPolicy s3:bucketpolicy, s3.caec.us, , NoSuchBucketPolicysqs:queuepolicy, https://queue.amazonaws.com/923022406781/deletemetoo, , NoPolicy sqs:queuepolicy, https://queue.amazonaws.com/923022406781/deletme, , 21fbfa969788e8675e540c1fb0114f1a5d280863d5c4e4e9476ec106af8bffc9 sns:topicpolicy, arn:aws:sns:us-east-1:923022406781:test, , c5f96939702f70124b7e2af14ed07034d155fa56bf043f187d5d6d2d1c9521c0 sns:topicpolicy, arn:aws:sns:us-east-1:923022406781:test2, , 27f459b59b384b38c92458a4c2ea7268be7c73db687cfba52ac7521770541cb8
  • 55. Example Output (Snippet) iam:accountsummary, AccountMFAEnabled, , 1 iam:accesskey, ClassicRTTUser, Active, AKIAJQF4G2ZOZBL3FYKQ iam:accesskey, ClassicRTTUser, Active, AKIAJVVZ456L2HVERGIQ iam:accesskey, audit, Active, AKIAJJ7D5VQ2KAC4RX6Q iam:accesskey, ec2test, Active, AKIAIMWFQHOLKE3ARKOQ iam:accesskey, ec2test, Active, AKIAISNKP5NBWJRQTBWA iam:accesskey, mbp-r-managed, Active, AKIAJKVVGIG7L5UC5OGQ iam:accesskey, quux, Active, AKIAJR7ZICS26O32EPBQ iam:accesskey, test, Active, AKIAINTUMS4ITD5CJVSA iam:useringroup, ClassicRTTUser, , ClassicRTTGrp
  • 56. Example Output (Snippet) s3:bucketpolicy, dcslides, , NoSuchBucketPolicy s3:bucketpolicy, elasticbeanstalk-us-east-1-923022406781, , NoSuchBucketPolicy s3:bucketpolicy, gbr-billreport, , ee9f053535a1c6bb3f7becc968d6851679e9694757c8fe18ae3588e7334e2a20 sqs:queuepolicy, https://queue.amazonaws.com/923022406781/deletemetoo, , NoPolicy sqs:queuepolicy, https://queue.amazonaws.com/923022406781/deletme, , 21fbfa969788e8675e540c1fb0114f1a5d280863d5c4e4e9476ec106af8bffc9 sns:topicpolicy, arn:aws:sns:us-east-1:923022406781:test, , c5f96939702f70124b7e2af14ed07034d155fa56bf043f187d5d6d2d1c9521c0 sns:topicpolicy, arn:aws:sns:us-east-1:923022406781:test2, , 27f459b59b384b38c92458a4c2ea7268be7c73db687cfba52ac7521770541cb8
  • 57. Example Diff, Something to Look Into < iam:userpolicy, mbp-r-managed, one, e3e0211e865b5cac2a57241edcb8aeb9d546764abba2f325b694ec840985c2ff --- > iam:userpolicy, mbp-r-managed, ReadOnlyAccess-mbp-r-managed-201311111559, b675543c022ca9bce21414468a7b62e207116f11f77e722ae2f65fed7e69ffbb > iam:userpolicy, mbp-r-managed, one, 1cc602178f7e876c6d38cbaa8c4adde19b1c3e5a89e6f13c29df5688eb73f50fhttps://reinvent2014-sec402.s3.amazonaws.com/SecConfig.py
  • 58. Advanced Warning on Billing / Usage Example
  • 59. Example OK vsUH-OH Billing Trend / Graph
  • 60. Billing Alerts •No need to wait until end of month to become aware of unexpected utilization •Establish a baseline of known good billing over time; set your thresholds (overall or service specific) •Investigate alerts to determine r00t (?) cause •Simplest cloud IDS mechanism, and FREE* * Setup of 10 alarms and receipt of 1 K notifications
  • 61. Enable Monitoring of Your Estimated Charges
  • 62. Creating A Billing Alarm –Select “By Service”
  • 63. Creating A Billing Alarm –Select Sevice(eg. Amazon EC2), Create Alarm
  • 64. Creating A Billing Alarm –Enter Name, Description, Set Threshold
  • 65. Creating A Billing Alarm –Set Alarm, Notification, Create Alarm
  • 67. Assuming You Anticipate ~ $1 K / Month … $1000 $750 $500 $250 Week 1 Week 2 Week 3 Week 4 = OK!
  • 68. “Early” Alerts Are “Interesting” … $1000 $750 $500 $250 Week 1 Week 2 Week 3 Week 4 = OK! = Hmm …
  • 69. More than One “Early” Alert …? $1000 $750 $500 $250 Week 1 Week 2 Week 3 Week 4 = OK! = Hmm … = Uh-Oh!
  • 70. Create Your Own Meter-based Alerts? •Use: programmatic access to billing data •You have more info about the types and locations of charges •Allows for looking for unexpected usage per region
  • 71. >$0 Usage Unexpected Region Alert Examplehttps://reinvent2014-sec402.s3.amazonaws.com/regional_billing_alert.rb
  • 72. Trusted Advisor •Inspects AWS environment; can identify and help close security gaps, enable security features, examine permissions –Open security groups –Bucket policy –IAM, passwords, MFA https://aws.amazon.com/premiumsupport/trustedadvisor/
  • 74. Trusted Advisor Security Checks Example
  • 76. Trusted Advisor Checks via API •AWS Support API includes Trusted Advisor checks –List checks and their descriptions –Get check results –Specify checks to refresh –Get refresh status of checks http://docs.aws.amazon.com/awssupport/latest/APIReference/Welcome.html
  • 77. Alternate Security POC •For security notifications, Support will utilize the contact information you provide AWS •Consider adding a security-specific contact for your account •Security POC = contact information for your organization’s security team http://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/manage-account-payment.html
  • 78. Rebuild Frequency •Difficult for adversary to maintain persistence when an EC2 instance does not •Breaking in repeatedly will be noisy, more likely to detect •Auditing a system is easiest soon after creation •Rebuild everything every day
  • 79. Support for Security •AWS support is the one-stop shop for AWS customers, for ANY concerns, including security-related •If support can not immediately address your concern, they will escalate internally to the appropriate technical team, AWS security included https://aws.amazon.com/support
  • 80. Other re:InventTalks •SEC305 “IAM Best Practices” •SEC303 “Mastering Access Control Policies” •SEC306 “Turn On Cloudtrail” •SEC404 “Incident Response in The Cloud” •If missed, keep an eye on YouTube … http://www.youtube.com/user/AmazonWebServices
  • 81. Security Best Practices Whitepaper •Help for designing security infrastructure and configuration for your AWS environment •High-level guidance for … –Managing accounts, users, groups roles –Managing OS-level access to instances –Securing your data, OS, apps, infrastructure –Managing security monitoring, auditing, alerting, incident response http://media.amazonwebservices.com/AWS_Security_Best_Practices.pdf
  • 82. AWS Security Resources •AWS Security Blog http://blogs.aws.amazon.com/security/ •AWS Security Center https://aws.amazon.com/security •Contact the AWS security teamaws-security@amazon.com
  • 83. Pre-ReqReminders with References •AWS Identity and Access Management (IAM) http://docs.aws.amazon.com/IAM/latest/UserGuide/IAMGettingStarted.html •Multi-Factor Authentication (MFA) http://docs.aws.amazon.com/IAM/latest/UserGuide/Using_ManagingMFA.html •Amazon S3 Bucket Logging http://docs.aws.amazon.com/AmazonS3/latest/UG/ManagingBucketLogging.html •Roles for EC2 http://docs.aws.amazon.com/IAM/latest/UserGuide/WorkingWithRoles.html •Amazon S3 Bucket Versioning with MFA Delete http://docs.aws.amazon.com/AmazonS3/latest/dev/Versioning.html http://docs.aws.amazon.com/AmazonS3/latest/dev/MultiFactorAuthenticationDelete.html
  • 84. Billing Alerts and Billing Data •Monitoring your AWS charges http://docs.amazonwebservices.com/AmazonCloudWatch/latest/DeveloperGuide/monitor_estimated_charges_with_cloudwatch.html •Amazon CloudWatchCommand Line Interface Reference http://docs.aws.amazon.com/AmazonCloudWatch/latest/DeveloperGuide/CLIReference.html •Programmatic Access to Billing Datahttp://docs.aws.amazon.com/awsaccountbilling/latest/about/programaccess. html
  • 85. Key Takeaways •Beyond traditional host-or network-based intrusion detection, there is intrusion detection for the cloud •AWS provides a variety of mechanisms and support that you can and should leverage to monitor key security controls •Tinker, give us feedback, and approach our partners about incorporating some ideas here
  • 86. Downloads •Example Intrusion Detection Script https://reinvent2014-sec402.s3.amazonaws.com/SecConfig.py •Regional Billing Alert Scripthttps://reinvent2014-sec402.s3.amazonaws.com/regional_billing_alert.rb
  • 87. Please give us your feedback on this session. Complete session evaluations and earn re:Invent swag. http://bit.ly/awsevals