To implement security best practices in your AWS accounts, you must establish a security baseline and then enforce it across all accounts. In this session, you will learn how to use AWS CloudFormation and AWS Step Functions to execute security best practices, such as using AWS CloudTrail, AWS Config, Amazon VPC Flow Logs, and Amazon S3 Access logs in scenarios where you are managing many AWS accounts across an organization. Learn how to store all of these logs in a centralized logging system such as Elasticsearch or Splunk, and set up alerting and drift detection on anomalous or high risk activity. Attend this session and discover ways to use centralized IAM roles and enforce MFA across multiple accounts. https://aws.amazon.com/government-education/

1. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Serverless Security Automation
Will St. Clair – Solutions Architect - Education, Amazon Web Services
Kym Weiland – Director of Release Implementation, FINRA
Stephen Mele – Software Developer, FINRA
June 13, 2017

2. Agenda
• AWS governance in the enterprise
• Key configuration and control points
• Serverless computing with AWS Lambda and
AWS Step Functions
• Example: Building automation to deploy configuration
and remediate issues
• Customer case study: FINRA

3. AWS adoption patterns
• In highly federated organizations,
AWS adoption often begins flowing
from the bottom up
• In parallel, central IT often begins
establishing a formal architecture
for AWS
• Need a governance approach that:
• Meets the organization’s
requirements
• Scales to all users of AWS
• Enables use of the complete
AWS platform
Top down
adoption
Bottom up
adoption

4. Tailor governance based on impact
Higher-impact accounts are
more likely to be managed by
central or departmental IT
groups and will have more
security controls.
Low High
High
Low
Availability
Confidentiality
Lower-impact accounts still
have basic security controls,
but can be issued freely to
end users for test,
development, or low impact
research and production
workloads.

5. For high-impact workloads
• know how to map their
organization’s controls to
appropriate AWS configuration
• use AWS (and partner)
solutions to automate
monitoring and remediation
Administrators should…
For all workloads
• establish infrastructure to
analyze Cost and Usage
Reports and charge back
usage
• automate the issuance and
security of AWS accounts for
all users
• otherwise, end users doing
exploratory or low-risk
work will not be visible

6. Key configuration points
AWS CloudFormation
Amazon
CloudWatch
AWS Config
Config Rules
AWS CloudTrail
CloudWatch
Events
Manual configuration
Root MFA
Alternate contacts
IAM
Managed
Policies
Roles
Security questions
Amazon
VPC
VPC peering
Flow logs

7. Key configuration points: CloudFormation
Administrators:
Type: AWS::IAM::Group
Properties:
GroupName: SecurityAdministrators
ManagedPolicyArns:
- !Ref AssumeAdministratorRoleWithMFAPolicy
- arn:aws:iam::aws:policy/AdministratorAccess
SecurityAuditors:
Type: AWS::IAM::Group
Properties:
GroupName: SecurityAuditors
ManagedPolicyArns:
- !Ref AssumeSecurityAuditorRoleWithMFAPolicy
• Write JSON or YAML
templates to define AWS
resources
• Use to deploy:
• Identity and Access
Management policies
and roles
• Virtual Private Cloud
configurations
• etc.

8. Key Configuration Points: IAM
• Each AWS account should have centrally-managed
Managed Policies and Roles
• Roles should be configured to trust the
organization’s IdP and/or an AWS account used to
supervise managed accounts
Administrator SecurityAuditor
Departmental account
Supervisor account
Trust Policy

9. Key Configuration Points: AWS Config
• AWS Config creates Configuration Snapshots,
which are JSON documents describing the
current state of the environment
• Virtual Private Cloud configurations, running
instances, and more
• AWS Config Rules let you define conditions and
monitor whether an account is in or out of
compliance with policy
• Administrators see red/green status for defined rules

10. How do we manage all these configuration points?
Locally-run scripts
Manually
Fully automated,
composable modules
running in AWS

11. Serverless computing with AWS Lambda
Continuous
Scaling
No Servers to
Manage
Subsecond
Metering
AWS Lambda handles:
• Operations and
management
• Provisioning and
utilization
• Scaling
• Availability and fault
tolerance
Automatically scales your
application, running code in
response to each trigger
Your code runs in parallel and
processes each trigger
individually, scaling precisely
with the size of the workload
Pricing
• CPU and Network
scaled based on
RAM (128 MB to
1500 MB)
• $0.20 per
1M requests
• Price per 100ms

12. Introducing AWS Step Functions
• Write single-task Lambda
functions instead of complex
scripts
• Define your workflow logic in
one place
• Scalable, resilient, agile
• Fully managed by AWS
• No servers to run
• Doesn’t lose state

13. Example: Cross-account CloudWatch Events
• CloudWatch Events enables administrators to
subscribe to events about activity in their AWS
account
• Calls to AWS APIs
• Instance lifecycle (start/stop)
• Maintenance windows and health notifications
• We’d like to automatically enable access logs for
new Amazon Simple Storage Service (S3) buckets

14. Example: Cross-account CloudWatch Events
Managed account Consolidated admin account
API call
CloudWatch event
SNS topic
Publishes event
Lambda event
handler
Subscribes to
Remediation workflow
(Step Functions state
machine)
Creates execution
SupervisorAdminRole
Assumes
Remediation task states
Invokes
Amazon S3
GET bucket logging
PUT bucket logging

15. Example: Deploy CloudFormation template
• Maintain a library of CloudFormation templates to
enable common functionality
• Standard network configurations
• Frequently deployed applications (e.g., LAMP stack)
• We’d like to automatically deploy or update a
given template in a target AWS account

16. Example: Deploy CloudFormation template
Administration Account
SupervisorAdminRole
Trust policy
roles.yaml common.yaml etc.yaml
Template library
Assume
XAcctRole
Trust policy
Apply
Template
Check
TmplStatus
Assumes
role
CloudFormation
stacks
Creates or
updates
stack
Waits for
stack
Step Functions state machines
ApplyTemplate
SupervisorLambdaRole
IAM user
UpdateManaged
Account
Invokes
Managed account

17. Example: Deploy CloudFormation template

18. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
FINRA Development Services
June 13, 2017
FINRA Gatekeeper
Kym Weiland & Stephen Mele

19. Problem
Transparency
Governance
Devops
Access Control
Compliance
Transient Platform

20. Approach
Automation
Timely & Responsive
Auditable
Temporary
Discourage access
to servers
Group
Membership

21. SSM Documents - Create
{
"schemaVersion":"1.2",
"description":"Script for GateKeeper to create temp user.",
"parameters":{
… Parameter details here …
},
"runtimeConfig":{
"aws:runShellScript":{
"properties":[
{
"id":"0.aws:runShellScript",
"runCommand":[ "useradd -e `date -d '+2 days' '+%Y-%m-%d'` {{ userName }}",
"mkdir /home/{{ userName }}/.ssh",
"echo '{{ publicKey }}' >> /home/{{ userName }}/.ssh/authorized_keys",
"chown -R {{ userName }}:{{ userName }} /home/{{ userName }}",
"chmod -R go-rwx /home/{{ userName }}/.ssh",
"echo '{{ userName }} ALL=(ALL) NOPASSWD: ALL' > /etc/sudoers.d/{{ userName }}" ],
"workingDirectory":"/root",
"timeoutSeconds":"{{ executionTimeout }}"
}
]
}
}
}

22. SSM Documents - Remove
{
"schemaVersion":"1.2",
"description":"Script for GateKeeper to cleanup expired users.",
"parameters":{
… Parameter details here ...
},
"runtimeConfig":{
"aws:runShellScript":{
"properties":[
{
"id":"0.aws:runShellScript",
"runCommand":[ "cut -f1 -d':' /etc/passwd | grep {{ userName }} > /dev/null && (userdel -rf {{
userName }} ; echo 'user deleted' ) || echo 'no user to delete'",
"ls /etc/sudoers.d/ | grep {{ userName }} > /dev/null && (rm -f /etc/sudoers.d/{{
userName }} ; echo 'sudo file deleted' ) || echo 'no sudo file to delete'" ],
"workingDirectory":"/root",
"timeoutSeconds":"{{ executionTimeout }}"
}
]
}
}
}

23. Solution
SSM Controlled Documents
Secure Password Generation and Distribution
Only Internal Destinations
Generated Compliant Temporary Users
Automated Removal
Integrated With Enterprise Firewalls

24. Gatekeeper High Level
Gatekeeper
App
Users
Call SSM
on VPC
Store Request
Data
Amazon EC2
Search EC2 &
AWS API
SSM
Amazon VPCs

25. Gatekeeper Detailed

26. Security Configuration
SSM document IAM role based
Approval process AWS-Tag Informed
Security Group bounded
Still tied to organization and firewall security

27. DevOps Methodology
Self Service for Delivery Teams
Allow for secured PEM file
No individual key management
Automated onboarding of fleet
Audit Trail & Reporting

28. Kym Weiland & Stephen Mele