To help prevent unexpected access to your AWS resources, it is critical to maintain strong identity and access policies and track, effectively detect, and react to changes. In this session you will learn how to use AWS Identity and Access Management (IAM) to control access to AWS resources and integrate your existing authentication system with IAM. We will cover how to deploy and control AWS infrastructure using code templates, including change management policies with AWS CloudFormation. Further, effectively detecting and reacting to changes in posture or adverse actions requires the ability to monitor and process events. There are several services within AWS that enable this kind of monitoring such as CloudTrail, CloudWatch Events, and the AWS service APIs. We learn how Netflix utilizes a combination of these services to operationalize monitoring of their deployments at scale, and discuss changes made as Netflix’s deployment has grown over the years.

1. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
AWS re:Invent
Best Practices for
Managing Security Operations on AWS
W i l l B e n g t s o n – N e t f l i x - S e n i o r S e c u r i t y E n g i n e e r
A r m a n d o L e i t e – A W S - P r i n c i p a l S e c u r i t y A r c h i t e c t
S I D 2 0 6
N o v e m b e r 2 7 , 2 0 1 7

2. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Understand the boundary
Consistent controls
Test often, fail early
Closed-loop mechanisms
Full stack
Practice
Visibility

3. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Understand the boundary
Consistent controls
Test often, fail early
Closed-loop mechanisms
Full stack
Practice
Visibility

4. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Blast radius
Segregate
Classify
AWS Account as the boundary
• Highest degree of segregation
• By data classification
• Business unit
• Workload
• Functional
In-VPC
• SGs, NACLs
• AWS IAM Resource level
constraints
VPC as the boundary (single account)
• Equivalent to separate networks
• Peering, Routing (+all above)
• AWS IAM similar to previous
Flexibility
Innovation
Right-sizing

5. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
App A.1
App B.1
App A.2
App B.2
Logging
Agg.
Other
(1..N)
SecOps
TeamBTeamAShared
Regardless of boundary,
consider:
- How to aggregate
logging
- SecOps dedicated
account
BU A BU B
Logging
Agg.
SecOps
Conf A.2
Pub A.2
App A.1
App A.2

6. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Understand the boundary
Consistent controls
Test often, fail early
Closed-loop mechanisms
Full stack
Practice
Visibility

7. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
From To

8. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
AWS CloudFormation + AWS Organizations

9. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

10. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Understand the boundary
Consistent controls
Test often, fail early
Closed-loop mechanisms
Full stack
Practice
Visibility

11. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Battery of test cases Spec review

12. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Commit phase: source-control changes
• Static code analysis: analyze the CFN templates against a set of security rules
Acceptance phase: dev environment
• Dynamic analysis: run template in sandbox/acceptance test environment
Capacity/integration/staging phases: pre-prod environment
• Load, performance, penetration, and failover testing
Production phase: prod environment
• Deploy...

13. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

14. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Understand the boundary
Consistent controls
Test often, fail early
Closed-loop mechanisms
Full stack
Practice
Visibility

15. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Monitor FixControl Monitor Fix

16. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Signal
Noise
Gather Remediate
Do Nothing
Correct
Alert
Enrich
Stop
Measure
Spectrum of options

17. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
API calls (CloudTrail) are
logged
StopTrail/Change Turn back on
Control Monitor Fix
SSH only from bastion
subnet
Create/Change SGs
validate source if port == 22
Change SG via Lambda
All instances in patch up to
date for XXX
EC2 Systems Manager +
AWS Config rules
Patch via Systems Manager
No root access CloudWatch Logs + Syslog Isolate and investigate
No public objects in S3 Object level logging in
CloudTrail
Make object private

18. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
https://aws.amazon.com/blogs/security/how-to-detect-and-
automatically-remediate-unintended-permissions-in-amazon-
s3-object-acls-with-cloudwatch-events/

19. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

20. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Understand the boundary
Consistent controls
Test often, fail early
Closed-loop mechanisms
Full stack
Practice
Visibility

21. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Establishing platform security
Establishing network security
Establishing OS security
Establishing data protection

22. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Establishing platform security
Establishing network security
Establishing OS security
Establishing data protection
Rest:
- KMS
- CloudHSM
Transit
- VPN
- ACM
*Thu, 3:15 p.m.
SID330 AWS Key Management Service Architecture Best Practices

23. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Establishing platform security
Establishing network security
Establishing OS security
Establishing data protection

24. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Amazon EC2 Systems Manager
Run Command State Manager Inventory Maintenance Window
Patch Manager Automation Parameter Store Documents

25. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Understand the boundary
Consistent controls
Test often, fail early
Closed-loop mechanisms
Full stack
Practice
Visibility

26. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
*Security Incident Response
Simulations
S.I.R.S.

27. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Jam Sessions @ The Park (Linq)
Security Jam
Tuesday the 28th
Jam Lounge:
Wednesday and Thursday (from 8 a.m.)
Go bananas!

28. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Architecture Visibility Audit
W i l l B e n g t s o n - N e t f l i x S e c O p s
N e t f l i x S e c u r i t y T o o l s a n d O p e r a t i o n s

29. Architecture
Visibility
Auditing

30. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

31. Our security operations center is not
bright dashboards that we watch all day
© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

32. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

33. CloudTrail CloudWatch SDKs
© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

34. CloudTrail CloudWatch SDKs
© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

35. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

36. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

37. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

38. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

39. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

40. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

41. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

42. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Netflix is BIG

43. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
> 100,000 instances

44. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
> 33% USinternet traffic

45. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
1,000s of changes

46. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
1,000,000+ events/minute

47. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
1,000,000+ events/minute
in only two accounts

48. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Multiple accounts

49. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

50. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

51. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

52. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

53. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

54. Awwwdit
© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

55. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

56. Historical
© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

57. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Tag, you’re it!
How to Detect and Automatically Remediate Unintended Permissions in Amazon S3 Object
ACLs with CloudWatch Events
https://aws.amazon.com/blogs/security/how-to-detect-and-automatically-remediate-
unintended-permissions-in-amazon-s3-object-acls-with-cloudwatch-events/
Implementing DevSecOps Using AWS CodePipeline
https://aws.amazon.com/blogs/devops/implementing-devsecops-using-aws-
codepipeline/
Automating Governance repo:
https://github.com/awslabs/automating-governance-sample
Tuesday, 27th November. 8 a.m.— Security Jam (HAC05)
(Extra seating added – bring a laptop!)

58. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Thank you!
Tue start 8 a.m.—Security Jam
Wed start 11 a.m.—Analytics Jam
Thur start 11 a.m.—All-In Jam
Jam Lounge
Wed and Thur from 8 a.m.
Drop by at any time
William Bengtson@Netflix
Armando Leite@AWS
Your turn! Just need a laptop!

59. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Thank you!
Tue start 8 a.m.—Security Jam
Wed start 11 a.m.—Analytics Jam
Thur start 11 a.m.—All-In Jam
Jam Lounge
Wed and Thur from 8 a.m.
Drop by at any time
William Bengtson@Netflix
Armando Leite@AWS
Your turn! Just need a laptop!