
SID301_Using AWS Lambda as a Security Team


Operating a security practice on AWS brings many new challenges that haven't been faced in data center environments. The dynamic nature of infrastructure, the relationship between development team members and their applications, and the architecture paradigms have all changed as a result of building software on top of AWS. In this session, learn how your security team can leverage AWS Lambda as a tool to monitor, audit, and enforce your security policies within an AWS environment.



  1. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. AWS re:INVENT. SID301: Using AWS Lambda as a Security Team. Andrew Baird, Brittany Doncaster. November 27, 2017.
  2. Topics: Overview + demo; Auditing + demo; Monitoring + demo; Remediation + demo.
  3-4. Security Engineering (two slides).
  5. Benefits of AWS Lambda. A productivity-focused compute service to build powerful, dynamic, modular applications in the cloud. (1) No infrastructure to manage: focus on business logic. (2) Cost-effective and efficient: pay only for what you use. (3) Bring your own code: run code in standard languages.
  6. AWS Lambda: Run Code in Response to Events. Event source (changes in data state, requests to endpoints, changes in resource state) -> Function (Node, Python, Java, C#) -> Services (anything).
  7. Demo.
  8. Auditing.
  9. Auditing, typical goals: What is the state now? When did the state change? Who last updated the record of state? How can I trust this record of state? Auditing, typical instrumentation: log archiving; CMDB; change-review board; tight access control.
  10. Audit Logs. What they should be: immutable; coupled with reality; compliance-focused. What they should not be: manually/process-generated; inaccurate/out-of-date; noise > signal.
  11. Auditing—re:Focus. Why typical goals/instrumentation now fall short: Has the environment changed since I last reviewed it? If no: you were eaten by a grue. If yes: what changed? ALL THE THINGS!!!
  12. Auditing—re:Focus (cont'd.). Modernizing your audit strategy: event-driven; scale through code; programmatic decisions. Decision flow for each change: Does this resource (or type of resource) affect my state of compliance? No: archive the logs. Yes: is the change compliant? (yes/no)
  13. Active Auditing with AWS Lambda: AWS Config and AWS Config Rules; AWS CloudTrail and Amazon CloudWatch Logs.
  14. AWS CloudTrail.
  15. Amazon CloudWatch Logs Subscriptions.
  16. AWS Config & AWS Config Rules: a continuous recording and continuous assessment service. Changing resources -> AWS Config (normalized; history and snapshot; notifications; API access) -> Config Rules. Answers the questions: How are my resources configured over time? Is a change that just occurred to a resource compliant?
  17. AWS Lambda as Auditor: App Account 1 through App Account n, with a separate Security Team Account.
  18. Demo Architecture: AWS Config -> AWS Lambda function -> Amazon EC2 instance security group.
  19. Demo.
  20. Recap: Auditing. Enable CloudTrail and AWS Config in all regions. Subscribe to audit-relevant logs in Amazon CloudWatch Logs. Persist in Amazon S3/Amazon Glacier (make immutable). Audit logs play an active role in security operations (via Lambda!). BONUS: check out Cloud Custodian from Capital One: https://developer.capitalone.com/opensource-projects/cloud-custodian
  21. Monitoring.
  22. Monitoring. So you have an SOC… monitoring tools and 'connectors'; people watching screens, waiting for alerts. How much insight are you really getting?
  23. Types of Monitoring in AWS: Amazon CloudWatch (Logs, Events); AWS CloudTrail; VPC Flow Logs.
  24. Patterns for Monitoring—CloudWatch: CloudWatch Events / CloudWatch Logs -> Lambda function (filter, add context) -> integration with other tools.
  25. Patterns for Monitoring—CloudTrail: AWS CloudTrail -> log delivery to Amazon S3 bucket -> notification -> Lambda function (filter, add context) -> integration with other tools.
  26. Patterns for Monitoring—VPC Flow Logs: virtual private cloud -> VPC Flow Logs -> Amazon CloudWatch -> subscription -> Lambda function (filter, add context) -> integration with other tools.
  27. Patterns for Monitoring—Macie: CloudWatch Events -> Lambda function.
  28. Demo Architecture: virtual private cloud -> VPC Flow Logs -> Amazon CloudWatch -> subscription -> Lambda function -> Amazon Kinesis Firehose -> Amazon ES (ingest to visualization tool). See https://aws.amazon.com/blogs/security/how-to-visualize-and-refine-your-networks-security-by-adding-security-group-ids-to-your-vpc-flow-logs/
  29. Demo.
  30. Recap: Monitoring. You can still use your existing tool sets. Lambda helps filter and add context to alerts.
  31. Remediation.
  32. Remediation.
  33. Remediation: scale, cost ($$), speed.
  34. Patterns for Remediation: Amazon CloudWatch, AWS CloudTrail, VPC Flow Logs, AWS Config -> Lambda function -> AWS APIs, AWS WAF.
  35. Remediation Patterns. What if the problem is on an Amazon EC2 instance? Lambda function -> Amazon EC2 Systems Manager Run Command -> EC2 instances: asynchronously execute commands; no need to SSH/RDP; commands and output logged.
  36. If One Lambda Just Won't Do… AWS Step Functions makes it easy to coordinate multiple Lambda functions and visualize the execution.
  37. Coordination of Lambda: define in JSON; visualize in the console; monitor executions.
  38. Demo Architecture: Amazon CloudWatch -> Lambda function -> AWS APIs.
  39. Demo.
  40. Recap: Remediation. Automate remediation steps where possible. For Amazon EC2 access during remediation, use Run Command. If multiple steps are involved for remediation, use AWS Step Functions for coordination.
  41. Thank you!
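Worked example for the auditing demo architecture (slide 18: AWS Config -> Lambda function -> EC2 security group). This is an added example, not the code shown in the session: a custom AWS Config rule, written as a Lambda handler, that follows the Config custom-rule contract (the configuration item arrives JSON-encoded in `invokingEvent`, the result goes back through `PutEvaluations` with the `resultToken`). The sensitive-port list, the fictional security group and the sample event are assumptions constructed for the example.

```python
import json

# Assumption for this example: ports the security team never allows from the
# whole internet (0.0.0.0/0 or ::/0) on an EC2 security group.
SENSITIVE_PORTS = {22, 3389, 1433, 3306, 5432, 27017}
WORLD_CIDRS = {"0.0.0.0/0", "::/0"}


def _port_range(perm):
    """Port interval covered by one ipPermissions entry, or None if portless (ICMP)."""
    if perm.get("ipProtocol") == "-1":          # "all traffic"
        return 0, 65535
    lo = perm.get("fromPort")
    if lo is None:
        return None
    return lo, perm.get("toPort", lo)


def _world_cidrs(perm):
    """CIDRs in this entry that mean 'anyone'. Config emits ipv4Ranges/ipv6Ranges
    as dicts and the legacy ipRanges as plain strings; handle both."""
    cidrs = [r.get("cidrIp") for r in perm.get("ipv4Ranges", [])]
    cidrs += [r.get("cidrIpv6") for r in perm.get("ipv6Ranges", [])]
    cidrs += perm.get("ipRanges", [])
    return sorted(set(c for c in cidrs if c in WORLD_CIDRS))


def evaluate_security_group(item):
    """Return (complianceType, annotation) for one configuration item."""
    if item.get("resourceType") != "AWS::EC2::SecurityGroup":
        return "NOT_APPLICABLE", "not a security group"
    if item.get("configurationItemStatus", "").startswith("ResourceDeleted"):
        return "NOT_APPLICABLE", "resource deleted"
    findings = []
    for perm in item.get("configuration", {}).get("ipPermissions", []):
        span = _port_range(perm)
        cidrs = _world_cidrs(perm)
        if span is None or not cidrs:
            continue
        exposed = sorted(p for p in SENSITIVE_PORTS if span[0] <= p <= span[1])
        if exposed:
            findings.append("ports %s open to %s" % (exposed, ",".join(cidrs)))
    if findings:
        return "NON_COMPLIANT", "; ".join(findings)[:256]   # Config caps annotations at 256 chars
    return "COMPLIANT", "no sensitive port open to the world"


def build_evaluation(event):
    """Turn the rule invocation into the PutEvaluations request body."""
    item = json.loads(event["invokingEvent"])["configurationItem"]
    compliance, note = evaluate_security_group(item)
    return {
        "Evaluations": [{
            "ComplianceResourceType": item["resourceType"],
            "ComplianceResourceId": item["resourceId"],
            "ComplianceType": compliance,
            "Annotation": note,
            "OrderingTimestamp": item["configurationItemCaptureTime"],
        }],
        "ResultToken": event["resultToken"],
    }


def lambda_handler(event, context):
    import boto3   # imported lazily so the pure evaluation logic runs without the SDK
    body = build_evaluation(event)
    boto3.client("config").put_evaluations(**body)
    return body["Evaluations"][0]["ComplianceType"]


# Constructed invocation (fictional group): SSH and HTTPS both open to the world.
SAMPLE_EVENT = {
    "invokingEvent": json.dumps({
        "messageType": "ConfigurationItemChangeNotification",
        "configurationItem": {
            "resourceType": "AWS::EC2::SecurityGroup",
            "resourceId": "sg-0123456789abcdef0",
            "configurationItemStatus": "OK",
            "configurationItemCaptureTime": "2017-11-27T10:00:00.000Z",
            "configuration": {"ipPermissions": [
                {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
                 "ipv4Ranges": [{"cidrIp": "0.0.0.0/0"}]},
                {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443,
                 "ipv4Ranges": [{"cidrIp": "0.0.0.0/0"}]},
            ]},
        },
    }),
    "resultToken": "example-result-token",
}

if __name__ == "__main__":
    print(json.dumps(build_evaluation(SAMPLE_EVENT), indent=2))
```

Two caveats a practitioner will hit: the Lambda function needs a resource-based permission allowing `config.amazonaws.com` to invoke it, and this example only handles `ConfigurationItemChangeNotification`; periodic rules and `OversizedConfigurationItemChangeNotification` deliver no inline configuration item and require a `GetResourceConfigHistory` lookup first.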
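Worked example for the monitoring pattern on slides 26 and 28 (VPC Flow Logs -> CloudWatch Logs subscription -> Lambda function that filters and adds context). This is an added example, not the session's demo code. It shows the part of the pattern the slides leave implicit: a subscription delivers the log events base64-encoded and gzip-compressed under `awslogs.data`, and the function must decode them before it can filter. The ENI-to-context lookup table, the watched ports and the flow-log lines are constructed assumptions; the field order is the default version-2 flow-log format.

```python
import base64
import gzip
import json

# Default VPC Flow Log (version 2) field order.
FLOW_FIELDS = ["version", "account_id", "interface_id", "srcaddr", "dstaddr",
               "srcport", "dstport", "protocol", "packets", "bytes",
               "start", "end", "action", "log_status"]

# Assumption: a static lookup standing in for a cached DescribeNetworkInterfaces
# result or a DynamoDB table keyed by ENI id. Values are fictional.
ENI_CONTEXT = {
    "eni-0a1b2c3d4e5f60001": {"name": "web-prod-1", "sg": "sg-web-prod", "subnet": "subnet-public-a"},
}
# Assumption: destination ports whose rejected inbound traffic the SOC wants to see.
WATCH_PORTS = {22: "ssh", 3389: "rdp", 3306: "mysql"}


def decode_awslogs(event):
    """Unwrap a CloudWatch Logs subscription payload into its JSON body."""
    raw = base64.b64decode(event["awslogs"]["data"])
    return json.loads(gzip.decompress(raw))


def parse_flow(message):
    """Parse one flow-log line; None for malformed lines and NODATA/SKIPDATA records."""
    parts = message.split()
    if len(parts) != len(FLOW_FIELDS):
        return None
    rec = dict(zip(FLOW_FIELDS, parts))
    if rec["log_status"] != "OK":      # NODATA/SKIPDATA lines carry '-' in the numeric fields
        return None
    for key in ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end"):
        rec[key] = int(rec[key])
    return rec


def interesting(rec):
    """Filter: only rejected traffic toward a watched port survives."""
    return rec["action"] == "REJECT" and rec["dstport"] in WATCH_PORTS


def enrich(rec):
    """Add context: which instance/security group the ENI belongs to, which service."""
    ctx = ENI_CONTEXT.get(rec["interface_id"], {})
    return {**rec,
            "instance_name": ctx.get("name", "unknown"),
            "security_group": ctx.get("sg", "unknown"),
            "service": WATCH_PORTS.get(rec["dstport"])}


def process(event):
    """Decode, filter and enrich; returns the alerts to hand to downstream tools."""
    payload = decode_awslogs(event)
    if payload.get("messageType") != "DATA_MESSAGE":   # CONTROL_MESSAGE on subscription setup
        return []
    alerts = []
    for log_event in payload["logEvents"]:
        rec = parse_flow(log_event["message"])
        if rec and interesting(rec):
            alert = enrich(rec)
            alert["log_group"] = payload["logGroup"]
            alerts.append(alert)
    return alerts


def lambda_handler(event, context):
    alerts = process(event)
    for alert in alerts:
        print(json.dumps(alert))   # stand-in for the SNS/SIEM integration
    return {"alerts": len(alerts)}


def make_awslogs_event(lines):
    """Build a subscription-style event from constructed log lines (test input only)."""
    body = {"messageType": "DATA_MESSAGE", "owner": "123456789012",
            "logGroup": "vpc-flow-logs", "logStream": "eni-0a1b2c3d4e5f60001-all",
            "subscriptionFilters": ["all-flows"],
            "logEvents": [{"id": str(i), "timestamp": 1511776800000 + i, "message": m}
                          for i, m in enumerate(lines)]}
    packed = base64.b64encode(gzip.compress(json.dumps(body).encode())).decode()
    return {"awslogs": {"data": packed}}


# Constructed flow-log lines (RFC 5737 test addresses): one SSH reject, one HTTPS
# accept, one RDP reject and one NODATA record.
SAMPLE_LINES = [
    "2 123456789012 eni-0a1b2c3d4e5f60001 198.51.100.7 10.0.1.15 51234 22 6 3 180 1511776800 1511776860 REJECT OK",
    "2 123456789012 eni-0a1b2c3d4e5f60001 203.0.113.9 10.0.1.15 40000 443 6 20 4000 1511776800 1511776860 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d4e5f60001 203.0.113.9 10.0.1.15 40001 3389 6 1 40 1511776800 1511776860 REJECT OK",
    "2 123456789012 eni-0a1b2c3d4e5f60001 - - - - - - - 1511776800 1511776860 - NODATA",
]

if __name__ == "__main__":
    print(lambda_handler(make_awslogs_event(SAMPLE_LINES), None))
```

Do as much filtering as possible in the subscription filter pattern itself (the space-delimited pattern syntax can match `action="REJECT"` before the function is invoked); the Lambda function then pays only for the events worth enriching, which is the cost argument behind the pattern.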
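Worked example for the remediation demo architecture (slide 38: Amazon CloudWatch -> Lambda function -> AWS APIs). This is an added example, not the session's demo: a CloudWatch Events rule matching "AWS API Call via CloudTrail" events invokes the function, which undoes a direct attachment of an over-privileged managed policy. The blocked-policy list, the approved principal (a break-glass or infrastructure-as-code role whose changes must not be reverted) and the sample event with its fictional account are assumptions; the lazy `boto3` import and injectable client keep the decision logic testable offline.

```python
import json

# Assumptions for this example: policies that must never be attached directly,
# and principals whose changes are trusted and must not be auto-reverted.
BLOCKED_POLICY_ARNS = {
    "arn:aws:iam::aws:policy/AdministratorAccess",
    "arn:aws:iam::aws:policy/IAMFullAccess",
}
APPROVED_PRINCIPAL_ARNS = {
    "arn:aws:sts::123456789012:assumed-role/iac-pipeline-role/terraform",
}

# eventName -> (IAM client method that undoes it, request-parameter key, boto3 kwarg)
UNDO = {
    "AttachUserPolicy":  ("detach_user_policy",  "userName",  "UserName"),
    "AttachRolePolicy":  ("detach_role_policy",  "roleName",  "RoleName"),
    "AttachGroupPolicy": ("detach_group_policy", "groupName", "GroupName"),
}


def plan_remediation(event):
    """Decide what to undo for one CloudTrail record delivered via CloudWatch Events.
    Returns None when nothing should happen, else a description of the API call."""
    detail = event.get("detail", {})
    name = detail.get("eventName")
    if name not in UNDO or "errorCode" in detail:   # a failed call changed nothing
        return None
    params = detail.get("requestParameters") or {}
    policy_arn = params.get("policyArn")
    if policy_arn not in BLOCKED_POLICY_ARNS:
        return None
    actor = detail.get("userIdentity", {}).get("arn", "")
    if actor in APPROVED_PRINCIPAL_ARNS:
        return None
    method, src_key, dst_key = UNDO[name]
    return {
        "method": method,
        "kwargs": {dst_key: params[src_key], "PolicyArn": policy_arn},
        "actor": actor,
        "source_ip": detail.get("sourceIPAddress"),
        "event_id": detail.get("eventID"),
    }


def remediate(event, iam_client):
    """Execute the plan against an IAM client (a boto3 client or a test double)."""
    plan = plan_remediation(event)
    if plan is None:
        return {"action": "none"}
    getattr(iam_client, plan["method"])(**plan["kwargs"])
    record = {"action": plan["method"], **plan["kwargs"],
              "actor": plan["actor"], "source_ip": plan["source_ip"],
              "event_id": plan["event_id"]}
    print(json.dumps(record))   # evidence line for the SOC / ticketing integration
    return record


def lambda_handler(event, context):
    import boto3   # imported lazily so plan_remediation runs without the SDK
    return remediate(event, boto3.client("iam"))


# Constructed CloudWatch Events payload wrapping a CloudTrail record (fictional account).
SAMPLE_EVENT = {
    "detail-type": "AWS API Call via CloudTrail",
    "source": "aws.iam",
    "detail": {
        "eventVersion": "1.05",
        "eventSource": "iam.amazonaws.com",
        "eventName": "AttachUserPolicy",
        "eventID": "3f1c9a2e-7b44-4e0d-9c6f-0f1e2d3c4b5a",
        "awsRegion": "us-east-1",
        "sourceIPAddress": "203.0.113.5",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"},
        "requestParameters": {"userName": "bob",
                              "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"},
        "responseElements": None,
    },
}


class RecordingIam:
    """Minimal stand-in for boto3's IAM client; records calls instead of making them."""
    def __init__(self):
        self.calls = []

    def detach_user_policy(self, **kw):
        self.calls.append(("detach_user_policy", kw))

    def detach_role_policy(self, **kw):
        self.calls.append(("detach_role_policy", kw))

    def detach_group_policy(self, **kw):
        self.calls.append(("detach_group_policy", kw))


if __name__ == "__main__":
    print(remediate(SAMPLE_EVENT, RecordingIam()))
```

The allow-list check is the step that keeps automated remediation from fighting your own tooling, and the `errorCode` check keeps it from "undoing" calls that were already denied; both belong in the plan step, where they can be unit-tested, not next to the API call.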
