
Towards Full Stack Security

A look at the various services and features you can employ, such as AWS Inspector, AWS Trusted Advisor, AWS Config and Config Rules, and CloudTrail.

  1. Towards Full Stack Security. Don Edwards, Solutions Architect, Security Specialist. © 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
  2. Amazon Inspector
     • Vulnerability assessment service
     • Built from the ground up to support DevSecOps
     • Automatable via APIs
     • Integrates with CI/CD tools
     • On-demand pricing model
     • Static & dynamic rules packages
     • Generates findings
  3. Traditional Security Processes (diagram: Asset Owner, Security Team, AppSec Eng; asset; scan for vulnerabilities)
  4. DevSecOps
     • It’s not about DevOps + Security
     • Not enough security professionals on the planet to do this
     • Security teams need their own automation to keep up with automated deployments!
     • Security as code
     • Seamless integration with CI/CD pipelines
     • Ability to scan and run test suites in parallel
     • Ability to automate remediation
     • Consumable by APN technology partners as microservices
     • www.devsecops.org
  5. Inspector Architecture
     • Assessment coordination
     • Evaluation engine
     • Agent installed on EC2 instances
  6. Supported Agent Operating Systems
     • Red Hat Enterprise Linux (6.5 or later)
     • CentOS (6.5 or later)
     • Ubuntu (12.04 LTS, 14.04 LTS or later)
     • Amazon Linux (2015.03 or later)
     • Microsoft Windows (2012 R2, 2008 R2) - Preview
     Linux Kernel Support
     • We get kernels at the same time you get them
     • It currently takes us 1-2 weeks for build, test & validation
     • We’re aiming for 1 day
     New Distributions
     • Takes a long time
  7. Amazon Inspector Rules Packages
     • Common Vulnerabilities & Exposures
     • CIS Operating System Security Configuration Benchmarks
     • Security Best Practices
     • Runtime Behavior Analysis
  8. Common Vulnerabilities & Exposures
     • Tagged list of publicly known info security issues
     • Vulnerabilities: a mistake in software that can be used to gain unauthorized system access
       • Execute commands as another user
       • Pose as another entity
       • Conduct a denial of service
     • Exposures: a mistake in software that allows access to information that can lead to unauthorized system access
       • Allows an attacker to hide activities
       • Enables information gathering activities
  9. CIS Security Configuration Benchmarks. What are they?
     • Security configuration guide
     • Consensus-based development process
     • PDF versions are free via CIS website
     Inspector automates scanning instances against the latest benchmark for that OS.
  10. What’s inside a Benchmark?
     • What you should do…
     • Why you should do it…
     • How to do it…
     • How to know if you did it… (this is what Inspector does for you now; more in future)
  11. Runtime Behavior Analysis
     • Package analyzes machine behavior during an assessment
       • Unused listening ports
       • Insecure client protocols
       • Root processes with insecure permissions
       • Insecure server protocols
     • Impacts the severity of static findings
  12. Pricing
     • Free trial: 250 agent-assessments for the first 90 days using the service
     • Based on agent-assessments
       • 1 assessment with 10 agents = 10 agent-assessments
       • 5 assessments with 2 agents = 10 agent-assessments
       • 10 assessments with 1 agent = 10 agent-assessments
     • 10 agent-assessments = $3.00
     Price per agent-assessment:
       First 250 agent-assessments: $0.30
       Next 750 agent-assessments: $0.25
       Next 4000 agent-assessments: $0.15
       Next 45,000 agent-assessments: $0.10
       All other agent-assessments: $0.05
  13. Regions Supported
     • GA: US West (Oregon), EU (Ireland), US East (Virginia), Asia Pacific (Tokyo)
     • July 2016 (deployed): Asia Pacific (Sydney), Asia Pacific (Seoul)
     • Fall 2016: Asia Pacific (India), Europe (London), Europe (Frankfurt)
  14. (slide contains only an image)
  15. Launch Partners
  16. AWS Config
     • Get inventory of AWS resources
     • Discover new and deleted resources
     • Record configuration changes continuously
     • Get notified when configurations change
  17. AWS Config (diagram: changing resources are recorded, normalized and delivered as a stream and snapshots (ex. 2014-11-05), and stored as history accessible through the AWS Config APIs)
  18. AWS Config – VPC Example
  19. AWS Config – VPC Example
  20. AWS Config Rules – Tenancy Enforcement Example
  21. AWS Config Rules – Tenancy Enforcement Example
  22. AWS Config Rules – Tenancy Enforcement Example
  23. Config Rules
     • Set up rules to check configuration changes recorded
     • Use pre-built rules provided by AWS
     • Author custom rules using AWS Lambda
     • Invoked automatically for continuous assessment
     • Use dashboard for visualizing compliance and identifying offending changes
  24. AWS Config & Config Rules (diagram: the same record, normalize, deliver and store pipeline as slide 17, with Rules evaluating the recorded configurations)
  25. Config Rule: a rule that checks the validity of configurations recorded
     • AWS managed rules: defined by AWS; require minimal (or no) configuration; rules are managed by AWS
     • Customer managed rules: authored by you using AWS Lambda; rules execute in your account; you maintain the rule
  26. Config Rules - Triggers
     • Triggered by changes: rules invoked when relevant resources change. Scoped by changes to:
       • Tag key/value
       • Resource types
       • Specific resource ID
       e.g. EBS volumes tagged “Production” should be attached to EC2 instances
     • Triggered periodically: rules invoked at specified frequency
       e.g. Account should have no more than 3 “PCI v3” EC2 instances; every 3 hrs
  27. Evaluations: the result of evaluating a Config rule against a resource
     • Report evaluation of {Rule, ResourceType, ResourceID} directly from the rule itself
  28. AWS managed rules
     1. All EC2 instances must be inside a VPC.
     2. All attached EBS volumes must be encrypted, with KMS ID.
     3. CloudTrail must be enabled, optionally with S3 bucket, SNS topic and CloudWatch Logs.
     4. All security groups in attached state should not have unrestricted access to port 22.
     5. All EIPs allocated for use in the VPC are attached to instances.
     6. All resources being monitored must be tagged with specified tag keys:values.
     7. All security groups in attached state should not have unrestricted access to these specific ports.
  29. Custom rules
     • Codify and automate your own practices
     • Get started with samples in AWS Lambda
     • Implement guidelines for security best practices and compliance
     • Use rules from different AWS Partners
     • View compliance in one dashboard
  30. Evidence for compliance. Many compliance audits require access to the state of your systems at arbitrary times (e.g., PCI, HIPAA). A complete inventory of all resources and their configuration attributes is available for any point in time.
  31. What resources exist? Discover resources that exist in your account, and discover resources that no longer exist in your account. A complete inventory of all resources and their configuration attributes is available via API and console.
  32. What changed? It is critical to be able to quickly answer, “What has changed?” You can quickly identify the recent configuration changes to your resources by using the console or by building custom integrations with the regularly exported resource history files.
  33. Supported resource types
     • Amazon EC2: EC2 Instance, EC2 Elastic IP (VPC only), EC2 Security Group, EC2 Network Interface
     • Amazon EBS: EBS Volume
     • Amazon VPC: VPCs, Network ACLs, Route Table, Subnet, VPN Connection, Internet Gateway, Customer Gateway, VPN Gateway
     • AWS CloudTrail: Trail
  34. AWS Trusted Advisor
  35. Trusted Advisor is a system that:
     • monitors AWS infrastructure services
     • identifies customer configurations
     • compares them to known best practices
     • identifies opportunities to save money, improve system performance and close security gaps
  36. Trusted Advisor
     • Over 2.6 million recommendations
     • More than $350M in estimated cost savings
     • Over 40 checks in 4 categories
     • Includes a Free Tier
  37. AWS Trusted Advisor. Leverage Trusted Advisor to analyze your AWS resources for best practices for availability, cost, performance and security.
  38. AWS security tools: What to use? AWS Security and Compliance: security of the cloud, and services and tools to aid security in the cloud.
     • Inspector: on-demand evaluations. Security insights into your application deployments running inside your EC2 instance.
     • Config Rules: continuous evaluations. Codified internal best practices, misconfigurations, security vulnerabilities, or actions on changes.
     • Trusted Advisor: periodic evaluations. Cost, performance, reliability, and security checks that apply broadly.
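A worked example of the customer-managed rule mechanics from the Config Rules slides (a rule authored in AWS Lambda, invoked by a configuration change, reporting a {Rule, ResourceType, ResourceID} evaluation back to Config), applied to the tenancy-enforcement scenario of slides 20-22. This is added example code, not code from the presentation or from AWS; the rule parameter name allowedTenancy, the sample configuration item and the result token are constructed assumptions, while the event layout and the PutEvaluations fields follow the AWS Config custom-rule interface.

```python
import json

# Constructed configuration item in the shape AWS Config hands to a rule.
SAMPLE_ITEM = {
    "resourceType": "AWS::EC2::Instance",
    "resourceId": "i-0123456789abcdef0",  # constructed, not a real instance
    "configurationItemStatus": "OK",
    "configurationItemCaptureTime": "2016-07-01T12:00:00.000Z",
    "configuration": {"placement": {"tenancy": "default"}},
}
SAMPLE_EVENT = {  # constructed change-triggered invocation of the rule
    "invokingEvent": json.dumps({"configurationItem": SAMPLE_ITEM}),
    "ruleParameters": json.dumps({"allowedTenancy": "dedicated"}),  # assumed parameter name
    "resultToken": "constructed-token",
}


def evaluate_tenancy(item, allowed_tenancy):
    """Return (ComplianceType, Annotation) for one recorded resource."""
    if item.get("resourceType") != "AWS::EC2::Instance":
        return "NOT_APPLICABLE", "Rule only evaluates EC2 instances"
    if item.get("configurationItemStatus", "").startswith("ResourceDeleted"):
        return "NOT_APPLICABLE", "Instance no longer exists"  # a deletion is not a violation
    tenancy = (item.get("configuration") or {}).get("placement", {}).get("tenancy")
    if tenancy == allowed_tenancy:
        return "COMPLIANT", "Tenancy is %s" % tenancy
    return "NON_COMPLIANT", "Tenancy is %r, expected %r" % (tenancy, allowed_tenancy)


def build_evaluation(item, compliance_type, annotation):
    """Shape the {Rule, ResourceType, ResourceID} result that PutEvaluations expects."""
    return {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": compliance_type,
        "Annotation": annotation[:256],  # Config limits annotations to 256 characters
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }


def lambda_handler(event, context=None, config_client=None):
    """Lambda entry point; config_client is injectable so the logic can run offline."""
    item = json.loads(event["invokingEvent"])["configurationItem"]
    params = json.loads(event.get("ruleParameters") or "{}")
    evaluation = build_evaluation(
        item, *evaluate_tenancy(item, params.get("allowedTenancy", "dedicated")))
    if config_client is None:
        import boto3  # only imported inside Lambda, where the SDK is available
        config_client = boto3.client("config")
    config_client.put_evaluations(Evaluations=[evaluation], ResultToken=event["resultToken"])
    return evaluation
```

Scoping the rule to the AWS::EC2::Instance resource type (slide 26) keeps Config from invoking it for unrelated changes; the NOT_APPLICABLE branches cover the cases that slip through.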
