The programmability of the cloud has revolutionized infrastructure deployments at scale and, at the same time, has enabled the automation of both the attack and defense of these deployments. In this talk, I will discuss the open-source tools and the techniques that my organization has used to scale security in the cloud to keep pace with our deployments. I’ll also cover how we’ve used automation to adapt security processes to cloud strategies such as immutable servers. Some topics include: temporal leasing of API access keys and database credentials, automation of patching groups and scans, and automated enforcement of configuration policy.
Since 1985, Direct Supply has been committed to enhancing the lives of seniors and those who care for them. We help Senior Living providers create amazing environments, improve care and outcomes, optimize building operations, streamline procurement and more.
-method=AWS for IAM auth
Note the filters and actions, taking a less heavy-handed approach where we can.
We’re using Custodian for lots more, including deregistering old AMIs, whitelisting AWS services, and adding a security group for patching to running EC2 instances… which leads me to...
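As an added illustration (not the talk's own policies) of the "filters and actions" approach just described, here is a Cloud Custodian policy set that marks and notifies before it stops anything, and attaches a patching security group to tagged running instances; the tag names, SQS queue URL and security-group ID are placeholders.

```yaml
# Added example, not from the talk: Custodian policies that warn before acting
# and that add a patching security group to tagged running instances.
# Tag names, the SQS queue URL and the security-group ID are placeholders.
policies:
  # Step 1: instances with no Owner tag are only marked and their owners notified.
  - name: ec2-missing-owner-mark
    resource: aws.ec2
    filters:
      - "tag:Owner": absent
      - "tag:c7n_status": absent        # skip instances already marked
    actions:
      - type: mark-for-op
        tag: c7n_status
        op: stop
        days: 7                          # grace period before any action
      - type: notify                     # delivered by c7n-mailer via SQS
        template: default
        subject: "EC2 instance missing Owner tag: will be stopped in 7 days"
        to: ["cloud-security@example.com"]
        transport:
          type: sqs
          queue: https://sqs.us-east-1.amazonaws.com/123456789012/c7n-notify  # placeholder

  # Step 2: stop only instances whose grace period has expired.
  - name: ec2-missing-owner-stop
    resource: aws.ec2
    filters:
      - "tag:Owner": absent
      - type: marked-for-op
        tag: c7n_status
        op: stop
    actions:
      - stop

  # Step 3: attach the patching security group to running instances that belong
  # to a patch group, leaving their existing security groups in place.
  - name: ec2-add-patching-sg
    resource: aws.ec2
    filters:
      - "State.Name": running
      - "tag:PatchGroup": present
    actions:
      - type: modify-security-groups
        add: sg-0123456789abcdef0        # placeholder: the patching security group
```

Run with `custodian run -s out policies.yml` (a `--dryrun` pass first shows which resources each filter matches without executing the actions).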
All driven by tags on the scanner and the instances.
pyTenable
The Tenable agent is baked into our base Linux/Windows cookbooks/images. Automation is, again, driven by tags. The relevant tags are included in a tagging module.
When given a new technology, developers will first look for examples to copy. We tried to ensure the first things they found were correct.
AWS Organizations, Control Tower
Scaling Security in the Cloud With Open Source
Cloud Village @ DEF CON 27
Technical Fellow / Chief Software Architect
Our Cloud Vision and Strategy
Infrastructure as Code
Secure by Default
Platform as a Service
No automation
A few scripts
DevOps / Continuous
What went not so well...
● Lots of work before Custodian deployed
● Teams started rolling their own sans modules
● Our integration with a cloud consultancy is preventing us from taking advantage of some newer features