3. Risk-based Security
• Risk-based approach
  • What is being protected and why?
  • What level of controls are required to protect the asset?
  • How are controls tested? How often?
• Asset identification and data classification must be completed first
• Perform a risk assessment to get a clear understanding of the risks and weaknesses in your environment
4. Design Principles
• AWS security design principles
  • Implement a strong identity foundation
  • Enable traceability
  • Apply security at all layers
  • Automate security best practices
  • Protect data in transit and at rest
  • Keep people away from data
  • Prepare for security events
5. Automation
• The AWS Well-Architected Framework Security Pillar states:
  “Automated, software-based security mechanisms improve your ability to securely scale more rapidly and cost effectively. Create secure architectures, including the implementation of controls that are defined and managed as code, in version-controlled templates.”
• Shift from a detective to a preventive control model that remediates problems proactively
6. Event Driven Architecture Overview
• Use events (a change in state) to trigger other services
• Three components
  • Event producers (publisher)
  • Event routers (filter)
  • Event consumers (end service/function)
• Automation reduces the number of manual processes, which reduces risk
7. Demo 1 – New User and EC2 Notification
Baseline, repeatable build
1. Create trail in CloudTrail
   a. Configure CloudWatch Logs in trail
2. Configure SNS
   a. Create topic and subscription; confirm email address
8. Demo 1 – New User and EC2 Notification
With baseline CloudTrail trail configured, add events
1. Configure CloudWatch Events
   a. Configure rule
   b. IAM: “CreateUser” (CloudTrail API generated)
   c. EC2: Select “Stopped” (built-in)
2. Others based on risk profile and controls needed
3. Test
9. Demo 2 – Re-Enable CloudTrail Logging
With baseline CloudTrail trail configured, add event-driven functions
1. Configure custom role in IAM
   a. Create custom role
   b. Policies: CloudWatch Logs (CreateLogGroup, CreateLogStream, PutLogEvents) and AWSCloudTrailFullAccess
2. Create function in Lambda
   a. Use custom role
   b. Add Python code that evaluates the logging status and re-enables logging
3. Configure CloudWatch Events rule
   a. CloudTrail “StopLogging” event
   b. Lambda function
   c. SNS topic
4. Test
10. Demo 3 – Enforce S3 Bucket Encryption
With baseline CloudTrail trail configured, add event-driven functions
1. Configure custom Lambda role in IAM
2. Create function in Lambda
   a. Use custom role
   b. Add Python code that evaluates the bucket setting and re-enables default encryption
   c. Set up trigger for CloudWatch Events
3. Configure CloudWatch Events rule
   a. Lambda function
   b. SNS topic
4. Test
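The Lambda code that Demo 2 and Demo 3 leave as "add Python code" can share one handler, shown here as an added example (not the deck's own demo code). It assumes the CloudWatch Events rule forwards the CloudTrail API-call event (StopLogging or DeleteBucketEncryption) to the function; the trail ARN and bucket name in the sample event are constructed placeholders.

```python
import json

# Constructed sample: the shape CloudWatch Events delivers for Demo 2's rule.
SAMPLE_STOP_LOGGING = {
    "detail-type": "AWS API Call via CloudTrail", "source": "aws.cloudtrail",
    "detail": {"eventName": "StopLogging",
               "eventSource": "cloudtrail.amazonaws.com",
               "requestParameters": {"name":
                   "arn:aws:cloudtrail:us-east-1:123456789012:trail/baseline-trail"}}}

# Default encryption to restore in Demo 3 (SSE-S3); swap in a KMS key if required.
SSE_RULE = {"Rules": [{"ApplyServerSideEncryptionByDefault":
                       {"SSEAlgorithm": "AES256"}}]}

def plan_remediation(event):
    """Pure decision step: map an event to (action, target), or None when
    there is nothing to undo (unknown event, or the API call itself failed)."""
    detail = event.get("detail") or {}
    params = detail.get("requestParameters") or {}
    if detail.get("errorCode"):            # a denied call changed nothing
        return None
    name = detail.get("eventName")
    if name == "StopLogging" and params.get("name"):
        return ("start_logging", params["name"])                # Demo 2
    if name == "DeleteBucketEncryption" and params.get("bucketName"):
        return ("put_bucket_encryption", params["bucketName"])  # Demo 3
    return None

def remediate(plan, cloudtrail, s3):
    """Evaluate the current setting, then restore it. The boto3 clients are
    passed in so the logic can be exercised with fakes; returns what was done."""
    action, target = plan
    if action == "start_logging":
        if cloudtrail.get_trail_status(Name=target)["IsLogging"]:
            return "already-logging"       # someone re-enabled it before we ran
        cloudtrail.start_logging(Name=target)
        return "logging-restored"
    if action == "put_bucket_encryption":
        s3.put_bucket_encryption(Bucket=target,
                                 ServerSideEncryptionConfiguration=SSE_RULE)
        return "encryption-restored"
    raise ValueError("unknown action: %s" % action)

def lambda_handler(event, context):
    """Lambda entry point. boto3 is imported here so the module loads without
    the AWS SDK; the execution role needs cloudtrail:StartLogging and
    s3:PutEncryptionConfiguration in addition to the log permissions."""
    plan = plan_remediation(event)
    if plan is None:
        return {"result": "ignored"}
    import boto3
    result = remediate(plan, boto3.client("cloudtrail"), boto3.client("s3"))
    print(json.dumps({"target": plan[1], "result": result}))  # lands in CloudWatch Logs
    return {"result": result}
```

Because the SNS topic is a second target of the same rule, the notification goes out regardless of whether the function succeeded, so check the function's CloudWatch Logs entry during step 4.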
11. AWS Security Certification Info
• AWS Well-Architected Framework – Security Pillar
• AWS Security Best Practices
• AWS Best Practices for DDoS Resiliency
• Security at Scale: Logging in AWS
• AWS Key Management Service Best Practices
• AWS Key Management Service Cryptographic Details
12. AWS Security Certification Info
• Developer Guides
  • AWS Config
  • AWS CloudTrail
  • Amazon CloudWatch
  • Amazon CloudWatch Events
  • Amazon CloudWatch Logs
  • IAM
  • KMS
  • Organizations
  • S3
  • VPC
• Videos
  • re:Invent presentations on YouTube
  • Become an IAM Policy Master in 60 Minutes or Less – Brigid Johnson
  • Deep Dive into AWS Encryption Services – Ken Beer
• FAQs
  • IAM
  • KMS
13. Helpful Links
• Open Guide to AWS
  • https://github.com/open-guides/og-aws
• AWS docs
  • https://docs.aws.amazon.com/
• AWS architecture center
  • https://aws.amazon.com/architecture
• AWS console
  • https://console.aws.amazon.com
• Lab it up!