The document summarizes an AWS user group meetup happening on November 7th, 2018. It includes an agenda with three presentations on AWS Secrets Manager, AI driven cloud security, and best practices for cloud management. There will be pizza and drinks during a break between the first two presentations. The event is sponsored by PolarSeven, Palo Alto Networks, and CloudHealth.

1. November 7th 2018
#74PRESENTS

2. Sponsors

3. What’s On Tonight
6:00 pm
1. PolarSeven
“AWS Secrets Manager” - Kishore Pandian
6:20 pm
2. Palo Alto Networks
“AI Driven Cloud Security” - Craig Dent
6:40 pm
Break
Have some pizza & beer, on us!
7:20 pm
3. CloudHealth
“Best Practices for Cloud Management” - Nick Cannone
7:40 pm Networking

4. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Sydney Nov 20 &Melbourne Nov 21, AWS Offices
• AWS TechShift - exclusive event for software companies, independent
software vendors (ISVs), application developers and SaaS businesses
• Over 14 Business & Technical sessions – Learn how to improve the way
you build and deliver software for global success
• Guest Speakers: TechnologyOne, SafetyCulture, Atlassian
• Network, visit AWS booths & have the opportunity to win an Amazon
Echo, AWS DeepLens, AWS credits & more….
REGISTER TODAY!
https://aws.amazon.com/events/techshift/australia/

5. Presentation 1
Kishore Pandian
Cloud Consultant
“AWS Secrets Manager”

6. Intro
Kishore Pandian
Cloud Engineer
“AWS Secrets Manager”

7. Secrets Manager
What is a Secret?
● Passwords
● Encryption keys
● SSH Keys
● Access and Secret Access key ID
● Any data you want to be secret..

8. Secrets Manager
Challenges with traditional method
● Available solution too complex and expensive
● Unreliable rotation leading to outages
● Too many users with unnecessary access to
secrets

9. Secrets Manager
Key Features
● Rotate Secrets safely: Built in for RDS, Extensible
with lambda, has versioning for roll back
● Fine-grained IAM policies
● Encrypted by default
● Pay as you go

10. Secrets Manager
AWS Secrets manager allows customers to rotate,
manage, retrieve database credentials,API keys and
other secrets throughout the lifecycle
● IT Admins: Store and manage secrets securely and
at scale
● Security Admins: Audit and monitor the use of
secrets and rotate secrets
● Developers: Avoid credentials in the application

11. Secrets Manager

12. Demo
Demo:
Store and retrieve an SSH key

13. Secrets Manager
Use-case
Connect to database from application code
● DBA loads application specific credentials to secrets
manager
● DevOps engineer deploys application with an IAM role
● Application bootstrapping retrieves secret from secrets
manger and connects to the database

14. Workflow

15. Access Control
● IAM Policies using Resource names
● IAM Policies using Tags

16. Access control
IAM using Resource name

17. Access control
IAM using Tags

18. Audit using Cloudtrail

19. Pricing
PER SECRET PER MONTH
● $0.40 per secret per month. For secrets that are stored
for less than a month, the price is prorated (based on the
number of hours.)
PER 10,000 API CALLS
● $0.05 per 10,000 API calls.

20. Pricing
Monthly Cost
$6.00 :
15 secrets (2 SSH keys * 1 load balancer + 2 SSH keys * 2 web
servers + 2 SSH keys * 2 app servers + 5 database credentials
* 1 database) @ $0.40 / secret / month
$0.02 :
4,040 API calls (2 SSH keys/server * 5 servers * 1 API call/day * 30 days
+ 5 database credentials * 1 database * 24 API calls/day * 30 days
+ 5 database credentials * 1 database * 7 API calls/week * 4 weeks)
@ $0.05/10,000 calls
$6.02 Total (per month)

21. As you get started
Things to keep in mind
● No plain text secrets
● Unique secrets per region, per environment, per account
● Rotate secrets regularly
● Control permissions
● Monitor and audit use, Delete unused secrets
● No charges for versioning of a secret, no charge for default encryption

22. Contact Us
hello@polarseven.com

23. Presentation 2
Craig Dent
Consulting Engineer
“AI Driven Cloud Security”

24. AI Driven Cloud Security
for AWS Meetup
Craig Dent
Systems Engineer Specialist

25. Security in Public Cloud is a Shared Responsibility
2 | © 2018, Palo Alto Networks. All Rights Reserved.
The Shared Responsibility Model
Hubs
Switches
Routers
Hypervisor
Data Center
Responsible
for security “of”
the cloud
Cloud Service Provider
Resource Configurations
Users & Credentials
Networks
Hosts & Containers
Data Security
Responsible
for security “in”
the cloud
Organization

26. The Problems We Can Help You Solve
3 | © 2016, Palo Alto Networks. Confidential and Proprietary.
Network
Security
Real-time network visibility and incident investigations
Suspicious/malicious traffic detection
Virtual firewall for in-line protection
Data Security
Users &
Credentials
Account & access key compromise detection
Anomalous insider activity detection
Privileged activity monitoring
Configurations /
Control Plane
Compliance scanning (CIS, PCI, GDPR, etc.)
Storage, snapshots, & image configuration monitoring
VPC, security groups & firewall configuration monitoring
IAM configuration monitoring
Hosts &
Containers
Runtime security
Configuration monitoring (for cloud native)
Vulnerable image detection
Visibility,Detection&Response DLP / Storage scanning

27. Advanced API-Based Offering
4 | © 2016, Palo Alto Networks. Confidential and Proprietary.
APIs
Resource
Configurations
User
Activity
Network
Traffic
Host Activity &
Vulnerabilities
THIRD PARTY FEEDS
APIs
COLLECTION, AGGREGATION & NORMALIZATION SERVICE
DETECTIONSignature Based ML Assisted
Cloud CMDB
Compliance
Reporting
Threat Detection
& Response
3rd Party AppsStorage DLP
Scanning

28. Use Cases

29. UEBA Example
6 | © 2018, Palo Alto Networks. All Rights Reserved.
Developer
accidentally leaks
cloud access keys on
GitHub.
Hacker attempts to
log in and steal data
from the cloud
account.
RedLock detects key
usage from an unusual
location, performing
unusual activities.
RedLock alerts the
SOC team and also
provides full history of
all activities
associated with this
key.

30. User & Entity Behavior Monitoring (UEBA)
7 | © 2018 Palo Alto Networks, Inc. All Rights Reserved.
App Servers
Cloud Configuration
settings RedLock CSP
admin baseline
(modelling) DB
CSP audit
trail logs
RedLock alerting and analytics
Unusual admin
activity / location
CI/CD pipeline
tools / automation
CSP admins

31. Network Monitoring Example
8 | © 2018, Palo Alto Networks. All Rights Reserved.
User creates a
security group but
leaves it open.
RedLock discovers it, sees it is associated with a VM running
MongoDB, and then determines the database is receiving
internet traffic coming from a known malicious IP address.
RedLock
automatically moves
the database to a
private security group
to remediate risk.

32. Network Monitoring & Analytics
9 | © 2018 Palo Alto Networks, Inc. All Rights Reserved.
App Servers
Malicious users
Misconfigured
App Servers
CSP
Flow
Logs
RedLock alerting and analytics
End users

33. Configuration Monitoring
10 | © 2018 Palo Alto Networks, Inc. All Rights Reserved.
End users
App Servers
Cloud Configuration
settings
CI/CD pipeline
tools / automation
Un-authorized change
Authorized change
RedLock alerting, analytics & remediation
Non CI/CD
pipeline user

34. RedLock Query Language (RQL)
11 | © 2018 Palo Alto Networks, Inc. All Rights Reserved.
Find all EC2 instances with a public IP address
Find all DB instances receiving traffic from public IP addresses
Find suspicious user activities in the last 30 days
Find VM’s with no tags
Find VPCs with internet Gateway attached
Find changes done by non-authorized pipeline user.
Find public exposed storage buckets
Identify application workloads receiving traffic from suspicious
IP addresses.
RQL examples
Question
Answer

35. Break & Networking
• Refresh your drink
• Grab some pizza
• Make new contacts
• Enter the prize draw!

36. Presentation 3
Nick Cannone
“Best Practices for Cloud Management”

37. Best Practices for Cloud
Management
Developing a mature Cloud Operations Framework
Nick Cannone

38. 2 © 2018 CLOUDHEALTH®
TECHNOLOGIES INC.
The Leader in Multicloud Management
Enterprise scale & global presence
GLOBAL OFFICES
HQ: Boston, MA
SAN FRANCISCO
SYDNEY
AMSTERDAM
LONDON
TEL AVIV
SINGAPORE
PARIS
FORRESTER CLOUD COST MONITORING & OPTIMIZATION WAVE
LEADER
VMWARE + CHT: FORRESTER HYBRID CLOUD MANAGEMENT WAVE
LEADER / STRONG PERFORMER
VMWARE ANNOUCES CH ACQUISITION
AUG. 27, 2018
“We will make
CloudHealth the
cloud operations
platform of choice
for the industry.”
- Pat Gelsinger, CEO VMware
ANNUAL CLOUD SPEND MANAGED
$5B+
DAILY ASSETS MANAGED
1.8B
MONTHLY AVERAGE SAVINGS
25%+
DAILY REPORTS GENERATED
14K
CUSTOMERS | PARTNERS
3,800+ | 150+

39. 3 © 2018 CLOUDHEALTH®
TECHNOLOGIES INC.
Driving increased value at each stage of the your customer’s cloud adoption journey.
Your Business Partner for Customer Success
Support business KPIs
Increase ROI
Facilitate stakeholder collaboration
Drive continuous optimization
Deliver enterprise-class,
Cloud Financial showback Increase predictability & improve TCO

40. 4 © 2017 CLOUDHEALTH®
TECHNOLOGIES I NC.
When initially embarking on the journey of
developing mature cloud operations you start
with the basics of Cost & Visibility:
• Accurately allocate costs & find unused
resources (Zombie infrastructure)
• Before you can worry about anything else
you need to know what you have, where
it came from and if it’s actually being
used
• This could be tying costs back to a
project, business unit, or the team that
spun that resource up
Stage 1 - Beginning the Journey

41. 5 © 2017 CLOUDHEALTH®
TECHNOLOGIES I NC.
Now that we know where the resources came
from, and allocate costs back we can look at
the next stage encompassing two areas:
• Cost and Visibility:
• Optimize costs & Infrastructure
-
• Security Compliance:
• We’ve addressed misconfiguration of
Infrastructure; what about security
Stage 2 - Establishing Cloud Operations

42. 6 © 2017 CLOUDHEALTH®
TECHNOLOGIES I NC.
Scalability of best practices:
• Cost & Visibility
• Giving responsibility back to the teams
-
• Security Compliance
• Different environments/applications
have different requirements
-
• Governance
• Proactive, not reactive
Stage 3 - Developing a Framework

43. 7 © 2017 CLOUDHEALTH®
TECHNOLOGIES I NC.
These final stages are typically seen only
amongst the most advanced users globally
• Cost & Visibility
• Business wide strategy
-
• Security Compliance
• Automated remediation
-
• Governance
• Cloud Center of Excellence
-
• Service Integration
• KPIs
Stage 4 - Mastery of Best Practices

44. 8 © 2017 CLOUDHEALTH®
TECHNOLOGIES I NC.

45. Thank you!

46. Draw Prize
This weeks winner is :

47. Thanks For Coming
Join Us Next Month for our final Meetup of 2018!
We will be hosting an open panel night, with speakers from our sponsors,
amazon and more.
Be sure to come along!
>> Register @ http://www.meetup.com/AWS-Sydney/ <<