Jason Chan presented on adapting security practices for modern cloud-native software environments. He discussed how Netflix leverages AWS services like IAM, security groups, and CloudTrail to securely manage access, inventory assets, and monitor configuration changes at scale. Chan also emphasized the importance of visibility through discovery, risk prioritization, and multi-layer security testing integrated into the development pipeline. Monitoring configurations and detecting anomalies was highlighted as important for cloud security.

1. Cloud&Security&@&Ne0lix
Adap%ng(Security(for(Modern(So4ware
Jason&Chan
chan@ne'lix.com.:.@chanjbs
Sea$le&AWS&Architects&&&Engineers

3. Me
Current:(Ne*lix(Security
Product,)app,)ops,)infra,)corp,)fraud,)privacy,)abuse,)IR
Previous:
Infosec(@(VMware,(consul2ng:(@stake,(iSEC(Partners

6. 14m$users$in$1+$year

7. 14m$users$in$1+$year
150m%photos

8. 14m$users$in$1+$year
150m%photos
3"engineers

9. 14m$users$in$1+$year
150m%photos
3"engineers
$1B$acquisi+on$by$FB

11. So#.#.#.

12. idea%+%cloud%=%profit!

15. So#.#.#.

17. Goal:&Cloud&&&AWS&benefits,&securely

18. Typically,)how)do)you:

19. Create&a&user&account

20. Create&a&user&account
Inventory)your)systems

21. Create&a&user&account
Inventory)your)systems
Update'a'firewall'config

22. Create&a&user&account
Inventory)your)systems
Update'a'firewall'config
Make%a%forensic%image

23. Create&a&user&account
Inventory)your)systems
Update'a'firewall'config
Make%a%forensic%image
Disable(a(MFA(token

24. In#AWS#.#.#.

25. CreateUser()
DescribeInstances()
AuthorizeSecurityGroupIngress()
CreateSnapshot()
Deac%vateMFADevice()

29. So#ware,)now

30. Agile

31. Microservices

32. Immutable)
Infrastructure

33. DevOps/NoOps

34. So#.#.#.#what#about#security?

41. Visibility
Knowing'the'Environment

43. Discover

44. Discover
Inventory

45. Discover
Inventory
Test

46. Discover
Inventory
Test
Report

48. Open%ELB%Example
1. Dump'list'of'ELBs'with'listeners
2. Connect'to'ELBs'from'arbitrary'Internet'IP
3. Evaluate'status'code'(200/300'or'403)
4. Compare'results'against'expected
5. Fix'anomalies,'educate'engineers,'and'update'expected'(manual)'

49. Knowing'the'Environment'/'Takeaways
Tailor'discovery'to'rate'of'change
Think&about&normaliza0on&of&discovery&data

50. Visibility
Risk%Priori)za)on

52. Connec&vity+
Analysis+via+Ne1lix+
OSS

56. Risk%Priori)za)on%-%Takeaways
What%is%measurable?%(objec3vely)
Use$as$an$input,$not$law

57. Visibility
Mul$%Layer+Security+Tes$ng

58. Deconstruc*ng,security,tes*ng

61. Ne#lix'Deployment'Pipeline

63. Integrated)tes+ng)for)CI/CD

66. Mul$%Layer+Security+Tes$ng+%+Takeaways
What%conversa-ons%can%you%avoid?
Is#there#a#pyramid#you#can#leverage?

67. Visibility
Configura)on*Monitoring

69. AWS$Op'ons

70. Bill$as$IDS
AWS$Billing$Alerts

72. CloudTrail
Logging&of&API&calls

74. {
"Records": [{
"eventVersion": "1.0",
"userIdentity": {
"type": "IAMUser",
"principalId": "EX_PRINCIPAL_ID",
"arn": "arn:aws:iam::123456789012:user/Alice",
"accessKeyId": "EXAMPLE_KEY_ID",
"accountId": "123456789012",
"userName": "Alice"
},
"eventTime": "2014-03-06T21:22:54Z",
"eventSource": "ec2.amazonaws.com",
"eventName": "StartInstances",
"awsRegion": "us-west-2",
"sourceIPAddress": "205.251.233.176",
"userAgent": "ec2-api-tools 1.6.12.2",
"requestParameters": {
"instancesSet": {
"items": [{
"instanceId": "i-ebeaf9e2"
}]
}
},

75. "responseElements": {
"instancesSet": {
"items": [{
"instanceId": "i-ebeaf9e2",
"currentState": {
"code": 0,
"name": "pending"
},
"previousState": {
"code": 80,
"name": "stopped"
}
}]
}
}
},
... additional entries ...
]
}

76. Trusted(Advisor
Checks'config'vs.'best'prac3ces

79. Shameless(Plug(Sec-on(of(the(Talk

80. Edda
AWS$config$history

81. What%instance%has%a%given%public%IP?
$ curl "http://edda/api/v2/view/instances;publicIpAddress=1.2.3.4;_since=0"
["i-0123456789","i-012345678a","i-012345678b"]

82. What%is%the%most%recent%change%to%a%security%
group?
$ curl "http://edda/api/v2/aws/securityGroups/sg-0123456789;_diff;_all;_limit=2"

83. $ curl "http://edda/api/v2/aws/securityGroups/sg-0123456789;_diff;_all;_limit=2"
--- /api/v2/aws.securityGroups/sg-0123456789;_pp;_at=1351040779810
+++ /api/v2/aws.securityGroups/sg-0123456789;_pp;_at=1351044093504
@@ -1,33 +1,33 @@
{
"class" : "com.amazonaws.services.ec2.model.SecurityGroup",
"description" : "App1",
"groupId" : "sg-0123456789",
"groupName" : "app1-frontend",
"ipPermissions" : [
{
"class" : "com.amazonaws.services.ec2.model.IpPermission",
"fromPort" : 80,
"ipProtocol" : "tcp",
"ipRanges" : [
"10.10.1.1/32",
"10.10.1.2/32",
+ "10.10.1.3/32",
- "10.10.1.4/32"
],
"toPort" : 80,
"userIdGroupPairs" : [ ]
}
],
"ipPermissionsEgress" : [ ],
"ownerId" : "2345678912345",
"tags" : [ ],
"vpcId" : null
}

84. Security)Monkey

86. Configura)on*Monitoring*.*Takeaways
Config&changes&have&a&con-nuum&of&safety
Find%ways%to%observe%and%differen1ate

87. Conclusions

91. AWS$Security$Resources
h"p://&ny.cc/awssecurity

92. Thank&you!
chan@ne'lix.com.:.@chanjbs