© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark
Raisa Hashem
Easily Transform Compliance to Code
using AWS Config, Config Rules, and the
Rules Development Kit
August 2018
Key Takeaways
• Learn AWS Config and Config Rules Concepts
• Understand best practice and concepts on Behaviour Driven Development
for config rules
• Learn to develop lambda functions for config rules in python using the
Rules Development Kit (RDK)
• Discover how to securely set up your environment for deployments
Traditional Compliance vs Continuous Compliance

Traditional Compliance:
• Get-ready-for-the-audit mindset
• Time-consuming for everyone
• Expertise is not given to all

Continuous Compliance:
• Part of day-to-day
• Focus time and resources on value
• Scale consistently to all workloads
Compliance-as-Code
Introduction to AWS Config and Config Rules
AWS Config Concepts
AWS Config records the configuration of supported resources (EC2, CloudTrail, S3 and others: 22 services, 60+ resource types at the time of the talk):
• Configuration Recorder: captures a Configuration Item for each supported resource, and a new one on every change.
• Delivery Channel: delivers Configuration Snapshots (and the configuration history) to the S3 bucket and SNS topic you configure.

AWS Config Rules
Rules evaluate the recorded Configuration Items. Each rule is scoped to a resource type, for example:
• Rule 1 on AWS::CloudTrail::Trail
• Rule 2 on AWS::S3::Bucket
• Rule 3 on AWS::EC2::InternetGateway
Managed Rules: 60+ out-of-the-box rules maintained by AWS; Custom Rules are backed by your own Lambda functions.
Rules Receive Configuration Item in JSON
A Configuration Item carries metadata and common attributes (version, capture time, status, resourceId, ARN, account, resource type), the relationships to other resources, the related CloudTrail events, and the current configuration of the resource as returned by its service API. The example below is an EC2 volume; elided values are as on the slide.

{
  "configurationItemVersion": "1.0",
  "configurationItemCaptureTime": "2017…",
  "configurationStateId": "…",
  "configurationItemStatus": "OK",
  "resourceId": "vol-ce676ccc",
  "arn": "arn:aws:us-west-………",
  "accountId": "123456789012",
  "availabilityZone": "us-west-2b",
  "resourceType": "AWS::EC2::Volume",
  "resourceCreationTime": "2014-02..",
  "tags": {},
  "relationships": [
    {
      "resourceId": "i-344c463d",
      "resourceType": "AWS::EC2::Instance",
      "name": "Attached to Instance"
    }
  ],
  "relatedEvents": [
    "06c12a39-eb35-11de-ae07-db69edbb1e4"
  ],
  "configuration": {
    "volumeId": "vol-ce676ccc",
    "size": 1,
    "snapshotId": "",
    "availabilityZone": "us-west-2b",
    "state": "in-use",
    "createTime": "2017-02-……",
    "attachments": [
      {
        "volumeId": "vol-ce676ccc",
        "instanceId": "i-344c463d",
        "device": "/dev/sdf",
        "state": "attached",
        "attachTime": "2014-03-",
        "deleteOnTermination": false
      }
    ],
    "tags": [
      {
        "tagName": "environment",
        "tagValue": "PROD"
      }
    ],
    "volumeType": "standard"
  }
}
Compliance-as-Code using Config Rules
AWS Config evaluates resources with Managed Rules and Custom Rules. Each custom rule is backed by one Lambda function.

Change triggers: when a tracked resource changes, AWS Config sends the resource's configuration item to the rule (snapshot coverage: 22 services, 60+ resource types).
Time triggers: the rule runs on a schedule and no configuration item is sent; the Lambda function has to look up the resources it wants to evaluate itself.

For each run, AWS Config:
• sends the configuration item (change trigger only)
• sends the rule parameters
The Lambda function then:
• reads additional configuration(s) via describe() calls to the service APIs (the configuration item rarely carries everything a check needs)
• reports the result via PutEvaluations()
Lambda Event Provided by Config Rules
{
"invokingEvent": {
"configurationItem": {
"configurationItemCaptureTime": "2016-02-17T01:36:34.043Z",
"awsAccountId": "123456789012",
"configurationItemStatus": "OK",
…
},
"messageType": "ConfigurationItemChangeNotification"
},
"ruleParameters": {
"myParameterKey1": "myParameterValue1",
"myParameterKey2": "myParameterValue2"
},
"resultToken": "myResultToken",
"eventLeftScope": false,
"executionRoleArn": "arn:aws:iam::123456789012:role/config-role",
"configRuleArn": "arn:aws:config:us-east-2:123456789012:config-rule/config-rule-0123456",
"configRuleName": "change-triggered-config-rule",
"configRuleId": "config-rule-0123456",
"accountId": "123456789012",
"version": "1.0"
}
Choosing the right trigger(s)

Use Case                                                  Recommendation
AWS Config is tracking this resource type.                Configuration change
AWS Config is not tracking this resource.                 Periodic
AWS Config is tracking this resource, and time matters.   Configuration change and Periodic
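The handler side of this contract, as an added example that is not code from the deck or from the RDK template: it parses the event shown above, routes change-triggered and scheduled invocations differently, reports a resource that was deleted or left the rule's scope as NOT_APPLICABLE, and batches PutEvaluations in chunks of 100 (the API's per-call limit). The Config client is injected so the code runs offline; the function names, the stand-in rule logic, the user IDs and the events are made up for the example.

```python
import json

PUT_EVALUATIONS_BATCH = 100   # PutEvaluations takes at most 100 evaluations per call
GONE = ("ResourceDeleted", "ResourceDeletedNotRecorded", "ResourceNotRecorded")
WHITELIST_PARAM = "WhitelistedUserList"


def build_evaluation(resource_type, resource_id, compliance, ordering_timestamp, annotation=None):
    """One entry of the Evaluations list passed to PutEvaluations."""
    evaluation = {
        "ComplianceResourceType": resource_type,
        "ComplianceResourceId": resource_id,
        "ComplianceType": compliance,              # COMPLIANT | NON_COMPLIANT | NOT_APPLICABLE
        "OrderingTimestamp": ordering_timestamp,   # capture time or notification time
    }
    if annotation:
        evaluation["Annotation"] = annotation[:256]   # Annotation is capped at 256 characters
    return evaluation


def evaluations_for(event, evaluate_item, evaluate_periodic):
    """Route one invocation by messageType and return the list of evaluations."""
    invoking = json.loads(event["invokingEvent"])          # a JSON string, not a dict
    params = json.loads(event.get("ruleParameters") or "{}")
    message_type = invoking["messageType"]
    if message_type == "ConfigurationItemChangeNotification":
        item = invoking["configurationItem"]
        capture_time = item["configurationItemCaptureTime"]
        # A deleted resource, or one that no longer matches the rule scope, is reported
        # NOT_APPLICABLE so Config retires its previous compliance result.
        if event.get("eventLeftScope") or item["configurationItemStatus"] in GONE:
            return [build_evaluation(item["resourceType"], item["resourceId"],
                                     "NOT_APPLICABLE", capture_time, "Resource left rule scope")]
        return [evaluate_item(item, params, capture_time)]
    if message_type == "ScheduledNotification":
        # Periodic trigger: no configuration item, the rule enumerates resources itself.
        return evaluate_periodic(params, invoking["notificationCreationTime"])
    # Oversized change notifications carry only a summary and need GetResourceConfigHistory.
    raise ValueError("unsupported messageType: %s" % message_type)


def report(config_client, event, evaluations):
    """PutEvaluations in batches of 100 with the invocation's resultToken; returns call count."""
    calls = 0
    for start in range(0, len(evaluations), PUT_EVALUATIONS_BATCH):
        config_client.put_evaluations(Evaluations=evaluations[start:start + PUT_EVALUATIONS_BATCH],
                                      ResultToken=event["resultToken"])
        calls += 1
    return calls


# --- hypothetical rule logic and constructed sample data (not from the deck) ---------

def mfa_item_evaluator(item, params, capture_time):
    """Stand-in for the IAM MFA check: only the whitelist parameter is consulted."""
    allowed = {u.strip() for u in params.get(WHITELIST_PARAM, "").split(",") if u.strip()}
    if item["resourceId"] in allowed:
        return build_evaluation(item["resourceType"], item["resourceId"], "COMPLIANT",
                                capture_time, "User is whitelisted")
    return build_evaluation(item["resourceType"], item["resourceId"], "NON_COMPLIANT",
                            capture_time, "No MFA Device detected")


def periodic_evaluator(params, timestamp, user_count=250):
    """Constructed periodic result: enough users to exercise the batching."""
    return [build_evaluation("AWS::IAM::User", "AIDAEXAMPLE%012d" % i, "COMPLIANT", timestamp)
            for i in range(user_count)]


class FakeConfigClient:
    """Records put_evaluations calls instead of talking to AWS."""
    def __init__(self):
        self.calls = []

    def put_evaluations(self, Evaluations, ResultToken):
        assert len(Evaluations) <= PUT_EVALUATIONS_BATCH
        self.calls.append((ResultToken, len(Evaluations)))
        return {"FailedEvaluations": []}


def change_event(status="OK", left_scope=False, user_id="AIDAEXAMPLEUSER00001"):
    """Constructed event in the shape shown on the slide above."""
    invoking = {"messageType": "ConfigurationItemChangeNotification",
                "configurationItem": {"configurationItemCaptureTime": "2016-02-17T01:36:34.043Z",
                                      "awsAccountId": "123456789012",
                                      "configurationItemStatus": status,
                                      "resourceType": "AWS::IAM::User",
                                      "resourceId": user_id}}
    return {"invokingEvent": json.dumps(invoking),
            "ruleParameters": json.dumps({WHITELIST_PARAM: "AIDAEXAMPLEUSER00009, AIDAEXAMPLEUSER00001"}),
            "resultToken": "myResultToken", "eventLeftScope": left_scope,
            "configRuleName": "change-triggered-config-rule", "accountId": "123456789012"}


def scheduled_event():
    invoking = {"messageType": "ScheduledNotification", "awsAccountId": "123456789012",
                "notificationCreationTime": "2016-02-17T01:36:34.043Z"}
    return {"invokingEvent": json.dumps(invoking), "ruleParameters": "{}",
            "resultToken": "myResultToken", "eventLeftScope": False}


def run(event, config_client=None):
    """Evaluate one event and report it; returns (evaluations, number of PutEvaluations calls)."""
    client = config_client if config_client is not None else FakeConfigClient()
    evaluations = evaluations_for(event, mfa_item_evaluator, periodic_evaluator)
    return evaluations, report(client, event, evaluations)
```

Two details matter operationally: the resultToken must be echoed back unchanged or Config rejects the evaluations, and a rule that simply skips deleted resources (instead of sending NOT_APPLICABLE) leaves stale NON_COMPLIANT results in the dashboard.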
Designing Custom Config Rules
Behaviour Driven Security Development
Define the Use Case and Test Cases
Gherkin-like documentation!
Feature: Some terse yet descriptive text of what is desired
Scenario: Some determinable business situation
Given some precondition
And some other precondition
Then some testable outcome is achieved
Scenario: A different situation
...
Writing Test Cases 101
1. Cover all permutations of inputs
2. Keep distinct coverage in the test cases
3. Keep in mind that humans need to fix it (initially)
4. A reasoning approach is the future, and the future is now
Example
Write a rule checking for MFA on an IAM user
Scenarios for Rule IAM_User_MFA_Enabled
Feature:
In order to: enforce strong authentication
As: a security Officer
I want: to ensure that IAM users have MFA configured, except if whitelisted
Scenarios:
Scenario 1:
Given: WhitelistedUserList is configured
And: The IAM User’s UniqueID is listed in WhitelistedUserList
Then: Return COMPLIANT
Scenario 2:
Given: WhitelistedUserList is configured
And: The IAM User’s UniqueID is not listed in WhitelistedUserList
And: The IAM User has MFA attached
Then: Return COMPLIANT
Scenarios for Rule IAM_User_MFA_Enabled Continued…
Scenario 3:
Given: WhitelistedUserList is configured
And: The IAM User’s UniqueID is not listed in WhitelistedUserList
And: The IAM User has no MFA attached
Then: Return NON_COMPLIANT
Scenario 4:
Given: WhitelistedUserList is not configured
And: The IAM User has MFA attached
Then: Return COMPLIANT
Scenario 5:
Given: WhitelistedUserList is not configured
And: The IAM User has no MFA attached
Then: Return NON_COMPLIANT
Building a Custom Config Rule
Diving into the code
Introducing the Rule Development Kit (RDK)
The fastest way to develop, and easiest way to test custom
AWS Config Rules
Designed to support your first Config Rule, enterprise-grade
Rule development, and CI/CD pipelines.
Open source software, maintained by AWS. Documentation and contributions
at https://github.com/awslabs/aws-config-rdk
Easy install via pip:
$ pip install rdk
Enables a Natural Development Workflow for Config Rules:
Setup → Write Tests → Write Code → Test → Debug → Deploy
Before coding…

Element             Decision
Goal                Define what you want to do: use cases, test cases.
Scope and trigger   Define a trigger: on change, on time, or both. Define what you want to track.
Parameters          Define the parameters. Decide whether a parameter is optional or mandatory.
Evaluation          Define on which resource type you want to report.
Before coding… (decisions for IAM_User_MFA_Enabled)

Element             Decision
Goal                Stated in Gherkin-like documentation
Scope and trigger   Trigger: change. Scope: AWS::IAM::User
Parameters          Parameters: WhitelistedUserList. Mandatory or Optional: optional
Evaluation          Resource type: AWS::IAM::User
Demo - RDK
IAM_User_MFA_Enabled Custom Rule
Writing test cases
Build the invoking event with the Configuration Item:

import json
import unittest
from unittest.mock import MagicMock

# The test file that `rdk create` generates also defines
# build_lambda_configurationchange_event(), build_expected_response() and
# assert_successful_evaluation(), imports the rule module as `rule`, and patches
# the rule's client factory so that get_client("iam", ...) hands back
# iam_client_mock. Only the parts shown on the slides are reproduced here.
config_client_mock = MagicMock()
sts_client_mock = MagicMock()
iam_client_mock = MagicMock()


def build_invoking_event(configurationItemStatus, userName, userId):
    # A minimal AWS::IAM::User configuration item wrapped in the change
    # notification the rule's lambda_handler expects (as a JSON string).
    return json.dumps({
        "configurationItemDiff": "SomeDifference",
        "notificationCreationTime": "SomeTime",
        "messageType": "ConfigurationItemChangeNotification",
        "recordVersion": "SomeVersion",
        "configurationItem": {
            "resourceType": "AWS::IAM::User",
            "resourceName": userName,
            "configurationItemStatus": configurationItemStatus,
            "resourceId": userId,
            "configurationItemCaptureTime": "2018-02-20T06:56:55.533Z",
            "configuration": {
                "userName": userName,
                "userId": userId
            }
        }
    })
Define each test case based on Gherkin scenarios:

class Scenario_1_TestWhitelistedUser(unittest.TestCase):

    def test_Scenario_1_user_is_whitelisted(self):
        # WhitelistedUserList is a comma-separated string; note the space after the
        # comma, which the rule must tolerate for this test to pass.
        ruleParam = '{ "WhitelistedUserList" : "AIDAIDFOUX2OSRO6DO7XM, AIDAIDFOUX2OSRO6DO7XN"}'
        invokingEvent = build_invoking_event("ResourceDiscovered", "Testuser",
                                             "AIDAIDFOUX2OSRO6DO7XN")
        lambda_event = build_lambda_configurationchange_event(invoking_event=invokingEvent,
                                                              rule_parameters=ruleParam)
        response = rule.lambda_handler(lambda_event, {})
        resp_expected = []
        resp_expected.append(build_expected_response('COMPLIANT', 'AIDAIDFOUX2OSRO6DO7XN'))
        assert_successful_evaluation(self, response, resp_expected)
class Scenario_2_to_5_TestMFA(unittest.TestCase):

    def constructMFADeviceList(self, UserName):
        # Used as a MagicMock side_effect, so it receives the UserName= keyword the
        # rule passes to list_mfa_devices() and returns one device regardless of user.
        deviceList = {'MFADevices': [{'UserName': 'CompliantUser', 'SerialNumber': 'ARN:IAM'}]}
        return deviceList

    def test_Scenario_2_Compliant_User(self):
        # Whitelist configured, user not in it, user has an MFA device
        iam_client_mock.list_mfa_devices = MagicMock(side_effect=self.constructMFADeviceList)
        ruleParam = '{ "WhitelistedUserList" : "AIDAICVB3PKAQMPEGDW2C"}'
        invokingEvent = build_invoking_event("ResourceDiscovered", "compliantUser",
                                             "AIDAIDFOUX2OSRO6DO7XM")
        lambda_event = build_lambda_configurationchange_event(invoking_event=invokingEvent,
                                                              rule_parameters=ruleParam)
        response = rule.lambda_handler(lambda_event, {})
        resp_expected = []
        resp_expected.append(build_expected_response('COMPLIANT', 'AIDAIDFOUX2OSRO6DO7XM'))
        assert_successful_evaluation(self, response, resp_expected, 1)

    def test_Scenario_3_Non_Compliant_User(self):
        # Whitelist configured, user not in it, no MFA device
        iam_client_mock.list_mfa_devices = MagicMock(return_value={"MFADevices": []})
        ruleParam = '{ "WhitelistedUserList" : "AIDAICVB3PKAQMPEGDW2C"}'
        invokingEvent = build_invoking_event("ResourceDiscovered", "nonCompliantUser",
                                             "AIDAIDFOUX2OSRO6DO7XM")
        lambda_event = build_lambda_configurationchange_event(invoking_event=invokingEvent,
                                                              rule_parameters=ruleParam)
        response = rule.lambda_handler(lambda_event, {})
        resp_expected = []
        resp_expected.append(build_expected_response('NON_COMPLIANT', 'AIDAIDFOUX2OSRO6DO7XM',
                                                     annotation='No MFA Device detected'))
        assert_successful_evaluation(self, response, resp_expected, 1)

    def test_Scenario_4_Compliant_User(self):
        # No whitelist parameter at all, user has an MFA device
        iam_client_mock.list_mfa_devices = MagicMock(side_effect=self.constructMFADeviceList)
        invokingEvent = build_invoking_event("ResourceDiscovered", "compliantUser",
                                             "AIDAIDFOUX2OSRO6DO7XM")
        lambda_event = build_lambda_configurationchange_event(invoking_event=invokingEvent)
        response = rule.lambda_handler(lambda_event, {})
        resp_expected = []
        resp_expected.append(build_expected_response('COMPLIANT', 'AIDAIDFOUX2OSRO6DO7XM'))
        assert_successful_evaluation(self, response, resp_expected, 1)

    def test_Scenario_5_Non_Compliant_User(self):
        # No whitelist parameter, no MFA device
        iam_client_mock.list_mfa_devices = MagicMock(return_value={"MFADevices": []})
        invokingEvent = build_invoking_event("ResourceDiscovered", "nonCompliantUser",
                                             "AIDAIDFOUX2OSRO6DO7XM")
        lambda_event = build_lambda_configurationchange_event(invoking_event=invokingEvent)
        response = rule.lambda_handler(lambda_event, {})
        resp_expected = []
        resp_expected.append(build_expected_response('NON_COMPLIANT', 'AIDAIDFOUX2OSRO6DO7XM',
                                                     annotation='No MFA Device detected'))
        assert_successful_evaluation(self, response, resp_expected, 1)
IAM_User_MFA_Enabled Custom Rule
Writing the rule
Define rule logic:

def evaluate_compliance(event, configuration_item, valid_rule_parameters):
    ###############################
    # Add your custom logic here. #
    ###############################
    # get_client() and build_evaluation_from_config_item() come from the RDK rule
    # template; in assume-role mode get_client() uses credentials for the
    # executionRoleArn passed in the event, which is what makes cross-account
    # evaluation work.
    iam_user_name = configuration_item["resourceName"]
    iam_user_id = configuration_item["resourceId"]
    if "WhitelistedUserList" in valid_rule_parameters:
        # Scenario 1: a whitelisted user is COMPLIANT without an MFA check.
        # strip() each entry so "id1, id2" (space after the comma, as in the
        # Scenario 1 test) matches as well as "id1,id2".
        whitelist = [u.strip() for u in valid_rule_parameters["WhitelistedUserList"].split(",")]
        if iam_user_id in whitelist:
            return build_evaluation_from_config_item(configuration_item, "COMPLIANT",
                                                     "User is whitelisted")
    # Scenarios 2 to 5: the configuration item does not carry MFA state, so ask IAM.
    iam_client = get_client("iam", event)
    result = iam_client.list_mfa_devices(UserName=iam_user_name)
    if result["MFADevices"]:
        return build_evaluation_from_config_item(configuration_item, "COMPLIANT")
    return build_evaluation_from_config_item(configuration_item, "NON_COMPLIANT",
                                             "No MFA Device detected")
Validate parameter:

def evaluate_parameters(rule_parameters):
    # Runs before evaluate_compliance(); raising ValueError makes the rule report
    # the bad parameter instead of evaluating with it. The key must be the
    # parameter name the rule is deployed with, WhitelistedUserList.
    if 'WhitelistedUserList' in rule_parameters:
        for user_id in rule_parameters['WhitelistedUserList'].split(","):
            user_id = user_id.strip()   # tolerate "id1, id2"
            if not user_id.isalnum():
                raise ValueError("User IDs should be alphanumeric.")
            if not user_id.startswith("AIDA"):
                raise ValueError("User IDs should start with the string 'AIDA'")
    valid_rule_parameters = rule_parameters
    return valid_rule_parameters
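The deck builds the change-triggered form of the rule. For the Periodic trigger from the table earlier (a resource type Config is not tracking, or when time matters), no configuration item arrives and the function must enumerate IAM users itself. The following is an added example, not code from the deck or the RDK: a time-triggered IAM_User_MFA_Enabled that follows ListUsers pagination and applies the same five scenarios to every user. FakeIam, its users and the event are constructed for the example; the ListUsers response shape (Users, IsTruncated, Marker) and ListMFADevices are the real IAM API shapes.

```python
import json

WHITELIST_PARAM = "WhitelistedUserList"


def evaluate_parameters(rule_parameters):
    """Same validation as the change-triggered rule, tolerant of spaces after commas."""
    raw = rule_parameters.get(WHITELIST_PARAM, "")
    ids = [u.strip() for u in raw.split(",") if u.strip()]
    for user_id in ids:
        if not user_id.isalnum():
            raise ValueError("User IDs should be alphanumeric: %r" % user_id)
        if not user_id.startswith("AIDA"):
            raise ValueError("User IDs should start with 'AIDA': %r" % user_id)
    return set(ids)


def iter_users(iam):
    """ListUsers is paginated: follow Marker until IsTruncated is false, or the rule
    silently evaluates only the first page of users."""
    marker = None
    while True:
        page = iam.list_users(**({"Marker": marker} if marker else {}))
        for user in page["Users"]:
            yield user
        if not page.get("IsTruncated"):
            return
        marker = page["Marker"]


def evaluate_user(iam, user, whitelist):
    """Scenarios 1 to 5 from the slides, applied to one ListUsers entry."""
    if user["UserId"] in whitelist:
        return "COMPLIANT", "User is whitelisted"
    if iam.list_mfa_devices(UserName=user["UserName"])["MFADevices"]:
        return "COMPLIANT", None
    return "NON_COMPLIANT", "No MFA Device detected"


def evaluate_periodic(iam, rule_parameters, ordering_timestamp):
    """One evaluation per IAM user, all stamped with the scheduled notification time."""
    whitelist = evaluate_parameters(rule_parameters)
    evaluations = []
    for user in iter_users(iam):
        compliance, annotation = evaluate_user(iam, user, whitelist)
        evaluation = {"ComplianceResourceType": "AWS::IAM::User",
                      "ComplianceResourceId": user["UserId"],
                      "ComplianceType": compliance,
                      "OrderingTimestamp": ordering_timestamp}
        if annotation:
            evaluation["Annotation"] = annotation
        evaluations.append(evaluation)
    return evaluations


def lambda_handler(event, context, iam=None):
    """Entry point in the shape of an RDK rule; `iam` is injected here instead of
    being created by get_client()."""
    invoking = json.loads(event["invokingEvent"])
    if invoking["messageType"] != "ScheduledNotification":
        raise ValueError("this rule is periodic only, got %s" % invoking["messageType"])
    params = json.loads(event.get("ruleParameters") or "{}")
    return evaluate_periodic(iam, params, invoking["notificationCreationTime"])


class FakeIam:
    """Two-page ListUsers plus per-user MFA devices; constructed sample data."""
    USERS = [{"UserName": "alice", "UserId": "AIDAEXAMPLE0000000001"},
             {"UserName": "bob", "UserId": "AIDAEXAMPLE0000000002"},
             {"UserName": "carol", "UserId": "AIDAEXAMPLE0000000003"}]
    MFA = {"alice": [{"UserName": "alice",
                      "SerialNumber": "arn:aws:iam::123456789012:mfa/alice"}]}

    def list_users(self, Marker=None, MaxItems=None):
        if Marker is None:
            return {"Users": self.USERS[:2], "IsTruncated": True, "Marker": "page2"}
        return {"Users": self.USERS[2:], "IsTruncated": False}

    def list_mfa_devices(self, UserName):
        return {"MFADevices": self.MFA.get(UserName, [])}


def sample_scheduled_event(whitelist="AIDAEXAMPLE0000000003"):
    """Constructed ScheduledNotification event: note there is no configurationItem."""
    invoking = {"messageType": "ScheduledNotification",
                "notificationCreationTime": "2018-08-01T00:00:00.000Z",
                "awsAccountId": "123456789012"}
    return {"invokingEvent": json.dumps(invoking),
            "ruleParameters": json.dumps({WHITELIST_PARAM: whitelist}),
            "resultToken": "myResultToken", "eventLeftScope": False}
```

With the constructed data, alice is COMPLIANT through her MFA device, bob is NON_COMPLIANT, and carol is COMPLIANT only because her UserId is whitelisted. The scenarios on the slides say nothing about users who have no console password (access-key-only identities); under these five scenarios they are reported NON_COMPLIANT, and exempting them would be a new scenario that needs its own test before it goes into the rule.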
Demo – Config Rule Deploy
Secure Multi-account Deployments
Account Structure, IAM Roles, and Deployment Methods
Multi-Account Structure for Secure Deployment
• SecOps Publisher Account: hosts the Lambda function for each rule (Rule X Lambda Function, Rule Y Lambda Function). Application teams cannot modify the rule code.
• App Account A, App Account B: each holds Config Rule X and Config Rule Y, pointing at the Lambda functions in the SecOps Publisher Account.

Cross-Account IAM Roles
• Lambda Role (SecOps Publisher Account): the execution role of the rule functions.
• Config Service Role (one per App Account): the role AWS Config uses in that account, and the role the Lambda function assumes (it is the executionRoleArn passed in the event) to describe that account's resources and report evaluations back.
• Config Service Role permissions include List and Describe on resources along with:
  "s3:PutObject*",
  "sns:Publish",
  "config:Put*",
  "config:Get*",
  "config:List*",
  "config:Describe*"
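Two policy documents make the cross-account layout above work, and both are worth auditing before a StackSet pushes them to every account. First, the Config Service Role in each App Account must trust the SecOps Lambda Role so the function can AssumeRole into the account. Second (not shown on the slides, but required for any cross-account custom rule), the Lambda function's resource policy must allow config.amazonaws.com to invoke it, pinned with an AWS:SourceAccount condition to the App Accounts, which is what `aws lambda add-permission --principal config.amazonaws.com --source-account` writes; without that condition, Config in any AWS account could invoke your rule function. The following is an added example, not code from the deck or the RDK: builders for both documents and the checks a reviewer would run on them. Account IDs, role and function names are made up.

```python
def config_service_role_trust_policy(publisher_account, lambda_role_name):
    """Trust policy for the Config Service Role in an App Account."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": {"Service": "config.amazonaws.com"},
         "Action": "sts:AssumeRole"},
        {"Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::%s:role/%s" % (publisher_account, lambda_role_name)},
         "Action": "sts:AssumeRole"}]}


def lambda_invoke_policy(function_arn, app_accounts):
    """Resource policy on the rule function: one pinned statement per App Account."""
    statements = []
    for account in app_accounts:
        statements.append({"Sid": "ConfigInvokeFrom%s" % account, "Effect": "Allow",
                           "Principal": {"Service": "config.amazonaws.com"},
                           "Action": "lambda:InvokeFunction", "Resource": function_arn,
                           "Condition": {"StringEquals": {"AWS:SourceAccount": account}}})
    return {"Version": "2012-10-17", "Statement": statements}


def principals(statement):
    """Flatten the Principal element to a list of strings ('*' stays '*')."""
    principal = statement.get("Principal", {})
    if principal == "*":
        return ["*"]
    found = []
    for value in principal.values():
        found.extend(value if isinstance(value, list) else [value])
    return found


def actions(statement):
    action = statement.get("Action", [])
    return action if isinstance(action, list) else [action]


def audit_trust_policy(policy, allowed_role_arns):
    """Flag any AssumeRole grant beyond the Config service and the expected publisher roles."""
    findings = []
    for statement in policy["Statement"]:
        if statement.get("Effect") != "Allow" or "sts:AssumeRole" not in actions(statement):
            continue
        for principal in principals(statement):
            if principal == "*" or principal.endswith(":root"):
                findings.append("trusts everyone or a whole account: %s" % principal)
            elif principal.startswith("arn:") and principal not in allowed_role_arns:
                findings.append("unexpected trusted principal: %s" % principal)
            elif not principal.startswith("arn:") and principal != "config.amazonaws.com":
                findings.append("unexpected service principal: %s" % principal)
    return findings


def audit_lambda_policy(policy, app_accounts):
    """Every config.amazonaws.com grant must be pinned to a known App Account."""
    findings = []
    for statement in policy["Statement"]:
        if "config.amazonaws.com" not in principals(statement):
            continue
        source = statement.get("Condition", {}).get("StringEquals", {}).get("AWS:SourceAccount")
        sid = statement.get("Sid", "<no Sid>")
        if source is None:
            findings.append("%s: no AWS:SourceAccount condition, any account's Config can invoke" % sid)
        elif source not in app_accounts:
            findings.append("%s: unknown source account %s" % (sid, source))
    return findings
```

Run the two audit functions over the policies actually attached in each account (GetRole and GetPolicy output) as a deployment gate; a trust policy that names an account root, or an invoke statement without a source-account condition, should fail the pipeline rather than ship.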
Deployment Using CloudFormation StackSets
• The SecOps Publisher Account holds one StackSet per rule (Rule X StackSet, Rule Y StackSet) and the StackSet Admin Role.
• Each App Account holds a StackSet Execution Role; the admin role assumes it to create the stack instances that define Config Rule X and Config Rule Y in that account, pointing at the Lambda functions in the SecOps Publisher Account.
• Adding an account or a rule is then a StackSet operation rather than a manual change in each account.
Continuous Compliance
Security Requirements drive a continuous cycle: Design → Build & Test → Deploy → Analyse → Respond → Design …
Summary
• Use AWS Config and Custom Config Rules to transform your compliance
to code
• Implement Behaviour Driven Development to help easily define business
requirements as security controls
• Fast-track Config Rules development using the Rules Development Kit
(RDK)
• Isolate Config Rule Lambda functions in a SecOps Account for secure
scaled deployments
Q&A
Presenter: Raisa Hashem
Q&A Speakers: Aparna Elangovan, Paul Hawkins
Thank you!
Configure Your Cloud to Make It Rain on Threats (SEC335-R1) - AWS re:Invent 2018Configure Your Cloud to Make It Rain on Threats (SEC335-R1) - AWS re:Invent 2018
Configure Your Cloud to Make It Rain on Threats (SEC335-R1) - AWS re:Invent 2018Amazon Web Services
 
How LogMeIn Automates Governance and Empowers Developers at Scale (SEC302) - ...
How LogMeIn Automates Governance and Empowers Developers at Scale (SEC302) - ...How LogMeIn Automates Governance and Empowers Developers at Scale (SEC302) - ...
How LogMeIn Automates Governance and Empowers Developers at Scale (SEC302) - ...Amazon Web Services
 
An Active Case Study on Insider Threat Detection in your Applications
An Active Case Study on Insider Threat Detection in your ApplicationsAn Active Case Study on Insider Threat Detection in your Applications
An Active Case Study on Insider Threat Detection in your ApplicationsAmazon Web Services
 
Building the Technical Foundation for Your Security Practice (GPSCT205) - AWS...
Building the Technical Foundation for Your Security Practice (GPSCT205) - AWS...Building the Technical Foundation for Your Security Practice (GPSCT205) - AWS...
Building the Technical Foundation for Your Security Practice (GPSCT205) - AWS...Amazon Web Services
 
Discuss How to Secure Your Virtual Data Center in the Cloud (NET210-R1) - AWS...
Discuss How to Secure Your Virtual Data Center in the Cloud (NET210-R1) - AWS...Discuss How to Secure Your Virtual Data Center in the Cloud (NET210-R1) - AWS...
Discuss How to Secure Your Virtual Data Center in the Cloud (NET210-R1) - AWS...Amazon Web Services
 
Leadership Session: AWS Security (SEC305-L) - AWS re:Invent 2018
Leadership Session: AWS Security (SEC305-L) - AWS re:Invent 2018Leadership Session: AWS Security (SEC305-L) - AWS re:Invent 2018
Leadership Session: AWS Security (SEC305-L) - AWS re:Invent 2018Amazon Web Services
 
Configuration Management and Service Discovery with AWS Lambda (SRV338-R1) - ...
Configuration Management and Service Discovery with AWS Lambda (SRV338-R1) - ...Configuration Management and Service Discovery with AWS Lambda (SRV338-R1) - ...
Configuration Management and Service Discovery with AWS Lambda (SRV338-R1) - ...Amazon Web Services
 
Control for Your Cloud Environment Using AWS Management Tools (ENT226-R1) - A...
Control for Your Cloud Environment Using AWS Management Tools (ENT226-R1) - A...Control for Your Cloud Environment Using AWS Management Tools (ENT226-R1) - A...
Control for Your Cloud Environment Using AWS Management Tools (ENT226-R1) - A...Amazon Web Services
 
The Theory and Math Behind Data Privacy and Security Assurance (SEC301) - AWS...
The Theory and Math Behind Data Privacy and Security Assurance (SEC301) - AWS...The Theory and Math Behind Data Privacy and Security Assurance (SEC301) - AWS...
The Theory and Math Behind Data Privacy and Security Assurance (SEC301) - AWS...Amazon Web Services
 
Serverless Architectural Patterns - GOTO Amsterdam
Serverless Architectural Patterns - GOTO AmsterdamServerless Architectural Patterns - GOTO Amsterdam
Serverless Architectural Patterns - GOTO AmsterdamBoaz Ziniman
 
AWS and Symantec: Cyber Defense at Scale (SEC311-S) - AWS re:Invent 2018
AWS and Symantec: Cyber Defense at Scale (SEC311-S) - AWS re:Invent 2018AWS and Symantec: Cyber Defense at Scale (SEC311-S) - AWS re:Invent 2018
AWS and Symantec: Cyber Defense at Scale (SEC311-S) - AWS re:Invent 2018Amazon Web Services
 
Deconstructing SaaS: Deep Dive into Building Multi-Tenant Solutions on AWS (A...
Deconstructing SaaS: Deep Dive into Building Multi-Tenant Solutions on AWS (A...Deconstructing SaaS: Deep Dive into Building Multi-Tenant Solutions on AWS (A...
Deconstructing SaaS: Deep Dive into Building Multi-Tenant Solutions on AWS (A...Amazon Web Services
 
Securing Data in Serverless Applications and Messaging Services (API317-R2) -...
Securing Data in Serverless Applications and Messaging Services (API317-R2) -...Securing Data in Serverless Applications and Messaging Services (API317-R2) -...
Securing Data in Serverless Applications and Messaging Services (API317-R2) -...Amazon Web Services
 
SID304 Threat Detection and Remediation with Amazon GuardDuty
 SID304 Threat Detection and Remediation with Amazon GuardDuty SID304 Threat Detection and Remediation with Amazon GuardDuty
SID304 Threat Detection and Remediation with Amazon GuardDutyAmazon Web Services
 
New AWS Security Solutions to Protect Your Workload
New AWS Security Solutions to Protect Your WorkloadNew AWS Security Solutions to Protect Your Workload
New AWS Security Solutions to Protect Your WorkloadAmazon Web Services
 
Threat Detection & Remediation Workshop - Module 2
Threat Detection & Remediation Workshop - Module 2Threat Detection & Remediation Workshop - Module 2
Threat Detection & Remediation Workshop - Module 2Amazon Web Services
 

Similar to Easily Transform Compliance to Code using AWS Config, Config Rules, and the Rules Development Kit (20)

Easily transform compliance to code using AWS Config, Config Rules, and the R...
Easily transform compliance to code using AWS Config, Config Rules, and the R...Easily transform compliance to code using AWS Config, Config Rules, and the R...
Easily transform compliance to code using AWS Config, Config Rules, and the R...
 
Set Up Compliance Automation Using AWS Management Tools (SEC317) - AWS re:Inv...
Set Up Compliance Automation Using AWS Management Tools (SEC317) - AWS re:Inv...Set Up Compliance Automation Using AWS Management Tools (SEC317) - AWS re:Inv...
Set Up Compliance Automation Using AWS Management Tools (SEC317) - AWS re:Inv...
 
Red Team vs. Blue Team on AWS ~ re:Invent 2018
Red Team vs. Blue Team on AWS ~ re:Invent 2018Red Team vs. Blue Team on AWS ~ re:Invent 2018
Red Team vs. Blue Team on AWS ~ re:Invent 2018
 
Red Team vs. Blue Team on AWS (DVC304) - AWS re:Invent 2018
Red Team vs. Blue Team on AWS (DVC304) - AWS re:Invent 2018Red Team vs. Blue Team on AWS (DVC304) - AWS re:Invent 2018
Red Team vs. Blue Team on AWS (DVC304) - AWS re:Invent 2018
 
Configure Your Cloud to Make It Rain on Threats (SEC335-R1) - AWS re:Invent 2018
Configure Your Cloud to Make It Rain on Threats (SEC335-R1) - AWS re:Invent 2018Configure Your Cloud to Make It Rain on Threats (SEC335-R1) - AWS re:Invent 2018
Configure Your Cloud to Make It Rain on Threats (SEC335-R1) - AWS re:Invent 2018
 
How LogMeIn Automates Governance and Empowers Developers at Scale (SEC302) - ...
How LogMeIn Automates Governance and Empowers Developers at Scale (SEC302) - ...How LogMeIn Automates Governance and Empowers Developers at Scale (SEC302) - ...
How LogMeIn Automates Governance and Empowers Developers at Scale (SEC302) - ...
 
An Active Case Study on Insider Threat Detection in your Applications
An Active Case Study on Insider Threat Detection in your ApplicationsAn Active Case Study on Insider Threat Detection in your Applications
An Active Case Study on Insider Threat Detection in your Applications
 
Building the Technical Foundation for Your Security Practice (GPSCT205) - AWS...
Building the Technical Foundation for Your Security Practice (GPSCT205) - AWS...Building the Technical Foundation for Your Security Practice (GPSCT205) - AWS...
Building the Technical Foundation for Your Security Practice (GPSCT205) - AWS...
 
Discuss How to Secure Your Virtual Data Center in the Cloud (NET210-R1) - AWS...
Discuss How to Secure Your Virtual Data Center in the Cloud (NET210-R1) - AWS...Discuss How to Secure Your Virtual Data Center in the Cloud (NET210-R1) - AWS...
Discuss How to Secure Your Virtual Data Center in the Cloud (NET210-R1) - AWS...
 
Leadership Session: AWS Security (SEC305-L) - AWS re:Invent 2018
Leadership Session: AWS Security (SEC305-L) - AWS re:Invent 2018Leadership Session: AWS Security (SEC305-L) - AWS re:Invent 2018
Leadership Session: AWS Security (SEC305-L) - AWS re:Invent 2018
 
Configuration Management and Service Discovery with AWS Lambda (SRV338-R1) - ...
Configuration Management and Service Discovery with AWS Lambda (SRV338-R1) - ...Configuration Management and Service Discovery with AWS Lambda (SRV338-R1) - ...
Configuration Management and Service Discovery with AWS Lambda (SRV338-R1) - ...
 
Control for Your Cloud Environment Using AWS Management Tools (ENT226-R1) - A...
Control for Your Cloud Environment Using AWS Management Tools (ENT226-R1) - A...Control for Your Cloud Environment Using AWS Management Tools (ENT226-R1) - A...
Control for Your Cloud Environment Using AWS Management Tools (ENT226-R1) - A...
 
The Theory and Math Behind Data Privacy and Security Assurance (SEC301) - AWS...
The Theory and Math Behind Data Privacy and Security Assurance (SEC301) - AWS...The Theory and Math Behind Data Privacy and Security Assurance (SEC301) - AWS...
The Theory and Math Behind Data Privacy and Security Assurance (SEC301) - AWS...
 
Serverless Architectural Patterns - GOTO Amsterdam
Serverless Architectural Patterns - GOTO AmsterdamServerless Architectural Patterns - GOTO Amsterdam
Serverless Architectural Patterns - GOTO Amsterdam
 
AWS and Symantec: Cyber Defense at Scale (SEC311-S) - AWS re:Invent 2018
AWS and Symantec: Cyber Defense at Scale (SEC311-S) - AWS re:Invent 2018AWS and Symantec: Cyber Defense at Scale (SEC311-S) - AWS re:Invent 2018
AWS and Symantec: Cyber Defense at Scale (SEC311-S) - AWS re:Invent 2018
 
Deconstructing SaaS: Deep Dive into Building Multi-Tenant Solutions on AWS (A...
Deconstructing SaaS: Deep Dive into Building Multi-Tenant Solutions on AWS (A...Deconstructing SaaS: Deep Dive into Building Multi-Tenant Solutions on AWS (A...
Deconstructing SaaS: Deep Dive into Building Multi-Tenant Solutions on AWS (A...
 
Securing Data in Serverless Applications and Messaging Services (API317-R2) -...
Securing Data in Serverless Applications and Messaging Services (API317-R2) -...Securing Data in Serverless Applications and Messaging Services (API317-R2) -...
Securing Data in Serverless Applications and Messaging Services (API317-R2) -...
 
SID304 Threat Detection and Remediation with Amazon GuardDuty
 SID304 Threat Detection and Remediation with Amazon GuardDuty SID304 Threat Detection and Remediation with Amazon GuardDuty
SID304 Threat Detection and Remediation with Amazon GuardDuty
 
New AWS Security Solutions to Protect Your Workload
New AWS Security Solutions to Protect Your WorkloadNew AWS Security Solutions to Protect Your Workload
New AWS Security Solutions to Protect Your Workload
 
Threat Detection & Remediation Workshop - Module 2
Threat Detection & Remediation Workshop - Module 2Threat Detection & Remediation Workshop - Module 2
Threat Detection & Remediation Workshop - Module 2
 

More from Amazon Web Services

Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...Amazon Web Services
 
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...Amazon Web Services
 
Esegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS FargateEsegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS FargateAmazon Web Services
 
Costruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWSCostruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWSAmazon Web Services
 
Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot Amazon Web Services
 
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...Amazon Web Services
 
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...Amazon Web Services
 
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows WorkloadsMicrosoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows WorkloadsAmazon Web Services
 
Database Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatareDatabase Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatareAmazon Web Services
 
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJSCrea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJSAmazon Web Services
 
API moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAPI moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAmazon Web Services
 
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareDatabase Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareAmazon Web Services
 
Tools for building your MVP on AWS
Tools for building your MVP on AWSTools for building your MVP on AWS
Tools for building your MVP on AWSAmazon Web Services
 
How to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckHow to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckAmazon Web Services
 
Building a web application without servers
Building a web application without serversBuilding a web application without servers
Building a web application without serversAmazon Web Services
 
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...Amazon Web Services
 
Introduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceIntroduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceAmazon Web Services
 

More from Amazon Web Services (20)

Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
 
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
 
Esegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS FargateEsegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS Fargate
 
Costruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWSCostruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWS
 
Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot
 
Open banking as a service
Open banking as a serviceOpen banking as a service
Open banking as a service
 
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
 
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
 
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows WorkloadsMicrosoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
 
Computer Vision con AWS
Computer Vision con AWSComputer Vision con AWS
Computer Vision con AWS
 
Database Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatareDatabase Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatare
 
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJSCrea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
 
API moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAPI moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e web
 
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareDatabase Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
 
Tools for building your MVP on AWS
Tools for building your MVP on AWSTools for building your MVP on AWS
Tools for building your MVP on AWS
 
How to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckHow to Build a Winning Pitch Deck
How to Build a Winning Pitch Deck
 
Building a web application without servers
Building a web application without serversBuilding a web application without servers
Building a web application without servers
 
Fundraising Essentials
Fundraising EssentialsFundraising Essentials
Fundraising Essentials
 
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
 
Introduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceIntroduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container Service
 

Easily Transform Compliance to Code using AWS Config, Config Rules, and the Rules Development Kit

  • 1. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark
    Raisa Hashem
    Easily Transform Compliance to Code using AWS Config, Config Rules, and the Rules Development Kit
    August 2018
  • 2. Key Takeaways
    • Learn AWS Config and Config Rules concepts
    • Understand best practice and concepts on Behaviour Driven Development for Config Rules
    • Learn to develop Lambda functions for Config Rules in Python using the Rules Development Kit (RDK)
    • Discover how to securely set up your environment for deployments
  • 3. Traditional Compliance vs. Continuous Compliance
    Traditional Compliance:
    • Expertise is not given to all
    • Time-consuming for everyone
    • Get-ready-for-the-audit mindset
    Continuous Compliance:
    • Scale consistently to all workloads
    • Focus time and resources on value
    • Part of day-to-day
  • 4. Compliance-as-Code: Introduction to AWS Config and Config Rules
  • 5. AWS Config Concepts: AWS Config
  • 6. AWS Config Concepts: the Configuration Recorder captures Configuration Items from EC2, CloudTrail, S3 and other services
  • 7. AWS Config Concepts: Configuration Items cover 22 services and 60+ resource types
  • 8. AWS Config Concepts: the Configuration Recorder captures Configuration Items (22 services, 60+ resource types); the Delivery Channel delivers Configuration Snapshots
  • 9. AWS Config Rules: Rules evaluate Configuration Items, e.g. Rule 1 on AWS::CloudTrail::Trail, Rule 2 on AWS::S3::Bucket, Rule 3 on AWS::EC2::InternetGateway
  • 10. AWS Config Rules: Managed Rules provide 60+ out-of-the-box rules on top of the Configuration Recorder, Delivery Channel and Configuration Snapshots
  • 11. Rules Receive the Configuration Item in JSON (metadata, common attributes, relationships and related events)
    "configurationItemVersion": "1.0",
    "configurationItemCaptureTime": "2017…",
    "configurationStateID": "….",
    "configurationItemStatus": "OK",
    "resourceId": "vol-ce676ccc",
    "arn": "arn:aws:us-west-………",
    "accountId": "123456789012",
    "availabilityZone": "us-west-2b",
    "resourceType": "AWS::EC2::Volume",
    "resourceCreationTime": "2014-02..",
    "tags": {},
    "relationships": [
      {
        "resourceId": "i-344c463d",
        "resourceType": "AWS::EC2::Instance",
        "name": "Attached to Instance"
      }
    ],
    "relatedEvents": [
      "06c12a39-eb35-11de-ae07-db69edbb1e4"
    ],
  • 12. Rules Receive the Configuration Item in JSON (current configuration)
    "configuration": {
      "volumeId": "vol-ce676ccc",
      "size": 1,
      "snapshotId": "",
      "availabilityZone": "us-west-2b",
      "state": "in-use",
      "createTime": "2017-02-……",
      "attachments": [
        {
          "volumeId": "vol-ce676ccc",
          "instanceId": "i-344c463d",
          "device": "/dev/sdf",
          "state": "attached",
          "attachTime": "2014-03-",
          "deleteOnTermination": false
        }
      ],
      "tags": [
        {
          "tagName": "environment",
          "tagValue": "PROD"
        }
      ],
      "volumeType": "standard"
    }
  • 13. Compliance-as-Code using Config Rules
    AWS Config takes a snapshot (22 services, 60+ resource types: EC2, CloudTrail, S3, others) and sends the configuration item to the Rules.
    Managed Rules: evaluated by AWS Config directly.
    Custom Rules: one Lambda function per custom rule. On each run, AWS Config:
    • sends the configuration item
    • sends the parameters
    The Lambda function then:
    • reads additional configuration(s) via describe() calls
    • reports the result via PutEvaluations()
  • 14. Compliance-as-Code using Config Rules: triggers
    Change Triggers: AWS Config sends the configuration item of the changed resource.
    Time Triggers: no configuration item is sent; the rule must look up the resources it needs itself.
    Snapshot: 22 services, 60+ resource types (EC2, CloudTrail, S3, others).
  • 15. Lambda Event Provided by Config Rules
    {
      "invokingEvent": {
        "configurationItem": {
          "configurationItemCaptureTime": "2016-02-17T01:36:34.043Z",
          "awsAccountId": "123456789012",
          "configurationItemStatus": "OK",
          …
        },
        "messageType": "ConfigurationItemChangeNotification"
      },
      "ruleParameters": {
        "myParameterKey1": "myParameterValue1",
        "myParameterKey2": "myParameterValue2"
      },
      "resultToken": "myResultToken",
      "eventLeftScope": false,
      "executionRoleArn": "arn:aws:iam::123456789012:role/config-role",
      "configRuleArn": "arn:aws:config:us-east-2:123456789012:config-rule/config-rule-0123456",
      "configRuleName": "change-triggered-config-rule",
      "configRuleId": "config-rule-0123456",
      "accountId": "123456789012",
      "version": "1.0"
    }
  • 16. Lambda Event Provided by Config Rules (same event as slide 15)
  • 17. Choosing the right trigger(s)
    Use Case                                                      Recommendation
    AWS Config is tracking this resource type.                    Configuration change
    AWS Config is not tracking this resource.                     Periodic
    AWS Config is tracking this resource, and time matters.       Configuration change and Periodic
  • 18. Designing Custom Config Rules: Behaviour Driven Security Development
  • 19. Define the Use Case and Test Cases (Gherkin-like documentation!)
    Feature: Some terse yet descriptive text of what is desired
      Scenario: Some determinable business situation
        Given some precondition
        And some other precondition
        Then some testable outcome is achieved
      Scenario: A different situation
        ...
  • 20. Writing Test Cases 101
    1. Cover all permutations of inputs
    2. Keep distinct coverage in the test cases
    3. Keep in mind that humans need to fix it (initially)
    4. A reasoning approach is the future, and the future is now
  • 21. Example: write a rule checking for MFA on an IAM user
  • 22. Scenarios for Rule IAM_User_MFA_Enabled
    Feature:
      In order to: enforce strong authentication
      As: a security officer
      I want: to ensure that IAM users have MFA configured, except if whitelisted
    Scenarios:
    Scenario 1:
      Given: WhitelistedUserList is configured
      And: The IAM User's UniqueID is listed in WhitelistedUserList
      Then: Return COMPLIANT
    Scenario 2:
      Given: WhitelistedUserList is configured
      And: The IAM User's UniqueID is not listed in WhitelistedUserList
      And: The IAM User has MFA attached
      Then: Return COMPLIANT
  • 23. Scenarios for Rule IAM_User_MFA_Enabled (continued)
    Scenario 3:
      Given: WhitelistedUserList is configured
      And: The IAM User's UniqueID is not listed in WhitelistedUserList
      And: The IAM User has no MFA attached
      Then: Return NON_COMPLIANT
    Scenario 4:
      Given: WhitelistedUserList is not configured
      And: The IAM User has MFA attached
      Then: Return COMPLIANT
    Scenario 5:
      Given: WhitelistedUserList is not configured
      And: The IAM User has no MFA attached
      Then: Return NON_COMPLIANT
  • 24. Building a Custom Config Rule: diving into the code
  • 25. Introducing the Rule Development Kit (RDK)
    The fastest way to develop, and easiest way to test, custom AWS Config Rules.
    Designed to support your first Config Rule, enterprise-grade rule development, and CI/CD pipelines.
    Open source software, maintained by AWS. Documentation and contributions at https://github.com/awslabs/aws-config-rdk
    Easy install via pip:
    $ pip install rdk
  • 26. Enables a natural development workflow for Config Rules: Setup, Write Tests, Write Code, Test, Debug, Deploy
  • 27. Before coding…
    Element             Decision
    Goal                Define what you want to do: use cases, test cases.
    Scope and trigger   Define a trigger: on change, on time, or both. Define what you want to track.
    Parameters          Define the parameters. Decide whether a parameter is optional or mandatory.
    Evaluation          Define on which resource type you want to report.
  • 28. Before coding… (IAM_User_MFA_Enabled)
    Element             Decision
    Goal                Stated in Gherkin-like documentation
    Scope and trigger   Trigger: change. Scope: AWS::IAM::User
    Parameters          Parameters: WhitelistedUserList. Mandatory or optional: optional
    Evaluation          Resource type: AWS::IAM::User
  • 29. Demo - RDK
  • 30. IAM_User_MFA_Enabled Custom Rule: writing test cases
  • 31. Build the invoking event with the Configuration Item:
      import json
      import unittest
      from unittest.mock import MagicMock

      # Mocked boto3 clients; the RDK test template injects these in place of real AWS clients
      config_client_mock = MagicMock()
      sts_client_mock = MagicMock()
      iam_client_mock = MagicMock()

      def build_invoking_event(configurationItemStatus, userName, userId):
          # Builds the Config invoking event carrying a single AWS::IAM::User configuration item
          return json.dumps({
              "configurationItemDiff": "SomeDifference",
              "notificationCreationTime": "SomeTime",
              "messageType": "ConfigurationItemChangeNotification",
              "recordVersion": "SomeVersion",
              "configurationItem": {
                  "resourceType": "AWS::IAM::User",
                  "resourceName": userName,
                  "configurationItemStatus": configurationItemStatus,
                  "resourceId": userId,
                  "configurationItemCaptureTime": "2018-02-20T06:56:55.533Z",
                  "configuration": {
                      "userName": userName,
                      "userId": userId
                  }
              }
          })
  • 32. Define each test case based on the Gherkin scenarios:
      class Scenario_1_TestWhitelistedUser(unittest.TestCase):
          def test_Scenario_1_user_is_whitelisted(self):
              ruleParam = '{ "WhitelistedUserList" : "AIDAIDFOUX2OSRO6DO7XM, AIDAIDFOUX2OSRO6DO7XN"}'
              invokingEvent = build_invoking_event("ResourceDiscovered", "Testuser", "AIDAIDFOUX2OSRO6DO7XN")
              lambda_event = build_lambda_configurationchange_event(invoking_event=invokingEvent, rule_parameters=ruleParam)
              response = rule.lambda_handler(lambda_event, {})
              resp_expected = []
              resp_expected.append(build_expected_response('COMPLIANT', 'AIDAIDFOUX2OSRO6DO7XN'))
              assert_successful_evaluation(self, response, resp_expected)
  • 33. Scenarios 2 to 5 mock the IAM list_mfa_devices call:
      class Scenario_2_to_5_TestMFA(unittest.TestCase):
          def constructMFADeviceList(self, UserName):
              # Mock side effect: always report one MFA device, whatever user is queried
              deviceList = {'MFADevices': [{'UserName': 'CompliantUser', 'SerialNumber': 'ARN:IAM'}]}
              return deviceList

          def test_Scenario_2_Compliant_User(self):
              iam_client_mock.list_mfa_devices = MagicMock(side_effect=self.constructMFADeviceList)
              ruleParam = '{ "WhitelistedUserList" : "AIDAICVB3PKAQMPEGDW2C"}'
              invokingEvent = build_invoking_event("ResourceDiscovered", "compliantUser", "AIDAIDFOUX2OSRO6DO7XM")
              lambda_event = build_lambda_configurationchange_event(invoking_event=invokingEvent, rule_parameters=ruleParam)
              response = rule.lambda_handler(lambda_event, {})
              resp_expected = []
              resp_expected.append(build_expected_response('COMPLIANT', 'AIDAIDFOUX2OSRO6DO7XM'))
              assert_successful_evaluation(self, response, resp_expected, 1)
  • 34. Scenarios 3 and 4 (methods of Scenario_2_to_5_TestMFA, continued):
          def test_Scenario_3_Non_Compliant_User(self):
              # Mock returns no MFA devices at all
              iam_client_mock.list_mfa_devices = MagicMock(return_value={"MFADevices": []})
              ruleParam = '{ "WhitelistedUserList" : "AIDAICVB3PKAQMPEGDW2C"}'
              invokingEvent = build_invoking_event("ResourceDiscovered", "nonCompliantUser", "AIDAIDFOUX2OSRO6DO7XM")
              lambda_event = build_lambda_configurationchange_event(invoking_event=invokingEvent, rule_parameters=ruleParam)
              response = rule.lambda_handler(lambda_event, {})
              resp_expected = []
              resp_expected.append(build_expected_response('NON_COMPLIANT', 'AIDAIDFOUX2OSRO6DO7XM', annotation='No MFA Device detected'))
              assert_successful_evaluation(self, response, resp_expected, 1)

          def test_Scenario_4_Compliant_User(self):
              iam_client_mock.list_mfa_devices = MagicMock(side_effect=self.constructMFADeviceList)
              invokingEvent = build_invoking_event("ResourceDiscovered", "compliantUser", "AIDAIDFOUX2OSRO6DO7XM")
              # No rule_parameters: WhitelistedUserList is not configured
              lambda_event = build_lambda_configurationchange_event(invoking_event=invokingEvent)
              response = rule.lambda_handler(lambda_event, {})
              resp_expected = []
              resp_expected.append(build_expected_response('COMPLIANT', 'AIDAIDFOUX2OSRO6DO7XM'))
              assert_successful_evaluation(self, response, resp_expected, 1)
  • 35. Scenario 5 (method of Scenario_2_to_5_TestMFA, continued):
          def test_Scenario_5_Non_Compliant_User(self):
              iam_client_mock.list_mfa_devices = MagicMock(return_value={"MFADevices": []})
              invokingEvent = build_invoking_event("ResourceDiscovered", "nonCompliantUser", "AIDAIDFOUX2OSRO6DO7XM")
              lambda_event = build_lambda_configurationchange_event(invoking_event=invokingEvent)
              response = rule.lambda_handler(lambda_event, {})
              resp_expected = []
              resp_expected.append(build_expected_response('NON_COMPLIANT', 'AIDAIDFOUX2OSRO6DO7XM', annotation='No MFA Device detected'))
              assert_successful_evaluation(self, response, resp_expected, 1)
  • 36. IAM_User_MFA_Enabled Custom Rule: Writing the rule
  • 37. Define rule logic:
      def evaluate_compliance(event, configuration_item, valid_rule_parameters):
          ###############################
          # Add your custom logic here. #
          ###############################
          iam_user_name = configuration_item["resourceName"]
          iam_user_id = configuration_item["resourceId"]
          if "WhitelistedUserList" in valid_rule_parameters:
              # Scenario 1: strip whitespace so a list written as "A, B" (as in the test case) still matches
              whitelisted_ids = [u.strip() for u in valid_rule_parameters["WhitelistedUserList"].split(",")]
              if iam_user_id in whitelisted_ids:
                  return build_evaluation_from_config_item(configuration_item, "COMPLIANT", "User is whitelisted")
          # Scenarios 2 to 5: ask IAM whether the user has any MFA device attached
          iam_client = get_client("iam", event)
          result = iam_client.list_mfa_devices(UserName=iam_user_name)
          if result["MFADevices"]:
              return build_evaluation_from_config_item(configuration_item, "COMPLIANT")
          return build_evaluation_from_config_item(configuration_item, "NON_COMPLIANT", "No MFA Device detected")
  • 38. Validate parameter:
      def evaluate_parameters(rule_parameters):
          if 'WhitelistedUserList' in rule_parameters:
              # The key must be the same one evaluate_compliance reads (the slide read 'whitelist' here)
              for user_id in rule_parameters['WhitelistedUserList'].split(","):
                  user_id = user_id.strip()
                  if not user_id.isalnum():
                      raise ValueError("User ID's should be alphanumeric.")
                  if not user_id.startswith("AIDA"):
                      raise ValueError("User ID's should start with the string 'AIDA'")
          valid_rule_parameters = rule_parameters
          return valid_rule_parameters
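The five scenarios of slides 22-23 and the rule logic of slides 37-38, as an added stand-alone example that is not the deck's RDK code: the same whitelist check and MFA decision written as plain functions and run offline against a constructed fake IAM client. The user names, the AIDAEXAMPLE... user IDs and the 111122223333 account ID are constructed placeholders, and the whitelist string deliberately carries a space after the comma, as the deck's own test case does.

```python
def parse_whitelist(rule_parameters):
    """Validate the optional WhitelistedUserList parameter; return the set of user IDs."""
    raw = rule_parameters.get("WhitelistedUserList")
    if raw is None:                      # parameter is optional (scenarios 4 and 5)
        return set()
    user_ids = {u.strip() for u in raw.split(",") if u.strip()}
    for user_id in user_ids:             # same checks as the deck's evaluate_parameters
        if not user_id.isalnum() or not user_id.startswith("AIDA"):
            raise ValueError("User IDs must be alphanumeric and start with 'AIDA': %r" % user_id)
    return user_ids


def evaluate_user(configuration_item, whitelist, iam_client):
    """Return (compliance_type, annotation) for one AWS::IAM::User configuration item."""
    if configuration_item["resourceId"] in whitelist:                 # scenario 1
        return "COMPLIANT", "User is whitelisted"
    devices = iam_client.list_mfa_devices(UserName=configuration_item["resourceName"])
    if devices["MFADevices"]:                                         # scenarios 2 and 4
        return "COMPLIANT", None
    return "NON_COMPLIANT", "No MFA Device detected"                  # scenarios 3 and 5


class FakeIamClient:
    """Constructed stand-in for the boto3 IAM client; only list_mfa_devices is implemented."""
    def __init__(self, users_with_mfa):
        self.users_with_mfa = set(users_with_mfa)

    def list_mfa_devices(self, UserName):
        if UserName not in self.users_with_mfa:
            return {"MFADevices": []}
        serial = "arn:aws:iam::111122223333:mfa/" + UserName   # placeholder account ID
        return {"MFADevices": [{"UserName": UserName, "SerialNumber": serial}]}


def run_scenarios():
    """Evaluate the deck's scenarios 1-5; returns {scenario_number: compliance_type}."""
    iam = FakeIamClient(users_with_mfa={"alice"})   # constructed: only alice has MFA
    alice = {"resourceId": "AIDAEXAMPLE0000000001", "resourceName": "alice"}
    bob = {"resourceId": "AIDAEXAMPLE0000000002", "resourceName": "bob"}
    carol = {"resourceId": "AIDAEXAMPLE0000000003", "resourceName": "carol"}
    with_list = parse_whitelist({"WhitelistedUserList": "AIDAEXAMPLE0000000002, AIDAEXAMPLE0000000009"})
    no_list = parse_whitelist({})
    return {
        1: evaluate_user(bob, with_list, iam)[0],     # whitelisted, no MFA -> COMPLIANT
        2: evaluate_user(alice, with_list, iam)[0],   # not whitelisted, has MFA -> COMPLIANT
        3: evaluate_user(carol, with_list, iam)[0],   # not whitelisted, no MFA -> NON_COMPLIANT
        4: evaluate_user(alice, no_list, iam)[0],     # no list, has MFA -> COMPLIANT
        5: evaluate_user(bob, no_list, iam)[0],       # no list, no MFA -> NON_COMPLIANT
    }
```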
  • 39. Demo - Config Rule Deploy
  • 40. Secure Multi-account Deployments: Account Structure, IAM Roles, and Deployment Methods
  • 41. Multi-Account Structure for Secure Deployment
      [diagram: a SecOps Publisher Account hosts the Rule X and Rule Y Lambda functions; App Account A and App Account B each define Config Rule X and Config Rule Y that invoke those functions]
  • 42-43. Cross-Account IAM Roles
      [diagram: the same structure, with a Lambda Role in the SecOps Publisher Account and a Config Service Role in each App Account]
  • 44. Cross-Account IAM Roles
      Permissions include List and Describe on resources, along with: "s3:PutObject*", "sns:Publish", "config:Put*", "config:Get*", "config:List*", "config:Describe*"
  • 45-47. Deployment Using CloudFormation StackSets
      [diagram: a Rule X StackSet and a Rule Y StackSet in the SecOps Publisher Account, driven by a StackSet Admin Role, with a StackSet Execution Role in each App Account]
  • 48. Continuous Compliance
      Security Requirements -> Design -> Build & Test -> Deploy -> Analyse -> Respond
  • 49. Summary
      • Use AWS Config and Custom Config Rules to transform your compliance to code
      • Implement Behaviour Driven Development to help easily define business requirements as security controls
      • Fast-track Config Rules development using the Rules Development Kit (RDK)
      • Isolate Config Rule Lambda functions in a SecOps Account for secure scaled deployments
  • 50. Q&A
      Presenter: Raisa Hashem
      Q&A Speakers: Aparna Elangovan, Paul Hawkins
      Thank you!