Pop-up Loft
Secure configuration and automation overview
Brad Dispensa,
Specialist SA, Security & Compliance
Secure development and automation
How do I do this and what tools do I use?
© 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved.
Security Engineering – Then and Now
But, do I have to?...
Cost, Scale, Reliability/Repeatability
AWS Security Automation Toolbox
Audit / Visibility / Protection / Automation:
• AWS CloudTrail
• Amazon CloudWatch
• AWS Systems Manager
• AWS Config
• AWS CodePipeline
• AWS WAF
• AWS KMS
• AWS Trusted Advisor
• AWS CloudFormation
• AWS Organizations
• AWS Lambda
• Amazon Inspector
AWS CloudTrail
You are making API calls on a growing set of AWS services around the world, and CloudTrail is continuously recording those API calls.
• Store/Archive
• Troubleshoot
• Monitor & Alarm
AWS Config and Config Rules
• A continuous recording and continuous assessment service.
Changing resources are recorded by AWS Config as normalized history and snapshots, evaluated by Config Rules, and surfaced through notifications and API access.
Answers the questions:
• How are my resources configured over time?
• Is a change that just occurred to a resource compliant?
Amazon CloudWatch Events
Sources: AWS APIs, service events, custom events
Events: time-based (scheduled) or event-based
Rules (including custom rules) route matching events to targets
AWS Systems Manager Components
• Run Command
• State Manager
• Inventory
• Maintenance Window
• Patch Manager
• Automation
• Parameter Store
• Documents
CloudFormation – Components & Technology
Template: JSON formatted file; parameter definition; resource creation; configuration actions
Stack: configured AWS resources; comprehensive service support; service event aware; customizable
Framework: stack creation; stack updates; error detection and rollback
Security at Every Stage
DevOps = Efficiencies that speed up this lifecycle
DevSecOps = Validate building blocks without slowing lifecycle
Lifecycle: plan, build, test, release, monitor (a delivery pipeline from developers to customers, with a feedback loop back). Security applies at every stage.
DevSecOps Pipeline #1
Developers commit a CloudFormation template to AWS CodeCommit (or S3/GitHub). AWS CodePipeline invokes AWS Lambda (or AWS CodeBuild) to check the template against policy: a FAIL goes back to the developers, a PASS lets CodePipeline create the CloudFormation stack.
DevSecOps Pipeline #2
https://aws.amazon.com/blogs/devops/implementing-devsecops-using-aws-codepipeline/
CodePipeline stages (DevOps push/pull via S3):
• Commit Stage: Static Code Analysis (Lambda)
• Test Stage: Stack Validation (Lambda): Create Stack, Delete Stack
• Production Stage: Approve Stack, Create ChangeSet, Execute ChangeSet
DevSecOps Pipeline #3
https://aws.amazon.com/answers/devops/aws-cloudformation-validation-pipeline/
CodePipeline stages (DevOps push/pull via CodeCommit):
• Pre-create: Pre-create Lambda; CodeBuild / cfn-nag
• Stack creation: Create stacks (CloudFormation)
• Post-create: Post-create Lambda; SNS notification
• Deploy: Deploy Lambda; S3 bucket; Manual Approval
Security Automation Output Patterns
Inputs: Amazon CloudWatch, AWS CloudTrail, VPC Flow logs, AWS Config
Processing: Lambda function
Outputs: AWS APIs, AWS WAF, team collaboration (Slack etc.)
Patterns: Detection, Alerting, Remediation, Countermeasures, Forensics
Post deployment configuration
We’re in prod… now what?
GuardDuty Threat Detection and Notification
GuardDuty Account Relationships
• Adding accounts to the service is simple and done via the console or API.
• Invites accepted from an account will be designated as “Member” accounts. The requestor will be the “Master” account.
Master Account, with Member Account 1 through Member Account 1000 (max).
The Master Account can do the following to ALL accounts:
• Generate Sample Findings
• Configure and View/Manage Findings
• Suspend GuardDuty Service
• Upload and Manage Trusted IP and Threat IP Lists (coming soon!)
It can only disable its own account; member accounts must all be removed first, and by the member account.
Member account actions and visibility are limited to the member account.
Each account is billed separately.
GuardDuty Findings: Console / API
AWS Management Console: quickly see threat information including:
• Severity
• Region
• Count/Frequency
• Threat Type
• Affected Resource
• Source Information
• Viewable via CloudWatch Events
API / JSON format: export finding data for further analysis including:
• Ingest into SIEM
• Data Enrichment
• Programmatic Response
• Additional Information
• ARN
• Span of Time
• Resource Info
GuardDuty Finding: Details
Finding type format: ThreatPurpose:ResourceTypeAffected/ThreatFamilyName.ThreatFamilyVariant!Artifact
Example: CryptoCurrency:EC2/BitcoinTool.B!DNS
Meaning: “An EC2 instance is communicating with a known Bitcoin IP address that is part of a known Bitcoin domain”
GuardDuty Findings: Threat Purpose Details
Describes the primary purpose of the threat. Available at launch, more coming!
• Backdoor: resource compromised and capable of contacting its source home
• Behavior: activity that differs from the established baseline
• Crypto Currency: detected software associated with cryptocurrencies
• Pentest: activity detected similar to that generated by known pen testing tools
• Recon: attack scoping vulnerabilities by probing ports, listening, database tables, etc.
• Stealth: attack trying to hide actions / tracks
• Trojan: program detected carrying out suspicious activity
• Unauthorized Access: suspicious activity / pattern by an unauthorized user
GuardDuty Findings: CloudWatch Events (CWE)
• GuardDuty aggregates all changes to findings that take place in five-minute intervals into a single event.
• CloudWatch Events can be graphed, stored, exported, and further analyzed.
[Figure: Example GuardDuty-related CloudWatch Event]
GuardDuty Findings: Severity Levels
LOW: Suspicious or malicious activity blocked before it compromised a resource.
Suggestion:
• No immediate recommended steps – but take note of the info as something to address in the future
MEDIUM: Suspicious activity deviating from normally observed behavior.
Suggestion: Investigate Further
• Check new software that changed the behavior of a resource
• Check changes to settings
• AV scan on resource (detect unauthorized software)
• Examine permissions attached to IAM entity implicated
HIGH: Resource compromised and actively being used for unauthorized purpose.
Suggestion: Take Immediate Action(s)
• Terminate instance(s)
• Rotate IAM access keys
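As an added example (not code from the deck), a Python triage helper that parses the finding type layout shown on the Details slide and applies this slide's severity table to a finding delivered via CloudWatch Events. The numeric bands (0.1 to 3.9 Low, 4.0 to 6.9 Medium, 7.0 and above High) come from the GuardDuty documentation rather than the slide, and the sample event is constructed.

```python
import re
from typing import Any, Dict, List, NamedTuple, Optional

# Finding type layout from the slide:
#   ThreatPurpose:ResourceTypeAffected/ThreatFamilyName.ThreatFamilyVariant!Artifact
# The variant and artifact parts are optional; many real types carry neither.
FINDING_TYPE_RE = re.compile(
    r"^(?P<purpose>[A-Za-z]+):(?P<resource>[A-Za-z0-9]+)/(?P<family>[A-Za-z0-9]+)"
    r"(?:\.(?P<variant>[A-Za-z0-9]+))?(?:!(?P<artifact>[A-Za-z0-9]+))?$"
)


class FindingType(NamedTuple):
    purpose: str
    resource: str
    family: str
    variant: Optional[str]
    artifact: Optional[str]


def parse_finding_type(finding_type: str) -> FindingType:
    """Split a GuardDuty finding type string into its named parts."""
    m = FINDING_TYPE_RE.match(finding_type)
    if not m:
        raise ValueError(f"unrecognised finding type: {finding_type!r}")
    return FindingType(**m.groupdict())


# Numeric severity bands from the GuardDuty documentation (not on the slide).
SEVERITY_BANDS = ((7.0, "HIGH"), (4.0, "MEDIUM"), (0.1, "LOW"))

# Suggested next steps per severity, taken from the severity-levels slide.
SUGGESTIONS: Dict[str, List[str]] = {
    "LOW": ["No immediate recommended steps; note the info as something to address later"],
    "MEDIUM": [
        "Check new software that changed the behavior of the resource",
        "Check changes to settings",
        "AV scan on the resource (detect unauthorized software)",
        "Examine permissions attached to the IAM entity implicated",
    ],
    "HIGH": ["Terminate instance(s)", "Rotate IAM access keys"],
}


def severity_label(severity: float) -> str:
    """Map GuardDuty's numeric severity onto the LOW/MEDIUM/HIGH labels."""
    for floor, label in SEVERITY_BANDS:
        if severity >= floor:
            return label
    raise ValueError(f"severity {severity} is outside GuardDuty's range")


def triage(event: Dict[str, Any]) -> Optional[Dict[str, Any]]:
    """Turn a GuardDuty finding delivered via CloudWatch Events into a triage record.

    Returns None for events that are not GuardDuty findings, so the same
    handler can sit behind a broader rule without acting on other events.
    """
    if event.get("detail-type") != "GuardDuty Finding":
        return None
    detail = event["detail"]
    parts = parse_finding_type(detail["type"])
    label = severity_label(float(detail["severity"]))
    return {
        "severity": label,
        "purpose": parts.purpose,
        "resource_type": parts.resource,
        "family": parts.family,
        "variant": parts.variant,
        "artifact": parts.artifact,
        "account": detail.get("accountId"),
        "region": detail.get("region"),
        "suggestions": SUGGESTIONS[label],
    }


# Constructed sample event (not captured from a real account): the example
# finding from the slide, wrapped in the CloudWatch Events envelope.
SAMPLE_FINDING_EVENT = {
    "version": "0",
    "detail-type": "GuardDuty Finding",
    "source": "aws.guardduty",
    "detail": {
        "type": "CryptoCurrency:EC2/BitcoinTool.B!DNS",
        "severity": 8,
        "accountId": "123456789012",
        "region": "us-east-1",
        "resource": {"resourceType": "Instance"},
    },
}

if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_FINDING_EVENT), indent=2))
```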
Things you don’t need to hear any more: “I need to make a change, I’ll SSH in and…”
Safe and secure ops at scale without SSH/RDP
• Remotely manage thousands of Windows and Linux instances running on Amazon EC2 or on-premises
• Control user actions and scope with secure, granular access control
• Safely execute changes with rate control to reduce blast radius
• Audit every user action with change tracking
Role-based access control for the IT Admin / DevOps Engineer, across the AWS cloud and the corporate data center
Store and retrieve configuration secrets
• Store any configuration data or parameter in hierarchies with RBAC
• Option to encrypt secret data like passwords using KMS
• Enforce password policies using parameter lifetime and change notifications
• Use across AWS services such as Lambda, AWS CodeDeploy, and ECS
Parameter Store holds the secrets; instances retrieve them and receive change notifications.
No more storing secrets in plain text!
Move choice away from humans
Automation of security binaries
Amazon CloudWatch Events: event (event-based)
AWS re:Invent 2016: Automating Security Event Response, from Idea to Code to Execution (SEC313) https://youtu.be/x4GkAGe65vE
Adversary vs. Responder
• Adversary: calls cloudtrail:StopLogging
• CloudTrail records the call, and CloudWatch Events matches it with this rule pattern:
{
  "detail-type": [ "AWS API Call via CloudTrail" ],
  "detail": {
    "eventSource": [ "cloudtrail.amazonaws.com" ],
    "eventName": [ "StopLogging" ]
  }
}
• Responder: calls cloudtrail.start_logging
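The responder half of this exchange as an added Python example (not the session's code): it re-checks the rule pattern above against the delivered event, pulls the trail named in the StopLogging request, and calls start_logging on it. The event is a constructed sample with placeholder account, user and trail names, and the boto3 client is injected so the logic can be exercised without the SDK.

```python
from collections.abc import Mapping
from typing import Any, Dict

# The CloudWatch Events rule pattern from the slide, reproduced here as data.
RULE_PATTERN: Dict[str, Any] = {
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {
        "eventSource": ["cloudtrail.amazonaws.com"],
        "eventName": ["StopLogging"],
    },
}


def matches_pattern(event: Mapping, pattern: Mapping) -> bool:
    """The subset of CloudWatch Events pattern semantics this rule needs:
    every key in the pattern must be present in the event, a list means
    "the event's value is one of these", and a nested dict recurses."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        actual = event[key]
        if isinstance(expected, dict):
            if not isinstance(actual, Mapping) or not matches_pattern(actual, expected):
                return False
        elif actual not in expected:
            return False
    return True


def respond(event: Mapping, cloudtrail_client: Any) -> Dict[str, Any]:
    """Re-enable the trail an adversary just stopped.

    cloudtrail_client only needs a start_logging(Name=...) method, so a
    stand-in can be passed for testing; in Lambda it is a boto3 client.
    """
    if not matches_pattern(event, RULE_PATTERN):
        return {"action": "ignored"}
    detail = event["detail"]
    # CloudTrail records the StopLogging call's trail name or ARN under
    # requestParameters.name; the responder re-enables exactly that trail.
    trail = detail["requestParameters"]["name"]
    actor = detail.get("userIdentity", {}).get("arn", "unknown")
    cloudtrail_client.start_logging(Name=trail)
    return {"action": "start_logging", "trail": trail, "actor": actor}


def lambda_handler(event: Dict[str, Any], context: Any) -> Dict[str, Any]:
    import boto3  # imported here so the matching logic runs without the SDK installed
    return respond(event, boto3.client("cloudtrail"))


# Constructed sample of what the rule delivers to its Lambda target. Account,
# user and trail names are placeholders, not captured data.
SAMPLE_STOP_LOGGING_EVENT = {
    "version": "0",
    "detail-type": "AWS API Call via CloudTrail",
    "source": "aws.cloudtrail",
    "account": "123456789012",
    "region": "us-east-1",
    "detail": {
        "eventSource": "cloudtrail.amazonaws.com",
        "eventName": "StopLogging",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/example-user"},
        "requestParameters": {"name": "arn:aws:cloudtrail:us-east-1:123456789012:trail/example-trail"},
    },
}


class RecordingCloudTrail:
    """Stand-in for the boto3 client that records the calls it receives."""

    def __init__(self) -> None:
        self.calls = []

    def start_logging(self, **kwargs: Any) -> Dict[str, Any]:
        self.calls.append(kwargs)
        return {}


if __name__ == "__main__":
    client = RecordingCloudTrail()
    print(respond(SAMPLE_STOP_LOGGING_EVENT, client), client.calls)
```

The Lambda's execution role needs only cloudtrail:StartLogging on that trail, and the rule should also alert a human, since the adversary's own identity is in userIdentity and re-enabling logging does not remove their access.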
Permission review
The role has temporary admin privileges, but we’ll fix that later…
Analyze Security, Compliance, and Operational Activity Using AWS CloudTrail and Amazon Athena
Sai Sriparasa and Bob O'Dell
Access Advisor is cool, but today it’s GUI access only…
Query CloudTrail data for the target user or role with Athena:
SELECT
  useridentity.sessioncontext.sessionIssuer.userName AS uid,
  eventsource,
  eventname
FROM cloudtrail_logs
WHERE useridentity.sessioncontext.sessionIssuer.userName = 'target-name'
GROUP BY
  useridentity.sessioncontext.sessionIssuer.userName,
  eventsource,
  eventname
https://github.com/Netflix-Skunkworks/aardvark
https://github.com/Netflix/Repokid
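As an added example (not from the deck or from Aardvark/Repokid), the step that follows the Athena query: take its (uid, eventsource, eventname) rows, map them to IAM action names, and compare them with the Allow statements in the role's policy to find grants that were never exercised and wildcards that can be narrowed. The rows, the policy and the service-prefix override table are constructed.

```python
import fnmatch
from typing import Any, Dict, Iterable, List, Tuple

# Constructed rows in the shape the Athena query above returns:
# (uid, eventsource, eventname). Made up for the example, not real log data.
OBSERVED_ROWS = [
    ("target-name", "ec2.amazonaws.com", "DescribeInstances"),
    ("target-name", "ec2.amazonaws.com", "DescribeInstances"),
    ("target-name", "s3.amazonaws.com", "ListBuckets"),
    ("target-name", "monitoring.amazonaws.com", "PutMetricData"),
    ("other-role", "iam.amazonaws.com", "CreateUser"),
]

# Constructed policy attached to the role under review: the "temporary admin"
# grant from the slide, written out as explicit statements.
ATTACHED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["ec2:Describe*"], "Resource": "*"},
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
        {"Effect": "Allow", "Action": "cloudwatch:PutMetricData", "Resource": "*"},
        {"Effect": "Allow", "Action": "iam:*", "Resource": "*"},
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
    ],
}

# Services whose CloudTrail eventSource prefix differs from the IAM action
# prefix. Only one entry here; extend the table for the services you use.
SERVICE_PREFIX_OVERRIDES = {"monitoring": "cloudwatch"}


def to_iam_action(eventsource: str, eventname: str) -> str:
    """Map a CloudTrail (eventSource, eventName) pair to an IAM action string."""
    service = eventsource.split(".")[0]
    return f"{SERVICE_PREFIX_OVERRIDES.get(service, service)}:{eventname}"


def used_actions(rows: Iterable[Tuple[str, str, str]], uid: str) -> List[str]:
    """Distinct IAM actions the given user or role actually exercised."""
    return sorted({to_iam_action(src, name) for u, src, name in rows if u == uid})


def action_matches(pattern: str, action: str) -> bool:
    # IAM action matching is case-insensitive; '*' is the wildcard that matters here.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def review(policy: Dict[str, Any], rows: Iterable[Tuple[str, str, str]], uid: str) -> Dict[str, Any]:
    """Compare granted Allow actions against observed use.

    unexercised: (statement index, action pattern) pairs that matched nothing
    in the logs; candidates for removal.
    overbroad: wildcard patterns that were used, with the exact actions seen,
    so the wildcard can be replaced by that list.
    """
    used = used_actions(rows, uid)
    unexercised, overbroad = [], []
    for idx, stmt in enumerate(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt["Action"]
        if isinstance(actions, str):
            actions = [actions]
        for pattern in actions:
            hits = [a for a in used if action_matches(pattern, a)]
            if not hits:
                unexercised.append((idx, pattern))
            elif "*" in pattern:
                overbroad.append((idx, pattern, hits))
    return {"used": used, "unexercised": unexercised, "overbroad": overbroad}


def minimal_policy(used: List[str]) -> Dict[str, Any]:
    """Least-privilege replacement listing only the observed actions. Resource
    scoping still has to be done by hand: eventName alone does not say which
    resources were touched."""
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": used, "Resource": "*"}]}


if __name__ == "__main__":
    import json
    report = review(ATTACHED_POLICY, OBSERVED_ROWS, "target-name")
    print(json.dumps(report, indent=2))
    print(json.dumps(minimal_policy(report["used"]), indent=2))
```

Absence from CloudTrail over the queried window is evidence, not proof: data events such as S3 object reads are not logged by default, and rarely used break-glass permissions will look unexercised.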
Pop-up Loft
aws.amazon.com/activate
Everything and Anything Startups
Need to Get Started on AWS

 
How to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckHow to Build a Winning Pitch Deck
How to Build a Winning Pitch Deck
 
Building a web application without servers
Building a web application without serversBuilding a web application without servers
Building a web application without servers
 
Fundraising Essentials
Fundraising EssentialsFundraising Essentials
Fundraising Essentials
 
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
 
Introduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceIntroduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container Service
 

Secure Configuration and Automation Overview

  • 1. Pop-up Loft Secure configuration and automation overview Brad Dispensa, Specialist SA, Security & Compliance
  • 2. Secure development and automation How do I do this and what tools do I use?
  • 3. © 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved. Security Engineering – Then and Now
  • 4. But, do I have to?... Cost, Scale, Reliability/Repeatability
  • 5. AWS Security Automation Toolbox Audit Visibility Protection Automation AWS CloudTrail Amazon CloudWatch AWS Systems Manager AWS Config AWS CodePipeline AWS WAF AWS KMS AWS Trusted Advisor AWS CloudFormation AWS Organizations AWS Lambda Amazon Inspector
  • 6. AWS CloudTrail Store/Archive Troubleshoot Monitor & Alarm You are making API calls... On a growing set of AWS services around the world... CloudTrail is continuously recording API calls
  • 7. AWS Config and Config Rules • A continuous recording and continuous assessment service. Changing resources AWS Config Config Rules History, Snapshot Notifications API Access Normalized Answer the questions: How are my resources configured over time? Is a change that just occurred to a resource compliant?
  • 8. Amazon CloudWatch Events AWS APIs Custom Events Service Events AWS APIs event (time-based) event (event-based) Custom Rules Targets
  • 9. AWS Systems Manager Components Run Command State Manager Inventory Maintenance Window Patch Manager Automation Parameter Store Documents
  • 10. CloudFormation – Components & Technology Template CloudFormation Stack JSON formatted file Parameter definition Resource creation Configuration actions Configured AWS resources Comprehensive service support Service event aware Customizable Framework Stack creation Stack updates Error detection and rollback
  • 11. Security at Every Stage DevOps = Efficiencies that speed up this lifecycle DevSecOps = Validate building blocks without slowing lifecycle Developers Customers plan build test release monitor Delivery pipeline Feedback loop Security
  • 12. DevSecOps Pipeline #1 AWS Lambda (or AWS CodeBuild) AWS CodeCommit (or S3/GitHub) AWS CodePipeline AWS CodePipeline Developer commits CloudFormation Policy FAIL PASS Developers Stack
  • 13. DevSecOps Pipeline #2 https://aws.amazon.com/blogs/devops/implementing-devsecops-using-aws-codepipeline/ CodePipeline Commit Stage Test Stage Production Stage Static Code Analysis Lambda Stack Validation Lambda Create Stack Delete Stack Approve Stack Create ChangeSet Execute ChangeSet DevOps S3 Push/Pull
  • 14. DevSecOps Pipeline #3 https://aws.amazon.com/answers/devops/aws-cloudformation-validation-pipeline/ CodePipeline DevOps Push/Pull CodeCommit Pre-create Pre-create Lambda CodeBuild / cfn-nag Stack creation Create stacks CloudFormation Post-create Post-create Lambda SNS notification Deploy Deploy Lambda S3 bucket Manual Approval
  • 15. Security Automation Output Patterns Amazon CloudWatch AWS CloudTrail VPC Flow logs AWS Config Lambda function AWS APIs AWS WAF Team collaboration (Slack etc.) Detection Alerting Remediation Countermeasures Forensics
  • 17. GuardDuty Threat Detection and Notification
  • 18. GuardDuty Account Relationships • Adding accounts to the services is simple and done via the console or API. • Invites accepted from an account will be designated as “Member” accounts. The requestor will be the “Master” account. Member Account 1 … Member Account 1000 (max) Master Account Can Do the Following to ALL accounts: • Generate Sample Findings • Configure and View/Manage Findings • Suspend GuardDuty Service • Upload and Manage Trusted IP and Threat IP Lists (coming soon!) Can only disable own account. Member accounts must all be removed first and by the member account. Member Account Actions and Visibility is Limited to the Member Account. Each Account Billed Separately.
  • 19. GuardDuty Findings: Console / API AWS Management Console API / JSON Format Quickly See Threat Information Including: • Severity • Region • Count/Frequency • Threat Type • Affected Resource • Source Information • Viewable via CloudWatch Events Export Finding Data for Further Analysis Including: • Ingest into SIEM • Data Enrichment • Programmatic Response • Additional Information • ARN • Span of Time • Resource Info
  • 20. GuardDuty Finding: Details Finding type format: ThreatPurpose:ResourceTypeAffected/ThreatFamilyName.ThreatFamilyVariant!Artifact Example: CryptoCurrency:EC2/BitcoinTool.B!DNS Meaning: “An EC2 instance is communicating with a known Bitcoin IP address that is part of a known Bitcoin domain”
  • 21. GuardDuty Findings: Threat Purpose Details • Backdoor: resource compromised and capable of contacting source home • Behavior: activity that differs from established baseline • Crypto Currency: detected software associated with Crypto currencies • Pentest: activity detected similar to that generated by known pen testing tools • Recon: attack scoping vulnerabilities by probing ports, listening, database tables, etc. • Stealth: attack trying to hide actions / tracks • Trojan: program detected carrying out suspicious activity • Unauthorized Access: suspicious activity / pattern by unauthorized user Describes the primary purpose of the threat. Available at launch, more coming!
  • 22. GuardDuty Findings: CloudWatch Events (CWE) • GuardDuty aggregates all changes to findings that take place in five-minute intervals into a single event. • CloudWatch Events can be graphed, stored, exported, and further analyzed. Example GuardDuty Related CloudWatch Event
  • 23. GuardDuty Findings: Severity Levels LOW: Suspicious or malicious activity blocked before it compromised a resource. Suggestion: Take Immediate Action(s) • No immediate recommended steps – but take note of info as something to address in the future. MEDIUM: Suspicious activity deviating from normally observed behavior. Suggestion: Investigate Further • Check new software that changed the behavior of a resource • Check changes to settings • AV scan on resource (detect unauthorized software) • Examine permissions attached to IAM entity implicated. HIGH: Resource compromised and actively being used for unauthorized purpose. Suggestion: Take Immediate Action(s) • Terminate instance(s) • Rotate IAM access keys
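Slides 19 to 23 describe what a GuardDuty finding carries (finding type, severity, region, count, affected resource) and what the deck suggests per severity band. The following is an added example, not code from the deck or from AWS: it takes a GuardDuty finding delivered as a CloudWatch Event, splits the finding type into the parts named on slide 20, maps the numeric severity to the LOW/MEDIUM/HIGH bands and attaches the playbook from slide 23. The event, account id, detector and finding ids and instance id are constructed placeholders; the `triage`, `playbook` and `severity_label` names are this example's own.

```python
"""Triage a GuardDuty finding delivered as a CloudWatch Event.

Added example: the event and its identifiers are constructed to follow the
GuardDuty finding shape; nothing here is taken from the deck's own code.
"""
import re

# ThreatPurpose:ResourceTypeAffected/ThreatFamilyName.ThreatFamilyVariant!Artifact
# The variant and artifact parts are optional in real finding types.
FINDING_TYPE_RE = re.compile(
    r"^(?P<purpose>[A-Za-z]+):(?P<resource>[A-Za-z0-9]+)/"
    r"(?P<family>[A-Za-z0-9]+)(?:\.(?P<variant>[A-Za-z0-9]+))?"
    r"(?:!(?P<artifact>[A-Za-z0-9]+))?$"
)


def parse_finding_type(finding_type):
    """Split a finding type string into its named parts (None when absent)."""
    match = FINDING_TYPE_RE.match(finding_type)
    if not match:
        raise ValueError(f"unrecognised finding type: {finding_type!r}")
    return match.groupdict()


def severity_label(severity):
    """Map GuardDuty's numeric severity to the deck's three bands.

    GuardDuty documents 1.0-3.9 as Low, 4.0-6.9 as Medium and 7.0-8.9 as
    High; anything at 7.0 or above is treated as HIGH here.
    """
    if severity >= 7.0:
        return "HIGH"
    if severity >= 4.0:
        return "MEDIUM"
    if severity >= 1.0:
        return "LOW"
    raise ValueError(f"severity out of range: {severity}")


def playbook(label, resource):
    """Return the suggested steps from slide 23 for this band and resource."""
    if label == "HIGH":
        if resource.get("resourceType") == "Instance":
            instance_id = resource["instanceDetails"]["instanceId"]
            return [f"terminate instance {instance_id}"]
        if resource.get("resourceType") == "AccessKey":
            user = resource["accessKeyDetails"]["userName"]
            return [f"rotate IAM access keys for {user}"]
        return ["take immediate action on the affected resource"]
    if label == "MEDIUM":
        return [
            "check for new software that changed the resource's behavior",
            "check recent changes to settings",
            "run an AV scan on the resource",
            "examine permissions attached to the implicated IAM entity",
        ]
    return ["no immediate step; record the finding for later follow-up"]


def triage(event):
    """Reduce a GuardDuty CloudWatch Event to the fields slide 19 lists plus a playbook."""
    if event.get("detail-type") != "GuardDuty Finding":
        raise ValueError("not a GuardDuty finding event")
    finding = event["detail"]
    label = severity_label(float(finding["severity"]))
    parts = parse_finding_type(finding["type"])
    return {
        "severity": label,
        "region": finding["region"],
        "count": finding["service"]["count"],
        "threat_purpose": parts["purpose"],
        "affected_resource": parts["resource"],
        "arn": finding["arn"],
        "playbook": playbook(label, finding["resource"]),
    }


# Constructed event in the GuardDuty finding shape (account, ids and ARN are placeholders).
SAMPLE_EVENT = {
    "detail-type": "GuardDuty Finding",
    "source": "aws.guardduty",
    "detail": {
        "arn": "arn:aws:guardduty:us-east-1:111122223333:detector/EXAMPLEDETECTOR/finding/EXAMPLEFINDING",
        "type": "CryptoCurrency:EC2/BitcoinTool.B!DNS",
        "region": "us-east-1",
        "severity": 8,
        "resource": {"resourceType": "Instance", "instanceDetails": {"instanceId": "i-0123456789abcdef0"}},
        "service": {"count": 3, "action": {"actionType": "DNS_REQUEST"}},
    },
}

if __name__ == "__main__":
    print(triage(SAMPLE_EVENT))
```

Because GuardDuty folds all changes to a finding within a five-minute window into one event (slide 22), `service.count` is the right field to read for frequency rather than counting events received.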
  • 24. “I need to make a change, I’ll SSH in and…” Things you don’t need to hear any more
  • 25. Safe and secure ops at scale without SSH/RDP • Remotely manage thousands of Windows and Linux instances running on Amazon EC2 or on-premises • Control user actions and scope with secure, granular access control • Safely execute changes with rate control to reduce blast radius • Audit every user action with change tracking AWS cloud corporate data center IT Admin, DevOps Engineer Role-based Access Control
  • 26. Store and retrieve configuration secrets • Store any configuration data or parameter in hierarchies with RBAC • Option to encrypt secret data like passwords using KMS • Enforce password policies using parameter lifetime and change notifications • Use across AWS services such as Lambda, AWS CodeDeploy, and ECS parameter store instances secrets Change Notification No more storing secrets in plain text!
  • 27. Move choice away from humans Automation of security binaries
  • 28. event (event-based) Amazon CloudWatch AWS re:Invent 2016: Automating Security Event Response, from Idea to Code to Execution (SEC313) https://youtu.be/x4GkAGe65vE Adversary Responder
  • 30. CloudWatch Events event Adversary { "detail-type": [ "AWS API Call via CloudTrail" ], "detail": { "eventSource": [ "cloudtrail.amazonaws.com" ], "eventName": [ "StopLogging" ] } }
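The rule pattern on slide 30 only selects the event; the responder from slide 28 has to decide what to do with it. The following is an added example, not code from the deck or from AWS: it implements the subset of CloudWatch Events pattern matching the slide relies on (each pattern key lists the accepted literal values, a nested dict recurses into the matching event field) and a responder that re-enables the trail named in a `StopLogging` event. The CloudTrail `StartLogging(Name=...)` API call is real; the `FakeCloudTrail` client standing in for a boto3 client, the event, account id and trail ARN are constructed for the example.

```python
"""Match the CloudWatch Events rule from slide 30 and respond to StopLogging.

Added example; the event, trail ARN and the stand-in client are constructed.
"""

# The event pattern from slide 30, as a Python dict.
STOP_LOGGING_PATTERN = {
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {
        "eventSource": ["cloudtrail.amazonaws.com"],
        "eventName": ["StopLogging"],
    },
}


def matches(pattern, event):
    """Return True when `event` satisfies `pattern`.

    Literal-value subset of CloudWatch Events matching: every key in the
    pattern must exist in the event; a list in the pattern is the set of
    accepted values for that key; a nested dict recurses.
    """
    for key, expected in pattern.items():
        if key not in event:
            return False
        actual = event[key]
        if isinstance(expected, dict):
            if not isinstance(actual, dict) or not matches(expected, actual):
                return False
        else:
            # The event value may itself be a list; any overlap is a match.
            candidates = actual if isinstance(actual, list) else [actual]
            if not any(value in expected for value in candidates):
                return False
    return True


class FakeCloudTrail:
    """Stand-in for boto3.client("cloudtrail") so the example runs offline.

    Records the StartLogging calls the responder makes instead of issuing them.
    """

    def __init__(self):
        self.started = []

    def start_logging(self, Name):
        self.started.append(Name)
        return {"ResponseMetadata": {"HTTPStatusCode": 200}}


def respond_to_stop_logging(event, cloudtrail):
    """Re-enable a trail that an API caller stopped.

    Returns a record of what was done so it can be logged or posted to the
    team channel (the alerting and remediation outputs of slide 15).
    """
    if not matches(STOP_LOGGING_PATTERN, event):
        return {"action": "ignored", "reason": "event does not match rule"}
    detail = event["detail"]
    # StopLogging carries the trail name or ARN in requestParameters.name.
    trail = detail.get("requestParameters", {}).get("name")
    actor = detail.get("userIdentity", {}).get("arn", "unknown")
    if not trail:
        return {"action": "alert-only", "reason": "no trail in request", "actor": actor}
    cloudtrail.start_logging(Name=trail)
    return {"action": "StartLogging", "trail": trail, "actor": actor}


# Constructed event in the shape CloudWatch Events delivers for CloudTrail API calls.
SAMPLE_EVENT = {
    "detail-type": "AWS API Call via CloudTrail",
    "source": "aws.cloudtrail",
    "detail": {
        "eventSource": "cloudtrail.amazonaws.com",
        "eventName": "StopLogging",
        "userIdentity": {"arn": "arn:aws:iam::111122223333:user/example-user"},
        "requestParameters": {
            "name": "arn:aws:cloudtrail:us-east-1:111122223333:trail/example-trail"
        },
    },
}

if __name__ == "__main__":
    client = FakeCloudTrail()
    print(respond_to_stop_logging(SAMPLE_EVENT, client))
```

The responder needs only `cloudtrail:StartLogging` on the trails it guards, which is the point slide 32 makes about not leaving the function's role with temporary admin privileges; the returned record (who stopped the trail, which trail) is what the alerting output should carry.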
  • 32. Permission review The role has temporary admin privileges, but we’ll fix that later…
  • 33. Analyze Security, Compliance, and Operational Activity Using AWS CloudTrail and Amazon Athena Sai Sriparasa and Bob O'Dell
  • 34. Access advisor is cool, but today it’s GUI access only...
  • 35. Query CloudTrail data for the target user or role with Athena: SELECT useridentity.sessioncontext.sessionIssuer.userName AS uid, eventsource, eventname FROM cloudtrail_logs WHERE useridentity.sessioncontext.sessionIssuer.userName = 'target-name' GROUP BY useridentity.sessioncontext.sessionIssuer.userName, eventsource, eventname
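Slides 32 to 35 are about replacing a role's temporary admin privileges with what it actually used, and the Athena query returns the (uid, eventsource, eventname) pairs to base that on. The following is an added example, not code from the deck or from AWS: it turns rows of that shape into a first-cut IAM policy with one Allow statement per service, and reports the rows it cannot express as IAM actions. The rows are constructed; the `PREFIX_OVERRIDES` table and `NON_IAM_EVENTS` set hold only the cases this example knows about and are not exhaustive, so the output is review input, not a policy to attach unread.

```python
"""Turn the Athena query's (uid, eventsource, eventname) rows into a
least-privilege starting policy.

Added example, not part of the deck. The rows below are constructed to look
like the output of the query on slide 35.
"""
import json

# CloudTrail eventSource hosts whose IAM service prefix differs from the first
# label of the host name. Extend this as you meet more cases.
PREFIX_OVERRIDES = {
    "monitoring": "cloudwatch",  # monitoring.amazonaws.com is CloudWatch
}

# Events CloudTrail records that are not IAM actions and cannot go in a policy.
NON_IAM_EVENTS = {
    ("signin.amazonaws.com", "ConsoleLogin"),
}


def iam_action(eventsource, eventname):
    """Map a CloudTrail (eventSource, eventName) pair to an IAM action, or None."""
    if (eventsource, eventname) in NON_IAM_EVENTS or not eventsource.endswith(".amazonaws.com"):
        return None
    prefix = eventsource.split(".", 1)[0]
    prefix = PREFIX_OVERRIDES.get(prefix, prefix)
    return f"{prefix}:{eventname}"


def policy_from_activity(rows, uid):
    """Build one Allow statement per service from the actions `uid` actually used.

    Returns (policy_document, skipped) where `skipped` lists the rows that
    could not be expressed as IAM actions and need manual review.
    """
    by_service = {}
    skipped = []
    for row_uid, eventsource, eventname in rows:
        if row_uid != uid:
            continue
        action = iam_action(eventsource, eventname)
        if action is None:
            skipped.append((eventsource, eventname))
            continue
        service = action.split(":", 1)[0]
        by_service.setdefault(service, set()).add(action)
    statements = [
        {
            "Sid": f"Observed{service.capitalize()}",
            "Effect": "Allow",
            "Action": sorted(actions),
            # "*" is the starting point; narrow it to the ARNs seen in the logs.
            "Resource": "*",
        }
        for service, actions in sorted(by_service.items())
    ]
    return {"Version": "2012-10-17", "Statement": statements}, skipped


# Constructed rows in the shape of the Athena result set.
SAMPLE_ROWS = [
    ("target-name", "ec2.amazonaws.com", "DescribeInstances"),
    ("target-name", "ec2.amazonaws.com", "RunInstances"),
    ("target-name", "monitoring.amazonaws.com", "PutMetricData"),
    ("target-name", "signin.amazonaws.com", "ConsoleLogin"),
    ("other-role", "iam.amazonaws.com", "CreateUser"),
]

if __name__ == "__main__":
    document, skipped = policy_from_activity(SAMPLE_ROWS, "target-name")
    print(json.dumps(document, indent=2))
    print("needs manual review:", skipped)
```

Two caveats when using this: the query keys on `sessionIssuer.userName`, so it covers assumed-role sessions and not direct IAM user activity, and a CloudTrail event name does not always equal the IAM action that authorized it, so the skipped list and any unfamiliar actions still need a look in the IAM documentation before the policy replaces the admin grant.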
  • 37. Pop-up Loft aws.amazon.com/activate Everything and Anything Startups Need to Get Started on AWS