Security@Scale

© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Jillian Leo
Solutions Architect
Adrian Monza
Chief, Cyber Defense Branch Information Security Division, USCIS
Session Code: 194323
Session: Security@Scale
Track: Products and Solutions

Agenda
• Challenges and Objectives you Face Everyday
• Security of and in the Cloud
• Overview of AWS Security Services
• A look at
– AWS GuardDuty
– AWS Systems Manger
– AWS Config

Key Takeaways
• Understanding security of your AWS
environment
• … & security of your workloads
• Understanding how to gain visibility into your
environment and make use of it
• How to automate remediation

Your Challenges

NIST Cyber Security Framework (CSF) Core
Identify
Protect
DetectRespond
Recover
What
processes and
assets need
protection?
What
safeguards
are
available?
What techniques
can identify
incidents?
What techniques
can contain
impacts of
incidents?
What techniques
can restore
capabilities?
https://d0.awsstatic.com/whitepapers/complianc
e/NIST_Cybersecurity_Framework_CSF.pdf

Continuous Diagnostics & Mitigation (CDM)
AWS is
working on
alignment!

International Organization for Standardization
• ISO 27103:2018 Cybersecurity and ISO and IEC
Standards
• ISO 27002:2013
Information Technology – Security techniques
Code of Practice
• ISO 27017:2015 Based on ISO 27002:2013
Information technology -- Security techniques --
Code of practice for information security controls
for cloud services

The AWS Shared Responsibility
Hopefully, you’ve seen this before…
DatabaseStorageCompute Networking
Edge
Locations
Regions
Avail. Zones
AWS Global
Infrastructure
Customers are
responsible for
security ‘in’ the Cloud
AWS is responsible for
security ‘of’ the Cloud
Customer Data
Platform, Applications,
Identity & Access Management
Operating System, Network &
Firewall Configuration
Client-side Data
Encryption & Data
Integrity
Authentication
Server-side Encryption
(File System and/or
Data)
Network Traffic
Protection (Encryption /
Integrity / Identity)

AWS Identity & Access
Management (IAM)
AWS Organizations
Amazon Cognito
AWS Directory Service
AWS Single Sign-On
AWS CloudTrail
AWS Config
Amazon
CloudWatch
Amazon GuardDuty
VPC Flow Logs
Amazon EC2
Systems Manager
AWS Shield
AWS Web Application
Firewall (WAF)
Amazon Inspector
Amazon Virtual Private
Cloud (VPC)
AWS Key Management
Service (KMS)
AWS CloudHSM
Amazon Macie
AWS Certificate
Manager
Server Side Encryption
Secrets Manager
AWS Config Rules
AWS Lambda
Identity
Detective
control
Infrastructure
security
Incident
response
Data
protection
AWS Security Solutions

Aligning to AWS Services
Identify
Protect
DetectRespond
Recover
What
processes and
assets need
protection?
What
safeguards
are
available?
What techniques
can identify
incidents?
What techniques
can contain
impacts of
incidents?
What techniques
can restore
capabilities?

Identify
Amazon
CloudWatch
Amazon EC2
Systems Manager
AWS
CloudTrail
AWS
Config
Amazon
Inspector
Amazon
Macie
AWS Shield
VPC
Flow logs
Amazon
GuardDuty

Protect
Network Access Control List
Security Groups
AWS Shield
Amazon EC2
Systems Manager
AWS WAF
AWS Certificate
Manager
Amazon
CloudFront
IAM Amazon
VPC*
Amazon
EC2

Detect
Amazon
CloudWatch
Amazon EC2
Systems Manager
AWS
CloudTrail
AWS
Config
Amazon
Inspector
Amazon
MacieAWS Shield
VPC
Flow logsAmazon
GuardDuty
Event
(event-
based)
Amazon
SNS
email
notification
HTTP
notification

Respond
Rule
AWS
Config
Amazon
CloudWatch
Event
(event-
based)
State
Manager
Maintenance
Windows
InventoryAutomation documents
Parameter
Store
Run
Command
Patch
Manager
Amazon EC2
Systems Manager
AWS WAF
filtering rule
AWS Shield
Advanced
Lambda
function
Lambda
function
Lambda
function
Amazon
GuardDuty
Lambda
function

AWS CloudWatch Events
• Events for Services Not Listed
• Auto Scaling
• AWS API Call
• AWS Batch
• AWS CodeBuild
• AWS CodeCommit
• AWS CodeDeploy
• AWS CodePipeline
• AWS Management Console Sign-in
• Amazon EBS
• Amazon EC2
• AWS OpsWorks Stacks
• AWS Systems Manager
• AWS Systems Manager Parameter
Store
• AWS Systems Manager Configuration
Compliance
• Amazon EC2 Maintenance Windows
• Amazon ECS
• Amazon EMR
• Amazon GameLift
• AWS Glue Events
• Amazon GuardDuty
• AWS Health
• AWS KMS
• Amazon Macie
• Scheduled
• AWS Server Migration Service
• AWS Trusted Advisor

Recover
AWS Step
Functions
Amazon
SNS
email
notification
HTTP
notification
AWS
Lambda
Lambda
function
Amazon
CloudWatch
Event
(event-
based)
Lambda
function
Lambda
function
Lambda
function

Service Callouts

Amazon GuardDuty

Amazon GuardDuty
Threat Detection and Notification
DETECT NOTIFY
RESPOND
Reconnaissance
Instance Compromise
Account Compromise
Amazon
GuardDuty
VPC flow logs
DNS Logs
CloudTrail Events
HIGH
MEDIUM
LOW
FindingsData SourcesThreat DetectionTypes
https://aws.amazon.com/guardduty/

Amazon GuardDuty: Service Benefits
• Managed Threat Detection Service
• One-Click Activation without Architectural or Performance Impact
• Continuous Monitoring of AWS Accounts and Resources
• Discover Threats Related to EC2 and IAM
• Instant On Provides Findings in Minutes
• No Agents, no Sensors, no Network Appliances
• Global Coverage, Regional Results
• Built In Anomaly Detection with Machine Learning
• Partner Integrations for Additional Protections
• Cost Effective Simple Pricing

• Remediate a Compromised Instance
• Remediate Compromised AWS Credentials
Automatic Remediation
GuardDuty CloudWatch Events Lambda
Amazon
GuardDuty
Amazon
CloudWatch
CloudWatch
Events
Lambda
Function
AWS Lambda
Responding to Findings: Remediation

Systems Manager

Amazon Systems Manager
• A set of capabilities that provide...
• insight and compliance
• safe and secure operations
• automated configuration with granular control
• ...across all of your Windows and Linux workloads...
• ...running on Amazon EC2 or on-premises…
• ...at no additional charge

Why should I care?
Manage hybrid
Architecture
Cross-platform
(Windows/Linux)
Scalable and
auditable
Improve security
and compliance
Automate
repetitive tasks
Reduce TCO

Amazon Systems Manager
Run Command State Manager Inventory Maintenance Window
Patch Manager Automation Parameter StoreParameter Store Documents

AWS Config

AWS Config & AWS Config Rules
Continuously record and assess service configurations
Changing resources
AWS Config
AWS Config Rules
History, Snapshot
Notifications
API Access
Normalized
How are my resources configured over time?

AWS Security Best Practices – Core Principles
• Shared Responsibility Model
• Visibility/Insight
• Consistency
• Automation & Infrastructure-as-Code
• Audit / Actionable /Automation
• Separation of Concerns
• Least Privilege
• Secure Data – In Transit, @ Rest
• Game Days
• Defense in Depth
Ingrained in the
DNA of a Well
Architected
Enterprise

Using Cloud Monitor to Migrate to
DevSecOps

Our Story
• Rapid Adoption
• Migration and Innovation
• Results: Speed, Features, Success
• But also:
– Scale
– Sprawl
– Snowflakes

The Beginning
• Started with one AWS Account
• Another to separate dev and prod
• Two more for the next system
• Centralized services, Networking
Prod Dev
System 2
Prod
System 2
Dev

The number of accounts quickly outgrew our ability to
monitor them

Options
• Deploy a standardized, centrally managed solution
– Slow, resource intensive to design and deploy
– Too restrictive - not a good cultural fit
– Migration path and support for current use cases?
• Establish enterprise standards
– Limited success and adoption
– Large communication challenges
– Not scalable

Our Solution
WHEN A PROBLEM COMES ALONG,
YOU MUST AUTOMATE IT,
AUTOMATE IT GOOD
(With apologies to Devo)

USCIS Cloud Monitor
• Automated enforcement of key security & ops policies
• Automated comparison and reporting vis best practices
• Cloud-native using Lambda – No infrastructure required
• Native multi-account support via Cross-Account roles
• Extensible Plugin Model:
DETECT REPORT REMEDIATE

Initial Use Case
• EC2 Tagging Policy
– What is it?
– Who administers it?
– What system is it in?
• Less than ideal compliance rates
– Security concern
– Unneeded instances a major expense

Tagging Policy Solution

Tagging Policy Solution
• “Fix the glitch”
– Stop non-compliant instances
– CloudWatch Events: Check when instances change
state
• Gradual rollout
– Extensive communications to teams
– Started with detection and reporting via SNS
– Enforcement in non-production first
– Then production

Results
• 100% compliance
• Provides immediate feedback to developers/engineers
• Significant cost savings from identifying unneeded
instances
• Extended to Amazon RDS and on-premises
• Some hiccups:
– Developer forgot a tag during a Blue/Green deployment
– Auto-scaling won the fight

Current Capabilities
• EC2 Tagging Policy
• Standardized, Enforced Logging Configuration
• S3 Public Bucket and Object Check
• Required Security Groups
• Environment “Light Switch” (EC2 Scheduler)
• IAM Best Practices: Access Key Age, MFA,
Password Policies, etc.

Future Plans
• Enforce encryption of Amazon S3, Amazon SQS,
Amazon EBS, Amazon RDS, Amazon EFS,
DynamoDB, all the things
• Enforce KMS CMK rotation
• Automated Amazon RDS configuration checks
• Automated snapshot deletion
• Remove unused EBS volumes
• Remove unused ELBs, NLBs, ALBs
• Block Internet Gateway deployment

Other @Scale Sessions to Catch
• 194319 Governance@Scale
• 194324 Management@Scale
• 194321 CICD@Scale

Please complete the session survey in
the summit mobile app.

Security@Scale

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Security@Scale

Similar to Security@Scale (20)

More from Amazon Web Services

More from Amazon Web Services (20)

Security@Scale

Editor's Notes