Talk "How to process AWS sensor data to secure applications" by Bertram Dorn at AWS Security Web Day 2016. All videos and presentations can be found here: http://amzn.to/1NFtR5P
Amazon Web Services offers a wide range of data sources that let customers trace events, data streams and activity on their infrastructure. This data opens up many options for intrusion warning and prevention, early warning, securing access, and preventing misuse of AWS-based infrastructure. The talk gives an introduction to these options and shows various possibilities using CloudTrail, AWS Config, VPC Flow Logs and S3 logging. It also demonstrates some best practices for using these data streams for simple alerting.
2. Agenda:
• Overview
• CloudTrail
  – Source
  – Structure
  – Analytics options
• VPC FlowLogs
  – What for
  – Where from
  – How structured
  – How to access them
  – Some analytics
4. What can you answer using a CloudTrail event?
• Who made the API call?
• When was the API call made?
• What was the API call?
• Which resources were acted upon in the API call?
• Where was the API call made from and made to?
5. AWS CloudTrail
CloudTrail can help you achieve many tasks
• Security analysis
• Track changes to AWS resources, for example VPC security groups and NACLs
• Compliance – log and understand AWS API call history
• Prove that you did not:
  – Use the wrong region
  – Use services you don’t want
• Troubleshoot operational issues – quickly identify the most recent changes to your environment
6. AWS CloudTrail logs can be delivered cross-account
CloudTrail can help you achieve many tasks
• Accounts can send their trails to a central account
• Central account can then do analytics
• Central account can:
  – Redistribute the trails
  – Grant access to the trails
  – Filter and reformat trails (to meet privacy requirements)
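Slides 4 and 5 describe what a CloudTrail record can answer and which changes are worth tracking; the abstract promises simple alerting on these data streams. The following is an added example (not code from the talk) that pulls the five answers out of a record and raises simple alerts for security-group/NACL changes and for calls in a region not on an allow list. The sample records and the allowed regions are constructed; the field names are those of the real CloudTrail event format.

```python
from datetime import datetime

# Constructed sample records (not from the talk); the field names are those of the
# real CloudTrail event format: userIdentity, eventTime, eventSource, eventName, ...
SAMPLE_RECORDS = [
    {"userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111111111111:user/alice"},
     "eventTime": "2016-03-01T10:15:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress", "awsRegion": "eu-central-1",
     "sourceIPAddress": "203.0.113.10", "requestParameters": {"groupId": "sg-0a1b2c3d"}},
    {"userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111111111111:user/bob"},
     "eventTime": "2016-03-01T10:20:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "awsRegion": "ap-northeast-1",
     "sourceIPAddress": "198.51.100.7", "requestParameters": None},
]

# EC2 API actions that change the VPC primitives slide 5 says to track
# (security groups and network ACLs).
NETWORK_CHANGE_EVENTS = {
    "AuthorizeSecurityGroupIngress", "AuthorizeSecurityGroupEgress",
    "RevokeSecurityGroupIngress", "RevokeSecurityGroupEgress",
    "CreateNetworkAclEntry", "ReplaceNetworkAclEntry", "DeleteNetworkAclEntry",
}

def summarize(record):
    """Answer slide 4's five questions (who, when, what, which, where) for one record."""
    ident = record.get("userIdentity", {})
    return {
        "who": ident.get("arn") or ident.get("userName") or ident.get("type"),
        "when": datetime.strptime(record["eventTime"], "%Y-%m-%dT%H:%M:%SZ"),
        "what": record["eventName"],
        "which": record.get("requestParameters") or {},      # resources acted upon
        "from": record.get("sourceIPAddress"),               # caller's address
        "to": (record["eventSource"], record["awsRegion"]),  # service endpoint hit
    }

def simple_alerts(records, allowed_regions):
    """Simple alerting as the abstract describes: flag security-group/NACL changes
    and any API call made in a region that is not on the allow list (slide 5)."""
    alerts = []
    for rec in records:
        s = summarize(rec)
        if s["what"] in NETWORK_CHANGE_EVENTS:
            alerts.append(("network-change", s["who"], s["what"], s["which"]))
        if rec["awsRegion"] not in allowed_regions:
            alerts.append(("wrong-region", s["who"], s["what"], rec["awsRegion"]))
    return alerts
```

Real CloudTrail log files wrap records in a top-level `{"Records": [...]}` object, so feed `json.load(f)["Records"]` into `simple_alerts`.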
13. Firewall-Requirements
• Based on NIST800, BSI-IT Grundschutz and others
– Anti-Spoofing
– Packet-Filtering (minimum) stateful/stateless
– Segregation of Duties at the management side
– Logging/Audit capabilities on the management side
– Event-Logging on processed traffic
(Diagram: AWS sources that cover these requirements – Security Group, IAM, AWS Config, CloudTrail, FlowLogs)
15. The Source II
(Diagram: flows through a VPC with two subnets, 10.0.0.0/24 and 10.0.1.0/24, in Availability Zones A and B, each with its own Routing Table and Network ACL; a Router connecting them to a Virtual Private Gateway and an Internet Gateway; Security Groups on the instances. Annotations: lockdown at instance level, isolate network functions, lockdown at network level, route restrictively.)
17. Structure II
Flow Logs are STATISTICAL about activity in a window of time:
• Start-Time Window
• End-Time Window
• Number of Packets
• Number of Bytes
• Action