Automating Security and Compliance Testing of Infrastructure-as-Code for DevSecOps - SID317 - re:Invent 2017
1. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Automating Security and Compliance
Testing of IaC for DevSecOps
AWS re:INVENT
November 29, 2017
Roy Feintuch
Co-founder & CTO
@royfein
2.
When It Comes to Security, Sooner is Better (and Cheaper)
“…high-performing development teams
spend 50 percent less time remediating
security issues” when they address
security throughout the SDLC, instead
of “retrofitting security at the end.”
- Puppet 2017 State of DevOps Report
3.
Traditional Security is Not Built for CI/CD
• Too late
• Too much stress
4.
Treat Infrastructure Code Just Like Application Code
• You can (and should) apply coding best practices to your IaC development
• You can now test your infrastructure for security and compliance before it is deployed in a live environment
• Tools for static application code analysis are mature, but infrastructure analysis is still in its infancy
5.
The Plan: Multi-Staged Approach
Prep Stage: define a core set of industry best-practices, regulatory compliance, and security controls, as well as internal org governance policies
Commit Stage: treat CFT like any other application code; perform static code analysis (a.k.a. infrastructure unit-tests)
Live Stage: deploy a live-test environment and test it (a.k.a. integration testing)
Production Stage: perform continuous security and compliance assessment for the production environment
DevSecOps pipeline responsibility
Production: SecOps monitoring responsibility
6.
Commit Stage (a.k.a. Infrastructure Unit-Tests)
Pros
● Fast and cheap
○ Measured in seconds
○ Closest to the developer
○ Can be integrated as a git commit hook or IDE plugin
Cons
● Difficult; technology is not 100%
● Not everything can be statically reasoned about
7.
Live Test (a.k.a. Infrastructure Integration-Tests)
Pros
• Can cover every test—just like in our prod env
Cons
• Slow (measured in multi-minutes)
• Lots of mechanics and moving parts -> complexity, price
8.
Production Stage—Continuous Testing
Pros
• This is the ultimate resource we are trying to protect
• Every tool and third-party service is designed to assist us here
• Covers everything—including changes that occurred outside of our sanitized pipeline
Cons
• Yet another suite of technologies to master (these tools typically cater to OPS/GRC folks and not devs)
9.
And Now… a Graph
10.
Implementation v.1
Source blog: https://aws.amazon.com/blogs/devops/implementing-devsecops-using-aws-codepipeline/
Code: https://github.com/Dome9/reinvent2017
11.
Demo #1
Demonstrate DevSecOps pipeline using AWS native tools:
AWS CodePipeline
AWS CloudFormation
AWS Lambda
Amazon S3
12.
LEVEL 1 COMPLETE!
GET READY FOR THE NEXT LEVEL
13.
CFT Static Analysis—RegEx
^.*Ingress.*(([fF]rom[pP]ort|[tT]o[pP]ort).s:s*u?.(22).*[cC]idr[iI]p.s*:s*u?.((0.){3}0/0).|[cC]idr[iI]p.s*:s*u?.((0.){3}0/0).*([fF]rom[pP]ort|[tT]o[pP]ort.*).s*:s*u?.(22))
IMO, this is difficult to:
• write
• maintain
• review/audit
Suggestion: use a standard programming language to reason about JSON structures (Python, JS...)
BTW: I injected five errors into this regex. Did you spot them?
14.
CFT Static Analysis—Dynamic Templates
CFT is flexible and dynamic (almost like a programming language):
1. Parameters
• user defined
• pseudo parameters (like AWS::Region)
2. Intrinsic functions
3. Conditions
15.
CFT Static Analysis—Dynamic Templates
Port is resolved by correlating a map with a user-provided parameter (using an intrinsic function)
16.
CFT Static Analysis—Dynamic Templates
This one is actually OK because we allow our devs to connect to their dev environments
17.
CFT Static Analysis—Dynamic Templates
CFT is flexible and dynamic (almost like a programming language):
Parameters
• user defined
• pseudo parameters (like AWS::Region)
Intrinsic functions
Conditions
CFT Simulator project on GitHub:
https://github.com/Dome9/cft-simulator
18.
CFT Static Analysis—Multiple Representations
The same outcome can be represented in multiple ways:
• because the syntax permits it
• because of default implicit behavior
This means that, in addition to understanding the CFT syntax, we must also fully understand the domain we are reasoning about and the CFT default behaviors.
Example: a few ways to control the IP address of an EC2 instance
● NIC can be defined with instance-level network properties
● NIC can be defined as an embedded resource of the instance with the NetworkInterfaces property
● NIC can be defined as a "root" resource and be attached to an instance via the Ref intrinsic function
● A "root" NIC resource can be attached with the NetworkInterfaceAttachment resource via the InstanceId property
● Public IP can be assigned to the NIC by setting the AssociatePublicIpAddress property to true on the NIC properties (only when defining it as an embedded resource of the instance)
● Public IP can be assigned by creating an ElasticIP resource and associating it using the 'InstanceId' property
● An ElasticIP can be associated with the ElasticIPAssociation resource
● A public IP can be assigned to the primary NIC based on a subnet behavior (the MapPublicIpOnLaunch property of the subnet)
19.
CFT Static Analysis—Multiple Representations
Here, the rules are defined externally to the security group resource
20.
CFT Static Analysis—Reasoning About Our Domain
Someone didn't properly whitelist our NOC IP address
Oops! Forgot about port ranges...
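The three static-analysis problems raised on slides 13 through 20, worked through in one added example that is not code from the deck or from Dome9 (the cft-simulator project linked above is a separate tool): a port that only exists after resolving a parameter through Fn::FindInMap, ingress rules that live either inline in the security group or in a standalone AWS::EC2::SecurityGroupIngress resource attached via Ref, and a port range that covers 22 without naming it. The template, parameter names, mapping and logical IDs are constructed for the example; only the Ref, Fn::FindInMap, Fn::Equals and Fn::If subset of intrinsic functions is handled.

```python
import json

# Constructed sample template (not from the deck). The SSH port comes from a
# map keyed by the Env parameter, the admin CIDR is chosen by a Condition,
# and a second group gets its rule from a standalone Ingress resource.
SAMPLE_TEMPLATE = json.loads("""
{
  "Parameters": {
    "Env": {"Type": "String", "Default": "prod"},
    "AdminCidr": {"Type": "String", "Default": "0.0.0.0/0"}
  },
  "Mappings": {"PortMap": {"prod": {"Port": 22}, "dev": {"Port": 2222}}},
  "Conditions": {"IsDev": {"Fn::Equals": [{"Ref": "Env"}, "dev"]}},
  "Resources": {
    "WebSg": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "GroupDescription": "web",
        "SecurityGroupIngress": [
          {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "CidrIp": "0.0.0.0/0"},
          {"IpProtocol": "tcp",
           "FromPort": {"Fn::FindInMap": ["PortMap", {"Ref": "Env"}, "Port"]},
           "ToPort": {"Fn::FindInMap": ["PortMap", {"Ref": "Env"}, "Port"]},
           "CidrIp": {"Fn::If": ["IsDev", "10.0.0.0/8", {"Ref": "AdminCidr"}]}}
        ]
      }
    },
    "MgmtSg": {"Type": "AWS::EC2::SecurityGroup",
               "Properties": {"GroupDescription": "mgmt"}},
    "MgmtRange": {
      "Type": "AWS::EC2::SecurityGroupIngress",
      "Properties": {"GroupId": {"Ref": "MgmtSg"}, "IpProtocol": "tcp",
                     "FromPort": 20, "ToPort": 1024, "CidrIp": "0.0.0.0/0"}
    }
  }
}
""")


def resolve(node, template, params):
    """Evaluate the intrinsic-function subset used above: Ref (parameter or
    resource logical id), Fn::FindInMap, Fn::Equals and Fn::If."""
    if isinstance(node, list):
        return [resolve(n, template, params) for n in node]
    if not isinstance(node, dict):
        return node
    if "Ref" in node:
        name = node["Ref"]
        if name in template.get("Parameters", {}):
            # explicit parameter value wins, otherwise the template default
            return params.get(name, template["Parameters"][name].get("Default"))
        return name  # Ref to a resource: keep its logical id
    if "Fn::FindInMap" in node:
        map_name, top, second = resolve(node["Fn::FindInMap"], template, params)
        return template["Mappings"][map_name][top][second]
    if "Fn::Equals" in node:
        a, b = resolve(node["Fn::Equals"], template, params)
        return a == b
    if "Fn::If" in node:
        cond, if_true, if_false = node["Fn::If"]
        taken = resolve(template["Conditions"][cond], template, params)
        return resolve(if_true if taken else if_false, template, params)
    return {k: resolve(v, template, params) for k, v in node.items()}


def ingress_rules(template, params=None):
    """Normalise both representations into (group logical id, rule) pairs."""
    params = params or {}
    pairs = []
    for name, res in template["Resources"].items():
        props = resolve(res.get("Properties", {}), template, params)
        if res["Type"] == "AWS::EC2::SecurityGroup":
            pairs.extend((name, rule) for rule in props.get("SecurityGroupIngress", []))
        elif res["Type"] == "AWS::EC2::SecurityGroupIngress":
            pairs.append((props["GroupId"], props))
    return pairs


def find_ssh_open_to_world(template, params=None):
    """Groups with a rule from 0.0.0.0/0 whose range covers 22 (or all traffic)."""
    offenders = set()
    for group, rule in ingress_rules(template, params):
        if rule.get("CidrIp") != "0.0.0.0/0":
            continue
        all_traffic = str(rule.get("IpProtocol")) == "-1"
        covers_22 = int(rule.get("FromPort", 0)) <= 22 <= int(rule.get("ToPort", 65535))
        if all_traffic or covers_22:
            offenders.add(group)
    return sorted(offenders)


if __name__ == "__main__":
    print(find_ssh_open_to_world(SAMPLE_TEMPLATE))                # defaults: prod
    print(find_ssh_open_to_world(SAMPLE_TEMPLATE, {"Env": "dev"}))  # dev override
```

With the defaults both groups are reported: WebSg because Env=prod resolves the port to 22 and the condition falls through to the wide-open AdminCidr default, and MgmtSg because 20-1024 contains 22 even though "22" never appears in the template. Passing Env=dev clears WebSg, which is the case slide 16 calls acceptable; a regex over the raw text cannot make that distinction.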
21.
Multiple Technologies Challenge
1. Word/Excel: policy language for humans
2. RegEx for static CFT eval
3. Python-Boto/AWS SDK to assess live environment
4. Continuous monitoring and alerting: Config rules/CloudTrail/CloudWatch Alerts, SIEM tools, cloud configuration monitoring tools, security monitoring and alerting tools...
22.
Multiple Technologies Challenge
“You shall not have SSH ports exposed to the internet”
My org policy, section 1.2

My CFT Regex
/^.*Ingress.*(([fF]rom[pP]ort|[tT]o[pP]ort).s*:s*u?.(22).*[cC]idr[iI]p.s*:s*u?.((0.){3}0/0)|[cC]idr[iI]p.s*:s*u?.((0.){3}0/0).*([fF]rom[pP]ort|[tT]o[pP]ort).s*:s*u?.(22))/

My Python Boto Script
import boto3

# Assumed inputs: regions to scan, the stack under test, and the result
# variables the pipeline reads back (values here are placeholders).
regions = ["us-east-1"]
stackName = "my-stack"
result = True
failReason = ""
offenders = []

for n in regions:
    client = boto3.client('ec2', region_name=n)
    response = client.describe_security_groups(
        Filters=[{'Name': 'tag:aws:cloudformation:stack-name', 'Values': [stackName]}])
    for m in response['SecurityGroups']:
        # only groups that do not already whitelist the NOC address are inspected
        if "72.21.196.67/32" not in str(m['IpPermissions']):
            for o in m['IpPermissions']:
                try:
                    # a port range that covers 22 counts, not only FromPort == 22
                    if int(o['FromPort']) <= 22 <= int(o['ToPort']):
                        result = False
                        failReason = "Found Security Group with port 22 open to the wrong source IP range"
                        offenders.append(str(n) + " : " + str(m['GroupId']))
                except KeyError:
                    # no port fields at all: IpProtocol -1 means all traffic, which includes 22
                    if str(o['IpProtocol']) == "-1":
                        result = False
                        failReason = "Found Security Group with port 22 open to the wrong source IP range"
                        offenders.append(str(n) + " : " + str(m['GroupId']))

My production Alerting Mechanisms
23.
Introducing GSL
Governance Specification Language
Purpose-built language to reason about cloud security and compliance
Guess what these rules say…
Instance should have tags with [key='owner']
SecurityGroup should not have inboundRules with [port=22 and scope='0.0.0.0/0']
SecurityGroup where name='default' should not have inboundRules
Concise, human-readable policies eliminate errors in translation and simplify security, compliance, and governance
24.
Implementation v.2—Compliance Engine
1. Static CFT assessments built into CI pipeline
2. On-demand assessments for test/staging env via Assessments API
3. Always-on, continuous monitoring for Production env
All driven from the same GSL policy file!
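What "one policy file drives every stage" means in practice, as an added example that is not Dome9's GSL engine or any of the deck's code: a toy interpreter for the three rule shapes shown on slide 23, applied unchanged to two constructed inventories, one of the kind a template validator would derive from a CFT at commit time and one of the kind a describe_* call would yield from a live environment. The grammar, the entity and attribute names, and the reading of port=N as "the rule's port range covers N" (the slide 20 lesson) are assumptions of this example, not GSL's actual semantics.

```python
import re

POLICY = """
Instance should have tags with [key='owner']
SecurityGroup should not have inboundRules with [port=22 and scope='0.0.0.0/0']
SecurityGroup where name='default' should not have inboundRules
"""

# Constructed inventories (no real account). Both sources are reduced to the
# same shape so that the same policy text evaluates against either.
STATIC_SNAPSHOT = {  # what a CFT validator derives at the commit stage
    "Instance": [
        {"name": "WebServer", "tags": [{"key": "owner", "value": "team-a"}]},
        {"name": "Bastion", "tags": [{"key": "env", "value": "dev"}]},
    ],
    "SecurityGroup": [
        {"name": "WebSg", "inboundRules": [{"fromPort": 80, "toPort": 80, "scope": "0.0.0.0/0"}]},
        {"name": "MgmtSg", "inboundRules": [{"fromPort": 20, "toPort": 1024, "scope": "0.0.0.0/0"}]},
    ],
}
LIVE_SNAPSHOT = {  # what a describe_* sweep yields at the live or production stage
    "Instance": [
        {"name": "i-0123", "tags": [{"key": "owner", "value": "team-a"}]},
    ],
    "SecurityGroup": [
        {"name": "default", "inboundRules": [{"fromPort": 22, "toPort": 22, "scope": "10.0.0.0/8"}]},
        {"name": "WebSg", "inboundRules": [{"fromPort": 80, "toPort": 80, "scope": "0.0.0.0/0"}]},
    ],
}

# <Entity> [where <k>='<v>'] should [not] have <attr> [with [<k>=<v> and ...]]
RULE_RE = re.compile(
    r"^(?P<entity>\w+)(?: where (?P<wk>\w+)='(?P<wv>[^']*)')?"
    r" should (?P<neg>not )?have (?P<attr>\w+)(?: with \[(?P<conds>.+)\])?$"
)


def parse_rule(text):
    """Turn one policy line into a dict; raises on anything outside the toy grammar."""
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError("unsupported rule: " + text)
    conds = []
    for clause in (m.group("conds") or "").split(" and "):
        if clause:
            key, value = clause.split("=", 1)
            conds.append((key, value.strip("'")))
    return {"entity": m.group("entity"), "where": (m.group("wk"), m.group("wv")),
            "negate": bool(m.group("neg")), "attr": m.group("attr"), "conds": conds}


def item_matches(item, conds):
    """A child item (tag, inbound rule) satisfies every condition in the rule."""
    for key, value in conds:
        if key == "port":  # assumption: port=N means the range fromPort..toPort covers N
            if not int(item["fromPort"]) <= int(value) <= int(item["toPort"]):
                return False
        elif str(item.get(key)) != value:
            return False
    return True


def evaluate(policy_text, snapshot):
    """Return (rule text, entity name) pairs for every violated rule."""
    violations = []
    for line in policy_text.strip().splitlines():
        rule = parse_rule(line)
        wk, wv = rule["where"]
        for ent in snapshot.get(rule["entity"], []):
            if wk and str(ent.get(wk)) != wv:
                continue  # "where" filter excludes this entity
            hits = [i for i in ent.get(rule["attr"], []) if item_matches(i, rule["conds"])]
            # "should have" fails on no hits; "should not have" fails on any hit
            if bool(hits) == rule["negate"]:
                violations.append((line.strip(), ent["name"]))
    return violations


if __name__ == "__main__":
    for label, snap in (("static", STATIC_SNAPSHOT), ("live", LIVE_SNAPSHOT)):
        for rule_text, name in evaluate(POLICY, snap):
            print(label, "FAIL", name, "->", rule_text)
```

The static pass catches the untagged Bastion and the 20-1024 range on MgmtSg before anything is deployed; the live pass, run from the same three lines, catches the default group that has rules on it, which no template check would see if it was changed outside the pipeline.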
25.
DevSecOps Pipeline v.2
AWS CodePipeline stages, backed by the Compliance-Engine:
Commit Stage: CFT Validator
Live Test Stage: CFN Deploy Test env -> Assess Test env -> Delete Test stack
Production Stage: CFN Execute Prod Change set -> Production System -> Continuous Monitoring
26.
DevSecOps v.2 Demo
Demonstrating a CI/CD Pipeline Using Native AWS Services + Dome9 Compliance Engine...
27.
You are welcome to booth #2107 to continue the discussion
Thank you!
www.dome9.com