© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Automating Security and Compliance Testing of IaC for DevSecOps (SID317)
AWS re:INVENT
November 29, 2017
Roy Feintuch
Co-founder & CTO
@royfein
When It Comes to Security, Sooner is Better (and Cheaper)
“…high-performing development teams
spend 50 percent less time remediating
security issues” when they address
security throughout the SDLC, instead
of “retrofitting security at the end.”
- Puppet 2017 State of DevOps Report
Traditional Security is Not Built for CI/CD
• Too late
• Too much stress
Treat Infrastructure Code Just Like Application Code
• You can (and should) apply coding best practices to your IaC development
• You can now test your infrastructure for security and compliance before it is deployed in a live environment
• Tools for static application code analysis are mature, but infrastructure analysis is still in its infancy
The Plan: Multi-Staged Approach
Prep Stage: define a core set of industry best practices, regulatory compliance and security controls, as well as internal org governance policies
Commit Stage: treat the CFT like any other application code; perform static code analysis (a.k.a. infrastructure unit tests)
Live Stage: deploy a live test environment and test it (a.k.a. integration testing)
Production Stage: perform continuous security and compliance assessment of the production environment
DevSecOps pipeline responsibility: Commit and Live stages
*SecOps monitoring responsibility: Production stage
Commit Stage (a.k.a. Infrastructure Unit Tests)
Pros
● Fast and cheap
○ Measured in seconds
○ Closest to the developer
○ Can be integrated as a git commit hook or IDE plugin
Cons
● Difficult; the technology is not 100% there yet
● Not everything can be statically reasoned about
Live Test (a.k.a. Infrastructure Integration Tests)
Pros
• Can cover every test—just like in our prod env
Cons
• Slow (measured in multi-minutes)
• Lots of mechanics and moving parts -> complexity, price
Production Stage—Continuous Testing
Pros
• This is the ultimate resource we are trying to protect
• Every tool and third-party service is designed to assist us here
• Covers everything—including changes that occurred outside of our sanitized pipeline
Cons
• Yet another suite of technologies to master (these tools typically cater to OPS/GRC folks and not devs)
And Now… a Graph
Implementation v.1
Source blog: https://aws.amazon.com/blogs/devops/implementing-devsecops-using-aws-codepipeline/
Code: https://github.com/Dome9/reinvent2017
Demo #1
Demonstrate a DevSecOps pipeline using AWS native tools:
AWS CodePipeline
AWS CloudFormation
AWS Lambda
Amazon S3
LEVEL 1 COMPLETE!
GET READY FOR THE NEXT LEVEL
CFT Static Analysis—RegEx
^.*Ingress.*(([fF]rom[pP]ort|[tT]o[pP]ort).\s:\s*u?.(22).*[cC]idr[iI]p.\s*:\s*u?.((0\.){3}0\/0).|[cC]idr[iI]p.\s*:\s*u?.((0\.){3}0\/0).*([fF]rom[pP]ort|[tT]o[pP]ort.*).\s*:\s*u?.(22))
BTW: I injected five errors into this Regex. Did you spot them?
IMO, this is difficult to:
write
maintain
review/audit
Suggestion: use a standard programming language to reason about JSON structures (Python, JS...)
CFT Static Analysis—Dynamic Templates
CFT is flexible and dynamic (almost like a programming language):
1. Parameters
• user defined
• pseudo parameters (like AWS::Region)
2. Intrinsic functions
3. Conditions
CFT Static Analysis—Dynamic Templates
The port is resolved by correlating a map with a user-provided parameter (using an intrinsic function)
CFT Static Analysis—Dynamic Templates
This one is actually OK because we allow our devs to connect to their dev environments
CFT Static Analysis—Dynamic Templates
CFT is flexible and dynamic (almost like a programming language):
Parameters
• user defined
• pseudo parameters (like AWS::Region)
Intrinsic functions
Conditions
CFT Simulator project on GitHub: https://github.com/Dome9/cft-simulator
CFT Static Analysis—Multiple Representations
The same outcome can be represented in multiple ways:
Because the syntax permits it
Because of default implicit behavior
This means that, in addition to understanding the CFT syntax, we must also fully understand the domain we are reasoning about and the CFT default behaviors
Example: a few ways to control the IP address of an EC2 instance
● The NIC can be defined with instance-level network properties
● The NIC can be defined as an embedded resource of the instance with the NetworkInterfaces property
● The NIC can be defined as a "root" resource (AWS::EC2::NetworkInterface) and attached to an instance via the Ref intrinsic function
● A "root" NIC resource can be attached with the NetworkInterfaceAttachment resource via its InstanceId property
● A public IP can be assigned to the NIC by setting the AssociatePublicIpAddress property to true in the NIC properties (only when defining it as an embedded resource of the instance)
● A public IP can be assigned by creating an Elastic IP resource (AWS::EC2::EIP) and associating it using its InstanceId property
● An Elastic IP can be associated with the AWS::EC2::EIPAssociation resource
● A public IP can be assigned to the primary NIC based on subnet behavior (the MapPublicIpOnLaunch property of the subnet)
CFT Static Analysis—Multiple Representations
Here, the rules are defined externally to the security group resource
CFT Static Analysis—Reasoning About Our Domain
Someone didn't properly whitelist our NOC IP address
Oops! Forgot about port ranges...
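The last few slides (a port resolved through a map and a parameter, ingress rules declared outside the security group, port ranges) are exactly what a regex over the flattened template text cannot see. The following is an added example, not code from the deck, the AWS blog post or Dome9: a Python check that walks the parsed template instead. It assumes JSON templates and that the pipeline can pass the parameter values it will actually deploy with (the `overrides` argument); the template it runs on is constructed for this example.

```python
"""Commit-stage check: is SSH reachable from the internet anywhere in this template?

Added example; not code from the deck, the AWS blog post or Dome9. It walks the
parsed JSON instead of regex-matching the text, so it handles a port hidden
behind Ref/Fn::FindInMap, standalone AWS::EC2::SecurityGroupIngress resources,
port ranges and IpProtocol -1. Assumptions: JSON templates, and `overrides`
holds the parameter values the pipeline will deploy with. Sample is constructed.
"""
import json
from typing import Any, List, Optional, Tuple

WORLD = {"0.0.0.0/0", "::/0"}


def resolve(value: Any, template: dict, overrides: Optional[dict] = None) -> Any:
    """Best-effort evaluation of Ref and Fn::FindInMap. Unsupported intrinsics
    are returned as-is; a Ref to a parameter without a Default yields None."""
    overrides = overrides or {}
    if isinstance(value, dict) and len(value) == 1:
        key, arg = next(iter(value.items()))
        if key == "Ref":
            if arg in overrides:
                return overrides[arg]
            return template.get("Parameters", {}).get(arg, {}).get("Default")
        if key == "Fn::FindInMap":
            map_name, top, second = (resolve(a, template, overrides) for a in arg)
            try:
                return template["Mappings"][map_name][top][second]
            except (KeyError, TypeError):
                return None
    return value


def ingress_rules(template: dict):
    """Yield (logical_id, rule) for inline and standalone ingress rules alike."""
    for name, res in template.get("Resources", {}).items():
        props = res.get("Properties", {})
        if res.get("Type") == "AWS::EC2::SecurityGroup":
            for rule in props.get("SecurityGroupIngress", []):
                yield name, rule
        elif res.get("Type") == "AWS::EC2::SecurityGroupIngress":
            yield name, props


def covers_port(rule: dict, port: int, template: dict, overrides: Optional[dict]) -> Optional[bool]:
    """True/False when decidable statically, None when it is not."""
    proto = resolve(rule.get("IpProtocol"), template, overrides)
    if not isinstance(proto, (str, int)):
        return None
    if str(proto) == "-1":
        return True                                  # all traffic; ports are ignored
    if str(proto) not in ("tcp", "6"):
        return False
    lo = resolve(rule.get("FromPort"), template, overrides)
    hi = resolve(rule.get("ToPort"), template, overrides)
    try:
        return int(lo) <= port <= int(hi)            # a range, not equality with 22
    except (TypeError, ValueError):
        return None                                  # unresolved parameter or intrinsic


def find_ssh_open_to_world(template: dict, port: int = 22,
                           overrides: Optional[dict] = None) -> List[Tuple[str, Optional[bool]]]:
    """(logical_id, True) for each internet-reachable rule covering `port`;
    (logical_id, None) where the source or the port cannot be decided statically."""
    findings = []
    for name, rule in ingress_rules(template):
        raw = rule.get("CidrIp") or rule.get("CidrIpv6")
        if raw is None:
            continue                                 # sourced from a security group, not a CIDR
        cidr = resolve(raw, template, overrides)
        if not isinstance(cidr, str):
            findings.append((name, None))
            continue
        if cidr not in WORLD:
            continue
        verdict = covers_port(rule, port, template, overrides)
        if verdict is None or verdict:
            findings.append((name, verdict))
    return sorted(findings, key=lambda f: f[0])


# Constructed sample: a range that includes 22, a port resolved through a map
# keyed on a parameter, and an all-traffic rule limited to the NOC /32.
SAMPLE_TEMPLATE = json.loads(r'''{
  "Parameters": {"Env": {"Type": "String", "Default": "dev"}},
  "Mappings": {"PortMap": {"dev": {"Admin": 22}, "prod": {"Admin": 2222}}},
  "Resources": {
    "WebSG": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
      "GroupDescription": "web tier",
      "SecurityGroupIngress": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "0.0.0.0/0"},
        {"IpProtocol": "tcp", "FromPort": 20, "ToPort": 30, "CidrIp": "0.0.0.0/0"}]}},
    "AdminIngress": {"Type": "AWS::EC2::SecurityGroupIngress", "Properties": {
      "GroupId": {"Ref": "WebSG"}, "IpProtocol": "tcp",
      "FromPort": {"Fn::FindInMap": ["PortMap", {"Ref": "Env"}, "Admin"]},
      "ToPort": {"Fn::FindInMap": ["PortMap", {"Ref": "Env"}, "Admin"]},
      "CidrIp": "0.0.0.0/0"}},
    "NocIngress": {"Type": "AWS::EC2::SecurityGroupIngress", "Properties": {
      "GroupId": {"Ref": "WebSG"}, "IpProtocol": "-1", "CidrIp": "203.0.113.10/32"}}
  }
}''')

if __name__ == "__main__":
    print("dev :", find_ssh_open_to_world(SAMPLE_TEMPLATE))
    print("prod:", find_ssh_open_to_world(SAMPLE_TEMPLATE, overrides={"Env": "prod"}))
```

A verdict of None is the honest answer when a port or CIDR comes from a parameter with no default or an intrinsic the checker does not evaluate; the commit stage should either fail closed on it or hand it to the live-test stage, which is the reason the deck keeps both stages. In a CodePipeline Lambda action this check would run over the template fetched from the S3 artifact, and the findings would decide between put_job_success_result and put_job_failure_result.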
Multiple Technologies Challenge
1. Word/Excel: policy language for humans
2. RegEx for static CFT evaluation
3. Python-Boto/AWS SDK to assess the live environment
4. Continuous monitoring and alerting: Config rules, CloudTrail/CloudWatch alerts, SIEM tools, cloud configuration monitoring tools, security monitoring and alerting tools...
Multiple Technologies Challenge
My org policy, section 1.2: "You shall not have SSH ports exposed to the internet"
My CFT Regex:
/^.*Ingress.*(([fF]rom[pP]ort|[tT]o[pP]ort).\s*:\s*u?.(22).*[cC]idr[iI]p.\s*:\s*u?.((0\.){3}0\/0)|[cC]idr[iI]p.\s*:\s*u?.((0\.){3}0\/0).*([fF]rom[pP]ort|[tT]o[pP]ort).\s*:\s*u?.(22))/
My Python Boto Script:
    import boto3

    # Inputs the pipeline supplies (placeholder values here): the stack under
    # test and the regions it was deployed to.
    stackName = "my-test-stack"
    regions = ["us-east-1"]

    result = True
    failReason = ""
    offenders = []

    for n in regions:
        client = boto3.client('ec2', region_name=n)
        # Only the security groups created by this stack
        response = client.describe_security_groups(
            Filters=[{'Name': 'tag:aws:cloudformation:stack-name', 'Values': [stackName]}])
        for m in response['SecurityGroups']:
            # Groups that already allow the NOC address are skipped entirely
            if "72.21.196.67/32" not in str(m['IpPermissions']):
                for o in m['IpPermissions']:
                    try:
                        # A port range that includes 22 counts, not just FromPort == 22
                        if int(o['FromPort']) <= 22 <= int(o['ToPort']):
                            result = False
                            failReason = "Found Security Group with port 22 open to the wrong source IP range"
                            offenders.append(str(m['GroupId']))
                    except KeyError:
                        # No FromPort/ToPort keys: an all-traffic rule (IpProtocol -1) covers 22 too
                        if str(o['IpProtocol']) == "-1":
                            result = False
                            failReason = "Found Security Group with port 22 open to the wrong source IP range"
                            offenders.append(str(n) + " : " + str(m['GroupId']))
My production Alerting Mechanisms
Introducing GSL
Governance Specification Language
Purpose-built language to reason about cloud security and compliance
Guess what these rules say…
Instance should have tags with [key='owner']
SecurityGroup should not have inboundRules with [port=22 and scope='0.0.0.0/0']
SecurityGroup where name='default' should not have inboundRules
Concise, human-readable policies eliminate errors in translation and simplify security, compliance, and governance
Implementation v.2—Compliance Engine
1. Static CFT assessments built into the CI pipeline
2. On-demand assessments for test/staging environments via the Assessments API
3. Always-on, continuous monitoring for the production environment
All driven from the same GSL policy file!
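What makes "one policy file for all three stages" possible is that every stage evaluates the rules over the same normalized model of the entities, whether that model was built from a parsed template or from the live API. The example below is added here and is not Dome9's GSL engine or code from the deck: plain Python predicates stand in for the two SecurityGroup rules from the GSL slide, an adapter builds the model from the boto3 ec2.describe_security_groups() response shape, and a second adapter producing the same SecurityGroup objects from a template would let the commit stage run the identical rules. The sample response is constructed.

```python
"""One policy, evaluated over a normalized security-group model.

Added example; not Dome9's GSL engine or the deck's code. The rule functions
stand in for the GSL lines on the slide; the adapter turns a boto3
ec2.describe_security_groups() response into the model they run over. The
sample response below is constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

WORLD = {"0.0.0.0/0", "::/0"}


@dataclass
class InboundRule:
    protocol: str             # "tcp", "udp", "icmp", "-1" (all traffic)
    from_port: Optional[int]  # None when protocol is "-1"
    to_port: Optional[int]
    scope: str                # IPv4/IPv6 CIDR or a referenced security group id

    def covers(self, port: int) -> bool:
        """True if this rule admits TCP traffic to `port` (ranges and all-traffic included)."""
        if self.protocol == "-1":
            return True
        if self.protocol not in ("tcp", "6"):
            return False
        return self.from_port <= port <= self.to_port


@dataclass
class SecurityGroup:
    group_id: str
    name: str
    inbound_rules: List[InboundRule] = field(default_factory=list)


def from_describe_security_groups(response: dict) -> List[SecurityGroup]:
    """Adapter for the boto3 ec2.describe_security_groups() response shape."""
    groups = []
    for g in response["SecurityGroups"]:
        rules = []
        for perm in g.get("IpPermissions", []):
            proto = str(perm["IpProtocol"])
            lo, hi = perm.get("FromPort"), perm.get("ToPort")   # keys absent for "-1"
            # One IpPermissions entry fans out to several sources; flatten them into rules.
            scopes = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            scopes += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            scopes += [p["GroupId"] for p in perm.get("UserIdGroupPairs", [])]
            rules.extend(InboundRule(proto, lo, hi, s) for s in scopes)
        groups.append(SecurityGroup(g["GroupId"], g["GroupName"], rules))
    return groups


# GSL: SecurityGroup should not have inboundRules with [port=22 and scope='0.0.0.0/0']
# (::/0 is treated the same: an IPv6 all-traffic rule exposes SSH just as much)
def no_ssh_from_world(sg: SecurityGroup) -> List[InboundRule]:
    return [r for r in sg.inbound_rules if r.scope in WORLD and r.covers(22)]


# GSL: SecurityGroup where name='default' should not have inboundRules
def default_group_has_no_inbound(sg: SecurityGroup) -> List[InboundRule]:
    return list(sg.inbound_rules) if sg.name == "default" else []


RULES = {
    "no_ssh_from_world": no_ssh_from_world,
    "default_group_has_no_inbound": default_group_has_no_inbound,
}


def assess(groups: List[SecurityGroup]) -> Dict[str, List[str]]:
    """Map each non-compliant group id to the names of the rules it violates."""
    findings: Dict[str, List[str]] = {}
    for sg in groups:
        failed = [name for name, rule in RULES.items() if rule(sg)]
        if failed:
            findings[sg.group_id] = failed
    return findings


# Constructed sample, shaped like a real describe_security_groups() response.
SAMPLE_RESPONSE = {"SecurityGroups": [
    {"GroupId": "sg-0web", "GroupName": "web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
        {"IpProtocol": "tcp", "FromPort": 20, "ToPort": 30,       # range that includes 22
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []}]},
    {"GroupId": "sg-0dflt", "GroupName": "default", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.10/32"}], "Ipv6Ranges": [], "UserIdGroupPairs": []}]},
    {"GroupId": "sg-0bast", "GroupName": "bastion", "IpPermissions": [
        {"IpProtocol": "-1",                                       # all traffic, no port keys
         "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}], "UserIdGroupPairs": []}]},
    {"GroupId": "sg-0app", "GroupName": "app", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [], "Ipv6Ranges": [], "UserIdGroupPairs": [{"GroupId": "sg-0bast"}]}]},
]}

if __name__ == "__main__":
    for gid, failed in assess(from_describe_security_groups(SAMPLE_RESPONSE)).items():
        print(gid, "violates", ", ".join(failed))
```

Against the live API the adapter is fed by describe_security_groups() per region, exactly where the boto script on the earlier slide made its calls; the rules themselves never see boto3, which is what lets the same predicates run in the commit stage and in continuous monitoring.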
DevSecOps Pipeline v.2 (AWS CodePipeline, with the Compliance-Engine at each stage)
Commit Stage: CFT Validator
Live Test Stage: CFN Deploy Test env -> Assess Test env -> Delete Test stack
Production Stage: CFN Execute Prod Change set -> Production System -> Continuous Monitoring
DevSecOps v.2 Demo
Demonstrating a CI/CD pipeline using native AWS services + Dome9 Compliance Engine...
You are welcome to booth #2107
to continue the discussion
Thank you!
www.dome9.com
