AWS re:Invent 2016: 5 Security Automation Improvements You Can Make by Using Amazon CloudWatch Events and AWS Config Rules (SAC401)

2,115 views

Published on

This session demonstrates 5 different security and compliance validation actions that you can perform using Amazon CloudWatch Events and AWS Config rules. This session focuses on the actual code for the various controls, actions, and remediation features, and how to use various AWS services and features to build them. The demos in this session include CIS Amazon Web Services Foundations validation; host-based AWS Config rules validation using AWS Lambda, SSH, and VPC-E; automatic creation and assigning of MFA tokens when new users are created; and automatic instance isolation based on SSH logons or VPC Flow Logs deny logs. This session focuses on code and live demos.

Published in: Technology

1. © 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Henrik Johansson – Security Solutions Architect. 12/01/16. 5 Security Automation Improvements You Can Make by Using Amazon CloudWatch Events and AWS Config Rules (SAC401)
2. What to expect from the session: Bonus! / Why security automation / Tooling / The anatomy of automation / Demo & code: 5 x Automation / Other resources
3. What to expect from the session (continued). 5 x Automation:
   • Automatic CloudTrail remediation
   • CloudFormation template audit
   • AWS CIS Foundation Framework account assessment
   • Auto MFA for IAM
   • The tainted server – Auto isolation
4. Bonus
5. Bonus. Code available for download as Open Source on GitHub at:
   http://github.com/awslabs/aws-security-automation
   https://github.com/awslabs/aws-security-benchmark
6. Why security automation: Reduce risk of human error
7. Why security automation: Reduce risk of human error - Automation is effective
8. Why security automation: Reduce risk of human error - Automation is effective - Automation is reliable
9. Why security automation: Reduce risk of human error - Automation is effective - Automation is reliable - Automation is scalable
10. Why security automation: Reduce risk of human error
   - Automation is effective
   - Automation is reliable
   - Automation is scalable
   Don’t worry…we still need humans
11. Why security automation (same build as slide 10)
12. Why security automation: High pace of innovation is great
13. Why security automation: We also want to have a high pace of: Detection, Alerting, Remediation, Countermeasures, Forensics
14. AWS Tooling
   Execution: Lambda
   Tracking: AWS Config Rules, Amazon CloudWatch Events, AWS CloudTrail, AWS Inspector
   Track/Log: Amazon CloudWatch Logs, Amazon DynamoDB
   Alert: SNS
   Third party / Open Source
15. The anatomy of security automation
   Mode      | Section         | Actions
   Initiate  | React           | Config Rules / CloudWatch Events / Log Parsing
   Initiate  | Trigger         | Lambda
   Initiate  | Learn           | Lambda / CloudWatch Logs
   Execution | Priority Action | Restart service, delete user, etc.
   Execution | Forensics       | Discover: Who/where/when, allowed to execute?
   Execution | Countermeasure  | Disable access keys, isolate instance, etc.
   Execution | Alert           | Text/Page, email, ticket system
   Execution | Logging         | Database, ticket system, encrypt data?
16. Automatic CloudTrail Remediation
   Solves:
   - Verify that CloudTrail is running.
   - Prevent repeated and future attempts to disable CloudTrail.
   Services used: Lambda, CloudTrail, CloudWatch Events
17. Demo
18. Code highlights
19. Code highlights – Extract event info
20. Code highlights – Execution order #1
21. Code highlights – Forensics
22. Code highlights – Countermeasure
23. Code highlights – Countermeasure
24. Code review
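An added example, not code from the deck or the awslabs/aws-security-automation project, of the handler shape slides 15 to 23 describe: extract the event info from the CloudWatch Events payload, then run the priority action (logging back on), forensics (who/where/when) and countermeasure (block a repeat) in that order. The event layout is the CloudWatch Events "AWS API Call via CloudTrail" envelope; the trail name, user name and access key id in the sample event are constructed, and the two Fake* classes are stand-ins for the boto3 clients (start_logging, get_trail_status and update_access_key are the real boto3 method names, so a real Lambda would pass boto3.client("cloudtrail") and boto3.client("iam") instead).

```python
"""CloudTrail auto-remediation handler in the deck's execution order.
Added example; AWS calls go through injected client objects so it runs
offline against the constructed stubs at the bottom of the block."""


def extract_event_info(event):
    """Pull the fields the pipeline needs out of the CloudWatch Events
    envelope; 'detail' carries the CloudTrail record of the API call."""
    detail = event.get("detail") or {}
    identity = detail.get("userIdentity") or {}
    params = detail.get("requestParameters") or {}
    return {
        "event_name": detail.get("eventName"),
        "trail": params.get("name"),
        "user_type": identity.get("type"),
        "user_name": identity.get("userName"),
        "access_key": identity.get("accessKeyId"),
        "source_ip": detail.get("sourceIPAddress"),
        "time": detail.get("eventTime"),
    }


def handle(event, cloudtrail, iam, forensic_log=None):
    """Execution order #1 is getting logging back on; only then investigate
    and block the caller, so a slow countermeasure never delays the fix."""
    forensic_log = [] if forensic_log is None else forensic_log
    info = extract_event_info(event)
    if info["event_name"] != "StopLogging" or not info["trail"]:
        return {"action": "ignored", "event": info["event_name"]}

    # 1. Priority action: restart the trail and verify it is logging again.
    cloudtrail.start_logging(Name=info["trail"])
    is_logging = cloudtrail.get_trail_status(Name=info["trail"])["IsLogging"]

    # 2. Forensics: who, from where and when, recorded before the
    #    countermeasure so the record exists even if that step fails.
    record = {"who": info["user_name"], "where": info["source_ip"],
              "when": info["time"], "what": "StopLogging " + info["trail"]}
    forensic_log.append(record)

    # 3. Countermeasure: deactivate the access key that issued the call so a
    #    repeat from the same credential fails. Only long-lived IAM user keys
    #    can be handled this way; assumed-role sessions need another response.
    countermeasure = "none"
    if info["user_type"] == "IAMUser" and info["access_key"]:
        iam.update_access_key(UserName=info["user_name"],
                              AccessKeyId=info["access_key"],
                              Status="Inactive")
        countermeasure = "access_key_deactivated"

    return {"action": "remediated", "trail_logging": is_logging,
            "countermeasure": countermeasure, "forensics": record}


class FakeCloudTrail:
    """Constructed stand-in for boto3.client('cloudtrail')."""

    def __init__(self):
        self.logging = {}

    def start_logging(self, Name):
        self.logging[Name] = True
        return {}

    def get_trail_status(self, Name):
        return {"IsLogging": self.logging.get(Name, False)}


class FakeIam:
    """Constructed stand-in for boto3.client('iam')."""

    def __init__(self):
        self.key_status = {}

    def update_access_key(self, UserName, AccessKeyId, Status):
        self.key_status[AccessKeyId] = Status
        return {}


# Constructed CloudWatch Events payload for a StopLogging API call.
SAMPLE_EVENT = {
    "detail-type": "AWS API Call via CloudTrail",
    "detail": {
        "eventSource": "cloudtrail.amazonaws.com",
        "eventName": "StopLogging",
        "eventTime": "2016-12-01T10:00:00Z",
        "sourceIPAddress": "203.0.113.10",
        "userIdentity": {"type": "IAMUser", "userName": "example-user",
                         "accessKeyId": "AKIAEXAMPLEKEY000000"},
        "requestParameters": {"name": "example-trail"},
    },
}


def run_sample():
    """Run the handler against the constructed event with the stub clients."""
    cloudtrail, iam = FakeCloudTrail(), FakeIam()
    result = handle(SAMPLE_EVENT, cloudtrail, iam)
    return result, cloudtrail, iam


if __name__ == "__main__":
    print(run_sample()[0])
```

The ordering is the point: verifying IsLogging after start_logging is what turns "restart the service" into "verify that CloudTrail is running", and writing the forensic record before touching the identity keeps the audit trail of the incident even when the countermeasure is denied or the function times out.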
25. CloudFormation template audit
   Solves:
   - Users deploying infrastructure that does not conform to security policy
   - Reduce risk from unapproved changes to templates
   Services used: CodePipeline, CloudWatch Events, Lambda
26. Code highlights
27. Code highlights - CodePipeline
28. Code highlights - Flow
29. Code highlights – Rules
30. Code highlights – The rules
      'rule': "AllowHttp",
      'category': "SecurityGroup",
      'ruletype': "regex",
      'active': "Y",
      'riskvalue': "3",
      'ruledata': "^.*Ingress.*[fF]rom[pP]ort.\s*:\s*u?.(80)"
31. Code highlights – The rules
      'rule': "SSHOpenToWorld",
      'category': "SecurityGroup",
      'ruletype': "regex",
      'active': "Y",
      'riskvalue': "7",
      'ruledata': "^.*Ingress.*(([fF]rom[pP]ort|[tT]o[pP]ort).\s*:\s*u?.(22).*[cC]idr[iI]p.\s*:\s*u?.((0.){3}0/0)|[cC]idr[iI]p.\s*:\s*u?.((0.){3}0/0).*([fF]rom[pP]ort|[tT]o[pP]ort).\s*:\s*u?.(22))"
32. Code highlights - Evaluating
33. Code highlights - Evaluating
34. Code highlight – Risk and next step
      if risk < 5:
          put_job_success(job_id, 'Job successful, minimal or no risk detected.')
      elif 5 <= risk < 10:
          put_job_success(job_id, 'Job successful, medium risk detected, manual approval needed.')
      elif risk >= 10:
          put_job_failure(job_id, 'Function exception: Failed filters ' + str(failedRules))
35. Code review
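An added example, not code from the deck or the awslabs project, that runs the two rules from slides 30 and 31 against a CloudFormation template and applies the thresholds from slide 34. The regexes are the slides' own (with the backslashes that the slide export dropped restored). Everything else is my assumption, not something the slides state: each resource in the template's Resources map is serialised to a single JSON line and every active regex rule is searched over it, riskvalue is summed across all hits, and the decision comes back as a (status, message) pair in place of the CodePipeline put_job_success / put_job_failure calls. The sample template and its resource names are constructed.

```python
"""Regex rule evaluation for a CloudFormation template audit (added example)."""
import json
import re

# The two rules from the slides; only ruledata matters to the evaluator.
RULES = [
    {"rule": "AllowHttp", "category": "SecurityGroup", "ruletype": "regex",
     "active": "Y", "riskvalue": "3",
     "ruledata": r"^.*Ingress.*[fF]rom[pP]ort.\s*:\s*u?.(80)"},
    {"rule": "SSHOpenToWorld", "category": "SecurityGroup", "ruletype": "regex",
     "active": "Y", "riskvalue": "7",
     "ruledata": r"^.*Ingress.*(([fF]rom[pP]ort|[tT]o[pP]ort).\s*:\s*u?.(22)"
                 r".*[cC]idr[iI]p.\s*:\s*u?.((0.){3}0/0)"
                 r"|[cC]idr[iI]p.\s*:\s*u?.((0.){3}0/0)"
                 r".*([fF]rom[pP]ort|[tT]o[pP]ort).\s*:\s*u?.(22))"},
]


def evaluate(template, rules=RULES):
    """Return (total risk, list of 'Resource:Rule' hits). Assumed model: one
    JSON line per resource, every active regex rule searched over it."""
    risk, failed_rules = 0, []
    for name, resource in template.get("Resources", {}).items():
        text = json.dumps(resource)
        for rule in rules:
            if rule["active"] != "Y" or rule["ruletype"] != "regex":
                continue
            if re.search(rule["ruledata"], text):
                risk += int(rule["riskvalue"])
                failed_rules.append(name + ":" + rule["rule"])
    return risk, failed_rules


def next_step(risk, failed_rules):
    """Thresholds from the 'Risk and next step' slide: below 5 passes, 5 to 9
    passes but flags manual approval, 10 or more fails the pipeline stage."""
    if risk < 5:
        return "success", "Job successful, minimal or no risk detected."
    if risk < 10:
        return "success", "Job successful, medium risk detected, manual approval needed."
    return "failure", "Function exception: Failed filters " + str(failed_rules)


def audit(template, rules=RULES):
    """Evaluate and decide in one call; the dict is what a Lambda would log."""
    risk, failed_rules = evaluate(template, rules)
    status, message = next_step(risk, failed_rules)
    return {"risk": risk, "failed": failed_rules,
            "status": status, "message": message}


def security_group(description, from_port, to_port, cidr):
    """Build a minimal AWS::EC2::SecurityGroup resource for the sample."""
    return {"Type": "AWS::EC2::SecurityGroup",
            "Properties": {"GroupDescription": description,
                           "SecurityGroupIngress": [{"IpProtocol": "tcp",
                                                     "FromPort": from_port,
                                                     "ToPort": to_port,
                                                     "CidrIp": cidr}]}}


# Constructed sample: a web group (risk 3) and an SSH-to-world group (risk 7).
SAMPLE_TEMPLATE = {
    "AWSTemplateFormatVersion": "2010-09-09",
    "Resources": {
        "WebSg": security_group("web", "80", "80", "10.0.0.0/8"),
        "BastionSg": security_group("bastion", "22", "22", "0.0.0.0/0"),
    },
}

if __name__ == "__main__":
    print(audit(SAMPLE_TEMPLATE))
```

Two properties of the slides' regexes are worth knowing before reusing them: AllowHttp matches any port whose digits start with 80 (8080 fires it too), and because each rule is searched over a flattened resource, a group with one entry for port 22 from a private range and another entry for a different port from 0.0.0.0/0 still satisfies SSHOpenToWorld. A structured check over the parsed SecurityGroupIngress entries avoids both; the regex form is what the deck uses because it lets rules live as data rows.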
36. AWS CIS Foundation Framework account assessment
   Solves:
   - Validate AWS account against security best practices
   - Integrate with AWS Config
   - Create report for easy and secure consumption
   Services used: Lambda, Config Rules
   References: AWS CIS Foundation Framework validation
37. Demo
38. Code highlights
39. Code highlight - Options
40. Code highlight - Options
41. Code highlight - Control structure
42. Code highlight - Control structure
43. Code highlight - Control structure
44. Code highlight - Control structure
45. Code highlight – Result - Config
46. Code highlight – Result - Config
47. Code highlight – Result – Config - Annotation
48. Code highlight – Result – HTML Report
49. Code highlight – Result – S3 Pre-Signed URL
50. Code highlight – Result – S3 Pre-Signed URL
51. Code review
52. Auto MFA for IAM
   Solves:
   - Automatic creation and assignment of virtual MFA for new IAM users.
   - Removes time-consuming tasks for single and bulk operations
   - No requirement for user interaction or for granting self-service permissions via IAM policy
   Services used: CloudWatch Events, Lambda and IAM
53. Demo
54. Code highlights
55. Code highlight – Priority action
56. Code highlight – Create virtual MFA
57. Code highlight – Enable MFA
58. Code highlight – Enable MFA
59. Code highlight – Calculate tokens
60. Code highlight – Assign MFA
61. Code highlight – Assign MFA
62. Code highlight – Encrypt string
63. Code review
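An added example, not code from the deck or the awslabs project, of the "Create virtual MFA", "Calculate tokens" and "Enable MFA" steps on slides 56 to 59. IAM only activates a virtual MFA device when handed two consecutive codes, so a Lambda that enrols users without their involvement has to derive those codes itself from the Base32 seed the device is created with. totp() is RFC 6238 (HMAC-SHA1, 30-second step, 6 digits), which is what AWS virtual MFA devices use; that the two codes are taken from the current window and the following one is my assumption. FakeIam is a constructed stand-in for boto3.client("iam") using the real method names create_virtual_mfa_device and enable_mfa_device; the seed and account id in it are constructed (the seed is RFC 6238's published reference key).

```python
"""Two consecutive TOTP codes from a virtual MFA seed (added example)."""
import base64
import hashlib
import hmac
import struct
import time


def totp(seed_b32, unix_time, step=30, digits=6):
    """RFC 6238 code for the time window containing unix_time."""
    key = base64.b32decode(seed_b32.upper())
    counter = int(unix_time) // step
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def consecutive_codes(seed_b32, unix_time, step=30):
    """The pair IAM asks for: this window's code and the next window's."""
    return totp(seed_b32, unix_time, step), totp(seed_b32, unix_time + step, step)


def enroll_virtual_mfa(iam, user_name, now=None):
    """Create the device, compute two codes from its seed and enable it for
    the user. Returns (serial number, seed); the seed has to reach the user
    over an encrypted channel (the deck's 'Encrypt string' step) and must
    never be written to logs."""
    now = time.time() if now is None else now
    response = iam.create_virtual_mfa_device(VirtualMFADeviceName=user_name)
    device = response["VirtualMFADevice"]
    seed = device["Base32StringSeed"].decode()   # boto3 returns it as bytes
    code1, code2 = consecutive_codes(seed, now)
    iam.enable_mfa_device(UserName=user_name, SerialNumber=device["SerialNumber"],
                          AuthenticationCode1=code1, AuthenticationCode2=code2)
    return device["SerialNumber"], seed


# Constructed seed: the RFC 6238 reference key "12345678901234567890" in Base32.
SAMPLE_SEED = base64.b32encode(b"12345678901234567890")


class FakeIam:
    """Constructed stand-in for boto3.client('iam'); records what it is told
    so the codes can be checked against an independent TOTP computation."""

    def __init__(self, seed=SAMPLE_SEED):
        self.seed, self.codes, self.enabled = seed, {}, {}

    def create_virtual_mfa_device(self, VirtualMFADeviceName):
        serial = "arn:aws:iam::123456789012:mfa/" + VirtualMFADeviceName
        return {"VirtualMFADevice": {"SerialNumber": serial,
                                     "Base32StringSeed": self.seed}}

    def enable_mfa_device(self, UserName, SerialNumber,
                          AuthenticationCode1, AuthenticationCode2):
        self.codes[UserName] = (AuthenticationCode1, AuthenticationCode2)
        self.enabled[UserName] = SerialNumber
        return {}


if __name__ == "__main__":
    print(enroll_virtual_mfa(FakeIam(), "example-user")[0])
```

The function that holds the seed is the sensitive part of this design: whoever can read the Lambda's logs or its environment can mint valid codes, which is why the deck pairs token calculation with an encrypt step before the seed leaves the function.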
64. The tainted server – Auto isolation
   Solves:
   • Enforces immutable infrastructure
   • Automatically isolate instances for further forensics upon events like local SSH logons or an increase in Deny entries discovered in VPC Flow Logs
   Services used: CloudWatch Events, Config Rules, Lambda, VPC Flow Logs and discovery trigger
65. Demo
66. Code highlights
67. Code highlight – Individual instances
68. Code highlight – Get tainted
69. Code highlight – Get tainted
70. Code highlight – Get tainted
71. Code highlight – Get tainted
72. Code highlight – Detach Auto Scaling Group
73. Code highlight – Detach Auto Scaling Group
74. Code highlight – Identify security group
75. Code highlight – Identify security group
76. Code highlight – Identify security group
77. Code highlight – Identify security group
78. Code review
79. Other resources / Open Source. Some of the projects out there:
   • ThreatResponse.cloud https://threatresponse.cloud
   • Cloud Custodian https://github.com/capitalone/cloud-custodian
   • Security Monkey https://github.com/Netflix/security_monkey
   • FIDO https://github.com/Netflix/Fido
   • CloudSploit https://github.com/cloudsploit
   And many more…
80. Bonus. Code available for download as Open Source on GitHub at:
   http://github.com/awslabs/aws-security-automation
   https://github.com/awslabs/aws-security-benchmark
81. Related Sessions
   SEC301 - Audit Your AWS Account Against Industry Best Practices: The CIS AWS Benchmarks
   SEC311 - How to Automate Policy Validation
   SEC313 - Automating Security Event Response, from Idea to Code to Execution
   SAC315 - Scaling Security Operations and Automating Governance: Which AWS Services Should I Use?
   SEC401 - Automated Formal Reasoning About AWS Systems
82. Thank you!
83. Remember to complete your evaluations!