With security-relevant services such as AWS Config, VPC Flow Logs, Amazon CloudWatch Events, and AWS Lambda, you now have the ability to programmatically wrangle security events that may occur within your AWS environment, including prevention, detection, response, and remediation. This session covers the process of automating security event response with various AWS building blocks, taking several ideas from drawing board to code, and gaining confidence in your coverage by proactively testing security monitoring and response effectiveness before anyone else does.
2. What to expect from the session
• Iteration of previous re:Invent talks
• Methodology for implementing security automation ideas
• Decision support to match AWS mechanisms to goals
• Code
• Additional resources
• Demos!
7. Building on previous talks
YouTube search
• “Intrusion Detection in the Cloud” 2014
• “Incident Response (IR) in the Cloud” 2014
• “Wrangling Security Events in The Cloud” 2015
SlideShare search
• “Enforcing Your Security Policy at Scale” 2016
8. You’ve probably seen this before
Shared responsibility model (diagram):
• AWS is responsible for the security OF the Cloud
• AWS foundation services: compute, storage, database, networking
• AWS global infrastructure: Regions, Availability Zones, Edge locations
• Customers are responsible for their security IN the Cloud
• Customer content
• Platform, applications, IAM
• Operating system, network, and firewall configuration
• Client-side data encryption, server-side data encryption, network traffic protection
9. Getting from here to there
• Understand AWS security practice
• Build strong compliance foundations
• Integrate IAM
• Enable detective controls
• Establish network security
• Implement data protection
• Optimize change management
• Automate security functions
12. Putting it all together
Components in the architecture diagram:
• AWS CloudTrail
• Amazon CloudWatch Events
• AWS Lambda
• Amazon Simple Notification Service
• AWS API endpoints
• Your staff
• Amazon S3 bucket
• Your security team
• AWS IAM role
• AWS API
• Your SaaS tools
13. Questions you will need to answer
• What is my expressed security objective in words?
• Is this configuration or behavior related?
• What data, where, could help inform me?
• Do I have requisite ownership or visibility?
• What are my performance requirements?
• What mechanisms support the above?
• What is my expressed security objective in code?
14. Security objective
• “I would like to push a button that launches a penetration test on my AWS environment”
• “I want to know when someone turns off AWS CloudTrail and automatically turn it back on”
• “I need to prevent my developers launching EC2 instances from unapproved Amazon Machine Images”
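The second objective, expressed in code as the talk suggests: an AWS Lambda handler invoked by an Amazon CloudWatch Events rule on CloudTrail API calls, which re-enables a trail whenever a StopLogging call is seen. This is an added example, not code from the talk; the event shape follows the "AWS API Call via CloudTrail" detail type, and the account ID, trail ARN and user ARN are constructed values.

```python
"""Lambda handler for the 'turn CloudTrail back on' objective (added example, not the talk's code).
Assumes a CloudWatch Events rule on CloudTrail API calls invokes it; ARNs and account IDs are constructed.
"""

# Constructed sample event in the shape CloudWatch Events delivers for an
# "AWS API Call via CloudTrail" event (most fields trimmed for brevity).
SAMPLE_EVENT = {
    "detail-type": "AWS API Call via CloudTrail",
    "source": "aws.cloudtrail",
    "detail": {
        "eventSource": "cloudtrail.amazonaws.com",
        "eventName": "StopLogging",
        "userIdentity": {"arn": "arn:aws:iam::123456789012:user/example-user"},
        "requestParameters": {
            "name": "arn:aws:cloudtrail:us-east-1:123456789012:trail/example-trail"
        },
    },
}


class RecordingCloudTrail:
    """Stand-in for boto3's CloudTrail client so the example runs offline."""
    def __init__(self):
        self.started = []

    def start_logging(self, Name):
        self.started.append(Name)


def trail_to_restart(event):
    """Return the trail named in a CloudTrail StopLogging call, else None."""
    detail = event.get("detail") or {}
    if detail.get("eventSource") != "cloudtrail.amazonaws.com":
        return None
    if detail.get("eventName") != "StopLogging":
        return None
    return (detail.get("requestParameters") or {}).get("name")


def handler(event, context=None, cloudtrail=None):
    """Lambda entry point: re-enable the trail and report who stopped it."""
    trail = trail_to_restart(event)
    if trail is None:
        return {"action": "ignored"}
    if cloudtrail is None:
        import boto3  # real client only inside Lambda; the execution role needs cloudtrail:StartLogging
        cloudtrail = boto3.client("cloudtrail")
    cloudtrail.start_logging(Name=trail)  # the same API call that turns logging back on in the console
    actor = (event["detail"].get("userIdentity") or {}).get("arn", "unknown")
    return {"action": "restarted", "trail": trail, "actor": actor}
```

The returned dict is what you would publish to the Amazon SNS topic from the architecture slide so the security team learns who stopped the trail; the CloudWatch Events rule itself only needs to match `source` aws.cloudtrail and `eventName` StopLogging.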
50. Other AWS security resources
• Support
https://aws.amazon.com/support
• AWS Cloud Security
https://aws.amazon.com/security
• Contact the AWS security team
aws-security@amazon.com
51. Related sessions
• SAC305 “How AWS Automates Internal Compliance at Massive Scale Using AWS Services”
• SAC316 “Security Automation: Spend Less Time Securing Your Applications”
• SAC401 “5 Security Automation Improvements You Can Make by Using Amazon CloudWatch Events and AWS Config Rules”
• SAC315 “Scaling Security Operations and Automating Governance: Which AWS Services Should I Use?”
53. Summary
• Security agility with AWS more achievable than ever
• Identify and express your security goals, as code even
• Choose your own adventure, leverage Support
• And remember, when it comes to security event response …
There are TWO ways to get practice, but you only get to choose ONE ;)