With security-relevant services such as AWS Config, VPC Flow Logs, Amazon CloudWatch Events, and AWS Lambda, you now have the ability to programmatically wrangle security events that may occur within your AWS environment, including prevention, detection, response, and remediation. This session covers the process of automating security event response with various AWS building blocks, taking several ideas from drawing board to code, and gaining confidence in your coverage by proactively testing security monitoring and response effectiveness before anyone else does.

1. © 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Brian Wagner, AWS Professional Services
Don “Beetle” Bailey, AWS Security
November 29, 2016
SEC313
Automating Security Event
Response

2. What to expect from the session
• Iteration of previous re:Invent talks
• Methodology for implementing security automation ideas
• Decision support to match AWS mechanisms to goals
• Code
• Additional resources
• Demos!

3. We came (with a demo) from a
land down under …!

7. Building on previous talks
YouTube search
• “Intrusion Detection in the Cloud”  2014
• “Incident Response (IR) in the Cloud”  2014
• “Wrangling Security Events in The Cloud”  2015
SlideShare search
• “Enforcing Your Security Policy at Scale”  2016

8. You’ve probably seen this before
AWS foundation Services
Compute Storage Database Networking
AWS global
infrastructure
Regions
Availability
Zones
Edge
locations
Client-side data
encryption
Server-side data
encryption
Network traffic
protection
Platform, applications, IAM
Operating system, network, and firewall configuration
Customer content
Customers
Customers are
responsible for
their security IN
the Cloud
AWS is
responsible for
the security OF
the Cloud

9. Getting from here to there
Understand
AWS
security
practice
Build strong
compliance
foundations
Integrate IAM Enable
detective
controls
Establish
network
security
Implement
data
protection
Optimize
change
management
Automate
security
functions

12. Putting it all together
AWS
CloudTrail
Amazon
CloudWatch
Events
AWS
Lambda
Amazon
Simple
Notification
Service
AWS API
endpoints
Your Staff Amazon S3
bucket
Your
security
team
AWS
IAM
role
AWS API
Your SaaS
tools

13. Questions you will need to answer
• What is my expressed security objective in words?
• Is this configuration or behavior related?
• What data, where, could help inform me?
• Do I have requisite ownership or visibility?
• What are my performance requirements?
• What mechanisms support the above?
• What is my expressed security objective in code?

14. Security objective
“I would like to push a button that launches a penetration
test on my AWS environment”
“I want to know when someone turns off AWS CloudTrail
and automatically turn it back on”
“I need to prevent my developers launching EC2 instances
from unapproved Amazon Machine Images”

15. Configuration vs behavior

16. Locate the right data

17. Establish ownership and visibility for access

18. Soon vs later vs whenever

19. Service and feature selection

20. Make it so

21. The high-level playbook …
CloudWatch
Events event
Adversary
(or Intern)
Your environment Responder

22. Here. We. GO!

23. Demo: “If someone turns
CloudTrail off, turn it back on.”

24. Adversary
cloudtrail:StopLogging
CloudTrail

25. CloudWatch
Events event
Adversary
{
"detail-type": [ "AWS API Call via CloudTrail" ],
"detail": {
"eventSource": [ "cloudtrail.amazonaws.com" ],
"eventName": [ "StopLogging" ]
}
}

26. Adversary Responder
cloudtrail.start_logging

27. Demo: “I only want approved
managed policies attached to
IAM users”

28. Adversary
iam.attach_user_policy(
UserName='Bill',
PolicyArn='arn:aws:iam::aws:policy/PowerUserAccess'
)
IAM

29. CloudWatch
Events event
Adversary
{
"detail-type": [ "AWS API Call via CloudTrail" ],
"detail": {
"eventSource": [ "iam.amazonaws.com" ],
"eventName": [
"AttachGroupPolicy",
"AttachRolePolicy",
"AttachUserPolicy"
]
}
}

30. Adversary Responder
iam.detach_user_policy

31. Demo: “Do not allow inline IAM
policies”

32. Adversary
iam.put_user_policy(
UserName='Bill',
PolicyName='AdministratorAccess',
PolicyDocument=adminpolicy
)
IAM
adminpolicy = {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "*",
"Resource": "*"
}
]
}

33. CloudWatch
Events event
Adversary
{
"detail-type": [ "AWS API Call via CloudTrail" ],
"detail": {
"eventSource": [ "iam.amazonaws.com" ],
"eventName": [
”PutGroupPolicy",
”PutRolePolicy",
”PutUserPolicy"
]
}
}

34. Adversary Responder
iam.delete_user_policy

35. Demo: “Only allow EC2
instances launched from
approved AMIs and with
appropriate subnets and
security groups”

36. ImageId=ami-f9dd458a
SubnetId=subnet-a8aa4ef0
SecurityGroups=[
GroupId=sg-45533823
]
EC2

37. CloudWatch
Events event
{
"detail-type": [
"EC2 Instance State-change Notification"
],
"detail": {
"state": [ "pending" ]
},
"source": [ "aws.ec2" ]
}

38. Responder
# check if the AMI is approved
# check if AMI is used in correct subnet
# check if AMI was launched with approved security group

39. DynamoDB
{
"ami": "ami-0d77397e",
"region": "eu-west-1",
"security_groups": [
"sg-cc9a3aaa"
],
"subnets": [
"subnet-ac3d7cda",
"subnet-2f9c1677"
]
},
{
"ami": "ami-f9dd458a",
"region": "eu-west-1",
"security_groups": [
"sg-ee9a3a88"
],
"subnets": [
"subnet-ad3d7cdb",
"subnet-2e9c1676"
]
}

40. {
'Time': int(time.time()),
'Source': 'auto.responder.level1',
'Resources': [ str(instance_id) ],
'DetailType': 'activeResponse',
'Detail': {
'instance': instance_id,
'actionsRequested': 'instanceTermination'
}
}
Event

41. CloudWatch
Event events
{
"detail-type": [
"activeResponse"
],
"source": [
"auto.responder.level1"
]
}

42. L2 responder
ec2.terminate_instances

43. Demo: “Alexa, launch AWS
Security Tools”

50. Other AWS security resources
• Support
https://aws.amazon.com/support
• AWS Cloud Security
https://aws.amazon.com/security
• Contact the AWS security team
aws-security@amazon.com

51. Related sessions
• SAC305 “How AWS Automates Internal Compliance at
Massive Scale Using AWS Services”
• SAC316 “Security Automation: Spend Less Time
Securing Your Applications”
• SAC401 “5 Security Automation Improvements You Can
Make by Using Amazon CloudWatch Events and AWS
Config Rules”
• SAC315 “Scaling Security Operations and Automating
Governance: Which AWS Services Should I Use?”

53. Summary
• Security agility with AWS more achievable than ever
• Identify and express your security goals, as code even
• Choose your own adventure, leverage Support
• And remember, when it comes to security event
response …
There are TWO ways to get practice, but you only get to
choose ONE ;)

54. Thank you!

55. Remember to complete
your evaluations!