AWS re:Invent 2016: 5 Security Automation Improvements You Can Make by Using Amazon CloudWatch...

Post on 16-Apr-2017

Transcript of AWS re:Invent 2016: 5 Security Automation Improvements You Can Make by Using Amazon CloudWatch...

© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

Henrik Johansson – Security Solutions Architect

12/01/16

5 Security Automation Improvements You Can Make by Using Amazon CloudWatch Events and AWS Config Rules

SAC401

What to expect from the session

Bonus!

Why security automation

Tooling

The anatomy of automation

Demo & code 5 x Automation

Other resources

5 x Automation

• Automatic CloudTrail remediation

• CloudFormation template audit

• AWS CIS Foundation Framework account assessment

• Auto MFA for IAM

• The tainted server – Auto isolation

Bonus

Code available for download as Open Source on GitHub at:

http://github.com/awslabs/aws-security-automation

https://github.com/awslabs/aws-security-benchmark

Why security automation

Reduce risk of human error

- Automation is effective

- Automation is reliable

- Automation is scalable

Don’t worry…we still need humans

Why security automation

High pace of innovation is great

Why security automation

We also want to have high pace of:

Detection

Alerting

Remediation

Countermeasures

Forensics

AWS Tooling

Execution

• Lambda

Tracking

• AWS Config Rules

• Amazon CloudWatch Events

• AWS CloudTrail

• AWS Inspector

Track/Log

• Amazon CloudWatch Logs

• Amazon DynamoDB

Alert

• SNS

Third party Open Source

The anatomy of security automation

Mode        Section          Actions
Initiate    React            Config Rules / CloudWatch Events / Log Parsing
            Trigger          Lambda
            Learn            Lambda / CloudWatch Logs
Execution   Priority Action  Restart service, delete user, etc.
            Forensics        Discover: Who/where/when, allowed to execute?
            Countermeasure   Disable access keys, isolate instance, etc.
            Alert            Text/Page, email, ticket system
            Logging          Database, ticket system, encrypt data?

Automatic CloudTrail Remediation

Solves:

- Verify that CloudTrail is running.

- Prevent repeated and future attempts to disable CloudTrail

Services used:

Lambda, CloudTrail, CloudWatch Events

Demo

Code highlights

Code highlights – Extract event info

Code highlights – Execution order

#1

Code highlights – Forensics

Code highlights – Countermeasure

Code review
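The remediation flow above, written out as an added example (not the awslabs code): a Lambda-style handler that follows the deck's execution order of priority action, forensics, countermeasure and alert. The AWS clients are passed in as parameters so the logic runs offline; FakeClient, the handler signature, the SNS topic ARN and the sample event are assumptions of this example.

```python
class FakeClient:
    """Stand-in for a boto3 client (constructed here): records calls, returns canned data."""
    def __init__(self, responses=None):
        self.calls, self.responses = [], responses or {}

    def __getattr__(self, api):
        def call(**kwargs):
            self.calls.append((api, kwargs))
            return self.responses.get(api, {})
        return call

def extract_event_info(event):
    """Forensic fields from a CloudWatch Events 'AWS API Call via CloudTrail' event."""
    d, who = event['detail'], event['detail'].get('userIdentity', {})
    return {'eventName': d['eventName'], 'time': d['eventTime'],
            'sourceIp': d.get('sourceIPAddress'), 'actorType': who.get('type'),
            'actorName': who.get('userName'),
            'trail': d.get('requestParameters', {}).get('name')}

def handler(event, cloudtrail, iam, sns, topic_arn):
    """Deck's execution order: priority action, forensics, countermeasure, alert."""
    info = extract_event_info(event)
    if info['eventName'] != 'StopLogging':
        return []                       # not the event this rule is for
    actions = []
    # 1. Priority action: get the trail logging again before anything else.
    cloudtrail.start_logging(Name=info['trail'])
    actions.append('start_logging:' + info['trail'])
    # 2./3. Forensics drive the countermeasure: deactivate (not delete) the keys
    # of the IAM user who stopped the trail, so the evidence is kept.
    if info['actorType'] == 'IAMUser' and info['actorName']:
        keys = iam.list_access_keys(UserName=info['actorName'])
        for key in keys.get('AccessKeyMetadata', []):
            if key['Status'] == 'Active':
                iam.update_access_key(UserName=info['actorName'],
                                      AccessKeyId=key['AccessKeyId'], Status='Inactive')
                actions.append('deactivate_key:' + key['AccessKeyId'])
    # 4. Alert with the forensic summary; the returned list is what gets logged.
    sns.publish(TopicArn=topic_arn, Subject='CloudTrail stopped and restored',
                Message=str(info))
    actions.append('alert')
    return actions

# Constructed sample event: placeholder account ID and a TEST-NET source address.
SAMPLE_EVENT = {'detail-type': 'AWS API Call via CloudTrail', 'detail': {
    'eventSource': 'cloudtrail.amazonaws.com', 'eventName': 'StopLogging',
    'eventTime': '2016-12-01T10:00:00Z', 'sourceIPAddress': '203.0.113.7',
    'userIdentity': {'type': 'IAMUser', 'userName': 'alice'},
    'requestParameters': {'name': 'arn:aws:cloudtrail:us-east-1:123456789012:trail/main'}}}
```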

CloudFormation template audit

Solves:

- Users deploying infrastructure that does not conform to security policy

- Reduce risk from unapproved changes to templates

Services used:

CodePipeline, CloudWatch Events, Lambda

Code highlights

Code highlights - CodePipeline

Code highlights - Flow

Code highlights – Rules

Code highlights – The rules

'rule': "AllowHttp",
'category': "SecurityGroup",
'ruletype': "regex",
'active': "Y",
'riskvalue': "3",
'ruledata': "^.*Ingress.*[fF]rom[pP]ort.\s*:\s*u?.(80)"

Code highlights – The rules

'rule': "SSHOpenToWorld",
'category': "SecurityGroup",
'ruletype': "regex",
'active': "Y",
'riskvalue': "7",
'ruledata': "^.*Ingress.*(([fF]rom[pP]ort|[tT]o[pP]ort).\s*:\s*u?.(22).*[cC]idr[iI]p.\s*:\s*u?.((0\.){3}0\/0)|[cC]idr[iI]p.\s*:\s*u?.((0\.){3}0\/0).*([fF]rom[pP]ort|[tT]o[pP]ort).\s*:\s*u?.(22))"

Code highlights - Evaluating

Code highlight – Risk and next step

if risk < 5:
    put_job_success(job_id, 'Job successful, minimal or no risk detected.')
elif 5 <= risk < 10:
    put_job_success(job_id, 'Job successful, medium risk detected, manual approval needed.')
elif risk >= 10:
    put_job_failure(job_id, 'Function exception: Failed filters ' + str(failedRules))
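The two rules and the risk thresholds above, worked through as an added example (not the awslabs pipeline code). The regexes are copied as shown on the slides; evaluating per resource instead of over the whole template is this example's choice, so each hit is attributed to a logical ID. The function names and the sample template are assumptions.

```python
import re

# The two slide rules, regexes copied as-is. They match the Python str() form of
# the parsed template, which is why a u'' prefix and either quote style are tolerated.
RULES = [
    {'rule': "AllowHttp", 'category': "SecurityGroup", 'ruletype': "regex",
     'active': "Y", 'riskvalue': "3",
     'ruledata': r"^.*Ingress.*[fF]rom[pP]ort.\s*:\s*u?.(80)"},
    {'rule': "SSHOpenToWorld", 'category': "SecurityGroup", 'ruletype': "regex",
     'active': "Y", 'riskvalue': "7",
     'ruledata': r"^.*Ingress.*(([fF]rom[pP]ort|[tT]o[pP]ort).\s*:\s*u?.(22).*[cC]idr[iI]p"
                 r".\s*:\s*u?.((0\.){3}0\/0)|[cC]idr[iI]p.\s*:\s*u?.((0\.){3}0\/0).*"
                 r"([fF]rom[pP]ort|[tT]o[pP]ort).\s*:\s*u?.(22))"},
]

def evaluate(template, rules=RULES):
    """Run every active regex rule over each resource of a parsed template.
    Returns (total_risk, failed) with failed as (rule name, logical ID) pairs.
    Matching per resource (an assumption here) attributes every hit to a logical
    ID; a rule's riskvalue is added once per resource it matches."""
    total_risk, failed = 0, []
    for logical_id, resource in template.get('Resources', {}).items():
        flattened = str(resource)          # the text form the rules are written against
        for rule in rules:
            if rule['active'] != "Y" or rule['ruletype'] != "regex":
                continue
            if re.search(rule['ruledata'], flattened):
                total_risk += int(rule['riskvalue'])
                failed.append((rule['rule'], logical_id))
    return total_risk, failed

def next_step(risk, failed):
    """Pipeline decision from the slides: <5 pass, 5..9 pass but needs manual
    approval, >=10 fail the CodePipeline job with the failed rule names."""
    if risk < 5:
        return 'success', 'Job successful, minimal or no risk detected.'
    if risk < 10:
        return 'success', 'Job successful, medium risk detected, manual approval needed.'
    return 'failure', 'Function exception: Failed filters ' + str([r for r, _ in failed])

# Constructed sample template: a web tier group plus an admin group that opens
# SSH to the whole internet.
SAMPLE_TEMPLATE = {'Resources': {
    'WebSG': {'Type': 'AWS::EC2::SecurityGroup', 'Properties': {'SecurityGroupIngress': [
        {'IpProtocol': 'tcp', 'FromPort': '80', 'ToPort': '80', 'CidrIp': '0.0.0.0/0'}]}},
    'AdminSG': {'Type': 'AWS::EC2::SecurityGroup', 'Properties': {'SecurityGroupIngress': [
        {'IpProtocol': 'tcp', 'FromPort': '22', 'ToPort': '22', 'CidrIp': '0.0.0.0/0'}]}}}}
```

Because the rules match a flattened text form, a 0.0.0.0/0 CIDR and a port 22 that sit in different ingress entries of the same resource still trigger SSHOpenToWorld; matching per ingress entry would be tighter.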

Code review

AWS CIS Foundation Framework account assessment

Solves:

- Validate AWS account against security best practices

- Integrate with AWS Config

- Create report for easy and secure consumption

Services used:

Lambda, Config Rules

References:

AWS CIS Foundation Framework validation

Demo

Code highlights

Code highlight - Options

Code highlight - Control structure

Code highlight – Result - Config

Code highlight – Result – Config - Annotation

Code highlight – Result – HTML Report

Code highlight – Result – S3 Pre-Signed URL

Code review

Auto MFA for IAM

Solves:

- Automatic creation and assignment of virtual MFA for new IAM users.

- Removes time-consuming tasks for single and bulk operations

- No need for user interaction or for granting self-service permissions via IAM policy

Services used:

CloudWatch Events, Lambda and IAM

Demo

Code highlights

Code highlight – Priority action

Code highlight – Create virtual MFA

Code highlight – Enable MFA

Code highlight – Calculate tokens

Code highlight – Assign MFA

Code highlight – Encrypt string

Code review
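The create, calculate tokens and assign steps above, as an added example (not the awslabs code): the standard TOTP algorithm used by virtual MFA apps produces the two consecutive codes that EnableMFADevice requires, so enrolment needs no user interaction. The function names are assumptions; the seed used for the stand-alone check is the RFC 6238 test vector, not a real device seed.

```python
import base64, hashlib, hmac, struct

def totp(seed_b32, unix_time, step=30, digits=6):
    """RFC 6238 TOTP over HMAC-SHA1, the code a virtual MFA device would show."""
    key = base64.b32decode(seed_b32)
    counter = struct.pack('>Q', int(unix_time) // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    code = struct.unpack('>I', mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def consecutive_codes(seed_b32, unix_time, step=30):
    """EnableMFADevice needs two consecutive codes: current window and the next."""
    return totp(seed_b32, unix_time, step), totp(seed_b32, unix_time + step, step)

def enroll_virtual_mfa(iam, user_name, unix_time):
    """Create a virtual MFA device and bind it to the user without any user
    interaction: the seed returned by IAM is used to compute the two codes.
    `iam` is a boto3 IAM client (or a stand-in with the same two methods).
    Returns (serial, seed); the seed must be encrypted (the deck's 'Encrypt
    string' step, e.g. with KMS) before it is stored or handed to the user."""
    device = iam.create_virtual_mfa_device(VirtualMFADeviceName=user_name)['VirtualMFADevice']
    serial, seed = device['SerialNumber'], device['Base32StringSeed']
    code1, code2 = consecutive_codes(seed, unix_time)
    iam.enable_mfa_device(UserName=user_name, SerialNumber=serial,
                          AuthenticationCode1=code1, AuthenticationCode2=code2)
    return serial, seed

# RFC 6238 test seed (ASCII '12345678901234567890' in Base32), used as a
# constructed stand-in for the seed IAM would return.
RFC6238_SEED = b'GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ'
```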

The tainted server – Auto isolation

Solves:

• Enforces immutable infrastructure

• Automatically isolates instances for further forensics upon events such as local SSH logons or an increase in Deny entries discovered in VPC Flow Logs

Services used:

CloudWatch Events, Config Rules, Lambda, VPC Flow Logs and a discovery trigger

Demo

Code highlights

Code highlight – Individual instances

Code highlight – Get tainted

Code highlight – Detach Auto Scaling Group

Code highlight – Identify security group

Code review

Other resources / Open Source

Some of the projects out there:

• ThreatResponse.cloud https://threatresponse.cloud

• Cloud Custodian https://github.com/capitalone/cloud-custodian

• Security Monkey https://github.com/Netflix/security_monkey

• FIDO https://github.com/Netflix/Fido

• CloudSploit https://github.com/cloudsploit

And many more…

Related Sessions

SEC301 - Audit Your AWS Account Against Industry Best Practices: The CIS AWS Benchmarks

SEC311 - How to Automate Policy Validation

SEC313 - Automating Security Event Response, from Idea to Code to Execution

SAC315 - Scaling Security Operations and Automating Governance: Which AWS Services Should I Use?

SEC401 - Automated Formal Reasoning About AWS Systems

Thank you!

Remember to complete your evaluations!