Post on 30-May-2020
@MargoCroninSenior Solutions ArchitectAmazon Web Services
Security Automation on AWS
DEV OPSSec
AWS Pace of Innovation
0
250
500
750
1000
1250
1500
2010 2012 2014 2017
Launches
1,430 new features/services launched in 2017
61159
516
1430
Deployments at amazon.com
Terminology Disclaimer
import re
re.search('([Dd]ev[Ss]ec|[Ss]ec[Dd]ev|[Rr]ugged\s[Dd]ev)[Oo]ps')
=Security automation
Terminology Disclaimer
import re
re.search('([Dd]ev[Ss]ec|[Ss]ec[Dd]ev|[Rr]ugged\s[Dd]ev)[Oo]ps')
=Security automation
at scale
A fundamental principle of DevOps is automation!
People make mistakes
People bend the rules People act with malice
Machines don’tstill
4 steps to enable Security automation
at scale
Step 1 Establish your level of Trust
…. Select & configure your tools based on your level of Trust
0 100?
AWS KMSAWS Managed KeysAWS Secret ManagerAWS CloudHSM
Customer Managed KeysHardware Security Module
Customer Managed KeysAWS Key Management Service
Step 1 Establish your level of Trust….
TRUST
0
Deploy Kubernetes NativelyYou manage:- Etcd- Worker nodes- Masters
TRUST
Elastic Kubernetes Service- Kubernetes endpoint- Managed master nodes- Native integration with AWS
TRUST
Photo by Jp Valery on Unsplash
Elastic Kubernetes ServiceAPI endpoint authenticationEtcd volumes encrypted
TRUST
More to Automate
TRUST
MoreAutomated
But no matter where you are on the trust scale, plan to integrate security automation
Step 2Security by Design
What to Expect from the Session
SecurityOwnership
Security EpicsIdentity & Access
Mgt
Config & Vulner -ability
Analysis
Incidence Response
Infra-structure Security
Logging & Monitoring
Data Protection
Secure CI/CD
Privacy by Design
- Every member of your team is a security owner
- Decompose Epics to functional stories
- Create security related acceptance criteria
- Same CI/CD pipeline to roll out security features
Step 3What are you securing?
Step 3 What are you securing
1. Security of the CI/CD Pipeline• Access roles• Hardening build servers/nodes
2. Security in the CI/CD Pipeline• Artifact validation• Static code analysis
CI/CD for DevOps
Version Control CI Server
Package Builder
Deploy ServerCommit to
Git/masterDev
Get / PullCode
Images
Send build report to DevStop everything if build failed
Distributed BuildsRun Tests in parallel
Staging Env
Test EnvCodeConfigTests
Prod Env
Push
Config InstallCreate
Artifact RepoDeployment templates for infrastructure
Generate
Version Control CI Server
Package Builder
Promote ProcessBlock creds
From gitDev
Get / PullCode
Images
Log for audit
Staging Env
Test EnvCodeConfigTests
Prod Env
Audit/Validate
Config Checksum
ContinuousScan
CI/CD for DevSecOps
Send build report to SecurityStop everything if audit/validation failed
Deployment templates for infrastructure
Scan hook
Infrastructure as CodeWrite, Version, Store, Deploy your Infrastructure as Code- AWS CloudFormation - Terraform
Mean Time To RecoverImmutable infrastructure
Step 4Automate Responses
Long Love
Log Love
Event Log Love
Log Love
What are you doing based on your logs?
Putting it all together
Amazon CloudWatch
AWSCloudTrail
role
Your SaaS tools
AmazonSimple
Notification Service
Your security
team
AWS API AWS clouduser bucket
AWSLambda
2
Use logging services to prevent as well as protect
Your security
team
Malicious IPs
Amazon CloudFront
AWS WAF bucket
Elastic Load Balancing
Web Servers
Amazon CloudWatch
stack
AWSLambda
1
3
4
Ubiquitous logging:Log flow
Raw logs
Permissions
Amazon EMR
Amazon Glacier
Amazon Redshift
Amazon S3
Write to S3
Parse in EMR and upload to AmazonRedshift
Amazon EC2 instances
Analyze with standardBI tools
Archive to Amazon Glacier
AWS CloudTrail
Encrypted end to end!
Ubiquitous logging: What are we looking for?
• Unused permissions• Overuse of privileged accounts• Usage of keys• Anomalous logins• Policy violations• System abuse….• Collect data once, many use cases
4 Steps to enable security automation at scale
- Establish your level of Trust- Security by Design - Security of and in the CI/CD pipeline- Automated Responses
KEY TAKEAWAYS
Automation doesn’t sleep, eat, or need coffee in the morning
Security is not an “afterthought” Automate security at cloud scale