AWS re:Invent 2016: Automating Security Event Response, from Idea to Code to Execution (SEC313)


Transcript of AWS re:Invent 2016: Automating Security Event Response, from Idea to Code to Execution (SEC313)

© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

Brian Wagner, AWS Professional Services
Don “Beetle” Bailey, AWS Security
November 29, 2016

SEC313: Automating Security Event Response

What to expect from the session

• Iteration of previous re:Invent talks

• Methodology for implementing security automation ideas

• Decision support to match AWS mechanisms to goals

• Code

• Additional resources

• Demos!

We came (with a demo) from a land down under …!

Building on previous talks

YouTube search

• “Intrusion Detection in the Cloud” 2014

• “Incident Response (IR) in the Cloud” 2014

• “Wrangling Security Events in The Cloud” 2015

SlideShare search

• “Enforcing Your Security Policy at Scale” 2016

You’ve probably seen this before: the shared responsibility model

AWS is responsible for the security OF the Cloud:

• AWS foundation services: compute, storage, database, networking
• AWS global infrastructure: Regions, Availability Zones, Edge locations

Customers are responsible for their security IN the Cloud:

• Customer content
• Platform, applications, IAM
• Operating system, network, and firewall configuration
• Client-side data encryption
• Server-side data encryption
• Network traffic protection

Getting from here to there

• Understand AWS security practice
• Build strong compliance foundations
• Integrate IAM
• Enable detective controls
• Establish network security
• Implement data protection
• Optimize change management
• Automate security functions

Putting it all together

Building blocks of the response pipeline:

• AWS CloudTrail
• Amazon CloudWatch Events
• AWS Lambda
• Amazon Simple Notification Service
• AWS API endpoints
• Your staff
• Amazon S3 bucket
• Your security team
• AWS IAM role
• AWS API
• Your SaaS tools

Questions you will need to answer

• What is my expressed security objective in words?

• Is this configuration or behavior related?

• What data, where, could help inform me?

• Do I have requisite ownership or visibility?

• What are my performance requirements?

• What mechanisms support the above?

• What is my expressed security objective in code?

Security objective

“I would like to push a button that launches a penetration test on my AWS environment”

“I want to know when someone turns off AWS CloudTrail and automatically turn it back on”

“I need to prevent my developers launching EC2 instances from unapproved Amazon Machine Images”

Configuration vs behavior

Locate the right data

Establish ownership and visibility for access

Soon vs later vs whenever

Service and feature selection

Make it so

The high-level playbook …

Adversary (or Intern) -> Your environment -> CloudWatch Events event -> Responder

Here. We. GO!

Demo: “If someone turns CloudTrail off, turn it back on.”

Adversary -> CloudTrail: cloudtrail:StopLogging

CloudTrail -> CloudWatch Events event, matched by this rule pattern:

{
  "detail-type": [ "AWS API Call via CloudTrail" ],
  "detail": {
    "eventSource": [ "cloudtrail.amazonaws.com" ],
    "eventName": [ "StopLogging" ]
  }
}

Responder: cloudtrail.start_logging
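Added here as a worked example, not code from the talk: a Python responder for this demo. It re-implements the CloudWatch Events matching rules (every key in the pattern must be present, a list of values is an OR, nested objects recurse) so the rule pattern above can be exercised offline, then calls start_logging on the trail. Assumptions not stated on the slide: the trail name is read from requestParameters.name in the CloudTrail record, the CloudTrail client is injected so a recording stand-in can be used, and the sample event is constructed.

```python
# Added example, not code from the talk: a Lambda-style responder for the
# "StopLogging" demo. It re-implements the CloudWatch Events matching rules
# (keys are ANDed, listed values are ORed) so the pattern on the slide can be
# checked offline, then turns the trail back on. Assumptions not stated on the
# slide: the trail name comes from requestParameters.name in the CloudTrail
# record, and the CloudTrail client is injectable so tests use a stand-in.


def matches_pattern(pattern, event):
    """Return True if `event` would trigger a rule with `pattern`.

    CloudWatch Events semantics: every key in the pattern must exist in the
    event; a list of literals matches if the event's value is any of them; a
    nested dict is matched recursively.
    """
    for key, expected in pattern.items():
        if key not in event:
            return False
        actual = event[key]
        if isinstance(expected, dict):
            if not isinstance(actual, dict) or not matches_pattern(expected, actual):
                return False
        elif actual not in expected:
            return False
    return True


# The rule pattern from the slide, verbatim.
STOP_LOGGING_PATTERN = {
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {
        "eventSource": ["cloudtrail.amazonaws.com"],
        "eventName": ["StopLogging"],
    },
}


class RecordingClient:
    """Test double for a boto3 client: records calls instead of calling AWS."""

    def __init__(self):
        self.calls = []

    def __getattr__(self, api):
        return lambda **kwargs: self.calls.append((api, kwargs)) or {}


def respond_stop_logging(event, cloudtrail=None):
    """Re-enable the trail named in a StopLogging event.

    Returns the trail that was restarted, or None when the event is not a
    match or the StopLogging call itself was denied (nothing to undo).
    """
    if not matches_pattern(STOP_LOGGING_PATTERN, event):
        return None
    detail = event["detail"]
    if detail.get("errorCode"):  # e.g. AccessDenied: logging never stopped
        return None
    trail = detail["requestParameters"]["name"]
    if cloudtrail is None:
        import boto3  # real client only outside tests

        cloudtrail = boto3.client("cloudtrail")
    cloudtrail.start_logging(Name=trail)
    return trail


def lambda_handler(event, context):
    return {"restarted": respond_stop_logging(event)}


# Constructed sample, shaped like the event CloudWatch Events delivers for a
# CloudTrail API call (fields trimmed to the ones used here).
SAMPLE_STOP_EVENT = {
    "version": "0",
    "detail-type": "AWS API Call via CloudTrail",
    "source": "aws.cloudtrail",
    "region": "eu-west-1",
    "detail": {
        "eventSource": "cloudtrail.amazonaws.com",
        "eventName": "StopLogging",
        "userIdentity": {"type": "IAMUser", "userName": "Bill"},
        "requestParameters": {"name": "main-trail"},
    },
}

if __name__ == "__main__":
    client = RecordingClient()
    print(respond_stop_logging(SAMPLE_STOP_EVENT, client), client.calls)
```

Two practitioner caveats. A StopLogging call that was denied still lands in CloudTrail, with an errorCode, so the responder skips it rather than issuing a needless StartLogging. And StopLogging is not the only way to silence a trail: DeleteTrail and UpdateTrail also do it, so a production rule widens the eventName list, and the responder's role is kept outside the adversary's reach, because whoever can stop the trail will look for whatever restarts it.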

Demo: “I only want approved managed policies attached to IAM users”

Adversary -> IAM:

iam.attach_user_policy(
    UserName='Bill',
    PolicyArn='arn:aws:iam::aws:policy/PowerUserAccess'
)

IAM -> CloudWatch Events event, matched by this rule pattern:

{
  "detail-type": [ "AWS API Call via CloudTrail" ],
  "detail": {
    "eventSource": [ "iam.amazonaws.com" ],
    "eventName": [
      "AttachGroupPolicy",
      "AttachRolePolicy",
      "AttachUserPolicy"
    ]
  }
}

Responder: iam.detach_user_policy

Demo: “Do not allow inline IAM policies”

Adversary -> IAM:

adminpolicy = {
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "*",
      "Resource": "*"
    }
  ]
}

iam.put_user_policy(
    UserName='Bill',
    PolicyName='AdministratorAccess',
    PolicyDocument=json.dumps(adminpolicy)   # PutUserPolicy takes the document as a JSON string
)

IAM -> CloudWatch Events event, matched by this rule pattern:

{
  "detail-type": [ "AWS API Call via CloudTrail" ],
  "detail": {
    "eventSource": [ "iam.amazonaws.com" ],
    "eventName": [
      "PutGroupPolicy",
      "PutRolePolicy",
      "PutUserPolicy"
    ]
  }
}

Responder: iam.delete_user_policy
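Added here as a worked example covering both IAM demos above (the managed-policy attach demo and the inline-policy demo); it is not code from the talk. The two rules differ only in which IAM call undoes the change, so one responder dispatches on eventName: Attach*Policy is undone unless the policy ARN is on an allowlist, Put*Policy (inline) is always undone. Assumptions not on the slides: the allowlist contents, the name of the responder's own role (excluded so it cannot disarm itself), and that the IAM client is injected so the logic runs offline against a recording stand-in. The CloudTrail details are constructed to match the slide's scenarios.

```python
# Added example, not code from the talk: one responder that serves both IAM
# demos above. Attach*Policy calls are undone unless the managed policy is
# on an allowlist; Put*Policy (inline) calls are always undone. Assumptions
# not on the slides: the allowlist contents, the name of the responder's own
# role (excluded so it cannot disarm itself), and that the IAM client is
# injected so the logic runs offline against a recording stand-in.

APPROVED_MANAGED_POLICIES = {  # assumption: the organisation's allowlist
    "arn:aws:iam::aws:policy/ReadOnlyAccess",
    "arn:aws:iam::aws:policy/job-function/ViewOnlyAccess",
}
RESPONDER_PRINCIPALS = {"AutoResponderRole"}  # assumption: our own role name

# eventName -> (IAM API that undoes it, CloudTrail requestParameters key for
# the principal, the boto3 keyword that key maps to)
REMEDIATION = {
    "AttachUserPolicy": ("detach_user_policy", "userName", "UserName"),
    "AttachGroupPolicy": ("detach_group_policy", "groupName", "GroupName"),
    "AttachRolePolicy": ("detach_role_policy", "roleName", "RoleName"),
    "PutUserPolicy": ("delete_user_policy", "userName", "UserName"),
    "PutGroupPolicy": ("delete_group_policy", "groupName", "GroupName"),
    "PutRolePolicy": ("delete_role_policy", "roleName", "RoleName"),
}


def decide(detail):
    """Return None if the IAM change is acceptable, else (api, kwargs) to undo it."""
    name = detail.get("eventName")
    if name not in REMEDIATION or detail.get("errorCode"):
        return None  # not our event, or the call was denied and changed nothing
    api, src_key, dst_key = REMEDIATION[name]
    params = detail["requestParameters"]
    principal = params[src_key]
    if principal in RESPONDER_PRINCIPALS:
        return None  # never strip the responder's own permissions
    kwargs = {dst_key: principal}
    if name.startswith("Attach"):
        arn = params["policyArn"]
        if arn in APPROVED_MANAGED_POLICIES:
            return None
        kwargs["PolicyArn"] = arn
    else:
        kwargs["PolicyName"] = params["policyName"]  # inline: never approved
    return api, kwargs


def remediate(event, iam):
    """CloudWatch Events handler body: undo the change, return what was done."""
    action = decide(event["detail"])
    if action is None:
        return None
    api, kwargs = action
    getattr(iam, api)(**kwargs)
    return action


class RecordingClient:
    """Test double for a boto3 client: records calls instead of calling AWS."""

    def __init__(self):
        self.calls = []

    def __getattr__(self, api):
        return lambda **kwargs: self.calls.append((api, kwargs)) or {}


# Constructed CloudTrail details for the two slide scenarios (user Bill).
ATTACH_POWERUSER = {
    "eventSource": "iam.amazonaws.com",
    "eventName": "AttachUserPolicy",
    "requestParameters": {
        "userName": "Bill",
        "policyArn": "arn:aws:iam::aws:policy/PowerUserAccess",
    },
}
PUT_INLINE_ADMIN = {
    "eventSource": "iam.amazonaws.com",
    "eventName": "PutUserPolicy",
    "requestParameters": {
        "userName": "Bill",
        "policyName": "AdministratorAccess",
        "policyDocument": '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":"*","Resource":"*"}]}',
    },
}

if __name__ == "__main__":
    iam = RecordingClient()
    for detail in (ATTACH_POWERUSER, PUT_INLINE_ADMIN):
        print(remediate({"detail": detail}, iam))
```

This is a detective control with a window: between the Attach/Put call and the responder's detach/delete the principal holds the policy, and CloudTrail delivery to CloudWatch Events is not instantaneous. Where the goal is really "never", pair it with an IAM deny on the Attach*/Put* actions for everyone but the approved admins, and let the responder catch what the deny could not express.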

Demo: “Only allow EC2 instances launched from approved AMIs and with appropriate subnets and security groups”

Adversary -> EC2: launch with

    ImageId=ami-f9dd458a
    SubnetId=subnet-a8aa4ef0
    SecurityGroups=[ GroupId=sg-45533823 ]

EC2 -> CloudWatch Events event, matched by this rule pattern:

{
  "detail-type": [ "EC2 Instance State-change Notification" ],
  "detail": {
    "state": [ "pending" ]
  },
  "source": [ "aws.ec2" ]
}

Responder (level 1):

    # check if the AMI is approved
    # check if AMI is used in correct subnet
    # check if AMI was launched with approved security group

Approved-configuration records in DynamoDB:

{
  "ami": "ami-0d77397e",
  "region": "eu-west-1",
  "security_groups": [ "sg-cc9a3aaa" ],
  "subnets": [ "subnet-ac3d7cda", "subnet-2f9c1677" ]
},
{
  "ami": "ami-f9dd458a",
  "region": "eu-west-1",
  "security_groups": [ "sg-ee9a3a88" ],
  "subnets": [ "subnet-ad3d7cdb", "subnet-2e9c1676" ]
}

On a failed check, the level 1 responder emits its own event with events.put_events:

{
    'Time': int(time.time()),
    'Source': 'auto.responder.level1',
    'Resources': [ str(instance_id) ],
    'DetailType': 'activeResponse',
    'Detail': json.dumps({      # put_events requires Detail as a JSON string
        'instance': instance_id,
        'actionsRequested': 'instanceTermination'
    })
}

CloudWatch Events rule pattern for the custom event:

{
  "detail-type": [ "activeResponse" ],
  "source": [ "auto.responder.level1" ]
}

L2 responder: ec2.terminate_instances
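Added here as a worked example, not code from the talk: the two-level EC2 responder above in Python. Level 1 handles the "pending" state-change event, checks the instance against the approved-AMI records, and on failure emits the custom activeResponse event; level 2 handles that event and terminates. The records are the slide's DynamoDB items held in a dict standing in for the table. Assumptions not on the slides: the table is keyed on (ami, region), instance details come from ec2.describe_instances, the EC2 and Events clients are injected, and the instances and state-change event are constructed.

```python
# Added example, not code from the talk: the two-level EC2 responder above.
# Level 1 handles the "pending" state-change event, checks the instance
# against the approved-AMI records and, on failure, emits the custom
# "activeResponse" event; level 2 handles that event and terminates. The
# records are the slide's DynamoDB items held in a dict standing in for the
# table. Assumed, not on the slides: the table is keyed on (ami, region),
# instance details come from ec2.describe_instances, clients are injected.
import json
import time

APPROVED = {  # (ami, region) -> allowed subnets and security groups
    ("ami-0d77397e", "eu-west-1"): {"security_groups": {"sg-cc9a3aaa"},
                                    "subnets": {"subnet-ac3d7cda", "subnet-2f9c1677"}},
    ("ami-f9dd458a", "eu-west-1"): {"security_groups": {"sg-ee9a3a88"},
                                    "subnets": {"subnet-ad3d7cdb", "subnet-2e9c1676"}},
}

def violations(instance, region):
    """List the checks a describe_instances record fails; empty means compliant."""
    record = APPROVED.get((instance["ImageId"], region))
    if record is None:
        return ["unapproved AMI"]
    problems = []
    if instance["SubnetId"] not in record["subnets"]:
        problems.append("wrong subnet")
    groups = {g["GroupId"] for g in instance["SecurityGroups"]}
    if not groups <= record["security_groups"]:  # every attached SG must be approved
        problems.append("unapproved security group")
    return problems

def build_response_entry(instance_id, problems):
    """The put_events entry from the slide; Detail has to be a JSON string."""
    return {
        "Time": int(time.time()),
        "Source": "auto.responder.level1",
        "Resources": [str(instance_id)],
        "DetailType": "activeResponse",
        "Detail": json.dumps({"instance": instance_id,
                              "actionsRequested": "instanceTermination",
                              "violations": problems}),
    }

def level1(event, region, ec2, events):
    """Handle the EC2 state-change event; returns the violations found, or
    None when the event is not a pending-instance notification."""
    if event.get("source") != "aws.ec2" or event["detail"].get("state") != "pending":
        return None
    instance_id = event["detail"]["instance-id"]
    reservations = ec2.describe_instances(InstanceIds=[instance_id])["Reservations"]
    problems = violations(reservations[0]["Instances"][0], region)
    if problems:  # level 1 only reports; termination rights live with level 2
        events.put_events(Entries=[build_response_entry(instance_id, problems)])
    return problems

def as_delivered(entry):
    """What a rule target receives for a put_events entry: Detail parsed back."""
    return {"source": entry["Source"], "detail-type": entry["DetailType"],
            "resources": entry["Resources"], "detail": json.loads(entry["Detail"])}

def level2(event, ec2):
    """Handle the activeResponse event; returns the terminated instance ID or None."""
    if event.get("source") != "auto.responder.level1" or event.get("detail-type") != "activeResponse":
        return None
    detail = event["detail"]
    if detail.get("actionsRequested") != "instanceTermination":
        return None
    ec2.terminate_instances(InstanceIds=[detail["instance"]])
    return detail["instance"]

class FakeEC2:
    """Test double: describes one constructed instance and records terminations."""
    def __init__(self, instance):
        self.instance, self.terminated = instance, []
    def describe_instances(self, InstanceIds):
        return {"Reservations": [{"Instances": [dict(self.instance, InstanceId=InstanceIds[0])]}]}
    def terminate_instances(self, InstanceIds):
        self.terminated.extend(InstanceIds)
        return {}

class FakeEvents:
    """Test double for the CloudWatch Events client: keeps the entries put."""
    def __init__(self):
        self.entries = []
    def put_events(self, Entries):
        self.entries.extend(Entries)
        return {"FailedEntryCount": 0}

# Constructed inputs: the slide's adversary launch (subnet and SG not in the
# ami-f9dd458a record), a compliant launch, and the state-change event.
BAD_INSTANCE = {"ImageId": "ami-f9dd458a", "SubnetId": "subnet-a8aa4ef0",
                "SecurityGroups": [{"GroupId": "sg-45533823"}]}
GOOD_INSTANCE = {"ImageId": "ami-f9dd458a", "SubnetId": "subnet-ad3d7cdb",
                 "SecurityGroups": [{"GroupId": "sg-ee9a3a88"}]}
PENDING_EVENT = {"source": "aws.ec2", "detail-type": "EC2 Instance State-change Notification",
                 "detail": {"instance-id": "i-0123456789abcdef0", "state": "pending"}}
```

The split is what makes this safe to run: the level 1 role needs only ec2:DescribeInstances and events:PutEvents, and ec2:TerminateInstances is confined to the level 2 role that accepts nothing but the activeResponse event. Two things to expect in practice: "pending" also fires when a stopped instance is started, so the check re-runs then (harmless, since the record is re-validated), and the instance may reach "running" before level 2 fires, so this is containment after the fact, not prevention; a launch-time IAM condition on ec2:ImageId is the preventive complement.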

Demo: “Alexa, launch AWS Security Tools”

Other AWS security resources

• Support

https://aws.amazon.com/support

• AWS Cloud Security

https://aws.amazon.com/security

• Contact the AWS security team

[email protected]

Related sessions

• SAC305 “How AWS Automates Internal Compliance at Massive Scale Using AWS Services”
• SAC316 “Security Automation: Spend Less Time Securing Your Applications”
• SAC401 “5 Security Automation Improvements You Can Make by Using Amazon CloudWatch Events and AWS Config Rules”
• SAC315 “Scaling Security Operations and Automating Governance: Which AWS Services Should I Use?”

Summary

• Security agility with AWS more achievable than ever
• Identify and express your security goals, as code even
• Choose your own adventure, leverage Support
• And remember, when it comes to security event response …

There are TWO ways to get practice, but you only get to choose ONE ;)

Thank you!

Remember to complete your evaluations!