Easily Govern and Audit your AWS Resources
Transcript of Easily Govern and Audit your AWS Resources
Liron Dor
Technical Account Manager
Topics
CloudTrail.
Config.
Config Rules (New).
Improving AWS Account Visibility
re:Invent 2013 - CloudTrail: identify the individual performing actions within the account.
re:Invent 2014 - Config: identify which configuration changes have been made.
re:Invent 2015 - Config Rules: set up rules to check configuration changes.
What is CloudTrail?
CloudTrail continuously records API calls made in your account.
Delivers and stores the log files.
View the last 7 days of events through the Management Console / API, with filters.
Monitor events and receive alarms through CloudWatch.
Use cases enabled by CloudTrail
Perform security analysis.
Troubleshoot operational issues.
Compliance aid for auditors.
Automate correction actions on detected issues.
What can you answer using a CloudTrail event?
Who made the API call?
When was the API call made?
What was the API call?
Which resources were acted upon in the API call?
Where was the API call made from and made to?
What does an event look like?
{
    "eventVersion": "1.01",
    "userIdentity": {
        "type": "IAMUser", // Who?
        "principalId": "AIDAJDPLRKLG7UEXAMPLE",
        "arn": "arn:aws:iam::123456789012:user/Alice", // Who?
        "accountId": "123456789012",
        "accessKeyId": "AKIAIOSFODNN7EXAMPLE",
        "userName": "Alice",
        "sessionContext": {
            "attributes": {
                "mfaAuthenticated": "false",
                "creationDate": "2014-03-18T14:29:23Z"
            }
        }
    },
    "eventTime": "2014-03-18T14:30:07Z", // When?
    "eventSource": "cloudtrail.amazonaws.com",
    "eventName": "StartLogging", // What?
    "awsRegion": "us-west-2", // Where to?
    "sourceIPAddress": "72.21.198.64", // Where from?
    "userAgent": "AWSConsole, aws-sdk-java/1.4.5 Linux/x.xx.fleetxen Java_HotSpot(TM)_64-Bit_Server_VM/xx",
    "requestParameters": {
        "name": "Default" // Which resource?
    }, // more event details
}
Using CloudWatch Logs and Alarms
Log specific events recorded by CloudTrail.
Receive notifications from CloudWatch Alarms.
Popular examples based on customer feedback:
Changes to Security groups and VPCs.
Changes to IAM policies or S3 bucket policies.
Changes to EC2 instances.
Failed AWS Management Console sign-in events.
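As an added example (not part of the talk), a small Python script that reads a constructed CloudTrail log, answers the who / when / what / where questions for each record, and flags the kinds of events listed above (security group and policy changes, failed Management Console sign-ins). The sample values and the event names chosen for WATCHED are assumptions; the field names follow the CloudTrail record format shown on the earlier slide.

```python
import json
from datetime import datetime

# Constructed sample CloudTrail log (not from the slides): real field names,
# made-up values. Records 1 and 2 should raise an alert, record 3 should not.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2014-03-18T14:30:07Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress", "awsRegion": "us-west-2",
     "sourceIPAddress": "198.51.100.10", "requestParameters": {"groupId": "sg-EXAMPLE1"},
     "userIdentity": {"type": "IAMUser", "userName": "Alice"}},
    {"eventTime": "2014-03-18T14:31:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.5",
     "userIdentity": {"type": "IAMUser", "userName": "Bob"},
     "responseElements": {"ConsoleLogin": "Failure"}},
    {"eventTime": "2014-03-18T14:32:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.10",
     "userIdentity": {"type": "IAMUser", "userName": "Alice"}},
]})

# Event names (an assumed selection) for the "popular examples": security groups,
# IAM and S3 bucket policies, EC2 instances, each mapped to an alert label.
WATCHED = {
    "AuthorizeSecurityGroupIngress": "security-group-change",
    "RevokeSecurityGroupIngress": "security-group-change",
    "PutUserPolicy": "iam-policy-change",
    "PutBucketPolicy": "s3-policy-change",
    "TerminateInstances": "ec2-instance-change",
}

def summarize(event):
    """Answer who / when / what / where for a single CloudTrail record."""
    ident = event.get("userIdentity", {})
    return {
        "who": ident.get("userName") or ident.get("arn") or ident.get("type"),
        "when": datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ"),
        "what": f'{event["eventSource"]}:{event["eventName"]}',
        "where_from": event.get("sourceIPAddress"),
        "where_to": event.get("awsRegion"),
    }

def find_alerts(log_text):
    """Return (label, who, what) for every record matching an alarm pattern."""
    alerts = []
    for ev in json.loads(log_text)["Records"]:
        s, name = summarize(ev), ev["eventName"]
        if name in WATCHED:
            alerts.append((WATCHED[name], s["who"], s["what"]))
        # Failed Management Console sign-in: ConsoleLogin whose response says "Failure".
        if name == "ConsoleLogin" and ev.get("responseElements", {}).get("ConsoleLogin") == "Failure":
            alerts.append(("failed-console-login", s["who"], s["what"]))
    return alerts
```

Running find_alerts(SAMPLE_LOG) yields one security-group-change alert for Alice and one failed-console-login alert for Bob; the S3 GetObject record is ignored.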
Demo – CloudTrail and CloudWatch Logs
What does an email notification look like?
Additional CloudTrail Capabilities
Aggregate log files across multiple accounts in one bucket.
Encrypt CloudTrail log files using SSE-KMS (New).
Validate the integrity of log files (New).
CloudTrail Take Away
Turn on CloudTrail for all your accounts in all regions.
Use CloudTrail for security and operational issues.
Use CloudWatch Logs alarms for event detection.
Check out partner solutions.
Consider using additional logs: ELB logs, VPC Flow Logs, S3 logs.
AWS Config
Records configuration changes continuously.
Captures the state of your AWS resources as "Configuration Items".
A "Configuration Item" contains all configuration attributes for a resource.
Captures the relationships between resources.
Discovers resources that exist in, or have been deleted from, your account.
AWS Config Rules
Validate the configuration record.
Enforce customer best practices and procedures.
A Config rule evaluation result is always either compliant or non-compliant.
AWS Config Rules Types and Triggers
Two rule types:
AWS managed rules.
Custom rules.
Supported rule triggers:
On change (scoped by resource ID, resource type or a specific tag).
Periodically.
Config & Config Rules Use Cases
Security Analysis – Am I safe?
Audit Compliance – Where is the evidence?
Change Management – What will this change affect?
Troubleshoot – What has changed?
Resource Discovery – What resources exist?
Demo – Config Rules
Thank You