Easily Govern and Audit your AWS Resources


Transcript of Easily Govern and Audit your AWS Resources

Page 1: Easily Govern and Audit your AWS Resources

Easily Govern and Audit your AWS Resources

Liron Dor

Technical Account Manager

Page 2: Easily Govern and Audit your AWS Resources

Topics

CloudTrail.

Config.

Config Rules (New).

Page 3: Easily Govern and Audit your AWS Resources

Improving AWS Account Visibility

re:Invent 2013: CloudTrail

Identify the individual performing actions within the account.

re:Invent 2014: Config

Identify which configuration changes have been made.

re:Invent 2015: Config Rules

Set up rules to check configuration changes.

Page 4: Easily Govern and Audit your AWS Resources

What is CloudTrail

CloudTrail continuously records API calls.

Delivers and stores log files.

View the last 7 days of events through the Management Console or API, with filtering.

Monitor and receive alarms through CloudWatch.

Page 5: Easily Govern and Audit your AWS Resources

Use cases enabled by CloudTrail

Perform security analysis.

Troubleshoot operational issues.

Compliance aid for auditors.

Automate corrective actions on detected issues.

Page 6: Easily Govern and Audit your AWS Resources

What can you answer using a CloudTrail event?

Who made the API call?

When was the API call made?

What was the API call?

Which resources were acted upon in the API call?

Where was the API call made from and made to?

Page 7: Easily Govern and Audit your AWS Resources

What does an event look like?

{
  "eventVersion": "1.01",
  "userIdentity": {
    "type": "IAMUser",                                   // Who?
    "principalId": "AIDAJDPLRKLG7UEXAMPLE",
    "arn": "arn:aws:iam::123456789012:user/Alice",       // Who?
    "accountId": "123456789012",
    "accessKeyId": "AKIAIOSFODNN7EXAMPLE",
    "userName": "Alice",
    "sessionContext": {
      "attributes": {
        "mfaAuthenticated": "false",
        "creationDate": "2014-03-18T14:29:23Z"
      }
    }
  },
  "eventTime": "2014-03-18T14:30:07Z",                   // When?
  "eventSource": "cloudtrail.amazonaws.com",
  "eventName": "StartLogging",                           // What?
  "awsRegion": "us-west-2",                              // Where to?
  "sourceIPAddress": "72.21.198.64",                     // Where from?
  "userAgent": "AWSConsole, aws-sdk-java/1.4.5 Linux/x.xx.fleetxen Java_HotSpot(TM)_64-Bit_Server_VM/xx",
  "requestParameters": {
    "name": "Default"                                    // Which resource?
  }
  // ... more event details
}

Page 8: Easily Govern and Audit your AWS Resources

Using CloudWatch Logs and Alarms

Log specific events recorded by CloudTrail.

Receive notifications from CloudWatch Alarms.

Popular examples based on customer feedback:

Changes to Security groups and VPCs.

Changes to IAM policies or S3 bucket policies.

Changes to EC2 instances.

Failed AWS Management Console sign-in events.
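The Page 6 questions and the Page 8 alarm categories, worked as an added Python example (not code from the talk or from AWS): summarize() answers who/when/what/which/where for a record shaped like the event on Page 7, and alert_reason() flags records that fall into the slide's "popular examples" categories. The sample records and the WATCHED mapping are constructed assumptions for illustration.

```python
# Constructed sample CloudTrail records (not from the slides); the first mirrors the
# slide's StartLogging event, the other two imitate the "popular examples" categories.
SAMPLE_RECORDS = [
    {"userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/Alice",
                      "sessionContext": {"attributes": {"mfaAuthenticated": "false"}}},
     "eventTime": "2014-03-18T14:30:07Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StartLogging", "awsRegion": "us-west-2",
     "sourceIPAddress": "72.21.198.64", "requestParameters": {"name": "Default"}},
    {"userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/Bob"},
     "eventTime": "2014-03-18T15:02:11Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress", "awsRegion": "us-east-1",
     "sourceIPAddress": "198.51.100.7", "requestParameters": {"groupId": "sg-0123abcd"}},
    {"userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/Carol"},
     "eventTime": "2014-03-18T15:10:42Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "awsRegion": "us-east-1",
     "sourceIPAddress": "203.0.113.9", "responseElements": {"ConsoleLogin": "Failure"}},
]

# eventSource -> substrings of eventName that map to the slide's alarm categories (assumed).
WATCHED = {
    "ec2.amazonaws.com": ("SecurityGroup", "Vpc", "RunInstances", "TerminateInstances"),
    "iam.amazonaws.com": ("Policy",),
    "s3.amazonaws.com": ("BucketPolicy",),
}

def summarize(record):
    """Answer the slide's who/when/what/which/where questions for one record."""
    ident = record.get("userIdentity", {})
    attrs = ident.get("sessionContext", {}).get("attributes", {})
    return {
        "who": ident.get("arn") or ident.get("type", "unknown"),
        "mfa": attrs.get("mfaAuthenticated"),          # "false" on the slide's event
        "when": record.get("eventTime"),
        "what": record.get("eventName"),
        "resource": record.get("requestParameters", {}),
        "where_from": record.get("sourceIPAddress"),
        "where_to": record.get("awsRegion"),
    }

def alert_reason(record):
    """Return why the record matches an alarm category, or None if it is routine."""
    src, name = record.get("eventSource", ""), record.get("eventName", "")
    if name.startswith(("Describe", "Get", "List")):   # read-only calls never alarm
        return None
    if (src == "signin.amazonaws.com" and name == "ConsoleLogin"
            and record.get("responseElements", {}).get("ConsoleLogin") == "Failure"):
        return "failed console sign-in"
    if any(key in name for key in WATCHED.get(src, ())):
        return f"{src.split('.')[0]} change: {name}"
    return None
```

In practice the same matching is expressed as a CloudWatch Logs metric filter on the CloudTrail log group, with an alarm on the resulting metric; the read-only guard matters because Describe*/Get*/List* calls share the same name substrings.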

Page 9: Easily Govern and Audit your AWS Resources

Demo – CloudTrail and CloudWatch Logs

Page 10: Easily Govern and Audit your AWS Resources

What does an email notification look like?

Page 11: Easily Govern and Audit your AWS Resources

Additional CloudTrail Capabilities

Aggregate log files across multiple accounts in one bucket.

Encrypt CloudTrail log files using SSE-KMS (New).

Validate the integrity of log files (New).

Page 12: Easily Govern and Audit your AWS Resources

CloudTrail Take Away

Turn on CloudTrail for all your accounts in all regions.

Use CloudTrail for Security and Operational issues.

Use CloudWatch Log Alarms for events detection.

Check out partner solutions.

Consider utilizing additional logs: ELB logs, VPC Flow Logs, S3 logs.

Page 13: Easily Govern and Audit your AWS Resources

AWS Config

Records configuration changes continuously.

Captures the state of your AWS resources using “Configuration Items”.

A “Configuration Item” contains all configuration attributes for a resource.

Captures the relationships between resources.

Discover resources that exist in, or have been deleted from, your account.

Page 14: Easily Govern and Audit your AWS Resources

AWS Config Rules

Validate the configuration record.

Enforce your own best practices and procedures.

The Config rule evaluation result is always compliant or non-compliant.

Page 15: Easily Govern and Audit your AWS Resources

AWS Config Rules Types and Triggers

Two rule types:

AWS Managed Rules.

Custom Rules.

Supported Rule Triggers:

On configuration change (scoped by resource ID, resource type, or a specific tag).

Periodically.

Page 16: Easily Govern and Audit your AWS Resources

Config & Config Rules Use Cases

Security Analysis – Am I safe?

Audit Compliance – Where is the evidence?

Change Management – What will this change affect?

Troubleshoot – What has changed?

Resource Discovery – What resources exist?

Page 17: Easily Govern and Audit your AWS Resources

Demo – Config Rules

Page 18: Easily Govern and Audit your AWS Resources

Thank You