Building a Hyper-Secure VPC on AWS with Puppet - PuppetConf 2013
DESCRIPTION
"Building a Hyper-Secure VPC on AWS with Puppet" by Tim Nolet, Technical Architect, Xebia. Presentation Overview: This session will describe the techniques and patterns used in a real life project where the goal was to: build a VPC on AWS, make it extremely secure on all accounts, and do it automated. I will describe how you can take Puppet and AWS and introduce all kinds of real life security measures, all managed by Puppet. These security measures include: log collection and analysis (in combination with Graylog2), transparent proxy hosts for DMZ separation, host based firewalls to augment the non-logging AWS firewalls/security groups, CIS (Center for Internet Security) Benchmark enforcement on standard AWS Linux AMIs, and change tracking with SVN. Speaker Bio: Tim Nolet is an infrastructure architect and continuous delivery consultant working for Xebia (www.xebia.com). Brought up on a steady diet of Java enterprise applications, he has helped his customers design, build and manage internet infrastructures in diverse areas of travel, retail, banking, energy and public services. Currently, he is on a mission to reap all the benefits of automated deployment and cloud engineering to deliver fast, safe and stable applications. Together with Amazon Web Services, Puppet plays a major role in this mission. Tim also smiles when you let him dive deep into performance, security and stability issues, or let him play guitar for a day.

TRANSCRIPT
![Page 1: Building a Hyper-Secure VPC on AWS with Puppet - PuppetConf 2013](https://reader033.vdocuments.mx/reader033/viewer/2022051512/54035a4b8d7f72444d8b462e/html5/thumbnails/1.jpg)
PuppetConf 2013
Building a Hyper-Secure VPC on AWS
with Puppet
Tim Nolet
![Page 2: Building a Hyper-Secure VPC on AWS with Puppet - PuppetConf 2013](https://reader033.vdocuments.mx/reader033/viewer/2022051512/54035a4b8d7f72444d8b462e/html5/thumbnails/2.jpg)
Architect at Xebia (the Netherlands)
Linux / Java / Cloud / Automation / Operations
github.com/tnolet
nl.linkedin.com/in/tnolet
![Page 3: Building a Hyper-Secure VPC on AWS with Puppet - PuppetConf 2013](https://reader033.vdocuments.mx/reader033/viewer/2022051512/54035a4b8d7f72444d8b462e/html5/thumbnails/3.jpg)
Holland = The Netherlands
Image: xkcd.com
![Page 4: Building a Hyper-Secure VPC on AWS with Puppet - PuppetConf 2013](https://reader033.vdocuments.mx/reader033/viewer/2022051512/54035a4b8d7f72444d8b462e/html5/thumbnails/4.jpg)
![Page 5: Building a Hyper-Secure VPC on AWS with Puppet - PuppetConf 2013](https://reader033.vdocuments.mx/reader033/viewer/2022051512/54035a4b8d7f72444d8b462e/html5/thumbnails/5.jpg)
I tend to ramble...
![Page 6: Building a Hyper-Secure VPC on AWS with Puppet - PuppetConf 2013](https://reader033.vdocuments.mx/reader033/viewer/2022051512/54035a4b8d7f72444d8b462e/html5/thumbnails/6.jpg)
The Assignment
![Page 7: Building a Hyper-Secure VPC on AWS with Puppet - PuppetConf 2013](https://reader033.vdocuments.mx/reader033/viewer/2022051512/54035a4b8d7f72444d8b462e/html5/thumbnails/7.jpg)
![Page 8: Building a Hyper-Secure VPC on AWS with Puppet - PuppetConf 2013](https://reader033.vdocuments.mx/reader033/viewer/2022051512/54035a4b8d7f72444d8b462e/html5/thumbnails/8.jpg)
The Assignment (1)
1. Build a general purpose VPC on AWS
2. Standardize application deployment
3. Apply company security policies
![Page 9: Building a Hyper-Secure VPC on AWS with Puppet - PuppetConf 2013](https://reader033.vdocuments.mx/reader033/viewer/2022051512/54035a4b8d7f72444d8b462e/html5/thumbnails/9.jpg)
The Assignment (2)
1. Do it with Open Source
2. Use AWS standards
3. Stay close to reference implementations
![Page 10: Building a Hyper-Secure VPC on AWS with Puppet - PuppetConf 2013](https://reader033.vdocuments.mx/reader033/viewer/2022051512/54035a4b8d7f72444d8b462e/html5/thumbnails/10.jpg)
AWS and security
IAM, MFA, HSM, SSL, SSH, VPN, ISO 27001, PCI-DSS, PGP
..and probably some more acronyms
![Page 11: Building a Hyper-Secure VPC on AWS with Puppet - PuppetConf 2013](https://reader033.vdocuments.mx/reader033/viewer/2022051512/54035a4b8d7f72444d8b462e/html5/thumbnails/11.jpg)
Design Principles
A Grid based on:
3x Availability Zone
3x Tier: web, app, data
1x Management subnet
![Page 12: Building a Hyper-Secure VPC on AWS with Puppet - PuppetConf 2013](https://reader033.vdocuments.mx/reader033/viewer/2022051512/54035a4b8d7f72444d8b462e/html5/thumbnails/12.jpg)
![Page 13: Building a Hyper-Secure VPC on AWS with Puppet - PuppetConf 2013](https://reader033.vdocuments.mx/reader033/viewer/2022051512/54035a4b8d7f72444d8b462e/html5/thumbnails/13.jpg)
![Page 14: Building a Hyper-Secure VPC on AWS with Puppet - PuppetConf 2013](https://reader033.vdocuments.mx/reader033/viewer/2022051512/54035a4b8d7f72444d8b462e/html5/thumbnails/14.jpg)
Design Principles
Reference stacks
Implemented in CloudFormation
Provision:
EC2 instances
Security Groups
RDS instances
ELB load balancers
etc.
![Page 15: Building a Hyper-Secure VPC on AWS with Puppet - PuppetConf 2013](https://reader033.vdocuments.mx/reader033/viewer/2022051512/54035a4b8d7f72444d8b462e/html5/thumbnails/15.jpg)
public_three_tier_stack_redundant_rds.template
![Page 16: Building a Hyper-Secure VPC on AWS with Puppet - PuppetConf 2013](https://reader033.vdocuments.mx/reader033/viewer/2022051512/54035a4b8d7f72444d8b462e/html5/thumbnails/16.jpg)
![Page 17: Building a Hyper-Secure VPC on AWS with Puppet - PuppetConf 2013](https://reader033.vdocuments.mx/reader033/viewer/2022051512/54035a4b8d7f72444d8b462e/html5/thumbnails/17.jpg)
AMI Hardening
1. Apply CIS Benchmark for Red Hat Linux
2. Log + Alert on any discrepancies
3. Monitor YUM security updates
Benchmark: https://benchmarks.cisecurity.org/tools2/linux/CIS_Redhat_Linux_5_Benchmark_v2.0.0.pdf
![Page 18: Building a Hyper-Secure VPC on AWS with Puppet - PuppetConf 2013](https://reader033.vdocuments.mx/reader033/viewer/2022051512/54035a4b8d7f72444d8b462e/html5/thumbnails/18.jpg)
CIS Benchmark Module

One manifest per benchmark chapter:

```text
manifests/
  1_software.pp
  2_osservices.pp
  3_specialservices.pp
  4_network.pp
  5_logaudit.pp
  6_accessauth.pp
  7_user.pp
  8_banners.pp
  9_maintenance.pp
  init.pp
```
![Page 19: Building a Hyper-Secure VPC on AWS with Puppet - PuppetConf 2013](https://reader033.vdocuments.mx/reader033/viewer/2022051512/54035a4b8d7f72444d8b462e/html5/thumbnails/19.jpg)
Coooode!

```puppet
# 1.6 Additional Process Hardening

# 1.6.1 Restrict Core Dumps
# Ship a limits.conf from the module with the "hard core 0" setting
file { "/etc/security/limits.conf":
  ensure => "present",
  source => "puppet:///modules/cis_baseline/limits.conf",
  owner  => "0",
  group  => "0",
  mode   => "644",
}

# 1.6.2 Configure ExecShield
# file_line comes from puppetlabs-stdlib; it adds the line if it is missing
file_line { "Execshield":
  path => "/etc/sysctl.conf",
  line => "kernel.exec-shield = 1",
}
```
![Page 20: Building a Hyper-Secure VPC on AWS with Puppet - PuppetConf 2013](https://reader033.vdocuments.mx/reader033/viewer/2022051512/54035a4b8d7f72444d8b462e/html5/thumbnails/20.jpg)
Hacking /etc/pam.d/su

Allows only users in the `wheel` group to use `su`

```puppet
# 6.5 Restrict Access to the su Command
# Inserts "auth required pam_wheel.so use_uid" right after the pam_rootok.so line.
# The onlyif keeps the resource idempotent: nothing happens once the line exists.
augeas { "pam.d/su":
  context => "/files/etc/pam.d/su/",
  changes => [
    "ins 01 after *[module='pam_rootok.so'][control='sufficient'][type='auth'][last()]",
    "set 01/type auth",
    "set 01/control required",
    "set 01/module pam_wheel.so",
    "set 01/argument use_uid",
  ],
  onlyif  => "match *[type='auth'][control='required'][module='pam_wheel.so'][argument='use_uid'] size == 0",
}
```
![Page 21: Building a Hyper-Secure VPC on AWS with Puppet - PuppetConf 2013](https://reader033.vdocuments.mx/reader033/viewer/2022051512/54035a4b8d7f72444d8b462e/html5/thumbnails/21.jpg)
Tagging dependent modules

IPtables is managed by its own module. We check if it is included using the `tagged` function.

```puppet
# 4.7 Enable IPtables
# CIS Rule 4.7 should be enforced through the iptables/firewall module.
# We only notify if it is not running.
if tagged("firewall_base") {
  notice("CIS rule 4.7 Enable IPtables is installed and enabled")
} else {
  alert("CIS rule 4.7 Enable IPtables is not installed")
}
```
![Page 22: Building a Hyper-Secure VPC on AWS with Puppet - PuppetConf 2013](https://reader033.vdocuments.mx/reader033/viewer/2022051512/54035a4b8d7f72444d8b462e/html5/thumbnails/22.jpg)
Tags: order is important
![Page 23: Building a Hyper-Secure VPC on AWS with Puppet - PuppetConf 2013](https://reader033.vdocuments.mx/reader033/viewer/2022051512/54035a4b8d7f72444d8b462e/html5/thumbnails/23.jpg)
Central Logging

Rsyslog => Graylog2

Actual IP of the Graylog2 host is in Hiera

```erb
# /etc/rsyslog.conf
# Forward all logs to the central logging server
# (udp forwarding: a single @; @@ would forward over tcp)
*.* @<%= central_log_app_server %>
```
![Page 24: Building a Hyper-Secure VPC on AWS with Puppet - PuppetConf 2013](https://reader033.vdocuments.mx/reader033/viewer/2022051512/54035a4b8d7f72444d8b462e/html5/thumbnails/24.jpg)
![Page 25: Building a Hyper-Secure VPC on AWS with Puppet - PuppetConf 2013](https://reader033.vdocuments.mx/reader033/viewer/2022051512/54035a4b8d7f72444d8b462e/html5/thumbnails/25.jpg)
Sorting / Searching / Alerting / Graphing
...basically a SIEM on the cheap
![Page 26: Building a Hyper-Secure VPC on AWS with Puppet - PuppetConf 2013](https://reader033.vdocuments.mx/reader033/viewer/2022051512/54035a4b8d7f72444d8b462e/html5/thumbnails/26.jpg)
Network traffic logging
Why?
AWS Security Groups and Network ACLs don't log anything
![Page 27: Building a Hyper-Secure VPC on AWS with Puppet - PuppetConf 2013](https://reader033.vdocuments.mx/reader033/viewer/2022051512/54035a4b8d7f72444d8b462e/html5/thumbnails/27.jpg)
Network traffic logging
How?
Puppet + IPtables + Rsyslog + Graylog2
Extending the puppetlabs_firewall module from the forge: https://forge.puppetlabs.com/puppetlabs/firewall
![Page 28: Building a Hyper-Secure VPC on AWS with Puppet - PuppetConf 2013](https://reader033.vdocuments.mx/reader033/viewer/2022051512/54035a4b8d7f72444d8b462e/html5/thumbnails/28.jpg)
Allow / Drop / Log
1. Allow or Drop connections
2. Tag initial connections, on both dropped and allowed
3. Don't tag established and related connections
4. Log to Graylog2 via rsyslog
![Page 29: Building a Hyper-Secure VPC on AWS with Puppet - PuppetConf 2013](https://reader033.vdocuments.mx/reader033/viewer/2022051512/54035a4b8d7f72444d8b462e/html5/thumbnails/29.jpg)
Allow / Drop / Log

Let Related and Established pass through unharmed

```puppet
# Ordered first (000) so packets of existing connections never reach the logging rules
firewall { "000 INPUT allow related and established":
  chain  => "INPUT",
  proto  => "all",
  state  => ["RELATED", "ESTABLISHED"],
  action => "accept",
}
```
![Page 30: Building a Hyper-Secure VPC on AWS with Puppet - PuppetConf 2013](https://reader033.vdocuments.mx/reader033/viewer/2022051512/54035a4b8d7f72444d8b462e/html5/thumbnails/30.jpg)
Allow / Drop / Log

```puppet
# A dedicated chain for all NEW connections
firewallchain { 'LOGNEW:filter:IPv4':
  ensure => present,
}

# Tag them with a prefix and jump them to the LOG target
firewall { "100 Log all NEW connections":
  chain      => "LOGNEW",
  log_level  => "info",
  log_prefix => "FIREWALL TCP INBOUND",
  jump       => "LOG",
}

# Then accept the connection
firewall { "101 Accept the connection":
  chain  => "LOGNEW",
  action => "accept",
}
```

Create a "LOGNEW" chain for all NEW connections. Tag them with a prefix and jump them to the LOG target. Then accept the connections.
![Page 31: Building a Hyper-Secure VPC on AWS with Puppet - PuppetConf 2013](https://reader033.vdocuments.mx/reader033/viewer/2022051512/54035a4b8d7f72444d8b462e/html5/thumbnails/31.jpg)
Allow / Drop / Log

Jump your allowed traffic to the LOGNEW chain

```puppet
firewall { "100 allow ssh":
  proto => "tcp",
  dport => "22",
  state => ["NEW"],
  jump  => "LOGNEW",
}
```
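Once the LOG rules are forwarded through rsyslog to Graylog2, the prefix is what you search and alert on. The following Ruby script is an added example, not code from the talk or from the puppetlabs-firewall module: it parses kernel log lines of the shape the iptables LOG target emits, groups NEW connections by source and flags sources that touched more than a set number of destination ports. The log lines are constructed for this example; the "FIREWALL DROP INBOUND" prefix for dropped connections is an assumption (the slides only show the prefix used for accepted ones).

```ruby
# Constructed sample of rsyslog lines as they would arrive at the central log host.
# "FIREWALL TCP INBOUND" is the prefix from the LOGNEW chain above;
# "FIREWALL DROP INBOUND" is an assumed prefix for a matching drop-logging chain.
SAMPLE_LOG = <<~LOG
  Oct  2 10:15:01 web-1a kernel: FIREWALL TCP INBOUND IN=eth0 OUT= MAC=02:00:00:00:00:01 SRC=10.0.2.15 DST=10.0.1.20 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
  Oct  2 10:15:03 web-1a kernel: FIREWALL TCP INBOUND IN=eth0 OUT= MAC=02:00:00:00:00:01 SRC=10.0.2.15 DST=10.0.1.20 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2 DF PROTO=TCP SPT=51240 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
  Oct  2 10:15:04 web-1a sshd[2201]: Accepted publickey for deploy from 10.0.2.15 port 51240 ssh2
  Oct  2 10:15:07 web-1a kernel: FIREWALL DROP INBOUND IN=eth0 OUT= MAC=02:00:00:00:00:01 SRC=198.51.100.7 DST=10.0.1.20 LEN=44 TOS=0x00 PREC=0x00 TTL=52 ID=3 PROTO=TCP SPT=40001 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
  Oct  2 10:15:07 web-1a kernel: FIREWALL DROP INBOUND IN=eth0 OUT= MAC=02:00:00:00:00:01 SRC=198.51.100.7 DST=10.0.1.20 LEN=44 TOS=0x00 PREC=0x00 TTL=52 ID=4 PROTO=TCP SPT=40002 DPT=3389 WINDOW=1024 RES=0x00 SYN URGP=0
  Oct  2 10:15:08 web-1a kernel: FIREWALL DROP INBOUND IN=eth0 OUT= MAC=02:00:00:00:00:01 SRC=198.51.100.7 DST=10.0.1.20 LEN=44 TOS=0x00 PREC=0x00 TTL=52 ID=5 PROTO=TCP SPT=40003 DPT=8080 WINDOW=1024 RES=0x00 SYN URGP=0
  Oct  2 10:15:09 web-1a kernel: FIREWALL TCP INBOUND IN=eth0 OUT= MAC=02:00:00:00:00:01 SRC=198.51.100.7 DST=10.0.1.20 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=6 DF PROTO=TCP SPT=40004 DPT=80 WINDOW=1024 RES=0x00 SYN URGP=0
LOG

# Syslog header followed by the iptables prefix, which runs up to the first "IN=" field.
HEADER_RE = /\A(?<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?<host>\S+) kernel: (?<prefix>.*?)IN=/
# The rest of the line is KEY=VALUE pairs; bare flags like DF or SYN are skipped.
FIELD_RE  = /(\w+)=(\S*)/

# Returns a hash for a firewall LOG line, or nil for any other syslog line.
def parse_firewall_line(line)
  m = HEADER_RE.match(line)
  return nil unless m
  fields = line[m.end(:prefix)..-1].scan(FIELD_RE).to_h
  {
    ts:      m[:ts],
    host:    m[:host],
    prefix:  m[:prefix].strip,
    src:     fields['SRC'],
    dst:     fields['DST'],
    proto:   fields['PROTO'],
    dpt:     fields['DPT'].to_i,
    dropped: m[:prefix].include?('DROP'),
  }
end

# Per-source summary of NEW connections: total, how many were dropped,
# and the sorted set of destination ports touched.
def new_connection_summary(log)
  events = log.each_line.map { |l| parse_firewall_line(l) }.compact
  events.group_by { |e| e[:src] }.map do |src, evs|
    [src, {
      count:   evs.size,
      dropped: evs.count { |e| e[:dropped] },
      ports:   evs.map { |e| e[:dpt] }.uniq.sort,
    }]
  end.to_h
end

# Simple alerting rule: a source touching more than max_ports distinct
# destination ports in the window is worth a look.
def suspicious_sources(log, max_ports: 3)
  new_connection_summary(log).select { |_, s| s[:ports].size > max_ports }.keys.sort
end

if __FILE__ == $PROGRAM_NAME
  new_connection_summary(SAMPLE_LOG).each { |src, s| puts "#{src}: #{s.inspect}" }
  puts "suspicious: #{suspicious_sources(SAMPLE_LOG).inspect}"
end
```

The same grouping is what a Graylog2 stream rule on the prefix gives you interactively; doing it in code shows which fields the LOG target actually provides and why the log_prefix, not the chain name, is the only thing that ties a line back to the Puppet rule that produced it.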
![Page 32: Building a Hyper-Secure VPC on AWS with Puppet - PuppetConf 2013](https://reader033.vdocuments.mx/reader033/viewer/2022051512/54035a4b8d7f72444d8b462e/html5/thumbnails/32.jpg)
Exceptions...
Proxies
DNS
Database running nodes
Other bridging type nodes
![Page 33: Building a Hyper-Secure VPC on AWS with Puppet - PuppetConf 2013](https://reader033.vdocuments.mx/reader033/viewer/2022051512/54035a4b8d7f72444d8b462e/html5/thumbnails/33.jpg)
Custom Facter to the rescue!
IP ranges match the GRID
Availability zone
Tier
![Page 34: Building a Hyper-Secure VPC on AWS with Puppet - PuppetConf 2013](https://reader033.vdocuments.mx/reader033/viewer/2022051512/54035a4b8d7f72444d8b462e/html5/thumbnails/34.jpg)
Av. Zone custom Fact

```ruby
# Custom fact: derive the availability zone from the node's IP address.
# The last-octet ranges follow the /26 subnets of the grid.
def get_avzone
  ipaddress = Facter.value(:ipaddress)
  if Facter.value(:tier) == "management"
    "zone_1b"
  elsif ipaddress =~ /\.([0-9]|[1-5][0-9]|6[0-2])$/                # .0 - .62
    "zone_1a"
  elsif ipaddress =~ /\.(6[5-9]|[789][0-9]|1[0-1][0-9]|12[0-6])$/  # .65 - .126
    "zone_1b"
  elsif ipaddress =~ /\.(129|1[3-8][0-9]|190)$/                    # .129 - .190
    "zone_1c"
  else
    "default"
  end
end

Facter.add(:avzone) do
  setcode { get_avzone }
end
```
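The fact above only maps the availability zone, from last-octet ranges, and takes the tier from a separate fact. As an added example (not the speaker's code), the Ruby below generalizes it to the whole grid from the design principles, three zones times three tiers plus a management subnet, using IPAddr ranges instead of regular expressions. The subnet layout is an assumption made for this example: one /24 per tier, carved into three /26 blocks, one per zone, which is consistent with the last-octet boundaries on the slide. The Facter registration at the end only runs when the file is loaded by Facter, so the lookup can be tested on its own.

```ruby
require 'ipaddr'

# Assumed grid layout for this example (not from the talk): one /24 per tier.
TIER_SUBNETS = {
  'management' => '10.0.0.0/24',
  'web'        => '10.0.1.0/24',
  'app'        => '10.0.2.0/24',
  'data'       => '10.0.3.0/24',
}.freeze

# Each tier /24 is split into three /26 blocks, one per availability zone,
# so the zone follows from the last octet: .0-.63, .64-.127, .128-.191.
ZONE_OFFSETS = {
  'zone_1a' => 0,
  'zone_1b' => 64,
  'zone_1c' => 128,
}.freeze

# Returns { tier:, av_zone: } for an address; anything outside the grid,
# or not an address at all, yields 'default' so the catalog still compiles.
def grid_lookup(ip_str)
  ip = IPAddr.new(ip_str)
  tier_entry = TIER_SUBNETS.find { |_, cidr| IPAddr.new(cidr).include?(ip) }
  return { tier: 'default', av_zone: 'default' } if tier_entry.nil?
  tier = tier_entry.first
  # The management subnet lives in a single zone, as on the slide.
  return { tier: tier, av_zone: 'zone_1b' } if tier == 'management'
  last_octet = ip.to_i & 0xff
  zone_entry = ZONE_OFFSETS.find { |_, base| (base...(base + 64)).cover?(last_octet) }
  { tier: tier, av_zone: zone_entry ? zone_entry.first : 'default' }
rescue IPAddr::Error
  { tier: 'default', av_zone: 'default' }
end

# Register both values as custom facts when loaded by Facter.
if defined?(Facter)
  Facter.add(:tier)    { setcode { grid_lookup(Facter.value(:ipaddress))[:tier] } }
  Facter.add(:av_zone) { setcode { grid_lookup(Facter.value(:ipaddress))[:av_zone] } }
end
```

Because the firewall exceptions (proxies, DNS, database nodes) are selected by these facts, the 'default' fallback matters: a node whose address falls outside the grid ends up with no tier-specific rules rather than with someone else's.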
![Page 35: Building a Hyper-Secure VPC on AWS with Puppet - PuppetConf 2013](https://reader033.vdocuments.mx/reader033/viewer/2022051512/54035a4b8d7f72444d8b462e/html5/thumbnails/35.jpg)
Done!
![Page 36: Building a Hyper-Secure VPC on AWS with Puppet - PuppetConf 2013](https://reader033.vdocuments.mx/reader033/viewer/2022051512/54035a4b8d7f72444d8b462e/html5/thumbnails/36.jpg)
Good / Bad / Plain Ugly
![Page 37: Building a Hyper-Secure VPC on AWS with Puppet - PuppetConf 2013](https://reader033.vdocuments.mx/reader033/viewer/2022051512/54035a4b8d7f72444d8b462e/html5/thumbnails/37.jpg)
Good
Community!
![Page 38: Building a Hyper-Secure VPC on AWS with Puppet - PuppetConf 2013](https://reader033.vdocuments.mx/reader033/viewer/2022051512/54035a4b8d7f72444d8b462e/html5/thumbnails/38.jpg)
Good
Graylog2 is great and extremely flexible
![Page 39: Building a Hyper-Secure VPC on AWS with Puppet - PuppetConf 2013](https://reader033.vdocuments.mx/reader033/viewer/2022051512/54035a4b8d7f72444d8b462e/html5/thumbnails/39.jpg)
Good
VPC is the way to go on AWS
CloudFormation's power is incredible
![Page 40: Building a Hyper-Secure VPC on AWS with Puppet - PuppetConf 2013](https://reader033.vdocuments.mx/reader033/viewer/2022051512/54035a4b8d7f72444d8b462e/html5/thumbnails/40.jpg)
Bad

Performance of large catalogs with Puppet 2.7

```puppet
# Recursive file resources over large trees are expensive in 2.7;
# ignore what you can and skip checksumming
file { "/etc/somedirectory":
  recurse  => true,
  ignore   => ["work", "temp", "log"],
  checksum => none,
}
```

Hiera-GPG is cumbersome to say the least
![Page 41: Building a Hyper-Secure VPC on AWS with Puppet - PuppetConf 2013](https://reader033.vdocuments.mx/reader033/viewer/2022051512/54035a4b8d7f72444d8b462e/html5/thumbnails/41.jpg)
Bad
JSON notation of CloudFormation templates
...meh
Tip: CFNDSL = Ruby DSL for CloudFormation templates
https://github.com/howech/cfndsl
![Page 42: Building a Hyper-Secure VPC on AWS with Puppet - PuppetConf 2013](https://reader033.vdocuments.mx/reader033/viewer/2022051512/54035a4b8d7f72444d8b462e/html5/thumbnails/42.jpg)
Ugly
Unified state and lifecycle management
![Page 43: Building a Hyper-Secure VPC on AWS with Puppet - PuppetConf 2013](https://reader033.vdocuments.mx/reader033/viewer/2022051512/54035a4b8d7f72444d8b462e/html5/thumbnails/43.jpg)
Ugly
Everything is automated, but using its own:
1. DSL
2. Authentication / Authorization
3. Paradigms
4. Versioning
5. You name it...
![Page 44: Building a Hyper-Secure VPC on AWS with Puppet - PuppetConf 2013](https://reader033.vdocuments.mx/reader033/viewer/2022051512/54035a4b8d7f72444d8b462e/html5/thumbnails/44.jpg)
Ugly
One single source of truth for:
1. Audit trail / logging
2. Instance status
3. Application status
4. CRUD actions on the whole infrastructure
![Page 45: Building a Hyper-Secure VPC on AWS with Puppet - PuppetConf 2013](https://reader033.vdocuments.mx/reader033/viewer/2022051512/54035a4b8d7f72444d8b462e/html5/thumbnails/45.jpg)
Hope?!
RightScale, Scalr, Cloudify and similar? AWS OpsWorks?
![Page 46: Building a Hyper-Secure VPC on AWS with Puppet - PuppetConf 2013](https://reader033.vdocuments.mx/reader033/viewer/2022051512/54035a4b8d7f72444d8b462e/html5/thumbnails/46.jpg)
Hope?!
Not third party or a plugin
Part of the core
Not SaaS only
Enterprise
Cloud Provisioning, Configuration Management and Application Deployment
![Page 47: Building a Hyper-Secure VPC on AWS with Puppet - PuppetConf 2013](https://reader033.vdocuments.mx/reader033/viewer/2022051512/54035a4b8d7f72444d8b462e/html5/thumbnails/47.jpg)
Rant over...
![Page 48: Building a Hyper-Secure VPC on AWS with Puppet - PuppetConf 2013](https://reader033.vdocuments.mx/reader033/viewer/2022051512/54035a4b8d7f72444d8b462e/html5/thumbnails/48.jpg)
Questions?