Chicago AWS meetup

Updates, Security & Monitoring
Scott Paddock - Security Solutions Architect

Posted 11 April 2017

Page 1: Chicago AWS meetup

Updates, Security & Monitoring
Scott Paddock - Security Solutions Architect

Page 2

Preface

• Healthcare and Life Sciences are highly regulated

• Success in compliance efforts involves focused architecture

• AWS has resources to help support you

• This deck focuses on security and monitoring, but there are more tools to enable success

• Please feel free to connect with us for more information

Page 3

Agenda

• What’s new
• Services that help security monitoring
• What to look out for
• Building upon each other
• This just in…


Page 5

AWS Key Management Service (KMS)

New! Thick client for encryption using KMS

• Description: A thick client in Java that enables customers to encrypt data locally in their applications using keys in KMS.

• Customer Value: Currently, customers have to use their own encryption client to encrypt data in their applications using keys in KMS. With this client, customers get an end-to-end encryption and key management solution using KMS.

Page 6

[Just in case] What is AWS Config?

AWS Config is a fully managed service that provides you with an inventory of your AWS resources, lets you audit the resource configuration history and notifies you of resource configuration changes

[Diagram: changing resources → AWS Config continuous change recording → history, stream, snapshot (e.g. 2014-11-05)]

Page 7

AWS Config New Features

Region Expansion - Launched
• Description: Availability in public regions PDX (us-west-2), DUB (eu-west-1), NRT (ap-northeast-1), FRA (eu-central-1)

Special Regions
• Description: Availability in special regions, such as GovCloud, BJS (China, Beijing), …

Selective Resources
• Description: Select a subset of AWS resources for AWS Config to track
• Customer Value: Customers can monitor (and pay for) only a subset of resources in the account

Page 8

AWS CloudTrail Roadmap

Turn on CloudTrail in all regions from one region
• Description: Turning on CloudTrail in one region ensures that activity in all regions is delivered to one S3 bucket and, optionally, one CloudWatch Logs log group.

Support for log file attestation (log file integrity validation)
• Description: Customers receive a log digest file and can determine whether a log file has been modified, deleted, or left unchanged since CloudTrail delivered it.

Page 9

AWS Identity & Access Management (IAM)

Preview of SMS Multi-Factor Authentication (MFA)
• Description: This release enables customers to use the text messaging functionality of a mobile phone to verify the identity of IAM users using MFA.
• Customer Value: SMS MFA provides an easy-to-use, easy-to-administer, and familiar option that works on all devices that can receive a text message. It is also the weakest second factor (a phone number can be ported or intercepted), so prefer virtual or hardware MFA devices for privileged users.

Policy Simulator Enhancements
• Description: Policy simulator APIs, support for resource-level policies within the policy simulator, and service-specific simulations (for example, enhanced EC2 simulations).
• Customer Value: Run the policy simulator programmatically through the CLI or SDK for an easier way to audit IAM settings; improved understanding and testing of permissions.

Page 10

IAM – Even More

Service Last Accessed Data
• Description: The IAM console now displays service last accessed data that shows the hour when an IAM entity (a user, group, or role) last accessed an AWS service.
• Customer Value: Knowing if and when an IAM entity last exercised a permission helps you remove unnecessary rights and tighten your IAM policies with less effort.

IAM Console Search
• Description: Search for users, groups, roles, policies, identity providers, help topics, etc. Also search for users by access key ID.
• Customer Value: A single place to find the IAM object you are looking for in the console.

AWS STS Active by Default in All AWS Regions
• Description: AWS Security Token Service (STS) is now active by default in all AWS regions, which means that applications and services can call AWS STS in a region geographically closer to you.
• Customer Value: Optimized latencies, availability, and performance for applications using AWS STS.

Page 11

CloudWatch

CloudWatch Dashboards
• Description: Customers can compose and save collections of graphs, alarms, and metrics. Dashboards can be shared with other users. Templates are available for common use cases.
• Customer Value: Provides an operational view on a single screen to increase visibility and speed troubleshooting by summarizing data and allowing users to focus on what’s important. Templates make it easier to get started; customization adds flexibility and control.

On-Instance Software Agent
• Description: Customers can install and run a software agent that publishes system and application metrics to CloudWatch, including OS performance/utilization and metrics for popular applications. Customers can also create plugins to send additional data.
• Customer Value: Provides a simple tool to publish data not available in logs.

Page 12

AWS Virtual Private Cloud (VPC)

S3 Endpoints in VPC
• Description: Access S3 from a VPC through a private endpoint, eliminating the need for an internet gateway. A bucket policy can also restrict a bucket to requests arriving through a specific endpoint (the aws:sourceVpce condition key), so the bucket is reachable only from that VPC.
• Customer Value: More secure access to S3 without the need for an internet gateway.

VPC Flow Logging
• Description: Log traffic that is accepted, rejected, or both, by security groups or network ACLs. Logging can be applied to an interface, a subnet, or a VPC.
• Customer Value: Creates records for auditing purposes and provides a tool for troubleshooting and attack detection.
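The bucket-side half of the S3 endpoint point above, as an added example that is not part of the deck: a bucket policy that denies everything not arriving through one VPC endpoint, beside the check an auditor would run over get-bucket-policy output to confirm the restriction is really there. The bucket name, the endpoint ID and the function names are assumptions.

```python
import json
from typing import Any, Dict, List

# Assumed identifiers for the example.
BUCKET = "example-phi-bucket"
VPCE_ID = "vpce-0123456789abcdef0"


def vpce_only_bucket_policy(bucket: str, vpce_id: str) -> Dict[str, Any]:
    """Deny every S3 action on the bucket unless the request came through vpce_id.

    An explicit Deny wins over any Allow, so this also locks out console and CLI
    access from outside the VPC, including the administrator who applies it.
    Apply it from inside the VPC, or keep a break-glass path, before rolling out.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AccessOnlyViaVpcEndpoint",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
            "Condition": {"StringNotEquals": {"aws:sourceVpce": vpce_id}},
        }],
    }


def _as_list(value: Any) -> List[Any]:
    # Policy JSON allows a bare string wherever a list is expected.
    return value if isinstance(value, list) else [value]


def restricts_to_vpce(policy: Dict[str, Any], bucket: str, vpce_id: str) -> bool:
    """True if some Deny statement blocks all S3 actions on the bucket and its
    objects whenever aws:sourceVpce is anything other than exactly vpce_id."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Deny":
            continue
        actions = _as_list(stmt.get("Action", []))
        if "s3:*" not in actions and "*" not in actions:
            continue
        resources = set(_as_list(stmt.get("Resource", [])))
        if not ({bucket_arn, bucket_arn + "/*"} <= resources or "*" in resources):
            continue
        # Condition keys are matched case-insensitively by IAM, so normalise them.
        cond = {k.lower(): v for k, v in stmt.get("Condition", {}).get("StringNotEquals", {}).items()}
        allowed = set(_as_list(cond.get("aws:sourcevpce", [])))
        if allowed == {vpce_id}:
            return True
    return False


if __name__ == "__main__":
    print(json.dumps(vpce_only_bucket_policy(BUCKET, VPCE_ID), indent=2))
```

The check deliberately requires the Deny to cover both the bucket ARN and the object ARN; a statement that only covers objects still lets anyone outside the VPC list the bucket.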

Page 13

AWS VPC (continued)

Managed Network Address Translation (NAT)
• Description: A managed NAT service that lets backend servers connect to the internet or other AWS services.
• Customer Value: Backend servers do not need a public IP address, and the gateway scales its bandwidth automatically. It is built with redundancy inside its Availability Zone, so it is not a single point of failure there; deploy one per Availability Zone if a zone outage must not take down outbound connectivity.

Page 14

Agenda

• What’s new
• Services that help security monitoring
• What to look out for
• Building upon each other
• This just in…

Page 15

AWS CloudTrail & CloudWatch

AWS CloudTrail
• Enable globally for all AWS Regions
• Encryption & integrity validation
• Archive & forward

Amazon CloudWatch / CloudWatch Logs
• Metrics & filters
• Alarms & notifications
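The integrity validation on this slide, and the digest files from the page 8 roadmap, can be re-checked offline. The block below is an added example, not from the deck and not AWS's own validator: it builds a small in-memory stand-in for the trail bucket (two gzipped log files and two chained digest files, all constructed, with placeholder signatures), checks every hash a digest records, and reconstructs the string CloudTrail signs for a digest so the hex signature in the object's S3 metadata can be verified against the key from ListPublicKeys with a crypto library of your choice. The bucket name, account ID, object keys and the RSA step being left to the caller are assumptions; that the hashes cover the decompressed content, and that the literal "null" stands in for the first digest's missing previous signature, follow the CLI's validate-logs implementation.

```python
import gzip
import hashlib
import json
from typing import Callable, Dict, List, Optional

# Assumed names for the example.
BUCKET = "example-trail-bucket"
ACCOUNT = "123456789012"
LOG_A = f"AWSLogs/{ACCOUNT}/CloudTrail/us-east-1/2015/10/01/log-a.json.gz"
LOG_B = f"AWSLogs/{ACCOUNT}/CloudTrail/us-east-1/2015/10/01/log-b.json.gz"
DIGEST_1 = f"AWSLogs/{ACCOUNT}/CloudTrail-Digest/us-east-1/2015/10/01/digest-1.json.gz"
DIGEST_2 = f"AWSLogs/{ACCOUNT}/CloudTrail-Digest/us-east-1/2015/10/01/digest-2.json.gz"

# fetch(bucket, key) -> the stored (gzip-compressed) object, or None if it is gone.
# In production this wraps S3 GetObject; the example reads from a dict instead.
Fetch = Callable[[str, str], Optional[bytes]]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def inflate(stored: bytes) -> bytes:
    """CloudTrail hashes the decompressed content, not the gzip bytes stored in S3."""
    return gzip.decompress(stored)


def gz(data: bytes) -> bytes:
    return gzip.compress(data, mtime=0)


def verify_digest(bucket: str, key: str, fetch: Fetch) -> List[str]:
    """Return integrity findings for one digest file (an empty list means clean).

    Checks that every log file listed in the digest is still present and hashes to
    the recorded value, and that the previous digest in the chain is present and
    hashes to previousDigestHashValue.
    """
    findings: List[str] = []
    raw = fetch(bucket, key)
    if raw is None:
        return [f"digest {key} is missing"]
    digest = json.loads(inflate(raw))
    for entry in digest["logFiles"]:
        data = fetch(entry["s3Bucket"], entry["s3Object"])
        if data is None:
            findings.append(f"log file {entry['s3Object']} deleted")
        elif sha256_hex(inflate(data)) != entry["hashValue"]:
            findings.append(f"log file {entry['s3Object']} modified")
    prev_key = digest.get("previousDigestS3Object")
    if prev_key:
        prev = fetch(digest["previousDigestS3Bucket"], prev_key)
        if prev is None:
            findings.append(f"previous digest {prev_key} deleted (chain broken)")
        elif sha256_hex(inflate(prev)) != digest["previousDigestHashValue"]:
            findings.append(f"previous digest {prev_key} modified")
    return findings


def string_to_sign(stored_digest: bytes) -> str:
    """The string CloudTrail signs for a digest file. Verify the 'signature' S3
    metadata (hex) over this string with the public key from ListPublicKeys; the
    first digest in a chain has no previous signature and uses the literal 'null'."""
    inflated = inflate(stored_digest)
    d = json.loads(inflated)
    previous = d.get("previousDigestSignature") or "null"
    return f"{d['digestEndTime']}\n{d['digestS3Bucket']}/{d['digestS3Object']}\n{sha256_hex(inflated)}\n{previous}"


def build_store() -> Dict[str, bytes]:
    """Constructed bucket contents: two log files and two chained digests.
    The previousDigestSignature placeholder is not a real RSA signature."""
    store: Dict[str, bytes] = {
        LOG_A: gz(json.dumps({"Records": [{"eventName": "RunInstances"}]}).encode()),
        LOG_B: gz(json.dumps({"Records": [{"eventName": "StopLogging"}]}).encode()),
    }

    def add_digest(key: str, start: str, end: str, log_keys: List[str], prev_key: Optional[str]) -> None:
        body = {
            "awsAccountId": ACCOUNT,
            "digestStartTime": start,
            "digestEndTime": end,
            "digestS3Bucket": BUCKET,
            "digestS3Object": key,
            "digestSignatureAlgorithm": "SHA256withRSA",
            "previousDigestS3Bucket": BUCKET if prev_key else None,
            "previousDigestS3Object": prev_key,
            "previousDigestHashValue": sha256_hex(inflate(store[prev_key])) if prev_key else None,
            "previousDigestHashAlgorithm": "SHA-256" if prev_key else None,
            "previousDigestSignature": "00" * 256 if prev_key else None,
            "logFiles": [{"s3Bucket": BUCKET, "s3Object": k, "hashAlgorithm": "SHA-256",
                          "hashValue": sha256_hex(inflate(store[k]))} for k in log_keys],
        }
        store[key] = gz(json.dumps(body).encode())

    add_digest(DIGEST_1, "2015-10-01T00:00:00Z", "2015-10-01T01:00:00Z", [LOG_A], None)
    add_digest(DIGEST_2, "2015-10-01T01:00:00Z", "2015-10-01T02:00:00Z", [LOG_B], DIGEST_1)
    return store


def fetch_from(store: Dict[str, bytes]) -> Fetch:
    """Adapter so the verifier can read the constructed store like a bucket."""
    return lambda bucket, key: store.get(key) if bucket == BUCKET else None
```

Walk the chain newest-first: verify the latest digest, then follow previousDigestS3Object back in time. A deleted log file shows up as a missing object; a modified one as a hash mismatch; a deleted digest breaks the chain, which is itself the finding.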

Page 16

VPC Flow Logs
• Agentless
• Enable per ENI, per subnet, or per VPC
• Logged to AWS CloudWatch Logs
• Create CloudWatch metrics from log data
• Alarm on those metrics

Each record captures: AWS account, interface, source IP, destination IP, source port, destination port, protocol, packets, bytes, start/end time, accept or reject

Page 17

Flow Log Record Structure

Field | Sample value
Event version | 2
Account number | 123456789
ENI ID | eni-31607853
Source IP | 172.16.0.10
Destination IP | 172.16.0.172
Source port | 80
Destination port | 41707
Protocol number | 6 (TCP)
Number of packets | 1
Number of bytes | 40
Start time window | 1440402534
End time window | 1440402589
Action | ACCEPT
State | OK

Sample record as logged:

2 123456789 eni-31607853 172.16.0.10 172.16.0.172 80 41707 6 1 40 1440402534 1440402589 ACCEPT OK
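The record layout above, parsed and run through three detections of the kind page 16 suggests building metrics and alarms on. This is an added example, not part of the deck: the first log line is the deck's sample record, while the remaining lines, the VPC CIDR 172.16.0.0/16, the thresholds and the function names are constructed for the example. The per-source REJECT count is the number a CloudWatch metric filter over the log group would emit.

```python
import ipaddress
from collections import defaultdict
from typing import Dict, List, Optional, Set, Tuple

# Version-2 VPC Flow Log record layout, in the order the fields appear on a line.
FIELDS = ("version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes",
          "start", "end", "action", "log_status")
INT_FIELDS = {"srcport", "dstport", "protocol", "packets", "bytes", "start", "end"}

# Assumed for the example: address space of the monitored VPC. Anything outside it is
# "external". ipaddress.is_private is deliberately not used, because it also classifies
# the RFC 5737 documentation ranges used in the sample below as private.
VPC_CIDRS = [ipaddress.ip_network("172.16.0.0/16")]

Record = Dict[str, Optional[object]]


def parse_record(line: str) -> Record:
    """Split one space-delimited flow log line into a typed dict.

    NODATA/SKIPDATA records carry '-' in the address, port and counter fields;
    those come back as None instead of failing the parse.
    """
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
    if parts[0] != "2":
        raise ValueError(f"unsupported flow log version {parts[0]!r}")
    rec: Record = {}
    for name, value in zip(FIELDS, parts):
        if value == "-":
            rec[name] = None
        elif name in INT_FIELDS:
            rec[name] = int(value)
        else:
            rec[name] = value
    return rec


def parse_log(text: str) -> List[Record]:
    return [parse_record(line) for line in text.splitlines() if line.strip()]


def is_internal(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in VPC_CIDRS)


def rejects_by_source(records: List[Record]) -> Dict[str, int]:
    """REJECTed flows per source address: the metric a CloudWatch alarm would watch."""
    counts: Dict[str, int] = defaultdict(int)
    for r in records:
        if r["action"] == "REJECT" and r["srcaddr"] is not None:
            counts[r["srcaddr"]] += 1
    return dict(counts)


def port_scan_sources(records: List[Record], min_ports: int = 10) -> Set[Tuple[str, str]]:
    """(src, dst) pairs where one source was rejected on at least min_ports distinct ports."""
    ports: Dict[Tuple[str, str], Set[int]] = defaultdict(set)
    for r in records:
        if r["action"] == "REJECT" and r["srcaddr"] is not None and r["dstport"] is not None:
            ports[(r["srcaddr"], r["dstaddr"])].add(r["dstport"])
    return {pair for pair, seen in ports.items() if len(seen) >= min_ports}


def accepted_admin_from_external(records: List[Record], admin_ports=(22, 3389)) -> List[Record]:
    """ACCEPTed flows to SSH/RDP from outside the VPC: a security group let them in."""
    return [r for r in records
            if r["action"] == "ACCEPT" and r["srcaddr"] is not None
            and r["dstport"] in admin_ports and not is_internal(r["srcaddr"])]


# Constructed sample log. Line 1 is the deck's record; the rest are made up: a TCP
# connect scan of ports 20-31 from 203.0.113.5, an accepted SSH session from
# 198.51.100.7, and one NODATA record.
SAMPLE_LOG = "\n".join(
    ["2 123456789 eni-31607853 172.16.0.10 172.16.0.172 80 41707 6 1 40 1440402534 1440402589 ACCEPT OK"]
    + [f"2 123456789 eni-31607853 203.0.113.5 172.16.0.10 54321 {port} 6 1 44 1440402600 1440402659 REJECT OK"
       for port in range(20, 32)]
    + ["2 123456789 eni-31607853 198.51.100.7 172.16.0.10 40001 22 6 12 1500 1440402660 1440402719 ACCEPT OK",
       "2 123456789 eni-31607853 - - - - - - - 1440402720 1440402779 - NODATA"]
)

if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("rejects by source:", rejects_by_source(recs))
    print("port scanners:", port_scan_sources(recs))
    print("external admin access:", [(r["srcaddr"], r["dstport"]) for r in accepted_admin_from_external(recs)])
```

Flow logs are aggregated per capture window, so one record can stand for many packets; thresholds should be tuned on the packet and byte counters as well as on record counts before an alarm goes to a pager.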

Page 18

VPC Flow Logs

• Amazon Elasticsearch Service

• Amazon CloudWatch Logs subscriptions

Page 19

VPC Flow Logs – CloudWatch Alarms

Page 20

AWS Config & Config Rules

AWS Config
• Record configuration changes continuously
• Time-series view of resource changes
• Archive & compare

AWS Config Rules
• Enforce best practices
• Detect unwanted changes and trigger additional workflow (for example, automatically rolling the change back)

Page 21

AWS Config – VPC Example

Pages 22-24

AWS Config Rules – Tenancy Enforcement Example

Page 25

AWS Config Partners

Page 26

Agenda

• What’s new
• Services that help security monitoring
• What to look out for
• Building upon each other
• This just in…

Page 27

What are we looking for?

• Billing
• API activity
• Changes to resources
• Application activity
• Network activity

Page 28

Detailed Billing

Billing information is logged daily to S3

Also visible in the Billing console

Alarms can be set on billing data to alert on unexpected activity

Page 29

Sample Records

ItemDescription | UsageStartDate | UsageEndDate | UsageQuantity | CurrencyCode | CostBeforeTax | Credits | TaxAmount | TaxType | TotalCost
$0.000 per GB - regional data transfer under the monthly global free tier | 01.04.14 00:00 | 30.04.14 23:59 | 0.00000675 | USD | 0.00 | 0.0 | 0.000000 | None | 0.000000
$0.05 per GB-month of provisioned storage - US West (Oregon) | 01.04.14 00:00 | 30.04.14 23:59 | 11.26666554 | USD | 0.56 | 0.0 | 0.000000 | None | 0.560000
First 1,000,000 Amazon SNS API Requests per month are free | 01.04.14 00:00 | 30.04.14 23:59 | 10.0 | USD | 0.00 | 0.0 | 0.000000 | None | 0.000000
First 1,000,000 Amazon SQS Requests per month are free | 01.04.14 00:00 | 30.04.14 23:59 | 4153.0 | USD | 0.00 | 0.0 | 0.000000 | None | 0.000000
$0.00 per GB - EU (Ireland) data transfer from US West (Northern California) | 01.04.14 00:00 | 30.04.14 23:59 | 0.00003292 | USD | 0.00 | 0.0 | 0.000000 | None | 0.000000
$0.000 per GB - data transfer out under the monthly global free tier | 01.04.14 00:00 | 30.04.14 23:59 | 0.02311019 | USD | 0.00 | 0.0 | 0.000000 | None | 0.000000
First 1,000,000 Amazon SNS API Requests per month are free | 01.04.14 00:00 | 30.04.14 23:59 | 88.0 | USD | 0.00 | 0.0 | 0.000000 | None | 0.000000
$0.000 per GB - data transfer out under the monthly global free tier | 01.04.14 00:00 | 30.04.14 23:59 | 3.3E-7 | USD | 0.00 | 0.0 | 0.000000 | None | 0.000000

Page 30

Agenda

• What’s new
• Services that help security monitoring
• What to look out for
• Building upon each other
• This just in…

Page 31

AWS CloudTrail

CloudTrail can help you achieve many tasks

Security analysis: track changes to AWS resources, for example VPC security groups and NACLs

Compliance: log and understand AWS API call history. Prove that you did not:
• Use the wrong region
• Use services you don’t want

Troubleshoot operational issues: quickly identify the most recent changes to your environment

Page 32

AWS CloudTrail logs can be delivered cross-account

Accounts can send their trails to a central account

Central account can then do analytics

Central account can:
‣ Redistribute the trails
‣ Grant access to the trails
‣ Filter and reformat trails (to meet privacy requirements)

Page 33

Where is the evidence?

Many compliance audits require access to the state of your systems at arbitrary times (e.g. PCI, HIPAA)

A complete inventory of all resources and their configuration attributes at AWS API level is available for any point in time since AWS Config recording was enabled

Page 34

AWS Config Resources

A resource is an AWS object you can create, update or delete on AWS

Examples include Amazon EC2 instances, Security Groups, Network ACLs, VPCs and subnets

• Amazon EC2: Instance, ENI, ...
• Amazon EBS: Volumes
• AWS CloudTrail: Trail (log)
• Amazon VPC: VPC, Subnet, ...

Page 35

AWS Config Resources (continued)

Resource Type | Resource Elements
Amazon EC2 | EC2 Instance, EC2 Elastic IP (VPC only), EC2 Security Group, EC2 Network Interface
Amazon EBS | EBS Volume
Amazon VPC | VPC, Network ACL, Route Table, Subnet, VPN Connection, Internet Gateway, Customer Gateway, VPN Gateway
AWS CloudTrail | Trail

Page 36

Relationships

Bi-directional map of dependencies automatically assigned

A change to a resource propagates to create Configuration Items for related resources

Example: Security Group sg-10dk8ej and EC2 instance i-123a3d9 are “associated with” each other

Page 37

Relationships

Resource | Relationship | Related Resource
CustomerGateway | is attached to | VPN Connection
Elastic IP (EIP) | is attached to | Network Interface
Elastic IP (EIP) | is attached to | Instance
Instance | contains | Network Interface
Instance | is attached to | Elastic IP (EIP)
Instance | is contained in | Route Table
Instance | is associated with | Security Group
Instance | is contained in | Subnet
Instance | is attached to | Volume
Instance | is contained in | Virtual Private Cloud (VPC)
InternetGateway | is attached to | Virtual Private Cloud (VPC)
… | … | …

Page 38

AWS Config Configuration Items

Component | Description | Contains
Metadata | Information about this configuration item | Version ID, configuration item ID, time when the configuration item was captured, state ID indicating the ordering of the configuration items of a resource, MD5 hash, etc.
Common Attributes | Resource attributes | Resource ID, tags, resource type, Amazon Resource Name (ARN), Availability Zone, etc.
Relationships | How the resource is related to other resources associated with the account | e.g. EBS volume vol-1234567 is attached to EC2 instance i-a1b2c3d4
Current Configuration | Information returned through a call to the Describe or List API of the resource | e.g. for an EBS volume: state of the DeleteOnTermination flag; type of volume (gp2, io1, or standard)
Related Events | The AWS CloudTrail events that are related to the current configuration of the resource | AWS CloudTrail event ID

Page 39

AWS Config Rules

Essentially, “Lambda Integration for Config”

Apply detailed checks to the state of your configuration at the point when it changes

Raise alerts if anything is outside compliance with your defined policy
‣ e.g. if there are unencrypted non-root EBS volumes
‣ …or e.g. if any taggable resources aren’t tagged appropriately

We have a library of pre-built rules, or build your own

See also re:Invent (SEC308) “Wrangling Security Events in the Cloud” (https://www.youtube.com/watch?v=uc1Q0XCcCv4)

Feature is available right now
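A custom rule of the kind this slide describes, covering both checks the deck names: the unencrypted non-root EBS volume example here and the tenancy enforcement example from pages 22-24. Added example, not from the deck and not one of the AWS managed rules: the evaluation logic is kept pure so it can be run offline against constructed configuration items, and only the Lambda entry point calls PutEvaluations. The root-device name list, the rule parameter name, the sample items and the helper names are assumptions.

```python
import json
from typing import Any, Callable, Dict, Tuple

COMPLIANT, NON_COMPLIANT, NOT_APPLICABLE = "COMPLIANT", "NON_COMPLIANT", "NOT_APPLICABLE"
Verdict = Tuple[str, str]  # (ComplianceType, Annotation)

# Assumed for the example: device names treated as the root volume. A production rule
# should compare against the owning instance's rootDeviceName rather than guess.
ROOT_DEVICES = {"/dev/sda1", "/dev/xvda"}


def evaluate_tenancy(ci: Dict[str, Any], params: Dict[str, str]) -> Verdict:
    """Tenancy enforcement: the instance must run with the tenancy the rule parameter names."""
    required = params.get("requiredTenancy", "dedicated")
    tenancy = ci.get("configuration", {}).get("placement", {}).get("tenancy", "default")
    if tenancy == required:
        return COMPLIANT, f"tenancy is {tenancy}"
    return NON_COMPLIANT, f"tenancy is {tenancy}, rule requires {required}"


def evaluate_volume_encryption(ci: Dict[str, Any], params: Dict[str, str]) -> Verdict:
    """Unencrypted non-root EBS volumes are non-compliant; root volumes are skipped."""
    cfg = ci.get("configuration", {})
    if any(a.get("device") in ROOT_DEVICES for a in cfg.get("attachments", [])):
        return NOT_APPLICABLE, "root volume, not checked by this rule"
    if cfg.get("encrypted") is True:
        return COMPLIANT, "volume is encrypted"
    return NON_COMPLIANT, "non-root volume is not encrypted"


EVALUATORS: Dict[str, Callable[[Dict[str, Any], Dict[str, str]], Verdict]] = {
    "AWS::EC2::Instance": evaluate_tenancy,
    "AWS::EC2::Volume": evaluate_volume_encryption,
}


def evaluate(ci: Dict[str, Any], params: Dict[str, str]) -> Verdict:
    # Config also invokes the rule for deleted resources; there is nothing left to judge.
    if ci.get("configurationItemStatus") in ("ResourceDeleted", "ResourceDeletedNotRecorded"):
        return NOT_APPLICABLE, "resource was deleted"
    evaluator = EVALUATORS.get(ci.get("resourceType", ""))
    if evaluator is None:
        return NOT_APPLICABLE, f"no check defined for {ci.get('resourceType')}"
    return evaluator(ci, params)


def build_evaluation(event: Dict[str, Any]) -> Dict[str, Any]:
    """Turn the rule invocation event into the entry PutEvaluations expects (pure, no AWS calls)."""
    ci = json.loads(event["invokingEvent"])["configurationItem"]
    params = json.loads(event.get("ruleParameters") or "{}")
    compliance, annotation = evaluate(ci, params)
    return {
        "ComplianceResourceType": ci["resourceType"],
        "ComplianceResourceId": ci["resourceId"],
        "ComplianceType": compliance,
        "Annotation": annotation[:256],  # Config rejects annotations over 256 characters
        "OrderingTimestamp": ci["configurationItemCaptureTime"],
    }


def lambda_handler(event: Dict[str, Any], context: Any) -> Dict[str, Any]:
    """Lambda entry point: evaluate, then report the result back to AWS Config."""
    evaluation = build_evaluation(event)
    import boto3  # available inside Lambda; imported here so the module loads offline
    boto3.client("config").put_evaluations(Evaluations=[evaluation], ResultToken=event["resultToken"])
    return evaluation


def make_event(ci: Dict[str, Any], rule_parameters: Dict[str, str]) -> Dict[str, Any]:
    """Constructed invocation event in the shape Config Rules delivers to Lambda."""
    return {
        "invokingEvent": json.dumps({"configurationItem": ci,
                                     "messageType": "ConfigurationItemChangeNotification"}),
        "ruleParameters": json.dumps(rule_parameters),
        "resultToken": "constructed-token",
        "eventLeftScope": False,
    }


def sample_item(resource_type: str, resource_id: str, configuration: Dict[str, Any],
                status: str = "OK") -> Dict[str, Any]:
    """Constructed configuration item with just the fields the evaluators read."""
    return {
        "resourceType": resource_type,
        "resourceId": resource_id,
        "configurationItemStatus": status,
        "configurationItemCaptureTime": "2015-10-07T21:15:00.000Z",
        "configuration": configuration,
    }
```

Because the rule runs on every configuration change, it sees the new volume or instance within minutes of creation; pair the NON_COMPLIANT result with an SNS topic or a remediation Lambda to get the "trigger additional workflow" step from page 20.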

Page 40

Monitoring: Get consistent visibility of logs

Full visibility of your AWS environment

CloudTrail records API calls and saves the logs in your S3 buckets, no matter how those API calls were made: who did what, when, and from where (IP address)

CloudTrail supports many AWS services, and the list is growing; it includes EC2, EBS, VPC, RDS, IAM and Redshift

Easily aggregate all instance log information: the CloudWatch Logs agent tails log files on EC2 instances and sends them to CloudWatch Logs (from where they can be exported or archived to S3)

Also enables alerting with SNS on “strings of interest”, just like regular CloudWatch

CloudWatch Logs is used as the delivery mechanism for Flow Logging

Out of the box integration with log analysis tools from AWS partners including Splunk, Alert Logic and Sumo Logic

Page 41

Examples

Elasticsearch, Kibana and CloudWatch Logs integration
• Push CloudTrail to CloudWatch Logs: http://docs.aws.amazon.com/awscloudtrail/latest/userguide/send-cloudtrail-events-to-cloudwatch-logs.html
• Push CloudWatch Logs to Elasticsearch: http://docs.aws.amazon.com/AmazonCloudWatch/latest/DeveloperGuide/CWL_ES_Stream.html
• Put a Kibana front-end on it: https://aws.amazon.com/blogs/aws/cloudwatch-logs-subscription-consumer-elasticsearch-kibana-dashboards/

Page 42

Agenda

• What’s new
• Services that help security monitoring
• What to look out for
• Building upon each other
• This just in…

Page 43

Or should that be…

Page 44

Amazon Inspector

• What is Inspector?
• Vulnerability assessment service
• Built from the ground up to support the DevOps model
• Automatable via APIs
• AWS context aware
• Integrated with CI/CD tools
• CVE & CIS rules packages

Page 45

Amazon Inspector

Why? Securing infrastructure is often expensive and hard to do effectively.

• Inspector is automated, repeatable, and designed to reduce cost.

• Use AWS security knowledge to strengthen customer servers, services, and infrastructure.

• Delivers actionable findings that are carefully explained and help with their resolution.

Page 46

Amazon Inspector

Rule packages
• CVE (Common Vulnerabilities and Exposures): 1000+ rules evaluated
• CIS (Center for Internet Security) Benchmarks: OS hardening
• Vulnerability, patch, inventory and compliance checks
• AWS security best practices
• Application security learnings

Page 47

Amazon Inspector

How?
1. Install the Inspector agent as a service on your Amazon EC2 instances.
2. Tag the instances with application-specific information.
3. Configure the Inspector application and assessment.
4. Start Inspector.
5. Exercise and test your service.
6. Stop Inspector or wait for the configurable timeout.
7. Look at findings and fix as appropriate.

More: https://aws.amazon.com/inspector/

Page 48

Logs → metrics → alerts → actions

Sources:
• AWS CloudTrail (API calls from most services)
• Amazon EC2 OS logs
• Amazon VPC Flow Logs
• AWS Config
• Monitoring data from AWS services
• Custom metrics

→ CloudWatch / CloudWatch Logs

→ CloudWatch alarms

→ Amazon SNS: email notification, HTTP/S notification, SMS notifications, mobile push notifications

Page 49

Thank you!