Transcript
Page 1: Getting Started with Amazon Inspector - AWS June 2016 Webinar Series

© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

Eric Fitzgerald

June 27, 2016

Amazon Inspector: Security Insight for your Application Deployments in AWS

Page 2:

What to expect from this session
• Why did we build Amazon Inspector?
• What is Amazon Inspector?
• How does it work?
• How much does it cost?
• What does it help protect against?
• How does it help me with remediation?
• What regions are supported?
• What's next for Amazon Inspector?

Page 3:

DevOps & Cloud
• Better alignment with customer needs
• Increased ownership by developers
• Continuous feedback & bug discovery
• Configuration & infrastructure is part of the code
• More frequent code rollouts
• Automation
• Better focus on operational excellence
• Cloud provides infrastructure as code
• Improved availability
• Cost optimization

Page 4:

Traditional Security Processes

[Diagram: swim-lane flow between Asset Owner, AppSec Team and Pen Test Team, each lane with its own Work Backlog. Steps shown: Queue Ticket for Security Review Request, Scan for Vulnerabilities, Report Issues, Remediate, Identify Security Issues, Engage Pen Test/Red Team, Report Issues.]

Page 5:

It's not about DevOps + Security. There are not enough security professionals on the planet to do this.

Security teams need their own automation to keep up with automated deployments!
• Security as code
• Seamless integration with CI/CD pipelines
• Ability to scan and run test suites in parallel
• Ability to automate remediation
• Consumable by APN technology partners as microservices

www.devsecops.org

Page 6:

Continuous Integration / Continuous Deployment

Page 7:

Amazon Inspector
• Vulnerability assessment service
• Built from the ground up to support DevSecOps
• Automatable via APIs
• Integrates with CI/CD tools
• On-demand pricing model
• Static & dynamic rules packages
• Generates findings

Page 8:

“[With] any large network, I will tell you that persistence and focus will get you in, we’ll achieve that exploitation without the zero days,” he says. “There’s so many more vectors that are easier, less risky and quite often more productive than going down that route.” This includes, of course, known vulnerabilities for which a patch is available but the owner hasn’t installed it.

- Rob Joyce NSA TAO @ Enigma 2016

The Value of Vulnerability Assessments

Page 9:

Agents
• Simple deployment
• Low impact
• Full access
• Unique insight

Page 10:

Installing the Agents

Try pasting this in EC2 user-data. Any of the usual provisioning paths will do: Chef, SaltStack, Puppet, Ansible, AWS CodeDeploy, EC2 user-data, EC2 RunCommand, cfn-init, OpsWorks, CloudInit.

Linux (bash):

#!/bin/bash
# Fetch the agent installer and run it. -O pins the download location so the
# chmod and exec below work regardless of the working directory user-data runs in
# (the path assumes an AMI whose default user is ec2-user).
wget -O /home/ec2-user/install https://s3-us-west-2.amazonaws.com/inspector.agent.us-west-2/latest/install
chmod a+x /home/ec2-user/install
/home/ec2-user/install

Windows (PowerShell):

$url = "https://s3-us-west-2.amazonaws.com/aws-agent-updates-test/windows/product/AWSAgentInstall.exe"
# Use an absolute path: WebClient resolves relative paths against the process
# working directory, which is not necessarily the PowerShell location.
$dst = Join-Path $env:TEMP "AWSInstall.exe"
$wc = New-Object System.Net.WebClient
$wc.DownloadFile($url, $dst)
& $dst /quiet

Page 11:

Supported Agent Operating Systems
• Red Hat Enterprise Linux (6.5 or later)
• CentOS (6.5 or later)
• Ubuntu (12.04 LTS, 14.04 LTS or later)
• Amazon Linux (2015.03 or later)
• Microsoft Windows (2012 R2, 2008 R2) - Preview

Linux Kernel Support: We get kernels at the same time you get them. It currently takes us 1-2 weeks for build, test & validation; we're aiming for 1 day.

New Distributions: Takes a long time.

Page 12:
Page 13:
Page 14:

Assessments

Page 15:
Page 16:

Pricing

Free Trial: 250 agent-assessments for the first 90 days of using the service.

Based on Agent-Assessments:
• 1 assessment with 10 agents = 10 agent-assessments
• 5 assessments with 2 agents = 10 agent-assessments
• 10 assessments with 1 agent = 10 agent-assessments
• 10 agent-assessments = $3.00

Price per agent-assessment:
First 250 agent-assessments:     $0.30
Next 750 agent-assessments:      $0.25
Next 4,000 agent-assessments:    $0.15
Next 45,000 agent-assessments:   $0.10
All other agent-assessments:     $0.05

Page 17:

Web Scale

[Diagram: many identical Service Stacks fronted by an NLB.]

Page 18:

CVE - Common Vulnerabilities & Exposures

Tagged list of publicly known info security issues.

Vulnerabilities: a mistake in software that can be used to gain unauthorized system access
• Execute commands as another user
• Pose as another entity
• Conduct a denial of service

Exposures: a mistake in software that allows access to information that can lead to unauthorized system access
• Allows an attacker to hide activities
• Enables information gathering activities

Page 19:

CIS Security Configuration Benchmarks

What are they?
• Security configuration guide
• Consensus-based development process
• PDF versions are free via the CIS website

Inspector automates scanning instances against the latest benchmark for that OS.

Page 20:

What’s inside a Benchmark?

What you should do…

Why you should do it…

How to do it…

How to know if you did it…

This is what Inspector does for you now

(more in future)

Page 21:

Amazon Inspector

Rule Packages
• Common Vulnerabilities & Exposures
• CIS Secure Configuration Benchmarks
• Security Best Practices
• Runtime Behavior Analysis

Page 22:

Rules Package Support

Operating System        | CVE | CIS | Best Practices | Runtime Behavior
Amazon Linux 2015.03+   | ✅  | ✅  | ✅             | ✅
Ubuntu 14.04 LTS+       | ✅  | ✅  | ✅             | ?
CentOS 6.5+             | ✅  | ✅  | ✅             | ?
RHEL 6.5+               | ✅  | ✅  | ✅             | ?
Windows Server 2008 R2+ | ✅  | ✅  | ⭕️             | ?

(The extracted slide carries only three marks for the Ubuntu, CentOS, RHEL and Windows rows; which column the missing mark belongs to cannot be recovered, so it is shown as "?".)

Page 23:

Security Best Practices

Categories: Authentication, Network Security, Operating System, Application Security

Example rules:
• Disable root login over SSH
• Password complexity
• Permissions for system directories
• Secure protocols
• Data execution prevention enabled

Page 24:

Runtime Behavior Analysis

This package analyzes machine behavior during an assessment:
• Unused listening ports
• Insecure client protocols
• Root processes with insecure permissions
• Insecure server protocols

Its results also affect the severity of static findings.
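To make concrete what a Security Best Practices rule ("Disable root login over SSH") and a Runtime Behavior Analysis rule ("Unused listening ports") actually have to get right on the host, here is an added example, written for this page rather than taken from the Inspector agent (whose code is not public). It assumes OpenSSH's parsing rules for sshd_config (case-insensitive keywords, first value wins, Match blocks end the global section, and a version-dependent default when the directive is absent) and the /proc/net/tcp layout; the sample config and socket table are constructed, not captured from a real instance.

```python
"""Host-side checks in the spirit of two Inspector rules (illustrative, not Inspector's code)."""
import re

# --- "Disable root login over SSH" -----------------------------------------
# OpenSSH semantics (assumed from the sshd_config man page): keywords are
# case-insensitive, the FIRST value for a keyword wins, '#' starts a comment,
# and everything after a 'Match' header is conditional, so it must not be
# read as the global value. If the directive is absent the default is 'yes'
# before OpenSSH 7.0 and 'prohibit-password' from 7.0 on; the caller passes
# the installed major version.
def permit_root_login(sshd_config: str, openssh_major: int = 7) -> str:
    """Return the effective global PermitRootLogin value, lower-cased."""
    for raw in sshd_config.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":
            break  # global section ends here
        if key == "permitrootlogin" and len(parts) == 2:
            return parts[1].strip().strip('"').lower()
    return "yes" if openssh_major < 7 else "prohibit-password"

def root_login_finding(sshd_config: str, openssh_major: int = 7):
    """None when compliant; otherwise a finding dict with a remediation hint."""
    value = permit_root_login(sshd_config, openssh_major)
    if value == "no":
        return None
    # 'prohibit-password' / 'without-password' still let root in with a key,
    # so a benchmark that wants root SSH off entirely flags it, at lower severity.
    return {
        "rule": "Disable root login over SSH",
        "severity": "High" if value == "yes" else "Medium",
        "observed": value,
        "recommendation": "Set 'PermitRootLogin no' in sshd_config and reload sshd.",
    }

# --- "Unused listening ports" ----------------------------------------------
# /proc/net/tcp rows carry 'local_address' as HEXIP:HEXPORT (IPv4 stored
# little-endian) and 'st' as a hex socket state; 0A is LISTEN.
def listening_ports(proc_net_tcp: str):
    """Return sorted (ip, port) tuples for every IPv4 socket in LISTEN state."""
    out = set()
    for line in proc_net_tcp.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 4 or fields[3] != "0A":
            continue
        hex_ip, hex_port = fields[1].split(":")
        octets = [int(hex_ip[i:i + 2], 16) for i in (6, 4, 2, 0)]  # 0100007F -> 127.0.0.1
        out.add((".".join(map(str, octets)), int(hex_port, 16)))
    return sorted(out)

def unexpected_listeners(proc_net_tcp: str, expected_ports):
    """Listeners on non-loopback addresses whose port is not in the allow-list."""
    return [(ip, port) for ip, port in listening_ports(proc_net_tcp)
            if not ip.startswith("127.") and port not in expected_ports]

# Constructed sample inputs (not from a real host).
SAMPLE_SSHD_CONFIG = """\
# /etc/ssh/sshd_config
Port 22
permitrootlogin yes   # first value wins, later 'no' is ignored by sshd
PermitRootLogin no
Match User deploy
    PermitRootLogin no
"""

SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0CEA 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12346 1 0000000000000000 100 0 0 10 0
   2: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000   500        0 12347 1 0000000000000000 100 0 0 10 0
   3: 0100007F:0016 0A00020F:C3A1 01 00000000:00000000 00:00000000 00000000     0        0 12348 1 0000000000000000 100 0 0 10 0
"""

if __name__ == "__main__":
    print(root_login_finding(SAMPLE_SSHD_CONFIG))
    print(unexpected_listeners(SAMPLE_PROC_NET_TCP, expected_ports={22}))
```

The sshd sample is the classic false negative: a naive `grep PermitRootLogin` sees the trailing `no` and passes the host, while sshd honours the first `yes`. The socket sample has sshd on 22, MySQL bound to loopback (ignored), an unexplained 8080 on all interfaces (flagged), and an established connection on port 22 that is correctly not counted as a listener.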

Page 25:

Automating Remediation

Findings are JSON formatted and taggable, and carry:
• Name of assessment target & template
• Start time, end time, status
• Name of rule packages
• Name & severity of the finding
• Description & remediation steps

Lambda-fy your incident response:
• Integrate with Jira-like services
• Integrate with PagerDuty-like services
• Integrate with EC2 SSM
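An added example of the "Lambda-fy" step, written for this page and not part of the webinar: a handler that takes the SNS notification Inspector sends when a finding is reported, fetches the finding, turns it into a ticket payload routed by severity, and tags the finding so a second assessment run does not open a duplicate ticket. The SNS message fields (`event`, `finding`), the finding fields (`arn`, `severity`, `title`, `description`, `recommendation`, `assetAttributes.agentId`, `attributes`, `userAttributes`) and the two calls `describe_findings` / `add_attributes_to_findings` follow the Inspector classic API as the author understands it; the ticket layout, the severity-to-priority map, the `TICKET` attribute key and the in-memory `FakeInspector` client are assumptions made for the example.

```python
"""Inspector finding -> ticket triage for a Lambda behind an SNS topic (illustrative)."""
import json

SEVERITY_TO_PRIORITY = {"High": "P1", "Medium": "P2", "Low": "P3"}  # Informational: no ticket
TICKET_ATTR = "TICKET"  # assumed user-attribute key used as the dedupe marker

def finding_arn_from_sns(event):
    """Return the finding ARN from a Lambda SNS event, or None if it is not a FINDING_REPORTED message."""
    for rec in event.get("Records", []):
        msg = json.loads(rec["Sns"]["Message"])
        if msg.get("event") == "FINDING_REPORTED" and "finding" in msg:
            return msg["finding"]
    return None

def ticket_from_finding(finding):
    """Map one finding to a ticket payload; None for severities nobody should be paged on."""
    priority = SEVERITY_TO_PRIORITY.get(finding.get("severity"))
    if priority is None:
        return None
    attrs = {a["key"]: a["value"] for a in finding.get("attributes", [])}
    instance = finding.get("assetAttributes", {}).get("agentId", "unknown")
    return {
        "priority": priority,
        "title": f"[Inspector][{finding['severity']}] {finding['title']} on {instance}",
        "dedupe_key": f"{instance}:{finding['title']}",  # one ticket per rule per instance
        "description": finding.get("description", ""),
        "remediation": finding.get("recommendation", ""),
        "finding_arn": finding["arn"],
        "attributes": attrs,
    }

def handler(event, context=None, inspector=None):
    """Lambda entry point. `inspector` is injected by tests; real runs build a boto3 client."""
    arn = finding_arn_from_sns(event)
    if arn is None:
        return {"status": "ignored"}
    if inspector is None:
        import boto3  # deferred so the module imports without AWS credentials
        inspector = boto3.client("inspector")
    finding = inspector.describe_findings(findingArns=[arn])["findings"][0]
    if any(a["key"] == TICKET_ATTR for a in finding.get("userAttributes", [])):
        return {"status": "already_ticketed", "finding_arn": arn}
    ticket = ticket_from_finding(finding)
    if ticket is None:
        return {"status": "skipped", "severity": finding.get("severity")}
    # This is where the ticket would be POSTed to a Jira- or PagerDuty-like API.
    inspector.add_attributes_to_findings(
        findingArns=[arn],
        attributes=[{"key": TICKET_ATTR, "value": ticket["dedupe_key"]}])
    return {"status": "ticketed", "ticket": ticket}

# Constructed sample data (not a real finding or account).
SAMPLE_FINDING = {
    "arn": "arn:aws:inspector:us-west-2:123456789012:target/0-example/template/0-example/run/0-example/finding/0-example",
    "severity": "High",
    "title": "Instance is configured to allow users to log in with root credentials over SSH",
    "description": "PermitRootLogin is not set to no in /etc/ssh/sshd_config.",
    "recommendation": "Set PermitRootLogin to no in /etc/ssh/sshd_config and restart sshd.",
    "assetAttributes": {"agentId": "i-0123456789abcdef0"},
    "attributes": [{"key": "EXAMPLE_KEY", "value": "example"}],  # constructed attribute
    "userAttributes": [],
}

SAMPLE_SNS_EVENT = {"Records": [{"Sns": {"Message": json.dumps({
    "event": "FINDING_REPORTED",
    "finding": SAMPLE_FINDING["arn"],
    "target": "arn:aws:inspector:us-west-2:123456789012:target/0-example",
})}}]}

class FakeInspector:
    """In-memory stand-in for boto3's Inspector client, seeded with the sample finding."""
    def __init__(self):
        self.findings = {SAMPLE_FINDING["arn"]: json.loads(json.dumps(SAMPLE_FINDING))}
    def describe_findings(self, findingArns):
        return {"findings": [self.findings[a] for a in findingArns], "failedItems": {}}
    def add_attributes_to_findings(self, findingArns, attributes):
        for a in findingArns:
            self.findings[a].setdefault("userAttributes", []).extend(attributes)
        return {"failedItems": {}}

if __name__ == "__main__":
    fake = FakeInspector()
    print(handler(SAMPLE_SNS_EVENT, inspector=fake)["status"])  # ticketed
    print(handler(SAMPLE_SNS_EVENT, inspector=fake)["status"])  # already_ticketed
```

The tag written back with `add_attributes_to_findings` is what makes the flow safe to run on every assessment: the same rule firing on the same instance next week is recognised and the existing ticket is left alone instead of paging again.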

Page 26:

Launch Partners

Page 27:

Regions Supported

GA: US West (Oregon), US East (Virginia), EU (Ireland), Asia Pacific (Tokyo)
July 2016: Asia Pacific (Sydney), Asia Pacific (Seoul)
Fall 2016: Asia Pacific (India), Europe (London), Europe (Frankfurt)

Page 28:
Page 29:

What's Next for Inspector
• Reporting
• Threat Modelling
• More Rules Packages (industry-specific, applications)
• Add/Edit Rules Packages

Page 30:

Remember to complete your evaluations!

Page 31:

Thank you!