Transparency and Control with AWS CloudTrail and AWS Config


Upload: amazon-web-services

Post on 14-Aug-2015


TRANSCRIPT

Page 1: Transparency and Control with AWS CloudTrail and AWS Config

AWS Government, Education, and Nonprofit Symposium Washington, DC I June 25-26, 2015


Transparency and Control with AWS CloudTrail and AWS Config

©2015, Amazon Web Services, Inc. or its affiliates. All rights reserved.

Page 2: Transparency and Control with AWS CloudTrail and AWS Config

Amazon Web Services (AWS) service map (slide diagram, labels only)

Tiers: Your Applications; Deployment & Management; Application Services; Foundation Services; AWS Infrastructure

Compute: Amazon EC2, AWS Lambda

Storage & Content Delivery: Amazon S3, AWS Storage Gateway, Amazon EBS, Amazon Glacier, Amazon CloudFront

Database: Amazon RDS, Amazon DynamoDB, Amazon ElastiCache, Amazon Redshift

Networking: Amazon VPC, AWS Direct Connect, Amazon Route 53

Administration & Security: AWS Directory Service, AWS Config, AWS Identity and Access Management, AWS Trusted Advisor, AWS CloudTrail, Amazon CloudWatch, AWS CloudHSM

Deployment & Management: AWS Elastic Beanstalk, AWS OpsWorks, AWS CloudFormation, AWS CodeDeploy

Analytics: Amazon EMR, Amazon Kinesis, AWS Data Pipeline

Application Services: Amazon SQS, Amazon SWF, Amazon AppStream, Amazon Elastic Transcoder, Amazon SES, Amazon CloudSearch

Mobile Services: Amazon Mobile Analytics, Amazon Cognito, Amazon SNS

Enterprise Applications: Amazon WorkDocs, Amazon WorkSpaces, Amazon WorkMail

Page 3: Transparency and Control with AWS CloudTrail and AWS Config

Agenda

• Talk about AWS [‘CloudTrail’, ‘Config’]
• Ponder AWS [‘CloudTrail’, ‘Config’]
• Contemplate AWS [‘CloudTrail’, ‘Config’]
  – Log diving
• Correlation between [‘CloudTrail’, ‘Config’]
• Cross-account, role-based access

Page 4: Transparency and Control with AWS CloudTrail and AWS Config

TL;DR – These are “complementary services”

AWS CloudTrail (an entity did something)
• Record of API requests and response elements
  – who did what and when, from where

AWS Config (resource changes and status)
• AWS account configuration
  – Configuration item history
  – Configuration item stream
  – Configuration item snapshots
• Optionally, a notification whenever a resource is created, modified, or deleted, with the resulting configuration

Page 5: Transparency and Control with AWS CloudTrail and AWS Config


AWS CloudTrail is a web service that records AWS API calls for your account and delivers log files to you.

AWS CloudTrail

The recorded information includes:

• The identity of the API caller

• The time of the API call

• The source IP address of the API caller

• The request parameters

• The response elements returned by the AWS service

Page 6: Transparency and Control with AWS CloudTrail and AWS Config

Increase your visibility of what happened in your AWS environment – who did what and when, from where

• CloudTrail will record access to API calls and save logs in your Amazon S3 bucket, no matter how those API calls were made
• Who did what and when and from what IP address
• Receive notification of log file delivery using the Amazon Simple Notification Service (Amazon SNS)
• Rapid integration of AWS services since launch with more supported services coming soon
• Aggregate log information into a single S3 bucket
• AWS Partner integration with log analysis tools from AlertLogic, Boundary, CloudCheckr, DataDog, Graylog2, LogEntries, Splunk, and SumoLogic.

Use AWS CloudTrail to track access to APIs and IAM

Page 7: Transparency and Control with AWS CloudTrail and AWS Config

AWS CloudTrail logs can be used for many powerful use cases

CloudTrail can help you achieve many tasks
• Security analysis
  – Track changes to AWS resources, e.g., VPC security groups and NACLs
• Compliance
  – Understand AWS API call history
• Troubleshoot operational issues
  – Quickly identify the most recent changes to your environment
• AWS CloudTrail console API activity history search
  – Look up API activity captured for your AWS account in the last 7 days
  – Filter with an attribute and time range

Page 8: Transparency and Control with AWS CloudTrail and AWS Config


Amazon CloudWatch Logs can monitor your system, application, and custom log files from Amazon EC2 instances and other sources, for example:

• Monitor your web server HTTP log files and use CloudWatch metrics filters to identify 404 errors and count the number of occurrences within a specified time period

• Use CloudWatch alarms to notify you when the number of 404 errors breaches whatever threshold you decide to set – you could use this to automatically generate a ticket for investigation

Now monitor everything with Amazon CloudWatch logs
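Added example, not part of the deck: the 404 metric filter and alarm described on this slide, written in Python over a constructed sample of Apache-style access log lines so the logic can be run offline. The log lines, the threshold (3 errors in a trailing 5-minute window) and the window length are assumptions; in CloudWatch Logs the same match would be a space-delimited filter pattern on the status field feeding a metric, with an alarm on that metric.

```python
import re
from collections import deque
from datetime import datetime, timedelta

# Constructed sample access log (hypothetical hosts and paths, RFC 5737 addresses).
SAMPLE_LOG = """\
198.51.100.23 - - [26/Jun/2015:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 5120
198.51.100.23 - - [26/Jun/2015:10:00:03 +0000] "GET /old-page HTTP/1.1" 404 210
198.51.100.23 - - [26/Jun/2015:10:00:04 +0000] "GET /missing.css HTTP/1.1" 404 210
203.0.113.9 - - [26/Jun/2015:10:00:30 +0000] "GET /about.html HTTP/1.1" 200 3000
198.51.100.23 - - [26/Jun/2015:10:00:45 +0000] "GET /docs/v1 HTTP/1.1" 404 210
198.51.100.23 - - [26/Jun/2015:10:07:00 +0000] "GET /images/logo.png HTTP/1.1" 404 210
"""

# One regex field per space-delimited log field; bracketed and quoted text count as
# one field, which is also how a CloudWatch Logs filter pattern would see them.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)$'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return a dict for a well-formed line, or None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "time": datetime.strptime(m["ts"], TS_FORMAT),
        "request": m["request"],
        "status": int(m["status"]),
    }


def count_matches(lines, status=404):
    """Metric filter: how many events carry the given status code.
    This is the value a CloudWatch metric would be incremented by for the batch."""
    total = 0
    for line in lines:
        event = parse_line(line)
        if event is not None and event["status"] == status:
            total += 1
    return total


def alarm_breaches(lines, status=404, threshold=3, period=timedelta(minutes=5)):
    """Alarm: timestamps at which the number of `status` events seen in the
    trailing `period` reached `threshold` (sliding window over sorted events)."""
    events = sorted(
        (e for e in map(parse_line, lines) if e is not None and e["status"] == status),
        key=lambda e: e["time"],
    )
    window = deque()
    breaches = []
    for event in events:
        window.append(event["time"])
        # Drop events that fell out of the trailing window.
        while window and event["time"] - window[0] > period:
            window.popleft()
        if len(window) >= threshold:
            breaches.append(event["time"])
    return breaches


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("404 count:", count_matches(lines))
    for when in alarm_breaches(lines):
        print("alarm at", when.isoformat())
```

The sample contains four 404s; three of them fall within 10:00:03–10:00:45, so the alarm condition is reached once, at 10:00:45. The fourth 404 at 10:07:00 is more than five minutes after the earlier ones and does not re-trigger it, which is the behaviour a period-based CloudWatch alarm would show as well.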

Page 9: Transparency and Control with AWS CloudTrail and AWS Config


AWS Config is a fully managed service that provides an inventory of your AWS resources, lets you audit the resource configuration history, and notifies you of resource configuration changes

AWS Config

Page 10: Transparency and Control with AWS CloudTrail and AWS Config

Continuous Change Recording (slide diagram, labels only): Changing Resources → AWS Config → History, Stream, Snapshot (ex. 2015-06-26)

Page 11: Transparency and Control with AWS CloudTrail and AWS Config


Relationships

• Bi-directional map of dependencies automatically assigned

• Change to a resource propagates to create configuration items for related resources

Example: Security Group sg-10dk8ej and EC2 instance i-123a3d9 are “associated with” each other

Page 12: Transparency and Control with AWS CloudTrail and AWS Config

Relationships

Resource            Relationship         Related Resource
CustomerGateway     is attached to       VPN Connection
Elastic IP (EIP)    is attached to       Network Interface
Elastic IP (EIP)    is attached to       Instance
Instance            contains             Network Interface
Instance            is attached to       Elastic IP (EIP)
Instance            is contained in      Route Table
Instance            is associated with   Security Group
Instance            is contained in      Subnet
Instance            is attached to       Volume
Instance            is contained in      Virtual Private Cloud (VPC)
InternetGateway     is attached to       Virtual Private Cloud (VPC)
…                   …                    …

Page 13: Transparency and Control with AWS CloudTrail and AWS Config


Configuration item

All configuration attributes for a given resource at a given point in time, captured on every configuration change

Page 14: Transparency and Control with AWS CloudTrail and AWS Config

Configuration item

Component: Metadata
  Description: Information about this configuration item
  Contains: Version ID, configuration item ID, time when the configuration item was captured, state ID indicating the ordering of the configuration items of a resource, MD5 hash, etc.

Component: Common Attributes
  Description: Resource attributes
  Contains: Resource ID, tags, resource type, Amazon Resource Name (ARN), Availability Zone, etc.

Component: Relationships
  Description: How the resource is related to other resources associated with the account
  Contains: e.g., EBS volume vol-1234567 is attached to EC2 instance i-a1b2c3d4

Component: Current Configuration
  Description: Information returned through a call to the Describe or List API of the resource
  Contains: e.g., for an EBS volume, the state of the DeleteOnTermination flag and the type of volume (gp2, io1, or standard)

Component: Related Events
  Description: The AWS CloudTrail events that are related to the current configuration of the resource
  Contains: AWS CloudTrail event ID
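Added example, not part of the deck: it works through the Relationships slides (the bi-directional dependency map, and a change to one resource producing configuration items for its related resources) and the configuration item components listed above. A constructed snapshot-shaped document is embedded inline; sg-10dk8ej, i-123a3d9 and vol-1234567 are the IDs used on the slides, while vpc-0example, the timestamps and the relationship wording are assumptions. The VPC item deliberately omits its reverse edge so the consistency check has something to report.

```python
import json
from collections import defaultdict

# Constructed sample shaped like the "configurationItems" array of an AWS Config
# snapshot. Only the fields this example reads are populated.
SAMPLE_SNAPSHOT = json.dumps({
    "fileVersion": "1.0",
    "configurationItems": [
        {"resourceType": "AWS::EC2::SecurityGroup", "resourceId": "sg-10dk8ej",
         "configurationItemCaptureTime": "2015-06-19T16:44:57.073Z",
         "configurationItemStatus": "OK", "relatedEvents": [],
         "relationships": [
             {"resourceType": "AWS::EC2::Instance", "resourceId": "i-123a3d9",
              "name": "Is associated with Instance"},
             {"resourceType": "AWS::EC2::VPC", "resourceId": "vpc-0example",
              "name": "Is contained in Vpc"}]},
        {"resourceType": "AWS::EC2::Instance", "resourceId": "i-123a3d9",
         "configurationItemCaptureTime": "2015-06-19T16:44:57.073Z",
         "configurationItemStatus": "OK", "relatedEvents": [],
         "relationships": [
             {"resourceType": "AWS::EC2::SecurityGroup", "resourceId": "sg-10dk8ej",
              "name": "Is associated with SecurityGroup"},
             {"resourceType": "AWS::EC2::Volume", "resourceId": "vol-1234567",
              "name": "Is attached to Volume"}]},
        {"resourceType": "AWS::EC2::Volume", "resourceId": "vol-1234567",
         "configurationItemCaptureTime": "2015-06-19T16:44:57.073Z",
         "configurationItemStatus": "OK", "relatedEvents": [],
         "relationships": [
             {"resourceType": "AWS::EC2::Instance", "resourceId": "i-123a3d9",
              "name": "Is attached to Instance"}]},
        # Deliberately inconsistent: the VPC item does not list the security group.
        {"resourceType": "AWS::EC2::VPC", "resourceId": "vpc-0example",
         "configurationItemCaptureTime": "2015-06-19T16:44:57.073Z",
         "configurationItemStatus": "OK", "relatedEvents": [],
         "relationships": []},
    ],
})


def resource_key(obj):
    """(resourceType, resourceId) tuple identifying a resource; works for both a
    configuration item and one of its relationship entries."""
    return (obj["resourceType"], obj["resourceId"])


def load_items(snapshot_text):
    return json.loads(snapshot_text)["configurationItems"]


def declared_edges(items):
    """Directed edges exactly as each configuration item declares them."""
    edges = defaultdict(set)
    for ci in items:
        for rel in ci.get("relationships", []):
            edges[resource_key(ci)].add(resource_key(rel))
    return edges


def impacted_by_change(items, resource):
    """Resources whose configuration items Config regenerates when `resource`
    changes: the resource itself plus everything related to it in either
    direction, since the dependency map is bi-directional."""
    edges = declared_edges(items)
    impacted = {resource} | edges.get(resource, set())
    for src, dsts in edges.items():
        if resource in dsts:
            impacted.add(src)
    return impacted


def missing_reverse_edges(items):
    """Consistency check: every declared A -> B should be matched by B -> A among
    the items present. Returns the (B, A) pairs that are missing."""
    edges = declared_edges(items)
    present = {resource_key(ci) for ci in items}
    missing = []
    for src, dsts in edges.items():
        for dst in dsts:
            if dst in present and src not in edges.get(dst, set()):
                missing.append((dst, src))
    return sorted(missing)


if __name__ == "__main__":
    items = load_items(SAMPLE_SNAPSHOT)
    sg = ("AWS::EC2::SecurityGroup", "sg-10dk8ej")
    print("change to", sg, "touches", impacted_by_change(items, sg))
    print("missing reverse edges:", missing_reverse_edges(items))
```

A change to sg-10dk8ej touches the instance it is associated with and the VPC it lives in, and the VPC is still reached from the security group's side even though the VPC item never declared the edge; the consistency check reports that missing declaration, which is the kind of gap worth flagging before relying on a snapshot for audit evidence.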

Page 15: Transparency and Control with AWS CloudTrail and AWS Config

AWS Config use cases

• Security analysis
• Audit compliance
• Change management
• Troubleshooting
• Discovery

Page 16: Transparency and Control with AWS CloudTrail and AWS Config

Record correlation

AWS CloudTrail Record
{
  "Records": [
    {
      …,
      "responseElements": {…},
      "requestID": "27508138-3475-4b6e-9429-88118eb1622b",
      "eventID": "ac21dd8c-98fe-46f8-9fce-5b77ae607346",
      "eventType": "AwsApiCall",
      "recipientAccountId": "222222222222"
    }
  ]
}

AWS Config Record
{
  "fileVersion": "1.0",
  "configurationItems": [
    {
      "relatedEvents": [
        "ac21dd8c-98fe-46f8-9fce-5b77ae607346"
      ],
      "awsAccountId": "222222222222",
      "configurationItemStatus": "ResourceDiscovered",
      …
    }
  ]
}


Page 18: Transparency and Control with AWS CloudTrail and AWS Config

Log diving

• This is the case of the surprise Elastic IP (bad surprise)
  – What was done?
    • Easy: an EIP was created
  – When was it created?
  – Who created it?
  – Where did it come from?

Page 19: Transparency and Control with AWS CloudTrail and AWS Config

What

• Starting with AWS Config
  – Search for the origin of "eipalloc-184efb7d"
  – Utilize the AWS Config console Resource Lookup tool or search the AWS Config log files in Amazon S3
    • AWS Config Partners http://aws.amazon.com/config/partners/
    • Roll a bit of code …
• The EventID leads us to AWS CloudTrail
  – "eventID": "ac21dd8c-98fe-46f8-9fce-5b77ae607346",

Page 20: Transparency and Control with AWS CloudTrail and AWS Config

When

• The AWS Config log file contains a timestamp
  – "configurationItemCaptureTime": "2015-06-19T16:44:57.073Z"
• Pivot to the specific AWS CloudTrail log file based on:
  – Timestamp
  – EventID

Page 21: Transparency and Control with AWS CloudTrail and AWS Config

Who and where (in the CloudTrail log)
{
  "Records": [
    {
      "eventVersion": "1.02",
      "userIdentity": {
        "type": "AssumedRole",
        "principalId": "AROAJXTPIKQ7QQEXAMPLE:bob-corpbroker",
        "arn": "arn:aws:sts::222222222222:assumed-role/NetManagerRole/bob-corpbroker",
        "accountId": "222222222222",
        "accessKeyId": "ASIAJOW7BLKIKEXAMPLE",
        …
      },
      …
      "sourceIPAddress": "198.51.100.178",
      "userAgent": "acme-corp-netmgmt-internal/1.2.3.4",
      …
      "eventID": "ac21dd8c-98fe-46f8-9fce-5b77ae607346",
      …
    }
  ]
}

Page 22: Transparency and Control with AWS CloudTrail and AWS Config


• ACME corporation uses a federated identity broker that leverages the company’s existing Directory Services and access control systems.

• CloudTrail logs indicate “bob” was issued a token by the broker to use the NetManager role.

– The RoleSessionName, “bob-corpbroker”, was set by the broker when generating the STS token for “bob” via the AssumeRole API.

• “bob” connected to the EC2 API endpoint from the IP Address 198.51.100.178.

• Federated Identity broker logs created by ACME corporation contain additional details.

• Now we know the EIP was created by an STS token issued from the corporation.
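Added example, not part of the deck: the record correlation and the what/when/who/where log dive from the preceding slides, done in Python over two constructed, gzip-compressed files shaped like an AWS Config history file and a CloudTrail log file (both services deliver gzipped JSON to S3). The resource ID, eventID, ARN, access key ID, source IP, user agent and capture time are the values shown on the slides; the EC2 event name AllocateAddress, the eventTime, and the second unrelated record are assumptions. The join is by eventID, so the example also shows the failure mode where the CloudTrail file covering that eventID was never pulled and the ID stays unresolved.

```python
import gzip
import json

# Constructed AWS Config history file for the surprise EIP.
CONFIG_HISTORY_GZ = gzip.compress(json.dumps({
    "fileVersion": "1.0",
    "configurationItems": [{
        "resourceType": "AWS::EC2::EIP",
        "resourceId": "eipalloc-184efb7d",
        "awsAccountId": "222222222222",
        "configurationItemStatus": "ResourceDiscovered",
        "configurationItemCaptureTime": "2015-06-19T16:44:57.073Z",
        "relatedEvents": ["ac21dd8c-98fe-46f8-9fce-5b77ae607346"],
    }],
}).encode())

# Constructed CloudTrail log file. The first record is the one the slides show;
# the second is an unrelated call in the same file, so the join has to pick by eventID.
CLOUDTRAIL_LOG_GZ = gzip.compress(json.dumps({"Records": [
    {
        "eventVersion": "1.02",
        "userIdentity": {
            "type": "AssumedRole",
            "principalId": "AROAJXTPIKQ7QQEXAMPLE:bob-corpbroker",
            "arn": "arn:aws:sts::222222222222:assumed-role/NetManagerRole/bob-corpbroker",
            "accountId": "222222222222",
            "accessKeyId": "ASIAJOW7BLKIKEXAMPLE",
        },
        "eventTime": "2015-06-19T16:44:56Z",          # assumed
        "eventSource": "ec2.amazonaws.com",
        "eventName": "AllocateAddress",                # assumed: the call that creates an EIP
        "sourceIPAddress": "198.51.100.178",
        "userAgent": "acme-corp-netmgmt-internal/1.2.3.4",
        "eventID": "ac21dd8c-98fe-46f8-9fce-5b77ae607346",
        "eventType": "AwsApiCall",
        "recipientAccountId": "222222222222",
    },
    {
        "eventVersion": "1.02",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::222222222222:user/alice"},
        "eventTime": "2015-06-19T16:50:00Z",
        "eventSource": "ec2.amazonaws.com",
        "eventName": "DescribeInstances",
        "sourceIPAddress": "203.0.113.5",
        "eventID": "00000000-0000-4000-8000-000000000001",
        "eventType": "AwsApiCall",
    },
]}).encode())


def load_gz_json(blob):
    """Both services deliver gzip-compressed JSON objects."""
    return json.loads(gzip.decompress(blob).decode())


def find_config_items(config_blobs, resource_id):
    """'What': every configuration item recorded for the resource."""
    return [ci for blob in config_blobs
            for ci in load_gz_json(blob)["configurationItems"]
            if ci.get("resourceId") == resource_id]


def index_cloudtrail(trail_blobs):
    """eventID -> record, over all CloudTrail log files supplied."""
    return {r["eventID"]: r for blob in trail_blobs
            for r in load_gz_json(blob)["Records"]}


def investigate(config_blobs, trail_blobs, resource_id):
    """Pivot from a Config item's relatedEvents into CloudTrail and pull out
    what / when / who / where. eventIDs with no matching record are returned
    separately so the analyst knows to fetch more log files (other hour, region)."""
    index = index_cloudtrail(trail_blobs)
    findings, unresolved = [], []
    for ci in find_config_items(config_blobs, resource_id):
        for event_id in ci.get("relatedEvents", []):
            rec = index.get(event_id)
            if rec is None:
                unresolved.append(event_id)
                continue
            ident = rec.get("userIdentity", {})
            arn = ident.get("arn", "")
            findings.append({
                "what": (ci["resourceType"], ci["resourceId"], ci["configurationItemStatus"]),
                "when": (ci["configurationItemCaptureTime"], rec.get("eventTime")),
                "api_call": (rec.get("eventSource"), rec.get("eventName")),
                "who": arn,
                # For an assumed role the ARN ends in the RoleSessionName set at AssumeRole time.
                "session_name": arn.rsplit("/", 1)[-1] if ident.get("type") == "AssumedRole" else None,
                "where": (rec.get("sourceIPAddress"), rec.get("userAgent")),
                "event_id": event_id,
            })
    return {"findings": findings, "unresolved_event_ids": unresolved}


if __name__ == "__main__":
    print(json.dumps(investigate([CONFIG_HISTORY_GZ], [CLOUDTRAIL_LOG_GZ],
                                 "eipalloc-184efb7d"), indent=2))
```

The result reproduces the slide's conclusion: the EIP's configuration item points at one eventID, that eventID resolves to an AssumedRole call by NetManagerRole with session name bob-corpbroker from 198.51.100.178, and the Config capture time sits just after the CloudTrail eventTime, which is the ordering to expect since Config records the state after the API call completes.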

Page 23: Transparency and Control with AWS CloudTrail and AWS Config

AWS Identity and Access Management (AWS IAM) enables you to securely control access to AWS services and resources

• Control who can do what and when from where
• Fine-grained control of user permissions, resources, and actions
• Add multi-factor authentication
  – Hardware token or smartphone apps
• Test out your new policies using the IAM policy simulator

You have fine-grained control of your AWS environment

Page 24: Transparency and Control with AWS CloudTrail and AWS Config

Segregate duties between roles with IAM

(Slide diagram, labels only: Region; VPC A - 10.0.0.0/16 spanning two Availability Zones with Subnet 10.0.1.0/24 and Subnet 10.0.2.0/24; Router; Internet Gateway; Internet; Customer Gateway. Roles shown: AWS account owner (master); Network management; Security management; Server management; Storage management; Manage and operate.)

You get to choose who can do what in your AWS environment and from where

Page 25: Transparency and Control with AWS CloudTrail and AWS Config

Keep control of who can do what on AWS using your existing directory

• AWS IAM now supports SAML 2.0
• Federate with on-premises directories like Active Directory or another SAML 2.0 compliant identity provider
• Use Active Directory users and groups in AWS for authentication and authorization
• For example, a ‘Network Administrators’ AD security group can have access to create and manage on-premises and AWS EC2 instances or Elastic IP addresses

Federate AWS IAM with your existing directories

Page 26: Transparency and Control with AWS CloudTrail and AWS Config

Thank You. This presentation will be loaded to SlideShare the week following the Symposium.

http://www.slideshare.net/AmazonWebServices
