AWS re:Invent 2016: Automating Security Event Response, from Idea to Code to Execution (SEC313)
TRANSCRIPT
© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Brian Wagner, AWS Professional Services
Don “Beetle” Bailey, AWS Security
November 29, 2016
SEC313
Automating Security Event Response
What to expect from the session
• Iteration of previous re:Invent talks
• Methodology for implementing security automation ideas
• Decision support to match AWS mechanisms to goals
• Code
• Additional resources
• Demos!
Building on previous talks
YouTube search
• “Intrusion Detection in the Cloud” 2014
• “Incident Response (IR) in the Cloud” 2014
• “Wrangling Security Events in The Cloud” 2015
SlideShare search
• “Enforcing Your Security Policy at Scale” 2016
You’ve probably seen this before
AWS shared responsibility model (diagram):
• AWS is responsible for the security OF the Cloud: AWS foundation services (compute, storage, database, networking) and the AWS global infrastructure (Regions, Availability Zones, Edge locations)
• Customers are responsible for their security IN the Cloud: customer content; platform, applications, IAM; operating system, network, and firewall configuration; client-side data encryption, server-side data encryption, and network traffic protection
Getting from here to there
• Understand AWS security practice
• Build strong compliance foundations
• Integrate IAM
• Enable detective controls
• Establish network security
• Implement data protection
• Optimize change management
• Automate security functions
Putting it all together
Components in the diagram:
• AWS CloudTrail, with an Amazon S3 bucket for log delivery
• Amazon CloudWatch Events
• AWS Lambda, running under an AWS IAM role and calling the AWS API endpoints
• Amazon Simple Notification Service
• Your staff, your security team, and your SaaS tools
Questions you will need to answer
• What is my expressed security objective in words?
• Is this configuration or behavior related?
• What data, where, could help inform me?
• Do I have requisite ownership or visibility?
• What are my performance requirements?
• What mechanisms support the above?
• What is my expressed security objective in code?
Security objective
“I would like to push a button that launches a penetration test on my AWS environment”
“I want to know when someone turns off AWS CloudTrail and automatically turn it back on”
“I need to prevent my developers from launching EC2 instances from unapproved Amazon Machine Images”
CloudWatch Events event pattern (adversary calls StopLogging on CloudTrail):
{
  "detail-type": [ "AWS API Call via CloudTrail" ],
  "detail": {
    "eventSource": [ "cloudtrail.amazonaws.com" ],
    "eventName": [ "StopLogging" ]
  }
}
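The second objective above ("know when someone turns off CloudTrail and turn it back on") as a Lambda responder for the rule just shown. This is an added example, not code from the deck: the sample event, the trail name and the SNS topic ARN are constructed, and the AWS clients are injectable so the module runs offline (with nothing injected it creates real boto3 clients). The handler checks the record's errorCode before acting, since a denied StopLogging call never stopped anything.

```python
"""Added example (not from the deck): re-enable CloudTrail after StopLogging.
Triggered by the CloudWatch Events rule above; the CloudTrail record arrives under
event["detail"]. AWS clients are injectable so the module runs offline."""
import json


def trail_from_event(event):
    """Return (trail name or ARN, caller ARN) from an "AWS API Call via CloudTrail" event."""
    detail = event["detail"]
    if detail.get("eventSource") != "cloudtrail.amazonaws.com" or detail.get("eventName") != "StopLogging":
        raise ValueError("not a cloudtrail.amazonaws.com StopLogging event")
    trail = detail["requestParameters"]["name"]
    caller = detail.get("userIdentity", {}).get("arn", "unknown")
    return trail, caller


def handler(event, context=None, cloudtrail=None, sns=None, topic_arn=None):
    """Lambda entry point: turn logging back on and tell the security team who stopped it."""
    if cloudtrail is None or sns is None:
        import boto3  # real clients only when nothing was injected
        cloudtrail = cloudtrail or boto3.client("cloudtrail")
        sns = sns or boto3.client("sns")
    trail, caller = trail_from_event(event)
    error = event["detail"].get("errorCode")
    if error:
        # A denied StopLogging call (e.g. AccessDenied) never stopped anything: record, do not act.
        return {"trail": trail, "stoppedBy": caller, "action": "none", "reason": error}
    if cloudtrail.get_trail_status(Name=trail).get("IsLogging"):
        action = "already-logging"  # an operator or a second responder beat us to it
    else:
        cloudtrail.start_logging(Name=trail)
        action = "restarted"
    message = {"trail": trail, "stoppedBy": caller, "action": action}
    if topic_arn:
        sns.publish(TopicArn=topic_arn, Subject="CloudTrail StopLogging detected",
                    Message=json.dumps(message))
    return message


# --- constructed sample input and offline stand-ins for the AWS clients ---
SAMPLE_EVENT = {  # constructed: the shape the rule above delivers to Lambda
    "detail-type": "AWS API Call via CloudTrail",
    "source": "aws.cloudtrail",
    "region": "eu-west-1",
    "detail": {
        "eventSource": "cloudtrail.amazonaws.com",
        "eventName": "StopLogging",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/Bill"},
        "requestParameters": {"name": "management-trail"},
    },
}
TOPIC_ARN = "arn:aws:sns:eu-west-1:123456789012:security-alerts"  # assumed


class FakeCloudTrail:
    """Records StartLogging calls instead of making them."""
    def __init__(self, logging=False):
        self.logging = logging
        self.started = []

    def get_trail_status(self, Name):
        return {"IsLogging": self.logging}

    def start_logging(self, Name):
        self.started.append(Name)
        self.logging = True
        return {}


class FakeSNS:
    def __init__(self):
        self.published = []

    def publish(self, **kwargs):
        self.published.append(kwargs)
        return {"MessageId": "stub"}


if __name__ == "__main__":
    trail_client, sns_client = FakeCloudTrail(), FakeSNS()
    print(handler(SAMPLE_EVENT, cloudtrail=trail_client, sns=sns_client, topic_arn=TOPIC_ARN))
    print(sns_client.published[0]["Message"])
```

The function's role needs cloudtrail:GetTrailStatus, cloudtrail:StartLogging and sns:Publish. The rule above only lists StopLogging; the same "eventName" array can also carry DeleteTrail and UpdateTrail, which are the other CloudTrail calls that silence a trail.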
Adversary (attaches a managed policy to a user):
import boto3

iam = boto3.client('iam')
iam.attach_user_policy(
    UserName='Bill',
    PolicyArn='arn:aws:iam::aws:policy/PowerUserAccess'
)
CloudWatch Events event pattern (IAM Attach*Policy calls):
{
  "detail-type": [ "AWS API Call via CloudTrail" ],
  "detail": {
    "eventSource": [ "iam.amazonaws.com" ],
    "eventName": [
      "AttachGroupPolicy",
      "AttachRolePolicy",
      "AttachUserPolicy"
    ]
  }
}
Adversary (writes an inline policy on a user):
import json
import boto3

# Inline policy granting every action on every resource
adminpolicy = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "*",
            "Resource": "*"
        }
    ]
}

iam = boto3.client('iam')
iam.put_user_policy(
    UserName='Bill',
    PolicyName='AdministratorAccess',
    PolicyDocument=json.dumps(adminpolicy)  # PolicyDocument is a JSON string, not a dict
)
CloudWatch Events event pattern (IAM Put*Policy calls):
{
  "detail-type": [ "AWS API Call via CloudTrail" ],
  "detail": {
    "eventSource": [ "iam.amazonaws.com" ],
    "eventName": [
      "PutGroupPolicy",
      "PutRolePolicy",
      "PutUserPolicy"
    ]
  }
}
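A responder for the two IAM patterns above (both adversary moves: attaching PowerUserAccess and putting an inline "*" on "*" policy), as an added example that is not part of the deck. It triages the CloudTrail record, then undoes the grant with the matching detach_*_policy or delete_*_policy call. The list of high-privilege managed policies, the approved-granter role, the caller ARN and the sample records are assumptions; the IAM client is injectable so the module runs offline.

```python
"""Added example (not from the deck): triage and roll back suspicious IAM grants.
Handles all six eventNames matched by the two patterns above. Which grants count as
high privilege and who may make them are assumed policy (constants below). The IAM
client is injectable so the module runs offline."""
import json

HIGH_PRIVILEGE_ARNS = {  # assumed: managed policies that amount to full control
    "arn:aws:iam::aws:policy/AdministratorAccess",
    "arn:aws:iam::aws:policy/PowerUserAccess",
    "arn:aws:iam::aws:policy/IAMFullAccess",
}
APPROVED_GRANTERS = {"arn:aws:iam::123456789012:role/SecurityAdmin"}  # assumed break-glass role

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _kind(event_name):
    """'AttachUserPolicy' -> ('Attach', 'User'); 'PutRolePolicy' -> ('Put', 'Role')."""
    for verb in ("Attach", "Put"):
        if event_name.startswith(verb) and event_name.endswith("Policy"):
            return verb, event_name[len(verb):-len("Policy")]
    raise ValueError(f"unsupported eventName {event_name}")

def document_grants_admin(policy_document):
    """True if any Allow statement grants Action "*" (or "iam:*") on Resource "*"."""
    doc = json.loads(policy_document) if isinstance(policy_document, str) else policy_document
    for stmt in _as_list(doc.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions, resources = _as_list(stmt.get("Action", [])), _as_list(stmt.get("Resource", []))
        if any(a in ("*", "iam:*") for a in actions) and "*" in resources:
            return True
    return False

def triage(detail):
    """Decide 'ignore' / 'allow' / 'revoke' from the CloudTrail record alone."""
    if detail.get("errorCode"):  # e.g. AccessDenied: nothing was actually granted
        return "ignore", f"call failed: {detail['errorCode']}"
    caller = detail.get("userIdentity", {}).get("arn", "")
    if caller in APPROVED_GRANTERS:
        return "allow", f"approved granter {caller}"
    verb, _ = _kind(detail["eventName"])
    params = detail["requestParameters"]
    if verb == "Attach":
        if params["policyArn"] in HIGH_PRIVILEGE_ARNS:
            return "revoke", f"managed policy {params['policyArn']}"
    elif document_grants_admin(params["policyDocument"]):
        return "revoke", f"inline policy {params['policyName']} allows * on *"
    return "allow", "not high privilege"

def revoke(detail, iam):
    """Undo the grant with the matching detach_*_policy / delete_*_policy call."""
    verb, kind = _kind(detail["eventName"])
    params = detail["requestParameters"]
    # CloudTrail records userName/groupName/roleName; boto3 wants UserName/GroupName/RoleName
    kwargs = {kind + "Name": params[kind.lower() + "Name"]}
    if verb == "Attach":
        method = getattr(iam, f"detach_{kind.lower()}_policy")
        kwargs["PolicyArn"] = params["policyArn"]
    else:
        method = getattr(iam, f"delete_{kind.lower()}_policy")
        kwargs["PolicyName"] = params["policyName"]
    method(**kwargs)
    return method.__name__, kwargs

def handler(event, context=None, iam=None):
    """Lambda entry point for both IAM rules."""
    detail = event["detail"]
    verdict, reason = triage(detail)
    result = {"verdict": verdict, "reason": reason}
    if verdict == "revoke":
        if iam is None:
            import boto3  # real client only when nothing was injected
            iam = boto3.client("iam")
        result["undo"] = revoke(detail, iam)
    return result

# --- constructed CloudTrail records for the two adversary calls shown above ---
ADMIN_DOC = json.dumps({"Version": "2012-10-17",
                        "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]})
ATTACH_EVENT = {"detail": {
    "eventSource": "iam.amazonaws.com", "eventName": "AttachUserPolicy",
    "userIdentity": {"arn": "arn:aws:iam::123456789012:user/Mallory"},
    "requestParameters": {"userName": "Bill", "policyArn": "arn:aws:iam::aws:policy/PowerUserAccess"}}}
PUT_EVENT = {"detail": {
    "eventSource": "iam.amazonaws.com", "eventName": "PutUserPolicy",
    "userIdentity": {"arn": "arn:aws:iam::123456789012:user/Mallory"},
    "requestParameters": {"userName": "Bill", "policyName": "AdministratorAccess", "policyDocument": ADMIN_DOC}}}

class FakeIAM:
    """Stand-in for boto3's IAM client: records each call instead of making it."""
    def __init__(self):
        self.calls = []
    def __getattr__(self, name):
        def call(**kwargs):
            self.calls.append((name, kwargs))
            return {}
        call.__name__ = name
        return call

if __name__ == "__main__":
    for sample in (ATTACH_EVENT, PUT_EVENT):
        print(handler(sample, iam=FakeIAM()))
```

The triage step is kept separate from the revoke step so the same code can run in alert-only mode first (call triage, publish the verdict) and be switched to active response once the approved-granter list has settled; the responder's own role must be in that list, or it will roll back its own cleanups.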
Demo: “Only allow EC2 instances launched from approved AMIs and with appropriate subnets and security groups”
CloudWatch Events event pattern (an instance enters the pending state):
{
  "detail-type": [
    "EC2 Instance State-change Notification"
  ],
  "detail": {
    "state": [ "pending" ]
  },
  "source": [ "aws.ec2" ]
}
Responder (Lambda function) checks:
• whether the AMI is approved
• whether the AMI is used in the correct subnet
• whether the AMI was launched with an approved security group
DynamoDB table of approved AMIs (two example items):
{
  "ami": "ami-0d77397e",
  "region": "eu-west-1",
  "security_groups": [
    "sg-cc9a3aaa"
  ],
  "subnets": [
    "subnet-ac3d7cda",
    "subnet-2f9c1677"
  ]
},
{
  "ami": "ami-f9dd458a",
  "region": "eu-west-1",
  "security_groups": [
    "sg-ee9a3a88"
  ],
  "subnets": [
    "subnet-ad3d7cdb",
    "subnet-2e9c1676"
  ]
}
Responder emits an activeResponse event for the next level (the Detail field must be a JSON string):
import json
import time
import boto3

events = boto3.client('events')
events.put_events(Entries=[{
    'Time': int(time.time()),
    'Source': 'auto.responder.level1',
    'Resources': [ str(instance_id) ],   # instance_id comes from the state-change event
    'DetailType': 'activeResponse',
    'Detail': json.dumps({
        'instance': instance_id,
        'actionsRequested': 'instanceTermination'
    })
}])
CloudWatch Events event pattern matching the responder's activeResponse event (consumed by the next level of response):
{
  "detail-type": [
    "activeResponse"
  ],
  "source": [
    "auto.responder.level1"
  ]
}
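The whole demo pipeline as one runnable module, added here and not taken from the deck: a level-1 responder for the "pending" rule that performs the three checks against the approved-AMI records (the two DynamoDB items above, copied into memory; a real Table resource can be passed instead), emits the activeResponse event, and a level-2 responder for the last pattern that carries out the termination. The instance ID, the rogue instance's attributes and the "sg-0badbad0" group are constructed sample data; the AWS clients are injectable so it runs offline.

```python
"""Added example (not from the deck): the approved-AMI demo end to end.
Level 1 handles the "pending" state-change event above, checks the instance against
the approved-AMI records and emits the activeResponse event; level 2 consumes that
event and terminates the instance. AWS clients are injectable so it runs offline."""
import json
import time

RESPONDER_SOURCE = "auto.responder.level1"
APPROVED = {  # (ami, region) -> approved subnets and security groups, from the table above
    ("ami-0d77397e", "eu-west-1"): {"subnets": {"subnet-ac3d7cda", "subnet-2f9c1677"},
                                    "security_groups": {"sg-cc9a3aaa"}},
    ("ami-f9dd458a", "eu-west-1"): {"subnets": {"subnet-ad3d7cdb", "subnet-2e9c1676"},
                                    "security_groups": {"sg-ee9a3a88"}},
}

def lookup_approved(ami, region, table=None):
    """Approval record for (ami, region); `table` may be a boto3 DynamoDB Table resource."""
    if table is None:
        return APPROVED.get((ami, region))
    item = table.get_item(Key={"ami": ami, "region": region}).get("Item")
    if not item:
        return None
    return {"subnets": set(item["subnets"]), "security_groups": set(item["security_groups"])}

def evaluate(instance, region, table=None):
    """Return the list of violations; an empty list means the launch is compliant."""
    ami = instance["ImageId"]
    record = lookup_approved(ami, region, table)
    if record is None:
        return [f"AMI {ami} is not approved in {region}"]
    violations = []
    if instance["SubnetId"] not in record["subnets"]:
        violations.append(f"subnet {instance['SubnetId']} not approved for {ami}")
    extra = {g["GroupId"] for g in instance["SecurityGroups"]} - record["security_groups"]
    if extra:
        violations.append(f"unapproved security groups {sorted(extra)} for {ami}")
    return violations

def level1_handler(event, context=None, ec2=None, events=None, table=None):
    """Responder: describe the instance, evaluate it, request termination if it fails."""
    instance_id, region = event["detail"]["instance-id"], event["region"]
    if ec2 is None or events is None:
        import boto3  # real clients only when nothing was injected
        ec2 = ec2 or boto3.client("ec2", region_name=region)
        events = events or boto3.client("events", region_name=region)
    instance = ec2.describe_instances(InstanceIds=[instance_id])["Reservations"][0]["Instances"][0]
    violations = evaluate(instance, region, table)
    if violations:
        events.put_events(Entries=[{
            "Time": int(time.time()),
            "Source": RESPONDER_SOURCE,
            "Resources": [instance_id],
            "DetailType": "activeResponse",
            "Detail": json.dumps({"instance": instance_id,  # Detail must be a JSON string
                                  "actionsRequested": "instanceTermination",
                                  "violations": violations}),
        }])
    return {"instance": instance_id, "violations": violations}

def level2_handler(event, context=None, ec2=None):
    """Matched by the activeResponse pattern above; carries out the requested action."""
    detail = event.get("detail", {})
    if (event.get("source") != RESPONDER_SOURCE or event.get("detail-type") != "activeResponse"
            or detail.get("actionsRequested") != "instanceTermination"):
        return {"action": "ignored"}
    if ec2 is None:
        import boto3
        ec2 = boto3.client("ec2", region_name=event["region"])
    ec2.terminate_instances(InstanceIds=[detail["instance"]])
    return {"action": "terminated", "instance": detail["instance"]}

def deliver(entry, region):
    """What CloudWatch Events hands level 2 for a put_events entry (Detail parsed back to JSON)."""
    return {"source": entry["Source"], "detail-type": entry["DetailType"],
            "region": region, "detail": json.loads(entry["Detail"])}

# --- constructed sample input and offline stand-ins for the AWS clients ---
STATE_CHANGE = {"detail-type": "EC2 Instance State-change Notification", "source": "aws.ec2",
                "region": "eu-west-1", "detail": {"instance-id": "i-0123456789abcdef0", "state": "pending"}}
ROGUE_INSTANCE = {  # approved AMI launched into the wrong subnet with an extra security group
    "InstanceId": "i-0123456789abcdef0", "ImageId": "ami-0d77397e", "SubnetId": "subnet-2e9c1676",
    "SecurityGroups": [{"GroupId": "sg-cc9a3aaa"}, {"GroupId": "sg-0badbad0"}],
}

class FakeEC2:
    def __init__(self, instance):
        self.instance, self.terminated = instance, []
    def describe_instances(self, InstanceIds):
        return {"Reservations": [{"Instances": [self.instance]}]}
    def terminate_instances(self, InstanceIds):
        self.terminated.extend(InstanceIds)
        return {}

class FakeEvents:
    def __init__(self):
        self.entries = []
    def put_events(self, Entries):
        self.entries.extend(Entries)
        return {"FailedEntryCount": 0}

if __name__ == "__main__":
    ec2, bus = FakeEC2(ROGUE_INSTANCE), FakeEvents()
    print(level1_handler(STATE_CHANGE, ec2=ec2, events=bus))
    for entry in bus.entries:
        print(level2_handler(deliver(entry, "eu-west-1"), ec2=ec2))
```

Splitting detection (level 1) from action (level 2) through the event bus is what the last pattern above expresses: the terminating function can run under a separate, tightly scoped role, and the activeResponse events give the security team a record of every automated action even when level 2 is switched off.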
Other AWS security resources
• Support
https://aws.amazon.com/support
• AWS Cloud Security
https://aws.amazon.com/security
• Contact the AWS security team
Related sessions
• SAC305 “How AWS Automates Internal Compliance at
Massive Scale Using AWS Services”
• SAC316 “Security Automation: Spend Less Time
Securing Your Applications”
• SAC401 “5 Security Automation Improvements You Can
Make by Using Amazon CloudWatch Events and AWS
Config Rules”
• SAC315 “Scaling Security Operations and Automating
Governance: Which AWS Services Should I Use?”
Summary
• Security agility with AWS is more achievable than ever
• Identify and express your security goals, even as code
• Choose your own adventure, and leverage Support
• And remember, when it comes to security event response …
There are TWO ways to get practice, but you only get to choose ONE ;)