navigating the aws compliance framework | aws security roadshow dublin
TRANSCRIPT
Navigating the AWS Compliance Framework
Ronan Guilfoyle
Solutions Architect
Amazon Web Services Ireland
Shared Responsibility
[Diagram: AWS manages security of the cloud: cross-service controls, service-specific controls and the cloud service provider's own controls. The customer manages security in the cloud: network, OS and application controls, optimised for the workload.]
Request compliance reports (ISO 27000 series, ISO 9001 and others) at: aws.amazon.com/compliance/#contact
Agenda:
• Overview
• CloudTrail
  • Source
  • Structure
  • Analytics options
• VPC Flow Logs
  • What for
  • Where from
  • How structured
  • How to access them
  • Some analytics
What can you answer using a CloudTrail event?
Who made the API call?
When was the API call made?
What was the API call?
Which resources were acted upon in the API call?
Where was the API call made from and made to?
AWS CloudTrail
CloudTrail can help you achieve many tasks
• Security analysis
• Track changes to AWS resources, for example
VPC security groups and NACLs
• Compliance – log and understand AWS API call
history
• Prove that you did not:
• Use the wrong region
• Use services you don’t want
• Troubleshoot operational issues – quickly
identify the most recent changes to your
environment
AWS CloudTrail logs can be delivered cross-account
• Accounts can send their trails to a central
account
• Central account can then do analytics
• Central account can:
• Redistribute the trails
• Grant access to the trails
• Filter and reformat Trails (to meet privacy
requirements)
Turn on CloudTrail using AWS CLI
• Step 1: Create a trail

    $ aws cloudtrail create-trail --region=eu-central-1 \
        --name ITAuditandOpsTrail --s3-bucket-name mybucket

  The CLI option is --s3-bucket-name (the deck's --s3-bucket is rejected). The bucket must already exist and carry a bucket policy that lets cloudtrail.amazonaws.com write to it. Without --is-multi-region-trail this trail records only eu-central-1, so add that flag if the trail is meant to prove that no other region was used.

• Step 2: Start logging on the trail

    $ aws cloudtrail start-logging --region=eu-central-1 \
        --name ITAuditandOpsTrail
What does an event look like?

    {
      "eventVersion": "1.01",
      "userIdentity": {
        "type": "IAMUser",                                  // Who?
        "principalId": "AIDAJDPLRKLG7UEXAMPLE",
        "arn": "arn:aws:iam::123456789012:user/Alice",     // Who?
        "accountId": "123456789012",
        "accessKeyId": "AKIAIOSFODNN7EXAMPLE",
        "userName": "Alice",
        "sessionContext": {
          "attributes": {
            "mfaAuthenticated": "false",
            "creationDate": "2014-03-18T14:29:23Z"
          }
        }
      },
      "eventTime": "2014-03-18T14:30:07Z",                 // When?
      "eventSource": "cloudtrail.amazonaws.com",
      "eventName": "StartLogging",                          // What?
      "awsRegion": "us-west-2",                             // Where to?
      "sourceIPAddress": "72.21.198.64",                    // Where from?
      "userAgent": "AWSConsole, aws-sdk-java/1.4.5 Linux/x.xx.fleetxen Java_HotSpot(TM)_64-Bit_Server_VM/xx",
      "requestParameters": {
        "name": "Default"                                   // Which resource?
      },
      // more event details
    }
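An added example (not from the deck) of answering the five questions above from delivered CloudTrail log files, and of running the "prove that you did not use the wrong region or unwanted services" checks over them. CloudTrail delivers each file as gzipped JSON with a top-level "Records" array, which the parser handles. The events beyond the StartLogging one shown, the region and service allow lists, and the read-only API-name prefixes used as an MFA heuristic are all constructed for this example.

```python
import gzip
import json
from datetime import datetime, timezone

# Constructed sample events. The first is the StartLogging event from the deck; the
# other two are made up (a security-group change in an unexpected region without MFA,
# and a read-only call from an MFA-backed role session). IDs are AWS doc placeholders.
SAMPLE_RECORDS = [
    {"eventVersion": "1.01",
     "userIdentity": {"type": "IAMUser", "principalId": "AIDAJDPLRKLG7UEXAMPLE",
                      "arn": "arn:aws:iam::123456789012:user/Alice",
                      "accountId": "123456789012", "accessKeyId": "AKIAIOSFODNN7EXAMPLE",
                      "userName": "Alice",
                      "sessionContext": {"attributes": {"mfaAuthenticated": "false",
                                                        "creationDate": "2014-03-18T14:29:23Z"}}},
     "eventTime": "2014-03-18T14:30:07Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StartLogging", "awsRegion": "us-west-2",
     "sourceIPAddress": "72.21.198.64", "userAgent": "AWSConsole",
     "requestParameters": {"name": "Default"}},
    {"eventVersion": "1.01",
     "userIdentity": {"type": "IAMUser", "principalId": "AIDAJDPLRKLG7UEXAMPLE",
                      "arn": "arn:aws:iam::123456789012:user/Alice",
                      "accountId": "123456789012", "userName": "Alice",
                      "sessionContext": {"attributes": {"mfaAuthenticated": "false"}}},
     "eventTime": "2014-03-18T15:02:41Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress", "awsRegion": "ap-southeast-1",
     "sourceIPAddress": "198.51.100.23", "userAgent": "aws-cli/1.3.0",
     "requestParameters": {"groupId": "sg-0123456789abcdef0", "cidrIp": "0.0.0.0/0"}},
    {"eventVersion": "1.01",
     "userIdentity": {"type": "AssumedRole", "principalId": "AROAEXAMPLEID:bob",
                      "arn": "arn:aws:sts::123456789012:assumed-role/Admin/bob",
                      "accountId": "123456789012",
                      "sessionContext": {"attributes": {"mfaAuthenticated": "true"}}},
     "eventTime": "2014-03-18T16:10:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeSecurityGroups", "awsRegion": "eu-west-1",
     "sourceIPAddress": "203.0.113.9", "userAgent": "aws-cli/1.3.0",
     "requestParameters": None},
]


def sample_log_file(gzipped: bool = True) -> bytes:
    """Serialise the constructed records in the layout CloudTrail writes to S3."""
    raw = json.dumps({"Records": SAMPLE_RECORDS}).encode()
    return gzip.compress(raw) if gzipped else raw


def parse_cloudtrail_file(data: bytes) -> list:
    """Return the Records array from a delivered log file (gzipped .json.gz or plain JSON)."""
    if data[:2] == b"\x1f\x8b":  # gzip magic bytes
        data = gzip.decompress(data)
    return json.loads(data)["Records"]


def answer_five_questions(event: dict) -> dict:
    """Who / when / what / which resource / where from / where to, for one event."""
    identity = event.get("userIdentity", {})
    attrs = identity.get("sessionContext", {}).get("attributes", {})
    return {
        "who": identity.get("arn") or identity.get("principalId"),
        "mfa": attrs.get("mfaAuthenticated") == "true",
        "when": datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
        "what": event["eventSource"].split(".")[0] + ":" + event["eventName"],
        "which": event.get("requestParameters") or {},
        "where_from": event.get("sourceIPAddress"),
        "where_to": event.get("awsRegion"),
    }


# Heuristic (an assumption of this example): eventVersion 1.01 has no readOnly field,
# so API names with these prefixes are treated as non-mutating.
READ_ONLY_PREFIXES = ("Describe", "Get", "List", "Lookup")


def find_violations(records, allowed_regions, allowed_services,
                    mfa_required_services=("ec2", "iam")) -> list:
    """Flag calls outside the region/service allow lists and mutating calls made without MFA.
    Returns (kind, who, region, api) tuples in event order."""
    findings = []
    for event in records:
        q = answer_five_questions(event)
        service, api = q["what"].split(":", 1)
        if q["where_to"] not in allowed_regions:
            findings.append(("wrong-region", q["who"], q["where_to"], q["what"]))
        if service not in allowed_services:
            findings.append(("unwanted-service", q["who"], q["where_to"], q["what"]))
        if (service in mfa_required_services and not q["mfa"]
                and not api.startswith(READ_ONLY_PREFIXES)):
            findings.append(("mutation-without-mfa", q["who"], q["where_to"], q["what"]))
    return findings


if __name__ == "__main__":
    records = parse_cloudtrail_file(sample_log_file())
    for finding in find_violations(records, {"eu-west-1", "us-west-2"}, {"ec2", "cloudtrail", "iam"}):
        print(finding)
```

Later event versions carry an explicit readOnly field; when it is present, prefer it over the prefix heuristic. The checks only prove anything if the trail covers every region, so pair them with a multi-region trail.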
Firewall Requirements
• Based on the NIST SP 800 series, BSI IT-Grundschutz and others:
  – Anti-spoofing
  – Packet filtering (at minimum), stateful or stateless
  – Segregation of duties on the management side
  – Logging/audit capabilities on the management side
  – Event logging of processed traffic
• AWS building blocks shown against these requirements: Security Groups (filtering), IAM (segregation of duties), AWS Config and CloudTrail (management-side audit), VPC Flow Logs (event logging of traffic)
The Source I
[Diagram: VPC Flow Logs are delivered to a CloudWatch Logs log group containing one log stream per ENI (elastic network interface).]
The Source II
[Diagram: a VPC across Availability Zone A and Availability Zone B, with subnet 10.0.0.0/24 and subnet 10.0.1.0/24, each with its own routing table and network ACL; instances protected by security groups; a router, an internet gateway and a virtual private gateway. Flows are captured at the ENIs.]
Layered controls:
• Lock down at instance level (security groups)
• Isolate network functions (subnets)
• Lock down at network level (network ACLs)
• Route restrictively (routing tables)
Structure I
Fields of a flow log record, in order, with the example record's values:
  Event version        2
  Account number       123456789
  ENI ID               eni-31607853
  Source IP            172.16.0.10
  Destination IP       172.16.0.172
  Source port          80
  Destination port     41707
  Protocol number      6 (TCP)
  Number of packets    1
  Number of bytes      40
  Start-time window    1440402534 (Unix epoch seconds)
  End-time window      1440402589
  Action               ACCEPT
  State (log status)   OK
As one space-separated line in the log stream:
  2 123456789 eni-31607853 172.16.0.10 172.16.0.172 80 41707 6 1 40 1440402534 1440402589 ACCEPT OK
Structure II
Flow logs are STATISTICAL: each record aggregates one flow over a capture window, reporting the start-time window, the end-time window, the number of packets, the number of bytes and the action (ACCEPT or REJECT). There is no per-packet detail and no payload, so a record is evidence that a flow existed and how much it carried, not of what was sent.
How To Access
[Diagram: read the records from the CloudWatch Logs log group, one log stream per ENI, selecting a start time and an end time for the query window.]
Some Analytics
Example: one month of flow logs for 2 public IPs
• Number of source IPs: 48,604
• Number of destination IPs: 5,373
• Number of source ports: 64,363
• Number of destination ports: 64,348
• Number of bytes: 887,551,682
• Number of packets: 8,400,707