The flexibility and scale of the AWS Cloud and the emergence of DevOps have combined to allow developers to build and deploy applications faster than ever before. Assessing these applications for security risks without slowing down the development process can be a challenge with traditional vulnerability assessment tools designed for on-premises infrastructure. Amazon Inspector, an automated security assessment service, addresses this by integrating security assessments directly into the development process of applications running on Amazon Elastic Compute Cloud (Amazon EC2). In this session, we will review Amazon Inspector for performing host security assessments and how it can become a seamless part of your devops lifecycle. We will run through a demo of setting up assessment targets and templates, installing the AWS agent, and running assessments. We will explore the findings generated by an assessment and discuss how you can automate the running of assessments. Learning Objectives: An overview and the value of Security Assessment testing with Amazon Inspector How customer sign up for, configure, and use the service Understand AWS Agent and assessment data security

1. © 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Eric Fitzgerald
June 27, 2016
Amazon Inspector
Security Insight for your Application Deployments in AWS

2.  Why did we build Amazon Inspector?
 What is Amazon Inspector?
 How does it work?
 How much does it cost?
 What does it help protect against?
 How does it help me with remediation?
 What regions are supported?
 What’s next for Amazon Inspector?
What to expect from this session

3.  Better alignment with customer needs
 Increased ownership by developers
 Continuous feedback & bug discovery
 Configuration & Infrastructure is part of the code
 More frequent code rollouts
 Automation
 Better focus on operational excellence
 Cloud provides infrastructure as code
 Improved availability
 Cost optimization
DevOps & Cloud

4. Asset Owner AppSec Team
Pen Test TeamAsset
Queue Ticket for Security Review Request
Scan for Vulnerabilities
Remediate
Identify Security Issues
EngagePenTest/RedTeam
ReportIssues
🕙
🕙
Work
Backlog
Work
Backlog
Work
Backlog
Traditional Security Processes

5.  Its not about DevOps + Security
 Not enough security professionals on the planet to do this
 Security teams need their own automation to keep up with automated
deployments!
 Security as code
 Seamless integration with CI/CD pipelines
 Ability to scan and run test suites in parallel
 Ability to automate remediation
 Consumable by APN technology partners as microservices
 www.devsecops.org

6. Source Code Running Host
Continuous Integration / Continuous Deployment

7. Amazon Inspector
 Vulnerability Assessment Service
 Built from the ground up to support DevSecOps
 Automatable via API’s
 Integrates with CI/CD tools
 On-Demand Pricing model
 Static & Dynamic Rules Packages
 Generates Findings

8. “[With] any large network, I will tell you that persistence and
focus will get you in, we’ll achieve that exploitation without
the zero days,” he says. “There’s so many more vectors
that are easier, less risky and quite often more productive
than going down that route.” This includes, of course,
known vulnerabilities for which a patch is available but the
owner hasn’t installed it.
- Rob Joyce NSA TAO @ Enigma 2016
The Value of Vulnerability Assessments

9.  Simple deployment
 Low impact
 Full access
 Unique insight
Agents

10.  Chef, SaltStack, Puppet, Ansible
 AWS CodeDeploy
 EC2 user-data
 EC2 RunCommand
 cfn-init
 OpsWorks
 CloudInit
#!/bin/bash
wget https://s3-us-west-2.amazonaws.com/inspector.agent.us-west-2/latest/install
chmod a+x /home/ec2-user/install
/home/ec2-user/install
$url = "https://s3-us-west-2.amazonaws.com/aws-agent-updates-test/windows/product/AWSAgentInstall.exe"
$wc = New-Object System.Net.WebClient
$wc.DownloadFile($url, "AWSInstall.exe")
& .AWSInstall.exe /quiet
Installing the Agents
Try pasting this in EC2 userdaa

11.  Red Hat Enterprise Linux (6.5 or later)
 CentOS (6.5 or later)
 Ubuntu (12.04 LTS, 14.04 LTS or later)
 Amazon Linux (2015.03 or later)
 Microsoft Windows (2012 R2, 2008 R2) - Preview
Linux Kernel Support
 We get kernels at the same time you get them
 It currently takes us 1-2 weeks for build, test & validation
 We’re aiming for 1 day
New Distributions
 Takes a long time
Supported Agent Operating Systems

14. Assessments

16. Pricing
 Free Trial
 250 agent-assessments for first 90 days using the service
 Based on Agent-Assessments
 1 assessment with 10 agents = 10 agent-assessments
 5 assessments with 2 agents = 10 agent-assessments
 10 assessments with 1 agent = 10 agent-assessments
 10 Agent-Assessments = $3.00
First 250 agent-assessments:
Next 750 agent-assessments:
Next 4000 agent-assessments:
Next 45,000 agent-assessments:
All other agent-assessments:
$0.30
$0.25
$0.15
$0.10
$0.05

17. Web Scale
Service
Stack
Service
Stack
Service
Stack
Service
Stack
Service
Stack
Service
Stack
Service
Stack
NLB

18. CVE - Common Vulnerabilities & Exposures
 Tagged list of publicly known info security issues
 Vulnerabilities
 A mistake in software that can be used to gain unauthorized system access
 Execute commands as another user
 Pose as another entity
 Conduct a denial of service
 Exposures
 A mistake in software that allows access to information that can lead to
unauthorized system access.
 Allows an attacker to hide activities
 Enables information gathering activities

19. CIS Security Configuration Benchmarks
What are they?
 Security configuration guide
 Consensus-based development
process
 PDF versions are free via CIS
website
Inspector automates scanning instances
against the latest benchmark for that OS

20. What’s inside a Benchmark?
What you should do…
Why you should do it…
How to do it…
How to know if you did it…
This is what Inspector does
for you now
(more in future)

21. Amazon Inspector
• Rule Packages
 Common Vulnerabilities & Exposures
 CIS Secure Configuration Benchmarks
 Security Best Practices
 Runtime Behavior Analysis

22. Rules Package Support
CVE CIS Best
Practices
Runtime
Behavior
Amazon Linux 2015.03+ ✅ ✅ ✅ ✅
Ubuntu 14.04 LTS+ ✅ ✅ ✅
CentOS 6.5+ ✅ ✅ ✅
RHEL 6.5+ ✅ ✅ ✅
Windows Server 2008 R2+ ✅ ✅ ⭕️

23. Security Best Practices
 Authentication
 Network Security
 Operating System
 Application Security
 Disable root login over SSH
 Password complexity
 Permissions for system directories
 Secure Protocols
 Data execution prevention enabled

24. Runtime Behavior Analysis
 Package analyzes machine behavior during as assessment.
 Unused listening ports
 Insecure client protocols
 Root processed with insecure permissions
 Insecure server protocols
 Impacts the severity of static findings

25. Automating Remediation
 Findings are JSON formatted and taggable
 Name of assessment target & template
 Start time, end time, status
 Name of rule packages
 Name & severity of the finding
 Description & remediation steps
 Lambda-fy your incident response
 Integrate with Jira-like services
 Integrate with Pagerduty-like services
 Integrate with EC2 SSM

26. Launch Partners

27. Regions Supported
 GA
 US West (Oregon)
 EU (Ireland)
 US East (Virginia)
 Asia Pacific (Tokyo)
 July 2016
 Asia Pacific (Sydney)
 Asia Pacific (Seoul)
 Fall 2016
 Asia Pacific (India)
 Europe (London)
 Europe (Frankfurt)

29. What’s Next for Inspector
 Reporting
 Threat Modelling
 More Rules Packages (Industry-specific, applications)
 Add/Edit Rules Packages

30. Remember to complete
your evaluations!

31. © 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Thank you!