Five New Security Automation Improvements You Can Make by Using Amazon CloudWatch Events and AWS Config Rules - SID405 - re:Invent 2017

© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
AWS re:INVENT
Five New Security Automation
Improvements You Can Make by
Using Amazon CloudWatch Events
and AWS Config Rules
N o v e m b e r 3 0 , 2 0 1 7
S I D 4 0 5
Henrik Johansson

What to expect from this session
• Bonus
• Security automation primer
• Guardrails and why you shouldn’t nuke yourself
• Code, code and code
• Takeaways

Bonus - Code will be available as OSS
http://github.com/awslabs/aws-security-automation
https://github.com/awslabs/aws-security-benchmark

Security automation primer
Why?

Reliability

Reliability
Efficiency

Reliability
Efficiency
Scalability

Reliability Efficiency Scalability
Try clicking the same icon 1000 times

At 3 a.m.

At 3 a.m.
On a Monday

At 3 a.m.
On a Monday
Now ask yourself, during the 1000 clicks, when did the icon change?

At 3am
On a Monday
Now ask yourself, during the 1000 clicks, when did the icon change?
Now do it on Tuesday again!

Security automation and compliance
Focus on the evidence
Map evidence specific controls
Deliver not just the what but also the how
Enable you compliance team!
(Yes, they are your friends)

What else?
Detection
Alerting
Remediation
Countermeasures
Forensics

Primer - Testing incidents
How do I test/verify?
1. Generate the issue
• Use test accounts
• Try different scenarios, sources, account types
• Not always suitable or practical
• CloudWatch Event samples:
http://docs.aws.amazon.com/AmazonCloudWatch/latest/events/EventTypes.html
1. Lambda test event
• Create your own test data (JSON) based on #1
• Samples in AWS documentation

Guardrails
Or how to avoid doing the attacker’s job…
just faster

Framework
Don’t just fix and forget
Standardization matters!
Use managed services and/or AI/ML where possible
Limits and Alerts are good together

Have a framework - ExampleMode
Section Actions
Initiate
React Config Rules/CloudWatch Events/Log Parsing
Trigger Lambda
Learn Lambda/CloudWatch Logs
Execution
Priority Action Restart service, delete user, and so on
Forensics Discover: Who/where/when, allowed to execute?
Countermeasure Disable access keys, isolate instance, and so on
Alert Text/Page, email, ticket system
Logging Database, ticket system, encrypt data?

Code, Code and Code

#tbt
re:Invent 2016: SAC401
Repos:
https://github.com/awslabs/aws-security-automation
Major changes done:
AutoMFA now supports self service
CIS Benchmark bug fixes
…Stay tuned

Demo time!

1Serverless security automation…without the code

Problem statement
We need to be able to initiate a chain of events when a activity that are sensitive to
us are detected.
• How do we alert our different teams as quickly as possible?
• How do we take multiple actions without having to build a task/state solution?

Code highlights

Code highlights
Hmm…where’s the code?

Code highlights
Security automation
!=
Python | Node | Java | <Insert hip name here>

Amazon CloudWatch Events

Keep in mind
Driven by API activity
Only Read/Write events
Read-only like List, Get, or Describe are not supported
But supports a number of services…

Auto Scaling
AWS Certificate Manager
AWS CloudFormation
Amazon CloudFront
AWS CloudHSM
Amazon CloudSearch
AWS CloudTrail
Amazon CloudWatch
Amazon CloudWatch Events
Amazon CloudWatch Logs
AWS CodeDeploy
AWS CodePipeline
Amazon Cognito Identity
Amazon Cognito Sync
AWS Config
AWS Data Pipeline
AWS Device Farm
AWS Direct Connect
AWS Directory Service
AWS Database Migration Service
Amazon DynamoDB
Amazon Elastic Container Registry
Amazon Elastic Container Service
Amazon EC2 Systems Manager
Amazon ElastiCache
AWS Elastic Beanstalk
Amazon Elastic Compute Cloud
Amazon Elastic
Elastic Load Balancing
Amazon EMR
Amazon Elastic Transcoder
Amazon Elasticsearch Service
Amazon GameLift
Amazon Glacier
File System
AWS Identity and Access Management [US
East (N. Virginia) only]
AWS Identity and Access Management [US
East (N. Virginia) only]
Amazon Inspector
AWS IoT
AWS Key Management Service
Amazon Kinesis
Amazon Kinesis Firehose
AWS Lambda
Amazon Machine Learning
AWS OpsWorks
Amazon Polly
Amazon Redshift
Amazon Relational Database Service
Amazon Route 53
AWS Security Token Service
Amazon Simple Email Service
Amazon Simple Notification Service
Amazon Simple Queue Service
Amazon Simple Storage Service
Amazon Simple Workflow Service
AWS Step Functions
AWS Storage Gateway
AWS Support
AWS WAF
Amazon WorkDocs
Amazon WorkSpaces
Supports

Not just API

Event patterns – key to optimizing
Events in Amazon CloudWatch Events are represented as JSON objects
Remember:
• For a pattern to match an event, the event must contain all the field names listed
in the pattern
• The field names must appear in the event with the same nesting structure
• Fields not mentioned are ignored; meaning "*": "*" wildcard for fields not
mentioned
• Character-by-character matching (no normalization)
• The values being matched follow JSON rules: quotes, numbers, and unquoted
keywords true, false, and null
• Number matching is at the string representation level. For example, 300, 300.0,
and 3.0e2 are not considered equal

{
“source”: [ “aws.ec2” ],
“detail-type”: [ “EC2 Instance State-change Notification” ],
“detail”: {
“state”: [ “pending” ]
}
}
Find what you need

{
"source": [ "aws.ec2" ],
"detail-type": [ "EC2 Instance State-change Notification" ],
"detail": {
"state": [ "pending" ]
}
}
Or:
"resources": [
"arn:aws:ec2:us-east-1:123456789012:instance/i-b188560f",
]
Find what you need

{
"detail": {
"eventType": [ "AwsApiCall" ],
"userIdentity": {
"userName": [ "IAM-API-RW" ]
}
}
}
Find what you need

Multiple targets

Demo

2Live user activity tracker for IR scenarios

Problem statement
When we have either a red team event or a real IR scenario we need to know what a
suspected user is doing in near real time. This so we can follow our incident
response playbook around when to disable a users access with minimal risk to
security and availability of our services without alerting the attacker.
• How do we track what the user is doing as close to real time as possible?
• How can we integrate with our existing tools for team collaboration when working
with security incidents?
• How can the process start automatically based on other risk based solutions?
Note: Always use approved communication channels for sensitive content

Question
Q: Can’t I build a permanent function to consume a Kinesis stream or
similar?

Take Control

Need whitelisting?

Extract what you need
Not all info is available
all the time

Capture critical info

Don’t overdo it

Adapt to the data

Reduce need for modules
Don’t store sensitive info locally

Security automation Parameter Store

How to trigger?

Alerts
Slack
Email using
Amazon SNS
Amazon Chime

3Exposed keys remediation using Trusted Advisor

Problem statement
Exposed keys pose a great security risk from availability and financial perspective.
• How do we detect and handle exposed keys to make sure they are not being used
for malicious activity?
• How do we improve our reaction time between detection and reaction?
• How do we ensure the right team gets notified?
• How do we prevent interference to our CICD pipelines?
Callout: https://github.com/awslabs/git-secrets

Shared responsibility and you
Tools like Trusted Advisor are a good help to manage your side of the shared responsibility
model
Ref: https://aws.amazon.com/premiumsupport/trustedadvisor/best-practices/#security
“To additionally protect your account from excessive charges, AWS temporarily limits your ability
to create some AWS resources”
“Note: This check does not guarantee the identification of exposed access keys or compromised
EC2 instances. You are ultimately responsible for the safety and security of your access keys and
AWS resources.”

Tl;dr
You need to secure your resources

Tie to support
CaseID available at Personal Health Dashboard
https://phd.aws.amazon.com/phd/home#/dashboard/

Don’t store sensitive data in code

Remember to check vital info

Very simple forensics example

Don’t forget temp credentials

Logging for history and forensics

Takeaways

4Auto remediate world accessible
S3 buckets using Amazon Macie

Problem statement
Admins with high enough AWS Identity and Access Management (IAM) permissions
can change the ACL of S3 buckets that contain sensitive or regulated data to be
world readable or writable.
• How do we allow public buckets for non sensitive data?
• How do we automatically remediate overly open permissions for sensitive or
regulated data?
• How do we ensure the right team gets notified?

Multi service challenge
Identify Classify Evaluate Remediate
Macie Lambda

Other methods?
Config Rules | CloudWatch Events
No data classification integration

What to remediate
Buckets only, not objects

Event data from other services

Whitelist support
Or use:
DDB
Parameter Store
Other

Find all users

5Multi-account remediation hub

Problem statement
We have multiple accounts that we need to enable automatic remediation for in
order to quickly resolve known and identified risks
• How do we enable remediation across multiple accounts without decentralizing
our Lambda functions for easier management?
• Callout: AWS CloudFormation StackSets
http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/what-is-
cfnstacksets.html

Event bus
Create a CloudWatch Events Bus in security account

{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::123456789123:root”
},
"Action": "sts:AssumeRole",
"Condition": {}
}
]
}
Allow assuming role in monitored account

Create rule in monitored account

Create rule in security account
Remember:
CaSe SensitiVe

Account is now crucial info

Easier than you think!

Step 1…Least needed and multi service

Step 2…get credentials

Step 3…fix it!

Step 4…

Step 4…Nope…
It’s that easy to do multi account remediation

General takeaways
Have guardrails if using remediation
Learn from others…OSS
Always review code and test, test, test…
Multi account strategy is not an excuse to not automate!
Tie into existing/established communications systems (if secure!!)

Other OSS projects
Some of the projects out there:
• ThreatResponse.cloud https://threatresponse.cloud
• Cloud Custodian https://github.com/capitalone/cloud-custodian
• Security Monkey https://github.com/Netflix/security_monkey
• FIDO https://github.com/Netflix/Fido
• CloudSploit https://github.com/cloudsploit
• StreamAlert https://github.com/airbnb/streamalert
And many more…
Have a security automation project/repo…let me know!

Code will be available
http://github.com/awslabs/aws-security-automation

Related sessions
SID404 - Amazon Inspector – Automating the “Sec” in DevSecOps
SID301 - Using AWS Lambda as a Security Team
SID302 - Force Multiply Your Security Team with Automation and Alexa
SID314 - IAM Policy Ninja
SID319 - Incident Response in the Cloud
SID324 - Automating DDoS Response in the Cloud

Thank you!

Five New Security Automation Improvements You Can Make by Using Amazon CloudWatch Events and AWS Config Rules - SID405 - re:Invent 2017

Recommandé

Recommandé

Contenu connexe

Tendances

Tendances (20)

Similaire à Five New Security Automation Improvements You Can Make by Using Amazon CloudWatch Events and AWS Config Rules - SID405 - re:Invent 2017

Similaire à Five New Security Automation Improvements You Can Make by Using Amazon CloudWatch Events and AWS Config Rules - SID405 - re:Invent 2017 (20)

Plus de Amazon Web Services

Plus de Amazon Web Services (20)

Five New Security Automation Improvements You Can Make by Using Amazon CloudWatch Events and AWS Config Rules - SID405 - re:Invent 2017