AWS Government, Education, and Nonprofit Symposium
Washington, DC | June 25-26, 2015
Agenda
• Talk about AWS [‘CloudTrail’, ‘Config’]
• Ponder AWS [‘CloudTrail’, ‘Config’]
• Contemplate AWS [‘CloudTrail’, ‘Config’]
– Log diving
• Correlation between [‘CloudTrail’, ‘Config’]
• Cross-account, role-based access
TL;DR – These are “complementary services”
AWS CloudTrail (an entity did something)
• Record of API requests and response elements
– who did what and when, from where
AWS Config (resource changes and status)
• AWS account configuration
– Configuration item history
– Configuration item stream
– Configuration item snapshots
• Optionally, a notification whenever a resource is created, modified, or deleted, with the resulting configuration
AWS CloudTrail
AWS CloudTrail is a web service that records AWS API calls for your account and delivers log files to you.
The recorded information includes:
• The identity of the API caller
• The time of the API call
• The source IP address of the API caller
• The request parameters
• The response elements returned by the AWS service
Increase your visibility of what happened in your AWS environment – who did what and when, from where
• CloudTrail will record access to API calls and save logs in your Amazon S3 bucket, no matter how those API calls were made
• Who did what and when and from what IP address
• Receive notification of log file delivery using the Amazon Simple Notification Service (Amazon SNS)
• Rapid integration of AWS services since launch, with more supported services coming soon
• Aggregate log information into a single S3 bucket
• AWS Partner integration with log analysis tools from AlertLogic, Boundary, CloudCheckr, DataDog, Graylog2, LogEntries, Splunk, and SumoLogic
Use AWS CloudTrail to track access to APIs and IAM
AWS CloudTrail logs can be used for many powerful use cases
CloudTrail can help you achieve many tasks
• Security analysis
– Track changes to AWS resources, e.g., VPC security groups and NACLs
• Compliance
– Understand AWS API call history
• Troubleshoot operational issues
– Quickly identify the most recent changes to your environment
• AWS CloudTrail console API activity history search
– Look up API activity captured for your AWS account in the last 7 days
– Filter with an attribute and time range
Amazon CloudWatch Logs can monitor your system, application, and custom log files from Amazon EC2 instances and other sources, for example:
• Monitor your web server HTTP log files and use CloudWatch metric filters to identify 404 errors and count the number of occurrences within a specified time period
• Use CloudWatch alarms to notify you when the number of 404 errors breaches whatever threshold you decide to set – you could use this to automatically generate a ticket for investigation
Now monitor everything with Amazon CloudWatch Logs
AWS Config
AWS Config is a fully managed service that provides an inventory of your AWS resources, lets you audit the resource configuration history, and notifies you of resource configuration changes.
AWS Config
[Diagram: changing resources feed AWS Config, which performs continuous change recording and produces a history, a stream, and snapshots (ex. 2015-06-26)]
Relationships
• Bi-directional map of dependencies, automatically assigned
• A change to a resource propagates to create configuration items for related resources
Relationships
Resource           Relationship        Related Resource
CustomerGateway    is attached to      VPN Connection
Elastic IP (EIP)   is attached to      Network Interface
Elastic IP (EIP)   is attached to      Instance
Instance           contains            Network Interface
Instance           is attached to      Elastic IP (EIP)
Instance           is contained in     Route Table
Instance           is associated with  Security Group
Instance           is contained in     Subnet
Instance           is attached to      Volume
Instance           is contained in     Virtual Private Cloud (VPC)
InternetGateway    is attached to      Virtual Private Cloud (VPC)
…                  …                   …
Configuration item
All configuration attributes for a given resource at a given point in time, captured on every configuration change.
Configuration item
Component / Description / Contains
• Metadata – Information about this configuration item. Contains: version ID, configuration item ID, time when the configuration item was captured, state ID indicating the ordering of the configuration items of a resource, MD5Hash, etc.
• Common Attributes – Resource attributes. Contains: resource ID, tags, resource type, Amazon Resource Name (ARN), Availability Zone, etc.
• Relationships – How the resource is related to other resources associated with the account. Example: EBS volume vol-1234567 is attached to an EC2 instance i-a1b2c3d4.
• Current Configuration – Information returned through a call to the Describe or List API of the resource. Example: for an EBS volume, the state of the DeleteOnTermination flag and the type of volume (gp2, io1, or standard).
• Related Events – The AWS CloudTrail events that are related to the current configuration of the resource. Contains: AWS CloudTrail event ID.
AWS Config use cases
• Security analysis
• Audit compliance
• Change management
• Troubleshooting
• Discovery
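The troubleshooting question above ("what has changed?") is answered by ordering a resource's configuration items by their state ID and comparing the configuration and relationships of each item with the one before it. The following Python is an added example, not code from the deck; it runs over a constructed, simplified AWS Config history for the slides' vol-1234567, including the item that records the volume's deletion.

```python
# Constructed, simplified AWS Config history for one EBS volume (sample data, not a
# real account); state 3 records the volume's deletion.
VOLUME_HISTORY = [
    {"resourceType": "AWS::EC2::Volume", "resourceId": "vol-1234567",
     "configurationStateId": 2, "configurationItemStatus": "OK",
     "configurationItemCaptureTime": "2015-06-19T16:50:01.000Z",
     "relationships": [{"resourceType": "AWS::EC2::Instance",
                        "resourceId": "i-a1b2c3d4", "name": "Is attached to Instance"}],
     "configuration": {"volumeType": "gp2", "size": 8, "state": "in-use",
                       "deleteOnTermination": True}},
    {"resourceType": "AWS::EC2::Volume", "resourceId": "vol-1234567",
     "configurationStateId": 1, "configurationItemStatus": "ResourceDiscovered",
     "configurationItemCaptureTime": "2015-06-19T15:02:44.000Z", "relationships": [],
     "configuration": {"volumeType": "gp2", "size": 8, "state": "available",
                       "deleteOnTermination": False}},
    {"resourceType": "AWS::EC2::Volume", "resourceId": "vol-1234567",
     "configurationStateId": 3, "configurationItemStatus": "ResourceDeleted",
     "configurationItemCaptureTime": "2015-06-20T09:15:30.000Z", "relationships": [],
     "configuration": None}]

def flatten(obj, prefix=""):
    """Flatten nested dicts/lists into dotted paths so any nesting depth diffs cleanly."""
    if isinstance(obj, dict):
        return {k2: v2 for k, v in obj.items() for k2, v2 in flatten(v, f"{prefix}{k}.").items()}
    if isinstance(obj, list):
        return {k2: v2 for i, v in enumerate(obj) for k2, v2 in flatten(v, f"{prefix}{i}.").items()}
    return {prefix.rstrip("."): obj}

def config_changes(history, resource_id):
    """Order a resource's configuration items by state ID and report what changed at each step."""
    items = sorted((ci for ci in history if ci["resourceId"] == resource_id),
                   key=lambda ci: ci["configurationStateId"])
    changes, prev = [], {}
    for ci in items:
        cur = flatten(ci.get("configuration") or {})
        # Relationships are part of the item too ("vol-1234567 is attached to i-a1b2c3d4")
        cur.update(flatten([f'{r["name"]} {r["resourceId"]}' for r in ci.get("relationships", [])],
                           "relationships."))
        delta = {k: (prev.get(k), cur.get(k)) for k in sorted(set(prev) | set(cur))
                 if prev.get(k) != cur.get(k)}
        changes.append({"stateId": ci["configurationStateId"], "status": ci["configurationItemStatus"],
                        "captured": ci["configurationItemCaptureTime"], "changed": delta})
        prev = cur
    return changes
```

Each entry in the result pairs the old and new value of every attribute that changed at that state, so the last entry before things went sideways is the configuration you had before.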
Record correlation
The eventID of the CloudTrail record is the value listed in the Config item's relatedEvents, so the two records can be joined on it.
AWS CloudTrail Record
{
  "Records": [
    {
      …
      "responseElements": {…},
      "requestID": "27508138-3475-4b6e-9429-88118eb1622b",
      "eventID": "ac21dd8c-98fe-46f8-9fce-5b77ae607346",
      "eventType": "AwsApiCall",
      "recipientAccountId": "222222222222"
    }
  ]
}
AWS Config Record
{
  "fileVersion": "1.0",
  "configurationItems": [
    {
      …
      "relatedEvents": [
        "ac21dd8c-98fe-46f8-9fce-5b77ae607346"
      ],
      "awsAccountId": "222222222222",
      "configurationItemStatus": "ResourceDiscovered",
      …
    }
  ]
}
Log diving
• This is the case of the surprise Elastic IP (bad surprise)
– What was done?
• Easy: an EIP was created
– When was it created?
– Who created it?
– Where did it come from?
What
• Starting with AWS Config
– Search for the origin of "eipalloc-184efb7d"
– Use the AWS Config console Resource Lookup tool or search the AWS Config log files in Amazon S3
• AWS Config Partners http://aws.amazon.com/config/partners/
• Roll a bit of code …
• The EventID in the configuration item's relatedEvents leads us to AWS CloudTrail
– "eventID": "ac21dd8c-98fe-46f8-9fce-5b77ae607346",
When
• The AWS Config log file contains a timestamp
– "configurationItemCaptureTime": "2015-06-19T16:44:57.073Z"
• Pivot to the specific AWS CloudTrail log file based on:
– Timestamp
– EventID
Who and where (in the CloudTrail log)
{
  "Records": [
    {
      "eventVersion": "1.02",
      "userIdentity": {
        "type": "AssumedRole",
        "principalId": "AROAJXTPIKQ7QQEXAMPLE:bob-corpbroker",
        "arn": "arn:aws:sts::222222222222:assumed-role/NetManagerRole/bob-corpbroker",
        "accountId": "222222222222",
        "accessKeyId": "ASIAJOW7BLKIKEXAMPLE",
        …
      },
      …
      "sourceIPAddress": "198.51.100.178",
      "userAgent": "acme-corp-netmgmt-internal/1.2.3.4",
      …
      "eventID": "ac21dd8c-98fe-46f8-9fce-5b77ae607346",
      …
    }
  ]
}
• ACME corporation uses a federated identity broker that leverages the company’s existing Directory Services and access control systems.
• CloudTrail logs indicate “bob” was issued a token by the broker to use the NetManager role.
– The RoleSessionName, “bob-corpbroker”, was set by the broker when generating the STS token for “bob” via the AssumeRole API.
• “bob” connected to the EC2 API endpoint from the IP address 198.51.100.178.
• Federated identity broker logs created by ACME corporation contain additional details.
• Now we know the EIP was created by an STS token issued from the corporation.
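The what / when / who / where walk of the last few slides, as an added Python example (not code from the deck): start from the Config item for the surprise EIP, take its relatedEvents ID and capture time, and pull the matching CloudTrail record, reading the RoleSessionName out of the AssumedRole principalId. The snapshot and log below are constructed samples that mirror the slides' values and are trimmed to the fields used.

```python
from datetime import datetime, timedelta

# Constructed AWS Config snapshot and CloudTrail log (sample data, not real logs);
# the values mirror the slides' example and are trimmed to the fields used here.
CONFIG_SNAPSHOT = {"fileVersion": "1.0", "configurationItems": [
    {"resourceType": "AWS::EC2::EIP", "resourceId": "eipalloc-184efb7d",
     "awsAccountId": "222222222222", "configurationItemStatus": "ResourceDiscovered",
     "configurationItemCaptureTime": "2015-06-19T16:44:57.073Z",
     "relatedEvents": ["ac21dd8c-98fe-46f8-9fce-5b77ae607346"]}]}

CLOUDTRAIL_LOG = {"Records": [
    {"eventTime": "2015-06-19T16:40:00Z", "eventName": "DescribeAddresses",
     "userIdentity": {"type": "IAMUser", "principalId": "AIDAEXAMPLEUSER", "userName": "alice",
                      "arn": "arn:aws:iam::222222222222:user/alice"},
     "sourceIPAddress": "203.0.113.9", "userAgent": "aws-cli/1.7.0",
     "eventID": "0f0f0f0f-1111-2222-3333-444444444444"},
    {"eventTime": "2015-06-19T16:44:52Z", "eventName": "AllocateAddress",
     "userIdentity": {"type": "AssumedRole", "principalId": "AROAJXTPIKQ7QQEXAMPLE:bob-corpbroker",
                      "arn": "arn:aws:sts::222222222222:assumed-role/NetManagerRole/bob-corpbroker",
                      "accountId": "222222222222", "accessKeyId": "ASIAJOW7BLKIKEXAMPLE"},
     "sourceIPAddress": "198.51.100.178", "userAgent": "acme-corp-netmgmt-internal/1.2.3.4",
     "eventID": "ac21dd8c-98fe-46f8-9fce-5b77ae607346"}]}

def parse_time(ts):
    # Both services write ISO-8601 UTC; Config adds fractional seconds, CloudTrail does not
    return datetime.strptime(ts.split(".")[0].rstrip("Z"), "%Y-%m-%dT%H:%M:%S")

def explain_resource(snapshot, trail, resource_id, window=timedelta(minutes=15)):
    """What / when / who / where for resource_id: Config item -> relatedEvents -> CloudTrail."""
    item = next((ci for ci in snapshot["configurationItems"]
                 if ci["resourceId"] == resource_id), None)
    if item is None:
        return None
    captured = parse_time(item["configurationItemCaptureTime"])
    wanted = set(item.get("relatedEvents", []))
    for rec in trail["Records"]:
        if rec["eventID"] not in wanted:
            continue
        # Config captures the item after the API call; the capture time picks the CloudTrail
        # log file to open and, here, rejects a record that lies outside that window
        if not (captured - window <= parse_time(rec["eventTime"]) <= captured):
            continue
        ident = rec["userIdentity"]
        # An AssumedRole principalId is "<role id>:<RoleSessionName>", the session name
        # being what the federation broker set ("bob-corpbroker" on the slide)
        who = ident.get("userName") or ident["principalId"].split(":", 1)[-1]
        return {"what": rec["eventName"], "when": rec["eventTime"], "who": who,
                "identity_type": ident["type"], "arn": ident["arn"],
                "where": rec["sourceIPAddress"], "user_agent": rec["userAgent"]}
    return None
```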
AWS Identity and Access Management (AWS IAM) enables you to securely control access to AWS services and resources
• Control who can do what and when, from where
• Fine-grained control of user permissions, resources, and actions
• Add multi-factor authentication
– Hardware token or smartphone apps
• Test out your new policies using the IAM policy simulator
You have fine-grained control of your AWS environment
Segregate duties between roles with IAM
[Diagram: VPC A (10.0.0.0/16) in a Region, with Subnet 10.0.1.0/24 and Subnet 10.0.2.0/24 in two Availability Zones, a Router, an Internet Gateway to the Internet and a Customer Gateway; the AWS account owner (master) delegates Network management, Security management, Server management and Storage management roles, which manage and operate the environment]
You get to choose who can do what in your AWS environment and from where
Keep control of who can do what on AWS using your existing directory
• AWS IAM now supports SAML 2.0
• Federate with on-premises directories like Active Directory or another SAML 2.0 compliant identity provider
• Use Active Directory users and groups in AWS for authentication and authorization
• For example, a ‘Network Administrators’ AD security group can have access to create and manage on-premises and AWS EC2 instances or Elastic IP addresses
Federate AWS IAM with your existing directories
Thank You.
This presentation will be loaded to SlideShare the week following the Symposium.
http://www.slideshare.net/AmazonWebServices
Editor's notes
When was each launched?
41 services shown of the 48
When was each launched?
They help you answer 4 of the 5 Whys: Who What When Where, but not why. We will let you know when the AWS Psychic service launches.
Someone always needs to take a call so now you can split.
CloudTrail covers 4 of the 5 Ws – We are researching mechanisms that use Amazon Machine Learning to investigate the WHY
CloudTrail Processing library on GitHub
no matter how those API calls were made -> console, SDK, CLI, cross-account, federation
UNSUPPORTED SERVICES:
S3
Mobile Analytics
Cognito
WorkMail
EFS
AppStream
Machine Learning
SimpleDb
Import/Export
WAM
Regional service with the option to deliver global service logs to each region – enable global services in one region unless you need duplicate logs
CloudTrail integration with CloudWatch Logs is available in all public regions, with South America (Sao Paulo) coming soon
No setup needed
S3
Mobile Analytics
Cognito
WorkMail
EFS
AppStream
EML
No setup needed
Every change to a resource causes a new configuration item to be created that captures the new configuration of the resource
Security Analysis: Am I safe?
Audit Compliance: Where is the evidence?
Change Management: What will this change affect?
Troubleshooting: What has changed? What did I have before things went side-ways?
Discovery: What resources exist?
Who is buried in Grants Tomb?
Logs from an EC2:AllocateAddress API action are less verbose than those from EC2:RunInstances
This could easily have been a more complex issue such as the termination of a critical compute instance
Segregate duties and responsibilities to a fine-grained level that is probably in excess of what you can do in a physical environment
User A can change firewalls tagged ‘development’ only
User B can snapshot database storage volumes, but cannot access those volumes
All of this can be federated back to the existing enterprise directory – you do not need to set up a new directory within AWS. Your users sign in to the existing directory (using existing authentication and MFA solutions), then are granted a temporary role within AWS to perform whatever duty they have been allocated. This role exists for a configurable period of time.
One even more awesome feature is that your EC2 instances themselves can have roles within identity and access management, to restrict what AWS APIs the instance can call. Thus, an attacker cannot use an EC2 instance to upload data to S3, if the role assigned to the instance does not include S3 API permissions.
AWS IAM also includes full multi-factor authentication for users, using either hardware Gemalto tokens, or soft tokens running on all three major phone platforms.
Enterprises segregate important duties to reduce risk of accidental or malicious changes
AWS allows fine-grained segregation across virtually all aspects of the service
For example, you can segregate
Who can change network configuration
Who can change firewalls
Who can change how the VPC connects to the Internet or back to your corporate premises
Who can start and stop servers
Who can snapshot and restore storage volumes
AWS IAM offers a programmatic level of control and granularity that would not be possible to implement in traditional on-premises environments