© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Henrik Johansson – Security Solutions Architect
12/01/16
5 Security Automation Improvements You
Can Make by Using Amazon CloudWatch
Events and AWS Config Rules
SAC401
What to expect from the session
Bonus!
Why security automation
Tooling
The anatomy of automation
Demo & code 5 x Automation
Other resources
5 x Automation
• Automatic CloudTrail remediation
• CloudFormation template audit
• AWS CIS Foundation Framework account assessment
• Auto MFA for IAM
• The tainted server – Auto isolation
• Bonus
Bonus
Code available for download
as Open Source on GitHub at:
http://github.com/awslabs/aws-security-automation
https://github.com/awslabs/aws-security-benchmark
Why security automation
Reduce risk of human error
- Automation is effective
- Automation is reliable
- Automation is scalable
Don’t worry…we still need humans
Why security automation
High pace of innovation is great
Why security automation
We also want a high pace of:
Detection
Alerting
Remediation
Countermeasures
Forensics
AWS Tooling
Execution
• Lambda
Tracking
• AWS Config Rules
• Amazon CloudWatch Events
• AWS CloudTrail
• AWS Inspector
Track/Log
• Amazon CloudWatch Logs
• Amazon DynamoDB
Alert
• SNS
Third-party / open source tooling
The anatomy of security automation
Mode: Initiate
  React – Config Rules / CloudWatch Events / Log Parsing
  Trigger – Lambda
  Learn – Lambda / CloudWatch Logs
Mode: Execution
  Priority Action – Restart service, delete user, etc.
  Forensics – Discover: who/where/when, allowed to execute?
  Countermeasure – Disable access keys, isolate instance, etc.
  Alert – Text/Page, email, ticket system
  Logging – Database, ticket system, encrypt data?
Automatic CloudTrail Remediation
Solves:
- Verify that CloudTrail is running.
- Prevent repeated and future attempts to disable CloudTrail
Services used:
Lambda, CloudTrail, CloudWatch Events
Demo
Code highlights
Code highlights – Extract event info
Code highlights – Execution order
Code highlights – Forensics
Code highlights – Countermeasure
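The four "code highlight" steps above (extract event info, execution order, forensics, countermeasure) as one Lambda-style handler. This is an added example, not code from the talk or from the aws-security-automation repository. It assumes the CloudWatch Events payload for a CloudTrail API call (event fields follow the CloudTrail record format; the values are constructed), that the AWS clients are passed in so the logic runs offline against the recording fake below, and an SNS topic ARN supplied via an environment variable named ALERT_TOPIC_ARN (an assumption).

```python
"""Added example: remediate a CloudTrail StopLogging call in the order the
'anatomy' table prescribes: priority action, forensics, countermeasure, alert.
Not the talk's own code; see the lead-in for assumptions."""
import json

# Constructed sample event (CloudWatch Events wrapping a CloudTrail record).
SAMPLE_EVENT = {
    "detail-type": "AWS API Call via CloudTrail",
    "detail": {
        "eventSource": "cloudtrail.amazonaws.com",
        "eventName": "StopLogging",
        "awsRegion": "us-east-1",
        "sourceIPAddress": "198.51.100.7",
        "userIdentity": {"type": "IAMUser", "userName": "alice",
                         "accessKeyId": "AKIAEXAMPLEKEY000001"},
        "requestParameters": {"name": "arn:aws:cloudtrail:us-east-1:123456789012:trail/main"},
    },
}


class RecordingClient:
    """Stand-in for a boto3 client: records every call and returns {}.
    Lets the handler run offline; Lambda uses real boto3 clients instead."""
    def __init__(self):
        self.calls = []

    def __getattr__(self, name):
        def method(**kwargs):
            self.calls.append((name, kwargs))
            return {}
        return method


def extract_event_info(event):
    """Step 1: pull out what the later steps need. None means 'not ours'."""
    d = event.get("detail", {})
    if d.get("eventSource") != "cloudtrail.amazonaws.com" or d.get("eventName") != "StopLogging":
        return None
    ident = d.get("userIdentity", {})
    return {
        "trail": d["requestParameters"]["name"],
        "principal_type": ident.get("type"),
        "user": ident.get("userName"),
        "access_key": ident.get("accessKeyId"),
        "source_ip": d.get("sourceIPAddress"),
        "region": d.get("awsRegion"),
    }


def remediate(event, cloudtrail, iam, sns, topic_arn, allowed_users=()):
    """Execution order: priority action -> forensics -> countermeasure -> alert."""
    info = extract_event_info(event)
    if info is None:
        return {"handled": False}

    # Priority action: get logging back on before doing anything else.
    cloudtrail.start_logging(Name=info["trail"])

    # Forensics: was this principal allowed to stop logging at all?
    authorised = info["user"] in allowed_users
    summary = {"handled": True, "trail": info["trail"],
               "authorised": authorised, "countermeasure": None}

    # Countermeasure: deactivate the key that made the call. Only possible
    # for IAM users with an access key; root or role sessions get alert only.
    if not authorised and info["principal_type"] == "IAMUser" and info["access_key"]:
        iam.update_access_key(UserName=info["user"],
                              AccessKeyId=info["access_key"], Status="Inactive")
        summary["countermeasure"] = "access key deactivated"

    # Alert: a human always hears what happened and what was done about it.
    sns.publish(TopicArn=topic_arn, Subject="CloudTrail StopLogging remediated",
                Message=json.dumps({**info, **summary}))
    return summary


def lambda_handler(event, context):
    """Lambda entry point; real clients are created only here."""
    import os
    import boto3  # imported lazily so the module loads without boto3 installed
    return remediate(event, boto3.client("cloudtrail"), boto3.client("iam"),
                     boto3.client("sns"), topic_arn=os.environ["ALERT_TOPIC_ARN"])
```

Putting the clients in the function signature rather than at module scope is what makes the remediation logic unit-testable without touching AWS; the root-account branch is the case that most often goes wrong in practice, because there is no access key to deactivate and the automation must fall back to alerting.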
Code review
CloudFormation template audit
Solves:
- Users deploying infrastructure that does not conform to security policy
- Reduce risk from unapproved changes to templates
Services used:
CodePipeline, CloudWatch Events, Lambda
Code highlights
Code highlights - CodePipeline
Code highlights - Flow
Code highlights – Rules
Code highlights – The rules
{
    'rule': "AllowHttp",
    'category': "SecurityGroup",
    'ruletype': "regex",
    'active': "Y",
    'riskvalue': "3",
    'ruledata': r"^.*Ingress.*[fF]rom[pP]ort.\s*:\s*u?.(80)"
}
Code highlights – The rules
{
    'rule': "SSHOpenToWorld",
    'category': "SecurityGroup",
    'ruletype': "regex",
    'active': "Y",
    'riskvalue': "7",
    'ruledata': r"^.*Ingress.*(([fF]rom[pP]ort|[tT]o[pP]ort).\s*:\s*u?.(22).*[cC]idr[iI]p.\s*:\s*u?.((0.){3}0/0)|[cC]idr[iI]p.\s*:\s*u?.((0.){3}0/0).*([fF]rom[pP]ort|[tT]o[pP]ort).\s*:\s*u?.(22))"
}
Code highlights - Evaluating
Code highlight – Risk and next step
if risk < 5:
    put_job_success(job_id, 'Job successful, minimal or no risk detected.')
elif 5 <= risk < 10:
    put_job_success(job_id, 'Job successful, medium risk detected, manual approval needed.')
elif risk >= 10:
    put_job_failure(job_id, 'Function exception: Failed filters ' + str(failedRules))
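The rule table, the evaluation step and the risk thresholds above, joined into one runnable audit. This is an added example, not the talk's or the repository's code. It uses the two rules exactly as shown on the slides and assumes each resource of the template is serialised to a single JSON line before the regexes are applied (the slides do not show how template text reaches the rules). The template is constructed for the example, and the decision is returned instead of being sent to CodePipeline through put_job_success/put_job_failure.

```python
"""Added example: evaluate the slide's regex rules against a CloudFormation
template and apply the slide's risk thresholds. Assumptions in the lead-in."""
import json
import re

# The two rules from the slides; riskvalue is a string there as well.
RULES = [
    {"rule": "AllowHttp", "category": "SecurityGroup", "ruletype": "regex",
     "active": "Y", "riskvalue": "3",
     "ruledata": r"^.*Ingress.*[fF]rom[pP]ort.\s*:\s*u?.(80)"},
    {"rule": "SSHOpenToWorld", "category": "SecurityGroup", "ruletype": "regex",
     "active": "Y", "riskvalue": "7",
     "ruledata": r"^.*Ingress.*(([fF]rom[pP]ort|[tT]o[pP]ort).\s*:\s*u?.(22).*"
                 r"[cC]idr[iI]p.\s*:\s*u?.((0.){3}0/0)|[cC]idr[iI]p.\s*:\s*u?.((0.){3}0/0)"
                 r".*([fF]rom[pP]ort|[tT]o[pP]ort).\s*:\s*u?.(22))"},
]

# Constructed template: a web group on port 80 and an admin group with SSH
# open to the world. Values are made up for the example.
SAMPLE_TEMPLATE = {
    "Resources": {
        "WebSg": {
            "Type": "AWS::EC2::SecurityGroup",
            "Properties": {
                "GroupDescription": "web",
                "SecurityGroupIngress": [{"IpProtocol": "tcp", "FromPort": 80,
                                          "ToPort": 80, "CidrIp": "10.0.0.0/8"}]}},
        "AdminSg": {
            "Type": "AWS::EC2::SecurityGroup",
            "Properties": {
                "GroupDescription": "admin",
                "SecurityGroupIngress": [{"IpProtocol": "tcp", "FromPort": 22,
                                          "ToPort": 22, "CidrIp": "0.0.0.0/0"}]}},
    }
}


def evaluate(template, rules=RULES):
    """Run every active regex rule over each resource's one-line JSON form.
    Returns (risk, failed): the summed riskvalue and (rule, resource) pairs."""
    risk, failed = 0, []
    for name, resource in template.get("Resources", {}).items():
        text = json.dumps(resource)  # one line, so the ^.* anchors behave
        for rule in rules:
            if rule["active"] != "Y" or rule["ruletype"] != "regex":
                continue
            if re.search(rule["ruledata"], text):
                failed.append((rule["rule"], name))
                risk += int(rule["riskvalue"])
    return risk, failed


def next_step(risk, failed):
    """The slide's threshold logic, returned as (outcome, message) rather than
    sent to CodePipeline. Medium risk succeeds but is flagged for approval."""
    if risk < 5:
        return "success", "Job successful, minimal or no risk detected."
    if risk < 10:
        return "success", "Job successful, medium risk detected, manual approval needed."
    return "failure", "Function exception: Failed filters " + str(failed)


if __name__ == "__main__":
    print(next_step(*evaluate(SAMPLE_TEMPLATE)))
```

Matching regexes against serialised text is deliberately cheap and works for both JSON and YAML templates once parsed, but it is sensitive to how the parser renders values (quoted versus unquoted ports, key order), which is why each rule carries its own riskvalue rather than failing the pipeline outright: the medium band hands the decision to a human instead of blocking on a false positive.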
Code review
AWS CIS Foundation Framework account assessment
Solves:
- Validate AWS account against security best practices
- Integrate with AWS Config
- Create report for easy and secure consumption
Services used:
Lambda, Config Rules
References:
AWS CIS Foundation Framework validation
Demo
Code highlights
Code highlight - Options
Code highlight - Control structure
Code highlight – Result - Config
Code highlight – Result – Config - Annotation
Code highlight – Result – HTML Report
Code highlight – Result – S3 Pre-Signed URL
Code review
Auto MFA for IAM
Solves:
- Automatic creation and assignment of a virtual MFA device for new IAM users
- Removes time-consuming manual work for single and bulk operations
- No user interaction required, and no self-service permissions need to be granted through IAM policy
Services used:
CloudWatch Events, Lambda and IAM
Demo
Code highlights
Code highlight – Priority action
Code highlight – Create virtual MFA
Code highlight – Enable MFA
Code highlight – Calculate tokens
Code highlight – Assign MFA
Code highlight – Encrypt string
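The "create virtual MFA", "calculate tokens" and "enable MFA" steps above, as an added example that is not the talk's or the repository's code. Enabling a virtual MFA device through the IAM API requires two authentication codes from consecutive 30-second windows, so the automation has to compute TOTP codes itself from the Base32 seed that CreateVirtualMFADevice returns. The example implements RFC 4226/6238 with the standard library, uses the RFC's published test secret (constructed, labelled) in a fake IAM client, and assumes that IAM accepts the code of the window that has just ended together with the current one (the alternative is to wait for the next window). The "encrypt string" step (protecting the seed before handing it to the user) is not shown here.

```python
"""Added example: TOTP code generation and MFA enrolment through an injected
IAM client. Not the talk's own code; assumptions are stated in the lead-in."""
import base64
import hashlib
import hmac
import struct
import time


def hotp(seed_b32, counter, digits=6):
    """RFC 4226 HOTP. seed_b32 is the Base32 seed IAM returns (bytes or str)."""
    key = base64.b32decode(seed_b32)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(seed_b32, at_time, step=30, digits=6):
    """RFC 6238 TOTP: HOTP with counter = floor(unix time / step)."""
    return hotp(seed_b32, int(at_time) // step, digits)


def two_consecutive_codes(seed_b32, at_time):
    """Codes for the previous and the current 30 s window, so the caller does
    not have to sleep between them. Assumes IAM tolerates one window of drift."""
    counter = int(at_time) // 30
    return hotp(seed_b32, counter - 1), hotp(seed_b32, counter)


def enroll_user(iam, user_name, at_time=None):
    """Create a virtual MFA device and enable it for user_name.
    Returns (serial, seed); the seed must reach the user only encrypted."""
    device = iam.create_virtual_mfa_device(VirtualMFADeviceName=user_name)["VirtualMFADevice"]
    serial, seed = device["SerialNumber"], device["Base32StringSeed"]
    code1, code2 = two_consecutive_codes(seed, time.time() if at_time is None else at_time)
    iam.enable_mfa_device(UserName=user_name, SerialNumber=serial,
                          AuthenticationCode1=code1, AuthenticationCode2=code2)
    return serial, seed


class FakeIam:
    """Offline stand-in for the two IAM calls used above. The seed is the
    RFC 4226 test secret '12345678901234567890' in Base32 (constructed)."""
    SEED = base64.b32encode(b"12345678901234567890")

    def __init__(self):
        self.calls = []

    def create_virtual_mfa_device(self, VirtualMFADeviceName, Path="/"):
        self.calls.append(("create_virtual_mfa_device", VirtualMFADeviceName))
        return {"VirtualMFADevice": {
            "SerialNumber": "arn:aws:iam::123456789012:mfa/" + VirtualMFADeviceName,
            "Base32StringSeed": self.SEED}}

    def enable_mfa_device(self, UserName, SerialNumber, AuthenticationCode1, AuthenticationCode2):
        self.calls.append(("enable_mfa_device", UserName, AuthenticationCode1, AuthenticationCode2))
        return {}
```

With the RFC test secret the codes are checkable against the published vectors (counter 1 is 287082, and TOTP at unix time 59 is the same code), which is a cheap self-test to keep next to any automation that generates second factors on a user's behalf.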
Code review
The tainted server – Auto isolation
Solves:
• Enforces immutable infrastructure
• Automatically isolates instances for further forensics on events such as local SSH logons or an increase in Deny entries discovered in VPC Flow Logs
Services used:
CloudWatch Events, Config Rules, Lambda, VPC Flow Logs and a discovery trigger
Demo
Code highlights
Code highlight – Individual instances
Code highlight – Get tainted
Code highlight – Detach Auto Scaling Group
Code highlight – Identify security group
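The isolation steps named on the slides (get the tainted instance, detach it from its Auto Scaling group, identify and apply the isolation security group) as one function. This is an added example, not the talk's or the repository's code. The quarantine group name, the tag keys and the fake EC2/Auto Scaling clients are this example's assumptions; the instance record is constructed. It also covers two details the slide titles do not: a newly created security group allows all egress by default and must have that rule revoked, and detaching without decrementing desired capacity makes the group launch a clean replacement while leaving the suspect instance alone for analysis.

```python
"""Added example: isolate a tainted EC2 instance through injected clients.
Not the talk's own code; names below are assumptions (see lead-in)."""

ISOLATION_SG_NAME = "forensics-isolation"   # assumed name, not from the talk


def find_or_create_isolation_sg(ec2, vpc_id):
    """Return the quarantine group for this VPC, creating it on first use.
    A fresh group allows all egress by default, so that rule is revoked;
    the group then permits no traffic in either direction."""
    filters = [{"Name": "vpc-id", "Values": [vpc_id]},
               {"Name": "group-name", "Values": [ISOLATION_SG_NAME]}]
    found = ec2.describe_security_groups(Filters=filters)["SecurityGroups"]
    if found:
        return found[0]["GroupId"]
    sg_id = ec2.create_security_group(GroupName=ISOLATION_SG_NAME,
                                      Description="Quarantine: no ingress or egress",
                                      VpcId=vpc_id)["GroupId"]
    ec2.revoke_security_group_egress(
        GroupId=sg_id,
        IpPermissions=[{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}])
    return sg_id


def isolate_instance(ec2, autoscaling, instance_id):
    """Isolate one tainted instance and return a record of what was done."""
    inst = ec2.describe_instances(InstanceIds=[instance_id])["Reservations"][0]["Instances"][0]
    original = [g["GroupId"] for g in inst["SecurityGroups"]]
    asg_name = next((t["Value"] for t in inst.get("Tags", [])
                     if t["Key"] == "aws:autoscaling:groupName"), None)

    # Record the pre-isolation state on the instance for the forensics step.
    ec2.create_tags(Resources=[instance_id],
                    Tags=[{"Key": "Tainted", "Value": "true"},
                          {"Key": "OriginalSecurityGroups", "Value": ",".join(original)}])

    # Detach without lowering desired capacity: the group replaces the
    # capacity and stops managing (so will not terminate) this instance.
    if asg_name:
        autoscaling.detach_instances(InstanceIds=[instance_id],
                                     AutoScalingGroupName=asg_name,
                                     ShouldDecrementDesiredCapacity=False)

    # Swap the groups on the primary interface; instances with additional
    # ENIs need the same change applied to each interface.
    iso_sg = find_or_create_isolation_sg(ec2, inst["VpcId"])
    ec2.modify_instance_attribute(InstanceId=instance_id, Groups=[iso_sg])
    return {"instance": instance_id, "isolation_sg": iso_sg,
            "original_security_groups": original, "detached_from": asg_name}


class FakeEc2:
    """In-memory stand-in for the EC2 calls used above (constructed)."""
    def __init__(self, *instances):
        self.instances = {i["InstanceId"]: i for i in instances}
        self.groups, self.revoked = [], []

    def describe_instances(self, InstanceIds):
        return {"Reservations": [{"Instances": [self.instances[i] for i in InstanceIds]}]}

    def describe_security_groups(self, Filters):
        wanted = {f["Name"]: set(f["Values"]) for f in Filters}
        return {"SecurityGroups": [g for g in self.groups
                                   if g["VpcId"] in wanted["vpc-id"]
                                   and g["GroupName"] in wanted["group-name"]]}

    def create_security_group(self, GroupName, Description, VpcId):
        g = {"GroupId": "sg-quarantine%d" % len(self.groups), "GroupName": GroupName, "VpcId": VpcId}
        self.groups.append(g)
        return {"GroupId": g["GroupId"]}

    def revoke_security_group_egress(self, GroupId, IpPermissions):
        self.revoked.append(GroupId)
        return {}

    def create_tags(self, Resources, Tags):
        for r in Resources:
            self.instances[r].setdefault("Tags", []).extend(Tags)
        return {}

    def modify_instance_attribute(self, InstanceId, Groups):
        self.instances[InstanceId]["SecurityGroups"] = [{"GroupId": g} for g in Groups]
        return {}


class FakeAsg:
    """Records detach_instances calls (constructed)."""
    def __init__(self):
        self.detached = []

    def detach_instances(self, InstanceIds, AutoScalingGroupName, ShouldDecrementDesiredCapacity):
        self.detached.append((AutoScalingGroupName, tuple(InstanceIds), ShouldDecrementDesiredCapacity))
        return {}
```

The order matters: the evidence tags go on before anything changes, the Auto Scaling detach happens before the group swap so a health check on the now-unreachable instance cannot trigger a termination first, and the quarantine group is looked up per VPC because security groups do not span VPCs.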
Code review
Other resources / Open Source
Some of the projects out there:
• ThreatResponse.cloud https://threatresponse.cloud
• Cloud Custodian https://github.com/capitalone/cloud-custodian
• Security Monkey https://github.com/Netflix/security_monkey
• FIDO https://github.com/Netflix/Fido
• CloudSploit https://github.com/cloudsploit
And many more…
Related Sessions
SEC301 - Audit Your AWS Account Against Industry Best
Practices: The CIS AWS Benchmarks
SEC311 - How to Automate Policy Validation
SEC313 - Automating Security Event Response, from Idea to Code
to Execution
SAC315 - Scaling Security Operations and Automating
Governance: Which AWS Services Should I Use?
SEC401 - Automated Formal Reasoning About AWS Systems
Thank you!
Remember to complete
your evaluations!

AWS re:Invent 2016: 5 Security Automation Improvements You Can Make by Using Amazon CloudWatch Events and AWS Config Rules (SAC401)