© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Chuck Meyer
Security Specialist Solutions Architect
August 14, 2017
Automating Security in
Cloud Workloads with DevSecOps
What to expect from the session
Why security automation
Who – the security team in a DevSecOps world
Where do you want security automation
When – Pre, post, and everything in between
What can you do, practical examples
How – Tools and partners
Terminology Disclaimer
import re
re.search('([Dd]ev[Ss]ec|[Ss]ec[Dd]ev|[Rr]ugged[Dd]ev)[Oo]ps', buzzword)
=
Security automation at scale
Why?
Why - Goals of DevSecOps
Pace of innovation… meets pace of security automation
Scalable infrastructure needs scalable security
Risk/rating-based actions
Automatic incident response remediation
Why security automation
Reduce risk of human error
- Automation is effective
- Automation is reliable
- Automation is scalable
Don’t worry… we still need humans
Who?
Purpose
Security is a service team, not a blocker
Security is everyone's job
Allow flexibility and freedom
but control the flow and result.
Meet the new security team
Operations Engineering
Application
Security
Compliance
Development
Where
3(+) places
Continuous Integration/Continuous Deployment
1. Security of the CI/CD Pipeline
• Access roles
• Hardening build servers/nodes
2. Security in the CI/CD Pipeline
• Artifact validation
• Static code analysis
CI/CD for DevOps (pipeline diagram)
Stages: Version Control -> CI Server -> Package Builder -> Artifact Repo -> Deploy Server -> Staging Env / Test Env / Prod Env
• Dev commits to Git/master; the CI server gets/pulls code and images
• Distributed builds; tests run in parallel
• Send build report to Dev; stop everything if the build failed
• Package builder creates the artifact (code, config, tests); deploy server pushes config and installs
• Generate deployment templates for infrastructure
CI/CD for DevSecOps (pipeline diagram: the same stages with security controls added)
• Block creds from Git before they reach version control
• CI server: scan hook on pulled code and images; log for audit
• Promote process: audit/validate, config checksum
• Continuous scan of staging, test, and prod environments
• Send build report to Security; stop everything if audit/validation failed
• Deployment templates for infrastructure
What about my other stuff?
3. Cloud scale security
Infrastructure as code
• Base requirement!
• Split ownership
• Pre-deploy validation
Elastic security automation
• API driven
• Auto Scaling groups – hooks
• Execution layer scales with targets
Runtime security
• Tag-based targeting
• Rip-n-replace
• Continuous pen testing
Immutable infrastructure
• Validation and enforcement
• Integrate with managed services
…
a.k.a. all the other stuff people are really talking about
When
Easy
All the time!
When – Control and Validate
Pre-event – When possible
• Store infrastructure in code repository
• Validate each push (git hooks)
• Use managed microservices as execution engine
• Scan cloud infrastructure templates for unwanted or risk-rated configurations
• Validate container definitions
• Validate system code early on
• Find unwanted libraries, etc.
• Force infrastructure changes through templates
• Block if needed/unsure
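One way to do the "scan templates, block if unsure" step as a pre-push check, as an added example that is not part of the deck or of any project it lists; the rules (world-open non-web ingress, public bucket ACL, Allow */*) and the {"Failed": [...]} output are assumptions modelled on the benchmark report shown later in the deck.

```python
"""Pre-deploy scan of a CloudFormation JSON template for risky configurations.
Added example (not from the deck or any project it lists); the rules and the
{"Failed": [...]} output are this example's own, modelled on the deck's report."""
import json
import sys

ALLOWED_PUBLIC_PORTS = {80, 443}  # assumption: only web ports may be open to the world


def _ingress_findings(name, props):
    findings = []
    for rule in props.get("SecurityGroupIngress", []):
        if rule.get("CidrIp") != "0.0.0.0/0" and rule.get("CidrIpv6") != "::/0":
            continue  # not world-open, nothing to report
        lo, hi = int(rule.get("FromPort", 0)), int(rule.get("ToPort", 65535))
        if rule.get("IpProtocol") == "-1" or not (lo == hi and lo in ALLOWED_PUBLIC_PORTS):
            findings.append(f"{name}: world-open ingress {lo}-{hi}/{rule.get('IpProtocol')}")
    return findings


def _policy_findings(name, doc):
    findings = []
    for st in doc.get("Statement", []):
        acts, res = st.get("Action", []), st.get("Resource", [])
        acts = [acts] if isinstance(acts, str) else acts
        res = [res] if isinstance(res, str) else res
        if st.get("Effect") == "Allow" and "*" in acts and "*" in res:
            findings.append(f"{name}: IAM statement allows Action * on Resource *")
    return findings


def scan_template(template):
    """Return findings for the template; an empty list means it passes the scan."""
    findings = []
    for name, res in template.get("Resources", {}).items():
        rtype, props = res.get("Type", ""), res.get("Properties", {})
        if rtype == "AWS::EC2::SecurityGroup":
            findings += _ingress_findings(name, props)
        elif rtype == "AWS::S3::Bucket" and props.get("AccessControl", "").startswith("Public"):
            findings.append(f"{name}: bucket ACL {props['AccessControl']}")
        elif rtype in ("AWS::IAM::Policy", "AWS::IAM::ManagedPolicy"):
            findings += _policy_findings(name, props.get("PolicyDocument", {}))
    return findings


# Constructed sample: one acceptable rule (443) plus three things the scan should block.
SAMPLE_TEMPLATE = {"Resources": {
    "WebSg": {"Type": "AWS::EC2::SecurityGroup", "Properties": {"SecurityGroupIngress": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "0.0.0.0/0"},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"}]}},
    "Logs": {"Type": "AWS::S3::Bucket", "Properties": {"AccessControl": "PublicRead"}},
    "Admin": {"Type": "AWS::IAM::ManagedPolicy", "Properties": {"PolicyDocument": {
        "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}}}}}

if __name__ == "__main__":
    # Git-hook usage: python scan.py template.json ; a non-zero exit blocks the push.
    tmpl = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_TEMPLATE
    failed = scan_template(tmpl)
    print(json.dumps({"Failed": failed}, indent=1))
    sys.exit(1 if failed else 0)
```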
When – Control and Validate
Post-event – Always
• Follow-up on sensitive APIs
• IAM, security groups/firewall, encryption keys, logging, etc.
• Alert/inform
• Use source of truth
• Locked to execution function (read only)
• Validate source
• Human or machine/CICD
• Decide on remediation
When – Control and Validate
Triggers – Event based:
• Per change
• API based
• Event logs
• Per day
• Per framework
• Overall infrastructure, components, and resources
• One component, multiple frameworks
What
Give me some examples
Security validation in an elastic infrastructure
• Implement -> Validate -> Decide
• Terminate upon failure
Automatic Incident Response Remediation
• Auto-heal CloudTrail logging
• Disable offenders
Integrate host-based action with cloud-based control
• Immutable infrastructure – Auto isolate instances
Example – Auto isolation – Host meets Cloud
Modify
• /etc/pam.d/sshd
Execute script upon logon
• session optional pam_exec.so /path/trigger.sh
Trigger AWS event as marker using IAM roles for EC2
#!/bin/bash
# Runs from pam_exec on each SSH session; the instance role needs ec2:CreateTags.
INSTANCE_ID=$(wget -q -O - http://169.254.169.254/latest/meta-data/instance-id)
# The availability zone minus its trailing letter is the region.
REGION=$(wget -q -O - http://169.254.169.254/latest/meta-data/placement/availability-zone | sed 's/.$//')
DATE=$(date)
aws ec2 --region "$REGION" create-tags --resources "$INSTANCE_ID" --tags "Key=Tainted,Value=$DATE"
Execute Lambda function using CloudWatch Events on marker detection
• Remove from load balancer/scaling groups (will auto-heal)
• Block in/outgoing traffic using security groups and ACL
Example – Auto isolation – Host meets Cloud
Don’t forget safeguards!
• How many instances can I isolate before failure
• If isolated > x:
wake_human()
• Remember, x could be 0
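The cloud side of the example above, as an added example that is not the deck's own code: a Lambda-style handler for the Tainted marker that applies the "if isolated > x: wake_human()" safeguard before acting. The CloudTrail CreateTags record shape, the QUARANTINE_SG / MAX_ISOLATED / TOPIC_ARN values and the Recorder stand-in for boto3 clients are assumptions.

```python
"""Lambda-style handler for the 'Tainted' marker. Added example, not from the deck.
Assumes a CloudWatch Events rule forwards the CloudTrail record for ec2:CreateTags, that
QUARANTINE_SG is a security group with no rules, and that clients are passed in (boto3
clients for ec2/autoscaling/sns in Lambda) so the logic also runs offline with Recorder."""
import os

QUARANTINE_SG = os.environ.get("QUARANTINE_SG", "sg-PLACEHOLDER")
MAX_ISOLATED = int(os.environ.get("MAX_ISOLATED", "1"))  # safeguard cap x; x could be 0
TOPIC_ARN = os.environ.get("TOPIC_ARN", "arn:aws:sns:REGION:ACCOUNT:PLACEHOLDER")


def tainted_instances(event):
    """Instance ids carrying Key=Tainted in a CreateTags record (assumed CloudTrail shape)."""
    d = event.get("detail", {})
    p = d.get("requestParameters", {})
    keys = {t.get("key") for t in p.get("tagSet", {}).get("items", [])}
    if d.get("eventName") != "CreateTags" or "Tainted" not in keys:
        return []
    return [r["resourceId"] for r in p.get("resourcesSet", {}).get("items", [])
            if r.get("resourceId", "").startswith("i-")]


def isolate(instance_id, ec2, asg):
    """Detach from its Auto Scaling group (the group replaces it) and swap every SG for quarantine."""
    asg_info = asg.describe_auto_scaling_instances(InstanceIds=[instance_id])
    for inst in asg_info.get("AutoScalingInstances", []):
        asg.detach_instances(InstanceIds=[instance_id], AutoScalingGroupName=inst["AutoScalingGroupName"],
                             ShouldDecrementDesiredCapacity=False)
    ec2.modify_instance_attribute(InstanceId=instance_id, Groups=[QUARANTINE_SG])


def handler(event, ec2, asg, sns):
    """Return what was done so the outcome gets logged, not just performed."""
    result = {"isolated": [], "escalated": []}
    # Source of truth for the cap: how many instances already sit in the quarantine group.
    resp = ec2.describe_instances(Filters=[{"Name": "instance.group-id", "Values": [QUARANTINE_SG]}])
    already = sum(len(r.get("Instances", [])) for r in resp.get("Reservations", []))
    for iid in tainted_instances(event):
        if already >= MAX_ISOLATED:  # past the cap: wake_human() instead of acting
            sns.publish(TopicArn=TOPIC_ARN, Subject="Isolation cap reached",
                        Message=f"{iid} tainted; {already} already isolated")
            result["escalated"].append(iid)
            continue
        isolate(iid, ec2, asg)
        already += 1
        result["isolated"].append(iid)
    return result


class Recorder:
    """Constructed stand-in for a boto3 client: records calls, returns canned responses."""
    def __init__(self, **responses):
        self.calls, self.responses = [], responses
    def __getattr__(self, name):
        def call(**kw):
            self.calls.append((name, kw))
            return self.responses.get(name, {})
        return call


# Constructed event: two hosts tagged Tainted by trigger.sh in one CreateTags call.
SAMPLE_EVENT = {"detail": {"eventName": "CreateTags", "requestParameters": {
    "resourcesSet": {"items": [{"resourceId": "i-0aaa"}, {"resourceId": "i-0bbb"}]},
    "tagSet": {"items": [{"key": "Tainted", "value": "constructed"}]}}}}
```

With the default cap of 1, running handler(SAMPLE_EVENT, ...) against Recorder clients isolates the first host and escalates the second to the SNS topic.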
Example – Log enforcement
Detect
• CloudTrail logging disabled
Priority
• Enable logging
Forensics
• Has this happened before?
Countermeasures
• If num_disabled > x: # x could be zero based on type and user
disable_user()
• Safeguard: Should I temporarily disable the user? Who is the user?
Alert!
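The log-enforcement flow above (detect, priority action, forensics, countermeasure with safeguard, alert) as an added example that is not the deck's own code. It assumes a CloudWatch Events rule delivering the CloudTrail record for StopLogging, an in-memory dict standing in for a DynamoDB history table, and an illustrative threshold and break-glass list.

```python
"""CloudTrail log enforcement in the deck's order: detect -> priority action -> forensics
-> countermeasure (with safeguard) -> alert. Added example, not from the deck. Assumes a
CloudWatch Events rule delivers the CloudTrail record for cloudtrail:StopLogging; `history`
stands in for a DynamoDB table of prior offences; threshold and break-glass list are illustrative."""
import json

DISABLE_THRESHOLD = 1                 # x: disable once num_disabled > x; x could be 0
BREAK_GLASS = {"incident-commander"}  # safeguard: principals automation must never lock out
DENY_ALL = {"Version": "2012-10-17",
            "Statement": [{"Effect": "Deny", "Action": "*", "Resource": "*"}]}


def parse_stop_logging(event):
    """Return (trail, principal) for a StopLogging record, else None (assumed CloudTrail shape)."""
    d = event.get("detail", {})
    if d.get("eventName") != "StopLogging":
        return None
    ident = d.get("userIdentity", {})
    principal = ident.get("userName") or ident.get("arn", "unknown")
    return d.get("requestParameters", {}).get("name"), principal


def plan_response(event, history):
    """Decide the actions; `history` ({principal: count}) is updated as the forensic record."""
    parsed = parse_stop_logging(event)
    if parsed is None:
        return []
    trail, principal = parsed
    actions = [("start_logging", trail)]            # priority: get logging back first
    num_disabled = history.get(principal, 0) + 1    # forensics: has this happened before?
    history[principal] = num_disabled
    if num_disabled > DISABLE_THRESHOLD and principal not in BREAK_GLASS:
        actions.append(("disable_user", principal))  # countermeasure, gated by the safeguard
    actions.append(("alert", f"{principal} stopped trail {trail} (occurrence {num_disabled})"))
    return actions


def apply(actions, cloudtrail, iam, sns, topic_arn):
    """Run the plan with boto3 clients; kept apart from the decision so that stays testable."""
    for kind, arg in actions:
        if kind == "start_logging":
            cloudtrail.start_logging(Name=arg)
        elif kind == "disable_user":  # IAM user only; a role principal needs a different lever
            iam.put_user_policy(UserName=arg, PolicyName="AutoQuarantine",
                                PolicyDocument=json.dumps(DENY_ALL))
        else:
            sns.publish(TopicArn=topic_arn, Subject="CloudTrail StopLogging", Message=arg)


def sample_event(user):
    """Constructed CloudTrail-style record for StopLogging by the given IAM user."""
    return {"detail": {"eventName": "StopLogging",
                       "userIdentity": {"type": "IAMUser", "userName": user},
                       "requestParameters": {"name": "main-trail"}}}


if __name__ == "__main__":
    history = {}
    for _ in range(2):  # the second offence by the same user crosses the threshold
        print(plan_response(sample_event("alice"), history))
```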
How
SaaS Subscriptions
Dozens of SaaS applications addressing multiple use cases
AWS Marketplace
Discover, procure, deploy, and manage software in the cloud
• 3,600+ software listings
• 51 paid SaaS products
• Over 1,100 participating ISVs
• Deployed in 14 AWS Regions
• 100,000+ active customers
• Over 300M deployed EC2 instances per month
• That’s 400K per hour
• Curated products
• Integrated to AWS Billing
Two ways to subscribe to SaaS products
PAY-AS-YOU-GO SUBSCRIPTIONS (MARKETPLACE METERING SERVICE)
• Buyers can easily find and subscribe to SaaS products in the Marketplace. As buyers use the software, sellers send metering records summarizing usage to AWS.
• AWS adds to the buyer’s monthly bill, based on metered data sent by sellers.
• Launched November, 2016
PRE-PAID SUBSCRIPTIONS (CONTRACTS)
• Buyers can purchase monthly, yearly, or multi-year subscriptions that automatically renew through a shopping-cart experience. User provisioning and account setup continues within the seller’s application.
• Payment occurs up front. Buyers can increase the size of contracts at any time, adding to their existing renewal date at the pro-rated cost.
• Launched April, 2017
SEC303 Automating Security in cloud Workloads with DevSecOps
Putting it all together (architecture diagram)
Components: AWS CloudTrail, Amazon CloudWatch Events, AWS Lambda (running under an AWS IAM role), Amazon Simple Notification Service, AWS API endpoints, an Amazon S3 bucket, your staff, your security team, and your SaaS tools reached through the AWS API
AWS Tooling
Execution
• AWS Lambda
Tracking
• AWS Config Rules
• Amazon CloudWatch Events
• AWS Step Functions
• AWS CloudTrail
• Amazon Inspector
Track/Log
• Amazon CloudWatch Logs
• Amazon DynamoDB
Alert
• Amazon SNS
Third-party open source
Cool… so I just fix things??
Well, yes... but...
Risks
Failure is always an option, now at script speed
The “We forgot to tell you…”
Overly simplified scripts
No proper alerting, logging, or follow-up on automated events
Don’t forget safeguards!
I disabled the perpetrator… and then some
How do you minimize risk of failed remediation functions?
Implement a remediation framework
The anatomy of remediation
Know
• Continuous / event based
• Execution constraints
• Will the action risk breaking something?
• Will the change affect cost?
• Is there a source of truth?
Execute
• Priority action
• Forensics
• Countermeasures
• Alerts
• Log
What else can I do?
Benchmarking infrastructure
Map your infrastructure against control frameworks
Single run for single account health check
AWS Config / Config Rules for compliance tracking
Example: OSS validation for the CIS AWS Foundation Framework
• https://github.com/awslabs/aws-security-benchmark
Report this way…
Or this…
Or maybe just this
{"Failed":["1.3", "1.4", "1.5", "1.6", "1.7", "1.8", "1.9", "1.10", "1.11", "1.14",
"1.16", "1.22", "1.23", "2.2", "2.4", "2.5", "2.6", "2.6", "2.8", "3.1", "3.2", "3.3",
"3.4", "3.5", "3.6", "3.7", "3.8", "3.9", "3.10", "3.11", "3.12", "etc"]}
Control output based on consumer of data and post processing of result
At the end of the rainbow…
What are we trying to accomplish?
Goals
Minimize relying on humans for active security events
• Automation doesn’t sleep, eat, or need coffee in the morning
Prevent bad configurations before they are implemented
Autocorrect/remediate violations where possible
Daily/instant benchmark validation of infrastructure
• Validate against industry frameworks
• Extend to remediation
Your next step
Look through your infrastructure security runbook
• What can you automate?
• How can you validate?
OSS code to learn from
git-secrets - Prevents you from committing passwords and other sensitive information to a git repository.
aws-security-benchmark - Benchmark scripts mapped against trusted security frameworks.
aws-config-rules - [Node, Python, Java] Repository of sample custom rules for AWS Config
Netflix/security_monkey - Monitors policy changes and alerts on insecure configurations in an AWS account.
Netflix/edda - Edda is a service to track changes in your cloud deployments.
ThreatResponse - Open Source Security Suite for hardening and responding in AWS.
CloudSploit – Capturing things like open security groups, misconfigured VPCs, and more.
Stelligent/Cfn_nag – Looks for patterns in CloudFormation templates that may indicate insecure infrastructure.
Capitalone/cloud-custodian - Rules engine for AWS fleet management.
Thank you!
