SEC303 Automating Security in Cloud Workloads with DevSecOps
- 1. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Chuck Meyer
Security Specialist Solutions Architect
August 14, 2017
Automating Security in
Cloud Workloads with DevSecOps
- 2. What to expect from the session
Why security automation
Who, security team in a DevSecOps world
Where do you want security automation
When – Pre, post, and everything in between
What can you do, practical examples
How – Tools and partners
- 6. Why - Goals of DevSecOps
Pace of innovation… meets pace of security automation
Scalable infrastructure needs scalable security
Risk/rating-based actions
Automatic incident response remediation
- 7. Why security automation
Reduce risk of human error
- Automation is effective
- Automation is reliable
- Automation is scalable
Don’t worry… we still need humans
- 9. Purpose
Security is a service team, not a blocker
Security is everyone's job
Allow flexibility and freedom, but control the flow and result.
- 10. Meet the new security team
Operations Engineering
Application
Security
Compliance
- 11. Meet the new security team
Operations Engineering
Application
Security
Compliance
Development
- 14. CI/CD for DevOps
[Diagram: Dev commits to Git/master → Version Control → CI Server (get/pull code; distributed builds; run tests in parallel; send build report to Dev; stop everything if build failed) → Package Builder (create images; push to Artifact Repo) → Deploy Server (pull code, config, tests; generate deployment templates for infrastructure; install/config to Test Env, Staging Env, Prod Env).]
- 17. 3. Cloud scale security
Infrastructure as code
• Base requirement!
• Split ownership
• Pre-deploy validation
Elastic security automation
• API driven
• Auto Scaling groups – hooks
• Execution layer scales with targets
Runtime security
• Tag-based targeting
• Rip-n-replace
• Continuous pen testing
Immutable infrastructure
• Validation and enforcement
• Integrate with managed services
…
a.k.a. all the other stuff people are really talking about
- 20. When – Control and Validate
Pre-event – When possible
• Store infrastructure in code repository
• Validate each push (git hooks)
• Use managed microservices as execution engine
• Scan cloud infrastructure templates for unwanted/risk valued configurations
• Validate container definitions
• Validate system code early on
• Find unwanted libraries, etc.
• Force infrastructure changes through templates
• Block if needed/unsure
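The pre-event checks above (scan templates for risky configurations, validate each push, block if unsure) can be wired into a git hook as a small template scanner. The following is an added example, not the deck's code and not cfn_nag or any other project's implementation; the three rules, the rule ids and the sample CloudFormation template are constructed for illustration.

```python
"""Pre-deploy scan of a CloudFormation template (JSON) for risky configurations.
Added example, not cfn_nag or any project's code; the rule set and the sample
template are constructed. Exit status 1 blocks the push when this runs from a
git pre-commit or pre-receive hook."""
import json
import sys

SENSITIVE_PORTS = {22, 3389}          # admin ports that should never be open to the world
ANYWHERE = {"0.0.0.0/0", "::/0"}


def _ingress_rules(props):
    """Yield ingress rules from an AWS::EC2::SecurityGroup or a standalone SecurityGroupIngress."""
    if "SecurityGroupIngress" in props:
        yield from props["SecurityGroupIngress"]
    elif "IpProtocol" in props:
        yield props


def _port_open(rule, port):
    """True when the rule's port range (or all traffic, IpProtocol -1) covers the port."""
    lo, hi = rule.get("FromPort", 0), rule.get("ToPort", 65535)
    if rule.get("IpProtocol") == "-1":
        lo, hi = 0, 65535
    return lo <= port <= hi


def scan(template):
    """Return findings as (logical id, rule id, message) tuples; empty list means clean."""
    findings = []
    for name, res in template.get("Resources", {}).items():
        rtype, props = res.get("Type", ""), res.get("Properties", {})
        if rtype in ("AWS::EC2::SecurityGroup", "AWS::EC2::SecurityGroupIngress"):
            for rule in _ingress_rules(props):
                cidr = rule.get("CidrIp") or rule.get("CidrIpv6")
                if cidr in ANYWHERE and any(_port_open(rule, p) for p in SENSITIVE_PORTS):
                    findings.append((name, "SG-OPEN-ADMIN", f"{cidr} may reach an admin port"))
        elif rtype == "AWS::S3::Bucket" and "BucketEncryption" not in props:
            findings.append((name, "S3-NO-ENCRYPTION", "bucket has no default encryption"))
        elif rtype in ("AWS::IAM::Policy", "AWS::IAM::ManagedPolicy"):
            for st in props.get("PolicyDocument", {}).get("Statement", []):
                actions = st.get("Action", [])
                actions = [actions] if isinstance(actions, str) else actions
                if st.get("Effect") == "Allow" and "*" in actions and st.get("Resource") == "*":
                    findings.append((name, "IAM-STAR-STAR", "Allow */* statement"))
    return findings


# Constructed template: one bad security group, one unencrypted bucket, one clean group.
SAMPLE_TEMPLATE = {"Resources": {
    "Bastion": {"Type": "AWS::EC2::SecurityGroup", "Properties": {"GroupDescription": "ssh",
        "SecurityGroupIngress": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"}]}},
    "Web": {"Type": "AWS::EC2::SecurityGroup", "Properties": {"GroupDescription": "https",
        "SecurityGroupIngress": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "0.0.0.0/0"}]}},
    "Logs": {"Type": "AWS::S3::Bucket", "Properties": {}},
}}


def main(argv):
    """Hook entry point: scan each template path given (or the sample when none); non-zero on findings."""
    templates = [json.load(open(p)) for p in argv[1:]] or [SAMPLE_TEMPLATE]
    total = [f for t in templates for f in scan(t)]
    for name, rule, msg in total:
        print(f"BLOCK {rule} {name}: {msg}")
    return 1 if total else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python scan_template.py template.json` from a `pre-commit` hook; the non-zero exit is what makes git refuse the commit, which is the "block if needed/unsure" step. Only JSON templates are handled here, so YAML templates would need a loader first.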
- 21. When – Control and Validate
Post-event – Always
• Follow-up on sensitive APIs
• IAM, security groups/firewall, encryption keys, logging, etc.
• Alert/inform
• Use source of truth
• Locked to execution function (read only)
• Validate source
• Human or machine/CICD
• Decide on remediation
- 22. When – Control and Validate
Triggers – Event based:
• Per change
• API based
• Event logs
• Per day
• Per framework
• Overall infrastructure, components, and resources
• One component, multiple frameworks
- 24. Give me some examples
Security validation in an elastic infrastructure
• Implement -> Validate -> Decide
• Terminate upon failure
Automatic Incident Response Remediation
• Auto-heal Cloudtrail logging
• Disable offenders
Integrate host-based action with cloud-based control
• Immutable infrastructure – Auto isolate instances
- 25. Example – Auto isolation – Host meets Cloud
Modify
• /etc/pam.d/sshd
Execute script upon logon
• session optional pam_exec.so /path/trigger.sh
Trigger AWS event as marker using IAM roles for EC2
#!/bin/bash
# Runs from pam_exec at session open; the instance role (IAM role for EC2) only needs ec2:CreateTags.
INSTANCE_ID=$(wget -q -O - http://169.254.169.254/latest/meta-data/instance-id)
# Availability zone minus its trailing letter (e.g. us-east-1a -> us-east-1) is the region.
REGION=$(wget -q -O - http://169.254.169.254/latest/meta-data/placement/availability-zone | sed 's/.$//')
DATE=$(date)
aws ec2 --region "$REGION" create-tags --resources "$INSTANCE_ID" --tags "Key=Tainted,Value=$DATE"
Execute Lambda function using CloudWatch Events on marker detection
• Remove from load balancer/scaling groups (will auto-heal)
• Block in/outgoing traffic using security groups and ACL
- 26. Example – Auto isolation – Host meets Cloud
Don’t forget safeguards!
• How many instances can I isolate before failure
• If isolated > x:
wake_human()
• Remember, x could be 0
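The cloud side of the two slides above (CloudWatch Events detects the Tainted marker, Lambda pulls the instance out of its Auto Scaling group and swaps its security groups, and the "if isolated > x: wake_human()" safeguard) as an added example, not the deck's code. The CloudTrail event shape it parses, the quarantine security group id and the SNS topic ARN are assumptions; the offline stand-in clients at the bottom exist only so the module runs without AWS credentials.

```python
"""Auto-isolation handler for the 'Tainted' marker, with the isolation-count safeguard.
Added example (not the deck's code); the CloudTrail event shape, the quarantine
security group id and the SNS topic ARN are assumptions. A CloudWatch Events rule
matching source aws.ec2, detail-type 'AWS API Call via CloudTrail', eventName
CreateTags is assumed to invoke lambda_handler."""
import json
import os

TAINT_TAG = "Tainted"                                        # marker written by trigger.sh
MAX_ISOLATED = int(os.environ.get("MAX_ISOLATED", "2"))      # x from the deck; 0 is a valid choice
QUARANTINE_SG = os.environ.get("QUARANTINE_SG", "sg-0placeholder")   # assumed: group with no rules
ALERT_TOPIC = os.environ.get("ALERT_TOPIC", "arn:aws:sns:us-east-1:000000000000:wake-human")


def tainted_instances(event):
    """Instance IDs from a CloudTrail CreateTags event that carries the marker tag.
    Assumed shape: detail.requestParameters.{resourcesSet,tagSet}.items."""
    detail = event.get("detail", {})
    if detail.get("eventName") != "CreateTags":
        return []
    params = detail.get("requestParameters", {})
    tags = params.get("tagSet", {}).get("items", [])
    if not any(t.get("key") == TAINT_TAG for t in tags):
        return []
    return [r["resourceId"] for r in params.get("resourcesSet", {}).get("items", [])]


def count_tainted(ec2):
    """How many instances already carry the marker (includes the one that triggered us)."""
    page = ec2.describe_instances(Filters=[{"Name": "tag-key", "Values": [TAINT_TAG]}])
    return sum(len(r["Instances"]) for r in page["Reservations"])


def isolate(ec2, asg, instance_id):
    """Detach from any Auto Scaling group without lowering desired capacity (the ASG
    deregisters it from the load balancer and launches a replacement), then replace
    every security group with the rule-less quarantine group."""
    groups = asg.describe_auto_scaling_instances(InstanceIds=[instance_id])["AutoScalingInstances"]
    for g in groups:
        asg.detach_instances(InstanceIds=[instance_id],
                             AutoScalingGroupName=g["AutoScalingGroupName"],
                             ShouldDecrementDesiredCapacity=False)
    ec2.modify_instance_attribute(InstanceId=instance_id, Groups=[QUARANTINE_SG])


def wake_human(sns, instance_id, tainted_count):
    """Safeguard path: hand the decision to a person instead of isolating one more host."""
    sns.publish(TopicArn=ALERT_TOPIC, Subject="Isolation threshold exceeded",
                Message=json.dumps({"instance": instance_id, "tainted": tainted_count,
                                    "max_isolated": MAX_ISOLATED}))


def handle(event, ec2, asg, sns):
    """Core logic with clients injected; returns {instance id: 'isolated' | 'escalated'}."""
    results = {}
    for instance_id in tainted_instances(event):
        tainted = count_tainted(ec2)
        if tainted > MAX_ISOLATED:          # "if isolated > x: wake_human()"
            wake_human(sns, instance_id, tainted)
            results[instance_id] = "escalated"
        else:
            isolate(ec2, asg, instance_id)
            results[instance_id] = "isolated"
    return results


def lambda_handler(event, context):
    import boto3   # imported lazily so the module also runs offline with the fakes below
    return handle(event, boto3.client("ec2"), boto3.client("autoscaling"), boto3.client("sns"))


# --- offline stand-ins so the example runs without AWS credentials ---
class FakeEc2:
    def __init__(self, tainted_ids):
        self.tainted_ids, self.groups = list(tainted_ids), {}
    def describe_instances(self, Filters):
        return {"Reservations": [{"Instances": [{"InstanceId": i} for i in self.tainted_ids]}]}
    def modify_instance_attribute(self, InstanceId, Groups):
        self.groups[InstanceId] = Groups


class FakeAsg:
    def __init__(self): self.detached = []
    def describe_auto_scaling_instances(self, InstanceIds):
        return {"AutoScalingInstances": [{"AutoScalingGroupName": "web-asg"}]}
    def detach_instances(self, **kw): self.detached.append(kw["InstanceIds"][0])


class FakeSns:
    def __init__(self): self.published = []
    def publish(self, **kw): self.published.append(kw)


def sample_event(instance_id):
    """Constructed CloudWatch Events payload for the tag write done by trigger.sh."""
    return {"detail": {"eventName": "CreateTags", "requestParameters": {
        "resourcesSet": {"items": [{"resourceId": instance_id}]},
        "tagSet": {"items": [{"key": TAINT_TAG, "value": "constructed date"}]}}}}


if __name__ == "__main__":
    ec2, asg, sns = FakeEc2(["i-0aaa"]), FakeAsg(), FakeSns()
    print(handle(sample_event("i-0aaa"), ec2, asg, sns))
```

The threshold check counts hosts that already carry the marker, so the third tainted host with MAX_ISOLATED=2 is escalated rather than isolated; setting MAX_ISOLATED to 0 turns the function into alert-only, which matches "x could be 0".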
- 27. Example – Log enforcement
Detect
• CloudTrail logging disabled
Priority
• Enable logging
Forensics
• Has this happened before?
Countermeasures
• If num_disabled > x: # x could be zero based on type and user
disable_user()
• Safeguard: Should I temporarily disable the user? Who is the user?
Alert!
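The log-enforcement flow above (detect StopLogging, turn logging back on first, check whether this actor has done it before, disable the user only past a threshold and only when the "who is the user?" safeguard allows it, then alert) as an added example that is not the deck's code. The CloudTrail event shape, the threshold, the protected user name and the topic ARN are assumptions, and the in-memory counter stands in for the DynamoDB history table a deployed version would use.

```python
"""Log-enforcement handler: CloudTrail StopLogging -> start logging again, consult
history, decide about the user, alert. Added example, not the deck's code; the event
shape, threshold, protected-user name and topic ARN are assumptions."""
import json
from collections import Counter

MAX_DISABLED = 1                      # x from the deck: repeats tolerated before disabling
PROTECTED = {"break-glass-admin"}     # assumed: users a script must never lock out
ALERT_TOPIC = "arn:aws:sns:us-east-1:000000000000:security-alerts"   # placeholder ARN
DENY_ALL = {"Version": "2012-10-17",
            "Statement": [{"Effect": "Deny", "Action": "*", "Resource": "*"}]}


def new_history():
    """Per-actor StopLogging counter; DynamoDB would hold this in a real deployment."""
    return Counter()


def parse_stop_logging(event):
    """(trail name, actor, identity type) from a CloudTrail StopLogging event, else None.
    Assumed shape: detail.eventName, detail.userIdentity, detail.requestParameters.name."""
    d = event.get("detail", {})
    if d.get("eventName") != "StopLogging":
        return None
    who = d.get("userIdentity", {})
    actor = who.get("userName") or who.get("arn", "unknown")
    return d["requestParameters"]["name"], actor, who.get("type")


def decide(actor, identity_type, prior_count):
    """Countermeasure for this actor: 'disable_user', 'escalate' or 'alert_only'.
    Safeguard: only plain IAM users outside the protected set are ever disabled
    automatically; roles, root and protected users always go to a human."""
    if identity_type != "IAMUser" or actor in PROTECTED:
        return "escalate"
    return "disable_user" if prior_count + 1 > MAX_DISABLED else "alert_only"


def handle(event, cloudtrail, iam, sns, history):
    """Returns the action taken, or None when the event is not a StopLogging call."""
    parsed = parse_stop_logging(event)
    if parsed is None:
        return None
    trail, actor, identity_type = parsed
    cloudtrail.start_logging(Name=trail)                      # priority: logging back on first
    action = decide(actor, identity_type, history[actor])     # forensics: seen this actor before?
    history[actor] += 1
    if action == "disable_user":
        # Reversible containment: an inline deny-all policy blocks the user until a human reviews.
        iam.put_user_policy(UserName=actor, PolicyName="AutoQuarantineDenyAll",
                            PolicyDocument=json.dumps(DENY_ALL))
    sns.publish(TopicArn=ALERT_TOPIC, Subject=f"CloudTrail StopLogging on {trail} by {actor}",
                Message=json.dumps({"actor": actor, "trail": trail, "action": action,
                                    "times_seen": history[actor]}))
    return action


def lambda_handler(event, context):
    import boto3   # imported lazily so the module also runs offline with the recorder below
    return handle(event, boto3.client("cloudtrail"), boto3.client("iam"),
                  boto3.client("sns"), new_history())


# --- offline stand-in so the example runs without AWS credentials ---
class Recorder:
    """Records every call as (method, kwargs); stands in for all three boto3 clients."""
    def __init__(self): self.calls = []
    def __getattr__(self, name):
        return lambda **kw: self.calls.append((name, kw))


def sample_event(actor, identity_type="IAMUser"):
    """Constructed CloudWatch Events payload for a CloudTrail StopLogging call."""
    return {"detail": {"eventName": "StopLogging",
                       "userIdentity": {"type": identity_type, "userName": actor},
                       "requestParameters": {"name": "main-trail"}}}


if __name__ == "__main__":
    aws, seen = Recorder(), new_history()
    print(handle(sample_event("sample-user"), aws, aws, aws, seen))   # first time: alert_only
    print(handle(sample_event("sample-user"), aws, aws, aws, seen))   # repeat: disable_user
```

Re-enabling logging happens before any decision about the user, so even when the actor turns out to be a role or a protected account and the function only escalates, the trail is already back on.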
- 30. AWS Marketplace
Discover, procure, deploy, and manage software in the cloud
• 3,600+ software listings
• 51 paid SaaS products
• Over 1,100 participating ISVs
• Deployed in 14 AWS Regions
• 100,000+ active customers
• Over 300M of deployed EC2 instances per month
• That’s 400K per hour
• Curated products
• Integrated to AWS Billing
- 31. Two ways to subscribe to SaaS products
PAY-AS-YOU-GO SUBSCRIPTIONS (MARKETPLACE METERING SERVICE)
• Buyers can easily find and subscribe to SaaS products in the Marketplace. As buyers use the software, sellers send metering records summarizing usage to AWS.
• AWS adds to the buyer’s monthly bill, based on metered data sent by sellers.
• Launched November, 2016
PRE-PAID SUBSCRIPTIONS (CONTRACTS)
• Buyers can purchase monthly, yearly, or multi-year subscriptions that automatically renew through a shopping-cart experience. User provisioning and account setup continues within the seller’s application.
• Payment occurs up front. Buyers can increase the size of contracts at any time, adding to their existing renewal date at the pro-rated cost.
• Launched April, 2017
- 33. Putting it all together
[Diagram: AWS CloudTrail, Amazon CloudWatch Events, AWS Lambda (under an AWS IAM role), Amazon Simple Notification Service, AWS API endpoints, an Amazon S3 bucket, the AWS API, your staff, your security team, and your SaaS tools.]
- 34. AWS Tooling
Execution
• AWS Lambda
Tracking
• AWS Config Rules
• Amazon CloudWatch Events
• AWS Step Functions
• AWS CloudTrail
• Amazon Inspector
Track/Log
• Amazon CloudWatch Logs
• Amazon DynamoDB
Alert
• Amazon SNS
Third-party open source
- 35. Cool… so I just fix things??
Well, yes... but...
- 36. Risks
Failure is always an option, now at script speed
The “We forgot to tell you…”
Overly simplified scripts
No proper alerting, logging, or follow-up on automated events
Don’t forget safeguards!
I disabled the perpetrator… and then some
How do you minimize risk of failed remediation functions?
- 38. The anatomy of remediation
[Diagram, two columns. Know: continuous / event based; execution constraints; will the action risk breaking something; will the change affect cost; is there a source of truth. Execute: priority action; forensics; countermeasures; alerts; log.]
- 40. Benchmarking infrastructure
Map your infrastructure against control frameworks
Single run for single account health check
AWS Config / Config Rules for compliance tracking
Example: OSS validation for the CIS AWS Foundations Framework
• https://github.com/awslabs/aws-security-benchmark
- 43. Or maybe just this
{"Failed":["1.3", "1.4", "1.5", "1.6", "1.7", "1.8", "1.9", "1.10", "1.11", "1.14",
"1.16", "1.22", "1.23", "2.2", "2.4", "2.5", "2.6", "2.6", "2.8", "3.1", "3.2", "3.3",
"3.4", "3.5", "3.6", "3.7", "3.8", "3.9", "3.10", "3.11", "3.12", "etc"]}
Control output based on consumer of data and post processing of result
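A minimal benchmark runner in the spirit of the two slides above (map an account snapshot against control ids, then shape the output for whoever consumes it). This is an added example, not the aws-security-benchmark project's code; the snapshot is constructed, the six checks are simplified readings of CIS AWS Foundations v1.1 controls 1.3, 1.4, 2.1, 2.2, 4.1 and 4.2, and the "summary" versus "detail" consumers are assumptions.

```python
"""Tiny CIS-style benchmark runner with consumer-specific output. Added example,
not the aws-security-benchmark project's code; the account snapshot is constructed
and the checks are simplified versions of a few CIS AWS Foundations v1.1 controls."""
import json
from datetime import datetime, timedelta, timezone

NOW = datetime(2017, 8, 14, tzinfo=timezone.utc)   # fixed "now" so the example is deterministic
MAX_AGE = timedelta(days=90)

# Constructed snapshot shaped after the IAM credential report, describe_trails and
# describe_security_groups; a real run would fill it from the AWS API.
SNAPSHOT = {
    "credential_report": [
        {"user": "alice", "password_last_used": "2017-08-10T00:00:00+00:00",
         "access_key_1_active": "true", "access_key_1_last_rotated": "2017-07-01T00:00:00+00:00"},
        {"user": "bob", "password_last_used": "2017-01-05T00:00:00+00:00",
         "access_key_1_active": "true", "access_key_1_last_rotated": "2016-12-01T00:00:00+00:00"},
    ],
    "trails": [{"Name": "main", "IsMultiRegionTrail": True, "LogFileValidationEnabled": False}],
    "security_groups": [
        {"GroupId": "sg-web", "IpPermissions": [
            {"FromPort": 80, "ToPort": 80, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
        {"GroupId": "sg-bastion", "IpPermissions": [
            {"FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    ],
}


def _stale(ts):
    """True when an ISO-8601 timestamp is 90+ days old; 'N/A'/'no_information' count as not stale."""
    try:
        return NOW - datetime.fromisoformat(ts) >= MAX_AGE
    except ValueError:
        return False


def check_1_3(s):   # credentials unused for 90 days or more (password only here)
    return [u["user"] for u in s["credential_report"] if _stale(u["password_last_used"])]


def check_1_4(s):   # active access keys not rotated within 90 days (key 1 only here)
    return [u["user"] for u in s["credential_report"]
            if u["access_key_1_active"] == "true" and _stale(u["access_key_1_last_rotated"])]


def check_2_1(s):   # CloudTrail enabled in all regions: at least one multi-region trail
    return [] if any(t["IsMultiRegionTrail"] for t in s["trails"]) else ["no multi-region trail"]


def check_2_2(s):   # log file validation on every trail
    return [t["Name"] for t in s["trails"] if not t["LogFileValidationEnabled"]]


def _open_to_world(s, port):
    """Security groups whose ingress covers the port from 0.0.0.0/0."""
    return [g["GroupId"] for g in s["security_groups"] for p in g["IpPermissions"]
            if p.get("FromPort", 0) <= port <= p.get("ToPort", 65535)
            and any(r["CidrIp"] == "0.0.0.0/0" for r in p["IpRanges"])]


CHECKS = {"1.3": check_1_3, "1.4": check_1_4, "2.1": check_2_1, "2.2": check_2_2,
          "4.1": lambda s: _open_to_world(s, 22), "4.2": lambda s: _open_to_world(s, 3389)}


def run(snapshot):
    """Control id -> list of offending resources (an empty list means the control passed)."""
    return {cid: fn(snapshot) for cid, fn in CHECKS.items()}


def render(results, consumer):
    """Post-process for the consumer: 'summary' gives the {"Failed": [...]} shape for a
    dashboard or ticket; anything else gives the evidence an engineer needs to fix it."""
    failed = sorted(cid for cid, bad in results.items() if bad)
    if consumer == "summary":
        return json.dumps({"Failed": failed})
    return json.dumps({cid: results[cid] for cid in failed}, indent=2)


if __name__ == "__main__":
    print(render(run(SNAPSHOT), "summary"))
    print(render(run(SNAPSHOT), "detail"))
```

The same `run()` result feeds both renderings; only the post-processing changes, which is the point of "control output based on consumer of data".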
- 45. At the end of the rainbow…
What are we trying to accomplish?
- 46. Goals
Minimize relying on humans for active security events
• Automation doesn’t sleep, eat, or need coffee in the morning
Prevent bad configurations before they are implemented
Autocorrect/remediate violations where possible
Daily/instant benchmark validation of infrastructure
• Validate against industry frameworks
• Extend to remediation
- 47. Your next step
Look through your infrastructure security runbook
• What can you automate?
• How can you validate?
- 48. OSS code to learn from
git-secrets - Prevents you from committing passwords and other sensitive information to a git repository.
aws-security-benchmark - Benchmark scripts mapped against trusted security frameworks.
aws-config-rules - [Node, Python, Java] Repository of sample custom rules for AWS Config
Netflix/security_monkey - Monitors policy changes and alerts on insecure configurations in an AWS account.
Netflix/edda - Edda is a service to track changes in your cloud deployments.
ThreatResponse - Open Source Security Suite for hardening and responding in AWS.
CloudSploit - Captures things like open security groups, misconfigured VPCs, and more.
Stelligent/cfn_nag - Looks for patterns in CloudFormation templates that may indicate insecure infrastructure.
Capitalone/cloud-custodian - Rules engine for AWS fleet management.