The document discusses several Amazon Web Services security tools including Amazon Inspector, AWS Config, and AWS Trusted Advisor. Amazon Inspector is a vulnerability assessment service that automates security scans for EC2 instances. AWS Config allows users to automate the evaluation of AWS resource configurations against security best practices. AWS Trusted Advisor monitors AWS infrastructure and identifies security gaps and cost optimization opportunities based on known best practices.
2. Amazon Inspector
• Vulnerability Assessment Service
• Built from the ground up to support DevSecOps
• Automatable via APIs
• Integrates with CI/CD tools
• On-Demand Pricing model
• Static & Dynamic Rules Packages
• Generates Findings
4. • It’s not about DevOps + Security
• Not enough security professionals on the planet to do this
• Security teams need their own automation to keep up with automated
deployments!
• Security as code
• Seamless integration with CI/CD pipelines
• Ability to scan and run test suites in parallel
• Ability to automate remediation
• Consumable by APN technology partners as microservices
• www.devsecops.org
6. Supported Agent Operating Systems
• Red Hat Enterprise Linux (6.5 or later)
• CentOS (6.5 or later)
• Ubuntu (12.04 LTS, 14.04 LTS or later)
• Amazon Linux (2015.03 or later)
• Microsoft Windows (2012 R2, 2008 R2) - Preview
Linux Kernel Support
• We get kernels at the same time you get them
• It currently takes us 1-2 weeks for build, test & validation
• We're aiming for 1 day
New Distributions
• Takes a long time
7. Amazon Inspector
• Rules Packages
• Common Vulnerabilities & Exposures
• CIS Operating System Security Configuration
Benchmarks
• Security Best Practices
• Runtime Behavior Analysis
8. Common Vulnerabilities & Exposures
• Tagged list of publicly known info security issues
• Vulnerabilities: a mistake in software that can be used to gain unauthorized system access, e.g. to
• Execute commands as another user
• Pose as another entity
• Conduct a denial of service
• Exposures: a mistake in software that allows access to information that can lead to unauthorized system access, e.g. it
• Allows an attacker to hide activities
• Enables information gathering activities
9. CIS Security Configuration Benchmarks
What are they?
• Security configuration guide
• Consensus-based development process
• PDF versions are free via the CIS website
Inspector automates scanning instances against the latest benchmark for that OS
10. What's inside a Benchmark?
• What you should do…
• Why you should do it…
• How to do it…
• How to know if you did it… (this is what Inspector does for you now; more in future)
11. Runtime Behavior Analysis
• Package analyzes machine behavior during an assessment
• Unused listening ports
• Insecure client protocols
• Root processes with insecure permissions
• Insecure server protocols
• Impacts the severity of static findings
12. Pricing
• Free Trial
• 250 agent-assessments for the first 90 days using the service
• Based on Agent-Assessments
• 1 assessment with 10 agents = 10 agent-assessments
• 5 assessments with 2 agents = 10 agent-assessments
• 10 assessments with 1 agent = 10 agent-assessments
• 10 agent-assessments = $3.00 (at the first-tier rate)
Tiered price per agent-assessment, as presented at the time of this deck:
First 250 agent-assessments: $0.30
Next 750 agent-assessments: $0.25
Next 4,000 agent-assessments: $0.15
Next 45,000 agent-assessments: $0.10
All other agent-assessments: $0.05
13. Regions Supported
GA: US West (Oregon), EU (Ireland), US East (Virginia), Asia Pacific (Tokyo)
July 2016 (deployed): Asia Pacific (Sydney), Asia Pacific (Seoul)
Fall 2016: Asia Pacific (India), Europe (London), Europe (Frankfurt)
16. AWS Config
• Get inventory of AWS resources
• Discover new and deleted resources
• Record configuration changes continuously
• Get notified when configurations change
23. Config Rules
• Set up rules to check configuration changes recorded
• Use pre-built rules provided by AWS
• Author custom rules using AWS Lambda
• Invoked automatically for continuous assessment
• Use the dashboard for visualizing compliance and identifying offending changes
25. Config Rule
A rule that checks the validity of the configurations recorded
• AWS managed rules: defined by AWS; require minimal (or no) configuration; rules are managed by AWS
• Customer managed rules: authored by you using AWS Lambda; rules execute in your account; you maintain the rule
26. Config Rules - Triggers
• Triggered by changes: rules invoked when relevant resources change
Scoped by changes to: tag key/value, resource types, or a specific resource ID
e.g. EBS volumes tagged "Production" should be attached to EC2 instances
• Triggered periodically: rules invoked at a specified frequency
e.g. Account should have no more than 3 "PCI v3" EC2 instances; checked every 3 hrs
27. Evaluations
The result of evaluating a Config rule against a resource
• Report evaluation of {Rule, ResourceType, ResourceID}
directly from the rule itself
29. AWS managed rules
1. All EC2 instances must be inside a VPC.
2. All attached EBS volumes must be encrypted, optionally with a specific KMS key ID.
3. CloudTrail must be enabled, optionally checking for a specific S3 bucket, SNS topic and CloudWatch Logs log group.
4. All security groups in attached state should not have unrestricted access to port 22.
5. All EIPs allocated for use in the VPC are attached to instances.
6. All resources being monitored must be tagged with specified tag keys:values.
7. All security groups in attached state should not have unrestricted access to these specific ports.
30. Custom rules
• Codify and automate your own practices
• Get started with samples in AWS Lambda
• Implement guidelines for security best practices and
compliance
• Use rules from different AWS Partners
• View compliance in one dashboard
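As an added example (not code from this deck or from AWS), here is a customer managed rule written as a Lambda handler. It re-implements the managed checks 4 and 7 above: a security group is NON_COMPLIANT when any ingress rule lets 0.0.0.0/0 or ::/0 reach a blocked port (22 by default, or the list given in a rule parameter). The event shape (invokingEvent, ruleParameters, resultToken) and the PutEvaluations record are the real Config-to-Lambda contract; the rule parameter name blockedPorts, the helper names and the security group ID used when testing are my own choices, and the configuration items fed to it are constructed samples.

```python
"""Custom AWS Config rule: flag security groups with unrestricted ingress
to blocked ports (defaults to 22, mirroring the managed rule above).

The evaluation is a pure function so it can be exercised offline on a
constructed configuration item; only lambda_handler touches the Config API.
"""
import json
from typing import Dict, Iterable, List, Tuple

WORLD_CIDRS = {"0.0.0.0/0", "::/0"}


def _cidr_of(entry) -> str:
    # Config records ipRanges either as plain strings or as {"cidrIp": ...}
    # / {"cidrIpv6": ...} objects depending on the recorder version.
    if isinstance(entry, dict):
        return entry.get("cidrIp") or entry.get("cidrIpv6") or ""
    return str(entry)


def _permission_covers_port(perm: Dict, port: int) -> bool:
    proto = str(perm.get("ipProtocol", ""))
    if proto == "-1":  # "all traffic": every protocol and every port
        return True
    if proto not in ("tcp", "6"):  # the blocked ports here are TCP services
        return False
    lo, hi = perm.get("fromPort"), perm.get("toPort")
    if lo is None or hi is None:
        return False
    return int(lo) <= port <= int(hi)


def evaluate_security_group(item: Dict, blocked_ports: Iterable[int] = (22,)) -> Dict:
    """Build one PutEvaluations record for a single configuration item."""
    evaluation = {
        "ComplianceResourceType": item.get("resourceType"),
        "ComplianceResourceId": item.get("resourceId"),
        "OrderingTimestamp": item.get("configurationItemCaptureTime"),
    }
    # Deleted resources and other resource types are out of scope.
    if (item.get("resourceType") != "AWS::EC2::SecurityGroup"
            or item.get("configurationItemStatus") == "ResourceDeleted"):
        evaluation.update(ComplianceType="NOT_APPLICABLE",
                          Annotation="Not a live security group")
        return evaluation

    offending: List[str] = []
    for perm in (item.get("configuration") or {}).get("ipPermissions", []):
        ranges = list(perm.get("ipRanges", [])) + list(perm.get("ipv6Ranges", []))
        world = [c for c in (_cidr_of(r) for r in ranges) if c in WORLD_CIDRS]
        if not world:
            continue
        for port in blocked_ports:
            if _permission_covers_port(perm, port):
                offending.append(f"{port} from {','.join(world)}")

    if offending:
        # Annotation is limited to 256 characters by the Config API.
        evaluation.update(ComplianceType="NON_COMPLIANT",
                          Annotation=("Unrestricted ingress: " + "; ".join(offending))[:256])
    else:
        evaluation.update(ComplianceType="COMPLIANT",
                          Annotation="No unrestricted ingress to blocked ports")
    return evaluation


def blocked_ports_from(rule_parameters: str) -> Tuple[int, ...]:
    """Parse the (hypothetical) blockedPorts rule parameter, e.g. "22,3389"."""
    params = json.loads(rule_parameters or "{}")
    return tuple(int(p.strip()) for p in str(params.get("blockedPorts", "22")).split(","))


def lambda_handler(event, context):
    """Entry point invoked by AWS Config on each change to an in-scope resource."""
    invoking = json.loads(event["invokingEvent"])
    ports = blocked_ports_from(event.get("ruleParameters"))

    item = invoking.get("configurationItem")
    if item is None:
        # OversizedConfigurationItemChangeNotification: the item is not inline
        # and would have to be fetched with get_resource_config_history.
        return None
    evaluation = evaluate_security_group(item, ports)

    import boto3  # imported here so the evaluation logic above runs without boto3
    boto3.client("config").put_evaluations(
        Evaluations=[evaluation], ResultToken=event["resultToken"])
    return evaluation
```

Attach the handler to a Config rule scoped to AWS::EC2::SecurityGroup so it is only invoked for changes to security groups; the Lambda execution role needs config:PutEvaluations and nothing else.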
31. Evidence for compliance
Many compliance audits require access to the state of your systems at arbitrary times (e.g., PCI, HIPAA).
A complete inventory of all resources and their configuration attributes is available for any point in time.
32. What resources exist?
• Discover resources that exist in your account
• Discover resources that no longer exist in your account
• A complete inventory of all resources and their configuration attributes is available via API and console
33. What changed?
It is critical to be able to quickly answer, "What has changed?"
You can quickly identify the recent configuration changes to your resources by using the console or by building custom integrations with the regularly exported resource history files.
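An added example of such a custom integration (my code, not AWS's or the deck's): it reads a Config resource history file, groups the configuration items by resource, and diffs each item against the previous capture of the same resource, so the answer to "what changed?" is a list of dotted attribute paths with their old and new values, plus the CloudTrail event IDs Config attaches in relatedEvents. The file layout (gzipped JSON with a top-level configurationItems list) is the real delivery format; the sample history below is constructed, including its security group ID, timestamps and event ID, and shows an SSH rule being widened from a private range to the whole internet.

```python
"""Answer "what changed?" from an AWS Config history file by diffing
consecutive configuration items of each resource.
"""
import gzip
import json
from collections import defaultdict
from typing import Any, Dict, List, Tuple


def load_history_file(path: str) -> Dict:
    """Config delivers history files to S3 as gzipped JSON."""
    with gzip.open(path, "rt", encoding="utf-8") as fh:
        return json.load(fh)


def _flatten(value: Any, prefix: str = "") -> Dict[str, Any]:
    """Flatten nested dicts/lists into {"a.b[0].c": leaf} for field-level comparison."""
    if isinstance(value, dict):
        out: Dict[str, Any] = {}
        for key, sub in value.items():
            out.update(_flatten(sub, f"{prefix}.{key}" if prefix else str(key)))
        return out
    if isinstance(value, list):
        out = {}
        for idx, sub in enumerate(value):
            out.update(_flatten(sub, f"{prefix}[{idx}]"))
        return out
    return {prefix: value}


def diff_items(old: Dict, new: Dict) -> Dict[str, Tuple[Any, Any]]:
    """Return {path: (old_value, new_value)} over configuration and tags; None marks absent."""
    before = _flatten({"configuration": old.get("configuration"), "tags": old.get("tags")})
    after = _flatten({"configuration": new.get("configuration"), "tags": new.get("tags")})
    return {path: (before.get(path), after.get(path))
            for path in sorted(before.keys() | after.keys())
            if before.get(path) != after.get(path)}


def changes_in_history(history: Dict) -> List[Dict]:
    """One report entry per capture that changed or deleted a resource, in time order."""
    by_resource: Dict[Tuple[str, str], List[Dict]] = defaultdict(list)
    for item in history.get("configurationItems", []):
        by_resource[(item["resourceType"], item["resourceId"])].append(item)

    report: List[Dict] = []
    for (rtype, rid), items in by_resource.items():
        items.sort(key=lambda i: i["configurationItemCaptureTime"])
        for prev, cur in zip(items, items[1:]):
            deleted = cur.get("configurationItemStatus") == "ResourceDeleted"
            changes = {} if deleted else diff_items(prev, cur)
            if not deleted and not changes:
                continue
            report.append({
                "resourceType": rtype, "resourceId": rid,
                "from": prev["configurationItemCaptureTime"],
                "to": cur["configurationItemCaptureTime"],
                "deleted": deleted,
                "changes": changes,
                # CloudTrail event IDs Config links to this capture (for "who did it?")
                "relatedEvents": cur.get("relatedEvents", []),
            })
    return report


# Constructed sample history (not real account data): the SSH rule of one
# security group is widened from 10.0.0.0/8 to 0.0.0.0/0 between captures.
SAMPLE_HISTORY = {
    "fileVersion": "1.0",
    "configurationItems": [
        {"resourceType": "AWS::EC2::SecurityGroup", "resourceId": "sg-0123456789abcdef0",
         "configurationItemCaptureTime": "2016-07-01T10:00:00.000Z",
         "configurationItemStatus": "ResourceDiscovered",
         "configuration": {"groupName": "web", "ipPermissions": [
             {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
              "ipRanges": [{"cidrIp": "10.0.0.0/8"}]}]},
         "tags": {"Environment": "Production"}, "relatedEvents": []},
        {"resourceType": "AWS::EC2::SecurityGroup", "resourceId": "sg-0123456789abcdef0",
         "configurationItemCaptureTime": "2016-07-01T10:15:00.000Z",
         "configurationItemStatus": "OK",
         "configuration": {"groupName": "web", "ipPermissions": [
             {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
              "ipRanges": [{"cidrIp": "0.0.0.0/0"}]}]},
         "tags": {"Environment": "Production"},
         "relatedEvents": ["constructed-cloudtrail-event-id"]},
    ],
}


if __name__ == "__main__":
    for entry in changes_in_history(SAMPLE_HISTORY):
        print(json.dumps(entry, indent=2))
```

Run it against a downloaded history file with load_history_file(path) instead of SAMPLE_HISTORY; the relatedEvents IDs can then be looked up in CloudTrail to attribute the change to a principal.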
36. Trusted Advisor
• Trusted Advisor is a system that:
• monitors AWS infrastructure services
• identifies customer configurations
• compares them to known best practices
• surfaces opportunities to save money, improve system performance and close security gaps
37. Trusted Advisor
• Over 2.6 Million recommendations
• More than $350M in estimated cost savings
• Over 40 checks in 4 categories
• Includes a Free Tier
38. AWS Trusted Advisor
Leverage Trusted Advisor to analyze your AWS resources for best practices for
availability, cost, performance and security.
39. AWS security tools: What to use?
AWS Security and Compliance: security of the cloud, plus services and tools to aid security in the cloud
Service | Type | Use cases
Inspector | On-demand evaluations | Security insights into your application deployments running inside your EC2 instances
Config Rules | Continuous evaluations | Codified internal best practices, misconfigurations, security vulnerabilities, or actions on changes
Trusted Advisor | Periodic evaluations | Cost, performance, reliability, and security checks that apply broadly
Speaker notes
View of a simple VPC
View of the same simple VPC with its entire configuration history in time series format.
This data is also stored in an S3 bucket with a complete data set representing changes to all of the configuration relationships from my account.
Every change to a resource causes a new configuration item to be created that captures the new configuration of the resource
Discuss the Four Pillars of being Well Architected and how TA helps you with this.
These are the reasons most of our customers use AWS.
Give some examples of some of the checks in at least two pillars.