The document discusses several Amazon Web Services security tools including Amazon Inspector, AWS Config, and AWS Trusted Advisor. Amazon Inspector is a vulnerability assessment service that automates security scans for EC2 instances. AWS Config allows users to automate the evaluation of AWS resource configurations against security best practices. AWS Trusted Advisor monitors AWS infrastructure and identifies security gaps and cost optimization opportunities based on known best practices.

1. © 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Solutions Architect, Security Specialist
November 3rd, 2016
Towards Full Stack Security
Don Edwards

2. Amazon Inspector
• Vulnerability Assessment Service
• Built from the ground up to support DevSecOps
• Automatable via APIs
• Integrates with CI/CD tools
• On-Demand Pricing model
• Static & Dynamic Rules Packages
• Generates Findings

3. Traditional Security Processes
Asset Owner Security Team
AppSec EngAsset
Scan for Vulnerabilities

4. • It’s not about DevOps + Security
• Not enough security professionals on the planet to do this
• Security teams need their own automation to keep up with automated
deployments!
• Security as code
• Seamless integration with CI/CD pipelines
• Ability to scan and run test suites in parallel
• Ability to automate remediation
• Consumable by APN technology partners as microservices
• www.devsecops.org

5. Inspector Architecture
• Assessment coordination
• Evaluation engine
• Agent installed on
EC2 Instances

6.  Red Hat Enterprise Linux (6.5 or later)
 CentOS (6.5 or later)
 Ubuntu (12.04 LTS, 14.04 LTS or later)
 Amazon Linux (2015.03 or later)
 Microsoft Windows (2012 R2, 2008 R2) - Preview
Linux Kernel Support
 We get kernels at the same time you get them
 It currently takes us 1-2 weeks for build, test & validation
 We’re aiming for 1 day
New Distributions
 Takes a long time
Supported Agent Operating Systems

7. Amazon Inspector
• Rules Packages
• Common Vulnerabilities & Exposures
• CIS Operating System Security Configuration
Benchmarks
• Security Best Practices
• Runtime Behavior Analysis

8. Common Vulnerabilities & Exposures
• Tagged list of publicly known info security issues
• Vulnerabilities
• A mistake in software that can be used to gain unauthorized system
access
• Execute commands as another user
• Pose as another entity
• Conduct a denial of service
• Exposures
• A mistake in software that allows access to information that can lead to
unauthorized system access
• Allows an attacker to hide activities
• Enables information gathering activities

9. CIS Security Configuration Benchmarks
What are they?
 Security configuration guide
 Consensus-based development
process
 PDF versions are free via CIS
website
Inspector automates scanning instances
against the latest benchmark for that OS

10. What’s inside a Benchmark?
What you should do…
Why you should do it…
How to do it…
How to know if you did it…
This is what Inspector does
for you now
(more in future)

11. Runtime Behavior Analysis
• Package analyzes machine behavior during an assessment
• Unused listening ports
• Insecure client protocols
• Root processed with insecure permissions
• Insecure server protocols
• Impacts the severity of static findings

12. Pricing
• Free Trial
• 250 agent-assessments for first 90 days using the service
• Based on Agent-Assessments
• 1 assessment with 10 agents = 10 agent-assessments
• 5 assessments with 2 agents = 10 agent-assessments
• 10 assessments with 1 agent = 10 agent-assessments
• 10 agent-assessments = $3.00
First 250 agent-assessments:
Next 750 agent-assessments:
Next 4000 agent-assessments:
Next 45,000 agent-assessments:
All other agent-assessments:
$0.30
$0.25
$0.15
$0.10
$0.05

13. Regions Supported
 GA
 US West (Oregon)
 EU (Ireland)
 US East (Virginia)
 Asia Pacific (Tokyo)
 July 2016 (deployed)
 Asia Pacific (Sydney)
 Asia Pacific (Seoul)
 Fall 2016
 Asia Pacific (India)
 Europe (London)
 Europe (Frankfurt)

15. Launch Partners

16. AWS Config
• Get inventory of AWS resources
• Discover new and deleted resources
• Record configuration changes continuously
• Get notified when configurations change

17. NormalizeRecordChanging
Resources
AWS Config
Deliver
Stream
Snapshot (ex. 2014-11-05)
AWS Config
APIs
Store
History

18. AWS Config – VPC Example

19. AWS Config – VPC Example

20. AWS Config Rules – Tenancy Enforcement Example

21. AWS Config Rules – Tenancy Enforcement Example

22. AWS Config Rules – Tenancy Enforcement Example

23. Config Rules
• Set up rules to check configuration changes recorded
• Use pre-built rules provided by AWS
• Author custom rules using AWS Lambda
• Invoked automatically for continuous assessment
• Use dashboard for visualizing compliance and identifying
offending changes

24. NormalizeRecordChanging
Resources
AWS Config & Config Rules
Deliver
Stream
Snapshot (ex. 2014-11-05)
AWS Config
APIs
Store
History
Rules

25. Config Rule
• AWS managed rules
Defined by AWS
Require minimal (or no) configuration
Rules are managed by AWS
• Customer managed rules
Authored by you using AWS Lambda
Rules execute in your account
You maintain the rule
A rule that checks the validity of configurations recorded

26. Config Rules - Triggers
• Triggered by changes: Rules invoked when relevant resources
change
Scoped by changes to:
• Tag key/value
• Resource types
• Specific resource ID
e.g. EBS volumes tagged “Production” should be attached to EC2 instances
• Triggered periodically: Rules invoked at specified frequency
e.g. Account should have no more than 3 “PCI v3” EC2 instances; every 3 hrs

27. Evaluations
The result of evaluating a Config rule against a resource
• Report evaluation of {Rule, ResourceType, ResourceID}
directly from the rule itself

28. Config Rules - Example
function evaluateCompliance(configurationItem, ruleParameters) {
if((configurationItem.configuration.imageId === ruleParameters.approvedImage1) ||
(configurationItem.configuration.imageId === ruleParameters.approvedImage2))
return 'COMPLIANT';
else return 'NON_COMPLIANT';
}
exports.handler = function(event, context) {
var invokingEvent = JSON.parse(event.invokingEvent);
var ruleParameters = JSON.parse(event.ruleParameters);
...
compliance = evaluateCompliance(invokingEvent.configurationItem, ruleParameters, context);
ComplianceResourceType: invokingEvent.configurationItem.resourceType,
ComplianceResourceId: invokingEvent.configurationItem.resourceId,
ComplianceType: compliance,
..,
config.putEvaluations(putEvaluationsRequest, function (err, data)

29. AWS managed rules
1. All EC2 instances must be inside a VPC.
2. All attached EBS volumes must be encrypted, with KMS ID.
3. CloudTrail must be enabled, optionally with S3 bucket, SNS topic
and CloudWatch Logs.
4. All security groups in attached state should not have unrestricted
access to port 22.
5. All EIPs allocated for use in the VPC are attached to instances.
6. All resources being monitored must be tagged with specified tag
keys:values.
7. All security groups in attached state should not have unrestricted
access to these specific ports.

30. Custom rules
• Codify and automate your own practices
• Get started with samples in AWS Lambda
• Implement guidelines for security best practices and
compliance
• Use rules from different AWS Partners
• View compliance in one dashboard

31. Evidence for compliance
Many compliance audits require
access to the state of your
systems at arbitrary times (i.e.,
PCI, HIPAA).
A complete inventory of all
resources and their configuration
attributes is available for any
point in time.
But what does a jellyfish have
to do with compliance?

32. What resources exist?
Discover resources that exist in
your account
Discover resources that no longer
exist in your account
A complete inventory of all
resources and their configuration
attributes available via API and
console

33. What changed?
It is critical to be able to quickly
answer, “What has changed?”
You can quickly identify the
recent configuration changes to
your resources by using the
console or by building custom
integrations with the regularly
exported resource history files.

34. Supported resource types
Resource Type Resource
Amazon EC2 EC2 Instance
EC2 Elastic IP (VPC only)
EC2 Security Group
EC2 Network Interface
Amazon EBS EBS Volume
Amazon VPC VPCs
Network ACLs
Route Table
Subnet
VPN Connection
Internet Gateway
Customer Gateway
VPN Gateway
AWS CloudTrail Trail

35. Trusted Advisor
AWS Trusted
Advisor

36. Trusted Advisor
• Trusted Advisor is a system that:
• monitors AWS infrastructure services
• identifies customer configurations
• compares them to known best practices
• opportunities exist to save money
• improve system performance
• close security gaps
AWS Trusted
Advisor

37. Trusted Advisor
• Over 2.6 Million recommendations
• More than $350M in estimated cost savings
• Over 40 checks in 4 categories
• Includes a Free Tier

38. AWS Trusted Advisor
Leverage Trusted Advisor to analyze your AWS resources for best practices for
availability, cost, performance and security.

39. AWS security tools: What to use?
AWS Security and Compliance
Security of the cloud
Services and tools to aid
security in the cloud
Service Type Use cases
On-demand
evaluations
Security insights into your
application deployments
running inside your EC2
instance
Continuous
evaluations
Codified internal best
practices, misconfigurations,
security vulnerabilities, or
actions on changes
Periodic evaluations
Cost, performance, reliability,
and security checks that apply
broadly
Inspector
Config
Rules
Trusted
Advisor