Augmenting Security Posture and Improving Operational Health with AWS CloudTrail (SEC323-R1) - AWS re:Invent 2018
© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Augmenting Security Posture and
Improving Operational Health with
AWS CloudTrail
Sam Koppes
Senior Product Manager
Amazon Web Services
SEC323
What to expect from this session
Explore AWS CloudTrail features
Securing your event log and best practices
Use cases for augmenting security analysis and operational
troubleshooting
Monitoring and automated response workflows
AWS Management Tools
Integrated & interoperable
AWS CloudTrail enables…
Track activity across teams, accounts,
and organizations in one place, in a
consistent format
Explore activity using a single set of
tools, and respond to activity in minutes
As AWS innovates, new services and
features are covered automatically
With AWS CloudTrail you can…
Simplify compliance workflows
Keep track of API usage in a single
location, simplifying audit and compliance
processes
Enhance security analysis
Perform security analysis and detect user
behavior patterns across services, users,
and accounts
Monitor data exfiltration risks
Stay alert to data exfiltration risks by
collecting activity data on Amazon Simple
Storage Service (Amazon S3) objects
through object-level API events
Perform operational
troubleshooting
Simplify root cause analysis using
CloudTrail events, to reduce time to
resolution
AWS CloudTrail events
Integrated with over 130 AWS
services
Automatically gather usage
activity
Record event details, such as
operation, principal, request and
response attributes
Deliver events to central locations
Event types
Management events
Resource control actions, such as update and delete
actions on an Amazon Elastic Compute Cloud (Amazon
EC2) instance
Generally infrequent compared to data events
Available from nearly all services
Data events
Fine-grained actions, such as reading from an object in
Amazon S3
Can be very high frequency events
Available for Amazon S3 and AWS Lambda
Event delivery
Deliver events to Amazon S3
Optionally deliver events to Amazon
CloudWatch Logs
Central collection across accounts and
regions if desired
Delivery is typically <15 minutes at 99th
percentile
Some services have delivery times of <5 minutes at
99th percentile
Configuring trails
A resource which turns on event capture
and delivery
Includes a set of event filters to define
which events you are interested in
Defines a set of delivery destinations to
select where you want the events stored
Set up through the AWS Console, API, or
AWS Command Line Interface (AWS CLI)
Design your trail architecture
Who will consume the information?
DevOps, security teams, central compliance authorities…
What types of information do I need?
Read actions, information about changes, data-level activity…
Where do I want my events delivered?
Event History (management events, last 90 days only), durable storage with random
access in Amazon S3, Amazon CloudWatch Logs…
What regions do I need to be in?
Probably all!
Best practices for trail configuration
• Create a trail in all regions in each account (Management Events only)
• Create additional trails for use cases which have specific requirements
• Deliver multiple accounts to a single bucket
• Make sure that different accounts are using their own key prefixes (should be on by default)
• Set up the bucket policy
• Key prefix-based policy with restrictions
• Monitor for data exfiltration and critical function usage
• Understand account usage patterns
• What are your top events?
• What are your trends over time?
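The "set up the bucket policy" and "key prefix-based policy with restrictions" bullets are where multi-account delivery goes wrong in practice: CloudTrail writes under AWSLogs/<account-id>/ by default, and the bucket policy should only allow the CloudTrail service principal to put objects under the prefixes of the accounts you expect. A statement that allows PutObject on the whole bucket lets a trail in any other AWS account deliver into yours. The following is an added example (not code from the deck) that builds such a policy and lints an existing one; the bucket name and account IDs are placeholders.

```python
"""Build and lint a CloudTrail delivery-bucket policy that pins each source
account to its own AWSLogs/<account-id>/ key prefix.

Added example; bucket name and account IDs below are constructed placeholders.
"""
import json

CLOUDTRAIL_PRINCIPAL = {"Service": "cloudtrail.amazonaws.com"}


def cloudtrail_bucket_policy(bucket: str, account_ids) -> dict:
    """Return the bucket policy CloudTrail needs to deliver logs from the given
    accounts into `bucket`: one ACL-check statement plus one PutObject
    statement per account, each limited to that account's own prefix."""
    statements = [{
        "Sid": "AWSCloudTrailAclCheck",
        "Effect": "Allow",
        "Principal": CLOUDTRAIL_PRINCIPAL,
        "Action": "s3:GetBucketAcl",
        "Resource": f"arn:aws:s3:::{bucket}",
    }]
    for account in sorted(account_ids):
        statements.append({
            "Sid": f"AWSCloudTrailWrite{account}",
            "Effect": "Allow",
            "Principal": CLOUDTRAIL_PRINCIPAL,
            "Action": "s3:PutObject",
            # The prefix is the control: CloudTrail may only write under this
            # account's path, so a trail in a foreign account cannot deliver
            # into (or pollute) this bucket.
            "Resource": f"arn:aws:s3:::{bucket}/AWSLogs/{account}/*",
            "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}},
        })
    return {"Version": "2012-10-17", "Statement": statements}


def unpinned_write_statements(policy: dict, bucket: str) -> list:
    """Return the Sids of statements that let the CloudTrail service write to
    any resource not pinned to a single AWSLogs/<12-digit-account>/ prefix."""
    pinned_prefix = f"arn:aws:s3:::{bucket}/AWSLogs/"
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or stmt.get("Principal") != CLOUDTRAIL_PRINCIPAL:
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if "s3:PutObject" not in actions and "s3:*" not in actions:
            continue
        resources = stmt.get("Resource", [])
        resources = [resources] if isinstance(resources, str) else resources
        for res in resources:
            rest = res[len(pinned_prefix):] if res.startswith(pinned_prefix) else ""
            account = rest.split("/", 1)[0]
            if not (account.isdigit() and len(account) == 12):
                findings.append(stmt.get("Sid", "<no Sid>"))
                break
    return findings


if __name__ == "__main__":
    policy = cloudtrail_bucket_policy("org-cloudtrail-logs", ["222222222222", "111111111111"])
    print(json.dumps(policy, indent=2))
    print("unpinned:", unpinned_write_statements(policy, "org-cloudtrail-logs"))
```

Organization trails deliver under AWSLogs/<org-id>/<account-id>/, so the lint above has to be taught the extra path element before it is run against an org-trail bucket; and on current AWS the PutObject statement can additionally be tied to the trail itself with an aws:SourceArn condition.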
Common planning mistakes
Assumptions can lead to painful lessons
Tip: think about your perimeter and your troubleshooting story, then design your AWS
CloudTrail architecture to match. Pay attention to best practices to avoid painful
lessons.
• “I’ll turn on AWS CloudTrail, then everything will be logged.”
• “I’m logging the important regions.”
• “We don’t need all the events, we just need write events.”
• “I keep my logs in a secret Amazon S3 bucket no one knows about.”
Why secure the event logs?
Event logs establish accountability
Gaps in the logs can cover malicious
acts, or make diagnostic analysis
challenging
Accuracy and completeness help move
investigations faster
Secure your event logs
Turn on log file validation
(integrity checking via signed digest files; not the same as encryption!)
Encrypt log data with your own
KMS key
Enable access logging for delivery
bucket
Turn on MFA Delete (requires bucket versioning)
on the AWS CloudTrail bucket
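Log file validation is worth understanding at the data level: with it enabled, CloudTrail writes an hourly digest file listing each delivered log file with its SHA-256 hash, each digest names the previous digest and its hash, and each digest is signed (SHA256withRSA) with a CloudTrail key you can fetch with `aws cloudtrail list-public-keys`. A deleted log file shows up as a listed object that is gone; a modified one as a hash mismatch; a removed digest as a broken chain. The block below is an added example, not code from the deck or from AWS: it performs the hash and chain checks offline on constructed objects, and builds the documented string-to-sign so the signature can be checked with an RSA library. It hashes the uncompressed content, as the digest format documentation describes; confirm against `aws cloudtrail validate-logs` before relying on it.

```python
"""Offline check of CloudTrail log file validation data.

Added example, not from the deck. Follows the documented digest format: each
digest lists log files with a SHA-256 hashValue, and previousDigestHashValue
is the SHA-256 of the previous digest's content. Hashes are taken over the
uncompressed content (assumption from the documentation; confirm with
`aws cloudtrail validate-logs`). All objects below are constructed stand-ins.
"""
import gzip
import hashlib
import json


def content_hash(stored_object: bytes) -> str:
    """SHA-256 (hex) of an S3 object's content once gunzipped."""
    return hashlib.sha256(gzip.decompress(stored_object)).hexdigest()


def check_log_files(digest: dict, objects: dict) -> list:
    """Compare each log file listed in `digest` with what is in the bucket.
    `objects` maps S3 keys to stored (gzip) bytes. Returns (key, problem)
    pairs; an empty list means every listed file is present and unmodified."""
    problems = []
    for entry in digest["logFiles"]:
        key = entry["s3Object"]
        if entry.get("hashAlgorithm") != "SHA-256":
            problems.append((key, "unexpected hashAlgorithm"))
        elif key not in objects:
            problems.append((key, "missing"))          # gap: deleted or never delivered
        elif content_hash(objects[key]) != entry["hashValue"]:
            problems.append((key, "hash mismatch"))   # modified after delivery
    return problems


def chain_intact(digest: dict, previous_digest_object: bytes) -> bool:
    """True if `digest` points at exactly the previous digest object given."""
    return digest["previousDigestHashValue"] == content_hash(previous_digest_object)


def digest_string_to_sign(digest: dict, digest_object: bytes) -> str:
    """Documented SHA256withRSA input for a digest: end time, bucket/key, hex
    SHA-256 of the digest content and the previous signature, newline
    separated. Verify it with the public key from `aws cloudtrail
    list-public-keys` (matched by digestPublicKeyFingerprint) against the
    signature stored in the object's x-amz-meta-signature metadata."""
    return "\n".join([
        digest["digestEndTime"],
        f"{digest['digestS3Bucket']}/{digest['digestS3Object']}",
        content_hash(digest_object),
        digest["previousDigestSignature"],
    ])


def gz(obj) -> bytes:
    """Store a JSON document the way CloudTrail does: gzip-compressed."""
    return gzip.compress(json.dumps(obj).encode())


# Constructed sample bucket contents (placeholder account ID and keys).
BUCKET = "org-cloudtrail-logs"
LOG_KEY = "AWSLogs/111111111111/CloudTrail/us-east-1/2018/10/25/111111111111_CloudTrail_us-east-1_20181025T0540Z_sample.json.gz"
PREV_DIGEST_KEY = "AWSLogs/111111111111/CloudTrail-Digest/us-east-1/2018/10/25/111111111111_CloudTrail-Digest_us-east-1_trail_us-east-1_20181025T050131Z.json.gz"
DIGEST_KEY = "AWSLogs/111111111111/CloudTrail-Digest/us-east-1/2018/10/25/111111111111_CloudTrail-Digest_us-east-1_trail_us-east-1_20181025T060131Z.json.gz"

OBJECTS = {
    LOG_KEY: gz({"Records": [{"eventName": "DescribeInstances", "eventSource": "ec2.amazonaws.com"}]}),
    PREV_DIGEST_KEY: gz({"logFiles": []}),
}
DIGEST = {
    "digestEndTime": "2018-10-25T06:01:31Z",
    "digestS3Bucket": BUCKET,
    "digestS3Object": DIGEST_KEY,
    "previousDigestS3Object": PREV_DIGEST_KEY,
    "previousDigestHashValue": content_hash(OBJECTS[PREV_DIGEST_KEY]),
    "previousDigestSignature": "00" * 256,  # placeholder for a real RSA signature (hex)
    "logFiles": [{"s3Object": LOG_KEY, "hashAlgorithm": "SHA-256",
                  "hashValue": content_hash(OBJECTS[LOG_KEY])}],
}
OBJECTS[DIGEST_KEY] = gz(DIGEST)

if __name__ == "__main__":
    print(check_log_files(DIGEST, OBJECTS))                       # [] when intact
    print(chain_intact(DIGEST, OBJECTS[PREV_DIGEST_KEY]))          # True
    tampered = {**OBJECTS, LOG_KEY: gz({"Records": []})}          # an event removed
    print(check_log_files(DIGEST, tampered))                      # hash mismatch
```

The checks only prove what the digests say; if an attacker can delete both log files and the digests that list them, the gap is visible only as a break between surviving digests, which is why the deck pairs validation with a restricted bucket policy and MFA Delete.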
Build a plan for implementing your strategy
Automated or manual trail provisioning
Take into account labor costs compared to
opportunities for operational mistakes
Think through the account deployment process to
address security vulnerabilities
Identify manager and consumer roles
Define who can change configurations, and who can
access event logs
Set up IAM policies for AWS CloudTrail, Amazon S3
buckets, and Amazon CloudWatch Log groups
Introducing organization trails
Configure trail in one account
(master), and it appears in all
member accounts
Automatically deliver events to a
central location
Automatically add trails to accounts
that are added to the org
Configuring organization trails (AWS Console)
Use AWS Budgets and notifications
Maintain awareness of your
spend
Identify changes in trends
React quickly if a major change
occurs
Configuring AWS Budgets (AWS Console)
What have we covered so far in this session?
Talked about AWS Management Tools and AWS CloudTrail
Finished an overview of AWS CloudTrail capabilities
Set up a secure foundation for tracking and exploring account activity
Explored how to maintain awareness of costs
The parts of an AWS CloudTrail event
Source identity
“userIdentity” attribute, identifies the
originating IAM principal or service
Event source
"eventSource" attribute, identifies the service
endpoint that received the request (for example
ec2.amazonaws.com); where the call came from is in
"sourceIPAddress", which holds a service name when
another AWS service made the call on your behalf
Request parameters
All call context passed to the API call
Response elements
The complete response from the invoked
service
{
"eventVersion": "1.05",
"userIdentity": { … },
"eventTime": "2018-10-25T05:38:46Z",
"eventSource": "ec2.amazonaws.com",
"eventName": "DescribeInstances",
"awsRegion": "us-east-1",
"sourceIPAddress": "elasticmapreduce.amazonaws.com",
"userAgent": "elasticmapreduce.amazonaws.com",
"requestParameters": { … },
"responseElements": { … },
"requestID": "824095df-1e40-4438-9ddc-c8604ba2d5de",
"eventID": "fdcf5d5e-3e05-49b7-a33d-229e54e2110b",
"eventType": "AwsApiCall",
"recipientAccountId": "128171205400"
}
More details about event contents
Source identity
"userIdentity": {
"type": "AssumedRole",
"principalId": "AROAIII4C2I3C…:CCSSession",
"arn": "arn:aws:sts::12817120…",
"accountId": "128171205400",
"sessionContext": {
"attributes": {
"mfaAuthenticated": "false",
"creationDate": "2018-10-25T05:38:46Z"
},
"sessionIssuer": {
"type": "Role",
"principalId": "AROAIII4C2I3CYR7URV2U",
"arn": "arn:aws:iam::12817120…",
"accountId": "128171205400",
"userName": "EMR_DefaultRole"
}
},
"invokedBy": "elasticmapreduce.amazonaws.com"
}
Request/Response information
"requestParameters": {
"roleArn": "arn:aws:iam::12817120…",
"roleSessionName": "CCSSession",
"durationSeconds": 1500
},
"responseElements": {
"credentials": {
"accessKeyId": "ASIAR3V4ZMMMFHFU42X5",
"expiration": "Oct 25, 2018 6:03:46 AM",
"sessionToken": "…"
}
}
AWS CloudTrail search and browse tools
Event History (AWS Console)
lookup-events command (AWS CLI)
LookupEvents action (API)
All experiences support filtering
with a single filter
Use Amazon Athena for SQL-style searches
Automatically import event data
into Amazon Athena table
Perform queries against
snapshots of AWS CloudTrail
data
Integrated with AWS CloudTrail
via the AWS Console
Use CloudWatch Logs Insights for lightweight queries
Run queries against AWS CloudTrail
events in Amazon CloudWatch Logs
Provides simple or complex multi-
attribute search
Uses a streamlined simple query
language for fast query authoring
Supports common data set
manipulation commands
Understanding usage patterns
Baseline IAM activity
Top IAM users, root account
activity
Explore console sign-in
Explore source IP address
distribution
Investigate suspicious user
activity
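The baseline questions above (who are the top principals, is the root account in use, which source addresses appear, are sign-ins protected by MFA) are answered from the fields shown in the event structure section: userIdentity.type, sessionContext.sessionIssuer for an assumed role, invokedBy when a service acted on your behalf, sourceIPAddress, and additionalEventData.MFAUsed on ConsoleLogin events. The following is an added example, not code from the deck: it resolves the acting principal for each record shape, counts a baseline, applies a few detection rules, and emits the equivalent CloudWatch Logs metric filter for IAM policy changes that the later "Enabling notifications" section refers to. The records are constructed (placeholder account, IDs and IPs).

```python
"""Baseline and suspicious-activity checks over CloudTrail records.

Added example, not from the deck. Records come from the JSON log files a trail
delivers ({"Records": [...]}). The four records below are constructed and
mirror the userIdentity shapes on the slides: Root, IAMUser, and an AssumedRole
session invoked by a service.
"""
from collections import Counter

# IAM mutations a metric filter for "IAM configuration changes" watches.
IAM_POLICY_CHANGE_EVENTS = {
    "DeleteGroupPolicy", "DeleteRolePolicy", "DeleteUserPolicy",
    "PutGroupPolicy", "PutRolePolicy", "PutUserPolicy",
    "CreatePolicy", "DeletePolicy", "CreatePolicyVersion", "DeletePolicyVersion",
    "AttachRolePolicy", "DetachRolePolicy", "AttachUserPolicy", "DetachUserPolicy",
    "AttachGroupPolicy", "DetachGroupPolicy",
}


def actor(record: dict) -> str:
    """Short label for who acted, resolving assumed roles to the issuing role."""
    ident = record.get("userIdentity", {})
    kind = ident.get("type")
    if kind == "Root":
        return "root"
    if kind == "IAMUser":
        return f"user/{ident.get('userName')}"
    if kind == "AssumedRole":
        role = ident.get("sessionContext", {}).get("sessionIssuer", {}).get("userName")
        via = ident.get("invokedBy")  # service that used the role on your behalf
        return f"role/{role}" + (f" via {via}" if via else "")
    if kind == "AWSService":
        return f"service/{ident.get('invokedBy')}"
    return f"{kind}/{ident.get('principalId')}"


def mfa_used(record: dict) -> bool:
    """ConsoleLogin reports MFA in additionalEventData; API calls in the session."""
    if record.get("eventName") == "ConsoleLogin":
        return record.get("additionalEventData", {}).get("MFAUsed") == "Yes"
    attrs = record.get("userIdentity", {}).get("sessionContext", {}).get("attributes", {})
    return attrs.get("mfaAuthenticated") == "true"


def baseline(records) -> tuple:
    """Counts by actor, by service:operation, and by source address."""
    by_actor = Counter(actor(r) for r in records)
    by_event = Counter(f"{r.get('eventSource')}:{r.get('eventName')}" for r in records)
    by_ip = Counter(r.get("sourceIPAddress") for r in records)
    return by_actor, by_event, by_ip


def findings(records) -> list:
    """(rule, eventID) pairs for the conditions the deck says to watch."""
    out = []
    for r in records:
        ev, src = r.get("eventName"), r.get("eventSource")
        if r.get("userIdentity", {}).get("type") == "Root":
            out.append(("root-activity", r["eventID"]))
        if ev == "ConsoleLogin" and r.get("responseElements", {}).get("ConsoleLogin") == "Success" \
                and not mfa_used(r):
            out.append(("console-login-without-mfa", r["eventID"]))
        if src == "iam.amazonaws.com" and ev in IAM_POLICY_CHANGE_EVENTS and not r.get("errorCode"):
            out.append(("iam-policy-change", r["eventID"]))
        if r.get("errorCode") in ("AccessDenied", "UnauthorizedOperation"):
            out.append(("access-denied", r["eventID"]))  # failed attempts are signal too
    return out


def metric_filter_pattern(event_names) -> str:
    """CloudWatch Logs metric filter equivalent of the iam-policy-change rule."""
    clauses = " || ".join(f"($.eventName = {n})" for n in sorted(event_names))
    return "{ ($.eventSource = iam.amazonaws.com) && (" + clauses + ") }"


SAMPLE_RECORDS = [  # constructed
    {"eventID": "e1", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "Root", "principalId": "111111111111",
                      "arn": "arn:aws:iam::111111111111:root", "accountId": "111111111111"},
     "additionalEventData": {"MFAUsed": "No"}, "responseElements": {"ConsoleLogin": "Success"}},
    {"eventID": "e2", "eventSource": "iam.amazonaws.com", "eventName": "PutUserPolicy",
     "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice", "accountId": "111111111111"}},
    {"eventID": "e3", "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "sourceIPAddress": "elasticmapreduce.amazonaws.com",
     "userIdentity": {"type": "AssumedRole", "invokedBy": "elasticmapreduce.amazonaws.com",
                      "sessionContext": {"attributes": {"mfaAuthenticated": "false"},
                                         "sessionIssuer": {"type": "Role", "userName": "EMR_DefaultRole"}}}},
    {"eventID": "e4", "eventSource": "iam.amazonaws.com", "eventName": "AttachUserPolicy",
     "sourceIPAddress": "198.51.100.7", "errorCode": "AccessDenied",
     "userIdentity": {"type": "IAMUser", "userName": "bob", "accountId": "111111111111"}},
]

if __name__ == "__main__":
    by_actor, by_event, by_ip = baseline(SAMPLE_RECORDS)
    print(by_actor.most_common(), by_ip.most_common(), sep="\n")
    print(findings(SAMPLE_RECORDS))
    print(metric_filter_pattern(IAM_POLICY_CHANGE_EVENTS))
```

Run the same functions over a day's worth of real records to get the "top events" and "trends" the trail-configuration slide asks for; the rules are deliberately simple so they can be lifted directly into metric filters or an Athena WHERE clause.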
Exploring operational problems
Establish a baseline for
operational activity
Understand account-wide error
patterns
View time-slices of activity to
identify possible root causes
Enabling notifications
Learn about changes in your account activity
patterns in minutes (or less)
Set up Amazon CloudWatch metric filters to
alert on changes to IAM configuration
Use Amazon CloudWatch Alarms to configure
custom triggers and thresholds
Use AWS Config for configuration change
awareness
Automated security protection
Amazon GuardDuty
Continuous monitoring of security across
your account
Identify risky activity
Provides reports, and optional alerts
through Amazon CloudWatch Events
Amazon Macie
Discover, classify, and protect sensitive data
Monitors data usage to identify risks
Raises alarms when risk is identified
Automatic remediation
Detect unauthorized changes to
policy
Trigger workflows to automatically
correct vulnerabilities through
Amazon CloudWatch Events
Implement custom remediation logic
using AWS Lambda
Remediate data exfiltration risk
Detect changes
to Amazon S3
bucket ACLs
Automatically set ACLs
according to policy
Catch emerging
data exfiltration
vulnerabilities in
seconds
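A concrete shape for this workflow: a CloudWatch Events rule matches the CloudTrail PutBucketAcl API call, and a Lambda function inspects the event's requestParameters and resets the ACL when it grants to AllUsers or AuthenticatedUsers. The one thing that must be designed in from the start is the loop the deck warns about under "Lambda infinite loops": the function's own PutBucketAcl is itself logged by CloudTrail and re-triggers the rule. The block below is an added example, not code from the deck. It assumes the function runs under a role named S3AclRemediationRole and that the requestParameters layout matches what CloudTrail records for PutBucketAcl (a canned ACL as "x-amz-acl", explicit grants under AccessControlPolicy); the events are constructed.

```python
"""Event-driven remediation of public S3 bucket ACLs, with a loop guard.

Added example (not the deck's code). Assumes a CloudWatch Events rule for
CloudTrail PutBucketAcl calls feeding a Lambda that runs as REMEDIATION_ROLE,
and the PutBucketAcl requestParameters layout named below (an assumption from
observed events). The S3 client is injectable so the logic runs offline.
"""
PUBLIC_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
PUBLIC_CANNED_ACLS = {"public-read", "public-read-write", "authenticated-read"}
REMEDIATION_ROLE = "S3AclRemediationRole"  # assumed name of the Lambda's execution role


def acl_is_public(request_parameters: dict) -> bool:
    """True if the PutBucketAcl request grants to everyone or to all AWS users."""
    canned = request_parameters.get("x-amz-acl")
    if isinstance(canned, list):
        canned = canned[0] if canned else None
    if canned in PUBLIC_CANNED_ACLS:
        return True
    grants = (request_parameters.get("AccessControlPolicy", {})
              .get("AccessControlList", {}).get("Grant", []))
    if isinstance(grants, dict):  # a single grant is recorded as an object, not a list
        grants = [grants]
    return any(g.get("Grantee", {}).get("URI") in PUBLIC_GRANTEES for g in grants)


def caused_by_remediator(detail: dict) -> bool:
    """Loop guard: our own PutBucketAcl comes back as an AssumedRole event
    whose sessionIssuer is the remediation role."""
    issuer = detail.get("userIdentity", {}).get("sessionContext", {}).get("sessionIssuer", {})
    return issuer.get("userName") == REMEDIATION_ROLE


def decide(detail: dict) -> str:
    """Return 'ignore', 'skip-self' or 'remediate' for one CloudTrail record."""
    if detail.get("eventName") != "PutBucketAcl":
        return "ignore"
    if caused_by_remediator(detail):
        return "skip-self"
    if detail.get("errorCode"):  # the call failed, so nothing changed
        return "ignore"
    if not acl_is_public(detail.get("requestParameters", {})):
        return "ignore"
    return "remediate"


def handler(event, context, s3_client=None) -> str:
    """Lambda entry point; `event["detail"]` is the CloudTrail record."""
    detail = event["detail"]
    action = decide(detail)
    if action == "remediate":
        if s3_client is None:
            import boto3  # only needed inside Lambda; injected client keeps tests offline
            s3_client = boto3.client("s3")
        s3_client.put_bucket_acl(Bucket=detail["requestParameters"]["bucketName"], ACL="private")
    return action


# Constructed sample events (placeholder account, bucket and IDs).
PUBLIC_GRANT_EVENT = {
    "eventName": "PutBucketAcl", "eventSource": "s3.amazonaws.com",
    "userIdentity": {"type": "IAMUser", "userName": "alice", "accountId": "111111111111"},
    "requestParameters": {"bucketName": "example-data-bucket", "AccessControlPolicy": {
        "AccessControlList": {"Grant": [{"Grantee": {"xsi:type": "Group",
            "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"}]}}},
}
SELF_EVENT = {  # echo of our own fix; must not trigger another fix
    "eventName": "PutBucketAcl", "eventSource": "s3.amazonaws.com",
    "userIdentity": {"type": "AssumedRole", "sessionContext": {
        "sessionIssuer": {"type": "Role", "userName": REMEDIATION_ROLE}}},
    "requestParameters": {"bucketName": "example-data-bucket", "x-amz-acl": ["private"]},
}
PRIVATE_EVENT = {
    "eventName": "PutBucketAcl", "eventSource": "s3.amazonaws.com",
    "userIdentity": {"type": "IAMUser", "userName": "alice", "accountId": "111111111111"},
    "requestParameters": {"bucketName": "example-data-bucket", "x-amz-acl": ["private"]},
}

if __name__ == "__main__":
    for d in (PUBLIC_GRANT_EVENT, SELF_EVENT, PRIVATE_EVENT):
        print(decide(d))
```

The guard trusts the role name, so the remediation role must be assumable only by the function (otherwise a caller who can assume it bypasses the fix). The same decide/act split carries over to the Lambda permissions case on the next slide: match AddPermission on the function's resource policy and reverse grants to Principal "*".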
Remediate unauthorized use of AWS Lambda
functions
Detect changes to
permissions
protecting function
use
Automatically set
permissions to conform
to policy
Reduce the risk of
unauthorized
function use in
seconds
Enhance your toolset with third-party offerings
• Custom log management
• Complex query capabilities
• Multi-data source views
• Automatic analysis
• Threat detection
• Operational health
monitoring
Understand AWS CloudTrail’s pricing model
Events charged based on the
number of events delivered
First copy of Management
Events is not charged! Second+
copy is $2/100k events.
Data events are $0.10/100k
events.
• Example 1
• Trail A captures read management
events. (100k events)
• Trail B captures write management
events. (100k events)
• All events are not charged!
• Example 2
• Trail A captures all management
events. (200k events)
• Trail B captures write management
events. (100k events)
• Price is $2, and only the events from
trail B are charged (second copy of
write events).
Things to think about…
Creation of secondary trails
Understand AWS CloudTrail’s pricing model, and put policies in place in your
organization governing trail creation.
Bursts in volume due to changes in services (for example, Amazon DynamoDB
encryption at rest)
Monitor your AWS CloudTrail events, and set up guardrails around costs.
Lambda infinite loops
Beware of automatic remediation workflows that can call themselves.
What did we cover today?
Finished a survey of AWS
CloudTrail capabilities
Set up a secure foundation for
tracking and exploring account
activity
Manage costs
Exploring events
Security analysis and
operational troubleshooting
Implementing active
monitoring
Automating response workflow
Third-party tools
Thank you!
Sam Koppes
skoppes@amazon.com
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...Amazon Web Services
 
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...Amazon Web Services
 
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows WorkloadsMicrosoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows WorkloadsAmazon Web Services
 
Database Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatareDatabase Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatareAmazon Web Services
 
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJSCrea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJSAmazon Web Services
 
API moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAPI moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAmazon Web Services
 
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareDatabase Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareAmazon Web Services
 
Tools for building your MVP on AWS
Tools for building your MVP on AWSTools for building your MVP on AWS
Tools for building your MVP on AWSAmazon Web Services
 
How to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckHow to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckAmazon Web Services
 
Building a web application without servers
Building a web application without serversBuilding a web application without servers
Building a web application without serversAmazon Web Services
 
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...Amazon Web Services
 
Introduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceIntroduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceAmazon Web Services
 

Más de Amazon Web Services (20)

Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
 
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
 
Esegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS FargateEsegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS Fargate
 
Costruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWSCostruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWS
 
Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot
 
Open banking as a service
Open banking as a serviceOpen banking as a service
Open banking as a service
 
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
 
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
 
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows WorkloadsMicrosoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
 
Computer Vision con AWS
Computer Vision con AWSComputer Vision con AWS
Computer Vision con AWS
 
Database Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatareDatabase Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatare
 
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJSCrea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
 
API moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAPI moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e web
 
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareDatabase Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
 
Tools for building your MVP on AWS
Tools for building your MVP on AWSTools for building your MVP on AWS
Tools for building your MVP on AWS
 
How to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckHow to Build a Winning Pitch Deck
How to Build a Winning Pitch Deck
 
Building a web application without servers
Building a web application without serversBuilding a web application without servers
Building a web application without servers
 
Fundraising Essentials
Fundraising EssentialsFundraising Essentials
Fundraising Essentials
 
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
 
Introduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceIntroduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container Service
 

Augmenting Security Posture and Improving Operational Health with AWS CloudTrail (SEC323-R1) - AWS re:Invent 2018

2. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Augmenting Security Posture and Improving Operational Health with AWS CloudTrail
Sam Koppes
Senior Product Manager
Amazon Web Services
SEC323

3. What to expect from this session
Explore AWS CloudTrail features
Securing your event log and best practices
Use cases for augmenting security analysis and operational troubleshooting
Monitoring and automated response workflows

4. AWS Management Tools
Integrated & interoperable

5. AWS CloudTrail enables…
Track activity across teams, accounts, and organizations in one place, in a consistent format
Explore activity using a single set of tools, and respond to activity in minutes
As AWS innovates, new services and features are covered automatically

6. With AWS CloudTrail you can…
Simplify compliance workflows: keep track of API usage in a single location, simplifying audit and compliance processes
Enhance security analysis: perform security analysis and detect user behavior patterns across services, users, and accounts
Monitor data exfiltration risks: stay alert to data exfiltration risks by collecting activity data on Amazon Simple Storage Service (Amazon S3) objects through object-level API events
Perform operational troubleshooting: simplify root cause analysis using CloudTrail events, to reduce time to resolution
8. AWS CloudTrail events
Integrated with over 130 AWS services
Automatically gather usage activity
Record event details, such as operation, principal, request and response attributes
Deliver events to central locations

9. Event types
Management events
Resource control actions, such as update and delete actions on an Amazon Elastic Compute Cloud (Amazon EC2) instance
Generally infrequent compared to data events
Available from nearly all services
Data events
Fine-grained actions, such as reading from an object in Amazon S3
Can be very high frequency events
Available for Amazon S3 and AWS Lambda

10. Event delivery
Deliver events to Amazon S3
Optionally deliver events to Amazon CloudWatch Logs
Central collection across accounts and regions if desired
Delivery is typically <15 minutes at the 99th percentile
Some services have delivery times of <5 minutes at the 99th percentile

11. Configuring trails
A trail is a resource which turns on event capture and delivery
Includes a set of event filters to define which events you are interested in
Defines a set of delivery destinations to select where you want the events stored
Set up through the AWS Console, API, or AWS Command Line Interface (AWS CLI)
13. Design your trail architecture
Who will consume the information? DevOps, security teams, central compliance authorities…
What types of information do I need? Read actions, information about changes, data-level activity…
Where do I want my events delivered? Management events only for the last 90 days, random access in Amazon S3…
What regions do I need to be in? Probably all!

14. Best practices for trail configuration
• Create a trail in all regions in each account (management events only)
• Create additional trails for use cases which have specific requirements
• Deliver multiple accounts to a single bucket
  • Make sure that different accounts are using their own key prefixes (should be on by default)
  • Set up the bucket policy
  • Key prefix-based policy with restrictions
• Monitor for data exfiltration and critical function usage
• Understand account usage patterns
  • What are your top events?
  • What are your trends over time?
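The "single bucket, one key prefix per account" best practice on slide 14, as an added example that is not part of the session deck: a small Python generator for the central CloudTrail bucket policy with one write grant per account scoped to its own AWSLogs/<account>/ prefix, plus an audit function that flags the common shortcut of a single AWSLogs/*/* grant or a missing bucket-owner-full-control condition. Bucket names, account IDs and the trail name are constructed placeholders; the optional aws:SourceArn condition is taken from the current CloudTrail documentation and is not something the slides mention.

```python
"""Build and audit a delivery-bucket policy for CloudTrail when several accounts
write into one central bucket, each confined to its own key prefix.

Added example; not code from the session. Bucket, account and trail names are
constructed placeholders. The two statement types (s3:GetBucketAcl on the bucket,
s3:PutObject on AWSLogs/<account>/* with the bucket-owner-full-control condition)
are the ones the CloudTrail documentation prescribes; the optional aws:SourceArn
condition, which pins each grant to one trail, follows the current documentation.
"""
import re

CLOUDTRAIL_SERVICE = "cloudtrail.amazonaws.com"
WRITE_RESOURCE = re.compile(
    r"^arn:aws:s3:::(?P<bucket>[^/]+)/(?:(?P<prefix>.+?)/)?AWSLogs/(?P<account>\d{12}|\*)/\*$"
)


def trail_bucket_policy(bucket, account_ids, prefix="", trail_name=None, home_region=None):
    """Return the bucket policy document (dict) for a central CloudTrail bucket.

    One s3:PutObject statement per account restricts that account's trail to its
    own AWSLogs/<account-id>/ prefix. When trail_name and home_region are given,
    an aws:SourceArn condition additionally ties the grant to that one trail.
    """
    key_prefix = prefix.strip("/") + "/" if prefix else ""
    statements = [{
        "Sid": "AWSCloudTrailAclCheck20150319",
        "Effect": "Allow",
        "Principal": {"Service": CLOUDTRAIL_SERVICE},
        "Action": "s3:GetBucketAcl",
        "Resource": f"arn:aws:s3:::{bucket}",
    }]
    for account in account_ids:
        condition = {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}}
        if trail_name and home_region:
            condition["StringEquals"]["aws:SourceArn"] = (
                f"arn:aws:cloudtrail:{home_region}:{account}:trail/{trail_name}")
        statements.append({
            "Sid": f"AWSCloudTrailWrite{account}",
            "Effect": "Allow",
            "Principal": {"Service": CLOUDTRAIL_SERVICE},
            "Action": "s3:PutObject",
            "Resource": f"arn:aws:s3:::{bucket}/{key_prefix}AWSLogs/{account}/*",
            "Condition": condition,
        })
    return {"Version": "2012-10-17", "Statement": statements}


def audit_write_statements(policy):
    """Review every write grant to the CloudTrail service principal in a policy.

    Returns {account_id_or_resource: [findings]}; an empty list means the grant
    is confined to that account's prefix and demands bucket-owner-full-control.
    """
    findings = {}
    for stmt in policy.get("Statement", []):
        principal = stmt.get("Principal")
        if stmt.get("Effect") != "Allow" or not isinstance(principal, dict):
            continue
        if principal.get("Service") != CLOUDTRAIL_SERVICE:
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if not {"s3:PutObject", "s3:*"} & set(actions):
            continue
        resources = stmt.get("Resource", [])
        resources = [resources] if isinstance(resources, str) else resources
        acl = stmt.get("Condition", {}).get("StringEquals", {}).get("s3:x-amz-acl")
        for res in resources:
            match = WRITE_RESOURCE.match(res)
            if not match:
                findings.setdefault(res, []).append("write grant is not scoped to AWSLogs/<account>/*")
                continue
            account = match.group("account")
            issues = findings.setdefault(account, [])
            if account == "*":
                issues.append("wildcard account: any account's trail can write into this bucket")
            if acl != "bucket-owner-full-control":
                issues.append("missing s3:x-amz-acl = bucket-owner-full-control condition")
    return findings


# Constructed example of the shortcut people take: one grant covering every account.
OVERLY_BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": CLOUDTRAIL_SERVICE},
        "Action": "s3:PutObject",
        "Resource": "arn:aws:s3:::central-trail-logs-example/AWSLogs/*/*",
    }],
}

if __name__ == "__main__":
    import json
    good = trail_bucket_policy("central-trail-logs-example", ["111111111111", "222222222222"],
                               prefix="org", trail_name="org-trail", home_region="us-east-1")
    print(json.dumps(good, indent=2))
    print(audit_write_statements(good))          # every account: []
    print(audit_write_statements(OVERLY_BROAD_POLICY))  # "*": two findings
```

The audit function is the part worth keeping around: run it over the policy you already have on the bucket before adding accounts, since a single wildcard grant lets any account's trail write (and therefore overwrite) into the shared location.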
15. Common planning mistakes
Assumptions can lead to painful lessons:
• “I’ll turn on AWS CloudTrail, then everything will be logged.”
• “I’m logging the important regions.”
• “We don’t need all the events, we just need write events.”
• “I keep my logs in a secret Amazon S3 bucket no one knows about.”
Tip: think about your perimeter and your troubleshooting story, then design your AWS CloudTrail architecture to match. Pay attention to best practices to avoid painful lessons.
17. Why secure the event logs?
Event logs establish accountability
Gaps in the logs can cover malicious acts, or make diagnostic analysis challenging
Accuracy and completeness help move investigations faster

18. Secure your event logs
Turn on log file validation (different than encryption!)
Encrypt log data with your own KMS key
Enable access logging for the delivery bucket
Turn on MFA for deleting data in the AWS CloudTrail bucket

19. Build a plan for implementing your strategy
Automated or manual trail provisioning
Take into account labor costs compared to opportunities for operational mistakes
Think through the account deployment process to address security vulnerabilities
Identify manager and consumer roles
Define who can change configurations, and who can access event logs
Set up IAM policies for AWS CloudTrail, Amazon S3 buckets, and Amazon CloudWatch Logs log groups
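What "log file validation" on slide 18 actually gives you, as an added example that is not part of the session: CloudTrail writes digest files next to the logs, each listing the delivered log files with their SHA-256 and naming the previous digest with its SHA-256, so the digests form a chain and a removed or altered log file shows up as a hash mismatch. The Python below performs those two offline checks over constructed sample data. Two assumptions: hashes are taken over the uncompressed content (my reading of the digest file documentation; confirm against the current docs), and the RSA signature on each digest, which must be verified against the key from CloudTrail's ListPublicKeys API, is left out because it needs a live call.

```python
"""Offline integrity check of CloudTrail log files against CloudTrail digest files.

Added example, not code from the session. It follows the documented log file
validation layout: each digest lists the delivered log files with the SHA-256 of
their content, and each digest names the previous digest file together with that
file's SHA-256, so the digests form a chain. Hashes here are taken over the
uncompressed JSON content (my reading of the digest file documentation; confirm
against the current docs). Verifying the RSA signature on each digest against the
key returned by CloudTrail's ListPublicKeys API needs a live call and is omitted.
Every bucket name, key and record below is constructed sample data.
"""
import gzip
import hashlib
import json


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_log_object(records) -> bytes:
    """Gzip a log file body of the form {"Records": [...]}, as CloudTrail stores it."""
    return gzip.compress(json.dumps({"Records": records}).encode())


def verify_log_files(digest: dict, objects: dict) -> dict:
    """Check each log file listed in one digest.

    objects maps S3 key -> gzipped bytes as fetched from the delivery bucket.
    Returns {key: "ok" | "hash mismatch" | "missing" | "unsupported hash"}.
    """
    results = {}
    for entry in digest["logFiles"]:
        key = entry["s3Object"]
        blob = objects.get(key)
        if blob is None:
            results[key] = "missing"
        elif entry.get("hashAlgorithm") != "SHA-256":
            results[key] = "unsupported hash"
        elif sha256_hex(gzip.decompress(blob)) == entry["hashValue"]:
            results[key] = "ok"
        else:
            results[key] = "hash mismatch"
    return results


def verify_digest_chain(digests: dict, newest_key: str) -> list:
    """Walk from the newest digest back to the chain start.

    digests maps S3 key -> uncompressed digest JSON bytes. Each digest's
    previousDigestHashValue must equal the SHA-256 of the previous digest's bytes.
    Returns [(key, "ok" | "chain start" | "previous digest missing" | "chain broken")].
    """
    trail, key = [], newest_key
    while key is not None:
        digest = json.loads(digests[key])
        prev_key = digest.get("previousDigestS3Object")
        if prev_key is None:
            trail.append((key, "chain start"))
            break
        prev_bytes = digests.get(prev_key)
        if prev_bytes is None:
            trail.append((key, "previous digest missing"))
            break
        if sha256_hex(prev_bytes) != digest.get("previousDigestHashValue"):
            trail.append((key, "chain broken"))
            break
        trail.append((key, "ok"))
        key = prev_key
    return trail


def build_fixture():
    """Constructed sample: two log files covered by two chained digests."""
    bucket = "central-trail-logs-example"
    base = "AWSLogs/111111111111/CloudTrail/us-east-1/2018/10/25/"
    log_a = make_log_object([{"eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com"}])
    log_b = make_log_object([{"eventName": "DescribeInstances", "eventSource": "ec2.amazonaws.com"}])
    objects = {base + "log-a.json.gz": log_a, base + "log-b.json.gz": log_b}

    def entry(key):
        return {"s3Bucket": bucket, "s3Object": key, "hashAlgorithm": "SHA-256",
                "hashValue": sha256_hex(gzip.decompress(objects[key]))}

    dbase = "AWSLogs/111111111111/CloudTrail-Digest/us-east-1/2018/10/25/"
    k1, k2 = dbase + "digest-1.json", dbase + "digest-2.json"
    d1 = {"digestS3Object": k1, "previousDigestS3Object": None,
          "previousDigestHashValue": None, "logFiles": [entry(base + "log-a.json.gz")]}
    d1_bytes = json.dumps(d1).encode()
    d2 = {"digestS3Object": k2, "previousDigestS3Object": k1,
          "previousDigestHashAlgorithm": "SHA-256",
          "previousDigestHashValue": sha256_hex(d1_bytes),
          "logFiles": [entry(base + "log-b.json.gz")]}
    return objects, {k1: d1_bytes, k2: json.dumps(d2).encode()}, k2


def run_checks(tamper=False):
    """Validate the fixture; with tamper=True, rewrite log-b after the digest was cut."""
    objects, digests, newest = build_fixture()
    if tamper:
        key = next(k for k in objects if k.endswith("log-b.json.gz"))
        objects[key] = make_log_object([{"eventName": "RunInstances", "eventSource": "ec2.amazonaws.com"}])
    return {"log_files": verify_log_files(json.loads(digests[newest]), objects),
            "chain": verify_digest_chain(digests, newest)}
```

The point of the chain walk is that an attacker who deletes a log file and then rewrites the digest that listed it still has to rewrite every later digest (each carries the previous digest's hash) and re-sign all of them, which they cannot do without CloudTrail's private key. The AWS CLI's `aws cloudtrail validate-logs` does the same thing end to end, signatures included.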
20. Introducing organization trails
Configure a trail in one account (master), and it appears in all member accounts
Automatically deliver events to a central location
Automatically add trails to accounts that are added to the org

21. Configuring organization trails (AWS Console)

22. Use AWS Budgets and notifications
Maintain awareness of your spend
Identify changes in trends
React quickly if a major change occurs

23. Configuring AWS Budgets (AWS Console)

24. What have we covered so far in this session?
Talked about AWS Management Tools and AWS CloudTrail
Finished an overview of AWS CloudTrail capabilities
Set up a secure foundation for tracking and exploring account activity
Explored how to maintain awareness of costs
26. The parts of an AWS CloudTrail event
Source identity: the "userIdentity" attribute identifies the originating IAM principal or service
Event source: identifies the endpoint where the request originated
Request parameters: all call context passed to the API call
Response elements: the complete response from the invoked service

{
  "eventVersion": "1.05",
  "userIdentity": { … },
  "eventTime": "2018-10-25T05:38:46Z",
  "eventSource": "ec2.amazonaws.com",
  "eventName": "DescribeInstances",
  "awsRegion": "us-east-1",
  "sourceIPAddress": "elasticmapreduce.amazonaws.com",
  "userAgent": "elasticmapreduce.amazonaws.com",
  "requestParameters": { … },
  "responseElements": { … },
  "requestID": "824095df-1e40-4438-9ddc-c8604ba2d5de",
  "eventID": "fdcf5d5e-3e05-49b7-a33d-229e54e2110b",
  "eventType": "AwsApiCall",
  "recipientAccountId": "128171205400"
}

27. More details about event contents
Source identity:
"userIdentity": {
  "type": "AssumedRole",
  "principalId": "AROAIII4C2I3C…:CCSSession",
  "arn": "arn:aws:sts::12817120…",
  "accountId": "128171205400",
  "sessionContext": {
    "attributes": {
      "mfaAuthenticated": "false",
      "creationDate": "2018-10-25T05:38:46Z"
    },
    "sessionIssuer": {
      "type": "Role",
      "principalId": "AROAIII4C2I3CYR7URV2U",
      "arn": "arn:aws:iam::12817120…",
      "accountId": "128171205400",
      "userName": "EMR_DefaultRole"
    }
  },
  "invokedBy": "elasticmapreduce.amazonaws.com"
}

Request/Response information:
"requestParameters": {
  "roleArn": "arn:aws:iam::12817120…",
  "roleSessionName": "CCSSession",
  "durationSeconds": 1500
},
"responseElements": {
  "credentials": {
    "accessKeyId": "ASIAR3V4ZMMMFHFU42X5",
    "expiration": "Oct 25, 2018 6:03:46 AM",
    "sessionToken": "…"
  }
}

28. AWS CloudTrail search and browse tools
Event History (AWS Console)
lookup-events command (AWS CLI)
LookupEvents action (API)
All experiences support filtering with a single filter

29. Use Amazon Athena for SQL-style searches
Automatically import event data into an Amazon Athena table
Perform queries against snapshots of AWS CloudTrail data
Integrated with AWS CloudTrail via the AWS Console

30. Use CloudWatch Logs Insights for lightweight queries
Run queries against AWS CloudTrail events in Amazon CloudWatch Logs
Provides simple or complex multi-attribute search
Uses a streamlined simple query language for fast query authoring
Supports common data set manipulation commands

32. Understanding usage patterns
Baseline IAM activity
Top IAM users, root account activity
Explore console sign-in
Explore source IP address distribution
Investigate suspicious user activity
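The event anatomy on slides 26 and 27 and the baselining questions on slide 32, as one added example that is not part of the session: Python that resolves the principal behind an event from the userIdentity block (attributing AssumedRole sessions to the issuing role, as the EMR_DefaultRole sample does) and then runs the slide's checks over a batch of records: top principals, root account activity, successful console sign-ins without MFA, IAM policy changes and source IP distribution. The records, account ID, user names and IP addresses are constructed; the IAM event-name list is the one AWS's CloudWatch Logs metric-filter guidance uses for IAM policy changes.

```python
"""Attribute CloudTrail events to a principal and run baseline checks over a batch:
top principals, root account activity, console sign-ins without MFA, IAM policy
changes and source IP distribution.

Added example, not code from the session. The records are constructed and
abbreviated; field names follow the CloudTrail record format shown on the slides.
"""
from collections import Counter

# IAM API calls that change policies; the same names the AWS guidance for a
# CloudWatch Logs "IAM policy changes" metric filter watches.
IAM_POLICY_CHANGE_EVENTS = {
    "DeleteGroupPolicy", "DeleteRolePolicy", "DeleteUserPolicy",
    "PutGroupPolicy", "PutRolePolicy", "PutUserPolicy",
    "CreatePolicy", "DeletePolicy", "CreatePolicyVersion", "DeletePolicyVersion",
    "AttachRolePolicy", "DetachRolePolicy", "AttachUserPolicy", "DetachUserPolicy",
    "AttachGroupPolicy", "DetachGroupPolicy",
}


def actor(event: dict) -> str:
    """Name the principal behind an event in a form that is stable across sessions.

    AssumedRole sessions are attributed to the issuing role (sessionIssuer): the
    session name changes on every sts:AssumeRole, the role does not.
    """
    ident = event.get("userIdentity", {})
    kind = ident.get("type")
    if kind == "Root":
        return "root:" + ident.get("accountId", "?")
    if kind == "IAMUser":
        return "user:" + ident.get("userName", "?")
    if kind == "AssumedRole":
        issuer = ident.get("sessionContext", {}).get("sessionIssuer", {})
        return "role:" + issuer.get("userName", ident.get("arn", "?"))
    if kind == "AWSService":
        return "service:" + ident.get("invokedBy", "?")
    return f"{kind}:{ident.get('arn', '?')}"


def mfa_used(event: dict) -> bool:
    """ConsoleLogin events carry additionalEventData.MFAUsed; other events carry
    sessionContext.attributes.mfaAuthenticated. Accept either."""
    if event.get("additionalEventData", {}).get("MFAUsed") == "Yes":
        return True
    attrs = event.get("userIdentity", {}).get("sessionContext", {}).get("attributes", {})
    return attrs.get("mfaAuthenticated") == "true"


def analyze(events: list) -> dict:
    successful_logins = [
        e for e in events
        if e.get("eventName") == "ConsoleLogin"
        and e.get("responseElements", {}).get("ConsoleLogin") == "Success"
    ]
    return {
        "top_principals": Counter(actor(e) for e in events).most_common(3),
        "root_events": [e["eventName"] for e in events
                        if e.get("userIdentity", {}).get("type") == "Root"],
        "console_logins_without_mfa": [actor(e) for e in successful_logins if not mfa_used(e)],
        "iam_policy_changes": [(actor(e), e["eventName"]) for e in events
                               if e.get("eventSource") == "iam.amazonaws.com"
                               and e.get("eventName") in IAM_POLICY_CHANGE_EVENTS],
        "source_ips": dict(Counter(e.get("sourceIPAddress") for e in events)),
    }


def _login(ident, ip, mfa):
    return {"eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
            "userIdentity": ident, "sourceIPAddress": ip,
            "responseElements": {"ConsoleLogin": "Success"},
            "additionalEventData": {"MFAUsed": mfa}}


# Constructed identities (account ID is a placeholder).
EMR_ROLE = {"type": "AssumedRole", "accountId": "111111111111",
            "sessionContext": {"sessionIssuer": {"type": "Role", "userName": "EMR_DefaultRole"}},
            "invokedBy": "elasticmapreduce.amazonaws.com"}
ALICE = {"type": "IAMUser", "accountId": "111111111111", "userName": "alice"}
BOB = {"type": "IAMUser", "accountId": "111111111111", "userName": "bob"}
ROOT = {"type": "Root", "accountId": "111111111111"}

# Constructed sample batch (IPs from the RFC 5737 documentation ranges).
SAMPLE_EVENTS = [
    {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "userIdentity": EMR_ROLE, "sourceIPAddress": "elasticmapreduce.amazonaws.com"},
    _login(ALICE, "203.0.113.10", "Yes"),
    _login(BOB, "198.51.100.7", "No"),
    _login(ROOT, "203.0.113.10", "Yes"),
    {"eventSource": "iam.amazonaws.com", "eventName": "PutUserPolicy",
     "userIdentity": BOB, "sourceIPAddress": "198.51.100.7"},
    {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "userIdentity": EMR_ROLE, "sourceIPAddress": "elasticmapreduce.amazonaws.com"},
]

if __name__ == "__main__":
    import json
    print(json.dumps(analyze(SAMPLE_EVENTS), indent=2))
```

On real data the input would be the Records arrays from the delivered log files (or Athena/Logs Insights output); the same `actor()` normalisation is what makes "top IAM users" meaningful, because counting by session ARN splits one role into hundreds of one-off principals.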
34. Exploring operational problems
Establish a baseline for operational activity
Understand account-wide error patterns
View time-slices of activity to identify possible root causes
36. Enabling notifications
Learn about changes in your account activity patterns in minutes (or less)
Set up Amazon CloudWatch metric filters to alert on changes to IAM configuration
Use Amazon CloudWatch Alarms to configure custom triggers and thresholds
Use AWS Config for configuration change awareness

37. Automated security protection
Amazon GuardDuty
Continuous monitoring of security across your account
Identify risky activity
Provides reports, and optional alerts through Amazon CloudWatch Events
Amazon Macie
Discover, classify, and protect sensitive data
Monitors data usage to identify risks
Raises alarms when risk is identified
39. Automatic remediation
Detect unauthorized changes to policy
Trigger workflows to automatically correct vulnerabilities through Amazon CloudWatch Events
Implement custom remediation logic using AWS Lambda

40. Remediate data exfiltration risk
Detect changes to Amazon S3 bucket ACLs
Automatically set ACLs according to policy
Catch emerging data exfiltration vulnerabilities in seconds

41. Remediate unauthorized use of AWS Lambda functions
Detect changes to permissions protecting function use
Automatically set permissions to conform to policy
Reduce the risk of unauthorized function use in seconds
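The bucket-ACL remediation flow on slides 39 and 40 (CloudTrail event, CloudWatch Events rule, Lambda), as an added example that is not part of the session: a Lambda-style handler that inspects a PutBucketAcl record for grants to the AllUsers or AuthenticatedUsers groups, or a public canned ACL, and resets the bucket to private. It also ignores calls made by its own execution role, so the PutBucketAcl it issues cannot trigger it again. The envelope is the CloudWatch Events "AWS API Call via CloudTrail" shape; the ACL layout inside requestParameters is constructed from the S3 AccessControlPolicy model and should be checked against a captured event. Bucket and role names are placeholders, and the S3 client is injected so the decision logic runs without AWS.

```python
"""Remediate public S3 bucket ACLs from a CloudWatch Events rule on CloudTrail
PutBucketAcl calls, with a guard against re-triggering itself.

Added example, not code from the session. The envelope is the CloudWatch Events
"AWS API Call via CloudTrail" shape with the CloudTrail record in "detail". The
ACL layout inside requestParameters is constructed from the S3 AccessControlPolicy
model; check it against a captured event before relying on it. Bucket, account and
role names are placeholders.
"""
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
PUBLIC_CANNED_ACLS = {"public-read", "public-read-write", "authenticated-read"}
# Placeholder: name of the execution role this function runs under.
REMEDIATION_ROLE_NAME = "AclRemediationRole"


def public_grants(params: dict) -> list:
    """List the public grants a PutBucketAcl request asked for (empty if none).

    Handles both forms of the call: a canned ACL in the x-amz-acl header and an
    explicit AccessControlPolicy body.
    """
    found = []
    canned = params.get("x-amz-acl", [])
    for acl in ([canned] if isinstance(canned, str) else canned):
        if acl in PUBLIC_CANNED_ACLS:
            found.append("canned:" + acl)
    grants = params.get("AccessControlPolicy", {}).get("AccessControlList", {}).get("Grant", [])
    if isinstance(grants, dict):  # a lone grant may be serialized as an object
        grants = [grants]
    for grant in grants:
        uri = grant.get("Grantee", {}).get("URI")
        if uri in PUBLIC_GRANTEE_URIS:
            found.append(uri.rsplit("/", 1)[-1] + ":" + str(grant.get("Permission")))
    return found


def issued_by_remediation_role(record: dict) -> bool:
    """True when the ACL change was made by this function's own role.

    Without this check, the put_bucket_acl below produces a new PutBucketAcl event
    that matches the rule and invokes the function again.
    """
    issuer = record.get("userIdentity", {}).get("sessionContext", {}).get("sessionIssuer", {})
    return issuer.get("userName") == REMEDIATION_ROLE_NAME


def handler(event: dict, context=None, s3=None) -> dict:
    """Lambda entry point; `s3` is injectable so the logic runs without AWS."""
    if s3 is None:
        import boto3  # only needed inside Lambda
        s3 = boto3.client("s3")
    record = event.get("detail", {})
    if record.get("eventSource") != "s3.amazonaws.com" or record.get("eventName") != "PutBucketAcl":
        return {"action": "ignored", "reason": "not a PutBucketAcl event"}
    if record.get("errorCode"):
        return {"action": "ignored", "reason": "call was denied, nothing to undo"}
    if issued_by_remediation_role(record):
        return {"action": "ignored", "reason": "own remediation write"}
    params = record.get("requestParameters", {})
    bucket = params.get("bucketName")
    grants = public_grants(params)
    if not grants:
        return {"action": "none", "bucket": bucket}
    s3.put_bucket_acl(Bucket=bucket, ACL="private")
    return {"action": "reset-to-private", "bucket": bucket, "public_grants": grants}


class FakeS3:
    """Stand-in for boto3's S3 client that records the calls made."""
    def __init__(self):
        self.calls = []

    def put_bucket_acl(self, **kwargs):
        self.calls.append(kwargs)
        return {}


def sample_event(role_name="DeveloperRole"):
    """Constructed CloudWatch Events payload for a PutBucketAcl granting AllUsers READ."""
    return {
        "detail-type": "AWS API Call via CloudTrail",
        "detail": {
            "eventSource": "s3.amazonaws.com",
            "eventName": "PutBucketAcl",
            "userIdentity": {"type": "AssumedRole",
                             "sessionContext": {"sessionIssuer": {"userName": role_name}}},
            "requestParameters": {
                "bucketName": "example-data-bucket",
                "AccessControlPolicy": {"AccessControlList": {"Grant": [
                    {"Grantee": {"xsi:type": "Group",
                                 "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
                     "Permission": "READ"}]}},
            },
        },
    }
```

Resetting to `private` is the blunt form of "set ACLs according to policy"; a stricter variant would also record the offending grant list to a ticketing or alerting channel, since the reset removes the evidence from the live bucket while CloudTrail keeps it.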
43. Enhance your toolset with third-party offerings
• Custom log management
• Complex query capabilities
• Multi-data source views
• Automatic analysis
• Threat detection
• Operational health monitoring

44. Understand AWS CloudTrail’s pricing model
Events are charged based on the number of events delivered
The first copy of management events is not charged!
Second and later copies are $2/100k events. Data events are $0.10/100k events.
• Example 1
  • Trail A captures read management events. (100k events)
  • Trail B captures write management events. (100k events)
  • None of the events are charged (each event is delivered only once).
• Example 2
  • Trail A captures all management events. (200k events)
  • Trail B captures write management events. (100k events)
  • Price is $2, and only the events from trail B are charged (second copy of the write events).

45. Things to think about…
Creation of secondary trails: understand AWS CloudTrail’s pricing model, and put policies in place in your organization governing trail creation.
Bursts in volume due to changes in services (e.g., Amazon DynamoDB encryption at rest): monitor your AWS CloudTrail events, and set up guardrails around costs.
Lambda infinite loops: beware of automatic remediation workflows that can call themselves.

46. What did we cover today?
Finished a survey of AWS CloudTrail capabilities
Set up a secure foundation for tracking and exploring account activity
Managing costs
Exploring events
Security analysis and operational troubleshooting
Implementing active monitoring
Automating response workflows
Third-party tools

47. Thank you!
Sam Koppes
skoppes@amazon.com