Detective Controls: Gain Visibility and Record Change

© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved
Pop-up Loft
CAF Detective Controls: Gain Visibility and Record Change
Balaji Palanisamy,
Senior Consultant
Professional Services

© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved
Learning about Detective Controls
• Overview of Cloud Adoption Framework
• CAF Security Perspective
• Why Detect?
• What to Detect ?
• Aggregating audit trails
• Enforcing Detective controls
• Resources

Overview of Cloud Adoption Framework
• Guidance for organizations adopting the cloud
– Helps coordinate different aspects of adoption
– Helps understand the how the organization will change
• 6 Perspectives

• Common Roles:
– CISO
– IT Security Managers
– IT Security Analysts
• 5 Core Epics
CAF Security Perspective

Remaining Epics
• Resilience
• DevSecOps
• Compliance Validation
• Configuration & Vulnerability
Management
• Security Big Data
CAF Security Perspective

Why Detect?
My Application

What to Detect?
• Billing
• API Activity
• Changes to Resources
• Application Activity
• Network Activity

Billing
• Billing Information logged daily to S3
• Also Visible in the Billing Console
• Alarms can be set to alert on thresholds and unusual
activity

Sample Records
ItemDescription
UsageStart
Date
UsageEnd
Date
UsageQuanti
ty
Currency
Code
CostBefor
eTax
Cred
its
TaxAm
ount
TaxTy
pe
TotalCo
st
$0.000 per GB - regional data transfer under the monthly
global free tier
01.04.14
00:00
30.04.14
23:59 0.00000675 USD 0.00 0.0
0.0000
00 None
0.00000
0
$0.05 per GB-month of provisioned storage - US West
(Oregon)
01.04.14
00:00
30.04.14
23:59
1.126.666.5
54 USD 0.56 0.0
0.0000
00 None
0.56000
0
First 1,000,000 Amazon SNS API Requests per month are
free
01.04.14
00:00
30.04.14
23:59 10.0 USD 0.00 0.0
0.0000
00 None
0.00000
0
First 1,000,000 Amazon SQS Requests per month are free
01.04.14
00:00
30.04.14
23:59 4153.0 USD 0.00 0.0
0.0000
00 None
0.00000
0
$0.00 per GB - EU (Ireland) data transfer from US West
(Northern California)
01.04.14
00:00
30.04.14
23:59 0.00003292 USD 0.00 0.0
0.0000
00 None
0.00000
0
$0.000 per GB - data transfer out under the monthly
global free tier
01.04.14
00:00
30.04.14
23:59 0.02311019 USD 0.00 0.0
0.0000
00 None
0.00000
0
First 1,000,000 Amazon SNS API Requests per month are
free
01.04.14
00:00
30.04.14
23:59 88.0 USD 0.00 0.0
0.0000
00 None
0.00000
0
$0.000 per GB - data transfer out under the monthly
global free tier
01.04.14
00:00
30.04.14
23:59 3.3E-7 USD 0.00 0.0
0.0000
00 None
0.00000
0

Introduction to AWS CloudTrail
Store/
archive
Troubleshoot
Monitor and alarm
You are
making API
calls...
On a growing
set of AWS
services around
the world..
CloudTrail is
continuously
recording
API calls
Amazon Elastic
Block Store
(Amazon EBS)
Amazon S3
bucket

Use cases enabled by CloudTrail
• IT and security administrators can perform security analysis
• IT administrators and DevOps engineers can attribute changes on
AWS resources to the identity, time and other critical details of
who made the change
• DevOps engineers can troubleshoot operational issues
• IT auditors can use log files as a compliance aid

AWS Config
• Get inventory of AWS resources
• Discover new and deleted resources
• Record configuration changes continuously
• Get notified when configurations change

AWS Config

• Check configuration changes
• Periodic
• Event driven
• Rules
• Pre-built rules provided by AWS
• Custom rules using AWS Lambda
• Use dashboard for visualizing compliance and identifying offending changes
AWS Config Rules

Supported Services
• Amazon EC2, ELB, IAM, RDS, S3 etc.
• http://docs.aws.amazon.com/config/latest/developerguide/resource
-config-reference.html

Relationships
• Bi-directional map of
dependencies automatically
assigned
• Change to a resource propagates
to create Configuration Items for
related resources
Example: Security Group sg-10dk8ej and
EC2 instance i-123a3d9 are “associated
with” each other

Relationships
Resource Relationship Related Resource
CustomerGateway is attached to VPN Connection
Elastic IP (EIP) is attached to Network Interface
is attached to Instance
Instance contains Network Interface
is attached to ElasticIP (EIP)
is contained in Route Table
is associated with Security Group
is contained in Subnet
is attached to Volume
is contained in Virtual Private Cloud (VPC)
InternetGateway is attached to Virtual Private Cloud (VPC)
… …. …..

Configuration Item
All AWS API configuration attributes for a given resource at a given point in
time, captured on every configuration change.

Component Description Contains
Metadata Information about this configuration item Version ID, Configuration item ID, Time when
the configuration item was captured, State
ID indicating the ordering of the
configuration items of a resource, MD5Hash,
etc.
Common Attributes Resource attributes Resource ID, tags, Resource type. Amazon
Resource Name (ARN)
Availability Zone, etc.
Relationships How the resource is related to other
resources associated with the account
EBS volume vol-1234567 is attached to an
EC2 instance i-a1b2c3d4
Current Configuration Information returned through a call to the
Describe or List API of the resource
e.g. for EBS Volume
State of DeleteOnTermination flag
Type of volume. For example, gp2,
io1, or standard
Related Events The AWS CloudTrail events that are related
to the current configuration of the resource
AWS CloudTrail event ID
Configuration Item

Essentially, “Lambda Integration for Config”
Apply detailed checks to the state of your configuration, at the point when it
changes
Raise alerts if anything is outside compliance with your defined policy
‣ Eg if there’s unencrypted non-root EBS volumes
‣ …or eg if any taggable resources aren’t tagged appropriately
We have a library of pre-built rules – or build your own
See also Re:Invent (SEC308) “Wrangling Security Events in the Cloud”
(https://www.youtube.com/watch?v=uc1Q0XCcCv4)
Feature is available right now
Introducing Config Rules

AWS Config Rules
(Example—instances must be tagged with a data classification)

VPC Flow Logs

Dumping out the heavy hitter IP addresses
#!/usr/bin/python3
import boto3
# Get the service resource
logs = boto3.client(’logs’)
# Get the log groups
groups = logs.describe_log_groups()
for logGroup in groups[’logGroups’] :
# Get the LogStream for each logGroup
logStreamsDesc = logs.describe_log_streams(logGroupName=logGroup[’logGroupName’])
for logStream in logStreamsDesc[’logStreams’]:
events_resp = logs.get_log_events(logGroupName=logGroup[’logGroupName’], logStreamName=logStream[’logStreamName’])
# Store each log entry by the src IP address
ip_dict = {}
for event in events_resp[’events’] :
ip = event[cd ’message’].split()[4]
if ip in ip_dict:
ip_dict[ip] = ip_dict[ip] + 1
else :
ip_dict[ip] = 1
for w in sorted(ip_dict, key=ip_dict.get, reverse=True):
print (’{0:15} {1:8d}’.format(w, ip_dict[w]))
#Early exit
exit()

Other Audit Trails
• Amazon CloudWatch Logs

Other Audit Trails
• Amazon CloudWatch Events

Other Audit Trails
• AWS Service Specific Logs
– Amazon S3 Access logs
– Amazon RDS logs
– Amazon Redshift logs

Partners

AWS CloudTrail logs can be delivered cross-account
• Accounts can send their trails to a
central account
• Central account can then do
analytics
• Central account can:
– Redistribute the trails
– Grant access to the trails
– Filter and reformat Trails (to meet
privacy requirements)

Enforcing Detective Controls

Resources
• Elasticsearch, Kibana and CloudWatch Logs integration
– Push CloudTrail to CloudWatch Logs:
http://docs.aws.amazon.com/awscloudtrail/latest/userguide/send-cloudtrail-events-to-
cloudwatch-logs.html
– Push CloudWatch Logs to Elasticsearch:
http://docs.aws.amazon.com/AmazonCloudWatch/latest/DeveloperGuide/CWL_ES_St
ream.html
– Put a Kibana front-end on it: https://aws.amazon.com/blogs/aws/cloudwatch-logs-
subscription-consumer-elasticsearch-kibana-dashboards/
•

Pop-up Loft
aws.amazon.com/activate
Everything and Anything Startups
Need to Get Started on AWS

Detective Controls: Gain Visibility and Record Change

Recomendados

Recomendados

Más contenido relacionado

La actualidad más candente

La actualidad más candente (20)

Similar a Detective Controls: Gain Visibility and Record Change

Similar a Detective Controls: Gain Visibility and Record Change (20)

Más de Amazon Web Services

Más de Amazon Web Services (20)

Detective Controls: Gain Visibility and Record Change