1. © 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Towards Full Stack Security
Don Edwards
Solutions Architect, Security Specialist
2. Amazon Inspector
• Vulnerability Assessment Service
• Built from the ground up to support DevSecOps
• Automatable via APIs
• Integrates with CI/CD tools
• On-Demand Pricing model
• Static & Dynamic Rules Packages
• Generates Findings
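The three bullets "Automatable via APIs", "Integrates with CI/CD tools" and "Generates Findings" describe a pipeline gate. The script below is an added example, not code from the deck or from AWS: it starts an Inspector (classic, 2016-era API) assessment run from a CI job, collects the findings, and fails the build when any finding is at or above a chosen severity. The environment variable names, the severity-ordering policy and the sample findings are assumptions made for this example; the API calls (start_assessment_run, describe_assessment_runs, list_findings, describe_findings) are real Inspector classic operations.

```python
"""CI/CD gate on Amazon Inspector (classic) findings. Added example, not from the deck."""
import os
import sys
import time
from collections import Counter

# Inspector classic severity labels, ordered least to most severe. The ordering
# (and the decision to fail the build on it) is this example's policy choice.
SEVERITY_ORDER = ["Informational", "Undefined", "Low", "Medium", "High"]

# Constructed findings in the shape describe_findings returns (only the keys this
# script reads). They stand in for a real run when no template ARN is configured.
SAMPLE_FINDINGS = [
    {"severity": "High", "title": "Instance has a package with a known CVE (constructed)"},
    {"severity": "Medium", "title": "CIS benchmark check failed (constructed)"},
    {"severity": "Low", "title": "Unused listening port (constructed)"},
]


def _rank(label):
    """Position of a severity label; unknown labels rank with 'Undefined'."""
    return SEVERITY_ORDER.index(label) if label in SEVERITY_ORDER else SEVERITY_ORDER.index("Undefined")


def summarize_findings(findings):
    """Count findings per severity label."""
    return dict(Counter(f.get("severity", "Undefined") for f in findings))


def gate(findings, fail_on="High"):
    """Return (passed, blocking): blocking holds findings at or above fail_on."""
    threshold = _rank(fail_on)
    blocking = [f for f in findings if _rank(f.get("severity", "Undefined")) >= threshold]
    return len(blocking) == 0, blocking


def run_assessment_and_collect(template_arn, run_name, poll_seconds=30, timeout_seconds=3600):
    """Start an assessment run, wait for it to finish, and return its findings."""
    import boto3  # imported lazily so gate() and summarize_findings() work offline
    inspector = boto3.client("inspector")
    run_arn = inspector.start_assessment_run(
        assessmentTemplateArn=template_arn, assessmentRunName=run_name)["assessmentRunArn"]

    deadline = time.time() + timeout_seconds
    while True:
        run = inspector.describe_assessment_runs(assessmentRunArns=[run_arn])["assessmentRuns"][0]
        if run["state"] in ("COMPLETED", "COMPLETED_WITH_ERRORS"):
            break
        if run["state"] in ("FAILED", "ERROR", "CANCELED") or time.time() > deadline:
            raise RuntimeError(f"assessment run {run_arn} ended in state {run['state']}")
        time.sleep(poll_seconds)

    finding_arns, token = [], None
    while True:  # list_findings pages with nextToken
        kwargs = {"assessmentRunArns": [run_arn]}
        if token:
            kwargs["nextToken"] = token
        page = inspector.list_findings(**kwargs)
        finding_arns.extend(page["findingArns"])
        token = page.get("nextToken")
        if not token:
            break

    findings = []
    for i in range(0, len(finding_arns), 100):  # describe_findings takes at most 100 ARNs per call
        findings.extend(inspector.describe_findings(findingArns=finding_arns[i:i + 100])["findings"])
    return findings


def main():
    template_arn = os.environ.get("INSPECTOR_TEMPLATE_ARN")  # hypothetical pipeline variable
    if template_arn:
        findings = run_assessment_and_collect(template_arn, run_name=f"ci-{int(time.time())}")
    else:
        findings = SAMPLE_FINDINGS  # offline demonstration on constructed data
    passed, blocking = gate(findings, fail_on=os.environ.get("INSPECTOR_FAIL_ON", "High"))
    print("findings by severity:", summarize_findings(findings))
    for f in blocking:
        print(f"BLOCKING [{f['severity']}] {f['title']}")
    return 0 if passed else 1


if __name__ == "__main__":
    sys.exit(main())
```

The gate is kept separate from the API calls so the pass/fail policy can be unit-tested without credentials, and so the same policy can be reused against findings exported from the console. A non-zero exit code is what most CI tools treat as a failed stage.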
3. Traditional Security Processes
Diagram: Asset Owner, Security Team (AppSec Eng), Asset; "Scan for Vulnerabilities"
4.
• It’s not about DevOps + Security
• Not enough security professionals on the planet to do this
• Security teams need their own automation to keep up with automated deployments!
• Security as code
• Seamless integration with CI/CD pipelines
• Ability to scan and run test suites in parallel
• Ability to automate remediation
• Consumable by APN technology partners as microservices
• www.devsecops.org
5. Inspector Architecture
• Assessment coordination
• Evaluation engine
• Agent installed on EC2 Instances
6. Supported Agent Operating Systems
Red Hat Enterprise Linux (6.5 or later)
CentOS (6.5 or later)
Ubuntu (12.04 LTS, 14.04 LTS or later)
Amazon Linux (2015.03 or later)
Microsoft Windows (2012 R2, 2008 R2) - Preview
Linux Kernel Support: We get kernels at the same time you get them. It currently takes us 1-2 weeks for build, test & validation. We’re aiming for 1 day.
New Distributions: Takes a long time.
7. Amazon Inspector
• Rules Packages
  • Common Vulnerabilities & Exposures
  • CIS Operating System Security Configuration Benchmarks
  • Security Best Practices
  • Runtime Behavior Analysis
8. Common Vulnerabilities & Exposures
• Tagged list of publicly known info security issues
• Vulnerabilities
  • A mistake in software that can be used to gain unauthorized system access
  • Execute commands as another user
  • Pose as another entity
  • Conduct a denial of service
• Exposures
  • A mistake in software that allows access to information that can lead to unauthorized system access
  • Allows an attacker to hide activities
  • Enables information gathering activities
9. CIS Security Configuration Benchmarks
What are they?
• Security configuration guide
• Consensus-based development process
• PDF versions are free via CIS website
Inspector automates scanning instances against the latest benchmark for that OS
10. What’s inside a Benchmark?
What you should do…
Why you should do it…
How to do it…
How to know if you did it…
This is what Inspector does for you now (more in future)
11. Runtime Behavior Analysis
• Package analyzes machine behavior during an assessment
  • Unused listening ports
  • Insecure client protocols
  • Root processes with insecure permissions
  • Insecure server protocols
• Impacts the severity of static findings
12. Pricing
• Free Trial
  • 250 agent-assessments for first 90 days using the service
• Based on Agent-Assessments
  • 1 assessment with 10 agents = 10 agent-assessments
  • 5 assessments with 2 agents = 10 agent-assessments
  • 10 assessments with 1 agent = 10 agent-assessments
  • 10 agent-assessments = $3.00
Tiered price per agent-assessment:
First 250 agent-assessments: $0.30
Next 750 agent-assessments: $0.25
Next 4000 agent-assessments: $0.15
Next 45,000 agent-assessments: $0.10
All other agent-assessments: $0.05
13. Regions Supported
GA: US West (Oregon), EU (Ireland), US East (Virginia), Asia Pacific (Tokyo)
July 2016 (deployed): Asia Pacific (Sydney), Asia Pacific (Seoul)
Fall 2016: Asia Pacific (India), Europe (London), Europe (Frankfurt)
15. Launch Partners
16. AWS Config
• Get inventory of AWS resources
• Discover new and deleted resources
• Record configuration changes continuously
• Get notified when configurations change
17. AWS Config
Diagram: Changing Resources → AWS Config (Record, Normalize, Store, Deliver) → Stream / Snapshot (ex. 2014-11-05) / History; AWS Config APIs
18. AWS Config – VPC Example
19. AWS Config – VPC Example
20. AWS Config Rules – Tenancy Enforcement Example
21. AWS Config Rules – Tenancy Enforcement Example
22. AWS Config Rules – Tenancy Enforcement Example
23. Config Rules
• Set up rules to check configuration changes recorded
• Use pre-built rules provided by AWS
• Author custom rules using AWS Lambda
• Invoked automatically for continuous assessment
• Use dashboard for visualizing compliance and identifying offending changes
24. AWS Config & Config Rules
Diagram: Changing Resources → AWS Config (Record, Normalize, Store, Deliver) → Stream / Snapshot (ex. 2014-11-05) / History / Rules; AWS Config APIs
25. Config Rule
A rule that checks the validity of configurations recorded
• AWS managed rules
  Defined by AWS
  Require minimal (or no) configuration
  Rules are managed by AWS
• Customer managed rules
  Authored by you using AWS Lambda
  Rules execute in your account
  You maintain the rule
26. Config Rules - Triggers
• Triggered by changes: Rules invoked when relevant resources change
  Scoped by changes to:
  • Tag key/value
  • Resource types
  • Specific resource ID
  e.g. EBS volumes tagged “Production” should be attached to EC2 instances
• Triggered periodically: Rules invoked at specified frequency
  e.g. Account should have no more than 3 “PCI v3” EC2 instances; every 3 hrs
27. Evaluations
The result of evaluating a Config rule against a resource
• Report evaluation of {Rule, ResourceType, ResourceID} directly from the rule itself
28. AWS managed rules
1. All EC2 instances must be inside a VPC.
2. All attached EBS volumes must be encrypted, with KMS ID.
3. CloudTrail must be enabled, optionally with S3 bucket, SNS topic and CloudWatch Logs.
4. All security groups in attached state should not have unrestricted access to port 22.
5. All EIPs allocated for use in the VPC are attached to instances.
6. All resources being monitored must be tagged with specified tag keys:values.
7. All security groups in attached state should not have unrestricted access to these specific ports.
29. Custom rules
• Codify and automate your own practices
• Get started with samples in AWS Lambda
• Implement guidelines for security best practices and compliance
• Use rules from different AWS Partners
• View compliance in one dashboard
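Slides 26 through 29 describe the pieces of a customer-managed rule: a change trigger scoped to a resource type, an evaluation of {Rule, ResourceType, ResourceID} reported back by the rule itself, and the Lambda function you author and maintain. The handler below is an added example, not code from the deck or one of AWS's sample rules. It generalizes managed rules 4 and 7 (unrestricted access to port 22, or to a list of ports): a security group is reported NON_COMPLIANT when any ingress rule opens a blocked port to 0.0.0.0/0 or ::/0. Assumptions: the rule is change-triggered on AWS::EC2::SecurityGroup; an optional rule parameter named blockedPorts (this example's name) carries a comma-separated port list and defaults to 22 and 3389; the configuration item's ipPermissions entries carry ipProtocol, fromPort, toPort and source CIDRs under either ipRanges (strings) or ipv4Ranges/ipv6Ranges (dicts), and both shapes are handled; the sample event at the bottom is constructed, not captured from an account.

```python
"""Customer-managed AWS Config rule (Lambda) for unrestricted ingress. Added example."""
import json
from datetime import datetime, timezone

ANY_IPV4, ANY_IPV6 = "0.0.0.0/0", "::/0"
DEFAULT_BLOCKED_PORTS = (22, 3389)  # example default; overridden by the blockedPorts rule parameter


def _source_cidrs(permission):
    """Collect source CIDRs from whichever keys the Config schema version used."""
    cidrs = []
    for key, field in (("ipRanges", "cidrIp"), ("ipv4Ranges", "cidrIp"), ("ipv6Ranges", "cidrIpv6")):
        for entry in permission.get(key) or []:
            cidrs.append(entry if isinstance(entry, str) else entry.get(field))
    return [c for c in cidrs if c]


def _covers_port(permission, port):
    """True if the permission's protocol/port range includes the given port."""
    if permission.get("ipProtocol") == "-1":  # all protocols, all ports
        return True
    lo, hi = permission.get("fromPort"), permission.get("toPort")
    return lo is not None and hi is not None and lo <= port <= hi


def evaluate_security_group(configuration, blocked_ports):
    """Return (compliance_type, annotation) for one security group configuration."""
    exposed = set()
    for perm in configuration.get("ipPermissions") or []:
        if any(c in (ANY_IPV4, ANY_IPV6) for c in _source_cidrs(perm)):
            exposed.update(p for p in blocked_ports if _covers_port(perm, p))
    if exposed:
        return "NON_COMPLIANT", "unrestricted ingress on port(s) " + ", ".join(map(str, sorted(exposed)))
    return "COMPLIANT", "no blocked port is open to 0.0.0.0/0 or ::/0"


def parse_blocked_ports(rule_parameters_json):
    """ruleParameters arrives as a JSON string; blockedPorts is a comma-separated list."""
    params = json.loads(rule_parameters_json or "{}")
    raw = params.get("blockedPorts")
    if not raw:
        return list(DEFAULT_BLOCKED_PORTS)
    return [int(p) for p in raw.split(",") if p.strip()]


def build_evaluation(event):
    """Turn one Config invocation event into a put_evaluations entry.

    Returns None when the event carries no configuration item (e.g. a scheduled
    trigger), since this rule only evaluates change notifications.
    """
    invoking = json.loads(event["invokingEvent"])
    item = invoking.get("configurationItem")
    if item is None:
        return None
    out_of_scope = (event.get("eventLeftScope")
                    or item.get("resourceType") != "AWS::EC2::SecurityGroup"
                    or item.get("configurationItemStatus") == "ResourceDeleted")
    if out_of_scope:
        compliance, note = "NOT_APPLICABLE", "resource is not an in-scope security group"
    else:
        compliance, note = evaluate_security_group(
            item.get("configuration") or {}, parse_blocked_ports(event.get("ruleParameters")))
    return {
        "ComplianceResourceType": item.get("resourceType"),
        "ComplianceResourceId": item.get("resourceId"),
        "ComplianceType": compliance,
        "Annotation": note[:256],  # Config caps annotations at 256 characters
        "OrderingTimestamp": item.get("configurationItemCaptureTime")
                             or datetime.now(timezone.utc).isoformat(),
    }


def lambda_handler(event, context):
    """Entry point Config invokes; reports the evaluation back using the result token."""
    evaluation = build_evaluation(event)
    if evaluation is None:
        return None
    import boto3  # imported here so build_evaluation() stays testable offline
    boto3.client("config").put_evaluations(Evaluations=[evaluation], ResultToken=event["resultToken"])
    return evaluation


# Constructed security group and invocation event (not from a real account).
SAMPLE_SG = {"groupId": "sg-00000000", "ipPermissions": [
    {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22, "ipRanges": ["0.0.0.0/0"]},
    {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443, "ipv4Ranges": [{"cidrIp": "0.0.0.0/0"}]},
    {"ipProtocol": "tcp", "fromPort": 3389, "toPort": 3389, "ipv4Ranges": [{"cidrIp": "10.0.0.0/8"}]},
]}
SAMPLE_EVENT = {
    "invokingEvent": json.dumps({
        "messageType": "ConfigurationItemChangeNotification",
        "configurationItem": {"resourceType": "AWS::EC2::SecurityGroup", "resourceId": "sg-00000000",
                              "configurationItemStatus": "OK",
                              "configurationItemCaptureTime": "2016-07-01T00:00:00.000Z",
                              "configuration": SAMPLE_SG}}),
    "ruleParameters": json.dumps({"blockedPorts": "22,3389"}),
    "resultToken": "constructed-token",
    "eventLeftScope": False,
}

if __name__ == "__main__":
    print(json.dumps(build_evaluation(SAMPLE_EVENT), indent=2))
```

Run locally, the sample reports sg-00000000 NON_COMPLIANT for port 22 only: 443 is open to the world but not on the blocked list, and 3389 is restricted to 10.0.0.0/8. Keeping the evaluation logic in pure functions is what lets the rule be unit-tested before it is deployed into the account where it executes.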
30. Evidence for compliance
Many compliance audits require access to the state of your systems at arbitrary times (e.g., PCI, HIPAA).
A complete inventory of all resources and their configuration attributes is available for any point in time.
31. What resources exist?
Discover resources that exist in your account
Discover resources that no longer exist in your account
A complete inventory of all resources and their configuration attributes available via API and console
32. What changed?
It is critical to be able to quickly answer, “What has changed?”
You can quickly identify the recent configuration changes to your resources by using the console or by building custom integrations with the regularly exported resource history files.
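Slides 31 and 32 ask "what exists?", "what no longer exists?" and "what changed?", and point at custom integrations over the files Config exports. The script below is an added example, not code from the deck or from AWS: it compares two Config snapshot files, lists created and deleted resources, names the exact attribute that changed on each surviving resource, and pulls out the resource types a security reviewer would want to look at first. Assumptions: each file is JSON with a top-level configurationItems list whose items carry resourceType, resourceId, configuration and tags (other keys are ignored); the sensitive-type list is this example's triage choice; the two snapshots embedded below are constructed, not real account data.

```python
"""Diff two AWS Config snapshot files. Added example, not from the deck."""
import json

# Resource types whose create/delete/change a reviewer would want to see first
# (a triage list chosen for this example, not a Config setting).
SECURITY_SENSITIVE_TYPES = {"AWS::EC2::SecurityGroup", "AWS::EC2::NetworkAcl",
                            "AWS::EC2::RouteTable", "AWS::CloudTrail::Trail"}
_MISSING = object()


def load_snapshot(text):
    """Index a snapshot file's configurationItems by (resourceType, resourceId)."""
    data = json.loads(text)
    return {(ci["resourceType"], ci["resourceId"]): ci
            for ci in data.get("configurationItems", [])}


def _flatten(value, prefix=""):
    """Yield (dotted.path, leaf) pairs so a diff names the exact attribute that moved."""
    if isinstance(value, dict):
        for k, v in value.items():
            yield from _flatten(v, f"{prefix}{k}.")
    elif isinstance(value, list):
        for i, v in enumerate(value):
            yield from _flatten(v, f"{prefix}{i}.")
    else:
        yield prefix.rstrip("."), value


def _attributes(item):
    """Flattened view of the parts of a configuration item worth diffing."""
    return dict(_flatten({"configuration": item.get("configuration") or {},
                          "tags": item.get("tags") or {}}))


def diff_snapshots(before, after):
    """Return {'created': [...], 'deleted': [...], 'changed': {key: {path: (old, new)}}}."""
    created = sorted(set(after) - set(before))
    deleted = sorted(set(before) - set(after))
    changed = {}
    for key in sorted(set(before) & set(after)):
        old, new = _attributes(before[key]), _attributes(after[key])
        delta = {p: (old.get(p), new.get(p))
                 for p in set(old) | set(new)
                 if old.get(p, _MISSING) != new.get(p, _MISSING)}
        if delta:
            changed[key] = delta
    return {"created": created, "deleted": deleted, "changed": changed}


def security_relevant(diff):
    """Resource keys from the diff whose type is on the sensitive list."""
    keys = list(diff["created"]) + list(diff["deleted"]) + list(diff["changed"])
    return sorted(k for k in keys if k[0] in SECURITY_SENSITIVE_TYPES)


def report(before_text, after_text):
    """Human-readable summary of the diff between two snapshot files."""
    diff = diff_snapshots(load_snapshot(before_text), load_snapshot(after_text))
    lines = [f"created: {diff['created']}", f"deleted: {diff['deleted']}"]
    for key, delta in diff["changed"].items():
        for path, (old, new) in sorted(delta.items()):
            lines.append(f"changed {key[0]} {key[1]}: {path}: {old!r} -> {new!r}")
    lines.append(f"review first: {security_relevant(diff)}")
    return "\n".join(lines)


# Constructed snapshots: a security group whose ingress source widens to the
# whole internet, an instance that disappears, a new group, and an unchanged volume.
BEFORE_SNAPSHOT = json.dumps({"fileVersion": "1.0", "configurationItems": [
    {"resourceType": "AWS::EC2::SecurityGroup", "resourceId": "sg-11111111", "tags": {"Name": "web"},
     "configuration": {"ipPermissions": [{"ipProtocol": "tcp", "fromPort": 443, "toPort": 443,
                                          "ipRanges": ["10.0.0.0/8"]}]}},
    {"resourceType": "AWS::EC2::Instance", "resourceId": "i-aaaaaaaa", "tags": {"Env": "Production"},
     "configuration": {"instanceType": "t2.micro"}},
    {"resourceType": "AWS::EC2::Volume", "resourceId": "vol-cccccccc", "tags": {},
     "configuration": {"encrypted": True}},
]})
AFTER_SNAPSHOT = json.dumps({"fileVersion": "1.0", "configurationItems": [
    {"resourceType": "AWS::EC2::SecurityGroup", "resourceId": "sg-11111111", "tags": {"Name": "web"},
     "configuration": {"ipPermissions": [{"ipProtocol": "tcp", "fromPort": 443, "toPort": 443,
                                          "ipRanges": ["0.0.0.0/0"]}]}},
    {"resourceType": "AWS::EC2::SecurityGroup", "resourceId": "sg-22222222", "tags": {},
     "configuration": {"ipPermissions": []}},
    {"resourceType": "AWS::EC2::Volume", "resourceId": "vol-cccccccc", "tags": {},
     "configuration": {"encrypted": True}},
]})

if __name__ == "__main__":
    print(report(BEFORE_SNAPSHOT, AFTER_SNAPSHOT))
```

Flattening to dotted paths is what turns "sg-11111111 changed" into "configuration.ipPermissions.0.ipRanges.0 went from 10.0.0.0/8 to 0.0.0.0/0", which is the detail an incident responder or auditor actually needs from the history.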
33. Supported resource types
Amazon EC2: EC2 Instance, EC2 Elastic IP (VPC only), EC2 Security Group, EC2 Network Interface
Amazon EBS: EBS Volume
Amazon VPC: VPCs, Network ACLs, Route Table, Subnet, VPN Connection, Internet Gateway, Customer Gateway, VPN Gateway
AWS CloudTrail: Trail
34. Trusted Advisor
35. Trusted Advisor
• Trusted Advisor is a system that:
  • monitors AWS infrastructure services
  • identifies customer configurations
  • compares them to known best practices
  • identifies opportunities to save money, improve system performance and close security gaps
36. Trusted Advisor
• Over 2.6 Million recommendations
• More than $350M in estimated cost savings
• Over 40 checks in 4 categories
• Includes a Free Tier
37. AWS Trusted Advisor
Leverage Trusted Advisor to analyze your AWS resources for best practices for availability, cost, performance and security.
38. AWS security tools: What to use?
AWS Security and Compliance: security of the cloud; services and tools to aid security in the cloud
Service | Type | Use cases
Inspector | On-demand evaluations | Security insights into your application deployments running inside your EC2 instance
Config Rules | Continuous evaluations | Codified internal best practices, misconfigurations, security vulnerabilities, or actions on changes
Trusted Advisor | Periodic evaluations | Cost, performance, reliability, and security checks that apply broadly