Margo Cronin (@MargoCronin), Senior Solutions Architect, Amazon Web Services
Security Automation on AWS
DevOpsSec
AWS Pace of Innovation
[Chart: number of launches per year, 2010 to 2017, rising steeply; 1,430 new features/services launched in 2017]
Deployments at amazon.com
Terminology Disclaimer
import re
# Whichever buzzword you use, it matches the same pattern (the subject string is added here so the line actually runs)
re.search(r'([Dd]ev[Ss]ec|[Ss]ec[Dd]ev|[Rr]ugged\s[Dd]ev)[Oo]ps', 'DevSecOps')
= Security automation
A fundamental principle of DevOps is automation!
- People make mistakes
- People bend the rules
- People act with malice
Machines (still) don't.
4 steps to enable security automation at scale
Step 1: Establish your level of Trust
... Select & configure your tools based on your level of Trust
[Diagram: trust scale from 0 to 100, with key-management options placed along it]
- AWS KMS with AWS Managed Keys
- AWS Secrets Manager
- AWS Key Management Service with Customer Managed Keys
- AWS CloudHSM: Customer Managed Keys in a Hardware Security Module
Step 1: Establish your level of Trust...
[Diagram: TRUST scale, from 0 upward]
- Deploy Kubernetes natively. You manage: etcd, worker nodes, masters
- Elastic Kubernetes Service: Kubernetes endpoint, managed master nodes, native integration with AWS
- Elastic Kubernetes Service with API endpoint authentication and etcd volumes encrypted
Lower on the TRUST scale: more to automate. Higher on the TRUST scale: more automated.
But no matter where you are on the trust scale, plan to integrate security automation
Step 2: Security by Design
[Diagram: Security Ownership at the centre, surrounded by the Security Epics]
Security Epics:
- Identity & Access Mgt
- Config & Vulnerability Analysis
- Incident Response
- Infrastructure Security
- Logging & Monitoring
- Data Protection
- Secure CI/CD
- Privacy by Design
- Every member of your team is a security owner
- Decompose Epics to functional stories
- Create security related acceptance criteria
- Same CI/CD pipeline to roll out security features
Step 3: What are you securing?
1. Security of the CI/CD Pipeline
   - Access roles
   - Hardening build servers/nodes
2. Security in the CI/CD Pipeline
   - Artifact validation
   - Static code analysis
CI/CD for DevOps
[Diagram: pipeline stages Version Control, CI Server, Package Builder, Artifact Repo, Deploy Server, Test Env, Staging Env, Prod Env]
- Dev commits to Git/master; the CI Server gets/pulls the code
- Distributed builds; run tests in parallel
- Send build report to Dev; stop everything if build failed
- Package Builder generates images, code, config and tests and pushes them to the Artifact Repo
- Deployment templates for infrastructure; create/install into Test Env, Staging Env and Prod Env

CI/CD for DevSecOps
[Diagram: the same pipeline with security controls added at each stage]
- Block creds from git; log for audit
- Audit/validate; config checksum
- Continuous scan of the Artifact Repo; scan hook on the deployment templates for infrastructure
- Promote process between Test Env, Staging Env and Prod Env
- Send build report to Security; stop everything if audit/validation failed
Infrastructure as Code: write, version, store, deploy your infrastructure as code
- AWS CloudFormation
- Terraform
Mean Time To Recover
Immutable infrastructure
Step 4: Automate Responses
Log Love. Event Log Love.
What are you doing based on your logs?
Putting it all together
[Diagram: an AWS cloud user, through a role, calls the AWS API against a bucket; AWS CloudTrail records the calls; Amazon CloudWatch triggers AWS Lambda, which notifies your security team and your SaaS tools through Amazon Simple Notification Service]
Use logging services to prevent as well as protect
[Diagram, steps 1 to 4: traffic reaches the Web Servers through Amazon CloudFront, AWS WAF and Elastic Load Balancing; logs land in a bucket and Amazon CloudWatch; AWS Lambda updates the WAF stack with Malicious IPs and notifies your security team]
Ubiquitous logging: log flow
[Diagram: AWS CloudTrail and Amazon EC2 instances, Amazon S3, Amazon EMR, Amazon Redshift, Amazon Glacier]
- AWS CloudTrail and Amazon EC2 instances write raw logs to Amazon S3, with permissions controlling who can read them
- Parse in Amazon EMR and upload to Amazon Redshift
- Analyze with standard BI tools
- Archive to Amazon Glacier
Encrypted end to end!
Ubiquitous logging: what are we looking for?
• Unused permissions
• Overuse of privileged accounts
• Usage of keys
• Anomalous logins
• Policy violations
• System abuse...
• Collect data once, many use cases
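As an added example (not code from the deck or from AWS), this is the kind of check the Lambda in the "Putting it all together" flow could run over CloudTrail records before notifying the security team via SNS. It covers three of the items above: root (privileged) account usage, repeated failed console logins, and policy or key changes. Only the CloudTrail field names (eventName, eventSource, userIdentity, sourceIPAddress, responseElements) are real; the sample events, account id, threshold and the list of watched event names are constructed for the example.

```python
from collections import Counter

ACCT = "111122223333"  # placeholder account id, not a real account

def ev(name, ident_type, arn, ip, source="iam.amazonaws.com", login=None):
    """Build a minimal CloudTrail-shaped record (constructed sample data, not a real log)."""
    rec = {"eventName": name, "eventSource": source, "sourceIPAddress": ip,
           "userIdentity": {"type": ident_type, "arn": arn}}
    if login:
        rec["responseElements"] = {"ConsoleLogin": login}
    return rec

SAMPLE_EVENTS = [
    ev("ConsoleLogin", "Root", f"arn:aws:iam::{ACCT}:root", "203.0.113.10", "signin.amazonaws.com", "Success"),
    ev("ConsoleLogin", "IAMUser", f"arn:aws:iam::{ACCT}:user/alice", "198.51.100.7", "signin.amazonaws.com", "Failure"),
    ev("ConsoleLogin", "IAMUser", f"arn:aws:iam::{ACCT}:user/alice", "198.51.100.7", "signin.amazonaws.com", "Failure"),
    ev("ConsoleLogin", "IAMUser", f"arn:aws:iam::{ACCT}:user/alice", "198.51.100.7", "signin.amazonaws.com", "Failure"),
    ev("DescribeInstances", "IAMUser", f"arn:aws:iam::{ACCT}:user/bob", "192.0.2.5", "ec2.amazonaws.com"),
    ev("PutUserPolicy", "IAMUser", f"arn:aws:iam::{ACCT}:user/bob", "192.0.2.5"),
    ev("StopLogging", "IAMUser", f"arn:aws:iam::{ACCT}:user/bob", "192.0.2.5", "cloudtrail.amazonaws.com"),
]

# API calls that change who can do what, or switch off the audit trail itself
# (a starting list chosen for this example, not an exhaustive one).
POLICY_EVENTS = {"PutUserPolicy", "AttachUserPolicy", "PutRolePolicy",
                 "PutBucketPolicy", "CreateAccessKey", "StopLogging"}

def analyze(events, failed_login_threshold=3):
    """Return (category, principal, detail) findings for three of the checks the slide lists."""
    findings, failures = [], Counter()
    for e in events:
        ident = e.get("userIdentity", {})
        who, name = ident.get("arn", "unknown"), e.get("eventName")
        if ident.get("type") == "Root":            # overuse of privileged accounts
            findings.append(("root-usage", who, name))
        if name in POLICY_EVENTS:                   # policy violations, key issuance, logging disabled
            findings.append(("policy-change", who, name))
        if name == "ConsoleLogin" and e.get("responseElements", {}).get("ConsoleLogin") == "Failure":
            failures[(who, e.get("sourceIPAddress"))] += 1
    for (who, ip), n in failures.items():           # anomalous logins: repeated failures per principal and IP
        if n >= failed_login_threshold:
            findings.append(("anomalous-login", who, f"{n} failed console logins from {ip}"))
    return findings

def sns_message(findings):
    """Text body an SNS notification to the security team would carry."""
    if not findings:
        return "No findings"
    return "\n".join(f"[{cat}] {who}: {detail}" for cat, who, detail in findings)
```

On the sample records this yields four findings: the root console login, three failed logins by alice from one address, and bob's PutUserPolicy and StopLogging calls.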
4 steps to enable security automation at scale
- Establish your level of Trust
- Security by Design
- Security of and in the CI/CD pipeline
- Automated Responses
KEY TAKEAWAYS
- Automation doesn't sleep, eat, or need coffee in the morning
- Security is not an "afterthought"
- Automate security at cloud scale