Sensors on AWS - Amazon Web Services (aws-de-media.s3) - Bertram Dorn, EMEA Specialized Solutions


  • Sensors on AWS. Bertram Dorn, EMEA Specialized Solutions Architect, Security and Compliance

  • Agenda:

    • Overview
    • CloudTrail: Source, Structure, Analytics options
    • VPC FlowLogs: What for, Where from, How structured, How to access them, Some analytics

  • CloudTrail: An Intro

  • What can you answer using a CloudTrail event?

    • Who made the API call?
    • When was the API call made?
    • What was the API call?
    • Which resources were acted upon in the API call?
    • Where was the API call made from and made to?

  • AWS CloudTrail

    CloudTrail can help you achieve many tasks:

    • Security analysis
    • Track changes to AWS resources, for example VPC security groups and NACLs
    • Compliance: log and understand AWS API call history
    • Prove that you did not: use the wrong region; use services you don't want
    • Troubleshoot operational issues: quickly identify the most recent changes to your environment

  • AWS CloudTrail logs can be delivered cross-account

    • Accounts can send their trails to a central account
    • Central account can then do analytics
    • Central account can:
      • Redistribute the trails
      • Grant access to the trails
      • Filter and reformat trails (to meet privacy requirements)

  • Turn on CloudTrail

  • Turn on CloudTrail using AWS CLI

    • Step 1: Create a trail

      $ aws cloudtrail create-trail --region=eu-central-1 \
          --name ITAuditandOpsTrail --s3-bucket mybucket

    • Step 2: Start logging on the trail

      $ aws cloudtrail start-logging --region=eu-central-1 \
          --name ITAuditandOpsTrail

  • What does an event look like?

    {
      "eventVersion": "1.01",
      "userIdentity": {
        "type": "IAMUser",                                  // Who?
        "principalId": "AIDAJDPLRKLG7UEXAMPLE",
        "arn": "arn:aws:iam::123456789012:user/Alice",      // Who?
        "accountId": "123456789012",
        "accessKeyId": "AKIAIOSFODNN7EXAMPLE",
        "userName": "Alice",
        "sessionContext": {
          "attributes": {
            "mfaAuthenticated": "false",
            "creationDate": "2014-03-18T14:29:23Z"
          }
        }
      },
      "eventTime": "2014-03-18T14:30:07Z",                  // When?
      "eventSource": "cloudtrail.amazonaws.com",
      "eventName": "StartLogging",                          // What?
      "awsRegion": "us-west-2",                             // Where to?
      "sourceIPAddress": "72.21.198.64",                    // Where from?
      "userAgent": "AWSConsole, aws-sdk-java/1.4.5 Linux/x.xx.fleetxen Java_HotSpot(TM)_64-Bit_Server_VM/xx",
      "requestParameters": {
        "name": "Default"                                   // Which resource?
      },
      // more event details
    }
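    Added example (not part of the deck): pulling the five who/when/what/which/where answers out of the event above and running the two checks the "Prove that you did not" slide asks for. The allowed-region set and the finding texts are assumptions; the sample event is the slide's, with AWS's EXAMPLE ids.

```python
import json
from datetime import datetime

# Constructed sample event, copied from the slide above (EXAMPLE account/key ids, not real ones).
SAMPLE_EVENT = json.loads("""{
  "eventVersion": "1.01",
  "userIdentity": {
    "type": "IAMUser",
    "principalId": "AIDAJDPLRKLG7UEXAMPLE",
    "arn": "arn:aws:iam::123456789012:user/Alice",
    "accountId": "123456789012",
    "accessKeyId": "AKIAIOSFODNN7EXAMPLE",
    "userName": "Alice",
    "sessionContext": {"attributes": {"mfaAuthenticated": "false", "creationDate": "2014-03-18T14:29:23Z"}}
  },
  "eventTime": "2014-03-18T14:30:07Z",
  "eventSource": "cloudtrail.amazonaws.com",
  "eventName": "StartLogging",
  "awsRegion": "us-west-2",
  "sourceIPAddress": "72.21.198.64",
  "requestParameters": {"name": "Default"}
}""")

# Hypothetical allow-list: regions this organisation uses; anything else is "the wrong region".
ALLOWED_REGIONS = {"eu-central-1", "eu-west-1"}

def summarize(event):
    """Answer the slide's questions: who, when, what, which resource, where from / where to."""
    ident = event.get("userIdentity", {})
    attrs = ident.get("sessionContext", {}).get("attributes", {})
    return {
        "who": ident.get("arn") or ident.get("principalId"),
        "when": datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ"),
        "what": f'{event["eventSource"]}:{event["eventName"]}',
        "which": event.get("requestParameters") or {},
        "from": event.get("sourceIPAddress"),
        "to": event.get("awsRegion"),
        "mfa": attrs.get("mfaAuthenticated") == "true",
    }

def findings(event, allowed_regions=ALLOWED_REGIONS):
    """Policy checks for one event; an empty list means nothing to report."""
    s = summarize(event)
    out = []
    if s["to"] not in allowed_regions:
        out.append(f'API call in non-allowed region {s["to"]}')
    if not s["mfa"] and s["what"].startswith("cloudtrail.amazonaws.com:"):
        out.append("CloudTrail configuration changed by a session without MFA")
    return out
```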

  • Receive email notifications of specific API activity

    (Diagram; only the label "Lambda" survived extraction)

  • CloudTrail:  Demo

  • VPC  FlowLogs:  Detailed

  • Firewall Requirements, based on NIST 800, BSI IT-Grundschutz and others

    – Anti-Spoofing
    – Packet-Filtering (minimum) stateful/stateless
    – Segregation of Duties at the management side
    – Logging/Audit capabilities on the management side
    – Event-Logging on processed traffic

    (Diagram mapping these requirements to AWS controls: Security Group, IAM, AWS Config, CloudTrail, FlowLogs)

  • The Source I

    (Diagram: CloudWatch Logs → LogGroup → one ENI-LogStream per ENI)

  • The Source II

    (Diagram: a VPC spanning Availability Zone A and Availability Zone B with a Router, Virtual Private Gateway and Internet Gateway; subnets 10.0.0.0/24 and 10.0.1.0/24, each with its own Routing Table and Network ACL; Security Groups on the instances. Labels: Flows; Lockdown at instance level; Isolate network functions; Lockdown at network level; Route restrictively)

  • Structure I

    Fields of a flow log record, in order:

    Event-Version, Account Number, ENI-ID, Source-IP, Destination-IP, Source-Port, Destination-Port, Proto-Number, Number of Packets, Number of Bytes, Start-Time Window, End-Time Window, Action, State

    Example record:

    2 123456789 eni-31607853 172.16.0.10 172.16.0.172 80 41707 6 1 40 1440402534 1440402589 ACCEPT OK

  • Structure II

    Flow Logs are statistical: each record summarises activity in a window of time, described by Start-Time Window, End-Time Window, Number of Packets, Number of Bytes and Action.

  • Structure III

    (Diagram: TIME against the source/destination IP/port tuple, marked with a "?")

  • Example

  • How To Access

    (Diagram: CloudWatch Logs → LogGroup → one ENI-LogStream per ENI; labels Start, End, TIME)

  • Some Analytics

    Time -> 1 Month, 2 Public IPs

    ('Number of Source IPs: ', 48604)
    ('Number of Destionation IPs: ', 5373)
    ('Number of Source Ports: ', 64363)
    ('Number of Destionation Ports: ', 64348)
    ('Number of Bytes IPs: ', 887551682.0)
    ('Number of Packets IPs: ', 8400707.0)
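    Added example (not the deck's or the speaker's code) covering both the "Structure I" record layout and the counts on this "Some Analytics" slide: a parser for the space-separated version-2 record, and the same distinct-IP/port and byte/packet totals computed over it. The slide's record is used as-is; the REJECT row and the NODATA row (where absent fields are "-") are constructed, and the field names are my own.

```python
from datetime import datetime, timezone

# Field order of a version-2 flow log record, as listed on the "Structure I" slide.
FIELDS = ("version", "account_id", "interface_id", "srcaddr", "dstaddr", "srcport",
          "dstport", "protocol", "packets", "bytes", "start", "end", "action", "log_status")
INT_FIELDS = {"version", "srcport", "dstport", "protocol", "packets", "bytes"}
TIME_FIELDS = {"start", "end"}

def parse_record(line):
    """Parse one space-separated record into a dict.

    A '-' marks a field that is absent on NODATA/SKIPDATA rows; it becomes None.
    start/end are epoch seconds bounding the aggregation window, not a single packet."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
    rec = {}
    for name, value in zip(FIELDS, parts):
        if value == "-":
            rec[name] = None
        elif name in INT_FIELDS:
            rec[name] = int(value)
        elif name in TIME_FIELDS:
            rec[name] = datetime.fromtimestamp(int(value), tz=timezone.utc)
        else:
            rec[name] = value
    return rec

def analytics(lines):
    """Distinct src/dst IPs and ports plus byte/packet totals over OK records, as on the slide."""
    flows = [f for f in map(parse_record, lines) if f["log_status"] == "OK"]
    return {
        "source_ips": len({f["srcaddr"] for f in flows}),
        "destination_ips": len({f["dstaddr"] for f in flows}),
        "source_ports": len({f["srcport"] for f in flows}),
        "destination_ports": len({f["dstport"] for f in flows}),
        "bytes": sum(f["bytes"] for f in flows),
        "packets": sum(f["packets"] for f in flows),
        "rejected": sum(1 for f in flows if f["action"] == "REJECT"),
        "window_seconds": max(((f["end"] - f["start"]).total_seconds() for f in flows), default=0),
    }

# Constructed sample: the record from the slide plus two invented rows (a REJECT and a NODATA row).
SAMPLE = [
    "2 123456789 eni-31607853 172.16.0.10 172.16.0.172 80 41707 6 1 40 1440402534 1440402589 ACCEPT OK",
    "2 123456789 eni-31607853 198.51.100.7 172.16.0.10 51000 22 6 3 180 1440402534 1440402589 REJECT OK",
    "2 123456789 eni-31607853 - - - - - - - 1440402534 1440402589 - NODATA",
]
```

    NODATA rows are skipped in the totals but are still worth counting separately: a stream that is nothing but NODATA for an ENI that should be busy is itself a signal.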


  • FlowLogs:  Demo

  • Thank  You