Sensors on AWS Bertram Dorn EMEA Specialized Solutions Architect Security and Compliance



Agenda:
• Overview
• CloudTrail
  – Source
  – Structure
  – Analytics options
• VPC FlowLogs
  – What for
  – Where from
  – How structured
  – How to access them
  – Some analytics

CloudTrail: An Intro

What can you answer using a CloudTrail event?
• Who made the API call?
• When was the API call made?
• What was the API call?
• Which resources were acted upon in the API call?
• Where was the API call made from and made to?

AWS CloudTrail

CloudTrail can help you achieve many tasks
• Security analysis
• Track changes to AWS resources, for example VPC security groups and NACLs
• Compliance – log and understand AWS API call history
• Prove that you did not:
  – Use the wrong region
  – Use services you don’t want
• Troubleshoot operational issues – quickly identify the most recent changes to your environment

AWS CloudTrail logs can be delivered cross-account
• Accounts can send their trails to a central account
• Central account can then do analytics
• Central account can:
  – Redistribute the trails
  – Grant access to the trails
  – Filter and reformat trails (to meet privacy requirements)

Turn on CloudTrail

Turn on CloudTrail using AWS CLI
• Step 1: Create a trail

    $ aws cloudtrail create-trail --region=eu-central-1 \
        --name ITAuditandOpsTrail --s3-bucket mybucket

• Step 2: Start logging on the trail

    $ aws cloudtrail start-logging --region=eu-central-1 \
        --name ITAuditandOpsTrail

What does an event look like?

{
    "eventVersion": "1.01",
    "userIdentity": {
        "type": "IAMUser",                                 // Who?
        "principalId": "AIDAJDPLRKLG7UEXAMPLE",
        "arn": "arn:aws:iam::123456789012:user/Alice",    // Who?
        "accountId": "123456789012",
        "accessKeyId": "AKIAIOSFODNN7EXAMPLE",
        "userName": "Alice",
        "sessionContext": {
            "attributes": {
                "mfaAuthenticated": "false",
                "creationDate": "2014-03-18T14:29:23Z"
            }
        }
    },
    "eventTime": "2014-03-18T14:30:07Z",                   // When?
    "eventSource": "cloudtrail.amazonaws.com",
    "eventName": "StartLogging",                           // What?
    "awsRegion": "us-west-2",                              // Where to?
    "sourceIPAddress": "72.21.198.64",                     // Where from?
    "userAgent": "AWSConsole, aws-sdk-java/1.4.5 Linux/x.xx.fleetxen Java_HotSpot(TM)_64-Bit_Server_VM/xx",
    "requestParameters": {
        "name": "Default"                                  // Which resource?
    },
    // more event details
}
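The five questions from the intro slide map directly onto fields of the event above. The following is an added example (not code from the slides) that pulls those answers out of an event and decides whether it warrants a notification, which is the kind of filter the "email notifications of specific API activity" setup needs. The sample event is constructed from the record shown above; the watch-list of event names is an assumption made for this example, and the `{"Records": [...]}` wrapper is the form in which CloudTrail delivers log files to S3.

```python
"""Answer who / when / what / where / which for a CloudTrail event and
decide whether it deserves a notification.

Added example; not code from the slides. SAMPLE_EVENT is constructed from
the record shown above; WATCHED is a hypothetical watch-list.
"""
import json

# Constructed sample: the slide's example record as a dict.
SAMPLE_EVENT = {
    "eventVersion": "1.01",
    "userIdentity": {
        "type": "IAMUser",
        "principalId": "AIDAJDPLRKLG7UEXAMPLE",
        "arn": "arn:aws:iam::123456789012:user/Alice",
        "accountId": "123456789012",
        "accessKeyId": "AKIAIOSFODNN7EXAMPLE",
        "userName": "Alice",
        "sessionContext": {
            "attributes": {
                "mfaAuthenticated": "false",
                "creationDate": "2014-03-18T14:29:23Z",
            }
        },
    },
    "eventTime": "2014-03-18T14:30:07Z",
    "eventSource": "cloudtrail.amazonaws.com",
    "eventName": "StartLogging",
    "awsRegion": "us-west-2",
    "sourceIPAddress": "72.21.198.64",
    "userAgent": "AWSConsole, aws-sdk-java/1.4.5",
    "requestParameters": {"name": "Default"},
}

# Hypothetical watch-list (assumption, not from the slides): calls that
# change the trail itself, i.e. someone altering or switching off the sensor.
WATCHED = {
    "cloudtrail.amazonaws.com": {"StartLogging", "StopLogging",
                                 "DeleteTrail", "UpdateTrail"},
}


def summarise(event):
    """Map one CloudTrail event onto the five questions from the slide."""
    identity = event.get("userIdentity", {})
    attrs = identity.get("sessionContext", {}).get("attributes", {})
    return {
        "who": identity.get("arn") or identity.get("principalId", "unknown"),
        "when": event.get("eventTime"),
        "what": event.get("eventName"),
        "service": event.get("eventSource"),
        "where_from": event.get("sourceIPAddress"),
        "where_to": event.get("awsRegion"),
        "which": event.get("requestParameters") or {},
        # CloudTrail writes this flag as the strings "true" / "false"
        "mfa": attrs.get("mfaAuthenticated") == "true",
    }


def should_notify(event):
    """Notify on watch-listed calls and on any call made without MFA."""
    s = summarise(event)
    watched = s["what"] in WATCHED.get(s["service"], set())
    return watched or not s["mfa"]


def triage(raw):
    """Process a CloudTrail log body, either a single event or the S3
    delivery form {"Records": [...]}; return the summaries to notify on."""
    body = json.loads(raw)
    events = body["Records"] if isinstance(body, dict) and "Records" in body else [body]
    return [summarise(e) for e in events if should_notify(e)]


if __name__ == "__main__":
    for hit in triage(json.dumps({"Records": [SAMPLE_EVENT]})):
        print("NOTIFY: %(who)s did %(what)s at %(when)s from %(where_from)s "
              "in %(where_to)s on %(which)s (mfa=%(mfa)s)" % hit)
```

The sample event fires twice over: `StartLogging` is on the watch-list and the session was not MFA-authenticated. In a Lambda deployment the `triage` call would run once per delivered log file and its output would feed the email step.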

Receive email notifications of specific API activity (diagram: Lambda)

CloudTrail:  Demo

VPC  FlowLogs:  Detailed

Firewall Requirements
• Based on NIST 800, BSI IT-Grundschutz and others
  – Anti-Spoofing
  – Packet-Filtering (minimum) stateful/stateless
  – Segregation of Duties at the management side
  – Logging/Audit capabilities on the management side
  – Event-Logging on processed traffic

(diagram: the AWS controls listed against these requirements are Security Group, IAM, AWS Config, CloudTrail and FlowLogs)

The Source I

(diagram: a CloudWatch Logs LogGroup containing one ENI-LogStream per network interface)

The Source II

(diagram: Flows through a VPC; subnets 10.0.0.0/24 and 10.0.1.0/24 in Availability Zones A and B, each with its own Routing Table and Network ACL; Security Groups on the instances; a Router, a Virtual Private Gateway and an Internet Gateway. Annotations: Lockdown at instance level, Isolate network functions, Lockdown at network level, Route restrictively.)

Structure I

Fields of a flow log record, in order:
• Event-Version
• Account-Number
• ENI-ID
• Source-IP
• Destination-IP
• Source-Port
• Destination-Port
• Proto-Number
• Number of Packets
• Number of Bytes
• Start-Time Window
• End-Time Window
• Action
• State

Example record:

    2 123456789 eni-31607853 172.16.0.10 172.16.0.172 80 41707 6 1 40 1440402534 1440402589 ACCEPT OK

Structure II

Flow Logs are STATISTICAL about activity in a window of time; the fields that describe the window are:
• Start-Time Window
• End-Time Window
• Number of Packets
• Number of Bytes
• Action

Structure III

(diagram: TIME on one axis against the source/destination IP/port tuple, with an example flow and a question mark for gaps between windows)

How To Access

(diagram: the CloudWatch Logs LogGroup with its ENI-LogStreams, read over a Start to End TIME range)

Some Analytics

Time -> 1 Month, 2 Public IPs

('Number of Source IPs: ', 48604)
('Number of Destionation IPs: ', 5373)
('Number of Source Ports: ', 64363)
('Number of Destionation Ports: ', 64348)
('Number of Bytes IPs: ', 887551682.0)
('Number of Packets IPs: ', 8400707.0)
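The counts printed above come from walking flow log records laid out as in Structure I, where each record is one window's aggregate (Structure II). The following is an added example, not code from the slides, that parses that 14-field record format and produces the same kind of statistics; the first sample line is the slide's own example record and the rest are constructed, the `NODATA` handling follows the log-status field, and the REJECT grouping at the end is an assumption about what a first analytic pass on the window aggregates might look like.

```python
"""Parse VPC Flow Log records (the 14-field format from 'Structure I')
and compute the window statistics from 'Some Analytics'.

Added example, not code from the slides. The first record in SAMPLE_LOG is
the slide's own example; the remaining records are constructed.
"""
from collections import namedtuple

# Field order of a flow log record, as laid out on the Structure I slide.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()
FlowRecord = namedtuple("FlowRecord", FIELDS)

# Constructed sample log (line 1 is the slide's example record).
SAMPLE_LOG = """\
2 123456789 eni-31607853 172.16.0.10 172.16.0.172 80 41707 6 1 40 1440402534 1440402589 ACCEPT OK
2 123456789 eni-31607853 172.16.0.172 172.16.0.10 41707 80 6 3 180 1440402534 1440402589 ACCEPT OK
2 123456789 eni-31607853 198.51.100.7 172.16.0.10 51234 22 6 1 44 1440402534 1440402589 REJECT OK
2 123456789 eni-31607853 198.51.100.7 172.16.0.10 51235 23 6 1 44 1440402534 1440402589 REJECT OK
2 123456789 eni-31607853 - - - - - - - 1440402534 1440402589 - NODATA
"""


def parse(text):
    """Turn raw flow log lines into FlowRecords with numeric counters.

    Lines whose State (log-status) is not OK carry no flow tuple (NODATA,
    SKIPDATA) and are dropped, as are lines with the wrong field count."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue
        rec = FlowRecord(*parts)
        if rec.log_status != "OK":
            continue
        records.append(rec._replace(packets=int(rec.packets), bytes=int(rec.bytes),
                                    start=int(rec.start), end=int(rec.end)))
    return records


def summarise(records):
    """The counts the 'Some Analytics' slide prints, plus the REJECT total."""
    return {
        "source_ips": len({r.srcaddr for r in records}),
        "dest_ips": len({r.dstaddr for r in records}),
        "source_ports": len({r.srcport for r in records}),
        "dest_ports": len({r.dstport for r in records}),
        "bytes": sum(r.bytes for r in records),
        "packets": sum(r.packets for r in records),
        "rejects": sum(1 for r in records if r.action == "REJECT"),
    }


def rejected_ports_by_source(records, min_ports=2):
    """Sources whose REJECTed flows touched at least `min_ports` distinct
    destination ports in the window. Because each record is already a
    per-window aggregate, this is a cheap first look at who is being
    blocked repeatedly at an ENI (hypothetical analytic, not the slides')."""
    ports = {}
    for r in records:
        if r.action == "REJECT":
            ports.setdefault(r.srcaddr, set()).add(r.dstport)
    return {src: sorted(p) for src, p in ports.items() if len(p) >= min_ports}


if __name__ == "__main__":
    recs = parse(SAMPLE_LOG)
    for key, value in summarise(recs).items():
        print("Number of %s: %s" % (key, value))
    print("Rejected sources:", rejected_ports_by_source(recs))
```

Ports are kept as strings because a record with `-` in the port fields (the NODATA case) would otherwise break the integer conversion; only the counters and the window timestamps are converted.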



FlowLogs:  Demo

Thank  You