Using AWS Networking and Logging Features to Enhance Security | AWS Public Sector Summit 2016

Post on 12-Apr-2017



© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

June 2016

Using AWS Networking and Logging Features to Enhance Security

Nathan McGuirt, Senior Solutions Architect, AWS

Dave Rogers, Head of Architecture & Security, UK MOJ Digital & Technology

Expectations

Managing traditional networks is hard

Lack of visibility

Heavy technical lift

Crunchy exterior, soft center

credit: theilr/flickr

Network enforcement tools

[Diagram: servers in Amazon Virtual Private Cloud VPC A and VPC B use overlapping private addresses (192.168.0.3, 192.168.0.4, 192.168.1.3, 192.168.1.4); the mapping service maps each of them to a distinct underlying host address (10.0.0.2 to 10.0.0.5)]

Enforcement—security groups

Web Server Security Group

• Allow Inbound HTTP from 0.0.0.0/0

• Allow Inbound HTTPS from 0.0.0.0/0

• Allow Outbound SQL to DB Servers

DB Security Group

• Allow Inbound SQL from Web Servers

AD Member Security Group

• Allow Outbound AD traffic to AD Servers

[Diagram: TCP 139 marked as blocked]

Enforcement—VPC subnet ACLs

[Diagram: a security group attached to instances inside a VPC subnet, with the subnet ACL enforced at the subnet boundary]
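The two slides above describe the two layers of network enforcement inside a VPC without spelling out how they differ when a packet arrives. The following Python model is an added example, not code from the talk or from AWS: it encodes the web-tier and DB-tier groups from the security-group slide (with the DB tier admitting SQL only from members of the web group) and a subnet ACL that blocks TCP 139, then checks flows against both. The hosts, addresses, group names and ACL rule numbers are constructed for the example; the semantics modelled are the documented ones, namely that security groups are stateful and allow-only while network ACLs are stateless, ordered and end in an implicit deny.

```python
"""Model how an AWS security group and a subnet network ACL admit a flow.

Added example, not code from the talk. The rule sets are constructed to mirror the
slides: a web-tier group, a DB-tier group that admits SQL only from the web tier, and a
subnet ACL that blocks TCP 139. Semantics modelled as AWS documents them: security
groups are stateful and allow-only (a flow passes when the sender's outbound rules and
the receiver's inbound rules both allow it; replies are implied); network ACLs are
stateless, ordered by rule number with the first match winning, and end in an implicit
deny, so reply traffic needs its own rule.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

ANY = ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class SGRule:
    proto: str
    from_port: int
    to_port: int
    cidr: object = None   # peer address range ...
    sg: str = None        # ... or the name of a peer security group


@dataclass
class SecurityGroup:
    name: str
    ingress: list = field(default_factory=list)
    egress: list = field(default_factory=list)


def _sg_match(rule, proto, port, peer_ip, peer_sg):
    if rule.proto != proto or not rule.from_port <= port <= rule.to_port:
        return False
    if rule.sg is not None:   # group reference: matches any member of that group
        return peer_sg is not None and peer_sg.name == rule.sg
    return peer_ip in rule.cidr


def sg_allows(src, dst, proto, port):
    """src and dst are (ip, group); group None means a host outside AWS.
    Stateful: only the initiating direction is checked, replies are implied."""
    src_ip, src_sg = src
    dst_ip, dst_sg = dst
    out_ok = src_sg is None or any(_sg_match(r, proto, port, dst_ip, dst_sg) for r in src_sg.egress)
    in_ok = dst_sg is None or any(_sg_match(r, proto, port, src_ip, src_sg) for r in dst_sg.ingress)
    return out_ok and in_ok


@dataclass(frozen=True)
class ACLRule:
    number: int
    proto: str      # "tcp", "udp" or "all"
    from_port: int
    to_port: int
    cidr: object
    action: str     # "allow" or "deny": ACLs can deny explicitly, groups cannot


def acl_decision(rules, proto, port, peer_ip):
    """Stateless: lowest-numbered matching rule wins; no match means deny."""
    for r in sorted(rules, key=lambda r: r.number):
        if r.proto not in ("all", proto):
            continue
        if r.proto != "all" and not r.from_port <= port <= r.to_port:
            continue
        if peer_ip in r.cidr:
            return r.action
    return "deny"


def acl_allows_session(inbound, outbound, client_ip, server_port, client_port):
    """A TCP session needs the request admitted inbound and the reply, sent to the
    client's ephemeral port, admitted outbound; forgetting the second rule is the
    classic stateless-ACL mistake."""
    return (acl_decision(inbound, "tcp", server_port, client_ip) == "allow"
            and acl_decision(outbound, "tcp", client_port, client_ip) == "allow")


# Constructed rule sets mirroring the slides.
WEB = SecurityGroup("web",
                    ingress=[SGRule("tcp", 80, 80, cidr=ANY), SGRule("tcp", 443, 443, cidr=ANY)],
                    egress=[SGRule("tcp", 3306, 3306, sg="db")])
DB = SecurityGroup("db", ingress=[SGRule("tcp", 3306, 3306, sg="web")])
WEB_HOST = (ip_address("10.10.1.20"), WEB)
DB_HOST = (ip_address("10.10.2.30"), DB)
INTERNET = (ip_address("203.0.113.9"), None)
WEB_ACL_IN = [ACLRule(100, "tcp", 443, 443, ANY, "allow"), ACLRule(110, "tcp", 139, 139, ANY, "deny")]
WEB_ACL_OUT = [ACLRule(100, "tcp", 1024, 65535, ANY, "allow")]   # replies to ephemeral ports

if __name__ == "__main__":
    print("internet -> web:443", sg_allows(INTERNET, WEB_HOST, "tcp", 443))   # True
    print("internet -> db:3306", sg_allows(INTERNET, DB_HOST, "tcp", 3306))   # False
    print("web -> db:3306", sg_allows(WEB_HOST, DB_HOST, "tcp", 3306))        # True
    print("db -> web:80", sg_allows(DB_HOST, WEB_HOST, "tcp", 80))            # False: db has no egress rule
    print("ACL session", acl_allows_session(WEB_ACL_IN, WEB_ACL_OUT, INTERNET[0], 443, 51000))  # True
    print("ACL, no reply rule", acl_allows_session(WEB_ACL_IN, [], INTERNET[0], 443, 51000))    # False
```

Two things the model makes visible: a group reference (`sg="db"`) follows membership rather than addresses, so the DB tier stays closed to an internet host even on the SQL port, and an ACL with an inbound allow but no outbound rule for the client's ephemeral port silently breaks every session, which is why ACLs are usually kept coarse and the fine-grained policy lives in security groups.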

Enforcement—VPC route tables

[Diagram: several VPC subnets; the route tables of some carry a 0.0.0.0/0 default route, while one subnet's table has local routes only, so its instances have no path to the internet]

Enforcement: AWS WAF (Web Application Firewall)

[Diagram: admins define rules in the AWS Management Console and developers through the AWS API; AWS WAF deploys the protection in front of a web app served through Amazon CloudFront]

Traffic isolation—VPN and AWS Direct Connect

[Diagram, VPN: a customer gateway on the corporate network (192.168.0.0/16) connects to a virtual gateway in the VPC (172.31.0.0/16) over two IPsec tunnels]

[Diagram, AWS Direct Connect: private fiber from the corporate network (192.168.0.0/16) to the VPC via a peering facility]

Traffic isolation—VPC endpoints

[Diagram: a VPC (10.10.0.0/16) with subnets 10.10.1.0/24 in AZ A and 10.10.2.0/24 in AZ B reaching an AWS service through a VPC endpoint]

Isolation—VPC peering

Logging

Amazon CloudWatch Logs

Logging: VPC Flow Logs

[Diagram: the same VPC (10.10.0.0/16, subnets 10.10.1.0/24 in AZ A and 10.10.2.0/24 in AZ B) with flow logs enabled]

Logging—AWS CloudTrail

"Records": [{
    "eventVersion": "1.0",
    "userIdentity": { ... "arn": "arn:aws:iam::123456789012:user/Alice", ... },
    "eventTime": "2015-03-24T21:11:59Z",
    "eventSource": "iam.amazonaws.com",
    "eventName": "CreateUser",
    "awsRegion": "us-east-1",
    "sourceIPAddress": "55.55.55.55",
    ...

Logging—Elastic Load Balancing, CloudFront, Amazon S3 access logs

[Diagram: Elastic Load Balancing logs, CloudFront logs and Amazon S3 bucket logs are all written to a logging destination bucket]

Change control

Change control—AWS Config

[Diagram: AWS Config records changing resources, normalizes and stores their configuration history, and delivers it through its APIs as a stream or as a snapshot (ex. 2014-11-05)]

Change control—AWS CloudFormation

[Diagram: Template → Stack, via AWS CloudFormation]

Orchestrate changes across AWS services

Use as a foundation for AWS Service Catalog products

Use with source code repositories to manage infrastructure changes

JSON-based text file describing infrastructure

Resources created from a template can be updated; updates can be restricted

Change control—CloudFormation change sets

Separation of Duties

Making use of logs

Example events of concern

• Configuration changes that impact the ability to detect or understand events

• Activities that are inconsistent with expectations

• Activities that violate policy

Monitoring logging status—CloudTrail

[Pipeline: CloudTrail events → CloudWatch Logs → CloudWatch Logs metric filter → CloudWatch metric → CloudWatch alarm → air-raid siren]

Metric filter: "FilterPattern": "{ ($.eventName = StopLogging) }"
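The metric filter on the slide is the whole detection: if the pattern is wrong, the siren never sounds. The following Python is an added example, not code from the talk or from AWS. It implements the subset of the CloudWatch Logs JSON filter-pattern syntax the slide uses (`$.field = value`, `!=`, `&&`, `||`, parentheses and `*` wildcards in values) so a pattern can be tried offline against real CloudTrail records before it guards an alarm, and it widens the slide's pattern to the other CloudTrail-tampering calls (DeleteTrail, UpdateTrail). Giving `&&` precedence over `||`, exact case-sensitive comparison and treating an absent field as a non-match are this example's choices, not a statement of CloudWatch's own behaviour; the records are constructed, reusing the values from the CloudTrail slide.

```python
"""Evaluate CloudWatch Logs JSON metric-filter patterns against CloudTrail records.

Added example, not code from the talk or from AWS. Implements the subset of the
filter-pattern syntax the slide uses ($.field = value, !=, &&, ||, parentheses and '*'
wildcards) so a pattern can be tried offline before it guards an alarm. && binding
tighter than ||, case-sensitive comparison and "absent field never matches" are this
example's choices, not CloudWatch's documented behaviour. Records are constructed.
"""
import json
import re
from fnmatch import fnmatchcase

_TOKEN = re.compile(r'\s*(\(|\)|&&|\|\||!=|=|"[^"]*"|[^\s()=!&|]+)')


def _tokenize(pattern):
    body = pattern.strip()
    if not (body.startswith("{") and body.endswith("}")):
        raise ValueError("a JSON filter pattern is enclosed in braces")
    return _TOKEN.findall(body[1:-1])


class _Parser:
    """or := and ('||' and)*;  and := atom ('&&' atom)*;  atom := '(' or ')' | term"""

    def __init__(self, tokens):
        self.toks = list(tokens)

    def _peek(self):
        return self.toks[0] if self.toks else None

    def _take(self):
        return self.toks.pop(0) if self.toks else None

    def _or(self):
        left = self._and()
        while self._peek() == "||":
            self._take()
            left = ("or", left, self._and())
        return left

    def _and(self):
        left = self._atom()
        while self._peek() == "&&":
            self._take()
            left = ("and", left, self._atom())
        return left

    def _atom(self):
        if self._peek() == "(":
            self._take()
            node = self._or()
            if self._take() != ")":
                raise ValueError("missing ')'")
            return node
        selector, op, value = self._take(), self._take(), self._take()
        if not (selector and selector.startswith("$.") and op in ("=", "!=") and value):
            raise ValueError(f"bad term {selector!r} {op!r} {value!r}")
        if value.startswith('"'):
            value = value[1:-1]
        return ("cmp", selector[2:].split("."), op, value)


def compile_pattern(pattern):
    """Parse into nested ('and'|'or', left, right) / ('cmp', path, op, value) tuples."""
    parser = _Parser(_tokenize(pattern))
    node = parser._or()
    if parser._peek() is not None:
        raise ValueError(f"unexpected token {parser._peek()!r}")
    return node


def _eval(node, record):
    if node[0] == "or":
        return _eval(node[1], record) or _eval(node[2], record)
    if node[0] == "and":
        return _eval(node[1], record) and _eval(node[2], record)
    _, path, op, value = node
    actual = record
    for key in path:                        # walk $.a.b.c through nested objects
        actual = actual.get(key) if isinstance(actual, dict) else None
    if actual is None:
        return False
    hit = fnmatchcase(str(actual), value)
    return hit if op == "=" else not hit


def count_matches(pattern, log_lines):
    """Metric-filter stage: how many log events (one JSON record per line) match.
    The alarm stage is a threshold on this count; for StopLogging it should be 1."""
    node = compile_pattern(pattern)
    return sum(1 for line in log_lines if _eval(node, json.loads(line)))


def _record(source, name, when):          # constructed CloudTrail record
    return {"eventVersion": "1.0", "eventTime": when, "eventSource": source, "eventName": name,
            "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/Alice"},
            "awsRegion": "us-east-1", "sourceIPAddress": "55.55.55.55"}


SAMPLE_LINES = [json.dumps(_record(*r)) for r in [
    ("iam.amazonaws.com", "CreateUser", "2015-03-24T21:11:59Z"),
    ("ec2.amazonaws.com", "DescribeInstances", "2015-03-24T21:12:07Z"),
    ("cloudtrail.amazonaws.com", "StopLogging", "2015-03-24T21:30:02Z")]]
SLIDE_PATTERN = '{ ($.eventName = StopLogging) }'
TRAIL_TAMPER = ('{ ($.eventSource = cloudtrail.amazonaws.com) && (($.eventName = StopLogging)'
                ' || ($.eventName = DeleteTrail) || ($.eventName = UpdateTrail)) }')
```

`count_matches(SLIDE_PATTERN, SAMPLE_LINES)` finds the one StopLogging record; `TRAIL_TAMPER` is the pattern a practitioner would actually deploy, since an attacker who wants to blind CloudTrail can delete or redirect the trail as easily as stop it. Feeding a day of exported CloudTrail lines through the same function before creating the metric filter shows how noisy a candidate pattern will be.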

Monitoring for unexpected (network) behavior

[Pipeline: VPC → VPC Flow Logs → CloudWatch Logs metric filter → CloudWatch alarm → AWS Lambda function]

Filters: Rejected; Source: Internal

At some meaningful rate, fire an alarm

Take an automated action: cut off network access
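The slide names the three stages (filter, rate threshold, automated action) but not what a flow-log record looks like or how "some meaningful rate" turns into a decision. The following Python is an added example, not code from the talk or from AWS. It parses the default version-2 VPC Flow Log record format that AWS documents, applies the slide's two filters (action REJECT, source inside the VPC), counts rejects per source per one-minute window and names the network interfaces to cut off once a threshold is crossed. The VPC range, account id, interface ids and log lines are constructed; the cut-off itself (for example moving the interface into a quarantine security group from a Lambda function) is left to the caller.

```python
"""Flag an internal host that is generating a burst of REJECTed flows.

Added example, not code from the talk. Parses the default version-2 VPC Flow Log record
(version account-id interface-id srcaddr dstaddr srcport dstport protocol packets bytes
start end action log-status), applies the slide's filters (REJECT, internal source),
counts rejects per source per one-minute window and names the interfaces to cut off.
The VPC range, account, interface ids and log lines below are constructed.
"""
from collections import Counter
from ipaddress import ip_address, ip_network
from typing import NamedTuple

VPC_CIDR = ip_network("10.10.0.0/16")   # the slide's VPC


class Flow(NamedTuple):
    eni: str
    src: object
    dst: object
    srcport: int
    dstport: int
    proto: int
    start: int
    action: str


def parse_line(line):
    """Return a Flow, or None for NODATA/SKIPDATA records whose fields are '-'."""
    f = line.split()
    if len(f) != 14:
        raise ValueError(f"expected 14 fields, got {len(f)}: {line!r}")
    if f[13] != "OK":
        return None
    return Flow(f[2], ip_address(f[3]), ip_address(f[4]), int(f[5]), int(f[6]),
                int(f[7]), int(f[10]), f[12])


def load(lines):
    return [fl for fl in map(parse_line, lines) if fl is not None]


def internal_rejects(flows):
    """The slide's filters: action REJECT and source inside the VPC."""
    return [fl for fl in flows if fl.action == "REJECT" and fl.src in VPC_CIDR]


def reject_rate(flows, window=60):
    """Metric-filter stage: rejects per (source address, window) bucket."""
    return Counter((str(fl.src), fl.start // window) for fl in internal_rejects(flows))


def enis_to_cut_off(flows, threshold=5, window=60):
    """Alarm + action stage: sources over the threshold in any window, mapped to the
    interface ids their traffic was recorded on. A real handler would then move each
    interface into a quarantine security group; that call is not made here."""
    hot = {src for (src, _), n in reject_rate(flows, window).items() if n >= threshold}
    return sorted({fl.eni for fl in internal_rejects(flows) if str(fl.src) in hot})


# Constructed records: a normal web->db query, an external SSH probe (rejected but not
# internal), one stray internal reject, an internal host probing five ports within one
# minute, and a NODATA record for an idle interface.
SAMPLE_LOG = [
    "2 123456789012 eni-1a2b3c4d 10.10.1.20 10.10.2.30 49152 3306 6 20 2400 1466000040 1466000099 ACCEPT OK",
    "2 123456789012 eni-1a2b3c4d 203.0.113.9 10.10.1.20 41000 22 6 1 60 1466000040 1466000099 REJECT OK",
    "2 123456789012 eni-5e6f7a8b 10.10.2.30 10.10.1.20 50100 25 6 1 60 1466000040 1466000099 REJECT OK",
    "2 123456789012 eni-1a2b3c4d 10.10.1.20 10.10.2.30 50200 22 6 1 60 1466000040 1466000099 REJECT OK",
    "2 123456789012 eni-1a2b3c4d 10.10.1.20 10.10.2.30 50201 23 6 1 60 1466000050 1466000109 REJECT OK",
    "2 123456789012 eni-1a2b3c4d 10.10.1.20 10.10.2.30 50202 139 6 1 60 1466000060 1466000119 REJECT OK",
    "2 123456789012 eni-1a2b3c4d 10.10.1.20 10.10.2.30 50203 445 6 1 60 1466000070 1466000129 REJECT OK",
    "2 123456789012 eni-1a2b3c4d 10.10.1.20 10.10.2.30 50204 3389 6 1 60 1466000080 1466000139 REJECT OK",
    "2 123456789012 eni-9c0d1e2f - - - - - - - 1466000040 1466000099 - NODATA",
]

if __name__ == "__main__":
    flows = load(SAMPLE_LOG)
    print(reject_rate(flows))            # {('10.10.1.20', 24433334): 5, ('10.10.2.30', 24433334): 1}
    print(enis_to_cut_off(flows))        # ['eni-1a2b3c4d']
```

The threshold is the "meaningful rate" from the slide: one rejected flow per minute from an internal host is normal noise, five distinct ports in a minute is a scan. In CloudWatch Logs itself the REJECT filter is a space-delimited pattern over the same fourteen fields (the documented example names them and matches `action="REJECT"`), and the per-source windowing above is what the alarm's period and threshold do.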

Watching for disallowed configurations

[Pipeline: AWS Config → Config rule → email alert to the SO's mailbox, and automated action: modify the security group]

Config rule: No TCP 22 from 0.0.0.0/0 in Production

SO’s mailbox
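The rule on the slide is stated in one line; the part that bites in practice is deciding what "TCP 22 from 0.0.0.0/0" covers (an all-traffic rule, a 0-1024 port range, an IPv6 ::/0 range) and revoking only the offending source so the rest of the rule survives. The following Python is an added example, not the talk's code and not an AWS-managed Config rule. It evaluates a security group in the shape boto3's describe_security_groups returns (GroupId, IpPermissions, Tags), reports the compliance type a custom rule would return, and builds the IpPermissions argument that a remediation step would pass to revoke_security_group_ingress. The sample groups, their ids and the Environment=Production tag convention are constructed.

```python
"""Custom AWS Config rule logic: no TCP 22 open to the world in Production.

Added example, not the talk's code and not an AWS-managed rule. Evaluates a security
group in the shape boto3's describe_security_groups returns, reports COMPLIANT /
NON_COMPLIANT / NOT_APPLICABLE, and builds the IpPermissions argument a remediation
step would pass to revoke_security_group_ingress. Groups, ids and the
Environment=Production tag convention are constructed.
"""
WORLD = {"0.0.0.0/0", "::/0"}
SSH = 22


def _covers_ssh(perm):
    """True if the rule admits TCP 22, including 'all traffic' and port ranges."""
    proto = perm.get("IpProtocol")
    if proto == "-1":
        return True
    if proto != "tcp":
        return False
    return perm.get("FromPort", 0) <= SSH <= perm.get("ToPort", 65535)


def _world_ranges(perm):
    v4 = [r for r in perm.get("IpRanges", []) if r.get("CidrIp") in WORLD]
    v6 = [r for r in perm.get("Ipv6Ranges", []) if r.get("CidrIpv6") in WORLD]
    return v4, v6


def is_production(group):
    tags = {t["Key"]: t["Value"] for t in group.get("Tags", [])}
    return tags.get("Environment") == "Production"


def offending_permissions(group):
    """Only the world-wide ranges of each offending rule, so other sources listed on
    the same rule survive the revoke."""
    out = []
    for perm in group.get("IpPermissions", []):
        if not _covers_ssh(perm):
            continue
        v4, v6 = _world_ranges(perm)
        if not (v4 or v6):
            continue
        entry = {"IpProtocol": perm["IpProtocol"]}
        entry.update({k: perm[k] for k in ("FromPort", "ToPort") if k in perm})
        if v4:
            entry["IpRanges"] = v4
        if v6:
            entry["Ipv6Ranges"] = v6
        out.append(entry)
    return out


def evaluate(group):
    """Compliance type the rule would report for this configuration item."""
    if not is_production(group):
        return "NOT_APPLICABLE"
    return "NON_COMPLIANT" if offending_permissions(group) else "COMPLIANT"


def remediation_call(group):
    """Keyword arguments for ec2.revoke_security_group_ingress, or None. The call
    itself is left to the Lambda function that holds the credentials."""
    if evaluate(group) != "NON_COMPLIANT":
        return None
    return {"GroupId": group["GroupId"], "IpPermissions": offending_permissions(group)}


def _group(group_id, env, *perms):      # constructed describe_security_groups-style dict
    return {"GroupId": group_id, "Tags": [{"Key": "Environment", "Value": env}],
            "IpPermissions": list(perms)}


SSH_WORLD = {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}, {"CidrIp": "10.10.0.0/16"}], "Ipv6Ranges": []}
HTTPS_WORLD = {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}
LOW_PORTS_V6 = {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 1024, "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}
SSH_INTERNAL = {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "10.10.0.0/16"}]}

PROD_BAD = _group("sg-0123456789abcdef0", "Production", SSH_WORLD, HTTPS_WORLD)
PROD_RANGE = _group("sg-0123456789abcdef1", "Production", LOW_PORTS_V6)   # 0-1024 still covers 22
PROD_GOOD = _group("sg-0123456789abcdef2", "Production", SSH_INTERNAL, HTTPS_WORLD)
DEV_BAD = _group("sg-0123456789abcdef3", "Dev", SSH_WORLD)               # outside the rule's scope
```

For PROD_BAD the remediation revokes only the 0.0.0.0/0 entry and leaves 10.10.0.0/16 and the HTTPS rule untouched, which is the difference between an automated fix the security officer can trust and one that takes production off the air. PROD_RANGE is the case a naive `FromPort == 22` check misses.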

VPC Flow Logs—network dashboard

• Amazon Elasticsearch Service

• Amazon CloudWatch Logs subscriptions

All of this can be automated

So what does that do for practices in the cloud?

Automation, enabled by public cloud, leads to continuous practice

continuous delivery is the foundation

continuous security: prevention & response

• continuous delivery

• continuous security testing

• continuous hacking

• continuous risk management

• continuous assurance

• continuous compliance

continuous security: detection

• continuous intrusion detection

• continuous health checking

• continuous anomaly detection

• continuous capacity management

• continuous scaling

the public cloud provides a platform for continuous prevention & response and continuous detection

continuous delivery is hard

[Diagram: DevOps and Continuous Delivery]

DevOps is hard

because change toward DevOps is culture change

DevOps is culture change

• New skills

• New methodologies

• New hours & working locations

• New careers

• New ways of thinking

• New planning

• New governance

• Sometimes, new clothes

Rising cyber security threats require us to be adaptive.

Security conservatism, attempting to achieve stability through restricted change, increases risk.

We must embrace continuous practice.

Thank you!