Serverless Security Automation | AWS Public Sector Summit 2017


Transcript of Serverless Security Automation | AWS Public Sector Summit 2017

Page 1: Serverless Security Automation | AWS Public Sector Summit 2017

© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

Serverless Security Automation

Will St. Clair – Solutions Architect - Education, Amazon Web Services

Kym Weiland – Director of Release Implementation, FINRA

Stephen Mele – Software Developer, FINRA

June 13, 2017

Page 2

Agenda

• AWS governance in the enterprise
• Key configuration and control points
• Serverless computing with AWS Lambda and AWS Step Functions
• Example: Building automation to deploy configuration and remediate issues
• Customer case study: FINRA

Page 3

AWS adoption patterns

• In highly federated organizations, AWS adoption often begins flowing from the bottom up
• In parallel, central IT often begins establishing a formal architecture for AWS
• Need a governance approach that:
  • Meets the organization’s requirements
  • Scales to all users of AWS
  • Enables use of the complete AWS platform

[Figure: top-down adoption versus bottom-up adoption]

Page 4

Tailor governance based on impact

[Figure: impact matrix with Confidentiality (low to high) on one axis and Availability (low to high) on the other]

Higher-impact accounts are more likely to be managed by central or departmental IT groups and will have more security controls.

Lower-impact accounts still have basic security controls, but can be issued freely to end users for test, development, or low impact research and production workloads.

Page 5

Administrators should…

For high-impact workloads
• know how to map their organization’s controls to appropriate AWS configuration
• use AWS (and partner) solutions to automate monitoring and remediation

For all workloads
• establish infrastructure to analyze Cost and Usage Reports and charge back usage
• automate the issuance and security of AWS accounts for all users
  • otherwise, end users doing exploratory or low-risk work will not be visible

Page 6

Key configuration points

• AWS CloudFormation
• Amazon CloudWatch
  • CloudWatch Events
• AWS Config
  • Config Rules
• AWS CloudTrail
• Manual configuration
  • Root MFA
  • Alternate contacts
  • Security questions
• IAM
  • Managed Policies
  • Roles
• Amazon VPC
  • VPC peering
  • Flow logs

Page 7

Key configuration points: CloudFormation

• Write JSON or YAML templates to define AWS resources
• Use to deploy:
  • Identity and Access Management policies and roles
  • Virtual Private Cloud configurations
  • etc.

Template excerpt (two IAM groups; the !Ref targets are managed policies defined elsewhere in the same template):

  Administrators:
    Type: AWS::IAM::Group
    Properties:
      GroupName: SecurityAdministrators
      ManagedPolicyArns:
        - !Ref AssumeAdministratorRoleWithMFAPolicy
        - arn:aws:iam::aws:policy/AdministratorAccess
  SecurityAuditors:
    Type: AWS::IAM::Group
    Properties:
      GroupName: SecurityAuditors
      ManagedPolicyArns:
        - !Ref AssumeSecurityAuditorRoleWithMFAPolicy

Page 8

Key Configuration Points: IAM

• Each AWS account should have centrally-managed Managed Policies and Roles
• Roles should be configured to trust the organization’s IdP and/or an AWS account used to supervise managed accounts

[Diagram: Administrator and SecurityAuditor roles in the departmental account, each with a trust policy toward the supervisor account]

Page 9

Key Configuration Points: AWS Config

• AWS Config creates Configuration Snapshots, which are JSON documents describing the current state of the environment
  • Virtual Private Cloud configurations, running instances, and more
• AWS Config Rules let you define conditions and monitor whether an account is in or out of compliance with policy
  • Administrators see red/green status for defined rules

Page 10

How do we manage all these configuration points?

Manually → Locally-run scripts → Fully automated, composable modules running in AWS

Page 11

Serverless computing with AWS Lambda

Continuous Scaling | No Servers to Manage | Subsecond Metering

AWS Lambda handles:
• Operations and management
• Provisioning and utilization
• Scaling
• Availability and fault tolerance

Automatically scales your application, running code in response to each trigger. Your code runs in parallel and processes each trigger individually, scaling precisely with the size of the workload.

Pricing
• CPU and Network scaled based on RAM (128 MB to 1500 MB)
• $0.20 per 1M requests
• Price per 100ms

Page 12

Introducing AWS Step Functions

• Write single-task Lambda functions instead of complex scripts
• Define your workflow logic in one place
• Scalable, resilient, agile
• Fully managed by AWS
• No servers to run
• Doesn’t lose state

Page 13

Example: Cross-account CloudWatch Events

• CloudWatch Events enables administrators to subscribe to events about activity in their AWS account
  • Calls to AWS APIs
  • Instance lifecycle (start/stop)
  • Maintenance windows and health notifications
• We’d like to automatically enable access logs for new Amazon Simple Storage Service (S3) buckets

Page 14

Example: Cross-account CloudWatch Events

[Diagram] Managed account → Consolidated admin account:
1. An API call in the managed account raises a CloudWatch event.
2. A CloudWatch Events rule publishes the event to an SNS topic.
3. A Lambda event handler in the consolidated admin account subscribes to the topic.
4. The handler creates an execution of the remediation workflow (a Step Functions state machine).
5. The remediation task states assume SupervisorAdminRole in the managed account.
6. They invoke Amazon S3: GET bucket logging, then PUT bucket logging.
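The remediation task at the end of that flow, written out as an added example (this is not the deck's code): a Lambda-style handler that takes the CloudWatch event forwarded from the managed account and performs the GET/PUT bucket-logging calls. The S3 client is injected so the block runs offline; in production it is built from sts:AssumeRole credentials on SupervisorAdminRole in the managed account. The event fields follow CloudTrail's shape as delivered by CloudWatch Events; the log-bucket naming convention and the sample event are assumptions.

```python
"""Remediation task for the cross-account flow above.  Example code, not the
deck's own: the role name is from the slide, the log-bucket naming convention
and the sample event are assumptions."""

LOG_BUCKET_SUFFIX = "-s3-access-logs"    # assumed convention for the per-account log bucket
SUPERVISOR_ROLE = "SupervisorAdminRole"  # role name from the slide; trusted by each managed account


def parse_create_bucket_event(event):
    """Extract account, region and bucket from a CloudTrail-sourced CloudWatch Event.
    Returns None for anything we do not remediate (other API calls, failed calls)."""
    detail = event.get("detail", {})
    if detail.get("eventSource") != "s3.amazonaws.com" or detail.get("eventName") != "CreateBucket":
        return None
    if "errorCode" in detail:          # the CreateBucket call failed, so there is nothing to fix
        return None
    bucket = detail.get("requestParameters", {}).get("bucketName")
    if not bucket:
        return None
    return {"account": event["account"], "region": event["region"], "bucket": bucket}


def remediate_bucket_logging(s3, bucket, log_bucket):
    """GET the logging status and PUT only when it is missing, so a replayed SNS
    message or a Step Functions retry does not rewrite an existing configuration."""
    current = s3.get_bucket_logging(Bucket=bucket)
    if "LoggingEnabled" in current:
        return "already-enabled"
    s3.put_bucket_logging(
        Bucket=bucket,
        BucketLoggingStatus={"LoggingEnabled": {"TargetBucket": log_bucket, "TargetPrefix": f"{bucket}/"}},
    )
    return "enabled"


def handle(event, s3_for_account):
    """Lambda-style entry point.  s3_for_account(account_id, region) must return an S3
    client holding credentials from sts:AssumeRole on SUPERVISOR_ROLE in that account;
    in production build it with boto3 (sts.assume_role, then boto3.client('s3', **creds)).
    That wiring is left out here so the block runs without AWS access."""
    target = parse_create_bucket_event(event)
    if target is None:
        return {"action": "ignored"}
    s3 = s3_for_account(target["account"], target["region"])
    log_bucket = f"{target['account']}{LOG_BUCKET_SUFFIX}"
    action = remediate_bucket_logging(s3, target["bucket"], log_bucket)
    return {"action": action, "bucket": target["bucket"], "account": target["account"]}


class FakeS3:
    """In-memory stand-in for the two S3 calls the task makes (constructed for the demo)."""
    def __init__(self):
        self.logging = {}
        self.calls = []

    def get_bucket_logging(self, Bucket):
        self.calls.append(("get", Bucket))
        return {"LoggingEnabled": self.logging[Bucket]} if Bucket in self.logging else {}

    def put_bucket_logging(self, Bucket, BucketLoggingStatus):
        self.calls.append(("put", Bucket))
        self.logging[Bucket] = BucketLoggingStatus["LoggingEnabled"]


# Constructed sample event, shaped like a CloudTrail event delivered through CloudWatch Events.
SAMPLE_EVENT = {
    "account": "111122223333",
    "region": "us-east-1",
    "detail-type": "AWS API Call via CloudTrail",
    "detail": {
        "eventSource": "s3.amazonaws.com",
        "eventName": "CreateBucket",
        "requestParameters": {"bucketName": "research-data-2017"},
    },
}

if __name__ == "__main__":
    fake = FakeS3()
    print(handle(SAMPLE_EVENT, lambda account, region: fake))   # enables logging
    print(handle(SAMPLE_EVENT, lambda account, region: fake))   # second delivery is a no-op
```

The GET-before-PUT is what makes the task safe to re-run: SNS can deliver a message more than once and a state machine retry re-invokes the task. Server access logging also requires the target bucket to exist already and to grant S3's log delivery group write permission; provisioning that bucket belongs in the account-issuance template, not in this task.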

Page 15

Example: Deploy CloudFormation template

• Maintain a library of CloudFormation templates to enable common functionality
  • Standard network configurations
  • Frequently deployed applications (e.g., LAMP stack)
• We’d like to automatically deploy or update a given template in a target AWS account

Page 16

Example: Deploy CloudFormation template

[Diagram]

Administration account
• IAM user → assumes SupervisorAdminRole (trust policy) → invokes the UpdateManagedAccount state machine
• Step Functions state machines: UpdateManagedAccount invokes ApplyTemplate
• ApplyTemplate task states (Apply Template, Check TmplStatus) run as SupervisorLambdaRole
• Template library: roles.yaml, common.yaml, etc.yaml

Managed account
• SupervisorLambdaRole assumes XAcctRole (trust policy toward the administration account)
• Apply Template creates or updates the CloudFormation stack; Check TmplStatus waits for the stack

Page 17

Example: Deploy CloudFormation template
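The two task states from the diagram, Apply Template and Check TmplStatus, as an added example (not the deck's code), with a polling loop standing in for the state machine's Wait state. The CloudFormation client is injected: in production a boto3 client built from the XAcctRole credentials, here an in-memory fake so the block runs offline. The in-progress and success status sets come from CloudFormation's documented stack status values; the capability flag, the parameter shape and the fake's scripted status sequences are assumptions.

```python
"""ApplyTemplate / CheckTmplStatus task logic.  Example code, not the deck's own."""

# Statuses CloudFormation reports while an operation is still running.
IN_PROGRESS = {
    "CREATE_IN_PROGRESS", "UPDATE_IN_PROGRESS", "UPDATE_COMPLETE_CLEANUP_IN_PROGRESS",
    "ROLLBACK_IN_PROGRESS", "UPDATE_ROLLBACK_IN_PROGRESS",
    "UPDATE_ROLLBACK_COMPLETE_CLEANUP_IN_PROGRESS", "DELETE_IN_PROGRESS", "REVIEW_IN_PROGRESS",
}
# Terminal statuses that mean the template is now in effect.
SUCCEEDED = {"CREATE_COMPLETE", "UPDATE_COMPLETE"}


class ClientError(Exception):
    """Same shape as botocore.exceptions.ClientError: .response['Error']['Message']."""
    def __init__(self, code, message):
        super().__init__(f"{code}: {message}")
        self.response = {"Error": {"Code": code, "Message": message}}


def _error_message(exc):
    return getattr(exc, "response", {}).get("Error", {}).get("Message", "")


def apply_template(cfn, stack_name, template_body, parameters=None):
    """Apply Template task: create the stack if missing, otherwise update it.
    CloudFormation reports both 'stack missing' and 'nothing to update' as a
    ValidationError, so the messages are matched explicitly; anything else is re-raised."""
    params = [{"ParameterKey": k, "ParameterValue": v} for k, v in (parameters or {}).items()]
    args = dict(StackName=stack_name, TemplateBody=template_body, Parameters=params,
                Capabilities=["CAPABILITY_NAMED_IAM"])  # assumed: roles.yaml creates named IAM resources
    try:
        cfn.describe_stacks(StackName=stack_name)
    except Exception as exc:                    # botocore.exceptions.ClientError in production
        if "does not exist" not in _error_message(exc):
            raise
        cfn.create_stack(**args)
        return {"StackName": stack_name, "Operation": "create"}
    try:
        cfn.update_stack(**args)
    except Exception as exc:
        if "No updates are to be performed" not in _error_message(exc):
            raise
        return {"StackName": stack_name, "Operation": "none"}
    return {"StackName": stack_name, "Operation": "update"}


def check_template_status(cfn, stack_name):
    """Check TmplStatus task: map the stack status onto the three outcomes the
    state machine branches on (WAIT, SUCCEEDED, FAILED with a reason)."""
    stack = cfn.describe_stacks(StackName=stack_name)["Stacks"][0]
    status = stack["StackStatus"]
    result = {"StackName": stack_name, "Status": status}
    if status in IN_PROGRESS:
        result["Outcome"] = "WAIT"
    elif status in SUCCEEDED:
        result["Outcome"] = "SUCCEEDED"
    else:                                        # *_FAILED, ROLLBACK_COMPLETE, UPDATE_ROLLBACK_COMPLETE, ...
        result["Outcome"] = "FAILED"
        result["Reason"] = stack.get("StackStatusReason") or status
    return result


def run_workflow(cfn, stack_name, template_body, parameters=None, max_polls=60):
    """The whole ApplyTemplate state machine in one call: apply, then loop on
    Check TmplStatus until a terminal outcome (the loop plays the Wait state)."""
    op = apply_template(cfn, stack_name, template_body, parameters)
    if op["Operation"] == "none":
        return {**op, "Outcome": "SUCCEEDED"}
    for _ in range(max_polls):
        status = check_template_status(cfn, stack_name)
        if status["Outcome"] != "WAIT":
            return {**op, **status}
    return {**op, "Outcome": "FAILED", "Reason": f"still in progress after {max_polls} polls"}


class FakeCloudFormation:
    """In-memory stand-in that replays a scripted status sequence (constructed for the demo)."""
    def __init__(self, exists=False, statuses=(), no_changes=False):
        self.exists, self.statuses, self.no_changes, self.ops = exists, list(statuses), no_changes, []

    def describe_stacks(self, StackName):
        if not self.exists:
            raise ClientError("ValidationError", f"Stack with id {StackName} does not exist")
        status = self.statuses.pop(0) if len(self.statuses) > 1 else self.statuses[0]
        reason = "Stack rolled back" if "ROLLBACK" in status else None
        return {"Stacks": [{"StackName": StackName, "StackStatus": status, "StackStatusReason": reason}]}

    def create_stack(self, **kwargs):
        self.exists = True
        self.ops.append("create")

    def update_stack(self, **kwargs):
        if self.no_changes:
            raise ClientError("ValidationError", "No updates are to be performed.")
        self.ops.append("update")


if __name__ == "__main__":
    fresh = FakeCloudFormation(statuses=["CREATE_IN_PROGRESS", "CREATE_IN_PROGRESS", "CREATE_COMPLETE"])
    print(run_workflow(fresh, "common", "Resources: {}"))
    broken = FakeCloudFormation(exists=True, statuses=["CREATE_COMPLETE", "UPDATE_IN_PROGRESS", "UPDATE_ROLLBACK_COMPLETE"])
    print(run_workflow(broken, "roles", "Resources: {}"))
```

Two points matter when this runs unattended across many accounts: a rolled-back update still ends in a terminal status, so Check TmplStatus must treat UPDATE_ROLLBACK_COMPLETE as a failure rather than a success, and the poll loop needs an upper bound so a stack stuck in progress fails the execution instead of running the state machine indefinitely.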

Page 18

FINRA Development Services

FINRA Gatekeeper

Kym Weiland & Stephen Mele

June 13, 2017

Page 19

Problem

• Transparency
• Governance
• Devops
• Access Control
• Compliance
• Transient Platform

Page 20

Approach

• Automation
• Timely & Responsive
• Auditable
• Temporary
• Discourage access to servers
• Group Membership

Page 21

SSM Documents - Create

{
  "schemaVersion": "1.2",
  "description": "Script for GateKeeper to create temp user.",
  "parameters": {
    … Parameter details here …
  },
  "runtimeConfig": {
    "aws:runShellScript": {
      "properties": [
        {
          "id": "0.aws:runShellScript",
          "runCommand": [
            "useradd -e `date -d '+2 days' '+%Y-%m-%d'` {{ userName }}",
            "mkdir /home/{{ userName }}/.ssh",
            "echo '{{ publicKey }}' >> /home/{{ userName }}/.ssh/authorized_keys",
            "chown -R {{ userName }}:{{ userName }} /home/{{ userName }}",
            "chmod -R go-rwx /home/{{ userName }}/.ssh",
            "echo '{{ userName }} ALL=(ALL) NOPASSWD: ALL' > /etc/sudoers.d/{{ userName }}"
          ],
          "workingDirectory": "/root",
          "timeoutSeconds": "{{ executionTimeout }}"
        }
      ]
    }
  }
}

Page 22

SSM Documents - Remove

{
  "schemaVersion": "1.2",
  "description": "Script for GateKeeper to cleanup expired users.",
  "parameters": {
    … Parameter details here ...
  },
  "runtimeConfig": {
    "aws:runShellScript": {
      "properties": [
        {
          "id": "0.aws:runShellScript",
          "runCommand": [
            "cut -f1 -d':' /etc/passwd | grep {{ userName }} > /dev/null && (userdel -rf {{ userName }} ; echo 'user deleted' ) || echo 'no user to delete'",
            "ls /etc/sudoers.d/ | grep {{ userName }} > /dev/null && (rm -f /etc/sudoers.d/{{ userName }} ; echo 'sudo file deleted' ) || echo 'no sudo file to delete'"
          ],
          "workingDirectory": "/root",
          "timeoutSeconds": "{{ executionTimeout }}"
        }
      ]
    }
  }
}
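Both documents splice {{ userName }} and {{ publicKey }} straight into shell commands that run as root, and the create document writes the key and the sudoers entry through `echo '…'` redirections. The following is an added example, not FINRA's code, of the check a Gatekeeper-style request path should make before calling ssm:SendCommand: accept only values that cannot close the single quotes or add lines to authorized_keys or sudoers.d. The document name, the two-day lifetime and the exact patterns are assumptions chosen to match what the runCommand lines expect.

```python
"""Request-side validation for a Gatekeeper-style 'create temp user' SSM document.
Example code, not FINRA's: DOCUMENT_NAME, ACCESS_DAYS and the patterns are assumptions."""
import base64
import binascii
import re
from datetime import date, timedelta

DOCUMENT_NAME = "GateKeeper-CreateTempUser"   # assumed SSM document name
ACCESS_DAYS = 2                               # mirrors `date -d '+2 days'` in the document

# POSIX-style user name: a letter or underscore, then [a-z0-9_-], 32 characters at most.
USERNAME_RE = re.compile(r"[a-z_][a-z0-9_-]{0,31}")
# One OpenSSH public-key line.  The comment may not contain quotes, backslashes or
# newlines because the document writes the whole value inside echo '...'.
PUBKEY_RE = re.compile(
    r"(?P<type>ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp(?:256|384|521)) "
    r"(?P<blob>[A-Za-z0-9+/]+={0,2})"
    r"(?: (?P<comment>[^'\\\r\n]{1,128}))?"
)


class InvalidRequest(ValueError):
    """Raised for any value that must not reach the SSM document."""


def validate_username(name):
    if not USERNAME_RE.fullmatch(name):
        raise InvalidRequest(f"user name {name!r} is not a plain POSIX user name")
    return name


def validate_public_key(key):
    """Accept exactly one well-formed key line and confirm the base64 blob really
    carries the declared type (the blob begins with a length-prefixed type string)."""
    line = key.strip()
    m = PUBKEY_RE.fullmatch(line)
    if not m:
        raise InvalidRequest("public key is not a single OpenSSH key line")
    try:
        blob = base64.b64decode(m["blob"], validate=True)
    except binascii.Error:
        raise InvalidRequest("public key blob is not valid base64") from None
    n = int.from_bytes(blob[:4], "big")
    if blob[4:4 + n] != m["type"].encode("ascii"):
        raise InvalidRequest("key type inside the blob does not match the declared type")
    return line


def build_send_command(instance_ids, user_name, public_key, timeout_seconds=120, today=None):
    """Return the keyword arguments for ssm.send_command(**kwargs).  SSM takes document
    parameters as {name: [values]}; every value is validated before it is placed."""
    expires = (today or date.today()) + timedelta(days=ACCESS_DAYS)
    return {
        "DocumentName": DOCUMENT_NAME,
        "InstanceIds": list(instance_ids),
        "Parameters": {
            "userName": [validate_username(user_name)],
            "publicKey": [validate_public_key(public_key)],
            "executionTimeout": [str(int(timeout_seconds))],
        },
        "Comment": f"GateKeeper temp user, expires {expires.isoformat()}",
    }


def is_rejected(validator, value):
    """True when validator refuses value; used by the demo below and by tests."""
    try:
        validator(value)
    except InvalidRequest:
        return True
    return False


def sample_key(key_type="ssh-ed25519", comment="analyst@example.org"):
    """Constructed test key in correct wire format (fixed 32-byte public part, not a real key)."""
    def field(b):
        return len(b).to_bytes(4, "big") + b
    blob = field(key_type.encode()) + field(bytes(range(32)))
    return f"{key_type} {base64.b64encode(blob).decode()} {comment}"


if __name__ == "__main__":
    print(build_send_command(["i-0123456789abcdef0"], "jdoe", sample_key(), today=date(2017, 6, 13)))
    print(is_rejected(validate_username, "jdoe; id"))                             # shell metacharacters
    print(is_rejected(validate_public_key, sample_key(comment="x' ALL=(ALL)")))  # quote escapes echo '...'
```

The same patterns belong on the document itself as allowedPattern on each parameter, so SSM refuses a bad value whichever caller submits it; the client-side check then exists to give the requester a readable error before the command is ever dispatched to an instance.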

Page 23

Solution

SSM Controlled Documents

Secure Password Generation and Distribution

Only Internal Destinations

Generated Compliant Temporary Users

Automated Removal

Integrated With Enterprise Firewalls

Page 24

Gatekeeper High Level

[Diagram] Users → Gatekeeper App. The Gatekeeper App stores request data, searches EC2 through the AWS API, and calls SSM against Amazon EC2 instances in the Amazon VPCs.

Page 25

Gatekeeper Detailed

Page 26

Security Configuration

SSM document IAM role based

Approval process AWS-Tag Informed

Security Group bounded

Still tied to organization and firewall security

Page 27

DevOps Methodology

Self Service for Delivery Teams

Allow for secured PEM file

No individual key management

Automated onboarding of fleet

Audit Trail & Reporting

Page 28

Kym Weiland & Stephen Mele