AWS Agility + Splunk Visibility =

Cloud Success

Splunk App for AWS Demo

Laura Ripans, AWS Alliance Manager

Disruptive innovation and

business transformation starts with data

3

I HAVE BEEN GIVEN AN AWS ACCOUNT!!!

Why is Splunk Important For AWS Customers?

4

“You can’t protect what you can’t see.”

Best Practices for Securing Workloads in Amazon Web Services

Gartner, April 2015

Neil MacDonald, Greg Young

“Security monitoring will make or break a technology risk management program.”

“Security requires visibility.”

Assessing the Risk: Yes, the Cloud Can Be More Secure Than Your On-Premises Environment

IDC, July 2015

Pete Lindstrom

Amazon Web Services

“Intro to AWS Security”

2015 AWS Summit Series

Extrapolating…

5

“You can’t operate what you can’t see.”

“You can’t manage cost for what you can’t see.”

“You can’t gain business analytics for what you can’t see.

IT Operations• What is my EBS footprint and posture

across all my accounts and all my regions?

• Who started/stopped/restarted what instances and when?

• What EC2 instances are underutilized and perhaps overprovisioned?

• What is the traffic volume into my VPC and where is it originating from?

• Why are certain resources unreachable from certain subnets/VPCs?

• List resources with missing or non-conforming tags

Security• Who added that rule in the security

group that protects our application servers?

• Where is the blocked traffic into that VPC coming from?

• What was the activity trail of a particular user before and after that incident?

• Alert me when a user imports key-pairs or when a security group allows all ports

• What instances are provisioned outside of a VPC, by whom and when?

• What security groups are defined but not attached to any resource?

Detailed Use CasesCost Management

• How many instances am I running?

• What reserved instances have I purchased in the past?

• What is my reserved instance utilization?

• How much am I paying per account?

• How much am I using per service across all accounts?

• How many reserved instances should I buy based on usage?

• Is this account within budget this month, and how has it tracked in the last year?

7

True End State: Complete Hybrid Visibility

Index Untapped Data: Any Source, Type, Volume

Online Services

Web Services

ServersSecurity GPS

Location

StorageDesktops

Networks

Messaging

TelecomsOnline

Shopping Cart

Web Clickstreams

Databases

Energy Meters

RFID

On-Premises

Private Cloud

End-to-End Visibility

Application Delivery

Security, Compliance, and Fraud

IT Operations

Business Analytics

Industrial Data andthe Internet of Things

Public Cloud

Config

Lambda

EC2

Containers

CloudTrail

End State: Comprehensive AWS Visibility

Splunk App for AWS

Explore Analyze Dashboard Alert

AWS Data Sources

EC2

EMR

Kinesis

R53

VPC

ELB

S3

CloudFront

CloudTrail

CloudWatch

Redshift

SNS

API Gateway

Config

RDS

CF

IAM

Lambda

8

Act

9

Name Brief Description Notes

CloudTrail API activity audit trail Low Volume/High Value

Config Change management data Low Volume/High Value

Config Rules Configuration rule check/evaluation Low Volume/High Value

CloudWatch Metrics System/Service metrics data High Volume

CloudWatch Logs Service or application logs High Volume

VPC Flow Logs VPC/“Firewall” logs High Volume

Detailed BillingSpending information for each service and

account High Value

ELB Elastic Load balancer logs High Volume

CloudFront Content delivery network access logs High Volume

S3 S3 bucket access logs High Volume

S3 (ANY) Any service or application that logs into S3 High Volume

Lambda Event driven computation framework High Volume

Inspector Security scan/assessment Low Volume/High Value

Kinesis Streams Generic streaming data High Volume

IoT IoT device data High Volume

SQS Simple queuing service High Volume

MetadataCustom Splunk-side collector of metadata

about AWS environment High Volume

Supported* List of AWS Services ad Splunk Data

Sources

*Non-inclusive list. More services may be supported via in-direct ingest method

Splunk App for AWS: The Value

10

Security Topology Timeline

Usage Insights Billing

• View user activity

• Gain a full audit trail

• Detect anomalous behavior

• View EC2 utilization metrics

• View by account, region, instance

• Supports numerous AWS services

• Visualize your AWS Environment

• View resource relationships

• Gain playback history

• Compare and correlate events

• View in a time-series ribbon

• Accelerate investigations

• Leverage machine learning toolkit

• Gain billing recommendations

• Detect security and billing anomalies

• Gain view into resource cost

• Improve RI planning / utilization

• Monitor actual spend vs. forecast

Enhance AWS Security with Splunk

11

AWS Well Architected Framework

● Stop guessing your capacity needs

● Test systems at production scale

● Automate to make architectural experimentation easier

● Allow for evolutionary architectures

● Data-Driven architectures

● Improve through game days

12

Splunk’s AWS Credentials

• AWS Advanced Technology Partner

• AWS Big Data Competency

• AWS Security Competency

• AWS Government Competency

• AWS IoT Competency

• AWS MSP Technology Provider

• AWS Marketplace BYOL & Private Pricing Partner

• AWS IoT Launch partner for IoT analytics

• AWS Security by Design Program Partner

• 1st partner with published Blueprints for AWS Lambda

• 1st partner to pass SaaS extension for Well Architected framework

Demo

Thank You