Netflix Security Monkey Overview
DESCRIPTION
An overview of the Netflix Security Monkey open source tool. The presentation provides some background information, an architectural overview, and screenshots showing the tool in action.
TRANSCRIPT
Security Monkey: Netflix’s Open Source Cloud Security Tracking System
Ryan Hodgin @rhodgin
In the News
Background
• Project started in 2011 to monitor security policies for Netflix’s AWS accounts (before AWS CloudTrail and CloudWatch)
• Discussed in blog posts and tech conferences 2011-2013
• Used inside Netflix to manage several dozen AWS accounts
• Part of the Simian Army set of projects
Simian Army Projects
• Chaos Monkey
• Chaos Gorilla
• Chaos Kong
• Janitor Monkey
• Doctor Monkey
• Compliance Monkey
• Latency Monkey
• Security Monkey
Security Monkey Key Features
• Accesses AWS Cloud Resources through API calls and inspects them
• Notifies team of changes or issues found
• Maintains a history of settings
• Provides a user interface to view issues and history
• Allows for justification to be provided and tracked
• Supports creation of new rules (code based)
• Works across accounts (dozens for Netflix)
Conceptual Design (diagram components): DB, Web User Interface, Watcher, Auditor, Notifier, AWS Account Information and Services
Screenshots of the tool in action (slides 7–14):
User Interface – Settings
User Interface – Search
User Interface – Reports
User Interface – Identified Issue
User Interface – Justified Issue
Scheduler Log – Searching for Issues
Code Detecting Issues
DB Record for Issues
Security Monkey Technology
• Written in Python 2.7
• Flask Web Development Framework
• AngularJS and Dart User Interface
• Boto python AWS client
• SQLAlchemy python DB client
• Nginx proxy
• PostgreSQL for DB storage
• Runs on Ubuntu Linux and OS X
Security Monkey Architecture (diagram components): Database, nginx proxy, API Server, Scheduler, AWS, Static Content, Supervisor
DB Tables (screenshot)
AWS Services Currently Watched
• Identity and Access Management
• Security Groups – EC2 and RDS
• Simple Storage Service (S3)
• Elastic Load Balancers
• Simple Notification Service (SNS)
• Simple Queue Service (SQS)
AWS Services Currently Audited
• Identity and Access Management – User Only
• Security Groups – EC2 and RDS
• Simple Storage Service (S3)
• Simple Notification Service (SNS)
Audit Rules by Service
• Identity and Access Management
 – User has active access keys (audit)
• Simple Notification Service
 – Empty topic policy
 – Topic open to everyone
 – Friendly cross account access
 – Unknown cross account access
• S3 – Object Storage
 – All users can access
 – All authenticated users can access
 – Unknown cross account access
 – Log delivery can access
 – Friendly account access
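The SNS rules above are all decided by who the topic policy's Principal names. As an added illustration (not Security Monkey's own code, which is Python 2.7 and reads the policy through Boto), the Python 3 function below classifies each Allow principal into the four issue names from the slide; the account ids and the sample policy are constructed values, and the "friendly" account set stands in for whatever inventory the team keeps.

```python
import json

# Constructed account inventory (example values, not real accounts): the account
# that owns the topic, and partner accounts the team has decided to regard as friendly.
OWN_ACCOUNTS = {"111111111111"}
FRIENDLY_ACCOUNTS = {"222222222222"}


def principal_accounts(principal):
    """Flatten a policy Principal into the account ids it names; '*' means everyone."""
    if principal == "*":
        return {"*"}
    aws = principal.get("AWS", []) if isinstance(principal, dict) else []
    if isinstance(aws, str):
        aws = [aws]
    accounts = set()
    for entry in aws:
        if entry.startswith("arn:aws:iam::"):
            accounts.add(entry.split(":")[4])  # arn:aws:iam::<account-id>:root
        else:
            accounts.add(entry)  # "*" or a bare 12-digit account id
    return accounts


def audit_sns_policy(policy_json):
    """Return the sorted issue names the slide's SNS rules would raise for one topic policy."""
    policy = json.loads(policy_json) if policy_json else {}
    statements = policy.get("Statement") or []
    if isinstance(statements, dict):
        statements = [statements]  # a policy may carry a single statement object
    if not statements:
        return ["Empty topic policy"]
    issues = set()
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements grant nothing
        for account in principal_accounts(stmt.get("Principal", {})):
            if account == "*":
                issues.add("Topic open to everyone")
            elif account in FRIENDLY_ACCOUNTS:
                issues.add("Friendly cross account access")
            elif account not in OWN_ACCOUNTS:
                issues.add("Unknown cross account access")
    return sorted(issues)


# Constructed sample policy: one grant to a friendly partner, one to an account nobody recognises.
SAMPLE_POLICY = json.dumps({"Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::222222222222:root"}, "Action": "SNS:Publish"},
    {"Effect": "Allow", "Principal": {"AWS": ["333333333333"]}, "Action": "SNS:Subscribe"},
]})

if __name__ == "__main__":
    print(audit_sns_policy(SAMPLE_POLICY))
```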
Audit Rules by Service (continued)
• Security Group
 – Security Group has more than 50 rules
 – Security Group contains large networks (larger than /24)
 – Security Group subnet mask is /0
 – Security Group completely open (0.0.0.0/0) to any network
 – Security Group completely open to VPC (10.0.0.0/8)
• RDS Security Group
 – Security Group subnet mask is /0
 – Security Group completely open (0.0.0.0/0) to any network
 – Security Group completely open to VPC (10.0.0.0/8)
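The Security Group rules are pure CIDR arithmetic, so they are easy to reproduce. The Python 3 function below is an added example, not Security Monkey's code: it applies the five EC2 rules (or the three RDS rules) to one group's ingress rules using the standard `ipaddress` module; the rule dict layout and the sample group are constructed for the example.

```python
import ipaddress

# Thresholds exactly as stated in the slide's rules.
MAX_RULES = 50
LARGE_NETWORK_PREFIX = 24   # a prefix shorter than /24 is a "large network"
ANY_NETWORK = ipaddress.ip_network("0.0.0.0/0")
VPC_NETWORK = ipaddress.ip_network("10.0.0.0/8")


def audit_security_group(rules, rds=False):
    """Return the sorted issue names for one security group.

    rules: list of ingress rules (constructed layout); each is a dict with an
    optional "cidr" key. Rules that reference another group instead of a CIDR
    are skipped. rds=True applies only the three RDS Security Group rules.
    """
    issues = set()
    if not rds and len(rules) > MAX_RULES:
        issues.add("Security Group has more than 50 rules")
    for rule in rules:
        cidr = rule.get("cidr")
        if not cidr:
            continue
        net = ipaddress.ip_network(cidr, strict=False)
        if net.prefixlen == 0:
            issues.add("Security Group subnet mask is /0")
        if net == ANY_NETWORK:
            issues.add("Security Group completely open (0.0.0.0/0) to any network")
        if net == VPC_NETWORK:
            issues.add("Security Group completely open to VPC (10.0.0.0/8)")
        # 0.0.0.0/0 and 10.0.0.0/8 are themselves larger than /24, so they raise this too.
        if not rds and net.prefixlen < LARGE_NETWORK_PREFIX:
            issues.add("Security Group contains large networks (larger than /24)")
    return sorted(issues)


# Constructed sample group: SSH from one office /24, HTTP from anywhere,
# and a database port granted to another group rather than a CIDR.
SAMPLE_RULES = [
    {"proto": "tcp", "from_port": 22, "to_port": 22, "cidr": "203.0.113.0/24"},
    {"proto": "tcp", "from_port": 80, "to_port": 80, "cidr": "0.0.0.0/0"},
    {"proto": "tcp", "from_port": 5432, "to_port": 5432, "group": "sg-app"},
]

if __name__ == "__main__":
    for issue in audit_security_group(SAMPLE_RULES):
        print(issue)
```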
Questions