(SEC402) Intrusion Detection in the Cloud | AWS re:Invent 2014
DESCRIPTION
If your business runs entirely on AWS, your AWS account is one of your most critical assets. Just as you might run an intrusion detection system in your on-premises network, you should monitor activity in your AWS account to detect abnormal behavior. This session walks you through leveraging unique capabilities in AWS that you can use to detect and respond to changes in your environment.
TRANSCRIPT
![Page 1: (SEC402) Intrusion Detection in the Cloud | AWS re:Invent 2014](https://reader031.vdocuments.net/reader031/viewer/2022020306/559446e51a28ab0f0d8b4579/html5/thumbnails/1.jpg)
![Page 2: (SEC402) Intrusion Detection in the Cloud | AWS re:Invent 2014](https://reader031.vdocuments.net/reader031/viewer/2022020306/559446e51a28ab0f0d8b4579/html5/thumbnails/2.jpg)
Today’s Geek Agenda
• Intrusion detection in your AWS environment
• AWS-specific security features to build with
• AWS-specific intrusion detection mechanisms w/ demos
• Other tips, resources
![Page 3: (SEC402) Intrusion Detection in the Cloud | AWS re:Invent 2014](https://reader031.vdocuments.net/reader031/viewer/2022020306/559446e51a28ab0f0d8b4579/html5/thumbnails/3.jpg)
Server
• Operating System
• Processes
• Files
Network
• Packets
• Flows
Cloud
• ?
![Page 4: (SEC402) Intrusion Detection in the Cloud | AWS re:Invent 2014](https://reader031.vdocuments.net/reader031/viewer/2022020306/559446e51a28ab0f0d8b4579/html5/thumbnails/4.jpg)
(Diagram: the configuration layer of an AWS account. Services across the top: Amazon S3, Amazon EC2, Amazon VPC, Amazon RDS, Elastic Beanstalk, IAM. Configuration objects beneath them: Security Groups, VPCs, Subnets, Amazon S3 buckets and objects, Groups/Users/Credentials, Applications, Amazon RDS DB instances, Instances, Internet Gateways. The diagram splits responsibility between Customer and AWS and carries two labels, "Traditional IDS" and "This Talk", marking which layers each covers.)
![Page 5: (SEC402) Intrusion Detection in the Cloud | AWS re:Invent 2014](https://reader031.vdocuments.net/reader031/viewer/2022020306/559446e51a28ab0f0d8b4579/html5/thumbnails/5.jpg)
Traditional IDS in AWS
• On premises, Amazon VPC endpoint
(Diagram: Amazon VPC connected to a corporate data center through a VPN Gateway, a Customer Gateway and a router.)
![Page 6: (SEC402) Intrusion Detection in the Cloud | AWS re:Invent 2014](https://reader031.vdocuments.net/reader031/viewer/2022020306/559446e51a28ab0f0d8b4579/html5/thumbnails/6.jpg)
Traditional IDS in AWS
• In cloud, as VPC NAT gateway or on-instance
(Diagram: a Virtual Private Cloud with a VPC subnet of instances behind an Internet Gateway.)
![Page 7: (SEC402) Intrusion Detection in the Cloud | AWS re:Invent 2014](https://reader031.vdocuments.net/reader031/viewer/2022020306/559446e51a28ab0f0d8b4579/html5/thumbnails/7.jpg)
(Diagram: the same AWS configuration diagram as on page 4, with the services, configuration objects, Customer/AWS split and the "Traditional IDS" and "This Talk" labels, shown again.)
![Page 8: (SEC402) Intrusion Detection in the Cloud | AWS re:Invent 2014](https://reader031.vdocuments.net/reader031/viewer/2022020306/559446e51a28ab0f0d8b4579/html5/thumbnails/8.jpg)
Prerequisites
• AWS Identity and Access Management (IAM)
• Multi-Factor Authentication (MFA)
• Amazon S3 Bucket Logging
• And THREE more …
![Page 9: (SEC402) Intrusion Detection in the Cloud | AWS re:Invent 2014](https://reader031.vdocuments.net/reader031/viewer/2022020306/559446e51a28ab0f0d8b4579/html5/thumbnails/9.jpg)
What’s a Role
• Named IAM entity (name isn’t a secret)
• Set of permissions
• No credentials: Policy specifies who can assume
![Page 10: (SEC402) Intrusion Detection in the Cloud | AWS re:Invent 2014](https://reader031.vdocuments.net/reader031/viewer/2022020306/559446e51a28ab0f0d8b4579/html5/thumbnails/10.jpg)
Security Role
• You need insight when managing the security of many AWS accounts
• Create a “security audit role” with “read” access to policies and configurations you want to monitor.
![Page 11: (SEC402) Intrusion Detection in the Cloud | AWS re:Invent 2014](https://reader031.vdocuments.net/reader031/viewer/2022020306/559446e51a28ab0f0d8b4579/html5/thumbnails/11.jpg)
Security Role (Example Policy)
![Page 12: (SEC402) Intrusion Detection in the Cloud | AWS re:Invent 2014](https://reader031.vdocuments.net/reader031/viewer/2022020306/559446e51a28ab0f0d8b4579/html5/thumbnails/12.jpg)
Security Role (Snippet of Example Policy)
![Page 13: (SEC402) Intrusion Detection in the Cloud | AWS re:Invent 2014](https://reader031.vdocuments.net/reader031/viewer/2022020306/559446e51a28ab0f0d8b4579/html5/thumbnails/13.jpg)
Demonstration: Creating Security Role
![Page 14: (SEC402) Intrusion Detection in the Cloud | AWS re:Invent 2014](https://reader031.vdocuments.net/reader031/viewer/2022020306/559446e51a28ab0f0d8b4579/html5/thumbnails/14.jpg)
Security Audit Policy Template is now available in AWS Management Console
![Page 15: (SEC402) Intrusion Detection in the Cloud | AWS re:Invent 2014](https://reader031.vdocuments.net/reader031/viewer/2022020306/559446e51a28ab0f0d8b4579/html5/thumbnails/15.jpg)
Write-Once Storage
• What is it good for
– Tripwire
– Configuration audits
– Logs
• Integrity for records of activity, historical configurations
• Further enhanced by moving off-system or limiting availability to a VERY select few
![Page 16: (SEC402) Intrusion Detection in the Cloud | AWS re:Invent 2014](https://reader031.vdocuments.net/reader031/viewer/2022020306/559446e51a28ab0f0d8b4579/html5/thumbnails/16.jpg)
Configuring Write-Once Storage
• Bucket versioning
• MFA delete
• Go for the gusto: Create a second account
– Bucket policy
– Role
![Page 17: (SEC402) Intrusion Detection in the Cloud | AWS re:Invent 2014](https://reader031.vdocuments.net/reader031/viewer/2022020306/559446e51a28ab0f0d8b4579/html5/thumbnails/17.jpg)
![Page 18: (SEC402) Intrusion Detection in the Cloud | AWS re:Invent 2014](https://reader031.vdocuments.net/reader031/viewer/2022020306/559446e51a28ab0f0d8b4579/html5/thumbnails/18.jpg)
![Page 19: (SEC402) Intrusion Detection in the Cloud | AWS re:Invent 2014](https://reader031.vdocuments.net/reader031/viewer/2022020306/559446e51a28ab0f0d8b4579/html5/thumbnails/19.jpg)
Audit Logs via AWS CloudTrail
• AWS CloudTrail records API calls in your account and delivers logs to your Amazon S3 bucket.
• Typically, delivers an event within 15 minutes of the API call.
• Log files are delivered approximately every 5 minutes.
• Currently in all public regions, supporting most AWS services
Image Source: Jeff Barr
![Page 20: (SEC402) Intrusion Detection in the Cloud | AWS re:Invent 2014](https://reader031.vdocuments.net/reader031/viewer/2022020306/559446e51a28ab0f0d8b4579/html5/thumbnails/20.jpg)
Turning on AWS CloudTrail
• Have a centralized write-only store? Use it!
![Page 21: (SEC402) Intrusion Detection in the Cloud | AWS re:Invent 2014](https://reader031.vdocuments.net/reader031/viewer/2022020306/559446e51a28ab0f0d8b4579/html5/thumbnails/21.jpg)
What is in the logs?
• Who made the API call?
• When was the API call made?
• What was the API call?
• What were the resources that were acted upon in the API call?
• Where was the API call made from?
![Page 22: (SEC402) Intrusion Detection in the Cloud | AWS re:Invent 2014](https://reader031.vdocuments.net/reader031/viewer/2022020306/559446e51a28ab0f0d8b4579/html5/thumbnails/22.jpg)
Who? Example 1: API Call by IAM User Bob
"type": "IAMUser",
"userName": "Bob"
Anonymized data
![Page 23: (SEC402) Intrusion Detection in the Cloud | AWS re:Invent 2014](https://reader031.vdocuments.net/reader031/viewer/2022020306/559446e51a28ab0f0d8b4579/html5/thumbnails/23.jpg)
Who? Example 2: API Call by Federated User Alice
"userIdentity": {
  "type": "FederatedUser",
  "principalId": "123456789012:Alice",
  "arn": "arn:aws:sts::123456789012:federated-user/Alice",
  "accountId": "123456789012",
  "accessKeyId": "ASEXAMPLE1234WTROX8F",
  "sessionIssuer": {
    "type": "IAMUser",
    "accountId": "123456789012",
    "userName": "Bob"
  }
}
Anonymized data; Partial Output
![Page 24: (SEC402) Intrusion Detection in the Cloud | AWS re:Invent 2014](https://reader031.vdocuments.net/reader031/viewer/2022020306/559446e51a28ab0f0d8b4579/html5/thumbnails/24.jpg)
Who? Example 3: AWS Service Creating Resource on Behalf of a User
• Elastic Beanstalk creating AWS resources on behalf of IAM user Bob
"userIdentity": {
  "accountId": "123456789012",
  "arn": "arn:aws:iam::123456789012:user/Bob",
  "invokedBy": "elasticbeanstalk.amazonaws.com",
  "principalId": "ASEXAMPLE123XWTROX8F",
  "type": "IAMUser",
  "userName": "Bob"
}
Anonymized data
![Page 25: (SEC402) Intrusion Detection in the Cloud | AWS re:Invent 2014](https://reader031.vdocuments.net/reader031/viewer/2022020306/559446e51a28ab0f0d8b4579/html5/thumbnails/25.jpg)
Security-relevant AWS CloudTrail Events for IDS
• Some AWS CloudTrail events are more interesting security-wise than others, such as …
– Console Sign-In
– Authorization Failure
– Etc.
• It makes sense to prioritize review for these.
![Page 26: (SEC402) Intrusion Detection in the Cloud | AWS re:Invent 2014](https://reader031.vdocuments.net/reader031/viewer/2022020306/559446e51a28ab0f0d8b4579/html5/thumbnails/26.jpg)
Example 1 – Sign-In Logging
(Fragment of the sign-in event shown on the slide:)
https://console.aws.amazon.com/iam/home?state=hashArgs%23&isauthcode=true
![Page 27: (SEC402) Intrusion Detection in the Cloud | AWS re:Invent 2014](https://reader031.vdocuments.net/reader031/viewer/2022020306/559446e51a28ab0f0d8b4579/html5/thumbnails/27.jpg)
Example 2 – Authorization Failure
![Page 28: (SEC402) Intrusion Detection in the Cloud | AWS re:Invent 2014](https://reader031.vdocuments.net/reader031/viewer/2022020306/559446e51a28ab0f0d8b4579/html5/thumbnails/28.jpg)
Example 3 – AWS CloudTrail Turned OFF
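The three "who" examples and the three priority events above come together in a small triage routine. The following is an added example, not code from the session: it answers the who/when/what/resources/where questions for each record and flags console sign-ins, authorization failures and changes to CloudTrail itself. The field names (`userIdentity`, `eventName`, `errorCode`, `sessionIssuer`, `invokedBy`) are the CloudTrail record format; the event names `ConsoleLogin`, `StopLogging`, `DeleteTrail` and `UpdateTrail` and the `AccessDenied` / `UnauthorizedOperation` error codes are real CloudTrail values. The log file body is a constructed sample modelled on the anonymized slides, and the three priority labels are local names chosen for this example.

```python
import json

# Constructed sample log body (not real account data), modelled on the slides:
# IAM user Bob, federated user Alice issued by Bob, Elastic Beanstalk acting for Bob,
# then a console sign-in, a denied IAM call and CloudTrail being stopped.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2014-11-12T18:01:02Z", "eventSource": "iam.amazonaws.com",
     "eventName": "ListUsers", "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "Bob",
                      "arn": "arn:aws:iam::123456789012:user/Bob"}},
    {"eventTime": "2014-11-12T18:05:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.11",
     "userIdentity": {"type": "FederatedUser",
                      "arn": "arn:aws:sts::123456789012:federated-user/Alice",
                      "sessionIssuer": {"type": "IAMUser", "userName": "Bob"}},
     "requestParameters": {"bucketName": "gbr-billreport", "key": "report.csv"}},
    {"eventTime": "2014-11-12T18:07:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "awsRegion": "us-east-1",
     "sourceIPAddress": "elasticbeanstalk.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "userName": "Bob",
                      "invokedBy": "elasticbeanstalk.amazonaws.com"}},
    {"eventTime": "2014-11-12T19:00:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "quux"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2014-11-12T19:02:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateAccessKey", "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.7",
     "errorCode": "AccessDenied", "userIdentity": {"type": "IAMUser", "userName": "quux"},
     "requestParameters": {"userName": "ec2test"}},
    {"eventTime": "2014-11-12T19:03:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "quux"},
     "requestParameters": {"name": "Default"}},
]})


def describe_actor(identity):
    """'Who' in one line: type and name, the session issuer for federated users,
    and the calling service when a service acted on a user's behalf."""
    who = "%s %s" % (identity.get("type"), identity.get("userName") or identity.get("arn"))
    issuer = identity.get("sessionIssuer")
    if issuer:
        who += " (session issued by %s %s)" % (issuer.get("type"), issuer.get("userName"))
    if identity.get("invokedBy"):
        who += " via %s" % identity["invokedBy"]
    return who


def summarize(record):
    """Who / when / what / which resources / where for one record."""
    return {
        "who": describe_actor(record.get("userIdentity", {})),
        "when": record["eventTime"],
        "what": "%s:%s" % (record["eventSource"].split(".")[0], record["eventName"]),
        "resources": record.get("requestParameters") or {},
        "where": "%s from %s" % (record["awsRegion"], record["sourceIPAddress"]),
    }


def classify(record):
    """Priority label for the events the talk singles out, or None for an ordinary record."""
    if record.get("eventName") == "ConsoleLogin":
        return "console-sign-in"
    code = record.get("errorCode") or ""
    if "AccessDenied" in code or "UnauthorizedOperation" in code:
        return "authorization-failure"
    if (record.get("eventSource") == "cloudtrail.amazonaws.com"
            and record.get("eventName") in ("StopLogging", "DeleteTrail", "UpdateTrail")):
        return "cloudtrail-changed"
    return None


def actors(log_text):
    """The 'who' line for every record in a log file body."""
    return [describe_actor(r.get("userIdentity", {})) for r in json.loads(log_text)["Records"]]


def triage(log_text):
    """Parse a CloudTrail log file body; return (label, summary) for each flagged record."""
    flagged = []
    for record in json.loads(log_text)["Records"]:
        label = classify(record)
        if label:
            flagged.append((label, summarize(record)))
    return flagged


if __name__ == "__main__":
    for label, s in triage(SAMPLE_LOG):
        print(label, "|", s["who"], "|", s["when"], "|", s["what"], "|", s["where"])
```

Each CloudTrail log file is one JSON object with a `Records` list, so `triage` can be pointed at a file pulled from the write-once bucket; records that carry an `errorCode` are worth reviewing even when the actor is legitimate, since a burst of them usually means someone is probing what their credentials can do.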
![Page 29: (SEC402) Intrusion Detection in the Cloud | AWS re:Invent 2014](https://reader031.vdocuments.net/reader031/viewer/2022020306/559446e51a28ab0f0d8b4579/html5/thumbnails/29.jpg)
AWS CloudTrail Search / Alert Solutions
• AWS Marketplace
• SaaS
• Open Source
![Page 30: (SEC402) Intrusion Detection in the Cloud | AWS re:Invent 2014](https://reader031.vdocuments.net/reader031/viewer/2022020306/559446e51a28ab0f0d8b4579/html5/thumbnails/30.jpg)
Example AWS Marketplace Solution for AWS CloudTrail Search / Alert
![Page 31: (SEC402) Intrusion Detection in the Cloud | AWS re:Invent 2014](https://reader031.vdocuments.net/reader031/viewer/2022020306/559446e51a28ab0f0d8b4579/html5/thumbnails/31.jpg)
Example SaaS Solution for AWS CloudTrail Search / Alert
![Page 32: (SEC402) Intrusion Detection in the Cloud | AWS re:Invent 2014](https://reader031.vdocuments.net/reader031/viewer/2022020306/559446e51a28ab0f0d8b4579/html5/thumbnails/32.jpg)
Example Open Source Solution for AWS CloudTrail Search / Alert
![Page 33: (SEC402) Intrusion Detection in the Cloud | AWS re:Invent 2014](https://reader031.vdocuments.net/reader031/viewer/2022020306/559446e51a28ab0f0d8b4579/html5/thumbnails/33.jpg)
Detecting Unauthorized Access
• Types of access
– Credentials
– Publicly accessible resources
– Cross account access
![Page 34: (SEC402) Intrusion Detection in the Cloud | AWS re:Invent 2014](https://reader031.vdocuments.net/reader031/viewer/2022020306/559446e51a28ab0f0d8b4579/html5/thumbnails/34.jpg)
Detecting Unauthorized Access – Credentials
• Types of credentials
– Login profile
– Access key
– X509
– CloudFront
– Temporary Security Credentials
• Attachment points
– Root account
– IAM users
• You want to know what credentials are out there with access to your account.
![Page 35: (SEC402) Intrusion Detection in the Cloud | AWS re:Invent 2014](https://reader031.vdocuments.net/reader031/viewer/2022020306/559446e51a28ab0f0d8b4579/html5/thumbnails/35.jpg)
Demonstration: Checking Credentials
![Page 36: (SEC402) Intrusion Detection in the Cloud | AWS re:Invent 2014](https://reader031.vdocuments.net/reader031/viewer/2022020306/559446e51a28ab0f0d8b4579/html5/thumbnails/36.jpg)
![Page 37: (SEC402) Intrusion Detection in the Cloud | AWS re:Invent 2014](https://reader031.vdocuments.net/reader031/viewer/2022020306/559446e51a28ab0f0d8b4579/html5/thumbnails/37.jpg)
IAM Credentials Report
![Page 38: (SEC402) Intrusion Detection in the Cloud | AWS re:Invent 2014](https://reader031.vdocuments.net/reader031/viewer/2022020306/559446e51a28ab0f0d8b4579/html5/thumbnails/38.jpg)
Detecting Unauthorized Access – Public
• Publicly accessible resources (NOT by default, but could be configured as such)
– Amazon S3 Bucket
– Amazon S3 Anonymous Objects
– Amazon SQS Open / Public Queues
• You want to keep track of which resources are readable (or even writable) to the world
![Page 39: (SEC402) Intrusion Detection in the Cloud | AWS re:Invent 2014](https://reader031.vdocuments.net/reader031/viewer/2022020306/559446e51a28ab0f0d8b4579/html5/thumbnails/39.jpg)
Detecting Unauthorized Access – Cross Account
• Resources that support resource policies
– Amazon S3 Buckets
– Amazon SQS queues
– Amazon SNS topics
• You want to pay particular attention to any resources that have resource policies allowing cross account access.
![Page 40: (SEC402) Intrusion Detection in the Cloud | AWS re:Invent 2014](https://reader031.vdocuments.net/reader031/viewer/2022020306/559446e51a28ab0f0d8b4579/html5/thumbnails/40.jpg)
CHECKING FOR CROSS-ACCOUNT ACCESS TO RESOURCES
![Page 41: (SEC402) Intrusion Detection in the Cloud | AWS re:Invent 2014](https://reader031.vdocuments.net/reader031/viewer/2022020306/559446e51a28ab0f0d8b4579/html5/thumbnails/41.jpg)
![Page 42: (SEC402) Intrusion Detection in the Cloud | AWS re:Invent 2014](https://reader031.vdocuments.net/reader031/viewer/2022020306/559446e51a28ab0f0d8b4579/html5/thumbnails/42.jpg)
Detecting Unauthorized Access – Roles
• What is a role
– Name
– AssumeRole Policy
– Capabilities
• You want to look at what roles are present in the account and who can assume them
![Page 43: (SEC402) Intrusion Detection in the Cloud | AWS re:Invent 2014](https://reader031.vdocuments.net/reader031/viewer/2022020306/559446e51a28ab0f0d8b4579/html5/thumbnails/43.jpg)
CHECKING FOR ROLES
![Page 44: (SEC402) Intrusion Detection in the Cloud | AWS re:Invent 2014](https://reader031.vdocuments.net/reader031/viewer/2022020306/559446e51a28ab0f0d8b4579/html5/thumbnails/44.jpg)
![Page 45: (SEC402) Intrusion Detection in the Cloud | AWS re:Invent 2014](https://reader031.vdocuments.net/reader031/viewer/2022020306/559446e51a28ab0f0d8b4579/html5/thumbnails/45.jpg)
Detecting Unauthorized Access – Effective Access
• Ways of expressing * (IMPLICIT *)
– PutUserPolicy
– Credential creation
– PassRole *
• You want to look out for policies that could be used to gain all access (IAM APIs)
• Using IAM Policy Simulator …
https://policysim.aws.amazon.com/
![Page 46: (SEC402) Intrusion Detection in the Cloud | AWS re:Invent 2014](https://reader031.vdocuments.net/reader031/viewer/2022020306/559446e51a28ab0f0d8b4579/html5/thumbnails/46.jpg)
{
  "Statement": [
    {
      "Sid": "Stmt1383555181147",
      "NotAction": "*",
      "Effect": "Allow",
      "Resource": "*"
    },
    {
      "Sid": "Stmt1383555193395",
      "Action": ["iam:PutUserPolicy"],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}

{
  "Statement": [
    {
      "Sid": "Stmt1383555181147",
      "Action": "ec2:*",
      "Effect": "Allow",
      "Resource": "*"
    },
    {
      "Sid": "Stmt1383555193395",
      "Action": ["s3:*", "iam:PassRole"],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}
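Neither policy above contains a literal `*`, yet each grants a path to full access: the first through `iam:PutUserPolicy` (the holder can write themselves any inline policy), the second through `iam:PassRole` combined with `ec2:*` (the holder can launch an instance carrying a more privileged role). The checker below is an added example, not the session's code or the IAM Policy Simulator: it evaluates each Allow statement with IAM's wildcard semantics for `Action` and `NotAction` and reports the escalation-capable actions it covers. The `ESCALATION_ACTIONS` table is an assumption for illustration, built from the three paths the slide names plus a few sibling IAM actions; the real list of escalation-capable actions is longer, and `Resource` and `Condition` scoping are deliberately ignored here.

```python
import fnmatch
import json

# Actions that let a principal expand its own access. Assumed list for illustration:
# the slide names PutUserPolicy, credential creation and PassRole; siblings added.
ESCALATION_ACTIONS = {
    "iam:PutUserPolicy": "write an inline policy for any user, including yourself",
    "iam:PutGroupPolicy": "write an inline policy for a group you belong to",
    "iam:AttachUserPolicy": "attach any managed policy to any user",
    "iam:CreateAccessKey": "mint API credentials for a more privileged user",
    "iam:CreateLoginProfile": "set a console password for a more privileged user",
    "iam:UpdateLoginProfile": "reset a more privileged user's console password",
    "iam:PassRole": "hand a privileged role to a resource (e.g. an EC2 instance) you control",
}


def as_list(value):
    """IAM accepts a string or a list for Statement, Action and NotAction."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def action_matches(pattern, action):
    """IAM action patterns are case-insensitive and support * and ? wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def statement_allows(stmt, action):
    """True if an Allow statement covers `action`, honouring Action vs NotAction."""
    if stmt.get("Effect") != "Allow":
        return False
    if "Action" in stmt:
        return any(action_matches(p, action) for p in as_list(stmt["Action"]))
    if "NotAction" in stmt:
        # Everything is allowed except what matches a NotAction pattern, so the
        # first statement on the slide (NotAction "*") allows nothing by itself.
        return not any(action_matches(p, action) for p in as_list(stmt["NotAction"]))
    return False


def analyze(policy):
    """(Sid, action, reason) for every Allow statement granting an explicit wildcard
    or an escalation action. Resource and Condition are ignored; a Resource narrower
    than "*" reduces what iam:PassRole can reach considerably."""
    findings = []
    for stmt in as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        wild = [p for p in as_list(stmt.get("Action")) if p == "*" or p.lower() == "iam:*"]
        if wild:
            findings.append((sid, wild[0], "explicit wildcard"))
            continue
        for action, reason in ESCALATION_ACTIONS.items():
            if statement_allows(stmt, action):
                findings.append((sid, action, reason))
    return findings


# The two policies from the slide, with the JSON made valid.
POLICY_A = json.loads("""{"Statement": [
  {"Sid": "Stmt1383555181147", "NotAction": "*", "Effect": "Allow", "Resource": "*"},
  {"Sid": "Stmt1383555193395", "Action": ["iam:PutUserPolicy"], "Effect": "Allow", "Resource": "*"}]}""")
POLICY_B = json.loads("""{"Statement": [
  {"Sid": "Stmt1383555181147", "Action": "ec2:*", "Effect": "Allow", "Resource": "*"},
  {"Sid": "Stmt1383555193395", "Action": ["s3:*", "iam:PassRole"], "Effect": "Allow", "Resource": "*"}]}""")

if __name__ == "__main__":
    for name, policy in (("A", POLICY_A), ("B", POLICY_B)):
        for sid, action, reason in analyze(policy):
            print("policy %s, statement %s allows %s: %s" % (name, sid, action, reason))
```

Run against policy documents pulled by the security audit role (user, group and role inline policies alike), this gives a first cut at the "implicit *" review; anything it flags is a candidate for confirmation in the Policy Simulator, which does evaluate Resource and Condition.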
![Page 47: (SEC402) Intrusion Detection in the Cloud | AWS re:Invent 2014](https://reader031.vdocuments.net/reader031/viewer/2022020306/559446e51a28ab0f0d8b4579/html5/thumbnails/47.jpg)
![Page 48: (SEC402) Intrusion Detection in the Cloud | AWS re:Invent 2014](https://reader031.vdocuments.net/reader031/viewer/2022020306/559446e51a28ab0f0d8b4579/html5/thumbnails/48.jpg)
(The two example policies from page 46 are repeated on this slide.)
![Page 49: (SEC402) Intrusion Detection in the Cloud | AWS re:Invent 2014](https://reader031.vdocuments.net/reader031/viewer/2022020306/559446e51a28ab0f0d8b4579/html5/thumbnails/49.jpg)
Detecting Unauthorized Access –Effective Access
• Dump the output of various configuration APIs into write-once storage
• Pay attention to changes
• Some examples for grabbing this data …
https://reinvent2014-sec402.s3.amazonaws.com/SecConfig.py
![Page 50: (SEC402) Intrusion Detection in the Cloud | AWS re:Invent 2014](https://reader031.vdocuments.net/reader031/viewer/2022020306/559446e51a28ab0f0d8b4579/html5/thumbnails/50.jpg)
Using Security Role for Amazon S3 Audit (Bucket Policies)
https://reinvent2014-sec402.s3.amazonaws.com/SecConfig.py
![Page 51: (SEC402) Intrusion Detection in the Cloud | AWS re:Invent 2014](https://reader031.vdocuments.net/reader031/viewer/2022020306/559446e51a28ab0f0d8b4579/html5/thumbnails/51.jpg)
Account Configuration Change Security Alerts
• Dump all the users, groups, roles, attached permissions, creds for all users
• Amazon S3 bucket, Amazon SQS queue, Amazon SNS topic policies
• Amazon EC2 security group configuration
• All goes to flat file, write-once Amazon S3 object
• Diff and detect changes
https://reinvent2014-sec402.s3.amazonaws.com/SecConfig.py
![Page 52: (SEC402) Intrusion Detection in the Cloud | AWS re:Invent 2014](https://reader031.vdocuments.net/reader031/viewer/2022020306/559446e51a28ab0f0d8b4579/html5/thumbnails/52.jpg)
Demonstration: Intrusion Detection Script
https://reinvent2014-sec402.s3.amazonaws.com/SecConfig.py
![Page 53: (SEC402) Intrusion Detection in the Cloud | AWS re:Invent 2014](https://reader031.vdocuments.net/reader031/viewer/2022020306/559446e51a28ab0f0d8b4579/html5/thumbnails/53.jpg)
Example Usage
SecConfig.py [-h] -a ACCESS_KEY_ID -k SECRET_ACCESS_KEY \
             [-t SECURITY_TOKEN] [-r ROLE] [-v] [-d]
-h, --help            show this help message and exit
-a ACCESS_KEY_ID, --access_key_id ACCESS_KEY_ID
                      access key id
-k SECRET_ACCESS_KEY, --secret_access_key SECRET_ACCESS_KEY
                      secret access key
-t SECURITY_TOKEN, --security_token SECURITY_TOKEN
                      security token (for use with temporary security credentials)
-r ROLE, --role ROLE  role to assume
-v, --verbose         enable verbose mode
-d, --debug           enable debug mode
![Page 54: (SEC402) Intrusion Detection in the Cloud | AWS re:Invent 2014](https://reader031.vdocuments.net/reader031/viewer/2022020306/559446e51a28ab0f0d8b4579/html5/thumbnails/54.jpg)
Example Output
iam:accountsummary, AccountMFAEnabled, , 1
iam:accesskey, ClassicRTTUser, Active, AKIAJQF4G2ZOZBL3FYKQ
iam:accesskey, ClassicRTTUser, Active, AKIAJVVZ456L2HVERGIQ
iam:accesskey, audit, Active, AKIAJJ7D5VQ2KAC4RX6Q
iam:accesskey, ec2test, Active, AKIAIMWFQHOLKE3ARKOQ
iam:accesskey, ec2test, Active, AKIAISNKP5NBWJRQTBWA
iam:useringroup, ClassicRTTUser, , ClassicRTTGrp
iam:userpolicy, ClassicRTTUser, PowerUserAccess-ClassicRTTUser-201306251128, 3be1369a6334b59ecbe24496a45a6c792ea8468bf29f31d30f5d5efc645b2197
iam:userpolicy, audit, ReadOnlyAccess-audit-201310221803, 02bc4680f269c2949a2da250e6c2b430e3f2a6c1f9e665fce58b6d94de27001d
iam:userpolicy, ec2test, AdministratorAccess-ec2test-201306141348, 08504c15956913f7a75aadc895ef2b92368826916f95027a128388e60cda61d4
iam:userpolicy, ec2test, AdministratorAccess-ec2test-201306141416, 76c7d1e7027c934815dd4c69db072992cd2912af59a513ddc633223b7fe01ebb
iam:userpolicy, ec2test, ReadOnlyAccess-ec2test-201310231957, 02bc4680f269c2949a2da250e6c2b430e3f2a6c1f9e665fce58b6d94de27001d
iam:userpolicy, mbp-r-managed, one, e3e0211e865b5cac2a57241edcb8aeb9d546764abba2f325b694ec840985c2ff
iam:userpolicy, quux, mypolicy, 2ad665ca145f5d107be53beecc7c0092461d76c1b9588cae4e0b0f4cbdbc5083
iam:grouppolicy, test, CloudFrontFullAccess-test-201310291053, 3036fb93022a9f4146d6ccc67ff953d2be25c5ae3d0241b8b983442b577e5b73
iam:assumerolepolicy, ClassicRTTRole, arn:aws:iam::923022406781:role/ClassicRTTRole, 3036fb93022a9f4146d6ccc67ff953d2be25c5ae3d0241b8b983442b577e5b73
iam:assumerolepolicy, jenkins, arn:aws:iam::923022406781:role/jenkins, e3e0211e865b5cac2a57241edcb8aeb9d546764abba2f325b694ec840985c2ff
iam:assumerolepolicy, ltest, arn:aws:iam::923022406781:role/ltest, 6e676d8b13e140781b56775c55e2894d8b8b838e15a12b64bf128a9794931b80
iam:assumerolepolicy, security_audit, arn:aws:iam::923022406781:role/security_audit, 6e676d8b13e140781b56775c55e2894d8b8b838e15a12b64bf128a9794931b80
iam:assumerolepolicy, uascr, arn:aws:iam::923022406781:role/uascr, b675543c022ca9bce21414468a7b62e207116f11f77e722ae2f65fed7e69ffbb
iam:rolepolicy, ClassicRTTRole, PowerUserAccess-ClassicRTTRole-201306251129, e3e0211e865b5cac2a57241edcb8aeb9d546764abba2f325b694ec840985c2ff
iam:rolepolicy, jenkins, ReadOnlyAccess-jenkins-201303291802, 6e676d8b13e140781b56775c55e2894d8b8b838e15a12b64bf128a9794931b80
iam:rolepolicy, security_audit, ReadOnlyAccess-security_audit-201311061949, b675543c022ca9bce21414468a7b62e207116f11f77e722ae2f65fed7e69ffbb
iam:rolepolicy, uascr, AmazonDynamoDBFullAccess-uascr-201210111714, 75cc727843ed2bc783bf9c325300ff307d9b2594b2a53d88b59e609e39af1a89
s3:bucketpolicy, caec.us, , NoSuchBucketPolicy
s3:bucketpolicy, cf-templates-g5zg6nnco317-us-east-1, , NoSuchBucketPolicy
s3:bucketpolicy, dcslides, , NoSuchBucketPolicy
s3:bucketpolicy, elasticbeanstalk-us-east-1-923022406781, , NoSuchBucketPolicy
s3:bucketpolicy, gbr-billreport, , ee9f053535a1c6bb3f7becc968d6851679e9694757c8fe18ae3588e7334e2a20
s3:bucketpolicy, gbr-testv, , NoSuchBucketPolicy
s3:bucketpolicy, gbrcrypto, , NoSuchBucketPolicy
s3:bucketpolicy, gbrcrypto-logs, , NoSuchBucketPolicy
s3:bucketpolicy, gregroth.desktop.amazon.com, , NoSuchBucketPolicy
s3:bucketpolicy, logs.s3.caec.us, , NoSuchBucketPolicy
s3:bucketpolicy, s3.caec.us, , NoSuchBucketPolicy
sqs:queuepolicy, https://queue.amazonaws.com/923022406781/deletemetoo, , NoPolicy
sqs:queuepolicy, https://queue.amazonaws.com/923022406781/deletme, , 21fbfa969788e8675e540c1fb0114f1a5d280863d5c4e4e9476ec106af8bffc9
sns:topicpolicy, arn:aws:sns:us-east-1:923022406781:test, , c5f96939702f70124b7e2af14ed07034d155fa56bf043f187d5d6d2d1c9521c0
sns:topicpolicy, arn:aws:sns:us-east-1:923022406781:test2, , 27f459b59b384b38c92458a4c2ea7268be7c73db687cfba52ac7521770541cb8
![Page 55: (SEC402) Intrusion Detection in the Cloud | AWS re:Invent 2014](https://reader031.vdocuments.net/reader031/viewer/2022020306/559446e51a28ab0f0d8b4579/html5/thumbnails/55.jpg)
Example Output (Snippet)
iam:accountsummary, AccountMFAEnabled, , 1
iam:accesskey, ClassicRTTUser, Active, AKIAJQF4G2ZOZBL3FYKQ
iam:accesskey, ClassicRTTUser, Active, AKIAJVVZ456L2HVERGIQ
iam:accesskey, audit, Active, AKIAJJ7D5VQ2KAC4RX6Q
iam:accesskey, ec2test, Active, AKIAIMWFQHOLKE3ARKOQ
iam:accesskey, ec2test, Active, AKIAISNKP5NBWJRQTBWA
iam:accesskey, mbp-r-managed, Active, AKIAJKVVGIG7L5UC5OGQ
iam:accesskey, quux, Active, AKIAJR7ZICS26O32EPBQ
iam:accesskey, test, Active, AKIAINTUMS4ITD5CJVSA
iam:useringroup, ClassicRTTUser, , ClassicRTTGrp
![Page 56: (SEC402) Intrusion Detection in the Cloud | AWS re:Invent 2014](https://reader031.vdocuments.net/reader031/viewer/2022020306/559446e51a28ab0f0d8b4579/html5/thumbnails/56.jpg)
Example Output (Snippet)
s3:bucketpolicy, dcslides, , NoSuchBucketPolicy
s3:bucketpolicy, elasticbeanstalk-us-east-1-923022406781, , NoSuchBucketPolicy
s3:bucketpolicy, gbr-billreport, , ee9f053535a1c6bb3f7becc968d6851679e9694757c8fe18ae3588e7334e2a20
sqs:queuepolicy, https://queue.amazonaws.com/923022406781/deletemetoo, , NoPolicy
sqs:queuepolicy, https://queue.amazonaws.com/923022406781/deletme, , 21fbfa969788e8675e540c1fb0114f1a5d280863d5c4e4e9476ec106af8bffc9
sns:topicpolicy, arn:aws:sns:us-east-1:923022406781:test, , c5f96939702f70124b7e2af14ed07034d155fa56bf043f187d5d6d2d1c9521c0
sns:topicpolicy, arn:aws:sns:us-east-1:923022406781:test2, , 27f459b59b384b38c92458a4c2ea7268be7c73db687cfba52ac7521770541cb8
![Page 57: (SEC402) Intrusion Detection in the Cloud | AWS re:Invent 2014](https://reader031.vdocuments.net/reader031/viewer/2022020306/559446e51a28ab0f0d8b4579/html5/thumbnails/57.jpg)
Example Diff, Something to Look Into
< iam:userpolicy, mbp-r-managed, one, e3e0211e865b5cac2a57241edcb8aeb9d546764abba2f325b694ec840985c2ff
---
> iam:userpolicy, mbp-r-managed, ReadOnlyAccess-mbp-r-managed-201311111559, b675543c022ca9bce21414468a7b62e207116f11f77e722ae2f65fed7e69ffbb
> iam:userpolicy, mbp-r-managed, one, 1cc602178f7e876c6d38cbaa8c4adde19b1c3e5a89e6f13c29df5688eb73f50f
https://reinvent2014-sec402.s3.amazonaws.com/SecConfig.py
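The "dump, store write-once, diff" loop from the preceding slides, reduced to its two moving parts: a stable fingerprint per policy document and a line diff between two snapshots in the same `type, name, field, value` shape as the SecConfig.py output. This is an added example and not the session's script: the fingerprint here is SHA-256 over a canonical JSON form of the policy (an assumption; the slides show 64-hex-digit values but not how the script derives them), and the two account dumps are constructed inline rather than fetched with the audit role, so the block runs offline. The `AKIAEXAMPLE...` key IDs and the bucket policy are constructed placeholders.

```python
import hashlib
import json


def fingerprint(policy_doc):
    """SHA-256 over canonical JSON, so key order and whitespace do not change the hash."""
    canonical = json.dumps(policy_doc, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def snapshot(account):
    """Flatten an account dump into sorted 'type, name, field, value' lines."""
    rows = [("iam:accountsummary", "AccountMFAEnabled", "", str(account["mfa_enabled"]))]
    for user, keys in account["access_keys"].items():
        for key_id, status in keys:
            rows.append(("iam:accesskey", user, status, key_id))
    for user, policy_name, doc in account["user_policies"]:
        rows.append(("iam:userpolicy", user, policy_name, fingerprint(doc)))
    for bucket, doc in account["bucket_policies"].items():
        rows.append(("s3:bucketpolicy", bucket, "",
                     fingerprint(doc) if doc else "NoSuchBucketPolicy"))
    return sorted(", ".join(row) for row in rows)


def diff(old, new):
    """Lines only in the old snapshot ('<') followed by lines only in the new one ('>')."""
    old_set, new_set = set(old), set(new)
    return (["< " + line for line in old if line not in new_set] +
            ["> " + line for line in new if line not in old_set])


# Constructed account dumps (placeholder key IDs and policies, not real data).
READ_ONLY = {"Statement": [{"Effect": "Allow", "Action": ["iam:Get*", "iam:List*"],
                            "Resource": "*"}]}
BILLING_BUCKET_POLICY = {"Statement": [{"Effect": "Allow",
                                        "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
                                        "Action": "s3:GetObject",
                                        "Resource": "arn:aws:s3:::gbr-billreport/*"}]}
BEFORE = {
    "mfa_enabled": 1,
    "access_keys": {"audit": [("AKIAEXAMPLE00000001", "Active")]},
    "user_policies": [("mbp-r-managed", "one", READ_ONLY)],
    "bucket_policies": {"dcslides": None, "gbr-billreport": BILLING_BUCKET_POLICY},
}
# The same account later: policy "one" widened to iam:*, a second policy on the same
# user, and a new user "quux" holding an access key. Only these three lines should differ.
AFTER = {
    "mfa_enabled": 1,
    "access_keys": {"audit": [("AKIAEXAMPLE00000001", "Active")],
                    "quux": [("AKIAEXAMPLE00000002", "Active")]},
    "user_policies": [
        ("mbp-r-managed", "one",
         {"Statement": [{"Effect": "Allow", "Action": "iam:*", "Resource": "*"}]}),
        ("mbp-r-managed", "ReadOnlyAccess-mbp-r-managed-201311111559", READ_ONLY),
    ],
    "bucket_policies": {"dcslides": None, "gbr-billreport": BILLING_BUCKET_POLICY},
}

if __name__ == "__main__":
    print("\n".join(diff(snapshot(BEFORE), snapshot(AFTER))))
```

Writing each snapshot as a new object in the write-once bucket (versioning on, MFA delete, ideally a second account) is what makes the diff trustworthy: an intruder who can alter the current configuration cannot also rewrite the baseline it is compared against. A changed hash says only that a policy changed; the two documents still have to be pulled and compared to see what was added.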
![Page 58: (SEC402) Intrusion Detection in the Cloud | AWS re:Invent 2014](https://reader031.vdocuments.net/reader031/viewer/2022020306/559446e51a28ab0f0d8b4579/html5/thumbnails/58.jpg)
Advanced Warning on Billing / Usage Example
![Page 59: (SEC402) Intrusion Detection in the Cloud | AWS re:Invent 2014](https://reader031.vdocuments.net/reader031/viewer/2022020306/559446e51a28ab0f0d8b4579/html5/thumbnails/59.jpg)
Example OK vs UH-OH Billing Trend / Graph
![Page 60: (SEC402) Intrusion Detection in the Cloud | AWS re:Invent 2014](https://reader031.vdocuments.net/reader031/viewer/2022020306/559446e51a28ab0f0d8b4579/html5/thumbnails/60.jpg)
Billing Alerts
• No need to wait until end of month to become aware of unexpected utilization
• Establish a baseline of known good billing over time; set your thresholds (overall or service specific)
• Investigate alerts to determine r00t (?) cause
• Simplest cloud IDS mechanism, and FREE*
* Setup of 10 alarms and receipt of 1 K notifications
![Page 61: (SEC402) Intrusion Detection in the Cloud | AWS re:Invent 2014](https://reader031.vdocuments.net/reader031/viewer/2022020306/559446e51a28ab0f0d8b4579/html5/thumbnails/61.jpg)
Enable Monitoring of Your Estimated Charges
![Page 62: (SEC402) Intrusion Detection in the Cloud | AWS re:Invent 2014](https://reader031.vdocuments.net/reader031/viewer/2022020306/559446e51a28ab0f0d8b4579/html5/thumbnails/62.jpg)
Creating A Billing Alarm – Select “By Service”
![Page 63: (SEC402) Intrusion Detection in the Cloud | AWS re:Invent 2014](https://reader031.vdocuments.net/reader031/viewer/2022020306/559446e51a28ab0f0d8b4579/html5/thumbnails/63.jpg)
Creating A Billing Alarm – Select Service (e.g. Amazon EC2), Create Alarm
![Page 64: (SEC402) Intrusion Detection in the Cloud | AWS re:Invent 2014](https://reader031.vdocuments.net/reader031/viewer/2022020306/559446e51a28ab0f0d8b4579/html5/thumbnails/64.jpg)
Creating A Billing Alarm – Enter Name, Description, Set Threshold
![Page 65: (SEC402) Intrusion Detection in the Cloud | AWS re:Invent 2014](https://reader031.vdocuments.net/reader031/viewer/2022020306/559446e51a28ab0f0d8b4579/html5/thumbnails/65.jpg)
Creating A Billing Alarm – Set Alarm, Notification, Create Alarm
![Page 66: (SEC402) Intrusion Detection in the Cloud | AWS re:Invent 2014](https://reader031.vdocuments.net/reader031/viewer/2022020306/559446e51a28ab0f0d8b4579/html5/thumbnails/66.jpg)
Example Billing Alert via CLI
![Page 67: (SEC402) Intrusion Detection in the Cloud | AWS re:Invent 2014](https://reader031.vdocuments.net/reader031/viewer/2022020306/559446e51a28ab0f0d8b4579/html5/thumbnails/67.jpg)
Assuming You Anticipate ~ $1 K / Month …
(Chart: cumulative spend over Week 1 to Week 4 against alarm thresholds at $250, $500, $750 and $1000; legend: = OK!)
![Page 68: (SEC402) Intrusion Detection in the Cloud | AWS re:Invent 2014](https://reader031.vdocuments.net/reader031/viewer/2022020306/559446e51a28ab0f0d8b4579/html5/thumbnails/68.jpg)
“Early” Alerts Are “Interesting” …
(Chart: the same $250 / $500 / $750 / $1000 thresholds over Week 1 to Week 4, with one alarm firing earlier than expected; legend: = OK!, = Hmm …)
![Page 69: (SEC402) Intrusion Detection in the Cloud | AWS re:Invent 2014](https://reader031.vdocuments.net/reader031/viewer/2022020306/559446e51a28ab0f0d8b4579/html5/thumbnails/69.jpg)
More than One “Early” Alert …?
(Chart: the same thresholds over Week 1 to Week 4, with several alarms firing early; legend: = OK!, = Hmm …, = Uh-Oh!)
![Page 70: (SEC402) Intrusion Detection in the Cloud | AWS re:Invent 2014](https://reader031.vdocuments.net/reader031/viewer/2022020306/559446e51a28ab0f0d8b4579/html5/thumbnails/70.jpg)
Create Your Own Meter-based Alerts?
• Use: programmatic access to billing data
• You have more info about the types and locations of charges
• Allows for looking for unexpected usage per region
![Page 71: (SEC402) Intrusion Detection in the Cloud | AWS re:Invent 2014](https://reader031.vdocuments.net/reader031/viewer/2022020306/559446e51a28ab0f0d8b4579/html5/thumbnails/71.jpg)
>$0 Usage Unexpected Region Alert Example
https://reinvent2014-sec402.s3.amazonaws.com/regional_billing_alert.rb
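Two of the checks from the billing slides, written out as an added example (not the session's regional_billing_alert.rb, which is not reproduced on the page): grading how many estimated-charge alarms fired ahead of the week they were sized for, and flagging any region with more than $0 of usage that you do not operate in. The billing rows are a constructed, simplified shape (usage type and cost only), not the layout of the real billing report; the region prefixes on usage types (`USW2-`, `EUW1-`, none for us-east-1) follow the AWS convention, but the prefix table is an assumption kept short for the example.

```python
import csv
import io
import math


def grade_alarms(monthly_budget, fired, weeks=4):
    """fired maps an alarm threshold (dollars) to the week of the month it fired in.
    With the budget spread evenly, a threshold of k * budget/weeks is not expected
    before week k; an alarm that fires earlier is an 'early' alert. Returns 'OK'
    (none early), 'Hmm' (one) or 'Uh-Oh' (more than one), as on the slides."""
    per_week = monthly_budget / weeks
    early = sum(1 for threshold, week in fired.items()
                if week < math.ceil(threshold / per_week))
    return "OK" if early == 0 else "Hmm" if early == 1 else "Uh-Oh"


# Region prefix on usage types; no prefix means us-east-1. Assumed table for the example.
REGION_PREFIXES = {"USW1": "us-west-1", "USW2": "us-west-2", "EUW1": "eu-west-1",
                   "EUC1": "eu-central-1", "APN1": "ap-northeast-1",
                   "APS1": "ap-southeast-1", "APS2": "ap-southeast-2", "SAE1": "sa-east-1"}


def region_of(usage_type):
    """Map a usage type such as 'APN1-BoxUsage:c3.8xlarge' to its region."""
    return REGION_PREFIXES.get(usage_type.split("-", 1)[0], "us-east-1")


def cost_by_region(csv_text):
    """Sum the Cost column per region over a CSV with UsageType and Cost columns."""
    totals = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        region = region_of(row["UsageType"])
        totals[region] = totals.get(region, 0.0) + float(row["Cost"])
    return totals


def unexpected_regions(csv_text, expected_regions):
    """Regions with more than $0 of usage that are not on the list you operate in."""
    return {region: round(cost, 2) for region, cost in cost_by_region(csv_text).items()
            if cost > 0 and region not in expected_regions}


# Constructed, simplified billing rows. Not the real billing report layout.
SAMPLE_BILLING = """UsageType,Cost
BoxUsage:m3.medium,48.20
DataTransfer-Out-Bytes,0.80
USW2-BoxUsage:t2.micro,2.10
APN1-BoxUsage:c3.8xlarge,311.50
APN1-DataTransfer-Out-Bytes,5.25
EUW1-TimedStorage-ByteHrs,0.00
"""

if __name__ == "__main__":
    print(grade_alarms(1000, {250: 1, 500: 1, 750: 2}))
    print(unexpected_regions(SAMPLE_BILLING, {"us-east-1", "us-west-2"}))
```

The region check is the more specific of the two signals: a large instance type appearing in a region the business has never used says more than the dollar amount alone, and it is exactly the kind of charge a service-level console alarm on Amazon EC2 would fold into the overall total.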
![Page 72: (SEC402) Intrusion Detection in the Cloud | AWS re:Invent 2014](https://reader031.vdocuments.net/reader031/viewer/2022020306/559446e51a28ab0f0d8b4579/html5/thumbnails/72.jpg)
Trusted Advisor
• Inspects AWS environment; can identify and help close security gaps, enable security features, examine permissions
– Open security groups
– Bucket policy
– IAM, passwords, MFA
https://aws.amazon.com/premiumsupport/trustedadvisor/
![Page 73: (SEC402) Intrusion Detection in the Cloud | AWS re:Invent 2014](https://reader031.vdocuments.net/reader031/viewer/2022020306/559446e51a28ab0f0d8b4579/html5/thumbnails/73.jpg)
Trusted Advisor Dashboard Example
![Page 74: (SEC402) Intrusion Detection in the Cloud | AWS re:Invent 2014](https://reader031.vdocuments.net/reader031/viewer/2022020306/559446e51a28ab0f0d8b4579/html5/thumbnails/74.jpg)
Trusted Advisor Security Checks Example
![Page 75: (SEC402) Intrusion Detection in the Cloud | AWS re:Invent 2014](https://reader031.vdocuments.net/reader031/viewer/2022020306/559446e51a28ab0f0d8b4579/html5/thumbnails/75.jpg)
![Page 76: (SEC402) Intrusion Detection in the Cloud | AWS re:Invent 2014](https://reader031.vdocuments.net/reader031/viewer/2022020306/559446e51a28ab0f0d8b4579/html5/thumbnails/76.jpg)
Trusted Advisor Checks via API
• AWS Support API includes Trusted Advisor checks
– List checks and their descriptions
– Get check results
– Specify checks to refresh
– Get refresh status of checks
http://docs.aws.amazon.com/awssupport/latest/APIReference/Welcome.html
![Page 77: (SEC402) Intrusion Detection in the Cloud | AWS re:Invent 2014](https://reader031.vdocuments.net/reader031/viewer/2022020306/559446e51a28ab0f0d8b4579/html5/thumbnails/77.jpg)
Alternate Security POC
• For security notifications, Support will utilize the contact information you provide AWS
• Consider adding a security-specific contact for your account
• Security POC = contact information for your organization’s security team
http://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/manage-account-payment.html
![Page 78: (SEC402) Intrusion Detection in the Cloud | AWS re:Invent 2014](https://reader031.vdocuments.net/reader031/viewer/2022020306/559446e51a28ab0f0d8b4579/html5/thumbnails/78.jpg)
Rebuild Frequency
• Difficult for adversary to maintain persistence when an EC2 instance does not
• Breaking in repeatedly will be noisy, more likely to detect
• Auditing a system is easiest soon after creation
• Rebuild everything every day
![Page 79: (SEC402) Intrusion Detection in the Cloud | AWS re:Invent 2014](https://reader031.vdocuments.net/reader031/viewer/2022020306/559446e51a28ab0f0d8b4579/html5/thumbnails/79.jpg)
Support for Security
• AWS support is the one-stop shop for AWS customers, for ANY concerns, including security-related
• If support cannot immediately address your concern, they will escalate internally to the appropriate technical team, AWS security included
https://aws.amazon.com/support
![Page 80: (SEC402) Intrusion Detection in the Cloud | AWS re:Invent 2014](https://reader031.vdocuments.net/reader031/viewer/2022020306/559446e51a28ab0f0d8b4579/html5/thumbnails/80.jpg)
Other re:Invent Talks
• SEC305 “IAM Best Practices”
• SEC303 “Mastering Access Control Policies”
• SEC306 “Turn On Cloudtrail”
• SEC404 “Incident Response in The Cloud”
• If missed, keep an eye on YouTube …
http://www.youtube.com/user/AmazonWebServices
![Page 81: (SEC402) Intrusion Detection in the Cloud | AWS re:Invent 2014](https://reader031.vdocuments.net/reader031/viewer/2022020306/559446e51a28ab0f0d8b4579/html5/thumbnails/81.jpg)
Security Best Practices Whitepaper
• Help for designing security infrastructure and configuration for your AWS environment
• High-level guidance for …
– Managing accounts, users, groups, roles
– Managing OS-level access to instances
– Securing your data, OS, apps, infrastructure
– Managing security monitoring, auditing, alerting, incident response
http://media.amazonwebservices.com/AWS_Security_Best_Practices.pdf
![Page 82: (SEC402) Intrusion Detection in the Cloud | AWS re:Invent 2014](https://reader031.vdocuments.net/reader031/viewer/2022020306/559446e51a28ab0f0d8b4579/html5/thumbnails/82.jpg)
AWS Security Resources
• AWS Security Blog
http://blogs.aws.amazon.com/security/
• AWS Security Center
https://aws.amazon.com/security
• Contact the AWS security team
![Page 83: (SEC402) Intrusion Detection in the Cloud | AWS re:Invent 2014](https://reader031.vdocuments.net/reader031/viewer/2022020306/559446e51a28ab0f0d8b4579/html5/thumbnails/83.jpg)
Pre-Req Reminders with References
• AWS Identity and Access Management (IAM)
http://docs.aws.amazon.com/IAM/latest/UserGuide/IAMGettingStarted.html
• Multi-Factor Authentication (MFA)
http://docs.aws.amazon.com/IAM/latest/UserGuide/Using_ManagingMFA.html
• Amazon S3 Bucket Logging
http://docs.aws.amazon.com/AmazonS3/latest/UG/ManagingBucketLogging.html
• Roles for EC2
http://docs.aws.amazon.com/IAM/latest/UserGuide/WorkingWithRoles.html
• Amazon S3 Bucket Versioning with MFA Delete
http://docs.aws.amazon.com/AmazonS3/latest/dev/Versioning.html
http://docs.aws.amazon.com/AmazonS3/latest/dev/MultiFactorAuthenticationDelete.html
![Page 84: (SEC402) Intrusion Detection in the Cloud | AWS re:Invent 2014](https://reader031.vdocuments.net/reader031/viewer/2022020306/559446e51a28ab0f0d8b4579/html5/thumbnails/84.jpg)
Billing Alerts and Billing Data
• Monitoring your AWS charges
http://docs.amazonwebservices.com/AmazonCloudWatch/latest/DeveloperGuide/monitor_estimated_charges_with_cloudwatch.html
• Amazon CloudWatch Command Line Interface Reference
http://docs.aws.amazon.com/AmazonCloudWatch/latest/DeveloperGuide/CLIReference.html
• Programmatic Access to Billing Data
http://docs.aws.amazon.com/awsaccountbilling/latest/about/programaccess.html
![Page 85: (SEC402) Intrusion Detection in the Cloud | AWS re:Invent 2014](https://reader031.vdocuments.net/reader031/viewer/2022020306/559446e51a28ab0f0d8b4579/html5/thumbnails/85.jpg)
Key Takeaways
• Beyond traditional host- or network-based intrusion detection, there is intrusion detection for the cloud
• AWS provides a variety of mechanisms and support that you can and should leverage to monitor key security controls
• Tinker, give us feedback, and approach our partners about incorporating some ideas here
![Page 86: (SEC402) Intrusion Detection in the Cloud | AWS re:Invent 2014](https://reader031.vdocuments.net/reader031/viewer/2022020306/559446e51a28ab0f0d8b4579/html5/thumbnails/86.jpg)
Downloads
• Example Intrusion Detection Script
https://reinvent2014-sec402.s3.amazonaws.com/SecConfig.py
• Regional Billing Alert Script
https://reinvent2014-sec402.s3.amazonaws.com/regional_billing_alert.rb
![Page 87: (SEC402) Intrusion Detection in the Cloud | AWS re:Invent 2014](https://reader031.vdocuments.net/reader031/viewer/2022020306/559446e51a28ab0f0d8b4579/html5/thumbnails/87.jpg)
Please give us your feedback on this session.
Complete session evaluations and earn re:Invent swag.
http://bit.ly/awsevals