Sensors on AWS
Bertram Dorn, EMEA Specialized Solutions Architect, Security and Compliance
Source: aws-de-media.s3.amazonaws.com/images/Webinar/2016...

May 23, 2020

Transcript
Page 1:

Sensors on AWS
Bertram Dorn
EMEA Specialized Solutions Architect
Security and Compliance

Page 2:

Agenda:
• Overview
• CloudTrail
  • Source
  • Structure
  • Analytics options
• VPC FlowLogs
  • What for
  • Where from
  • How structured
  • How to access them
  • Some analytics

Page 3:

CloudTrail: An Intro

Page 4:

What can you answer using a CloudTrail event?

• Who made the API call?
• When was the API call made?
• What was the API call?
• Which resources were acted upon in the API call?
• Where was the API call made from and made to?

Page 5:

AWS CloudTrail

CloudTrail can help you achieve many tasks
• Security analysis
• Track changes to AWS resources, for example VPC security groups and NACLs
• Compliance – log and understand AWS API call history
• Prove that you did not:
  • Use the wrong region
  • Use services you don't want
• Troubleshoot operational issues – quickly identify the most recent changes to your environment

Page 6:

AWS CloudTrail logs can be delivered cross-account

CloudTrail can help you achieve many tasks
• Accounts can send their trails to a central account
• Central account can then do analytics
• Central account can:
  • Redistribute the trails
  • Grant access to the trails
  • Filter and reformat trails (to meet privacy requirements)

Page 7:

Turn on CloudTrail

Page 8:

Turn on CloudTrail using AWS CLI

• Step 1: Create a trail

    # The destination bucket must already exist and carry a bucket policy that
    # lets the CloudTrail service write into it; the CLI option that names the
    # bucket is --s3-bucket-name.
    $ aws cloudtrail create-trail --region=eu-central-1 \
        --name ITAuditandOpsTrail --s3-bucket-name mybucket

• Step 2: Start logging on the trail

    # A newly created trail does not record anything until logging is started.
    $ aws cloudtrail start-logging --region=eu-central-1 \
        --name ITAuditandOpsTrail

Page 9:

What does an event look like?

    {
      "eventVersion": "1.01",
      "userIdentity": {
        "type": "IAMUser",                               // Who?
        "principalId": "AIDAJDPLRKLG7UEXAMPLE",
        "arn": "arn:aws:iam::123456789012:user/Alice",   // Who?
        "accountId": "123456789012",
        "accessKeyId": "AKIAIOSFODNN7EXAMPLE",
        "userName": "Alice",
        "sessionContext": {
          "attributes": {
            "mfaAuthenticated": "false",
            "creationDate": "2014-03-18T14:29:23Z"
          }
        }
      },
      "eventTime": "2014-03-18T14:30:07Z",               // When?
      "eventSource": "cloudtrail.amazonaws.com",
      "eventName": "StartLogging",                       // What?
      "awsRegion": "us-west-2",                          // Where to?
      "sourceIPAddress": "72.21.198.64",                 // Where from?
      "userAgent": "AWSConsole, aws-sdk-java/1.4.5 Linux/x.xx.fleetxen Java_HotSpot(TM)_64-Bit_Server_VM/xx",
      "requestParameters": {
        "name": "Default"                                // Which resource?
      },
      // more event details
    }
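The five questions from the "What can you answer" slide map directly onto fields of the event above. The following added example (not code from the webinar or from AWS) pulls those answers out of the sample event and applies two checks the earlier slides motivate: "did anyone use the wrong region?" and "was a change made by a session without MFA?". The read-only prefix list and the `flag_event` policy are assumptions made for this example, and the sample event is the slide's own record with the `//` annotations removed so that it parses as JSON.

```python
import json
from datetime import datetime, timezone

# Constructed sample: the CloudTrail event from the slide, annotations removed.
SAMPLE_EVENT_JSON = """{
  "eventVersion": "1.01",
  "userIdentity": {
    "type": "IAMUser",
    "principalId": "AIDAJDPLRKLG7UEXAMPLE",
    "arn": "arn:aws:iam::123456789012:user/Alice",
    "accountId": "123456789012",
    "accessKeyId": "AKIAIOSFODNN7EXAMPLE",
    "userName": "Alice",
    "sessionContext": {
      "attributes": {
        "mfaAuthenticated": "false",
        "creationDate": "2014-03-18T14:29:23Z"
      }
    }
  },
  "eventTime": "2014-03-18T14:30:07Z",
  "eventSource": "cloudtrail.amazonaws.com",
  "eventName": "StartLogging",
  "awsRegion": "us-west-2",
  "sourceIPAddress": "72.21.198.64",
  "userAgent": "AWSConsole, aws-sdk-java/1.4.5 Linux/x.xx.fleetxen Java_HotSpot(TM)_64-Bit_Server_VM/xx",
  "requestParameters": {"name": "Default"}
}"""

# Heuristic (an assumption of this example): API names starting with these
# prefixes only read state; everything else is treated as a change.
READ_ONLY_PREFIXES = ("Get", "List", "Describe", "Lookup")


def load_event(text: str) -> dict:
    """Parse one CloudTrail event record from its JSON text."""
    return json.loads(text)


def summarize_event(event: dict) -> dict:
    """Answer the slide's five questions for one event: who, when, what,
    where (to / from) and which resource."""
    ident = event.get("userIdentity", {})
    attrs = ident.get("sessionContext", {}).get("attributes", {})
    when = datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
    return {
        "who": ident.get("arn") or ident.get("principalId"),
        "when": when.replace(tzinfo=timezone.utc),
        "what": f'{event["eventSource"]}:{event["eventName"]}',
        "where_to": event.get("awsRegion"),
        "where_from": event.get("sourceIPAddress"),
        "which": event.get("requestParameters") or {},
        # CloudTrail records the MFA flag as the strings "true" / "false"
        "mfa": attrs.get("mfaAuthenticated") == "true",
    }


def is_read_only(event_name: str) -> bool:
    return event_name.startswith(READ_ONLY_PREFIXES)


def flag_event(event: dict, allowed_regions: set) -> list:
    """Policy findings for one event, as short strings: a call made to a
    region outside the allow-list, or a mutating call from a session that
    was not MFA-authenticated."""
    s = summarize_event(event)
    findings = []
    if s["where_to"] not in allowed_regions:
        findings.append(f"region {s['where_to']} not in allow-list")
    if not is_read_only(event["eventName"]) and not s["mfa"]:
        findings.append(f"mutating call {event['eventName']} without MFA")
    return findings


if __name__ == "__main__":
    ev = load_event(SAMPLE_EVENT_JSON)
    for key, value in summarize_event(ev).items():
        print(f"{key:>10}: {value}")
    print(flag_event(ev, allowed_regions={"eu-central-1"}))
```

Run against the sample, the summary names Alice's ARN, the StartLogging call and its source IP, and `flag_event` reports both findings: us-west-2 is not in the allow-list, and the trail was started without MFA.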

Page 10:

Receive email notifications of specific API activity

Lambda

Page 11:

CloudTrail: Demo

Page 12:

VPC FlowLogs: Detailed

Page 13:

Firewall Requirements
• Based on NIST 800, BSI IT-Grundschutz and others
  – Anti-Spoofing
  – Packet-Filtering (minimum) stateful/stateless
  – Segregation of Duties at the management side
  – Logging/Audit capabilities on the management side
  – Event-Logging on processed traffic

Diagram labels: Security Group, IAM, AWS Config, CloudTrail, FlowLogs

Page 14:

The Source I

Diagram: CloudWatch Logs → Log Group → one ENI-LogStream per network interface (seven shown)

Page 15:

The Source II

Diagram: Flows through a VPC spanning Availability Zone A and Availability Zone B; Virtual Private Gateway and Internet Gateway; Router; Subnet 10.0.0.0/24 and Subnet 10.0.1.0/24, each with its own Routing Table and Network ACL; Security Groups at the instances.

Captions:
• Lockdown at instance level (Security Group)
• Isolate network functions
• Lockdown at network level (Network ACL)
• Route restrictively (Routing Table)

Page 16:

Structure I

Field                Sample value
Event-Version        2
Account Number       123456789
ENI-ID               eni-31607853
Source-IP            172.16.0.10
Destination-IP       172.16.0.172
Source-Port          80
Destination-Port     41707
Proto-Number         6
Number of Packets    1
Number of Bytes      40
Start-Time Window    1440402534
End-Time Window      1440402589
Action               ACCEPT
State                OK

Sample record as logged (one line, space-separated):

    2 123456789 eni-31607853 172.16.0.10 172.16.0.172 80 41707 6 1 40 1440402534 1440402589 ACCEPT OK

Page 17:

Structure II

Flow Logs are STATISTICAL: each record aggregates activity over a window of time

• Start-Time Window
• End-Time Window
• Number of Packets
• Number of Bytes
• Action

Page 18:

Structure III

TIME

S/D IP/Port Tuple

?

Page 19:

Example

Page 20:

How To Access

Diagram: CloudWatch Logs → Log Group → one ENI-LogStream per network interface (seven shown); each stream is read over a TIME axis between a Start and an End.

Page 21:

Some Analytics

Time: 1 month, 2 public IPs

    ('Number of Source IPs: ', 48604)
    ('Number of Destionation IPs: ', 5373)
    ('Number of Source Ports: ', 64363)
    ('Number of Destionation Ports: ', 64348)
    ('Number of Bytes IPs: ', 887551682.0)
    ('Number of Packets IPs: ', 8400707.0)
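The figures above are distinct counts and totals computed over a month of records laid out as on the Structure I slide. The following added example (not code from the webinar or from AWS) parses records in that fourteen-field format, produces the same kind of summary, and adds one detection that the Structure II point makes possible: because each record is a per-window aggregate with an Action, a source that was REJECTed on many distinct destination ports within the same window stands out. The sample log is constructed for this example: it starts with the slide's own record and adds invented flows on the same ENI plus a NODATA record (no traffic in the window; the fields are "-"), which the parser must tolerate. The fan-out threshold is an assumption of this example.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Field order of a version-2 VPC Flow Log record, following the Structure I slide.
FIELDS = ("version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes",
          "start", "end", "action", "log_status")

# Constructed sample: the slide's record, a few invented flows, one NODATA record.
SAMPLE_LOG = """\
2 123456789 eni-31607853 172.16.0.10 172.16.0.172 80 41707 6 1 40 1440402534 1440402589 ACCEPT OK
2 123456789 eni-31607853 172.16.0.172 172.16.0.10 41707 80 6 3 180 1440402534 1440402589 ACCEPT OK
2 123456789 eni-31607853 198.51.100.7 172.16.0.10 53120 22 6 4 240 1440402534 1440402589 REJECT OK
2 123456789 eni-31607853 198.51.100.7 172.16.0.10 53121 23 6 2 120 1440402534 1440402589 REJECT OK
2 123456789 eni-31607853 198.51.100.7 172.16.0.10 53122 3389 6 1 60 1440402534 1440402589 REJECT OK
2 123456789 eni-31607853 - - - - - - - 1440402534 1440402589 - NODATA
"""


@dataclass
class FlowRecord:
    version: int
    account_id: str
    interface_id: str
    srcaddr: Optional[str]
    dstaddr: Optional[str]
    srcport: Optional[int]
    dstport: Optional[int]
    protocol: Optional[int]
    packets: Optional[int]
    bytes: Optional[int]
    start: int
    end: int
    action: Optional[str]
    log_status: str

    @property
    def window_seconds(self) -> int:
        """Length of the aggregation window; packets and bytes are totals over it."""
        return self.end - self.start


def _opt(token: str) -> Optional[str]:
    return None if token == "-" else token


def _opt_int(token: str) -> Optional[int]:
    return None if token == "-" else int(token)


def parse_flow_record(line: str) -> FlowRecord:
    """Parse one space-separated record; '-' fields (NODATA/SKIPDATA) become None."""
    tokens = line.split()
    if len(tokens) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(tokens)}: {line!r}")
    f = dict(zip(FIELDS, tokens))
    return FlowRecord(
        version=int(f["version"]), account_id=f["account_id"],
        interface_id=f["interface_id"],
        srcaddr=_opt(f["srcaddr"]), dstaddr=_opt(f["dstaddr"]),
        srcport=_opt_int(f["srcport"]), dstport=_opt_int(f["dstport"]),
        protocol=_opt_int(f["protocol"]),
        packets=_opt_int(f["packets"]), bytes=_opt_int(f["bytes"]),
        start=int(f["start"]), end=int(f["end"]),
        action=_opt(f["action"]), log_status=f["log_status"],
    )


def parse_flow_logs(text: str) -> list:
    return [parse_flow_record(line) for line in text.splitlines() if line.strip()]


def summarize(records: list) -> dict:
    """Distinct counts and totals of the kind printed on the slide.
    Only records with log_status OK carry data; NODATA/SKIPDATA are skipped."""
    data = [r for r in records if r.log_status == "OK"]
    return {
        "source_ips": len({r.srcaddr for r in data}),
        "destination_ips": len({r.dstaddr for r in data}),
        "source_ports": len({r.srcport for r in data}),
        "destination_ports": len({r.dstport for r in data}),
        "bytes": sum(r.bytes for r in data),
        "packets": sum(r.packets for r in data),
    }


def rejected_port_fanout(records: list, min_ports: int = 3) -> dict:
    """Sources whose flows were REJECTed on at least min_ports distinct
    destination ports: a cheap indicator of probing against a security
    group or NACL that merits a closer look."""
    ports = defaultdict(set)
    for r in records:
        if r.action == "REJECT":
            ports[r.srcaddr].add(r.dstport)
    return {src: sorted(p) for src, p in ports.items() if len(p) >= min_ports}


if __name__ == "__main__":
    recs = parse_flow_logs(SAMPLE_LOG)
    for name, value in summarize(recs).items():
        print(f"{name}: {value}")
    print("rejected fan-out:", rejected_port_fanout(recs))
```

On the sample the summary reports 3 source IPs, 2 destination IPs, 5 source and 5 destination ports, 640 bytes and 11 packets, and the fan-out check singles out 198.51.100.7 for rejected flows on ports 22, 23 and 3389 inside one 55-second window. Replace `SAMPLE_LOG` with the text of an ENI log stream to run it on real data.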

Page 22:

Some Analytics

Page 23:

Some Analytics

Page 24:

FlowLogs: Demo

Page 25:

Thank You