Serverless Security Automation | AWS Public Sector Summit 2017


© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

Serverless Security Automation

Will St. Clair – Solutions Architect - Education, Amazon Web Services

Kym Weiland – Director of Release Implementation, FINRA

Stephen Mele – Software Developer, FINRA

June 13, 2017

Agenda

• AWS governance in the enterprise
• Key configuration and control points
• Serverless computing with AWS Lambda and AWS Step Functions
• Example: Building automation to deploy configuration and remediate issues
• Customer case study: FINRA

AWS adoption patterns

• In highly federated organizations, AWS adoption often begins flowing from the bottom up
• In parallel, central IT often begins establishing a formal architecture for AWS
• Need a governance approach that:
  • Meets the organization’s requirements
  • Scales to all users of AWS
  • Enables use of the complete AWS platform

(Figure: top-down adoption by central IT meeting bottom-up adoption by end users)

Tailor governance based on impact

(Figure: accounts placed on two axes, Availability and Confidentiality, each running from Low to High)

Higher-impact accounts are more likely to be managed by central or departmental IT groups and will have more security controls.

Lower-impact accounts still have basic security controls, but can be issued freely to end users for test, development, or low impact research and production workloads.

Administrators should…

For high-impact workloads

• know how to map their organization’s controls to appropriate AWS configuration
• use AWS (and partner) solutions to automate monitoring and remediation

For all workloads

• establish infrastructure to analyze Cost and Usage Reports and charge back usage
• automate the issuance and security of AWS accounts for all users
  • otherwise, end users doing exploratory or low-risk work will not be visible

Key configuration points

• AWS CloudFormation
• Amazon CloudWatch: CloudWatch Events
• AWS Config: Config Rules
• AWS CloudTrail
• Manual configuration: root MFA, alternate contacts, security questions
• IAM: managed policies, roles
• Amazon VPC: VPC peering, flow logs

Key configuration points: CloudFormation

• Write JSON or YAML templates to define AWS resources
• Use to deploy:
  • Identity and Access Management policies and roles
  • Virtual Private Cloud configurations
  • etc.

Example resources from a template (IAM groups whose members can assume an MFA-protected role):

Administrators:
  Type: AWS::IAM::Group
  Properties:
    GroupName: SecurityAdministrators
    ManagedPolicyArns:
      - !Ref AssumeAdministratorRoleWithMFAPolicy
      - arn:aws:iam::aws:policy/AdministratorAccess

SecurityAuditors:
  Type: AWS::IAM::Group
  Properties:
    GroupName: SecurityAuditors
    ManagedPolicyArns:
      - !Ref AssumeSecurityAuditorRoleWithMFAPolicy

Key Configuration Points: IAM

• Each AWS account should have centrally-managed Managed Policies and Roles
• Roles should be configured to trust the organization’s IdP and/or an AWS account used to supervise managed accounts

(Figure: Administrator and SecurityAuditor roles in a departmental account, with a trust policy pointing at the supervisor account)

Key Configuration Points: AWS Config

• AWS Config creates Configuration Snapshots, which are JSON documents describing the current state of the environment
  • Virtual Private Cloud configurations, running instances, and more
• AWS Config Rules let you define conditions and monitor whether an account is in or out of compliance with policy
  • Administrators see red/green status for defined rules

How do we manage all these configuration points?

• Manually
• Locally-run scripts
• Fully automated, composable modules running in AWS

Serverless computing with AWS Lambda

Continuous scaling · No servers to manage · Subsecond metering

AWS Lambda handles:

• Operations and management
• Provisioning and utilization
• Scaling
• Availability and fault tolerance

Automatically scales your application, running code in response to each trigger. Your code runs in parallel and processes each trigger individually, scaling precisely with the size of the workload.

Pricing

• CPU and Network scaled based on RAM (128 MB to 1500 MB)
• $0.20 per 1M requests
• Price per 100ms

Introducing AWS Step Functions

• Write single-task Lambda functions instead of complex scripts
• Define your workflow logic in one place
• Scalable, resilient, agile
• Fully managed by AWS
• No servers to run
• Doesn’t lose state

Example: Cross-account CloudWatch Events

• CloudWatch Events enables administrators to subscribe to events about activity in their AWS account
  • Calls to AWS APIs
  • Instance lifecycle (start/stop)
  • Maintenance windows and health notifications
• We’d like to automatically enable access logs for new Amazon Simple Storage Service (S3) buckets

Example: Cross-account CloudWatch Events

(Figure: event flow from a managed account to the consolidated admin account)

• Managed account: an API call raises a CloudWatch event, which publishes the event to an SNS topic
• Consolidated admin account: a Lambda event handler subscribes to the topic and creates an execution of the remediation workflow (a Step Functions state machine)
• The remediation task states assume SupervisorAdminRole in the managed account and invoke Amazon S3: GET bucket logging, then PUT bucket logging
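The handler side of the flow above, as an added example that is not code from the talk: it parses the SNS-forwarded CloudTrail event, assumes SupervisorAdminRole in the managed account, and only PUTs bucket logging when GET shows none. The sample event, the role name usage, the central log bucket naming (`central-logs-<account>`) and the log prefix are assumptions; the target bucket is assumed to already grant S3 log delivery permission.

```python
import json
from typing import Any, Dict, Optional, Tuple

# Constructed sample: one SNS record carrying a CloudTrail "CreateBucket" event from a managed account.
SAMPLE_SNS_EVENT = {"Records": [{"Sns": {"Message": json.dumps({
    "detail-type": "AWS API Call via CloudTrail",
    "account": "111111111111",   # constructed managed-account id
    "region": "us-east-1",
    "detail": {"eventSource": "s3.amazonaws.com", "eventName": "CreateBucket",
               "requestParameters": {"bucketName": "example-new-bucket"}}})}}]}

def parse_create_bucket(sns_event: Dict[str, Any]) -> Optional[Tuple[str, str, str]]:
    """Return (account_id, region, bucket) for the first CreateBucket call in the SNS payload."""
    for record in sns_event.get("Records", []):
        body = json.loads(record["Sns"]["Message"])
        detail = body.get("detail", {})
        if detail.get("eventSource") == "s3.amazonaws.com" and detail.get("eventName") == "CreateBucket":
            return body["account"], body["region"], detail["requestParameters"]["bucketName"]
    return None

def desired_logging(bucket: str, log_bucket: str) -> Dict[str, Any]:
    """PUT bucket logging body: deliver access logs to the central bucket under a per-bucket prefix."""
    return {"LoggingEnabled": {"TargetBucket": log_bucket, "TargetPrefix": f"s3-access/{bucket}/"}}

def remediate_bucket_logging(s3, bucket: str, log_bucket: str) -> str:
    """GET bucket logging first; PUT only when nothing is configured, so an existing policy is kept."""
    current = s3.get_bucket_logging(Bucket=bucket)
    if "LoggingEnabled" in current:
        return "already-configured"
    s3.put_bucket_logging(Bucket=bucket, BucketLoggingStatus=desired_logging(bucket, log_bucket))
    return "enabled"

def lambda_handler(event, context):
    """Entry point in the admin account: scope an S3 client to the managed account, then remediate."""
    import boto3  # imported here so the pure functions above can be exercised without boto3 installed
    found = parse_create_bucket(event)
    if found is None:
        return {"status": "ignored"}
    account, region, bucket = found
    creds = boto3.client("sts").assume_role(
        RoleArn=f"arn:aws:iam::{account}:role/SupervisorAdminRole",
        RoleSessionName="s3-logging-remediation")["Credentials"]
    s3 = boto3.client("s3", region_name=region,
                      aws_access_key_id=creds["AccessKeyId"],
                      aws_secret_access_key=creds["SecretAccessKey"],
                      aws_session_token=creds["SessionToken"])
    return {"status": remediate_bucket_logging(s3, bucket, f"central-logs-{account}")}
```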

Example: Deploy CloudFormation template

• Maintain a library of CloudFormation templates to enable common functionality
  • Standard network configurations
  • Frequently deployed applications (e.g., LAMP stack)
• We’d like to automatically deploy or update a given template in a target AWS account

Example: Deploy CloudFormation template

(Figure: administration account and managed account)

• Administration account: an IAM user invokes the UpdateManagedAccount Step Functions state machine; its ApplyTemplate and CheckTmplStatus task states run under SupervisorLambdaRole
• Template library: roles.yaml, common.yaml, etc.yaml
• Managed account: SupervisorAdminRole assumes XAcctRole (each role with its own trust policy); ApplyTemplate creates or updates the CloudFormation stack and CheckTmplStatus waits for the stack
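The two task states from the diagram above, written as an added example rather than the talk's own code. It assumes each task receives a CloudFormation client already scoped to the managed account (XAcctRole assumed beforehand), that the state machine's Choice state loops through a Wait state while the outcome is "WAIT", and it handles the two cases a naive create/update script trips over: a stack that does not exist yet and an update with no changes.

```python
from typing import Any, Dict

# CloudFormation stack statuses that CheckTmplStatus maps onto a workflow outcome.
IN_PROGRESS = {"CREATE_IN_PROGRESS", "UPDATE_IN_PROGRESS", "ROLLBACK_IN_PROGRESS",
               "UPDATE_ROLLBACK_IN_PROGRESS", "UPDATE_COMPLETE_CLEANUP_IN_PROGRESS"}
SUCCEEDED = {"CREATE_COMPLETE", "UPDATE_COMPLETE"}

def apply_template(cfn, stack_name: str, template_body: str,
                   capabilities=("CAPABILITY_NAMED_IAM",)) -> Dict[str, Any]:
    """ApplyTemplate task: create the stack when it does not exist, otherwise update it.
    `cfn` is a CloudFormation client for the managed account. Named IAM groups such as the
    SecurityAdministrators group need CAPABILITY_NAMED_IAM, so it is the default here."""
    args = dict(StackName=stack_name, TemplateBody=template_body, Capabilities=list(capabilities))
    try:
        cfn.describe_stacks(StackName=stack_name)
        exists = True
    except Exception as err:  # boto3 raises ClientError("... does not exist") for a missing stack
        if "does not exist" not in str(err):
            raise
        exists = False
    if not exists:
        cfn.create_stack(**args)
        return {"stack": stack_name, "action": "create"}
    try:
        cfn.update_stack(**args)
        return {"stack": stack_name, "action": "update"}
    except Exception as err:  # re-applying an unchanged template is a no-op, not a failure
        if "No updates are to be performed" in str(err):
            return {"stack": stack_name, "action": "no-change"}
        raise

def check_template_status(cfn, task_input: Dict[str, Any]) -> Dict[str, Any]:
    """CheckTmplStatus task: classify the stack status for the state machine's Choice state.
    'WAIT' means pause and call this task again; any status that is neither in progress nor a
    clean completion (e.g. ROLLBACK_COMPLETE) ends the workflow as a failure."""
    status = cfn.describe_stacks(StackName=task_input["stack"])["Stacks"][0]["StackStatus"]
    if status in SUCCEEDED:
        outcome = "SUCCEEDED"
    elif status in IN_PROGRESS:
        outcome = "WAIT"
    else:
        outcome = "FAILED"
    return {**task_input, "stack_status": status, "outcome": outcome}
```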


FINRA Development Services

June 13, 2017

FINRA Gatekeeper

Kym Weiland & Stephen Mele

Problem

• Transparency
• Governance
• DevOps
• Access Control
• Compliance
• Transient Platform

Approach

• Automation
• Timely & Responsive
• Auditable
• Temporary
• Discourage access to servers
• Group Membership

SSM Documents - Create

{
  "schemaVersion": "1.2",
  "description": "Script for GateKeeper to create temp user.",
  "parameters": {
    … Parameter details here …
  },
  "runtimeConfig": {
    "aws:runShellScript": {
      "properties": [
        {
          "id": "0.aws:runShellScript",
          "runCommand": [
            "useradd -e `date -d '+2 days' '+%Y-%m-%d'` {{ userName }}",
            "mkdir /home/{{ userName }}/.ssh",
            "echo '{{ publicKey }}' >> /home/{{ userName }}/.ssh/authorized_keys",
            "chown -R {{ userName }}:{{ userName }} /home/{{ userName }}",
            "chmod -R go-rwx /home/{{ userName }}/.ssh",
            "echo '{{ userName }} ALL=(ALL) NOPASSWD: ALL' > /etc/sudoers.d/{{ userName }}"
          ],
          "workingDirectory": "/root",
          "timeoutSeconds": "{{ executionTimeout }}"
        }
      ]
    }
  }
}

SSM Documents - Remove

{
  "schemaVersion": "1.2",
  "description": "Script for GateKeeper to cleanup expired users.",
  "parameters": {
    … Parameter details here ...
  },
  "runtimeConfig": {
    "aws:runShellScript": {
      "properties": [
        {
          "id": "0.aws:runShellScript",
          "runCommand": [
            "cut -f1 -d':' /etc/passwd | grep {{ userName }} > /dev/null && (userdel -rf {{ userName }} ; echo 'user deleted' ) || echo 'no user to delete'",
            "ls /etc/sudoers.d/ | grep {{ userName }} > /dev/null && (rm -f /etc/sudoers.d/{{ userName }} ; echo 'sudo file deleted' ) || echo 'no sudo file to delete'"
          ],
          "workingDirectory": "/root",
          "timeoutSeconds": "{{ executionTimeout }}"
        }
      ]
    }
  }
}
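Both documents above substitute {{ userName }} and {{ publicKey }} straight into shell command strings, and their "parameters" section is elided on the slides. As an added example (not FINRA's code), this is what a constrained parameter section and the matching Gatekeeper-side check could look like: allowedPattern makes SSM reject a SendCommand whose values fall outside the allow-list, the app repeats the same check before calling, and the expiry the create document sets with `useradd -e` is computed for the audit record. The patterns, descriptions and document name are hypothetical.

```python
import re
from datetime import date, timedelta

# Allow-lists for the values substituted into the {{ userName }}, {{ publicKey }} and
# {{ executionTimeout }} placeholders. Hypothetical patterns: they admit no quotes,
# backticks, spaces (beyond the key's field separators) or path separators.
USER_NAME_PATTERN = r"^[a-z][a-z0-9_-]{0,31}$"
PUBLIC_KEY_PATTERN = r"^ssh-(rsa|ed25519) [A-Za-z0-9+/]+={0,3}( [A-Za-z0-9@._-]+)?$"
TIMEOUT_PATTERN = r"^[0-9]{1,4}$"

# The "parameters" section the slides elide, with allowedPattern so that SSM itself
# refuses a SendCommand whose values do not match (descriptions are hypothetical).
DOCUMENT_PARAMETERS = {
    "userName": {"type": "String", "description": "Temporary Linux user to create",
                 "allowedPattern": USER_NAME_PATTERN},
    "publicKey": {"type": "String", "description": "SSH public key for the temporary user",
                  "allowedPattern": PUBLIC_KEY_PATTERN},
    "executionTimeout": {"type": "String", "default": "120", "allowedPattern": TIMEOUT_PATTERN},
}

def expiry_date(today: date, lifetime_days: int = 2) -> str:
    """Account expiry that `useradd -e` records; the create document uses +2 days."""
    return (today + timedelta(days=lifetime_days)).isoformat()

def validate_parameters(values: dict) -> dict:
    """App-side copy of the allowedPattern checks. Returns SendCommand-shaped parameters."""
    out = {}
    for name, spec in DOCUMENT_PARAMETERS.items():
        value = values.get(name, spec.get("default"))
        if value is None:
            raise ValueError(f"missing parameter {name}")
        if not re.fullmatch(spec["allowedPattern"], value):
            raise ValueError(f"parameter {name} does not match allowedPattern")
        out[name] = [value]  # SSM SendCommand takes a list of strings per parameter
    return out

def build_send_command(document_name: str, instance_ids: list, values: dict) -> dict:
    """Keyword arguments for ssm.send_command(); targets are explicit instance ids only,
    so a request can never fan out to instances the approval did not cover."""
    if not instance_ids:
        raise ValueError("at least one instance id is required")
    return {"DocumentName": document_name, "InstanceIds": list(instance_ids),
            "Parameters": validate_parameters(values)}
```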

Solution

• SSM Controlled Documents
• Secure Password Generation and Distribution
• Only Internal Destinations
• Generated Compliant Temporary Users
• Automated Removal
• Integrated With Enterprise Firewalls

Gatekeeper High Level

(Figure: users submit requests to the Gatekeeper app, which stores request data, searches EC2 via the AWS API, and calls SSM to reach Amazon EC2 instances in the Amazon VPCs)

Gatekeeper Detailed

Security Configuration

• SSM document IAM role based
• Approval process AWS-Tag informed
• Security Group bounded
• Still tied to organization and firewall security

DevOps Methodology

• Self service for delivery teams
• Allow for secured PEM file
• No individual key management
• Automated onboarding of fleet
• Audit trail & reporting
