Reading the AWS Compliance Framework
Bertram Dorn, Specialized Solutions Architect EMEA for Security and Compliance
Shared Responsibility
Managed by AWS: Security of the Cloud (Cloud Service Provider Controls)
Managed by Customer: Security in the Cloud (Optimized Network/OS/App Controls)
Cross-service Controls
Service-specific Controls
Request reports at: aws.amazon.com/compliance/#contact
ISO27000
ISO9001
Agenda:
• Overview
• CloudTrail
  – Source
  – Structure
  – Analytics options
• VPC FlowLogs
  – What for
  – Where from
  – How structured
  – How to access them
  – Some analytics
What can you answer using a CloudTrail event?
• Who made the API call?
• When was the API call made?
• What was the API call?
• Which resources were acted upon in the API call?
• Where was the API call made from and made to?
AWS CloudTrail
CloudTrail can help you achieve many tasks
• Security analysis
• Track changes to AWS resources, for example VPC security groups and NACLs
• Compliance – log and understand AWS API call history
• Prove that you did not:
  – Use the wrong region
  – Use services you don’t want
• Troubleshoot operational issues – quickly identify the most recent changes to your environment
AWS CloudTrail logs can be delivered cross-account
• Accounts can send their trails to a central account
• Central account can then do analytics
• Central account can:
  – Redistribute the trails
  – Grant access to the trails
  – Filter and reformat trails (to meet privacy requirements)
Turn on CloudTrail using AWS CLI
• Step 1: Create a trail
$ aws cloudtrail create-trail --region=eu-central-1 \
    --name ITAuditandOpsTrail --s3-bucket mybucket
• Step 2: Start logging on the trail
$ aws cloudtrail start-logging --region=eu-central-1 \
    --name ITAuditandOpsTrail
What does an event look like?
{
  "eventVersion": "1.01",
  "userIdentity": {
    "type": "IAMUser",                              // Who?
    "principalId": "AIDAJDPLRKLG7UEXAMPLE",
    "arn": "arn:aws:iam::123456789012:user/Alice",  // Who?
    "accountId": "123456789012",
    "accessKeyId": "AKIAIOSFODNN7EXAMPLE",
    "userName": "Alice",
    "sessionContext": {
      "attributes": {
        "mfaAuthenticated": "false",
        "creationDate": "2014-03-18T14:29:23Z"
      }
    }
  },
  "eventTime": "2014-03-18T14:30:07Z",              // When?
  "eventSource": "cloudtrail.amazonaws.com",
  "eventName": "StartLogging",                      // What?
  "awsRegion": "us-west-2",                         // Where to?
  "sourceIPAddress": "72.21.198.64",                // Where from?
  "userAgent": "AWSConsole, aws-sdk-java/1.4.5 Linux/x.xx.fleetxen Java_HotSpot(TM)_64-Bit_Server_VM/xx",
  "requestParameters": {
    "name": "Default"                               // Which resource?
  },
  // more event details
}
Firewall Requirements
• Based on NIST 800, BSI IT-Grundschutz and others
  – Anti-Spoofing
  – Packet-Filtering (minimum) stateful/stateless
  – Segregation of Duties at the management side
  – Logging/Audit capabilities on the management side
  – Event-Logging on processed traffic
[Figure: AWS services shown against these requirements: Security Group, IAM, AWS Config, CloudTrail, FlowLogs]
The Source I
[Figure: CloudWatch Logs log group containing one log stream per ENI (ENI-LogStream)]
The Source II
[Figure: VPC spanning Availability Zone A and Availability Zone B, with subnets 10.0.0.0/24 and 10.0.1.0/24, each with its own Routing Table and Network ACL; Security Groups on the instances; a Router, a Virtual Private Gateway and an Internet Gateway; Flows drawn between the instances. Labels: Lockdown at instance level, Isolate network functions, Lockdown at network level, Route restrictively]
Structure I
Fields of a flow log record, in order:
Event-Version
Account-Number
ENI-ID
Source-IP
Destination-IP
Source-Port
Destination-Port
Proto-Number
Number of Packets
Number of Bytes
Start-Time Window
End-Time Window
Action
State
Example record:
2 123456789 eni-31607853 172.16.0.10 172.16.0.172 80 41707 6 1 40 1440402534 1440402589 ACCEPT OK
Structure II
Flow Logs are STATISTICAL: each record summarises activity in a window of time, not individual packets
Start-Time Window
End-Time Window
Number of Packets
Number of Bytes
Action
How To Access
[Figure: CloudWatch Logs log group with one ENI-LogStream per ENI; records laid out on a TIME axis between Start and End]
Some Analytics
Time -> 1 Month, 2 Public IPs
('Number of Source IPs: ', 48604)
('Number of Destionation IPs: ', 5373)
('Number of Source Ports: ', 64363)
('Number of Destionation Ports: ', 64348)
('Number of Bytes IPs: ', 887551682.0)
('Number of Packets IPs: ', 8400707.0)
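A parser for the flow log record layout from the Structure slides, plus the distinct-count and volume figures from the analytics slide, as an added example in Python (not code from the slides or from AWS). The sample records are constructed: the first is the slide's own example line, and a NODATA window is included to show why the State (log-status) field must be checked before a record's traffic fields are counted.

```python
# Added example, not from the slides. Sample records below are constructed.
from collections import namedtuple

# Field order of a version 2 flow log record, as listed on the Structure I slide.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()
FlowRecord = namedtuple("FlowRecord", FIELDS)

# Constructed sample: the slide's record, its reverse direction, a rejected SSH
# attempt from outside, and a NODATA window (traffic fields are '-').
SAMPLE_LOG = """\
2 123456789 eni-31607853 172.16.0.10 172.16.0.172 80 41707 6 1 40 1440402534 1440402589 ACCEPT OK
2 123456789 eni-31607853 172.16.0.172 172.16.0.10 41707 80 6 3 180 1440402534 1440402589 ACCEPT OK
2 123456789 eni-31607853 198.51.100.7 172.16.0.10 54321 22 6 5 300 1440402534 1440402589 REJECT OK
2 123456789 eni-31607853 - - - - - - - 1440402600 1440402659 - NODATA
"""

def parse_record(line):
    # Returns a typed FlowRecord, or None for windows whose log-status is not OK
    # (NODATA / SKIPDATA carry no traffic statistics and must not be summed).
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError("unexpected field count: %r" % line)
    rec = FlowRecord(*parts)
    if rec.log_status != "OK":
        return None
    return rec._replace(srcport=int(rec.srcport), dstport=int(rec.dstport),
                        protocol=int(rec.protocol), packets=int(rec.packets),
                        bytes=int(rec.bytes), start=int(rec.start), end=int(rec.end))

def summarize(text):
    # Aggregates over all OK windows; the per-window counts are statistics for
    # the Start..End interval, so totals are traffic volume, not packet captures.
    recs = [r for r in (parse_record(l) for l in text.splitlines() if l.strip()) if r]
    rejects = {}  # flows dropped by a security group or NACL, tallied per source
    for r in recs:
        if r.action == "REJECT":
            rejects[r.srcaddr] = rejects.get(r.srcaddr, 0) + 1
    return {
        "source_ips": len({r.srcaddr for r in recs}),
        "destination_ips": len({r.dstaddr for r in recs}),
        "source_ports": len({r.srcport for r in recs}),
        "destination_ports": len({r.dstport for r in recs}),
        "bytes": sum(r.bytes for r in recs),
        "packets": sum(r.packets for r in recs),
        "rejects_by_source": rejects,
    }

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```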