AWS Government, Education, and Nonprofit Symposium | Washington, DC | June 25-26, 2015
Transparency and Control with AWS CloudTrail and AWS Config
©2015, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Amazon Web Services (AWS)
Your Applications
AWS Infrastructure: Foundation Services, Deployment & Management, Application Services
Foundation Services
• Compute: Amazon EC2, AWS Lambda
• Storage & Content Delivery: Amazon S3, AWS Storage Gateway, Amazon EBS, Amazon Glacier, Amazon CloudFront
• Database: Amazon RDS, Amazon DynamoDB, Amazon ElastiCache, Amazon Redshift
• Networking: Amazon VPC, AWS Direct Connect, Amazon Route 53
• Administration & Security: AWS Directory Service, AWS Config, AWS Identity and Access Management, AWS Trusted Advisor, AWS CloudTrail, Amazon CloudWatch, AWS CloudHSM
Deployment & Management
• AWS Elastic Beanstalk, AWS OpsWorks, AWS CloudFormation, AWS CodeDeploy
Application Services
• Analytics: Amazon EMR, Amazon Kinesis, AWS Data Pipeline
• Application Services: Amazon SQS, Amazon SWF, Amazon AppStream, Amazon Elastic Transcoder, Amazon SES, Amazon CloudSearch
• Mobile Services: Amazon Mobile Analytics, Amazon Cognito, Amazon SNS
• Enterprise Applications: Amazon WorkDocs, Amazon WorkSpaces, Amazon WorkMail
Agenda
• Talk about AWS [‘CloudTrail’, ‘Config’]
• Ponder AWS [‘CloudTrail’, ‘Config’]
• Contemplate AWS [‘CloudTrail’, ‘Config’]
– Log diving
• Correlation between [‘CloudTrail’, ‘Config’]
• Cross-account, role-based access
TL;DR – These are “complementary services”
AWS CloudTrail (an entity did something)
• Record of API requests and response elements – who did what and when, from where
AWS Config (resource changes and status)
• AWS account configuration
– Configuration item history
– Configuration item stream
– Configuration item snapshots
• Optionally, a notification whenever a resource is created, modified, or deleted, with the resulting configuration
AWS CloudTrail
AWS CloudTrail is a web service that records AWS API calls for your account and delivers log files to you.
The recorded information includes:
• The identity of the API caller
• The time of the API call
• The source IP address of the API caller
• The request parameters
• The response elements returned by the AWS service
Use AWS CloudTrail to track access to APIs and IAM
Increase your visibility of what happened in your AWS environment – who did what and when, from where
• CloudTrail will record access to API calls and save logs in your Amazon S3 bucket, no matter how those API calls were made
• Who did what and when and from what IP address
• Receive notification of log file delivery using the Amazon Simple Notification Service (Amazon SNS)
• Rapid integration of AWS services since launch, with more supported services coming soon
• Aggregate log information into a single S3 bucket
• AWS Partner integration with log analysis tools from AlertLogic, Boundary, CloudCheckr, DataDog, Graylog2, LogEntries, Splunk, and SumoLogic
AWS CloudTrail logs can be used for many powerful use cases
CloudTrail can help you achieve many tasks
• Security analysis
• Track changes to AWS resources
– e.g., VPC security groups and NACLs
• Compliance
– Understand AWS API call history
• Troubleshoot operational issues
– Quickly identify the most recent changes to your environment
• AWS CloudTrail console API activity history search
– Look up API activity captured for your AWS account in the last 7 days
– Filter with an attribute and time range
Now monitor everything with Amazon CloudWatch Logs
Amazon CloudWatch Logs can monitor your system, application, and custom log files from Amazon EC2 instances and other sources, for example:
• Monitor your web server HTTP log files and use CloudWatch metric filters to identify 404 errors and count the number of occurrences within a specified time period
• Use CloudWatch alarms to notify you when the number of 404 errors breaches whatever threshold you decide to set – you could use this to automatically generate a ticket for investigation
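The metric filter and alarm pattern described on this slide, reproduced locally so the counting logic can be inspected. This is an added example, not code from the presentation or from AWS: it parses Common Log Format lines, counts 404 responses per fixed-size window (the metric filter), and reports the windows whose count reaches a threshold (the alarm). The log lines are constructed sample data, and the one-minute window and threshold of 3 are assumptions.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Common Log Format: client, identity, user, [timestamp], "request", status, size
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample lines (not from any real server): four 404s in the 16:44 minute,
# one in 16:45, plus one malformed line that the parser must skip rather than crash on.
SAMPLE_LINES = """
203.0.113.10 - - [19/Jun/2015:16:44:01 +0000] "GET /index.html HTTP/1.1" 200 5120
203.0.113.10 - - [19/Jun/2015:16:44:03 +0000] "GET /old-report.pdf HTTP/1.1" 404 209
203.0.113.10 - - [19/Jun/2015:16:44:04 +0000] "GET /images/logo.gif HTTP/1.1" 404 209
203.0.113.11 - - [19/Jun/2015:16:44:30 +0000] "GET /favicon.ico HTTP/1.1" 404 209
203.0.113.11 - - [19/Jun/2015:16:44:59 +0000] "GET /page-moved.html HTTP/1.1" 404 209
not a log line at all
203.0.113.12 - - [19/Jun/2015:16:45:10 +0000] "GET /about.html HTTP/1.1" 200 2048
203.0.113.12 - - [19/Jun/2015:16:45:12 +0000] "GET /archive/2014 HTTP/1.1" 404 209
""".strip().splitlines()


def parse_line(line):
    """Return the fields of one access-log line, or None if the line does not match the format."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return {
        "client": m["client"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "request": m["request"],
        "status": int(m["status"]),
    }


def floor_to_window(ts, window):
    """Align a timestamp to the start of its fixed-size evaluation window."""
    secs = int(ts.timestamp())
    width = int(window.total_seconds())
    return datetime.fromtimestamp(secs - secs % width, tz=ts.tzinfo)


def count_status_per_window(lines, status=404, window=timedelta(minutes=1)):
    """Metric-filter equivalent: count lines carrying the given status code in each window."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["status"] != status:
            continue
        counts[floor_to_window(rec["ts"], window)] += 1
    return counts


def breaching_windows(counts, threshold):
    """Alarm equivalent: window start times whose count reaches the threshold, in time order."""
    return sorted(start for start, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    per_minute = count_status_per_window(SAMPLE_LINES)
    for start in breaching_windows(per_minute, threshold=3):
        print(f"ALARM: {per_minute[start]} x 404 in the minute starting {start:%Y-%m-%d %H:%M}")
```

Ignoring malformed lines instead of aborting mirrors what a metric filter does with non-matching events; a production version would count those separately, since a sudden rise in unparseable lines is itself worth a look.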
AWS Config
AWS Config is a fully managed service that provides an inventory of your AWS resources, lets you audit the resource configuration history, and notifies you of resource configuration changes
AWS Config
Diagram: changing resources → continuous change recording → AWS Config → history, stream, snapshot (ex. 2015-06-26)
Relationships
• Bi-directional map of dependencies automatically assigned
• Change to a resource propagates to create configuration items for related resources
Example: Security Group sg-10dk8ej and EC2 instance i-123a3d9 are “associated with” each other
Relationships
Resource | Relationship | Related Resource
CustomerGateway | is attached to | VPN Connection
Elastic IP (EIP) | is attached to | Network Interface
Elastic IP (EIP) | is attached to | Instance
Instance | contains | Network Interface
Instance | is attached to | Elastic IP (EIP)
Instance | is contained in | Route Table
Instance | is associated with | Security Group
Instance | is contained in | Subnet
Instance | is attached to | Volume
Instance | is contained in | Virtual Private Cloud (VPC)
InternetGateway | is attached to | Virtual Private Cloud (VPC)
… | … | …
Configuration item
All configuration attributes for a given resource at a given point in time, captured on every configuration change
Component | Description | Contains
Metadata | Information about this configuration item | Version ID, configuration item ID, time when the configuration item was captured, state ID indicating the ordering of the configuration items of a resource, MD5 hash, etc.
Common Attributes | Resource attributes | Resource ID, tags, resource type, Amazon Resource Name (ARN), Availability Zone, etc.
Relationships | How the resource is related to other resources associated with the account | e.g., EBS volume vol-1234567 is attached to EC2 instance i-a1b2c3d4
Current Configuration | Information returned through a call to the Describe or List API of the resource | e.g., for an EBS volume: state of the DeleteOnTermination flag; type of volume (for example gp2, io1, or standard)
Related Events | The AWS CloudTrail events that are related to the current configuration of the resource | AWS CloudTrail event ID
Configuration item
AWS Config use cases
• Security analysis
• Audit compliance
• Change management
• Troubleshooting
• Discovery
Record correlation
The two record types share one key: the CloudTrail "eventID" appears in the "relatedEvents" array of the AWS Config configuration item it produced.
AWS CloudTrail record:
{
  "Records": [
    {
      …
      "responseElements": {…},
      "requestID": "27508138-3475-4b6e-9429-88118eb1622b",
      "eventID": "ac21dd8c-98fe-46f8-9fce-5b77ae607346",
      "eventType": "AwsApiCall",
      "recipientAccountId": "222222222222"
    }
  ]
}
AWS Config record:
{
  "fileVersion": "1.0",
  "configurationItems": [
    {
      …
      "relatedEvents": [
        "ac21dd8c-98fe-46f8-9fce-5b77ae607346"
      ],
      "awsAccountId": "222222222222",
      "configurationItemStatus": "ResourceDiscovered",
      …
    }
  ]
}
Log diving
• This is the case of the surprise Elastic IP (bad surprise)
– What was done?
• Easy: an EIP was created
– When was it created?
– Who created it?
– Where did it come from?
What
• Starting with AWS Config
– Search for the origin of "eipalloc-184efb7d"
– Utilize the AWS Config console Resource Lookup tool or search the AWS Config log files in Amazon S3
• AWS Config Partners http://aws.amazon.com/config/partners/
• Roll a bit of code …
• The EventID leads us to AWS CloudTrail
– "eventID": "ac21dd8c-98fe-46f8-9fce-5b77ae607346",
When
• The AWS Config log file contains a timestamp
– "configurationItemCaptureTime": "2015-06-19T16:44:57.073Z"
• Pivot to the specific AWS CloudTrail log file based on:
– Timestamp
– EventID
Who and where (in the CloudTrail log)
{
  "Records": [
    {
      "eventVersion": "1.02",
      "userIdentity": {
        "type": "AssumedRole",
        "principalId": "AROAJXTPIKQ7QQEXAMPLE:bob-corpbroker",
        "arn": "arn:aws:sts::222222222222:assumed-role/NetManagerRole/bob-corpbroker",
        "accountId": "222222222222",
        "accessKeyId": "ASIAJOW7BLKIKEXAMPLE",
        …
      "sourceIPAddress": "198.51.100.178",
      "userAgent": "acme-corp-netmgmt-internal/1.2.3.4",
      …
      "eventID": "ac21dd8c-98fe-46f8-9fce-5b77ae607346",
      …
}
• ACME corporation uses a federated identity broker that leverages the company’s existing Directory Services and access control systems.
• CloudTrail logs indicate “bob” was issued a token by the broker to use the NetManager role.
– The RoleSessionName, “bob-corpbroker”, was set by the broker when generating the STS token for “bob” via the AssumeRole API.
• “bob” connected to the EC2 API endpoint from the IP Address 198.51.100.178.
• Federated Identity broker logs created by ACME corporation contain additional details.
• Now we know the EIP was created by an STS token issued from the corporation.
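The "roll a bit of code" step of the log-diving walkthrough, and the record correlation slide before it, as an added example (not the presenter's code and not an AWS tool). Given an AWS Config log and a CloudTrail log, it answers what and when from the configuration item, then pivots on the shared eventID to answer who and where from the CloudTrail record, and computes the S3 day prefix under which CloudTrail delivers that day's log files so the search can be narrowed by timestamp. The two logs are constructed from the excerpts on the slides; the eventTime, eventName, the second record, the region us-east-1 and the AWS::EC2::EIP resource type are assumptions added for the example.

```python
import json
from datetime import datetime

# Constructed sample logs modelled on the slide excerpts (not real AWS output).
# Fields the slides do not show (eventTime, eventName, second record) are assumptions.
CONFIG_LOG = json.loads("""
{
  "fileVersion": "1.0",
  "configurationItems": [
    {
      "resourceType": "AWS::EC2::EIP",
      "resourceId": "eipalloc-184efb7d",
      "awsAccountId": "222222222222",
      "configurationItemCaptureTime": "2015-06-19T16:44:57.073Z",
      "configurationItemStatus": "ResourceDiscovered",
      "relatedEvents": ["ac21dd8c-98fe-46f8-9fce-5b77ae607346"]
    }
  ]
}
""")

CLOUDTRAIL_LOG = json.loads("""
{
  "Records": [
    {
      "eventVersion": "1.02",
      "userIdentity": {
        "type": "AssumedRole",
        "principalId": "AROAJXTPIKQ7QQEXAMPLE:bob-corpbroker",
        "arn": "arn:aws:sts::222222222222:assumed-role/NetManagerRole/bob-corpbroker",
        "accountId": "222222222222",
        "accessKeyId": "ASIAJOW7BLKIKEXAMPLE"
      },
      "eventTime": "2015-06-19T16:44:55Z",
      "eventName": "AllocateAddress",
      "sourceIPAddress": "198.51.100.178",
      "userAgent": "acme-corp-netmgmt-internal/1.2.3.4",
      "eventID": "ac21dd8c-98fe-46f8-9fce-5b77ae607346",
      "eventType": "AwsApiCall",
      "recipientAccountId": "222222222222"
    },
    {
      "eventVersion": "1.02",
      "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::222222222222:user/alice"},
      "eventTime": "2015-06-19T16:40:00Z",
      "eventName": "DescribeAddresses",
      "sourceIPAddress": "198.51.100.20",
      "eventID": "00000000-0000-0000-0000-000000000001",
      "eventType": "AwsApiCall",
      "recipientAccountId": "222222222222"
    }
  ]
}
""")


def cloudtrail_day_prefix(account_id, region, capture_time):
    """S3 key prefix of the day's CloudTrail log files (AWSLogs/<account>/CloudTrail/<region>/YYYY/MM/DD/),
    derived from the Config capture time so only one day's objects need to be searched."""
    day = datetime.strptime(capture_time, "%Y-%m-%dT%H:%M:%S.%fZ")
    return f"AWSLogs/{account_id}/CloudTrail/{region}/{day:%Y/%m/%d}/"


def find_origin(config_log, trail_log, resource_id, region="us-east-1"):
    """Answer what / when / who / where for a resource by pivoting Config -> CloudTrail."""
    # WHAT and WHEN: the earliest configuration item recorded for the resource
    items = sorted(
        (ci for ci in config_log["configurationItems"] if ci["resourceId"] == resource_id),
        key=lambda ci: ci["configurationItemCaptureTime"],
    )
    if not items:
        return None
    item = items[0]
    # WHO and WHERE: join on eventID, the key the two record types share
    by_event_id = {r["eventID"]: r for r in trail_log["Records"]}
    events = []
    for event_id in item.get("relatedEvents", []):
        rec = by_event_id.get(event_id)
        if rec is None:
            continue  # the event sits in a log file that has not been loaded yet
        principal_id = rec["userIdentity"].get("principalId", "")
        events.append({
            "eventID": event_id,
            "eventName": rec["eventName"],
            "eventTime": rec["eventTime"],
            "principalArn": rec["userIdentity"]["arn"],
            # for AssumedRole the part after ':' is the RoleSessionName set at AssumeRole time
            "roleSessionName": principal_id.split(":", 1)[1] if ":" in principal_id else None,
            "sourceIPAddress": rec["sourceIPAddress"],
            "userAgent": rec.get("userAgent"),
        })
    return {
        "resourceId": resource_id,
        "resourceType": item["resourceType"],
        "status": item["configurationItemStatus"],
        "captureTime": item["configurationItemCaptureTime"],
        "cloudtrailPrefix": cloudtrail_day_prefix(item["awsAccountId"], region, item["configurationItemCaptureTime"]),
        "events": events,
    }


if __name__ == "__main__":
    print(json.dumps(find_origin(CONFIG_LOG, CLOUDTRAIL_LOG, "eipalloc-184efb7d"), indent=2))
```

The join deliberately tolerates a relatedEvents entry with no matching CloudTrail record: CloudTrail delivers log files in batches, so the record may live in an object that has not been fetched yet, and the computed prefix is where to look next.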
You have fine-grained control of your AWS environment
AWS Identity and Access Management (AWS IAM) enables you to securely control access to AWS services and resources
• Control who can do what and when from where
• Fine-grained control of user permissions, resources, and actions
• Add multi-factor authentication
– Hardware token or smartphone apps
• Test out your new policies using the IAM policy simulator
Segregate duties between roles with IAM
Diagram: one Region containing VPC A (10.0.0.0/16) with two Availability Zones holding subnets 10.0.1.0/24 and 10.0.2.0/24, a router, an Internet Gateway to the Internet, and a Customer Gateway. Roles shown managing and operating it: AWS account owner (master), network management, security management, server management, storage management.
You get to choose who can do what in your AWS environment and from where
Federate AWS IAM with your existing directories
Keep control of who can do what on AWS using your existing directory
• AWS IAM now supports SAML 2.0
• Federate with on-premises directories like Active Directory or another SAML 2.0 compliant identity provider
• Use Active Directory users and groups in AWS for authentication and authorization
• For example, a ‘Network Administrators’ AD security group can have access to create and manage on-premises and AWS EC2 instances or Elastic IP addresses
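The "who can do what from where" and "segregate duties between roles" points of the three IAM slides, as an added example (not the presenter's material and not the real IAM policy simulator). It holds two constructed role policies, one for network management and one for server management, and evaluates requests against them with the IAM decision order that an explicit Deny always wins, a matching Allow grants, and everything else is implicitly denied. The policies, the corporate address range 198.51.100.0/24 and the reduced condition support (only IpAddress and NotIpAddress on aws:SourceIp) are assumptions made for the example.

```python
import fnmatch
import ipaddress

# Constructed policies for two roles (assumptions for this example, not the presenter's policies).
CORP_CIDR = "198.51.100.0/24"  # assumed corporate egress range

NET_MANAGER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["ec2:Describe*", "ec2:AllocateAddress", "ec2:AssociateAddress",
                    "ec2:DisassociateAddress", "ec2:ReleaseAddress"],
         "Resource": "*"},
        # "from where": explicit deny for any call that does not come from the corporate range
        {"Effect": "Deny", "Action": "*", "Resource": "*",
         "Condition": {"NotIpAddress": {"aws:SourceIp": [CORP_CIDR]}}},
    ],
}

SERVER_MANAGER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["ec2:Describe*", "ec2:RunInstances", "ec2:StartInstances",
                    "ec2:StopInstances", "ec2:TerminateInstances"],
         "Resource": "*"},
        {"Effect": "Deny", "Action": "*", "Resource": "*",
         "Condition": {"NotIpAddress": {"aws:SourceIp": [CORP_CIDR]}}},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _action_matches(patterns, action):
    # IAM action names match case-insensitively and support '*' wildcards
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in _as_list(patterns))


def _condition_holds(condition, source_ip):
    # Simplification: only IpAddress / NotIpAddress on aws:SourceIp are modelled here.
    ip = ipaddress.ip_address(source_ip)
    for operator, keys in condition.items():
        if operator not in ("IpAddress", "NotIpAddress"):
            raise NotImplementedError(f"operator {operator} is not modelled")
        for key, cidrs in keys.items():
            if key != "aws:SourceIp":
                raise NotImplementedError(f"condition key {key} is not modelled")
            in_range = any(ip in ipaddress.ip_network(c) for c in _as_list(cidrs))
            if operator == "IpAddress" and not in_range:
                return False
            if operator == "NotIpAddress" and in_range:
                return False
    return True


def evaluate(policies, action, source_ip, resource="*"):
    """Simplified IAM decision: an explicit Deny always wins, otherwise any matching Allow,
    otherwise the implicit deny. Returns 'ExplicitDeny', 'Allow' or 'ImplicitDeny'."""
    decision = "ImplicitDeny"
    for policy in policies:
        for stmt in policy["Statement"]:
            if not _action_matches(stmt["Action"], action):
                continue
            if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt.get("Resource", "*"))):
                continue
            if "Condition" in stmt and not _condition_holds(stmt["Condition"], source_ip):
                continue
            if stmt["Effect"] == "Deny":
                return "ExplicitDeny"
            decision = "Allow"
    return decision


if __name__ == "__main__":
    for role, policy in (("NetManager", NET_MANAGER_POLICY), ("ServerManager", SERVER_MANAGER_POLICY)):
        for action in ("ec2:AllocateAddress", "ec2:RunInstances"):
            for ip in ("198.51.100.178", "203.0.113.5"):
                print(f"{role:14} {action:20} from {ip:15} -> {evaluate([policy], action, ip)}")
```

Running the table shows the separation the slides describe: the network role can allocate an Elastic IP but not launch instances, the server role the reverse, and neither can do anything from outside the corporate range because the Deny statement is evaluated before any Allow can take effect.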
Thank You. This presentation will be loaded to SlideShare the week following the Symposium.
http://www.slideshare.net/AmazonWebServices