The document provides best practices for managing security operations in AWS. It discusses key aspects of the AWS shared responsibility model including that AWS manages security of the cloud while customers are responsible for security in the cloud. It also covers identity and access management best practices such as creating individual users, granting least privilege, using groups to manage permissions, restricting privileged access with conditions, enabling auditing with CloudTrail, configuring strong password policies and rotating credentials regularly. The document provides an overview of key certification programs and compliance offerings from AWS.
2. “Since migrating to AWS, we created a secure solution for our customers that can handle thousands of daily transactions, while reducing our costs by 30%.”
Stefano Harak, Online Senior Product Manager, Vodafone
Vodafone Italy, based in Milan, provides mobile services for more than 30 million customers. Customers can buy additional credit for SIM cards using a credit or debit card.
The key requirement was to build a PCI DSS-compliant solution.
Vodafone Italy migrates to AWS and creates a secure environment for customer transactions while reducing capital costs by 30%
4. AWS and you share responsibility for security
AWS takes care of the security OF the Cloud:
AWS Foundation Services: Compute, Storage, Database, Networking
AWS Global Infrastructure: Regions, Availability Zones, Edge Locations
You get to define your controls IN the Cloud:
Customer applications & content
Network Security
Identity & Access Control
Inventory & Config
Data Encryption
5. AWS and you share responsibility for security
AWS takes care of the security OF the Cloud:
AWS Foundation Services: Compute, Storage, Database, Networking
AWS Global Infrastructure: Regions, Availability Zones, Edge Locations
You get to define your controls IN the Cloud:
Customer applications & content
Platform, Applications, and Identity & Access Management
Operating System, Network, and Firewall Configuration
Client-Side Data Encryption
Server-Side Data Encryption
Network Traffic Protection
7. Assurance Programs
Certifications / Attestations
DoD
SRG
FedRAMP
FIPS
IRAP
ISO 9001
ISO 27001
ISO 27017
ISO 27018
MLPS Level 3
MTCS
PCI DSS Level 1
SEC Rule 17-a-4(f)
SOC 1
SOC 2
SOC 3
Laws, Regulations, and Privacy
DNB [Netherlands]
EAR
EU Model Clauses
FERPA
GLBA
HIPAA
HITECH
IRS 1075
ITAR
My Number Act [Japan]
U.K. DPA – 1988
VPAT / Section 508
EU Data Protection Directive
Privacy Act [Australia]
Privacy Act [New Zealand]
PDPA - 2010 [Malaysia]
PDPA - 2012 [Singapore]
Alignments / Frameworks
CJIS
CLIA
CMS
EDGE
CMSR
CSA
FDA
FedRAMP
TIC
FISC
FISMA
G-Cloud
GxP (FDA CFR 21 Part 11)
ICREA
IT Grundschutz
MITA 3.0
MPAA
NERC
NIST
PHR
Uptime Institute Tiers
UK Cloud Security Principles
UK Cyber Essentials
https://aws.amazon.com/compliance/
8. What this means
You benefit from an environment built for the most security-sensitive organizations.
AWS manages 1,800+ security controls so you don’t have to.
You get to define the right security controls for your workload sensitivity.
You always have full ownership and control of your data.
9. You are in control of privacy
You retain full ownership and control of your content.
Choose the AWS Singapore Region and AWS will not replicate it elsewhere unless you choose to do so.
Control format, accuracy, and encryption any way that you choose.
Control who can access content.
Control content lifecycle and disposal.
10. Your data stays where you put it
13 regions
35 Availability Zones
Announced:
4 AWS regions (Canada, China, Ohio, and the United Kingdom)
9 Availability Zones
12. Encrypt your sensitive information
Native encryption across services for free
Amazon S3, Amazon EBS, Amazon RDS, Amazon Redshift
End-to-end SSL/TLS
Scalable key management
AWS Key Management Service (KMS) provides scalable,
low-cost key management
AWS CloudHSM provides hardware-based, high-assurance
key generation, storage, and management
Third-party encryption options
Trend Micro, SafeNet, Vormetric, HyTrust, Sophos, etc.
13. AWS Identity and Access Management (IAM)
Enables you to control who can do what in your AWS account
Splits into users, groups, roles, and permissions
Control: centralized; fine-grained (APIs, resources, and AWS Management Console)
Security: secure (deny) by default
14. Policy enforcement
1. Decision starts at Deny. By default, an implicit (default) Deny is returned.
2. Evaluate all applicable policies. AWS retrieves all policies associated with the user and resource; only policies that match the action and conditions are evaluated.
3. Is there an explicit Deny? Yes: final decision = “Deny” (explicit Deny). If a policy statement has a Deny, it trumps all other policy statements.
4. Is there an Allow? Yes: final decision = “Allow”. Access is granted if there is an explicit Allow and no Deny.
5. No: final decision = “Deny” (default Deny).
A Deny always wins over an Allow.
16. Principal – Examples
An entity that is allowed or denied access to a resource
Indicated by an Amazon Resource Name (ARN)
With IAM policies, the principal element is implicit (i.e., the user, group, or role attached); you write it in resource-based policies such as S3 bucket policies and role trust policies
<!-- Everyone (anonymous users); treat any policy carrying this principal as public -->
"Principal":{"AWS":"*"}
<!-- Specific account or accounts -->
"Principal":{"AWS":"arn:aws:iam::123456789012:root"}
"Principal":{"AWS":"123456789012"}
<!-- Individual IAM user -->
"Principal":{"AWS":"arn:aws:iam::123456789012:user/username"}
<!-- Federated user (using web identity federation) -->
"Principal":{"Federated":"www.amazon.com"}
"Principal":{"Federated":"graph.facebook.com"}
"Principal":{"Federated":"accounts.google.com"}
<!-- Specific role -->
"Principal":{"AWS":"arn:aws:iam::123456789012:role/rolename"}
<!-- Specific service -->
"Principal":{"Service":"ec2.amazonaws.com"}
Replace 123456789012 with your account number.
17. Action – Examples
Describes the type of access that should be allowed or denied
You can find these in the docs or use the policy editor to get a drop-down list
Statements must include either an Action or NotAction element
<!-- EC2 action -->
"Action":"ec2:StartInstances"
<!-- IAM action -->
"Action":"iam:ChangePassword"
<!-- S3 action -->
"Action":"s3:GetObject"
<!-- Specify multiple values for the Action element -->
"Action":["sqs:SendMessage","sqs:ReceiveMessage"]
<!-- Use wildcards (* or ?) as part of the action name. This would cover Create/Delete/List/Update AccessKey, and also any other action whose name contains AccessKey, such as iam:GetAccessKeyLastUsed -->
"Action":"iam:*AccessKey*"
18. Understanding NotAction
Lets you specify an exception to a list of actions
Could result in shorter policies than using Action and denying many actions
Example: Let’s say you want to allow everything but IAM APIs
{
  "Version": "2012-10-17",
  "Statement": [ {
    "Effect": "Allow",
    "NotAction": "iam:*",
    "Resource": "*"
  } ]
}
or
{
  "Version": "2012-10-17",
  "Statement": [ {
    "Effect": "Allow",
    "Action": "*",
    "Resource": "*"
  },
  {
    "Effect": "Deny",
    "Action": "iam:*",
    "Resource": "*"
  } ]
}
The NotAction form is not a Deny. A user could still have a separate policy that grants iam:*.
If you want to prevent the user from ever being able to call IAM APIs, use an explicit Deny.
21. Resource – Examples
The object or objects that are being requested
Statements must include either a Resource or a NotResource element
<!-- S3 bucket (all objects in it) -->
"Resource":"arn:aws:s3:::my_corporate_bucket/*"
<!-- SQS queue -->
"Resource":"arn:aws:sqs:us-west-2:123456789012:queue1"
<!-- Multiple DynamoDB tables -->
"Resource":["arn:aws:dynamodb:us-west-2:123456789012:table/books_table",
"arn:aws:dynamodb:us-west-2:123456789012:table/magazines_table"]
<!-- All EC2 instances for an account in a region -->
"Resource":"arn:aws:ec2:us-east-1:123456789012:instance/*"
22. Conditions
Optional criteria that must evaluate to true for the policy to evaluate as true
Ex: restrict to an IP address range
Can contain multiple conditions
Condition keys can contain multiple values
If a single condition includes multiple values for one key, the condition is evaluated using logical OR
Multiple conditions (or multiple keys in a single condition): the conditions are evaluated using logical AND
Condition element, as drawn on the slide:
Condition 1: (Key1: Value1A OR Value1B OR Value1C) AND (Key2: Value2A OR Value2B)
AND
Condition 2: (Key3: Value3A)
23. Condition example
What if you wanted to restrict access to a time frame and IP address range?
"Condition" : {
"DateGreaterThan" : {"aws:CurrentTime" : "2015-10-08T12:00:00Z"},
"DateLessThan": {"aws:CurrentTime" : "2015-10-08T15:00:00Z"},
"IpAddress" : {"aws:SourceIp" : ["192.0.2.0/24", "203.0.113.0/24"]}
}
Allows a user to access a resource under the following conditions:
The time is after 12:00 P.M. UTC on 10/8/2015 AND
The time is before 3:00 P.M. UTC on 10/8/2015 AND
The request comes from an IP address in the 192.0.2.0/24 OR 203.0.113.0/24 range
All of these conditions must be met in order for the statement to evaluate to TRUE.
Note that aws:SourceIp is the public address the request reaches AWS from (for example your NAT gateway), so a request that arrives through a VPC endpoint does not carry it and will not match.
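A small policy evaluator, added here as an illustration (it is not code from the slides or from AWS), that walks the slide-14 decision flow over the slide-18 NotAction policies and the slide-23 condition block. The account number, bucket, user names and request contexts are constructed for the example; only the DateGreaterThan, DateLessThan and IpAddress operators are implemented, and the real IAM engine also considers resource-based policies, which this omits.

```python
import fnmatch
import ipaddress
from datetime import datetime, timezone

# Constructed sample policies; account number, bucket and user names are made up.
ALLOW_ALL_BUT_IAM = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "NotAction": "iam:*", "Resource": "*"}]}
EXPLICIT_DENY_IAM = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Deny", "Action": "iam:*", "Resource": "*"}]}
SEPARATE_IAM_GRANT = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "iam:*", "Resource": "*"}]}
TIME_AND_IP_WINDOW = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::my_corporate_bucket/*",
    "Condition": {
        "DateGreaterThan": {"aws:CurrentTime": "2015-10-08T12:00:00Z"},
        "DateLessThan": {"aws:CurrentTime": "2015-10-08T15:00:00Z"},
        "IpAddress": {"aws:SourceIp": ["192.0.2.0/24", "203.0.113.0/24"]}}}]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _action_matches(patterns, action):
    # Action names are case-insensitive; '*' and '?' are the IAM wildcards.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in _as_list(patterns))


def _resource_matches(patterns, resource):
    # ARNs match case-sensitively; a '*' may span the '/' separators in an ARN.
    return any(fnmatch.fnmatchcase(resource, p) for p in _as_list(patterns))


def _parse_time(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def _condition_ok(operator, expected, actual):
    # Only the three operators used on slide 23 are implemented here.
    if actual is None:  # key missing from the request context: the test fails
        return False
    if operator == "DateGreaterThan":
        return _parse_time(actual) > _parse_time(expected)
    if operator == "DateLessThan":
        return _parse_time(actual) < _parse_time(expected)
    if operator == "IpAddress":
        return ipaddress.ip_address(actual) in ipaddress.ip_network(expected, strict=False)
    raise ValueError("unsupported condition operator: " + operator)


def _conditions_hold(condition, ctx):
    # Every operator/key pair must hold (logical AND); a key listing several
    # values passes when any one of them matches (logical OR).
    for operator, keys in condition.items():
        for key, values in keys.items():
            if not any(_condition_ok(operator, v, ctx.get(key)) for v in _as_list(values)):
                return False
    return True


def _statement_applies(stmt, action, resource, ctx):
    if "Action" in stmt:
        action_hit = _action_matches(stmt["Action"], action)
    else:  # NotAction: the statement covers everything except the listed actions
        action_hit = not _action_matches(stmt["NotAction"], action)
    if "Resource" in stmt:
        resource_hit = _resource_matches(stmt["Resource"], resource)
    else:
        resource_hit = not _resource_matches(stmt["NotResource"], resource)
    return action_hit and resource_hit and _conditions_hold(stmt.get("Condition", {}), ctx)


def evaluate(policies, action, resource, ctx=None):
    """Slide-14 flow: start at Deny, evaluate every applicable statement,
    an explicit Deny wins outright, otherwise an Allow grants, else default Deny."""
    ctx = ctx or {}
    decision = "Deny"  # step 1: implicit (default) Deny
    for policy in policies:
        for stmt in policy["Statement"]:
            if not _statement_applies(stmt, action, resource, ctx):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"  # step 3: an explicit Deny trumps everything
            decision = "Allow"  # step 4: Allow, unless a Deny turns up elsewhere
    return decision


def notaction_vs_deny():
    """Why NotAction is not a Deny: a second policy granting iam:* reopens access."""
    call = ("iam:CreateUser", "arn:aws:iam::123456789012:user/new-user")
    return {
        "notaction_alone": evaluate([ALLOW_ALL_BUT_IAM], *call),
        "notaction_plus_grant": evaluate([ALLOW_ALL_BUT_IAM, SEPARATE_IAM_GRANT], *call),
        "explicit_deny_plus_grant": evaluate([EXPLICIT_DENY_IAM, SEPARATE_IAM_GRANT], *call),
        "non_iam_call": evaluate([ALLOW_ALL_BUT_IAM], "ec2:StartInstances", "*"),
    }


def window_check(when, source_ip):
    """Slide-23 condition: inside the time window AND from one of the two /24s."""
    return evaluate([TIME_AND_IP_WINDOW], "s3:GetObject",
                    "arn:aws:s3:::my_corporate_bucket/reports/q3.csv",
                    {"aws:CurrentTime": when, "aws:SourceIp": source_ip})
```

Calling `notaction_vs_deny()` gives the four outcomes the slides argue about: the NotAction policy alone leaves iam:CreateUser at the default Deny, a second policy granting iam:* turns that into Allow, and only the explicit Deny form keeps it at Deny when that second policy is present. `window_check` shows the AND across operators and the OR across the two CIDRs.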
24. Policy variables
Predefined variables based on service request context
• Existing keys (aws:SourceIp, aws:CurrentTime, etc.)
• Principal-specific keys (aws:username, aws:userid, aws:principaltype)
• Provider-specific keys (graph.facebook.com:id, www.amazon.com:user_id)
• SAML keys (saml:aud, saml:iss)
• See documentation for service-specific variables
Benefits
• Simplifies policy management
• Reduces the need for hard-coded, user-specific policies
Use cases we’ll look at
• Easily set up user access to “home folder” in Amazon S3
• Limit access to specific Amazon EC2 resources
25. The anatomy of a policy with variables
Grants a user access to a home directory in Amazon S3 that can be accessed programmatically. Version is required; the variable ${aws:username} appears in the condition (s3:prefix) and in the resource ARNs.
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["s3:ListBucket"],
    "Resource": ["arn:aws:s3:::myBucket"],
    "Condition":
      {"StringLike":
        {"s3:prefix":["home/${aws:username}/*"]}
      }
  },
  {
    "Effect":"Allow",
    "Action":["s3:*"],
    "Resource": ["arn:aws:s3:::myBucket/home/${aws:username}",
                 "arn:aws:s3:::myBucket/home/${aws:username}/*"]
  }
  ]
}
30. Basic user and permission management
1. Create individual users.
2. Grant least privilege.
Benefits
Less chance of people making
mistakes
Easier to relax than tighten up
More granular control
31. Basic user and permission management
1. Create individual users.
2. Grant least privilege.
3. Manage permissions with groups.
Benefits
Easier to assign the same
permissions to multiple users
Simpler to reassign permissions
based on change in
responsibilities
Only one change to update
permissions for multiple users
32. Basic user and permission management
1. Create individual users.
2. Grant least privilege.
3. Manage permissions with groups.
4. Restrict privileged access further with
conditions.
Benefits
Additional granularity when
defining permissions
Can be enabled for any AWS
service API
Minimizes chances of
accidentally performing
privileged actions
33. Basic user and permission management
1. Create individual users.
2. Grant least privilege.
3. Manage permissions with groups.
4. Restrict privileged access further with
conditions.
5. Enable AWS CloudTrail to get logs of API
calls.
Benefits
Visibility into your user activity
by recording AWS API calls to
an Amazon S3 bucket
36. Credential management
6. Configure a strong password policy.
7. Rotate security credentials regularly.
8. Enable multi-factor authentication
(MFA) for privileged users.
Benefits
Supplements user name and
password to require a one-time
code during authentication
37. Delegation
9. Use IAM roles to share access. Benefits
No need to share security
credentials
No need to store long-term
credentials
Use cases
Cross-account access
Intra-account delegation
Federation
38. Delegation
9. Use IAM roles to share access.
10. Use IAM roles for Amazon EC2 instances.
Benefits
Easy to manage access keys
on EC2 instances
Automatic key rotation
Assign least privilege to the
application
AWS SDKs fully integrated
AWS CLI fully integrated
39. Delegation
9. Use IAM roles to share access.
10. Use IAM roles for Amazon EC2 instances.
11. Reduce or remove use of root.
Benefits
Reduce potential for misuse of
credentials
40. Top 11 IAM best practices
1. Users – Create individual users.
2. Permissions – Grant least privilege.
3. Groups – Manage permissions with groups.
4. Conditions – Restrict privileged access further with conditions.
5. Auditing – Enable AWS CloudTrail to get logs of API calls.
6. Password – Configure a strong password policy.
7. Rotate – Rotate security credentials regularly.
8. MFA – Enable MFA for privileged users.
9. Sharing – Use IAM roles to share access.
10. Roles – Use IAM roles for Amazon EC2 instances.
11. Root – Reduce or remove use of root.
41. IAM users vs. federated users
Depends on where you want to manage your users
On-premises → Federated users (IAM roles)
In your AWS account → IAM users
Other important use cases
Delegating access to your account → Federated users (IAM roles)
Mobile application access → Should always be federated access
IMPORTANT: Never share security credentials.
42. AWS access keys vs. passwords
Depends on how your users will access AWS
Console → Password
API, CLI, SDK → Access keys
Make sure to rotate credentials regularly
Use credential reports to audit credential rotation.
Configure password policy.
Configure policy to allow access key rotation.
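An added example (not from the slides or from AWS) that audits the CSV returned by `aws iam get-credential-report` against practices 6, 7, 8 and 11 above: root with an active access key or no MFA, console users without MFA, passwords and active keys older than 90 days, and active keys that have never been used. The report rows, account number, user names, the 90-day threshold and the fixed "now" are constructed for the example, and the cert_* columns of the real report are omitted.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample in the layout of `aws iam get-credential-report` (the API returns
# this CSV base64-encoded); the cert_* columns of the real report are omitted here.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service
<root_account>,arn:aws:iam::123456789012:root,2015-01-10T09:00:00+00:00,not_supported,2016-03-01T08:12:00+00:00,not_supported,not_supported,false,true,2015-01-10T09:00:00+00:00,2016-02-20T10:00:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A
alice,arn:aws:iam::123456789012:user/alice,2015-06-01T12:00:00+00:00,true,2016-03-02T07:40:00+00:00,2016-02-15T12:00:00+00:00,2016-05-15T12:00:00+00:00,true,true,2016-01-20T12:00:00+00:00,2016-03-02T07:41:00+00:00,us-west-2,ec2,false,N/A,N/A,N/A,N/A
deploy-bot,arn:aws:iam::123456789012:user/deploy-bot,2015-03-05T12:00:00+00:00,false,N/A,N/A,N/A,false,true,2015-03-05T12:00:00+00:00,2016-03-01T23:00:00+00:00,us-west-2,codedeploy,true,2015-09-01T12:00:00+00:00,N/A,N/A,N/A
bob,arn:aws:iam::123456789012:user/bob,2015-08-20T12:00:00+00:00,true,2015-09-01T10:00:00+00:00,2015-08-20T12:00:00+00:00,2015-11-18T12:00:00+00:00,false,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A
"""

# Constructed "current time" and rotation threshold so the sample gives stable answers.
NOW = datetime(2016, 3, 3, tzinfo=timezone.utc)
MAX_AGE = timedelta(days=90)


def parse_ts(value):
    """Report timestamps are ISO 8601; root and unused slots carry placeholder strings."""
    if value in ("N/A", "no_information", "not_supported", ""):
        return None
    return datetime.fromisoformat(value)


def audit(report_csv, now=NOW, max_age=MAX_AGE):
    """Return (user, finding) pairs for the credential best practices on the slides."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        if user == "<root_account>":
            # Practice 11: root should have no access keys at all, and should carry MFA.
            if "true" in (row["access_key_1_active"], row["access_key_2_active"]):
                findings.append((user, "root has an active access key"))
            if row["mfa_active"] != "true":
                findings.append((user, "root has no MFA"))
            continue
        if row["password_enabled"] == "true":
            # Practices 6 and 8: console users need MFA and a recently changed password.
            if row["mfa_active"] != "true":
                findings.append((user, "console password without MFA"))
            changed = parse_ts(row["password_last_changed"])
            if changed is None or now - changed > max_age:
                findings.append((user, "password not changed in 90 days"))
        for n in ("1", "2"):
            # Practice 7: every active key must have been rotated and actually used recently.
            if row["access_key_%s_active" % n] != "true":
                continue
            rotated = parse_ts(row["access_key_%s_last_rotated" % n])
            if rotated is None or now - rotated > max_age:
                findings.append((user, "access key %s not rotated in 90 days" % n))
            used = parse_ts(row["access_key_%s_last_used_date" % n])
            if used is None or now - used > max_age:
                findings.append((user, "access key %s active but unused for 90 days" % n))
    return findings
```

On the sample, alice is clean, root is flagged twice, deploy-bot's second key is both stale and never used (a key that was created but never wired into anything is pure attack surface), and bob has a password without MFA that has not been changed since the account was created.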
44. Enabling credential rotation for IAM users
(Enable access key rotation sample policy)
Access keys
{
"Version":"2012-10-17",
"Statement": [{
"Effect": "Allow",
"Action": [
"iam:CreateAccessKey",
"iam:DeleteAccessKey",
"iam:ListAccessKeys",
"iam:UpdateAccessKey"],
"Resource": "arn:aws:iam::123456789012:user/${aws:username}"
}]}
Steps to rotate access keys
1. While the first set of credentials is still active, create a second set of credentials, which will also be active by default.
2. Update all applications to use the new credentials.
3. Change the state of the first set of credentials to Inactive.
4. Using only the new credentials, confirm that your applications are working well.
5. Delete the first set of credentials.
A user can hold at most two access keys, so a user who already has two cannot start step 1 until one of them is deleted; step 3 before step 5 gives you a cheap rollback (re-activate the old key) if something still depends on it.
45. Inline policies vs. managed policies
Use inline policies when you need to:
Enforce a strict one-to-one relationship between policy and principal.
Avoid the wrong policy being attached to a principal.
Ensure the policy is deleted when deleting the principal.
Use managed policies when you need:
Reusability.
Central change management.
Versioning and rollback.
Delegation of permissions management.
Automatic updates for AWS managed policies.
Larger policy size.
46. Groups vs. managed policies
Provide similar benefits
Can be used to assign the same permission to many users.
Central location to manage permissions.
Policy updates affect multiple users.
Use groups when you need to
Logically group and manage users .
Use managed policies when you need to
Assign the same policy to users, groups, and roles.
47. Combine the power of groups AND managed
policies
Use groups to organize your users into logical clusters.
Attach managed policies to groups with the permissions those groups need.
Pro tip: Create managed policies based on logically separated permissions
such as AWS service or project, and attach managed policies mix-and-
match style to your groups.
48. One AWS account vs. multiple AWS accounts?
Use a single AWS account when you:
Want simpler control of who does what in your AWS environment.
Have no need to isolate projects/products/teams.
Have no need for breaking up the cost.
Use multiple AWS accounts when you:
Need full isolation between projects/teams/environments.
Want to isolate recovery data and/or auditing data (e.g., writing your
CloudTrail logs to a different account).
Need a single bill, but want to break out the cost and usage.
49. Segmented AWS account structure
Financial: Billing account (Consolidated Billing, Billing Alerts), used by Procurement and Finance
Security/audit: Security/Audit account (read-only access for all accounts), used by SOC/Auditors; User management account
Utility: Operational Logging account (event and state logging, read-only access to logging data); Backup/DR account; Key management account; Shared services account, run by Domain Specific Admins
Workloads: Production accounts and Dev/Test accounts, owned by Application Owners
51. Infrastructure as code is a practice whereby traditional infrastructure management techniques are supplemented and often replaced by using code-based tools and software development techniques.
52. “It’s all software”
AWS Resources
Operating System and Host Configuration
Application Configuration
53. Each layer is a management discipline
AWS Resources: Infrastructure Resource Management
Operating System and Host Configuration: Host Configuration Management
Application Configuration: Application Deployment
54. Each layer has a tool
AWS Resources: AWS CloudFormation
Operating System and Host Configuration: AWS OpsWorks
Application Configuration: AWS CodeDeploy
55. What lives in each layer
AWS Resources (AWS CloudFormation): Amazon Virtual Private Cloud (VPC), Amazon Elastic Compute Cloud (EC2), AWS Identity and Access Management (IAM), Amazon Relational Database Service (RDS), Amazon Simple Storage Service (S3), AWS CodePipeline, …
Operating System and Host Configuration (AWS OpsWorks): Windows Registry, Linux Networking, OpenSSH, LDAP, AD Domain Registration, Centralized logging, System Metrics, Deployment agents, Host monitoring, …
Application Configuration (AWS CodeDeploy): Application dependencies, Application configuration, Service registration, Management scripts, Database credentials, …
56. CloudFormation – Components & technology
Template: JSON formatted file; parameter definition; resource creation; configuration actions
Stack: configured AWS resources; comprehensive service support; service event aware; customizable
Framework: stack creation; stack updates; error detection and rollback
57. Many stacks & environments from one template
Template file: the entire infrastructure can be represented in an AWS CloudFormation template.
Version control (Git, Perforce, SVN, …): use the version control system of your choice to store and track changes to this template.
Defining stacks (Dev, Test, Prod): build out multiple environments using the same template, such as for Development, Test, Production, and even DR.
58. What security benefits does this give
Ability to perform “Code Audit” on your infrastructure
Look for unauthorized network configurations
Verify security groups
Verify operating system
Use with AWS CodeCommit trigger or GitHub hooks
Split ownership (single file or merge)
App team owns main section
Network team owns VPC/subnets
Security team owns security groups
Automate upon check-in!
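An added example of the “code audit” this slide describes, not code from the slides or from AWS: it reads a JSON CloudFormation template and flags security group ingress rules open to the world on ports other than 80/443, any-protocol rules open to the world, and source CIDRs supplied through a Ref or other intrinsic function, which cannot be approved from the template alone. The template, the VPC ID and the list of ports allowed to be public are constructed for the example; a check-in hook would run this over the template before the stack is created.

```python
import json

# Constructed CloudFormation template (JSON, as on slide 56); resource and VPC names are made up.
SAMPLE_TEMPLATE = json.dumps({
    "AWSTemplateFormatVersion": "2010-09-09",
    "Parameters": {"OfficeCidr": {"Type": "String", "Default": "203.0.113.0/24"}},
    "Resources": {
        "WebSg": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
            "GroupDescription": "public web tier", "VpcId": "vpc-1234abcd",
            "SecurityGroupIngress": [
                {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "0.0.0.0/0"},
                {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"}]}},
        "AdminSg": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
            "GroupDescription": "bastion", "VpcId": "vpc-1234abcd",
            "SecurityGroupIngress": [
                {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": {"Ref": "OfficeCidr"}}]}},
        "DbIngress": {"Type": "AWS::EC2::SecurityGroupIngress", "Properties": {
            "GroupId": {"Ref": "DbSg"}, "IpProtocol": "-1", "CidrIp": "0.0.0.0/0"}},
        "DbSg": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
            "GroupDescription": "database", "VpcId": "vpc-1234abcd"}},
    },
})

# Ports on which a world-open rule is acceptable for an internet-facing tier (constructed policy).
PUBLIC_OK_PORTS = {80, 443}
WORLD = {"0.0.0.0/0", "::/0"}


def _ingress_rules(template):
    """Yield (logical_id, rule) for inline rules and standalone SecurityGroupIngress resources."""
    for logical_id, res in template["Resources"].items():
        props = res.get("Properties", {})
        if res["Type"] == "AWS::EC2::SecurityGroup":
            for rule in props.get("SecurityGroupIngress", []):
                yield logical_id, rule
        elif res["Type"] == "AWS::EC2::SecurityGroupIngress":
            yield logical_id, props


def audit_security_groups(template_json):
    """Return (logical_id, finding) pairs for rules a security reviewer would reject."""
    findings = []
    for logical_id, rule in _ingress_rules(json.loads(template_json)):
        cidr = rule.get("CidrIp", rule.get("CidrIpv6"))
        if isinstance(cidr, dict):
            # Ref / Fn:: intrinsic: the source is decided at stack creation time, so it
            # cannot be approved from the template; the parameter needs a constraint review.
            findings.append((logical_id, "source CIDR is an intrinsic, review the parameter"))
            continue
        if cidr not in WORLD:
            continue  # rules sourced from another security group or a private CIDR pass here
        if rule.get("IpProtocol") == "-1":
            findings.append((logical_id, "all protocols open to the world"))
            continue
        ports = range(int(rule.get("FromPort", 0)), int(rule.get("ToPort", 65535)) + 1)
        bad = sorted(p for p in ports if p not in PUBLIC_OK_PORTS)
        if bad:
            findings.append((logical_id, "port(s) %s open to the world" % bad[:5]))
    return findings
```

The standalone `AWS::EC2::SecurityGroupIngress` resource matters: a reviewer who only looks at the `SecurityGroup` resources would pass `DbSg` as having no ingress at all, while the separate resource opens it completely.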
59. Where else can this be applied?
AWS CloudFormation: CloudFormation template
Amazon EC2 Container Service: task definition
AWS CodeDeploy: application specification file (AppSpec file)
…and more.
62. Why cloud logging/monitoring is different
Distributed servers coming and going (e.g., Auto Scaling, microservices)
More visibility (e.g., AWS CloudTrail)
In the cloud, we have more log types than in the data center: more different kinds of data, and many distinct log sources not monitored by the same systems on premises.
Networking (Amazon VPC Flow Logs)
System/application
Configuration (very difficult on-premises)
Large amount of information (e.g., Amazon VPC Flow Logs)
66. Ubiquitous logging and monitoring
Amazon CloudWatch Logs lets you grab everything and monitor activity
Storage is cheap - collect and keep your logs
Agent based (Linux and Windows)
Export data
• To Amazon S3
• Stream to Amazon Elasticsearch Service or AWS Lambda
Integration with metrics and alarms means you can continually scan for events you know might be suspicious
Combine/use third-party products
IF (detect web attack > 10 in a 1-minute period)
ALARM == INCIDENT IN PROGRESS!
68. What can you answer using a CloudTrail event?
Who made the API call?
When was the API call made?
What was the API call?
Which resources were acted upon in the API call?
Where was the API call made from and made to?
Supported services:
http://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-supported-services.html
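An added example, not code from the slides or from AWS, that pulls the five answers above out of a CloudTrail record and flags the events an on-call engineer would want paged on: root credential use (practice 11), console sign-in without MFA (practice 8), CloudTrail configuration changes, and IAM privilege changes, with a note when a user changes their own permissions. The records, account number, user names and addresses are constructed; the two event-name watch-lists are an assumption for the example, not an AWS-provided list.

```python
import json

# Constructed CloudTrail log file in the shape CloudTrail delivers to S3 ({"Records": [...]});
# account, principal IDs, addresses and names are made up.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventVersion": "1.04", "eventID": "e-1", "eventTime": "2016-03-02T08:12:33Z",
     "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.23", "userAgent": "Mozilla/5.0",
     "userIdentity": {"type": "Root", "principalId": "123456789012",
                      "arn": "arn:aws:iam::123456789012:root", "accountId": "123456789012"},
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "No", "LoginTo": "https://console.aws.amazon.com/"}},
    {"eventVersion": "1.04", "eventID": "e-2", "eventTime": "2016-03-02T09:01:10Z",
     "eventSource": "iam.amazonaws.com", "eventName": "PutUserPolicy",
     "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.9", "userAgent": "aws-cli/1.10.0",
     "userIdentity": {"type": "IAMUser", "principalId": "AIDAEXAMPLE1", "userName": "bob",
                      "arn": "arn:aws:iam::123456789012:user/bob", "accountId": "123456789012"},
     "requestParameters": {"userName": "bob", "policyName": "allow-everything"}},
    {"eventVersion": "1.04", "eventID": "e-3", "eventTime": "2016-03-02T09:05:42Z",
     "eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
     "awsRegion": "us-west-2", "sourceIPAddress": "203.0.113.9", "userAgent": "aws-cli/1.10.0",
     "userIdentity": {"type": "IAMUser", "principalId": "AIDAEXAMPLE1", "userName": "bob",
                      "arn": "arn:aws:iam::123456789012:user/bob", "accountId": "123456789012"},
     "requestParameters": {"name": "arn:aws:cloudtrail:us-west-2:123456789012:trail/main"}},
    {"eventVersion": "1.04", "eventID": "e-4", "eventTime": "2016-03-02T09:30:00Z",
     "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "awsRegion": "eu-west-1", "sourceIPAddress": "192.0.2.77", "userAgent": "console.ec2.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "principalId": "AIDAEXAMPLE2", "userName": "alice",
                      "arn": "arn:aws:iam::123456789012:user/alice", "accountId": "123456789012"},
     "requestParameters": {"instancesSet": {}}},
]})

# Assumed watch-lists for this example; extend them to match your own account's policy.
TRAIL_TAMPERING = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}
IAM_PRIVILEGE_CHANGES = {"PutUserPolicy", "PutGroupPolicy", "PutRolePolicy", "AttachUserPolicy",
                         "AttachGroupPolicy", "AttachRolePolicy", "CreateAccessKey", "CreateUser"}


def records(log_json):
    return json.loads(log_json)["Records"]


def summarize(record):
    """Answer the slide's five questions for one record: who, when, what, which, where."""
    identity = record["userIdentity"]
    return {
        "who": identity.get("userName") or identity.get("arn") or identity["type"],
        "when": record["eventTime"],
        "what": record["eventSource"].split(".")[0] + ":" + record["eventName"],
        "which": record.get("requestParameters") or {},
        "where": (record.get("sourceIPAddress"), record["awsRegion"]),
    }


def triage(log_json):
    """Flag the records worth paging on; returns (eventID, reason) pairs."""
    alerts = []
    for rec in records(log_json):
        name, identity = rec["eventName"], rec["userIdentity"]
        if identity["type"] == "Root":
            alerts.append((rec["eventID"], "root credentials used"))
        if (name == "ConsoleLogin"
                and rec.get("responseElements", {}).get("ConsoleLogin") == "Success"
                and rec.get("additionalEventData", {}).get("MFAUsed") == "No"):
            alerts.append((rec["eventID"], "console login without MFA"))
        if name in TRAIL_TAMPERING:
            alerts.append((rec["eventID"], "CloudTrail configuration changed"))
        if name in IAM_PRIVILEGE_CHANGES:
            # A principal granting itself permissions is the classic escalation pattern.
            target = (rec.get("requestParameters") or {}).get("userName")
            suffix = " on own user" if target and target == identity.get("userName") else ""
            alerts.append((rec["eventID"], "IAM privilege change" + suffix))
    return alerts
```

Run as a CloudWatch Logs subscription target or over the S3 log files, this is the kind of check slide 74 (CloudTrail integrated with CloudWatch Logs) makes possible; the StopLogging record is the one an attacker issues first, which is why the central, read-only logging account on slide 75 matters.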
71. AWS CloudTrail best practices
1. Enable in all regions
Benefits
Also tracks unused regions
Can be done in single configuration step
72. AWS CloudTrail best practices
1. Enable in all regions
2. Enable log file validation
Benefits
Ensure log-file integrity
Validated log files are
invaluable in security and
forensic investigations
Built using industry standard
algorithms: SHA-256 for
hashing and SHA-256 with
RSA for digital signing
AWS CloudTrail will start
delivering digest files on an
hourly basis
Digest files contain hash values
of log files delivered and are
signed by CloudTrail
73. AWS CloudTrail best practices
1. Enable in all regions
2. Enable log file validation
3. Encrypted logs
Benefits
By default, CloudTrail encrypts
log files using S3 server-side
encryption (SSE-S3)
You can choose to encrypt
using AWS KMS (SSE-KMS)
S3 will decrypt on your behalf if
your credentials have decrypt
permissions
74. AWS CloudTrail best practices
1. Enable in all regions
2. Enable log file validation
3. Encrypted logs
4. Integrate with Amazon
CloudWatch Logs
Benefits
Simple search
Configure alerting on events
75. AWS CloudTrail best practices
1. Enable in all regions
2. Enable log file validation
3. Encrypted logs
4. Integrate with Amazon
CloudWatch Logs
5. Centralize logs from all
accounts
Benefits
Configure all accounts to send
logs to a central security
account
Reduce risk for log tampering
Can be combined with S3 CRR
Include dev/stage accounts!
76. VPC Flow Logs
Log network traffic for Amazon VPC, subnet,
or single interfaces
77. VPC Flow Logs
Stores log in AWS CloudWatch Logs
Can be enabled on
Amazon VPC, a subnet, or a network interface
Amazon VPC and subnet enables logging for all interfaces in the VPC/subnet
Each network interface has a unique log stream
Flow logs do not capture real-time log streams for your network interfaces
Can capture on interfaces for other AWS services
Elastic Load Balancing, Amazon RDS, Amazon ElastiCache, Amazon Redshift,
and Amazon WorkSpaces
Filter desired result based on need
All, Reject, Accept
Troubleshooting or security related with alerting needs?
Think before enabling all on VPC—will you use it?
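An added example (not from the slides) of the Reject filter put to use for the alerting case the slide asks about: it parses version-2 flow log records as delivered to CloudWatch Logs, drops NODATA/SKIPDATA lines, and finds sources whose rejected flows touched many destination ports (a scan) or that keep hitting one port such as SSH. The log lines, ENI ID, account number and addresses are constructed.

```python
from collections import Counter, defaultdict

# Constructed version-2 flow log records (fields: version account-id interface-id srcaddr
# dstaddr srcport dstport protocol packets bytes start end action log-status).
SAMPLE_FLOW_LOGS = """\
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.15 40001 22 6 1 60 1457000000 1457000060 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.15 40002 23 6 1 60 1457000000 1457000060 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.15 40003 445 6 1 60 1457000000 1457000060 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.15 40004 1433 6 1 60 1457000000 1457000060 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.15 40005 3389 6 1 60 1457000000 1457000060 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.15 40006 8080 6 1 60 1457000000 1457000060 REJECT OK
2 123456789012 eni-0a1b2c3d 203.0.113.5 10.0.1.15 51000 443 6 40 5200 1457000000 1457000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.2.30 10.0.1.15 51001 22 6 30 4100 1457000000 1457000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1457000000 1457000060 - NODATA
2 123456789012 eni-0a1b2c3d 192.0.2.9 10.0.1.15 52000 22 6 1 60 1457000000 1457000060 REJECT OK
"""

FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport protocol "
          "packets bytes start end action log_status").split()
NUMERIC = ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end")


def parse_flow_log(text):
    """Parse v2 records; NODATA/SKIPDATA lines carry '-' placeholders and are dropped."""
    parsed = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = dict(zip(FIELDS, line.split()))
        if rec["log_status"] != "OK":
            continue
        for key in NUMERIC:
            rec[key] = int(rec[key])
        parsed.append(rec)
    return parsed


def find_scanners(flows, min_ports=5):
    """Sources whose REJECTed flows touched at least min_ports distinct destination ports."""
    ports_by_src = defaultdict(set)
    for rec in flows:
        if rec["action"] == "REJECT":
            ports_by_src[rec["srcaddr"]].add(rec["dstport"])
    return {src: len(ports) for src, ports in ports_by_src.items() if len(ports) >= min_ports}


def rejected_by_port(flows, dstport):
    """Count REJECTed flows per source for one port, e.g. repeated attempts on 22."""
    return Counter(rec["srcaddr"] for rec in flows
                   if rec["action"] == "REJECT" and rec["dstport"] == dstport)
```

Note that a REJECT here means the security group or network ACL already did its job; the value of the log is in the pattern (one source, many ports, within one capture window), which is what the alert should key on rather than on single rejects.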
78. Log management and analytics
ELK (Elasticsearch Service + Logstash + Kibana)
Elasticsearch Service + Kibana + Amazon CloudWatch Logs
Third-party solution
84. Tools - AWS Config Rules
Time based
When configuration snapshot is delivered
Choose between 1, 3, 6, 12 or 24 hours
Change based
EC2, IAM, CloudTrail, or tags
AWS managed or custom checks using Lambda
Control compliance status using Lambda
Encrypted volumes, CloudTrail, EIP attached, SSH access, Amazon
EC2 in Amazon VPC, restricted common ports, and require tags
87. The key to custom rules
import boto3
from datetime import datetime

client = boto3.client('config')  # the Lambda function reports its verdict back through the AWS Config API
response = client.put_evaluations(
    Evaluations=[
        {
            'ComplianceResourceType': 'string',  # e.g. AWS::EC2::Instance
            'ComplianceResourceId': 'string',    # the ID of the resource the rule examined
            'ComplianceType': 'COMPLIANT'|'NON_COMPLIANT'|'NOT_APPLICABLE'|'INSUFFICIENT_DATA',  # boto3 doc notation: pick one value
            'Annotation': 'string',              # free text shown with the evaluation
            'OrderingTimestamp': datetime(2015, 1, 1)  # normally the configuration item's capture time
        },
    ],
    ResultToken='string'  # taken from the event that invoked the function
)
Use annotation for pulling rule status using CLI
88. AWS Config Rules repository
AWS Community repository of custom Config Rules
https://github.com/awslabs/aws-config-rules
Contains Node and Python samples for custom rules for
AWS Config
90. Tools - Amazon CloudWatch Events
Trigger on event
Amazon EC2 instance state change notification
AWS API call (very specific)
AWS Management Console sign-in
Auto Scaling (no lifecycle hooks)
Or schedule (used by AWS Lambda)
Cron is in the cloud!
No more “unreliable town clock”
Min 5 minutes
Single event can have multiple targets
92. How can I get the different events?
import json

def lambda_handler(event, context):
    # Dump the incoming CloudWatch Events payload so its structure can be read in the function logs
    eventdump = json.dumps(event, indent=2)
    print("Received event: " + eventdump)
    return eventdump
93. Risks with automatic remediation
You can now automatically mess up your approved
changes
No proper alerting and follow-up on automatic events
Overcomplicated and undercomplicated scripts
No info on desired state
Race the hacker…automation wars!
95. What is Amazon Inspector?
Enables you to analyze the behavior of your AWS resources and helps identify
potential security issues
Application security assessment
Agent based
15 minutes–24 hours
Selectable built-in rules (rule packages)
Common vulnerabilities and exposures
CIS Operating System Security Configuration Benchmarks
Security best practices
Run-time behavior analysis
Security findings – guidance and management
Automatable via APIs
99. Summing up
Enforce separation of duties and least privilege accounts
MFA on users; enforce using IAM policies
Know what is security vs. troubleshooting logs
Storage is cheap, not knowing can be very expensive – log if possible
Alerting is good, automating your security response is better
Use managed services and built-in reporting to offload and automate
See the big picture: what info do you want and what tool can give it to you