
Transparency and Control with AWS CloudTrail and AWS Config

Notes on the "Transparency and Control with AWS CloudTrail and AWS Config" presentation.



  1. AWS Government, Education, and Nonprofit Symposium | Washington, DC | June 25-26, 2015
     Transparency and Control with AWS CloudTrail and AWS Config
     ©2015, Amazon Web Services, Inc. or its affiliates. All rights reserved.
  2. Amazon Web Services (AWS) platform overview (diagram)
     • Your Applications
     • Administration & Security: AWS Identity and Access Management, AWS Trusted Advisor, AWS CloudTrail, Amazon CloudWatch, AWS CloudHSM, AWS Directory Service, AWS Config
     • Deployment & Management: AWS Elastic Beanstalk, AWS OpsWorks, AWS CloudFormation, AWS CodeDeploy
     • Application Services: Amazon SQS, Amazon SWF, Amazon AppStream, Amazon Elastic Transcoder, Amazon SES, Amazon CloudSearch
     • Analytics: Amazon EMR, Amazon Kinesis, AWS Data Pipeline
     • Mobile Services: Amazon Mobile Analytics, Amazon Cognito, Amazon SNS
     • Enterprise Applications: Amazon WorkDocs, Amazon WorkSpaces, Amazon WorkMail
     • Foundation Services
       – Compute: Amazon EC2, AWS Lambda
       – Storage & Content Delivery: Amazon S3, AWS Storage Gateway, Amazon EBS, Amazon Glacier, Amazon CloudFront
       – Database: Amazon RDS, Amazon DynamoDB, Amazon ElastiCache, Amazon Redshift
       – Networking: Amazon VPC, AWS Direct Connect, Amazon Route 53
     • AWS Infrastructure
  3. Agenda
     • Talk about AWS [‘CloudTrail’, ‘Config’]
     • Ponder AWS [‘CloudTrail’, ‘Config’]
     • Contemplate AWS [‘CloudTrail’, ‘Config’]
       – Log diving
     • Correlation between [‘CloudTrail’, ‘Config’]
     • Cross-account, role-based access
  4. TL;DR – These are “complementary services”
     AWS CloudTrail (an entity did something)
     • Record of API requests and response elements – who did what and when, from where
     AWS Config (resource changes and status)
     • AWS account configuration
       – Configuration item history
       – Configuration item stream
       – Configuration item snapshots
     • Optionally, a notification whenever a resource is created, modified, or deleted, with the resulting configuration
  5. AWS CloudTrail
     AWS CloudTrail is a web service that records AWS API calls for your account and delivers log files to you. The recorded information includes:
     • The identity of the API caller
     • The time of the API call
     • The source IP address of the API caller
     • The request parameters
     • The response elements returned by the AWS service
  6. Use AWS CloudTrail to track access to APIs and IAM
     Increase your visibility of what happened in your AWS environment – who did what and when, from where
     • CloudTrail will record access to API calls and save logs in your Amazon S3 bucket, no matter how those API calls were made
     • Who did what and when and from what IP address
     • Receive notification of log file delivery using the Amazon Simple Notification Service (Amazon SNS)
     • Rapid integration of AWS services since launch, with more supported services coming soon
     • Aggregate log information into a single S3 bucket
     • AWS Partner integration with log analysis tools from AlertLogic, Boundary, CloudCheckr, DataDog, Graylog2, LogEntries, Splunk, and SumoLogic
  7. AWS CloudTrail logs can be used for many powerful use cases
     CloudTrail can help you achieve many tasks
     • Security analysis
     • Track changes to AWS resources
       – e.g., VPC security groups and NACLs
     • Compliance
       – Understand AWS API call history
     • Troubleshoot operational issues
       – Quickly identify the most recent changes to your environment
     • AWS CloudTrail console API activity history search
       – Look up API activity captured for your AWS account in the last 7 days
       – Filter with an attribute and time range
  8. Now monitor everything with Amazon CloudWatch Logs
     Amazon CloudWatch Logs can monitor your system, application, and custom log files from Amazon EC2 instances and other sources, for example:
     • Monitor your web server HTTP log files and use CloudWatch metric filters to identify 404 errors and count the number of occurrences within a specified time period
     • Use CloudWatch alarms to notify you when the number of 404 errors breaches whatever threshold you decide to set – you could use this to automatically generate a ticket for investigation
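As an added illustration of the metric-filter-plus-alarm pattern on slide 8 (this is example code written for these notes, not code from the deck or from AWS): the script below applies the same three steps offline to constructed common-log-format lines. A regular expression plays the role of the metric filter pattern, the per-period counter plays the role of the metric, and `breached_periods` plays the role of the alarm. The log lines, the one-minute period and the threshold of 3 are assumptions chosen for the example.

```python
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed web-server access log lines (common log format), not real traffic.
SAMPLE_ACCESS_LOG = """\
198.51.100.10 - - [26/Jun/2015:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512
198.51.100.10 - - [26/Jun/2015:10:00:03 +0000] "GET /old-page.html HTTP/1.1" 404 162
198.51.100.23 - - [26/Jun/2015:10:00:05 +0000] "GET /missing.css HTTP/1.1" 404 162
198.51.100.23 - - [26/Jun/2015:10:00:06 +0000] "GET /favicon.ico HTTP/1.1" 404 162
203.0.113.7 - - [26/Jun/2015:10:00:40 +0000] "POST /api/login HTTP/1.1" 200 88
198.51.100.23 - - [26/Jun/2015:10:05:30 +0000] "GET /archive.zip HTTP/1.1" 404 162
this line is not in common log format and is skipped
"""

# One regular expression plays the role of the metric filter pattern.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)$'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def parse_access_log(text):
    """Turn raw log text into event dicts; lines the pattern does not match are ignored, as a metric filter would."""
    events = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        events.append({
            "ip": m["ip"],
            "time": datetime.strptime(m["ts"], TS_FORMAT),
            "request": m["request"],
            "status": int(m["status"]),
        })
    return events


def period_start(ts, period):
    """Align a timestamp to the start of its fixed-length period (CloudWatch aggregates metrics per period)."""
    secs = int(ts.timestamp())
    span = int(period.total_seconds())
    return datetime.fromtimestamp(secs - secs % span, tz=timezone.utc)


def status_counts_per_period(events, status, period=timedelta(minutes=1)):
    """Metric: number of responses with the given status code in each period."""
    return Counter(period_start(e["time"], period) for e in events if e["status"] == status)


def breached_periods(events, status=404, threshold=3, period=timedelta(minutes=1)):
    """Alarm: periods in which the metric reached the threshold, oldest first."""
    counts = status_counts_per_period(events, status, period)
    return sorted((start, n) for start, n in counts.items() if n >= threshold)


def sources_for_status(events, status=404):
    """Enrichment for the investigation ticket: which client addresses produced the status code."""
    return Counter(e["ip"] for e in events if e["status"] == status)


if __name__ == "__main__":
    evts = parse_access_log(SAMPLE_ACCESS_LOG)
    for start, n in breached_periods(evts):
        print(f"ALARM: {n} x 404 in the minute starting {start.isoformat()}")
        print("  sources:", dict(sources_for_status(evts)))
```

With the sample data, three 404s fall in the minute starting 10:00 and only one in the minute starting 10:05, so a threshold of 3 raises exactly one alarm; lowering the threshold to 1 reports both periods, which is the tuning decision the slide leaves to you.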
  9. AWS Config
     AWS Config is a fully managed service that provides an inventory of your AWS resources, lets you audit the resource configuration history, and notifies you of resource configuration changes.
  10. AWS Config (diagram): Changing Resources → Continuous Change Recording → AWS Config → History, Stream, Snapshot (ex. 2015-06-26)
  11. Relationships
     • Bi-directional map of dependencies automatically assigned
     • Change to a resource propagates to create configuration items for related resources
  12. Relationships
     Resource                     Relationship        Related Resource
     CustomerGateway              is attached to      VPN Connection
     Elastic IP (EIP)             is attached to      Network Interface
     Elastic IP (EIP)             is attached to      Instance
     Instance                     contains            Network Interface
     Instance                     is attached to      Elastic IP (EIP)
     Instance                     is contained in     Route Table
     Instance                     is associated with  Security Group
     Instance                     is contained in     Subnet
     Instance                     is attached to      Volume
     Instance                     is contained in     Virtual Private Cloud (VPC)
     InternetGateway              is attached to      Virtual Private Cloud (VPC)
     …                            …                   …
  13. Configuration item
     All configuration attributes for a given resource at a given point in time, captured on every configuration change
  14. Configuration item
     Component              Description                                                        Contains
     Metadata               Information about this configuration item                          Version ID, configuration item ID, time when the configuration item was captured, state ID indicating the ordering of the configuration items of a resource, MD5Hash, etc.
     Common Attributes      Resource attributes                                                Resource ID, tags, resource type, Amazon Resource Name (ARN), Availability Zone, etc.
     Relationships          How the resource is related to other resources associated with the account   e.g., EBS volume vol-1234567 is attached to EC2 instance i-a1b2c3d4
     Current Configuration  Information returned through a call to the Describe or List API of the resource   e.g., for an EBS volume: state of the DeleteOnTermination flag; type of volume (for example gp2, io1, or standard)
     Related Events         The AWS CloudTrail events that are related to the current configuration of the resource   AWS CloudTrail event ID
  15. AWS Config use cases
     • Security analysis
     • Audit compliance
     • Change management
     • Troubleshooting
     • Discovery
  16. Record correlation
     AWS CloudTrail record:
       {
         "Records": [
           {
             …,
             "responseElements": {…},
             "requestID": "27508138-3475-4b6e-9429-88118eb1622b",
             "eventID": "ac21dd8c-98fe-46f8-9fce-5b77ae607346",
             "eventType": "AwsApiCall",
             "recipientAccountId": "222222222222"
           }
         ]
       }
     AWS Config record:
       {
         "fileVersion": "1.0",
         "configurationItems": [
           {
             …,
             "relatedEvents": [ "ac21dd8c-98fe-46f8-9fce-5b77ae607346" ],
             "awsAccountId": "222222222222",
             "configurationItemStatus": "ResourceDiscovered",
             …
           }
         ]
       }
     The CloudTrail eventID appears in the Config item's relatedEvents list; that shared value is the correlation key.
  18. Log diving
     • This is the case of the surprise Elastic IP (bad surprise)
       – What was done?
         • Easy: an EIP was created
       – When was it created?
       – Who created it?
       – Where did it come from?
  19. What
     • Starting with AWS Config
       – Search for the origin of "eipalloc-184efb7d"
       – Utilize the AWS Config console Resource Lookup tool or search the AWS Config log files in Amazon S3
         • AWS Config Partners: http://aws.amazon.com/config/partners/
         • Roll a bit of code …
     • The EventID leads us to AWS CloudTrail
       – "eventID": "ac21dd8c-98fe-46f8-9fce-5b77ae607346"
  20. When
     • The AWS Config log file contains a timestamp
       – "configurationItemCaptureTime": "2015-06-19T16:44:57.073Z"
     • Pivot to the specific AWS CloudTrail log file based on:
       – Timestamp
       – EventID
  21. Who and where (in the CloudTrail log)
       {
         "Records": [
           {
             "eventVersion": "1.02",
             "userIdentity": {
               "type": "AssumedRole",
               "principalId": "AROAJXTPIKQ7QQEXAMPLE:bob-corpbroker",
               "arn": "arn:aws:sts::222222222222:assumed-role/NetManagerRole/bob-corpbroker",
               "accountId": "222222222222",
               "accessKeyId": "ASIAJOW7BLKIKEXAMPLE",
               …
             },
             "sourceIPAddress": "198.51.100.178",
             "userAgent": "acme-corp-netmgmt-internal/1.2.3.4",
             …
             "eventID": "ac21dd8c-98fe-46f8-9fce-5b77ae607346",
             …
           }
         ]
       }
  22. Who and where (in the CloudTrail log), continued – same record as slide 21
     • ACME corporation uses a federated identity broker that leverages the company’s existing Directory Services and access control systems.
     • CloudTrail logs indicate “bob” was issued a token by the broker to use the NetManager role.
       – The RoleSessionName, “bob-corpbroker”, was set by the broker when generating the STS token for “bob” via the AssumeRole API.
     • “bob” connected to the EC2 API endpoint from the IP address 198.51.100.178.
     • Federated identity broker logs created by ACME corporation contain additional details.
     • Now we know the EIP was created by an STS token issued from the corporation.
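The "roll a bit of code" step from slide 19, and the record correlation of slide 16, worked end to end as an added example (written for these notes, not code from the deck or an AWS tool): given a Config delivery file and a CloudTrail log file, look up the resource, read its relatedEvents, index CloudTrail by eventID and report what, when, who and where. The two JSON documents are constructed: the identity, source IP, user agent, event ID, request ID and capture time are the deck's sample values; the resource type, eventTime, eventName, responseElements, relationship entries and the second configuration item (whose event id is deliberately absent from the CloudTrail file, to show the failure mode of an event living in a different log file) are assumptions.

```python
import json
from datetime import datetime

# Constructed AWS Config delivery file. Field names follow the deck's excerpt; resource types,
# relationship entries, configuration bodies and the second item are assumed sample values.
CONFIG_HISTORY = json.dumps({
    "fileVersion": "1.0",
    "configurationItems": [
        {
            "resourceType": "AWS::EC2::EIP",
            "resourceId": "eipalloc-184efb7d",
            "awsAccountId": "222222222222",
            "configurationItemStatus": "ResourceDiscovered",
            "configurationItemCaptureTime": "2015-06-19T16:44:57.073Z",
            "relatedEvents": ["ac21dd8c-98fe-46f8-9fce-5b77ae607346"],
            "relationships": [{"resourceType": "AWS::EC2::Instance", "resourceId": "i-a1b2c3d4",
                               "relationshipName": "Is attached to Instance"}],
            "configuration": {"publicIp": "203.0.113.25", "domain": "vpc"},
        },
        {
            "resourceType": "AWS::EC2::Volume", "resourceId": "vol-1234567",
            "awsAccountId": "222222222222", "configurationItemStatus": "OK",
            "configurationItemCaptureTime": "2015-06-19T16:50:12.000Z",
            # Placeholder event id that is deliberately absent from the CloudTrail file below.
            "relatedEvents": ["00000000-0000-4000-8000-000000000000"],
            "relationships": [], "configuration": {"volumeType": "gp2", "deleteOnTermination": True},
        },
    ],
})

# Constructed CloudTrail log file for the same period. userIdentity, sourceIPAddress, userAgent,
# requestID and eventID are the deck's values; eventTime, eventName and responseElements are assumed.
CLOUDTRAIL_LOG = json.dumps({
    "Records": [{
        "eventVersion": "1.02",
        "userIdentity": {
            "type": "AssumedRole",
            "principalId": "AROAJXTPIKQ7QQEXAMPLE:bob-corpbroker",
            "arn": "arn:aws:sts::222222222222:assumed-role/NetManagerRole/bob-corpbroker",
            "accountId": "222222222222",
            "accessKeyId": "ASIAJOW7BLKIKEXAMPLE",
        },
        "eventTime": "2015-06-19T16:44:55Z",
        "eventSource": "ec2.amazonaws.com",
        "eventName": "AllocateAddress",
        "sourceIPAddress": "198.51.100.178",
        "userAgent": "acme-corp-netmgmt-internal/1.2.3.4",
        "responseElements": {"allocationId": "eipalloc-184efb7d", "publicIp": "203.0.113.25"},
        "requestID": "27508138-3475-4b6e-9429-88118eb1622b",
        "eventID": "ac21dd8c-98fe-46f8-9fce-5b77ae607346",
        "eventType": "AwsApiCall",
        "recipientAccountId": "222222222222",
    }]
})


def parse_aws_time(value):
    """Both services use ISO-8601 UTC; Config includes milliseconds, CloudTrail does not."""
    for fmt in ("%Y-%m-%dT%H:%M:%S.%fZ", "%Y-%m-%dT%H:%M:%SZ"):
        try:
            return datetime.strptime(value, fmt)
        except ValueError:
            continue
    raise ValueError(f"unrecognised timestamp {value!r}")


def config_items_for(config_json, resource_id):
    """What: every configuration item recorded for the resource (the Resource Lookup step)."""
    return [ci for ci in json.loads(config_json)["configurationItems"] if ci.get("resourceId") == resource_id]


def index_cloudtrail(trail_json):
    """Index CloudTrail records by eventID so a Config relatedEvents value can be looked up directly."""
    return {r["eventID"]: r for r in json.loads(trail_json)["Records"]}


def pivot_to_cloudtrail(config_json, trail_json, resource_id):
    """Answer what / when / who / where for a resource by joining Config to CloudTrail on eventID."""
    trail = index_cloudtrail(trail_json)
    findings = []
    for ci in config_items_for(config_json, resource_id):
        captured = parse_aws_time(ci["configurationItemCaptureTime"])
        for event_id in ci.get("relatedEvents", []):
            rec = trail.get(event_id)
            if rec is None:
                # The event may sit in another CloudTrail file; report the gap rather than guessing.
                findings.append({"resourceId": resource_id, "eventID": event_id, "missing": True,
                                 "captureTime": ci["configurationItemCaptureTime"]})
                continue
            identity = rec["userIdentity"]
            principal = identity.get("principalId", "")
            findings.append({
                "resourceId": resource_id, "eventID": event_id, "missing": False,
                "what": f'{ci["configurationItemStatus"]} via {rec["eventSource"]}:{rec["eventName"]}',
                "when": rec["eventTime"],
                "secondsToCapture": (captured - parse_aws_time(rec["eventTime"])).total_seconds(),
                "who": identity["arn"], "identityType": identity["type"],
                # For AssumedRole the part after ':' is the RoleSessionName chosen by the broker.
                "sessionName": principal.split(":", 1)[1] if ":" in principal else None,
                "where": rec["sourceIPAddress"], "userAgent": rec.get("userAgent"),
            })
    return findings


if __name__ == "__main__":
    for finding in pivot_to_cloudtrail(CONFIG_HISTORY, CLOUDTRAIL_LOG, "eipalloc-184efb7d"):
        print(json.dumps(finding, indent=2))
```

`secondsToCapture` is the timestamp pivot from slide 20: the CloudTrail eventTime should precede the Config capture time by a small margin, which is a useful sanity check when the same event ID is expected in a particular hourly CloudTrail file. A `missing` finding is the case where the right file has not been fetched yet.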
  23. You have fine-grained control of your AWS environment
     AWS Identity and Access Management (AWS IAM) enables you to securely control access to AWS services and resources
     • Control who can do what and when from where
     • Fine-grained control of user permissions, resources, and actions
     • Add multi-factor authentication
       – Hardware token or smartphone apps
     • Test out your new policies using the IAM policy simulator
  24. Segregate duties between roles with IAM (diagram)
     Region; Availability Zones; VPC A - 10.0.0.0/16 with Subnet 10.0.1.0/24 and Subnet 10.0.2.0/24; Router; Internet Gateway; Customer Gateway; Internet
     You get to choose who can do what in your AWS environment and from where
     • AWS account owner (master)
     • Network management
     • Security management
     • Server management
     • Storage management
     • Manage and operate
  25. Federate AWS IAM with your existing directories
     Keep control of who can do what on AWS using your existing directory
     • AWS IAM now supports SAML 2.0
     • Federate with on-premises directories like Active Directory or another SAML 2.0 compliant identity provider
     • Use Active Directory users and groups in AWS for authentication and authorization
     • For example, a ‘Network Administrators’ AD security group can have access to create and manage on-premises and AWS EC2 instances or Elastic IP addresses
  26. Thank You.
     This presentation will be loaded to SlideShare the week following the Symposium.
     http://www.slideshare.net/AmazonWebServices
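To make the "who can do what, when and from where" idea of slides 23-25 concrete, here is an added example (written for these notes; it is neither the deck's content nor AWS's policy engine): a constructed IAM-style policy for a network-management role, and a deliberately simplified evaluator that applies the three decision rules the IAM policy simulator also applies: implicit deny by default, an Allow only when its conditions hold, and an explicit Deny that wins over any Allow. The policy's action list, the corporate CIDR 198.51.100.0/24 and the deny on `iam:*` are assumptions for the example; the evaluator models only the `IpAddress`, `Bool` and `StringEquals` operators and matches action names case-sensitively, so use the real policy simulator for anything beyond this sketch.

```python
import fnmatch
import ipaddress

# Constructed policy for a network-management role (actions, CIDR and the iam:* deny are assumed
# sample choices, not the deck's). Elastic IP work is allowed only from the corporate range and
# only with MFA; IAM administration is explicitly denied so the role cannot widen its own rights.
NETWORK_MANAGER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["ec2:AllocateAddress", "ec2:AssociateAddress",
                       "ec2:ReleaseAddress", "ec2:Describe*"],
            "Resource": "*",
            "Condition": {
                "IpAddress": {"aws:SourceIp": "198.51.100.0/24"},
                "Bool": {"aws:MultiFactorAuthPresent": "true"},
            },
        },
        {"Effect": "Deny", "Action": "iam:*", "Resource": "*"},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, candidate):
    """IAM-style wildcard match for Action and Resource strings ('*' and '?')."""
    return any(fnmatch.fnmatchcase(candidate, p) for p in _as_list(patterns))


def _conditions_hold(condition, context):
    """Evaluate the subset of condition operators modelled here; a missing context key fails the condition."""
    for operator, pairs in (condition or {}).items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if actual is None:
                return False
            if operator == "IpAddress":
                ip = ipaddress.ip_address(actual)
                if not any(ip in ipaddress.ip_network(cidr, strict=False) for cidr in _as_list(expected)):
                    return False
            elif operator == "Bool":
                if str(actual).lower() != str(expected).lower():
                    return False
            elif operator == "StringEquals":
                if str(actual) not in [str(v) for v in _as_list(expected)]:
                    return False
            else:
                raise ValueError(f"condition operator {operator!r} is not modelled")
    return True


def evaluate(policy, action, resource, context):
    """Simplified IAM decision: implicit deny unless an Allow matches; any matching Deny wins."""
    decision = "ImplicitDeny"
    for statement in policy["Statement"]:
        if not _matches(statement["Action"], action):
            continue
        if not _matches(statement["Resource"], resource):
            continue
        if not _conditions_hold(statement.get("Condition"), context):
            continue
        if statement["Effect"] == "Deny":
            return "ExplicitDeny"
        decision = "Allow"
    return decision


# Constructed request contexts: the deck's broker session from its corporate address, with and without MFA.
CORP_WITH_MFA = {"aws:SourceIp": "198.51.100.178", "aws:MultiFactorAuthPresent": "true"}
CORP_NO_MFA = {"aws:SourceIp": "198.51.100.178", "aws:MultiFactorAuthPresent": "false"}
OUTSIDE_WITH_MFA = {"aws:SourceIp": "203.0.113.5", "aws:MultiFactorAuthPresent": "true"}

if __name__ == "__main__":
    for label, ctx in [("corp+MFA", CORP_WITH_MFA), ("corp, no MFA", CORP_NO_MFA), ("outside+MFA", OUTSIDE_WITH_MFA)]:
        for action in ("ec2:AllocateAddress", "ec2:RunInstances", "iam:CreateUser"):
            print(f"{label:14} {action:22} -> {evaluate(NETWORK_MANAGER_POLICY, action, '*', ctx)}")
```

The three contexts show the "when and from where" dimension: the same principal allocating an EIP is allowed from the corporate range with MFA, implicitly denied without MFA or from outside that range, and explicitly denied from any IAM action regardless of context. Separate policies of this shape for the security, server and storage roles from slide 24 are how the segregation of duties is expressed.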
