AWS Compliance-as-Code Guide

© 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Your first compliance-as-code
Shogo Matsumoto
Senior Security Consultant
Professional Services, Public Sector
Amazon Web Services Japan
G R C 3 0 5 - R

Welcome!
Shogo Matsumoto
Senior security consultant,
AWSJ public sector professional services
IS auditor, ex-PCI DSS QSA
My favorites: AWS Artifact, AWS Config
CISA, CISSP, MBA
(University of Massachusetts Lowell)

About Me:
Youssef is a cybersecurity expert specializing in defense-in-depth
strategies and cybercrime investigation tactics. With over 15 years of
professional hands-on experience in various advanced security
engagements.
Youssef provides thought leadership across multiple Security
Consulting & Delivery domains. This includes Security Strategy, Risk,
Compliance, Security Assessments, Incident Response and Threat
Hunting. Previously he was the head of cybersecurity operations for
IBM in APJ.
Youssef Elmalty
Head of Security Consulting
ymmalty@amazon.com

Our goal:
Say hello to the AWS security, risk,
and compliance world.
This session is (mainly) for:
Auditors (compliance)
– Don’t know much about AWS and
coding
Create compliance check just the same as AWS Config rules

Agenda
• Problem finding and goal setting
• Prepare your audit environment
• Check that your critical services are enabled
• Stand on the shoulders of giants
• Conclusion

Responsibility gap: Each role has securityresponsibility
DEV: Develop and improve securely and with agility
OPS: Manage infrastructure or app securely, admin task
SEC:
Sec Engineer: Develop with security point of view
Pentester: Find potential vulnerability
Analyst (CSIRT): Manage security infrastructure and response
Compliance : Manage governance and security management
Auditor: Find failure for seeking root cause

Traditional limitations of audits
• Sampling based
• Don’t stop the business
• Fewer human resources

Current challenge of information security audits
• Scale
• Complex
• Frequent changes

How to be auditable?

AWS infrastructure: Transparency
• Sampling based
• Don’t stop the business
• Fewer human resources
• Scale
• Complex
• Frequent changes
• Programmable (API)
• Real-time compliance
• Automation
• Scalable
• Segregation of duties
• Event driven
Traditional approach AWS capability

First step: AWS Trusted Advisor
Recommendations &
action links

Introduction: Customer story in re:Invent session
https://www.youtube.com/watch?v=VR_4209ewIo

Be compliant-as-code
a.k.a. The state of meeting rules or standards
via a programmatic test-driven approach

Checklist Codified Checklist
Audit Continuous Visibility

Benefits
Scale consistently to all
customers
Focus time and resources
on value
Part of
day-to-day

AWS security services are helpful, but they require some
flexibility
Every cloud journey is unique
Every compliance may be unique

Considering “reinvent the wheel”
Reinvent the wheel (Understanding how it works)
Objective: Dive deep, long-term investment
Don’t reinvent the wheel (Your effort has already been done by someone else.)
Objective: easy to use, agility

Our goal (again):
Say hello to the AWS security, risk, and compliance world
Let’s move to your first step to compliance-as-code

Management Console Access
https://amzn.to/2N96EpE
Login UserName: Fenway**
Password: B0st0nStr0ng
You can access to Config and Session Manager

Login to your Audit Bastion
Go to “AWS Config”
Check the result of Config rules
Go to “Systems Manager”
Go to “Session Manager”
Press “ “, then you can find Fenway** instances:
Select ** is equal to your user name

Traditional approach
Setup your local PC with AWS credentials
Setup bastion and your local PC to connect SSH connection
Issues:
SSH key management and network
Preparation for local PC(SSH clients, AWS CLI, credentials and etc…)
Activity Logging and monitoring for auditors

Traditional approach
Set up your local PC with AWS credentials
Set up bastion and your local PC to connect to an SSH connection
Issues:
SSH key management and network
Preparation for local PC (SSH clients, AWS CLI, credentials, etc.)
Activity logging and monitoring for auditors

AWS Systems Manager: Session Manager
Secure access to your instances
No need to open SSH port
Less preparation for audit tasks
Keeps your local PC clean
Log and monitor auditor’s activity

AWS Cloud9: Cloud-based IDE
Browser-based IDE
Direct terminal access to AWS
Local (Amazon EC2 in VPC)
environment
Environment is already set up
Auto termination (default 30 min.)
Keeps your local PC clean

Preparation
Create your audit AWS account and AWS Identity and Access Management (IAM)
user (via AWS Organizations)
• Your security sandbox: Building your fundamentals
Tips: IAM setting:
Cross-account access
Role: Not only “security audit” policy
Set: Critical security services
• AWS CloudTrail
• AWS Config
• VPC flow logs
• Amazon S3 data events
• Elastic Load Balancing/Application Load Balancer access logs
• Amazon GuardDuty

Wait a minute to browse management console

AWS Command Line Interface
(AWS CLI)
Unified tool for managing your AWS services
Cross-platform (MSI, bundled installer, pip)
150+ top-level AWS CLI commands

Why AWS CLI ? (Auditor’s perspective)
Scripting what you audit:
The AWS CLI is an open source tool that enables you to interact with AWS services using
commands in your command-line shell. With minimal configuration, you can start using
functionality equivalent to that provided by the browser-based AWS Management
Console from the command prompt in your favorite terminal program:
• Linux shells—bash, zsh, and tsch to run commands in Linux, macOS, or Unix.
• Windows command line—PowerShell or at the Windows command prompt.
• Remotely—Run commands on Amazon EC2 instances through a remote terminal
such as PuTTY or SSH, or with Systems Manager.

Logging what you audited: Audit trail
Commands to interact with the history of AWS CLI commands run over time. To
record the history of AWS CLI commands set cli_history to enabled in the
~/.aws/config file. This can be done by running:
$ aws configure set cli_history enabled

Check uncovered resources and avoid service cost
Amazon API Gateway
Amazon CloudFront
Amazon CloudWatch
Amazon DynamoDB
Amazon EC2
Amazon EBS
Amazon Redshift
Amazon RDS
Amazon S3
S3 bucket attributes
Amazon VPC
AWS Auto Scaling
AWS Certificate Manager (AWS ACM)
AWS CloudFormation
CloudTrail
AWS CodeBuild
AWS CodePipeline
AWS Elastic Beanstalk
IAM
AWS Lambda function
AWS Service Catalog
AWS Shield
Systems Manager
AWS WAF
AWS X-Ray
ELB
E.g., AWS Config supported AWS resource types and resource relationships

Example: Is AWS Config enabled?
$ aws configservice get-status
Ensure AWS Config is enabled (record the AWS changes)
aws [options] <command> <subcommand> [parameters]
https://docs.aws.amazon.com/cli/latest/reference/index.html#

Help and AWS CLI command reference
To see help text, you can run:
aws help
aws <command> help
aws <command> <subcommand>
help
Command reference is a good
resource
https://docs.aws.amazon.com/cli/latest/reference/index.html

Output option
--output (string)
The formatting style for command output
* JSON
* text
* table
$ aws ec2 describe-instances
Compare output between JSON and table
$ aws ec2 describe-instances –-output table
Compare output between JSON and table

Query option
--query (string)
A JMESPath query to use in filtering the response data
http://jmespath.org/tutorial.html

Challenge: List your instances
$ aws ec2describe-instances
$ aws ec2 describe-instances --query "Reservations[].Instances[].[InstanceId]"

Example: Using AWS Config via AWS CLI
$ aws configservice list-discovered-resources --resource-type
"AWS::EC2::Instance" --query "resourceIdentifiers[].resourceId“
Using AWS Config, you also can describe AWS resource information

AWS Config rules
$ aws configservice describe-config-rules --query "ConfigRules[].ConfigRuleName"
Check “cloud-trail-log-file-validation-enabled” on the list
$ aws configservice start-config-rules-evaluation --config-rule-names cloud-trail-
log-file-validation-enabled
Start evaluation
$aws configservice get-compliance-details-by-config-rule --config-rule-name
cloud-trail-log-file-validation-enabled
View the result
Example: https://docs.aws.amazon.com/config/latest/developerguide/cloud-trail-log-file-validation-enabled.html

Challenge: Evaluation by yourself without AWS Config
https://docs.aws.amazon.com/cli/latest/reference/cloudtrail/index.html

Example: CloudTrail—is ‘LogFileValidationEnabled’ set?
$ aws cloudtrail describe-trails --query
"trailList[*].[Name,LogFileValidationEnabled]"
Ensure only LogFileValidationEnabled is set to true
$ aws cloudtrail describe-trails --query
"trailList[*].[Name,LogFileValidationEnabled]" --output table
Easier to report

Good job!
This control is a required CIS benchmark.
CIS Amazon Web Services Foundations
Benchmark version 1.2.0 shows a lot of
examples to review your environment by
AWS CLI via the console.
But you can dive deeper from now on.
https://www.cisecurity.org/benchmark/amazon_web_services/

Custom rules repository
https://github.com/awslabs/aws-config-rules

I’m happy to announce to you
https://aws.amazon.com/jp/blogs/aws/new-updated-pay-per-
use-pricing-model-for-aws-config-rules/

Where to start
AWS tools:
• AWS Trusted Advisor
• Amazon Inspector
• Amazon GuardDuty
• AWS Security Hub
• AWS Well-Architected Tool
Public standard and regulations
• CIS center for internet security
Open source tools:
• Scout2
• Prowler
• CS-suite
Commercial tools
• CloudCheckr
• Cloud Conformity

Trusted Advisor (security)

GuardDuty

Security Hub

AWS Well-Architected Tool

Manual audit

Manual audit (Cont.)

Set of security configuration best practices for hardening AWS accounts, and
provides continuous monitoring capabilities for these security configurations
CIS is developed by experts in US government, business, industry, and academia
to help organizations assess and improve security.
Center for internet security

Prowler

Scout2

CS Suite

CloudCheckr

Cloud Conformity

Third-party tools
Cloud Custodian
https://cloudcustodian.io/
PacBot
https://github.com/tmobile/pacbot
ScoutSuite
https://github.com/nccgroup/ScoutSuite
Insightwatch (Japanese language)
https://insightwatch.io/

In summary
• You don’t need to reinvent the wheel, but
if you know how it works, you can
understand the true value
• Let’s test your AWS CLI work as your first
compliance-as-code
• Transparency and shared responsibility in
your organization will help your auditors to
work more effectively and efficiently

In the next 90 days
• Have fun at re:Inforce
• Review and report your lessons learned
• Check AWS security services to help your
compliance
• Create your AWS security sandbox
• Discuss with your security staff/engineers how to
establish compliance baseline
• Build your organization’s compliance-as-code in
an agile manner

Thank you!
Shogo Matsumoto
matshogo@amazon.co.jp

AWS Compliance-as-Code Guide

Recomendados

Recomendados

Mais conteúdo relacionado

Mais procurados

Mais procurados (20)

Semelhante a AWS Compliance-as-Code Guide

Semelhante a AWS Compliance-as-Code Guide (20)

Mais de Amazon Web Services

Mais de Amazon Web Services (20)

AWS Compliance-as-Code Guide