10. 1. web ACL 생성
ALLOW requests by def
ault, but…
2. Rule 추가
BLOCK if…
3. Conditions 부여
the source IP matches this
list…
4. CloudFront
연계
for any request to
d123.cloudfront.net.
AWS WAF 구성 절차
11. • IPSets
CIDR notation on octet boundaries:
• 192.0.0.0/8 – Matches 192.*.*.*
• 192.168.0.0/16
• 192.168.32.0/24
• 92.168.32.64/32 – 단일 IP 주소 조건 부여
• Strings and bytes
웹 요청의 어느 부분에 대해서도 시그니쳐 탐색 가능
적용 사례: Referrer whitelisting
Match conditions
12. • 웹 요청의 어느 부분에 대해서도 시그니쳐 탐색 가능
Host: www.example.com
User-Agent: Mozilla/5.0 (Macintosh; …
Accept: image/png,image/*;q=0.8,*/*;q=0.
5
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referrer: http://www.example.com/
Connection: keep-alive
AWS
WAF
RAW request headers
CloudFront
Check: Header “Referrer”
Match Type: Contains
Match: “example.com”
Action: ALLOW
Rule
String match condition
Good users
Match conditions: Strings and bytes
13. • 회피 기술을 무력화 하는 transforms
Host: www.example.com
User-Agent: bAdBoT
Accept: image/png,image/*;q=0.8,*/*;q=0.
5
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referrer: http://www.InTeRnEtkItTiEs.com/
Connection: keep-alive
AWS
WAF
RAW request headers
CloudFront
Check: Header “User-Agent”
Transform: To lower
Match Type: Contains
Match: “badbot”
Action: BLOCK
Rule
String match condition
Scraper bot
Match conditions: Strings and bytes
14. • 유해한 바이너리도 탐색 가능.
“iVBORw0KGgoAAAAN”
8950 4e47
0d0a 1a0a
0000 000d
bad.bin
1. 바이너리 파일 선정 2. Base64 인코딩 3. 검색 기준에 설정
$> base64 bad.bin
iVBORw0KGgoAAAAN
Match conditions: Strings and bytes
20. • 선수금 없음
• 한달 동안 web ACL 당 5$, rule 당 1$
• 백만 요청 당 $0.60
• 사례 :
테스트 환경 (1 rule): $6 / 월
작은 규모 (6 rules, 58M views): $46 / 월
중간 규모 (6 rules, 260M views): $167 / 월
요금 체계
24. • Agent 기반 - 어플리케이션 보안 수준 진단
• 빌트인 진단 rule 선택 적용
• 보안 진단 결과 – 가이드 제공
• API를 통한 자동화
AWS Inspector 란 무엇인가?
25. • 인프라에 대한 보안을 적용하는 것이 종종 비싸거나 효과적이지 않
기 때문에.
• Inspector 는 자동화되고, 반복적으로 적용하여 비용을 절감하고 효과적으
로 보안성을 높이도록 제작됨.
• 고객 서버, 서비스, 인프라의 보안을 강화하는데 주력해온 AWS의 보안 노
하우를 활용.
• 구체적으로 실행 가능한 해결책에 대해 자세하게 가이드.
왜 Inspector를 사용하는 것이 좋은가?
26. 1. EC2인스턴스 상에 하나의 서비스로서 설치.
2. 고객 어플리케이션에 대한 정보를 가지고 인스턴스에 대한 Tag
정보 입력.
3. Inspector의 ‘application’ 과 ‘assessment’ 구성.
4. Inspector 기동.
5. 고객 서비스 플로우 테스트.
6. Inspector를 중단하고 결과가 나올때 까지 설정된 시간동안 대기
.
7. 진단 결과를 받고 적절한 조치를 실행.
어떻게 이용하는 것인가?
27. • Agent – EC2상에 설치되는 Inspector 모듈
• Application – 지정된 Tag 에 의해 그룹핑된 한개 이상의 리소스 집
합
• Assessment – application상에서 실행될, 선택된 Rule 패키지와
Configuration 조합.
• Findings – 진단 결과.
• Rule 패키지 – 6가지 선택 가능 : CVE / Network / OS /
Application / PCI DSS / 인증
• 원격 측정(진단)
Inspector 의 개념
28. • CVE (common vulnerabilities and exposures) – 수천개 항
목
• Network security best practices - 4 항목
• Authentication best practices – 9개 항목
• Operating system security best practices – 4개 항목
• Application security best practices – 2개 항목
• PCI DSS 3.0 readiness – 25개 항목
Rule 패키지
29. • EC2 ‘UserData’ 활용
• AWS CloudFormation 활용
신규 인스턴스 생성 시 쉽게 agent 설치
기존 인스턴스들에도 agent 배포
• 기타 다른 ‘DevOps’ 도구들과 연동 : Ansible, Chef, Puppet, Salt
기존 인프라에 적용
• API를 활용: 리소스 그룹핑, 진단결과 관리, 진단 작업 시작/중단
등
자동화 팁!
30. • GA전 까지 FREE.
• 제한 조건
• Applications: 50
• Assessments: 500
• Agents: 500
• Linux only (AL2015+, Ubuntu 14.04+)
• us-west-2 region (US West [Oregon])
현재는 제한된 preview 버전!
31. • 다양한 rules 과 패키지 추가
• 연계 환경 추가
• AWS Config Rules과 함께,
• 고객의 AWS 구성정보에 대한 진단.
• 전체 환경(어플리케이션 + AWS 인프라)에 대한 진단.
• Trusted Advisor와 함께,
• 보다 많은 보안 관련 체크 제공
The big picture !
33. • 기록된 내역이 변경되는 것을 탐지하는 rules 설정.
• AWS가 제공하는 pre-built rules 사용.
• AWS Lambda를 활용한 커스텀 rule 지원
• 지속적인 진단수행을 자동화
• 컴플라이언스 시각화나 위험한 변경을 식별하기 위해 대쉬보
드 제공.
Config Rules(preview)
35. • AWS managed rules
AWS가 정의
minimal (or no) configuration 필요
AWS에 의해 관리되는 Rules
• Customer managed rules
AWS Lambda를 사용하여 정의
Rules들이 해당 account에서 실행됨
관리책임은 고객 몫
기록된 구성정보의 검증을 체크하는 한개의 rule.
Config Rule
36. • 변경작업에 의해 기동: Rules은 연관된 리소스가 변경될 때 기동.
Config Rules를 기동시키는 변경 작업들:
• Tag key/value
• Resource types
• Specific resource ID
e.g. ‘Production’으로 태깅된 EBS volume은 반드시 EC2 instance에 붙어 있어야 함.
• 주기적으로 기동: Rule이 지정된 빈도와 주기에 의해 실행됨.
e.g. 매 3시간 마다, 해당 Account가 3 대 이상의 “PCI v3” EC2 instance를 실행하고 있는지 확
인.
Config Rules - Triggers
37. 1. 모든 EC2 instance들은 반드시 한개의 VPC상에 존재하여야 한다.
2. 모든 attached EBS volume들은 KMS ID를 가지고 반드시 암호화되어야 한
다.
3. CloudTrail은 반드시 활성화되어 있어야 하고, 선택적으로 S3 bucket, SNS to
pic, CloudWatch Logs와 함께 구성되는 것을 권장한다.
4. Attach 된 상태의 모든 security group은 반드시 port 22를 포함한 지정된 포
트에 대한 무제한 접근을 방지해야 한다.
5. VPC안에 사용을 위해 할당된 모든 EIP들은 반드시 인스턴스에 할당되어 있
어야 한다.
6. 모든 모니터링 되는 리소스들은 적절하게 tag keys:values로 태깅되어 있어
야 한다.
AWS managed rules
38. • 고객사 프랙티스를 자동화 하기 위해 코드로 구현.
• AWS Lambda에 관련 샘플로 간단히 시작 가능.
• 보안 베스트 프랙티스와 컴플라이언스를 위한 가이드 라인 구현.
• AWS파트너가 생성한 Rule도 활용가능.
• 단일 대쉬보드 상에 정리된 형태의 컴플라이언스 뷰를 제공.
Custom rules
39. Resource Type Resource
Amazon EC2 EC2 Instance
EC2 Elastic IP (VPC only)
EC2 Security Group
EC2 Network Interface
Amazon EBS EBS Volume
Amazon VPC VPCs
Network ACLs
Route Table
Subnet
VPN Connection
Internet Gateway
Customer Gateway
VPN Gateway
AWS CloudTrail Trail
Identity and Access Management IAM Users
IAM Groups
IAM Roles
IAM Customer Managed Policies
Amazon EC2 Dedicated Hosts
지원되는 리소스 타입
40. • 월간 Active Rule의 갯수를 기반으로 과금.
Active Rule 당 월 $2.00 과금됨
(Rule 당 Evaluation 수가 20,000건을 넘으면 Evaluation 당 $0.0001 추가 과
금)
• Evaluation: 해당 Rule/리소스에 대한 1회의 결과. 한개의 Account안
에서 Rule간 Evaluation 결과는 공유될 수 있음.
• Active rule: 최소 월 1회의 evaluation 이 실행된 Rule.
• AWS Lambda를 통해 커스텀 Rule을 실행할 수도 있음(Lambda비용
별도)
Config Rules pricing
41. AWS Security and Compliance
클라우드 자체의 보안
클라우드 위의 환경에 대한
보안을 지원하는 서비스와
도구들
Service Type Use cases
On-demand evaluation
s
EC2 상에서 운영중인 어플리케
이션 환경에 대한 보안 점검
Continuous evaluations
내부 베스트 프랙티스의 코딩화,
관리실수/보안취약점 조치 또는
변경에 따른 대응 절차
Periodic evaluations
비용, 성능, 가용성, 보안에 대한
전반적인 체크
Inspector
Config Rules
Trusted Adviso
r
AWS 보안 서비스/도구: 사용처?
Many WAFs have high start-up costs both in terms time and in money
There’s often a high-minimum cost to get started for a website
and many solutions require complex initial rule configuration
And once you get a rule set, that’s just the beginning.
Customer told us they often have to continuously complex rule sets, and usually just things simple to avoid false positives.
Customers tend to fall back to a set of bread and butter mitigations:
-IP Blacklists
-Virtual patching at the ready –
-SQLi and XSS protection
Many AWS customers have adapted a DevOps service team model, where dev teams manage infrastructure and code deployment. These teams rely on automated deployment and need APIs to integrate with WAF.
APIs same also give customers the ability to automate their Security operations
To give customers automated reactive mitigations that find bad actors through log analsysis and add them to blacklists.
Or to have an easy way to automatically deploy a patch to block a new zero-day exploit
Block or allow web requests based on IP addresses, string matches, SQL injection or any combination of those criteria.
You can use WAF to monitor security events with new 1 minute CloudWatch metrics and alarms that can alert you when certain types of traffic hits your website.
You can use sample raw requests to see header details to help you create better WAF rules.
AWS WAF launches with a new API and new management console dedicated to web application firewall rule configuration and monitoring
You can deploy those rules to CloudFront distributions, which are often used by customers are part of their web application stack
AWS WAF gives customers the web security features they need, but with a unique approach to security:
Setting AWS WAF is a simple 4 step process
Create a WebACL,
A WebACL which is the top-level entity in the AWS WAF.
and set you default action, which for most customer is a default of ALLOW
---
Then Add a Rule to Block If
---
Specific conditions match that web request
---
Destined to my CloudFront distribution
AWS supports IP ranges in CIDR notation on octet boundaries.
Well-behaved browsers pass along a Referer header to let the web server from which site the browser is requesting content.
Some customers want to enforce a policy that limits content viewers to only the people on their website.
Whitelisting a specific set of referers is a simple way to prevent a form of content abuse.
To configure a referer whitelist with AWS, you’ll use a string match set
and will configure the string match set to inspect the referer header
using a contains style search for
in this case, example.com
And you’ll associate that string match set with a rule who’s action is set to ALLOW the request.
To get around that, we provide transform instructions within AWS WAF match sets.
In this example, we’ll use a to lower directive to always set the input string to lower.
You’re not limited to strings, you can search for arbitrary bytes.
That’s handy because sometimes attackers accidently inject non-printable characters into their headers.
Or you may need to stop a bit of malicious binary from making it into your servers
Here’s a walk through of the order of operations.
First our condition will URL Decode the query string.
Then the built-in SQL injection match condition checks for valid SQL statements, not just simple SQL keywords.
So you should see a lot less false positives with this rule that other SQLi detection systems that look only for simple key words
Let’s allow our Pen testers to do whatever they want with our website but whitelisting their IP ranges.
Emphasize rule order
You can of course assign one WebACL to multiple distributions, but you can reuse other parts of the WebACL too.
For instance, let’s say we have two CF distributions. Each dev team wants to maintain its own security rules. But the security wants the ability to update one rule to deploy patches to new vulnerabilities. You can do that with AWS WAF.
I’ve got a set of SQL injection attempts I’ll kick off in the back ground.
Lots to cover, these walk through slides will probably need at least one slide per bullet point.
With Count rules you can multiple layers of visibility.
First are CloudWatch metrics, this is you high-level signal for activity.
Next, sampled requests let you see specific details about the requests hitting your page.
Finally, after analysis, you may decide these bots shouldn’t be using your web server resources.
Agent Based – focused on the instances rather than AWS Configuration -> See AWS Config & Config Rules for more in that area.
Test your infrastructure and applications for potential security issues..
Provides guidance based on any findings identified.
Choice of policy packages for assessing infrastructure and applications.
Shared responsibility model, Shift in separated model, AWS and Customer responsibilities.
WHAT’S IN IT FOR THE CUSTOMER
I want to convince you that everyone should run this and reduce their overheads in addressing security manually.
Running internet and internal facing services is hard. There are always changes, new patches, new issues to address. Wouldn’t it be great if there was a service to do the lifting for you.
There is a lot information to understand when trying to secure your services, expert area, security engineers are not common. Many companies don’t have them on their teams and need to bring in external help. wouldn’t it be helpful if someone could distill it for you.
When you spend money on security (or bring in external help), a service like Inspector allows you to focus on the new or unique feature areas of your product over the infrastructural areas
Configure assessment, select groups of tags, select policies. Policies at launch may include AWS Best Practices. E.g. appropriate access checks. Critical Security Checks – ensure most important security measures (patches, OS configuration) are in place etc.
Application – Group of resources identified by one or more tags. (LP: EC2, us-west-2)
Assessment – A selection of rules packages and configuration running on an application.
Rules Packages(CVE + *** 1 other ***)
CVE (Common Vulnerabilities and Exposures)
Network Security Best Practices
Authentication Best Practices
Operating System Security Best Practices
Application Security Best Practices
PCI DSS 3.0 Readiness
CloudFormation fragment showing installation of agent on AL. For non-users of AL explain how this would work without cfn-init.
Explain how to use tools to gather a file from S3 and execute it for (same as CFN but different provisioning step for infra).
APIs overview – show calls that would create resource groups and manage them, manage findings. Start and stop assessments.
Total agents: xxx
Simultaneous assessments: xxx
Total assessments: xxx
Agents per assessment: xxx
AWS Config Rules Session unfortunately the same time as this
Look at our YouTube channel after the event and our slideshare
Talk about AlertLogic, add their material to the deck.
Every change to a resource causes a new configuration item to be created that captures the new configuration of the resource