Public-cloud customers have multi-account architectures (e.g. a landing zone) to give their DevOps teams autonomy and speed. Meeting central security requirements for governance and compliance in this environment is a challenge. Nuvibit Semper supports the journey from DevOps to DevSecOps team by allowing the application team to specify security requirements and apply them directly. Different requirements for e.g. Dev, Test and Prod can be specified with policies. The solution shows what can be achieved with AWS-native security services.
22. Who is Nuvibit?
• Nuvibit AG
• Founded in 2021 in Switzerland
• 100% Focus on AWS
• Focus on large AWS Multi-Account Environments and Security
• Addicted to Everything as Code
24. AWS has cool native Services
Fully integrated Security Standards:
• AWS Foundational Security Best Practices v1.0.0: 143 controls per account
• CIS AWS Foundations Benchmark v1.2.0: 43 controls per account
• PCI DSS v3.2.1: 45 controls per account
More than 100 threat-detections for:
• EC2
• IAM
• S3
• Kubernetes
AWS Security Hub
Amazon GuardDuty
Amazon CloudWatch Logs Insights
25. How do you monitor the CIS AWS 3.x controls?
• 3.1 Monitor for unauthorized API calls
• 3.2 Monitor for AWS Management Console sign-in without MFA
• 3.3 Monitor for usage of root account
• 3.5 Monitor for CloudTrail configuration changes
• 3.6 Monitor for AWS Management Console authentication failures
• 3.7 Monitor for disabling or scheduled deletion of customer created CMKs
• 3.8 Monitor for S3 bucket policy changes
• 3.9 Monitor for AWS Config configuration changes
• 3.10 Monitor for security group changes
• 3.11 Monitor for changes to Network Access Control Lists (NACL)
• 3.12 Monitor for changes to network gateways
• 3.13 Monitor for route table changes
• 3.14 Monitor for VPC changes
Control Details
Nuvibit Blog Post
26. Customer Challenges we faced
• General Security Controls are not applicable to all workloads (i.e. sandbox accounts)
• Some workloads require custom Security Controls
• Large amounts of false positives / accepted findings clutter our monitoring
• Transparent customization of Security Controls and Findings
• Fast rollout of new Security Controls (in a large set of accounts)
• From Paper Policies to reproducible Results (Security as Code)
27. Your AWS Accounts are heterogeneous!
You need good Tailoring!
1. AWS Foundational Security Best Practices standard
2. CIS AWS Foundations Benchmark controls
3. PCI DSS controls
28. Cluster your AWS Accounts
AWS Account comes with:
• Account ID
• OU-ID
• Account Tags
Security / Foundation Team
Workload A Team
29. Use Case - Root Login In Production & Core
• CIS AWS 3.3 Benchmark: Monitor for usage of root account
• Security Team: In Production- & Core Accounts the security control must generate an alarm
Security / Compliance Team
30. Use Case - Security Group
Security / Compliance Team
Workload A Team
Workload X Team
• CIS AWS 3.10: Monitor for Security Group changes
• Security Team: Only in Production accounts monitor for Security Group changes
• Workload A Team: For Production Workload A filter out inbound TCP port 80 / 443 rules
• Workload X Team: For Production Workload X alarm on inbound TCP port 22 (SSH) rules
32. Use Case - Security Group
Security / Compliance Team
Detect Condition
• Only in Production accounts monitor for Security Group changes
33. Use Case - Security Group
Workload A Team
Drop Condition
• For Production Workload A filter out inbound TCP port 80 / 443 rules
34. Use Case - Security Group
Workload X Team
Response Instruction
Condition
• For Production Workload X alarm on inbound TCP port 22 (SSH) rules
Response-Examples:
• Notification
• Alarming
• Ticket
• Auto-Remediation
36. Use Case - Security Group - Demo
Security / Compliance Team
Workload A Team
Workload X Team
• CIS AWS 3.10: Monitor for Security Group changes
• Security Team: Only in Production accounts monitor for Security Group changes
• Workload A Team: For Production Workload A filter out inbound TCP port 80 / 443 rules
• Workload X Team: For Production Workload X alarm on inbound TCP port 22 (SSH) rules
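The three-team Security Group use case (Detect condition, Drop condition, Response condition, each scoped to an account cluster by tags) as an added illustration; this is not SEMPER code and not its policy format, and the account IDs, tag keys (`Environment`, `Workload`) and the trimmed CloudTrail-style records are constructed.

```python
# Added illustration, not SEMPER code: Detect -> Drop -> Response evaluation
# of one CloudTrail record against tag-scoped policies (shape is hypothetical).
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Account:
    account_id: str   # constructed sample values below
    tags: dict        # account tags used for Policy-Scope (account clustering)

# EC2 API calls that CIS AWS 3.10 treats as security group changes
SG_EVENTS = {"AuthorizeSecurityGroupIngress", "AuthorizeSecurityGroupEgress",
             "RevokeSecurityGroupIngress", "RevokeSecurityGroupEgress",
             "CreateSecurityGroup", "DeleteSecurityGroup"}

def tcp_ports(event: dict) -> set:
    """TCP ports named in requestParameters.ipPermissions of the record (empty if none)."""
    items = event.get("requestParameters", {}).get("ipPermissions", {}).get("items", [])
    ports = set()
    for perm in items:
        if perm.get("ipProtocol") == "tcp":
            ports.update(range(int(perm["fromPort"]), int(perm["toPort"]) + 1))
    return ports

def in_scope(acct: Account, scope: dict) -> bool:
    """Policy-Scope: every required tag value must match the account's tags."""
    return all(acct.tags.get(k) == v for k, v in scope.items())

# Security team: detect SG changes only in Production accounts
DETECT = [{"scope": {"Environment": "Production"}, "match": lambda e: e.get("eventName") in SG_EVENTS}]
# Workload A: in Production Workload A, drop rules that open only TCP 80/443
DROP = [{"scope": {"Environment": "Production", "Workload": "A"},
         "match": lambda e: bool(tcp_ports(e)) and tcp_ports(e) <= {80, 443}}]
# Workload X: in Production Workload X, alarm when TCP 22 (SSH) is opened
RESPONSE = [{"scope": {"Environment": "Production", "Workload": "X"},
             "match": lambda e: 22 in tcp_ports(e), "action": "alarm"}]

def evaluate(acct: Account, event: dict) -> Optional[str]:
    """None = not detected, 'dropped' = filtered out, else the response action."""
    if not any(in_scope(acct, p["scope"]) and p["match"](event) for p in DETECT):
        return None
    if any(in_scope(acct, p["scope"]) and p["match"](event) for p in DROP):
        return "dropped"
    for p in RESPONSE:
        if in_scope(acct, p["scope"]) and p["match"](event):
            return p["action"]
    return "notification"   # default response when no response policy matches

def sample_event(from_port: int, to_port: int) -> dict:
    """Constructed AuthorizeSecurityGroupIngress record, trimmed to the fields used."""
    return {"eventSource": "ec2.amazonaws.com", "eventName": "AuthorizeSecurityGroupIngress",
            "requestParameters": {"groupId": "sg-0123456789abcdef0", "ipPermissions": {"items": [
                {"ipProtocol": "tcp", "fromPort": from_port, "toPort": to_port,
                 "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}}

PROD_A = Account("111111111111", {"Environment": "Production", "Workload": "A"})
PROD_X = Account("222222222222", {"Environment": "Production", "Workload": "X"})
DEV_A = Account("333333333333", {"Environment": "Dev", "Workload": "A"})
```

Note that a single rule spanning ports 80 to 443 is not a "port 80 / 443 rule" and is therefore not dropped for Workload A; the drop condition compares the full port set, not just its endpoints.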
37. SEMPER in a nutshell
1. Detect YOUR findings
2. Enrich YOUR findings with context
3. Filter out unnecessary findings
4. Manage YOUR Response to findings
Shift Left AWS Security with Security as Code
42. A solid AWS Foundation helps – a lot
Foundation Team
Workload Team
Workload Team
Security Team
• Nuvibit Cloud Foundation Map
• Nuvibit Reference architecture for AWS Multi-Account Customers
• AWS Landing Zone
49. Our Paradigm: Security as Code
• McKinsey - Security as code: The best (and maybe only) path to securing cloud applications and systems
Because it is the most effective approach to secure cloud workloads with speed and agility!
Context-Driven Configuration and Processing
• Gartner - Using Cloud-Native ‘Policy as Code’ to Secure Deployments at Scale
50. SEMPER Policy Types
Demo SEMPER – Policy-Scope
Account-Clusters via Policy-Scope
Configure Policies
Filtering-Exclude Policies
Response Policies
52. SEMPER Demo – Use Case IAM
Use Case – Observe IAM Roles
• Security Team: In the whole AWS Organization monitor for IAM Role changes
• Workload A Team: In Production Workload A account IAM Roles must have a Boundary Policy attached
Security / Compliance Team
Workload A Team
53. SEMPER Demo – Use Case IAM
Security / Compliance Team Workload A Team