re:Invent 2017 security review

2017.12.03

RSS feed

Amazon’s big conference happened in Las Vegas this past week where they announced a number of new services and features (link), and hosted a ton of presentations. So far there are over 600 videos on youtube here from the past week, and not all talks are up yet. Using Amazon’s own site, you can narrow in on the security and compliance videos and also links to slides for some, but there are still 128 sessions (link).

Multi-account strategy

The big theme for new videos this year was a focus on using multiple AWS accounts. AWS has been advocating this for a while, but hasn’t provided much of an explanation of how to manage all those accounts. Some example talks on this topic:

GuardDuty

The big security service announced is GuardDuty (video). This service monitors your CloudTrail logs, VPC flow logs, and DNS logging. It does all this without you needing to actually turn on these things, such as VPC flow logs. These alerts are recorded in the console, and to CloudWatch Events, so you’ll still need something to pull these alerts from CloudWatch events and email them to you or send Slack messages. You also cannot add or change their rules, so you’ll still want to use something like StreamAlert to monitor CloudTrail with your own rules, and to send these GuardDuty alerts to your Slack channels. At $4/mo for the CloudTrail monitoring and a few dollars for the other monitoring, and with turning it on being just a single click, this is an awesome new addition.

The service comes with 33 rules currently. Some of which require you to have uploaded a list of black-listed IPs, so expect to see some AWS specific threat intelligence offerings. Some rules are based around AWS controlled lists of IPs, such as Tor exit nodes or malicious C2 servers (it gets those from Proofpoint and CrowdStrike). Some rules are for potentially concerning actions, such as weakening a password policy, or turning off CloudTrail. Some of the rules use additional logic that is more difficult to write yourself, such as a “superman” check, where it looks for logins within a short time from different geographical areas. Other checks include looking for console access from new ASNs (ie. IP ranges) or using temporary IAM role credentials outside of AWS’s IP ranges. You can read about the rules it has in the user guide.

Note that GuardDuty is regional, meaning you need to turn it on in each region, much like CloudTrail once was.

Patrick Olsen put together a good walk-through with screenshots of this tool here.

Other new features

  • Cross-region VPC peering: This is huge. Previously, if you had two regions that you wanted to talk to each other, you either needed to expose services in those region publicly, possibly setting up Security Group’s with IP-based restrictions, or the more common solution was to set up VPN tunnels between the regions. AWS talked a bit this year about how all your services should be performing authentication and you shouldn’t really be using network based access control like Security Groups, but for many that’s not going to happen, so this is a big security win for removing the need to maintain VPNs and have less complicated network security rules.
  • FreeRTOS: Amazon has been pushing into the IoT space with things like Greengrass, and a number of announcements this past week were IoT specific, with the biggest one being this Amazon version of the popular real-time operating system to ensure updates are code-signed and TLS encrypted, that sensitive data can be securely stored on the device, and other benefits. Amazon also announced they’ll soon be releasing a new service called IoT Device Defender which will perform some monitoring and alerting of anomalies happening with IoT devices, but there aren’t many details yet.
  • Managed rules for AWS WAF: AWS WAF previously was an awkward service because you had to create all the rules yourself and set them up on your own so it wasn’t clear what the service was really buying for you versus just getting some other third-party WAF. Now there is an AWS Marketplace of managed rules that you can subscribe to, making this much easier and more useful.
  • AWS Systems Manager: EC2 Systems Manager is now AWS Systems Manager, and the new benefit it provides is the ability to create resource groups that are just logical groupings of resources across different services, such as EC2 instances, S3 buckets, and RDS databases, that are related to one application. You can then easily see things like changes that have happened to just those resources. There is very little info about this yet, but this may help better keep track of, and segment, the resources people can interact with.
  • NTP Service: Being able to make sense of logs requires clocks be kept in-sync, and so many have had to run their own NTP service within their private VPCs, but not anymore, as you can now access 169.254.169.123 for the NTP service.
  • Updates to QuickSight: QuickSight is like Kibana for making dashboards for those familiar with the ELK stack, but works across a variety of data sources (such as logs stored in S3 buckets via Athena). This service has been around since 2015, but the new updates include allowing QuickSight to work on data inside VPCs without them needing public end-points, and being able to show flat tables of data, instead of just graphs.
  • PrivateLink now allows custom endpoints. This means you could create an application that is exposed to EC2’s privately in a VPC, and additionally can expose those services to other AWS customers through the marketplace without needing to deal with your own authentication on those services.

Customer talks

In addition to announcements and training from AWS, a big part of re:Invent is letting customers show off what they are doing in AWS.

Cloud Inquisitor

Riot Games open-sourced their tool Cloud Inquisitor (code, video, blog). It’s similar in a lot of ways to Capital One’s Cloud Custodian in that it scans through accounts looking for things that are not in compliance with the company’s rules. I’ve previously written about some of the free tools for AWS including Cloud Custodian and Security Monkey which are all fairly similar in my article Free tools for auditing the security of an AWS account.

Like Cloud Custodian, Cloud Inquisitor allows the user to create custom rules that are stored in source control, and for resources that are not in compliance, it can take action, such as deleting EC2’s that haven’t been tagged properly. Where Cloud Inquisitor differentiates itself is:

  • It looks for resources that could be domain hijacking (ie. subdomain take-over) opportunities. For example, if you have a CloudFront resource that a Route53 sub-domain is pointing at, and you delete that CloudFront resource, but not the Route53 record, then someone could use that for subdomain take-over, as explained in this post The Principles of a Subdomain Takeover from sweepatic. Cloud Inquisitor is the only tool I know of for detecting this.
  • Cloud Inquisitor is focused on notifying the owners of resources with warnings about their non-compliance. Most tools only inform the security teams, so this is a huge improvement for reducing the load on security teams.

Repokid

Netflix previously released Repokid back in June with their intro post Introducing Aardvark and Repokid. This tool looks at Access Advisor, CloudTrail, and S3 access logs to determine the least privileges for IAM policies for users and roles based on what they have historically used, and automatically applies these new policies. Patrick Kelley and Travis McPeak discuss this tool in their talk Using Access Advisor to Strike the Balance Between Security and (SID316)