Going Bananas for Cloud Security - Auditing and Monitoring your AWS deployment with security_monkey

Presented at AppSec USA 2015, Sept. 25, 2015, 11:30 a.m. (55 minutes).

Engineers at Netflix enjoy great freedom to deploy their applications without much interference from the security team. This hands-off approach works well: it enables quick deployments and nimble experimentation, and lets the security team be seen as enablers, or "securitators". Every change to our AWS environment is tracked and audited for security violations by a tool called security_monkey. Security_monkey watches dozens of AWS accounts for modifications across a number of services, including IAM, S3, ELB, SSL certificates, SES, SNS, SQS, and EIPs. Security_monkey also keeps a historical record of every change and shows diffs; the record is stored as JSON, which makes it easy to back up and restore. Security_monkey audits your environment for configurations that have security implications; unlike Trusted Advisor, whose emphasis is cost savings, its focus is squarely on security. Security_monkey will help you understand the interconnectivity and access rights between your various AWS accounts. Security_monkey was open sourced in June 2014 and continues to grow. This talk will discuss how security_monkey is used to prove "the firewall" didn't break your environment at 2am, how to keep an eye on all the changes occurring in your environment, and how to use security_monkey to audit your existing infrastructure. Time permitting, this talk will also present a few cloud security best practices, such as:

- Ridding your environment of IAM Users, and why access keys are evil.
- Who owns this access key?
- Where is this security group or S3 bucket referenced?
- Avoid allowing RFC-1918 IPs ingress permissions on your EC2-Classic security groups and RDS security groups, and why.
- Avoid the S3 "AuthenticatedUsers" permission at all costs.
- How security_monkey can help you overcome AWS policy size limits.
- How security_monkey can expand wildcard policies to uncover all the permissions being occluded by the use of wildcards.
- How security_monkey can help you compare your deployment across regions (if this feature is complete by then).
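The following is an added example of the kind of checks the list above describes, written for this page and not taken from security_monkey itself. The item layout (loosely shaped like `describe-*` API output), the sample buckets, security groups and user, the placeholder access key ID, and the short list of known IAM actions are all constructed for the example; a real wildcard expansion needs the full action list for each service.

```python
import fnmatch
import ipaddress

# Constructed subset of IAM action names (real services have hundreds each).
KNOWN_ACTIONS = [
    "s3:GetObject", "s3:PutObject", "s3:DeleteObject", "s3:ListBucket",
    "iam:CreateUser", "iam:CreateAccessKey", "iam:PassRole",
    "ec2:DescribeInstances", "ec2:RunInstances", "ec2:TerminateInstances",
]
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Predefined S3 ACL groups: AuthenticatedUsers is *every* AWS account, not yours.
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"


def expand_actions(pattern, known=KNOWN_ACTIONS):
    """Expand one IAM Action string ('s3:*', 'iam:Create*', '*') into the
    concrete actions it grants. IAM matches action names case-insensitively."""
    pat = pattern.lower()
    return sorted(a for a in known if fnmatch.fnmatchcase(a.lower(), pat))


def expand_policy(policy):
    """Map each Allow statement index to the full list of actions it grants."""
    out = {}
    for i, stmt in enumerate(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt["Action"]
        if isinstance(actions, str):
            actions = [actions]
        out[i] = sorted({a for pat in actions for a in expand_actions(pat)})
    return out


def audit_s3_acl(bucket):
    """Flag ACL grants to the AuthenticatedUsers and AllUsers groups."""
    issues = []
    for grant in bucket.get("Grants", []):
        uri = grant.get("Grantee", {}).get("URI")
        if uri == AUTHENTICATED_USERS:
            issues.append(f"s3:{bucket['Name']}: {grant['Permission']} to "
                          "AuthenticatedUsers (any AWS account)")
        elif uri == ALL_USERS:
            issues.append(f"s3:{bucket['Name']}: {grant['Permission']} to AllUsers (public)")
    return issues


def audit_classic_sg(sg):
    """Flag RFC-1918 source CIDRs in ingress rules of EC2-Classic groups
    (those without a VpcId). The talk covers the reasoning; this only detects it."""
    issues = []
    if sg.get("VpcId"):
        return issues
    for rule in sg.get("IpPermissions", []):
        for rng in rule.get("IpRanges", []):
            cidr = ipaddress.ip_network(rng["CidrIp"], strict=False)
            if cidr.version == 4 and any(cidr.subnet_of(n) for n in RFC1918):
                issues.append(f"sg:{sg['GroupName']}: RFC-1918 ingress {rng['CidrIp']} "
                              f"on port {rule.get('FromPort')}")
    return issues


def audit_iam_user(user):
    """Flag IAM users holding active (long-lived) access keys."""
    return [f"iam:{user['UserName']}: active access key {k['AccessKeyId']}"
            for k in user.get("AccessKeys", []) if k.get("Status") == "Active"]


def diff_item(old, new, path=""):
    """Recursive diff of two JSON-shaped snapshots of one item; returns the
    dotted paths that were added (+), removed (-) or changed (~)."""
    if isinstance(old, dict) and isinstance(new, dict):
        changed = []
        for key in sorted(set(old) | set(new)):
            sub = f"{path}.{key}" if path else key
            if key not in old:
                changed.append(f"+{sub}")
            elif key not in new:
                changed.append(f"-{sub}")
            else:
                changed.extend(diff_item(old[key], new[key], sub))
        return changed
    return [] if old == new else [f"~{path}"]


# Constructed sample items (the key ID is AWS's documented example value).
SAMPLE_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": ["s3:*", "iam:Create*"], "Resource": "*"}]}
SAMPLE_BUCKET = {"Name": "billing-exports", "Grants": [
    {"Grantee": {"Type": "Group", "URI": AUTHENTICATED_USERS}, "Permission": "READ"}]}
SAMPLE_SG_OLD = {"GroupName": "web-classic", "IpPermissions": [
    {"FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]}
SAMPLE_SG_NEW = {"GroupName": "web-classic", "IpPermissions": [
    {"FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "10.0.0.0/8"}]}]}
SAMPLE_USER = {"UserName": "deploy", "AccessKeys": [
    {"AccessKeyId": "AKIAIOSFODNN7EXAMPLE", "Status": "Active"}]}


def run_all():
    """Run every audit over the sample items and return the findings."""
    return (audit_s3_acl(SAMPLE_BUCKET) + audit_classic_sg(SAMPLE_SG_NEW)
            + audit_iam_user(SAMPLE_USER))


if __name__ == "__main__":
    for i, acts in expand_policy(SAMPLE_POLICY).items():
        print(f"statement {i} grants {len(acts)} actions: {acts}")
    print("changed since last snapshot:", diff_item(SAMPLE_SG_OLD, SAMPLE_SG_NEW))
    for finding in run_all():
        print("FINDING", finding)
```

The diff is what lets you answer "what changed at 2am?"; the audits run over the current snapshot only. Note that `subnet_of` deliberately does not flag `0.0.0.0/0`, which overlaps RFC-1918 space but is a different (public) finding.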

Presenters:

  • Patrick Kelley - Super Senior Cloud Security Engineer - Netflix
    I'm the author of security_monkey and a contributor to sleepy_puppy. I'm into building security tools, often specific to AWS, with Python and Angular. People should talk to me about making my code more Pythonic, AWS security, and about the incredible and unique culture at Netflix.
