Last week our AWS consulting team attended AWS re:Invent. We thought we would recap some of the things we found exciting about the event.
Before we get into specifics, let us first summarize what really impressed us about the security tracks at re:Invent. Security teams utilized DevOps and Cloud-centric technologies to benefit themselves as well as their organizations. They did so in some really cool ways.
Making Security Easy
One theme in particular was making security easy. Netflix’s Jason Chan expressed this in his talk by demonstrating several products his team developed to make security easy and transparent. The video is available here. The first tool we’ll highlight is RepoMan, set to be released as an open source project on GitHub by the end of this year.
AWS Identity & Access Management (IAM) controls access through permissions granted to users and roles, and permissions that have been granted are not always actually used. RepoMan selectively flags permissions to remove based on various usage metrics, which helps narrow a policy down to what the user or role really needs and makes the actual permission requirements clearer.
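To make the idea concrete, here is an added illustration (not RepoMan’s code) of the core check: compare the actions an IAM policy grants against the actions actually observed in use, flag the grants nothing ever exercised, and emit a narrowed policy. The policy document and the set of observed actions are constructed samples; in practice the observed set would come from CloudTrail or IAM Access Advisor over a lookback window.

```python
import fnmatch
import json

# Constructed sample policy document for a role (not a real policy from the talk).
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteBucket"], "Resource": "*"},
        {"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"},
        {"Effect": "Allow", "Action": ["iam:PassRole"], "Resource": "*"},
    ],
})
# Constructed sample of actions seen in use (e.g. CloudTrail eventSource + eventName).
OBSERVED_ACTIONS = {"s3:GetObject", "ec2:DescribeInstances", "ec2:DescribeVolumes"}

def _statements(policy):
    """IAM allows a single statement object or a list; always return a list."""
    stmts = policy["Statement"]
    return [stmts] if isinstance(stmts, dict) else list(stmts)

def _actions(stmt):
    """IAM allows a single action string or a list; always return a list."""
    actions = stmt.get("Action", [])
    return [actions] if isinstance(actions, str) else list(actions)

def granted_actions(policy_json):
    """Set of action patterns granted by Allow statements (Deny and NotAction are ignored)."""
    return {a for s in _statements(json.loads(policy_json)) if s.get("Effect") == "Allow" for a in _actions(s)}

def unused_actions(policy_json, observed):
    """Granted patterns no observed action matched; IAM wildcards (* and ?) match case-insensitively."""
    observed = {a.lower() for a in observed}
    return {p for p in granted_actions(policy_json)
            if not any(fnmatch.fnmatchcase(a, p.lower()) for a in observed)}

def reduced_policy(policy_json, observed):
    """Copy of the policy with unused Allow actions removed and emptied statements dropped."""
    unused = unused_actions(policy_json, observed)
    policy = json.loads(policy_json)
    kept = []
    for stmt in _statements(policy):
        if stmt.get("Effect") != "Allow":
            kept.append(stmt)          # Deny statements are passed through untouched
            continue
        actions = [a for a in _actions(stmt) if a not in unused]
        if actions:
            kept.append({**stmt, "Action": actions})
    return {**policy, "Statement": kept}
```

Because `ec2:Describe*` is a wildcard, a single observed `ec2:DescribeInstances` call keeps it; a tool like this should still leave the final decision to a human, since a permission exercised only rarely (a quarterly job, a break-glass role) looks identical to one never needed.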
The next product Jason mentioned has actually been out for some time. Lemur, https://github.com/Netflix/lemur, is an open source tool that helps provision SSL certificates without the fuss typically associated with that process (a serious hassle). This tool makes a complicated security process easy.
Another tool that really interested us was Rollie Pollie. IAM permissions are managed within a collection of JSON files. If permissions need to change, pull requests are issued to the repository that holds the appropriate JSON permission file. OtterBot, Netflix’s security chatbot, notifies the security team about the pull request. The team can then approve or deny this change from Slack.
Proactive Security Testing for AWS
Our team watched a fascinating talk on Proactive Security Testing for AWS by Alex Lucas available here. At the beginning, Alex discussed threat modeling, but then he demonstrated some interesting automated proactive security controls.
The first demonstration showed how to handle patches and create secure image baselines in an automated way on AWS EC2 instances. This is incredibly useful for security administrators who are now shifting from a datacenter to AWS.
The next demonstration concerned basic static analysis as code moves through the deployment process. Using CodeCommit and SNS, a trigger can activate static analysis on new code immediately after it’s pushed. Keep in mind, there are plenty of ways to go about doing this both inside and outside of AWS, but it was intriguing nevertheless.
The last demonstration covered how to use Amazon’s Inspector tool to either promote a pre-production environment to production or deny that promotion. Inspector finds security weaknesses in configurations. If any serious issues are discovered, the environment is not promoted to production; if none are discovered, the environment is promoted. This is a great way to keep low-hanging fruit from causing big issues later.
Machine Learning and Lambda
Both Machine Learning and Lambda seemed to be the new tech everyone was leveraging in one form or another. Of particular interest to us security folk was Michael Capicotto and Matt Nowina’s Predictive Security talk found here.
Machine learning only works when you have a large amount of data to feed it. One thing security typically has a lot of? Logs. Michael and Matt went over how to leverage AWS machine learning to give threat ratings to logs as they’re generated and then fire alerts when those ratings exceed a specific limit.
The Predictive Security talk also served as a demo for their new “network reasoning” tool which was in a closed beta during the presentation. Essentially, it acts as a means to query against the entire AWS architecture. We’re very excited for this tool as it should help significantly cut down on the amount of manual review required when trying to create threat models or map AWS architecture.
The Security Automation talk found here by Venkat Vijayaraghavan and Nate Dye, managers of the AWS Shield and WAF products respectively, also touched on applying machine learning to security. Specifically, they dug into how machine learning could be used to determine whether a domain in a Referer header was machine-generated or legitimate. While it is possible to update your WAF blacklist on the fly with this information, the false positive rate (~1%) was still a bit too high. This is definitely a technique to keep an eye on, though, as further research and tuning of the ML engine should drive the false positive rate down to acceptable levels.
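The tuning problem the speakers described is easier to reason about with numbers in hand, so here is an added example (not AWS’s model, which was a trained classifier) that scores Referer domains with a few hand-picked lexical features and then picks the lowest threshold whose false positive rate on a labelled set stays under a chosen bound. The labelled domains are a constructed sample and the feature weights are assumptions, not learned values.

```python
import math
import re

# Constructed labelled sample: (domain, is_generated). Not real traffic data.
LABELLED = [
    ("google.com", False), ("amazon.com", False), ("netflix.com", False),
    ("example.org", False), ("news.ycombinator.com", False), ("github.com", False),
    ("wikipedia.org", False), ("reddit.com", False),
    ("xkq7v2ptzm.com", True), ("qwrtpzxv.net", True), ("a8f3k1lq2z.org", True),
    ("mnbvcxzlkj.com", True), ("zxq9w7tplr.info", True),
]
CONSONANT_RUN = re.compile(r"[b-df-hj-np-tv-z]+")

def features(domain):
    """Lexical features of the registrable label (the part just left of the TLD)."""
    labels = domain.lower().strip(".").split(".")
    label = labels[-2] if len(labels) >= 2 else labels[0]
    if not label:
        raise ValueError("empty domain label")
    probs = [label.count(c) / len(label) for c in set(label)]
    entropy = -sum(p * math.log2(p) for p in probs)          # character entropy in bits
    digit_share = sum(c.isdigit() for c in label) / len(label)
    consonant_run = max((len(m) for m in CONSONANT_RUN.findall(label)), default=0)
    return {"len": len(label), "entropy": entropy, "digits": digit_share, "consonants": consonant_run}

def score(domain):
    """Higher means more likely generated. Weights are hand-picked assumptions, not learned."""
    f = features(domain)
    return f["entropy"] / 4.0 + f["digits"] + min(f["consonants"], 6) / 6.0 + min(f["len"], 20) / 40.0

def evaluate(labelled, threshold):
    """Return (true positive rate, false positive rate) when flagging score >= threshold."""
    flagged = {d: score(d) >= threshold for d, _ in labelled}
    gen = [d for d, is_gen in labelled if is_gen]
    legit = [d for d, is_gen in labelled if not is_gen]
    tpr = sum(flagged[d] for d in gen) / len(gen)
    fpr = sum(flagged[d] for d in legit) / len(legit)
    return tpr, fpr

def threshold_for_fpr(labelled, max_fpr):
    """Lowest threshold (drawn from observed scores) whose false positive rate is <= max_fpr."""
    for t in sorted({score(d) for d, _ in labelled}):
        if evaluate(labelled, t)[1] <= max_fpr:
            return t
    return math.inf      # no threshold meets the bound: block nothing
```

On real traffic the legitimate set is far larger and more varied than this sample, which is exactly why a 1% false positive rate on a blocking control matters: measure it on your own Referer population before letting the output feed a WAF rule.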
Other notable talks included Brigid Johnson on Automating IAM policy validations and Andrew Flavell on addressing security in Nike’s Microservice architecture. The talks can be found here and here, respectively. Brigid spoke about turning the manual process of creating an IAM policy into an automated one by leveraging AWS’s API.
We felt that the most interesting take-away from Andrew’s discussion was Nike’s Cerberus tool, https://github.com/Nike-Inc/cerberus. Cerberus is a secret key management system built on HashiCorp Vault and geared toward AWS. It is a good fit for provisioning and secrets management in a microservice architecture.
To recap, there were some incredibly valuable ideas and concepts presented at this conference, and this is just a high-level short list. We recommend you browse through the 2016 re:Invent videos posted on YouTube. From our perspective, it was nice to see how various companies and their blue teams were handling modern security challenges in the cloud.
It was really interesting to see how security teams were using the cloud to their benefit by leveraging these new technologies. We have a lot of ideas now–more than we possibly have time for–and have already begun new research as a result. Our team will definitely be in attendance next year and would recommend this conference to anyone looking for both practical techniques and a little bit of inspiration.