A few folks have asked “How does Antiope differ from AWS Config”? Darn good question. I had looked at Config back in 2015 or so, and found it to be not that useful. If I dug around enough in the Console I could figure out who made a change, but honestly I have CloudTrail for that. When I took on the Cloud Security role I briefly looked at is with an eye towards “We should enable this everywhere, and dump the data to S3 in case someday we needed it for an investigation”.
AWS re:Invent 2018 Wrapup
It’s been about two now three weeks since AWS re:Invent 2018 wrapped, and I’m finally starting to recover. Six days in Vegas and a red-eye flight back to Atlanta have me not wanting to travel any more in 2018. So what happened of interest?
First off, my two Chalk Talks with Suman and Damindra went well. I’m glad that at least two people out of the 58,000 present thought my session was they best they’d attended.
Introducing Antiope
Managing a large number of cloud accounts across the global footprint that cloud providers offer is a herculean task for small security and governance teams.
Turner has been leveraging AWS native services to conduct continuous inventory and compliance as part of its Cloud Security Program. Today I’m releasing Antiope (PRONO An-Tie-Oh-Pee). It is intended to be an open sourced framework for managing resources across hundreds of AWS Accounts. From a trusted Security Account, Antiope will leverage cross-account roles to gather up resource data and store them in an inventory bucket.
How the scorecard works
In my last post I described how we improved our cloud security via the scorecards and spreadsheets. This post describes how we generate scorecards on an hourly basis using the basic building block of AWS.
The goal was to use native AWS services, with a secondary goal of avoiding the use of EC2 Instances that would need patching and other TLC. AWS is like Legos, they give you lots of parts and you have to put them together.
It's that time of year: AWS re:Invent
We’re a week away from AWS re:Invent and the level of cloud activity is reaching a fervor pace. Two things I’d like to share this morning. 1) How to Do re:Invent and 2) what all this re:Invent craziness means to a security professional.
If you’re lucky enough to go to re:Invent (and as far as I’ve heard it’s not sold out) a few things to bear in mind:
This is Vegas.
Moving the needle on Cloud Security
I’d like to share some of the things we’ve done to improve our AWS and Public Cloud Security posture. This was as much a cultural effort as it was a technical and security effort. Like all security/culture things, YMMV.
When I returned to Turner in my Cloud Security role I knew we had our work cut out for us. We had about 30-40 AWS accounts across three payer accounts (due to acquisitions etc).
Creating an AWS Security Account
I wanted to jot down some of my thoughts on creating an enterprise security account for managing AWS. I had one of these created at work and it’s proven invaluable in managing our rapidly expanding cloud footprint.
What is a dedicated security account? For us it serves several purposes:
It allows us to assume a least-privilege audit role into all of our other AWS accounts It serves as a log destination for our CloudTrail events.
Lateral Movement in AWS
Public Cloud introduced a new concept that not everyone fully grasps. In the on-prem days of old, you had a room & you had connections going into said room. Hopefully those connections had a firewall. Then there were lots of things in that room that authorized users needed to access to accomplish whatever goal your business has, and a bunch of other things in that room that the techies needed to access in order to keep those first things running and secure.
Sources of Authority in the three Public Cloud Providers
I’m spending more time thinking about Cloud Security in Google and Azure and trying to grok the differences between those platforms and AWS. One of the critical components for understanding your enterprise security stance is what is the source of authority for creating & managing resources in the cloud. As I was thinking about this, I realized that the three main players have very different models. Each model reflects on that companies pre-cloud origins.
Full MFA Protection in AWS
Security best practices typically call for some form of multi-factor authentication when accessing sensitive information system, or when accessing systems with elevated privileges (admin level). In most cases, accessing a public cloud provider via WebConsole or API is accessing the system for administrative purposes and requires an extra level of protection than a simple password.
AWS Provides the ability to use MFA on it’s systems, but the ability to enforce that across all facets of the AWS API is not a trivial task.