Hello. The right way to audit AWS policies.

To set us up: you have an Amazon estate, Amazon Web Services, and you now need to do a security audit to make sure that the policies that are enforced by the AWS security groups are in line with the policies that you want them to enforce.

So let's acquaint ourselves quickly with what you have to deal with. On the left-hand side here you can see the security groups that were defined in your estate. You can see that I've sketched three of them: there's one in blue for Linux-based servers, there's a security group in black for database servers, and there's a security group in orange for Apache web servers, and maybe you have more of these, each designed for some purpose. And over here you have all the instances that belong to the VPC that you're currently auditing.

So the question that I'd like to think about today is: what is the level at which you're going to do your audit? The obvious choice, if you're just using the AWS tools, the plain vanilla AWS tools, is to look at each of the security groups and review it. So you can look at the rules for Apache web servers in the Apache security group, look over the rules, compare them to the corporate policies and regulatory requirements that you might have, and see that these match, and then you can repeat the same type of review for the other security groups. This is fine; however, there are two challenges here. When you're looking at a security group on its own you don't have context: you don't know if it's even associated with any kind of instance, because it might just be floating and not doing anything, and that's perfectly possible in AWS. And also you have to remember, as we discussed in an earlier lesson, that security groups can be mixed and matched, so you can have multiple security groups associated with individual instances. Here I've sketched instances that have two security groups associated with them. So let's say this one over here has both the database security group associated with it and also the blue Linux security group associated with it, both of them together. If you want to understand what your security stance is, you really need to look at the combination of all the security groups associated with an instance. If you just look at a security group in isolation, you're getting a partial view of the security stance and you don't have context, so this is not the ideal way to do a security review.

Conversely, you could look at instances. You could look at every one of these instances and see that on this one you have a combination of the orange security group and the blue security group, and on this one you have a combination of the black security group and the red security group, and you can review each instance on its own. You get a very accurate review of what is protecting each instance. The trouble is that there are lots of instances; you might have thousands of them, so this doesn't scale well, and it's extremely repetitive, because, as you can see, lots of these instances have exactly the same combination of security groups associated with them.

So what's the right balance? How do you do this in a way that's both accurate and reasonably contained in terms of scale? This is where I'd like to introduce the concept of a security container. This is not an Amazon concept; this is a concept that we're meeting for the first time here in class. So what's a security container? A security container is the collection of all the instances that have exactly the same combination of security groups associated with them. If you look at this sketch, you can see that these two instances over here have precisely the same security groups associated with them, the black and the blue, and these three over here are another security container because they are all associated with the orange and the blue, and these two have the black and the red, etc.

The point is that if you look at a security container, by definition all the servers, all the instances in it, have exactly the same security group combination, and therefore, from a security review point of view, they're all identical; they're all clones. So it's enough to review one of them. Once you review that one and you've convinced yourself that the policy enforced by the combination of all the rules of all the security groups associated with that instance is in line with what you want to allow in your organization, then you know that all instances in this security container are equally protected and you don't need to look at the rest of them.

So if you do the audit at this level of abstraction, you look at these security containers and review each security container, then on the one hand you've covered every possible active combination of security groups that you have in your estate, so you're not neglecting anything, but on the other hand you're doing just the right amount of work, and you're not facing some kind of explosion in the effort that you need to spend because you have all these instances. And there are security systems and tools that can work at this level of abstraction and assist you.

Thank you for your attention, and see you next time.
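As an added example, not part of the lesson, here is the container-building step in Python: it groups instances by the exact set of security groups attached to them, picks one representative per container to review, combines the inbound rules of that container's groups (security group rules are permit-only, so the effective policy is their union), and lists groups that are attached to no instance at all (the "floating" groups mentioned above). The instance and security group data is constructed for the example; the identifiers `sg-linux`, `sg-db`, `sg-apache`, `sg-unused` and `i-00x` are placeholders, and the rule fields are a simplified stand-in for the IpPermissions structure EC2 returns, not a real API shape.

```python
from collections import defaultdict

# Constructed sample data (placeholders, not from the lesson or from AWS).
# Each security group maps to a list of simplified inbound rules.
SECURITY_GROUPS = {
    "sg-linux":  [{"proto": "tcp", "from": 22,   "to": 22,    "cidr": "10.0.0.0/8"}],
    "sg-db":     [{"proto": "tcp", "from": 3306, "to": 3306,  "cidr": "10.0.1.0/24"}],
    "sg-apache": [{"proto": "tcp", "from": 80,   "to": 80,    "cidr": "0.0.0.0/0"},
                  {"proto": "tcp", "from": 443,  "to": 443,   "cidr": "0.0.0.0/0"}],
    "sg-unused": [{"proto": "tcp", "from": 0,    "to": 65535, "cidr": "0.0.0.0/0"}],
}
# Each instance maps to the set of security groups attached to it.
INSTANCES = {
    "i-001": {"sg-linux", "sg-db"},
    "i-002": {"sg-db", "sg-linux"},      # same combination as i-001
    "i-003": {"sg-linux", "sg-apache"},
    "i-004": {"sg-apache", "sg-linux"},
    "i-005": {"sg-apache", "sg-linux"},
}

def build_containers(instances):
    """Security container = all instances with exactly the same set of groups.
    Using a frozenset as the key makes attachment order irrelevant."""
    containers = defaultdict(list)
    for instance_id, groups in instances.items():
        containers[frozenset(groups)].append(instance_id)
    return dict(containers)

def effective_ingress(container, security_groups):
    """Inbound rules an instance in this container is actually exposed to:
    the union of the rules of every attached group (rules only ever permit)."""
    rules = []
    for sg in sorted(container):
        rules.extend(security_groups[sg])
    return rules

def floating_groups(instances, security_groups):
    """Groups attached to no instance: they enforce nothing today, but would
    the moment someone attaches them, so audit them separately."""
    attached = set().union(*instances.values())
    return sorted(set(security_groups) - attached)

def audit_plan(instances, security_groups):
    """One review item per container: which groups, one representative
    instance to inspect, how many clones it stands for, and the combined rules."""
    plan = []
    for container, members in build_containers(instances).items():
        plan.append({"groups": sorted(container), "representative": members[0],
                     "count": len(members),
                     "ingress": effective_ingress(container, security_groups)})
    return plan
```

With the sample data the five instances collapse into two containers, so two reviews cover the whole estate, and `sg-unused` is reported as floating even though its wide-open rule currently protects nothing.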