
Strengthening Operations with Splunk and AWS CloudTrail


How we use Splunk and CloudTrail to gain deeper insights into our AWS accounts

Alan Williams

October 13, 2014


Transcript

  1. Strengthening Operations with Splunk and AWS CloudTrail (© 2014 Autodesk)
     Alan Williams, alanwill on Twitter & GitHub, Principal Engineer. AWS/Splunk Big Data Webinar, 10/16/2014
  2. Who Am I?
     § Engineer @ Autodesk
     § Technology Generalist
     § Background in Infrastructure
     § AWS for ~4 years
     § Splunk for ~1 year
     § Motorcyclist
     § Soft spot for pit bulls
  3. Who is Autodesk?
     § Leader in 3D design, engineering and entertainment software
     § Introduced AutoCAD in 1982
     § Empowering the Maker movement
     § Help our customers imagine, design and create a better world
     http://www.autodesk.com/products/personal-design-and-creativity
  4. Problem
     § How do we know what’s happening in our accounts?
     § Malicious activity?
     § How can we validate that we’re compliant?
  5. Why CloudTrail?
     § Logs AWS API calls
     § Visibility and analytics
     § AWS native
     § Simple to configure
     § Point and click (most parts automatable)
     § Covers almost all AWS services
     § New coverage added regularly (http://goo.gl/jf9uLq)
     § Available in all 8 regions (http://goo.gl/ojU7ut)
  6. Why Splunk?
     § Leverage existing investment
     § Standard log aggregation platform
     § Splunk App for AWS (http://goo.gl/Xc7XsZ)
     § Familiar technology
     § Logging = Splunk
     § Supports logging REST endpoints
     § SQS & S3
     § Single view across all accounts
  7. CloudTrail + Splunk Architecture
     [Architecture diagram: Account A, Account B and a Core Services Account; components shown: CloudTrail, S3 Bucket, SNS Topic, SQS Queue; data flow steps numbered 1 to 5]
     § Simple to configure
     § Scalable to many accounts
     § Central logging view across all accounts
  8. Incident Response
     § Something happened in Account X within a certain time window
     § Has this compromised host made any API calls?
     § Where have these IAM keys been used?
  9. Operations Troubleshooting
     § Who created this instance?
     § Where in the world are sign-ins originating?
  10. Compliance Auditing
     § Alert if an SG rule is created with a 0.0.0.0/0 source
     § Frequency of certain events
     § Alert whenever an IAM user is created
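As an added example (not from the deck or Autodesk's own tooling), the two alerts from the Compliance Auditing slide and the "where have these IAM keys been used?" lookup from the Incident Response slide, implemented in Python over a constructed CloudTrail delivery file; the security group ID, access key ID, user names and IP addresses are placeholders.

```python
import json
from collections import defaultdict

# Constructed sample of a CloudTrail delivery file; IDs, names and IPs are placeholders.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2014-10-13T12:00:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress", "awsRegion": "us-east-1",
     "sourceIPAddress": "198.51.100.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice", "accessKeyId": "AKIAEXAMPLE0001"},
     "requestParameters": {"groupId": "sg-0a1b2c3d", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
          "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
    {"eventTime": "2014-10-13T12:05:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateUser", "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice", "accessKeyId": "AKIAEXAMPLE0001"},
     "requestParameters": {"userName": "bob"}},
    {"eventTime": "2014-10-13T12:07:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "awsRegion": "eu-west-1", "sourceIPAddress": "203.0.113.77",
     "userIdentity": {"type": "IAMUser", "userName": "alice", "accessKeyId": "AKIAEXAMPLE0001"},
     "requestParameters": {}},
]})

def open_ingress_rules(record):
    """Return (groupId, protocol, fromPort, toPort) for every 0.0.0.0/0 range in an ingress call."""
    if record.get("eventName") != "AuthorizeSecurityGroupIngress":
        return []
    params = record.get("requestParameters") or {}   # None when the call was denied
    hits = []
    for perm in (params.get("ipPermissions") or {}).get("items", []):
        for rng in (perm.get("ipRanges") or {}).get("items", []):
            if rng.get("cidrIp") == "0.0.0.0/0":
                hits.append((params.get("groupId"), perm.get("ipProtocol"),
                             perm.get("fromPort"), perm.get("toPort")))
    return hits

def scan(log_text):
    """Return (alerts, key_usage): the two compliance alerts plus a per-access-key usage index."""
    alerts, key_usage = [], defaultdict(list)
    for r in json.loads(log_text)["Records"]:
        who = r.get("userIdentity", {})
        if who.get("accessKeyId"):   # answers "where have these IAM keys been used?"
            key_usage[who["accessKeyId"]].append(
                (r["eventTime"], r["sourceIPAddress"], r["awsRegion"], r["eventName"]))
        for group, proto, lo, hi in open_ingress_rules(r):
            alerts.append(f"OPEN_INGRESS {group} {proto} {lo}-{hi} by {who.get('userName')}")
        if r.get("eventSource") == "iam.amazonaws.com" and r.get("eventName") == "CreateUser":
            alerts.append(f"IAM_USER_CREATED {r['requestParameters']['userName']} by {who.get('userName')}")
    return alerts, dict(key_usage)
```

In Splunk the same questions become searches over the CloudTrail sourcetype; this script shows what those searches need to match in the record structure.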
  11. Summary
     § AWS CloudTrail + Splunk = Happy Marriage
     § Scalable to 100s of accounts
     § Toolset for Operations and Security Teams
     § Our common use cases with examples
  12. Autodesk is a registered trademark of Autodesk, Inc., and/or its subsidiaries and/or affiliates in the USA and/or other countries. All other brand names, product names, or trademarks belong to their respective holders. Autodesk reserves the right to alter product and services offerings, and specifications and pricing at any time without notice, and is not responsible for typographical or graphical errors that may appear in this document. © 2014 Autodesk. All rights reserved.
     @alanwill alanwill