
Roy Feintuch
December 29, 2017

re:Invent 2017 - Automating Security and Compliance testing of IaC for DevSecOps

The deck from re:Invent 2017 session SID317
Automating Security and Compliance Testing of Infrastructure as Code (IaC) for DevSecOps.

Abstract:
Infrastructure-as-Code (IaC) has emerged as an essential element of organizations’ DevOps practices. Tools such as AWS CloudFormation and Terraform allow software-defined infrastructure to be deployed quickly and repeatedly to AWS. But the agility of CI/CD pipelines also creates new challenges in infrastructure security hardening. How do you ensure that your CloudFormation templates meet your organization's security, compliance, and governance needs before you deploy them? How do you deploy infrastructure securely to production environments, and monitor the security posture on a continuous basis? And how do you do this repeatedly without hitting a speed bump? This session provides a framework for bringing proven software development practices into the world of infrastructure deployment. We discuss how to build security and compliance tests for infrastructure analogous to unit tests for application code, and show how security, compliance and governance testing fit in a modern CI/CD pipeline.

The video recording of the session can be seen here: https://youtu.be/xzQUmil3LBM

The source code repo can be found at: https://github.com/Dome9/reinvent2017


Transcript

  1. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
     Automating Security and Compliance Testing of IaC for DevSecOps
     Roy Feintuch, Co-founder & CTO, @royfein
     re:Invent 2017, SID317

  2. When It Comes to Security, Sooner is Better (and Cheaper)
     “…high-performing development teams spend 50 percent less time remediating security issues” when they address security throughout the SDLC, instead of “retrofitting security at the end.” (Puppet 2017 State of DevOps Report)

  3. Traditional Security is Not Built for CI/CD
     • Too late
     • Too much stress

  4. Treat Infrastructure Code Just Like Application Code
     • You can (and should) apply coding best practices to your IaC development
     • You can now test your infrastructure for security and compliance before it is actually deployed in a live environment
     • While tools for static application code analysis are mature, infrastructure analysis is still in its infancy

  5. The Plan: Multi-Staged Approach
     Prep - Define a core set of industry best practices, regulatory compliance and security controls, and internal org policies
     DevSecOps pipeline responsibility:
     • Commit Stage - Treat CFT just like any other application code; perform static code analysis (aka infrastructure unit-tests)
     • Live Stage - Deploy a live test environment and test it (aka integration testing)
     SecOps monitoring responsibility:
     • Production Stage - Perform continuous security & compliance assessment of the production environment
  6. Commit Stage (aka infrastructure unit-tests)
     Pros
     • Fast & cheap:
       ◦ Measured in seconds
       ◦ Closest to the developer
       ◦ Can even be integrated as a git commit hook or IDE plugin
     Cons
     • Difficult; the technology is not 100% there yet
     • Not everything can be statically reasoned about

  7. Live Test (aka infrastructure integration-tests)
     Pros
     • Can cover every test, just like in our prod env
     Cons
     • Slow (measured in multiple minutes)
     • Lots of mechanics and moving parts -> complexity, price

  8. Production Stage - Continuous Testing
     Pros
     • This is the ultimate resource we are trying to protect
     • Every tool and 3rd party service is designed to assist us here…
     • Covers everything, including changes that did not go through our sanitized pipeline
     Cons
     • Yet another suite of technologies to master… (commonly these tools cater to the Ops/GRC folks and not devs)

  9. And now… a graph

  10. Implementation v.1
      Source blog: https://aws.amazon.com/blogs/devops/implementing-devsecops-using-aws-codepipeline/
      Code: https://github.com/Dome9/reinvent2017
  11. Demo #1
      Demonstrate a DevSecOps pipeline using AWS native tools: CodePipeline, CloudFormation, Lambda, S3

  12. LEVEL 1 COMPLETE! GET READY FOR THE NEXT LEVEL

  13. Photo: https://techgnosis.com/take-the-red-pill/

  14. CFT static analysis - RegEx
      ^.*Ingress.*(([fF]rom[pP]ort|[tT]o[pP]ort).\s:\s*u?.(22).*[cC]idr[iI]p.\s*:\s*u?.((0\.){3}0/0 ).|[cC]idr[iI]p.\s*:\s*u?.((0\.){3}0\/0).*([fF]rom[pP]ort|[tT]o[pP]ort.*).\s*:\s*u?.(22))
      IMO, this is difficult to: write, maintain, review / audit
      Suggestion: use a standard computer language to reason about JSON structures (Python, JS...)
      BTW - I injected 5 errors into this Regex. Did you spot them?
  15. CFT static analysis - Dynamic Templates
      CFT is flexible and dynamic (almost like a programming language):
      1. Parameters
         • user defined
         • pseudo parameters (like AWS::Region)
      2. Intrinsic functions
      3. Conditions

  16. CFT static analysis - Dynamic Templates
      The port is resolved by correlating a map with a user-provided parameter (using an intrinsic function)

  17. CFT static analysis - Dynamic Templates
      This one is actually OK, as we allow our devs to connect to their dev environments...

  18. CFT static analysis - Dynamic Templates
      CFT is flexible and dynamic (almost like a programming language): Parameters (user defined, pseudo parameters like AWS::Region), intrinsic functions, conditions.
      CFT Simulator project on GitHub: https://github.com/Dome9/cft-simulator

  19. CFT static analysis - Multiple Representations
      The same outcome can be represented in multiple ways:
      • Because the syntax permits it
      • Because of default implicit behavior
      This means that in addition to understanding the CFT syntax, we must also fully understand the domain we are reasoning about and the CFT default behaviors.
      Example: a few ways to control the IP address of an EC2 instance
      • A NIC can be defined with instance-level network properties
      • A NIC can be defined as an embedded resource of the instance with the NetworkInterfaces property
      • A NIC can be defined as a "root" resource and be attached to an instance via the Ref intrinsic function
      • A "root" NIC resource can also be attached with the NetworkInterfaceAttachment resource via the InstanceId property
      • A public IP can be assigned to the NIC by setting the AssociatePublicIpAddress property to true in the NIC properties (only when defining it as an embedded resource of the instance)
      • A public IP can be assigned by creating an ElasticIP resource and associating it using the InstanceId property
      • An ElasticIP can also be associated with the ElasticIPAssociation resource
      • A public IP can be assigned to the primary NIC just based on subnet behavior (the MapPublicIpOnLaunch property of the subnet)
  20. CFT static analysis - Multiple Representations
      Here, the rules are defined externally to the Security Group resource

  21. CFT static analysis - Reasoning about our domain
      Someone didn’t properly whitelist our NOC IP address
      Oops, forgot about port ranges...

  22. Multiple Technologies Challenge
      1. Word / Excel - policy language for the humans
      2. RegEx for static CFT evaluation
      3. Python/JS/… + AWS SDK to assess the live environment
      4. Continuous monitoring & alerting: Config Rules / CloudTrail / CloudWatch Alerts, SIEM tools, cloud configuration monitoring tools, security monitoring and alerting tools...
  23. Multiple Technologies Challenge
      My org policy, section 1.2: “You shall not have SSH ports exposed to the internet”

      My CFT Regex:
      /^.*Ingress.*(([fF]rom[pP]ort|[tT]o[pP]ort).\s*:\s*u?.(22).*[cC]idr[iI]p.\s*:\s*u?.((0\.){3}0\/0)|[cC]idr[iI]p.\s*:\s*u?.((0\.){3}0\/0).*([fF]rom[pP]ort|[tT]o[pP]ort).\s*:\s*u?.(22))/

      My Python Boto script (as on the slide, with the import, the result variables and the exception type filled in):

          import boto3

          result = True
          failReason = ""
          offenders = []

          for n in regions:
              client = boto3.client('ec2', region_name=n)
              # Only look at security groups created by the stack under test
              response = client.describe_security_groups(
                  Filters=[{'Name': 'tag:aws:cloudformation:stack-name', 'Values': [stackName]}])
              for m in response['SecurityGroups']:
                  # Groups that whitelist the NOC address are accepted as-is
                  if "72.21.196.67/32" not in str(m['IpPermissions']):
                      for o in m['IpPermissions']:
                          try:
                              # Port ranges: 22 anywhere inside FromPort..ToPort counts
                              if int(o['FromPort']) <= 22 <= int(o['ToPort']):
                                  result = False
                                  failReason = "Found Security Group with port 22 open to the wrong source IP range"
                                  offenders.append(str(m['GroupId']))
                          except KeyError:
                              # IpProtocol -1 (all traffic) carries no FromPort/ToPort keys
                              if str(o['IpProtocol']) == "-1":
                                  result = False
                                  failReason = "Found Security Group with port 22 open to the wrong source IP range"
                                  offenders.append(str(n) + " : " + str(m['GroupId']))

      My production alerting mechanisms
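The commit-stage counterpart of the boto script above, written as an added example (not code from the deck or from the Dome9 repo) for slides 14 to 21 and the static half of slide 23: it reasons about the parsed template instead of regex-matching text, resolves Ref to a parameter's Default (dynamic templates), accepts both an inline SecurityGroupIngress list and the standalone AWS::EC2::SecurityGroupIngress resource (multiple representations), and handles port ranges and IpProtocol -1. The template, its parameter names and logical ids are constructed for the example.

```python
import ipaddress
import json

# Constructed sample template (not from the deck): a parameter-driven admin rule,
# an inline web rule, and a standalone SecurityGroupIngress resource on the same SG.
SAMPLE_CFT = json.dumps({
    "Parameters": {"AdminPort": {"Type": "Number", "Default": 22},
                   "AdminCidr": {"Type": "String", "Default": "0.0.0.0/0"}},
    "Resources": {
        "WebSG": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
            "SecurityGroupIngress": [
                {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "CidrIp": "0.0.0.0/0"},
                {"IpProtocol": "tcp", "FromPort": {"Ref": "AdminPort"},
                 "ToPort": {"Ref": "AdminPort"}, "CidrIp": {"Ref": "AdminCidr"}}]}},
        "SshRange": {"Type": "AWS::EC2::SecurityGroupIngress", "Properties": {
            "GroupId": {"Ref": "WebSG"}, "IpProtocol": "tcp",
            "FromPort": 20, "ToPort": 25, "CidrIp": "0.0.0.0/0"}}}})

def resolve(value, params):
    """Resolve a literal or a {"Ref": <Parameter>} to the parameter's Default."""
    if isinstance(value, dict) and "Ref" in value:
        return params.get(value["Ref"], {}).get("Default")
    return value

def rule_exposes_port(rule, port, params):
    """True if one ingress rule opens `port` to every IPv4 address."""
    cidr = resolve(rule.get("CidrIp"), params)
    if cidr is None or ipaddress.ip_network(cidr, strict=False).num_addresses != 2 ** 32:
        return False  # scoped to a whitelist, or an IPv6/SG-sourced rule: not this check
    if str(resolve(rule.get("IpProtocol"), params)) == "-1":
        return True   # all protocols and ports; FromPort/ToPort are absent here
    lo, hi = resolve(rule.get("FromPort"), params), resolve(rule.get("ToPort"), params)
    return lo is not None and hi is not None and int(lo) <= port <= int(hi)

def find_open_port(template_json, port=22):
    """Logical ids of resources exposing `port` to 0.0.0.0/0 in either representation."""
    cft = json.loads(template_json)
    params = cft.get("Parameters", {})
    offenders = []
    for logical_id, res in cft.get("Resources", {}).items():
        props = res.get("Properties", {})
        if res.get("Type") == "AWS::EC2::SecurityGroup":
            rules = props.get("SecurityGroupIngress", [])
        elif res.get("Type") == "AWS::EC2::SecurityGroupIngress":
            rules = [props]
        else:
            continue
        if any(rule_exposes_port(r, port, params) for r in rules):
            offenders.append(logical_id)
    return offenders
```

Running find_open_port(SAMPLE_CFT) flags both WebSG (the Ref-resolved admin rule) and SshRange (port 22 hidden inside the 20-25 range), which are exactly the two cases the slide-23 regex cannot see.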
  24. Introducing GSL - Governance Specification Language
      A purpose-built language to reason about cloud security & compliance.
      Guess what these rules say:
      Instance should have tags with [key='owner']
      SecurityGroup should not have inboundRules with [port=22 and scope='0.0.0.0/0']
      SecurityGroup where name='default' should not have inboundRules
      Concise, human-readable policies eliminate errors in translation and simplify security, compliance and governance.

  25. Implementation v.2 - Compliance Engine
      1. Static CFT assessments built into the CI pipeline
      2. On-demand assessments for test / staging env via the Assessments API
      3. Always-on, continuous monitoring for the production env
      All driven from the same GSL policy file!

  26. DevSecOps Pipeline v.2 (AWS CodePipeline + Compliance Engine)
      Commit Stage: CFT Validator
      Live Test Stage: CFN deploy test env -> assess test env -> delete test stack
      Production Stage: CFN execute prod change set -> production system -> continuous monitoring

  27. DevSecOps v.2 Demo
      Demonstrating a CI/CD pipeline using native AWS services + Dome9 Compliance Engine...

  28. Thank you!
      You are welcome to booth #2107 to continue the discussion
      www.dome9.com