Automated Defence for Cloud Security in AWS using Serverless @ Serverless Summit 2017

Transcript

1. Automated Defence for Cloud
   Security in AWS using Serverless
   Madhu Akula & Subash SN
   Appsecco
   

   View Slide

2. Why you should listen to us?
   Madhu Akula
   ●
   Automation Ninja at Appsecco
   ●
   Interested on Security, DevOps and
   Cloud
   ●
   Speaker & Trainer at Defcon, All Day
   DevOps, DevSecCon, etc.
   ●
   Found security vulnerabilities in
   Google, Microsoft, Adobe, etc.
   ●
   Twitter @madhuakula
   Subash SN
   ●
   Security Engineer at Appsecco
   ●
   Interested on Security, Development
   and Machine learning
   ●
   Speaker & Trainer at CSI, null, etc.
   ●
   Technical director at Computer
   Society of India
   ●
   Twitter @pingsns
   

   View Slide

3. View Slide

4. What we are going to show you for next 15 min?
   

   View Slide

5. Let’s start with Demo
   

   View Slide

6. High level architecture
   

   View Slide

7. Services used
   ●
   DynamoDB
   ○
   DynamoDB is the central database where rules are mapped to their respective ACL IDs. Rules for IP
   addresses and expirytime are added and removed from the blacklist_ip table by appropriate lambda
   functions
   ●
   Blacklist Lambda function
   ○
   Blacklist function is the only exposed endpoint from the setup. Any IP that needs to be blacklisted
   needs to be supplied to this function via a HTTPS request and a valid accessToken
   ●
   Handle Expiry Lambda function
   ○
   HandleExpiry function is periodically triggered to remove the expired rules from the ACL and
   database
   

   View Slide

8. Services used
   ●
   Cloudwatch
   ○
   Cloudwatch is used to trigger the HandleExpiry lambda function periodically. The function is
   triggered every minute to remove expired rules
   ●
   VPC Network ACL
   ○
   The Access Control List for our VPC Network (Basically the Firewall rules)
   

   View Slide

9. Configuration
   Blacklist Endpoint :
   https://lambda_url/blacklistip?accessToken=ACCESS_TOKEN&ip=IP_ADDRESS
   Parameters:
   ●
   acl_id : The ACL ID that was used to add the rule
   ●
   accessToken: Access token to validate requests
   ●
   expiryTime : Time after which the rule expires
   ●
   ruleLimit: The maximum number of rules that can be added
   

   View Slide

10. Bonus - We did this for Azure cloud as well
    

    View Slide

11. Summary
    ●
    We created attack threshold rules in ElastAlert
    ●
    Created AWS Lambda functions backed by DyanamoDB to dynamically block IP
    addresses in AWS network ACL
    ●
    We created a near real-time blocking system that is infinitely scalable
    ●
    The ideas are not limited to only these. By leveraging on the advantages of
    serverless we can solve some interesting problems in the security industry
    ●
    While Security teams can leverage Serverless to solve problems at scale, we should
    remember that, attackers can also leverage on these infinitely scalable platform
    

    View Slide

12. References
    ●
    https://blog.appsecco.com/automated-defense-using-serverless-computing-84ee04
    b9b129
    ●
    https://github.com/appsecco/alldaydevops-aism
    ●
    https://github.com/appsecco/defcon24-infra-monitoring-workshop
    ●
    https://serverless.com
    ●
    https://aws.amazon.com/serverless
    ●
    https://azure.microsoft.com/en-in/services/functions
    ●
    https://www.youtube.com/watch?v=YZ058hmLuv0
    

    View Slide

13. QUESTIONS
    @madhuakula | @pingsns | @appseccouk
    

    View Slide