Slide 1

Slide 1 text

Strengthening Operations with Splunk and AWS CloudTrail
Alan Williams, Principal Engineer (alanwill on Twitter & GitHub)
AWS/Splunk Big Data Webinar, 10/16/2014
© 2014 Autodesk

Slide 2

Slide 2 text

Who Am I?
- Engineer @ Autodesk
- Technology Generalist
- Background in Infrastructure
- AWS for ~4 years
- Splunk for ~1 year
- Motorcyclist
- Soft spot for pit bulls

Slide 3

Slide 3 text

Who is Autodesk?
- Leader in 3D design, engineering and entertainment software
- Introduced AutoCAD in 1982
- Empowering the Maker movement
- Help our customers imagine, design and create a better world
http://www.autodesk.com/products/personal-design-and-creativity

Slide 4

Slide 4 text

Problem
- How do we know what's happening in our accounts?
- Malicious activity?
- How can we validate that we're compliant?

Slide 7

Slide 7 text

Why CloudTrail?
- Logs AWS API calls
- Visibility and analytics
- AWS native
- Simple to configure
- Point and click (most parts automatable)
- Covers almost all AWS services
- New coverage added regularly (http://goo.gl/jf9uLq)
- Available in all 8 regions (http://goo.gl/ojU7ut)

Slide 8

Slide 8 text

Why Splunk?
- Leverage existing investment
- Standard log aggregation platform
- Splunk App for AWS (http://goo.gl/Xc7XsZ)
- Familiar technology
- Logging = Splunk
- Supports logging REST endpoints
- SQS & S3
- Single view across all accounts

Slide 9

Slide 9 text

CloudTrail + Splunk Architecture
[Diagram: CloudTrail, SNS Topic, S3 Bucket and SQS Queue across Account A, Account B and the Core Services Account, with numbered steps 1-5]
- Simple to configure
- Scalable to many accounts
- Central logging view across all accounts

Slide 10

Slide 10 text

CloudTrail Use Cases
- Incident Response
- Operations Troubleshooting
- Compliance Auditing

Slide 11

Slide 11 text

Incident Response
- Something happened in Account X between a certain time window
- Has this compromised host made any API calls?
- Where have these IAM keys been used?

Slide 12

Slide 12 text

Something happened in Account X between a certain time window

Slide 13

Slide 13 text

Has this compromised host made any API calls?

Slide 14

Slide 14 text

Where have these IAM keys been used?

Slide 15

Slide 15 text

Operations Troubleshooting
- Who created this instance?
- Where in the world are sign-ins originating?

Slide 16

Slide 16 text

Who created this instance?

Slide 17

Slide 17 text

Where in the world are sign-ins originating?

Slide 18

Slide 18 text

Compliance Auditing
- Alert if an SG rule is created with 0.0.0.0/0 rule
- Frequency of certain events
- Alert whenever an IAM user is created

Slide 19

Slide 19 text

Alert if an SG rule is created with 0.0.0.0/0 rule

Slide 20

Slide 20 text

Alert whenever an IAM user is created
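
The two compliance alerts named on slides 18-20, written as an added example that is not part of the original deck or Autodesk's Splunk searches: a check over CloudTrail records for security group ingress opened to 0.0.0.0/0 and for IAM user creation. The record layout (`requestParameters.ipPermissions.items[].ipRanges.items[].cidrIp`) is assumed from CloudTrail's EC2 event format, and all sample events are constructed.

```python
import json

# Constructed sample in the CloudTrail log-file shape ({"Records": [...]}).
# Every user name, IP address and group ID below is made up for illustration.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventSource": "ec2.amazonaws.com", "eventName": "AuthorizeSecurityGroupIngress",
     "userIdentity": {"userName": "alice"}, "sourceIPAddress": "198.51.100.7",
     "requestParameters": {"groupId": "sg-0example1", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
          "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
    {"eventSource": "ec2.amazonaws.com", "eventName": "AuthorizeSecurityGroupIngress",
     "userIdentity": {"userName": "alice"}, "sourceIPAddress": "198.51.100.7",
     "requestParameters": {"groupId": "sg-0example2", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443,
          "ipRanges": {"items": [{"cidrIp": "10.0.0.0/8"}]}}]}}},
    {"eventSource": "iam.amazonaws.com", "eventName": "CreateUser",
     "userIdentity": {"userName": "bob"}, "sourceIPAddress": "203.0.113.9",
     "requestParameters": {"userName": "svc-deploy"}},
    {"eventSource": "iam.amazonaws.com", "eventName": "CreateUser",
     "userIdentity": {"userName": "carol"}, "sourceIPAddress": "203.0.113.9",
     "errorCode": "AccessDenied", "requestParameters": {"userName": "tmp-user"}},
]})

def open_ingress_rules(event):
    """Return 'proto/from-to' for each rule in the call that admits 0.0.0.0/0."""
    if event.get("eventName") != "AuthorizeSecurityGroupIngress":
        return []
    params = event.get("requestParameters") or {}
    hits = []
    for perm in (params.get("ipPermissions") or {}).get("items", []):
        cidrs = [r.get("cidrIp") for r in (perm.get("ipRanges") or {}).get("items", [])]
        if "0.0.0.0/0" in cidrs:
            hits.append(f"{perm.get('ipProtocol')}/{perm.get('fromPort')}-{perm.get('toPort')}")
    return hits

def audit(log_text):
    """Return (alert, actor, target, detail) tuples for the two compliance checks."""
    alerts = []
    for ev in json.loads(log_text).get("Records", []):
        if ev.get("errorCode"):  # denied or failed calls changed nothing
            continue
        actor = (ev.get("userIdentity") or {}).get("userName", "unknown")
        params = ev.get("requestParameters") or {}
        for rule in open_ingress_rules(ev):
            alerts.append(("OPEN_SG", actor, params.get("groupId"), rule))
        if ev.get("eventSource") == "iam.amazonaws.com" and ev.get("eventName") == "CreateUser":
            alerts.append(("IAM_USER_CREATED", actor, params.get("userName"), ev.get("sourceIPAddress")))
    return alerts
```

Calls that carry an `errorCode` are skipped because they did not change the account; a separate search on those is still useful for the "frequency of certain events" item.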

Slide 21

Slide 21 text

Summary
- AWS CloudTrail + Splunk = Happy Marriage
- Scalable to 100s of accounts
- Toolset for Operations and Security Teams
- Our common use cases with examples

Slide 22

Slide 22 text

Autodesk is a registered trademark of Autodesk, Inc., and/or its subsidiaries and/or affiliates in the USA and/or other countries. All other brand names, product names, or trademarks belong to their respective holders. Autodesk reserves the right to alter product and services offerings, and specifications and pricing at any time without notice, and is not responsible for typographical or graphical errors that may appear in this document. © 2014 Autodesk. All rights reserved. @alanwill alanwill