
Automated Defence for Cloud Security in AWS using Serverless @ Serverless Summit 2017

Madhu Akula
October 27, 2017


Monitoring for attacks and defending them in real-time is crucial. Making the right choices during attacks can prove to be a nightmare even with the solutions already available in the market. In this talk we will see how an automated defence system powered by Serverless can be used to block attacks against our cloud infrastructure. By collecting logs from various sources we will monitor, analyse and act by applying defensive rules against attackers automatically. We will use AWS for managing and securing the infrastructure discussed in our talk.


Transcript

  1. Why you should listen to us?

     Madhu Akula
     • Automation Ninja at Appsecco
     • Interested in Security, DevOps and Cloud
     • Speaker & Trainer at Defcon, All Day DevOps, DevSecCon, etc.
     • Found security vulnerabilities in Google, Microsoft, Adobe, etc.
     • Twitter @madhuakula

     Subash SN
     • Security Engineer at Appsecco
     • Interested in Security, Development and Machine learning
     • Speaker & Trainer at CSI, null, etc.
     • Technical director at Computer Society of India
     • Twitter @pingsns
  2. Services used

     • DynamoDB
       ◦ DynamoDB is the central database where rules are mapped to their respective ACL IDs. Rules for IP addresses and their expiry time are added to and removed from the blacklist_ip table by the appropriate Lambda functions
     • Blacklist Lambda function
       ◦ The Blacklist function is the only exposed endpoint in the setup. Any IP that needs to be blacklisted must be supplied to this function via an HTTPS request together with a valid accessToken
     • Handle Expiry Lambda function
       ◦ The HandleExpiry function is triggered periodically to remove expired rules from the ACL and the database
  3. Services used

     • CloudWatch
       ◦ CloudWatch is used to trigger the HandleExpiry Lambda function periodically. The function is triggered every minute to remove expired rules
     • VPC Network ACL
       ◦ The Access Control List for our VPC network (basically the firewall rules)
  4. Configuration

     Blacklist Endpoint: https://lambda_url/blacklistip?accessToken=ACCESS_TOKEN&ip=IP_ADDRESS

     Parameters:
     • acl_id: The ACL ID that the rule is added to
     • accessToken: Access token to validate requests
     • expiryTime: Time after which the rule expires
     • ruleLimit: The maximum number of rules that can be added
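The following is an added example, not the speakers' code, that models the Blacklist and HandleExpiry pair described in slides 2 to 4 with the four configuration parameters above. To keep it runnable offline, the network ACL and the blacklist_ip table are replaced by in-memory stand-ins (`FakeAcl`, `FakeTable`); the comments name the boto3 EC2 calls (`create_network_acl_entry`, `delete_network_acl_entry`) that a real deployment would make instead. `FIRST_RULE`, `PROTECTED_NETWORKS`, the token and the IP addresses are constructed assumptions. Two details worth seeing in code: network ACL rules are evaluated in ascending rule-number order, so deny rules must be numbered below the allow rules, and the default AWS quota is 20 rules per network ACL, which is why a `ruleLimit` is needed at all.

```python
# Added example: minimal model of the Blacklist / HandleExpiry Lambda pair.
# Not the deck's own code; AWS calls are replaced with in-memory stand-ins.
import hmac
import ipaddress
import time
from dataclasses import dataclass, field

# Assumption: lowest NACL rule number this service owns. It must sort before the
# VPC's allow rules, because NACL rules are evaluated in ascending order.
FIRST_RULE = 100

# Assumption: never add deny rules for ranges the VPC itself depends on.
PROTECTED_NETWORKS = [ipaddress.ip_network(n) for n in
                      ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                       "127.0.0.0/8", "169.254.0.0/16")]


@dataclass
class FakeAcl:
    """In-memory stand-in for one VPC network ACL: rule number -> CIDR."""
    acl_id: str
    entries: dict = field(default_factory=dict)

    def create_entry(self, rule_number: int, cidr: str) -> None:
        if rule_number in self.entries:
            raise ValueError(f"rule {rule_number} already exists in {self.acl_id}")
        self.entries[rule_number] = cidr  # real code: ec2.create_network_acl_entry(...)

    def delete_entry(self, rule_number: int) -> None:
        del self.entries[rule_number]  # real code: ec2.delete_network_acl_entry(...)


@dataclass
class FakeTable:
    """In-memory stand-in for the blacklist_ip table: ip -> {rule_number, expires_at}."""
    items: dict = field(default_factory=dict)


def blacklist_ip(params: dict, cfg: dict, acl: FakeAcl, table: FakeTable, now=None):
    """Model of the Blacklist function; `params` are the query-string parameters of the request."""
    now = time.time() if now is None else now
    # Constant-time comparison so the token check does not leak through timing.
    if not hmac.compare_digest(params.get("accessToken", ""), cfg["accessToken"]):
        return 403, "invalid accessToken"
    try:
        ip = ipaddress.ip_address(params.get("ip", ""))
    except ValueError:
        return 400, "invalid ip"
    if ip.version != 4:
        return 400, "only IPv4 handled in this example"
    if any(ip in net for net in PROTECTED_NETWORKS):
        return 400, "refusing to block a protected network address"
    key = str(ip)
    expires_at = now + cfg["expiryTime"]
    if key in table.items:  # repeated alert: extend the existing rule, do not add a second one
        table.items[key]["expires_at"] = expires_at
        return 200, f"rule for {key} refreshed"
    used = {item["rule_number"] for item in table.items.values()}
    free = [n for n in range(FIRST_RULE, FIRST_RULE + cfg["ruleLimit"]) if n not in used]
    if not free:
        return 429, "ruleLimit reached; no free rule number"
    rule_number = free[0]
    acl.create_entry(rule_number, f"{key}/32")
    table.items[key] = {"rule_number": rule_number, "expires_at": expires_at}  # real code: put_item
    return 200, f"blocked {key} with rule {rule_number}"


def handle_expiry(acl: FakeAcl, table: FakeTable, now=None) -> list:
    """Model of the HandleExpiry function (run every minute by CloudWatch). Returns the IPs removed."""
    now = time.time() if now is None else now
    removed = []
    for key, item in list(table.items.items()):
        if item["expires_at"] <= now:
            acl.delete_entry(item["rule_number"])
            del table.items[key]
            removed.append(key)
    return removed


def demo():
    """Walk through a block, a refresh, a full rule table and an expiry sweep with constructed data."""
    cfg = {"acl_id": "acl-EXAMPLE", "accessToken": "constructed-token", "expiryTime": 600, "ruleLimit": 2}
    acl, table, t0 = FakeAcl(cfg["acl_id"]), FakeTable(), 1_700_000_000.0
    tok = cfg["accessToken"]
    results = [
        blacklist_ip({"accessToken": "wrong", "ip": "203.0.113.5"}, cfg, acl, table, t0),
        blacklist_ip({"accessToken": tok, "ip": "203.0.113.5"}, cfg, acl, table, t0),
        blacklist_ip({"accessToken": tok, "ip": "198.51.100.7"}, cfg, acl, table, t0 + 30),
        blacklist_ip({"accessToken": tok, "ip": "203.0.113.5"}, cfg, acl, table, t0 + 60),  # refresh
        blacklist_ip({"accessToken": tok, "ip": "192.0.2.9"}, cfg, acl, table, t0 + 90),    # limit hit
        blacklist_ip({"accessToken": tok, "ip": "10.0.0.5"}, cfg, acl, table, t0 + 90),     # protected
    ]
    # At t0+640 the 198.51.100.7 rule (expires t0+630) is gone; the refreshed one (t0+660) stays.
    expired = handle_expiry(acl, table, t0 + 640)
    return [r[0] for r in results], dict(acl.entries), expired


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the whole lifecycle: the first call is refused on the token, the next two consume rule numbers 100 and 101, the repeated alert for the first IP extends its expiry rather than burning a third rule, the fourth IP is refused because `ruleLimit` is exhausted, the private address is refused outright, and the minute sweep removes only the rule whose expiry has passed.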
  5. Summary

     • We created attack threshold rules in ElastAlert
     • We created AWS Lambda functions backed by DynamoDB to dynamically block IP addresses in an AWS network ACL
     • We created a near real-time blocking system that is infinitely scalable
     • The ideas are not limited to these. By leveraging the advantages of serverless we can solve some interesting problems in the security industry
     • While security teams can leverage serverless to solve problems at scale, we should remember that attackers can also leverage these infinitely scalable platforms