2 40pm - building security best practices with aws and
TRANSCRIPT
Page 1
SCOTT WARD
BUILDING SECURITY BEST PRACTICES WITH AWS AND CROWDSTRIKE
Page 2
SPEAKER
§ 18+ years at Amazon & Amazon Web Services
§ 13 years building financial systems and global payments integrations
§ 5+ years as a partner solution architect focused on security technology partners
§ Likes…… Cheeseburgers
Principal Solutions Architect
SCOTT WARD
© 2019 CROWDSTRIKE
Page 3
SECURITY AND OPERATIONAL EXCELLENCE ARE OUR TOP PRIORITY
Page 4
CUSTOMER
CUSTOMER DATA
PLATFORM, APPLICATIONS, IDENTITY, & ACCESS MANAGEMENT
OPERATING SYSTEM, NETWORK, & FIREWALL CONFIGURATION
CLIENT-SIDE DATA ENCRYPTION & DATA INTEGRITY AUTHENTICATION | SERVER-SIDE ENCRYPTION (FILE SYSTEM AND/OR DATA) | NETWORK TRAFFIC PROTECTION (ENCRYPTION, INTEGRITY, IDENTITY)
RESPONSIBILITY FOR SECURITY “IN” THE CLOUD
AWS
SOFTWARE
COMPUTE | STORAGE | DATABASE | NETWORKING
HARDWARE/AWS GLOBAL INFRASTRUCTURE
REGIONS | AVAILABILITY ZONES | EDGE LOCATIONS
RESPONSIBILITY FOR SECURITY “OF” THE CLOUD
SHARED RESPONSIBILITY MODEL
Page 5
CUSTOMER
CUSTOMER DATA
PLATFORM, APPLICATIONS, IDENTITY, & ACCESS MANAGEMENT
OPERATING SYSTEM, NETWORK, & FIREWALL CONFIGURATION
CLIENT-SIDE DATA ENCRYPTION & DATA INTEGRITY AUTHENTICATION | SERVER-SIDE ENCRYPTION (FILE SYSTEM AND/OR DATA) | NETWORK TRAFFIC PROTECTION (ENCRYPTION, INTEGRITY, IDENTITY)
RESPONSIBILITY FOR SECURITY “IN” THE CLOUD
SHARED RESPONSIBILITY MODEL
Page 6
§ Virtual Servers in the Cloud
§ Vertically and Horizontally Scale
§ Windows and Linux Operating Systems
§ Five Instance Classes & 100+ Instance Types
General Purpose
Compute Optimized
Memory Optimized
Accelerated Computing
Storage Optimized
ELASTIC COMPUTE CLOUD (EC2)
Page 7
You control the operating system
§ Patching
§ User Access/Permissions
§ OS Hardening
§ Encryption
§ Security Features
§ Logging
§ Security Products
Security Groups
§ Stateful Firewall
§ Default Deny for Inbound
You control your network placement
§ Define what is private and public
EC2 SECURITY
Page 8
§ You use CrowdStrike to help protect your EC2 instances
§ EC2 offers benefits around flexibility and elasticity
§ What strategies exist to ensure that your security can keep up with how you are using AWS?
CROWDSTRIKE AND EC2
Page 9
Current Golden AMI → Running Instance (add Falcon + other tools or software) → New Golden AMI
§ Copy AMI to necessary regions and accounts
§ Publish new golden AMI IDs
§ Enforce usage through pipelines or configuration checks
sudo /opt/CrowdStrike/falconctl -d -f --aid
(Run on the instance before the image is captured: it deletes the sensor's agent ID so that every instance launched from the new AMI registers with its own AID instead of cloning one.)
PREBAKED AMI
Page 10
EC2 Instance
IAM Permissions
Bootstrap Code
S3 Bucket
Parameter Store
BOOTSTRAP AT LAUNCH
Page 11
S3 bucket to store agents
S3 Bucket: falcon-agent-bucket
BOOTSTRAP AT LAUNCH
Page 12
BOOTSTRAP AT LAUNCH
Page 13
BOOTSTRAP AT LAUNCH
Bootstrap Code for S3
LINUX
#!/bin/bash
# fetch the current sensor package from the agent bucket, install it, set the CID, start the sensor
aws s3 cp s3://falcon-agent-bucket/rhel/current/falcon-sensor-current.rpm /tmp
yum install /tmp/falcon-sensor-current.rpm -y
/opt/CrowdStrike/falconctl -s --cid=xxxxxxxxxxxxxxxxxxx
service falcon-sensor start
---------------
WINDOWS
<powershell>
# -BucketName takes only the bucket name; the windows/current prefix belongs in -Key
Read-S3Object -BucketName falcon-agent-bucket -Key windows/current/WindowsSensor.exe -File c:\WindowsSensor.exe
c:\WindowsSensor.exe /install /quiet /norestart CID=xxxxxxxxxxxxxxxxxxx
</powershell>
Page 14
BOOTSTRAP AT LAUNCH
Access policy for S3
{
  "Version": "2012-10-17",
  "Statement": [
    { "Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::falcon-agent-bucket" },
    { "Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::falcon-agent-bucket/rhel/current/*" }
  ]
}
Page 15
BOOTSTRAP AT LAUNCH
AWS Parameter Store
Page 16
BOOTSTRAP AT LAUNCH
AWS Parameter Store
Page 17
BOOTSTRAP AT LAUNCH
Bootstrap code for parameter store
#!/bin/bash
agentloc=`aws ssm get-parameter --name /falcon/alinux/current --query 'Parameter.Value' --region us-west-2|sed 's/"//g'`
cid=`aws ssm get-parameter --name crowdstrike-customer-id --query 'Parameter.Value' --region us-west-2|sed 's/"//g'`
agentfile=`echo $agentloc|awk -F / '{print $4}'`   # bucket/os/channel/file -> file name
aws s3 cp s3://$agentloc /tmp
yum install /tmp/$agentfile -y
/opt/CrowdStrike/falconctl -s --cid=$cid
service falcon-sensor start
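The following is an added example, not code from the deck, showing a hardened version of the Linux bootstrap used on the S3 and Parameter Store slides. It keeps the deck's parameter names (/falcon/alinux/current, crowdstrike-customer-id), the falcon-agent-bucket bucket and the same yum / falconctl / service steps, and adds what the original lacks: `set -eu` so a failed parameter read or download stops the install instead of running falconctl with an empty CID, `--output text` instead of stripping quotes with sed, a format check on the CID, and a SHA-256 check of the downloaded RPM against a digest kept in a hypothetical extra parameter `/falcon/alinux/current/sha256` (an assumption; the slides store no digest). The assumed CID format (32 hex characters, a dash and a 2-character checksum) is also an assumption. Unlike the `awk '{print $4}'` in the original, the file-name helper works for a key of any depth.

```shell
#!/bin/bash
# Added example (not from the deck): hardened Falcon bootstrap for an
# Amazon Linux / RHEL instance, run as EC2 user-data.
# Assumptions: the deck's parameters /falcon/alinux/current (bucket/key of the
# RPM) and crowdstrike-customer-id exist; /falcon/alinux/current/sha256 is a
# hypothetical extra parameter holding the RPM's expected SHA-256 digest.
set -eu

REGION="${AWS_REGION:-us-west-2}"
AGENT_PARAM="/falcon/alinux/current"
CID_PARAM="crowdstrike-customer-id"
SHA_PARAM="/falcon/alinux/current/sha256"   # hypothetical, not on the slides

# Read one parameter as plain text. --output text replaces the sed quote
# stripping of the original; --with-decryption also handles a SecureString CID.
fetch_param() {
    aws ssm get-parameter --region "$REGION" --with-decryption \
        --name "$1" --query 'Parameter.Value' --output text
}

# Last path component of "bucket/any/depth/of/prefix/file.rpm". The original
# awk '{print $4}' only works for a key exactly three levels deep.
agent_file_from_path() {
    printf '%s\n' "${1##*/}"
}

# Sanity check before falconctl is run with the value: 32 hex characters,
# a dash and a 2-character checksum (assumed format of the checksum-suffixed CID).
valid_cid() {
    printf '%s' "$1" | grep -Eq '^[0-9A-Fa-f]{32}-[0-9A-Fa-f]{2}$'
}

# Compare a file's SHA-256 digest with the expected value; returns 0 on match.
verify_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        actual=$(sha256sum "$1" | cut -d' ' -f1)
    else
        actual=$(shasum -a 256 "$1" | cut -d' ' -f1)
    fi
    [ "$actual" = "$2" ]
}

install_sensor() {
    agentloc=$(fetch_param "$AGENT_PARAM")
    cid=$(fetch_param "$CID_PARAM")
    expected=$(fetch_param "$SHA_PARAM")
    valid_cid "$cid" || { echo "refusing to install: malformed CID" >&2; exit 1; }
    file="/tmp/$(agent_file_from_path "$agentloc")"
    aws s3 cp "s3://$agentloc" "$file"
    verify_sha256 "$file" "$expected" || {
        echo "refusing to install: digest mismatch for $file" >&2
        rm -f "$file"
        exit 1
    }
    yum install -y "$file"
    /opt/CrowdStrike/falconctl -s --cid="$cid"
    service falcon-sensor start
}

# The install runs only when FALCON_BOOTSTRAP=1 is set (as the user-data
# does); otherwise the script only defines the functions so they can be tested.
if [ "${FALCON_BOOTSTRAP:-0}" = "1" ]; then
    install_sensor
fi
```

In user-data the script is invoked with `FALCON_BOOTSTRAP=1` exported. The instance role then also needs ssm:GetParameter on the digest parameter, and kms:Decrypt on the key if the CID parameter is stored as a SecureString; the deck's policy on the next slide covers only the two parameters it names.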
Page 18
BOOTSTRAP AT LAUNCH
Access policy for S3 and SSM
{
  "Version": "2012-10-17",
  "Statement": [
    { "Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::falcon-agent-bucket" },
    { "Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::falcon-agent-bucket/alinux/current/*" },
    { "Effect": "Allow", "Action": "ssm:GetParameter", "Resource": [
        "arn:aws:ssm:us-west-2:526039161745:parameter/falcon/alinux/current",
        "arn:aws:ssm:us-west-2:526039161745:parameter/crowdstrike-customer-id"
      ] }
  ]
}
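As an added example that is not part of the deck, here is a small shell evaluator for the S3 and SSM policy above (the S3-only policy on the earlier slide is its first two statements). The four Allow statements are transcribed inline as constructed data; no AWS call is made. It applies the IAM decision rule that matters for least privilege: an explicit Deny wins, any matching Allow permits, and anything the policy does not mention is implicitly denied, with wildcards treated as shell globs. Running it shows that the bootstrap's own requests are allowed while a write to the bucket, a download from the rhel/current prefix and any other parameter are denied, which is also why the parameter value and the Resource prefix have to be kept in step. It models Effect/Action/Resource only (IAM treats action names case-insensitively and adds condition logic, neither of which is reproduced here).

```shell
#!/bin/bash
# Added example (not from the deck): a minimal evaluator for the S3 + SSM
# policy above. The four Allow statements are transcribed from the slide as
# constructed data (Effect Action Resource per line); no AWS call is made.
set -eu

POLICY='
Allow s3:ListBucket arn:aws:s3:::falcon-agent-bucket
Allow s3:GetObject arn:aws:s3:::falcon-agent-bucket/alinux/current/*
Allow ssm:GetParameter arn:aws:ssm:us-west-2:526039161745:parameter/falcon/alinux/current
Allow ssm:GetParameter arn:aws:ssm:us-west-2:526039161745:parameter/crowdstrike-customer-id
'

# IAM-style wildcard match (* and ?) of value $2 against pattern $1, using the
# shell's own glob matching; resource ARNs are compared case-sensitively.
glob_match() {
    case "$2" in
        $1) return 0 ;;
        *)  return 1 ;;
    esac
}

# policy_allows ACTION RESOURCE: explicit Deny wins, any matching Allow
# permits, and anything the policy does not mention is implicitly denied.
policy_allows() {
    decision=deny
    while read -r effect act res; do
        [ -n "$effect" ] || continue
        if glob_match "$act" "$1" && glob_match "$res" "$2"; then
            if [ "$effect" = "Deny" ]; then decision=deny; break; fi
            decision=allow
        fi
    done <<EOF
$POLICY
EOF
    [ "$decision" = "allow" ]
}

# The requests the Parameter Store bootstrap actually makes, followed by three
# it must not be able to make (a write, the rhel/ prefix, another parameter).
report() {
    for pair in \
        "s3:ListBucket arn:aws:s3:::falcon-agent-bucket" \
        "ssm:GetParameter arn:aws:ssm:us-west-2:526039161745:parameter/falcon/alinux/current" \
        "ssm:GetParameter arn:aws:ssm:us-west-2:526039161745:parameter/crowdstrike-customer-id" \
        "s3:GetObject arn:aws:s3:::falcon-agent-bucket/alinux/current/falcon-sensor-current.rpm" \
        "s3:PutObject arn:aws:s3:::falcon-agent-bucket/alinux/current/falcon-sensor-current.rpm" \
        "s3:GetObject arn:aws:s3:::falcon-agent-bucket/rhel/current/falcon-sensor-current.rpm" \
        "ssm:GetParameter arn:aws:ssm:us-west-2:526039161745:parameter/some-other-secret"
    do
        set -- $pair
        if policy_allows "$1" "$2"; then echo "ALLOW  $1 $2"; else echo "DENY   $1 $2"; fi
    done
}

report
```

The same check is what `aws iam simulate-principal-policy` does against the live policy; the point of the offline version is that it can sit in the pipeline that publishes a new agent path, failing the change if the new key falls outside the prefix the instance role is allowed to read.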
Page 19
AMI → Launch → Bootstrap (from Amazon S3 and AWS Parameter Store) → Final Instance
BOOTSTRAP AT LAUNCH
Page 20
AWS Systems Manager
Document
§ Install Software on instances managed by AWS Systems Manager
§ Deploy across a range of instances and operating systems
§ AWS EC2 and outside AWS
Zip File Deploy
USING SYSTEMS MANAGER DISTRIBUTOR
Page 21
Visibility | Lack of AWS Metadata
IMPORTANT CHALLENGES FOR AWS CUSTOMERS
Page 22
Visibility into EC2 resources across all AWS accounts registered with Falcon Discover
FALCON DISCOVER FOR AWS
Page 23
§ Availability Zone
§ Instance Type
§ State (Running/Stopped)
§ AMI ID
§ Public IP
§ Private IP
§ Storage Volumes
§ Instance ID
§ Launch Time
§ Security Groups & Rules
§ Tags
§ VPC ID
§ Subnet
§ Region
IMPORTANT AWS METADATA
Page 24
AWS CloudTrail
You are making API calls... on a growing set of AWS services around the world... CloudTrail is continuously recording API calls.
Store/Archive | Troubleshoot | Monitor & Alarm
HOW FALCON DISCOVER IS LEARNING ABOUT YOUR RESOURCES
Page 25
AWS CloudFormation | AWS CloudTrail | Amazon S3 | Amazon SNS | IAM Role
CONNECTING FALCON DISCOVER WITH YOUR AWS ACCOUNT
Page 26
AWS CloudFormation
CONNECTING FALCON DISCOVER WITH YOUR AWS ACCOUNT
Page 27
Common AWS Strategy
§ Workload Isolation
§ Avoid resource conflicts
§ Clear security boundary
§ Billing benefits
Falcon Discover Visibility
§ All your Accounts
§ All your VPCs
§ All Regions
MULTIPLE ACCOUNTS AND MULTIPLE VPCS
Page 28
AWS AGENT COVERAGE
Page 29
FILTERING ON MANAGED AND UNMANAGED INSTANCES
Page 30
FILTERING ON MANAGED AND UNMANAGED INSTANCES
Page 31
FALCON INSTANCE DETAILS DASHBOARD
Page 32
FILTERING INTERNET ACCESSIBLE SECURITY GROUPS
Page 33
AWS SECURITY HUB
Page 34
CROWDSTRIKE SECURITY HUB INTEGRATION
Page 35
TAKING ACTION WITH SECURITY HUB
AWS Security Hub Amazon CloudWatch Events
Amazon GuardDuty
Amazon Inspector
Amazon Macie
3rd Party Providers
Target options
Page 36
Page 37
THANK YOU
ANY QUESTIONS?
© 2019 CROWDSTRIKE