DevSecOps in the Cloud Is Not Just CI/CD: Embracing Security Automation

#RSAC
Session ID: CSV-T11

Henrik Johansson
Security Specialist Solutions Architect, Amazon Web Services
@henrikjay

© 2017, Amazon Web Services, Inc. or its affiliates. All rights reserved.

Terminology Disclaimer

    import re
    # DevSecOps, SecDevOps and Rugged DevOps all match the same pattern
    re.search(r'([Dd]ev[Ss]ec|[Ss]ec[Dd]ev|[Rr]ugged\s[Dd]ev)[Oo]ps', 'Rugged DevOps')

= Security Automation
At Scale

Why/Who/Where/When/What

Why - Goals of DevSecOps

• Pace of Innovation… meet Pace of Security Automation
• Elastic and autonomous security validation of instance deployments
• Risk/rating based actions
• Automatic Incident Response Remediation
• Security at scale

Who - Me?

Purpose
• Security is a service team, not a blocker
• Security is everyone's job
• Allow flexibility and freedom but control the flow and result.

Meet the new security team
• Operations
• Engineering
• Application Security
• Compliance
• Development

Where - 3(+) places

1. Security of the CI/CD Pipeline
   • Access roles
   • Hardening build servers/nodes
2. Security in the CI/CD Pipeline
   • Artifact validation
   • Static code analysis

CI/CD for DevOps

[Diagram: CI/CD for DevOps. Components: Version Control; CI Server; Package Builder; Deploy Server; Artifact Repo; Test Env; Staging Env; Prod Env. Labels: Dev; Commit to Git/master; Get/Pull Code; Distributed Builds; Run Tests in parallel; Send Build Report to Dev; Stop everything if build failed; Generate; Images; Push; Config; Install; Create; Code, Config, Tests; Deployment templates for infrastructure.]

CI/CD for DevSecOps

[Diagram: CI/CD for DevSecOps. Components: Version Control; CI Server; Package Builder; Promote Process; Test Env; Staging Env; Prod Env. Labels: Dev; Block creds from git; Get/Pull Code; Images; Log for audit; Audit/Validate; Config Checksum; Continuous Scan; Scan hook; Code, Config, Tests; Send Build Report to Security; Stop everything if audit/validation failed; Deployment templates for infrastructure.]

What about my other stuff?

Where

3. Cloud scale Security aka all the other stuff people are really talking about
   • Infrastructure as code
     - Split ownership
     - Pre-deploy validation
   • Elastic security automation
     - API driven
     - Autoscaling groups – hooks
     - Execution layer scales with targets
   • Runtime security
     - Tag based targeting
   • Rip-n-replace
   • Continuous pentesting
   • Immutable infrastructure
     - Validation and enforcement
   • Integrate with managed services
   • …

When

Easy
All the time!

When - Control and Validate

Pre-event - When possible
• Store infrastructure in code repository
  - Validate each push (git hooks)
  - Use managed microservices as execution engine
  - Scan cloud infrastructure templates for unwanted/risk valued configurations
  - Validate Container definitions
• Validate system code early on
  - Find unwanted libraries etc.
• Force infrastructure changes through templates
• Block if needed/unsure

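An added example, not code from the talk: a pre-deploy scan of a JSON CloudFormation template that rates each finding and decides whether a push should be blocked, including the "block if unsure" case where a value is only known at deploy time. The sample template, the ratings, the allowed-port list and the blocking threshold are all assumptions made for illustration.

```python
import json

# Constructed sample template (not from the talk): SSH open to the world, an
# ingress CIDR that is only known at deploy time, and a public-read bucket.
TEMPLATE = json.loads("""
{"Resources": {
  "WebSg": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
    "GroupDescription": "web",
    "SecurityGroupIngress": [
      {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "0.0.0.0/0"},
      {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"}]}},
  "AppSg": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
    "GroupDescription": "app",
    "SecurityGroupIngress": [
      {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,
       "CidrIp": {"Ref": "AllowedCidr"}}]}},
  "Logs": {"Type": "AWS::S3::Bucket", "Properties": {"AccessControl": "PublicRead"}}
}}
""")

ALLOWED_WORLD_PORTS = {80, 443}  # assumption: ports accepted from anywhere
BLOCK_AT = 7                     # assumption: rating at or above this blocks the push
UNSURE = 7                       # "block if unsure": unresolved values rate as blocking
ANYWHERE = ("0.0.0.0/0", "::/0")

def scan_ingress(name, rule):
    """Rate one SecurityGroupIngress entry; returns (rating, resource, reason) tuples."""
    cidr = rule.get("CidrIp", rule.get("CidrIpv6"))
    lo, hi = rule.get("FromPort"), rule.get("ToPort")
    if any(isinstance(v, dict) for v in (cidr, lo, hi)):  # Ref / Fn::* intrinsic
        return [(UNSURE, name, "ingress uses a value unknown before deploy")]
    if cidr not in ANYWHERE:
        return []
    if str(rule.get("IpProtocol")) == "-1" or lo is None or hi is None:
        return [(10, name, "all traffic open to the internet")]
    if all(p in ALLOWED_WORLD_PORTS for p in range(int(lo), int(hi) + 1)):
        return []
    return [(9, name, f"ports {lo}-{hi} open to the internet")]

def scan_template(template):
    """Collect findings for every resource, highest rating first."""
    findings = []
    for name, res in template.get("Resources", {}).items():
        props = res.get("Properties", {})
        if res.get("Type") == "AWS::EC2::SecurityGroup":
            for rule in props.get("SecurityGroupIngress", []):
                findings += scan_ingress(name, rule)
        elif res.get("Type") == "AWS::S3::Bucket":
            if props.get("AccessControl") in ("PublicRead", "PublicReadWrite"):
                findings.append((8, name, "bucket ACL grants public access"))
    return sorted(findings, reverse=True)

def decide(findings):
    """'block' if any rating reaches BLOCK_AT, 'warn' for lesser findings, else 'allow'."""
    if any(rating >= BLOCK_AT for rating, _, _ in findings):
        return "block"
    return "warn" if findings else "allow"

if __name__ == "__main__":
    found = scan_template(TEMPLATE)
    for rating, resource, why in found:
        print(f"[{rating:>2}] {resource}: {why}")
    print("decision:", decide(found))  # a git hook would reject the push on "block"
```
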
Post-event - Always
• Follow up on sensitive APIs
  - IAM, Security Groups/Firewall, Encryption keys, Logging, etc.
  - Alert/Inform
• Use source of truth
  - Locked to execution function (Read Only)
• Validate source
  - Human or Machine/CI/CD
• Decide on remediation

When - Trigger

Trigger:
• Per change
  - API based
  - Event logs
• Per day
• Per framework
  - Overall infrastructure, components and resources
  - One component multiple frameworks

What - Give me some examples

• Security validation in an elastic infrastructure
  - Implement -> Validate -> Decide
  - Terminate upon failure
• Automatic Incident Response Remediation
  - Auto heal logging
  - Disable offender
• Integrate host-based and cloud-based
  - Immutable infrastructure - Isolate instance

Example - Auto isolation

• Modify /etc/pam.d/sshd
  - Execute script upon logon

        session optional pam_exec.so /path/trigger.sh

• Trigger cloud based event as marker

        #!/bin/bash
        # Metadata requests as on the slide (IMDSv1 style); instances that
        # enforce IMDSv2 need a session token first.
        INSTANCE_ID=$(wget -q -O - http://169.254.169.254/latest/meta-data/instance-id)
        # Strip the trailing zone letter from the availability zone to get the region
        REGION=$(wget -q -O - http://169.254.169.254/latest/meta-data/placement/availability-zone | sed 's/.\{1\}$//')
        DATE=$(date)
        aws ec2 --region "$REGION" create-tags --resources "$INSTANCE_ID" --tags "Key=Tainted,Value=$DATE"

• Execute cloud function on marker detection
  - Remove from load balancer/scaling groups (will auto-heal)
  - Block in/outgoing traffic using cloud controls

Example - Auto isolation

Don't forget safeguards!
• How many instances can I isolate before

        if isolated > x:
            wake_human()

• Remember, x could be 0

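An added example, not code from the talk: the cloud function side of auto isolation, which finds instances carrying the Tainted tag, detaches them from their scaling group, swaps their security groups for a quarantine group, and stops to wake a human once the limit x is reached. The functions use boto3-style client method names; QUARANTINE_SG, the Isolated tag, the limit of 2 and the in-memory FakeCloud stand-in are assumptions made so the example runs offline.

```python
QUARANTINE_SG = "sg-quarantine-example"  # assumption: a security group with no rules
MAX_AUTO_ISOLATED = 2                    # the slide's x; 0 means always ask a human

def tagged(ec2, key):
    """Ids of instances carrying tag `key` (boto3-style describe_instances)."""
    resp = ec2.describe_instances(Filters=[{"Name": "tag-key", "Values": [key]}])
    return [i["InstanceId"] for r in resp["Reservations"] for i in r["Instances"]]

def isolate(ec2, autoscaling, instance_id):
    """Detach from the scaling group (it launches a replacement), then cut traffic."""
    found = autoscaling.describe_auto_scaling_instances(InstanceIds=[instance_id])
    for member in found["AutoScalingInstances"]:
        autoscaling.detach_instances(
            InstanceIds=[instance_id],
            AutoScalingGroupName=member["AutoScalingGroupName"],
            ShouldDecrementDesiredCapacity=False)  # keep capacity so the group heals
    ec2.modify_instance_attribute(InstanceId=instance_id, Groups=[QUARANTINE_SG])
    ec2.create_tags(Resources=[instance_id], Tags=[{"Key": "Isolated", "Value": "auto"}])

def handle_tainted(ec2, autoscaling, wake_human, limit=MAX_AUTO_ISOLATED):
    """Isolate Tainted instances until `limit` are isolated, then hand off to a human."""
    done = set(tagged(ec2, "Isolated"))
    pending = [i for i in tagged(ec2, "Tainted") if i not in done]
    isolated = []
    for instance_id in pending:
        if len(done) + len(isolated) >= limit:  # one more would exceed x
            wake_human(pending[len(isolated):])
            break
        isolate(ec2, autoscaling, instance_id)
        isolated.append(instance_id)
    return isolated

class FakeCloud:
    """Constructed in-memory stand-in for both clients, so the example runs offline."""
    def __init__(self, tags, groups):
        self.tags, self.groups, self.sgs = tags, groups, {}
    def describe_instances(self, Filters):
        key = Filters[0]["Values"][0]
        hits = [{"InstanceId": i} for i, t in sorted(self.tags.items()) if key in t]
        return {"Reservations": [{"Instances": hits}]}
    def describe_auto_scaling_instances(self, InstanceIds):
        return {"AutoScalingInstances": [
            {"InstanceId": i, "AutoScalingGroupName": g}
            for g, members in self.groups.items() for i in InstanceIds if i in members]}
    def detach_instances(self, InstanceIds, AutoScalingGroupName, ShouldDecrementDesiredCapacity):
        self.groups[AutoScalingGroupName] -= set(InstanceIds)
    def modify_instance_attribute(self, InstanceId, Groups):
        self.sgs[InstanceId] = Groups
    def create_tags(self, Resources, Tags):
        for resource in Resources:
            self.tags[resource].update(t["Key"] for t in Tags)

if __name__ == "__main__":
    cloud = FakeCloud({"i-a": {"Tainted"}, "i-b": {"Tainted"}, "i-c": {"Tainted"}},
                      {"web-asg": {"i-a", "i-b", "i-c"}})
    paged = []
    print("isolated:", handle_tainted(cloud, cloud, paged.append))
    print("left for a human:", paged)
```

Against real clients, describe_instances is paginated, so a production version would walk every page before counting.
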
Example - logging

• Detect: Cloud logging disabled
• Priority: Enable logging
• Forensics: Has this happened before
• Countermeasures:

        if num_disabled > x:  # x could be zero based on type and user
            disable_user()

• Alert!

Cool… so I just fix things??
Well… yes... but...

Risks
• Failure is always an option, now at script speed
• We forgot to tell you…
• No proper alerting, logging or follow-up on automated events
• You got scripts… they got scripts
• How do you minimize risk of failed remediation functions?

Implement remediation framework

The anatomy of remediation
• Continuous/Event based
• Execution constraints
  - Will action risk breaking something
  - Will change affect cost
  - Is there a source of truth

[Diagram labels: Know; Execute; Priority Action; Forensic; Countermeasures; Alerts; Log]

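An added example, not code from the talk: the logging example and the anatomy of remediation above, written as one handler that runs priority action, forensics, countermeasure and alert in order, records every step, and keeps going when the priority action itself fails. The event records, the per-identity-type thresholds and the action callables are assumptions; in a real deployment the callables would wrap the cloud API calls.

```python
from collections import Counter

def stop_logging(arn, kind, trail="org-trail"):
    """Build a constructed CloudTrail-style record, trimmed to the fields used below."""
    return {"eventName": "StopLogging", "requestParameters": {"name": trail},
            "userIdentity": {"type": kind, "arn": arn}}

EVENTS = [  # constructed sample input
    stop_logging("arn:aws:sts::111122223333:assumed-role/ci-deploy/build", "AssumedRole"),
    stop_logging("arn:aws:iam::111122223333:user/alice", "IAMUser"),
    stop_logging("arn:aws:sts::111122223333:assumed-role/ci-deploy/build", "AssumedRole"),
]

# The slide's x per identity type (assumed values): zero tolerance for people,
# one free pass for the pipeline role.
X_BY_TYPE = {"IAMUser": 0, "AssumedRole": 1}

def remediate(event, seen, actions, thresholds=X_BY_TYPE):
    """Run one detection through priority -> forensics -> countermeasure -> alert."""
    if event.get("eventName") != "StopLogging":
        return []
    who = event["userIdentity"]["arn"]
    trail = event["requestParameters"]["name"]
    steps = []
    # Priority action: restore visibility first. A failure is recorded, not fatal.
    try:
        actions["enable_logging"](trail)
        steps.append("priority:logging-enabled")
    except Exception as exc:
        steps.append(f"priority:FAILED:{exc}")
    # Forensics: has this principal done this before?
    seen[who] += 1
    steps.append(f"forensics:count={seen[who]}")
    # Countermeasure: x may be zero depending on the identity type.
    if seen[who] > thresholds.get(event["userIdentity"]["type"], 0):
        actions["disable_user"](who)
        steps.append("countermeasure:user-disabled")
    # Alert and log every run so no automated action happens silently.
    actions["alert"](who, trail, steps)
    return steps

def demo():
    """Replay EVENTS with recording stand-ins for the three actions."""
    calls = []
    actions = {
        "enable_logging": lambda trail: calls.append(("enable", trail)),
        "disable_user": lambda who: calls.append(("disable", who)),
        "alert": lambda who, trail, steps: calls.append(("alert", who)),
    }
    seen = Counter()
    return [remediate(e, seen, actions) for e in EVENTS], calls

if __name__ == "__main__":
    results, calls = demo()
    for steps in results:
        print(steps)
    print(calls)
```
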
At the end of the rainbow… What are we trying to accomplish?

Goals
• Minimize relying on humans
  - Automation doesn't sleep, eat or need coffee in the morning
• Prevent bad configurations before they are implemented
• Auto correct/remediate violations where possible
• Daily/instant benchmark validation of infrastructure
  - Validate against industry frameworks
  - Extend to remediation

Your next step

• Look through your infrastructure security runbook
  - What can you automate?
  - How can you validate?
• Example: OSS validation for CIS AWS Foundation Framework
  https://github.com/awslabs/aws-security-benchmark

OSS Code to learn from

• git-secrets - Prevents you from committing passwords and other sensitive information to a git repository.
• aws-security-benchmark - Benchmark scripts mapped against trusted security frameworks.
• aws-config-rules - [Node, Python, Java] Repository of sample Custom Rules for AWS Config
• Netflix/security_monkey - Monitors policy changes and alerts on insecure configurations in an AWS account.
• Netflix/edda - Edda is a Service to track changes in your cloud deployments.
• ThreatResponse - Open Source Security Suite for hardening and responding in AWS.
• CloudSploit - Capturing things like open security groups, misconfigured VPCs and more.
• Stelligent/Cfn_nag - Looks for patterns in CloudFormation templates that may indicate insecure infrastructure.
• Capitalone/cloud-custodian - Rules engine for AWS fleet management.

Remember

It's actually not who, when, where or what... It's just how