building a hyper secure vpc on aws with puppet
DESCRIPTION
This presentation was given at PuppetConf 2013. It addresses a set of security concerns on AWS VPC and how we used Puppet to address these concerns.

TRANSCRIPT
Puppetconf 2013
Building a Hyper Secure VPC on AWS with Puppet
Tim Nolet

Architect at Xebia (the Netherlands)
Linux / Java / Cloud / Automation / Operations
github.com/tnolet
nl.linkedin.com/in/tnolet

Holland = The Netherlands
Image: xkcd.com

I tend to ramble...
The Assignment

The Assignment (1)
1. Build a general purpose VPC on AWS
2. Standardize application deployment
3. Apply company security policies

The Assignment (2)
1. Do it with Open Source
2. Use AWS standards
3. Stay close to reference implementations
AWS and security
IAM, MFA, HSM
SSL, SSH, VPN
ISO 27001, PCI-DSS
PGP
.. and probably some more acronyms
Design Principles
A Grid based on:
3x Availability Zone
3x Tier: web, app, data
1x Management subnet

Design Principles
Reference stacks
Implemented in CloudFormation
Provision:
EC2 instances
Security Groups
RDS instances
ELB load balancers
etc.

public_three_tier_stack_redundant_rds.template
AMI Hardening
1. Apply CIS Benchmark for Red Hat Linux
2. Log + Alert on any discrepancies
3. Monitor YUM security updates
Benchmark: https://benchmarks.cisecurity.org/tools2/linux/CIS_Redhat_Linux_5_Benchmark_v2.0.0.pdf

CIS Benchmark Module
manifests/
  1_software.pp
  2_osservices.pp
  3_specialservices.pp
  4_network.pp
  5_logaudit.pp
  6_accessauth.pp
  7_user.pp
  8_banners.pp
  9_maintenance.pp
  init.pp
Coooode!

```puppet
# 1.6 Additional Process Hardening
# 1.6.1 Restrict Core Dumps
# limits.conf shipped from the module sets the hard core limit to 0
file { "/etc/security/limits.conf":
  source => "puppet:///modules/cis_baseline/limits.conf",
  ensure => "present",
  group  => "0",
  mode   => "644",
  owner  => "0",
}

# 1.6.2 Configure ExecShield
# file_line comes from the puppetlabs-stdlib module
file_line { "Execshield":
  path => "/etc/sysctl.conf",
  line => "kernel.exec-shield = 1",
}
```
Hacking /etc/pam.d/su
Allows only users in the `wheel` group to use `su`

```puppet
# 6.5 Restrict Access to the su Command
# Insert "auth required pam_wheel.so use_uid" right after the pam_rootok.so
# line; the onlyif guard keeps the run idempotent.
augeas { "pam.d/su":
  context => "/files/etc/pam.d/su/",
  changes => [
    "ins 01 after *[module='pam_rootok.so'][control='sufficient'][type='auth'][last()]",
    "set 01/type auth",
    "set 01/control required",
    "set 01/module pam_wheel.so",
    "set 01/argument use_uid",
  ],
  onlyif  => "match *[type='auth'][control='required'][module='pam_wheel.so'][argument='use_uid'] size == 0",
}
```
Tagging dependent modules
IPtables is managed by its own module. We check if it is included using the `tagged` function.

```puppet
# 4.7 Enable IPtables
# CIS Rule 4.7 should be enforced through the iptables/firewall module.
# We only notify if it is not running (alert() is Puppet's logging function).
if tagged("firewall_base") {
  notice("CIS rule 4.7 Enable IPtables is installed and enabled")
} else {
  alert("CIS rule 4.7 Enable IPtables is not installed")
}
```

Tags: order is important
Central Logging
Rsyslog => Graylog2
Actual IP of the Graylog2 host is in Hiera

```erb
# /etc/rsyslog.conf
# Forward all logs to central logging server (udp forwarding)
*.* @<%= central_log_app_server %>
```

Sorting, Searching, Alerting, Graphing
...basically a SIEM on the cheap
Network traffic logging
Why?
AWS Security Groups and Network ACLs don't log anything

Network traffic logging
How?
Puppet + IPtables + Rsyslog + Graylog2
Extending the puppetlabs_firewall module from the forge: https://forge.puppetlabs.com/puppetlabs/firewall

Allow / Drop / Log
1. Allow or Drop connections
2. Tag initial connections, on both dropped and allowed
3. Don't tag established and related connections
4. Log to Graylog2 via rsyslog
Allow / Drop / Log
Let Related and Established pass through unharmed

```puppet
firewall { "000 INPUT allow related and established":
  state  => ["RELATED", "ESTABLISHED"],
  action => "accept",
  chain  => "INPUT",
  proto  => "all",
}
```
Allow / Drop / Log
Create a "LOGNEW" chain for all NEW connections. Tag them with a prefix and jump them to the LOG target. Then accept the connections.

```puppet
firewallchain { 'LOGNEW:filter:IPv4':
  ensure => present,
}

firewall { "100 Log all NEW connections":
  chain      => "LOGNEW",
  log_level  => "info",
  log_prefix => "FIREWALL TCP INBOUND",
  jump       => "LOG",
}

firewall { "101 Accept the connection":
  chain  => "LOGNEW",
  action => "accept",
}
```
Allow / Drop / Log
Jump your allowed traffic to the LOGNEW chain

```puppet
firewall { "100 allow ssh":
  state => ["NEW"],
  dport => "22",
  proto => "tcp",
  jump  => "LOGNEW",
}
```
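What lands in Graylog2 after the LOGNEW chain fires is a kernel LOG line carrying the "FIREWALL TCP INBOUND" prefix. The parser below is an added example, not code from the talk: it turns such lines (constructed here; hostnames and addresses are made up) into structured records and counts new connections per source and destination port, the view you would build a Graylog2 stream or alert on.

```ruby
# Constructed sample: three LOG lines as rsyslog forwards them, plus one
# unrelated sshd line that the parser must ignore.
SAMPLE_LOG = <<~LOG
  Oct 11 10:21:33 web-1a kernel: FIREWALL TCP INBOUND IN=eth0 OUT= SRC=10.0.1.25 DST=10.0.0.12 LEN=60 TTL=64 PROTO=TCP SPT=51234 DPT=22 SYN
  Oct 11 10:21:34 web-1a kernel: FIREWALL TCP INBOUND IN=eth0 OUT= SRC=10.0.1.25 DST=10.0.0.12 LEN=60 TTL=64 PROTO=TCP SPT=51235 DPT=22 SYN
  Oct 11 10:21:35 web-1a kernel: FIREWALL TCP INBOUND IN=eth0 OUT= SRC=10.0.2.40 DST=10.0.0.12 LEN=60 TTL=64 PROTO=TCP SPT=40001 DPT=443 SYN
  Oct 11 10:21:36 web-1a sshd[1234]: Accepted publickey for deploy from 10.0.1.25 port 51234 ssh2
LOG

# Syslog header, then the log_prefix set in the firewall resource, then the
# key=value fields that the iptables LOG target emits.
LOG_RE = /\A(?<ts>\w{3}\s+\d+ [\d:]+) (?<host>\S+) kernel: (?<prefix>FIREWALL \w+ \w+) (?<fields>.*)\z/

# Parse one line; returns nil for lines that do not carry the firewall prefix.
def parse_firewall_line(line)
  m = LOG_RE.match(line.strip)
  return nil unless m
  fields = m[:fields].split.each_with_object({}) do |tok, h|
    k, v = tok.split("=", 2)
    h[k] = v unless v.nil?   # bare flags such as SYN or DF carry no value
  end
  { ts: m[:ts], host: m[:host], prefix: m[:prefix],
    src: fields["SRC"], dst: fields["DST"], proto: fields["PROTO"],
    dport: fields["DPT"].to_i, iface: fields["IN"] }
end

# Count NEW connections keyed by "src -> dport"; established/related traffic
# never reaches LOGNEW, so every line here is one connection attempt.
def new_connections_by_source(log_text)
  log_text.each_line.filter_map { |l| parse_firewall_line(l) }
          .group_by { |r| "#{r[:src]} -> #{r[:dport]}" }
          .transform_values(&:size)
end
```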
Exceptions...
Proxies
DNS
Database running nodes
Other bridging type nodes

Custom Facter to the rescue!
IP ranges match the GRID:
Availability zone
Tier
Av. Zone custom Fact

```ruby
# Derive the availability zone from the last octet of the node's IP;
# the management tier lives in a single subnet and is pinned to zone_1b.
def get_avzone
  ipaddress = Facter.value(:ipaddress)
  if Facter.value(:tier) == "management"
    av_zone = "zone_1b"
  elsif ipaddress =~ (/^.*\.*\.*\.([012345][0-9]|6[0-2])$/)
    av_zone = "zone_1a"
  elsif ipaddress =~ (/^.*\.*\.*\.(6[5-9]|[789][0-9]|1[0-1][0-9]|12[0-6])$/)
    av_zone = "zone_1b"
  elsif ipaddress =~ (/^.*\.*\.*\.(129|1[3-8][0-9]|190)$/)
    av_zone = "zone_1c"
  else
    av_zone = "default"
  end
  av_zone
end
```
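The same lookup can be driven from the grid itself rather than from last-octet regexes, which also yields the tier fact that the zone fact above depends on. This is an added example, not the talk's code: the 10.0.0.0/16 prefix and the per-tier subnets are assumptions constructed to mirror the slide's ranges (last octet 0-62 => zone_1a, 65-126 => zone_1b, 129-190 => zone_1c, management pinned to zone_1b); `locate`, `get_tier` and `GRID` are names introduced here.

```ruby
require "ipaddr"

# tier => { zone => subnet }. Constructed layout: each /26 holds 64
# addresses, matching the 0-62 / 65-126 / 129-190 split of the last octet
# on the slide; the management subnet is a single /24 in zone_1b.
GRID = {
  "web"        => { "zone_1a" => "10.0.1.0/26", "zone_1b" => "10.0.1.64/26", "zone_1c" => "10.0.1.128/26" },
  "app"        => { "zone_1a" => "10.0.2.0/26", "zone_1b" => "10.0.2.64/26", "zone_1c" => "10.0.2.128/26" },
  "data"       => { "zone_1a" => "10.0.3.0/26", "zone_1b" => "10.0.3.64/26", "zone_1c" => "10.0.3.128/26" },
  "management" => { "zone_1b" => "10.0.100.0/24" },
}.freeze

# Returns [tier, zone] for an address, or ["default", "default"] when the
# address is outside the grid or not a valid IP (the slide's fallback value).
def locate(ipaddress)
  ip = IPAddr.new(ipaddress)
  GRID.each do |tier, zones|
    zones.each do |zone, cidr|
      return [tier, zone] if IPAddr.new(cidr).include?(ip)
    end
  end
  ["default", "default"]
rescue IPAddr::InvalidAddressError
  ["default", "default"]
end

def get_tier(ipaddress)
  locate(ipaddress)[0]
end

def get_avzone(ipaddress)
  locate(ipaddress)[1]
end

# Register both as Facter facts when loaded by Facter; skipped elsewhere so
# the functions stay testable on their own.
if defined?(Facter)
  Facter.add(:tier)    { setcode { get_tier(Facter.value(:ipaddress)) } }
  Facter.add(:av_zone) { setcode { get_avzone(Facter.value(:ipaddress)) } }
end
```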
Done!

Good / Bad / Plain Ugly

Good
Community!

Good
Graylog2 is great and extremely flexible

Good
VPC is the way to go on AWS
CloudFormation's power is incredible
Bad
Performance of large catalogs with Puppet 2.7

```puppet
file { "/etc/somedirectory":
  recurse  => true,
  ignore   => ["work", "temp", "log"],
  checksum => none,
}
```

Hiera-GPG is cumbersome to say the least
Bad
JSON notation of CloudFormation templates
...meh
Tip: CFNDSL = Ruby DSL for CloudFormation templates
https://github.com/howech/cfndsl

Ugly
Unified state and lifecycle management

Ugly
Everything is automated, but using its own:
1. DSL
2. Authentication / Authorization
3. Paradigms
4. Versioning
5. You name it...

Ugly
One single source of truth for:
1. Audit trail / logging
2. Instance status
3. Application status
4. CRUD actions on the whole infrastructure

Hope?!
RightScale, Scalr, Cloudify and similar? AWS OpsWorks?

Hope?!
Not third party or a plugin
Part of the core
Not SaaS only
Enterprise
Cloud Provisioning, Configuration Management and Application Deployment

Rant over...

Questions?