June 7, 2016
Boston
AWS on Splunk, Splunk on AWS
Agenda
• Lessons learned from Splunk Live!
• Operations in the Cloud on AWS, a primer
• Customer Success
What is AWS?
How do you Cloud?
Can I run forwarders in AWS?
Do indexers run in the Cloud?
Ephemeral?
Can I get metrics from y'all?
This cloud thing is not going to work for me, right?
Is the Cloud as secure as my data center?
In June 2015, IDC released a report which found that most customers can be more secure in AWS than in their on-premises environment. How?
AWS can be more secure than your existing environment by:
• Automating logging and monitoring
• Simplifying resource access
• Making it easy to encrypt properly
• Enforcing strong authentication
AWS and you share responsibility for security
AWS takes care of the security OF the Cloud:
  AWS Global Infrastructure: Regions, Availability Zones, Edge Locations
  AWS Foundation Services: Compute, Storage, Database, Networking
You get to define your controls IN the Cloud:
  Customer applications & content
  Identity & Access Control
  Network Security
  Inventory & Config
  Data Encryption
Key AWS Certifications and Assurance Programs
AWS - global footprint
Everyday, AWS adds enough new server capacity to support Amazon.com
when it was a $7 billion global enterprise.
Our scale and global footprint explained
James Hamilton: Innovation at Scale presentation, re:Invent 2014
http://mvdirona.com/jrh/work/
https://www.youtube.com/watch?v=JIQETrFC_SQ
The AWS platform
Enterprise Applications: Virtual Desktop, Sharing & Collaboration
Platform Services:
  Analytics: Hadoop, Real-time, Streaming Data, Data Warehouse, Data Pipelines
  App Services: Queuing & Notifications, Workflow, App Streaming, Transcoding, Email, Search
  Deployment & Management: One-click web app deployment, Dev/ops resource management, Resource Templates
  Mobile Services: Identity, Sync, Mobile Analytics, Push Notifications
  Administration & Security: Identity Management, Access Control, Usage Auditing, Key Storage, Monitoring and Logs
Core Services: Compute (VMs, Auto-scaling and Load Balancing), Storage (Object, Block and Archival), CDN, Databases (Relational, NoSQL, Caching), Networking (VPC, DX, DNS)
Infrastructure: Regions, Availability Zones, Points of Presence
Operations in the Cloud
AWS CloudTrail, Amazon CloudWatch, Amazon CloudWatch Events, Amazon CloudWatch Logs, AWS Config

Managing in the Cloud: AWS CloudTrail
Records AWS API calls for your account and delivers log files to you, including:
• the identity of the API caller
• the time of the API call
• the source IP address of the API caller
• the request parameters
• the response elements returned

AWS CloudTrail record example
{
  "Records": [{
    "eventVersion": "1.01",
    "userIdentity": {
      "type": "IAMUser",
      "principalId": "AIDAJDPLRKLG7UEXAMPLE",
      "arn": "arn:aws:iam::123456789012:user/Alice",
      "accountId": "123456789012",
      "accessKeyId": "AKIAIOSFODNN7EXAMPLE",
      "userName": "Alice",
      "sessionContext": {
        "attributes": {
          "mfaAuthenticated": "false",
          "creationDate": "2016-03-18T14:29:23Z"
        }
      }
    },
    "eventTime": "2016-03-18T14:30:07Z",
    "eventSource": "cloudtrail.amazonaws.com",
    "eventName": "StartLogging",
    "awsRegion": "us-west-2",
    "sourceIPAddress": "72.21.198.64",
    ... log continues
IAM User Deleted!
Keypair Created!
Root login from unexpected region!
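The three alerts on this slide can be written as rules in the same pattern form that Amazon CloudWatch Events uses to route CloudTrail events, and run over delivered log files. The Python below is an added example, not code from the deck or from Splunk or AWS: the sample records are constructed, the set of expected regions is an assumption standing in for whatever regions your account actually uses, and the MFA check reads the two places a record can carry it (userIdentity.sessionContext.attributes.mfaAuthenticated for IAM sessions, additionalEventData.MFAUsed for console sign-ins), which is the field the speaker notes point at when they say Alice "isn't MFA authenticated".

```python
import json

# Constructed sample records (not captured logs). Field names mirror real CloudTrail
# records; only the fields the rules below consult are filled in.
SAMPLE_RECORDS = [
    {"eventName": "DeleteUser", "eventSource": "iam.amazonaws.com", "awsRegion": "us-east-1",
     "userIdentity": {"type": "IAMUser", "userName": "Alice",
                      "sessionContext": {"attributes": {"mfaAuthenticated": "false"}}},
     "requestParameters": {"userName": "bob"}},
    {"eventName": "CreateKeyPair", "eventSource": "ec2.amazonaws.com", "awsRegion": "us-west-2",
     "userIdentity": {"type": "IAMUser", "userName": "Alice",
                      "sessionContext": {"attributes": {"mfaAuthenticated": "true"}}},
     "requestParameters": {"keyName": "build-host"}},
    {"eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com", "awsRegion": "ap-southeast-1",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root"},
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventName": "DescribeInstances", "eventSource": "ec2.amazonaws.com", "awsRegion": "us-east-1",
     "userIdentity": {"type": "IAMUser", "userName": "Alice",
                      "sessionContext": {"attributes": {"mfaAuthenticated": "true"}}}},
]

# Regions this (assumed) account is expected to operate in.
EXPECTED_REGIONS = {"us-east-1", "us-west-2"}

# Rules in the CloudWatch Events pattern form: every key named in the pattern must be
# present in the record with the same nesting, and the record's value must equal one of
# the listed values. Keys the pattern does not mention are ignored.
RULES = {
    "IAM user deleted": {"eventSource": ["iam.amazonaws.com"], "eventName": ["DeleteUser"]},
    "Key pair created": {"eventSource": ["ec2.amazonaws.com"], "eventName": ["CreateKeyPair"]},
    "Root console login": {"eventName": ["ConsoleLogin"], "userIdentity": {"type": ["Root"]}},
}


def matches(pattern, record):
    """CloudWatch Events style matching of one pattern against one record."""
    for key, wanted in pattern.items():
        if key not in record:
            return False
        if isinstance(wanted, dict):
            if not isinstance(record[key], dict) or not matches(wanted, record[key]):
                return False
        elif record[key] not in wanted:
            return False
    return True


def mfa_used(record):
    """True when the caller was MFA-authenticated. IAM sessions record this in
    userIdentity.sessionContext.attributes.mfaAuthenticated ("true"/"false");
    console sign-in events record it in additionalEventData.MFAUsed ("Yes"/"No")."""
    attrs = record.get("userIdentity", {}).get("sessionContext", {}).get("attributes", {})
    if "mfaAuthenticated" in attrs:
        return attrs["mfaAuthenticated"] == "true"
    return record.get("additionalEventData", {}).get("MFAUsed") == "Yes"


def detect(records, expected_regions=EXPECTED_REGIONS):
    """Run every rule over every record; return one alert dict per hit."""
    alerts = []
    for rec in records:
        for name, pattern in RULES.items():
            if not matches(pattern, rec):
                continue
            if name == "Root console login" and rec.get("awsRegion") not in expected_regions:
                name = "Root login from unexpected region"
            identity = rec.get("userIdentity", {})
            alerts.append({
                "rule": name,
                "actor": identity.get("userName") or identity.get("arn") or identity.get("type"),
                "region": rec.get("awsRegion"),
                "mfa": mfa_used(rec),
            })
    return alerts


def load_records(cloudtrail_json):
    """A delivered CloudTrail log file is a JSON document with a top-level "Records" list."""
    return json.loads(cloudtrail_json)["Records"]


if __name__ == "__main__":
    for alert in detect(load_records(json.dumps({"Records": SAMPLE_RECORDS}))):
        print(alert)
```

The DescribeInstances record produces nothing, the DeleteUser and CreateKeyPair records each produce one alert carrying the caller's MFA state, and the root sign-in from a region outside the expected set is escalated to the third alert on the slide. The same patterns can be pasted into a CloudWatch Events rule once the trail is configured to deliver to CloudWatch Logs.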
CloudTrail best practices
• Turn it on
• All regions, all accounts
• All into one bucket
• Enable log file validation
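Log file validation is the control behind the last bullet. The example below is added here and is not part of the deck; it reconstructs what validation checks: each digest file lists the SHA-256 of every delivered log file's uncompressed contents and the hash of the previous digest, so a log file modified or deleted after delivery, or a rewritten digest, no longer matches the chain. The bucket, object keys and log contents are constructed in memory. What it leaves out is the RSA signature (SHA256withRSA) that CloudTrail places in each digest's S3 object metadata and that is verified with the keys returned by `aws cloudtrail list-public-keys`; in practice `aws cloudtrail validate-logs --trail-arn ... --start-time ...` performs both the hash and the signature checks for you.

```python
import gzip
import hashlib
import json

BUCKET = "example-cloudtrail-logs"   # assumed bucket name for the constructed data


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def gz(obj) -> bytes:
    """CloudTrail stores log files and digest files gzipped in S3."""
    return gzip.compress(json.dumps(obj).encode())


def build_digest(log_keys, objects, previous_key=None):
    """Lay out a digest the way CloudTrail does: one entry per log file with the SHA-256 of
    the file's uncompressed contents, plus the hash of the previous digest file. Fixture
    only; real digests are produced and signed by CloudTrail, not by you."""
    prev_hash = sha256_hex(gzip.decompress(objects[previous_key])) if previous_key else None
    return {
        "digestS3Bucket": BUCKET,
        "previousDigestS3Object": previous_key,
        "previousDigestHashValue": prev_hash,
        "previousDigestHashAlgorithm": "SHA-256" if previous_key else None,
        "logFiles": [{"s3Bucket": BUCKET, "s3Object": k, "hashAlgorithm": "SHA-256",
                      "hashValue": sha256_hex(gzip.decompress(objects[k]))} for k in log_keys],
    }


def make_bucket():
    """Constructed in-memory stand-in for the S3 bucket: two log files and the two hourly
    digests covering them. Returns the objects and the key of the newest digest."""
    objects = {}
    log1 = "AWSLogs/123456789012/CloudTrail/us-east-1/2016/03/18/log-1400.json.gz"
    log2 = "AWSLogs/123456789012/CloudTrail/us-east-1/2016/03/18/log-1500.json.gz"
    objects[log1] = gz({"Records": [{"eventName": "StartLogging", "userIdentity": {"userName": "Alice"}}]})
    objects[log2] = gz({"Records": [{"eventName": "DeleteUser", "userIdentity": {"userName": "Alice"}}]})
    digest1 = "AWSLogs/123456789012/CloudTrail-Digest/us-east-1/2016/03/18/digest-1500.json.gz"
    digest2 = "AWSLogs/123456789012/CloudTrail-Digest/us-east-1/2016/03/18/digest-1600.json.gz"
    objects[digest1] = gz(build_digest([log1], objects))
    objects[digest2] = gz(build_digest([log2], objects, previous_key=digest1))
    return objects, digest2


def validate(objects, newest_digest_key):
    """Walk the digest chain backwards from the newest digest, recomputing the hash of every
    referenced log file and of every previous digest. Returns a list of findings; an empty
    list means nothing the chain vouches for was modified or removed. The signature on
    each digest is not checked here (see the lead-in)."""
    findings = []
    key = newest_digest_key
    while key is not None:
        if key not in objects:
            findings.append(f"missing digest: {key}")
            break
        digest = json.loads(gzip.decompress(objects[key]))
        for entry in digest["logFiles"]:
            log_key = entry["s3Object"]
            if log_key not in objects:
                findings.append(f"missing log file: {log_key}")
            elif entry["hashAlgorithm"] != "SHA-256":
                findings.append(f"unsupported hash algorithm on {log_key}")
            elif sha256_hex(gzip.decompress(objects[log_key])) != entry["hashValue"]:
                findings.append(f"modified log file: {log_key}")
        prev = digest["previousDigestS3Object"]   # null on the first digest of a trail
        if prev is not None and prev in objects and \
                sha256_hex(gzip.decompress(objects[prev])) != digest["previousDigestHashValue"]:
            findings.append(f"modified digest: {prev}")
            break   # a rewritten digest cannot vouch for anything before it
        key = prev
    return findings


def rewrite_object(objects, key, new_content):
    """Attacker scenario: overwrite a delivered object, for example to drop an
    incriminating record. The digest still carries the original hash."""
    altered = dict(objects)
    altered[key] = gz(new_content)
    return altered


if __name__ == "__main__":
    objects, newest = make_bucket()
    print("clean bucket:", validate(objects, newest))
    log2 = next(k for k in objects if k.endswith("log-1500.json.gz"))
    print("after tampering:", validate(rewrite_object(objects, log2, {"Records": []}), newest))
```

This is also why the speaker notes recommend a restrictive bucket policy with MFA Delete: validation only tells you after the fact that something changed; the bucket policy is what stops the rewrite in the first place.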
Managing in the Cloud: Amazon CloudWatch, Amazon CloudWatch Events, Amazon CloudWatch Logs

Amazon CloudWatch
• Monitor Amazon EC2 and other services
• Collect and track metrics
• Collect and monitor logs
• Set alarms
• Set custom metrics
Managing in the Cloud: AWS Config
What is AWS Config?
• Resource inventory
• Configuration history
• Change notifications
Common use cases
• Resource administration
• Auditing and compliance
• Managing and troubleshooting configuration changes
• Security analysis

Config Rules
• Set a desired configuration
• Evaluated against the resource configuration
Example: Unencrypted EBS volume created -> Evaluate against Config rules -> Flag as non-compliant
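The flow above (unencrypted EBS volume created, evaluated against a rule, flagged non-compliant) is what a change-triggered custom Config rule implements as a Lambda function. The Python below is an added example rather than one of the rules from the GitHub repository the deck links to: the configuration items are constructed, and the `put_evaluations` call a deployed rule would make is replaced by returning the same payload, so the evaluation logic can be exercised offline.

```python
import json

# Constructed configuration items (not real Config output). "configuration" mirrors the
# DescribeVolumes view of the resource, which is where Config records "encrypted".
SAMPLE_ITEMS = [
    {"resourceType": "AWS::EC2::Volume", "resourceId": "vol-0a1b2c3d4e5f60001",
     "configurationItemStatus": "ResourceDiscovered",
     "configurationItemCaptureTime": "2016-06-07T14:00:00.000Z",
     "configuration": {"volumeId": "vol-0a1b2c3d4e5f60001", "size": 8, "encrypted": False}},
    {"resourceType": "AWS::EC2::Volume", "resourceId": "vol-0a1b2c3d4e5f60002",
     "configurationItemStatus": "OK",
     "configurationItemCaptureTime": "2016-06-07T14:05:00.000Z",
     "configuration": {"volumeId": "vol-0a1b2c3d4e5f60002", "size": 100, "encrypted": True,
                       "kmsKeyId": "arn:aws:kms:us-east-1:123456789012:key/00000000-0000-0000-0000-000000000000"}},
    {"resourceType": "AWS::EC2::SecurityGroup", "resourceId": "sg-0123456789abcdef0",
     "configurationItemStatus": "OK",
     "configurationItemCaptureTime": "2016-06-07T14:10:00.000Z",
     "configuration": {"groupName": "web"}},
]


def evaluate_compliance(item):
    """Verdict for one configuration item. Only EBS volumes are in scope; anything else,
    and volumes that no longer exist, are NOT_APPLICABLE."""
    if item["resourceType"] != "AWS::EC2::Volume":
        return "NOT_APPLICABLE"
    if item.get("configurationItemStatus") in ("ResourceDeleted", "ResourceDeletedNotRecorded"):
        return "NOT_APPLICABLE"
    # A missing flag is treated like False: the rule fails closed.
    return "COMPLIANT" if item["configuration"].get("encrypted") is True else "NON_COMPLIANT"


def build_evaluation(item):
    """The evaluation structure Config expects in PutEvaluations."""
    return {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": evaluate_compliance(item),
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }


def lambda_handler(event, context):
    """Entry point Config invokes for a change-triggered custom rule. event["invokingEvent"]
    is a JSON string; for a normal change it carries the full configuration item. The
    deployed function would finish with
    boto3.client("config").put_evaluations(Evaluations=[...], ResultToken=event["resultToken"]);
    this version returns that payload instead so the logic runs offline."""
    invoking = json.loads(event["invokingEvent"])
    if invoking.get("messageType") == "OversizedConfigurationItemChangeNotification":
        # Large items arrive as a summary only; a real rule must fetch the full item with
        # get_resource_config_history before evaluating. Out of scope for this example.
        raise NotImplementedError("oversized configuration item")
    evaluation = build_evaluation(invoking["configurationItem"])
    return {"ResultToken": event["resultToken"], "Evaluations": [evaluation]}


def make_event(item, token="example-token"):
    """Shape of the invocation Config sends to the Lambda function (constructed)."""
    return {
        "invokingEvent": json.dumps({"configurationItem": item,
                                     "messageType": "ConfigurationItemChangeNotification"}),
        "ruleParameters": "{}",
        "resultToken": token,
        "eventLeftScope": False,
    }


def run_samples():
    """Evaluate every constructed item and return the evaluations in order."""
    return [lambda_handler(make_event(item), None)["Evaluations"][0] for item in SAMPLE_ITEMS]


if __name__ == "__main__":
    for evaluation in run_samples():
        print(evaluation["ComplianceResourceId"], evaluation["ComplianceType"])
```

The first volume comes back NON_COMPLIANT, the KMS-encrypted one COMPLIANT, and the security group NOT_APPLICABLE; a rule deployed this way would need its Lambda role to be allowed config:PutEvaluations, and the rule's scope in Config can be limited to AWS::EC2::Volume so it is not invoked for other resource types at all.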
Customer Success with Splunk
• IT + Marketing = FTW
• Trending flavors
• Supply Tracking and proactive service
http://www.coca-colafreestyle.com/en/home/
Splunk Runs On & With AWS
Delivery models: Software, Apps and Integrations, As a service on AWS
• As a service on AWS: runs on AWS; 100% uptime SLA; SOC 2 Type II certified
• Apps and Integrations: Cloud services apps (Splunk App for AWS, ServiceNow, SFDC, etc.); AWS-specific integrations (Config, CloudTrail, CloudWatch, VPC Flow Logs, Lambda, AWS IoT, AWS Kinesis, AWS CloudFormation)
• Software: Splunk Analytics for EMR (Hunk); Splunk Enterprise on AWS (Splunk Core, with Enterprise Security and ITSI available); for small IT teams, starts at $90/mo and 1 GB/day
Thank you!
(and protect your account with MFA)
Links for further study
• The cyber kill chain
• Sharing logs across accounts
• Custom metrics in CloudWatch
• Custom Config Rules on GitHub
• CloudFormation templates for Splunk
• Coca-Cola wins with Splunk
Thank you
Questions?

Editor's Notes

  • #3: I have had an opportunity this year to support a few Live events. There are a few common questions that come up, and that has changed what I think we should talk about today: focusing on those answers. We are going to talk about a few services and features we offer that help operations build monitoring and alerting on the cloud and in the cloud, and close with a customer success story and questions.
  • #4: So, some of those questions that I hear frequently during Lives. Let's start with what AWS is: security, the global infrastructure and the platform.
  • #5: Security is Job Zero. It is where we start, and we build it into every facet of AWS. Last year, IDC released a report showing how AWS can be MORE secure than your existing environment. How? Automated logging and monitoring: with tools like the AWS Config service, CloudTrail logging and other services, logging and monitoring is an inherent capability of the AWS platform, and these tools eliminate much of the manual effort. More encryption: while it seems obvious that public cloud environments need encryption, many organizations have ignored the need inside their existing environments, which have often become large and complex themselves. The cloud makes introducing encryption much easier. Stronger authentication: enterprises still frequently limit their multifactor authentication capabilities to the edge (remote VPNs accessing enterprise datacenters). The move to the cloud highlights the "anytime, anywhere" use of sensitive applications and reinforces the need for strong authentication everywhere.
  • #6: At AWS we have a shared security model, where we are responsible for some aspects of security, whereas you get to choose the other security measures you put in place. As AWS, we are responsible for the security of the underlying infrastructure. That of course includes physical security across our regions, our data centers, our availability zones and our edge locations. We are also responsible for the security of the foundation services that underpin the AWS environment. This includes the infrastructure that supports our compute, storage, database and networking services. As a customer, then, you have a choice of what security controls you deploy to protect your virtual networks, servers and data, and what access control policies you wish to put in place. For highly sensitive content and applications you may want to put very stringent controls in place. For less sensitive applications, you may want to dial security back. You get to choose.
  • #7: We are certified and accredited by a wide range of regulators and industry bodies. Here is a list of key bodies that have either certified us, or for which we have a workbook of guidance showing you how to validate an AWS environment against their standards.
    Top row (left to right): ISO 27001 Information Security Management; ISO 9001 Quality Management Systems Requirements; American Institute of Certified Public Accountants (SOC 1, SOC 2, SOC 3 reports); Payment Card Industry Data Security Standard (PCI DSS); Federal Information Security Management Act (FISMA); Cloud Security Alliance.
    Middle row: TÜV Trust IT, independent certification body for the German Federal Office for Information Security (BSI) IT baseline protection methodology (IT-Grundschutz); UK G-Cloud Digital Marketplace; HIPAA (Health Insurance Portability and Accountability Act); Federal Information Processing Standard (FIPS) 140-2; Americans with Disabilities Act / Section 508; Motion Picture Association of America (MPAA).
    Bottom row: US International Traffic in Arms Regulations (ITAR); Department of Defense Cloud Security Model; Criminal Justice Information Services (CJIS) Security Policy; Federal Risk and Authorization Management Program (FedRAMP); Australian Information Security Registered Assessors Program (IRAP); Family Educational Rights and Privacy Act (FERPA, US Department of Education).
    <FOR MORE IN-DEPTH QUESTIONS REFER THE CUSTOMER TO http://aws.amazon.com/compliance FOR MORE DETAILS>
  • #8: So, I wanted to get started by taking a look at how the AWS business is progressing. We now have over 1 million active customers, that is, non-Amazon customers with AWS account usage activity in the past month. TALKING POINTS: We define an "active customer" as a non-Amazon customer who has account usage activity within the past month. To support global business, we maintain 12 regions across the US, South America, Europe (Ireland and Germany), Japan, China, Singapore, and Australia. We count hundreds of thousands of customers across 190 countries. This includes over 800 government agencies and over 3,000 educational institutions. Scale and capacity matter: every day, we add enough new server capacity to support Amazon.com when it was a $7B global enterprise.
  • #10: Starting from security built on the global infrastructure AWS offers a broad and deep platform of services and features.
  • #11: When I was putting this presentation together, I was thinking about putting an icon up for each service and the metrics we have for those; I realized it was just easier to take a screenshot. Some to call out: S3 metrics; VPC Flow Logs through CloudWatch Logs; Lambda; API Gateway; CloudTrail API logs.
  • #16: Here's an example of the log format, in all of its glorious JSON, and as you can see it's pretty dense. And that's an important point: due to the volume, format and density of the logs, they aren't really designed to be human readable (at least in any meaningful way). Here we can see that user Alice, who is an IAM user (you could also see if they were a federated user, for example from Active Directory). Unfortunately, she isn't MFA authenticated, but she probably should be. We can see she turned on CloudTrail, which is a fun fact about CloudTrail: it logs itself too. There's a ton of other services that will surface data into CloudTrail.
  • #17: As I said, these logs can get pretty dense and they weren't designed to be human readable. The system is designed to feed into an analysis engine like Amazon EMR or Splunk. You'll also need to set up or integrate with a notification system, because
  • #18: First of all, turn it on. Fun fact: CloudTrail logs CloudTrail itself being turned on. One of the very first things you should do is enable it. CloudTrail provides a history of AWS API calls for an account, and facilitates security analysis, resource change tracking, and compliance auditing of an AWS environment. CloudTrail is an essential service for understanding AWS use, and should be enabled in every region for all AWS accounts. CloudTrail delivers log files to a designated Amazon Simple Storage Service (Amazon S3) bucket approximately every five minutes, and can be configured to trigger an Amazon Simple Notification Service (Amazon SNS) message when new log files are delivered, or to send events directly to Amazon CloudWatch Logs for immediate processing. But you can't get any of that goodness unless it is enabled. While you're at it, make sure you're getting everything in one bucket, from all of your regions (except GovCloud, which is a different story), unless the customer has specific requirements to separate them. Centralizing makes it much easier to manage logs, secure them and understand if things are missing. CloudTrail also gives you log file validation, the ability to make sure your logs haven't been tampered with or changed after delivery: CloudTrail writes digest files containing the SHA-256 hash of each delivered log file, and signs the digests, so modification or deletion after delivery is detectable. You should also put a restrictive policy on the S3 bucket, including MFA Delete.
  • #20: Amazon CloudWatch is a monitoring service for AWS cloud resources and the applications you run on AWS. You can use Amazon CloudWatch to collect and track metrics, collect and monitor log files, set alarms, and automatically react to changes in your AWS resources. Amazon CloudWatch can monitor AWS resources such as Amazon EC2 instances, Amazon DynamoDB tables, and Amazon RDS DB instances, as well as custom metrics generated by your applications and services, and any log files your applications generate. 
  • #21: For most people, monitoring data may be about graphs, searching logs, and alarming.
  • #23: AWS Config is a fully managed service that provides you with an AWS resource inventory, configuration history, and configuration change notifications to enable security and governance. With AWS Config you can discover existing AWS resources, export a complete inventory of your AWS resources with all configuration details, and determine how a resource was configured at any point in time. These capabilities enable compliance auditing, security analysis, resource change tracking, and troubleshooting. With AWS Config, you can do the following: evaluate your AWS resource configurations for desired settings; get a snapshot of the current configurations of the supported resources that are associated with your AWS account; retrieve configurations of one or more resources that exist in your account; retrieve historical configurations of one or more resources; receive a notification whenever a resource is created, modified, or deleted; and view relationships between resources (for example, you might want to find all resources that use a particular security group).
  • #24: At AWS we have a shared security model, where we are responsible for some aspects of security, whereas you get to choose other security measures you put in place. As AWS, we are responsible for the security of the underlying infrastructure. That of course includes physical security across our regions, our data centers, our availability zones, our edge locations. We are also responsible for the security of the foundation services that underpin the AWS environment. This includes the infrastructure that supports our compute, storage, database and networking services. As a customer, then, you have a choice of what security controls you deploy to protect your virtual networks, servers and data, and what access control policies you wish to put in place. For highly sensitive content and applications you may want to put very stringent controls in place. For less sensitive applications, you may want to dial security back – you get to choose.
  • #26: A Config Rule represents desired configurations for a resource and is evaluated against configuration changes on the relevant resources, as recorded by AWS Config. The results of evaluating a rule against the configuration of a resource are available on a dashboard. Using Config Rules, you can assess your overall compliance and risk status from a configuration perspective, view compliance trends over time and pinpoint which configuration change caused a resource to drift out of compliance with a rule.
  • #27: Then: Coca-Cola achieved an 80% reduction in IT tickets and achieved a 40% reduction in operational costs compared to its previous ticketing solution by using AWS and the Splunk Cloud. Now: The company also analyzes data around trending flavor mixes from its popular Freestyle machines and correlates that information with geographical and other data to implement targeted marketing, improve service and more efficiently stock vending machines.
  • #28: ~2:00 minutes. Enumerate AWS-specific offerings and solutions. Briefly describe each one: Splunk Cloud – SaaS application built on AWS, 100% uptime SLA and it’s SOC 2 certified. Splunk paid AMI coming in July; currently you can get a BYOL AMI in Marketplace. Splunk Light – starts at $90/month for 1 GB per day. Hunk – currently OEMed. Enterprise Security – this is positioned as a “premium service”. ITSI: Splunk App for AWS:
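As an added example (not code from the deck, AWS or Splunk), this Python script walks a constructed CloudTrail log file of the kind described in note #16 and flags the two things the notes call out: an IAM user acting without MFA, and CloudTrail recording changes to its own trails. The records, account id, user names and IP addresses are constructed, and the list of trail-tampering event names is my own choice, not a CloudTrail feature.

```python
import json
# Constructed CloudTrail log file, not a real capture. CloudTrail delivers
# {"Records": [...]} with one JSON object per API call, as shown in note #16.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2016-06-07T14:02:11Z", "awsRegion": "us-east-1",
     "eventSource": "cloudtrail.amazonaws.com", "eventName": "StartLogging",
     "sourceIPAddress": "198.51.100.7", "requestParameters": {"name": "trail-1"},
     "userIdentity": {"type": "IAMUser", "userName": "Alice",
                      "arn": "arn:aws:iam::123456789012:user/Alice",
                      "sessionContext": {"attributes": {"mfaAuthenticated": "false"}}}},
    {"eventTime": "2016-06-07T14:05:40Z", "awsRegion": "us-east-1",
     "eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
     "sourceIPAddress": "198.51.100.7", "requestParameters": {"name": "trail-1"},
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/Admin/bob",
                      "sessionContext": {"attributes": {"mfaAuthenticated": "true"}}}},
    {"eventTime": "2016-06-07T14:09:03Z", "awsRegion": "us-west-2",
     "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "sourceIPAddress": "203.0.113.9",
     "userIdentity": {"type": "IAMUser", "userName": "carol",
                      "arn": "arn:aws:iam::123456789012:user/carol"}},
]})

# CloudTrail management calls that reduce or remove audit coverage (my own list).
TRAIL_TAMPER_EVENTS = {"StopLogging", "DeleteTrail", "UpdateTrail"}

def principal(rec):
    """Human-readable actor: the IAM user name, else the ARN of the session."""
    ident = rec.get("userIdentity", {})
    return ident.get("userName") or ident.get("arn", "unknown")

def mfa_used(rec):
    """True only when the session reports mfaAuthenticated == "true"; a missing
    sessionContext (e.g. long-term access keys) is treated as no MFA."""
    attrs = rec.get("userIdentity", {}).get("sessionContext", {}).get("attributes", {})
    return attrs.get("mfaAuthenticated") == "true"

def triage(log_text):
    """Return (eventName, actor, reason) findings for one delivered log file."""
    findings = []
    for rec in json.loads(log_text)["Records"]:
        who = principal(rec)
        # CloudTrail logs calls to itself, so changes to the trail show up here.
        if rec["eventSource"] == "cloudtrail.amazonaws.com" and rec["eventName"] in TRAIL_TAMPER_EVENTS:
            findings.append((rec["eventName"], who, "trail logging changed"))
        # IAM users should be acting under MFA; Alice in note #16 is not.
        if rec["userIdentity"].get("type") == "IAMUser" and not mfa_used(rec):
            findings.append((rec["eventName"], who, "IAM user without MFA"))
    return findings
```

Feeding each delivered log file through `triage` is the shape of check an SNS-triggered consumer or a Splunk search would run; the sample produces three findings, one per record.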
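Added example, not code from the presentation: the log file validation described in note #18, performed offline against constructed fixtures. The digest structure (a `logFiles` list whose entries carry `s3Object`, `hashValue` and `hashAlgorithm`) follows CloudTrail's digest format, but the bucket, key and contents are made up; real validation also verifies the RSA signature CloudTrail attaches to each digest file, which this check does not cover.

```python
import gzip
import hashlib
import json

# Constructed fixtures, not real CloudTrail output. Log files are delivered gzipped;
# a digest file lists each log file delivered in its window with a SHA-256 hex hash
# ("logFiles": [{"s3Object", "hashValue", "hashAlgorithm"}]). Values here are made up.
GOOD_LOG = gzip.compress(json.dumps({"Records": [
    {"eventSource": "cloudtrail.amazonaws.com", "eventName": "StartLogging",
     "userIdentity": {"type": "IAMUser", "userName": "Alice"}}]}).encode())
KEY = "AWSLogs/123456789012/CloudTrail/us-east-1/2016/06/07/example_CloudTrail.json.gz"

def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()

def build_digest(objects):
    """Digest-shaped document for {s3Object: bytes}; stands in for the digest
    CloudTrail would have delivered so the check below has something to verify."""
    return {"digestS3Bucket": "central-trail-bucket", "logFiles": [
        {"s3Object": key, "hashValue": sha256_hex(data), "hashAlgorithm": "SHA-256"}
        for key, data in objects.items()]}

def validate(digest, fetch):
    """Compare each log file named in the digest with its current bytes.
    fetch(key) returns the object's bytes, or None if it no longer exists.
    Returns {s3Object: "ok" | "modified" | "missing" | "unsupported"}."""
    results = {}
    for entry in digest["logFiles"]:
        key = entry["s3Object"]
        if entry.get("hashAlgorithm") != "SHA-256":
            results[key] = "unsupported"
            continue
        data = fetch(key)
        if data is None:
            results[key] = "missing"      # deleted after delivery
        elif sha256_hex(data) == entry["hashValue"]:
            results[key] = "ok"
        else:
            results[key] = "modified"     # bytes no longer match the digest
    return results

def demo():
    """Run the check against an intact, a tampered and a deleted copy of the log."""
    digest = build_digest({KEY: GOOD_LOG})
    tampered = gzip.compress(b'{"Records": []}')   # same key, events stripped out
    return (validate(digest, {KEY: GOOD_LOG}.get)[KEY],
            validate(digest, {KEY: tampered}.get)[KEY],
            validate(digest, {}.get)[KEY])
```

A "missing" or "modified" result is exactly the gap a restrictive bucket policy with MFA Delete is meant to prevent, and it is what centralizing logs in one bucket makes easy to notice.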
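Added example, not the deck's or AWS's own code: a custom Config Rule evaluator in the shape notes #23 and #26 describe, applying the CloudTrail hardening advice from note #18 (multi-region trail, log file validation, one central bucket) to a constructed configuration item. The Lambda event layout (`invokingEvent`, `ruleParameters`, `resultToken`) is AWS Config's; the trail attribute names inside `configuration` and the `expectedBucket` rule parameter are assumptions I made for the example.

```python
import json

# Constructed Lambda event in the shape AWS Config sends a custom rule: invokingEvent
# is a JSON string holding the configurationItem. The trail attribute names below
# (isMultiRegionTrail, logFileValidationEnabled, s3BucketName) are assumed to mirror
# DescribeTrails output and are an assumption, as is the expectedBucket parameter.
SAMPLE_EVENT = {
    "invokingEvent": json.dumps({
        "messageType": "ConfigurationItemChangeNotification",
        "configurationItem": {
            "resourceType": "AWS::CloudTrail::Trail",
            "resourceId": "arn:aws:cloudtrail:us-east-1:123456789012:trail/trail-1",
            "configurationItemCaptureTime": "2016-06-07T14:02:12.000Z",
            "configuration": {"name": "trail-1", "isMultiRegionTrail": False,
                              "logFileValidationEnabled": True,
                              "s3BucketName": "central-trail-bucket"}}}),
    "ruleParameters": json.dumps({"expectedBucket": "central-trail-bucket"}),
    "resultToken": "constructed-token",
}

def evaluate_trail(config, params):
    """Apply the hardening advice from note #18 to one trail's configuration.
    Returns (COMPLIANT | NON_COMPLIANT, annotation)."""
    problems = []
    if not config.get("isMultiRegionTrail"):
        problems.append("not multi-region")
    if not config.get("logFileValidationEnabled"):
        problems.append("log file validation off")
    expected = params.get("expectedBucket")
    if expected and config.get("s3BucketName") != expected:
        problems.append("logs not in central bucket %s" % expected)
    if problems:
        return "NON_COMPLIANT", "; ".join(problems)
    return "COMPLIANT", "trail is multi-region, validated and centralized"

def lambda_handler(event, context=None):
    """Entry point a Config custom rule would invoke. Returns the evaluation that
    would be sent with config.put_evaluations(Evaluations=[...], ResultToken=...)."""
    invoking = json.loads(event["invokingEvent"])
    item = invoking["configurationItem"]
    params = json.loads(event.get("ruleParameters") or "{}")
    compliance, note = evaluate_trail(item.get("configuration", {}), params)
    return {"ComplianceResourceType": item["resourceType"],
            "ComplianceResourceId": item["resourceId"],
            "ComplianceType": compliance,
            "Annotation": note[:256],   # Config caps annotations at 256 characters
            "OrderingTimestamp": item["configurationItemCaptureTime"]}
```

The returned dict is what the rule would report back to Config; the dashboard in note #26 then shows the trail drifting out of compliance the moment someone turns multi-region off.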