General

• The AWS Pop-up Loft | London was hosted at the Brew Eagle House 163 City Rd, London EC1V 1NR
• Here, the venue consisted of 2 rooms located behind a shared café; one for hot-desking and the other for the training sessions
• The hot-desking room contained around 40 desks and booths with power and free refreshments
• The training room had formal seating for around 100 people plus sofas on the side for a dozen or so, again with free refreshments
• The event provided free Wi-Fi which represented typical ADSL performance so adequate at best
• The dress code was casual given the developer-heavy attendance.

Sessions

IAM Best Practices | Presenter: Matt Maddox (Manager Solutions Architect @ Amazon)

• Top 11 best practices for IAM
  • Create individual users
  • Grant least privilege
  • Manage with groups
  • Restrict privilege further with conditions
  • Enable CloudTrail to get logs for API calls
  • Configure a strong password policy
  • Rotate security credentials
  • Use roles to share access (delegation)
  • Use roles for EC2 instances
  • Reduce use of root account.
• Use Cases
  • Inline policies are best for 1-2-1 relationships with a given resource, whereas managed policies are best for reusable policies and where versioning and roll-back are of value
  • Use groups for logically managing IAM users, and managed policies for assigning common policies to users, roles, groups, and users.

Security Incident Response and Forensics on AWS | Presenter: Dave Walker (Specialist Solutions Architect @ Amazon)

• Be prepared!
• Be contactable by AWS; verify contact detail on accounts – ideally routing to several people/a team
• Produce an incident response run book
• Ensure team contact details are visible and correct
• Train the team
• CloudFormation everything!
• Backup all IP; CloudFormation templates, AMIs, DB backups, etc. Ideally, store these in another AWS account
• Log everything. For anything not exposing logging, i.e., new services, etc. consider fronting it using API Gateway to obtain logging information
• Enable AWS Detailed billing
• Use Center for Internet Security (CIS) Security Benchmark as a standard for OS security. Includes commands to self-certify.
• Consider SIRS (Security Incident Response Simulations) – essentially game day’s where AWS work with you to inject simulated attacks into AWS service to help you assess your response.
• Consider alerting on blocked traffic in VPC Flow Logs as a low-cost IDS service
  If in doubt raise early! AWS are the best people to assist in any security incident and would sooner be involved from the beginning so raise a ticket and make it known it is in response to a security incident (they will likely call you in with 34 seconds!!).
• Review CIS AWS Foundations.

Finding the signal in the noise: effective SecOps with Splunk Cloud

Andrew Morris (SaaS Product Manger @ Splunk)

• Splunk makes machine data accessible and usable to everyone
• Any data, any source, any question
• Splunk is the glue around all data!
• Splunk’s largest customer is processing 1.7 PB of data daily
• Gatwick uses Splunk; to manage the entire airport, from baggage handling to traffic control, logistics, etc.
• There are over 1,000 apps available for the Splunk platform (most are free) – think of these applications as domain intelligence for a given data source
• Splunk offers data visualisation, data analytics, machine learning, as well as correlation of alerts
• Baseline the norm and alert on deviation from this
• Splunk Live in on 11th May (customer share experience/case studies also a training day)

Presenter: Ross McKerchar (Global IT Security Manager @ Sophos)

• Case study
  • Brutal prioritisation; accept that you have limited capacity and focus on what is really important (may just focus on the critical assets only, etc.) – use CIS Critical Security Controls to assist this.
  • Focus on the achievable; the key here is only focusing on what is preventable (e.g., an SQL injection attack can be too quick to stop whereas a phishing attack may take weeks to unfold so may be more preventable)
  • Use a 4 step approach to building the solution (1. Log gathering, 2. Threat detection, 3. Governance (Config Management), 4. Security automation)
  • Mini cats can be used to compromise Kerberos (therefore in their experienced pen testers are hot on Active Directory – lock down admin accounts!!)
  • Security automation is the goal(i.e., blacklisting IPs on the fly, multiple attacks add to watch list and investigate IPs, etc.) as security resources are expensive and rare!
  • Not able to discuss their use of Splunk for monitoring AWS due to some random reason regarding their special sauce (IP)??!
  • Consume Windows security logs, including new device/application installation events – these can make a big impact
  • It is important to hook into a CMDB and make groupings of critical servers
  • Most useful for governance (writing reports from dashboards) than threat detection or automation for Sophos
  • Correlation needs tuning – you are never finished
  • Net effect of Splunk means fewer security engineers and more business analyst
• Demo
  • Platform with search engine built on top
    Incredible power; new search across all logs based on time frame and search words like err* or ip=x.x.x.x
  • Normalisation of data, e.g., users are the same regardless of the data source (AD, Linux, HR database, etc.)
  • Many maths functions for building complex search results
  • Build baseboard from above queries
  • AWS
    • Resource count dashboard
    • CloudTrail/config
    • Volumes in use/capacity
    • IAM & VPC errors
    • Topology maps across multiple accounts
    • Easy to setup ten mins.

Media

Slide decks from the day:

• Introduction to Docker on AWS
• Finding the Signal in the Noise Effective SecOps with Splunk Cloud
• Changing the mental model for CICD when building cloud-native – containerized applications
• IAM Best Practices slides
• Wrapp Transitioning to ECS slides
• Deep Dive AWS CloudHSM slides
• Security Incident Response and Forensics on AWS

Summary

The day was interesting, and it was fun to hot-desk somewhere new, I picked up new knowledge and actionable improvements for the business. However, I was hoping for a more intimate and interactive day with more AWS and innovation buzz. Also, with travel, it was a long and intense day!!

This year’s event, like last year, took place at the ExCeL in London

Welcome

• Gavin Jackson, Managing Director of AWS for UK and Ireland, welcomed the audience.
• He mentioned that the day was the largest AWS summit in Europe to date.
• He reassured his customers that Amazon was committed to a post-Brexit economy with the continuation of it an investment in a UK region, which should be online late 2016/early 2017. The message was very; much keep calm and carry on!

Keynote

• Werner Vogels, CTO of Amazon.com presented the Keynote.
• The message was clearly on AWS success and growth, with a reflection over the last decade.
• In the last ten years they have achieved the following:
  • $10B run rate
  • 64% YoY growth
  • 1M+ active customers
• AWS released over 700 updates last year and had already released over 400 to May this year so are due to surpass last year’s rate!
• Werner highlighted the five pillars of design, development, and operations:
  • Security
  • Reliability
  • Scalability
  • Predictable performance
  • Cost control
• Tom Blomfield, CEO of Mondo highlighted the opportunities available now the Financial Conduct Authority (FCA) have permitted the use cloud services for financial services organisations.

Big Data Architectural Patterns and Best Practices on AWS

• Data sympathy; the point was made that the right tool should be sourced from the data.
• It is best practice to decouple, storage and compute for scalability and cost efficiency.

Getting Started with AWS Lambda and the Serverless Cloud

• Dean Bryen, Solutions Architect at AWS, provided an introduction into the Lambda and API gateway services
• He shared his serverless compute manifesto:
  • Functions are the unit of deployment and scaling
  • No machines, VMs, or containers visible in the programming model
  • Permanent storage lives elsewhere
  • Scales per request. Users cannot over- or under- provision capacity
  • Never pay for idle (no cold servers/containers can run anywhere)
  • BYOB (Bring Your Own Code)
  • Metrics and logging are a universal right.
• Common use-cases for Lambda include the following:
  • Data processing (including image and video transcoding)
  • Log analysis
  • Data enrichment
  • Abstracting business logic from the front-end (web or mobile)
• Should manage state in JavaScript on the front-end under as no cookies are available to use.
• It was confirmed that Linux containers are used under the hood to provide the service.
• VPC integration is a recently released feature, enabling a Lambda function to seamlessly interact with AWS resources hosted in a VPC, for example, EC2, RDS, etc.
  VPC integration supports S3 endpoints and VPC peering. However, will not have access to the Internet unless you have an existing NAT instance or NAT gateway.
• The following Lambda VPC best practices were identified:
  • VPC is optional – don’t turn it on unless you need it. Otherwise, the function will be launched into an Amazon-manged VPC.
  • The ENIs used by Lambda feature count against your quota so ensure you have enough to match your peak concurrency levels and do not delete or rename these!
  • Ensure your subnets have enough IPs for those ENIs
  • Specify at least one subnet in each AZ otherwise, Lambda will obey, but cannot be fault-tolerant
• James Hall of a digital agency in the UK called Parallax then presented his experience of delivering innovative solutions using Lambda. This was the same talk he presented at the last AWS UK Meetup – see notes here.
• He advised that deployment and version control are the key to success.
  He also mentioned that he was staggered by how well his serverless solutions performed at scale; they stress tested using multiple solutions and noted that the solution actually speeds up under load, presumably as the containers are already pre-warmed.

Media

The day’s slides can be located here.