
Continuous Visibility into Ephemeral Cloud Environments

A collection of resources and tutorials for providing continuous visibility into ephemeral cloud environments.

This is the high-level outline of the different sections:

What cloud resources are needed, and how to define them in a manner that safely allows a tool to perform a security audit across a fleet of AWS accounts/GCP projects.

    • AWS Setup
      1. Resource Definition
        1. Setup Role role-security-audit in every account
        2. Setup Role role-security-assume in Hub account
        3. Setup User user-security-audit in Hub account
      2. Setup Tooling for Cross-Account Auditing
        1. Setup ~/.aws/credentials
        2. Setup ~/.aws/config
    • GCP Setup
      1. Resource Definition
      2. Setup Tooling for Cross-Account Auditing
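The AWS part of that procedure is a role chain: the keys of user-security-audit (Hub account) assume role-security-assume (Hub account), which in turn assumes role-security-audit in every audited account. The following is an added example, not code from the original series, that renders the ~/.aws/config profiles for that chain and the two IAM policy documents that make it work. Everything beyond the three role/user names in the outline is an assumption: the profile name hub-security-assume, the placement of the user's keys in the [default] profile of ~/.aws/credentials, the 12-digit account IDs passed in, and the use of the AWS-managed SecurityAudit policy as the read-only permission set.

```python
"""Render ~/.aws/config and IAM policy documents for cross-account auditing.

Added example (not the original post's code). Assumed layout:
  - user-security-audit access keys live in the [default] profile of
    ~/.aws/credentials (the source_profile below)
  - role-security-assume exists in the Hub account
  - role-security-audit exists in every audited account and trusts only
    the Hub's role-security-assume
"""
import configparser
import io
import re

HUB_PROFILE = "hub-security-assume"     # assumed profile name for the Hub role
ASSUME_ROLE = "role-security-assume"    # role name from the outline (Hub account)
AUDIT_ROLE = "role-security-audit"      # role name from the outline (every account)
SECURITY_AUDIT_POLICY = "arn:aws:iam::aws:policy/SecurityAudit"  # AWS-managed, read-only


def _check_account_id(account_id):
    """AWS account IDs are exactly 12 digits; reject anything else early."""
    if not re.fullmatch(r"\d{12}", account_id):
        raise ValueError(f"not a 12-digit AWS account id: {account_id!r}")


def build_aws_config(hub_account_id, audited_accounts,
                     source_profile="default", region="us-east-1"):
    """Return ~/.aws/config text: one Hub profile plus one profile per audited account.

    audited_accounts maps profile name -> 12-digit account id.
    Credentials flow: source_profile (user keys) -> HUB_PROFILE (role-security-assume)
    -> [profile <name>] (role-security-audit in that account).
    """
    _check_account_id(hub_account_id)
    cfg = configparser.RawConfigParser()
    cfg.optionxform = str  # keep key case exactly as written
    cfg[f"profile {HUB_PROFILE}"] = {
        "role_arn": f"arn:aws:iam::{hub_account_id}:role/{ASSUME_ROLE}",
        "source_profile": source_profile,
        "region": region,
    }
    for name, account_id in audited_accounts.items():
        _check_account_id(account_id)
        if name in (HUB_PROFILE, source_profile):
            raise ValueError(f"profile name {name!r} collides with the chain itself")
        cfg[f"profile {name}"] = {
            "role_arn": f"arn:aws:iam::{account_id}:role/{AUDIT_ROLE}",
            "source_profile": HUB_PROFILE,  # chained: credentials come from the Hub role
            "region": region,
        }
    buf = io.StringIO()
    cfg.write(buf)
    return buf.getvalue()


def audit_role_trust_policy(hub_account_id):
    """Trust policy for role-security-audit in an audited account.

    Only the Hub's role-security-assume may assume it; a bare account-root
    principal would let any Hub identity with sts:AssumeRole in.
    """
    _check_account_id(hub_account_id)
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{hub_account_id}:role/{ASSUME_ROLE}"},
            "Action": "sts:AssumeRole",
        }],
    }


def assume_role_permissions_policy():
    """Permissions policy attached to role-security-assume in the Hub account.

    Scoped to the audit role name in any account, not to sts:AssumeRole on "*".
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": f"arn:aws:iam::*:role/{AUDIT_ROLE}",
        }],
    }


if __name__ == "__main__":
    # Constructed account IDs, not real ones.
    print(build_aws_config("111111111111",
                           {"prod": "222222222222", "dev": "333333333333"}))
```

With that file in place, `aws --profile prod sts get-caller-identity` should report the role-security-audit ARN in account 222222222222, and tools that take a profile name can be looped over every audited account. Two caveats worth knowing: the AWS CLI handles chained profiles, but a session obtained through role chaining is capped at one hour regardless of the role's configured maximum, and role-security-audit should carry only read-only permissions (the SecurityAudit managed policy, here assumed) so that a compromise of the Hub user cannot modify the fleet.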

How to leverage Cartography to detect, identify, categorize, and visualize all the assets being deployed in your estate.

    • The Challenges Posed by Ephemeral Environments
    • Enter Cartography
      1. Cartography's Value Proposition
    • Real World Setup
      1. Multi-Cloud Auditing
        1. Access Configuration: AWS IAM
        2. Access Configuration: GCP IAM
      2. Deployment on Kubernetes
        1. Neo4j Deployment
        2. Cartography Deployment
    • Data Consumption
      1. The Basics: Neo4j Browser
      2. The Automation: Programmatic Analysis
        1. Custom Query Format
        2. Creation of New Queries
        3. Query Manager
      3. Repeatability: Jupyter Notebooks
        1. Code Structure
        2. Run Notebooks
        3. Upgrade to Dashboards

How to leverage Cartography and Elasticsearch to continuously monitor all cloud assets in your estate and alert on any instance of drift.

    • Multi-Cloud Auditing with Cartography
    • Elasticsearch Integration
      1. High Level Setup
      2. Deployment on Kubernetes
        1. Ingestor Deployment
        2. Elasticsearch Deployment
      3. Data Consumption: Kibana
    • Drift Detection
      1. Drift Detection with Elasticsearch
      2. Elastalert Alerts (Slack and Jira)
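Drift, in the sense used above, is the difference between two consecutive inventories of the same estate: assets that appeared, assets that disappeared, and assets whose security-relevant attributes changed. The following is an added example, not the series' own code, that performs that comparison in memory on two constructed snapshots shaped like per-node exports; the post does it with Elasticsearch queries over indexed runs, and the attribute names (public_ip, open_to_world, state) and the severity rule are assumptions chosen for illustration.

```python
"""Drift detection between two consecutive asset snapshots.

Added example (not the original post's code). Snapshots are constructed
here as lists of dicts keyed by a stable resource id; in the real pipeline
each Cartography run would be indexed in Elasticsearch and the same
set-difference logic expressed as queries over run timestamps.
Attribute names below are assumed, not Cartography's schema.
"""

TRACKED_FIELDS = ("public_ip", "open_to_world", "state")  # assumed attribute names

# Constructed sample data: run N-1.
PREVIOUS = [
    {"id": "i-0aaa", "type": "EC2Instance", "account": "111111111111",
     "public_ip": None, "open_to_world": False, "state": "running"},
    {"id": "i-0bbb", "type": "EC2Instance", "account": "111111111111",
     "public_ip": None, "open_to_world": False, "state": "running"},
    {"id": "sg-0ccc", "type": "EC2SecurityGroup", "account": "222222222222",
     "public_ip": None, "open_to_world": False, "state": None},
]

# Constructed sample data: run N. i-0bbb is gone, sg-0ccc now allows 0.0.0.0/0,
# and i-0ddd is a new instance with a public address.
CURRENT = [
    {"id": "i-0aaa", "type": "EC2Instance", "account": "111111111111",
     "public_ip": None, "open_to_world": False, "state": "running"},
    {"id": "sg-0ccc", "type": "EC2SecurityGroup", "account": "222222222222",
     "public_ip": None, "open_to_world": True, "state": None},
    {"id": "i-0ddd", "type": "EC2Instance", "account": "222222222222",
     "public_ip": "198.51.100.7", "open_to_world": False, "state": "running"},
]


def index_by_id(snapshot):
    """Map resource id -> asset; a duplicate id means the export is broken."""
    indexed = {}
    for asset in snapshot:
        if asset["id"] in indexed:
            raise ValueError(f"duplicate resource id in snapshot: {asset['id']}")
        indexed[asset["id"]] = asset
    return indexed


def detect_drift(previous, current, fields=TRACKED_FIELDS):
    """Return drift events (added / removed / changed) between two snapshots.

    Only attributes listed in `fields` are compared for existing assets, so
    noisy fields (last-seen timestamps, counters) do not generate alerts.
    """
    prev, cur = index_by_id(previous), index_by_id(current)
    events = []
    for rid in sorted(cur.keys() - prev.keys()):
        events.append({"kind": "added", "id": rid, "type": cur[rid]["type"],
                       "account": cur[rid]["account"], "asset": cur[rid]})
    for rid in sorted(prev.keys() - cur.keys()):
        events.append({"kind": "removed", "id": rid, "type": prev[rid]["type"],
                       "account": prev[rid]["account"], "asset": prev[rid]})
    for rid in sorted(prev.keys() & cur.keys()):
        changes = {f: (prev[rid].get(f), cur[rid].get(f))
                   for f in fields if prev[rid].get(f) != cur[rid].get(f)}
        if changes:
            events.append({"kind": "changed", "id": rid, "type": cur[rid]["type"],
                           "account": cur[rid]["account"], "changes": changes})
    return events


def severity(event):
    """Assumed triage rule: new internet exposure pages someone, the rest is a ticket."""
    if event["kind"] == "changed" and event["changes"].get("open_to_world") == (False, True):
        return "high"
    if event["kind"] == "added" and event["asset"].get("public_ip"):
        return "high"
    return "low"


if __name__ == "__main__":
    for ev in detect_drift(PREVIOUS, CURRENT):
        print(severity(ev), ev["kind"], ev["type"], ev["id"], ev.get("changes", ""))
```

The Elasticsearch equivalent of `cur.keys() - prev.keys()` is a query for ids present in the latest run but absent from the one before it, which is the shape an ElastAlert rule can watch; the point of restricting the comparison to a list of tracked fields is the same in both places, otherwise every refreshed timestamp becomes a false drift alert.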

How to set up Domain-Wide Delegation of Authority in GSuite.

    • The Need for Domain-Wide Delegation of Authority
    • Process
      1. 1️⃣️ Create an Account in GSuite
      2. 2️⃣️ Create a Service Account in GCP

How to design a state of the art multi-account security logging platform in AWS.

    • Problem Statement
    • Which Services Can We Leverage?
      1. CloudTrail
      2. CloudWatch
      3. GuardDuty
      4. Config
      5. Access Logs
    • State of the Art Security Logging Platform in AWS
      1. Collection
      2. Delivery
      3. Long-Term Storage and Audit Trail
      4. Monitoring and Alerting