Continuous Visibility into Ephemeral Cloud Environments
This is the high-level outline of the different sections:
What cloud resources are needed, and how to define them in a manner that safely allows a tool to perform a security audit across a fleet of AWS accounts/GCP projects.
- AWS Setup
  - Resource Definition
    - Setup Role role-security-audit in every account
    - Setup Role role-security-assume in Hub account
    - Setup User user-security-audit in Hub account
  - Setup Tooling for Cross-Account Auditing
    - Setup ~/.aws/credentials
    - Setup ~/.aws/config
- GCP Setup
  - Resource Definition
  - Setup Tooling for Cross-Account Auditing
How to leverage Cartography to detect, identify, categorize, and visualize all the assets being deployed in your estate.
- The Challenges Posed by Ephemeral Environments
- Enter Cartography
  - Cartography's Value Proposition
- Real World Setup
  - Multi-Cloud Auditing
    - Access Configuration: AWS IAM
    - Access Configuration: GCP IAM
  - Deployment on Kubernetes
    - Neo4j Deployment
    - Cartography Deployment
- Data Consumption
  - The Basics: Neo4j Browser
  - The Automation: Programmatic Analysis
    - Custom Query Format
    - Creation of New Queries
    - Query Manager
  - Repeatability: Jupyter Notebooks
    - Code Structure
    - Run Notebooks
    - Upgrade to Dashboards
How to leverage Cartography and Elasticsearch to continuously monitor all cloud assets in your estate and alert on any instance of drift.
- Multi-Cloud Auditing with Cartography
- Elasticsearch Integration
  - High Level Setup
  - Deployment on Kubernetes
    - Ingestor Deployment
    - Elasticsearch Deployment
  - Data Consumption: Kibana
- Drift Detection
  - Drift Detection with Elasticsearch
  - Elastalert Alerts (Slack and Jira)
How to set up Domain-Wide Delegation of Authority in GSuite.
- The Need for Domain-Wide Delegation of Authority
- Process
  - 1️⃣️ Create an Account in GSuite
  - 2️⃣️ Create a Service Account in GCP
How to design a state-of-the-art multi-account security logging platform in AWS.
- Problem Statement
- Which Services Can We Leverage?
  - CloudTrail
  - CloudWatch
  - GuardDuty
  - Config
  - Access Logs
- State of the Art Security Logging Platform in AWS
  - Collection
  - Delivery
  - Long-Term Storage and Audit Trail
  - Monitoring and Alerting
How to design a state-of-the-art multi-account security logging platform in GCP.
- Problem Statement
- Which Services Can We Leverage?
  - Cloud Logging
  - Cloud Monitoring
  - Cloud Identity
  - Security Command Center
  - Access Logs
- State of the Art Security Logging Platform in GCP
  - Collection
  - Delivery
  - Long-Term Storage and Audit Trail
  - Monitoring and Alerting
Open-sourcing an automated process to get Neo4j and Cartography up and running in a Kubernetes cluster, using HashiCorp Vault as the secrets management engine.