Demystify AWS Cloud Workload Security by Visualizing Connectivity and Security Policy

Why Do We Need Visualization?

Most of the top enterprises today provide public cloud access to their employees or IT department. Public cloud providers have done a good job of providing a frictionless way of consuming cloud resources, which leads to employees being able to create, modify, and delete resources like AWS EC2 instances on demand. From a usability perspective, this is awesome, but for security teams responsible for keeping the enterprise secure, this is a nightmare scenario since new cloud resources can be spun up from one minute to the next, unbeknownst to IT. A few of the first-order answers they want to know are how to get the high-level view of the instances currently running, what they are communicating with, and how to secure those communication paths.

How We Do It  

A few days back when my boss came and challenged me to provide that visualization, guess what happened? Yes, you guessed right; I accepted it. Let me quickly describe how I achieved that and later we will discuss in detail the complete developer workflow. For the solution to work well in the cloud, nothing less than an AWS Lambda would have sufficed.

Once I decided on the Lambda, the rest fell in place quickly. For visualization to work, we need the traffic flow data originating to or from an EC2 instance. To get that data, AWS provides VPC flow logs. After enabling the VPC flow log (Figure 1, step 1), the Lambda triggers (step 3) on new flow log (step 2) and pushes the traffic flow event to Illumio ASP via a simple API call (step 4). Once the traffic logs are ingested by ASP we get the full traffic and security policy visualization (step 5).

Figure 1: Diagram showing the workflow for integrating AWS & Illumio to achieve cloud workload flow & security policy visualization

Now that we understand the high-level workflow and integration, let's deep dive on the solution.

MANAGEMENT AND CONFIGURATION PLANE

1. AWS Cloud configuration
2. Create a Log Group from the CloudWatch console.
3. Create a Lambda function from the AWS Lambda console and Add trigger by configuring a CloudWatch log created in 1A above. The code for the Lambda function and the configuration of the function can be found at the GitHub link associated with this blog post. An example configuration is shown in 1C below.

1. Create a flow log subscription for the VPC that you desire to visualize. Select the destination as "Send to CloudWatch Logs" and enter the appropriate destination log group created in 1A above and an IAM role.
2. Illumio configuration
3. Create an Unmanaged workload for each EC2 instance that for which you'd like to visualize connectivity and security policy. For our demo, I have created two Unmanaged workloads.
4. Write a security policy that applies to these workloads.

DATA PLANE

There is nothing additional we have to do for the data plane. When the instances generate or receive the data, flow logs will be generated and logged at Amazon CloudWatch service.

CONTROL PLANE

All the magic to visualize the traffic flow between the EC2 instance happens here. When a flow log is received by the Amazon CloudWatch service, it triggers an event and the Lambda function associated with this event is executed. The lambda function parses the flow log and uses Illumio bulk_traffic_flows REST API to upload the flow logs to Illumio ASP. Since we had previously configured the Illumio Unmanaged workload for AWS EC2 instances, Illumio ASP will build and visualize the traffic flows. We should be able to view the Application dependency map for the environment from the GUI now.

Demo

15:59

Conclusion

At the start of the post, I went through the importance of understanding your cloud environment by seeing all new traffic flows. Then how you could visualize all AWS traffic flows using Illumio's application dependency map to understand the security posture of the cloud environment. We could use a simple AWS Lambda function and powerful Illumio ASP programming capabilities to achieve our goals. Let's see if we have answers to the questions we started with:

Q: How to get the high-level view of the instances currently running?
A: We were able to export traffic flows for currently running EC2 instances to Illumio ASP and visually see them using Illumio Illumination GUI.

Q: What they are communicating with?
A: The Illumination view provided us a collective picture called Application Dependency Map of all the flows between various labeled workloads giving additional context about the workloads and the flows.

Q: How to secure those communication paths?
A: Illumination also provides a powerful security policy tool to verify and test Segmentation policies for workloads.

I hope you found this blog useful and learned a few techniques used for achieving our goal that could be extended to solve many other security problems. If you are looking to understand and explore more about Illumio, please feel free to get in touch with me by subscribing to our blog post.