Amazon’s biggest customer Netflix has made the public cloud security, monitoring and analysis tool it built for itself in 2011 freely available. The tool, Security Monkey, can be downloaded from Netflix’s GitHub site.
Security Monkey has given the security teams at Netflix a better awareness of changes and security risks in its AWS environment, according to the company's cloud security team blog.
Netflix delivers its service primarily through the Amazon Web Services public cloud. It built the first version of Security Monkey four years ago because of the complexity of the Netflix IT infrastructure and the limited change tracking and evaluation capabilities of AWS.
The code for Netflix’s streaming service is deployed “thousands of times a day” and cloud configuration parameters are modified just as frequently, the Netflix security team said. The team wanted to understand how things were changing and how changes affected its security so it could understand and manage the associated risk.
It therefore created Security Monkey to track and evaluate security-related changes and configurations in its AWS environments.
The tool continuously monitors and detects potential anomalies and risky configurations in the cloud infrastructure. It is an “AWS security configuration tracker and analyser that scales for large and globally distributed cloud environments,” the team said.
There are a number of security-relevant AWS components and configuration items such as security groups, S3 bucket policies and IAM users. Changes or misconfigurations can create an unnecessary security risk, according to the security team. “It was also critical to have access to an authoritative configuration history service for forensic and investigative purposes. We also needed these capabilities at scale across the many accounts we manage and the many AWS services we use.”
The tool has three components – Watcher, Notifier and Auditor. Security Monkey also has a number of built-in rules, and users are free to add their own.
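The Watcher, Auditor and Notifier split described above, shown as an added example that is not Security Monkey's own code: a small Python script that diffs two constructed snapshots of one security group (the Watcher's job), checks the current snapshot against a sample rule flagging sensitive ports open to the whole internet (an Auditor rule), and assembles the lines an owner would be sent (the Notifier). The snapshot field names, the group identifier, the sample rules and the list of sensitive ports are assumptions for this example, not Security Monkey's storage format or its built-in rule set.

```python
"""Watcher / Auditor / Notifier pattern over AWS security-group snapshots (example)."""
import ipaddress

# Constructed sample: two snapshots of the same security group, as a Watcher might
# record them over time. Field names loosely follow the EC2 API and are an
# assumption for this example; the group id is a placeholder.
PREVIOUS_SNAPSHOT = {
    "GroupId": "sg-0123456789abcdef0",
    "GroupName": "web-tier",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": ["0.0.0.0/0"]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": ["10.0.0.0/8"]},
    ],
}

CURRENT_SNAPSHOT = {
    "GroupId": "sg-0123456789abcdef0",
    "GroupName": "web-tier",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": ["0.0.0.0/0"]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": ["0.0.0.0/0"]},
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306, "IpRanges": ["10.0.0.0/8"]},
    ],
}

# Ports whose exposure to the whole internet the sample Auditor rule flags
# (an example policy, not Security Monkey's built-in rule list).
SENSITIVE_PORTS = {22: "SSH", 3389: "RDP", 3306: "MySQL", 5432: "PostgreSQL"}


def port_range(rule):
    """Port bounds of a rule; protocol "-1" (all traffic) carries no port bounds."""
    if rule["IpProtocol"] == "-1":
        return 0, 65535
    return rule["FromPort"], rule["ToPort"]


def rule_key(rule):
    """Identity of a rule for diffing: protocol, port range and CIDRs."""
    lo, hi = port_range(rule)
    return (rule["IpProtocol"], lo, hi, tuple(sorted(rule["IpRanges"])))


def watch(previous, current):
    """Watcher: report the rules added and removed between two snapshots."""
    old = {rule_key(r) for r in previous["IpPermissions"]}
    new = {rule_key(r) for r in current["IpPermissions"]}
    return {"added": sorted(new - old), "removed": sorted(old - new)}


def is_world_open(cidr):
    """True if the CIDR admits the whole IPv4 (0.0.0.0/0) or IPv6 (::/0) internet."""
    return ipaddress.ip_network(cidr).prefixlen == 0


def audit(item):
    """Auditor: apply the sample rule to one snapshot; returns a list of findings."""
    findings = []
    for rule in item["IpPermissions"]:
        lo, hi = port_range(rule)
        for cidr in rule["IpRanges"]:
            if not is_world_open(cidr):
                continue
            for port, name in SENSITIVE_PORTS.items():
                if lo <= port <= hi:
                    findings.append(f"{item['GroupId']}: {name} (tcp/{port}) open to {cidr}")
    return findings


def notify(group_id, changes, findings):
    """Notifier: build the message lines an owner would receive."""
    lines = [f"[CHANGE] {group_id}: rule added {key}" for key in changes["added"]]
    lines += [f"[CHANGE] {group_id}: rule removed {key}" for key in changes["removed"]]
    lines += [f"[FINDING] {finding}" for finding in findings]
    return lines


def run(previous, current):
    """One Watcher -> Auditor -> Notifier cycle over a pair of snapshots."""
    changes = watch(previous, current)
    findings = audit(current)
    return notify(current["GroupId"], changes, findings)


if __name__ == "__main__":
    for line in run(PREVIOUS_SNAPSHOT, CURRENT_SNAPSHOT):
        print(line)
```

Running the script reports the SSH rule that moved from an internal range to 0.0.0.0/0 as both a change and a finding, while the new MySQL rule appears only as a change because it stays on the internal range; that is the distinction between tracking what changed and judging whether the result is risky that the article attributes to the Watcher and Auditor.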
According to Netflix, the tool is now available as open source and can be used by AWS customers to check the historical data for a given configuration item.
“We look forward to seeing how other AWS users choose to extend and adapt its capabilities,” the cloud security team said.
Netflix will continue to add features, including SSL certificate expiry monitoring, authorisation capabilities for admins, and a simpler installation method.