Note: This post comes from SendGrid’s Security Team. For more technical posts like this, check out our technical blogroll.

Transitioning to AWS is a big job. Even before security considerations, the logistics of such a move can be daunting, and the last thing anyone wants is to become the next big story about AWS infrastructure gone wrong.

Part of the beauty of the cloud is the ability to spin up or modify systems much quicker than was ever possible before. However this has opened up new security challenges that must be considered as well.

Our ability to enable the business to quickly execute on our cloud security strategy relied on us being able to stand on the shoulders of giants. For example, we have opted to run a modified version of Netflix’s Security Monkey project in order to identify resources with security issues.

There was still the question of how to go about handling these resources without incurring the need for additional security engineers. To solve this problem, last year our security team created a remediation tool we like to call Krampus. Today, we’re excited to announce that we’re open-sourcing this tool and making it available for all to use! Krampus, and relevant documentation, can now be found on SendGrid’s GitHub organization.

What does Krampus do?

Krampus helps automate AWS security by disabling or deleting resources with security issues. It’s deployed as a Lambda function, and can be run at a cadence of your choosing via CloudWatch Events. If preferred, it can also be run from an EC2 instance, or any other box with API credentials for the target AWS account.

Krampus itself is agnostic as far as determining what constitutes a problem—every environment is different and it is up to you to decide what should be remediated. Identifying issues can take place however you prefer. All Krampus ultimately needs is a task list it can understand, populated with things that need remediation.

Beyond security

Krampus supports use cases not necessarily specific to security, as well. For example, we use it to enforce our tagging standards in AWS. If an object is missing critical tags that we need for accountability and cost controls, then this item will be deleted from the account.

This behavior is also used to keep things tidy and to save engineers time. Since developers know objects without tags will be removed within a few hours, they can spin up ad-hoc systems for testing without worrying about the time needed to tear them down as Krampus will take care of it later.

By partnering with our engineering teams, we’ve also been able to achieve an impressive level of transparency and communication. Whenever Krampus takes action on an object, the relevant team is notified when, why, and on which account this action is taking place through a communication channel of their preference. This gives teams the opportunity to resolve an issue before Krampus does. Alternatively, they can leave it to Krampus at their discretion.

Krampus currently supports a variety of AWS resources, including security groups, EC2 instances, IAM objects, S3 buckets and more. SendGrid continues to develop support for more resources and welcomes all suggestions or contributions for things to support going forward.

If you have any questions, comments or problems feel free to drop us a line at security@sendgrid.com, or to open an issue up on the Krampus GitHub repository. We hope you find Krampus to be a useful part of your AWS security-at-scale strategy!



Chase Higgins
Chase is a security researcher from Denver and just completed his political science degree at the University of Denver. He enjoys hunting for software vulnerabilities (especially in browsers) and writing code in his spare time.