Note: This post comes from SendGrid’s Security Team. For more technical posts like this, check out our technical blogroll.

As described within SendGrid Security teams’ last post, we are using a tool we call Krampus to help us mitigate potential risk within our cloud infrastructure. Our aim within this post is to explain and share how we leverage that tool to make our lives easier. In our initial post on our team’s approach to cloud security, we mentioned the following:

“Our ability to enable the business to quickly execute on our cloud security strategy relied on us being able to stand on the shoulders of giants. For example, we have opted to run a modified version of Netflix’s Security Monkey project in order to identify resources with security issues.”

And one might very well ask “What kind of modifications did you make?”

The answer to that…we call the Justice Engine.

What is this Justice Engine that you speak of?

The Justice Engine is a plugin that we’ve developed for Security Monkey that acts as Judge and Jury of resources. It begins by calculating the risk any given cloud resource poses to our company. This risk is calculated based on the resource’s configuration over time. Configurations such as having a resource accessible to the whole Internet are weighed heavily by the Justice Engine and are more likely to be flagged to be removed.

Once the resources’ score has been calculated, the Justice Engine continues by formatting the results into a standard that Krampus can action, and finishes by warning the various resource owners of the planned action.

All of this allows engineers to make changes to their resources and update them to meet the configuration standards we set and avoid Krampus disabling or removing that resource from our cloud infrastructure.

What other things are you checking?

Given that our organization’s cloud footprint is only growing larger, we’ve set expectations for tagging various resources. So, we have made one such modification in auditing to ensure that expected tags for AWS resources exist and are properly filled.

Thanks to the team developing and maintaining Security Monkey, these custom audits are easy to create and deploy. So as our security-at-scale expectations evolve, we can make adjustments or add new features quickly and easily.

So you are deleting your engineers’ resources? How are they alright with that?!

Setting expectations for appropriate resource configurations were certainly required before we began actioning resources. The Information Security Team worked with our engineering and operations teams from the very beginning so that our final standards were set without ruffling feathers, and without compromising security. This system exists to enforce that communal standard, rather than imposing our security expectations.

Given our company’s concern with transparency, we designed the alerts to be flexible to the many different team’s needs. We have already built modules for aggregate emails to be sent on a regular cadence, as well as team chat communications through HipChat. Depending on the resource, the notifications will be sent to a team’s preferred communication channel, giving them the information needed to take action.

If you have any questions, comments, or recommendations, please let us know at security@sendgrid.com. We are welcoming to any open issues within the Krampus GitHub repository. We hope you can make use of these tools for mitigating abuse within your AWS instances.

P.S. Love and respect to Netflix and their efforts in developing and sharing cloud security tools. And thanks, of course, to the employees at SendGrid for their support and feedback throughout the development and deployment of this tool.



Tell Hause is a security engineer excited about providing pragmatic security solutions to everyone. After completing his degree while working for SendGrid you can find him raving, perhaps too excitedly about functional languages, opsec and motorcycles.