Netflix last week quietly open sourced another of the tools it created in-house to manage its massive AWS-based cloud. The tool, called Security Monkey, is used by Netflix to monitor and analyze the security of its AWS configurations.
According to a blog post last Monday, Netflix built the first version of Security Monkey in 2011, when it used only a few AWS accounts and delivered its video streaming service from a single AWS region. Since then, it has grown to “several dozen AWS accounts” and multiple AWS regions.
Security Monkey is a member of its Simian Army – a set of tools that keeps its cloud “safe, secure and highly available” – including Chaos Monkey, its cloud infrastructure testing tool, and Janitor Monkey, which detects and cleans up unused cloud resources.
Security Monkey includes three main components: Watcher, Notifier and Auditor. The Watcher component monitors a given AWS account and technology and detects and records changes to configurations. The Notifier component lets a user or group know when a particular item has changed. The final component, the Auditor, executes a set of rules against an AWS configuration to determine the level of risk associated with the configuration.
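To make the Watcher / Notifier / Auditor split concrete, here is an added toy example in Python (the language Security Monkey is written in). It is not Security Monkey's own code: the two security-group snapshots, the rule names, and the risk scores are all constructed for illustration. The watcher diffs two configuration snapshots, the auditor scores each item against a small rule set, and the notifier produces one message per changed item carrying its current risk score.

```python
import json

# Constructed sample snapshots of security-group ingress rules (not real accounts).
# "before" is a sane baseline; "after" opens SSH and the database port to the world.
SNAPSHOT_BEFORE = {
    "sg-web": [
        {"proto": "tcp", "from_port": 443, "to_port": 443, "cidr": "0.0.0.0/0"},
    ],
    "sg-db": [
        {"proto": "tcp", "from_port": 5432, "to_port": 5432, "cidr": "10.0.0.0/8"},
    ],
}
SNAPSHOT_AFTER = {
    "sg-web": [
        {"proto": "tcp", "from_port": 443, "to_port": 443, "cidr": "0.0.0.0/0"},
        {"proto": "tcp", "from_port": 22, "to_port": 22, "cidr": "0.0.0.0/0"},
    ],
    "sg-db": [
        {"proto": "tcp", "from_port": 5432, "to_port": 5432, "cidr": "0.0.0.0/0"},
    ],
}

ADMIN_PORTS = {22, 3389}  # SSH, RDP
WEB_PORTS = {80, 443}


def _canon(rule):
    """Canonical string form of a rule so snapshots can be diffed as sets."""
    return json.dumps(rule, sort_keys=True)


def watch(before, after):
    """Watcher: diff two snapshots; returns a list of (item, kind, rule) tuples."""
    changes = []
    for name in sorted(set(before) | set(after)):
        old = {_canon(r) for r in before.get(name, [])}
        new = {_canon(r) for r in after.get(name, [])}
        changes += [(name, "added", json.loads(r)) for r in sorted(new - old)]
        changes += [(name, "removed", json.loads(r)) for r in sorted(old - new)]
    return changes


def _world_open(rule):
    return rule["cidr"] == "0.0.0.0/0"


def _covers(rule, port):
    return rule["from_port"] <= port <= rule["to_port"]


def rule_world_open_admin(name, ingress):
    """High risk (score 10): SSH/RDP reachable from anywhere."""
    return [(10, f"{name}: admin port open to 0.0.0.0/0 ({r['from_port']}-{r['to_port']})")
            for r in ingress if _world_open(r) and any(_covers(r, p) for p in ADMIN_PORTS)]


def rule_world_open_non_web(name, ingress):
    """Medium risk (score 5): anything but a single HTTP/HTTPS port reachable from anywhere."""
    return [(5, f"{name}: non-web port open to 0.0.0.0/0 ({r['from_port']}-{r['to_port']})")
            for r in ingress
            if _world_open(r) and not (r["from_port"] == r["to_port"] and r["from_port"] in WEB_PORTS)]


RULES = [rule_world_open_admin, rule_world_open_non_web]


def audit(snapshot, rules=RULES):
    """Auditor: run every rule over every item; returns {item: {"score": int, "findings": [...]}}."""
    report = {}
    for name, ingress in snapshot.items():
        findings = [f for rule in rules for f in rule(name, ingress)]
        report[name] = {"score": sum(s for s, _ in findings),
                        "findings": [msg for _, msg in findings]}
    return report


def notify(changes, report):
    """Notifier: one message per changed item, carrying its current risk score and findings."""
    messages = []
    for name in sorted({n for n, _, _ in changes}):
        added = sum(1 for n, k, _ in changes if n == name and k == "added")
        removed = sum(1 for n, k, _ in changes if n == name and k == "removed")
        entry = report.get(name, {"score": 0, "findings": []})
        messages.append(f"[score {entry['score']}] {name}: {added} rule(s) added, {removed} removed; "
                        + ("; ".join(entry["findings"]) or "no findings"))
    return messages


if __name__ == "__main__":
    changes = watch(SNAPSHOT_BEFORE, SNAPSHOT_AFTER)
    for line in notify(changes, audit(SNAPSHOT_AFTER)):
        print(line)
```

Running the script reports two changed items: sg-db (one rule added, one removed, score 5) and sg-web (one rule added, score 15). Scoring the rules additively is a constructed choice; the point is that the auditor evaluates a full configuration independently of the diff, so an item that was already risky before the change is still reported, while the watcher is what decides who gets told.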
Netflix said that it runs Security Monkey in AWS on Ubuntu Linux, with storage provided by a PostgreSQL RDS database. It currently runs Security Monkey on a single m3.large instance.
The application is written in Python using the Flask framework.
Netflix uses its standard single sign-on provider for authentication, but the open source version uses Flask-Login and Flask-Security for user management.
While Security Monkey has been in use at Netflix since 2011, the company is planning to add new features over time, including integration with CloudTrail for change detail, as well as more refined AWS permissions for Security Monkey operations.
For AWS, Netflix has been a great customer and community member, giving back by open sourcing cloud management tools, making them available to other companies who may use AWS.