AMAZON WEB SERVICES (AWS) SERVICES
OVERVIEW & SECURITY TIPS
ENTREPRENEUR | CISO ADVISOR | CYBERFEMINIST | PEERLYST BRAND AMBASSADOR | TOP 50 CYBER INFLUENCER | @RESPONSIBLE CYBER
MAGDA LILIA CHELLY
AGENDA
• AWS SERVICES OVERVIEW
• REGIONS & AVAILABILITY ZONES
• VIRTUAL PRIVATE CLOUD (VPC)
• ELASTIC COMPUTE CLOUD (EC2)
• AWS OBJECT STORAGE: S3, AND GLACIER
• IDENTITY AND ACCESS MANAGEMENT (IAM) & SECURITY GROUPS
• CONTENT DELIVERY NETWORK (CDN)
• VERSIONING & ENCRYPTION
AWS SERVICES OVERVIEW
Amazon Web Services offers on-demand cloud computing services to individuals, companies and governments on a pay-as-you-go basis; a free tier is available for the first 12 months of a new account.
[Figure: service layers - application, platform, infrastructure]
AWS SERVICES OVERVIEW
Source: https://en.wikipedia.org/wiki/Cloud_computing#/media/File:Cloud_computing.svg
1. Infrastructure as a service (IaaS)
Servers, virtual machines, storage, networks, etc. provided by the cloud provider and billed per usage.
2. Platform as a service (PaaS)
Access to a ready-made environment for developing, testing, delivering and managing software, billed per usage.
3. Software as a service (SaaS)
Access to applications over the Internet, for example Gmail or Office 365, billed per usage.
AWS SERVICES OVERVIEW
Four questions to answer before you start:
• WHAT DO YOU NEED ?
• WHAT REGULATION IS YOUR BUSINESS SUBJECT TO ?
• WHAT IS YOUR RESPONSIBILITY ?
• WHERE DO YOU NEED THESE SERVICES ?
FIRST QUESTION - WHAT DO YOU NEED?
WHAT DO YOU NEED ?
Before starting the course and your implementation, it is very important to understand your choice: which architecture and approach you and your business actually need.
• Infrastructure as a service (IaaS)
• Platform as a service (PaaS)
• Software as a service (SaaS)
• Private cloud
• Public cloud
• Hybrid cloud
SECOND QUESTION - WHAT REGULATIONS IS YOUR BUSINESS SUBJECT TO?
WHAT REGULATIONS IS YOUR BUSINESS SUBJECT TO?
AWS provides good-practice guidance and guidelines to help businesses comply with local regulations.
In Singapore, financial institutions are heavily regulated by the Monetary Authority of Singapore (MAS). AWS publishes the "AWS User Guide to Financial Services Regulations & Guidelines in Singapore" to support the deployment and configuration of AWS services under those requirements.
You can download the guide from:
https://d0.awsstatic.com/whitepapers/compliance/Financial_Services_Regulations_Guidelines_in_Singapore.pdf
WHAT REGULATIONS IS YOUR BUSINESS SUBJECT TO?
AWS also offers AWS Artifact, an access-controlled library of compliance and security documents (audit reports, certifications and agreements).
The list is accessible from the console with an account that has the appropriate IAM permissions (an administrator account has them); you can download the relevant document and follow its instructions.
https://console.aws.amazon.com/artifact
THIRD QUESTION – WHAT IS YOUR RESPONSIBILITY ?
WHAT IS YOUR RESPONSIBILITY ?
Source: https://d0.awsstatic.com/whitepapers/compliance/Financial_Services_Regulations_Guidelines_in_Singapore.pdf
FOURTH QUESTION - WHERE DO YOU NEED THESE SERVICES?
REGIONS & AVAILABILITY ZONES
http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Concepts.RegionsAndAvailabilityZones.html
AWS services are hosted in several locations worldwide.
These locations are composed of Regions and Availability Zones.
Region = one geographical area
Availability Zone = an isolated location (one or more data centres) within a Region
Example of a regional service endpoint (EC2 in the Mumbai region):
https://ec2.ap-south-1.amazonaws.com
REGIONS & AVAILABILITY ZONES
https://aws.amazon.com/about-aws/global-infrastructure/regional-product-services
The choice of Region is an important decision for AWS implementation and deployment.
Your options might vary depending on the region considered, as not all services are available consistently across regions.
Example (at the time of this talk): Glacier is not available in Singapore.
REGIONS & AVAILABILITY ZONES
Use multiple Availability Zones (AZs) for redundancy!
AWS enforces various service limits per account and region. Many are soft limits, and you can request an increase through the console or a support case.
AWS SERVICES OVERVIEW
You are getting there! Let's recap the important basics and then check the security tips.
VIRTUAL PRIVATE CLOUD (VPC)
AMAZON VIRTUAL PRIVATE CLOUD (VPC)
Amazon Virtual Private Cloud (VPC) – What is it ?
Amazon VPC lets you provision a logically isolated section of the AWS cloud.
You can select your own IP address range, create subnets, and configure route tables and network gateways.
You can use both IPv4 and IPv6 in your VPC for secure and easy access to resources and applications.
AMAZON VIRTUAL PRIVATE CLOUD (VPC)
This is an example of a simple architecture with the different services, including a VPC.
Inside the VPC we have two subnets, a router and an Internet Gateway.
Tip: Use a load balancer to spread traffic across AZs.
Keep Internet-facing components in a public subnet (one whose route table points to an Internet Gateway) and everything else in private subnets; an Internet Gateway is the recommended way to give a VPC Internet access.
AMAZON VIRTUAL PRIVATE CLOUD (VPC)
Default VPC and custom VPC are the two forms of VPC available.
• A default VPC is created in each region when you create an AWS account.
• A custom VPC is built by you and is intended for advanced users who need control over addressing, subnets and routing.
ELASTIC COMPUTE CLOUD (EC2)
ELASTIC COMPUTE CLOUD (EC2)
Elastic Compute Cloud (EC2) – What is it ?
EC2 is a web service that provides secure, resizable compute capacity in the cloud.
The different instance types give you various CPU, memory, storage and networking capacities.
An instance type can be changed after launch if the instance has an Elastic Block Store (EBS) root volume; the instance must be stopped first.
Example:
Instance Type | vCPU | Memory (GiB) | Storage (GB) | Networking Performance | Physical Processor | Clock Speed (GHz)
t2.nano       | 1    | 0.5          | EBS only     | Low                    | Intel Xeon family  | up to 3.3
t2.micro      | 1    | 1            | EBS only     | Low to Moderate        | Intel Xeon family  | up to 3.3
ELASTIC COMPUTE CLOUD (EC2)
Amazon Elastic Block Store (Amazon EBS) – What is it ?
Amazon EBS provides block storage volumes for Amazon EC2 instances.
Data stored on an EBS volume lives independently of the instance: a volume can persist after the instance is terminated, provided its "delete on termination" flag is cleared (root volumes delete on termination by default).
EBS offers four volume types:
• Provisioned IOPS SSD (io1)
• General Purpose SSD (gp2)
• Throughput Optimized HDD (st1)
• Cold HDD (sc1)
Instance store volumes, by contrast, are ephemeral: you cannot detach one and attach it to another instance, and their data is lost when the instance stops or terminates.
ELASTIC COMPUTE CLOUD (EC2)
Elastic Compute Cloud (EC2) – Some Tips ?
The "Enable termination protection" option protects an EC2 instance from accidental termination through the console, CLI or API.
To enable termination protection for an instance at launch time
• Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.
• On the dashboard, choose Launch Instance and follow the directions in the wizard.
• On the Configure Instance Details page, select the Enable termination protection check box.
To enable termination protection for a running or stopped instance
• Select the instance, choose Actions, Instance Settings, and then choose Change Termination Protection.
• Select Yes, Enable.
Caveat: termination protection does not stop a shutdown issued from inside the guest OS when the instance's shutdown behaviour is set to "terminate", nor terminations performed by Auto Scaling or Spot interruptions.
In addition, enable backups (EBS snapshots or AMIs) and ship important data and logs to another AWS service so they survive the instance.
ELASTIC COMPUTE CLOUD (EC2)
If you need to copy an EC2 instance to another region, create an Amazon Machine Image (AMI) from it and copy the AMI to the target region.
An AMI contains all the information needed to launch an instance (root volume contents, launch permissions and block device mapping), so it can be deployed as a ready-made execution environment for applications running on EC2.
EC2-Classic is the legacy networking model from before VPC. It is not offered to newer accounts and has since been retired entirely; all new deployments use VPC.
ELASTIC COMPUTE CLOUD (EC2)
The most secure option for reaching instances in a private subnet that have no Internet connectivity is a bastion host.
Bastion hosts are hardened instances in your public subnet, typically accessed over SSH or RDP. Once remote connectivity has been established with the bastion, it acts as a jump point, allowing you to SSH or RDP onward to instances in private subnets.
Restrict the bastion with security groups and NACLs: only trusted source IPs may reach the bastion, and the private instances accept SSH/RDP only from the bastion's security group. Log bastion sessions, since every administrative connection passes through it.
ELASTIC COMPUTE CLOUD (EC2)
A placement group is a logical grouping of instances within a single Availability Zone, used for high performance computing workloads that need low-latency network performance.
Separately, accounts have a default soft limit of 20 On-Demand instances per region. You can submit the limit increase form and retry the failed launch requests once the increase is approved.
You can use curl (or the GET command from libwww-perl) to read the metadata of the instance you are on, for example:
[ec2-user ~]$ curl http://169.254.169.254/latest/meta-data
Or
[ec2-user ~]$ GET http://169.254.169.254/latest/meta-data
Security note: this address is reachable by every process on the instance, including a web application with a server-side request forgery bug, and under /latest/meta-data/iam/security-credentials/ it hands out the temporary credentials of the instance role. Treat it as sensitive; IMDSv2 (session tokens obtained with a PUT to /latest/api/token) removes the simple unauthenticated GET path.
AWS OBJECT STORAGE: S3, AND GLACIER
AWS provides various storage options – What are they ?
Let's focus on the four below:
• Amazon S3 (Simple Storage Service) Standard; minimum object size is 0 B
• S3 Standard - Infrequent Access (Standard-IA); minimum billable object size is 128 KB
• Amazon S3 Reduced Redundancy Storage (RRS); minimum object size is 128 KB
• Glacier (archival storage)
AWS provides various storage options – Some Tips ?
AWS RRS offers the same functionality as S3 Standard but stores objects with lower durability, which at the time of this talk made it cheaper.
It is suited to non-mission-critical data, such as files that can be reproduced.
Example:
Storing image thumbnails is a good use case for AWS RRS.
Note that AWS no longer recommends RRS; S3 Standard is now priced lower, so new designs should use Standard or Standard-IA instead.
AWS OBJECT STORAGE: S3, AND GLACIER
Key points to remember regarding an S3 bucket are:
• S3 is object-based storage: it holds files (objects), not block devices or operating systems. Objects can be from 0 bytes to 5 TB in size.
• Bucket names share a global namespace, and therefore must be unique across all AWS accounts.
• An HTTP 200 response code confirms a successful upload.
• A newly uploaded object is immediately readable (read-after-write consistency).
• At the time of this talk, overwrites and deletes were eventually consistent, so a changed or deleted object could be served stale for a short while. Since December 2020 S3 provides strong read-after-write consistency for all operations.
• Uploads, updates and deletes are atomic: you never see a partial or corrupted object.
• Server-side encryption is available (SSE-S3, SSE-KMS, SSE-C) and since January 2023 new buckets encrypt with SSE-S3 by default; verify the bucket's default-encryption setting rather than assuming it.
AWS OBJECT STORAGE: S3, AND GLACIER
Implementing versioning and lifecycle rules is key to preventing data loss.
Accidental deletion of data from an S3 bucket can be mitigated by:
• Enabling versioning, so a delete only adds a delete marker and earlier versions remain recoverable
• Enabling MFA Delete, which requires the root account's MFA device to permanently delete an object version or change the bucket's versioning state
AWS OBJECT STORAGE: S3, AND GLACIER
You cannot have dots in your bucket name if you use the bucket name as the subdomain of your URLs and want SSL/TLS to work for your bucket.
A dotted name causes a certificate mismatch: the AWS certificate only covers *.s3.amazonaws.com, and a certificate wildcard matches a single DNS label.
Versioning is required on both buckets for cross-region replication in S3.
To list delete markers (and other versions of an object), use the versions subresource in a GET Bucket versions request; a simple GET will not return delete markers.
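The certificate-mismatch point above is easy to reproduce without touching AWS. The following is an added example, not code from the original deck: it applies the single-label wildcard rule to a bucket's virtual-hosted hostname and falls back to path-style addressing when that hostname would not verify. The bucket names and the default region_host are assumptions for illustration.

```python
"""Why a dot in an S3 bucket name breaks HTTPS, and how to address it anyway.

Added example, not AWS code.  AWS serves S3 with a certificate for
*.s3.amazonaws.com (regional endpoints such as s3.ap-southeast-1.amazonaws.com
are covered the same way).  A certificate wildcard matches exactly one DNS
label (RFC 6125), so 'my.bucket.s3.amazonaws.com' puts two labels where one
is allowed and verification fails.  The region_host values and bucket names
below are assumptions for illustration.
"""
import re

# Subset of the S3 naming rules: 3-63 chars of lowercase letters, digits, dots
# and hyphens, starting and ending with a letter or digit.
_BUCKET_RE = re.compile(r"^[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]$")


def wildcard_matches(pattern, hostname):
    """True if hostname is covered by a certificate name with a left-most '*'."""
    p_labels = pattern.lower().split(".")
    h_labels = hostname.lower().split(".")
    if len(p_labels) != len(h_labels):
        return False                  # a '*' never spans more than one label
    return all(p == "*" or p == h for p, h in zip(p_labels, h_labels))


def validate_bucket_name(name):
    """Reject names S3 would refuse (or that are unsafe for DNS-style access)."""
    if not _BUCKET_RE.match(name) or ".." in name:
        return False
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", name):
        return False                  # must not look like an IP address
    return True


def https_url(bucket, key, region_host="s3.amazonaws.com"):
    """Build an S3 URL whose hostname the AWS wildcard certificate will verify."""
    if not validate_bucket_name(bucket):
        raise ValueError(f"invalid bucket name: {bucket!r}")
    virtual_host = f"{bucket}.{region_host}"
    if wildcard_matches(f"*.{region_host}", virtual_host):
        return f"https://{virtual_host}/{key}"        # virtual-hosted style
    return f"https://{region_host}/{bucket}/{key}"    # path-style fallback


if __name__ == "__main__":
    for name in ("my-bucket", "my.bucket", "My_Bucket"):
        try:
            print(name, "->", https_url(name, "images/logo.png"))
        except ValueError as err:
            print(name, "->", err)
```

Path-style addressing keeps the hostname at exactly s3.amazonaws.com (or the regional endpoint), which the certificate covers directly. AWS has signalled that path-style is being retired for new buckets, so the durable fix is to avoid dots in bucket names, or to front the bucket with your own domain and certificate via CloudFront.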
AWS OBJECT STORAGE: S3, AND GLACIER
You can retrieve data faster from Glacier with:
Expedited retrievals, which return data in 1 – 5 minutes for a flat rate of $0.03 per GB retrieved,
or
Bulk retrievals, which return data in approximately 5 – 12 hours for a flat rate of $0.0025 per GB retrieved (prices as quoted at the time of this talk).
Cross-region replication incurs additional cost (you pay for the redundant copy and the transfer).
IDENTITY AND ACCESS MANAGEMENT (IAM) & SECURITY GROUPS
Identity and Access Management (IAM) – What is it ?
Access control is one of the most important security controls to put in place, so let's check the important points offered by AWS services.
You define your IAM policies (who may call which API on which resource) and create security groups to control and limit network access to the resources.
The Statement element is the core of an IAM policy and is mandatory.
Elements such as Condition, Version and Id are optional (although you should always set "Version": "2012-10-17", otherwise policy variables are not supported).
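To make the policy structure and evaluation order concrete, here is an added example (not code from the original deck or from AWS): a validator that checks the mandatory and optional elements just listed, and a small evaluator that applies the documented "explicit deny wins, then explicit allow, otherwise implicit deny" logic. Condition, NotAction and NotResource are deliberately left out, and the sample policy is constructed for illustration.

```python
"""Minimal evaluator for an identity-based IAM policy.

Added example, not AWS's own code.  It models the documented evaluation
logic: an explicit Deny in any statement wins, otherwise some statement
must Allow, otherwise the request is implicitly denied.  Action names are
matched case-insensitively and ARNs case-sensitively, with the '*' and '?'
wildcards IAM supports.  Condition, NotAction and NotResource are not
modelled (an assumption that keeps the example short).
"""
import fnmatch
import json


def _as_list(value):
    """Action, Resource and Statement may each be a single item or a list."""
    return value if isinstance(value, list) else [value]


def validate(policy_json):
    """Return a list of structural problems; empty means the policy parses.

    Statement is the only mandatory top-level element.  Version, Id, Sid
    and Condition are optional, although without "Version": "2012-10-17"
    policy variables such as ${aws:username} are not expanded.
    """
    policy = json.loads(policy_json)
    if "Statement" not in policy:
        return ["missing required element: Statement"]
    problems = []
    for i, st in enumerate(_as_list(policy["Statement"])):
        if st.get("Effect") not in ("Allow", "Deny"):
            problems.append(f"statement {i}: Effect must be Allow or Deny")
        if "Action" not in st and "NotAction" not in st:
            problems.append(f"statement {i}: Action (or NotAction) is required")
        if "Resource" not in st and "NotResource" not in st:
            problems.append(f"statement {i}: Resource (or NotResource) is required")
    return problems


def _matches(patterns, value):
    # fnmatchcase handles '*' and '?' the way IAM does; '[' never occurs in
    # action names or ARNs, so its extra bracket syntax does not interfere.
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def evaluate(policy_json, action, resource):
    """Return 'Allow', 'Deny' (explicit) or 'ImplicitDeny' for one request."""
    policy = json.loads(policy_json)
    allowed = False
    for st in _as_list(policy["Statement"]):
        actions = [a.lower() for a in _as_list(st.get("Action", []))]
        resources = _as_list(st.get("Resource", []))
        if not (_matches(actions, action.lower()) and _matches(resources, resource)):
            continue
        if st["Effect"] == "Deny":
            return "Deny"            # an explicit deny always wins
        allowed = True               # remember the allow, keep looking for denies
    return "Allow" if allowed else "ImplicitDeny"


# Constructed sample: broad S3 access to one bucket, with deletion denied everywhere.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:*",
         "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Effect": "Deny", "Action": "s3:DeleteObject", "Resource": "*"},
    ],
})

if __name__ == "__main__":
    print(validate(SAMPLE_POLICY))
    for act, res in [("s3:GetObject", "arn:aws:s3:::example-bucket/report.csv"),
                     ("s3:DeleteObject", "arn:aws:s3:::example-bucket/report.csv"),
                     ("ec2:StopInstances", "arn:aws:ec2:ap-southeast-1:123456789012:instance/i-0abc")]:
        print(act, "->", evaluate(SAMPLE_POLICY, act, res))
```

The evaluator keeps scanning after it finds an Allow because a later Deny must still override it; that ordering is the single most common mistake when people hand-roll policy checks. Real IAM additionally combines identity-based, resource-based, permission-boundary and SCP policies before reaching a decision.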
IDENTITY AND ACCESS MANAGEMENT (IAM) & SECURITY GROUPS
You will have:
• Centralised control of your AWS account (I recommend hardware MFA for the root account)
• Granular permissions
• Identity federation, including Active Directory
• Multi-factor authentication
• Password policies
• PCI DSS compliance
Every person gets their own IAM user. Never log in with the root account for day-to-day work.
IDENTITY AND ACCESS MANAGEMENT (IAM) & SECURITY GROUPS
Identity and Access Management (IAM) – Some Tips ?
I highly encourage using a hardware MFA or a virtual MFA device (for example Google Authenticator) for your access control.
https://aws.amazon.com/iam/details/mfa
IDENTITY AND ACCESS MANAGEMENT (IAM) & SECURITY GROUPS
When you create a new user, a pair of access keys is generated if you enable programmatic access.
Do not enable it if it is not necessary. Access keys (a user can have up to two active keys) do not allow console login, but they do grant API access, so rotate them and remove unused ones.
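The practical way to enforce the MFA and access-key advice above is to review the IAM credential report regularly. The following is an added example, not an AWS tool or code from the original deck: it parses the report's CSV layout (the first 18 columns, as returned by `aws iam get-credential-report` after base64-decoding the Content field) and flags root access keys, console users without MFA and active keys that have gone unused. The rows are constructed sample data and the 90-day threshold is a value chosen for this example.

```python
"""Audit an IAM credential report for risky access-key and MFA hygiene.

Added example, not an AWS tool.  The column layout is the one returned by
`aws iam get-credential-report` (after base64-decoding the Content field);
only the first 18 of its columns are used here and the rows are constructed
sample data.  MAX_KEY_IDLE_DAYS is a threshold chosen for this example.
"""
import csv
import io
from datetime import datetime, timedelta, timezone

MAX_KEY_IDLE_DAYS = 90
AS_OF = datetime(2017, 6, 3, tzinfo=timezone.utc)   # "now" for the sample data

# Constructed sample report: one root account, two console users, one CI user.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service
<root_account>,arn:aws:iam::123456789012:root,2016-01-10T08:00:00+00:00,not_supported,2017-06-01T09:12:00+00:00,not_supported,not_supported,false,true,2016-01-10T08:00:00+00:00,2017-05-30T11:00:00+00:00,ap-southeast-1,s3,false,N/A,N/A,N/A,N/A
alice,arn:aws:iam::123456789012:user/alice,2016-03-02T10:00:00+00:00,true,2017-06-02T07:45:00+00:00,2017-03-01T10:00:00+00:00,2017-06-01T10:00:00+00:00,true,true,2017-03-01T10:00:00+00:00,2017-06-02T07:50:00+00:00,ap-southeast-1,ec2,false,N/A,N/A,N/A,N/A
bob,arn:aws:iam::123456789012:user/bob,2016-05-20T10:00:00+00:00,true,no_information,2016-05-20T10:00:00+00:00,2016-08-18T10:00:00+00:00,false,true,2016-05-20T10:00:00+00:00,2016-11-01T12:00:00+00:00,us-east-1,iam,false,N/A,N/A,N/A,N/A
ci-deploy,arn:aws:iam::123456789012:user/ci-deploy,2016-09-01T10:00:00+00:00,false,N/A,N/A,N/A,false,true,2016-09-01T10:00:00+00:00,N/A,N/A,N/A,true,2017-04-01T10:00:00+00:00,2017-06-02T06:00:00+00:00,ap-southeast-1,s3
"""

_NEVER = {"N/A", "no_information", "not_supported", ""}


def _when(value):
    """Parse an ISO-8601 timestamp; the report's sentinel values mean 'never'."""
    return None if value in _NEVER else datetime.fromisoformat(value)


def audit(report_csv, now=AS_OF):
    """Return (user, finding) pairs for the problems a reviewer should chase."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        if user == "<root_account>":
            if row["mfa_active"] != "true":
                findings.append((user, "root account without MFA"))
            if any(row[f"access_key_{n}_active"] == "true" for n in "12"):
                findings.append((user, "root account has an active access key"))
        elif row["password_enabled"] == "true" and row["mfa_active"] != "true":
            findings.append((user, "console password without MFA"))
        for n in "12":
            if row[f"access_key_{n}_active"] != "true":
                continue
            # A key that has never been used is aged from its creation/rotation date.
            reference = (_when(row[f"access_key_{n}_last_used_date"])
                         or _when(row[f"access_key_{n}_last_rotated"]))
            if reference is None or now - reference > timedelta(days=MAX_KEY_IDLE_DAYS):
                findings.append((user, f"access key {n} unused for more than {MAX_KEY_IDLE_DAYS} days"))
    return findings


if __name__ == "__main__":
    for user, finding in audit(SAMPLE_REPORT):
        print(f"{user:16} {finding}")
```

In a real run you would replace SAMPLE_REPORT with the decoded output of `aws iam get-credential-report` and pass the current time; the report also carries certificate columns and the root password fields, which this example ignores.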
IDENTITY AND ACCESS MANAGEMENT (IAM) & SECURITY GROUPS
AWS best practice advises a password length of 14 characters.
I recommend at least 12 characters, complexity, password expiration, and no password reuse.
It is possible to create an AMI from a running instance without stopping it ONLY if the "No reboot" option is checked; the image may then not be file-system consistent, because the instance is not quiesced.
IDENTITY AND ACCESS MANAGEMENT (IAM) & SECURITY GROUPS
Security Group vs Network ACL
Security Group:
• Operates at the instance level (first layer of defence)
• Supports allow rules only
• Is stateful: return traffic is automatically allowed, regardless of any rules
• All rules are evaluated before deciding whether to allow traffic
• Applies to an instance only if someone specifies the security group when launching the instance, or associates it with the instance later on
Network ACL:
• Operates at the subnet level (second layer of defence)
• Supports allow rules and deny rules
• Is stateless: return traffic must be explicitly allowed by rules
• Rules are processed in number order, and the first matching rule decides
• Automatically applies to all instances in the subnets it is associated with (a backup layer of defence, so you do not have to rely on someone specifying the security group)
Security groups are one of the main access control measures for your instances.
I highly recommend adding network access control lists as an additional layer of security.
http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Security.html
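The stateful/stateless and allow-only/ordered-deny differences in the comparison above are what bite in practice, so here is an added example (not code from the original deck or from AWS) that simulates both filters against a single HTTP request and its reply. It shows that a security group with only an inbound rule lets the reply out, that the same inbound rule on a NACL silently drops the reply until an outbound ephemeral-port rule exists, and that a NACL deny rule only works if its number places it before the allow. Addresses and ports are constructed sample values.

```python
"""Stateful security group vs stateless network ACL, simulated.

Added example, not AWS code.  It models only what the comparison above
describes: a security group evaluates all of its allow rules and tracks
flows so return traffic is admitted automatically; a NACL evaluates numbered
allow/deny rules in order, the first match decides, the implicit '*' rule
denies, and each direction is judged on its own.  Addresses and ports below
are constructed sample values.
"""
import ipaddress
from dataclasses import dataclass

EPHEMERAL = (1024, 65535)   # the range AWS recommends opening for return traffic


@dataclass(frozen=True)
class Rule:
    action: str        # "allow" or "deny" (security groups only use "allow")
    proto: str         # "tcp", "udp", "icmp" or "-1" for all protocols
    port_from: int
    port_to: int
    cidr: str
    number: int = 0    # NACL rule number; unused for security groups

    def matches(self, proto, port, addr):
        return (self.proto in ("-1", proto)
                and self.port_from <= port <= self.port_to
                and ipaddress.ip_address(addr) in ipaddress.ip_network(self.cidr))


class SecurityGroup:
    """All rules are evaluated; any allow admits; tracked flows get replies back."""

    def __init__(self, inbound, outbound):
        self.inbound, self.outbound = inbound, outbound
        self._flows = set()     # (proto, remote_addr, remote_port, local_port)

    def inbound_ok(self, proto, dport, src, sport):
        if any(r.matches(proto, dport, src) for r in self.inbound):
            self._flows.add((proto, src, sport, dport))
            return True
        return False

    def outbound_ok(self, proto, dport, dst, sport):
        if (proto, dst, dport, sport) in self._flows:
            return True           # reply to a tracked flow: rules are not consulted
        return any(r.matches(proto, dport, dst) for r in self.outbound)


class NetworkAcl:
    """Rules are walked in number order; first match wins; default is deny."""

    def __init__(self, inbound, outbound):
        self.inbound = sorted(inbound, key=lambda r: r.number)
        self.outbound = sorted(outbound, key=lambda r: r.number)

    @staticmethod
    def _decide(rules, proto, port, addr):
        for r in rules:
            if r.matches(proto, port, addr):
                return r.action == "allow"
        return False              # the implicit '*' deny rule

    def inbound_ok(self, proto, dport, src, sport):
        return self._decide(self.inbound, proto, dport, src)

    def outbound_ok(self, proto, dport, dst, sport):
        return self._decide(self.outbound, proto, dport, dst)


def http_round_trip(fw, client="203.0.113.7", client_port=51000):
    """Simulate a client hitting port 80 and the server replying.

    Returns (request_allowed, response_allowed)."""
    request = fw.inbound_ok("tcp", 80, client, client_port)
    response = request and fw.outbound_ok("tcp", client_port, client, 80)
    return request, response


ANY = "0.0.0.0/0"
HTTP_IN = Rule("allow", "tcp", 80, 80, ANY, number=100)

# Security group with only an inbound rule: statefulness lets the reply out.
WEB_SG = SecurityGroup(inbound=[Rule("allow", "tcp", 80, 80, ANY)], outbound=[])
# Same intent on a NACL: the reply dies without an outbound ephemeral rule.
NACL_MISSING_EPHEMERAL = NetworkAcl(inbound=[HTTP_IN], outbound=[])
NACL_FIXED = NetworkAcl(inbound=[HTTP_IN],
                        outbound=[Rule("allow", "tcp", *EPHEMERAL, ANY, number=100)])
# Deny rules exist only on NACLs, and their number decides whether they fire.
NACL_BLOCKLIST = NetworkAcl(
    inbound=[Rule("deny", "tcp", 80, 80, "203.0.113.0/24", number=50), HTTP_IN],
    outbound=NACL_FIXED.outbound)
NACL_BLOCKLIST_WRONG_ORDER = NetworkAcl(
    inbound=[Rule("deny", "tcp", 80, 80, "203.0.113.0/24", number=150), HTTP_IN],
    outbound=NACL_FIXED.outbound)

if __name__ == "__main__":
    for name in ("WEB_SG", "NACL_MISSING_EPHEMERAL", "NACL_FIXED",
                 "NACL_BLOCKLIST", "NACL_BLOCKLIST_WRONG_ORDER"):
        print(f"{name:28} request/response allowed: {http_round_trip(globals()[name])}")
```

The NACL_BLOCKLIST_WRONG_ORDER case is the classic mistake: a deny added with a higher number than the existing allow never fires, because the first matching rule ends evaluation.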
IDENTITY AND ACCESS MANAGEMENT (IAM) & SECURITY GROUPS
Because NACLs are stateless, an inbound allow on port 80 is not enough for an instance that must be reachable by everyone: the NACL also needs an outbound allow for the ephemeral port range (1024-65535) so that the responses can leave the subnet.
Source/destination checking must be disabled on a custom NAT instance, even after configuring security groups and NACLs, otherwise it drops traffic not addressed to itself.
Instances need either a public IP or an Elastic IP to reach the Internet directly. At the time of this talk one Elastic IP associated with a running instance was free (AWS has charged for all public IPv4 addresses since February 2024).
You can also check the associated IP through the instance metadata.
For an instance in a public subnet to reach the Internet through an Internet Gateway, the subnet's route table needs a route for 0.0.0.0/0 with the Internet Gateway as target.
IDENTITY AND ACCESS MANAGEMENT (IAM) & SECURITY GROUPS
A NAT gateway in the Failed state is automatically deleted after about an hour.
Ensure that your private and public subnets use different route tables. If they share the same table, either the private subnet is exposed through the Internet Gateway or its traffic is not routed to the Internet at all.
Use the tracert (Windows) or traceroute (Linux) command to check the path, but remember that security groups drop ICMP unless you allow it explicitly, so missing hops do not by themselves prove a routing problem.
If you manage security groups with Terraform, define all rules either inline in the aws_security_group resource or as separate aws_security_group_rule resources, never both: the two fight over the rule set on every apply. (Feedback on this point is welcome.)
IDENTITY AND ACCESS MANAGEMENT (IAM) & SECURITY GROUPS
Here you can find a good summary of the difference between NACLs and security groups.
Security groups: act as a firewall for Amazon EC2 instances (more precisely, for their network interfaces)
Network access control lists (ACLs): act as a firewall for subnets
Changes to security group rules are applied automatically and take effect almost immediately.
IDENTITY AND ACCESS MANAGEMENT (IAM) & SECURITY GROUPS
By default, a new security group is configured as below:
• Allow no inbound traffic
• Allow all outbound traffic
The default security group of a VPC additionally allows instances associated with it to communicate with each other.
Do not expose SSH (port 22) or RDP (port 3389) to 0.0.0.0/0; restrict them to the bastion's security group or known administrative IP ranges, and remove the rule when it is not needed.
You can create an IAM role with two attached policies to delegate permission to access a resource: the permissions policy grants the actions allowed on the resource, and the trust policy states which principals (accounts, users, roles or services) are allowed to assume the role.
CONTENT DELIVERY NETWORK (CDN)
Content Delivery Network – What is it ?
Another important service provided by AWS is its CDN, Amazon CloudFront.
This service matters when hosting a web application online.
It delivers content by caching commonly requested files (static content) across a globally distributed set of edge servers.
From my experience, I suggest analysing your business requirements, as you might need additional functionality.
At the time of this talk, CloudFront lacked features offered by some other CDNs, such as instant purge (its invalidations, including a wildcard /* invalidation, take minutes to propagate), SPDY protocol support, real-time statistics and multi-CDN balancing; check the current feature list before deciding.
VERSIONING & ENCRYPTION
Encryption – What is it ?
AWS offers various types of encryption for data at rest:
Server-side encryption
• S3-managed keys (SSE-S3)
• AWS Key Management Service keys (SSE-KMS)
• Customer-provided keys (SSE-C)
Client-side encryption (you encrypt before upload and manage the keys yourself)
VERSIONING & ENCRYPTION
At the time of this talk, a new version of an object in an S3 bucket was treated as an overwrite and was therefore subject to eventual consistency, whereas a GET that specified the version ID of the new version had read-after-write consistency. S3 has provided strong consistency for all operations since December 2020.
With SSE-KMS you can store different objects in the same bucket under different KMS keys.
That gives you two layers of access control: S3 permissions on the bucket and object, and the key policy of the KMS key each object was encrypted with.
Boot volume encryption on an EC2 instance historically had known issues (it required copying the AMI with encryption enabled); enabling EBS encryption by default for the account, available since 2019, removes most of that friction.
AWS DATABASES
If You Need | Consider Using | Product Type
A managed relational database in the cloud that you can launch in minutes with just a few clicks | Amazon RDS | Relational Database
A fully managed MySQL- and PostgreSQL-compatible relational database with up to 5x the performance and enterprise-level features | Amazon Aurora | Relational Database
A managed NoSQL database that offers extremely fast performance, seamless scalability and reliability | Amazon DynamoDB | NoSQL Database
A fast, fully managed, petabyte-scale data warehouse at less than a tenth the cost of traditional solutions | Amazon Redshift | Data Warehouse
To deploy, operate, and scale an in-memory cache based on Memcached or Redis in the cloud | Amazon ElastiCache | In-Memory Cache
Help migrating your databases to AWS easily and inexpensively with zero downtime | AWS Database Migration Service | Database Migration
To build flexible cloud-native directories for organizing hierarchies of data along multiple dimensions | Amazon Cloud Directory | Directory
Source: aws.com
COMPLIANCE TESTING
If you would like to test your configuration against your compliance and regulatory requirements, you can run the AWS-published CIS benchmark script.
I recommend running it locally; it was very fast and easy.
AWS GitHub script to scan for CIS compliance
ADDITIONAL RESOURCES
Link to CIS Benchmark Guideline
Link to CIS Three-Tier Guideline
AWS Well Architected
AWS Cloud Adoption Framework – Security
MAGDA CHELLY, CYBERFEMINIST, CISSP
MAGDA LILIA CHELLY, IS THE MANAGING DIRECTOR OF RESPONSIBLE CYBER BY DAY,
AND A CYBER FEMINIST HACKER BY NIGHT. SHE SPEAKS FIVE LANGUAGES FLUENTLY,
AND HAS A PHD IN TELECOMMUNICATION ENGINEERING WITH A SUBSEQUENT
SPECIALIZATION IN CYBER SECURITY (CISSP).
‘’Your employees are your company’s biggest asset yet equally represent your weakest
link. Empower YOUR people to protect YOUR business with a trusted, value-adding and
effective cyber-security provider’’
Magda Chelly, CyberFeminist, CISSP
MAGDA WAS RECENTLY NOMINATED AS GLOBAL LEADER OF THE YEAR AT THE WOMEN
IN IT AWARDS 2017, AND TOP 50 CYBER SECURITY INFLUENCER, GLOBALLY.
THANK YOU !
PLEASE FEEL FREE TO ASK QUESTIONS OR SHARE YOUR TIPS