Securing AWS · files.informatandm.com/uploads/2018/10/securing_aws... · 2018-10-17


Kiran Kuppa, Solutions Architect

Amazon Web Services

Securing AWS: Leverage AWS security best practices to reduce your risk.

#ITDEVCONNECTIONS | ITDEVCONNECTIONS.COM

Maitreya Ranganath, Solutions Architect

Amazon Web Services


What to expect from this Session

• Security and Compliance in AWS

• AWS Assurance Programs

• AWS Security Enablers

• Security by Design

• DevSecOps


Why - Modernize Technology Governance

The majority of technology governance relies predominantly on administrative and operational security controls with LIMITED technology enforcement.

Automation is needed so that governance is driven by technology enablement rather than by administrative process alone.

Assets · Threat · Vulnerability · Risk


Why is this important?

Modern day IT environments present challenges to managing security and meeting compliance requirements due to the volume of data that needs to be safeguarded and increasing complexity around how users connect to data.

A reliable security approach is needed to ensure data is protected and available to authorized users and systems.

Confidentiality Integrity Availability


Security is Job Zero

Over A Million Active Customers and Every Imaginable Use Case

1500+ Government Agencies

3600+ Education Institutions

190 Countries

11,200+ Nonprofits


Requirements from every industry

• Nothing better for the entire community than a tough set of customers…

Everyone’s Systems and Applications

Financial Requirements · Health Care Requirements · Government Requirements

Global Infrastructure


The most sensitive workloads run on AWS

“With AWS, DNAnexus enables enterprises worldwide to perform genomic analysis and clinical studies in a secure and compliant environment at a scale not previously possible.”

— Richard Daly, CEO DNAnexus

“The fact that we can rely on the AWS security posture to boost our own security is really important for our business. AWS does a much better job at security than we could ever do running a cage in a data center.”

— Richard Crowley, Director of Operations, Slack

“We determined that security in AWS is superior to our on-premises data center across several dimensions, including patching, encryption, auditing and logging, entitlements, and compliance.”

— John Brady, CISO, FINRA (Financial Industry Regulatory Authority)


Security and Compliance in AWS

Security Of the Cloud and Security In the Cloud


AWS foundational security applies to every customer

AWS maintains a formal control environment

• SOC 1 (SSAE 16 & ISAE 3402) Type II (was SAS70)

• SOC 2 Type II and public SOC 3 report

• ISO 27001 Certification

• Certified PCI DSS Level 1 Service Provider

• FedRAMP Authorization

• HIPAA and MPAA capable

Expert auditors test and validate 360° of the cloud

AWS Foundation Services: Compute, Storage, Database, Networking

AWS Global Infrastructure: Regions, Availability Zones, Edge Locations

AWS is responsible for the security OF the Cloud


Keys to cloud security

• Cloud goes beyond the traditional elements of security and adds…

• Agility

• Automation

Visibility Auditability Controllability


Who owns Security in a Cloud Environment?


AWS Shared Security Responsibility

Infrastructure Services

Platform Services

Abstracted Services

Security is Shared and Classified by Ownership


AWS Shared Responsibility: for Infrastructure Services

Managed by customers:

▪ Customer Data

▪ Platform & Application Management

▪ Operating system, network, and firewall configuration

▪ Data Confidentiality: Encryption at-rest / in-transit, authentication

▪ Data Availability: HA, DR/BC, Resource Scaling

▪ Data Integrity: Access control, Version control, Backups

▪ Customer IAM and AWS IAM

Managed by AWS:

▪ AWS Endpoints

▪ Foundation Services: Networking, Storage, Compute

▪ AWS Global Infrastructure: Edge Locations, Availability Zones, Regions


Infrastructure Services – Example Amazon EC2

• AWS

▪ Network, Compute, Storage

▪ AWS Global Infrastructure

▪ AWS Endpoints

• Customer

▪ Customer Data

▪ Customer Application

▪ Operating System

▪ Network & Firewall (VPC)

▪ Customer Identity & Access Mgmt

▪ AWS Identity & Access Mgmt (Users, Groups, Roles, Policies)

▪ High-Availability / Scaling

▪ Instance Management

▪ Data Protection (In-transit, At-rest, Backup)


AWS Shared Responsibility: for Platform Services

Managed by customers:

▪ Customer Data

▪ Client-side data encryption & data integrity authentication

▪ Network traffic protection: encryption / integrity / identity

▪ Firewall Configuration

▪ Customer IAM and AWS IAM

Managed by AWS:

▪ Platform & Application Management

▪ Operating system & Network Configuration

▪ AWS Endpoints

▪ Foundation Services: Networking, Databases, Storage, Compute

▪ AWS Global Infrastructure: Edge Locations, Availability Zones, Regions


Platform Services – Example RDS

• AWS

▪ Network, Compute, Storage

▪ AWS Global Infrastructure

▪ AWS Endpoints

▪ Operating System

▪ Instance Management

▪ Platform / Application (Aurora, MS SQL, Oracle, MySQL, PostgreSQL)

• Customer

▪ Customer Data

▪ Firewall (VPC)

▪ Customer Identity & Access Mgmt (DB Users, Table Permissions)

▪ AWS Identity & Access Mgmt (Users, Groups, Roles, Policies)

▪ High-Availability / Scaling

▪ Data Protection (In-transit, At-rest, Backup)


AWS Shared Responsibility: for Abstracted Services

Managed by customers:

▪ Customer Data

▪ Client-side data encryption, data integrity and authentication

▪ AWS IAM

Managed by AWS:

▪ Client-side data encryption provided by platform (protection of data at-rest)

▪ Network traffic encryption provided by platform (protection of data in-transit)

▪ Platform & Application Management

▪ Operating system, network, and firewall configuration

▪ AWS Endpoints

▪ Foundation Services: Networking, Databases, Storage, Compute

▪ AWS Global Infrastructure: Edge Locations, Availability Zones, Regions


Abstracted Services – Example S3

• AWS

▪ Network, Compute, Storage

▪ AWS Global Infrastructure

▪ AWS Endpoints

▪ Platform / Application

▪ Data Protection (In-transit, At-rest)

▪ High-Availability / Scaling

• Customer

▪ Customer Data

▪ Data Protection (In-transit, At-rest)

▪ AWS Identity & Access Mgmt (Users, Groups, Roles, Policies)


Part of your compliance work is done

AWS provides:

▪ Facilities

▪ Physical security

▪ Compute infrastructure

▪ Storage infrastructure

▪ Network infrastructure

▪ Virtualization layer (EC2)

▪ Hardened service endpoints

▪ Rich IAM capabilities

+ Customer provides:

▪ Network configuration

▪ Security groups

▪ OS firewalls

▪ Operating systems

▪ Application security

▪ Service configuration

▪ Account management

▪ Authorization policies

= Secure, compliant workloads

Customers get to choose the right level of security for their business. As an AWS customer you can focus on your business and not be distracted by the muck.


Does This Mean All Workloads Running on AWS are Automatically Compliant?


What does this mean for you?


▪ Customers benefit from an environment built for the most security sensitive organizations

▪ AWS manages and validates testing against more than 3000 security controls so you don’t have to

▪ You get to define the right security controls for your workload sensitivity

▪ You always have full ownership and control of your data


AWS Security & Compliance Resources


Comprehensive security and compliance profile

• Certifications / Attestations: DoD SRG, FedRAMP, FIPS, IRAP, ISO 9001, ISO 27001, ISO 27017, ISO 27018, MLPS Level 3, MTCS, PCI DSS Level 1, SEC Rule 17-a-4(f), SOC 1, SOC 2, SOC 3, UK Cyber Essentials

• Laws / Regulations / Privacy: DNB [Netherlands], EAR, EU Model Clauses, EU Data Protection Directive, FERPA, GLBA, HIPAA, HITECH, IRS 1075, ITAR, My Number Act [Japan], Privacy Act [Australia], Privacy Act [New Zealand], PDPA - 2010 [Malaysia], PDPA - 2012 [Singapore], U.K. DPA - 1988, VPAT / Section 508, EU-US Privacy Shield, Spanish DPA Authorization

• Alignments / Frameworks: CIS, CLIA, CJIS, CMS EDGE, CMSR, CSA, FDA, FedRAMP TIC, FISC, FISMA, G-Cloud, GxP (FDA CFR 21 Part 11), IT Grundschutz, MITA 3.0, MPAA, NERC, NIST, PHR, UK Cloud Security Principles


Inherit global security and compliance controls


PCI-DSS


Payment Card Industry (PCI) Data Security Standard (DSS)

▪ AWS is Level 1 compliant (highest level).

▪ Validated by an authorized independent QSA.

▪ You can run applications on our PCI-compliant technology infrastructure for storing, processing, and transmitting credit card information in the cloud.

AWS PCI Package

▪ Attestation of Compliance (AoC)

▪ PCI responsibility summary: description of the in-scope services, customer implementation considerations, overview of shared responsibility


AWS security and compliance resources

▪ AWS Artifact

▪ Introduction to AWS Security

▪ AWS Security Overview

▪ AWS Security Best Practices

▪ AWS Risk & Compliance

▪ Security at Scale Whitepapers

▪ Customer penetration testing requests

▪ Security Partner Solutions

▪ Request more information by contacting us

• aws.amazon.com/security

• aws.amazon.com/compliance


AWS Security Enablers: Manage, secure and audit the use of AWS services


AWS Identity and Access Management (IAM)

• Centrally manage users and user permissions in AWS

▪ Manage users, groups, roles, and policies.

▪ Define which AWS resources users can access.

▪ Federate with other Identity Providers (IdP)


AWS Organizations

▪ Centrally manage groups of AWS accounts

▪ Simplified creation of new AWS accounts

▪ Logically group AWS accounts for management convenience

▪ Apply Service control policies (SCP)

▪ Simplified billing

▪ Control individual account permissions at scale

▪ All organization management activity is logged in AWS CloudTrail

▪ An AWS account can be a member of only one organization

▪ Console, SDK, and CLI support for all management tasks


Multiple VPCs vs Multiple Accounts

Multiple VPCs: Development Virtual Private Cloud, Staging Virtual Private Cloud, Production Virtual Private Cloud, Regulated (PCI) Virtual Private Cloud

Multiple Accounts: Development AWS Account, Staging AWS Account, Production AWS Account, Regulated (PCI) AWS Account, each containing its own Virtual Private Cloud


Strategies for Using Multiple AWS Accounts


▪ Separation of production, development and testing environments

▪ Multiple autonomous departments

▪ Centralized security management with multiple autonomous independent projects


Multiple Accounts AND Multiple VPCs

Development AWS Account, Staging AWS Account, Production AWS Account, Regulated (PCI) AWS Account: each holds its own virtual private cloud and its applications (App 1 … App X), giving both an account boundary and a network boundary

Central Governance AWS Account (Billing, Administrative, Connectivity):

▪ Account provisioning

▪ Security oversight

▪ VPC configuration

▪ IAM configuration

▪ Development / approval of templates

▪ AMI creation / management

▪ Shared Services

▪ Monitoring / Logging


Compute & Network Security


Amazon VPC

▪ Virtual network dedicated to your AWS account.

▪ Logically isolated from other virtual networks in the AWS Cloud.

▪ You choose the IP address range for your VPC.

▪ Can span multiple Availability Zones.


Amazon VPC Security

• VPC Security Groups (mandatory)

▪ Instance level, stateful

▪ Supports ALLOW rules only

▪ Default deny inbound, allow outbound

▪ Use as “whitelist” – least privilege

• VPC NACLs (optional)

▪ Subnet level, stateless

▪ Supports ALLOW and DENY

▪ Default allow all

▪ Use as “guardrails”

• Changes audited via AWS CloudTrail

VPC → Subnet (NACLs) → Instance (Security Group)


VPC Flow Logs

▪ Agentless

▪ Enable per ENI, per subnet, or per VPC

▪ Logged to AWS CloudWatch Logs

▪ Create alarms from log data

Each record captures: AWS account, interface, source IP, destination IP, source port, destination port, protocol, packets, bytes, start/end time, accept or reject
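The record fields listed above, parsed and turned into an alarm-style check, as an added example that is not part of the original deck: it assumes the default version-2 flow log record layout and constructed sample records (placeholder account id and ENI), and quotes the REJECT-only metric filter pattern that AWS documents for CloudWatch Logs.

```python
"""Parse VPC Flow Log records and flag sources whose rejected flows probe many ports."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Field order of the default (version 2) flow log record; the slide lists the same data.
FIELDS = ("version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes",
          "start", "end", "action", "log_status")

# CloudWatch Logs metric filter that counts only REJECT records; an alarm on the
# resulting metric is the "create alarms from log data" step (documented AWS pattern).
REJECT_FILTER_PATTERN = ("[version, account, eni, source, destination, srcport, destport, "
                         "protocol, packets, bytes, windowstart, windowend, action=\"REJECT\", "
                         "flowlogstatus]")


@dataclass
class FlowRecord:
    account_id: str
    interface_id: str
    srcaddr: str
    dstaddr: str
    srcport: int
    dstport: int
    protocol: int
    packets: int
    bytes: int
    start: int
    end: int
    action: str


def parse_record(line: str) -> Optional[FlowRecord]:
    """Parse one record; None for malformed lines and for NODATA/SKIPDATA windows."""
    parts = line.split()
    if len(parts) != len(FIELDS) or parts[0] != "2":
        return None
    rec = dict(zip(FIELDS, parts))
    if rec["log_status"] != "OK":
        return None  # no traffic captured in this window; numeric fields are '-'
    return FlowRecord(
        account_id=rec["account_id"], interface_id=rec["interface_id"],
        srcaddr=rec["srcaddr"], dstaddr=rec["dstaddr"],
        srcport=int(rec["srcport"]), dstport=int(rec["dstport"]),
        protocol=int(rec["protocol"]), packets=int(rec["packets"]),
        bytes=int(rec["bytes"]), start=int(rec["start"]), end=int(rec["end"]),
        action=rec["action"])


def reject_sources(lines, min_ports: int = 5):
    """Map each source IP whose REJECTed flows touched >= min_ports distinct
    destination ports to the sorted list of those ports (a port-sweep signal)."""
    ports = defaultdict(set)
    for line in lines:
        rec = parse_record(line)
        if rec is not None and rec.action == "REJECT":
            ports[rec.srcaddr].add(rec.dstport)
    return {ip: sorted(p) for ip, p in ports.items() if len(p) >= min_ports}


# Constructed sample: one source hitting several closed ports, one normal client,
# and one NODATA window. Account id and ENI are placeholders.
SAMPLE = """\
2 123456789012 eni-0a1b2c3d 203.0.113.7 10.0.1.25 40001 22 6 1 44 1539800000 1539800060 REJECT OK
2 123456789012 eni-0a1b2c3d 203.0.113.7 10.0.1.25 40002 23 6 1 44 1539800000 1539800060 REJECT OK
2 123456789012 eni-0a1b2c3d 203.0.113.7 10.0.1.25 40003 80 6 1 44 1539800000 1539800060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 203.0.113.7 10.0.1.25 40004 443 6 1 44 1539800000 1539800060 REJECT OK
2 123456789012 eni-0a1b2c3d 203.0.113.7 10.0.1.25 40005 3389 6 1 44 1539800000 1539800060 REJECT OK
2 123456789012 eni-0a1b2c3d 203.0.113.7 10.0.1.25 40006 8080 6 1 44 1539800000 1539800060 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.9 10.0.1.25 50000 443 6 12 3400 1539800000 1539800060 ACCEPT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1539800000 1539800060 - NODATA
"""

if __name__ == "__main__":
    print(reject_sources(SAMPLE.splitlines()))
```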


AWS DDoS Shield

• Standard Protection: for protection against most common DDoS attacks, and access to tools and best practices to build a DDoS resilient architecture on AWS. Available to ALL AWS customers at No Additional Cost.

• Advanced Protection: for additional protection against larger and more sophisticated attacks, visibility into attacks, and 24X7 access to DDoS experts for complex cases. Paid service that provides additional, comprehensive protections from large and sophisticated attacks.


Attack notification and reporting

Attack monitoring and detection

• Real-time notification of attacks via Amazon CloudWatch

• Near real-time metrics and packet captures for attack forensics

• Historical attack reports


AWS Shield Advanced cost protection

• AWS absorbs scaling cost due to DDoS attack

• Amazon CloudFront

• Elastic Load Balancer

• Application Load Balancer

• Amazon Route 53


AWS WAF


AWS WAF – Layer 7 application protection

▪ HTTP floods

▪ Scanners and probes

▪ SQL injection

▪ Bots and scrapers

▪ IP reputation lists

▪ Cross-site scripting

Use AWS WAF to Mitigate OWASP’s Top 10 Web Application


Logging and Monitoring


AWS CloudTrail

• Track changes made to your AWS resources

• Records all API calls made on your account

• Enabled on a per-region basis

• Integration with 3rd party solutions (ex. Splunk)

• Benefits:

▪ Resource change tracking

▪ Security analysis

▪ Demonstrate Compliance

What is recorded?

✓ The identity of the API caller

✓ The time of the API call

✓ The request parameters

✓ The response elements


Amazon CloudWatch

• AWS managed service providing a reliable, scalable, and flexible monitoring solution that you can start using within minutes.

• You no longer need to set up, manage, and scale your own monitoring systems and infrastructure.

▪ CloudWatch - monitor AWS resources and applications you run on AWS in real time

▪ CloudWatch Events - send system events from AWS resources to AWS Lambda functions, Amazon SNS topics, streams in Amazon Kinesis, and other target types

▪ CloudWatch Logs - monitor, store, and access your log files from Amazon EC2 instances, AWS CloudTrail, or other sources


Amazon Simple Notification Service (SNS)

• A web service that makes it easy to set up, operate, and send notifications.

• Publish messages from an application and immediately deliver them to subscribers or other applications.

▪ Messages published to topic.

▪ Topic subscribers receive message.

Publisher → SNS Topic → Subscribers: SQS, Email, HTTP/S, SMS, Mobile Push, Lambda


Amazon Macie

• Amazon Macie is an AI-powered security service that helps you prevent data loss by automatically discovering, classifying, and protecting sensitive data stored in AWS.

• Amazon Macie uses machine learning to recognize sensitive data such as personally identifiable information (PII) or intellectual property, assigns a business value, and provides visibility into where this data is stored and how it is being used in your organization.

• Amazon Macie continuously monitors data access activity for anomalies, and delivers alerts when it detects risk of unauthorized access or inadvertent data leaks.


Amazon GuardDuty

• Threat detection service

• Continuously monitors for malicious or unauthorized behavior to help you protect your AWS accounts and workloads.

• Monitors for activity such as unusual API calls or potentially unauthorized deployments that indicate a possible account compromise.

• Detects potentially compromised instances or reconnaissance by attackers.


Encryption Services


AWS Key Management Service (KMS)

Managed service to securely create, control, rotate, and use encryption keys.

Customer Master Key(s) → Data Key 1, Data Key 2, Data Key 3, Data Key 4 → Amazon S3 Object, Amazon EBS Volume, Amazon Redshift Cluster


AWS CloudHSM

Help meet compliance requirements for data security by using a dedicated Hardware Security Module appliance with AWS.

• Dedicated, single-tenant hardware device

• Can be deployed as HA and load balanced

• Runs inside your Amazon Virtual Private Cloud

• AWS Administrator – manages the appliance; You – control keys and crypto operations

• Customer use cases:

▪ Oracle TDE

▪ MS SQL Server TDE

▪ Setup SSL connections

▪ Digital Rights Management (DRM)

▪ Document Signing


KMS vs CloudHSM

▪ Tenancy: KMS is a multi-tenant AWS service; CloudHSM is a single-tenant HSM

▪ Key storage: KMS provides highly available and durable key storage and management; with CloudHSM, durability and availability are customer-managed

▪ Root of trust: AWS managed for KMS; customer managed for CloudHSM

▪ Integration: KMS has broad support for AWS services; CloudHSM has broad third-party app support

▪ Algorithms: KMS offers symmetric encryption only; CloudHSM offers symmetric and asymmetric options


Configuration Management


AWS CloudFormation – Infrastructure as Code

Allows you to define a “template” which is composed of different “resources” and then provision that template into repeatable, live “stacks”.


Why Infrastructure as Code?

• Automates deployment, provisioning, and configuration of the entire infrastructure

▪ Deploy servers, configure networking, assign storage

▪ Manage configuration and access

▪ Track and audit changes

• Embeds security controls and compliance auditing


AWS Service Catalog


▪ Centrally manage catalogs of IT services approved for use on AWS

▪ Enables users to quickly deploy approved IT services in a self-service manner

▪ Helps achieve consistent governance and meet compliance requirements


AWS Config


▪ Managed service that provides AWS resource inventory, configuration history, and configuration change notifications.

▪ Provides continuous details on all configuration changes associated with AWS resources.

▪ Combines with CloudTrail for full visibility into what contributed to the change.

▪ Enables compliance auditing, security analysis, resource change tracking, and troubleshooting.


AWS Config Rules

Continuously monitors the configuration of existing and new AWS resources to assess compliance with desired configurations.

• Features

▪ Flexible rules evaluated continuously and retroactively

▪ Dashboard and reports for common goals

▪ Customizable remediation

▪ API automation

• Benefits

▪ Continuous monitoring for unexpected changes

▪ Shared compliance across your organization

▪ Simplified management of configuration changes
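One way to turn the “whitelist – least privilege” guidance for security groups (from the Amazon VPC Security slide) into a continuously evaluated Config custom rule, as an added example that is not part of the original deck or of AWS's own rule library: the watched port list, the placeholder ids and the sample events are this example's assumptions, while the invocation shape and the put_evaluations call follow the AWS Config custom-rule interface.

```python
"""AWS Config custom rule: flag security groups whose inbound rules admit the whole
internet on SSH or RDP (a violation of the 'whitelist / least privilege' guidance)."""
import json

WORLD = {"0.0.0.0/0", "::/0"}
WATCHED_PORTS = (22, 3389)   # assumption: the baseline forbids world-open SSH and RDP


def _covers_watched_port(perm: dict) -> bool:
    """ipProtocol -1 means all traffic; otherwise check the fromPort..toPort range."""
    if perm.get("ipProtocol") == "-1":
        return True
    lo, hi = perm.get("fromPort"), perm.get("toPort")
    if lo is None or hi is None:
        return False
    return any(lo <= p <= hi for p in WATCHED_PORTS)


def _world_open(perm: dict) -> bool:
    """Config's security-group item lists CIDRs as ipv4Ranges/ipv6Ranges objects
    and, in the older layout, as plain strings under ipRanges."""
    cidrs = [r.get("cidrIp") for r in perm.get("ipv4Ranges", [])]
    cidrs += [r.get("cidrIpv6") for r in perm.get("ipv6Ranges", [])]
    cidrs += perm.get("ipRanges", [])
    return any(c in WORLD for c in cidrs)


def evaluate_security_group(configuration: dict):
    """Return (ComplianceType, annotation) for one security group configuration block."""
    bad = [p for p in configuration.get("ipPermissions", [])
           if _covers_watched_port(p) and _world_open(p)]
    if bad:
        return "NON_COMPLIANT", f"{len(bad)} ingress rule(s) open to the world on SSH/RDP"
    return "COMPLIANT", "no world-open SSH/RDP ingress"


def lambda_handler(event: dict, context=None, config_client=None) -> dict:
    """Config invokes the rule with invokingEvent (a JSON string) and a resultToken.
    config_client is a boto3 'config' client; when None the evaluation is only returned."""
    item = json.loads(event["invokingEvent"])["configurationItem"]
    if item["resourceType"] != "AWS::EC2::SecurityGroup":
        return {"ComplianceType": "NOT_APPLICABLE"}
    compliance, note = evaluate_security_group(item["configuration"])
    evaluation = {"ComplianceResourceType": item["resourceType"],
                  "ComplianceResourceId": item["resourceId"],
                  "ComplianceType": compliance, "Annotation": note,
                  "OrderingTimestamp": item["configurationItemCaptureTime"]}
    if config_client is not None:
        config_client.put_evaluations(Evaluations=[evaluation], ResultToken=event["resultToken"])
    return evaluation


def _event(sg_id: str, permissions: list) -> dict:
    """Constructed invocation event; ids, token and timestamp are placeholders."""
    item = {"resourceType": "AWS::EC2::SecurityGroup", "resourceId": sg_id,
            "configurationItemCaptureTime": "2018-10-17T10:00:00.000Z",
            "configuration": {"groupId": sg_id, "ipPermissions": permissions}}
    return {"invokingEvent": json.dumps({"configurationItem": item}),
            "resultToken": "placeholder-token"}


# Constructed samples: SSH from anywhere vs. SSH from a bastion subnet plus public HTTPS.
OPEN_SSH_EVENT = _event("sg-open-placeholder", [
    {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
     "ipv4Ranges": [{"cidrIp": "0.0.0.0/0"}], "ipRanges": ["0.0.0.0/0"]}])
BASTION_SSH_EVENT = _event("sg-bastion-placeholder", [
    {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
     "ipv4Ranges": [{"cidrIp": "10.0.0.0/24"}], "ipRanges": ["10.0.0.0/24"]},
    {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443,
     "ipv4Ranges": [{"cidrIp": "0.0.0.0/0"}], "ipRanges": ["0.0.0.0/0"]}])
```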


Amazon Inspector

Security assessment tool analyzing end-to-end application configuration and activity.

• Features

▪ Configuration scanning engine

▪ Activity monitoring

▪ Built-in content library

▪ Automatable via API

▪ Fully auditable

• Benefits

▪ Common Vulnerabilities and Exposures (CVE)

▪ Network Security Best Practices

▪ Authentication Best Practices

▪ Operating System Best Practices

▪ Application Security Best Practices


Security by Design: Automating Security, Compliance, and Governance in AWS


What is Security by Design (SbD)?

▪ Modern, systematic, security assurance approach

▪ Formalizes AWS account design, automates security controls, and streamlines auditing

▪ Provides security control built in throughout the AWS IT management process

Effective security is ubiquitous and automatic…


Security by Design Four Phase Approach

1. Understand your requirements

2. Build a “secure environment” that fits your requirements

3. Enforce the use of the templates

4. Perform validation activities


#1: Understand your requirements

Security Controls

▪ Access

▪ Audit

▪ Config Mgmt

▪ Contingency Plans

Data Classification

▪ Data Type

▪ Data Impact

▪ Data Sensitivity

Data Usage

▪ Storage

▪ Retention

▪ Processing

▪ Sharing

Regulations

▪ Governmental

▪ Organizational

▪ Individual


#2: Build a “secure environment”

• What are the different options for securing your environment?

▪ Service selection

▪ Encryption

▪ Network segmentation

▪ User permissions

▪ Authorized OS images

▪ Resource protection

▪ Logging / monitoring


#3: Enforce the use of templates

▪ What if the ONLY choices are “pre-approved templates”?

▪ Templates guarantee ALL configurations comply with your organization’s security standards


#4: Perform Validation Activities

• 100% Audit-Ready

▪ Environments deployed from templates are audit-ready

▪ Rules defined within the templates are the baseline for comparison

• 100% Audit Coverage

▪ Auditing itself is configured and enabled via template

▪ Auditing is performed continuously and in real-time

▪ Properly scoped permissions prevent and detect attempts to tamper with or disable auditing

• 100% Visibility

▪ Audit information captures the state of all deployed resources

• 100% Remediation

▪ Non-compliant resources are flagged and alerts are generated

▪ These alerts can be used to trigger actions such as quarantining the offending resource


Security by Design Deployment

Admins author an AWS CloudFormation Template and publish it through AWS Service Catalog; Users deploy it into Amazon VPC under Constrained Permissions; AWS CloudTrail, AWS Config and Amazon CloudWatch record and monitor the result.


Impact of Security by Design

▪ Creates forcing functions that cannot be overridden by users

▪ Establishes reliable operation of controls

▪ Enables continuous and real-time auditing

▪ Represents the technical scripting of your governance policy

• Result

• Automated environment enabling enforcement of security and compliance policies and a functionally reliable governance model.


Automated Countermeasure Examples


Application DoS - Random searches

Components: Amazon CloudFront, AWS WAF, Amazon S3, AWS Lambda, Amazon SNS; good users and bad guys both send requests through CloudFront.

▪ Access logs to S3

▪ Lambda parses logs

▪ Counts requests per minute from same IP

▪ IP added to Auto Block rule

▪ Notification
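The Lambda half of the flow above, as an added example that is neither the deck's nor AWS's own code: it parses constructed CloudFront access log lines, counts requests per minute per client IP and inserts offenders into the IP set behind an “Auto Block” rule through the classic AWS WAF get_change_token / update_ip_set calls. The IP set id, the threshold and the RecordingWaf stand-in for the boto3 client are this example's assumptions.

```python
"""Countermeasure for the application-DoS flow: rate-count client IPs in CloudFront
access logs and push offenders into the AWS WAF IP set used by the Auto Block rule."""
from collections import Counter
from typing import Dict, List, Tuple

# Constructed CloudFront access log. Real logs are tab-separated with two '#' header
# lines; the first five columns are date, time, x-edge-location, sc-bytes, c-ip.
_HEADER = ["#Version: 1.0",
           "#Fields: date time x-edge-location sc-bytes c-ip cs-method cs(Host) cs-uri-stem sc-status"]
_FLOOD = [f"2018-10-17\t10:00:{i:02d}\tIAD12\t512\t203.0.113.7\tGET\td111.cloudfront.net\t/search?q=r{i}\t200"
          for i in range(12)]   # 12 random searches from one IP inside one minute
_NORMAL = ["2018-10-17\t10:00:30\tIAD12\t2048\t198.51.100.9\tGET\td111.cloudfront.net\t/index.html\t200",
           "2018-10-17\t10:01:02\tIAD12\t2048\t198.51.100.9\tGET\td111.cloudfront.net\t/about.html\t200",
           "2018-10-17\t10:01:05\tIAD12\t512\t203.0.113.7\tGET\td111.cloudfront.net\t/search?q=z\t200"]
SAMPLE_LINES = _HEADER + _FLOOD + _NORMAL


def requests_per_minute(lines) -> Dict[Tuple[str, str], int]:
    """Count requests keyed by (client IP, 'YYYY-MM-DD HH:MM')."""
    counts: Counter = Counter()
    for line in lines:
        if not line or line.startswith("#"):
            continue                      # skip directives and blank lines
        cols = line.split("\t")
        if len(cols) < 5:
            continue                      # malformed line
        date, time, _edge, _bytes, ip = cols[:5]
        counts[(ip, f"{date} {time[:5]}")] += 1   # time[:5] keeps HH:MM
    return counts


def offending_ips(lines, threshold: int = 10) -> List[str]:
    """IPs that exceeded `threshold` requests in any single minute."""
    return sorted({ip for (ip, _m), n in requests_per_minute(lines).items() if n > threshold})


def block_ips(waf, ip_set_id: str, ips: List[str]) -> List[dict]:
    """Insert offenders into the IP set behind the WAF 'Auto Block' rule.
    `waf` is a boto3 classic WAF client (get_change_token / update_ip_set)."""
    if not ips:
        return []
    updates = [{"Action": "INSERT",
                "IPSetDescriptor": {"Type": "IPV4", "Value": f"{ip}/32"}} for ip in ips]
    token = waf.get_change_token()["ChangeToken"]
    waf.update_ip_set(IPSetId=ip_set_id, ChangeToken=token, Updates=updates)
    return updates


class RecordingWaf:
    """Offline stand-in for the boto3 WAF client; records what would be sent."""
    def __init__(self):
        self.calls = []

    def get_change_token(self):
        return {"ChangeToken": "constructed-token"}

    def update_ip_set(self, **kwargs):
        self.calls.append(kwargs)
        return {"ChangeToken": kwargs["ChangeToken"]}


def handle_log(lines, waf, ip_set_id: str, threshold: int = 10) -> List[str]:
    """Lambda body: detect offenders, block them, return them (publish to SNS from here)."""
    ips = offending_ips(lines, threshold)
    block_ips(waf, ip_set_id, ips)
    return ips


def demo():
    """Run the countermeasure over the constructed log with the offline client."""
    waf = RecordingWaf()
    blocked = handle_log(SAMPLE_LINES, waf, "ipset-placeholder")
    return blocked, waf.calls
```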


Brute force login on SSH bastion

Components: Amazon CloudWatch, AWS Lambda, Amazon SNS; good users and bad guys both reach the bastion over SSH in the DMZ Subnet.

▪ SSH access logs

▪ Alarm triggered

▪ NACL deny rule created

▪ Notification


Unintended IAM access granted

Components: Amazon CloudWatch Events, AWS Lambda, Amazon SNS; Devs holding Elevated Privileges make IAM changes from the AWS CLI, SDK or Console.

▪ IAM API Events

▪ Deliver event upon rule match

▪ Revoke IAM access if user not in Admins group

▪ Notification
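The rule pattern and Lambda body of the flow above, as an added example that is not part of the original deck: it assumes IAM users (not roles) as callers, a group literally named Admins, two watched IAM calls, and the RecordingIam stand-in for the boto3 IAM client; the rule pattern and event shape follow the CloudWatch Events “AWS API Call via CloudTrail” format.

```python
"""Countermeasure for unintended IAM grants: a CloudWatch Events rule forwards IAM API
calls (from CloudTrail) to a Lambda function that undoes grants made outside the Admins group."""
import json
from typing import List

# CloudWatch Events rule pattern; the watched event names are this example's choice.
EVENT_PATTERN = json.dumps({
    "source": ["aws.iam"],
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {"eventSource": ["iam.amazonaws.com"],
               "eventName": ["AttachUserPolicy", "AddUserToGroup"]},
})
ADMIN_GROUP = "Admins"   # assumption: the privileged group is named Admins


def caller_is_admin(iam, caller: str) -> bool:
    """True if the IAM user who made the call belongs to the Admins group."""
    groups = iam.list_groups_for_user(UserName=caller)["Groups"]
    return any(g["GroupName"] == ADMIN_GROUP for g in groups)


def revoke_if_unauthorised(event: dict, iam) -> str:
    """Inspect one event; revoke the grant if the caller is not an Admin.
    Returns 'ignored', 'allowed' or 'revoked:<api>' for logging / SNS notification."""
    detail = event["detail"]
    identity = detail.get("userIdentity", {})
    if identity.get("type") != "IAMUser":        # assumption: role callers handled elsewhere
        return "ignored"
    if caller_is_admin(iam, identity["userName"]):
        return "allowed"
    params = detail["requestParameters"]
    if detail["eventName"] == "AttachUserPolicy":
        iam.detach_user_policy(UserName=params["userName"], PolicyArn=params["policyArn"])
        return "revoked:detach_user_policy"
    if detail["eventName"] == "AddUserToGroup":
        iam.remove_user_from_group(GroupName=params["groupName"], UserName=params["userName"])
        return "revoked:remove_user_from_group"
    return "ignored"


class RecordingIam:
    """Offline stand-in for the boto3 IAM client with a fixed group membership table."""
    def __init__(self, membership):
        self.membership = membership       # {user: [group, ...]}
        self.calls: List[tuple] = []

    def list_groups_for_user(self, UserName):
        return {"Groups": [{"GroupName": g} for g in self.membership.get(UserName, [])]}

    def detach_user_policy(self, **kw):
        self.calls.append(("detach_user_policy", kw))

    def remove_user_from_group(self, **kw):
        self.calls.append(("remove_user_from_group", kw))


def make_event(caller: str, event_name: str, params: dict) -> dict:
    """Constructed event in the shape delivered for 'AWS API Call via CloudTrail'."""
    return {"source": "aws.iam", "detail-type": "AWS API Call via CloudTrail",
            "detail": {"eventSource": "iam.amazonaws.com", "eventName": event_name,
                       "userIdentity": {"type": "IAMUser", "userName": caller},
                       "requestParameters": params}}


def demo():
    """dev1 (not an Admin) grants AdministratorAccess to dev2; alice (an Admin) does the same."""
    iam = RecordingIam({"alice": ["Admins"], "dev1": ["Developers"]})
    grant = {"userName": "dev2", "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}
    results = [revoke_if_unauthorised(make_event("dev1", "AttachUserPolicy", grant), iam),
               revoke_if_unauthorised(make_event("alice", "AttachUserPolicy", grant), iam),
               revoke_if_unauthorised(make_event("dev1", "AddUserToGroup",
                                                 {"userName": "dev2", "groupName": "Admins"}), iam)]
    return results, iam.calls
```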


DevSecOps


Thank you!

Q&A
