Architecting for End-to-End Security in the Enterprise (ARC308) | AWS re:Invent 2013


Upload: amazon-web-services

Post on 27-Jan-2015

Category: Technology

DESCRIPTION

This session tells the story of how security-minded enterprises provide end-to-end protection of their sensitive data in AWS. Learn about the enterprise security architecture decisions made by Fortune 500 organizations during actual sensitive workload deployments, as told by the AWS Professional Services security, risk, and compliance team members who lived them. In this technical walkthrough, we share lessons learned from the development of enterprise security strategy, security use-case development, end-to-end security architecture and service composition, security configuration decisions, and the creation of AWS security operations playbooks to support the architecture.

TRANSCRIPT

Page 1: Architecting for End-to-End Security in the Enterprise (ARC308) | AWS re:Invent 2013

© 2013 Amazon.com, Inc. and its affiliates. All rights reserved. May not be copied, modified, or distributed in whole or in part without the express consent of Amazon.com, Inc.

ARC308

Architecting for End-to-End Security in the Enterprise

Hart Rossman, Principal Security Consultant

Bill Shinn, Principal Security Solutions Architect

November 14, 2013

Page 2: Architecting for End-to-End Security in the Enterprise (ARC308) | AWS re:Invent 2013

A Typical Enterprise Security Journey:

1. Integrate AWS into the Enterprise Security Strategy

2. Deploy Defense in Depth: Enterprise Security Architecture in the Cloud

3. Convert Strategy to Tactics: Security Playbook

4. Instrument for Operations: Privilege Isolation, Bastion Role, and Auditing Role

[Diagram: Enterprise Security Planning cycle with the labels Strategy, Architecture, Playbook, Operations, and Enterprise Security Operations]

Page 3: Architecting for End-to-End Security in the Enterprise (ARC308) | AWS re:Invent 2013

Enterprise Security Strategy

• Economics

• Strategy

[Diagram: Enterprise Security Planning cycle, as on Page 2]

Page 4: Architecting for End-to-End Security in the Enterprise (ARC308) | AWS re:Invent 2013

Security Economies of Scale

• AWS control objectives idempotent across the entire cloud

• Reduced compliance scope

• Defense in depth layers are variable cost

• Security benefits from automation

Page 5: Architecting for End-to-End Security in the Enterprise (ARC308) | AWS re:Invent 2013

Why Update Your Security Strategy for AWS?

• Communicate the CISO’s intent & Concept of Operations (CONOPS)

• Articulate a vision for the desired end-state

Page 6: Architecting for End-to-End Security in the Enterprise (ARC308) | AWS re:Invent 2013

Enterprise Security Architecture

• Capabilities Framework

• Defense in Depth Architecture

[Diagram: Enterprise Security Planning cycle, as on Page 2]

Page 7: Architecting for End-to-End Security in the Enterprise (ARC308) | AWS re:Invent 2013

Security Capabilities Framework

Anticipate
• Policies and Standards
• Threat Intelligence

Deter
• Access Control
• Network Architecture
• Active Response

Detect
• IDS
• Log analysis
• Alerting
• Security Operations Center

Respond
• Incident Response to Compromise

Recover
• Disaster Recovery/BCP
• Known Good State
• Forensics

Page 8: Architecting for End-to-End Security in the Enterprise (ARC308) | AWS re:Invent 2013

Security Capabilities Framework (same slide as Page 7)

Page 9: Architecting for End-to-End Security in the Enterprise (ARC308) | AWS re:Invent 2013

[Diagram: Defense in Depth architecture matrix; labels recovered from the slide]

Monitoring (Log, Audit, & Analyze; Monitor & Alert)
• CloudWatch
• SNS Notifications
• AWS Abuse Notifications
• Trusted Advisor
• EMR, Redshift Analytics
• S3, CloudFront Access Logs
• AWS CloudTrail
• App Logs
• DB Logs
• OS Logs

Management

Network
• AWS Internet Security
• ELB SSL
• Security Groups
• VPC VPN Gateway
• VPC Subnets
• VPC NACLs
• VPC Routing Tables
• Direct Connect
• Geographic Diversity

Storage & Content
• S3 ACLs, Bucket Policies
• S3, Glacier SSE
• S3 MFA Delete
• Lifecycle Rules
• Client-Side Encryption
• S3, Glacier, CloudFront SSL
• S3 Object Metadata
• Storage Gateway SSL
• CloudFront Signed URLs
• EBS Volume Encryption

Instance
• Auto Scaling
• Host Security Software
• SSH Keys
• Managed Encryption
• Bastion Host
• Bootstrapping AMIs
• CloudFront Load Distro
• Penetration Testing

Database
• Oracle TDE
• MySQL, MS-SQL SSL
• Oracle NNE
• Redshift Cluster Encryption
• RDS Auto Minor Patching
• MS-SQL TDE
• DynamoDB, SimpleDB SSL
• EMR Job Flow Roles

Organize, Deploy, & Manage
• SSL API, CLI, Console
• Access Policy Language
• CloudHSM
• CloudFormation
• Resource Tagging
• Snapshots & Replication
• Route 53

Authenticate & Authorize
• IAM Users, Groups & Roles
• IAM MFA
• Server Certificates
• IAM + STS Federation
• IAM Password Policy

Governance
• AWS Security & Compliance
• AWS Certifications

People
• AWS SA’s & Proserv
• AWS Support
• Security Operations Center

Page 10: Architecting for End-to-End Security in the Enterprise (ARC308) | AWS re:Invent 2013

[Diagram: Defense in Depth architecture matrix, same as Page 9 (this version lists SQL SSL Clients under Database); highlighted item: AWS Certifications]

Page 11: Architecting for End-to-End Security in the Enterprise (ARC308) | AWS re:Invent 2013

[Diagram: Defense in Depth architecture matrix, same as Page 9; highlighted item: Lifecycle Rules]

Page 12: Architecting for End-to-End Security in the Enterprise (ARC308) | AWS re:Invent 2013

Security Capabilities Framework (same slide as Page 7)

Page 13: Architecting for End-to-End Security in the Enterprise (ARC308) | AWS re:Invent 2013

[Diagram: Defense in Depth architecture matrix, same as Page 9]

Page 14: Architecting for End-to-End Security in the Enterprise (ARC308) | AWS re:Invent 2013

[Diagram: Defense in Depth architecture matrix, same as Page 9; highlighted item: SSH Keys]

Page 15: Architecting for End-to-End Security in the Enterprise (ARC308) | AWS re:Invent 2013

[Diagram: Defense in Depth architecture matrix, same as Page 9; highlighted item: Security Groups]

Page 16: Architecting for End-to-End Security in the Enterprise (ARC308) | AWS re:Invent 2013

[Diagram: Defense in Depth architecture matrix, same as Page 9; highlighted item: IAM Users, Groups & Roles]

Page 17: Architecting for End-to-End Security in the Enterprise (ARC308) | AWS re:Invent 2013

[Diagram: Defense in Depth architecture matrix, same as Page 9; highlighted item: Redshift CloudHSM Support]

Page 18: Architecting for End-to-End Security in the Enterprise (ARC308) | AWS re:Invent 2013

Security Capabilities Framework (same slide as Page 7)

Page 19: Architecting for End-to-End Security in the Enterprise (ARC308) | AWS re:Invent 2013

[Diagram: Defense in Depth architecture matrix, same as Page 9]

Page 20: Architecting for End-to-End Security in the Enterprise (ARC308) | AWS re:Invent 2013

[Diagram: Defense in Depth architecture matrix, same as Page 9; highlighted item: Amazon CloudTrail]

Page 21: Architecting for End-to-End Security in the Enterprise (ARC308) | AWS re:Invent 2013

[Diagram: Defense in Depth architecture matrix, same as Page 9; highlighted item: Amazon Elastic MapReduce & Amazon Redshift]

Page 22: Architecting for End-to-End Security in the Enterprise (ARC308) | AWS re:Invent 2013

[Diagram: Defense in Depth architecture matrix, same as Page 9; highlighted item: Security Operations Center]

Page 23: Architecting for End-to-End Security in the Enterprise (ARC308) | AWS re:Invent 2013

Security Capabilities Framework (same slide as Page 7)

Page 24: Architecting for End-to-End Security in the Enterprise (ARC308) | AWS re:Invent 2013

[Diagram: Defense in Depth architecture matrix, same as Page 9]

Page 25: Architecting for End-to-End Security in the Enterprise (ARC308) | AWS re:Invent 2013

[Diagram: Defense in Depth architecture matrix, same as Page 9; highlighted item: Resource Tagging]

Page 26: Architecting for End-to-End Security in the Enterprise (ARC308) | AWS re:Invent 2013

[Diagram: Defense in Depth architecture matrix, same as Page 9; highlighted item: AWS Support]

Page 27: Architecting for End-to-End Security in the Enterprise (ARC308) | AWS re:Invent 2013

Security Capabilities Framework (same slide as Page 7)

Page 28: Architecting for End-to-End Security in the Enterprise (ARC308) | AWS re:Invent 2013

[Diagram: Defense in Depth architecture matrix, same as Page 9]

Page 29: Architecting for End-to-End Security in the Enterprise (ARC308) | AWS re:Invent 2013

[Diagram: Defense in Depth architecture matrix, same as Page 9; highlighted item: Snapshots & Replication]

Page 30: Architecting for End-to-End Security in the Enterprise (ARC308) | AWS re:Invent 2013

(Diagram: the same AWS security feature map repeated; no items differ from the preceding two slides.)

Page 31: Architecting for End-to-End Security in the Enterprise (ARC308) | AWS re:Invent 2013

Defense-in-Depth Architecture (diagram; labels: Corporate Data Center, Internet, Existing Perimeter Security Stack, VPN, Internet Gateway, AWS Direct Connect, Customer GW)

Page 32: Architecting for End-to-End Security in the Enterprise (ARC308) | AWS re:Invent 2013

Network Protection (diagram; VPC tiers: Web Tier, App Tier, Protect Tier, DB Tier; controls: IAM, Route Table, NACL, Internet Gateway, VPN; on-premises side: Corporate Data Center, Internet, Existing Perimeter Security Stack, VPN, AWS DX, CGW)

Page 33: Architecting for End-to-End Security in the Enterprise (ARC308) | AWS re:Invent 2013

Instance Protection (diagram; same tiered VPC as the Network Protection slide) with the Instance controls: Auto Scaling; Host Security Software; SSH Keys; Managed Encryption; Bastion Host; Bootstrapping; AMIs; CloudFront Load Distro; Penetration Testing

Page 34: Architecting for End-to-End Security in the Enterprise (ARC308) | AWS re:Invent 2013

Database Protection (diagram; same tiered VPC) with the Database controls: Oracle TDE; MySQL/MS-SQL SSL; Oracle NNE; Redshift Cluster Encryption; RDS Auto Minor Patching; SQL SSL Clients; DynamoDB/SimpleDB SSL; EMR Job Flow Roles

Page 35: Architecting for End-to-End Security in the Enterprise (ARC308) | AWS re:Invent 2013

In-line Threat Management: Bastion Host (diagram; Web, App, Protect and DB tiers, with the Bastion placed in the Protect Tier)

Page 36: Architecting for End-to-End Security in the Enterprise (ARC308) | AWS re:Invent 2013

In-line Threat Management: IPS/IDS NAT HA (diagram; Web, App, Protect and DB tiers; Availability Zone A and Availability Zone B each contain an IPS NAT Layer with Elastic IPs, EIP 1 to EIP 4, in front of an App Layer)

Page 37: Architecting for End-to-End Security in the Enterprise (ARC308) | AWS re:Invent 2013

(Diagram: complete Defense-in-Depth architecture; Web, App, Protect and DB tiers; IAM, S3, CloudFront, Route Table, NACL, Internet Gateway, VPN; Corporate Data Center, Internet, Existing Perimeter Security Stack, VPN, AWS DX, CGW)

Page 38: Architecting for End-to-End Security in the Enterprise (ARC308) | AWS re:Invent 2013

Security Playbook

• Rehearsed actions

• Task automation

• Document approved configurations

(Sidebar: Enterprise Security Planning: Strategy, Architecture; Enterprise Security Operations: Playbook Operations)

Page 39: Architecting for End-to-End Security in the Enterprise (ARC308) | AWS re:Invent 2013

Why Build a Security Operations Playbook?

• Empower CISO organization to operate their cloud enterprise securely

• Enable CISO business partners to secure deployments and manage mission risk

Page 40: Architecting for End-to-End Security in the Enterprise (ARC308) | AWS re:Invent 2013

Typical Components

• Overview of the AWS service or enterprise process

• Requirements/Dependencies

• Workflow

• Exceptions

Page 41: Architecting for End-to-End Security in the Enterprise (ARC308) | AWS re:Invent 2013

Sample Entry: Amazon S3

Description

• Amazon S3 provides a simple web services interface that can be used to store and retrieve any amount of data, at any time, from anywhere on the web.

Secure Configuration

• Data stored in Amazon S3 is secure by default; only bucket and object owners have access to the Amazon S3 resources they create. For customers who must comply with regulatory standards such as PCI and HIPAA, Amazon S3’s data protection features can be used as part of an overall strategy to achieve compliance.

(Playbook component tracker shown on each sample-entry slide: Overview of the AWS service or enterprise process | Requirements/Dependencies | Workflow | Exceptions)

Page 42: Architecting for End-to-End Security in the Enterprise (ARC308) | AWS re:Invent 2013

Choosing Controls

| | IAM Access Policy | Bucket Policy | ACLs |
|---|---|---|---|
| Granularity | Fine grained | Fine grained | Coarse grained |
| Purpose | Role-based access control (RBAC) | Grant permissions without IAM and provide cross-account access | Grant simple, broad permissions |
| Application | Apply to IAM groups, roles, users | Apply to S3 buckets | Apply to buckets and objects |


Page 43: Architecting for End-to-End Security in the Enterprise (ARC308) | AWS re:Invent 2013

Mapping ACLs to Policy Actions

Bucket ACL: Bucket Policy Actions

• READ: s3:ListBucket, s3:ListBucketVersions, s3:ListBucketMultipartUploads

• WRITE: s3:PutObject, s3:DeleteObject, s3:DeleteObjectVersion (owner only)

• READ_ACP: s3:GetBucketAcl

• WRITE_ACP: s3:PutBucketAcl

• FULL_CONTROL: READ + WRITE + READ_ACP + WRITE_ACP

Object ACL: Object Policy Actions

• READ: s3:GetObject, s3:GetObjectVersion, s3:GetObjectTorrent

• READ_ACP: s3:GetObjectAcl, s3:GetObjectVersionAcl

• WRITE_ACP: s3:PutObjectAcl, s3:PutObjectVersionAcl

• FULL_CONTROL: READ + READ_ACP + WRITE_ACP


Page 44: Architecting for End-to-End Security in the Enterprise (ARC308) | AWS re:Invent 2013

Using Access Policy Conditions

{
  "Id": "S3PolicyId1",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "AWS": "*" },
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::YourBucket/*",
      "Condition": { }
    },
    {
      "Effect": "Allow",
      "Principal": { "AWS": "*" },
      "Action": [
        "s3:PutObject",
        "s3:DeleteObject"
      ],
      "Resource": "arn:aws:s3:::YourBucket/*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": "10.10.1.0/24"
        }
      }
    }
  ]
}


Page 45: Architecting for End-to-End Security in the Enterprise (ARC308) | AWS re:Invent 2013

Enforcing SSL

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Principal": "*",
      "Effect": "Deny",
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::YourBucket/*",
      "Condition": {
        "Bool": {
          "aws:SecureTransport": "false"
        }
      }
    }
  ]
}


Page 46: Architecting for End-to-End Security in the Enterprise (ARC308) | AWS re:Invent 2013

Enable & Enforce SSE

{
  "Version": "2008-10-17",
  "Id": "PutObjPolicy",
  "Statement": [
    {
      "Sid": "DenyUnEncryptedObjectUploads",
      "Effect": "Deny",
      "Principal": {"AWS": "*"},
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::YourBucket/*",
      "Condition": {
        "StringNotEquals": {
          "s3:x-amz-server-side-encryption": "AES256"
        }
      }
    }
  ]
}
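The three policies above (source-IP condition, SSL enforcement, SSE enforcement) can be exercised offline before a playbook approves them. The following is an added example, not code from the talk or from AWS: it models a subset of IAM evaluation (explicit Deny beats Allow, default deny; the Bool, StringEquals, StringNotEquals and IpAddress operators) and runs the slides' statements, combined into one constructed bucket policy, against constructed requests. The request keys and the absent-key behaviour are this example's assumptions.

```python
import fnmatch
import ipaddress
import json

# Constructed bucket policy combining the slides' statements (GetObject allow, Put/Delete
# allow limited to 10.10.1.0/24, SSL deny, SSE deny); "YourBucket" is the slides' placeholder.
POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::YourBucket/*"},
    {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": ["s3:PutObject", "s3:DeleteObject"],
     "Resource": "arn:aws:s3:::YourBucket/*", "Condition": {"IpAddress": {"aws:SourceIp": "10.10.1.0/24"}}},
    {"Effect": "Deny", "Principal": "*", "Action": "s3:*",
     "Resource": "arn:aws:s3:::YourBucket/*", "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    {"Effect": "Deny", "Principal": {"AWS": "*"}, "Action": "s3:PutObject",
     "Resource": "arn:aws:s3:::YourBucket/*",
     "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "AES256"}}}
  ]
}""")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _condition_matches(operator, key, expected, context):
    """Evaluate one condition key against the request context (subset of IAM operators)."""
    expected = [str(v).lower() for v in _as_list(expected)]
    if key not in context:
        # Simplified model of an absent key: only negated operators treat it as a match.
        return operator.startswith("StringNot")
    actual = str(context[key]).lower()
    if operator in ("Bool", "StringEquals"):
        return actual in expected
    if operator == "StringNotEquals":
        return actual not in expected
    if operator == "IpAddress":
        return any(ipaddress.ip_address(actual) in ipaddress.ip_network(c) for c in expected)
    raise ValueError(f"unsupported condition operator: {operator}")

def _statement_applies(stmt, request):
    """A statement applies when action, resource and every condition match."""
    action_ok = any(fnmatch.fnmatchcase(request["action"], p) for p in _as_list(stmt["Action"]))
    resource_ok = any(fnmatch.fnmatchcase(request["resource"], p) for p in _as_list(stmt["Resource"]))
    conditions = stmt.get("Condition", {})
    conditions_ok = all(_condition_matches(op, k, v, request["context"])
                        for op, pairs in conditions.items() for k, v in pairs.items())
    return action_ok and resource_ok and conditions_ok

def evaluate(policy, request):
    """Return 'Allow', 'Deny' (explicit) or 'ImplicitDeny'; an explicit Deny always wins."""
    effects = {s["Effect"] for s in policy["Statement"] if _statement_applies(s, request)}
    if "Deny" in effects:
        return "Deny"
    return "Allow" if "Allow" in effects else "ImplicitDeny"

def s3_request(action, key, https=True, source_ip="10.10.1.25", sse=None):
    """Constructed request context, populated the way S3 fills in these keys."""
    context = {"aws:SecureTransport": https, "aws:SourceIp": source_ip}
    if sse is not None:
        context["s3:x-amz-server-side-encryption"] = sse
    return {"action": action, "resource": f"arn:aws:s3:::YourBucket/{key}", "context": context}
```

A PutObject from inside 10.10.1.0/24 over HTTPS with the AES256 header is allowed, the same upload with a different header or over HTTP is explicitly denied, and one from outside the range falls through to the implicit deny.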


Page 47: Architecting for End-to-End Security in the Enterprise (ARC308) | AWS re:Invent 2013

CloudFormation Template

{
  "AWSTemplateFormatVersion" : "2010-09-09",
  "Description" : "AWS CloudFormation Sample Template for S3 Bucket Policy",
  "Resources" : {
    "S3BucketCFn" : {
      "Type" : "AWS::S3::Bucket",
      "DeletionPolicy" : "Retain"
    },
    "BucketPolicy" : {
      "Type" : "AWS::S3::BucketPolicy",
      "Properties" : {
        "PolicyDocument": {
          "Version" : "2012-10-17",
          "Id" : "MyPolicy",
          "Statement" : [
            {
              "Sid" : "ContributorAccess",
              "Action" : ["s3:GetObject"],
              "Effect" : "Allow",
              "Resource" : { "Fn::Join" : ["", ["arn:aws:s3:::", {"Ref" : "S3BucketCFn"}, "/*"]]},
              "Principal" : { "AWS": "*" }
            },
            {
              "Sid" : "ListAccess",
              "Action" : ["s3:ListBucket"],
              "Effect" : "Allow",
              "Resource" : { "Fn::Join" : ["", ["arn:aws:s3:::", {"Ref" : "S3BucketCFn"}]]},
              "Principal" : { "AWS": "*" }
            },
            {
              "Sid" : "EnforceSSL",
              "Action" : ["s3:*"],
              "Effect" : "Deny",
              "Resource" : { "Fn::Join" : ["", ["arn:aws:s3:::", {"Ref" : "S3BucketCFn"}, "/*"]]},
              "Principal" : { "AWS": "*" },
              "Condition" : { "Bool": {"aws:SecureTransport": false}}
            }
          ]
        },
        "Bucket" : {"Ref" : "S3BucketCFn"}
      }
    }
  },
  "Outputs" : {
    "BucketName" : {
      "Value" : { "Ref" : "S3BucketCFn" },
      "Description" : "Name of newly created S3 bucket"
    }
  }
}

Creates an S3 bucket with a randomized name with the following permissions:

• Allow anyone to LIST the bucket

• Allow anyone to GET objects

• Require SSL encryption in transit


Page 48: Architecting for End-to-End Security in the Enterprise (ARC308) | AWS re:Invent 2013

Keys, Delimiters, and Tags

Using Keys and Delimiters

• S3 tags should not be used to configure permissions to resources

• Instead, use keys and delimiters as described in the previous section to emulate “folder-level permissions”


Page 49: Architecting for End-to-End Security in the Enterprise (ARC308) | AWS re:Invent 2013

Operations

Privilege Isolation & Roles (Refresher)

• IAM Role – Bastion Host

• IAM Role – Auditing Role

(Sidebar: Enterprise Security Planning: Strategy, Architecture; Enterprise Security Operations: Playbook Operations)

Page 50: Architecting for End-to-End Security in the Enterprise (ARC308) | AWS re:Invent 2013

Privilege Isolation (diagram; scopes shown: AWS Account, IAM User/Group/Role, Region, Amazon VPC, Security Group, API Call, Resource)


Page 51: Architecting for End-to-End Security in the Enterprise (ARC308) | AWS re:Invent 2013

IAM / Security Token Service

• STS AssumeRole

• Valid token for one hour

• Returns access key ID, secret access key, and security token


Page 52: Architecting for End-to-End Security in the Enterprise (ARC308) | AWS re:Invent 2013

Privilege Isolation / Resources

Resource Permissions by Service (by API call)

http://docs.aws.amazon.com/IAM/latest/UserGuide/Using_SpecificProducts.html

• Amazon DynamoDB (tables and indexes)

• AWS Elastic Beanstalk (application, applicationversion, solutionstack)

• Amazon EC2 (instance, security group, dhcp options, nacl, route table, gateways, volumes)

• Amazon Glacier (vault)

• AWS IAM (signing credentials, group, …)

• Amazon Redshift (cluster, parameter group, security group, snapshot, subnet group)

• Amazon RDS

• Amazon Route53 (hosted zone)

• Amazon S3 (bucket)

• Amazon SNS (topic)

• Amazon SQS (queue)


Page 53: Architecting for End-to-End Security in the Enterprise (ARC308) | AWS re:Invent 2013

IAM Roles / EC2

• Role

• Instance Profile

• Identity for the instance itself

• Available to all applications and users on the host


Page 54: Architecting for End-to-End Security in the Enterprise (ARC308) | AWS re:Invent 2013

IAM Roles / Instance Metadata Service

• Entitlements of credentials => IAM role

• Short-life & expiration of credentials provided by STS

• Managed rotation

• No stored credentials!


Page 55: Architecting for End-to-End Security in the Enterprise (ARC308) | AWS re:Invent 2013

Bastion Host Configuration

• Eliminates need for individual IAM credentials

• Reduces or eliminates need for federation

• Combine with auditing of shell commands

• Control access by host / purpose


Page 56: Architecting for End-to-End Security in the Enterprise (ARC308) | AWS re:Invent 2013

Security Auditing Configuration

• Read-only access to AWS assets

• Census picture of all assets (feed scanning & SIEM reconciliation)

• RDS & Redshift query and connection auditing

• Change detection of vital objects


Page 57: Architecting for End-to-End Security in the Enterprise (ARC308) | AWS re:Invent 2013

Security Auditing / EC2 Read-only Policy

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "ec2:DescribeAddresses",
        "ec2:DescribeImageAttribute",
        "ec2:DescribeImages",
        "ec2:DescribeInstanceAttribute",
        "ec2:DescribeInstanceStatus",
        "ec2:DescribeInstances",
        "ec2:DescribeNetworkInterfaceAttribute",
        "ec2:DescribeNetworkInterfaces",
        "ec2:DescribeSecurityGroups",
        "ec2:DescribeSubnets"
      ],
      "Resource": [
        "*"
      ],
      "Effect": "Allow"
    }
  ]
}


Page 58: Architecting for End-to-End Security in the Enterprise (ARC308) | AWS re:Invent 2013

Security Auditing / RDS Read-only Policy

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "rds:DescribeDBInstances",
        "rds:DescribeDBLogFiles",
        "rds:DescribeDBParameterGroups",
        "rds:DescribeDBParameters",
        "rds:DownloadDBLogFilePortion"
      ],
      "Resource": [
        "*"
      ],
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "rds:db-tag/environment": [
            "prod",
            "dr"
          ]
        }
      }
    }
  ]
}
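Before the auditing role's policies (the EC2 and RDS read-only documents above) are applied, a playbook step can lint them. The following is an added example, not code from the talk: it parses a policy document, reports any allowed action that is not read-only (Describe/Get/List, plus Download for rds:DownloadDBLogFilePortion), checks that Version sits at the top level, and rejects unknown condition operators such as the "streq" spelling shown on the slide, which IAM does not recognise (StringEquals is the operator). The read-only regex and the operator list are this example's own assumptions.

```python
import json
import re

# Condition operators IAM accepts (without the optional IfExists suffix and
# ForAnyValue:/ForAllValues: set prefixes, which the linter strips before checking).
_OPERATORS = {
    "StringEquals", "StringNotEquals", "StringEqualsIgnoreCase", "StringNotEqualsIgnoreCase",
    "StringLike", "StringNotLike", "NumericEquals", "NumericNotEquals", "NumericLessThan",
    "NumericLessThanEquals", "NumericGreaterThan", "NumericGreaterThanEquals", "DateEquals",
    "DateNotEquals", "DateLessThan", "DateLessThanEquals", "DateGreaterThan",
    "DateGreaterThanEquals", "Bool", "BinaryEquals", "IpAddress", "NotIpAddress",
    "ArnEquals", "ArnLike", "ArnNotEquals", "ArnNotLike", "Null",
}
# Actions an auditing role may be allowed: Describe/Get/List plus Download, which the
# slides' RDS policy needs for rds:DownloadDBLogFilePortion (assumption of this example).
_READ_ONLY = re.compile(r"^[a-z0-9-]+:(Describe|Get|List|Download)[A-Za-z0-9]*$")

# Constructed sample: the slide's RDS read-only policy, including its "streq" operator.
SLIDE_RDS_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [{
    "Action": ["rds:DescribeDBInstances", "rds:DownloadDBLogFilePortion"],
    "Resource": ["*"],
    "Effect": "Allow",
    "Condition": {"streq": {"rds:db-tag/environment": ["prod", "dr"]}}
  }]
}"""

def _as_list(value):
    return value if isinstance(value, list) else [value]

def lint_audit_policy(text):
    """Return findings for an auditing (read-only) policy document; an empty list means clean."""
    try:
        policy = json.loads(text)
    except json.JSONDecodeError as exc:
        # A trailing comma or a missing bracket surfaces here before any semantic check.
        return [f"invalid JSON: {exc.msg} at line {exc.lineno}"]
    findings = []
    if policy.get("Version") != "2012-10-17":
        findings.append("Version 2012-10-17 missing at the top level of the document")
    for index, stmt in enumerate(_as_list(policy.get("Statement", []))):
        label = stmt.get("Sid") or f"statement {index}"
        if "Version" in stmt:
            findings.append(f"{label}: Version belongs at the top level, not inside a statement")
        if stmt.get("Effect") == "Allow":
            for action in _as_list(stmt.get("Action", [])):
                if not _READ_ONLY.match(action):
                    findings.append(f"{label}: action {action!r} is not read-only")
        for operator in stmt.get("Condition", {}):
            base = re.sub(r"^(ForAnyValue|ForAllValues):", "", operator)
            base = re.sub(r"IfExists$", "", base)
            if base not in _OPERATORS:
                findings.append(f"{label}: unknown condition operator {operator!r}")
    return findings
```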


Page 59: Architecting for End-to-End Security in the Enterprise (ARC308) | AWS re:Invent 2013

What to do after re:Invent

• Update security strategy and vision

• Map AWS features to strategic initiatives

• Integrate AWS into your security operations

• Document privilege isolation architecture

• Begin transition to IAM roles for EC2

• Enable IAM auditing role

Page 60: Architecting for End-to-End Security in the Enterprise (ARC308) | AWS re:Invent 2013

References

• Updated Security Best Practices Whitepaper http://media.amazonwebservices.com/AWS_Security_Best_Practices.pdf

• AWS Compliance Center https://aws.amazon.com/compliance

• AWS Security Center https://aws.amazon.com/security

• AWS Security Blog http://blogs.aws.amazon.com/security/

Page 61: Architecting for End-to-End Security in the Enterprise (ARC308) | AWS re:Invent 2013

Re:Invent Related Sessions

• Come talk security with AWS - Thursday, 4-6pm in the Toscana 3605 room

• SEC308 Auto-Scaling Web Application Security and AWS - Thursday, 4:15pm

• SEC402 Intrusion Detection in the Cloud -Thursday, 5:30pm

• SEC304 Encryption and Key Management in AWS - Friday 9:00am

• SEC306 Implementing Bulletproof HIPAA Solutions on AWS - Friday, 11:30am

Page 62: Architecting for End-to-End Security in the Enterprise (ARC308) | AWS re:Invent 2013

Please give us your feedback on this presentation

As a thank you, we will select prize winners daily for completed surveys!

ARC308