architecting security and governance across multi accounts

Architecting Security and Governance Across a Multi-Account Strategy

Dave Walker, Specialist Solutions Architect, Security and Compliance

Whattoexpectfromthesession

• "EverythingStartswithaThreatModel"• ControlMapping• ExistingMulti-AccountStrategies,andMulti-AccountPlanning• Organizations• BaseliningIndividualAccounts• PuttingitTogether

“StartHere”

“Everythingstartswithathreatmodel”

• STRIDE,DREAD,others• Identify:

• Actors• Vectors• “Badstuffthatcouldhappenwhenbadpeoplegetcreative”• Probabilitiesandconsequencesofbadstuffhappening

• Applytechnicalandproceduralmitigations• AllthewayuptheOSIstack,fromnetworktoapplication

• DanIonita's "Gazetteerofthreat/riskmodellingframeworks":http://eprints.eemcs.utwente.nl/23767/

“Everythingstartswithathreatmodel”

• Constrainscopeofpotentialthreatstoindividualaccounts• Planforincidentresponseandforensics• Protectyourlogrecordsfromtamperingandunauthorised reads

WhatAWSMeansby"Governance"

SecurityRisk ComplianceGovernance

Attackvectors• Application-levelandAPI-levelattacks

• “Ifittakesinput,itlikelyhasanin-bandattackvector”• “Ifithasacontrolpoint,itlikelyhasanout-of-bandattackvector”• “Evenifitdoesn’titselfhaveausefulcompromise,itmightbeauseful

propagationvector”

• Asuccessfulattack=disruptionorcorruptionofserviceoutput,orreductioninresponsivenesstofutureservicecalls,orbeingaconduitof“badcontent”tovulnerableconsumersoftheservice

• ConsidertheOWASPTop10andotherapplication-levelattacks

ControlMapping

Why a Mapping of Security Controls?

• PCI-DSS• standards for merchants which process credit card payments and

have strict security requirements to protect cardholder data. A point-in-time certification.

• SOC 1-3• designed by the “big 4” auditors as an evolution of SSAE16, SAS70

etc, and to address perceived shortcomings in ISO27001. A continuous-assessment certification, covering process and implementation.

• ISO 27001• outlines the requirements for Information Security Management

Systems. A point-in-time certification, but one which requires mature processes.

General Headings:• Infrastructure meta-security• Host security• Network security• Logging and Auditing• Resilience• User Access Control and Management• Cryptography and Key Management• Incident Response and Forensics• “Anti-Malware”• Separation of Duty• Data Lifecycle Management• Geolocation• Anti-DDoS

“Can our current Security Functions be mapped onto AWS?”

AWS Environment Management

Logging and AuditingAsset ManagementManagement Access ControlConfiguration Management

Configuration

Monitoring

AWS CloudTrailAWS Config, APIAWS IAM, OrganizationsWeb ConsoleAWS CloudFormationAWS OpsWorksCLIAPISDKsAmazon CloudWatch

“Can our current Security Functions be mapped onto AWS?”Network

AWS to Customer NetworksLayer 2 Network SegregationStateless Traffic ManagementIPsec VPNFirewall/ Layer 3 Packet FilterIDS/IPS

Managed DDoS Prevention

Internet and/or Direct ConnectAmazon VPCNetwork Access Control ListsVPC VGW, MarketplaceSecurity GroupsAWS CloudTrail, CloudWatchLogs,SNS, VPC Flow LoggingIncluded in Amazon CloudFront

“Can our current Security Functions be mapped onto AWS?”

Encryption, Key Management

Data-In-FlightVolume EncryptionObject EncryptionKey ManagementDedicated HSMsDatabase Encryption

IPsec or TLS or your own Amazon EBS EncryptionAmazon S3 Encryption (Server and Client Side)

AWS Key Management ServiceAWS CloudHSMTDE (RDS / Oracle EE)Encrypted Amazon EBS (with KMS)Encrypted Amazon Redshift

“Can our Current Security Functions be mapped onto AWS?”

Data Management

Hierarchical StorageDeletion ProtectionVersioningArchiving

Amazon S3 Lifecycle Amazon S3 MFA DeleteAmazon S3 VersioningAmazon Glacier (optionally, with Vault Lock)


Host / Instance Security

Traditional ControlsInstance ManagementIncident ManagementAsset ManagementInstance Separation

Traditional Controls (mostly)Delete-and-promoteMore alternatives!“What the API returns, is true”PCI Level 1 HypervisorDedicated Instances


Logging, Analysis, Alerting

Traditional OS Sources

Database Logs

Traditional OS SourcesCloudWatch LogsEC2 Systems Manager InventoryRDS / Redshift Logs

Logs→metrics→alerts→actions

AWS Config

CloudWatch / CloudWatch Logs

CloudWatch alarms

AWS CloudTrail

Amazon EC2 OS logs

Amazon VPC Flow Logs

Amazon SNS

email notification

HTTP/S notification

SMS notifications

Mobile push notifications

APIcallsfrommostservices

MonitoringdatafromAWSservices

Custommetrics

ExistingMulti-AccountStrategies,andMulti-AccountPlanning

TheStorySoFar• MASCOT

• fullyrole- andidentity-managedimplementationfromProServe• PresentedatRe:Invent 2016SAC319

(https://www.youtube.com/watch?v=pqq39mZKQXU),SAC320(https://www.youtube.com/watch?v=xjtSWd8z_bE)

• BertramDorn'sworkfrom2014• similarstructure,butanumberofdifferences• https://youtu.be/CNSaJs7pWjA

• NeithercoversOrganizations(quiteyet)• MASCOThascoverageforKMS

WhatNeedsSegregatingfromWhat?• Obviouscasesfirst:

• ReadaccesstoBillingandLogrecordsfromeveryone,exceptAuditorsandSecurity• ...andeventhen,accessshouldbelimitedtoappropriatecases• considerevidentialweight

• ProdfromDev,TestandStaging• rememberKnightCapital?• also"bugringfencing"

• Compliancein-scopefromout-of-scope• auditorsneedtoseeahardscopeboundary• youwillwanttokeepin-scopeenvironmentsassmallaspossible• usebothAWSAccountsandVPCsforthis

• Lessobviouscases:• Lookatyourownorgchartandbodyofpolicies• ConsiderhowSeparationofDutyandNeedtoKnowoperate

• bothwithinandbetweendepartments

• Withinorgcharts,policy,compliancescoping,andtheneedtoringfence devaccountswherebugscouldimpactAPIaccess,liestheanswersto"howmany:

• AWSOrganizations• KMSCMKs• AWSaccounts

• ...doIneed?"

WhatNeedsSegregatingfromWhat?

Organizations

Inthebeginning…Your AWS Account

You

TodayJump

Account

Your Cloud Team

Dev Account

Prod Account

Data Science Account

Audit Account

Cross Account Trusts

CrossAccountResourceAccess

You

Whatdocustomerswanttodo?

UseAWSaccountboundariesfor

isolation.

Centrallymanagepoliciesacrossmanyaccounts.

Delegatepermissions,but

maintainguardrails.

Seecombinedviewofallcharges.

IntroducingAWSOrganizations

ControlAWSserviceuseacrossaccounts

Policy-basedmanagementformultipleAWSaccounts.

ConsolidatebillingAutomateAWSaccountcreation

TypicalUseCases• ControltheuseofAWSservicestohelpcomplywithcorporatesecurityandcompliancepolicies.

• ServiceControlPolicies(SCPs)helpyoucentrallycontrolAWSserviceuseacrossmultipleAWSaccounts.

• Ensurethatentitiesinyouraccountscanuseonlytheservicesthatmeetyourcorporatesecurityandcompliancepolicyrequirements.

• AutomatethecreationofAWSaccountsfordifferentresources.

• APIdrivenAWSaccountcreation.• UseAPIstoaddthenewaccounttoagroupandattach

servicecontrolpolicies.• UseAPIresponsetotriggeradditionalautomation(eg

deployCloudFormation template)

TypicalUseCases

• Createdifferentgroupsofaccountsfordevelopmentandproductionresources.

• Organise groupsintoahierarchy.• Applydifferentpoliciestoeachgroup.• Alternatively,groupaccordingtolines-of-businessor

otherdesireddimensions.

TypicalUseCases

KeyFeatures

• PolicyframeworkformultipleAWSaccounts.• Group-based accountmanagement.• AccountcreationandmanagementAPIs.• Consolidatedbilling forallAWSaccountsinyourorganization.• EnableConsolidatedBillingOnly orAllFeatures.

HowisOrganizationsdifferentfromIAM?

• CreategroupsofAWSaccounts withAWSOrganizations.• UseOrganizationstoattachSCPs tothosegroupstocentrallycontrol

AWSserviceuse.• EntitiesintheAWSaccountscanonlyusetheAWSservicesallowed

byboth theSCPandtheAWSIAMpolicyfortheaccount.

Howtogetstarted?

• Revisitorcreateyouraccountsegmentationstrategy.• Decide whichtypeoforganizationisrightforyou.• Organize yourAWSaccountsaccordingtoit.• Test&begintoapplySCPsslowly.• Iterate onSCPstoachieveyourdesiredstate.

Pricing&Availability

• Availableat noadditionalcharge.• Globalservice.• AccessedthroughendpointinN.Virginiaregion.

ServiceControlPolicies(SCPs)

• EnablesyoutocontrolwhichAWSserviceAPIsareaccessible- DefinethelistofAPIsthatareallowed– whitelisting- DefinethelistofAPIsthatmustbeblocked– blacklisting

• Cannotbeoverriddenbylocaladministrator• ResultantpermissiononIAMuser/roleistheintersectionbetween

theSCPandassignedIAMpermissions• Necessarybutnotsufficient• IAMpolicysimulatorisSCPaware

{

"Version": "2012-10-17",

"Statement": [{

"Effect": "Allow",

"Action": "*",

"Resource": "*"

},

{

"Effect": "Deny",

"Action": "redshift:*",

"Resource": "*"

}

]

}

{

"Version": "2012-10-17",

"Statement": [{

"Effect": "Allow",

"Action": [

"ec2:RunInstances",

"ec2:DescribeInstances",

"ec2:DescribeImages",

"ec2:DescribeKeyPairs",

"ec2:DescribeVpcs",

"ec2:DescribeSubnets",

"ec2:DescribeSecurityGroups"

],

"Resource": "*"

} ] }

Blacklistingexample Whitelistingexample

Bestpractices– AWSOrganizations

1. MonitoractivityinthemasteraccountusingCloudTrail2. Donotmanageresourcesinthemasteraccount3. Manageyourorganizationusingtheprincipalof“Leastprivilege”4. UseOUstoassigncontrols5. TestcontrolsonsingleAWSaccountfirst6. Onlyassigncontrolstorootoforganizationifnecessary7. Avoidmixing“whitelisting”and“blacklisting”SCPsinorganization8. CreatenewAWSaccountsfortherightreasons

MoreonSCPs• ServiceControlPolicies• ...whichlooklikeIAMpolicies

• (butwithoutsupportforConditions,inv1.0)

• ImposedbyMasteraccountonchildaccounts• essentiallyconcatenatewithper-child-accountIAMpolicies• Allows/Deniesaccesstospecificper-serviceAPIcalls,orwholeservices• aswithIAMpolicies,asingleexplicitDenyoverridesanynumberofexplicit

Allows

• But:theyarealsoappliedtotherootuserinthechildaccount• Here'swherewegetintoMandatoryAccessControl!J

MoreonSCPs• Also:

• youdon'thavetoapplyanSCPbefore youpopulateyouraccountwithassets...

• thislendstheideaof"immutableinfrastructure"tootherservices,fromthepointofviewofthechildaccounts

• (includingServerless)• eg:

• S3websiteswhichcan'thavetheircontentschanged• Lambdafunctionswhichareinvoke-only"blackboxes"• ACMcert/keypairswhichcan'tbedeleted• PreventCloudTrail,Config everbeingturnedoff• ...

MoreonSCPs• InPractice:

• theimposeroftheSCPintheMasteraccountgetsnoprivilegeinthechildaccount'sservice,asafunctionofthiscapability

• thismakesSCPsaneat2-personrulemechanism,too

BaseliningIndividualAccounts

IndustryBestPracticesforSecuringAWSResources

CISAmazonWebServicesFoundationsArchitectureagnosticsetofsecurityconfigurationbestpracticesprovidesset-by-stepimplementationandassessmentprocedures

CISAWSFoundationAutomationismostlythere...

NowAddanIncidentResponseBaseline:• HaveasmallNACLed subnetperAZ,perVPCforisolationofmisbehaving

instances• fliptheirENIstoit,asneeded

• HaveaForensicsroleliketheAuditrole,per-account• read-onlyaccessto(essentially)everything

• HavearunbooksoaForensicInvestigatorcanworkwiththenetworkadminteamto:• provisionaforensicworkstationAMIontotheisolationsubnet• openaholeintheNACLtotheworkstationfromanappropriatebastion

(oruseRunCommandtoremotelyoperateforensicCLItools)

PotentialFurtherExtensions

• EC2SystemsManager• Inventory:likeOSQuery• StateManager:likeOpenSCAP

• DMZs• Bastions• Managementnetworks

AWSEnterpriseAccelerator:ComplianceArchitectures

SampleArchitecture–SecurityControlsMatrixCloudformationTemplates

5xtemplatesUserGuide

http://docs.aws.amazon.com/quickstart/latest/accelerator-nist/welcome.html

PuttingitTogether

BillingRecords HandledbyOrganizationsMasterItemDescription

UsageStartDate

UsageEndDate

UsageQuantity

CurrencyCode

CostBeforeTax

Credits

TaxAmount

TaxType

TotalCost

$0.000perGB- regionaldatatransferunderthemonthlyglobalfreetier

01.04.1400:00

30.04.1423:59 0.00000675 USD 0.00 0.0

0.000000 None

0.000000

$0.05perGB-monthofprovisionedstorage- USWest(Oregon)

01.04.1400:00

30.04.1423:59

1.126.666.554 USD 0.56 0.0

0.000000 None

0.560000

First1,000,000AmazonSNSAPIRequestspermontharefree

01.04.1400:00

30.04.1423:59 10.0 USD 0.00 0.0

0.000000 None

0.000000

First1,000,000AmazonSQSRequestspermontharefree01.04.1400:00

30.04.1423:59 4153.0 USD 0.00 0.0

0.000000 None

0.000000

$0.00perGB- EU(Ireland)datatransferfromUSWest(NorthernCalifornia)

01.04.1400:00

30.04.1423:59 0.00003292 USD 0.00 0.0

0.000000 None

0.000000

$0.000perGB- datatransferoutunderthemonthlyglobalfreetier

01.04.1400:00

30.04.1423:59 0.02311019 USD 0.00 0.0

0.000000 None

0.000000

First1,000,000AmazonSNSAPIRequestspermontharefree

01.04.1400:00

30.04.1423:59 88.0 USD 0.00 0.0

0.000000 None

0.000000

$0.000perGB- datatransferoutunderthemonthlyglobalfreetier

01.04.1400:00

30.04.1423:59 3.3E-7 USD 0.00 0.0

0.000000 None

0.000000

AWSCloudTraillogscanbedeliveredcross-account

CloudTrailcanhelpachievemanytasksAccountscansendtheirtrailstoacentralaccountCentralaccountcanthendoanalyticsCentralaccountcan:‣ Redistributethetrails‣ Grantaccesstothetrails‣ FilterandreformatTrails(tomeetprivacy

requirements)

S3 Subtleties

• S3 write-only cross-account sharing• Share write-only (no reading or listing of contents) from owner account

via bucket policy• Writer accounts have IAM permissions to write

Multi-AccountAggregationofDeliveredData

Region1

Region2

Region3

CommonS3bucket

AmazonS3policiesshouldpermitaccountstowriteConfig data

SNSTopic:Region1

SNSTopic:Region2

SNSTopic:Region3

CommonSQSqueue

AmazonSQS/AmazonSNSpublish/subscribepermissionsshouldbeset

StagingandMaskingLogs• WecanmaskPIIinCloudTraillogs

• BertramDorn hasaLambdafunctionforit• OriginallyintendedasaproposaltoaddressconsiderationsinupcomingGermanprivacy

law• Canbegeneralised tootherconsistentAWSlogformats

StagingandMaskingLogs• Extendittomaskrelevantfieldsin:

• CloudWatch logs• ELB,CloudFront,AmazonVPCflowlog,etc.records

• ...allofwhichuseCloudWatch Logs

• IfweuseCloudWatch Events,wecanuseaLambdafunctiontolandourlogsinalocalS3bucket,thenuseacross-accountLambdafunctiontomask-and-forward

• Config recordscanbeforwardedas-is

StagingandMaskingLogs

• FlowLogsetc• inCWLogs

Local maskingLambda

Local S3 bucket Cross-acctLambda

Consolidated logs bucket

LogAnalytics• Splunk,SumoLogic,otherAWSMarketplaceproducts• ElasticSearch andKibana

• https://aws.amazon.com/blogs/security/how-to-optimize-and-visualize-your-security-groups/

• Athena• "RunSQLagainstS3"

• QuickSight• IntendedforBusinessIntelligence,butbendabletopurpose...?

On-premise

bucket

AWS Account: Bill Aggregation

IdP server

Organization member account

Organization non-member account

API Endpoints

Read-only, read-all flow

API and IAM call flow

Logging traffic flow

Billing traffic flow

On-premise

bucket

AWS Account: Bill Aggregation

IdP server

AWSOrganizationsOrganization member

account


API Endpoints





On-premise

AWSLambda

role

bucket

AWS Account: Bill Aggregation and Anonymisation

bucket

IdP server


account


API Endpoints

AWS Account: Anonymised Bills





AWS Account: Log aggregation

On-premise

bucket

AWSLambda

role

bucket


bucket

IdP server


account


API Endpoints






On-premise

AWSLambda

role

bucketbucket

AWS Account: Anonymised Logs

AWSLambda

role

bucket


bucket

IdP server


account


API Endpoints

AWS Account: Log aggregation and anonymisation






role

On-premise

AWSLambda

role

bucketbucket


AWSLambda

role

bucket


bucket

AWS IAM

IdP server


account


AWS Account: IAM Federation

API Endpoints







role

On-premise

AWSLambda

role

bucketbucket


AWSLambda

role

bucket


bucket

AWS IAM

IdP server


account



API Endpoints

AWS Account: Security Team

AWS IAMScanningtools

Forensicstools







AWS Account: Resources

AWS IAM

role

On-premise

AWSLambda

role

bucketbucket


AWSLambda

role

bucket


bucket

AWS IAM

IdP server

AWS KMS


account



API Endpoints



Forensicstools








AWS IAM

role

On-premise

AWSLambda

role

bucketbucket


AWSLambda

role

bucket


bucket

AWS IAM

IdP server

AWS IAMAWS Account: Resources

AWS KMS


account



API Endpoints

AWS KMS



Forensicstools








AWS IAM

role

On-premise

AWSLambda

role

bucketbucket


AWSLambda

role

bucket


bucket

AWS IAM

IdP server

AWS IAMAWS Account: ResourcesAWS IAM

AWS KMS

AWSOrganizations

LDAP

AWS Account: SharedSvcs

AWSCloudHSM




API Endpoints

AWS KMSInternalDNS

Scanningtools



Forensicstools








AWS IAM

role

On-premise

AWSLambda

role

bucketbucket


AWSLambda

role

bucket


bucket

AWS IAM

IdP server

AWS Account: Audit(Internal)

AWS IAMAWS Account: ResourcesAWS IAM

AWS KMS

AWSOrganizations

LDAP


AWSCloudHSM




API Endpoints

AWS KMSInternalDNS

Scanningtools



Forensicstools



Amazon QuickSight






AWS IAM

role

On-premise

AWSLambda

role

bucketbucket


AWSLambda

role

bucket


bucket

AWS IAM

IdP server



AWS Account: Audit(External)

AWS IAM

AWS KMS

AWSOrganizations

LDAP


AWSCloudHSM

AmazonAthena




API Endpoints

AWS KMSInternalDNS

Scanningtools



Forensicstools



Amazon QuickSight






AWS IAM

role

On-premise

AWSLambda

role

bucketbucket


AWSLambda

role

bucket


bucket

AWS IAM

IdP server




AWS Account: Regulator

AWS IAM

AWS KMS

AWSOrganizations

LDAP


AWSCloudHSM

AmazonAthena

Amazon Redshift*




API Endpoints

AWS KMSInternalDNS

Scanningtools



Forensicstools



Amazon QuickSight






AWS IAM

role

On-premise

AWSLambda

role

bucketbucket


AWSLambda

role

bucket


bucket

AWS IAM

IdP server





AWS IAM

AWS KMS

AWSOrganizations

LDAP


AWSCloudHSM

AmazonAthena

Amazon Redshift*

AWS Account: Incident Response




API Endpoints

AWS KMSInternalDNS

Scanningtools



Forensicstools



Amazon QuickSight






AWS IAM

role


On-premise

AWSLambda

role

bucketbucket


AWSLambda

role

bucket


bucket


AWS IAM

IdP server





AWS IAM

AWS KMS

AWSOrganizations

LDAP


AWSCloudHSM

AmazonAthena

Amazon QuickSight

Amazon Redshift*

bucket

AWS Account: Forensic Repo

AWS Account: Incident Response

bucketAWS Account: Forensic Working Repo








API Endpoints

AWS KMSInternalDNS

Scanningtools



Forensicstools

Compliance Enablers: https://aws.amazon.com/compliance/compliance-enablers/

Risk & Compliance Whitepaper: https://aws.amazon.com/whitepapers/overview-of-risk-and-compliance/

Compliance Centre Website: https://aws.amazon.com/compliance

Security Centre: https://aws.amazon.com/security

Security Blog: https://blogs.aws.amazon.com/security/

Well-Architected Framework: https://aws.amazon.com/blogs/aws/are-you-well-architected/

AWS Audit Training: [email protected]

HelpfulResources

The Shared Security Model in Detail: https://youtu.be/RwUSPklR24M

IAM Recommended Practices: https://youtu.be/R-PyVnhxx-U

Encryption on AWS: https://youtu.be/DXqDStJ4epE

Securing Serverless Architectures: https://www.youtube.com/watch?v=8mpTpOXmws8

HelpfulVideos

Thank you!