AWS & Infrastructure Hardening - Cloud Infrastructure Security

Post on 13-Feb-2017




  • AWS & Infra Hardening
    May 17, 2016

    Maqbul Khan, Sr. Technical Consultant, Minjar
    A product by

  • Our Request
    On mute mode till Q/A
    Last 15 minutes of the webinar

  • Agenda
    - Access, Authorization & Revoke
    - AWS Account Security
    - Network Security
    - Infrastructure Security
    - Security Audit
    - Lock down your production: No Man's Land

  • About Us
    Minjar: Cloud Automation and Solutions for AWS. AWS architectures, managed cloud, DevOps, CloudOps.
    Botmetric: Intelligent Cloud Platform for AWS cost management, infrastructure audit and DevOps automation for AWS Cloud; sold as a SaaS product.

  • AWS & Infrastructure Hardening

  • Access, Authorization & Revoke

    What is AAR?
    - Make sure an access inventory is maintained
    - Every access has been given upon authorization
    - Access has to be revoked immediately when there is no longer a need for it

    Why do we need AAR?
    - Different organizations have different departments, teams and partners

  • Access, Authorization & Revoke
    Let's take a scenario: an organization has an AWS account and infrastructure, and possibly these teams:
    - On-shore IT team
    - Off-shore development team
    - Managed service CloudOps / DevOps team

    So how do we manage and secure the AWS account and infrastructure?

  • Access, Authorization & Revoke
    - AWS account
    - AWS console access
    - Different AWS services

  • AWS Account Security
    How do we make sure our AWS account is secured?

  • AWS Account Security
    Users
    - Enable MFA
    - Don't create an access key & secret key unless required
    - Check when the last access activity was performed by the user
    - Review access keys and secret keys
    - Remove old keys which users don't use
    - If users are not using their access keys / secret keys, it is recommended to remove them
    - Enable API protection on the resources
    - Rotate keys after every certain period of time

  • AWS Account Security
    Roles
    - For resources
    - Use switch roles

    Groups
    - Create different groups with different permissions for different teams and add the users to those groups, i.e. development teams need access only to specific resources
    - Create a group for the dev team
    - Create a policy using tags

    Let's look at the example

  • AWS Account Security: Example
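As an added example (not from the slides, and not Minjar's or Botmetric's code), here is what "create a group for the dev team" and "create a policy using tags" look like in Python: one function builds a team-scoped IAM policy whose state-changing EC2 actions are limited by the `ec2:ResourceTag` condition key, and a second function implements the "avoid granting access to all resources" audit item by flagging Allow statements that grant everything without a Condition. The tag key `Team`, the value `dev`, the chosen instance actions and the function names are assumptions for illustration.

```python
import json

# Assumed for this example: instances are tagged Team=<team name>.
TEAM_TAG_KEY = "Team"


def team_policy(team="dev"):
    """Build an IAM policy document for a team group.

    ec2:Describe* is left on Resource "*" because EC2 Describe actions do not
    support resource-level permissions; the start/stop/reboot actions are
    restricted to instances carrying the team tag.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DescribeOnly",
                "Effect": "Allow",
                "Action": ["ec2:Describe*"],
                "Resource": "*",
            },
            {
                "Sid": "ManageOwnTeamInstances",
                "Effect": "Allow",
                "Action": [
                    "ec2:StartInstances",
                    "ec2:StopInstances",
                    "ec2:RebootInstances",
                ],
                "Resource": "arn:aws:ec2:*:*:instance/*",
                "Condition": {
                    "StringEquals": {f"ec2:ResourceTag/{TEAM_TAG_KEY}": team}
                },
            },
        ],
    }


def _as_list(value):
    """IAM accepts a string or a list for Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def overbroad_statements(policy):
    """Return the Sids of Allow statements that grant every action ("*"), or a
    whole service ("s3:*") on every resource, with no Condition narrowing them.
    A read-only Describe* on "*" is deliberately not reported."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or "Condition" in stmt:
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        every_action = "*" in actions
        whole_service = any(a.endswith(":*") for a in actions)
        every_resource = "*" in resources
        if every_action or (whole_service and every_resource):
            findings.append(stmt.get("Sid", "<no Sid>"))
    return findings


if __name__ == "__main__":
    policy = team_policy("dev")
    print(json.dumps(policy, indent=2))
    print("overbroad statements:", overbroad_statements(policy))
```

The policy document printed by the block is the one you would attach to the dev team's group; `overbroad_statements` is the kind of check the later "Security Audit" slides ask to automate, run over every customer-managed policy in the account.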

  • Network Security
    - Create a secure VPC design
    - Use private & public subnets
    - Use multiple VPCs to create a single entry point
    - Enable VPC Flow Logs
    - Network ACLs
    - Security Groups
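The slide recommends enabling VPC Flow Logs but does not show what you do with them. As an added example (not part of the presentation), this Python parses records in the default flow log format and summarises which addresses outside the VPC reached the SSH port and whether the security group or NACL accepted or rejected them. The log lines, the account id, the VPC CIDR `10.0.0.0/16` and the allow list are constructed for the example.

```python
import ipaddress
from collections import Counter

# Constructed sample records in the default VPC flow log format (version 2):
# version account-id interface-id srcaddr dstaddr srcport dstport protocol
# packets bytes start end action log-status
SAMPLE_FLOW_LOGS = """\
2 111111111111 eni-0a1b2c3d 203.0.113.7 10.0.1.25 51234 22 6 3 180 1463443200 1463443260 REJECT OK
2 111111111111 eni-0a1b2c3d 203.0.113.7 10.0.1.25 51235 22 6 3 180 1463443260 1463443320 REJECT OK
2 111111111111 eni-0a1b2c3d 198.51.100.9 10.0.1.25 40000 22 6 5 320 1463443300 1463443360 ACCEPT OK
2 111111111111 eni-0a1b2c3d 10.0.0.12 10.0.1.25 40001 22 6 12 900 1463443300 1463443360 ACCEPT OK
2 111111111111 eni-0a1b2c3d 203.0.113.7 10.0.1.25 51236 3389 6 2 120 1463443320 1463443380 REJECT OK
2 111111111111 eni-0a1b2c3d - - - - - - - 1463443380 1463443440 - NODATA
"""

FIELDS = (
    "version", "account_id", "interface_id", "srcaddr", "dstaddr", "srcport",
    "dstport", "protocol", "packets", "bytes", "start", "end", "action",
    "log_status",
)


def parse_flow_logs(text):
    """Parse space-separated flow log records into dicts, skipping NODATA and
    SKIPDATA records, which carry '-' instead of flow fields."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":
            continue
        rec["srcport"] = int(rec["srcport"])
        rec["dstport"] = int(rec["dstport"])
        records.append(rec)
    return records


def external_ssh_sources(records, vpc_cidr="10.0.0.0/16", port=22):
    """Map each source address outside the VPC that hit the SSH port to a
    Counter of ACCEPT/REJECT decisions. REJECTs show the security group or
    NACL doing its job; ACCEPTs are compared against the jumpbox allow list."""
    vpc = ipaddress.ip_network(vpc_cidr)
    summary = {}
    for rec in records:
        if rec["dstport"] != port or rec["protocol"] != "6":  # 6 = TCP
            continue
        if ipaddress.ip_address(rec["srcaddr"]) in vpc:
            continue
        summary.setdefault(rec["srcaddr"], Counter())[rec["action"]] += 1
    return summary


def unexpected_accepts(summary, allowed_sources):
    """Sources with at least one ACCEPT that are not on the list of addresses
    permitted to reach the jumpbox (the 'allow only specific IPs' rule)."""
    return sorted(
        src for src, actions in summary.items()
        if actions["ACCEPT"] and src not in allowed_sources
    )


if __name__ == "__main__":
    summary = external_ssh_sources(parse_flow_logs(SAMPLE_FLOW_LOGS))
    for src, actions in summary.items():
        print(src, dict(actions))
    print("unexpected accepts:", unexpected_accepts(summary, {"198.51.100.9"}))
```

In practice the records come from the CloudWatch Logs group the flow log was configured to deliver to; the same functions apply unchanged once the text is read from there.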

  • Infrastructure Security
    Some of the primary AWS services which we strongly recommend using:
    - Enable CloudTrail; keep the logs in your primary account
    - VPC Flow Logs; keep the logs in your primary account
    - Use AWS Config; a useful tool
    - Use CloudWatch; it keeps metrics for all resources and can be used for log management as well

  • Infrastructure Security
    So how do we really protect our underlying infrastructure?
    - Use a jumpbox
    - Allow only specific IPs to access it
    - Keep your infrastructure in a private subnet, i.e. EC2 instances and RDS instances
    - Enable multi-factor authentication on SSH
    - Use public keys over private keys: avoid sending .pem keys over email; using public keys is safer
    - Avoid using common users: ec2-user, root, ubuntu, centos
    - Create unique credentials for each user

  • Infrastructure Security
    Additional security
    - Use client VPN connectivity
    - Use site-to-site VPN
    - Enable ELB logs
    - Move your server logs to a centralized location, i.e. CloudWatch
    - Secure logs: auth logs, application logs
    - Enable general logs on RDS
    - Enable S3 logs

  • Security Audit
    How do we do a security audit?
    - Do not rely on humans
    - Make your audit as automated as possible
    - Perform weekly/monthly/quarterly audits on your infrastructure

  • Security Audit
    What shall we audit? IAM
    - Remove users who are no longer part of the team
    - Disable users who are no longer active
    - Make sure MFA is enabled for each user
    - Remove old keys
    - Enable API protection on the resources
    - Avoid granting access to all resources
    - Enable MFA on the root account
    - Do not use access keys on the root account
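Most of the IAM items on this slide and on the earlier "Users" slide (MFA, last activity, old or unused keys, no access keys on root) can be read from one artefact, the IAM credential report. As an added example (not part of the presentation), this Python audits a report in that CSV layout offline. The report rows, the account id, the user names and the 90-day thresholds are constructed; the webinar date is used as "now" so the results are reproducible.

```python
import csv
import io
from datetime import datetime, timezone

# Constructed sample in the column layout of `aws iam get-credential-report`
# (after base64-decoding). Account id and users are made up.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws:iam::111111111111:root,2015-01-10T09:00:00+00:00,not_supported,2016-05-10T08:00:00+00:00,not_supported,not_supported,false,true,2015-01-10T09:05:00+00:00,2016-05-10T08:00:00+00:00,us-east-1,ec2,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
alice,arn:aws:iam::111111111111:user/alice,2016-01-05T10:00:00+00:00,true,2016-05-16T12:00:00+00:00,2016-04-20T10:00:00+00:00,2016-07-19T10:00:00+00:00,true,true,2016-04-20T10:00:00+00:00,2016-05-16T12:30:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
bob,arn:aws:iam::111111111111:user/bob,2015-06-01T10:00:00+00:00,true,2016-05-01T09:00:00+00:00,2015-06-01T10:00:00+00:00,N/A,false,true,2015-06-01T10:05:00+00:00,2015-12-01T09:00:00+00:00,us-east-1,ec2,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
deploy-bot,arn:aws:iam::111111111111:user/deploy-bot,2016-03-01T10:00:00+00:00,false,N/A,N/A,N/A,false,true,2016-03-01T10:00:00+00:00,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
"""

# The webinar date, used as "now" so the sample gives stable results.
REPORT_DATE = datetime(2016, 5, 17, tzinfo=timezone.utc)
NOT_A_DATE = {"N/A", "no_information", "not_supported", ""}


def parse_date(value):
    """Report timestamps are ISO 8601 with a UTC offset; several placeholder
    strings mean 'no date available'."""
    if value in NOT_A_DATE:
        return None
    return datetime.fromisoformat(value)


def audit_credential_report(csv_text, now=REPORT_DATE,
                            max_key_age_days=90, max_idle_days=90):
    """Return (user, finding) pairs for the IAM audit items on the slides:
    MFA missing on console users and on root, access keys on root, keys older
    than the rotation period, and keys that are idle or were never used."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        user = row["user"]
        is_root = user == "<root_account>"
        # Root's password_enabled reads "not_supported", so treat root as a console user.
        has_console = is_root or row["password_enabled"] == "true"
        if has_console and row["mfa_active"] != "true":
            findings.append((user, "mfa_disabled"))
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] != "true":
                continue
            if is_root:
                findings.append((user, f"root_access_key_{n}"))
            rotated = parse_date(row[f"access_key_{n}_last_rotated"])
            if rotated is not None and (now - rotated).days > max_key_age_days:
                findings.append((user, f"key_{n}_not_rotated"))
            last_used = parse_date(row[f"access_key_{n}_last_used_date"])
            if last_used is None:
                findings.append((user, f"key_{n}_never_used"))
            elif (now - last_used).days > max_idle_days:
                findings.append((user, f"key_{n}_idle"))
    return findings


if __name__ == "__main__":
    for user, finding in audit_credential_report(SAMPLE_REPORT):
        print(f"{user:16} {finding}")
```

Run on a real report, this is the weekly job the "do not rely on humans" slide asks for: a service user with no console password and no MFA (like `deploy-bot` here) is not a finding, but its never-used key is, because a key nobody uses is exactly what the "remove old keys" item targets.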

  • Security Audit
    What shall we audit? Infrastructure access
    - Disable SSH access for users who are not active
    - Rotate the private key of EC2 servers on a regular basis
    - Make sure MFA is enabled for each user
    - Make sure access is given on an as-needed basis
    - SSH port is not open to
    - Logs are enabled
    - ELB data transfer happens over secured communication

  • Production: No Man's Land
    Why must we lock down production?
    - That is where your data is stored
    - That is where your customers' data is stored
    - It must be secured and should not be accessible by everyone

    So how do we work with production?
    - How do we do the deployments?
    - How do we troubleshoot the problem?
    - How do we make database changes?
    - How do we maintain our infrastructure?
    AUTOMATION

  • Thou shalt relax and ask questions :)
    Sign up for a 14-day free trial: www.botmetric.com
    Follow us on Twitter, LinkedIn, Facebook to catch the latest updates from Botmetric
    Maqbul Khan, Sr. Technical Consultant, Minjar