AWS Security Best Practices and Design Patterns
DESCRIPTION
AWS is architected to be one of the most flexible and secure cloud computing environments available today. It provides an extremely scalable, highly reliable platform that enables customers to deploy applications and data quickly and securely. When using AWS, not only are infrastructure headaches removed, but so are many of the security issues that come with them.
TRANSCRIPT
AWS Security Best Practices & Design Patterns
Bill Shinn, Principal Security Solutions Architect
1. Network Security Best Practices
2. Security Design Patterns
3. Reducing the Use of Long-term, Privileged Credentials
1. Network Security Best Practices
Regions (map): US-WEST (N. California), EU-WEST (Ireland), ASIA PAC (Tokyo), ASIA PAC (Singapore), US-WEST (Oregon), SOUTH AMERICA (Sao Paulo), US-EAST (Virginia), GOV CLOUD, ASIA PAC (Sydney)
AWS lets customers choose where their content goes
Availability Zones (map): US-WEST (N. California), EU-WEST (Ireland), ASIA PAC (Tokyo), ASIA PAC (Singapore), US-WEST (Oregon), SOUTH AMERICA (Sao Paulo), US-EAST (Virginia), GOV CLOUD, ASIA PAC (Sydney), ASIA PAC (Beijing)
Take advantage of high availability in every Region
Edge Locations (map): Dallas (2), St. Louis, Miami, Jacksonville, Los Angeles (2), Palo Alto, Seattle, Ashburn (2), Newark, New York (2), Dublin, London (2), Amsterdam, Stockholm, Frankfurt (2), Paris (2), Singapore (2), Hong Kong, Tokyo, Sao Paulo, South Bend, San Jose, Osaka, Milan, Sydney, Chennai, Mumbai
Use edge locations to serve content close to your customers
Amazon EC2 Instance Isolation (diagram): the instances of Customer 1, Customer 2 ... Customer n share the physical interfaces but sit behind the hypervisor on separate virtual interfaces, with a firewall enforcing each customer's own security groups.
Amazon EC2 Security Group Firewall (diagram): Web Tier, Application Tier, Database Tier
• Only specific ports open to the Internet
• Staff can limit app tier access to a bastion/management tier
• All other Internet ports blocked by default
• Sync with on-premises database
VPC Security Groups
VPC Network Security Controls
VPC Hybrid Architecture (diagram): the corporate data center, behind its existing perimeter security stack, connects to the VPC over VPN (customer gateway) or AWS Direct Connect; Internet traffic enters through the Internet Gateway.
Defense-in-Depth Architecture (diagram): Web Tier, App Tier, Protect Tier and DB Tier inside the VPC, with IAM, route tables, NACLs and the Internet Gateway as controls; the corporate data center reaches the VPC through its existing perimeter security stack over VPN or AWS Direct Connect (DX) via the customer gateway (CGW).
Network Protection (diagram): the same tiered VPC (Web, App, Protect, DB), with IAM, the Internet Gateway, VPN, AWS Direct Connect and the customer gateway highlighted as the network-layer controls.
Instance Protection (diagram): the same tiered VPC, with the instance-level controls highlighted:
• Auto Scaling
• Host security software
• SSH keys
• Managed encryption
• Bastion host
• Bootstrapping
• AMIs
• CloudFront load distribution
• Penetration testing
Database Protection (diagram): the same tiered VPC, with the database-level controls highlighted:
• Oracle TDE
• MySQL and MS-SQL SSL
• Oracle NNE
• Redshift cluster encryption
• RDS auto minor patching
• SQL SSL clients
• DynamoDB and SimpleDB SSL
• EMR job flow roles
In-line Threat Management: Bastion Host (diagram): Web, App, Protect and DB tiers, with the bastion host placed in the Protect Tier.
In-line Threat Management: IPS/IDS NAT HA (diagram): in each of Availability Zone A and Availability Zone B, an IPS NAT layer (Elastic IPs EIP1 through EIP4) sits in front of the App Layer.
Combined view (diagram): Web, App, Protect and DB tiers with IAM, S3, CloudFront, route tables, NACLs and the Internet Gateway; the corporate data center connects through its existing perimeter security stack over VPN or AWS Direct Connect via the customer gateway.
Web App Hosting in VPC (reference architecture diagram)
• VPC CIDR 10.10.0.0/16 spanning AZ A and AZ B
• Public subnets 10.10.1.0/24 and 10.10.2.0/24: public ELB and autoscaling web tier
• Private subnets 10.10.3.0/24 and 10.10.4.0/24: internal ELB and autoscaling application tier
• Private subnets 10.10.5.0/24 and 10.10.6.0/24: Multi-AZ RDS data tier (RDS master, RDS standby, snapshots)
• End users, students and researchers reach the application through the Internet Gateway; static and streaming content is served from S3 and CloudFront
• Administrators and campus users connect from the existing datacenter through the customer gateway to the virtual private gateway, over a VPN connection or Direct Connect at a network partner location
HAProxy tier behind a public ELB (diagram)
• VPC public subnets 10.40.1.0/24 and 10.40.2.0/24 (AZ A, AZ B): public ELB in TCP mode with Proxy Protocol, reached through Route 53 and the Internet Gateway
• VPC private subnets 10.40.3.0/24 and 10.40.4.0/24: HAProxy/Public SSL nodes
• VPC private subnets 10.40.5.0/24 and 10.40.6.0/24: Tomcat/Private SSL nodes
• Security groups: ELBSecurityGroup, HAProxySecurityGroup, WebSecurityGroup
HAProxy tier: if needed, session state is managed via a client-side cookie inserted by HAProxy, so HAProxy nodes route to the web server where the user's session exists regardless of which HAProxy instance the ELB directs the client to.
SSL termination/re-encryption: keys are stored in S3 and retrieved by CloudFormation at system launch using the entitlements of the IAM role for EC2.
Support for Proxy Protocol, x-forwarded-for, and the JSESSION cookie (appsession) for sticky sessions via hashtable if needed.
The HAProxy tier performs backend encryption between HAProxy nodes and Tomcat nodes; those keys are likewise stored in S3 and retrieved by CloudFormation at system launch using the entitlements of the IAM role for EC2.
Variant without an ELB (diagram): the same design with the HAProxy/Public SSL nodes in public subnets 10.40.3.0/24 and 10.40.4.0/24, reached directly through Route 53 and the Internet Gateway, the Tomcat/Private SSL nodes in private subnets 10.40.5.0/24 and 10.40.6.0/24, and security groups HAProxySecurityGroup and WebSecurityGroup.
VPC Best Practices
Leverage existing governance
• Address space allocation
• Internet access policies
• Management of routing protocol and route advertisements
IAM policies for VPC actions
• Separation of duties
• Authentication & authorization enforcement
Network Filtering
• Use security groups for stateful network packet filtering
• Use stateless network ACLs for separation of duties and coarse-grained management
Connecting VPCs
• Hub and Spoke using Direct Connect
• VPN Hub and Spoke
• VPC Peering
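The stateful-versus-stateless distinction in the network filtering bullets is easy to get wrong in practice, so here is an added Python model (not code from the talk): a security group is an unordered allow-list that implicitly admits return traffic, while a network ACL is a numbered rule list evaluated lowest number first with an implicit final deny, so an inbound allow on 443 is useless until an outbound rule for the client's ephemeral port exists. The rule sets are constructed samples.

```python
"""Stateful security group vs. stateless network ACL, modelled for illustration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    number: int        # NACLs evaluate lowest number first; security groups ignore it
    direction: str     # "in" or "out"
    proto: str         # "tcp", "udp" or "all"
    port_from: int
    port_to: int
    action: str        # "allow" or "deny" (security groups only ever allow)


def _matches(rule, direction, proto, port):
    return (rule.direction == direction
            and rule.proto in (proto, "all")
            and rule.port_from <= port <= rule.port_to)


def nacl_decision(rules, direction, proto, port):
    """Stateless: first matching rule by number wins; no match hits the final '*' deny."""
    for rule in sorted(rules, key=lambda r: r.number):
        if _matches(rule, direction, proto, port):
            return rule.action == "allow"
    return False


def sg_decision(rules, direction, proto, port):
    """Security groups are pure allow-lists with no ordering."""
    return any(_matches(r, direto := direction, proto, port) for r in rules)


def tcp_session_allowed(rules, stateful, dst_port, ephemeral_port=49152):
    """A client TCP session needs the request inbound and the reply outbound.
    A stateful filter tracks the reply itself; a stateless one needs an explicit
    outbound rule covering the client's ephemeral port."""
    if stateful:
        return sg_decision(rules, "in", "tcp", dst_port)
    return (nacl_decision(rules, "in", "tcp", dst_port)
            and nacl_decision(rules, "out", "tcp", ephemeral_port))


# Constructed sample: HTTPS allowed inbound, SSH denied, but no ephemeral-port return rule.
WEB_NACL = [
    Rule(100, "in", "tcp", 443, 443, "allow"),
    Rule(110, "in", "tcp", 22, 22, "deny"),
    Rule(100, "out", "tcp", 443, 443, "allow"),
]
WEB_NACL_FIXED = WEB_NACL + [Rule(120, "out", "tcp", 1024, 65535, "allow")]
WEB_SG = [Rule(0, "in", "tcp", 443, 443, "allow")]
```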
EC2 Resource Permissions
Assign permissions to EC2 resources: Instance, Snapshot, Volume. Combine these with existing permissions and policies based on EC2 actions to create extremely fine-grained policies for managing AWS resources.
Leverage tagging and attribute-driven conditions:
• Tags such as “Production” or “AppName”
• Overlay organizational structure such as cost centers or departments
• Require dedicated tenancy as a condition
Additional EC2 resources and conditions added through 2014.
2. Security Design Patterns
Agile Network Architecture
Update and change private network addressing, subnets, route tables and administrative control of network functions to move systems and applications in response to vulnerabilities, regulatory changes, project partnerships, etc.
Use named security groups to logically control access between systems of like trust or based on data classification. The security attributes of a system move with the system, independent of network location, so systems can be relocated via API call to address a changing threat environment.
Services: Amazon VPC + Security Groups
Non-Persistent Platforms
Auto-scaling groups ensure that capacity stays predictable while you rotate out portions of the environment. You can also swap the base AMI in an auto-scaling launch configuration for a freshly patched one, then progressively kill off stale instances.
This changes the paradigm of what a target or attack surface looks like. Automation around Amazon Machine Image creation and bootstrapping with tools like AWS OpsWorks, Amazon Elastic Beanstalk, Chef or Puppet means you can constantly lay down a moving target.
Services: AWS Elastic Compute Cloud + Amazon Auto-scaling Groups
Standardized Environments & Change Detection
Interrogate and describe the entire environment with the Java, Python, .NET, Ruby, PHP or other SDKs. Detect change in the standardized environment programmatically and integrate with existing asset and SIEM workflows.
Use CloudFormation to create an environment that mirrors your security standards. One API call results in hardened AMIs with base security controls installed, predictable firewall and network configuration, and appropriately defined access and roles.
Services: AWS SDKs + AWS CloudFormation
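To make the change-detection pattern concrete, here is an added Python example (not code from the talk) that normalizes security-group rules in the shape returned by boto3's ec2.describe_security_groups(), diffs them against a stored baseline, and also flags rules reachable from 0.0.0.0/0 on anything but the intended public ports, which is the "only specific ports open to the Internet" practice from the security group slide. The two group snapshots are constructed samples; the GroupName reuses a name from the diagrams.

```python
"""Security-group drift and exposure check over describe-security-groups output."""

# Constructed samples in the shape of describe_security_groups()["SecurityGroups"],
# keyed by GroupId and reduced to the fields the check uses.
BASELINE = {"sg-web": {"GroupName": "WebSecurityGroup", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 8443, "ToPort": 8443,
     "UserIdGroupPairs": [{"GroupId": "sg-haproxy"}]}]}}

CURRENT = {"sg-web": {"GroupName": "WebSecurityGroup", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]}}


def flatten(group):
    """One (proto, from, to, source) tuple per source so rule sets compare directly.
    A missing port (protocol -1, i.e. all traffic) is recorded as -1."""
    rules = set()
    for perm in group["IpPermissions"]:
        sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        sources += [g["GroupId"] for g in perm.get("UserIdGroupPairs", [])]
        for src in sources:
            rules.add((perm["IpProtocol"], perm.get("FromPort", -1), perm.get("ToPort", -1), src))
    return rules


def drift(baseline, current):
    """Rules added or removed since the standardized baseline, per group id."""
    report = {}
    for gid in set(baseline) | set(current):
        before = flatten(baseline[gid]) if gid in baseline else set()
        after = flatten(current[gid]) if gid in current else set()
        if before != after:
            report[gid] = {"added": sorted(after - before), "removed": sorted(before - after)}
    return report


def internet_exposed(groups, allowed_ports=frozenset({80, 443})):
    """Rules open to 0.0.0.0/0 on anything other than the intended public ports,
    including port ranges and all-traffic rules."""
    findings = []
    for gid, group in groups.items():
        for proto, lo, hi, src in flatten(group):
            if src == "0.0.0.0/0" and not (lo == hi and lo in allowed_ports):
                findings.append((gid, proto, lo, hi))
    return sorted(findings)
```

In a live run the two dictionaries would come from a stored snapshot and a fresh describe_security_groups() call, and the report would be handed to the asset or SIEM workflow.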
Instance Identity
The Security Token Service generates unique credentials and constantly rotates an additional token. Identity and Access Management roles for EC2 instances provide entitlements to the instance itself. Credentials are presented through a RESTful meta-data service accessible only on the local host.
Credentials can be leveraged by apps that need to call AWS APIs, retrieve data from S3, etc., with native integration in the SDKs and CLI tools.
Services: Security Token Service + Identity Management
Consolidated API Logging
CloudTrail provides increased visibility into your user activity by recording AWS API calls. Integration with Amazon SNS and ecosystem partners facilitates analytics. It provides logging up and down the stack in one place (storage, networking, instances, identity).
Amazon S3 + Glacier serve as the log archival solution for life-cycle management.
Services: Amazon S3 + Glacier + AWS CloudTrail
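As an added example of putting CloudTrail records to work for the talk's third theme, reducing long-term privileged credentials (this is illustration code, not from the talk), the following Python triages a CloudTrail log file: it separates calls made with long-term IAM user keys (access key ids starting with AKIA) from calls made with temporary STS credentials (ASIA, such as an EC2 instance role session) and flags privileged mutating calls that came from long-term keys. The records are constructed samples and the PRIVILEGED set is an assumed starting list.

```python
"""Triage of CloudTrail records for long-term credential use."""
import json

# Constructed sample records in CloudTrail's file shape ({"Records": [...]}),
# reduced to the fields the triage uses.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2014-05-01T10:00:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "sourceIPAddress": "10.40.1.15",
     "userIdentity": {"type": "AssumedRole", "accessKeyId": "ASIAEXAMPLE0000001",
                      "arn": "arn:aws:sts::111122223333:assumed-role/WebTierRole/i-0abc"}},
    {"eventTime": "2014-05-01T10:05:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "IAMUser", "userName": "deploy-bot",
                      "accessKeyId": "AKIAEXAMPLE0000002",
                      "arn": "arn:aws:iam::111122223333:user/deploy-bot"}},
    {"eventTime": "2014-05-01T10:06:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "PutUserPolicy", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "IAMUser", "userName": "deploy-bot",
                      "accessKeyId": "AKIAEXAMPLE0000002",
                      "arn": "arn:aws:iam::111122223333:user/deploy-bot"}},
]})

# Mutating calls that should come from roles, not long-lived user keys (assumed list).
PRIVILEGED = {"AuthorizeSecurityGroupIngress", "PutUserPolicy", "CreateAccessKey",
              "AttachUserPolicy", "ModifyInstanceAttribute"}


def is_long_term(identity):
    """IAM user keys start with AKIA; STS temporary keys start with ASIA.
    Without a key id, fall back to the identity type."""
    key = identity.get("accessKeyId", "")
    if key:
        return key.startswith("AKIA")
    return identity.get("type") in ("IAMUser", "Root")


def triage(log_text):
    """Return (findings, summary): privileged calls made with long-term keys, and a
    per-principal count of long-term versus temporary credential use."""
    findings, summary = [], {}
    for rec in json.loads(log_text)["Records"]:
        ident = rec["userIdentity"]
        kind = "long_term" if is_long_term(ident) else "temporary"
        who = ident.get("userName") or ident.get("arn", "unknown")
        summary.setdefault(who, {"long_term": 0, "temporary": 0})[kind] += 1
        if kind == "long_term" and rec["eventName"] in PRIVILEGED:
            findings.append((rec["eventTime"], who, rec["eventName"], rec["sourceIPAddress"]))
    return findings, summary
```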