Tackling the Threat Landscape - AWS Security Do’s and Don’ts
Feb 16, 2016
Amarkant Singh, Director – Product Engineering, Minjar
Our request: please stay on mute until the Q/A in the last 15 minutes of the webinar.
What This Session is Not
• Not an on-premises versus cloud security comparison
• Not a technical deep dive into network security fundamentals
• Not a technical deep dive into operating system level security
• Not a technical deep dive into database level security
About us
• Minjar – Cloud Automation and Solutions for AWS: AWS architectures, managed cloud, DevOps, CloudOps
• Botmetric – Intelligent Cloud Platform for AWS cost management, infrastructure audit and DevOps automation for the AWS cloud; sold as a SaaS product
Agenda – 1 Hr Session
• AWS security fundamentals
• Security is a key pillar of AWS
• How to ensure that best practices are followed
• This session – AWS Security Do’s and Don’ts
Regions, Availability Zones, and Endpoints
• AWS lets customers choose where their content goes
• Take advantage of high availability in every Region
• Use edge locations to serve content close to your customers
AWS and You Share Responsibility for Security
• Amazon Web Services provides a secure global infrastructure and services in the cloud.
• You can build your systems using AWS as the foundation.
Shared responsibility models
• Infrastructure services
• Container services
• Abstracted services
Shared responsibility models: Infrastructure services (example: Amazon EC2, Amazon EBS, Amazon VPC)
AWS is responsible for (considering EC2, an infrastructure service):
• Facilities
• Physical security of hardware
• Network infrastructure
• Virtualization infrastructure
• Hardware lifecycle management
You are responsible for (considering EC2, an infrastructure service):
• Amazon Machine Images (AMIs)
• Operating systems
• Applications
• Data in transit
• Data at rest
• Data stores
• Credentials
• Policies and configuration
Shared responsibility models: Container services (example: Amazon RDS, Amazon EMR)
Shared responsibility models: Abstracted services (example: Amazon S3, Amazon DynamoDB)
The threat landscape
• Unauthorized access
• Account/service hijacking
• Malicious insiders
• Lack of understanding
• Human errors
Varying responsibility/threat surface areas (diagram): the customer's share of the threat surface ranges from configuration only, for abstracted services, to configuration plus operation, for container and infrastructure services.
AWS Security Building Blocks
Access Controls
• EC2 key pair
  • Access to instances
• Identity and Access Management (IAM)
  • Access to the AWS Management Console
  • Access to APIs via SDKs and CLI
  • Share access with third parties
  • Share access among different AWS accounts
• AWS Directory Service
Network Security
• Amazon EC2 security groups
  • Act as a virtual firewall
  • Can add multiple rules
  • Many-to-many relation (a group can be attached to many instances, an instance can have many groups)
• VPC networking
  • Elastic Network Interface (ENI)
  • Subnets
  • Network access control list (NACL)
  • Route table
  • Internet gateway
• AWS Web Application Firewall (WAF)
Data Security
• Encrypt data at rest
  • All major AWS data services provide a built-in encryption feature
  • S3, EBS, Redshift, RDS
• AWS Key Management Service (KMS)
  • Gives you complete control over encryption keys
• AWS CloudHSM
  • Hardware-based cryptographic key storage
Inventory/Config: Monitoring and Logging
• AWS Config
  • Inventory and configuration management tool
• AWS CloudTrail
  • Logs each and every API call to your AWS infrastructure
• Amazon CloudWatch
  • Alert notifications can be raised when certain thresholds are crossed
AWS Security Best Practices Do’s and Don’ts
Best Practices: EC2 Key Pair
• Do’s
  • Rotate SSH keys regularly
  • Create key pairs with a passphrase
  • Enable Google Authenticator based MFA for SSH
  • Change SSH from port 22 to a non-standard port
• Don’ts
  • Do not keep private keys in temp or home directories
  • Do not keep unused EC2 key pairs
Best Practices: Identity and Access Management
• Do’s
  • Create individual IAM users
    • Unique credentials
    • Individual credential rotation
    • Individual permissions
  • Grant least privilege
    • Less chance of people making mistakes
    • Easier to relax than to tighten up
    • More granular control over APIs and resources
    • Avoid assigning a *:* policy
    • Use policy templates
Best Practices: Identity and Access Management (cont.)
• Do’s
  • Use groups to assign permissions to IAM users
    • Easier to assign the same permissions to multiple users
    • Simple to re-assign when responsibilities change
    • Can be used to map permissions to a specific business function
    • Easily add/remove users
  • Restrict privileged access further with conditions
    • Additional level of granularity when defining permissions
    • Minimizes the chance of accidentally performing privileged actions
    • Can define tag-based or specific resource-based access
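The two IAM points above (avoid a *:* policy, fence privileged actions with conditions) are easy to check mechanically. The following is an added example, not code from the session or from Botmetric: a small linter over IAM policy documents that flags an Allow of Action "*" on Resource "*" and any mutating action that carries no Condition block. The three policy documents are constructed for the example; the account id, the tag name "team" and its value are made up, while ec2:ResourceTag is a real EC2 condition key.

```python
"""Lint IAM policy documents for two anti-patterns the session calls out:
a "*:*" grant (Action "*" on Resource "*") and privileged actions allowed
without a Condition block. Added example, not from the deck; the three
policy documents are constructed and the account id / tag name are made up."""
import json

# Constructed: the "just give them everything" policy the deck says to avoid.
OVERBROAD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowAll", "Effect": "Allow", "Action": "*", "Resource": "*"},
    ],
})

# Constructed: write access granted with no Condition, so any instance in the
# account can be stopped by this principal.
UNCONDITIONED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "StopAnything", "Effect": "Allow",
         "Action": ["ec2:StopInstances"], "Resource": "*"},
    ],
})

# Constructed: same job, scoped. Read-only Describe* stays unconditioned;
# the mutating actions are fenced by a tag condition (ec2:ResourceTag is a
# real EC2 condition key; the tag "team=payments" is our choice).
SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "DescribeIsReadOnly", "Effect": "Allow",
         "Action": ["ec2:Describe*"], "Resource": "*"},
        {"Sid": "StopStartOwnTeamOnly", "Effect": "Allow",
         "Action": ["ec2:StartInstances", "ec2:StopInstances"],
         "Resource": "arn:aws:ec2:us-east-1:111122223333:instance/*",
         "Condition": {"StringEquals": {"ec2:ResourceTag/team": "payments"}}},
    ],
})

READ_ONLY_PREFIXES = ("Describe", "Get", "List")


def _as_list(value):
    """IAM allows Action/Resource as a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_read_only(action):
    # "ec2:Describe*" -> "Describe*"; a bare "*" is handled by the caller.
    return action.split(":")[-1].startswith(READ_ONLY_PREFIXES)


def lint_policy(policy_json):
    """Return (Sid, finding) pairs for Allow statements that are too broad.

    star-action-star-resource : Action "*" together with Resource "*"
    write-without-condition   : a non-read action allowed with no Condition block
    """
    findings = []
    for i, stmt in enumerate(json.loads(policy_json)["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", f"statement-{i}")
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        if "*" in actions and "*" in resources:
            findings.append((sid, "star-action-star-resource"))
            continue
        mutating = [a for a in actions if a == "*" or not _is_read_only(a)]
        if mutating and "Condition" not in stmt:
            findings.append((sid, "write-without-condition"))
    return findings


if __name__ == "__main__":
    for name, doc in [("overbroad", OVERBROAD_POLICY),
                      ("unconditioned", UNCONDITIONED_POLICY),
                      ("scoped", SCOPED_POLICY)]:
        print(name, lint_policy(doc) or "clean")
```

The read-only prefix list is a heuristic, not an authoritative classification: an action such as s3:GetObject is read-only in this sense but still exposes data, so the linter is a first pass over your policies, not a replacement for reviewing them.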
Best Practices: Identity and Access Management (cont.)
• Do’s
  • Configure a strong password policy for your users
    • Password expiration
    • Password strength
    • Password re-use
  • Enable MFA for all users, not just privileged users; why take the chance
  • Use roles for applications that run on Amazon EC2 instances
    • Automatic key rotation
  • Rotate credentials regularly
Best Practices: Identity and Access Management (cont.)
• Don’ts
  • Do not use your root account access keys
    • Create an IAM user for yourself and forget the root account
  • Stop using third-party tools that ask for access keys and secret keys
    • It isn’t safe
    • What if their database is compromised
    • Use roles for cross-account access instead
  • Do not have a single role for all users
  • Do not have too many users with administrative access
  • Do not use old access keys; rotate them
Best Practices: Network Security
• Do’s
  • Keep only those instances in a public subnet which need to be accessed directly from the internet
Best Practices: Network Security (cont.)
• Do’s
  • Access private machines within your VPC from outside via a bastion host
  • Install OSSEC – a host-based intrusion detection system
  • Provide limited access to common administrative ports to only a small subset of addresses
    • This includes ports 22 (SSH), 23 (Telnet), 3389 (RDP), and 5500 (VNC)
  • Provide limited access to common database ports
  • Try to use non-standard ports for your internal applications
  • ELB listener security
    • Use HTTPS or SSL
Best Practices: Network Security (cont.)
• Don’ts
  • Never create security group rules open to 0.0.0.0/0
    • Follow the rule of least privilege here as well
    • Especially, do not open port 22 for everyone
  • Do not allow UDP / ICMP on private instances
  • Do not use IPs to allow intra-instance network access
    • Use security groups instead
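The security group Don’ts above, and the list of administrative ports from the previous slide, translate into a rule audit you can run over the output of describe-security-groups. The following is an added example, not code from the session or from Botmetric: SAMPLE_GROUPS is constructed in the shape of the IpPermissions structure that `aws ec2 describe-security-groups` returns (the field names are the real ones, the group ids, account id and addresses are made up), and audit_groups flags administrative ports open to the world, all-protocol rules (which admit UDP and ICMP), and single host IPs used where a security group reference belongs.

```python
"""Audit EC2 security group ingress rules for the Don'ts on this slide:
administrative ports open to 0.0.0.0/0, all-protocol rules (which let UDP and
ICMP through), and single host IPs used where a security group reference
belongs. Added example, not from the deck; SAMPLE_GROUPS is constructed in
the shape of `aws ec2 describe-security-groups` output (field names are the
real ones, the ids and addresses are made up)."""
import ipaddress

ADMIN_PORTS = {22: "SSH", 23: "Telnet", 3389: "RDP", 5500: "VNC"}

SAMPLE_GROUPS = [
    {"GroupId": "sg-0aaa", "GroupName": "web-loose", "IpPermissions": [
        # SSH from the whole internet
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
        # HTTPS from the whole internet is what a public web tier needs; no finding
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
        # all traffic from one private host: should be a security group reference
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "10.0.1.25/32"}],
         "UserIdGroupPairs": []},
    ]},
    {"GroupId": "sg-0bbb", "GroupName": "app-tight", "IpPermissions": [
        # SSH only from a small office range
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "198.51.100.0/28"}], "UserIdGroupPairs": []},
        # app port reachable only from the load balancer's security group
        {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080, "IpRanges": [],
         "UserIdGroupPairs": [{"GroupId": "sg-0elb", "UserId": "111122223333"}]},
    ]},
]


def _covers_port(rule, port):
    """True if a tcp/udp rule's port range (or an all-traffic rule) includes port."""
    proto = rule.get("IpProtocol")
    if proto == "-1":
        return True
    if proto not in ("tcp", "udp"):
        return False
    return rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)


def audit_group(group):
    """Return sorted (GroupId, source CIDR, finding) tuples for one group."""
    gid = group["GroupId"]
    findings = []
    for rule in group.get("IpPermissions", []):
        sources = [r["CidrIp"] for r in rule.get("IpRanges", [])]
        sources += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
        for cidr in sources:
            net = ipaddress.ip_network(cidr, strict=False)
            if net.prefixlen == 0:                       # 0.0.0.0/0 or ::/0
                if rule.get("IpProtocol") == "-1":
                    findings.append((gid, cidr, "all-traffic-open-to-world"))
                else:
                    for port, name in ADMIN_PORTS.items():
                        if _covers_port(rule, port):
                            findings.append((gid, cidr, f"{name}-open-to-world"))
                continue
            if rule.get("IpProtocol") == "-1":           # includes UDP and ICMP
                findings.append((gid, cidr, "all-protocols-allowed"))
            if net.is_private and net.prefixlen == net.max_prefixlen:
                findings.append((gid, cidr, "host-ip-instead-of-security-group"))
    return sorted(findings)


def audit_groups(groups):
    """Audit every group and return one sorted list of findings."""
    return sorted(f for g in groups for f in audit_group(g))


if __name__ == "__main__":
    for finding in audit_groups(SAMPLE_GROUPS):
        print(*finding)
```

Rules whose only source is a UserIdGroupPairs entry produce no findings, which is the point of the last Don’t: referencing the load balancer's security group instead of its addresses keeps the rule correct when instances are replaced and their IPs change.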
Best Practices: Data Security
• Do’s
  • Ensure all sensitive data is encrypted at rest
    • Use the native encryption provided with RDS, S3, EBS, etc.
  • Ensure proper permissions for your S3 buckets
    • Do not give read/write access to everyone
  • Use HTTPS/SSL almost always when transferring data over the internet or across regions
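For S3 the three Do’s above (no read/write for everyone, HTTPS for data in transit, encryption at rest) can all be read off the bucket policy. The following is an added example, not code from the session or from Botmetric: a checker that reports Allow statements granting access to Principal "*" without a condition, and whether the policy contains Deny statements that refuse non-HTTPS requests and unencrypted uploads. The two bucket policies are constructed and the bucket name is made up; aws:SecureTransport and s3:x-amz-server-side-encryption are real condition keys.

```python
"""Check an S3 bucket policy for the three points on this slide: nobody
("*") gets unconditional read/write, HTTPS is enforced, and unencrypted
uploads are refused. Added example, not from the deck; the two bucket
policies are constructed and the bucket name is made up. aws:SecureTransport
and s3:x-amz-server-side-encryption are real condition keys."""
import json

# Constructed: the classic "public read" policy.
PUBLIC_READ_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    ],
})

# Constructed: no public Allow at all; two Deny statements that refuse plain
# HTTP and refuse PutObject requests that carry no server-side-encryption header.
HARDENED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*",
         "Resource": ["arn:aws:s3:::example-bucket",
                      "arn:aws:s3:::example-bucket/*"],
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
        {"Sid": "DenyUnencryptedPuts", "Effect": "Deny", "Principal": "*",
         "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-bucket/*",
         "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}}},
    ],
})


def _as_list(value):
    """Policy fields may be a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_everyone(principal):
    """Principal "*" or {"AWS": "*"} means anyone, including anonymous callers."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))


def check_bucket_policy(policy_json):
    """Return which statements are public, and whether HTTPS and SSE are enforced."""
    result = {"public_statements": [], "enforces_https": False, "requires_sse": False}
    for i, stmt in enumerate(json.loads(policy_json)["Statement"]):
        if not _is_everyone(stmt.get("Principal")):
            continue
        sid = stmt.get("Sid", f"statement-{i}")
        actions = _as_list(stmt.get("Action"))
        cond = stmt.get("Condition", {})
        if stmt.get("Effect") == "Allow" and not cond:
            # Anyone, under any circumstances: the "read/write for everyone" case.
            result["public_statements"].append(sid)
        elif stmt.get("Effect") == "Deny":
            transport = str(cond.get("Bool", {}).get("aws:SecureTransport", "")).lower()
            if transport == "false" and any(a in ("s3:*", "*") for a in actions):
                result["enforces_https"] = True
            sse_absent = str(cond.get("Null", {})
                             .get("s3:x-amz-server-side-encryption", "")).lower()
            if sse_absent == "true" and any(a in ("s3:PutObject", "s3:*", "*") for a in actions):
                result["requires_sse"] = True
    return result


if __name__ == "__main__":
    print("public-read:", check_bucket_policy(PUBLIC_READ_POLICY))
    print("hardened:   ", check_bucket_policy(HARDENED_POLICY))
```

The Deny statements work because an explicit Deny wins over any Allow in IAM evaluation, so they hold even if someone later adds a permissive Allow to the same bucket.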
Best Practices: Inventory/Config
• Do’s
  • Enable AWS CloudTrail logs
    • Even in regions where you don’t have instances
  • Enable VPC Flow Logs
  • Enable ELB access logs
  • Enable AWS Config
  • Enable termination protection
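The first Do above is the one most often missed: a single-region trail in your home region tells you nothing about API calls made in a region you never use. The following is an added example, not code from the session or from Botmetric: given the list of regions you want covered and trail records in the shape of `aws cloudtrail describe-trails` output (the IsMultiRegionTrail flag is real; IsLogging has been copied in from get-trail-status for convenience), cloudtrail_gaps reports regions with no logging trail and trails that exist but have stopped logging. REGIONS and TRAILS are constructed sample data.

```python
"""Find regions with no CloudTrail coverage and trails that are not logging.
Added example, not from the deck. REGIONS and TRAILS are constructed; the
trail records mirror `aws cloudtrail describe-trails` (Name, HomeRegion,
IsMultiRegionTrail) with IsLogging copied in from `get-trail-status`."""

REGIONS = ["us-east-1", "us-west-2", "eu-west-1", "ap-south-1"]  # constructed subset

TRAILS = [
    # single-region trail, logging: covers us-east-1 only
    {"Name": "prod-trail", "HomeRegion": "us-east-1",
     "IsMultiRegionTrail": False, "IsLogging": True},
    # trail exists in eu-west-1 but somebody stopped it: covers nothing
    {"Name": "eu-trail", "HomeRegion": "eu-west-1",
     "IsMultiRegionTrail": False, "IsLogging": False},
]


def cloudtrail_gaps(regions, trails):
    """Return (uncovered_regions, stopped_trails).

    A region counts as covered only by a trail that is currently logging and is
    either multi-region or has that region as its HomeRegion. A stopped trail
    is reported separately because it looks like coverage in the console."""
    covered = set()
    stopped = []
    for trail in trails:
        if not trail.get("IsLogging"):
            stopped.append(trail["Name"])
            continue
        if trail.get("IsMultiRegionTrail"):
            covered.update(regions)
        else:
            covered.add(trail["HomeRegion"])
    return sorted(set(regions) - covered), stopped


if __name__ == "__main__":
    uncovered, stopped = cloudtrail_gaps(REGIONS, TRAILS)
    print("regions without a logging trail:", uncovered)
    print("trails that are not logging:    ", stopped)
```

One multi-region trail that is logging empties the uncovered list for every region, which is the simplest way to satisfy "even in regions where you don’t have instances".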
How Botmetric can help you
Performs regular security scans
Detects and reports best practice violations
• Proactively sends a summary email listing the important audit violations
• You can view the major violations detected by Security Audit from a single pane
Act on audit violations right from Botmetric
• Provides a one-click fix for many of the audit violations
• Provides step-by-step guidelines to fix the audit violations
• Supplies your team with enough information to help them go from problem to solution, 10x faster
Provides audit history and the ability to run an on-demand audit
• Lets you view audit history in detail; you can also download historical audit reports
• Apart from daily automated audits, you can also execute an audit whenever you want
• You can execute an audit on the AWS account of your choice
When should you perform a security audit
• On a periodic basis
• When there are changes in your organization
• If you have stopped using any AWS service
• If you have added or removed software
• If you suspect unauthorized access
Recap
• Be vigilant
• Audit regularly
• Rotate keys and credentials
• Always follow the principle of least permissions
• Do not use the root account
• Keep your security group rules tight
• Wherever possible, enable MFA
Further reading
• AWS Security Features
• AWS Security Blog
• AWS Security Best Practices White Paper
Thou shalt relax and ask questions :)
Sign up for a 14-day free trial: www.botmetric.com
Follow us for more events and webinars
Amarkant Singh, Director, Product Engineering