aws security do’s and don’ts - user guide to tackle the threat landscape

Tackling the Threat Landscape - AWS Security Do’s and Don’ts Feb 16, 2016 A product by Amarkant Singh Director – Product Engineering, Minjar

Upload: botmetric

Post on 13-Apr-2017


Page 1

Tackling the Threat Landscape - AWS Security Do’s and Don’ts

Feb 16, 2016

A product by

Amarkant Singh Director – Product Engineering, Minjar

Page 2

Our Request

Please stay on mute until the Q&A in the last 15 minutes of the webinar.

Page 3

What This Session is Not

• Not an on-premise versus cloud security comparison

• Not a technical deep dive into network security fundamentals

• Not a technical deep dive into operating system level security

• Not a technical deep dive into database level security

Page 4

About Us

Minjar – Cloud Automation and Solutions for AWS: AWS Architectures, Managed Cloud, DevOps, CloudOps

Botmetric – Intelligent Cloud Platform for AWS Cost Management, Infrastructure Audit and DevOps Automation for AWS Cloud; sold as a SaaS product

Page 5

Agenda – 1 Hr Session

Page 6

AWS Security Fundamentals

Page 7

Security is a Key Pillar of AWS

How to ensure that best practices are followed

This Session – AWS Security Do’s and Don’ts

Page 8

Regions, Availability Zones, and Endpoints

• AWS lets customers choose where their content goes

• Take advantage of high availability in every Region

• Use edge locations to serve content close to your customers

Page 9

AWS and You Share Responsibility for Security

• Amazon Web Services provides a secure global infrastructure and services in the cloud.

• You can build your systems using AWS as the foundation.

Page 10

AWS is responsible for (considering EC2, an infrastructure service)

• Facilities

• Physical security of hardware

• Network infrastructure

• Virtualization infrastructure

• Hardware lifecycle management

Page 11

Shared responsibility models

• Infrastructure services

• Container services

• Abstracted services

Page 12

Shared responsibility models: Infrastructure services

Example: Amazon EC2, Amazon EBS, Amazon VPC

Page 13

You are responsible for (considering EC2, an infrastructure service)

• Amazon Machine Images (AMIs)

• Operating systems

• Applications

• Data in transit

• Data at rest

• Data stores

• Credentials

• Policies and configuration

Page 14

Shared responsibility models: Container services

Example: Amazon RDS, Amazon EMR

Page 15

Shared responsibility models: Abstracted services

Example: Amazon S3, Amazon DynamoDB

Page 16

The threat landscape

Page 17

Page 18

Threat Landscape

• Unauthorized access

• Account/Service Hijacking

• Malicious Insiders

• Lack of understanding

• Human errors

Page 19

Varying Responsibility/Threat Surface Areas

(Diagram) Customer responsibility axis: Configuration; Configuration + Operation. Service tiers: Abstracted Services, Container Services, Infrastructure Services.

Page 20

AWS Security Building Blocks

Page 21

Access Controls

• EC2 Key Pair
  • Access to instances

• Identity and Access Management (IAM)
  • Access to the AWS Management Console
  • Access to APIs via SDKs and CLI
  • Share access with third parties
  • Share access among different AWS accounts

• AWS Directory Service

Page 22

Network Security

• Amazon EC2 Security Groups
  • Act as a virtual firewall
  • Can add multiple rules
  • Many-to-many relation (instances to security groups)

• VPC Networking
  • Elastic Network Interface (ENI)
  • Subnets
  • Network access control list (NACL)
  • Route Table
  • Internet Gateway

• AWS Web Application Firewall (WAF)

Page 23

Data Security

• Encrypt data at rest
  • All major AWS data services provide built-in encryption
  • S3, EBS, Redshift, RDS

• AWS Key Management Service (KMS)
  • Gives you complete control over your encryption keys

• AWS CloudHSM
  • Hardware-based cryptographic key storage

Page 24

Inventory/Config: Monitoring and Logging

• AWS Config
  • Inventory and configuration management tool

• AWS CloudTrail
  • Logs each and every API call made against your AWS infrastructure

• Amazon CloudWatch
  • Alert notifications can be raised when certain thresholds are crossed

Page 25

AWS Security Best Practices: Do’s and Don’ts

Page 26

Best Practices: EC2 Key Pair

• Do’s
  • Rotate SSH keys regularly
  • Create key pairs with a passphrase
  • Enable Google Authenticator based MFA for SSH
  • Change SSH from port 22 to a non-standard port

• Don’ts
  • Do not keep private keys in temp or home directories
  • Do not keep unused EC2 key pairs

Page 27

Best Practices: Identity and Access Management

• Do’s
  • Create individual IAM users
    • Unique credentials
    • Individual credential rotation
    • Individual permissions
  • Grant least privilege
    • Less chance of people making mistakes
    • Easier to relax than to tighten up
    • More granular control over APIs and resources
    • Avoid assigning a *:* policy
    • Use policy templates

Page 28

Best Practices: Identity and Access Management (cont.)

• Do’s
  • Use groups to assign permissions to IAM users
    • Easier to assign the same permissions to multiple users
    • Simple to re-assign based on changes in responsibilities
    • Can be used to map permissions to a specific business function
    • Easily add/remove users
  • Restrict privileged access further with conditions
    • Additional level of granularity when defining permissions
    • Minimizes the chance of accidentally performing privileged actions
    • Can define tag-based or specific resource-based access
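The two slides above (least privilege, avoid *:*, add conditions on privileged actions) can be turned into a mechanical check. The following is an added example written for this transcript, not code from the slides or from Botmetric: a small linter that takes IAM policy documents (three constructed samples are embedded) and reports statements that grant "*" on "*", service-wide wildcard actions, "Resource": "*", or a privileged action with no Condition block. The list of "privileged" actions is a constructed subset chosen for the demo, not an AWS-defined one.

```python
import fnmatch
import json

# Constructed sample policy documents for this demo; none of them come from the slides.
FULL_ADMIN = {  # the "*:*" policy the slides say to avoid
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

SERVICE_ADMIN = {  # one service, every action, every resource, no condition
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "ec2:*", "Resource": "*"}],
}

LEAST_PRIVILEGE = {  # named actions, named resources, tag condition on the destructive one
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:PutObject"],
            "Resource": "arn:aws:s3:::example-app-bucket/*",
        },
        {
            "Effect": "Allow",
            "Action": ["ec2:StopInstances", "ec2:TerminateInstances"],
            "Resource": "arn:aws:ec2:us-east-1:123456789012:instance/*",
            "Condition": {"StringEquals": {"ec2:ResourceTag/Team": "platform"}},
        },
    ],
}

# Actions this demo treats as privileged: a short, constructed list, not an AWS one.
PRIVILEGED_ACTIONS = [
    "ec2:TerminateInstances", "iam:CreateUser", "iam:AttachUserPolicy",
    "iam:PutUserPolicy", "s3:DeleteBucket", "rds:DeleteDBInstance",
]


def _as_list(value):
    """IAM accepts a string or a list in Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def lint_policy(policy):
    """Return human-readable findings for one IAM policy document (empty list = clean)."""
    findings = []
    for idx, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only ever narrow access
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        if "*" in actions and "*" in resources:
            findings.append(f"statement {idx}: '*:*' grants every action on every resource")
            continue
        wildcards = [a for a in actions if a == "*" or a.endswith(":*")]
        if wildcards:
            findings.append(f"statement {idx}: service-wide wildcard action(s) {wildcards}")
        if "*" in resources:
            findings.append(f"statement {idx}: Resource '*' instead of specific ARNs")
        # A pattern such as "ec2:*" covers ec2:TerminateInstances; fnmatch does the glob match.
        privileged = [p for p in PRIVILEGED_ACTIONS
                      if any(fnmatch.fnmatchcase(p, a) for a in actions)]
        if privileged and "Condition" not in stmt:
            findings.append(f"statement {idx}: privileged action(s) {privileged} allowed without a Condition")
    return findings


def is_least_privilege(policy):
    """True when the linter raises nothing."""
    return not lint_policy(policy)


if __name__ == "__main__":
    for name, doc in [("FULL_ADMIN", FULL_ADMIN), ("SERVICE_ADMIN", SERVICE_ADMIN),
                      ("LEAST_PRIVILEGE", LEAST_PRIVILEGE)]:
        print(name, json.dumps(lint_policy(doc), indent=2))
```

Running it shows the gradient the slides describe: the `*:*` policy produces a single finding, the service-wide admin policy three (wildcard action, wildcard resource, destructive action with no condition), and the scoped policy none because its risky action is pinned to a resource ARN and a tag condition. To check real policies, feed the output of `aws iam get-policy-version` (the `Document` field) into `lint_policy`.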

Page 29

Best Practices: Identity and Access Management (cont.)

• Do’s
  • Configure a strong password policy for your users
    • Password expiration
    • Password strength
    • Password re-use
  • Enable MFA for all users, not just privileged users; why take the chance?
  • Use roles for applications that run on Amazon EC2 instances
    • Automatic key rotation
  • Rotate credentials regularly

Page 30

Best Practices: Identity and Access Management (cont.)

• Don’ts
  • Do not use your root account access keys
    • Create an IAM user for yourself and forget the root account
  • Stop using any third-party tools that ask for Access Keys & Secret Keys
    • It isn’t safe; what if their database is compromised?
    • Use roles for cross-account access instead
  • Do not have a single role for all users
  • Do not have too many users with administrative access
  • Do not use old access keys; rotate them.
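The MFA, rotation and root-key points on the two slides above are exactly what the IAM credential report (`aws iam generate-credential-report` / `get-credential-report`) lets you verify in bulk. Below is an added example, not code from the slides or from Botmetric, that audits a report for users without MFA, active root access keys, and access keys older than a rotation window. The embedded CSV is a constructed sample that uses a subset of the real report's column names; the 90-day window and the pinned "now" date are assumptions for the demo.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample laid out like an IAM credential report. Only a subset of the real
# report's columns is included; csv.DictReader looks columns up by name, so the
# order does not matter. The users and timestamps are invented.
SAMPLE_REPORT = """\
user,arn,password_enabled,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_2_active,access_key_2_last_rotated
<root_account>,arn:aws:iam::123456789012:root,not_supported,false,true,2015-01-10T09:00:00+00:00,false,N/A
alice,arn:aws:iam::123456789012:user/alice,true,true,true,2016-01-20T10:00:00+00:00,false,N/A
bob,arn:aws:iam::123456789012:user/bob,true,false,true,2015-06-01T08:30:00+00:00,false,N/A
deploy-bot,arn:aws:iam::123456789012:user/deploy-bot,false,false,true,2016-02-01T12:00:00+00:00,true,2015-02-01T12:00:00+00:00
"""

MAX_KEY_AGE = timedelta(days=90)                        # assumed rotation window
NOW = datetime(2016, 2, 16, tzinfo=timezone.utc)        # pinned so the demo is repeatable


def _parse_time(value):
    """Timestamps in the report are ISO 8601; several sentinel strings mean 'none'."""
    if value in ("N/A", "not_supported", "no_information", ""):
        return None
    return datetime.fromisoformat(value)


def audit_credentials(report_csv, now=NOW, max_key_age=MAX_KEY_AGE):
    """Return (user, finding) pairs for the slide's IAM do's and don'ts."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        is_root = user == "<root_account>"
        has_mfa = row["mfa_active"] == "true"
        if is_root and not has_mfa:
            findings.append((user, "root account without MFA"))
        elif row["password_enabled"] == "true" and not has_mfa:
            findings.append((user, "console password without MFA"))
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] != "true":
                continue
            if is_root:
                findings.append((user, f"root access key {n} is active; delete it and use an IAM user"))
                continue
            rotated = _parse_time(row[f"access_key_{n}_last_rotated"])
            if rotated is None or now - rotated > max_key_age:
                findings.append((user, f"access key {n} older than {max_key_age.days} days; rotate it"))
    return findings


def users_needing_attention(report_csv):
    """Distinct users with at least one finding, sorted for stable output."""
    return sorted({user for user, _ in audit_credentials(report_csv)})


if __name__ == "__main__":
    for user, finding in audit_credentials(SAMPLE_REPORT):
        print(f"{user:16} {finding}")
```

On the sample, the root account is flagged twice (no MFA, active access key), bob for a password without MFA and a stale key, and the service user for a forgotten second key; alice, who has MFA and a recently rotated key, produces nothing. The real report has more columns (last-used dates, certificates); the same loop extends naturally to "active but never used" keys, which the slide's "do not keep unused keys" point also covers.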

Page 31

Best Practices: Network Security

• Do’s
  • Keep only those instances in a public subnet which need to be accessed directly from the internet.

Page 32

Best Practices: Network Security (cont.)

• Do’s
  • Access private machines within your VPC from outside via a bastion host
  • Install OSSEC – a host-based intrusion detection system
  • Provide limited access to common administrative ports to only a small subset of addresses.
    • This includes ports 22 (SSH), 23 (Telnet), 3389 (RDP), and 5500 (VNC).
  • Provide limited access to common database ports.
  • Try to use non-standard ports for your internal applications
  • ELB listener security
    • Use HTTPS or SSL

Page 33

Best Practices: Network Security (cont.)

• Don’ts
  • Never create security group rules with a source of 0.0.0.0/0
    • Follow the rule of least privilege here as well
    • Especially do not open port 22 for everyone
  • Do not allow UDP / ICMP on private instances.
  • Do not use IPs to allow intra-instance network access
    • Use security groups instead
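The network do's and don'ts on the two slides above (restrict admin and database ports, no 0.0.0.0/0, no UDP/ICMP on private instances, reference security groups rather than IP ranges) can be checked against `aws ec2 describe-security-groups` output. The following is an added example written for this transcript, not code from the slides or Botmetric. The sample groups are constructed in the shape of that API's JSON; the "Tier" tag used to mark private groups is an assumed local convention, and the database port list is a constructed addition to the ports the slide names.

```python
import ipaddress

# Administrative ports named on the slide, plus a constructed list of database ports.
ADMIN_PORTS = {22: "SSH", 23: "Telnet", 3389: "RDP", 5500: "VNC"}
DB_PORTS = {3306: "MySQL", 5432: "PostgreSQL", 1433: "MSSQL", 1521: "Oracle", 27017: "MongoDB"}
SENSITIVE_PORTS = {**ADMIN_PORTS, **DB_PORTS}

# Constructed sample in the shape of `aws ec2 describe-security-groups` output.
# Marking private groups with a "Tier" tag is an assumed local convention, not an AWS feature.
SAMPLE_GROUPS = [
    {"GroupId": "sg-0aaa", "GroupName": "web-public",
     "Tags": [{"Key": "Tier", "Value": "public"}],
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
         {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
     ]},
    {"GroupId": "sg-0bbb", "GroupName": "app-private",
     "Tags": [{"Key": "Tier", "Value": "private"}],
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,
          "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "UserIdGroupPairs": []},
         {"IpProtocol": "udp", "FromPort": 0, "ToPort": 65535,
          "IpRanges": [{"CidrIp": "10.0.1.0/24"}], "UserIdGroupPairs": []},
         {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,  # SSH only from the bastion group
          "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-0ccc"}]},
     ]},
    {"GroupId": "sg-0ddd", "GroupName": "db-private",
     "Tags": [{"Key": "Tier", "Value": "private"}],
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,  # MySQL only from the app group
          "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-0bbb"}]},
         {"IpProtocol": "icmp", "FromPort": -1, "ToPort": -1,
          "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "UserIdGroupPairs": []},
     ]},
]


def _tier(group):
    return next((t["Value"] for t in group.get("Tags", []) if t["Key"] == "Tier"), "unknown")


def _sensitive_ports_in(rule):
    """Names of sensitive ports that fall inside the rule's port range."""
    if rule["IpProtocol"] == "-1":          # "all traffic": every port, every protocol
        return sorted(SENSITIVE_PORTS.values())
    lo, hi = rule.get("FromPort", 0), rule.get("ToPort", 65535)
    return [name for port, name in SENSITIVE_PORTS.items() if lo <= port <= hi]


def audit_security_groups(groups):
    """Return (group_id, severity, message) tuples for rules that break the slides' advice."""
    findings = []
    for group in groups:
        gid, tier = group["GroupId"], _tier(group)
        for rule in group.get("IpPermissions", []):
            proto = rule["IpProtocol"]
            span = "all ports" if proto == "-1" else f"{rule.get('FromPort')}-{rule.get('ToPort')}"
            for cidr in (r["CidrIp"] for r in rule.get("IpRanges", [])):
                net = ipaddress.ip_network(cidr, strict=False)
                if net.prefixlen == 0:                   # 0.0.0.0/0 (or ::/0 for IPv6)
                    exposed = _sensitive_ports_in(rule)
                    if exposed:
                        findings.append((gid, "HIGH", f"{proto} {span} open to the world ({cidr}), exposes {exposed}"))
                    else:
                        findings.append((gid, "INFO", f"{proto} {span} open to the world ({cidr}); confirm it is an intended public listener"))
                elif net.is_private:                     # RFC 1918 source: should be a group reference
                    findings.append((gid, "LOW", f"{proto} {span} allowed from internal CIDR {cidr}; reference a security group instead"))
            if tier == "private" and proto in ("udp", "icmp", "-1"):
                findings.append((gid, "MEDIUM", f"{proto} {span} permitted on private-tier group"))
    return findings


if __name__ == "__main__":
    for gid, severity, message in audit_security_groups(SAMPLE_GROUPS):
        print(f"{gid}  {severity:6} {message}")
```

The only HIGH finding is SSH open to the world on the public web group; the public HTTPS listener on the same group is reported at INFO level so a reviewer confirms it rather than the tool deciding. The two rules that follow the slide's advice (SSH from the bastion group, MySQL from the application group, both expressed as `UserIdGroupPairs`) raise nothing. IPv6 sources live under `Ipv6Ranges` in the real output and would need the same loop with `CidrIpv6`.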

Page 34

Best Practices: Data Security

• Do’s
  • Ensure all sensitive data is encrypted at rest
    • Use native encryption provided with RDS, S3, EBS, etc.
  • Ensure proper permissions for your S3 buckets
    • Do not give read/write access to everyone
  • Use HTTPS/SSL almost always when transferring data over the internet or across regions
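The three data-security points above map onto things an S3 bucket audit can read directly: public grants in the bucket ACL, `Principal: "*"` allow statements in the bucket policy, and whether the policy denies plain-HTTP access (`aws:SecureTransport`) and unencrypted uploads (`s3:x-amz-server-side-encryption`). Below is an added example written for this transcript, not code from the slides or from Botmetric. The two buckets are constructed samples in the shape of `get-bucket-acl` and `get-bucket-policy` output; the condition-key checks are a deliberately simple heuristic (a deny written with the `Null` operator, for instance, would not be recognised).

```python
# Group URIs that make an ACL grant public; these two URIs are the ones S3 uses.
PUBLIC_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "everyone (anonymous)",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "any AWS account",
}

# Constructed samples shaped like get-bucket-acl / get-bucket-policy output.
PUBLIC_BUCKET = {
    "Name": "example-public-assets",
    "Acl": {"Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id-placeholder"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"},
    ]},
    "Policy": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-public-assets/*"},
    ]},
}

LOCKED_DOWN_BUCKET = {
    "Name": "example-app-data",
    "Acl": {"Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id-placeholder"}, "Permission": "FULL_CONTROL"},
    ]},
    "Policy": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:role/app"},
         "Action": ["s3:GetObject", "s3:PutObject"], "Resource": "arn:aws:s3:::example-app-data/*"},
        # Deny anything not sent over TLS
        {"Effect": "Deny", "Principal": "*", "Action": "s3:*",
         "Resource": ["arn:aws:s3:::example-app-data", "arn:aws:s3:::example-app-data/*"],
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
        # Deny uploads that do not request server-side encryption
        {"Effect": "Deny", "Principal": "*", "Action": "s3:PutObject",
         "Resource": "arn:aws:s3:::example-app-data/*",
         "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "AES256"}}},
    ]},
}


def _everyone(principal):
    """True for the two spellings of 'anyone' in a policy Principal."""
    return principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*")


def _has_deny(policy, operator, key, accepted):
    """Is there a Deny statement whose Condition[operator][key] is one of `accepted`?"""
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Deny":
            continue
        cond = stmt.get("Condition", {}).get(operator, {})
        if key not in cond:
            continue
        values = cond[key] if isinstance(cond[key], list) else [cond[key]]
        if any(v in accepted for v in values):
            return True
    return False


def audit_bucket(bucket):
    """Return findings for one bucket's ACL and policy (empty list = nothing to report)."""
    findings = []
    for grant in bucket["Acl"].get("Grants", []):
        grantee = grant["Grantee"]
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GRANTEES:
            findings.append(f"ACL grants {grant['Permission']} to {PUBLIC_GRANTEES[grantee['URI']]}")
    policy = bucket.get("Policy", {})
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") == "Allow" and _everyone(stmt.get("Principal")) and "Condition" not in stmt:
            findings.append(f"policy statement {i} allows {stmt.get('Action')} to Principal '*'")
    if not _has_deny(policy, "Bool", "aws:SecureTransport", {"false"}):
        findings.append("no Deny on aws:SecureTransport=false; plain HTTP access is permitted")
    if not _has_deny(policy, "StringNotEquals", "s3:x-amz-server-side-encryption", {"AES256", "aws:kms"}):
        findings.append("no Deny on unencrypted PutObject; objects may be stored without server-side encryption")
    return findings


if __name__ == "__main__":
    for b in (PUBLIC_BUCKET, LOCKED_DOWN_BUCKET):
        print(b["Name"], audit_bucket(b) or "clean")
```

The public bucket yields four findings (public READ in the ACL, an unconditional `Principal: "*"` allow, and neither protective deny), while the locked-down bucket yields none. A bucket that hosts a public website may legitimately keep the `GetObject` allow; the audit surfaces it so that choice is explicit rather than accidental, which is the slide's "ensure proper permissions" point.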

Page 35

Best Practices: Inventory/Config

• Do’s
  • Enable AWS CloudTrail logs
    • Even in regions where you don’t have instances
  • Enable VPC Flow Logs
  • Enable ELB Access Logs
  • Enable AWS Config
  • Enable Termination Protection
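Enabling CloudTrail is only useful if someone reads it. As an added example, not code from the slides or from Botmetric, the block below runs simple detections over CloudTrail records that correspond to the deck's own warnings: root account activity, console logins without MFA, calls that stop or alter logging, and security group rules opened to 0.0.0.0/0. The five records are constructed, one JSON object per line, using CloudTrail's field names and nesting (a real trail delivers gzipped files with a `Records` array); account ids, users and IP addresses are invented.

```python
import json

# Constructed CloudTrail-style records, one per line. Field names and nesting follow the
# CloudTrail record format; the account id, users and source IPs are invented.
SAMPLE_EVENTS = """\
{"eventTime":"2016-02-16T08:01:00Z","eventSource":"signin.amazonaws.com","eventName":"ConsoleLogin","userIdentity":{"type":"Root","arn":"arn:aws:iam::123456789012:root"},"sourceIPAddress":"203.0.113.10","responseElements":{"ConsoleLogin":"Success"},"additionalEventData":{"MFAUsed":"No"}}
{"eventTime":"2016-02-16T08:05:00Z","eventSource":"signin.amazonaws.com","eventName":"ConsoleLogin","userIdentity":{"type":"IAMUser","userName":"alice","arn":"arn:aws:iam::123456789012:user/alice"},"sourceIPAddress":"203.0.113.11","responseElements":{"ConsoleLogin":"Success"},"additionalEventData":{"MFAUsed":"Yes"}}
{"eventTime":"2016-02-16T08:20:00Z","eventSource":"cloudtrail.amazonaws.com","eventName":"StopLogging","userIdentity":{"type":"IAMUser","userName":"bob","arn":"arn:aws:iam::123456789012:user/bob"},"sourceIPAddress":"198.51.100.7","requestParameters":{"name":"arn:aws:cloudtrail:us-east-1:123456789012:trail/main"}}
{"eventTime":"2016-02-16T08:30:00Z","eventSource":"ec2.amazonaws.com","eventName":"AuthorizeSecurityGroupIngress","userIdentity":{"type":"IAMUser","userName":"alice","arn":"arn:aws:iam::123456789012:user/alice"},"sourceIPAddress":"203.0.113.11","requestParameters":{"groupId":"sg-0aaa","ipPermissions":{"items":[{"ipProtocol":"tcp","fromPort":22,"toPort":22,"ipRanges":{"items":[{"cidrIp":"0.0.0.0/0"}]}}]}}}
{"eventTime":"2016-02-16T08:45:00Z","eventSource":"ec2.amazonaws.com","eventName":"DescribeInstances","userIdentity":{"type":"AssumedRole","arn":"arn:aws:sts::123456789012:assumed-role/deploy/i-0123"},"sourceIPAddress":"10.0.1.25","requestParameters":null}
"""

# CloudTrail API calls that switch logging off or change what is recorded.
LOGGING_TAMPER = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}


def parse_events(text):
    """One JSON record per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def _ingress_cidrs(params):
    """Yield every source CIDR in an AuthorizeSecurityGroupIngress request."""
    for perm in params.get("ipPermissions", {}).get("items", []):
        for r in perm.get("ipRanges", {}).get("items", []):
            yield r.get("cidrIp")
        for r in perm.get("ipv6Ranges", {}).get("items", []):
            yield r.get("cidrIpv6")


def detect(events):
    """Return (severity, eventName, message) alerts for the patterns the slides warn about."""
    alerts = []
    for e in events:
        ident = e.get("userIdentity") or {}
        who = ident.get("userName") or ident.get("arn", "unknown")
        name = e.get("eventName")
        src = e.get("sourceIPAddress")
        params = e.get("requestParameters") or {}      # null in the record for some read-only calls
        if ident.get("type") == "Root":
            alerts.append(("HIGH", name, f"root account activity from {src}"))
        if (name == "ConsoleLogin"
                and (e.get("responseElements") or {}).get("ConsoleLogin") == "Success"
                and (e.get("additionalEventData") or {}).get("MFAUsed") != "Yes"):
            alerts.append(("HIGH", name, f"console login without MFA by {who} from {src}"))
        if e.get("eventSource") == "cloudtrail.amazonaws.com" and name in LOGGING_TAMPER:
            alerts.append(("HIGH", name, f"CloudTrail logging changed by {who}: {params.get('name')}"))
        if name == "AuthorizeSecurityGroupIngress":
            for cidr in _ingress_cidrs(params):
                if cidr in ("0.0.0.0/0", "::/0"):
                    alerts.append(("MEDIUM", name,
                                   f"world-open ingress ({cidr}) added to {params.get('groupId')} by {who}"))
    return alerts


if __name__ == "__main__":
    for severity, event, message in detect(parse_events(SAMPLE_EVENTS)):
        print(f"{severity:6} {event:30} {message}")
```

On the sample, the root login raises two alerts (root usage and a login without MFA), the `StopLogging` call and the world-open SSH rule one each, and alice's MFA-backed login and the role's `DescribeInstances` none. In production the same function would be fed from the trail's S3 delivery bucket or from a CloudWatch Logs subscription, which is also where the slide's "alert notifications on thresholds" point on CloudWatch comes in.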

Page 36

How Botmetric can help you

Page 37

Performs Regular Security Scans

Page 38

Detects and Reports Best Practices Violations

• Proactively sends a summary email with a list of important audit violations

• You can view major violations detected by Security Audit from a single pane

Page 39

Act on Audit Violations Right from Botmetric

Provides a one-click fix for many of the audit violations.

Page 40

Provides step-by-step guidelines to fix the audit violations.

Supplies your team with enough information to help them go from problem to solution, 10x faster.

Page 41

Provides Audit History and Ability for On-Demand Audit

Lets you view audit history in detail. You can also download historical audit reports.

Apart from daily automated audits, you can also run an audit whenever you want.

You can run an audit on the AWS account of your choice.

Page 42

When Should You Perform a Security Audit

• On a periodic basis

• When there are changes in your organization

• If you have stopped using any AWS service

• If you have added or removed software

• If you suspect unauthorized access

Page 43

Recap

• Be vigilant

• Audit regularly

• Rotate keys and credentials

• Always follow the principle of least permissions

• Do not use the root account

• Keep your security group rules tight

• Wherever possible, enable MFA

Page 44

Further reading

• AWS Security Features

• AWS Security Blog

• AWS Security Best Practices White Paper

Page 45

Thou shalt relax and ask questions :)

Sign up for a 14-day free trial: www.botmetric.com

Follow us for more events and webinars

Amarkant Singh, Director, Product Engineering