AWS Security in Plain English – AWS Security Day

Maitreya Ranganath [email protected]
Jeremy Cowan [email protected]
Larry Gilreath [email protected]

Uploaded by: amazon-web-services
Posted on 06-Jan-2017

Page 2

Job Zero

Network Security
Physical Security
Platform Security
People & Procedures

Page 3

SHARED

Page 4

AWS is responsible for the security OF the Cloud, and that security is constantly improving.

AWS Foundation Services: Compute, Storage, Database, Networking
AWS Global Infrastructure: Regions, Availability Zones, Edge Locations

Standards: GxP, ISO 13485, AS9100, ISO/TS 16949

Page 5

Shared responsibility

Customers have their choice of security configurations IN the Cloud:
• Customer applications & content
• Client-side Data Encryption
• Server-side Data Encryption
• Network Traffic Protection
• Platform, Applications, Identity & Access Management
• Operating System, Network, & Firewall Configuration

AWS is responsible for the security OF the Cloud:
• AWS Foundation Services: Compute, Storage, Database, Networking
• AWS Global Infrastructure: Regions, Availability Zones, Edge Locations

Page 6

WHO CAN DO WHAT

Page 7

0. Create individual users.

Benefits
• Unique credentials
• Individual credential rotation
• Individual permissions

Page 8

1. Grant least privilege.

Benefits
• Less chance of people making mistakes
• Easier to relax than tighten up
• More granular control

Page 9

2. Manage permissions with groups.

Benefits
• Easier to assign the same permissions to multiple users
• Simpler to reassign permissions based on change in responsibilities
• Only one change to update permissions for multiple users

Page 10

3. Restrict privileged access further with conditions.

Benefits
• Additional granularity when defining permissions
• Can be enabled for any AWS service API
• Minimizes chances of accidentally performing privileged actions

Page 11
Page 12

Allow selected actions (Production instances, us-east-1)

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:StartInstances",
        "ec2:StopInstances",
        "ec2:RebootInstances",
        "ec2:TerminateInstances"
      ],
      "Condition": {
        "StringEquals": {
          "ec2:ResourceTag/Environment": "Production"
        }
      },
      "Resource": [
        "arn:aws:ec2:us-east-1:123456789012:instance/*"
      ]
    }
  ]
}
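To make the tag condition in the policy above concrete, here is an added Python example (not from the deck and not AWS's own evaluation engine) that evaluates that policy against sample requests using a deliberately reduced subset of IAM logic: wildcard matching for Action and Resource, the StringEquals operator, and explicit-Deny-wins ordering. The instance ids and the non-Production tag values used to exercise it are constructed.

```python
import fnmatch

# The slide's policy, transcribed here as a constructed Python dict.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["ec2:StartInstances", "ec2:StopInstances",
                   "ec2:RebootInstances", "ec2:TerminateInstances"],
        "Condition": {"StringEquals": {"ec2:ResourceTag/Environment": "Production"}},
        "Resource": ["arn:aws:ec2:us-east-1:123456789012:instance/*"],
    }],
}


def _as_list(value):
    """IAM accepts a single string or a list for Action and Resource."""
    return value if isinstance(value, list) else [value]


def _matches(patterns, value, fold_case=False):
    """IAM-style wildcard match: '*' and '?' are the only wildcards.
    Action names are case-insensitive in IAM; ARNs are matched as written."""
    if fold_case:
        patterns, value = [p.lower() for p in patterns], value.lower()
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def _condition_ok(condition, context):
    """Only the StringEquals operator is modelled; every listed key must match."""
    for key, expected in condition.get("StringEquals", {}).items():
        if context.get(key) != expected:
            return False
    return True


def is_allowed(policy, action, resource, context):
    """Simplified IAM decision: an explicit Deny wins, otherwise any matching
    Allow grants access, otherwise the request is implicitly denied."""
    allowed = False
    for statement in policy["Statement"]:
        if not _matches(_as_list(statement["Action"]), action, fold_case=True):
            continue
        if not _matches(_as_list(statement["Resource"]), resource):
            continue
        if not _condition_ok(statement.get("Condition", {}), context):
            continue
        if statement["Effect"] == "Deny":
            return False
        allowed = True
    return allowed
```

For a real policy, check the decision with the IAM policy simulator rather than a local model, since the simplified evaluator ignores resource policies, permission boundaries and the other condition operators.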

Page 13

4. Enable AWS CloudTrail and AWS Config

Benefits

• Visibility into your user activity by recording AWS API calls to an Amazon S3 bucket

• Track changes to your resources over time.

Page 14

Enabling AWS Config

Page 15

5. Configure a strong password policy.

Benefits
• Ensures your users and your data are protected

Page 16

Applying Password Policy

Page 17

6. Rotate security credentials regularly.

Benefits
• Normal best practice

Page 18

7. Enable MFA for privileged users.

Benefits
• Supplements user name and password to require a one-time code during authentication

Page 19

Turning MFA on for the AWS Root Account

Page 20

8. Use IAM roles to share access.

Benefits
• No need to share security credentials
• No need to store long-term credentials
• Use cases
  - Cross-account access
  - Intra-account delegation
  - Federation

Page 21

9. Use IAM roles for Amazon EC2 instances.

Benefits
• Easy to manage access keys on EC2 instances
• Automatic key rotation
• Assign least privilege to the application
• AWS SDKs fully integrated
• AWS CLI fully integrated

Page 22

10. Reduce or remove use of root.

Benefits
• Reduce potential for misuse of credentials

Page 23

11. Get alerted on use of Root and sensitive actions

Benefits
• Automate monitoring and alerting of actions

Page 24

Get Alerted on AWS Root Use

Page 25

0. Users
1. Permissions
2. Groups
3. Conditions
4. Auditing
5. Password
6. Rotate
7. MFA
8. Sharing
9. Roles
10. Root
11. Alerting

Page 26

NETWORK

Page 27

Availability Zone A / Availability Zone B

AWS Virtual Private Cloud
• Provision a logically isolated section of the AWS cloud
• You choose a private IP range for your VPC
• Segment this into subnets to deploy your compute instances

AWS network security
• AWS network will prevent spoofing and other common layer 2 attacks
• You cannot sniff anything but your own EC2 host network interface
• Control all external routing and connectivity

Page 28

[Diagram: Web, App and DB tiers]

Page 29

[Diagram: Web, App and DB tiers, labelled "Deny all traffic" and "Allow"]

Page 30

[Diagram: Web, App and DB tiers, with Port 443 labelled on the Web tier]

Page 31

[Diagram: Web tier labelled PUBLIC, App and DB tiers labelled PRIVATE, DB tier labelled REPLICATE ON-PREM]

Page 32

AWS VPC Peering

Route traffic between VPCs in private and peer specific subnets between each VPC. Even between AWS accounts.

[Diagram: peered VPCs for Digital Websites, Big Data Analytics, Enterprise Apps and Common Services]

Page 33

AWS Direct Connect: connect your premises to your AWS environment resiliently and directly

[Diagram: YOUR PREMISES connected to YOUR AWS ENVIRONMENT (Digital Websites, Big Data Analytics, Dev and Test, Enterprise Apps) via AWS Direct Connect and via Internet VPN]

Page 34

Physical Data Center          ->  AWS VPC
VLANs / Subnets               ->  Subnets
Routers & Routing Protocols   ->  Route Tables
Stateful Firewalls            ->  Security Groups
Network ACL                   ->  NACLs
Web Application Firewall      ->  AWS WAF or Partner Products
Network based IDS/IPS         ->  Host based IDS/IPS
Internet Connection           ->  Internet Gateway
Inter Data Center Links       ->  IPSec VPN or Direct Connect

Page 35
Page 36

Amazon Inspector

Security assessment tool analyzing end-to-end application configuration and activity

Page 37
Page 38

Configuration Scanning Engine
Activity monitoring
Built-in content library
Automatable via API
Fully auditable

Page 39

CVE
Network Security Best Practices
Authentication Best Practices
Operating System Best Practices
Application Security Best Practices
PCI DSS 3.0 Readiness

Page 40

Increased agility

Embedded expertise

Improved security posture

Streamlined compliance

Page 41
Page 42
Page 43
Page 44

AWS Config Rules

Page 45

Flexible rules evaluated continuously and retroactively

Dashboard and reports for common goals

Customizable remediation

API automation

Page 46

ecosystem

Page 47

Continuous monitoring for unexpected changes

Shared compliance across your organization

Simplified management of configuration changes

Page 48
Page 49

https://media.amazonwebservices.com/pdf/AWS_Security_Whitepaper.pdf

http://d0.awsstatic.com/whitepapers/compliance/AWS_Risk_and_Compliance_Whitepaper.pdf

http://media.amazonwebservices.com/AWS_Security_Best_Practices.pdf

http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html

http://aws.amazon.com/answers

Page 50

https://youtu.be/fCH4r3s4THQ

https://youtu.be/_wiGpBQGCjU

https://youtu.be/5_bQ6Dgk6k8

https://youtu.be/ykmqjgLdmL4

https://youtu.be/3qln2u1Vr2E