Cloud Security with Amazon Web Services
Security in the AWS Cloud
Steve [email protected]
@steveriley
@awscloud
http://stvrly.wordpress.com
http://aws.typepad.com
Amazon Web Services: 4 regions
Amazon CloudFront: 16 edge locations
http://status.aws.amazon.com/
Amazon S3, Amazon SimpleDB, Amazon RDS (multi AZ)
Amazon EBS, Amazon RDS (one AZ)
Amazon EC2
++++
++
DoD 5220.22-M and NIST 800-88
Hypervisor layer
Physical interfaces
AWS firewall
Customer 1 security groups
Customer 2 security groups
Customer n security groups
Customer 1 virtual interfaces
Customer 2 virtual interfaces
Customer n virtual interfaces
Customer 1, Customer 2, … Customer n
AWS admins only: SSH via bastions, audits reviewed
Customer only: inbound flows, default deny
Customer only: SSH, ID/pw, X.509; root/admin control
• DDoS attacks
• MITM attacks
• IP spoofing
• Packet sniffing
• Port scanning
AWS
You
Web tier: HTTP/HTTPS from Internet; SSH/RDP management from corpnet
Application tier: SSH/RDP management from corpnet
Database tier: SSH/RDP management from corpnet, vendor
ec2-authorize WebSG -P tcp -p 80 -s 0.0.0.0/0
ec2-authorize WebSG -P tcp -p 443 -s 0.0.0.0/0
ec2-authorize WebSG -P tcp -p 22|3389 -s CorpNet
ec2-authorize AppSG -P prot -p AppPortRange -o WebSG
ec2-authorize AppSG -P tcp -p 22|3389 -s CorpNet
ec2-authorize DBSG -P prot -p DBPortRange -o AppSG
ec2-authorize DBSG -P tcp -p 22|3389 -s CorpNet
ec2-authorize DBSG -P tcp -p 22|3389 -s Vendor
ec2-authorize InspSG -P prot -p port -s 0.0.0.0/0
. . .
ec2-authorize WebSG -P tcp -p 80 -o InspSG
ec2-authorize WebSG -P tcp -p 443 -o InspSG
ec2-authorize WebSG -P tcp -p 22|3389 -s CorpNet
ec2-authorize AppSG -P prot -p AppPortRange -o WebSG
ec2-authorize AppSG -P tcp -p 22|3389 -s CorpNet
ec2-authorize DBSG -P prot -p DBPortRange -o AppSG
ec2-authorize DBSG -P tcp -p 22|3389 -s CorpNet
ec2-authorize DBSG -P tcp -p 22|3389 -s Vendor
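Added example (not from the original slides): a small Python model of the two rule sets above, treating -s rules as source-CIDR matches and -o rules as source-group matches under default deny, plus an audit that lists what is open to 0.0.0.0/0. The CorpNet and Vendor ranges, the application and database ports, and the InspSG port are constructed stand-ins for the slide's placeholders.

```python
import ipaddress

# Constructed stand-ins for the slide's placeholders (assumptions, not from the deck).
CORPNET, VENDOR, ANY = "198.51.100.0/24", "203.0.113.0/24", "0.0.0.0/0"
APP_PORT, DB_PORT, MGMT = 8080, 3306, (22, 3389)

def tiers(inspected=False):
    """Rules as (group, port, kind, source); kind 'cidr' mirrors -s, 'group' mirrors -o."""
    front = ("group", "InspSG") if inspected else ("cidr", ANY)
    rules = [("WebSG", p, *front) for p in (80, 443)]
    rules += [("AppSG", APP_PORT, "group", "WebSG"), ("DBSG", DB_PORT, "group", "AppSG")]
    rules += [(g, p, "cidr", CORPNET) for g in ("WebSG", "AppSG", "DBSG") for p in MGMT]
    rules += [("DBSG", p, "cidr", VENDOR) for p in MGMT]
    if inspected:
        rules.append(("InspSG", 443, "cidr", ANY))
    return rules

def allowed(rules, dst_group, port, src_ip=None, src_group=None):
    """Default deny: a flow passes only if some inbound rule on dst_group matches it."""
    for group, rule_port, kind, source in rules:
        if group != dst_group or rule_port != port:
            continue
        if kind == "group" and src_group == source:
            return True
        if kind == "cidr" and src_ip is not None and \
                ipaddress.ip_address(src_ip) in ipaddress.ip_network(source):
            return True
    return False

def internet_exposed(rules):
    """Audit helper: (group, port) pairs reachable from any address."""
    return sorted({(g, p) for g, p, kind, src in rules if kind == "cidr" and src == ANY})

if __name__ == "__main__":
    flat, insp = tiers(), tiers(inspected=True)
    print("open to Internet (first rule set): ", internet_exposed(flat))
    print("open to Internet (with InspSG):    ", internet_exposed(insp))
    # 192.0.2.7 is a constructed Internet address; the database tier must refuse it.
    print("Internet -> DBSG:", allowed(flat, "DBSG", DB_PORT, src_ip="192.0.2.7"))
    print("AppSG    -> DBSG:", allowed(flat, "DBSG", DB_PORT, src_group="AppSG"))
    print("WebSG    -> DBSG:", allowed(flat, "DBSG", DB_PORT, src_group="WebSG"))
```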
Your corporate network
Amazon Web Services Cloud
Your VPC
IPsec tunnel mode
128-bit AES, SHA-1, PFS, BGP
Currently
• EC2 on-demand and reserved
• EBS
• CloudWatch
• Linux/Unix and Windows
• US-East, EU-West

Upcoming
• >1 AZ, >1 router
• Bidirectional Internet
• Elastic IPs
• Elastic Load Balancing
• Autoscaling
• DevPay
• Inter-subnet security groups
• Subnet ACLs

Things to know
• “Key” = name of object
• 99.999999999% annual durability
• Versioning support

• List
• Upload/delete
• View permissions
• Edit permissions

• Open/download
• View permissions
• Edit permissions
Bucket policies

Bucket policy
• Grant/deny an account access to multiple resources
• Restrict based on custom conditions: strings, numbers, booleans; dates, times; IP addresses; Amazon resource names
• Policies can include request attributes: current time; whether using SSL; source IP; user agent; epoch; referrer

Access control list
• Grant user access to single resource
• No conditions
• No request attributes
• Choice of 25 operations on objects, buckets, and bucket sub-resources
• Know your JSON

• AWS services
• Resources

• Source IP
• Time of day
• Use of SSL
http://aws.amazon.com/iam/
IAM details
• Preview beta includes:
  – Amazon EC2, S3, VPC, SQS, SNS, RDS, SimpleDB, Auto Scaling, ELB
  – Configured via API calls
  – Add users, define groups and hierarchies, set permissions, enable API calls, assign MFAs
• Future:
  – User login to console, user management console
• No additional charge
http://aws.amazon.com/mfa/
*:*
Compliance
• HIPAA
  – Current customer deployments
  – Whitepaper describes the specifics
• SAS 70 type II
  – Multiple audits
  – Simplified process to get your copy
• FISMA moderate Authority to Operate
• ISO 27001/27002
SAS 70 Type II controls

Security Organization: Controls provide reasonable assurance that there is a clear information security policy that is communicated throughout the organization to users.

Amazon Employee Lifecycle: Controls provide reasonable assurance that procedures have been established so that Amazon employee user accounts are added, modified and deleted in a timely manner and reviewed on a periodic basis to reduce the risk of unauthorized / inappropriate access.

Logical Security: Controls provide reasonable assurance that unauthorized internal and external access to data is appropriately restricted and access to customer data is appropriately segregated from other customers.

Secure Data Handling: Controls provide reasonable assurance that data handling between the customer’s point of initiation to an AWS storage location is secured and mapped accurately.

Physical Security: Controls provide reasonable assurance that physical access to Amazon’s operations building and the data centers is restricted to authorized personnel.

Environmental Safeguards: Controls provide reasonable assurance that procedures exist to minimize the effect of a malfunction or physical disaster to the computer and data center facilities.

Change Management: Controls provide reasonable assurance that changes (including emergency / non-routine and configuration) to existing IT resources are logged, authorized, tested, approved and documented.

Data Integrity, Availability, and Redundancy: Controls provide reasonable assurance that data integrity is maintained through all phases including transmission, storage and processing.

Incident Handling: Controls provide reasonable assurance that system incidents are recorded, analyzed, and resolved in a timely manner.
https://aws.amazon.com/security/aws-pgp-public-key/
http://aws.amazon.com/security/
Thank you very much!