Security best practices on AWS cloud
Martin Yan – Head of Enterprise Sales, AWS HK/Taiwan Security best practices on AWS


Post on 15-Jan-2015


Page 1: Security best practices on AWS cloud

Martin Yan – Head of Enterprise Sales, AWS HK/Taiwan

Security best practices on AWS

Page 2: Security best practices on AWS cloud

What we will cover today

1. Quick intro on AWS

2. Understanding shared responsibility for security

3. Using AWS global reach and availability features

4. Building a secure virtual private cloud

5. Using AWS Identity and Access Management

6. Protecting your content on AWS

7. Building secure applications on AWS

Page 3: Security best practices on AWS cloud

Security best practices for AWS (section 1 of 7): Quick intro on AWS

Page 4: Security best practices on AWS cloud

What is AWS?

(service stack diagram: AWS Global Infrastructure at the base; Compute, Storage and Database; Networking; Deployment & Administration; Application Services)

Page 5: Security best practices on AWS cloud

AWS Global Infrastructure

9 Regions

25+ Availability Zones

Continuous Expansion

Page 6: Security best practices on AWS cloud

• $5.2B retail business

• 7,800 employees

• A whole lot of servers

Every day, AWS adds enough server capacity to power that whole $5B enterprise

Page 7: Security best practices on AWS cloud

Solving Problems for Organizations Around the World

Page 8: Security best practices on AWS cloud

Compute Services

• Amazon EC2: elastic virtual servers in the cloud

• Elastic Load Balancing: dynamic traffic distribution

• Auto Scaling: automated scaling of EC2 capacity

Page 9: Security best practices on AWS cloud

Networking Services

• Amazon VPC: private, isolated section of the AWS Cloud (diagram shows a VPC spanning Availability Zone A and Availability Zone B)

• AWS Direct Connect: private connectivity between AWS and your datacenter

• Amazon Route 53: Domain Name System (DNS) web service

Page 10: Security best practices on AWS cloud

Storage Services

• Amazon EBS: block storage for use with Amazon EC2

• Amazon S3: internet-scale storage via API (images, videos, files, binaries, snapshots)

• AWS Storage Gateway: integrates on-premises IT and AWS storage (S3, Glacier)

• Amazon Glacier: storage for archiving and backup (images, videos, files, binaries, snapshots)

Page 11: Security best practices on AWS cloud

Application Services

• Amazon CloudFront: distribute content globally

• Amazon RDS: managed relational database service

• Amazon DynamoDB: managed NoSQL database service

• Amazon CloudSearch: managed search service

Page 12: Security best practices on AWS cloud

Big Data Services

• Amazon EMR (Elastic Map Reduce): hosted Hadoop framework

• Amazon Redshift: petabyte-scale data warehouse service

• AWS Data Pipeline: move data among AWS services and on-premises data sources

Page 13: Security best practices on AWS cloud

Deployment & Administration

• Amazon CloudWatch: monitor resources

• AWS IAM (Identity & Access Mgmt): manage users, groups & permissions

• AWS OpsWorks: Dev-Ops framework for application lifecycle management

• AWS CloudFormation: templates to deploy & manage

• AWS Elastic Beanstalk: automate resource management (web app, enterprise app, database)

Page 14: Security best practices on AWS cloud

Security best practices for AWS (section 2 of 7): Understanding shared responsibility for security

Page 15: Security best practices on AWS cloud

Every customer has access to the same security capabilities

AWS maintains a formal control environment

• SOC 1 (SSAE 16 & ISAE 3402) Type II (was SAS70)

• SOC 2 Type 1

• ISO 27001 Certification

• Certified PCI DSS Level 1 Service Provider

• FedRAMP (FISMA), ITAR, FIPS 140-2

• HIPAA and MPAA capable

(diagram: foundation services (compute, storage, database, networking) running on the AWS global infrastructure of Regions, Availability Zones and Edge Locations)

Page 16: Security best practices on AWS cloud

Shared responsibility diagram:

AWS is responsible for the foundation services (compute, storage, database, networking) and the global infrastructure (Regions, Availability Zones, Edge Locations)

• Culture of security and continual improvement

• Ongoing audits and assurance

• Protection of large-scale service endpoints

Customers are responsible for their content and for everything they run on top: platform, applications, identity & access management; operating system, network & firewall configuration; client-side data encryption; server-side data encryption; network traffic protection

• Customers configure AWS security features

• Get access to a mature vendor marketplace

• Can implement and manage their own controls

• Gain additional assurance above AWS controls

Security is a shared responsibility between AWS and our customers

Page 17: Security best practices on AWS cloud

Compliance diagram: AWS foundation services (compute, storage, database, networking) and global infrastructure (Regions, Availability Zones, Edge Locations) underneath your compliant solutions, your certifications, and your external audits and attestations

AWS:

• Culture of security and continual improvement

• Ongoing audits and assurance

• Protection of large-scale service endpoints

You can build end-to-end compliance, certification and audit

• Achieve PCI, HIPAA and MPAA compliance

• Certify against ISO27001 with a reduced scope

• Have key controls audited or publish your own independent attestations

Page 18: Security best practices on AWS cloud

Customers retain ownership of their intellectual property and content

• Customers manage their privacy objectives how they choose to

• Select the AWS geographical Region and no automatic replication elsewhere

• Customers can encrypt their content, retain management and ownership of keys and implement additional controls to protect their content within AWS

The security of our services and customers is key to AWS

• Security starts at the top in Amazon with a dedicated CISO and strong cultural focus

• Dedicated internal teams constantly looking at the security of our services

• AWS support personnel have no access to customer content

Customers retain full ownership and control of their content

Page 19: Security best practices on AWS cloud

Security best practices for AWS (section 3 of 7): Using AWS global reach and availability features

Page 20: Security best practices on AWS cloud

Region

(map of Regions: US-EAST (Virginia), US-WEST (N. California), US-WEST (Oregon), GOV CLOUD, EU-WEST (Ireland), ASIA PAC (Tokyo), ASIA PAC (Singapore), ASIA PAC (Sydney), SOUTH AMERICA (Sao Paulo))

AWS lets customers choose where their content goes

Page 21: Security best practices on AWS cloud

Availability Zone

Take advantage of high availability in every Region

(map: the same Regions, US-EAST (Virginia), US-WEST (N. California), US-WEST (Oregon), GOV CLOUD, EU-WEST (Ireland), ASIA PAC (Tokyo), ASIA PAC (Singapore), ASIA PAC (Sydney) and SOUTH AMERICA (Sao Paulo), each with multiple Availability Zones)

Page 22: Security best practices on AWS cloud

Edge Locations

(map: Ashburn (2), Dallas (2), Jacksonville, Los Angeles (2), Miami, Newark, New York (2), Palo Alto, San Jose, Seattle, South Bend, St. Louis, Sao Paulo, Amsterdam, Dublin, Frankfurt (2), London (2), Milan, Paris (2), Stockholm, Chennai, Hong Kong, Mumbai, Osaka, Singapore (2), Sydney, Tokyo)

Use edge locations to serve content close to your customers

Page 23: Security best practices on AWS cloud

Build your solution for continuous, resilient operations

Scalable, fault tolerant services

• Build resilient solutions operating in multiple datacenters

• AWS helps simplify active-active operations

All AWS facilities are always on

• No need for a “Disaster Recovery Datacenter” when you can have resilience

• Every one managed to the same global standards

Robust connectivity and bandwidth

• Each AZ has multiple, redundant Tier 1 ISP Service Providers

• Resilient network infrastructure

Page 24: Security best practices on AWS cloud

Security best practices for AWS (section 4 of 7): Building a secure virtual private cloud

Page 25: Security best practices on AWS cloud

Each AWS Region has multiple availability zones

(diagram: Availability Zone A, Availability Zone B)

Page 26: Security best practices on AWS cloud

Your VPC spans every availability zone in the Region

(diagram: one VPC covering Availability Zone A and Availability Zone B)

Page 27: Security best practices on AWS cloud

Customers control their VPC IP address ranges

(diagram: VPC A - 10.0.0.0/16 spanning Availability Zone A and Availability Zone B)

Choose your VPC address range

• Your own private, isolated section of the AWS cloud

• Every VPC has a private IP address space

• The maximum CIDR block you can allocate is /16

• For example 10.0.0.0/16 – this allows 256*256 = 65,536 IP addresses

Select IP addressing strategy

• You can’t change the VPC address space once it’s created

• Think about overlaps with other VPCs or existing corporate networks

• Don’t waste address space, but don’t constrain your growth either

Page 28: Security best practices on AWS cloud

We will concentrate on a single availability zone just now

(diagram: VPC A - 10.0.0.0/16, Availability Zone A)

Page 29: Security best practices on AWS cloud

Segment your VPC address space into multiple subnets

(diagram: VPC A - 10.0.0.0/16 in Availability Zone A, divided into subnets 10.0.1.0/24, 10.0.2.0/24, 10.0.3.0/24, 10.0.4.0/24 and 10.0.5.0/24, with EC2, NAT and Web instances placed in them)
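The two addressing slides above (choose a block no larger than /16, catch overlaps with other VPCs and corporate networks before the VPC is created because the range cannot be changed afterwards, then carve it into subnets) can be checked mechanically. The following Python is an added example, not code from the presentation or from AWS; the `EXISTING_NETWORKS` table and the function names are constructed, and the /28 minimum block size and the five addresses AWS reserves in every subnet are taken from AWS documentation rather than from the slides.

```python
"""VPC address planning helpers: validate a proposed VPC range against the /16
maximum, check it for overlap with other networks, and carve it into /24 subnets.
Added example, not code from the slides; the existing networks are constructed."""
import ipaddress
from itertools import islice
from typing import Dict, List

# Constructed: address space already in use elsewhere (not from the slides).
EXISTING_NETWORKS: Dict[str, ipaddress.IPv4Network] = {
    "corporate-lan": ipaddress.ip_network("10.1.0.0/16"),
    "vpc-b": ipaddress.ip_network("172.16.0.0/16"),
}


def check_vpc_cidr(cidr: str, existing=EXISTING_NETWORKS) -> List[str]:
    """Return the problems with a proposed VPC CIDR; an empty list means it is usable."""
    problems: List[str] = []
    try:
        net = ipaddress.ip_network(cidr, strict=True)  # rejects host bits set, e.g. 10.0.1.0/16
    except ValueError as exc:
        return [f"invalid CIDR {cidr!r}: {exc}"]
    if net.prefixlen < 16:  # the slides: /16 is the largest block a VPC can have
        problems.append(f"{net} is larger than the /16 maximum")
    if net.prefixlen > 28:  # assumption from AWS documentation, not on the slides: /28 is the smallest
        problems.append(f"{net} is smaller than the /28 minimum")
    if not net.is_private:
        problems.append(f"{net} is not RFC 1918 private address space")
    # The range cannot be changed after creation, so overlaps must be caught now.
    for name, other in existing.items():
        if net.overlaps(other):
            problems.append(f"{net} overlaps {name} ({other})")
    return problems


def address_count(cidr: str) -> int:
    """Total addresses in a block: 256*256 = 65,536 for a /16, as the slides state."""
    return ipaddress.ip_network(cidr).num_addresses


def plan_subnets(vpc_cidr: str, count: int, prefix: int = 24, skip: int = 0) -> List[str]:
    """Carve `count` subnets of the given prefix length out of the VPC range,
    skipping the first `skip` blocks (the slide diagrams start at 10.0.1.0/24)."""
    vpc = ipaddress.ip_network(vpc_cidr)
    if prefix < vpc.prefixlen:
        raise ValueError("subnet prefix must not be larger than the VPC block")
    chosen = list(islice(vpc.subnets(new_prefix=prefix), skip, skip + count))
    if len(chosen) < count:
        raise ValueError(f"{vpc} cannot hold {count} /{prefix} subnets after skipping {skip}")
    return [str(s) for s in chosen]


def usable_hosts(subnet_cidr: str) -> int:
    """Hosts you can actually place in a subnet. Assumption from AWS documentation, not
    on the slides: AWS reserves the first four and the last address of every subnet."""
    return ipaddress.ip_network(subnet_cidr).num_addresses - 5


if __name__ == "__main__":
    for candidate in ("10.0.0.0/16", "10.1.0.0/16", "10.0.0.0/8", "10.0.1.0/16"):
        print(candidate, check_vpc_cidr(candidate) or "OK")
    print(plan_subnets("10.0.0.0/16", 5, skip=1), usable_hosts("10.0.1.0/24"), "hosts per /24")
```

Run it against your own inventory by replacing `EXISTING_NETWORKS` with the ranges of every VPC and every on-premises network you may later peer or VPN to; a clean `check_vpc_cidr` result is the gate before `aws ec2 create-vpc`, since the block is fixed once created.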

Page 30: Security best practices on AWS cloud

Place your EC2 instances in subnets according to your design

(diagram: VPC A - 10.0.0.0/16 in Availability Zone A, subnets 10.0.1.0/24 to 10.0.5.0/24 now holding Web, App, Log, NAT and Jump EC2 instances)

Page 31: Security best practices on AWS cloud

Use VPC security groups to firewall your instances

(diagram: VPC A - 10.0.0.0/16 in Availability Zone A, subnets 10.0.1.0/24 to 10.0.5.0/24 with Web, App, Log, NAT and Jump EC2 instances; a security group rule between the Web and App instances)

“Web servers can connect to app servers on port 8080”

Page 32: Security best practices on AWS cloud

Each instance can be in up to five security groups

(diagram: VPC A - 10.0.0.0/16 in Availability Zone A, subnets 10.0.1.0/24 to 10.0.5.0/24 with Web, App, Log, NAT and Jump EC2 instances; security group rules between Web and App, and from the application instances to the Log instance)

“Web servers can connect to app servers on port 8080”

“Allow outbound connections to the log server”

Page 33: Security best practices on AWS cloud

Use separate security groups for applications and management

(diagram: VPC A - 10.0.0.0/16 in Availability Zone A, subnets 10.0.1.0/24 to 10.0.5.0/24 with Web, App, Log, NAT and Jump EC2 instances; application security group rules between Web, App and Log, and a separate management rule from the Jump host)

“Web servers can connect to app servers on port 8080”

“Allow outbound connections to the log server”

“Allow SSH and ICMP from hosts in the Jump Hosts security group”

Page 34: Security best practices on AWS cloud

The VPC router will allow any subnet to route to another in the VPC

(diagram: VPC A - 10.0.0.0/16 in Availability Zone A, subnets 10.0.1.0/24 to 10.0.5.0/24 with Web, App, Log, NAT and Jump EC2 instances, all connected through the VPC router)

Page 35: Security best practices on AWS cloud

Use Network Access Control Lists to restrict internal VPC traffic

(diagram: VPC A - 10.0.0.0/16 in Availability Zone A, subnets 10.0.1.0/24 to 10.0.5.0/24 with Web, App, Log, NAT and Jump EC2 instances connected through the VPC router)

Page 36: Security best practices on AWS cloud

Use Network Access Control Lists to restrict internal VPC traffic

(diagram: VPC A - 10.0.0.0/16 in Availability Zone A, subnets 10.0.1.0/24 to 10.0.5.0/24 with Web, App, Log, NAT and Jump EC2 instances connected through the VPC router; a NACL placed between the web server subnet and the database server subnet)

“Deny all traffic between the web server subnet and the database server subnet”

Page 37: Security best practices on AWS cloud

Use Network Access Control Lists for defence in depth

(diagram: VPC A - 10.0.0.0/16 in Availability Zone A, subnets 10.0.1.0/24 to 10.0.5.0/24 with Web, App, Log, NAT and Jump EC2 instances connected through the VPC router)

NACLs are optional

• Applied at subnet level, stateless and permit all by default

• ALLOW and DENY

• Applies to all instances in the subnet

• Use as a second line of defence
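The security-group slides (pages 31 to 33) and the NACL slides (pages 35 to 37) describe two filters with different semantics: security groups are attached per instance, stateful and allow-only, and their rules may reference another group; NACLs are attached per subnet, stateless, evaluated in rule-number order and may deny. The Python model below is an added example, not the presentation's or AWS's code. The subnet layout, group names, addresses and rule numbers are constructed to mirror the diagrams, and the model exists to show the point the "stateless" bullet implies: a NACL that allows only the service ports inbound silently drops the replies that come back to ephemeral ports, while a security group needs no reply rule at all.

```python
"""Model of how VPC security groups (stateful, allow-only, attached per instance)
and network ACLs (stateless, numbered allow/deny rules, attached per subnet) decide
whether a flow between two instances is permitted. Added example, not the slides'
code; the subnet layout, group names and addresses are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

ANY = (0, 65535)


@dataclass(frozen=True)
class Rule:
    direction: str                 # "in" or "out"
    proto: str                     # "tcp", "udp", "icmp" or "all"
    ports: Tuple[int, int] = ANY   # inclusive destination port range (tcp/udp only)
    peer: str = "0.0.0.0/0"        # CIDR, or "sg:<name>" to reference a security group
    action: str = "allow"          # NACL rules may be "deny"; security groups only allow
    number: int = 0                # NACL evaluation order, lowest first


def _matches(rule: Rule, direction: str, proto: str, port: int, peer_ip: str, peer_sgs: Set[str]) -> bool:
    if rule.direction != direction or rule.proto not in ("all", proto):
        return False
    if rule.proto in ("tcp", "udp") and not rule.ports[0] <= port <= rule.ports[1]:
        return False
    if rule.peer.startswith("sg:"):
        return rule.peer[3:] in peer_sgs
    return ipaddress.ip_address(peer_ip) in ipaddress.ip_network(rule.peer)


def sg_allows(groups: List[str], catalogue: Dict[str, List[Rule]], direction: str, proto: str,
              port: int, peer_ip: str, peer_sgs: Set[str]) -> bool:
    """Security groups: the instance's groups are unioned; any matching rule allows."""
    if len(groups) > 5:
        raise ValueError("an instance can be in at most five security groups")
    return any(_matches(r, direction, proto, port, peer_ip, peer_sgs) for g in groups for r in catalogue[g])


def nacl_allows(rules: List[Rule], direction: str, proto: str, port: int, peer_ip: str) -> bool:
    """Network ACL: the lowest-numbered matching rule wins; no match means deny."""
    for r in sorted(rules, key=lambda r: r.number):
        if _matches(r, direction, proto, port, peer_ip, set()):
            return r.action == "allow"
    return False


# A default NACL permits everything in both directions (the slides: "permit all by default").
DEFAULT_NACL = [Rule("in", "all", number=100), Rule("out", "all", number=100)]
# Web subnet NACL from the slides: deny all traffic to and from the database subnet, then allow the rest.
WEB_NACL = [Rule("in", "all", peer="10.0.3.0/24", action="deny", number=100),
            Rule("out", "all", peer="10.0.3.0/24", action="deny", number=100),
            Rule("in", "all", number=200), Rule("out", "all", number=200)]
# A stricter variant that forgets the stateless reply path: only 80/443 are allowed inbound.
STRICT_WEB_NACL = [Rule("in", "tcp", (80, 80), number=100), Rule("in", "tcp", (443, 443), number=110),
                   Rule("out", "all", number=100)]

SECURITY_GROUPS = {  # constructed from the three quoted rules on the slides
    "web-sg": [Rule("in", "tcp", (80, 80)), Rule("out", "tcp", (8080, 8080), "sg:app-sg")],
    "app-sg": [Rule("in", "tcp", (8080, 8080), "sg:web-sg"), Rule("out", "tcp", (3306, 3306), "sg:db-sg")],
    "db-sg": [Rule("in", "tcp", (3306, 3306), "sg:app-sg")],
    "log-sg": [Rule("in", "tcp", (514, 514), "sg:log-clients")],
    "log-clients": [Rule("out", "tcp", (514, 514), "sg:log-sg")],
    "jump-hosts": [Rule("out", "tcp", (22, 22), "10.0.0.0/16"), Rule("out", "icmp", peer="10.0.0.0/16")],
    "managed-hosts": [Rule("in", "tcp", (22, 22), "sg:jump-hosts"), Rule("in", "icmp", peer="sg:jump-hosts")],
}
INSTANCES = {  # constructed placement: one subnet per tier, as in the slide diagrams
    "web": {"ip": "10.0.1.10", "subnet": "web", "sgs": ["web-sg", "log-clients", "managed-hosts"]},
    "app": {"ip": "10.0.2.10", "subnet": "app", "sgs": ["app-sg", "log-clients", "managed-hosts"]},
    "db": {"ip": "10.0.3.10", "subnet": "db", "sgs": ["db-sg", "managed-hosts"]},
    "log": {"ip": "10.0.4.10", "subnet": "log", "sgs": ["log-sg", "managed-hosts"]},
    "jump": {"ip": "10.0.5.10", "subnet": "jump", "sgs": ["jump-hosts"]},
}
NACLS = {"web": WEB_NACL, "app": DEFAULT_NACL, "db": DEFAULT_NACL, "log": DEFAULT_NACL, "jump": DEFAULT_NACL}


def flow_allowed(src: str, dst: str, proto: str, port: int, nacls=NACLS, src_port: int = 40000) -> Tuple[bool, List[str]]:
    """Evaluate one connection from `src` to `dst`; returns (allowed, names of the checks that failed)."""
    s, d = INSTANCES[src], INSTANCES[dst]
    s_sgs, d_sgs = set(s["sgs"]), set(d["sgs"])
    checks = [
        ("src subnet NACL outbound", nacl_allows(nacls[s["subnet"]], "out", proto, port, d["ip"])),
        ("dst subnet NACL inbound", nacl_allows(nacls[d["subnet"]], "in", proto, port, s["ip"])),
        ("src SG outbound", sg_allows(s["sgs"], SECURITY_GROUPS, "out", proto, port, d["ip"], d_sgs)),
        ("dst SG inbound", sg_allows(d["sgs"], SECURITY_GROUPS, "in", proto, port, s["ip"], s_sgs)),
        # Security groups are stateful, so the reply needs no rule. NACLs are stateless:
        # the reply to the client's ephemeral port must pass both subnet NACLs on its own.
        ("dst subnet NACL outbound (reply)", nacl_allows(nacls[d["subnet"]], "out", proto, src_port, s["ip"])),
        ("src subnet NACL inbound (reply)", nacl_allows(nacls[s["subnet"]], "in", proto, src_port, d["ip"])),
    ]
    failed = [name for name, ok in checks if not ok]
    return (not failed, failed)


if __name__ == "__main__":
    for flow in (("web", "app", "tcp", 8080), ("app", "web", "tcp", 8080), ("web", "db", "tcp", 3306), ("jump", "app", "tcp", 22)):
        print(flow, flow_allowed(*flow))
    print("strict web NACL:", flow_allowed("web", "app", "tcp", 8080, nacls={**NACLS, "web": STRICT_WEB_NACL}))
```

Two AWS defaults are deliberately not modelled and are worth remembering when translating this into real rules: a newly created security group allows all outbound traffic until you restrict it, and a NACL you create yourself denies everything until you add rules (the slide's "permit all by default" describes the default NACL that comes with the VPC).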

Page 38: Security best practices on AWS cloud

Use Elastic Load Balancers to distribute traffic between instances

(diagram: VPC A - 10.0.0.0/16 in Availability Zone A, subnets 10.0.1.0/24 to 10.0.5.0/24 with App, Log, NAT and Jump EC2 instances connected through the VPC router, and two Web instances behind an Elastic Load Balancer)

Page 39: Security best practices on AWS cloud

Elastic Load Balancers are also placed in security groups

(diagram: VPC A - 10.0.0.0/16 in Availability Zone A, subnets 10.0.1.0/24 to 10.0.5.0/24 with App, Log, NAT and Jump EC2 instances connected through the VPC router, and a pool of Web instances behind an Elastic Load Balancer that sits in its own security group)

Page 40: Security best practices on AWS cloud

Your security can scale up and down with your solution

(diagram: VPC A - 10.0.0.0/16 in Availability Zone A, subnets 10.0.1.0/24 to 10.0.5.0/24 with App, Log, NAT and Jump EC2 instances connected through the VPC router; Auto Scaling adds and removes Web instances behind the Elastic Load Balancer)

Elastic load balancers

• Instances can automatically be added and removed from the balancing pool using rules

• You can add instances into security groups at launch time

Page 41: Security best practices on AWS cloud

Security best practices for AWS (section 5 of 7): Using AWS Identity and Access Management

Page 42: Security best practices on AWS cloud

AWS IAM enables you to securely control access to AWS services and resources

• Fine grained control of user permissions, resources and actions

• Now includes support for RunInstances

• Add multi factor authentication

• Hardware token or smartphone apps

• Test out your new policies using the Identity and Access Management policy simulator

You have fine grained control of your AWS environment

Page 43: Security best practices on AWS cloud

Segregate duties between roles with IAM

(diagram: a Region containing VPC A - 10.0.0.0/16 with subnets 10.0.1.0/24 and 10.0.2.0/24 across two Availability Zones, a router, an Internet Gateway to the Internet and a Customer Gateway)

You get to choose who can do what in your AWS environment and from where

• AWS account owner (master)

• Network management

• Security management

• Server management

• Storage management

• Manage and operate
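An added example of what "test out your new policies" means in practice, covering the IAM slide above and the role split on the "Segregate duties" slide: a small evaluator that applies the IAM decision order (an explicit Deny always wins, then any matching Allow, otherwise an implicit deny), `*`/`?` wildcards in Action and Resource, and the multi-factor-authentication condition. This is not the AWS policy simulator or AWS code; the role policies, the `corp-logs` bucket name and the account id are constructed, and only the `Bool` and `BoolIfExists` condition operators are modelled.

```python
"""Minimal model of IAM policy evaluation, in the spirit of the policy simulator:
an explicit Deny always wins, then any matching Allow, otherwise an implicit deny.
Supports '*' and '?' wildcards in Action and Resource and the Bool / BoolIfExists
condition operators. Added example, not AWS code; the role policies are constructed."""
import re
from typing import Dict, List, Optional


def _wild(pattern: str, value: str) -> bool:
    """IAM-style wildcard match: '*' matches any run of characters, '?' exactly one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _condition_ok(cond: Dict, context: Dict) -> bool:
    for op, pairs in cond.items():
        if op not in ("Bool", "BoolIfExists"):
            raise NotImplementedError(f"condition operator {op} is not modelled here")
        for key, want in pairs.items():
            if key not in context:
                if op == "BoolIfExists":   # an absent key satisfies the ...IfExists form
                    continue
                return False               # plain Bool: absent key means the statement does not apply
            if str(context[key]).lower() != str(want).lower():
                return False
    return True


def evaluate(policies: List[Dict], action: str, resource: str, context: Optional[Dict] = None) -> str:
    """Return 'Allow', 'ExplicitDeny' or 'ImplicitDeny' for one action on one resource."""
    context = context or {}
    decision = "ImplicitDeny"
    for policy in policies:
        for st in _as_list(policy["Statement"]):
            if not any(_wild(a.lower(), action.lower()) for a in _as_list(st["Action"])):
                continue   # action names are matched case-insensitively
            if not any(_wild(r, resource) for r in _as_list(st["Resource"])):
                continue
            if not _condition_ok(st.get("Condition", {}), context):
                continue
            if st["Effect"] == "Deny":
                return "ExplicitDeny"      # an explicit deny cannot be overridden by any Allow
            decision = "Allow"
    return decision


def simulate(policies: List[Dict], cases, context: Optional[Dict] = None) -> Dict[str, str]:
    """Run a batch of (action, resource) cases, like the policy simulator's summary table."""
    return {f"{a} on {r}": evaluate(policies, a, r, context) for a, r in cases}


# Constructed policies for the segregated roles on the "Segregate duties" slide.
NETWORK_ADMIN = {"Statement": [{"Effect": "Allow", "Resource": "*",
    "Action": ["ec2:*Vpc*", "ec2:*Subnet*", "ec2:*SecurityGroup*", "ec2:*NetworkAcl*", "ec2:Describe*"]}]}
SERVER_ADMIN = {"Statement": [
    {"Effect": "Allow", "Resource": "*",
     "Action": ["ec2:RunInstances", "ec2:StopInstances", "ec2:TerminateInstances", "ec2:Describe*"]},
    # Server operators must not be able to reshape the firewall, even if a later Allow slips in.
    {"Effect": "Deny", "Resource": "*", "Action": ["ec2:*SecurityGroup*", "ec2:*NetworkAcl*"]}]}
STORAGE_ADMIN = {"Statement": [{"Effect": "Allow", "Action": "s3:*",
    "Resource": ["arn:aws:s3:::corp-logs", "arn:aws:s3:::corp-logs/*"]}]}
# Deny everything unless the caller authenticated with MFA (hardware token or smartphone app).
REQUIRE_MFA = {"Statement": [{"Effect": "Deny", "Action": "*", "Resource": "*",
    "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}}]}


if __name__ == "__main__":
    cases = [("ec2:RunInstances", "*"), ("ec2:AuthorizeSecurityGroupIngress", "*"),
             ("s3:GetObject", "arn:aws:s3:::corp-logs/x.log")]
    for name, pol in (("network", NETWORK_ADMIN), ("server", SERVER_ADMIN), ("storage", STORAGE_ADMIN)):
        print(name, simulate([pol], cases))
    print("server, no MFA", simulate([SERVER_ADMIN, REQUIRE_MFA], cases, {"aws:MultiFactorAuthPresent": False}))
```

The `BoolIfExists` form is the one to use for an MFA guard: with plain `Bool`, a request in which the key is absent (for example one made with long-lived access keys) does not match the Deny at all, which is the opposite of what the guard intends.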

Page 44: Security best practices on AWS cloud

Increase your visibility of what happened in your AWS environment

• CloudTrail will record access to API calls and save logs in your S3 buckets, no matter how those API calls were made

• Who did what and when and from what IP address

• Be notified of log file delivery using the AWS Simple Notification Service

• Support for many AWS services including EC2, EBS, VPC, RDS, IAM, STS and RedShift

• Aggregate log information into a single S3 bucket

Out of the box integration with log analysis tools from AWS partners including Splunk, AlertLogic and SumoLogic.

Use AWS CloudTrail (beta) to track access to APIs and IAM

Page 45: Security best practices on AWS cloud

AWS CloudTrail logs can be used for many powerful use cases

CloudTrail can help you achieve many tasks

• Security analysis

• Track changes to AWS resources, for example VPC security groups and NACLs

• Compliance – understand AWS API call history

• Troubleshoot operational issues – quickly identify the most recent changes to your environment

CloudTrail is currently available in US-WEST1 and US-EAST1
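The three questions the two CloudTrail slides pose (who did what, when and from where; which calls changed security groups or NACLs; what changed most recently) can be answered from the delivered JSON without any partner tooling. The Python below is an added example, not AWS or the presenter's code. The records are constructed for the example (user names, IPs, the `sg-0000example` and `acl-0000example` ids are placeholders), but they follow the field layout CloudTrail delivers (`eventTime`, `eventName`, `userIdentity`, `sourceIPAddress`, `requestParameters`, `errorCode`), and the event names in `NETWORK_CHANGE_EVENTS` are the real EC2 API actions.

```python
"""Working through CloudTrail records offline: who did what, when and from which IP,
and which calls changed security groups or network ACLs. Added example, not AWS or the
presenter's code; the records are constructed but use CloudTrail's field layout."""
import json
from typing import Dict, List, Optional, Tuple

SAMPLE_LOG = json.dumps({"Records": [   # constructed records; ids and addresses are placeholders
    {"eventTime": "2015-01-15T09:01:12Z", "eventSource": "ec2.amazonaws.com", "eventName": "RunInstances",
     "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.5",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}, "requestParameters": {"instanceType": "m3.medium"}},
    {"eventTime": "2015-01-15T09:04:40Z", "eventSource": "ec2.amazonaws.com", "eventName": "AuthorizeSecurityGroupIngress",
     "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "requestParameters": {"groupId": "sg-0000example", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22, "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
    {"eventTime": "2015-01-15T09:10:03Z", "eventSource": "ec2.amazonaws.com", "eventName": "CreateNetworkAclEntry",
     "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.5",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "requestParameters": {"networkAclId": "acl-0000example", "ruleNumber": 100}},
    {"eventTime": "2015-01-15T09:12:55Z", "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.9",
     "userIdentity": {"type": "IAMUser", "userName": "carol"}, "requestParameters": None},
    {"eventTime": "2015-01-15T09:15:30Z", "eventSource": "s3.amazonaws.com", "eventName": "DeleteBucket",
     "awsRegion": "us-east-1", "sourceIPAddress": "192.0.2.44", "errorCode": "AccessDenied",
     "userIdentity": {"type": "IAMUser", "userName": "dave"}, "requestParameters": {"bucketName": "corp-logs"}},
]})

# EC2 API actions whose success changes the VPC firewall posture (security groups and NACLs).
NETWORK_CHANGE_EVENTS = {"AuthorizeSecurityGroupIngress", "AuthorizeSecurityGroupEgress",
                         "RevokeSecurityGroupIngress", "RevokeSecurityGroupEgress",
                         "CreateNetworkAclEntry", "ReplaceNetworkAclEntry", "DeleteNetworkAclEntry"}


def load_records(text: str) -> List[Dict]:
    return json.loads(text)["Records"]


def _user(r: Dict) -> str:
    return r["userIdentity"].get("userName", r["userIdentity"]["type"])


def who_did_what(records: List[Dict]) -> List[Tuple[str, str, str, str]]:
    """(user, eventName, eventTime, sourceIPAddress) per record, oldest first."""
    rows = [(_user(r), r["eventName"], r["eventTime"], r["sourceIPAddress"]) for r in records]
    return sorted(rows, key=lambda row: row[2])


def network_changes(records: List[Dict]) -> List[Dict]:
    """Successful calls that altered security groups or NACLs."""
    return [r for r in records if r["eventName"] in NETWORK_CHANGE_EVENTS and "errorCode" not in r]


def world_open_ingress(records: List[Dict]) -> List[Tuple[str, Optional[str], Optional[int], Optional[int]]]:
    """(user, groupId, fromPort, toPort) for every ingress rule that was opened to 0.0.0.0/0."""
    hits = []
    for r in network_changes(records):
        if r["eventName"] != "AuthorizeSecurityGroupIngress":
            continue
        params = r.get("requestParameters") or {}
        for perm in params.get("ipPermissions", {}).get("items", []):
            for rng in perm.get("ipRanges", {}).get("items", []):
                if rng.get("cidrIp") == "0.0.0.0/0":
                    hits.append((_user(r), params.get("groupId"), perm.get("fromPort"), perm.get("toPort")))
    return hits


def failed_calls(records: List[Dict]) -> List[Tuple[str, str, str]]:
    """(user, eventName, errorCode) for calls the API rejected, e.g. AccessDenied."""
    return [(_user(r), r["eventName"], r["errorCode"]) for r in records if "errorCode" in r]


def changes_since(records: List[Dict], since: str) -> List[str]:
    """Event names of successful, non-Describe calls at or after `since` (ISO-8601 UTC,
    which sorts lexicographically): the most recent changes to the environment."""
    return [r["eventName"] for r in sorted(records, key=lambda r: r["eventTime"])
            if r["eventTime"] >= since and not r["eventName"].startswith("Describe") and "errorCode" not in r]


if __name__ == "__main__":
    recs = load_records(SAMPLE_LOG)
    for row in who_did_what(recs):
        print(*row)
    print("network changes:", [r["eventName"] for r in network_changes(recs)])
    print("opened to the world:", world_open_ingress(recs))
    print("rejected:", failed_calls(recs))
    print("since 09:05:", changes_since(recs, "2015-01-15T09:05:00Z"))
```

In production the input is every gzipped object CloudTrail delivers to the aggregation bucket, each holding one `Records` array in this shape; the same functions apply unchanged once the objects are decompressed and concatenated.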

Page 46: Security best practices on AWS cloud

Security best practices for AWS (section 6 of 7): Protecting your content on AWS

Page 47: Security best practices on AWS cloud

AWS has many different content storage services

(icons: EBS, S3, RDS, Redshift)

Page 48: Security best practices on AWS cloud

Configure S3 access controls at bucket and object level

• Restrict access and rights as tightly as possible and regularly review access logs

• Use versioning for important files, with MFA required for delete

Use S3 cryptographic features

• Use SSL to protect data in transit

• S3 server side encryption: AWS will transparently encrypt your objects using AES-256 and manage the keys on your behalf

• Use S3 client side encryption: encrypt information before sending it to S3, build it yourself or use the AWS Java SDK

• Use MD5 checksums to verify the integrity of objects loaded into S3

Making use of available Amazon S3 security features
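Two of the S3 practices listed above can be turned into checks you run rather than rules you remember: an audit of a bucket policy for anonymous access and for missing enforcement of SSL and server-side encryption, and the MD5 integrity check (the `Content-MD5` header on upload, the `ETag` on download). The Python below is an added example, not AWS code; the two bucket policies, the bucket name and the account id in them are constructed, and the condition keys used (`aws:SecureTransport`, `s3:x-amz-server-side-encryption`) are the real ones.

```python
"""Two checks for the S3 practices on the slide: audit a bucket policy for public
access and for missing TLS / server-side-encryption enforcement, and verify object
integrity with Content-MD5 and the ETag. Added example, not AWS code; the policies
and object bytes are constructed."""
import base64
import hashlib
from typing import Dict, List, Optional


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _is_public(principal) -> bool:
    return principal == "*" or (isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", [])))


def _deny_with_condition(st: Dict, operator: str, key: str, value: str) -> bool:
    cond = st.get("Condition", {}).get(operator, {})
    return st.get("Effect") == "Deny" and str(cond.get(key, "")).lower() == value


def audit_bucket_policy(policy: Dict) -> List[str]:
    """Return findings; an empty list means the policy passes these three checks."""
    findings: List[str] = []
    statements = _as_list(policy.get("Statement", []))
    for st in statements:
        if st.get("Effect") == "Allow" and _is_public(st.get("Principal")) and "Condition" not in st:
            findings.append(f"{st.get('Sid', '<no Sid>')}: grants {_as_list(st.get('Action'))} to everyone with no condition")
    if not any(_deny_with_condition(st, "Bool", "aws:SecureTransport", "false") for st in statements):
        findings.append("no Deny for aws:SecureTransport=false: plain-HTTP access is not blocked")
    if not any(_deny_with_condition(st, "StringNotEquals", "s3:x-amz-server-side-encryption", "aes256") for st in statements):
        findings.append("no Deny for PutObject without x-amz-server-side-encryption: unencrypted uploads allowed")
    return findings


# Constructed: a policy that reads well at a glance but fails all three checks.
WEAK_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::corp-logs/*"}]}
# Constructed: the same bucket restricted to one role, with SSL and SSE-AES256 enforced.
HARDENED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AppRead", "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-reader"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::corp-logs/*"},
    {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*", "Action": "s3:*",
     "Resource": ["arn:aws:s3:::corp-logs", "arn:aws:s3:::corp-logs/*"],
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    {"Sid": "DenyUnencryptedUploads", "Effect": "Deny", "Principal": "*", "Action": "s3:PutObject",
     "Resource": "arn:aws:s3:::corp-logs/*",
     "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "AES256"}}}]}


def content_md5_header(data: bytes) -> str:
    """Value for the Content-MD5 request header: base64 of the raw MD5 digest.
    S3 rejects the PUT with BadDigest if the stored bytes do not match it."""
    return base64.b64encode(hashlib.md5(data).digest()).decode("ascii")


def etag_matches(data: bytes, etag: str) -> Optional[bool]:
    """Compare downloaded bytes with the ETag S3 returned. Returns None when the ETag is
    not an MD5 (multipart uploads produce 'hash-partcount' ETags, and objects encrypted
    with SSE-KMS also carry non-MD5 ETags), so the caller knows the check was inconclusive."""
    etag = etag.strip('"')
    if "-" in etag or len(etag) != 32:
        return None
    return hashlib.md5(data).hexdigest() == etag.lower()


if __name__ == "__main__":
    print("weak:", audit_bucket_policy(WEAK_POLICY))
    print("hardened:", audit_bucket_policy(HARDENED_POLICY))
    blob = b"hello"   # constructed object body
    print("Content-MD5:", content_md5_header(blob), "ETag ok:", etag_matches(blob, '"5d41402abc4b2a76b9719d911017c592"'))
```

`audit_bucket_policy` is deliberately narrow; it flags the three conditions named on the slide and nothing else, so a clean result is a floor, not a certificate. Pair it with the access-log review the slide also asks for.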

Page 49: Security best practices on AWS cloud

Making the most of Amazon RDS security features

RDS can reduce the security burden of running your databases

• Limit security group access to RDS instances

• Limit RDS management plane access with AWS IAM permissions

Encrypt data in flight

• Oracle Native Network Encryption, SSL for SQL Server, MySQL and PostgreSQL – especially if the database is accessible from the Internet

Encrypt data at rest in sensitive table space

• Native RDS via SQL Server and Oracle Transparent Data Encryption

• Encrypt sensitive information at application level or use a DB proxy

Configure automatic patching of minor updates – let AWS do the heavy lifting for you within a maintenance window you choose

Page 50: Security best practices on AWS cloud

Encrypting EBS volumes on Amazon EC2 instances

Roll your own encryption or use commercial solutions

• Windows BitLocker or Linux LUKS for encrypted volumes and TrueCrypt for containers

• SafeNet Protect-V, Trend Secure Cloud, Voltage – some vendors offer boot volume encryption

• MapReduce volumes can use Gazzang

Managing encryption keys is critical and difficult!

• How will you manage keys and make sure they are available when required, for example at instance start-up?

• How will you keep them available and prevent loss?

• How will you rotate keys on a regular basis and keep them private?

Page 51: Security best practices on AWS cloud

Security best practices for AWS (section 7 of 7): Building secure applications on AWS

Page 52: Security best practices on AWS cloud

You decide how to configure your instance environment

(diagram: launch an instance from the AMI catalogue, then configure the running instance: operating system, hardening and configuration, audit and logging, vulnerability management, malware and IPS, whitelisting and integrity, user administration)

You take responsibility for final configuration

Harden operating system and platforms

• Use standard hardening guides and techniques

• Apply latest security patches – Amazon maintains repositories

Use host-based protection software

• Think of how they will work in an elastic environment - hosts may only be in use for hours before being replaced

Think about how you will manage administrative users

• Restrict access as much as possible

Build out the rest of your standard security environment
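"Use standard hardening guides" becomes concrete when a guide's settings are checked automatically at launch, which is also the only way such checks keep up with hosts that live for hours. The Python below is an added example, not the presenter's or AWS's code: it parses an OpenSSH `sshd_config` the way `sshd` does (first value of a keyword wins, keywords are case-insensitive, settings after the first `Match` block are conditional) and compares the global settings with a small baseline. The baseline values are the usual guide recommendations and are an assumption here, as are the two sample configurations, which are constructed.

```python
"""Check a host's sshd_config against a small hardening baseline, the kind of control a
standard hardening guide asks for. Added example, not the presenter's or AWS's code;
the baseline is assumed from common guides and the sample configurations are constructed."""
from typing import Dict, List, Set, Tuple

# Option -> acceptable values (compared case-insensitively). Assumed from common hardening guides.
BASELINE: Dict[str, Set[str]] = {
    "PermitRootLogin": {"no"},
    "PasswordAuthentication": {"no"},
    "PermitEmptyPasswords": {"no"},
    "X11Forwarding": {"no"},
    "Protocol": {"2"},                       # relevant to the OpenSSH releases of the slide's era
    "MaxAuthTries": {"1", "2", "3", "4"},
}


def parse_sshd_config(text: str) -> Dict[str, str]:
    """Global options as sshd resolves them: the first occurrence of a keyword wins,
    keywords are case-insensitive, '=' is accepted as separator, and everything after
    the first Match block only applies conditionally, so it is not read here."""
    options: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.replace("=", " ", 1).split(None, 1)
        key = parts[0].lower()
        if key == "match":
            break
        options.setdefault(key, parts[1].strip() if len(parts) > 1 else "")
    return options


def check_sshd_config(text: str) -> List[Tuple[str, str, str]]:
    """(option, acceptable values, actual) for every baseline option that is unset or weak."""
    opts = parse_sshd_config(text)
    findings: List[Tuple[str, str, str]] = []
    for key, allowed in BASELINE.items():
        actual = opts.get(key.lower())
        wanted = "/".join(sorted(allowed))
        if actual is None:
            findings.append((key, wanted, "unset (compiled-in default applies)"))
        elif actual.lower() not in allowed:
            findings.append((key, wanted, actual))
    return findings


# Constructed: the configuration a freshly launched image might ship with.
WEAK_CONFIG = """\
Port 22
Protocol 2
PermitRootLogin yes
PasswordAuthentication yes
# the next line is ignored by sshd: it keeps the first value of a keyword
PermitRootLogin no
X11Forwarding yes
Match User deploy
    PasswordAuthentication no
"""

# Constructed: the same file after applying the baseline.
HARDENED_CONFIG = """\
Port 22
Protocol 2
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
X11Forwarding no
MaxAuthTries 3
"""


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, check_sshd_config(cfg) or "passes baseline")
```

Run it from the instance's first-boot script (user data) against `/etc/ssh/sshd_config` and fail the launch, or report to your logging pipeline, when it returns findings; that fits the "hosts may only be in use for hours" point better than a periodic scan would.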

Page 53: Security best practices on AWS cloud

Browse and read AWS security whitepapers and good practices

• http://aws.amazon.com/compliance

• http://aws.amazon.com/security

• Risk and compliance, including CSA questionnaire response

• Security best practices

• Audit and operational checklists to help you assess security before you go live

Sign up for AWS support

• http://aws.amazon.com/support

• Get help when you need it most – as you grow

• Choose different levels of support with no long-term commitment

Where you can go for help and further information

Page 54: Security best practices on AWS cloud

Get training from an instructor or try the self-paced labs

• http://aws.amazon.com/training/

Become AWS certified and gain recognition and visibility

• http://aws.amazon.com/certification

• Demonstrate that you have skills, knowledge and expertise to design, deploy and manage projects and applications on the AWS platform

• Prove skills and foster credibility with your employer and peers

Choose your disc­ipline, or do all of them!

• AWS Certified Solutions Architect – Associate Level

• AWS Certified Developer – Associate Level (Beta)

• AWS Certified SysOps Administrator – Associate Level (Beta)

Get training and become AWS certified in your discipline

Page 55: Security best practices on AWS cloud

Any questions? Martin Yan [email protected]

Thank you for your time today