© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

June 2016

Using AWS Networking and Logging Features to Enhance Security

Nathan McGuirt, Senior Solutions Architect, AWSDave Rogers, Head of Architecture & Security, UK MOJ Digital & Technology

Expectations

Managing traditional networks is hard

Lack of visibility Heavy technical lift

Crunchy exterior, soft center

credit: theilr/flickr

Network enforcement tools

Server 192.168.0.3

Server 192.168.0.4

Server 192.168.1.3

Server 192.168.1.410.0.0.3

10.0.0.4

10.0.0.4

10.0.0.2

10.0.0.5

10.0.0.3

Mapping service

10.0.0.2

Amazon Virtual Private Cloud VPC A

VPC B

Enforcement—security groupsWeb Server Security GroupAllow Inbound HTTP from 0.0.0.0/0

Allow Inbound HTTPS from 0.0.0.0/0

Allow Outbound SQL to DB Servers

DB Security GroupAllow Inbound SQL from Web Servers

AD Member Security GroupAllow Outbound AD traffic to AD Servers

XTCP 139

Enforcement—VPC subnet ACLs

Subnet ACL

VPC Subnet

Security Group

Enforcement—VPC route tables

VPC subnet VPC subnet

0.0.

0.0/

0

0.0.0.0/0

0.0.0.0/0

VPC subnet

X

X

Local routes only

0.0.0.0/0

Enforcement: AWS WAF (Web Application Firewall)

AWS Management ConsoleAdmins

Developers AWS APIWeb app in

Amazon CloudFront

Define rules

Deploy protection

AWS WAF

Traffic isolation—VPN and AWS Direct Connect

Customer gateway

Virtual gateway

Two IPSec tunnels

192.168.0.0/16 172.31.0.0/16

192.168/16

Private fiber via peering facility

Traffic isolation—VPC endpoints

10.10.0.0/16

10.10.1.0/24AZ A

10.10.2.0/24AZ B

Isolation—VPC peering

Logging

Amazon CloudWatch Logs

Logging: VPC Flow Logs

10.10.0.0/16

10.10.1.0/24AZ A

10.10.2.0/24AZ B

Logging—AWS CloudTrail

"Records": [{ "eventVersion": "1.0", "userIdentity": {... "arn": "arn:aws:iam::123456789012:user/Alice",... }, "eventTime": "2015-03-24T21:11:59Z", "eventSource": "iam.amazonaws.com", "eventName": "CreateUser", "awsRegion": "us-east-1", "sourceIPAddress": ”55.55.55.55",...

Logging—Elastic Load Balancing, CloudFront, Amazon S3 access logs

Logging destination bucket

Elastic Load Balancing

logs

CloudFront logs

Amazon S3 bucket logs

Change control

Normalize

RecordChanging resources

Deliver

Stream

Snapshot (ex. 2014-11-05)AWS Config

APIs

Store

History

Change control—AWS Config

Change control—AWS CloudFormation

Template StackAWSCloudFormation

Orchestrate changes across AWS services

Use as foundation to AWS Service Catalog products

Use with source code repositories to manage infrastructure changes

JSON-based text file describing infrastructure

Resources created from a template

Can be updated Updates can be

restricted

Change control—CloudFormation change sets

Separation of Duties

Making use of logs

Example events of concern

• Configuration changes that impact ability to detect or understand events

• Activities that are inconsistent with expectations• Activities that violate policy

Monitoring logging status—CloudTrailCloudTrail EventsCloudTrail

CloudWatch Logs CloudWatch Logs Filter

Metric filter"FilterPattern": ”{ ($.eventName = StopLogging) }",

CloudWatch metric

Air-raid siren

CloudWatch Alarm

Monitoring for unexpected (network) behavior

VPC

VPC Flow LogsAt some meaningful rate,

fire an alarm

Filter: RejectedFilter: Source: Internal

Take an automated action:Cut off network access

CloudWatch Logs Metric Filter CloudWatch Alarm AWS Lambda Function

Watching for disallowed configurations

AWS Config

Config Rule

Email alert

Automated action:modify SG

No TCP 22 from 0.0.0.0/0 in Production

SO’s mailbox

VPC Flow Logs—network dashboard

• Amazon Elasticsearch Service

• Amazon CloudWatch Logs subscriptions

All of this can be automatedSo what does that do for practices in the cloud?

Automation, enabled by public cloud, leads to continuous practice

continuous delivery is the foundation

continuous securityprevention & response

continuous deliverycontinuous security testingcontinuous hacking continuous risk managementcontinuous assurancecontinuous compliance

continuous security testing

continuous hacking

continuous risk management

continuous compliance the public cloud provides a platform

continuous securitydetection

continuous intrusion detectioncontinuous health checkingcontinuous anomaly detectioncontinuous capacity managementcontinuous scaling

continuous prevention& response

continuous detection

continuous delivery is hard

DevOps

Continuous

Delivery

DevOps is hard

because change toward DevOps is culture change

DevOps is culture changeNew skillsNew methodologiesNew hours & working locationsNew careersNew ways of thinkingNew planningNew governanceSometimes, new clothes

Rising cyber security threats require us to be adaptive.

Security conservatism, attempting to achieve stability through restricted change, increases risk.

We must embrace continuous practice.

Thank you!