Architecting for End-to-End Security in the Enterprise (ARC308) | AWS re:Invent 2013

This session tells the story of how security-minded enterprises provide end-to-end protection of their sensitive data in AWS. Learn about the enterprise security architecture decisions made by Fortune 500 organizations during actual sensitive workload deployments as told by the AWS professional service security, risk, and compliance team members who lived them. In this technical walkthrough, we share lessons learned from the development of enterprise security strategy, security use-case development, end-to-end security architecture & service composition, security configuration decisions, and the creation of AWS security operations playbooks to support the architecture.


  1. ARC308: Architecting for End-to-End Security in the Enterprise. Hart Rossman, Principal Security Consultant; Bill Shinn, Principal Security Solutions Architect. November 14, 2013. © 2013 Amazon.com, Inc. and its affiliates. All rights reserved. May not be copied, modified, or distributed in whole or in part without the express consent of Amazon.com, Inc.
  2. A Typical Enterprise Security Journey:
     1. Integrate AWS into the Enterprise Security Strategy
     2. Deploy Defense in Depth: Enterprise Security Architecture in the Cloud
     3. Convert Strategy to Tactics: Security Playbook
     4. Instrument for Operations: Privilege Isolation, Bastion Role, and Auditing Role
     (Diagram sidebar, repeated on later slides: Enterprise Security Planning covers Strategy and Architecture; Enterprise Security Operations covers Playbook and Operations.)
  3. Enterprise Security Strategy: Economics; Strategy
  4. Security Economies of Scale
     • AWS control objectives apply uniformly across the entire cloud
     • Reduced compliance scope
     • Defense-in-depth layers are a variable cost
     • Security benefits from automation
  5. Why Update Your Security Strategy for AWS?
     • Communicate the CISO's intent and Concept of Operations (CONOPS)
     • Articulate a vision for the desired end state
  6. Enterprise Security Architecture: Capabilities Framework; Defense in Depth Architecture
  7. Security Capabilities Framework
     Anticipate: • Policies and Standards • Threat Intelligence
     Deter: • Access Control • Network Architecture • Active Response
     Detect: • IDS • Log analysis • Alerting • Security Operations Center
     Respond: • Incident Response to Compromise
     Recover: • Disaster Recovery/BCP • Known Good State • Forensics
  8. Security Capabilities Framework (slide 7 repeated)
  9. AWS security capability map, by layer (the same map is repeated on later slides):
     Governance, Management, People (AWS Security & Compliance): AWS Certifications; Trusted Advisor; AWS SAs & ProServ; AWS Support; AWS Abuse Notifications; Penetration Testing; Security Operations Center
     Authenticate & Authorize: IAM Users, Groups & Roles; IAM Password Policy; IAM MFA; IAM + STS Federation; Access Policy Language; SSL for API, CLI, and Console; Server Certificates; SSH Keys
     Monitor & Alert: CloudWatch; SNS Notifications; Monitoring
     Log, Audit, & Analyze: AWS CloudTrail; S3 and CloudFront Access Logs; App Logs; OS Logs; DB Logs; EMR and Redshift Analytics
     Organize, Deploy, & Manage: CloudFormation; AMIs; Bootstrapping; Auto Scaling; Resource Tagging; Snapshots & Replication; Geographic Diversity; Route 53
     Instance: Bastion Host; Host Security Software; Managed Encryption; CloudFront Load Distribution; EBS Volume Encryption
     Database: Oracle TDE; Oracle NNE; MS-SQL TDE; MySQL and MSSQL SSL; SQL SSL Clients; Redshift Cluster Encryption; DynamoDB and SimpleDB SSL; EMR Job Flow Roles; RDS Auto Minor Patching; CloudHSM
     Storage & Content: S3 ACLs and Bucket Policies; S3 MFA Delete; Lifecycle Rules; S3 and Glacier SSE; S3, Glacier, and CloudFront SSL; S3 Object Metadata; CloudFront Signed URLs; Client-Side Encryption; Storage Gateway SSL
     Network (AWS Internet Security): VPC; VPC Subnets; VPC Routing Tables; VPC NACLs; Security Groups; VPC VPN Gateway; Direct Connect; ELB SSL
  10-11. Capability map (slide 9 repeated)
  12. Security Capabilities Framework (slide 7 repeated)
  13-17. Capability map (slide 9 repeated)
  18. Security Capabilities Framework (slide 7 repeated)
  19-22. Capability map (slide 9 repeated)
  23. Security Capabilities Framework (slide 7 repeated)
  24-26. Capability map (slide 9 repeated)
  27. Security Capabilities Framework (slide 7 repeated)
  28-30. Capability map (slide 9 repeated)
  31. Defense-in-Depth Architecture (diagram): Internet, via an Internet Gateway, into the VPC; the Corporate Data Center, behind its existing perimeter security stack and customer gateway, into the VPC over the existing VPN and AWS Direct Connect.
  32. Network Protection (diagram): the VPC is divided into Protect, Web, App, and DB tiers; the controls shown are the Internet Gateway, route tables, NACLs, IAM, and the VPN and AWS Direct Connect links to the corporate data center's existing perimeter security stack.
  33. Instance Protection (diagram, same topology): SSH Keys; AMIs; Bootstrapping; Auto Scaling; Managed Encryption; Host Security Software; CloudFront Load Distribution; Bastion Host; Penetration Testing.
  34. Database Protection (diagram, same topology): Oracle TDE; Oracle NNE; MySQL and MSSQL SSL; SQL SSL Clients; Redshift Cluster Encryption; DynamoDB and SimpleDB SSL; EMR Job Flow Roles; RDS Auto Minor Patching.
  35. In-line Threat Management (diagram): a Protect tier holding the bastion host sits in front of the Web, App, and DB tiers.
  36. In-line Threat Management (diagram): an IPS/IDS and NAT layer, deployed as an HA pair across Availability Zone A and Availability Zone B and addressed through elastic IPs (EIP 1 to EIP 4), fronts the Web, App, and DB layers.
  37. CloudFront (diagram, same topology): CloudFront and S3 are added in front of the Protect tier, alongside the Internet Gateway, route tables, and NACLs.
  38. Security Playbook: rehearsed actions; task automation; documented approved configurations
  39. Why Build a Security Operations Playbook?
     • Empower the CISO organization to operate its cloud enterprise securely
     • Enable the CISO's business partners to secure deployments and manage mission risk
  40. Typical Components
     • Overview of the AWS service or enterprise process
     • Requirements/Dependencies
     • Workflow
     • Exceptions
  41. Sample Entry: Amazon S3 (Overview of the AWS service or enterprise process)
     Description
     • Amazon S3 provides a simple web services interface that can be used to store and retrieve any amount of data, at any time, from anywhere on the web.
     Secure Configuration
     • Data stored in Amazon S3 is private by default: only the bucket and object owners have access to the resources they create, until a bucket policy or ACL widens that access. For customers who must comply with regulatory standards such as PCI and HIPAA, Amazon S3's data protection features can be used as part of an overall strategy to achieve compliance.
  42. Choosing Controls (columns: Granularity, Purpose, Application)
     • IAM Access Policy: fine grained; role-based access control (RBAC); applies to IAM groups, roles, and users
     • Bucket Policy: fine grained; grants permissions without IAM and provides cross-account access; applies to S3 buckets
     • ACLs: coarse grained; grant simple, broad permissions; apply to buckets and objects
  43. Mapping ACLs to Policy Actions
     Bucket ACL permission: equivalent bucket policy actions
     • READ: s3:ListBucket, s3:ListBucketVersions, s3:ListBucketMultipartUploads
     • WRITE: s3:PutObject, s3:DeleteObject, s3:DeleteObjectVersion (owner only)
     • READ_ACP: s3:GetBucketAcl
     • WRITE_ACP: s3:PutBucketAcl
     • FULL_CONTROL: READ + WRITE + READ_ACP + WRITE_ACP
     Object ACL permission: equivalent object policy actions
     • READ: s3:GetObject, s3:GetObjectVersion, s3:GetObjectTorrent
     • READ_ACP: s3:GetObjectAcl, s3:GetObjectVersionAcl
     • WRITE_ACP: s3:PutObjectAcl, s3:PutObjectVersionAcl
     • FULL_CONTROL: READ + READ_ACP + WRITE_ACP
  44. Using Access Policy Conditions (bucket policy: anyone may read objects; only 10.10.1.0/24 may write or delete them)
     {
       "Version": "2012-10-17",
       "Id": "S3PolicyId1",
       "Statement": [
         {
           "Effect": "Allow",
           "Principal": {"AWS": "*"},
           "Action": "s3:GetObject",
           "Resource": "arn:aws:s3:::YourBucket/*"
         },
         {
           "Effect": "Allow",
           "Principal": {"AWS": "*"},
           "Action": ["s3:PutObject", "s3:DeleteObject"],
           "Resource": "arn:aws:s3:::YourBucket/*",
           "Condition": {"IpAddress": {"aws:SourceIp": "10.10.1.0/24"}}
         }
       ]
     }
     The first statement makes every object in the bucket anonymously readable, so it belongs in a playbook only for buckets approved as public. aws:SourceIp is compared with the address S3 sees: traffic that leaves a VPC through an Internet gateway or a NAT instance arrives from a public address, so a private range such as 10.10.1.0/24 only matches when requests genuinely reach S3 with that source address.
45. Enforcing SSL
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Principal": "*",
      "Effect": "Deny",
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::YourBucket/*",
      "Condition": {
        "Bool": { "aws:SecureTransport": "false" }
      }
    }
  ]
}
(The slide placed "Version" inside the statement; the policy grammar requires it at the top level, as shown here.)
46. Enable & Enforce SSE
{
  "Version": "2008-10-17",
  "Id": "PutObjPolicy",
  "Statement": [
    {
      "Sid": "DenyUnEncryptedObjectUploads",
      "Effect": "Deny",
      "Principal": { "AWS": "*" },
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::YourBucket/*",
      "Condition": {
        "StringNotEquals": { "s3:x-amz-server-side-encryption": "AES256" }
      }
    }
  ]
}
47. CloudFormation Template
Creates an S3 bucket with a randomized name with the following permissions:
• Allow anyone to LIST the bucket
• Allow anyone to GET objects
• Require SSL encryption in transit
{
  "AWSTemplateFormatVersion" : "2010-09-09",
  "Description" : "AWS CloudFormation Sample Template for S3 Bucket Policy",
  "Resources" : {
    "S3BucketCFn" : {
      "Type" : "AWS::S3::Bucket",
      "DeletionPolicy" : "Retain"
    },
    "BucketPolicy" : {
      "Type" : "AWS::S3::BucketPolicy",
      "Properties" : {
        "PolicyDocument" : {
          "Version" : "2012-10-17",
          "Id" : "MyPolicy",
          "Statement" : [
            {
              "Sid" : "ContributorAccess",
              "Action" : ["s3:GetObject"],
              "Effect" : "Allow",
              "Resource" : { "Fn::Join" : ["", ["arn:aws:s3:::", {"Ref" : "S3BucketCFn"}, "/*"]] },
              "Principal" : { "AWS": "*" }
            },
            {
              "Sid" : "ListAccess",
              "Action" : ["s3:ListBucket"],
              "Effect" : "Allow",
              "Resource" : { "Fn::Join" : ["", ["arn:aws:s3:::", {"Ref" : "S3BucketCFn"}]] },
              "Principal" : { "AWS": "*" }
            },
            {
              "Sid" : "EnforceSSL",
              "Action" : ["s3:*"],
              "Effect" : "Deny",
              "Resource" : { "Fn::Join" : ["", ["arn:aws:s3:::", {"Ref" : "S3BucketCFn"}, "/*"]] },
              "Principal" : { "AWS": "*" },
              "Condition" : { "Bool": {"aws:SecureTransport": "false"} }
            }
          ]
        },
        "Bucket" : {"Ref" : "S3BucketCFn"}
      }
    }
  },
  "Outputs" : {
    "BucketName" : {
      "Value" : { "Ref" : "S3BucketCFn" },
      "Description" : "Name of newly created S3 bucket"
    }
  }
}
(The slide's two-column layout had split the Fn::Join resource expressions across the page; they are reassembled above. The SecureTransport value is quoted, as the policy grammar expects.)
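As an added check that is not part of the presentation: the Python below audits bucket policies of the kind shown on slides 44 to 47 for the guardrails the playbook sets (deny requests that are not over TLS, deny uploads without server-side encryption, and flag Allow statements with a public principal and no condition), and it resolves the Ref and Fn::Join intrinsics in a CloudFormation template so the same audit can run before the stack is created. The sample policy and template are constructed from the slides; YourBucket and example-bucket are placeholder names.

```python
"""Audit S3 bucket policies for the playbook guardrails (added example).

Not from the presentation; the sample documents are constructed from the
slides and the bucket names are placeholders.
"""

# Constructed sample: the public-read, Enforcing SSL and Enforce SSE
# statements from the slides merged into one bucket policy.
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::YourBucket/*"},
        {"Sid": "EnforceSSL", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*", "Resource": "arn:aws:s3:::YourBucket/*",
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
        {"Sid": "DenyUnEncryptedObjectUploads", "Effect": "Deny",
         "Principal": {"AWS": "*"}, "Action": "s3:PutObject",
         "Resource": "arn:aws:s3:::YourBucket/*",
         "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "AES256"}}},
    ],
}

# Constructed sample: a CloudFormation fragment modelled on the slide's
# template (only the parts the audit needs).
TEMPLATE = {
    "Resources": {
        "S3BucketCFn": {"Type": "AWS::S3::Bucket"},
        "BucketPolicy": {
            "Type": "AWS::S3::BucketPolicy",
            "Properties": {
                "Bucket": {"Ref": "S3BucketCFn"},
                "PolicyDocument": {
                    "Version": "2012-10-17",
                    "Statement": [
                        {"Sid": "ListAccess", "Effect": "Allow", "Principal": {"AWS": "*"},
                         "Action": ["s3:ListBucket"],
                         "Resource": {"Fn::Join": ["", ["arn:aws:s3:::", {"Ref": "S3BucketCFn"}]]}},
                        {"Sid": "EnforceSSL", "Effect": "Deny", "Principal": {"AWS": "*"},
                         "Action": ["s3:*"],
                         "Resource": {"Fn::Join": ["", ["arn:aws:s3:::", {"Ref": "S3BucketCFn"}, "/*"]]},
                         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
                    ],
                },
            },
        },
    }
}


def as_list(value):
    """Action, Resource and Principal entries may be a scalar or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def resolve(node, refs):
    """Resolve the two intrinsics the slide's template uses: Ref and Fn::Join."""
    if isinstance(node, dict):
        if "Ref" in node:
            return refs[node["Ref"]]
        if "Fn::Join" in node:
            sep, parts = node["Fn::Join"]
            return sep.join(resolve(p, refs) for p in parts)
        return {k: resolve(v, refs) for k, v in node.items()}
    if isinstance(node, list):
        return [resolve(v, refs) for v in node]
    return node


def policies_from_template(template, bucket_name="example-bucket"):
    """Return the resolved PolicyDocument of every AWS::S3::BucketPolicy resource.

    CloudFormation assigns the real bucket name at stack creation; the
    placeholder given here stands in for it (assumption of this example).
    """
    refs = {name: bucket_name for name, res in template["Resources"].items()
            if res["Type"] == "AWS::S3::Bucket"}
    return [resolve(res["Properties"]["PolicyDocument"], refs)
            for res in template["Resources"].values()
            if res["Type"] == "AWS::S3::BucketPolicy"]


def is_public(principal):
    """True for the two spellings of an anonymous principal."""
    return principal == "*" or (isinstance(principal, dict) and "*" in as_list(principal.get("AWS")))


def audit(policy):
    """Check one bucket policy against the playbook guardrails."""
    findings = {"enforces_tls": False, "enforces_sse": False, "public_allow_without_condition": []}
    for st in as_list(policy.get("Statement")):
        actions = as_list(st.get("Action"))
        cond = st.get("Condition") or {}
        if st.get("Effect") == "Deny":
            covers_all = "s3:*" in actions or "*" in actions
            secure = cond.get("Bool", {}).get("aws:SecureTransport")
            if covers_all and str(secure).lower() == "false":
                findings["enforces_tls"] = True
            sse = cond.get("StringNotEquals", {}).get("s3:x-amz-server-side-encryption")
            if ("s3:PutObject" in actions or covers_all) and sse is not None:
                findings["enforces_sse"] = True
        elif st.get("Effect") == "Allow" and is_public(st.get("Principal")) and not cond:
            findings["public_allow_without_condition"].append(st.get("Sid", "<no Sid>"))
    return findings
```

Running audit() on the merged policy reports both guardrails present and flags PublicRead, which is exactly the statement a reviewer should confirm is intentional; the template's policy lacks the SSE deny, so the audit reports enforces_sse as false.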
48. Keys, Delimiters, and Tags
Using Keys and Delimiters
• S3 tags should not be used to configure permissions to resources
• Instead, use keys and delimiters as described in the previous section to emulate "folder-level permissions"
49. Operations
• Privilege Isolation & Roles Refresher
• IAM Role – Bastion Host
• IAM Role – Auditing Role
(Journey diagram: Strategy, Architecture, Playbook, Operations; Enterprise Security Planning, Enterprise Security Operations)
50. Privilege Isolation
Isolation boundaries: AWS Account, IAM User/Group/Role, Region, Amazon VPC, Security Group, API Call, Resource
51. IAM / Security Token Service
• STS AssumeRole
• Valid token for one hour
• Returns access key ID, secret access key, and security token
52. Privilege Isolation / Resources
Resource Permissions by Service (by API call): http://docs.aws.amazon.com/IAM/latest/UserGuide/Using_SpecificProducts.html
• Amazon DynamoDB (tables and indexes)
• AWS Elastic Beanstalk (application, applicationversion, solutionstack)
• Amazon EC2 (instance, security group, dhcp options, nacl, route table, gateways, volumes)
• Amazon Glacier (vault)
• AWS IAM (signing credentials, group, …)
• Amazon Redshift (cluster, parameter group, security group, snapshot, subnet group)
• Amazon RDS
• Amazon Route53 (hosted zone)
• Amazon S3 (bucket)
• Amazon SNS (topic)
• Amazon SQS (queue)
53. IAM Roles / EC2
• Role
• Instance Profile
• Identity for the instance itself
• Available to all applications and users on the host
54. IAM Roles / Instance Metadata Service
• Entitlements of credentials => IAM role
• Short-life & expiration of credentials provided by STS
• Managed rotation
• No stored credentials!
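To make the credential lifecycle on slides 53 and 54 concrete, here is an added example that is not from the presentation: it reads the role credential document from the instance metadata service and re-reads it when the Expiration approaches. The AWS SDKs do this for you, so the value is in seeing what "short-life, managed rotation, no stored credentials" means in code. The IMDS paths and document fields are the documented ones; the five-minute refresh margin, the fake_imds stand-in and the placeholder key values are assumptions of this example.

```python
"""Retrieve and refresh IAM role credentials from the EC2 instance metadata
service (added example, not from the presentation)."""
import json
import urllib.request
from datetime import datetime, timedelta, timezone

IMDS = "http://169.254.169.254/latest"


def imds_fetch(role_name=None):
    """Read the attached role's credential document, using an IMDSv2 session token."""
    req = urllib.request.Request(IMDS + "/api/token", method="PUT",
                                 headers={"X-aws-ec2-metadata-token-ttl-seconds": "300"})
    with urllib.request.urlopen(req, timeout=2) as resp:
        token = resp.read().decode()
    hdr = {"X-aws-ec2-metadata-token": token}
    base = IMDS + "/meta-data/iam/security-credentials/"
    if role_name is None:  # the listing names the role attached via the instance profile
        with urllib.request.urlopen(urllib.request.Request(base, headers=hdr), timeout=2) as resp:
            role_name = resp.read().decode().splitlines()[0]
    with urllib.request.urlopen(urllib.request.Request(base + role_name, headers=hdr), timeout=2) as resp:
        return json.loads(resp.read().decode())


def parse_expiration(document):
    """IMDS and STS expirations are ISO-8601 UTC strings such as 2013-11-14T18:00:00Z."""
    return datetime.strptime(document["Expiration"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


class RoleCredentials:
    """In-memory cache of the current role credentials; nothing is written to disk.

    A fresh document is fetched on first use and again whenever the cached
    one is within `margin` of its Expiration (margin value is an assumption).
    """

    def __init__(self, fetcher=imds_fetch, margin=timedelta(minutes=5), clock=None):
        self.fetcher = fetcher
        self.margin = margin
        self.clock = clock or (lambda: datetime.now(timezone.utc))
        self._doc = None
        self.refreshes = 0  # counter so the rotation is observable

    def _stale(self):
        return self._doc is None or self.clock() >= parse_expiration(self._doc) - self.margin

    def get(self):
        """Return (access key id, secret access key, session token), refreshing if needed."""
        if self._stale():
            doc = self.fetcher()
            if doc.get("Code") != "Success":  # e.g. no role attached or STS refused
                raise RuntimeError("metadata service returned no credentials: %s" % doc.get("Code"))
            self._doc = doc
            self.refreshes += 1
        return self._doc["AccessKeyId"], self._doc["SecretAccessKey"], self._doc["Token"]


def fake_imds(clock, counter, ttl=timedelta(hours=1)):
    """Constructed stand-in for imds_fetch so the lifecycle can be exercised offline."""
    def fetch():
        counter[0] += 1
        return {"Code": "Success", "Type": "AWS-HMAC",
                "AccessKeyId": "ASIA-PLACEHOLDER-%d" % counter[0],  # placeholder, not a real key
                "SecretAccessKey": "secret-placeholder",
                "Token": "session-token-placeholder",
                "Expiration": (clock() + ttl).strftime("%Y-%m-%dT%H:%M:%SZ")}
    return fetch


def lifecycle_demo():
    """Advance a simulated clock through one rotation; returns (fetches, refreshes)."""
    start = datetime(2013, 11, 14, 17, 0, tzinfo=timezone.utc)
    now, calls = [start], [0]
    creds = RoleCredentials(fetcher=fake_imds(lambda: now[0], calls), clock=lambda: now[0])
    creds.get()                               # first use: fetch, expires 18:00
    now[0] = start + timedelta(minutes=30)
    creds.get()                               # still valid: served from cache
    now[0] = start + timedelta(minutes=56)    # inside the 5-minute margin: fetch again
    creds.get()
    now[0] = start + timedelta(minutes=70)
    creds.get()                               # new document valid until 18:56: cached
    return calls[0], creds.refreshes


if __name__ == "__main__":
    print(lifecycle_demo())
```

On a real instance, RoleCredentials() with the default fetcher talks to IMDS; the demo function substitutes a constructed fetcher and clock so the two fetches across four calls can be checked without network access.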
55. Bastion Host Configuration
• Eliminates need for individual IAM credentials
• Reduces or eliminates need for federation
• Combine with auditing of shell commands
• Control access by host / purpose
56. Security Auditing Configuration
• Read-only access to AWS assets
• Census picture of all assets (feed scanning & SIEM reconciliation)
• RDS & Redshift query and connection auditing
• Change detection of vital objects
57. Security Auditing / EC2 Read-only Policy
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "ec2:DescribeAddresses",
        "ec2:DescribeImageAttribute",
        "ec2:DescribeImages",
        "ec2:DescribeInstanceAttribute",
        "ec2:DescribeInstanceStatus",
        "ec2:DescribeInstances",
        "ec2:DescribeNetworkInterfaceAttribute",
        "ec2:DescribeNetworkInterfaces",
        "ec2:DescribeSecurityGroups",
        "ec2:DescribeSubnets"
      ],
      "Resource": [ "*" ],
      "Effect": "Allow"
    }
  ]
}
(The slide's Action list ended with a trailing comma, which is not valid JSON; it is removed here.)
58. Security Auditing / RDS Read-only Policy
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "rds:DescribeDBInstances",
        "rds:DescribeDBLogFiles",
        "rds:DescribeDBParameterGroups",
        "rds:DescribeDBParameters",
        "rds:DownloadDBLogFilePortion"
      ],
      "Resource": [ "*" ],
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "rds:db-tag/environment": [ "prod", "dr" ]
        }
      }
    }
  ]
}
(The slide abbreviated the condition operator as "streq"; the policy grammar's name is StringEquals, used here.)
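The auditing policies on slides 57 and 58 and the "folder-level permissions" pattern from slide 48 are easiest to review by evaluating concrete requests against them. The following is an added example, not from the presentation and not the IAM engine itself: a small evaluator that applies the explicit-deny, allow, implicit-deny order and models only the StringEquals and StringLike operators and the ${aws:username} variable. The RDS policy is taken from slide 58 with its operator spelled StringEquals; the per-user home-prefix policy, the bucket name example-bucket and the request contexts are constructed for the example.

```python
"""Evaluate requests against IAM policy documents (added example).

Not from the presentation and not the IAM engine: explicit Deny wins, a
matching Allow is otherwise required, anything else is implicitly denied.
Only StringEquals, StringLike and ${aws:username} are modelled.
"""
from fnmatch import fnmatchcase

# From slide 58 (operator spelled StringEquals): the RDS read-only auditing policy.
RDS_AUDIT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["rds:DescribeDBInstances", "rds:DescribeDBLogFiles",
                   "rds:DescribeDBParameterGroups", "rds:DescribeDBParameters",
                   "rds:DownloadDBLogFilePortion"],
        "Resource": ["*"],
        "Condition": {"StringEquals": {"rds:db-tag/environment": ["prod", "dr"]}},
    }],
}

# Constructed: folder-level permissions via a per-user key prefix (slide 48).
# example-bucket is an assumed name.
HOME_PREFIX_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:ListBucket",
         "Resource": "arn:aws:s3:::example-bucket",
         "Condition": {"StringLike": {"s3:prefix": "home/${aws:username}/*"}}},
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::example-bucket/home/${aws:username}/*"},
    ],
}


def as_list(value):
    """Action, Resource and condition values may be a scalar or a list."""
    return value if isinstance(value, list) else [value]


def substitute(text, ctx):
    """Expand ${key} policy variables from the request context."""
    for key, val in ctx.items():
        text = text.replace("${" + key + "}", val)
    return text


def condition_holds(condition, ctx):
    """Every operator/key pair must hold; a context key that is absent fails the test."""
    for operator, pairs in (condition or {}).items():
        for key, expected in pairs.items():
            actual = ctx.get(key)
            if actual is None:
                return False
            patterns = [substitute(e, ctx) for e in as_list(expected)]
            if operator == "StringEquals":
                ok = actual in patterns
            elif operator == "StringLike":
                ok = any(fnmatchcase(actual, p) for p in patterns)
            else:
                raise ValueError("operator not modelled in this example: " + operator)
            if not ok:
                return False
    return True


def statement_matches(st, action, resource, ctx):
    """Actions match case-insensitively with * wildcards; resources by wildcard pattern."""
    act_ok = any(fnmatchcase(action.lower(), a.lower()) for a in as_list(st["Action"]))
    res_ok = any(fnmatchcase(resource, substitute(r, ctx)) for r in as_list(st["Resource"]))
    return act_ok and res_ok and condition_holds(st.get("Condition"), ctx)


def evaluate(policies, action, resource, ctx=None):
    """Return "Allow" or "Deny" for one request against all supplied policies."""
    ctx = ctx or {}
    allowed = False
    for policy in policies:
        for st in as_list(policy["Statement"]):
            if statement_matches(st, action, resource, ctx):
                if st["Effect"] == "Deny":
                    return "Deny"          # an explicit deny always wins
                allowed = True
    return "Allow" if allowed else "Deny"  # no matching Allow: implicit deny
```

The context dictionary plays the role of the request's condition keys: the environment tag on the RDS instance, the caller's user name, and the prefix of a list request. Omitting the tag key denies the describe call, which is the behaviour a tag-scoped auditing role relies on.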
59. What to do after re:Invent
• Update security strategy and vision
• Map AWS features to strategic initiatives
• Integrate AWS into your security operations
• Document privilege isolation architecture
• Begin transition to IAM roles for EC2
• Enable IAM auditing role
60. References
• Updated Security Best Practices Whitepaper: http://media.amazonwebservices.com/AWS_Security_Best_Practices.pdf
• AWS Compliance Center: https://aws.amazon.com/compliance
• AWS Security Center: https://aws.amazon.com/security
• AWS Security Blog: http://blogs.aws.amazon.com/security/
61. re:Invent Related Sessions
• Come talk security with AWS - Thursday, 4-6pm in the Toscana 3605 room
• SEC308 Auto-Scaling Web Application Security and AWS - Thursday, 4:15pm
• SEC402 Intrusion Detection in the Cloud - Thursday, 5:30pm
• SEC304 Encryption and Key Management in AWS - Friday, 9:00am
• SEC306 Implementing Bulletproof HIPAA Solutions on AWS - Friday, 11:30am
62. Please give us your feedback on this presentation (ARC308). As a thank you, we will select prize winners daily for completed surveys!