AWS 201 - A Walk through the AWS Cloud: AWS Security Best Practices
Amazon Web Services (AWS) delivers a scalable cloud computing platform with high availability and dependability, offering flexibility for customers to build a wide range of applications. Helping to protect the security of our customers’ content is of utmost importance to AWS, as is maintaining customer trust and confidence. Under the AWS shared responsibility model, AWS provides a secure global infrastructure, including compute, storage, networking and database services, as well as a range of high level services. AWS provides a range of security services and features that AWS customers can use to secure their content and meet their own specific business requirements for security. This webinar focuses on how you can make use of AWS security features to meet your own organization's security and compliance objectives.

Statistics

Views

Total Views
2,806
Views on SlideShare
2,783
Embed Views
23

Actions

Likes
10
Downloads
0
Comments
0

1 Embed 23

https://twitter.com 23

Accessibility

Categories

Upload Details

Uploaded via as Adobe PDF

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Processing…
Post Comment
Edit your comment

    Presentation Transcript

    • Security best practices for AWS
      Stephen Quigg, Asia Pacific Security Solutions Architect
    • What we will cover today
      1. Understanding shared responsibility for security
      2. Using AWS global reach and availability features
      3. Building a secure virtual private cloud
      4. Using AWS Identity and Access Management
      5. Protecting your content on AWS
      6. Building secure applications on AWS
    • Security best practices for AWS, part 1: Understanding shared responsibility for security
    • Every customer has access to the same security capabilities
      AWS maintains a formal control environment:
      • SOC 1 (SSAE 16 & ISAE 3204) Type II (was SAS70)
      • SOC 2 Type 1
      • ISO 27001 Certification
      • Certified PCI DSS Level 1 Service Provider
      • FedRAMP (FISMA), ITAR, FIPS 140-2
      • HIPAA and MPAA capable
      [Diagram: Foundation Services (Compute, Storage, Database, Networking) and AWS Global Infrastructure (Availability Zones, Regions, Edge Locations)]
    • Security is a shared responsibility between AWS and our customers
      Customers are responsible for: platform, applications, identity & access management; operating system, network & firewall configuration; client-side data encryption; server-side data encryption; network traffic protection; customer content.
      Customers configure AWS security features:
      • Get access to a mature vendor marketplace
      • Can implement and manage their own controls
      • Gain additional assurance above AWS controls
      AWS is responsible for the Foundation Services (Compute, Storage, Database, Networking) and the AWS Global Infrastructure (Availability Zones, Regions, Edge Locations), with a culture of security and continual improvement:
      • Ongoing audits and assurance
      • Protection of large-scale service endpoints
    • You can build end-to-end compliance, certification and audit
      Your compliant solutions, your certifications, your external audits and attestations:
      • Achieve PCI, HIPAA and MPAA compliance
      • Certify against ISO 27001 with a reduced scope
      • Have key controls audited or publish your own independent attestations
      [Diagram: the same AWS layer as before, Foundation Services and Global Infrastructure, with its culture of security and continual improvement (ongoing audits and assurance; protection of large-scale service endpoints)]
    • Let AWS take care of the heavy lifting for you
      [Diagram: the stack split by responsibility. AWS: facilities, physical security, compute infrastructure, storage infrastructure, network infrastructure, virtualization layer (EC2), hardened service endpoints, rich IAM capabilities. Customer: network configuration, security groups, OS firewalls, operating systems, applications, proper service configuration, AuthN & account management, authorization policies]
      Customers get to choose the right level of security for their business. As an AWS customer you can focus on your business and not be distracted by the muck.
    • Customers retain full ownership and control of their content
      Customers retain ownership of their intellectual property and content:
      • Customers manage their privacy objectives how they choose to
      • Select the AWS geographical Region; there is no automatic replication elsewhere
      • Customers can encrypt their content, retain management and ownership of keys and implement additional controls to protect their content within AWS
      The security of our services and customers is key to AWS:
      • Security starts at the top in Amazon with a dedicated CISO and strong cultural focus
      • Dedicated internal teams constantly looking at the security of our services
      • AWS support personnel have no access to customer content
    • Security best practices for AWS, part 2: Using AWS global reach and availability features
    • AWS lets customers choose where their content goes
      [Map of Regions: US-WEST (N. California), US-WEST (Oregon), US-EAST (Virginia), GOV CLOUD, EU-WEST (Ireland), ASIA PAC (Tokyo), ASIA PAC (Singapore), ASIA PAC (Sydney), SOUTH AMERICA (Sao Paulo)]
    • Take advantage of high availability in every Region
      [Map of Availability Zones in the same Regions]
    • Use edge locations to serve content close to your customers
      Edge Locations: London (2), Seattle, South Bend, New York (2), Newark, Palo Alto, Dublin, Amsterdam, Stockholm, Tokyo, San Jose, Paris (2), Ashburn (2), Los Angeles (2), Frankfurt (2), Milan, Osaka, Jacksonville, Dallas (2), Hong Kong, Mumbai, Chennai, St. Louis, Miami, Singapore (2), Sao Paulo, Sydney
    • Build your solution for continuous, resilient operations
      Scalable, fault tolerant services: build resilient solutions operating in multiple datacenters; AWS helps simplify active-active operations.
      All AWS facilities are always on: no need for a "Disaster Recovery Datacenter" when you can have resilience; every one is managed to the same global standards.
      Robust connectivity and bandwidth: each AZ has multiple, redundant Tier 1 ISP service providers and a resilient network infrastructure.
    • Security best practices for AWS, part 3: Building a secure virtual private cloud
    • Each AWS Region has multiple availability zones
      [Diagram: Availability Zone A, Availability Zone B]
    • Your VPC spans every availability zone in the Region
      [Diagram: one VPC across Availability Zone A and Availability Zone B]
    • Customers control their VPC IP address ranges
      Choose your VPC address range:
      • Your own private, isolated section of the AWS cloud
      • Every VPC has a private IP address space
      • The maximum CIDR block you can allocate is /16
      • For example 10.0.0.0/16: this allows 256*256 = 65,536 IP addresses
      Select an IP addressing strategy:
      • You can't change the VPC address space once it's created
      • Think about overlaps with other VPCs or existing corporate networks
      • Don't waste address space, but don't constrain your growth either
      [Diagram: VPC A, 10.0.0.0/16, across Availability Zone A and Availability Zone B]
    • We will concentrate on a single availability zone just now
      [Diagram: VPC A, 10.0.0.0/16, Availability Zone A]
    • Segment your VPC address space into multiple subnets
      [Diagram: VPC A 10.0.0.0/16, Availability Zone A, with subnets 10.0.1.0/24 (Web EC2 instances), 10.0.2.0/24 (EC2 instances), 10.0.3.0/24, 10.0.4.0/24, 10.0.5.0/24, and a NAT instance]
    • Place your EC2 instances in subnets according to your design
      [Diagram: the same VPC with Web EC2 instances in 10.0.1.0/24, App EC2 instances in 10.0.2.0/24, Jump and Log hosts in 10.0.4.0/24, and a NAT instance]
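The address-planning rules on the slides (private range, /16 largest block, no overlap with other VPCs or the corporate network, address space fixed once created) are easy to get wrong by hand. The following is an added example, not code from the deck or from AWS: it validates a proposed VPC CIDR, carves it into one subnet per role per availability zone in the slides' layout, and reports usable hosts. The corporate and second-VPC ranges are constructed sample values, and the /28 minimum is an assumption about the smallest VPC size AWS accepts.

```python
"""VPC address planning: validates a proposed VPC CIDR against the
rules on the slides (private range, /16 largest block, no overlap with
other networks), carves it into one subnet per role per AZ and reports
usable host counts.  Added example, not from the deck; the corporate
and second-VPC ranges are constructed sample values."""
import ipaddress

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample: ranges already used on-premises or by other VPCs.
EXISTING_NETWORKS = {
    "corp-hq": ipaddress.ip_network("10.1.0.0/16"),
    "vpc-b": ipaddress.ip_network("10.2.0.0/16"),
}


def validate_vpc_cidr(cidr, existing=EXISTING_NETWORKS):
    """Return the list of problems with a proposed VPC CIDR (empty means OK)."""
    problems = []
    net = ipaddress.ip_network(cidr, strict=True)   # raises if host bits are set
    if not any(net.subnet_of(r) for r in RFC1918):
        problems.append("not inside an RFC 1918 private range")
    if net.prefixlen < 16:
        problems.append("larger than the /16 maximum")
    if net.prefixlen > 28:  # assumption: /28 is the smallest VPC AWS accepts
        problems.append("smaller than the /28 minimum")
    for name, other in existing.items():
        if net.overlaps(other):
            problems.append(f"overlaps {name} ({other})")
    return problems


def plan_subnets(vpc_cidr, roles, azs, new_prefix=24, first_index=1):
    """Allocate one subnet per (AZ, role) from the VPC block, in order.

    first_index=1 mirrors the slides, whose layout starts at 10.0.1.0/24.
    """
    vpc = ipaddress.ip_network(vpc_cidr)
    blocks = list(vpc.subnets(new_prefix=new_prefix))[first_index:]
    if len(roles) * len(azs) > len(blocks):
        raise ValueError("not enough subnets of that size in the VPC")
    plan, index = {}, 0
    for az in azs:
        for role in roles:
            plan[(az, role)] = blocks[index]
            index += 1
    return plan


def usable_hosts(subnet):
    """AWS reserves the first four and the last address of every subnet."""
    return subnet.num_addresses - 5


def report(vpc_cidr, roles, azs):
    """Human-readable plan, or the list of reasons the CIDR was rejected."""
    problems = validate_vpc_cidr(vpc_cidr)
    if problems:
        return [f"{vpc_cidr}: {p}" for p in problems]
    return [f"AZ {az} {role:<5} {subnet} ({usable_hosts(subnet)} usable hosts)"
            for (az, role), subnet in plan_subnets(vpc_cidr, roles, azs).items()]


if __name__ == "__main__":
    for cidr in ("10.0.0.0/16", "10.1.0.0/16", "10.0.0.0/8"):
        print("\n".join(report(cidr, ["web", "app", "db", "mgmt", "log"], ["a", "b"])))
        print()
```

Running the module prints a valid plan for 10.0.0.0/16 and the rejection reasons for the two bad choices; the overlap check is the one that matters most in practice, because the slide's warning that the range cannot be changed after creation means an overlap with the corporate network is only discovered when the VPN or Direct Connect link is built.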
    • Use VPC security groups to firewall your instances
      Example rule: "Web servers can connect to app servers on port 8080"
      [Diagram: the same VPC, Web, App, Jump, Log and NAT instances in their subnets]
    • Each instance can be in up to five security groups
      Example rules: "Web servers can connect to app servers on port 8080"; "Allow outbound connections to the log server"
    • Use separate security groups for applications and management
      Example rules: "Web servers can connect to app servers on port 8080"; "Allow outbound connections to the log server"; "Allow SSH and ICMP from hosts in the Jump Hosts security group"
    • Security groups are stateful with both ingress and egress rules
      Security groups:
      • Operate at the instance level
      • Support ALLOW rules only
      • Are stateful
      • Max 50 rules per security group
    • The VPC router will allow any subnet to route to another in the VPC
      [Diagram: the same VPC with the Router between subnets]
    • Use Network Access Control Lists to restrict internal VPC traffic
    • Use Network Access Control Lists to restrict internal VPC traffic
      Example rule: "Deny all traffic between the web server subnet and the database server subnet"
    • Use Network Access Control Lists for defence in depth
      NACLs are optional:
      • Applied at subnet level, stateless and permit all by default
      • ALLOW and DENY
      • Applies to all instances in the subnet
      • Use as a second line of defence
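The two filtering layers behave differently in ways that matter for the "deny web to database" example: security groups are allow-only and stateful, so a reply never needs its own rule, while a NACL is an ordered allow/deny list that is stateless, so return traffic on ephemeral ports must be allowed explicitly or connections silently break. The model below is an added example, not code from the deck or from AWS; the topology mirrors the slides' subnets, every rule and address is constructed for illustration, and the `db` group is deliberately looser than it should be to show the NACL acting as the second line of defence.

```python
"""Model of the two VPC filtering layers from the slides: security groups
(instance level, ALLOW rules only, stateful) and network ACLs (subnet
level, ordered ALLOW/DENY, stateless).  Added example, not from the deck;
the topology mirrors the slides' subnets and every rule is constructed."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int

    def reverse(self):
        return Packet(self.dst, self.src, self.proto, self.dport, self.sport)


def in_cidr(ip, cidr):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr)


# Security group rules: (direction, proto, port_from, port_to, source); source
# is a CIDR or the name of another group.  "db" is deliberately loose.
SG_RULES = {
    "web": [("ingress", "tcp", 80, 80, "0.0.0.0/0"),
            ("egress", "tcp", 0, 65535, "0.0.0.0/0")],      # the default egress rule
    "app": [("ingress", "tcp", 8080, 8080, "web"),
            ("egress", "tcp", 514, 514, "log")],
    "db": [("ingress", "tcp", 3306, 3306, "10.0.0.0/16")],
    "log": [("ingress", "tcp", 514, 514, "10.0.0.0/16")],
    "jump-hosts": [("egress", "tcp", 22, 22, "10.0.0.0/16")],
    "managed": [("ingress", "tcp", 22, 22, "jump-hosts")],
}
MEMBERSHIP = {  # instance IP -> its security groups (at most five per instance)
    "10.0.1.10": {"web", "managed"}, "10.0.2.10": {"app", "managed"},
    "10.0.3.10": {"db", "managed"}, "10.0.4.10": {"jump-hosts"},
    "10.0.4.20": {"log", "managed"},
}
CONNTRACK = set()   # 5-tuples of connections a security group has admitted


def sg_allows(ip, direction, pkt):
    """Stateful check: replies to an admitted connection need no rule."""
    fwd = pkt.reverse()
    if (fwd.src, fwd.sport, fwd.dst, fwd.dport, fwd.proto) in CONNTRACK:
        return True
    peer = pkt.src if direction == "ingress" else pkt.dst
    for group in MEMBERSHIP.get(ip, ()):
        for d, proto, lo, hi, source in SG_RULES.get(group, ()):
            if d != direction or proto != pkt.proto or not lo <= pkt.dport <= hi:
                continue
            if source in SG_RULES:   # the rule references another group
                if source in MEMBERSHIP.get(peer, set()):
                    return True
            elif in_cidr(peer, source):
                return True
    return False   # no matching ALLOW: security groups cannot express DENY


# NACL entries: (rule_number, direction, proto, port_from, port_to, cidr, action).
# Lowest number wins; anything unmatched hits the implicit final DENY.
WEB_NACL = [
    (100, "inbound", "all", 0, 65535, "10.0.3.0/24", "deny"),    # no web<->db traffic
    (100, "outbound", "all", 0, 65535, "10.0.3.0/24", "deny"),
    (200, "inbound", "tcp", 80, 80, "0.0.0.0/0", "allow"),
    (210, "inbound", "tcp", 1024, 65535, "10.0.0.0/16", "allow"),  # replies (stateless!)
    (200, "outbound", "tcp", 0, 65535, "10.0.0.0/16", "allow"),
    (210, "outbound", "tcp", 1024, 65535, "0.0.0.0/0", "allow"),   # replies to clients
]
DEFAULT_NACL = [(100, "inbound", "all", 0, 65535, "0.0.0.0/0", "allow"),
                (100, "outbound", "all", 0, 65535, "0.0.0.0/0", "allow")]
SUBNETS = ["10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24", "10.0.4.0/24", "10.0.5.0/24"]
NACLS = {"10.0.1.0/24": WEB_NACL}   # other subnets keep the permit-all default


def nacl_allows(entries, direction, pkt):
    """Stateless, first-match evaluation in rule-number order."""
    peer = pkt.src if direction == "inbound" else pkt.dst
    for _num, d, proto, lo, hi, cidr, action in sorted(entries, key=lambda e: e[0]):
        if (d == direction and proto in ("all", pkt.proto)
                and lo <= pkt.dport <= hi and in_cidr(peer, cidr)):
            return action == "allow"
    return False


def nacl_for(ip):
    subnet = next(s for s in SUBNETS if in_cidr(ip, s))
    return NACLS.get(subnet, DEFAULT_NACL)


def deliver(pkt):
    """Run a packet through SG egress, NACL out, NACL in and SG ingress."""
    stages = [("sg-egress", lambda: sg_allows(pkt.src, "egress", pkt)),
              ("nacl-outbound", lambda: nacl_allows(nacl_for(pkt.src), "outbound", pkt)),
              ("nacl-inbound", lambda: nacl_allows(nacl_for(pkt.dst), "inbound", pkt)),
              ("sg-ingress", lambda: sg_allows(pkt.dst, "ingress", pkt))]
    for name, check in stages:
        if not check():
            return False, name
    CONNTRACK.add((pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto))
    return True, "delivered"
```

Walking a web-to-app request and its reply through `deliver` shows the stateful security group admitting the reply with no rule of its own, while removing the web subnet's rule 210 makes the same reply fail at the NACL. A web-to-database connection that the loose `db` group would accept is stopped at `nacl-outbound` by rule 100, which is exactly the second line of defence the slide describes.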
    • Use Elastic Load Balancers to distribute traffic between instances
      [Diagram: an Elastic Load Balancer in front of the Web EC2 instances in 10.0.1.0/24, with the App, Jump, Log and NAT instances in their subnets]
    • Elastic Load Balancers are also placed in security groups
      [Diagram: the same layout with additional Web instances behind the Elastic Load Balancer]
    • Your security can scale up and down with your solution
      Elastic load balancers and auto scaling:
      • Instances can automatically be added and removed from the balancing pool using rules
      • You can add instances into security groups at launch time
    • Connecting your VPC to the Internet
    • Add an Internet Gateway to route Internet traffic from your VPC
      [Diagram: Internet Gateway attached to VPC A 10.0.0.0/16, VPC Router, Web and App instances, NAT]
    • You choose what subnets can route to the Internet
      Internet routing:
      • Add route tables to subnets to control Internet traffic flows; these become Public subnets
      • Internet Gateway routing allows you to allocate a static Elastic IP address or use AWS-managed public IP addresses for your instances
    • NAT instances allow outbound Internet traffic from private subnets
      • Use a NAT instance to provide Internet connectivity for private subnets; this is required to access AWS update repositories
      • This will also allow back-end servers to route to AWS APIs, for example storing logs on S3, or using Dynamo, SQS, SNS and SWS
    • Access AWS API endpoints through the Internet Gateway
      [Diagram: the VPC reaching Amazon S3, Amazon SQS, Amazon SNS, Amazon Glacier, DynamoDB and Amazon SES through the Internet Gateway]
    • Integrating your VPC with your existing infrastructure
      [Diagram: your premises]
    • Add a Virtual Private Gateway to route traffic to your premises
      [Diagram: VPC Router, Virtual Private Gateway, your premises]
    • You can create multiple IPSEC tunnels to your own VPN endpoints
      [Diagram: Virtual Private Gateway with IPSEC tunnels to a Customer Gateway on your premises]
    • You can also connect privately using AWS Direct Connect
      [Diagram: Virtual Private Gateway, Direct Connect, Customer Gateway]
    • You can also create VPNs over Direct Connect if required
    • You can route VPC Internet connections through your own gateways
    • You can have both Internet and private connectivity to your VPC
      [Diagram: Internet Gateway to Amazon S3 and DynamoDB, plus Virtual Private Gateway, Direct Connect and Customer Gateway to your premises]
    • You can access AWS Internet endpoints using Direct Connect
    • You can distribute load across availability zones to build resilience
      [Diagram: Internet Gateway; in each of Availability Zone A and B a public subnet holding an Elastic Load Balancer and Web instances, and private subnets holding auto-scaled Application instances behind internal Elastic Load Balancers]
    • ELBs will balance traffic in an AZ and redirect in case of failure
      [Diagram: the same two-AZ layout]
    • VPC security tip
      Don't have any elastic IP addresses:
      • For web applications, the only elements requiring external connectivity are the ELBs and the NAT instance
      • Web servers can sit in a private subnet, in a separate security group from the ELBs
      • AWS manages ELB security; the customer just has to configure them
      Use jump hosts in the VPC to manage hosts rather than directly connecting from external addresses:
      • Security group access on production hosts can be limited
      • Enforce a single point of control, redundant across availability zones
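The VPC security tip turns into a handful of checks that can be run over an inventory: no public or Elastic IP on anything other than the ELBs and the NAT instance, SSH and RDP admitted only from the jump-host security group, and the five-groups-per-instance and fifty-rules-per-group limits from the earlier slide. This is an added example, not code from the deck or from AWS; the inventory is a constructed, simplified snapshot rather than the exact `describe-instances` / `describe-security-groups` output, and the `legacy` and `monitoring` groups contain the kind of rules the audit is meant to catch.

```python
"""Audit of instance placement and security-group rules against the VPC
security tip on the slide.  Added example, not from the deck; the
inventory is a constructed, simplified snapshot."""

MANAGEMENT_PORTS = {22: "SSH", 3389: "RDP"}
MAX_GROUPS_PER_INSTANCE = 5
MAX_RULES_PER_GROUP = 50

# Rules are (proto, port_from, port_to, source); source is a CIDR or "sg:<name>".
# proto "-1" is the value AWS uses for "all protocols".
GROUPS = {
    "web": [("tcp", 80, 80, "0.0.0.0/0")],
    "app": [("tcp", 8080, 8080, "sg:web")],
    "db": [("tcp", 3306, 3306, "sg:app")],
    "log": [("tcp", 514, 514, "10.0.0.0/16")],
    "nat": [("tcp", 80, 80, "10.0.0.0/16"), ("tcp", 443, 443, "10.0.0.0/16")],
    "jump-hosts": [("tcp", 22, 22, "198.51.100.0/24")],   # corporate range (constructed)
    "managed": [("tcp", 22, 22, "sg:jump-hosts")],
    "legacy": [("tcp", 22, 22, "0.0.0.0/0")],              # the kind of rule to catch
    "monitoring": [("tcp", 3389, 3389, "10.0.4.0/24")],
    "backup": [],
    "ops": [],
}
INSTANCES = [
    {"id": "i-web1", "role": "web", "public_ip": None, "groups": ["web", "managed"]},
    {"id": "i-web2", "role": "web", "public_ip": "203.0.113.10", "groups": ["web", "managed"]},
    {"id": "i-nat", "role": "nat", "public_ip": "203.0.113.1", "groups": ["nat"]},
    {"id": "i-app1", "role": "app", "public_ip": None, "groups": ["app", "managed", "legacy"]},
    {"id": "i-log", "role": "log", "public_ip": None,
     "groups": ["log", "managed", "monitoring", "backup", "ops", "legacy"]},
]


def audit(instances, groups, jump_group="jump-hosts", public_roles=("nat", "elb")):
    """Return findings as (severity, resource, message) tuples."""
    findings = []
    for inst in instances:
        if inst["public_ip"] and inst["role"] not in public_roles:
            findings.append(("high", inst["id"],
                             f"{inst['role']} instance has public address {inst['public_ip']}; "
                             "only the ELBs and the NAT instance need external connectivity"))
        if len(inst["groups"]) > MAX_GROUPS_PER_INSTANCE:
            findings.append(("error", inst["id"], f"{len(inst['groups'])} security groups "
                             f"exceeds the limit of {MAX_GROUPS_PER_INSTANCE}"))
        for g in inst["groups"]:
            if g not in groups:
                findings.append(("error", inst["id"], f"references unknown group {g}"))
    for name, rules in groups.items():
        if len(rules) > MAX_RULES_PER_GROUP:
            findings.append(("error", name,
                             f"{len(rules)} rules exceeds the limit of {MAX_RULES_PER_GROUP}"))
        if name == jump_group:
            continue   # the jump-host group is the intended entry point for admins
        for proto, lo, hi, source in rules:
            if proto not in ("tcp", "-1"):
                continue
            for port, label in MANAGEMENT_PORTS.items():
                if not lo <= port <= hi:
                    continue
                if source == "0.0.0.0/0":
                    findings.append(("high", name, f"{label} open to the Internet"))
                elif source != f"sg:{jump_group}":
                    findings.append(("medium", name,
                                     f"{label} allowed from {source}; restrict to sg:{jump_group}"))
    return findings


def by_severity(findings):
    counts = {}
    for sev, _res, _msg in findings:
        counts[sev] = counts.get(sev, 0) + 1
    return counts


if __name__ == "__main__":
    for sev, res, msg in audit(INSTANCES, GROUPS):
        print(f"[{sev}] {res}: {msg}")
```

On the constructed inventory the audit reports the web server carrying a public address, the `legacy` group's SSH-from-anywhere rule, the `monitoring` group admitting RDP from a subnet rather than from the jump hosts, and the log host exceeding five groups; in a real account the same function would be fed the output of the describe calls after a small reshaping step.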
    • Security best practices for AWS, part 4: Using AWS Identity and Access Management
    • You have fine grained control of your AWS environment
      AWS IAM enables you to securely control access to AWS services and resources:
      • Fine grained control of user permissions, resources and actions
      • Now includes support for RunInstances
      • Add multi factor authentication: hardware token or smartphone apps
      • Test out your new policies using the Identity and Access Management policy simulator
    • Segregate duties between roles with IAM
      AWS account owner (master): you get to choose who can do what in your AWS environment and from where.
      [Diagram: network management, security management, server management and storage management roles managing and operating a VPC (10.0.0.0/16) with subnets 10.0.1.0/24 and 10.0.2.0/24 across Availability Zones in a Region, plus the Router, Internet Gateway and Customer Gateway]
    • Use AWS CloudTrail (beta) to track access to APIs and IAM
      Increase your visibility of what happened in your AWS environment:
      • CloudTrail will record access to API calls and save logs in your S3 buckets, no matter how those API calls were made
      • Who did what and when and from what IP address
      • Be notified of log file delivery using the AWS Simple Notification Service
      • Support for many AWS services including EC2, EBS, VPC, RDS, IAM, STS and Redshift
      • Aggregate log information into a single S3 bucket
      Out of the box integration with log analysis tools from AWS partners including Splunk, AlertLogic and SumoLogic.
    • AWS CloudTrail logs can be used for many powerful use cases
      CloudTrail can help you achieve many tasks:
      • Security analysis
      • Track changes to AWS resources, for example VPC security groups and NACLs
      • Compliance: understand AWS API call history
      • Troubleshoot operational issues: quickly identify the most recent changes to your environment
      CloudTrail is currently available in US-WEST1 and US-EAST1.
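The "who did what, when and from what IP address" question from the CloudTrail slides, answered over a batch of records: the code pulls out every change to a security group or NACL (the change-tracking use case above) and every successful console login made without MFA (the MFA recommendation from the IAM slide). This is an added example, not code from the deck or from AWS. The records are constructed in CloudTrail's JSON layout, a `Records` array of events with `userIdentity`, `eventName`, `sourceIPAddress` and `requestParameters`; the account number, group and ACL ids, user names and addresses are placeholders.

```python
"""Who did what, when and from where: extracts security-group and NACL
changes and console logins without MFA from CloudTrail records.  Added
example, not from the deck; the records are constructed in CloudTrail's
JSON layout with placeholder ids and addresses."""
import gzip
import json

NETWORK_CHANGE_EVENTS = {
    "AuthorizeSecurityGroupIngress", "AuthorizeSecurityGroupEgress",
    "RevokeSecurityGroupIngress", "RevokeSecurityGroupEgress",
    "CreateSecurityGroup", "DeleteSecurityGroup",
    "CreateNetworkAclEntry", "ReplaceNetworkAclEntry", "DeleteNetworkAclEntry",
}

SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventTime": "2013-11-14T08:12:03Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "requestParameters": {"groupId": "sg-0000example", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
          "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
    {"eventTime": "2013-11-14T08:15:40Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "CreateNetworkAclEntry", "sourceIPAddress": "198.51.100.9",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::000000000000:assumed-role/NetworkAdmins/carol"},
     "requestParameters": {"networkAclId": "acl-0000example", "ruleNumber": 100,
                           "egress": False, "ruleAction": "deny", "cidrBlock": "10.0.3.0/24"}},
    {"eventTime": "2013-11-14T09:01:12Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.5",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventTime": "2013-11-14T09:02:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}},
    {"eventTime": "2013-11-14T09:30:51Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "Yes"}},
]})


def load_records(text):
    return json.loads(text)["Records"]


def load_trail_file(path):
    """CloudTrail delivers each batch to S3 as a gzip-compressed JSON file."""
    with gzip.open(path, "rt") as fh:
        return load_records(fh.read())


def actor(record):
    """A readable name for the caller: IAM user name, or the assumed-role session."""
    ident = record.get("userIdentity", {})
    if ident.get("type") == "IAMUser":
        return ident.get("userName", "?")
    if ident.get("type") == "AssumedRole":
        return ident.get("arn", "?").split(":")[-1]   # assumed-role/<role>/<session>
    return ident.get("type", "unknown")


def network_changes(records):
    """(time, actor, source IP, event, target resource) for SG and NACL edits."""
    out = []
    for r in records:
        if r.get("eventName") in NETWORK_CHANGE_EVENTS:
            params = r.get("requestParameters", {})
            target = params.get("groupId") or params.get("networkAclId") or "?"
            out.append((r["eventTime"], actor(r), r["sourceIPAddress"], r["eventName"], target))
    return out


def console_logins_without_mfa(records):
    return [(r["eventTime"], actor(r), r["sourceIPAddress"]) for r in records
            if r.get("eventName") == "ConsoleLogin"
            and r.get("responseElements", {}).get("ConsoleLogin") == "Success"
            and r.get("additionalEventData", {}).get("MFAUsed") != "Yes"]


def activity_by_actor(records):
    counts = {}
    for r in records:
        counts[actor(r)] = counts.get(actor(r), 0) + 1
    return counts


if __name__ == "__main__":
    recs = load_records(SAMPLE_TRAIL)
    for change in network_changes(recs):
        print("network change:", *change)
    for login in console_logins_without_mfa(recs):
        print("console login without MFA:", *login)
```

`load_trail_file` is the only part that touches storage; everything else works on the parsed list, so the same functions can run over a day's worth of files pulled from the aggregation bucket the slide recommends. Feeding the security-group change into the placement audit shown earlier closes the loop between "what changed" and "is that change acceptable".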
    • Federate AWS IAM with your existing directories
      Keep control of who can do what on AWS using your existing directory:
      • AWS IAM now supports SAML 2.0
      • Federate with on-premise directories like Active Directory or another SAML 2.0 compliant identity provider
      • Use Active Directory users and groups in AWS for authentication and authorization
      • E.g. the 'Database Administrators' AD security group can have access to create and manage on-premise and AWS RDS instances
    • How you can make the maximum use of AWS IAM features
      Rotate your AWS access keys regularly. Having a shorter period an access key is active will reduce the impact if compromised:
      • Create a second access key in addition to the one in use
      • Update all your applications to use the new access key and validate that the applications are working
      • Change the state of the previous access key to inactive
      • Validate that your applications are still working as expected
      • Delete the inactive access key
      Avoid hard-coding. You don't need to put credentials into applications; access AWS resources using IAM roles for EC2:
      • Search your source code for hard-coded access keys
      • Create IAM roles with least-privilege permissions for access to relevant AWS services, e.g. an S3 bucket
      • Use IAM roles in your application and launch your EC2 instance with the role
      • You can also use this technique to distribute non-AWS credentials to your applications to avoid checking them into GitHub!
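The first step under "avoid hard-coding" is finding the keys that are already in the tree. The scanner below is an added example, not code from the deck or from AWS: it matches the access-key-id format, then looks for 40-character tokens on lines that mention a secret and rates them by Shannon entropy so that hashes and similar strings are not reported. The files are constructed; the `AKIAIOSFODNN7EXAMPLE` pair is the well-known AWS documentation placeholder (skipped via the `EXAMPLE` marker), and the other keys are made up. Once a hit is confirmed, the slide's remedy applies: rotate the key and move the code to an IAM role for EC2.

```python
"""Scanner for hard-coded AWS credentials in source trees.  Added
example, not from the deck; SAMPLE_FILES is constructed, and the
AKIAIOSFODNN7EXAMPLE pair is the AWS documentation placeholder."""
import math
import re
from collections import Counter

ACCESS_KEY_RE = re.compile(r"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")
SECRET_TOKEN_RE = re.compile(r"(?<![A-Za-z0-9/+])[A-Za-z0-9/+]{40}(?![A-Za-z0-9/+])")
PLACEHOLDER_MARKERS = ("EXAMPLE",)   # documentation samples, not live credentials

SAMPLE_FILES = {
    "app/config.py": 'AWS_ACCESS_KEY_ID = "AKIAABCDEFGHIJKLMNOP"\n'
                     'AWS_SECRET_ACCESS_KEY = "a1B2c3D4e5F6g7H8i9J0kLmNoPqRsTuVwXyZ1234"\n',
    "docs/README.md": "Run `aws configure` and paste AKIAIOSFODNN7EXAMPLE / "
                      "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY as in the AWS docs.\n",
    "app/s3.py": "import boto3\n"
                 "session = boto3.Session()  # credentials come from the instance role\n",
    ".env": "AWS_SECRET_ACCESS_KEY=Zz9Yy8Xx7Ww6Vv5Uu4Tt3Ss2Rr1Qq0PpOoNnMmLl\n",
}


def shannon_entropy(token):
    """Bits per character; random 40-character secrets score well above 4."""
    counts = Counter(token)
    return -sum(c / len(token) * math.log2(c / len(token)) for c in counts.values())


def scan_text(path, text, min_secret_entropy=3.5):
    """Return (path, line_number, kind, token) for each suspicious literal."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_RE.finditer(line):
            if not any(marker in m.group() for marker in PLACEHOLDER_MARKERS):
                hits.append((path, lineno, "access-key-id", m.group()))
        if "secret" not in line.lower():
            continue   # 40-char tokens are common (hashes); only trust labelled lines
        for m in SECRET_TOKEN_RE.finditer(line):
            token = m.group()
            if any(marker in token for marker in PLACEHOLDER_MARKERS):
                continue
            if shannon_entropy(token) >= min_secret_entropy:
                hits.append((path, lineno, "secret-access-key", token))
    return hits


def scan_sources(files):
    """files: mapping of path -> file contents (read from disk in real use)."""
    return [hit for path, text in files.items() for hit in scan_text(path, text)]


if __name__ == "__main__":
    for path, lineno, kind, token in scan_sources(SAMPLE_FILES):
        print(f"{path}:{lineno}: {kind} {token[:4]}...{token[-4:]}")
```

The scan reports the key pair in `app/config.py` and the secret in `.env`, and nothing in the README or in the module that already relies on the instance role. Printing only the first and last characters of each token keeps the scanner's own output from becoming another copy of the secret.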
    • Integrate  AWS  IAM  with  web  iden77es  in  your  solu7ons   Use  IAM  roles  to  authorise  web  iden@@es  access  to  AWS  resources   •  Your  users  can  sign-­‐in  with  mul@ple  authen@ca@on  op@ons   •  Roles  can  be  created  on-­‐the-­‐fly  to  permit  AWS  resource  access   •  Token  validity  can  be  limited   •  No  need  to  run  your  own  EC2  endpoints  
    • Your  solu7ons  can  also  use  your  exis7ng  directories   Your  applica@ons  don’t  need  to  use   AWS  IAM   •  Customers  retain  their  own  design   choices   •  Extend  internal  directories  into   AWS  over  private  connec@ons   •  Replicate  internal  directories  into   your  VPC  or  use  trust  domains   •  Create  new  directories  within  your   VPC  
    • Security best practices for AWS, part 5: Protecting your content on AWS
    • AWS has many different content storage services
      [Diagram: S3, RDS, EBS, Redshift]
    • Making use of available Amazon S3 security features
      Configure S3 access controls at bucket and object level:
      • Restrict access and rights as tightly as possible and regularly review access logs
      • Use versioning for important files, with MFA required for delete
      Use S3 cryptographic features:
      • Use SSL to protect data in transit
      • S3 server side encryption: AWS will transparently encrypt your objects using AES-256 and manage the keys on your behalf
      • Use S3 client side encryption: encrypt information before sending it to S3; build it yourself or use the AWS Java SDK
      • Use MD5 checksums to verify the integrity of objects loaded into S3
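Two of the S3 items above can be enforced rather than merely recommended: a bucket policy can refuse any request that is not made over SSL and any upload that does not ask for server-side encryption, and the MD5 check is a header the client computes before the PUT. The code below is an added example, not from the deck or from AWS. The bucket name is a placeholder; the policy uses the AWS condition keys `aws:SecureTransport` and `s3:x-amz-server-side-encryption`, and the ETag comparison applies only to single-part uploads that are plaintext or SSE-S3 encrypted.

```python
"""S3 controls from the slide made concrete: a bucket policy that denies
non-SSL requests and unencrypted uploads, and the Content-MD5 integrity
check.  Added example, not from the deck; the bucket name is a placeholder."""
import base64
import hashlib
import json


def bucket_policy(bucket):
    """Deny plaintext transport; deny PutObject unless SSE (AES-256) is requested."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    objects_arn = f"{bucket_arn}/*"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
             "Action": "s3:*", "Resource": [bucket_arn, objects_arn],
             "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
            {"Sid": "DenyUnencryptedPut", "Effect": "Deny", "Principal": "*",
             "Action": "s3:PutObject", "Resource": objects_arn,
             "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "AES256"}}},
            # Uploads that omit the header entirely are covered by this Null check.
            {"Sid": "DenyPutWithoutEncryptionHeader", "Effect": "Deny", "Principal": "*",
             "Action": "s3:PutObject", "Resource": objects_arn,
             "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}}},
        ],
    }


def content_md5_header(data):
    """Value for the Content-MD5 request header: base64 of the raw MD5 digest.
    S3 recomputes the digest on receipt and rejects the PUT if it differs."""
    return base64.b64encode(hashlib.md5(data).digest()).decode("ascii")


def expected_etag(data):
    """For a single-part plaintext or SSE-S3 upload the ETag is the quoted hex MD5.
    Multipart and SSE-KMS objects do not follow this rule."""
    return f'"{hashlib.md5(data).hexdigest()}"'


def verify_upload(data, returned_etag):
    """Compare the ETag S3 returned with the digest of what we meant to send."""
    return returned_etag == expected_etag(data)


def policy_denies_plaintext(policy):
    """Self-check: does the policy carry the SecureTransport deny statement?"""
    return any(s["Effect"] == "Deny" and
               s.get("Condition", {}).get("Bool", {}).get("aws:SecureTransport") == "false"
               for s in policy["Statement"])


if __name__ == "__main__":
    print(json.dumps(bucket_policy("my-example-bucket"), indent=2))
    body = b"hello world"   # constructed object body
    print("Content-MD5:", content_md5_header(body), "ETag:", expected_etag(body))
```

The Content-MD5 header catches corruption on the way up; comparing the returned ETag afterwards is a second, independent check of the same thing. Client-side encryption changes the rule: the digest must then be computed over the ciphertext that is actually uploaded.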
    • Understanding Amazon Redshift security features
      Redshift has one-click full disk encryption as standard:
      • If chosen, backups to S3 are also encrypted
      • You can use the AWS CloudHSM to store your keys
      Customers still need to manage access to their Redshift clusters:
      • Backup access logs to S3 for later analysis; Redshift will only store them for one week
      • Configure security groups and consider deploying within VPC
      Redshift loads data from S3 over SSL:
      • Limit access to those S3 buckets and consider the end-to-end data load process from source
      Use SSL to protect data in transit if querying over the Internet.
    • Making the most of Amazon RDS security features
      RDS can reduce the security burden of running your databases:
      • Limit security group access to RDS instances
      • Limit RDS management plane access with AWS IAM permissions
      Encrypt data in flight:
      • Oracle Native Network Encryption, SSL for SQL Server, MySQL and PostgreSQL, especially if the database is accessible from the Internet
      Encrypt data at rest in sensitive table space:
      • Native RDS via SQL Server and Oracle Transparent Data Encryption
      • Encrypt sensitive information at application level or use a DB proxy
      Configure automatic patching of minor updates: let AWS do the heavy lifting for you within a maintenance window you choose.
    • Use fine-grained security with Amazon DynamoDB
      Fine-grained security restricts access to columns and rows:
      • Will reduce the impact of loss of DynamoDB access credentials or a coding vulnerability
      • Each user can update their own row of data, but has no access to any other row
      • Negates the need to proxy DynamoDB access: your end-user application can directly call the relevant APIs
      Three easy steps to implement fine-grained security:
      1. Create an access policy
      2. Create an IAM role
      3. Assign your access policy to the role
    • Use fine-grained security with Amazon DynamoDB
      Your end-user application can now call DynamoDB directly using temporary IAM credentials generated from a role.
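The three steps above, as code: the access policy pins a web-identity user to the item whose partition key equals their own identity and to a fixed set of attributes, the role's trust policy lets users of the application assume it, and a small local evaluator shows which requests the policy admits before the role is ever created. This is an added example, not code from the deck or from AWS. The table ARN, account id and app id are placeholders; the policy uses the real `dynamodb:LeadingKeys`, `dynamodb:Attributes` and `dynamodb:Select` condition keys and the `${www.amazon.com:user_id}` policy variable for Login with Amazon; the evaluator covers only this policy shape, not the full IAM evaluation logic.

```python
"""DynamoDB fine-grained access: the access policy (step 1), the role
trust policy (step 2) and a simplified local check of what the policy
admits.  Added example, not from the deck; ARNs and ids are placeholders."""
import json

# Policy variable for a user federated through Login with Amazon.  Other
# providers use their own variable, e.g. ${graph.facebook.com:id}.
USER_VAR = "${www.amazon.com:user_id}"


def fine_grained_policy(table_arn, attributes, actions=(
        "dynamodb:GetItem", "dynamodb:PutItem", "dynamodb:UpdateItem", "dynamodb:Query")):
    """Step 1: allow the listed actions only on the caller's own item and attributes."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": list(actions),
            "Resource": table_arn,
            "Condition": {
                # every partition-key value and every attribute named in the
                # request must appear in these lists (ForAllValues semantics)
                "ForAllValues:StringEquals": {
                    "dynamodb:LeadingKeys": [USER_VAR],
                    "dynamodb:Attributes": list(attributes),
                },
                # reads must name specific attributes rather than fetch whole items
                "StringEqualsIfExists": {"dynamodb:Select": "SPECIFIC_ATTRIBUTES"},
            },
        }],
    }


def role_trust_policy(provider="www.amazon.com", app_id="PLACEHOLDER_APP_ID"):
    """Step 2: the role may be assumed via web identity by users of this app."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Principal": {"Federated": provider},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {"StringEquals": {f"{provider}:app_id": app_id}}}]}


def request_allowed(policy, user_id, action, leading_keys, attributes,
                    select="SPECIFIC_ATTRIBUTES"):
    """Evaluate an Allow statement of the shape built above; default deny.
    select=None models a write, which carries no Select parameter."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow" or action not in stmt["Action"]:
            continue
        cond = stmt["Condition"]
        for_all = cond["ForAllValues:StringEquals"]
        allowed_keys = {v.replace(USER_VAR, user_id) for v in for_all["dynamodb:LeadingKeys"]}
        allowed_attrs = set(for_all["dynamodb:Attributes"])
        if not set(leading_keys) <= allowed_keys:
            continue   # touches somebody else's row
        if not set(attributes) <= allowed_attrs:
            continue   # touches a column the policy does not expose
        if select is not None and select != cond["StringEqualsIfExists"]["dynamodb:Select"]:
            continue
        return True
    return False


TABLE_ARN = "arn:aws:dynamodb:us-east-1:000000000000:table/GameScores"   # placeholder
POLICY = fine_grained_policy(TABLE_ARN, ["UserId", "GameTitle", "TopScore"])

if __name__ == "__main__":
    print(json.dumps(POLICY, indent=2))
    print(json.dumps(role_trust_policy(), indent=2))
```

Step 3 is attaching `POLICY` to the role created with `role_trust_policy`; after that the application calls `AssumeRoleWithWebIdentity` and receives the temporary credentials the slide describes, and every DynamoDB request made with them is bound to the caller's own row.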
    • Encrypting EBS volumes on Amazon EC2 instances
      Roll your own encryption or use commercial solutions:
      • Windows BitLocker or Linux LUKS for encrypted volumes and TrueCrypt for containers
      • SafeNet Protect-V, Trend Secure Cloud, Voltage: some vendors offer boot volume encryption
      • MapReduce volumes can use Gazzang
      Managing encryption keys is critical and difficult!
      • How will you manage keys and make sure they are available when required, for example at instance start-up?
      • How will you keep them available and prevent loss?
      • How will you rotate keys on a regular basis and keep them private?
    • Use the AWS CloudHSM to store encryption keys
      Tamper-resistant, customer controlled hardware security module within your VPC:
      • Industry-standard SafeNet Luna devices; Common Criteria EAL4+, NIST FIPS 140-2 certified
      • No access from Amazon administrators who manage and maintain the appliance
      • High availability and replication to on-premise HSMs
      Reliable & durable key storage:
      • Use for transparent data encryption on self-managed databases and natively with AWS Redshift
      • Integrate with applications using Java APIs
      • Integration with marketplace disk-encryption and SSL services coming soon
    • Security  best  prac7ces  for  AWS   1.  Understanding  shared  responsibility  for  security   2.  Using  AWS  global  reach  and  availability  features   3.  Building  a  secure  virtual  private  cloud   4.  Using  AWS  Iden@ty  and  Access  Management   5.  Protec@ng  your  content  on  AWS   6.  Building  secure  applica@ons  on  AWS  
    • Controlling  and  launching  your  Amazon  EC2  instances   You  choose  the  base  image   Amazon  maintained  images     They  are  stored  as  Amazon   Machine  Images  (AMIs)   AWS  maintains  a  catalogue  of  opera@ng  system  images  and  regularly   refreshes  them  so  you  have  a  known  baseline   •  Amazon,  RedHat,  Ubuntu  or  SUSE  Linux   •  Microsom  Windows  2008  and  2012   Your  own  images   •  You  can  save  your  OS  configura@ons  as  private  AMIs   •  Can  reduce  @me  to  launch  new  servers,  for  example  save  a  pre-­‐ configured  web  server  and  use  it  when  auto-­‐scaling   Amazon  Marketplace  images   •  Maintained  by  Amazon’s  partner  community   Community  images   AMI  catalogue   •  Images  other  people  have  made  public   •  Many  popular  free  packages  and  tools  
    • You  decide  on  network  placement  and  security  group  membership   You  choose  the  instance   configura@on   Host  configura@on   •  CPU,  memory,  architecture  type   •  You  can  ver@cally  scale  this  any@me  by  simply  restar@ng  with  a  new  configura@on   Network  placement   •  VPC  subnet,  or  EC2  classic   •  Choose  whether  to  automa@cally  a_ach  an  Internet  IP  address   Security  groups   •  Add  up  to  five  security  groups  at  launch,  or  any@me   Access  keys  and  IAM  roles Launch   instance   AMI  catalogue   EC2   Running  instance  
    • You  decide  how  to  configure  your  instance  environment   You  take  responsibility  for  final  configura@on   User  administra@on   Harden  opera@ng  system  and  pla[orms   •  •  Use  standard  hardening  guides  and  techniques   Apply  latest  security  patches  –  Amazon  maintains  repositories   Whitelis@ng  and  integrity   Malware  and  IPS   Use  host-­‐based  protec@on  somware   •  Vulnerability  management   Think  of  how  they  will  work  in  an  elas@c  environment  -­‐  hosts  may  only   be  in  use  for  hours  before  being  replaced   Audit  and  logging   Think  about  how  you  will  manage  administra@ve  users   •  Hardening  and  configura@on   Restrict  access  as  much  as  possible   Build  out  the  rest  of  your  standard  security  environment       Launch   instance   AMI  catalogue   EC2   Running  instance   Opera@ng  system   Configure   instance   Your  instance  
• Test the security of your solutions before go-live
  You need to apply the same secure coding principles as you currently do
    • Build secure applications that can defend against common threats like XSS and SQL Injection
    • Implement the OWASP Top 10 for web apps
    • Perform regular penetration and web application security tests
    • Don't wait for Little Bobby Tables to find your application!
    • Run through AWS best practices, audit and operational checklists before release
• Patch applications and platforms regularly
  Frequent patching is one of the most effective controls
    • Design applications that can survive regular recycling and rebuilding of hosts – queues and workers
    • Customers are responsible for patching their EC2 instances
    • Keep track of patch levels and dependencies which mean applications can't be patched
    • Aim to patch critical vulnerabilities in hours or days, not weeks
    • Subscribe to security mailing lists and news sources
  AWS Elastic Beanstalk can help reduce patching burden for most web application platforms
• Check the integrity of configurations and platforms
  Is your solution still configured the way you intended?
    • Are you using CloudTrail to monitor changes made through APIs?
    • Is the configuration of your AWS services correct?
      • VPC networks, security groups and NACLs
      • IAM policies and rights – who has access and why
    • Script and automate describing your entire AWS environment and compare the results on an ongoing basis
    • Consider using configuration integrity checking for EC2 instances – Tripwire, Chef and Puppet
    • Have uncontrolled changes been applied?
      • If so, how did it happen? Can you prevent reoccurrence?
    • Try and whitelist what can be installed and run on hosts
  Perform these checks on a regular basis
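The "describe your environment and compare on an ongoing basis" check from the slide above, as an added example that is not part of the deck: it diffs a known-good snapshot of security group rules against a later one and flags any newly added rule that is open to the world. The snapshot shape follows the EC2 DescribeSecurityGroups output; the sample snapshots and group ids are constructed here so the script runs offline (in practice you would obtain them from boto3's ec2.describe_security_groups()).

```python
"""Added example (not from the slides): detect drift in EC2 security group rules.

Snapshots are lists in the shape of DescribeSecurityGroups 'SecurityGroups';
the ones below are constructed so the script runs without AWS credentials.
"""

def _rule_set(group):
    """Flatten a group's inbound permissions into hashable (proto, ports, source) tuples."""
    rules = set()
    for perm in group.get("IpPermissions", []):
        proto = perm.get("IpProtocol")
        span = (perm.get("FromPort"), perm.get("ToPort"))
        for rng in perm.get("IpRanges", []):
            rules.add((proto, span, rng["CidrIp"]))
        for pair in perm.get("UserIdGroupPairs", []):
            rules.add((proto, span, pair["GroupId"]))
    return rules

def diff_security_groups(baseline, current):
    """Return drift findings as (group_id, change, rule) tuples.

    change is 'added', 'removed' or 'added-world-open' (source 0.0.0.0/0).
    """
    base = {g["GroupId"]: _rule_set(g) for g in baseline}
    now = {g["GroupId"]: _rule_set(g) for g in current}
    findings = []
    for gid in sorted(set(base) | set(now)):
        old, new = base.get(gid, set()), now.get(gid, set())
        for rule in sorted(new - old, key=str):
            kind = "added-world-open" if rule[2] == "0.0.0.0/0" else "added"
            findings.append((gid, kind, rule))
        for rule in sorted(old - new, key=str):
            findings.append((gid, "removed", rule))
    return findings

# Constructed samples: the web tier originally accepted HTTPS only from the
# load balancer's group; since then someone has opened SSH to the world.
BASELINE = [{"GroupId": "sg-web", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-elb"}]}]}]
CURRENT = [{"GroupId": "sg-web", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-elb"}]},
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []}]}]

if __name__ == "__main__":
    for gid, change, rule in diff_security_groups(BASELINE, CURRENT):
        print(gid, change, rule)
```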
• Monitor for security incidents and have a plan to respond
  Customers are responsible for detecting and responding to security incidents within their solutions
    • What sources of information, logging and data are available to you? AWS CloudTrail will capture and log API and IAM activity
    • How do you plan to monitor these? AWS CloudWatch can help you monitor your AWS resources and notify you when alarms go off
    • How will you know if an incident has taken place?
    • What will you do if you detect an incident?
    • What data may have been accessed and what would be the impact of disclosure?
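One answer to "how will you know if an incident has taken place?" using the CloudTrail activity the slide mentions, as an added example that is not part of the deck: it runs a few triage rules over CloudTrail records (console login without MFA, use of root credentials, security-sensitive API calls). The field names are those of real CloudTrail records; the sample records, user names and IP addresses are constructed so the script runs offline.

```python
"""Added example (not from the slides): triage CloudTrail records for events an
incident responder would want to hear about first.

Records are the dicts found in the "Records" list of a CloudTrail delivery
file; the samples below are constructed so this runs without an AWS account.
"""

# Management actions that change the account's security posture.
SENSITIVE_EVENTS = {
    "AuthorizeSecurityGroupIngress", "AuthorizeSecurityGroupEgress",
    "DeleteTrail", "StopLogging", "CreateUser", "AttachUserPolicy",
    "PutUserPolicy", "CreateAccessKey", "ChangeResourceRecordSets",
}

def triage(records):
    """Return one (severity, reason, event_name, actor, source_ip) tuple per alert."""
    alerts = []
    for rec in records:
        ident = rec.get("userIdentity", {})
        actor = ident.get("userName") or ident.get("type", "unknown")
        name = rec.get("eventName", "")
        ip = rec.get("sourceIPAddress", "")
        if name == "ConsoleLogin":
            # CloudTrail records MFAUsed as "Yes" / "No" for console logins.
            if rec.get("additionalEventData", {}).get("MFAUsed") == "No":
                alerts.append(("high", "console login without MFA", name, actor, ip))
        if ident.get("type") == "Root":
            alerts.append(("high", "root credentials used", name, actor, ip))
        if name in SENSITIVE_EVENTS:
            alerts.append(("medium", "security-sensitive API call", name, actor, ip))
    return alerts

# Constructed sample records (a subset of the real CloudTrail fields).
SAMPLE_RECORDS = [
    {"eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "additionalEventData": {"MFAUsed": "Yes"}},
    {"eventName": "AuthorizeSecurityGroupIngress", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "bob"}},
    {"eventName": "StopLogging", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "Root"}},
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_RECORDS):
        print(*alert)
```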
• Block threats to your application
  Traditional network intrusion detection and prevention is less relevant now
    • Dude, where's my SPAN port?
    • Attackers have moved to layer 7 (HTTP) so we need to follow them there
    • You can still build an effective DMZ within the VPC using a wide range of open source or AWS technology partner solutions
  Drop bad traffic before it hits your application and databases
    • Can be deployed in two-way configuration to implement simple DLP, for example scan outgoing traffic for credit card numbers
    • Design for scale and high availability using ELBs
    • Scale fast and wide to cope with huge traffic volumes
    • Build a solution designed to cope with volumetric attacks
  Let's build an example in the next slides
• Building a scalable threat protection layer in your VPC
  (Diagram: VPC A, 10.0.0.0/16, behind an Internet Gateway. In each of Availability Zones A and B, a public subnet holds an Elastic Load Balancer in front of an auto-scaling group of WAF instances; private subnets behind a second Elastic Load Balancer hold auto-scaling groups of web application EC2 instances.)
• You can achieve very large scale and high availability
  (Same diagram as the previous slide.)
• You don't have to be alone when facing volumetric attacks
• You can build a solution that can scale and offload attacks
  (Diagram: Player one: your VPC, with auto scaling)
• You choose how far you can scale
  Vital statistics: you can scale your VPC up to your financial threshold
    • Auto-scale your application
    • Use queues and worker instances to process traffic
    • Unlimited scale and bandwidth at your disposal
    • Think how you can shard your databases
  (Diagram: Player one: your VPC, with auto scaling)
• You can also bring AWS resources to your assistance to help you
  (Diagram: Player one: your VPC, with auto scaling. Player two: AWS, with CloudFront, S3 and Route 53)
• With AWS at your side you can defend against the largest attacks
  Vital statistics: AWS provides large-scale global endpoints
    • 46 CloudFront edge locations and growing all the time
    • 100% Route 53 availability SLA
    • 24x7 dedicated teams responding
    • Drop malformed requests
    • Soaking up load and watching your back
  (Diagram: Player one: your VPC, with auto scaling. Player two: AWS, with CloudFront, S3 and Route 53)
• Your VPC can use auto-scaling to serve dynamic content
  (Diagram: customers reaching a group of EC2 instances)
• Serve your static content from S3
  S3 is processing > 1.5 million requests/s
  (Diagram: customers reaching Amazon S3 and the EC2 instances in the Region)
• Use CloudFront to cache your origin servers
  CloudFront has 46 global edge locations
  (Diagram: customers reaching a CloudFront edge location, which fronts Amazon S3 and the EC2 instances in the Region)
• CloudFront can now also serve your dynamic content
  (Diagram: customers reaching Amazon S3 and the EC2 instances in the Region)
• CloudFront can unload volume from your VPC
  (Diagram: distributed attackers directed at Amazon S3 and the EC2 instances in the Region)
• Route 53 is a global, resilient DNS to keep your traffic coming
  (Diagram: distributed attackers, Route 53, Amazon S3 and the EC2 instances in the Region)
• AWS is delivering and defending large-scale endpoints 24x7
  (Same diagram as the previous slide.)
• You can out-scale your attacker until their resources diminish
  (Diagram: customers, Route 53, Amazon S3 and the EC2 instances in the Region)
• Route 53 can also load balance traffic across multiple AWS Regions
  (Diagram: Route 53 in front of two Regions, DUBLIN and SYDNEY, each with Availability Zones A and B containing NAT and EC2 instances)
• You can use health-checks to failover Regions or even just VPCs
  (Same diagram as the previous slide.)
• Amazon Route 53 makes DNS easy and reliable
  DNS is hard and complex from a security viewpoint
    • Route 53 lets AWS take care of the heavy lifting
    • Customers just have to configure DNS entries
    • Get latency-based routing and health-checking features
    • Fall back to a static website if the main site is down
    • Round-robin load balance across VPCs / Regions
  Security best practices for Route 53
    • DNS is a critical service – understand and limit who can access and change Route 53 configurations using AWS IAM
    • Use two-factor authentication for those users
• Amazon CloudFront will deliver your content from the nearest edge
  Use CloudFront to increase your solution's performance and availability
    • Cache more than static content – now with more supported HTTP verbs
    • Highly reliable global network of edge locations
    • Can help absorb volumetric attacks
  Security best practices for CloudFront
    • Use the private content option to authorise only signed requests
    • Use SSL when POSTing sensitive information
    • Review logs for attack intelligence – are you being targeted?
    • Lock CloudFront to specific S3 origin buckets when possible
    • Configure HTTPS only for downloads
• AWS partners can help you build secure solutions
  (Diagram: AWS facilities, physical security, compute, storage and network infrastructure, the virtualization layer (EC2), hardened service endpoints and fine-grained IAM capability + AWS partner solutions = your secure AWS solutions)
  These products and more are available on the AWS Marketplace - WAF, VPN, IPS, AV, API gateways, data encryption, user management
• Where you can go for help and further information
  Browse and read AWS security whitepapers and good practices
    • http://aws.amazon.com/compliance
    • http://aws.amazon.com/security
    • Risk and compliance, including CSA questionnaire response
    • Security best practices
    • Audit and operational checklists to help you assess security before you go live
  Sign up for AWS support
    • http://aws.amazon.com/support
    • Get help when you need it most – as you grow
    • Choose different levels of support with no long-term commitment
• Get training and become AWS certified in your discipline
  Get training from an instructor or try the self-paced labs
    • http://aws.amazon.com/training/
  Become AWS certified and gain recognition and visibility
    • http://aws.amazon.com/certification
    • Demonstrate that you have the skills, knowledge and expertise to design, deploy and manage projects and applications on the AWS platform
    • Prove skills and foster credibility with your employer and peers
  Choose your discipline, or do all of them!
    • AWS Certified Solutions Architect – Associate Level
    • AWS Certified Developer – Associate Level (Beta)
    • AWS Certified SysOps Administrator – Associate Level (Beta)
• Thank you for your time today
  Any questions?
  Stephen Quigg, squigg@amazon.com, APAC Security Solutions Architect