Security Best Practices on AWS
Simon Elisha – Principal Solution Architect, @simon_elisha
Security Best Practises on AWS presented by Simon Elisha during the AWS APAC Webinar series.
  • In this webinar I am going to introduce Amazon Web Services, also known as AWS, and some of the fundamental concepts behind the Amazon Cloud.
  • Security and Operational Excellence is the top-most priority. It's Priority 0. No exceptions allowed. We understand that security and governance are often the top issues identified when we talk to our customers. Instead of tossing this over the fence, we really advise and highly recommend that our customers invest in a security review early in the process. Get your security folks to talk to our security folks and understand security and compliance. Security is really not on or off. It's a spectrum of options that you can choose from that is right for your application.
  • Examining AWS, you'll see that the same security isolations are employed as would be found in a traditional datacenter. These include physical datacentre security, separation of the network, isolation of the server hardware, and isolation of storage. AWS customers have control over their data: they own the data, not us; they can encrypt their data at rest and in motion, just as they would in their own datacenter. Amazon Web Services provides the same, familiar approaches to security that companies have been using for decades. Importantly, it does this while also allowing the flexibility and low cost of cloud computing. There is nothing inherently at odds about providing on-demand infrastructure while also providing the security isolation companies have become accustomed to in their existing, privately-owned environments.
    AWS is a secure, durable technology platform with industry-recognized certifications and audits: PCI DSS Level 1, ISO 27001, FISMA Moderate, HIPAA, SAS 70 Type II. Our services and data centers have multiple layers of operational and physical security designed to protect the integrity and safety of your data. Visit our Security Center to learn more: http://aws.amazon.com/security/.
    Certifications and Accreditations: AWS has successfully completed a SAS70 Type II Audit, and will continue to obtain the appropriate security certifications and accreditations to demonstrate the security of our infrastructure and services.
    PCI DSS: We finalized our 2011 PCI compliance audit, publishing our extensive Report on Controls (ROC) with an expanded scope. Our new November 30, 2011 PCI Attestation of Compliance, a document from our auditor stating we are compliant with all 12 PCI security standard domains, is available now for customers considering or working on moving PCI systems to AWS. The new Attestation of Compliance document includes some key changes this year: this year we've added RDS, ELB, and IAM as in-scope services. The addition of these services is fantastic news for PCI customers since they can now leverage RDS to store cardholder and transaction data, use ELB to manage card transaction traffic, and rely on IAM features as validated control mechanisms that satisfy PCI security standard requirements. Consistent with last year, EC2, S3, EBS, and VPC continue to be in scope.
    Physical Security: Amazon has many years of experience in designing, constructing, and operating large scale data centers. AWS infrastructure is housed in Amazon-controlled data centers throughout the world. Only those within Amazon who have a legitimate business need to have such information know the actual location of these data centers, and the data centers themselves are secured with a variety of physical barriers to prevent unauthorized access.
    Secure Services: Each of the services within the AWS cloud is architected to be secure and contains a number of capabilities that restrict unauthorized access or usage without sacrificing the flexibility that customers demand.
    Data Privacy: AWS enables users to encrypt their personal or business data within the AWS cloud and publishes backup and redundancy procedures for services so that customers can gain greater understanding of how their data flows throughout AWS.
    "In essence, the security system of AWS's platform has been added to our existing security systems. We now have a security posture consistent with that of a multi-billion dollar company." – Jim Warren, CIO, Recovery Accountability and Transparency Board (RATB)
  • Transcript of "Security Best Practices on AWS"

    1. Security Best Practices on AWS – Simon Elisha, Principal Solution Architect, @simon_elisha
    2. All lines are muted. You can ask questions at any time in the Question box. We will answer some at the end of the session and all via email.
    3. Agenda
       • The Shared Responsibility Model
       • Taking Advantage of the Shared Model
       • Using the AWS Security Features
       • Underlying AWS Infrastructure Security
       • Your Responsibilities
    4. In the cloud security is a shared responsibility
       • Infrastructure Security – How do we secure our infrastructure?
       • Application Security – How can you secure your application and what is your responsibility?
       • Services Security – What security options and features are available to you?
    5. Leverage shared security model
       • Understand your customer & form correct security stance
    6. Leverage shared security model
       • Understand your customer & form security stance
         – External audience: penetration test requests, your certifications, your processes
    7. Leverage shared security model
       • Understand your customer & form security stance
         – External audience: penetration test requests, your certifications, your processes
         – Internal audience: IAM, administration, architecture
    8. Leverage shared security model
       • Understand your customer & form security stance
         – External audience: penetration test requests, your certifications, your processes
         – Internal audience: IAM, administration, architecture
         – Regulated audience: AWS certifications, AWS white papers, AWS QSA process
    9. Leverage shared security model
       • Understand your customer & form security stance
       • Engage with security assessors early in adoption cycle
         – Don't fear assessment – AWS meets high standards (PCI, ISO27001, SOC1…)
         – As with any infrastructure provider, security assessments take time
         – Derive value from architecture reviews early in deployment cycle
    10. Leverage shared security model
       • Understand your customer & form security stance
       • Engage with security assessors early in adoption cycle
       • Use comprehensive materials and certifications provided by AWS (http://aws.amazon.com/security/)
         – Risk and compliance paper
         – AWS security processes paper
         – NEW! CSA consensus assessments initiative questionnaire
    11. Leverage shared security model
       • Understand your customer & form security stance
       • Engage with security assessors early in adoption cycle
       • Use comprehensive materials and certifications provided by AWS
       • Build upon features of AWS and implement a 'security by design' environment
    12. Shared responsibility
       • You: Customer Data; Platform, Applications, Identity & Access Management; Operating System, Network & Firewall Configuration; Client-side Data Encryption & Data Integrity Authentication; Server-side Encryption (File System and/or Data); Network Traffic Protection (Encryption/Integrity/Identity)
       • Amazon: Foundation Services (Compute, Storage, Database, Networking); AWS Global Infrastructure (Availability Zones, Edge Locations, Regions)
    13. Shared responsibility (same diagram as slide 12)
    14. Build upon AWS features
       • Tiered Access
         – IAM: control users and allow AWS to manage credentials in running instances for service access (allocation, rotation)
         – CLIs and APIs: instantly audit your entire AWS infrastructure from scriptable APIs – generate an on-demand IT inventory, enabled by the programmatic nature of AWS
         – Temporary Credentials
         – APIs vs Instance: provide developer API credentials and control access to SSH keys
       • Security Groups – instance firewalls: firewall control on instances via Security Groups
       • VPC – network control: create low level networking constraints for resource access, such as public and private subnets, internet gateways and NATs
       • Direct Connect & VPN – private connections to VPC: secured access to resources in AWS over software or hardware VPN and dedicated network links
       • Bastion hosts: only allow access for management of production resources from a bastion host; turn off when not needed
       • Dedicated Instances
    15. Identity & access management
       • Account → Administrators (Jim, Bob, Susan), Developers (Brad, Mark, Kevin), Applications (Reporting, Console, Tomcat)
    16. Identity & access management
       • Groups: Administrators (Jim, Bob, Susan), Developers (Brad, Mark, Kevin), Applications (Reporting, Console, Tomcat)
       • Multi-factor authentication
    17. Identity & access management
       • Groups: Administrators (Jim, Bob, Susan), Developers (Brad, Mark, Kevin), Applications (Reporting, Console, Tomcat)
       • Roles – AWS system entitlements
       • Multi-factor authentication
    18. IAM policies
       • Policy driven
       • Declarative definition of rights for groups
       • Policies control access to AWS APIs
       The policy shown on the slide:

       ```json
       {
         "Statement": [
           {
             "Effect": "Allow",
             "Action": [
               "elasticbeanstalk:*",
               "ec2:*",
               "elasticloadbalancing:*",
               "autoscaling:*",
               "cloudwatch:*",
               "s3:*",
               "sns:*"
             ],
             "Resource": "*"
           }
         ]
       }
       ```
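Added example, not from the slides: a simplified IAM evaluator that applies IAM's `*`/`?` wildcards and the "explicit Deny wins, then Allow, else implicit deny" rule to the slide's policy and to a constructed least-privilege alternative, so a reviewer can see which sensitive actions each one grants. The tighter policy, the bucket name, the account ID and the action/ARN pairs are constructed; conditions, principals, resource policies and permission boundaries are ignored.

```python
"""Simplified IAM policy evaluation for the policy on slide 18.

Added example, not from the slides. Implements IAM wildcard matching
("*" any run of characters, "?" one character) and the precedence rule
explicit Deny > Allow > implicit deny for one identity policy. It ignores
conditions, principals, resource policies and permission boundaries.
"""
import re

# The policy exactly as shown on slide 18.
SLIDE_POLICY = {
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["elasticbeanstalk:*", "ec2:*", "elasticloadbalancing:*",
                       "autoscaling:*", "cloudwatch:*", "s3:*", "sns:*"],
            "Resource": "*",
        }
    ]
}

# Constructed least-privilege alternative; the bucket name is a placeholder.
TIGHTER_POLICY = {
    "Statement": [
        {"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"},
        {"Effect": "Allow", "Action": "s3:*Object",
         "Resource": "arn:aws:s3:::example-app-bucket/*"},
        {"Effect": "Deny", "Action": "s3:DeleteObject", "Resource": "*"},
    ]
}


def wildcard_match(pattern, value, ignore_case):
    """IAM-style glob: '*' matches any run of characters, '?' exactly one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    flags = re.IGNORECASE if ignore_case else 0
    return re.fullmatch(regex, value, flags) is not None


def _as_list(value):
    return value if isinstance(value, list) else [value]


def is_allowed(policy, action, resource):
    """True if the policy allows `action` on `resource`.

    Action names match case-insensitively (as IAM does); resource ARNs match
    case-sensitively. An explicit Deny in any matching statement wins.
    """
    allowed = False
    for stmt in policy["Statement"]:
        action_hit = any(wildcard_match(p, action, True)
                         for p in _as_list(stmt["Action"]))
        resource_hit = any(wildcard_match(p, resource, False)
                           for p in _as_list(stmt["Resource"]))
        if not (action_hit and resource_hit):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


# Constructed (action, ARN) pairs a reviewer would not expect an app to need.
SENSITIVE_REQUESTS = [
    ("ec2:TerminateInstances",
     "arn:aws:ec2:us-east-1:123456789012:instance/i-0123456789abcdef0"),
    ("s3:DeleteBucket", "arn:aws:s3:::example-app-bucket"),
    ("iam:CreateUser", "arn:aws:iam::123456789012:user/newadmin"),
    ("elasticloadbalancing:DeleteLoadBalancer",
     "arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app-lb"),
]


def granted_sensitive_actions(policy, requests=SENSITIVE_REQUESTS):
    """Return the sensitive actions the policy would allow."""
    return [action for action, arn in requests if is_allowed(policy, action, arn)]


if __name__ == "__main__":
    print("slide policy grants:", granted_sensitive_actions(SLIDE_POLICY))
    print("tighter policy grants:", granted_sensitive_actions(TIGHTER_POLICY))
```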
    19. IAM Roles
       • Aids automation
       • Assign role to EC2 instances
       • Control access without passing credentials at boot time
       • Integrated into SDKs
    20. Key Management
       • Decide upon a key management strategy
         – Control access to EC2 instances via SSH and embedded public key, e.g. EC2 Key Pair per group of instances, EC2 Key Pair per account
         – Can use your existing SSH or AD strategy
       • Consider SSH key rotation & automation
         – Limit exposure to private key compromise by rotating keys and replacing authorized_keys listings on running instances
         – Consider bootstrap automation to grant developer access with developer-unique keypairs
    21. Temporary Security Credentials
       • Containing: identity for authentication; access policy to control permissions; configurable expiration (1 – 36 hours)
       • Supports: AWS identities (including IAM Users); federated identities (uses customer's system to authenticate)
       • Scales to millions of users – no need to create an IAM identity for every user
       • Use cases: identity federation to AWS APIs; mobile and browser-based applications; consumer applications with unlimited users
    22. Security credentials – the hotel metaphor (diagram labels: AWS Account's Access Key ID; IAM User; Temporary Security Credentials)
    23. Security Groups
       • Control ingress of data by port, IP & Security Group
       • VPC also supports egress data control
       • User configurable via API, CLI, GUI
       • Create "defence in depth" with the Amazon EC2 Security Group firewall: Web Tier, Application Tier, Database Tier
         – Ports 80 and 443 only open to the Internet; all other Internet ports blocked by default
         – Engineering staff have ssh access to the App Tier, which acts as Bastion
         – Sync with on-premises database
    24. CLI & API
       • Instantly audit the state of your entire environment using the API
       • Regular calls via command line or API to determine which web-based infrastructure services are being used at any time
       • Store and compare over time – track anomalies or non-governed usage
    25. Virtual Private Cloud (VPC)
       • Logically isolated environment
       • Private IP address ranges & subnets
       • Ingress and egress network access control
       • Elastic IP addresses, NAT & Internet Gateway
       • Hardware encrypted VPN connections and/or Direct Connect
       • Wizard-based setup
    26. EC2 Dedicated Instances
       • Available within VPC
       • Instances launched on hardware dedicated to a single customer
       • Can mix-and-match use of dedicated and non-dedicated instances
    27. Bastion Hosts
       • Server (or servers) used for system management
       • Access tightly controlled; management only enabled from these hosts
       • Stop host when not in use
       • Access only allowed from specified IP addresses
       • Diagram: SSH Admin → Bastion Host (Bastion Security Group) → TCP 22 "Bastion" into Web Server (Web Security Group, TCP 80,443 from "ELB"), App Server (App Security Group, TCP 8080 from "Web") and DB Server (DB Security Group, TCP 3306 from "App")
    28. Certifications
       • Certifications: SOC 1 Type 2 (formerly SAS-70); ISO 27001; PCI DSS for EC2, S3, EBS, VPC, RDS, ELB, IAM; FISMA Moderate compliant controls; HIPAA & ITAR compliant architecture
       • Physical Security: datacenters in nondescript facilities; physical access strictly controlled; must pass two-factor authentication at least twice for floor access; physical access logged and audited
       • HW, SW, Network: systematic change management; phased updates deployment; safe storage decommission; automated monitoring and self-audit; advanced network protection
    29. Security standards
       • ISO 27001: achieved 11/2010; follows ISO 27002 best practice guidance; covers the AWS Information Security Management System (ISMS); includes all Regions; ISO certifying agent: EY CertifyPoint
       • PCI DSS Level 1: use normally, no special configuration; certified services include EC2, S3, EBS, VPC, RDS, ELB, IAM, underlying physical infrastructure & AWS Management Environment; leverage the work of our QSA; AWS will work with merchants and designated Qualified Incident Response Assessors (QIRA); certified in all Regions
    30. Location of data – Your choice
       • Regions: an independent collection of AWS resources in a defined geography; a solid foundation for meeting location-dependent privacy and compliance requirements
       • (Diagram layers: Deployment & Administration; App Services; Compute, Storage, Database, Networking; AWS Global Infrastructure)
    31. Global infrastructure
       • Availability Zones: designed as independent failure zones; physically separated within a typical metropolitan region
    32. Global infrastructure
       • Edge Locations: to deliver content to end users with lower latency; a global network of edge locations; supports global DNS infrastructure (Route53) and CloudFront CDN
    33. Shared responsibility (same diagram as slide 12)
    34. Ensure good security practice
       • Encrypt sensitive data both "in-flight" and "at-rest"
         – Use SSL for all AWS API calls & your own application communication
         – Use SSL termination with Elastic Load Balancer (ELB) & back-end server authentication
         – S3 Server Side Encryption – free & easy; can also implement client-side encryption
         – Operating system level encryption tools available (e.g. TrueCrypt, BitLocker, etc.)
    35. Ensure good security practice
       • Encrypt sensitive data both "in-flight" and "at-rest"
       • Operate host-based IDS/IPS and regular auditing and monitoring
         – Maintain OS-level firewalls for additional monitoring and control
         – Install logging tools and log to a separate, central location (e.g. S3)
         – Partner solutions available (including Trend Micro, Symantec, Check Point, etc.)
         – Extend your current management and logging tools to the AWS environment
    36. Ensure good security practice
       • Encrypt sensitive data both "in-flight" and "at-rest"
       • Operate host-based IDS/IPS and regular auditing and monitoring
       • Keep operating systems and application libraries patched and up-to-date
         – Use automated package update services (e.g. YUM, WSUS, YAST, etc.)
         – Apply updates to installed applications, languages, SDKs etc.
         – Easy to do "rolling updates" by creating new AMIs and instantiating a new fleet
         – Relational Database Service (RDS) provides automated patch application
    37. Ensure good security practice
       • Encrypt sensitive data both "in-flight" and "at-rest"
       • Operate host-based IDS/IPS and regular auditing and monitoring
       • Keep operating systems and application libraries patched and up-to-date
       • Design application to protect against Layer 7 attacks (SQL Injection, etc.)
         – Design security into your application from the start
         – Ensure all entered data is validated and correctly formatted
         – Perform API authorization and authentication for API-based applications
         – Use partner solutions (e.g. Layer7tech, SafeNet, AiCache, Incapsula, etc.)
    38. Ensure good security practice
       • Encrypt sensitive data both "in-flight" and "at-rest"
       • Operate host-based IDS/IPS and regular auditing and monitoring
       • Keep operating systems and application libraries patched and up-to-date
       • Design application to protect against Layer 7 attacks (SQL Injection, etc.)
       • Actively manage your AWS environment to leverage all of the capabilities available
         – Perform regular security reviews
         – Rotate keys and credentials
         – Use AWS Trusted Advisor Security Checks to detect open ports
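Added example, not from the slides, that turns the tiered design of slides 23 and 27, the "audit via the API and compare over time" practice of slide 24 and the open-port check of slide 38 into a script: it walks a DescribeSecurityGroups response and flags Internet-exposed ports other than 80/443 and SSH rules whose source is not the bastion group. The response shape is the real EC2 API shape, but every group name, group ID, CIDR and rule below is constructed.

```python
"""Audit EC2 security-group rules against the tiered design on slides 23 and 27.

Added example, not from the slides. The input mirrors the shape of the EC2
DescribeSecurityGroups response (CLI or SDK), but every group, ID and rule
is constructed. new_findings() covers slide 24's "store and compare over time".
"""
import ipaddress

# Only ports the slides allow open to the whole Internet (web tier).
INTERNET_OK_PORTS = {80, 443}

# Constructed IDs for the three tiers used in the sample.
BASTION_SG, WEB_SG, DB_SG = ("sg-0b0000000000000001",
                             "sg-0e0000000000000002",
                             "sg-0d0000000000000003")

# Constructed sample response: a bastion, a web tier and a database tier.
SAMPLE_RESPONSE = {
    "SecurityGroups": [
        {"GroupId": BASTION_SG, "GroupName": "bastion",
         "IpPermissions": [
             {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
              "IpRanges": [{"CidrIp": "203.0.113.10/32"}],  # constructed admin IP
              "UserIdGroupPairs": []}]},
        {"GroupId": WEB_SG, "GroupName": "web",
         "IpPermissions": [
             {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
              "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
             {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
              "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
             {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
              "IpRanges": [], "UserIdGroupPairs": [{"GroupId": BASTION_SG}]}]},
        {"GroupId": DB_SG, "GroupName": "db",
         "IpPermissions": [
             {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,   # world-open DB
              "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
             {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,       # SSH not via bastion
              "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "UserIdGroupPairs": []}]},
    ]
}


def world_open(perm):
    """True if any source range in the rule is 0.0.0.0/0 or ::/0."""
    cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    return any(ipaddress.ip_network(c).prefixlen == 0 for c in cidrs)


def covers_port(perm, port):
    """True if the rule admits TCP traffic to `port` ("-1" means all traffic)."""
    if perm["IpProtocol"] == "-1":
        return True
    return perm["IpProtocol"] == "tcp" and perm["FromPort"] <= port <= perm["ToPort"]


def audit_security_groups(response, bastion_group_id):
    """Return (group name, finding) pairs for rules that break the tiered design."""
    findings = []
    for group in response["SecurityGroups"]:
        name = group["GroupName"]
        for perm in group.get("IpPermissions", []):
            if world_open(perm):
                if perm["IpProtocol"] == "-1":
                    findings.append((name, "all traffic open to the Internet"))
                else:
                    ports = set(range(perm["FromPort"], perm["ToPort"] + 1))
                    if perm["IpProtocol"] != "tcp" or not ports <= INTERNET_OK_PORTS:
                        findings.append((name, f"{perm['IpProtocol']} {perm['FromPort']}"
                                               f"-{perm['ToPort']} open to the Internet"))
            # Slide 27: management (SSH) into the tiers only from the bastion group.
            if group["GroupId"] != bastion_group_id and covers_port(perm, 22):
                sources = {p["GroupId"] for p in perm.get("UserIdGroupPairs", [])}
                has_cidr = perm.get("IpRanges") or perm.get("Ipv6Ranges")
                if has_cidr or sources != {bastion_group_id}:
                    findings.append((name, "SSH allowed from a source other than the bastion group"))
    return findings


def new_findings(previous, current):
    """Slide 24: keep snapshots and compare over time; report what is new."""
    return sorted(set(current) - set(previous))


if __name__ == "__main__":
    for group_name, finding in audit_security_groups(SAMPLE_RESPONSE, BASTION_SG):
        print(f"{group_name}: {finding}")
```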
    39. Test and Retest
       • Penetration Testing: check to see how secure your application is from external attack
       • Must obtain authorization first
       • Partners also provide this service on & from AWS
       • http://aws.amazon.com/security
    40. Where to find more information?
       • Risk and compliance paper
       • AWS security processes paper
       • NEW! CSA consensus assessments initiative questionnaire
       • http://aws.amazon.com/security
    41. Save the Date – aws.amazon.com/apac/arc-anz
    42. Catch the AWS Podcast – http://aws.amazon.com/podcast
    43. Questions? Enter them in the Question area of the console and we will cover as many as we can.
    44. Thank you – Simon Elisha, Principal Solution Architect, @simon_elisha