Understanding AWS Security

AWS Summit 2014 Perth - Breakout 3

The AWS Cloud infrastructure has been architected to be one of the most flexible and secure cloud computing environments available today. In this session, we’ll provide a practical understanding of the assurance programs that AWS provides; such as HIPAA, FedRAMP(SM), PCI DSS Level 1, MPAA, and many others. We’ll also address the types of business solutions that these certifications enable you to deploy on the AWS Cloud, as well as the tools and services AWS makes available to customers to secure and manage their resources.

Presenter: James Bromberger, Solutions Architect, Amazon Web Services


Understanding AWS Security

  1. Understanding AWS Security. James Bromberger, Solutions Architect, Amazon Web Services. © 2014 Amazon.com, Inc. and its affiliates. All rights reserved. May not be copied, modified, or distributed in whole or in part without the express consent of Amazon.com, Inc.
  2. Agenda • Our Security – Compliance • Your Security – Account Management (the keys to the kingdom) – Service Isolation – Visibility and Auditing
  3. Security is our #1 priority
  4. Shared security responsibility
  5. AWS: • Facilities • Physical Security • Physical Infrastructure • Network Infrastructure • Virtualization Infrastructure. Customer: • Operating System • Application • Security Groups • OS Firewalls • Network Configuration • Account Management
  6. AWS: • Facilities • Physical Security • Physical Infrastructure • Network Infrastructure • Virtualization Infrastructure. Customer: • Operating System • Application • Security Groups • OS Firewalls • Network Configuration • Account Management
  7. How does AWS get security? • Physical access is recorded, videoed, stored, reviewed • Multi-factor authentication for physical access • Segregation of duties: staff with physical access versus staff with logical access. And every 90 days…
  8. How does AWS get security?
  9. How does AWS get security?
  10. Prove what AWS does! • Certifications • Audits & Attestations – Independent 3rd parties – Regularly refreshed – Available to customers: aws.amazon.com/compliance
  11. Certifications & Approving Industry Bodies
  12. What does AWS do for its security? June 2014, 68 pages, freely available: aws.amazon.com/security/
  13. AWS: • Facilities • Physical Security • Physical Infrastructure • Network Infrastructure • Virtualization Infrastructure. Customer: • Operating System • Application • Security Groups • OS Firewalls • Network Configuration • Account Management
  14. Secure your account
  15. Identity and Access Management • Users & Groups
  16. Identity and Access Management • Users & Groups • Unique Security Credentials
  17. Identity and Access Management • Users & Groups • Unique Security Credentials • Temporary Security Credentials
  18. Identity and Access Management • Users & Groups • Unique Security Credentials • Temporary Security Credentials • Policies & Permissions
  19. Identity and Access Management • Users & Groups • Unique Security Credentials • Temporary Security Credentials • Policies & Permissions • Roles
  20. Identity and Access Management • Users & Groups • Unique Security Credentials • Temporary Security Credentials • Policies & Permissions • Roles • Multi-factor Authentication
  21. ProTip #1: Account Security
  22. Identity and Access Management 1. Secure your Master account with MFA 2. Create an IAM Group for your Admin team 3. Create IAM Users for your Admin staff, as members of your Admin group 4. Turn on MFA for these users!
  23. Identity and Access Management. New: • Enhanced password management – Expiry – Reuse check – Change on next login • Credential Report
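The Credential Report on slide 23 is the natural place to check the four account-security steps on slide 22 (and the recommendations on slide 67). The following is an added example, not code from the presentation: it audits a constructed report that uses a subset of the real report's columns (root MFA, root access keys, console users without MFA).

```python
"""Audit an IAM credential report for the account-security steps on the
slides: MFA on the root account and on every console user, no root API keys.
Added example, not from the presentation. The CSV below is constructed and
uses a subset of the real credential report columns; in practice the report
is obtained with `aws iam get-credential-report` (base64-decoded Content)."""
import csv
import io

# Constructed sample report (subset of the real column names, values invented).
SAMPLE_REPORT = """\
user,arn,password_enabled,mfa_active,access_key_1_active,access_key_2_active
<root_account>,arn:aws:iam::123456789012:root,not_supported,false,true,false
alice,arn:aws:iam::123456789012:user/alice,true,true,true,false
bob,arn:aws:iam::123456789012:user/bob,true,false,false,false
deploy-bot,arn:aws:iam::123456789012:user/deploy-bot,false,false,true,true
"""


def audit_credential_report(report_csv: str) -> list[str]:
    """Return one finding string per violated rule; an empty list means clean."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        has_keys = (row["access_key_1_active"] == "true"
                    or row["access_key_2_active"] == "true")
        mfa = row["mfa_active"] == "true"
        if user == "<root_account>":
            # Slide 22 step 1 and slide 67: MFA on root, never root API keys.
            if not mfa:
                findings.append("root: MFA not enabled")
            if has_keys:
                findings.append("root: active API access keys exist")
            continue
        # Slide 22 step 4: every console (password-enabled) user must have MFA.
        if row["password_enabled"] == "true" and not mfa:
            findings.append(f"{user}: console password enabled without MFA")
    return findings


if __name__ == "__main__":
    for finding in audit_credential_report(SAMPLE_REPORT):
        print("FINDING", finding)
```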
  24. ProTip #2: No hard-coded Credentials
  25. EC2 Roles for Temporary Credentials • Remove hard-coded credentials from scripts and config files • Create an IAM Role and assign a restricted policy • Launch the instance into the Role • AWS SDKs transparently get temporary credentials
      GET http://169.254.169.254/latest/meta-data/iam/security-credentials/s3access
      {
        "Code" : "Success",
        "LastUpdated" : "2012-04-26T16:39:16Z",
        "Type" : "AWS-HMAC",
        "AccessKeyId" : "AKIAIOSFODNN7EXAMPLE",
        "SecretAccessKey" : "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
        "Token" : "token",
        "Expiration" : "2012-04-27T22:39:16Z"
      }
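What "the SDKs transparently get temporary credentials" means in practice is a provider that caches the metadata document above and refreshes it shortly before its Expiration, so no long-lived key ever sits in a script or config file. The following is an added example, not the SDK's code: the fetch function is injected so it runs offline against a constructed copy of the slide's metadata response instead of calling 169.254.169.254, and the five-minute refresh margin is an assumption.

```python
"""Role-credential provider modelled on how an SDK consumes the instance
metadata document on the slide: cache, then refresh before Expiration.
Added example, not from the presentation or the AWS SDKs. The fetch
function is injected so the example runs offline; the refresh margin is
an assumed value."""
import json
from datetime import datetime, timedelta, timezone

# Constructed response in the same shape as the slide's metadata document.
METADATA_RESPONSE = json.dumps({
    "Code": "Success",
    "LastUpdated": "2012-04-26T16:39:16Z",
    "Type": "AWS-HMAC",
    "AccessKeyId": "AKIAIOSFODNN7EXAMPLE",
    "SecretAccessKey": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
    "Token": "token",
    "Expiration": "2012-04-27T22:39:16Z",
})

REFRESH_MARGIN = timedelta(minutes=5)  # assumed: refresh before the creds lapse


def parse_expiry(iso: str) -> datetime:
    return datetime.strptime(iso, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


class RoleCredentials:
    """Credential provider backed by the instance role; fetch() returns raw JSON."""

    def __init__(self, fetch):
        self._fetch = fetch      # e.g. an HTTP GET of the metadata URL on a real instance
        self._creds = None
        self.refresh_count = 0   # exposed so callers can see when a refresh happened

    def get(self, now: datetime) -> dict:
        """Return the current key id, secret and session token, refreshing if needed."""
        if (self._creds is None
                or now >= parse_expiry(self._creds["Expiration"]) - REFRESH_MARGIN):
            doc = json.loads(self._fetch())
            if doc.get("Code") != "Success":
                raise RuntimeError("instance metadata did not return credentials")
            self._creds = doc
            self.refresh_count += 1
        return {k: self._creds[k] for k in ("AccessKeyId", "SecretAccessKey", "Token")}


if __name__ == "__main__":
    provider = RoleCredentials(lambda: METADATA_RESPONSE)
    print(provider.get(datetime(2012, 4, 26, 17, 0, tzinfo=timezone.utc))["AccessKeyId"])
```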
  26. ProTip #3: Least Privilege Policies
  27. IAM Policies • Group "DNS-Admins", Policy: (policy document not legible in the slide export)
  28. (policy document continues; not legible in the slide export)
  29. (policy document continues; not legible in the slide export)
  30. “Resource” : { “arn:aws:route53:::hostedzone/ZONEID” }
  31. IAM Policies • Use Conditions to restrict key exposure (condition block not legible in the slide export)
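Slides 27 to 31 describe a "DNS-Admins" policy scoped to a single hosted zone with Conditions that limit where the key can be used. The following is an added example, not the policy from the deck: a least-privilege Route 53 policy with aws:SourceIp and aws:MultiFactorAuthPresent conditions, plus a deliberately simplified evaluator so the effect of each condition can be checked offline. The zone id, the CIDR and the evaluator's semantics (Allow statements only, no explicit Deny, only the IpAddress and Bool operators) are assumptions for illustration; use the Policy Simulator for the real thing.

```python
"""Least-privilege "DNS-Admins" policy for one hosted zone with Conditions,
and a simplified evaluator showing how those Conditions bite.
Added example, not from the presentation; zone id, CIDR and evaluator
semantics are assumptions (Allow only, no Deny, IpAddress/Bool only)."""
import fnmatch
import ipaddress

ZONE_ID = "Z1EXAMPLEZONE"  # placeholder: the slide shows it as ZONEID

DNS_ADMINS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["route53:ChangeResourceRecordSets", "route53:ListResourceRecordSets"],
        "Resource": f"arn:aws:route53:::hostedzone/{ZONE_ID}",
        "Condition": {
            "IpAddress": {"aws:SourceIp": "203.0.113.0/24"},  # assumed office egress range
            "Bool": {"aws:MultiFactorAuthPresent": "true"},   # a leaked key alone is useless
        },
    }],
}


def _condition_ok(cond: dict, ctx: dict) -> bool:
    """Evaluate the two condition operators used above against the request context."""
    for key, cidr in cond.get("IpAddress", {}).items():
        if ipaddress.ip_address(ctx.get(key, "0.0.0.0")) not in ipaddress.ip_network(cidr):
            return False
    for key, want in cond.get("Bool", {}).items():
        if str(ctx.get(key, "false")).lower() != want:
            return False
    return True


def is_allowed(policy: dict, action: str, resource: str, ctx: dict) -> bool:
    """Simplified IAM evaluation: default deny, Allow only on a full statement match."""
    for st in policy["Statement"]:
        if st["Effect"] != "Allow":
            continue
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        if not any(fnmatch.fnmatchcase(action, a) for a in actions):
            continue
        if not fnmatch.fnmatchcase(resource, st["Resource"]):
            continue
        if _condition_ok(st.get("Condition", {}), ctx):
            return True
    return False
```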
  32. ProTip #4: Test Your Policies
  33. Identity and Access Management • Test your policies in the Policy Simulator!
  34. API Credentials. Credentials for talking to AWS APIs via REST: • ACCESS KEY – An identifier • SECRET KEY – Used to sign requests – Shouldn’t traverse the network again • Not retrievable from AWS again – if you lose it, generate a new pair
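Slide 34's point that the secret key "shouldn't traverse the network again" is exactly what request signing achieves: the secret only feeds an HMAC chain on the client, and the request carries the access key id plus the resulting signature. The following is an added example, not code from the presentation: Signature Version 4 for a GET request using only the standard library, with the EXAMPLE key from slide 25 and request values modelled on the public SigV4 documentation examples.

```python
"""Signature Version 4 signing with the standard library: the secret key
never leaves the client; the wire carries the access key id and a signature.
Added example, not from the presentation; request values are modelled on
the public SigV4 documentation examples."""
import hashlib
import hmac


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def signing_key(secret: str, date: str, region: str, service: str) -> bytes:
    """kSigning = HMAC(HMAC(HMAC(HMAC("AWS4"+secret, date), region), service), "aws4_request")."""
    k = _hmac(("AWS4" + secret).encode(), date)
    k = _hmac(k, region)
    k = _hmac(k, service)
    return _hmac(k, "aws4_request")


def sign_get(access_key: str, secret: str, host: str, path: str, query: str,
             region: str, service: str, amz_date: str) -> dict:
    """Headers for a GET with an empty body. `query` must already be in
    canonical (sorted, URI-encoded) form, as in the example below."""
    date = amz_date[:8]
    signed_headers = "host;x-amz-date"
    canonical = "\n".join(["GET", path, query,
                           f"host:{host}\nx-amz-date:{amz_date}\n",
                           signed_headers, hashlib.sha256(b"").hexdigest()])
    scope = f"{date}/{region}/{service}/aws4_request"
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                                hashlib.sha256(canonical.encode()).hexdigest()])
    signature = hmac.new(signing_key(secret, date, region, service),
                         string_to_sign.encode(), hashlib.sha256).hexdigest()
    return {
        "Host": host,
        "X-Amz-Date": amz_date,
        "Authorization": (f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
                          f"SignedHeaders={signed_headers}, Signature={signature}"),
    }


if __name__ == "__main__":
    headers = sign_get("AKIAIOSFODNN7EXAMPLE", "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
                       "iam.amazonaws.com", "/", "Action=ListUsers&Version=2010-05-08",
                       "us-east-1", "iam", "20150830T123600Z")
    print(headers["Authorization"])
```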
  35. Secure your data in flight
  36. Secure your data in flight. Use SSL / TLS for all your traffic, just like you do for your API access. ProTip: Validate the SSL Certificate!
  37. Secure your data in flight. SSL offload to the Elastic Load Balancing Service
  38. Secure your data in flight • RDS connections – MySQL – PostgreSQL – Oracle • Get the Public Key from AWS: https://rds.amazonaws.com/doc/rds-ssl-ca-cert.pem https://rds.amazonaws.com/doc/mysql-ssl-ca-cert.pem
  39. Secure your data at rest
  40. Secure your data at rest: Amazon S3
  41. S3 – Server Side Encryption (SSE) • Available since 2011 • AES 256-bit • Totally transparent to customers • AWS Key Management
  42. S3 – NEW: SSE with customer keys • Available since June 2014 • AES 256-bit, but encryption/decryption on AWS • Customer Key Management
  43. S3 – Client-side encryption (CSE) • Customer key management • Customer-premise encryption/decryption • Keys never sent to AWS • Support in the Java AWS SDK: AmazonS3EncryptionClient
  44. Secure your data at rest: Amazon RDS
  45. RDS • Secure data at rest in your database – RDS Oracle (EE) • Transparent Data Encryption – SQL Server (EE BYOL) • Transparent Data Encryption
  46. Secure your data at rest: Amazon EBS, AWS Storage Gateway
  47. EBS, Storage Gateway • Use encrypted file systems on block storage (EBS, Storage Gateway…) – dm-crypt/LUKS – Windows BitLocker (whole disk), EFS (file level) – Products from Partners: Trend, Safenet, etc – and…
  48. EBS – NEW: Encrypted Volumes • Available since May 2014 • AWS’ rigid key management • Encryption on the server hosting the EC2 instance • Snapshots of encrypted volumes are also encrypted – cannot be shared with other customers • Only on supported instance types
  49. Securing your data at rest: Amazon Redshift
  50. Redshift • By default: – Full disk encryption – Uses SSL to talk to S3 • Optionally you can: – Set S3 backups to be encrypted – Limit S3 bucket access – Connect using SSL – Run within VPC – Use CloudHSM key store – Back up access logs to S3 • Redshift retains 1 week
  51. Secure your data at rest. CloudHSM: Hardware Security Modules in the cloud • Single Tenancy • Private key material never leaves the HSM • AWS provisioned, customer managed
  52. Isolate your services
  53. Isolate your services. One application per instance • Simplify forensics • Simplify Security Groups • Swim-lane capacity overloads • Limit blast radius
  54. Isolate your services. Virtual Private Cloud • Security Groups – Don’t use 0.0.0.0/0 • Subnet separation of instances with: – Network ACLs, and IAM policy to prevent changes – Routing tables, and IAM policy to prevent changes – No Internet Gateway, and IAM policy to prevent changes
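Slide 54's rule "don't use 0.0.0.0/0" is easy to audit from the security group rules the EC2 API returns. The following is an added example, not code from the presentation: it walks groups in the shape of a describe_security_groups response (constructed, trimmed sample data) and reports every rule open to the whole Internet (0.0.0.0/0 or ::/0) unless it is a single allowlisted web port; the allowlist is an assumption.

```python
"""Flag security group ingress rules open to the world (0.0.0.0/0 or ::/0),
except for an allowlisted public web tier. Added example, not from the
presentation. The groups are a constructed, trimmed sample in the shape of
describe_security_groups output; PUBLIC_OK is an assumption."""
import ipaddress

PUBLIC_OK = {80, 443}  # assumed: only the web tier may face the Internet

# Constructed sample (describe_security_groups shape, trimmed to what we use).
SAMPLE_GROUPS = [
    {"GroupId": "sg-0web", "GroupName": "web",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
         {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0db", "GroupName": "db",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
          "IpRanges": [{"CidrIp": "10.0.1.0/24"}], "Ipv6Ranges": []},
         {"IpProtocol": "-1",  # all traffic; the API omits the ports for "-1"
          "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
]


def _is_world(cidr: str) -> bool:
    """True for 0.0.0.0/0 and ::/0 (prefix length zero matches every address)."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def world_open_rules(groups: list) -> list:
    """Return (group id, protocol, from port, to port) for each world-open
    ingress rule that is not a single allowlisted web port."""
    findings = []
    for group in groups:
        for perm in group["IpPermissions"]:
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            if not any(_is_world(c) for c in cidrs):
                continue
            proto = perm["IpProtocol"]
            lo, hi = perm.get("FromPort", -1), perm.get("ToPort", -1)
            web_port_only = proto == "tcp" and lo == hi and lo in PUBLIC_OK
            if not web_port_only:
                findings.append((group["GroupId"], proto, lo, hi))
    return findings


if __name__ == "__main__":
    for finding in world_open_rules(SAMPLE_GROUPS):
        print("WORLD-OPEN", finding)
```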
  55. VPC Peering
  56. VPC Peering • Connect two VPCs in the same Region – No IP address conflicts • Bridged by routing table entries (both sides of the peering relationship) • Offer/Accept model: Customer A initiates the peering request to B; Customer B receives the request from A
  57. Log (and review) your API calls
  58. CloudTrail. Your staff or scripts make calls… on AWS API endpoints… CloudTrail logs this to an S3 bucket… so you can review this log
  59. CloudTrail • Who made the API call? • When was the API call made? • What was the API call? • What were the resources that were acted upon in the API call? • Where was the API call made from?
  60. CloudTrail • May: Includes CloudFront events • June: Available in all standard Regions • July: Includes ASG, SQS events • July: Covers AWS Console sign-in events
      {
        "eventVersion": "1.01",
        "userIdentity": {
          "type": "IAMUser",
          "principalId": "AIDAJDPLRKLG7UEXAMPLE",
          "arn": "arn:aws:iam::123456789012:Alice",
          "accountId": "123456789012"
        },
        "eventTime": "2014-07-08T17:36:04Z",
        "eventSource": "signin.amazonaws.com",
        "eventName": "ConsoleLogin",
        "awsRegion": "us-east-1",
        "sourceIPAddress": "10.0.0.1",
        "userAgent": "AWS Console Access",
        "requestParameters": null,
        "responseElements": { "ConsoleLogin": "Success" },
        "additionalEventData": {
          "MobileVersion": "No",
          "LoginTo": "https://console.aws.amazon.com/sns",
          "MFAUsed": "Yes"
        },
        "eventID": "example-even-tide-xamp-123456789012"
      }
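Slides 58 to 60 say CloudTrail delivers records like the ConsoleLogin event above to S3 "so you can review this log". The following is an added example, not code from the presentation: it answers slide 59's who/when/what/where for each record and raises two alerts that follow directly from the deck's recommendations, a console sign-in without MFA (the MFAUsed field shown above) and any activity by the root user. The records are constructed in the shape of the slide's event; a real delivery is a gzipped JSON object with a "Records" array.

```python
"""Triage CloudTrail records: summarise who/when/what/where and alert on
console logins without MFA and on root-user activity. Added example, not
from the presentation. Records below are constructed in the shape of the
slide's ConsoleLogin event."""
import json

SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2014-07-08T17:36:04Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "10.0.0.1",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/Alice"},
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "Yes"}},
    {"eventTime": "2014-07-08T18:02:11Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.23",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/Bob"},
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventTime": "2014-07-08T18:10:40Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress", "sourceIPAddress": "198.51.100.23",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root"},
     "requestParameters": {"groupId": "sg-0web"}},
]})


def summarize(record: dict) -> str:
    """Slide 59's questions (who, when, what, from where) as one log line."""
    identity = record["userIdentity"]
    who = identity.get("arn", identity.get("type", "unknown"))
    return (f'{record["eventTime"]} {who} '
            f'{record["eventSource"]}:{record["eventName"]} from {record["sourceIPAddress"]}')


def alerts(log_json: str) -> list:
    """Return alert lines for root activity and successful console logins without MFA."""
    out = []
    for record in json.loads(log_json)["Records"]:
        if record["userIdentity"].get("type") == "Root":
            out.append("ROOT_ACTIVITY " + summarize(record))
        if (record["eventName"] == "ConsoleLogin"
                and record.get("responseElements", {}).get("ConsoleLogin") == "Success"
                and record.get("additionalEventData", {}).get("MFAUsed") != "Yes"):
            out.append("CONSOLE_LOGIN_WITHOUT_MFA " + summarize(record))
    return out


if __name__ == "__main__":
    for line in alerts(SAMPLE_LOG):
        print(line)
```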
  61. CloudTrail Partners
  62. Support: Trusted Advisor
  63. Billing Alerts
  64. Bonus Australian Information
  65. Australian Privacy Considerations Whitepaper
  66. https://aws.amazon.com/whitepapers/ Auditing, Logging, Risk, Compliance, Security
  67. James’ Recommendations • Turn on MFA access for your Root account • Use IAM Users, Groups and Policies • Never use Root Account API keys • Scope-limit your policies
  68. Visit the Solution Architecture Team today. Please fill in feedback forms! Questions on AWS security, risk and compliance: talk to AWS. James Bromberger, jameseb@amazon.com, @JamesBromberger
  69. © 2014 Amazon.com, Inc. and its affiliates. All rights reserved. May not be copied, modified, or distributed in whole or in part without the express consent of Amazon.com, Inc.
