Understanding AWS Security 
James Bromberger 
Solutions Architect, Amazon Web Services 
Published on: AWS Summit 2014 Perth - Breakout 3

The AWS Cloud infrastructure has been architected to be one of the most flexible and secure cloud computing environments available today. In this session, we’ll provide a practical understanding of the assurance programs that AWS provides; such as HIPAA, FedRAMP(SM), PCI DSS Level 1, MPAA, and many others. We’ll also address the types of business solutions that these certifications enable you to deploy on the AWS Cloud, as well as the tools and services AWS makes available to customers to secure and manage their resources.

Presenter: James Bromberger, Solutions Architect, Amazon Web Services

Published in: Technology

  1. Understanding AWS Security
     James Bromberger, Solutions Architect, Amazon Web Services
     © 2014 Amazon.com, Inc. and its affiliates. All rights reserved. May not be copied, modified, or distributed in whole or in part without the express consent of Amazon.com, Inc.
  2. Agenda
     • Our Security
       – Compliance
     • Your Security
       – Account Management (the keys to the kingdom)
       – Service Isolation
       – Visibility and Auditing
  3. Security is our #1 priority
  4. Shared security responsibility
  5. AWS
     • Facilities
     • Physical Security
     • Physical Infrastructure
     • Network Infrastructure
     • Virtualization Infrastructure
     Customer
     • Operating System
     • Application
     • Security Groups
     • OS Firewalls
     • Network Configuration
     • Account Management
  6. AWS / Customer responsibilities (repeats slide 5)
  7. How does AWS get security?
     • Physical access is recorded, videoed, stored, reviewed
     • Multi-factor authentication for physical access
     • Segregation of duties: staff with physical access versus staff with logical access
     And every 90 days…
  8. How does AWS get security?
  9. How does AWS get security?
  10. Prove what AWS does!
     • Certifications
     • Audits & Attestations
       – Independent 3rd parties
       – Regularly refreshed
       – Available to customers
     aws.amazon.com/compliance
  11. Certifications & Approving Industry Bodies
  12. What does AWS do for its security?
     June 2014, 68 pages, freely available: aws.amazon.com/security/
  13. AWS / Customer responsibilities (repeats slide 5)
  14. Secure your account
  15. Identity and Access Management • Users & Groups
  16. Identity and Access Management • Users & Groups • Unique Security Credentials
  17. Identity and Access Management • Users & Groups • Unique Security Credentials • Temporary Security Credentials
  18. Identity and Access Management • Users & Groups • Unique Security Credentials • Temporary Security Credentials • Policies & Permissions
  19. Identity and Access Management • Users & Groups • Unique Security Credentials • Temporary Security Credentials • Policies & Permissions • Roles
  20. Identity and Access Management
     • Users & Groups
     • Unique Security Credentials
     • Temporary Security Credentials
     • Policies & Permissions
     • Roles
     • Multi-factor Authentication
  21. ProTip #1: Account Security
  22. Identity and Access Management
     1. Secure your Master account with MFA
     2. Create an IAM Group for your Admin team
     3. Create IAM Users for your Admin staff, as members of your Admin group
     4. Turn on MFA for these users!
  23. Identity and Access Management
     New:
     • Enhanced password management
       – Expiry
       – Reuse check
       – Change on next log in
     • Credential Report
  24. ProTip #2: No hard-coded Credentials
  25. EC2 Roles for Temporary Credentials
     • Remove hard-coded credentials from scripts and config files
     • Create an IAM Role and assign restricted policy
     • Launch instance into Role
     • AWS SDKs transparently get temporary credentials
     GET http://169.254.169.254/latest/meta-data/iam/security-credentials/s3access
     {
       "Code" : "Success",
       "LastUpdated" : "2012-04-26T16:39:16Z",
       "Type" : "AWS-HMAC",
       "AccessKeyId" : "AKIAIOSFODNN7EXAMPLE",
       "SecretAccessKey" : "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
       "Token" : "token",
       "Expiration" : "2012-04-27T22:39:16Z"
     }
  26. ProTip #3: Least Privilege Policies
  27. IAM Policies
     • Group “DNS-Admins”, Policy:
       (policy document text not recovered from the slide image)
  28. IAM Policies (continuation of the DNS-Admins policy; text not recovered)
  29. IAM Policies (continuation of the DNS-Admins policy; text not recovered)
  30. IAM Policies (continuation of the DNS-Admins policy; only the resource survived)
       "Resource" : "arn:aws:route53:::hostedzone/ZONEID"
  31. IAM Policies
     Use Conditions to restrict key exposure
     (policy document text not recovered from the slide image)
  32. ProTip #4: Test Your Policies
  33. Identity and Access Management
     • Test your policies in the Policy Simulator!
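An added example (not from the deck) for the DNS-Admins policy pattern on slides 27 to 31 and the "test your policies" advice on slide 33: a minimal Python evaluator that applies IAM's explicit-deny-wins rule and an aws:SourceIp Condition to a policy scoped to a single Route 53 hosted zone. The route53 actions, the 203.0.113.0/24 source range and the ZONEID value are assumptions chosen for illustration, not anything the slides state.

```python
import fnmatch
import ipaddress

# Constructed policy for the "DNS-Admins" group: record changes are allowed only
# on one hosted zone and only from an assumed office range; zone deletion is
# denied outright. Actions, range and zone id are illustrative assumptions.
DNS_ADMINS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["route53:ChangeResourceRecordSets",
                    "route53:ListResourceRecordSets"],
         "Resource": "arn:aws:route53:::hostedzone/ZONEID",
         "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}}},
        {"Effect": "Deny",
         "Action": "route53:DeleteHostedZone",
         "Resource": "*"},
    ],
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _condition_ok(condition, ctx):
    # Only the IpAddress / NotIpAddress operators on aws:SourceIp are modelled.
    for operator, pairs in condition.items():
        for key, ranges in pairs.items():
            if key != "aws:SourceIp" or operator not in ("IpAddress", "NotIpAddress"):
                return False  # unsupported key/operator: treat as not satisfied
            ip = ipaddress.ip_address(ctx.get("aws:SourceIp", "0.0.0.0"))
            hit = any(ip in ipaddress.ip_network(r) for r in _as_list(ranges))
            if (operator == "IpAddress") != hit:
                return False
    return True

def evaluate(policy, action, resource, ctx=None):
    """Return 'Allow' or 'Deny' for one request against one policy document."""
    ctx = ctx or {}
    decision = "Deny"  # implicit deny unless some Allow statement matches
    for stmt in policy["Statement"]:
        if not any(fnmatch.fnmatchcase(action, p) for p in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, p) for p in _as_list(stmt["Resource"])):
            continue
        if not _condition_ok(stmt.get("Condition", {}), ctx):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # an explicit Deny always wins
        decision = "Allow"
    return decision
```

Run the same request from inside and outside the source range, and against a second zone, to see why the Condition and the zone-scoped Resource each matter.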
  34. API Credentials
     Credentials for talking to AWS APIs via REST:
     • ACCESS KEY
       – An identifier
     • SECRET KEY
       – Used to sign requests
       – Shouldn’t traverse the network again
     • Not retrievable from AWS again – you lose it, generate a new pair
  35. Secure your data in flight
  36. Secure your data in flight
     Use SSL / TLS for all your traffic, just like you do for your API access
     ProTip: Validate the SSL Certificate!
  37. Secure your data in flight
     SSL offload to the Elastic Load Balancing Service
  38. Secure your data in flight
     • RDS connections
       – MySQL
       – PostgreSQL
       – Oracle
     • Get Public Key from AWS:
       https://rds.amazonaws.com/doc/rds-ssl-ca-cert.pem
       https://rds.amazonaws.com/doc/mysql-ssl-ca-cert.pem
  39. Secure your data at rest
  40. Secure your data at rest: Amazon S3
  41. S3 – Server Side Encryption (SSE)
     • Available since 2011
     • AES 256-bit
     • Totally transparent to customers
     • AWS Key Management
  42. S3 – NEW: SSE with customer keys
     • Available since June 2014
     • AES 256-bit, but encryption/decryption on AWS
     • Customer Key Management
  43. S3 – Client-side encryption (CSE)
     • Customer key management
     • Customer premise encryption/decryption
     • Keys never sent to AWS
     • Support in the Java AWS SDK: AmazonS3EncryptionClient
  44. Secure your data at rest: Amazon RDS
  45. RDS
     • Secure data at rest in your database
       – RDS Oracle (EE): Transparent Data Encryption
       – SQL Server (EE BYOL): Transparent Data Encryption
  46. Secure your data at rest: Amazon EBS, AWS Storage Gateway
  47. EBS, Storage Gateway
     • Use encrypted file systems on block storage (EBS, Storage Gateway…)
       – dm-crypt/LUKS
       – Windows BitLocker (whole disk), EFS (file level)
       – Products from Partners: Trend, Safenet, etc.
       – and…
  48. EBS – NEW: Encrypted Volumes
     • Available since May 2014
     • AWS’ rigid key management
     • Encryption on server hosting the EC2 instance
     • Snapshots of encrypted volumes also encrypted – cannot be shared with other customers
     • Only on supported instance types
  49. Securing your data at rest: Amazon Redshift
  50. Redshift
     • By default:
       – Full disk encryption
       – Uses SSL to talk to S3
     • Optionally you can:
       – Set S3 backups to be encrypted
       – Limit S3 bucket access
       – Connect using SSL
       – Run within VPC
       – Use CloudHSM key store
       – Backup access logs to S3 (Redshift retains 1 week)
  51. Secure your data at rest
     CloudHSM: Hardware Security Modules in the cloud
     • Single Tenancy
     • Private key material never leaves the HSM
     • AWS provisioned, customer managed
  52. Isolate your services
  53. Isolate your services
     One application per instance
     • Simplify forensics
     • Simplify Security Groups
     • Swim-lane capacity overloads
     • Limit blast radius
  54. Isolate your services
     Virtual Private Cloud
     • Security Groups
       – Don’t use 0.0.0.0/0
     • Subnet separation of instances with:
       – Network ACLs, and IAM policy to prevent changes
       – Routing tables, and IAM policy to prevent changes
       – No Internet Gateway, and IAM policy to prevent changes
  55. VPC Peering
  56. VPC Peering
     • Connect two VPCs in the same Region
       – No IP address conflicts
     • Bridged by routing table entries (both sides of peering relationship)
     • Offer / Accept model: Customer A initiates request to B; Customer B receives request from A
  57. Log (& review) your API calls
  58. CloudTrail
     Your staff or scripts make calls… on AWS API endpoints… CloudTrail logs this to an S3 bucket… so you can review this log
  59. CloudTrail
     • Who made the API call?
     • When was the API call made?
     • What was the API call?
     • What were the resources that were acted upon in the API call?
     • Where was the API call made from?
  60. CloudTrail
     • May: Includes CloudFront events
     • June: Available in all standard Regions
     • July: Includes ASG & SQS events
     • July: Covers AWS Console sign-in events
     {
       "eventVersion": "1.01",
       "userIdentity": {
         "type": "IAMUser",
         "principalId": "AIDAJDPLRKLG7UEXAMPLE",
         "arn": "arn:aws:iam::123456789012:Alice",
         "accountId": "123456789012"
       },
       "eventTime": "2014-07-08T17:36:04Z",
       "eventSource": "signin.amazonaws.com",
       "eventName": "ConsoleLogin",
       "awsRegion": "us-east-1",
       "sourceIPAddress": "10.0.0.1",
       "userAgent": "AWS Console Access",
       "requestParameters": null,
       "responseElements": { "ConsoleLogin": "Success" },
       "additionalEventData": {
         "MobileVersion": "No",
         "LoginTo": "https://console.aws.amazon.com/sns",
         "MFAUsed": "Yes"
       },
       "eventID": "example-even-tide-xamp-123456789012"
     }
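An added example (not from the deck): the log review that slides 58 to 60 describe, run in Python over constructed CloudTrail records. The first record is modelled on the console sign-in event on slide 60; the other two are invented to show a sign-in without MFA and a root-credential API call that opens a security group to 0.0.0.0/0, which are the practices slides 54 and 67 advise against. The account id, ARNs, IPs and security group id are placeholders.

```python
import json

# Constructed sample log (not real CloudTrail output): one MFA-protected sign-in
# modelled on slide 60, one root sign-in without MFA, and one root API call.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2014-07-08T17:36:04Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "awsRegion": "us-east-1",
     "sourceIPAddress": "10.0.0.1", "requestParameters": None,
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/Alice"},
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "Yes"}},
    {"eventTime": "2014-07-08T18:02:11Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "awsRegion": "us-east-1",
     "sourceIPAddress": "198.51.100.23", "requestParameters": None,
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root"},
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventTime": "2014-07-08T18:05:40Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress", "awsRegion": "ap-southeast-2",
     "sourceIPAddress": "198.51.100.23",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root"},
     "requestParameters": {"groupId": "sg-0123example", "cidrIp": "0.0.0.0/0"}},
]})

def summarize(record):
    """Answer the five questions of slide 59 (who/when/what/resources/where)."""
    return {"who": record["userIdentity"].get("arn"),
            "when": record["eventTime"],
            "what": record["eventSource"].split(".")[0] + ":" + record["eventName"],
            "resources": record.get("requestParameters") or {},
            "where": record["sourceIPAddress"]}

def review(log_text):
    """Return (summary, alerts) per record; alerts lists the rules that fired."""
    results = []
    for rec in json.loads(log_text)["Records"]:
        alerts = []
        params = rec.get("requestParameters") or {}  # null in sign-in events
        if rec["eventName"] == "ConsoleLogin" and \
           rec.get("additionalEventData", {}).get("MFAUsed") != "Yes":
            alerts.append("console sign-in without MFA")
        if rec["userIdentity"].get("type") == "Root" and rec["eventName"] != "ConsoleLogin":
            alerts.append("API call made with root account credentials")
        if params.get("cidrIp") == "0.0.0.0/0":
            alerts.append("security group rule opened to 0.0.0.0/0")
        results.append((summarize(rec), alerts))
    return results
```

Point the same function at the gzipped JSON files CloudTrail writes to the S3 bucket and the three rules give a first pass at the review the slide asks for.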
  61. CloudTrail Partners
  62. Support: Trusted Advisor
  63. Billing Alerts
  64. Bonus Australian Information
  65. Australian Privacy Considerations Whitepaper
  66. https://aws.amazon.com/whitepapers/ – Auditing, Logging, Risk, Compliance, Security
  67. James’ Recommendations
     • Turn on your MFA access for your Root account
     • Use IAM Users, Groups and Policies
     • Never use Root Account API keys
     • Scope limit your policies
  68. Visit the Solution Architecture Team today. Please fill in feedback forms!
     Questions on AWS security, risk and compliance: talk to AWS
     James Bromberger, jameseb@amazon.com, @JamesBromberger
  69. © 2014 Amazon.com, Inc. and its affiliates. All rights reserved. May not be copied, modified, or distributed in whole or in part without the express consent of Amazon.com, Inc.
