Understanding AWS Security

AWS Summit 2014 Perth - Breakout 3

The AWS Cloud infrastructure has been architected to be one of the most flexible and secure cloud computing environments available today. In this session, we’ll provide a practical understanding of the assurance programs that AWS provides; such as HIPAA, FedRAMP(SM), PCI DSS Level 1, MPAA, and many others. We’ll also address the types of business solutions that these certifications enable you to deploy on the AWS Cloud, as well as the tools and services AWS makes available to customers to secure and manage their resources.

Presenter: James Bromberger, Solutions Architect, Amazon Web Services


Transcript

  • 1. Understanding AWS Security James Bromberger Solutions Architect, Amazon Web Services © 2014 Amazon.com, Inc. and its affiliates. All rights reserved. May not be copied, modified, or distributed in whole or in part without the express consent of Amazon.com, Inc.
  • 2. Agenda • Our Security – Compliance • Your Security – Account Management (the keys to the kingdom) – Service Isolation – Visibility and Auditing
  • 3. Security is our #1 priority
  • 4. Shared security responsibility
  • 5. Shared security responsibility. AWS: Facilities, Physical Security, Physical Infrastructure, Network Infrastructure, Virtualization Infrastructure. Customer: Operating System, Application, Security Groups, OS Firewalls, Network Configuration, Account Management
  • 6. Shared security responsibility (same split as slide 5)
  • 7. How does AWS get security? • Physical access is recorded, videoed, stored, reviewed • Multi-factor authentication for physical access • Segregation of duties: staff with physical access versus staff with logical access And every 90 days…
  • 8. How does AWS get security?
  • 9. How does AWS get security?
  • 10. Prove what AWS does! • Certifications • Audits & Attestations – Independent 3rd parties – Regularly refreshed – Available to customers aws.amazon.com/compliance
  • 11. Certifications & Approving Industry Bodies
  • 12. What does AWS do for its security? AWS's security overview document: June 2014 edition, 68 pages, freely available at aws.amazon.com/security/
  • 13. Shared security responsibility, revisited (same split as slide 5). AWS: Facilities, Physical Security, Physical Infrastructure, Network Infrastructure, Virtualization Infrastructure. Customer: Operating System, Application, Security Groups, OS Firewalls, Network Configuration, Account Management. The customer's half is what the rest of the session covers.
  • 14. Secure your account
  • 15.–20. Identity and Access Management (built up one item per slide): Users & Groups • Unique Security Credentials • Temporary Security Credentials • Policies & Permissions • Roles • Multi-factor Authentication
  • 21. ProTip #1: Account Security
  • 22. Identity and Access Management 1. Secure your Master account with MFA 2. Create an IAM Group for your Admin team 3. Create IAM Users for your Admin staff, as members of your Admin group 4. Turn on MFA for these users!
  • 23. Identity and Access Management New: • Enhanced password management – Expiry – reuse check – change on next log in • Credential Report
  • 24. ProTip #2: No hard-coded Credentials
  • 25. EC2 Roles for Temporary Credentials • Remove hard-coded credentials from scripts and config files • Create an IAM Role and assign a restricted policy • Launch the instance into the Role • AWS SDKs transparently get temporary credentials. Example: GET http://169.254.169.254/latest/meta-data/iam/security-credentials/s3access returns
    { "Code" : "Success", "LastUpdated" : "2012-04-26T16:39:16Z", "Type" : "AWS-HMAC", "AccessKeyId" : "AKIAIOSFODNN7EXAMPLE", "SecretAccessKey" : "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY", "Token" : "token", "Expiration" : "2012-04-27T22:39:16Z" }
  • 26. ProTip #3: Least Privilege Policies
  • 27.–30. IAM Policies: example policy for the Group "DNS-Admins" (the policy JSON did not survive the transcript; the recoverable part is the statement's resource, which scopes it to a single hosted zone): "Resource" : "arn:aws:route53:::hostedzone/ZONEID"
  • 31. IAM Policies: Use Conditions to restrict key exposure (the condition block did not survive the transcript)
  • 32. ProTip #4: Test Your Policies
  • 33. Identity and Access Management • Test your policies in the Policy Simulator!
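The following is an added example, not code from the talk: a minimal evaluator for IAM-style policy documents that models the "DNS-Admins" least-privilege policy (record changes scoped to one hosted zone, with Conditions that deny use from outside the office network or without MFA) and runs the kind of test cases you would put through the Policy Simulator. The zone ID, the office CIDR and the statement names are placeholders, and the evaluator implements only the subset of IAM semantics it needs (explicit Deny beats Allow, default deny, `*` wildcards, and the IpAddress/NotIpAddress/Bool/BoolIfExists operators); it is a model for reasoning about a policy offline, not a replacement for the real simulator.

```python
"""Minimal evaluator for IAM-style policy documents (added example, not from the talk).

Implements only what the DNS-Admins policy needs: explicit Deny beats Allow,
anything not allowed is denied, '*' wildcards in Action/Resource, and the
IpAddress, NotIpAddress, Bool and BoolIfExists operators.  Simplification: a
missing context key matches nothing except under *IfExists.
"""
import fnmatch
import ipaddress

ZONE_ID = "Z3EXAMPLEZONE"        # hypothetical hosted zone ID (placeholder)
OFFICE_CIDR = "203.0.113.0/24"   # hypothetical office range (TEST-NET-3)

DNS_ADMINS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ListZones", "Effect": "Allow",
         "Action": ["route53:ListHostedZones", "route53:GetHostedZone"], "Resource": "*"},
        # Record changes are scoped to ONE hosted zone, as on the slide.
        {"Sid": "ManageOneZone", "Effect": "Allow",
         "Action": ["route53:ChangeResourceRecordSets", "route53:ListResourceRecordSets"],
         "Resource": "arn:aws:route53:::hostedzone/" + ZONE_ID},
        # Conditions limit what a leaked key can do: deny everything from outside the office...
        {"Sid": "DenyOutsideOffice", "Effect": "Deny", "Action": "*", "Resource": "*",
         "Condition": {"NotIpAddress": {"aws:SourceIp": OFFICE_CIDR}}},
        # ...and without MFA.  BoolIfExists is deliberate: a call signed with long-lived
        # access keys has no aws:MultiFactorAuthPresent key in its context at all, and a
        # plain Bool would not match (so would not deny) in that case.
        {"Sid": "DenyWithoutMFA", "Effect": "Deny", "Action": "*", "Resource": "*",
         "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _match_any(patterns, value):
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _condition_matches(condition, ctx):
    """Every operator/key pair must match (AND); the values listed for one key are OR."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = ctx.get(key)
            if operator in ("IpAddress", "NotIpAddress"):
                if actual is None:
                    return False
                in_range = any(ipaddress.ip_address(actual) in ipaddress.ip_network(c)
                               for c in _as_list(expected))
                if in_range != (operator == "IpAddress"):
                    return False
            elif operator in ("Bool", "BoolIfExists"):
                if actual is None:
                    if operator == "Bool":
                        return False
                    continue  # *IfExists: a missing key counts as a match
                if str(actual).lower() not in [str(e).lower() for e in _as_list(expected)]:
                    return False
            else:
                raise ValueError("unsupported condition operator: " + operator)
    return True


def evaluate(policy, action, resource, ctx):
    """Return (effect, sid) in IAM order: explicit Deny, then Allow, else implicit Deny."""
    allowed_by = None
    for stmt in policy["Statement"]:
        if not (_match_any(stmt["Action"], action) and _match_any(stmt["Resource"], resource)):
            continue
        if not _condition_matches(stmt.get("Condition", {}), ctx):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny", stmt["Sid"]
        allowed_by = stmt["Sid"]
    return ("Allow", allowed_by) if allowed_by else ("Deny", "implicit")


def simulate():
    """The test cases a Policy Simulator session for DNS-Admins should cover."""
    zone = "arn:aws:route53:::hostedzone/" + ZONE_ID
    other = "arn:aws:route53:::hostedzone/Z0OTHERZONE"
    change = "route53:ChangeResourceRecordSets"
    office_mfa = {"aws:SourceIp": "203.0.113.10", "aws:MultiFactorAuthPresent": "true"}
    office_keys = {"aws:SourceIp": "203.0.113.10"}   # long-lived keys: no MFA key in context
    cafe_mfa = {"aws:SourceIp": "198.51.100.7", "aws:MultiFactorAuthPresent": "true"}
    return {
        "change_own_zone_from_office": evaluate(DNS_ADMINS_POLICY, change, zone, office_mfa),
        "change_other_zone": evaluate(DNS_ADMINS_POLICY, change, other, office_mfa),
        "change_from_cafe": evaluate(DNS_ADMINS_POLICY, change, zone, cafe_mfa),
        "change_with_keys_no_mfa": evaluate(DNS_ADMINS_POLICY, change, zone, office_keys),
        "delete_zone_from_office": evaluate(DNS_ADMINS_POLICY, "route53:DeleteHostedZone", zone, office_mfa),
    }


if __name__ == "__main__":
    for name, verdict in simulate().items():
        print(f"{name:30s} -> {verdict}")
```

The case worth noticing is `change_with_keys_no_mfa`: a request signed with long-lived access keys carries no MFA key in its context, so only the `BoolIfExists` form of the condition denies it; with a plain `Bool` the deny statement would silently never match. That is exactly the kind of gap a simulator run catches before the policy is attached to a group.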
  • 34. API Credentials Credentials for talking to AWS APIs via REST: • ACCESS KEY – An identifier • SECRET KEY – Used to sign requests – Shouldn’t traverse the network again • Not retrievable from AWS again – you lose it, generate a new pair
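To make slides 25 and 34 concrete, here is an added example (not code from the talk or from an AWS SDK) in Python. It does two things the slides describe but do not show: it parses the credential document that the instance metadata service returns for an EC2 role and decides when to refresh it, and it implements AWS Signature Version 4, which is how the SECRET KEY is actually used: the secret seeds an HMAC key-derivation chain whose output signs the request, so only the signature crosses the network. The IMDS document is a constructed sample in the shape of the slide's; the signing test uses the example IAM `ListUsers` request from the AWS SigV4 documentation, whose published signature the code reproduces.

```python
"""Temporary EC2 role credentials and AWS Signature Version 4 (added example, not from the talk)."""
import datetime as dt
import hashlib
import hmac
import json
import urllib.parse

IMDS_CREDS_URL = "http://169.254.169.254/latest/meta-data/iam/security-credentials/"

# Constructed sample in the shape of the slide's response for a role named "s3access".
SAMPLE_IMDS_RESPONSE = json.dumps({
    "Code": "Success", "LastUpdated": "2012-04-26T16:39:16Z", "Type": "AWS-HMAC",
    "AccessKeyId": "AKIAIOSFODNN7EXAMPLE",
    "SecretAccessKey": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
    "Token": "token", "Expiration": "2012-04-27T22:39:16Z",
})


def parse_imds_credentials(body):
    """Unpack the role credential document an SDK gets from IMDS_CREDS_URL + role name."""
    doc = json.loads(body)
    if doc.get("Code") != "Success" or doc.get("Type") != "AWS-HMAC":
        raise ValueError("unexpected credential document")
    return {"access_key": doc["AccessKeyId"], "secret_key": doc["SecretAccessKey"],
            "token": doc["Token"],
            "expiration": dt.datetime.strptime(doc["Expiration"], "%Y-%m-%dT%H:%M:%SZ")}


def needs_refresh(creds, now, margin=dt.timedelta(minutes=5)):
    """Re-read IMDS shortly before the credentials expire, never after."""
    return now + margin >= creds["expiration"]


def _sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def _hmac(key, msg):
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def sign_request(method, host, path, query, headers, payload, creds, region, service, amz_date):
    """Return request headers including the SigV4 Authorization header.

    amz_date is 'YYYYMMDDTHHMMSSZ'.  Temporary credentials also carry their session
    token in X-Amz-Security-Token, which is signed like any other header.
    """
    hdrs = {k.lower(): " ".join(v.split()) for k, v in headers.items()}
    hdrs["host"] = host
    hdrs["x-amz-date"] = amz_date
    if creds.get("token"):
        hdrs["x-amz-security-token"] = creds["token"]
    signed = ";".join(sorted(hdrs))
    canonical = "\n".join([
        method, path or "/",
        urllib.parse.urlencode(sorted(query.items()), quote_via=urllib.parse.quote, safe="-_.~"),
        "".join(f"{k}:{hdrs[k]}\n" for k in sorted(hdrs)),
        signed, _sha256_hex(payload)])
    scope = f"{amz_date[:8]}/{region}/{service}/aws4_request"
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope, _sha256_hex(canonical.encode())])
    # Derivation chain: the secret key is only ever an HMAC key here and is never transmitted.
    k_signing = _hmac(_hmac(_hmac(_hmac(("AWS4" + creds["secret_key"]).encode(), amz_date[:8]),
                                  region), service), "aws4_request")
    signature = hmac.new(k_signing, string_to_sign.encode(), hashlib.sha256).hexdigest()
    hdrs["authorization"] = (f"AWS4-HMAC-SHA256 Credential={creds['access_key']}/{scope}, "
                             f"SignedHeaders={signed}, Signature={signature}")
    return hdrs


def signature_of(hdrs):
    return hdrs["authorization"].rsplit("Signature=", 1)[1]


def sigv4_doc_example():
    """The IAM ListUsers request from the AWS SigV4 documentation, long-lived keys (no token)."""
    creds = {"access_key": "AKIDEXAMPLE",
             "secret_key": "wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY", "token": None}
    return sign_request("GET", "iam.amazonaws.com", "/",
                        {"Action": "ListUsers", "Version": "2010-05-08"},
                        {"Content-Type": "application/x-www-form-urlencoded; charset=utf-8"},
                        b"", creds, "us-east-1", "iam", "20150830T123600Z")


def signed_with_role_credentials():
    """Same request signed with the sample instance-role credentials: the token is sent and signed."""
    creds = parse_imds_credentials(SAMPLE_IMDS_RESPONSE)
    return sign_request("GET", "iam.amazonaws.com", "/",
                        {"Action": "ListUsers", "Version": "2010-05-08"},
                        {}, b"", creds, "us-east-1", "iam", "20150830T123600Z")


if __name__ == "__main__":
    print(sigv4_doc_example()["authorization"])
    print(signed_with_role_credentials()["authorization"])
```

Two points the code makes that the slide can only state: the `Authorization` header carries the access key (the identifier) and a signature, never the secret; and the role credentials differ from a user's keys only in that a session token travels alongside and is covered by the signature, which is why an SDK can swap them in transparently.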
  • 35. Secure your data in flight
  • 36. Secure your data in flight Use SSL / TLS for all your traffic, just like you do for your API access ProTip: Validate the SSL Certificate!
  • 37. Secure your data in flight SSL offload to the Elastic Load Balancing Service
  • 38. Secure your data in flight • RDS connections – MySQL – PostgreSQL – Oracle • Get Public Key from AWS: https://rds.amazonaws.com/doc/rds-ssl-ca-cert.pem https://rds.amazonaws.com/doc/mysql-ssl-ca-cert.pem
  • 39. Secure your data at rest
  • 40. Secure your data at rest Amazon S3
  • 41. S3 – Server Side Encryption (SSE) • Available Since 2011 • AES 256-bit • Totally transparent to customers • AWS Key Management
  • 42. S3 – NEW: SSE with customer keys • Available Since June 2014 • AES 256-bit, but encryption/decryption on AWS • Customer Key Management
  • 43. S3 – Client-side encryption (CSE) • Customer key management • Customer premise encryption/ decryption • Keys never sent to AWS • Support in the Java AWS SDK: AmazonS3EncryptionClient
  • 44. Secure your data at rest Amazon RDS
  • 45. RDS • Secure data at rest in your database – RDS Oracle (EE) • Transparent Data Encryption – SQL Server (EE BYOL) • Transparent Data Encryption
  • 46. Secure your data at rest Amazon EBS AWS Storage Gateway
  • 47. EBS & Storage Gateway • Use encrypted file systems on block storage (EBS, Storage Gateway…) – dm-crypt/LUKS – Windows BitLocker (whole disk), EFS (file level) – Products from Partners: Trend, Safenet, etc – and…
  • 48. EBS – NEW: Encrypted Volumes • Available since May 2014 • AWS’ rigid key management • Encryption on server hosting the EC2 instance • Snapshots of encrypted volumes also encrypted – cannot be shared with other customers • Only on supported instance types
  • 49. Securing your data at rest Amazon Redshift
  • 50. Redshift • By Default: – Full disk encryption – Uses SSL to talk to S3 • Optionally you can: – Set S3 backups to be encrypted – Limit S3 bucket access – Connect using SSL – Run within VPC – Use CloudHSM key store – Backup access logs to S3 • Redshift retains 1 week
  • 51. Secure your data at rest CloudHSM: Hardware Security Modules in the cloud • Single Tenancy • Private key material never leaves the HSM • AWS provisioned, customer managed
  • 52. Isolate your services
  • 53. Isolate your services One application per instance • Simplify forensics • Simplify Security Groups • Swim-lane capacity overloads • Limit blast radius
  • 54. Isolate your services Virtual Private Cloud • Security Groups – Don’t use 0.0.0.0/0 • Subnet separation of instances with: – Network ACLs, and IAM policy to prevent changes – Routing tables, and IAM policy to prevent changes – No Internet Gateway, and IAM policy to prevent changes
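An added example (not from the talk) of the "don't use 0.0.0.0/0" check as an audit you can run over security-group definitions. The input mirrors the shape of EC2 `DescribeSecurityGroups` output (`IpPermissions` with `IpRanges`, `Ipv6Ranges` and `UserIdGroupPairs`); the three groups and the allow-list of Internet-facing ports (80 and 443 for the load balancer tier) are constructed assumptions. The `app` group shows the intended pattern, admitting only the load balancer's group rather than any CIDR.

```python
"""Find security-group rules open to the world (added example, not from the talk)."""
import ipaddress

SAMPLE_GROUPS = [  # constructed, in the shape of DescribeSecurityGroups output
    {"GroupId": "sg-0a1b2c3d", "GroupName": "web-elb", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-0e5f6a7b", "GroupName": "app", "IpPermissions": [
        # Intended pattern: the app tier admits only the load balancer's group, not a CIDR.
        {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080, "IpRanges": [],
         "UserIdGroupPairs": [{"GroupId": "sg-0a1b2c3d"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-0c9d8e7f", "GroupName": "legacy", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306, "IpRanges": [{"CidrIp": "10.0.0.0/8"}]}]},
]

# Hypothetical allow-list: only the Internet-facing tier may expose these.
PUBLIC_ALLOWED = {("tcp", 80), ("tcp", 443)}


def _is_world(cidr):
    """0.0.0.0/0 and ::/0, but also any other /0 someone might have typed."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def world_open_findings(groups, allowed=PUBLIC_ALLOWED):
    """Return (group id, name, rule, reason) for every rule exposing more than `allowed`."""
    findings = []
    for g in groups:
        for perm in g.get("IpPermissions", []):
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            if not any(_is_world(c) for c in cidrs):
                continue  # group-to-group and private-CIDR rules are fine here
            proto, lo, hi = perm["IpProtocol"], perm.get("FromPort"), perm.get("ToPort")
            if proto == "-1":
                findings.append((g["GroupId"], g["GroupName"], "all",
                                 "all protocols and ports open to the world"))
            elif lo != hi or (proto, lo) not in allowed:
                findings.append((g["GroupId"], g["GroupName"], f"{proto}/{lo}-{hi}",
                                 "open to the world"))
    return findings


if __name__ == "__main__":
    for finding in world_open_findings(SAMPLE_GROUPS):
        print(*finding)
```

Port ranges are flagged as a whole rather than port by port; a world-open range almost always deserves a human look even when it happens to include an allowed port.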
  • 55. VPC Peering
  • 56. VPC Peering • Connect two VPCs in the same Region – No IP address conflicts • Bridged by routing table entries (both sides of peering relationship) • Offer & Accept model (diagram: Customer A initiates the peering request to B; Customer B receives and accepts the request from A)
  • 57. Log (& review) your API calls
  • 58. CloudTrail Your staff or scripts make calls… on AWS API endpoints… CloudTrail logs this to an S3 bucket… so you can review this log
  • 59. CloudTrail • Who made the API call? • When was the API call made? • What was the API call? • What were the resources that were acted up on in the API call? • Where was the API call made from?
  • 60. CloudTrail • May: Includes CloudFront events • June: Available in all standard Regions • July: Includes ASG & SQS events • July: Covers AWS Console sign-in events. Example record of a Console sign-in (note userIdentity, sourceIPAddress and MFAUsed):
    { "eventVersion": "1.01", "userIdentity": { "type": "IAMUser", "principalId": "AIDAJDPLRKLG7UEXAMPLE", "arn": "arn:aws:iam::123456789012:user/Alice", "accountId": "123456789012" }, "eventTime": "2014-07-08T17:36:04Z", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin", "awsRegion": "us-east-1", "sourceIPAddress": "10.0.0.1", "userAgent": "AWS Console Access", "requestParameters": null, "responseElements": { "ConsoleLogin": "Success" }, "additionalEventData": { "MobileVersion": "No", "LoginTo": "https://console.aws.amazon.com/sns", "MFAUsed": "Yes" }, "eventID": "example-even-tide-xamp-123456789012" }
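Slides 58 to 60 say to log and review API calls; the following added example (not from the talk) shows what a first review pass looks like in Python. It reads the `Records` array CloudTrail delivers, and applies a handful of rules that answer the slide's who/when/what/where questions: root account use, console logins without MFA, failed logins, calls from outside the expected network, and `AuthorizeSecurityGroupIngress` calls that open a rule to the world. The four records are constructed in the shape of the slide's `ConsoleLogin` event, and the "trusted" network is a hypothetical corporate range.

```python
"""Review CloudTrail records for the signals that matter most (added example, not from the talk)."""
import ipaddress
import json

TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumption: corporate/VPN range

SAMPLE_LOG = json.dumps({"Records": [  # constructed records, trimmed to the fields used
    {"eventTime": "2014-07-08T17:36:04Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/Alice"},
     "sourceIPAddress": "10.0.0.1", "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "Yes"}},
    {"eventTime": "2014-07-08T22:10:51Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root"},
     "sourceIPAddress": "198.51.100.23", "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventTime": "2014-07-08T22:12:03Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/Bob"},
     "sourceIPAddress": "10.0.0.7", "responseElements": {"ConsoleLogin": "Failure"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventTime": "2014-07-08T22:15:40Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/Alice"},
     "sourceIPAddress": "10.0.0.1",
     "requestParameters": {"groupId": "sg-0e5f6a7b", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
          "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
]})


def load_records(text):
    """CloudTrail delivers JSON files whose top-level object holds a 'Records' array."""
    doc = json.loads(text)
    return doc["Records"] if isinstance(doc, dict) else doc


def _outside_trusted(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:          # e.g. "AWS Internal" or a service name in that field
        return False
    return not any(addr in net for net in TRUSTED_NETS)


def review(records):
    """Return (rule, eventTime, who, eventName, sourceIP) for each record that trips a rule."""
    findings = []
    for r in records:
        ident = r.get("userIdentity", {})
        who = ident.get("arn", ident.get("type", "?"))
        base = (r.get("eventTime"), who, r.get("eventName"), r.get("sourceIPAddress"))
        if ident.get("type") == "Root":
            findings.append(("root-account-used",) + base)
        if r.get("eventName") == "ConsoleLogin":
            ok = (r.get("responseElements") or {}).get("ConsoleLogin") == "Success"
            mfa = (r.get("additionalEventData") or {}).get("MFAUsed") == "Yes"
            if not ok:
                findings.append(("console-login-failed",) + base)
            elif not mfa:
                findings.append(("console-login-without-mfa",) + base)
        if _outside_trusted(r.get("sourceIPAddress", "")):
            findings.append(("call-from-untrusted-network",) + base)
        # World-open check: search the serialized parameters rather than depending on
        # the exact nesting CloudTrail uses for ipPermissions.
        params = json.dumps(r.get("requestParameters"))
        if r.get("eventName") == "AuthorizeSecurityGroupIngress" and \
                any(w in params for w in ('"0.0.0.0/0"', '"::/0"')):
            findings.append(("security-group-opened-to-world",) + base)
    return findings


def summarize(text):
    """Rule -> count: the shape you would alert or dashboard on."""
    counts = {}
    for f in review(load_records(text)):
        counts[f[0]] = counts.get(f[0], 0) + 1
    return counts


if __name__ == "__main__":
    for finding in review(load_records(SAMPLE_LOG)):
        print(*finding)
```

Note that one record can trip several rules; the root login here is reported three times (root used, no MFA, untrusted network), which is the right outcome: each rule is a separate question and the review should not suppress one because another fired.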
  • 61. CloudTrail Partners
  • 62. Support: Trusted Advisor
  • 63. Billing Alerts
  • 64. Bonus Australian Information
  • 65. Australian Privacy Considerations Whitepaper
  • 66. https://aws.amazon.com/whitepapers/ (whitepapers on auditing, logging, risk, compliance and security)
  • 67. James’ Recommendations Turn on your MFA access for your Root account Use IAM Users, Groups and Policies Never use Root Account API keys Scope limit your policies
  • 68. Visit the Solution Architecture Team today, Please fill in feedback forms! Questions on AWS security, risk and compliance: talk to AWS James Bromberger jameseb@amazon.com @JamesBromberger