AWS Summit Sydney 2014 | Understanding AWS Security
The AWS cloud infrastructure has been architected to be one of the most flexible and secure cloud computing environments available today. In this session, we’ll provide a practical understanding of the assurance programs that AWS provides; such as HIPAA, FedRAMP(SM), PCI DSS Level 1, MPAA, and many others. We’ll also address the types of business solutions that these certifications enable you to deploy on the AWS Cloud, as well as the tools and services AWS makes available to customers to secure and manage their resources.


1. © 2014 Amazon.com, Inc. and its affiliates. All rights reserved. May not be copied, modified, or distributed in whole or in part without the express consent of Amazon.com, Inc. Understanding AWS Security. James Bromberger, Amazon Web Services
2. Agenda
   •  Our Security
   •  Your Security
      –  Account Management (the keys to the kingdom)
      –  Service Isolation
      –  Visibility and Auditing
   •  Special Guest
3. Security is our #1 priority
4. Shared security responsibility
5. Shared security responsibility: what AWS secures and what the customer secures
   AWS:
   •  Facilities
   •  Physical Security
   •  Physical Infrastructure
   •  Network Infrastructure
   •  Virtualization Infrastructure
   Customer:
   •  Operating System
   •  Application
   •  Security Groups
   •  OS Firewalls
   •  Network Configuration
   •  Account Management
6. Shared security responsibility (same AWS / Customer split as slide 5)
7. How does AWS get security?
   •  Physical access is recorded, videoed
   •  Multi-factor authentication for physical access
   •  Segregation of duties: staff with physical access versus staff with logical access
   •  And every 90 days…
8. How does AWS get security?
9. How does AWS get security?
10. Prove what AWS does!
   •  Certifications
   •  Audits & Attestations
      –  Independent 3rd parties
      –  Regularly refreshed
      –  Available to customers
   aws.amazon.com/compliance
11. Certifications & Approving Industry Bodies
12. What does AWS do for its security? November 2013, 60 pages, freely available: aws.amazon.com/security/
13. Shared security responsibility (same AWS / Customer split as slide 5)
14. Secure your account
15–20. Identity and Access Management (the list is built up one item per slide)
   •  Users & Groups
   •  Unique Security Credentials
   •  Temporary Security Credentials
   •  Policies & Permissions
   •  Roles
   •  Multi-factor Authentication
21. ProTip #1: Account Security
22. Identity and Access Management
   1.  Secure your Master account with MFA
   2.  Create an IAM Group for your Admin team
   3.  Create IAM Users for your Admin staff, as members of your Admin group
   4.  Turn on MFA for these users!
23. ProTip #2: No hard-coded Credentials
24. EC2 Roles for Temporary Credentials
   •  Remove hard-coded credentials from scripts and config files
   •  Create an IAM Role and assign restricted policy
   •  Launch instance into Role
   •  AWS SDKs transparently get temporary credentials
   GET http://169.254.169.254/latest/meta-data/iam/security-credentials/s3access
   {
     "Code" : "Success",
     "LastUpdated" : "2012-04-26T16:39:16Z",
     "Type" : "AWS-HMAC",
     "AccessKeyId" : "AKIAIOSFODNN7EXAMPLE",
     "SecretAccessKey" : "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
     "Token" : "token",
     "Expiration" : "2012-04-27T22:39:16Z"
   }
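The slide shows the credential document an instance reads from the metadata service; what makes it safe to rely on is that the SDK keeps it in memory and re-reads it before `Expiration`, so nothing long-lived is ever written to a config file. The following is an added illustration of that refresh logic, not AWS SDK code: the fetch and clock are injected so it runs offline against the slide's document (a constructed copy with the AWS documentation example key values), and `ROLE_NAME`, `REFRESH_MARGIN` and `simulate` are choices made here.

```python
"""Added example: SDK-style consumption of the instance-metadata credential
document from the slide. Credentials stay in memory and are refreshed a few
minutes before Expiration; no key is ever persisted to disk."""
import json
from datetime import datetime, timedelta, timezone

ROLE_NAME = "s3access"  # role name used on the slide
METADATA_URL = (
    "http://169.254.169.254/latest/meta-data/iam/security-credentials/" + ROLE_NAME
)

# Constructed sample: the document from the slide (example key values from AWS docs).
SAMPLE_DOCUMENT = json.dumps({
    "Code": "Success",
    "LastUpdated": "2012-04-26T16:39:16Z",
    "Type": "AWS-HMAC",
    "AccessKeyId": "AKIAIOSFODNN7EXAMPLE",
    "SecretAccessKey": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
    "Token": "token",
    "Expiration": "2012-04-27T22:39:16Z",
})


def parse_utc(stamp):
    """Parse the metadata service's ISO-8601 'Z' timestamps as aware UTC datetimes."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


class InstanceRoleCredentials:
    """Caches the role credentials and refreshes them before they expire."""

    REFRESH_MARGIN = timedelta(minutes=5)  # assumption: refresh 5 min early

    def __init__(self, fetch, now):
        self._fetch = fetch    # callable returning the metadata JSON text
        self._now = now        # callable returning an aware datetime
        self._cached = None
        self.fetch_count = 0   # how many times the metadata service was read

    def _needs_refresh(self):
        if self._cached is None:
            return True
        return self._now() >= self._cached["expiry"] - self.REFRESH_MARGIN

    def get(self):
        if self._needs_refresh():
            doc = json.loads(self._fetch())
            if doc.get("Code") != "Success":
                # Fail closed rather than reuse stale or partial credentials.
                raise RuntimeError("metadata service returned %r" % doc.get("Code"))
            self._cached = {
                "access_key": doc["AccessKeyId"],
                "secret_key": doc["SecretAccessKey"],
                "session_token": doc["Token"],   # must be sent with every request
                "expiry": parse_utc(doc["Expiration"]),
            }
            self.fetch_count += 1
        return self._cached


def simulate(timestamps, document=SAMPLE_DOCUMENT):
    """Drive the provider through a list of UTC timestamps and return the
    cumulative fetch count after each call (unchanged count = served from cache)."""
    clock = {"now": None}
    provider = InstanceRoleCredentials(fetch=lambda: document, now=lambda: clock["now"])
    counts = []
    for stamp in timestamps:
        clock["now"] = parse_utc(stamp)
        provider.get()
        counts.append(provider.fetch_count)
    return counts


if __name__ == "__main__":
    print(simulate(["2012-04-26T17:00:00Z", "2012-04-27T22:30:00Z", "2012-04-27T22:35:00Z"]))
```

On a real instance the injected `fetch` would be an HTTP GET of `METADATA_URL`; the point of the example is the second and third calls: the cached credentials are reused until they are within the margin of `Expiration`, then re-read, which is what lets the instance run without any stored key.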
25. ProTip #3: Least Privilege Policies
26. IAM Policies
   •  Group "DNS-Admins", Policy:
      "Action" : [
        "route53:List*",
        "route53:Get*",
        "route53:ChangeResourceRecordSets"
      ],
      "Resource" : [ "arn:aws:route53:::hostedzone/ZONEID" ]
27. IAM Policies: use Conditions to restrict key exposure
      "Condition" : {
        "IpAddress" : {
          "aws:SourceIp" : ["192.0.2.0/24", "203.0.113.0/24"]
        }
      }
28. ProTip #4: Test Your Policies
29. Identity and Access Management: test your policies in the Policy Simulator!
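Slides 26 to 29 make one argument: a least-privilege policy is a short allow list of actions on one resource, a condition narrows where the key can be used from, and the result should be tested rather than assumed. The block below is an added, offline model of that evaluation, not the real Policy Simulator and not AWS code: it implements only the parts the slides use (Allow statements, `*` wildcards in Action, exact Resource ARNs, the `IpAddress` / `aws:SourceIp` operator) with IAM's default deny and explicit deny winning, so the DNS-Admins policy can be checked against concrete calls. `ZONEID` is the slide's own placeholder; the test IP addresses are constructed.

```python
"""Added example: a minimal IAM policy evaluator for the DNS-Admins policy.
Models Allow/Deny, Action wildcards, Resource match and the IpAddress
condition; anything it does not understand fails closed."""
import fnmatch
import ipaddress

# The policy from slide 26 with the SourceIp condition from slide 27 attached.
DNS_ADMINS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "route53:List*",
                "route53:Get*",
                "route53:ChangeResourceRecordSets",
            ],
            "Resource": ["arn:aws:route53:::hostedzone/ZONEID"],
            "Condition": {
                "IpAddress": {"aws:SourceIp": ["192.0.2.0/24", "203.0.113.0/24"]}
            },
        }
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, candidate, fold_case):
    """IAM-style glob match ('*' and '?'); action names are case-insensitive,
    resource ARNs are not."""
    if fold_case:
        return any(fnmatch.fnmatchcase(candidate.lower(), p.lower()) for p in _as_list(patterns))
    return any(fnmatch.fnmatchcase(candidate, p) for p in _as_list(patterns))


def _condition_holds(condition, context):
    """Only the IpAddress operator is modelled; unknown operators or missing
    context keys make the statement not apply (fail closed)."""
    for operator, pairs in condition.items():
        if operator != "IpAddress":
            return False
        for key, cidrs in pairs.items():
            if key not in context:
                return False
            ip = ipaddress.ip_address(context[key])
            if not any(ip in ipaddress.ip_network(c) for c in _as_list(cidrs)):
                return False
    return True


def is_allowed(policy, action, resource, context=None):
    """True if an Allow statement matches action, resource and condition and
    no Deny statement does. Nothing matching means denied (IAM default deny)."""
    context = context or {}
    allowed = False
    for stmt in policy["Statement"]:
        if not _matches(stmt.get("Action", []), action, fold_case=True):
            continue
        if not _matches(stmt.get("Resource", []), resource, fold_case=False):
            continue
        if not _condition_holds(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return False  # explicit deny always wins
        allowed = True
    return allowed


if __name__ == "__main__":
    zone = "arn:aws:route53:::hostedzone/ZONEID"
    office = {"aws:SourceIp": "192.0.2.10"}      # constructed address inside the allowed range
    elsewhere = {"aws:SourceIp": "198.51.100.7"}  # constructed address outside it
    print(is_allowed(DNS_ADMINS_POLICY, "route53:ListHostedZones", zone, office))
    print(is_allowed(DNS_ADMINS_POLICY, "route53:DeleteHostedZone", zone, office))
    print(is_allowed(DNS_ADMINS_POLICY, "route53:ChangeResourceRecordSets", zone, elsewhere))
```

The cases worth running are the negative ones: a Route 53 action the group was never granted, the right action against a different hosted zone, and the right action from a source IP outside the condition. Each comes back denied without a Deny statement ever being written, which is the default-deny behaviour the slides rely on. For the real thing, the Policy Simulator evaluates the complete policy language; this model is for reasoning about the slide's policy, not a substitute.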
30. Secure your data in flight
31. Secure your data in flight
   Credentials for talking to AWS APIs via REST:
   •  ACCESS KEY
      –  An identifier
   •  SECRET KEY
      –  Used to sign requests
      –  Shouldn't traverse the network again
   •  Not retrievable from AWS again – you lose it, generate a new pair
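The distinction the slide draws is that the access key is an identifier sent in the clear while the secret key only ever feeds an HMAC; the signature travels, the secret does not. The block below is an added illustration of AWS Signature Version 4 written for this page (not the AWS SDK's signer): the key values are the AWS documentation examples, and the region, service and request used in `example_headers` are chosen here.

```python
"""Added example: AWS Signature Version 4 request signing, showing that only
the access key id and a derived HMAC signature appear in the request headers."""
import hashlib
import hmac
from urllib.parse import quote


def _sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def _hmac_sha256(key, msg):
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def derive_signing_key(secret_key, date_stamp, region, service):
    """Scope the secret to one day/region/service; this derived key, not the
    secret itself, signs the request."""
    k_date = _hmac_sha256(("AWS4" + secret_key).encode("utf-8"), date_stamp)
    k_region = _hmac_sha256(k_date, region)
    k_service = _hmac_sha256(k_region, service)
    return _hmac_sha256(k_service, "aws4_request")


def sign_request(access_key, secret_key, region, service, method, host, path,
                 query, headers, body, amz_date):
    """Return the headers to send. amz_date is 'YYYYMMDDTHHMMSSZ'; body is bytes."""
    date_stamp = amz_date[:8]
    canonical_query = "&".join(
        quote(k, safe="-_.~") + "=" + quote(v, safe="-_.~") for k, v in sorted(query.items())
    )
    to_sign = {k.lower(): v.strip() for k, v in headers.items()}
    to_sign.update({"host": host, "x-amz-date": amz_date})
    signed_headers = ";".join(sorted(to_sign))
    canonical_headers = "".join("%s:%s\n" % (k, to_sign[k]) for k in sorted(to_sign))
    canonical_request = "\n".join(
        [method, path, canonical_query, canonical_headers, signed_headers, _sha256_hex(body)]
    )
    scope = "%s/%s/%s/aws4_request" % (date_stamp, region, service)
    string_to_sign = "\n".join(
        ["AWS4-HMAC-SHA256", amz_date, scope, _sha256_hex(canonical_request.encode("utf-8"))]
    )
    signature = hmac.new(
        derive_signing_key(secret_key, date_stamp, region, service),
        string_to_sign.encode("utf-8"), hashlib.sha256,
    ).hexdigest()
    authorization = "AWS4-HMAC-SHA256 Credential=%s/%s, SignedHeaders=%s, Signature=%s" % (
        access_key, scope, signed_headers, signature
    )
    out = dict(headers)
    out.update({"Host": host, "X-Amz-Date": amz_date, "Authorization": authorization})
    return out


# AWS documentation example key pair; request parameters are assumptions for this page.
EXAMPLE_ACCESS_KEY = "AKIAIOSFODNN7EXAMPLE"
EXAMPLE_SECRET_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"


def example_headers(action="DescribeRegions"):
    return sign_request(
        EXAMPLE_ACCESS_KEY, EXAMPLE_SECRET_KEY, "ap-southeast-2", "ec2",
        "GET", "ec2.ap-southeast-2.amazonaws.com", "/", {"Action": action}, {}, b"",
        "20140515T031244Z",
    )


if __name__ == "__main__":
    for name, value in example_headers().items():
        print(name + ": " + value)
```

Two properties follow directly from the construction and are the ones to check: the secret string never appears in any header, and the signature is bound to the date, region, service and the exact request, so a captured `Authorization` header cannot be replayed against a different call. It also explains the last bullet on the slide: because AWS only needs to recompute the HMAC, it has no reason to hand the secret back.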
32. Secure your data in flight
   Use SSL / TLS for all your traffic, just like you do for your API access.
   ProTip: Validate the SSL Certificate!
33. Secure your data in flight: SSL offload to the Elastic Load Balancing Service
34. Secure your data in flight
   •  RDS connections
      –  MySQL
      –  PostgreSQL
      –  Oracle
   •  Get Public Key from AWS:
      https://rds.amazonaws.com/doc/rds-ssl-ca-cert.pem
      https://rds.amazonaws.com/doc/mysql-ssl-ca-cert.pem
35. Secure your data at rest
36. Secure your data at rest
   •  Use encrypted file systems on EBS and StorageGateway
      –  dm-crypt/LUKS
      –  Windows BitLocker
      –  Windows EFS (file level)
   •  In your database
      –  RDS Oracle & SQL Server – Transparent Data Encryption
   •  Object Level into S3
37. Secure your data at rest: Redshift
   •  By Default:
      –  Full disk encryption by default
      –  Uses SSL to talk to S3
   •  Optionally you can:
      –  Set S3 backups to be encrypted
      –  Limit S3 bucket access
      –  Connect using SSL
      –  Run within VPC
      –  Use CloudHSM key store
      –  Backup access logs to S3
   •  Redshift retains 1 week
38. Secure your data at rest: CloudHSM: Hardware Security Modules in the cloud
   •  Single Tenancy
   •  Private key material never leaves the HSM
   •  AWS provisioned, customer managed
39. Isolate your services
40. Isolate your services: Virtual Private Cloud
   •  Security Groups
      –  Don't use 0.0.0.0/0
   •  Subnet separation of instances with:
      –  Network ACLs, and IAM policy to prevent changes
      –  Routing tables, and IAM policy to prevent changes
      –  No Internet Gateway, and IAM policy to prevent changes
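"Don't use 0.0.0.0/0" is easy to state and easy to violate quietly, so it is worth turning into a check that runs over every security group rather than a rule people remember. The block below is an added example written for this page, not AWS tooling: `SAMPLE_DESCRIBE` is a constructed document in the shape of the EC2 `DescribeSecurityGroups` response (the `SecurityGroups` / `IpPermissions` / `IpRanges` / `Ipv6Ranges` layout), with made-up group ids, and the severity scheme and the `public_ports` default are choices made here.

```python
"""Added example: flag security-group ingress rules open to the whole
Internet (0.0.0.0/0 or ::/0), the anti-pattern named on the VPC slide."""

OPEN_TO_WORLD = {"0.0.0.0/0", "::/0"}

# Constructed sample in the shape of `aws ec2 describe-security-groups` output.
SAMPLE_DESCRIBE = {
    "SecurityGroups": [
        {"GroupId": "sg-0a1b2c3d", "GroupName": "web", "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        ]},
        {"GroupId": "sg-4e5f6a7b", "GroupName": "db", "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
             "IpRanges": [{"CidrIp": "10.0.1.0/24"}], "Ipv6Ranges": [],
             "UserIdGroupPairs": [{"GroupId": "sg-0a1b2c3d"}]},
            {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        ]},
    ]
}


def _port_range(perm):
    """(from, to) for the rule, or None when it covers all ports
    (IpProtocol -1, or a protocol without port numbers)."""
    if perm.get("IpProtocol") == "-1" or "FromPort" not in perm:
        return None
    return perm["FromPort"], perm["ToPort"]


def find_world_open_rules(describe_output, public_ports=frozenset({80, 443})):
    """List every ingress rule whose source is the whole Internet.

    Severity is 'high' for all-traffic rules and for any port outside
    public_ports; 'review' for listeners that are expected to be public
    (80/443 by default) but should still be confirmed."""
    findings = []
    for sg in describe_output["SecurityGroups"]:
        for perm in sg.get("IpPermissions", []):
            sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for cidr in sources:
                if cidr not in OPEN_TO_WORLD:
                    continue  # a specific CIDR or another security group: fine
                ports = _port_range(perm)
                if ports is None:
                    severity, port_text = "high", "all"
                else:
                    lo, hi = ports
                    only_public = all(p in public_ports for p in range(lo, hi + 1))
                    severity = "review" if only_public else "high"
                    port_text = str(lo) if lo == hi else "%d-%d" % (lo, hi)
                findings.append({
                    "group": sg["GroupId"], "name": sg.get("GroupName", ""),
                    "protocol": perm.get("IpProtocol"), "ports": port_text,
                    "source": cidr, "severity": severity,
                })
    return findings


if __name__ == "__main__":
    for f in find_world_open_rules(SAMPLE_DESCRIBE):
        print("%(severity)-6s %(group)s (%(name)s) %(protocol)s %(ports)s from %(source)s" % f)
```

On the sample the check separates the three cases a reviewer cares about: a public HTTPS listener (flagged for review), SSH open to the world (high), and an all-traffic IPv6 rule that is easy to miss because `0.0.0.0/0` alone would not catch it. The database group's rule referencing another security group is left alone, which is the pattern the slide's subnet-separation bullets are steering towards.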
41. Isolate your services: one application per instance
   •  Simplify forensics
   •  Simplify Security Groups
   •  Swim-lane capacity overloads
   •  Limit blast radius
42. VPC Peering
43. VPC Peering
   •  Connect two VPCs in the same Region
      –  No IP address conflicts
   •  Bridged by routing table entries (both sides of peering relationship)
   •  Offer & Accept model: Customer A initiates peer to B; Customer B receives request from A
44. Log (& review) your API calls
45. CloudTrail: your staff or scripts make calls… on AWS API endpoints… CloudTrail logs this to an S3 bucket… so you can review this log
46. CloudTrail
   •  Who made the API call?
   •  When was the API call made?
   •  What was the API call?
   •  What were the resources that were acted upon in the API call?
   •  Where was the API call made from?
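The five questions on the slide map onto fixed fields of a CloudTrail record (`userIdentity`, `eventTime`, `eventSource` / `eventName`, `requestParameters`, `sourceIPAddress`), which is what makes the log reviewable by a script as well as a person. The block below is an added example for this page, not AWS code: `SAMPLE_LOG` is a constructed log in the CloudTrail JSON layout with made-up account id, user name, group id and IP addresses, and the three review rules in `review_flags` are chosen here to tie the log back to earlier slides (root usage, security groups opened to 0.0.0.0/0, creation of long-lived access keys).

```python
"""Added example: answer the CloudTrail slide's who/when/what/which/where
questions per record and flag the events earlier slides warn about."""
import json

# Constructed sample in CloudTrail's JSON layout (Records array). Values are made up.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventVersion": "1.0", "eventTime": "2014-05-15T03:12:44Z",
     "eventSource": "ec2.amazonaws.com", "eventName": "AuthorizeSecurityGroupIngress",
     "awsRegion": "ap-southeast-2", "sourceIPAddress": "198.51.100.23",
     "userAgent": "aws-cli/1.3.0",
     "userIdentity": {"type": "IAMUser", "userName": "alice", "accountId": "123456789012",
                      "arn": "arn:aws:iam::123456789012:user/alice"},
     "requestParameters": {"groupId": "sg-0a1b2c3d", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
          "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}},
     "responseElements": {"_return": True}},
    {"eventVersion": "1.0", "eventTime": "2014-05-15T03:20:01Z",
     "eventSource": "iam.amazonaws.com", "eventName": "CreateAccessKey",
     "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.9",
     "userAgent": "console.amazonaws.com",
     "userIdentity": {"type": "Root", "accountId": "123456789012",
                      "arn": "arn:aws:iam::123456789012:root"},
     "requestParameters": {"userName": "deploy"},
     "responseElements": {"accessKey": {"userName": "deploy",
                                        "accessKeyId": "AKIAIOSFODNN7EXAMPLE",
                                        "status": "Active"}}},
]})

# Events that create or widen credentials; worth a look whoever made them.
IAM_SENSITIVE_EVENTS = {"CreateAccessKey", "CreateUser", "PutUserPolicy", "AttachUserPolicy"}


def resource_hints(record):
    """Top-level string parameters of the call (group ids, user names, ...)."""
    params = record.get("requestParameters") or {}
    return ["%s=%s" % (k, v) for k, v in params.items() if isinstance(v, str)]


def summarise(record):
    """The slide's five questions, one field each."""
    who = record["userIdentity"]
    return {
        "who": who.get("userName") or who.get("type"),            # Root has no userName
        "when": record["eventTime"],
        "what": record["eventSource"].split(".")[0] + ":" + record["eventName"],
        "resources": resource_hints(record),
        "where": record["sourceIPAddress"],
    }


def review_flags(record):
    """Rules tying the log back to the earlier slides (assumed, not AWS-defined)."""
    flags = []
    if record["userIdentity"].get("type") == "Root":
        flags.append("root-credentials-used")            # slide 22: root should be MFA-only
    if (record["eventName"] == "AuthorizeSecurityGroupIngress"
            and "0.0.0.0/0" in json.dumps(record.get("requestParameters"))):
        flags.append("security-group-open-to-world")      # slide 40
    if record["eventName"] in IAM_SENSITIVE_EVENTS:
        flags.append("iam-credential-or-policy-change")   # slide 24: prefer roles to keys
    return flags


def review(log_text):
    """Parse one CloudTrail log file and return a summary plus flags per record."""
    results = []
    for record in json.loads(log_text)["Records"]:
        entry = summarise(record)
        entry["flags"] = review_flags(record)
        results.append(entry)
    return results


if __name__ == "__main__":
    for entry in review(SAMPLE_LOG):
        print(entry)
```

The first record answers the slide's questions as "alice, 03:12:44Z, ec2:AuthorizeSecurityGroupIngress, sg-0a1b2c3d, from 198.51.100.23" and is flagged because the rule it added is open to the world; the second is flagged twice, because it was made with root credentials and because it minted a long-lived access key. Real CloudTrail files are gzipped objects in the S3 bucket the slide mentions, so the only change needed for live use is reading and decompressing each object before handing its text to `review`.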
47. CloudTrail Partners
48. Support: Trusted Advisor
49. Customer story: Luke Chadwick
50. Billing Alerts
51. Luke's Summary
   •  Turn on MFA for root and IAM user accounts
   •  Look at IAM Roles for EC2 Instances
   •  Create a few Billing Alerts!
   •  Visit aws.amazon.com/security
   •  Talk to the AWS Solution Architecture Team about security and compliance
52. Bonus Australian Information
53. Australian Privacy Considerations Whitepaper
54. https://aws.amazon.com/whitepapers/ – Auditing, Logging, Risk, Compliance, Security
55. Visit the Solution Architecture Team today. Please fill in feedback forms! Questions on security: talk to AWS. James Bromberger, jameseb@amazon.com, @JamesBromberger
