AWS Security: A Practitioner's Perspective

Presented at the SF AWS Users group on 4/17/2012.

AWS Security: A Practitioner's Perspective: Presentation Transcript

  • AWS Security: A Practitioner's Perspective. Jason Chan, chan@netflix.com. San Francisco AWS Users Group, April 17, 2012
  • Jason Chan
    • Cloud Security Architect @ Netflix
    • Previously:
      • Most recently led security team at VMware
      • Primarily security consulting at @stake, iSEC Partners
    • Some presentations at: http://www.slideshare.net/netflix
  • Agenda
    • Goals and non-goals
    • AWS on one slide
    • Netflix in the cloud
    • AWS security: Overview
    • AWS security: Gotchas
    • AWS security: Recommendations
    • Takeaways
  • Non-Goals
    • Primer on general cloud security issues
    • AWS how-to
    • Comprehensive guide to AWS security
    • Info on designing for high-availability
  • AWS Overview
  • AWS on a Slide: "The cloud lets its users focus on delivering differentiating business value instead of wasting valuable resources on the undifferentiated heavy lifting that makes up most of IT infrastructure." - Werner Vogels (AWS CTO), August 25, 2009, 'All Things
  • Netflix in the Cloud
  • Outgrowing Data Center (chart: Netflix API growth in requests against datacenter capacity; 37x growth 1/10 - 1/11) http://techblog.netflix.com/2011/02/redesigning-netflix-api.html
  • Netflix Deployed on AWS (timeline, 2009 to 2011, of workloads moved to AWS: content logs, video masters on S3, DRM, sign-up, metadata, CS lookup, device diagnostics, EMR/Hadoop, CDN routing, search, config and actions, movie/TV choosing, customer call log, business intelligence, social/Facebook, CDN logging, ratings, CS analytics). AWS services used: EC2, S3, SQS, SDB, VPC, ELB, EMR, Route53, IAM, SWF, CloudWatch, EBS, SNS, SES
  • AWS Security Overview
    • Shared Responsibility
    • AWS Credentials and Identifiers
    • Services, Actions, and Resources
    • Controlling Network Traffic
    • AWS Security-Related Services
  • Shared Responsibility (diagram: the stack is split between what YOU secure and what AWS secures) http://aws.amazon.com/security/
  • AWS Credentials and Identifiers
    • Account identifiers:
      • Account ID: 12-digit identifier
      • Canonical User ID: used for S3 permissioning
    • Resource identifier:
      • Amazon Resource Name (ARN): unique resource identifier, e.g. arn:aws:sns:us-east-1:1234567890123456:mytopic
    • Sign-in credentials:
      • Main account e-mail/password: console access
      • IAM account name/password: console access
      • MFA token: hardware/software token for additional security
    • Access credentials:
      • Access keys: REST API
      • X.509 certificates: SOAP API, EC2 tools
      • Key pairs: CloudFront, EC2
    • http://docs.amazonwebservices.com/AWSSecurityCredentials/1.0/AboutAWSCredentials.html
  • AWS Services, Actions, and Resources
    • Service: S3. Actions: Get Object, Delete Bucket. Resources: Bucket, Object
    • Service: EC2. Actions: Terminate Instances, Associate Address. Resources: Instance, AMI, EBS Volume
    • AWS policies can be applied to actions and resources. Compatibility is service-dependent.
    • http://docs.amazonwebservices.com/IAM/latest/UserGuide/Using_SpecificProducts.html
  • Policies - Example
      {
        "Statement": [
          {
            "Action": [ "s3:GetObject" ],
            "Effect": "Allow",
            "Resource": "arn:aws:s3:::testbucket/files/*",
            "Condition": {
              "DateLessThanEquals": { "aws:CurrentTime": "2012-05-31T12:00:00Z" },
              "IpAddress": { "aws:SourceIp": "1.1.1.1" }
            },
            "Principal": { "AWS": [ "123456789012" ] }
          }
        ]
      }
    • Action: which service? Which actions?
    • Effect: allow or deny?
    • Resource: which resource?
    • Condition: any conditions? (optional)
    • Principal: to whom does the policy apply?
    • http://awspolicygen.s3.amazonaws.com/policygen.html
  • Controlling Network Traffic in AWS (diagram: App Server -> TCP 3306 -> DB Server)
    • Cisco configuration: permit tcp host 1.1.1.1 host 2.2.2.2 eq 3306
    • AWS configuration: ec2-authorize db -P tcp -p 3306 -s app
  • Security Groups & ACLs
      Type                 Stateful  Ingress  Egress  EC2  VPC  Cross-Account  Dynamic Membership
      EC2 Security Group   Y         Y        N       Y    N    Y              N
      VPC Security Group   Y         Y        Y       N    Y    N              Y
      DB Security Group    Y         Y        N       Y    Y    Y              Y
      VPC Network ACL      N         Y        Y       N    Y    N/A            N/A
  • AWS Security-Related Services
    • Identity and Access Management (IAM)
      • Multi-Factor Authentication (MFA)
      • Security Token Service (STS)
    • Virtual Private Cloud (VPC)
  • AWS Security Gotchas
    • AWS Limits
    • IP Addresses in EC2
    • Elastic Load Balancing Security
    • S3 Policies and Object Ownership
    • AWS Resource Logging
    • Delivering Credentials to Instances
  • AWS Limits
    • "Because the cloud is infinite if your requirements are moderate"
    • Many AWS services have a variety of limits
      • Some of which are easily discoverable
    • AWS services also have throttling (i.e. max RPS)
    • Beware of self DoS via automation and autoscaling
    • NOTE: http://aws.amazon.com/contact-us/ for limit increase requests
    • NOTE: Track limits and inspect error messages
  • EC2 IP Addresses
    • Each instance has two IPs - private and public
        # ec2-metadata
        ...
        local-hostname: ip-10-245-134-152.ec2.internal
        local-ipv4: 10.245.134.152
        ...
        public-hostname: ec2-72-44-52-70.compute-1.amazonaws.com
        public-ipv4: 72.44.52.70
        ...
    • Name resolution depends on client location
        # ec2-metadata -o
        local-ipv4: 10.245.134.152
        # dig +short ec2-72-44-52-70.compute-1.amazonaws.com
        10.245.134.152
        # dig @8.8.4.4 +short ec2-72-44-52-70.compute-1.amazonaws.com
        72.44.52.70
  • EC2 IP Addresses
    • Both public and private IPs are dynamic
      • Elastic IPs can be used for persistent public IPs
    • Within a region, instances use their private IPs
    • Across regions & for Internet traffic, the public IP is used
    • NOTE: Traffic to the public IP/EIP:
      • Incurs regional data transfer costs
      • Is less performant in-region
      • Does not preserve source security group info
  • Elastic Load Balancers (diagram: Internet -> ELB -> Instance, Instance, Instance)
    • Service availability and traffic balancing across EC2 instances
    • Stable DNS for publicly-facing services
      • Alias to the ELB DNS CNAME
    • SSL termination, session stickiness, etc.
  • Elastic Load Balancers
    • ELB intercepts and forwards traffic
    • Traffic loses source IP
      • Client IP is accessible via X-Forwarded-For
    • Backend instances must allow traffic from the ELB
      • Traffic from ELB == Traffic from Internet
    • Without additional (non security group) filtering, ELBs should only be used for public use cases
    • NOTE: VPC ELBs can use security groups for limiting access
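The two ELB points above (the client address survives only in X-Forwarded-For, and a classic ELB forwards anything the Internet sends) are often handled wrongly in application code by trusting the first address in the header. The following is an added example, not code from the talk or from Netflix; it assumes the ELB appends the address it accepted the connection from as the last entry of X-Forwarded-For, and the header values, networks and helper names are constructed for illustration.

```python
import ipaddress

# Constructed sample headers as an instance behind an ELB might receive them.
# The ELB appends the address it accepted the connection from as the LAST
# entry; anything to the left arrived from the client and may be forged.
SAMPLE_HEADERS = {
    "direct client": "203.0.113.9",
    "client spoofing a private hop": "10.0.0.5, 203.0.113.9",
    "garbage": "not-an-ip",
}


def client_ip_from_xff(xff_header, trusted_hops=1):
    """Return the client address as seen by the trusted proxy chain, or None.

    trusted_hops is the number of proxies you control that append to the
    header (1 when only the ELB sits in front of the instance; 2 if, for
    example, a CDN you trust sits in front of the ELB). Entries further left
    are never trusted because the client controls them.
    """
    if not xff_header:
        return None
    hops = [h.strip() for h in xff_header.split(",") if h.strip()]
    if len(hops) < trusted_hops:
        return None
    candidate = hops[-trusted_hops]
    try:
        return str(ipaddress.ip_address(candidate))
    except ValueError:
        return None  # malformed entry: treat as unknown rather than guessing


def is_allowed_client(ip, allowed_networks):
    """Application-layer allow-list for the case the slide warns about: a
    classic ELB forwards Internet traffic, so a security group alone cannot
    restrict who reaches the backend. True if ip falls in any listed network."""
    if ip is None:
        return False
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n, strict=False) for n in allowed_networks)


if __name__ == "__main__":
    allowed = ["203.0.113.0/24"]  # constructed allow-list
    for label, header in SAMPLE_HEADERS.items():
        ip = client_ip_from_xff(header)
        print(f"{label:32} -> {ip} allowed={is_allowed_client(ip, allowed)}")
```

The allow-list only helps if the instance is reachable solely through the ELB; if clients can hit the instance directly, they can write the whole header themselves, which is why the slide recommends VPC ELBs with security groups where access must be limited.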
  • S3 Policies and Object Ownership
    • S3 bucket similar to container, object similar to a file
    • Access control can be applied via bucket policy, bucket ACL, and object ACLs
    • NOTE: Objects only inherit bucket-level permissions if written by bucket owner
      • Default ACL is "object creator: full control"
      • Objects written by non bucket owner are inaccessible by bucket owner
    • Use "x-amz-acl" header on write to fix permissions
  • AWS Resource Logging
    • AWS APIs and resources are publicly (Internet) accessible
    • So, your management interfaces, file store, databases, etc. are publicly addressable
    • Preventing access is generally possible through policy configuration
    • NOTE: AWS provides no capability for logging or auditing resource access
  • Delivering Credentials to EC2 Instances
    • AWS becomes more valuable when leveraging multiple services (e.g. EC2 + SQS, S3, etc.)
    • Access to resources will generally require credentials
    • Secure delivery and storage of credentials becomes difficult with scale and automation
    • Some ideas:
      • http://shlomoswidler.com/2009/08/how-to-keep-your-aws-credentials-on-ec2.html
  • AWS Security Recommendations
    • Systematic Approach to AWS Security
    • Shared Responsibility
    • AWS Management
    • AWS Security Features and Services
    • Resource Security
    • Operations Security
  • Systematic Approach to AWS Security
    • Understand shared responsibility model
    • Management of AWS
    • AWS security features and services
    • AWS resource security
    • Secure AWS operations
  • Shared Responsibility
    • Analyze what each side provides in terms of security controls
    • Understand legal/contractual aspects
    • Make plans to bridge any gaps
    • https://wiki.cloudsecurityalliance.org/guidance/index.php/Cloud_Computing_Architectural_Framework
    • http://www.computer.org/csdl/mags/sp/2011/02/msp2011020050-abs.html
  • AWS Management
    • No longer any reason to not use IAM
    • Enable:
      • IAM
      • MFA (for account and IAM accounts)
    • Create groups and assign permissions appropriate for organizational model
    • Consider using separate top-level accounts for compartmentalization
  • AWS Security Features and Services
    • Understand security features, limitations, and options of the features you use
      • S3 - encryption, MFA delete, versioning
      • EC2 - dedicated instances, disabling API termination
    • Consider VPC based on use cases and requirements
  • AWS Resource Security
    • Review access requirements for AWS resources
      • S3 buckets, SimpleDB domains, SQS queues
    • Apply resource policies to control access appropriately
    • Use policy conditions to enhance security
      • SourceIP, CurrentTime, SecureTransport
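To make concrete what the Action, Effect, Resource, Condition and Principal parts of the "Policies - Example" statement do, and how the SourceIP, CurrentTime and SecureTransport conditions recommended above restrict a request, here is an added example: a deliberately simplified evaluator, not AWS code and not a faithful model of IAM (it handles only the three condition operators used, exact and wildcard matching, explicit deny precedence and default deny). The aws:SecureTransport condition added to the slide's policy and the sample request are assumptions constructed for the example.

```python
import ipaddress
from datetime import datetime, timezone
from fnmatch import fnmatchcase

# The statement from the "Policies - Example" slide, plus an aws:SecureTransport
# condition (an assumption added here to show the third condition key the
# "AWS Resource Security" slide recommends).
POLICY = {
    "Statement": [
        {
            "Action": ["s3:GetObject"],
            "Effect": "Allow",
            "Resource": "arn:aws:s3:::testbucket/files/*",
            "Condition": {
                "DateLessThanEquals": {"aws:CurrentTime": "2012-05-31T12:00:00Z"},
                "IpAddress": {"aws:SourceIp": "1.1.1.1"},
                "Bool": {"aws:SecureTransport": "true"},
            },
            "Principal": {"AWS": ["123456789012"]},
        }
    ]
}

# A constructed request that satisfies every part of the statement.
SAMPLE_REQUEST = {
    "principal": "123456789012",
    "action": "s3:GetObject",
    "resource": "arn:aws:s3:::testbucket/files/report.csv",
    "context": {
        "aws:CurrentTime": "2012-05-01T09:30:00Z",
        "aws:SourceIp": "1.1.1.1",
        "aws:SecureTransport": "true",
    },
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _parse_time(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def _condition_holds(operator, key, expected, context):
    """Evaluate one condition; a key missing from the request context fails."""
    actual = context.get(key)
    if actual is None:
        return False
    if operator == "DateLessThanEquals":
        return _parse_time(actual) <= _parse_time(expected)
    if operator == "IpAddress":
        # A bare address such as 1.1.1.1 is treated as a /32 network
        return ipaddress.ip_address(actual) in ipaddress.ip_network(expected, strict=False)
    if operator == "Bool":
        return str(actual).lower() == str(expected).lower()
    raise ValueError(f"condition operator not modelled here: {operator}")


def _statement_matches(stmt, request):
    """True if principal, action, resource and every condition match."""
    principals = _as_list(stmt.get("Principal", {}).get("AWS", []))
    if "*" not in principals and request["principal"] not in principals:
        return False
    if not any(fnmatchcase(request["action"], a) for a in _as_list(stmt["Action"])):
        return False
    if not any(fnmatchcase(request["resource"], r) for r in _as_list(stmt["Resource"])):
        return False
    for operator, pairs in stmt.get("Condition", {}).items():
        for key, expected in pairs.items():
            if not _condition_holds(operator, key, expected, request["context"]):
                return False
    return True


def is_allowed(policy, request):
    """Default deny; a matching Deny beats any Allow; otherwise a matching Allow grants."""
    allowed = False
    for stmt in policy["Statement"]:
        if not _statement_matches(stmt, request):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def with_context(request, overrides):
    """Copy of request with some context keys replaced (used to probe each condition)."""
    changed = dict(request, context=dict(request["context"]))
    changed["context"].update(overrides)
    return changed


if __name__ == "__main__":
    print("as written:", is_allowed(POLICY, SAMPLE_REQUEST))
    print("from 2.2.2.2:", is_allowed(POLICY, with_context(SAMPLE_REQUEST, {"aws:SourceIp": "2.2.2.2"})))
    print("over plain HTTP:", is_allowed(POLICY, with_context(SAMPLE_REQUEST, {"aws:SecureTransport": "false"})))
    print("after expiry:", is_allowed(POLICY, with_context(SAMPLE_REQUEST, {"aws:CurrentTime": "2012-06-01T00:00:00Z"})))
```

Each probe flips exactly one of the statement's parts, which is a useful habit when reviewing a resource policy: the request is allowed only while every part matches, so a condition that is satisfied by default (a missing SecureTransport check, an overly wide SourceIp range) is what to look for.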
  • Secure AWS Operations
    • Understand security group/ACL differences
      • Design and implement according to architectural requirements
    • Actively manage and monitor accounts and credentials
  • Other Recommendations
    • Tools like boto are useful for security monitoring and analysis
    • Keep an eye on:
      • http://aws.typepad.com/
      • @jeffbarr
      • AWS Endpoints: http://docs.amazonwebservices.com/general/latest/gr/rande.html
      • EC2 IP Ranges: https://forums.aws.amazon.com/forum.jspa?forumID=30
  • Takeaways
    • AWS provides an array of services that allow you to construct and operate large scale web services in a self-service, pay as you go model
    • The cloud operating model requires you to understand the security responsibilities of both provider and consumer
    • Understanding AWS' security features and capabilities and taking a systematic approach to AWS security will help ensure optimized and secure service use
  • Thanks! Questions? chan@netflix.com
  • Backup Slides
  • Cloud and Platform Engineering
    • Engineering Tools: orchestration, build and deployment
    • Cloud Solutions: monitoring, consulting, Simian Army
    • CORE: 24/7 site reliability
    • Platform Engineering: core shared components and libraries
    • Security: application, engineering, and operational
    • Cloud Database Engineering: Cassandra, SDB, RDS
    • Cloud Performance: testing, optimization, cost
    • Cloud Architecture: overall design patterns
  • Netflix PaaS
    • Supports all AWS regions and availability zones
    • Supports multiple AWS accounts
    • One-click deployment and load balancing across three datacenters
    • Cross-region and account data replication and archive
    • Dynamic and fine-grained security
    • Automatic scaling to thousands of instances
    • Monitoring for millions of metrics
    • Base server and client
    • I18n, L10n, geo IP routing
    • http://www.slideshare.net/netflix
  • Security Monkey http://techblog.netflix.com/2011/07/netflix-simian-army.html
    • Centralized framework for cloud security monitoring and analysis
    • Leverages AWS APIs and common security tools
  • Security Monkey
    • Certificate monitoring
    • Security group monitoring
    • Exposed instances/applications
    • Web application vulnerability scanning
    • Upcoming:
      • Policy analysis (firewall, user, S3, etc.)
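The "Other Recommendations" slide says tools like boto are useful for security monitoring, and the Security Monkey slides list security group monitoring as one of its checks. The following is an added example of the kind of check such monitoring performs; it is not Security Monkey's code and not boto output. The security groups are hand-built sample data whose dict fields are modelled on the attributes boto exposes on a rule (an assumption), and the set of ports treated as sensitive is likewise an assumption to tune for your own fleet.

```python
import ipaddress

# Ports whose exposure to the whole Internet is almost always unintended
# (assumption; tune to what your fleet actually runs).
SENSITIVE_PORTS = {
    22: "ssh", 3306: "mysql", 3389: "rdp", 5432: "postgres", 6379: "redis", 27017: "mongodb",
}

# Constructed security groups. The dict shape mirrors the fields boto exposes on
# a rule (ip_protocol, from_port, to_port, CIDR grants, group grants), but this
# is hand-built sample data, not API output. Note that the "db" group also has
# the intended rule from the talk: 3306 granted to the "app" group, not a CIDR.
SAMPLE_GROUPS = [
    {"name": "app", "rules": [
        {"ip_protocol": "tcp", "from_port": 80, "to_port": 80, "cidrs": ["0.0.0.0/0"], "groups": []},
        {"ip_protocol": "tcp", "from_port": 22, "to_port": 22, "cidrs": ["203.0.113.0/24"], "groups": []},
    ]},
    {"name": "db", "rules": [
        {"ip_protocol": "tcp", "from_port": 3306, "to_port": 3306, "cidrs": [], "groups": ["app"]},
        {"ip_protocol": "tcp", "from_port": 3306, "to_port": 3306, "cidrs": ["0.0.0.0/0"], "groups": []},
    ]},
    {"name": "legacy", "rules": [
        {"ip_protocol": "-1", "from_port": None, "to_port": None, "cidrs": ["0.0.0.0/0"], "groups": []},
    ]},
]


def _is_world_open(cidr):
    """0.0.0.0/0 or ::/0, however it is written."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def _sensitive_ports_in(rule):
    """Sensitive ports covered by one rule; protocol -1 / no ports means everything."""
    if rule["ip_protocol"] == "-1" or rule["from_port"] is None:
        return set(SENSITIVE_PORTS)
    if rule["ip_protocol"] != "tcp":
        return set()
    return {p for p in SENSITIVE_PORTS if rule["from_port"] <= p <= rule["to_port"]}


def find_world_open_sensitive(groups):
    """Return (group, port, service, cidr) for every sensitive port reachable from anywhere.

    Grants by security group or by a specific CIDR are not reported: those are
    the intended way to express "app may talk to db on 3306"."""
    findings = []
    for group in groups:
        for rule in group["rules"]:
            world = [c for c in rule.get("cidrs", []) if _is_world_open(c)]
            if not world:
                continue
            for port in sorted(_sensitive_ports_in(rule)):
                for cidr in world:
                    findings.append((group["name"], port, SENSITIVE_PORTS[port], cidr))
    return findings


if __name__ == "__main__":
    for name, port, service, cidr in find_world_open_sensitive(SAMPLE_GROUPS):
        print(f"{name}: {service} (tcp/{port}) open to {cidr}")
```

In production the groups list would be filled from a describe call over every account and region (the slides recommend separate top-level accounts, so the loop has to span them), and the findings diffed against the previous run so that only new exposures page anyone.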
  • References
    • http://www.slideshare.net/netflix
    • http://techblog.netflix.com
    • https://cloudsecurityalliance.org/