Security best practices on AWS

Martin Yan – Head of Enterprise Sales, AWS HK/Taiwan
Security best practices on AWS cloud

Published in: Technology

Transcript of "Security best practices on AWS cloud"

Slide 1: Security best practices on AWS
Martin Yan – Head of Enterprise Sales, AWS HK/Taiwan

Slide 2: What we will cover today
1. Quick intro on AWS
2. Understanding shared responsibility for security
3. Using AWS global reach and availability features
4. Building a secure virtual private cloud
5. Using AWS Identity and Access Management
6. Protecting your content on AWS
7. Building secure applications on AWS

Slide 3 (section divider): 1. Quick intro on AWS

Slide 4: What is AWS?
Service layers, top to bottom:
• Deployment & Administration
• Application Services
• Compute, Storage, Networking, Database
• AWS Global Infrastructure

Slide 5: AWS Global Infrastructure
• 9 Regions
• 25+ Availability Zones
• Continuous expansion

Slide 6:
• $5.2B retail business
• 7,800 employees
• A whole lot of servers
Every day, AWS adds enough server capacity to power that whole $5B enterprise.

Slide 7: Solving Problems for Organizations Around the World

Slide 8: Compute Services
• Amazon EC2: elastic virtual servers in the cloud
• Auto Scaling: automated scaling of EC2 capacity
• Elastic Load Balancing: dynamic traffic distribution

Slide 9: Networking Services
• Amazon VPC: private, isolated section of the AWS Cloud
• AWS DirectConnect: private connectivity between AWS and your datacenter
• Amazon Route 53: Domain Name System (DNS) web service

Slide 10: Storage Services
• Amazon EBS: block storage for use with Amazon EC2
• Amazon S3: Internet-scale storage via API
• Amazon Glacier: storage for archiving and backup
• AWS Storage Gateway: integrates on-premises IT and AWS storage

Slide 11: Application Services
• Amazon RDS: managed relational database service
• Amazon DynamoDB: managed NoSQL database service
• Amazon CloudFront: distribute content globally
• Amazon CloudSearch: managed search service

Slide 12: Big Data Services
• Amazon EMR (Elastic Map Reduce): hosted Hadoop framework
• Amazon Redshift: petabyte-scale data warehouse service
• AWS Data Pipeline: move data among AWS services and on-premises data sources

Slide 13: Deployment & Administration
• Amazon CloudWatch: monitor resources
• AWS IAM (Identity & Access Management): manage users, groups & permissions
• AWS OpsWorks: Dev-Ops framework for application lifecycle management
• AWS CloudFormation: templates to deploy & manage
• AWS Elastic Beanstalk: automate resource management

Slide 14 (section divider): 2. Understanding shared responsibility for security

Slide 15: Every customer has access to the same security capabilities
AWS maintains a formal control environment:
• SOC 1 (SSAE 16 & ISAE 3402) Type II (was SAS70)
• SOC 2 Type 1
• ISO 27001 Certification
• Certified PCI DSS Level 1 Service Provider
• FedRAMP (FISMA), ITAR, FIPS 140-2
• HIPAA and MPAA capable
These controls cover the foundation services (compute, storage, database, networking) and the AWS global infrastructure (Regions, Availability Zones, edge locations).

Slide 16: Security is a shared responsibility between AWS and our customers
Customers are responsible for:
• Customer content
• Platform, applications, identity & access management
• Operating system, network & firewall configuration
• Client-side data encryption, server-side data encryption, network traffic protection
Customers configure AWS security features, get access to a mature vendor marketplace, can implement and manage their own controls, and gain additional assurance above AWS controls.
AWS is responsible for:
• Foundation services: compute, storage, database, networking
• AWS global infrastructure: Availability Zones, edge locations, Regions
• Culture of security and continual improvement
• Ongoing audits and assurance
• Protection of large-scale service endpoints

Slide 17: You can build end-to-end compliance, certification and audit
• Your compliant solutions: achieve PCI, HIPAA and MPAA compliance
• Your certifications: certify against ISO 27001 with a reduced scope
• Your external audits and attestations: have key controls audited or publish your own independent attestations
These build on the AWS foundation services, global infrastructure and control environment listed on the previous slide.

Slide 18: Customers retain full ownership and control of their content
Customers retain ownership of their intellectual property and content:
• Customers manage their privacy objectives how they choose to
• Select the AWS geographical Region; there is no automatic replication elsewhere
• Customers can encrypt their content, retain management and ownership of keys and implement additional controls to protect their content within AWS
The security of our services and customers is key to AWS:
• Security starts at the top in Amazon with a dedicated CISO and strong cultural focus
• Dedicated internal teams constantly looking at the security of our services
• AWS support personnel have no access to customer content

Slide 19 (section divider): 3. Using AWS global reach and availability features

Slide 20: AWS lets customers choose where their content goes
Regions: US-EAST (Virginia), US-WEST (N. California), US-WEST (Oregon), GOV CLOUD, EU-WEST (Ireland), ASIA PAC (Tokyo), ASIA PAC (Singapore), ASIA PAC (Sydney), SOUTH AMERICA (Sao Paulo)

Slide 21: Take advantage of high availability in every Region
Availability Zones in every Region: US-EAST (Virginia), US-WEST (N. California), US-WEST (Oregon), GOV CLOUD, EU-WEST (Ireland), ASIA PAC (Tokyo), ASIA PAC (Singapore), ASIA PAC (Sydney), SOUTH AMERICA (Sao Paulo)

Slide 22: Use edge locations to serve content close to your customers
Edge locations: London (2), Seattle, New York (2), South Bend, Newark, Dublin, Palo Alto, Amsterdam, Stockholm, Tokyo, San Jose, Paris (2), Ashburn (2), Los Angeles (2), Frankfurt (2), Milan, Osaka, Jacksonville, Dallas (2), Hong Kong, Mumbai, Chennai, St. Louis, Miami, Singapore (2), Sao Paulo, Sydney

Slide 23: Build your solution for continuous, resilient operations
Scalable, fault tolerant services:
• Build resilient solutions operating in multiple datacenters
• AWS helps simplify active-active operations
• No need for a “Disaster Recovery Datacenter” when you can have resilience
All AWS facilities are always on:
• Every one managed to the same global standards
• Robust connectivity and bandwidth
• Each AZ has multiple, redundant Tier 1 ISP service providers
• Resilient network infrastructure

Slide 24 (section divider): 4. Building a secure virtual private cloud

Slide 25: Each AWS Region has multiple Availability Zones
Diagram: Availability Zone A and Availability Zone B within one Region.

Slide 26: Your VPC spans every Availability Zone in the Region

Slide 27: Customers control their VPC IP address ranges
Choose your VPC address range:
• Your own private, isolated section of the AWS cloud
• Every VPC has a private IP address space
• The maximum CIDR block you can allocate is /16
• For example 10.0.0.0/16: this allows 256*256 = 65,536 IP addresses
Select an IP addressing strategy:
• You can’t change the VPC address space once it’s created
• Think about overlaps with other VPCs or existing corporate networks
• Don’t waste address space, but don’t constrain your growth either
Diagram: VPC A - 10.0.0.0/16 spanning Availability Zones A and B.
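Added example (not from the deck) that turns the addressing rules above into checks a practitioner can run before creating a VPC: the /16 limit and address count, overlap with existing ranges, and carving the /24 subnets used in the following slides. It assumes the /28 lower bound on a VPC block and the five reserved addresses per subnet, neither of which the slide mentions.

```python
import ipaddress
from typing import Iterable, List

# AWS limits a VPC CIDR block to between /16 (the largest, as the slide says) and /28.
LARGEST_PREFIX, SMALLEST_PREFIX = 16, 28
# AWS reserves the first four and the last address of every subnet (not stated on the slide).
RESERVED_PER_SUBNET = 5


def is_valid_vpc_cidr(cidr: str) -> bool:
    """True if `cidr` is a network address (no host bits set) within the /16../28 range."""
    try:
        net = ipaddress.ip_network(cidr, strict=True)
    except ValueError:  # e.g. "10.0.1.5/16": host bits set, so not a network address
        return False
    return LARGEST_PREFIX <= net.prefixlen <= SMALLEST_PREFIX


def vpc_capacity(cidr: str) -> int:
    """Number of addresses in the VPC block, e.g. 10.0.0.0/16 -> 256*256 = 65,536."""
    if not is_valid_vpc_cidr(cidr):
        raise ValueError(f"{cidr} is not an acceptable VPC CIDR block")
    return ipaddress.ip_network(cidr).num_addresses


def overlapping_networks(new_cidr: str, existing: Iterable[str]) -> List[str]:
    """Every range in `existing` (other VPCs, corporate networks) that overlaps the new VPC.
    An empty list means the block can later be connected to those networks without renumbering."""
    new = ipaddress.ip_network(new_cidr)
    return [c for c in existing if new.overlaps(ipaddress.ip_network(c))]


def plan_subnets(vpc_cidr: str, new_prefix: int = 24, count: int = 5, skip: int = 0) -> List[str]:
    """Carve `count` consecutive /new_prefix subnets out of the VPC, skipping the first `skip`.
    With skip=1 on 10.0.0.0/16 this yields 10.0.1.0/24 .. 10.0.5.0/24 as in the slide diagrams."""
    subnets = list(ipaddress.ip_network(vpc_cidr).subnets(new_prefix=new_prefix))
    chosen = subnets[skip:skip + count]
    if len(chosen) < count:
        raise ValueError("VPC block too small for the requested subnets")
    return [str(s) for s in chosen]


def usable_hosts(subnet_cidr: str) -> int:
    """Addresses an EC2 instance can actually take in the subnet (251 for a /24)."""
    return ipaddress.ip_network(subnet_cidr).num_addresses - RESERVED_PER_SUBNET


if __name__ == "__main__":
    # Constructed example: a corporate network and a second private range already in use.
    existing = ["10.0.0.0/8", "172.16.0.0/12"]
    print(vpc_capacity("10.0.0.0/16"))                    # 65536
    print(overlapping_networks("10.0.0.0/16", existing))  # ['10.0.0.0/8']
    print(plan_subnets("10.0.0.0/16", 24, 5, skip=1))     # 10.0.1.0/24 .. 10.0.5.0/24
```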
Slide 28: We will concentrate on a single Availability Zone just now
Diagram: VPC A - 10.0.0.0/16, Availability Zone A.

Slide 29: Segment your VPC address space into multiple subnets
Diagram: VPC A - 10.0.0.0/16, Availability Zone A, with a NAT and EC2 instances in subnets 10.0.1.0/24, 10.0.2.0/24, 10.0.3.0/24, 10.0.4.0/24 and 10.0.5.0/24.

Slide 30: Place your EC2 instances in subnets according to your design
Diagram: web servers in 10.0.1.0/24, app servers in 10.0.2.0/24, jump and log hosts in the remaining subnets (10.0.3.0/24, 10.0.4.0/24, 10.0.5.0/24), plus a NAT.

Slide 31: Use VPC security groups to firewall your instances
Example rule: “Web servers can connect to app servers on port 8080”

Slide 32: Each instance can be in up to five security groups
Example rules: “Web servers can connect to app servers on port 8080”; “Allow outbound connections to the log server”

Slide 33: Use separate security groups for applications and management
Example rules: the two above, plus “Allow SSH and ICMP from hosts in the Jump Hosts security group”

Slide 34: The VPC router will allow any subnet to route to another in the VPC
Diagram: the same subnets, now with the VPC router shown between them.

Slide 35: Use Network Access Control Lists to restrict internal VPC traffic

Slide 36: Use Network Access Control Lists to restrict internal VPC traffic
Example rule: “Deny all traffic between the web server subnet and the database server subnet”

Slide 37: Use Network Access Control Lists for defence in depth
NACLs are optional:
• Applied at subnet level, stateless and permit all by default
• ALLOW and DENY
• Applies to all instances in the subnet
• Use as a second line of defence
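Added example, not from the deck, modelling the NACL layer above the way AWS evaluates it: numbered first-match rules with an implicit final deny, applied statelessly to all four legs of one TCP session, which is why a reply rule for ephemeral ports is needed. The database subnet (10.0.3.0/24) and the exact rule sets are assumptions; the deck names only the web (10.0.1.0/24) and app (10.0.2.0/24) subnets.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass(frozen=True)
class Rule:
    number: int             # rules are evaluated lowest number first; first match wins
    protocol: str           # "tcp", "udp", "icmp" or "all"
    ports: Tuple[int, int]  # inclusive port range, ignored when protocol is "all"
    cidr: str               # source CIDR for inbound rules, destination CIDR for outbound
    action: str             # "allow" or "deny"


@dataclass
class Nacl:
    inbound: List[Rule] = field(default_factory=list)
    outbound: List[Rule] = field(default_factory=list)


def nacl_decision(rules: List[Rule], remote_ip: str, protocol: str, port: int) -> bool:
    """Evaluate one direction of a NACL: numbered rules, first match wins, and the implicit
    final '*' rule denies anything that no numbered rule matched."""
    ip = ipaddress.ip_address(remote_ip)
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.protocol not in ("all", protocol):
            continue
        if rule.protocol != "all" and not rule.ports[0] <= port <= rule.ports[1]:
            continue
        if ip in ipaddress.ip_network(rule.cidr):
            return rule.action == "allow"
    return False


def tcp_session_allowed(client: Nacl, server: Nacl, client_ip: str, server_ip: str,
                        port: int, ephemeral_port: int = 49152) -> Tuple[bool, str]:
    """NACLs are stateless, so one TCP session crosses four rule sets: the request leaves the
    client subnet and enters the server subnet, then the reply (to an ephemeral port) leaves
    the server subnet and enters the client subnet. Returns (allowed, stage that decided)."""
    stages = [
        ("client outbound", client.outbound, server_ip, port),
        ("server inbound", server.inbound, client_ip, port),
        ("server outbound", server.outbound, client_ip, ephemeral_port),
        ("client inbound", client.inbound, server_ip, ephemeral_port),
    ]
    for name, rules, remote, p in stages:
        if not nacl_decision(rules, remote, "tcp", p):
            return False, name
    return True, "allowed"


# Constructed NACLs for the slide's VPC. Assumed layout: web 10.0.1.0/24, app 10.0.2.0/24,
# database 10.0.3.0/24 (the deck does not say which subnet holds the databases).
VPC = "10.0.0.0/16"
WEB_NACL = Nacl(inbound=[Rule(100, "tcp", (1024, 65535), VPC, "allow")],
                outbound=[Rule(100, "all", (0, 0), "0.0.0.0/0", "allow")])
APP_NACL = Nacl(inbound=[Rule(100, "tcp", (1024, 65535), VPC, "allow"),
                         Rule(110, "tcp", (8080, 8080), "10.0.1.0/24", "allow")],
                outbound=[Rule(100, "all", (0, 0), "0.0.0.0/0", "allow")])
DB_NACL = Nacl(
    inbound=[Rule(100, "all", (0, 0), "10.0.1.0/24", "deny"),  # the slide's deny rule
             Rule(200, "tcp", (3306, 3306), VPC, "allow")],
    outbound=[Rule(100, "tcp", (1024, 65535), VPC, "allow")],  # replies to ephemeral ports
)
# Same inbound rules, but the outbound reply rule was forgotten: every session breaks.
DB_NACL_NO_REPLY_RULE = Nacl(inbound=DB_NACL.inbound, outbound=[])
```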
Slide 38: Use Elastic Load Balancers to distribute traffic between instances
Diagram: an Elastic Load Balancer in front of several web EC2 instances in 10.0.1.0/24.

Slide 39: Elastic Load Balancers are also placed in security groups

Slide 40: Your security can scale up and down with your solution
Elastic load balancers:
• Instances can automatically be added and removed from the balancing pool using rules
Auto scaling:
• You can add instances into security groups at launch time

Slide 41 (section divider): 5. Using AWS Identity and Access Management

Slide 42: You have fine grained control of your AWS environment
AWS IAM enables you to securely control access to AWS services and resources:
• Fine grained control of user permissions, resources and actions
• Now includes support for RunInstances
• Add multi-factor authentication: hardware token or smartphone apps
• Test out your new policies using the Identity and Access Management policy simulator

Slide 43: Segregate duties between roles with IAM
You get to choose who can do what in your AWS environment and from where. Below the AWS account owner (master), separate roles for:
• Network management
• Security management
• Server management
• Storage management
Diagram: VPC A - 10.0.0.0/16 with subnets 10.0.1.0/24 and 10.0.2.0/24 in separate Availability Zones, a router, an Internet gateway and a customer gateway (“manage and operate”).

Slide 44: Use AWS CloudTrail (beta) to track access to APIs and IAM
Increase your visibility of what happened in your AWS environment:
• CloudTrail will record access to API calls and save logs in your S3 buckets, no matter how those API calls were made
• Who did what and when and from what IP address
• Be notified of log file delivery using the AWS Simple Notification Service
• Support for many AWS services including EC2, EBS, VPC, RDS, IAM, STS and Redshift
• Aggregate log information into a single S3 bucket
Out of the box integration with log analysis tools from AWS partners including Splunk, AlertLogic and SumoLogic.

Slide 45: AWS CloudTrail logs can be used for many powerful use cases
CloudTrail can help you achieve many tasks:
• Security analysis
• Track changes to AWS resources, for example VPC security groups and NACLs
• Compliance: understand AWS API call history
• Troubleshoot operational issues: quickly identify the most recent changes to your environment
CloudTrail is currently available in US-WEST1 and US-EAST1.
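Added example (not part of the deck) of the “track changes to security groups and NACLs” use case: it walks a CloudTrail log file and reports who changed a firewall rule, when, from which IP, whether the session was MFA-authenticated and whether the rule opens 0.0.0.0/0. The record layout follows CloudTrail's JSON; the three sample records, IDs and addresses are constructed.

```python
from typing import Any, Dict, List

# EC2 API calls that change VPC firewall state: security group rules and NACL entries.
NETWORK_CHANGE_EVENTS = {
    "AuthorizeSecurityGroupIngress", "AuthorizeSecurityGroupEgress",
    "RevokeSecurityGroupIngress", "RevokeSecurityGroupEgress", "DeleteSecurityGroup",
    "CreateNetworkAclEntry", "ReplaceNetworkAclEntry", "DeleteNetworkAclEntry",
}


def _opens_to_world(params: Dict[str, Any]) -> bool:
    """True if any IP permission in the request grants access to 0.0.0.0/0."""
    for perm in (params.get("ipPermissions") or {}).get("items", []):
        for rng in (perm.get("ipRanges") or {}).get("items", []):
            if rng.get("cidrIp") == "0.0.0.0/0":
                return True
    return False


def network_changes(log: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Reduce a CloudTrail log file ({"Records": [...]}) to the firewall changes it contains:
    who, when, from which IP, which resource, MFA state, world-open rules, and success."""
    findings = []
    for rec in log.get("Records", []):
        if rec.get("eventName") not in NETWORK_CHANGE_EVENTS:
            continue
        ident = rec.get("userIdentity") or {}
        attrs = (ident.get("sessionContext") or {}).get("attributes") or {}
        params = rec.get("requestParameters") or {}
        findings.append({
            "time": rec.get("eventTime"),
            "who": ident.get("userName") or ident.get("arn"),
            "from_ip": rec.get("sourceIPAddress"),
            "action": rec["eventName"],
            "resource": params.get("groupId") or params.get("networkAclId"),
            "mfa": attrs.get("mfaAuthenticated") == "true",
            "world_open": _opens_to_world(params),
            "succeeded": "errorCode" not in rec,   # CloudTrail adds errorCode on failed calls
        })
    return findings


def risky_changes(log: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Changes worth an analyst's attention first: world-open rules or changes made without MFA."""
    return [f for f in network_changes(log) if f["world_open"] or not f["mfa"]]


# Constructed sample log in the CloudTrail file layout; IDs, users and addresses are made up.
SAMPLE_LOG = {"Records": [
    {"eventTime": "2013-11-20T09:12:41Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "IAMUser", "userName": "netops-bob",
                      "sessionContext": {"attributes": {"mfaAuthenticated": "false"}}},
     "requestParameters": {"groupId": "sg-0000example", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
          "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
    {"eventTime": "2013-11-20T09:15:02Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DeleteNetworkAclEntry", "sourceIPAddress": "10.0.4.15",
     "userIdentity": {"type": "IAMUser", "userName": "secops-alice",
                      "sessionContext": {"attributes": {"mfaAuthenticated": "true"}}},
     "requestParameters": {"networkAclId": "acl-0000example", "ruleNumber": 100, "egress": False}},
    {"eventTime": "2013-11-20T09:16:30Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "sourceIPAddress": "10.0.4.15",
     "userIdentity": {"type": "IAMUser", "userName": "secops-alice"},
     "requestParameters": {"instanceType": "m1.small"}},
]}
```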
Slide 46 (section divider): 6. Protecting your content on AWS

Slide 47: AWS has many different content storage services
S3, RDS, EBS, Redshift

Slide 48: Making use of available Amazon S3 security features
Configure S3 access controls at bucket and object level:
• Restrict access and rights as tightly as possible and regularly review access logs
• Use versioning for important files, with MFA required for delete
Use S3 cryptographic features:
• Use SSL to protect data in transit
• S3 server-side encryption: AWS will transparently encrypt your objects using AES-256 and manage the keys on your behalf
• S3 client-side encryption: encrypt information before sending it to S3; build yourself or use the AWS Java SDK
• Use MD5 checksums to verify the integrity of objects loaded into S3
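Added example, not from the deck, of the MD5 integrity check in the last bullet: the Content-MD5 header value S3 checks on upload, and the ETag comparison on download, including the case where the ETag is not a plain MD5 (multipart uploads, SSE-KMS or SSE-C objects) and cannot be compared.

```python
import base64
import hashlib
import re

# A plain-MD5 ETag is exactly 32 hex digits, usually quoted. Multipart uploads produce
# "<hex>-<parts>" and SSE-KMS / SSE-C objects carry ETags that are not the object's MD5 at all.
_PLAIN_MD5_ETAG = re.compile(r'^"?([0-9a-f]{32})"?$')


def content_md5_header(data: bytes) -> str:
    """Value for the Content-MD5 request header on a PUT: base64 of the raw 16-byte MD5 digest.
    S3 rejects the upload if the body it received does not hash to this value."""
    return base64.b64encode(hashlib.md5(data).digest()).decode("ascii")


def verify_download(data: bytes, etag: str) -> str:
    """Compare a downloaded object against the ETag S3 returned.
    Returns "ok", "mismatch", or "not-comparable" when the ETag is not a plain MD5."""
    match = _PLAIN_MD5_ETAG.match(etag.strip())
    if not match:
        return "not-comparable"
    # MD5 here guards against corruption in transit or at rest, not against deliberate
    # substitution by someone who can also rewrite the object; that needs access control
    # and the encryption features listed on the slide.
    return "ok" if hashlib.md5(data).hexdigest() == match.group(1) else "mismatch"


if __name__ == "__main__":
    # Constructed object: an empty body, whose MD5 is the well-known d41d8cd9... value.
    body = b""
    print(content_md5_header(body))                                        # 1B2M2Y8AsgTpgAmY7PhCfg==
    print(verify_download(body, '"d41d8cd98f00b204e9800998ecf8427e"'))    # ok
    print(verify_download(body, '"d41d8cd98f00b204e9800998ecf8427e-2"'))  # not-comparable
```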
Slide 49: Making the most of Amazon RDS security features
RDS can reduce the security burden of running your databases:
• Limit security group access to RDS instances
• Limit RDS management plane access with AWS IAM permissions
Encrypt data in flight:
• Oracle Native Network Encryption; SSL for SQL Server, MySQL and PostgreSQL, especially if the database is accessible from the Internet
Encrypt data at rest in sensitive table space:
• Native RDS via SQL Server and Oracle Transparent Data Encryption
• Encrypt sensitive information at application level or use a DB proxy
Configure automatic patching of minor updates: let AWS do the heavy lifting for you within a maintenance window you choose.

Slide 50: Encrypting EBS volumes on Amazon EC2 instances
Roll your own encryption or use commercial solutions:
• Windows BitLocker or Linux LUKS for encrypted volumes and TrueCrypt for containers
• SafeNet Protect-V, Trend Secure Cloud, Voltage; some vendors offer boot volume encryption
• MapReduce volumes can use Gazzang
Managing encryption keys is critical and difficult!
• How will you manage keys and make sure they are available when required, for example at instance start-up?
• How will you keep them available and prevent loss?
• How will you rotate keys on a regular basis and keep them private?

Slide 51 (section divider): 7. Building secure applications on AWS

Slide 52: You decide how to configure your instance environment
You take responsibility for final configuration:
• Harden operating system and platforms: use standard hardening guides and techniques; apply latest security patches (Amazon maintains repositories)
• Use host-based protection software: think of how it will work in an elastic environment, where hosts may only be in use for hours before being replaced
• Think about how you will manage administrative users: restrict access as much as possible
• Build out the rest of your standard security environment: user administration, whitelisting and integrity, malware and IPS, vulnerability management, audit and logging, hardening and configuration
Diagram: AMI catalogue → launch instance → EC2 running instance (operating system) → configure instance → your instance.

Slide 53: Where you can go for help and further information
Browse and read AWS security whitepapers and good practices:
• http://aws.amazon.com/compliance
• http://aws.amazon.com/security
• Risk and compliance, including CSA questionnaire response
• Security best practices
• Audit and operational checklists to help you assess security before you go live
Sign up for AWS support:
• http://aws.amazon.com/support
• Get help when you need it most, as you grow
• Choose different levels of support with no long-term commitment

Slide 54: Get training and become AWS certified in your discipline
Get training from an instructor or try the self-paced labs:
• http://aws.amazon.com/training/
Become AWS certified and gain recognition and visibility:
• http://aws.amazon.com/certification
• Demonstrate that you have the skills, knowledge and expertise to design, deploy and manage projects and applications on the AWS platform
• Prove skills and foster credibility with your employer and peers
Choose your discipline, or do all of them!
• AWS Certified Solutions Architect – Associate Level
• AWS Certified Developer – Associate Level (Beta)
• AWS Certified SysOps Administrator – Associate Level (Beta)

Slide 55: Thank you for your time today
Any questions?
Martin Yan
ymartin@amazon.com