
A Practitioner's Guide to Securing Your Cloud (Like an Expert) (SEC203-R1) - AWS re:Invent 2018


New to AWS?  Given the number of AWS services there are, you may think that it’s going to take a lot of work to get your security house in order in the cloud.  In fact, across AWS, there are only a few simple patterns you need to know to be effective at security in the cloud.  In this session, we’ll focus on the permissions controls offered by Identity and Access Management (IAM) and the network security controls offered by Virtual Private Cloud (VPC).  You’ll walk away having seen concrete examples that illustrate the patterns that enable you to properly secure any workload in AWS.

  • The VPC section (p.42) is excellent.


  1. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. A Practitioner's Guide to Securing Your Cloud (Like an Expert). Becky Weiss, Senior Principal Engineer, AWS Identity. SEC203
  2. Agenda: Develop your cloud security know-how. Become familiar with the different types of AWS resources. Quickly get up to speed with a practical overview of AWS's identity-based and network-based security controls. Know how to interpret and implement AWS security controls. (Diagram: AWS cloud, with IAM and VPC controls.)
  5-17. Anatomy of a workload (a diagram built up one element per slide): an AWS region contains Availability Zones (three are shown); a Virtual private cloud spans them, with one VPC subnet per Availability Zone; EC2 instances sit in the subnets; an RDS DB instance has a standby in another Availability Zone; AWS Directory Service is deployed in two Availability Zones. Outside the VPC, but still in the region, sit an Amazon S3 bucket, an Amazon SQS queue and an Amazon DynamoDB table.
      Slide 15: the RDS endpoint resolves to an address inside the VPC's own address space:
        $ dig mydatabase.cumxp40klozz.us-east-2.rds.amazonaws.com +short
        10.0.51.81
      Slide 16: the SQS endpoint resolves to a public address:
        $ dig sqs.us-east-2.amazonaws.com +short
        52.95.18.51
  18. Determining a method for securing AWS resources. If it's in your VPC: Identity and Access Management (IAM) permissions, plus VPC network security controls. If it's not in your VPC: Identity and Access Management (IAM) permissions.
  20. The ABCs of AWS Identity and Access Management (IAM). I: Identity. IAM lets you create identities in your AWS Account who can make authenticated requests to AWS. AM: Access Management. IAM is your tool for defining who has permissions to do what to which resources in IAM. IAM is the AWS-wide permissions control system, so you need to know it.
  21. I is for Identity: Humans, which map to IAM users. (Diagram: each human user has an IAM user with a long-term security credential, which is used to call Amazon DynamoDB.)
  22. I is for Identity: Robots, which map to IAM roles. (Diagram: an EC2 instance, a Lambda function and Application Auto Scaling each use an IAM role to call Amazon DynamoDB.)
  23. I is for Identity: Humans with external identities. (Diagram: a corporate identity provider; corporate identities for developers map to the IAM role "Developers", corporate identities for analysts map to the IAM role "Analysts", and the roles are used to call Amazon DynamoDB.)
  24. Term: IAM principal. An IAM principal is an identity defined within an AWS Account. There are two kinds: IAM roles, which authenticate using short-lived credentials, and IAM users, which authenticate using long-lived credentials.
  25. How it works: Authenticating to AWS. This is done for you by the AWS Command Line Interface (AWS CLI) and the SDKs.
  26. Authenticating to AWS (done for you by the AWS CLI and SDKs). What a signed request looks like on the wire:

        POST https://dynamodb.us-east-2.amazonaws.com/ HTTP/1.1
        Host: dynamodb.us-east-2.amazonaws.com
        X-Amz-Date: 20180918T150746Z
        X-Amz-Target: DynamoDB_20120810.ListTables
        X-Amz-Security-Token: FQoGZXIvYXdzEKH////////// …
        Content-Type: application/x-amz-json-1.0
        Authorization: AWS4-HMAC-SHA256 Credential=ASIAXXXXXXXXXXXXXXXX/20180918/us-east-1/dynamodb/aws4_request, SignedHeaders=content-type;host;x-amz-date;x-amz-security-token;x-amz-target, Signature=c1b4bc2df0c47c86cbcfa54d932e8aaa455b6b7c38e65d840f722254add1ea9e
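As an added example (not from the deck, and not the AWS SDK's own code), the Python below builds an Authorization header of the same shape as the request on slide 26, following the Signature Version 4 steps: canonical request, string to sign, derived signing key, HMAC-SHA256 signature. It also shows the receiving side's check, which recomputes the signature from the request and the principal's secret and compares in constant time. The access key, secret key and session token are constructed placeholders, not working credentials.

```python
"""AWS Signature Version 4 request signing and verification (added example, constructed credentials)."""
import hashlib
import hmac


def _sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def sign_request(method, host, path, headers, body, access_key, secret_key,
                 region, service, session_token=None):
    """Return lower-cased headers with an Authorization header added (SigV4, empty query string)."""
    headers = {k.lower(): v for k, v in headers.items()}
    headers["host"] = host
    if session_token:
        headers["x-amz-security-token"] = session_token
    amz_date = headers["x-amz-date"]          # e.g. 20180918T150746Z
    date_stamp = amz_date[:8]                 # e.g. 20180918
    # Step 1: canonical request; every signed header is sorted and covered by the signature.
    signed_headers = ";".join(sorted(headers))
    canonical_headers = "".join(f"{k}:{headers[k].strip()}\n" for k in sorted(headers))
    canonical_request = "\n".join([method, path, "", canonical_headers,
                                   signed_headers, _sha256_hex(body)])
    # Step 2: string to sign, bound to the date, region and service (the credential scope).
    scope = f"{date_stamp}/{region}/{service}/aws4_request"
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                                _sha256_hex(canonical_request.encode())])
    # Step 3: derive a per-day, per-region, per-service signing key from the long-lived secret.
    k_date = _hmac(("AWS4" + secret_key).encode(), date_stamp)
    k_region = _hmac(k_date, region)
    k_service = _hmac(k_region, service)
    k_signing = _hmac(k_service, "aws4_request")
    # Step 4: the signature itself.
    signature = hmac.new(k_signing, string_to_sign.encode(), hashlib.sha256).hexdigest()
    headers["authorization"] = (f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
                                f"SignedHeaders={signed_headers}, Signature={signature}")
    return headers


def verify(signed, method, path, body, secret_key, region, service):
    """What the service does: look up the secret for the access key in the Credential
    field, recompute the signature over the received request and compare."""
    auth = signed["authorization"]
    presented = auth.rsplit("Signature=", 1)[1]
    access_key = auth.split("Credential=", 1)[1].split("/", 1)[0]
    unsigned = {k: v for k, v in signed.items() if k != "authorization"}
    recomputed = sign_request(method, unsigned["host"], path, unsigned, body,
                              access_key, secret_key, region, service)
    expected = recomputed["authorization"].rsplit("Signature=", 1)[1]
    return hmac.compare_digest(presented, expected)


def signed_list_tables(secret_key="wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY", body=b"{}"):
    """The ListTables call from slide 26, signed with constructed, non-working credentials."""
    headers = {
        "X-Amz-Date": "20180918T150746Z",
        "X-Amz-Target": "DynamoDB_20120810.ListTables",
        "Content-Type": "application/x-amz-json-1.0",
    }
    return sign_request("POST", "dynamodb.us-east-2.amazonaws.com", "/", headers, body,
                        "ASIAIOSFODNN7EXAMPLE", secret_key, "us-east-2", "dynamodb",
                        session_token="FQoGZXIvYXdzEKH-constructed-session-token")


if __name__ == "__main__":
    for k, v in signed_list_tables().items():
        print(f"{k}: {v}")
```

The SignedHeaders list produced here (content-type;host;x-amz-date;x-amz-security-token;x-amz-target) is the same set the slide shows, and because the body hash and the date are part of what is signed, changing either of them, or presenting the wrong secret, makes the check fail.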
  27. Term: IAM policy.
  28. Where does IAM policy matter? Everywhere in AWS. For an authenticated call to succeed: the request must have a valid signature for an IAM principal, and IAM policy must specifically authorize the call.
  29. AWS-managed IAM policies.
  30. Reading an IAM policy:

        {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Action": [ "dynamodb:*" ],
              "Resource": "*"
            }
          ]
        }

      In English: allowed to take all DynamoDB actions.
  31. Writing more granular IAM policies: Actions.

        {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Action": [
                "dynamodb:BatchGetItem",
                "dynamodb:GetItem",
                "dynamodb:Query"
              ],
              "Resource": "*"
            }
          ]
        }

      In English: allowed to take only a few specific DynamoDB actions.
  32. Writing more granular IAM policies: Resource-level IAM policies.

        {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Action": [
                "dynamodb:BatchGetItem",
                "dynamodb:GetItem",
                "dynamodb:Query"
              ],
              "Resource": [
                "arn:aws:dynamodb:us-east-2:111122223333:table/MyTableName",
                "arn:aws:dynamodb:us-east-2:111122223333:table/MyTableName/index/*"
              ]
            }
          ]
        }

      In English: allowed to take specific DynamoDB actions on a specific table and its indexes.
  33. Term: Amazon Resource Name (ARN). Resource: a thing in AWS. Examples: S3 bucket, DynamoDB table, EC2 instance, VPC. Even IAM principals have ARNs. ARN: a fully-qualified name for that resource, used throughout AWS.

        arn:aws:dynamodb:us-east-2:111122223333:table/MyTableName
                service   region    accountId    service-specific name

  34. Writing more granular IAM policies: Conditions.

        {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Action": [ "dynamodb:*" ],
              "Resource": "*",
              "Condition": {
                "StringEquals": {
                  "aws:RequestedRegion": [ "us-east-2" ]
                }
              }
            }
          ]
        }

      In English: allowed to use DynamoDB only in the us-east-2 region.
  35. Securing AWS resources across multiple accounts.
  36. Securing AWS resources across multiple accounts: AWS Organizations.
  37. Example: Resource-based policy.

        {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Principal": {
                "AWS": [ "arn:aws:iam::444455556666:role/MyRole" ]
              },
              "Action": [ "s3:GetObject" ],
              "Resource": "arn:aws:s3:::my-s3-bucket/some/path/*"
            }
          ]
        }

      In English: the "MyRole" IAM role in account 444455556666 (a different account) can read objects from this bucket under /some/path/.
  38. IAM authorization of cross-account access. (Diagram: an IAM principal in one account and an S3 bucket in another, and the reverse, each authorized by IAM.)
  39. IAM authorization of cross-account access. (Diagram: the same pattern with an Amazon DynamoDB table.)
  40. The IAM Reference.
  42. The workload diagram from slides 5-17 again: AWS region, three Availability Zones, a Virtual private cloud with a VPC subnet in each, EC2 instances, an RDS DB instance with a standby, AWS Directory Service, and, outside the VPC, an Amazon S3 bucket, an Amazon SQS queue and an Amazon DynamoDB table.
  43-44. Secure connectivity with Amazon VPC. Security Groups: authorize only the traffic you expect. Routing: route traffic headed out of your VPC only to expected destinations. VPC Endpoints: create specific, least-privilege points of connectivity.
  45-48. Security groups: Stateful network firewalls. (Diagram, taking the groups and ports in the order shown: Application Load Balancer, security group sg-08eec15c2101526a1, port 443 (HTTPS); backend EC2 instances, security group sg-0bbef9ea1db9d2ddf, port 8443 (HTTPS); RDS database, security group sg-0b0a4f8118aa5d450, port 3306 (MySQL).)
  49. Secure connectivity with Amazon VPC (the three-point list again): Security Groups, Routing, VPC Endpoints.
  50. Routing for least-privilege connectivity. (Diagram: three Availability Zones, each with two VPC subnets: 10.0.1.0/24 and 10.0.51.0/24; 10.0.2.0/24 and 10.0.52.0/24; 10.0.3.0/24 and 10.0.53.0/24.)
  51. Routing for least-privilege connectivity, zoomed in on one Availability Zone: VPC subnets 10.0.2.0/24 and 10.0.52.0/24.
  52. Routing: No outbound connectivity. (Diagram: subnets 10.0.2.0/24 and 10.0.52.0/24 holding EC2 instances and Amazon ElastiCache for Redis, with no path out of the VPC.)
  53. Routing: Full internet connectivity. (Diagram: the same subnets plus an Application Load Balancer, a public-facing EC2 instance with a public IP address, and an Internet gateway.)
  54. Routing: Outbound-only internet connectivity. (Diagram: the same subnets reaching the Internet gateway only through a VPC NAT gateway, which holds the public IP address.)
  55. Routing for least privilege: Summary. AWS offers a variety of routing options. Determine the different routing needs of different parts of your workload, and put them in different subnets. Have only the routes you need in each subnet.
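The two VPC controls covered so far, security groups (slides 45-48) and subnet routing (slides 50-55), can both be modelled as small lookups. The Python below is an added example, not the deck's or AWS's own code: it evaluates security-group rules the way the ALB / backend / RDS chain on the slides is drawn (that pairing of groups with ports follows the order shown and is an assumption), and it does longest-prefix matching over the three route tables of slides 52-54. The VPC CIDR 10.0.0.0/16, the gateway IDs and the test addresses are constructed.

```python
"""Toy security-group and route-table evaluator for the deck's VPC examples (added example)."""
import ipaddress

# Inbound rules per security group, as (protocol, port, source); source is either a CIDR
# or another security-group id. Pairing of groups with ports is read off the diagram.
SECURITY_GROUPS = {
    "sg-08eec15c2101526a1": [("tcp", 443, "0.0.0.0/0")],              # ALB: HTTPS from anywhere
    "sg-0bbef9ea1db9d2ddf": [("tcp", 8443, "sg-08eec15c2101526a1")],  # backend: only from the ALB's group
    "sg-0b0a4f8118aa5d450": [("tcp", 3306, "sg-0bbef9ea1db9d2ddf")],  # RDS: MySQL only from the backend group
}


def inbound_allowed(dst_sg, proto, port, source):
    """Does dst_sg accept a new connection from `source` (an sg id or an IP address)?
    Groups are stateful, so the reply path needs no rule and is not modelled."""
    for r_proto, r_port, r_source in SECURITY_GROUPS[dst_sg]:
        if r_proto != proto or r_port != port:
            continue
        if r_source.startswith("sg-"):
            if r_source == source:          # referencing a group, not an address range
                return True
        elif not source.startswith("sg-"):
            if ipaddress.ip_address(source) in ipaddress.ip_network(r_source):
                return True
    return False


# Route tables as (destination CIDR, target). "local" is the VPC's own address space,
# present in every table; the gateway ids are placeholders.
VPC_CIDR = "10.0.0.0/16"
ISOLATED = [(VPC_CIDR, "local")]                                  # slide 52: no outbound
PUBLIC = [(VPC_CIDR, "local"), ("0.0.0.0/0", "igw-EXAMPLE")]       # slide 53: internet gateway
PRIVATE_NAT = [(VPC_CIDR, "local"), ("0.0.0.0/0", "nat-EXAMPLE")]  # slide 54: outbound via NAT


def next_hop(route_table, destination):
    """Longest-prefix match; None means the subnet has no route to that destination."""
    dest = ipaddress.ip_address(destination)
    best = None
    for cidr, target in route_table:
        net = ipaddress.ip_network(cidr)
        if dest in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None


def reachability(route_table, destinations):
    """Map each destination to the next hop its subnet would use."""
    return {d: next_hop(route_table, d) for d in destinations}


if __name__ == "__main__":
    targets = ["10.0.52.39", "52.95.18.51"]   # in-VPC cache node vs. public SQS endpoint address
    for name, table in (("isolated", ISOLATED), ("public", PUBLIC), ("nat", PRIVATE_NAT)):
        print(name, reachability(table, targets))
    print("ALB -> backend:8443", inbound_allowed("sg-0bbef9ea1db9d2ddf", "tcp", 8443, "sg-08eec15c2101526a1"))
    print("ALB -> RDS:3306   ", inbound_allowed("sg-0b0a4f8118aa5d450", "tcp", 3306, "sg-08eec15c2101526a1"))
```

Two things the model makes visible: a group that references another group admits traffic only from members of that group, so the load balancer cannot reach the database directly even though both are in the VPC; and the isolated table returns no next hop for a public address at all, which is the "only the routes you need" point of slide 55.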
  56. Secure connectivity with Amazon VPC (the three-point list again): Security Groups, Routing, VPC Endpoints.
  57. VPC Endpoints for secure cross-account connectivity. (Diagram: a Network Load Balancer fronting the service; on the consuming side the endpoint has an interface in each of two VPC subnets, in two Availability Zones, at 10.0.51.129 and 10.0.52.39.) The endpoint's DNS name resolves to one of those addresses:

        $ dig vpce-0622f1c0e5b3ccf9b-wzu403mr.vpce-svc-05af39ae671fc730e.us-east-2.vpce.amazonaws.com +short
        10.0.51.129

  58. VPC Endpoints for secure cross-account connectivity: Network Load Balancer.
  59. VPC endpoints for private connectivity to AWS services: Interface endpoints. (Diagram: EC2 instances in two subnets reaching Amazon CloudWatch Logs through an Internet gateway.) Without an endpoint the service name resolves to a public address:

        $ dig logs.us-east-2.amazonaws.com +short
        52.95.20.179

  60. The same, with the instances reaching CloudWatch Logs through a VPC NAT gateway; the name still resolves to the public address 52.95.20.179.
  61. Creating an interface VPC endpoint (console walkthrough).
  62. VPC endpoints for private connectivity to AWS services: Interface endpoints. With the endpoint in place, the same name resolves to an address inside the VPC:

        $ dig logs.us-east-2.amazonaws.com +short
        10.55.2.191

  63. VPC Endpoints for private connectivity to AWS services: Gateway Endpoints. (Diagram: EC2 instances in two subnets reaching Amazon S3 through a gateway endpoint.)
  64. Secure all interactions over a VPC endpoint: VPC endpoint policies. (Diagram: EC2 instances in two subnets, Amazon S3, and IAM governing the endpoint.)
  65. Secure interaction with Amazon S3 from your VPC. VPC endpoint policy:

        {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Principal": "*",
              "Action": [ "s3:*" ],
              "Resource": [
                "arn:aws:s3:::my-bucket-1/some/path/*",
                "arn:aws:s3:::my-bucket-2/some/path/*"
              ],
              "Condition": {
                "StringEquals": {
                  "aws:PrincipalOrgID": [ "o-xxxxxxxxx" ]
                }
              }
            }
          ]
        }

      In English: this VPC endpoint policy says that all interactions with S3 through the endpoint can occur only from accounts in this AWS Organization and can only involve the listed S3 buckets.
  66. Secure all interactions over a VPC endpoint: VPC endpoint policies. (Diagram: the same, now showing the Amazon S3 bucket.)
  67. Secure interaction with S3 from your VPC. S3 bucket policy (the Principal element, which a bucket policy requires, is not shown on the slide and is supplied here as "*"):

        {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Deny",
              "Principal": "*",
              "Action": [ "s3:*" ],
              "Resource": "*",
              "Condition": {
                "StringNotEquals": {
                  "aws:sourceVpce": "vpce-09aa0fdec92daeeee"
                }
              }
            }
          ]
        }

      In English: this S3 bucket policy says that it will authorize these actions only when they come from this VPC endpoint.
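The policies on slides 30-37 and 65-67 all follow the same evaluation rules: an explicit Deny wins, otherwise some statement must Allow the action on the resource with its conditions met, otherwise the call is implicitly denied. The Python below is an added example (not AWS's evaluator, which handles far more operators and policy types): it parses ARNs as on slide 33, applies those rules to copies of the deck's policies, and layers the endpoint policy in front of the identity and bucket policies so that the slide 65 / slide 67 combination can be tried with and without the endpoint. The identity policy granting s3:GetObject, the request context values and the object keys are constructed; the "Not" operator treats an absent key as not-equal, which is what makes the bucket policy deny traffic that did not come through the endpoint.

```python
"""Toy IAM policy evaluator run over the deck's policies (added example, not AWS code)."""
import fnmatch


def parse_arn(arn):
    """Split an ARN into its fields: arn:partition:service:region:account:resource (slide 33)."""
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn":
        raise ValueError(f"not an ARN: {arn!r}")
    return dict(zip(("partition", "service", "region", "account", "resource"), parts[1:]))


def _as_list(x):
    return x if isinstance(x, list) else [x]


def _principal_ok(stmt, ctx):
    """Resource-based policies name a Principal; identity-based policies have none."""
    principal = stmt.get("Principal", "*")
    if principal == "*":
        return True
    return ctx.get("aws:principalarn") in _as_list(principal.get("AWS", []))


def _condition_ok(cond, ctx):
    """Only the operators the deck uses. A 'Not' operator is satisfied when the key is absent."""
    for op, pairs in cond.items():
        if op not in ("StringEquals", "StringNotEquals"):
            raise NotImplementedError(op)
        for key, wanted in pairs.items():
            actual, wanted = ctx.get(key.lower()), _as_list(wanted)
            if op == "StringEquals" and actual not in wanted:
                return False
            if op == "StringNotEquals" and actual in wanted:
                return False
    return True


def _matches(stmt, action, resource, ctx):
    actions = [a.lower() for a in _as_list(stmt["Action"])]      # action names are case-insensitive
    if not any(fnmatch.fnmatchcase(action.lower(), a) for a in actions):
        return False
    if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
        return False
    return _principal_ok(stmt, ctx) and _condition_ok(stmt.get("Condition", {}), ctx)


def evaluate(policies, action, resource, ctx=None):
    """Explicit Deny wins; else any matching Allow; else implicit deny. Context keys are case-insensitive."""
    ctx = {k.lower(): v for k, v in (ctx or {}).items()}
    decision = "ImplicitDeny"
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if _matches(stmt, action, resource, ctx):
                if stmt["Effect"] == "Deny":
                    return "Deny"
                decision = "Allow"
    return decision


def evaluate_gates(gates, action, resource, ctx=None):
    """Each applicable layer (e.g. the VPC endpoint policy, then identity + bucket policies)
    must allow the call; a Deny in any layer wins."""
    outcomes = [evaluate(g, action, resource, ctx) for g in gates]
    if "Deny" in outcomes:
        return "Deny"
    return "Allow" if all(o == "Allow" for o in outcomes) else "ImplicitDeny"


# Copies of the deck's policies (slides 32, 34, 37, 65, 67) plus one constructed identity policy.
TABLE = "arn:aws:dynamodb:us-east-2:111122223333:table/MyTableName"
TABLE_READ = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
    "Action": ["dynamodb:BatchGetItem", "dynamodb:GetItem", "dynamodb:Query"],
    "Resource": [TABLE, TABLE + "/index/*"]}]}
REGION_ONLY = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": ["dynamodb:*"],
    "Resource": "*", "Condition": {"StringEquals": {"aws:RequestedRegion": ["us-east-2"]}}}]}
BUCKET_CROSS_ACCOUNT = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
    "Principal": {"AWS": ["arn:aws:iam::444455556666:role/MyRole"]},
    "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::my-s3-bucket/some/path/*"}]}
ENDPOINT_POLICY = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Principal": "*",
    "Action": ["s3:*"],
    "Resource": ["arn:aws:s3:::my-bucket-1/some/path/*", "arn:aws:s3:::my-bucket-2/some/path/*"],
    "Condition": {"StringEquals": {"aws:PrincipalOrgID": ["o-xxxxxxxxx"]}}}]}
BUCKET_VPCE_ONLY = {"Version": "2012-10-17", "Statement": [{"Effect": "Deny", "Principal": "*",
    "Action": ["s3:*"], "Resource": "*",
    "Condition": {"StringNotEquals": {"aws:sourceVpce": "vpce-09aa0fdec92daeeee"}}}]}
IDENTITY_S3_READ = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",   # constructed
    "Action": "s3:GetObject", "Resource": "*"}]}


def s3_get_from_vpc(bucket, via_endpoint, org_id="o-xxxxxxxxx"):
    """Slides 65-67: GetObject from an instance in the VPC, with or without the endpoint."""
    obj = f"arn:aws:s3:::{bucket}/some/path/report.csv"       # constructed object key
    ctx = {"aws:PrincipalOrgID": org_id}
    gates = [[IDENTITY_S3_READ, BUCKET_VPCE_ONLY]]
    if via_endpoint:
        ctx["aws:sourceVpce"] = "vpce-09aa0fdec92daeeee"       # set by the endpoint, not the caller
        gates.insert(0, [ENDPOINT_POLICY])
    return evaluate_gates(gates, "s3:GetObject", obj, ctx)
```

Running the four combinations shows the split of responsibilities: the endpoint policy decides which buckets and which organisation's principals may pass through the endpoint, while the bucket policy decides that nothing reaches the bucket except through that endpoint. A request from outside the endpoint carries no aws:sourceVpce, so it is denied outright; a request through the endpoint to a bucket the endpoint policy does not list is merely not allowed.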
  68. Secure all interactions over a VPC endpoint: VPC endpoint policies. (Diagram: EC2 instances in two subnets, the Amazon S3 bucket, and IAM.)
  69. You control your VPC like any other AWS resource.
  70. What we didn't talk about: Encryption; Visibility and detective controls (for example, VPC Flow Logs); Higher-level security services.
  71. Thank you! Becky Weiss, AWS.
  72. Related breakouts:
      Monday, November 26: NET201 – Your Virtual Data Center: VPC Fundamentals and Connectivity Options, 4:45 – 5:45, Venetian, Level 4, Delfino 4002, T2
      Wednesday, November 28: SEC401 – Mastering Identity at Every Layer of the Cake, 1:45 – 2:45, Venetian, Level 2, Venetian F, T2
      Tuesday, November 27: SEC303 – Architecting Security and Governance Across a Multi-Account Strategy, 4:45 – 5:45, MGM, Level 3, Premier Ballroom 319, T2
