This session tells the story of how security-minded enterprises provide end-to-end protection of their sensitive data in AWS. Learn about the enterprise security architecture decisions made by Fortune 500 organizations during actual sensitive workload deployments as told by the AWS professional service security, risk, and compliance team members who lived them. In this technical walkthrough, we share lessons learned from the development of enterprise security strategy, security use-case development, end-to-end security architecture & service composition, security configuration decisions, and the creation of AWS security operations playbooks to support the architecture.

1. ARC308
Architecting for End-to-End Security in the
Enterprise
Hart Rossman, Principal Security Consultant
Bill Shinn, Principal Security Solutions Architect
November 14, 2013
© 2013 Amazon.com, Inc. and its affiliates. All rights reserved. May not be copied, modified, or distributed in whole or in part without the express consent of Amazon.com, Inc.

2. A Typical Enterprise
Security Journey:
1.
2.
3.
4.
Integrate AWS into the
Enterprise Security Strategy
Deploy Defense in Depth:
Enterprise Security
Architecture in the Cloud
Convert Strategy to Tactics:
Security Playbook
Instrument for Operations:
Privilege Isolation, Bastion
Role, and Auditing Role
Strategy
Playbook
Operations
Architecture
Enterprise Security
Planning
Enterprise Security
Operations

3. Enterprise Security
Strategy
Economics
Strategy
Strategy
Playbook
Operations
Architecture
Enterprise Security
Planning
Enterprise Security
Operations

4. Security Economies of Scale
• AWS control objectives idempotent across the
entire cloud
• Reduced compliance scope
• Defense in depth layers are variable cost
• Security benefits from automation

5. Why Update Your Security Strategy for
AWS?
• Communicate the CISO’s intent & Concept of
Operations (CONOPS)
• Articulate a vision for the desired end-state

6. Enterprise Security
Architecture
Capabilities Framework
Defense in Depth Architecture
Strategy
Playbook
Operations
Architecture
Enterprise Security
Planning
Enterprise Security
Operations

7. Security Capabilities Framework
Anticipate
Deter
Detect
• Policies and Standards
• Threat Intelligence
• Access Control
• Network Architecture
• Active Response
• IDS
• Log analysis
• Alerting
• Security Operations Center
Respond
• Incident Response to
Compromise
Recover
• Disaster Recovery/BCP
• Known Good State
• Forensics

8. Security Capabilities Framework
Anticipate
Deter
Detect
• Policies and Standards
• Threat Intelligence
• Access Control
• Network Architecture
• Active Response
• IDS
• Log analysis
• Alerting
• Security Operations Center
Respond
• Incident Response to
Compromise
Recover
• Disaster Recovery/BCP
• Known Good State
• Forensics

9. Instance
Trusted Advisor
IAM Password
Policy
Monitor & Alert
Authenticate & Authorize
AWS SA’s &
Proserv
AWS
Support
IAM Users,
Groups &
Roles
IAM MFA
IAM + STS
Federation
Security
Operations
Center
AMIs
Auto Scaling
Managed
Encryption
AWS Abuse
Notifications
Bastion Host
Bootstrapping
CloudFront
Load Distro
Penetration
Testing
SNS
Notifications
CloudWatch
SSL API, CLI,
Console
Host Security
Software
Database
Oracle TDE
MySQL, MSSQL SSL
Oracle NNE
Server
Certificates
People
SSH Keys
MS-SQL TDE
Redshfit
Cluster
Encryption
DynamoDB,
SimpleDB
SSL
EMR Job Flow
Roles
RDS Auto
Minor
Patching
Access Policy
Language
S3, CloudFront
Access Logs
S3 ACLs,
Bucket
Policies
S3 MFA
Delete
Lifecycle
Rules
S3, Glacier
SSE
S3, Glacier,
CloudFront
SSL
App Logs
S3 Object
Metadata
CloudFront
Signed URLs
Client-Side
Encryption
Storage
Gateway SSL
EBS Volume
Encryption
VPC NACLs
Resource
Tagging
Snapshots &
Replication
Route 53
CloudHSM
Log, Audit, & Analyze
AWS
CloudTrail
Monitoring
Organize, Deploy, & Manage
AWS
Certifications
Governance
Management
AWS Security
& Compliance
CloudFormation
DB Logs
Storage & Content
Network
OS Logs
AWS Internet
Security
Direct
Connect
Security
Groups
VPC VPN
Gateway
EMR, Redshift
Analytics
Geographic
Diversity
ELB SSL
VPC Subnets
VPC Routing
Tables

10. Instance
Trusted Advisor
IAM Password
Policy
Monitor & Alert
Authenticate & Authorize
AWS SA’s &
Proserv
AWS
Support
IAM Users,
Groups &
Roles
IAM MFA
IAM + STS
Federation
Security
Operations
Center
Auto Scaling
Managed
Encryption
AWS Abuse
Notifications
Bastion Host
Bootstrapping
CloudFront
Load Distro
Penetration
Testing
SNS
Notifications
Host Security
Software
Database
Oracle TDE
MySQL, MSSQL SSL
Oracle NNE
SQL SSL
Clients
AWS Certifications
SSL API, CLI,
Console
Redshfit
Cluster
Encryption
DynamoDB,
SimpleDB
SSL
EMR Job Flow
Roles
RDS Auto
Minor
Patching
AWS
CloudTrail
Access Policy
Language
S3, CloudFront
Access Logs
S3 ACLs,
Bucket
Policies
S3 MFA
Delete
Lifecycle
Rules
S3, Glacier
SSE
S3, Glacier,
CloudFront
SSL
App Logs
S3 Object
Metadata
CloudFront
Signed URLs
Client-Side
Encryption
Storage
Gateway SSL
EBS Volume
Encryption
VPC NACLs
Resource
Tagging
Snapshots &
Replication
Route 53
CloudHSM
Log, Audit, & Analyze
CloudFormatio
n
Monitoring
Organize, Deploy, & Manage
AWS Security
& Compliance
People
Governance
AMIs
CloudWatch
Server
Certificates
Management
SSH Keys
DB Logs
Storage & Content
Network
OS Logs
AWS Internet
Security
Direct
Connect
Security
Groups
VPC VPN
Gateway
EMR, Redshift
Analytics
Geographic
Diversity
ELB SSL
VPC Subnets
VPC Routing
Tables

11. Instance
Trusted Advisor
IAM Password
Policy
Monitor & Alert
Authenticate & Authorize
AWS SA’s &
Proserv
AWS
Support
IAM Users,
Groups &
Roles
IAM MFA
IAM + STS
Federation
Security
Operations
Center
Auto Scaling
Managed
Encryption
AWS Abuse
Notifications
Bastion Host
Bootstrapping
CloudFront
Load Distro
Penetration
Testing
SNS
Notifications
Oracle TDE
MySQL, MSSQL SSL
SQL SSL
Clients
Lifecycle Rules
AWS
CloudTrail
Access Policy
Language
S3, CloudFront
Access Logs
S3 ACLs,
Bucket
Policies
App Logs
S3 Object
Metadata
CloudFront
Signed URLs
Redshfit
Cluster
Encryption
DynamoDB,
SimpleDB
SSL
S3 MFA
Delete
Route 53
CloudHSM
Monitoring
Snapshots &
Replication
Log, Audit, & Analyze
CloudFormatio
n
Resource
Tagging
DB Logs
Host Security
Software
Database
Oracle NNE
SSL API, CLI,
Console
Organize, Deploy, & Manage
AWS
Certifications
AWS Security
& Compliance
People
Governance
AMIs
CloudWatch
Server
Certificates
Management
SSH Keys
EMR Job Flow
Roles
RDS Auto
Minor
Patching
Storage & Content
S3, Glacier
SSE
S3, Glacier,
CloudFront
SSL
Client-Side
Encryption
Storage
Gateway SSL
EBS Volume
Encryption
VPC NACLs
Network
OS Logs
AWS Internet
Security
Direct
Connect
Security
Groups
VPC VPN
Gateway
EMR, Redshift
Analytics
Geographic
Diversity
ELB SSL
VPC Subnets
VPC Routing
Tables

12. Security Capabilities Framework
Anticipate
Deter
Detect
• Policies and Standards
• Threat Intelligence
• Access Control
• Network Architecture
• Active Response
• IDS
• Log analysis
• Alerting
• Security Operations Center
Respond
• Incident Response to
Compromise
Recover
• Disaster Recovery/BCP
• Known Good State
• Forensics

13. Instance
Trusted Advisor
IAM Password
Policy
Monitor & Alert
Authenticate & Authorize
AWS SA’s &
Proserv
AWS
Support
IAM Users,
Groups &
Roles
IAM MFA
IAM + STS
Federation
Security
Operations
Center
AMIs
Auto Scaling
Managed
Encryption
AWS Abuse
Notifications
Bastion Host
Bootstrapping
CloudFront
Load Distro
Penetration
Testing
SNS
Notifications
CloudWatch
SSL API, CLI,
Console
Host Security
Software
Database
Oracle TDE
MySQL, MSSQL SSL
Oracle NNE
Server
Certificates
People
SSH Keys
MS-SQL TDE
Redshfit
Cluster
Encryption
DynamoDB,
SimpleDB
SSL
EMR Job Flow
Roles
RDS Auto
Minor
Patching
Access Policy
Language
S3, CloudFront
Access Logs
S3 ACLs,
Bucket
Policies
S3 MFA
Delete
Lifecycle
Rules
S3, Glacier
SSE
S3, Glacier,
CloudFront
SSL
App Logs
S3 Object
Metadata
CloudFront
Signed URLs
Client-Side
Encryption
Storage
Gateway SSL
EBS Volume
Encryption
VPC NACLs
Resource
Tagging
Snapshots &
Replication
Route 53
CloudHSM
Log, Audit, & Analyze
AWS
CloudTrail
Monitoring
Organize, Deploy, & Manage
AWS
Certifications
Governance
Management
AWS Security
& Compliance
CloudFormation
DB Logs
Storage & Content
Network
OS Logs
AWS Internet
Security
Direct
Connect
Security
Groups
VPC VPN
Gateway
EMR, Redshift
Analytics
Geographic
Diversity
ELB SSL
VPC Subnets
VPC Routing
Tables

14. Instance
IAM MFA
IAM + STS
Federation
Security
Operations
Center
SNS
Notifications
Bastion Host
Auto Scaling
Managed
Encryption
Bootstrapping
CloudFront
Load Distro
Penetration
Testing
Host Security
Software
Database
Oracle TDE
MySQL, MSSQL SSL
Oracle NNE
MS-SQL TDE
SSH Keys
SSL API, CLI,
Console
Redshfit
Cluster
Encryption
DynamoDB,
SimpleDB
SSL
EMR Job Flow
Roles
RDS Auto
Minor
Patching
AWS
CloudTrail
Access Policy
Language
S3, CloudFront
Access Logs
S3 ACLs,
Bucket
Policies
S3 MFA
Delete
Lifecycle
Rules
S3, Glacier
SSE
S3, Glacier,
CloudFront
SSL
App Logs
S3 Object
Metadata
CloudFront
Signed URLs
Client-Side
Encryption
Storage
Gateway SSL
EBS Volume
Encryption
VPC NACLs
Resource
Tagging
Snapshots &
Replication
Route 53
CloudHSM
Log, Audit, & Analyze
CloudFormatio
n
Monitoring
Organize, Deploy, & Manage
AWS
Certifications
AWS Security
& Compliance
People
Governance
AWS Abuse
Notifications
CloudWatch
Server
Certificates
Management
AMIs
Trusted Advisor
IAM Password
Policy
Monitor & Alert
Authenticate & Authorize
AWS SA’s &
Proserv
AWS
Support
IAM Users,
Groups &
Roles
DB Logs
Storage & Content
Network
OS Logs
AWS Internet
Security
Direct
Connect
Security
Groups
VPC VPN
Gateway
EMR, Redshift
Analytics
Geographic
Diversity
ELB SSL
VPC Subnets
VPC Routing
Tables

15. Instance
Trusted Advisor
IAM Password
Policy
Monitor & Alert
Authenticate & Authorize
AWS SA’s &
Proserv
AWS
Support
IAM Users,
Groups &
Roles
IAM MFA
IAM + STS
Federation
Security
Operations
Center
Auto Scaling
Managed
Encryption
AWS Abuse
Notifications
Bastion Host
Bootstrapping
CloudFront
Load Distro
Penetration
Testing
SNS
Notifications
Host Security
Software
Database
Oracle TDE
MySQL, MSSQL SSL
Oracle NNE
MS-SQL TDE
Security Groups
SSL API, CLI,
Console
Redshfit
Cluster
Encryption
DynamoDB,
SimpleDB
SSL
EMR Job Flow
Roles
RDS Auto
Minor
Patching
AWS
CloudTrail
Access Policy
Language
S3, CloudFront
Access Logs
S3 ACLs,
Bucket
Policies
S3 MFA
Delete
Lifecycle
Rules
S3, Glacier
SSE
S3, Glacier,
CloudFront
SSL
App Logs
S3 Object
Metadata
CloudFront
Signed URLs
Client-Side
Encryption
Storage
Gateway SSL
EBS Volume
Encryption
VPC VPN
Gateway
VPC NACLs
Resource
Tagging
Snapshots &
Replication
Route 53
CloudHSM
Log, Audit, & Analyze
CloudFormatio
n
Monitoring
Organize, Deploy, & Manage
AWS
Certifications
AWS Security
& Compliance
People
Governance
AMIs
CloudWatch
Server
Certificates
Management
SSH Keys
DB Logs
Storage & Content
Network
OS Logs
AWS Internet
Security
Direct
Connect
EMR, Redshift
Analytics
Geographic
Diversity
ELB SSL
VPC Subnets
VPC Routing
Tables

16. Trusted Advisor
IAM Password
Policy
Monitor & Alert
Authenticate & Authorize
AWS
Support
AWS SA’s &
Proserv
Instance
IAM MFA
IAM + STS
Federation
Security
Operations
Center
Auto Scaling
Managed
Encryption
AWS Abuse
Notifications
Bastion Host
Bootstrapping
CloudFront
Load Distro
Penetration
Testing
SNS
Notifications
Host Security
Software
Database
Oracle TDE
MySQL, MSSQL SSL
Oracle NNE
MS-SQL TDE
IAM Users, Groups & Roles
SSL API, CLI,
Console
Redshfit
Cluster
Encryption
DynamoDB,
SimpleDB
SSL
EMR Job Flow
Roles
RDS Auto
Minor
Patching
AWS
CloudTrail
Access Policy
Language
S3, CloudFront
Access Logs
S3 ACLs,
Bucket
Policies
S3 MFA
Delete
Lifecycle
Rules
S3, Glacier
SSE
S3, Glacier,
CloudFront
SSL
App Logs
S3 Object
Metadata
CloudFront
Signed URLs
Client-Side
Encryption
Storage
Gateway SSL
EBS Volume
Encryption
VPC NACLs
Resource
Tagging
Snapshots &
Replication
Route 53
CloudHSM
Log, Audit, & Analyze
CloudFormatio
n
Monitoring
Organize, Deploy, & Manage
AWS
Certifications
AWS Security
& Compliance
People
Governance
AMIs
CloudWatch
Server
Certificates
Management
SSH Keys
DB Logs
Storage & Content
Network
OS Logs
AWS Internet
Security
Direct
Connect
Security
Groups
VPC VPN
Gateway
EMR, Redshift
Analytics
Geographic
Diversity
ELB SSL
VPC Subnets
VPC Routing
Tables

17. Trusted Advisor
IAM Password
Policy
Monitor & Alert
Authenticate & Authorize
AWS
Support
AWS SA’s &
Proserv
Instance
IAM MFA
IAM + STS
Federation
Security
Operations
Center
Auto Scaling
Managed
Encryption
AWS Abuse
Notifications
Bastion Host
Bootstrapping
CloudFront
Load Distro
Penetration
Testing
SNS
Notifications
Host Security
Software
Database
Oracle TDE
MySQL, MSSQL SSL
Oracle NNE
MS-SQL TDE
Redshift CloudHSM Support
SSL API, CLI,
Console
Redshfit
Cluster
Encryption
DynamoDB,
SimpleDB
SSL
EMR Job Flow
Roles
RDS Auto
Minor
Patching
AWS
CloudTrail
Access Policy
Language
S3, CloudFront
Access Logs
S3 ACLs,
Bucket
Policies
S3 MFA
Delete
Lifecycle
Rules
S3, Glacier
SSE
S3, Glacier,
CloudFront
SSL
App Logs
S3 Object
Metadata
CloudFront
Signed URLs
Client-Side
Encryption
Storage
Gateway SSL
EBS Volume
Encryption
VPC NACLs
Resource
Tagging
Snapshots &
Replication
Route 53
CloudHSM
Log, Audit, & Analyze
CloudFormatio
n
Monitoring
Organize, Deploy, & Manage
AWS
Certifications
AWS Security
& Compliance
People
Governance
AMIs
CloudWatch
Server
Certificates
Management
SSH Keys
DB Logs
Storage & Content
Network
OS Logs
AWS Internet
Security
Direct
Connect
Security
Groups
VPC VPN
Gateway
EMR, Redshift
Analytics
Geographic
Diversity
ELB SSL
VPC Subnets
VPC Routing
Tables

18. Security Capabilities Framework
Anticipate
Deter
Detect
• Policies and Standards
• Threat Intelligence
• Access Control
• Network Architecture
• Active Response
• IDS
• Log analysis
• Alerting
• Security Operations Center
Respond
• Incident Response to
Compromise
Recover
• Disaster Recovery/BCP
• Known Good State
• Forensics

19. Instance
Trusted Advisor
IAM Password
Policy
Monitor & Alert
Authenticate & Authorize
AWS SA’s &
Proserv
AWS
Support
IAM Users,
Groups &
Roles
IAM MFA
IAM + STS
Federation
Security
Operations
Center
AMIs
Auto Scaling
Managed
Encryption
AWS Abuse
Notifications
Bastion Host
Bootstrapping
CloudFront
Load Distro
Penetration
Testing
SNS
Notifications
CloudWatch
SSL API, CLI,
Console
Host Security
Software
Database
Oracle TDE
MySQL, MSSQL SSL
Oracle NNE
Server
Certificates
People
SSH Keys
SQL SSL
Clients
Redshfit
Cluster
Encryption
DynamoDB,
SimpleDB
SSL
EMR Job Flow
Roles
RDS Auto
Minor
Patching
Access Policy
Language
S3, CloudFront
Access Logs
S3 ACLs,
Bucket
Policies
S3 MFA
Delete
Lifecycle
Rules
S3, Glacier
SSE
S3, Glacier,
CloudFront
SSL
App Logs
S3 Object
Metadata
CloudFront
Signed URLs
Client-Side
Encryption
Storage
Gateway SSL
EBS Volume
Encryption
VPC NACLs
Resource
Tagging
Snapshots &
Replication
Route 53
CloudHSM
Log, Audit, & Analyze
AWS
CloudTrail
Monitoring
Organize, Deploy, & Manage
AWS
Certifications
Governance
Management
AWS Security
& Compliance
CloudFormation
DB Logs
Storage & Content
Network
OS Logs
AWS Internet
Security
Direct
Connect
Security
Groups
VPC VPN
Gateway
EMR, Redshift
Analytics
Geographic
Diversity
ELB SSL
VPC Subnets
VPC Routing
Tables

20. Instance
Trusted Advisor
IAM Password
Policy
Monitor & Alert
Authenticate & Authorize
AWS SA’s &
Proserv
AWS
Support
IAM Users,
Groups &
Roles
IAM MFA
IAM + STS
Federation
Security
Operations
Center
Auto Scaling
Managed
Encryption
AWS Abuse
Notifications
Bastion Host
Bootstrapping
CloudFront
Load Distro
Penetration
Testing
SNS
Notifications
CloudHSM
Log, Audit, & Analyze
Monitoring
Resource
Tagging
Route 53
MySQL, MSSQL SSL
SQL SSL
Clients
Redshfit
Cluster
Encryption
DynamoDB,
SimpleDB
SSL
EMR Job Flow
Roles
RDS Auto
Minor
Patching
Storage & Content
Access Policy
Language
Snapshots &
Replication
Oracle TDE
Amazon CloudTrail
CloudFormatio
n
Host Security
Software
Database
Oracle NNE
SSL API, CLI,
Console
Organize, Deploy, & Manage
AWS
Certifications
AWS Security
& Compliance
People
Governance
AMIs
CloudWatch
Server
Certificates
Management
SSH Keys
S3, CloudFront
Access Logs
S3 ACLs,
Bucket
Policies
S3 MFA
Delete
Lifecycle
Rules
S3, Glacier
SSE
S3, Glacier,
CloudFront
SSL
App Logs
S3 Object
Metadata
CloudFront
Signed URLs
Client-Side
Encryption
Storage
Gateway SSL
EBS Volume
Encryption
VPC NACLs
DB Logs
Network
OS Logs
AWS Internet
Security
Direct
Connect
Security
Groups
VPC VPN
Gateway
EMR, Redshift
Analytics
Geographic
Diversity
ELB SSL
VPC Subnets
VPC Routing
Tables

21. Instance
Trusted Advisor
IAM Password
Policy
Monitor & Alert
Authenticate & Authorize
AWS SA’s &
Proserv
AWS
Support
IAM Users,
Groups &
Roles
IAM MFA
IAM + STS
Federation
Security
Operations
Center
Auto Scaling
Managed
Encryption
AWS Abuse
Notifications
Bastion Host
Bootstrapping
CloudFront
Load Distro
Penetration
Testing
SNS
Notifications
Host Security
Software
Database
Oracle TDE
MySQL, MSSQL SSL
SQL &
Amazon Elastic Oracle NNE
MapReduce SSL
Clients
Amazon Redshift
SSL API, CLI,
Console
Redshfit
Cluster
Encryption
DynamoDB,
SimpleDB
SSL
EMR Job Flow
Roles
RDS Auto
Minor
Patching
AWS
CloudTrail
Access Policy
Language
S3, CloudFront
Access Logs
S3 ACLs,
Bucket
Policies
S3 MFA
Delete
Lifecycle
Rules
S3, Glacier
SSE
S3, Glacier,
CloudFront
SSL
App Logs
S3 Object
Metadata
CloudFront
Signed URLs
Client-Side
Encryption
Storage
Gateway SSL
EBS Volume
Encryption
AWS Internet
Security
Direct
Connect
Security
Groups
VPC VPN
Gateway
VPC NACLs
Geographic
Diversity
ELB SSL
VPC Subnets
VPC Routing
Tables
Resource
Tagging
Snapshots &
Replication
Route 53
CloudHSM
Log, Audit, & Analyze
CloudFormatio
n
Monitoring
Organize, Deploy, & Manage
AWS
Certifications
AWS Security
& Compliance
People
Governance
AMIs
CloudWatch
Server
Certificates
Management
SSH Keys
DB Logs
OS Logs
Storage & Content
Network

22. Instance
Trusted Advisor
IAM Password
Policy
Monitor & Alert
Authenticate & Authorize
AWS SA’s &
Proserv
AWS
Support
IAM Users,
Groups &
Roles
IAM MFA
IAM + STS
Federation
Managed
Encryption
AWS Abuse
Notifications
Bastion Host
Bootstrapping
CloudFront
Load Distro
Penetration
Testing
SNS
Notifications
Host Security
Software
Database
Oracle TDE
MySQL, MSSQL SSL
SQL SSL
Clients
Security Operations Center
Redshfit
Cluster
Encryption
DynamoDB,
SimpleDB
SSL
EMR Job Flow
Roles
RDS Auto
Minor
Patching
AWS
CloudTrail
Access Policy
Language
S3, CloudFront
Access Logs
S3 ACLs,
Bucket
Policies
S3 MFA
Delete
Lifecycle
Rules
S3, Glacier
SSE
S3, Glacier,
CloudFront
SSL
App Logs
S3 Object
Metadata
CloudFront
Signed URLs
Client-Side
Encryption
Storage
Gateway SSL
EBS Volume
Encryption
VPC NACLs
Resource
Tagging
Snapshots &
Replication
Route 53
CloudHSM
Log, Audit, & Analyze
CloudFormatio
n
Monitoring
Organize, Deploy, & Manage
AWS Security
& Compliance
AWS
Certifications
Auto Scaling
Oracle NNE
SSL API, CLI,
Console
People
Governance
AMIs
CloudWatch
Server
Certificates
Management
SSH Keys
DB Logs
Storage & Content
Network
OS Logs
AWS Internet
Security
Direct
Connect
Security
Groups
VPC VPN
Gateway
EMR, Redshift
Analytics
Geographic
Diversity
ELB SSL
VPC Subnets
VPC Routing
Tables

23. Security Capabilities Framework
Anticipate
Deter
Detect
• Policies and Standards
• Threat Intelligence
• Access Control
• Network Architecture
• Active Response
• IDS
• Log analysis
• Alerting
• Security Operations Center
Respond
• Incident Response to
Compromise
Recover
• Disaster Recovery/BCP
• Known Good State
• Forensics

24. Instance
Trusted Advisor
IAM Password
Policy
Monitor & Alert
Authenticate & Authorize
AWS SA’s &
Proserv
AWS
Support
IAM Users,
Groups &
Roles
IAM MFA
IAM + STS
Federation
Security
Operations
Center
AMIs
Auto Scaling
Managed
Encryption
AWS Abuse
Notifications
Bastion Host
Bootstrapping
CloudFront
Load Distro
Penetration
Testing
SNS
Notifications
CloudWatch
SSL API, CLI,
Console
Host Security
Software
Database
Oracle TDE
MySQL, MSSQL SSL
Oracle NNE
Server
Certificates
People
SSH Keys
SQL SSL
Clients
Redshfit
Cluster
Encryption
DynamoDB,
SimpleDB
SSL
EMR Job Flow
Roles
RDS Auto
Minor
Patching
Access Policy
Language
S3, CloudFront
Access Logs
S3 ACLs,
Bucket
Policies
S3 MFA
Delete
Lifecycle
Rules
S3, Glacier
SSE
S3, Glacier,
CloudFront
SSL
App Logs
S3 Object
Metadata
CloudFront
Signed URLs
Client-Side
Encryption
Storage
Gateway SSL
EBS Volume
Encryption
VPC NACLs
Resource
Tagging
Snapshots &
Replication
Route 53
CloudHSM
Log, Audit, & Analyze
AWS
CloudTrail
Monitoring
Organize, Deploy, & Manage
AWS
Certifications
Governance
Management
AWS Security
& Compliance
CloudFormation
DB Logs
Storage & Content
Network
OS Logs
AWS Internet
Security
Direct
Connect
Security
Groups
VPC VPN
Gateway
EMR, Redshift
Analytics
Geographic
Diversity
ELB SSL
VPC Subnets
VPC Routing
Tables

25. Instance
Trusted Advisor
IAM Password
Policy
Monitor & Alert
Authenticate & Authorize
AWS SA’s &
Proserv
AWS
Support
IAM Users,
Groups &
Roles
IAM MFA
IAM + STS
Federation
Security
Operations
Center
Auto Scaling
Managed
Encryption
AWS Abuse
Notifications
Bastion Host
Bootstrapping
CloudFront
Load Distro
Penetration
Testing
SNS
Notifications
Host Security
Software
Database
Oracle TDE
MySQL, MSSQL SSL
Oracle NNE
SQL SSL
Clients
Resource Tagging
SSL API, CLI,
Console
Redshfit
Cluster
Encryption
DynamoDB,
SimpleDB
SSL
EMR Job Flow
Roles
RDS Auto
Minor
Patching
AWS
CloudTrail
Access Policy
Language
S3, CloudFront
Access Logs
S3 ACLs,
Bucket
Policies
S3 MFA
Delete
Lifecycle
Rules
S3, Glacier
SSE
S3, Glacier,
CloudFront
SSL
App Logs
S3 Object
Metadata
CloudFront
Signed URLs
Client-Side
Encryption
Storage
Gateway SSL
EBS Volume
Encryption
VPC NACLs
Snapshots &
Replication
Route 53
CloudHSM
Log, Audit, & Analyze
CloudFormatio
n
Monitoring
Organize, Deploy, & Manage
AWS
Certifications
AWS Security
& Compliance
People
Governance
AMIs
CloudWatch
Server
Certificates
Management
SSH Keys
DB Logs
Storage & Content
Network
OS Logs
AWS Internet
Security
Direct
Connect
Security
Groups
VPC VPN
Gateway
EMR, Redshift
Analytics
Geographic
Diversity
ELB SSL
VPC Subnets
VPC Routing
Tables

26. Instance
Trusted Advisor
IAM Password
Policy
Monitor & Alert
Authenticate & Authorize
AWS SA’s &
Proserv
IAM Users,
Groups &
Roles
IAM MFA
IAM + STS
Federation
Security
Operations
Center
Auto Scaling
Managed
Encryption
AWS Abuse
Notifications
Bastion Host
Bootstrapping
CloudFront
Load Distro
Penetration
Testing
SNS
Notifications
Host Security
Software
Database
Oracle TDE
MySQL, MSSQL SSL
Oracle NNE
SQL SSL
Clients
AWS Support
SSL API, CLI,
Console
Redshfit
Cluster
Encryption
DynamoDB,
SimpleDB
SSL
EMR Job Flow
Roles
RDS Auto
Minor
Patching
AWS
CloudTrail
Access Policy
Language
S3, CloudFront
Access Logs
S3 ACLs,
Bucket
Policies
S3 MFA
Delete
Lifecycle
Rules
S3, Glacier
SSE
S3, Glacier,
CloudFront
SSL
App Logs
S3 Object
Metadata
CloudFront
Signed URLs
Client-Side
Encryption
Storage
Gateway SSL
EBS Volume
Encryption
VPC NACLs
Resource
Tagging
Snapshots &
Replication
Route 53
CloudHSM
Log, Audit, & Analyze
CloudFormatio
n
Monitoring
Organize, Deploy, & Manage
AWS
Certifications
AWS Security
& Compliance
People
Governance
AMIs
CloudWatch
Server
Certificates
Management
SSH Keys
DB Logs
Storage & Content
Network
OS Logs
AWS Internet
Security
Direct
Connect
Security
Groups
VPC VPN
Gateway
EMR, Redshift
Analytics
Geographic
Diversity
ELB SSL
VPC Subnets
VPC Routing
Tables

27. Security Capabilities Framework
Anticipate
Deter
Detect
• Policies and Standards
• Threat Intelligence
• Access Control
• Network Architecture
• Active Response
• IDS
• Log analysis
• Alerting
• Security Operations Center
Respond
• Incident Response to
Compromise
Recover
• Disaster Recovery/BCP
• Known Good State
• Forensics

28. Instance
Trusted Advisor
IAM Password
Policy
Monitor & Alert
Authenticate & Authorize
AWS SA’s &
Proserv
AWS
Support
IAM Users,
Groups &
Roles
IAM MFA
IAM + STS
Federation
Security
Operations
Center
AMIs
Auto Scaling
Managed
Encryption
AWS Abuse
Notifications
Bastion Host
Bootstrapping
CloudFront
Load Distro
Penetration
Testing
SNS
Notifications
CloudWatch
SSL API, CLI,
Console
Host Security
Software
Database
Oracle TDE
MySQL, MSSQL SSL
Oracle NNE
Server
Certificates
People
SSH Keys
SQL SSL
Clients
Redshfit
Cluster
Encryption
DynamoDB,
SimpleDB
SSL
EMR Job Flow
Roles
RDS Auto
Minor
Patching
Access Policy
Language
S3, CloudFront
Access Logs
S3 ACLs,
Bucket
Policies
S3 MFA
Delete
Lifecycle
Rules
S3, Glacier
SSE
S3, Glacier,
CloudFront
SSL
App Logs
S3 Object
Metadata
CloudFront
Signed URLs
Client-Side
Encryption
Storage
Gateway SSL
EBS Volume
Encryption
VPC NACLs
Resource
Tagging
Snapshots &
Replication
Route 53
CloudHSM
Log, Audit, & Analyze
AWS
CloudTrail
Monitoring
Organize, Deploy, & Manage
AWS
Certifications
Governance
Management
AWS Security
& Compliance
CloudFormation
DB Logs
Storage & Content
Network
OS Logs
AWS Internet
Security
Direct
Connect
Security
Groups
VPC VPN
Gateway
EMR, Redshift
Analytics
Geographic
Diversity
ELB SSL
VPC Subnets
VPC Routing
Tables

29. Instance
Trusted Advisor
IAM Password
Policy
Monitor & Alert
Authenticate & Authorize
AWS SA’s &
Proserv
AWS
Support
IAM Users,
Groups &
Roles
IAM MFA
IAM + STS
Federation
Security
Operations
Center
Auto Scaling
Managed
Encryption
AWS Abuse
Notifications
Bastion Host
Bootstrapping
CloudFront
Load Distro
Penetration
Testing
SNS
Notifications
Host Security
Software
Database
Oracle TDE
MySQL, MSSQL SSL
Oracle NNE
SQL SSL
Clients
Snapshots & Replication
SSL API, CLI,
Console
Redshfit
Cluster
Encryption
DynamoDB,
SimpleDB
SSL
EMR Job Flow
Roles
RDS Auto
Minor
Patching
AWS
CloudTrail
Access Policy
Language
S3, CloudFront
Access Logs
S3 ACLs,
Bucket
Policies
S3 MFA
Delete
Lifecycle
Rules
S3, Glacier
SSE
S3, Glacier,
CloudFront
SSL
App Logs
S3 Object
Metadata
CloudFront
Signed URLs
Client-Side
Encryption
Storage
Gateway SSL
EBS Volume
Encryption
VPC NACLs
Resource
Tagging
Route 53
CloudHSM
Log, Audit, & Analyze
CloudFormatio
n
Monitoring
Organize, Deploy, & Manage
AWS
Certifications
AWS Security
& Compliance
People
Governance
AMIs
CloudWatch
Server
Certificates
Management
SSH Keys
DB Logs
Storage & Content
Network
OS Logs
AWS Internet
Security
Direct
Connect
Security
Groups
VPC VPN
Gateway
EMR, Redshift
Analytics
Geographic
Diversity
ELB SSL
VPC Subnets
VPC Routing
Tables

30. Instance
Trusted Advisor
IAM Password
Policy
Monitor & Alert
Authenticate & Authorize
AWS SA’s &
Proserv
AWS
Support
IAM Users,
Groups &
Roles
IAM MFA
IAM + STS
Federation
Security
Operations
Center
Auto Scaling
Managed
Encryption
AWS Abuse
Notifications
Bastion Host
Bootstrapping
CloudFront
Load Distro
Penetration
Testing
SNS
Notifications
Host Security
Software
Database
Oracle TDE
MySQL, MSSQL SSL
Oracle NNE
SQL SSL
Clients
Geographic Diversity
SSL API, CLI,
Console
Redshfit
Cluster
Encryption
DynamoDB,
SimpleDB
SSL
EMR Job Flow
Roles
RDS Auto
Minor
Patching
AWS
CloudTrail
Access Policy
Language
S3, CloudFront
Access Logs
S3 ACLs,
Bucket
Policies
S3 MFA
Delete
Lifecycle
Rules
S3, Glacier
SSE
S3, Glacier,
CloudFront
SSL
App Logs
S3 Object
Metadata
CloudFront
Signed URLs
Client-Side
Encryption
Storage
Gateway SSL
EBS Volume
Encryption
Direct
Connect
Security
Groups
VPC VPN
Gateway
VPC NACLs
ELB SSL
VPC Subnets
VPC Routing
Tables
Resource
Tagging
Snapshots &
Replication
Route 53
CloudHSM
Log, Audit, & Analyze
CloudFormatio
n
Monitoring
Organize, Deploy, & Manage
AWS
Certifications
AWS Security
& Compliance
People
Governance
AMIs
CloudWatch
Server
Certificates
Management
SSH Keys
DB Logs
OS Logs
EMR, Redshift
Analytics
Storage & Content
Network
AWS Internet
Security

31. Defense-in-Depth Architecture
Internet
Internet
Gateway
Existing
VPN
AWS Direct
Perimeter
Connect Customer
Security Stack
GW
Corporate Data Center

32. Network Protection
App Tier
Web Tier
Protect
Tier
Internet
Gateway
Route Table
NACL
Internet
IAM
DB Tier
VPN
VPN
AWS
DX
Existing
CGW Perimeter
Security
Stack
Corporate
Data Center

33. Instance Protection
Instance
Protect
Tier
Internet
Gateway
SSH Keys
Auto Scaling
Managed
Encryption
Host Security
Software
Bootstrapping
CloudFront
Load Distro
Penetration
Testing
App Tier
Web Tier
Bastion Host
AMIs
Internet
IAM
DB Tier
VPN
VPN
AWS
DX
Existing
CGW Perimeter
Security
Stack
Corporate
Data Center

34. Database Protection
Protect Tier
Internet
Gateway
Internet
DB Tier
App Tier
Web Tier
VPN
AWS
DX
Existing
CGW Perimeter
Security
Stack
Corporate
Data Center
IAM
Database
Oracle TDE
VP
N
Oracle NNE
MySQL, MSSQL SSL
Redshfit
Cluster
Encryption
EMR Job Flow
Roles
SQL SSL
Clients
DynamoDB,
SimpleDB SSL
RDS Auto
Minor Patching

35. In-line Threat Management:
Protect
Web
App
DB
Protect Tier
Bastion
Bastion Host

36. In-line Threat Management:
EIP
2
EIP
4
IPS NAT Layer
App
IPS NAT Layer
EIP
3
Web
EIP
1
Protect
IPS/IDS NAT HA
App Layer
Availability Zone A
Availability Zone B
DB
App Layer

37. CloudFront
Protect Tier
Route Table
Web Tier
Internet
Gateway
NACL
App Tier
Internet
IAM
DB Tier
VPN
S3
VPN
AWS
DX
Existing
CGW Perimeter
Security
Stack
Corporate
Data Center

38. Security Playbook
Rehearsed actions
Task automation
Strategy
Document approved configurations
Playbook
Operations
Architecture
Enterprise Security
Planning
Enterprise Security
Operations

39. Why Build a Security Operations
Playbook?
• Empower CISO organization to operate their
cloud enterprise securely
• Enable CISO business partners to secure
deployments and manage mission risk

40. Typical Components
• Overview of the AWS service or enterprise
process
• Requirements/Dependencies
• Workflow
• Exceptions

41. Requirements/De
pendencies
Workflow
Sample Entry: Amazon S3
Overview of the
AWS service or
enterprise
process
Exceptions
Description
• Amazon S3 provides a simple web services interface that can
be used to store and retrieve any amount of data, at any
time, from anywhere on the web.
Secure Configuration
• Data stored in Amazon S3 is secure by default; only bucket
and object owners have access to the Amazon S3 resources
they create. For customers who must comply with regulatory
standards such as PCI and HIPAA, Amazon S3’s data
protection features can be used as part of an overall strategy
to achieve compliance.

42. Granularity
Purpose
Application
IAM Access Policy
Fine grained
Role-based access control
(RBAC)
Apply to IAM groups, roles,
users
Bucket Policy
Fine grained
Grant permissions without IAM and
provide cross-account access
Apply to S3 buckets
Requirements/De
pendencies
Workflow
Choosing Controls
Overview of the
AWS service or
enterprise
process
Exceptions
ACLs
Coarse grained
Grant simple, broad
permissions
Apply to buckets and objects

43. Bucket ACL
Requirements/De
pendencies
Workflow
Mapping ACLs to Policy Actions
Overview of the
AWS service or
enterprise
process
Exceptions
Bucket Policy Actions
READ
s3:ListBucket, s3:ListBucketVersions, s3:ListBucketMultipartUploads
WRITE
s3:PutObject, s3:DeleteObject, s3:DeleteObjectVersion (owner only)
READ_ACP
s3:GetBucketAcl
WRITE_ACP
s3:PutBucketAcl
FULL_CONTROL
(READ + WRITE + READ_ACP + WRITE_ACP)
Object ACL
Object Policy Actions
READ
s3:GetObject, s3:GetObjectVersion, s3:GetObjectTorrent
READ_ACP
s3:GetObjectAcl, s3:GetObjectVersionAcl
WRITE_ACP
s3:PutObjectAcl, s3:PutObjectVersionAcl
FULL_CONTROL
(READ + READ_ACP + WRITE_ACP)

44. {
"Id": "S3PolicyId1",
"Statement": [
{
"Effect": "Allow",
"Principal": { "AWS": "*" },
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::YourBucket/*",
"Condition": { }
},
{
"Effect": "Allow",
"Principal": { "AWS": "*" },
"Action": [
"s3:PutObject",
"s3:DeleteObject"
],
"Resource": "arn:aws:s3:::YourBucket/*",
"Condition": {
"IpAddress": {
"aws:SourceIp": "10.10.1.0/24"
}
}
}
]
}
Requirements/De
pendencies
Workflow
Using Access Policy Conditions
Overview of the
AWS service or
enterprise
process
Exceptions

45. {
"Statement": [
{
"Version": "2012-10-17",
"Principal": "*",
"Effect": "Deny",
"Action": "s3:*",
"Resource": "arn:aws:s3:::YourBucket/*",
"Condition":{
"Bool":{
"aws:SecureTransport":"false"
}
}
}
]
}
Requirements/De
pendencies
Workflow
Enforcing SSL
Overview of the
AWS service or
enterprise
process
Exceptions

46. {
"Version":"2008-10-17",
"Id":"PutObjPolicy",
"Statement":[{
"Sid":"DenyUnEncryptedObjectUploads",
"Effect":"Deny",
"Principal":{"AWS":"*"},
"Action":"s3:PutObject",
"Resource":"arn:aws:s3:::YourBucket/*",
"Condition":{
"StringNotEquals":{
"s3:x-amz-server-side-encryption":"AES256"
}
}
}
]
}
Requirements/De
pendencies
Workflow
Enable & Enforce SSE
Overview of the
AWS service or
enterprise
process
Exceptions

47. {
"AWSTemplateFormatVersion" : "2010-09-09",
"Description" : "AWS CloudFormation Sample Template for S3 Bucket Policy",
CloudFormation
Template
"Resources" : {
"S3BucketCFn" : {
"Type" : "AWS::S3::Bucket",
"DeletionPolicy" : "Retain"
},
"BucketPolicy" : {
"Type" : "AWS::S3::BucketPolicy",
"Properties" : {
"PolicyDocument": {
"Version"
: "2012-10-17",
"Id"
: "MyPolicy",
"Statement" : [
{
"Sid"
: "ContributorAccess",
"Action"
: ["s3:GetObject"],
"Effect" : "Allow",
"Resource" : { "Fn::Join" : ["", ["arn:aws:s3:::",
"Principal" : { "AWS": "*" }
},
{
"Sid"
: "ListAccess",
"Action"
: ["s3:ListBucket"],
"Effect" : "Allow",
"Resource" : { "Fn::Join" : ["", ["arn:aws:s3:::",
"Principal" : { "AWS": "*" }
},
{
"Sid"
: "EnforceSSL",
"Action"
: ["s3:*"],
"Effect" : "Deny",
"Resource" : { "Fn::Join" : ["", ["arn:aws:s3:::",
"Principal" : { "AWS": "*" },
"Condition" : { "Bool": {"aws:SecureTransport":
}
]
},
"Bucket" : {"Ref" : "S3BucketCFn"}
}
}
},
Creates an S3 bucket with a
randomized name with the following
permissions:
• Allow anyone to LIST the
bucket
• Allow anyone to GET objects
• Require SSL encryption in
transit
"Outputs" : {
"BucketName" : {
"Value" : { "Ref" : "S3BucketCFn" },
"Description" : "Name of newly created S3 bucket"
}
}
}
{"Ref" : "S3BucketCFn"}]]},
{"Ref" : "S3BucketCFn"}, "/*"]]},
false}}
Requirements/De
pendencies
Workflow
{"Ref" : "S3BucketCFn"} , "/*"]]},
Overview of the
AWS service or
enterprise
process
Exceptions

48. Requirements/De
pendencies
Workflow
Keys, Delimiters, and Tags
Overview of the
AWS service or
enterprise
process
Exceptions
Using Keys and Delimiters
• S3 tags should not be used to configure
permissions to resources
• Instead, use keys and delimiters as described in
the previous section to emulate “folder-level
permissions”

49. Operations
Privilege Isolation & Roles
Refresher
Strategy
IAM Role – Bastion Host
Playbook
IAM Role – Auditing Role
Operations
Architecture
Enterprise Security
Planning
Enterprise Security
Operations
49

50. Overview of the
AWS service or
enterprise
process
Workflow
Privilege Isolation
AWS Account
IAM User/Group/Role
Region
Amazon VPC
Security Group
API Call
Resource
Requirements/De
pendencies
Exceptions

51. •
STS AssumeRole
•
Valid token for one hour
•
Returns access key ID, secret access key, and security token
Requirements/De
pendencies
Workflow
IAM / Security Token Service
Overview of the
AWS service or
enterprise
process
Exceptions

52. Resource Permissions by Service (by API call)
http://docs.aws.amazon.com/IAM/latest/UserGuide/Using_SpecificProducts.html
•
•
•
•
•
•
•
•
•
•
•
Amazon DynamoDB (tables and indexes)
AWS Elastic Beanstalk (application, applicationversion, solutionstack)
Amazon EC2 (instance, security group, dhcp options, nacl, route table, gateways, volumes)
Amazon Glacier (vault)
AWS IAM (signing credentials, group, …)
Amazon Redshift (cluster, parameter group, security group, snapshot, subnet group)
Amazon RDS
Amazon Route53 (hosted zone)
Amazon S3 (bucket)
Amazon SNS (topic)
Amazon SQS (queue)
Requirements/De
pendencies
Workflow
Privilege Isolation / Resources
Overview of the
AWS service or
enterprise
process
Exceptions

53. IAM Roles / EC2
•
Role
•
Instance Profile
•
Identity for the instance itself
•
Available to all application and users on host
Overview of the
AWS service or
enterprise
process
Requirements/De
pendencies
Workflow
Exceptions

54. IAM Roles / Instance Metadata
Service
•
Entitlements of credentials => IAM role
•
Short-life & expiration of credentials provided by STS
•
Managed rotation
•
No stored credentials!
Overview of the
AWS service or
enterprise
process
Requirements/De
pendencies
Workflow
Exceptions

55. •
Eliminates need for individual IAM credentials
•
Reduces or eliminates need for federation
•
Combine with auditing of shell commands
•
Control access by host / purpose
Requirements/De
pendencies
Workflow
Bastion Host Configuration
Overview of the
AWS service or
enterprise
process
Exceptions

56. •
Read-only access to AWS assets
•
Census picture of all assets (feed scanning & SIEM reconciliation)
•
RDS & Redshift query and connection auditing
•
Change detection of vital objects
Requirements/De
pendencies
Workflow
Security Auditing Configuration
Overview of the
AWS service or
enterprise
process
Exceptions

57. Security Auditing / EC2 Read-only Policy
Overview of the
AWS service or
enterprise
process
Requirements/De
pendencies
Workflow
Exceptions
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"ec2:DescribeAddresses",
"ec2:DescribeImageAttribute",
"ec2:DescribeImages",
"ec2:DescribeInstanceAttribute",
"ec2:DescribeInstanceStatus",
"ec2:DescribeInstances",
"ec2:DescribeNetworkInterfaceAttribute",
"ec2:DescribeNetworkInterfaces",
"ec2:DescribeSecurityGroups",
"ec2:DescribeSubnets",
],
"Resource": [
"*"
],
"Effect": "Allow"
}
]
}

58. Security Auditing / RDS Read-only Policy
Overview of the
AWS service or
enterprise
process
Requirements/De
pendencies
Workflow
Exceptions
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"rds:DescribeDBInstances",
"rds:DescribeDBLogFiles",
"rds:DescribeDBParameterGroups",
"rds:DescribeDBParameters",
"rds:DownloadDBLogFilePortion"
],
"Resource": [
"*"
],
"Effect": "Allow",
"Condition": {
"streq": {
"rds:db-tag/environment": [
"prod",
"dr"
]
}
}
}]}

59. What to do after re:Invent
•
Update security strategy and vision
•
Map AWS features to strategic initiatives
•
Integrate AWS into your security operations
•
Document privilege isolation architecture
•
Begin transition to IAM roles for EC2
•
Enable IAM auditing role

60. References
• Updated Security Best Practices Whitepaper
http://media.amazonwebservices.com/AWS_Security_Best_Practices.pdf
• AWS Compliance Center
https://aws.amazon.com/compliance
• AWS Security Center
https://aws.amazon.com/security
• AWS Security Blog
http://blogs.aws.amazon.com/security/

61. Re:Invent Related Sessions
•
Come talk security with AWS - Thursday, 4-6pm in the Toscana 3605
room
•
SEC308 Auto-Scaling Web Application Security and AWS Thursday, 4:15pm
•
SEC402 Intrusion Detection in the Cloud -Thursday, 5:30pm
•
SEC304 Encryption and Key Management in AWS - Friday 9:00am
•
SEC306 Implementing Bulletproof HIPAA Solutions on AWS Friday, 11:30am

62. Please give us your feedback on this
presentation
ARC308
As a thank you, we will select prize
winners daily for completed surveys!