
Architecting security & governance across your AWS environment


Many AWS customers use multiple accounts to meet their requirements for billing, infrastructure isolation, and separation of duties. In this session, we discuss the latest updates around establishing and building a multi-account security and governance strategy. We will also take a look at data protection strategies for ensuring data integrity and availability using the AWS native services.


Architecting security & governance across your AWS environment

  1. SUMMIT London
  2. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. SUMMIT. Architecting security & governance across your AWS environment. Esteban Hernandez, Specialist SA for Security & Compliance EMEA, AWS. SEC4. Simon Waring, Head of Information Security, Starling Bank.
  3. Agenda: Architecting security & governance across your AWS environment; Starling Bank's managing security in AWS; Automated Landing Zone.
  4. Related breakouts: SEC1 - Identity and Access Management and Directory Services (Bernard Cobus); SEC2 - Threat detection & remediation in the Cloud (Matt Pitchford).
  5. Anatomy of an AWS Account: AWS Account 1234567891011.
  6. AWS Account: Security/Resource Boundary; API Limits/Throttling; Billing Separation.
  7. Anatomy of an AWS Account: AWS Account 1234567891011; Global services.
  8. Anatomy of an AWS Account: AWS Account 1234567891011; Global services; Regions (ap-west-1, eu-west-1, us-east-1, ... region n).
  9. Restrict Actions from outside specific regions: { "Version": "2012-10-17", "Statement": [ { "Sid": "DenyAllOutsideEU", "Effect": "Deny", "NotAction": [ "iam:*", "organizations:*", "route53:*", "budgets:*", "waf:*", "cloudfront:*", "globalaccelerator:*", "importexport:*", "support:*" ], "Resource": "*", "Condition": { "StringNotEquals": { "aws:RequestedRegion": [ "eu-central-1", "eu-west-1" ] } } } ] }
  10. Reduce the scope: AWS Account 1234567891011; Global services; Regions (ap-west-1, eu-west-1, eu-central-1, ... region n).
  11. Account models: from One Account to 1,000s of Accounts.
  12. Why one account isn't enough: Billing; Many Teams; Security / Compliance Controls; Business Process Isolation.
  13. Goals: Guardrails NOT Blockers; Auditable; Flexible; Automated; Scalable; Self-service.
  14. Account security considerations - Baseline Requirements: Lock; Enable; Define; Federate; Establish; Identify.
  15. What accounts should I create? Log Archive; Security; Shared Services; Organizations Account; Network; Billing; Dev Sandbox; Pre-prod; Prod; Other.
  16. AWS Organizations Master: No connection to DC; Service control policies; Consolidated billing; Volume discount; Minimal resources; Limited access; Restrict Orgs role!
  17. SCP: Stop CloudTrail from being disabled: { "Version": "2012-10-17", "Statement": [ { "Effect": "Deny", "Action": "cloudtrail:StopLogging", "Resource": "*" } ] }
  18. Granular SCP: No changes to Admin Role: { "Version": "2012-10-17", "Statement": [ { "Sid": "DenyChangesToAdminRole", "Effect": "Deny", "NotAction": [ "iam:GetContextKeysForPrincipalPolicy", "iam:GetRole", "iam:GetRolePolicy", "iam:ListAttachedRolePolicies", "iam:ListInstanceProfilesForRole", "iam:ListRolePolicies", "iam:ListRoleTags" ], "Resource": [ "arn:aws:iam::*:role/AdminRole" ], "Condition": { "StringNotLike": { "aws:PrincipalARN": "arn:aws:iam::*:role/AdminRole" } } } ] }
  19. Restrict Actions from outside specific regions: { "Version": "2012-10-17", "Statement": [ { "Sid": "DenyAllOutsideEU", "Effect": "Deny", "NotAction": [ "iam:*", "organizations:*", "route53:*", "budgets:*", "waf:*", "cloudfront:*", "globalaccelerator:*", "importexport:*", "support:*" ], "Resource": "*", "Condition": { "StringNotEquals": { "aws:RequestedRegion": [ "eu-central-1", "eu-west-1" ] } } } ] }
  20. Core accounts: Foundational Building Blocks; Once per organization; Have their own development life cycle (dev/qa/prod).
  21. Log archive account: Versioned Amazon S3 bucket; Restricted MFA delete; CloudTrail logs; Security logs; Single source of truth; Alarm on user login; Limited access.
  22. Security account: Optional data center connectivity; Security tools and audit; GuardDuty Master; Cross-account read/write; Automated Tooling; Limited access.
  23. Shared services account: Connected to DC; DNS; LDAP/Active Directory; Shared Services VPC; Deployment tools; Golden AMI Pipeline; Scanning infrastructure (Inactive instances, Improper tags, Snapshot lifecycle, Monitoring); Limited access.
  24. Network account: Managed by network team; Networking services; AWS Direct Connect; Limited access.
  25. Developer sandbox: No connection to DC; Innovation space; Fixed spending limit; Autonomous; Experimentation.
  26. Team/group accounts: Based on level of needed isolation; Match your development lifecycle; Think Small.
  27. Dev: Develop and iterate quickly; Collaboration space; Stage of SDLC.
  28. Pre-production: Connected to DC; Production-like; Staging; Testing; Automated Deployment.
  29. Production: Connected to DC; Production applications; Promoted from Pre-Prod; Limited access; Automated Deployments.
  30. Team shared services: Grows organically; Shared to the team; Product-specific common services; Data lake; Common tooling; Common services.
  31. Innovation pipeline: PoC; New initiatives; Experimentation; Innovation (Developer Accounts feeding the Team/Group Accounts: Dev, Pre-Prod, Prod, Shared Services).
  32. Special/exception: Be flexible; Regulatory/compliance; Additional isolation/security controls (PCI).
  33. Managing Security in AWS - Simon Waring, Head of Information Security.
  34. Starling Bank: Technology company with a banking licence; Cloud Native, mobile-only; Mastercard debit card; DDs and faster payments; Location-enriched transaction feed; Apple Pay, Google Pay, Fitbit Pay...; Spending insights; Granular card control; Open APIs & developer platform.
  35. We built a bank in a year: Jan 2014 - Founded by Anne Boden; Jun 2014 - Kick-off with Regulators; Sep 2015 - Technical prototypes; Jul 2016 - Granted a partial banking license; Nov 2016 - Launching the alpha app; Feb 2017 - Launching the beta app; Apr 2017 - Granted a full banking license; May 2017 - Public launch; Mar 2018 - Awarded Best British Bank; Mar 2019 - Awarded Best British Bank, Best Current Account Provider, Best Business Banking Provider.
  36. Compute: EC2, EKS, Lambda, Elastic Beanstalk. Storage: S3, EFS. Database: RDS, DynamoDB. Networking & Content Delivery: VPC, CloudFront, Route 53, API Gateway, Direct Connect. CloudWatch, AWS Auto Scaling, CloudFormation, CloudTrail. Analytics: Elasticsearch Service. Security, Identity & Compliance: IAM, Secrets Manager, GuardDuty, AWS Organizations, Key Management Service, Shield, Artifact, Security Hub. Application Integration: Step Functions, Simple Notification Service, Simple Queue Service. AWS Cost Management: AWS Cost Explorer, AWS Marketplace Subscriptions.
  37. Security Design Principles: AWS Well-Architected Security Framework; Keep it simple and clear; Visibility of privileged activity; Try to make engineers self-sufficient; Implement a strong identity foundation; Enable traceability; Apply security at all layers; Automate security best practices; Protect data in transit and at rest; Keep people away from data; Prepare for security events.
  38. IAM Implementation: Multi-account model; Clear RBAC roles; Segregation of duties; No standing privileged access; CloudWatch Alerting; GuardDuty.
  39. IAM - Multi-Account Model: Access to target account by assuming role once logged into "Users" account; Clear & appropriate roles; But how to manage privilege elevation?
  40. IAM - Segregation of duties. Security: Configure IAM; Provision User Accounts; Review privileged access logs; Build and operate security monitoring tools. Engineering: Utilise IAM roles; Peer authorisation of privilege elevation; Build infrastructure as code; Deploy infrastructure and applications via automation. Everyone: Access to AWS metadata; Visibility of privileged access; Visibility of IAM changes.
  41. Elevated Privileged Access Management: StarBot - Automated ChatOps; 4 Eyes Controls; Peer "4 eyes" authorisation; High Visibility; Logged and Auditable; Internal Slack Channel.
  42. Logging.
  43. Monitoring and Alerting - High visibility of sensitive activity and IAM changes: Slack notifications of privilege elevation; Email notifications of any changes to IAM configuration; Slack notifications of elastalert alarms; CloudWatch Alarms for unexpected behaviour: Any Root (AWS) account login attempts; Attempted user logins to (AWS) accounts other than in the "Users" account; Failed login attempts to (AWS) accounts.
  44. GuardDuty: Not our first ML based Monitoring System; Good for identifying abnormal behavior: API/Console access from locations not seen before; Unusual network traffic patterns; Services being brute forced; Suspicious AWS API activity; Integrates with CloudWatch for notifications...
  45. GuardDuty Alerting: Lambda; CloudWatch configured to trigger on Medium severity and above GuardDuty events.
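Slides 43 to 45 describe two pieces of detection logic: CloudWatch alarms on console sign-ins (root logins, IAM user logins to any account other than the "Users" account, failed logins) and a Lambda that forwards only GuardDuty findings of Medium severity or above. The following is an added example of that logic, not Starling Bank's or AWS's code: the "Users" account ID, the role of CloudTrail field names in the alarm rules, and every sample record are constructed, and the Lambda handler returns its decision instead of posting to Slack.

```python
"""Detection logic behind the alarms on slides 43-45.

Added example, not Starling Bank's or AWS's code. USERS_ACCOUNT and all
sample records are constructed; field names follow the CloudTrail
ConsoleLogin record and the GuardDuty finding delivered via CloudWatch Events.
"""

USERS_ACCOUNT = "111111111111"  # constructed: the only account humans sign in to

# GuardDuty severity bands: Low 1.0-3.9, Medium 4.0-6.9, High 7.0-8.9.
MEDIUM_SEVERITY = 4.0


def login_alarms(record):
    """Return the alarm names a CloudTrail record should raise (empty if none).

    In the multi-account model on slide 39 a person signs in to the Users
    account and assumes roles from there, so a direct IAM user sign-in to any
    other account is itself suspicious, whether or not it succeeded.
    """
    if record.get("eventName") != "ConsoleLogin":
        return []
    alarms = []
    identity = record.get("userIdentity", {})
    if identity.get("type") == "Root":
        alarms.append("RootLoginAttempt")
    if identity.get("type") == "IAMUser" and record.get("recipientAccountId") != USERS_ACCOUNT:
        alarms.append("LoginOutsideUsersAccount")
    if record.get("responseElements", {}).get("ConsoleLogin") == "Failure":
        alarms.append("FailedLogin")
    return alarms


def should_forward(finding, threshold=MEDIUM_SEVERITY):
    """Lambda-side gate: True for findings at Medium severity and above."""
    return float(finding.get("severity", 0)) >= threshold


def lambda_handler(event, context=None):
    """Handler shape for a CloudWatch Events rule on 'GuardDuty Finding' events
    (constructed); a real deployment would post the result to Slack or SNS."""
    finding = event.get("detail", {})
    if not should_forward(finding):
        return {"forwarded": False}
    return {"forwarded": True, "type": finding.get("type"),
            "severity": finding.get("severity"), "account": finding.get("accountId")}


# Constructed CloudTrail records: a normal sign-in, a root sign-in to a
# workload account, a failed IAM user sign-in outside the Users account,
# and an unrelated API call that the login rules must ignore.
SAMPLE_LOGINS = [
    {"eventName": "ConsoleLogin", "recipientAccountId": USERS_ACCOUNT,
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventName": "ConsoleLogin", "recipientAccountId": "222222222222",
     "userIdentity": {"type": "Root"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventName": "ConsoleLogin", "recipientAccountId": "333333333333",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "responseElements": {"ConsoleLogin": "Failure"}},
    {"eventName": "AssumeRole", "recipientAccountId": "333333333333",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}},
]

# Constructed GuardDuty events as delivered through CloudWatch Events.
SAMPLE_FINDINGS = [
    {"detail-type": "GuardDuty Finding",
     "detail": {"type": "Recon:EC2/PortProbeUnprotectedPort", "severity": 2,
                "accountId": "333333333333"}},
    {"detail-type": "GuardDuty Finding",
     "detail": {"type": "UnauthorizedAccess:IAMUser/ConsoleLoginSuccess.B", "severity": 5,
                "accountId": "333333333333"}},
]


def run_samples():
    """Evaluate the constructed records; handy for a quick local check."""
    return {"logins": [login_alarms(r) for r in SAMPLE_LOGINS],
            "findings": [lambda_handler(e)["forwarded"] for e in SAMPLE_FINDINGS]}


if __name__ == "__main__":
    print(run_samples())
```

In production the login rules would be CloudWatch Logs metric filters over the CloudTrail log group with an alarm on each metric; keeping the classification in one function as above makes it easy to replay historical CloudTrail records through it when tuning, which is the kind of "monitor the monitoring" check slide 46 calls for.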
  46. Monitoring the monitoring: Fire Alarm Tests - "dead man's switch"; Monitor the monitoring. As you can see, we are into monitoring in a big way.
  47. Security Testing. Independent Testing: Fixed (End-to-End) scope penetration testing of infrastructure and applications; Recurring test schedule; Dual industry leading organisations performing alternate tests; "Onion Ring" approach to testing. Internal Testing: Internal security testing function; Frequent penetration testing of features and controls; "Unhappy" path reviews; Threat modelling. All significant results from testing formally recorded, tracked and risk managed.
  48. Thank you! Check out the Starling Podcasts! https://www.starlingbank.com/blog/introducing-starling-developer-podcast/
  49. Multi-account approach: Orgs: Account management; Log Archive: Security logs; Security: Security tools, AWS Config rules; Shared services: Directory, limit monitoring; Network: Direct Connect; Dev Sandbox: Experiments, Learning; Dev: Development; Pre-Prod: Staging; Prod: Production; Team SS: Team Shared Services, Data Lake.
  50. The AWS Landing Zone solution: An easy-to-deploy solution that automates the setup of new AWS multi-account environments; Based on AWS best practices and recommendations; Initial security and governance controls; Baseline accounts and account vending machine; Automated deployment.
  51. AWS Landing Zone structure - Basic: Organizations Account (Account Provisioning; Account Access (SSO)); Shared Services Account (Active Directory; Log Analytics); Log Archive (Security Logs); Security Account (Audit / Break-glass).
  52. Account vending machine (AWS Service Catalog): Account creation factory; User Interface to create new accounts; Account baseline versioning; Launch constraints. Flow: Creates/updates AWS account; Apply account baseline stack sets; Create network baseline; Apply account security control policy (across Organizations, Security, Log Archive, Shared Services and the new account).
  53. Next steps: Define tagging strategy; Define automation strategy; Create Organizations Master account; Create Log Archive account; Create Security account; Create Shared Services account; Create Developer Sandbox account(s).
  54. Action Plan
      Create Organizations Master account
      • Create temporary s3 bucket for CloudTrail logs
      • Enable CloudTrail locally
      • Enable organizations full feature
      Create Log Archive account
      • Create bucket(s) for security logs (CloudTrail, AWS Config)
      • Enable MFA delete
      • Enable versioning
      • Define limited access bucket policy
      • Add SCP to prevent s3:delete
      • Backfill: Enable CloudTrail in organizations master account to send logs to Log Archive account
      • Backfill: Copy CloudTrail logs for actions that happened between Organizations Master creation and log archive
      Create Security account
      • Backfill: cross-account roles with trust to security account for organizations master and log archive
      • Read-only role
      • Read/Write role (fewer permissions for assumption)
      • <CommonCheckList>
      • Create security tooling/Lambda functions for security checks
      Create Shared Services account
      • <CommonCheckList>
      • Connect via DX/VPN to DC
      • Launch common services
      • Directory services
      • Limit monitoring
      Create AWS Network account
      • Order your Direct Connect
      • <CommonCheckList>
  55. Common Checklist
      • Secure Root credentials
        • MFA: OTP; U2F could make this easier for managing them (https://aws.amazon.com/blogs/security/how-to-create-and-manage-users-within-aws-sso/)
        • Complex password
        • Establish rotation policy
      • Link to Organizations Master account if not already a member
      • Use group email/phone as the contact info
      • Enable CloudTrail in all regions, send to Log Archive account
      • Enable GuardDuty in all regions
        • Security Account as GuardDuty master
        • Operationalize the findings
      • Enable AWS Config, send to Log Archive account
      • Enable appropriate AWS Config rules (s3 bucket encryption, s3 world read/write, ebs encryption etc.)
      • Create read-only cross-account Security role
      • Create read/write cross-account Security role
      • Create VPC (non-overlapping IP space)
      • Enable federation into account (http://federationworkshopreinvent2016.s3-website-us-east-1.amazonaws.com/)
      • Define roles and access policies
      • Peer/PrivateLink VPC with Shared Services
      • Add a policy for prefix naming conditions to every account. For example, deny access to Lambda functions that start with "security*"
      • Review CIS Foundations Benchmark and leverage as appropriate
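The Action Plan on slide 54 and the Common Checklist on slide 55 are, in effect, a per-account baseline that has to hold for every account the vending machine produces. The script below is an added example, not part of the deck or of the AWS Landing Zone solution: it expresses that baseline as checks over an account snapshot and generates the "SCP to prevent s3:delete" for the Log Archive bucket. The snapshot format (plain dicts), the bucket name, the region list, the Shared Services CIDR, the cross-account role names and both sample accounts are constructed; in practice the values would be collected with the AWS APIs or reported by AWS Config rules.

```python
"""Baseline checks for slides 54-55 over a constructed account snapshot.

Added example, not the deck's or AWS Landing Zone's code. Every constant and
both sample accounts are constructed; real values would come from the AWS
APIs or AWS Config.
"""
import ipaddress

LOG_ARCHIVE_BUCKET = "example-org-log-archive"                # constructed
ALL_REGIONS = ["eu-west-1", "eu-central-1", "us-east-1"]      # constructed: enabled regions
SHARED_SERVICES_CIDR = ipaddress.ip_network("10.0.0.0/16")    # constructed
SECURITY_ROLES = ("SecurityReadOnly", "SecurityReadWrite")    # constructed role names


def log_archive_delete_scp(bucket=LOG_ARCHIVE_BUCKET):
    """Slide 54, 'Add SCP to prevent s3:delete': deny deletes on the archive
    bucket and its objects for every principal in the organization."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "ProtectLogArchive", "Effect": "Deny",
        "Action": ["s3:DeleteObject", "s3:DeleteObjectVersion", "s3:DeleteBucket"],
        "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"]}]}


def audit_log_archive_bucket(bucket):
    """Slide 54: the archive bucket must be versioned with MFA delete enabled."""
    failed = []
    if not bucket.get("versioning"):
        failed.append("versioning")
    if not bucket.get("mfa_delete"):
        failed.append("MFA delete")
    return failed


def audit_account(acct, regions=ALL_REGIONS):
    """Return the Common Checklist items the snapshot fails, in checklist order."""
    failed = []
    if not acct.get("root", {}).get("mfa_enabled"):
        failed.append("root MFA")
    if not acct.get("in_organization"):
        failed.append("linked to Organizations Master")
    if not acct.get("contact_is_group"):
        failed.append("group contact info")
    trails = acct.get("cloudtrail", [])
    if not any(t.get("multi_region") and t.get("bucket") == LOG_ARCHIVE_BUCKET for t in trails):
        failed.append("CloudTrail all regions -> Log Archive")
    missing = [r for r in regions if r not in acct.get("guardduty_regions", [])]
    if missing:
        failed.append("GuardDuty all regions (missing: %s)" % ", ".join(missing))
    cfg = acct.get("config", {})
    if not (cfg.get("enabled") and cfg.get("bucket") == LOG_ARCHIVE_BUCKET):
        failed.append("AWS Config -> Log Archive")
    for b in acct.get("s3_buckets", []):          # the AWS Config rules from slide 55
        if not b.get("encrypted"):
            failed.append("s3 bucket encryption: " + b["name"])
        if b.get("public"):
            failed.append("s3 world read/write: " + b["name"])
    if not acct.get("ebs_default_encryption"):
        failed.append("ebs encryption")
    for role in SECURITY_ROLES:
        if role not in acct.get("cross_account_roles", []):
            failed.append("cross-account role: " + role)
    for cidr in acct.get("vpc_cidrs", []):        # non-overlapping IP space
        if ipaddress.ip_network(cidr).overlaps(SHARED_SERVICES_CIDR):
            failed.append("VPC overlaps Shared Services: " + cidr)
    if not acct.get("federation_enabled"):
        failed.append("federation into account")
    return failed


# Constructed snapshots: one account that meets the baseline, one that does not.
COMPLIANT = {
    "root": {"mfa_enabled": True}, "in_organization": True, "contact_is_group": True,
    "cloudtrail": [{"name": "org-trail", "multi_region": True, "bucket": LOG_ARCHIVE_BUCKET}],
    "guardduty_regions": ALL_REGIONS,
    "config": {"enabled": True, "bucket": LOG_ARCHIVE_BUCKET},
    "s3_buckets": [{"name": "app-data", "encrypted": True, "public": False}],
    "ebs_default_encryption": True, "cross_account_roles": list(SECURITY_ROLES),
    "vpc_cidrs": ["10.42.0.0/16"], "federation_enabled": True,
}
NONCOMPLIANT = {
    "root": {"mfa_enabled": False}, "in_organization": True, "contact_is_group": False,
    "cloudtrail": [{"name": "local", "multi_region": False, "bucket": "local-logs"}],
    "guardduty_regions": ["eu-west-1"],
    "config": {"enabled": False},
    "s3_buckets": [{"name": "public-site", "encrypted": False, "public": True}],
    "ebs_default_encryption": False, "cross_account_roles": ["SecurityReadOnly"],
    "vpc_cidrs": ["10.0.128.0/17"], "federation_enabled": False,
}

if __name__ == "__main__":
    for name, acct in (("compliant", COMPLIANT), ("noncompliant", NONCOMPLIANT)):
        print(name, audit_account(acct))
```

Running the audit from the Security account through the read-only cross-account role, and feeding the failed items into the notification and remediation path on slide 56, is how the checklist stops being a document and becomes a guardrail.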
  56. Putting it All Together: Policy Enforcement (AWS Landing Zone; Policy Deployment; Notification; Remediation). Account Metadata: Owner, Function, Policies, BU, SDLC, Cost Center etc. Prod: Encrypt EBS; No IGW; Guardrail "x". QA: Encrypt EBS; Guardrail "x"; Guardrail "y". Policy "p": Encrypt EBS; No IGW; Guardrail "y".
  57. Thank you! Esteban Hernández, esaino@amazon.co.uk; Simon Waring, simon.waring@starlingbank.com.
  58. SUMMIT.
