
AWS Security by Design



  1. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
     AWS Security by Design
     Shafreen Sayyed, Solutions Architect, Amazon Web Services
     10th May 2018
  2. Security by Design Principles
     • Implement a segregated account environment
     • Implement a strong identity foundation
     • Enable traceability
     • Apply security at all layers
     • Automate security best practices
     • Protect data (in transit and at rest)
     • Prepare for security events
  3. An Expansive Ecosystem
     Products integrated with the AWS platform and easy to test
  4. Implement a segregated account environment
  5. AWS Organizations (Outline Multi-Account Structure) (diagram)
     Account tiers shown: Organization Master Account (Billing); Organization Accounts; BU/Product/Resource Accounts; Developer Accounts.
     Account labels shown: Security, Logging, Shared Services, Tooling, Internal Audit, Direct Conn. Account, External Data centre, Developer Sandbox, Dev, Pre-Prod, Prod, Sandbox; Amazon CloudFormation StackSets.
  6. Implement a strong identity foundation
  7. AWS Identity and Access Management (IAM)
     Ensure only authorized and authenticated users are able to access resources:
     • Define users, groups, services and roles
     • Protect AWS credentials
     • Use fine-grained authorization/access control
  8. Define access (users, groups, services, roles)
     • Think carefully
     • SAML 2.0
     • Define a management policy
     • Logically group users
     • Apply group policies
     • Least privilege access
     • Be granular
     • Use roles for instances and functions
     • Avoid using API keys in code
  9. Protecting AWS credentials
     • Establish least-privileged user access
     • Enable MFA on the root account
     • Consider federation
     • Set a password policy
     • MFA for users and/or certain operations (S3 delete)
     • Avoid storing API keys in source control
     • Use temporary credentials via AWS STS
  10. Fine-grained access control
     • Establish the least privilege principle
     • Users have no permissions
     • Groups have permission to assume a role
     • Roles hold only the permissions the task needs, according to least privilege
     • Use AWS Organizations to centrally manage access
  11. Amazon GuardDuty
     • A threat detection service re-imagined for the cloud
     • Continuously monitors and protects AWS accounts along with the applications and services running within them
     • Detects known threats as well as unknown threats (zero-days)
     • Makes use of artificial intelligence / machine learning
     • Integrated threat intelligence
     • Operates on CloudTrail, VPC Flow Logs and DNS
     • Detailed and actionable findings, emitted as CloudWatch Events and console reports
  12. Detecting Known Threats: Threat Intelligence
     • GuardDuty consumes feeds from various sources: AWS Security, commercial feeds, open source feeds, customer-provided threat intel (STIX)
     • Known malware-infected hosts
     • Anonymising proxies
     • Sites hosting malware and hacker tools
     • Crypto-currency mining pools and wallets
  13. Detecting Unknown Threats: Anomaly Detection
     • Algorithms to detect unusual behaviour
     • Inspecting signal patterns for signatures
     • Profiling normal and looking at deviations
     • Machine learning classifiers
  14. What can the service detect? (diagram)
     RDP brute force, RAT installed, exfiltration of temporary IAM credentials over DNS, probing the API with temporary credentials, attempt to compromise account, malicious or suspicious IP, unusual ports, DNS exfiltration, unusual traffic volume, connection to a blacklisted site, recon, anonymizing proxy, temporary credentials used off-instance, unusual ISP caller, bitcoin activity, unusual instance launch
     https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types.html#actual-types
  15. GuardDuty Partners
  16. Resources
     AWS IAM - https://aws.amazon.com/iam/
     AWS STS - https://docs.aws.amazon.com/STS/latest/APIReference/Welcome.html
     AWS Organizations - https://aws.amazon.com/organizations/
     https://www.youtube.com/watch?v=ZKpkF17d0Oo&feature=youtu.be
     AWS git-secrets - https://github.com/awslabs/git-secrets
     AWS Multi-account strategy - https://www.youtube.com/watch?v=71fD8Oenwxc
     AWS GuardDuty finding types - https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types.html#actual-types
     https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html#guardduty_filter-findings
  17. Enable traceability
  18. Detective controls
     Identifying a potential security threat is essential for legal and compliance assurance. Key areas are:
     • Capture and analyze logs
     • Integrate auditing controls with notifications and workflow / use your logs
  19. Log sources: AWS CloudTrail, AWS Config, Amazon CloudWatch Logs, VPC Flow Logs, ELB logs, API endpoint logs, Amazon Redshift logs, ...
     If it moves, log it! (If it doesn’t move, watch it ’til it moves, then log it!)
  20. Different log categories
     AWS infrastructure logs: AWS CloudTrail, Amazon VPC Flow Logs, ...
     AWS service logs: Amazon S3, Elastic Load Balancing, Amazon CloudFront, AWS Lambda (sometimes), AWS Elastic Beanstalk, ...
     Host-based logs: messages, security, NGINX/Apache, syslog etc., performance monitoring, ...
     Security-related events can appear in any of these categories.
  21. Multiple levels of automation
     Self managed:
     • AWS CloudTrail -> Amazon CloudWatch Logs -> Amazon CloudWatch Alerts
     • AWS CloudTrail -> Amazon SNS -> AWS Lambda
     Compliance validation: AWS Config Rules
     Host-based compliance checking: Amazon Inspector
     Active change remediation: Amazon CloudWatch Events
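The self-managed path on this slide (CloudTrail -> CloudWatch Logs -> alert) only works if something actually evaluates the records. The following is an added example, not code from the deck: three detection checks that such a pipeline would run before raising an alarm, tied to the credential-protection points made earlier (root account use, console login without MFA, and IAM permission changes). The rule set is my own choice; the log lines are constructed samples in CloudTrail's record shape with only the fields the checks read filled in, and one deliberately malformed line to show that a bad record is skipped rather than breaking the scan.

```python
"""Detection checks for the CloudTrail -> CloudWatch Logs -> alarm path (added example)."""
import json

# Constructed sample records, one JSON document per line, as a CloudWatch Logs
# subscription would deliver them. Account id and IPs are documentation values.
SAMPLE_LOG_LINES = [
    json.dumps({"eventTime": "2018-05-10T09:00:00Z", "eventSource": "signin.amazonaws.com",
                "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.10",
                "userIdentity": {"type": "IAMUser", "userName": "alice"},
                "additionalEventData": {"MFAUsed": "Yes"}}),
    json.dumps({"eventTime": "2018-05-10T09:05:00Z", "eventSource": "signin.amazonaws.com",
                "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.11",
                "userIdentity": {"type": "IAMUser", "userName": "bob"},
                "additionalEventData": {"MFAUsed": "No"}}),
    json.dumps({"eventTime": "2018-05-10T09:10:00Z", "eventSource": "ec2.amazonaws.com",
                "eventName": "RunInstances", "sourceIPAddress": "198.51.100.7",
                "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"}}),
    json.dumps({"eventTime": "2018-05-10T09:12:00Z", "eventSource": "iam.amazonaws.com",
                "eventName": "AttachUserPolicy", "sourceIPAddress": "203.0.113.12",
                "userIdentity": {"type": "AssumedRole",
                                 "arn": "arn:aws:sts::111122223333:assumed-role/Deployer/ci"},
                "requestParameters": {"userName": "bob",
                                      "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}}),
    "not json at all",  # malformed line: must be skipped, not crash the scan
]

# IAM calls that change who can do what; any of these is worth an alert
IAM_PRIVILEGE_EVENTS = {"AttachUserPolicy", "AttachRolePolicy", "AttachGroupPolicy",
                        "PutUserPolicy", "PutRolePolicy", "PutGroupPolicy", "CreateAccessKey"}


def root_activity(rec):
    """The root account should be MFA-protected and unused day to day; any API call is a finding."""
    if rec.get("userIdentity", {}).get("type") == "Root":
        return "API call made with root account credentials"
    return None


def console_login_without_mfa(rec):
    """CloudTrail records MFAUsed for console sign-ins; 'No' means a password-only login."""
    if rec.get("eventName") == "ConsoleLogin" and \
            rec.get("additionalEventData", {}).get("MFAUsed") == "No":
        return "console login without MFA"
    return None


def iam_privilege_change(rec):
    if rec.get("eventSource") == "iam.amazonaws.com" and rec.get("eventName") in IAM_PRIVILEGE_EVENTS:
        return "IAM permission change: " + rec["eventName"]
    return None


RULES = {"root-activity": root_activity,
         "console-login-no-mfa": console_login_without_mfa,
         "iam-privilege-change": iam_privilege_change}


def scan(lines):
    """Run every rule over every parseable record; return the findings to alert on."""
    findings = []
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # a broken line is logged elsewhere; it must not stop the scan
        if not isinstance(rec, dict):
            continue
        identity = rec.get("userIdentity", {})
        for name, rule in RULES.items():
            reason = rule(rec)
            if reason:
                findings.append({"rule": name, "time": rec.get("eventTime"),
                                 "principal": identity.get("userName") or identity.get("arn"),
                                 "source_ip": rec.get("sourceIPAddress"), "reason": reason})
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG_LINES):
        print(finding)
```

In the CloudWatch Logs flavour of this pipeline the same predicates would be expressed as metric filters feeding alarms; in the SNS -> Lambda flavour the `scan` function is the Lambda body and each finding becomes a notification.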
  22. AWS Trusted Advisor checks your account
  23. Resources
     AWS Config – https://aws.amazon.com/config/
     AWS Config Rules – https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html
     Amazon Inspector - https://aws.amazon.com/inspector/
     Amazon Elasticsearch Service - https://aws.amazon.com/elasticsearch-service/
     Amazon CloudWatch Logs - https://aws.amazon.com/cloudwatch/
     Amazon Athena – https://aws.amazon.com/athena/
     Amazon Glacier – https://aws.amazon.com/glacier/
     AWS Lambda – https://aws.amazon.com/lambda/
  24. Apply security at all layers
  25. Defence-in-depth
  26. Infrastructure protection
     • Protect network and host level boundaries
     • System security config and management
     • Enforce service-level protection
  27. Protect network and host level boundaries
     VPC considerations:
     • Subnets to separate workloads
     • Use NACLs to prevent access between subnets
     • Use route tables to deny internet access from protected subnets
     • Use security groups to grant access to and from other security groups
     Limit what you run in public subnets:
     • ELBs, ALBs and NLBs
     • Bastion hosts
     • Try to avoid, where possible, having a system directly accessible from the internet
     External connectivity for management:
     • Use VPN gateways to your on-premise systems
     • Direct Connect
  28. AWS Shield
     Standard Protection: protection against the most common DDoS attacks, and access to tools and best practices to build a DDoS-resilient architecture on AWS.
     Advanced Protection: additional protection against larger and more sophisticated attacks, visibility into attacks, AWS cost protection, Layer 7 mitigations, and 24x7 access to DDoS experts for complex cases.
  29. AWS Shield: four key pillars
     • AWS integration: DDoS protection without infrastructure changes
     • Affordable: don’t force unnecessary trade-offs between cost and availability
     • Flexible: customize protections for your applications
     • Always-on detection and mitigation: minimize impact on application latency
  30. AWS Shield Advanced
     • Always-on monitoring and detection
     • Advanced L3/4 and L7 DDoS protection
     • Attack notification and reporting
     • 24x7 access to the DDoS Response Team
     • AWS bill protection
  31. AWS WAF – Layer 7 application protection
     • Web traffic filtering with custom rules
     • Malicious request blocking
     • Active monitoring and tuning
     • Managed WAF rules available on AWS Marketplace
  32. The Artifact Service
  33. Systems Manager capabilities
     Run Command, Maintenance Windows, Inventory, State Manager, Parameter Store, Patch Manager, Automation (grouped on the slide under Configuration/Administration, Update and Track, and Shared Capabilities)
  34. System security config and management
     • OS-based firewalls
     • Remove unnecessary packages from the OS
     • Remove direct access to machines – Systems Manager
     • Amazon Inspector to scan the OS and applications for CVEs (Common Vulnerabilities and Exposures)
     • Don’t forget security groups
  35. Resources
     Amazon VPC – https://aws.amazon.com/vpc/
     AWS Direct Connect – https://aws.amazon.com/directconnect/
     Amazon Inspector - https://aws.amazon.com/inspector/
     AWS KMS - https://aws.amazon.com/kms/
     AWS Systems Manager - https://aws.amazon.com/systems-manager/
     AWS WAF – https://aws.amazon.com/waf/
     AWS Shield - https://aws.amazon.com/shield/
     AWS Artifact - https://aws.amazon.com/waf/
  36. Automate security best practices
  37. Ensure best practice
     • Template everything (CloudFormation, Terraform, etc.)
     • Utilise CI/CD pipelines
     • Set custom AWS Config rules, e.g. s3-bucket-public-write-prohibited and s3-bucket-public-read-prohibited
     • Amazon Inspector to detect known vulnerabilities
     • Automate response to non-compliant infrastructure
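To show what a Config rule of the kind named on this slide actually evaluates, here is an added example (not the deck's code and not the AWS managed rule's implementation) of the check behind s3-bucket-public-write-prohibited: a bucket is NON_COMPLIANT when either its ACL or its bucket policy lets the AllUsers or AuthenticatedUsers group, or a `*` principal, write. The bucket records are constructed; their `acl` and `policy` fields follow the S3 GetBucketAcl and GetBucketPolicy shapes. Statements with a Condition are reported for review rather than evaluated, which is a simplification of what the managed rule does.

```python
"""S3 public-write compliance check in the shape of an AWS Config rule evaluation (added example)."""
import fnmatch

# S3's two "everyone" grantee groups
PUBLIC_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
# ACL permissions that allow writing objects or changing the ACL itself
ACL_WRITE_PERMISSIONS = {"WRITE", "WRITE_ACP", "FULL_CONTROL"}
# Policy actions that amount to write access; policy Action values may be wildcards
WRITE_ACTIONS = ["s3:PutObject", "s3:PutObjectAcl", "s3:DeleteObject",
                 "s3:PutBucketAcl", "s3:PutBucketPolicy"]


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_is_public(principal):
    """'*' or {"AWS": "*"} means anyone, including anonymous callers."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(p == "*" for p in _as_list(principal.get("AWS", [])))
    return False


def _actions_allow_write(actions):
    """True if any Action pattern (e.g. 's3:Put*', '*') covers a write action."""
    for pattern in _as_list(actions):
        for action in WRITE_ACTIONS:
            if fnmatch.fnmatchcase(action.lower(), pattern.lower()):
                return True
    return False


def evaluate_bucket(bucket):
    """Return the Config-style evaluation for one bucket record."""
    reasons = []
    for grant in bucket.get("acl", {}).get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("URI") in PUBLIC_GROUP_URIS and grant.get("Permission") in ACL_WRITE_PERMISSIONS:
            reasons.append(f"ACL grants {grant['Permission']} to {grantee['URI'].rsplit('/', 1)[-1]}")
    policy = bucket.get("policy") or {}
    for i, st in enumerate(_as_list(policy.get("Statement", []))):
        if st.get("Effect") != "Allow" or not _principal_is_public(st.get("Principal")):
            continue
        if not _actions_allow_write(st.get("Action", [])):
            continue
        # Simplification: a Condition block is flagged for review rather than evaluated,
        # so a statement scoped by e.g. aws:SourceVpc is still reported.
        qualifier = " (has Condition; review)" if "Condition" in st else ""
        reasons.append(f"policy statement {st.get('Sid', i)} allows write to a public principal{qualifier}")
    return {"bucket": bucket["name"],
            "compliance": "NON_COMPLIANT" if reasons else "COMPLIANT",
            "reasons": reasons}


def evaluate_all(buckets):
    return {r["bucket"]: r for r in map(evaluate_bucket, buckets)}


# Constructed bucket records (names, account id and VPC id are placeholders)
SAMPLE_BUCKETS = [
    {"name": "logs-archive",
     "acl": {"Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "0123abcd"}, "Permission": "FULL_CONTROL"}]},
     "policy": {"Version": "2012-10-17", "Statement": [
         {"Sid": "WriterRoleOnly", "Effect": "Allow",
          "Principal": {"AWS": "arn:aws:iam::111122223333:role/LogWriter"},
          "Action": "s3:PutObject", "Resource": "arn:aws:s3:::logs-archive/*"}]}},
    {"name": "uploads-legacy",
     "acl": {"Grants": [{"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
                         "Permission": "WRITE"}]},
     "policy": None},
    {"name": "www-assets",  # public read only: outside this rule's scope
     "acl": {"Grants": []},
     "policy": {"Version": "2012-10-17", "Statement": [
         {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
          "Action": "s3:GetObject", "Resource": "arn:aws:s3:::www-assets/*"}]}},
    {"name": "shared-drop",
     "acl": {"Grants": []},
     "policy": {"Version": "2012-10-17", "Statement": [
         {"Sid": "VpcWriters", "Effect": "Allow", "Principal": {"AWS": "*"},
          "Action": ["s3:Put*"], "Resource": "arn:aws:s3:::shared-drop/*",
          "Condition": {"StringEquals": {"aws:SourceVpc": "vpc-0example"}}}]}},
]

if __name__ == "__main__":
    for result in evaluate_all(SAMPLE_BUCKETS).values():
        print(result)
```

The dictionary `evaluate_bucket` returns maps directly onto the ComplianceType and Annotation a custom Config rule's Lambda reports back; the "automate response" bullet is then a matter of routing NON_COMPLIANT evaluations to a remediation step, as the playbook in the next slides does for EC2.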
  38. The Event Response Automation Playbook… (diagram)
     Adversary (or intern) acts in your environment -> CloudWatch Events event -> Lambda responder
  39. Example: “Only allow EC2 instances launched from approved AMIs and with appropriate subnets and security groups”
  40. EC2 launch parameters:
     ImageId=ami-f9dd458a
     SubnetId=subnet-a8aa4ef0
     SecurityGroups=[ GroupId=sg-45533823 ]
  41. CloudWatch Events event (rule pattern):
     {
       "detail-type": [ "EC2 Instance State-change Notification" ],
       "detail": { "state": [ "pending" ] },
       "source": [ "aws.ec2" ]
     }
  42. Responder
     # check if the AMI is approved
     # check if the AMI is used in the correct subnet
     # check if the AMI was launched with an approved security group
  43. Amazon DynamoDB (approved launch table):
     { "ami": "ami-0d77397e", "region": "eu-west-1", "security_groups": [ "sg-cc9a3aaa" ], "subnets": [ "subnet-ac3d7cda", "subnet-2f9c1677" ] },
     { "ami": "ami-f9dd458a", "region": "eu-west-1", "security_groups": [ "sg-ee9a3a88" ], "subnets": [ "subnet-ad3d7cdb", "subnet-2e9c1676" ] }
  44. Event (the entry the responder emits; Python, `instance_id` is the instance being checked):
     import time
     {
       'Time': int(time.time()),
       'Source': 'auto.responder.level1',
       'Resources': [ str(instance_id) ],
       'DetailType': 'activeResponse',
       'Detail': { 'instance': instance_id, 'actionsRequested': 'instanceTermination' }
     }
  45. CloudWatch Events event (rule pattern for the L2 responder):
     { "detail-type": [ "activeResponse" ], "source": [ "auto.responder.level1" ] }
  46. L2 responder: ec2.terminate_instances
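The slides show the pieces of the playbook but not the decision logic that joins them. The following added example (not the deck's code) implements the level-1 responder end to end: it filters the CloudWatch Events record to the pattern on slide 41, looks the instance up, runs the three checks from slide 42 against the approval table from slide 43, and on failure returns the activeResponse event from slide 44 that the level-2 responder would act on. The DynamoDB table is held in a list; instance lookup is passed in as a callable so the logic runs offline (in the Lambda it would wrap `ec2.describe_instances`); the `put_events` call and the terminate step are left to the L2 stage. The `reasons` field inside `Detail` is my addition so the L2 responder can log why it acted.

```python
"""Level-1 responder for the EC2 approved-launch playbook (added example)."""
import time

# Stand-in for the DynamoDB approval table (rows as shown on the slide)
APPROVED_LAUNCHES = [
    {"ami": "ami-0d77397e", "region": "eu-west-1",
     "security_groups": ["sg-cc9a3aaa"], "subnets": ["subnet-ac3d7cda", "subnet-2f9c1677"]},
    {"ami": "ami-f9dd458a", "region": "eu-west-1",
     "security_groups": ["sg-ee9a3a88"], "subnets": ["subnet-ad3d7cdb", "subnet-2e9c1676"]},
]


def check_launch(region, image_id, subnet_id, group_ids, table=APPROVED_LAUNCHES):
    """The three checks on the Responder slide; returns a list of violations (empty = approved)."""
    row = next((r for r in table if r["ami"] == image_id and r["region"] == region), None)
    if row is None:
        return [f"AMI {image_id} is not approved in {region}"]
    violations = []
    if subnet_id not in row["subnets"]:
        violations.append(f"subnet {subnet_id} not approved for {image_id}")
    for gid in group_ids:
        if gid not in row["security_groups"]:
            violations.append(f"security group {gid} not approved for {image_id}")
    return violations


def build_active_response(instance_id, violations, now=None):
    """The Event from slide 44, plus 'reasons' (my addition) so the L2 responder can log why."""
    return {
        "Time": int(now if now is not None else time.time()),
        "Source": "auto.responder.level1",
        "Resources": [str(instance_id)],
        "DetailType": "activeResponse",
        "Detail": {"instance": instance_id, "actionsRequested": "instanceTermination",
                   "reasons": violations},
    }


def level1_responder(event, describe_instance, table=APPROVED_LAUNCHES):
    """Handle one CloudWatch Events record; return the activeResponse event to emit, or None."""
    if event.get("source") != "aws.ec2" or \
            event.get("detail-type") != "EC2 Instance State-change Notification":
        return None
    detail = event.get("detail", {})
    if detail.get("state") != "pending":  # the rule pattern on slide 41 only matches 'pending'
        return None
    instance_id = detail["instance-id"]
    inst = describe_instance(instance_id)  # one Instance dict as describe_instances returns it
    violations = check_launch(event["region"], inst["ImageId"], inst.get("SubnetId"),
                              [g["GroupId"] for g in inst.get("SecurityGroups", [])], table)
    if not violations:
        return None
    return build_active_response(instance_id, violations)


def make_state_change_event(instance_id, state="pending", region="eu-west-1"):
    """Constructed CloudWatch Events record in the shape the slide's rule pattern matches."""
    return {"version": "0", "source": "aws.ec2",
            "detail-type": "EC2 Instance State-change Notification", "region": region,
            "resources": [f"arn:aws:ec2:{region}:111122223333:instance/{instance_id}"],
            "detail": {"instance-id": instance_id, "state": state}}


# Constructed describe_instances results: one approved launch, one using the
# subnet and security group from slide 40, which are not in the table.
SAMPLE_INSTANCES = {
    "i-0aaaaaaaaaaaaaaa1": {"ImageId": "ami-f9dd458a", "SubnetId": "subnet-ad3d7cdb",
                            "SecurityGroups": [{"GroupId": "sg-ee9a3a88"}]},
    "i-0bbbbbbbbbbbbbbb2": {"ImageId": "ami-f9dd458a", "SubnetId": "subnet-a8aa4ef0",
                            "SecurityGroups": [{"GroupId": "sg-45533823"}]},
}


def describe_constructed(instance_id):
    return SAMPLE_INSTANCES[instance_id]


if __name__ == "__main__":
    for iid in SAMPLE_INSTANCES:
        print(iid, level1_responder(make_state_change_event(iid), describe_constructed))
```

Keeping the decision (L1) and the destructive action (L2) in separate functions with separate IAM roles, as the deck's two-stage design does, means the code that reads events and tables never needs `ec2:TerminateInstances`, and the event between them is an auditable record of every action requested.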
  47. Resources
     Amazon VPC – https://aws.amazon.com/
     AWS Systems Manager – https://aws.amazon.com/systems-manager/
     Amazon Inspector - https://aws.amazon.com/inspector/
     AWS CloudFormation - https://aws.amazon.com/cloudformation/
     AWS SAM - https://github.com/awslabs/serverless-application-model
     AWS Pipeline - https://aws.amazon.com/codepipeline/
     AWS KMS - https://aws.amazon.com/kms/
     Terraform - https://www.terraform.io/
  48. Protect data – at rest, in transit, in use (?)
  49. Data Protection: AWS CloudHSM, AWS Key Management Service, AWS Certificate Manager
  50. Data Protection - Encryption
     Encryption in transit: SSL/TLS, VPN / IPsec, SSH
     Encryption at rest: object, database, filesystem, disk
  51. Data in transit
     AWS endpoints are HTTPS, but what can you do?
     • VPN connectivity to the VPC
     • TLS application communication
     • ELB/ALB or CloudFront, with ACM
  52. Data at rest
     Inbuilt encryption:
     • S3: select KMS key on upload
     • EBS and RDS snapshots: automatically encrypt data at rest
     • DynamoDB: encrypt backups
     Bring your own key:
     • Encrypt data locally before uploading
     • SSE-C (server-side encryption with customer-provided key)
  53. AWS Key Management Service (AWS KMS)
     • Managed service that simplifies creation, control, rotation, deletion, and use of AES-256 encryption keys in your applications
     • Integrated with AWS server-side encryption: S3, EBS, RDS, Amazon Aurora, Amazon Redshift, Amazon WorkMail, Amazon WorkSpaces, AWS CloudTrail, and Amazon Elastic Transcoder
     • Integrated with AWS client-side encryption: AWS SDKs, S3 encryption client, EMRFS client, and DynamoDB encryption client
     • Integrated with AWS CloudTrail to provide auditable logs of key usage for regulatory and compliance activities
     • Available in all commercial regions except China
  54. How AWS services use your KMS keys (diagram: your application or AWS service, data key, encrypted data key, encrypted data, master keys in the customer’s account, KMS)
     1. The client calls kms:GenerateDataKey, passing the ID of the KMS master key in your account.
     2. The client request is authenticated based on permissions set on both the user and the key.
     3. A unique data encryption key is created and encrypted under the KMS master key.
     4. The plaintext and encrypted data key are returned to the client.
     5. The plaintext data key is used to encrypt data and is then deleted when practical.
     6. The encrypted data key is stored; it’s sent back to KMS when needed for data decryption.
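The six steps above are envelope encryption. The following is an added example (not AWS code and not how KMS is implemented) that walks through them with the master key holder and the cipher replaced by stand-ins so it runs on the Python standard library alone: `StandInKms` keeps master keys in memory and never returns them, and `seal`/`unseal` are an encrypt-then-MAC construction over an HMAC-SHA256 counter-mode keystream standing in for the AES-256-GCM that KMS uses. What the example is meant to show is the shape of the exchange: the data key comes back twice (plaintext and wrapped), the plaintext copy is used and discarded, only the wrapped copy is stored, and decryption sends the wrapped copy back to the master key holder. The encryption context is bound to the wrapped key as additional authenticated data, as KMS does, so a wrapped key cannot be unwrapped under a different context.

```python
"""Envelope encryption following the six KMS steps on the slide (added example; stand-in primitives)."""
import hashlib
import hmac
import json
import os
import struct

NONCE_LEN, TAG_LEN = 16, 32


def _keystream(key, nonce, length):
    """PRF-based counter-mode keystream; stand-in for AES-CTR."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _subkeys(key):
    # separate keys for confidentiality and integrity, derived from the one data/master key
    return (hashlib.sha256(b"enc|" + key).digest(), hashlib.sha256(b"mac|" + key).digest())


def seal(key, plaintext, aad=b""):
    """Encrypt-then-MAC; returns nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + aad + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key, blob, aad=b""):
    """Verify the tag before decrypting; raises ValueError on any mismatch."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("ciphertext too short")
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + aad + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def _context_bytes(context):
    """Canonical encoding of the encryption context used as AAD on the wrapped key."""
    return json.dumps(context or {}, sort_keys=True, separators=(",", ":")).encode()


class StandInKms:
    """Holds master keys; they never leave this object (steps 2, 3, 4 and 6)."""

    def __init__(self):
        self._masters = {}

    def create_key(self, key_id):
        self._masters[key_id] = os.urandom(32)

    def generate_data_key(self, key_id, context=None):
        master = self._masters[key_id]        # KeyError stands in for the permission check (step 2)
        data_key = os.urandom(32)             # step 3: a fresh data key...
        wrapped = key_id.encode() + b"\0" + seal(master, data_key, _context_bytes(context))
        return data_key, wrapped              # step 4: plaintext and encrypted copies

    def decrypt(self, wrapped, context=None):
        key_id, blob = wrapped.split(b"\0", 1)  # the wrapped blob names the master key it needs
        return unseal(self._masters[key_id.decode()], blob, _context_bytes(context))


def encrypt_envelope(kms, key_id, plaintext, context=None):
    data_key, wrapped = kms.generate_data_key(key_id, context)  # step 1
    ciphertext = seal(data_key, plaintext)                      # step 5: use the plaintext key...
    del data_key                                                # ...then drop it
    return {"wrapped_key": wrapped, "ciphertext": ciphertext}   # step 6: only the wrapped key is stored


def decrypt_envelope(kms, envelope, context=None):
    data_key = kms.decrypt(envelope["wrapped_key"], context)    # step 6: wrapped key goes back to KMS
    return unseal(data_key, envelope["ciphertext"])


def demo():
    """Round trip plus the two failure modes a caller should expect to be rejected."""
    kms = StandInKms()
    kms.create_key("alias/orders-master")                       # constructed key id
    ctx = {"service": "orders", "table": "customers"}
    env = encrypt_envelope(kms, "alias/orders-master", b"card-on-file:4111", ctx)
    out = {"roundtrip": decrypt_envelope(kms, env, ctx)}
    try:                                                        # wrong context: wrap AAD mismatch
        decrypt_envelope(kms, env, {"service": "reports"})
        out["wrong_context_rejected"] = False
    except ValueError:
        out["wrong_context_rejected"] = True
    ct = env["ciphertext"]                                      # flip one ciphertext byte
    tampered = dict(env, ciphertext=ct[:NONCE_LEN] + bytes([ct[NONCE_LEN] ^ 0x01]) + ct[NONCE_LEN + 1:])
    try:
        decrypt_envelope(kms, tampered, ctx)
        out["tamper_rejected"] = False
    except ValueError:
        out["tamper_rejected"] = True
    return out


if __name__ == "__main__":
    print(demo())
```

With a real KMS the only lines that change are the two `kms.` calls (`generate_data_key` and `decrypt` on the boto3 client, with `EncryptionContext`) and the cipher, which would be AES-GCM from a vetted library; the storage layout, the discarding of the plaintext data key and the context binding are the same.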
  55. Resources
     AWS KMS - https://aws.amazon.com/kms/
     AWS KMS Crypto Details - https://d0.awsstatic.com/whitepapers/KMS-Cryptographic-Details.pdf
     https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp3139.pdf
     https://csrc.nist.gov/projects/cryptographic-module-validation-program/Certificate/3139
     Amazon Macie – https://aws.amazon.com/macie/
     AWS CloudHSM – https://aws.amazon.com/cloudhsm/
     Amazon EBS – https://aws.amazon.com/ebs/
     s2n - https://github.com/awslabs/s2n
     Mitigating DDoS Attacks on AWS - https://www.youtube.com/watch?v=w9fSW6qMktA
  56. Prepare for security events
  57. Incident response
     “Even with a mature preventative and detective solution in place, you should consider a mitigation plan”
  58. Clean room
     • Use tags to quickly determine impact and escalate
     • Get the right people access and on the call
     • Use cloud APIs to automate and isolate instances
     • CloudFormation – recreate clean / updated environments easily for production or investigation purposes
  59. Resources
     AWS Well-Architected - https://aws.amazon.com/architecture/well-architected/
     Security Pillar - https://d1.awsstatic.com/whitepapers/architecture/AWS-Security-Pillar.pdf
     AWS CIS Foundations Benchmark - https://d0.awsstatic.com/whitepapers/compliance/AWS_CIS_Foundations_Benchmark.pdf
     AWS Crypto Intro - https://docs.aws.amazon.com/kms/latest/developerguide/crypto-intro.html
     AWS re:Invent Security Track - https://aws.amazon.com/blogs/security/videos-and-slide-decks-from-the-aws-reinvent-2017-security-compliance-identity-track
  60. Summing up
     • Enforce separation of duties and least privilege accounts
     • Federate users; enforce using IAM policies
     • Ensure security logs are separated from troubleshooting logs
     • Storage for logs is cheap; the consequences of missing something through not logging may not be
     • Alerting is good; automating your security response is better
     • Use managed services and built-in reporting to offload and automate
     • See the big picture: what info do you need and which tool can provide it
  61. Thank You!
