
AWS Security Deep Dive


  1. AWS Security Deep Dive – Margo Cronin, Solutions Architect – SEC001 & SEC002. AWS Summit. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
  3. Introduction – Broad Security & Identity Portfolio
     • Segmentation: identify and sort workloads by classification
     • Protect: what are we protecting? Identity, boundaries, data
     • Identification: threat detection and remediation
  5. Segmentation – on-premises nature: separate VPCs for Prod, UAT, Dev and SIT
  6. (image) https://flic.kr/p/HSQdeq License
  7. AWS CloudFormation – infrastructure as code: the Prod, UAT, Dev and SIT VPCs are defined in templates rather than built by hand
  9. In the beginning… your AWS account, and you
  10. Today: a jump account for your cloud team, plus Dev, Prod, Data science and Security accounts, linked by cross-account trusts and cross-account resource access
  11. AWS Organizations
     • Centrally govern your environment
     • Manage billing
     • Automate account creation
     • Create groups (organizational units) to reflect business needs
     • Apply "Service Control Policies" to a unit to control the behavior of those accounts
     • Control access, compliance and security
  12. SCP – fine-grained permission control. This SCP denies every action outside eu-central-1 and eu-west-1; the NotAction list exempts the global services (CloudFront, IAM, Route 53, Support), which would otherwise be blocked by the region check. (Closing brackets restored and quotes normalized from the slide.)

     ```json
     {
       "Version": "2012-10-17",
       "Statement": [
         {
           "Sid": "security",
           "Effect": "Deny",
           "Resource": "*",
           "NotAction": ["cloudfront:*", "iam:*", "route53:*", "support:*"],
           "Condition": {
             "StringNotEquals": {
               "aws:RequestedRegion": ["eu-central-1", "eu-west-1"]
             }
           }
         }
       ]
     }
     ```
  17. AWS Resource Access Manager
     • AWS Resource Access Manager (RAM) helps securely share AWS resources with any AWS account or within AWS Organizations
     • Accessed from Console, CLI or API
     • Resource Shares can be tagged, and you can reference the tags in IAM policies to create a tag-based permission system. You can add and remove accounts and resources from a Resource Share at any time.
  19. Disambiguation – Identity (the subject): authentication, authorization, audit, and governance for your cloud workloads. Its elements: principal, resources, actions, conditions.
  21. Disambiguation – our scope for today: AWS Identity and Access Management (IAM), the service that authenticates and authorizes AWS API calls and includes identity (the subject)
  23. Identity & Access Management policies (diagram): a role reaches an S3 bucket with objects through endpoints; three policies apply along the way – the IAM policy, the VPC endpoint (VPCe) policy and the bucket policy
  24. IAM user policy (highlighted in the same diagram)
  25. AWS IAM example policies – User Policy (quotes normalized from the slide). Note that s3:ListAllMyBuckets is an account-level action that must be granted on Resource "*" (or arn:aws:s3:::*); scoped to 2x2demo/* as here, only the three object actions take effect.

     ```json
     {
       "Version": "2012-10-17",
       "Statement": [
         {
           "Effect": "Allow",
           "Action": [
             "s3:ListAllMyBuckets",
             "s3:PutObject",
             "s3:GetObject",
             "s3:DeleteObject"
           ],
           "Resource": "arn:aws:s3:::2x2demo/*"
         }
       ]
     }
     ```
  29. IAM resource policy (the bucket policy, highlighted in the same diagram)
  30. AWS IAM example policies – Resource Policy (quotes normalized from the slide). The Null condition on aws:MultiFactorAuthAge is true when the request carries no MFA context, so every S3 action on the bucket's objects is denied unless the caller authenticated with MFA.

     ```json
     {
       "Version": "2012-10-17",
       "Id": "12345",
       "Statement": [
         {
           "Effect": "Deny",
           "Principal": "*",
           "Action": "s3:*",
           "Resource": "arn:aws:s3:::2x2demo/*",
           "Condition": {
             "Null": { "aws:MultiFactorAuthAge": true }
           }
         }
       ]
     }
     ```
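To see how the two Deny statements on slides 12 and 30 behave against concrete requests, here is a toy evaluator (an added illustration, not AWS's evaluation engine and not code from the deck). It implements only the operators those two policies use; `denied()` and the request context dictionaries are assumptions of this example.

```python
"""Toy evaluator for the region-guard SCP and the MFA-guard bucket policy."""
import fnmatch

REGION_SCP = {  # SCP from the slides, closing brackets restored
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "security", "Effect": "Deny", "Resource": "*",
        "NotAction": ["cloudfront:*", "iam:*", "route53:*", "support:*"],
        "Condition": {"StringNotEquals": {
            "aws:RequestedRegion": ["eu-central-1", "eu-west-1"]}},
    }],
}

MFA_BUCKET_POLICY = {  # bucket policy from the slides
    "Version": "2012-10-17", "Id": "12345",
    "Statement": [{
        "Effect": "Deny", "Principal": "*", "Action": "s3:*",
        "Resource": "arn:aws:s3:::2x2demo/*",
        "Condition": {"Null": {"aws:MultiFactorAuthAge": True}},
    }],
}

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _matches(patterns, value, fold=False):
    """Wildcard match; IAM action names are case-insensitive, ARNs are not."""
    pats = _as_list(patterns)
    if fold:
        value, pats = value.lower(), [p.lower() for p in pats]
    return any(fnmatch.fnmatchcase(value, p) for p in pats)

def _condition_holds(cond, ctx):
    """Only the two operators the slides use are implemented."""
    for op, pairs in cond.items():
        for key, expected in pairs.items():
            if op == "StringNotEquals":
                # Negated operator: a missing key also satisfies it.
                if key in ctx and ctx[key] in _as_list(expected):
                    return False
            elif op == "Null":
                # Null:true matches when the key is absent from the request.
                if (key not in ctx) != bool(expected):
                    return False
            else:
                raise NotImplementedError(op)
    return True

def denied(policy, action, resource, ctx):
    """True if any Deny statement in `policy` matches the request."""
    for st in policy["Statement"]:
        if st["Effect"] != "Deny":
            continue
        if "NotAction" in st:
            action_hit = not _matches(st["NotAction"], action, fold=True)
        else:
            action_hit = _matches(st["Action"], action, fold=True)
        if action_hit and _matches(st["Resource"], resource) \
                and _condition_holds(st.get("Condition", {}), ctx):
            return True
    return False
```

The region check alone would also block IAM and the other global services, which is why the SCP carries them in NotAction; the MFA policy denies even the bucket owner's own calls when no MFA context is present.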
  36. Identity & Access Management policies (diagram recap): role, endpoints, S3 bucket with objects; bucket policy, VPCe policy, IAM policy
  37. IAM endpoint policy (the VPCe policy, highlighted in the same diagram)
  38. AWS IAM example policies – Endpoint Policy (quotes normalized from the slide). Attached to the VPC endpoint, it allows traffic through the endpoint only to the 2x2demo bucket and its objects; IAM and bucket policies still apply on top.

     ```json
     {
       "Version": "2012-10-17",
       "Statement": [
         {
           "Sid": "Access-to-specific-bucket-only",
           "Effect": "Allow",
           "Principal": "*",
           "Action": "s3:*",
           "Resource": ["arn:aws:s3:::2x2demo", "arn:aws:s3:::2x2demo/*"]
         }
       ]
     }
     ```
  43. Identity & Access Management policies (diagram, extended): role, endpoints, S3 bucket with objects; bucket policy, VPCe policy, IAM policy, plus the KMS key policy for server-side encryption
  44. AWS Key Management Service
     • Managed service that simplifies creation, control, rotation, and use of encryption keys in your applications
     • FIPS 140-2 validated hardware security modules protect your keys
     • Integrated with AWS server-side encryption: S3, EBS, RDS, Amazon Aurora, Amazon Redshift, WorkMail, Amazon WorkSpaces, CloudTrail, Amazon Elastic Transcoder, CodeCommit (using default service keys only), SES, Import/Export Snowball, DMS, and several other services
     • Integrated with AWS client-side encryption: AWS SDKs, AWS Encryption SDK, S3 encryption client, EMRFS client, and DynamoDB encryption client
     • Integrated with CloudTrail to provide auditable logs of key usage for regulatory and compliance activities
  45. Identity & Access Management policies (diagram, complete): role, endpoints, S3 bucket with objects; bucket policy, VPCe policy, IAM policy, key policy for server-side encryption, and the SCP on top
  48. Amazon Cognito
     • Amazon Cognito provides authentication, authorization, and user management for your web and mobile apps. Your users can sign in directly with a user name and password, or through a third party such as Facebook, Amazon, or Google.
     • Amazon Cognito offers user pools and identity pools.
     • User pools are user directories that provide sign-up and sign-in options for your app users.
     • Identity pools provide AWS credentials to grant your users access to other AWS services.
  49. Protect your boundaries – Cognito edition (diagram): users reach Amazon CloudFront, which fronts a public and a private Amazon S3 bucket; AWS Lambda at the edge checks Amazon Cognito tokens before serving the private bucket. Authorization@Edge: https://aws.amazon.com/blogs/networking-and-content-delivery/authorizationedge-how-to-use-lambdaedge-and-json-web-tokens-to-enhance-web-application-security/
  50. Protect your boundaries – WAF edition (diagram): your security team feeds malicious IPs via AWS Lambda and an Amazon S3 bucket into AWS WAF in front of Amazon CloudFront and Elastic Load Balancing, with Amazon CloudWatch monitoring the instances. Reference: AWS Certified Advanced Networking, ISBN-13: 978-1119439837
  52. Why is threat detection so hard? Skills shortage, signal to noise, large datasets
  53. AWS Well-Architected – Security design principles
     • Keep people away from data
     • Implement a strong identity foundation
     • Enable traceability
     • Automate security best practices
     • Protect data in transit and at rest
     • Apply security at all layers
     • Prepare for security events
  54. Threat detection: log data inputs
     • AWS CloudTrail: track user activity and API usage
     • VPC Flow Logs: IP traffic to/from network interfaces in a VPC
     • CloudWatch Logs: monitor apps using log data, store & access log files
     • DNS logs: log of DNS queries in a VPC when using the VPC DNS resolver
  55. Threat detection: machine learning
     • Amazon GuardDuty: intelligent threat detection and continuous monitoring to protect your AWS accounts and workloads
     • Amazon Macie: machine learning-powered security service to discover, classify & protect sensitive data
  56. Threat detection: introducing AWS Security Hub
     • Comprehensive view of your security state within AWS
     • Aggregates security findings and alerts generated by other AWS security services
     • Analyze security trends and identify the highest-priority security issues
     • Findings providers: Amazon Inspector, Amazon GuardDuty, Amazon Macie, AWS Security Partners; Security Hub turns findings into insights
  57. Threat detection: invocations/triggers
     • Amazon CloudWatch Events: delivers a near real-time stream of system events that describe changes in AWS resources
     • AWS Config Rules: continuously tracks your resource configuration changes and whether they violate any of the conditions in your rules
  59. Basic example – Lambda + CloudWatch Events: GuardDuty findings are emitted as CloudWatch Events, which trigger a Lambda function
  60. Lambda + Systems Manager + CloudWatch (diagram): a CloudWatch rule on an Amazon GuardDuty finding invokes a Lambda function, which uses AWS Systems Manager documents to run triage on the EC2 instance (top, pcap, lime for memory capture), collecting from its Elastic Network Adapters and Amazon EBS volume
  61. Lambda + Systems Manager + CloudWatch (continued): the same Lambda function takes an Amazon EBS snapshot of the instance's volume for forensics
  62. Automating responses based on multiple controls: Amazon GuardDuty, VPC Flow Logs, Amazon Inspector, AWS CloudTrail and AWS Config feed Amazon CloudWatch Events; a Lambda function calls AWS APIs to detect, investigate and respond, with team collaboration (Slack etc.)
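The detect-investigate-respond flow on slides 59 to 62, as an added example that is not from the deck: a Lambda-style handler that turns a GuardDuty finding delivered by CloudWatch Events into a response plan. The event is a constructed sample in the "GuardDuty Finding" event shape; the SSM document names, the severity threshold (GuardDuty's high band starts at 7.0) and `plan_response()` are assumptions of this example, and no AWS API is called.

```python
"""Lambda-style handler: GuardDuty finding (via CloudWatch Events) -> response plan."""
import json

# Constructed sample event; only the fields the handler reads are included.
SAMPLE_EVENT = {
    "detail-type": "GuardDuty Finding",
    "source": "aws.guardduty",
    "detail": {
        "id": "finding-0001",
        "type": "UnauthorizedAccess:EC2/SSHBruteForce",
        "severity": 8.0,
        "resource": {
            "resourceType": "Instance",
            "instanceDetails": {"instanceId": "i-0123456789abcdef0"},
        },
    },
}

# Hypothetical SSM document names standing in for the deck's top / pcap / lime.
TRIAGE_DOCUMENTS = ["Custom-RunTop", "Custom-CapturePcap", "Custom-DumpMemoryLime"]
HIGH_SEVERITY = 7.0  # assumption: treat GuardDuty's high band as needing forensics

def plan_response(event):
    """Decide the steps for a finding; returns a plan a worker can execute."""
    if event.get("source") != "aws.guardduty" or \
            event.get("detail-type") != "GuardDuty Finding":
        return {"action": "ignore", "reason": "not a GuardDuty finding"}
    d = event["detail"]
    res = d.get("resource", {})
    plan = {"finding_id": d["id"], "type": d["type"],
            "severity": d["severity"], "steps": []}
    if res.get("resourceType") != "Instance":
        # Non-instance findings (e.g. IAM) just go to the team channel here.
        plan["steps"].append({"step": "notify", "channel": "slack"})
        return plan
    iid = res["instanceDetails"]["instanceId"]
    # Volatile state first (memory, packets), via SSM Run Command.
    plan["steps"].append({"step": "ssm_send_command", "instance": iid,
                          "documents": TRIAGE_DOCUMENTS})
    if d["severity"] >= HIGH_SEVERITY:
        # Then preserve disk for offline forensics.
        plan["steps"].append({"step": "ebs_snapshot", "instance": iid})
    plan["steps"].append({"step": "notify", "channel": "slack"})
    return plan

def handler(event, context=None):
    """Lambda entry point; in a real function each step would map to a boto3 call."""
    plan = plan_response(event)
    print(json.dumps(plan))
    return plan

if __name__ == "__main__":
    handler(SAMPLE_EVENT)
```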
  63. Broad Security & Identity Portfolio
     • Identity: AWS Identity & Access Management (IAM), AWS Single Sign-On (SSO), AWS Directory Service, Amazon Cloud Directory, AWS Secrets Manager, Amazon Cognito, AWS Organizations, AWS Resource Access Manager (RAM)
     • Detective control: AWS Security Hub, Amazon GuardDuty, AWS CloudTrail, AWS Config, Amazon CloudWatch, VPC Flow Logs
     • Infrastructure security: AWS Systems Manager, AWS Shield, AWS Web Application Firewall (AWS WAF), Amazon Inspector, Amazon Virtual Private Cloud (VPC)
     • Data protection: AWS Key Management Service (KMS), AWS CloudHSM, Amazon Macie, AWS Certificate Manager, Server-Side Encryption
     • Incident response: AWS Config Rules, AWS Lambda
  64. Think like Picasso (image) https://flic.kr/p/HSQdeq License
