Security Best Practices on AWS

19,676 views

Security Best Practices on AWS, presented by Simon Elisha during the AWS APAC Webinar series.

Published in: Technology
  1. Security Best Practices on AWS – Simon Elisha, Principal Solution Architect, @simon_elisha
  2. All lines are muted. You can ask questions at any time in the Question box. We will answer some at the end of the session and all via email.
  3. Agenda: The Shared Responsibility Model; Taking Advantage of the Shared Model; Using the AWS Security Features; Underlying AWS Infrastructure Security; Your Responsibilities
  4. In the cloud, security is a shared responsibility. Infrastructure security: how do we (AWS) secure our infrastructure? Application security: how can you secure your application, and what is your responsibility? Services security: what security options and features are available to you?
  5–8. Leverage shared security model: understand your customer & form the correct security stance.
     • External audience: penetration test requests, your certifications, your processes
     • Internal audience: IAM, administration, architecture
     • Regulated audience: AWS certifications, AWS white papers, AWS QSA process
  9. Leverage shared security model: engage with security assessors early in the adoption cycle.
     • Don't fear assessment – AWS meets high standards (PCI, ISO 27001, SOC 1…)
     • As with any infrastructure provider, security assessments take time
     • Derive value from architecture reviews early in the deployment cycle
  10. Leverage shared security model: use the comprehensive materials and certifications provided by AWS (http://aws.amazon.com/security/): the risk and compliance paper; the AWS security processes paper; NEW! the CSA Consensus Assessments Initiative Questionnaire.
  11. Leverage shared security model: build upon the features of AWS and implement a 'security by design' environment.
  12. Shared responsibility.
     • You: customer data; platform, applications, identity & access management; operating system, network & firewall configuration; client-side data encryption & data integrity authentication; server-side encryption (file system and/or data); network traffic protection (encryption/integrity/identity).
     • Amazon: foundation services (compute, storage, database, networking) and the AWS global infrastructure (Availability Zones, Regions, Edge Locations).
  14. Build upon AWS features.
     • Tiered access (IAM): control users and allow AWS to manage credentials in running instances for service access (allocation, rotation). APIs vs instances: provide developer API credentials and control access to SSH keys. Temporary credentials.
     • Security Groups (instance firewalls): firewall control on instances via Security Groups.
     • VPC (network control): create low-level networking constraints for resource access, such as public and private subnets, internet gateways and NATs. Dedicated Instances.
     • Direct Connect & VPN (private connections to VPC): secured access to resources in AWS over software or hardware VPN and dedicated network links.
     • CLIs and APIs: instantly audit your entire AWS infrastructure from scriptable APIs – generate an on-demand IT inventory, enabled by the programmatic nature of AWS.
     • Bastion hosts: only allow access for management of production resources from a bastion host. Turn it off when not needed.
  15–17. Identity & access management. An AWS account holds groups of IAM users (Administrators: Jim, Bob, Susan; Developers: Brad, Mark, Kevin; Applications: Reporting, Console, Tomcat), protected by multi-factor authentication, and roles that carry AWS system entitlements.
  18. IAM policies. Policy driven: a declarative definition of rights for groups; policies control access to AWS APIs. The example policy from the slide:
        {
          "Statement": [
            {
              "Effect": "Allow",
              "Action": [
                "elasticbeanstalk:*", "ec2:*", "elasticloadbalancing:*",
                "autoscaling:*", "cloudwatch:*", "s3:*", "sns:*"
              ],
              "Resource": "*"
            }
          ]
        }
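The slide's policy grants every action in seven services on every resource, which is a starting point for a demo rather than a least-privilege grant. The following is an added example, not code from the deck or from AWS: a small linter that parses a policy document and flags wildcard actions, wildcard resources on non-read-only statements, and a missing "Version" element (without it IAM evaluates the document under the 2008-10-17 grammar, which has no policy variables). The narrowed policy, the bucket name and the set of actions treated as un-scopable are constructed for the example.

```python
import json

# The policy shown on slide 18, reproduced as the input under test.
SLIDE_POLICY = """
{ "Statement": [ { "Effect": "Allow",
    "Action": [ "elasticbeanstalk:*", "ec2:*", "elasticloadbalancing:*",
                "autoscaling:*", "cloudwatch:*", "s3:*", "sns:*" ],
    "Resource": "*" } ] }
"""

# A narrowed policy constructed for this example: the same kind of deployment
# workload, but actions and ARNs scoped to what it actually needs. The bucket
# name is a placeholder.
NARROWED_POLICY = """
{ "Version": "2012-10-17",
  "Statement": [
    { "Effect": "Allow",
      "Action": [ "s3:GetObject", "s3:PutObject", "s3:ListBucket" ],
      "Resource": [ "arn:aws:s3:::example-deploy-bucket",
                    "arn:aws:s3:::example-deploy-bucket/*" ] },
    { "Effect": "Allow",
      "Action": [ "ec2:DescribeInstances", "cloudwatch:PutMetricData" ],
      "Resource": "*" } ] }
"""

# Actions IAM cannot scope to a resource ARN, so Resource "*" is the only option
# for them; cloudwatch:PutMetricData is one. Extend this set for your own use.
NO_RESOURCE_LEVEL = {"cloudwatch:PutMetricData"}
READ_ONLY_PREFIXES = ("Describe", "Get", "List")


def _as_list(value):
    """IAM accepts a string or a list in Action/Resource/Statement; normalise."""
    return value if isinstance(value, list) else [value]


def _is_read_only(action):
    return action.split(":")[-1].startswith(READ_ONLY_PREFIXES)


def lint_policy(policy_json):
    """Return findings for an IAM policy document as (statement_index, kind, value).

    Checks:
    - missing "Version";
    - Allow statements whose Action is "*" or "service:*";
    - Allow statements with Resource "*" that grant more than read-only
      (or resource-level-unscopable) actions.
    """
    policy = json.loads(policy_json)
    findings = []
    if "Version" not in policy:
        findings.append((None, "missing-version", None))
    for i, stmt in enumerate(_as_list(policy["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        for action in actions:
            if action == "*" or action.endswith(":*"):
                findings.append((i, "wildcard-action", action))
        resources = _as_list(stmt.get("Resource", []))
        scoped_ok = all(_is_read_only(a) or a in NO_RESOURCE_LEVEL for a in actions)
        if "*" in resources and not scoped_ok:
            findings.append((i, "wildcard-resource", "*"))
    return findings


if __name__ == "__main__":
    for name, doc in (("slide policy", SLIDE_POLICY), ("narrowed", NARROWED_POLICY)):
        print(name, lint_policy(doc))
```

Run against the slide's document the linter reports nine findings (the missing version, seven service wildcards and the unscoped resource); the narrowed document passes. The read-only heuristic is a prefix match, so treat it as a screen to review, not as proof that a statement is safe.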
  19. IAM Roles. Aids automation: assign a role to EC2 instances; control access without passing credentials at boot time; integrated into the SDKs.
  20. Key management.
     • Decide upon a key management strategy: control access to EC2 instances via SSH and an embedded public key, e.g. an EC2 Key Pair per group of instances or an EC2 Key Pair per account. You can use your existing SSH or AD strategy.
     • Consider SSH key rotation & automation: limit exposure to private key compromise by rotating keys and replacing the authorized_keys listings on running instances. Consider bootstrap automation to grant developer access with developer-unique key pairs.
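Replacing authorized_keys listings on running instances only works if the tooling identifies keys reliably. The following is an added example, not code from the deck: it fingerprints each line the way `ssh-keygen -lf` does (SHA256 over the decoded key blob, base64 without padding), drops revoked keys by fingerprint rather than by the free-text comment, appends replacements without duplicating keys already present, and keeps any options prefix such as `from=` that restricts where a key may be used from. The sample keys are constructed (the 32 bytes of key material are a constant, not a real key) so the file runs offline.

```python
import base64
import hashlib
import struct


def fingerprint(pubkey_line):
    """SHA256 fingerprint of one authorized_keys line, in the form ssh-keygen -lf prints.

    Any options field in front of the key type (e.g. from="10.0.1.0/24") is skipped
    and the trailing comment is ignored: only the key blob identifies the key.
    """
    parts = pubkey_line.split()
    idx = next(i for i, p in enumerate(parts) if p.startswith(("ssh-", "ecdsa-", "sk-")))
    blob = base64.b64decode(parts[idx + 1])
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def rotate_authorized_keys(text, revoke, add):
    """Return (new_text, removed_fingerprints).

    Keys whose fingerprint is in `revoke` are dropped; lines in `add` are appended
    unless that key is already present. Comments and blank lines are preserved.
    Matching on fingerprint rather than on the comment matters: the comment is
    free text that anyone holding the key can change.
    """
    kept, removed, present = [], [], set()
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            kept.append(line)
            continue
        fp = fingerprint(line)
        if fp in revoke:
            removed.append(fp)
            continue
        present.add(fp)
        kept.append(line)
    for line in add:
        fp = fingerprint(line)
        if fp not in present:
            kept.append(line)
            present.add(fp)
    return "\n".join(kept) + "\n", removed


def _sample_ed25519_line(fill_byte, comment):
    """Build a syntactically valid ssh-ed25519 public key line for the constructed
    sample below: the wire format is two length-prefixed strings, the key type and
    the 32-byte public key. The key bytes are a constant, not real key material."""
    key_type = b"ssh-ed25519"
    blob = (struct.pack(">I", len(key_type)) + key_type
            + struct.pack(">I", 32) + bytes([fill_byte]) * 32)
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"


# Constructed sample data: Alice's 2011 key is being replaced, Bob's stays.
OLD_ALICE = _sample_ed25519_line(0x01, "alice@laptop-2011")
NEW_ALICE = _sample_ed25519_line(0x02, "alice@laptop-2012")
BOB = _sample_ed25519_line(0x03, "bob@desk")
AUTHORIZED_KEYS = (
    "# managed by bootstrap automation\n"
    'from="10.0.1.0/24" ' + OLD_ALICE + "\n"   # use restricted to the admin subnet
    + BOB + "\n"
)


def rotate_sample():
    """Run the rotation over the sample file; returns (new_text, removed)."""
    return rotate_authorized_keys(AUTHORIZED_KEYS, {fingerprint(OLD_ALICE)},
                                  ['from="10.0.1.0/24" ' + NEW_ALICE, BOB])


if __name__ == "__main__":
    new_text, removed = rotate_sample()
    print(new_text)
    print("removed:", removed)
```

In practice the revocation set would come from a central record of retired key fingerprints and the rewrite would be pushed by whatever bootstrap automation already manages the instance, writing the new file atomically and keeping the old one until an SSH login with the new key has been confirmed.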
  21. Temporary Security Credentials.
     • Contain: an identity for authentication; an access policy to control permissions; a configurable expiration (1–36 hours).
     • Support AWS identities (including IAM users) and federated identities (users authenticate to the customer's own system).
     • Scale to millions of users: no need to create an IAM identity for every user.
     • Use cases: identity federation to AWS APIs; mobile and browser-based applications; consumer applications with unlimited users.
  22. Security credentials – the hotel metaphor: the AWS account's access key ID, an IAM user, temporary security credentials.
  23. Security Groups. Control ingress of data by port, IP & Security Group. VPC also supports egress data control. User configurable via API, CLI, GUI. Create "defence in depth" across a Web Tier, an Application Tier and a Database Tier (Amazon EC2 Security Group Firewall): ports 80 and 443 only open to the Internet; engineering staff have SSH access to the App Tier, which acts as bastion; sync with the on-premises database; all other Internet ports blocked by default.
  24. CLI & API. Instantly audit the state of your entire environment using the API. Make regular calls via the command line or API to determine which web-based infrastructure services are being used at any time. Store and compare over time – track anomalies or non-governed usage.
  25. Virtual Private Cloud (VPC). Logically isolated environment. Private IP address ranges & subnets. Ingress and egress network access control. Elastic IP addresses, NAT and Internet Gateway. Hardware-encrypted VPN connections and/or Direct Connect. Wizard-based setup.
  26. EC2 Dedicated Instances. Available within VPC. Instances launched on hardware dedicated to a single customer. Can mix-and-match use of dedicated and non-dedicated instances.
  27. Bastion hosts. A server (or servers) used for system management. Access tightly controlled; management only enabled from these hosts; stop the host when not in use; access only allowed from specified IP addresses. Diagram: SSH Admin → TCP 22 → Bastion Host (Bastion Security Group); Web Server (Web Security Group: TCP 80,443 from "ELB", TCP 22 from "Bastion"); App Server (App Security Group: TCP 8080 from "Web", TCP 22 from "Bastion"); DB Server (DB Security Group: TCP 3306 from "App", TCP 22 from "Bastion").
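Slides 23, 24 and 27 describe one practice from three angles: tiered security groups that reference each other, a bastion as the only SSH source, and regular API inventories compared over time. The following is an added example, not code from the deck: it encodes the diagram's rules as data, checks a snapshot for ports open to the whole Internet, checks that every tier is reachable only from the tier in front of it and on port 22 only from the bastion, and diffs two snapshots to surface ungoverned change. In a real audit the snapshots would be the parsed output of `aws ec2 describe-security-groups` stored per run; here they are constructed, and the admin address, group names and the second snapshot's two bad rules are assumptions for the example.

```python
# Constructed inventory of security group ingress rules, matching the tiers in
# the diagram on slide 27. Each rule is (protocol, from_port, to_port, source),
# where source is a CIDR or "sg:<name>" for a security-group reference.
SNAPSHOT_T0 = {
    "bastion": [("tcp", 22, 22, "203.0.113.10/32")],            # the SSH admin address
    "elb":     [("tcp", 80, 80, "0.0.0.0/0"), ("tcp", 443, 443, "0.0.0.0/0")],
    "web":     [("tcp", 80, 80, "sg:elb"), ("tcp", 443, 443, "sg:elb"),
                ("tcp", 22, 22, "sg:bastion")],
    "app":     [("tcp", 8080, 8080, "sg:web"), ("tcp", 22, 22, "sg:bastion")],
    "db":      [("tcp", 3306, 3306, "sg:app"), ("tcp", 22, 22, "sg:bastion")],
}

# A later snapshot with two ungoverned changes: the database opened to the
# world, and SSH on the app tier opened to the world, bypassing the bastion.
SNAPSHOT_T1 = {sg: list(rules) for sg, rules in SNAPSHOT_T0.items()}
SNAPSHOT_T1["db"].append(("tcp", 3306, 3306, "0.0.0.0/0"))
SNAPSHOT_T1["app"].append(("tcp", 22, 22, "0.0.0.0/0"))

# Intended tiering: (destination sg, protocol, port) -> the only permitted source.
TIER_EDGES = {
    ("web", "tcp", 80): "sg:elb",
    ("web", "tcp", 443): "sg:elb",
    ("app", "tcp", 8080): "sg:web",
    ("db", "tcp", 3306): "sg:app",
}
PUBLIC_OK = {("tcp", 80), ("tcp", 443)}   # the only ports the deck leaves open to the Internet
MGMT_SOURCE = "sg:bastion"                # management (port 22) must come from here
MGMT_PORT = 22


def exposed_rules(snapshot):
    """Rules admitting 0.0.0.0/0 on anything other than the allowed public ports."""
    out = []
    for sg, rules in snapshot.items():
        for proto, lo, hi, src in rules:
            if src == "0.0.0.0/0" and not (lo == hi and (proto, lo) in PUBLIC_OK):
                out.append((sg, proto, lo, hi))
    return sorted(out)


def tiering_violations(snapshot, edges):
    """Rules that break the tier-to-tier model: a tier reachable on its service
    port from anything but the tier in front of it, or SSH from anything but the
    bastion. Returns (sg, proto, port, source) tuples."""
    out = []
    for sg, rules in snapshot.items():
        for proto, lo, hi, src in rules:
            if sg != "bastion" and lo <= MGMT_PORT <= hi and src != MGMT_SOURCE:
                out.append((sg, proto, MGMT_PORT, src))
            for (dst, eproto, port), allowed in edges.items():
                if sg == dst and proto == eproto and lo <= port <= hi and src != allowed:
                    out.append((sg, proto, port, src))
    return sorted(out)


def diff_snapshots(old, new):
    """Rules added and removed between two inventory snapshots, as
    (sg, proto, from_port, to_port, source) tuples."""
    added, removed = [], []
    for sg in sorted(set(old) | set(new)):
        before, after = set(old.get(sg, [])), set(new.get(sg, []))
        added += [(sg,) + r for r in sorted(after - before)]
        removed += [(sg,) + r for r in sorted(before - after)]
    return added, removed


if __name__ == "__main__":
    print("exposed at t1:", exposed_rules(SNAPSHOT_T1))
    print("tiering violations at t1:", tiering_violations(SNAPSHOT_T1, TIER_EDGES))
    print("drift t0 -> t1:", diff_snapshots(SNAPSHOT_T0, SNAPSHOT_T1))
```

The first snapshot passes both checks; the second fails both, and the diff pins the failures to the two rules that were added. Keeping the intended edges as data next to the inventory is what turns "compare over time" into a check that can run on every snapshot rather than a manual review.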
  28. Certifications.
     • Certifications: SOC 1 Type 2 (formerly SAS-70); ISO 27001; PCI DSS for EC2, S3, EBS, VPC, RDS, ELB, IAM; FISMA Moderate compliant controls; HIPAA & ITAR compliant architecture.
     • Physical security: datacenters in nondescript facilities; physical access strictly controlled; must pass two-factor authentication at least twice for floor access; physical access logged and audited.
     • HW, SW, network: systematic change management; phased updates deployment; safe storage decommission; automated monitoring and self-audit; advanced network protection.
  29. Security standards.
     • ISO 27001: achieved 11/2010; follows ISO 27002 best practice guidance; covers the AWS Information Security Management System (ISMS); includes all Regions; ISO certifying agent: EY CertifyPoint.
     • PCI DSS Level 1: use normally, no special configuration; certified services include EC2, S3, EBS, VPC, RDS, ELB, IAM, the underlying physical infrastructure & the AWS Management Environment; leverage the work of our QSA; AWS will work with merchants and designated Qualified Incident Response Assessors (QIRA); certified in all Regions.
  30. Location of data – your choice. Regions: an independent collection of AWS resources in a defined geography; a solid foundation for meeting location-dependent privacy and compliance requirements. (Stack diagram: Deployment & Administration; App Services; Compute, Storage, Database, Networking; AWS Global Infrastructure.)
  31. Global infrastructure. Availability Zones: designed as independent failure zones; physically separated within a typical metropolitan region.
  32. Global infrastructure. Edge Locations: deliver content to end users with lower latency; a global network of edge locations; supports the global DNS infrastructure (Route 53) and the CloudFront CDN.
  33. Shared responsibility (the model from slide 12, repeated to introduce the customer-side practices that follow).
  34. Ensure good security practice: encrypt sensitive data both "in-flight" and "at-rest". Use SSL for all AWS API calls & your own application communication. Use SSL termination with Elastic Load Balancer (ELB) & back-end server authentication. S3 Server Side Encryption – free & easy; you can also implement client-side encryption. Operating system level encryption tools are available (e.g. TrueCrypt, BitLocker, etc.; note that TrueCrypt was discontinued in 2014 and should not be chosen for new deployments).
  35. Ensure good security practice: operate host-based IDS/IPS and regular auditing and monitoring. Maintain OS-level firewalls for additional monitoring and control. Install logging tools and log to a separate, central location (e.g. S3). Partner solutions are available (including Trend Micro, Symantec, Check Point, etc.). Extend your current management and logging tools to the AWS environment.
  36. Ensure good security practice: keep operating systems and application libraries patched and up-to-date. Use automated package update services (e.g. YUM, WSUS, YaST, etc.). Apply updates to installed applications, languages, SDKs etc. "Rolling updates" are easy: create new AMIs and instantiate a new fleet. Relational Database Service (RDS) provides automated patch application.
  37. Ensure good security practice: design the application to protect against Layer 7 attacks (SQL injection, etc.). Design security into your application from the start. Ensure all entered data is validated and correctly formatted. Perform API authorization and authentication for API-based applications. Use partner solutions (e.g. Layer7tech, SafeNet, AiCache, Incapsula, etc.).
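Slide 37's advice ("validate all entered data", "protect against SQL injection") is concrete enough to show. The following is an added example, not code from the deck: the same lookup written the vulnerable way (input pasted into the SQL text) and the hardened way (bound parameter), plus an allow-list validator applied before the value reaches the database at all. It uses Python's built-in sqlite3 with a constructed in-memory table; the table, rows and username format are assumptions for the example.

```python
import re
import sqlite3


def sample_db():
    """In-memory table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "alice@example.com"), ("bob", "bob@example.com")])
    return conn


def lookup_vulnerable(conn, username):
    """Deliberately flawed: the input is pasted into the SQL text, so a quote in
    it changes the query structure (the Layer 7 attack the slide refers to)."""
    sql = "SELECT email FROM users WHERE username = '%s'" % username
    return [row[0] for row in conn.execute(sql)]


def lookup_hardened(conn, username):
    """Bound parameter: the driver passes the value separately from the SQL, so
    it can only ever be compared against, never parsed as SQL."""
    rows = conn.execute("SELECT email FROM users WHERE username = ?", (username,))
    return [row[0] for row in rows]


# "Ensure all entered data is validated and correctly formatted": an allow-list
# for the field, applied before the value reaches the database or any other
# subsystem. The permitted format is an assumption for this example.
USERNAME_RE = re.compile(r"[a-z][a-z0-9_]{0,31}")


def validate_username(value):
    return USERNAME_RE.fullmatch(value) is not None


def lookup(conn, username):
    """Validate first, then query with a bound parameter; reject bad input outright."""
    if not validate_username(username):
        raise ValueError("username has unexpected format")
    return lookup_hardened(conn, username)


if __name__ == "__main__":
    conn = sample_db()
    payload = "' OR '1'='1"
    print("vulnerable:", lookup_vulnerable(conn, payload))   # every user's e-mail
    print("hardened:  ", lookup_hardened(conn, payload))     # no match
```

Against the payload `' OR '1'='1` the vulnerable query returns every row, the bound-parameter query returns nothing, and the validator rejects the input before a query is even built. Validation and parameter binding are complementary: the allow-list limits what the rest of the system has to cope with, and the bound parameter makes the query safe even for fields whose legitimate values must contain quotes.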
  38. Ensure good security practice: actively manage your AWS environment to leverage all of the capabilities available. Perform regular security reviews. Rotate keys and credentials. Use AWS Trusted Advisor security checks to detect open ports.
  39. Test and retest: penetration testing. Check to see how secure your application is from external attack. You must obtain authorization first (the rule at the time of this talk; AWS has since exempted a list of services from prior approval, so check the current AWS penetration testing policy before you start). Partners also provide this service on & from AWS. http://aws.amazon.com/security
  40. Where to find more information? The risk and compliance paper; the AWS security processes paper; NEW! the CSA Consensus Assessments Initiative Questionnaire. http://aws.amazon.com/security
  41. Save the Date: aws.amazon.com/apac/arc-anz
  42. Catch the AWS Podcast: http://aws.amazon.com/podcast
  43. Questions? Enter them in the Question area of the console and we will cover as many as we can.
  44. Thank you. Simon Elisha – Principal Solution Architect, @simon_elisha