AWS Summit 2011: Application Security Best Practices


Published on

Published in: Technology
1 Like
  • Be the first to comment

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

AWS Summit 2011: Application Security Best Practices

  1. 1. Application Security Best Practices Matt Tavis | Principal Solutions Architect
  2. 2. Application Security Best Practices is a Complextopic!• Design scalable and fault tolerant applications – See Architecting for the Cloud• Most traditional best practices still apply• There are ways AWS can help
  3. 3. Built Around the Shared Responsibility Model…AWS Customer• Facilities • Operating System• Physical Security • Application • Security Groups• Physical Infrastructure • OS Firewalls• Network Infrastructure • Network Configuration• Virtualization • Account Management Infrastructure
  4. 4. …and AWS Certifications• AWS Environment – SAS70 Type II Audit – ISO 27001 Certification – Payment Card Industry Data Security Standard (PCI DSS) Level 1 Service Provider – FedRAMP (FISMA)• Customers have deployed various compliant applications: – Sarbanes-Oxley (SOX) – HIPAA (healthcare) – FISMA (US Federal Government) – DIACAP MAC III Sensitive IATO
  5. 5. Resources and data are in your control• Specify what Region and AZ to launch in• Customize your AMIs• Create distinct Security Groups groups of EC2 Instances – use rules for controlling access between layers – restrict external access to specific IP ranges• Use AWS Identity & Access Management (IAM) – upload your own keys – use MultiFactor Authentication (MFA)• AWS personnel can’t login to your Instances
  6. 6. Protect your data with encryption• Encrypt data “in-transit” (SSL/TLS)• Encrypt data “at-rest” – Encrypt records before writing in database – Encrypt objects before storing them – Consider encrypted file systems for sensitive data • Windows Bitlocker • Truecrypt • dm-crypt • SafeNet
  7. 7. Traditional Network Topologies in VPC• Create multiple Subnets – specify IP Ranges• Specify Instance private IP Address• Manage Routing• Inbound & Outbound filters – Security Groups: stateful – Network Access Control Lists (ACLs): stateless• Use NAT Instances – Enhance NAT Instances with software VPNs, IDS, logging, etc…
  8. 8. Security best practices still apply• Secure coding standards• Perform penetration testing –• Antivirus where appropriate• Intrusion Detection – Host-based Intrusion Detection (e.g., OSSEC)• Log events• Role-based access control – AWS Identity & Access Management – LDAP and/or Active Directory for Operating Systems & Applications
  9. 9. AWS Credential and Key Management Tips• Create limited IAM Users for application needs• Don’t package privileged key in Instance• Periodic key rotation• One way to pass the application key to an Instance – On the Instance • Decryption key • IAM User with read-only access to a private S3 Bucket that contains the encrypted key – Retrieve the full key and then decrypt it – Use Bucket Logging to monitor attempts to access the key
  10. 10. Extend Your Credentials into AWS• Often done in VPC – easier with static IP for DCs – use egress control• Use Read-only Domain Controllers to scale better• Whitepaper: Using Windows ADFS for Single Sign-On to EC2 C2_ADFS_howto_2.0.pdf
  11. 11. New Security Opportunities Arise on AWSIssue OpportunitySpending too much time Throw it away and just replace it.troubleshooting issues?Found questionable log entries? Launch an EMR job and find correlating events.Tired of patching? Use minimal OS and introduce puppet/chef/etc... Create new AMIs and launch replacements.High risk site in your datacenter? Move it to AWS and reduce threat vectors to other applications.
  12. 12. Security Belongs In Every Layer
  13. 13. Using AWS Account Isolation to ProtectResources • Environment – development, test, integration, performance, production • Major system • Line of business / function • Customer • Risk levelConsolidated Billing lets you bring it all together under one bill!
  14. 14. Leverage Multiple Layers of DefenseFeature Standard EC2 Virtual Private CloudSecurity Groups Inbound Inbound and OutboundNetwork ACLs n/a Inbound and OutboundOperating System Use as-is Use as-isfirewallsBorder firewall Manual configuration* NAT InstanceVPN Manual configuration* VPN GatewayBastion Host Enforce via Security Enforce via Security Groups Groups or Network ACLsIDS HIDS* HIDS* & NAT Instance* Third-party tools / solutions
  15. 15. Public EC2 Multi-tier Security Group Approach Web Tier ssh Application & Bastion Tier Database Tier sshPorts 80 and 443 only open to the Internet Engineering staff have ssh Sync with on-premises Amazon EC2 database Security Group Firewall All other Internet ports blocked by default
  16. 16. You may still need to patch!• Most traditional tools will work• Emerging options – puppet ( – chef ( – fabric/cuisine ( – capistrano (
  17. 17. Monitoring Tools• Cloud Watch (now with console!)• Application Monitoring – Cacti – CloudWatch User Metrics• Instance Monitoring – CloudWatch – Nagios • Nagios CloudWatch plugin
  18. 18. Approaches to Log Management• Distributed Approach – Highly scalable, but not always real-time – Instance-based (push to S3) – Facebook’s Scribe• Centralized Approach – Real-time, but not highly scalable – syslog – Windows Event Logging Service• Analytics – Custom EMR jobs – Splunk (
  19. 19. Example Application DNS (Route 53) ELB Auto-scaling group : Web Tier Auto-scaling group : Web Tier Web Web Web Web Server Server Server Server SLB SLB App Server App Server App Server App Server Cloud Tomcat Tomcat Front Auto-scaling group : App Tier Auto-scaling group : App Tier RDS RDS S3 Master Slave Availability Zone #1 Availability Zone #2 Availability Zone #n
  20. 20. Example: Build Security into Every Layer DNS (Route 53)HA Architecture ELBSecurity Characteristics:- Route 53 (highly scalable Auto-scaling group : Web Tier Auto-scaling group : Web TierDNS) Web Web Web Web- Autoscaling Groups Server Server Server Server- Security Groups- ELB Security Group- OS Firewalls (on Instances) SLB SLB- RDS - DB Security Groups - backup window App Server App Server App Server App Server Cloud Tomcat Tomcat - snapshots Front Auto-scaling group : App Tier Auto-scaling group : App Tier - multi-AZ- CloudFront - Private Distribution - pre-signed URLs RDS RDS S3 Master Slave- S3 Bucket Policies - private bucket Availability Zone #1 Availability Zone #2 Availability Zone #n
  21. 21. Thank You!• More reading: – Security Center: