Best Practices for Securing an Amazon VPC (NET318) - AWS re:Invent 2018


In this interactive workshop, we provide practical advice and guidance for designing and building secure Amazon Virtual Private Clouds (Amazon VPCs). Using a hands-on approach, we take you through using Amazon VPC features such as subnets, security groups, AWS PrivateLink, network ACLs, routing, flow logs, and service endpoints. We also share best practices for VPC design and management based on our experience supporting customers running large-scale infrastructures. We recommend you bring your own laptop.


  1. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
     Best Practices for Securing Amazon VPC (NET318)
     Corina Motoi, Solutions Architect, AWS UK Public Sector
     Matt Johnson, Manager, Solutions Architecture, AWS UK Public Sector
  2. This workshop: see the abstract at the top of the page.
  3. Welcome to the workshop
     • We have a number of AWS staff in the room
       • Amazonians, please identify yourselves!
     • Your fellow conference attendees at your table
       • Say hello, make a new friend
     • Work on your own, or get together in small teams (2-3 people)
     • Decide who will be following along with their laptop
     • Please feel free to ask questions at any time
  4. If you want to go hands-on, you will need…
     • Your laptop (use tablets at your own risk!)
     • An AWS account with:
       • Full AWS Identity and Access Management (IAM) administrator access
       • Recommended regions: EU (Dublin, Frankfurt, London), Asia (Singapore, Sydney, Tokyo)
       • Ability to create two VPCs in your chosen region
       • Pro tip: Choose a region you don’t normally work in, to avoid hitting limits!
     • To start the AWS CloudFormation deployment — NOW! http://bit.ly/net318workshop/
     Note: we will provide a $20 credit voucher at the end of the workshop to cover the costs of deploying the workshop resources
  5. What we are going to cover today
     • Securing the Amazon VPC control plane
       • Securing VPC config
       • Track/audit changes
       • Least privileged access / VPC flow logs
     • Controlling VPC traffic flows
       • VPC security basics
       • External AWS traffic
       • VPC private connectivity: gateway endpoints, interface endpoints, PrivateLink
     • VPC monitoring & automated remediation
       • Monitoring tools
       • Automated remediation
       • Show & tell
  6. Related breakouts
     • Tuesday, November 27: AIOPs – Find Your Needle in the Haystack, 1:00 PM – 2:00 PM | Mirage, Montego D, T1
     • Wednesday, November 28: NET303 – Advanced VPC Design and New Capabilities for Amazon VPC, 4:00 PM – 5:00 PM | Aria West, Level 3, Ironwood 5, T1
     • Wednesday, November 28: NET301 – Best Practices for AWS PrivateLink, 4:45 PM – 5:45 PM | Venetian, Level 2, Venetian F, T2
  7. Assumptions
     This workshop assumes an introductory (200 level) familiarity with:
     • Amazon VPC concepts: subnets, route tables, gateways
     • Amazon EC2 concepts and AWS load balancing
     • IAM concepts: users, groups, policies, roles
     • Other AWS services: AWS Identity and Access Management (IAM), Amazon CloudWatch, AWS CloudFormation
  8. Today’s objectives
     • By the end of the workshop, you should have built a fully functional VPC architecture, aligned with security best practices in three areas:
       • VPC control plane
       • Traffic control
       • VPC monitoring
     • You should understand how to implement security measures in a VPC
     • You (hopefully) have learned something new that you can apply back at your organization
  10. High-level architecture
      [Diagram: users reach an Auto Scaling group in one VPC, which in turn reaches an Auto Scaling group in a second VPC; both VPCs sit in one AWS region.]
      Deployment guide here: http://bit.ly/net318workshop/
  11. [Architecture diagram: two VPCs in one region, each spanning AZ-A and AZ-B. WEB-VPC has public subnets PUB-A/PUB-B behind an internet gateway (public route table), web instances in WEB-A/WEB-B, and AWS interface endpoints in VPCE-A/VPCE-B. APP-VPC has app instances in APP-A/APP-B, subnets PRI-A/PRI-B, and AWS interface endpoints in VPCE-A/VPCE-B. Each VPC has a main route table and an S3 gateway endpoint with an endpoint policy, reaching a regional S3 logging bucket. A SecurityUser role with a SecurityUser policy is used for the control-plane exercises.]
  13. Objective of this chapter
      Learn how to configure permissions to manage your VPC and track/audit any changes to its configuration
  14. Why secure the Amazon VPC control plane?
      • Securing VPC config
      • Track/audit changes in your VPC environment
  16. AWS Identity and Access Management (IAM)
      Assess the following:
      • What types of users access the resources in a VPC?
      • What kind of VPC resources are users allowed to access?
      • What tasks do users need to perform?
      General rule:
      • Allow least privilege access when accessing your VPC resources
      Least privilege access:
      • Identities: users, groups, roles
      • Access management: policies and permissions
  17. How IAM works
      • Principal
      • Authorization
        • Action-level permissions
        • Resource-level permissions
        • Resource-based permissions
        • Tag-based permissions
        • Service-linked roles
      • Resources
  18. The structure of an IAM policy
      • JSON-formatted documents
      • Contain a statement (permissions) that specifies
        • Which actions a principal can perform
        • Which resources can be accessed
      • You can have multiple statements, and each statement is comprised of PARC (Principal, Action, Resource, Condition):
        {
          "Statement": [{
            "Effect": "Allow",
            "Principal": "*",
            "Action": "ec2:*",
            "Resource": "*",
            "Condition": {
              "condition": { "key": "value" }
            }
          }]
        }
  19. What we have learned: how to configure permissions to manage your VPC and track/audit any changes to its configuration
  20. What’s next to learn: how to configure permissions to manage your VPC and track/audit any changes to its configuration
  21. AWS CloudTrail
      • Capture and log events related to AWS API calls
      • Increase visibility into your user and resource activity
      • Discover and troubleshoot security and operational issues
  22. AWS Config & AWS Config rules
      • Record configuration changes continuously
      • Time-series view of resource changes
      • Archive and compare
      • Enforce best practices
      • Automatically roll back unwanted changes
      • Trigger additional workflow
  24. Hands-on 2: Authorize the SecurityUser role to enable logging of VPC traffic, and to activate automated security monitoring
  25. Services we will be enabling: Amazon GuardDuty, Amazon VPC flow logs
  26. Do you have Amazon GuardDuty already enabled?
  27. Hands-on 2: Back to work! Authorize the SecurityUser role to enable logging of VPC traffic, and to activate automated security monitoring
  28. [Architecture diagram as on slide 11.]
  29. [Architecture diagram as on slide 11, now with WEB-VPC flow logs and APP-VPC flow logs enabled.] Lab guide: http://bit.ly/net318workshop/
  31. Objective of this chapter
      Understand VPC traffic control mechanisms and how to use them for external AWS connectivity, private connectivity to AWS services, or for multi-VPC architectures
  32. Controlling VPC traffic flows
      • VPC security basics
      • Best practice VPC connectivity patterns: internet gateway, NAT gateway, peering
      • Connectivity using VPC endpoints and AWS PrivateLink: VPC gateway endpoint
  33. Let’s start: understand VPC traffic control mechanisms and how to use them for external AWS connectivity, private connectivity to AWS services, or for multi-VPC architectures
  34. VPC traffic security control mechanisms
      • Subnets
        • Are specific to an Availability Zone (AZ), and they can be public or private
      • Security group
        • Acts as a virtual firewall for your instance / elastic network interfaces (ENIs) to control inbound and outbound traffic; can be cross-referenced (within a region)
      • Route table
        • Contains a set of rules, called routes, that are used to determine where network traffic is directed. Each subnet in your VPC must be associated with a route table.
      • Network access control lists (NACLs)
        • Optional layer of security for your VPC that acts as a firewall for controlling traffic in and out of one or more subnets
  35. Security groups vs. NACLs
      Security group                                                              | Network ACL
      Operates at instance level                                                  | Operates at subnet level
      Supports allow rules only                                                   | Supports allow and deny rules
      Is stateful: return traffic is automatically allowed regardless of any rules | Is stateless: return traffic must be explicitly allowed by rules
      All rules evaluated before deciding whether to allow traffic                | Rules evaluated in order when deciding whether to allow traffic
      Applies only to instances explicitly associated with the security group     | Automatically applies to all instances launched into associated subnets
      Note: traffic to or from link-local addresses (169.254.0.0/16) or AWS-reserved IPv4 addresses is not filtered; these are the first four IPv4 addresses of the subnet (including the Amazon VPC DNS server)
  36. Reasons for using network ACLs
      • Allows for separation of duties
        • Different IAM actions mean that management of network ACLs can be handled separately from security group configuration
      • Gives the ability to specify explicit deny rules
        • Allows you to blacklist specific IP addresses/ports
      • Provides a mechanism to sever connection-tracked network flows
        • Immediately drop established connections when security group rules are changed*
      * docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-network-security.html#security-group-connection-tracking
  37. Gotchas
      • Security groups don’t implicitly allow east-west traffic
        • Instances within a security group can only talk to each other if explicitly allowed by relevant rule(s)
        • Note: the default security group has this exception!
      • Rules that use security group references and/or private address ranges will only work for connections that target private IP addresses
        • Connections from within the VPC to public IP addresses will be rejected, because the source will appear to be from a public IP address
      • When using network ACLs and Amazon Elastic Load Balancers (ELBs)
        • Allow health check traffic from the ELB subnets to the backend subnets
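As an added illustration (not code from the workshop), a small Python model of the evaluation rules from the comparison table and the gotchas above: the security group tracks connections and admits reply traffic by itself, while the NACL evaluates each direction independently and in rule-number order, so an HTTPS reply is dropped unless an outbound rule covers the client's ephemeral port range. All addresses and rules are constructed.

```python
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int


@dataclass(frozen=True)
class Rule:
    number: int      # NACL evaluation order (ascending); ignored by security groups
    action: str      # "allow" or "deny" (security groups carry allow rules only)
    cidr: str
    proto: str       # "tcp", "udp" or "all"
    port_from: int
    port_to: int

    def matches(self, ip: str, proto: str, port: int) -> bool:
        return (ip_address(ip) in ip_network(self.cidr)
                and self.proto in ("all", proto)
                and self.port_from <= port <= self.port_to)


class SecurityGroup:
    """Stateful, allow-only: all rules are consulted and any match admits the packet;
    the reply to an admitted flow is admitted from the connection-tracking table alone."""

    def __init__(self, inbound: list[Rule]):
        self.inbound = inbound
        self._tracked: set[tuple[str, int, str, int, str]] = set()

    def inbound_allowed(self, p: Packet) -> bool:
        ok = any(r.matches(p.src, p.proto, p.dport) for r in self.inbound)
        if ok:
            self._tracked.add((p.src, p.sport, p.dst, p.dport, p.proto))
        return ok

    def outbound_allowed(self, p: Packet) -> bool:
        # Only reply traffic is modelled here; it passes regardless of outbound rules.
        return (p.dst, p.dport, p.src, p.sport, p.proto) in self._tracked


class NetworkAcl:
    """Stateless, ordered: the lowest-numbered matching rule decides, an implicit
    final '*' rule denies, and reply packets are evaluated like any other packet."""

    def __init__(self, inbound: list[Rule], outbound: list[Rule]):
        self.inbound = sorted(inbound, key=lambda r: r.number)
        self.outbound = sorted(outbound, key=lambda r: r.number)

    @staticmethod
    def _evaluate(rules: list[Rule], ip: str, proto: str, port: int) -> bool:
        for r in rules:
            if r.matches(ip, proto, port):
                return r.action == "allow"
        return False  # implicit final "* deny"

    def inbound_allowed(self, p: Packet) -> bool:
        return self._evaluate(self.inbound, p.src, p.proto, p.dport)

    def outbound_allowed(self, p: Packet) -> bool:
        return self._evaluate(self.outbound, p.dst, p.proto, p.dport)


# Constructed HTTPS request from the internet to a web instance, and its reply.
REQUEST = Packet(src="203.0.113.10", dst="10.0.0.5", proto="tcp", sport=51000, dport=443)
REPLY = Packet(src="10.0.0.5", dst="203.0.113.10", proto="tcp", sport=443, dport=51000)


def security_group_demo() -> tuple[bool, bool]:
    """One inbound allow on 443 is enough: the reply is admitted by connection tracking."""
    sg = SecurityGroup([Rule(0, "allow", "0.0.0.0/0", "tcp", 443, 443)])
    return sg.inbound_allowed(REQUEST), sg.outbound_allowed(REPLY)


def nacl_demo(with_ephemeral_rule: bool) -> tuple[bool, bool]:
    """The same inbound allow on a NACL drops the reply until an outbound rule
    covers the client's ephemeral port range (1024-65535 here)."""
    outbound = [Rule(100, "allow", "0.0.0.0/0", "tcp", 1024, 65535)] if with_ephemeral_rule else []
    nacl = NetworkAcl(inbound=[Rule(100, "allow", "0.0.0.0/0", "tcp", 443, 443)], outbound=outbound)
    return nacl.inbound_allowed(REQUEST), nacl.outbound_allowed(REPLY)


def nacl_explicit_deny_demo() -> bool:
    """A lower-numbered deny for one address wins over the broader allow that follows it."""
    nacl = NetworkAcl(inbound=[Rule(100, "allow", "0.0.0.0/0", "tcp", 443, 443),
                               Rule(50, "deny", "203.0.113.10/32", "all", 0, 65535)],
                      outbound=[])
    return nacl.inbound_allowed(REQUEST)
```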
  38. What we have learned: VPC traffic control mechanisms and how to use them for external AWS connectivity, private connectivity to AWS services, or for multi-VPC architectures
  39. What’s next to learn in this chapter: VPC traffic control mechanisms and how to use them for external AWS connectivity, private connectivity to AWS services, or for multi-VPC architectures
  40. Securing internet connectivity—Inbound
      [Diagram: a VPC in one AZ with subnets 10.0.0.0/24 and 10.0.1.0/24, app servers, a router and an internet gateway to the internet. Custom route table:]
        Destination   Target
        10.0.0.0/16   local
        0.0.0.0/0     igw_id
      • Do I really need inbound internet traffic to my VPC?
      • Best practices to secure your instances
  41. Securing internet connectivity—Inbound (continued)
      • Secure traffic by applying the VPC security controls discussed in the previous chapter (NACLs on the subnets)
  42. Securing internet connectivity—Outbound
      [Diagram: a VPC in one AZ with a public subnet (10.0.0.0/24) containing a NAT gateway with Elastic IP 198.51.100.4, and a private subnet (10.0.1.0/24) containing app servers; a router and an internet gateway lead to the internet.]
      • Do I really need outbound internet access from my VPC?
      • Do I really need outbound internet access from the instances in the private subnet?
  44. Securing internet connectivity—Outbound (continued)
      Public subnet route table:
        Destination   Target
        10.0.0.0/16   local
        0.0.0.0/0     igw_id
      Private subnet route table:
        Destination   Target
        10.0.0.0/16   local
        0.0.0.0/0     nat_gateway_id
      • Secure traffic by applying the VPC security controls discussed in the previous chapter (NACLs on both subnets)
  45. Options for on-premises connectivity
      Option                                | Use case                                                   | Internet connection required | Dedicated network connection | Traffic encryption
      AWS Managed VPN                       | AWS managed IPsec VPN connection over the internet         | YES                          |                              | YES
      Software VPN                          | Software appliance-based VPN connection over the internet  | YES                          |                              | YES
      AWS Direct Connect                    | Dedicated network connection over private lines            |                              | YES                          |
      AWS Direct Connect plus software VPN  | Software appliance-based VPN connection over private lines |                              | YES                          | YES
      AWS Direct Connect plus managed VPN   | AWS managed IPsec VPN connection via DX public VIF         | YES (DX public VIF)          | YES                          | YES
  46. What we have learned: VPC traffic control mechanisms and how to use them for external AWS connectivity, private connectivity to AWS services, or for multi-VPC architectures
  47. What’s next to learn: VPC traffic control mechanisms and how to use them for external AWS connectivity, private connectivity to AWS services, or for multi-VPC architectures
  48. Private connectivity to AWS services
      Use cases
      • Scenarios where you have only DX/VPN connectivity to VPCs
      • No egress from the VPC to public networks (and hence to AWS API endpoints)
      Best practice
      • Reduces the attack surface by only allowing outbound traffic initiated from the VPC
      Supporting services
      • VPC endpoints
  49. VPC endpoints
      [Diagram: a VPC in one AZ with a public subnet (10.0.0.0/24, NAT gateway, internet gateway) and a private subnet (10.0.1.0/24, app servers) reaching an AWS service VPC over the internet.]
  50. VPC endpoints
      [Diagram: the same VPC reaching the service VPC directly through a VPC endpoint.]
      No IGW, NGW, or public IP addresses required
  51. VPC endpoints
      VPC gateway endpoints
      • Private routed access to Amazon S3 and Amazon DynamoDB
      • IAM-based access control
  52. VPC endpoints
      VPC interface endpoints (AWS PrivateLink)
      • Private IP access to specific AWS service endpoints and customer endpoints
      • Security group access controls
  53. Gateway endpoints—Access control
      Robust access control
      • Route table association
      • Resource policies (for Amazon S3 endpoints)
      • VPC endpoint policies
      • Prefix lists within security groups
      Route table:
        Destination                      Target
        10.0.1.0/16                      local
        Prefix list for S3 us-west-2     VPCE
  54. Gateway endpoints—VPC endpoint policies
      • A VPC endpoint policy is an IAM resource policy that you attach to an endpoint when you create or modify the endpoint
      • An endpoint policy does not replace IAM user policies or service-specific policies (such as S3 bucket policies)
      • You cannot attach more than one policy to an endpoint
        {
          "Statement": [
            {
              "Sid": "vpce-restrict-to-backup-bucket",
              "Principal": "*",
              "Action": ["s3:GetObject", "s3:PutObject"],
              "Effect": "Allow",
              "Resource": ["arn:aws:s3:::backups-reinvent", "arn:aws:s3:::backups-reinvent/*"]
            }
          ]
        }
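A small evaluator, added here and not part of the workshop materials, that applies the endpoint policy above together with an assumed bucket policy on backups-reinvent to show the two points made on this slide and the PARC structure from slide 18: a request has to be allowed by the endpoint policy and by the bucket policy, and an explicit Deny in either wins. The bucket policy, its aws:SourceVpce condition and the endpoint ID vpce-EXAMPLE are constructed; only the StringEquals and StringNotEquals operators are modelled.

```python
import fnmatch
import json

# The gateway endpoint policy from the slide.
ENDPOINT_POLICY = json.loads("""
{
  "Statement": [{
    "Sid": "vpce-restrict-to-backup-bucket",
    "Principal": "*",
    "Action": ["s3:GetObject", "s3:PutObject"],
    "Effect": "Allow",
    "Resource": ["arn:aws:s3:::backups-reinvent", "arn:aws:s3:::backups-reinvent/*"]
  }]
}
""")

# Constructed bucket policy: read-only, and only through one specific endpoint.
BUCKET_POLICY = json.loads("""
{
  "Statement": [
    {"Sid": "read-objects", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::backups-reinvent/*"},
    {"Sid": "only-via-our-endpoint", "Effect": "Deny", "Principal": "*",
     "Action": "s3:*",
     "Resource": ["arn:aws:s3:::backups-reinvent", "arn:aws:s3:::backups-reinvent/*"],
     "Condition": {"StringNotEquals": {"aws:SourceVpce": "vpce-EXAMPLE"}}}
  ]
}
""")

_OPS = {
    "StringEquals": lambda actual, expected: actual in expected,
    "StringNotEquals": lambda actual, expected: actual not in expected,
}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _match(pattern: str, value: str) -> bool:
    # IAM wildcards: '*' matches any run of characters, '?' a single character.
    return fnmatch.fnmatchcase(value, pattern)


def _conditions_hold(conds: dict, context: dict) -> bool:
    for op, kv in conds.items():
        if op not in _OPS:
            raise ValueError(f"condition operator not modelled: {op}")
        for key, expected in kv.items():
            if not _OPS[op](context.get(key), _as_list(expected)):
                return False
    return True


def evaluate(policy: dict, action: str, resource: str, context: dict) -> str:
    """Simplified IAM evaluation: explicit Deny wins, then any Allow, else implicit deny."""
    decision = "implicit-deny"
    for st in policy["Statement"]:
        if not any(_match(a, action) for a in _as_list(st["Action"])):
            continue
        if not any(_match(r, resource) for r in _as_list(st["Resource"])):
            continue
        if not _conditions_hold(st.get("Condition", {}), context):
            continue
        if st["Effect"] == "Deny":
            return "explicit-deny"
        decision = "allow"
    return decision


def allowed_through_endpoint(action: str, resource: str, vpce_id: str = "vpce-EXAMPLE") -> bool:
    """The endpoint policy does not replace the bucket policy: both must allow the call."""
    ctx = {"aws:SourceVpce": vpce_id}
    return (evaluate(ENDPOINT_POLICY, action, resource, ctx) == "allow"
            and evaluate(BUCKET_POLICY, action, resource, ctx) == "allow")
```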
  55. Gateway endpoints—Prefix list & security groups
      • Logical route destination target
      • Amazon S3 prefix lists abstract changes to S3 IP ranges
      • Can be used in security group rules
        $ aws ec2 describe-prefix-lists
        PREFIXLISTS  pl-68a54001  com.amazonaws.us-west-2.s3
        CIDRS        54.231.160.0/19
        CIDRS        52.218.128.0/18
  56. Let’s take a break—Hands-on time!
      • VPC traffic control mechanisms
      • Private connectivity to AWS services
      • VPC gateway endpoints
  58. Hands-on 3: Configure (and test) the S3 gateway endpoint in the app VPC to allow instances to read data from the S3 logging bucket
  59. [Architecture diagram as on slide 11, with flow logs enabled.]
  60. [Architecture diagram as on slide 11, highlighting the APP-VPC S3 gateway endpoint and its endpoint policy.] Lab guide: http://bit.ly/net318workshop/
  61. • VPC traffic control mechanisms
      • Private connectivity to AWS services
      • VPC gateway endpoints
      • VPC interface endpoints
  62. VPC interface endpoints (AWS PrivateLink)—Access control
      Interface endpoints are created directly inside your VPC
      • using elastic network interfaces (ENIs)—one per AZ
      • IP addresses in your VPC’s subnets
      • Accessible via DX, VPN, and inter-region peering
      • Support for private DNS names
      • Amazon VPC security groups
  63. VPC interface endpoints (AWS PrivateLink)
      Currently supported services
      • Specific AWS services (list here: https://docs.aws.amazon.com/vpc/latest/userguide/vpce-interface.html)
      • Endpoint services hosted by other AWS accounts
      • Supported AWS Marketplace partner services
  64. Let’s take a break—Hands-on time!
      • VPC traffic control mechanisms
      • Private connectivity to AWS services
      • VPC gateway endpoints
      • VPC interface endpoints
  66. Hands-on 4: Establish private connectivity to push custom metric data from EC2 instances into Amazon CloudWatch
  67. [Architecture diagram as on slide 11, with flow logs enabled.]
  68. [Architecture diagram as on slide 11, highlighting the AWS interface endpoints in APP-VPC.] Lab guide: http://bit.ly/net318workshop/
  69. What we have learned: VPC traffic control mechanisms and how to use them for external AWS connectivity, private connectivity to AWS services, or for multi-VPC architectures
  70. What’s next to learn: VPC traffic control mechanisms and how to use them for external AWS connectivity, private connectivity to AWS services, or for multi-VPC architectures
  71. Multi-VPC architecture
      Use cases
      • Peering two or more VPCs to provide access to resources
      • Peering to one VPC to access centralized resources
      Best practice
      • Minimize blast radius for users and networks
      Supporting services
      • VPC peering
      • AWS PrivateLink for customer and partner services
  72. VPC peering
      • Networking connection between two VPCs
      • Peering connection can be made between
        • Your own VPCs, and/or…
        • …VPCs in another AWS account, and/or…
        • …VPCs in another region
      • Uses the underlying Amazon VPC infrastructure
        • Doesn’t create a bottleneck
        • No single point of failure
  73. AWS PrivateLink for customer and partner services
      [Diagram: a service consumer VPC (private subnet 10.0.1.0/24 with instances and a VPC endpoint network interface at private IPs 10.0.1.5 and 10.0.1.10) connected to a service provider VPC (private subnet 10.0.2.0/24 with instances).]
      • Great for vending SaaS services securely
      • Tenancy:
        • Single-tenant mode: create a PrivateLink NLB for every client/customer
        • Multi-tenant mode: allow many customers to use the same PrivateLink NLB
      • Endpoints have regional and zonal DNS names
  74. AWS PrivateLink—Good to know
      How do we tell endpoint traffic and different VPCs apart? Three options:
      1. Use traditional accounts/passwords/security tokens at application level
      2. Use separate NLBs and different listener ports on the targets
      3. Enable the ProxyProtocolV2 preamble
      • Supports traffic in one direction only
      • Supports TCP, not UDP
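Option 3 above in practice, as an added example that is not from the workshop: a parser for the PROXY protocol v2 preamble a Network Load Balancer prepends to each connection, which carries the consumer's original address and, in an AWS-specific TLV (type 0xEA, subtype 0x01), the consumer's VPC endpoint ID; the endpoint ID, not the address, identifies the consumer because consumer VPC CIDRs may overlap. The addresses and endpoint ID are constructed, and the builder exists only to produce test input.

```python
from __future__ import annotations
import socket
import struct
from dataclasses import dataclass
from typing import Optional

PP2_SIGNATURE = b"\r\n\r\n\x00\r\nQUIT\n"   # 12-byte PROXY protocol v2 signature
PP2_TYPE_AWS = 0xEA                          # AWS custom TLV type (NLB)
PP2_SUBTYPE_AWS_VPCE_ID = 0x01               # subtype carrying the VPC endpoint ID


@dataclass
class ProxyInfo:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    vpce_id: Optional[str] = None
    header_len: int = 0   # bytes consumed; application data starts here


def build_pp2_header(src_ip: str, src_port: int, dst_ip: str, dst_port: int, vpce_id: str) -> bytes:
    """Constructed test input: a v2 PROXY header for TCP over IPv4 with the AWS VPCE TLV."""
    addrs = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
             + struct.pack("!HH", src_port, dst_port))
    tlv_value = bytes([PP2_SUBTYPE_AWS_VPCE_ID]) + vpce_id.encode("utf-8")
    tlv = struct.pack("!BH", PP2_TYPE_AWS, len(tlv_value)) + tlv_value
    body = addrs + tlv
    # 0x21 = version 2, PROXY command; 0x11 = AF_INET, STREAM
    return PP2_SIGNATURE + bytes([0x21, 0x11]) + struct.pack("!H", len(body)) + body


def parse_pp2_header(data: bytes) -> ProxyInfo:
    """Parse the preamble at the start of a connection; raises ValueError on anything unexpected."""
    if not data.startswith(PP2_SIGNATURE):
        raise ValueError("not a PROXY protocol v2 stream")
    ver_cmd, fam_proto, length = struct.unpack("!BBH", data[12:16])
    if ver_cmd >> 4 != 2:
        raise ValueError("unsupported PROXY protocol version")
    if ver_cmd & 0x0F != 0x01:
        raise ValueError("LOCAL command: no proxied address information")
    if fam_proto != 0x11:
        raise ValueError("only TCP over IPv4 is handled in this example")
    body = data[16:16 + length]
    if len(body) < length or length < 12:
        raise ValueError("truncated PROXY header")
    src_ip, dst_ip = socket.inet_ntoa(body[0:4]), socket.inet_ntoa(body[4:8])
    src_port, dst_port = struct.unpack("!HH", body[8:12])
    info = ProxyInfo(src_ip, src_port, dst_ip, dst_port, header_len=16 + length)
    pos = 12
    while pos + 3 <= len(body):                 # walk the TLVs after the addresses
        tlv_type, tlv_len = struct.unpack("!BH", body[pos:pos + 3])
        value = body[pos + 3:pos + 3 + tlv_len]
        if len(value) < tlv_len:
            raise ValueError("truncated TLV")
        if tlv_type == PP2_TYPE_AWS and value[:1] == bytes([PP2_SUBTYPE_AWS_VPCE_ID]):
            info.vpce_id = value[1:].decode("utf-8")
        pos += 3 + tlv_len
    return info


# Constructed stream: a consumer instance at 10.0.1.5 reaching the endpoint ENI at 10.0.1.10.
SAMPLE_STREAM = (build_pp2_header("10.0.1.5", 51000, "10.0.1.10", 443, "vpce-0123456789abcdef0")
                 + b"GET / HTTP/1.1\r\n")


def parse_sample() -> ProxyInfo:
    return parse_pp2_header(SAMPLE_STREAM)


def sample_application_data() -> bytes:
    """What the backend hands to the application once the preamble is stripped."""
    return SAMPLE_STREAM[parse_sample().header_len:]
```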
  75. VPC peering vs AWS PrivateLink
      Use case                                     | VPC peering | AWS PrivateLink
      Private connection between two VPCs          | YES         | YES
      Source IP identification                     | YES         | NO
      Provide an endpoint service to another VPC   | NO          | YES
      Supports overlapping CIDR ranges             | NO          | YES
      Bidirectional traffic                        | YES         | NO
      UDP support                                  | YES         | NO
      Connectivity from DX/VPN                     | NO          | YES
  76. Let’s take a break—Hands-on time!
      • VPC traffic control mechanisms
      • Multi-VPC architectures
      • AWS PrivateLink
  78. Hands-on 5: Pass traffic directed to the /service/ URL from the front-end load balancer privately to the back-end load balancer
  79. [Architecture diagram as on slide 11, with flow logs enabled.]
  80. [Architecture diagram as on slide 11, highlighting the AWS interface endpoints linking WEB-VPC to APP-VPC.] Lab guide: http://bit.ly/net318workshop/
  82. Objective of this chapter
      Learn about the VPC-related monitoring tools and how to use them to detect and remediate security breaches
  83. What is the role of VPC monitoring?
      • Monitoring IP traffic flows
      • Detecting malicious or unauthorised behaviour
      • Triggering automated remediation
      Tools: VPC flow logs, CloudWatch Events
  85. 85. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. Services and tools for VPC monitoring Account Resources Network VPC Flow logs
86-89. VPC flow logs (diagram: a VPC in one availability zone with a public subnet and a private subnet, 10.0.0.0/24 and 10.0.1.0/24, a NAT gateway, web servers and app servers, with flow logs captured at the ENIs)
Capture information about the IP traffic going to and from network interfaces in your VPC.
Use cases
• Diagnose overly restrictive security controls
• Monitor the traffic reaching your instances
• Identify trends and create alarms in response to specific types of traffic
90. VPC flow logs format (diagram)
91. VPC flow logs—Good to know
• If traffic is sent to a secondary IP address on an ENI, the flow log displays the primary IPv4 address in the destination IP address field
• Flow log API actions don’t support resource-level permissions
• Not all traffic is captured:
  • Traffic sent to the Amazon DNS Server
  • Traffic sent to the Windows License Activation server
  • Traffic sent to the 169.254.169.254 metadata server
  • DHCP request and response traffic
  • Traffic to the reserved IP address for the default VPC router
92. Amazon GuardDuty (diagram: VPC Flow Logs and DNS logs feed threat intel, ML/AI and anomaly detection; findings rated HIGH, MEDIUM or LOW for reconnaissance, instance compromise and account compromise; output to a SIEM and/or a respond step)
Intelligent continuous security monitoring and threat detection: a fully managed service with integrated threat intelligence, anomaly detection, and machine learning.
93. Amazon GuardDuty threat detection type details
Reconnaissance
• Instance recon: Port probe/accepted comm; Port scan (intra-VPC); Brute force attack (IP); Drop point (IP); Tor communications
• Account recon: Tor API call (failed)
Instance compromise
• C&C activity; Malicious domain request; EC2 on threat list; Drop point IP; Malicious comms (ASIS); Bitcoin mining; Outbound DDoS; Spambot activity; Outbound SSH brute force; Unusual network port; Unusual traffic volume/direction; Unusual DNS requests; Domain generated algorithms
Account compromise
• Malicious API call (bad IP); Tor API call (accepted); CloudTrail disabled; Password policy change; Instance launch unusual; Region activity unusual; Suspicious console login; Unusual ISP caller; Mutating API calls (create, update, delete); High volume of describe calls; Unusual IAM user added
* Signature-based stateless findings
* Behavioral stateful findings and anomaly detections (ML driven)
94. Amazon GuardDuty—Good to know
• You don’t need to have any logging turned on in your account in order for GuardDuty to process any of the log types.
• Currently, customers do not have direct access to the DNS logs, so GuardDuty is, in effect, their only means of monitoring these logs.
• All the logging is done on the back end, as GuardDuty gets the logs directly from the relevant services. So there is no need for architecture changes, no agents, and no account performance impact.
95. Amazon CloudWatch—Good to know
• CloudWatch offers a range of capabilities: Metrics, Dashboards, Logs, Events, Alarms
• CloudWatch Logs provides a range of benefits:
  • A useful aggregation point for log data
  • The ability to push data into other services
  • Integration with third-party services
96. What we have learned: Learn about the VPC-related monitoring tools and how to use them to detect and remediate security breaches
97. What’s next to learn: Learn about the VPC-related monitoring tools and how to use them to detect and remediate security breaches
98. Automated remediation—VPC security breaches
• Apply controls that can help restore the environment to the “desired” state based on information from detective controls
• Respond with no (or limited) human interaction to security breaches
• Provide a “failsafe” capability when preventive controls fail or are compromised
Supporting services: CloudWatch Events; Custom Config rules; AWS Lambda
99. CloudWatch Events concepts—Good to know
• Driven by API activity
• Concepts:
  • Event—indicates a change in your AWS environment
  • Target—processes events
  • Rule—matches incoming events and routes them to targets for processing
• Amazon CloudWatch Event bus allows centralized CloudWatch Events within/between organizations
100. Automatic remediation within a VPC (diagram): Detect (VPC flow logs) → Report (CloudWatch Events) → Remediate (Lambda function)
102. Show & Tell: Maintain the security of the application VPC by removing any internet gateway that might get attached
103-104. Lab architecture diagram (WEB-VPC and APP-VPC across AZ-A and AZ-B, with their subnets, interface and S3 gateway endpoints, route tables, flow logs to the S3 logging bucket, and the SecurityUser role/policy) with the remediation flow added: an internet gateway attached to APP-VPC raises an event, and an event-based rule detaches the gateway. Lab guide: http://bit.ly/net318workshop/
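One way to build the Show & Tell remediation described above (an event-based rule on the AttachInternetGateway API call triggers a Lambda function that detaches the gateway from the protected APP-VPC), as an added example rather than the workshop's lab code; the event pattern, the PROTECTED_VPC_IDS environment variable, and the sample event with placeholder IDs are assumptions.

```python
"""Detach any internet gateway attached to a protected VPC, driven by CloudWatch Events.
Added example, not the workshop's lab code; the event pattern, the environment variable
and the constructed sample event (placeholder IDs) are assumptions."""
import os

# CloudWatch Events rule pattern: the AttachInternetGateway API call as recorded by CloudTrail.
EVENT_PATTERN = {
    "source": ["aws.ec2"],
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {"eventSource": ["ec2.amazonaws.com"],
               "eventName": ["AttachInternetGateway"]},
}

def plan_remediation(event, protected_vpc_ids):
    """Pure decision step (testable without AWS): return (igw_id, vpc_id) to detach when
    the call attached a gateway to a protected VPC, otherwise None. A failed call carries
    an errorCode and changed nothing, so it is ignored rather than acted on."""
    detail = event.get("detail", {})
    if detail.get("eventName") != "AttachInternetGateway" or "errorCode" in detail:
        return None
    params = detail.get("requestParameters") or {}
    igw_id, vpc_id = params.get("internetGatewayId"), params.get("vpcId")
    if not igw_id or vpc_id not in protected_vpc_ids:
        return None
    return igw_id, vpc_id

def lambda_handler(event, context):
    """Lambda entry point: read the protected VPC list from the environment, decide,
    then undo the attachment with the EC2 API and report what was done."""
    protected = set(filter(None, os.environ.get("PROTECTED_VPC_IDS", "").split(",")))
    decision = plan_remediation(event, protected)
    if decision is None:
        return {"action": "none"}
    igw_id, vpc_id = decision
    import boto3  # imported here so the decision logic above runs offline without boto3
    boto3.client("ec2").detach_internet_gateway(InternetGatewayId=igw_id, VpcId=vpc_id)
    return {"action": "detached", "internetGatewayId": igw_id, "vpcId": vpc_id}

# Constructed event in the shape CloudWatch Events delivers for a CloudTrail API call;
# the gateway and VPC IDs are placeholders standing in for the lab's APP-VPC.
SAMPLE_EVENT = {
    "source": "aws.ec2",
    "detail-type": "AWS API Call via CloudTrail",
    "detail": {
        "eventSource": "ec2.amazonaws.com",
        "eventName": "AttachInternetGateway",
        "requestParameters": {"internetGatewayId": "igw-0123456789abcdef0",
                              "vpcId": "vpc-0a1b2c3d4e5f67890"},
    },
}
```

The Lambda role needs only ec2:DetachInternetGateway on the protected VPC, which keeps the remediation itself least-privileged.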
106. What we’ve covered today
• VPC security basics: Controlling VPC traffic flows; External AWS traffic
• VPC private connectivity: Gateway endpoints; Interface endpoints; PrivateLink
• Securing the Amazon VPC control plane: Securing VPC config; Track/audit changes; Least privileged access/VPC Flow logs
• VPC monitoring & automated remediation: Monitoring tools; Automated remediation; Show&tell
107. Finally …
• Don’t forget to delete the CloudFormation stack and any resources you have created today: http://bit.ly/net318cleanup/
• Complete the evaluation form (NET318) so we can improve this workshop next year
• Enjoy the rest of the week!
108. Thank you! Corina Motoi, Solutions Architect, AWS UK Public Sector; Matt Johnson, Manager, Solutions Architecture, AWS UK Public Sector