This presentation showcases the "best of the best" practices for operating securely at scale on AWS, taken from real customer examples and incorporating practical examples from the Center for Internet Security's CIS AWS Foundations and CIS AWS Three-Tier Web Architecture benchmarks. Come learn how to "Just Turn It On!"
2. Agenda
• Sources of Best Practices
• A Bad Day
• Best of the Best Practices
– Identity and Access Management
– Logging and Monitoring
– Infrastructure Security
– Data Protection
• Click, Script, Commit
• Tools and Automation
3. Sources of Best Practices
AWS Cloud Adoption Framework (CAF): how to move to the cloud securely following the Security Perspective. Core Capabilities:
• Identity and Access Management
• Logging and Monitoring (Detect)
• Infrastructure Security
• Data Protection
• Incident Response
AWS Security Best Practices: whitepaper with 44 best practices, including:
• Identity and Access Management (10 best practices)
• Logging and Monitoring (4)
• Infrastructure Security (15)
• Data Protection (15)
Center for Internet Security (CIS) Benchmarks: 148 detailed recommendations for configuration and auditing, covering:
• "AWS Foundations" with 52 checks aligned to AWS Best Practices
• "AWS Three-Tier Web Architecture" with 96 checks for web applications
7. Bill's Bad Day
[diagram: a single AWS Account reached from the Internet through an Internet Gateway; a Web Server Instance and an Internal Data Service; S3 buckets "Website Images" and "Data Backup"; a Bad Person on the Internet working through steps 1 to 5]
1. Access the vulnerable web application
2. Pivot to the data service
3. Delete the website image files
4. Change permissions to the data backup
5. Download the data backup
8. Bill's Bad Day: what went wrong
[diagram: the same single account, with each weakness numbered at the point in the architecture where it let the attack through]
1. No web application protection
2. One account
3. No segmentation
4. All permissions granted
5. Sensitive data not encrypted
6. No logging, monitoring, alerting
… now let's help Andy have a great day! :-)
9. Best of the Best Practices: Identity and Access Mgmt
Sources for each practice: AWS Best Practices Paper, CIS Web-Tier Benchmark, CIS Foundation Benchmark
1) Use multiple AWS accounts to reduce blast radius
[diagram: separate Production and Staging accounts]
AWS accounts provide administrative isolation between workloads across different lines of business, regions, stages of production and types of data classification.
2) Use limited roles and grant temporary security credentials
[diagram: IAM plus an MFA token issuing Temporary Security Credentials]
IAM roles and temporary security credentials mean you don't always have to manage long-term credentials and IAM users for each entity that requires access to a resource.
3) Federate to an existing identity service
[diagram: AWS Directory Service mapped onto IAM Roles]
Control access to AWS resources, and manage the authentication and authorisation process, without needing to re-create all your corporate users as IAM users.
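Practices 1 and 2 meet in a role's trust policy: who in which account may assume it, and under what conditions. The following audit script is an added example and not code from the talk. It walks role trust policies in the shape returned by iam:GetRole (the AssumeRolePolicyDocument) and flags two hygiene failures that undo the blast-radius reduction: a trust for any AWS principal, and a cross-account trust that demands neither MFA nor an sts:ExternalId. The account IDs, role names and policy documents are constructed for illustration.

```python
"""Audit IAM role trust policies for cross-account assume-role hygiene.

Added example, not code from the talk. Input is the shape of
iam:GetRole -> Role.AssumeRolePolicyDocument after URL-decoding; the
documents in TRUST_POLICIES are constructed for illustration.
"""
import json


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _aws_principals(statement):
    """Return the AWS principals (account IDs or ARNs) a statement trusts."""
    principal = statement.get("Principal", {})
    if principal == "*":
        return ["*"]
    return _as_list(principal.get("AWS", []))


def _account_of(principal):
    """'123456789012' or 'arn:aws:iam::123456789012:root' -> '123456789012'."""
    if principal.isdigit():
        return principal
    parts = principal.split(":")
    return parts[4] if len(parts) >= 6 else ""


def _requires_mfa(statement):
    cond = statement.get("Condition", {})
    return str(cond.get("Bool", {}).get("aws:MultiFactorAuthPresent", "")).lower() == "true"


def _requires_external_id(statement):
    return "sts:ExternalId" in statement.get("Condition", {}).get("StringEquals", {})


def audit_trust_policy(role_name, document, own_account):
    """Return finding strings for one role; an empty list means clean."""
    findings = []
    for stmt in _as_list(document.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if not any(a in ("sts:AssumeRole", "sts:*") for a in _as_list(stmt.get("Action", []))):
            continue
        for principal in _aws_principals(stmt):
            account = _account_of(principal)
            if principal == "*" or account == "*":
                findings.append(f"{role_name}: any AWS principal may assume this role")
            elif account and account != own_account and not (
                _requires_mfa(stmt) or _requires_external_id(stmt)
            ):
                # Cross-account trust: a human caller should present MFA (practice 2); a
                # third-party service that cannot do MFA should at least be pinned with ExternalId.
                findings.append(f"{role_name}: {principal} may assume without MFA or ExternalId")
    return findings


OWN_ACCOUNT = "111111111111"       # constructed: the production account
SECURITY_ACCOUNT = "222222222222"  # constructed: the security/audit account

TRUST_POLICIES = {  # constructed role names and documents
    # Good: the security account may assume, but only from an MFA-authenticated session.
    "SecurityAuditRole": {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{SECURITY_ACCOUNT}:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}}]},
    # Good: an instance role assumed by the EC2 service, not by a human.
    "WebServerInstanceRole": {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Principal": {"Service": "ec2.amazonaws.com"},
        "Action": "sts:AssumeRole"}]},
    # Bad: trusts every AWS account in existence.
    "LegacyOpsRole": {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "sts:AssumeRole"}]},
    # Bad: cross-account trust with no MFA and no ExternalId condition.
    "VendorSupportRole": {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Principal": {"AWS": "333333333333"}, "Action": "sts:AssumeRole"}]},
}


def run_audit(policies=TRUST_POLICIES, own_account=OWN_ACCOUNT):
    """Audit every role and return {role_name: [findings]} for roles with issues."""
    report = {}
    for role, document in policies.items():
        findings = audit_trust_policy(role, document, own_account)
        if findings:
            report[role] = findings
    return report


if __name__ == "__main__":
    print(json.dumps(run_audit(), indent=2))
```

Fed real data, the loop would iterate over iam:ListRoles in every account; the check deliberately ignores Service principals, since an EC2 or Lambda service role is the intended way to avoid long-term credentials on instances.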
11. Best of the Best Practices: Logging and Monitoring
Sources for each practice: AWS Best Practices Paper, CIS Web-Tier Benchmark, CIS Foundation Benchmark
4) Turn on logging in all accounts, for all services, in all regions
[diagram: AWS Config, Amazon CloudWatch, AWS CloudTrail]
The AWS API history in CloudTrail enables security analysis, resource change tracking, and compliance auditing. CloudWatch collects and tracks metrics and monitors log files.
5) Use the AWS platform's built-in monitoring and alerting features
[diagram: CloudWatch Alarms]
Monitoring a broad range of sources helps ensure that unexpected occurrences are detected. Establish alarms and notifications for anomalous or sensitive account activity.
6) Use a separate AWS account to fetch and store copies of all logs
[diagram: Production account shipping log copies to a Security account]
Configuring a security account to copy logs to a separate bucket ensures that a copy survives even if the production account is compromised and its logs are tampered with, which is the information security incident response workflows depend on.
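Practice 5 in concrete form: the CIS AWS Foundations Benchmark (section 3) specifies CloudWatch Logs metric filter patterns over the CloudTrail log group, each backed by an alarm. The script below is an added example and not code from the talk; it implements four of those patterns as Python predicates (the CIS pattern each mirrors is quoted above it) so the logic can be exercised offline against SAMPLE_RECORDS, which are constructed CloudTrail records trimmed to the fields the detections read.

```python
"""Offline CIS-style detections over CloudTrail records.

Added example, not code from the talk. Each predicate mirrors a CloudWatch Logs
metric filter pattern from the CIS AWS Foundations Benchmark (section 3); in
production the quoted pattern goes on a metric filter over the CloudTrail log
group with a CloudWatch Alarm on it. SAMPLE_RECORDS are constructed.
"""
import json


# CIS 3.1 unauthorized API calls:
# { ($.errorCode = "*UnauthorizedOperation") || ($.errorCode = "AccessDenied*") }
def unauthorized_api_call(r):
    code = r.get("errorCode", "")
    return code.endswith("UnauthorizedOperation") or code.startswith("AccessDenied")


# CIS 3.2 console sign-in without MFA:
# { ($.eventName = "ConsoleLogin") && ($.additionalEventData.MFAUsed != "Yes") }
def console_login_without_mfa(r):
    return (r.get("eventName") == "ConsoleLogin"
            and r.get("additionalEventData", {}).get("MFAUsed") != "Yes")


# CIS 3.3 root account usage:
# { $.userIdentity.type = "Root" && $.userIdentity.invokedBy NOT EXISTS
#   && $.eventType != "AwsServiceEvent" }
def root_account_usage(r):
    ident = r.get("userIdentity", {})
    return (ident.get("type") == "Root" and "invokedBy" not in ident
            and r.get("eventType") != "AwsServiceEvent")


# CIS 3.5 CloudTrail configuration changes:
# { ($.eventName = CreateTrail) || ($.eventName = UpdateTrail) || ($.eventName = DeleteTrail)
#   || ($.eventName = StartLogging) || ($.eventName = StopLogging) }
TRAIL_CHANGE_EVENTS = {"CreateTrail", "UpdateTrail", "DeleteTrail", "StartLogging", "StopLogging"}


def cloudtrail_config_change(r):
    return r.get("eventName") in TRAIL_CHANGE_EVENTS


DETECTIONS = {
    "3.1 unauthorized API call": unauthorized_api_call,
    "3.2 console login without MFA": console_login_without_mfa,
    "3.3 root account usage": root_account_usage,
    "3.5 CloudTrail configuration change": cloudtrail_config_change,
}


def detect(records):
    """Return {detection: [eventID, ...]} for every record that trips a detection."""
    hits = {name: [] for name in DETECTIONS}
    for r in records:
        for name, predicate in DETECTIONS.items():
            if predicate(r):
                hits[name].append(r["eventID"])
    return hits


# Constructed CloudTrail records: a root console login without MFA, Bill turning a
# trail off, a denied ListBuckets, an MFA login, and a benign instance-role call.
SAMPLE_RECORDS = json.loads("""{"Records": [
 {"eventID": "e1", "eventType": "AwsConsoleSignIn", "eventName": "ConsoleLogin",
  "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111111111111:root"},
  "additionalEventData": {"MFAUsed": "No"}},
 {"eventID": "e2", "eventType": "AwsApiCall", "eventName": "StopLogging",
  "userIdentity": {"type": "IAMUser", "userName": "bill"},
  "requestParameters": {"name": "prod-trail"}},
 {"eventID": "e3", "eventType": "AwsApiCall", "eventName": "ListBuckets",
  "userIdentity": {"type": "IAMUser", "userName": "bill"},
  "errorCode": "AccessDenied", "errorMessage": "Access Denied"},
 {"eventID": "e4", "eventType": "AwsConsoleSignIn", "eventName": "ConsoleLogin",
  "userIdentity": {"type": "IAMUser", "userName": "andy"},
  "additionalEventData": {"MFAUsed": "Yes"}},
 {"eventID": "e5", "eventType": "AwsApiCall", "eventName": "DescribeInstances",
  "userIdentity": {"type": "AssumedRole",
   "arn": "arn:aws:sts::111111111111:assumed-role/WebServerInstanceRole/i-0abc"}}
]}""")["Records"]


if __name__ == "__main__":
    for name, ids in detect(SAMPLE_RECORDS).items():
        print(f"{name}: {ids or '-'}")
```

Record e1 trips two detections at once (root usage and a console login without MFA), which is exactly why the benchmark keeps them as separate alarms: each one is actionable on its own. Note that the 3.5 detection is what would have caught Bill switching logging off in the first place.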
13. Best of the Best Practices: Infrastructure Security
Sources for each practice: AWS Best Practices Paper, CIS Web-Tier Benchmark, CIS Foundation Benchmark
7) Create a threat prevention layer using AWS edge services
[diagram: AWS WAF, AWS Shield, Amazon CloudFront]
Use the 70 worldwide points of presence in the AWS edge network to provide scalability, protect from denial of service attacks, and protect from web application attacks.
8) Create network zones with Virtual Private Clouds (VPCs) and security groups
[diagram: Security Group]
Implement security controls at the boundaries of hosts and virtual networks within the cloud environment to enforce access policy.
9) Manage vulnerabilities through patching and scanning
[diagram: Amazon Inspector]
Test virtual machine images and snapshots for operating system and application vulnerabilities throughout the build pipeline and into the operational environment.
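Practice 8 fails most often through a single security group rule that opens an administrative port to the world, which is what CIS AWS Foundations 4.1 (SSH, port 22) and 4.2 (RDP, port 3389) check for. The audit below is an added example, not code from the talk; it applies those two checks, extended to IPv6 and to all-traffic rules, to security groups in the shape of an ec2:DescribeSecurityGroups response. The group IDs, names and rules are constructed to show one clean zone boundary (a group-to-group reference) beside two failures.

```python
"""Flag security group rules that open administrative ports to the whole Internet.

Added example, not code from the talk. Implements the checks behind CIS AWS
Foundations 4.1 and 4.2 (no 0.0.0.0/0 ingress to port 22 or 3389), extended
to IPv6 (::/0) and to all-traffic (-1) rules. The input follows the
ec2:DescribeSecurityGroups response shape; SAMPLE_GROUPS are constructed.
"""
ADMIN_PORTS = {22: "SSH", 3389: "RDP"}
WORLD = {"0.0.0.0/0", "::/0"}


def _open_to_world(perm):
    cidrs = [r.get("CidrIp") for r in perm.get("IpRanges", [])]
    cidrs += [r.get("CidrIpv6") for r in perm.get("Ipv6Ranges", [])]
    return any(c in WORLD for c in cidrs)


def _exposed_admin_ports(perm):
    proto = perm.get("IpProtocol")
    if proto == "-1":                   # all protocols, all ports
        return set(ADMIN_PORTS)
    if proto not in ("tcp", "6"):       # SSH and RDP are TCP; ignore UDP/ICMP rules
        return set()
    low, high = perm.get("FromPort", 0), perm.get("ToPort", 65535)
    return {p for p in ADMIN_PORTS if low <= p <= high}


def audit_security_groups(groups):
    """Return (group_id, port, service) for each admin port reachable from anywhere."""
    findings = []
    for group in groups:
        for perm in group.get("IpPermissions", []):
            if not _open_to_world(perm):
                continue
            for port in sorted(_exposed_admin_ports(perm)):
                findings.append((group["GroupId"], port, ADMIN_PORTS[port]))
    return findings


SAMPLE_GROUPS = [  # constructed
    {   # Web tier: HTTPS from the world is expected; SSH from the world is the finding.
        "GroupId": "sg-web", "GroupName": "web-tier", "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        ]},
    {   # Bastion: SSH only from the corporate range, so not a finding.
        "GroupId": "sg-bastion", "GroupName": "bastion", "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "203.0.113.0/24"}]},
        ]},
    {   # Data tier: MySQL only from the web tier's group is the zoning the talk wants;
        # the all-traffic rule from ::/0 exposes every port, 22 and 3389 included.
        "GroupId": "sg-data", "GroupName": "data-tier", "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
             "UserIdGroupPairs": [{"GroupId": "sg-web"}]},
            {"IpProtocol": "-1", "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        ]},
]


if __name__ == "__main__":
    for group_id, port, service in audit_security_groups(SAMPLE_GROUPS):
        print(f"{group_id}: {service} (tcp/{port}) open to the Internet")
```

The fix for the data tier is the pattern already used for MySQL: reference the calling tier's security group instead of a CIDR, so the zone boundary follows the instances rather than their addresses.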
14. Infrastructure Security
[diagram: Andy's environment across two AWS Accounts; AWS WAF, AWS Shield and Amazon CloudFront in front of the Internet Gateway; the Web Server Instance and the Internal Data Service each behind their own Security Group; Amazon Inspector; S3 buckets "Website Images" and "Data Backup"; IAM with MFA token issuing Temporary Security Credentials; AWS Directory Service; AWS Config, Amazon CloudWatch and AWS CloudTrail; attack step 3 marked]
15. Best of the Best Practices: Data Protection
Sources for each practice: AWS Best Practices Paper, CIS Web-Tier Benchmark, CIS Foundation Benchmark
10) Encrypt data at rest (with occasional exceptions)
[diagram: AWS KMS, Data Encryption Key]
Enabling encryption at rest helps ensure the confidentiality and integrity of data. Consider encrypting everything that is not public.
11) Use server-side encryption with provider managed keys
[diagram: AWS KMS, Amazon S3]
AWS Key Management Service (KMS) is seamlessly integrated with 18 other AWS services. You can use the service's default master key or select a customer master key you create; in both cases the key material stays inside KMS and is never handed to your application.
12) Encrypt data in transit (with no exceptions)
[diagram: Amazon CloudFront, Internet Gateway, SSL / TLS / HTTPS]
Encryption of data in transit provides protection from accidental disclosure, verifies the integrity of the data, and can be used to authenticate the remote endpoint.
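Practices 10 to 12 can be made non-optional on an S3 bucket with a bucket policy: deny every request that does not arrive over TLS, and deny every PutObject that does not ask for server-side encryption. The script below is an added example, not code from the talk. build_bucket_policy() generates that policy (optionally insisting on SSE-KMS rather than SSE-S3), and policy_enforces() is the audit side, checking an existing policy document for both controls. The bucket name, role ARN and weak policy are constructed.

```python
"""Bucket policy that enforces encryption in transit and at rest on one S3 bucket.

Added example, not code from the talk. build_bucket_policy() denies non-TLS
requests (aws:SecureTransport) and PutObject calls without the
x-amz-server-side-encryption header; policy_enforces() audits an existing
policy for the same two controls. Bucket name and weak policy are constructed.
"""
import json

SSE_HEADER = "s3:x-amz-server-side-encryption"


def _as_list(value):
    return value if isinstance(value, list) else [value]


def build_bucket_policy(bucket, require_kms=False):
    """Return a bucket policy dict; with require_kms, SSE-S3 (AES256) puts are denied too."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    objects_arn = f"{bucket_arn}/*"
    statements = [
        # Practice 12: no plaintext transport, for any S3 action on bucket or objects.
        {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*", "Resource": [bucket_arn, objects_arn],
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
        # Practices 10/11: Null=true matches requests where the header is absent,
        # so an upload that does not request server-side encryption is refused.
        {"Sid": "DenyUnencryptedPut", "Effect": "Deny", "Principal": "*",
         "Action": "s3:PutObject", "Resource": objects_arn,
         "Condition": {"Null": {SSE_HEADER: "true"}}},
    ]
    if require_kms:
        statements.append(
            {"Sid": "DenyNonKmsEncryption", "Effect": "Deny", "Principal": "*",
             "Action": "s3:PutObject", "Resource": objects_arn,
             "Condition": {"StringNotEquals": {SSE_HEADER: "aws:kms"}}})
    return {"Version": "2012-10-17", "Statement": statements}


def policy_enforces(policy):
    """Audit side: report which of the two controls a policy's Deny statements enforce."""
    tls_required = sse_required = False
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Deny" or stmt.get("Principal") not in ("*", {"AWS": "*"}):
            continue
        actions = set(_as_list(stmt.get("Action", [])))
        condition = stmt.get("Condition", {})
        covers_all = "s3:*" in actions or {"s3:GetObject", "s3:PutObject"} <= actions
        if covers_all and condition.get("Bool", {}).get("aws:SecureTransport") == "false":
            tls_required = True
        if actions & {"s3:*", "s3:PutObject"} and condition.get("Null", {}).get(SSE_HEADER) == "true":
            sse_required = True
    return {"tls_required": tls_required, "sse_required": sse_required}


WEAK_POLICY = {  # constructed: "just let the data service write", no Deny statements at all
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111111111111:role/InternalDataService"},
        "Action": ["s3:GetObject", "s3:PutObject"],
        "Resource": "arn:aws:s3:::andy-data-backup/*"}],
}


if __name__ == "__main__":
    hardened = build_bucket_policy("andy-data-backup", require_kms=True)
    print(json.dumps(hardened, indent=2))
    print("weak:    ", policy_enforces(WEAK_POLICY))
    print("hardened:", policy_enforces(hardened))
```

Because the Deny statements name Principal "*", they bind the bucket owner's own users and roles as well, which is the point: the "occasional exceptions" of practice 10 have to be made explicitly, not by forgetting a header. Bucket-level default encryption, where available, is the complementary control: it encrypts objects that arrive without the header instead of rejecting them, while the Deny makes the requirement visible to the caller.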
16. Data Protection
[diagram: the same two-account architecture as slide 14, now with an AWS KMS Data Encryption Key protecting the "Website Images" and "Data Backup" S3 buckets; attack step 4 marked]
17. Best Practices
[diagram: the complete target architecture for Andy: two AWS Accounts; AWS WAF, AWS Shield and Amazon CloudFront at the edge; Security Groups around the Web Server Instance and the Internal Data Service; Amazon Inspector; IAM with MFA token issuing Temporary Security Credentials; AWS Directory Service; AWS Config, Amazon CloudWatch and AWS CloudTrail; S3 buckets "Website Images" and "Data Backup" encrypted with an AWS KMS Data Encryption Key]
26. Three Stages of Cloud Security Maturity
Stage One "Click": Manual Best Practices; Static Workloads; Release 1x per month
Stage Two "Script": Automated Controls; Evolving Workloads; Release 1-10x per month
Stage Three "Commit": Continuous Security; Agile Workloads; Release 10-100x per month
… DevSecOps?
27. Tools and Automation
Amazon Inspector: An automated security assessment service that helps improve the security and compliance of applications deployed on AWS. Amazon Inspector automatically assesses applications for vulnerabilities or deviations from best practices.
Amazon CloudWatch Events: A monitoring service for AWS cloud resources and the applications you run on AWS. You can easily build workflows that automatically take actions you define, such as invoking an AWS Lambda function, when an event of interest occurs.
AWS Config Rules: A fully managed service that provides you with an AWS resource inventory, configuration history, and configuration change notifications. Config Rules enables you to create rules that automatically check the configuration of AWS resources recorded by AWS Config.
AWS re:Invent 2016: "5 Security Automation Improvements You Can Make by Using Amazon CloudWatch Events and AWS Config Rules" (SAC401)
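The "Commit" stage of the previous slide is where a best practice stops being a checklist item and becomes a Config rule that re-evaluates every change. The Lambda below is an added example, not code from the talk or the referenced re:Invent session; it is a custom AWS Config rule that enforces practice 4 on CloudTrail trails (multi-region, global service events included, log file validation on). It follows the Config custom-rule contract, in which the invoking event carries the configuration item as a JSON string and the result token is handed back with the evaluation. The configuration keys isMultiRegionTrail, includeGlobalServiceEvents and logFileValidationEnabled are assumed to be the camel-cased CloudTrail settings as Config records them; SAMPLE_EVENT is constructed, and the call to Config is only made when a real Lambda context is present, so the file runs offline.

```python
"""Custom AWS Config rule: a CloudTrail trail must be multi-region, include global
service events and have log file validation enabled (practice 4).

Added example, not code from the talk. lambda_handler follows the Config custom
rule contract: event["invokingEvent"] is a JSON string holding the
configurationItem and event["resultToken"] is returned with the evaluation.
The configuration keys read below are assumed to be the camel-cased CloudTrail
settings as Config records them. SAMPLE_EVENT is constructed; put_evaluations
is only called when a real Lambda context is present.
"""
import json


def evaluate_trail(configuration_item):
    """Return (compliance_type, annotation) for one AWS::CloudTrail::Trail item."""
    if configuration_item.get("resourceType") != "AWS::CloudTrail::Trail":
        return "NOT_APPLICABLE", "rule only evaluates CloudTrail trails"
    if configuration_item.get("configurationItemStatus") == "ResourceDeleted":
        return "NOT_APPLICABLE", "trail was deleted"
    cfg = configuration_item.get("configuration", {})
    problems = []
    if not cfg.get("isMultiRegionTrail"):
        problems.append("trail is single-region")
    if not cfg.get("includeGlobalServiceEvents"):
        problems.append("global service events (IAM, STS) not captured")
    if not cfg.get("logFileValidationEnabled"):
        problems.append("log file validation disabled")
    if problems:
        return "NON_COMPLIANT", "; ".join(problems)
    return "COMPLIANT", "trail logs all regions with validation"


def lambda_handler(event, context):
    """Entry point Config invokes on each configuration change of a trail."""
    invoking_event = json.loads(event["invokingEvent"])
    item = invoking_event["configurationItem"]
    compliance, annotation = evaluate_trail(item)
    evaluation = {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": compliance,
        "Annotation": annotation[:256],          # Config caps annotations at 256 characters
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }
    if context is not None:                      # running inside Lambda: report back to Config
        import boto3
        boto3.client("config").put_evaluations(
            Evaluations=[evaluation], ResultToken=event["resultToken"])
    return evaluation


# Constructed invocation: Bill's single-region trail with validation switched off.
SAMPLE_EVENT = {
    "invokingEvent": json.dumps({
        "messageType": "ConfigurationItemChangeNotification",
        "configurationItem": {
            "resourceType": "AWS::CloudTrail::Trail",
            "resourceId": "prod-trail",
            "configurationItemStatus": "OK",
            "configurationItemCaptureTime": "2017-06-01T10:00:00.000Z",
            "configuration": {
                "name": "prod-trail",
                "isMultiRegionTrail": False,
                "includeGlobalServiceEvents": True,
                "logFileValidationEnabled": False,
            },
        },
    }),
    "resultToken": "constructed-token",
}


if __name__ == "__main__":
    print(json.dumps(lambda_handler(SAMPLE_EVENT, None), indent=2))
```

Keeping evaluate_trail() free of any AWS calls is deliberate: the compliance decision can be unit-tested on recorded configuration items, and the same function can be pointed at a CloudWatch Events rule on CloudTrail API calls to react in seconds rather than on Config's evaluation schedule.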