
Building a Secured Network environment on AWS


In this session, we will explore common use cases for (server-based or generally load-balanced) workloads in AWS and how they compare with on-prem deployment patterns. You will learn the architectural patterns and line of thinking for deploying security perimeters and segmentation across a multi-account/VPC strategy, as well as edge security. You will also see how you can make sure the pattern you develop is applied uniformly across your current and future environments.


  1. Redefining perimeter security on AWS. Lior Pollack, Solutions Architect, Feb 2019. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
  2. Agenda: quickly get up to speed with AWS's network- and identity-based security controls; recognize the patterns for securing your AWS resources; see some examples. (Diagram labels: AWS cloud, IAM, VPC controls.)
  3. (Non-exhaustive) types of threats that exist today (diagram labels): DDoS (HTTP floods, reflection attack); bots/takeovers; application (SQL injection, cross-site scripting (XSS), other OWASP Top 10); app vulnerabilities (Common Vulnerabilities and Exposures (CVE)); under the radar (lateral movement, privilege escalation).
  4. Challenges in managing security for cloud native: variety of applications and access channels; a diverse set of tools creates complexity; dynamic development process.
  5. Security is always the number one priority. We need it to constantly evolve in today's environment. (Diagram labels: blast radius, segregate, classify, flexibility, innovation, elasticity.)
  6. AWS operational responsibility models (diagram; each row runs from on-premises to cloud, less to more). Compute: Virtual Machine, EC2, Elastic Beanstalk, AWS Lambda, Fargate. Databases: MySQL, MySQL on EC2, RDS MySQL, RDS Aurora, Aurora Serverless, DynamoDB. Storage: Storage, NFS Share on EC2, Elastic File System, S3. Security: Network Perimeter, Product on EC2, Security Groups, AWS WAF, Shield, GuardDuty. Analytics: Hadoop, Hadoop on EC2, EMR, Elasticsearch Service, Athena.
  7. AWS and compliance standards… (diagram of compliance program logos; legend: = industry or global standard)
  8. Section: Building the baseline defense
  9. Common perimeter use cases • Edge Protection • Application Delivery (DDoS, WAF, Content Delivery) • Network access & protection (VPC/Security Groups/Firewalls/VPNs) • Identity and Access Management • Outbound Protection (Web Filtering, Bot Detection, DLP, ...) • Segmentation (IPS/IDS, Firewall/Next Gen Threat Prevention) • Application (& Service native controls)
  10. Common applications (diagram): end users reach dynamic applications, personalized content, static assets and an API on AWS; behind the application sit database, analytics and storage.
  11. Common applications (diagram): end users, a dynamic web application in an Amazon VPC, an Amazon S3 bucket for static content, Amazon DynamoDB.
  12. VPC Primer (diagram): an AWS Region with one VPC (VPC CIDR 10.1.0.0/16) spanning Availability zone 1 and Availability zone 2, each with a public subnet and a private subnet.
  13. VPC Primer (diagram, continued): the same VPC with InstanceA 10.1.0.11/24, InstanceB 10.1.1.11/24, InstanceC 10.1.2.11/24 and InstanceD 10.1.3.11/24; an IGW, a NAT-GW and Elastic IPs (EIP 10.1.0.11 : 54.23.12.43, EIP 10.1.1.11 : 54.19.12.23); VPC endpoints (VPCE) to AWS services (Amazon S3, Amazon DynamoDB, Amazon SQS, Amazon SNS, AWS IoT, AWS Lambda); VPC Flow Logs; VPC Peering to VPC-B (intra or inter region); on-premises connectivity via VGW/VPN and AWS Direct Connect (DXGW). Options noted: + Expand (the CIDR), + IPv6.
  14. VPC Primer (diagram, continued): the same VPC consuming a service in a Service Provider VPC (behind an NLB) through AWS PrivateLink, plus NAT/NAT-GW for outbound traffic. Services available over PrivateLink: • API Endpoints for Amazon EC2 and Elastic Load Balancing (ELB) • Amazon Kinesis Data Streams • AWS Service Catalog • Amazon EC2 Systems Manager
  15. Security in a VPC (diagram: VPC Router 10.0.0.0/16, Subnet 10.0.0.0/24 and Subnet 10.0.1.0/24 each with a Routing Table and a Network ACL, instances each behind a Security Group, an Internet Gateway and a VPN Gateway) • Security Groups • NACLs • Configuration (i.e. policy controls segregation of duties, like modify network settings) • Monitor/Audit
  16. VPC
  17. But wait… Where is my perimeter? (diagram: the VPC Primer VPC with VPC Flow Logs, IGW and VPCE, AWS services outside the VPC (Amazon S3, Amazon DynamoDB, Amazon SQS, Amazon SNS, AWS IoT, AWS Lambda) and managed services placed inside it (AWS Directory Service, Amazon RDS)) • Security Groups • NACLs • Configuration (i.e. policy controls segregation of duties, like modify network settings) • Monitor/Audit
  18. But wait… Where is my perimeter? (the same diagram as slide 17, shown without the controls list)
  19. The ABCs of AWS IAM • I: Identity. AWS IAM lets you create identities in your AWS account who can make authenticated requests to AWS. • AM: Access Management. AWS IAM is your tool for defining who has permissions to do what to which resources. • IAM is the AWS-wide permissions control system, so you need to know it.
  20. Term: IAM Principal. An IAM Principal is an identity defined within an AWS account. IAM Roles are for: • Automated processes • AWS Services • Federated identities. IAM Roles authenticate using short-lived credentials. IAM Users are for: • Direct human access. IAM Users authenticate using long-lived credentials.
  21. Term: IAM Policy • Every AWS service supports authorization via IAM Policy • AWS authorizes every API call against the IAM Policies that apply • IAM Policies can be attached to IAM Roles, Users, and Groups • Deny always prevails
  22. Where does IAM Policy matter? Everywhere in AWS. For an authenticated call to succeed: • The request must have a valid signature for an IAM Principal • IAM Policy must specifically authorize the call
  23. Common perimeter use cases • Edge Protection • Application Delivery (DDoS, WAF, Content Delivery) • Network access & protection (VPC/Security Groups/Firewalls/VPNs) • Identity and Access Management
  24. Design considerations (diagram: end users reach dynamic applications, personalized content, static assets and an API on AWS; threats shown: DDoS, web exploits, bots). Security: • Authentication • Encryption (TLS) • Layered protection. Availability: • Resiliency/Fault tolerance • Request handling capacity • Blocking bad traffic. Performance: • Routing • Throttling • Alerting & monitoring
  25. Layered perimeter protection – Edge Protection (Perimeter) (diagram: static assets in an S3 Bucket; dynamic applications and API traffic reach an ALB in the Public Subnet as the Application Front End; EC2 Middle Tier; RDS Backend; Internal Tiers with Internal Apps)
  26. AWS building blocks for baseline defense. Amazon Virtual Private Cloud (Amazon VPC): • Security groups • Network ACLs • Transit Gateway (New!). Amazon CloudFront: • Global presence • SSL/TLS • Origin shielding • Resilience (TTL). Amazon Route 53: • DNS header validations • Priority-based traffic shaping • Failover
  27. Amazon CloudFront's Secure Global Network (map)
  28. Setting up your baseline defense (diagram): Users, Amazon Route 53, Amazon CloudFront, then the Dynamic Web Application in Amazon VPC and the Amazon S3 Bucket For Static Content.
  29. How AWS WAF can help you • Automate using AWS Lambda based security automations • Utilize Managed Rules from the AWS Marketplace for hassle-free protection and deployment • Customize security to your applications using custom rules • Monitor using Amazon CloudWatch metrics or third-party log processors
  30. Deploying AWS WAF is easy: AWS WAF attaches to CloudFront, AWS Application Load Balancer and Amazon API Gateway.
  31. AWS WAF capabilities. Malicious traffic blocking: • SQL injection conditions • XSS conditions • AWS CloudFormation-based security automation • AWS Marketplace Managed Rules. Web traffic filtering: • Rate-based rules • IP-match & Geo-IP filters • Regex & string match conditions • Size constraint conditions. Visibility and debugging: • CloudWatch metrics and alarms • Sampled logs • Comprehensive logging
  32. Foundational security: Managed rules for AWS WAF • Rules written, updated and managed by security experts • Pay as you go: no lock-in / long-term commitment • Easy to deploy • Choice of protections: OWASP Top 10 & other web exploits; Common Vulnerabilities and Exposures (CVE); bot protection; IP reputation lists; CMS rules (WordPress, Joomla and others); Apache and Nginx vulnerabilities
  33. Security analytics common use cases: 3rd party integrations (partner logos)
  34. Software automation of security: Lambda-based AWS WAF automations (bad bot / scanner / known attackers); AWS WAF integration with Amazon GuardDuty; DevOps friendly: full featured APIs and fast rule updates. Blog / Webinar: "Automate Threat Mitigation Using AWS WAF and Amazon GuardDuty". AWS Answers: "AWS WAF Security Automations".
  35. What about DDoS attacks? AWS Shield
  36. DDoS mitigation on the AWS Edge Network • Fully inline packet inspection blocks known bad traffic, scores suspicious traffic • Sub-second latency to detect and mitigate attacks • SYN proxy challenges illegitimate connections without maintaining state • Anycast routing and DNS-based traffic direction
  37. AWS Shield Standard: Layer 3/4 protection for everyone. Automatic protection across customers: ✓ Baselining and anomaly detection across all AWS ✓ Mitigation with proprietary packet filtering stacks using suspicion-based scoring ✓ Automatic defense against the most common network and transport layer DDoS attacks for any AWS resource, in any AWS Region ✓ Comprehensive defense against all known network and transport layer attacks when using Amazon CloudFront and Amazon Route 53
  38. AWS Shield Advanced: Enhanced protection. Detection (enhanced protection baselined to you): • Enhanced Layer 3/4 attack detection baselined to you • Layer 7 attack detection. Mitigation: • Pre-configured mitigations scoped to resource type • Advanced mitigations like SYN Throttling • Customer defined L3/4 mitigations (for regional services). 24x7 access to DDoS Response Team (DRT): • Help in incident triaging and mitigation • Automatically engaged for availability impacting L3/L4 events • Customer driven support cases through AWS Support or Shield Engagement Lambda
  39. Recent significant attacks. March 2018: web application targeted by 1.4 Tbps memcached reflection attack, mitigated with Amazon CloudFront and AWS Shield Advanced. November 2018: web application running on Amazon CloudFront targeted by 20 million requests per second, automatically mitigated by Amazon CloudFront and AWS Shield Advanced.
  40. There we have it (diagram): Users, Amazon Route 53, Amazon CloudFront with AWS WAF and AWS Shield in front, then the Dynamic Web Application in Amazon VPC and the Amazon S3 Bucket For Static Content.
  41. Let's look at additional requirements: • Outbound Protection (Web Filtering, Bot Detection, DLP, ...) • Segmentation (IPS/IDS, Firewall/Next Gen Threat Prevention)
  42. Outbound Protection (diagram): Application Instances in an Amazon VPC reach AWS Services over Private Connectivity, and reach External Services and Update Repositories through an Application / Data Control Policy with Threat Detection / Mitigation.
  43. Segmentation (diagram): Dev and Prod VPCs connected to the WAN via VPN and AWS Direct Connect through a Virtual private gateway.
  44. Challenge: Adding more VPCs (diagram): three Dev/Prod VPC pairs, each connected to VPN and AWS Direct Connect; lots of connections.
  45. (diagram: six Dev/Prod VPC pairs, VPN, WAN, AWS Direct Connect) Scaling connections? Scaling VPC peering? Shared services? Firewall and services?
  46. AWS Transit Gateway (New) (diagram): the Dev/Prod VPCs, VPN and AWS Direct Connect all attach to a single Transit Gateway.
  47. AWS Transit Gateway Reference Architecture (diagram): Development, Testing and Production VPCs (each with several Accounts) attach to a Transit Gateway with Route tables for East-West + North-South traffic. Service VPCs: Internet VPC (Outbound URL filtering, NAT gateway, DLP / Proxy); Edge services VPC (WAF / ADC, SD-WAN, VPN / Firewall); Inline services VPC (IDS / IPS, Firewall / NGFW); Shared services VPC (Authentication, Monitoring). VPN and AWS Direct Connect (* Available Q1 2019). Administrative accounts (logging, AWS Organizations, billing, landing zone) with IAM and Cross-account roles.
  48. Transit Gateway launch partners (logos grouped as Outbound services (O), Edge services (E), Inline services (I) and Management (M); named products include vEdge SD-WAN, ProxySG and VM-Series).
  49. Common perimeter use cases • Application (& Service native controls)
  50. Imagine a file transfer app… (diagram: User, S3 Bucket)
  51. Let's see what kind of controls we can use (diagram: User, APP, S3 Bucket). Role Policy on the APP: Allow - S3::PutObject, Resource: /customer/user/uploads/*, Condition: Must use SecureTransport (HTTPS); Allow - S3::GetObject /customer/user/uploads/*. Bucket: Policy: Default (At Rest) Encryption; Bucket Policy: Only allow read from APP VPC (Deny Everything Else).
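The controls on slide 51 and the evaluation rules on slides 21 and 22 (Deny always prevails, and a policy must specifically authorize the call) worked through together, as an added Python example that is not part of the deck: the bucket ARN, VPC id and object keys are constructed placeholders, and the evaluator is a deliberately simplified model of IAM logic (action, resource and the two condition operators used here, no principal matching).

```python
from fnmatch import fnmatchcase
# Constructed placeholders; the slide names neither a bucket nor a VPC id.
BUCKET = "arn:aws:s3:::example-transfer-bucket"
APP_VPC = "vpc-0123456789abcdef0"
UPLOADS = f"{BUCKET}/customer/user/uploads/*"

# Role policy for the app (slide 51): upload only over HTTPS, read back uploads.
ROLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:PutObject", "Resource": UPLOADS,
     "Condition": {"Bool": {"aws:SecureTransport": "true"}}},
    {"Effect": "Allow", "Action": "s3:GetObject", "Resource": UPLOADS},
]}

# Bucket policy: any read that does not come from the app VPC is explicitly denied.
BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Principal": "*", "Action": "s3:GetObject", "Resource": f"{BUCKET}/*",
     "Condition": {"StringNotEquals": {"aws:SourceVpc": APP_VPC}}},
]}

def _condition_matches(cond, ctx):
    for op, pairs in cond.items():
        for key, want in pairs.items():
            have = ctx.get(key)
            if (op == "Bool" and str(have).lower() != want) or \
               (op == "StringNotEquals" and have == want):
                return False
    return True

def evaluate(action, resource, ctx, policies):
    # Slides 21/22, simplified (no principal matching): a matching explicit Deny
    # wins outright; otherwise a matching Allow is required; else implicit deny.
    decision = "ImplicitDeny"
    for policy in policies:
        for stmt in policy["Statement"]:
            acts = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
            if (not any(fnmatchcase(action, a) for a in acts)
                    or not fnmatchcase(resource, stmt["Resource"])
                    or not _condition_matches(stmt.get("Condition", {}), ctx)):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"
            decision = "Allow"
    return decision

def check_file_transfer_controls():
    pol = [ROLE_POLICY, BUCKET_POLICY]
    obj = f"{BUCKET}/customer/user/uploads/report.pdf"
    other = f"{BUCKET}/customer/other/secret.pdf"
    return {
        "upload_https": evaluate("s3:PutObject", obj, {"aws:SecureTransport": "true"}, pol),
        "upload_http": evaluate("s3:PutObject", obj, {"aws:SecureTransport": "false"}, pol),
        "read_from_app_vpc": evaluate("s3:GetObject", obj, {"aws:SourceVpc": APP_VPC}, pol),
        "read_from_elsewhere": evaluate("s3:GetObject", obj, {"aws:SourceVpc": "vpc-other"}, pol),
        "read_outside_prefix": evaluate("s3:GetObject", other, {"aws:SourceVpc": APP_VPC}, pol),
    }
```

The HTTP upload and the read outside the uploads prefix fail without any Deny statement, because no Allow matched; the read from another VPC fails even though the role allows it, because the bucket's explicit Deny prevails.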
  52. I've got to go… What are the takeaways? How we think and practice security needs to evolve. Identity and Access Management is key. Use native cloud controls and augment with 3rd party (AWS Partner) tools.
  53. Thank You. Lior Pollack, Solutions Architect
