Deploying critical Microsoft workloads on AWS at Capital One - SDD337 - AWS re:Inforce 2019

Capital One innovates by leveraging AWS managed services such as AWS Directory Service for Microsoft Active Directory (AWS Managed Microsoft AD), Amazon RDS for SQL Server and Amazon EC2 to deploy critical Windows workloads securely and in an automated fashion. In this session, attendees learn how Capital One uses AWS Managed Microsoft AD together with its on-premises domain to provide secure and highly available authentication and authorization services for its Windows workloads, such as Amazon RDS for SQL Server. Attendees also learn security best practices for setting up AWS Managed Microsoft AD, including implementing MFA, AD trust options, AWS account isolation, security log collection, and more. In addition, the session details how Capital One uses AWS Managed Microsoft AD and Lambda functions to simplify and automate Windows workload deployments across multiple AWS accounts and Amazon VPCs.

  1. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. Deploying critical Microsoft workloads on AWS at Capital One (SDD337). Speakers: Vinod Madabushi, Enterprise Solutions Architect, AWS; Kenny Hill, Director, Distinguished Engineer, Capital One, Identity & Access Management.
  2. Agenda
     • Running Windows workloads on AWS
     • Introduction to AWS Directory Service for Microsoft Active Directory (AWS Managed Microsoft AD)
     • Security best practices: Capital One
     • Cloud journey: Capital One
     • AWS Active Directory account access: Capital One
     • AWS Managed Microsoft AD deployment: Capital One
  3. Related breakouts
     • Wednesday, June 26, FND306-R1: How to secure your Active Directory deployment on AWS, 3:30–4:30 PM, Level 0, Hall B2, Blue
     • Wednesday, June 26, FND322: How I learned to stop worrying and love the cloud, 5:00–6:00 PM, Level 2, Room 258B
  4. AWS is the best place to run Windows workloads
     • Only managed AD that preserves user experience in hybrid IT use cases
     • Richest set of managed AD features supports the most AD-aware applications
     • Highly available managed Microsoft AD in the AWS Cloud; built from actual Microsoft AD
     • 57.7% of Windows workloads in the cloud run in AWS (IDC, Windows Server Operating Environment Market Update, Doc # US44217118, Aug 2018)
  5. AWS Managed Microsoft AD: User domain use case (diagram). AWS Managed Microsoft AD at the centre, serving SaaS applications; AWS applications & services (Amazon RDS for SQL Server, Amazon EC2, AWS Single Sign-On, Amazon WorkSpaces, Amazon AppStream 2.0, Amazon FSx, Amazon QuickSight, Amazon Connect, Amazon Chime); and AD-aware workloads (.NET applications, SharePoint Server, SQL Server Always On).
  6. AWS Managed Microsoft AD: Resource domain use case (diagram). The same consumers (SaaS applications; AWS applications & services such as Amazon RDS for SQL Server, Amazon EC2, AWS Single Sign-On, Amazon WorkSpaces, Amazon AppStream 2.0, Amazon FSx, Amazon QuickSight, Amazon Connect, Amazon Chime; AD-aware workloads such as .NET applications, SharePoint Server, SQL Server Always On), with AWS Managed Microsoft AD connected to on-premises domain controllers (AD).
  7. AWS Managed Microsoft AD shared responsibility
     AWS responsibility:
     • Protect hardware, software, and networking
     • Provide isolation between customers
     • Protect enterprise/domain admin credential
     • Apply updates and security patches
     • Encrypt Amazon EBS volumes
     • Monthly uptime of +99.9% (SLA)
     • Perform AD replication
     • Perform daily snapshot
     Customer responsibility:
     • Administer users, groups, GPOs, etc.
     • Create AD trusts
     • Configure networking connectivity
     • Extend the AD schema
     • Configure security groups
     • Configure LDAPS to support applications
     • Configure RADIUS & MFA integration
     • Add more domain controllers
  8. AWS Managed Microsoft AD certifications (logos only)
  11. Security best practices
     • Multi-factor authentication (MFA): MFA all privileged authentication
     • Privileged passwords: vault & rotate privileged accounts frequently
     • AD administrative tier model: deny all logins to domain controllers except domain admin, and support applications & infrastructure
     • Just in time: use no Always On privileged access wherever possible
  12. Security best practices (continued)
     • Bastion hosts and PAWs: isolated Tier 0 management with authentication silos
     • AD third-party protection products: LSASS hook to block risky activity
     • Monitor all logs: use cloud, streaming, and big data capabilities to enrich and gain a deeper view of risk, authentication, & authorization patterns
     • Health check + monitor DC state: services and event logs running; no drift in configuration state
  13. Capital One's cloud journey (section divider: AD, AWS Directory Service)
  15. AD cloud journey (2015). Line of business applications on Amazon EC2 authenticate against on-premises domain controllers (AD) over AWS Direct Connect and an AWS Direct Connect gateway. Problems:
     • Latency
     • Single point of failure
     • Loss of next-closest site
  16. AD cloud journey (2016–2018). Line of business applications in their own VPCs (Amazon EC2, Amazon RDS SQL) peer with a shared services account that runs Amazon EC2 domain controllers behind Elastic Load Balancing and Amazon Route 53, plus AWS Directory Service; the shared services account reaches on-premises domain controllers (AD) over AWS Direct Connect and an AWS Direct Connect gateway. The diagram labels each peering VPC with "100 peers & routes".
  17. AD cloud journey (2018). Same topology (line of business VPCs peered to the shared services account with Amazon EC2 domain controllers, Elastic Load Balancing, Amazon Route 53, Amazon RDS SQL, Amazon EC2 and AWS Directory Service, and AWS Direct Connect to on-premises domain controllers), with:
     • Increased peer and route limits
     • Prod & non-prod VPCs
  18. AD cloud journey (2019). A regional hub (AWS Transit Gateway, AWS Direct Connect, AWS Direct Connect gateway, Elastic Load Balancing, Amazon Route 53) links the line of business VPCs, the shared services account with Amazon EC2 domain controllers, the on-premises domain controllers (AD), and a dedicated IAM AD application account running AWS Directory Service and AWS Lambda.
     • Peer & route increases and AWS Transit Gateway
     • Migrate to an isolated AD AWS account for more security, and leverage a centrally managed AD
  19. AWS Managed Microsoft AD account access: engineer read access (Always On). Engineer → SAML → MFA → account read role AD group (AD group name mapped to the role ARN) → IAM read role in the IAM AD application account. The read role carries read policies plus permission to open a support case.
  20. AWS Managed Microsoft AD account access: engineer elevated access (just in time). Engineer → workflow → temporary membership in the JIT account support role AD group → SAML + MFA → elevated engineer assumes the JIT account support role. Limited read, write & full policies; AD group name mapped to role; role ARN mapped to AD group.
  21. AWS Managed Microsoft AD account access: deployment access (pipeline). Engineer → repository → approver → pipeline deployment; the pipeline retrieves a system account from a vault and deploys into the IAM AD application account. No direct engineer access.
  22. AWS Managed AD cross-account security group (SG) benefits (2017) (diagram, built up over slides 22–23). Line of business VPCs (Amazon RDS, Amazon EC2) and the VPC with Amazon EC2 domain controllers each carry their own security group; the IAM AD application account runs AWS Directory Service; on-premises domain controllers (AD) sit behind it. Rule sets:
     • 1 – authentication & authorization ports
     • 2 – DC-to-DC ports
     • 3 – AD ports for one-way trust creation
  24. AWS Managed AD cross-account SG benefits (2018–2019). With the directory shared into the line of business accounts (shared directory), rule set 3 (AD ports opened to a wide CIDR) is no longer needed.
  25. AD AWS architecture (diagram). IAM AD application account: AWS Directory Service (shared AWS directory), with AWS Lambda and AWS Step Functions for cloud resource management. Line of business applications (Amazon RDS SQL, Amazon EC2) consume the shared directory. Regional hub: AWS Transit Gateway, AWS Direct Connect, AWS Direct Connect gateway, Elastic Load Balancing, Amazon Route 53. Amazon EC2 domain controllers and on-premises domain controllers (AD).
  26. AWS Managed Microsoft AD trust (diagram: regional hub; IAM AD application account with AWS Directory Service and shared directory; Amazon EC2 domain controllers; domain controllers holding the AD user and group objects; line of business Amazon RDS)
     • Resource forest with one-way trust
     • Authentication & authorization occurs with current enterprise directory users and groups
     • AD site name that matches between enterprise and managed directories
     • Selective authentication
  27. Selective authentication on trust (diagram: user in AD, one-way forest trust to AWS Directory Service, domain-joined Amazon EC2)
     • Doubles authorization checks
     • Integrate with provisioning system for audit trail
     • Prevents undesired local access granted inside user data
  28. Group policy object (GPO) local admin rights
     ✅ Using:
     • Local Administrator Password Solution (LAPS) with custom UI + RBAC
     • GPO preference %attribute%: continuously empty the local administrators group and apply the application-specific group; audit trail through the provisioning system & ability to restrict certain group types
     🚫 Not using:
     • AD GPO restricted groups: not the most secure in the cloud
     • GPO preference %computerName% groups: difficult to maintain
  29. GPO preference %attribute% (diagram). The GPO is linked to the OU; each computer object in AWS Directory Service carries xyzAttrib = <ApplicationName>; the Amazon EC2 Windows instance ends up with only the application's admin group in its local Administrators group.
     1 – Environment variable
     • Variable = %AppName%
     • LDAP query = (&(objectCategory=computer)(cn=%ComputerName%))
     • Attribute = xyzAttrib
     2 – Local users and groups
     • Delete all member users = Enabled
     • Delete all member groups = Enabled
     • Add members: <Managed Domain>\AWS-Temp-%AppName%-Admin
  30. AWS Managed Microsoft AD monitoring: log everything
     • Monitor and alert with respect to all AWS account activity (AWS CloudTrail, Amazon CloudWatch, Amazon Kinesis, and more)
     • Amazon VPC flow logs
     • Capture all security, application, system, and directory services logs from enterprise domain controllers
     • Compare and alert with respect to all IAM changes against expected state (policies, Amazon S3, roles, and system accounts)
     • Alert on metrics of key components
     • Forward AWS Managed Microsoft AD security logs to Amazon CloudWatch
  31. AWS Managed Microsoft AD monitoring: forward AWS Managed Microsoft AD security logs to the log collection platform (IAM AD application account: AWS Directory Service → Amazon CloudWatch → AWS Lambda → log aggregation)
     1 – Enable logging
     2 – Create Amazon CloudWatch log group
     3 – Create AWS Lambda function & subscribe it to the Amazon CloudWatch log group
     4 – Configure log aggregation, monitors, & dashboards
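Step 3 of the pipeline above as an added example (not code from the talk, AWS or Capital One): a Python Lambda handler that decodes a CloudWatch Logs subscription payload and separates privileged-change events, which should alert, from the bulk that is only forwarded to aggregation. The log group name, the event message layout and the sample events are constructed for this example.

```python
import base64
import gzip
import json
import re
# Windows Security event IDs that change privileged state: these become alerts.
PRIVILEGED_EVENT_IDS = {
    4720: "user account created",
    4728: "member added to security-enabled global group",
    4732: "member added to security-enabled local group",
    4756: "member added to security-enabled universal group",
}
# Assumed message layout (constructed): "<event id>: <summary>" then "Field: value" lines.
FIELD_RE = re.compile(r"^([A-Za-z ]+):\s*(.+)$", re.MULTILINE)

def decode_payload(data_b64):
    """Undo the base64 + gzip encoding CloudWatch Logs applies to subscription data."""
    return json.loads(gzip.decompress(base64.b64decode(data_b64)))

def parse_event(message):
    """Turn one forwarded security-log message into a flat record."""
    head, _, body = message.partition("\n")
    record = {"event_id": int(head.split(":", 1)[0])}
    record.update((k.strip(), v.strip()) for k, v in FIELD_RE.findall(body))
    return record

def triage(payload):
    """Split a decoded payload into all records (for aggregation) and alert-worthy ones."""
    records, alerts = [], []
    for log_event in payload["logEvents"]:
        rec = parse_event(log_event["message"])
        rec.update(timestamp=log_event["timestamp"], log_group=payload["logGroup"])
        records.append(rec)
        if rec["event_id"] in PRIVILEGED_EVENT_IDS:
            alerts.append({**rec, "reason": PRIVILEGED_EVENT_IDS[rec["event_id"]]})
    return records, alerts

def lambda_handler(event, context=None):
    records, alerts = triage(decode_payload(event["awslogs"]["data"]))
    # A deployed function would push `records` to the aggregation platform here.
    return {"forwarded": len(records), "alerts": alerts}

def sample_event():
    """Constructed subscription payload in the shape CloudWatch Logs delivers to Lambda."""
    logon = "4624: An account was successfully logged on.\nAccount Name: alice\nLogon Type: 3"
    change = "4728: A member was added to a security-enabled global group.\nMember Name: CN=bob\nGroup Name: Domain Admins"
    payload = {"messageType": "DATA_MESSAGE", "owner": "111111111111", "logStream": "dc-1",
               "logGroup": "/aws/directoryservice/d-example", "subscriptionFilters": ["ad-security"],
               "logEvents": [{"id": "1", "timestamp": 1561000000000, "message": logon},
                             {"id": "2", "timestamp": 1561000001000, "message": change}]}
    data = base64.b64encode(gzip.compress(json.dumps(payload).encode())).decode()
    return {"awslogs": {"data": data}}
```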
  32. Automation (diagram: AWS Lambda deploy and AWS Step Functions for cloud resource management in the IAM AD application account; line of business applications consume the shared AWS directory; roles: DS master role, DS minion role)
     • AWS Lambda share managed AD: share managed AD & assume role in line of business account to accept share request and update tags
     • AWS Lambda health check managed AD: validate domain and DC health, add domain controllers, open support case, and log metrics
     • AWS Lambda unshare managed AD
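The "share managed AD" function above as an added illustration, not Capital One's or AWS's code: the share/accept/tag flow against the boto3 Directory Service client, made idempotent so a re-run neither duplicates the share nor re-accepts an already accepted handshake, with an in-memory stand-in client so it runs offline. Directory and account IDs, the tag, and the role session name are assumptions.

```python
def assumed_ds_client(role_arn, region, session_name="share-managed-ad"):
    """Directory Service client in the line-of-business account via the DS minion role."""
    import boto3  # imported here so the pure logic below runs without boto3 installed
    creds = boto3.client("sts").assume_role(RoleArn=role_arn, RoleSessionName=session_name)["Credentials"]
    return boto3.client("ds", region_name=region, aws_access_key_id=creds["AccessKeyId"],
                        aws_secret_access_key=creds["SecretAccessKey"], aws_session_token=creds["SessionToken"])

def share_and_accept(ds_owner, ds_lob, directory_id, lob_account_id, notes, tags):
    """Share the directory with one account, accept it from that account, tag it. Idempotent:
    an existing share is reused and the handshake is only accepted while still pending."""
    existing = ds_owner.describe_shared_directories(OwnerDirectoryId=directory_id)["SharedDirectories"]
    match = [s for s in existing if s["SharedAccountId"] == lob_account_id]
    if match:
        shared_id, status = match[0]["SharedDirectoryId"], match[0]["ShareStatus"]
    else:
        shared_id = ds_owner.share_directory(
            DirectoryId=directory_id, ShareNotes=notes, ShareMethod="HANDSHAKE",
            ShareTarget={"Id": lob_account_id, "Type": "ACCOUNT"})["SharedDirectoryId"]
        status = "PendingAcceptance"
    if status == "PendingAcceptance":  # a second accept on a shared directory would fail
        ds_lob.accept_shared_directory(SharedDirectoryId=shared_id)
    ds_lob.add_tags_to_resource(ResourceId=shared_id,
                                Tags=[{"Key": k, "Value": v} for k, v in tags.items()])
    return shared_id

class FakeDirectoryService:
    """Constructed in-memory stand-in for the boto3 'ds' client; both accounts share one record list."""
    def __init__(self, shares):
        self.shares, self.tags = shares, {}
    def describe_shared_directories(self, OwnerDirectoryId):
        return {"SharedDirectories": [s for s in self.shares if s["OwnerDirectoryId"] == OwnerDirectoryId]}
    def share_directory(self, DirectoryId, ShareNotes, ShareTarget, ShareMethod):
        share = {"OwnerDirectoryId": DirectoryId, "SharedAccountId": ShareTarget["Id"],
                 "SharedDirectoryId": f"d-shared{len(self.shares)}", "ShareStatus": "PendingAcceptance"}
        self.shares.append(share)
        return {"SharedDirectoryId": share["SharedDirectoryId"]}
    def accept_shared_directory(self, SharedDirectoryId):
        for s in self.shares:
            if s["SharedDirectoryId"] == SharedDirectoryId:
                s["ShareStatus"] = "Shared"
    def add_tags_to_resource(self, ResourceId, Tags):
        self.tags[ResourceId] = {t["Key"]: t["Value"] for t in Tags}

def demo():
    shares = []  # the record store both fake clients see
    owner, lob = FakeDirectoryService(shares), FakeDirectoryService(shares)
    args = ("d-0123456789", "222222222222", "shared with LOB account", {"Application": "payments"})
    first, second = share_and_accept(owner, lob, *args), share_and_accept(owner, lob, *args)
    return first, second, shares, lob.tags
```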
  33. AWS Managed Microsoft AD benefits
     • Decreased operational overhead
     • Continue to maintain authentication & authorization from the enterprise directory
     • Speed and resiliency
     • Increased security
     • API functionality for management
  35. Thank you!