How to secure your Active Directory deployment on AWS - FND306-R - AWS re:Inforce 2019

1. © 2019, Amazon Web Services, Inc. or its affiliates.All rights reserved. How to secure your Active Directory deployment on AWS Vinod Madabushi Enterprise Solutions Architect Amazon Web Services F N D 3 0 6

2. © 2019, Amazon Web Services, Inc. or its affiliates.All rights reserved. Agenda • Active Directory basics • Typical deployment patterns • Securing Active Directory on Amazon EC2 • AWS Managed Microsoft AD security • Q&A

3. © 2019, Amazon Web Services, Inc. or its affiliates.All rights reserved. What we won’t cover in this session today • Best practices for organizing/managing Active Directory data • Design considerations for your Active Directory infrastructure • Comparison of features in AWS Managed Microsoft AD vs. AD on Amazon EC2

5. © 2019, Amazon Web Services, Inc. or its affiliates.All rights reserved. What is Active Directory? Organize users, groups, computers, and devices for administration Specify policies for user and computer configurations (group policy objects) Control user access to applications within the enterprise

6. © 2019, Amazon Web Services, Inc. or its affiliates.All rights reserved. Why do customers deploy Active Directory on AWS? Support Windows workloads running on AWS Reduce latency for applications and improve resiliency Manage AWS services and resources

9. © 2019, Amazon Web Services, Inc. or its affiliates.All rights reserved. Extending on-premises AD domain to AWS on Amazon EC2 Corporate data center Region AD Domain controllers Remote users/adminsAuth/ LDAP VPN AWS Direct Connect Application Availability Zone Availability Zone Private subnet Private subnet Domain controllers Domain controllers AD AD AD replication Private subnet Web servers App servers Database Auth/LDAP Private subnet Web servers App servers Database Auth/LDAP

10. © 2019, Amazon Web Services, Inc. or its affiliates.All rights reserved. Using AWS Managed AD as a resource domain Corporate data center Region AD Domain controllers Remote users/adminsAuth/ LDAP VPN AWS Direct Connect Application Availability Zone Availability Zone Private subnet Private subnet AWS Managed AD One-way trust Private subnet Web servers App servers Database Auth/LDAP Private subnet Web servers App servers Database AWS Managed AD

11. © 2019, Amazon Web Services, Inc. or its affiliates.All rights reserved. How do customers choose between these options? Deploy AD to Amazon EC2 • Want to extend the existing forest/domain to AWS • Need for domain/enterprise admin privilege • Extend existing users, groups, OUs, and GPOs • Single unified environment between on-premises and AWS cloud

12. © 2019, Amazon Web Services, Inc. or its affiliates.All rights reserved. How do customers choose between these options? Managed AD as resource domain • Want to minimize AD infrastructure operational management in the cloud • Allow delegation of cloud AD management to a separate team while maintaining control of user identity • Need delineation between on-premises and AWS environments • Need native integration with Amazon RDS, Amazon FSx, AWS Single Sign-On, etc.

14. © 2019, Amazon Web Services, Inc. or its affiliates.All rights reserved. Account structure framework AWS master account Log archive account Security accountShared services account Domain controllers AD AWS Organizations Amazon GuardDuty (master) Aggregate AWS CloudTrail and AWS Config logs

16. © 2019, Amazon Web Services, Inc. or its affiliates.All rights reserved. Account security • Place all the domain controllers in a single AWS account • If there are multiple teams operating in a single account, consider using tag- based policies to restrict access • Restrict access to Amazon EC2 start/stop/terminate • Restrict access to Amazon EBS volumes/snapshots • Follow best practices to secure the AWS account’s root credentials

17. © 2019, Amazon Web Services, Inc. or its affiliates.All rights reserved. Network security – Security groups AWS Region Shared services VPC Private subnet Availability Zone Availability Zone VPC 1 VPC 2 VPC 3 Domain controller 1 Domain controller 2 Domain members Domain members Domain members Source Protocol Ports VPC1 TCP UDP AD ports VPC2 TCP UDP AD ports VPC3 TCP UDP AD ports On- premises DCs TCP UDP Trust ports DC1 DC2 All All Inbound security group rules

18. © 2019, Amazon Web Services, Inc. or its affiliates.All rights reserved. Active Directory ports Port and protocol Purpose Type of traffic TCP and UDP 389 Directory, replication, user and computer authentication, group policy, trusts LDAP TCP 636 Directory, replication, user and computer authentication, group policy, trusts LDAP SSL TCP 3268, 3269 Directory, replication, user and computer authentication, group policy, trusts LDAP GC, LDAP GC SSL TCP and UDP 88 User and computer authentication, forest level trusts Kerberos TCP and UDP 464 Replication, user and computer authentication, trusts Kerberos change/set password TCP 445 Replication, user and computer authentication, group policy, trusts SMB,CIFS,SMB2, DFSN, LSARPC, NbtSS, NetLogonR, SamR, SrvSvc TCP and UDP 53 User and computer authentication, name resolution, trusts DNS UDP 123 Windows time, trusts NTP TCP 135 Replication RPC, EPM UDP 138 DFS, group policy DFSN, NetLogon, NetBIOS datagram service TCP 139 User and computer authentication, replication DFSN, NetBIOS session service, NetLogon TCP 49152 - 65535 Replication, user and computer authentication, group policy, trusts RPC, DCOM, EPM, DRSUAPI, NetLogonR, SamR, FRS Restricting AD ports: https://support.microsoft.com/en-us/help/224196/restricting-active-directory-rpc-traffic-to-a-specific-port

19. © 2019, Amazon Web Services, Inc. or its affiliates.All rights reserved. Network security – Other considerations • Avoid using NACLS to filter Active Directory ports except when absolutely necessary (ephemeral ports can be tricky) • Place domain controllers in the private subnets • Place domain controllers in multiple AZs for availability • Routing table can be utilized as network control mechanism

20. © 2019, Amazon Web Services, Inc. or its affiliates.All rights reserved. Internet name resolution from the DCs AWS Region Shared services VPC Private subnet Availability Zone Availability Zone VPC 1 VPC 2 VPC 3 Domain controller Domain controller Domain members Domain members Domain members Public subnet DNS server Internet gateway NAT gateway DNS server NAT gateway Amazon Route 53 .2 resolver

21. © 2019, Amazon Web Services, Inc. or its affiliates.All rights reserved. Data Security – Encryption • Enable LDAPS in the domain controllers for secure authentication. Active Directory Certificate Services (ADCS) can be used for this purpose. • Encrypt Amazon EBS volumes (including C:) attached to DCs. Easiest way is by using AWS Key Management Service (KMS). • Consider using a separate customer master key (CMK) for Active Directory and restrict access appropriately. • If you want to use AWS CloudHSM to store your CMK, consider the custom key store.

22. © 2019, Amazon Web Services, Inc. or its affiliates.All rights reserved. Private subnetPrivate subnet Encryption – Using CloudHSM KMS default key store AWS KMS KMS HSM fleet AWS services Custom key store connector Existing KMS APIsHSM VPC Active Directory VPC Amazon EBS volume Domain controller CloudHSM cluster

23. © 2019, Amazon Web Services, Inc. or its affiliates.All rights reserved. Logging, monitoring, and alerting • Security logs are the best source of information for activities occurring on your identity store. Monitor security logs for anomalies. • Enable and monitor VPC Flow Logs for troubleshooting and security. • Consider setting up alerting for key security events in near real time. • Enable AWS CloudTrail logs in the AWS account and alert on key changes. • Monitor DCs for availability. Set up Amazon EC2 auto recovery to recover the EC2 instance from a hardware or other failure.

24. © 2019, Amazon Web Services, Inc. or its affiliates.All rights reserved. Other considerations • Restrict the number of users who have access to logging in to domain controllers • Perform AD administrative tasks from a management server • Perform regular backups of your Active Directory environment for recovery • Encrypt and secure your Active Directory backups

26. © 2019, Amazon Web Services, Inc. or its affiliates.All rights reserved. AWS Managed Microsoft AD security • AWS Managed AD is single tenant. Your DCs only contain your data. • Most management tasks are done via automation. We have a process for operators when human touch is required. • AWS employees don’t have access to customer’s domain admin credentials. Those are under automated control. • Domain controller security logs are delivered to Amazon CloudWatch Logs. • Delegated admin access using predefined users, groups, and OUs.

27. © 2019, Amazon Web Services, Inc. or its affiliates.All rights reserved. • Account security • Centralize AWS Managed Microsoft AD in a single AWS account • Restrict access to AWS Directory Service to limited users • Follow best practices to secure the AWS root credentials • Network security • Security group limits traffic to just AD ports and between domain controllers • Use management server for admin tasks; cannot RDP to domain controllers AWS Managed Microsoft AD security (cont’d)

28. © 2019, Amazon Web Services, Inc. or its affiliates.All rights reserved. • DNS – Internet name resolution • AWS Managed AD will use Route 53 (.2 resolver) for internet-bound queries • Encryption • EBS volumes are encrypted by default using AWS KMS • All snapshots are encrypted and stored securely • AWS Managed AD supports LDAPS. Refer to this documentation: https://docs.aws.amazon.com/directoryservice/latest/admin-guide/ms_ad_ldap.html AWS Managed Microsoft AD security (cont’d)

29. © 2019, Amazon Web Services, Inc. or its affiliates.All rights reserved. AWS Managed Microsoft AD shared responsibility AWS responsibility Customer responsibility Protect hardware, software, networking, and facilities that run AWS Managed AD Maintain and manage Active Directory data like users, groups, OUs, group policies, etc. Isolation of domain controllers between customers Configure and manage Active Directory trusts Protect enterprise/domain admin credential through automation Configure and manage network connectivity to AWS Managed AD VPC/subnets Apply updates and security patches to the domain controllers Providing compatible LDIF file for schema extensions Encrypt EBS volumes Manage security groups for AWS Managed AD Maintain availability of the directory Configure LDAPS to support applications Monitor and manage Active Directory replication Configure integration with RADIUS and MFA infrastructure Perform daily snapshots of the directory Adding more domain controllers based on performance requirements