
How to secure your Active Directory deployment on AWS - FND306-R - AWS re:Inforce 2019


Many enterprises use Active Directory for authentication, server and workstation management, group policy management, and more. It’s also one of the first applications deployed on AWS by those building or migrating Windows applications at scale. There are two primary models for running Active Directory on AWS: AWS Managed Microsoft AD and self-managed Active Directory on Amazon EC2. We discuss best practices for securing an Active Directory deployment on AWS and the shared responsibility model for running AWS Managed Microsoft AD. We also examine a reference architecture that follows these best practices. Services include AWS Managed Microsoft AD, Amazon EC2, Amazon EBS, Amazon VPC, and AWS KMS.



  1. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. How to secure your Active Directory deployment on AWS. Vinod Madabushi, Enterprise Solutions Architect, Amazon Web Services. FND306
  2. Agenda
     • Active Directory basics
     • Typical deployment patterns
     • Securing Active Directory on Amazon EC2
     • AWS Managed Microsoft AD security
     • Q&A
  3. What we won’t cover in this session today
     • Best practices for organizing/managing Active Directory data
     • Design considerations for your Active Directory infrastructure
     • Comparison of features in AWS Managed Microsoft AD vs. AD on Amazon EC2
  5. What is Active Directory?
     • Organize users, groups, computers, and devices for administration
     • Specify policies for user and computer configurations (group policy objects)
     • Control user access to applications within the enterprise
  6. Why do customers deploy Active Directory on AWS?
     • Support Windows workloads running on AWS
     • Reduce latency for applications and improve resiliency
     • Manage AWS services and resources
  7. Choices for running Active Directory on AWS
     • Self-managed Active Directory on Amazon EC2
     • AWS Managed Microsoft AD
  9. Extending on-premises AD domain to AWS on Amazon EC2 [architecture diagram] A corporate data center with AD domain controllers and remote users/admins (auth/LDAP) is connected by VPN or AWS Direct Connect to an AWS Region. In the Region, each of two Availability Zones holds a private subnet with domain controllers (AD replication between the zones and with on-premises) and a private subnet with web servers, app servers and a database that authenticate against the domain controllers over auth/LDAP.
  10. Using AWS Managed AD as a resource domain [architecture diagram] Same layout as slide 9, but the AWS-side directory is AWS Managed AD in each Availability Zone, joined to the on-premises AD by a one-way trust; the application tier (web servers, app servers, database) authenticates against AWS Managed AD over auth/LDAP.
  11. How do customers choose between these options? Deploy AD to Amazon EC2
     • Want to extend the existing forest/domain to AWS
     • Need for domain/enterprise admin privilege
     • Extend existing users, groups, OUs, and GPOs
     • Single unified environment between on-premises and AWS cloud
  12. How do customers choose between these options? Managed AD as resource domain
     • Want to minimize AD infrastructure operational management in the cloud
     • Allow delegation of cloud AD management to a separate team while maintaining control of user identity
     • Need delineation between on-premises and AWS environments
     • Need native integration with Amazon RDS, Amazon FSx, AWS Single Sign-On, etc.
  13. Shared responsibility model
  14. Account structure framework [diagram] An AWS master account (AWS Organizations) with a log archive account that aggregates AWS CloudTrail and AWS Config logs, a security account running the Amazon GuardDuty master, and a shared services account that hosts the AD domain controllers.
  16. Account security
     • Place all the domain controllers in a single AWS account
     • If there are multiple teams operating in a single account, consider using tag-based policies to restrict access
     • Restrict access to Amazon EC2 start/stop/terminate
     • Restrict access to Amazon EBS volumes/snapshots
     • Follow best practices to secure the AWS account’s root credentials
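One way to express the tag-based restriction from slide 16 is an explicit Deny on destructive EC2 and EBS actions for instances, volumes and snapshots tagged as domain controllers, with an exception for principals tagged as the AD operations team. The block below is an added example written for this page, not code from the deck or from AWS: the tag names and values (`Role=DomainController`, `Team=ad-operations`) are assumptions, and `is_denied` models only the condition semantics this one policy uses so the policy can be checked offline before it is attached.

```python
"""Tag-based guardrail for the account that hosts domain controllers
(slide 16). Added example code, not from the deck or from AWS. Tag keys
and values are assumptions; ec2:ResourceTag/<key> and aws:PrincipalTag/<key>
are real IAM condition keys."""
import json

DC_TAG = ("Role", "DomainController")    # assumed resource tag on DC instances/volumes/snapshots
OPERATOR_TAG = ("Team", "ad-operations")  # assumed principal tag for the AD operations team


def build_dc_guard_policy():
    """IAM policy document: deny stop/terminate and volume/snapshot removal on
    DC-tagged resources unless the caller carries the operator tag."""
    rk, rv = DC_TAG
    pk, pv = OPERATOR_TAG
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyDestructiveActionsOnDomainControllers",
            "Effect": "Deny",
            "Action": ["ec2:StopInstances", "ec2:TerminateInstances",
                       "ec2:DetachVolume", "ec2:DeleteVolume",
                       "ec2:DeleteSnapshot"],
            "Resource": "*",
            "Condition": {
                "StringEquals": {f"ec2:ResourceTag/{rk}": rv},
                "StringNotEquals": {f"aws:PrincipalTag/{pk}": pv},
            },
        }],
    }


def _matches(conditions, context):
    """Condition semantics for the two operators used above: StringEquals
    needs the key present and equal; StringNotEquals is true when the key is
    absent or differs. Every operator in the block must match."""
    for op, pairs in conditions.items():
        for key, want in pairs.items():
            have = context.get(key)
            if op == "StringEquals" and have != want:
                return False
            if op == "StringNotEquals" and have == want:
                return False
    return True


def is_denied(policy, action, resource_tags, principal_tags):
    """True if any Deny statement applies to the call. Allow statements are
    ignored here because an explicit Deny always wins in IAM."""
    context = {f"ec2:ResourceTag/{k}": v for k, v in resource_tags.items()}
    context.update({f"aws:PrincipalTag/{k}": v for k, v in principal_tags.items()})
    for st in policy["Statement"]:
        if st["Effect"] != "Deny":
            continue
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        if action in actions and _matches(st.get("Condition", {}), context):
            return True
    return False


if __name__ == "__main__":
    print(json.dumps(build_dc_guard_policy(), indent=2))
```

A Deny like this does not constrain the account's root user, which is why the slide lists root-credential hygiene as a separate item; it also depends on the DC resources actually carrying the tag, so pair it with a check that every DC instance, volume and snapshot is tagged.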
  17. Network security – Security groups [diagram] A shared services VPC in an AWS Region with domain controller 1 and domain controller 2 in private subnets across two Availability Zones; domain members in VPC 1, VPC 2 and VPC 3 reach the domain controllers.
     Inbound security group rules on the domain controllers:
     Source | Protocol | Ports
     VPC1 | TCP, UDP | AD ports
     VPC2 | TCP, UDP | AD ports
     VPC3 | TCP, UDP | AD ports
     On-premises DCs | TCP, UDP | Trust ports
     DC1, DC2 | All | All
  18. Active Directory ports
     Port and protocol | Purpose | Type of traffic
     TCP and UDP 389 | Directory, replication, user and computer authentication, group policy, trusts | LDAP
     TCP 636 | Directory, replication, user and computer authentication, group policy, trusts | LDAP SSL
     TCP 3268, 3269 | Directory, replication, user and computer authentication, group policy, trusts | LDAP GC, LDAP GC SSL
     TCP and UDP 88 | User and computer authentication, forest level trusts | Kerberos
     TCP and UDP 464 | Replication, user and computer authentication, trusts | Kerberos change/set password
     TCP 445 | Replication, user and computer authentication, group policy, trusts | SMB, CIFS, SMB2, DFSN, LSARPC, NbtSS, NetLogonR, SamR, SrvSvc
     TCP and UDP 53 | User and computer authentication, name resolution, trusts | DNS
     UDP 123 | Windows time, trusts | NTP
     TCP 135 | Replication | RPC, EPM
     UDP 138 | DFS, group policy | DFSN, NetLogon, NetBIOS datagram service
     TCP 139 | User and computer authentication, replication | DFSN, NetBIOS session service, NetLogon
     TCP 49152-65535 | Replication, user and computer authentication, group policy, trusts | RPC, DCOM, EPM, DRSUAPI, NetLogonR, SamR, FRS
     Restricting AD ports: https://support.microsoft.com/en-us/help/224196/restricting-active-directory-rpc-traffic-to-a-specific-port
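The port table on slide 18 and the rule layout on slide 17 translate directly into a security-group rule set: one ingress entry per AD port whose sources are only the domain-member VPC CIDRs, plus an all-traffic entry whose source is the DC security group itself. The block below is an added example written for this page, not code from the deck or from AWS or its SDKs; it builds that rule set in the `IpPermissions` shape the EC2 AuthorizeSecurityGroupIngress API accepts and audits a proposed rule set for the mistakes the slides warn against. The CIDRs and security-group ID are constructed values, and trust ports toward on-premises DCs are left out.

```python
"""Least-privilege inbound security-group rules for EC2-hosted domain
controllers, derived from the AD port table on slide 18. Added example code,
not from the deck or from AWS. CIDRs and group IDs are constructed."""
import ipaddress

# (protocol, from_port, to_port, purpose): member-to-DC ports from slide 18
AD_PORTS = [
    ("tcp", 389, 389, "LDAP"), ("udp", 389, 389, "LDAP"),
    ("tcp", 636, 636, "LDAP SSL"),
    ("tcp", 3268, 3269, "LDAP GC / LDAP GC SSL"),
    ("tcp", 88, 88, "Kerberos"), ("udp", 88, 88, "Kerberos"),
    ("tcp", 464, 464, "Kerberos change/set password"),
    ("udp", 464, 464, "Kerberos change/set password"),
    ("tcp", 445, 445, "SMB / CIFS / LSARPC / SamR / NetLogonR"),
    ("tcp", 53, 53, "DNS"), ("udp", 53, 53, "DNS"),
    ("udp", 123, 123, "NTP"),
    ("tcp", 135, 135, "RPC endpoint mapper"),
    ("udp", 138, 138, "NetBIOS datagram / DFSN / NetLogon"),
    ("tcp", 139, 139, "NetBIOS session / NetLogon"),
    ("tcp", 49152, 65535, "RPC dynamic range (DRSUAPI, SamR, NetLogonR, FRS)"),
]


def build_dc_ingress(member_cidrs, dc_sg_id):
    """Return an IpPermissions list: one entry per AD port that allows only
    the listed member VPC CIDRs, plus one all-traffic entry sourced from the
    DC security group itself for DC-to-DC replication (slide 17)."""
    for cidr in member_cidrs:
        ipaddress.ip_network(cidr)  # raises ValueError on a malformed CIDR
    rules = []
    for proto, lo, hi, purpose in AD_PORTS:
        rules.append({
            "IpProtocol": proto, "FromPort": lo, "ToPort": hi,
            "IpRanges": [{"CidrIp": c, "Description": purpose} for c in member_cidrs],
        })
    rules.append({
        "IpProtocol": "-1",  # all protocols and ports, but only from the DC group
        "UserIdGroupPairs": [{"GroupId": dc_sg_id, "Description": "DC to DC"}],
    })
    return rules


def audit_dc_ingress(rules):
    """Flag rules that undo the intent of slide 17: world-open sources,
    all-traffic rules sourced from a CIDR instead of the DC group, and
    ports that are not on the AD port list."""
    allowed = {(p, lo, hi) for p, lo, hi, _ in AD_PORTS}
    findings = []
    for r in rules:
        proto = r["IpProtocol"]
        for rng in r.get("IpRanges", []):
            net = ipaddress.ip_network(rng["CidrIp"])
            if net.prefixlen == 0:
                findings.append(f"world-open source {rng['CidrIp']} on {proto} "
                                f"{r.get('FromPort')}-{r.get('ToPort')}")
            if proto == "-1":
                findings.append(f"all-traffic rule from CIDR {rng['CidrIp']}; "
                                "use the DC security group as the source")
        if proto != "-1" and (proto, r["FromPort"], r["ToPort"]) not in allowed:
            findings.append(f"{proto} {r['FromPort']}-{r['ToPort']} is not an AD port")
    return findings


if __name__ == "__main__":
    # constructed member VPC CIDRs and DC security group ID
    for rule in build_dc_ingress(["10.1.0.0/16", "10.2.0.0/16"], "sg-0123456789abcdef0"):
        print(rule)
```

The dynamic RPC range (TCP 49152-65535) is the entry most often widened to 0.0.0.0/0 in practice, which is why the audit treats a world-open source as a finding regardless of port; if the Microsoft article on the slide is used to pin RPC to a fixed port, shrink that entry to match.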
  19. Network security – Other considerations
     • Avoid using NACLs to filter Active Directory ports except when absolutely necessary (ephemeral ports can be tricky)
     • Place domain controllers in the private subnets
     • Place domain controllers in multiple AZs for availability
     • Routing tables can be utilized as a network control mechanism
  20. Internet name resolution from the DCs [diagram] A shared services VPC with domain controllers (the DNS servers) in private subnets across two Availability Zones and NAT gateways in public subnets behind an internet gateway; domain members in VPC 1, VPC 2 and VPC 3 resolve through the domain controllers, and the Amazon Route 53 .2 resolver is shown for internet-bound name resolution.
  21. Data security – Encryption
     • Enable LDAPS on the domain controllers for secure authentication. Active Directory Certificate Services (ADCS) can be used for this purpose.
     • Encrypt the Amazon EBS volumes (including C:) attached to DCs. The easiest way is by using AWS Key Management Service (KMS).
     • Consider using a separate customer master key (CMK) for Active Directory and restrict access to it appropriately.
     • If you want to use AWS CloudHSM to store your CMK, consider the custom key store.
  22. Encryption – Using CloudHSM [diagram] The Active Directory VPC holds a domain controller in a private subnet with an encrypted Amazon EBS volume. AWS services call the existing KMS APIs; AWS KMS backs its default key store with its own HSM fleet, and the custom key store connector routes to a CloudHSM cluster in a private subnet of the HSM VPC.
  23. Logging, monitoring, and alerting
     • Security logs are the best source of information on activity in your identity store. Monitor security logs for anomalies.
     • Enable and monitor VPC Flow Logs for troubleshooting and security.
     • Consider setting up alerting for key security events in near real time.
     • Enable AWS CloudTrail logs in the AWS account and alert on key changes.
     • Monitor DCs for availability. Set up Amazon EC2 auto recovery to recover the EC2 instance from a hardware or other failure.
  24. Other considerations
     • Restrict the number of users who can log in to domain controllers
     • Perform AD administrative tasks from a management server
     • Perform regular backups of your Active Directory environment for recovery
     • Encrypt and secure your Active Directory backups
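Slides 23 and 24 ask for near-real-time alerting on key security events and for a small set of accounts that may log on to domain controllers. The block below is an added example written for this page, not code from the deck or from AWS: it runs a detection pass over a batch of domain-controller security events in the shape a log pipeline (for example one reading the CloudWatch Logs stream mentioned on slide 26) would produce after parsing Windows Security log entries. The Windows event IDs are the documented ones (4624 logon, 4625 failed logon, 4720 account created, 4728/4732/4756 member added to a security-enabled group); the sample events, the failed-logon threshold and the allow-list are constructed assumptions.

```python
"""Detection pass over DC security events (slides 23 and 24). Added example
code, not from the deck or from AWS. Sample events, thresholds and the
allow-list are constructed; event IDs and field names follow the Windows
Security log."""
from collections import defaultdict

PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators"}
GROUP_ADD_EVENTS = {4728, 4732, 4756}   # member added to global / local / universal security group
FAILED_LOGON_THRESHOLD = 5              # assumed: failed logons per source IP in one batch

# constructed sample batch from one domain controller
SAMPLE_EVENTS = [
    {"EventID": 4624, "LogonType": 10, "TargetUserName": "j.doe", "IpAddress": "10.2.5.17"},
    {"EventID": 4624, "LogonType": 10, "TargetUserName": "ad-admin01", "IpAddress": "10.0.9.4"},
    {"EventID": 4728, "SubjectUserName": "svc-deploy",
     "MemberName": "CN=temp,OU=Users,DC=example,DC=com", "TargetUserName": "Domain Admins"},
    {"EventID": 4720, "SubjectUserName": "ad-admin01", "TargetUserName": "svc-backup"},
] + [{"EventID": 4625, "TargetUserName": "administrator", "IpAddress": "10.3.3.3"} for _ in range(6)]


def detect(events, dc_logon_allowlist, failed_threshold=FAILED_LOGON_THRESHOLD):
    """Return a list of (severity, message) alerts for one batch of events.
    LogonType 10 is RemoteInteractive (RDP); in a 4728/4732/4756 event the
    group is TargetUserName and the new member is MemberName."""
    alerts = []
    failures = defaultdict(int)
    for e in events:
        eid = e["EventID"]
        if eid == 4624 and e.get("LogonType") == 10 and e["TargetUserName"] not in dc_logon_allowlist:
            alerts.append(("high", f"RDP logon to DC by non-allow-listed account "
                                   f"{e['TargetUserName']} from {e['IpAddress']}"))
        elif eid in GROUP_ADD_EVENTS and e["TargetUserName"] in PRIVILEGED_GROUPS:
            alerts.append(("critical", f"{e['SubjectUserName']} added {e['MemberName']} "
                                       f"to {e['TargetUserName']}"))
        elif eid == 4720:
            alerts.append(("medium", f"account {e['TargetUserName']} created by {e['SubjectUserName']}"))
        elif eid == 4625:
            failures[e["IpAddress"]] += 1
    for ip, n in failures.items():
        if n >= failed_threshold:
            alerts.append(("high", f"{n} failed logons from {ip}"))
    return alerts


if __name__ == "__main__":
    for severity, message in detect(SAMPLE_EVENTS, {"ad-admin01"}):
        print(f"[{severity}] {message}")
```

The allow-list is the enforcement point for slide 24's first bullet: every RDP logon to a DC by an account outside it is worth an alert, because admin work is supposed to happen from the management server, not on the DC itself. Privileged-group additions are the event class to escalate fastest, since a single one changes who controls the directory.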
  26. AWS Managed Microsoft AD security
     • AWS Managed AD is single tenant. Your DCs only contain your data.
     • Most management tasks are done via automation. We have a process for operators when human touch is required.
     • AWS employees don’t have access to customers’ domain admin credentials. Those are under automated control.
     • Domain controller security logs are delivered to Amazon CloudWatch Logs.
     • Delegated admin access using predefined users, groups, and OUs.
  27. AWS Managed Microsoft AD security (cont’d)
     • Account security
       • Centralize AWS Managed Microsoft AD in a single AWS account
       • Restrict access to AWS Directory Service to limited users
       • Follow best practices to secure the AWS root credentials
     • Network security
       • The security group limits traffic to just AD ports and between domain controllers
       • Use a management server for admin tasks; you cannot RDP to the domain controllers
  28. AWS Managed Microsoft AD security (cont’d)
     • DNS – Internet name resolution
       • AWS Managed AD will use Route 53 (.2 resolver) for internet-bound queries
     • Encryption
       • EBS volumes are encrypted by default using AWS KMS
       • All snapshots are encrypted and stored securely
       • AWS Managed AD supports LDAPS. Refer to this documentation: https://docs.aws.amazon.com/directoryservice/latest/admin-guide/ms_ad_ldap.html
  29. AWS Managed Microsoft AD shared responsibility
     AWS responsibility | Customer responsibility
     Protect hardware, software, networking, and facilities that run AWS Managed AD | Maintain and manage Active Directory data like users, groups, OUs, group policies, etc.
     Isolation of domain controllers between customers | Configure and manage Active Directory trusts
     Protect enterprise/domain admin credentials through automation | Configure and manage network connectivity to AWS Managed AD VPC/subnets
     Apply updates and security patches to the domain controllers | Provide a compatible LDIF file for schema extensions
     Encrypt EBS volumes | Manage security groups for AWS Managed AD
     Maintain availability of the directory | Configure LDAPS to support applications
     Monitor and manage Active Directory replication | Configure integration with RADIUS and MFA infrastructure
     Perform daily snapshots of the directory | Add more domain controllers based on performance requirements
  30. AWS Managed AD compliance certifications
  31. AWS Managed Microsoft AD certifications
  33. Thank you! Vinod Madabushi, vinodmb@amazon.com
