Infrastructure Security: Your Minimum Security Baseline

© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved
Pop-up Loft
CAF Infrastructure Security: Your minimum security baseline
Steven Laino, CISSP / ISSAP, CCSP, CISM
Global Security Architect
Professional Services | Global Security, Risk & Compliance

Infrastructure Security
• Least Privilege
• Infrastructure Security
• Virtual Private Cloud (VPC)
• AWS Shield / WAF
• Connectivity
• Quickstart templates
• Endpoint Security
• AMI Build
• Inspector
• EC2 Systems Manager (SSM)

Least privilege
• Only the permissions required to perform the function
• Apply at various layers (App, Endpoint, Infra)
• User accounts
– Only give admin if required
• Security groups/NACLS
– Only allow ports that are necessary to the function
– Only allow connections that have a business need
• EC2 instances
– Only run services necessary
– Do not run more than one function/service

Virtual Private Cloud (VPC)
Boundary Defense
• Control inbound and
outbound access to VPC,
instances and subnets
• Route Tables
• Network Access Control List
• Security Groups

Security Groups / Network ACL Comparison
Security Group Network ACL
Operates at the instance level Operates at the subnet level
Supports allow rules only Supports allow rules and deny rules
Stateful: Return traffic is automatically
allowed, regardless of any rules
Stateless: Return traffic must be explicitly
allowed by rules
We evaluate all rules before deciding whether
to allow traffic
We process rules in number order when
deciding whether to allow traffic
Applies to an instance only if the security
group is specified
Automatically applies to all instances in the
subnets

VPC Connectivity
• Internet Gateway
• Nat Gateway
• VPN
• Direct Connect
• VPC peering

Defense in Depth
users
Applicatio
nservers
Private subnet
security
group
Public subnet
ELB IPS/IDS
Private subnet
ELB
security group
WAF
Private subnet
ELB
security group security group
ELB

Quickstart Templates
• NIST 800-53
• PCI / HIPAA
• Deploy in a few minutes
• Best practices implemented
• Great starting point
• Free
• https://aws.amazon.com/qui
ckstart/

Egress Control
Controlling traffic flows
• In addition to Security Groups,
NACLs & Routes
• VPC endpoints
• NAT gateways
• Inline Gateways
• DLP
• IDS
• App Filtering
• Host Tools
• DLP
• IDS
• FIM

• VPC Endpoint: Gateway
• Gateway
– Access supported AWS
services without going to
internet
• Amazon S3
• DynamoDB

VPC Endpoint: Interface
PrivateLink
• Access AWS & Partner
services without going to
Internet
• Create private endpoints for
services you provide
• Marketplace has SaaS
products available that use
PrivateLink

Network Address Translation (NAT)
• 2 types: Gateway / Instance
• Allows Instances on private
subnets to communicate out
to the internet

Elastic Load Balancers (ELB)
Feature ALB NLB CLB
Protocols HTTP, HTTPS TCP
TCP, SSL,
HTTP, HTTPS
Health Checks
✔ ✔ ✔
Load Balancing multiple ports ✔ ✔
Path-Based Routing ✔
Cross-zone load balancing ✔ ✔
SSL offloading ✔ ✔
Server Name Indication (SNI) ✔
Back-end server encryption ✔ ✔
• Application LB
– Layer 7
– SSL
• Network LB
– Layer 4 (TCP)
– Ultra low latency
• Classic LB
– Layer 4/7
– Only for EC2 Classic
– Not recommended

Certificate Manager
• Protect & Secure Websites
• Secure Key Management
• Managed Cert Renewal
• No Cost

Web Application Firewall (WAF)
• AWS Managed rules
• Create your own rules
• AWS marketplace rulesets
• Blacklist / Whitelist
• Monitor mode
• Layer 7 DDoS Protection

AWS Shield
Managed DDoS Protection
• Shield Standard for All
• Protect from common attack
– Layer 3 & 4
– SYN/ACK
– UDP Flood
– Reflection
• Add WAF for Layer 7
• Shield Advanced ($)
– Sophisticated attacks
– Access to DDoS Team
– Cost protection Amazon
Route 53
CloudFront
users
security group (BuildABeer-SG-1)
Public subnet
servers
Private subnet
ELB

Separation of services
Amazon
Route 53
CloudFront
security group
Public subnet
servers
Private subnet
ELB
www.foo.commail.foo.com
security group
Public subnet
Mail servers
Private subnet
ELB
security group
Public subnet
Web servers
Private subnet
ELB
mail.foo.com
www.foo.com

AMI Factory
• Create secure baseline
• Monitor compliance
• Scan for vulnerabilities
• Remediate & Update
• Inspector, Config & SSM

Vulnerability Management
Inspector
• Scan AMI as part of build
– CVE
– Configuration
• Scan / Patch Frequently
• Use with SSM to automate
patching
• Integrates with CI/CD Tools
• CVSS Scoring

Amazon EC2 Systems Manager
• A set of capabilities that...
• ...enable automated configuration...
• ...and ongoing management of systems at scale...
• ...across all of your Windows and Linux workloads...
• ...running in Amazon EC2 or on-premises…
• ...at no charge; only pay for AWS resources you manage

Amazon EC2 Systems Manager – Components
Run Command State Manager Inventory Maintenance
Window
Patch Manager Automation Parameter Store

Remotely and securely manage servers or virtual machines at
scale running in your data center or in AWS
§ Automate common administrative tasks
§ Execute commands across multiple instances simultaneously
§ Support for AWS and on-premises infrastructure
§ Granular permissions to control access through AWS Identity &
Access Management
§ Logging using AWS CloudTrail
Run Command: Overview

Provides visibility into the software catalogue and configuration
for your Amazon EC2 instances and on-premises servers
§ Gather detail on a variety of attributes, such as:
– Installed applications & OS details
– AWS components and agents
– Network configuration
§ Inventory attributes are stored in AWS Config for auditing
§ Assess compliance of configurations using AWS Config Rules
Inventory: Overview

Provides secure storage for configuration data & secrets
• Store configuration data and secure strings in hierarchies and track
versions.
• Control and audit access at granular levels.
• Reference parameters across AWS services such as Amazon EC2,
Amazon EC2 Container Service, AWS Lambda, AWS
CloudFormation
Parameter Store: Overview

Define and maintain consistent configuration of operating
systems and applications running in your data center or in AWS
§ Control configuration details such as anti-virus settings, iptables, etc.
§ Define your own schedules for deployment reviews
§ Compare actual deployments against specified configuration policy
§ State Manager reapplies policies if state drift is detected
§ Query State Manager to view status of deployments
State Manager: Overview

Automated tool that helps you simplify your Windows operating
system patching process
§ Select the patches you want to deploy
§ Control timing for patch roll-outs and instance reboots
§ Define auto-approval rules for patches
§ Ability to black-list or white-list specific patches
§ Schedule the automatic roll out through maintenance windows
Patch Manager: Overview

Summary
• Ingress filtering capability: use VPC design in combination with security groups and NACLs to
establish boundaries
• Egress filtering capability: use Security Groups, NACLs, NAT gateways, route tables and VPC
endpoints
• DDoS mitigation capability use: Cloudfront (Shield) & Route 53 to mitigate layer 3 and 4 attacks
• Vulnerability & Patch management capability: use Inspector and SSM
• Use SSM for:
– Configuration and patch compliance
– Secure privileged access to instances
– Automated patch management
– Software inventory & licensing compliance
– Secrets vaulting

Thank You!

Further Reading
• https://aws.amazon.com/blogs/devops/how-to-create-an-ami-builder-with-aws-codebuild-and-
hashicorp-packer/
• https://d0.awsstatic.com/aws-answers/AWS_Securing_EC2_Instances.pdf
• https://aws.amazon.com/ec2/systems-manager/

Pop-up Loft
aws.amazon.com/activate
Everything and Anything Startups
Need to Get Started on AWS

Infrastructure Security: Your Minimum Security Baseline

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Infrastructure Security: Your Minimum Security Baseline

Similar to Infrastructure Security: Your Minimum Security Baseline (20)

More from Amazon Web Services

More from Amazon Web Services (20)

Infrastructure Security: Your Minimum Security Baseline