Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Network Security and Access Control within AWS

607 views

Published on

AWS provides security capabilities and services to provide control over your AWS resources, how they are accessed, who can access them, and what privileges they are allowed. Access Management, Identity management, change control, and auditing can all be achieved both at a macro and granular level.

In this session we’ll explore services such as AWS Identity Access Management (IAM), AWS CloudTrail, Amazon Directory Service and Amazon Inspector, so that you understand how use them effectively to manage user privilege and access. We’ll also look at Amazon Virtual Private Cloud (VPC) and how to use it’s features to build security at the network access layer. After this session you should understand and be able to: Configure Users, Groups, and Roles to manage actions, Configure monitoring and logging to audit changes in your system, and Design your AWS network using VPC for security.

Published in: Technology
  • Be the first to comment

  • Be the first to like this

Network Security and Access Control within AWS

  1. 1. © 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Andrew Kiggins, Solutions Architect April 19, 2016 Network Security and Access Control within AWS
  2. 2. What to expect from the session • Configure network security using VPC • Configure users, groups and roles to manage actions • Configure monitoring and logging to audit changes
  3. 3. Network security
  4. 4. Network security tools • Amazon VPC • Subnet • Security groups • Network ACLs • Amazon CloudFront • Amazon Route 53 • IP tables
  5. 5. VPC VPC (BuildABeer-VPC-1) security group (BuildABeer-SG-1) HTTP GET Beer TCP(6) Port(80) NTP Buffer Overrun UDP(17) Port(123)
  6. 6. Network ACL VPC (BuildABeer-VPC-1) security group (BuildABeer-SG-1) HTTP GET Beer TCP(6) Port(80) HTTP GET Beer TCP(6) Port(80) srcIP=216.246.16.228
  7. 7. VPC (BuildABeer-VPC-1) Obfuscate Amazon Route 53 CloudFront Users security group (BuildABeer-SG-1) Public subnet servers Private subnet ELB
  8. 8. FAIL
  9. 9. End run VPC (BuildABeer-VPC-1) Amazon Route 53 CloudFront security group (BuildABeer-SG-1) Public subnet servers Private subnet ELB load balancer www.foo.com mail.foo.com security group (BuildABeer-SG-1) Public subnet Mail servers Private subnet Elastic Load Balancing load balancer security group (BuildABeer-SG-2) Public subnet Web servers Private subnet ELB load balancer mail.foo.com www.foo.com
  10. 10. Hide ’n’ go seek ~>nslookup www.buildabeer.com Server: 10.43.23.72 Address: 10.43.23.72#53 Non-authoritative answer: www.buildabeer.us canonical name = d3u9qbug2y23to.cloudfront.net. Name: d3u9qbug2y23to.cloudfront.net Address: 52.84.20.173 <snip> Name: d3u9qbug2y23to.cloudfront.net Address: 52.84.20.85 ~>nslookup ftp.buildabeer.com Server: 10.43.23.72 Address: 10.43.23.72#53 Non-authoritative answer: ftp.buildabeer canonical name = bab-elb-1-916251722.us-west-2.elb.amazonaws.com. Name: bab-elb-1-916251722.us-west-2.elb.amazonaws.com Address: 54.148.117.41 <snip>
  11. 11. Layers of defense VPC (BuildABeer-VPC-1) users security group (BuildABeer-SG-1) Private subnet Web servers Private subnet ELBSecurity services (IPS/IDS, WAF, Firewall) Public subnet
  12. 12. Access denied
  13. 13. Access points to AWS AWS Command Line Interface API AWS Management Console ~>aws ec2 describe-instances { "Reservations": [ { "Groups": [], "Instances": [ { "KeyName": "kiggins-bab-ec1-t2micro-keypair_0217", "VirtualizationType": "hvm", "AmiLaunchIndex": 0, "SourceDestCheck": true, "PublicIpAddress": "52.37.47.60", "Architecture": "x86_64", "RootDeviceType": "ebs", #!/usr/bin/python3 import boto3 # Get the service resource ec2 = boto3.resource('ec2') # Print out each ec2 instance for instance in ec2.instances.all(): print(instance)
  14. 14. Who can access resources • Accounts • Users • AWS Identity and Access Management (IAM) Users • Federated users • Groups • Roles • Services IAM role IAM users IAM groups Amazon EC2 Federated user
  15. 15. Restricted access best practices • Do not use the root account • Create an administrative account • Enable MFA • Enforce strong passwords • Use groups to assign permissions • Use cross account access for secure logging
  16. 16. Managing your policies • IAM policies • Managed policies • Inline policies • Resource-based policies
  17. 17. IAM policies • Managed policies (newer way) • Can be attached to multiple users, groups, and roles • AWS managed policies: Created and maintained by AWS • Customer managed policies: Created and maintained by you • Up to 5K per policy • Up to 5 versions of a policy so you can roll back to a prior version • You can attach 10 managed policies per user, group, or role • You can limit who can attach which managed policies • Inline policies (older way) • You create and embed directly in a single user, group, or role • Variable policy size (2K per user, 5K per group, 10K per role)
  18. 18. Beyond IAM Amazon Directory Services AD Connector Customer Identity Broker AWS Directory Service SEC307 A Progressive Journey Through AWS IAM Federation Options - https://www.youtube.com/watch?v=-XARG9W2bGc
  19. 19. Configuring logging and monitoring
  20. 20. Services • AWS CloudTrail • AWS Config • Amazon Inspector • VPC Flow Logs
  21. 21. AWS CloudTrail us-east-2
  22. 22. Introduction to AWS CloudTrail Store/ archive Troubleshoot Monitor and alarm You are making API calls... On a growing set of AWS services around the world.. CloudTrail is continuously recording API calls Amazon Elastic Block Store (Amazon EBS) Amazon S3 bucket
  23. 23. Use cases enabled by CloudTrail • IT and security administrators can perform security analysis • IT administrators and DevOps engineers can attribute changes on AWS resources to the identity, time and other critical details of who made the change • DevOps engineers can troubleshoot operational issues • IT auditors can use log files as a compliance aid • See: Security at Scale: Logging in AWS White Paper
  24. 24. AWS Config • Get inventory of AWS resources • Discover new and deleted resources • Record configuration changes continuously • Get notified when configurations change
  25. 25. AWS Config
  26. 26. AWS Config
  27. 27. • Check configuration changes • Periodic • Event driven • Rules • Pre-built rules provided by AWS • Custom rules using AWS Lambda • Use dashboard for visualizing compliance and identifying offending changes Compliance guideline Action if noncompliance All EBS volumes should be encrypted Encrypt volumes Instances must be within a VPC Terminate instance Instances must be tagged with environment type Notify developer (email, page, Amazon SNS) AWS Config Rules
  28. 28. AWS Config Rules (Example—instances must be tagged with a data classification)
  29. 29. Amazon Inspector • Vulnerability Assessment Service • Built from the ground up to support DevOps model • Automatable by using API actions • AWS Context Aware • Static and dynamic telemetry • Integrated with CI/CD tools • On-demand pricing model • CVE and CIS rules packages • AWS AppSec best practices
  30. 30. Rule packages • CVE (common vulnerabilities and exposures) • 1000+ rules evaluated • CIS (Center for Internet Security Benchmarks) • OS hardening • Vulnerability • Patch • Inventory • Compliance • AWS Security best practices • AppSec learnings
  31. 31. VPC Flow Logs
  32. 32. Dumping out the heavy hitter IP addresses #!/usr/bin/python3 import boto3 # Get the service resource logs = boto3.client(’logs’) # Get the log groups groups = logs.describe_log_groups() for logGroup in groups[’logGroups’] : # Get the LogStream for each logGroup logStreamsDesc = logs.describe_log_streams(logGroupName=logGroup[’logGroupName’]) for logStream in logStreamsDesc[’logStreams’]: events_resp = logs.get_log_events(logGroupName=logGroup[’logGroupName’], logStreamName=logStream[’logStreamName’]) # Store each log entry by the src IP address ip_dict = {} for event in events_resp[’events’] : ip = event[cd ’message’].split()[4] if ip in ip_dict: ip_dict[ip] = ip_dict[ip] + 1 else : ip_dict[ip] = 1 for w in sorted(ip_dict, key=ip_dict.get, reverse=True): print (’{0:15} {1:8d}’.format(w, ip_dict[w])) #Early exit exit()
  33. 33. Partners
  34. 34. Thank you! aws.amazon.com/security aws.amazon.com/compliance
  35. 35. Remember to complete your evaluations! Remember to complete your evaluations!

×