
Policy Verification and Enforcement at Scale with AWS (SEC320) - AWS re:Invent 2018


In an ever-growing cloud environment, the number of AWS accounts can reach into the thousands, edge cases dominate the firm's risk picture, and changes to the environment happen quickly. The Goldman Sachs cloud engineering team sees enforcement of security best practice as a growing concern. With developers managing infrastructure as code (IaC), learn how Goldman Sachs uses distributed serverless logging pipelines and AWS formal verification tools to enforce access policy as part of that process. In this session, we cover AWS Config, AWS Lambda, Amazon DynamoDB, and Amazon Simple Notification Service (Amazon SNS) as distributed infrastructure that can catch security issues early and remediate those that happen unexpectedly.



  1. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. Policy Verification and Enforcement at Scale with AWS (SEC320). Kai Huang, Vice President, Goldman Sachs; Sujoy Saha, Software Engineer, Goldman Sachs; Victor Padron-Blanco, Software Engineer, Goldman Sachs. With an introduction by Byron Cook, Director, Automated Reasoning at AWS.
  2. Agenda: Introduction; Challenges with enterprise scale; Automated reasoning tool: Zelkova; Implementation at scale; Policy as code.
  3. Provable security: verify the correctness of
  4. Provable security and the shared responsibility model. AWS is responsible for security "of" the cloud (the AWS global infrastructure); the customer is responsible for security "in" the cloud. Provable-security work shown on the slide: Tiros, Zelkova, crypto protocols, boot code, verifying compliance with regulatory frameworks.
  5. Provable security core applications
  6. Making the impossible possible. Making NP-complete problems feel P-time in practice: polynomial time is tractable (e.g., dictionary lookup), while nondeterministic polynomial time is treated as intractable. Making undecidable problems feel decidable in practice (e.g., the halting problem, airline safety).
  7. Zelkova provides provable security for customers "in the cloud" by using automated reasoning to verify that key AWS Identity and Access Management (IAM) enterprise governance and data privacy controls are implemented as intended, at scale.
  8. More information about provable security: https://aws.amazon.com/security/provable-security/
  9. Related breakouts (Thursday, November 29): SEC330 - Automating Compliance Certification with Automated Mathematical Proof, 1:45-2:45, ARIA West, Level 3, Ironwood 3; SEC302 - How LogMeIn Automates Governance and Empowers Developers at Scale, 1:45-2:45, MGM, Level 1, Grand Ballroom 116; SEC302 - Packetless Port Scanning: Automate DevSecOps with Amazon Inspector, 3:15-4:15, Mirage, St. Thomas B.
  10. Come to the Automated Reasoning Lounge: Thursday, November 29, 10:00AM-2:00PM, Encore, Encore 5.
  11. Who we are. Goldman Sachs brings people, capital, and ideas together to help our clients and the communities we serve. Innovation is at the heart of Goldman Sachs. As our services grow and evolve, we believe that public cloud brings the scaling, flexibility, and innovation we need. Partnering with AWS has helped us adopt public cloud while maintaining control of our environment and keeping data privacy.
  12. Who we are. Business principle #12: We regularly receive confidential information as part of our normal client relationships. To breach a confidence or to use confidential information improperly or carelessly would be unthinkable.
  13. Cloud adoption: use cases
  14. Our objectives. Business: developer enablement; agile delivery of products and services. Enterprise IT: scaling; management and governance. In short: scale, managed, agile.
  15. Embracing scale
  16. Benefits and challenges. Benefits: well-defined boundaries; an AWS account per deployment environment within a single application; limited blast radius; billing; clear separation of function for enterprise teams. Challenges: different applications have different security requirements; security policies and their enforcement must stay flexible while scaling; decentralizing traditional processes.
  17. User intent versus result. Intent: the user wants to block principals from another AWS account, 11112222333, from accessing their Amazon Simple Storage Service (Amazon S3) bucket.
  18. User intent versus result. Result != intent: the policy allows access for everybody in the world who is not a principal in that account. This means almost everybody now has access to the user's bucket, including anonymous, unauthenticated users. How do you reason about this across hundreds of accounts?
  19. Primer on satisfiability modulo theories (SMT). For all values of x, y: is x + y > x - y true? From Wikipedia: the satisfiability modulo theories (SMT) problem is a decision problem for logical formulas with respect to combinations of background theories expressed in classical first-order logic with equality. SMT can be thought of as a form of the constraint satisfaction problem, and thus a certain formalized approach to constraint programming.
  20. Primer on SMT. How do you satisfy the constraint? Assume that y is positive: (y > 0) => (x + y > x - y). Asked whether any x, y violate this implication, an SMT solver finds none, so the formula holds for all values of x and y.
  21. AWS Zelkova, provable security. Built by the Automated Reasoning Group within AWS. Zelkova translates a policy into a mathematical formula, for example (Resource = "arn:aws:s3:::test-bucket") AND (Principal != 11112222333), and uses SMT solvers to compare formulas. Example: Zelkova compares the user's policy against the world-readable/writable public bucket policy to decide whether the user policy is more or less permissive; if the user policy is more permissive, Zelkova flags it as allowing public access.
  22. Baseline. The comparison can also be made against a custom-defined baseline policy. Example: Amazon S3 buckets are to be accessible only by the company. Define a baseline policy that allows only the company's accounts, compare the user policy with the baseline, and flag an issue if the user policy is more permissive. For more examples, see AWS New York Summit 2018 - Bridgewater's Model-Based Verification of AWS Security Controls (FSI304).
  23. Defining least privileges: application inventory management. An inventory that defines requirements and metadata about an application: business unit; data classification; dependencies; entitlement; environment (deployment). An AWS account is simply another environment for the application to deploy into, and the same classification, policies, and requirements apply to the AWS deployment.
  24. Defining least privileges: application scope. Business application; one application environment per AWS account (for example, a recruiting web app with Dev, QA, UAT, and Prod each in a separate AWS account); tied to the existing application inventory management. (Diagram labels: AWS Cloud; On-Premise; AWS Account #012345678901; AWS Account #000000000000; AWS Account #000011112222; Inventory Management.)
  25. Applying least privileges. AWS IAM policies are default deny; only Allow statements are needed. Given: application resources must be accessible by the application. If: the application is scoped to an AWS account, with entitlement declared. Then: AWS resources must allow the account itself and the declared entitlement.
  26. Least privileges: AWS KMS key example. Application requirements: all data must be stored encrypted; environment separation must be enforced; production data must be accessible only by a production application. Patterns the application adopted: the application uses a customer-managed key (CMK) to encrypt application data; the application role is declared in the entitlement under the application inventory.
  27. Least privileges: AWS KMS key example. Compare the user-defined policy against the application baseline. Zelkova solver output: {'comparison': 'more-permissive'}
      User-defined policy:
      {
        "Sid": "Allow use of the key",
        "Effect": "Allow",
        "Principal": {
          "AWS": [
            "arn:aws:iam::PROD_APP_ACCOUNT_NUMBER:role/role_declared",
            "arn:aws:iam::QA_ACCOUNT_NUMBER:role/role_declared",
            "arn:aws:iam::DEV_ACCOUNT_NUMBER:role/role_declared"
          ]
        },
        "Action": "kms:*",
        "Resource": "*"
      }
      Application baseline:
      {
        "Sid": "Allow use of the key",
        "Effect": "Allow",
        "Principal": {
          "AWS": "arn:aws:iam::PROD_APP_ACCOUNT_NUMBER:role/role_declared"
        },
        "Action": "kms:*",
        "Resource": "*"
      }
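The comparison on slides 18, 21, 22 and 27 all ask the same question: does any request exist that the candidate policy allows and the baseline denies? Zelkova answers it symbolically with an SMT solver. The following is an added example, not AWS or Goldman Sachs code: it keeps the question but replaces the solver with exhaustive search over a small constructed universe of principals, actions and resources, which is enough to show why the "block account 11112222333" intent becomes a public bucket, what the corrected policy looks like, and the KMS key-policy comparison. Account 111111111111, the role, bucket and key ARNs are made up; only Principal/NotPrincipal, Action, Resource and explicit Deny are modelled (no Condition keys, identity policies or SCPs).

```python
"""Toy policy-permissiveness check (exhaustive search standing in for Zelkova's SMT solver)."""
from fnmatch import fnmatchcase
from itertools import product

ANONYMOUS = "anonymous"          # unauthenticated request, e.g. a public S3 GET


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_matches(spec, principal):
    """spec is a Principal/NotPrincipal value: '*' or {'AWS': account-id | ARN | list}."""
    if spec == "*":
        return True
    for entry in _as_list(spec.get("AWS", [])):
        if entry == "*":
            return True
        if principal == ANONYMOUS:
            continue                      # only '*' matches an anonymous caller
        # A bare account ID means the whole account, i.e. every ARN under it.
        if entry.isdigit() and principal.startswith(f"arn:aws:iam::{entry}:"):
            return True
        if entry == principal:
            return True
    return False


def _statement_applies(stmt, principal, action, resource):
    if "Principal" in stmt:
        if not _principal_matches(stmt["Principal"], principal):
            return False
    elif "NotPrincipal" in stmt:
        # NotPrincipal inverts the match: everyone *except* the listed principals.
        if _principal_matches(stmt["NotPrincipal"], principal):
            return False
    if not any(fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
        return False
    return any(fnmatchcase(resource, r) for r in _as_list(stmt["Resource"]))


def is_allowed(policy, principal, action, resource):
    """Default deny; an explicit Deny overrides any Allow."""
    allowed = False
    for stmt in policy["Statement"]:
        if _statement_applies(stmt, principal, action, resource):
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def compare(candidate, baseline, universe):
    """('more-permissive', witness) if some request in `universe` is allowed by
    candidate but not by baseline, else ('not-more-permissive', None).
    The witness is the counterpart of the model a solver returns."""
    principals, actions, resources = universe
    for request in product(principals, actions, resources):
        if is_allowed(candidate, *request) and not is_allowed(baseline, *request):
            return "more-permissive", request
    return "not-more-permissive", None


# --- constructed inputs (account 11112222333 is the one named on slide 17) ---
OWNER_ACCOUNT, BLOCKED_ACCOUNT = "111111111111", "11112222333"
BUCKET_OBJECTS = "arn:aws:s3:::test-bucket/*"
OBJECT_ARN = "arn:aws:s3:::test-bucket/secret.txt"
KEY_ARN = "arn:aws:kms:us-east-1:111111111111:key/1234abcd-12ab-34cd-56ef-1234567890ab"
PROD_ROLE = "arn:aws:iam::111111111111:role/role_declared"
QA_ROLE = "arn:aws:iam::222222222222:role/role_declared"
DEV_ROLE = "arn:aws:iam::333333333333:role/role_declared"
UNIVERSE = (
    [ANONYMOUS, f"arn:aws:iam::{OWNER_ACCOUNT}:user/alice",
     f"arn:aws:iam::{BLOCKED_ACCOUNT}:user/mallory", PROD_ROLE, QA_ROLE, DEV_ROLE],
    ["s3:GetObject", "kms:Decrypt"],
    [KEY_ARN, OBJECT_ARN],
)
# Slide 17/18: "allow everyone who is not account 11112222333" also admits anonymous.
NOT_PRINCIPAL_MISTAKE = {"Statement": [{"Effect": "Allow", "NotPrincipal": {"AWS": BLOCKED_ACCOUNT},
                                        "Action": "s3:GetObject", "Resource": BUCKET_OBJECTS}]}
# What the user meant: allow the owning account, deny the other account explicitly.
CORRECTED = {"Statement": [
    {"Effect": "Allow", "Principal": {"AWS": OWNER_ACCOUNT}, "Action": "s3:GetObject", "Resource": BUCKET_OBJECTS},
    {"Effect": "Deny", "Principal": {"AWS": BLOCKED_ACCOUNT}, "Action": "s3:*", "Resource": BUCKET_OBJECTS}]}
# Slide 22 baseline: only the company's own account may touch the bucket.
COMPANY_BASELINE = {"Statement": [{"Effect": "Allow", "Principal": {"AWS": OWNER_ACCOUNT},
                                   "Action": "s3:*", "Resource": BUCKET_OBJECTS}]}
# Slide 27: user-defined key policy (three roles) versus the application baseline (prod only).
KMS_USER = {"Statement": [{"Sid": "Allow use of the key", "Effect": "Allow",
                           "Principal": {"AWS": [PROD_ROLE, QA_ROLE, DEV_ROLE]}, "Action": "kms:*", "Resource": "*"}]}
KMS_BASELINE = {"Statement": [{"Sid": "Allow use of the key", "Effect": "Allow",
                               "Principal": {"AWS": PROD_ROLE}, "Action": "kms:*", "Resource": "*"}]}

if __name__ == "__main__":
    for name, cand, base in [("NotPrincipal mistake", NOT_PRINCIPAL_MISTAKE, COMPANY_BASELINE),
                             ("corrected", CORRECTED, COMPANY_BASELINE),
                             ("KMS key policy", KMS_USER, KMS_BASELINE)]:
        print(name, compare(cand, base, UNIVERSE))
```

Running it reports the NotPrincipal policy as more permissive with the anonymous caller as witness, the corrected policy as not more permissive, and the KMS user policy as more permissive with the QA role as witness. The exhaustive search only works because the universe is tiny; the point of the SMT encoding is that the same question is answered over all principals, actions and resources without enumerating them.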
  28. Use cases for Zelkova: a tool for IAM and across a variety of other offerings. Service control policy: macro-level enforcement. Zelkova: micro-level verification; provable security, i.e. formal verification of intent; lets users automate verification at scale.
  30. Architecture: event-driven Lambda.
  31. Architecture, our building blocks (AWS services): Amazon Macie, Zelkova, flow logs.
  32. Runtime verification @ scale (architecture diagram; labels: client account, central logging account, central security account; user logs, flow logs, storage, user-log policy analysis, Macie, Zelkova, risk classifier, alerting, security and DLP, remediation).
  33. Multi-account management: bootstrapping an AWS account for runtime checks. At client account creation by AWS Organizations, an event-driven Lambda: sets up AWS Config to send Config snapshots to the central logging account; sets up CloudTrail to send user logs to the central logging account; sets up GuardDuty to send alerts to the central security account; sets up Macie to send alerts to the central security account; creates IAM roles and permissions for the AWS Config IAM role, the AWS CloudTrail IAM role, the default user access role, and the auto-remediation role.
  34. Runtime policy check with Zelkova (diagram: client accounts deliver Config snapshots to an S3 bucket in the central logging account; an S3 event notification triggers the Config verification Lambda on changes in any IAM policy; reports go to an SNS topic). Event-driven Lambda steps: 1. Amazon S3 notification trigger. 2. Identify resource policies. 3. Look up the baseline for the account. 4. Invoke Zelkova to compare the policies from the snapshot against the baseline. 5. Send an alert if more permissive. 6. Auto-remediate to the baseline policy.
  35. Discussion. Advantages: 1. Continuous formal verification of IAM policies after deployment. 2. Continuous remediation of grossly misconfigured policies after deployment. 3. Prevents drift in the AWS account environment through auto-remediation. 4. Alerts on non-user-initiated changes and security incidents. You might have noticed: this model is reactive, not proactive.
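The six steps on slide 34 map onto a small Lambda handler. What follows is an added example, not Goldman Sachs' code: the side effects (fetching the snapshot object, looking up the account baseline in DynamoDB, calling Zelkova, publishing to SNS, putting the baseline policy back through the auto-remediation role) are injected through a `deps` object so the control flow can be exercised offline. Assumptions: the S3 notification shape is the standard `Records[].s3.bucket.name` / `Records[].s3.object.key` event, the snapshot is AWS Config's gzip-compressed JSON with a `configurationItems` array, bucket policies appear under `supplementaryConfiguration.BucketPolicy.policyText` for `AWS::S3::Bucket` items, and `deps.compare` returns the `{'comparison': ...}` dict shown on slide 27. Only S3 bucket policies are extracted; other resource types are left out.

```python
"""Config-snapshot verification Lambda (skeleton with injected side effects)."""
import gzip
import json
from urllib.parse import unquote_plus

MORE_PERMISSIVE = "more-permissive"      # verdict string as shown on slide 27


def load_config_snapshot(raw: bytes) -> dict:
    """AWS Config delivers snapshots as gzip-compressed JSON; accept plain JSON too."""
    if raw[:2] == b"\x1f\x8b":
        raw = gzip.decompress(raw)
    return json.loads(raw)


def extract_bucket_policies(snapshot: dict):
    """Yield (account_id, bucket_name, policy_dict) for every S3 bucket carrying a policy.
    Assumed item layout: supplementaryConfiguration.BucketPolicy.policyText (a JSON string)."""
    for item in snapshot.get("configurationItems", []):
        if item.get("resourceType") != "AWS::S3::Bucket":
            continue
        supplementary = item.get("supplementaryConfiguration") or {}
        text = (supplementary.get("BucketPolicy") or {}).get("policyText")
        if text:
            yield item["awsAccountId"], item["resourceName"], json.loads(text)


def verify_snapshot(snapshot: dict, deps) -> list:
    """Steps 2-6 of slide 34.  `deps` must provide:
         lookup_baseline(account_id) -> baseline policy dict, or None if unregistered
         compare(candidate, baseline) -> {'comparison': ...}   (Zelkova stand-in)
         alert(message)                                        (SNS publish in production)
         remediate(account_id, bucket, baseline)               (put-bucket-policy via the
                                                                auto-remediation role)
    Returns the (account_id, bucket) pairs that were flagged and remediated."""
    flagged = []
    for account, bucket, policy in extract_bucket_policies(snapshot):
        baseline = deps.lookup_baseline(account)
        if baseline is None:
            # Fail loud: an account without a baseline must not silently pass.
            deps.alert(f"no baseline registered for account {account}; {bucket} not verified")
            continue
        verdict = deps.compare(policy, baseline)
        if verdict.get("comparison") == MORE_PERMISSIVE:
            deps.alert(f"{account}/{bucket}: bucket policy is more permissive than baseline")
            deps.remediate(account, bucket, baseline)
            flagged.append((account, bucket))
    return flagged


def handler(event: dict, deps) -> dict:
    """Step 1 of slide 34: entry point for the S3 put-notification on the snapshot bucket.
    `deps.fetch(bucket, key) -> bytes` wraps s3.get_object(...)['Body'].read() in production."""
    flagged = []
    for record in event.get("Records", []):
        bucket = record["s3"]["bucket"]["name"]
        key = unquote_plus(record["s3"]["object"]["key"])   # S3 URL-encodes keys in events
        snapshot = load_config_snapshot(deps.fetch(bucket, key))
        flagged.extend(verify_snapshot(snapshot, deps))
    return {"flagged": flagged}
```

In production the real Lambda entry point would be a one-line `lambda_handler(event, context)` that calls `handler(event, deps)` with a `deps` object built on boto3 clients; the remediation call must assume the per-account auto-remediation role from slide 33 before writing the baseline policy, and the alert text should carry enough context (account, bucket, witness request if Zelkova provides one) for the central security account to triage without re-reading the snapshot.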
  37. Infrastructure as code (IaC) (diagram labels: AWS Cloud, Configuration Graph, Volume, Instance).
  38. Check @ code commits (diagram labels: Terraform Plan, Policy, Zelkova).
  39. Check @ code commits (diagram labels: Level 1, Level 2, Level 3, Internal Policy Repository).
  40. Check @ code commits (diagram labels: User, Level 1, Level 2, Level 3, Internal Policy Repository).
  41. Policy as code
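The commit-time check on slide 38 is the proactive counterpart of the runtime Lambda: the policies a Terraform change would create are verified before anything is applied. The gate below is an added example, not the Goldman Sachs tooling. It assumes the plan has been rendered with `terraform show -json tfplan`, that the AWS provider exposes the resource policy as a JSON string in `resource_changes[].change.after.policy` for `aws_s3_bucket_policy` and `aws_kms_key`, that values unknown until apply are marked in `change.after_unknown`, and that `compare` is the stand-in for the Zelkova call returning `{'comparison': ...}`. Computed policies fail closed: the gate cannot verify what it cannot see, and the runtime snapshot check remains the backstop for those.

```python
"""Commit-time policy gate over a Terraform plan in JSON form."""
import json

# Resources whose `policy` attribute is an IAM resource policy (assumption: others omitted).
POLICY_RESOURCE_TYPES = {"aws_s3_bucket_policy", "aws_kms_key"}


def planned_policies(plan: dict):
    """Yield (address, policy_dict_or_None) for each policy-bearing resource the plan
    creates or updates.  None means the policy is not known until apply."""
    for change_set in plan.get("resource_changes", []):
        if change_set.get("type") not in POLICY_RESOURCE_TYPES:
            continue
        change = change_set.get("change") or {}
        if not {"create", "update"} & set(change.get("actions", [])):
            continue                       # delete / no-op / read: nothing new to verify
        if (change.get("after_unknown") or {}).get("policy"):
            yield change_set["address"], None
            continue
        text = (change.get("after") or {}).get("policy")
        yield change_set["address"], (json.loads(text) if text else None)


def gate(plan: dict, baseline: dict, compare) -> list:
    """Return [(address, reason)] for every change that must block the commit.
    An empty list means the plan may proceed to apply."""
    failures = []
    for address, policy in planned_policies(plan):
        if policy is None:
            failures.append((address, "policy not known until apply; cannot verify before commit"))
        elif compare(policy, baseline).get("comparison") == "more-permissive":
            failures.append((address, "more permissive than account baseline"))
    return failures


def load_plan(path: str) -> dict:
    """Read the output of `terraform show -json tfplan` from disk."""
    with open(path, encoding="utf-8") as handle:
        return json.load(handle)
```

Wired into CI as `terraform plan -out tfplan && terraform show -json tfplan > plan.json`, a failing `gate()` result should fail the pipeline and print the addresses and reasons, so the developer sees which resource in their change widened access beyond the baseline stored in the internal policy repository.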
  42. Concluding thoughts. What we learned: collaborate with AWS engineering teams; the cloud shift keeps the same security principles as traditional on-premise, but tooling must be able to adapt to change. Opportunities: growing use cases; user education and repeatable patterns.
  43. Thank you! Kai Huang, Kai.Huang@gs.com; Sujoy Saha, Sujoy.Saha@gs.com; Victor Padron Blanco, Victor.PadronBlanco@gs.com