Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Security best practices the well-architected way - SDD318 - AWS re:Inforce 2019

328 views

Published on

As you continually evolve your use of the AWS platform, it’s important to consider ways to improve your security posture and take advantage of new security services and features. In this advanced session, we share architectural patterns for meeting common challenges, service limits and tips, tricks, and ways to continually evaluate your architecture against best practices. Automation and tools are featured throughout, and there will be code giveaways! Be prepared for a technically deep session on AWS security.

  • Be the first to comment

Security best practices the well-architected way - SDD318 - AWS re:Inforce 2019

  1. 1. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Security best practices the well- architected way Ben Potter Security Lead, Well-Architected Amazon Web Services @benji_potter S D D 3 1 8
  2. 2. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Agenda AWS Well-Architected introduction Incident response AWS Identity and Access Management (IAM) Detective controls Infrastructure protection Data protection
  3. 3. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. https://aws.amazon.com/well-architected/ https://wa.aws.amazon.com https://wellarchitectedlabs.com AWS Well-Architected
  4. 4. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Are you Well-Architected? Security Reliability Performance efficiency Cost optimization Operational excellence © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential
  5. 5. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. History Well-Architected started 2012 Questions across four pillars 2014 Operational excellence 2016 Self-service, imp. plans 2018 AWS SA reviews 2013 Published framework 2015 APN partners, lens 2017 2019
  6. 6. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Why AWS Well-Architected Framework? Learn AWS best practices Build and deploy faster Lower or mitigate risks Make informed decisions
  7. 7. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. AWS Well-Architected Tool It is in the console If its not in your region, use North Virginia Use it as a training/learning tool Create a dummy workload and start
  8. 8. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. IAM Use automation Enable detection Prepare for an incident What should you do first?
  9. 9. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Design principles Implement a strong identity foundation Enable traceability Apply security at all layers Automate security best practices Protect data in transit and at rest Keep people away from data Prepare for security events
  10. 10. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. VPC Amazon API Gateway Amazon Elastic File System (Amazon EFS) AWS Lambda Role Amazon Simple Notification Service (Amazon SNS) Amazon Simple Storage Service (Amazon S3) Instance Application
  11. 11. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
  12. 12. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Use Amazon GuardDuty as a starting point Threat intel, ML/AI anomaly detection Alert + Respond Backdoor Behavior CryptoCurrency PenTest Persistence Policy PrivilegeEscalation Recon ResourceConsumption Stealth Trojan Unauthorized Amazon GuardDuty VPC Flow Logs DNS logs AWS CloudTrail events High Medium Low FindingsData sourcesFinding types
  13. 13. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Use Amazon GuardDuty as a starting point Threat intel, ML/AI Anomaly Detection Alert + Respond Backdoor Behavior CryptoCurrency PenTest Persistence Policy PrivilegeEscalation Recon ResourceConsumption Stealth Trojan Unauthorized Amazon GuardDuty VPC flow logs DNS Logs CloudTrail Events HIGH MEDIUM LOW FindingsData SourcesFinding Types New! Guide: http://bit.ly/2EWlARo
  14. 14. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Playbooks Working definition: Playbooks provide adequately skilled team members, who are unfamiliar with the workload, the guidance necessary to gather applicable information, identify potential sources of failure, isolate faults, and determine root cause of issues.
  15. 15. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Playbooks—Example # Scenario title: Malicious IP action # Scenario description: An API was invoked from a known malicious IP address # Data to gather: CloudTrail + application logs # Investigation steps: CloudTrail history of IP, ASN, IP info, created resources # Escalation & communication: High severity infosec ticket # Resolution steps: Disabled credentials, remove resources
  16. 16. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. How to run a gameday 1. Schedule time block 2. Find a prize 3. Supply junk food and beverages 4. Pick relevant finding from: https://amzn.to/2PetNro 5. Create a playbook 6. Learn 7. Have fun!
  17. 17. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. VPC Amazon API Gateway Amazon Elastic File System AWS Lambda Role Amazon Simple Notification Service Amazon Simple Storage Service (S3) Instance Application IR Playbooks IR Tools Access Amazon GuardDuty
  18. 18. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. https://github.com/awslabs/aws-well-architected- labs/tree/master/Security/300_Incident_Response_with_AWS_C onsole_and_CLI
  19. 19. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
  20. 20. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Federation tip https://aws.amazon.com/identity/federation/ Blog: https://amzn.to/2Wvh2LS
  21. 21. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Requirement: users and roles created by delegated admins must have a permissions boundary Ability: can create users and roles that have permissions boundaries attached Admins Delegated admins “Bound” IAM users and roles Create delegated admins Create “bound” users and roles Users and roles restricted by permissions boundaries Result: permissions boundary restrict the permissions of the users and roles Restricted resources Permissions for resources restricted Permissions of the roles attached to resources like Lambda functions are limited by the permissions boundary Permission boundaries Lab: http://bit.ly/WALpb
  22. 22. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Automate credential management • Disable / delete unused access keys • Cleanup after federation • Regularly remind people for having an access key • Remove leavers • Constantly reduce permission
  23. 23. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Lambda assuming role RoleLambda function Account 1 Account 2 Role Sign URL
  24. 24. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Lambda example exports.handler = async (event) => { // Parameters var AWS = require('aws-sdk’); var s3_params = {Bucket: 'bucket', Key: event.Records[0].file_name}; var sts_params = { DurationSeconds: 900, RoleArn: "arn:aws:iam::012345678901:role/service-role/assumed_role", RoleSessionName: "Session” }; // Assume the role with STS, an async call to get creds var sts = new AWS.STS(); await sts.assumeRole(sts_params, function(err, data) { var s3 =new AWS.S3({region: 'ap-southeast-2’, sessionToken:data.Credentials.SessionToken}); // Sign the URL var url = s3.getSignedUrl('getObject', s3_params); // Return the response const response = { statusCode: 200, body: JSON.stringify('Hello from Lambda!’), }; return response;}).promise();
  25. 25. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. VPC Amazon API Gateway Amazon Elastic File System (Amazon EFS) AWS Lambda Role Amazon Simple Notification Service (Amazon SNS) Amazon Simple Storage Service (Amazon S3) Application IR Playbooks IR Tools Access Role Instance AWS Organizations IAM AWS Single Sign-On MFA AWS Secrets Manager Amazon GuardDuty
  26. 26. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Role Instance VPC Amazon API Gateway Amazon Elastic File System (Amazon EFS) AWS Lambda Role Amazon Simple Notification Service (Amazon SNS) Amazon Simple Storage Service (Amazon S3) Application IR Playbooks IR Tools Access AWS Organizations IAM AWS Single Sign-On MFA AWS Secrets Manager AWS Code Services AWS CloudFormation AWS Systems Manager Event Amazon GuardDuty
  27. 27. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
  28. 28. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Automate detective controls Amazon GuardDuty AWS Config AWS CloudTrail AWS CloudFormation Lab: http://bit.ly/2WIz2SY https://amzn.to/2Wp3GkT http://bit.ly/CRuleRem
  29. 29. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Have you created a threat model? Every threat has a MOM: Method: The skills, knowledge, tools to pull off the attack Opportunity: The time and access to accomplish the attack Motive: A reason to want to perform this attack Have you tested your detective and responsive controls? Threat model
  30. 30. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. What to look for Recon DNS Denies 404’s Logins / time
  31. 31. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Challenge How would you detect credential stuffing? 2019-05-23 01:13:12 LAX1 2390282 2001:0db8:85a3:0000:0000:8a2e:0370:1337 POST d111111abcdef8.cloudfront.net /myloginapi/login.do 200
  32. 32. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Challenge • MFA • Throttle • Captive portal • Fingerprint* • Partners https://haveibeenpwned.com/Passwords
  33. 33. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Continuous evaluation CIS Quick Start: https://amzn.to/2XE5SSp
  34. 34. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. VPC Amazon Simple Notification Service (Amazon SNS) Amazon Simple Storage Service (Amazon S3) Application IR Playbooks IR Tools Access Role Instance AWS Organizations IAM AWS Single Sign-On MFA AWS Secrets Manager AWS Code Services AWS CloudFormation AWS Systems Manager Event Amazon GuardDuty Amazon CloudWatchAWS CloudTrail AWS Config Amazon API Gateway Amazon Elastic File System (Amazon EFS) AWS Lambda Role VPC Flow Logs
  35. 35. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
  36. 36. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. TPZ Egress Transit gateway Security inspection services Security inspection services TPZ ingress Xero threat protection zone
  37. 37. Share subnets between accounts in an AWS Organization Account Account Account Account Resource share Resource share Infrastructure account VPC sharing and resource access manager
  38. 38. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Automate protection AWS WAF automation: https://amzn.to/2MzNdpH Whitelist Blacklist SQL Injection XSS HTTP Flood Scanners & Probes IP Reputation Lists Bad Bot Amazon CloudFront Application Load Balancer Web Application Resources Amazon Kinesis Data Firehose Amazon S3 Web ACL Traffic Information Amazon API Gateway Amazon Athena AWS Lambda Log Passer Amazon Athena AWS Lambda Access Handler AWS Lambda IP Lists Passer Amazon CloudWatch Event Amazon S3 Access Logs AWS WAF Requests WAF Logs APP Logs Hourly
  39. 39. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Tools Source code and dependency: OWASP Dependency-check NPM audit + fix RetireJS boofuzz Radamsa american fuzzy lop
  40. 40. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. VPC Amazon API Gateway VPC Flow Logs Load Balancer Application Load Balancer Amazon Elastic File System (Amazon EFS) Database Amazon Aurora Endpoints AWS Lambda Role Shared NAT Gateway AWS Organizations IAM AWS Single Sign-On MFA AWS Secrets Manager Amazon GuardDuty Amazon CloudWatchAWS CloudTrail AWS Config Amazon Simple Notification Service (Amazon SNS) Amazon Simple Storage Service (Amazon S3) Amazon Inspector AWS Security Hub IR Playbooks IR Tools Access AWS Code Services AWS CloudFormation AWS Systems Manager Event Role Auto Scaling group Instances Endpoints Application AMI Amazon CloudFrontAmazon Route 53 AWS WAF
  41. 41. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. VPC Amazon API Gateway VPC Flow logs Load Balancer Application Load Balancer Amazon Elastic File System Database Amazon Aurora Endpoints AWS Lambda Role Shared NAT Gateway AWS Organizations IAM AWS Single Sign-On MFA AWS Secrets Manager Amazon GuardDuty Amazon CloudWatchAWS CloudTrail AWS Config Amazon Simple Notification Service (Amazon SNS) Amazon Simple Storage Service (Amazon S3) Amazon Inspector AWS Security Hub IR Playbooks IR Tools Access AWS Code Services AWS CloudFormation AWS Systems Manager Event Role Auto Scaling group Instances Endpoints Application AMI Amazon CloudFrontAmazon Route 53 AWS WAF http://bit.ly/315r99k http://bit.ly/2Z2tDn7
  42. 42. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
  43. 43. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Keep people away from data Don’t store Don’t grant Encrypt Mask Tokenize Isolate Tooling Eliminate direct access Operations as code Version control Implementing DevSecOps: https://amzn.to/313DMlD
  44. 44. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Data exfiltration Host based SaaS Partners DNS Logs
  45. 45. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Automate detection of data leak • Consider all sources of data! • Interesting API calls: • Any service that hosts data • Pre-signed URL generation • S3 access logs: • Custom access log information • Data classification code for analysis Amazon CloudWatch Events s3.amazonaws.com/awsexamplebucket/photos/puppy.jpg ?x-code=example
  46. 46. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Default Amazon EBS encryption New! Blog: https://amzn.to/2HYQURb
  47. 47. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. AWS KMS + AWS Encryption SDK Customer master key (CMK) Data key Encrypted data AWS Key Management Service (AWS KMS) "encryptionContext": { "aws:s3:arn": "arn:aws:s3:::bucket_name/file_name" } Example: https://amzn.to/2WlLK5I
  48. 48. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. VPC Amazon API Gateway VPC Flow Logs Amazon Elastic File System (Amazon EFS) Endpoints AWS Lambda RoleNAT Gateway AWS Organizations IAM AWS Single Sign-On MFA AWS Secrets Manager Amazon GuardDuty Amazon CloudWatchAWS CloudTrail AWS Config Amazon Simple Notification Service (Amazon SNS) Amazon Simple Storage Service (Amazon S3) IR Playbooks IR Tools Access AWS Code Services AWS CloudFormation AWS Systems Manager Event Role Auto Scaling group Endpoints AMI Amazon Route 53 AWS WAF Amazon Inspector AWS Certificate Manager Private Certificate Authority AWS KMSAWS Security Hub Amazon Macie Amazon CloudFront Application Encrypted Instances DLP Shared Load Balancer Application Load Balancer Database Encrypted Amazon Aurora
  49. 49. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
  50. 50. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Action!
  51. 51. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Action! Main: https://aws.amazon.com/well-architected/ Framework: https://wa.aws.amazon.com Labs: http://bit.ly/WASecurityLabs Solutions: https://aws.amazon.com/solutions
  52. 52. Thank you! © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Ben Potter Are you Well-Architected? @benji_potter

×