Security best practices the well-architected way - SDD318 - AWS re:Inforce 2019

1. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Security best practices the well- architected way Ben Potter Security Lead, Well-Architected Amazon Web Services @benji_potter S D D 3 1 8

2. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Agenda AWS Well-Architected introduction Incident response AWS Identity and Access Management (IAM) Detective controls Infrastructure protection Data protection

4. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Are you Well-Architected? Security Reliability Performance efficiency Cost optimization Operational excellence © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential

5. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. History Well-Architected started 2012 Questions across four pillars 2014 Operational excellence 2016 Self-service, imp. plans 2018 AWS SA reviews 2013 Published framework 2015 APN partners, lens 2017 2019

6. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Why AWS Well-Architected Framework? Learn AWS best practices Build and deploy faster Lower or mitigate risks Make informed decisions

7. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. AWS Well-Architected Tool It is in the console If its not in your region, use North Virginia Use it as a training/learning tool Create a dummy workload and start

9. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Design principles Implement a strong identity foundation Enable traceability Apply security at all layers Automate security best practices Protect data in transit and at rest Keep people away from data Prepare for security events

10. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. VPC Amazon API Gateway Amazon Elastic File System (Amazon EFS) AWS Lambda Role Amazon Simple Notification Service (Amazon SNS) Amazon Simple Storage Service (Amazon S3) Instance Application

12. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Use Amazon GuardDuty as a starting point Threat intel, ML/AI anomaly detection Alert + Respond Backdoor Behavior CryptoCurrency PenTest Persistence Policy PrivilegeEscalation Recon ResourceConsumption Stealth Trojan Unauthorized Amazon GuardDuty VPC Flow Logs DNS logs AWS CloudTrail events High Medium Low FindingsData sourcesFinding types

13. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Use Amazon GuardDuty as a starting point Threat intel, ML/AI Anomaly Detection Alert + Respond Backdoor Behavior CryptoCurrency PenTest Persistence Policy PrivilegeEscalation Recon ResourceConsumption Stealth Trojan Unauthorized Amazon GuardDuty VPC flow logs DNS Logs CloudTrail Events HIGH MEDIUM LOW FindingsData SourcesFinding Types New! Guide: http://bit.ly/2EWlARo

14. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Playbooks Working definition: Playbooks provide adequately skilled team members, who are unfamiliar with the workload, the guidance necessary to gather applicable information, identify potential sources of failure, isolate faults, and determine root cause of issues.

15. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Playbooks—Example # Scenario title: Malicious IP action # Scenario description: An API was invoked from a known malicious IP address # Data to gather: CloudTrail + application logs # Investigation steps: CloudTrail history of IP, ASN, IP info, created resources # Escalation & communication: High severity infosec ticket # Resolution steps: Disabled credentials, remove resources

16. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. How to run a gameday 1. Schedule time block 2. Find a prize 3. Supply junk food and beverages 4. Pick relevant finding from: https://amzn.to/2PetNro 5. Create a playbook 6. Learn 7. Have fun!

17. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. VPC Amazon API Gateway Amazon Elastic File System AWS Lambda Role Amazon Simple Notification Service Amazon Simple Storage Service (S3) Instance Application IR Playbooks IR Tools Access Amazon GuardDuty

21. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Requirement: users and roles created by delegated admins must have a permissions boundary Ability: can create users and roles that have permissions boundaries attached Admins Delegated admins “Bound” IAM users and roles Create delegated admins Create “bound” users and roles Users and roles restricted by permissions boundaries Result: permissions boundary restrict the permissions of the users and roles Restricted resources Permissions for resources restricted Permissions of the roles attached to resources like Lambda functions are limited by the permissions boundary Permission boundaries Lab: http://bit.ly/WALpb

22. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Automate credential management • Disable / delete unused access keys • Cleanup after federation • Regularly remind people for having an access key • Remove leavers • Constantly reduce permission

24. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Lambda example exports.handler = async (event) => { // Parameters var AWS = require('aws-sdk’); var s3_params = {Bucket: 'bucket', Key: event.Records[0].file_name}; var sts_params = { DurationSeconds: 900, RoleArn: "arn:aws:iam::012345678901:role/service-role/assumed_role", RoleSessionName: "Session” }; // Assume the role with STS, an async call to get creds var sts = new AWS.STS(); await sts.assumeRole(sts_params, function(err, data) { var s3 =new AWS.S3({region: 'ap-southeast-2’, sessionToken:data.Credentials.SessionToken}); // Sign the URL var url = s3.getSignedUrl('getObject', s3_params); // Return the response const response = { statusCode: 200, body: JSON.stringify('Hello from Lambda!’), }; return response;}).promise();

25. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. VPC Amazon API Gateway Amazon Elastic File System (Amazon EFS) AWS Lambda Role Amazon Simple Notification Service (Amazon SNS) Amazon Simple Storage Service (Amazon S3) Application IR Playbooks IR Tools Access Role Instance AWS Organizations IAM AWS Single Sign-On MFA AWS Secrets Manager Amazon GuardDuty

26. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Role Instance VPC Amazon API Gateway Amazon Elastic File System (Amazon EFS) AWS Lambda Role Amazon Simple Notification Service (Amazon SNS) Amazon Simple Storage Service (Amazon S3) Application IR Playbooks IR Tools Access AWS Organizations IAM AWS Single Sign-On MFA AWS Secrets Manager AWS Code Services AWS CloudFormation AWS Systems Manager Event Amazon GuardDuty

28. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Automate detective controls Amazon GuardDuty AWS Config AWS CloudTrail AWS CloudFormation Lab: http://bit.ly/2WIz2SY https://amzn.to/2Wp3GkT http://bit.ly/CRuleRem

29. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Have you created a threat model? Every threat has a MOM: Method: The skills, knowledge, tools to pull off the attack Opportunity: The time and access to accomplish the attack Motive: A reason to want to perform this attack Have you tested your detective and responsive controls? Threat model

31. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Challenge How would you detect credential stuffing? 2019-05-23 01:13:12 LAX1 2390282 2001:0db8:85a3:0000:0000:8a2e:0370:1337 POST d111111abcdef8.cloudfront.net /myloginapi/login.do 200

34. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. VPC Amazon Simple Notification Service (Amazon SNS) Amazon Simple Storage Service (Amazon S3) Application IR Playbooks IR Tools Access Role Instance AWS Organizations IAM AWS Single Sign-On MFA AWS Secrets Manager AWS Code Services AWS CloudFormation AWS Systems Manager Event Amazon GuardDuty Amazon CloudWatchAWS CloudTrail AWS Config Amazon API Gateway Amazon Elastic File System (Amazon EFS) AWS Lambda Role VPC Flow Logs

36. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. TPZ Egress Transit gateway Security inspection services Security inspection services TPZ ingress Xero threat protection zone

37. Share subnets between accounts in an AWS Organization Account Account Account Account Resource share Resource share Infrastructure account VPC sharing and resource access manager

38. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Automate protection AWS WAF automation: https://amzn.to/2MzNdpH Whitelist Blacklist SQL Injection XSS HTTP Flood Scanners & Probes IP Reputation Lists Bad Bot Amazon CloudFront Application Load Balancer Web Application Resources Amazon Kinesis Data Firehose Amazon S3 Web ACL Traffic Information Amazon API Gateway Amazon Athena AWS Lambda Log Passer Amazon Athena AWS Lambda Access Handler AWS Lambda IP Lists Passer Amazon CloudWatch Event Amazon S3 Access Logs AWS WAF Requests WAF Logs APP Logs Hourly

40. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. VPC Amazon API Gateway VPC Flow Logs Load Balancer Application Load Balancer Amazon Elastic File System (Amazon EFS) Database Amazon Aurora Endpoints AWS Lambda Role Shared NAT Gateway AWS Organizations IAM AWS Single Sign-On MFA AWS Secrets Manager Amazon GuardDuty Amazon CloudWatchAWS CloudTrail AWS Config Amazon Simple Notification Service (Amazon SNS) Amazon Simple Storage Service (Amazon S3) Amazon Inspector AWS Security Hub IR Playbooks IR Tools Access AWS Code Services AWS CloudFormation AWS Systems Manager Event Role Auto Scaling group Instances Endpoints Application AMI Amazon CloudFrontAmazon Route 53 AWS WAF

41. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. VPC Amazon API Gateway VPC Flow logs Load Balancer Application Load Balancer Amazon Elastic File System Database Amazon Aurora Endpoints AWS Lambda Role Shared NAT Gateway AWS Organizations IAM AWS Single Sign-On MFA AWS Secrets Manager Amazon GuardDuty Amazon CloudWatchAWS CloudTrail AWS Config Amazon Simple Notification Service (Amazon SNS) Amazon Simple Storage Service (Amazon S3) Amazon Inspector AWS Security Hub IR Playbooks IR Tools Access AWS Code Services AWS CloudFormation AWS Systems Manager Event Role Auto Scaling group Instances Endpoints Application AMI Amazon CloudFrontAmazon Route 53 AWS WAF http://bit.ly/315r99k http://bit.ly/2Z2tDn7

43. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Keep people away from data Don’t store Don’t grant Encrypt Mask Tokenize Isolate Tooling Eliminate direct access Operations as code Version control Implementing DevSecOps: https://amzn.to/313DMlD

45. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Automate detection of data leak • Consider all sources of data! • Interesting API calls: • Any service that hosts data • Pre-signed URL generation • S3 access logs: • Custom access log information • Data classification code for analysis Amazon CloudWatch Events s3.amazonaws.com/awsexamplebucket/photos/puppy.jpg ?x-code=example

47. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. AWS KMS + AWS Encryption SDK Customer master key (CMK) Data key Encrypted data AWS Key Management Service (AWS KMS) "encryptionContext": { "aws:s3:arn": "arn:aws:s3:::bucket_name/file_name" } Example: https://amzn.to/2WlLK5I

48. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. VPC Amazon API Gateway VPC Flow Logs Amazon Elastic File System (Amazon EFS) Endpoints AWS Lambda RoleNAT Gateway AWS Organizations IAM AWS Single Sign-On MFA AWS Secrets Manager Amazon GuardDuty Amazon CloudWatchAWS CloudTrail AWS Config Amazon Simple Notification Service (Amazon SNS) Amazon Simple Storage Service (Amazon S3) IR Playbooks IR Tools Access AWS Code Services AWS CloudFormation AWS Systems Manager Event Role Auto Scaling group Endpoints AMI Amazon Route 53 AWS WAF Amazon Inspector AWS Certificate Manager Private Certificate Authority AWS KMSAWS Security Hub Amazon Macie Amazon CloudFront Application Encrypted Instances DLP Shared Load Balancer Application Load Balancer Database Encrypted Amazon Aurora

51. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Action! Main: https://aws.amazon.com/well-architected/ Framework: https://wa.aws.amazon.com Labs: http://bit.ly/WASecurityLabs Solutions: https://aws.amazon.com/solutions