SlideShare a Scribd company logo
1 of 52
Download to read offline
© 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Security best practices the well-
architected way
Ben Potter
Security Lead, Well-Architected
Amazon Web Services
@benji_potter
S D D 3 1 8
© 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Agenda
AWS Well-Architected introduction
Incident response
AWS Identity and Access Management (IAM)
Detective controls
Infrastructure protection
Data protection
© 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
https://aws.amazon.com/well-architected/
https://wa.aws.amazon.com
https://wellarchitectedlabs.com
AWS Well-Architected
© 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Are you Well-Architected?
Security Reliability
Performance
efficiency
Cost
optimization
Operational
excellence
© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential
© 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
History
Well-Architected
started
2012
Questions across
four pillars
2014
Operational
excellence
2016
Self-service,
imp. plans
2018
AWS SA reviews
2013
Published framework
2015
APN partners, lens
2017 2019
© 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Why AWS
Well-Architected
Framework?
Learn AWS best practices
Build and deploy faster
Lower or mitigate risks
Make informed decisions
© 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
AWS Well-Architected Tool
It is in the console
If its not in your region, use North Virginia
Use it as a training/learning tool
Create a dummy workload and start
© 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
IAM
Use automation
Enable detection
Prepare for an incident
What should you do first?
© 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Design principles
Implement a strong identity foundation
Enable traceability
Apply security at all layers
Automate security best practices
Protect data in transit and at rest
Keep people away from data
Prepare for security events
© 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
VPC
Amazon API
Gateway
Amazon Elastic
File System (Amazon EFS)
AWS Lambda
Role
Amazon Simple
Notification Service
(Amazon SNS)
Amazon Simple
Storage Service
(Amazon S3)
Instance
Application
© 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
© 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Use Amazon GuardDuty as a starting point
Threat intel,
ML/AI
anomaly
detection
Alert
+
Respond
Backdoor
Behavior
CryptoCurrency
PenTest
Persistence
Policy
PrivilegeEscalation
Recon
ResourceConsumption
Stealth
Trojan
Unauthorized
Amazon
GuardDuty
VPC Flow Logs
DNS logs
AWS CloudTrail
events
High
Medium
Low
FindingsData sourcesFinding types
© 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Use Amazon GuardDuty as a starting point
Threat intel,
ML/AI
Anomaly
Detection
Alert
+
Respond
Backdoor
Behavior
CryptoCurrency
PenTest
Persistence
Policy
PrivilegeEscalation
Recon
ResourceConsumption
Stealth
Trojan
Unauthorized
Amazon
GuardDuty
VPC flow logs
DNS Logs
CloudTrail Events
HIGH
MEDIUM
LOW
FindingsData SourcesFinding Types
New!
Guide: http://bit.ly/2EWlARo
© 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Playbooks
Working definition:
Playbooks provide adequately skilled team members, who are unfamiliar with
the workload, the guidance necessary to gather applicable information, identify
potential sources of failure, isolate faults, and determine root cause of issues.
© 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Playbooks—Example
# Scenario title:
Malicious IP action
# Scenario description:
An API was invoked from a known malicious IP address
# Data to gather:
CloudTrail + application logs
# Investigation steps:
CloudTrail history of IP, ASN, IP info, created resources
# Escalation & communication:
High severity infosec ticket
# Resolution steps:
Disabled credentials, remove resources
© 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
How to run a gameday
1. Schedule time block
2. Find a prize
3. Supply junk food and beverages
4. Pick relevant finding from: https://amzn.to/2PetNro
5. Create a playbook
6. Learn
7. Have fun!
© 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
VPC
Amazon API
Gateway
Amazon Elastic
File System
AWS Lambda
Role
Amazon Simple
Notification Service
Amazon Simple
Storage Service (S3)
Instance
Application
IR Playbooks IR Tools Access
Amazon GuardDuty
© 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
https://github.com/awslabs/aws-well-architected-
labs/tree/master/Security/300_Incident_Response_with_AWS_C
onsole_and_CLI
© 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
© 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Federation tip
https://aws.amazon.com/identity/federation/
Blog: https://amzn.to/2Wvh2LS
© 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Requirement: users and roles
created by delegated admins must
have a permissions boundary
Ability: can create users and roles
that have permissions boundaries
attached
Admins
Delegated
admins
“Bound” IAM
users and roles
Create delegated admins Create “bound” users and roles Users and roles restricted by
permissions boundaries
Result: permissions boundary
restrict the permissions of the users
and roles
Restricted resources
Permissions for resources
restricted
Permissions of the roles attached to
resources like Lambda functions are
limited by the permissions boundary
Permission boundaries
Lab: http://bit.ly/WALpb
© 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Automate credential management
• Disable / delete unused access keys
• Cleanup after federation
• Regularly remind people for having an access key
• Remove leavers
• Constantly reduce permission
© 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Lambda assuming role
RoleLambda function
Account 1 Account 2
Role Sign URL
© 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Lambda example
exports.handler = async (event) => {
// Parameters
var AWS = require('aws-sdk’);
var s3_params = {Bucket: 'bucket', Key: event.Records[0].file_name};
var sts_params = {
DurationSeconds: 900,
RoleArn: "arn:aws:iam::012345678901:role/service-role/assumed_role",
RoleSessionName: "Session”
};
// Assume the role with STS, an async call to get creds
var sts = new AWS.STS();
await sts.assumeRole(sts_params, function(err, data) {
var s3 =new AWS.S3({region: 'ap-southeast-2’,
sessionToken:data.Credentials.SessionToken});
// Sign the URL
var url = s3.getSignedUrl('getObject', s3_params);
// Return the response
const response = {
statusCode: 200,
body: JSON.stringify('Hello from Lambda!’),
};
return response;}).promise();
© 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
VPC
Amazon API
Gateway
Amazon Elastic
File System
(Amazon EFS)
AWS Lambda
Role
Amazon Simple
Notification Service
(Amazon SNS)
Amazon Simple
Storage Service
(Amazon S3)
Application
IR Playbooks IR Tools Access
Role
Instance
AWS Organizations IAM AWS Single
Sign-On
MFA AWS Secrets
Manager
Amazon GuardDuty
© 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Role
Instance
VPC
Amazon API
Gateway
Amazon Elastic
File System
(Amazon EFS)
AWS Lambda
Role
Amazon Simple
Notification Service
(Amazon SNS)
Amazon Simple
Storage Service
(Amazon S3)
Application
IR Playbooks IR Tools Access
AWS Organizations IAM AWS Single
Sign-On
MFA AWS Secrets
Manager
AWS Code
Services
AWS CloudFormation AWS Systems
Manager
Event
Amazon GuardDuty
© 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
© 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Automate detective controls
Amazon GuardDuty
AWS Config
AWS CloudTrail
AWS CloudFormation
Lab: http://bit.ly/2WIz2SY
https://amzn.to/2Wp3GkT
http://bit.ly/CRuleRem
© 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Have you created a threat model?
Every threat has a MOM:
Method: The skills, knowledge, tools to pull off the attack
Opportunity: The time and access to accomplish the attack
Motive: A reason to want to perform this attack
Have you tested your detective and responsive controls?
Threat model
© 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
What to look for
Recon
DNS
Denies
404’s
Logins / time
© 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Challenge
How would you detect credential stuffing?
2019-05-23 01:13:12 LAX1 2390282 2001:0db8:85a3:0000:0000:8a2e:0370:1337 POST
d111111abcdef8.cloudfront.net /myloginapi/login.do 200
© 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Challenge
• MFA
• Throttle
• Captive portal
• Fingerprint*
• Partners
https://haveibeenpwned.com/Passwords
© 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Continuous evaluation
CIS Quick Start: https://amzn.to/2XE5SSp
© 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
VPC
Amazon Simple
Notification Service
(Amazon SNS)
Amazon Simple
Storage Service
(Amazon S3)
Application
IR Playbooks IR Tools Access
Role
Instance
AWS Organizations IAM AWS Single
Sign-On
MFA AWS Secrets
Manager
AWS Code
Services
AWS CloudFormation AWS Systems
Manager
Event
Amazon GuardDuty Amazon CloudWatchAWS CloudTrail AWS Config
Amazon API
Gateway
Amazon Elastic
File System
(Amazon EFS)
AWS Lambda
Role
VPC Flow
Logs
© 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
© 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
TPZ Egress
Transit
gateway
Security inspection
services
Security inspection
services
TPZ ingress
Xero threat protection zone
Share subnets between accounts in an AWS Organization
Account
Account
Account
Account
Resource share
Resource share
Infrastructure
account
VPC sharing and resource access manager
© 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Automate protection
AWS WAF automation: https://amzn.to/2MzNdpH
Whitelist
Blacklist
SQL Injection
XSS
HTTP Flood
Scanners & Probes
IP Reputation Lists
Bad Bot
Amazon CloudFront Application Load
Balancer
Web Application Resources
Amazon Kinesis
Data Firehose
Amazon S3
Web ACL
Traffic Information
Amazon API Gateway
Amazon Athena AWS Lambda
Log Passer
Amazon Athena
AWS Lambda
Access Handler
AWS Lambda
IP Lists Passer
Amazon CloudWatch
Event
Amazon S3
Access Logs
AWS WAF
Requests
WAF Logs
APP Logs
Hourly
© 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Tools
Source code and
dependency:
OWASP
Dependency-check
NPM audit + fix
RetireJS
boofuzz
Radamsa
american fuzzy lop
© 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
VPC
Amazon API
Gateway
VPC Flow Logs
Load Balancer
Application
Load Balancer
Amazon Elastic
File System
(Amazon EFS)
Database
Amazon Aurora Endpoints
AWS Lambda
Role
Shared
NAT Gateway
AWS Organizations IAM AWS Single
Sign-On
MFA AWS Secrets
Manager
Amazon GuardDuty Amazon CloudWatchAWS CloudTrail AWS Config
Amazon Simple
Notification Service
(Amazon SNS)
Amazon Simple
Storage Service
(Amazon S3)
Amazon Inspector AWS Security
Hub
IR Playbooks IR Tools Access
AWS Code
Services
AWS CloudFormation AWS Systems
Manager
Event
Role
Auto Scaling group
Instances
Endpoints
Application
AMI
Amazon CloudFrontAmazon Route 53 AWS WAF
© 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
VPC
Amazon API
Gateway
VPC Flow logs
Load Balancer
Application
Load Balancer
Amazon Elastic
File System
Database
Amazon Aurora Endpoints
AWS Lambda
Role
Shared
NAT Gateway
AWS Organizations IAM AWS Single
Sign-On
MFA AWS Secrets
Manager
Amazon GuardDuty Amazon CloudWatchAWS CloudTrail AWS Config
Amazon Simple
Notification Service
(Amazon SNS)
Amazon Simple
Storage Service
(Amazon S3)
Amazon Inspector AWS Security
Hub
IR Playbooks IR Tools Access
AWS Code
Services
AWS CloudFormation AWS Systems
Manager
Event
Role
Auto Scaling group
Instances
Endpoints
Application
AMI
Amazon CloudFrontAmazon Route 53 AWS WAF
http://bit.ly/315r99k
http://bit.ly/2Z2tDn7
© 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
© 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Keep people away from data
Don’t store
Don’t grant
Encrypt
Mask
Tokenize
Isolate
Tooling
Eliminate direct
access
Operations
as code
Version control
Implementing DevSecOps: https://amzn.to/313DMlD
© 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Data exfiltration
Host based
SaaS
Partners
DNS
Logs
© 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Automate detection of data leak
• Consider all sources of data!
• Interesting API calls:
• Any service that hosts data
• Pre-signed URL generation
• S3 access logs:
• Custom access log information
• Data classification code for analysis
Amazon CloudWatch
Events
s3.amazonaws.com/awsexamplebucket/photos/puppy.jpg
?x-code=example
© 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Default Amazon EBS encryption
New!
Blog: https://amzn.to/2HYQURb
© 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
AWS KMS + AWS Encryption SDK
Customer master
key (CMK)
Data key Encrypted data
AWS Key Management
Service (AWS KMS)
"encryptionContext": { "aws:s3:arn":
"arn:aws:s3:::bucket_name/file_name" }
Example: https://amzn.to/2WlLK5I
© 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
VPC
Amazon API
Gateway
VPC Flow Logs
Amazon Elastic
File System
(Amazon EFS)
Endpoints
AWS Lambda
RoleNAT Gateway
AWS Organizations IAM AWS Single
Sign-On
MFA AWS Secrets
Manager
Amazon GuardDuty Amazon CloudWatchAWS CloudTrail AWS Config
Amazon Simple
Notification Service
(Amazon SNS)
Amazon Simple
Storage Service
(Amazon S3)
IR Playbooks IR Tools Access
AWS Code
Services
AWS CloudFormation AWS Systems
Manager
Event
Role
Auto Scaling group
Endpoints
AMI
Amazon Route 53 AWS WAF
Amazon Inspector AWS Certificate
Manager
Private Certificate Authority
AWS KMSAWS Security
Hub
Amazon Macie
Amazon CloudFront
Application
Encrypted
Instances
DLP
Shared
Load Balancer
Application
Load Balancer
Database
Encrypted
Amazon Aurora
© 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
© 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Action!
© 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Action!
Main: https://aws.amazon.com/well-architected/
Framework: https://wa.aws.amazon.com
Labs: http://bit.ly/WASecurityLabs
Solutions: https://aws.amazon.com/solutions
Thank you!
© 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Ben Potter
Are you Well-Architected?
@benji_potter

More Related Content

What's hot

AWS Cloud Security & Compliance Basics Webinar
AWS Cloud Security & Compliance Basics WebinarAWS Cloud Security & Compliance Basics Webinar
AWS Cloud Security & Compliance Basics WebinarAmazon Web Services
 
An Introduction to the AWS Well Architected Framework - Webinar
An Introduction to the AWS Well Architected Framework - WebinarAn Introduction to the AWS Well Architected Framework - Webinar
An Introduction to the AWS Well Architected Framework - WebinarAmazon Web Services
 
Executing a Large-Scale Migration to AWS
Executing a Large-Scale Migration to AWSExecuting a Large-Scale Migration to AWS
Executing a Large-Scale Migration to AWSAmazon Web Services
 
Deploy and Govern at Scale with AWS Control Tower
Deploy and Govern at Scale with AWS Control TowerDeploy and Govern at Scale with AWS Control Tower
Deploy and Govern at Scale with AWS Control TowerAmazon Web Services
 
An Overview of Best Practices for Large Scale Migrations - AWS Transformation...
An Overview of Best Practices for Large Scale Migrations - AWS Transformation...An Overview of Best Practices for Large Scale Migrations - AWS Transformation...
An Overview of Best Practices for Large Scale Migrations - AWS Transformation...Amazon Web Services
 
AWS Networking – Advanced Concepts and new capabilities | AWS Summit Tel Aviv...
AWS Networking – Advanced Concepts and new capabilities | AWS Summit Tel Aviv...AWS Networking – Advanced Concepts and new capabilities | AWS Summit Tel Aviv...
AWS Networking – Advanced Concepts and new capabilities | AWS Summit Tel Aviv...Amazon Web Services
 
Designing security & governance via AWS Control Tower & Organizations - SEC30...
Designing security & governance via AWS Control Tower & Organizations - SEC30...Designing security & governance via AWS Control Tower & Organizations - SEC30...
Designing security & governance via AWS Control Tower & Organizations - SEC30...Amazon Web Services
 
CI/CD best practices for building modern applications - MAD304 - Chicago AWS ...
CI/CD best practices for building modern applications - MAD304 - Chicago AWS ...CI/CD best practices for building modern applications - MAD304 - Chicago AWS ...
CI/CD best practices for building modern applications - MAD304 - Chicago AWS ...Amazon Web Services
 
Technical Essentials Training: AWS Innovate Ottawa
Technical Essentials Training: AWS Innovate OttawaTechnical Essentials Training: AWS Innovate Ottawa
Technical Essentials Training: AWS Innovate OttawaAmazon Web Services
 
CI/CD for Containers: A Way Forward for Your DevOps Pipeline
CI/CD for Containers: A Way Forward for Your DevOps PipelineCI/CD for Containers: A Way Forward for Your DevOps Pipeline
CI/CD for Containers: A Way Forward for Your DevOps PipelineAmazon Web Services
 
Amazon GuardDuty: Intelligent Threat Detection and Continuous Monitoring to P...
Amazon GuardDuty: Intelligent Threat Detection and Continuous Monitoring to P...Amazon GuardDuty: Intelligent Threat Detection and Continuous Monitoring to P...
Amazon GuardDuty: Intelligent Threat Detection and Continuous Monitoring to P...Amazon Web Services
 
AWS Summit Seoul 2023 | 다중 계정 및 하이브리드 환경에서 안전한 IAM 체계 만들기
AWS Summit Seoul 2023 | 다중 계정 및 하이브리드 환경에서 안전한 IAM 체계 만들기AWS Summit Seoul 2023 | 다중 계정 및 하이브리드 환경에서 안전한 IAM 체계 만들기
AWS Summit Seoul 2023 | 다중 계정 및 하이브리드 환경에서 안전한 IAM 체계 만들기Amazon Web Services Korea
 

What's hot (20)

Amazon GuardDuty Lab
Amazon GuardDuty LabAmazon GuardDuty Lab
Amazon GuardDuty Lab
 
AWS Cloud Security & Compliance Basics Webinar
AWS Cloud Security & Compliance Basics WebinarAWS Cloud Security & Compliance Basics Webinar
AWS Cloud Security & Compliance Basics Webinar
 
AWS networking fundamentals
AWS networking fundamentalsAWS networking fundamentals
AWS networking fundamentals
 
An Introduction to the AWS Well Architected Framework - Webinar
An Introduction to the AWS Well Architected Framework - WebinarAn Introduction to the AWS Well Architected Framework - Webinar
An Introduction to the AWS Well Architected Framework - Webinar
 
Executing a Large-Scale Migration to AWS
Executing a Large-Scale Migration to AWSExecuting a Large-Scale Migration to AWS
Executing a Large-Scale Migration to AWS
 
Deploy and Govern at Scale with AWS Control Tower
Deploy and Govern at Scale with AWS Control TowerDeploy and Govern at Scale with AWS Control Tower
Deploy and Govern at Scale with AWS Control Tower
 
Introduction to AWS Security
Introduction to AWS SecurityIntroduction to AWS Security
Introduction to AWS Security
 
AWS Security by Design
AWS Security by Design AWS Security by Design
AWS Security by Design
 
Introduction to AWS Security
Introduction to AWS SecurityIntroduction to AWS Security
Introduction to AWS Security
 
AWS Secrets Manager
AWS Secrets ManagerAWS Secrets Manager
AWS Secrets Manager
 
An Overview of Best Practices for Large Scale Migrations - AWS Transformation...
An Overview of Best Practices for Large Scale Migrations - AWS Transformation...An Overview of Best Practices for Large Scale Migrations - AWS Transformation...
An Overview of Best Practices for Large Scale Migrations - AWS Transformation...
 
AWS Networking – Advanced Concepts and new capabilities | AWS Summit Tel Aviv...
AWS Networking – Advanced Concepts and new capabilities | AWS Summit Tel Aviv...AWS Networking – Advanced Concepts and new capabilities | AWS Summit Tel Aviv...
AWS Networking – Advanced Concepts and new capabilities | AWS Summit Tel Aviv...
 
Designing security & governance via AWS Control Tower & Organizations - SEC30...
Designing security & governance via AWS Control Tower & Organizations - SEC30...Designing security & governance via AWS Control Tower & Organizations - SEC30...
Designing security & governance via AWS Control Tower & Organizations - SEC30...
 
CI/CD best practices for building modern applications - MAD304 - Chicago AWS ...
CI/CD best practices for building modern applications - MAD304 - Chicago AWS ...CI/CD best practices for building modern applications - MAD304 - Chicago AWS ...
CI/CD best practices for building modern applications - MAD304 - Chicago AWS ...
 
Technical Essentials Training: AWS Innovate Ottawa
Technical Essentials Training: AWS Innovate OttawaTechnical Essentials Training: AWS Innovate Ottawa
Technical Essentials Training: AWS Innovate Ottawa
 
CI/CD for Containers: A Way Forward for Your DevOps Pipeline
CI/CD for Containers: A Way Forward for Your DevOps PipelineCI/CD for Containers: A Way Forward for Your DevOps Pipeline
CI/CD for Containers: A Way Forward for Your DevOps Pipeline
 
Amazon GuardDuty: Intelligent Threat Detection and Continuous Monitoring to P...
Amazon GuardDuty: Intelligent Threat Detection and Continuous Monitoring to P...Amazon GuardDuty: Intelligent Threat Detection and Continuous Monitoring to P...
Amazon GuardDuty: Intelligent Threat Detection and Continuous Monitoring to P...
 
Are you Well-Architected?
Are you Well-Architected?Are you Well-Architected?
Are you Well-Architected?
 
AWS Security Fundamentals
AWS Security FundamentalsAWS Security Fundamentals
AWS Security Fundamentals
 
AWS Summit Seoul 2023 | 다중 계정 및 하이브리드 환경에서 안전한 IAM 체계 만들기
AWS Summit Seoul 2023 | 다중 계정 및 하이브리드 환경에서 안전한 IAM 체계 만들기AWS Summit Seoul 2023 | 다중 계정 및 하이브리드 환경에서 안전한 IAM 체계 만들기
AWS Summit Seoul 2023 | 다중 계정 및 하이브리드 환경에서 안전한 IAM 체계 만들기
 

Similar to Security best practices the well-architected way - SDD318 - AWS re:Inforce 2019

AWS Technical Day Riyadh Nov 2019 - Scaling threat detection and response in aws
AWS Technical Day Riyadh Nov 2019 - Scaling threat detection and response in awsAWS Technical Day Riyadh Nov 2019 - Scaling threat detection and response in aws
AWS Technical Day Riyadh Nov 2019 - Scaling threat detection and response in awsAWS Riyadh User Group
 
In the cloud, the name of the game is securability! - SEP303 - AWS re:Inforce...
In the cloud, the name of the game is securability! - SEP303 - AWS re:Inforce...In the cloud, the name of the game is securability! - SEP303 - AWS re:Inforce...
In the cloud, the name of the game is securability! - SEP303 - AWS re:Inforce...Amazon Web Services
 
Leadership session: Aspirational security - SEP318-L - AWS re:Inforce 2019
Leadership session: Aspirational security - SEP318-L - AWS re:Inforce 2019 Leadership session: Aspirational security - SEP318-L - AWS re:Inforce 2019
Leadership session: Aspirational security - SEP318-L - AWS re:Inforce 2019 Amazon Web Services
 
Scaling threat detection and response on AWS
Scaling threat detection and response on AWSScaling threat detection and response on AWS
Scaling threat detection and response on AWSAmazon Web Services
 
Lock it Down: How to Secure your AWS Account and your Organization's Accounts
Lock it Down: How to Secure your AWS Account and your Organization's AccountsLock it Down: How to Secure your AWS Account and your Organization's Accounts
Lock it Down: How to Secure your AWS Account and your Organization's AccountsAmazon Web Services
 
Finding all the threats: AWS threat detection and remediation - SEC303 - Chic...
Finding all the threats: AWS threat detection and remediation - SEC303 - Chic...Finding all the threats: AWS threat detection and remediation - SEC303 - Chic...
Finding all the threats: AWS threat detection and remediation - SEC303 - Chic...Amazon Web Services
 
Scaling threat detection and response in AWS - SDD312-R - AWS re:Inforce 2019
Scaling threat detection and response in AWS - SDD312-R - AWS re:Inforce 2019 Scaling threat detection and response in AWS - SDD312-R - AWS re:Inforce 2019
Scaling threat detection and response in AWS - SDD312-R - AWS re:Inforce 2019 Amazon Web Services
 
Threat detection - SEC207 - New York AWS Summit
Threat detection - SEC207 - New York AWS SummitThreat detection - SEC207 - New York AWS Summit
Threat detection - SEC207 - New York AWS SummitAmazon Web Services
 
Humans and Data Don't Mix- Best Practices to Secure Your Cloud
Humans and Data Don't Mix- Best Practices to Secure Your CloudHumans and Data Don't Mix- Best Practices to Secure Your Cloud
Humans and Data Don't Mix- Best Practices to Secure Your CloudAmazon Web Services
 
Module 4: Secure your cloud applications - AWSome Day Online Conference 2019
Module 4: Secure your cloud applications - AWSome Day Online Conference 2019Module 4: Secure your cloud applications - AWSome Day Online Conference 2019
Module 4: Secure your cloud applications - AWSome Day Online Conference 2019Amazon Web Services
 
Evolving perimeters with guardrails, not gates: Improving developer agility -...
Evolving perimeters with guardrails, not gates: Improving developer agility -...Evolving perimeters with guardrails, not gates: Improving developer agility -...
Evolving perimeters with guardrails, not gates: Improving developer agility -...Amazon Web Services
 
Threat detection and mitigation at AWS - SEC201 - New York AWS Summit
Threat detection and mitigation at AWS - SEC201 - New York AWS SummitThreat detection and mitigation at AWS - SEC201 - New York AWS Summit
Threat detection and mitigation at AWS - SEC201 - New York AWS SummitAmazon Web Services
 
Meeting Enterprise Security Requirements with AWS Native Security Services (S...
Meeting Enterprise Security Requirements with AWS Native Security Services (S...Meeting Enterprise Security Requirements with AWS Native Security Services (S...
Meeting Enterprise Security Requirements with AWS Native Security Services (S...Amazon Web Services
 
Security at the speed of cloud: How to think about it & how you can do it now...
Security at the speed of cloud: How to think about it & how you can do it now...Security at the speed of cloud: How to think about it & how you can do it now...
Security at the speed of cloud: How to think about it & how you can do it now...Amazon Web Services
 
Sicurezza in AWS automazione e best practice
Sicurezza in AWS automazione e best practiceSicurezza in AWS automazione e best practice
Sicurezza in AWS automazione e best practiceAmazon Web Services
 
Lock It Down: How to Secure Your Organization's AWS Account
Lock It Down: How to Secure Your Organization's AWS AccountLock It Down: How to Secure Your Organization's AWS Account
Lock It Down: How to Secure Your Organization's AWS AccountAmazon Web Services
 
Securing enterprise-grade serverless applications - SDD401 - AWS re:Inforce 2...
Securing enterprise-grade serverless applications - SDD401 - AWS re:Inforce 2...Securing enterprise-grade serverless applications - SDD401 - AWS re:Inforce 2...
Securing enterprise-grade serverless applications - SDD401 - AWS re:Inforce 2...Amazon Web Services
 
AWS Security Week: Humans & Data Don’t Mix - Best Practices to Secure Your Cloud
AWS Security Week: Humans & Data Don’t Mix - Best Practices to Secure Your CloudAWS Security Week: Humans & Data Don’t Mix - Best Practices to Secure Your Cloud
AWS Security Week: Humans & Data Don’t Mix - Best Practices to Secure Your CloudAmazon Web Services
 
What's New in AWS Security Features
What's New in AWS Security FeaturesWhat's New in AWS Security Features
What's New in AWS Security FeaturesAmazon Web Services
 

Similar to Security best practices the well-architected way - SDD318 - AWS re:Inforce 2019 (20)

AWS Technical Day Riyadh Nov 2019 - Scaling threat detection and response in aws
AWS Technical Day Riyadh Nov 2019 - Scaling threat detection and response in awsAWS Technical Day Riyadh Nov 2019 - Scaling threat detection and response in aws
AWS Technical Day Riyadh Nov 2019 - Scaling threat detection and response in aws
 
In the cloud, the name of the game is securability! - SEP303 - AWS re:Inforce...
In the cloud, the name of the game is securability! - SEP303 - AWS re:Inforce...In the cloud, the name of the game is securability! - SEP303 - AWS re:Inforce...
In the cloud, the name of the game is securability! - SEP303 - AWS re:Inforce...
 
Leadership session: Aspirational security - SEP318-L - AWS re:Inforce 2019
Leadership session: Aspirational security - SEP318-L - AWS re:Inforce 2019 Leadership session: Aspirational security - SEP318-L - AWS re:Inforce 2019
Leadership session: Aspirational security - SEP318-L - AWS re:Inforce 2019
 
Scaling threat detection and response on AWS
Scaling threat detection and response on AWSScaling threat detection and response on AWS
Scaling threat detection and response on AWS
 
Lock it Down: How to Secure your AWS Account and your Organization's Accounts
Lock it Down: How to Secure your AWS Account and your Organization's AccountsLock it Down: How to Secure your AWS Account and your Organization's Accounts
Lock it Down: How to Secure your AWS Account and your Organization's Accounts
 
Finding all the threats: AWS threat detection and remediation - SEC303 - Chic...
Finding all the threats: AWS threat detection and remediation - SEC303 - Chic...Finding all the threats: AWS threat detection and remediation - SEC303 - Chic...
Finding all the threats: AWS threat detection and remediation - SEC303 - Chic...
 
Scaling threat detection and response in AWS - SDD312-R - AWS re:Inforce 2019
Scaling threat detection and response in AWS - SDD312-R - AWS re:Inforce 2019 Scaling threat detection and response in AWS - SDD312-R - AWS re:Inforce 2019
Scaling threat detection and response in AWS - SDD312-R - AWS re:Inforce 2019
 
Threat detection - SEC207 - New York AWS Summit
Threat detection - SEC207 - New York AWS SummitThreat detection - SEC207 - New York AWS Summit
Threat detection - SEC207 - New York AWS Summit
 
Humans and Data Don't Mix- Best Practices to Secure Your Cloud
Humans and Data Don't Mix- Best Practices to Secure Your CloudHumans and Data Don't Mix- Best Practices to Secure Your Cloud
Humans and Data Don't Mix- Best Practices to Secure Your Cloud
 
Module 4: Secure your cloud applications - AWSome Day Online Conference 2019
Module 4: Secure your cloud applications - AWSome Day Online Conference 2019Module 4: Secure your cloud applications - AWSome Day Online Conference 2019
Module 4: Secure your cloud applications - AWSome Day Online Conference 2019
 
Evolving perimeters with guardrails, not gates: Improving developer agility -...
Evolving perimeters with guardrails, not gates: Improving developer agility -...Evolving perimeters with guardrails, not gates: Improving developer agility -...
Evolving perimeters with guardrails, not gates: Improving developer agility -...
 
Threat detection and mitigation at AWS - SEC201 - New York AWS Summit
Threat detection and mitigation at AWS - SEC201 - New York AWS SummitThreat detection and mitigation at AWS - SEC201 - New York AWS Summit
Threat detection and mitigation at AWS - SEC201 - New York AWS Summit
 
Meeting Enterprise Security Requirements with AWS Native Security Services (S...
Meeting Enterprise Security Requirements with AWS Native Security Services (S...Meeting Enterprise Security Requirements with AWS Native Security Services (S...
Meeting Enterprise Security Requirements with AWS Native Security Services (S...
 
Security at the speed of cloud: How to think about it & how you can do it now...
Security at the speed of cloud: How to think about it & how you can do it now...Security at the speed of cloud: How to think about it & how you can do it now...
Security at the speed of cloud: How to think about it & how you can do it now...
 
Sicurezza in AWS automazione e best practice
Sicurezza in AWS automazione e best practiceSicurezza in AWS automazione e best practice
Sicurezza in AWS automazione e best practice
 
Lock It Down: How to Secure Your Organization's AWS Account
Lock It Down: How to Secure Your Organization's AWS AccountLock It Down: How to Secure Your Organization's AWS Account
Lock It Down: How to Secure Your Organization's AWS Account
 
Securing enterprise-grade serverless applications - SDD401 - AWS re:Inforce 2...
Securing enterprise-grade serverless applications - SDD401 - AWS re:Inforce 2...Securing enterprise-grade serverless applications - SDD401 - AWS re:Inforce 2...
Securing enterprise-grade serverless applications - SDD401 - AWS re:Inforce 2...
 
Keeping Humans Away From Data
Keeping Humans Away From DataKeeping Humans Away From Data
Keeping Humans Away From Data
 
AWS Security Week: Humans & Data Don’t Mix - Best Practices to Secure Your Cloud
AWS Security Week: Humans & Data Don’t Mix - Best Practices to Secure Your CloudAWS Security Week: Humans & Data Don’t Mix - Best Practices to Secure Your Cloud
AWS Security Week: Humans & Data Don’t Mix - Best Practices to Secure Your Cloud
 
What's New in AWS Security Features
What's New in AWS Security FeaturesWhat's New in AWS Security Features
What's New in AWS Security Features
 

More from Amazon Web Services

Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...Amazon Web Services
 
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...Amazon Web Services
 
Esegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS FargateEsegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS FargateAmazon Web Services
 
Costruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWSCostruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWSAmazon Web Services
 
Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot Amazon Web Services
 
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...Amazon Web Services
 
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...Amazon Web Services
 
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows WorkloadsMicrosoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows WorkloadsAmazon Web Services
 
Database Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatareDatabase Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatareAmazon Web Services
 
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJSCrea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJSAmazon Web Services
 
API moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAPI moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAmazon Web Services
 
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareDatabase Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareAmazon Web Services
 
Tools for building your MVP on AWS
Tools for building your MVP on AWSTools for building your MVP on AWS
Tools for building your MVP on AWSAmazon Web Services
 
How to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckHow to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckAmazon Web Services
 
Building a web application without servers
Building a web application without serversBuilding a web application without servers
Building a web application without serversAmazon Web Services
 
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...Amazon Web Services
 
Introduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceIntroduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceAmazon Web Services
 

More from Amazon Web Services (20)

Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
 
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
 
Esegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS FargateEsegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS Fargate
 
Costruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWSCostruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWS
 
Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot
 
Open banking as a service
Open banking as a serviceOpen banking as a service
Open banking as a service
 
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
 
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
 
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows WorkloadsMicrosoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
 
Computer Vision con AWS
Computer Vision con AWSComputer Vision con AWS
Computer Vision con AWS
 
Database Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatareDatabase Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatare
 
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJSCrea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
 
API moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAPI moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e web
 
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareDatabase Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
 
Tools for building your MVP on AWS
Tools for building your MVP on AWSTools for building your MVP on AWS
Tools for building your MVP on AWS
 
How to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckHow to Build a Winning Pitch Deck
How to Build a Winning Pitch Deck
 
Building a web application without servers
Building a web application without serversBuilding a web application without servers
Building a web application without servers
 
Fundraising Essentials
Fundraising EssentialsFundraising Essentials
Fundraising Essentials
 
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
 
Introduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceIntroduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container Service
 

Security best practices the well-architected way - SDD318 - AWS re:Inforce 2019

  • 1. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Security best practices the well- architected way Ben Potter Security Lead, Well-Architected Amazon Web Services @benji_potter S D D 3 1 8
  • 2. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Agenda AWS Well-Architected introduction Incident response AWS Identity and Access Management (IAM) Detective controls Infrastructure protection Data protection
  • 3. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. https://aws.amazon.com/well-architected/ https://wa.aws.amazon.com https://wellarchitectedlabs.com AWS Well-Architected
  • 4. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Are you Well-Architected? Security Reliability Performance efficiency Cost optimization Operational excellence © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential
  • 5. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. History Well-Architected started 2012 Questions across four pillars 2014 Operational excellence 2016 Self-service, imp. plans 2018 AWS SA reviews 2013 Published framework 2015 APN partners, lens 2017 2019
  • 6. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Why AWS Well-Architected Framework? Learn AWS best practices Build and deploy faster Lower or mitigate risks Make informed decisions
  • 7. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. AWS Well-Architected Tool It is in the console If its not in your region, use North Virginia Use it as a training/learning tool Create a dummy workload and start
  • 8. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. IAM Use automation Enable detection Prepare for an incident What should you do first?
  • 9. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Design principles Implement a strong identity foundation Enable traceability Apply security at all layers Automate security best practices Protect data in transit and at rest Keep people away from data Prepare for security events
  • 10. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. VPC Amazon API Gateway Amazon Elastic File System (Amazon EFS) AWS Lambda Role Amazon Simple Notification Service (Amazon SNS) Amazon Simple Storage Service (Amazon S3) Instance Application
  • 11. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
  • 12. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Use Amazon GuardDuty as a starting point Threat intel, ML/AI anomaly detection Alert + Respond Backdoor Behavior CryptoCurrency PenTest Persistence Policy PrivilegeEscalation Recon ResourceConsumption Stealth Trojan Unauthorized Amazon GuardDuty VPC Flow Logs DNS logs AWS CloudTrail events High Medium Low FindingsData sourcesFinding types
  • 13. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Use Amazon GuardDuty as a starting point Threat intel, ML/AI Anomaly Detection Alert + Respond Backdoor Behavior CryptoCurrency PenTest Persistence Policy PrivilegeEscalation Recon ResourceConsumption Stealth Trojan Unauthorized Amazon GuardDuty VPC flow logs DNS Logs CloudTrail Events HIGH MEDIUM LOW FindingsData SourcesFinding Types New! Guide: http://bit.ly/2EWlARo
  • 14. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Playbooks Working definition: Playbooks provide adequately skilled team members, who are unfamiliar with the workload, the guidance necessary to gather applicable information, identify potential sources of failure, isolate faults, and determine root cause of issues.
  • 15. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Playbooks—Example # Scenario title: Malicious IP action # Scenario description: An API was invoked from a known malicious IP address # Data to gather: CloudTrail + application logs # Investigation steps: CloudTrail history of IP, ASN, IP info, created resources # Escalation & communication: High severity infosec ticket # Resolution steps: Disabled credentials, remove resources
  • 16. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. How to run a gameday 1. Schedule time block 2. Find a prize 3. Supply junk food and beverages 4. Pick relevant finding from: https://amzn.to/2PetNro 5. Create a playbook 6. Learn 7. Have fun!
  • 17. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. VPC Amazon API Gateway Amazon Elastic File System AWS Lambda Role Amazon Simple Notification Service Amazon Simple Storage Service (S3) Instance Application IR Playbooks IR Tools Access Amazon GuardDuty
  • 18. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. https://github.com/awslabs/aws-well-architected- labs/tree/master/Security/300_Incident_Response_with_AWS_C onsole_and_CLI
  • 19. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
  • 20. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Federation tip https://aws.amazon.com/identity/federation/ Blog: https://amzn.to/2Wvh2LS
  • 21. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Requirement: users and roles created by delegated admins must have a permissions boundary Ability: can create users and roles that have permissions boundaries attached Admins Delegated admins “Bound” IAM users and roles Create delegated admins Create “bound” users and roles Users and roles restricted by permissions boundaries Result: permissions boundary restrict the permissions of the users and roles Restricted resources Permissions for resources restricted Permissions of the roles attached to resources like Lambda functions are limited by the permissions boundary Permission boundaries Lab: http://bit.ly/WALpb
  • 22. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Automate credential management • Disable / delete unused access keys • Cleanup after federation • Regularly remind people for having an access key • Remove leavers • Constantly reduce permission
  • 23. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Lambda assuming role RoleLambda function Account 1 Account 2 Role Sign URL
  • 24. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Lambda example exports.handler = async (event) => { // Parameters var AWS = require('aws-sdk’); var s3_params = {Bucket: 'bucket', Key: event.Records[0].file_name}; var sts_params = { DurationSeconds: 900, RoleArn: "arn:aws:iam::012345678901:role/service-role/assumed_role", RoleSessionName: "Session” }; // Assume the role with STS, an async call to get creds var sts = new AWS.STS(); await sts.assumeRole(sts_params, function(err, data) { var s3 =new AWS.S3({region: 'ap-southeast-2’, sessionToken:data.Credentials.SessionToken}); // Sign the URL var url = s3.getSignedUrl('getObject', s3_params); // Return the response const response = { statusCode: 200, body: JSON.stringify('Hello from Lambda!’), }; return response;}).promise();
  • 25. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. VPC Amazon API Gateway Amazon Elastic File System (Amazon EFS) AWS Lambda Role Amazon Simple Notification Service (Amazon SNS) Amazon Simple Storage Service (Amazon S3) Application IR Playbooks IR Tools Access Role Instance AWS Organizations IAM AWS Single Sign-On MFA AWS Secrets Manager Amazon GuardDuty
  • 26. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Role Instance VPC Amazon API Gateway Amazon Elastic File System (Amazon EFS) AWS Lambda Role Amazon Simple Notification Service (Amazon SNS) Amazon Simple Storage Service (Amazon S3) Application IR Playbooks IR Tools Access AWS Organizations IAM AWS Single Sign-On MFA AWS Secrets Manager AWS Code Services AWS CloudFormation AWS Systems Manager Event Amazon GuardDuty
  • 27. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
  • 28. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Automate detective controls Amazon GuardDuty AWS Config AWS CloudTrail AWS CloudFormation Lab: http://bit.ly/2WIz2SY https://amzn.to/2Wp3GkT http://bit.ly/CRuleRem
  • 29. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Have you created a threat model? Every threat has a MOM: Method: The skills, knowledge, tools to pull off the attack Opportunity: The time and access to accomplish the attack Motive: A reason to want to perform this attack Have you tested your detective and responsive controls? Threat model
  • 30. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. What to look for Recon DNS Denies 404’s Logins / time
  • 31. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Challenge How would you detect credential stuffing? 2019-05-23 01:13:12 LAX1 2390282 2001:0db8:85a3:0000:0000:8a2e:0370:1337 POST d111111abcdef8.cloudfront.net /myloginapi/login.do 200
  • 32. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Challenge • MFA • Throttle • Captive portal • Fingerprint* • Partners https://haveibeenpwned.com/Passwords
  • 33. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Continuous evaluation CIS Quick Start: https://amzn.to/2XE5SSp
  • 34. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. VPC Amazon Simple Notification Service (Amazon SNS) Amazon Simple Storage Service (Amazon S3) Application IR Playbooks IR Tools Access Role Instance AWS Organizations IAM AWS Single Sign-On MFA AWS Secrets Manager AWS Code Services AWS CloudFormation AWS Systems Manager Event Amazon GuardDuty Amazon CloudWatchAWS CloudTrail AWS Config Amazon API Gateway Amazon Elastic File System (Amazon EFS) AWS Lambda Role VPC Flow Logs
  • 35. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
  • 36. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. TPZ Egress Transit gateway Security inspection services Security inspection services TPZ ingress Xero threat protection zone
  • 37. Share subnets between accounts in an AWS Organization Account Account Account Account Resource share Resource share Infrastructure account VPC sharing and resource access manager
  • 38. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Automate protection AWS WAF automation: https://amzn.to/2MzNdpH Whitelist Blacklist SQL Injection XSS HTTP Flood Scanners & Probes IP Reputation Lists Bad Bot Amazon CloudFront Application Load Balancer Web Application Resources Amazon Kinesis Data Firehose Amazon S3 Web ACL Traffic Information Amazon API Gateway Amazon Athena AWS Lambda Log Passer Amazon Athena AWS Lambda Access Handler AWS Lambda IP Lists Passer Amazon CloudWatch Event Amazon S3 Access Logs AWS WAF Requests WAF Logs APP Logs Hourly
  • 39. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Tools Source code and dependency: OWASP Dependency-check NPM audit + fix RetireJS boofuzz Radamsa american fuzzy lop
  • 40. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. VPC Amazon API Gateway VPC Flow Logs Load Balancer Application Load Balancer Amazon Elastic File System (Amazon EFS) Database Amazon Aurora Endpoints AWS Lambda Role Shared NAT Gateway AWS Organizations IAM AWS Single Sign-On MFA AWS Secrets Manager Amazon GuardDuty Amazon CloudWatchAWS CloudTrail AWS Config Amazon Simple Notification Service (Amazon SNS) Amazon Simple Storage Service (Amazon S3) Amazon Inspector AWS Security Hub IR Playbooks IR Tools Access AWS Code Services AWS CloudFormation AWS Systems Manager Event Role Auto Scaling group Instances Endpoints Application AMI Amazon CloudFrontAmazon Route 53 AWS WAF
  • 41. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. VPC Amazon API Gateway VPC Flow logs Load Balancer Application Load Balancer Amazon Elastic File System Database Amazon Aurora Endpoints AWS Lambda Role Shared NAT Gateway AWS Organizations IAM AWS Single Sign-On MFA AWS Secrets Manager Amazon GuardDuty Amazon CloudWatchAWS CloudTrail AWS Config Amazon Simple Notification Service (Amazon SNS) Amazon Simple Storage Service (Amazon S3) Amazon Inspector AWS Security Hub IR Playbooks IR Tools Access AWS Code Services AWS CloudFormation AWS Systems Manager Event Role Auto Scaling group Instances Endpoints Application AMI Amazon CloudFrontAmazon Route 53 AWS WAF http://bit.ly/315r99k http://bit.ly/2Z2tDn7
  • 42. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
  • 43. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Keep people away from data Don’t store Don’t grant Encrypt Mask Tokenize Isolate Tooling Eliminate direct access Operations as code Version control Implementing DevSecOps: https://amzn.to/313DMlD
  • 44. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Data exfiltration Host based SaaS Partners DNS Logs
  • 45. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Automate detection of data leak • Consider all sources of data! • Interesting API calls: • Any service that hosts data • Pre-signed URL generation • S3 access logs: • Custom access log information • Data classification code for analysis Amazon CloudWatch Events s3.amazonaws.com/awsexamplebucket/photos/puppy.jpg ?x-code=example
  • 46. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Default Amazon EBS encryption New! Blog: https://amzn.to/2HYQURb
  • 47. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. AWS KMS + AWS Encryption SDK Customer master key (CMK) Data key Encrypted data AWS Key Management Service (AWS KMS) "encryptionContext": { "aws:s3:arn": "arn:aws:s3:::bucket_name/file_name" } Example: https://amzn.to/2WlLK5I
  • 48. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. VPC Amazon API Gateway VPC Flow Logs Amazon Elastic File System (Amazon EFS) Endpoints AWS Lambda RoleNAT Gateway AWS Organizations IAM AWS Single Sign-On MFA AWS Secrets Manager Amazon GuardDuty Amazon CloudWatchAWS CloudTrail AWS Config Amazon Simple Notification Service (Amazon SNS) Amazon Simple Storage Service (Amazon S3) IR Playbooks IR Tools Access AWS Code Services AWS CloudFormation AWS Systems Manager Event Role Auto Scaling group Endpoints AMI Amazon Route 53 AWS WAF Amazon Inspector AWS Certificate Manager Private Certificate Authority AWS KMSAWS Security Hub Amazon Macie Amazon CloudFront Application Encrypted Instances DLP Shared Load Balancer Application Load Balancer Database Encrypted Amazon Aurora
  • 49. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
  • 50. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Action!
  • 51. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Action! Main: https://aws.amazon.com/well-architected/ Framework: https://wa.aws.amazon.com Labs: http://bit.ly/WASecurityLabs Solutions: https://aws.amazon.com/solutions
  • 52. Thank you! © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Ben Potter Are you Well-Architected? @benji_potter