
SID206_Best Practices for Managing Security Operations on AWS


To help prevent unexpected access to your AWS resources, it is critical to maintain strong identity and access policies and to track, effectively detect, and react to changes. In this session you will learn how to use AWS Identity and Access Management (IAM) to control access to AWS resources and how to integrate your existing authentication system with IAM. We will cover how to deploy and control AWS infrastructure using code templates, including change management policies with AWS CloudFormation. Further, effectively detecting and reacting to changes in posture or adverse actions requires the ability to monitor and process events. Several services within AWS enable this kind of monitoring, such as CloudTrail, CloudWatch Events, and the AWS service APIs. We will learn how Netflix uses a combination of these services to operationalize monitoring of their deployments at scale, and discuss the changes made as Netflix's deployment has grown over the years.


  1. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. AWS re:Invent: Best Practices for Managing Security Operations on AWS. Will Bengtson, Netflix, Senior Security Engineer; Armando Leite, AWS, Principal Security Architect. SID206, November 27, 2017.
  2. Agenda: Understand the boundary; Consistent controls; Test often, fail early; Closed-loop mechanisms; Full stack; Practice; Visibility.
  4. Blast radius, Segregate, Classify. AWS Account as the boundary: highest degree of segregation; by data classification, business unit, workload, or function. In-VPC: SGs, NACLs; AWS IAM resource-level constraints. VPC as the boundary (single account): equivalent to separate networks; peering, routing (+ all of the above); AWS IAM similar to the previous. Flexibility, Innovation, Right-sizing.
  5. Regardless of boundary, consider: how to aggregate logging; a dedicated SecOps account. (Diagram: accounts for BU A, BU B, Logging Agg., SecOps and Other (1..N), holding App A.1, App A.2, App B.1, App B.2, Conf A.2 and Pub A.2, grouped as Team A, Team B and Shared.)
  8. AWS CloudFormation + AWS Organizations
  11. Battery of test cases; spec review.
  12. Pipeline phases:
      • Commit phase (source-control changes): static code analysis, analyzing the CFN templates against a set of security rules.
      • Acceptance phase (dev environment): dynamic analysis, running the template in a sandbox/acceptance test environment.
      • Capacity/integration/staging phases (pre-prod environment): load, performance, penetration, and failover testing.
      • Production phase (prod environment): Deploy...
  15. Control / Monitor / Fix loop: Control, Monitor, Fix, Monitor, Fix.
  16. Signal vs. Noise. Spectrum of options: Gather, Remediate, Do Nothing, Correct, Alert, Enrich, Stop, Measure.
  17. Control / Monitor / Fix examples:
      • API calls are logged (CloudTrail). Monitor: StopTrail/change. Fix: turn it back on.
      • SSH only from bastion subnet. Monitor: on Create/Change SGs, validate the source if port == 22. Fix: change the SG via Lambda.
      • All instances patched up to date for XXX. Monitor: EC2 Systems Manager + AWS Config rules. Fix: patch via Systems Manager.
      • No root access. Monitor: CloudWatch Logs + syslog. Fix: isolate and investigate.
      • No public objects in S3. Monitor: object-level logging in CloudTrail. Fix: make the object private.
  18. https://aws.amazon.com/blogs/security/how-to-detect-and-automatically-remediate-unintended-permissions-in-amazon-s3-object-acls-with-cloudwatch-events/
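The "SSH only from bastion subnet" row above is a complete control/monitor/fix loop, so here is an added example of what the "Fix" step looks like in code (this is not code from the deck or from Netflix). It is a Lambda-style handler fed by a CloudWatch Events rule matching the CloudTrail record for `AuthorizeSecurityGroupIngress`; the bastion CIDR, the security group id and the sample event are constructed assumptions, and the boto3 client is injected so the logic runs offline.

```python
"""Added example: Lambda-style handler for the 'SSH only from bastion subnet' control.
Any port-22 rule whose source is outside the bastion subnet is revoked (control -> monitor -> fix)."""
import ipaddress

BASTION_SUBNET = ipaddress.ip_network("10.0.250.0/24")  # assumption: the only allowed SSH source


def offending_ssh_rules(detail, bastion=BASTION_SUBNET):
    """Return boto3-shaped IpPermissions entries that open port 22 from outside `bastion`."""
    bad = []
    for perm in detail.get("requestParameters", {}).get("ipPermissions", {}).get("items", []):
        proto, lo, hi = perm.get("ipProtocol"), perm.get("fromPort"), perm.get("toPort")
        # "-1" means every protocol and port; otherwise only TCP ranges that include 22 matter
        if not (proto == "-1" or (proto == "tcp" and lo is not None and lo <= 22 <= hi)):
            continue
        for rng in perm.get("ipRanges", {}).get("items", []):
            src = ipaddress.ip_network(rng["cidrIp"], strict=False)
            if src.version == bastion.version and src.subnet_of(bastion):
                continue  # permitted source, leave the rule alone
            rule = {"IpProtocol": proto, "IpRanges": [{"CidrIp": rng["cidrIp"]}]}
            if lo is not None:
                rule.update(FromPort=lo, ToPort=hi)
            bad.append(rule)
    return bad


def handler(event, ec2):
    """Lambda entry point; `ec2` is a boto3 EC2 client, injected so the logic runs offline."""
    detail = event["detail"]
    if detail.get("eventName") != "AuthorizeSecurityGroupIngress" or detail.get("errorCode"):
        return []  # wrong trigger, or the API call itself failed and changed nothing
    bad = offending_ssh_rules(detail)
    if bad:
        ec2.revoke_security_group_ingress(GroupId=detail["requestParameters"]["groupId"], IpPermissions=bad)
    return bad


class RecordingEC2:
    """Stand-in for the boto3 client: records revocations instead of calling AWS."""
    def __init__(self):
        self.calls = []

    def revoke_security_group_ingress(self, **kwargs):
        self.calls.append(kwargs)


SAMPLE_EVENT = {"detail": {  # constructed CloudTrail record as delivered by CloudWatch Events
    "eventName": "AuthorizeSecurityGroupIngress",
    "requestParameters": {"groupId": "sg-0123456789abcdef0", "ipPermissions": {"items": [
        {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
         "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}, {"cidrIp": "10.0.250.0/24"}]}},
        {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443, "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}}}
```

Running `handler(SAMPLE_EVENT, RecordingEC2())` revokes only the `0.0.0.0/0` port-22 rule and leaves the bastion and HTTPS rules in place; a real deployment would pass `boto3.client("ec2")` and be triggered by the CloudWatch Events rule.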
  21. Establishing platform security; establishing network security; establishing OS security; establishing data protection.
  22. Data protection. At rest: KMS, CloudHSM. In transit: VPN, ACM. *See Thu, 3:15 p.m., SID330 AWS Key Management Service Architecture Best Practices.
  24. Amazon EC2 Systems Manager: Run Command, State Manager, Inventory, Maintenance Window, Patch Manager, Automation, Parameter Store, Documents.
  26. *Security Incident Response Simulations (S.I.R.S.)
  27. Jam Sessions @ The Park (Linq). Security Jam: Tuesday the 28th. Jam Lounge: Wednesday and Thursday (from 8 a.m.). Go bananas!
  28. Architecture, Visibility, Audit. Will Bengtson, Netflix SecOps: Netflix Security Tools and Operations.
  29. Architecture, Visibility, Auditing.
  31. Our security operations center is not bright dashboards that we watch all day.
  33. CloudTrail, CloudWatch, SDKs.
  42. Netflix is BIG.
  43. > 100,000 instances.
  44. > 33% of US internet traffic.
  45. 1,000s of changes.
  46. 1,000,000+ events/minute.
  47. 1,000,000+ events/minute in only two accounts.
  48. Multiple accounts.
  54. Awwwdit
  56. Historical
  57. Tag, you're it! Resources:
      • How to Detect and Automatically Remediate Unintended Permissions in Amazon S3 Object ACLs with CloudWatch Events: https://aws.amazon.com/blogs/security/how-to-detect-and-automatically-remediate-unintended-permissions-in-amazon-s3-object-acls-with-cloudwatch-events/
      • Implementing DevSecOps Using AWS CodePipeline: https://aws.amazon.com/blogs/devops/implementing-devsecops-using-aws-codepipeline/
      • Automating Governance repo: https://github.com/awslabs/automating-governance-sample
      • Tuesday, 27th November, 8 a.m.: Security Jam (HAC05) (extra seating added, bring a laptop!)
  58. Thank you! Tue start 8 a.m.: Security Jam. Wed start 11 a.m.: Analytics Jam. Thur start 11 a.m.: All-In Jam. Jam Lounge: Wed and Thur from 8 a.m., drop by at any time. William Bengtson @ Netflix, Armando Leite @ AWS. Your turn! Just need a laptop!
