So You've Got ATO - Are You Sure You are Secure?

P U B L I C S E C T O R
S U M M I T
Washingt on DC

© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.P U B L I C S E C T O R
S U M M I T
So You've Got ATO - Are You Sure
You are Secure?
Stephen Alexander
Sr Solutions Architect
Amazon Web Services
3 0 2 8 0 6

S U M M I T
Agenda
• Understand your blast radius
• Multi Account Strategy
• Least Privilege access to AWS
• So…AWS Identity and Access Management (IAM) Users is not the best way to do this?
• Collect and leverage logs – including AWS Service Logs?
• Wait…what logs?
• Treat your Infrastructure as Code
• What does this mean?
• Are you “AWS Well-Architected?”
• How can I tell?

S U M M I T
What does ATO mean?
Authority to Operate (ATO)
• Production system or service
• Beyond the “testing” phase
• Live “Mission” Workloads
VPC
AWS Cloud
Availability Zone 1
Auto Scaling group
Availability Zone 2
Auto Scaling group
NAT Gateway NAT Gateway
Instance Instance
Instance Instance
Amazon EC2 Auto
Scaling
Public subnet

S U M M I T

S U M M I T
First boundary…The AWS Account
 Billing and
financial
 Reserved instances
 Volume discounts
 Trusted advisor
Financial
responsibility
Resource containment
Security boundary
 Resources boundary
 AWS resources soft
and hard limit
 Access granted to users,
groups, and resources
 Data boundary

S U M M I T
Why should I use Multi-Accounts?
• Limit workload discoverability
• Environment isolation
• Minimize blast radius
• Account level service limits
• Allow for agility with control
• Cost allocation / chargeback

S U M M I T
Billing account
Cost monitors
Security and audit account
Shared-services
account
Application account
(Prod/non-prod)
Corp Net
Central logging
CloudTrail
AWS Config
CloudWatch
VPC Flow
Billing
Peering
DX/VPN
Logging
Security
Directory
Service
Cross-account
manager
Role
Role Role
VPC VPC VPC
Example

S U M M I T
AWS Identity & Access Management Questions
• Did you lockdown root?
• Are you using 2 Person integrity?
• Why are you using IAM Users?
• Multiple Accounts…Multiple Passwords?
• Don’t tell me you have issued AK/SKs?!
• Are you using MFA?
• Do you use Permission Boundaries?
• Are you using Service Control Policies?

S U M M I T
• Identities
• Identity of actors, known as principals (users, groups, roles)
• AWS IAM/Directory can manage cloud identities or you can
federate through your own identity provider
• API Actions
• What does the API do or how does it respond
• Resources
• AWS resources that IAM actions apply to
• Some resource types support resource policies that further define
allowed actions
• Conditions
• Precisely define required characteristics of identities, actions,
resources, and other requests parameters to allow an action
AWS Identity & Access Management Overview

S U M M I T
AWS IAM Example Policy
Managed Policy for an IAM User, Group or Role
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ec2:AttachVolume",
"ec2:DetachVolume"],
"Resource":
"arn:aws:ec2:*:*:instance/*",
"Condition": {
"StringEquals":
{"ec2:ResourceTag/department": "dev”}
}}
]}

S U M M I T
AWS Resource Policy Example
S3 Bucket Policy
{
"Version": "2012-10-17",
"Id": “S3BucketPolicyExample",
"Statement": [
{
"Effect": "Deny",
"Principal": "*",
"Action": "s3:*",
"Resource":
"arn:aws:s3:::bucket/taxdocuments/*",
"Condition": { "Null": {
"aws:MultiFactorAuthAge": true }}
}
]}

S U M M I T
Service Control Policies (SCPs)
• Enables you to control which AWS service APIs are
accessible. Filter:
Define the list of APIs that are allowed – whitelisting.
Define the list of APIs that must be blocked – blacklisting.
• Cannot be overridden by local administrator (including the
root user).
• Resultant permission on IAM user/role is the intersection
between the SCP and assigned IAM permissions.

S U M M I T
AWS
CloudTrail
AWS
Config
Amazon
CloudWatch
Amazon Virtual Private Cloud
(Amazon VPC) Flow logs
Record AWS API calls
Enable Governance,
Compliance & Auditing
Monitor resources &
your applications on
AWS. Collect metrics,
set alarms, and
automatically
react to changes
Resource inventory,
configuration history,
and configuration
change notifications to
enable security and
governance
Capture information about
the IP traffic going to and
from network interfaces in
your VPC
Account Resources Network
Amazon
GuardDuty
Intelligent threat
detection &
continuous
monitoring to
protect your AWS
accounts and
workloads
Auditing and Visibility

S U M M I T
VPC subnet
Amazon
EC2
Flow logs
AWS
CloudTrail
Amazon S3
Amazon
CloudWatch
AWS Lambda
Amazon
Elasticsearch
Service
Log Transform Search
Centralized logging makes it easy for security
teams to consolidate AWS logs and analyze
them to detect incidents
You can do this using:
• Amazon ES
• CloudTrail logs
• Amazon Elastic Compute Cloud
(Amazon EC2) server logs
• Application Logs
• Amazon VPC flow logs
• Amazon S3 Server Access Logs
• Elastic Load Balancing (ELB) Logs
• Relational Database Service (RDS)
Logs
• Other logs??
Consolidate the logging

S U M M I T
Amazon
Simple Notification
Service (Amazon
SNS)
CloudWatch
Logs
Mission
Application
AWS
Lambda
If SSH REJECT > 10, then…
Elastic
Network
Interface
Metric filter
Filter on all SSH
REJECTFlow Logs group
CloudWatch
alarm
Source IPPrivate
subnet
VPC Flow Logs: Automation

S U M M I T
Manual vs Infrastructure as Code (IaC)
Allows you to replicate your entire
environment in an entirely
different Region
Effective for DR/COOP
Allows you to automate validation
and approve “Reference
Architecture”
Allows you to have version control
and better Change Management to
include Rollback

S U M M I T
AWS CloudFormation Overview
• JSON/YAML format template
• Presents template to AWS CloudFormation service
• AWS CloudFormation translates that to API request
• Forms a stack of resources
• Pay only for the resources created
• All regions
• API are called in parallel
• Manages dependencies/relationships
API calls made on
your behalf
Template Stack
The Running Environment

S U M M I T
AWS CloudFormation Template Examples
NewVolumeLinux5:
Type: AWS::EC2::Volume
Properties:
Size:
Ref: DataStorageSize
Encrypted: 'true'
KmsKeyId:
Fn::FindInMap:
- BIDMCEnvironment
- Ref: VPCName
- KMSkey
VolumeType:
Ref: DataStorageType
Tags:
- Key: Name
Value: “App1 Encrypted Data Volume”

S U M M I T
AWS CloudFormation Template Example
AWSTemplateFormatVersion: '2010-09-09'
Resources:
sgResearchVPCLinuxCommonServices:
Type: AWS::EC2::SecurityGroup
Properties:
GroupDescription: AD, DNS, McAfee, Nexpose,
Satellite,.
VpcId: vpc-abcdefg
Tags:
- Key: Name
Value: sg-research-linux-svcs
sgResearchVPCWindowsCommonServices:
Type: AWS::EC2::SecurityGroup
Properties:
GroupDescription: AD, DNS, McAfee, Nexpose, SCCM
VpcId: vpc-abcdefg
Tags:
- Key: Name
Value: sg-research-windows-svcs
ingress72:
Type: AWS::EC2::SecurityGroupIngress
Properties:
GroupId:
Ref: sgResearchVPCLinuxCommonServices
IpProtocol: udp
FromPort: '389'
ToPort: '389'
SourceSecurityGroupId: sg-b54499c8
ingress73:
Type: AWS::EC2::SecurityGroupIngress
Properties:
GroupId:
Ref: sgResearchVPCLinuxCommonServices
IpProtocol: udp
FromPort: '53'
ToPort: '53'
SourceSecurityGroupId: sg-63051219

S U M M I T
AWS: CloudFormation StackSets
Stack set
Administrator Account
Region
Stack
Target
account: A
Stack
Target
account: B
account: C account: D account: E …
Region
Stack
Target
account: A
Stack
Target
account: B
account: C account: D account: E …
Template

S U M M I T
Why AWS
Well-Architected
Framework?
Learn AWS best practices
Build and deploy faster
Lower or mitigate risks
Make informed decisions

S U M M I T
What is the AWS Well-Architected Framework?
Design principles QuestionsPillars

S U M M I T
Pillars of AWS Well-Architected
Security Reliability
Performance
efficiency
Cost
optimization
Operational
excellence
Security Reliability Performance
Efficiency
Cost
Optimization

S U M M I T
Pillar area
Question
Context
Best practices
Questions
Failure management

S U M M I T
What is available?
Helpful resources
Videos
Inline glossary
Workloads
Review (Q&A)
Dashboard
Report (PDF)
Review approach
Self-service
Partner
SA-led
Resources from partners
APN
Marketplace
Improvement plans
Framework
• Design principles
Pillars (areas)
• Design principles
• Questions
• Best practices
Whitepapers (PDF, Kindle)
Training
Website
Document workloads
• Description
• Regions
• Pillar priority
Review
• Rating
• Answers
• Notes
• Milestones
Tool Data
Content

S U M M I T
AWS Well-Architected Tool

S U M M I T
Summary
• Isolate Workloads
• Understand IAM and Resource Policies and use Least Privilege
• Collect all of the logs and know what to do with them
• Use Infrastructure as Code to control Change and Configuration
Management
• Incorporate best practices into design reviews and assessments like the
Well-Architected Review

S U M M I T
Thank you!
S U M M I T
Stephen Alexander
sfalex@amazon.com

So You've Got ATO - Are You Sure You are Secure?

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to So You've Got ATO - Are You Sure You are Secure?

Similar to So You've Got ATO - Are You Sure You are Secure? (20)

More from Amazon Web Services

More from Amazon Web Services (20)

So You've Got ATO - Are You Sure You are Secure?