3. Agenda
• Sources of Best Practices
• A Bad Day
• Best of the Best Practices
• Infrastructure Security
• Data Protection
• Identity and Access Management
• Logging and Monitoring
• Tools and Automation
• At Scale
4. Sources of Best Practices
AWS Cloud Adoption Framework (CAF)
How to move to the cloud securely, including the “Core Five Epics”:
• Identity and Access Management
• Logging and Monitoring
• Infrastructure Security
• Data Protection
• Incident Response
AWS Security Best Practices
Whitepaper with 44 best practices, including:
• Identity and Access Management (10 best practices)
• Logging and Monitoring (4)
• Infrastructure Security (15)
• Data Protection (15)
Center for Internet Security (CIS) Benchmarks
148 detailed recommendations for configuration and auditing, covering:
• “AWS Foundations” with 52 checks aligned to AWS Best Practices
• “AWS Three-Tier Web Architecture” with 96 checks for web applications
8. Bill’s Bad Day
[Diagram: a “Bad Person” on the Internet reaches, through the Internet Gateway, a single AWS Account holding a Web Server Instance, an Internal Data Service, an S3 Bucket “Website Images” and an S3 Bucket “Data Backup”; steps 1 to 5 are marked on the diagram]
1. Access the vulnerable web application
2. Pivot to the data service
3. Delete the website image files
4. Change permissions to the data backup
5. Download the data backup
9. Bill’s Bad Day
[Diagram: the same AWS Account (Internet Gateway, Web Server Instance, Internal Data Service, S3 Buckets “Website Images” and “Data Backup”), with the six weaknesses marked]
1. No web application protection
2. No segmentation
3. One account
4. All permissions granted
5. Sensitive data not encrypted
6. No logging, monitoring, alerting
… now let’s help Andy have a great day! :-)
10. Best of the Best Practices: Infrastructure Security
1) Create a Threat Prevention Layer using AWS Edge Services
Use the 70 worldwide points of presence in the AWS Edge Network to provide scalability, protect from denial of service attacks, and protect from web application attacks.
Sources: AWS Best Practices Paper, CIS Web-Tier Benchmark, CIS Foundation Benchmark
Services: AWS WAF, AWS Shield, Amazon CloudFront
2) Create network zones with Virtual Private Clouds (VPCs) and Security Groups
Implement security controls at the boundaries of hosts and virtual networks within the cloud environment to enforce access policy.
Sources: AWS Best Practices Paper, CIS Web-Tier Benchmark, CIS Foundation Benchmark
Services: Security Group
3) Manage vulnerabilities through patching and scanning
Test virtual machine images and snapshots for operating system and application vulnerabilities throughout the build pipeline and into the operational environment.
Sources: AWS Best Practices Paper, CIS Web-Tier Benchmark, CIS Foundation Benchmark
Services: Amazon Inspector, Amazon EC2 Systems Manager
11. Infrastructure Security
[Diagram, step 1 of Andy’s account: Internet traffic passes the Internet Gateway, Amazon CloudFront, AWS Shield and AWS WAF before reaching the Web Server Instance; the Web Server Instance and the Internal Data Service each sit behind their own Security Group; Amazon Inspector assesses the Web Server Instance; S3 Buckets “Website Images” and “Data Backup”]
12. Best of the Best Practices: Data Protection
4) Encrypt data at rest (with the occasional exception)
Enabling encryption at rest helps ensure the confidentiality and integrity of data. Consider encrypting everything that is not public.
Sources: AWS Best Practices Paper, CIS Web-Tier Benchmark, CIS Foundation Benchmark
Services: AWS KMS, Data Encryption Key
5) Use server-side encryption with provider managed keys
AWS Key Management Service (KMS) is seamlessly integrated with 18 other AWS services. You can use a default master key or select a custom master key, both managed by AWS.
Sources: AWS Best Practices Paper, CIS Web-Tier Benchmark, CIS Foundation Benchmark
Services: AWS KMS, Amazon S3
6) Encrypt data in transit (with no exceptions)
Encryption of data in transit provides protection from accidental disclosure, verifies the integrity of the data, and can be used to validate the remote connection.
Sources: AWS Best Practices Paper, CIS Web-Tier Benchmark, CIS Foundation Benchmark
Services: Amazon CloudFront, Internet Gateway, SSL / TLS / HTTPS
13. Data Protection
[Diagram, step 2 of Andy’s account: the infrastructure layer from slide 11 (AWS WAF, AWS Shield, Amazon CloudFront, Internet Gateway, Security Groups, Amazon Inspector) plus AWS KMS with a Data Encryption Key protecting the S3 Bucket “Data Backup”; S3 Bucket “Website Images”, Web Server Instance, Internal Data Service]
14. Best of the Best Practices: Identity and Access Mgmt
7) Use multiple AWS accounts to reduce blast radius
AWS accounts provide administrative isolation between workloads across different lines of business, regions, stages of production and types of data classification.
Sources: AWS Best Practices Paper, CIS Web-Tier Benchmark, CIS Foundation Benchmark
Services: AWS Organizations (Production and Staging accounts)
8) Use limited roles and grant temporary security credentials
IAM roles and temporary security credentials mean you don't always have to manage long-term credentials and IAM users for each entity that requires access to a resource.
Sources: AWS Best Practices Paper, CIS Web-Tier Benchmark, CIS Foundation Benchmark
Services: IAM, IAM Roles, Temporary Security Credentials, MFA token
9) Federate to an existing identity service
Control access to AWS resources, and manage the authentication and authorization process without needing to re-create all your corporate users as IAM users.
Sources: AWS Best Practices Paper, CIS Web-Tier Benchmark, CIS Foundation Benchmark
Services: IAM, AWS Directory Service
15. Identity and Access Management
[Diagram, step 3 of Andy’s environment: the workload is now split across two AWS Accounts; Andy signs in with an MFA token and obtains Temporary Security Credentials from IAM, federated through AWS Directory Service; AWS WAF, AWS Shield, Amazon CloudFront, Internet Gateway, Security Groups, Amazon Inspector, AWS KMS Data Encryption Key, S3 Buckets “Website Images” and “Database Backup”, Web Server Instance, Internal Data Service]
16. Best of the Best Practices: Logging and Monitoring
10) Turn on logging in all accounts, for all services, in all regions
The AWS API history in CloudTrail enables security analysis, resource change tracking, and compliance auditing. CloudWatch collects and tracks metrics and monitors log files.
Sources: AWS Best Practices Paper, CIS Web-Tier Benchmark, CIS Foundation Benchmark
Services: AWS CloudTrail, AWS Config, Amazon CloudWatch
11) Use the AWS platform’s built-in monitoring and alerting features
Monitoring a broad range of sources will ensure that unexpected occurrences are detected. Establish alarms and notifications for anomalous or sensitive account activity.
Sources: AWS Best Practices Paper, CIS Web-Tier Benchmark, CIS Foundation Benchmark
Services: CloudWatch Alarms
12) Use a separate AWS account to fetch and store copies of all logs
Configuring a security account to copy logs to a separate bucket ensures access to information which can be useful in security incident response workflows.
Sources: AWS Best Practices Paper, CIS Web-Tier Benchmark, CIS Foundation Benchmark
Services: Production account and Security account
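As an added example (not code from the deck), the kind of check behind practice 11: a rule-based review of CloudTrail records that flags the activity behind Bill’s bad day, namely root usage, a console login without MFA, a permission change on the backup bucket, and an attempt to switch the trail off. The records are constructed samples in CloudTrail’s JSON record shape; the account ID, user names and bucket names are placeholders.

```python
# Added example (not from the deck): rule-based review of CloudTrail records, the
# kind of check a CloudWatch alarm or Lambda would run. The records are constructed
# samples in CloudTrail's JSON record shape; account ID, names and buckets are placeholders.
import json

SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventTime": "2017-03-01T10:00:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root"},
     "additionalEventData": {"MFAUsed": "No"}, "sourceIPAddress": "198.51.100.7"},
    {"eventTime": "2017-03-01T10:05:00Z", "eventSource": "s3.amazonaws.com", "eventName": "PutBucketAcl",
     "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::123456789012:assumed-role/web-instance/i-0abc"},
     "requestParameters": {"bucketName": "example-data-backup"}, "sourceIPAddress": "10.0.1.23"},
    {"eventTime": "2017-03-01T10:06:00Z", "eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/bill"},
     "sourceIPAddress": "198.51.100.7"},
    {"eventTime": "2017-03-01T10:07:00Z", "eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::123456789012:assumed-role/web-instance/i-0abc"},
     "requestParameters": {"bucketName": "example-website-images"}, "sourceIPAddress": "10.0.1.23"},
]})

# Calls that change who may read a bucket, and calls that blind the audit trail itself.
BUCKET_PERMISSION_EVENTS = {"PutBucketAcl", "PutBucketPolicy", "DeleteBucketPolicy"}
TRAIL_TAMPER_EVENTS = {"StopLogging", "DeleteTrail", "UpdateTrail"}

def classify(record):
    """Return the name of every detection rule this record matches (empty if benign)."""
    hits = []
    ident = record.get("userIdentity", {})
    name = record.get("eventName", "")
    if ident.get("type") == "Root":
        hits.append("root-account-activity")
    if name == "ConsoleLogin" and record.get("additionalEventData", {}).get("MFAUsed") != "Yes":
        hits.append("console-login-without-mfa")
    if name in BUCKET_PERMISSION_EVENTS:
        hits.append("bucket-permission-change")
    if name in TRAIL_TAMPER_EVENTS:
        hits.append("cloudtrail-tampering")
    return hits

def review_trail(raw_json):
    """Parse one CloudTrail log file and return a finding per matched rule."""
    findings = []
    for rec in json.loads(raw_json)["Records"]:
        for rule in classify(rec):
            findings.append({"rule": rule, "time": rec["eventTime"],
                             "actor": rec.get("userIdentity", {}).get("arn"),
                             "bucket": rec.get("requestParameters", {}).get("bucketName")})
    return findings
```

The same rules expressed as CloudWatch Logs metric filters on a CloudTrail log group give the built-in alarms practice 11 refers to; the benign GetObject record shows the rules stay quiet on ordinary traffic.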
17. Logging and Monitoring
[Diagram, step 4 of Andy’s environment: AWS Config, Amazon CloudWatch and AWS CloudTrail are added across both AWS Accounts; AWS WAF, AWS Shield, Amazon CloudFront, Internet Gateway, IAM with Temporary Security Credentials and MFA token, AWS Directory Service, Amazon Inspector, Security Groups, AWS KMS Data Encryption Key, S3 Buckets “Website Images” and “Database Backup”, Web Server Instance, Internal Data Service]
18. Best Practices
[Diagram: Andy’s finished environment with all four layers in place: AWS WAF, AWS Shield and Amazon CloudFront at the edge; two AWS Accounts with Security Groups around the Web Server Instance and the Internal Data Service; IAM with Temporary Security Credentials, MFA token and AWS Directory Service; AWS KMS Data Encryption Key on the S3 Bucket “Data Backup”; AWS Config, Amazon CloudWatch, AWS CloudTrail and Amazon Inspector; S3 Bucket “Website Images”]
19. Tools and Automation
Amazon Inspector: An automated security assessment service that helps improve the security and compliance of applications deployed on AWS. Amazon Inspector automatically assesses applications for vulnerabilities or deviations from best practices.
Amazon CloudWatch Events: A monitoring service for AWS cloud resources and the applications you run on AWS. You can easily build workflows that automatically take actions you define, such as invoking an AWS Lambda function, when an event of interest occurs.
AWS Config Rules: A fully managed service that provides you with an AWS resource inventory, configuration history, and configuration change notifications. Config Rules enables you to create rules that automatically check the configuration of AWS resources recorded by AWS Config.
See AWS re:Invent 2016: “5 Security Automation Improvements You Can Make by Using Amazon CloudWatch Events and AWS Config Rules” (SAC401)
21. IAM
• Issue: At scale we have too many IAM Users
• Solution: IAM identity federation
• Benefits:
  • Large reduction in the number of IAM users
  • Benefit from existing staff account processes
• Issue: IAM users are still required in some cases
• Solution: Monitoring and automation around IAM users
• Benefits:
  • Poorly configured or inactive IAM users automatically disabled and removed
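As an added example (not code from the deck), the decision logic behind the second solution on this slide: reading the IAM credential report and listing the users whose console password or access keys are idle, or whose console access lacks MFA, which is the set an automated job would then disable. The CSV is a constructed sample in the column layout of the IAM credential report (GetCredentialReport), reduced to the columns the check reads; the account ID, user names and the report time are placeholders.

```python
# Added example (not from the deck): find the IAM users that the slide's "monitoring
# and automation" would disable. The CSV is a constructed sample in the column layout
# of the IAM credential report (GetCredentialReport), reduced to the columns this
# check reads; account ID and user names are placeholders.
import csv
import io
from datetime import datetime, timedelta, timezone

SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,mfa_active,access_key_1_active,access_key_1_last_used_date,access_key_2_active,access_key_2_last_used_date
<root_account>,arn:aws:iam::123456789012:root,2015-01-01T00:00:00+00:00,not_supported,2017-02-20T09:00:00+00:00,true,false,N/A,false,N/A
alice,arn:aws:iam::123456789012:user/alice,2016-01-10T00:00:00+00:00,true,2017-02-27T08:00:00+00:00,true,true,2017-02-28T12:00:00+00:00,false,N/A
bill,arn:aws:iam::123456789012:user/bill,2016-03-01T00:00:00+00:00,true,2016-10-01T08:00:00+00:00,false,true,2016-09-15T12:00:00+00:00,false,N/A
svc-deploy,arn:aws:iam::123456789012:user/svc-deploy,2016-06-01T00:00:00+00:00,false,no_information,false,true,N/A,true,2017-02-28T01:00:00+00:00
"""
REPORT_TIME = datetime(2017, 3, 1, tzinfo=timezone.utc)  # constructed "now" for the sample
MAX_IDLE_DAYS = 90

def _when(value):
    """Parse a report timestamp; N/A, no_information and not_supported become None."""
    if value in ("N/A", "no_information", "not_supported", ""):
        return None
    return datetime.fromisoformat(value)

def audit_users(report_csv, now):
    """Return {user: [issues]} for every user whose credentials need action."""
    issues = {}
    cutoff = now - timedelta(days=MAX_IDLE_DAYS)
    for row in csv.DictReader(io.StringIO(report_csv)):
        problems = []
        created = _when(row["user_creation_time"])
        console = row["password_enabled"] == "true"
        if console and row["mfa_active"] != "true":
            problems.append("console-password-without-mfa")
        if console and (_when(row["password_last_used"]) or created) < cutoff:
            problems.append("inactive-console-password")
        for n in ("1", "2"):  # a key never used since creation counts as idle
            if row[f"access_key_{n}_active"] == "true":
                if (_when(row[f"access_key_{n}_last_used_date"]) or created) < cutoff:
                    problems.append(f"inactive-access-key-{n}")
        if row["user"] == "<root_account>" and "true" in (row["access_key_1_active"], row["access_key_2_active"]):
            problems.append("root-access-key-present")
        if problems:
            issues[row["user"]] = problems
    return issues
```

In a deployed job the returned map drives the disable step (deactivating the key or deleting the login profile) and a notification, and the 90-day threshold is the policy knob to adjust.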
22. CloudTrail
• Issue: Impaired visibility has a negative impact on security, cost, and compliance
• Solution:
  • Enable log sources
  • Automate configuration
  • Log integrity checking
  • Monitoring log events
• Benefit:
  • Visibility of actions and activity
  • Alarming and automation
23. AWS Config
• Issue: Insecure resource configurations
• Solution:
  • AWS Config service
  • Automate detection and reporting
• Benefit:
  • History of resource configuration
  • Near real-time identification of configuration violations
  • Alarming and automation of operations and security
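As an added example (not code from the deck), the evaluation logic of a custom AWS Config rule of the kind slides 19 and 23 describe, applied to the “no segmentation” weakness from Bill’s bad day: a security group is non-compliant when it is reachable from the whole Internet on anything other than 80 and 443. The configuration item is a constructed sample in the shape Config records for AWS::EC2::SecurityGroup, the group ID is a placeholder, and the config.put_evaluations() call a deployed rule would make with the returned record is left out.

```python
# Added example (not from the deck): evaluation logic of a custom AWS Config rule that
# flags security groups reachable from the whole Internet on anything but 80/443.
# The configuration item is a constructed sample in the shape Config records for
# AWS::EC2::SecurityGroup (group ID is a placeholder); put_evaluations() is omitted.
import json

ALLOWED_PUBLIC_PORTS = {80, 443}
WORLD = {"0.0.0.0/0", "::/0"}

def _cidrs(permission):
    """Every CIDR in one rule entry (Config lists IPv4 and IPv6 ranges separately)."""
    found = {r.get("cidrIp") for r in permission.get("ipv4Ranges", [])}
    found |= {r.get("cidrIpv6") for r in permission.get("ipv6Ranges", [])}
    return found - {None}

def _ports(permission):
    """Ports covered by one rule entry; None means all ports (protocol -1 or no range)."""
    if permission.get("ipProtocol") == "-1" or permission.get("fromPort") is None:
        return None
    return set(range(permission["fromPort"], permission["toPort"] + 1))

def evaluate_security_group(config_item):
    """Return (compliance_type, annotation) for one security group configuration item."""
    offending = []
    for perm in config_item["configuration"].get("ipPermissions", []):
        if not (_cidrs(perm) & WORLD):
            continue  # not world-reachable, whatever the port
        ports = _ports(perm)
        if ports is None or not ports <= ALLOWED_PUBLIC_PORTS:
            offending.append(f"{perm.get('ipProtocol')}:{perm.get('fromPort')}-{perm.get('toPort')}")
    if offending:
        return "NON_COMPLIANT", "Open to the world: " + ", ".join(offending)
    return "COMPLIANT", "Only 80/443 exposed to the world"

def lambda_handler(event, context=None):
    """Custom-rule entry point: unpack invokingEvent and build the evaluation record."""
    item = json.loads(event["invokingEvent"])["configurationItem"]
    compliance, note = evaluate_security_group(item)
    return {"ComplianceResourceType": item["resourceType"], "ComplianceResourceId": item["resourceId"],
            "ComplianceType": compliance, "Annotation": note,
            "OrderingTimestamp": item["configurationItemCaptureTime"]}

# Constructed sample: the data service's group allows SSH from anywhere, PostgreSQL only from the VPC.
DATA_SG_EVENT = {"invokingEvent": json.dumps({"configurationItem": {
    "resourceType": "AWS::EC2::SecurityGroup", "resourceId": "sg-0data000000000000",
    "configurationItemCaptureTime": "2017-03-01T10:00:00.000Z",
    "configuration": {"ipPermissions": [
        {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22, "ipv4Ranges": [{"cidrIp": "0.0.0.0/0"}]},
        {"ipProtocol": "tcp", "fromPort": 5432, "toPort": 5432, "ipv4Ranges": [{"cidrIp": "10.0.0.0/16"}]}]}}})}
```

Because Config re-evaluates on every configuration change, the NON_COMPLIANT result surfaces within minutes of the rule being opened and can feed a CloudWatch Events target that reverts or alerts.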
24. Automated Configuration Checks
[Diagram: Andy’s finished environment (AWS WAF, AWS Shield, Amazon CloudFront, Internet Gateway, two AWS Accounts, IAM with Temporary Security Credentials and MFA token, AWS Directory Service, AWS KMS Data Encryption Key, Security Groups around the Web Server Instance and the Internal Data Service, Amazon Inspector, Amazon CloudWatch, AWS CloudTrail, S3 Buckets “Website Images” and “Data Backup”) with AWS Config checking resource configuration across both accounts]