These are the foundational principles we should take into account when thinking about security in the cloud
We are going to look at these 6 key areas in today's presentation.
They are underpinned by the Well-Architected Framework's "Security Pillar"; see the URL for more information.
We are going to look at three main concepts today…
Think carefully about who needs access; consider using SAML and ADFS to integrate with your existing controls
Remember to have a policy / procedure in place for new starters and leavers
Create logical groups of users (admins, DBAs, developers, billing, etc.)
Apply policies to groups rather than individual users for easier management
Only grant access to the services needed; we'll cover fine-grained access controls shortly
Use roles for instances/functions; avoid baking API keys into code, where they could be exposed in version control
Tie AWS usage into your workforce lifecycle (starters and leavers procedures for granting and removing access)
Enable MFA on the root account and remove its API access keys; use the root account only to provision less-privileged accounts, and only when needed
Require MFA for all user access to the console, and also consider that certain operations, such as deleting from S3, can be required to have an MFA token entered, which prevents accidental deletion
Temporary API keys can be assigned to authenticated users via STS (many projects on GitHub help users manage keys)
The principle of least privilege limits the potential impact of inappropriate use, which re-emphasizes the importance of defining clear roles at the start of a project
The first policy allows a user full control of S3 (create, delete, etc.)
The second policy is much more restrictive, with fine-grained controls limiting what the user can do and even restricting them to a specific bucket
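As a sketch, the two policies just described might look like this. The bucket name is hypothetical; the policies are shown as Python dicts so they can be serialised to the JSON policy documents IAM expects:

```python
import json

# A broad policy: full control of S3 (create, delete, etc.)
full_access_policy = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}],
}

# A fine-grained policy: read-only, limited to one (hypothetical) bucket
read_only_policy = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": [
            "arn:aws:s3:::example-bucket",    # the bucket itself (for ListBucket)
            "arn:aws:s3:::example-bucket/*",  # objects within it (for GetObject)
        ],
    }],
}

print(json.dumps(read_only_policy, indent=2))
```

Note how the second policy scopes both the actions and the resources; anything not explicitly allowed is denied by default.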
You can also consider using AWS organizations to centrally manage policies.
Unlike in a traditional DC, where you need agents on every machine, aggregation in the cloud is much easier due to two capabilities:
Cloud asset management is considered more accurate than using a CMDB (configuration management database)
Push logs with traditional agents into CloudWatch or Elasticsearch, which are fully managed and/or easily scaled
Amazon Athena can be used to query logs such as CloudTrail
Archive logs into Glacier to reduce storage costs; for highly regulated industries that need to retain logs for a long period, this can be managed by S3 lifecycle policies
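The archiving step above can be sketched as an S3 lifecycle configuration. The prefix and retention periods here are hypothetical examples:

```python
import json

# Hypothetical lifecycle rule: move objects under logs/ to Glacier after
# 90 days, and expire them after 7 years (2555 days) of retention
lifecycle_config = {
    "Rules": [{
        "ID": "ArchiveLogsToGlacier",
        "Filter": {"Prefix": "logs/"},
        "Status": "Enabled",
        "Transitions": [{"Days": 90, "StorageClass": "GLACIER"}],
        "Expiration": {"Days": 2555},
    }]
}

print(json.dumps(lifecycle_config, indent=2))
```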
CloudWatch provides a scalable rules engine that can emit events when a pattern is matched.
From there you can use services such as SNS to send email alerts or push notifications to HTTP endpoints
The rules engine can broker both native AWS event formats, such as AWS Config rules, and custom events you can generate yourself
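As an illustration, a rule's event pattern is itself JSON. This hypothetical pattern matches AWS Config compliance-change events that report a resource as non-compliant:

```python
import json

# Hypothetical CloudWatch Events pattern: fire only when AWS Config
# reports a resource transitioning to NON_COMPLIANT
event_pattern = {
    "source": ["aws.config"],
    "detail-type": ["Config Rules Compliance Change"],
    "detail": {
        "newEvaluationResult": {"complianceType": ["NON_COMPLIANT"]}
    },
}

print(json.dumps(event_pattern, indent=2))
```

A rule with this pattern could target an SNS topic (to page an engineer) or a Lambda function (to remediate automatically).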
It's important to constantly monitor your environment for unauthorized change or systems that fall out of compliance.
Using AWS Config you can detect changes in your infrastructure and record state, making it easy to iterate on new versions or roll back to previous ones.
Amazon Inspector allows you to detect vulnerabilities on instances, such as CVE issues and unapplied updates; you can incorporate these findings into your workflow to alert you when an instance may need attention
Amazon GuardDuty monitors for unusual activity in your account, such as API calls that don't fit your pattern of normal usage. In these events a detailed security report is delivered to the GuardDuty console and a CloudWatch event is emitted, allowing you to take action and even trigger automated responses with Lambda
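A minimal sketch of that "take action" step, assuming a simplified GuardDuty finding shape (real findings carry many more fields), could be a Lambda handler that decides a response based on finding severity:

```python
# Sketch of a Lambda handler reacting to a simplified, hypothetical
# GuardDuty finding delivered via a CloudWatch event
def handler(event, context=None):
    detail = event.get("detail", {})
    severity = detail.get("severity", 0)
    finding = detail.get("type", "unknown")
    # Only act automatically on high-severity findings;
    # GuardDuty severities for "high" findings start at 7.0
    if severity >= 7.0:
        return {"action": "isolate", "finding": finding}
    return {"action": "log-only", "finding": finding}

sample = {"detail": {"severity": 8.0, "type": "UnauthorizedAccess:EC2/SSHBruteForce"}}
print(handler(sample))  # → {'action': 'isolate', 'finding': 'UnauthorizedAccess:EC2/SSHBruteForce'}
```

The `"isolate"` branch is where you would call out to EC2 to quarantine the instance, as discussed later in the incident-response section.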
Securing your systems can be considered in layers, and you use these layers to protect your most valuable asset: your data.
AWS looks after physical security and host security of the hypervisor (refer to the shared responsibility model)
Customers have a wide range of tools to protect at the network level: sensible VPC design with subnets for public and private access, and routing to the internet and other subnets can be controlled
Network access control lists can be applied to (for example) only allow access from the application subnet to the DB subnet on port 3306 and permit no other ports or subnets in; treat this as a stateless firewall.
Security groups (stateful firewalls) sit outside the OS and define access rules into the instance; you can also define relationships between SGs
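The port 3306 example above can be sketched as a set of stateless NACL entries. The rule numbers and app-subnet CIDR are hypothetical:

```python
# Sketch of the stateless NACL described above: only the app subnet may
# reach the DB subnet on MySQL's port 3306; everything else is denied
nacl_inbound = [
    {"rule": 100, "protocol": "tcp", "port": 3306,
     "source": "10.0.1.0/24", "action": "allow"},  # hypothetical app subnet
    {"rule": 32767, "protocol": "all", "port": "all",
     "source": "0.0.0.0/0", "action": "deny"},     # default deny-all catch-all
]

# Because NACLs are stateless, return traffic on ephemeral ports needs an
# explicit outbound rule too; a stateful security group tracks connections
# and allows the return traffic automatically.
for entry in nacl_inbound:
    print(entry)
```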
You should also harden your systems in the same way you would in your DC: look at key/password rotation policies, regularly patch your OS and application stack, and use IAM roles to grant access to other services so you don't have to put API keys in code or on the host.
Finally, your data should be subject to strict authentication and access controls, and when creating backups use encryption at rest; many services support this with KMS integration.
Let's look at three ways of handling infrastructure protection in AWS
VPC and subnet design
Separate application, public and DB subnets, for example
Limit direct internet access, both ingress and egress
NACLs and SGs to control access
VPN gateways or direct connect to access the VPC and machines within
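The subnet design in the list above can be sketched with Python's standard ipaddress module, carving a hypothetical 10.0.0.0/16 VPC into /24 tiers:

```python
import ipaddress

# Carve a hypothetical 10.0.0.0/16 VPC into /24 subnets, one per tier
vpc = ipaddress.ip_network("10.0.0.0/16")
subnets = list(vpc.subnets(new_prefix=24))

plan = {
    "public": subnets[0],       # load balancers, NAT gateways
    "application": subnets[1],  # app servers, reachable only via the LB
    "database": subnets[2],     # no route to the internet gateway at all
}

for tier, net in plan.items():
    print(tier, net)
```

Only the public tier gets a route to the internet gateway; the application and database tiers reach out (if at all) through a NAT gateway, and NACLs/SGs gate traffic between the tiers.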
Use your traditional tools on your systems to ensure security compliance
Remove tools from the AMIs (harden them) to prevent those tools being used against you
Consider using EC2 Systems Manager Run Command / State Manager / Inventory / Parameter Store / Patch Manager to control your instances rather than allowing direct access from admins. This allows you to audit the work and also reliably and repeatably deploy the same commands across your entire fleet
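As a sketch, a Run Command request against tagged instances might carry parameters like these. The tag, command and bucket name are hypothetical; in practice you would pass this dict to boto3's `ssm.send_command`:

```python
# Hypothetical Run Command request: patch Apache across every instance
# tagged Role=web, writing the command output to S3 for auditing
run_command_request = {
    "DocumentName": "AWS-RunShellScript",  # AWS-managed doc for shell commands
    "Targets": [{"Key": "tag:Role", "Values": ["web"]}],  # target by tag, not ID
    "Parameters": {"commands": ["yum -y update httpd"]},
    "OutputS3BucketName": "example-ssm-logs",  # audit trail of every run
}

print(run_command_request["DocumentName"])
```

Targeting by tag rather than by instance ID is what makes the same command repeatable across a fleet that auto scaling is constantly replacing.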
Templating and automated CI/CD deployments can help ensure a consistent environment
AWS Config custom rules to ensure continual compliance
Use SNS and Lambda to automatically respond to non-compliant infrastructure
If you design for immutable / throw-away infrastructure, it's easier to update, test and then deploy to production using an automated pipeline
This lets you define your infrastructure as code. The benefit is that it's easy to recreate, update and deploy other versions of your infrastructure, so you can do testing and development in an environment that matches production.
AWS CloudFormation allows you to define most AWS resources in code and deploy, update and manage the stack easily.
SAM (Serverless Application Model) allows you to define serverless resources and can be integrated with CloudFormation.
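As an illustration, here is a minimal, hypothetical CloudFormation template, built as a Python dict and serialised to JSON, defining a single S3 bucket that is encrypted at rest:

```python
import json

# Minimal hypothetical CloudFormation template: one S3 bucket with
# default server-side encryption via KMS
template = {
    "AWSTemplateFormatVersion": "2010-09-09",
    "Resources": {
        "LogBucket": {
            "Type": "AWS::S3::Bucket",
            "Properties": {
                "BucketEncryption": {
                    "ServerSideEncryptionConfiguration": [
                        {"ServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}
                    ]
                }
            },
        }
    },
}

print(json.dumps(template, indent=2))
```

Because the template is just text, it lives in version control alongside application code and flows through the same review and CI/CD pipeline.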
Using these tools together you can start to automate your security pipeline.
Let's take as an example an AMI running a web server (Apache and PHP). We've defined this as a CloudFormation template and deployed it. Amazon Inspector now detects there's a new version of Apache and that the version we are running is a security risk.
We trigger an automated event and patch the system. From this we create a new hardened AMI version using a CI/CD pipeline. We also update the CloudFormation template with the new resource and store it in Git for version control.
Now when auto scaling kicks in or we redeploy the stack, we are using the new version from the start.
Lots of options give you full control and flexibility, from fully managed solutions to solutions where you bring your own key and encrypt data before it's sent to AWS.
s2n is the open source TLS implementation that’s now handling 100% of traffic for S3
All AWS service endpoints are HTTPS
When looking at connectivity for management or data transfer to and from your VPC consider using a VPN to secure communications
If you have applications that send data between them, you should use TLS to secure the connection. AWS Certificate Manager (ACM) can generate, deploy and manage certs for you
You can also secure external communications into your applications via ELB/ALB and CloudFront, and use ACM to manage the certificate. It's also possible to bring your own SSL cert and key.
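On the client side, Python's standard ssl module illustrates the "verify everything" defaults you want when applications talk TLS to each other:

```python
import ssl

# The default context verifies the server certificate chain AND checks
# that the certificate matches the hostname you asked for
ctx = ssl.create_default_context()

print(ctx.verify_mode)     # certificate verification is mandatory
print(ctx.check_hostname)  # hostname checking is on

# To use it, wrap a connected socket before sending any data:
#   tls_sock = ctx.wrap_socket(sock, server_hostname="example.internal")
```

Disabling either check (a common "temporary" workaround) removes the protection TLS was meant to provide, so treat any `CERT_NONE` in code review as a finding.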
Multiple services support built in integration with AWS KMS
Avoid storing unencrypted private data.
Use tokenization systems such as CloudHSM (hardware security module), designed to let you generate or bring your own keys. It integrates easily with applications using industry-standard APIs such as PKCS#11, Java Cryptography Extensions (JCE), and Microsoft CryptoNG (CNG) libraries
It's PCI-DSS and FIPS 140-2 Level 3 validated
If you have tagged resource groups and data sensitivity, then on detection of a breach you can quickly see the impact. Additional tags, such as the owner of a service, are also useful here, for example to get the right people on an incident call
You can use the API to automatically remove a potentially breached system from a load balancer by changing its security group; auto scaling should then replace the instance with a fresh one so your application isn't affected.
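A sketch of that security-group swap follows. The instance and group IDs are hypothetical; the resulting dict matches the parameters of boto3's `ec2.modify_instance_attribute`:

```python
# Sketch of the quarantine step: replace a suspect instance's security
# groups with a single locked-down "quarantine" group that allows no
# inbound traffic except (say) forensics access
def build_quarantine_request(instance_id, quarantine_sg):
    # In practice: ec2.modify_instance_attribute(**build_quarantine_request(...))
    return {"InstanceId": instance_id, "Groups": [quarantine_sg]}

req = build_quarantine_request("i-0123456789abcdef0", "sg-quarantine")
print(req)
```

Swapping the security group isolates the instance for forensics without terminating it, while auto scaling launches a clean replacement behind the load balancer.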
CloudFormation can be used to quickly recreate a new TRUSTED environment.