![{
"Statement": [
{
"Action": [
"ses:SendEmail"
],
"Effect": "Allow",
"Resource": "*",
"Condition": {
"IpAddress": {
"aws:SourceIp": "1.1.1.1"
}
}
}
]
}](https://image.slidesharecdn.com/awssecurity-141022214038-conversion-gate01/85/Amazon-Web-Services-Security-77-320.jpg)
![{
"Statement": [
{
"Effect": "Allow",
"Action": "*",
"Resource": "*"
}
]
}
{
"Statement": [
{
"Action": "ses:*",
"Effect": "Deny",
"Resource": "*"
},
{
"Action": "iam:*",
"Effect": "Deny",
"Resource": "*"
}
]
}](https://image.slidesharecdn.com/awssecurity-141022214038-conversion-gate01/85/Amazon-Web-Services-Security-79-320.jpg)
![{
"Records": [{
"eventVersion": "1.0",
"userIdentity": {
"type": "IAMUser",
"principalId": "EX_PRINCIPAL_ID",
"arn": "arn:aws:iam::123456789012:user/Alice",
"accessKeyId": "EXAMPLE_KEY_ID",
"accountId": "123456789012",
"userName": "Alice"
},
"eventTime": "2014-03-06T21:22:54Z",
"eventSource": "ec2.amazonaws.com",
"eventName": "StartInstances",
"awsRegion": "us-west-2",
"sourceIPAddress": "205.251.233.176",
"userAgent": "ec2-api-tools 1.6.12.2",
"requestParameters": {
"instancesSet": {
"items": [{
"instanceId": "i-ebeaf9e2"
}]
}
},](https://image.slidesharecdn.com/awssecurity-141022214038-conversion-gate01/85/Amazon-Web-Services-Security-99-320.jpg)
!["responseElements": {
"instancesSet": {
"items": [{
"instanceId": "i-ebeaf9e2",
"currentState": {
"code": 0,
"name": "pending"
},
"previousState": {
"code": 80,
"name": "stopped"
}
}]
}
}
},
... additional entries ...
]
}](https://image.slidesharecdn.com/awssecurity-141022214038-conversion-gate01/85/Amazon-Web-Services-Security-100-320.jpg)
![$ curl "http://edda/api/v2/view/instances;publicIpAddress=1.2.3.4;_since=0"
["i-0123456789","i-012345678a","i-012345678b"]](https://image.slidesharecdn.com/awssecurity-141022214038-conversion-gate01/85/Amazon-Web-Services-Security-107-320.jpg)
![$ curl "http://edda/api/v2/aws/securityGroups/sg-0123456789;_diff;_all;_limit=2"
--- /api/v2/aws.securityGroups/sg-0123456789;_pp;_at=1351040779810
+++ /api/v2/aws.securityGroups/sg-0123456789;_pp;_at=1351044093504
@@ -1,33 +1,33 @@
{
"class" : "com.amazonaws.services.ec2.model.SecurityGroup",
"description" : "App1",
"groupId" : "sg-0123456789",
"groupName" : "app1-frontend",
"ipPermissions" : [
{
"class" : "com.amazonaws.services.ec2.model.IpPermission",
"fromPort" : 80,
"ipProtocol" : "tcp",
"ipRanges" : [
"10.10.1.1/32",
"10.10.1.2/32",
+ "10.10.1.3/32",
- "10.10.1.4/32"
],
"toPort" : 80,
"userIdGroupPairs" : [ ]
}
],
"ipPermissionsEgress" : [ ],
"ownerId" : "2345678912345",
"tags" : [ ],
"vpcId" : null
}](https://image.slidesharecdn.com/awssecurity-141022214038-conversion-gate01/85/Amazon-Web-Services-Security-109-320.jpg)
Uploaded byJason Chan
Amazon Web Services Security
Jason Chan gave a presentation on AWS security at SAINTCON 2014. He began with an overview of typical AWS setups and then focused on three main areas: shared responsibility between AWS and customers, access controls and permissions, and account segregation. For each area, he provided tips on best practices as well as potential security traps to avoid. He also discussed tools for monitoring AWS security configurations and activity, such as CloudTrail, Trusted Advisor, and the Edda service created at Netflix.
More Related Content
Similar to Amazon Web Services Security
Amazon Web Services Security
- 1. AWS Security JasonChan chan@netflix.com : @chanjbs SAINTCON 2014
- 2. Quick Survey AWSExperience 1-4
- 4. 14m users in1+ year
- 5. 14m users in1+ year 150m photos
- 6. 14m users in1+ year 150m photos 3 engineers
- 7. 14m users in1+ year 150m photos 3 engineers $1B acquisition by FB
- 9.
- 10. idea + cloud= profit!
- 13.
- 15. Goal: AWS benefits,securely
- 16. AWS Intro TypicalSetup Thinking about AWS Security Tips and Traps Other Resources
- 17. Me Now: Security@ Netflix Before: Security @ VMware Before: @stake, iSEC
- 19.
- 20. IaaS Undifferentiated heavylifting
- 21. API-driven building blocks Customer control
- 22.
- 24.
- 32. Thinking About AWS Security
- 33.
- 36. A note onsecurity automation
- 39. Typically, how do you:
- 40. Create a useraccount
- 41. Create a useraccount Inventory your systems
- 42. Create a useraccount Inventory your systems Update a firewall config
- 43. Create a useraccount Inventory your systems Update a firewall config Make a forensic image
- 44. Create a useraccount Inventory your systems Update a firewall config Make a forensic image Disable a MFA token
- 45. In AWS .. .
- 46. CreateUser() DescribeInstances() AuthorizeSecurityGroupIngress() CreateSnapshot() DeactivateMFADevice()
- 48. Three Areas ofFocus
- 52.
- 54. Guidance High-level •CSA and ENISA guidance AWS specific • Security Whitepaper • Risk and Compliance Whitepaper • Security Center and Compliance Center
- 55. Shared responsibility tips Understand the model, and what AWS can't do Engage AWS for support - SSAE 16, PCI, etc.
- 56. Shared responsibility traps AWS can help, but you're ultimately responsible Contract, Ts & Cs are not a firewall
- 57. Segregation and AccessControl
- 58.
- 59. Users = APIaccess control Three types 1. Main/Root 2. IAM 3. IAM Roles for EC2
- 61. IAM user (accountsfor humans)
- 62. Keys are static Must be protected
- 64. IAM role (accountsfor services)
- 65. Keys are short-lived Difficult to protect
- 66. curl http://169.254.169.254/latest/meta-data/iam/security-credentials/s3access { "Code" : "Success", "LastUpdated" : "2012-04-26T16:39:16Z", "Type" : "AWS-HMAC", "AccessKeyId" : "AKIAIOSFODNN7EXAMPLE", "SecretAccessKey" : "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY", "Token" : "token", "Expiration" : "2012-04-27T22:39:16Z" }
- 68. Users in AWS- Tips Don't use the root account Protect IAM keys Use IAM roles for EC2
- 69. Users in AWS- Traps Keys have a way of finding themselves in GitHub No way to control access to EC2 metadata
- 70.
- 71. Suggested homework Readthe API docs
- 72. Two Permission Types 1. User-Based - Attached to a user, controls what the user can do (also applies to groups and roles) 2. Resource-Based - Attached to a resource, controls what can be done to the resource
- 73. Bonus, Confusing ThirdType • Resource-Level - Attached to a user, controls what the user can do, to which resource
- 76.
- 77. { "Statement": [ { "Action": [ "ses:SendEmail" ], "Effect": "Allow", "Resource": "*", "Condition": { "IpAddress": { "aws:SourceIp": "1.1.1.1" } } } ] }
- 78. Common approach - blacklisting
- 79. { "Statement": [ { "Effect": "Allow", "Action": "*", "Resource": "*" } ] } { "Statement": [ { "Action": "ses:*", "Effect": "Deny", "Resource": "*" }, { "Action": "iam:*", "Effect": "Deny", "Resource": "*" } ] }
- 81. Creating policies •AWS has dozens of services • Hundreds of API calls across those services • Resource-level control and conditions provides tremendous granularity
- 82. Sounds great! Signme up!
- 84. Looking at resource-level policies again
- 86. Who (or what)can apply (or delete) tags?
- 87. Permissions and policies- Tips Think least-privilege Think traditional RBAC
- 88. Permissions and policies- Traps Be careful with tag-based security Be careful with policy size limitations Be careful with non-specific policies
- 89.
- 92. Account segregation -Tips Test / Dev / Staging / Prod Compliance requirements Business units (billing boundaries) Core/platform vs. end-user
- 93. Account segregation -Traps Cross-account limitations (VPC security groups, S3) Logistics and planning - AZ mapping, reservations and limits
- 94.
- 95. Bill as IDS AWS Billing Alerts
- 97. CloudTrail Logging ofAPI calls
- 99. { "Records": [{ "eventVersion": "1.0", "userIdentity": { "type": "IAMUser", "principalId": "EX_PRINCIPAL_ID", "arn": "arn:aws:iam::123456789012:user/Alice", "accessKeyId": "EXAMPLE_KEY_ID", "accountId": "123456789012", "userName": "Alice" }, "eventTime": "2014-03-06T21:22:54Z", "eventSource": "ec2.amazonaws.com", "eventName": "StartInstances", "awsRegion": "us-west-2", "sourceIPAddress": "205.251.233.176", "userAgent": "ec2-api-tools 1.6.12.2", "requestParameters": { "instancesSet": { "items": [{ "instanceId": "i-ebeaf9e2" }] } },
- 100. "responseElements": { "instancesSet":{ "items": [{ "instanceId": "i-ebeaf9e2", "currentState": { "code": 0, "name": "pending" }, "previousState": { "code": 80, "name": "stopped" } }] } } }, ... additional entries ... ] }
- 101. Trusted Advisor Checksconfig vs. best practices
- 104. Shameless Plug Sectionof the Talk
- 105. Edda AWS confighistory
- 106. What instance hasa given public IP? $ curl "http://edda/api/v2/view/instances;publicIpAddress=1.2.3.4;_since=0"
- 107. $ curl "http://edda/api/v2/view/instances;publicIpAddress=1.2.3.4;_since=0" ["i-0123456789","i-012345678a","i-012345678b"]
- 108. What is themost recent change to a security group? $ curl "http://edda/api/v2/aws/securityGroups/sg-0123456789;_diff;_all;_limit=2"
- 109. $ curl "http://edda/api/v2/aws/securityGroups/sg-0123456789;_diff;_all;_limit=2" --- /api/v2/aws.securityGroups/sg-0123456789;_pp;_at=1351040779810 +++ /api/v2/aws.securityGroups/sg-0123456789;_pp;_at=1351044093504 @@ -1,33 +1,33 @@ { "class" : "com.amazonaws.services.ec2.model.SecurityGroup", "description" : "App1", "groupId" : "sg-0123456789", "groupName" : "app1-frontend", "ipPermissions" : [ { "class" : "com.amazonaws.services.ec2.model.IpPermission", "fromPort" : 80, "ipProtocol" : "tcp", "ipRanges" : [ "10.10.1.1/32", "10.10.1.2/32", + "10.10.1.3/32", - "10.10.1.4/32" ], "toPort" : 80, "userIdGroupPairs" : [ ] } ], "ipPermissionsEgress" : [ ], "ownerId" : "2345678912345", "tags" : [ ], "vpcId" : null }
- 110.
- 112. Monitoring - Tips Know your options Ideal place to drive automation
- 113. Monitoring - Traps There is no configuration history CloudTrail logs are complex
- 114. AWS Security Resources http://tiny.cc/awssecurity
- 115. Thank you! chan@netflix.com: @chanjbs