
Amazon Web Services Security


AWS Security presentation from SaintCon 2014.

Published in: Technology


  1. AWS Security. Jason Chan, chan@netflix.com, @chanjbs. SAINTCON 2014
  2. Quick Survey: AWS Experience 1-4
  3. 14m users in 1+ year
  4. 14m users in 1+ year; 150m photos
  5. 14m users in 1+ year; 150m photos; 3 engineers
  6. 14m users in 1+ year; 150m photos; 3 engineers; $1B acquisition by FB
  7. So . . .
  8. idea + cloud = profit!
  9. So . . .
  10. Goal: AWS benefits, securely
  11. AWS Intro / Typical Setup / Thinking about AWS Security / Tips and Traps / Other Resources
  12. Me. Now: Security @ Netflix. Before: Security @ VMware. Before: @stake, iSEC
  13. AWS
  14. IaaS: undifferentiated heavy lifting
  15. API-driven building blocks; customer control
  16. Evolving quickly
  17. Typical AWS Setup
  18. Thinking About AWS Security
  19. Philosophy
  20. A note on security automation
  21. Typically, how do you:
  22. Create a user account
  23. Create a user account; inventory your systems
  24. Create a user account; inventory your systems; update a firewall config
  25. Create a user account; inventory your systems; update a firewall config; make a forensic image
  26. Create a user account; inventory your systems; update a firewall config; make a forensic image; disable a MFA token
  27. In AWS . . .
  28. CreateUser(), DescribeInstances(), AuthorizeSecurityGroupIngress(), CreateSnapshot(), DeactivateMFADevice()
  29. Three Areas of Focus
  30. Shared Responsibility
  31. Guidance
      - High-level: CSA and ENISA guidance
      - AWS specific: Security Whitepaper; Risk and Compliance Whitepaper; Security Center and Compliance Center
  32. Shared responsibility tips: understand the model, and what AWS can't do; engage AWS for support (SSAE 16, PCI, etc.)
  33. Shared responsibility traps: AWS can help, but you're ultimately responsible; contract, Ts & Cs are not a firewall
  34. Segregation and Access Control
  35. "Users/Accounts" in AWS
  36. Users = API access control. Three types: 1. Main/Root, 2. IAM, 3. IAM Roles for EC2
  37. IAM user (accounts for humans)
  38. Keys are static; must be protected
  39. IAM role (accounts for services)
  40. Keys are short-lived; difficult to protect
  41. Role credentials fetched from the EC2 instance metadata service:
      ```shell
      curl http://169.254.169.254/latest/meta-data/iam/security-credentials/s3access
      ```
      ```json
      {
        "Code" : "Success",
        "LastUpdated" : "2012-04-26T16:39:16Z",
        "Type" : "AWS-HMAC",
        "AccessKeyId" : "AKIAIOSFODNN7EXAMPLE",
        "SecretAccessKey" : "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
        "Token" : "token",
        "Expiration" : "2012-04-27T22:39:16Z"
      }
      ```
  42. Users in AWS - Tips: don't use the root account; protect IAM keys; use IAM roles for EC2
  43. Users in AWS - Traps: keys have a way of finding themselves in GitHub; no way to control access to EC2 metadata
  44. Permissions and Policies
  45. Suggested homework: read the API docs
  46. Two Permission Types
      1. User-Based: attached to a user, controls what the user can do (also applies to groups and roles)
      2. Resource-Based: attached to a resource, controls what can be done to the resource
  47. Bonus, Confusing Third Type
      - Resource-Level: attached to a user, controls what the user can do, to which resource
  48. User policies
  49. Example user policy:
      ```json
      {
        "Statement": [
          {
            "Action": [ "ses:SendEmail" ],
            "Effect": "Allow",
            "Resource": "*",
            "Condition": {
              "IpAddress": { "aws:SourceIp": "1.1.1.1" }
            }
          }
        ]
      }
      ```
  50. Common approach - blacklisting
  51. Allow everything, then deny selected services:
      ```json
      { "Statement": [ { "Effect": "Allow", "Action": "*", "Resource": "*" } ] }
      ```
      ```json
      {
        "Statement": [
          { "Action": "ses:*", "Effect": "Deny", "Resource": "*" },
          { "Action": "iam:*", "Effect": "Deny", "Resource": "*" }
        ]
      }
      ```
  52. Creating policies
      - AWS has dozens of services
      - Hundreds of API calls across those services
      - Resource-level control and conditions provide tremendous granularity
  53. Sounds great! Sign me up!
  54. Looking at resource-level policies again
  55. Who (or what) can apply (or delete) tags?
  56. Permissions and policies - Tips: think least-privilege; think traditional RBAC
  57. Permissions and policies - Traps: be careful with tag-based security; be careful with policy size limitations; be careful with non-specific policies
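As an added example, not from the talk, of the blacklist approach on slide 51 and the non-specific-policy trap on slide 57: a toy policy evaluator (not AWS's real engine) that models only explicit-deny-wins and default-deny, ignoring conditions, resources and principals. Run over the two slide-51 policies and a constructed least-privilege allowlist, it shows that the Deny-list still permits every action it does not name.

```python
"""Added example (not from the talk): a toy IAM policy evaluator that models
only two rules, an explicit Deny always wins and anything not explicitly
allowed is denied.  Conditions, resource ARNs and principals are ignored."""
from fnmatch import fnmatchcase

# Blacklist approach from slide 51: allow everything, then deny two services.
BLACKLIST_POLICIES = [
    {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]},
    {"Statement": [{"Action": "ses:*", "Effect": "Deny", "Resource": "*"},
                   {"Action": "iam:*", "Effect": "Deny", "Resource": "*"}]},
]

# Least-privilege alternative (constructed): name only what the job needs.
ALLOWLIST_POLICIES = [
    {"Statement": [{"Effect": "Allow", "Resource": "*", "Action": [
        "ec2:DescribeInstances", "ec2:StartInstances", "ec2:StopInstances"]}]},
]

def _actions(statement):
    acts = statement["Action"]
    return [acts] if isinstance(acts, str) else acts

def is_allowed(policies, action):
    """True if `action` (e.g. 'ec2:TerminateInstances') is permitted."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            # IAM action names match case-insensitively and support '*'.
            if any(fnmatchcase(action.lower(), p.lower()) for p in _actions(stmt)):
                if stmt["Effect"] == "Deny":
                    return False            # explicit Deny beats any Allow
                allowed = True
    return allowed                          # default deny

def compare(policies_a, policies_b, actions):
    """Map each action to (allowed under A, allowed under B)."""
    return {a: (is_allowed(policies_a, a), is_allowed(policies_b, a)) for a in actions}

if __name__ == "__main__":
    probe = ["ses:SendEmail", "iam:CreateUser", "ec2:StartInstances",
             "ec2:TerminateInstances", "s3:DeleteBucket"]
    for act, (black, allow) in compare(BLACKLIST_POLICIES, ALLOWLIST_POLICIES, probe).items():
        print(f"{act:24} blacklist={black!s:5} allowlist={allow}")
```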
  58. Account-Level: strongest separation
  59. Account segregation - Tips: Test / Dev / Staging / Prod; compliance requirements; business units (billing boundaries); core/platform vs. end-user
  60. Account segregation - Traps: cross-account limitations (VPC security groups, S3); logistics and planning (AZ mapping, reservations and limits)
  61. Monitoring AWS Security
  62. Bill as IDS: AWS Billing Alerts
  63. CloudTrail: logging of API calls
  64. (slides 64 and 65 together) A CloudTrail event record:
      ```json
      {
        "Records": [
          {
            "eventVersion": "1.0",
            "userIdentity": {
              "type": "IAMUser",
              "principalId": "EX_PRINCIPAL_ID",
              "arn": "arn:aws:iam::123456789012:user/Alice",
              "accessKeyId": "EXAMPLE_KEY_ID",
              "accountId": "123456789012",
              "userName": "Alice"
            },
            "eventTime": "2014-03-06T21:22:54Z",
            "eventSource": "ec2.amazonaws.com",
            "eventName": "StartInstances",
            "awsRegion": "us-west-2",
            "sourceIPAddress": "205.251.233.176",
            "userAgent": "ec2-api-tools 1.6.12.2",
            "requestParameters": {
              "instancesSet": { "items": [ { "instanceId": "i-ebeaf9e2" } ] }
            },
            "responseElements": {
              "instancesSet": {
                "items": [
                  {
                    "instanceId": "i-ebeaf9e2",
                    "currentState": { "code": 0, "name": "pending" },
                    "previousState": { "code": 80, "name": "stopped" }
                  }
                ]
              }
            }
          },
          ... additional entries ...
        ]
      }
      ```
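As an added example, not from the talk, of driving detection from CloudTrail (slides 63 to 65 and the automation tip on slide 74): a small Python detector over records in the shape shown above. The three sample records are constructed for this example; the flagged API names are the talk's own list from slide 28, and the root-account rule follows slide 42.

```python
"""Added example (not from the talk): a small detector over CloudTrail records
of the shape shown on slides 64-65.  The records below are constructed."""
import json

# Security-relevant API calls, taken from the talk's own list on slide 28.
SENSITIVE_EVENTS = {"CreateUser", "AuthorizeSecurityGroupIngress",
                    "CreateSnapshot", "DeactivateMFADevice"}

SAMPLE_LOG = json.dumps({"Records": [
    {"userIdentity": {"type": "IAMUser", "userName": "Alice",
                      "arn": "arn:aws:iam::123456789012:user/Alice"},
     "eventTime": "2014-03-06T21:22:54Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "StartInstances", "sourceIPAddress": "205.251.233.176"},
    {"userIdentity": {"type": "IAMUser", "userName": "Alice",
                      "arn": "arn:aws:iam::123456789012:user/Alice"},
     "eventTime": "2014-03-06T21:30:10Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress", "sourceIPAddress": "198.51.100.7"},
    {"userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root"},
     "eventTime": "2014-03-06T22:01:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "DeactivateMFADevice", "sourceIPAddress": "198.51.100.7"},
]})

def _who(identity):
    # Root records carry no userName, so fall back to the ARN.
    return identity.get("userName") or identity.get("arn", "unknown")

def find_alerts(raw_json):
    """Return one alert per record that uses the root account (slide 42 says
    never to) or calls one of the sensitive APIs; other records are ignored."""
    alerts = []
    for rec in json.loads(raw_json).get("Records", []):
        ident = rec.get("userIdentity", {})
        reasons = []
        if ident.get("type") == "Root":
            reasons.append("root account used")
        if rec.get("eventName") in SENSITIVE_EVENTS:
            reasons.append("sensitive API call")
        if reasons:
            alerts.append({"time": rec.get("eventTime"), "who": _who(ident),
                           "event": rec.get("eventName"),
                           "ip": rec.get("sourceIPAddress"), "reasons": reasons})
    return alerts

if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_LOG):
        print(alert)
```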
  66. Trusted Advisor: checks config vs. best practices
  67. Shameless Plug Section of the Talk
  68. Edda: AWS config history
  69. What instance has a given public IP?
      ```shell
      $ curl "http://edda/api/v2/view/instances;publicIpAddress=1.2.3.4;_since=0"
      ```
  70. Result of the query above:
      ```shell
      $ curl "http://edda/api/v2/view/instances;publicIpAddress=1.2.3.4;_since=0"
      ["i-0123456789","i-012345678a","i-012345678b"]
      ```
  71. What is the most recent change to a security group?
      ```shell
      $ curl "http://edda/api/v2/aws/securityGroups/sg-0123456789;_diff;_all;_limit=2"
      ```
  72. Result of the query above, as a diff between the two most recent snapshots:
      ```diff
      $ curl "http://edda/api/v2/aws/securityGroups/sg-0123456789;_diff;_all;_limit=2"
      --- /api/v2/aws.securityGroups/sg-0123456789;_pp;_at=1351040779810
      +++ /api/v2/aws.securityGroups/sg-0123456789;_pp;_at=1351044093504
      @@ -1,33 +1,33 @@
       {
         "class" : "com.amazonaws.services.ec2.model.SecurityGroup",
         "description" : "App1",
         "groupId" : "sg-0123456789",
         "groupName" : "app1-frontend",
         "ipPermissions" : [
           {
             "class" : "com.amazonaws.services.ec2.model.IpPermission",
             "fromPort" : 80,
             "ipProtocol" : "tcp",
             "ipRanges" : [
               "10.10.1.1/32",
               "10.10.1.2/32",
      +        "10.10.1.3/32",
      -        "10.10.1.4/32"
             ],
             "toPort" : 80,
             "userIdGroupPairs" : [ ]
           }
         ],
         "ipPermissionsEgress" : [ ],
         "ownerId" : "2345678912345",
         "tags" : [ ],
         "vpcId" : null
       }
      ```
  73. Security Monkey
  74. Monitoring - Tips: know your options; ideal place to drive automation
  75. Monitoring - Traps: there is no configuration history; CloudTrail logs are complex
  76. AWS Security Resources: http://tiny.cc/awssecurity
  77. Thank you! chan@netflix.com : @chanjbs
