
AWS Security: A Practitioner's Perspective


Presented at the SF AWS Users group on 4/17/2012.

Published in: Technology, Business


  1. AWS Security: A Practitioner’s Perspective
     Jason Chan, chan@netflix.com
     San Francisco AWS Users Group, April 17, 2012
  2. Jason Chan
     • Cloud Security Architect @ Netflix
     • Previously:
       • Most recently led security team at VMware
       • Primarily security consulting at @stake, iSEC Partners
     • Some presentations at: http://www.slideshare.net/netflix
  3. Agenda
     • Goals and non-goals
     • AWS on one slide
     • Netflix in the cloud
     • AWS security: Overview
     • AWS security: Gotchas
     • AWS security: Recommendations
     • Takeaways
  8. Non-Goals
     • Primer on general cloud security issues
     • AWS how-to
     • Comprehensive guide to AWS security
     • Info on designing for high-availability
  9. AWS Overview
  13. AWS on a Slide
     “The cloud lets its users focus on delivering differentiating business value instead of wasting valuable resources on the undifferentiated heavy lifting that makes up most of IT infrastructure.”
     - Werner Vogels (AWS CTO), August 25, 2009, ‘All Things
  14. Netflix in the Cloud
  18. Outgrowing Data Center
     [Chart: Netflix API growth in requests, 37x growth 1/10 - 1/11, plotted against datacenter capacity]
     http://techblog.netflix.com/2011/02/redesigning-netflix-api.html
  19. Netflix Deployed on AWS
     [Timeline figure, 2009 to 2011: workloads moved to AWS, including content masters, logs, play, WWW, API, customer service, video metadata, international, DRM, sign-up, CS lookup, device diagnostics, EC2/EMR/Hadoop, CDN routing, search, config and actions, movie/TV choosing, customer call log, bookmarks, business intelligence, social/Facebook, logging, ratings and CS analytics]
     Services used: EC2, S3, SQS, SDB, VPC, ELB, EMR, Route53, IAM, SWF, CloudWatch, EBS, SNS, SES
  20. AWS Security Overview
     • Shared Responsibility
     • AWS Credentials and Identifiers
     • Services, Actions, and Resources
     • Controlling Network Traffic
     • AWS Security-Related Services
  26. Shared Responsibility
     [Diagram: the stack split between what YOU secure and what AWS secures]
     http://aws.amazon.com/security/
  32. AWS Credentials and Identifiers
     Account Identifiers
       Account ID                   12 digit identifier
       Canonical User ID            Used for S3 permissioning
     Resource Identifier
       Amazon Resource Name (ARN)   Unique resource identifier, e.g. arn:aws:sns:us-east-1:1234567890123456:mytopic
     Sign-In Credentials
       Main Account                 E-Mail/PW, console access
       IAM Account                  Name/PW, console access
       MFA Token                    HW/SW token for additional security
     Access Credentials
       Access Keys                  REST API
       X.509 Certificates           SOAP API, EC2 tools
       Key Pairs                    CloudFront, EC2
     http://docs.amazonwebservices.com/AWSSecurityCredentials/1.0/AboutAWSCredentials.html
  44. AWS Services, Actions, and Resources
     Service   Action                                   Resource
     S3        Get Object, Delete Bucket                Bucket, Object
     EC2       Terminate Instances, Associate Address   Instance, AMI, EBS Volume
     AWS policies can be applied to actions and resources. Compatibility is service-dependent.
     http://docs.amazonwebservices.com/IAM/latest/UserGuide/Using_SpecificProducts.html
  52. Policies - Example
     {
       "Statement": [
         {
           "Action": ["s3:GetObject"],
           "Effect": "Allow",
           "Resource": "arn:aws:s3:::testbucket/files/*",
           "Condition": {
             "DateLessThanEquals": {"aws:CurrentTime": "2012-05-31T12:00:00Z"},
             "IpAddress": {"aws:SourceIp": "1.1.1.1"}
           },
           "Principal": {"AWS": ["123456789012"]}
         }
       ]
     }
     Callouts on the slide:
     • Action: which service? which actions?
     • Effect: allow or deny?
     • Resource: which resource?
     • Condition: any conditions? (optional)
     • Principal: to whom does the policy apply?
     http://awspolicygen.s3.amazonaws.com/policygen.html
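To make the callouts concrete, here is a small evaluator for the slide's policy. It is an added illustration, not code from the talk or from AWS: it implements only the Allow/Deny precedence and the operators the slides use (DateLessThanEquals, IpAddress) plus Bool on aws:SecureTransport, which the Resource Security slides recommend. HARDENED_POLICY and the request() helper are constructed for the example.

```python
import fnmatch
import ipaddress
from datetime import datetime, timezone

# The bucket policy shown on the "Policies - Example" slides, as a Python dict.
SLIDE_POLICY = {"Statement": [{
    "Action": ["s3:GetObject"],
    "Effect": "Allow",
    "Resource": "arn:aws:s3:::testbucket/files/*",
    "Condition": {
        "DateLessThanEquals": {"aws:CurrentTime": "2012-05-31T12:00:00Z"},
        "IpAddress": {"aws:SourceIp": "1.1.1.1"},
    },
    "Principal": {"AWS": ["123456789012"]},
}]}

# Constructed variant: the same Allow plus an explicit Deny for any request made
# without TLS (the aws:SecureTransport condition the Resource Security slides recommend).
HARDENED_POLICY = {"Statement": SLIDE_POLICY["Statement"] + [{
    "Action": "s3:*",
    "Effect": "Deny",
    "Resource": ["arn:aws:s3:::testbucket", "arn:aws:s3:::testbucket/*"],
    "Condition": {"Bool": {"aws:SecureTransport": "false"}},
    "Principal": "*",
}]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _parse_time(text):
    # Policy timestamps are ISO 8601 in UTC with a trailing "Z".
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def _conditions_hold(condition, ctx):
    """Every operator/key block must hold (AND); within one key any listed value may
    match (OR). A context key that is missing, or an operator this evaluator does not
    implement, fails closed."""
    for operator, keys in condition.items():
        for key, values in keys.items():
            if key not in ctx:
                return False
            actual, wanted = ctx[key], _as_list(values)
            if operator == "DateLessThanEquals":
                ok = any(_parse_time(actual) <= _parse_time(v) for v in wanted)
            elif operator == "IpAddress":
                ip = ipaddress.ip_address(actual)
                ok = any(ip in ipaddress.ip_network(v, strict=False) for v in wanted)
            elif operator == "Bool":
                ok = any(str(actual).lower() == str(v).lower() for v in wanted)
            else:
                ok = False
            if not ok:
                return False
    return True

def _principal_matches(principal, account_id):
    if principal == "*":
        return True
    return account_id in _as_list(principal.get("AWS", []))

def _glob_any(value, patterns):
    # IAM "*" matches any run of characters, including "/" inside an ARN path.
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))

def evaluate(policy, req):
    """Decide "Allow" or "Deny" for req = {principal, action, resource, context}.
    An explicit Deny always wins; a request no statement allows is implicitly denied."""
    decision = "Deny"
    for st in policy["Statement"]:
        if not _principal_matches(st.get("Principal", "*"), req["principal"]):
            continue
        if not _glob_any(req["action"], st["Action"]):
            continue
        if not _glob_any(req["resource"], st["Resource"]):
            continue
        if not _conditions_hold(st.get("Condition", {}), req["context"]):
            continue
        if st["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision

def request(principal="123456789012", action="s3:GetObject",
            resource="arn:aws:s3:::testbucket/files/report.csv",
            time="2012-05-01T09:30:00Z", ip="1.1.1.1", tls="true"):
    """Build a request; the defaults describe one the slide policy allows."""
    return {"principal": principal, "action": action, "resource": resource,
            "context": {"aws:CurrentTime": time, "aws:SourceIp": ip,
                        "aws:SecureTransport": tls}}
```

Changing any one field of the default request (source IP, time, action, resource path or principal) flips the slide policy to Deny, and the hardened variant denies a plaintext request even though the Allow statement matches it.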
  55. Controlling Network Traffic in AWS
     [Diagram: App Server -> TCP 3306 -> DB Server]
     Cisco configuration:
       permit tcp host 1.1.1.1 host 2.2.2.2 eq 3306
     AWS configuration:
       ec2-authorize db -P tcp -p 3306 -s app
  59. Security Groups & ACLs
     Type                 Stateful   Ingress   Egress   EC2   VPC   Cross-Account   Dynamic Membership
     EC2 Security Group   Y          Y         N        Y     N     Y               N
     VPC Security Group   Y          Y         Y        N     Y     N               Y
     DB Security Group    Y          Y         N        Y     Y     Y               Y
     VPC Network ACL      N          Y         Y        N     Y     N/A             N/A
  60. AWS Security-Related Services
     • Identity and Access Management (IAM)
       • Multi-Factor Authentication (MFA)
       • Security Token Service (STS)
     • Virtual Private Cloud (VPC)
  61. AWS Security Gotchas
     • AWS Limits
     • IP Addresses in EC2
     • Elastic Load Balancing Security
     • S3 Policies and Object Ownership
     • AWS Resource Logging
     • Delivering Credentials to Instances
  69. AWS Limits
     • “Because the cloud is infinite if your requirements are moderate”
     • Many AWS services have a variety of limits
       • Some of which are easily discoverable
     • AWS services also have throttling (e.g. max RPS)
     • Beware of self DoS via automation and autoscaling
     • NOTE: http://aws.amazon.com/contact-us/ for limit increase requests
     • NOTE: Track limits and inspect error messages
  75. EC2 IP Addresses
     • Each instance has two IPs - private and public
         # ec2-metadata
         ...
         local-hostname: ip-10-245-134-152.ec2.internal
         local-ipv4: 10.245.134.152
         ...
         public-hostname: ec2-72-44-52-70.compute-1.amazonaws.com
         public-ipv4: 72.44.52.70
         ...
     • Name resolution depends on client location
         # ec2-metadata -o
         local-ipv4: 10.245.134.152
         # dig +short ec2-72-44-52-70.compute-1.amazonaws.com
         10.245.134.152
         # dig @8.8.4.4 +short ec2-72-44-52-70.compute-1.amazonaws.com
         72.44.52.70
  84. EC2 IP Addresses
     • Both public and private IPs are dynamic
       • Elastic IPs can be used for persistent public IPs
     • Within a region, instances use their private IPs
     • Across regions & for Internet traffic, the public IP is used
     • NOTE: Traffic to the public IP/EIP:
       • Incurs regional data transfer costs
       • Is less performant in-region
       • Does not preserve source security group info
  85. Elastic Load Balancers
     [Diagram: Internet -> ELB -> Instance, Instance, Instance]
     • Service availability and traffic balancing across EC2 instances
     • Stable DNS for publicly-facing services
       • Alias to the ELB DNS CNAME
     • SSL termination, session stickiness, etc.
  93. Elastic Load Balancers
     • ELB intercepts and forwards traffic
     • Traffic loses source IP
       • Client IP is accessible via X-Forwarded-For
     • Backend instances must allow traffic from the ELB
       • Traffic from ELB == Traffic from Internet
     • Without additional (non security group) filtering, ELBs should only be used for public use cases
     • NOTE: VPC ELBs can use security groups for limiting access
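The "additional (non security group) filtering" the slide mentions has to happen in the application, using the client address the ELB supplies. This added example (not code from the talk or from AWS) shows how to read X-Forwarded-For safely behind an ELB HTTP/HTTPS listener and use it for an allowlist check; the header values and networks are constructed.

```python
import ipaddress


def client_ip_from_xff(xff_header):
    """Return the client address the ELB connected from, or None.
    An ELB HTTP/HTTPS listener appends the address it saw to X-Forwarded-For,
    so the rightmost entry is the only one the ELB vouches for; anything to its
    left was already in the request when it reached the ELB and is untrusted.
    (A TCP listener forwards bytes unchanged and adds no header at all.)"""
    if not xff_header:
        return None
    hops = [h.strip() for h in xff_header.split(",") if h.strip()]
    if not hops:
        return None
    try:
        return str(ipaddress.ip_address(hops[-1]))
    except ValueError:
        return None  # malformed or not an IP literal: do not trust it


def naive_client_ip(xff_header):
    """The common mistake: taking the leftmost entry, which the client controls."""
    return xff_header.split(",")[0].strip()


def allowed_by_client_ip(xff_header, allowed_networks):
    """Application-level source filtering for an ELB-fronted endpoint.
    Fails closed when no trustworthy address is present."""
    ip = client_ip_from_xff(xff_header)
    if ip is None:
        return False
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n, strict=False) for n in allowed_networks)


# Constructed headers: one request straight from an allowed network, and one whose
# leftmost entry was supplied by the client (the ELB appended 203.0.113.7 on the right).
LEGIT_XFF = "198.51.100.20"
CLIENT_SUPPLIED_XFF = "10.0.0.5, 203.0.113.7"
ALLOWED_NETWORKS = ["198.51.100.0/24", "10.0.0.0/8"]
```

Reading the leftmost entry would admit the second request as 10.0.0.5; reading the ELB-appended entry rejects it.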
  100. S3 Policies and Object Ownership
     • S3 bucket similar to container, object similar to a file
     • Access control can be applied via bucket policy, bucket ACL, and object ACLs
     • NOTE: Objects only inherit bucket-level permissions if written by bucket owner
       • Default ACL is “object creator: full control”
       • Objects written by a non-bucket-owner are inaccessible by bucket owner
     • Use “x-amz-acl” header on write to fix permissions
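An added example of checking for this gotcha (not code from the talk or from AWS): it walks a constructed object listing with each object's ACL grants, reports objects the bucket owner cannot read, and builds the bucket policy that refuses cross-account writes lacking the bucket-owner-full-control canned ACL. The canonical IDs, account ID and keys are constructed placeholders.

```python
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"

# Constructed canonical user IDs (real ones are 64 hex characters) and account ID.
BUCKET_OWNER = "bucketowner-canonical-id"
PARTNER = "partner-canonical-id"
PARTNER_ACCOUNT_ID = "111122223333"


def grant(grantee_id, permission):
    return {"Grantee": {"Type": "CanonicalUser", "ID": grantee_id}, "Permission": permission}


# Constructed listing: each object with its owner and the ACL it ended up with.
OBJECTS = [
    # Written by the bucket owner: default ACL is "creator: FULL_CONTROL", creator == owner.
    {"Key": "files/a.csv", "Owner": BUCKET_OWNER, "Grants": [grant(BUCKET_OWNER, "FULL_CONTROL")]},
    # Written by the partner with the default ACL: only the partner holds a grant.
    {"Key": "files/b.csv", "Owner": PARTNER, "Grants": [grant(PARTNER, "FULL_CONTROL")]},
    # Written by the partner with x-amz-acl: bucket-owner-full-control.
    {"Key": "files/c.csv", "Owner": PARTNER,
     "Grants": [grant(PARTNER, "FULL_CONTROL"), grant(BUCKET_OWNER, "FULL_CONTROL")]},
]


def bucket_owner_can_read(obj, bucket_owner):
    """True if the bucket owner can GET the object under its object ACL.
    Bucket-level permissions do not help: an object written by another
    account carries only the grants its creator put on it."""
    for g in obj["Grants"]:
        if g["Permission"] not in ("READ", "FULL_CONTROL"):
            continue
        who = g["Grantee"]
        if who["Type"] == "CanonicalUser" and who["ID"] == bucket_owner:
            return True
        if who["Type"] == "Group" and who.get("URI") in (ALL_USERS, AUTH_USERS):
            return True
    return False


def unreadable_by_owner(objects, bucket_owner):
    """Keys the bucket owner cannot read: the objects to fix with a new ACL."""
    return [o["Key"] for o in objects if not bucket_owner_can_read(o, bucket_owner)]


def foreign_owned(objects, bucket_owner):
    """Keys created by another account, readable or not; these never inherited bucket permissions."""
    return [o["Key"] for o in objects if o["Owner"] != bucket_owner]


def require_owner_full_control_policy(bucket, writer_account_id):
    """Bucket policy denying the writer's PutObject unless it sends
    x-amz-acl: bucket-owner-full-control, so new objects cannot become unreadable."""
    return {"Statement": [{
        "Effect": "Deny",
        "Principal": {"AWS": [writer_account_id]},
        "Action": "s3:PutObject",
        "Resource": "arn:aws:s3:::%s/*" % bucket,
        "Condition": {"StringNotEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}},
    }]}
```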
  105. AWS Resource Logging
     • AWS APIs and resources are publicly (Internet) accessible
     • So, your management interfaces, file store, databases, etc. are publicly addressable
     • Preventing access is generally possible through policy configuration
     • NOTE: AWS provides no capability for logging or auditing resource access
  111. Delivering Credentials to EC2 Instances
     • AWS becomes more valuable when leveraging multiple services (e.g. EC2 + SQS, S3, etc.)
     • Access to resources will generally require credentials
     • Secure delivery and storage of credentials becomes difficult with scale and automation
     • Some ideas:
       • http://shlomoswidler.com/2009/08/how-to-keep-your-aws-credentials-on-ec2.html
  112. AWS Security Recommendations
     • Systematic Approach to AWS Security
     • Shared Responsibility
     • AWS Management
     • AWS Security Features and Services
     • Resource Security
     • Operations Security
  118. Systematic Approach to AWS Security
     • Understand shared responsibility model
     • Management of AWS
     • AWS security features and services
     • AWS resource security
     • Secure AWS operations
  119. Shared Responsibility
     • Analyze what each side provides in terms of security controls
     • Understand legal/contractual aspects
     • Make plans to bridge any gaps
     https://wiki.cloudsecurityalliance.org/guidance/index.php/Cloud_Computing_Architectural_Framework
     http://www.computer.org/csdl/mags/sp/2011/02/msp2011020050-abs.html
  126. AWS Management
     • No longer any reason to not use IAM
     • Enable:
       • IAM
       • MFA (for account and IAM accounts)
     • Create groups and assign permissions appropriate for organizational model
     • Consider using separate top-level accounts for compartmentalization
  131. AWS Security Features and Services
     • Understand security features, limitations, and options of the features you use
       • S3 - encryption, MFA delete, versioning
       • EC2 - dedicated instances, disabling API termination
     • Consider VPC based on use cases and requirements
  137. AWS Resource Security
     • Review access requirements for AWS resources
       • S3 buckets, SimpleDB domains, SQS queues
     • Apply resource policies to control access appropriately
     • Use policy conditions to enhance security
       • SourceIP, CurrentTime, SecureTransport
  141. Secure AWS Operations
     • Understand security group/ACL differences
       • Design and implement according to architectural requirements
     • Actively manage and monitor accounts and credentials
  148. Other Recommendations
     • Tools like boto are useful for security monitoring and analysis
     • Keep an eye on:
       • http://aws.typepad.com/
       • @jeffbarr
       • AWS Endpoints: http://docs.amazonwebservices.com/general/latest/gr/rande.html
       • EC2 IP Ranges: https://forums.aws.amazon.com/forum.jspa?forumID=30
  152. Takeaways
     • AWS provides an array of services that allow you to construct and operate large scale web services in a self-service, pay as you go model
     • The cloud operating model requires you to understand the security responsibilities of both provider and consumer
     • Understanding AWS’ security features and capabilities and taking a systematic approach to AWS security will help ensure optimized and secure service use
  153. Thanks! Questions? chan@netflix.com
  154. Backup Slides
  155. Cloud and Platform Engineering
     Engineering Tools            Orchestration, build and deployment
     Cloud Solutions              Monitoring, consulting, Simian Army
     CORE                         24/7 site reliability
     Platform Engineering         Core shared components and libraries
     Security                     Application, engineering, and operational
     Cloud Database Engineering   Cassandra, SDB, RDS
     Cloud Performance            Testing, optimization, cost
     Cloud Architecture           Overall design patterns
  156. Netflix PaaS
     • Supports all AWS regions and availability zones
     • Supports multiple AWS accounts
     • One-click deployment and load balancing across three datacenters
     • Cross-region and account data replication and archive
     • Dynamic and fine-grained security
     • Automatic scaling to thousands of instances
     • Monitoring for millions of metrics
     • Base server and client
     • I18n, L10n, geo IP routing
     http://www.slideshare.net/netflix
  159. Security Monkey
     http://techblog.netflix.com/2011/07/netflix-simian-army.html
     • Centralized framework for cloud security monitoring and analysis
     • Leverages AWS APIs and common security tools
  160. Security Monkey
     • Certificate monitoring
     • Security group monitoring
     • Exposed instances/applications
     • Web application vulnerability scanning
     • Upcoming:
       • Policy analysis (firewall, user, S3, etc.)
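The security group monitoring listed here, and the db/app rule from the "Controlling Network Traffic" slide, are illustrated by this added example. It is not Security Monkey's code and the snapshot format is my own, not boto's DescribeSecurityGroups output: it flags world-open ingress on non-web ports and diffs two constructed snapshots to surface rule drift.

```python
import ipaddress

# Constructed security group snapshots. Each rule: protocol ("tcp", "udp", "icmp"
# or "-1" for all), a port range, and a source that is either a CIDR or
# "sg:<group>" for a source security group.
BASELINE = {
    "app": [
        {"proto": "tcp", "from": 80, "to": 80, "src": "0.0.0.0/0"},
        {"proto": "tcp", "from": 443, "to": 443, "src": "0.0.0.0/0"},
    ],
    # The slide's rule: ec2-authorize db -P tcp -p 3306 -s app
    "db": [{"proto": "tcp", "from": 3306, "to": 3306, "src": "sg:app"}],
}

# Later snapshot: 3306 has also been opened to the world and an SSH rule added.
DRIFTED = {
    "app": list(BASELINE["app"]),
    "db": BASELINE["db"] + [
        {"proto": "tcp", "from": 3306, "to": 3306, "src": "0.0.0.0/0"},
        {"proto": "tcp", "from": 22, "to": 22, "src": "10.0.0.0/8"},
    ],
}

# Ports on which a world-open ingress rule is tolerated (public web tier only).
PUBLIC_PORTS = {80, 443}


def rule_key(rule):
    return (rule["proto"], rule["from"], rule["to"], rule["src"])


def is_world_open(rule):
    """True for a CIDR source that covers every address (0.0.0.0/0 or ::/0)."""
    if rule["src"].startswith("sg:"):
        return False
    return ipaddress.ip_network(rule["src"], strict=False).prefixlen == 0


def world_open_findings(groups):
    """Ingress rules reachable from anywhere on ports outside PUBLIC_PORTS."""
    findings = []
    for name in sorted(groups):
        for rule in groups[name]:
            if not is_world_open(rule):
                continue
            all_ports = rule["proto"] == "-1"
            ports = set() if all_ports else set(range(rule["from"], rule["to"] + 1))
            if all_ports or not ports <= PUBLIC_PORTS:
                findings.append((name, rule_key(rule)))
    return findings


def diff_snapshots(old, new):
    """Rules added and removed between two snapshots, per group, in sorted order."""
    added, removed = [], []
    for name in sorted(set(old) | set(new)):
        before = {rule_key(r) for r in old.get(name, [])}
        after = {rule_key(r) for r in new.get(name, [])}
        added += [(name, k) for k in sorted(after - before)]
        removed += [(name, k) for k in sorted(before - after)]
    return added, removed


def report(old, new):
    """Combine the drift and exposure checks the way a periodic monitor would."""
    added, removed = diff_snapshots(old, new)
    return {"added": added, "removed": removed, "exposed": world_open_findings(new)}
```

A real monitor would fill the snapshot dicts from the EC2 API (boto, as the slides suggest) on a schedule and alert on a non-empty "exposed" or "added" list.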
  161. References
     • http://www.slideshare.net/netflix
     • http://techblog.netflix.com
     • https://cloudsecurityalliance.org/
