AWS Security: A Practitioner's Perspective

Presented at the SF AWS Users group on 4/17/2012.


    1. AWS Security: A Practitioner's Perspective. Jason Chan, chan@netflix.com. San Francisco AWS Users Group, April 17, 2012
    2. Jason Chan
       • Cloud Security Architect @ Netflix
       • Previously: most recently led the security team at VMware; before that primarily security consulting at @stake and iSEC Partners
       • Some presentations at: http://www.slideshare.net/netflix
    3. Agenda
       • Goals and non-goals
       • AWS on one slide
       • Netflix in the cloud
       • AWS security: overview
       • AWS security: gotchas
       • AWS security: recommendations
       • Takeaways
    4-8. Non-Goals
       • Primer on general cloud security issues
       • AWS how-to
       • Comprehensive guide to AWS security
       • Info on designing for high availability
    9. AWS Overview
    10-13. AWS on a Slide
       "The cloud lets its users focus on delivering differentiating business value instead of wasting valuable resources on the undifferentiated heavy lifting that makes up most of IT infrastructure." - Werner Vogels (AWS CTO), August 25, 2009, 'All Things
    14. Netflix in the Cloud
    15-18. Outgrowing Data Center
       [Figure: Netflix API growth in requests, 37x growth 1/10 - 1/11, plotted against datacenter capacity]
       http://techblog.netflix.com/2011/02/redesigning-netflix-api.html
    19. Netflix Deployed on AWS
       [Figure: timeline, 2009-2011, of Netflix workloads moved to AWS, including content video masters (S3), logs (S3, Hive), play/DRM, WWW sign-up, API metadata, CS lookup, device diagnostics and actions, EC2/EMR Hadoop, CDN routing, search, config, movie and TV choosing, customer call log, business intelligence, social/Facebook, CDN logging, ratings, bookmarks, CS analytics, international]
       AWS services used: EC2, S3, SQS, SDB, VPC, ELB, EMR, Route53, IAM, SWF, CloudWatch, EBS, SNS, SES
    20. AWS Security Overview
       • Shared responsibility
       • AWS credentials and identifiers
       • Services, actions, and resources
       • Controlling network traffic
       • AWS security-related services
    21-26. Shared Responsibility
       [Diagram: the stack split between the parts YOU secure and the parts AWS secures]
       http://aws.amazon.com/security/
    27-32. AWS Credentials and Identifiers
       Account identifiers:
       • Account ID: 12-digit identifier
       • Canonical User ID: used for S3 permissioning
       Resource identifier:
       • Amazon Resource Name (ARN): unique resource identifier, e.g. arn:aws:sns:us-east-1:123456789012:mytopic (the account field is the 12-digit account ID)
       Sign-in credentials:
       • Main account e-mail/password: console access
       • IAM account name/password: console access
       • MFA token: hardware/software token for additional security
       Access credentials:
       • Access keys: REST API
       • X.509 certificates: SOAP API, EC2 tools
       • Key pairs: CloudFront, EC2
       http://docs.amazonwebservices.com/AWSSecurityCredentials/1.0/AboutAWSCredentials.html
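Because every policy, ACL and audit tool keys off ARNs, it is worth having a parser that refuses malformed ones (a 16-digit account ID, for instance, silently matches nothing). The following is an added example, not code from the talk: the six-field ARN layout is AWS's; the validation rules are this example's own.

```python
"""Parse and validate Amazon Resource Names (ARNs).

Added example for this deck, not code from the talk or from Netflix.
The six colon-separated fields are documented by AWS; the validation
rules applied here (12-digit account ID, non-empty service) are this
example's own checks.
"""
import re
from typing import NamedTuple


class Arn(NamedTuple):
    partition: str
    service: str
    region: str      # empty for global services such as IAM and S3
    account: str     # empty for S3 bucket/object ARNs
    resource: str    # may itself contain ':' and '/'


ACCOUNT_ID = re.compile(r"^\d{12}$")


def parse_arn(arn: str) -> Arn:
    """Split an ARN into its fields.

    Only the first five ':' are separators; everything after them is the
    resource field (e.g. 'function:name:alias' in a Lambda ARN), which is
    why maxsplit=5 matters.
    """
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn":
        raise ValueError(f"not an ARN: {arn!r}")
    a = Arn(*parts[1:])
    if not a.partition or not a.service:
        raise ValueError(f"ARN missing partition or service: {arn!r}")
    # Account IDs are exactly 12 digits; anything else is a typo or a
    # placeholder that will never match a real principal or resource.
    if a.account and not ACCOUNT_ID.match(a.account):
        raise ValueError(f"ARN account ID must be 12 digits: {a.account!r}")
    return a


def is_valid_arn(arn: str) -> bool:
    """Convenience wrapper for audit scripts: True if parse_arn accepts it."""
    try:
        parse_arn(arn)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print(parse_arn("arn:aws:sns:us-east-1:123456789012:mytopic"))
    print(parse_arn("arn:aws:s3:::testbucket/files/report.csv"))
```

The S3 case shows why the empty region and account fields have to be tolerated rather than rejected: a bucket ARN is `arn:aws:s3:::bucket`, with nothing between the colons.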
    33-44. AWS Services, Actions, and Resources
       Service   Action                                  Resource
       S3        Get Object, Delete Bucket               Bucket, Object
       EC2       Terminate Instances, Associate Address  Instance, AMI, EBS Volume
       AWS policies can be applied to actions and resources. Compatibility is service-dependent.
       http://docs.amazonwebservices.com/IAM/latest/UserGuide/Using_SpecificProducts.html
    45-52. Policies - Example
       {
         "Statement": [
           {
             "Action": ["s3:GetObject"],
             "Effect": "Allow",
             "Resource": "arn:aws:s3:::testbucket/files/*",
             "Condition": {
               "DateLessThanEquals": { "aws:CurrentTime": "2012-05-31T12:00:00Z" },
               "IpAddress": { "aws:SourceIp": "1.1.1.1" }
             },
             "Principal": { "AWS": ["123456789012"] }
           }
         ]
       }
       Reading the statement:
       • Action: which service, and which actions? (s3:GetObject)
       • Effect: allow or deny?
       • Resource: which resource? (objects under files/ in testbucket)
       • Condition (optional): any conditions? (only until 2012-05-31T12:00:00Z, and only from source IP 1.1.1.1)
       • Principal: to whom does the policy apply? (AWS account 123456789012)
       Policy generator: http://awspolicygen.s3.amazonaws.com/policygen.html
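To see how the five elements combine, here is a small evaluator that runs the slide's policy against request contexts. This is an added example, not part of the talk, and it is a deliberately incomplete model of the IAM policy language: only the elements on the slide, plus the `aws:SecureTransport` condition the deck recommends later, are implemented, and the layering of identity policies over resource policies is ignored.

```python
"""Evaluate the deck's example bucket policy against request contexts.

Added example, not part of the talk.  Models only Action, Effect,
Resource, Condition (four operators) and Principal; real IAM evaluation
also combines identity and resource policies and supports many more
operators.  Explicit Deny beats Allow, and no match is an implicit deny.
"""
import fnmatch
import ipaddress
from datetime import datetime, timezone

# The policy from the slide, with the same values.
POLICY = {
    "Statement": [
        {
            "Action": ["s3:GetObject"],
            "Effect": "Allow",
            "Resource": "arn:aws:s3:::testbucket/files/*",
            "Condition": {
                "DateLessThanEquals": {"aws:CurrentTime": "2012-05-31T12:00:00Z"},
                "IpAddress": {"aws:SourceIp": "1.1.1.1"},
            },
            "Principal": {"AWS": ["123456789012"]},
        }
    ]
}

# Same policy plus a Deny of all S3 actions over plain HTTP (aws:SecureTransport).
HARDENED = {
    "Statement": POLICY["Statement"] + [
        {
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::testbucket/*",
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        }
    ]
}


def _parse_time(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def _condition_holds(operator, key, expected, ctx):
    """True when one condition entry is satisfied by the request context."""
    if key not in ctx:
        return False                     # a missing key never satisfies a positive operator
    actual = ctx[key]
    if operator == "DateLessThanEquals":
        return _parse_time(actual) <= _parse_time(expected)
    if operator == "IpAddress":
        # A bare address such as "1.1.1.1" is treated as a /32 network.
        return ipaddress.ip_address(actual) in ipaddress.ip_network(expected, strict=False)
    if operator == "Bool":
        return str(actual).lower() == str(expected).lower()
    if operator == "StringEquals":
        return actual == expected
    raise ValueError(f"unsupported operator {operator}")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def evaluate(policy, ctx):
    """Return 'Allow', 'Deny' or 'ImplicitDeny' for a request context.

    ctx keys: principal, action, resource, plus any condition keys
    (aws:CurrentTime, aws:SourceIp, aws:SecureTransport, ...).
    """
    decision = "ImplicitDeny"
    for st in policy["Statement"]:
        principal = st.get("Principal", "*")
        principals = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
        if "*" not in principals and ctx["principal"] not in principals:
            continue
        if not any(fnmatch.fnmatchcase(ctx["action"], a) for a in _as_list(st["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(ctx["resource"], r) for r in _as_list(st["Resource"])):
            continue
        conds = st.get("Condition", {})
        if not all(_condition_holds(op, k, v, ctx)
                   for op, kv in conds.items() for k, v in kv.items()):
            continue
        if st["Effect"] == "Deny":
            return "Deny"                # explicit deny wins regardless of order
        decision = "Allow"
    return decision
```

Note what the conditions buy you: the same access key, from a different address or after the deadline, gets an implicit deny without anyone rotating credentials.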
    53-55. Controlling Network Traffic in AWS
       Example: App Server -> TCP 3306 -> DB Server
       Cisco configuration: permit tcp host 1.1.1.1 host 2.2.2.2 eq 3306
       AWS configuration: ec2-authorize db -P tcp -p 3306 -o app
       (ec2-authorize takes a source security group with -o; -s expects a source CIDR. The AWS rule is expressed in terms of groups rather than host addresses, so it keeps working as instances come and go.)
    56-59. Security Groups & ACLs
       Type                 Stateful  Ingress  Egress  EC2  VPC  Cross-Account  Dynamic Membership
       EC2 Security Group   Y         Y        N       Y    N    Y              N
       VPC Security Group   Y         Y        Y       N    Y    N              Y
       DB Security Group    Y         Y        N       Y    Y    Y              Y
       VPC Network ACL      N         Y        Y       N    Y    N/A            N/A
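The Stateful column is the one that bites in practice: a security group remembers the flow it admitted and lets the reply out, whereas a network ACL judges every packet on its own and needs an explicit outbound rule for the ephemeral reply ports. The following simulation of that difference is an added example, not from the talk; the packet and rule model (TCP only, first match wins, remote side given as a CIDR) is this example's own simplification.

```python
"""Why the Stateful column matters: one MySQL flow through a security
group versus a network ACL.  Added example, not from the talk; the
packet/rule model is a simplification (TCP only, first match wins).
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int


@dataclass(frozen=True)
class Rule:
    direction: str   # "in" or "out", from the filtered host's point of view
    cidr: str        # the remote side of the connection
    ports: tuple     # (low, high): local port for "in", remote port for "out"
    allow: bool = True


def _matches(rule, pkt, local_ip):
    if rule.direction == "in":
        if pkt.dst != local_ip:
            return False
        remote, port = pkt.src, pkt.dport
    else:
        if pkt.src != local_ip:
            return False
        remote, port = pkt.dst, pkt.dport
    return (ipaddress.ip_address(remote) in ipaddress.ip_network(rule.cidr)
            and rule.ports[0] <= port <= rule.ports[1])


@dataclass
class Filter:
    local_ip: str
    rules: list
    stateful: bool
    flows: set = field(default_factory=set)   # admitted flows, stateful only

    def permits(self, pkt):
        direction = "in" if pkt.dst == self.local_ip else "out"
        # Stateful: the reply to an admitted flow passes with no rule of its own.
        if self.stateful and (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows:
            return True
        for r in self.rules:
            if r.direction == direction and _matches(r, pkt, self.local_ip):
                if r.allow and self.stateful:
                    self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
                return r.allow
        return False                           # nothing matched: dropped


# Constructed sample flow: app server 10.0.1.10 -> db server 10.0.2.20:3306
REQUEST = Packet("10.0.1.10", "10.0.2.20", 45000, 3306)
REPLY = Packet("10.0.2.20", "10.0.1.10", 3306, 45000)
MYSQL_IN = Rule("in", "10.0.1.0/24", (3306, 3306))
EPHEMERAL_OUT = Rule("out", "10.0.1.0/24", (1024, 65535))


def db_reachable(filter_):
    """True only if both the request and its reply get through."""
    return filter_.permits(REQUEST) and filter_.permits(REPLY)


if __name__ == "__main__":
    print("security group:", db_reachable(Filter("10.0.2.20", [MYSQL_IN], stateful=True)))
    print("NACL, in only :", db_reachable(Filter("10.0.2.20", [MYSQL_IN], stateful=False)))
    print("NACL, in+out  :", db_reachable(Filter("10.0.2.20", [MYSQL_IN, EPHEMERAL_OUT], stateful=False)))
```

The third case is the usual fix for a "connection hangs after SYN" symptom on a VPC subnet with a restrictive network ACL: the inbound 3306 rule was there, the outbound rule for the client's ephemeral port range was not.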
    60. AWS Security-Related Services
       • Identity and Access Management (IAM)
         • Multi-Factor Authentication (MFA)
         • Security Token Service (STS)
       • Virtual Private Cloud (VPC)
    61. AWS Security Gotchas
       • AWS limits
       • IP addresses in EC2
       • Elastic Load Balancing security
       • S3 policies and object ownership
       • AWS resource logging
       • Delivering credentials to instances
    62-69. AWS Limits
       • "Because the cloud is infinite if your requirements are moderate"
       • Many AWS services have a variety of limits, some of which are easily discoverable
       • AWS services also have throttling (e.g. a maximum request rate)
       • Beware of self-DoS via automation and autoscaling
       • NOTE: http://aws.amazon.com/contact-us/ for limit increase requests
       • NOTE: track limits and inspect error messages
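Inspecting error messages in an automation loop means, concretely, recognising the throttling response and backing off instead of retrying in a tight loop and making the self-DoS worse. The following added example (not from the talk) shows capped exponential backoff with jitter; `FakeEc2` is a constructed stand-in for a real client that throttles the first few calls, and `RequestLimitExceeded` is the error code EC2 returns when the request rate is exceeded.

```python
"""Retry a throttled AWS API call with capped exponential backoff and
jitter.  Added example, not from the talk.  `FakeEc2` is a constructed
stand-in for a real client; the retryable codes are the ones AWS APIs
return when you exceed their request rate.
"""
import random
import time


class ThrottledError(Exception):
    """Simplified stand-in for a client error carrying an AWS error code."""
    code = "RequestLimitExceeded"


class FakeEc2:
    """Constructed client: rejects the first `fail_first` calls, then succeeds."""
    def __init__(self, fail_first):
        self.fail_first = fail_first
        self.calls = 0

    def describe_instances(self):
        self.calls += 1
        if self.calls <= self.fail_first:
            raise ThrottledError("Request limit exceeded.")
        return ["i-0123456789abcdef0"]


RETRYABLE = {"RequestLimitExceeded", "Throttling", "ThrottlingException"}


def call_with_backoff(fn, max_attempts=6, base=0.1, cap=5.0,
                      sleep=time.sleep, rng=random.random):
    """Call fn(); on a throttling error wait base*2^n (jittered, capped) and retry.

    Returns (result, attempts).  Gives up after max_attempts so a broken
    automation loop cannot hammer the API forever; any error that is not
    a throttling code is re-raised immediately rather than retried.
    `sleep` and `rng` are injectable so the schedule can be tested offline.
    """
    if max_attempts < 1:
        raise ValueError("max_attempts must be >= 1")
    for attempt in range(1, max_attempts + 1):
        try:
            return fn(), attempt
        except Exception as e:
            if getattr(e, "code", None) not in RETRYABLE or attempt == max_attempts:
                raise
            # Jitter spreads retries from many instances so they do not
            # all hit the API again in the same instant.
            delay = min(cap, base * 2 ** (attempt - 1)) * (0.5 + rng())
            sleep(delay)


if __name__ == "__main__":
    ec2 = FakeEc2(fail_first=3)
    print(call_with_backoff(ec2.describe_instances, sleep=lambda s: None))
```

Track the attempt counts this returns: a rising number of retries across a fleet is the early warning that autoscaling is about to push you into a hard limit.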
    70-72. EC2 IP Addresses
       • Each instance has two IPs: private and public
         # ec2-metadata
         ...
         local-hostname: ip-10-245-134-152.ec2.internal
         local-ipv4: 10.245.134.152
         ...
         public-hostname: ec2-72-44-52-70.compute-1.amazonaws.com
         public-ipv4: 72.44.52.70
         ...
    73-75. EC2 IP Addresses
       • Name resolution depends on client location: the public hostname resolves to the private IP from inside EC2 and to the public IP from the Internet
         # ec2-metadata -o
         local-ipv4: 10.245.134.152
         # dig +short ec2-72-44-52-70.compute-1.amazonaws.com
         10.245.134.152
         # dig @8.8.4.4 +short ec2-72-44-52-70.compute-1.amazonaws.com
         72.44.52.70
    76-84. EC2 IP Addresses
       • Both public and private IPs are dynamic
         • Elastic IPs can be used for persistent public IPs
       • Within a region, instances use their private IPs
       • Across regions and for Internet traffic, the public IP is used
       • NOTE: traffic to the public IP/EIP:
         • Incurs regional data transfer costs
         • Performs worse in-region
         • Does not preserve source security group info (so group-based rules cannot match it)
    85. Elastic Load Balancers
       [Diagram: Internet -> ELB -> Instance, Instance, Instance]
       • Service availability and traffic balancing across EC2 instances
       • Stable DNS for publicly-facing services: alias to the ELB DNS CNAME
       • SSL termination, session stickiness, etc.
    86-93. Elastic Load Balancers
       • ELB intercepts and forwards traffic
       • Traffic loses its source IP
         • Client IP is accessible via the X-Forwarded-For header (HTTP/HTTPS listeners); treat it as untrusted input, since a client can send its own X-Forwarded-For values ahead of the one the ELB appends
       • Backend instances must allow traffic from the ELB
         • Traffic from ELB == traffic from Internet
       • Without additional (non security group) filtering, ELBs should only be used for public use cases
       • NOTE: VPC ELBs can use security groups for limiting access
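Recovering the client address behind an ELB correctly matters for any IP-based control (rate limiting, allow-lists, audit logs). The ELB appends the connecting address as the last element of X-Forwarded-For, so anything to its left is client-controlled. The following is an added example, not from the talk; the `peer_addr`/`elb_addrs` check is an extra safeguard this example assumes you can implement (you know your ELB's addresses or that the backend only accepts connections from it).

```python
"""Recover the real client IP behind an ELB without trusting
client-supplied header data.  Added example, not from the talk.
"""
import ipaddress


def client_ip(headers, trusted_proxies=1, peer_addr=None, elb_addrs=None):
    """Return the client IP as a string, or None if it cannot be established.

    trusted_proxies: number of hops you control that appended to the
    header (1 for a lone ELB; 2 for ELB -> your own reverse proxy).
    peer_addr/elb_addrs: optional check that the TCP peer really is one
    of your load balancers; a direct connection to the instance could
    otherwise forge the whole header.  Both are assumptions of this
    example, not ELB features.
    """
    if elb_addrs is not None and peer_addr not in elb_addrs:
        return None                       # not via the ELB: header is worthless
    raw = headers.get("X-Forwarded-For")
    if raw is None:
        return None
    hops = [h.strip() for h in raw.split(",") if h.strip()]
    if len(hops) < trusted_proxies:
        return None                       # fewer entries than trusted hops: malformed
    # Count from the right: the rightmost entries were appended by proxies
    # you trust; everything left of them came from the client.
    candidate = hops[-trusted_proxies]
    try:
        return str(ipaddress.ip_address(candidate))
    except ValueError:
        return None                       # garbage injected by the client


if __name__ == "__main__":
    # Constructed header: the client prepended a fake value, the ELB appended the real one.
    print(client_ip({"X-Forwarded-For": "10.0.0.1, 203.0.113.7"}))   # 203.0.113.7
```

The common bug is `split(",")[0]`, which hands the attacker the address of their choice; with one ELB in front of you the correct choice is the last element.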
    94-100. S3 Policies and Object Ownership
       • An S3 bucket is similar to a container, an object similar to a file
       • Access control can be applied via bucket policy, bucket ACL, and object ACLs
       • NOTE: objects only inherit bucket-level permissions if written by the bucket owner
         • Default ACL is "object creator: full control"
         • Objects written by a non bucket owner are inaccessible to the bucket owner
       • Use the x-amz-acl header on write to fix permissions (the canned ACL bucket-owner-full-control grants the bucket owner full control of the new object)
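Both sides of a cross-account write can enforce the fix: the writer sends the canned ACL on every PUT, and the bucket owner's policy refuses any PUT that omits it (the `s3:x-amz-acl` condition key), so a forgetful writer fails fast instead of leaving objects the bucket owner cannot read. This is an added example, not from the talk; `check_put` models only the Deny statement, not full policy evaluation, and the bucket and account values are placeholders.

```python
"""Two sides of the S3 cross-account write problem.  Added example, not
from the talk.  Writer side: the PUT carries the canned ACL
bucket-owner-full-control.  Bucket side: a policy that denies any
PutObject lacking that ACL.  `check_put` models the Deny statement only.
"""

BUCKET = "testbucket"                  # placeholder values for the example
WRITER_ACCOUNT = "123456789012"


def put_headers_for_cross_account_write(content_type="application/octet-stream"):
    """Headers a non-owner writer should send on PUT Object."""
    return {
        "Content-Type": content_type,
        # Grants the bucket owner FULL_CONTROL on the new object; the writer
        # still owns it, but the owner can now read, re-ACL or delete it.
        # Without this the default ACL is "object creator: full control" only.
        "x-amz-acl": "bucket-owner-full-control",
    }


def require_owner_full_control_policy(bucket=BUCKET, writer_account=WRITER_ACCOUNT):
    """Bucket policy: allow the writer to PUT, but deny any PUT whose
    x-amz-acl is not bucket-owner-full-control (including a missing header)."""
    objects = f"arn:aws:s3:::{bucket}/*"
    return {
        "Statement": [
            {
                "Sid": "AllowWriterPut",
                "Effect": "Allow",
                "Principal": {"AWS": [writer_account]},
                "Action": ["s3:PutObject"],
                "Resource": objects,
            },
            {
                "Sid": "DenyPutWithoutOwnerControl",
                "Effect": "Deny",
                "Principal": "*",
                "Action": ["s3:PutObject"],
                "Resource": objects,
                "Condition": {
                    "StringNotEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}
                },
            },
        ]
    }


def check_put(policy, headers):
    """True if a PUT with these headers survives the policy's Deny statements.

    Mirrors IAM semantics for StringNotEquals: a request that lacks the
    key altogether satisfies the condition, so the Deny applies.  A real
    evaluation also needs the matching Allow, which the policy supplies.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    for st in policy["Statement"]:
        if st["Effect"] != "Deny":
            continue
        for key, expected in st.get("Condition", {}).get("StringNotEquals", {}).items():
            header = key.split(":", 1)[1]          # "s3:x-amz-acl" -> "x-amz-acl"
            if lowered.get(header) != expected:
                return False
    return True


if __name__ == "__main__":
    pol = require_owner_full_control_policy()
    print(check_put(pol, put_headers_for_cross_account_write()))   # True
    print(check_put(pol, {"Content-Type": "text/plain"}))           # False
```

The Deny with `Principal: "*"` also covers the bucket owner's own IAM users, which is harmless (they own what they write) and keeps the policy simple.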
    101-105. AWS Resource Logging
       • AWS APIs and resources are publicly (Internet) accessible
       • So your management interfaces, file store, databases, etc. are publicly addressable
       • Preventing access is generally possible through policy configuration
       • NOTE: AWS provides no capability for logging or auditing resource access
    106-111. Delivering Credentials to EC2 Instances
       • AWS becomes more valuable when leveraging multiple services (e.g. EC2 + SQS, S3, etc.)
       • Access to resources will generally require credentials
       • Secure delivery and storage of credentials becomes difficult with scale and automation
       • Some ideas: http://shlomoswidler.com/2009/08/how-to-keep-your-aws-credentials-on-ec2.html
    112. AWS Security Recommendations
       • Systematic approach to AWS security
       • Shared responsibility
       • AWS management
       • AWS security features and services
       • Resource security
       • Operations security
    113-118. Systematic Approach to AWS Security
       • Understand the shared responsibility model
       • Management of AWS
       • AWS security features and services
       • AWS resource security
       • Secure AWS operations
    119. Shared Responsibility
       • Analyze what each side provides in terms of security controls
       • Understand legal/contractual aspects
       • Make plans to bridge any gaps
       https://wiki.cloudsecurityalliance.org/guidance/index.php/Cloud_Computing_Architectural_Framework
       http://www.computer.org/csdl/mags/sp/2011/02/msp2011020050-abs.html
    120-126. AWS Management
       • No longer any reason not to use IAM
       • Enable:
         • IAM
         • MFA (for the root account and IAM accounts)
       • Create groups and assign permissions appropriate for your organizational model
       • Consider using separate top-level accounts for compartmentalization
    127-131. AWS Security Features and Services
       • Understand security features, limitations, and options of the features you use
         • S3: encryption, MFA delete, versioning
         • EC2: dedicated instances, disabling API termination
       • Consider VPC based on use cases and requirements
    132-137. AWS Resource Security
       • Review access requirements for AWS resources
         • S3 buckets, SimpleDB domains, SQS queues
       • Apply resource policies to control access appropriately
       • Use policy conditions to enhance security
         • aws:SourceIp, aws:CurrentTime, aws:SecureTransport
    138-141. Secure AWS Operations
       • Understand security group/ACL differences
         • Design and implement according to architectural requirements
       • Actively manage and monitor accounts and credentials
    142-148. Other Recommendations
       • Tools like boto are useful for security monitoring and analysis
       • Keep an eye on:
         • http://aws.typepad.com/
         • @jeffbarr
         • AWS endpoints: http://docs.amazonwebservices.com/general/latest/gr/rande.html
         • EC2 IP ranges: https://forums.aws.amazon.com/forum.jspa?forumID=30
    149-152. Takeaways
       • AWS provides an array of services that allow you to construct and operate large scale web services in a self-service, pay-as-you-go model
       • The cloud operating model requires you to understand the security responsibilities of both provider and consumer
       • Understanding AWS' security features and capabilities and taking a systematic approach to AWS security will help ensure optimized and secure service use
    153. Thanks! Questions? chan@netflix.com
    154. Backup Slides
    155. Cloud and Platform Engineering
       • Engineering Tools: orchestration, build and deployment
       • Cloud Solutions: monitoring, consulting, Simian Army
       • CORE: 24/7 site reliability
       • Platform Engineering: core shared components and libraries
       • Security: application, engineering, and operational
       • Cloud Database Engineering: Cassandra, SDB, RDS
       • Cloud Performance: testing, optimization, cost
       • Cloud Architecture: overall design patterns
    156. Netflix PaaS
       • Supports all AWS regions and availability zones
       • Supports multiple AWS accounts
       • One-click deployment and load balancing across three datacenters
       • Cross-region and account data replication and archive
       • Dynamic and fine-grained security
       • Automatic scaling to thousands of instances
       • Monitoring for millions of metrics
       • Base server and client
       • I18n, L10n, geo IP routing
       http://www.slideshare.net/netflix
    157-159. Security Monkey
       http://techblog.netflix.com/2011/07/netflix-simian-army.html
       • Centralized framework for cloud security monitoring and analysis
       • Leverages AWS APIs and common security tools
    160. Security Monkey
       • Certificate monitoring
       • Security group monitoring
       • Exposed instances/applications
       • Web application vulnerability scanning
       • Upcoming: policy analysis (firewall, user, S3, etc.)
    161. References
       • http://www.slideshare.net/netflix
       • http://techblog.netflix.com
       • https://cloudsecurityalliance.org/
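The "security group monitoring" item above, and the earlier recommendation to use boto for security monitoring, come down to pulling every group's rules through the API and flagging the ones that should not exist. The following is an added example, not Netflix's Security Monkey code: the group records are constructed sample data in the shape boto's security group objects expose (rules with ip_protocol, from_port, to_port and grants), and the audit logic is this example's own.

```python
"""Audit EC2 security groups for world-open sensitive ports and ranges,
the kind of check Security Monkey automates.  Added example, not
Netflix's code.  Group records are constructed here in the shape boto
returns; a real run would build them from conn.get_all_security_groups().
"""

# Ports that should never be reachable from 0.0.0.0/0 on an internal tier.
SENSITIVE_PORTS = {22: "ssh", 3306: "mysql", 3389: "rdp",
                   5432: "postgres", 6379: "redis", 27017: "mongodb"}


def _port_range(rule):
    lo, hi = rule["from_port"], rule["to_port"]
    if lo is None or hi is None:           # ip_protocol "-1": all ports
        return 0, 65535
    return int(lo), int(hi)


def audit_groups(groups):
    """Return findings as (group, protocol, (low, high), grant, reason).

    Two things are flagged when the grant is 0.0.0.0/0: a rule that covers
    any sensitive port, and a rule that spans more than one port (a range
    open to the world almost always exposes more than intended).  Rules
    granted to another security group or to a scoped CIDR are not flagged.
    """
    findings = []
    for g in groups:
        for rule in g["rules"]:
            lo, hi = _port_range(rule)
            for grant in rule["grants"]:
                if grant.get("cidr_ip") != "0.0.0.0/0":
                    continue
                hits = sorted(name for p, name in SENSITIVE_PORTS.items() if lo <= p <= hi)
                if hits:
                    reason = "world-open " + ",".join(hits)
                elif lo != hi:
                    reason = "world-open port range"
                else:
                    continue                # a single non-sensitive port (e.g. 80) is a choice
                findings.append((g["name"], rule["ip_protocol"], (lo, hi), "0.0.0.0/0", reason))
    return findings


SAMPLE_GROUPS = [   # constructed sample data, boto-shaped
    {"name": "web", "rules": [
        {"ip_protocol": "tcp", "from_port": 80, "to_port": 80, "grants": [{"cidr_ip": "0.0.0.0/0"}]},
        {"ip_protocol": "tcp", "from_port": 443, "to_port": 443, "grants": [{"cidr_ip": "0.0.0.0/0"}]},
        {"ip_protocol": "tcp", "from_port": 22, "to_port": 22, "grants": [{"cidr_ip": "203.0.113.0/24"}]},
    ]},
    {"name": "db", "rules": [
        {"ip_protocol": "tcp", "from_port": 3306, "to_port": 3306,
         "grants": [{"group_name": "app", "owner_id": "123456789012"}]},
        {"ip_protocol": "tcp", "from_port": 22, "to_port": 22, "grants": [{"cidr_ip": "0.0.0.0/0"}]},
    ]},
    {"name": "legacy", "rules": [
        {"ip_protocol": "-1", "from_port": None, "to_port": None, "grants": [{"cidr_ip": "0.0.0.0/0"}]},
    ]},
]


if __name__ == "__main__":
    for finding in audit_groups(SAMPLE_GROUPS):
        print(finding)
```

Run on a schedule and diffed against the previous run, the output is exactly the alert stream a monitoring framework needs: a new world-open rule shows up as a new finding, whoever added it.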
