Implementing the Top 10 AWS Security Best Practices

Hard Lessons Learned from defending Adobe Creative Cloud on AWS! Insight into implementing a solid Security Architecture based on a mutual conversation between DevOps and SecOps!

Published in: Technology
  1. IMPLEMENTING THE TOP 10 AWS SECURITY BEST PRACTICES
     Copyright © 2016 evident.io
     Justin Lundy, Co-Founder / CTO
     Sebastian Taphanel, CISSP-ISSEP, Federal Solutions Architect
     6 April 2016
  2. Security *IS* a Shared Responsibility
     When we gave developers the power to create infrastructure, security became their responsibility, too.
  3. AWS Shared Security Responsibility Model
  4. Top 10 AWS Security Best Practices
     1. Disable root API access key and secret key
     2. Enable MFA tokens everywhere
     3. Reduce number of IAM users with Admin rights
     4. Use Roles for EC2
     5. Least privilege: limit what IAM entities can do with strong/explicit policies
     6. Rotate all the keys regularly
     7. Use IAM roles with STS AssumeRole where possible
     8. Dampen DDoS with complementary services
     9. Do not allow 0.0.0.0/0 in any EC2/ELB security group unless you mean it
     10. Watch world-readable/listable S3 bucket policies
     0. Enable CloudTrail Logging & Encryption
     http://blog.evident.io/blog/2016/2/10/implementing-the-top-10-aws-security-best-practices
  5. #0 - ENABLE CLOUDTRAIL LOGGING & ENCRYPTION
     • Do this first
     • You can’t get a log file if you don’t turn it on
     • Consolidate logs
     • Set up S3 Lifecycle
     • Only enable one global region
     • Encrypt everywhere
       • S3
       • EBS
       • SSL
       • Rest
       • Flight
       • Not only at night…
  6. #1 - DISABLE ROOT ACCOUNT API ACCESS KEY
     • “Root” account has no restrictions
     • Create administrative IAM users
     • Use Roles for EC2 (#4)
     • Make sure billing and contact questions are filled out
     • Bonus: Set up MFA on root and throw away the key!
  7. #2 - ENABLE MFA TOKENS EVERYWHERE
     • Provide an additional factor to the authentication step
     • MFA is assigned to root account and IAM users
     • Can be assigned to roles
     • Physical or virtual
     • Virtual has choices (Google Authenticator, Authy, etc.)
  8. #3 - REDUCE NUMBER OF IAM USERS WITH ADMIN
     • How many people have the keys to your kingdom?
     • Not just people - apps
     • Review IAM policies on Users, Groups and Roles
     • Remember #1
     • Consider Identity Federation
  9. #4 - USE ROLES FOR EC2
     • Do your EC2 instances need to contact other AWS Services?
     • AWS SDKs and aws-cli support EC2 Roles
     • Reduced attack surface area
     • Secure DevOps on EC2
       • Create an EC2-specific role
       • Assign a specific policy to that role
       • Launch an EC2 instance with that role
       • Easy to test with aws-cli on EC2
  10. #5 - LEAST PRIVILEGE
     • Programs should operate using the least amount of privilege to get the job done
     • IAM can get very granular
     • Works in tandem with #4 on EC2
     • Should be applied to all automated workflows, too
     • Very specific IAM policies - only allow what you mean
     • IAM managed policies make this easier
     • Use the IAM policy generator and policy simulator to help
  11. #6 - ROTATE ALL THE KEYS REGULARLY
     • Compromised access keys are very annoying and can cost your business dearly
     • IAM users should have keys rotated every 90 days minimum
     • Mostly useful for when Roles for EC2 won’t work in automated workflows
     • Sample process:
       • Track age of Access Keys
       • Create new key
       • Supply key to automation process
       • Test
       • Deactivate old key
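An added example (not from the deck) for the first two steps of the sample process above, in Python over the JSON shape that `aws iam list-access-keys` returns: it reports active keys older than the 90-day limit and checks whether a new key can be created, since IAM caps a user at two access keys. The key list, user name, key ids and "now" date are constructed for the example.

```python
from datetime import datetime, timezone

# Constructed sample of `aws iam list-access-keys --user-name deploy-bot` output.
# The key ids are placeholders in the AKIA... shape, not real credentials.
LIST_ACCESS_KEYS_OUTPUT = {"AccessKeyMetadata": [
    {"UserName": "deploy-bot", "AccessKeyId": "AKIAEXAMPLEOLD000001",
     "Status": "Active", "CreateDate": "2015-11-01T09:15:00+00:00"},
    {"UserName": "deploy-bot", "AccessKeyId": "AKIAEXAMPLENEW000002",
     "Status": "Active", "CreateDate": "2016-03-20T12:00:00+00:00"},
]}

MAX_AGE_DAYS = 90       # the slide's minimum rotation interval
MAX_KEYS_PER_USER = 2   # IAM's limit on access keys per user
TALK_DATE = datetime(2016, 4, 6, 12, 0, tzinfo=timezone.utc)  # "now" for the sample


def key_age_days(key, now):
    """Age of an access key in whole days, from its CreateDate timestamp."""
    return (now - datetime.fromisoformat(key["CreateDate"])).days


def keys_due_for_rotation(output, now, max_age_days=MAX_AGE_DAYS):
    """Step 1 of the sample process: return (user, key id, age in days) for
    every active key older than the limit. Inactive keys only need deleting."""
    return [(k["UserName"], k["AccessKeyId"], key_age_days(k, now))
            for k in output["AccessKeyMetadata"]
            if k["Status"] == "Active" and key_age_days(k, now) > max_age_days]


def can_create_new_key(output, user_name):
    """Step 2 (create new key) fails when the user already holds the maximum
    number of keys; the stale key must be deactivated and deleted first."""
    count = sum(1 for k in output["AccessKeyMetadata"] if k["UserName"] == user_name)
    return count < MAX_KEYS_PER_USER
```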
  12. #7 - USE IAM ROLES WITH STS ASSUME ROLE
     • Similar to EC2 Roles
     • Can be used in place of privileged IAM user Access Keys
     • Temporary credentials
     • Allows for 3rd parties such as Evident.io to access your AWS accounts more securely
     • Extended version of AssumeRole allows for Identity Federation
     (diagram: temporary security credential)
  13. #8 - DAMPEN DDOS WITH COMPLEMENTARY SERVICES
     • AutoScaling allows you to increase number of EC2 instances automatically
       • More instances means site stays up
       • Small price to pay for site reliability
     • You may need a temporary increase in EC2 limits
     • You may need to temporarily increase desired number of instances in ASG
     • Work with AWS, they may be able to help you on the network edge
     • Add CloudFront Content Distribution
     • Add WAF Rate Blacklisting w/Lambda
  14. #9 - DO NOT ALLOW ALL IN SECURITY GROUPS
     • Unless you really mean it
     • Like leaving the door wide open
     • EC2 IP address range is a favorite for scanners
     • Monitor Security Groups regularly (HINT: Evident.io can help)
     • Affects not just EC2 instances, but:
       • ELBs
       • RDS Database Servers
       • ElastiCache Clusters
       • EMR Nodes
       • and others…
  15. #10 - WATCH READABLE AND LISTABLE S3 BUCKETS
     • Open S3 buckets a favorite for trolling for API Access Keys
     • Check your Bucket ACLs regularly
     • Watch for all grantees, including AuthenticatedUsers
     • Check your Bucket Policies regularly
     For more content on AWS security and compliance best practices check out the Evident.io blog at blog.evident.io
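An added example (not from the deck) covering both #9 and #10 in Python: the first function walks the JSON that `aws ec2 describe-security-groups` returns and reports every inbound rule open to 0.0.0.0/0 or ::/0, skipping only single TCP ports you mean to expose; the second walks `aws s3api get-bucket-acl` output and reports grants to AllUsers or AuthenticatedUsers. The group ids, owner id and both JSON samples are constructed.

```python
# Constructed sample of `aws ec2 describe-security-groups` output, trimmed to the
# fields used here. Group ids are placeholders.
DESCRIBE_SECURITY_GROUPS = {"SecurityGroups": [
    {"GroupId": "sg-0example1", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-0example2", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
]}

# Constructed sample of `aws s3api get-bucket-acl` output for one bucket.
BUCKET_ACL = {"Owner": {"ID": "example-owner-id"}, "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "example-owner-id"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"},
     "Permission": "READ"},
]}

WORLD_CIDRS = {"0.0.0.0/0", "::/0"}
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers",
}


def world_open_rules(describe_output, allowed_ports=(80, 443)):
    """Return (group id, protocol, from port, to port) for each inbound rule that any
    IPv4 or IPv6 address can reach, except single TCP ports you mean to expose.
    IpProtocol "-1" is all traffic and is always reported."""
    findings = []
    for group in describe_output["SecurityGroups"]:
        for perm in group["IpPermissions"]:
            cidrs = {r["CidrIp"] for r in perm.get("IpRanges", [])}
            cidrs |= {r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])}
            if not cidrs & WORLD_CIDRS:
                continue
            proto, lo, hi = perm["IpProtocol"], perm.get("FromPort"), perm.get("ToPort")
            if proto == "tcp" and lo == hi and lo in allowed_ports:
                continue  # the "unless you really mean it" case: one web port
            findings.append((group["GroupId"], proto, lo, hi))
    return findings


def public_acl_grants(acl):
    """Return (group name, permission) for every grant to AllUsers or to
    AuthenticatedUsers, which means any AWS account holder, not just yours."""
    return [(PUBLIC_GROUPS[g["Grantee"]["URI"]], g["Permission"]) for g in acl["Grants"]
            if g["Grantee"].get("Type") == "Group" and g["Grantee"].get("URI") in PUBLIC_GROUPS]
```

The same rule logic applies to the ELB, RDS, ElastiCache and EMR security groups the slide lists, since they all come back from the same describe call.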
  16. EVIDENT SECURITY PLATFORM (ESP) FOR AWS
     A cloud-native solution that automates key cloud security processes and enables consistent enforcement of security policies, best practices and compliance requirements across an organization’s AWS cloud infrastructure.
     • Continuous Visibility and Monitoring: 24x7 monitoring, configuration checking & risk-based threat analysis of all AWS Accounts, Services & Regions.
     • Actionable Intelligence: Rapid response and guided remediation of security alerts detected by ESP.
     • Security Automation & Integration: Manage compliance and automate security policy enforcement across the entire AWS infrastructure.
  17. How It Works
  18. Closing Thoughts:
     • Compliance ≠ Secure
     • Think about Residual Risk!
     • Keep up! Your opposition is..
     • Fail Early. Fail Often.
     • Embrace change
     • Cloud Security is a full contact (TEAM) sport!
     • A wise person seeks the counsel of many…
     • Shoutout to Justin Lundy / John Martinez / John Robel
  19. Online CloudSec Resources
     http://blog.evident.io/blog/2016/2/10/implementing-the-top-10-aws-security-best-practices
     https://d0.awsstatic.com/whitepapers/compliance/AWS_CIS_Foundations_Benchmark.pdf
     https://d0.awsstatic.com/whitepapers/aws-security-whitepaper.pdf
     https://cloudsecurityalliance.org/download/cloud-controls-matrix-v3-0-1/
     https://acloud.guru/learn/aws-certified-solutions-architect-associate
     https://www.isc2.org/ccsp/default.aspx
     https://azure.microsoft.com/en-us/blog/topics/security/
     https://cloud.google.com/security/
  20. Q & A - ANY QUESTIONS?
  21. THANKS FOR PARTICIPATING!
     SEBASTIAN TAPHANEL: SEBASTIAN@EVIDENT.IO
     HTTPS://WWW.LINKEDIN.COM/IN/SEBASTIANTAPHANEL
