AWS Security and SecOps

  1. Solutions Architect
  2. JOB ZERO
  3. exactly GxP ISO 13485 AS9100 ISO/TS 16949 AWS Foundation Services Compute Storage Database Networking AWS Global Infrastructure Regions Availability Zones Edge Locations AWS is responsible for the security OF the Cloud
  4. AWS Foundation Services Compute Storage Database Networking AWS Global Infrastructure Regions Availability Zones Edge Locations Client-side Data Encryption Server-side Data Encryption Network Traffic Protection Platform, Applications, Identity & Access Management Operating System, Network, & Firewall Configuration Customer applications & content Customers Customers have their choice of security configurations IN the Cloud AWS is responsible for the security OF the Cloud
  5. Availability Zone A Resilient applications architecture Customer content backups, archives and continuity solutions Resilient infrastructure configurations Customer resilience and recovery processes Customers Customers control how they manage continuity and recovery AWS builds resilient services and features to help customers Availability Zone B AWS business resiliency processes Customer content, transactions and data-stores
  6. NIST 800-53 PCI-DSS AWS managed and audited controls Customers control SOC 2 SOC 1 ISO 27001 Other AWS service features Logging AWS provided, customer configured and managed controls Key management Virtual Private Cloud Customer provided and managed controls Technology risks Customer risk appetite and desired control environment Sourcing risks Business risks Security risks Compliance IDaM Encryption Classification Monitoring ITSM Governance Security policy Operations Malware Risk management Customers decide on the appropriate controls and manage and monitor the effectiveness of those controls Customers take reliance on AWS control reports
  7. SECURITY IS VISIBILITY AND AUDITABILITY
  8. How often do you map your network? RIGHT NOW?
  9. You are making API calls... On a growing set of services around the world… AWS CloudTrail is continuously recording API calls… And delivering log files to you AWS CLOUDTRAIL Redshift AWS CloudFormation AWS Elastic Beanstalk
  10. and notifies you
  11. SECURITY IS CONTROL
  12. CONTENT
  13. control of privacy you choose to do so encryption any way that you choose access lifecycle and disposal Customers retain full ownership and control of their content
  14. US-WEST (Oregon) EU-WEST (Ireland) ASIA PAC (Tokyo) US-WEST (N. California) SOUTH AMERICA (Sao Paulo) US-EAST (Virginia) AWS GovCloud (US) ASIA PAC (Sydney) ASIA PAC (Singapore) CHINA (Beijing) EU-CENTRAL (Frankfurt) you put it Regions ASIA PAC (Seoul)
  15. WHO CAN DO WHAT
  16. segregate duties With AWS IAM you get to control who can do what in your AWS environment and from where Fine-grained control of your AWS cloud with two-factor authentication Integrated with your existing corporate directory using SAML 2.0 and single sign-on AWS account owner Network management Security management Server management Storage management
  17. NETWORK
  18. Availability Zone A Availability Zone B AWS Virtual Private Cloud • Provision a logically isolated section of the AWS cloud • You choose a private IP range for your VPC • Segment this into subnets to deploy your compute instances AWS network security • AWS network will prevent spoofing and other common layer 2 attacks • You cannot sniff anything but your own EC2 host network interface • Control all external routing and connectivity
  19. YOUR AWS ENVIRONMENT AWS Direct Connect YOUR PREMISES Digital Websites Big Data Analytics Dev and Test Enterprise Apps AWS Internet VPN
  20. CONTROL YOUR COMPUTE
  21. Launch instance EC2 AMI catalogue Running instance Your instance Hardening and configuration Audit and logging Vulnerability management Malware and IPS Whitelisting and integrity User administration Operating system Configure instance Configure your environment as you like You get to apply your existing security policy Create or import your own ‘gold’ images • Import existing VMs to AWS or save your own custom images Choose how to build your standard host security environment Apply your existing host controls and configurations
  22. First class security and compliance starts (but doesn’t end!) with encryption Automatic encryption with managed keys Bring your own keys Dedicated hardware security modules
  23. Key Management Service Encryption key management and compliance made easy
  24. you fully control the keys Increase performance Comply with stringent regulatory single tenant for you EC2 Instance AWS CloudHSM AWS CloudHSM You can also store your encryption keys in AWS CloudHSM
  25. REACT AND RESPOND
  26. CloudWatch Logs log everything and monitor events in those logs • Storage is cheap - collect and keep your logs • Store logs durably in write-only storage • Integration with CloudWatch Metrics and Alarms means you can continually scan for events you know might be suspicious IF (detect web attack > 10 in a 1 minute period) ALARM - INCIDENT IN PROGRESS NOTIFY CERT
  27. AUDIT EVERYTHING
  28. SECURITY + DEVOPS = DEVSECOPS
  29. OPS SEC DEV AppSec • Security as Code • Self-Service Testing • Red Team/Blue Team • Inline Enforcement • Analytics & Insights • Detect & Contain • Incident Response • Investigations • Forensics
  30. • Fun: Scan API + Ingest Config/CloudTrail, trigger fw audits and revert unapproved changes • Fun: Track known good CF stacks & AMIs, alert or neutralize non-compliant/non-approved deploys.
  31. • Fun: Enforce encryption of all assets with HIPAA or data classification tags. Continuous enforcement! (KMS!) • Fun: CloudTrail/Config user attribution of use/abuse. • More Fun: Maps to PCI DSS 7.1.3, COBIT DS5.4, ISO 17799, and more!
  32. SECURITY “EVENTS” Detect Investigate Protect Communicate
  33. "userIdentity": {
        "type": "IAMUser",
        "principalId": "AIDAI5WIMUDR2UZUI62VO",
        "arn": "arn:aws:iam::000123456789:user/reinvent-sec308",
        "accountId": "000123456789",
        "accessKeyId": "AKIAIRAHHRD3PHLUFJLQ",
        "userName": "reinvent-sec308"
      },
      "eventTime": "2015-09-23T00:41:45Z",
      "eventSource": "cloudtrail.amazonaws.com",
      "eventName": "StopLogging",
      "awsRegion": "us-west-2",
      "sourceIPAddress": "55.55.55.55",
      "userAgent": "aws-cli/1.7.25 Python/2.7.5 Darwin/13.4.0",
      "requestParameters": { "name": "CloudTrail-Default" },
      "responseElements": null,
      ....
  34. CloudTrail OFF event – Detect
      "CloudTrailStopMetricFilter": {
        "Type": "AWS::Logs::MetricFilter",
        "Properties": {
          "LogGroupName": { "Ref": "LogGroupName" },
          "FilterPattern": "{ ($.eventName = StopLogging) }",
          "MetricTransformations": [
            {
              "MetricNamespace": "CloudTrailMetrics",
              "MetricName": "CloudTrailEventCount",
              "MetricValue": "1"
            }
          ]
        }
      },
  35. CloudTrail OFF event – Detect
      "CloudTrailStoppedAlarm": {
        "Type": "AWS::CloudWatch::Alarm",
        "Properties": {
          "AlarmName": "CloudTrailStoppedAlarm",
          "AlarmDescription": "Alarms when StopLogging API call is made",
          "AlarmActions": [{ "Ref": "AlarmNotificationTopic" }],
          "MetricName": "CloudTrailEventCount",
          "Namespace": "CloudTrailMetrics",
          "ComparisonOperator": "GreaterThanOrEqualToThreshold",
          "EvaluationPeriods": "1",
          "Period": "300",
          "Statistic": "Sum",
          "Threshold": "1"
        }
      },
  36. "userIdentity": {
        "type": "IAMUser",
        "principalId": "AIDAI5WIMUDR2UZUI62VO",
        "arn": "arn:aws:iam::000123456789:user/reinvent-sec308",
        "accountId": "000123456789",
        "accessKeyId": "AKIAIRAHHRD3PHLUFJLQ",
        "userName": "reinvent-sec308"
      },
      "eventTime": "2015-09-23T00:41:45Z",
      "eventSource": "cloudtrail.amazonaws.com",
      "eventName": "StopLogging",
      "awsRegion": "us-west-2",
      "sourceIPAddress": "55.55.55.55",
      "userAgent": "aws-cli/1.7.25 Python/2.7.5 Darwin/13.4.0",
      "requestParameters": { "name": "CloudTrail-Default" },
      "responseElements": null,
      ....
  37. {
        "Sid": "Stmt0001",
        "Effect": "Deny",
        "Action": [
          "cloudtrail:DeleteTrail",
          "cloudtrail:StopLogging"
        ],
        "Resource": [ "*" ]
      }
  38. .....
      "eventTime": "2015-09-20T18:53:02Z",
      "eventSource": "iam.amazonaws.com",
      "eventName": "DeactivateMFADevice",
      "awsRegion": "us-east-1",
      "sourceIPAddress": "55.55.55.55",
      "userAgent": "signin.amazonaws.com",
      "requestParameters": {
        "userName": "bob",
        "serialNumber": "arn:aws:iam::000019241430:mfa/bob"
      },
      "responseElements": null,
      "requestID": "d1a9ebf8-5fc8-11e5-9d8f-1bc7c6757e61",
      .....
  39. http://blogs.aws.amazon.com/security/post/Tx2SJJYE082KBUK/How-to-Delegate-Management-of-Multi-Factor-Authentication-to-AWS-IAM-Users
  40. CloudTrail S3 Lambda Lambda SNS
  41. Users CloudFront Static Files S3 Bucket CloudFront Access Log S3 Bucket WAF Elastic Load Balancing Amazon Lambda Web Servers CloudWatch Amazon RDS DDoS X
  42. https://github.com/awslabs/aws-config-rules/
  43. ARE YOU WELL SECURED?
  44. cfn-nag aws-cf-checker
  45. Graffiti Monkey Janitor Monkey
  46. https://d0.awsstatic.com/whitepapers/compliance/AWS_CIS_Foundations_Benchmark.pdf https://www.sans.org/reading-room/whitepapers/incident/balancing-security-innovation-event-driven-automation-36837

Editor's Notes

  • AWS allows you to see your ENTIRE infrastructure at the click of a mouse
    Can you map your current network?
    Also, you can do that automatically via the API, as many times as you need.
  • Exciting new service – OK, exciting if you’re a security professional like me, perhaps not exciting as my kids view the world. CloudTrail is your eyes behind the scenes at AWS. It gives you insight into all of the API calls made which are associated with your account(s). It lets you understand who did what, from where, and when.
  • AWS KMS provides a single place to manage your organization’s encryption keys. KMS presents a single view for all of the key usage, and allows you to easily implement key creation, rotation, usage policies, and auditing to help keep all of your encryption key management in check.

    The AWS Key Management Service provides audit trail information directly to AWS CloudTrail. These audit trails help you meet compliance and regulatory requirements by providing logs of who used which key to access which data and when that access occurred.
  • Enterprises segregate important duties to reduce risk of accidental or malicious changes
    AWS allows fine-grained segregation across virtually all aspects of the service

    For example, you can segregate
    Who can change network configuration
    Who can change firewalls
    Who can change how the VPC connects to the Internet or back to your corporate premises
    Who can start and stop servers
    Who can snapshot and restore storage volumes

    AWS IAM offers a programmatic level of control and granularity that would not be possible to implement in traditional on-premises environments
  • You can use storage services, such as S3 and EBS, which allow you to encrypt data automatically, where we manage the keys on your behalf, so you don’t have to worry about them. You can also bring your own keys to use with S3 or EBS encryption, or you can use CloudHSM services, where you can store your keys in a physical piece of hardware which is specifically designed to be tamper-proof - if someone tries to break in, it shuts down and self-destructs.

    For a lot of customers, they are happy to let us manage the keys for them, however, other customers want more control over how keys are managed, and how they are put to use in their applications, across their data and within the organization.
  • These are services that can be directly used during an audit

    AWS Config
    This new service will really help you understand what is your current state of systems and relationships, and how they change over time.

    KMS
    Customer-managed key service

    CloudTrail
    API activity logs

    Trusted Advisor
    Automated security checks

    IAM console: at a glance view of Last AWS Sign-in
    A quick at-a-glance view from the IAM console showing those who have logged into AWS and how they did it.

    IAM Credential Reports
    This is in case you want evidence that your users are following security best practices, such as requiring MFA for administrative-level users.

    I’m going to spend a little time talking about some of these innovations for auditors.
  • Monitors information system accounts for and reports atypical usage of information system accounts.
  • Beetle: And if you click “Continue”, then when you look at a CloudTrail configuration screen, you can see that Logging is “OFF”.

    Speaking from the perspective of a security geek, it is probably a good idea to know if and when CloudTrail is turned off. But I would like to not have to visit each CloudTrail account configuration to figure that out.

    Josh, there has to be a better way for knowing if and when CloudTrail is turned off.
  • Josh: There is. With CloudTrail turned on, you have a record of the API request that turned CloudTrail OFF.

    Here is what that API request would look like. You will notice that the “StopLogging” API request was made to the CloudTrail service in the us-west-2 region.

  • Josh:
    So if we looked in that CloudFormation template, you would see something like this. This is an AWS CloudWatch Metric Filter that is defined within a CloudFormation template in JSON format.
    The important thing to notice is what is highlighted in white there – I’m filtering CloudTrail event records for the “EventName” of StopLogging.
    I can then use this metric in combination with an alarm to send me a notification when it is detected.
  • Josh:
    Here is a CloudWatch Alarm for the previous metric filter
  • Josh
    Now let’s investigate. As CloudTrail will log the event “StopLogging”, we can see who made the request to do this. So if we pull up the CloudTrail event, we can see the IAM user named ‘reinvent-sec308’ was the user who made this request and the request originated from 55.55.55.55.
  • Josh: So now that we know what happened, how could we protect this from happening in the future? Well, we could simply add an IAM policy to our IAM Groups or Roles in order to deny permissions we don’t want our users to have.
  • Beetle: When you look in your CloudTrail logs, this is a snippet of what the MFA Deactivate request would look like. Notice the EventName is “DeactivateMFADevice”.
  • Josh:
    But how can we force individuals to use their MFA devices? Well, we have a blog post that talks about that specifically. I’d recommend you check it out :
    http://blogs.aws.amazon.com/security/post/Tx2SJJYE082KBUK/How-to-Delegate-Management-of-Multi-Factor-Authentication-to-AWS-IAM-Users
  • [Josh]

    So some customers would prefer to know when unapproved AMIs are launched. So how can we detect this?
    Well, we’d want to compare each launched instance’s AMI against a whitelist of approved AMI IDs.
    What is the best way? A whitelist could be rather long…
  • [Josh]

    So let’s look at a flow diagram of how this works. We configure AWS CloudTrail to send logs to our Amazon S3 bucket. We then want Amazon S3 to send event notifications to Amazon SNS whenever a new log is deposited in the bucket. The SNS topic can have multiple Lambda subscribers, which can then each check and react to different things.
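A Lambda-style triage routine for the flow just described (CloudTrail log object in S3, fanned out through SNS to a function), as an added example that is not code from the deck or from AWS: it unpacks a gzipped CloudTrail log object, flags the StopLogging and DeactivateMFADevice events shown on the slides, and checks each RunInstances launch against an approved-AMI whitelist. The AMI IDs, the whitelist, and the second and third records are constructed for the demonstration; the S3/SNS plumbing and the alerting action are left to the caller.

```python
import gzip
import json

APPROVED_AMIS = {"ami-0000aaaa"}   # constructed whitelist, not a real image ID
WATCHED_EVENTS = {"StopLogging", "DeleteTrail", "DeactivateMFADevice"}

def parse_cloudtrail_object(raw):
    """CloudTrail writes gzipped JSON objects to S3; return their Records list."""
    if raw[:2] == b"\x1f\x8b":            # gzip magic bytes
        raw = gzip.decompress(raw)
    return json.loads(raw)["Records"]

def launched_amis(record):
    """RunInstances reports the launched instances in responseElements."""
    resp = record.get("responseElements") or {}
    items = resp.get("instancesSet", {}).get("items", [])
    return {item.get("imageId") for item in items}

def triage(records, approved=APPROVED_AMIS):
    """Return (finding, user, source IP) for every record worth an alarm."""
    findings = []
    for rec in records:
        who = rec.get("userIdentity", {}).get("userName", "?")
        src = rec.get("sourceIPAddress", "?")
        name = rec.get("eventName")
        if name in WATCHED_EVENTS:                 # logging/MFA tampering
            findings.append((name, who, src))
        elif name == "RunInstances":               # unapproved AMI check
            for ami in sorted(launched_amis(rec) - approved):
                findings.append(("UnapprovedAMI:" + ami, who, src))
    return findings

# Constructed sample: record 1 mirrors the slide's StopLogging event, 2 and 3 are made up.
SAMPLE = {"Records": [
    {"userIdentity": {"type": "IAMUser", "userName": "reinvent-sec308"},
     "eventTime": "2015-09-23T00:41:45Z", "eventName": "StopLogging",
     "eventSource": "cloudtrail.amazonaws.com", "awsRegion": "us-west-2",
     "sourceIPAddress": "55.55.55.55", "responseElements": None},
    {"userIdentity": {"type": "IAMUser", "userName": "bob"},
     "eventName": "RunInstances", "sourceIPAddress": "55.55.55.55",
     "responseElements": {"instancesSet": {"items": [
         {"imageId": "ami-0000aaaa"}, {"imageId": "ami-ffff9999"}]}}},
    {"userIdentity": {"type": "IAMUser", "userName": "bob"},
     "eventName": "DescribeInstances", "sourceIPAddress": "10.0.0.5"},
]}

def demo():
    blob = gzip.compress(json.dumps(SAMPLE).encode())   # as the Lambda would read it from S3
    return triage(parse_cloudtrail_object(blob))
```

In the real flow the SNS-triggered function would fetch the object named in the S3 event notification and hand the findings to an alerting topic; the benign DescribeInstances record produces no finding.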
