AWS Security Best Practices

© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
AWS Security Best Practices
Vasily Pantyukhin, AWS Solutions Architect

Security Is Easy…

It is the goal of every security organization
to build a system that, over time,
maximizes the delivered customer value
while minimizing the cost of that delivery.

© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
The most vulnerable part of the SYSTEM…

“The gradual process through which
unacceptable practice or standards become
acceptable. As the deviant behavior is repeated
without catastrophic results, it becomes the
social norm for the organization.”
Normalization of deviance

We can not patch our brain
https://www.kisspng.com/png-human-brain-cerebrum-spinal-cord-central-nervous-s-666789

"Good intentions never work, you need good
mechanisms to make anything happen"

Some
Lots
Many
Then
N
ow
Soon
Automation
Features vs support

Least Privilege = Maximum Effort

Prevention
Analysis Response
Detection
Preventing BAD things happening ->
preventing GOOD things happening

Prevention
Analysis Response
Detection
Shift focus to detective controls
cheaper to implement and don’t block innovation

Security Anti-Patterns
M i s t a k e s t o A v o i d

Anti-Pattern: A common response to a recurring problem
that is usually ineffective and risks being highly counterproductive

InfoSec Auditing
Four Types of Security Anti-Patterns
Account Structure Network Design Software Delivery

• Root login: one person’s inbox
• Root MFA: that person’s mobile phone
• Risk: What if they leave the company?
• Only root can edit this. AWS cannot.
Anti-Pattern: Personally Owned AWS Accounts

• Root email: team distribution list address
• Root MFA: hardware device, in office safe
• Contact info: company street address
• Phone number: company main number
• No one logs into account root! Use IAM only!
Best Practice: Group Contacts on All Accounts

Anti-Pattern: AWS Account Overcrowding
Database Team 7Personalization
Team
Privileged Admin Analytics Team 1

Analytics Team 1
Database Team 7
Personalization
Team
User Profiles Ops
Team
Capital Markets
UX Team
New App Dev
Team
DevSecOpsTeam
Random
Developer
Random
Contractor
Privileged Admin
BU Architect
Anti-Pattern: AWS Account Overcrowding

Risk: Ambiguous Security Boundaries
Analytics Team 1
Database Team 7
Personalization
Team
User Profiles Ops
Team
Capital Markets
UX Team
New App Dev
Team
DevSecOpsTeam
Random
Developer
Random
Contractor
Privileged Admin
BU Architect
?
? ?

Multi-Account Strategy: AWS Account is the single family home
Analytics Team 1 Database Team 7
DevOps Team
Capital
Markets UX
Team
New App Dev
Team
DevOpsTeam
Random
Contractor
SecOps
Auditor
BU Architect

Full Accountability: SecOps overlay across accounts
Capital Markets
UX Team
Portfolio API
Team
Monitoring AuthN,
AuthZ
Data
Protection
MonitoringAuthN,
AuthZ
Data
Protection
SecOps Team
Detective
Controls
Preventative
Controls
Directive
Controls
Service Integrations

Object Oriented Design: Each Biz Capability Team is a
Separate Object
Capital Markets
UX Team
Portfolio API
Team
Monitoring AuthN,
AuthZ
Data
Protection
MonitoringAuthN,
AuthZ
Data
Protection
REST API calls
Service Integrations

InfoSec Auditing
Account Structure Software DeliveryNetwork Design

• Routing is not security
• Dynamic IP whack-a-mole
• Doesn’t identify end users
• Not defense in depth
• Not highly scalable
Anti-Pattern: Trusted IP Access w/o Client Auth
HTTP (80) ALLOW 88.44.21.148
HTTP (80) ALLOW 64.23.0.0/16
HTTP (80) ALLOW 204.172.63.12
HTTP (80) ALLOW 183.62.242.71
Backend network
DMZ network
Backend Core Services
VPN 1
… and so many more …
VPN 2
Private Route 3
Private NAT 4

Design your web services to be publically
addressable, even if they’re not
• Especially for core services
• Highly scalable and auditable
• Defense in depth: stacked edge services
Best Practice: Implement AuthN and AuthZ
Amazon API Gateway
Amazon EC2
IAM Auth, Cert, or Custom Auth
AWS Lambda
AWS Shield
Amazon S3
bucket
Amazon
DynamoDB
Core Shared Resources
AWS CloudTrail
AWS API Calls
AWS
Service
Integration
AWS service Integrations
AWS VPC Endpoints

Account Structure Network Design Software DeliveryInfoSec Auditing

• How you audit yourself
• Manual technical audits
• Not highly scalable
• Inconsistent process
• Typically reactive
Anti-Pattern: Manual Technical Auditing

DevSecOps: security as code:
• Proactive controls enforced by code
• Continuous evidence-based auditing
Continuous detective controls:
• Amazon CloudWatch Logs + Alarms
• Amazon Inspector for EC2
• Amazon Macie for Amazon S3
• AWS Trusted Advisor
• AWS Config rules
• Cloud Conformity
• Cloud Custodian
• evident.io
• Dome9
• cfn-nag
• …and many more!
Best Practice: Continuous Automated Auditing

import boto3
ec2 = boto3.client('ec2')
regions = ec2.describe_regions()
# Lambda invoked by a CloudWatch Scheduled Event
def handler(event, context):
# scan each AWS region
for reg in regions['Regions']:
# check each RDS instance in region
rds = boto3.client('rds',
region_name = reg['RegionName'])
try:
dbis = rds.describe_db_instances()['DBInstances']
for dbi in dbis:
print '{} {} {}'.format(
reg['RegionName'],
dbi['DBInstanceIdentifier'],
dbi['StorageEncrypted'])
# react if database StorageEncrypted is False
• (Python example)
• Can be serverless
• Can be continuous
• Can log the results
• Can send alerts
• Can remediate
• No DB connection
• AWS Config rule:
RDS_STORAGE_ENCRYPTED
Example: Amazon RDS At-Rest Encryption Audit

The IKEA effect
We love it
more when we
do it ourselves
https://www.digitalsurgeons.com/thoughts/creative/the-ikea-effect-on-creatives/

Anti-Pattern: Not Using AWS Native-Managed Services
DevOps Team A DevOps Team B DevOps Team C DevOps Team D
Methodology sprawl: audit complications + patch drift

Consistency and Compliance from AWS-Managed Services
DevOps Team A DevOps Team B DevOps Team C DevOps Team D

• AWS Auditor Learning Path
• AWS Tech Essentials
• Goal: DevSecOps
Best Practice: Train Your Technical Auditors
https://docs.aws.amazon.com/general/latest/gr/aws-security-audit-guide.html

Development QA
Operations
Architecture
Anti-Pattern: Over-the-Wall Software Delivery

DevOps: Small Interdisciplinary Delivery Teams
Development QA
Operations
DevOps

DevOps Delivery: SDLC (Software Development Lifecycle)
Development QA
Operations
Automated
Delivery
Automated Tests
Automated
Deployment
Automated
Monitoring
Change
Request
Develop
DevOps

DevOps Quality: Fanatical Testing and Automation
Development QA
Operations
Automated
Delivery
Automated Tests
Automated
Deployment
Automated
Monitoring
Change
Request
Develop
DevOps
UI
Tests
Integration Tests
Unit Tests

Critical Practice: SSDLC (Secure Software Development Lifecycle)
Development QA
Operations
UI
Tests
Security
Tests
Code Review
Integration Tests
Unit Tests, Static Analysis
Automated
Delivery
Automated Tests
Code Review
Automated
Deployment
Automated
Monitoring
Change
Request
Develop
DevSecOps
Test results
Deployment logs
Deployment notifications
Audit Trails and Artifacts

Example: DevSecOps Pipeline on AWS
Commit Build Test Approve Production
AWS CodePipeline
AWS CodeCommit
private git repo
AWS CloudFormation Amazon SNS
Review Dashboard
Amazon EC2Unit
Tests
Acceptance
Tests
AWS CodeDeploy
Amazon EC2
SecOps Monitoring
and Alerts
AWS CodeBuild
Developers
commit app
code
Security
Tests
Code
scanning
Amazon S3
Build artifact
Change Review

AWS Security Solutions
T o o l s t o u s e

AWS Identity & Access
Management (IAM)
AWS Directory Service
AWS Organizations
AWS Secrets Manager
AWS Single Sign-On
Amazon Cognito
AWS CloudTrail
AWS Config
Amazon
CloudWatch
Amazon GuardDuty
VPC Flow Logs
AWS Systems
Manager
AWS Shield
AWS WAF – Web
application firewall
AWS Firewall Manager
Amazon Inspector
Amazon Virtual
Private Cloud (VPC)
AWS Key
Management Service
(KMS)
AWS CloudHSM
Amazon Macie
AWS Certificate
Manager
Server-Side
Encryption
AWS Config Rules
AWS Lambda
Identity
Detective
control
Infrastructure
security
Incident
response
Data
protection
AWS Security Solutions

AWS Identity and Access Management (IAM)
Securely control access to AWS services and resources
AWS Directory Service
Managed Microsoft Active Directory in the AWS Cloud
AWS Organizations
Policy-based management for multiple AWS accounts
AWS Secrets Manager
Easily rotate, manage, and retrieve database credentials, API keys,
and other secrets through their lifecycle
AWS Single Sign-On
Centrally manage single sign-on (SSO) access to multiple AWS
accounts and business applications
Amazon Cognito
Add user sign-up, sign-in, and access control to your web
and mobile apps
Define, enforce, and audit
user permissions across
AWS services, actions
and resources.
Identity & access
management

Amazon CloudWatch
Monitor AWS Cloud resources and your applications on AWS to
collect metrics, monitor log files, set alarms, and automatically
react to changes
VPC Flow Logs
Capture information about the IP traffic going to and from network
interfaces in your VPC. Flow log data is stored using Amazon
CloudWatch Logs
AWS CloudTrail
Enable governance, compliance, and operational/risk auditing of your
AWS account
AWS Config
Record and evaluate configurations of your AWS resources. Enable
compliance auditing, security analysis, resource change tracking, and
troubleshooting
Amazon GuardDuty
Intelligent threat detection and continuous monitoring to protect
your AWS accounts and workloads
Gain the visibility you need
to spot issues before they
impact the business, improve
your security posture, and
reduce the risk profile of
your environment.
Detective
control

Amazon Virtual Private Cloud (VPC)
Provision a logically isolated section of AWS where you can launch AWS
resources in a virtual network that you define
AWS Systems Manager
Easily configure and manage Amazon EC2 and on-premises systems to
apply OS patches, create secure system images, and configure secure
operating systems
AWS Shield
Managed DDoS protection service that safeguards web applications
running on AWS
AWS WAF – Web application firewall
Protects your web applications from common web exploits ensuring
availability and security
AWS Firewall Manager
Centrally configure and manage AWS WAF rules across accounts and
applications
Amazon Inspector
Automates security assessments to help improve the security and
compliance of applications deployed on AWS
Reduce surface area to manage
and increase privacy for and
control of your overall
infrastructure on AWS.
Infrastructure
security

AWS Certificate Manager
Easily provision, manage, and deploy SSL/TLS certificates for use
with AWS services
AWS Key Management Service (KMS)
Easily create and control the keys used to encrypt your data
AWS CloudHSM
Managed hardware security module (HSM) on the AWS Cloud
Server-Side Encryption
Flexible data encryption options using AWS service managed keys,
AWS managed keys via AWS KMS, or customer managed keys
Amazon Macie
Machine learning-powered security service to discover, classify, and
protect sensitive data
In addition to our automatic
data encryption and
management services,
employ more features for
data protection.
(including data management, data
security, and encryption key storage)
Data
protection

AWS Config Rules
Create rules that automatically take action in response to changes in your
environment, such as isolating resources, enriching events with additional
data, or restoring configuration to a known-good state
AWS Lambda
Use our serverless compute service to run code without provisioning or
managing servers so you can scale your programmed, automated
response to incidents
During an incident, containing
the event and returning to a
known good state are important
elements of a response plan.
AWS provides the following
tools to automate aspects of
this best practice.
Incident
response

Identity
Detective
control
Infrastructure
security
Incident
response
Data
protection
Well-architected - Security Pillar

Thank you !
V a s i l y P a n t y u k h i n
S o l u t i o n s A r c h i t e c t A W S

AWS Security Best Practices

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to AWS Security Best Practices

Similar to AWS Security Best Practices (20)

More from Aleksandr Maklakov

More from Aleksandr Maklakov (13)

Recently uploaded

Recently uploaded (20)

AWS Security Best Practices