AWS Security by Design

© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Shafreen Sayyed
Solutions Architect, Amazon Web Services
AWS Security by Design
10th May 2018

Security by Design Principles
• Implement a segregated account environment
• Implement a strong identity foundation
• Enable traceability
• Apply security at all layers
• Automate security best practices
• Protect data (in transit and at rest)
• Prepare for security events

An Expansive Ecosystem
Products integrated with AWS platform and easy to test

Implement a segregated account environment

Developer
Sandbox
Dev Pre-Prod
BU/Product/Resource Accounts
Developer Accounts
Security
AWS Organizations
Organization Accounts
Shared
Services
Organization Master Account
Billing
Tooling
Amazon
CloudFormation
StackSets
Sandbox
Direct Conn.
Account
Internal
Audit
External
Data centre
Logging
Prod
Shared
Services
AWS Organizations (Outline Multi-Account Structure)

Implement a strong identity foundation

AWS Identity Access Management (IAM)
Ensure only authorized and authenticated users are able
to access resources:
• Define users, groups, services and roles
• Protect AWS credentials
• Use fine grained authorization/access control

Define access
Users Groups Services Roles
• Think carefully
• SAML 2.0
• Define a management
policy
• Logically group users
• Apply group policies
• Least privilege access
• Be granular
• Use roles for instances and
functions
• Avoid using API keys in code

Protecting AWS credentials
• Establish Least-privileged Users access
• Enable MFA on the root account
• Consider federation
• Set a password policy
• MFA for users and/or certain operations (s3
delete)
• Avoid storing API Keys in source control
• Use temporary credentials via AWS STS

Fine grained access control
• Establish least privilege
principle
• Users have no permissions
• Groups have permission to
assume a Role
• Roles have permissions to
do necessary stuff,
according to least
privileges
• Use AWS Organizations to
centrally manage access

Amazon GuardDuty
• A Threat Detection Service Re-Imagined for the Cloud
• Continuously monitors and protects AWS Accounts along with the
applications and services running within them
• Detects known threats as well as unknown threats (Zero-Days)
• Makes Use of Artificial Intelligence / Machine Learning
• Integrated threat intelligence
• Operates on CloudTrail, VPC FlowLogs & DNS
• Detailed & Actionable Findings, Emitted as CloudWatch Events and
Console Reports

Detecting Known Threats
Threat Intelligence
• GuardDuty consumes feeds from various sources
• AWS Security
• Commercial feeds
• Open source feeds
• Customer-provided threat intel (STIX)
• Known malware-infected hosts
• Anonymising Proxies
• Sites hosting malware & hacker tools
• Crypto-currency mining pools and wallets

Detecting Unknown Threats
Anomaly Detection
• Algorithms to detect unusual behavior
• Inspecting signal patterns for signatures
• Profiling normal and looking at deviations
• Machine Learning Classifiers

What can the service detect?
RDP Brute
Force
RAT Installed
Exfiltrate
temp IAM
creds over
DNS
Probe api
with temp
creds
Attempt to
compromise
account
Malicious or
Suspicious IP
Unusual Ports DNS Exfiltration
RDP Brute Force
Unusual Traffic VolumeConnect to Blacklisted Site
Recon
Anonymizing Proxy
Temp credentials
Used off-instance
Unusual ISP Caller
Bitcoin Activity
Unusual Instance Launch
https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types.html#actual-types

GuardDuty Partners

Resources
AWS IAM - https://aws.amazon.com/iam/
AWS STS - https://docs.aws.amazon.com/STS/latest/APIReference/Welcome.html
AWS Organizations - https://aws.amazon.com/organizations/
https://www.youtube.com/watch?v=ZKpkF17d0Oo&feature=youtu.be
AWS Git-Secrets- https://github.com/awslabs/git-secrets
AWS Multi-account strategy - https://www.youtube.com/watch?v=71fD8Oenwxc
AWS GuardDuty Finding types -
https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-
types.html#actual-types
https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html#guar
dduty_filter-findings

Enable traceability

Detective controls
Identifying a potential security threat is essential for legal
compliance assurance, key areas in this are:
• Capture and analyze logs
• Integrate auditing controls with notifications and
workflow / Use your logs

AWS CloudTrail
AWS Config
Amazon CloudWatch Logs
VPC Flow Logs
ELB logs
API Endpoint Logs
Amazon Redshift Logs
...
(If it doesn’t move, watch it ‘til it moves – then log it!)
If it moves…log it!

Different log categories
AWS infrastructure logs
 AWS CloudTrail
 Amazon VPC Flow
Logs
 …
AWS service logs
 Amazon S3
 Elastic Load Balancing
 Amazon CloudFront
 AWS Lambda
(sometimes)
 AWS Elastic Beanstalk
 …
Host-based logs
 Messages
 Security
 NGINX/Apache/
 Syslog etc
 Performance
Monitoring
 …
Security-related events

Multiple levels of automation
Self managed
 AWS CloudTrail -> Amazon CloudWatch Logs -> Amazon CloudWatch
Alerts
 AWS CloudTrail -> Amazon SNS -> AWS Lambda
Compliance validation
 AWS Config Rules
Host-based compliance checking
 Amazon Inspector
Active change remediation
 Amazon CloudWatch Events

AWS Trusted Advisor checks your account

Resources
AWS Config – https://aws.amazon.com/config/
AWS Config Rules –
https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-
aws-config.html
Amazon Inspector - https://aws.amazon.com/inspector/
Amazon ElasticSearch Service - https://aws.amazon.com/elasticsearch-service/
Amazon CloudWatch Logs - https://aws.amazon.com/cloudwatch/
Amazon Athena – https://aws.amazon.com/athena/
Amazon Glacier – https://aws.amazon.com/glacier/
AWS Lambda – https://aws.amazon.com/lambda/

Apply Security at all layers

Defence-in-depth

Infrastructure protection
Protect network and
host level boundaries
System security
config and
management
Enforce service-level
protection

Protect network and host level boundaries
VPC considerations:
• Subnets to separate workloads
• Use NACLs to prevent access between subnets
• Use route tables to deny internet access from
protected subnets
• Use Security groups to grant access to and from
other security groups
Limit what you run in public subnets:
• ELBs , ALBs and NLBs
• Bastion hosts
• Try and avoid where possible having a system
directly accessible from the internet
External connectivity for management:
• Use VPN gateways to your on premise systems
• Direct Connect

For protection against
most common DDoS
attacks, and access to
tools and best practices to
build a DDoS resilient
architecture on AWS.
AWS Shield
For additional protection
against larger and more
sophisticated attacks,
visibility into attacks, AWS
cost protection, Layer 7
mitigations, and 24X7
access to DDoS experts for
complex cases.
Standard Protection Advanced Protection

AWS Shield
AWS Integration
DDoS protection
without infrastructure
changes
Affordable
Don’t force unnecessary
trade-offs between cost and
availability
Flexible
Customize protections
for your applications
Always-On Detection
and Mitigation
Minimize impact on application
latency
Four key pillars…

AWS Shield Advanced
Always-on monitoring &
detection
Advanced L3/4 & L7 DDoS
protection
Attack notification and
reporting
24x7 access to DDoS
Response Team
AWS bill protection

AWS WAF – Layer 7 application protection
Web traffic filtering
with custom rules
Malicious request
blocking
Active monitoring
and tuning
Managed WAF rules available on AWS Marketplace

The Artifact Service

Systems Manager Capabilities
Run Command Maintenance Windows
Inventory
State Manager Parameter Store Patch Manager
Automation
Configuration,
Administration
Update and
Track
Shared
Capabilities

System security config and management
• OS based firewalls
• Remove unnecessary packages from OS
• Remove direct access to machines – System manager
• Amazon Inspector to scan OS and applications for CVE
(Common Vulnerabilities Exposure)
• Don’t forget Security Groups

Resources
Amazon VPC – https://aws.amazon.com/vpc/
AWS Direct Connect – https://aws.amazon.com/directconnect/
Amazon Inspector - https://aws.amazon.com/inspector/
AWS KMS - https://aws.amazon.com/kms/
AWS System Manager - https://aws.amazon.com/systems-manager/
AWS WAF – https://aws.amazon.com/waf/
AWS Shield - https://aws.amazon.com/shield/
AWS Artifact - https://aws.amazon.com/waf/

Automate security best practices

Ensure best practice
• Template everything (CloudFormation, Terraform, etc)
• Utilise CI/CD pipelines
• Set custom AWS Config rules
s3-bucket-public-write-prohibited
s3-bucket-public-read-prohibited
• Amazon Inspector to detect known vulnerabilities
• Automate response to non compliant infrastructure

The Event Response Automation Playbook…
CloudWatch
Events event
Adversary
(or Intern)
Your environment Lambda
Responder

“Only allow EC2 instances launched from approved AMIs and
with appropriate subnets and Security Groups”
Example:

ImageId=ami-f9dd458a
SubnetId=subnet-a8aa4ef0
SecurityGroups=[
GroupId=sg-45533823
]
EC2

CloudWatch
Events event
{
"detail-type": [
"EC2 Instance State-change Notification"
],
"detail": {
"state": [ "pending" ]
},
"source": [ "aws.ec2" ]
}

Responder
# check if the AMI is approved
# check if AMI is used in correct subnet
# check if AMI was launched with approved security group

Amazon
DynamoDB
{
"ami": "ami-0d77397e",
"region": "eu-west-1",
"security_groups": [
"sg-cc9a3aaa"
],
"subnets": [
"subnet-ac3d7cda",
"subnet-2f9c1677"
]
},
{
"ami": "ami-f9dd458a",
"region": "eu-west-1",
"security_groups": [
"sg-ee9a3a88"
],
"subnets": [
"subnet-ad3d7cdb",
"subnet-2e9c1676"
]
}

{
'Time': int(time.time()),
'Source': 'auto.responder.level1',
'Resources': [ str(instance_id) ],
'DetailType': 'activeResponse',
'Detail': {
'instance': instance_id,
'actionsRequested': 'instanceTermination'
}
} Event

CloudWatch
Event events
{
"detail-type": [
"activeResponse"
],
"source": [
"auto.responder.level1"
]
}

L2 responder
ec2.terminate_instances

Resources
Amazon VPC – https://aws.amazon.com/
AWS Systems Manager – https://aws.amazon.com/systems-manager/Amazon/
Inspector - https://aws.amazon.com/inspector/
AWS CloudFormation - https://aws.amazon.com/cloudformation/
AWS SAM - https://github.com/awslabs/serverless-application-model
AWS Pipeline - https://aws.amazon.com/codepipeline/
Terraform - https://www.terraform.io/

Protect data – At Rest
In Transit
In Use (?)

Data Protection
AWS CloudHSM AWS Key Management
Service
AWS Certificate
Manager

Data Protection - Encryption
Encryption In-Transit
SSL/TLS
VPN / IPSEC
SSH
Encryption At-Rest
Object
Database
Filesystem
Disk

Data In-Transit
AWS endpoints are HTTPS,
but what can you do?
• VPN connectivity to VPC
• TLS application communication
• ELB/ALB or CloudFront, with ACM

Data At-Rest
Inbuilt encryption
• S3: select KMS key on upload
• EBS and RDS snapshots: automatically encrypt data at rest
• DynamoDB: encrypt backups
Bring your own Key
Encrypt data locally before uploading
SSE-C (server side encryption with customer key)

AWS Key Management Service (AWS KMS)
• Managed service that simplifies creation, control, rotation,
deletion, and use of AES256 encryption keys in your applications
• Integrated with AWS server-side encryption
• S3, EBS, RDS, Amazon Aurora, Amazon Redshift, Amazon
WorkMail, Amazon WorkSpaces, AWS CloudTrail, and Amazon
Elastic Transcoder
• Integrated with AWS client-side encryption
• AWS SDKs, S3 encryption client, EMRFS client, and DynamoDB
encryption client
• Integrated with AWS CloudTrail to provide auditable logs of key
usage for regulatory and compliance activities
• Available in all commercial regions except China

Your application or
AWS service
+
Data key Encrypted data key
Encrypted
data
Master keys in
customer’s account
KMS
How AWS services use your KMS keys
1. Client calls kms:GenerateDataKey by passing the ID of the KMS master key in your
account.
2. Client request is authenticated based on permissions set on both the user and the key.
3. A unique data encryption key is created and encrypted under the KMS master key.
4. The plaintext and encrypted data key is returned to the client.
5. The plaintext data key is used to encrypt data and is then deleted when practical.
6. The encrypted data key is stored; it’s sent back to KMS when needed for data decryption.

Resources
https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-
program/documents/security-policies/140sp3139.pdf
AWS KMS Crypto Details - https://d0.awsstatic.com/whitepapers/KMS-Cryptographic-
Details.pdf
https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-
program/documents/security-policies/140sp3139.pdf
https://csrc.nist.gov/projects/cryptographic-module-validation-program/Certificate/3139
Amazon Macie – https://aws.amazon.com/macie/
AWS Cloud HSM – https://aws.amazon.com/cloudhsm/
Amazon EBS – https://aws.amazon.com/ebs/
S2n - https://github.com/awslabs/s2n
Mitigating DDoS Attacks on AWS - https://www.youtube.com/watch?v=w9fSW6qMktA

Prepare for security events

Incident response
“Even with a mature preventative and detective solution
in place, you should consider a mitigation plan”

Clean room
• Use Tags to quickly determine impact and escalate
• Get the right people access and on the call
• Use Cloud API’s to automate and isolate instances
• CloudFormation – recreate clean / update environments easily for
production or investigation purposes

Resources
AWS Well-Architected - https://aws.amazon.com/architecture/well-architected/
Security Pillar - https://d1.awsstatic.com/whitepapers/architecture/AWS-Security-
Pillar.pdf
AWS_CIS_Foundation_Benchmark -
https://d0.awsstatic.com/whitepapers/compliance/AWS_CIS_Foundations_Benchm
ark.pdf
AWS Crypto Intro -
https://docs.aws.amazon.com/kms/latest/developerguide/crypto-intro.html
AWS Re:Invent Security Track - https://aws.amazon.com/blogs/security/videos-
and-slide-decks-from-the-aws-reinvent-2017-security-compliance-identity-track

Summing up
 Enforce separation of duties and least privilege accounts
 Federate users; enforce using IAM policies
 Ensure security logs are separated from troubleshooting logs
 Storage for logs is cheap; the consequences of missing something through not
logging, may not be
 Alerting is good, automating your security response is better
 Use managed services and built-in reporting to offload and automate
 See the big picture: what info do you need and which tool can provide you that

Thank You!

AWS Security by Design

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to AWS Security by Design

Similar to AWS Security by Design (20)

More from Amazon Web Services

More from Amazon Web Services (20)

AWS Security by Design