This AWS Security Checklist webinar will help you and your auditors assess the security of your AWS environment in accordance with industry or regulatory standards. This security focused checklist builds on recently revised Operational Checklists for AWS, which helps you evaluate your applications against a list of best practices before deployment.
Learning Objectives:
* Evaluate the ability of AWS services to meet information security objectives and ensure future deployments within the AWS cloud are done in a secure and compliant way
* Assess your existing organisational use of AWS and ensure it meets security best practices
* Develop AWS usage policies or validate that existing policies are being followed
1. Dr. Andrew Kane, Solutions Architect
drandrewkane
AWS Security Checklist
2. Learning Objectives
1. Evaluate AWS services to meet Info Security objectives
…and make sure future deployments are safe
2. Assess your existing use of AWS services
…and make sure they meet Security Best Practice
3. Develop AWS usage policies
…or validate existing policies are being followed
5. Operational Checklists
• Basic Operations Checklist (developers and system architects): to help customers assess their application's use of specific services and features before they launch
• Enterprise Operations Checklist (enterprise architects): to assist enterprises in identifying key items to think about as they build a cloud migration and operational strategy
• Auditing Security Checklist (risk & compliance teams and external auditors): to assist customers when they evaluate the security controls required by their specific industry or governing body like the AICPA, NIST, ISO, PCI SSC, etc.
6. Enterprise Operations Checklist
• AWS API Credentials
• Identity Federation
• EC2 Instance Credentials
• Network Access
• Data Access
• Logging & Monitoring
7. Auditing Security Checklist
Customers are responsible for security 'in' the Cloud:
• Customer content
• Platform, Applications, Identity & Access Management
• Operating System, Network & Firewall Configuration
• Client and Server Encryption, Encryption Key Management, Network Traffic Protection
AWS is responsible for security 'of' the Cloud:
• AWS Foundation Services: Compute, Storage, Database, Networking
• AWS Global Infrastructure: Regions, Availability Zones, Edge Locations
8. Auditing Security Checklist
Governance
Understand AWS Usage
Identify Assets
Define AWS Boundaries
Assess Policies
Identify & Review Risks
Documentation & Inventory
Evaluate Risks
Add AWS to Risk Assessment
IT Security & Program Policy
Service Provider Oversight
10. Auditing Security Checklist
Encryption Controls
AWS Console Access
AWS API Access
IPsec Tunnels
SSL Key Management
Protect PINs at Rest
Logging and Monitoring
Centralised Log Storage
Review Policies for “Adequacy”
Review Network Logs
Review IAM Credential Reports
Aggregate from Multiple Sources
Intrusion Detection & Response
11. Security Checklist - General
1 Protect your root account
2 Protect your CloudTrail and Billing S3 Bucket
3 Activate CloudTrail in all Regions
4 Create administration IAM roles with minimal privileges
5 Evaluate AWS Security Token Service (STS) and Roles
6 Familiarise yourself with AWS Detailed Billing reports
7 Regularly monitor your monthly spend
12. Security Checklist – EC2 / VPC / EBS
1 Only use encrypted EBS volumes
2 Activate your VPC Flow Logs
3 Protect your EC2 key-pairs
4 Leverage IAM roles for EC2
5 Clearly structure your Security Groups
13. Security Checklist – S3
1 Don't create any public-access S3 buckets
2 Encrypt sensitive data using server-side encryption (SSE)
3 Encrypt inbound and outbound S3 traffic
4 Familiarise yourself with Versioning and Lifecycle Policies
5 Activate S3 Logging and analyse logs regularly
18. AWS Account
Account Base IAM Structure
Root Account
• No Access Keys
• MFA Enabled
• Raise Alert on Login
IAM Master
• No Access Keys
• MFA Enabled
• Raise Alert on Login
• Define IAM Policies
• Enable IAM Managers (User or Role)
• Have a Password Policy
• Enforce Password Rotation
• Have Account Questions set up
• Use an email distribution list with at least 3 members who check it regularly in case of leavers / holidays etc.
IAM Manager
• No Access Keys
• MFA Enabled
• Create IAM Users/Groups/Roles
• Use Pre-Defined Policies
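To check the root, IAM Master and IAM Manager rules above mechanically (and to work through the "Review IAM Credential Reports" item from slide 10), here is an added example, not code from the presentation or from AWS: it parses an IAM credential report in the CSV layout returned by `aws iam get-credential-report`, using a constructed sample report and an assumed set of privileged user names (`iam-master`, `iam-manager`).

```python
import csv
import io

# Constructed sample report (placeholder account id 111122223333). Only the
# columns the checks read are included; a real report has more (key rotation
# dates, last-used times, certificate columns).
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,mfa_active,access_key_1_active,access_key_2_active
<root_account>,arn:aws:iam::111122223333:root,2016-01-01T00:00:00+00:00,not_supported,false,true,false
iam-master,arn:aws:iam::111122223333:user/iam-master,2016-01-02T00:00:00+00:00,true,true,false,false
iam-manager,arn:aws:iam::111122223333:user/iam-manager,2016-01-02T00:00:00+00:00,true,true,true,false
dev-alice,arn:aws:iam::111122223333:user/dev-alice,2016-01-03T00:00:00+00:00,true,false,false,false
deploy-bot,arn:aws:iam::111122223333:user/deploy-bot,2016-01-03T00:00:00+00:00,false,false,true,false
"""

ROOT_USER = "<root_account>"               # how the credential report names the root account
PRIVILEGED = {"iam-master", "iam-manager"}  # assumed names for the slide's IAM Master / Manager


def _flag(row, column):
    # Report values are the strings "true", "false", "N/A" or "not_supported".
    return row[column].strip().lower() == "true"


def audit_credential_report(report_csv, privileged_users=frozenset(PRIVILEGED)):
    """Return (user, finding) pairs for rows that break the slide's account rules."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        has_keys = _flag(row, "access_key_1_active") or _flag(row, "access_key_2_active")
        has_mfa = _flag(row, "mfa_active")
        console = _flag(row, "password_enabled")
        if user == ROOT_USER or user in privileged_users:
            # Root, IAM Master and IAM Manager: no access keys, MFA enabled.
            if has_keys:
                findings.append((user, "privileged identity has an active access key"))
            if not has_mfa:
                findings.append((user, "privileged identity has no MFA"))
        elif console and not has_mfa:
            # Ordinary console users still need MFA; key-only service users do not.
            findings.append((user, "console user without MFA"))
    return findings


if __name__ == "__main__":
    for user, finding in audit_credential_report(SAMPLE_REPORT):
        print(f"{user}: {finding}")
```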
19. Multi-Account Structure
Diagram (recovered labels only): one account per job, linked by IAM users assuming roles through STS
• CLOUDTRAIL A/C: S3 holder for CloudTrail logs
• BILLING A/C: S3 holder for billing data (BILL)
• IAM USER A/C: IAM users, each assuming a role into the resource account
• RESOURCE A/C: the IAM roles that those users assume
• BACKUP A/C: S3 holder for backup data
• AUDIT A/C: display rights via STS
21. Deep Set of Cloud Security Tools
• Encryption: Key Management Service, CloudHSM, Server-side Encryption
• Networking: Virtual Private Cloud, Web Application Firewall
• Compliance: Config, CloudTrail & Inspector, Service Catalog
• Identity: IAM, Active Directory Integration, SAML Federation
27. AWS Config - Rules
…or create your own custom rules
28. Amazon Inspector: security assessment tool analyzing end-to-end application configuration and activity
29. Amazon Inspector - Features: Scanning Engine, Active Monitoring, Embedded Rules, Fully automated
30. AWS Virtual Private Cloud Flow Logs: VPC feature to record traffic flow
31. AWS VPC Flow Logs
Each record contains: AWS account, interface, source IP, destination IP, source port, destination port, protocol, packets, bytes, start/end time, accept or reject
• Enable per Elastic Network Interface (ENI), subnet or per VPC
• Create CloudWatch metrics from log data
• Logged to CloudWatch Logs
• Alarm on those metrics
• Agentless
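As an added example (not code from the presentation or from AWS), the following parses records in the default version 2 flow log format whose fields the slide lists, then derives the kind of per-source metric the slide suggests alarming on: how many distinct destination ports a single source had rejected in the window. The log lines and the account id are constructed samples.

```python
from collections import defaultdict

# Field order of a default (version 2) flow log record, matching the slide's list.
FIELDS = ["version", "account_id", "interface_id", "srcaddr", "dstaddr", "srcport",
          "dstport", "protocol", "packets", "bytes", "start", "end", "action", "log_status"]
NUMERIC = ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end")

# Constructed sample records (placeholder account 111122223333, TEST-NET source address).
# The last line is a NODATA record: no traffic in the window, so traffic fields are '-'.
SAMPLE_LOG = """\
2 111122223333 eni-0a1b2c3d 10.0.1.25 10.0.2.7 49152 443 6 12 3400 1500000000 1500000060 ACCEPT OK
2 111122223333 eni-0a1b2c3d 198.51.100.9 10.0.2.7 40001 22 6 1 60 1500000000 1500000060 REJECT OK
2 111122223333 eni-0a1b2c3d 198.51.100.9 10.0.2.7 40002 23 6 1 60 1500000000 1500000060 REJECT OK
2 111122223333 eni-0a1b2c3d 198.51.100.9 10.0.2.7 40003 3389 6 1 60 1500000000 1500000060 REJECT OK
2 111122223333 eni-0a1b2c3d 198.51.100.9 10.0.2.7 40004 22 6 1 60 1500000000 1500000060 REJECT OK
2 111122223333 eni-0a1b2c3d 10.0.1.25 10.0.2.7 49153 8080 6 1 60 1500000000 1500000060 REJECT OK
2 111122223333 eni-0a1b2c3d - - - - - - - 1500000000 1500000060 - NODATA
"""


def parse_record(line):
    """Split one record into a dict; numeric fields become ints, '-' stays None."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
    rec = dict(zip(FIELDS, parts))
    for key in NUMERIC:
        rec[key] = None if rec[key] == "-" else int(rec[key])
    return rec


def rejected_ports_by_source(log_text):
    """Metric: number of distinct destination ports each source address had REJECTed."""
    ports = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_record(line)
        # NODATA / SKIPDATA records carry no addresses or action; skip them.
        if rec["log_status"] != "OK" or rec["action"] != "REJECT":
            continue
        ports[rec["srcaddr"]].add(rec["dstport"])
    return {src: len(dst_ports) for src, dst_ports in ports.items()}


def sources_over_threshold(log_text, max_distinct_ports):
    """Alarm condition: sources whose rejected-port count exceeds the threshold."""
    counts = rejected_ports_by_source(log_text)
    return sorted(src for src, n in counts.items() if n > max_distinct_ports)
```

In production the same two functions would run over a CloudWatch Logs subscription or an Athena query rather than an inline string; the metric maps onto a CloudWatch metric filter plus an alarm, as the slide describes.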
36. AWS Shield
• Standard Protection: available to ALL AWS customers at no additional cost
• Advanced Protection: paid service that provides additional protections, features and benefits
37. AWS Shield Advanced
• Always-on monitoring & detection
• Advanced L3/4 & L7 DDoS protection
• Attack notification and reporting
• 24x7 access to DDoS Response Team
• AWS bill protection
40. Integration with AWS Key Management Service
Two-tiered key hierarchy using envelope encryption
• Unique data keys encrypt customer data
• AWS KMS master keys encrypt data keys
Benefits of envelope encryption:
• Limits risk of a compromised data key
• Better performance for encrypting large data
• Easier to manage a small number of master keys than millions of data keys
Diagram: Customer Master Key(s) held in AWS KMS encrypt Data Key 1, 2, 3 and 4, which in turn encrypt an Amazon S3 Object, an Amazon EBS Volume, an Amazon Redshift Cluster and a Custom Application's data respectively.
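To make the two-tier hierarchy concrete, here is an added example (not code from the presentation or from AWS) that runs envelope encryption locally: `LocalKms` is a hypothetical stand-in for the KMS GenerateDataKey and Decrypt calls, and the block assumes the `cryptography` package is installed for AES-GCM. It also shows the first listed benefit: a leaked data key opens only the one object it was generated for.

```python
import os
from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

NONCE_LEN = 12  # 96-bit nonces for AES-GCM

class LocalKms:
    """Stand-in for AWS KMS: master keys (CMKs) live here and are never returned to callers."""
    def __init__(self):
        self._cmks = {}

    def create_key(self):
        key_id = f"cmk-{len(self._cmks) + 1}"
        self._cmks[key_id] = AESGCM.generate_key(bit_length=256)
        return key_id

    def generate_data_key(self, key_id):
        """Like KMS GenerateDataKey: a fresh data key, plus a copy wrapped under the CMK."""
        data_key = AESGCM.generate_key(bit_length=256)
        nonce = os.urandom(NONCE_LEN)
        # The key id is bound as associated data so a wrapped key cannot be replayed under another CMK.
        wrapped = nonce + AESGCM(self._cmks[key_id]).encrypt(nonce, data_key, key_id.encode())
        return data_key, wrapped

    def decrypt_data_key(self, key_id, wrapped):
        """Like KMS Decrypt: unwrap a data key; the CMK still never leaves this object."""
        nonce, ciphertext = wrapped[:NONCE_LEN], wrapped[NONCE_LEN:]
        return AESGCM(self._cmks[key_id]).decrypt(nonce, ciphertext, key_id.encode())

def encrypt_object(kms, key_id, plaintext):
    """Tier two: each object gets its own data key; only the wrapped key is stored with it."""
    data_key, wrapped = kms.generate_data_key(key_id)
    nonce = os.urandom(NONCE_LEN)
    ciphertext = AESGCM(data_key).encrypt(nonce, plaintext, None)
    # The plaintext data_key is dropped here; KMS recovers it from wrapped_key when needed.
    return {"key_id": key_id, "wrapped_key": wrapped, "nonce": nonce, "ciphertext": ciphertext}

def decrypt_object(kms, blob):
    data_key = kms.decrypt_data_key(blob["key_id"], blob["wrapped_key"])
    return AESGCM(data_key).decrypt(blob["nonce"], blob["ciphertext"], None)

def data_key_opens(data_key, blob):
    """True if this data key decrypts the blob: shows a leaked data key is scoped to one object."""
    try:
        AESGCM(data_key).decrypt(blob["nonce"], blob["ciphertext"], None)
        return True
    except InvalidTag:
        return False
```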