More Related Content
Similar to AWS Security Deep Dive Summary
Similar to AWS Security Deep Dive Summary (20)
More from Amazon Web Services
More from Amazon Web Services (20)
AWS Security Deep Dive Summary
- 1. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
AWS Security Deep Dive
Ahmed Gouda
Solutions Architect
AWS
- 2. S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
- 3. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Introduction - broad security & identity portfolio
• SEGMENTATION
• Identify and sort workloads by classification
• PROTECT
• What are we protecting?
• Identity, boundaries, data
• IDENTIFICATION
• Threat detection and remediation
- 4. S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
- 5. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Segmentation – on-premise nature
VPC
Prod
UAT
Dev
SIT VPC
VPC
VPC
- 6. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
AWS CloudFormation
VPC
Prod
UAT
Dev
SIT VPC
VPC
VPC
AWS CloudFormation
infrastructure as code
- 7. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
In the beginning….
Your AWS account
You
- 8. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Today
Jump
account
Your cloud team
Dev account
Prod account
Data science
account
Security account
Cross-account
trusts
Cross-account
resource access
You
- 9. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
AWS Organizations
AWS Organizations
• Centrally govern your environment
• Manage billing
• Automate account creation
• Create groups (organizational units) to
reflect business needs
• Apply “Service Control Policies” to a unit
to control the behavior of those accounts
• Control access, compliance, and security
- 10. S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
SCP fine grained permission control
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": ”security",
"Effect": "Deny",
"Resource": "*",
"NotAction": [
"cloudfront:*",
"iam:*",
"route53:*",
"support:*"
],
"Condition": {
"StringNotEquals": {
"aws:RequestedRegion": ["eu-central-1", "eu-west-1"]
}
}
}
- 11. S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
SCP fine grained permission control
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "security",
"Effect": "Deny",
"Resource": "*",
"NotAction": [
"cloudfront:*",
"iam:*",
"route53:*",
"support:*"
],
"Condition": {
"StringNotEquals": {
"aws:RequestedRegion": ["eu-central-1", "eu-west-1"]
}
}
}
- 12. S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
SCP fine grained permission control
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "security",
"Effect": "Deny",
"Resource": "*",
"NotAction": [
"cloudfront:*",
"iam:*",
"route53:*",
"support:*"
],
"Condition": {
"StringNotEquals": {
"aws:RequestedRegion": ["eu-central-1", "eu-west-1"]
}
}
}
- 13. S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
SCP fine grained permission control
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "security",
"Effect": "Deny",
"Resource": "*",
"NotAction": [
"cloudfront:*",
"iam:*",
"route53:*",
"support:*"
],
"Condition": {
"StringNotEquals": {
"aws:RequestedRegion": ["eu-central-1", "eu-west-1"]
}
}
}
- 14. S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
SCP fine grained permission control
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": “security",
"Effect": "Deny",
"Resource": "*",
"NotAction": [
"cloudfront:*",
"iam:*",
"route53:*",
"support:*"
],
"Condition": {
"StringNotEquals": {
"aws:RequestedRegion": ["eu-central-1", "eu-west-1”]
}
}
}
- 15. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
AWS Resource Access Manager
§ AWS Resource Access Manager
(RAM) helps securely share AWS
resources with any AWS account
or within AWS Organizations
§ Accessed from Console, CLI, or
API
§ Resource shares can be tagged
and you can reference the tags in
IAM policies to create a tag-based
permission system; you can add
and remove accounts and
resources from a resource share
at any time
- 16. S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
- 17. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Disambiguation
Identity
Authentication, authorization,
audit, and governance for your
cloud workloads
(the subject)
Principle
Resources
Actions
Conditions
- 18. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Disambiguation
Identity
Authentication, authorization,
audit, and governance for your
cloud workloads
(the subject)
Principle
Resources
Actions
Conditions
- 19. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Disambiguation
Identity
Authentication, authorization,
audit, and governance for your
cloud workloads
Our scope for today
AWS Identity and Access
Management (IAM)
(the service)
Authenticates and authorizes
AWS APIs
Includes
(the subject)
- 20. S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
- 21. S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Identity access management policies
Role Endpoints Amazon S3 bucket
with objects
Bucket
policy
VPCe
policy
IAM
policy
- 22. S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
IAM user policy
Role Endpoints Amazon S3 bucket
with objects
Bucket
policy
VPCe
policy
IAM
policy
- 23. S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
AWS IAM example policies – user policy
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
”s3:listAllMyBuckets”,
”s3:PutObject”,
”s3:GetObject”,
”s3:DeleteObject”
],
"Resource": "arn:aws:s3:::2x2demo/*"
}
]
}
- 24. S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
AWS IAM example policies – user policy
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
”s3:listAllMyBuckets”,
”s3:PutObject”,
”s3:GetObject”,
”s3:DeleteObject”
],
"Resource": "arn:aws:s3:::2x2demo/*"
}
]
}
- 25. S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
AWS IAM example policies – user policy
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
”s3:listAllMyBuckets”,
”s3:PutObject”,
”s3:GetObject”,
”s3:DeleteObject”
],
"Resource": "arn:aws:s3:::2x2demo/*"
}
]
}
- 26. S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
AWS IAM example policies – user policy
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
”s3:listAllMyBuckets”,
”s3:PutObject”,
”s3:GetObject”,
”s3:DeleteObject”
],
"Resource": "arn:aws:s3:::2x2demo/*"
}
]
}
- 27. S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
IAM resource policy
Role Endpoints Amazon S3 bucket
with objects
Bucket
policy
VPCe
policy
IAM
policy
- 28. S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
AWS IAM example policies – resource policy
{
"Version": "2012-10-17",
”Id": “12345”,
"Statement": [
{
"Effect": ”Deny",
”Principal": ”*",
"Action": ”s3:*",
"Resource":
"arn:aws:s3:::2x2demo/*”,
"Condition": {
”Null": {”aws:MultiFactorAuthAge":true}
}
}
]
}
- 29. S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
AWS IAM example policies – resource policy
{
"Version": "2012-10-17",
”Id": “12345”,
"Statement": [
{
"Effect": ”Deny",
”Principal": ”*",
"Action": ”s3:*",
"Resource":
"arn:aws:s3:::2x2demo/*”,
"Condition": {
”Null": {”aws:MultiFactorAuthAge":true}
}
}
]
}
- 30. S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
AWS IAM example policies – resource policy
{
"Version": "2012-10-17",
”Id": “12345”,
"Statement": [
{
"Effect": ”Deny",
”Principal": ”*",
"Action": ”s3:*",
"Resource":
"arn:aws:s3:::2x2demo/*”,
"Condition": {
”Null": {”aws:MultiFactorAuthAge":true}
}
}
]
}
- 31. S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
AWS IAM example policies – resource policy
{
"Version": "2012-10-17",
”Id": “12345”,
"Statement": [
{
"Effect": ”Deny",
”Principal": ”*",
"Action": ”s3:*",
"Resource":
"arn:aws:s3:::2x2demo/*”,
"Condition": {
”Null": {”aws:MultiFactorAuthAge":true}
}
}
]
}
- 32. S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
AWS IAM example policies – resource policy
{
"Version": "2012-10-17",
”Id": “12345”,
"Statement": [
{
"Effect": ”Deny",
”Principal": ”*",
"Action": ”s3:*",
"Resource":
"arn:aws:s3:::2x2demo/*”,
"Condition": {
”Null": {”aws:MultiFactorAuthAge":true}
}
}
]
}
- 33. S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
AWS IAM example policies – resource policy
{
"Version": "2012-10-17",
”Id": “12345”,
"Statement": [
{
"Effect": ”Deny",
”Principal": ”*",
"Action": ”s3:*",
"Resource":
"arn:aws:s3:::2x2demo/*”,
"Condition": {
”Null": {”aws:MultiFactorAuthAge":true}
}
}
]
}
- 34. S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Identity access management policies
Role Endpoints Amazon S3 bucket
with objects
Bucket
policy
VPCe
policy
IAM
policy
- 35. S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
IAM endpoint policy
Role Endpoints Amazon S3 bucket
with objects
Bucket
policy
VPCe
policy
IAM
policy
- 36. S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
AWS IAM example policies – endpoint policy
{
"Version": "2012-10-17",
"Statement": [
{
”Sid”:“Access-to-specific-bucket-only”,
"Effect": ”Allow",
”Principal": ”*",
"Action": ”s3:*",
"Resource": ["arn:aws:s3:::2x2demo", "arn:aws:s3:::2x2demo/*"]
}
]
}
- 37. S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
AWS IAM example policies – endpoint policy
{
"Version": "2012-10-17",
"Statement": [
{
”Sid”:“Access-to-specific-bucket-only”,
"Effect": ”Allow",
”Principal": ”*",
"Action": ”s3:*",
"Resource": ["arn:aws:s3:::2x2demo", "arn:aws:s3:::2x2demo/*"]
}
]
}
- 38. S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
AWS IAM example policies – endpoint policy
{
"Version": "2012-10-17",
"Statement": [
{
”Sid”:“Access-to-specific-bucket-only”,
"Effect": ”Allow",
”Principal": ”*",
"Action": ”s3:*",
"Resource": ["arn:aws:s3:::2x2demo", "arn:aws:s3:::2x2demo/*"]
}
]
}
- 39. S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
AWS IAM example policies – endpoint policy
{
"Version": "2012-10-17",
"Statement": [
{
”Sid”:“Access-to-specific-bucket-only”,
"Effect": ”Allow",
”Principal": ”*",
"Action": ”s3:*",
"Resource": ["arn:aws:s3:::2x2demo", "arn:aws:s3:::2x2demo/*"]
}
]
}
- 40. S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
AWS IAM example policies – endpoint policy
{
"Version": "2012-10-17",
"Statement": [
{
”Sid”:“Access-to-specific-bucket-only”,
"Effect": ”Allow",
”Principal": ”*",
"Action": ”s3:*",
"Resource": ["arn:aws:s3:::2x2demo", "arn:aws:s3:::2x2demo/*"]
}
]
}
- 41. S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Identity access management policies
Role Endpoints Amazon S3 bucket
with objects
Bucket
policy
VPCe
policy
IAM
policy
Key
policy
Server side
encryption
- 42. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
AWS Key Management Service (AWS KMS)
• Managed service that simplifies creation, control,
rotation, and use of encryption keys in your
applications
• FIPS-2 validated hardware security models to
protect your keys
• Integrated with AWS server-side encryption
• Amazon S3, Amazon EBS, Amazon RDS,
Amazon Aurora, Amazon Redshift,
WorkMail, Amazon WorkSpaces, CloudTrail,
Amazon Elastic Transcoder CodeCommit
(using default service keys only), Amazon
SES, import/export Snowball, AWS DMS,
and several other services
• Integrated with AWS client-side encryption
• AWS SDKs, AWS Encryption SDK, Amazon
S3 encryption client, EMRFS client, and
DynamoDB encryption client
• Integrated with CloudTrail to provide auditable
logs of key usage for regulatory and compliance
activities
- 43. S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Identity access management policies
Role Endpoints Amazon S3 bucket
with objects
Bucket
policy
VPCe
policy
IAM
policy
Key
policy
Server side
encryption
SCP
policy
- 44. S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
- 45. S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
- 46. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Amazon Cognito
§ Amazon Cognito provides authentication,
authorization, and user management for
your web and mobile apps; your users can
sign in directly with a user name and
password or through a third party such as
Facebook, Amazon, or Google
§ Amazon Cognito offers user pools and
identity pools
§ User pools are user directories that provide
sign-up and sign-in options for your app
users
§ Identity pools provide AWS credentials to
grant your users access to other AWS
services
- 47. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Protect your boundaries – Amazon Cognito edition
AWS LambdaUsers
Amazon S3
public bucket
Amazon S3
private bucket
Amazon Cognito
Amazon CloudFront
Authorization@Edge:
https://aws.amazon.com/blogs/networking-and-content-delivery/authorizationedge-how-to-use-lambdaedge-and-json-web-tokens-to-enhance-web-application-security/
- 48. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Protect your boundaries – AWS WAF edition
Your security
team
Malicious IPs
AWS Lambda
Amazon S3
bucket
AWS WAF
Amazon CloudWatch
InstancesElastic
Load Balancing
AWS Certified advanced networking: ISBN-13: 978-1119439837
Amazon
CloudFront
- 49. S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
- 50. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Why is threat detection so hard?
Skills shortageSignal to noiseLarge datasets
- 51. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
AWS Well-Architected - security design principles
Keep people away from data
Implement a strong identity foundation
Enable traceability
Automate security best practices
Protect data in transit and at rest
Apply security at all layers
Prepare for security events
- 52. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Threat detection: Log data inputs
AWS
CloudTrail
Amazon VPC
Flow Logs
DNS Logs
Track user
activity and API
usage
IP traffic to/from
network interfaces in
an Amazon VPC
Monitor apps using
log data, store, and
access log files
Log of DNS queries
in an Amazon VPC
when using the
Amazon VPC DNS
resolver
CloudWatch
Logs
- 53. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Threat detection: Machine learning
Amazon GuardDuty
Intelligent threat detection
and continuous monitoring
to protect your AWS
accounts and workloads
Amazon Macie
Machine learning-powered
security service to discover,
classify & protect sensitive
data
- 54. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
• Comprehensive view of your security state within AWS
• Aggregates security findings and alerts generated by other AWS security services
• Analyze security trends and identify the highest priority security issues
Amazon
Inspector
Amazon
GuardDuty
Amazon
Macie
AWS Security Hub
Security
findings
providers
Findings
Insights
AWS Security
Partners
Threat detection: Introducing AWS Security Hub
- 55. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Threat detection: Evocations/triggers
Amazon CloudWatch
Events
AWS Config Rules
Continuously tracks your resource
configuration changes and if they
violate any of the conditions in
your rules
Delivers a near real-time stream of
system events that describe
changes in AWS resources
- 56. S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
- 57. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Basic example – AWS Lambda + CloudWatch
Events
CloudWatch
Event
GuardDuty
findings
AWS Lambda
function
- 58. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
AWS Lambda + Systems Manager + CloudWatch
AWS Systems
Manager
Documents
Amazon
CloudWatch
Rule
Amazon EC2 instance
contents
Instance:~ ec2-user$ top
Instance:~ ec2-user$
pcap
Instance:~ ec2-user$
lime
AWS
Lambda
Amazon
GuardDuty
Elastic network
adapter
Elastic network
adapter
AWS
Lambda
function
Amazon EBS volume
- 59. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
AWS Lambda + Systems Manager + CloudWatch
AWS Systems
Manager
Documents
Amazon
CloudWatch
Rule
AWS
Lambda
Amazon
GuardDuty
AWS
Lambda
function
Amazon EBS
volume
Amazon EBS
snapshot
- 60. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Automating responses based on multiple controls
Amazon
CloudWatch
Events
AWS
CloudTrail
AWS Config
AWS
Lambda
function
AWS
APIs
Detect
Investigate
Respond
Team
collaboration
(Slack etc.)
Amazon
GuardDuty
Amazon VPC
Flow Logs
Amazon
Inspector
- 61. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Broad security & identity portfolio
• AWS Identity & Access
Management (IAM)
• AWS Single Sign-On (SSO)
• AWS Directory Service
• Amazon Cloud Directory
• AWS Secrets Manager
• Amazon Cognito
• AWS Organizations
• AWS Resource Access
Manager
• AWS Security Hub
• Amazon GuardDuty
• AWS CloudTrail
• AWS Config
• Amazon
CloudWatch
• Amazon VPC Flow
Logs
• AWS Systems Manager
• AWS Shield
• AWS Web Application
Firewall (AWS WAF)
• Amazon Inspector
• Amazon Virtual Private
Cloud ( Amazon VPC)
• AWS Key Management
Service (AWS KMS)
• AWS CloudHSM
• Amazon Macie
• AWS Certificate
Manager (ACM)
• Server-side encryption
• AWS Config rules
• AWS Lambda
Identity Detective
control
Infrastructure
security
Incident
response
Data
protection
- 62. Thank you!
S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Ahmed Gouda
gouda@amazon.com
- 63. S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.