Downloaded 69 times
Uploaded by2nd Sight Lab
AWS Security Strategy
This document discusses AWS security best practices for enterprises. It recommends following AWS security policies and IAM best practices, automating security configurations through tools like CloudFormation, and architecting networks carefully with security groups and subnets. Automating security operations, compliance checks, and incident response is emphasized to manage risks and unknown threats. The document also warns against simply migrating on-premises systems to AWS without redesigning for the cloud.
More Related Content
AWS Security Strategy
- 1. AWS Security Strategy EnterpriseSecurity on AWS Teri Radichel, Cloud Architect | WatchGuard Technologies | @teriradichel
- 2. The CIO ofthe 5th largest bank in the US says they can be more secure in AWS than in their own data center. Possible?
- 3. About That InternetThing… You are already using shared infrastructure. How do you secure it?
- 4. Security Policy Yours. Do youknow what it says? Does everybody follow it? AWS. https://d0.awsstatic.com/whitepapers/a ws-security-whitepaper.pdf
- 5. What’s In YourNetwork? Do you really know?
- 6. Automated Configuration AWS facilitates automated infrastructure andapplication deployment via code stored in source control
- 7. Automated Event-Driven Security AWSmakes it easier to automatically react to events that trigger a security response
- 8. Points of Discoveryand Reaction • Knowns: • Prevent from entering environment • Detect and roll back on entry into environment • Unknowns: • Baseline normal behavior • React to anomalies – alerts, investigation
- 9. Recommendations… • Best Practices •Lessons Learned • Ideas • Tools
- 10. Follow IAM BestPractices
- 11. Follow Evident IOBest Practices
- 12. The Right People Cowboyhas no well thought out plan or expertise Mr. No Kills Innovation. He is not open to new ideas. Analysis Paralysis Kills Productivity Engineers = expertise + well-designed solutions based on available data
- 13. Deployment Pipeline DevOps, security,developer and QA teams should all use the same process for AWS deployments. Add Security Controls at this checkpoint. Facilitates inventory, audit and compliance. CICD – Continuous Integration, Continuous Deployment
- 14.
- 15. Security Automation • AutomateBiggest Risks ~ Verizon Data Breach Report • Automated Deployments – CloudFormation, SDKs - Consider Immutable Infrastructure where possible • Automated Compliance – AWS Config, AWS Inspector • Automated Security Operations – AWS WAF, 3rd Party Tools • Custom automation – roll your own • Automated Intrusion Detection – Proof of Concept Framework: https://github.com/tradichel/AWSSecurityAutomationFramework
- 17. Other Options forSSH and Access Secret Key • IAM Roles for Users and AWS Resources • Cross Account Roles • Active Directory Integration • STS – temporary credentials • Use MFA where possible • Consider CLI, Console and Instance Logins • If using keys, train users that keys are passwords and treat as such
- 18. Encryption on AWS •KMS - AWS Key Management Service • CloudHSM - Single Tenant Hardware Security Module • Bring Your Own Key – import from your own key manager or HSM • AWS Certificate Manager - SSL/TLS for encryption in transit
- 19. 5. Plan NetworkCarefully. Internet Access AWS Only AWS to Corporate security group security group security group security group security group security group Routes: Enforce Traffic Flow. Subnets: Larger. Security Groups: Whitelist.
- 20. Avoid This So manyholes in your network and running so many agents that you no longer know what is traversing your network anymore and network security is pointless.
- 21. Avoid This Subnets withalmost nothing in them has the potential to exhaust your IP space. It also becomes unwieldy to manage numerous subnets and security groups. Use security groups for application specific rules.
- 22. Architect for theCloud Avoid Lift and Shift Costs will be higher Doesn’t leverage AWS Possible Security Issues Fix it later…right. If you do...keep it in a separate account.
- 23.
- 24. Use Process Controls Technologycan’t make your toast. Yet. Use process controls when needed.
- 25. Have a SandboxAccount Tightly secure other accounts. Match production or purpose built.
- 27. AWS Monitoring Tools •VPC Flow Logs ~ like Netflow for VPC, not real time • CloudTrail ~ Monitor actions taken on AWS • CloudWatch ~ Any kind of logs, cannot be altered if properly secured • 3rd Party Tools
- 28. Teri Radichel, CloudArchitect WatchGuard Technologies ~ We are hiring! @teriradichel Security Certifications and Papers: Http://www.giac.org/certified-professional/teri-radichel/140127 Thank you!
Editor's Notes
- #3 Video from AWS re:Invent 2015 where Rob Alexander was the keynote speaker.
- #5 AWS Security Process Overview: https://d0.awsstatic.com/whitepapers/aws-security-whitepaper.pdf
- #6 Top 5 Critical Controls: https://www.cisecurity.org/critical-controls.cfm Deski Network Suite on left. AWS Web Console on right.
- #7 Sample architecture from AWS Case Studies: https://aws.amazon.com/solutions/case-studies/
- #8 Paper on Security Automation in AWS: https://www.sans.org/reading-room/whitepapers/incident/balancing-security-innovation-event-driven-automation-36837
- #11 AWS IAM Best Practices: https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html Code Spaces ~ The company that got deleted. http://www.networkcomputing.com/cloud-infrastructure/code-spaces-lesson-cloud-backup/314805651
- #12 Evident IO Blog with Security Best Practices: http://blogs.evident.io
- #13 Images: Shutterstock, Meme Generator
- #14 Target was likely compromised via a deployment system: https://www.sans.org/reading-room/whitepapers/casestudies/case-study-critical-controls-prevented-target-breach-35412
- #15 AWS CloudFormation: https://aws.amazon.com/cloudformation/
- #16 AWS Tools: https://aws.amazon.com/tools/ AWS Config: https://aws.amazon.com/config/ AWS WAF: https://aws.amazon.com/waf/ Verizon Data Breach Report: http://www.verizonenterprise.com/verizon-insights-lab/dbir/2016/
- #19 KMS: https://aws.amazon.com/kms/ CloudHSM: https://aws.amazon.com/cloudhsm/ AWS Certificate Manager: https://aws.amazon.com/certificate-manager/ Bring your own key: https://aws.amazon.com/blogs/aws/new-bring-your-own-keys-with-aws-key-management-service/ This new feature allows you to import keys from any key management and HSM (Hardware Security Module) solution that supports the RSA PKCS #1 standard, and use them with the AWS services and your own applications. Protecting Data At Rest on AWS: https://d0.awsstatic.com/whitepapers/AWS_Securing_Data_at_Rest_with_Encryption.pdf AWS Security Blog ~ Encryption: https://blogs.aws.amazon.com/security/blog/category/Encryption
- #23 AWS Best Practices ~ Architecting for the Cloud: https://aws.amazon.com/whitepapers/architecting-for-the-aws-cloud-best-practices/
- #24 Don’t be a bottleneck image: http://digital.library.unt.edu/ark:/67531/metadc182/
- #25 Images from 6 Ways to Make Toast – Wikihow http://www.wikihow.com/Make-Toast AWS Compliance White Paper: https://d0.awsstatic.com/whitepapers/compliance/AWS_Risk_and_Compliance_Whitepaper.pdf
- #26 Image: http://www.markramseymedia.com/wp-content/uploads/2011/02/sandbox.jpg
- #28 VPC Flow Logs: http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/flow-logs.html CloudTrail: https://aws.amazon.com/cloudtrail/ CloudWatch: https://aws.amazon.com/cloudwatch/