AWS SSA Webinar 11 - Getting started on AWS: Security
•Download as PPTX, PDF•
0 likes•251 views
In this session, we will take a deeper look at the security services and features available on AWS. We will look at how Identity and Access Management (IAM) works by covering IAM users, policies, roles, groups. We will also look at AWS Security groups and how they are applied to the different infrastructure components, e.g. Amazon EC2 instances, Load Balancers, Databases (via Amazon RDS). Lastly, we will take a quick look at Amazon Certificate Manager for SSL certificates and mention additional services like Amazon Detective, GuardDuty, Macie, WAF.
Recommended
Recommended
More Related Content
What's hot
What's hot (20)
Similar to AWS SSA Webinar 11 - Getting started on AWS: Security
Similar to AWS SSA Webinar 11 - Getting started on AWS: Security (20)
More from Cobus Bernard
More from Cobus Bernard (16)
Recently uploaded
Recently uploaded (20)
AWS SSA Webinar 11 - Getting started on AWS: Security
- 1. © 2020, Amazon Web Services, Inc. or its affiliates. All rights reserved. Getting started with AWS: Security O n l i n e W e b i n a r – 2 0 2 0 / 0 4 / 2 8 Cobus Bernard Sr Developer Advocate Amazon Web Services @cobusbernard cobusbernard cobusbernard
- 2. © 2020, Amazon Web Services, Inc. or its affiliates. All rights reserved. Agenda Securing your root account Identity and Access Management Security Groups ACM SSL Certificates Additional services Q&A
- 3. © 2020, Amazon Web Services, Inc. or its affiliates. All rights reserved. AWS global platform AWS global infrastructure • 23 Regions with 73 Availability Zones • 4 Regions coming soon: Indonesia, Italy, Japan and Spain 216 CloudFront PoPs • 205 edge locations • 11 Regional edge caches • 245 Countries and territories served AWS global network • Redundant 100 GbE network • 100% encrypted between facilities • Private network capacity between all AWS Regions except China SLA of 99.99% availability
- 4. © 2020, Amazon Web Services, Inc. or its affiliates. All rights reserved.
- 5. © 2020, Amazon Web Services, Inc. or its affiliates. All rights reserved. n Identity & access management Detective controls Infrastructure protection Incident response Data protection AWS security solutions
- 6. © 2020, Amazon Web Services, Inc. or its affiliates. All rights reserved.
- 7. © 2020, Amazon Web Services, Inc. or its affiliates. All rights reserved. IAM Policy AWS Organization AWS account: Master webinar-cobus-1
- 8. © 2020, Amazon Web Services, Inc. or its affiliates. All rights reserved. IAM Policy AWS Organization AWS account: Master webinar-cobus-1 Allow
- 9. © 2020, Amazon Web Services, Inc. or its affiliates. All rights reserved. IAM Policy AWS Organization AWS account: Master webinar-cobus-1 s3:ListBucket s3:GetObject
- 10. © 2020, Amazon Web Services, Inc. or its affiliates. All rights reserved. IAM Policy AWS Organization AWS account: Master webinar-cobus-1 s3:List* s3:Get*
- 11. © 2020, Amazon Web Services, Inc. or its affiliates. All rights reserved. IAM Policy AWS Organization AWS account: Master webinar-cobus-1 arn:aws:s3:::webinar-cobus-1 arn:aws:s3:::webinar-cobus-1/*
- 12. © 2020, Amazon Web Services, Inc. or its affiliates. All rights reserved. IAM roles for Services AWS account Use IAM roles for access to AWS resources: • From your application running on an AWS compute environment, e.g., EC2 instance, Lambda function, etc. • To grant permission to an AWS service to access your resources (not shown) EC2 instance Lambda function Amazon S3 buckets Amazon DynamoDB table
- 13. © 2020, Amazon Web Services, Inc. or its affiliates. All rights reserved.
- 14. © 2020, Amazon Web Services, Inc. or its affiliates. All rights reserved. Subnet Subnet Subnet VPC Availability Zone US-EAST-1A Availability Zone US-EAST-1B Amazon VPC (Virtual Private Cloud) 172.31. 172.31. 172.31. 172.31. Subnet Subnet Availability Zone US-EAST-1C 172.31. 172.31. Application server security group
- 15. © 2020, Amazon Web Services, Inc. or its affiliates. All rights reserved. Subnet Subnet VPC Availability Zone US-EAST-1A Amazon VPC (Virtual Private Cloud) 172.31. 172.31. Subnet Subnet 172.31. 172.31. Web server security group Database server security group Availability Zone US-EAST-1C Load Balancer security group
- 16. © 2020, Amazon Web Services, Inc. or its affiliates. All rights reserved.
- 17. © 2020, Amazon Web Services, Inc. or its affiliates. All rights reserved.
- 18. © 2020, Amazon Web Services, Inc. or its affiliates. All rights reserved. Enable AWS Security Hub for all your accounts Account 1 Account 2 Account 3 Conduct automated compliance scans and checks Take action based on findings. Continuously aggregate and prioritize findings Better visibility into security issues Easier to stay in compliance Introduction to AWS Security Hub
- 19. © 2020, Amazon Web Services, Inc. or its affiliates. All rights reserved. Automated compliance standards Based on CIS AWS Foundations Benchmark • 43 fully automated, nearly continuous checks • Findings are displayed on main dashboard for quick access • Best-practices information is provided to help reduce gaps in compliance
- 20. © 2020, Amazon Web Services, Inc. or its affiliates. All rights reserved.
- 21. © 2020, Amazon Web Services, Inc. or its affiliates. All rights reserved. GuardDuty: Key features Continuous monitoring of your AWS accounts and resources Detects unknown threats (behavior-based) Detects known threats (threat intel–based) Global coverage with regional results One-click activation with no architectural or performance impact Managed threat detection service Enterprise-wide consolidation and management
- 22. © 2020, Amazon Web Services, Inc. or its affiliates. All rights reserved. GuardDuty: Data sources VPC Flow Logs VPC Flow Logs do not need to be turned on to generate findings; data is consumed through an independent duplicate stream Provides information about network communications for threat intel and behavioral detections DNS logs DNS logs are based on queries made from Amazon EC2 instances to known and unknown questionable domains DNS logs are in addition to Amazon Route 53 query logs; Route 53 is not required for GuardDuty to generate DNS- based findings AWS CloudTrail events AWS CloudTrail provides a history of AWS API calls used to access the AWS Management Console, SDKs, AWS Command Line Interface (AWS CLI), etc. Identifies user and account activity, including source IP address used to make the calls
- 23. © 2020, Amazon Web Services, Inc. or its affiliates. All rights reserved. How Amazon GuardDuty works VPC Flow Logs DNS logs CloudTrail events FindingsData sources Threat intelligence Anomaly detection (ML) AWS Security Hub • Remediate • Partner solutions • Send to SIEM CloudWatch Event Finding types Examples Bitcoin mining C&C activity Unusual user behavior Examples • Launch instance • Change in network permissions Amazon GuardDuty Threat detection types HIGH MEDIUM LOW Unusual traffic patterns Example • Unusual ports and volume Amazon S3 bucket
- 24. © 2020, Amazon Web Services, Inc. or its affiliates. All rights reserved. What can GuardDuty detect? GuardDuty leverages threat intelligence from various sources AWS security intel AWS Partner Network (APN) Partners CrowdStrike and Proofpoint Customer-provided threat intel Threat intelligence enables GuardDuty to identify the following: Known malware-infected hosts Anonymizing proxies Sites hosting malware and hacker tools Cryptocurrency mining pools and wallets Detecting known threats using threat intelligence
- 25. © 2020, Amazon Web Services, Inc. or its affiliates. All rights reserved.
- 26. © 2020, Amazon Web Services, Inc. or its affiliates. All rights reserved. Amazon Detective Quickly analyze, investigate, and identify the root cause of security issues Built-in data collection Automated analysis Visual insights
- 27. How does Amazon Detective work?
- 28. © 2020, Amazon Web Services, Inc. or its affiliates. All rights reserved.
- 29. What is a WAF? • Web Application Firewall (WAF) is an appliance, server plugin, or filter that applies a set of rules to HTTP traffic • WAFs Come in Four Flavors • Pure Play: stand alone appliance or software • CDN: bundled with Content Delivery Network • Load Balancer: bundled with a load balancer • Universal Threat Manager (UTM): catch-all for misc. security
- 30. The AWS WAF
- 31. Thank you! © 2020, Amazon Web Services, Inc. or its affiliates. All rights reserved. Cobus Bernard Sr Developer Advocate Amazon Web Services @cobusbernard cobusbernard cobusbernard
Editor's Notes
- 1/ First, it all starts with our foundation. As you look at the Gartner IaaS MQ, Gartner calls our the breadth of our offering and the strength of our infrastructure, including the unmatched reliability and availability we provide. 3/ The AWS Cloud spans 69 Availability Zones within 22 geographic Regions around the world, with announced plans for 9 more Availability Zones and four more Regions in, Cape Town, Jakarta, and Milan. global network of 191 Points of Presence (180 Edge Locations and 11 Regional Edge Caches) in 73 cities across 33 countries. 4/ Amazon CloudFront uses a global network of 187 Points of Presence (176 Edge Locations and 11 Regional Edge Caches) in 69 cities across 30 countries 5/ Our AWS geographical regions are comprised of availability zones (AZ’s) that are set of data centers isolated from failures and low latency connectivity providing natively high availability. 6/ All supported by the AWS global network which connects all of our regions. A network that's been built specifically for the cloud, and we continue to iterate on it.
- We align the AWS security services to the 5 epics of the Security Cloud Adoption Framework (CAF). The order of the epics tells a story. https://d0.awsstatic.com/whitepapers/AWS_CAF_Security_Perspective.pdf https://d1.awsstatic.com/whitepapers/architecture/AWS-Security-Pillar.pdf
- Here we’ve configured 172.31.0.0/16 as the VPC CIDR and created two public subnets (172.31.0.0/24, 172.31.1.0/24) and two private subnets (172.31.128.0/24, 172.31.129.0/24).
- Here we’ve configured 172.31.0.0/16 as the VPC CIDR and created two public subnets (172.31.0.0/24, 172.31.1.0/24) and two private subnets (172.31.128.0/24, 172.31.129.0/24).
- AWS Security Hub workflow Get started in a few clicks and a few more for multi-account rollup No normalization or parsing needed with AWS Security Finding Format 28 partner integrations with simple setup (a few clicks to 15 min of CloudFormation deployment); 3 fully automated AWS integrations 25+ out-of-the-box AWS correlation and stacking rules called “insights” and ability for customers to create their own; plus default ones from partners coming soon. Automated compliance checks via CIS AWS Foundations Benchmark Automated response and remediation actions on specific findings via CloudWatch Events rules and targets You can set up AWS Security Hub in the AWS Management Console by clicking the “Enable Security Hub” button and adding your AWS accounts to the service. The process of ingesting data across the AWS security services begins. Security Hub (CLICK) aggregates findings from AWS security services and partner security tools and correlate them to identify the highest priority findings. As an additional step, (CLICK) Security Hub conducts continuous and automated compliance checks using industry standards and provide the results to you for remediation. Finally, you may review the findings (CLICK) in the console and select the ones for specific actions such as sending finding to ticketing, chat, email, or automated remediation via CloudWatch Events and Lambda.
- CIS https://www.cisecurity.org/benchmark/amazon_web_services/ Standards is one of the methods used by Security Hub to process findings. This method uses compliance frameworks that are based on regulatory requirements or AWS best practices. AWS has defined specific evaluation checks that align to the controls within a certain compliance standard. CIS, or Center for Internet Security, AWS Foundations Benchmark is the compliance standard currently being used by Security Hub. AWS Security Hub creates a score to inform you how your AWS environment is doing against the CIS Benchmark and displays it on the main dashboard. When you click through to the standard, you will see a summary of the controls that need your attention. Security Hub also shows informational best practices on how to mitigate each compliance issue. Improve compliance with automated checks With Security Hub, you can run automated, continuous account-level configuration and compliance checks based on industry standards and best practices, such as the Center for Internet Security (CIS) AWS Foundations Benchmark. These checks provide a compliance score and identify specific accounts and resources that require attention.
- The First focuses on the the implementation ease such as (Click for each bullet) I’ll say the first one to start One click – speaks to SIMPLICITY of the solution. No architectural requirements or performance impact. Just turn it on – click. Continuous monitoring of your AWS accounts and workloads. Global coverage but the results are kept regionally. You could aggregate all of your results for analysis by bringing them into S3 or into a 3rd party solution (Splunk, Qradar) running in their SOC – as an example And Then the actual security related benefits Detects known threats through known signatures based Detects unknown threats through behavior based analytics. Customers can define their own remediation through 3rd party tools or invoking Lambda functions. How does this all work… Click
- Data Sources GuardDuty analyzes AWS VPC Flow Logs, DNS and CloudTrail Events. It is optimized to consume large volumes of. AWS does all of the heavy lifting you are not required to turn on any logging. Data is NOT stored by GuardDuty – It is pulled from internal sources, analyzed in memory and then discarded. GuardDuty ONLY stores the results from the findings that are produced. Thus your data remains your data Click
- With threat intel being applied to data sources Guard Duty can detect known threats and produce instant findings (they are known !). Things like (READ bottom of slide) Threat Intel comes from: AWS Security Intel – GuardDuty has access to AWS’ own security intel feed (from ASIS team). This is the only way you can access this feed. This Intel is constantly being updated by AWS Security team. Commercial/partner Intelligence is currently provided by CrowdStrike and ProofPoint. At no extra cost to the customer. Customer’s can provide there own Threat Intelligence data and customer provided threat intel does not get shared across customers. What Else can GD detect…
- We do all the heavy lifting of provisions processing and storing logs We take those logs and extract important records and combine them into a federated view Then present them in an organized time series view that power investigations and reduce mean time to respond Out of the box we keep this information for a full year so you can historically go back in time
- Amazon Detective automatically processes terabytes of event data records about IP traffic, AWS management operations, and malicious or unauthorized activity. It organizes the data into a graph model that summarizes all the security-related relationships in your AWS environment. Amazon Detective then queries this model to create visualizations used in investigations. The graph model is continuously updated as new data becomes available from AWS resources, so you spend less time managing constantly changing data. Amazon Detective is integrated with AWS security services such as Amazon GuardDuty and AWS Security Hub as well as AWS partner security products to help quickly investigate security findings identified in these services. Using a single-click from these integrated services you can go to Amazon Detective and immediately see events related to the finding, drill down into relevant historical activities and investigate the issue. For example, from an Amazon GuardDuty finding, you can launch Amazon Detective by clicking on “Investigate” that provides instant insight into the relevant activity for the involved resource, giving you the details and context to quickly decide whether the detected finding reflects actual suspicious activity. Amazon Detective produces visualizations with the information you need to investigate and respond to security findings. It helps you answer questions like ‘is this normal for this role to have so many failed API calls?’ or ‘is this spike in traffic from this instance expected?’ without having to organize any data or develop, configure, or tune your own queries and algorithms. Amazon Detective maintains up to a year of historical event data that shows changes in the type and volume of activity over a selected time window, and links those changes to security findings.
- RICH First of all, let’s make sure we are all on the same page. What is a WAF? Quite simply, a WAF is a Web Application Firewall. It is an application layer firewall used to protect web assets from various forms of attack. WAF is an appliance, server plugin or filter that applies a set of rules to HTTP traffic. Another way to look at it, a web security service providing OSI Layer 7 protection by monitoring http and https requests and restricting access to web applications. Why do IT managers devops engineers buy / implement a WAF? Gartner reports that 25-30% of all WAF implementations are for the protection of eCommerce solutions that require a PCI compliant workflow. While we are offering the WAF as part of CloudFront, which *IS* a PCI Compliant service, the AWS WAF will not obtain PCI compliance until Q3 2016. However, it can still be used as a component in architectures requiring PCI compliance. If you have questions about this, please contact us offline to discuss in more detail. Common attacks include high volume request traffic for content from a single IP address or a range of IP addresses. CDN based WAF’s filter requests at edge locations before content is served or requests are forwarded to the origin server .
- RICH Let’s talk about why we built the WAF based on customer feedback. Initially the WAF will be a CDN offering, but will be extended shortly after launch to include ELB