In this session, we will take a deeper look at the security services and features available on AWS. We will look at how Identity and Access Management (IAM) works by covering IAM users, policies, roles and groups. We will also look at AWS security groups and how they are applied to the different infrastructure components, e.g. Amazon EC2 instances, load balancers and databases (via Amazon RDS). Lastly, we will take a quick look at AWS Certificate Manager for SSL/TLS certificates and mention additional services such as Amazon Detective, Amazon GuardDuty, Amazon Macie and AWS WAF.
What is a WAF?
• A Web Application Firewall (WAF) is an appliance, server plugin or filter that applies a set of rules to HTTP traffic
• WAFs come in four flavors
• Pure play: stand-alone appliance or software
• CDN: bundled with a Content Delivery Network
• Load balancer: bundled with a load balancer
• Unified Threat Management (UTM): catch-all appliance for miscellaneous security functions
1/ First, it all starts with our foundation. If you look at the Gartner IaaS Magic Quadrant (MQ), Gartner calls out the breadth of our offering and the strength of our infrastructure, including the unmatched reliability and availability we provide.
3/ The AWS Cloud spans 69 Availability Zones within 22 geographic Regions around the world, with announced plans for nine more Availability Zones and four more Regions, including Cape Town, Jakarta and Milan. The edge network adds 191 Points of Presence (180 Edge Locations and 11 Regional Edge Caches) in 73 cities across 33 countries.
4/ Amazon CloudFront uses a global network of 187 Points of Presence (176 Edge Locations and 11 Regional Edge Caches) in 69 cities across 30 countries
5/ Each AWS geographic Region is made up of Availability Zones (AZs): sets of data centers that are isolated from one another's failures yet connected with low-latency links, which provides high availability natively.
6/ All of this is supported by the AWS global network, which connects all of our Regions: a network built specifically for the cloud, and one we continue to iterate on.
We align the AWS security services to the five epics of the Security Perspective of the AWS Cloud Adoption Framework (CAF). The order of the epics tells a story.
https://d0.awsstatic.com/whitepapers/AWS_CAF_Security_Perspective.pdf
https://d1.awsstatic.com/whitepapers/architecture/AWS-Security-Pillar.pdf
Here we’ve configured 172.31.0.0/16 as the VPC CIDR and created two public subnets (172.31.0.0/24, 172.31.1.0/24) and two private subnets (172.31.128.0/24, 172.31.129.0/24).
AWS Security Hub workflow
Get started in a few clicks and a few more for multi-account rollup
No normalization or parsing needed thanks to the AWS Security Finding Format (ASFF)
28 partner integrations with simple setup (a few clicks to 15 min of CloudFormation deployment); 3 fully automated AWS integrations
25+ out-of-the-box AWS correlation and stacking rules called “insights” and ability for customers to create their own; plus default ones from partners coming soon.
Automated compliance checks via CIS AWS Foundations Benchmark
Automated response and remediation actions on specific findings via CloudWatch Events rules and targets
You can set up AWS Security Hub in the AWS Management Console by clicking the “Enable Security Hub” button and adding your AWS accounts to the service; ingestion of data from the AWS security services then begins. Security Hub aggregates findings from AWS security services and partner security tools and correlates them to identify the highest-priority findings. As an additional step, Security Hub runs continuous, automated compliance checks against industry standards and provides the results to you for remediation. Finally, you review the findings in the console and select the ones for specific actions, such as sending a finding to ticketing, chat or email, or triggering automated remediation via CloudWatch Events and Lambda.
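The last step of that workflow, a CloudWatch Events rule that hands Security Hub findings to a Lambda function, is the part practitioners usually have to write themselves. The following Python is an added example, not code from the page or from AWS: a Lambda-style handler that reads the "Security Hub Findings - Imported" event Security Hub emits, relies on the fact that every finding is already in ASFF (so no parsing per product is needed), and decides which findings merit an automated response. The sample event, its account ID, ARNs and resource IDs are constructed placeholders, and the function names and the action vocabulary are assumptions of this example.

```python
"""Illustrative Security Hub automated-response handler (added example).

Consumes the CloudWatch Events / EventBridge event that Security Hub emits when
findings are imported.  Findings arrive in ASFF, so one filter works for every
product (GuardDuty, CIS checks, partner tools).  Side-effect free so it runs
offline; a real deployment would replace the returned plan with boto3 calls.
"""

SEVERITY_RANK = {"INFORMATIONAL": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed sample event.  Account ID, ARNs and resource IDs are placeholders.
SAMPLE_EVENT = {
    "source": "aws.securityhub",
    "detail-type": "Security Hub Findings - Imported",
    "region": "us-east-1",
    "detail": {"findings": [
        {   # HIGH GuardDuty finding on an instance: isolate it
            "SchemaVersion": "2018-10-08",
            "Id": "arn:aws:guardduty:us-east-1:111122223333:detector/d1/finding/f1",
            "ProductArn": "arn:aws:securityhub:us-east-1::product/aws/guardduty",
            "AwsAccountId": "111122223333",
            "Types": ["TTPs/Command and Control"],
            "Severity": {"Label": "HIGH", "Normalized": 70},
            "Resources": [{"Type": "AwsEc2Instance",
                           "Id": "arn:aws:ec2:us-east-1:111122223333:instance/i-0123456789abcdef0"}],
            "RecordState": "ACTIVE", "Workflow": {"Status": "NEW"},
        },
        {   # HIGH CIS control failure on the account: nothing to isolate, open a ticket
            "SchemaVersion": "2018-10-08",
            "Id": "arn:aws:securityhub:us-east-1:111122223333:subscription/cis-aws-foundations-benchmark/v/1.2.0/1.1/finding/f2",
            "ProductArn": "arn:aws:securityhub:us-east-1::product/aws/securityhub",
            "AwsAccountId": "111122223333",
            "Types": ["Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"],
            "Severity": {"Label": "HIGH", "Normalized": 70},
            "Compliance": {"Status": "FAILED"},
            "Resources": [{"Type": "AwsAccount", "Id": "AWS::::Account:111122223333"}],
            "RecordState": "ACTIVE", "Workflow": {"Status": "NEW"},
        },
        {   # HIGH but already resolved by an analyst: must not be re-actioned
            "SchemaVersion": "2018-10-08",
            "Id": "arn:aws:guardduty:us-east-1:111122223333:detector/d1/finding/f3",
            "ProductArn": "arn:aws:securityhub:us-east-1::product/aws/guardduty",
            "AwsAccountId": "111122223333",
            "Severity": {"Label": "HIGH", "Normalized": 70},
            "Resources": [{"Type": "AwsEc2Instance",
                           "Id": "arn:aws:ec2:us-east-1:111122223333:instance/i-0fedcba9876543210"}],
            "RecordState": "ACTIVE", "Workflow": {"Status": "RESOLVED"},
        },
        {   # LOW informational finding: below the automation threshold
            "SchemaVersion": "2018-10-08",
            "Id": "arn:aws:securityhub:us-east-1:111122223333:subscription/cis-aws-foundations-benchmark/v/1.2.0/2.9/finding/f4",
            "ProductArn": "arn:aws:securityhub:us-east-1::product/aws/securityhub",
            "AwsAccountId": "111122223333",
            "Severity": {"Label": "LOW", "Normalized": 20},
            "Resources": [{"Type": "AwsAccount", "Id": "AWS::::Account:111122223333"}],
            "RecordState": "ACTIVE", "Workflow": {"Status": "NEW"},
        },
        {   # CRITICAL: an access key is being misused, disable it
            "SchemaVersion": "2018-10-08",
            "Id": "arn:aws:guardduty:us-east-1:111122223333:detector/d1/finding/f5",
            "ProductArn": "arn:aws:securityhub:us-east-1::product/aws/guardduty",
            "AwsAccountId": "111122223333",
            "Severity": {"Label": "CRITICAL", "Normalized": 90},
            "Resources": [{"Type": "AwsIamAccessKey", "Id": "AKIAIOSFODNN7EXAMPLE"}],
            "RecordState": "ACTIVE", "Workflow": {"Status": "NEW"},
        },
    ]},
}


def wants_response(finding, min_severity="HIGH"):
    """True if the finding is active, not already handled, and severe enough."""
    if finding.get("RecordState", "ACTIVE") != "ACTIVE":
        return False
    if finding.get("Workflow", {}).get("Status") in ("RESOLVED", "SUPPRESSED"):
        return False
    label = finding.get("Severity", {}).get("Label", "INFORMATIONAL")
    return SEVERITY_RANK.get(label, 0) >= SEVERITY_RANK[min_severity]


def plan_actions(event, min_severity="HIGH"):
    """Map each qualifying finding to a remediation action per affected resource.

    The action names are this example's own vocabulary; a deployment would wire
    them to boto3 (e.g. detach security groups, deactivate the access key) or to
    a ticketing integration.
    """
    actions = []
    for f in event.get("detail", {}).get("findings", []):
        if not wants_response(f, min_severity):
            continue
        for res in f.get("Resources", []):
            rtype = res.get("Type")
            if rtype == "AwsEc2Instance":
                action = "isolate_instance"
            elif rtype == "AwsIamAccessKey":
                action = "disable_access_key"
            else:
                action = "open_ticket"
            actions.append({"finding_id": f["Id"], "account": f["AwsAccountId"],
                            "resource": res.get("Id"), "severity": f["Severity"]["Label"],
                            "action": action})
    return actions


def lambda_handler(event, context):
    """Lambda entry point: returns the plan and a count for the invocation log."""
    plan = plan_actions(event)
    return {"responded": len(plan), "actions": plan}


if __name__ == "__main__":
    for a in lambda_handler(SAMPLE_EVENT, None)["actions"]:
        print(a["severity"], a["action"], a["resource"])
```

The two gates in `wants_response` matter in practice: Security Hub re-emits findings whenever a product updates them, so a handler that ignores `Workflow.Status` will re-isolate an instance an analyst has already closed out, and one that ignores `RecordState` will act on archived findings.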
CIS
https://www.cisecurity.org/benchmark/amazon_web_services/
Standards are one of the methods Security Hub uses to process findings.
This method uses compliance frameworks that are based on regulatory requirements or AWS best practices.
AWS has defined specific evaluation checks that align to the controls within a certain compliance standard.
The Center for Internet Security (CIS) AWS Foundations Benchmark is the compliance standard currently supported by Security Hub. Security Hub computes a score that tells you how your AWS environment fares against the CIS Benchmark and displays it on the main dashboard. When you click through to the standard, you see a summary of the controls that need your attention. Security Hub also shows best-practice guidance on how to remediate each compliance issue.
Improve compliance with automated checks
With Security Hub, you can run automated, continuous account-level configuration and compliance checks based on industry standards and best practices, such as the Center for Internet Security (CIS) AWS Foundations Benchmark. These checks provide a compliance score and identify specific accounts and resources that require attention.
The first group of Amazon GuardDuty benefits concerns ease of implementation:
One click: this speaks to the simplicity of the service. There are no architectural changes and no performance impact; you just turn it on.
Continuous monitoring of your AWS accounts and workloads.
Global coverage, but findings are stored per Region. You can aggregate findings for analysis by exporting them to Amazon S3 or into a third-party SIEM (Splunk or QRadar, for example) running in your SOC.
Then the security benefits themselves:
Detects known threats through signature-based matching against threat intelligence.
Detects unknown threats through behavior-based analytics.
Customers can define their own remediation through third-party tools or by invoking Lambda functions.
How does this all work…
Data Sources
GuardDuty analyzes VPC Flow Logs, DNS logs and AWS CloudTrail events, and is optimized to consume large volumes of these logs.
AWS does all of the heavy lifting: you are not required to turn on any of this logging yourself.
Data is NOT stored by GuardDuty – It is pulled from internal sources, analyzed in memory and then discarded.
GuardDuty ONLY stores the results from the findings that are produced.
Thus your data remains your data
With threat intel applied to these data sources, GuardDuty can detect known threats and produce findings immediately, because the indicators are already known.
Threat Intel comes from:
AWS security intelligence: GuardDuty has access to AWS' own security intel feed (from the ASIS team). This is the only way you can access this feed, and it is constantly updated by the AWS security team.
Commercial/partner intelligence is currently provided by CrowdStrike and Proofpoint, at no extra cost to the customer.
Customers can provide their own threat intelligence data; customer-provided threat intel is not shared across customers.
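To make the "known threats via threat intel" mechanism concrete, here is an added Python example (not GuardDuty's code, whose internals are not public, and not code from the page) that does what a customer threat list implies: load a plain-text list of IP addresses and CIDR blocks, then scan VPC Flow Log records for accepted traffic whose source or destination falls inside the list. The flow log lines follow the default version-2 field order; the lines, the list entries and the addresses are constructed, the comment handling in the list loader is this example's assumption, and the finding labels are the example's own, not GuardDuty finding types.

```python
"""Threat-intel matching over VPC Flow Logs (added example, not GuardDuty code)."""
import ipaddress

# Constructed customer threat list: one IP or CIDR per line.  Treating '#' lines
# as comments is this example's choice, not a documented list-format feature.
THREAT_LIST_TXT = """\
# constructed sample list
198.51.100.0/24
203.0.113.7
"""

# Constructed VPC Flow Log records in the default (version 2) field order.
FLOW_LOG_LINES = [
    "2 123456789012 eni-0a1b2c3d 203.0.113.7 10.0.1.15 44321 22 6 12 1680 1600000000 1600000060 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d 10.0.1.15 198.51.100.45 53211 443 6 30 6400 1600000000 1600000060 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d 192.0.2.9 10.0.1.15 5555 3389 6 4 240 1600000000 1600000060 REJECT OK",
    "2 123456789012 eni-0a1b2c3d 203.0.113.7 10.0.1.15 44322 22 6 1 60 1600000000 1600000060 REJECT OK",
]

FLOW_FIELDS = ["version", "account_id", "interface_id", "srcaddr", "dstaddr",
               "srcport", "dstport", "protocol", "packets", "bytes", "start",
               "end", "action", "log_status"]


def load_threat_list(text):
    """Parse the list into ip_network objects; a bare IP becomes a /32 (or /128)."""
    nets = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        nets.append(ipaddress.ip_network(line, strict=False))
    return nets


def parse_flow_record(line):
    """Split one flow log line into a dict keyed by the default field names."""
    parts = line.split()
    if len(parts) != len(FLOW_FIELDS):
        raise ValueError("unexpected flow log field count: %d" % len(parts))
    return dict(zip(FLOW_FIELDS, parts))


def match_threat(addr, nets):
    """Return the list entry that contains addr, or None."""
    ip = ipaddress.ip_address(addr)
    for net in nets:
        if ip in net:
            return str(net)
    return None


def scan_flow_logs(lines, nets):
    """Emit one finding per accepted flow that touches a listed address.

    Rejected flows are skipped here because no connection was established; a
    recon-oriented detector would instead count them as probes.
    """
    findings = []
    for line in lines:
        rec = parse_flow_record(line)
        if rec["action"] != "ACCEPT":
            continue
        hit = match_threat(rec["srcaddr"], nets)
        if hit:
            findings.append({"interface": rec["interface_id"], "direction": "inbound",
                             "threat_ip": rec["srcaddr"], "matched_entry": hit,
                             "local_ip": rec["dstaddr"], "dst_port": int(rec["dstport"])})
            continue
        hit = match_threat(rec["dstaddr"], nets)
        if hit:
            findings.append({"interface": rec["interface_id"], "direction": "outbound",
                             "threat_ip": rec["dstaddr"], "matched_entry": hit,
                             "local_ip": rec["srcaddr"], "dst_port": int(rec["dstport"])})
    return findings


if __name__ == "__main__":
    for f in scan_flow_logs(FLOW_LOG_LINES, load_threat_list(THREAT_LIST_TXT)):
        print(f["direction"], f["local_ip"], "<->", f["threat_ip"], "via", f["matched_entry"])
```

The outbound case is the one worth noticing: an instance talking to a listed address on 443 looks like ordinary web traffic in a security group, which is exactly why signature matching against intel, rather than port policy, is what surfaces it.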
What else can GuardDuty detect…
With Amazon Detective, we do all the heavy lifting of provisioning, processing and storing the logs.
We extract the important records from those logs and combine them into a federated view,
then present them in an organized time-series view that powers investigations and reduces mean time to respond.
Out of the box, this information is kept for a full year, so you can go back in time historically.
Amazon Detective automatically processes terabytes of event data records about IP traffic, AWS management operations, and malicious or unauthorized activity. It organizes the data into a graph model that summarizes all the security-related relationships in your AWS environment. Amazon Detective then queries this model to create visualizations used in investigations. The graph model is continuously updated as new data becomes available from AWS resources, so you spend less time managing constantly changing data.
Amazon Detective is integrated with AWS security services such as Amazon GuardDuty and AWS Security Hub as well as AWS partner security products to help quickly investigate security findings identified in these services. Using a single-click from these integrated services you can go to Amazon Detective and immediately see events related to the finding, drill down into relevant historical activities and investigate the issue. For example, from an Amazon GuardDuty finding, you can launch Amazon Detective by clicking on “Investigate” that provides instant insight into the relevant activity for the involved resource, giving you the details and context to quickly decide whether the detected finding reflects actual suspicious activity.
Amazon Detective produces visualizations with the information you need to investigate and respond to security findings. It helps you answer questions like ‘is this normal for this role to have so many failed API calls?’ or ‘is this spike in traffic from this instance expected?’ without having to organize any data or develop, configure, or tune your own queries and algorithms. Amazon Detective maintains up to a year of historical event data that shows changes in the type and volume of activity over a selected time window, and links those changes to security findings.
First of all, let’s make sure we are all on the same page. What is a WAF?
Quite simply, a WAF is a Web Application Firewall. It is an application layer firewall used to protect web assets from various forms of attack. WAF is an appliance, server plugin or filter that applies a set of rules to HTTP traffic. Another way to look at it, a web security service providing OSI Layer 7 protection by monitoring http and https requests and restricting access to web applications.
Why do IT managers and DevOps engineers buy or implement a WAF? Gartner reports that 25-30% of all WAF implementations are for the protection of eCommerce solutions that require a PCI-compliant workflow. While we are offering the WAF as part of CloudFront, which *is* a PCI-compliant service, AWS WAF itself will not obtain PCI compliance until Q3 2016. However, it can still be used as a component in architectures requiring PCI compliance. If you have questions about this, please contact us offline to discuss in more detail.
Common attacks include high volume request traffic for content from a single IP address or a range of IP addresses.
CDN-based WAFs filter requests at edge locations before content is served or requests are forwarded to the origin server.
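The attack named above, high-volume request traffic from one IP address or a range, is what a rate-based WAF rule addresses. The Python below is an added example, not code from the page or from AWS WAF: it models the rule as a sliding five-minute window per client, optionally aggregated by a /24 so a flood spread across a range is counted together, and runs it over constructed request-log lines. The threshold is deliberately tiny so the sample trips it, and the class and function names are this example's assumptions.

```python
"""Sliding-window rate-based rule, as a CDN or load-balancer WAF would apply it
(added example, not AWS WAF code).  Request lines are constructed."""
import ipaddress
from collections import defaultdict, deque

# Constructed request log: "<epoch seconds> <client ip> <method> <path>".
SAMPLE_REQUESTS = [
    "1600000000 203.0.113.9 GET /login",
    "1600000010 203.0.113.9 GET /login",
    "1600000020 203.0.113.9 GET /login",
    "1600000030 203.0.113.9 GET /login",
    "1600000040 203.0.113.9 GET /login",
    "1600000050 203.0.113.9 GET /login",        # 6th in 300 s: over a limit of 5
    "1600000005 198.51.100.2 GET /",
    "1600000015 198.51.100.2 GET /checkout",
    "1600000060 192.0.2.1 GET /search",         # a flood spread over a /24:
    "1600000070 192.0.2.1 GET /search",         # each host stays under the limit,
    "1600000080 192.0.2.2 GET /search",         # the block as a whole does not
    "1600000090 192.0.2.2 GET /search",
    "1600000100 192.0.2.3 GET /search",
    "1600000110 192.0.2.3 GET /search",
    "1600000400 203.0.113.9 GET /login",        # window has slid past the burst
]


class RateBasedRule:
    """Block a client once it exceeds `limit` requests in the last `window_seconds`.

    aggregate_prefix=32 counts per IP; a smaller prefix (e.g. 24) counts per block.
    Timestamps must be fed in non-decreasing order per key.
    """

    def __init__(self, limit, window_seconds=300, aggregate_prefix=32):
        self.limit = limit
        self.window = window_seconds
        self.prefix = aggregate_prefix
        self.hits = defaultdict(deque)

    def key_for(self, ip):
        """Counting key: the IP itself, or the enclosing block for prefix < 32."""
        return str(ipaddress.ip_network("%s/%d" % (ip, self.prefix), strict=False))

    def evaluate(self, ip, ts):
        """Record one request at time ts and return ALLOW or BLOCK."""
        q = self.hits[self.key_for(ip)]
        q.append(ts)
        cutoff = ts - self.window
        while q[0] <= cutoff:          # drop hits that fell out of the window
            q.popleft()
        return "BLOCK" if len(q) > self.limit else "ALLOW"


def parse_request(line):
    ts, ip, method, path = line.split()
    return int(ts), ip, method, path


def run_rule(lines, rule):
    """Evaluate every request in time order; returns (ts, ip, decision) tuples."""
    requests = sorted(parse_request(l) for l in lines)
    return [(ts, ip, rule.evaluate(ip, ts)) for ts, ip, _, _ in requests]


def blocked_requests(lines, rule):
    """Just the (ts, ip) pairs the rule would have blocked."""
    return [(ts, ip) for ts, ip, decision in run_rule(lines, rule) if decision == "BLOCK"]


if __name__ == "__main__":
    print("per IP:  ", blocked_requests(SAMPLE_REQUESTS, RateBasedRule(limit=5)))
    print("per /24: ", blocked_requests(SAMPLE_REQUESTS, RateBasedRule(limit=5, aggregate_prefix=24)))
```

Note that the rule is stateful per key, which is why a CDN-based WAF evaluating at many edge locations needs that state shared or approximated across the edge, and why such rules are thresholded over a multi-minute window rather than per second.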
Let’s talk about why we built the WAF based on customer feedback.
Initially the WAF will be a CDN offering, but will be extended shortly after launch to include ELB