1. AWS Users’ Group May 2020!
David “Mac” McDaniel
Director, Cloud Professional Services -- Qwinix Technologies
mac@qwinix.io
david@mobile-360.com
LinkedIn: https://www.linkedin.com/in/davidbmcdaniel
Twitter: @ServerlessJava, @DenverAWSUG
2. Agenda for Tonight
● Communication Items
● Upcoming Meetups
● Resources
● Tonight’s Topic:
AWS Security 101: AWS Tools and Services
3. Communication Items
Slack Channel: https://DenverAWSUsersGroup.slack.com, email me at
david@mobile-360.com for an invite.
We now have our own Twitter handle: @DenverAWSUG. Please follow and we’ll
post updates and surveys there as well!
We are now listed on AWS UG site:
https://aws.amazon.com/usergroups/americas/
Announcements: Please email me announcements at
least the day before the Meetup!
4. Tools:
● IAM Policy Generator
● IAM Security Assessment tool
AWS Updates -- All about Security
● CloudTrail simplifies
● AWS SSO zero-downtime cert rotation
● WorkMail flows using Lambda
● Enhanced DirectConnect monitoring
● Enhanced Macie w/reduced pricing
● Fraud Detector - catching fraud faster
8. Categories of Security Tools
Identity and Access Management: Managing authentication and authorization
to resources
Detective Controls: Identify existing vulnerabilities and activities
Infrastructure Protection: Defends against DDoS, malicious web traffic
Data Protection: Auto discover sensitive data, encryption key management
Audit Controls: Secured audit logs
Network Security: Firewalls, IDS/IPS, private connectivity
9. Identity and Access Management
IAM best practices for security:
● Complex passwords - passwords are the weakest link
● Least-privilege permission model
● Password rotation on regular schedule
● MFA/2FA:
○ Best: Hardware token like YubiKey supporting the FIDO2 standard
○ Good: Mobile-phone based Authenticator application
○ Bad: SMS-based OTC (One-Time Codes)
● SSO Integration - AD, Okta, Ping, many choices - fewer passwords means
less reuse, which is the #1 problem
● Access Analyzer - Helps maintain least privilege permission model
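The least-privilege bullet above is the one that is easiest to check mechanically. The following is an added example (not code from the talk or from AWS; Access Analyzer does a far more thorough job): a small offline linter for IAM policy documents that flags the statement shapes that break least privilege, wildcard actions, service-wide `svc:*` actions, wildcard resources, and `Allow` combined with `NotAction`/`NotResource`. The two policy documents are constructed samples: an over-broad policy beside the scoped version of the same intent.

```python
"""Flag IAM policy statements that break the least-privilege model.

Added example, not from the talk: an offline linter for IAM policy JSON.
Both policy documents below are constructed samples.
"""
import json

# Constructed sample: grants everything, plus a whole service on one bucket.
OVERLY_BROAD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Effect": "Allow", "Action": ["s3:*"], "Resource": "arn:aws:s3:::app-bucket/*"},
    ],
})

# Constructed sample: the same application need, scoped to the actions and
# resources it actually uses.
SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:PutObject"],
            "Resource": "arn:aws:s3:::app-bucket/*",
        },
        {
            "Effect": "Allow",
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:::app-bucket",
        },
    ],
})


def _as_list(value):
    """IAM accepts a single string or a list for Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def find_violations(policy_json):
    """Return a list of (statement_index, reason) for Allow statements that are too broad.

    Deny statements only narrow access, so they are skipped. Allow with
    NotAction/NotResource grants everything *except* the listed items, which is
    almost never what least privilege intends.
    """
    policy = json.loads(policy_json)
    statements = _as_list(policy.get("Statement"))
    violations = []
    for idx, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt:
            violations.append((idx, "Allow with NotAction grants every action not listed"))
        if "NotResource" in stmt:
            violations.append((idx, "Allow with NotResource grants every resource not listed"))
        for action in _as_list(stmt.get("Action")):
            if action == "*":
                violations.append((idx, "wildcard action '*'"))
            elif action.endswith(":*"):
                violations.append((idx, f"service-wide action '{action}'"))
        for resource in _as_list(stmt.get("Resource")):
            if resource == "*":
                violations.append((idx, "wildcard resource '*'"))
    return violations


if __name__ == "__main__":
    for name, doc in (("overly broad", OVERLY_BROAD_POLICY), ("scoped", SCOPED_POLICY)):
        print(f"{name}: {find_violations(doc) or 'no findings'}")
```

Run it as a script to see three findings for the broad policy and none for the scoped one. The same function can be pointed at policies pulled with `aws iam get-policy-version` as a first pass before the real review.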
10. Detective Controls
These are services that notify and sometimes prevent threats as they occur.
AWS Security Hub: Aggregated security findings from services and partner
applications. Automate handling of security incidents.
Amazon GuardDuty: Continuous threat and anomaly detection using ML across
CloudTrail, VPC flow logs, DNS logs.
Amazon Inspector: Automatically assesses applications for exposure, vulnerabilities
and deviations from best practices: unintended network accessibility, remote
root access, etc.
Amazon Detective: Uses ML to help conduct faster and more efficient
investigations.
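GuardDuty's flow-log analysis is a black box from the user's side, so it helps to see what one of the simplest signals looks like in the raw data. This added example (not the talk's code and not how GuardDuty is implemented) parses the default 14-field VPC Flow Log format and reports sources that were rejected on many distinct ports of one host, which is the basic port-scan shape. The log lines, account ID and addresses are constructed.

```python
"""Spot port-scan-like behaviour in VPC Flow Log records.

Added example, not part of the talk or of GuardDuty: a minimal detector over
the default flow-log format. All log lines below are constructed.
"""
from collections import defaultdict

# Default flow log fields, in order:
#   version account-id interface-id srcaddr dstaddr srcport dstport protocol
#   packets bytes start end action log-status
SAMPLE_FLOW_LOGS = """\
2 123456789012 eni-0a1b2c3d 203.0.113.7 10.0.1.15 51234 22 6 1 44 1589500000 1589500060 REJECT OK
2 123456789012 eni-0a1b2c3d 203.0.113.7 10.0.1.15 51235 23 6 1 44 1589500001 1589500061 REJECT OK
2 123456789012 eni-0a1b2c3d 203.0.113.7 10.0.1.15 51236 80 6 1 44 1589500002 1589500062 REJECT OK
2 123456789012 eni-0a1b2c3d 203.0.113.7 10.0.1.15 51237 443 6 1 44 1589500003 1589500063 ACCEPT OK
2 123456789012 eni-0a1b2c3d 203.0.113.7 10.0.1.15 51238 3389 6 1 44 1589500004 1589500064 REJECT OK
2 123456789012 eni-0a1b2c3d 203.0.113.7 10.0.1.15 51239 8080 6 1 44 1589500005 1589500065 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.4 10.0.1.15 40000 443 6 12 3400 1589500010 1589500070 ACCEPT OK
2 123456789012 eni-0a1b2c3d 198.51.100.4 10.0.1.15 40001 443 6 9 2100 1589500020 1589500080 ACCEPT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1589500030 1589500090 - NODATA
"""


def parse_flow_log(text):
    """Parse default-format flow log lines into dicts, skipping NODATA/SKIPDATA records."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 14 or fields[13] != "OK":
            continue  # malformed, or a record with no flow fields ('-' placeholders)
        records.append({
            "srcaddr": fields[3],
            "dstaddr": fields[4],
            "dstport": int(fields[6]),
            "protocol": int(fields[7]),
            "action": fields[12],
        })
    return records


def find_port_scanners(records, min_rejected_ports=5):
    """Return {(srcaddr, dstaddr): sorted rejected ports} for source/destination
    pairs where the source was REJECTed on at least `min_rejected_ports`
    distinct destination ports. ACCEPTed flows do not count towards the total."""
    rejected = defaultdict(set)
    for rec in records:
        if rec["action"] == "REJECT":
            rejected[(rec["srcaddr"], rec["dstaddr"])].add(rec["dstport"])
    return {
        pair: sorted(ports)
        for pair, ports in rejected.items()
        if len(ports) >= min_rejected_ports
    }


if __name__ == "__main__":
    hits = find_port_scanners(parse_flow_log(SAMPLE_FLOW_LOGS))
    for (src, dst), ports in hits.items():
        print(f"{src} -> {dst}: rejected on {len(ports)} ports {ports}")
```

Against the sample, `203.0.113.7` is reported for five rejected ports on `10.0.1.15` while the normal HTTPS client `198.51.100.4` is not. The threshold is deliberately a parameter: on a real account it has to be tuned against the noise floor of internet-facing interfaces, which is precisely the tuning GuardDuty's ML is doing for you.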
11. Infrastructure Protection
AWS Shield: Advanced, managed DDoS infrastructure protecting your
infrastructure
AWS WAF (Web Application Firewall): Content-level filtering for things like SQL
injection, MITM or replay attacks. Implements OWASP Top 10 and other rules.
Automates responses such as permanent or temporary IP banning.
AWS Firewall Manager: Centrally manage AWS WAF and AWS Managed WAF
Rules. Still distributed infrastructure, but makes managing much easier.
DirectConnect & Site-to-site VPN: Provides private connectivity between your
site or datacenter and AWS, preventing traffic from ever hitting the public
internet.
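The "temporary IP banning" mentioned under AWS WAF is done by rate-based rules: count requests per source IP over a window and block the IP while it stays over the limit. This added example (not AWS WAF's code, and using constructed timestamps and addresses) models that decision logic offline, with a sliding window, a timed ban and a separate permanent block list, so the behaviour can be read and tested before committing to thresholds in a real WebACL.

```python
"""WAF-style rate-based blocking with temporary and permanent IP bans.

Added example, not AWS WAF's implementation: a sliding-window rate limiter
that temporarily bans a source IP when it exceeds the limit, plus a static
block list. The request log below is constructed.
"""
from collections import defaultdict, deque

# Constructed sample: (unix timestamp, source ip, path)
SAMPLE_REQUESTS = [
    (1000, "198.51.100.9", "/login"),
    (1001, "203.0.113.50", "/"),
    (1002, "198.51.100.9", "/login"),
    (1003, "198.51.100.9", "/login"),
    (1004, "198.51.100.9", "/login"),   # 4th request in the 5 s window -> ban
    (1005, "198.51.100.9", "/login"),   # still inside the ban
    (1010, "203.0.113.50", "/about"),
    (1070, "198.51.100.9", "/login"),   # 60 s ban expired at 1064 -> allowed
    (1071, "192.0.2.1", "/"),           # on the permanent block list
]


class RateLimiter:
    """Decide ALLOW / BLOCK-temporary / BLOCK-permanent per request."""

    def __init__(self, limit, window_seconds, ban_seconds, permanent_blocks=()):
        self.limit = limit                      # max requests allowed per window
        self.window = window_seconds            # sliding window length
        self.ban_seconds = ban_seconds          # how long a temporary ban lasts
        self.permanent_blocks = set(permanent_blocks)
        self.recent = defaultdict(deque)        # ip -> timestamps inside the window
        self.banned_until = {}                  # ip -> timestamp when the ban lifts

    def decide(self, ts, ip):
        if ip in self.permanent_blocks:
            return "BLOCK-permanent"
        if ip in self.banned_until and ts < self.banned_until[ip]:
            return "BLOCK-temporary"            # requests during a ban are not re-counted
        window = self.recent[ip]
        window.append(ts)
        while window and window[0] <= ts - self.window:
            window.popleft()                    # drop timestamps outside the window
        if len(window) > self.limit:
            self.banned_until[ip] = ts + self.ban_seconds
            return "BLOCK-temporary"
        return "ALLOW"


def run_log(requests, limit=3, window_seconds=5, ban_seconds=60, permanent_blocks=("192.0.2.1",)):
    """Replay a request log through the limiter and return one decision per request."""
    limiter = RateLimiter(limit, window_seconds, ban_seconds, permanent_blocks)
    return [limiter.decide(ts, ip) for ts, ip, _path in requests]


if __name__ == "__main__":
    for (ts, ip, path), decision in zip(SAMPLE_REQUESTS, run_log(SAMPLE_REQUESTS)):
        print(f"{ts} {ip:14} {path:8} {decision}")
```

Two design points worth noting: blocked requests are not added to the window here, so a ban lifts cleanly after `ban_seconds`, and the limits (3 requests per 5 seconds in the sample) are far lower than anything sensible for production; they are chosen so the sample log exercises every branch.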
12. Data Protection
Amazon Macie: Discover and protect sensitive data in S3. Helps meet
compliance regulations such as HIPAA, GDPR, CCPA etc.
AWS KMS: Manage encryption keys, enable auto-rotation and termination.
AWS Certificate Manager: Free SSL/TLS certificates for some AWS services
(LBs, CloudFront, API GW, etc.) but not EC2 directly. Both public and private
certificate management.
AWS Secrets Manager: Secure, scalable secret management, with
auto-update/rotation including sync to RDS.
13. Summary
All of these tools are a great place to start. No single tool or provider will get
you everything you may need.
During the Covid-19 pandemic, there has been a large increase in attacks on
home networks because of their weaker security. Tools exist to hack ISPs'
routers and sometimes even install viruses.
Employees' personal computers should never be granted access to corporate
resources, as you don't have control over what is installed and who has access.
Implement a second network within the home for work computers, with a higher
level of security measures.
Remember that, sadly, people are the weakest link in security. We all need to
help people be better!