The document summarizes a presentation from the AWS Government, Education, and Nonprofit Symposium on June 25-26, 2015 in Washington, DC. It discusses enhanced security and compliance capabilities available on AWS, including AWS' responsibility for physical and network security controls versus the customer's responsibility for logical controls. It also provides examples of using AWS security services like AWS Key Management Service, AWS CloudTrail, and Amazon S3 for encryption and auditing.
AWS Security and Compliance Symposium
1. AWS Government, Education, and Nonprofit Symposium
Washington, DC | June 25-26, 2015
Enhanced Security and Compliance with AWS
Brad Dispensa - AWS
Justin Lundy - Evident.io
3. Security is job zero
[diagram: layered security model (PHYSICAL, NETWORK, SYSTEM, PEOPLE & PROCESS); a familiar security model, validated and driven by customers’ security experts, that benefits all customers]
4. [diagram: shared responsibility model]
AWS control and AWS responsibility: physical infrastructure, hardware, hypervisor.
Customer control and customer responsibility: guest operating system, logical security, data and application, software firewalls/IDS/AV.
5. Key AWS certifications and assurance programs
Certifications and accreditations for workloads that matter.
AWS CloudTrail – AWS API call logging for governance & compliance: stores data in S3 or archives to Amazon Glacier; log and review user activity.
6. What this means
• You benefit from an environment built for the most security-sensitive organizations
• AWS manages 1800+ physical security controls so you don’t have to
• You get to define the right security controls for your workload sensitivity
• You always have full ownership and control of your data
• You are responsible for logical security configuration of the AWS services you use above the hypervisor
7. Economies of scale: World-class teams
• Where would some of the world’s best security experts like to work?
• They want to work on huge challenges with huge impact!
• AWS has highly leveraged, world-class teams watching your back!
27. [terminal: decrypting the stored ciphertext with KMS]
[ec2-user@ip-172-31-7-156 ~]$ aws kms decrypt --region us-west-1 --ciphertext-blob fileb://encoded --output text --query Plaintext | base64 --decode
Secret information
28. [terminal: uploading and downloading the file using the instance role]
[ec2-user@ip-172-31-7-156 ~]$ aws s3 cp encoded s3://wwps-dc-demo/encoded
upload: ./encoded to s3://wwps-dc-demo/encoded
[ec2-user@ip-172-31-7-156 ~]$ aws s3 cp s3://wwps-dc-demo/encoded secret-stuff
download: s3://wwps-dc-demo/encoded to ./secret-stuff
29. [terminal: listing the bucket is denied]
[ec2-user@ip-172-31-7-156 ~]$ aws s3 ls --region us-west-1 s3://wwps-dc-demo
A client error (AccessDenied) occurred when calling the ListObjects operation: Access Denied
32. Control access and segregate duties everywhere
You get to control who can do what in your AWS environment, as well as when and from where.
Fine-grained control of your AWS cloud with multi-factor authentication.
Integrate with your existing Active Directory directory using federation and single sign-on.
[diagram: AWS account owner delegating network management, security management, server management and storage management]
33. Encrypt your sensitive information
• Native encryption across services for free
– Amazon S3, EBS, Amazon RDS, Amazon Redshift
– End-to-end SSL/TLS
• Scalable key management
– AWS Key Management Service provides scalable, low-cost key management
– AWS CloudHSM provides hardware-based, high assurance key generation, storage, and management
• Third-party encryption options
– Trend Micro, SafeNet, Vormetric, Hytrust, Sophos, etc.
34. Enforce consistent security on servers
[diagram: EC2 template catalog, running instance, your instance; operating system layers: hardening, audit and logging, vulnerability management, malware and HIPS, whitelisting and integrity, user administration]
Configure and harden EC2 instances to your own specs
Use host-based protection software
Manage administrative users
Enforce separation of duties and least privilege
Connect to your existing services (for example, SIEM), patching
37. [diagram: virtual private cloud, Availability Zone, security group, user]
38. Create flexible, resilient, segmented environments
[diagram: your organization (project teams, business units, digital/websites, dev and test, internal enterprise apps) mapped onto segmented AWS environments: marketing, reporting, Amazon Redshift, EMR analytics, and Amazon S3 / Amazon Glacier for storage/backup]
40. Understand configuration changes
• Automate IT asset inventory
• Discover and provision cloud services
• Audit and troubleshoot configuration changes in the cloud
41. Monitoring: Get consistent visibility of logs
Full visibility of your AWS environment
• CloudTrail will record access to API calls and save logs in your S3 buckets, no matter how those API calls were made: who did what, and when, and from where (IP address)
• CloudTrail support for a growing list of AWS services, including EC2, EBS, VPC, RDS, IAM, and Amazon Redshift
• Easily aggregate all log information: out-of-the-box integration with log analysis tools from AWS partners, including Splunk, AlertLogic, and SumoLogic
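An added example, not from the deck: a reader for CloudTrail records that answers the "who did what, when, and from where" question and flags two conditions the deck's best-practice list cares about (root API activity and console logins without MFA). The records are constructed in the CloudTrail record layout; the account id, role name, instance id and IP addresses are invented.

```python
import json

# Constructed records (not real log data) in the CloudTrail record layout.
SAMPLE_TRAIL = json.loads("""{"Records": [
 {"eventTime": "2015-06-25T14:02:11Z", "eventSource": "s3.amazonaws.com",
  "eventName": "GetObject", "awsRegion": "us-west-1", "sourceIPAddress": "172.31.7.156",
  "userIdentity": {"type": "AssumedRole",
   "arn": "arn:aws:sts::111122223333:assumed-role/web-secrets-reader/i-0123456789abcdef0",
   "sessionContext": {"sessionIssuer": {"type": "Role", "userName": "web-secrets-reader"}}},
  "requestParameters": {"bucketName": "wwps-dc-demo", "key": "encoded"}},
 {"eventTime": "2015-06-25T14:05:40Z", "eventSource": "signin.amazonaws.com",
  "eventName": "ConsoleLogin", "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.10",
  "userIdentity": {"type": "IAMUser", "userName": "alice",
   "arn": "arn:aws:iam::111122223333:user/alice"},
  "responseElements": {"ConsoleLogin": "Success"},
  "additionalEventData": {"MFAUsed": "No"}},
 {"eventTime": "2015-06-25T14:09:03Z", "eventSource": "iam.amazonaws.com",
  "eventName": "CreateAccessKey", "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.7",
  "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root",
   "accountId": "111122223333"}}
]}""")


def actor(identity):
    """Name the caller: the root account, the role behind a session, or the IAM user."""
    if identity.get("type") == "Root":
        return "root"
    if identity.get("type") == "AssumedRole":
        # Instances and other role sessions show the issuing role under sessionContext.
        return "role/" + identity["sessionContext"]["sessionIssuer"]["userName"]
    return identity.get("userName") or identity.get("arn", "unknown")


def summarize(record):
    """Who did what, when, and from where (IP address), one line per event."""
    return "{eventTime} {who} {eventSource} {eventName} from {sourceIPAddress}".format(
        who=actor(record["userIdentity"]), **record)


def findings(records):
    """Flag root API use and successful console logins without MFA."""
    out = []
    for r in records:
        if r["userIdentity"].get("type") == "Root":
            out.append(("ROOT_API_CALL", summarize(r)))
        if (r["eventName"] == "ConsoleLogin"
                and r.get("responseElements", {}).get("ConsoleLogin") == "Success"
                and r.get("additionalEventData", {}).get("MFAUsed") != "Yes"):
            out.append(("CONSOLE_LOGIN_NO_MFA", summarize(r)))
    return out


if __name__ == "__main__":
    for record in SAMPLE_TRAIL["Records"]:
        print(summarize(record))
    for code, detail in findings(SAMPLE_TRAIL["Records"]):
        print("FINDING", code, detail)
```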
42. Getting some help – Trusted Advisor
• Performs a series of security configuration checks of your AWS environment:
  • Open ports
  • Unrestricted access
  • IAM use
  • CloudTrail logging
  • S3 bucket permissions
  • Multi-factor authentication
  • Password policy
  • DB access risk
  • DNS records
  • Load balancer config
43. Getting even more help – Evident.io
• Performs a larger series of security configuration checks of your AWS environment:
  • Open ports, unrestricted access
  • IAM use, encryption, policy, users
  • CloudTrail logging
  • S3 bucket permissions
  • Multi-factor authentication
  • Password policy
  • DNS records
  • Load balancer config
  • Route53 config
  • Credential rotation
• Over 100 security checks vs. Trusted Advisor’s 12
• Custom signature flexibility
[screenshot: Evident dashboard]
44. About Evident.io
Evident helps organizations of all sizes proactively manage information security risk and compliance of their entire global AWS infrastructure configuration, on a continuous basis.
We aim to be the de-facto platform for enhanced AWS security.
AWS Summit SF 2015
45. About the Evident security platform
- Continuous monitoring of AWS security configuration
- Enhanced visibility across AWS accounts
- Guided information security risk mitigation
- Rapid Evident activations in <= 10 minutes
- Custom signatures in Ruby or JavaScript; custom alert suppressions
- Third-party integrations with popular apps
[screenshot: Custom signature – CIS-hardened AMI for Ubuntu example]
46. Evident native integrations
SQS, Slack, PagerDuty, HipChat, JIRA
47. AWS shared responsibilities - expanded
AWS:
- facilities
- physical security
- physical infrastructure
- network infrastructure
- virtualization infrastructure
Customer:
- operating system security
- patch management
- application configuration management
- identity and access management
- security groups, network ACLs
- VPC configuration
- S3 bucket policies
- IAM roles, policies, users, groups
- EBS, S3, RDS encryption
- for large environments, thousands to millions of logical controls to monitor
48. Potential risks
- business disruption
- financial losses
- loss of privacy
- reputational damage
- loss of client confidence
- legal penalties
- impaired growth
- loss of life
49. Potential threats
- angry employees
- dishonest employees
- criminals
- governments
- terrorists
- press
- competitors
- hackers
- Mother Nature
50. Potential vulnerabilities
- software bugs
- broken processes
- ineffective controls
- hardware flaws
- unauthorized changes
- legacy systems
- inadequate BCP
- human error
- misconfiguration
51. Top 10 AWS security best practices
1. Disable root API access key and secret key.
2. Enable MFA tokens everywhere.
3. Reduce number of IAM users with admin rights.
4. Use roles for EC2.
5. Least privilege: limit what IAM entities can do with strong/explicit policies.
6. Rotate all the keys regularly.
7. Use IAM roles with STS AssumeRole, where possible.
8. Use Auto Scaling to handle traffic spikes.
9. Do not allow 0.0.0.0/0 in any EC2/ELB security group unless you mean it.
10. Watch world-readable/listable S3 bucket policies.
(Based on our experience with Incident Response, top 10 to implement ASAP.)
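An added example, not from the deck or from Evident's product: offline checks for four of the ten items (root access keys, MFA everywhere, key rotation, and 0.0.0.0/0 in security groups) run over a constructed IAM credential report and a constructed describe-security-groups excerpt. The column names follow the credential report format and the JSON follows describe-security-groups, but every value, the 90-day rotation threshold and the report date are assumptions.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed credential report (not real data). The real report has more columns;
# only the ones these checks read are kept, with the real column names.
CREDENTIAL_REPORT = """\
user,arn,password_enabled,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_2_active,access_key_2_last_rotated
<root_account>,arn:aws:iam::111122223333:root,not_supported,true,true,2014-11-02T09:15:00+00:00,false,N/A
alice,arn:aws:iam::111122223333:user/alice,true,false,true,2015-05-30T12:00:00+00:00,false,N/A
bob,arn:aws:iam::111122223333:user/bob,true,true,true,2015-01-10T08:00:00+00:00,true,2015-06-20T08:00:00+00:00
deploy-bot,arn:aws:iam::111122223333:user/deploy-bot,false,false,true,2015-06-01T00:00:00+00:00,false,N/A
"""

REPORT_DATE = datetime(2015, 6, 26, tzinfo=timezone.utc)   # assumed "now" for the sample
MAX_KEY_AGE = timedelta(days=90)                             # assumed rotation policy


def audit_credential_report(report_csv, now=REPORT_DATE, max_age=MAX_KEY_AGE):
    """Items 1, 2 and 6: root keys, MFA on every password-capable identity, key age."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        for slot in ("1", "2"):
            if row[f"access_key_{slot}_active"] != "true":
                continue
            if user == "<root_account>":
                findings.append((user, f"root access key {slot} is active"))
            age = now - datetime.fromisoformat(row[f"access_key_{slot}_last_rotated"])
            if age > max_age:
                findings.append((user, f"access key {slot} is {age.days} days old"))
        # Root reports password_enabled as not_supported, so only "false" skips the MFA check.
        if row["password_enabled"] != "false" and row["mfa_active"] != "true":
            findings.append((user, "MFA not enabled"))
    return findings


# Constructed describe-security-groups excerpt: SSH open to the world in the first group.
SECURITY_GROUPS = [
    {"GroupId": "sg-0a1b2c3d", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-9f8e7d6c", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "10.0.0.0/8"}]}]},
]


def world_open_rules(groups, intended_ports=(80, 443)):
    """Item 9: inbound rules open to 0.0.0.0/0 on ports you did not mean to expose."""
    hits = []
    for group in groups:
        for perm in group["IpPermissions"]:
            if any(r["CidrIp"] == "0.0.0.0/0" for r in perm.get("IpRanges", [])):
                if perm.get("FromPort") not in intended_ports:
                    hits.append((group["GroupId"], perm["IpProtocol"], perm.get("FromPort")))
    return hits


if __name__ == "__main__":
    for user, problem in audit_credential_report(CREDENTIAL_REPORT):
        print(f"{user}: {problem}")
    for group_id, proto, port in world_open_rules(SECURITY_GROUPS):
        print(f"{group_id}: {proto}/{port} open to 0.0.0.0/0")
```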
52. “Based on our experience, I believe that we can be even more secure in the AWS cloud than in our own data centers.” - Tom Soderstrom, CTO, NASA JPL
53. Thank You.
This presentation will be loaded to SlideShare the week following the Symposium.
http://www.slideshare.net/AmazonWebServices
Editor's Notes
At AWS security is a top priority.
We build our security program on many of the same tenets as you do. Our data centers are designed with the highest physical security requirements in mind, and access to those data centers is restricted to a very small number of individuals. In our data centers we have very strict segregation of duties to ensure that our data center technicians have only the most minimal access they need to do their jobs. In the same way you do, we lock down our network and systems, and have well-defined processes and people controls to make sure our data centers operate in an efficient and secure manner.
Our security measures have been driven by security experts from across our largest, most advanced customers, including Shell, NASDAQ, and GE, and have been validated by a wide range of security experts and accreditation bodies.
These organizations with very high security standards set the bar for AWS security, but the great thing about security in AWS is that everyone gets to benefit from the security controls that we have put in place. Whether you are a small startup, a mid-sized enterprise, or the largest company, you get to take advantage of the security controls that we have put in place to satisfy
At AWS we have a shared security model, where we are responsible for some aspects of security, whereas you get to choose other security measures you put in place.
At AWS we are responsible for the security of the underlying infrastructure. That of course includes physical security across our regions, our data centers, our availability zones, and our edge locations. We are also responsible for the security of the foundation services that underpin the AWS environment. This includes the infrastructure that supports our compute, storage, database and networking services.
As a customer, then, you have a choice of which security controls you deploy to protect your virtual networks, your servers and your data, and which access control policies you wish to put in place. For highly sensitive content and applications you may want to put very stringent controls in place. For less sensitive applications, you may want to dial security back – you get to choose.
We are also certified and accredited by a wide range of regulators and industry bodies. Here is a list of key bodies that have either certified us, or we have a workbook of guidance showing you how to validate an AWS environment against these standards.
What does this mean for you, the customer?
First of all, no matter who you are, you get to benefit from all the controls we put in place for the largest, most security-sensitive organizations in the world. You get this at no extra cost, and you don’t have to do anything to get it – it’s just all part of the service.
Also, performing audits is a time consuming and expensive affair. We validate our environment against over 1800 security controls – we also get audited by third parties. If you want to see those controls and how we’re managing against them, we can make our SOC 2 report available to you under NDA. SOC 2 is a reporting standard of the American Institute of Certified Public Accountants, and is a widely recognized reporting standard.
As we’ve said, you get the flexibility to define the right set of security controls for your workload. More sensitive workloads will demand more stringent controls; less sensitive workloads will demand less. At the same time you remain in full control and have full ownership of your data. You decide where it goes, where it is stored, where it gets processed and how it gets transmitted.
Today I want to actually show you how leveraging AWS can help improve your security posture and I want to give you some real world examples and scenarios to illustrate common pain points that we are seeing in government, education and nonprofit organizations.
Let’s say that today you decide that you want to start leveraging AWS for your environment.
You’ve set a strong password on your root account and enabled multi-factor authentication, as well as placing those credentials in a secure location or key escrow service. Now what?
Start by leveraging automation and simplifying your environment as much as possible. Security is not something that you can simply buy and bolt on; it needs to be baked into your policy, procedures and workflow. You can help make this part of a repeatable and reproducible process (key for customers with audit requirements) by leveraging some of the awesome tools on AWS.
People make mistakes; they forget to follow all the steps. Machines do not, for better or worse. Let’s start by talking about how you can harden your environment by leveraging automation in as much of it as possible.
As an example on the AWS side, our policy states that by default all access to a resource is closed. We build policy and tools that create an environment where the customer has the choice on what they are going to expose or not based on their needs and compliance requirements.
You need to leverage user creation and permission tools that automate this process and ensure that your organizational policy and procedures are being met.
So let me share with you some ideas that can help you with this approach of automation in IAM around
AWS IAM policies are very granular and offer a high degree of control around not only what your users can do, but also what “code” can do. More on that in a little bit.
Let’s say we have two users and I’d like to restrict the developer to accessing only a specific type of instance in my fleet.
In EC2 and almost all AWS services we support resource tagging. We can define up to 10 custom tags for each object, with different key-value pairs.
We also support granular policy that can allow or deny a user rights to an action.
By default we give you several pre-made policies that deal with common use cases, such as granting a user full or read-only access to a service.
Let’s look at the EC2 full access policy. I want to take that policy and modify it to allow access ONLY if the resource carries a tag with key “User” and value “Developer”.
The following code snippet shows how we could start to form that process.
Well, that’s spiffy and all, but maybe I don’t know how to code, so I’ll never figure out how to write policies.
I want to show you how easy this is to get started using our policy generator tool. (demo)
Aha! Now I am getting an idea, but I don’t know how I would go about testing my policy. How do I really know this is doing what I “think” it’s going to do?
So here is how easy it is to test our new policy with the IAM Policy Simulator. First we paste in our new policy and hit apply; then in the policy simulator we select our target for the test, in this case EC2, and we just want to know if the user can start an instance. We update our resource ARN with our custom ARN, and then we see that the policy editor is showing us the variable condition, which in this case is the tag field.
We can see that with no tag the action would be denied, but with the correct tag of “Developer” the action would be allowed.
With IAM we can apply these kinds of policy to just a single user, or we can create groups of users with IAM and apply policies to the groups as well.
So now that we know a little bit more about how we can start to secure our users with custom policies, what about our compute instances? How do we protect them?
Another great and powerful feature that IAM supports is roles. Roles can be used by IAM users (humans), or they can be used by code, or in our case, instances.
Interacting with most AWS services is done with an API call, and in order to make that call we need to authenticate with an API key. You could create an IAM user just for this purpose, but why do that when you can use a purpose-built role and not have to worry about key rotation and privilege escalation in a user account?
Let’s lay out a scenario where this would come into play. Let’s say I have my gold image of my production web server, but I don’t want to put things like our security credentials or other sensitive data in the image.
I could use a role and assign the role to the instance, which will allow the server to assume the role and download a client-side encrypted file from S3.
So to complete this we need a few simple steps: we need a new policy that allows reading from S3, we need a role that uses that policy which we will assign to an EC2 instance, and we also need to create a new KMS key for creating and decrypting the ciphertext we will produce.
The first step is pretty easy, we can simply leverage the
Next I’ve created an EC2 instance and attached the IAM role that we have created. After I log in to the instance you can see that I can run API commands even though I never ran aws configure or pasted API keys into my user’s profile.
Here we can see the user creating some ciphertext that we want to protect, in this case “Secret Information”.
This time, we take that same file and decrypt it with just a few commands.
Now let’s upload that file to our S3 bucket; again note that I don’t use any API keys here.
Afterwards we can see the file is now present in our S3 bucket.
Now we can go ahead and download that same file; in this instance I’m saving the file as “secret-stuff”.
Oh, I forgot to mention, I’ve gone ahead and locked down bucket access as well. Notice that with the familiar syntax, I’ve restricted access to this bucket to this particular role and stated that the permission will only allow a get and a put command.
Note that when we try to list the contents of the bucket, we are denied.
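The two policies behind the demo, worked locally (added example, not the presenter's code): the developer policy with the User=Developer tag condition from the policy-simulator walk-through, and the bucket policy that limits the demo bucket to the instance role's get and put, run through a small evaluator that models IAM's default-deny and explicit-deny-wins rules. The account id, role name and instance id are assumed values, the developer policy is assumed to be the EC2 full-access policy narrowed to two actions, and only StringEquals conditions are modelled.

```python
import fnmatch
import json

# Developer identity policy: start/stop allowed only when the instance carries tag User=Developer.
DEVELOPER_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["ec2:StartInstances", "ec2:StopInstances"],
    "Resource": "arn:aws:ec2:us-west-1:111122223333:instance/*",
    "Condition": {"StringEquals": {"ec2:ResourceTag/User": "Developer"}}
  }]
}""")

# Bucket policy for the demo bucket: only the instance role (assumed name), and only get and put.
ROLE = "arn:aws:iam::111122223333:role/web-secrets-reader"
BUCKET_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111122223333:role/web-secrets-reader"},
    "Action": ["s3:GetObject", "s3:PutObject"],
    "Resource": "arn:aws:s3:::wwps-dc-demo/*"
  }]
}""")


def _matches(patterns, value):
    """IAM-style wildcard match; a statement may give one string or a list."""
    patterns = patterns if isinstance(patterns, list) else [patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def _condition_ok(cond, context):
    """Only StringEquals is modelled: every listed key must match the request context."""
    return all(context.get(k) == v for k, v in cond.get("StringEquals", {}).items())


def evaluate(policy, action, resource, context=None, principal=None):
    """Return 'Allow' or 'Deny': default deny, and an explicit Deny beats any Allow."""
    decision = "Deny"
    for st in policy["Statement"]:
        if "Principal" in st:   # resource policies name who the statement applies to
            p = st["Principal"]
            if not _matches(p if isinstance(p, str) else p.get("AWS", []), principal or ""):
                continue
        if not _matches(st["Action"], action) or not _matches(st["Resource"], resource):
            continue
        if not _condition_ok(st.get("Condition", {}), context or {}):
            continue
        if st["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


INSTANCE = "arn:aws:ec2:us-west-1:111122223333:instance/i-0123456789abcdef0"
OBJECT = "arn:aws:s3:::wwps-dc-demo/encoded"


def walkthrough():
    """The simulator cases from the notes plus the bucket-policy cases from the demo."""
    return {
        "start_untagged": evaluate(DEVELOPER_POLICY, "ec2:StartInstances", INSTANCE),
        "start_developer": evaluate(DEVELOPER_POLICY, "ec2:StartInstances", INSTANCE,
                                    {"ec2:ResourceTag/User": "Developer"}),
        "start_tester": evaluate(DEVELOPER_POLICY, "ec2:StartInstances", INSTANCE,
                                 {"ec2:ResourceTag/User": "Tester"}),
        "role_get": evaluate(BUCKET_POLICY, "s3:GetObject", OBJECT, principal=ROLE),
        "role_list": evaluate(BUCKET_POLICY, "s3:ListBucket", "arn:aws:s3:::wwps-dc-demo",
                              principal=ROLE),
        "other_role_get": evaluate(BUCKET_POLICY, "s3:GetObject", OBJECT,
                                   principal="arn:aws:iam::111122223333:role/other"),
    }
```

Running `walkthrough()` reproduces the demo: the untagged start is denied, the Developer-tagged start is allowed, and the role can get the object but not list the bucket.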
So let’s see how this could all be used in action.
An instance is created with a role attached to it.
We can pass user data to the instance to provision it as a web server; this would be calling commands like “yum update”, “yum install httpd”, etc.
Once our instance is patched, we call out to S3 to get our secret data, which as an example we use to connect to our database.
Our instance is fully in production and hardened (again meeting HIPAA, PCI and other standards) because we have not enabled any service we don’t need. In this case, because all of the installation took place in the user data script, we no longer need to shell into this machine.
The machine is now ready to be attached to an Elastic Load Balancer and join the fleet.
As you can see, this can help from a compliance standpoint because the data is encrypted at rest and in flight, the keys are securely managed, and with the help of CloudTrail and CloudWatch we can tightly audit this. In addition, because our deployment is now more automated, we no longer need to open port 22 on this instance, because we have pre-configured the machine with the software and credentials it will need, thus reducing our possible attack surface.
With AWS Identity and Access Management tools you get to define which of your users get to do what – in the same way as you define role-based access controls within your environment today.
You can use hardware token based or software/mobile based multi-factor authentication to add an extra level of assurance for your more sensitive applications.
This can all integrate with your on-premises environment by integrating with your existing corporate directory, and implementing federation and single sign-on so that this becomes a seamless experience for your customers.
Let’s switch gears and talk a little bit about the network.
Within your region, you have your Virtual Private Cloud, or VPC. Think of this as your own private data center in the cloud where all of your server, storage and networking will take place. By default, your VPC is completely closed to the world. AWS gives customers the choice of how they want to allow access to their resources.
Your first control in your VPC is your security groups. Security groups are stateful firewalls around which you can define very granular controls. Remember that by default, your VPC will not allow access in or out.
Let’s look at a configuration where there is strong isolation among services.
“It is said that if you know your enemies and know yourself, you will not be imperiled in a hundred battles;” (Sun Tzu).
To protect your environment, it is just as critical to know your own infrastructure as it is to know what attackers are going after.
To leverage automatic event triggers, you must know when to act, and to know when to act requires that you know what you are acting upon. More simply, you must know yourself, or in this case your environment, before you can start to make rules around it. How many transactions per second does each of your databases generate? What is the normal user load on your production web servers at 8:03AM PST on a Monday in July? These are low-level questions that we can help you to answer with tools like CloudWatch to gather and review metrics about your environment. However, for many of our customers their level of detail isn’t even at that granularity; many don’t know what servers they have right now and, worse, what the ones they have are doing.
We have a solution for that problem on AWS, it’s called AWS Config and it can show you what’s going on in your environment right now, in real time.