AWS Security and Compliance Symposium

AWS Government, Education, and Nonprofit Symposium
Washington, DC I June 25-26, 2015
Enhanced Security and Compliance with
AWS
Brad Dispensa - AWS
Justin Lundy - Evident.io

familiar security
model
validated and driven by
customers’ security experts
benefits all customers
PEOPLE & PROCESS
SYSTEM
NETWORK
PHYSICAL
Security is job zero

physical infrastructure
hardware
hypervisor
guest operating system
logical security
data and application
software firewalls/IDS/AV
customer control and
customer responsibility
AWS control and
AWS responsibility

Key AWS certifications and assurance programs
certifications and accreditations for
workloads that matter
AWS CloudTrail – AWS API call logging for
governance & compliance
stores data in S3 or
archive to Amazon
Glacier
log and review user
activity

• You benefit from an environment built for the most security-sensitive
organizations
• AWS manages 1800+ physical security controls so you don’t have to
• You get to define the right security controls for your workload
sensitivity
• You always have full ownership and control of your data
• You are responsible for logical security configuration of the AWS
services you use above the hypervisor
What this means

Economies of scale: World-class teams
• Where would some of the world’s best security
experts like to work?
• They want to work on huge challenges with huge
impact!
• AWS has highly leveraged, world-class teams
watching your back!

{
"Version": "2012-10-17",
"Statement": [
{
"Sid": ”xxxxxxx",
"Effect": "Allow",
"Action": [
"ec2:*"
],
"Condition": {
"StringEquals": {
"ec2:ResourceTag/User": "Developer"
}
},
"Resource": [
"arn:aws:ec2:us-west-2:1234567890:instance/*"
]
}
]
}

[ec2-user@ip-172-31-7-156 ~]$ aws kms encrypt --region us-west-1 --key-id
arn:aws:kms:us-west-1:1234567890:key/6a39053e-17b8-4b35-83ca-xxxxxxxx --plaintext
"Secret information" --query CiphertextBlob --output text| base64 --decode > encoded
[ec2-user@ip-172-31-7-156 ~]$ cat encoded
0a0_0Z?G`?He.0M? ??r?>??‫????ׅ‬x?L?mZ?G??‫?ׅ‬E??M? ??r?>??‫???ׅ‬p0n *?H??
?N?5????-f??-2???.1$N,???0??2?T?@>????CA?Kz??U

[ec2-user@ip-172-31-7-156 ~]$ aws kms decrypt --region us-west-1 --ciphertext-blob
fileb://encoded --output text --query Plaintext |base64 –decode
Secret information

[ec2-user@ip-172-31-7-156 ~]$ aws s3 cp encoded s3://wwps-dc-demo/encoded
upload: ./encoded to s3://wwps-dc-demo/encoded
[ec2-user@ip-172-31-7-156 ~]$ aws s3 cp s3://wwps-dc-demo/encoded secret-stuff
download: s3://wwps-dc-demo/encoded to ./secret-stuff

[ec2-user@ip-172-31-7-156 ~]$ aws s3 ls --region us-west-1 s3://wwps-dc-demo
A client error (AccessDenied) occurred when calling the ListObjects operation: Access
Denied

You get to control who can do what in your AWS
environment as well as when and from where
Fine-grained control of your AWS cloud with multi-
factor authentication
Integrate with your existing Active Directory directory
using federation and single sign-on
AWS account owner
network
management
security
management
server
management
storage
management
Control access and segregate duties
everywhere

• Native encryption across services for free
– Amazon S3, EBC, Amazon RDS, Amazon Redshift
– End-to-end SSL/TLS
• Scalable key management
– AWS Key Management Service provides scalable, low-cost key management
– AWS CloudHSM provides hardware-based, high assurance key generation,
storage, and management
• Third-party encryption options
– Trend Micro, SafeNet, Vormetric, Hytrust, Sophos, etc.
Encrypt your sensitive information

EC2
template catalog running instance your instance
hardening
audit and logging
vulnerability management
malware and HIPS
whitelisting and integrity
user administration
operating system
Configure and harden EC2 instances to your own specs
Use host-based protection software
Manage administrative users
Enforce separation of duties and least privilege
Connect to your existing services (for example, SIEM), patching
Enforce consistent security on servers

virtual private cloud
Availability Zone
security group
user

Your organization
project teams marketing
business units reporting
digital/websites
dev and test Amazon Redshift
EMR Analytics
internal
enterprise apps
Amazon S3
Amazon
Glacier
storage/
backup
Create flexible, resilient, segmented environments

Understand configuration changes
• Automate IT asset inventory
• Discover and provision cloud services
• Audit and troubleshoot configuration
changes in the cloud

Full visibility of your AWS environment
• CloudTrail will record access to API calls and save logs in your S3 buckets, no
matter how those API calls were made
Who did what and when and from where (IP address)
• CloudTrail support for a growing list of AWS services, including EC2, EBS, VPC,
RDS, IAM, and Amazon Redshift
• Easily aggregate all log information
Out-of-the-box integration with log analysis tools from AWS partners,
including Splunk, AlertLogic, and SumoLogic
Monitoring: Get consistent visibility of logs

• Performs a series of security
configuration checks of your AWS
environment:
• Open ports
• Unrestricted access
• IAM use
• CloudTrail logging
• S3 bucket permissions
• Multi-factor authentication
• Password policy
• DB access risk
• DNS records
• Load balancer config
Getting some help – Trusted Advisor

• Performs a larger series of security
configuration checks of your AWS
environment:
• Open ports, unrestricted access
• IAM use, encryption, policy, users
• CloudTrail logging
• S3 bucket permissions
• Multi-factor authentication
• Password policy
• DNS records
• Load balancer config
• Route53 config
• Credential rotation
• Over 100 security checks vs. Trusted
Advisor’s 12
• Custom signature flexibility
Getting even more help – Evident.io
Evident dashboard

Evident helps organizations of all sizes
proactively manage information security
risk and compliance of their entire global
AWS infrastructure configuration, on a
continuous basis.
We aim to be the de-facto platform for
enhanced AWS security.
About Evident.io
AWS Summit SF 2015

- Continuous monitoring of AWS security
configuration
- Enhanced visibility across AWS accounts
- Guided information security risk mitigation
- Rapid Evident activations in <= 10 minutes
- Custom signatures in Ruby or JavaScript- custom
alert suppressions
- Third-party integrations with popular apps
About the Evident security platform
Custom signature – CIS-hardened AMI for Ubuntu example

Evident native integrations
SQS Slack PagerDuty
HipChat JIRA

AWS:
- facilities
- physical security
- physical infrastructure
- network infrastructure
- virtualization infrastructure
AWS shared responsibilities - expanded
Customer:
- operating system security
- patch management
- application configuration management
- identity and access management
- security groups, network ACLs
- VPC configuration
- S3 bucket policies
- IAM roles, policies, users, groups
- EBS, S3, RDS encryption
- for large environments, thousands to millions of
logical controls to monitor

- business disruption
- financial losses
- loss of privacy
- reputational damage
- loss of client confidence
- legal penalties
- impaired growth
- loss of life
Potential risks

- angry employees
- dishonest employees
- criminals
- governments
- terrorists
- press
- competitors
- hackers
- Mother Nature
Potential threats

- software bugs
- broken processes
- ineffective controls
- hardware flaws
- unauthorized changes
- legacy systems
- inadequate BCP
- human error
- misconfiguration
Potential vulnerabilities

1. Disable root API access key and secret key.
2. Enable MFA tokens everywhere.
3. Reduce number of IAM users with admin rights.
4. Use roles for EC2.
5. Least privilege: limit what IAM entities can do with strong/explicit policies.
6. Rotate all the keys regularly.
7. Use IAM roles with STS AssumeRole, where possible.
8. Use Auto Scaling to handle traffic spikes.
9. Do not allow 0.0.0.0/0 in any EC2/ELB security group unless you mean it.
10. Watch world-readable/listable S3 bucket policies.
(Based on our experience with Incident Response, top 10 to implement ASAP.)
Top 10 AWS security best practices

“Based on our experience, I believe that we
can be even more secure in the AWS cloud
than in our own data centers.”
-Tom Soderstrom, CTO, NASA JPL

Thank You.
This presentation will be loaded to SlideShare the week following the Symposium.
http://www.slideshare.net/AmazonWebServices

AWS Security and Compliance Symposium

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Viewers also liked

Viewers also liked (20)

Similar to AWS Security and Compliance Symposium

Similar to AWS Security and Compliance Symposium (20)

More from Amazon Web Services

More from Amazon Web Services (20)

Recently uploaded

Recently uploaded (20)

AWS Security and Compliance Symposium

Editor's Notes