Infrastructure Security: Your Minimum Security Baseline

© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved
Pop-up Loft
CAF Infrastructure Security: Your minimum security baseline
Steven Laino
Security Architect
Professional Services

CAF Infrastructure Security
• Overview of Shared Responsibility Model
– Infrastructure Services
– Container Services
– Abstracted Services
• Overview of Cloud Adoption Framework
– Security Perspective
• Infrastructure Security
– Tools
– Techniques

All customers benefit from the same security
Certified by independent experts
• SOC 1 (SSAE 16 & ISAE 3402) Type II
• SOC 2 Type II and public SOC 3 report
• ISO 27001
• ISO 9001
• PCI DSS Level 1 - Service Provider
• ISO 27017 (security of the cloud)
• ISO 27018 (personal data)
Compute Storage Database Network
AWS Global
Infrastructure Regions
Availability Zones CloudFront
edge
locations
AWS Foundation Services

Compute Storage Database Networking
AWS Global
Availability Zones
Edge Locations
Optional – Opaque data: 1’s and 0’s (in transit/at rest)
Platform & Applications Management
Customer content
Customers
Infrastructure Services
Such as Amazon EC2, Amazon EBS, and Amazon VPC
Managed by
Managed by
Client-Side Data encryption
& Data Integrity
Authentication
Network Traffic Protection
Encryption / Integrity / Identity
AWS IAMCustomer IAM
Operating System, Network & Firewall Configuration
Server-Side Encryption
Fire System and/or Data

AWS Global
Availability Zones
Edge Locations
Optional – Opaque data: 1’s and 0’s (in transit/at rest)
Firewall
Configuration
Operating System, Network Configuration
Customer content
Customers
Container Services
Such as Amazon RDS and Amazon EMR
Managed by
Managed by
Client-Side Data encryption
& Data Integrity Authentication
Network Traffic Protection
Encryption / Integrity / Identity
AWS IAMCustomer IAM

AWS Global
Availability Zones
Edge Locations
Operating System, Network & Firewall Configuration
Customer content
Customers
Abstracted Services
Such as Amazon S3 and Amazon DynamoDB Managed by
Managed by
Optional – Opaque Data: 1’s and
0’s
(in flight / at rest)
Data Protection by the Platform
Protection of Data at Rest
Network Traffic Protection by the Platform
Protection of Data at in Transit
Client-Side Data Encryption
& Data Integrity Authentication
AWS IAM

Overview of Cloud Adoption Framework
• Guidance for organizations adopting the cloud
– Helps coordinate different aspects of adoption
– Helps understand the how the organization will change
• 6 Perspectives

• Common Roles:
– CISO
– IT Security Managers
– IT Security Analysts
• 5 Core Epics
CAF Security Perspective

Security in the cloud is familiar.
“Security in the cloud is familiar. The
increase in agility and the ability to
perform actions faster, at a larger
scale and at a lower cost, does not
invalidate well-established principles
of information security.”
- Security Perspective of the AWS
Cloud Adoption Framework
Whitepaper
Security Perspective
Directive
Preventative Detective
Responsive

Infrastructure Security
• Preventative
• Virtual Private Cloud (VPC)
• Subnets
• Security Groups
• Network Access Control Lists (ACLs)
• Egress filtering
• CloudFront / Route53
• AWS Shield
• Detective/Responsive
• Config & Config Rules
• Cloudtrail & Cloudwatch
• VPC flow logs
• Inspector
• EC2 Systems Manager (SSM)

VPC Public Subnet 10.10.1.0/24 VPC Public Subnet 10.10.2.0/24
VPC CIDR 10.10.0.0/16
VPC Private Subnet 10.10.3.0/24 VPC Private Subnet 10.10.4.0/24
VPC Private Subnet 10.10.5.0/24 VPC Private Subnet 10.10.6.0/24
AZ A AZ B
Public ELB
Internal ELB
RDS
Master
Autoscaling
Web Tier
Autoscaling
Application Tier
Internet
Gateway
RDS
Standby
Snapshots
Multi-AZ RDS
Data Tier
Existing
Datacenter
Virtual
Private
Gateway
Customer
Gateway
VPN Connection
Direct Connect
Network
Partner
Location
Administrators &
Corporate Users
Virtual Private Cloud

Security Groups
security group
HTTP GET
TCP(6) Port(80)
NTP Buffer Overrun
UDP(17) Port(123)

Network ACLs
VPC (BuildABeer-VPC-1)
security group (BuildABeer-SG-1)
HTTP GET
TCP(6) Port(80)
HTTP GET
TCP(6) Port(80)
srcIP=216.246.16.228

Layers of Access Control
users
Applicatio
nservers
Private subnet
security
group
Public subnet
ELB IPS/IDS
Private subnet
ELB
security group
WAF
Private subnet
ELB
security group security group
ELB

Considerations for controlling egress traffic from VPCs
• In addition to Security groups & Network ACLs…
• Routing rules
• VPC endpoints
• NAT gateways
• Host / network based third party tools
Egress Filtering

CloudFront
VPC (BuildABeer-VPC-1)
Amazon
Route 53
CloudFront
users
security group (BuildABeer-SG-1)
Public subnet
servers
Private subnet
ELB

Hide ‘n Go Seek
• ~>nslookup www.buildabeer.com
• Server: 10.43.23.72
• Address: 10.43.23.72#53
• Non-authoritative answer:
• www.buildabeer.us canonical name = d3u9qbug2y23to.cloudfront.net.
• Name: d3u9qbug2y23to.cloudfront.net
• Address: 52.84.20.173
• <snip>
• Name: d3u9qbug2y23to.cloudfront.net
• Address: 52.84.20.85
• ~>nslookup ftp.buildabeer.com
• Server: 10.43.23.72
• Address: 10.43.23.72#53
• Non-authoritative answer:
• ftp.buildabeer canonical name = bab-elb-1-916251722.us-west-2.elb.amazonaws.com.
• Name: bab-elb-1-916251722.us-west-2.elb.amazonaws.com
• Address: 54.148.117.41
• <snip>

Separation of services
Amazon
Route 53
CloudFront
security group
Public subnet
servers
Private subnet
ELB
www.foo.commail.foo.com
security group
Public subnet
Mail servers
Private subnet
ELB
security group
Public subnet
Web servers
Private subnet
ELB
mail.foo.com
www.foo.com

AWS Shield DDoS protections
ü Integrated into AWS infrastructure
ü Protection against most common
infrastructure attacks
ü SYN/ACK Floods, UDP Floods,
Refection attacks, etc.
ü No additional cost
DDoS mitigation
systems
DDoS Attack
Users

AWS CloudTrail & CloudWatch
AWS
CloudTrail
Amazon
CloudWatch
ü Enable globally for all AWS Regions
ü Encryption & Integrity Validation
ü Archive & Forward
ü Amazon CloudWatch Logs
ü Metrics & Filters
ü Alarms & Notifications

AWS Config & Config Rules
AWS
Config
Amazon Config
Rules
ü Record configuration changes
continuously
ü Time-series view of resource changes
ü Archive & Compare
ü Enforce best practices
ü Automatically roll-back unwanted
changes
ü Trigger additional workflow

VPC Flow Logs
• Agentless
• Enable per ENI, per subnet, or per VPC
• Logged to AWS CloudWatch Logs
• Create CloudWatch metrics from log data
• Alarm on those metrics
AWS
account
Source IP
Destination IP
Source port
Destination port
Interface Protocol Packets
Bytes Start/end time
Accept or
reject

Vulnerability Management
• What to scan
– Scanning the AMI as part of the build
– Live scans
• AWS Inspector
• Use in concert with SSM for automated patching
• Create a secure image baseline
– Translate/improve current ”golden” image
• Partners – Qualys, Tenable, Rapid 7

Amazon EC2 Systems Manager
• A set of capabilities that...
• ...enable automated configuration...
• ...and ongoing management of systems at scale...
• ...across all of your Windows and Linux workloads...
• ...running in Amazon EC2 or on-premises…
• ...at no charge; only pay for AWS resources you manage

Amazon EC2 Systems Manager – Components
Run Command State Manager Inventory Maintenance
Window
Patch Manager Automation Parameter Store

Remotely and securely manage servers or virtual machines at
scale running in your data center or in AWS
§ Automate common administrative tasks
§ Execute commands across multiple instances simultaneously
§ Support for AWS and on-premises infrastructure
§ Granular permissions to control access through AWS Identity &
Access Management
§ Logging using AWS CloudTrail
Run Command: Overview

Provides visibility into the software catalogue and configuration
for your Amazon EC2 instances and on-premises servers
§ Gather detail on a variety of attributes, such as:
– Installed applications & OS details
– AWS components and agents
– Network configuration
§ Inventory attributes are stored in AWS Config for auditing
§ Assess compliance of configurations using AWS Config Rules
Inventory: Overview

Discover and Audit your
Software
§ Collect detailed information on the
software in your instances
§ Measure usage of licensed
software across your fleet
Inventory: Use Cases
Security & Incident Analysis
§ Historical record of inventory
changes over time
§ proactive notification if your
configurations become non-compliant

Provides secure storage for configuration data & secrets
• Store configuration data and secure strings in hierarchies and track
versions.
• Control and audit access at granular levels.
• Reference parameters across AWS services such as Amazon EC2,
Amazon EC2 Container Service, AWS Lambda, AWS
CloudFormation
Parameter Store: Overview

§ Control access to sensitive
information
§ Remove sensitive data from
scripts
§ Store DB passwords securely
Parameter Store: Use Cases
Instances
Containers
Lambda Functions
Servers
AWS KMS
IAM
Identity Federation
Roles
Policies
Secrets Consumer
Parameter Store

Define and maintain consistent configuration of operating
systems and applications running in your data center or in AWS
§ Control configuration details such as anti-virus settings, iptables, etc.
§ Define your own schedules for deployment reviews
§ Compare actual deployments against specified configuration policy
§ State Manager reapplies policies if state drift is detected
§ Query State Manager to view status of deployments
State Manager: Overview

Maintain a Consistent
Configuration
§ Specify and automatically
maintain the desired configuration
§ Automatically apply configuration
changes, settings or patches
State Manager: Use Cases
Reduce Configuration Drift
§ Periodically reapply policies to your
instances
§ Query the status of your
configurations at any time

Automated tool that helps you simplify your Windows operating
system patching process
§ Select the patches you want to deploy
§ Control timing for patch roll-outs and instance reboots
§ Define auto-approval rules for patches
§ Ability to black-list or white-list specific patches
§ Schedule the automatic roll out through maintenance windows
Patch Manager: Overview

Manage Patch Baselines
§ Define patch baselines by
products, categories & severities
§ Define approval and distribution
schedule for specific baselines
Patch Manager: Use Cases
Manage Patch Compliance
§ Scan existing fleet to determine
patch levels of the software
§ Identify patches currently installed,
missing, recently applied, etc.

Summary
• Ingress filtering capability: use VPC design in combination with security groups and NACLs to establish
boundaries
• Egress filtering capability: use Security Groups, NACLs, NAT gateways, route tables and VPC endpoints
• Detection and response capabilities use: Config, Cloudtrail, Cloudwatch & VPC flow logs in combination with
Inspector & SSM
• DDoS mitigation capability use: Cloudfront (Shield) & Route 53 to mitigate layer 3 and 4 attacks
• Vulnerability & Patch management capability: use Inspector and SSM
• Use SSM for:
– Configuration and patch compliance
– Secure privileged access to instances
– Automated patch management
– Software inventory & licensing compliance
– Secrets vaulting

Thank You!

Further Reading
• https://aws.amazon.com/blogs/devops/how-to-create-an-ami-builder-with-aws-codebuild-and-
hashicorp-packer/
• https://d0.awsstatic.com/aws-answers/AWS_Securing_EC2_Instances.pdf
• https://aws.amazon.com/ec2/systems-manager/
• https://aws.amazon.com/professional-services/CAF/

Pop-up Loft
aws.amazon.com/activate
Everything and Anything Startups
Need to Get Started on AWS

Infrastructure Security: Your Minimum Security Baseline

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Viewers also liked

Viewers also liked (20)

Similar to Infrastructure Security: Your Minimum Security Baseline

Similar to Infrastructure Security: Your Minimum Security Baseline (20)

More from Amazon Web Services

More from Amazon Web Services (20)

Infrastructure Security: Your Minimum Security Baseline