The document discusses best practices for managing security operations on AWS. It recommends establishing consistent controls, testing frequently and embracing failures early, implementing full-stack monitoring mechanisms in a closed-loop cycle, and maintaining visibility. It provides examples of how Netflix uses AWS services like CloudTrail, CloudWatch, and SDKs to achieve security and operational visibility across their massive infrastructure spanning over 100,000 instances.

1. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Eduardo Delgado
31 de mayo de 2018
Mejores prácticas para
Administrar operaciones de
seguridad en AWS

2. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Comprender los límites
Controles consistentes
Prueba a menudo, falla temprano
Mecanismos de ciclo cerrado
Pila completa (full stack)
Práctica
Visibilidad

3. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Comprender los límites
Controles consistentes
Prueba a menudo, falla temprano
Mecanismos de ciclo cerrado
Pila completa (full stack)
Práctica
Visibilidad

4. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
La cuenta de AWS como límite
• El más alto grado de segregación
• Por clasificación de datos
• Unidad de negocio
• Cargas de trabajo
• Funcional
En VPC
• SGs, NACLs
• Restricciones a nivel de
recursos con AWS IAM
VPC como límite (a nivel cuenta AWS)
• Equivalente a separar redes
• Peering, ruteo (+ todo lo de arriba)
• AWS IAM similar a lo anterior
• Flexibilidad
• Innovación
• Tamaño
adecuado
• Radio de la
expansión
• Segregación
• Clasificación

5. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
App A.1
App B.1
App A.2
App B.2
Registro
Agg.
Otros
(1..N)
SecOps
EquipoBEquipoAComún
Independientemente de
los límites, considere :
- Cómo agregar los
registros (logs)
- Cuenta dedicada para
SecOps
BU A BU B
Registro
Agg.
SecOps
Conf A.2
Pub A.2
App A.1
App A.2

6. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Comprender los límites
Controles consistentes
Prueba a menudo, falla temprano
Mecanismos de ciclo cerrado
Pila completa (full stack)
Práctica
Visibilidad

7. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
De Hacia

8. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
AWS CloudFormation + AWS Organizations

9. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.

10. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Comprender los límites
Controles consistentes
Prueba a menudo, falla temprano
Mecanismos de ciclo cerrado
Pila completa (full stack)
Práctica
Visibilidad

11. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Batería de casos de prueba Revisión de
especificaciones

12. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Fase de creación: Control de cambios en código fuente
• Análisis de código estático: analizar las plantillas de CFN contra un conjunto de reglas de
seguridad
Fase de aceptación: Ambiente de desarrollo
• Análisis dinámico: ejecutar la plantilla en el entorno de pruebas de sandbox/aceptación
Fases de Capacidad/integración/staging: Ambiente pre-producción
• Carga, rendimiento, penetración, y prueba de failover
Fase de producción: Ambiente de producción
• Implementar ...

13. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.

14. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Comprender los límites
Controles consistentes
Prueba a menudo, falla temprano
Mecanismos de ciclo cerrado
Pila completa (full stack)
Práctica
Visibilidad

15. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Monitoreo AjustesControl

16. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Señal
Ruido
Recopilar Remediar
Hacer nada
Corregir
Alertar
Enriquece
r
Detener
Medir
Espectro de opciones

17. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
API calls (AWS CloudTrail)
son registradas
StopTrail/Change Regresar
Control Monitoreo
Ajustar
SSH solo de la subred del
bastion
Crear/cambiar SGs validar
fuente si puerto == 22
Cambiar SG vía
AWS Lambda
Todas las instancias con la
mismas versiones de
parches
AWS Systems Manager +
AWS Config rules
Aplicar parches vía
AWS Systems Manager
No acceso a root AmazongCloudWatch logs +
Syslog
Aislar e investigar
No objetos públicos en
Amazon S3
Registro a nivel objeto con
CloudTrail
Hacer un objeto privado

18. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
https://aws.amazon.com/blogs/security/how-to-detect-and-
automatically-remediate-unintended-permissions-in-amazon-s3-
object-acls-with-cloudwatch-events/

19. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.

20. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Comprender los límites
Controles consistentes
Prueba a menudo, falla temprano
Mecanismos de ciclo cerrado
Pila completa (full stack)
Práctica
Visibilidad

21. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
• Estableciendo la seguridad de la plataforma
• Estableciendo la seguridad de la red
• Estableciendo la seguridad del sistema operativo
• Estableciendo protección de datos

22. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
• Estableciendo la seguridad de la plataforma
• Estableciendo la seguridad de la red
• Estableciendo la seguridad del sistema operativo
• Estableciendo protección de datos
Reposo:
- AWS KMS
- AWS
CloudHSM
Tránsito:
- VPN
- ACM

23. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
• Estableciendo la seguridad de la plataforma
• Estableciendo la seguridad de la red
• Estableciendo la seguridad del sistema operativo
• Estableciendo protección de datos

24. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Amazon EC2 Systems Manager
Ejecutar comandos Administrador de
estados
Inventario Ventana de
mantenimiento
Administrador de
parches
Automatización Almacenamiento de
parámetros
Documentos

25. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Comprender los límites
Controles consistentes
Prueba a menudo, falla temprano
Mecanismos de ciclo cerrado
Pila completa (full stack)
Práctica
Visibilidad

26. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Security Incident Response
Simulations
SIRS

27. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Arquitectura Visibilidad Auditoria
H e r r a m i e n t a s d e s e g u r i d a d y o p e r a c i o n e s d e
N e t f l i x

28. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Arquitectura
Visibilidad
Auditoria

29. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
El centro de operaciones de seguridad de
Netflix no tiene paneles brillantes que se
miran todo el día

30. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.

31. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
AWS
CloudTrail
Amazon
CloudWatch
SDKs

32. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
AWS
CloudTrail
Amazon
CloudWatch
SDKs

33. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

34. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.

35. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.

36. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Netflix es ENORME

37. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
>100,000 instancias

38. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
>33% del tráfico de internet
de US

39. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
1,000sde cambios

40. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
>1,000,000eventos/minuto

41. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
>1,000,000eventos/minuto
En solo dos cuentas

42. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Múltiples cuentas

43. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.

44. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.

45. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.

46. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.

47. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.

48. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Awwwdit

49. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.

50. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Histórico

51. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Cómo detectar y remediar automáticamente los permisos no deseados en las ACL
de objetos de Amazon S3 con eventos de CloudWatch
https://aws.amazon.com/blogs/security/how-to-detect-and-automatically-remediate-
unintended-permissions-in-amazon-s3-object-acls-with-cloudwatch-events/
Implementación de DevSecOps utilizando AWS CodePipeline
https://aws.amazon.com/blogs/devops/implementing-devsecops-using-aws-
codepipeline/
Automatizando el repositorio de Gobernanza
https://github.com/awslabs/automating-governance-sample

52. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Gracias