The document discusses various AWS security services including Identity and Access Management (IAM) for authorization, VPCs for network security, CloudTrail for auditing API calls, GuardDuty for threat detection, WAF for web application firewall, Shield for DDoS protection, Inspector for security assessments, and Secrets Manager for secrets management. It provides overviews and examples of how to configure and use these services to help secure workloads running on AWS.

1. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Compliance and Security
Mitigation Techniques on AWS
Ric Harvey, Technical Developer Evangelist
@ric__harvey
https://gitlab.com/ric_harvey

2. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Back to Basics

3. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Identity Access Management (IAM)
Ensure only authorized and authenticated users are able
to access resources:
• Define users, groups, services and roles
• Protect AWS credentials
• Use fine grained authorization/access control

4. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Define access
Users Groups Services Roles
• Think carefully
• SAML 2.0 (ADFS)
• Define a
management policy
• Logically group users
• Apply group policies
• Least privilege access
• Be granular
• Use roles for instances and
functions
• Avoid using API keys in code

5. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Protecting AWS credentials
• Establish less-privileged Users
• Enable MFA on the root account
• Consider federation
• Set a password policy
• MFA for users and/or certain operations (s3
delete)
• Avoid storing API Keys in source control
• Use temporary credentials via STS

6. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Fine grained access control
• Establish least privilege
principle
• Define clear roles for users
and roles
• Use AWS organizations to
centrally manage access

7. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Resources
AWS IAM - https://aws.amazon.com/iam/
AWS STS - https://docs.aws.amazon.com/STS/latest/APIReference/Welcome.html
AWS Organizations - https://aws.amazon.com/organizations/

8. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
VPC and Subnetting

9. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Infrastructure protection
Protect network and
host level boundaries
System security
config and
management
Enforce service-level
protection

10. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Protect network and host level boundaries
VPC considerations:
• Subnets to separate workloads
• Use NACL’s to prevent access between subnets
• Use route tables to deny internet access from
protected subnets
• Use Security groups to grant access to and from
other security groups
Limit what you run in public subnets:
• ELB/ALB and NLB’s
• Bastion hosts
• Try and avoid where possible having a system
directly accessible from the internet
External connectivity for management:
• Use VPN gateways to your on premise systems
• Direct Connect

11. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
CloudTrail

12. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Enabled by default

13. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
GuardDuty

14. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Amazon GuardDuty
Genera lly a va ila ble toda y

15. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Amazon GuardDuty
Instance reconisance
• Port probe / accepted comm
• Port scan (intra-VPC)
• Bruteforce attack (IP)
• Tor communications
Account compromise
• Malicious API call (bad IP)
• Tor API call (accepted)
• CloudTrail disabled
• Password policy change
• Instance launch unusual
• Region activity unusual
• Suspicious console login
• Unusual ISP caller
• Mutating API calls (create, update,
delete)
• High volume of describe calls
• Unusual IAM user added

16. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Amazon GuardDuty
Instance compromise
• C&C activity
• Malicious domain request
• EC2 on threat list
• Drop point IP
• Malicious comms (ASIS)
• Bitcoin mining
• Spambot activity
• Outbound SSH bruteforce
• EC2 Credential Exfiltration
• Unusual network port
• Unusual traffic volume/direction
• Unusual DNS requests
• Domain generated algorithms
Account reconisance
• Tor API call (failed)

17. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Amazon GuardDuty Automated response
HTTPS
CLI
CloudWatch Events

18. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Amazon GuardDuty Console

19. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Amazon GuardDuty Console
Detailed response
• Time
• IP Location
• Type of action

20. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Amazon GuardDuty Pricing
Pricing examples (monthly)
US-East (N. VA) / Example 1
GuardDuty processes
•40,000,000 events
•2,000 GB of VPC Flow logs
•1,000 GB of DNS Query Logs
Charges =
40 x $4.00 (per 1,000,000 events)
+ 500 x $1.00 (first 500 GB)
+ 2,000 x $0.50 (next 2,000 GB)
+ 500 x $0.25 (over 2,500 GB)
= $1,785 per month

21. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Amazon GuardDuty Automated response
https://github.com/aws-samples/amazon-guardduty-hands-on

22. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
AWS WAF

23. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
What’s WAF?
Web Application Firewall
Choose WAF behaviors:
• Allow all requests except the ones that you specify
• Block all requests except the ones that you specify
• Count the requests that match the properties that you specify

24. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
WAF Rules
• Protect your API’s and web applications
• Preconfigured RuleGroups
• OWASP Top 10 mitigations
• Bad-bot defenses
• Virtual patching against latest CVE’s

25. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
WAF Examples
https://github.com/aws-samples/aws-waf-sample

26. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
AWS Shield

27. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
AWS Shield
Goal Suggested services
Protect a web application and RESTful APIs
against a DDoS attack
Shield Advanced protecting an Amazon
CloudFront distribution and an Application
Load Balancer
Protect a TCP-based application against a
DDoS attack
Shield Advanced protecting a Network Load
Balancer attached to an Elastic IP address
Protect a UDP-based game server against a
DDoS attack
Shield Advanced protecting an Amazon EC2
instance attached to an Elastic IP address

28. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
AWS Shield Features
Active monitoring
• Network flow monitoring
• Automated application (layer 7) traffic
monitoring
DDoS mitigations
• Helps protect from common DDoS
attacks, such as SYN floods and UDP
reflection attacks
• Access to additional DDoS mitigation
capacity
Standard and Advanced
Standard and Advanced
Advanced
Advanced

29. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
AWS Shield Features
Visibility and reporting
• Layer 3/4 attack notification and
attack forensic reports
• Layer 3/4/7 attack historical report
DDoS response team support
• Incident management during high
severity events
• Custom mitigations during attacks
• Post-attack analysis
Advanced
Advanced
Advanced
Advanced
Advanced

30. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
AWS Shield Features
Cost protection
• Reimburse related Route 53,
CloudFront, and ELB DDoS charges
Price
No additional cost for all AWS customers
$3,000/month plus additional data
transfer fees
AWS WAF included at no additional cost
Standard
Advanced
Advanced

31. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Amazon Inspector

32. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Threat assessment tooling at scale
Automate security assessments
First reports in minutes
Install agent on Linux
Install agent on windows
https://aws.amazon.com/inspector/getting-started/

33. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Amazon Inspector findinds

34. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
AWS Secrets Manager

35. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
AWS Secrets Manager
Easily rotate, manage, and retrieve database credentials, API
keys, and other secrets through their lifecycle
• Secure secrets storage
• Automatic secrets rotation without disrupting applications
• Programmatic retrieval of secrets
• Audit and monitor secrets usage
https://aws.amazon.com/secrets-manager/getting-started/

36. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
AWS Secrets Manager

37. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
AWS Secrets Manager

38. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Questions?
Ric Harvey, Technical Developer Evangelist
@ric__harvey
https://gitlab.com/ric_harvey

39. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Thank you!
Ric Harvey, Technical Developer Evangelist
@ric__harvey
https://gitlab.com/ric_harvey