Network Security and Access Control within AWS

© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Steve Seymour, Solutions Architect
July 2016
Network Security and Access
Control within AWS
@sseymour

What to expect from the session
• Configure network security using VPC
• Customer – Irdeto – PCI Compliant Architecture
• Configure users, groups and roles to manage actions
• Configure monitoring and logging to audit changes

Network security tools
• Amazon VPC
• Subnets
• Security groups
• Network ACLs
• Amazon CloudFront
• Amazon Route 53
• AWS WAF
• IP tables / OS Firewall
sg-xxxxx

Virtual Private Cloud Security Layers
Security Group
Subnet 10.0.0.0/24
Routing Table
Network ACL
Security
Group
Subnet 10.0.1.0/24
Routing Table
Network ACL
Security
Group
Virtual Private Gateway Internet Gateway
Lockdown at
instance level
Isolate network
functions
Lockdown at
network level
Route restrictively
Router
Availability Zone A Availability Zone B

VPC
VPC (APP-VPC-1)
security group (APP-SG-1)
HTTP GET Beer
TCP(6) Port(80)

VPC
VPC (APP-VPC-1)
HTTP GET Beer
TCP(6) Port(80)
NTP Buffer Overrun
UDP(17) Port(123)

Network ACL
VPC (APP-VPC-1)
HTTP GET Beer
TCP(6) Port(80)
srcIP=216.246.16.228
HTTP GET Beer
TCP(6) Port(80)
NACL

VPC (APP-VPC-1)
Obfuscate
Amazon
Route 53
CloudFront
Users
SG
Public Subnet
EC2
Instances
Private subnet
ELB
SG
NACL
NACL
AWS WAF
Amazon
Cloudfront
Amazon
Route 53

Access Control: Restricting Origin Access
Amazon S3
Origin Access Identity (OAI)
• Prevents direct access to your Amazon
S3 bucket
• Ensures performance benefits to all
customers
Custom Origin
Block by IP Address
Pre-shared Secret Header
• Whitelist only CloudFront
• Protects origin from overload
• Ensures performance benefits to all customers

Amazon CloudFront
Edge Location
Access Control : AWS WAF
Scraper Bot
Host: www.buildabeer.com
User-Agent: badbot
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://www.BuIlDaBeEr.com/
Connection: keep-alive
AWS WAF
Host: www.buildabeer.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64)…..
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://www.mysite.com/
Connection: keep-alive
SG
Public Subnet
ELB
NACL

Layers of defense
VPC (BuildABeer-VPC-1)
users Private subnet
Web
servers
Private subnet
ELBSecurity services
(IPS/IDS, WAF,
Firewall)
Public subnet
SG
NACL

© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Customer Story
irdeto

©2016 Irdeto, All Rights Reserved. – www.irdeto.com
18
Using ECS for a PCI Environment
Liz Duke, Technical Delivery Manager

19
Part of $56B Market Cap Multimedia Conglomerate
Classifieds Etail
Market-
places
Online
comparison
shopping
Payment
Online
services
C2C B2C
Ecommerce
Internet
Listed
Video Entertainment
DDT DTH
Print
Global platform operator

20
Key statistics about Irdeto
70% of employees are in
engineering/research/
development
247 issued patents
483 patents pending
+2 billion
devices secured
Innovating
Since 1969
Over 300 million
broadcast and multiscreen
consumers
#1 in software security
for pay media
[and the first company to bring to market a software-
based CA solution for one-way broadcast networks]

21
Serving the world’s best brands
Americas APAC EMEA

22
Irdeto around the world: Offices and Data Centers
Irdeto office location
Datacentre location

23
Providing a PCI compliant service
A new solution introduces new challenges….
 The requirements involved us being able to provide PCI compliant solutions in
multiple locations around the world.
 We looked at the number of services AWS provides that are already PCI
compliant and designed our solution to run utilizing these services.
 We utilize the security built in at every level in AWS to segregate and protect our
environments and applications.

24
Our Design

25
Automation is Key

26
Security In Our Environments
Output from pre-stack

27
Pre Stack Outputs
Com IAM Role IAM Policies
vlt $env-vltRole [$env]-ecsInstancePolicy
[$env]-ecsS3ReadPolicy
[$env]-ecsVltDynamodbPolicy
[$env]-ecsKmsDecryptPolicy
[$env]-ecsKmsGenerateRandomPolicy
ver $env-verRole [$env]-ecsInstancePolicy
[$env]- ecsMetaS3ReadPolicy
[$env]- ecsJavascriptS3ReadPolicy
div $env-divRole [$env]-ecsInstancePolicy
[$env]-swfDivPolicy
ddr $env-ddrRole [$env]-ecsInstancePolicy
[$env]- ecsMetaS3WritePolicy
[$env]- ecsJavascriptS3WritePolicy
[$env]-swfDdrPolicy
dwk $env-dwkRole [$env]-ecsInstancePolicy
[$env]- ecsMetaS3WritePolicy
[$env]- ecsJavascriptS3WritePolicy
[$env]-swfDwkPolicy

28
Example Policy
[$env]-ecsVltDynamodbPolicy { "Version": "2012-10-17", "Statement": [
{ "Action": [ "dynamodb:BatchGetItem",
"dynamodb:BatchWriteItem",
"dynamodb:GetItem",
"dynamodb:GetRecords",
"dynamodb:PutItem",
"dynamodb:Query", "dynamodb:Scan",
"dynamodb:UpdateItem",
"dynamodb:DeleteItem" ], "Effect":
"Allow", "Resource":
"arn:aws:dynamodb:eu-west-1:[$aws-
accountId]:table/[$env]-*" } ] }

29
Security Groups

30
AWS Services Used
▪ Compute – Elastic Container Service (ECS)
▪ Storage and Content Delivery - S3 and Cloud Front.
▪ Database – DynamoDB
▪ Networking – Virtual Private Cloud (VPC) and Route53
▪ Security and Identity – Identity Access Management (IAM)
▪ Application Services – Simple Queue Service (SQS) and Simple Workflow
Service (SWF).

31
Thank you!

Identity and Access Management
Users, groups, and roles

Access points to AWS – Command Line
~>aws ec2 describe-instances
{
"Reservations": [
{
"Groups": [],
"Instances": [
{
"KeyName": "keypair_0217",
"VirtualizationType": "hvm",
"AmiLaunchIndex": 0,
"SourceDestCheck": true,
"PublicIpAddress": "52.37.47.60",
"Architecture": "x86_64",
"RootDeviceType": "ebs",

Access points to AWS - API
#!/usr/bin/python3
import boto3
# Get the service resource
ec2 = boto3.resource('ec2')
# Print out each ec2 instance
for instance in ec2.instances.all():
print(instance)

Access points to AWS - Console

Who can access resources
• Accounts
• Users
• AWS Identity and Access
Management (IAM) Users
• Federated users
• Groups
• Roles
• Services
IAM role
IAM users
IAM groups
Amazon EC2
Federated user

Restricted access best practices
• Do not use the root account
• Create an administrative account
• Enable MFA
• Enforce strong passwords
• Use groups to assign permissions
• Use cross account access for secure logging

IAM policies
• Managed policies (newer way)
• Can be attached to multiple users, groups, and roles
• AWS managed policies: Created and maintained by AWS
• Customer managed policies: Created and maintained by you
• Up to 5K per policy
• Up to 5 versions of a policy so you can roll back to a prior version
• Inline policies (older way)
• You create and embed directly in a single user, group, or role

Services
AWS CloudTrail
AWS Config
Amazon Inspector
VPC Flow Logs

Introduction to AWS CloudTrail
Store/archive
Troubleshoot
Monitor and alarm
You are
making API
calls...
On AWS services
around the
world..
CloudTrail is
continuously
recording
API calls
Amazon Elastic
Block Store
(Amazon EBS)
Amazon S3
bucket

AWS CloudTrail
Record CloudFront API calls history for:
• Security analysis
• Resource change tracking
• Compliance auditing
CloudWatch Alarm
CloudTrailCloudFront
Distribution Updates

AWS Config
• Get inventory of AWS resources
• Discover new and deleted resources
• Record configuration changes continuously
• Get notified when configurations change

• Check configuration changes
• Periodic
• Event driven
• Rules
• Pre-built rules provided by AWS
• Custom rules using AWS Lambda
• Use dashboard for visualizing compliance and
identifying offending changes
Compliance guideline Action if noncompliance
All EBS volumes should be encrypted Encrypt volumes
Instances must be within a VPC Terminate instance
Instances must be tagged with
environment type
Notify developer (email, page,
Amazon SNS)
AWS Config Rules

AWS Config Rules
(Example—instances must be tagged with a data classification)

Amazon Inspector
• Vulnerability Assessment Service
• Automatable by using API actions
• AWS Context Aware
• Static and dynamic telemetry
• Integrated with CI/CD tools
• CVE and CIS rules packages
• AWS AppSec best practices

VPC Flow Logs: See all your traffic
Visibility into effects of Security
Group rules
Troubleshooting network
connectivity
Ability to analyze traffic

Dumping out the heavy hitter IP addresses
#!/usr/bin/python3
import boto3
# Get the service resource
logs = boto3.client(’logs’)
# Get the log groups
groups = logs.describe_log_groups()
for logGroup in groups[’logGroups’] :
# Get the LogStream for each logGroup
logStreamsDesc = logs.describe_log_streams(logGroupName=logGroup[’logGroupName’])
for logStream in logStreamsDesc[’logStreams’]:
events_resp = logs.get_log_events(logGroupName=logGroup[’logGroupName’], logStreamName=logStream[’logStreamName’])
# Store each log entry by the src IP address
ip_dict = {}
for event in events_resp[’events’] :
ip = event[cd ’message’].split()[4]
if ip in ip_dict:
ip_dict[ip] = ip_dict[ip] + 1
else :
ip_dict[ip] = 1
for w in sorted(ip_dict, key=ip_dict.get, reverse=True):
print (’{0:15} {1:8d}’.format(w, ip_dict[w]))
#Early exit
exit()

Please remember to rate this
session under My Agenda on
awssummit.london

Steve Seymour, Solutions Architect
@sseymour
http://aws.amazon.com/security
http://aws.amazon.com/compliance

Network Security and Access Control within AWS

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Viewers also liked

Viewers also liked (20)

Similar to Network Security and Access Control within AWS

Similar to Network Security and Access Control within AWS (20)

More from Amazon Web Services

More from Amazon Web Services (20)

Recently uploaded

Recently uploaded (20)

Network Security and Access Control within AWS