This document discusses best practices for securing customer data on AWS from day one, including implementing strong identity and access management, enabling traceability, applying security at all layers, automating security best practices, protecting data in transit and at rest, and preparing for security events. It provides guidance on setting up authentication and authorization controls with IAM, implementing detective controls with logging and monitoring tools, applying defense-in-depth with network and host security configurations, automating security configurations with tools like CloudFormation, encrypting data at rest and in transit, and planning incident response procedures.

1. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Securing Your Customers
Data From Day One
Mackenzie Kosut | 2018

2. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Security by design principles
• Implement a strong identity foundation
• Enable traceability
• Apply security at all layers
• Automate security best practices
• Protect data (in transit and at rest)
• Prepare for security events
https://aws.amazon.com/architecture/well-architected/

3. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Implement a strong identity foundation

4. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Identity Access Management (IAM)
Ensure only authorized and authenticated users are able to
access resources:
• Define users, groups, services and roles
• Protect AWS credentials
• Use fine grained authorization/access control

5. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Define access
Users Groups Services Roles
• Think carefully
• SAML 2.0 (ADFS)
• Define a management
policy
• Logically group users
• Apply group policies
• Least privilege access
• Be granular
• Use roles for instances and
functions
• Avoid using API keys in code

6. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Protecting AWS credentials
• Establish Less-privileged Users
• Enable MFA on the root account
• Consider federation
• Set a password policy
• MFA for users and/or certain operations (s3
delete)
• Avoid storing API Keys in source control
• Use temporary credentials via STS

7. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Fine grained access control
• Establish least privilege
principle
• Define clear roles for users
and roles
• Use AWS organizations to
centrally manage access

8. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Resources
AWS IAM - https://aws.amazon.com/iam/
AWS STS - https://docs.aws.amazon.com/STS/latest/APIReference/Welcome.html
AWS Organizations - https://aws.amazon.com/organizations/

9. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Detective controls
Identifying a potential security threat is essential for legal
compliance assurance, key areas in this are:
• Capture and analyze logs
• Integrate auditing controls with notifications and
workflow / Use your logs

10. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Capture and analyze logs
Asset management
• Describe assets and instance programmatically
• No dependency on instance based agent
API driven log analysis
• Collect, filter and analyze with ease
• Automatically collect API calls with CloudTrail
• Use CloudWatch Logs or ElasticSearch with instances

11. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Use your logs
Don’t just collect and store logs, analyze logs easily with
CloudWatch Events:
• Trigger notifications
• Automate responses with Lambda
• Integrate events with ticketing systems

12. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Detect change
• Use native tools such as AWS Config to detect change in your environment
and trigger CloudWatch Events
• Collect output from Amazon Inspector to ensure compliance
• Use Amazon GuardDuty to constantly monitor and intelligently detect
threats and take action

13. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Change management

14. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Resources
AWS Config – https://aws.amazon.com/config/
AWS Config Rules –
https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-
config.html
Amazon Inspector - https://aws.amazon.com/inspector/
Amazon ElasticSearch Service - https://aws.amazon.com/elasticsearch-service/
Amazon CloudWatch Logs - https://aws.amazon.com/cloudwatch/
Amazon Athena – https://aws.amazon.com/athena/
Amazon Glacier – https://aws.amazon.com/glacier/
AWS Lambda – https://aws.amazon.com/lambda/

15. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Apply security at all layers

16. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Defense-in-depth

17. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Infrastructure protection
Protect network and
host level boundaries
System security config
and management
Enforce service-level
protection

18. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Protect network and host level boundaries
VPC considerations:
• Subnets to separate workloads
• Use NACL’s to prevent access between subnets
• Use route tables to deny internet access from protected
subnets
• Use Security groups to grant access to and from other
security groups
Limit what you run in public subnets:
• ELB/ALB and NLB’s
• Bastion hosts
• Try and avoid where possible having a system directly
accessible from the internet
External connectivity for management:
• Use VPN gateways to your on premise systems
• Direct Connect

19. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
System security config and management
OS based firewalls
CVE vulnerability scanners
Virus scanners
Remove unnecessary tools from OS
Remove direct access to machines – use EC2 system
manager
Amazon Inspector to scan OS and applications

20. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Enforce service-level protection
• Use least privilege IAM policies
• Use fined grained controls within policies
• Look at service level permission (such as S3 bucket
policies)
• Use KMS and define admin and user access policies

21. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Resources
Amazon VPC – https://aws.amazon.com/vpc/
AWS Direct Connect – https://aws.amazon.com/directconnect/
Amazon Inspector - https://aws.amazon.com/inspector/

22. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Automate security best practices

23. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Ensure best practice
• Template everything (CloudFormation, Terraform, etc
etc)
• Utilise CI/CD pipelines
• Set custom AWS Config rules
• Amazon Inspector to detect vulnerabilities
• Automate response to non compliant infrastructure

24. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Immutable infrastructure

25. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Security as code

26. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Resources
Amazon VPC – https://aws.amazon.com/
AWS Systems Manager – https://aws.amazon.com/systems-manager/Amazon/
Inspector - https://aws.amazon.com/inspector/
AWS CloudFormation - https://aws.amazon.com/cloudformation/
AWS SAM - https://github.com/awslabs/serverless-application-model
AWS Pipeline - https://aws.amazon.com/codepipeline/
AWS KMS - https://aws.amazon.com/kms/
Terraform - https://www.terraform.io/

27. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Protect data (in transit and at rest)

28. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Data classification
Start of by classifying data based on sensitivity:
• Public data = unencrypted, non-sensitive, available to everyone
• Critical data = encrypted, not directly accessible from the internet, requires
authorization and authentication
Use resource tags to help define the policy:
• “DataClassification=CRITICAL”
• Integrate access with IAM policies
Amazon Macie:
Macie can automatically discover, classify and protect sensitive data through machine
learning

29. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Encrypt your data

30. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Data in transit
AWS endpoints are HTTPS,
but what can you do?
• VPN connectivity to VPC
• TLS application communication
• ELB or CloudFront with ACM

31. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Data at rest
Inbuilt encryption
• S3: select KMS key on upload
• EBS and RDS snapshots: automatically encrypt data at rest
• DynamoDB: encrypt backups
Bring your own Key
Encrypt data locally before uploading
SSE-C (server side encryption with customer key)

32. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Encryption and tokenization
Tokens allow you to represent data (credit card number) as a token.
Generate and Retrieve encrypted data from a toke store such as cloudHSM or
encrypt and store data in DynamoDB.
cloudHSM is PCI-DSS and FIPS compliant

33. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Resources
AWS KMS - https://aws.amazon.com/kms/
Amazon Macie – https://aws.amazon.com/macie/
AWS Cloud HSM – https://aws.amazon.com/cloudhsm/
Amazon EBS – https://aws.amazon.com/ebs/
S2n - https://github.com/awslabs/s2n

34. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Prepare for security events

35. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Incident response
“Even with a mature preventative and detective solution in
place, you should consider a mitigation plan”

36. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Clean room
• Use Tags to quickly determine impact and escalate
• Get the right people access and on the call
• Use Cloud API’s to automate and isolate instances
• CloudFormation – recreate clean / update environments easily for
production or investigation purposes

37. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Resources
AWS Well-Architected - https://aws.amazon.com/architecture/well-architected/
Security Pillar - https://d1.awsstatic.com/whitepapers/architecture/AWS-Security-
Pillar.pdf

38. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Thank You
Presenter Name, Twitter, Email

39. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Q&A