Securing Your Virtual Data Center in the Cloud (NET202) - AWS re:Invent 2018

© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Securing Your Virtual Data Center in the Cloud
Becky Weiss
Senior Principal Engineer
AWS Identity
N E T 2 0 2
Alan Halachmi
Senior Manager, Solutions Architecture
AWS Worldwide Public Sector

Agenda: Bootstrap your cloud security know-how
Quickly get up to speed with AWS’s network- and identity-based
security controls
Recognize the repeatable patterns for securing your AWS resources
See some examples
AWS cloud
IAM VPC
controls

AWS region
Availability Zone Availability Zone Availability Zone

AWS region
virtual private cloud

AWS region
VPC subnet VPC subnet VPC subnet

AWS region
EC2 instance
EC2 instance
EC2 instance

AWS region
EC2 instance
EC2 instance
EC2 instance
RDS DB
instance
RDSDB
instancestandby

AWS region
EC2 instance
EC2 instance
EC2 instance
RDS DB
instance
RDSDB
instancestandby
AWS Directory
Service
AWS Directory
Service

AWS region
EC2 instance
EC2 instance
EC2 instance
RDS DB
instance
RDSDB
instancestandby
AWS Directory
Service
AWS Directory
Service
Amazon S3
bucket
Amazon SQS
queue
Amazon DynamoDB
table

Services for securing AWS resources
If it’s in your VPC:
• VPC network security controls
• Identity and Access Management
(IAM) permissions
If it’s not in your VPC:
• Identity and Access Management
(IAM) permissions

AWS region
EC2 instance
EC2 instance
EC2 instance
RDS DB
instance
RDSDB
instancestandby
AWS Directory
Service
AWS Directory
Service
Amazon S3
bucket
Amazon SQS
queue
Amazon DynamoDB
table
$ dig mydatabase.cumxp40klozz.us-
east-2.rds.amazonaws.com +short
10.0.51.81

AWS region
EC2 instance
EC2 instance
EC2 instance
RDS DB
instance
RDSDB
instancestandby
AWS Directory
Service
AWS Directory
Service
Amazon S3
bucket
Amazon SQS
queue
Amazon DynamoDB
table
$ dig sqs.us-east-2.amazonaws.com +short
52.95.18.51

Secure connectivity with Amazon VPC
• Security Groups: Authorize
only the traffic you expect
• Routing: Route traffic
headed out of your VPC only
to expected destinations
• Gateways: Create points of
connectivity with specific
scopes of access
VPC subnet

Security Groups: Stateful network firewalls
Application Load
Balancer
Backend EC2 instances
Amazon RDS database
Security Group
sg-08eec15c2101526a1
Security Group
sg-0bbef9ea1db9d2ddf
Security Group
sg-0b0a4f8118aa5d450
Port 443 (HTTPS)
Port 8443 (HTTPS)
Port 3306 (MySQL)

Security Groups: Stateful network firewalls
Application Load
Balancer
Backend EC2 instances
Security Group
sg-08eec15c2101526a1
Security Group
sg-0bbef9ea1db9d2ddf
Security Group
sg-0b0a4f8118aa5d450
Port 443 (HTTPS)
Port 8443 (HTTPS)
Port 3306 (MySQL)
Amazon RDS database

Routing for least-privilege connectivity
VPC Subnet: 10.0.1.0/24
VPC Subnet: 10.0.51.0/24
VPC Subnet: 10.0.2.0/24
VPC Subnet: 10.0.52.0/24
VPC Subnet: 10.0.3.0/24
VPC Subnet: 10.0.53.0/24

Routing for least-privilege connectivity
Availability Zone
VPC Subnet: 10.0.2.0/24
VPC Subnet: 10.0.52.0/24

Routing: No outbound connectivity
Availability Zone
VPC Subnet: 10.0.2.0/24
VPC Subnet: 10.0.52.0/24
AWS Elasticache
- RedisEC2 instances

Routing: Full internet connectivity
Availability Zone
VPC Subnet: 10.0.2.0/24
VPC Subnet: 10.0.52.0/24
AWS Elasticache
Application
Load Balancer
Public-facing
EC2 instance
Internet
gateway
Public IP
address

Routing: Outbound-only internet connectivity
Availability Zone
VPC Subnet: 10.0.2.0/24
VPC Subnet: 10.0.52.0/24
AWS Elasticache
Internet
gateway
Public IP
address
VPC NAT
gateway

Routing for least privilege: Summary
• AWS offers a variety of routing options
• Determine the different routing needs of
different parts of your workload, and put
them in different subnets
• Have only the routes you need in each
subnet.

VPC Endpoints for secure cross-account connectivity
Network Load
Balancer
VPC Subnet
Availability Zone
Availability Zone
VPC Subnet
10.0.51.129
10.0.52.39
$ dig vpce-0622f1c0e5b3ccf9b-wzu403mr.vpce-svc-05af39ae671fc730e.us-east-2.vpce.amazonaws.com +short
10.0.51.129

VPC Endpoints for secure cross-account connectivity
Network Load
Balancer

VPC Endpoints for private connectivity to AWS
services: Interface Endpoints
VPC Subnet
Availability ZoneAvailability Zone
VPC Subnet
EC2 instances EC2 instances
Amazon CloudWatch
Logs
Internet
gateway
$ dig logs.us-east-2.amazonaws.com +short
52.95.20.179

VPC NAT
gateway
VPC Subnet
VPC Subnet
Amazon CloudWatch
Logs
52.95.20.179

Creating an Interface VPC Endpoint

VPC Subnet
VPC Subnet
Amazon CloudWatch
Logs
10.55.2.191

services: Gateway Endpoints
VPC Subnet
VPC Subnet
Amazon S3

The ABCs of AWS IAM
• I: Identity. AWS IAM lets you create identities in your AWS account
who can make authenticated requests to AWS
• AM: Access Management. AWS IAM is your tool for defining who has
permissions to do what to which resources in IAM.
• IAM is the AWS-wide permissions control system. So you need to
know it.
IAM

I is for Identity: Humans  IAM Users
IAM
IAM user
long-term
security
credential
IAM user
long-term
security
credential
Amazon
DynamoDB
Human user
Human user

I is for Identity: Robots  IAM Roles
IAM
EC2 instance
Lambda
function
IAM Role
IAM Role
Amazon
DynamoDB
Application
Auto Scaling

I is for Identity: Humans with external identities
Amazon
DynamoDB
Corporate
identities
(analysts)
IAM Role:
Developers
Corporate
identities
(developers)
IAM Role:
Analysts
IAM
Corporate
Identification
Provider

Term: IAM Principal
An IAM Principal is an identity defined within an AWS account.
IAM
IAM Roles IAM Users
IAM Roles authenticate
using short-lived credentials.
IAM Users authenticate
using long-lived credentials

Term: IAM Policy IAM

Where does IAM Policy matter?
Everywhere in AWS.
For an authenticated call to succeed:
• The request must have a valid signature for an IAM Principal
• IAM Policy must specifically authorize the call

AWS-managed IAM policies IAM

Reading and Writing IAM Policy
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
“ec2:*"
],
"Resource": "*"
}
]
}
IAM
In English: Allowed to take
all EC2/VPC actions

Writing more granular IAM Policies:
Actions
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ec2:AuthorizeSecurityGroupIngress",
"ec2:RevokeSecurityGroupIngress"
],
"Resource": "*"
}
]
}
IAM
In English: Allowed to
modify Security Group
rules in EC2

Resource-level IAM Policies
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
],
"Resource": [
"arn:aws:ec2:us-east-2:111122223333:security-group/sg-0fedcba987654321"
]
}
]
}
IAM
In English: Allowed to
modify Security Group
rules, for a particular
Security Group

Term: Amazon Resource Name (ARN)
Resource: A thing in AWS. Examples: S3 bucket, DynamoDB table, EC2
instance, VPC. Even IAM Principals have ARNs.
ARN: A fully-qualified name for that resource, used throughout AWS.
service accountId
arn:aws:ec2:us-east-2:111122223333:security-group/sg-0fedcba987654321
partition region service-specific name
IAM

Conditions
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
],
"Resource": "*",
"Condition": {
"StringEquals": {
"ec2:Vpc": [
"arn:aws:ec2:us-east-2:111122223333:vpc/vpc-0123456789abcdef"
]
}
}
]
}
IAM
In English: Allowed to use
modify Security Groups
only in a specific VPC

Conditions
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"dynamodb:*"
],
"Resource": "*",
"Condition": {
"StringEquals": {
"aws:RequestedRegion": [
"us-east-2"
]
}
}
]
}
IAM
In English: Allowed to use
DynamoDB only in the us-
east-2 region

Advanced: Putting IAM and VPC security together
VPC Subnet
VPC Subnet
Amazon S3
bucket

Example: SSH access to EC2 instances
• VPC security controls used:
• Security Groups
• Routing for least privilege
Availability Zone
EC2 instances
SSH bastion instance
Port 22 (SSH)
Port 22 (SSH)
$ echo "hello world"

Example: AWS IAM-controlled SSH access to EC2 instances
• Makes use of SSM
Session Manager
• IAM controls used:
• Permissions for users to
SSH to specific instances or
groups
• VPC security controls
used:
• Security Groups
• VPC Endpoints to SSMAvailability Zone
EC2 instances
AWS Systems
Manager
$ echo "hello world"

Example: Securing serverless workloads
Amazon API
Gateway
Lambda functions
Amazon
DynamoDB
Amazon DynamoDB
Accelerator
Serverless workload with in-VPC
components
IAM controls used:
Least-privilege access on IAM Roles for
Lambda function and DAX cluster
Lambda Functions allow invocation by API
Gateway
VPC Endpoint Policies for DynamoDB
VPC security controls used:
Security Groups
VPC Endpoint for DAXDynamoDB
Port 8111

What we didn’t talk about
• Encryption
• Visibility and detective controls
• Higher-level security services
AWS KMS AWS CloudHSM
VPC Flow LogsAWS CloudTrail
Amazon Inspector Amazon
GuardDuty

Related chalk talk
Wednesday, November 28
NET210-R1: Discuss How to Secure Your Virtual Data Center in the Cloud
5:30 – 6:30 | Venetian, Level 3, Murano 3202

Related breakouts
Monday, November 26
NET201 – Your Virtual Data Center: VPC Fundamentals and Connectivity Options
4:45 – 5:45 | Venetian, Level 4, Delfino 4002, T2
Wednesday, November 28
NET301 – Best Practies for AWS Private Link
4:45 – 5:45 | Venetion, Level 2, Venetian F

Thank you!
Becky Weiss and Alan Halachmi
AWS

Securing Your Virtual Data Center in the Cloud (NET202) - AWS re:Invent 2018

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Securing Your Virtual Data Center in the Cloud (NET202) - AWS re:Invent 2018

Similar to Securing Your Virtual Data Center in the Cloud (NET202) - AWS re:Invent 2018 (20)

More from Amazon Web Services

More from Amazon Web Services (20)

Securing Your Virtual Data Center in the Cloud (NET202) - AWS re:Invent 2018