Deploying Microsoft products on AWS is fast, easy, and cost-effective. Before deploying these applications to production, it's helpful to have guidance on approaches for securing them. In this session, we outline the principles for protecting the environment of Microsoft applications hosted on AWS, with a focus on risk assessment, reducing attack surface, adhering to the principle of least privilege, and protecting data.

2. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Security Best Practices for
Microsoft Workloads
Minoo Duraipandy
Partner Solutions Architect
AWS Partner Team
W I N 3 0 7
Mark Szalkiewicz
Senior Consultant, Identity
AWS Professional Services

3. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Agenda
Holistic approach to security
AWS-native security controls for Windows in AWS
Monitoring & logging
General guidance

4. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
End-to-end security controls
AWS Identity & Access
Management (IAM)
AWS Managed
Microsoft AD
AWS Organizations
AWS Secrets Manager
AWS Single Sign-On
Amazon Cognito
AWS CloudTrail
AWS Config
Amazon
CloudWatch
Amazon GuardDuty
VPC Flow Logs
AWS Systems Manager
AWS Shield
AWS WAF
AWS Firewall Manager
Amazon Inspector
Amazon VPC
AWS KMS
AWS CloudHSM
Amazon Macie
AWS Certificate
Manager
Server-side
encryption
AWS Config rules
AWS Lambda
Identity Data
protection
Preventive
controls
Corrective
controls
Infrastructure
security
Detective
controls
VPC security groups
Network ACLs
IAM password policies
MFA/YubiKey-2FA

5. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
End-to-end security controls
AWS Identity & Access
Management (IAM)
AWS Managed
Microsoft AD
Organizations
AWS Secrets Manager
AWS Single Sign-On
Amazon Cognito
AWS CloudTrail
AWS Config
Amazon
CloudWatch
Amazon GuardDuty
VPC Flow Logs
AWS Systems Manager
AWS Shield
AWS WAF – Web
Application Firewall
AWS Firewall Manager
Amazon Inspector
Amazon Virtual Private
Cloud (VPC)
AWS Key
Management Service
(KMS)
AWS CloudHSM
Amazon Macie
AWS Certificate
Manager
Server-Side
Encryption
AWS Config rules
AWS Lambda
Identity Data
protection
Corrective
controls
Infrastructure
security
Preventive
controls
Detective
controls
VPC Security Groups
Network ACLs
IAM Password Policies
MFA/Yubikey-2FA

6. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Let’s start with securing identities
• AWS Directory Service for
Microsoft Active Directory
• Also known as AWS Managed Microsoft AD
• Active Directory (AD) as a managed service
• Powered by Windows Server 2012 R2
• Available in two editions: Standard and
Enterprise
• Other directories
• AD Connector
• Simple AD
Identity
MS SQL
instance
ClientAWS
Workspaces

7. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Default directory security group
• Blocks unnecessary traffic to DC
• Attached to DC interfaces accessible from within
your peered or resized VPCs
• Inaccessible from the Internet even with
modified routing tables
• Security group rules can be modified
• To accept traffic from a more restrictive list of IP addresses
• To restrict the destination addresses DCs can communicate with
Identity

8. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Why AWS SSO?
Identity
Centrally manage SSO access to multiple AWS
accounts and business cloud applications
• Cloud-based single sign-on service
• Connect on-premises Microsoft Active Directory
• Access to other SAML-based apps – Dropbox, Salesforce,
Office 365
• Automatic AWS CLI/console access and permissions
based on AD group membership
• Provide and audit user access to multiple AWS accounts
• Integration with other 3P tools like Splunk, Sumo Logic
• Now provides a directory to create users, organize them
in groups, and set permissions across groups for
application access

9. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.

10. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
AWS Systems Manager improves security posture
Session Manager
Full Interactive-mode PowerShell
Encrypted access without inbound ports
Access control via IAM policies
No cost, browser based
Run Command
Perform administrative tasks
Patch Manager
Establish patch baseline
Manage patch-level compliance
Automation
Repeatable Operations and management
tasks
Maintenance Windows
Works in conjunction with Patch Manager
Distributor
Securely store and distribute software
packages
State Manager
Continuous configuration drift manager
Infrastructure
security

11. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Session Manager
VPC
IAM
permissions Session
Manager
Infrastructure
security
SSM
endpoint

12. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Run Command
Infrastructure
security
Run
Command
Curated
Document
Curated
Document
Curated
Document
Notifications
Amazon S3
AWS Console
Output
options

13. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Run Command vs. Session Manager
Commands issued at scale
When Interactive mode isn’t
needed
Concurrency control
Error control
Deeper analysis within an instance
Full Interactive mode available
Session Manager SDK for custom
front-end apps
Infrastructure
security

14. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Microsoft Windows Patch Management
Keeping Windows instances secure using AWS Systems Manager
Maintenance
Windows
Patch
Manager
Outdated
Windows
instances
Patched
Windows
instances
State
Manager
Run
Command
Infrastructure
security
Native DSC
integration

15. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.

16. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Vulnerability management
Amazon Inspector
• Automatic assessment for known vulnerabilities
• Hundreds of built-in rules mapped to common security best practices
• CIS-specific Microsoft Windows Security benchmark assessments
• Helps build and maintain a hardened Windows Server OS image
Infrastructure
security
Gold AMI Registry
Default AMI
Amazon Inspector
assessment
Gold AMI
Hardened AMI
Decommission
CIS
Windows
benchmarks

17. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Amazon Inspector Network Assessments
• Based on AWS’ Provable Security
Initiative
• Agentless!
• Analyze and identify resources that are
accessible from the internet
• Based on Automated Reasoning
• A formal verification process that
generates and checks mathematical
proofs
• Make sure network security is
implemented as designed
• Catch network configuration drift
• No network packets or port probes to gain
actionable insights
Infrastructure
security

18. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Amazon CloudWatch Logs and Windows
Detective
controls
AWS Config
rules
Windows
Event
Logs
IIS Logs
Perf Logs
SQL Logs
AlarmsMonitoring
Auto Scaling
instances
Amazon Glacier
archive
AWS VPC
Flow
Logs
Email
notification

19. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Amazon GuardDuty
Detective
controls
• Managed threat detection service (think managed IDS)
• Global coverage, with regional results
• Built-in anomaly detection with ML
• No agents, no sensors, no network devices
• Single-click activation for Amazon EC2, IAM, and AWS accounts

20. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Amazon GuardDuty
Detective
controls

21. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Amazon GuardDuty example threat detection
Detective
controls

22. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
When someone opens port 3389 to the world at 3AM

23. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Or we could avoid security incidents using:
AWS Config rules
• Easy assessment of all your Microsoft resources in AWS
• Automate evaluation of recorded configurations against desired configurations
• Built-in library of 60 different AWS rules
AWS Lambda functions
• Write code in C# or PowerShell using .NET Core 2.1
Corrective
controls

24. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
AWS Lambda functions
Corrective
controls
• Avoid being reactive
• Use over 60 pre-built AWS Config rules
• Gateway service to DevSecOps
• Multi-layer security automation
• AWS WAF automation for L7 security
• AWS Config automation for compliance
• Amazon CloudWatch for event-based
security

25. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.

26. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Putting it all together
ADFS SAML
token
Microsoft Windows
EC2 instances
Maintenance
Windows
Patch
Manager
Run
Command
State
Manager
Parameter
Store
Users
AMI
Inspector
Golden
AMI

27. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Before we wrap up here

28. Thank you!
© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Minoo Duraipandy
duraipan@amazon.com
Mark Szalkiewicz
marksza@amazon.com

29. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.