As you continually evolve your use of the AWS platform, it’s important to consider ways to improve your security posture and take advantage of new security services and features. In this advanced session, we share architectural patterns for meeting common challenges, service limits and tips, tricks, and ways to continually evaluate your architecture against best practices. Automation and tools are featured throughout, and there will be code giveaways! Be prepared for a technically deep session on AWS security.

1. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Security best practices the well-
architected way
Ben Potter
Security Lead, Well-Architected
Amazon Web Services
@benji_potter
S D D 3 1 8

2. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Agenda
AWS Well-Architected introduction
Incident response
AWS Identity and Access Management (IAM)
Detective controls
Infrastructure protection
Data protection

3. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
https://aws.amazon.com/well-architected/
https://wa.aws.amazon.com
https://wellarchitectedlabs.com
AWS Well-Architected

4. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Are you Well-Architected?
Security Reliability
Performance
efficiency
Cost
optimization
Operational
excellence
© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential

5. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
History
Well-Architected
started
2012
Questions across
four pillars
2014
Operational
excellence
2016
Self-service,
imp. plans
2018
AWS SA reviews
2013
Published framework
2015
APN partners, lens
2017 2019

6. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Why AWS
Well-Architected
Framework?
Learn AWS best practices
Build and deploy faster
Lower or mitigate risks
Make informed decisions

7. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
AWS Well-Architected Tool
It is in the console
If its not in your region, use North Virginia
Use it as a training/learning tool
Create a dummy workload and start

8. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
IAM
Use automation
Enable detection
Prepare for an incident
What should you do first?

9. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Design principles
Implement a strong identity foundation
Enable traceability
Apply security at all layers
Automate security best practices
Protect data in transit and at rest
Keep people away from data
Prepare for security events

10. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
VPC
Amazon API
Gateway
Amazon Elastic
File System (Amazon EFS)
AWS Lambda
Role
Amazon Simple
Notification Service
(Amazon SNS)
Amazon Simple
Storage Service
(Amazon S3)
Instance
Application

11. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.

12. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Use Amazon GuardDuty as a starting point
Threat intel,
ML/AI
anomaly
detection
Alert
+
Respond
Backdoor
Behavior
CryptoCurrency
PenTest
Persistence
Policy
PrivilegeEscalation
Recon
ResourceConsumption
Stealth
Trojan
Unauthorized
Amazon
GuardDuty
VPC Flow Logs
DNS logs
AWS CloudTrail
events
High
Medium
Low
FindingsData sourcesFinding types

13. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Use Amazon GuardDuty as a starting point
Threat intel,
ML/AI
Anomaly
Detection
Alert
+
Respond
Backdoor
Behavior
CryptoCurrency
PenTest
Persistence
Policy
PrivilegeEscalation
Recon
ResourceConsumption
Stealth
Trojan
Unauthorized
Amazon
GuardDuty
VPC flow logs
DNS Logs
CloudTrail Events
HIGH
MEDIUM
LOW
FindingsData SourcesFinding Types
New!
Guide: http://bit.ly/2EWlARo

14. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Playbooks
Working definition:
Playbooks provide adequately skilled team members, who are unfamiliar with
the workload, the guidance necessary to gather applicable information, identify
potential sources of failure, isolate faults, and determine root cause of issues.

15. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Playbooks—Example
# Scenario title:
Malicious IP action
# Scenario description:
An API was invoked from a known malicious IP address
# Data to gather:
CloudTrail + application logs
# Investigation steps:
CloudTrail history of IP, ASN, IP info, created resources
# Escalation & communication:
High severity infosec ticket
# Resolution steps:
Disabled credentials, remove resources

16. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
How to run a gameday
1. Schedule time block
2. Find a prize
3. Supply junk food and beverages
4. Pick relevant finding from: https://amzn.to/2PetNro
5. Create a playbook
6. Learn
7. Have fun!

17. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
VPC
Amazon API
Gateway
Amazon Elastic
File System
AWS Lambda
Role
Amazon Simple
Notification Service
Amazon Simple
Storage Service (S3)
Instance
Application
IR Playbooks IR Tools Access
Amazon GuardDuty

18. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
https://github.com/awslabs/aws-well-architected-
labs/tree/master/Security/300_Incident_Response_with_AWS_C
onsole_and_CLI

19. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.

20. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Federation tip
https://aws.amazon.com/identity/federation/
Blog: https://amzn.to/2Wvh2LS

21. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Requirement: users and roles
created by delegated admins must
have a permissions boundary
Ability: can create users and roles
that have permissions boundaries
attached
Admins
Delegated
admins
“Bound” IAM
users and roles
Create delegated admins Create “bound” users and roles Users and roles restricted by
permissions boundaries
Result: permissions boundary
restrict the permissions of the users
and roles
Restricted resources
Permissions for resources
restricted
Permissions of the roles attached to
resources like Lambda functions are
limited by the permissions boundary
Permission boundaries
Lab: http://bit.ly/WALpb

22. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Automate credential management
• Disable / delete unused access keys
• Cleanup after federation
• Regularly remind people for having an access key
• Remove leavers
• Constantly reduce permission

23. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Lambda assuming role
RoleLambda function
Account 1 Account 2
Role Sign URL

24. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Lambda example
exports.handler = async (event) => {
// Parameters
var AWS = require('aws-sdk’);
var s3_params = {Bucket: 'bucket', Key: event.Records[0].file_name};
var sts_params = {
DurationSeconds: 900,
RoleArn: "arn:aws:iam::012345678901:role/service-role/assumed_role",
RoleSessionName: "Session”
};
// Assume the role with STS, an async call to get creds
var sts = new AWS.STS();
await sts.assumeRole(sts_params, function(err, data) {
var s3 =new AWS.S3({region: 'ap-southeast-2’,
sessionToken:data.Credentials.SessionToken});
// Sign the URL
var url = s3.getSignedUrl('getObject', s3_params);
// Return the response
const response = {
statusCode: 200,
body: JSON.stringify('Hello from Lambda!’),
};
return response;}).promise();

25. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
VPC
Amazon API
Gateway
Amazon Elastic
File System
(Amazon EFS)
AWS Lambda
Role
Amazon Simple
Notification Service
(Amazon SNS)
Amazon Simple
Storage Service
(Amazon S3)
Application
IR Playbooks IR Tools Access
Role
Instance
AWS Organizations IAM AWS Single
Sign-On
MFA AWS Secrets
Manager
Amazon GuardDuty

26. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Role
Instance
VPC
Amazon API
Gateway
Amazon Elastic
File System
(Amazon EFS)
AWS Lambda
Role
Amazon Simple
Notification Service
(Amazon SNS)
Amazon Simple
Storage Service
(Amazon S3)
Application
IR Playbooks IR Tools Access
AWS Organizations IAM AWS Single
Sign-On
MFA AWS Secrets
Manager
AWS Code
Services
AWS CloudFormation AWS Systems
Manager
Event
Amazon GuardDuty

27. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.

28. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Automate detective controls
Amazon GuardDuty
AWS Config
AWS CloudTrail
AWS CloudFormation
Lab: http://bit.ly/2WIz2SY
https://amzn.to/2Wp3GkT
http://bit.ly/CRuleRem

29. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Have you created a threat model?
Every threat has a MOM:
Method: The skills, knowledge, tools to pull off the attack
Opportunity: The time and access to accomplish the attack
Motive: A reason to want to perform this attack
Have you tested your detective and responsive controls?
Threat model

30. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
What to look for
Recon
DNS
Denies
404’s
Logins / time

31. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Challenge
How would you detect credential stuffing?
2019-05-23 01:13:12 LAX1 2390282 2001:0db8:85a3:0000:0000:8a2e:0370:1337 POST
d111111abcdef8.cloudfront.net /myloginapi/login.do 200

32. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Challenge
• MFA
• Throttle
• Captive portal
• Fingerprint*
• Partners
https://haveibeenpwned.com/Passwords

33. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Continuous evaluation
CIS Quick Start: https://amzn.to/2XE5SSp

34. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
VPC
Amazon Simple
Notification Service
(Amazon SNS)
Amazon Simple
Storage Service
(Amazon S3)
Application
IR Playbooks IR Tools Access
Role
Instance
AWS Organizations IAM AWS Single
Sign-On
MFA AWS Secrets
Manager
AWS Code
Services
AWS CloudFormation AWS Systems
Manager
Event
Amazon GuardDuty Amazon CloudWatchAWS CloudTrail AWS Config
Amazon API
Gateway
Amazon Elastic
File System
(Amazon EFS)
AWS Lambda
Role
VPC Flow
Logs

35. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.

36. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
TPZ Egress
Transit
gateway
Security inspection
services
Security inspection
services
TPZ ingress
Xero threat protection zone

37. Share subnets between accounts in an AWS Organization
Account
Account
Account
Account
Resource share
Resource share
Infrastructure
account
VPC sharing and resource access manager

38. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Automate protection
AWS WAF automation: https://amzn.to/2MzNdpH
Whitelist
Blacklist
SQL Injection
XSS
HTTP Flood
Scanners & Probes
IP Reputation Lists
Bad Bot
Amazon CloudFront Application Load
Balancer
Web Application Resources
Amazon Kinesis
Data Firehose
Amazon S3
Web ACL
Traffic Information
Amazon API Gateway
Amazon Athena AWS Lambda
Log Passer
Amazon Athena
AWS Lambda
Access Handler
AWS Lambda
IP Lists Passer
Amazon CloudWatch
Event
Amazon S3
Access Logs
AWS WAF
Requests
WAF Logs
APP Logs
Hourly

39. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Tools
Source code and
dependency:
OWASP
Dependency-check
NPM audit + fix
RetireJS
boofuzz
Radamsa
american fuzzy lop

40. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
VPC
Amazon API
Gateway
VPC Flow Logs
Load Balancer
Application
Load Balancer
Amazon Elastic
File System
(Amazon EFS)
Database
Amazon Aurora Endpoints
AWS Lambda
Role
Shared
NAT Gateway
AWS Organizations IAM AWS Single
Sign-On
MFA AWS Secrets
Manager
Amazon GuardDuty Amazon CloudWatchAWS CloudTrail AWS Config
Amazon Simple
Notification Service
(Amazon SNS)
Amazon Simple
Storage Service
(Amazon S3)
Amazon Inspector AWS Security
Hub
IR Playbooks IR Tools Access
AWS Code
Services
AWS CloudFormation AWS Systems
Manager
Event
Role
Auto Scaling group
Instances
Endpoints
Application
AMI
Amazon CloudFrontAmazon Route 53 AWS WAF

41. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
VPC
Amazon API
Gateway
VPC Flow logs
Load Balancer
Application
Load Balancer
Amazon Elastic
File System
Database
Amazon Aurora Endpoints
AWS Lambda
Role
Shared
NAT Gateway
AWS Organizations IAM AWS Single
Sign-On
MFA AWS Secrets
Manager
Amazon GuardDuty Amazon CloudWatchAWS CloudTrail AWS Config
Amazon Simple
Notification Service
(Amazon SNS)
Amazon Simple
Storage Service
(Amazon S3)
Amazon Inspector AWS Security
Hub
IR Playbooks IR Tools Access
AWS Code
Services
AWS CloudFormation AWS Systems
Manager
Event
Role
Auto Scaling group
Instances
Endpoints
Application
AMI
Amazon CloudFrontAmazon Route 53 AWS WAF
http://bit.ly/315r99k
http://bit.ly/2Z2tDn7

42. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.

43. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Keep people away from data
Don’t store
Don’t grant
Encrypt
Mask
Tokenize
Isolate
Tooling
Eliminate direct
access
Operations
as code
Version control
Implementing DevSecOps: https://amzn.to/313DMlD

44. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Data exfiltration
Host based
SaaS
Partners
DNS
Logs

45. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Automate detection of data leak
• Consider all sources of data!
• Interesting API calls:
• Any service that hosts data
• Pre-signed URL generation
• S3 access logs:
• Custom access log information
• Data classification code for analysis
Amazon CloudWatch
Events
s3.amazonaws.com/awsexamplebucket/photos/puppy.jpg
?x-code=example

46. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Default Amazon EBS encryption
New!
Blog: https://amzn.to/2HYQURb

47. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
AWS KMS + AWS Encryption SDK
Customer master
key (CMK)
Data key Encrypted data
AWS Key Management
Service (AWS KMS)
"encryptionContext": { "aws:s3:arn":
"arn:aws:s3:::bucket_name/file_name" }
Example: https://amzn.to/2WlLK5I

48. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
VPC
Amazon API
Gateway
VPC Flow Logs
Amazon Elastic
File System
(Amazon EFS)
Endpoints
AWS Lambda
RoleNAT Gateway
AWS Organizations IAM AWS Single
Sign-On
MFA AWS Secrets
Manager
Amazon GuardDuty Amazon CloudWatchAWS CloudTrail AWS Config
Amazon Simple
Notification Service
(Amazon SNS)
Amazon Simple
Storage Service
(Amazon S3)
IR Playbooks IR Tools Access
AWS Code
Services
AWS CloudFormation AWS Systems
Manager
Event
Role
Auto Scaling group
Endpoints
AMI
Amazon Route 53 AWS WAF
Amazon Inspector AWS Certificate
Manager
Private Certificate Authority
AWS KMSAWS Security
Hub
Amazon Macie
Amazon CloudFront
Application
Encrypted
Instances
DLP
Shared
Load Balancer
Application
Load Balancer
Database
Encrypted
Amazon Aurora

49. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.

50. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Action!

51. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Action!
Main: https://aws.amazon.com/well-architected/
Framework: https://wa.aws.amazon.com
Labs: http://bit.ly/WASecurityLabs
Solutions: https://aws.amazon.com/solutions

52. Thank you!
© 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Ben Potter
Are you Well-Architected?
@benji_potter