SID206 Best Practices for Managing Security Operations on AWS
1. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
AWS re:Invent
Best Practices for
Managing Security Operations on AWS
Will Bengtson – Netflix - Senior Security Engineer
Armando Leite – AWS - Principal Security Architect
SID206
November 27, 2017
2.
Understand the boundary
Consistent controls
Test often, fail early
Closed-loop mechanisms
Full stack
Practice
Visibility
3.
Understand the boundary
Consistent controls
Test often, fail early
Closed-loop mechanisms
Full stack
Practice
Visibility
4.
Blast radius
Segregate
Classify
AWS Account as the boundary
• Highest degree of segregation
• By data classification
• Business unit
• Workload
• Functional
In-VPC
• SGs, NACLs
• AWS IAM resource-level constraints
VPC as the boundary (single account)
• Equivalent to separate networks
• Peering, Routing (+all above)
• AWS IAM similar to previous
Flexibility
Innovation
Right-sizing
5.
[Diagram: accounts per team (Team A: App A.1, App A.2; Team B: App B.1, App B.2; Shared: Logging Agg., SecOps, Other 1..N) and, alternatively, per business unit (BU A, BU B, with Conf A.2 and Pub A.2 alongside Logging Agg. and SecOps)]
Regardless of boundary, consider:
- How to aggregate logging
- SecOps dedicated account
6.
Understand the boundary
Consistent controls
Test often, fail early
Closed-loop mechanisms
Full stack
Practice
Visibility
7.
[Diagram: From → To]
8.
AWS CloudFormation + AWS Organizations
10.
Understand the boundary
Consistent controls
Test often, fail early
Closed-loop mechanisms
Full stack
Practice
Visibility
11.
Battery of test cases
Spec review
12.
Commit phase: source-control changes
• Static code analysis: analyze the CFN templates against a set of security rules
Acceptance phase: dev environment
• Dynamic analysis: run template in sandbox/acceptance test environment
Capacity/integration/staging phases: pre-prod environment
• Load, performance, penetration, and failover testing
Production phase: prod environment
• Deploy...
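The commit-phase static analysis above, as an added example that is not from the deck or the repos it links: a small Python check that walks an already-parsed CloudFormation template (JSON form) and flags security groups allowing SSH from anywhere and S3 buckets with a public canned ACL. The sample template, the two rules and the function names are all constructed here.

```python
import ipaddress

SSH_PORT = 22

def _covers_port(rule, port):
    """True if a SecurityGroupIngress entry's port range includes `port`."""
    if str(rule.get("IpProtocol")) == "-1":    # -1 means every protocol and port
        return True
    try:
        lo = int(rule.get("FromPort", -1))
        hi = int(rule.get("ToPort", lo))
    except (TypeError, ValueError):             # Ref/Fn:: value, not resolvable statically
        return False
    return lo <= port <= hi

def _is_world_open(cidr):
    """True for 0.0.0.0/0 or ::/0; non-string (intrinsic) values are skipped."""
    if not isinstance(cidr, str):
        return False
    try:
        return ipaddress.ip_network(cidr, strict=False).prefixlen == 0
    except ValueError:
        return False

def check_template(template):
    """Return [(logical_id, message)] for every rule violation in the template."""
    findings = []
    for name, res in template.get("Resources", {}).items():
        props = res.get("Properties", {})
        if res.get("Type") == "AWS::EC2::SecurityGroup":
            for rule in props.get("SecurityGroupIngress", []):
                cidr = rule.get("CidrIp", rule.get("CidrIpv6"))
                if _is_world_open(cidr) and _covers_port(rule, SSH_PORT):
                    findings.append((name, "SSH ingress open to the world"))
        elif res.get("Type") == "AWS::S3::Bucket":
            if props.get("AccessControl") in ("PublicRead", "PublicReadWrite"):
                findings.append((name, "bucket ACL grants public access"))
    return findings

# Constructed sample template (JSON form of a CFN template), not from the deck.
SAMPLE_TEMPLATE = {"Resources": {
    "BastionSG": {"Type": "AWS::EC2::SecurityGroup", "Properties": {"SecurityGroupIngress": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"}]}},
    "AppSG": {"Type": "AWS::EC2::SecurityGroup", "Properties": {"SecurityGroupIngress": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "10.0.1.0/24"},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "0.0.0.0/0"}]}},
    "LogBucket": {"Type": "AWS::S3::Bucket", "Properties": {"AccessControl": "PublicRead"}},
}}
```

Calling `check_template(SAMPLE_TEMPLATE)` reports BastionSG and LogBucket and leaves AppSG (SSH from a private range, HTTPS from anywhere) alone; a non-empty result is what fails the commit stage.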
14.
Understand the boundary
Consistent controls
Test often, fail early
Closed-loop mechanisms
Full stack
Practice
Visibility
15.
[Diagram: closed loop of Control → Monitor → Fix → Control → Monitor → Fix]
16.
[Diagram: spectrum of options between Gather and Remediate, with inputs ranging from Noise to Signal: Do Nothing, Correct, Alert, Enrich, Stop, Measure]
17.
Control | Monitor | Fix
API calls (CloudTrail) are logged | StopTrail/Change | Turn back on
SSH only from bastion subnet | Create/Change SGs: validate source if port == 22 | Change SG via Lambda
All instances' patches up to date for XXX | EC2 Systems Manager + AWS Config rules | Patch via Systems Manager
No root access | CloudWatch Logs + Syslog | Isolate and investigate
No public objects in S3 | Object-level logging in CloudTrail | Make object private
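The "SSH only from bastion subnet" row above, as an added example that is not the speakers' code: a Lambda function fed by a CloudWatch Events rule on the AuthorizeSecurityGroupIngress CloudTrail event, which revokes only the port-22 sources that fall outside the bastion CIDR and leaves the other rules alone. The BASTION_CIDR environment variable, the sample event and the function names are assumptions made here.

```python
import ipaddress
import os
# Assumption (not from the deck): the bastion subnet CIDR arrives via an env var.
BASTION_CIDR = ipaddress.ip_network(os.environ.get("BASTION_CIDR", "10.0.1.0/24"))
SSH_PORT = 22

def _covers_ssh(perm):
    """True if a CloudTrail ipPermissions item includes port 22 or all traffic."""
    if str(perm.get("ipProtocol")) == "-1":
        return True
    lo, hi = perm.get("fromPort"), perm.get("toPort")
    return lo is not None and hi is not None and lo <= SSH_PORT <= hi

def offending_permissions(event):
    """Return (group_id, IpPermissions to revoke) for SSH sources outside the bastion CIDR."""
    detail = event.get("detail", {})
    if detail.get("eventName") != "AuthorizeSecurityGroupIngress":
        return None, []
    params = detail.get("requestParameters", {})
    to_revoke = []
    for perm in params.get("ipPermissions", {}).get("items", []):
        if not _covers_ssh(perm):
            continue
        bad = [{"CidrIp": r["cidrIp"]}
               for r in perm.get("ipRanges", {}).get("items", [])
               if not ipaddress.ip_network(r["cidrIp"], strict=False).subnet_of(BASTION_CIDR)]
        if bad:
            entry = {"IpProtocol": perm["ipProtocol"], "IpRanges": bad}
            if perm.get("fromPort") is not None:      # ports are absent when ipProtocol == "-1"
                entry.update(FromPort=perm["fromPort"], ToPort=perm["toPort"])
            to_revoke.append(entry)
    return params.get("groupId"), to_revoke

def lambda_handler(event, context=None):
    """CloudWatch Events target: revoke the offending rules, keep everything else."""
    group_id, perms = offending_permissions(event)
    if not perms:
        return {"action": "none"}
    import boto3  # imported lazily so the decision logic above runs without AWS deps
    boto3.client("ec2").revoke_security_group_ingress(GroupId=group_id, IpPermissions=perms)
    return {"action": "revoked", "groupId": group_id, "revoked": perms}

# Constructed sample event in the CloudTrail-via-CloudWatch-Events shape, not from the deck.
SAMPLE_EVENT = {"detail-type": "AWS API Call via CloudTrail", "detail": {
    "eventName": "AuthorizeSecurityGroupIngress",
    "requestParameters": {"groupId": "sg-0123456789abcdef0", "ipPermissions": {"items": [
        {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
         "ipRanges": {"items": [{"cidrIp": "10.0.1.0/24"}, {"cidrIp": "0.0.0.0/0"}]}},
        {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443,
         "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}}}
```

For SAMPLE_EVENT only the 0.0.0.0/0 source on port 22 is revoked; the bastion range and the HTTPS rule are untouched, which is what keeps an automatic fix from becoming a self-inflicted outage.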
18.
https://aws.amazon.com/blogs/security/how-to-detect-and-automatically-remediate-unintended-permissions-in-amazon-s3-object-acls-with-cloudwatch-events/
20.
Understand the boundary
Consistent controls
Test often, fail early
Closed-loop mechanisms
Full stack
Practice
Visibility
21.
Establishing platform security
Establishing network security
Establishing OS security
Establishing data protection
22.
Establishing platform security
Establishing network security
Establishing OS security
Establishing data protection
At rest:
- KMS
- CloudHSM
In transit:
- VPN
- ACM
See also SID330, AWS Key Management Service Architecture Best Practices (Thu, 3:15 p.m.)
23.
Establishing platform security
Establishing network security
Establishing OS security
Establishing data protection
24.
Amazon EC2 Systems Manager
Run Command, State Manager, Inventory, Maintenance Window, Patch Manager, Automation, Parameter Store, Documents
25.
Understand the boundary
Consistent controls
Test often, fail early
Closed-loop mechanisms
Full stack
Practice
Visibility
26.
Security Incident Response Simulations (S.I.R.S.)
27.
Jam Sessions @ The Park (Linq)
Security Jam
Tuesday the 28th
Jam Lounge:
Wednesday and Thursday (from 8 a.m.)
Go bananas!
28.
Architecture Visibility Audit
Will Bengtson - Netflix SecOps
Netflix Security Tools and Operations
31. Our security operations center is not bright dashboards that we watch all day.
42.
Netflix is BIG
43.
> 100,000 instances
44.
> 33% US internet traffic
45.
1,000s of changes
46.
1,000,000+ events/minute
47.
1,000,000+ events/minute
in only two accounts
48.
Multiple accounts
57.
Tag, you’re it!
How to Detect and Automatically Remediate Unintended Permissions in Amazon S3 Object ACLs with CloudWatch Events
https://aws.amazon.com/blogs/security/how-to-detect-and-automatically-remediate-unintended-permissions-in-amazon-s3-object-acls-with-cloudwatch-events/
Implementing DevSecOps Using AWS CodePipeline
https://aws.amazon.com/blogs/devops/implementing-devsecops-using-aws-codepipeline/
Automating Governance repo:
https://github.com/awslabs/automating-governance-sample
Tuesday, 27th November. 8 a.m.— Security Jam (HAC05)
(Extra seating added – bring a laptop!)
58.
Thank you!
Tue start 8 a.m.—Security Jam
Wed start 11 a.m.—Analytics Jam
Thur start 11 a.m.—All-In Jam
Jam Lounge
Wed and Thur from 8 a.m.
Drop by at any time
William Bengtson@Netflix
Armando Leite@AWS
Your turn! Just need a laptop!