Security Best Practices - Hebrew Webinar

Posted on 23-Jan-2018


@ziniman boazz@amazon.com

Security Best Practices

January 2018

Boaz Ziniman - Technical Evangelist - AWS

Local Events: https://aws.amazon.com/events/aws-israel/

Journey Through the Cloud

Learn from the journeys taken by other AWS customers

Discover best practices that you can use to bootstrap your projects

Common use cases and adoption models for the AWS Cloud

Security Best Practices

• Architected to be one of the most flexible and secure cloud environments
• Removes many of the security headaches that come with infrastructure
• Built-in Security Features

Agenda

• Sharing the Security Responsibility
• Overview of AWS Security Features
• Current Recommendations
• Verifying our Security
• Case Studies & Useful Resources

AWS security approach

Size of AWS security team

Visibility into usage & resources

Increasing your Security Posture in the Cloud

https://aws.amazon.com/security

Broad Accreditations & Certifications

https://aws.amazon.com/compliance

Partner ecosystem - Customer ecosystem - Everyone benefits

Security Benefits from Community Network Effect

SHARING THE SECURITY RESPONSIBILITY

§ Let AWS do the heavy lifting
§ Focus on what's most valuable to your business

• Customer
  • Choice of Guest OS
  • Application Configuration Options
  • Account Management flexibility
  • Security Groups
  • ACLs
  • Identity Management

• AWS
  • Facility operations
  • Physical Security
  • Physical Infrastructure
  • Network Infrastructure
  • Virtualisation Infrastructure
  • Hardware lifecycle management

Shared Security Model

Shared Security Model: Infrastructure Services, such as Amazon EC2, Amazon EBS, and Amazon VPC

Shared Security Model: Container Services, such as Amazon RDS and Amazon EMR

Shared Security Model: Abstracted Services, such as Amazon S3 and Amazon DynamoDB

AWS SECURITY FEATURES

SECURE ACCESS: API ENDPOINTS USE TLS

BUILT-IN FIREWALLS: YOU CONTROL ACCESS TO YOUR INSTANCES

APPLICATION PROTECTION: CONTROL ACCESS AT YOUR APP LEVEL

ROLE-BASED ACCESS CONTROL WITH FINE-GRAINED PERMISSIONS

MULTI-FACTOR AUTHENTICATION: BUILT IN

PRIVATE SUBNETS WITHIN YOUR AWS VIRTUAL PRIVATE CLOUD

ENCRYPT YOUR DATA AT REST USING AES 256-BIT ENCRYPTION KEYS

KMS & CLOUDHSM: A HIGHLY SECURE WAY TO STORE KEYS

DEDICATED CONNECTION: AN OPTION WITH AWS DIRECT CONNECT

SECURITY LOGS: AWS CLOUDTRAIL, AWS CONFIG & AMAZON CLOUDWATCH LOGS

TRUSTED ADVISOR: YOUR CUSTOMISED CLOUD EXPERT

ADVANCED TOOLS: YOUR OWN SECURITY GUARD

CURRENT RECOMMENDATIONS

Know the AWS Shared Responsibility Model
Build your systems using AWS as the foundation & architect using an ISMS that takes advantage of AWS features

Understand the AWS Secure Global Infrastructure: Regions, Availability Zones and Endpoints
Regions: An independent collection of AWS resources in a defined geography. A solid foundation for meeting location-dependent privacy and compliance requirements
Availability Zones: Designed as independent failure zones. Physically separated within a typical metropolitan region

Understand the AWS Secure Global Infrastructure: Using the IAM service
AWS Identity and Access Management (IAM) enables you to securely control access to AWS services and resources for your users.
Using IAM, you can create and manage AWS users and groups and use permissions to allow and deny their access to AWS resources via credentials such as access keys, passwords and multi-factor authentication devices.
You can also federate with SAML to your own pre-existing directories of user account information, such as OpenLDAP or Active Directory
http://docs.aws.amazon.com/IAM/latest/UserGuide/IAMBestPractices.html

Define and Categorise Assets on AWS
Identify all the information assets that you need to protect

Design Your ISMS to Protect Your Assets on AWS
Establish a standard for implementing, operating, monitoring, reviewing, maintaining & improving your information security management system

Manage AWS Accounts, IAM Users, Groups & Roles: Operate under the principle of Least Privilege
AWS Account: Your AWS account represents a business relationship between you and AWS. AWS accounts have root permissions to all AWS resources and services, so they are very powerful.
IAM Users: With IAM you can create multiple users, each with individual security credentials, all controlled under a single AWS account. IAM users can be a person, service, or application that needs access to your AWS resources through the management console, CLI, or directly via APIs.

Manage AWS Accounts, IAM Users, Groups & Roles: Strategies for using multiple AWS accounts

Business Requirement | Proposed Design | Comments
Centralised security management | Single AWS Account | Centralize information security management and minimize overhead.
Separation of production, development & testing accounts | Three AWS Accounts | Create one AWS account for production services, one for development and one for testing.
Multiple autonomous departments | Multiple AWS Accounts | Create separate AWS accounts for each autonomous part of the organization. You can assign permissions and policies under each account.
Centralized security management with multiple autonomous independent projects | Multiple AWS Accounts | Create a single AWS account for common project resources (such as DNS services, Active Directory, CMS etc.). Then create separate AWS accounts per project. You can assign permissions and policies under each project account and grant access to resources across accounts.

Manage AWS Accounts, IAM Users, Groups & Roles: Delegation using IAM Roles and Temporary Security Credentials
• Applications on Amazon EC2 and other services that need to access AWS resources
• Cross Account Access
• Identity Federation
http://docs.aws.amazon.com/STS/latest/APIReference/Welcome.html

Manage AWS Accounts, IAM Users, Groups & Roles: Control multiple accounts with Amazon Organizations
• Centrally manage policies across multiple AWS accounts
• Automate AWS account creation and management
• Control access to AWS services

Manage OS-level Access to Amazon EC2 Instances: You own the credentials, but AWS helps you bootstrap initial access to the OS
Amazon EC2 Key Pairs: Used to authenticate SSH access to Linux instances and to generate the initial administrator password on Windows instances.
If you have higher security requirements, you are free to implement alternative authentication mechanisms and disable Amazon EC2 Key Pair Authentication

Resource Access Authorisation: Users or IAM Roles can only access resources after authentication
Fine-grained resource policies can restrict users or permit users to access only the resources that you specify, for example:

{
    "Effect": "Allow",
    "Action": ["s3:GetObject", "s3:PutObject"],
    "Resource": ["arn:aws:s3:::myBucket/amazon/snakegame/${cognito-identity.amazonaws.com:sub}"]
}
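The policy above scopes each Cognito identity to its own object prefix. The Python below is an added example, not code from the deck or from AWS: it expands the ${cognito-identity.amazonaws.com:sub} variable from a request context and evaluates the statement the way a minimal IAM-style evaluator would (default deny, an explicit Deny beats any Allow, only '*' and '?' are wildcards). The identity ids and request context are constructed; the Version/Statement wrapper is the standard IAM policy envelope that the slide omits.

```python
import re

# The statement from the slide, wrapped in the Version/Statement envelope a real
# IAM or Cognito policy document needs. Bucket name and prefix are the slide's
# own illustrative values; the Cognito policy variable is the real one.
BUCKET_PREFIX = "arn:aws:s3:::myBucket/amazon/snakegame/"
SNAKEGAME_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:PutObject"],
            "Resource": [BUCKET_PREFIX + "${cognito-identity.amazonaws.com:sub}"],
        }
    ],
}

VARIABLE = re.compile(r"\$\{([^}]+)\}")


def substitute_variables(template, context):
    """Replace ${key} policy variables with values from the request context.

    Returns None when a variable has no value in the context, so the statement
    can never match: an unresolved variable must not degrade into a wildcard.
    """
    missing = False

    def replace(match):
        nonlocal missing
        value = context.get(match.group(1))
        if value is None:
            missing = True
            return ""
        return value

    result = VARIABLE.sub(replace, template)
    return None if missing else result


def glob_match(pattern, value, ignore_case=False):
    """IAM-style matching: only '*' and '?' are wildcards, everything else is
    literal, so characters such as '[' or '.' in an ARN cannot widen a match."""
    regex = "".join(
        ".*" if ch == "*" else "." if ch == "?" else re.escape(ch) for ch in pattern
    )
    flags = re.IGNORECASE if ignore_case else 0
    return re.fullmatch(regex, value, flags) is not None


def as_list(value):
    return value if isinstance(value, list) else [value]


def evaluate(policy, action, resource, context):
    """Decide Allow/Deny for one request: default deny, explicit Deny wins."""
    decision = "Deny"
    for statement in policy["Statement"]:
        actions = as_list(statement["Action"])
        if not any(glob_match(a, action, ignore_case=True) for a in actions):
            continue
        resolved = [substitute_variables(r, context) for r in as_list(statement["Resource"])]
        if not any(r is not None and glob_match(r, resource) for r in resolved):
            continue
        if statement["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


if __name__ == "__main__":
    # Constructed request context: the Cognito identity id of the caller.
    ctx = {"cognito-identity.amazonaws.com:sub": "us-east-1:1111-2222"}
    print(evaluate(SNAKEGAME_POLICY, "s3:GetObject", BUCKET_PREFIX + "us-east-1:1111-2222", ctx))  # Allow
    print(evaluate(SNAKEGAME_POLICY, "s3:GetObject", BUCKET_PREFIX + "us-east-1:9999-0000", ctx))  # Deny
```

Two things the evaluator makes visible: a caller that targets another identity's prefix gets Deny because the substituted ARN is compared literally, and a request whose context carries no Cognito variable also gets Deny instead of matching everything, which is the behaviour you want from any policy that relies on variables.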

Secure Your Data

At rest & in transit


Protecting Data at Rest
Options differ by AWS Service.
Amazon S3 - Server side encryption with Amazon S3 managed keys, your own encryption keys with Customer-Provided Keys (SSE-C), or keys managed by KMS
Amazon EBS - use volume encryption provided by your operating system or KMS. For example, Windows EFS or Microsoft Windows BitLocker, Linux dm-crypt, CloudHSM or on-premise HSM with SafeNet ProtectV
Amazon RDS - use database specific cryptographic functions, or KMS
EMR/DynamoDB - see Security Best Practices Whitepaper for options
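As an added illustration of the SSE-C option listed above (not code from the deck or from the AWS SDK): with customer-provided keys S3 does not keep the key, so every request on the object has to carry the key and an MD5 of it in three request headers, and S3 rejects the request when they are inconsistent. The header names are the real S3 ones; the key, the checks and the sample values are constructed for this example.

```python
import base64
import hashlib
import hmac
import secrets

# Real S3 request header names for SSE-C (customer-provided keys).
ALGO_HEADER = "x-amz-server-side-encryption-customer-algorithm"
KEY_HEADER = "x-amz-server-side-encryption-customer-key"
KEY_MD5_HEADER = "x-amz-server-side-encryption-customer-key-MD5"


def new_ssec_key() -> bytes:
    """Generate a fresh 256-bit key. With SSE-C the customer keeps it; S3 does not."""
    return secrets.token_bytes(32)


def ssec_headers(key: bytes) -> dict:
    """Build the three headers that must accompany every PUT, GET and HEAD of an SSE-C object."""
    if len(key) != 32:
        raise ValueError("SSE-C requires a 256-bit (32-byte) AES key")
    return {
        ALGO_HEADER: "AES256",
        KEY_HEADER: base64.b64encode(key).decode("ascii"),
        KEY_MD5_HEADER: base64.b64encode(hashlib.md5(key).digest()).decode("ascii"),
    }


def check_ssec_headers(headers: dict) -> list:
    """Consistency checks of the kind S3 applies before using a customer key.
    Returns a list of problems; an empty list means the headers are usable."""
    problems = []
    if headers.get(ALGO_HEADER) != "AES256":
        problems.append("algorithm header must be AES256")
    try:
        key = base64.b64decode(headers.get(KEY_HEADER, ""), validate=True)
    except ValueError:
        return problems + ["key header is not valid base64"]
    if len(key) != 32:
        problems.append(f"key is {len(key)} bytes, expected 32")
    expected_md5 = base64.b64encode(hashlib.md5(key).digest()).decode("ascii")
    if not hmac.compare_digest(expected_md5, headers.get(KEY_MD5_HEADER, "")):
        problems.append("key MD5 header does not match the key (corrupted in transit?)")
    return problems


if __name__ == "__main__":
    key = new_ssec_key()
    headers = ssec_headers(key)
    print(check_ssec_headers(headers))  # []
```

The same three headers must be sent again on every later GET or HEAD of the object; a wrong or missing key is refused, and if the key is lost the object is unrecoverable. That operational burden is why SSE-C is normally paired with your own key management, or replaced by KMS-managed keys where AWS holds and rotates the key material.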

Secure Your Operating Systems & Applications: With the shared responsibility model you manage operating system & application security

OS Hardening and Updates
Use of Amazon Machine Images (AMIs) makes it easy to deploy standardized operating system and application builds
Amazon provides and maintains a preconfigured set of AMIs, but you are also free to create your own and use these as the basis for EC2 instances that you deploy
Standard OS hardening principles (e.g. CIS Benchmarks, DISA STIGs) can and should be applied to the operating systems that you choose to run on EC2 instances
There are lots more detailed recommendations for securing your OS environment in the AWS Security Best Practices Whitepaper

Amazon Virtual Private Cloud (VPC): Create private clouds with Layer 2 separation, within the AWS Cloud
Use your own IP address space, allocated by you. Use RFC 1918 private address space for non-internet-routable networks
Connect to your VPC via the Internet, IPsec over the Internet, AWS Direct Connect, AWS Direct Connect with IPsec or a combination of these. Define your own subnet topology, routing table and create custom service instances such as DNS or time servers
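An added example, not from the deck, of checking a proposed VPC address plan against the advice above: the VPC block should be RFC 1918 space, subnets must fit inside the VPC without overlapping, and nothing may collide with on-premises ranges that will be reachable over IPsec or Direct Connect. The /16 to /28 limits are AWS's own constraints on VPC and subnet CIDR sizes; IPv4 is assumed and the sample CIDRs are constructed.

```python
import ipaddress

# RFC 1918 private ranges: the address space recommended for non-internet-routable networks.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# AWS accepts VPC and subnet CIDR blocks between /16 and /28 (an AWS limit, not an RFC one).
MIN_PREFIX, MAX_PREFIX = 16, 28


def check_vpc_plan(vpc_cidr, subnets, on_prem_cidrs=()):
    """Validate a proposed VPC address plan. Returns a list of problems (empty means sound).

    subnets: mapping of subnet name -> CIDR string
    on_prem_cidrs: networks reachable over IPsec VPN / Direct Connect that must not collide
    """
    problems = []
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    if not any(vpc.subnet_of(private) for private in RFC1918):
        problems.append(f"VPC {vpc} is outside RFC 1918 private address space")
    if not MIN_PREFIX <= vpc.prefixlen <= MAX_PREFIX:
        problems.append(f"VPC {vpc} prefix length must be between /{MIN_PREFIX} and /{MAX_PREFIX}")
    seen = []
    for name, cidr in subnets.items():
        net = ipaddress.ip_network(cidr, strict=True)
        if not net.subnet_of(vpc):
            problems.append(f"subnet {name} {net} is not inside VPC {vpc}")
        if not MIN_PREFIX <= net.prefixlen <= MAX_PREFIX:
            problems.append(f"subnet {name} {net} prefix length must be between /{MIN_PREFIX} and /{MAX_PREFIX}")
        for other_name, other in seen:
            if net.overlaps(other):
                problems.append(f"subnet {name} {net} overlaps subnet {other_name} {other}")
        seen.append((name, net))
    for cidr in on_prem_cidrs:
        remote = ipaddress.ip_network(cidr, strict=True)
        if vpc.overlaps(remote):
            problems.append(
                f"VPC {vpc} overlaps on-premises range {remote}; VPN/Direct Connect routes would be ambiguous"
            )
    return problems


if __name__ == "__main__":
    # Constructed plan: a /16 VPC with a public and a private subnet per zone.
    plan = {"public-a": "10.10.0.0/24", "private-a": "10.10.1.0/24", "private-b": "10.10.0.128/25"}
    for problem in check_vpc_plan("10.10.0.0/16", plan, on_prem_cidrs=["10.0.0.0/8"]):
        print(problem)
```

The on-premises check is the one most often skipped: a VPC that reuses a corporate range works fine until the IPsec tunnel or Direct Connect link comes up and both sides claim the same prefix.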

Secure Your Infrastructure

Using AWS platform features


Security Zoning and Network Segmentation
Network segmentation simply isolates one network from another
Security zones are groups of system components with similar security levels that have common controls applied to them
Combine AWS platform security features with your own overlay infrastructure components such as repositories, DNS & time servers to segment networks and create security zones
The AWS elastic cloud infrastructure & automated deployment tools mean that you can apply the same security controls across all AWS regions. Repeatable and uniform deployments improve your overall security posture

Implement OS & Higher Level Monitoring
Logs may be generated by a variety of network components as well as operating systems, platforms and applications. We recommend logging and analysis of the following event types:
• Actions taken by any individual with root or administrative privileges
• Access to all audit trails
• Invalid logical access attempts
• Use of identification and authentication mechanisms
• Initialisation of audit logs
• Creation, deletion and modification of system level objects

Area | Consideration
Log collection | Note how log files are collected. Often operating system, application, or third-party/middleware agents collect log file information
Log transport | When log files are centralized, transfer them to the central location in a secure, reliable, and timely fashion
Log storage | Centralize log files from multiple instances to facilitate retention policies, as well as analysis and correlation
Log taxonomy | Present different categories of log files in a format suitable for analysis
Log analysis/correlation | Log files provide security intelligence after you analyze them and correlate events in them. You can analyze logs in real time, or at scheduled intervals.
Log protection/security | Log files are sensitive. Protect them through network control, identity and access management, protection/encryption, data integrity authentication, and tamper-proof time-stamping

Monitoring, Alerting, Audit Trail & Incident Response: Adapt existing processes, tools & methodologies for use in the cloud


Use CloudWatch Logs to Centralise Your Logs
CloudWatch Logs enables you to monitor and troubleshoot your systems and applications using your existing system, application, and custom log files.
Send your existing system, application, and custom log files to CloudWatch Logs via our agent, and monitor these logs in near real-time.
This can help you better understand and operate your systems and applications, and you can store your logs using highly durable, low-cost storage for later access


Monitoring, Alerting, Audit Trail & Incident Response: Adapt existing processes, tools & methodologies for use in the cloud

Use CloudTrail to Record AWS API Calls
AWS CloudTrail is a web service that records AWS API calls for your account and delivers log files to you.
The recorded information includes the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by the AWS service.
With CloudTrail, you can get a history of AWS API calls for your account. The AWS API call history produced by CloudTrail enables security analysis, resource change tracking, and compliance auditing.
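An added example (not the deck's or AWS's code) that ties the CloudTrail description above to the event types recommended under "Implement OS & Higher Level Monitoring": it parses a CloudTrail log file (the JSON Records document CloudTrail delivers) and flags root activity, failed access attempts, console logins without MFA, changes to the trail itself, and IAM changes. The records are constructed for the example with invented account ids, user names and documentation-range IP addresses; the field names follow the CloudTrail record format.

```python
import json

# Constructed CloudTrail-style records (invented values, not real log data).
# Field names follow the CloudTrail record format; only the fields used below are included.
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventTime": "2018-01-23T09:00:01Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "Root", "accountId": "111111111111"},
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventTime": "2018-01-23T09:05:12Z", "eventSource": "iam.amazonaws.com",
     "eventName": "AttachUserPolicy", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "requestParameters": {"userName": "bob", "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
    {"eventTime": "2018-01-23T09:07:40Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "requestParameters": {"name": "management-trail"}},
    {"eventTime": "2018-01-23T09:09:03Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "sourceIPAddress": "198.51.100.8",
     "userIdentity": {"type": "IAMUser", "userName": "carol"},
     "errorCode": "Client.UnauthorizedOperation",
     "errorMessage": "You are not authorized to perform this operation."},
    {"eventTime": "2018-01-23T09:30:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "sourceIPAddress": "198.51.100.8",
     "userIdentity": {"type": "IAMUser", "userName": "carol"}, "responseElements": None},
]})

# API calls that stop, delete or reconfigure the audit trail itself.
AUDIT_TRAIL_EVENTS = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}
# IAM calls that create, delete or change principals and their permissions.
IAM_CHANGE_PREFIXES = ("Create", "Delete", "Attach", "Detach", "Put", "Update", "Add", "Remove")


def actor(record):
    identity = record.get("userIdentity") or {}
    return identity.get("userName") or identity.get("arn") or identity.get("type", "unknown")


def classify(record):
    """Map one record to the event categories the slide recommends logging and reviewing."""
    hits = []
    identity = record.get("userIdentity") or {}
    response = record.get("responseElements") or {}   # may be null in real records
    extra = record.get("additionalEventData") or {}
    name = record.get("eventName", "")
    source = record.get("eventSource", "")
    if identity.get("type") == "Root":
        hits.append("root-activity")              # actions by root/administrative principals
    if record.get("errorCode") or response.get("ConsoleLogin") == "Failure":
        hits.append("failed-access")              # invalid logical access attempts
    if name == "ConsoleLogin" and response.get("ConsoleLogin") == "Success" and extra.get("MFAUsed") != "Yes":
        hits.append("login-without-mfa")          # use of authentication mechanisms
    if source == "cloudtrail.amazonaws.com" and name in AUDIT_TRAIL_EVENTS:
        hits.append("audit-trail-change")         # the audit trail being stopped or altered
    if source == "iam.amazonaws.com" and name.startswith(IAM_CHANGE_PREFIXES):
        hits.append("iam-change")                 # creation/deletion/modification of system-level objects
    return hits


def triage(trail_json):
    """Parse a CloudTrail log file (the JSON 'Records' document) and return one finding per hit."""
    findings = []
    for record in json.loads(trail_json)["Records"]:
        for rule in classify(record):
            findings.append({
                "rule": rule,
                "time": record.get("eventTime"),
                "actor": actor(record),
                "event": record.get("eventName"),
                "source_ip": record.get("sourceIPAddress"),
            })
    return findings


def summarize(findings):
    """Count findings per rule, the first view an on-call analyst wants."""
    counts = {}
    for finding in findings:
        counts[finding["rule"]] = counts.get(finding["rule"], 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_TRAIL):
        print(f"{f['time']} {f['rule']:<20} {f['actor']:<8} {f['event']} from {f['source_ip']}")
    print(summarize(triage(SAMPLE_TRAIL)))
```

Run against the sample, the five findings tell one story in order: a root console login without MFA, a policy attachment that grants administrator rights, the trail being stopped by the newly privileged user, and a separate unauthorized call. The routine DescribeInstances call produces nothing, which is the point of keying detections to the slide's event categories rather than to volume.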

RESOURCES YOU CAN USE TO LEARN MORE

aws.amazon.com/security/
AWS Technical Documentation
https://aws.amazon.com/blogs/security/

AWS Security White Papers
Introduction to AWS Security
Security at Scale: Governance in AWS
Security at Scale: Logging in AWS
AWS Security Best Practices
Securing Data at Rest with Encryption
AWS Answers to Key Compliance Questions
https://aws.amazon.com/whitepapers/#security
aws.amazon.com/architecture/

AWS Training & Certification
Training: Build technical expertise to design and operate scalable, efficient applications on AWS
aws.amazon.com/training
Self-Paced Labs: Try products, gain new skills, and get hands-on practice working with AWS technologies
aws.amazon.com/training/self-paced-labs
Certification: Validate your proven skills and expertise with the AWS platform
aws.amazon.com/certification

https://aws.amazon.com/summits/summit-tel-aviv/


Thank You! January 2018

Boaz Ziniman - Technical Evangelist - AWS

Full Series: http://bit.ly/JTTCloudHeb
