AWS Security Meetup: How to Implement Top 10 AWS Security Best Practices
AWS Security Strategy
Transcript of AWS Security Strategy
AWS Security Strategy: Enterprise Security on AWS
Teri Radichel, Cloud Architect | WatchGuard Technologies | @teriradichel
The CIO of the 5th largest bank in the US says they can be more secure in AWS than in their own data center.
Possible?
About That Internet Thing…
You are already using shared infrastructure.
How do you secure it?
Security Policy
Yours. Do you know what it says? Does everybody follow it?
AWS: https://d0.awsstatic.com/whitepapers/aws-security-whitepaper.pdf
What’s In Your Network?
Do you really know?
Automated Configuration
AWS facilitates automated infrastructure and application deployment via code stored in source control.
Automated Event-Driven Security
AWS makes it easier to automatically react to events that trigger a security response.
Points of Discovery and Reaction
• Knowns:
  • Prevent from entering environment
  • Detect and roll back on entry into environment
• Unknowns:
  • Baseline normal behavior
  • React to anomalies – alerts, investigation
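The "knowns" half of that slide (detect a bad change on entry, then alert or roll it back) can be expressed as a small rule set run over CloudTrail records. The block below is an added example, not code from the talk or from the AWSSecurityAutomationFramework repository; the record shapes follow CloudTrail's JSON format, but every value in them (the placeholder account id 123456789012, the IPs, the user and trail names) is constructed. In a live deployment the records would arrive through a CloudWatch Events rule into a Lambda function; here they are embedded so the logic runs offline.

```python
"""Event-driven security triage over CloudTrail records (added example)."""

# Constructed sample CloudTrail records (placeholder account 123456789012).
SAMPLE_EVENTS = [
    {   # root user signs in to the console without MFA
        "eventName": "ConsoleLogin",
        "eventSource": "signin.amazonaws.com",
        "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root"},
        "additionalEventData": {"MFAUsed": "No"},
        "sourceIPAddress": "198.51.100.7",
    },
    {   # a user opens SSH to the whole internet on a security group
        "eventName": "AuthorizeSecurityGroupIngress",
        "eventSource": "ec2.amazonaws.com",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/dev1"},
        "requestParameters": {
            "groupId": "sg-0123456789abcdef0",
            "ipPermissions": {"items": [{
                "ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
                "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]},
            }]},
        },
    },
    {   # someone turns off the audit trail
        "eventName": "StopLogging",
        "eventSource": "cloudtrail.amazonaws.com",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/dev1"},
        "requestParameters": {"name": "main-trail"},
    },
    {   # routine read-only call: no reaction expected
        "eventName": "DescribeInstances",
        "eventSource": "ec2.amazonaws.com",
        "userIdentity": {"type": "AssumedRole",
                         "arn": "arn:aws:sts::123456789012:assumed-role/Ops/alice"},
    },
]

# Control-plane actions that disable the audit trail; always a "known" to react to.
TRAIL_TAMPERING = {"StopLogging", "DeleteTrail", "UpdateTrail"}


def world_open_ranges(event):
    """Return (fromPort, toPort, cidr) for every ingress range open to 0.0.0.0/0 or ::/0."""
    perms = event.get("requestParameters", {}).get("ipPermissions", {}).get("items", [])
    open_ranges = []
    for perm in perms:
        for r in perm.get("ipRanges", {}).get("items", []):
            if r.get("cidrIp") == "0.0.0.0/0":
                open_ranges.append((perm.get("fromPort"), perm.get("toPort"), r["cidrIp"]))
        for r in perm.get("ipv6Ranges", {}).get("items", []):
            if r.get("cidrIpv6") == "::/0":
                open_ranges.append((perm.get("fromPort"), perm.get("toPort"), r["cidrIpv6"]))
    return open_ranges


def classify(event):
    """Map one CloudTrail record to (severity, reaction), or None if no reaction is needed."""
    name = event.get("eventName")
    identity = event.get("userIdentity", {})
    if name == "ConsoleLogin" and identity.get("type") == "Root":
        mfa = event.get("additionalEventData", {}).get("MFAUsed")
        if mfa != "Yes":
            return "critical", "alert: root console login without MFA"
        return "high", "alert: root console login"
    if name == "AuthorizeSecurityGroupIngress":
        open_ranges = world_open_ranges(event)
        if open_ranges:
            gid = event["requestParameters"].get("groupId", "?")
            ports = ", ".join(f"{lo}-{hi}" for lo, hi, _ in open_ranges)
            return "high", f"roll back: revoke world-open ingress on {gid} (ports {ports})"
    if name in TRAIL_TAMPERING:
        return "critical", f"alert and restore logging: {name}"
    return None


def triage(events):
    """Run classify() over a batch and return only the records that need a response."""
    findings = []
    for event in events:
        result = classify(event)
        if result is None:
            continue
        severity, reaction = result
        findings.append({
            "eventName": event.get("eventName"),
            "actor": event.get("userIdentity", {}).get("arn"),
            "severity": severity,
            "reaction": reaction,
        })
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"[{f['severity']}] {f['eventName']} by {f['actor']}: {f['reaction']}")
```

The `reaction` strings are deliberately descriptive rather than executable: the roll-back call (a `RevokeSecurityGroupIngress` with the same parameters) belongs in the Lambda that consumes these findings, where it can be tested and logged separately from the detection rule.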
Recommendations…
• Best Practices
• Lessons Learned
• Ideas
• Tools
Follow IAM Best Practices
Follow Evident IO Best Practices
The Right People
Cowboy has no well-thought-out plan or expertise.
Mr. No Kills Innovation. He is not open to new ideas.
Analysis Paralysis Kills Productivity
Engineers = expertise + well-designed solutions based on available data
Deployment Pipeline
DevOps, security, developer and QA teams should all use the same process for AWS deployments.
Add Security Controls at this checkpoint.
Facilitates inventory, audit and compliance.
CICD – Continuous Integration, Continuous Deployment
Automate Everything
From The Start.
Security Automation
• Automate Biggest Risks ~ Verizon Data Breach Report
• Automated Deployments – CloudFormation, SDKs
  - Consider Immutable Infrastructure where possible
• Automated Compliance – AWS Config, AWS Inspector
• Automated Security Operations – AWS WAF, 3rd Party Tools
• Custom automation – roll your own
• Automated Intrusion Detection – Proof of Concept Framework: https://github.com/tradichel/AWSSecurityAutomationFramework
Other Options for SSH and Access Secret Key
• IAM Roles for Users and AWS Resources
• Cross Account Roles
• Active Directory Integration
• STS – temporary credentials
• Use MFA where possible
• Consider CLI, Console and Instance Logins
• If using keys, train users that keys are passwords and treat as such
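Two of the items above, least-privilege IAM policies and MFA-gated STS role assumption, can be checked statically before a policy is deployed. The block below is an added example, not code from the talk: the policy documents are constructed (placeholder account id 123456789012, a made-up bucket name), while the IAM policy grammar, the `sts:AssumeRole` action and the `aws:MultiFactorAuthPresent` condition key with the `Bool` operator are AWS's own.

```python
"""Static checks on IAM policy documents (added example)."""

# Constructed policies (placeholder account id 123456789012).
ADMIN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::example-app-bucket/*"},
        {"Effect": "Allow",
         "Action": "ec2:*",            # service-wide wildcard on every resource
         "Resource": "*"},
        {"Effect": "Deny", "Action": "*", "Resource": "*",
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ],
}

# Trust policies: who may call sts:AssumeRole on a role, and under what condition.
TRUST_WITH_MFA = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}},
    }],
}

TRUST_WITHOUT_MFA = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
        "Action": "sts:AssumeRole",
    }],
}


def _as_list(value):
    """IAM accepts a string or a list for Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def audit_permissions(policy):
    """Return (statement index, finding) pairs for overly broad Allow statements.

    Deny statements are skipped: a broad Deny narrows access, it does not widen it.
    """
    findings = []
    for idx, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        all_resources = "*" in _as_list(stmt.get("Resource"))
        if "*" in actions and all_resources:
            findings.append((idx, "full administrative access: Action '*' on Resource '*'"))
            continue
        wide = [a for a in actions if a.endswith(":*")]
        if wide and all_resources:
            findings.append((idx, f"service-wide wildcard {wide} on all resources"))
    return findings


def trust_requires_mfa(trust_policy):
    """True only if every Allow sts:AssumeRole statement demands an MFA-authenticated caller."""
    assume_statements = [
        s for s in trust_policy.get("Statement", [])
        if s.get("Effect") == "Allow" and "sts:AssumeRole" in _as_list(s.get("Action"))
    ]
    if not assume_statements:
        return False
    for stmt in assume_statements:
        flag = stmt.get("Condition", {}).get("Bool", {}).get("aws:MultiFactorAuthPresent")
        if str(flag).lower() != "true":
            return False
    return True


if __name__ == "__main__":
    print("admin policy:", audit_permissions(ADMIN_POLICY))
    print("scoped policy:", audit_permissions(SCOPED_POLICY))
    print("MFA trust ok:", trust_requires_mfa(TRUST_WITH_MFA))
    print("no-MFA trust ok:", trust_requires_mfa(TRUST_WITHOUT_MFA))
```

Running these checks in the deployment pipeline (the checkpoint the earlier slide describes) is what turns "follow IAM best practices" from a guideline into something a pull request can fail on.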
Encryption on AWS
• KMS - AWS Key Management Service
• CloudHSM - Single Tenant Hardware Security Module
• Bring Your Own Key – import from your own key manager or HSM
• AWS Certificate Manager - SSL/TLS for encryption in transit
5. Plan Network Carefully.
Diagram: three network access patterns (Internet Access, AWS Only, AWS to Corporate), each built from security groups.
Routes: Enforce Traffic Flow. Subnets: Larger. Security Groups: Whitelist.
Avoid This
So many holes in your network, and so many agents running, that you no longer know what is traversing your network and network security becomes pointless.
Avoid This
Subnets with almost nothing in them have the potential to exhaust your IP space.
It also becomes unwieldy to manage numerous subnets and security groups.
Use security groups for application specific rules.
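The two "Avoid This" slides and the whitelist rule can be checked against a VPC definition before it is deployed. The block below is an added example, not code from the talk; the CloudFormation template fragment is constructed (the resource types `AWS::EC2::Subnet` and `AWS::EC2::SecurityGroup` and their property names are real). It relies on two facts about AWS subnets: five addresses in every subnet are reserved (the first four and the last), and /28 is the smallest subnet AWS permits, so a /28 yields only 11 usable addresses. The port whitelist and the "internal range no wider than /16" threshold are assumptions chosen for the example.

```python
"""Audit subnet sizing and security-group ingress in a CloudFormation-style VPC (added example)."""
import ipaddress

AWS_RESERVED_PER_SUBNET = 5   # network, VPC router, DNS, future use, broadcast

# Constructed template fragment.
TEMPLATE = {
    "Resources": {
        "WebSubnet": {"Type": "AWS::EC2::Subnet",
                      "Properties": {"CidrBlock": "10.0.0.0/24"}},
        "TinySubnet": {"Type": "AWS::EC2::Subnet",
                       "Properties": {"CidrBlock": "10.0.1.0/28"}},
        "WebSg": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
            "GroupDescription": "web tier",
            "SecurityGroupIngress": [
                {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "0.0.0.0/0"},
                {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"},
            ]}},
        "AppSg": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
            "GroupDescription": "app tier: only the web tier may reach it",
            "SecurityGroupIngress": [
                {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,
                 "SourceSecurityGroupId": {"Ref": "WebSg"}},
            ]}},
        "DbSg": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
            "GroupDescription": "db tier",
            "SecurityGroupIngress": [
                {"IpProtocol": "-1", "CidrIp": "10.0.0.0/8"},   # all protocols from all of 10/8
            ]}},
    }
}


def _resources(template, rtype):
    return [(n, r["Properties"]) for n, r in template["Resources"].items() if r["Type"] == rtype]


def usable_addresses(cidr):
    """Addresses an instance can actually be given in a subnet of this size."""
    return ipaddress.ip_network(cidr).num_addresses - AWS_RESERVED_PER_SUBNET


def audit_subnets(template, min_usable=64):
    """Flag subnets so small that the reserved addresses are a large share of them."""
    findings = []
    for name, props in _resources(template, "AWS::EC2::Subnet"):
        cidr = props["CidrBlock"]
        usable = usable_addresses(cidr)
        if usable < min_usable:
            findings.append((name, f"{cidr}: only {usable} usable addresses"))
    return findings


def audit_security_groups(template, internet_ok_ports=(443,), internal_max_prefix=16):
    """Flag ingress rules that are not a whitelist.

    Rules whose source is another security group are application-specific and
    pass. CIDR rules fail if they are open to the internet on any port outside
    internet_ok_ports, or if they allow all protocols from an internal range
    wider than /internal_max_prefix.
    """
    findings = []
    for name, props in _resources(template, "AWS::EC2::SecurityGroup"):
        for rule in props.get("SecurityGroupIngress", []):
            cidr = rule.get("CidrIp") or rule.get("CidrIpv6")
            if cidr is None:
                continue
            net = ipaddress.ip_network(cidr)
            lo, hi = rule.get("FromPort"), rule.get("ToPort")
            all_protocols = str(rule.get("IpProtocol")) == "-1"
            if net.prefixlen == 0:
                ports_ok = (not all_protocols and lo is not None
                            and set(range(lo, hi + 1)) <= set(internet_ok_ports))
                if not ports_ok:
                    findings.append((name, f"open to the internet ({cidr}) on ports {lo}-{hi}"))
            elif all_protocols and net.prefixlen < internal_max_prefix:
                findings.append((name, f"all protocols from wide internal range {cidr}"))
    return findings


if __name__ == "__main__":
    print("subnets:", audit_subnets(TEMPLATE))
    print("security groups:", audit_security_groups(TEMPLATE))
```

`AppSg` passes because its only ingress rule names `WebSg` as the source: that is the "application specific rules" pattern the slide recommends, and it stays correct as instances in either tier come and go.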
Architect for the Cloud
Avoid Lift and Shift
Costs will be higher
Doesn’t leverage AWS
Possible Security Issues
Fix it later…right.
If you do... keep it in a separate account.
Scalable Dev Ops
Use Process Controls
Technology can’t make your toast. Yet. Use process controls when needed.
Have a Sandbox Account
Tightly secure other accounts. Match production or purpose built.
AWS Monitoring Tools
• VPC Flow Logs ~ like NetFlow for VPC, not real time
• CloudTrail ~ Monitor actions taken on AWS
• CloudWatch ~ Any kind of logs, cannot be altered if properly secured
• 3rd Party Tools
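VPC Flow Logs are the raw material for the "baseline normal behavior, react to anomalies" side of the earlier slide. The block below is an added example, not the talk's code: it parses records in the default (version 2) flow log field order, then separates a known-bad condition (outside traffic accepted on an internal port that is not whitelisted) from an anomaly relative to a baseline (a source rejected on more distinct ports than normal). The records are constructed with documentation IP ranges and a placeholder account id; the internal prefix 10.0.0.0/16, the whitelist of port 443 and the distinct-port threshold are assumptions for the example.

```python
"""Parse VPC Flow Log records and flag known-bad accepts and anomalous reject patterns (added example)."""
from collections import defaultdict
import ipaddress

# Default VPC Flow Logs field order (version 2).
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()
INT_FIELDS = {"srcport", "dstport", "protocol", "packets", "bytes", "start", "end"}

# Constructed flow records for one interface on 10.0.0.12 (placeholder account).
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d 203.0.113.5 10.0.0.12 44321 443 6 10 8400 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 203.0.113.9 10.0.0.12 51000 22 6 1 60 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 203.0.113.9 10.0.0.12 51001 23 6 1 60 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 203.0.113.9 10.0.0.12 51002 3389 6 1 60 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 203.0.113.9 10.0.0.12 51003 445 6 1 60 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 10.0.0.12 203.0.113.5 443 44321 6 8 12000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 198.51.100.20 10.0.0.12 60123 8080 6 3 240 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.0.30 10.0.0.12 40000 22 6 2 160 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1700000060 1700000120 - NODATA
"""

INTERNAL = ipaddress.ip_network("10.0.0.0/16")   # assumed VPC range


def parse_flow_log(text):
    """Yield one dict per record; NODATA/SKIPDATA rows carry no flow fields and are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":
            continue
        for f in INT_FIELDS:
            rec[f] = int(rec[f])
        yield rec


def unexpected_accepts(records, allowed_ports=frozenset({443})):
    """Known-bad: traffic from outside the VPC accepted on an internal port not in the whitelist."""
    hits = []
    for r in records:
        src = ipaddress.ip_address(r["srcaddr"])
        dst = ipaddress.ip_address(r["dstaddr"])
        if (r["action"] == "ACCEPT" and dst in INTERNAL and src not in INTERNAL
                and r["dstport"] not in allowed_ports):
            hits.append((r["srcaddr"], r["dstport"]))
    return hits


def reject_port_counts(records):
    """Baseline input: number of distinct destination ports each source was rejected on."""
    ports = defaultdict(set)
    for r in records:
        if r["action"] == "REJECT":
            ports[r["srcaddr"]].add(r["dstport"])
    return {src: len(p) for src, p in ports.items()}


def probable_scanners(records, max_distinct_ports=2):
    """Anomaly: sources rejected on more distinct ports than the baseline tolerates."""
    counts = reject_port_counts(records)
    return sorted(src for src, n in counts.items() if n > max_distinct_ports)


if __name__ == "__main__":
    recs = list(parse_flow_log(SAMPLE_LOG))
    print("unexpected accepts:", unexpected_accepts(recs))
    print("rejects per source:", reject_port_counts(recs))
    print("probable scanners:", probable_scanners(recs))
```

Because flow logs are delivered in batches rather than in real time, this kind of analysis is a detective control that feeds alerts and investigation; the security group and route checks earlier on the page are the preventive ones.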
Teri Radichel, Cloud Architect
WatchGuard Technologies ~ We are hiring!
@teriradichel
Security Certifications and Papers: Http://www.giac.org/certified-professional/teri-radichel/140127
Thank you!