Shared Security Responsibilities in AWS - LA AWS User Meetup - 2014-07-17
Transcript of Shared Security Responsibilities in AWS - LA AWS User Meetup - 2014-07-17
Shared Security Responsibilities in AWS
John Martinez, Principal Solutions Architect, Evident.io
The Obligatory “Me” Slide
• Principal Solutions Architect at Evident.io
• 4+ years AWS and Cloud Experience (but almost all AWS)
• Worked in two of the largest AWS environments
• Unix & Linux geek
• I am NOT a “SECURITY” guy!
• Passionate about DevOps, Security and helping people out
Shared Responsibilities???
The minute we gave developers the power to create infrastructure, security
became their responsibility, too!
On-Prem Compared to AWS
On-Prem:
• Physical key(cards) to DC
• Firewalls
• Network and Power Cables
AWS:
• API Access Key and Secret
• EC2 Security Groups
• VPC and EC2 APIs
And you still need to allow inbound access to your apps!
The Scary Stuff
etc…
Security Responsibilities: Where AWS stops and YOU begin
Doesn’t have to be scary!
AWS Responsibilities*
• Data center access (yes, there’s still data centers back there somewhere!)
• Physical infrastructure (servers, storage, network gear and stuff)
• Network security
• API end-points
*Full detail found in the AWS Security Whitepaper (http://media.amazonwebservices.com/pdf/AWS_Security_Whitepaper.pdf)
AWS Security Services
• Identity and Access Management (IAM)
• Security Token Service (STS) - used indirectly via IAM with Roles
• EC2 Security Groups
• EC2 Keypairs (SSH)
• VPC Subnet ACLs
• CloudTrail
• CloudHSM
The following suggestions are from personal experience, YMMV
⚠️
The Really Long IAM Section (1)
AWS provides IAM and STS for you to use, but you have to figure out how to best use them
• Enable MFA for root accounts NOW
• Then, enable MFA for IAM users next
• Enable a password policy for your IAM users
• Switch to using Roles for EC2 instances
• Limit scope of EC2 Instance Profile policies — only allow what apps need to do, nothing more
The Really Long IAM Section (2)
AWS provides IAM and STS for you to use, but you have to figure out how to best use them
• Limit the amount of people with “Admin” policies attached to their IAM users
• Demand that your 3rd party vendors use cross-account delegation using IAM roles
• Protect the shit out of your API Access Keys and Secret Keys (encrypt laptop drives, do not store on EC2 instances, do not put in GitHub repos, etc., etc.)
• If you’re an enterprise, consider federating Console access with SAML
Notes on S3
• If you’re not careful, you can inadvertently give people access to your secrets…by making the wrong object public
• However, it can be a great place to store and distribute secrets…if protected well and used with features like IAM Roles for EC2
• Configure bucket policies so they are complementary to IAM policies
• Use object versioning and lifecycle rules to archive to Glacier
Complementary Policy Examples
IAM User Policy
S3 Bucket Policy
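The slide's own policy images are not reproduced here; as an added illustration (not the deck's code), the Python below builds an EC2 instance-role policy and the matching S3 bucket policy for a secrets bucket, checks that neither side grants more than the other, and flags the "wrong object made public" mistake from the previous slide. The account id, role name and bucket name are constructed placeholders.

```python
import json

ACCOUNT_ID = "111122223333"                      # constructed placeholder
ROLE_ARN = f"arn:aws:iam::{ACCOUNT_ID}:role/app-secrets-reader"
BUCKET_ARN = "arn:aws:s3:::example-app-secrets"  # constructed placeholder

# Identity side: the EC2 instance role may only read objects in this bucket.
IAM_ROLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject"],
     "Resource": [f"{BUCKET_ARN}/*"]},
]}

# Resource side: the bucket admits only that role, and refuses any request
# not made over TLS, whatever other identity policies may say.
S3_BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": ROLE_ARN},
     "Action": ["s3:GetObject"], "Resource": [f"{BUCKET_ARN}/*"]},
    {"Effect": "Deny", "Principal": "*", "Action": "s3:*",
     "Resource": [BUCKET_ARN, f"{BUCKET_ARN}/*"],
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
]}

def _aws_principal(stmt):
    """Normalise a single-principal 'Principal' to a string; '*' = everyone."""
    p = stmt.get("Principal")
    return p.get("AWS") if isinstance(p, dict) else p

def public_allow_statements(policy):
    """Allow statements granted to '*': the 'wrong object made public' mistake."""
    return [s for s in policy["Statement"]
            if s["Effect"] == "Allow" and _aws_principal(s) == "*"]

def policies_complement(iam_policy, bucket_policy, role_arn):
    """True when every resource the identity policy allows is also granted to
    the role by the bucket policy, so neither side out-grants the other."""
    granted = {r for s in bucket_policy["Statement"]
               if s["Effect"] == "Allow" and _aws_principal(s) == role_arn
               for r in s["Resource"]}
    wanted = {r for s in iam_policy["Statement"]
              if s["Effect"] == "Allow" for r in s["Resource"]}
    return wanted <= granted

if __name__ == "__main__":
    print(json.dumps(S3_BUCKET_POLICY, indent=2))
    print("public grants:", public_allow_statements(S3_BUCKET_POLICY))
    print("complementary:", policies_complement(IAM_ROLE_POLICY, S3_BUCKET_POLICY, ROLE_ARN))
```

Only the single-principal form of `Principal` is handled; a list of principals would need a small extension.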
Be Vigilant of Strange Activity
• Instances in a region you’re not normally in (t1.micro instances are a particular favorite for testing your reaction)
• IAM users you don’t recognize
• Weird behavior from your applications
• More S3 objects and buckets than you remember or missing objects and buckets
• An unexpected increase in your AWS bill
So, What Can I Do???
• Use CloudFormation to deploy and maintain the state of your infrastructure (infrastructure *IS* code)
• Use SNS to alert you where possible: CloudFormation, AutoScaling
• Use CloudTrail to keep an eye on API activity
• Maintain blacklists/whitelists on reverse proxies behind ELBs
• And if you suspect the worst, involve AWS Support ASAP
• Subscribe to Evident.io :-)
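Added example, not from the original deck: a small offline check of the kind you could run over CloudTrail records to catch the "strange activity" listed two slides back (launches in a region you do not use, IAM users you do not recognise, console logins without MFA, bucket changes). The home regions, known-user list and sample records are constructed; the field names are the standard CloudTrail ones.

```python
HOME_REGIONS = {"us-west-2"}      # assumption: regions you normally operate in
KNOWN_USERS = {"alice", "bob"}    # assumption: your inventory of IAM users

# Constructed records carrying only the CloudTrail fields the checks read.
SAMPLE_RECORDS = [
    {"eventTime": "2014-07-17T09:00:00Z", "eventName": "ConsoleLogin", "awsRegion": "us-east-1",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "additionalEventData": {"MFAUsed": "Yes"}},
    {"eventTime": "2014-07-17T09:05:00Z", "eventName": "RunInstances", "awsRegion": "us-west-2",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "requestParameters": {"instanceType": "m3.large"}},
    {"eventTime": "2014-07-17T02:13:00Z", "eventName": "RunInstances", "awsRegion": "sa-east-1",
     "userIdentity": {"type": "IAMUser", "userName": "mallory"},
     "requestParameters": {"instanceType": "t1.micro"}},
    {"eventTime": "2014-07-17T02:14:00Z", "eventName": "CreateUser", "awsRegion": "us-east-1",
     "userIdentity": {"type": "IAMUser", "userName": "mallory"},
     "requestParameters": {"userName": "backup-svc"}},
    {"eventTime": "2014-07-17T02:20:00Z", "eventName": "ConsoleLogin", "awsRegion": "us-east-1",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "additionalEventData": {"MFAUsed": "No"}},
]

def review_record(rec, home_regions=HOME_REGIONS, known_users=KNOWN_USERS):
    """Return the list of findings for one CloudTrail record (empty if benign)."""
    findings = []
    ident = rec.get("userIdentity", {})
    actor = ident.get("userName", ident.get("type", "?"))
    params = rec.get("requestParameters") or {}
    name, region = rec["eventName"], rec["awsRegion"]
    if ident.get("type") == "IAMUser" and actor not in known_users:
        findings.append(f"unrecognised IAM user {actor!r}")
    if name == "RunInstances" and region not in home_regions:
        findings.append(f"{params.get('instanceType')} launched in {region} by {actor}")
    if name == "CreateUser":
        findings.append(f"new IAM user {params.get('userName')!r} created by {actor}")
    if name == "ConsoleLogin" and rec.get("additionalEventData", {}).get("MFAUsed") != "Yes":
        findings.append(f"console login by {actor} without MFA")
    if name in ("DeleteBucket", "DeleteBucketPolicy", "PutBucketAcl"):
        findings.append(f"{name} by {actor} on bucket {params.get('bucketName')!r}")
    return findings

def review_trail(records, **kw):
    """Map eventTime -> findings for every record that tripped at least one check."""
    return {r["eventTime"]: f for r in records if (f := review_record(r, **kw))}

if __name__ == "__main__":
    for when, found in sorted(review_trail(SAMPLE_RECORDS).items()):
        print(when, "; ".join(found))
```

In practice you would feed this the records from the JSON files CloudTrail delivers to S3 and route any findings to SNS, as the slide suggests.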
Resources
Evident.io AWS Security Resource Center
http://evident.io/aws-security-resource-center
AWS Security Blog
http://blogs.aws.amazon.com/security/blog
AWS Security Center
http://aws.amazon.com/security/
Thank you!
@johnmartinez
http://www.evident.io/