2013 AWS Worldwide Public Sector Summit Washington, D.C.

Size: px

Start display at page:

Download "2013 AWS Worldwide Public Sector Summit Washington, D.C."

Brianne Lawrence
5 years ago
Views:

1 Washington, D.C. Security, Compliance, and Governance on the AWS Cloud CJ Moses GM, Government Cloud Solutions

2 AWS Platform Your Applications Management & Administration Identity & Access AWS IAM Identity Federation Consolidated Billing Application Platform Services Content Delivery Amazon CloudFront Web Interface Management Console Application Svcs Amazon Simple Workflow Service Amazon CloudSearch Amazon SNS, SQS, SES Monitoring Amazon CloudWatch Parallel Processing Elastic MapReduce Deployment & Automation AWS Elastic Beanstalk AWS CloudFormation AWS OpsWorks AWS Cloud HSM Libraries & SDKs Java,.NET, PHP, Python, Ruby, Node.js, Android, ios Foundation Services Compute Amazon EC2 Auto Scaling Storage Amazon S3 Amazon EBS Amazon Storage Gateway Amazon Glacier Database Amazon RDS Amazon ElastiCache Amazon DynamoDB Amazon Reshift Networking Amazon VPC Elastic Load Balancing Amazon Route 53 AWS Direct Connect AWS Global Infrastructure Availability Zones Regions Edge Locations

AWS Security and Compliance Center http://aws.amazon.

3 AWS Security and Compliance Center Answers to many security & privacy questions Overview of Security Processes whitepaper Risk and Compliance whitepaper Security bulletins Customer penetration testing Security best practices More information on: AWS Identity & Access Management (AWS IAM) AWS Multi-Factor Authentication (AWS MFA)

4 Security is a Shared Responsibility Customer Facilities Physical security Compute infrastructure Storage infrastructure Network infrastructure Virtualization layer (EC2) Hardened service endpoints Rich IAM capabilities Network configuration Security groups + = OS firewalls Operating systems Applications Proper service configuration Account management Authorization policies Re-focus your security professionals on a subset of the problem Take advantage of high levels of uniformity and automation

5 Amazon Customer Shared responsibility Customer Data Platform, Applications, Identity & Access Management Operating System, Network & Firewall Configuration Customers implement their own set of controls Multiple customers with FISMA Low and Moderate ATOs Client-side Data Encryption & Data Integrity Authentication Server-side Encryption (File System and/or Data) Network Traffic Protection (Encryption/Integrity/Identity) Foundation Services Compute Storage Database Networking AWS Global Infrastructure Availability Zones Regions Edge Locations SOC 1/SSAE 16/ISAE 3402 SOC 2 ISO 27001/ 2 Certification Payment Card Industry (PCI) Data Security Standard (DSS) NIST Compliant Controls DoD Compliant Controls FedRAMP HIPAA and ITAR Compliant

6 Global Infrastructure 9 AWS regions 42 AWS edge locations

AWS Regions & Availability Zones US REGIONS GLOBAL REGIONS US East (VA) US West (CA) Asia Pacific (Tokyo) Asia Pacific (Singapore) Availability Zone A Availability Zone B Availability Zone A

7 AWS Regions & Availability Zones US REGIONS GLOBAL REGIONS US East (VA) US West (CA) Asia Pacific (Tokyo) Asia Pacific (Singapore) Availability Zone A Availability Zone B Availability Zone A Availability Zone B Availability Zone A Availability Zone B Availability Zone A Availability Zone B Availability Zone C Availability Zone D Availability Zone C US West (OR) GovCloud (OR) EU (Ireland) South America (Sao Paulo) Asia Pacific (Sydney) Availability Zone A Availability Zone B Availability Zone A Availability Zone B Availability Zone A Availability Zone B Availability Zone A Availability Zone B Availability Zone A Availability Zone B Availability Zone C Availability Zone C Customer Decides Where Applications and Data Reside Note: Conceptual drawing only. The number of Availability Zones may vary.

8 Global Infrastructure GovCloud (US) 9 AWS regions 42 AWS edge locations

9 AWS GovCloud (US) The AWS GovCloud (US) Region: built for government customers Sensitive / CUI (controlled, unclassified information) workloads ITAR workloads All customers are either government agencies or businesses who serve government Community cloud The same but different Generally the same APIs as AWS commercial clouds, but Amazon Virtual Private Cloud networking only (no EC2 NAT) Distinct console, credentials and AWS IAM (Identity & Access Management) database FIPS certified VPN and API endpoints

10 Credentials AWS Public Account Billing is linked AWS GovCloud (US) Account IAM Group IAM Group IAM User 1 IAM User 2 IAM User 1 IAM User 2 US East (VA) US West (CA) US West (OR) EU (Ireland) GovCloud (US) Asia Pacific (Tokyo) Asia Pacific (Singapore) Asia Pacific (Sydney) South America (Sao Paulo)

Physical Security of Data Centers Amazon has been building large-scale data centers for many years Important attributes: Non-descript facilities Robust perimeter controls Strictly controlled physical

11 Physical Security of Data Centers Amazon has been building large-scale data centers for many years Important attributes: Non-descript facilities Robust perimeter controls Strictly controlled physical access 2 or more levels of two-factor authentication Controlled, need-based access All access is logged and reviewed Separation of Duties Employees with physical access don t have logical privileges Maps to an Availability Zone

12 Continuous Availability Model AWS is Built for Continuous Availability Scalable, fault tolerant services All Datacenters (AZs) are always on No Disaster Recovery Datacenter Managed to the same standards Robust Internet connectivity Each AZ has redundant, Tier 1 Service Providers Resilient network infrastructure

13 AWS Configuration Management Most updates are done in such a manner that they will not impact the customer Changes are authorized, logged, tested, approved, and documented AWS will communicate with customers, either via , or through the AWS Service Health Dashboard ( when there is a chance they may be affected

14 Data Backup & Replication AWS favors replication over traditional backup Equivalent to more traditional backup solutions Higher data availability and throughput No tapes with AWS customer data Makes data available in multiple edge locations Amazon CloudFront, Amazon Route 53 Cross Region Amazon EBS snapshot and AMI copy Data replicated to multiple Availability Zones within a single Region Amazon S3, Amazon S3 RRS, Amazon DynamoDB, Amazon SimpleDB, Amazon SQS, Amazon RDS Multi-AZ, Amazon EBS Snapshots, etc Data replicated to multiple physical locations within a single Availability Zone Amazon EBS, Amazon RDS Data NOT automatically replicated Amazon EC2 instance store (a.k.a. ephemeral drives)

15 Storage Device Decommissioning All storage devices go through process Equivalent to more traditional backup solutions Higher data availability and throughput No tapes with AWS customer data Uses techniques from DoD M ( National Industrial Security Program Operating Manual ) NIST ( Guidelines for Media Sanitization ) Ultimately degaussed physically destroyed

16 Amazon S3 Security Access controls at bucket and object level: Read, Write, Full Owner has full control Customer Encryption SSL Supported Server Side Encryption Durability % Availability 99.99% Versioning (MFA Delete) Detailed Access Logging Signed URLs { } "Version": " "Statement": [ { "Sid": "AllowPublicRead", "Effect": "Allow", "Principal": { "AWS": "*" }, "Action": "s3:getobject", "Resource": "arn:aws:s3:::tw-cloudfront-source/* } ]

Network Security Considerations Distributed Denial of Service (DDoS): Standard mitigation techniques in effect Man in the Middle (MITM): All endpoints protected by SSL Fresh EC2 host keys generated

17 Network Security Considerations Distributed Denial of Service (DDoS): Standard mitigation techniques in effect Man in the Middle (MITM): All endpoints protected by SSL Fresh EC2 host keys generated at boot IP Spoofing: Prohibited at host OS level Unauthorized Port Scanning: Violation of AWS TOS Detected, stopped, and blocked Inbound ports blocked by default Packet Sniffing: Promiscuous mode is ineffective Protection at hypervisor level

18 Amazon EC2 Security Host operating system Individual SSH keyed logins via bastion host for AWS admins All accesses logged and audited Guest (a.k.a. Instance) operating system Customer controlled (customer owns root/admin) AWS admins cannot log in Customer-generated keypairs Stateful firewall Mandatory inbound firewall, default deny mode Customer controls configuration via Security Groups Signed API calls Require X.509 certificate or customer s secret AWS key

19 Virtual Memory and Local Disk Proprietary disk management prevents one instance from reading the disk contents of another Disk is wiped upon creation Disks can be encrypted by the customer for added layer of security

20 Amazon EC2 Instance Isolation Customer 1 Customer 2 Customer n Hypervisor Virtual Interfaces Customer 1 Security Groups Customer 2 Security Groups Customer n Security Groups Firewall Physical Interfaces

21 Network Traffic Flow Security AWS Security Groups Inbound traffic must be explicitly specified by protocol, port, and security group VPC adds outbound filters Inbound Traffic Amazon VPC also adds Network Access Control Lists (ACLs): Inbound and outbound stateless filters OS Firewall (e.g., iptables) may be implemented Completely user controlled security layer Granular access control of discrete hosts Logging network events Amazon EC2 OS Firewall AWS Security Group

22 Amazon Virtual Private Cloud (VPC) Create a logically isolated environment in Amazon s highly scalable infrastructure Specify your private IP address range into one or more public or private subnets Control inbound and outbound access to and from individual subnets using stateless Network Access Control Lists Protect your Instances with stateful filters for inbound and outbound traffic using Security Groups Attach an Elastic IP address to any instance in your Amazon VPC so it can be reached directly from the Internet Bridge your Amazon VPC and your onsite IT infrastructure with an industry standard encrypted Amazon VPN connection Use a wizard to easily create your Amazon VPC in 4 different topologies

23 Amazon EC2 Classic Internet EC2 Customer 1 EC2 EC2 EC2 EC Customer 2 EC2 Customer 3 EC2 EC AZ A AZ B AWS Region EC2 classic is one big /8 network EC

24 Amazon VPC Internet Internet GW EC2 EC2 EC2 EC ( ) ( ) SN /24 SN /24 VPC /16 AZ A AZ B AWS Region Amazon VPC network isolation

25 Amazon VPC Network Security Controls

26 Amazon VPC - Dedicated Instances Option to ensure physical hosts are not shared with other customers Can identify specific EC2 Instances as dedicated Optionally configure entire Amazon VPC as dedicated

27 AWS CloudHSM Protect and store your cryptographic keys with industry standard, tamper-resistant AWS CloudHSM appliances. No one but you has access to your keys (including Amazon administrators who manage and maintain the appliance). Use your most sensitive and regulated data on Amazon EC2 without giving applications direct access to your data's encryption keys. Store and access data reliably from your applications that demand highly available and durable key storage and cryptographic operations. Use AWS CloudHSM in conjunction with your compatible on-premise HSMs to replicate keys among on-premise HSMs and AWS CloudHSMs. This increases key durability and makes it easy to migrate cryptographic applications from your datacenter to AWS. SafeNet Luna SA HSM

28 AWS CloudHSM

AWS Identity and Access Management Users and Groups within Accounts Unique security credentials Access

API calls must be signed by a secret key Deep integration into some Services Amazon S3: policies on

Applications use LDAP, Active Directory/ADFS, etc.

29 AWS Identity and Access Management Users and Groups within Accounts Unique security credentials Access keys Login/Password Enforce password complexity optional MFA device Policies control access to AWS APIs API calls must be signed by a secret key Deep integration into some Services Amazon S3: policies on objects and buckets AWS Management Console supports User log on Not for Operating Systems or Applications use LDAP, Active Directory/ADFS, etc... Groups Account Roles Administrators Developers Applications Jim Brad Reporting Bob Mark Console Susan Tomcat Kevin Multi-factor authentication AWS system entitlements

30 AWS Multi-Factor Authentication Helps prevent access based on unauthorized knowledge of your e- mail address and password Additional protection for account information Works with master account and AWS IAM users Integrated into AWS Management Console Key pages on the AWS Portal Amazon S3 (Secure Delete) Virtual MFA (using OATH standard) Groups Account Roles Administrators Developers Applications Jim Brad Reporting Bob Mark Console Susan Tomcat Kevin Multi-factor authentication AWS system entitlements

Use End User 1 End User 1 End User Group Reseller User 1 End User 2 End User 2 End User 1 Reseller User

31 Identity & Access Management Consolidated Billing Account Management/Isolation Payor Account Linked Account Customer 1 Linked Account Customer 2 Linked Account Customer 3 Linked Account Reseller Internal Use End User 1 End User 1 End User Group Reseller User 1 End User 2 End User 2 End User 1 Reseller User 2 End User 3 End User 3 End User 2 Reseller User 3 End User 4 End User 3 Reseller User 4 End User 5 End User 4

32 The Capability/Transparency Trade-up What You Give Up - Low-level operational details of the infrastructure - Control over low-level capabilities - Ability to physically examine servers What You Get - Flexible, useful environment - High investment and capability in security - Certifications, reports - Reduced compliance ops burden

33 Accreditation & Compliance, Old and New Old world New world Audits done by an in-house team Audits done by third party auditors Regardless of actual security, check the box Superior security drives broad compliance Check once a year Continuous monitoring, checking Workload-specific security Security based on all workload scenarios

34 Expert Audits: the Validation Scalpel SME SME SME SME SME SME=subject matter expert

35 Customers Getting Certified Controls Reports Reliance Practices Customer Verified + Tested Customer Controls Controls

Security Infrastructure The entire customer community benefits from the

36 Benefits of Scale Apply to Security and Compliance Everyone s Systems and Applications Security Infrastructure Requirements Requirements Requirements Security Infrastructure The entire customer community benefits from the world-class AWS security team, market-leading capabilities, and on-going security improvements

FedRAMP Compliance Paths 1. Joint Authorization Board Approval (P-ATO) JAB (members from DHS, GSA, DoD) approves package for hypothetical workloads 2.

37 FedRAMP Compliance Paths 1. Joint Authorization Board Approval (P-ATO) JAB (members from DHS, GSA, DoD) approves package for hypothetical workloads 2. Agency ATO Agency approves FedRAMP package for actual workloads 3. CSP-supplied documentation, with 3PAO No agency review/approval, but with 3PAO sign off on the audit 4. CSP-supplied documentation, without 3PAO No agency review/approval, and no 3PAO sign off on the audit AWS is focused on paths 2 & 3 in the near term, later 1

38 FedRAMP: Spectrum of Approaches Government COTR We don t care about FedRAMP; we ll issue our own ATO. Agency Security Official Our agency will authorize our new AWS system with a FedRAMP ATO. Government ISSO Our agency won t speak to AWS without a FedRAMP ATO. Progressive Conservative Our agency isn t sure how we are handling FedRAMP; we ll proceed towards our own ATO for now. Government ISSO Our agency requires a FedRAMP JAB P-ATO. We ll start working with AWS but will wait for that. Government PM

39 Governance: Extension and Integration Private Connections Workload Migrations On-Premises Apps Access Control Integration Cloud Apps Work with Existing Management Tools Your Data Centers

Your Private Network Your Data Our Storage AWS Storage Gateway Your Data

40 Many Capabilities to Support Hybrid Architectures IAM Active Directory Users & Access Rules VMware Images VM Import/Export Network Configuration Your Private Network Your Data Our Storage AWS Storage Gateway Your Data Centers Your On-Premises Apps AmazDirect Connect Your Cloud Apps Amazon VPC

41 AWS Ecosystem Includes Existing Management Tools Single Pane of Glass Workload Migration Inventory VMs App 1 Your Data Center App 2 Your Data Center

42 Re-thinking Incident Response in the Cloud Challenge laid down by NASA JPL Office of the Inspector General: how do you isolate and then investigate potentially compromised virtual machines? Easy in the old world unjack the network, haul off to forensics lab What is the cloud equivalent? JPL cloud architects working with AWS came up with a solution that OIG considers better than on-premises solutions

Schematic of Solution Change security group to Isolate Attach Elastic Network Interface with security group forensics-target Web server 10.0.1.60 Subnet Completely 10.0.1.0/24 isolated subnet Virtual 10.

43 Schematic of Solution Change security group to Isolate Attach Elastic Network Interface with security group forensics-target Web server Subnet Completely /24 isolated subnet Virtual /24 router Internet gateway Workstation Attach Elastic Network Interface with security group forensics-source Elastic Network Interface Security group: Forensics-target (forensics target security group) Elastic Network Interface Security group: Forensics-source (forensics source security group)

Governance Tool: AWS Trusted Advisor Online service from AWS Premium Support Analyzes account for various kinds of issues and possible concerns

44 Governance Tool: AWS Trusted Advisor Online service from AWS Premium Support Analyzes account for various kinds of issues and possible concerns Soon available as an API for integration with your tools or 3 rd party solutions Four categories: Cost savings Security Fault tolerance Performance

45 AWS Cloud Governance Service Enablers Governance Area Roles and Responsibilities Configuration Management Financial Controls Monitoring and Reporting AWS Technologies Identity and Access Management: Groups, Policies, Roles Private, hardened AMIs AWS Cloud Formation Templates AWS Elastic Beanstalk AWS OpsWorks Linked Accounts, Consolidated Billing Tagging of resources Amazon CloudWatch Billing Alarms Amazon Cloud Watch Amazon CloudWatch Alarms Amazon Simple Notification Service

46 AWS Cloud Governance Service Enablers (cont.) Governance Area Information Assurance: Processing Information Assurance: Storage Information Assurance Transmission AWS Technologies Corporate Gold master AMIs (operating system images) Amazon VPC network isolation for all workloads Dedicated Amazon EC2 Instances AWS CloudHSM service Amazon S3 AES 256 bit server-side encryption, client-side encryption Amazon EBS Volume Encryption Amazon RDS database encryption features Complete destruction of all storage media on decommissioning SSL termination for all AWS endpoints HW/SW VPN Connections AWS Direct Connect

47 AWS Cloud Governance Service Enablers (cont.) Governance Area Network Security Access Controls Identification and Authentication AWS Technologies Private addressing (Amazon Virtual Private Cloud) Network ACLs Security Groups Virtual Private Gateways Identity and Access Management Policies across all services Amazon S3 Bucket Policies Amazon EC2 Instance Roles Identity and Access Management Federated Identity Management (AWS as relying party) Multi-Factor Authentication Group Policies and Roles Strong password policies

48 AWS Cloud Governance Service Enablers (cont.) Governance Area Disaster Recovery and Continuity of Operations AWS Technologies Data Amazon EBS Snapshots Amazon S3 Near-Line Storage Amazon Glacier Near-Offline Storage AWS Storage Gateway Bulk Data via AWS Import/Export Managed AWS No-SQL/SQL Database Services Extensive 3rd Party Solutions Workload Amazon Elastic Load Balancers, Amazon EC2 Auto Scaling, Amazon CloudWatch Amazon Route 53 Health Checks, Latency Based Routing Amazon CloudFront Content Delivery Network Multi-AZ, Multi-Region Workload Deployment

49 Questions??? Security, Compliance and Governance on the AWS Cloud

Security Token Service (STS) Temporary security credentials containing Identity for authentication Access Policy to control permissions Configurable Expiration (1 36 hours) Supports AWS Identities

50 Security Token Service (STS) Temporary security credentials containing Identity for authentication Access Policy to control permissions Configurable Expiration (1 36 hours) Supports AWS Identities (including IAM Users) Federated Identities (users customers authenticate) Scales to millions of users No need to create an IAM identity for every user Use Cases Identity Federation to AWS APIs Mobile and browser-based applications Consumer applications with unlimited users

51 Identity Syncing with IAM

52 Identity Federation > AWS APIs

53 An you don t want to get

54 Internet server1.aws-wwps.com server2.aws-wwps.com server3.aws-wwps.com Internet Gateway (IGW + EIPs = direct Internet access) ELB VPC DMZ Subnet VPC Subnets VPC Subnets webserver /24 VPC Private Subnet App tier Forensics source Availability Zone 1a webserver /24 VPC Private Subnet App tier Availability Zone 1b webserver /24 VPC Private Subnet App tier Availability Zone 1b VPC Customer VPN Connection Virtual Private Gateway Customer Gateway Customer Data Center

55 Dimensions of Shared Responsibility & Control Operation within the Service: The functions the customer controls and configurations they choose (e.g., in Amazon EC2, Amazon RDS) Security Configurability: The tools AWS gives customers to configure their security stance (e.g., access policies, security groups) vary considerably from service to service Security Features Which Span Services: Some security configuration features are global (e.g., IAM), others service-specific Cross-Layer Security Controls: Means by which customers integrate their existing controls into AWS (e.g., key management, Active Directory, Drupal user management) and vice versa (e.g., IAM Roles for Instances)

56 1. Operation within the Service Customers choose controls they implement, specific configurations/ operations Example: Amazon EC2 instances Manage root/administrative access to guest OS Install software; responsible for patching and maintenance Manage Amazon EC2 key pairs, potentially x509 SSL certs Examples: Amazon Relational Database Service, Amazon Redshift Administration of RDBMS but not underlying OSes Examples: Amazon S3, Amazon DynamoDB Fully managed service, zero operational access Rich authorization capabilities via AWS IAM

57 2. Security Configurability AWS services provide rich security controls tailored to each service customers choose which and how to implement Example: Amazon VPC responsibility and control options Configure security groups Control network ACLs Configure network routing, VPNs, etc. Example: Amazon S3 responsibility and control options Rich support for AWS IAM policies, plus service specific access controls Logging capability records all access (including logging daemon!) Example: Amazon CloudWatch Minimal security configuration available

58 3. Security Features Which Span Services The security impact of some services is more global, others more servicespecific; importance/responsibility thus varies Broader potential impact to other services Example: Identity and Access Management manages access to other services Example: Amazon EC2 runs customer code and can be used to access many services (see Amazon EC2 IAM roles) Narrower potential impact to other services Example: Amazon S3 provides a critical and foundational service for many other AWS services, with rich security features/configurability, but impact of the security configuration is mostly limited to the service itself

59 4. Cross-Layer Security Controls Customers can integrate their existing controls into AWS (typically implemented within Amazon EC2 instances, but not always, e.g., IAM federation) Examples: SSH key management; AWS CloudHSM integration Active Directory or SAML-P within Amazon EC2 Federation from AD or Shibboleth to AWS IAM OS-level firewalls (e.g., RHEL, Windows) and OS-level IDS/IPS systems Encrypted file system on Amazon Elastic Block Storage (EBS) Application level security X.509 certificate management for web servers or ELB Virtual security appliances (e.g., Checkpoint, Sophos, Xceedium, Layer 7)

60 Thank You

SECURITY ON AWS 8/3/17. AWS Security Standards MORE. By Max Ellsberry

SECURITY ON AWS 8/3/17. AWS Security Standards MORE. By Max Ellsberry SECURITY ON AWS By Max Ellsberry AWS Security Standards The IT infrastructure that AWS provides has been designed and managed in alignment with the best practices and meets a variety of standards. Below