Best Practices for Cloud Security at Scale
Phil Rodrigues, Security Solutions Architect, Amazon Web Services (ANZ)
www.cloudsec.com #CLOUDSEC

Best Practices for Security at Scale: Best of the Best tips for Security in the Cloud
Phil Rodrigues, Security Solutions Architect, Amazon Web Services
Level 200
© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Agenda
- Sources of Best Practices
- A Bad Day
- Best of the Best Practices: Infrastructure Security, Data Protection, Identity and Access Management, Logging and Monitoring
- Tools and Automation
- Click, Script, Commit
Sources of Best Practices

AWS Cloud Adoption Framework (CAF): how to move to the cloud securely, including the Core Five Epics: Identity and Access Management; Logging and Monitoring; Infrastructure Security; Data Protection; Incident Response.

AWS Security Best Practices: whitepaper with 44 best practices, including Identity and Access Management (10 best practices), Logging and Monitoring (4), Infrastructure Security (15) and Data Protection (15).

Center for Internet Security (CIS) Benchmarks: 148 detailed recommendations for configuration and auditing, covering AWS Foundations (52 checks aligned to AWS best practices) and AWS Three-Tier Web Architecture (96 checks for web applications).

CIS Benchmarks: each recommendation states What (description), Why (rationale), Check (audit procedure) and Fix (remediation).
A is for Andy and B is for Bill. Andy follows best practices :-) Bill does NOT follow best practices :-(
Bill's Bad Day

Bill's AWS account: a gateway in front of a web server instance, an internal data service, and two stores, the website images and the data backup.

The attack, step by step:
1. The bad person accesses the vulnerable web application through the gateway.
2. Pivots from the web server to the internal data service.
3. Deletes the website image files.
4. Changes the permissions on the data backup.
5. Downloads the data backup.

What went wrong:
1. No web application protection
2. No segmentation
3. One account
4. All permissions granted
5. Sensitive data not encrypted
6. No logging, monitoring, alerting

Now let's help Andy have a great day! :-)
Best of the Best Practices: Infrastructure Security

1) Create a threat prevention layer using AWS Edge Services (CloudFront, AWS Shield, AWS WAF). Use the 70 worldwide points of presence in the AWS Edge Network to provide scalability, protect from denial of service attacks, and protect from web application attacks.

2) Create network zones with Virtual Private Clouds (VPCs) and Security Groups. Implement security controls at the boundaries of hosts and virtual networks within the cloud environment to enforce access policy.

3) Manage vulnerabilities through patching and scanning (Inspector). Test virtual machine images and snapshots for operating system and application vulnerabilities throughout the build pipeline and into the operational environment.

Sources: AWS Best Practices paper, CIS Foundations, CIS Web-Tier.
[Diagram: Andy's AWS account after step 1, Infrastructure Security: CloudFront, AWS Shield and AWS WAF in front of the gateway; security groups around the web server instance and the internal data service; Inspector assessing the web server; website images and data backup behind them.]
Best of the Best Practices: Data Protection

4) Encrypt data at rest (with the occasional exception). Enabling encryption at rest helps ensure the confidentiality and integrity of data. Consider encrypting everything that is not public.

5) Use server-side encryption with provider managed keys (AWS KMS, S3 data encrypted with a KMS encryption key). AWS Key Management Service (KMS) is seamlessly integrated with 18 other AWS services. You can use a default master key or select a custom master key, both managed by AWS.

6) Encrypt data in transit (with no exceptions): SSL / TLS / HTTPS from the client through CloudFront and the gateway. Encryption of data in transit provides protection from accidental disclosure, verifies the integrity of the data, and can be used to validate the remote connection.

Sources: AWS Best Practices paper, CIS Foundations, CIS Web-Tier.
[Diagram: Andy's AWS account after step 2, Data Protection: the edge and network controls from step 1, plus AWS KMS data encryption keys applied to the website images and the data backup.]
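Practices 4 to 6 are enforced most reliably where the data lives, as a bucket policy that refuses unencrypted uploads and plain-HTTP access. The following is an added example, not code from the talk: it builds such a policy for a hypothetical bucket (andy-data-backup) and includes a small evaluator for the three Deny conditions so the policy can be sanity-checked offline. The evaluator implements only the IAM operators this policy uses; the request contexts are constructed.

```python
# Added example (not part of the talk): S3 bucket policy enforcing SSE-KMS on
# upload and TLS on every request, plus an offline evaluator for its Deny rules.
import fnmatch
import json

BUCKET = "andy-data-backup"  # hypothetical bucket name


def build_bucket_policy(bucket):
    """Explicit Deny wins over any Allow in IAM evaluation, so these statements
    hold no matter who has been granted access to the bucket."""
    objects = f"arn:aws:s3:::{bucket}/*"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {   # uploads that do not ask for server-side encryption at all
                "Sid": "DenyUnencryptedUploads", "Effect": "Deny", "Principal": "*",
                "Action": "s3:PutObject", "Resource": objects,
                "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}},
            },
            {   # uploads that ask for something other than SSE-KMS (e.g. AES256)
                "Sid": "DenyIncorrectEncryptionHeader", "Effect": "Deny", "Principal": "*",
                "Action": "s3:PutObject", "Resource": objects,
                "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}},
            },
            {   # any request that did not arrive over TLS
                "Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
                "Action": "s3:*", "Resource": [f"arn:aws:s3:::{bucket}", objects],
                "Condition": {"Bool": {"aws:SecureTransport": "false"}},
            },
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_holds(operator, key, expected, ctx):
    """Evaluate one condition against the request context (subset of IAM semantics).
    A missing key makes the non-Null operators false here, which is why the policy
    carries both a Null statement and a StringNotEquals statement for the SSE header."""
    present = key in ctx
    if operator == "Null":
        return (not present) if expected == "true" else present
    if not present:
        return False
    if operator in ("Bool", "StringEquals"):
        return ctx[key] == expected
    if operator == "StringNotEquals":
        return ctx[key] != expected
    raise ValueError(f"operator {operator} not supported by this evaluator")


def denying_statement(policy, action, resource, ctx):
    """Return the Sid of the first Deny statement that matches the request, or None."""
    for st in policy["Statement"]:
        if st["Effect"] != "Deny":
            continue
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(st["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(st["Resource"])):
            continue
        conditions = [(op, k, v) for op, kv in st.get("Condition", {}).items()
                      for k, v in kv.items()]
        if all(_condition_holds(op, k, v, ctx) for op, k, v in conditions):
            return st["Sid"]
    return None


POLICY = build_bucket_policy(BUCKET)
OBJECT = f"arn:aws:s3:::{BUCKET}/2017/backup.tar.gz"  # constructed object ARN

if __name__ == "__main__":
    print(json.dumps(POLICY, indent=2))
    # a plain-HTTP download attempt, like step 5 of Bill's bad day
    print(denying_statement(POLICY, "s3:GetObject", OBJECT, {"aws:SecureTransport": "false"}))
```

The policy does not name a specific key, so uploads that request aws:kms use the account's default S3 master key unless the client names a custom one, which matches practice 5. Attach the generated JSON with put-bucket-policy and keep the evaluator in your test suite so a later edit to the policy cannot silently reopen plain-HTTP access.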
Best of the Best Practices: Identity and Access Management

7) Use multiple AWS accounts to reduce blast radius (for example Production and Staging). AWS accounts provide administrative isolation between workloads across different lines of business, regions, stages of production and types of data classification.

8) Use limited roles and grant temporary security credentials. IAM roles and temporary security credentials mean you don't always have to manage long-term credentials and IAM users for each entity that requires access to a resource.

9) Federate to an existing identity service (AWS Directory Service, MFA token). Control access to AWS resources, and manage the authentication and authorisation process without needing to re-create all your corporate users as IAM users.

Sources: AWS Best Practices paper, CIS Foundations, CIS Web-Tier.
[Diagram: Andy's environment after step 3, Identity and Access Management: a second AWS account, AWS Directory Service with an MFA token federating users, IAM roles issuing temporary security credentials to the web server, alongside the edge, network and KMS controls from steps 1 and 2.]
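Two checks a practitioner would automate for practices 7 and 8, as an added example (not from the talk): find_overbroad_statements() flags the "all permissions granted" mistake from Bill's account in an IAM policy document, and build_mfa_trust_policy() produces the trust policy for a role in a production account that people in a separate identity account may assume only with MFA, which is how temporary credentials replace long-lived keys. The account IDs, the policy documents and the list of actions treated as broad are constructed assumptions.

```python
# Added example (not part of the talk): lint IAM policies for wildcard grants
# and build/verify a cross-account role trust policy that demands MFA.
import json

# Action patterns that, when allowed on every resource, amount to full control (assumed list)
BROAD_ACTIONS = {"*", "iam:*", "sts:*", "s3:*", "kms:*", "ec2:*"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def find_overbroad_statements(policy):
    """Return one finding per Allow statement that grants a broad action on '*'."""
    findings = []
    for index, st in enumerate(_as_list(policy["Statement"])):
        label = st.get("Sid", f"statement[{index}]")
        if st.get("Effect") != "Allow":
            continue
        if "NotAction" in st or "NotResource" in st:
            findings.append(f"{label}: NotAction/NotResource grants are hard to reason about")
            continue
        broad = sorted(a for a in _as_list(st.get("Action", [])) if a in BROAD_ACTIONS)
        if broad and "*" in _as_list(st.get("Resource", [])):
            findings.append(f"{label}: {', '.join(broad)} allowed on all resources")
    return findings


def build_mfa_trust_policy(identity_account_id):
    """Trust policy for a role assumed cross-account with sts:AssumeRole.
    aws:MultiFactorAuthPresent is only in the request context when the calling
    IAM user signed in with MFA; callers without a token (or role sessions
    without MFA context) are denied."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{identity_account_id}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}},
        }],
    }


def trust_policy_requires_mfa(trust_policy):
    """True when every AssumeRole grant in the trust policy carries the MFA condition."""
    grants = [st for st in _as_list(trust_policy["Statement"])
              if st.get("Effect") == "Allow"
              and "sts:AssumeRole" in _as_list(st.get("Action", []))]
    return bool(grants) and all(
        st.get("Condition", {}).get("Bool", {}).get("aws:MultiFactorAuthPresent") == "true"
        for st in grants)


# Constructed policies: Bill's one-size-fits-all grant, Andy's scoped one,
# and a trust policy that lets anyone in the other account assume the role.
BILL_POLICY = {"Version": "2012-10-17",
               "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
ANDY_POLICY = {"Version": "2012-10-17",
               "Statement": [{"Sid": "ReadImages", "Effect": "Allow",
                              "Action": ["s3:GetObject"],
                              "Resource": "arn:aws:s3:::andy-website-images/*"}]}
BILL_TRUST = {"Version": "2012-10-17",
              "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                             "Principal": {"AWS": "arn:aws:iam::111122223333:root"}}]}

if __name__ == "__main__":
    print(find_overbroad_statements(BILL_POLICY))
    print(json.dumps(build_mfa_trust_policy("111122223333"), indent=2))
```

Run the linter over every policy document a CI pipeline is about to deploy; a non-empty result should fail the build. The trust policy condition is what turns "one account, all permissions" into a role a human must step into deliberately, with an MFA prompt and a session that expires.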
Best of the Best Practices: Logging and Monitoring

10) Turn on logging in all accounts, for all services, in all regions (AWS CloudTrail, CloudWatch). The AWS API history in CloudTrail enables security analysis, resource change tracking, and compliance auditing. CloudWatch collects and tracks metrics and monitors log files.

11) Use the AWS platform's built-in monitoring and alerting features (CloudWatch Alarms, AWS Config). Monitoring a broad range of sources will ensure that unexpected occurrences are detected. Establish alarms and notifications for anomalous or sensitive account activity.

12) Use a separate AWS account (Security) to fetch and store copies of all logs from the Production account. Configuring a security account to copy logs to a separate bucket ensures access to information which can be useful in security incident response workflows.

Sources: AWS Best Practices paper, CIS Foundations, CIS Web-Tier.
[Diagram: Andy's environment after step 4, Logging and Monitoring: AWS CloudTrail, CloudWatch and AWS Config added on top of the controls from steps 1 to 3.]

[Diagram: Best Practices, the complete picture for Andy: CloudFront, AWS Shield and AWS WAF at the edge; security groups around the web server instance and the internal data service; Inspector; AWS KMS data encryption keys on the website images and data backup; a second AWS account, AWS Directory Service with an MFA token, IAM roles and temporary security credentials; AWS CloudTrail, CloudWatch and AWS Config.]
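Practice 11 is only useful if someone writes the rules that turn CloudTrail records into alarms. The following added example (not code from the talk) runs five such rules over a handful of constructed CloudTrail records that retrace steps 3 to 5 of Bill's bad day: a burst of DeleteObject calls, a bucket ACL opened to AllUsers, CloudTrail being switched off, activity in a region the workload does not use, and a root console login without MFA. The records use the real CloudTrail field names but are simplified and invented for the example; the expected-region set, the thresholds and the global-service exemption list are assumptions.

```python
# Added example (not part of the talk): CloudTrail detection rules over
# constructed records; in production the same function would run in a Lambda
# fed by CloudWatch Events or by the security account's log bucket.
from collections import defaultdict
from datetime import datetime, timedelta

EXPECTED_REGIONS = {"ap-southeast-2"}        # assumed: the only region this workload uses
GLOBAL_SERVICES = {"signin.amazonaws.com", "iam.amazonaws.com", "sts.amazonaws.com"}  # logged in us-east-1
PUBLIC_GRANTEES = {"http://acs.amazonaws.com/groups/global/AllUsers",
                   "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"}
DELETE_BURST_COUNT = 3                       # assumed thresholds for "mass delete"
DELETE_BURST_WINDOW = timedelta(minutes=5)


def _actor(event):
    identity = event.get("userIdentity", {})
    return identity.get("userName") or identity.get("arn") or identity.get("type", "unknown")


def _when(event):
    return datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def _grants_public_access(params):
    """True for a canned public ACL or an explicit grant to AllUsers/AuthenticatedUsers."""
    if any(acl in ("public-read", "public-read-write") for acl in params.get("x-amz-acl", [])):
        return True
    grants = params.get("AccessControlPolicy", {}).get("AccessControlList", {}).get("Grant", [])
    return any(g.get("Grantee", {}).get("URI") in PUBLIC_GRANTEES for g in grants)


def detect(events):
    """Return (rule, subject, actor) tuples for the events that deserve an alarm."""
    findings = []
    recent_deletes = defaultdict(list)       # actor -> delete timestamps inside the window
    flagged_for_deletes = set()
    for ev in sorted(events, key=_when):
        name, source = ev["eventName"], ev["eventSource"]
        params = ev.get("requestParameters") or {}
        actor = _actor(ev)
        if source not in GLOBAL_SERVICES and ev.get("awsRegion") not in EXPECTED_REGIONS:
            findings.append(("unexpected-region", ev["awsRegion"], actor))
        if source == "cloudtrail.amazonaws.com" and name in ("StopLogging", "DeleteTrail", "UpdateTrail"):
            findings.append(("logging-tampered", name, actor))
        if source == "s3.amazonaws.com" and name == "PutBucketAcl" and _grants_public_access(params):
            findings.append(("bucket-made-public", params.get("bucketName"), actor))
        if name == "ConsoleLogin" and ev.get("additionalEventData", {}).get("MFAUsed") == "No":
            findings.append(("console-login-without-mfa", name, actor))
        if source == "s3.amazonaws.com" and name == "DeleteObject":
            now = _when(ev)
            window = [t for t in recent_deletes[actor] if now - t <= DELETE_BURST_WINDOW] + [now]
            recent_deletes[actor] = window
            if len(window) >= DELETE_BURST_COUNT and actor not in flagged_for_deletes:
                flagged_for_deletes.add(actor)   # alarm once per burst, not once per delete
                findings.append(("mass-delete", params.get("bucketName"), actor))
    return findings


def _s3(name, time, bucket, actor="webapp-role", **extra):
    """Constructed S3 record in CloudTrail's shape (simplified userIdentity)."""
    return {"eventTime": time, "eventSource": "s3.amazonaws.com", "eventName": name,
            "awsRegion": "ap-southeast-2", "userIdentity": {"type": "AssumedRole", "userName": actor},
            "requestParameters": {"bucketName": bucket, **extra}}


# Constructed records: a benign deploy, then Bill's bad day from the web server's role
SAMPLE_EVENTS = [
    _s3("PutObject", "2017-04-05T00:55:00Z", "bill-website-images", actor="deploy"),
    _s3("DeleteObject", "2017-04-05T01:00:10Z", "bill-website-images"),
    _s3("DeleteObject", "2017-04-05T01:00:20Z", "bill-website-images"),
    _s3("DeleteObject", "2017-04-05T01:00:30Z", "bill-website-images"),
    _s3("PutBucketAcl", "2017-04-05T01:02:00Z", "bill-data-backup",
        AccessControlPolicy={"AccessControlList": {"Grant": [
            {"Grantee": {"URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
             "Permission": "READ"}]}}),
    _s3("GetObject", "2017-04-05T01:03:00Z", "bill-data-backup"),
    {"eventTime": "2017-04-05T01:04:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "awsRegion": "us-east-1",
     "userIdentity": {"type": "AssumedRole", "userName": "webapp-role"},
     "requestParameters": {"name": "bill-trail"}},
    {"eventTime": "2017-04-05T01:10:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "awsRegion": "us-east-1",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"},
     "additionalEventData": {"MFAUsed": "No"}},
]

if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

The region rule is why practice 10 says all regions: a trail that only covers the home region never sees the StopLogging call above. The global-service exemption matters too, since console and IAM events are recorded in us-east-1 regardless of where the workload runs, and flagging every one of them would bury the real alarms.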
Tools and Automation

Inspector: an automated security assessment service that helps improve the security and compliance of applications deployed on AWS. Inspector automatically assesses applications for vulnerabilities or deviations from best practices.

CloudWatch Events: a monitoring service for AWS cloud resources and the applications you run on AWS. You can easily build workflows that automatically take actions you define, such as invoking an AWS Lambda function, when an event of interest occurs.

AWS Config Rules: AWS Config is a fully managed service that provides you with an AWS resource inventory, configuration history, and configuration change notifications. Config Rules enables you to create rules that automatically check the configuration of AWS resources recorded by AWS Config.

See also AWS re:Invent 2016: 5 Security Automation Improvements You Can Make by Using CloudWatch Events and AWS Config Rules (SAC401).
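A custom Config rule is where the network-zone practice (2, Infrastructure Security) and the automation on this slide meet: every time a security group changes, Config hands the new configuration item to a Lambda function, which reports COMPLIANT or NON_COMPLIANT. The following is an added example, not code from the talk or from AWS, of such a handler checking a simple zone model: a web-tier group may accept 80/443 from anywhere, a data-tier group may only accept traffic from the web-tier group, and no group may expose 22/3389 to 0.0.0.0/0. Assumptions: groups are assigned to a zone by a Tier tag, the web-tier group IDs arrive in a rule parameter named webTierGroupIds, and the sample configuration items are constructed and simplified relative to what Config actually delivers.

```python
# Added example (not part of the talk): custom AWS Config rule that evaluates
# AWS::EC2::SecurityGroup items against a web/data zone model.
import json

ANYWHERE = {"0.0.0.0/0", "::/0"}
ADMIN_PORTS = {22, 3389}
WEB_PORTS = {80, 443}


def _covers(perm, port):
    """Does this ipPermission include the given port?"""
    if perm.get("ipProtocol") == "-1" or perm.get("fromPort") is None:
        return True                      # all traffic
    return perm["fromPort"] <= port <= perm["toPort"]


def _sources(perm):
    cidrs = [r["cidrIp"] for r in perm.get("ipRanges", [])]
    cidrs += [r["cidrIpv6"] for r in perm.get("ipv6Ranges", [])]
    groups = [g["groupId"] for g in perm.get("userIdGroupPairs", [])]
    return cidrs, groups


def evaluate_security_group(item, web_tier_group_ids):
    """Return (ComplianceType, Annotation) for one AWS::EC2::SecurityGroup item."""
    tier = (item.get("tags") or {}).get("Tier")   # assumed tagging convention
    problems = []
    for perm in item["configuration"].get("ipPermissions", []):
        cidrs, groups = _sources(perm)
        open_to_world = any(c in ANYWHERE for c in cidrs)
        if open_to_world and any(_covers(perm, p) for p in ADMIN_PORTS):
            problems.append("admin port reachable from the internet")
        if tier == "data":
            if cidrs:
                problems.append("data tier must only admit the web-tier group, not CIDRs")
            if any(g not in web_tier_group_ids for g in groups):
                problems.append("data tier admits a group outside the web tier")
        elif tier == "web" and open_to_world:
            single_web_port = (perm.get("ipProtocol") == "tcp"
                               and perm.get("fromPort") == perm.get("toPort")
                               and perm.get("fromPort") in WEB_PORTS)
            if not single_web_port:
                problems.append("web tier exposes more than 80/443 to the internet")
    if problems:
        return "NON_COMPLIANT", "; ".join(sorted(set(problems)))[:256]  # Config caps annotations at 256 chars
    return "COMPLIANT", f"rules match the {tier or 'untagged'} zone model"


def build_evaluation(event):
    """Pure part of the handler: parse the Config invocation and evaluate the item."""
    item = json.loads(event["invokingEvent"])["configurationItem"]
    params = json.loads(event.get("ruleParameters") or "{}")
    web_ids = {g for g in params.get("webTierGroupIds", "").split(",") if g}
    if item["resourceType"] != "AWS::EC2::SecurityGroup":
        compliance, note = "NOT_APPLICABLE", "rule only evaluates security groups"
    else:
        compliance, note = evaluate_security_group(item, web_ids)
    return {"ComplianceResourceType": item["resourceType"],
            "ComplianceResourceId": item["resourceId"],
            "ComplianceType": compliance,
            "Annotation": note,
            "OrderingTimestamp": item["configurationItemCaptureTime"]}


def lambda_handler(event, context):
    """Entry point for AWS Config; reports the result back with PutEvaluations."""
    evaluation = build_evaluation(event)
    import boto3   # imported here so the evaluator runs offline without the SDK
    boto3.client("config").put_evaluations(Evaluations=[evaluation],
                                           ResultToken=event["resultToken"])
    return evaluation


def _item(group_id, tier, permissions):
    """Constructed, simplified configuration item."""
    return {"resourceType": "AWS::EC2::SecurityGroup", "resourceId": group_id,
            "configurationItemCaptureTime": "2017-04-05T01:00:00.000Z",
            "tags": {"Tier": tier}, "configuration": {"ipPermissions": permissions}}


ANDY_WEB = _item("sg-andyweb", "web", [
    {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443, "ipRanges": [{"cidrIp": "0.0.0.0/0"}]}])
ANDY_DATA = _item("sg-andydata", "data", [
    {"ipProtocol": "tcp", "fromPort": 5432, "toPort": 5432,
     "userIdGroupPairs": [{"groupId": "sg-andyweb"}]}])
BILL_DATA = _item("sg-billdata", "data", [          # everything from everywhere
    {"ipProtocol": "-1", "ipRanges": [{"cidrIp": "0.0.0.0/0"}]}])
SAMPLE_EVENT = {   # constructed Config invocation for Bill's group
    "invokingEvent": json.dumps({"configurationItem": BILL_DATA}),
    "ruleParameters": json.dumps({"webTierGroupIds": "sg-andyweb"}),
    "resultToken": "example-token",
}

if __name__ == "__main__":
    for item in (ANDY_WEB, ANDY_DATA, BILL_DATA):
        print(item["resourceId"], evaluate_security_group(item, {"sg-andyweb"}))
```

Keeping the evaluation pure and pushing the boto3 call to the edge of the handler is what lets the rule be unit-tested offline; the same structure is how you would chain a CloudWatch Events target to auto-remediate (revoke the offending rule) once a NON_COMPLIANT result lands.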
Three Speeds: Crawl, Walk, Run
Three Levels: 8-bit Mario, 16-bit Mario, 64-bit Mario
Three Stages: Zero, Pro, Hero

Three Stages: Click, Script, Commit
Three Stages of Cloud Security Maturity

Stage One: Click
- Manual best practices
- Static workloads
- Release 1x per month

Stage Two: Script
- Automated controls
- Evolving workloads
- Release 1-10x per month

Stage Three: Commit
- Continuous security
- Agile workloads
- Release 10-100x per month
- DevSecOps?
Prepare your umbrella before it rains: turn it on.
Resources
- AWS Security Best Practices White Paper: http://bit.ly/awsbest
- CIS AWS Security Foundations: http://bit.ly/awscis
- CIS AWS Three-Tier Web Architecture: http://bit.ly/awscis3t
- Session recording: https://aws.amazon.com/summits/sydney/on-demand-17/security-cloud/
Thank you!