AMAZON WEB SERVICES (AWS) SERVICES OVERVIEW & SECURITY TIPS

MAGDA LILIA CHELLY
ENTREPRENEUR, CISO ADVISOR, CYBERFEMINIST, PEERLYST BRAND AMBASSADOR, TOP 50 CYBER INFLUENCER @RESPONSIBLE CYBER

AGENDA
- AWS SERVICES OVERVIEW
- REGIONS & AVAILABILITY ZONES
- VIRTUAL PRIVATE CLOUD (VPC)
- ELASTIC COMPUTE CLOUD (EC2)
- AWS OBJECT STORAGE: S3, AND GLACIER
- IDENTITY AND ACCESS MANAGEMENT (IAM) & SECURITY GROUPS
- CONTENT DELIVERY NETWORK (CDN)
- VERSIONING & ENCRYPTION

AWS SERVICES OVERVIEW
Amazon Web Services offers on-demand cloud computing services to individuals, companies and governments, with a paid subscription and an option available for 12 months.
[Figure labels: Application, Platform, Infrastructure]

AWS SERVICES OVERVIEW
1. Infrastructure as a service (IaaS): servers, virtual machines, storage, networks, etc. provided by the cloud provider and billed per usage.
2. Platform as a service (PaaS): access to a ready-made environment for developing, testing, delivering, and managing software, billed per usage.
3. Software as a service (SaaS): access to applications over the Internet, for example Gmail or Office365, billed per usage.
Source: https://en.wikipedia.org/wiki/cloud_computing#/media/file:cloud_computing.svg

AWS SERVICES OVERVIEW
- WHAT DO YOU NEED?
- WHAT REGULATION IS YOUR BUSINESS SUBJECT TO?
- WHAT IS YOUR RESPONSIBILITY?
- WHERE DO YOU NEED THESE SERVICES?

FIRST QUESTION - WHAT DO YOU NEED?

WHAT DO YOU NEED?
Before starting the course and your implementation, it is very important to understand your choice, and what you and your business need in terms of architecture and approach.
- Infrastructure as a service (IaaS)
- Platform as a service (PaaS)
- Software as a service (SaaS)
- Private cloud
- Public cloud
- Hybrid cloud

SECOND QUESTION - WHAT REGULATIONS IS YOUR BUSINESS SUBJECT TO?

WHAT REGULATIONS IS YOUR BUSINESS SUBJECT TO?
AWS provides great support in the form of good practices and guidelines for business compliance with local regulations. For Singapore, financial institutions are highly regulated by the Monetary Authority of Singapore (MAS). A publicly available document, the AWS User Guide to Financial Services Regulations & Guidelines in Singapore, supports the deployment and configuration of AWS services.
You can download the guide from the link: https://d0.awsstatic.com/whitepapers/compliance/financial_services_regulations_guidelines_in_singapore.pdf

WHAT REGULATIONS IS YOUR BUSINESS SUBJECT TO?
AWS also features a list of access-controlled documents relevant to compliance and security, as AWS Artifact. The list is easily accessible with an admin account, and you can download the corresponding document and follow its instructions.
https://console.aws.amazon.com/artifact

THIRD QUESTION - WHAT IS YOUR RESPONSIBILITY?

WHAT IS YOUR RESPONSIBILITY?
Source: https://d0.awsstatic.com/whitepapers/compliance/financial_services_regulations_guidelines_in_singapore.pdf

FOURTH QUESTION - WHERE DO YOU NEED THESE SERVICES?

REGIONS & AVAILABILITY ZONES
AWS services are located worldwide in several locations. These locations are composed of Regions and Availability Zones.
- Region = one geographical area
- Availability Zone = separated location in a geographical area
Example: https://ec2.ap-south-1.amazonaws.com
http://docs.aws.amazon.com/amazonrds/latest/userguide/concepts.regionsandavailabilityzones.html

REGIONS & AVAILABILITY ZONES
Regions are an important point for AWS implementation and deployment. Your choices might vary depending on the region considered, as not all services are available in every region.
Example: Glacier is not available in Singapore.
https://aws.amazon.com/about-aws/global-infrastructure/regional-product-services

REGIONS & AVAILABILITY ZONES
Use multiple availability zones (AZs) for redundancy!
Various service limits are enforced by Amazon. You can ask for a soft limit increase in some cases.

AWS SERVICES OVERVIEW
- LET'S RECAP
- LET'S REMEMBER THE IMPORTANT BASICS
- LET'S CHECK THE SECURITY TIPS
- YOU ARE AWESOMELY GETTING THERE

VIRTUAL PRIVATE CLOUD (VPC)

AMAZON VIRTUAL PRIVATE CLOUD (VPC)
Amazon Virtual Private Cloud (VPC): What is it?
Amazon Virtual Private Cloud (Amazon VPC) lets you provision a logically isolated section of the Amazon Web Services (AWS) cloud. You can select your own IP address range, create subnets, and configure route tables and network gateways. You can use both IPv4 and IPv6 in your VPC for secure and easy access to resources and applications.

AMAZON VIRTUAL PRIVATE CLOUD (VPC)
This is an example of a simple architecture with the different services, including a VPC. Inside the VPC, we have two different subnets, a router, and an Internet Gateway.
Tip: Use a load balancer to balance between AZs. It is definitely recommended to use a public subnet with an Internet Gateway for Internet access.

AMAZON VIRTUAL PRIVATE CLOUD (VPC)
Default VPC and Custom VPC are the only VPC forms available. A default VPC is created when you create an AWS account. Custom VPC is intended for advanced users.

ELASTIC COMPUTE CLOUD (EC2)

ELASTIC COMPUTE CLOUD (EC2)
Elastic Compute Cloud (EC2): What is it?
EC2 is a web service that provides secure, resizable compute capacity in the cloud. The different EC2 instance types provide various CPUs, memory capacities, storage types, and networking capacity. An instance type can be changed if the instance has an Elastic Block Store (EBS) volume as its root device.
Example:

| Instance Type | vCPU | Memory (GiB) | Storage (GB) | Networking Performance | Physical Processor | Clock Speed (GHz) |
|---|---|---|---|---|---|---|
| t2.nano | 1 | 0.5 | EBS Only | Low | Intel Xeon family | Up to 3.3 |
| t2.micro | 1 | 1 | EBS Only | Low to Moderate | Intel Xeon family | Up to 3.3 |

ELASTIC COMPUTE CLOUD (EC2)
Amazon Elastic Block Store (Amazon EBS): What is it?
Amazon Elastic Block Store (Amazon EBS) is a block storage volume for Amazon EC2 instances. Data stored on an Amazon EBS volume can persist after instance termination, independently of the life of the instance.
EBS has four types of storage:
- Provisioned IOPS SSD (io1)
- General Purpose SSD (gp2)
- Throughput Optimized HDD (st1)
- Cold HDD (sc1)
You cannot detach an instance store volume or attach it to another instance.

ELASTIC COMPUTE CLOUD (EC2)
Elastic Compute Cloud (EC2): Some Tips?
The "Enable termination protection" option protects an EC2 instance against accidental termination.
To enable termination protection for an instance at launch time:
1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.
2. On the dashboard, choose Launch Instance and follow the directions in the wizard.
3. On the Configure Instance Details page, select the Enable termination protection check box.
To enable termination protection for a running or stopped instance:
1. Select the instance, choose Actions, Instance Settings, and then choose Change Termination Protection.
2. Select Yes, Enable.
In addition, enable backups, and output data to another AWS service.

ELASTIC COMPUTE CLOUD (EC2)
If you need to copy an EC2 instance to another region, you can create an Amazon Machine Image (AMI). The AMI can then be deployed, as it represents a high-performance execution environment for applications running on EC2 and contains all the information needed to launch an instance.
EC2-Classic is an old configuration which is not available anymore. It is still being supported for clients.

ELASTIC COMPUTE CLOUD (EC2)
The most secure option for connecting to instances without Internet connectivity in a private subnet of a VPC is a bastion host server. Bastion hosts are instances within your public subnet and are typically accessed using SSH or RDP. Once remote connectivity has been established with the bastion host, it behaves like a bridge, allowing you to use SSH or RDP to log in to other instances (within private subnets) within your network. You can use the bastion as a bridge, together with security groups and NACLs, to access other private instances.

ELASTIC COMPUTE CLOUD (EC2)
A placement group is a logical grouping of instances within a single Availability Zone, achieving high-performance computing with low-latency network performance.
There is a soft limit of 20 instances per region. You can submit the limit increase form and retry the failed requests once approved.
You can use the curl or GET command to access the information for your instance, for example:
    [ec2-user ~]$ curl http://169.254.169.254/latest/meta-data
or
    [ec2-user ~]$ GET http://169.254.169.254/latest/meta-data

AWS OBJECT STORAGE: S3, AND GLACIER

AWS OBJECT STORAGE: S3, AND GLACIER
AWS provides various storage options: What are they?
Let's focus on the four below:
- S3: Amazon Simple Storage Service, min object storage size is 0B
- S3 Standard - Infrequent Access (Standard - IA), min object storage size is 128KB
- Amazon S3 Reduced Redundancy Storage, min object storage size is 128KB
- Glacier

AWS OBJECT STORAGE: S3, AND GLACIER
AWS provides various storage options: Some Tips?
AWS RRS provides the same functionality as AWS S3, but is cheaper. It is ideally suited for non-mission-critical applications, such as files which can be reproduced.
Example: Storing image thumbnails can be a good use case for AWS RRS.
AWS RRS is cheaper than AWS IA.

AWS OBJECT STORAGE: S3, AND GLACIER
Key points to remember regarding an S3 bucket are:
- S3 is object-based storage, for files for example, and not for an OS.
- It can store files from 0 to 5 TB.
- Names of buckets are universal, and therefore need to be unique.
- An HTTP 200 code is the confirmation of a successful data upload.
- When you upload an object, the object will be immediately available: read-after-write consistency.
- If you change or delete an object in the bucket, the object might not be immediately updated. It might take a few minutes: override after PUT or DELETE.
- No partial or damaged/corrupted objects when uploading, updating, or deleting.
- Encryption is enabled.

AWS OBJECT STORAGE: S3, AND GLACIER
Implementing versioning and lifecycle rules is key to preventing data loss.
Accidental deletion of data from an S3 bucket can be avoided by:
- Enabling versioning
- Enabling MFA access

AWS OBJECT STORAGE: S3, AND GLACIER
You can't have any dots in your bucket name if you use the bucket name in the subdomain of your URLs and would like to use SSL for your bucket. This will cause a certificate mismatch, because the AWS SSL certificate only covers *.s3.amazonaws.com.
Versioning is required for replication in S3.
To list delete markers (and other versions of an object), you need to use the versions subresource in a GET Bucket versions request, as a simple GET will not retrieve delete marker objects.
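The following added example (not part of the original slides) shows why the versions listing matters for recovering from an accidental deletion: it reads a GET Bucket versions style response and reports which keys are currently hidden by a delete marker and which version would be restored. The bucket contents, keys and version ids are constructed, and the function name `hidden_objects` is hypothetical.

```python
"""Find objects hidden by delete markers in a versioned S3 bucket listing."""
from datetime import datetime

# Constructed sample shaped like a GET Bucket versions (ListObjectVersions)
# response. Real responses are paginated; merge all pages before calling.
SAMPLE_LISTING = {
    "Versions": [
        {"Key": "reports/q1.pdf", "VersionId": "v1", "IsLatest": False,
         "LastModified": "2017-03-01T10:00:00Z"},
        {"Key": "reports/q1.pdf", "VersionId": "v2", "IsLatest": False,
         "LastModified": "2017-03-05T09:30:00Z"},
        {"Key": "logo.png", "VersionId": "v7", "IsLatest": True,
         "LastModified": "2017-02-11T08:00:00Z"},
    ],
    "DeleteMarkers": [
        # Current version is a delete marker: a plain GET returns 404.
        {"Key": "reports/q1.pdf", "VersionId": "dm1", "IsLatest": True,
         "LastModified": "2017-03-09T17:45:00Z"},
        # Marker left alone after a lifecycle rule expired the old versions.
        {"Key": "tmp/export.csv", "VersionId": "dm2", "IsLatest": True,
         "LastModified": "2017-03-10T12:00:00Z"},
        # Older marker: the key was uploaded again afterwards, so it is visible.
        {"Key": "logo.png", "VersionId": "dm0", "IsLatest": False,
         "LastModified": "2017-02-10T08:00:00Z"},
    ],
}


def _ts(value):
    """Accept datetime objects or ISO 8601 strings ending in Z."""
    if isinstance(value, datetime):
        return value
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def hidden_objects(listing):
    """Map each key whose current version is a delete marker to recovery info."""
    versions_by_key = {}
    for version in listing.get("Versions", []):
        versions_by_key.setdefault(version["Key"], []).append(version)

    report = {}
    for marker in listing.get("DeleteMarkers", []):
        if not marker["IsLatest"]:
            continue  # superseded marker, the object is visible again
        survivors = sorted(versions_by_key.get(marker["Key"], []),
                           key=lambda v: _ts(v["LastModified"]), reverse=True)
        report[marker["Key"]] = {
            # Deleting this marker by version id makes the object visible again.
            "delete_marker": marker["VersionId"],
            "deleted_at": marker["LastModified"],
            # None means no data is left to restore.
            "restore_version": survivors[0]["VersionId"] if survivors else None,
            "noncurrent_versions": len(survivors),
        }
    return report


if __name__ == "__main__":
    for key, info in sorted(hidden_objects(SAMPLE_LISTING).items()):
        print(key, info)
```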

AWS OBJECT STORAGE: S3, AND GLACIER
You can retrieve data faster from Glacier with:
- Expedited retrievals, to access data in 1-5 minutes for a flat rate of $0.03 per GB retrieved, or
- Bulk retrievals, to access your data in approximately 5-12 hours for a flat rate of just $0.0025 per GB retrieved.
Cross region replication has additional cost (Redundancy)

IDENTITY AND ACCESS MANAGEMENT (IAM) & SECURITY GROUPS

IDENTITY AND ACCESS MANAGEMENT (IAM) & SECURITY GROUPS
Identity and Access Management (IAM): What is it?
Access control is one of the most important security controls to put in place, and therefore we can check the important points below offered by AWS services.
You can define your Identity and Access Management rules, and create Security Groups to control and limit access to the resources.
The statement is the main element of an IAM policy and is mandatory for a policy. Elements such as condition, version and ID are not required.

IDENTITY AND ACCESS MANAGEMENT (IAM) & SECURITY GROUPS
You will have:
- A centralised control of your AWS account (I recommend hardware MFA for the root account)
- Granular Permissions
- Identity Federation, including Active Directory
- Multi Factor Authentication
- Password Policies
- PCI DSS Compliance
Every user gets an IAM account. Never log in to the master.

IDENTITY AND ACCESS MANAGEMENT (IAM) & SECURITY GROUPS
Identity and Access Management (IAM): Some Tips?
I highly encourage using a hardware MFA or Virtual MFA Device for your access control, for example Google Authenticator.
https://aws.amazon.com/iam/details/mfa

IDENTITY AND ACCESS MANAGEMENT (IAM) & SECURITY GROUPS
When you create a new user, a pair of access keys is generated if enabled. Make sure that you do not enable it if not necessary.
The access keys (users can have multiple API keys) will not allow a user to connect to the console; however, they will allow API access.

IDENTITY AND ACCESS MANAGEMENT (IAM) & SECURITY GROUPS
AWS best practices advise a password length of 14 characters. I recommend using at least 12 characters, complexity, password expiration, and no password reuse.
It is possible to create an IAM when an instance is running ONLY if the "no reboot" option is checked.

IDENTITY AND ACCESS MANAGEMENT (IAM) & SECURITY GROUPS
Another access control measure is Security Groups. This is in fact one of the main controls. I highly recommend adding Network Access Control Lists as an additional layer of security.

| Security Group | Network ACL |
|---|---|
| Operates at the instance level (first layer of defense) | Operates at the subnet level (second layer of defense) |
| Supports allow rules only | Supports allow rules and deny rules |
| Is stateful: Return traffic is automatically allowed, regardless of any rules | Is stateless: Return traffic must be explicitly allowed by rules |
| We evaluate all rules before deciding whether to allow traffic | We process rules in number order when deciding whether to allow traffic |
| Applies to an instance only if someone specifies the security group when launching the instance, or associates the security group with the instance later on | Automatically applies to all instances in the subnets it's associated with (backup layer of defense, so you don't have to rely on someone specifying the security group) |

http://docs.aws.amazon.com/amazonvpc/latest/userguide/vpc_security.html

IDENTITY AND ACCESS MANAGEMENT (IAM) & SECURITY GROUPS
Outbound ports should be enabled on the NACL when an instance needs to be accessible by everyone, even if port 80 is allowed inbound.
Source/Destination check should be disabled when a custom NAT instance is launched, even after configuring security groups and NACL.
Instances should have either a public IP or an Elastic IP to be able to reach the Internet. You can have one Elastic IP address associated with a running instance at no charge. You can also check the associated IP through the instance metadata.
For an instance to be able to connect to the Internet with an Internet Gateway and a public subnet, a route should be created with 0.0.0.0/0 as destination and your internet gateway as target.
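The security group and network ACL comparison and the outbound ports tip above can be checked with a small model. This is an added example, not AWS code or part of the original slides: it is a simplified TCP-only model in which the rule layout, function names and the documentation-range IP addresses are all constructed.

```python
"""Simplified model of security group vs. network ACL evaluation (TCP only)."""
from ipaddress import ip_address, ip_network


def _matches(rule, port, peer):
    low, high = rule["ports"]
    return low <= port <= high and ip_address(peer) in ip_network(rule["cidr"])


def sg_allows(rules, port, peer):
    """Security group: allow rules only, every rule is evaluated."""
    return any(_matches(rule, port, peer) for rule in rules)


def nacl_allows(rules, port, peer):
    """Network ACL: rules in number order, first match decides, else deny."""
    for rule in sorted(rules, key=lambda r: r["number"]):
        if _matches(rule, port, peer):
            return rule["action"] == "allow"
    return False


def http_exchange(sg_in, nacl_in, nacl_out, client_ip, client_port, server_port=80):
    """Return (request_delivered, response_delivered) for one client request."""
    request_ok = (nacl_allows(nacl_in, server_port, client_ip)
                  and sg_allows(sg_in, server_port, client_ip))
    if not request_ok:
        return (False, False)
    # Stateful security group: the reply is allowed without an outbound rule.
    # Stateless NACL: an outbound rule must cover the client's ephemeral port.
    return (True, nacl_allows(nacl_out, client_port, client_ip))


# Constructed rule sets for a public web server.
SG_IN = [{"ports": (80, 80), "cidr": "0.0.0.0/0"}]
NACL_IN = [
    {"number": 90, "action": "deny", "ports": (0, 65535), "cidr": "203.0.113.0/24"},
    {"number": 100, "action": "allow", "ports": (80, 80), "cidr": "0.0.0.0/0"},
]
# Same two rules, but the deny is numbered after the allow and never applies.
NACL_IN_MISORDERED = [
    {"number": 100, "action": "allow", "ports": (80, 80), "cidr": "0.0.0.0/0"},
    {"number": 110, "action": "deny", "ports": (0, 65535), "cidr": "203.0.113.0/24"},
]
NACL_OUT_EMPTY = []  # nothing but the implicit deny
NACL_OUT_EPHEMERAL = [
    {"number": 100, "action": "allow", "ports": (1024, 65535), "cidr": "0.0.0.0/0"},
]

if __name__ == "__main__":
    client = ("198.51.100.7", 50000)
    print("no outbound rule :", http_exchange(SG_IN, NACL_IN, NACL_OUT_EMPTY, *client))
    print("ephemeral allowed:", http_exchange(SG_IN, NACL_IN, NACL_OUT_EPHEMERAL, *client))
    print("denied subnet    :", http_exchange(SG_IN, NACL_IN, NACL_OUT_EPHEMERAL,
                                              "203.0.113.9", 50000))
    print("misordered deny  :", nacl_allows(NACL_IN_MISORDERED, 80, "203.0.113.9"))
```

With port 80 allowed inbound everywhere, the response is still dropped until the NACL has an outbound rule for the client's ephemeral port, and a deny rule only takes effect when its number is lower than the allow rule it is meant to override.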

IDENTITY AND ACCESS MANAGEMENT (IAM) & SECURITY GROUPS
A NAT gateway in the Failed state is automatically deleted after about an hour.
Ensure that you have different route tables for your private and your public subnets. If the table is the same, it will not route traffic to the Internet.
Use the tracert (Windows) command or traceroute (Linux) command. ICMP packets are ignored.
Define all rules within a single aws_security_group_rules resource to refresh security group rules faster. (To be confirmed and feedback is welcome)

IDENTITY AND ACCESS MANAGEMENT (IAM) & SECURITY GROUPS
Here you can find a great example of the difference between ACLs and Security Groups.
- Security groups: act as a firewall for Amazon EC2 instances
- Network access control lists (ACLs): act as a firewall for subnets
Changes to Security Group rules are automatically applied after a short period.

IDENTITY AND ACCESS MANAGEMENT (IAM) & SECURITY GROUPS
By default, security groups are configured as below:
- Allow no inbound traffic
- Allow all outbound traffic
- Allow instances associated with this security group to communicate
You need to disable SSH access.
You can create an IAM role with two attached policies to delegate permission to access a resource. The permission policy grants the user the permissions for the desired task on the resource, and the trust policy indicates which trusted accounts are allowed to grant their users permissions to assume the role.
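To make the two-policy role concrete, the following added example (not from the original slides) audits a role's trust policy and permission policy, treating Statement as the one required element as stated earlier in this section. The account ids, bucket name and policies are constructed, and `audit_role` is a hypothetical helper rather than an AWS API.

```python
"""Audit the two policies of an IAM role: who may assume it, what it grants."""


def _as_list(value):
    """IAM JSON accepts a single value wherever a list is allowed."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def statements(policy):
    """Statement is the one element a policy must have (object or list)."""
    if "Statement" not in policy:
        raise ValueError("policy has no Statement element")
    return _as_list(policy["Statement"])


def trusted_principals(trust_policy):
    """(kind, value) pairs the trust policy allows to call sts:AssumeRole."""
    found = []
    for st in statements(trust_policy):
        if st.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(st.get("Action")):
            continue
        principal = st.get("Principal", {})
        if principal == "*":
            found.append(("AWS", "*"))
            continue
        for kind, values in principal.items():
            found.extend((kind, value) for value in _as_list(values))
    return found


def account_of(principal):
    """Account id from 'arn:aws:iam::<account>:root' or a bare account id."""
    return principal.split(":")[4] if principal.startswith("arn:") else principal


def audit_role(trust_policy, permission_policy, expected_accounts):
    findings = []
    for kind, value in trusted_principals(trust_policy):
        if value == "*":
            findings.append("trust policy lets any principal assume the role")
        elif kind == "AWS" and account_of(value) not in expected_accounts:
            findings.append(f"unexpected trusted account {account_of(value)}")
    for st in statements(permission_policy):
        if (st.get("Effect") == "Allow" and "*" in _as_list(st.get("Action"))
                and "*" in _as_list(st.get("Resource"))):
            findings.append("permission policy allows every action on every resource")
    return findings


# Constructed policies; account ids and the bucket name are placeholders.
TRUST_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "sts:AssumeRole",
     "Principal": {"AWS": "arn:aws:iam::111122223333:root"}}]}
# No Version element and a single Statement object: still a valid policy.
PERMISSION_POLICY = {"Statement": {
    "Effect": "Allow", "Action": ["s3:GetObject"],
    "Resource": "arn:aws:s3:::example-bucket/*"}}
LOOSE_TRUST_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": "sts:AssumeRole",
     "Principal": {"AWS": ["arn:aws:iam::111122223333:root",
                           "arn:aws:iam::999999999999:root"]}},
    {"Effect": "Allow", "Action": "sts:AssumeRole", "Principal": "*"}]}

if __name__ == "__main__":
    print(audit_role(TRUST_POLICY, PERMISSION_POLICY, {"111122223333"}))
    print(audit_role(LOOSE_TRUST_POLICY, PERMISSION_POLICY, {"111122223333"}))
```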

CONTENT DELIVERY NETWORK (CDN)

CONTENT DELIVERY NETWORK (CDN)
Content Delivery Network: What is it?
Another critical service provided by AWS is the CDN, CloudFront. This service is critical when hosting a web application online. It delivers content by replicating commonly requested files (static content) across a globally distributed set of caching servers.
From my experience, I suggest analysing your business requirements, as you might need additional functionalities. Amazon CloudFront doesn't have these features: purge it all, or purge instant, SPDY Protocol Support, Real time statistics or CDN balancing tech.

VERSIONING & ENCRYPTION

VERSIONING & ENCRYPTION
Encryption: What is it?
AWS offers various types of encryption:
- At rest, Server Side Encryption:
  - S3 Managed keys: SSE-S3
  - AWS Key Management Service: SSE-KMS
  - Server Side Encryption with Customer Provided Keys: SSE-C
- Client Side Encryption

VERSIONING & ENCRYPTION
A new version of a file on an S3 bucket is considered an update subject to eventual consistency. If you specify the version ID on the GET request, then the new file will be subject to read-after-write consistency.
With SSE-KMS you can have different objects stored with different keys in the same bucket. You will have two layers of security controls: the bucket and the objects.
Boot volume encryption on an EC2 instance has some known issues. Google is your friend :D!

AWS DATABASES

AWS DATABASE

| If You Need | Consider Using | Product Type |
|---|---|---|
| A managed relational database in the cloud that you can launch in minutes with just a few clicks. | Amazon RDS | Relational Database |
| A fully managed MySQL and PostgreSQL-compatible relational database with 5X performance and enterprise level features. | Amazon Aurora | Relational Database |
| A managed NoSQL database that offers extremely fast performance, seamless scalability and reliability. | Amazon DynamoDB | NoSQL Database |
| A fast, fully managed, petabyte-scale data warehouse at less than a tenth the cost of traditional solutions. | Amazon Redshift | Data Warehouse |
| To deploy, operate, and scale in-memory cache based on memcached or Redis in the cloud. | Amazon ElastiCache | In-Memory Cache |
| Help migrating your databases to AWS easily and inexpensively with zero downtime. | AWS Database Migration Service | Database Migration |
| To build flexible cloud-native directories for organizing hierarchies of data along multiple dimensions. | Amazon Cloud Directory | Directory |

Source: aws.com

COMPLIANCE TESTING
If you would like to test your configuration against your compliance requirements and regulation, you can run the AWS script. I recommend the local execution. It was very fast and easy.
AWS GitHub script to scan for CIS compliance

ADDITIONAL RESOURCES
- Link to CIS Benchmark Guideline
- Link to CIS Three-Tier Guideline
- AWS Well Architected
- AWS Cloud Adoption Framework Security

MAGDA CHELLY, CYBERFEMINIST, CISSP
MAGDA LILIA CHELLY IS THE MANAGING DIRECTOR OF RESPONSIBLE CYBER BY DAY, AND A CYBER FEMINIST HACKER BY NIGHT. SHE SPEAKS FIVE LANGUAGES FLUENTLY, AND HAS A PHD IN TELECOMMUNICATION ENGINEERING WITH A SUBSEQUENT SPECIALIZATION IN CYBER SECURITY (CISSP).
Your employees are your company's biggest asset yet equally represent your weakest link. Empower YOUR people to protect YOUR business with a trusted, value-adding and effective cyber-security provider.
MAGDA WAS RECENTLY NOMINATED AS GLOBAL LEADER OF THE YEAR AT THE WOMEN IN IT AWARDS 2017, AND TOP 50 CYBER SECURITY INFLUENCER, GLOBALLY.

THANK YOU! PLEASE FEEL FREE TO ASK QUESTIONS OR SHARE YOUR TIPS