AWS Security Overview
Bill Shinn, Principal Security Solutions Architect
Accelerating Security with AWS
Agenda:
- AWS Overview / Risk Management / Compliance Overview
- Identity / Privilege Isolation
- Roles for EC2 / 3 Technical Use Cases
AWS Overview
What is AWS?
Service layers, top to bottom: Deployment & Management; Application Services; Compute, Storage, Database, Networking; AWS Global Infrastructure.
AWS Global Infrastructure
9 Regions, 25 Availability Zones (figures at the time of this talk), continuous expansion.
AWS Availability Zones
[Diagram, conceptual drawing only: US East (N. Virginia), US West (Oregon), US West (N. California), EU (Ireland), APAC (Sydney) and APAC (Singapore), each with Availability Zones A and B (a Zone C where present). Not shown: South America (Sao Paulo), GovCloud and Asia-Pacific (Tokyo).]
AWS Approach to Risk Management, Security & Compliance
Architected for Enterprise Security Requirements
"The Amazon Virtual Private Cloud [Amazon VPC] was a unique option that offered an additional level of security and an ability to integrate with other aspects of our infrastructure."
Dr. Michael Miller, Head of HPC for R&D
Security & Compliance: Shared Responsibility
AWS: Facilities, Physical Security, Compute Infrastructure, Storage Infrastructure, Network Infrastructure, Virtualization Layer
Customer: Operating System, Applications, Security Groups, Firewalls, Network Configuration, Account Management
AWS layer + Customer layer = the secured whole.
Benefits of Scale Apply to Security and Compliance
Nothing better for the community than a tough set of customers.
[Diagram: each customer's requirements feed one shared security infrastructure, and everyone's systems and applications run on the result.]
The entire community benefits from tough scrutiny, the world-class AWS security team, market-leading capabilities, and constant improvements.
Accreditation & Compliance, Old and New
Old world:
- Functionally optional (you can build a secure system without it)
- Audits done by an in-house team
- Accountable to yourself
- Must maintain talent and keep pace
- Check typically once a year, one location
- Workload-specific / regulation-specific compliance checks
New world:
- Functionally necessary: a high watermark of requirements
- Audits done by third-party experts
- Accountable to everyone
- Security drives broad compliance
- Continuous monitoring, everywhere
- Compliance approach based on all possible workload scenarios
Identity / Isolation / Trust Boundary Patterns
Identity & Access Management
IAM enables customers to create and manage users in AWS's identity system.
Identity federation with a local directory is an option for enterprises.
Very familiar security model: users, groups, permissions.
Allows customers to:
- Create users
- Assign individual passwords, access keys, multi-factor authentication devices
- Grant fine-grained permissions
- Optionally grant them access to the AWS Console
- Organize users in groups
IAM Policy Structure
A policy statement has four parts: Effect (Allow or Deny), Action (the API calls covered), Resource (the ARNs the statement applies to), and Condition (optional checks on request context such as tags, source IP or MFA).
IAM / Security Token Service
AssumeRole: duration from 15 minutes to one hour (the ceiling at the time of this talk; roles now have a configurable maximum session duration).
Returns an access key ID, a secret access key, and a security token; all three must be presented together, and they stop working at expiry.
Privilege Isolation
Boundaries available for isolating privilege: Account, IAM User/Group/Role, Region, Amazon VPC, Security Group, Resource.
Privilege Isolation / Resources
Resource permissions by service (by API call): http://docs.aws.amazon.com/iam/latest/userguide/using_specificproducts.html
- Amazon DynamoDB (tables and indexes)
- Amazon Elastic Beanstalk (application, applicationversion, solutionstack)
- Amazon EC2 (instance, security group, DHCP options, NACL, route table, gateways, volumes)
- Amazon Glacier (vault)
- Amazon IAM (signing credentials, group, ...)
- Amazon Redshift (cluster, parameter group, security group, snapshot, subnet group)
- Amazon RDS
- Amazon Route53 (hosted zone)
- Amazon S3 (bucket)
- Amazon SNS (topic)
- Amazon SQS (queue)
Privilege Isolation / Resources
Resource-based permissions for EC2, announced on July 9th, 2013:
- Assign permissions to EC2 and other resources: instance, snapshot, volume
- Combine with existing permissions and policies based on EC2 actions to create extremely fine-grained policies for managing AWS resources
- Leverage tagging and attribute-driven conditions: tags such as Production or AppName; overlay organizational structure such as cost centers or departments; require dedicated tenancy as a condition
- Available resources and conditions continue to grow
AWS IAM Credentials
require 'rubygems'
require 'aws-sdk'

# Long-lived IAM user keys embedded in source: the anti-pattern the
# next slides replace with roles. (Both values are the AWS example keys.)
s3 = AWS::S3.new(
  :access_key_id     => 'AKIAIOSFODNN7EXAMPLE',
  :secret_access_key => 'wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY')

document = s3.buckets['text-content'].objects['db-backup-schedule.txt']

File.open("local-file.txt", "w") do |f|
  f.write(document.read)
end
IAM Roles / EC2 Role
Instance profile: an identity for the instance itself.
Available to all applications and users on the host, so the role's permissions are the blast radius of any process on that instance; scope them to what the host actually does.
IAM Roles / Instance Metadata Service
- Entitlements of the credentials = the IAM role's policy
- Short-lived, with an expiration
- Managed rotation
- No stored credentials!
AWS SDK Credential Chain
Sources are tried in this order:
1. Static credentials provided to the AWS.config method, e.g. AWS.config(:access_key_id => '...', :secret_access_key => '...')
2. Environment variables ('AWS' prefix): ENV['AWS_ACCESS_KEY'] and ENV['AWS_SECRET_ACCESS_KEY']
3. Environment variables ('AMAZON' prefix): ENV['AMAZON_ACCESS_KEY'] and ENV['AMAZON_SECRET_ACCESS_KEY']
4. Instance Metadata Service, which provides the credentials associated with the IAM role for the EC2 instance
AWS IAM Credentials / EC2 Roles
require 'rubygems'
require 'aws-sdk'

# No keys in the code: the SDK's credential chain falls through to the
# instance's IAM role via the metadata service.
#s3 = AWS::S3.new(
#  :access_key_id     => 'AKIAIOSFODNN7EXAMPLE',
#  :secret_access_key => 'wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY')

s3 = AWS::S3.new()

document = s3.buckets['text-content'].objects['db-backup-schedule.txt']

File.open("local-file.txt", "w") do |f|
  f.write(document.read)
end

What the instance sees when it asks the metadata service for the credentials of its role (here a role named dba):

[ec2-user@ip-172-16-1-153 ~]$ curl http://169.254.169.254/latest/meta-data/iam/security-credentials/dba
{
  "Code" : "Success",
  "LastUpdated" : "2013-10-09T04:20:10Z",
  "Type" : "AWS-HMAC",
  "AccessKeyId" : "EXAMPLEACCESSID12345",
  "SecretAccessKey" : "/1e2x3a4m5p6l7esecretAccessK3y+321987",
  "Token" : "AQoDYXdzEIX//////////wEaoAJJ2rZZJat9wVl3Hub/ALObuZoLeOxLs48WqL0D0muqK9iMRrfAWQlhOtVzygfuRkLzAbKj3FUcNez6kqy/ljzkr461omlbvt1lurmgkzhgww8iqks1owrv1k3vebbk6ippjjnvzxgt0x9o8maomh989ejnwuzq6w6qq9ufopczc9dcvgbo87b5Lo1yOJTnghyQI6XDqyImrUx+NMgQU2bOGiXyQ7RiWyhdkUXgBh4tuipsO4Q6XUE189NM0EKkeSDsKdzl/H+WX+IihSnYjjaLWHr6wSBVbmudoLb8RqE/urMGWhEolZuiXMGYvWOdau9MBkXF+4ciqlGx7mff6rOQoLqMzAhz4hWbEMOciVD7oUo3HvG/lLo4JOUyBEBHkJwglrPTkgU=",
  "Expiration" : "2013-10-09T10:24:32Z"
}
[ec2-user@ip-172-16-1-153 ~]$

Any process on the host that can reach 169.254.169.254 can read this document, including an application coerced into making the request on an attacker's behalf. AWS later added IMDSv2, which requires a session token obtained with a PUT request before the endpoint answers, precisely to make this harder to reach through a proxied or forged GET.
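The following is an added example, not code from the deck or from the AWS SDK: it implements the credential chain of the previous slide with the same precedence (static config, AWS_* environment, AMAZON_* environment, instance metadata), parses a metadata response shaped like the one above, and decides when role credentials must be re-read before they expire. The metadata fetcher is injected so the example runs offline; IMDS_DOC is a constructed stand-in for the real HTTP response, and CredentialChain, needs_refresh? and REFRESH_MARGIN are names chosen for this example.

```ruby
require 'json'
require 'time'

# Added example (not code from the deck or the SDK): the credential chain
# the slides describe, with the instance-metadata step injectable so it runs
# offline. On EC2 the fetcher would GET
# http://169.254.169.254/latest/meta-data/iam/security-credentials/<role>.
class CredentialChain
  Credentials = Struct.new(:access_key_id, :secret_access_key, :session_token,
                           :expiration, :source) do
    # Role credentials from the metadata service always carry a session token.
    def temporary?
      !session_token.nil?
    end

    # Seconds until expiry; nil for long-lived user keys, which never expire on their own.
    def seconds_remaining(now = Time.now.utc)
      expiration && (expiration - now)
    end
  end

  REFRESH_MARGIN = 5 * 60 # re-read role credentials 5 minutes before they expire (assumed margin)

  # config: static keys an application might pass (the anti-pattern);
  # env: a Hash-like of environment variables; imds_fetch: a callable that
  # returns the metadata-service JSON document, or nil when not on EC2.
  def initialize(config: {}, env: ENV, imds_fetch: nil)
    @config, @env, @imds_fetch = config, env, imds_fetch
  end

  # Same precedence as the SDK: static config, AWS_* env, AMAZON_* env, then IMDS.
  def resolve
    from_config || from_env('AWS') || from_env('AMAZON') || from_imds ||
      raise('no credentials in config, environment or instance metadata')
  end

  # Role credentials rotate; a caller must fetch fresh ones before Expiration
  # rather than caching them to disk.
  def self.needs_refresh?(creds, now = Time.now.utc)
    creds.temporary? && creds.seconds_remaining(now) < REFRESH_MARGIN
  end

  private

  def from_config
    return nil unless @config[:access_key_id] && @config[:secret_access_key]
    Credentials.new(@config[:access_key_id], @config[:secret_access_key], nil, nil, :config)
  end

  def from_env(prefix)
    key, secret = @env["#{prefix}_ACCESS_KEY"], @env["#{prefix}_SECRET_ACCESS_KEY"]
    return nil unless key && secret
    Credentials.new(key, secret, nil, nil, :"env_#{prefix.downcase}")
  end

  def from_imds
    return nil unless @imds_fetch
    doc = JSON.parse(@imds_fetch.call)
    return nil unless doc['Code'] == 'Success'
    Credentials.new(doc['AccessKeyId'], doc['SecretAccessKey'], doc['Token'],
                    Time.iso8601(doc['Expiration']).utc, :imds)
  end
end

# Constructed stand-in for the metadata-service response; the values mirror
# the deck's example and the token is shortened.
IMDS_DOC = {
  'Code' => 'Success', 'LastUpdated' => '2013-10-09T04:20:10Z', 'Type' => 'AWS-HMAC',
  'AccessKeyId' => 'EXAMPLEACCESSID12345',
  'SecretAccessKey' => '/1e2x3a4m5p6l7esecretAccessK3y+321987',
  'Token' => 'AQoDYXdzEIX//////////EXAMPLETOKEN',
  'Expiration' => '2013-10-09T10:24:32Z'
}.to_json

if __FILE__ == $PROGRAM_NAME
  creds = CredentialChain.new(env: {}, imds_fetch: -> { IMDS_DOC }).resolve
  at = Time.utc(2013, 10, 9, 4, 20, 10)
  puts "source=#{creds.source} temporary=#{creds.temporary?} " \
       "expires_in=#{creds.seconds_remaining(at).to_i}s " \
       "refresh_now=#{CredentialChain.needs_refresh?(creds, at)}"
end
```

The point of the design is the order: anything earlier in the chain silently overrides the role, so a stray AWS_ACCESS_KEY left in an instance's environment wins over the short-lived, rotated credentials the slide is advocating.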
Roles for EC2 / 3 Use Cases
Bastion Host Role
- Eliminates need for individual IAM credentials
- Reduces or eliminates need for federation
- Combine with auditing of shell commands
- Control access by host / purpose
Web Application Access Role
- Eliminates need for storing IAM credentials in config files
- Addresses key distribution and app deployment/bootstrap patterns (get secrets for database access, private keys for mutual auth, etc.)
- Can't check secrets into GitHub or Perforce if there aren't any
- Easier coding, faster coding, more features
Security Auditing Role
- Read-only access to AWS assets
- Census picture of all assets (feed scanning & SIEM reconciliation)
- RDS & Redshift query and connection auditing
- Change detection of vital objects
Security Auditing Role / EC2 Read-only Policy
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "ec2:DescribeAddresses",
        "ec2:DescribeImageAttribute",
        "ec2:DescribeImages",
        "ec2:DescribeInstanceAttribute",
        "ec2:DescribeInstanceStatus",
        "ec2:DescribeInstances",
        "ec2:DescribeNetworkAcls",
        "ec2:DescribeNetworkInterfaceAttribute",
        "ec2:DescribeNetworkInterfaces",
        "ec2:DescribeRouteTables",
        "ec2:DescribeSecurityGroups",
        "ec2:DescribeSubnets",
        "ec2:DescribeVpcs"
      ],
      "Resource": [
        "*"
      ],
      "Effect": "Allow"
    }
  ]
}
Resource is "*" because the EC2 Describe* calls do not accept resource-level restrictions; the statement lists only Describe actions, so the auditing role can inventory everything and change nothing.
Security Auditing Role / RDS Read-only Policy
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "rds:DescribeDBInstances",
        "rds:DescribeDBLogFiles",
        "rds:DescribeDBParameterGroups",
        "rds:DescribeDBParameters",
        "rds:DownloadDBLogFilePortion"
      ],
      "Resource": [
        "*"
      ],
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "rds:db-tag/environment": [
            "prod",
            "dr"
          ]
        }
      }
    }
  ]
}
The Condition limits the grant to instances tagged environment=prod or environment=dr. StringEquals is case-sensitive on both the tag key and its value, so instances tagged inconsistently simply fall outside the audit role's view.
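To make the policy structure of the earlier slide (Effect, Action, Resource, Condition) and this RDS policy concrete, here is an added example that is not code from the deck or from AWS: a small evaluator for the subset of IAM semantics a reader needs to reason about such policies. It implements default deny, explicit Deny overriding Allow, "*" and "?" wildcards, case-insensitive action names, and the StringEquals / StringNotEquals operators against request context keys. The class name PolicyEvaluator, the DB_ARN value and the DENY_OVERRIDES_POLICY document are assumptions made for the example; RDS_AUDIT_POLICY is the deck's policy with canonical action names.

```ruby
require 'json'

# Added example (not from the deck or AWS): evaluates Effect / Action /
# Resource / Condition statements for one request. Default deny, explicit
# Deny beats Allow, '*' and '?' wildcards, case-insensitive action names,
# StringEquals / StringNotEquals on context keys. The rds:db-tag/<key>
# context keys are the ones RDS derives from the instance's tags.
class PolicyEvaluator
  def initialize(policy_json)
    st = JSON.parse(policy_json).fetch('Statement')
    @statements = st.is_a?(Array) ? st : [st]   # a single statement may be a bare object
  end

  # context: condition keys present on the request, e.g.
  # { 'rds:db-tag/environment' => 'prod' }; keys absent from the request are missing.
  def allowed?(action, resource, context = {})
    decision = :deny
    @statements.each do |st|
      next unless match_any?(st['Action'], action, ignore_case: true)
      next unless match_any?(st['Resource'], resource, ignore_case: false)
      next unless conditions_met?(st['Condition'], context)
      return false if st['Effect'] == 'Deny'   # an explicit deny is final
      decision = :allow if st['Effect'] == 'Allow'
    end
    decision == :allow
  end

  private

  def match_any?(patterns, value, ignore_case:)
    Array(patterns).any? { |p| glob_match?(p, value, ignore_case) }
  end

  # IAM's '*' matches any run of characters and '?' exactly one character.
  def glob_match?(pattern, value, ignore_case)
    body = Regexp.escape(pattern).gsub('\*', '.*').gsub('\?', '.')
    Regexp.new("\\A#{body}\\z", ignore_case ? Regexp::IGNORECASE : 0).match?(value)
  end

  def conditions_met?(condition, context)
    return true if condition.nil? || condition.empty?
    condition.all? do |operator, pairs|
      pairs.all? do |key, expected|
        actual = context[key]
        case operator
        when 'StringEquals'     # a missing key fails the condition (no ...IfExists here)
          !actual.nil? && Array(expected).include?(actual)
        when 'StringNotEquals'  # negated operators are satisfied when the key is missing
          actual.nil? || !Array(expected).include?(actual)
        else
          raise ArgumentError, "operator #{operator} not implemented in this example"
        end
      end
    end
  end
end

# The deck's RDS auditing policy with canonical action names.
RDS_AUDIT_POLICY = <<~'JSON'
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Action": [
          "rds:DescribeDBInstances",
          "rds:DescribeDBLogFiles",
          "rds:DescribeDBParameterGroups",
          "rds:DescribeDBParameters",
          "rds:DownloadDBLogFilePortion"
        ],
        "Resource": ["*"],
        "Condition": { "StringEquals": { "rds:db-tag/environment": ["prod", "dr"] } }
      }
    ]
  }
JSON

# Constructed companion policy (not from the deck): a broad Allow with a
# narrower explicit Deny, to show that Deny wins regardless of order.
DENY_OVERRIDES_POLICY = <<~'JSON'
  {
    "Version": "2012-10-17",
    "Statement": [
      { "Effect": "Allow", "Action": "rds:*", "Resource": "*" },
      { "Effect": "Deny",  "Action": ["rds:Delete*", "rds:Modify*"], "Resource": "*" }
    ]
  }
JSON

DB_ARN = 'arn:aws:rds:us-east-1:123456789012:db:rdsexample' # constructed ARN

if __FILE__ == $PROGRAM_NAME
  audit = PolicyEvaluator.new(RDS_AUDIT_POLICY)
  puts "prod log download: #{audit.allowed?('rds:DownloadDBLogFilePortion', DB_ARN, 'rds:db-tag/environment' => 'prod')}"
  puts "dev log download:  #{audit.allowed?('rds:DownloadDBLogFilePortion', DB_ARN, 'rds:db-tag/environment' => 'dev')}"
  puts "prod modify:       #{audit.allowed?('rds:ModifyDBInstance', DB_ARN, 'rds:db-tag/environment' => 'prod')}"
end
```

Run against the deck's policy this shows the two things an auditor cares about: a request on an instance tagged dev, or with no environment tag at all, is denied even though the action is in the list, and no statement ever reaches a non-Describe action.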
Security Auditing Role / RDS Read-only Policy
#!/usr/bin/env ruby

require 'rubygems'
require 'aws-sdk'

# Credentials come from the auditing role via the instance metadata service;
# none are in the script.
rds = AWS::RDS.new(:region => 'us-east-1').client

general = "general/mysql-general.log"
# The API returns one portion at a time; loop on logdata[:marker] while
# logdata[:additional_data_pending] is true to read the whole file.
logdata = rds.download_db_log_file_portion(:db_instance_identifier => "rdsexample",
                                           :log_file_name => general)

puts logdata[:log_file_data]
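The script above only prints the log; the "query and connection auditing" the use case calls for needs something to read it. The following added example (not from the deck or from AWS) parses MySQL general-log text of the kind the script fetches and flags failed logins, logins by accounts outside an allow list, and privilege-changing statements. It assumes the classic 5.6 general-log layout (a YYMMDD H:MM:SS timestamp, omitted on lines within the same second, then thread id, command and argument, tab-separated) and also accepts the ISO 8601 timestamps of newer servers; SAMPLE_LOG is constructed, and the detection rules are illustrative choices, not an RDS feature.

```ruby
require 'time'

# Added example (not from the deck): auditing the MySQL general log that the
# slide's script downloads. Handles the classic "YYMMDD H:MM:SS" timestamp
# (lines in the same second omit it) and the ISO 8601 form of newer servers.
LINE_RE = /\A(?<ts>\d{6}\s+\d{1,2}:\d{2}:\d{2}|\d{4}-\d{2}-\d{2}T[\d:.]+Z)?\s*(?<id>\d+)\s+(?<cmd>\w+)\t?(?<arg>.*)\z/
OLD_TS_RE = /\A(\d{2})(\d{2})(\d{2})\s+(\d{1,2}):(\d{2}):(\d{2})\z/
DENIED_RE = /Access denied for user '([^']*)'@'([^']*)'/
CONNECT_RE = /\A(\S+?)@(\S+)(?: as \S+)? on (\S*)/
# Statements that change who can log in or what they may do (illustrative rule).
PRIV_CHANGE_RE = /\A\s*(GRANT|REVOKE|CREATE\s+USER|DROP\s+USER|ALTER\s+USER|SET\s+PASSWORD)\b/i

def parse_timestamp(ts)
  m = OLD_TS_RE.match(ts)
  return Time.iso8601(ts).utc unless m
  yy, mo, dd, hh, mi, ss = m.captures.map(&:to_i)
  Time.utc(2000 + yy, mo, dd, hh, mi, ss)
end

# One record per Connect: {id, time, user, host, db, denied, queries}.
# Thread ids are reused after Quit, so a session is tracked by id only
# until its Quit is seen.
def parse_general_log(text)
  live, sessions, last_time = {}, [], nil
  text.each_line do |raw|
    m = LINE_RE.match(raw.chomp)
    next unless m                      # banner and column-header lines
    last_time = parse_timestamp(m[:ts]) if m[:ts]
    id = m[:id].to_i
    case m[:cmd]
    when 'Connect'
      rec = { id: id, time: last_time, user: nil, host: nil, db: nil, denied: false, queries: [] }
      if (d = DENIED_RE.match(m[:arg]))
        rec[:user], rec[:host], rec[:denied] = d[1], d[2], true
      elsif (c = CONNECT_RE.match(m[:arg]))
        rec[:user], rec[:host], rec[:db] = c[1], c[2], c[3]
      end
      live[id] = rec
      sessions << rec
    when 'Query'
      live[id][:queries] << { time: last_time, sql: m[:arg] } if live[id]
    when 'Quit'
      live.delete(id)
    end
  end
  sessions
end

# Findings: failed logins, successful logins by accounts outside the allow
# list, and privilege-changing statements, in log order.
def audit_general_log(text, allowed_users:)
  parse_general_log(text).flat_map do |s|
    findings = []
    if s[:denied]
      findings << { rule: :failed_login, time: s[:time], user: s[:user], host: s[:host] }
    else
      findings << { rule: :unexpected_user, time: s[:time], user: s[:user], host: s[:host] } unless allowed_users.include?(s[:user])
      s[:queries].each do |q|
        findings << { rule: :privilege_change, time: q[:time], user: s[:user], host: s[:host], sql: q[:sql] } if PRIV_CHANGE_RE.match?(q[:sql])
      end
    end
    findings
  end
end

# Constructed sample in the 5.6 general-log layout (tabs separate the fields).
SAMPLE_LOG = [
  "/rdsdbbin/mysql/bin/mysqld, Version: 5.6.13-log (MySQL Community Server (GPL)). started with:",
  "Tcp port: 3306  Unix socket: /tmp/mysql.sock",
  "Time                 Id Command    Argument",
  "131009  4:20:10\t   12 Connect\tappuser@10.0.1.5 on orders",
  "\t\t   12 Query\tselect @@version_comment limit 1",
  "131009  4:20:15\t   12 Query\tSELECT id, total FROM orders WHERE customer_id = 7",
  "\t\t   12 Quit\t",
  "131009  4:21:02\t   13 Connect\tAccess denied for user 'root'@'203.0.113.9' (using password: YES)",
  "131009  4:22:30\t   14 Connect\tdba@10.0.1.7 on mysql",
  "\t\t   14 Query\tGRANT ALL PRIVILEGES ON *.* TO 'backdoor'@'%' IDENTIFIED BY 'x'",
  "\t\t   14 Quit\t",
  ""
].join("\n")

if __FILE__ == $PROGRAM_NAME
  audit_general_log(SAMPLE_LOG, allowed_users: %w[appuser dba]).each do |f|
    puts "#{f[:time].iso8601} #{f[:rule]} #{f[:user]}@#{f[:host]} #{f[:sql]}"
  end
end
```

Feed the script's logdata[:log_file_data] in place of SAMPLE_LOG to run this over a real download. Because the general log records every statement, it is large and itself sensitive; the auditing role's read-only grant is what keeps this pipeline from being able to tamper with the evidence it reads.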
Thank You!
Bill Shinn, Principal Security Solutions Architect