Accelerating your Business with Security


Accelerating your Business with Security. Dave Walker, Specialist Solutions Architect, Security and Compliance. 31/10/17. 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

What to Expect from the Session
- Existing Multi-Account Strategies, and Multi-Account Planning
- Organizations
- Compliance and Scoping (and Artifact)
- EC2 Systems Manager
- DDoS and Mitigation with Shield

Start Here

Existing Multi-Account Strategies, and Multi-Account Planning

The Story So Far
- MASCOT: fully role- and identity-managed implementation from ProServe. Presented at re:Invent 2016 in SAC319 (https://www.youtube.com/watch?v=pqq39mzkqxu) and SAC320 (https://www.youtube.com/watch?v=xjtswd8z_be)
- Bertram Dorn's work from 2014: similar structure, but a number of differences (https://youtu.be/cnsajs7pwja)
- Neither covers Organizations (yet)

What Needs Segregating from What? Obvious cases first:
- Read access to Billing and Log records from everyone except Auditors and Security... and even then, access should be limited to appropriate cases; consider evidential weight
- Prod from Dev, Test and Staging: remember Knight Capital? Also "bug ringfencing"
- Compliance in-scope from out-of-scope: auditors need to see a hard scope boundary; you will want to keep in-scope as small as possible; use both AWS Accounts and VPCs for this

What Needs Segregating from What? Less obvious cases:
- Look at your org chart and body of policies
- Consider how Separation of Duty and Need to Know operate both in and between departments
- Within org charts, policy, compliance scoping, and the need to ringfence dev accounts where bugs could impact API access, lie the answers to "how many AWS Organizations / KMS CMKs / AWS accounts... do I need?"

Organizations

In the beginning: your AWS account, and you.

Today: cross-account resource access. A Dev Account, Data Science Account, Jump Account, Prod Account and Audit Account, with you and your Cloud Team connected to them through cross-account trusts.

What do customers want to do? Use AWS account boundaries for isolation. Centrally manage policies across many accounts. Delegate permissions, but maintain guardrails. See combined view of all charges.

Introducing AWS Organizations: policy-based management for multiple AWS accounts. Control AWS service use across accounts; automate AWS account creation; consolidate billing.

Typical Use Cases Control the use of AWS services to help comply with corporate security and compliance policies. Service Control Policies (SCPs) help you centrally control AWS service use across multiple AWS accounts. Ensure that entities in your accounts can use only the services that meet your corporate security and compliance policy requirements.

Typical Use Cases Automate the creation of AWS accounts for different resources. API-driven AWS account creation. Use APIs to add the new account to a group and attach service control policies. Use the API response to trigger additional automation (e.g. deploy a CloudFormation template).

Typical Use Cases Create different groups of accounts for development and production resources. Organise groups into a hierarchy. Apply different policies to each group. Alternatively, group according to lines of business or other desired dimensions.

Key Features Policy framework for multiple AWS accounts. Group-based account management. Account creation and management APIs. Consolidated billing for all AWS accounts in your organization. Enable Consolidated Billing Only or All Features.

How is Organizations different from IAM? Create groups of AWS accounts with AWS Organizations. Use Organizations to attach SCPs to those groups to centrally control AWS service use. Entities in the AWS accounts can only use the AWS services allowed by both the SCP and the AWS IAM policy for the account.

How to get started? Revisit or create your account segmentation strategy. Decide which type of organization is right for you. Organize your AWS accounts according to it. Test & begin to apply SCPs slowly. Iterate on SCPs to achieve your desired state.

Pricing & Availability Available at no additional charge. Global service. Accessed through endpoint in N. Virginia region.

Service Control Policies (SCPs)
- Enable you to control which AWS service APIs are accessible: define the list of APIs that are allowed (whitelisting), or define the list of APIs that must be blocked (blacklisting)
- Cannot be overridden by a local administrator
- The resultant permission on an IAM user/role is the intersection between the SCP and the assigned IAM permissions: an SCP allow is necessary but not sufficient
- The IAM policy simulator is SCP aware

Blacklisting example (allow everything, then deny Redshift):

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": "*",
          "Resource": "*"
        },
        {
          "Effect": "Deny",
          "Action": "redshift:*",
          "Resource": "*"
        }
      ]
    }

Whitelisting example (allow only the listed EC2 calls):

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "ec2:RunInstances",
            "ec2:DescribeInstances",
            "ec2:DescribeImages",
            "ec2:DescribeKeyPairs",
            "ec2:DescribeVpcs",
            "ec2:DescribeSubnets",
            "ec2:DescribeSecurityGroups"
          ],
          "Resource": "*"
        }
      ]
    }
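The slides state the rule twice: an action goes through only if both the SCP and the IAM policy allow it, and an SCP allow is "necessary but not sufficient". The following is an added example (not code from the deck or from AWS) that models that intersection over the two SCP documents above plus two constructed IAM policies. It is a deliberate simplification: it matches on Action only, ignores Resource and Condition elements, and leaves out permission boundaries, resource policies and session policies that the real IAM evaluation also consults. The IAM policy simulator remains the authoritative check.

```python
"""Simplified model of how an SCP combines with an IAM policy.

Added example, not from the AWS deck: an action is permitted only when
BOTH the SCP and the IAM policy allow it. Only the Action element is
evaluated; the IAM policies below are constructed for illustration.
"""
from fnmatch import fnmatchcase

# The deck's blacklisting SCP: allow everything, deny all of Redshift.
BLACKLIST_SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Effect": "Deny", "Action": "redshift:*", "Resource": "*"},
    ],
}

# The deck's whitelisting SCP: only a handful of EC2 calls are reachable.
WHITELIST_SCP = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["ec2:RunInstances", "ec2:DescribeInstances",
                   "ec2:DescribeImages", "ec2:DescribeKeyPairs",
                   "ec2:DescribeVpcs", "ec2:DescribeSubnets",
                   "ec2:DescribeSecurityGroups"],
        "Resource": "*",
    }],
}

# Constructed IAM policy: a "local administrator" with full access.
ADMIN_IAM = {"Version": "2012-10-17",
             "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}

# Constructed IAM policy: EC2 describe calls and S3 reads only.
READONLY_IAM = {"Version": "2012-10-17",
                "Statement": [{"Effect": "Allow",
                               "Action": ["ec2:Describe*", "s3:Get*"],
                               "Resource": "*"}]}


def _matches(pattern, action):
    """IAM action names match case-insensitively; '*' and '?' are wildcards."""
    return fnmatchcase(action.lower(), pattern.lower())


def policy_allows(policy, action):
    """Evaluate one policy document for one action.

    An explicit Deny on a matching statement wins over any Allow; with no
    matching Allow at all the result is an implicit deny.
    """
    allowed = False
    for stmt in policy["Statement"]:
        actions = stmt["Action"]
        if isinstance(actions, str):
            actions = [actions]
        if any(_matches(p, action) for p in actions):
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def effective_allow(scp, iam_policy, action):
    """Resultant permission is the intersection: SCP allows AND IAM allows."""
    return policy_allows(scp, action) and policy_allows(iam_policy, action)


def explain(scp, iam_policy, action):
    """One-line verdict showing which side denied a call (useful when debugging)."""
    scp_ok = policy_allows(scp, action)
    iam_ok = policy_allows(iam_policy, action)
    verdict = "ALLOW" if (scp_ok and iam_ok) else "DENY"
    return (f"{action}: SCP={'allow' if scp_ok else 'deny'} "
            f"IAM={'allow' if iam_ok else 'deny'} -> {verdict}")


if __name__ == "__main__":
    # Even full IAM admin rights cannot override the SCP's Redshift deny.
    for action in ("redshift:CreateCluster", "s3:GetObject", "ec2:TerminateInstances"):
        print(explain(BLACKLIST_SCP, ADMIN_IAM, action))
    # SCP allows ec2:RunInstances, but this IAM policy does not: still denied.
    for action in ("ec2:RunInstances", "ec2:DescribeInstances",
                   "ec2:TerminateInstances", "s3:GetObject"):
        print(explain(WHITELIST_SCP, READONLY_IAM, action))
```

Running the block prints one verdict per call; the interesting rows are the denies where one side allowed: the administrator blocked from Redshift by the SCP, and the read-only role that the whitelist SCP would let run instances but whose own IAM policy does not.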

Best practices: AWS Organizations
1. Monitor activity in the master account using CloudTrail
2. Do not manage resources in the master account
3. Manage your organization using the principle of least privilege
4. Use OUs to assign controls
5. Test controls on a single AWS account first
6. Only assign controls to the root of the organization if necessary
7. Avoid mixing whitelisting and blacklisting SCPs in an organization
8. Create new AWS accounts for the right reasons

Compliance and Scoping (and Artifact)

The Artifact Service

The Artifact Service: an IAM policy granting read access to the SOC, PCI and ISO report packages only

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "artifact:Get"
          ],
          "Resource": [
            "arn:aws:artifact:::report-package/Certifications and Attestations/SOC/*",
            "arn:aws:artifact:::report-package/Certifications and Attestations/PCI/*",
            "arn:aws:artifact:::report-package/Certifications and Attestations/ISO/*"
          ]
        }
      ]
    }

The Artifact Service: available documents
- C5 (Germany)
- FedRAMP Partner package
- Global Financial Services Regulatory Principles
- IRAP Package (Australia)
- ISO 27001 Certification, Statement of Applicability
- ISO 27017 Certification, Statement of Applicability
- ISO 27018 Certification, Statement of Applicability
- ISO 9001 Certification
- MAS TRM Guidelines Workbook (Singapore)
- PCI DSS Attestation of Compliance and Responsibility Summary (Current and Previous)
- PSN Connection Compliance Certificate (UK)
- PSN Service Provision Compliance Certificate (UK)
- Quality Management System Overview
- SOC 1 Reports (Current and Previous)
- SOC 2 Reports (Current and Previous)
- SOC 2 Report for Confidentiality
- SOC 3
- SOC Continued Operations Letter

EC2 Systems Manager

Amazon EC2 Systems Manager. Announced at re:Invent 2016; see sessions WIN401 (https://www.youtube.com/watch?v=eal9k0aglyi) and WIN402 (https://www.youtube.com/watch?v=l5tglwwi5yo).

Systems Manager Capabilities (grouped on the slide under Configuration/Administration, Shared Capabilities, and Update and Track): Run Command, Maintenance Windows, Automation, Inventory, State Manager, Parameter Store, Patch Manager.

Inventory

Inventory: What we heard
- Accurate software inventory is critical for understanding fleet configuration and license usage
- Legacy solutions not optimised for cloud
- Self-hosting requires additional overhead

Introducing Inventory
- End-to-end inventory collection (EC2 / on-premises / WorkSpaces)
- Linux / Windows
- Powerful query syntax
- Extensible inventory schema
- Integrated with AWS services

Inventory System Diagram: the SSM Agent on EC2 Windows instances, EC2 Linux instances and on-premises instances runs the EC2 Inventory SSM document under State Manager and reports into the Inventory Store of the AWS SSM Service. Results are reached through the EC2 Console and SSM CLI/APIs, and through AWS Config (console and CLI/APIs).

Inventory Getting Started 1. Configure Inventory policy 2. Apply Inventory policy 3. Query inventory

Inventory Configuration: create an Inventory association
1. Select instances (by instance ID or tag)
2. Select scan frequency (hours, minutes, days, NOW)
3. Select Inventory Types to gather: Instance information, Applications, AWS Components, Network configuration, Windows Updates, Custom Inventory

Inventory: Custom Inventory Type. Custom inventory collection is extensible: record any attribute for a given instance. On-premises examples: rack location, BIOS version, firewall settings. Two ways to record custom inventory types:
1. Agent / on-instance: write a cron job that records custom inventory files to a predefined path
2. API: use the PutInventory API
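The "agent / on-instance" route above is a file drop: a scheduled job writes a small JSON document into a directory the SSM Agent reads. The following is an added example (not code from the deck or from the SSM Agent) of such a job: it builds the document, checks the two constraints that commonly trip people up (the type name must carry the Custom: prefix and attribute values must be strings), and writes the file atomically so the agent never picks up a half-written file. The directory layout follows the documented Linux agent path; the instance id and the rack/BIOS/firewall values are constructed placeholders, and the root argument exists only so the code can be exercised off-instance.

```python
"""Record a custom inventory type for SSM Inventory from an on-instance job.

Added example, not code from the AWS deck or the SSM Agent. It writes the
JSON file the agent collects from its custom inventory directory; the
directory layout is the one documented for the Linux agent, and the
instance id and attribute values are constructed placeholders.
"""
import json
import os
import tempfile

# Documented agent directory for custom inventory on Linux.
INVENTORY_DIR_TEMPLATE = "/var/lib/amazon/ssm/{instance_id}/inventory/custom"

# Constructed sample attributes for an on-premises server (the deck's examples).
SAMPLE_ATTRIBUTES = {
    "RackLocation": "DC1-Row3-Rack12",
    "BiosVersion": "2.4.1",
    "FirewallEnabled": "true",
}


def is_valid_type_name(type_name):
    """Custom types are named 'Custom:<Name>' so they cannot collide with AWS types."""
    prefix = "Custom:"
    return type_name.startswith(prefix) and len(type_name) > len(prefix)


def build_custom_inventory(type_name, records):
    """Build one custom inventory document (schema version 1.0).

    Content is a list of flat attribute maps. Inventory stores attribute
    values as strings, so non-string values are rejected here rather than
    silently converted into something the query syntax will not match.
    """
    if not is_valid_type_name(type_name):
        raise ValueError("custom inventory type names must start with 'Custom:'")
    if not isinstance(records, list) or not records:
        raise ValueError("Content must be a non-empty list of attribute maps")
    for record in records:
        for key, value in record.items():
            if not isinstance(value, str):
                raise ValueError(f"attribute {key!r} must be a string, got {type(value).__name__}")
    return {"SchemaVersion": "1.0", "TypeName": type_name, "Content": records}


def write_custom_inventory(type_name, records, instance_id, root="/"):
    """Write <root>/var/lib/amazon/ssm/<instance_id>/inventory/custom/<Name>.json.

    'root' only exists so the function can run outside an instance; on a
    real host leave it at "/".
    """
    doc = build_custom_inventory(type_name, records)
    relative_dir = INVENTORY_DIR_TEMPLATE.format(instance_id=instance_id).lstrip("/")
    directory = os.path.join(root, relative_dir)
    os.makedirs(directory, exist_ok=True)
    path = os.path.join(directory, type_name.split(":", 1)[1] + ".json")
    # Write to a temporary name and rename: the agent never sees a partial file.
    tmp_path = path + ".tmp"
    with open(tmp_path, "w", encoding="utf-8") as fh:
        json.dump(doc, fh, indent=2)
    os.replace(tmp_path, path)
    return path


def demo(root=None):
    """Write the sample record under a scratch root and read it back."""
    root = root or tempfile.mkdtemp()
    path = write_custom_inventory("Custom:RackInfo", [SAMPLE_ATTRIBUTES],
                                  "i-0123456789abcdef0", root=root)
    with open(path, encoding="utf-8") as fh:
        return path, json.load(fh)


if __name__ == "__main__":
    written_path, document = demo()
    print(written_path)
    print(json.dumps(document, indent=2))
```

Once the file is in place, the next Inventory scan picks the type up and it becomes queryable alongside the built-in types; recording inventory changes through AWS Config then gives a history of, for example, BIOS version changes across the fleet.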

Inventory Manager Query: search by inventory attribute, with partial and inverse searches, e.g. "Windows 2012 R2 instances running SQL Server 2016 where Windows Update KB112342 is not installed". Integration with AWS Config: record inventory changes over time, and use AWS Config Rules to monitor changes and notify.

State Manager

State Manager: maintain a consistent state of instances. Reapply to keep instances from drifting. Easily view the status of configuration changes. Define a schedule: ad hoc or periodic. Track aggregate status for your fleet.

State Manager: getting started
- Document: author your intent
- Target: instances or tag queries
- Association: binding between a document and a target
- Schedule: when to apply your association
- Status: check the state of your association at an aggregate or instance level

Creating an Association (the slide's command, with the CLI quoting and the cron expression repaired):

    aws ssm create-association \
        --document-name WebServerDocument \
        --document-version '$DEFAULT' \
        --schedule-expression 'cron(0 */30 * * * ? *)' \
        --targets Key=tag:Name,Values=WebServer \
        --output-location '{"S3Location": {"OutputS3Region": "us-east-1", "OutputS3BucketName": "MyBucket", "OutputS3KeyPrefix": "MyPrefix"}}'

Configures all instances that match the tag query and reapplies every 30 minutes.

Automation

CI/CD for DevOps (pipeline diagram): Dev commits code, config and tests to Git master; CloudFormation templates for the environment are generated from the repo. The CI server pulls the code and config, packages and builds (distributed builds), runs tests in parallel, creates AMIs, and deploys through the Test, Staging and Prod environments. A build report goes back to Dev; everything stops if the build failed.

CI/CD for DevSecOps (pipeline diagram): the same flow with security gates added. CloudFormation templates for the environment are validated before use; version control is continuously scanned; the CI server audits/validates what it pulls; AMIs are checksummed and logged for audit; a promote process governs movement through Test, Staging and Prod. The build report goes to Security; everything stops if audit/validation failed.

Automation

Automation: What we heard. Automation pain point: AMI building. Triggers: patching, hardening, application bake-in. Never-ending; time consuming, especially when builds fail; overhead of maintaining a build service.

Introducing Automation: a simplified automation solution. Perfect for AMI updates, instance deployment and config. Pro-active event notifications. AWS optimised (EC2 Run Command, AWS Lambda, AWS CloudTrail, IAM, and Amazon CloudWatch integrations).

Automation Getting Started 1. Create an automation document 2. Run automation 3. Monitor your automation

Automation - Documents: input and output parameters. Create default values, or assign them at run-time. Parameter Store integration. System variables: DATE, DATE_TIME, REGION, EXECUTION_ID.

Document parameter examples:
- sourceAmiId, default value {{ssm:sourceAmi}}
- targetAmiName, default value patchedAmi-{{global:DATE_TIME}}

Automation - Documents: automation steps. Action types: runinstances, changeinstancestate, createami, runcommand, invokelambdafunction. Flow control: retries, timeouts, continue/abort. Public Automation Documents: AWS-UpdateWindowsAmi, AWS-UpdateLinuxAmi.

Automation IAM Setup
1. Create a Service Role for Automation: permission for the Automation service to operate in your account
2. Attach a PassRole policy to the user's account
3. Launch instances with the SSM role (AmazonEC2RoleforSSM)

Automation Monitoring Amazon CloudWatch Events Publish notifications to an Amazon SNS topic Step-level & automation-level notifications

Parameter Store

Parameter Store: centrally store and find configuration data. Repeatable, automatable management (e.g. SQL connection strings, passwords, cryptographic keys). Granular access control over who can view, use and edit values. Encrypt sensitive data using your own AWS KMS keys.

Parameter Store: getting started
- Parameter: key-value pair
- Secure Strings: encrypt sensitive parameters with your own KMS key or the default account encryption key
- Reuse: in Documents, and easily referenced at runtime across EC2 Systems Manager using {{ssm:parameter-name}}
- Access Control: create an IAM policy to control access to specific parameters

Creating and using a parameter (the slide's commands, with the CLI flags and quoting repaired; the slide pastes the PEM text inline, here it is read from a file):

    $ aws ssm put-parameter \
        --name myprivatekey \
        --type SecureString \
        --value file://private.key \
        --key-id <KMS key id>

    $ aws ssm send-command \
        --document-name AWS-RunShellScript \
        --comment "Insert-Websvr-Private-Key" \
        --parameters 'commands=["cat {{ssm:myprivatekey}} > /etc/apache2/keys/private.key","chmod 400 /etc/apache2/keys/private.key","chown webserver:webserver /etc/apache2/keys/private.key"]' \
        --targets Key=tag:Name,Values=WebServer

DDoS Mitigation with Shield

DDoS and Mitigation with Shield Distributed Denial Of Service

Types of DDoS attacks

Types of DDoS attacks Volumetric DDoS attacks Congest networks by flooding them with more traffic than they are able to handle (e.g., UDP reflection attacks)

Types of DDoS attacks State-exhaustion DDoS attacks Abuse protocols to stress systems like firewalls, IPS, or load balancers (e.g., TCP SYN flood)

Types of DDoS attacks Application-layer DDoS attacks Use well-formed but malicious requests to circumvent mitigation and consume application resources (e.g., HTTP GET, DNS query floods)

DDoS attack trends (chart): Volumetric 65%, State exhaustion 18%, Application layer 18%.

Challenges in mitigating DDoS attacks

Challenges in mitigating DDoS attacks: difficult to enable; complex set-up; provisioning bandwidth capacity; application re-architecture.

DDoS protections built into AWS Integrated into the AWS global infrastructure Always-on, fast mitigation without external routing Redundant Internet connectivity in AWS data centres

DDoS protections built into AWS
- Protection against the most common infrastructure attacks
- SYN/ACK floods, UDP floods, reflection attacks, etc.
- No additional cost
(Diagram: DDoS attack traffic and user traffic both pass through the DDoS mitigation systems.)

AWS Shield A Managed DDoS Protection Service

AWS Shield. Standard Protection: available to ALL AWS customers at no additional cost. Advanced Protection: paid service that provides additional protections, features and benefits.

AWS Shield: four key pillars
- AWS Integration: DDoS protection without infrastructure changes
- Always-On Detection and Mitigation: minimize impact on application latency
- Affordable: don't force unnecessary trade-offs between cost and availability
- Flexible: customize protections for your applications

AWS Shield Standard

AWS Shield Standard. Layer 3/4 protection: automatic detection and mitigation; protection from the most common attacks (SYN/UDP floods, reflection attacks, etc.). Layer 7 protection: AWS WAF for Layer 7 DDoS attack mitigation; self-service and pay-as-you-go; built into AWS services.

AWS Shield Standard Better protection than ever for your applications running on AWS Improved mitigations using proprietary BlackWatch systems Additional mitigation capacity Commitment to continuously improve detection and mitigation Still at no additional cost

AWS Shield Advanced Managed DDoS Protection

AWS Shield Advanced is available today on: Application Load Balancer, Classic Load Balancer, Amazon CloudFront, Amazon Route 53.

AWS Shield Advanced is available today in: US East (N. Virginia) us-east-1, US West (Oregon) us-west-2, EU (Ireland) eu-west-1, Asia Pacific (Tokyo) ap-northeast-1.

AWS Shield Advanced: announcing AWS WAF for Application Load Balancer. (Diagram: valid users reach the Application Load Balancer through AWS WAF; attackers are blocked at AWS WAF.)

AWS Shield Advanced Always-on monitoring & detection AWS bill protection Advanced L3/4 & L7 DDoS protection 24x7 access to DDoS Response Team Attack notification and reporting


Always-on monitoring and detection Network flow monitoring Application traffic monitoring

Always-on monitoring and detection Signature based detection Heuristics-based anomaly detection Baselining

Always-on monitoring and detection: heuristics-based anomaly detection. Detects anomalies based on attributes such as source IP, source ASN, traffic levels and validated sources.

Always-on monitoring and detection: baselining. Continuously baselining normal traffic patterns: HTTP requests per second, source IP address, URLs, User-Agents.


Advanced DDoS protection Layer 3/4 infrastructure protection Layer 7 application protection


Layer 3/4 infrastructure protection: advanced mitigation techniques. Deterministic filtering; traffic prioritisation based on scoring; advanced routing policies.

Layer 3/4 infrastructure protection: deterministic filtering. Automatically filters malformed TCP packets: IP checksum, TCP valid flags, UDP payload length, DNS request validation.
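Deterministic filtering is the cheap first stage: a packet that cannot be valid is dropped before any scoring or baselining is spent on it. The following is an added example (not AWS code, and not how BlackWatch is implemented) showing three of the four checks the slide names over raw IPv4 packets: the header checksum, TCP flag combinations that never occur in legitimate traffic, and UDP length consistency. DNS request validation is not included. The packets are constructed inline with the helper functions at the bottom.

```python
"""Deterministic sanity checks for IPv4/TCP/UDP packets.

Added example, not AWS code: returns the reason a packet would be discarded,
or None if it passes the checksum, TCP flag and UDP length checks. The
sample packets are constructed in build_ipv4/tcp_segment/udp_datagram.
"""
import struct

# TCP flag bits in the low byte of the flags field (RFC 793 order).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def ipv4_checksum(header):
    """RFC 791 one's-complement sum of the header with its checksum field zeroed."""
    hdr = bytearray(header)
    hdr[10:12] = b"\x00\x00"
    if len(hdr) % 2:
        hdr.append(0)
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), bytes(hdr)))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def tcp_flags_valid(flags):
    """Reject flag combinations no legitimate stack emits (null, SYN+FIN, SYN+RST, lone FIN)."""
    if flags & 0x3F == 0:
        return False
    if flags & SYN and flags & (FIN | RST):
        return False
    if flags & FIN and not flags & ACK:
        return False
    return True


def check_packet(pkt):
    """Return None if the packet passes, otherwise a short reason string."""
    if len(pkt) < 20:
        return "truncated IPv4 header"
    if pkt[0] >> 4 != 4:
        return "not IPv4"
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl:
        return "bad IHL"
    if struct.unpack("!H", pkt[2:4])[0] != len(pkt):
        return "total length mismatch"
    if struct.unpack("!H", pkt[10:12])[0] != ipv4_checksum(pkt[:ihl]):
        return "bad IP checksum"
    proto, payload = pkt[9], pkt[ihl:]
    if proto == 6:                       # TCP
        if len(payload) < 20:
            return "truncated TCP header"
        flags = payload[13]
        if not tcp_flags_valid(flags):
            return "invalid TCP flags 0x%02x" % flags
    elif proto == 17:                    # UDP
        if len(payload) < 8:
            return "truncated UDP header"
        udp_len = struct.unpack("!H", payload[4:6])[0]
        if udp_len < 8 or udp_len != len(payload):
            return "UDP length mismatch"
    return None


def build_ipv4(proto, payload, fix_checksum=True):
    """Constructed 20-byte IPv4 header (no options) around payload; addresses are documentation ranges."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0x4000,
                      64, proto, 0, bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7]))
    if fix_checksum:
        hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload


def tcp_segment(flags):
    """Minimal 20-byte TCP header carrying the given flags (ports and sequence numbers constructed)."""
    return struct.pack("!HHIIBBHHH", 40000, 443, 1, 0, 5 << 4, flags, 65535, 0, 0)


def udp_datagram(data, length=None):
    """UDP header plus data; 'length' lets a caller forge an inconsistent length field."""
    length = 8 + len(data) if length is None else length
    return struct.pack("!HHHH", 40000, 53, length, 0) + data


if __name__ == "__main__":
    samples = {
        "tcp syn": build_ipv4(6, tcp_segment(SYN)),
        "tcp syn+fin": build_ipv4(6, tcp_segment(SYN | FIN)),
        "tcp null flags": build_ipv4(6, tcp_segment(0)),
        "tcp ack, bad checksum": build_ipv4(6, tcp_segment(ACK), fix_checksum=False),
        "udp ok": build_ipv4(17, udp_datagram(b"\x00" * 12)),
        "udp forged length": build_ipv4(17, udp_datagram(b"\x00" * 12, length=100)),
    }
    for name, pkt in samples.items():
        print(f"{name:24s} -> {check_packet(pkt) or 'pass'}")
```

The point of keeping these checks purely structural is that they are safe to run at line rate with no false positives on well-formed traffic, which is exactly why they sit in front of the scoring stage described on the next slides.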

Layer 3/4 infrastructure protection: traffic prioritisation based on scoring.
Low suspicion attributes:
- Normal packet or request header
- Traffic composition and volume is typical given its source
- Traffic valid for its destination
High suspicion attributes:
- Suspicious packet or request headers
- Entropy in traffic by header attribute
- Entropy in traffic source and volume
- Traffic source has a poor reputation
- Traffic invalid for its destination
- Request with cache-busting attributes

Layer 3/4 infrastructure protection: traffic prioritisation based on scoring. Inline inspection and scoring; lower-priority (attack) traffic is preferentially discarded, so false positives are avoided and legitimate viewers are protected. High-suspicion packets are dropped; low-suspicion packets are retained.

Layer 3/4 infrastructure protection: advanced routing policies. Distributed scrubbing and bandwidth capacity; automated routing policies to absorb large attacks; manual traffic engineering.

Layer 3/4 infrastructure protection: additional protections against larger and more sophisticated attacks, through advanced routing capabilities and additional mitigation capacity.


AWS WAF: Layer 7 application protection. Web traffic filtering with custom rules; malicious request blocking; active monitoring and tuning.

AWS WAF: Layer 7 application protection. Three modes of operation: self-service, engage DDoS experts, proactive DRT engagement.

AWS WAF: Layer 7 application protection. Engage DDoS experts:
1. You engage the AWS DDoS Response Team (DRT)
2. DRT triages the attack
3. DRT assists you with creating AWS WAF rules

AWS WAF: Layer 7 application protection. Proactive DRT engagement:
1. Always-on monitoring engages the AWS DDoS Response Team (DRT)
2. DRT proactively triages the DDoS attack
3. DRT creates AWS WAF rules (prior authorization required)


Attack notification and reporting: real-time notification of attacks via Amazon CloudWatch; near real-time metrics and packet captures for attack forensics; historical attack reports; attack monitoring and detection.


24x7 access to DDoS Response Team Critical and urgent priority cases are answered quickly and routed directly to DDoS experts Complex cases can be escalated to the AWS DDoS Response Team (DRT), who have deep experience in protecting AWS as well as Amazon.com and its subsidiaries

24x7 access to the DDoS Response Team. Before an attack: proactive consultation and best practice guidance. During an attack: attack mitigation. After an attack: post-mortem analysis.


AWS cost protection: AWS absorbs scaling cost due to a DDoS attack on Amazon CloudFront, Elastic Load Balancer, Application Load Balancer and Amazon Route 53.

AWS DDoS Shield: Pricing
Standard Protection: no commitment, no additional cost.
Advanced Protection: 1 year subscription commitment; monthly base fee $3,000; plus data transfer fees.

Data transfer price ($ per GB):

    Data Transfer   CloudFront   ELB
    First 100 TB    0.025        0.050
    Next 400 TB     0.020        0.040
    Next 500 TB     0.015        0.030
    Next 4 PB       0.010        Contact Us
    Above 5 PB      Contact Us   Contact Us

AWS DDoS Shield: how to choose. Standard Protection: for protection against the most common DDoS attacks, and access to tools and best practices to build a DDoS-resilient architecture on AWS. Advanced Protection: for additional protection against larger and more sophisticated attacks, visibility into attacks, AWS cost protection, Layer 7 mitigations, and 24x7 access to DDoS experts for complex cases.

AWS Shield: getting started. Standard Protection: you get it automatically. Advanced Protection: enable it via the AWS Console.

Helpful Videos: IAM Recommended Practices; AWS Security Checklist; Automating Security Event Response; Compliance with AWS; Verifying AWS Security; Securing Enterprise Big Data Workloads; AWS Security Best Practices; Software Security and Best Practices.
https://youtu.be/r-pyvnhxx-u
https://www.brighttalk.com/webcast/9019/257297
https://www.brighttalk.com/webcast/9019/258547
https://www.brighttalk.com/webcast/9019/260695
https://www.brighttalk.com/webcast/9019/261911
https://www.brighttalk.com/webcast/9019/264011
https://www.brighttalk.com/webcast/9019/264917

Helpful Resources
- Compliance Enablers: https://aws.amazon.com/compliance/compliance-enablers/
- Risk & Compliance Whitepaper: https://aws.amazon.com/whitepapers/overview-of-risk-and-compliance/
- Compliance Centre Website: https://aws.amazon.com/compliance
- Security Centre: https://aws.amazon.com/security
- Security Blog: https://blogs.aws.amazon.com/security/
- Well-Architected Framework: https://aws.amazon.com/blogs/aws/are-you-well-architected/
- AWS Audit Training: awsaudittraining@amazon.com