Getting Started with AWS Security
Tomas Clemente Sanchez, Senior Consultant, Security, Risk and Compliance
September 21st 2017
© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Move Fast AND Stay Secure
Making life easier
Choosing security does not mean giving up on convenience or introducing complexity.
Understand AWS Security
Security is a shared responsibility
Shared Responsibility: let AWS do the heavy lifting; focus on what's most valuable to your business.
AWS: Facility operations, Physical Security, Physical Infrastructure, Network Infrastructure, Virtualisation Infrastructure, Hardware lifecycle management
Customer: Choice of Guest OS, Application Configuration Options, Account Management flexibility, Security Groups, ACLs, Identity Management
Shared Responsibility Model
AWS Global Infrastructure
- 16 AWS Regions (+5 announced)
- Each Region has at least 2 Availability Zones (diagram: Availability Zone A, B, C)
- 44 (+16) Availability Zones (AZs)
- 77 AWS Edge Locations
AWS Assurance Programs
AWS maintains a formal control environment:
- SOC 1 Type II, SOC 2 Type II and public SOC 3 report
- ISO 27001, 27017, 27018 Certification
- Certified PCI DSS Level 1 Service Provider
- FedRAMP Authorization
- Architect for HIPAA compliance
- EU Data Protection
- C5 (GER), Cyber Essentials Plus (UK)
Establish network security
VPC (diagram: VPC CIDR 10.1.0.0/16 spanning Availability Zone A and Availability Zone B)
- VPC = Virtual Private Cloud: your virtual data center on AWS
- Block of IPs that define your network (typically RFC 1918)
- Can span multiple AZs
- Default VPCs
VPC subnet (diagram: subnets 10.1.1.0/24 and 10.1.10.0/24 in Availability Zone A and B, VPC CIDR 10.1.0.0/16)
- Range of IPs in your VPC IP range
- Lives inside an AZ
- Can provide security at the subnet or network level with access control lists (ACLs)
- Can route at the subnet level
- Default VPC subnets
Network access control list (diagram: VPC subnets with ACL in Availability Zone A and B, VPC CIDR 10.1.0.0/16)
- NACL = network access control list
- An optional layer of security that acts as a firewall for a subnet
- A numbered list of rules that we evaluate in order
- ACLs are stateless and have separate inbound and outbound rules
Security groups (diagram: EC2 instances in a security group across subnets 10.1.1.0/24 and 10.1.10.0/24, Availability Zone A and B)
- A security group acts as a virtual firewall for your EC2 instance
- An EC2 instance can have up to five security groups
- Security groups act at the instance level, not the subnet level
- Security groups are stateful
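The stateless-versus-stateful distinction on the two slides above is easiest to see when the same TCP connection is run through both rule models. The following Python simulation is an added example, not part of the AWS deck; the rule numbers, CIDRs and ports are constructed for illustration.

```python
"""Added example (not from the AWS deck): how a stateless, ordered network
ACL and a stateful security group treat the same TCP connection.
Rule numbers, CIDRs and ports are constructed for illustration."""
from ipaddress import ip_address, ip_network

# A NACL is a numbered list evaluated in ascending order; the first match
# decides and the implicit '*' rule denies. Inbound and outbound lists are
# separate because the ACL keeps no connection state.
# Tuple layout: (rule number, action, protocol, port low, port high, CIDR)
NACL_INBOUND = [
    (100, "allow", "tcp", 443, 443, "0.0.0.0/0"),
]
NACL_OUTBOUND = [
    (100, "allow", "tcp", 1024, 65535, "0.0.0.0/0"),  # client ephemeral ports
]

def nacl_evaluate(rules, proto, port, peer_ip):
    """Return 'allow' or 'deny' for one packet; the first matching rule wins."""
    for _num, action, r_proto, lo, hi, cidr in sorted(rules):
        if r_proto == proto and lo <= port <= hi and ip_address(peer_ip) in ip_network(cidr):
            return action
    return "deny"  # implicit '*' rule at the end of every NACL

def nacl_connection_allowed(proto, dst_port, client_ip, client_port):
    """Stateless: the request (inbound) and the reply (outbound, to the client's
    ephemeral port) are checked independently, so both must be allowed."""
    request = nacl_evaluate(NACL_INBOUND, proto, dst_port, client_ip)
    reply = nacl_evaluate(NACL_OUTBOUND, proto, client_port, client_ip)
    return request == "allow" and reply == "allow"

# Security group inbound rules: allow-only, unordered. (protocol, low, high, CIDR)
SG_INBOUND = [("tcp", 443, 443, "0.0.0.0/0")]

def sg_connection_allowed(proto, dst_port, client_ip, inbound=SG_INBOUND):
    """Stateful: if any inbound rule admits the request, the reply is tracked
    and allowed automatically; outbound rules are not consulted for it."""
    return any(
        r_proto == proto and lo <= dst_port <= hi and ip_address(client_ip) in ip_network(cidr)
        for r_proto, lo, hi, cidr in inbound
    )
```

Run `nacl_connection_allowed("tcp", 443, "203.0.113.5", 1000)` to see the request pass and the whole connection still fail, because the reply to a port below 1024 matches no outbound rule; the security group model has no such trap.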
Amazon Virtual Private Cloud (reference architecture diagram)
VPC CIDR 10.10.0.0/16 across AZ A and AZ B, with an Internet Gateway:
- Public subnets 10.10.1.0/24 and 10.10.2.0/24: Public ELB, Autoscaling Web Tier
- Private subnets 10.10.3.0/24 and 10.10.4.0/24: Internal ELB, Autoscaling Application Tier
- Private subnets 10.10.5.0/24 and 10.10.6.0/24: RDS Data Tier (RDS Master, RDS Standby Multi-AZ, Snapshots)
- Existing Datacenter connected by VPN Connection (Customer Gateway to Virtual Private Gateway)
- Administrators & Corporate Users connected via Direct Connect through a Network Partner Location
Security Groups (diagram: VPC CIDR 10.1.0.0/16 across Availability Zone A and B)
- Public subnet: ELB in sg_elb_frontend (ELB Security Group)
- Private subnet: Web in sg_web_frontend (Web Security Group)
- Private subnet: Back end in sg_backend (Backend Security Group)
Security Groups
AWS WAF: Web Application Firewall
AWS WAF in action
- Admins define rules in the AWS Management Console
- Developers deploy protection through the AWS API
- AWS WAF protects the web app in CloudFront
AWS WAF Partner integrations
- Alert Logic, Trend Micro, and Imperva integrating with AWS WAF
- Offer additional detection and threat intelligence
- Dynamically modify rulesets of AWS WAF for increased protection
AWS Shield
- Standard Protection: available to ALL AWS customers at no additional cost
- Advanced Protection: paid service that provides additional, comprehensive protections from large and sophisticated attacks
Integrate Identity & Access Management
IAM: Identity and Access Management
- With AWS IAM you get to control who can do what in your AWS environment, and from where
- Fine-grained control of your AWS cloud with two-factor authentication
- Integrated with your existing corporate directory using SAML 2.0 and single sign-on
(diagram: the AWS account owner delegates Network management, Security management, Server management and Storage management)
AWS Identity & Access Management: IAM Users, IAM Groups, IAM Roles, IAM Policies
Implement Data Protection
Cryptographic Services
AWS KMS:
- Deep integration with AWS Services
- CloudTrail
- AWS SDK for application encryption
Amazon CloudHSM:
- Dedicated HSM
- Integrate with on-premises HSMs
- Hybrid Architectures
AWS Key Management Service
Encryption key management and compliance made easy:
- One-click encryption of server and database storage
- Centralized key management (create, delete, view, set policies)
- Enforced, automatic key rotation
- Visibility into any changes via CloudTrail
AWS Key Management Service
Enable Detective Controls
AWS CloudTrail & CloudWatch
AWS CloudTrail:
- Enable globally for all AWS Regions
- Encryption & Integrity Validation
- Archive & Forward
Amazon CloudWatch:
- Amazon CloudWatch Logs
- Metrics & Filters
- Alarms & Notifications
CloudTrail: Record AWS API Calls
AWS CloudTrail records AWS API calls for your account and delivers log files to you. The recorded information includes caller identity, time, the source IP address, parameters, and the response returned by the AWS service. The AWS API call history produced by CloudTrail enables security analysis, resource change tracking, and compliance auditing.
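The slide names the fields each CloudTrail record carries; the Python below, an added example that is not part of the AWS deck, pulls those fields out of records and builds the per-resource change history that "resource change tracking" refers to. The records are constructed, and the resource id is taken from the `groupId` request parameter as a simplification for this one API family.

```python
"""Added example (not from the AWS deck): extract caller identity, time,
source IP, parameters and response from CloudTrail records and build a
per-resource change history. Records below are constructed; resource ids
are read from requestParameters.groupId as a simplification."""
import json

SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventTime": "2017-09-21T09:00:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeSecurityGroups", "sourceIPAddress": "203.0.113.5",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"},
     "requestParameters": {}, "responseElements": None},
    {"eventTime": "2017-09-21T09:05:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress", "sourceIPAddress": "203.0.113.5",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"},
     "requestParameters": {"groupId": "sg-0123abcd"}, "responseElements": {"_return": True}},
    {"eventTime": "2017-09-21T09:07:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RevokeSecurityGroupIngress", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::111122223333:assumed-role/Ops/bob"},
     "requestParameters": {"groupId": "sg-0123abcd"}, "responseElements": None,
     "errorCode": "UnauthorizedOperation"},
]})

READ_ONLY_PREFIXES = ("Describe", "List", "Get")  # calls that change nothing

def summarize(event):
    """Flatten one record to the fields the slide lists, plus success/failure
    (CloudTrail adds errorCode to a record when the call was refused)."""
    return {
        "time": event["eventTime"],
        "caller": event.get("userIdentity", {}).get("arn", "<unknown>"),
        "source_ip": event.get("sourceIPAddress"),
        "action": event["eventName"],
        "resource": (event.get("requestParameters") or {}).get("groupId"),
        "response": event.get("responseElements"),
        "succeeded": "errorCode" not in event,
    }

def change_history(trail_json):
    """Resource change tracking: mutating calls grouped by resource id and
    ordered by time. Read-only calls are skipped; refused calls are kept,
    since a denied change attempt is itself worth reviewing."""
    history = {}
    for event in json.loads(trail_json)["Records"]:
        if event["eventName"].startswith(READ_ONLY_PREFIXES):
            continue
        entry = summarize(event)
        history.setdefault(entry["resource"], []).append(entry)
    for entries in history.values():
        entries.sort(key=lambda e: e["time"])
    return history
```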
CloudWatch Logs: Centralize Your Logs
Send existing system, application, and custom log files to CloudWatch Logs via our agent, and monitor these logs in near real-time. This can help you better understand and operate your systems and applications, and you can store your logs using highly durable, low-cost storage for later access.
VPC Flow Logs
- Agentless
- Enable per ENI, per subnet, or per VPC
- Logged to AWS CloudWatch Logs
- Create CloudWatch metrics from log data
- Alarm on those metrics
Fields recorded: Interface, AWS account, Source IP, Destination IP, Source port, Destination port, Protocol, Packets, Bytes, Start/end time, Accept or reject
VPC Flow Logs: Amazon CloudWatch Logs subscriptions feeding Amazon Elasticsearch Service
VPC Flow Logs: CloudWatch Alarms
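The three flow-log slides above describe recording the fields, turning them into CloudWatch metrics and alarming on them. The Python below is an added example, not from the AWS deck: it parses records in the default flow log format (the field order AWS uses for version 2 records), skips the NODATA intervals that carry no traffic, and computes the REJECT count a metric filter would feed an alarm, plus the per-source breakdown a responder wants once that alarm fires. The log lines are constructed.

```python
"""Added example (not from the AWS deck): parse VPC Flow Log records in the
default version-2 format and derive a metric-filter style REJECT count.
All log lines below are constructed."""
from collections import Counter

# Default record layout, in order; '-' marks a field with no value.
FIELDS = ("version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes",
          "start", "end", "action", "log_status")
NUMERIC = {"srcport", "dstport", "protocol", "packets", "bytes", "start", "end"}

SAMPLE_LOG = """\
2 111122223333 eni-0a1b2c3d 198.51.100.7 10.1.1.25 40123 22 6 6 360 1506000000 1506000060 REJECT OK
2 111122223333 eni-0a1b2c3d 198.51.100.7 10.1.1.25 40124 3389 6 4 240 1506000000 1506000060 REJECT OK
2 111122223333 eni-0a1b2c3d 203.0.113.9 10.1.1.25 51515 443 6 25 4100 1506000000 1506000060 ACCEPT OK
2 111122223333 eni-0a1b2c3d 10.1.1.25 203.0.113.9 443 51515 6 20 18000 1506000000 1506000060 ACCEPT OK
2 111122223333 eni-0a1b2c3d - - - - - - - 1506000060 1506000120 - NODATA
"""

def parse_record(line):
    """One record to a dict; '-' becomes None, numeric fields become int.
    Returns None for a line with the wrong number of fields."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    rec = {}
    for name, value in zip(FIELDS, parts):
        rec[name] = None if value == "-" else int(value) if name in NUMERIC else value
    return rec

def parse_log(text):
    """All well-formed records with log-status OK; NODATA/SKIPDATA intervals
    have no traffic fields (action is '-') and are dropped."""
    records = (parse_record(l) for l in text.splitlines() if l.strip())
    return [r for r in records if r and r["log_status"] == "OK"]

def reject_count(records):
    """What a CloudWatch metric filter on 'REJECT' would emit: one count per record."""
    return sum(1 for r in records if r["action"] == "REJECT")

def rejects_by_source(records, top=5):
    """REJECTs aggregated by (source address, destination port): the view to
    pull when an alarm on the REJECT metric fires."""
    pairs = Counter((r["srcaddr"], r["dstport"]) for r in records if r["action"] == "REJECT")
    return pairs.most_common(top)
```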
Trusted Advisor
Amazon Inspector: Vulnerability Assessment Service
- Built from the ground up to support the Dev/Ops model
- Automatable via APIs
- AWS context aware
- Static & dynamic telemetry
- Integrated with CI/CD tools
- On-demand pricing model
- CVE & CIS rules packages
- AWS AppSec best practices
Prioritized findings
Detailed remediation recommendations
Optimize Change Management
AWS CloudFormation: Infrastructure as Code
AWS CloudFormation:
- Orchestrate changes across AWS Services
- Use as foundation for Service Catalog products
- Use with source code repositories to manage infrastructure changes
Template:
- JSON-based text file describing infrastructure
Stack:
- Resources created from a template
- Can be updated
- Updates can be restricted
Change Sets: Create Change Set
AWS Config & Config Rules
AWS Config:
- Record configuration changes continuously
- Time-series view of resource changes
- Archive & Compare
Amazon Config Rules:
- Enforce best practices
- Automatically roll back unwanted changes
- Trigger additional workflow
AWS Config: Record AWS Environment Changes
AWS Config records AWS environment configuration and changes information for your account.
(diagram: Changing Resources -> Recording -> Continuous Change History, delivered as the AWS Config Stream; Snapshot (ex. 2014-11-05))
Snapshots answer the question "What did my environment look like at time x?" History answers the question "What changes have happened to infrastructure element I over time?"
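The two questions on the slide map onto two functions over a stream of configuration items. The Python below is an added example, not from the AWS deck and not the AWS Config API: it replays a constructed stream of (capture time, resource id, configuration) items to answer the snapshot question for the slide's example date and the history question for one resource, and adds the compare step the previous slide mentions.

```python
"""Added example (not from the AWS deck, not the AWS Config API): snapshot
and history over a constructed stream of configuration items.
Times are ISO-8601 UTC strings, which sort correctly as plain strings."""

# Constructed stream: (capture_time, resource_id, configuration). Each item is the
# full configuration of one resource as observed when it changed; None = deleted.
STREAM = [
    ("2014-11-01T10:00:00", "sg-0123abcd", {"ingress": ["tcp/443 from 0.0.0.0/0"]}),
    ("2014-11-01T10:00:00", "i-0a1b2c3d", {"tenancy": "default", "sg": ["sg-0123abcd"]}),
    ("2014-11-03T15:30:00", "sg-0123abcd", {"ingress": ["tcp/443 from 0.0.0.0/0",
                                                        "tcp/22 from 0.0.0.0/0"]}),
    ("2014-11-06T09:00:00", "sg-0123abcd", {"ingress": ["tcp/443 from 0.0.0.0/0"]}),
    ("2014-11-07T12:00:00", "i-0a1b2c3d", None),
]

def snapshot(stream, at):
    """'What did my environment look like at time x?': the latest configuration
    of every resource as of `at`; resources deleted by then are omitted."""
    state = {}
    for when, rid, cfg in sorted(stream, key=lambda item: item[0]):
        if when > at:
            break
        if cfg is None:
            state.pop(rid, None)
        else:
            state[rid] = cfg
    return state

def history(stream, resource_id):
    """'What changes have happened to element I over time?': ordered
    (time, before, after) entries, skipping items that changed nothing."""
    changes, previous = [], None
    for when, rid, cfg in sorted(stream, key=lambda item: item[0]):
        if rid == resource_id and cfg != previous:
            changes.append((when, previous, cfg))
            previous = cfg
    return changes

def diff_config(before, after):
    """Compare step: keys whose value differs, as {key: (old, new)}."""
    before, after = before or {}, after or {}
    return {k: (before.get(k), after.get(k))
            for k in sorted(set(before) | set(after)) if before.get(k) != after.get(k)}
```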
AWS Config VPC Example
AWS Config Rules Tenancy Enforcement Example
Resources
Security Community: AWS Platform & Tools, Customer ecosystem, Partner ecosystem
AWS Marketplace Security Partners: Infrastructure Security, Logging & Monitoring, Identity & Access Control, Configuration & Vulnerability Analysis, Data Protection
aws.amazon.com/security/
AWS Training & Certification
- Self-Paced Labs: Try products, gain new skills, and get hands-on practice working with AWS technologies (aws.amazon.com/training/self-paced-labs)
- Training: Build technical expertise to design and operate scalable, efficient applications on AWS (aws.amazon.com/training)
- Certification: Validate your proven skills and expertise with the AWS platform (aws.amazon.com/certification)
Strengthen your security posture
- Over 30 global compliance certifications and accreditations
- Security infrastructure built to satisfy military, global banks, and other high-sensitivity organizations
- Get native functionality and tools
- Benefit from AWS industry leading security teams 24/7, 365 days a year
- Leverage security enhancements gleaned from millions of customer experiences
"Based on our experience, I believe that we can be even more secure in the AWS cloud than in our own data centers." Rob Alexander, CIO, Capital One
Thank you!