This session tells the story of how security-minded enterprises provide end-to-end protection of their sensitive data in AWS. Learn about the enterprise security architecture decisions made by Fortune 500 organizations during actual sensitive workload deployments as told by the AWS professional service security, risk, and compliance team members who lived them. In this technical walkthrough, we share lessons learned from the development of enterprise security strategy, security use-case development, end-to-end security architecture & service composition, security configuration decisions, and the creation of AWS security operations playbooks to support the architecture.
4. Security Economies of Scale
• AWS control objectives idempotent across the entire cloud
• Reduced compliance scope
• Defense in depth layers are variable cost
• Security benefits from automation
5. Why Update Your Security Strategy for AWS?
• Communicate the CISO’s intent & Concept of Operations (CONOPS)
• Articulate a vision for the desired end-state
32. Network Protection
[Diagram: three-tier VPC (Web, App and DB tiers) behind a Protect tier; Internet Gateway with Route Table and NACL; IAM; VPN and AWS DX links from the VPC to the existing CGW perimeter security stack in the corporate data center]
33. Instance Protection
[Diagram: the same VPC topology with instance-level controls called out: SSH keys, bastion host, AMIs, Auto Scaling, managed encryption, host security software, bootstrapping, CloudFront load distribution, penetration testing]
34. Database Protection
[Diagram: the same VPC topology with database-tier controls called out: Oracle TDE, Oracle NNE, MySQL and MSSQL SSL, Redshift cluster encryption, EMR job flow roles, SQL SSL clients, DynamoDB and SimpleDB SSL, RDS automatic minor version patching]
36. In-line Threat Management
[Diagram: highly available IPS/IDS NAT layer in front of the Web, App and DB layers, duplicated across Availability Zone A and Availability Zone B, with EIPs 1 to 4 attached to the IPS NAT instances]
37. CloudFront
[Diagram: CloudFront in front of the Web tier, with the Protect tier, Route Table, NACL, Internet Gateway, IAM, an S3 origin, and the VPN and AWS DX links to the existing CGW perimeter security stack in the corporate data center]
39. Why Build a Security Operations Playbook?
• Empower the CISO organization to operate their cloud enterprise securely
• Enable CISO business partners to secure deployments and manage mission risk
40. Typical Components
• Overview of the AWS service or enterprise process
• Requirements/Dependencies
• Workflow
• Exceptions
41. Sample Entry: Amazon S3
(Playbook tabs on each entry: Overview of the AWS service or enterprise process | Requirements/Dependencies | Workflow | Exceptions)
Description
• Amazon S3 provides a simple web services interface that can be used to store and retrieve any amount of data, at any time, from anywhere on the web.
Secure Configuration
• Data stored in Amazon S3 is secure by default; only bucket and object owners have access to the Amazon S3 resources they create. For customers who must comply with regulatory standards such as PCI and HIPAA, Amazon S3’s data protection features can be used as part of an overall strategy to achieve compliance.
42. Choosing Controls
Control             Granularity     Purpose                                                        Application
IAM Access Policy   Fine grained    Role-based access control (RBAC)                               Apply to IAM groups, roles, users
Bucket Policy       Fine grained    Grant permissions without IAM and provide cross-account access Apply to S3 buckets
ACLs                Coarse grained  Grant simple, broad permissions                                Apply to buckets and objects
48. Keys, Delimiters, and Tags
Using Keys and Delimiters
• S3 tags should not be used to configure permissions to resources
• Instead, use keys and delimiters as described in the previous section to emulate “folder-level permissions”
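As an added example (not code from the deck), this builds an IAM policy that confines a principal to one emulated "folder" in an S3 bucket using the key prefix and "/" delimiter, then evaluates sample requests against it with a minimal evaluator. The bucket name, prefix and object keys are constructed placeholders, and the evaluator covers only Allow statements and the StringLike condition.

```python
# Added example, not from the deck: build an IAM policy that confines a
# principal to one emulated "folder" (key prefix + "/" delimiter) in an S3
# bucket, and evaluate sample requests against it. Bucket name, prefix and
# object keys are constructed placeholders.
import fnmatch

BUCKET = "example-corp-data"       # placeholder bucket name
PREFIX = "finance/reports/"        # the emulated folder

def folder_policy(bucket: str, prefix: str) -> dict:
    """Policy granting access only under `prefix`: ListBucket is limited with
    the s3:prefix condition key, object actions by the key path in the ARN."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow",
             "Action": "s3:ListBucket",
             "Resource": f"arn:aws:s3:::{bucket}",
             "Condition": {"StringLike": {"s3:prefix": [f"{prefix}*"]}}},
            {"Effect": "Allow",
             "Action": ["s3:GetObject", "s3:PutObject"],
             "Resource": f"arn:aws:s3:::{bucket}/{prefix}*"},
        ],
    }

def is_allowed(policy: dict, action: str, resource: str, context: dict = None) -> bool:
    """Minimal evaluator: Allow statements with wildcard matching and the
    StringLike condition only (no Deny, no other condition operators)."""
    context = context or {}
    for st in policy["Statement"]:
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        if not any(fnmatch.fnmatchcase(action, a) for a in actions):
            continue
        if not fnmatch.fnmatchcase(resource, st["Resource"]):
            continue
        cond = st.get("Condition", {}).get("StringLike", {})
        # every condition key must match one of its patterns; a missing key fails
        if all(any(fnmatch.fnmatchcase(str(context.get(key, "")), pat) for pat in pats)
               for key, pats in cond.items()):
            return True
    return False

if __name__ == "__main__":
    policy = folder_policy(BUCKET, PREFIX)
    print(is_allowed(policy, "s3:GetObject", f"arn:aws:s3:::{BUCKET}/{PREFIX}q1.csv"))  # True
    print(is_allowed(policy, "s3:GetObject", f"arn:aws:s3:::{BUCKET}/hr/salaries.csv"))  # False
    print(is_allowed(policy, "s3:ListBucket", f"arn:aws:s3:::{BUCKET}", {}))            # False
```

A listing without a prefix is denied because the s3:prefix condition key is absent from the request, which is what keeps the principal from enumerating other "folders".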
49. Operations
(Section divider. Deck outline: Refresher, Strategy, Playbook, Operations; Enterprise Security Planning, Architecture, Enterprise Security Operations. This section covers Privilege Isolation & Roles, IAM Role – Bastion Host, and IAM Role – Auditing Role.)
50. Privilege Isolation
[Diagram: isolation layers at which privilege can be scoped: AWS Account, IAM User/Group/Role, Region, Amazon VPC, Security Group, API Call, Resource]
51. IAM / Security Token Service
• STS AssumeRole
• Valid token for one hour
• Returns access key ID, secret access key, and security token
52. Privilege Isolation / Resources: Resource Permissions by Service (by API call)
http://docs.aws.amazon.com/IAM/latest/UserGuide/Using_SpecificProducts.html
• Amazon DynamoDB (tables and indexes)
• AWS Elastic Beanstalk (application, applicationversion, solutionstack)
• Amazon EC2 (instance, security group, dhcp options, nacl, route table, gateways, volumes)
• Amazon Glacier (vault)
• AWS IAM (signing credentials, group, …)
• Amazon Redshift (cluster, parameter group, security group, snapshot, subnet group)
• Amazon RDS
• Amazon Route53 (hosted zone)
• Amazon S3 (bucket)
• Amazon SNS (topic)
• Amazon SQS (queue)
53. IAM Roles / EC2
• Role
• Instance Profile
• Identity for the instance itself
• Available to all applications and users on the host
54. IAM Roles / Instance Metadata Service
• Entitlements of credentials => IAM role
• Short life & expiration of credentials provided by STS
• Managed rotation
• No stored credentials!
55. Bastion Host Configuration
• Eliminates need for individual IAM credentials
• Reduces or eliminates need for federation
• Combine with auditing of shell commands
• Control access by host / purpose
56. Security Auditing Configuration
• Read-only access to AWS assets
• Census picture of all assets (feed scanning & SIEM reconciliation)
• RDS & Redshift query and connection auditing
• Change detection of vital objects
57. Security Auditing / EC2 Read-only Policy
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "ec2:DescribeAddresses",
                "ec2:DescribeImageAttribute",
                "ec2:DescribeImages",
                "ec2:DescribeInstanceAttribute",
                "ec2:DescribeInstanceStatus",
                "ec2:DescribeInstances",
                "ec2:DescribeNetworkInterfaceAttribute",
                "ec2:DescribeNetworkInterfaces",
                "ec2:DescribeSecurityGroups",
                "ec2:DescribeSubnets"
            ],
            "Resource": [
                "*"
            ],
            "Effect": "Allow"
        }
    ]
}
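The auditing role above is only useful if it stays read-only. As an added example (not code from the deck), this lints a policy document for the auditing role and reports any allowed action that could change state; the read-only prefix list and SAMPLE_POLICY are constructed for illustration.

```python
# Added example, not from the deck: lint an IAM policy document intended for
# the read-only auditing role and report any allowed action that could change
# state. READ_ONLY_PREFIXES and SAMPLE_POLICY are constructed for illustration.
import json

READ_ONLY_PREFIXES = ("Describe", "List", "Get")

def is_read_only(action: str) -> bool:
    """True for actions such as 'ec2:DescribeInstances' or 'rds:Describe*';
    False for write actions, service wildcards ('ec2:*') and the bare '*'."""
    service, sep, name = action.partition(":")
    if not sep or "*" in service or "?" in name:
        return False
    stem = name.rstrip("*")        # accept a single trailing wildcard only
    if not stem or "*" in stem:
        return False
    return stem.startswith(READ_ONLY_PREFIXES)

def non_read_only_actions(policy: dict) -> list:
    """Return every allowed action that is not read-only. A NotAction grant
    allows everything except the listed actions, so it is reported whole."""
    offending = []
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        if "NotAction" in st:
            offending.append("NotAction:" + json.dumps(st["NotAction"]))
            continue
        actions = st.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        offending.extend(a for a in actions if not is_read_only(a))
    return offending

# Constructed policy: read-only actions plus one that would let the auditing
# role stop instances, which the linter should flag.
SAMPLE_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["ec2:DescribeInstances", "ec2:DescribeSecurityGroups",
                "ec2:StopInstances", "rds:Describe*"],
     "Resource": "*"}
  ]
}"""

if __name__ == "__main__":
    print(non_read_only_actions(json.loads(SAMPLE_POLICY)))  # ['ec2:StopInstances']
```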
59. What to do after re:Invent
• Update security strategy and vision
• Map AWS features to strategic initiatives
• Integrate AWS into your security operations
• Document privilege isolation architecture
• Begin transition to IAM roles for EC2
• Enable IAM auditing role
60. References
• Updated Security Best Practices Whitepaper
http://media.amazonwebservices.com/AWS_Security_Best_Practices.pdf
• AWS Compliance Center
https://aws.amazon.com/compliance
• AWS Security Center
https://aws.amazon.com/security
• AWS Security Blog
http://blogs.aws.amazon.com/security/
61. Re:Invent Related Sessions
• Come talk security with AWS - Thursday, 4-6pm in the Toscana 3605 room
• SEC308 Auto-Scaling Web Application Security and AWS - Thursday, 4:15pm
• SEC402 Intrusion Detection in the Cloud - Thursday, 5:30pm
• SEC304 Encryption and Key Management in AWS - Friday, 9:00am
• SEC306 Implementing Bulletproof HIPAA Solutions on AWS - Friday, 11:30am
62. Please give us your feedback on this presentation (ARC308)
As a thank you, we will select prize winners daily for completed surveys!