In addition to discussing the AWS Shared Responsibility Model in detail for Infrastructure, Container and Abstract Services, we present a reference architecture for a secure, multi-account enterprise structure, including Mandatory Access Control for logging and separation assurance for different groups and functions within an organisation.
3. AWS Foundation Services
Compute Storage Database Networking
AWS Global
Infrastructure Regions
Availability Zones
Edge Locations
Client-side Data
Encryption
Server-side Data
Encryption
Network Traffic
Protection
Platform, Applications, Identity & Access Management
Operating System, Network & Firewall Configuration
Customer content
Customers
AWS Shared Responsibility Model
Customers are
responsible for
their security and
compliance IN
the Cloud
AWS is
responsible for
the security OF
the Cloud
4. Interacting with AWS (common protocols)
Management
SSH
RDP (only over fully-encapsulated VPN)
Database
MySQL
MS SQL
Oracle
File Transfer
SFTP, etc…..
5. AWS Shared Responsibility Model – Deep
Dive
Will one model work for all services?
Infrastruc
ture
Services
Container
Services
Abstract
Services
6. Network Traffic Protection
Encryption / Integrity / Identity
AWS Foundation Services
Compute Storage Database Networking
AWS Global
Infrastructure Regions
Availability Zones
Edge Locations
Optional – Opaque data: 1’s and 0’s (in transit/at rest)
Platform & Applications Management
Customer content
Customers
AWS Shared Responsibility Model:
for Infrastructure Services
Managed by
Managed by
Client-Side Data encryption
& Data Integrity Authentication
AWSIAMCustomerIAM
Operating System, Network & Firewall Configuration
Server-Side Encryption
Fire System and/or Data
APIEndpoints
Mgmt
Protocols
API
Calls
7. Infrastructure Service
Example – EC2
• Foundation Services — Networking, Compute, Storage
• AWS Global Infrastructure
• AWS API Endpoints
AWS
• Customer Data
• Customer Application
• Operating System
• Network & Firewall
• Customer IAM (Corporate Directory
Service)
• High Availability, Scaling
• Instance Management
• Data Protection (Transit, Rest, Backup)
• AWS IAM (Users, Groups, Roles,
Policies)
Customers
RESPONSIBILITIES
8. AWS Foundation Services
Compute Storage Database Networking
AWS Global
Infrastructure Regions
Availability Zones
Edge Locations
Optional – Opaque data: 1’s and 0’s (in transit/at rest)
Firewall
Configuration
Platform & Applications Management
Operating System, Network Configuration
Customer content
Customers
AWS Shared Responsibility Model:
for Container Services Managed by
Managed by
Client-Side Data encryption
& Data Integrity Authentication
Network Traffic Protection
Encryption / Integrity / Identity
AWSIAMCustomerIAM
APIEndpoints
Mgmt
Protocols
API
Calls
9. Infrastructure Service
Example – RDS
• Foundational Services –
Networking, Compute, Storage
• AWS Global Infrastructure
• High Availability
• AWS API Endpoints
• Operating System
• Platform / Application
• Backup and Patching
AWS
• Customer Data
• Firewall (VPC)
• Customer IAM (DB Users, Table
Permissions)
• AWS IAM (Users, Groups, Roles,
Policies)
• Data Protection (Transit, Rest)
• Scaling
Customers
RESPONSIBILITIES
10. AWS Foundation Services
Compute Storage Database Networking
AWS Global
Infrastructure Regions
Availability Zones
Edge Locations
Platform & Applications Management
Operating System, Network & Firewall Configuration
Customer content
Customers
AWS Shared Responsibility Model:
for Abstract Services
Managed by
Managed by
Data Protection by the Platform
Protection of Data at Rest
Network Traffic Protection by the Platform
Protection of Data at in Transit
(optional)
Opaque Data: 1’s and 0’s
(in flight / at rest)
Client-Side Data Encryption
& Data Integrity Authentication
APIEndpoints
AWSIAM
API Calls
11. • Foundational Services
• AWS Global Infrastructure
• AWS API Endpoints
• Operating System
• Platform / Application
• Data Protection (Rest - SSE, Transit)
• High Availability / Scaling
AWS
• Customer Data
• Data Protection (Rest – CSE)
• AWS IAM (Users, Groups, Roles, Policies)
Customers
Infrastructure Service
Example – S3
12. Summary of Customer Responsibility in the Cloud
Customer IAM
AWS IAM
Firewall
Data
AWS IAM
Data
Applications
Operating System
Networking/Firewall
Data
Customer IAM
AWS IAM
Infrastructure
Services
Container
Services
Abstract
Services
14. Auditing - Comparison
on-prem vs on AWS
Start with bare concrete
Functionally optional – you can build a secure
system without it
Audits done by an in-house team
Accountable to yourself
Typically check once a year
Workload-specific compliance checks
Must keep pace and invest in security innovation
on-prem
Start on base of accredited services
Functionally necessary – high watermark of
requirements
Audits done by third party experts
Accountable to everyone
Continuous monitoring
Compliance approach based on all workload
scenarios
Security innovation drives broad compliance
on AWS
15. What this means
You benefit from an environment built for the most security
sensitive organizations
AWS manages 1,800+ security controls so you don’t have to
You get to define the right security controls for your workload
sensitivity
You always have full ownership and control of your data
17. AWS Foundation Services
Compute Storage Database Networking
AWS Global
Infrastructure Regions
Availability Zones
Edge Locations
Meet your own security objectives
Customer scope and
effort is reduced
Better results through
focused efforts
Built on AWS
consistent baseline
controls
Your own
external audits
Customers
Your own
accreditation
Your own
certifications
19. Industry Best Practices for
Securing AWS Resources
CIS Amazon Web Services Foundations
Architecture agnostic set of security
configuration best practices
provides set-by-step implementation and
assessment procedures
20. AWS Enterprise Accelerator:
ComplianceArchitectures
Sample Architecture –
Security Controls Matrix
Cloudformation Templates
5 x templates
User Guide
NIST 800-53 and PCI-DSS
assets, so far
http://docs.aws.amazon.com/quickstart/latest/accelerator-nist/welcome.html
21. Education — AWS Security & Compliance
AWS Security Fundamentals
3 hour eLearning course
Target audience – Security Auditors/Analysts
It’s Free
AWS Security Operations
3 day Instructor Lead Training
Target audience – Security Engineer/Architects
12 Modules + Labs
Self-paced labs available on http://qwiklabs.com
https://aws.amazon.com/training/course-
descriptions/
23. Helpful Resources: New Videos
The AWS Shared Security Responsibility Model in Practice: https://youtu.be/RwUSPklR24M
IAM Recommended Practices: https://youtu.be/R-PyVnhxx-U
Encryption Options on AWS: https://youtu.be/9bn7p2tdym0
Compliance, Logging, Analysis and Alerting: https://youtu.be/42-1xpT-s6U
24. Mandatory Access Control?
Contrast with Discretionary Access Control
• u/g/o / rwx file permissions
• Under the control of the file owner
MAC is a function of core system policy
• Immutable to all system users; sometimes also invisible to them
• …including root
Epitomised in SELinux, descended from Orange Book B1
systems
• Sometimes extended to do multilevel / cross-domain security
25. Mandatory Access Control?
SELinux on AWS
• RHEL, Ubuntu, SuSE, etc AMIs…
• (Don’t forget FreeBSD and other Community AMIs)
First native MAC service on AWS: Glacier Vault Lock
• Set a Policy and fix it in place
• Even the account owner can’t change it, until its time lock expires
• Designed to meet SEC “Books and Records” requirements (Rule 17a-
4(f))
• Also FINRA Rule 4511, CFTC Regulation 1.31
How can we make more services behave similarly?
• Cross-account access gets us close!
26. S3 Subtleties
Versioning
MFA Delete
• Put these together, and you get something which looks a lot like an
append-only object store
• …consider evidential integrity and weight
• Consider adding lifecycle policies to rotate into Vault-Locked Glacier
• Good for long-term log retention
27. S3 Subtleties
CloudTrail, Config, CloudWatch Logs, ELB logs, VPC Flow Logs
• Make them write-only for production / resource accounts
• No means to read or list bucket contents
• Make them read-only for audit accounts
• Though audit user activities may need to be written to logs too
– Potentially to a different log location
Create a separate Logging account and apply cross-account
sharing:
28. S3 Subtleties
S3 write-only cross-account sharing
• Share write-only (no reading or listing of contents) from owner
account via bucket policy
• Writer accounts have IAM permissions to write
29. S3 Subtleties: Log Bucket Policy, Part 1
(Actual policy won’t fit here, but…):
• Start with the cross-account bucket policy for writing CloudTrail logs, at
https://blogs.aws.amazon.com/security/post/Tx1QT0TX44KW7XM/Sha
ring-AWS-CloudTrail-Log-Files-Between-Accounts Scenario 1
• Add the Sid + Effect + Principal + Action + Resource aggregate objects
from the bucket policy for Config, at
http://docs.aws.amazon.com/config/latest/developerguide/s3-bucket-
policy.html , applying the same principles
• Add s3:GetBucketLocation permissions, to handle cross-Region logs
• (we want to log from all Regions to 1 bucket)
• Add the following for CloudWatch Logs:
30. S3 Subtleties: Log Bucket Policy, Part 2{
"Sid": "Cross-account write allow for CloudWatch Logs, mediated by control below",
"Effect": "Allow",
"Principal": ]
"AWS": "arn:aws:iam::Writer-Account-ID:root”,
<Add other accounts here>
],
"Action":[
"s3: PutObject",
"S3: GetBucketLocation"
],
"Resource":"arn: aws: s3:::myorg-logbucket/<optionalprefix>/AWSLogs/*"
},
{
"Sid":"Control to require full control grant on write",
"Effect":"Deny",
"Principal":[
"AWS":"arn: aws:iam::Writer-Account-ID:root”,
<Add other accounts here>
],
"Action": [
"s3:PutObject",
"s3:GetBucketLocation"
],
"Resource": "arn:aws:s3:::myorg-logbucket/<optional prefix>/AWSLogs/*",
"Condition": {
"StringNotEquals": {
"s3:"bucket-owner-full-control"
}
}}
31. S3 Subtleties: Log Bucket Policy, Part 3
• Audit users (in another account) will need read-only access to your log
bucket; see
https://blogs.aws.amazon.com/security/post/Tx1QT0TX44KW7XM/Sharing
-AWS-CloudTrail-Log-Files-Between-Accounts , again (Scenario 2)
Good to do via a Role which has to be explicitly assumed; again,
see the URL above
32. S3 Subtleties: Log Bucket Policy and IAM
Point CloudTrail and Config in other accounts to our log bucket
for writing, when setting these accounts up
IAM policy to add to each log-generating account to allow cross-
account writing:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": ”Cross-account Write",
"Effect": "Allow",
"Action": [
"s3:PutObject”,
”s3:GetBucketLocation”
],
"Resource": [
"arn:aws:s3:::myorg-logbucket"
]
}
]}
33. Detailed Billing: Sample Records
ItemDescription
UsageStar
tDate
UsageEn
dDate
UsageQua
ntity
Currenc
yCode
CostBef
oreTax
Cre
dits
TaxAm
ount
TaxT
ype
TotalCo
st
$0.000 per GB - regional data transfer under the
monthly global free tier
01.04.14
00:00
30.04.14
23:59
0.0000067
5 USD 0.00 0.0
0.0000
00 None
0.0000
00
$0.05 per GB-month of provisioned storage - US
West (Oregon)
01.04.14
00:00
30.04.14
23:59
1.126.666.
554USD 0.56 0.0
0.0000
00 None
0.5600
00
First 1,000,000 Amazon SNS API Requests per
month are free
01.04.14
00:00
30.04.14
23:5910.0 USD 0.00 0.0
0.0000
00 None
0.0000
00
First 1,000,000 Amazon SQS Requests per month
are free
01.04.14
00:00
30.04.14
23:594153.0 USD 0.00 0.0
0.0000
00 None
0.0000
00
$0.00 per GB - EU (Ireland) data transfer from US
West (Northern California)
01.04.14
00:00
30.04.14
23:59
0.0000329
2 USD 0.00 0.0
0.0000
00 None
0.0000
00
$0.000 per GB - data transfer out under the monthly
global free tier
01.04.14
00:00
30.04.14
23:590.02311019USD 0.00 0.0
0.0000
00 None
0.0000
00
First 1,000,000 Amazon SNS API Requests per
month are free
01.04.14
00:00
30.04.14
23:5988.0 USD 0.00 0.0
0.0000
00 None
0.0000
00
$0.000 per GB - data transfer out under the monthly
global free tier
01.04.14
00:00
30.04.14
23:593.3E-7 USD 0.00 0.0
0.0000
00 None
0.0000
00
35. The Base Account Structure
AWS Account
Root Account • No Access Keys
• MFA Enabled
• Raise Alert on Login
IAM Master • No Access Keys
• MFA Enabled
• Raise Alert on Login
Define IAM Policies
Enable IAM Managers (User or Role)
• Have Passwd Policy
• Enforce Passwd
Rotation
• Have Acct Questions
set up
• Have Info eMail set
up
IAM Manager • No Access Keys
• MFA Enabled
Create IAM
Users/Groups/Roles
Use Pre-Defined Policies
36. The Larger Picture
BILLING
S3 Holder
CloudTrail
Config
CW Logs
S3 Holder
BILL
CloudTrail
IAMUser
IAM User
Assume
Role
IAM User
Assume
Role
IAM User
Assume
Role
Resources
IAM ROLE
IAM ROLE
IAM ROLE
Backup Data
Backup
S3 Holder
Audit
Display
Rights
STS
{
"Version": "2012-10-17",
"Statement": [ {
"Sid": ”STS-Only",
"Effect": "Allow",
"Action": [ "sts:AssumeRole" ],
"Resource": [ "*" ] }
]
}
37. There’s One More Account to Consider…
(…and it won’t fit on the diagram)
Service Catalogue
• Also has cross-account capability
• Repository for CloudFormation templates, golden AMIs…
• …add latest database backups and other necessary datasets, and
you have an Intellectual Property Holding Account
• Something to copy cross-Region for DR
• See http://aws.amazon.com/servicecatalog/faqs/ for cross-account access
38. Raising Alerts
Raise (through CloudTrail, watched by a Lambda function triggered on bucket
writes) an Alert (through, eg, SNS) if:
• Any account’s root user logs in
• Any IAM-Master account logs in
• Billing/CloudTrail accounts have another S3 Bucket created
• IAM-User generates any new AWS resource
• IAM-User generates any CloudTrail events other than assume-role
and console login
• IAM-User logs in to any Resource Accounts (besides IAM-Manager)
• Resource-Account has IAM-Users assigned (besides IAM-Master/IAM-Manager)
39. Logs→metrics→alerts→actions
AWS Config
CloudWatch /
CloudWatch Logs
CloudWatch
alarms
AWS CloudTrail
Amazon EC2 OS logs
Amazon VPC
Flow Logs
Amazon SNS
email notification
HTTP/S
notification
SMS notifications
Mobile push
notifications
API
calls
from
most
services Monitoring
data from
AWS
services
Custom
metrics
We look after the security OF the cloud, and you look after your security IN the cloud.
Talk about:
AWS Global Infrastructure – mention Environmental/Physical controls
Foundational Services – logical controls
Customers responsible for Operating System and Applications – however not every service provides the customer with visibility to the O.S or App Layer
EBS volumes behave like raw block level unformatted block devices which you can create a file system on top of – network attached storage connected to EC2 instances
Instance storage – block level local drive physically attached to the host computer – considered temporary storage
We look after the security OF the cloud, and you look after your security IN the cloud.
Mention:
O.S
App development
Protecting Data – Encryption Rest/Transit
Customer IAM – local or corporate identity management system
Change in IAM
RDS as an example
Customer manages DB – DB Users etc
AWS manages OS, Engine
Change in IAM
S3 example
Customers are responsible for controlling access to their data on S3 via AWS IAM
Also responsible for creating/deleting the content
Talk about Customer Key Management
Refer to AWS part of Shared Responsibility Model
On Prem:
Audits usually done by an in-house team
Typically done once a year
Tend to be workload specific compliance checks
Must keep pace and invest in security innovation
On AWS:
You start with a base of accredited services
Audits are performed by 3rd party experts
Accountable to everone
Security Innovation drives broad compliance
Leads into Audit rights discussion:
------------------------------------
(FINRA – example on-prem vs aws)
Anonymize finra
Own your own accreditation
Own your own certifications
Own your own external audits
Essentially – just because AWS is certified against PCI-DSS, customers still need to work with a QSA to ensure that from the 12 requirements of PCI – which the customer is still responsible for based on the shared responsibility models to assist the customer in becoming accredited in running PCI workloads on top of AWS
This leads into a program called GoldBase
Talk about Launch Constraints – Leveraging an IAM Role to perform Launch for User
Talk about Template Constraints – limiting VPCs, Instance Types etc
aka "how to manage your logging buckets, continued".
If you share your versioned, MFA-delete bucket write-only across accounts from a dedicated Audit acct to Production, Staging, etc, then the policy on the bucket and the contents are both invisible and immutable to the account it's being shared with, even its root user - and having spent about half my working life in a multilevel, cross-domain, modified Bell-LaPadula world, this amounts to Mandatory Access Control.
You can also set SELinux up in properly constrained Enforcing Mode on EC2 - you could set up user-data at instance launch time to call a script to generate keys and then go into Enforcing mode, if you need to simulate TPM functionality. There may be better ways of doing this, as CloudHSM can be called from Java as well as PKCS#11 - get creative!