Security best practices on AWS

Martin Yan – Head of Enterprise Sales, AWS HK/Taiwan
What we will cover today
1. Quick intro on AWS
2. Understanding shared responsibility for security
3. Using AWS global reach and availability features
4. Building a secure virtual private cloud
5. Using AWS Identity and Access Management
6. Protecting your content on AWS
7. Building secure applications on AWS
1. Quick intro on AWS
What is AWS?
AWS services fall into these layers: Deployment & Administration; Application Services; Compute, Storage, Database and Networking; AWS Global Infrastructure.
AWS Global Infrastructure
• 9 Regions
• 25+ Availability Zones
• Continuous expansion
• $5.2B retail business
• 7,800 employees
• A whole lot of servers
Every day, AWS adds enough server capacity to power that whole $5B enterprise.
Solving Problems for Organizations Around the World
Compute Services
• Amazon EC2: elastic virtual servers in the cloud
• Auto Scaling: automated scaling of EC2 capacity
• Elastic Load Balancing: dynamic traffic distribution
Networking Services
• Amazon VPC: private, isolated section of the AWS Cloud
• AWS Direct Connect: private connectivity between AWS and your datacenter
• Amazon Route 53: Domain Name System (DNS) web service
Storage Services
• Amazon EBS: block storage for use with Amazon EC2
• Amazon S3: Internet-scale storage via API
• Amazon Glacier: storage for archiving and backup
• AWS Storage Gateway: integrates on-premises IT and AWS storage
Application Services
• Amazon RDS: managed relational database service
• Amazon DynamoDB: managed NoSQL database service
• Amazon CloudFront: distribute content globally
• Amazon CloudSearch: managed search service
Big Data Services
• Amazon EMR (Elastic MapReduce): hosted Hadoop framework
• Amazon Redshift: petabyte-scale data warehouse service
• AWS Data Pipeline: move data among AWS services and on-premises data sources
Deployment & Administration
• Amazon CloudWatch: monitor resources
• AWS IAM (Identity & Access Management): manage users, groups & permissions
• AWS OpsWorks: DevOps framework for application lifecycle management
• AWS CloudFormation: templates to deploy & manage
• AWS Elastic Beanstalk: automate resource management
2. Understanding shared responsibility for security
Every customer has access to the same security capabilities
AWS maintains a formal control environment:
• SOC 1 (SSAE 16 & ISAE 3402) Type II (was SAS70)
• SOC 2 Type 1
• ISO 27001 Certification
• Certified PCI DSS Level 1 Service Provider
• FedRAMP (FISMA), ITAR, FIPS 140-2
• HIPAA and MPAA capable
[Diagram: customers on top of the AWS Foundation Services (Compute, Storage, Database, Networking) and the AWS Global Infrastructure (Regions, Availability Zones, Edge Locations)]

Security is a shared responsibility between AWS and our customers
Customer responsibilities:
• Customer content
• Platform, applications, Identity & Access Management
• Operating system, network & firewall configuration
• Client-side data encryption, server-side data encryption and network traffic protection
Customers configure AWS security features, get access to a mature vendor marketplace, can implement and manage their own controls, and gain additional assurance above AWS controls.
AWS responsibilities:
• Foundation Services: Compute, Storage, Database, Networking
• AWS Global Infrastructure: Regions, Availability Zones, Edge Locations
• Culture of security and continual improvement; ongoing audits and assurance; protection of large-scale service endpoints

You can build end-to-end compliance, certification and audit
• Your compliant solutions: achieve PCI, HIPAA and MPAA compliance
• Your certifications: certify against ISO 27001 with a reduced scope
• Your external audits and attestations: have key controls audited or publish your own independent attestations
[Diagram: these sit on top of the AWS layers: Foundation Services (Compute, Storage, Database, Networking), AWS Global Infrastructure (Regions, Availability Zones, Edge Locations), culture of security and continual improvement, ongoing audits and assurance, protection of large-scale service endpoints]
Customers retain full ownership and control of their content
Customers retain ownership of their intellectual property and content:
• Customers manage their privacy objectives however they choose
• Customers select the AWS geographical Region; there is no automatic replication elsewhere
• Customers can encrypt their content, retain management and ownership of keys, and implement additional controls to protect their content within AWS
The security of our services and customers is key to AWS:
• Security starts at the top in Amazon, with a dedicated CISO and a strong cultural focus
• Dedicated internal teams constantly look at the security of our services
• AWS support personnel have no access to customer content
3. Using AWS global reach and availability features
AWS lets customers choose where their content goes
Regions: US-EAST (Virginia), US-WEST (N. California), US-WEST (Oregon), GovCloud, EU-WEST (Ireland), ASIA PAC (Tokyo), ASIA PAC (Singapore), ASIA PAC (Sydney), SOUTH AMERICA (Sao Paulo)
Take advantage of high availability in every Region
[Map: the same Regions, each with multiple Availability Zones]
Use edge locations to serve content close to your customers
Edge locations: Ashburn (2), Dallas (2), Jacksonville, Los Angeles (2), Miami, New York (2), Newark, Palo Alto, San Jose, Seattle, South Bend, St. Louis, Amsterdam, Dublin, Frankfurt (2), London (2), Milan, Paris (2), Stockholm, Chennai, Hong Kong, Mumbai, Osaka, Singapore (2), Sydney, Tokyo, Sao Paulo
Build your solution for continuous, resilient operations
Scalable, fault-tolerant services
• Build resilient solutions operating in multiple datacenters
• AWS helps simplify active-active operations
All AWS facilities are always on
• No need for a “Disaster Recovery Datacenter” when you can have resilience
• Every one is managed to the same global standards
Robust connectivity and bandwidth
• Each AZ has multiple, redundant Tier 1 ISP service providers
• Resilient network infrastructure
4. Building a secure virtual private cloud
Each AWS Region has multiple availability zones
Your VPC spans every availability zone in the Region
[Diagram: a VPC spanning Availability Zone A and Availability Zone B]
Customers control their VPC IP address ranges
Choose your VPC address range
• Your own private, isolated section of the AWS cloud
• Every VPC has a private IP address space
• The maximum CIDR block you can allocate is /16
• For example 10.0.0.0/16 – this allows 256*256 = 65,536 IP addresses
Select an IP addressing strategy
• You can’t change the VPC address space once it’s created
• Think about overlaps with other VPCs or existing corporate networks
• Don’t waste address space, but don’t constrain your growth either
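An added example (not from the deck) of the address-planning checks above, in Python: it validates a proposed VPC CIDR against the /16 limit and against constructed sample ranges for another VPC and the corporate network, then carves per-tier /24 subnets. The /28 lower bound is AWS's minimum VPC size and is an assumption beyond what the slide states.

```python
"""Plan a VPC address space and check it against networks that already exist.

Added example, not code from the original deck.  The corporate ranges and the
other-VPC range below are constructed sample values; the /28 lower bound is
AWS's smallest VPC size and is not stated in the deck.
"""
import ipaddress

# Constructed inventory of ranges already in use on-premises and by another
# VPC.  A new VPC must not overlap any of them, because the VPC address space
# cannot be changed once it is created.
EXISTING_NETWORKS = {
    "corporate-hq": ipaddress.ip_network("10.0.0.0/16"),
    "branch-office": ipaddress.ip_network("10.50.0.0/16"),
    "vpc-b": ipaddress.ip_network("172.16.0.0/16"),
}


def address_count(cidr):
    """Total addresses in a block, e.g. 65,536 for a /16 (256 * 256)."""
    return ipaddress.ip_network(cidr).num_addresses


def check_vpc_cidr(cidr):
    """Return the list of problems with a proposed VPC CIDR (empty means OK)."""
    try:
        net = ipaddress.ip_network(cidr, strict=True)  # host bits must be zero
    except ValueError as exc:
        return [f"invalid CIDR {cidr!r}: {exc}"]
    problems = []
    if net.prefixlen < 16:
        problems.append(f"{net} is larger than /16, the maximum VPC size")
    if net.prefixlen > 28:
        problems.append(f"{net} is smaller than /28, the minimum VPC size")
    for name, other in EXISTING_NETWORKS.items():
        if net.overlaps(other):
            problems.append(f"{net} overlaps {name} ({other})")
    return problems


def plan_subnets(vpc_cidr, tiers, subnet_prefix=24):
    """Carve one subnet per tier out of the VPC, in order, and return
    {tier: network}.  Raises ValueError when the VPC cannot hold them all,
    which is the 'don't constrain your growth' check."""
    vpc = ipaddress.ip_network(vpc_cidr)
    candidates = vpc.subnets(new_prefix=subnet_prefix)
    plan = {}
    for tier in tiers:
        try:
            plan[tier] = next(candidates)
        except StopIteration:
            raise ValueError(f"{vpc} has no room for a /{subnet_prefix} for {tier}")
    return plan


if __name__ == "__main__":
    for proposal in ("10.0.0.0/16", "10.1.0.0/16", "10.0.0.0/8", "10.1.0.1/16"):
        print(proposal, check_vpc_cidr(proposal) or "OK")
    print(plan_subnets("10.1.0.0/16", ["nat", "web", "app", "db", "mgmt"]))
```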

[Diagram: VPC A - 10.0.0.0/16 spanning Availability Zone A and Availability Zone B]
We will concentrate on a single availability zone just now
[Diagram: VPC A - 10.0.0.0/16, Availability Zone A only]
Segment your VPC address space into multiple subnets
[Diagram: VPC A - 10.0.0.0/16 in Availability Zone A with subnets 10.0.1.0/24, 10.0.2.0/24, 10.0.3.0/24, 10.0.4.0/24 and 10.0.5.0/24, plus a NAT instance]
Place your EC2 instances in subnets according to your design
[Diagram: the same subnets holding Web, App, Jump and Log EC2 instances]
Use VPC security groups to firewall your instances
• “Web servers can connect to app servers on port 8080”
Each instance can be in up to five security groups
• “Allow outbound connections to the log server”
Use separate security groups for applications and management
• “Allow SSH and ICMP from hosts in the Jump Hosts security group”
[Diagram: the security group rules above applied to the Web, App, Jump and Log instances in VPC A - 10.0.0.0/16]
The VPC router will allow any subnet to route to another in the VPC
[Diagram: VPC A - 10.0.0.0/16 with the router connecting subnets 10.0.1.0/24 to 10.0.5.0/24]
Use Network Access Control Lists to restrict internal VPC traffic
• “Deny all traffic between the web server subnet and the database server subnet”
Use Network Access Control Lists for defence in depth
NACLs are optional
• Applied at subnet level, stateless and permit all by default
• ALLOW and DENY
• Applies to all instances in the subnet
• Use as a second line of defence
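An added example, not code from the deck, that puts the security-group callouts from the previous slides and the NACL rules above side by side: a small Python model of both layers on the deck's 10.0.0.0/16 VPC with constructed instances and rules. It shows why the stateless NACL needs an explicit ephemeral-port return rule, and why the NACL deny between the web and database subnets is a second line of defence rather than the only one.

```python
"""Security groups versus network ACLs on the deck's example VPC.

Added example, not code from the original deck.  Simplified semantics:
security groups are stateful allow-lists on the instance that may reference
other groups; NACLs are stateless, numbered ALLOW/DENY rules on the subnet,
lowest matching number wins.  Instances, addresses and rules are constructed.
"""
import ipaddress
from collections import namedtuple

Flow = namedtuple("Flow", "src dst proto port")  # port is the destination port

SUBNETS = {  # from the deck's diagram
    "web": ipaddress.ip_network("10.0.1.0/24"),
    "app": ipaddress.ip_network("10.0.2.0/24"),
    "db": ipaddress.ip_network("10.0.3.0/24"),
    "jump": ipaddress.ip_network("10.0.4.0/24"),
}
# Constructed instances: address -> security groups (at most five each).
INSTANCES = {
    "10.0.1.10": {"sg-web", "sg-mgmt"},
    "10.0.2.10": {"sg-app", "sg-mgmt"},
    "10.0.3.10": {"sg-db", "sg-mgmt"},
    "10.0.4.10": {"sg-jump"},
}
# Inbound security group rules: (proto, from_port, to_port, source); the source
# is a CIDR or another group, as in the deck's callouts.
SG_RULES = {
    "sg-web": [("tcp", 80, 80, "0.0.0.0/0")],
    "sg-app": [("tcp", 8080, 8080, "sg-web")],            # web -> app on 8080
    "sg-db": [("tcp", 3306, 3306, "sg-app")],
    "sg-mgmt": [("tcp", 22, 22, "sg-jump"), ("icmp", 0, 65535, "sg-jump")],
    "sg-jump": [("tcp", 22, 22, "203.0.113.0/24")],       # constructed office range
}
# NACL on the db subnet only; the other subnets keep the default NACL, which
# permits everything.  Rules are (number, action, proto, from, to, cidr); the
# implicit '*' rule at the end denies whatever nothing else matched.
NACL_DB_IN = [
    (100, "deny", "all", 0, 65535, "10.0.1.0/24"),     # nothing from the web tier
    (110, "allow", "tcp", 3306, 3306, "10.0.2.0/24"),
    (120, "allow", "tcp", 22, 22, "10.0.4.0/24"),
]
NACL_DB_OUT = [
    (100, "allow", "tcp", 1024, 65535, "10.0.0.0/16"),  # replies to ephemeral ports
]

def _match(proto, lo, hi, cidr, flow, ip):
    proto_ok = proto in ("all", flow.proto)
    port_ok = flow.proto == "icmp" or lo <= flow.port <= hi
    return proto_ok and port_ok and ipaddress.ip_address(ip) in ipaddress.ip_network(cidr)

def subnet_of(ip):
    return next((n for n, net in SUBNETS.items() if ipaddress.ip_address(ip) in net), None)

def nacl_decision(rules, flow, ip):
    """Lowest-numbered matching rule wins; no match falls through to '*' deny."""
    for number, action, proto, lo, hi, cidr in sorted(rules):
        if _match(proto, lo, hi, cidr, flow, ip):
            return action, number
    return "deny", "*"

def nacl_permits(flow, db_in=NACL_DB_IN, db_out=NACL_DB_OUT):
    """Stateless: every packet, replies included, must pass the egress ACL of
    its source subnet and the ingress ACL of its destination subnet."""
    checks = []
    if subnet_of(flow.src) == "db":   # egress rules are matched on the destination
        checks.append(("db egress", nacl_decision(db_out, flow, flow.dst)))
    if subnet_of(flow.dst) == "db":   # ingress rules are matched on the source
        checks.append(("db ingress", nacl_decision(db_in, flow, flow.src)))
    for where, (action, number) in checks:
        if action == "deny":
            return False, f"{where} NACL rule {number} denies"
    return True, "NACLs allow"

def sg_permits(flow):
    """Stateful allow-list on the destination instance: checked when a
    connection is opened; the reply is tracked and never re-evaluated."""
    src_groups = INSTANCES.get(flow.src, set())
    for group in INSTANCES.get(flow.dst, set()):
        for proto, lo, hi, source in SG_RULES[group]:
            if proto != flow.proto or not (proto == "icmp" or lo <= flow.port <= hi):
                continue
            if source.startswith("sg-"):
                if source in src_groups:
                    return True
            elif ipaddress.ip_address(flow.src) in ipaddress.ip_network(source):
                return True
    return False

def permitted(flow, new_connection=True, **nacl_kwargs):
    """Defence in depth: a new connection needs both layers to allow it; a
    reply packet still has to get past the stateless NACLs."""
    allowed, why = nacl_permits(flow, **nacl_kwargs)
    if not allowed:
        return False, why
    if new_connection and not sg_permits(flow):
        return False, "no security group on the destination allows this"
    return True, why
```

Calling `permitted(Flow("10.0.1.10", "10.0.3.10", "tcp", 3306), db_in=[(200, "allow", "all", 0, 65535, "0.0.0.0/0")])` shows the second layer: even with the NACL opened up, the database security group still refuses the web tier.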
Use Elastic Load Balancers to distribute traffic between instances
Elastic Load Balancers are also placed in security groups
[Diagram: an Elastic Load Balancer in front of several Web instances in subnet 10.0.1.0/24 of VPC A - 10.0.0.0/16]
Your security can scale up and down with your solution
• Elastic load balancers: instances can automatically be added and removed from the balancing pool using rules
• Auto scaling: you can add instances into security groups at launch time
5. Using AWS Identity and Access Management
You have fine-grained control of your AWS environment
AWS IAM enables you to securely control access to AWS services and resources
• Fine-grained control of user permissions, resources and actions
• Now includes support for RunInstances
• Add multi-factor authentication: hardware token or smartphone apps
• Test out your new policies using the Identity and Access Management policy simulator
Segregate duties between roles with IAM
You get to choose who can do what in your AWS environment and from where.
[Diagram: the AWS account owner (master) delegating network management, security management, server management and storage management roles, which manage and operate a VPC (VPC A - 10.0.0.0/16 with subnets 10.0.1.0/24 and 10.0.2.0/24 in separate Availability Zones, a router, an Internet Gateway and a Customer Gateway) within a Region]
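An added example, not AWS code: a simplified Python evaluator used the way the policy simulator is on the slide above, to check that constructed network-management and security-management policies (one per duty from the diagram) allow and deny what their author expects, including the MFA condition. The action names are real EC2 and IAM actions; the policies themselves are constructed.

```python
"""Check segregated-duty IAM policies before they go live.

Added example, not AWS code: a deliberately simplified evaluator standing in
for the IAM policy simulator.  Modelled: an explicit Deny beats any Allow,
no match is an implicit deny, Action and Resource accept '*' and '?'
wildcards (actions compared case-insensitively), and a Bool condition on
aws:MultiFactorAuthPresent.  The policies and requests are constructed.
"""
import fnmatch

# First draft of the network role: may manage VPC building blocks, must never
# touch servers.  The Deny wildcard is too broad, as simulate() shows below.
NETWORK_MANAGEMENT = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*",
     "Action": ["ec2:*Vpc*", "ec2:*Subnet*", "ec2:*RouteTable*",
                "ec2:*NetworkAcl*", "ec2:Describe*"]},
    {"Effect": "Deny", "Resource": "*", "Action": "ec2:*Instances"},
]}
# Corrected draft: deny only the server-lifecycle calls, not DescribeInstances.
NETWORK_MANAGEMENT_FIXED = {"Version": "2012-10-17", "Statement": [
    NETWORK_MANAGEMENT["Statement"][0],
    {"Effect": "Deny", "Resource": "*",
     "Action": ["ec2:RunInstances", "ec2:TerminateInstances",
                "ec2:StopInstances", "ec2:StartInstances", "ec2:RebootInstances"]},
]}
# Security role: security groups and IAM, but only from an MFA-authenticated session.
SECURITY_MANAGEMENT = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*",
     "Action": ["ec2:*SecurityGroup*", "iam:*"],
     "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}},
]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(pattern, value, fold_case):
    if fold_case:
        pattern, value = pattern.lower(), value.lower()
    return fnmatch.fnmatchcase(value, pattern)

def _condition_holds(condition, context):
    """Only the Bool operator is modelled; anything else is rejected loudly."""
    for operator, pairs in condition.items():
        if operator != "Bool":
            raise NotImplementedError(f"condition operator {operator} not modelled")
        for key, expected in pairs.items():
            if str(context.get(key, "false")).lower() != str(expected).lower():
                return False
    return True

def evaluate(policies, action, resource, context=None):
    """Return ('allow' | 'deny', reason) for one request against all policies."""
    context = context or {}
    allowed_by = None
    for policy in policies:
        for stmt in policy["Statement"]:
            if not any(_matches(p, action, True) for p in _as_list(stmt["Action"])):
                continue
            if not any(_matches(p, resource, False) for p in _as_list(stmt["Resource"])):
                continue
            if not _condition_holds(stmt.get("Condition", {}), context):
                continue
            if stmt["Effect"] == "Deny":          # explicit deny always wins
                return "deny", f"explicit deny: {stmt['Action']}"
            allowed_by = stmt["Action"]
    if allowed_by is not None:
        return "allow", f"allowed by {allowed_by}"
    return "deny", "implicit deny: no statement allows this"

def simulate(policies, cases, context=None):
    """Policy-simulator style check: return the cases whose outcome differs
    from what the policy author expected, as (action, expected, actual)."""
    mismatches = []
    for action, resource, expected in cases:
        actual = evaluate(policies, action, resource, context)[0]
        if actual != expected:
            mismatches.append((action, expected, actual))
    return mismatches

# What the network role is expected to be able to do (and not do).
NETWORK_CASES = [
    ("ec2:CreateSubnet", "*", "allow"),
    ("ec2:DescribeInstances", "*", "allow"),   # read-only, should be fine
    ("ec2:TerminateInstances", "*", "deny"),
    ("iam:CreateUser", "*", "deny"),
]
```

Running `simulate([NETWORK_MANAGEMENT], NETWORK_CASES)` flags that the first draft's `ec2:*Instances` deny also blocks `ec2:DescribeInstances`, which is the kind of mistake the slide's advice to test policies before rollout is meant to catch.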
Use AWS CloudTrail (beta) to track access to APIs and IAM
Increase your visibility of what happened in your AWS environment
• CloudTrail will record API calls and save logs in your S3 buckets, no matter how those API calls were made
• Who did what, when, and from what IP address
• Be notified of log file delivery using the AWS Simple Notification Service
• Support for many AWS services including EC2, EBS, VPC, RDS, IAM, STS and Redshift
• Aggregate log information into a single S3 bucket
• Out-of-the-box integration with log analysis tools from AWS partners including Splunk, AlertLogic and SumoLogic
AWS CloudTrail logs can be used for many powerful use cases
CloudTrail can help you achieve many tasks:
• Security analysis
• Track changes to AWS resources, for example VPC security groups and NACLs
• Compliance – understand AWS API call history
• Troubleshoot operational issues – quickly identify the most recent changes to your environment
CloudTrail is currently available in US-WEST1 and US-EAST1
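An added example, not from the deck, of the change-tracking use case above: Python that reads CloudTrail records (constructed samples here, in the JSON layout CloudTrail delivers to S3) and reports who changed a security group or NACL, when, from which IP address, and whether the change opened it to 0.0.0.0/0.

```python
"""Find security group and NACL changes in CloudTrail logs.

Added example, not code from the original deck.  CloudTrail delivers gzipped
JSON files to S3 of the form {"Records": [...]}; this answers the deck's
'who did what, when and from what IP' question for the change-tracking use
case.  The records below are constructed samples, not real log output.
"""
import gzip
import json

# EC2 API calls that alter security groups or network ACLs.
NETWORK_CONTROL_EVENTS = {
    "AuthorizeSecurityGroupIngress", "AuthorizeSecurityGroupEgress",
    "RevokeSecurityGroupIngress", "RevokeSecurityGroupEgress",
    "CreateSecurityGroup", "DeleteSecurityGroup",
    "CreateNetworkAcl", "DeleteNetworkAcl", "ReplaceNetworkAclAssociation",
    "CreateNetworkAclEntry", "ReplaceNetworkAclEntry", "DeleteNetworkAclEntry",
}

SAMPLE_LOG = json.dumps({"Records": [   # constructed sample records
    {"eventTime": "2013-11-05T09:12:41Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress", "awsRegion": "us-east-1",
     "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "requestParameters": {"groupId": "sg-0a1b2c3d", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
          "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
    {"eventTime": "2013-11-05T09:15:02Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "awsRegion": "us-east-1",
     "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "requestParameters": None},
    {"eventTime": "2013-11-05T23:41:17Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "CreateNetworkAclEntry", "awsRegion": "us-east-1",
     "sourceIPAddress": "198.51.100.77",
     "userIdentity": {"type": "Root"},
     "requestParameters": {"networkAclId": "acl-1a2b3c4d", "ruleNumber": 50,
                           "egress": False, "ruleAction": "allow",
                           "protocol": "-1", "cidrBlock": "0.0.0.0/0"}},
]})

def parse_log(text):
    """Records from the text of one delivered log file."""
    return json.loads(text)["Records"]

def load_records(path):
    """Read one delivered log file from disk, gzipped (as delivered) or plain."""
    opener = gzip.open if path.endswith(".gz") else open
    with opener(path, "rt") as fh:
        return parse_log(fh.read())

def actor(record):
    """IAM user name when there is one, otherwise the identity type (e.g. Root)."""
    identity = record.get("userIdentity", {})
    return identity.get("userName") or identity.get("type", "unknown")

def opens_to_world(record):
    """True when the change admits traffic from 0.0.0.0/0."""
    params = record.get("requestParameters") or {}
    if record["eventName"].startswith("AuthorizeSecurityGroup"):
        for perm in params.get("ipPermissions", {}).get("items", []):
            ranges = perm.get("ipRanges", {}).get("items", [])
            if any(r.get("cidrIp") == "0.0.0.0/0" for r in ranges):
                return True
    if record["eventName"] in ("CreateNetworkAclEntry", "ReplaceNetworkAclEntry"):
        return params.get("ruleAction") == "allow" and params.get("cidrBlock") == "0.0.0.0/0"
    return False

def network_control_changes(records):
    """One summary per security group / NACL change, oldest first."""
    findings = []
    for r in records:
        if r.get("eventSource") != "ec2.amazonaws.com":
            continue
        if r.get("eventName") not in NETWORK_CONTROL_EVENTS:
            continue
        params = r.get("requestParameters") or {}
        findings.append({
            "when": r["eventTime"], "who": actor(r), "from_ip": r.get("sourceIPAddress"),
            "what": r["eventName"], "region": r.get("awsRegion"),
            "target": params.get("groupId") or params.get("networkAclId"),
            "wide_open": opens_to_world(r),
        })
    return sorted(findings, key=lambda f: f["when"])

if __name__ == "__main__":
    for f in network_control_changes(parse_log(SAMPLE_LOG)):
        flag = "  [open to 0.0.0.0/0]" if f["wide_open"] else ""
        print(f"{f['when']} {f['who']}@{f['from_ip']} {f['what']} {f['target']}{flag}")
```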
6. Protecting your content on AWS
AWS has many different content storage services
[Diagram: S3, RDS, EBS and Redshift]
Making use of available Amazon S3 security features
Configure S3 access controls at bucket and object level
• Restrict access and rights as tightly as possible and regularly review access logs
• Use versioning for important files, with MFA required for delete
Use S3 cryptographic features
• Use SSL to protect data in transit
• S3 server-side encryption: AWS will transparently encrypt your objects using AES-256 and manage the keys on your behalf
• Use S3 client-side encryption: encrypt information before sending it to S3; build it yourself or use the AWS Java SDK
• Use MD5 checksums to verify the integrity of objects loaded into S3
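An added example, not from the deck, of the MD5 integrity check above in Python: the Content-MD5 header value for an upload and the ETag comparison for a download, with the multipart-ETag caveat handled. The object body is a constructed sample.

```python
"""MD5 integrity check for objects uploaded to and downloaded from S3.

Added example, not code from the original deck.  S3 accepts a Content-MD5
request header (base64 of the raw 16-byte digest) and rejects a PUT whose
body does not match it; for a single-part upload without SSE-KMS the ETag
S3 returns is the hex MD5, so a download can be checked against it.  The
object body used here is a constructed sample.
"""
import base64
import hashlib

def content_md5(body: bytes) -> str:
    """Value to send in the Content-MD5 header of the PUT."""
    return base64.b64encode(hashlib.md5(body).digest()).decode("ascii")

def expected_etag(body: bytes) -> str:
    """ETag S3 returns for a single-part, non-KMS upload: quoted hex MD5."""
    return '"' + hashlib.md5(body).hexdigest() + '"'

def verify_download(body: bytes, etag: str) -> bool:
    """True if the downloaded body matches the object's ETag.

    A multipart-upload ETag looks like '<hex>-<part count>' and is not the
    MD5 of the body, so it is refused rather than silently passed.
    """
    etag = etag.strip('"')
    if "-" in etag:
        raise ValueError("multipart ETag is not an MD5 of the body; verify parts individually")
    return hashlib.md5(body).hexdigest() == etag

if __name__ == "__main__":
    body = b"hello world"  # constructed object body
    print("Content-MD5:", content_md5(body))
    print("ETag:", expected_etag(body), "verified:", verify_download(body, expected_etag(body)))
```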
Making the most of Amazon RDS security features
RDS can reduce the security burden of running your databases
• Limit security group access to RDS instances
• Limit RDS management plane access with AWS IAM permissions
Encrypt data in flight
• Oracle Native Network Encryption; SSL for SQL Server, MySQL and PostgreSQL – especially if the database is accessible from the Internet
Encrypt data at rest in sensitive table space
• Native RDS via SQL Server and Oracle Transparent Data Encryption
• Encrypt sensitive information at application level or use a DB proxy
Configure automatic patching of minor updates – let AWS do the heavy lifting for you within a maintenance window you choose
Encrypting EBS volumes on Amazon EC2 instances
Roll your own encryption or use commercial solutions
• Windows BitLocker or Linux LUKS for encrypted volumes and TrueCrypt for containers
• SafeNet ProtectV, Trend Micro SecureCloud, Voltage – some vendors offer boot volume encryption
• MapReduce volumes can use Gazzang
Managing encryption keys is critical and difficult!
• How will you manage keys and make sure they are available when required, for example at instance start-up?
• How will you keep them available and prevent loss?
• How will you rotate keys on a regular basis and keep them private?
7. Building secure applications on AWS
You decide how to configure your instance environment
You take responsibility for final configuration
Harden operating system and platforms
• Use standard hardening guides and techniques
• Apply latest security patches – Amazon maintains repositories
Use host-based protection software
• Think of how it will work in an elastic environment – hosts may only be in use for hours before being replaced
Think about how you will manage administrative users
• Restrict access as much as possible
Build out the rest of your standard security environment
[Diagram: launch instance from the AMI catalogue → running EC2 instance (operating system) → configure instance → your instance, surrounded by the controls you configure: user administration, whitelisting and integrity, malware and IPS, vulnerability management, audit and logging, hardening and configuration]
Where you can go for help and further information
Browse and read AWS security whitepapers and good practices
• http://aws.amazon.com/compliance
• http://aws.amazon.com/security
• Risk and compliance, including CSA questionnaire response
• Security best practices
• Audit and operational checklists to help you assess security before you go live
Sign up for AWS support
• http://aws.amazon.com/support
• Get help when you need it most – as you grow
• Choose different levels of support with no long-term commitment
Get training and become AWS certified in your discipline
Get training from an instructor or try the self-paced labs
• http://aws.amazon.com/training/
Become AWS certified and gain recognition and visibility
• http://aws.amazon.com/certification
• Demonstrate that you have the skills, knowledge and expertise to design, deploy and manage projects and applications on the AWS platform
• Prove skills and foster credibility with your employer and peers
Choose your discipline, or do all of them!
• AWS Certified Solutions Architect – Associate Level
• AWS Certified Developer – Associate Level (Beta)
• AWS Certified SysOps Administrator – Associate Level (Beta)
Thank you for your time today

Any questions?
Martin Yan
ymartin@amazon.com

 
Aws 101 cloud computing seminar (reference model included)
Aws 101 cloud computing seminar (reference model included)Aws 101 cloud computing seminar (reference model included)
Aws 101 cloud computing seminar (reference model included)Martin Yan
 

Plus de Martin Yan (7)

Aws 101 A walk-through the aws cloud (2013)
Aws 101  A walk-through the aws cloud (2013)Aws 101  A walk-through the aws cloud (2013)
Aws 101 A walk-through the aws cloud (2013)
 
Storage solution in the cloud
Storage solution in the cloudStorage solution in the cloud
Storage solution in the cloud
 
Big Data and Analytics Innovation Summit
Big Data and Analytics Innovation SummitBig Data and Analytics Innovation Summit
Big Data and Analytics Innovation Summit
 
Aws101 Seminar - 高雄 4/24/2013
Aws101 Seminar - 高雄 4/24/2013Aws101 Seminar - 高雄 4/24/2013
Aws101 Seminar - 高雄 4/24/2013
 
Running Lead and scaling fast @ Taiwan founders drinks e27 (apr 11th)
Running Lead and scaling fast @ Taiwan founders drinks e27 (apr 11th) Running Lead and scaling fast @ Taiwan founders drinks e27 (apr 11th)
Running Lead and scaling fast @ Taiwan founders drinks e27 (apr 11th)
 
What is AWS?
What is AWS?What is AWS?
What is AWS?
 
Aws 101 cloud computing seminar (reference model included)
Aws 101 cloud computing seminar (reference model included)Aws 101 cloud computing seminar (reference model included)
Aws 101 cloud computing seminar (reference model included)
 

Dernier

My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfRankYa
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyAlfredo García Lavilla
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr LapshynFwdays
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
Vector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector DatabasesVector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector DatabasesZilliz
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsMiki Katsuragi
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024The Digital Insurer
 
Training state-of-the-art general text embedding
Training state-of-the-art general text embeddingTraining state-of-the-art general text embedding
Training state-of-the-art general text embeddingZilliz
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Wonjun Hwang
 

Dernier (20)

My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdf
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
Vector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector DatabasesVector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector Databases
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering Tips
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024
 
Training state-of-the-art general text embedding
Training state-of-the-art general text embeddingTraining state-of-the-art general text embedding
Training state-of-the-art general text embedding
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
 

Security best practices on AWS cloud

  • 1. Security best practices on AWS Martin Yan – Head of Enterprise Sales, AWS HK/Taiwan
  • 2. What we will cover today 1. Quick intro on AWS 2. Understanding shared responsibility for security 3. Using AWS global reach and availability features 4. Building a secure virtual private cloud 5. Using AWS Identity and Access Management 6. Protecting your content on AWS 7. Building secure applications on AWS
  • 3. Security best practices for AWS 1. Quick Intro on AWS 2. Understanding shared responsibility for security 3. Using AWS global reach and availability features 4. Building a secure virtual private cloud 5. Using AWS Identity and Access Management 6. Protecting your content on AWS 7. Building secure applications on AWS
  • 4. What is AWS? The platform in layers: AWS Global Infrastructure; Compute, Storage, Networking and Database; Application Services; Deployment & Administration
  • 5. AWS Global Infrastructure 9 Regions 25+ Availability Zones Continuous Expansion
  • 6. Every day, AWS adds enough server capacity to power that whole $5B enterprise: a $5.2B retail business, 7,800 employees, and a whole lot of servers
  • 7. Solving Problems for Organizations Around the World
  • 8. Compute Services • Amazon EC2: elastic virtual servers in the cloud • Auto Scaling: automated scaling of EC2 capacity • Elastic Load Balancing: dynamic traffic distribution
  • 9. Networking Services • Amazon VPC: private, isolated section of the AWS Cloud • AWS DirectConnect: private connectivity between AWS and your datacenter • Amazon Route 53: Domain Name System (DNS) web service
  • 10. Storage Services • Amazon EBS: block storage for use with Amazon EC2 • Amazon S3: Internet-scale storage via API (images, videos, files, binaries, snapshots) • Amazon Glacier: storage for archiving and backup • AWS Storage Gateway: integrates on-premises IT and AWS storage
  • 11. Application Services • Amazon RDS: managed relational database service • Amazon DynamoDB: managed NoSQL database service • Amazon CloudFront: distribute content globally • Amazon CloudSearch: managed search service
  • 12. Big Data Services • Amazon EMR (Elastic Map Reduce): hosted Hadoop framework • Amazon Redshift: petabyte-scale data warehouse service • AWS Data Pipeline: move data among AWS services and on-premises data sources
  • 13. Deployment & Administration • Amazon CloudWatch: monitor resources • AWS IAM (Identity & Access Mgmt): manage users, groups & permissions • AWS OpsWorks: Dev-Ops framework for application lifecycle management • AWS CloudFormation: templates to deploy & manage • AWS Elastic Beanstalk: automate resource management (web app, enterprise app, database)
  • 14. Security best practices for AWS 1. Quick Intro on AWS 2. Understanding shared responsibility for security 3. Using AWS global reach and availability features 4. Building a secure virtual private cloud 5. Using AWS Identity and Access Management Features 6. Protecting your content on AWS 7. Building secure applications on AWS
  • 15. Every customer has access to the same security capabilities. AWS maintains a formal control environment: • SOC 1 (SSAE 16 & ISAE 3402) Type II (was SAS70) • SOC 2 Type 1 • ISO 27001 Certification • Certified PCI DSS Level 1 Service Provider • FedRAMP (FISMA), ITAR, FIPS 140-2 • HIPAA and MPAA capable
  • 16. Security is a shared responsibility between AWS and our customers. Customers are responsible for: • Customer content • Platform, applications, identity & access management • Operating system, network & firewall configuration • Client-side data encryption, server-side data encryption and network traffic protection. Customers configure AWS security features, get access to a mature vendor marketplace, can implement and manage their own controls, and gain additional assurance above AWS controls. AWS is responsible for: • Foundation services (compute, storage, database, networking) • AWS global infrastructure (availability zones, edge locations, regions) • A culture of security and continual improvement, ongoing audits and assurance, and protection of large-scale service endpoints
  • 17. You can build end-to-end compliance, certification and audit on top of the AWS controls: your compliant solutions, your certifications, your external audits and attestations • Achieve PCI, HIPAA and MPAA compliance • Certify against ISO 27001 with a reduced scope • Have key controls audited or publish your own independent attestations. AWS supplies the foundation services (compute, storage, database, networking), the global infrastructure (availability zones, edge locations, regions), a culture of security and continual improvement, ongoing audits and assurance, and protection of large-scale service endpoints
  • 18. Customers retain full ownership and control of their content • Customers retain ownership of their intellectual property and content • Customers manage their privacy objectives however they choose to • Customers select the AWS geographical Region; there is no automatic replication elsewhere • Customers can encrypt their content, retain management and ownership of keys and implement additional controls to protect their content within AWS. The security of our services and customers is key to AWS • Security starts at the top in Amazon with a dedicated CISO and strong cultural focus • Dedicated internal teams constantly looking at the security of our services • AWS support personnel have no access to customer content
  • 19. Security best practices for AWS 1. Quick Intro on AWS 2. Understanding shared responsibility for security 3. Using AWS global reach and availability features 4. Building a secure virtual private cloud 5. Using AWS Identity and Access Management Features 6. Protecting your content on AWS 7. Building secure applications on AWS
  • 20. AWS lets customers choose where their content goes. Regions: US-EAST (Virginia), US-WEST (N. California), US-WEST (Oregon), GOV CLOUD, EU-WEST (Ireland), ASIA PAC (Tokyo), ASIA PAC (Singapore), ASIA PAC (Sydney), SOUTH AMERICA (Sao Paulo)
  • 21. Take advantage of high availability in every Region: each of the Regions above (US-EAST (Virginia), US-WEST (N. California), US-WEST (Oregon), GOV CLOUD, EU-WEST (Ireland), ASIA PAC (Tokyo), ASIA PAC (Singapore), ASIA PAC (Sydney), SOUTH AMERICA (Sao Paulo)) has multiple Availability Zones
  • 22. Use edge locations to serve content close to your customers. Edge locations: London (2), Seattle, New York (2), South Bend, Newark, Dublin, Palo Alto, Amsterdam, Stockholm, Tokyo, San Jose, Paris (2), Ashburn (2), Los Angeles (2), Frankfurt (2), Milan, Osaka, Jacksonville, Dallas (2), Hong Kong, Mumbai, Chennai, St. Louis, Miami, Singapore (2), Sao Paulo, Sydney
  • 23. Build your solution for continuous, resilient operations • Scalable, fault tolerant services: build resilient solutions operating in multiple datacenters; AWS helps simplify active-active operations • All AWS facilities are always on: no need for a “Disaster Recovery Datacenter” when you can have resilience; each one is managed to the same global standards • Robust connectivity and bandwidth: each AZ has multiple, redundant Tier 1 ISP service providers and a resilient network infrastructure
  • 24. Security best practices for AWS 1. Quick Intro on AWS 2. Understanding shared responsibility for security 3. Using AWS global reach and availability features 4. Building a secure virtual private cloud 5. Using AWS Identity and Access Management 6. Protecting your content on AWS 7. Building secure applications on AWS
  • 25. Each AWS Region has multiple availability zones (Availability Zone A, Availability Zone B)
  • 26. Your VPC spans every availability zone in the Region
  • 27. Customers control their VPC IP address ranges. Choose your VPC address range • Your own private, isolated section of the AWS cloud • Every VPC has a private IP address space • The maximum CIDR block you can allocate is /16 • For example 10.0.0.0/16 – this allows 256*256 = 65,536 IP addresses. Select an IP addressing strategy • You can’t change the VPC address space once it’s created • Think about overlaps with other VPCs or existing corporate networks • Don’t waste address space, but don’t constrain your growth either (diagram: VPC A - 10.0.0.0/16 spanning Availability Zone A and Availability Zone B)
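The three checks slide 27 asks for (block no larger than /16, no overlap with other VPCs or corporate networks, enough room to grow) can be done before the VPC is created, which matters because the range cannot be changed afterwards. The following is an added example, not code from the slides or from AWS; the existing networks are constructed, and the /28 lower bound and the five reserved addresses per subnet are AWS limits assumed here, not stated on the slide.

```python
import ipaddress

# Constructed inputs (not from the slides): networks a new VPC must not collide with.
EXISTING_NETWORKS = ["10.0.5.0/24",      # an older VPC
                     "192.168.0.0/16",   # corporate LAN reached over Direct Connect
                     "172.16.0.0/12"]    # corporate data centre


def check_vpc_cidr(cidr):
    """Return (ok, reason). The slide gives /16 as the largest allowed block;
    /28 as the smallest is AWS's documented limit (an assumption of this example)."""
    try:
        net = ipaddress.ip_network(cidr, strict=True)   # rejects host bits set, e.g. 10.0.1.0/16
    except ValueError as exc:
        return False, str(exc)
    if net.prefixlen < 16:
        return False, f"{cidr} is larger than the /16 maximum"
    if net.prefixlen > 28:
        return False, f"{cidr} is smaller than the /28 minimum"
    return True, "ok"


def overlapping_networks(candidate, existing=EXISTING_NETWORKS):
    """Existing ranges the candidate VPC would collide with; a VPC range cannot
    be changed after creation, so this is checked first."""
    cand = ipaddress.ip_network(candidate)
    return [n for n in existing if ipaddress.ip_network(n).overlaps(cand)]


def total_addresses(cidr):
    """Number of addresses in the block: 10.0.0.0/16 gives 256*256 = 65,536."""
    return ipaddress.ip_network(cidr).num_addresses


def plan_subnets(vpc_cidr, new_prefix=24):
    """Carve the VPC into equal subnets, as the later slides do with /24s."""
    return [str(s) for s in ipaddress.ip_network(vpc_cidr).subnets(new_prefix=new_prefix)]


def usable_hosts_per_subnet(subnet_cidr):
    """AWS reserves the first four and the last address of every subnet (assumed limit)."""
    return ipaddress.ip_network(subnet_cidr).num_addresses - 5


if __name__ == "__main__":
    for cidr in ("10.0.0.0/16", "10.0.0.0/8", "10.0.1.0/16", "10.1.0.0/16"):
        print(cidr, check_vpc_cidr(cidr), "overlaps:", overlapping_networks(cidr)
              if check_vpc_cidr(cidr)[0] else "-")
    print(len(plan_subnets("10.0.0.0/16")), "subnets of /24, each with",
          usable_hosts_per_subnet("10.0.1.0/24"), "usable hosts")
```

Running it shows that 10.0.0.0/16 is a valid size but collides with the older 10.0.5.0/24 VPC, while 10.1.0.0/16 is both valid and free.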
  • 28. We will concentrate on a single availability zone just now (Availability Zone A of VPC A - 10.0.0.0/16)
  • 29. Segment your VPC address space into multiple subnets (VPC A - 10.0.0.0/16 in Availability Zone A carved into 10.0.1.0/24, 10.0.2.0/24, 10.0.3.0/24, 10.0.4.0/24 and 10.0.5.0/24, with a NAT instance)
  • 30. Place your EC2 instances in subnets according to your design (web servers, app servers, a jump host and a log server, each in their own subnet)
  • 31. Use VPC security groups to firewall your instances: “Web servers can connect to app servers on port 8080”
  • 32. Each instance can be in up to five security groups: “Web servers can connect to app servers on port 8080”; “Allow outbound connections to the log server”
  • 33. Use separate security groups for applications and management: “Web servers can connect to app servers on port 8080”; “Allow outbound connections to the log server”; “Allow SSH and ICMP from hosts in the Jump Hosts security group”
  • 34. The VPC router will allow any subnet to route to another in the VPC
  • 35. Use Network Access Control Lists to restrict internal VPC traffic
  • 36. Use Network Access Control Lists to restrict internal VPC traffic: “Deny all traffic between the web server subnet and the database server subnet”
  • 37. Use Network Access Control Lists for defence in depth. NACLs are optional • Applied at subnet level, stateless and permit all by default • ALLOW and DENY • Applies to all instances in the subnet • Use as a second line of defence
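The difference between the two layers in slides 31 to 37 (security groups are stateful allow-lists attached to instances; NACLs are stateless, numbered allow/deny rules attached to subnets) is easiest to see by evaluating a packet against each. This is an added example, not code from the slides or from AWS: a minimal evaluator with the two rules quoted on the slides, plus the reply packet that a stateless NACL must be told about explicitly. The subnet roles (web, app, database), group ids and addresses are constructed; the slides label only the CIDRs.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str      # source IP
    dst: str      # destination IP
    proto: str    # "tcp", "udp" or "icmp"
    dport: int    # destination port


@dataclass(frozen=True)
class NaclRule:
    number: int   # lowest number is evaluated first
    action: str   # "allow" or "deny"
    proto: str    # "tcp", "udp", "icmp" or "all"
    port_from: int
    port_to: int
    cidr: str     # remote network the rule applies to


def _port_ok(proto, port_from, port_to, packet):
    if proto not in ("all", packet.proto):
        return False
    return proto == "icmp" or port_from <= packet.dport <= port_to


def sg_allows(attached_groups, sg_rules, packet, source_groups=()):
    """Stateful allow-list: accept if ANY inbound rule on ANY attached group matches.
    A rule's source is a CIDR or another security group; replies to an accepted
    connection are allowed implicitly, so no rule is consulted for them."""
    for group in attached_groups:
        for rule in sg_rules.get(group, []):
            if not _port_ok(rule["proto"], rule["from"], rule["to"], packet):
                continue
            source = rule["source"]
            if source.startswith("sg-"):
                if source in source_groups:
                    return True
            elif ipaddress.ip_address(packet.src) in ipaddress.ip_network(source):
                return True
    return False


def nacl_decision(rules, packet, direction):
    """Stateless: rules are checked in number order, the first match decides, and
    an unmatched packet hits the implicit '*' deny. Inbound rules match on the
    remote source address, outbound rules on the destination."""
    remote = packet.src if direction == "inbound" else packet.dst
    for rule in sorted(rules, key=lambda r: r.number):
        if _port_ok(rule.proto, rule.port_from, rule.port_to, packet) and \
                ipaddress.ip_address(remote) in ipaddress.ip_network(rule.cidr):
            return rule.action
    return "deny"


# Constructed topology: subnet roles are assumptions of this example.
WEB_SUBNET, APP_SUBNET, DB_SUBNET = "10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"
SG_RULES = {
    "sg-web": [{"proto": "tcp", "from": 443, "to": 443, "source": "0.0.0.0/0"}],
    # "Web servers can connect to app servers on port 8080"
    "sg-app": [{"proto": "tcp", "from": 8080, "to": 8080, "source": "sg-web"}],
}
APP_NACL_IN = [NaclRule(100, "allow", "tcp", 8080, 8080, WEB_SUBNET)]
APP_NACL_OUT_MISSING_EPHEMERAL = [NaclRule(100, "allow", "tcp", 8080, 8080, WEB_SUBNET)]
APP_NACL_OUT = [NaclRule(100, "allow", "tcp", 1024, 65535, WEB_SUBNET)]
# "Deny all traffic between the web server subnet and the database server subnet"
DB_NACL_IN = [NaclRule(100, "deny", "all", 0, 65535, WEB_SUBNET),
              NaclRule(200, "allow", "tcp", 3306, 3306, APP_SUBNET)]

REQUEST = Packet("10.0.1.10", "10.0.2.20", "tcp", 8080)
REPLY = Packet("10.0.2.20", "10.0.1.10", "tcp", 51515)   # back to the client's ephemeral port


def web_to_app_request():
    """Security group on the app server and the app-subnet NACL both accept the request."""
    return (sg_allows(["sg-app"], SG_RULES, REQUEST, source_groups=["sg-web"]),
            nacl_decision(APP_NACL_IN, REQUEST, "inbound"))


def app_reply(outbound_rules):
    """The reply crosses the app-subnet NACL outbound; being stateless it needs its own rule."""
    return nacl_decision(outbound_rules, REPLY, "outbound")


def web_to_db_direct():
    """A web server reaching for the database subnet directly is stopped by rule 100."""
    return nacl_decision(DB_NACL_IN, Packet("10.0.1.10", "10.0.3.30", "tcp", 3306), "inbound")
```

The point to take from `app_reply` is the one that bites in practice: a NACL that allows only port 8080 inbound silently breaks the connection, because the reply to the client's ephemeral port is a separate packet that the outbound list has to allow; the security group, being stateful, needs no such rule.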
  • 38. Use Elastic Load Balancers to distribute traffic between instances (an Elastic Load Balancer in front of several web servers in 10.0.1.0/24)
  • 39. Elastic Load Balancers are also placed in security groups
  • 40. Your security can scale up and down with your solution. Elastic load balancers • Instances can automatically be added and removed from the balancing pool using rules. Auto scaling • You can add instances into security groups at launch time
  • 41. Security best practices for AWS 1. Quick Intro on AWS 2. Understanding shared responsibility for security 3. Using AWS global reach and availability features 4. Building a secure virtual private cloud 5. Using AWS Identity and Access Management 6. Protecting your content on AWS 7. Building secure applications on AWS
  • 42. You have fine grained control of your AWS environment AWS IAM enables you to securely control access to AWS services and resources • Fine grained control of user permissions, resources and actions • Now includes support for RunInstances • Add multi factor authentication • Hardware token or smartphone apps • Test out your new policies using the Identity and Access Management policy simulator
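Slide 42 recommends testing new policies in the policy simulator before attaching them. The decision logic the simulator applies is small enough to show: everything is denied by default, a matching Allow grants, and a matching explicit Deny overrides every Allow. The following is an added example, not code from the slides or from AWS, and it models only actions, resources and wildcards (no Condition blocks, no NotAction/NotResource); the policies, account id and user are constructed.

```python
import fnmatch

# Constructed policies (not from the slides): an operations user may inspect and
# launch EC2 instances in one account and region, but is explicitly barred from
# changing security-group rules, which belongs to the network-management role.
OPS_POLICIES = [
    {"Statement": [
        {"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"},
        {"Effect": "Allow", "Action": ["ec2:RunInstances", "ec2:TerminateInstances"],
         "Resource": "arn:aws:ec2:us-east-1:111122223333:instance/*"},
    ]},
    {"Statement": [
        {"Effect": "Deny",
         "Action": ["ec2:AuthorizeSecurityGroup*", "ec2:RevokeSecurityGroup*"],
         "Resource": "*"},
    ]},
]


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    # IAM action names match case-insensitively; '*' and '?' are wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _resource_matches(pattern, arn):
    # ARNs are case-sensitive.
    return fnmatch.fnmatchcase(arn, pattern)


def evaluate(policies, action, resource):
    """Simplified IAM decision: ImplicitDeny unless an Allow matches, and any
    matching explicit Deny wins regardless of Allows (assumption: no conditions)."""
    decision = "ImplicitDeny"
    for policy in policies:
        for stmt in policy["Statement"]:
            if not any(_action_matches(p, action) for p in _as_list(stmt.get("Action", []))):
                continue
            if not any(_resource_matches(p, resource) for p in _as_list(stmt.get("Resource", []))):
                continue
            if stmt["Effect"] == "Deny":
                return "ExplicitDeny"
            decision = "Allow"
    return decision


def simulate(policies, requests):
    """Evaluate a batch of (action, resource) pairs, as the policy simulator does."""
    return {(action, resource): evaluate(policies, action, resource)
            for action, resource in requests}


if __name__ == "__main__":
    for key, result in simulate(OPS_POLICIES, [
            ("ec2:DescribeInstances", "*"),
            ("ec2:RunInstances", "arn:aws:ec2:us-east-1:111122223333:instance/*"),
            ("ec2:RunInstances", "arn:aws:ec2:eu-west-1:111122223333:instance/*"),
            ("ec2:AuthorizeSecurityGroupIngress", "*"),
            ("iam:CreateUser", "*")]).items():
        print(f"{key[0]:40} {key[1]:55} {result}")
```

The third request shows why least privilege should be written with resource ARNs rather than `*`: the same user who may launch instances in us-east-1 gets an implicit deny in eu-west-1 without any extra statement.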
  • 43. Segregate duties between roles with IAM. You get to choose who can do what in your AWS environment and from where: the AWS account owner (master) delegates network management, security management, server management and storage management to separate roles, each managing and operating its own part of the VPC (subnets, router, Internet gateway, customer gateway)
  • 44. Use AWS CloudTrail (beta) to track access to APIs and IAM Increase your visibility of what happened in your AWS environment • CloudTrail will record access to API calls and save logs in your S3 buckets, no matter how those API calls were made • Who did what and when and from what IP address • Be notified of log file delivery using the AWS Simple Notification Service • Support for many AWS services including EC2, EBS, VPC, RDS, IAM, STS and RedShift • Aggregate log information into a single S3 bucket Out of the box integration with log analysis tools from AWS partners including Splunk, AlertLogic and SumoLogic.
  • 45. AWS CloudTrail logs can be used for many powerful use cases CloudTrail can help you achieve many tasks • Security analysis • Track changes to AWS resources, for example VPC security groups and NACLs • Compliance – understand AWS API call history • Troubleshoot operational issues – quickly identify the most recent changes to your environment CloudTrail is currently available in US-WEST1 and US-EAST1
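Slides 44 and 45 describe what CloudTrail records (who did what, when, from which IP address) and the first thing to do with it: track changes to security groups and NACLs. Below is an added example, not code from the slides or from AWS, that reads a CloudTrail-shaped JSON file and pulls those answers out. The log is constructed for the example (the field names follow CloudTrail's record format; the user names, IP addresses, resource ids and times are made up); the event names are the EC2 and IAM API actions CloudTrail logs.

```python
import json
from collections import Counter

# Constructed sample log in CloudTrail's shape (a top-level "Records" list).
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2014-01-10T09:12:03Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "sourceIPAddress": "203.0.113.7",
     "requestParameters": {"groupId": "sg-0123abcd"}},
    {"eventTime": "2014-01-10T09:15:41Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "sourceIPAddress": "198.51.100.22"},
    {"eventTime": "2014-01-10T09:20:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "CreateNetworkAclEntry",
     "userIdentity": {"type": "Root"},
     "sourceIPAddress": "203.0.113.7",
     "requestParameters": {"networkAclId": "acl-0123abcd", "ruleNumber": 100}},
    {"eventTime": "2014-01-10T09:21:10Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateUser",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "sourceIPAddress": "203.0.113.7",
     "requestParameters": {"userName": "svc-deploy"}},
]})

# API calls that mutate security groups or NACLs: the changes slide 45 singles out.
NETWORK_CHANGE_EVENTS = {
    "AuthorizeSecurityGroupIngress", "AuthorizeSecurityGroupEgress",
    "RevokeSecurityGroupIngress", "RevokeSecurityGroupEgress",
    "CreateSecurityGroup", "DeleteSecurityGroup",
    "CreateNetworkAclEntry", "ReplaceNetworkAclEntry", "DeleteNetworkAclEntry",
}


def parse_records(raw):
    return json.loads(raw)["Records"]


def actor(record):
    """IAM user name if present, otherwise the identity type (e.g. Root)."""
    identity = record.get("userIdentity", {})
    return identity.get("userName") or identity.get("type", "unknown")


def who_did_what(records):
    """One (when, who, what, from where) tuple per API call, in log order."""
    return [(r["eventTime"], actor(r), r["eventName"], r.get("sourceIPAddress"))
            for r in records]


def network_changes(records):
    """Security-group and NACL mutations, with the resource they touched."""
    return [(r["eventTime"], actor(r), r["eventName"], r.get("requestParameters", {}))
            for r in records if r["eventName"] in NETWORK_CHANGE_EVENTS]


def root_activity(records):
    """Any call made with the account's root credentials rather than an IAM user."""
    return [r for r in records if r.get("userIdentity", {}).get("type") == "Root"]


def calls_per_source_ip(records):
    return Counter(r.get("sourceIPAddress") for r in records)


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    for row in who_did_what(recs):
        print(*row)
    print("network changes:", [c[2] for c in network_changes(recs)])
    print("root activity:", len(root_activity(recs)), "call(s)")
    print("by source IP:", dict(calls_per_source_ip(recs)))
```

The same functions work on the real gzipped objects CloudTrail delivers to S3 once they are decompressed and read as text; the `network_changes` and `root_activity` views are the ones worth turning into notifications, since a NACL entry created with root credentials is exactly the kind of change slide 45 says to watch for.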
  • 46. Security best practices for AWS 1. Quick Intro on AWS 2. Understanding shared responsibility for security 3. Using AWS global reach and availability features 4. Building a secure virtual private cloud 5. Using AWS Identity and Access Management 6. Protecting your content on AWS 7. Building secure applications on AWS
  • 47. AWS has many different content storage services: S3, RDS, EBS, Redshift
  • 48. Making use of available Amazon S3 security features. Configure S3 access controls at bucket and object level • Restrict access and rights as tightly as possible and regularly review access logs • Use versioning for important files, with MFA required for delete. Use S3 cryptographic features • Use SSL to protect data in transit • S3 server side encryption: AWS will transparently encrypt your objects using AES-256 and manage the keys on your behalf • S3 client side encryption: encrypt information before sending it to S3; build it yourself or use the AWS Java SDK • Use MD5 checksums to verify the integrity of objects loaded into S3
  • 49. Making the most of Amazon RDS security features. RDS can reduce the security burden of running your databases • Limit security group access to RDS instances • Limit RDS management plane access with AWS IAM permissions. Encrypt data in flight • Oracle Native Network Encryption, SSL for SQL Server, MySQL and PostgreSQL – especially if the database is accessible from the Internet. Encrypt data at rest in sensitive table space • Native RDS via SQL Server and Oracle Transparent Data Encryption • Encrypt sensitive information at application level or use a DB proxy. Configure automatic patching of minor updates – let AWS do the heavy lifting for you within a maintenance window you choose
  • 50. Encrypting EBS volumes on Amazon EC2 instances Roll your own encryption or use commercial solutions • Windows BitLocker or Linux LUKS for encrypted volumes and TrueCrypt for containers • SafeNet Protect-V, Trend Secure Cloud, Voltage – some vendors offer boot volume encryption • MapReduce volumes can use Gazzang Managing encryption keys is critical and difficult! • How will you manage keys and make sure they are available when required, for example at instance start-up? • How will you keep them available and prevent loss? • How will you rotate keys on a regular basis and keep them private? EBS
  • 51. Security best practices for AWS 1. Quick Intro on AWS 2. Understanding shared responsibility for security 3. Using AWS global reach and availability features 4. Building a secure virtual private cloud 5. Using AWS Identity and Access Management 6. Protecting your content on AWS 7. Building secure applications on AWS
  • 52. You decide how to configure your instance environment: you launch an instance from the AMI catalogue, EC2 runs it with its operating system, and you take responsibility for its final configuration. Harden operating system and platforms • Use standard hardening guides and techniques • Apply latest security patches – Amazon maintains repositories. Use host-based protection software (whitelisting and integrity, malware and IPS, vulnerability management, audit and logging, hardening and configuration) • Think of how they will work in an elastic environment - hosts may only be in use for hours before being replaced. Think about how you will manage administrative users • Restrict access as much as possible. Build out the rest of your standard security environment
  • 53. Where you can go for help and further information Browse and read AWS security whitepapers and good practices • http://aws.amazon.com/compliance • http://aws.amazon.com/security • Risk and compliance, including CSA questionnaire response • Security best practices • Audit and operational checklists to help you assess security before you go live Sign up for AWS support • http://aws.amazon.com/support • Get help when you need it most – as you grow • Choose different levels of support with no long-term commitment
  • 54. Get training and become AWS certified in your discipline. Get training from an instructor or try the self-paced labs • http://aws.amazon.com/training/ Become AWS certified and gain recognition and visibility • http://aws.amazon.com/certification • Demonstrate that you have the skills, knowledge and expertise to design, deploy and manage projects and applications on the AWS platform • Prove skills and foster credibility with your employer and peers. Choose your discipline, or do all of them! • AWS Certified Solutions Architect – Associate Level • AWS Certified Developer – Associate Level (Beta) • AWS Certified SysOps Administrator – Associate Level (Beta)
  • 55. Thank you for your time today Any questions? Martin Yan ymartin@amazon.com