This document discusses security best practices for AWS. It covers understanding the shared responsibility model for security between AWS and customers. It also discusses using AWS features like virtual private clouds, identity and access management, encryption, and building secure applications to implement security best practices. The document provides guidance on topics like network segmentation, access control lists, security groups, load balancing, and auditing to help customers securely deploy solutions on AWS.
2. What we will cover today
  1. Quick intro on AWS
  2. Understanding shared responsibility for security
  3. Using AWS global reach and availability features
  4. Building a secure virtual private cloud
  5. Using AWS Identity and Access Management
  6. Protecting your content on AWS
  7. Building secure applications on AWS
3. Security best practices for AWS
4. What is AWS?
(Diagram: the AWS service layers, from the AWS Global Infrastructure at the bottom, up through Compute, Storage, Networking and Database, then Application Services, then Deployment & Administration at the top.)
8. Compute Services
• Amazon EC2: elastic virtual servers in the cloud
• Auto Scaling: automated scaling of EC2 capacity
• Elastic Load Balancing: dynamic traffic distribution
9. Networking Services
• Amazon VPC: private, isolated section of the AWS Cloud
• AWS Direct Connect: private connectivity between AWS and your datacenter
• Amazon Route 53: Domain Name System (DNS) web service
(Diagram: a VPC spanning Availability Zone A and Availability Zone B.)
10. Storage Services
• Amazon EBS: block storage for use with Amazon EC2
• Amazon S3: Internet-scale storage via API
• Amazon Glacier: storage for archiving and backup
• AWS Storage Gateway: integrates on-premises IT and AWS storage
(Diagram: images, videos, files, binaries and snapshots stored in S3, Glacier and EBS.)
11. Application Services
• Amazon RDS: managed relational database service
• Amazon DynamoDB: managed NoSQL database service
• Amazon CloudFront: distribute content globally
• Amazon CloudSearch: managed search service
12. Big Data Services
• Amazon EMR (Elastic MapReduce): hosted Hadoop framework
• Amazon Redshift: petabyte-scale data warehouse service
• AWS Data Pipeline: move data among AWS services and on-premises data sources
13. Deployment & Administration
• Amazon CloudWatch: monitor resources
• AWS IAM (Identity & Access Mgmt): manage users, groups & permissions
• AWS OpsWorks: DevOps framework for application lifecycle management
• AWS CloudFormation: templates to deploy & manage
• AWS Elastic Beanstalk: automate resource management
(Diagram: web app, enterprise app and database workloads deployed with these tools.)
14. Security best practices for AWS
15. Every customer has access to the same security capabilities
AWS maintains a formal control environment
• SOC 1 (SSAE 16 & ISAE 3402) Type II (was SAS70)
• SOC 2 Type 1
• ISO 27001 Certification
• Certified PCI DSS Level 1 Service Provider
• FedRAMP (FISMA), ITAR, FIPS 140-2
• HIPAA and MPAA capable
(Diagram: the AWS Foundation Services of Compute, Storage, Database and Networking, running on the AWS Global Infrastructure of Regions, Availability Zones and Edge Locations.)
16. Customers
Security is a shared responsibility between AWS and our customers
Customer side of the model:
• Customer content
• Platform, Applications, Identity & Access Management
• Operating System, Network & Firewall Configuration
• Client-side Data Encryption, Server-side Data Encryption, Network Traffic Protection
Customers configure AWS security features, get access to a mature vendor marketplace, can implement and manage their own controls, and gain additional assurance above AWS controls.
AWS side of the model:
• Foundation Services: Compute, Storage, Database, Networking
• AWS Global Infrastructure: Availability Zones, Edge Locations, Regions
• Culture of security and continual improvement; ongoing audits and assurance; protection of large-scale service endpoints
17. Customers
You can build end-to-end compliance, certification and audit
• Your compliant solutions: achieve PCI, HIPAA and MPAA compliance
• Your certifications: certify against ISO27001 with a reduced scope
• Your external audits and attestations: have key controls audited or publish your own independent attestations
18. Customers retain full ownership and control of their content
Customers retain ownership of their intellectual property and content
• Customers manage their privacy objectives how they choose to
• Select the AWS geographical Region; there is no automatic replication elsewhere
• Customers can encrypt their content, retain management and ownership of keys, and implement additional controls to protect their content within AWS
The security of our services and customers is key to AWS
• Security starts at the top in Amazon with a dedicated CISO and strong cultural focus
• Dedicated internal teams constantly looking at the security of our services
• AWS support personnel have no access to customer content
19. Security best practices for AWS
20. AWS lets customers choose where their content goes
Regions: US-EAST (Virginia), US-WEST (N. California), US-WEST (Oregon), GOV CLOUD, EU-WEST (Ireland), ASIA PAC (Tokyo), ASIA PAC (Singapore), ASIA PAC (Sydney), SOUTH AMERICA (Sao Paulo)
21. Take advantage of high availability in every Region
(Diagram: the same Regions as the previous slide, each made up of multiple Availability Zones.)
22. Use edge locations to serve content close to your customers
Edge Locations: London (2), Seattle, New York (2), South Bend, Newark, Dublin, Palo Alto, Amsterdam, Stockholm, Tokyo, San Jose, Paris (2), Ashburn (2), Los Angeles (2), Frankfurt (2), Milan, Osaka, Jacksonville, Dallas (2), Hong Kong, Mumbai, Chennai, St. Louis, Miami, Singapore (2), Sao Paulo, Sydney
23. Build your solution for continuous, resilient operations
Scalable, fault tolerant services
• Build resilient solutions operating in multiple datacenters
• AWS helps simplify active-active operations
All AWS facilities are always on
• No need for a “Disaster Recovery Datacenter” when you can have resilience
• Every one managed to the same global standards
Robust connectivity and bandwidth
• Each AZ has multiple, redundant Tier 1 ISP Service Providers
• Resilient network infrastructure
24. Security best practices for AWS
27. Customers control their VPC IP address ranges
Choose your VPC address range
• Your own private, isolated section of the AWS cloud
• Every VPC has a private IP address space
• The maximum CIDR block you can allocate is /16
• For example 10.0.0.0/16 – this allows 256*256 = 65,536 IP addresses
Select IP addressing strategy
• You can’t change the VPC address space once it’s created
• Think about overlaps with other VPCs or existing corporate networks
• Don’t waste address space, but don’t constrain your growth either
(Diagram: VPC A - 10.0.0.0/16 spanning Availability Zone A and Availability Zone B.)
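The following is an added example, not part of the deck: a small Python planner for the addressing decisions on this slide. It checks a proposed VPC range against the /16 maximum and against networks it must not overlap (the range cannot be changed later), and carves out the /24 subnets the next slides use. The existing networks are constructed; the five addresses AWS reserves in every subnet are a fact about AWS, not something the slide states.

```python
import ipaddress

VPC_MAX_PREFIX = 16          # the largest block a VPC may be allocated is a /16
AWS_RESERVED_PER_SUBNET = 5  # AWS keeps the first four and the last address of each subnet
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed inputs: the slide's VPC range, plus a hypothetical second VPC and a
# corporate LAN that a new VPC must not overlap (assumptions, not from the slide).
PROPOSED_VPC = "10.0.0.0/16"
EXISTING_NETWORKS = ["10.1.0.0/16", "192.168.0.0/16"]

def address_count(cidr):
    """Total addresses in a block: 65,536 for a /16 (256*256)."""
    return ipaddress.ip_network(cidr).num_addresses

def validate_vpc_cidr(cidr, existing_networks):
    """Return the problems with a proposed VPC range; an empty list means it is usable.
    Checks the /16 maximum, that the range is RFC 1918 private address space, and
    overlap with networks you already route to."""
    problems = []
    net = ipaddress.ip_network(cidr, strict=True)   # rejects host bits set, e.g. 10.0.1.0/16
    if net.prefixlen < VPC_MAX_PREFIX:
        problems.append(f"{cidr} is larger than the /16 maximum")
    if not any(net.subnet_of(private) for private in RFC1918):
        problems.append(f"{cidr} is not an RFC 1918 private range")
    for other in existing_networks:
        if net.overlaps(ipaddress.ip_network(other)):
            problems.append(f"{cidr} overlaps existing network {other}")
    return problems

def plan_subnets(vpc_cidr, new_prefix=24, count=5, skip_first=True):
    """Carve `count` equal subnets out of the VPC, returned as strings. The slides
    number subnets from 10.0.1.0/24, so by default the first /24 is left unused."""
    subnets = ipaddress.ip_network(vpc_cidr).subnets(new_prefix=new_prefix)
    if skip_first:
        next(subnets)
    return [str(next(subnets)) for _ in range(count)]

def usable_hosts(subnet_cidr):
    """Addresses actually assignable to instances once the AWS-reserved ones are removed."""
    return address_count(subnet_cidr) - AWS_RESERVED_PER_SUBNET
```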
28. We will concentrate on a single availability zone just now
(Diagram: VPC A - 10.0.0.0/16, Availability Zone A only.)
29. Segment your VPC address space into multiple subnets
(Diagram: VPC A - 10.0.0.0/16 in Availability Zone A divided into subnets 10.0.1.0/24 through 10.0.5.0/24; a NAT instance and web EC2 instances sit in 10.0.1.0/24, with further EC2 instances in 10.0.2.0/24.)
30. Place your EC2 instances in subnets according to your design
(Diagram: web EC2 instances and the NAT in 10.0.1.0/24, app EC2 instances in 10.0.2.0/24, and jump and log hosts in the remaining subnets of VPC A - 10.0.0.0/16.)
31. Use VPC security groups to firewall your instances
“Web servers can connect to app servers on port 8080”
(Diagram: the same VPC layout, with this security group rule between the web tier in 10.0.1.0/24 and the app tier in 10.0.2.0/24.)
32. Each instance can be in up to five security groups
“Web servers can connect to app servers on port 8080”
“Allow outbound connections to the log server”
(Diagram: the same VPC layout, with a second security group rule attached to the web instances.)
33. Use separate security groups for applications and management
“Web servers can connect to app servers on port 8080”
“Allow outbound connections to the log server”
“Allow SSH and ICMP from hosts in the Jump Hosts security group”
(Diagram: the same VPC layout; the SSH/ICMP rule is carried by a management security group whose source is the jump hosts.)
34. The VPC router will allow any subnet to route to another in the VPC
(Diagram: the same VPC layout with the VPC router connecting all five subnets.)
35. Use Network Access Control Lists to restrict internal VPC traffic
(Diagram: the same VPC layout and router as slide 34.)
36. Use Network Access Control Lists to restrict internal VPC traffic
“Deny all traffic between the web server subnet and the database server subnet”
(Diagram: the same VPC layout, with this NACL rule placed at the router between 10.0.1.0/24 and the database subnet.)
37. Use Network Access Control Lists for defence in depth
NACLs are optional
• Applied at subnet level, stateless and permit all by default
• ALLOW and DENY
• Applies to all instances in the subnet
• Use as a second line of defence
(Diagram: the same VPC layout and router.)
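As an added example that is not from the deck, the Python model below shows how the controls on slides 31 to 37 combine for one connection: a stateful, allow-only security group must admit the request, and the stateless NACL on each subnet must pass both the request and the reply on an ephemeral port. It also shows the NACL acting as the second line of defence when a security group has been left too broad. The addresses and the database subnet (assumed to be 10.0.3.0/24) are constructed, and a NACL is simplified to one rule list used for both directions.

```python
from collections import namedtuple
from ipaddress import ip_address, ip_network

EPHEMERAL = 49152   # a typical reply port: stateless NACLs must admit it explicitly
ANY = (0, 65535)
Instance = namedtuple("Instance", "ip subnet groups")   # groups: up to five SG names
SgRule = namedtuple("SgRule", "port source")   # inbound, stateful, allow-only; source is a CIDR or an SG name
NaclRule = namedtuple("NaclRule", "number action src dst ports")   # stateless, ordered, allow or deny
DEFAULT_NACL = [NaclRule(100, "allow", "0.0.0.0/0", "0.0.0.0/0", ANY)]   # "permit all by default"

def sg_allows(sgs, src, dst, port):
    """True if any inbound rule on any of dst's security groups admits src on port."""
    if len(src.groups) > 5 or len(dst.groups) > 5:
        raise ValueError("an instance can be in at most five security groups")
    for rule in (r for name in dst.groups for r in sgs[name] if r.port == port):
        if rule.source in sgs:              # the rule names another security group
            if rule.source in src.groups:
                return True
        elif ip_address(src.ip) in ip_network(rule.source):
            return True
    return False

def nacl_allows(rules, src_ip, dst_ip, port):
    """Lowest-numbered matching rule wins; no match means the implicit final deny."""
    for rule in sorted(rules or DEFAULT_NACL, key=lambda r: r.number):
        if (ip_address(src_ip) in ip_network(rule.src) and ip_address(dst_ip) in ip_network(rule.dst)
                and rule.ports[0] <= port <= rule.ports[1]):
            return rule.action == "allow"
    return False

def flow_allowed(sgs, nacls, src, dst, port):
    """The SG must admit the request, and the NACL of each subnet involved must pass both the
    request and, NACLs being stateless, the reply. Simplified: one rule list per subnet, both ways."""
    if not sg_allows(sgs, src, dst, port):
        return False
    for subnet in {src.subnet, dst.subnet}:
        rules = nacls.get(subnet)
        if not (nacl_allows(rules, src.ip, dst.ip, port) and nacl_allows(rules, dst.ip, src.ip, EPHEMERAL)):
            return False
    return True

def build_example():
    """Constructed topology after the slides; the database subnet is assumed to be 10.0.3.0/24."""
    sgs = {"web": [SgRule(80, "0.0.0.0/0")],
           "app": [SgRule(8080, "web")],             # web servers can connect to app servers on 8080
           "db": [SgRule(3306, "10.0.0.0/16")],      # deliberately too broad, to show the NACL backstop
           "jump": [], "mgmt": [SgRule(22, "jump")]}  # SSH only from hosts in the jump hosts group
    nacls = {"10.0.3.0/24": [NaclRule(100, "deny", "10.0.1.0/24", "10.0.3.0/24", ANY),   # web <-> db
                             NaclRule(110, "deny", "10.0.3.0/24", "10.0.1.0/24", ANY),
                             NaclRule(200, "allow", "0.0.0.0/0", "0.0.0.0/0", ANY)]}
    hosts = {"web": Instance("10.0.1.10", "10.0.1.0/24", ["web", "mgmt"]),
             "app": Instance("10.0.2.10", "10.0.2.0/24", ["app", "mgmt"]),
             "db": Instance("10.0.3.10", "10.0.3.0/24", ["db", "mgmt"]),
             "jump": Instance("10.0.4.10", "10.0.4.0/24", ["jump"])}
    return sgs, nacls, hosts
```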
38. Use Elastic Load Balancers to distribute traffic between instances
(Diagram: an Elastic Load Balancer in front of the web instances in 10.0.1.0/24; the rest of the VPC layout is unchanged.)
39. Elastic Load Balancers are also placed in security groups
(Diagram: the Elastic Load Balancer and a growing pool of web instances in 10.0.1.0/24, each in its security groups.)
40. Your security can scale up and down with your solution
Elastic load balancers
• Instances can automatically be added and removed from the balancing pool using rules
Auto scaling
• You can add instances into security groups at launch time
(Diagram: the Elastic Load Balancer and auto-scaled web instances in 10.0.1.0/24; the rest of the VPC layout is unchanged.)
41. Security best practices for AWS
42. You have fine grained control of your AWS environment
AWS IAM enables you to securely control access to AWS services and resources
• Fine grained control of user permissions, resources and actions
• Now includes support for RunInstances
• Add multi factor authentication
• Hardware token or smartphone apps
• Test out your new policies using the Identity and Access Management policy simulator
43. Segregate duties between roles with IAM
You get to choose who can do what in your AWS environment and from where
• AWS account owner (master)
• Network management
• Security management
• Server management
• Storage management
(Diagram: these roles manage and operate a Region containing VPC A - 10.0.0.0/16, with subnets 10.0.1.0/24 and 10.0.2.0/24 in separate Availability Zones, a router, an Internet Gateway and a Customer Gateway.)
44. Use AWS CloudTrail (beta) to track access to APIs and IAM
Increase your visibility of what happened in your AWS environment
• CloudTrail will record access to API calls and save logs in your S3 buckets, no matter how those API calls were made
• Who did what and when and from what IP address
• Be notified of log file delivery using the AWS Simple Notification Service
• Support for many AWS services including EC2, EBS, VPC, RDS, IAM, STS and RedShift
• Aggregate log information into a single S3 bucket
• Out of the box integration with log analysis tools from AWS partners including Splunk, AlertLogic and SumoLogic
45. AWS CloudTrail logs can be used for many powerful use cases
CloudTrail can help you achieve many tasks
• Security analysis
• Track changes to AWS resources, for example VPC security groups and NACLs
• Compliance – understand AWS API call history
• Troubleshoot operational issues – quickly identify the most recent changes to your environment
CloudTrail is currently available in US-WEST1 and US-EAST1
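An added example, not from the deck, of the "track changes to security groups and NACLs" use case on slides 44 and 45: a Python pass over a CloudTrail log file that reports who did what, when and from which IP address, and raises flags an analyst would want. The records, user names, group and ACL identifiers and the trusted corporate address range are all constructed; the record shape follows what CloudTrail delivers.

```python
import json
from ipaddress import ip_address, ip_network

NETWORK_CHANGE_EVENTS = {  # EC2 API actions that alter security groups or network ACLs
    "AuthorizeSecurityGroupIngress", "AuthorizeSecurityGroupEgress", "RevokeSecurityGroupIngress",
    "RevokeSecurityGroupEgress", "CreateSecurityGroup", "DeleteSecurityGroup", "CreateNetworkAcl",
    "DeleteNetworkAcl", "CreateNetworkAclEntry", "DeleteNetworkAclEntry", "ReplaceNetworkAclEntry"}
TRUSTED_SOURCES = [ip_network("203.0.113.0/24")]  # assumed corporate egress range (constructed)

# Constructed sample records in the shape CloudTrail delivers: a JSON object whose
# "Records" list holds one object per API call.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2013-11-15T09:12:01Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "IAMUser", "userName": "netadmin"},
     "requestParameters": {"groupId": "sg-0a1b2c3d", "ipPermissions": {"items": [{"ipProtocol": "tcp",
         "fromPort": 8080, "toPort": 8080, "ipRanges": {"items": [{"cidrIp": "10.0.1.0/24"}]}}]}}},
    {"eventTime": "2013-11-15T09:40:22Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress", "sourceIPAddress": "198.51.100.23",
     "userIdentity": {"type": "IAMUser", "userName": "contractor"},
     "requestParameters": {"groupId": "sg-0a1b2c3d", "ipPermissions": {"items": [{"ipProtocol": "tcp",
         "fromPort": 22, "toPort": 22, "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
    {"eventTime": "2013-11-15T10:05:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DeleteNetworkAclEntry", "sourceIPAddress": "198.51.100.23",
     "userIdentity": {"type": "IAMUser", "userName": "contractor"},
     "errorCode": "Client.UnauthorizedOperation",
     "requestParameters": {"networkAclId": "acl-1234abcd", "ruleNumber": 100, "egress": False}},
    {"eventTime": "2013-11-15T10:06:00Z", "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "sourceIPAddress": "203.0.113.7", "userIdentity": {"type": "IAMUser", "userName": "netadmin"}},
]})

def granted_cidrs(record):
    """CIDRs that a security group change admits; '0.0.0.0/0' means open to the world."""
    perms = (record.get("requestParameters") or {}).get("ipPermissions", {}).get("items", [])
    return [r["cidrIp"] for p in perms for r in p.get("ipRanges", {}).get("items", [])]

def review_network_changes(log_text):
    """One finding per record that touches security groups or NACLs: who, what, when, from where,
    plus flags for calls from outside the trusted ranges, refused calls, and world-open ingress."""
    findings = []
    for rec in json.loads(log_text)["Records"]:
        if rec["eventName"] not in NETWORK_CHANGE_EVENTS:
            continue
        src = ip_address(rec["sourceIPAddress"])
        flags = []
        if not any(src in net for net in TRUSTED_SOURCES):
            flags.append("untrusted-source-ip")
        if "errorCode" in rec:                       # the call was refused but is still logged
            flags.append("failed:" + rec["errorCode"])
        if "0.0.0.0/0" in granted_cidrs(rec):
            flags.append("world-open-ingress")
        who = rec["userIdentity"].get("userName", rec["userIdentity"]["type"])
        findings.append({"when": rec["eventTime"], "who": who, "what": rec["eventName"],
                         "from": str(src), "flags": flags})
    return findings
```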
46. Security best practices for AWS
47. AWS has many different content storage services
S3, RDS, EBS, Redshift
48. Making use of available Amazon S3 security features
Configure S3 access controls at bucket and object level
• Restrict access and rights as tightly as possible and regularly review access logs
• Use versioning for important files, with MFA required for delete
Use S3 cryptographic features
• Use SSL to protect data in transit
• S3 server side encryption: AWS will transparently encrypt your objects using AES-256 and manage the keys on your behalf
• Use S3 client side encryption: encrypt information before sending it to S3; build yourself or use the AWS Java SDK
• Use MD5 checksums to verify the integrity of objects loaded into S3
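An added example for the MD5 integrity check on this slide, not from the deck: Python helpers that produce the Content-MD5 value sent with an upload and verify the ETag S3 returns against the local digest, including the case that trips people up, a multipart upload whose ETag is not an MD5 at all. The note on SSE-KMS and SSE-C ETags is a fact about S3, not something the slide states.

```python
import base64
import hashlib
import re

# Multipart uploads get an ETag of the form "<hex>-<part count>", which is not an MD5 of
# the object. Objects stored with SSE-KMS or SSE-C likewise do not carry a plain MD5 ETag;
# SSE-S3 (the AES-256 server side encryption on this slide) and plaintext objects do.
MULTIPART_ETAG = re.compile(r"^[0-9a-f]{32}-\d+$")

def content_md5_header(data: bytes) -> str:
    """Value to send as Content-MD5 on a PUT: base64 of the raw 16-byte MD5 digest.
    S3 refuses the upload if the body it receives does not hash to this value."""
    return base64.b64encode(hashlib.md5(data).digest()).decode("ascii")

def verify_single_part_etag(data: bytes, etag: str):
    """Compare the ETag returned for a single-part PUT with the local MD5 (hex).
    Returns (verified, reason); a multipart ETag cannot be checked this way, so keep
    your own digest of the whole object instead. With client side encryption, pass
    the ciphertext: that is what S3 stores and hashes."""
    etag = etag.strip('"').lower()
    if MULTIPART_ETAG.match(etag):
        return False, "multipart-etag-not-md5"
    if etag == hashlib.md5(data).hexdigest():
        return True, "md5-match"
    return False, "md5-mismatch"
```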
49. Making the most of Amazon RDS security features
RDS can reduce the security burden of running your databases
• Limit security group access to RDS instances
• Limit RDS management plane access with AWS IAM permissions
Encrypt data in flight
• Oracle Native Network Encryption, SSL for SQL Server, MySQL and PostgreSQL – especially if the database is accessible from the Internet
Encrypt data at rest in sensitive table space
• Native RDS via SQL Server and Oracle Transparent Data Encryption
• Encrypt sensitive information at application level or use a DB proxy
Configure automatic patching of minor updates – let AWS do the heavy lifting for you within a maintenance window you choose
50. Encrypting EBS volumes on Amazon EC2 instances
Roll your own encryption or use commercial solutions
• Windows BitLocker or Linux LUKS for encrypted volumes and TrueCrypt for containers
• SafeNet Protect-V, Trend Secure Cloud, Voltage – some vendors offer boot volume encryption
• MapReduce volumes can use Gazzang
Managing encryption keys is critical and difficult!
• How will you manage keys and make sure they are available when required, for example at instance start-up?
• How will you keep them available and prevent loss?
• How will you rotate keys on a regular basis and keep them private?
51. Security best practices for AWS
52. You decide how to configure your instance environment
You take responsibility for final configuration
Harden operating system and platforms
• Use standard hardening guides and techniques
• Apply latest security patches – Amazon maintains repositories
Use host-based protection software
• Think of how they will work in an elastic environment - hosts may only be in use for hours before being replaced
Think about how you will manage administrative users
• Restrict access as much as possible
Build out the rest of your standard security environment: user administration, whitelisting and integrity, malware and IPS, vulnerability management, audit and logging, hardening and configuration
(Diagram: launch an instance from the AMI catalogue, giving a running EC2 instance with its operating system; configure the instance, giving your instance.)
53. Where you can go for help and further information
Browse and read AWS security whitepapers and good practices
• http://aws.amazon.com/compliance
• http://aws.amazon.com/security
• Risk and compliance, including CSA questionnaire response
• Security best practices
• Audit and operational checklists to help you assess security before you go live
Sign up for AWS support
• http://aws.amazon.com/support
• Get help when you need it most – as you grow
• Choose different levels of support with no long-term commitment
54. Get training and become AWS certified in your discipline
Get training from an instructor or try the self-paced labs
• http://aws.amazon.com/training/
Become AWS certified and gain recognition and visibility
• http://aws.amazon.com/certification
• Demonstrate that you have the skills, knowledge and expertise to design, deploy and manage projects and applications on the AWS platform
• Prove skills and foster credibility with your employer and peers
Choose your discipline, or do all of them!
• AWS Certified Solutions Architect – Associate Level
• AWS Certified Developer – Associate Level (Beta)
• AWS Certified SysOps Administrator – Associate Level (Beta)
55. Thank you for your time today
Any questions?
Martin Yan
ymartin@amazon.com