AWS Security by Design
- 1. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Shafreen Sayyed
Solutions Architect, Amazon Web Services
AWS Security by Design
10th May 2018
- 2.
Security by Design Principles
• Implement a segregated account environment
• Implement a strong identity foundation
• Enable traceability
• Apply security at all layers
• Automate security best practices
• Protect data (in transit and at rest)
• Prepare for security events
- 3.
An Expansive Ecosystem
Partner products integrated with the AWS platform and easy to test
- 4.
Implement a segregated account environment
- 5.
AWS Organizations (Outline Multi-Account Structure) – diagram
Organization Master Account: Billing; Tooling (Amazon CloudFormation StackSets)
Organization Accounts:
• Security: Logging; Internal Audit; External Audit
• Shared Services: Direct Connect account (to the data centre)
• Developer Accounts: Developer Sandbox
• BU/Product/Resource Accounts: Sandbox; Dev; Pre-Prod; Prod; Shared Services
- 6.
Implement a strong identity foundation
- 7.
AWS Identity Access Management (IAM)
Ensure only authorized and authenticated users are able
to access resources:
• Define users, groups, services and roles
• Protect AWS credentials
• Use fine grained authorization/access control
- 8.
Define access
• Users: think carefully; SAML 2.0 (federation); define a management policy
• Groups: logically group users; apply group policies
• Services: least privilege access; be granular
• Roles: use roles for instances and functions; avoid using API keys in code
- 9.
Protecting AWS credentials
• Establish least-privileged user access
• Enable MFA on the root account
• Consider federation
• Set a password policy
• MFA for users and/or certain operations (e.g. S3 MFA Delete)
• Avoid storing API keys in source control
• Use temporary credentials via AWS STS
- 10.
Fine grained access control
• Establish the least privilege principle
• Users have no permissions of their own
• Groups have permission to assume a role
• Roles have permission to do only what is necessary, following least privilege
• Use AWS Organizations (service control policies) to centrally manage access
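The slide's pattern (users carry nothing, a group grants sts:AssumeRole, the role holds the real permissions) as an added, runnable example; this is not code from the deck. Both policy documents, the account id 111122223333 and the bucket name are constructed for the example, and the evaluator models only the IAM semantics the example needs: an explicit Deny wins, then an Allow, otherwise implicit deny, with IAM-style wildcards and the Bool condition operator.

```python
"""Added example: minimal evaluator for the user -> group -> role pattern.
Policy documents, the account id and the bucket name are constructed."""
import fnmatch

OPS_ROLE = "arn:aws:iam::111122223333:role/OpsRole"   # assumed account id

# Attached to the group: members may assume OpsRole, and only with MFA present.
GROUP_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": "sts:AssumeRole",
        "Resource": OPS_ROLE,
        "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}},
    }],
}

# Attached to the role: read-only EC2, reads from one log bucket, deletes denied.
ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["ec2:Describe*"], "Resource": "*"},
        {"Effect": "Allow", "Action": ["s3:GetObject"],
         "Resource": "arn:aws:s3:::example-logs/*"},
        {"Effect": "Deny", "Action": "s3:DeleteObject", "Resource": "*"},
    ],
}


def _matches(patterns, value, case_insensitive):
    """IAM wildcards: '*' any run, '?' one character; actions compare case-insensitively."""
    pats = patterns if isinstance(patterns, list) else [patterns]
    if case_insensitive:
        return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in pats)
    return any(fnmatch.fnmatchcase(value, p) for p in pats)


def _condition_holds(condition, context):
    """Only the Bool operator is modelled; any other operator fails closed."""
    for operator, pairs in (condition or {}).items():
        if operator != "Bool":
            return False
        for key, expected in pairs.items():
            if str(context.get(key, "false")).lower() != str(expected).lower():
                return False
    return True


def evaluate(policies, action, resource, context=None):
    """True if the request is allowed by the union of the given policy documents."""
    context = context or {}
    allowed = False
    for policy in policies:
        for st in policy["Statement"]:
            if not _matches(st["Action"], action, case_insensitive=True):
                continue
            if not _matches(st.get("Resource", "*"), resource, case_insensitive=False):
                continue
            if not _condition_holds(st.get("Condition"), context):
                continue
            if st["Effect"] == "Deny":
                return False          # an explicit deny always wins
            allowed = True
    return allowed


def demo():
    """The user alone, the group with and without MFA, then the role's scope."""
    mfa = {"aws:MultiFactorAuthPresent": "true"}
    log_obj = "arn:aws:s3:::example-logs/2018/05/trail.json.gz"
    return {
        "user_alone_describe": evaluate([], "ec2:DescribeInstances", "*"),
        "assume_without_mfa": evaluate([GROUP_POLICY], "sts:AssumeRole", OPS_ROLE),
        "assume_with_mfa": evaluate([GROUP_POLICY], "sts:AssumeRole", OPS_ROLE, mfa),
        "role_describe": evaluate([ROLE_POLICY], "ec2:DescribeInstances", "*"),
        "role_get_log": evaluate([ROLE_POLICY], "s3:GetObject", log_obj),
        "role_get_other": evaluate([ROLE_POLICY], "s3:GetObject",
                                   "arn:aws:s3:::other-bucket/secret.txt"),
        "role_delete_log": evaluate([ROLE_POLICY], "s3:DeleteObject", log_obj),
        "role_run_instances": evaluate([ROLE_POLICY], "ec2:RunInstances", "*"),
    }
```

The MFA condition lives on the group's AssumeRole grant rather than on the role itself, so a stolen long-lived user key cannot reach the role's permissions without a second factor; the role's own policy then bounds what the temporary credentials can do.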
- 11.
Amazon GuardDuty
• A threat detection service re-imagined for the cloud
• Continuously monitors and protects AWS accounts along with the applications and services running within them
• Detects known threats (threat intelligence) as well as unknown threats (previously unseen behaviour, via anomaly detection)
• Makes use of artificial intelligence / machine learning
• Integrated threat intelligence
• Operates on AWS CloudTrail, VPC Flow Logs and DNS logs
• Detailed and actionable findings, emitted as CloudWatch Events and shown in the console
- 12.
Detecting Known Threats
Threat Intelligence
• GuardDuty consumes feeds from various sources
• AWS Security
• Commercial feeds
• Open source feeds
• Customer-provided threat intel (STIX)
• Known malware-infected hosts
• Anonymising Proxies
• Sites hosting malware & hacker tools
• Crypto-currency mining pools and wallets
- 13.
Detecting Unknown Threats
Anomaly Detection
• Algorithms to detect unusual behavior
• Inspecting signal patterns for signatures
• Profiling normal and looking at deviations
• Machine Learning Classifiers
- 14.
What can the service detect?
Examples of findings: RDP brute force; RAT installed; exfiltration of temporary IAM credentials over DNS; probing the API with temporary credentials; attempt to compromise an account; malicious or suspicious IP; unusual ports; DNS exfiltration; unusual traffic volume; connection to a blacklisted site; recon; anonymizing proxy; temporary credentials used off-instance; unusual ISP caller; bitcoin activity; unusual instance launch.
https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types.html#actual-types
- 15.
GuardDuty Partners
- 16.
Resources
AWS IAM - https://aws.amazon.com/iam/
AWS STS - https://docs.aws.amazon.com/STS/latest/APIReference/Welcome.html
AWS Organizations - https://aws.amazon.com/organizations/
https://www.youtube.com/watch?v=ZKpkF17d0Oo&feature=youtu.be
AWS Git-Secrets - https://github.com/awslabs/git-secrets
AWS Multi-account strategy - https://www.youtube.com/watch?v=71fD8Oenwxc
AWS GuardDuty Finding types - https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types.html#actual-types
https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html#guardduty_filter-findings
- 17.
Enable traceability
- 18.
Detective controls
Identifying potential security threats is essential for legal and compliance assurance; the key areas are:
• Capture and analyze logs
• Integrate auditing controls with notifications and workflow – use your logs
- 19.
AWS CloudTrail
AWS Config
Amazon CloudWatch Logs
VPC Flow Logs
ELB logs
API Endpoint Logs
Amazon Redshift Logs
...
(If it doesn’t move, watch it ‘til it moves – then log it!)
If it moves…log it!
- 20.
Different log categories
• AWS infrastructure logs: AWS CloudTrail, Amazon VPC Flow Logs, …
• AWS service logs: Amazon S3, Elastic Load Balancing, Amazon CloudFront, AWS Lambda (sometimes), AWS Elastic Beanstalk, …
• Host-based logs: messages, security, NGINX/Apache/syslog etc., performance monitoring, …
All three categories carry security-related events.
- 21.
Multiple levels of automation
Self managed
AWS CloudTrail -> Amazon CloudWatch Logs -> Amazon CloudWatch Alarms
AWS CloudTrail -> Amazon SNS -> AWS Lambda
Compliance validation
AWS Config Rules
Host-based compliance checking
Amazon Inspector
Active change remediation
Amazon CloudWatch Events
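The detection half of the first "self managed" path (CloudTrail -> CloudWatch Logs -> alarm), as an added example that is not part of the deck: the same matching logic a CloudWatch Logs metric filter would apply, run locally over a handful of constructed CloudTrail records. The four rules mirror metric filters from the CIS AWS Foundations Benchmark the deck links in its final resources slide (the filter patterns are quoted in the comments); the records, account id and event ids are made up for the example.

```python
"""Added example: CIS-style CloudTrail detections run over constructed records."""
import json

# CIS 3.3 root account usage, as a CloudWatch Logs metric filter:
# { $.userIdentity.type = "Root" && $.userIdentity.invokedBy NOT EXISTS
#   && $.eventType != "AwsServiceEvent" }
def root_usage(r):
    ident = r.get("userIdentity", {})
    return (ident.get("type") == "Root" and "invokedBy" not in ident
            and r.get("eventType") != "AwsServiceEvent")

# CIS 3.2 console sign-in without MFA:
# { ($.eventName = "ConsoleLogin") && ($.additionalEventData.MFAUsed != "Yes") }
def console_login_without_mfa(r):
    return (r.get("eventName") == "ConsoleLogin"
            and r.get("additionalEventData", {}).get("MFAUsed") != "Yes")

# CIS 3.1 unauthorized API calls:
# { ($.errorCode = "*UnauthorizedOperation") || ($.errorCode = "AccessDenied*") }
def unauthorized_call(r):
    code = r.get("errorCode", "")
    return code.endswith("UnauthorizedOperation") or code.startswith("AccessDenied")

# CIS 3.4 IAM policy changes (event names from the benchmark filter)
IAM_POLICY_EVENTS = {
    "DeleteGroupPolicy", "DeleteRolePolicy", "DeleteUserPolicy",
    "PutGroupPolicy", "PutRolePolicy", "PutUserPolicy",
    "CreatePolicy", "DeletePolicy", "CreatePolicyVersion", "DeletePolicyVersion",
    "AttachRolePolicy", "DetachRolePolicy", "AttachUserPolicy", "DetachUserPolicy",
    "AttachGroupPolicy", "DetachGroupPolicy",
}
def iam_policy_change(r):
    return (r.get("eventSource") == "iam.amazonaws.com"
            and r.get("eventName") in IAM_POLICY_EVENTS)

RULES = {
    "root_usage": root_usage,
    "console_login_without_mfa": console_login_without_mfa,
    "unauthorized_call": unauthorized_call,
    "iam_policy_change": iam_policy_change,
}


def parse_trail(text):
    """S3 delivery files are {"Records": [...]}; CloudWatch Logs carries one record per line."""
    try:
        obj = json.loads(text)
        if isinstance(obj, dict) and "Records" in obj:
            return obj["Records"]
    except json.JSONDecodeError:
        pass
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect(records):
    """Return (rule, eventID) pairs; each pair is what one metric-filter match would count."""
    return [(name, r["eventID"]) for r in records
            for name, rule in RULES.items() if rule(r)]


# Constructed CloudTrail records: one hit per rule, plus two that must stay quiet.
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventID": "e1", "eventType": "AwsConsoleSignIn", "eventName": "ConsoleLogin",
     "eventSource": "signin.amazonaws.com",
     "userIdentity": {"type": "Root", "accountId": "111122223333"},
     "additionalEventData": {"MFAUsed": "Yes"}},
    {"eventID": "e2", "eventType": "AwsConsoleSignIn", "eventName": "ConsoleLogin",
     "eventSource": "signin.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventID": "e3", "eventType": "AwsApiCall", "eventName": "RunInstances",
     "eventSource": "ec2.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "errorCode": "Client.UnauthorizedOperation"},
    {"eventID": "e4", "eventType": "AwsApiCall", "eventName": "AttachUserPolicy",
     "eventSource": "iam.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}},
    {"eventID": "e5", "eventType": "AwsApiCall", "eventName": "DescribeInstances",
     "eventSource": "ec2.amazonaws.com", "userIdentity": {"type": "AssumedRole"}},
    {"eventID": "e6", "eventType": "AwsServiceEvent", "eventName": "CreateStack",
     "eventSource": "cloudformation.amazonaws.com",
     "userIdentity": {"type": "Root", "invokedBy": "cloudformation.amazonaws.com"}},
]})


def demo():
    return detect(parse_trail(SAMPLE_TRAIL))
```

Record e6 is the reason the root-usage filter carries the invokedBy and eventType clauses: root-owned service events fire constantly in some accounts and would otherwise bury the real root sign-in (e1).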
- 22.
AWS Trusted Advisor checks your account
- 23.
Resources
AWS Config – https://aws.amazon.com/config/
AWS Config Rules –
https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-
aws-config.html
Amazon Inspector - https://aws.amazon.com/inspector/
Amazon Elasticsearch Service - https://aws.amazon.com/elasticsearch-service/
Amazon CloudWatch Logs - https://aws.amazon.com/cloudwatch/
Amazon Athena – https://aws.amazon.com/athena/
Amazon Glacier – https://aws.amazon.com/glacier/
AWS Lambda – https://aws.amazon.com/lambda/
- 24.
Apply Security at all layers
- 25.
Defence-in-depth
- 26.
Infrastructure protection
• Protect network and host level boundaries
• System security config and management
• Enforce service-level protection
- 27.
Protect network and host level boundaries
VPC considerations:
• Subnets to separate workloads
• Use NACLs to restrict traffic between subnets
• Use route tables (no route to an internet gateway) to keep protected subnets off the internet
• Use Security Groups that reference other Security Groups to grant access between tiers
Limit what you run in public subnets:
• ELBs, ALBs and NLBs
• Bastion hosts
• Avoid, where possible, having any system directly reachable from the internet
External connectivity for management:
• Use VPN gateways to your on-premises systems
• Direct Connect
- 28.
AWS Shield
• Standard Protection: protection against the most common DDoS attacks, and access to tools and best practices to build a DDoS-resilient architecture on AWS.
• Advanced Protection: additional protection against larger and more sophisticated attacks, visibility into attacks, AWS cost protection, Layer 7 mitigations, and 24x7 access to DDoS experts for complex cases.
- 29.
AWS Shield: four key pillars…
• AWS Integration: DDoS protection without infrastructure changes
• Affordable: don't force unnecessary trade-offs between cost and availability
• Flexible: customize protections for your applications
• Always-On Detection and Mitigation: minimize impact on application latency
- 30.
AWS Shield Advanced
• Always-on monitoring & detection
• Advanced L3/4 & L7 DDoS protection
• Attack notification and reporting
• 24x7 access to the DDoS Response Team
• AWS bill protection
- 31.
AWS WAF – Layer 7 application protection
• Web traffic filtering with custom rules
• Malicious request blocking
• Active monitoring and tuning
Managed WAF rules available on AWS Marketplace
- 32.
The Artifact Service
- 33.
Systems Manager Capabilities
Run Command, State Manager, Automation, Inventory, Patch Manager, Maintenance Windows, Parameter Store – grouped on the slide under Configuration/Administration, Update and Track, and Shared Capabilities
- 34.
System security config and management
• OS-based firewalls
• Remove unnecessary packages from the OS
• Remove direct access to machines – use Systems Manager (Run Command) instead
• Amazon Inspector to scan OS and applications for CVEs (Common Vulnerabilities and Exposures)
• Don't forget Security Groups
- 35.
Resources
Amazon VPC – https://aws.amazon.com/vpc/
AWS Direct Connect – https://aws.amazon.com/directconnect/
Amazon Inspector - https://aws.amazon.com/inspector/
AWS KMS - https://aws.amazon.com/kms/
AWS System Manager - https://aws.amazon.com/systems-manager/
AWS WAF – https://aws.amazon.com/waf/
AWS Shield - https://aws.amazon.com/shield/
AWS Artifact - https://aws.amazon.com/artifact/
- 36.
Automate security best practices
- 37.
Ensure best practice
• Template everything (CloudFormation, Terraform, etc.)
• Utilise CI/CD pipelines
• Use AWS Config rules, managed (such as the two below) or custom:
s3-bucket-public-write-prohibited
s3-bucket-public-read-prohibited
• Amazon Inspector to detect known vulnerabilities
• Automate the response to non-compliant infrastructure
- 38.
The Event Response Automation Playbook…
Adversary (or Intern) -> Your environment -> CloudWatch Events event -> Lambda Responder
- 39.
Example:
“Only allow EC2 instances launched from approved AMIs and with appropriate subnets and Security Groups”
- 40.
EC2 launch parameters:
ImageId=ami-f9dd458a
SubnetId=subnet-a8aa4ef0
SecurityGroups=[
GroupId=sg-45533823
]
- 41.
CloudWatch Events event pattern:
{
"detail-type": [
"EC2 Instance State-change Notification"
],
"detail": {
"state": [ "pending" ]
},
"source": [ "aws.ec2" ]
}
- 42.
Responder
# check if the AMI is approved
# check if AMI is used in correct subnet
# check if AMI was launched with approved security group
- 43.
Amazon DynamoDB (table of approved launches):
{
"ami": "ami-0d77397e",
"region": "eu-west-1",
"security_groups": [
"sg-cc9a3aaa"
],
"subnets": [
"subnet-ac3d7cda",
"subnet-2f9c1677"
]
},
{
"ami": "ami-f9dd458a",
"region": "eu-west-1",
"security_groups": [
"sg-ee9a3a88"
],
"subnets": [
"subnet-ad3d7cdb",
"subnet-2e9c1676"
]
}
- 44.
Event (the put_events entry emitted by the level-1 responder):
{
'Time': int(time.time()),
'Source': 'auto.responder.level1',
'Resources': [ str(instance_id) ],
'DetailType': 'activeResponse',
'Detail': json.dumps({   # put_events expects Detail as a JSON string, not a dict
'instance': instance_id,
'actionsRequested': 'instanceTermination'
})
}
- 45.
CloudWatch Events event pattern (level 2):
{
"detail-type": [
"activeResponse"
],
"source": [
"auto.responder.level1"
]
}
- 46.
L2 responder
ec2.terminate_instances
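The playbook of slides 38 to 46 as one runnable piece, added here as an example and not code from the deck. The approved-launch table reuses the AMI, subnet and security group ids from the DynamoDB items on slide 43 as an inline list; the EC2 and CloudWatch Events clients are injected so the logic runs offline (boto3 is imported only when a handler is called without them), and the fake clients in demo() are constructed for the example. Source and DetailType follow slide 44; the triggering instance uses the launch parameters from slide 40.

```python
"""Added example: level-1 check and level-2 termination of the playbook, runnable offline."""
import json
import time

APPROVED = [  # stand-in for the DynamoDB table of approved launches (slide 43)
    {"ami": "ami-0d77397e", "region": "eu-west-1",
     "security_groups": ["sg-cc9a3aaa"],
     "subnets": ["subnet-ac3d7cda", "subnet-2f9c1677"]},
    {"ami": "ami-f9dd458a", "region": "eu-west-1",
     "security_groups": ["sg-ee9a3a88"],
     "subnets": ["subnet-ad3d7cdb", "subnet-2e9c1676"]},
]


def check_instance(instance, region, approved=APPROVED):
    """The three checks of slide 42 over one DescribeInstances 'Instance' dict; [] = compliant."""
    ami = instance["ImageId"]
    rule = next((a for a in approved if a["ami"] == ami and a["region"] == region), None)
    if rule is None:
        return [f"AMI {ami} is not approved in {region}"]
    problems = []
    if instance["SubnetId"] not in rule["subnets"]:
        problems.append(f"subnet {instance['SubnetId']} is not approved for {ami}")
    for sg in instance.get("SecurityGroups", []):
        if sg["GroupId"] not in rule["security_groups"]:
            problems.append(f"security group {sg['GroupId']} is not approved for {ami}")
    return problems


def build_response_event(instance_id, problems):
    """put_events entry in the shape of slide 44; Detail must be a JSON string."""
    return {
        "Time": int(time.time()),
        "Source": "auto.responder.level1",
        "Resources": [str(instance_id)],
        "DetailType": "activeResponse",
        "Detail": json.dumps({"instance": instance_id,
                              "actionsRequested": "instanceTermination",
                              "reasons": problems}),
    }


def level1_handler(event, context=None, ec2=None, events=None):
    """Triggered by the slide-41 pattern (EC2 state-change, state 'pending')."""
    if ec2 is None or events is None:
        import boto3  # real clients only when running inside Lambda
        ec2 = ec2 or boto3.client("ec2")
        events = events or boto3.client("events")
    instance_id = event["detail"]["instance-id"]
    resp = ec2.describe_instances(InstanceIds=[instance_id])
    instance = resp["Reservations"][0]["Instances"][0]
    problems = check_instance(instance, event["region"])
    if problems:
        events.put_events(Entries=[build_response_event(instance_id, problems)])
    return {"instance": instance_id, "violations": problems}


def level2_handler(event, context=None, ec2=None):
    """Triggered by the slide-45 pattern; carries out the requested termination (slide 46)."""
    if ec2 is None:
        import boto3
        ec2 = boto3.client("ec2")
    detail = event["detail"]
    if detail.get("actionsRequested") != "instanceTermination":
        return None
    ec2.terminate_instances(InstanceIds=[detail["instance"]])
    return detail["instance"]


class _FakeEc2:
    """Constructed stand-in: the slide-40 launch (approved AMI, wrong subnet and group)."""
    def __init__(self):
        self.terminated = []

    def describe_instances(self, InstanceIds):
        return {"Reservations": [{"Instances": [{
            "InstanceId": InstanceIds[0], "ImageId": "ami-f9dd458a",
            "SubnetId": "subnet-a8aa4ef0",
            "SecurityGroups": [{"GroupId": "sg-45533823"}]}]}]}

    def terminate_instances(self, InstanceIds):
        self.terminated.extend(InstanceIds)


class _FakeEvents:
    def __init__(self):
        self.entries = []

    def put_events(self, Entries):
        self.entries.extend(Entries)


def demo():
    """Run the two-stage playbook end to end against the fakes."""
    ec2, bus = _FakeEc2(), _FakeEvents()
    trigger = {"source": "aws.ec2", "region": "eu-west-1",
               "detail-type": "EC2 Instance State-change Notification",
               "detail": {"instance-id": "i-0123456789abcdef0", "state": "pending"}}
    result = level1_handler(trigger, ec2=ec2, events=bus)
    for entry in bus.entries:  # the bus delivers Detail parsed back into an object
        level2_handler({"source": entry["Source"], "detail-type": entry["DetailType"],
                        "detail": json.loads(entry["Detail"])}, ec2=ec2)
    return result, ec2.terminated
```

Splitting decision (level 1) from action (level 2) lets the termination role be the only identity with ec2:TerminateInstances, and lets the level-2 rule be disabled or pointed at a ticketing target while the checks keep running.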
- 47.
Resources
Amazon VPC – https://aws.amazon.com/vpc/
AWS Systems Manager – https://aws.amazon.com/systems-manager/
Amazon Inspector - https://aws.amazon.com/inspector/
AWS CloudFormation - https://aws.amazon.com/cloudformation/
AWS SAM - https://github.com/awslabs/serverless-application-model
AWS CodePipeline - https://aws.amazon.com/codepipeline/
AWS KMS - https://aws.amazon.com/kms/
Terraform - https://www.terraform.io/
- 48.
Protect data – at rest, in transit, in use (?)
- 49.
Data Protection
• AWS CloudHSM
• AWS Key Management Service
• AWS Certificate Manager
- 50.
Data Protection - Encryption
• Encryption in transit: SSL/TLS; VPN / IPsec; SSH
• Encryption at rest: object; database; filesystem; disk
- 51.
Data In-Transit
AWS endpoints are HTTPS,
but what can you do?
• VPN connectivity to VPC
• TLS application communication
• ELB/ALB or CloudFront, with ACM
- 52.
Data At-Rest
Inbuilt encryption
• S3: select a KMS key on upload (SSE-KMS)
• EBS and RDS: enable encryption when the volume or instance is created; snapshots of encrypted resources are encrypted automatically
• DynamoDB: encryption at rest for tables and backups
Bring your own key
• Encrypt data locally before uploading
• SSE-C (server-side encryption with a customer-provided key)
- 53.
AWS Key Management Service (AWS KMS)
• Managed service that simplifies creation, control, rotation, deletion, and use of AES-256 encryption keys in your applications
• Integrated with AWS server-side encryption: S3, EBS, RDS, Amazon Aurora, Amazon Redshift, Amazon WorkMail, Amazon WorkSpaces, AWS CloudTrail, and Amazon Elastic Transcoder
• Integrated with AWS client-side encryption: AWS SDKs, S3 encryption client, EMRFS client, and DynamoDB encryption client
• Integrated with AWS CloudTrail to provide auditable logs of key usage for regulatory and compliance activities
• Available in all commercial regions except China
- 54.
How AWS services use your KMS keys
[Diagram: your application or AWS service exchanges a data key and its encrypted copy with KMS, whose master keys stay in the customer's account; the encrypted data key is stored alongside the encrypted data.]
1. Client calls kms:GenerateDataKey, passing the ID of the KMS master key in your account.
2. The request is authenticated and authorised against the permissions set on both the caller and the key.
3. A unique data encryption key is created and encrypted under the KMS master key.
4. The plaintext data key and the encrypted data key are returned to the client.
5. The plaintext data key is used to encrypt the data and is then discarded as soon as practical.
6. The encrypted data key is stored with the data; it is sent back to KMS (kms:Decrypt) when the data needs to be decrypted.
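The six steps above as an added, runnable envelope-encryption example; it is not code from the deck or from AWS. KmsStandIn replaces the real service: it keeps master keys that never leave it and enforces a constructed key policy (step 2), and its CiphertextBlob carries the key id the way a KMS blob does so Decrypt needs no key id. Because the example must run offline with the standard library, the cipher is an Encrypt-then-MAC construction (HMAC-SHA256 in counter mode plus an HMAC tag) standing in for the AES-256-GCM that KMS-integrated services use; the role ARN, key alias and encryption context are made up.

```python
"""Added example: GenerateDataKey / Decrypt envelope flow with an offline KMS stand-in.
The cipher below is a stdlib stand-in for AES-256-GCM, not what AWS services use."""
import hashlib
import hmac
import json
import os
import struct


def _prf(key, msg):
    return hmac.new(key, msg, hashlib.sha256).digest()


def _keystream_xor(key, nonce, data):
    """Counter mode with HMAC-SHA256 as the block-sized PRF."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = _prf(key, nonce + struct.pack(">Q", i // 32))
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def aead_encrypt(key, aad, plaintext):
    """nonce || ciphertext || tag; the tag binds the associated data (encryption context)."""
    enc_key, mac_key = _prf(key, b"enc"), _prf(key, b"mac")
    nonce = os.urandom(16)
    ct = _keystream_xor(enc_key, nonce, plaintext)
    return nonce + ct + _prf(mac_key, aad + nonce + ct)


def aead_decrypt(key, aad, blob):
    enc_key, mac_key = _prf(key, b"enc"), _prf(key, b"mac")
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, _prf(mac_key, aad + nonce + ct)):
        raise ValueError("authentication failed (wrong key or encryption context)")
    return _keystream_xor(enc_key, nonce, ct)


def _ctx_bytes(ctx):
    return json.dumps(ctx, sort_keys=True).encode()


class KmsStandIn:
    """Master keys live only here; the 'key policy' is a set of allowed principals."""
    def __init__(self):
        self._keys = {}

    def create_key(self, key_id, allowed_principals):
        self._keys[key_id] = (os.urandom(32), set(allowed_principals))

    def _authorize(self, key_id, principal):                       # step 2
        master, allowed = self._keys[key_id]
        if principal not in allowed:
            raise PermissionError(f"{principal} is not allowed to use {key_id}")
        return master

    def generate_data_key(self, key_id, principal, encryption_context):  # steps 1, 3, 4
        master = self._authorize(key_id, principal)
        data_key = os.urandom(32)
        wrapped = aead_encrypt(master, _ctx_bytes(encryption_context), data_key)
        return {"Plaintext": data_key, "CiphertextBlob": key_id.encode() + b"\0" + wrapped}

    def decrypt(self, ciphertext_blob, principal, encryption_context):  # step 6, service side
        key_id, wrapped = ciphertext_blob.split(b"\0", 1)
        master = self._authorize(key_id.decode(), principal)
        return aead_decrypt(master, _ctx_bytes(encryption_context), wrapped)


def encrypt_object(kms, key_id, principal, plaintext, encryption_context):
    dk = kms.generate_data_key(key_id, principal, encryption_context)
    ct = aead_encrypt(dk["Plaintext"], _ctx_bytes(encryption_context), plaintext)  # step 5
    del dk["Plaintext"]   # discard the plaintext key; only the wrapped copy is kept
    return {"edk": dk["CiphertextBlob"], "ciphertext": ct, "context": encryption_context}


def decrypt_object(kms, principal, record):
    data_key = kms.decrypt(record["edk"], principal, record["context"])
    return aead_decrypt(data_key, _ctx_bytes(record["context"]), record["ciphertext"])


def demo():
    role = "arn:aws:iam::111122223333:role/AppRole"            # constructed
    kms = KmsStandIn()
    kms.create_key("alias/app-data", allowed_principals=[role])
    ctx = {"bucket": "example-data", "key": "customers.csv"}    # bound, not secret
    record = encrypt_object(kms, "alias/app-data", role, b"card=4111-xxxx", ctx)
    out = {"roundtrip": decrypt_object(kms, role, record) == b"card=4111-xxxx",
           "ciphertext_hides_plaintext": b"card" not in record["ciphertext"]}
    try:
        decrypt_object(kms, "arn:aws:iam::111122223333:user/intern", record)
        out["other_principal_denied"] = False
    except PermissionError:
        out["other_principal_denied"] = True
    try:
        kms.decrypt(record["edk"], role, {"bucket": "example-data", "key": "other.csv"})
        out["wrong_context_rejected"] = False
    except ValueError:
        out["wrong_context_rejected"] = True
    return out
```

The encryption context is the part people skip: it is logged by CloudTrail in clear and it is authenticated, so a wrapped data key lifted from one object cannot be unwrapped under another object's context even by an authorised caller.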
- 55.
Resources
AWS KMS - https://aws.amazon.com/kms/
https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp3139.pdf
AWS KMS Crypto Details - https://d0.awsstatic.com/whitepapers/KMS-Cryptographic-Details.pdf
https://csrc.nist.gov/projects/cryptographic-module-validation-program/Certificate/3139
Amazon Macie – https://aws.amazon.com/macie/
AWS CloudHSM – https://aws.amazon.com/cloudhsm/
Amazon EBS – https://aws.amazon.com/ebs/
s2n - https://github.com/awslabs/s2n
Mitigating DDoS Attacks on AWS - https://www.youtube.com/watch?v=w9fSW6qMktA
- 56.
Prepare for security events
- 57.
Incident response
“Even with a mature preventative and detective solution
in place, you should consider a mitigation plan”
- 58.
Clean room
• Use tags to quickly determine impact and escalate
• Get the right people access and on the call
• Use cloud APIs to automate and isolate instances
• CloudFormation – recreate clean or updated environments easily for production or investigation purposes
- 59.
Resources
AWS Well-Architected - https://aws.amazon.com/architecture/well-architected/
Security Pillar - https://d1.awsstatic.com/whitepapers/architecture/AWS-Security-Pillar.pdf
AWS CIS Foundations Benchmark - https://d0.awsstatic.com/whitepapers/compliance/AWS_CIS_Foundations_Benchmark.pdf
AWS Crypto Intro - https://docs.aws.amazon.com/kms/latest/developerguide/crypto-intro.html
AWS re:Invent Security Track - https://aws.amazon.com/blogs/security/videos-and-slide-decks-from-the-aws-reinvent-2017-security-compliance-identity-track
- 60.
Summing up
• Enforce separation of duties and least privilege accounts
• Federate users; enforce using IAM policies
• Ensure security logs are separated from troubleshooting logs
• Storage for logs is cheap; the consequences of missing something through not logging may not be
• Alerting is good, automating your security response is better
• Use managed services and built-in reporting to offload and automate
• See the big picture: what info do you need and which tool can provide you that
- 61.
Thank You!