Security Best Practises on AWS presented by Simon Elisha during the AWS APAC Webinar series.

1. Security Best Practices on
AWS
Simon Elisha – Principal Solution Architect
@simon_elisha

2. All lines are muted.
You can ask questions at any time in the
Question box.
We will answer some at the end of the
session and all via email.

3. Agenda
The Shared Responsibility Model
Taking Advantaged of the Shared Model
Using the AWS Security Features
Underlying AWS Infrastructure Security
Your Responsibilities

4. In the cloud security is a shared responsibility
How do we secure our How can you secure your
Infrastructure? application and what is
Infrastructure Application your responsibility?
Security Security
Services Security
What security options and
features are available to
you?

5. Leverage shared security model
Understand your customer & form correct security stance

6. Leverage shared security model
Understand your customer & form security stance
Penetration test requests
Your certifications Your processes
External
audience

7. Leverage shared security model
Understand your customer & form security stance
Penetration test requests
Your certifications Your processes
External
audience
IAM
Internal
Administration
audience
Architecture

8. Leverage shared security model
Understand your customer & form security stance
Penetration test requests
Your certifications Your processes
External
audience
IAM AWS Certifications
Internal Regulated
Administration AWS White
audience audience Papers
Architecture AWS QSA Process

9. Leverage shared security model
Understand your customer & form security stance
Engage with security assessors early in adoption cycle
Don’t fear assessment – AWS meets high standards (PCI, ISO27001, SOC1…)
As with any infrastructure provider, security assessments take time
Derive value from architecture reviews early in deployment cycle

10. Leverage shared security model
Understand your customer & form security stance
Engage with security assessors early in adoption cycle
Use comprehensive materials and certifications provided by AWS
http://aws.amazon.com/security/
Risk and compliance paper
AWS security processes paper
NEW! CSA consensus assessments
initiative questionnaire

11. Leverage shared security model
Understand your customer & form security stance
Engage with security assessors early in adoption cycle
Use comprehensive materials and certifications provided by AWS
Build upon features of AWS and implement a ‘security by design’ environment

12. Shared responsibility
Customer Data
Platform, Applications, Identity & Access Management
You
Operating System, Network & Firewall Configuration
Client-side Data Encryption & Data Server-side Encryption Network Traffic Protection
Integrity Authentication (File System and/or Data) (Encryption/Integrity/Identity)
Foundation Services
Amazon
Compute Storage Database Networking
Availability Zones
AWS Global Edge Locations
Infrastructure Regions

13. Shared responsibility
Customer Data
Platform, Applications, Identity & Access Management
You
Operating System, Network & Firewall Configuration
Client-side Data Encryption & Data Server-side Encryption Network Traffic Protection
Integrity Authentication (File System and/or Data) (Encryption/Integrity/Identity)
Foundation Services
Amazon
Compute Storage Database Networking
Availability Zones
AWS Global Edge Locations
Infrastructure Regions

14. Build upon AWS features
Tiered Access Security Groups VPC Direct Connect & VPN
IAM Instance firewalls Network control Private connections to VPC
Control users and allow AWS to Firewall control on instances via Create low level networking Secured access to resources in AWS
manage credentials in running Security Groups constraints for resource access, such over software or hardware VPN and
instances for service access as public and private subnets, dedicated network links
(allocation, rotation) CLIs and APIs internet gateways and NATs
Instantly audit your entire AWS
APIs vs Instance infrastructure from scriptable APIs –
Bastion hosts
Provide developer API credentials generate an on-demand IT inventory Only allow access for management
and control access to SSH keys enabled by programmatic nature of of production resources from a
AWS bastion host. Turn off when not
Temporary Credentials needed
Provide developer API credentials Dedicated Instances
and control access to SSH keys
Only allow access for management
of production resources from a
bastion host. Turn off when not
needed

15. Identity & access management
Account
Administrators Developers Applications
Jim Brad Reporting
Bob Mark Console
Susan Tomcat
Kevin

16. Identity & access management
Groups Account
Administrators Developers Applications
Jim Brad Reporting
Bob Mark Console
Susan Tomcat
Kevin
Multi-factor authentication

17. Identity & access management
Groups Account Roles
Administrators Developers Applications
Jim Brad Reporting
Bob Mark Console
Susan Tomcat
Kevin
Multi-factor authentication AWS system entitlements

18. IAM policies
{
"Statement": [
{
"Effect": "Allow",
"Action": [
"elasticbeanstalk:*",
Policy driven "ec2:*",
"elasticloadbalancing:*",
Declarative definition of rights for groups "autoscaling:*",
"cloudwatch:*",
Policies control access to AWS APIs "s3:*",
"sns:*"
],
"Resource": "*"
}
]
}

19. IAM Roles
Aids Automation
Assign role to EC2 instances
Control access without passing
credentials at boot time
Integrated into SDKs

20. Key Management
Decide upon a key Consider SSH key
management rotation &
strategy automation
Control access to EC2 instances Limit exposure to private key
via SSH and embedded public compromise by rotating keys
key: and replacing
e.g. EC2 Key Pair per group of authorized_keys listings
instances, EC2 Key Pair per on running instances
account Consider bootstrap automation
to grant developer access with
Can use your existing SSH or AD developer unique keypairs
strategy

21. Temporary Security Credentials
Containing
Identity for authentication
Access Policy to control permissions
Configurable Expiration (1 – 36 hours)
Supports
AWS Identities (including IAM Users)
Federated Identities (users customer’s system to authenticate)
Scales to millions of users
No need to create an IAM identity for every user
Use Cases
Identity Federation to AWS APIs
Mobile and browser-based applications
Consumer applications with unlimited users

22. Security credentials – the hotel metaphor
AWS Account’s IAM User Temporary Security
Access Key ID Credentials

23. Security Groups
Control ingress of data by port, IP & Security Group
VPC also supports egress data control
User configurable via API, CLI, GUI Web Tier
Create “defence in depth”
Application Tier
Database Tier
Ports 80 and 443 only
open to the Internet
Engineering staff have ssh
access to the App Tier,
which acts as Bastion
Sync with on-premises Amazon EC2
database Security Grou
Firewall
All other Internet ports
blocked by default

24. CLI & API
Instantly audit the
state of your entire
environment using
the API
Regular calls via command line
or API to determine which web-
based infrastructure services
are being used at any time
Store and compare over time –
track anomalies or non-
governed usage

25. Virtual Private Cloud (VPC)
Logically Isolated Environment
Private IP address ranges & subnets
Ingress and Egress Network Access Control
Internet
Elastic IP addresses, NAT & and Internet Gateway
Hardware encrypted VPN connections and/or Direct Connect
Wizard-based setup

26. EC2 Dedicated Instances
Available within VPC
Instances launched on hardware dedicated to a single customer
Can mix-and-match use of dedicated and non-dedicated instances

27. Bastion Hosts
Server (or servers) used for system management
Access tightly controlled
Management only enabled from these hosts
Stop host when not in use
Access only allowed from specified IP addresses
TCP 22 “Bastion” TCP 22 “Bastion” TCP 22 “Bastion”
Web App DB
Server Server Server Bastion
Host
Web Security App Security DB Security
Group Group Group Bastion
TCP 80,443 “ELB” TCP 8080 “Web” TCP 3306 “App” Security Group
SSH Admin

28. Certifications
Certifications Physical Security HW, SW, Network
SOC 1 Type 2 (formerly SAS- Datacenters in nondescript Systematic change
70) facilities management
ISO 27001 Physical access strictly Phased updates deployment
controlled
PCI DSS for Safe storage decommission
EC2, S3, EBS, VPC, RDS, ELB, I Must pass two-factor
AM authentication at least twice Automated monitoring and
for floor access self-audit
FISMA Moderate Compliant
Controls Physical access logged and Advanced network protection
audited
HIPAA & ITAR Compliant
Architecture

29. Security standards
ISO 27001 PCI DSS Level 1
Achieved 11/2010
Use normally, no special configuration
Follows ISO 27002 best practice guidance Certified services include: EC2, S3, EBS, VPC,
RDS, ELB, IAM, underlying physical
Covers the AWS Information Security infrastructure & AWS Management
Management System (ISMS) Environment
Includes all Regions Leverage the work of our QSA
ISO certifying agent: EY CertifyPoint AWS will work with merchants and designated
Qualified Incident Response Assessors (QIRA)
Certified in all Regions

30. Location of data – Your choice
Deployment & Administration
App Services
Compute Storage Database Regions
An independent collection of AWS resources in a defined
Networking geography
A solid foundation for meeting location-dependent privacy
AWS Global Infrastructure
and compliance requirements

31. Global infrastructure
Deployment & Administration
App Services
Compute Storage Database Availability Zones
Designed as independent failure zones
Networking Physically separated within a typical metropolitan region
AWS Global Infrastructure

32. Global infrastructure
Deployment & Administration
App Services
Compute Storage Database Edge Locations
To deliver content to end users with lower latency
Networking A global network of edge locations
Supports global DNS infrastructure (Route53) and Cloud
AWS Global Infrastructure
Front CDN

33. Shared responsibility
Customer Data
Platform, Applications, Identity & Access Management
You
Operating System, Network & Firewall Configuration
Client-side Data Encryption & Data Server-side Encryption Network Traffic Protection
Integrity Authentication (File System and/or Data) (Encryption/Integrity/Identity)
Foundation Services
Amazon
Compute Storage Database Networking
Availability Zones
AWS Global Edge Locations
Infrastructure Regions

34. Ensure good security practice
Encrypt sensitive data both “in-flight” and “at-rest”
Use SSL for all AWS API calls & your own application communication
Use SSL Termination with Elastic Load Balancer (ELB) & back-end server authentication
S3 Server Side Encryption – free & easy. Can also implement client-side encryption
Operating system level encryption tools available (e.g. TrueCrypt, BitLocker, etc)

35. Ensure good security practice
Encrypt sensitive data both “in-flight” and “at-rest”
Operate host-based IDS/IPS and regular auditing and monitoring
Maintain OS-level firewalls for additional monitoring and control
Install logging tools and log to a separate, central location (e.g. S3)
Partner solutions available (including Trend Micro, Symantec, Check Point, etc.)
Extend your current management and logging tools to the AWS environment

36. Ensure good security practice
Encrypt sensitive data both “in-flight” and “at-rest”
Operate host-based IDS/IPS and regular auditing and monitoring
Keep operating systems and application libraries patched and up-to-date
Use automated package update services (e.g. YUM, WSUS, YAST, etc)
Apply updates to installed applications, languages, SDKs etc
Easy to do “rolling updates” by creating new AMIs and instantiating a new fleet
Relational Database Service (RDS) provides automated patch application

37. Ensure good security practice
Encrypt sensitive data both “in-flight” and “at-rest”
Operate host-based IDS/IPS and regular auditing and monitoring
Keep operating systems and applications libraries patched and up-to-date
Design application to protect against Layer 7 attacks (SQL Injection, etc)
Design security into your application from the start
Ensure all entered data is validated and correctly formatted
Perform API authorization and authentication for API-based applications
Use partner solutions (e.g. Layer7tech, SafeNet, AiCache, Incapsula, etc)

38. Ensure good security practice
Encrypt sensitive data both “in-flight” and “at-rest”
Operate host-based IDS/IPS and regular auditing and monitoring
Keep operating systems and applications libraries patched and up-to-date
Design application to protect against Layer 7 attacks (SQL Injection, etc)
Actively manage your AWS environment to leverage all of the capabilities available
Perform regular security reviews
Rotate keys and credentials
Use AWS Trusted Advisor Security Checks to detect open ports

39. Test and Retest
Penetration Testing
Check to see how secure your application is from
external attack
Must obtain authorization first
Partners also provide this service on & from AWS
http://aws.amazon.com/security

40. Where to find more information?
Risk and compliance paper
AWS security processes paper
NEW! CSA consensus assessments
initiative questionnaire
http://aws.amazon.com/security

41. Save the Date
aws.amazon.com/apac/arc-anz

42. Catch the AWS Podcast
http://aws.amazon.com/podcast

43. Questions? Enter them in the Question
area of the console and we will cover as
many as we can.

44. Thank you
Simon Elisha – Principal Solution Architect
@simon_elisha