Best Practices for Securing an Amazon VPC (NET318) - AWS re:Invent 2018
2. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Corina Motoi
Solutions Architect
AWS UK Public Sector
Matt Johnson
Manager, Solutions Architecture
AWS UK Public Sector
Best Practices for Securing
Amazon VPC
NET318
3.
About this workshop
In this interactive workshop, we provide practical advice and guidance
for designing and building secure Amazon Virtual Private Clouds
(Amazon VPCs).
Using a hands-on approach, we take you through using Amazon VPC
features such as subnets, security groups, AWS PrivateLink, network
ACLs, routing, flow logs, and service endpoints. We also share best
practices for VPC design and management based on our experience
supporting customers running large-scale infrastructures.
4.
Welcome to the workshop
• We have a number of AWS staff in the room:
  • Amazonians, please identify yourselves!
• Your fellow conference attendees at your table
  • Say hello, make a new friend
• Work on your own, or get together in small teams (2-3 people)
  • Decide who will be following along with their laptop
• Please feel free to ask questions at any time
5.
If you want to go hands-on, you will need…
• Your laptop (use tablets at your own risk!)
• An AWS account with:
  • Full AWS Identity and Access Management (IAM) administrator access
  • Recommended regions: EU (Dublin, Frankfurt, London), Asia (Singapore, Sydney, Tokyo)
  • Ability to create two VPCs in your chosen region
  • Pro tip: Choose a region you don’t normally work in, to avoid hitting limits!
• To start the AWS CloudFormation deployment — NOW!
  • http://bit.ly/net318workshop/
Note: we will provide a $20 credit voucher at the end of the workshop to cover the costs of deploying the workshop resources
6.
What we are going to cover today
• Securing the Amazon VPC control plane
  • Securing VPC config
  • Track/audit changes
  • Least privileged access/VPC flow logs
• Controlling VPC traffic flows
  • VPC security basics
  • External AWS traffic
  • VPC private connectivity: gateway endpoints, interface endpoints, PrivateLink
• VPC monitoring & automated remediation
  • Monitoring tools
  • Automated remediation
  • Show&tell
7.
Related breakouts
Tuesday, November 27
AIOPs – Find Your Needle in the Haystack
1:00 PM – 2:00 PM | Mirage, Montego D, T1
Wednesday, November 28
NET303 - Advanced VPC Design and New Capabilities for Amazon VPC
4:00 PM – 5:00 PM | Aria West, Level 3, Ironwood 5, T1
Wednesday, November 28
NET301 – Best Practices for AWS PrivateLink
4:45 PM – 5:45 PM | Venetian, Level 2, Venetian F, T2
8.
Assumptions
This workshop assumes an introductory (200 level) familiarity with:
• Amazon VPC concepts
  • Subnets, route tables, gateways
• Amazon EC2 concepts
  • AWS load balancing
• IAM concepts
  • Users, groups, policies, roles
• Other AWS services
  • AWS Identity and Access Management (IAM)
  • Amazon CloudWatch
  • AWS CloudFormation
9.
Today’s objectives
• By the end of the workshop, you should have built a fully functional VPC architecture, aligned with security best practices in three areas:
  • VPC control plane
  • Traffic control
  • VPC monitoring
• You should understand how to implement security measures in a VPC
• You (hopefully) have learned something new that you can apply back at your organization
10.
11.
High-level architecture
[Diagram: users reaching two VPCs in one Region of the AWS Cloud, each VPC fronting an Auto Scaling group]
Deployment guide here: http://bit.ly/net318workshop/
13.
14.
Objective of this chapter
Learn how to configure permissions to
manage your VPC and track/audit any
changes to its configuration
15.
Why secure the Amazon VPC control plane?
Securing VPC config
Track/audit changes in your VPC environment
16.
Objective of this chapter
Learn how to configure permissions to
manage your VPC and track/audit any
changes to its configuration
17.
AWS Identity and Access Management (IAM)
Assess the following:
• What types of users access the resources in a VPC?
• What kind of VPC resources are users allowed to access?
• What tasks do users need to perform?
General rule:
• Allow least privilege access when accessing your VPC resources
Least privilege access:
• Identities: users, groups, roles
• Access management: policies and permissions
18.
How IAM works
• Principal
• Authorization
  • Action-level permissions
  • Resource-level permissions
  • Resource-based permissions
  • Tag-based permissions
  • Service-linked roles
• Resources
19.
The structure of an IAM policy
• JSON-formatted documents
• Contain a statement (permissions) that specifies
  • Which actions a principal can perform
  • Which resources can be accessed
• You can have multiple statements, and each statement is comprised of PARC (Principal, Action, Resource, Condition)
{
  "Statement": [{
    "Effect": "Allow",
    "Principal": "*",
    "Action": "ec2:*",
    "Resource": "*",
    "Condition": {
      "condition": {
        "key": "value" }
    }
  }]
}
20.
What we have learned
Learn how to configure permissions to
manage your VPC and track/audit any
changes to its configuration
21.
What’s next to learn
Learn how to configure permissions to
manage your VPC and track/audit any
changes to its configuration
22.
AWS CloudTrail
Capture and log events related to AWS API calls
Increase visibility into your user and resource activity
Discover and troubleshoot security and operational issues
23.
AWS Config & AWS Config rules
• Record configuration changes continuously
• Time-series view of resource changes
• Archive and compare
• Enforce best practices
• Automatically roll back unwanted changes
• Trigger additional workflow
24.
25.
Hands-on 2:
Authorize the SecurityUser role to
enable logging of VPC traffic, and to
activate automated security monitoring
26.
Services we will be enabling: Amazon GuardDuty, Amazon VPC flow logs
27.
Do you have Amazon GuardDuty already enabled?
28.
Hands-on 2: Back to work!
Authorize the SecurityUser role to
enable logging of VPC traffic, and to
activate automated security monitoring
30.
[Diagram: hands-on 2 architecture. WEB-VPC: subnets PUB-A, PUB-B, VPCE-A, VPCE-B across AZ-A and AZ-B; web instances WEB-A, WEB-B; internet gateway; public route table; main route table; S3 gateway endpoint with endpoint policy; AWS interface endpoints. APP-VPC: subnets PRI-A, PRI-B, VPCE-A, VPCE-B; app instances APP-A, APP-B; main route table; S3 gateway endpoint with endpoint policy; AWS interface endpoints. Also in the Region: S3 logging bucket, SecurityUser role and SecurityUser policy, WEB-VPC flow logs, APP-VPC flow logs]
Lab guide: http://bit.ly/net318workshop/
31.
32.
Objective of this chapter
Understand VPC traffic control
mechanisms and how to use them for
external AWS connectivity, private
connectivity to AWS services, or for
multi-VPC architectures
33.
Controlling VPC traffic flows
• VPC security basics
• Best practice VPC connectivity patterns
• Connectivity using VPC endpoints and AWS PrivateLink
[Icons: internet gateway, NAT gateway, VPC gateway endpoint, peering]
34.
Let’s start
Understand VPC traffic control
mechanisms and how to use them for
external AWS connectivity, private
connectivity to AWS services, or for
multi-VPC architectures
35.
VPC traffic security control mechanisms
• Subnets
  • Are specific to an Availability Zone (AZ), and they can be public or private
• Security group
  • Acts as a virtual firewall for your instance / elastic network interfaces (ENIs) to control inbound and outbound traffic; can be cross-referenced (within a region)
• Route table
  • Contains a set of rules, called routes, that are used to determine where network traffic is directed. Each subnet in your VPC must be associated with a route table.
• Network access control lists (NACLs)
  • Optional layer of security for your VPC that acts as a firewall for controlling traffic in and out of one or more subnets
36.
Security groups vs. NACLs
Security group | Network ACL
Operates at instance level | Operates at subnet level
Supports allow rules only | Supports allow and deny rules
Is stateful: return traffic is automatically allowed regardless of any rules | Is stateless: return traffic must be explicitly allowed by rules
All rules evaluated before deciding whether to allow traffic | Rules evaluated in order when deciding whether to allow traffic
Applies only to instances explicitly associated with the security group | Automatically applies to all instances launched into associated subnets
Doesn’t filter traffic to or from link-local addresses (169.254.0.0/16) or AWS-reserved IPv4 addresses; these are the first four IPv4 addresses of the subnet (including the Amazon VPC DNS server)
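The comparison above, as an added example that is not code from the deck: a toy Python model of how a stateful, allow-only security group and a stateless, ordered network ACL decide on the same flows. The Flow and Rule classes, the sample rule sets and the addresses are constructed for illustration; the behaviour they model is the one the table states, including the NACL's implicit final deny and the need to allow return traffic to the client's ephemeral port explicitly.

```python
"""Added example (not from the NET318 deck): a toy model of how a stateful
security group and a stateless network ACL evaluate the same traffic.
Rule semantics follow the comparison table; the classes, sample rules and
addresses are constructed for illustration."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Flow:
    src: str        # source IPv4 address (the client)
    dst: str        # destination IPv4 address (the instance)
    proto: str      # "tcp" or "udp"
    dport: int      # destination port


@dataclass(frozen=True)
class Rule:
    number: int     # NACL rule number (evaluation order); ignored for security groups
    action: str     # "allow" or "deny" (security groups only support "allow")
    cidr: str       # remote address range the rule matches
    proto: str
    port_from: int
    port_to: int

    def matches(self, remote: str, proto: str, port: int) -> bool:
        return (ip_address(remote) in ip_network(self.cidr)
                and self.proto == proto
                and self.port_from <= port <= self.port_to)


def security_group_allows(inbound: List[Rule], flow: Flow) -> bool:
    """Stateful, allow-only: every rule is evaluated, any match permits the
    request, and the return traffic is allowed implicitly."""
    assert all(r.action == "allow" for r in inbound), "security groups have no deny rules"
    return any(r.matches(flow.src, flow.proto, flow.dport) for r in inbound)


def nacl_decides(rules: List[Rule], remote: str, proto: str, port: int) -> bool:
    """Stateless, ordered: the lowest-numbered matching rule wins; the
    implicit final rule denies anything no earlier rule matched."""
    for r in sorted(rules, key=lambda r: r.number):
        if r.matches(remote, proto, port):
            return r.action == "allow"
    return False


def nacl_allows_round_trip(inbound: List[Rule], outbound: List[Rule],
                           flow: Flow, client_port: int) -> Optional[str]:
    """Return None if both directions pass, otherwise the direction that failed.
    Because NACLs are stateless, the reply (instance -> client, to the client's
    ephemeral port) must be allowed by the outbound rule set explicitly."""
    if not nacl_decides(inbound, flow.src, flow.proto, flow.dport):
        return "inbound"
    if not nacl_decides(outbound, flow.src, flow.proto, client_port):
        return "outbound"
    return None


# Constructed sample rule sets for a web subnet
SG_WEB = [Rule(0, "allow", "0.0.0.0/0", "tcp", 443, 443)]

NACL_IN = [
    Rule(90, "deny", "198.51.100.0/24", "tcp", 0, 65535),   # explicit deny, evaluated first
    Rule(100, "allow", "0.0.0.0/0", "tcp", 443, 443),
]
NACL_OUT_NO_EPHEMERAL = [Rule(100, "allow", "0.0.0.0/0", "tcp", 443, 443)]
NACL_OUT_WITH_EPHEMERAL = NACL_OUT_NO_EPHEMERAL + [
    Rule(110, "allow", "0.0.0.0/0", "tcp", 1024, 65535),    # return traffic to client ports
]


def demo() -> dict:
    """Run the two sample flows through both control types."""
    https = Flow("203.0.113.7", "10.0.0.10", "tcp", 443)
    blocked = Flow("198.51.100.9", "10.0.0.10", "tcp", 443)
    return {
        "sg_allows_https": security_group_allows(SG_WEB, https),
        "nacl_missing_ephemeral": nacl_allows_round_trip(NACL_IN, NACL_OUT_NO_EPHEMERAL, https, 51000),
        "nacl_with_ephemeral": nacl_allows_round_trip(NACL_IN, NACL_OUT_WITH_EPHEMERAL, https, 51000),
        "nacl_explicit_deny": nacl_allows_round_trip(NACL_IN, NACL_OUT_WITH_EPHEMERAL, blocked, 51000),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The second result is the classic NACL mistake: the request reaches the instance, but the reply to the client's ephemeral port is dropped by the outbound rule set, something a security group never needs a rule for.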
37.
Reasons for using network ACLs
• Allows for separation of duties
  • Different IAM actions mean that management of network ACLs can be handled separately from security group configuration
• Gives the ability to specify explicit deny rules
  • Allows you to blacklist specific IP addresses/ports
• Provides a mechanism to sever connection-tracked network flows
  • Immediately drop established connections when security group rules are changed*
* docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-network-security.html#security-group-connection-tracking
38.
Gotchas
• Security groups don’t implicitly allow east-west traffic
  • Instances within a security group can only talk to each other if explicitly allowed by relevant rule(s)
  • Note: the default security group has this exception!
• Rules that use security group references and/or private address ranges will only work for connections that target private IP addresses
  • Connections from within the VPC to public IP addresses will be rejected, because the source will appear to be from a public IP address
• When using network ACLs and Amazon Elastic Load Balancers (ELBs)
  • Allow health check traffic from the ELB subnets to the backend subnets
39.
What we have learned
Understand VPC traffic control
mechanisms and how to use them for
external AWS connectivity, private
connectivity to AWS services, or for
multi-VPC architectures
40.
What’s next to learn in this chapter
Understand VPC traffic control
mechanisms and how to use them for
external AWS connectivity, private
connectivity to AWS services, or for
multi-VPC architectures
42.
Securing internet connectivity—Inbound
[Diagram: VPC 10.0.0.0/16 in availability zone 1 of an AWS Region; app servers in subnets 10.0.0.0/24 and 10.0.1.0/24, each behind a NACL; router and internet gateway to the internet]
Custom route table:
Destination | Target
10.0.0.0/16 | local
0.0.0.0/0 | igw_id
Do I really need inbound internet traffic to my VPC?
Secure traffic by applying the VPC security controls discussed in the previous chapter
Best practices to secure your instances
45.
Securing internet connectivity - outbound
[Diagram: VPC 10.0.0.0/16 in availability zone 1 of an AWS Region; public subnet 10.0.0.0/24 with a NAT gateway (Elastic IP 198.51.100.4) and private subnet 10.0.1.0/24 with app servers, each behind a NACL; router and internet gateway to the internet]
Public subnet route table:
Destination | Target
10.0.0.0/16 | local
0.0.0.0/0 | igw_id
Private subnet route table:
Destination | Target
10.0.0.0/16 | local
0.0.0.0/0 | Nat_gateway_id
Do I really need outbound internet access from my VPC?
Do I really need outbound internet access from the instances in the private subnet?
Secure traffic by applying the VPC security controls discussed in the previous chapter
46.
Options for on-premises connectivity
Option | Use case | Internet connection required | Dedicated network connection | Traffic encryption
AWS Managed VPN | AWS managed IPsec VPN connection over the internet | YES | | YES
Software VPN | Software appliance-based VPN connection over the internet | YES | | YES
AWS Direct Connect | Dedicated network connection over private lines | | YES |
AWS Direct Connect plus software VPN | Software appliance-based VPN connection over private lines | | YES | YES
AWS Direct Connect plus managed VPN | AWS Managed IPsec VPN connection via DX public VIF | YES (DX public VIF) | YES | YES
47.
What we have learned
Understand VPC traffic control
mechanisms and how to use them for
external AWS connectivity, private
connectivity to AWS services, or for
multi-VPC architectures
48.
What’s next to learn
Understand VPC traffic control
mechanisms and how to use them for
external AWS connectivity, private
connectivity to AWS services, or for
multi-VPC architectures
49.
Private connectivity to AWS services
Use cases
• Scenarios where you have only DX/VPN connectivity to VPCs
• No egress from the VPC to public networks (and hence AWS API
endpoints)
Best practice:
• Reduces the attack surface by only allowing outbound traffic
initiated from the VPC
Supporting services
• VPC endpoints
50.
VPC endpoints
[Diagram: VPC in availability zone 1 of an AWS Region; public subnet 10.0.0.0/24 with a NAT gateway (Elastic IP 198.51.100.4) and an internet gateway; app servers in private subnet 10.0.1.0/24 reaching a service VPC over the internet]
53.
VPC endpoints
[Diagram: the same VPC, with app servers in private subnet 10.0.1.0/24 reaching the service VPC through a VPC gateway endpoint; no IGW, NGW, or public IP addresses required]
VPC gateway endpoints
• Private routed access to Amazon S3 and Amazon DynamoDB
• IAM-based access control
VPC interface endpoints (AWS PrivateLink)
• Private IP access to specific AWS service endpoints and customer endpoints
• Security group access controls
54.
Gateway endpoints—Access control
[Diagram: app servers in private subnet 10.0.1.0/24 reaching the service VPC through a VPC gateway endpoint]
Robust access control
• Route table association
• Resource policies (for Amazon S3 endpoints)
• VPC endpoint policies
• Prefix lists within security groups
Route table:
Destination | Target
10.0.1.0/16 | local
Prefix List for S3 us-west-2 | VPCE
55.
Gateway endpoints—VPC endpoint policies
• A VPC endpoint policy is an IAM resource policy that you attach to an endpoint when you create or modify the endpoint
• An endpoint policy does not replace IAM user policies or service-specific policies (such as S3 bucket policies)
• You cannot attach more than one policy to an endpoint
{
  "Statement": [
    {
      "Sid": "vpce-restrict-to-backup-bucket",
      "Principal": "*",
      "Action": [
        "s3:GetObject",
        "s3:PutObject"
      ],
      "Effect": "Allow",
      "Resource": ["arn:aws:s3:::backups-reinvent",
                   "arn:aws:s3:::backups-reinvent/*"]
    }
  ]
}
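The PARC structure from slide 19 and the endpoint policy above, as an added example that is not code from the deck: a small structural linter for IAM-style policy documents. It checks that each Statement carries Effect, Action and Resource, that no element outside the PARC set (plus Sid and Effect) has crept in (a typo such as "Principle" silently grants nothing), and it flags the grant a reviewer would question first, a wildcard action on all resources. The two policy documents are copied from the deck; the lint rules and their wording are this example's own, and the placeholder Condition from slide 19 is omitted because "condition"/"key"/"value" are not real condition keys.

```python
"""Added example (not from the NET318 deck): a structural linter for
IAM-style policy documents, applied to the two policies shown on slides
19 and 55. The checks and messages are this example's own."""
import json
from typing import Dict, List

# Elements a statement may contain: Sid, Effect and the PARC set with their Not* forms
ALLOWED_KEYS = {"Sid", "Effect", "Principal", "NotPrincipal", "Action", "NotAction",
                "Resource", "NotResource", "Condition"}


def _as_list(value) -> List[str]:
    return value if isinstance(value, list) else [value]


def lint_policy(policy: Dict) -> List[str]:
    """Return a list of findings; an empty list means the policy passed."""
    findings = []
    statements = policy.get("Statement")
    if not isinstance(statements, list) or not statements:
        return ["policy has no Statement list"]
    for i, stmt in enumerate(statements):
        where = stmt.get("Sid", f"statement[{i}]")
        for key in stmt:
            if key not in ALLOWED_KEYS:
                findings.append(f"{where}: unexpected element {key}")
        if stmt.get("Effect") not in ("Allow", "Deny"):
            findings.append(f"{where}: Effect must be Allow or Deny")
        if "Action" not in stmt and "NotAction" not in stmt:
            findings.append(f"{where}: missing Action")
        if "Resource" not in stmt and "NotResource" not in stmt:
            findings.append(f"{where}: missing Resource")
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        wildcard_action = any(a == "*" or a.endswith(":*") for a in actions)
        if wildcard_action and "*" in resources:
            findings.append(f"{where}: allows {actions} on all resources")
    return findings


# Slide 19's skeleton policy (placeholder Condition omitted)
SLIDE_19_POLICY = {
    "Statement": [{
        "Effect": "Allow",
        "Principal": "*",
        "Action": "ec2:*",
        "Resource": "*",
    }]
}

# Slide 55's S3 gateway endpoint policy
ENDPOINT_POLICY = json.loads("""
{
  "Statement": [
    {
      "Sid": "vpce-restrict-to-backup-bucket",
      "Principal": "*",
      "Action": ["s3:GetObject", "s3:PutObject"],
      "Effect": "Allow",
      "Resource": ["arn:aws:s3:::backups-reinvent",
                   "arn:aws:s3:::backups-reinvent/*"]
    }
  ]
}
""")

if __name__ == "__main__":
    for name, doc in (("slide 19", SLIDE_19_POLICY), ("slide 55", ENDPOINT_POLICY)):
        print(name, lint_policy(doc) or "ok")
```

Run against the deck's two documents, the endpoint policy passes and the slide 19 skeleton is flagged for granting ec2:* on every resource, which is exactly the least-privilege point of the control-plane chapter.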
56.
Gateway endpoints—Prefix list & security groups
• Logical route destination target
• Amazon S3 prefix lists abstract changes to S3 IP ranges
• Can be used in security group rules
aws ec2 describe-prefix-lists
PREFIXLISTS pl-68a54001 com.amazonaws.us-west-2.s3
CIDRS 54.231.160.0/19
CIDRS 52.218.128.0/18
57.
VPC traffic control mechanisms
Private connectivity to AWS services
VPC gateway endpoints
Let’s take a break—Hands-on time!
58.
59.
Hands-on 3:
Configure (and test) the S3 gateway
endpoint in the app VPC to allow instances
to read data from the S3 logging bucket
61.
[Diagram: hands-on 3 architecture. WEB-VPC: subnets PUB-A, PUB-B, VPCE-A, VPCE-B across AZ-A and AZ-B; web instances WEB-A, WEB-B; internet gateway; public route table; main route table; S3 gateway endpoint with endpoint policy; AWS interface endpoints. APP-VPC: subnets PRI-A, PRI-B, VPCE-A, VPCE-B; app instances APP-A, APP-B; main route table; S3 gateway endpoint with endpoint policy; AWS interface endpoints. Also in the Region: S3 logging bucket, SecurityUser role and SecurityUser policy, WEB-VPC flow logs, APP-VPC flow logs]
Lab guide: http://bit.ly/net318workshop/
62.
VPC traffic control mechanisms
Private connectivity to AWS services
VPC gateway endpoints
VPC interface endpoints
63.
VPC interface endpoints (AWS PrivateLink)—Access control
[Diagram: VPC in availability zone 1 of an AWS Region, public subnet 10.0.0.0/24 with a NAT gateway and private subnet 10.0.1.0/24 with app servers, alongside a service VPC]
Interface endpoints are created directly inside your VPC
• using elastic network interfaces (ENIs)—one per AZ
• IP addresses in your VPC’s subnets
• Accessible via DX, VPN, and inter-region peering
Support for private DNS names
Amazon VPC security groups
64.
VPC interface endpoints (AWS PrivateLink)
Currently supported services
• Specific AWS services (list here: https://docs.aws.amazon.com/vpc/latest/userguide/vpce-interface.html)
• Endpoint services hosted by other AWS accounts
• Supported AWS Marketplace partner services
65.
Let’s take a break—Hands-on time!
VPC traffic control mechanisms
Private connectivity to AWS services
VPC gateway endpoints
VPC interface endpoints
66.
67.
Hands-on 4:
Establish private connectivity to push
custom metric data from EC2 instances
into Amazon CloudWatch
69.
[Diagram: hands-on 4 architecture. WEB-VPC: subnets PUB-A, PUB-B, VPCE-A, VPCE-B across AZ-A and AZ-B; web instances WEB-A, WEB-B; internet gateway; public route table; main route table; S3 gateway endpoint with endpoint policy; AWS interface endpoints. APP-VPC: subnets PRI-A, PRI-B, VPCE-A, VPCE-B; app instances APP-A, APP-B; main route table; S3 gateway endpoint with endpoint policy; AWS interface endpoints in VPCE-A and VPCE-B. Also in the Region: S3 logging bucket, SecurityUser role and SecurityUser policy, WEB-VPC flow logs, APP-VPC flow logs]
Lab guide: http://bit.ly/net318workshop/
70.
What we have learned
Understand VPC traffic control
mechanisms and how to use them for
external AWS connectivity, private
connectivity to AWS services, or for
multi-VPC architectures
71.
What’s next to learn
Understand VPC traffic control
mechanisms and how to use them for
external AWS connectivity, private
connectivity to AWS services, or for
multi-VPC architectures
72.
Multi-VPC architecture
Use cases
• Peering two or more VPCs to provide access to resources
• Peering to one VPC to access centralized resources
Best practice
• Minimize blast radius for users and networks
Supporting services
• VPC peering
• AWS PrivateLink for customer and partner services
73.
VPC peering
[Diagram: a VPC (public subnet 10.0.0.0/24 with NAT gateway, private subnet 10.0.1.0/24 with app servers) connected to a service VPC by a peering connection]
• Networking connection between two VPCs
• Peering connection can be made between
  • Your own VPCs, and/or…
  • …VPCs in another AWS account and/or…
  • …VPCs in another region
• Uses the underlying Amazon VPC infrastructure
  • Doesn’t create a bottleneck
  • No single point of failure
74.
AWS PrivateLink for customer and partner services
[Diagram: service consumer VPC with instances in private subnet 10.0.1.0/24 and a VPC endpoint network interface (private IPs 10.0.1.5 and 10.0.1.10), connected to a service provider VPC with instances in private subnet 10.0.2.0/24]
• Great for vending SaaS services securely
• Tenancy:
  • Single-tenant mode: create a PrivateLink NLB for every client/customer
  • Multi-tenant mode: allow many customers to use the same PrivateLink NLB
• Endpoints have regional and zonal DNS names
75.
AWS PrivateLink—Good to know
How do we tell endpoint traffic and different VPCs apart? Three options:
1. Use traditional accounts/passwords/security tokens at application level
2. Use separate NLBs and different listener ports on the targets
3. Enable the ProxyProtocolV2 preamble
Supports traffic in one direction only
Supports TCP, not UDP
76.
VPC peering vs AWS PrivateLink
Use case | VPC peering | AWS PrivateLink
Private connection between two VPCs | YES | YES
Source IP identification | YES | NO
Provide an endpoint service to another VPC | NO | YES
Supports overlapping CIDR ranges | NO | YES
Bidirectional traffic | YES | NO
UDP support | YES | NO
Connectivity from DX/VPN | NO | YES
77.
VPC traffic control mechanisms
Multi-VPC architectures
AWS PrivateLink
Let’s take a break—Hands-on time!
78.
79.
Hands-on 5:
Pass traffic directed to the /service/ URL
from the front-end load balancer
privately to the back-end load balancer
81.
[Diagram: hands-on 5 architecture. WEB-VPC: subnets PUB-A, PUB-B, VPCE-A, VPCE-B across AZ-A and AZ-B; web instances WEB-A, WEB-B; internet gateway; public route table; main route table; S3 gateway endpoint with endpoint policy; AWS interface endpoints. APP-VPC: subnets PRI-A, PRI-B, VPCE-A, VPCE-B; app instances APP-A, APP-B; main route table; S3 gateway endpoint with endpoint policy; AWS interface endpoints. Also in the Region: S3 logging bucket, SecurityUser role and SecurityUser policy, WEB-VPC flow logs, APP-VPC flow logs]
Lab guide: http://bit.ly/net318workshop/
82.
83.
Objective of this chapter
Learn about the VPC-related monitoring
tools and how to use them to detect and
remediate security breaches
84.
What is the role of VPC monitoring?
• Monitoring IP traffic flows
• Detecting malicious or unauthorised behaviour
• Triggering automated remediation
[Icons: VPC flow logs, CloudWatch Events]
85.
Objective of this chapter
Learn about the VPC-related monitoring
tools and how to use them to detect and
remediate security breaches
86.
Services and tools for VPC monitoring
[Diagram: monitoring services grouped by account, resources and network; VPC flow logs at the network layer]
90.
VPC flow logs
[Diagram: VPC in availability zone 1 with public subnet 10.0.0.0/24 (web servers, NAT gateway) and private subnet 10.0.1.0/24 (app servers); VPC flow logs capture traffic at each ENI]
Capture information about the IP traffic going to and from network interfaces in your VPC
Use cases
• Diagnose overly restrictive security controls
• Monitor the traffic reaching your instances
• Identify trends and create alarms in response to specific types of traffic
91.
VPC flow logs format
92.
VPC flow logs—Good to know
• If traffic is sent to a secondary IP address on an ENI, the flow log
displays the primary IPv4 address in the destination IP address field
• Flow log API actions don’t support resource-level permissions
• Not all traffic is captured:
• Traffic sent to the Amazon DNS Server
• Traffic sent to the Windows License Activation server
• Traffic sent to the 169.254.169.254 metadata server
• DHCP request and response traffic
• Traffic to the reserved IP address for the default VPC router
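The flow log format and use cases above, together with the S3 prefix list from slide 56, as an added example that is not code from the deck: a parser for the default (version 2) flow log record layout and two checks built on it. The first lists sources whose traffic was REJECTed on several distinct destination ports, the kind of pattern the "create alarms in response to specific types of traffic" use case keys on; the second attributes accepted bytes per ENI to destinations inside the S3 prefix list, which is how you confirm S3 traffic is leaving through the gateway endpoint. The field order is the documented default format and the prefix-list CIDRs are the ones on slide 56; the log lines, account id and interface id are constructed.

```python
"""Added example (not from the NET318 deck): a parser for the default VPC
flow log record format plus two checks: a per-source REJECT port count and
attribution of accepted bytes to the S3 prefix list shown on slide 56.
The sample log lines, account id and ENI id are constructed."""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

# Field order of the default flow log format (version 2)
FIELDS = ("version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes",
          "start", "end", "action", "log_status")

# CIDRs shown for pl-68a54001 (com.amazonaws.us-west-2.s3) on slide 56
S3_PREFIX_LIST_CIDRS = ["54.231.160.0/19", "52.218.128.0/18"]


@dataclass(frozen=True)
class FlowRecord:
    interface_id: str
    srcaddr: str
    dstaddr: str
    srcport: int
    dstport: int
    protocol: int       # IANA protocol number (6 = TCP)
    packets: int
    byte_count: int
    action: str         # "ACCEPT" or "REJECT"


def parse_flow_log(line: str) -> Optional[FlowRecord]:
    """Return a FlowRecord, or None for NODATA/SKIPDATA records, whose
    address fields are '-' and carry nothing to analyse."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}")
    rec = dict(zip(FIELDS, parts))
    if rec["log_status"] != "OK" or rec["srcaddr"] == "-":
        return None
    return FlowRecord(rec["interface_id"], rec["srcaddr"], rec["dstaddr"],
                      int(rec["srcport"]), int(rec["dstport"]), int(rec["protocol"]),
                      int(rec["packets"]), int(rec["bytes"]), rec["action"])


def in_prefix_list(addr: str, cidrs: List[str]) -> bool:
    ip = ip_address(addr)
    return any(ip in ip_network(c) for c in cidrs)


def reject_scan_sources(records: List[FlowRecord], min_ports: int = 3) -> Dict[str, List[int]]:
    """Sources whose traffic was REJECTed on at least `min_ports` distinct
    destination ports, the pattern an alarm on rejected flows would key on."""
    ports = defaultdict(set)
    for r in records:
        if r.action == "REJECT":
            ports[r.srcaddr].add(r.dstport)
    return {src: sorted(p) for src, p in ports.items() if len(p) >= min_ports}


def s3_bytes_by_interface(records: List[FlowRecord]) -> Dict[str, int]:
    """Accepted bytes from each ENI to addresses inside the S3 prefix list."""
    totals = defaultdict(int)
    for r in records:
        if r.action == "ACCEPT" and in_prefix_list(r.dstaddr, S3_PREFIX_LIST_CIDRS):
            totals[r.interface_id] += r.byte_count
    return dict(totals)


def analyse(lines: List[str]) -> Dict:
    records = [r for r in map(parse_flow_log, lines) if r is not None]
    return {
        "records": len(records),
        "reject_scanners": reject_scan_sources(records),
        "s3_bytes": s3_bytes_by_interface(records),
    }


# Constructed sample records (placeholder account id and ENI id)
SAMPLE_LINES = [
    "2 123456789012 eni-0a1b2c3d 203.0.113.7 10.0.1.10 51000 443 6 10 4000 1543300000 1543300060 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d 198.51.100.9 10.0.1.10 40001 22 6 1 60 1543300000 1543300060 REJECT OK",
    "2 123456789012 eni-0a1b2c3d 198.51.100.9 10.0.1.10 40002 23 6 1 60 1543300000 1543300060 REJECT OK",
    "2 123456789012 eni-0a1b2c3d 198.51.100.9 10.0.1.10 40003 3389 6 1 60 1543300000 1543300060 REJECT OK",
    "2 123456789012 eni-0a1b2c3d 198.51.100.9 10.0.1.10 40004 445 6 1 60 1543300000 1543300060 REJECT OK",
    "2 123456789012 eni-0a1b2c3d 10.0.1.10 54.231.170.5 49000 443 6 8 3200 1543300000 1543300060 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d 10.0.1.10 52.218.150.3 49001 443 6 5 1800 1543300000 1543300060 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d - - - - - - - 1543300000 1543300060 - NODATA",
]

if __name__ == "__main__":
    print(analyse(SAMPLE_LINES))
```

Records with log-status NODATA or SKIPDATA are dropped before analysis; in production the same parser runs over the CloudWatch Logs stream the flow log delivers to, and the reject threshold becomes the alarm condition.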
93.
Amazon GuardDuty
Intelligent continuous security monitoring and threat detection, fully managed, integrated threat intelligence, anomaly detection, and machine learning service
[Diagram: VPC flow logs and DNS logs feed threat intel, ML/AI and anomaly detection; findings rated HIGH, MEDIUM or LOW for reconnaissance, instance compromise and account compromise go to a SIEM and/or a response process]
94.
Amazon GuardDuty threat detection type details
Reconnaissance
• Instance recon:
  • Port probe/accepted comm
  • Port scan (intra-VPC)
  • Brute force attack (IP)
  • Drop point (IP)
  • Tor communications
• Account recon:
  • Tor API call (failed)
Instance compromise
• C&C activity
• Malicious domain request
• EC2 on threat list
• Drop point IP
• Malicious comms (ASIS)
• Bitcoin mining
• Outbound DDoS
• Spambot activity
• Outbound SSH brute force
• Unusual network port
• Unusual traffic volume/direction
• Unusual DNS requests
• Domain generated algorithms
Account compromise
• Malicious API call (bad IP)
• Tor API call (accepted)
• CloudTrail disabled
• Password policy change
• Instance launch unusual
• Region activity unusual
• Suspicious console login
• Unusual ISP caller
• Mutating API calls (create, update, delete)
• High volume of describe calls
• Unusual IAM user added
*Signature-based stateless findings *Behavioral stateful findings and anomaly detections (ML driven)
95.
Amazon GuardDuty—Good to know
• You don’t need to have any logging turned on in the account in order for GuardDuty to process any of the log types.
• Currently, customers do not have direct access to the DNS logs, and so GuardDuty is, in effect, their only means of monitoring these logs.
• All the logging is done on the back end, as GuardDuty gets the logs directly from the relevant services. So there is no need for architecture changes, no agents, and no account performance impact.
96.
Amazon CloudWatch—Good to know
• CloudWatch offers a range of capabilities
• Metrics
• Dashboards
• Logs
• Events
• Alarms
• CloudWatch Logs provides a range of benefits
• A useful aggregation point for log data
• The ability to push data into other services
• Integration with third-party services
97.
What we have learned
Learn about the VPC-related monitoring
tools and how to use them to detect and
remediate security breaches
98.
What’s next to learn
Learn about the VPC-related monitoring
tools and how to use them to detect and
remediate security breaches
99.
Automated remediation—VPC security breaches
• Apply controls that can help restore the environment to the “desired”
state based on information from detective controls
• Respond with no (or limited) human interaction to security breaches
• Provide a “failsafe” capability when preventive controls fail or are
compromised
Supporting services
• CloudWatch Events
• Custom Config rules
• AWS Lambda
100.
CloudWatch Events concepts—Good to know
• Driven by API activity
• Concepts:
• Event—indicates a change in your AWS environment
• Target—processes events
• Rule—matches incoming events and routes them to targets for
processing
• The Amazon CloudWatch Events event bus allows CloudWatch Events to be
centralized within or between organizations
101.
Automatic remediation within a VPC (diagram): Detect, Report, Remediate. Components: VPC flow logs, CloudWatch Events, Lambda function.
102.
103.
Show & Tell
Maintain the security of the application
VPC by removing any internet gateway
that might get attached
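The event-based rule and Lambda function from the Show & Tell above, as an added example that is not the workshop's lab code: a CloudWatch Events rule pattern matching the CloudTrail AttachInternetGateway call, and a Python handler that detaches the gateway again when the call targeted the protected APP-VPC. The VPC and gateway ids, the sample event and the RecordingEc2 stub are constructed placeholders; in a real account the handler calls boto3's EC2 detach_internet_gateway.

```python
try:
    import boto3  # present in the Lambda runtime; optional so the logic also runs offline
except ImportError:
    boto3 = None

PROTECTED_VPC_ID = "vpc-0123456789abcdef0"  # placeholder for the APP-VPC id

# Event pattern for the CloudWatch Events rule that routes this API call to the Lambda target
RULE_PATTERN = {
    "source": ["aws.ec2"],
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {"eventSource": ["ec2.amazonaws.com"], "eventName": ["AttachInternetGateway"]},
}

def extract_attachment(event, protected_vpc_id=PROTECTED_VPC_ID):
    """(igw_id, vpc_id) for a successful AttachInternetGateway on the protected VPC, else None."""
    detail = event.get("detail", {})
    if detail.get("eventName") != "AttachInternetGateway" or detail.get("errorCode"):
        return None  # not the call we care about, or it failed and nothing was attached
    params = detail.get("requestParameters", {})
    igw_id, vpc_id = params.get("internetGatewayId"), params.get("vpcId")
    return (igw_id, vpc_id) if igw_id and vpc_id == protected_vpc_id else None

def remediate(event, ec2, protected_vpc_id=PROTECTED_VPC_ID):
    """Detach the gateway through the given EC2 client; the returned dict feeds the Report step."""
    match = extract_attachment(event, protected_vpc_id)
    if match is None:
        return {"action": "ignored"}
    igw_id, vpc_id = match
    ec2.detach_internet_gateway(InternetGatewayId=igw_id, VpcId=vpc_id)
    actor = event["detail"].get("userIdentity", {}).get("arn", "unknown")
    return {"action": "detached", "igw": igw_id, "vpc": vpc_id, "attached_by": actor}

def lambda_handler(event, context):
    return remediate(event, boto3.client("ec2"))

class RecordingEc2:
    """Offline stand-in for the boto3 EC2 client: records detach calls instead of making them."""
    def __init__(self):
        self.calls = []
    def detach_internet_gateway(self, **kwargs):
        self.calls.append(kwargs)

SAMPLE_EVENT = {  # constructed CloudTrail-sourced CloudWatch Events payload
    "source": "aws.ec2", "detail-type": "AWS API Call via CloudTrail",
    "detail": {"eventSource": "ec2.amazonaws.com", "eventName": "AttachInternetGateway",
               "userIdentity": {"arn": "arn:aws:iam::111122223333:user/example"},
               "requestParameters": {"internetGatewayId": "igw-0abc", "vpcId": PROTECTED_VPC_ID}},
}
```

Attachments to any other VPC, and calls that CloudTrail records with an errorCode, are ignored so the function never detaches a gateway that was never attached.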
105.
Show & Tell architecture (diagram): two VPCs in one Region, each spanning AZ-A and AZ-B.
• WEB-VPC: public subnets PUB-A and PUB-B with web instances (WEB-A, WEB-B), an internet gateway, a public route table and a main route table, an S3 gateway endpoint with an endpoint policy, and AWS interface endpoints (VPCE-A, VPCE-B)
• APP-VPC: private subnets PRI-A and PRI-B with app instances (APP-A, APP-B), a main route table, an S3 gateway endpoint with an endpoint policy, and AWS interface endpoints (VPCE-A, VPCE-B); an internet gateway that gets attached triggers an event-based rule whose action is “Detach gateway”
• Shared: an S3 logging bucket receiving the WEB-VPC flow logs and APP-VPC flow logs; the SecurityUser policy and SecurityUser role
Lab guide: http://bit.ly/net318workshop/
106.
107.
What we’ve covered today
• VPC security basics
• Controlling VPC traffic flows: External AWS traffic
• VPC private connectivity: Gateway endpoints, Interface endpoints, PrivateLink
• Securing the Amazon VPC control plane: Securing VPC config, Track/audit changes, Least privileged access/VPC Flow logs
• VPC monitoring & automated remediation: Monitoring tools, Automated remediation, Show&tell
108.
Finally …
• Don’t forget to delete the CloudFormation stack and any resources you
have created today
• http://bit.ly/net318cleanup/
• Complete the evaluation form (NET318) so we can improve this
workshop next year
• Enjoy the rest of the week!
109. Thank you!
Corina Motoi
Solutions Architect
AWS UK Public Sector
Matt Johnson
Manager, Solutions
Architecture
AWS UK Public Sector
110.