2. AWS Government, Education, and Nonprofit Symposium
Washington, DC | June 25-26, 2015
New capabilities for Amazon VPC
• VPC endpoints
– Generic capability
– First VPCE available is for S3
• VPC Flow Logs
– Netflow-like data from elastic network interfaces
3. Problem statement
• AWS “abstracted services”[1] generally have service endpoints on the public address side of an AWS region
• How best to reach those endpoints from inside your VPC?
[1] “AWS Security Best Practices” whitepaper, Nov 2013, p. 7
4. Reaching public endpoints
Public IPs and IGW
Pros
• Highly available
• Horizontally scalable
• Can restrict dest. ports/CIDRs
Cons
• Public IPs; security controls are limited
• Can reach entire S3 service
NAT/PAT server(s)
Pros
• Central control
• All protocols
Cons
• Availability risks
• Scaling hard, limited
• Lots of work to manage
• Security limitations similar to use of IGW
Proxy server(s)
Pros
• Central control
• Can scale fairly well
• Many security options
Cons
• Availability risks
• Lots of work to manage and scale
• Works only with HTTP/S
5. VPC endpoints to the rescue
• No need for public IP addresses, NAT/PAT, or proxies
• Highly available; no SPOF
• Practically infinite horizontal scalability
• Rich security controls
6. Rich security controls
• New route entry
– As many endpoints per VPC as you like, but maximum one assigned route per subnet
• New logical destination address for security group outbound traffic rules
– Thus, instance-level control through security groups
7. Rich security controls (cont.)
• Policies on VPC endpoints
– Logically, resource policies (not IAM policies)
– Constrain principals, actions, destination buckets, paths within buckets
• S3 bucket policies
– Constrain source VPCs, VPC endpoints, both
• All policies ANDed together (IAM, VPC endpoints, S3)
8. VPC endpoint policy example
{
  "Statement": [
    {
      "Sid": "Access-to-specific-bucket-only",
      "Principal": "*",
      "Action": [
        "s3:GetObject",
        "s3:PutObject"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::my_secure_bucket",
        "arn:aws:s3:::my_secure_bucket/*"
      ]
    }
  ]
}
9. S3 bucket policy example #1
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Access-to-specific-VPCE-only",
      "Principal": "*",
      "Action": "s3:*",
      "Effect": "Deny",
      "Resource": [
        "arn:aws:s3:::my_secure_bucket",
        "arn:aws:s3:::my_secure_bucket/*"
      ],
      "Condition": {
        "StringNotEquals": {
          "aws:sourceVpce": "vpce-1a2b3c4d"
        }
      }
    }
  ]
}
10. S3 bucket policy example #2
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Access-to-specific-VPC-only",
      "Principal": "*",
      "Action": "s3:*",
      "Effect": "Deny",
      "Resource": [
        "arn:aws:s3:::my_secure_bucket",
        "arn:aws:s3:::my_secure_bucket/*"
      ],
      "Condition": {
        "StringNotEquals": {
          "aws:sourceVpc": "vpc-111bbb22"
        }
      }
    }
  ]
}
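To see why bucket policy examples #1 and #2 work as a gate rather than just a filter, the following added example (not part of the deck, and not AWS's evaluation engine) evaluates the slide's Deny statement against a request context. It implements only the subset the policy uses (Effect Deny, action/resource wildcards, StringEquals/StringNotEquals) and assumes Principal "*", so the principal is not checked; example #2 behaves identically with aws:sourceVpc and a VPC ID.

```python
"""Evaluate the deck's S3 bucket policy Deny statement against a request context.
Added example, not AWS's evaluation engine. Note that a missing context key makes
StringNotEquals match, so a request not arriving via any VPC endpoint is denied."""
import fnmatch
import json

BUCKET_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "Access-to-specific-VPCE-only",
    "Principal": "*",
    "Action": "s3:*",
    "Effect": "Deny",
    "Resource": ["arn:aws:s3:::my_secure_bucket", "arn:aws:s3:::my_secure_bucket/*"],
    "Condition": {"StringNotEquals": {"aws:sourceVpce": "vpce-1a2b3c4d"}}
  }]
}""")

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _condition_matches(condition: dict, context: dict) -> bool:
    # Every (operator, key) pair in the Condition block must be satisfied.
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if operator == "StringEquals":
                if actual is None or actual not in _as_list(expected):
                    return False
            elif operator == "StringNotEquals":
                # Absent key counts as "not equal": the Deny applies.
                if actual is not None and actual in _as_list(expected):
                    return False
            else:
                raise NotImplementedError(operator)
    return True

def is_explicitly_denied(policy: dict, action: str, resource: str, context: dict) -> bool:
    """True if any Deny statement matches (Principal "*" assumed). An explicit
    Deny overrides any Allow granted by the IAM or VPC endpoint policies."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        if _condition_matches(stmt.get("Condition", {}), context):
            return True
    return False
```

A request carrying aws:sourceVpce = vpce-1a2b3c4d passes the Deny; one from another endpoint, or one with no aws:sourceVpce key at all (traffic through an IGW, NAT or proxy), is denied.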
11. VPC Flow Logs
• Longstanding ask: greater visibility into VPC network behavior
– Specifically, what about those security group and network ACL DENY cases?
• VPC Flow Logs provide the answer
12. VPC Flow Logs (cont.)
• Enabled at the ENI, subnet, or VPC level
• Traffic data surfaced as “flow log records” per ENI
• Exposed as CloudWatch Logs groups and streams
• Data accumulated and published to CW Logs at ~10 minute intervals
• Normal CloudWatch Logs groups/streams with all related features
– For example, new CloudWatch Logs -> Amazon Kinesis stream integration
13. Flow Log record (text, space-delimited)
Field: Description
version: The VPC Flow Logs version.
account-id: The AWS account ID for the Flow Log.
interface-id: The ID of the network interface for which the log stream applies.
srcaddr: The source IP address. The IP address of the network interface is always its private IP address.
dstaddr: The destination IP address. The IP address of the network interface is always its private IP address.
srcport: The source port of the traffic.
dstport: The destination port of the traffic.
protocol: The IANA protocol number of the traffic. For more information, go to Assigned Internet Protocol Numbers.
packets: The number of packets transferred during the capture window.
bytes: The number of bytes transferred during the capture window.
start: The time, in Unix seconds, of the start of the capture window.
end: The time, in Unix seconds, of the end of the capture window.
action: The action associated with the traffic:
– ACCEPT: The recorded traffic was permitted by the security groups or network ACLs.
– REJECT: The recorded traffic was not permitted by the security groups or network ACLs.
log-status: The logging status of the flow log:
– OK: Data is logging normally to CloudWatch Logs.
– NODATA: There was no network traffic to or from the network interface during the capture window.
– SKIPDATA: Some flow log records were skipped during the capture window.
14. Example records
RDP traffic denied:
2 123456789010 eni-abc123de 172.168.1.12 172.168.1.11 49761 3389 6 1 231 1439530000 1439530060 REJECT OK
SSH traffic allowed:
2 123456789010 eni-abc123de 172.168.1.12 172.168.1.11 20641 22 6 20 4249 1438530010 1438530070 ACCEPT OK
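As an added example (not from the deck), the parser below splits records into the 14 fields listed on the previous slide and counts REJECTed flows per source address and destination port, the SG/ACL DENY visibility the slides describe. The sample log is constructed: the deck's two records plus a NODATA record and a second rejected RDP attempt, showing that NODATA/SKIPDATA records carry "-" in the traffic fields and must be skipped rather than parsed as traffic.

```python
"""VPC Flow Log (version 2) parser and REJECT summary.
Added example for this deck, not AWS code; field order follows the slide's
table. NODATA/SKIPDATA records carry "-" in the traffic fields."""
from collections import Counter

FIELDS = ("version", "account-id", "interface-id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes",
          "start", "end", "action", "log-status")
INT_FIELDS = {"version", "srcport", "dstport", "protocol", "packets",
              "bytes", "start", "end"}

def parse_record(line: str) -> dict:
    """Split one space-delimited record into a dict; "-" becomes None."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}")
    rec = {}
    for name, value in zip(FIELDS, parts):
        if value == "-":
            rec[name] = None
        else:
            rec[name] = int(value) if name in INT_FIELDS else value
    return rec

def rejected_flows(lines, min_attempts=1):
    """Count REJECTed flows per (srcaddr, dstport) over OK records only.
    Returns (counts dict, number of NODATA/SKIPDATA records skipped)."""
    counts, skipped = Counter(), 0
    for line in filter(str.strip, lines):
        rec = parse_record(line)
        if rec["log-status"] != "OK":
            skipped += 1  # no usable traffic data in this capture window
            continue
        if rec["action"] == "REJECT":
            counts[(rec["srcaddr"], rec["dstport"])] += 1
    return {k: v for k, v in counts.items() if v >= min_attempts}, skipped

# Constructed sample: the deck's two records, a NODATA record, and a second
# rejected RDP attempt invented to show repeated-attempt counting.
SAMPLE_LOG = """\
2 123456789010 eni-abc123de 172.168.1.12 172.168.1.11 49761 3389 6 1 231 1439530000 1439530060 REJECT OK
2 123456789010 eni-abc123de 172.168.1.12 172.168.1.11 20641 22 6 20 4249 1438530010 1438530070 ACCEPT OK
2 123456789010 eni-abc123de - - - - - - - 1439530060 1439530120 - NODATA
2 123456789010 eni-abc123de 172.168.1.12 172.168.1.11 49762 3389 6 1 231 1439530060 1439530120 REJECT OK
"""

hits, skipped = rejected_flows(SAMPLE_LOG.splitlines(), min_attempts=2)
for (src, port), n in hits.items():
    print(f"{src} -> port {port}: {n} rejected flows ({skipped} record(s) skipped)")
```

The same function can be pointed at records pulled from the CloudWatch Logs stream; raising min_attempts turns it into a simple repeated-denied-connection alert.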
15. VPC networking
• Continually advancing the state of the art
• Focused on improving control and visibility
• Integration with third-party monitoring and management tools
• Key element of AWS's increasingly powerful security suite
16. Thank You.
This presentation will be loaded to SlideShare the week following the Symposium.
http://www.slideshare.net/AmazonWebServices
Editor's notes
Programmable infrastructure allows IT governance to advance from a fully manual people/process mode to an increasingly automated and software-driven mode. In this session, we will examine how the AWS cloud enables advances and best practices in governance and compliance based on APIs and automation.