© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Security Framework Shakedown
Chart Your Journey with AWS Best Practices
Objectives
• Define a security strategy, deliver a security program and develop robust security operations on AWS
• Explain AWS security best practices
• Implement AWS security services at an accelerated pace
• Get some code!
Agenda
• NAB Cloud security journey
• Cloud adoption framework security perspective
• AWS well-architected framework security pillar
National Australia Bank
Our vision: To be Australia's leading bank, trusted by customers for exceptional service
• One of Australia's four major banks and largest business bank
• More than 30,000 employees and 9 million customers across 900 locations
Our cloud security strategy
Objectives
• Extend our existing security services to the cloud
• Integrated and secure by default
• Continuous security governance
Insights
• We had to change our approach
• Scale with automation and decentralization
• Security complements agile
Foundations of continuous compliance
Diagram labels: Baseline Compliance Portfolio; AWS Service Compliance Portfolio (API Gateway, Amazon RDS, Amazon EBS); Application Compliance Portfolio (Service A, Service B; Prod Account, Non-Prod Account); Application Security Assessment; AWS Service Control Review; Security Posture
AWS cloud adoption framework
CAF security perspective
Security Perspective: Directive, Preventative, Detective, Responsive
Core five epics
AWS shared responsibility model
Define a strategy
Identify stakeholders
Identify your workloads moving to AWS
Deliver a security program
Rationalize security requirements
Define data protections and controls
Document security architecture
Security cartography
CAF best practices
Inventory current security requirements
Adopt a security framework
Identify workload security controls
Map current security controls to cloud controls
Create a security RACI
Create a risk register
Robust security operations
Deploy architecture
Automation
Continuous monitoring
Testing and game days
Sample security epics journey
Timeline: Week 1, Week 2, Week 3, Week 4, Week 5
Epics: Identity & Access Mgmt, Detective Control, Infrastructure Security, Data Protection, Incident Response
What is the AWS Well-Architected Framework?
Pillars, Design Principles, Questions
Pillars of AWS Well-Architected
Security, Reliability, Performance Efficiency, Cost Optimization, Operational Excellence
A mechanism for your cloud journey
Learn, Measure, Improve
Security design principles
• Implement a strong identity foundation
• Enable traceability
• Apply security at all layers
• Automate security best practices
• Protect data in transit and at rest
• Keep people away from data
• Prepare for security events
Top best practices: Strong identity foundation
Root account should never be used
Consider AWS Organizations
Set account security questions & contacts
Centralize identities
Audit periodically
Top best practices: Strong identity foundation
Never store credentials or secrets in code
Enforce MFA on everything
Use IAM roles for users and services
Establish least-privilege policies
Use temporary credentials
How to: Enforce MFA
A user can only assume the role when the request carries an MFA token
Diagram labels: User, MFA token, Role, Permissions, AWS Cloud
Lab: http://bit.ly/AWSWALabs
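The MFA-gated role assumption on this slide, as an added example that is not part of the deck or of the linked lab: a constructed trust policy that uses the aws:MultiFactorAuthPresent condition, a deliberately weak BoolIfExists variant, and an audit function that flags trust policies allowing sts:AssumeRole without MFA. The account id, policy contents and function names are assumptions.

```python
import json

ACCOUNT_ID = "111122223333"  # placeholder account id (constructed, not from the deck)

# Constructed trust policy: the role can only be assumed when the caller signed in
# with MFA. aws:MultiFactorAuthPresent is absent from requests made with long-term
# access keys, and a plain Bool test on an absent key evaluates to false.
MFA_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT_ID}:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}},
    }],
}

# Constructed weak variant: BoolIfExists treats a missing key as a match, so a
# caller using access keys (no MFA in the request context) can still assume it.
WEAK_TRUST_POLICY = json.loads(json.dumps(MFA_TRUST_POLICY))
WEAK_TRUST_POLICY["Statement"][0]["Condition"] = {
    "BoolIfExists": {"aws:MultiFactorAuthPresent": "true"}}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def requires_mfa(statement):
    """True only for the strict form: Bool aws:MultiFactorAuthPresent == true."""
    bool_block = statement.get("Condition", {}).get("Bool", {})
    for key, val in bool_block.items():
        if key.lower() == "aws:multifactorauthpresent":
            return str(val).lower() == "true"
    return False

def assume_role_without_mfa_allowed(trust_policy):
    """Audit check: does any Allow statement grant sts:AssumeRole without MFA?"""
    for st in _as_list(trust_policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        actions = {a.lower() for a in _as_list(st.get("Action", []))}
        if not actions & {"sts:assumerole", "sts:*", "*"}:
            continue
        if not requires_mfa(st):
            return True
    return False

if __name__ == "__main__":
    for name, pol in (("strict", MFA_TRUST_POLICY), ("weak", WEAK_TRUST_POLICY)):
        print(name, "allows AssumeRole without MFA:", assume_role_without_mfa_allowed(pol))
```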
Top best practices: Enable traceability
Consider Amazon GuardDuty
Configure application & infrastructure logging
Centralize using a SIEM
Proactively monitor
Regular reviews of news & best practices
How to: Enable traceability
Use AWS CloudFormation!
Top best practices: Network protection
Amazon CloudFront + AWS WAF
Amazon VPC and security groups
Private connectivity - VPC peering, VPN, AWS Direct Connect
Service endpoints
Enforce service-level permissions
How to: Network protection
Diagram labels: Users, www.example.com, Region, VPC, Instances, Bucket
WAF Automation: https://amzn.to/2PbHOpz
Top best practices: Apply security at all layers
Harden operating systems & defaults
Use anti-malware + intrusion detection
Scan infrastructure
Scan code
Patch vulnerabilities
How to: Compute protection
How to: Scan vulnerabilities
Scan instances with Amazon Inspector: https://amzn.to/2DT9jyg
Scan code in the pipeline with Dependency Check: http://bit.ly/2SPzUAp
Testing with OWASP ZAP: http://bit.ly/2yWwzqN
How to: Serverless
• Authorization and authentication - API
• Enforce boundaries - AWS services & network
• Input validation
• Protect sensitive data
Top best practices: Automate security best practices
Template infra: AWS CloudFormation / AWS SAM
Automate build and test
AWS Config rules for verification
Automate response to non-compliance
Automate response to events
How to: Automate management
Automation, Patch Manager, State Manager
https://amzn.to/2AaOwSg
https://amzn.to/2DSTLdK
https://amzn.to/2Qihzxm
How to: Automate checks
Config Rules
Top best practices: Protect data
Encryption mechanisms are enforced
Verify accessibility of data, e.g. Amazon S3 & EBS
Consider AWS Certificate Manager
Consider tokenization to substitute sensitive data
Data segmentation and isolation
How to: Classify your data
• Start classifying data based on sensitivity
• Use resource tags to help define the policy
Amazon Macie: discover, classify, and protect sensitive data in AWS
IAM control: http://bit.ly/IAMctrlTAG
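Tag-based access control for classified data, as an added example that is not from the deck or from the linked IAM page: a constructed identity policy that matches an object's DataClassification tag against the caller's principal tag, plus a simplified evaluator showing that the explicit Deny on "restricted" data wins over the Allow. The bucket name, tag key, and function names are assumptions, and the evaluator models only the StringEquals condition used here.

```python
from fnmatch import fnmatchcase

BUCKET = "example-data-bucket"  # placeholder bucket name (constructed, not from the deck)
TAG_KEY = "s3:ExistingObjectTag/"
VAR_KEY = "${aws:PrincipalTag/"

# Constructed identity policy: a caller may read an object only when the object's
# DataClassification tag equals the caller's own tag; "restricted" objects are never readable.
ABAC_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ReadMatchingClassification", "Effect": "Allow",
         "Action": "s3:GetObject", "Resource": f"arn:aws:s3:::{BUCKET}/*",
         "Condition": {"StringEquals": {
             TAG_KEY + "DataClassification": VAR_KEY + "DataClassification}"}}},
        {"Sid": "DenyRestrictedData", "Effect": "Deny", "Action": "s3:*", "Resource": "*",
         "Condition": {"StringEquals": {TAG_KEY + "DataClassification": "restricted"}}},
    ],
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _resolve(expected, principal_tags):
    # The policy variable ${aws:PrincipalTag/key} takes the caller's own tag value.
    if expected.startswith(VAR_KEY) and expected.endswith("}"):
        return principal_tags.get(expected[len(VAR_KEY):-1])
    return expected

def _condition_holds(cond, principal_tags, object_tags):
    # Every StringEquals key must match; a tag missing from the object fails, as in IAM.
    for key, expected in cond.get("StringEquals", {}).items():
        actual = object_tags.get(key[len(TAG_KEY):]) if key.startswith(TAG_KEY) else None
        if actual is None or actual != _resolve(expected, principal_tags):
            return False
    return True

def is_allowed(policy, action, resource, principal_tags, object_tags):
    """Simplified IAM evaluation: an explicit Deny overrides any matching Allow."""
    allowed = False
    for st in _as_list(policy["Statement"]):
        if not any(fnmatchcase(action, a) for a in _as_list(st["Action"])):
            continue
        if not any(fnmatchcase(resource, r) for r in _as_list(st["Resource"])):
            continue
        if not _condition_holds(st.get("Condition", {}), principal_tags, object_tags):
            continue
        if st["Effect"] == "Deny":
            return False
        allowed = True
    return allowed
```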
How to: Keep people away from data
Dashboards for users
Tools for administrators
Top best practices: Incident response
Prepare for different scenarios
Pre-deploy tools using automation
Pre-provision access for response teams
Practice responding through game days
Continuously improve your processes
How to: Run incident response game day
1. Schedule a four to eight hour block
2. Find a prize (bribery)
3. Supply junk food & beverages
4. Pick relevant scenarios from:
https://amzn.to/2PetNro
5. Create a runbook
6. Practice
7. Have fun!
How to: Simple run book
Event description
[Attack Type]
[Attack Description]
Data to gather for troubleshooting
[Evaluation of current data]
Steps to troubleshoot and fix
[Contain / impact / recovery / forensics]
Urgency category
[Critical, Important, Moderate, Informational]
Communications & escalation
Take action!
CAF: aws.amazon.com/professional-services/CAF/
W-A: aws.amazon.com/well-architected
W-A Labs: http://bit.ly/AWSWALabs
AWS sec twitter: @AWSSecurityInfo
AWS sec blog: https://aws.amazon.com/blogs/security/