Best Practices for AWS Cloud Security & Cost Optimization

Copyright © 2016 Talentica Software (I) Pvt Ltd. All rightsCopyright © 2016 Talentica Software (I) Pvt Ltd. All rights
Best Practices for
AWS cloud security & Cost optimization
Presented By
Pulkit Gupta

Agenda
• What is Cloud Security?
• AWS Shared Security Model
• AWS Security Best Practices
• AWS Guard Duty: Intelligent threat detection
• Automate security checks
• AWS Cost Saving and Optimization Strategies
• AWS Cost analysis tool : Netflix ICE
• Discussion, Q&A

Cloud Security ?
Cloud security refers to a broad set of policies, technologies,
and controls deployed to protect data, applications, and the
associated infrastructure of cloud computing.

Cloud security controls
• Preventive controls
Preventive controls strengthen the system against incidents,
generally by reducing if not actually eliminating vulnerabilities
• Detective controls
Detective controls are intended to detect and react
appropriately to any incidents that occur.
• Corrective controls
Corrective controls reduce the consequences of an incident,
normally by limiting the damage. They come into effect during
or after an incident.

AWS Shared Security Model

Shared Security Model
for Infrastructure services (EC2, EBS, VPC)

Shared Security Model for Platform Services (RDS, EMR etc)

AWS Security Best Practices

Encrypt Everything !!

Encryption options
Server-side encryption for most services
S3, EBS, RDS, Redshift, etc.
Flexible key management
• AWS Key Management Service(KMS)
• AWS CloudHSM
3rd-party encryption
• Trend Micro, SafeNet, Vormetric, Hytrust, Sophos etc.
• AWS Marketplace :
https://aws.amazon.com/marketplace/
Client-side encryption
Tricky business, please be careful

Encryption while EBS Creation

Encryption while RDS Creation

IAM Best Practices
1. Create users
2. Apply the principle of least privilege
3. Factorize permissions with groups
4. Enable Cloudtrail to log all API calls
5. Use a strong password policy
6. Rotate security credentials regularly
7. Enable MFA for privileged users
8. Use IAM roles to delegate permissions
9. Delete credentials for the root account

Log Everything

Logs? Sure, we got logs!
Infrastructure Logs
• AWS CloudTrail
• VPC Flow Logs Service Logs
Service logs
• Amazon S3
• AWS Elastic Load Balancing
• Amazon CloudFront
• AWS Lambda
• AWS Elastic Beanstalk
Instance Logs
• UNIX / Windows logs
• NGINX/Apache/IIS
• Your own logs

Cloudtrail Logs
Enable Cloudtrail in all regions
• This takes 10 seconds
• It works for all regions, even if you don’t use them yet.
Encrypt logs
• SSE-S3 by default
• KMS is supported too
Export logs to Cloudwatch Logs
• Easier to search
• Trigger alerts on speciﬁc events
Centralize logs in a single place
• Single bucket , Could be in a dedicated account

Automate Security checks

You can automate on multiple levels
• Infrastructure / application automation
- AWS CloudFormation
- AWS OpsWorks
• DIY automation
- AWS CloudTrail > CloudWatch Logs > CloudWatch alerts
- API calls > Amazon CloudWatch Events > SNS / Lambda
• Compliance automation
- AWS Inspector
- AWS Config

AWS Inspector
• Automated security assessment service that helps improve
the security and compliance of applications deployed on
AWS.

Amazon Inspector
• This service allows you to check the conﬁguration and the
behaviour of EC2 instances.
• Agent-based
• Can run from 15 minutes to 24 hours
• Reports and advice on how to ﬁx issues
• Can be automated with the AWS API
• Built-in rule packages

AWS Config
• AWS service that enables you to assess, audit, and
evaluate the configurations of your AWS resources.

AWS Config Rules
• Config Rules checks that AWS resources are compliant
• You can use:
-Pre-defined rules: MFA on, CloudTrail on, EBS encryption, etc.
-Your own rules
• Checks can be:
-Periodic (1, 3, 6, 12 or 24 hours)
-Triggered by configuration changes
• Notifications are sent to SNS…
... Which means that you can process them with Lambda functions
• Non-compliant instance? Kill it!

AWS Trusted Advisor
• AWS online resource to help you reduce cost, increase
performance, and improve security by optimizing your AWS
environment

Trusted Advisor

AWS Trusted Advisor

• Amazon GuardDuty is a managed threat detection service that
continuously monitors for malicious or unauthorized behaviour and
protects entire AWS accounts & workload.
• Latest service by AWS, Launched in re:Invent, Nov. 2017
• Can be enabled with a few clicks in the AWS Management Console,
Amazon GuardDuty can immediately begin analysing billions of events
across your AWS accounts for signs of risk.
• When it has found something, GuardDuty gives that warning a severity
rating of low, medium, or high, and customers can link those alerts into
existing monitoring systems like Splunk or PagerDuty.
AWS GuardDuty

• It monitors for activity such as unusual API calls or potentially
unauthorized deployments that indicate a possible account compromise.
• GuardDuty also detects potentially compromised instances or
reconnaissance by attackers.
• GuardDuty runs on AWS’s own infrastructure, which means customers
don’t have to pay for computing instances to run it, although it’s not free.
• When you enable GuardDuty for the first time, your AWS account is
automatically enrolled in a 30-day GuardDuty free trial.

How GuardDuty works

Benefits
• Intelligent threat detection
• Centralized threat detection across all of your AWS accounts
• Strengthens security through automation
• Pricing :
https://aws.amazon.com/guardduty/pricing/
• Amazon GuardDuty is priced is based on two dimensions.
• Quantity of AWS CloudTrail Events analyzed (per 1,000,000
events)
• Volume of Amazon VPC Flow Log and DNS Log data analyzed (per
GB).

AWS GuardDuty

AWS Accounts one or many ?
37
Use a single AWS account when:
• You only need simple controls on who does what
• You don’t need to isolate projects or teams
• You don’t need to track costs separately
Use multiple accounts when:
• You need total isolation between projects or teams
• You need total isolation for some of your data (such as Cloudtrail logs)
• You want to keep track of costs separately (you can still get a single bill with
Consolidated Billing)

Please promise me this !!!
• Never share credentials across users / applications
• Never store credentials in source code (they’ll end up on Github)
• Never store credentials on EC2 instances
• (Almost) never work with the root account
• Use MFA for privileged accounts
• Enable CloudTrail in all regions
• Encrypt everything
• Automate security checks and alarms

Best Practices for AWS
Cost Optimization

Who is responsible for cost control??

If you don’t Measure it.
You cant Improve it

Cost Optimization

Knowing your usage

Pillar 2 : Increase Elasticity

Auto scaling Options

Pillar 3 : Right Pricing Model

Use Appropriate Size EBS

• Tools that measure and monitor AWS usage and
spending
• ICE
• Cloudyn
• Cloudability
• Newvem
• CloudCheckr
• Cloud Vertical

Netflix ICE
• A cost analysis tool that measure and monitor AWS
usage and spending.
• Ice is a Grails project. It consists of three parts:
processor, reader and UI. Processor processes the
Amazon detailed billing file into data readable by
reader.
• Reader reads data generated by processor and
renders them to UI. UI queries reader and renders
interactive graphs and tables in the browser.

• Ice communicates with AWS Programmatic Billing Access and
maintains knowledge of the following key AWS entity categories:
• Accounts
• Regions
• Services (e.g. EC2, S3, EBS)
• Usage types (e.g. EC2 - m1.xlarge)
• Cost and Usage Categories (On-Demand, Reserved, etc.)
The UI allows you to filter directly on the above categories to
custom tailor your view.

• Installation of ICE:
• https://github.com/Teevity/ice
• Ice Docker Image:
• A community image is available for deploying Ice via Docker
https://github.com/jonbrouse/docker-ice
• Ice Cookbook:
• A community cookbook is available for deploying Ice via Chef
https://github.com/mdsol/ice_cookbook.

Detail page grouped by product

Reservation page grouped by on-demand, un-used, reserved, upfront costs

Questions ??

Thank You

Presented By
Pulkit Guptapulkitgupta378@gmail.com
https://github.com/pulkitgupta378
https://twitter.com/pulkitgupta378
https://www.linkedin.com/in/pulkit-gupta-55095224/

Best Practices for AWS Cloud Security & Cost Optimization

Recommandé

Recommandé

Contenu connexe

Dernier

Dernier (20)

En vedette

En vedette (20)

Best Practices for AWS Cloud Security & Cost Optimization