AWS Loft presentation on 04/28/16.
You’ve configured host and network based ACLs, enabled CloudTrail logging, encrypted all data at rest (EBS & S3), secured your AMIs, regularly patch EC2 instances, and locked down IAM roles. But are you secure? How do you know if/when a security incident has occurred, detect unauthorized access to data, identify vulnerabilities in your application, block online attacks in real-time, or certify your application as truly secure?
Theodore Kim, VP of Technical Operations at Jobvite, and his team will present a holistic approach to securing your application environment hosted in AWS. Topics will include:
- Do I need an Intrusion Detection/Prevention (IDS/IPS) System?
- How to detect and block network/application intrusion attempts in real time.
- Log file parsing/alerting via Security Information & Event Management (SIEM) systems to identify anomalous system activity.
- An overview of penetration/vulnerability testing services.
- Auditing your environment to identify security vulnerabilities and support compliance efforts.
- How to incorporate security vulnerability scanning into the build and release process.
11. AWS Shared Responsibility Model
(diagram) AWS is responsible for the security OF the Cloud: the AWS Foundation Services (Compute, Storage, Database, Networking) and the AWS Global Infrastructure (Regions, Availability Zones, Edge Locations). Customers are responsible for their security and compliance IN the Cloud: customer content; platform, applications, identity & access management; operating system, network & firewall configuration; client-side data encryption, server-side data encryption and network traffic protection.
12. Overview of AWS Services
(diagram) Your Applications sit on top of four layers:
- Deployment & Management: Identity & Access Management (IAM, Federation), Web Interface (Console), Monitoring (CloudWatch), Deployment & Automation (BeanStalk, OpsWorks, CloudFormation, DataPipe), Billing.
- Application Services: Content Delivery (CloudFront), Applications (SES, SNS, SQS, Elastic Transcoder), Distributed Computing (CloudSearch, SWF, EMR), Libraries & SDK’s, Human Interaction (Mechanical Turk).
- Foundation Services: Compute (EC2), Storage (S3, EBS, Glacier, Storage Gateway), Networking (VPC, Direct Connect, ELB, Route53), Databases (RDS, ElastiCache, Dynamo, RedShift).
- AWS Global Infrastructure: Regions, Availability Zones, Edge Locations.
Enterprise Applications alongside: Workspaces (Virtual Desktop), Zocalo (Document Collaboration).
13. There Are Two Security Tracks
- Compliance Security
- Headline Security
14. There’s a Big Gap Between Compliance & Security
(diagram: Compliance on one side, Security on the other)
18. Top 10 AWS security best practices
(Slide from the AWS Government, Education, and Nonprofit Symposium, Washington, DC | June 25-26, 2015. Based on our experience with Incident Response, top 10 to implement ASAP.)
1. Disable root API access key and secret key.
2. Enable MFA tokens everywhere.
3. Reduce number of IAM users with admin rights.
4. Use roles for EC2.
5. Least privilege: limit what IAM entities can do with strong/explicit policies.
6. Rotate all the keys regularly.
7. Enable CloudTrail wherever available.
8. Use Auto Scaling to handle traffic spikes.
9. Do not allow 0.0.0.0/0 in any EC2/ELB security group unless you mean it.
10. Watch world-readable/listable S3 bucket policies.
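Items 9 and 10 are the two that are easiest to check mechanically. The script below is an added example (not code from the talk or from Jobvite) that applies both checks to constructed input: a list shaped like the output of EC2 DescribeSecurityGroups and one S3 bucket policy document. The group IDs, rules, bucket policy and the account ID 123456789012 are all made up for the example; in practice the same functions would be fed the results of boto3's `describe_security_groups()` and `get_bucket_policy()`. An allow-list of ports you deliberately expose (here 443 on the load-balancer group) keeps the "unless you mean it" cases out of the report.

```python
import ipaddress
import json

# Constructed sample shaped like EC2 DescribeSecurityGroups output, trimmed to
# the fields the check reads.  Group IDs and rules are made up for this example.
SAMPLE_SECURITY_GROUPS = [
    {"GroupId": "sg-0aaa1111", "GroupName": "web-elb", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0bbb2222", "GroupName": "admin-ssh", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0ccc3333", "GroupName": "db", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
]

# Ports you have deliberately exposed to the world ("unless you mean it").
# Assumption: an allow-list the team maintains alongside the check.
INTENDED_WORLD_OPEN = {("sg-0aaa1111", 443)}

# Constructed bucket policy: two statements grant everyone read/list access,
# one grants the Prod-Hire role from the slides (account ID is made up).
SAMPLE_BUCKET_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::builds-bucket/*"},
        {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": ["s3:ListBucket"],
         "Resource": "arn:aws:s3:::builds-bucket"},
        {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:role/Prod-Hire"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::builds-bucket/*"},
    ],
})


def is_world_cidr(cidr):
    """True for 0.0.0.0/0 and ::/0, the 'anyone on the internet' ranges."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def world_open_rules(groups, intended=INTENDED_WORLD_OPEN):
    """Return (group_id, protocol, from_port, to_port, cidr) for every ingress
    rule open to the world that is not on the intended list.  Protocol '-1'
    (all traffic) is always reported, as is any multi-port range."""
    findings = []
    for group in groups:
        for perm in group.get("IpPermissions", []):
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for cidr in cidrs:
                if not is_world_cidr(cidr):
                    continue
                proto = perm.get("IpProtocol")
                lo, hi = perm.get("FromPort"), perm.get("ToPort")
                if proto != "-1" and lo == hi and (group["GroupId"], lo) in intended:
                    continue
                findings.append((group["GroupId"], proto, lo, hi, cidr))
    return findings


def _is_anonymous(principal):
    """Principal '*' or {'AWS': '*'} means 'anyone', authenticated or not."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False


def public_statements(policy_json):
    """Return (actions, resource, has_condition) for each Allow statement that
    grants access to everyone.  A Condition may narrow the grant, so it is
    reported rather than silently trusted."""
    policy = json.loads(policy_json)
    public = []
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow" or not _is_anonymous(st.get("Principal")):
            continue
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        public.append((tuple(actions), st.get("Resource"), "Condition" in st))
    return public


if __name__ == "__main__":
    for finding in world_open_rules(SAMPLE_SECURITY_GROUPS):
        print("world-open rule:", finding)
    for statement in public_statements(SAMPLE_BUCKET_POLICY):
        print("public bucket grant:", statement)
```

Run as a script it prints three world-open rules (SSH over IPv4 and IPv6 on the admin group, and all traffic on the database group) and two public grants on the bucket; the 443 rule on the load-balancer group is silent because it is on the intended list.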
24. Identity Management
• Use IAM for central point of account management (IAM/AD/LDAP integration).
• Use roles for applications that run on Amazon EC2 instances.
• Assign IAM group policies.
• Enable Multi-Factor Authentication (MFA) instead of password aging.
• Restrict privileged access further with policy conditions.
25. Encryption
• Encrypt all EBS/S3 data stores to enforce data sovereignty.
• Enable encryption at rest for all supported database stores (RedShift, RDS).
• Manage encryption keys via KMS.
• Software defined encryption.
• API support.
• Don’t hardcode keys!!!
27. Security Information & Event Management (SIEM)
• Quite possibly the least sexy & loved security tool.
• And yet absolutely necessary for compliance (PCI, SOC II, ISO 27001).
• Essential for security breach root cause analysis.
• No one wants to pay for Splunk!!!
• Can you mangle your ELK stack into a SIEM? (Answer: kinda)
(diagram: SIEM at the intersection of Compliance, DevOps and Security)
28. Vulnerability & Penetration Testing
• Point in time testing is virtually useless in today’s security landscape.
• Choose a continuous scanning solution.
• Don’t pay for expensive consulting companies. Crowdsource through bounty programs.
30. Floating Keys
• IAM Access Keys baked into your app configs and/or code.
• Keys needed to be rotated.
• Keys would end up in the log files.
• Keys could end up in config files.
• Keys could leak to unauthorized individuals.
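Finding the keys that have already floated into logs and config files is the first step of the clean-up the slide describes. The scanner below is an added example, not Jobvite's tooling: it relies only on the documented shape of AWS access key IDs (a 20-character string starting with `AKIA` for IAM user keys or `ASIA` for temporary STS keys) and, for secret keys, on a label such as `aws_secret_access_key` next to a 40-character value. The sample lines are constructed; the key values in them are the placeholder credentials from the AWS documentation, not live keys. The redaction keeps the 4-character prefix so an incident responder can still tell a long-lived key from a temporary one.

```python
import re

# AWS access key IDs: 4-letter prefix (AKIA = IAM user key, ASIA = temporary
# STS key) plus 16 upper-case alphanumerics.  Secret keys are 40 base64-like
# characters and are only recognisable next to a label.
ACCESS_KEY_RE = re.compile(r"\b((?:AKIA|ASIA)[A-Z0-9]{16})\b")
SECRET_KEY_RE = re.compile(
    r"(?i)(aws_secret_access_key|secret_key|secretkey)\s*[=:\"']+\s*([A-Za-z0-9/+]{40})\b")

# Constructed sample lines: a log4j-style app log, an SDK config file and a
# debug line.  The credential values are the AWS documentation placeholders.
SAMPLE_LINES = [
    "2016-04-28 09:58:10 INFO  S3Client - GET builds-bucket/app.war ok",
    "2016-04-28 09:58:11 ERROR S3Client - AuthFailure for key AKIAIOSFODNN7EXAMPLE",
    "aws_access_key_id = AKIAIOSFODNN7EXAMPLE",
    "aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
    "2016-04-28 09:59:00 DEBUG Sts - assumed role, token id ASIAEXAMPLE1234567AB",
    "2016-04-28 09:59:01 INFO  Health - ok",
]


def find_access_key_ids(text):
    """Return every access key ID found in a string (possibly several per line)."""
    return ACCESS_KEY_RE.findall(text)


def redact(text):
    """Mask credentials so the line can be kept in a ticket or a log archive:
    the secret is replaced outright, the key ID keeps only its 4-char prefix."""
    text = SECRET_KEY_RE.sub(lambda m: m.group(0).replace(m.group(2), "*" * 40), text)
    return ACCESS_KEY_RE.sub(lambda m: m.group(1)[:4] + "*" * 16, text)


def scan_lines(lines):
    """Return (line_number, kind, redacted_line) for each line carrying a
    credential.  kind is 'secret_key' or 'access_key_id'; numbering starts at 1.
    A line with both is reported once, as the more serious secret_key."""
    findings = []
    for number, line in enumerate(lines, start=1):
        if SECRET_KEY_RE.search(line):
            findings.append((number, "secret_key", redact(line)))
        elif ACCESS_KEY_RE.search(line):
            findings.append((number, "access_key_id", redact(line)))
    return findings


if __name__ == "__main__":
    for number, kind, line in scan_lines(SAMPLE_LINES):
        print("%4d %-13s %s" % (number, kind, line))
```

Every key ID the scanner reports is a candidate for rotation, and every file that contained one is a candidate for the instance-profile migration described later in the deck; the key ID also lets you search CloudTrail for what that key has been used for.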
31. Need for a Web Application Firewall & Threat Manager
• How can we create security detection/prevention rules for certain types of web requests?
• How can we block unauthorized traffic (SQLi, HTTP Host header attacks, XSS, etc)?
• How can we easily filter and visualize detection and prevention data?
• How can we ensure safety from latest CVEs?
AWS WAF Challenges
• AWS WAF only ties to CloudFront distributions.
• CloudFront has a 60 second timeout limitation.
• No L1 team to analyze and re-rule to reduce false alarms.
(diagram: Jobvite VPC)
32. A Sea of Logs
• Too many logs
• No central logging location
• No real plan of action
33. Rapid Infrastructure Changes
• Continuous rapid deployments introduce risk.
• Do you constantly invoke security scans?
• Who receives dangerous security events?
• Is there a plan when they’re received?
34. SOLUTIONS OVERVIEW
• Benefits of Instance profiles vs Access Keys
• Installed a 3rd Party WAF
• Detect and alert on events with a SIEM
• Introduce Infrastructure Security Scans into the build system
35. INSTANCE PROFILES
• Define roles and granular policies.
• Attach profiles to the EC2 and ASG.
• AWS SDKs and CLI support instance profiles.
• No more keys in the wild.
• Removed all API keys associated to IAM app users
• Enforced MFA on all remaining user accounts.
• Ensured IAM service was in scope of Evident.IO vulnerability scans.
36. IAM ROLES WITH POLICIES
• Default access denied.
• Explicitly define which instances are allowed access to certain AWS resources.
• Explicit deny supersedes explicit allow.
• Roles: multiple policies can be applied to roles.
• Instance Profiles: assume a role; access key and temporary token are stored in instance metadata.
(diagram: the Hire Auto-Scaling group runs under the role Prod-Hire, which has two policies attached, prod-platform and prod-hire, giving read access to s3://builds-bucket and write access to arn:aws:sqs:us-east-1::hire-resumes.)
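The three evaluation rules on this slide (default deny, explicit allow, explicit deny wins) are worth seeing in working form. The code below is an added example, not Jobvite's policies or AWS's evaluator: it models the Prod-Hire role from the diagram as a list of two policy documents and evaluates API calls against them. The role, policy names, bucket and queue names come from the slide; the statement bodies, the CloudWatch Logs permissions in the platform policy, and the account ID 123456789012 are assumptions for the example. Wildcard matching and case-insensitive action names follow IAM's documented behaviour; conditions, resource policies and permission boundaries are deliberately out of scope.

```python
import re

# What lets an instance profile use the role at all: the role's trust policy
# names the EC2 service as the principal allowed to call sts:AssumeRole.  The
# instance then fetches temporary credentials from its metadata service.
EC2_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Principal": {"Service": "ec2.amazonaws.com"},
                   "Action": "sts:AssumeRole"}],
}

# Two policies attached to the Prod-Hire role, as in the slide's diagram.
# Statement bodies and the account ID are assumptions for this example.
PROD_PLATFORM_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        # every prod instance may ship its logs ...
        {"Effect": "Allow", "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
         "Resource": "*"},
        # ... and none may touch IAM, whatever an app-specific policy says
        {"Effect": "Deny", "Action": "iam:*", "Resource": "*"},
    ],
}
PROD_HIRE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::builds-bucket", "arn:aws:s3:::builds-bucket/*"]},
        {"Effect": "Allow", "Action": "sqs:SendMessage",
         "Resource": "arn:aws:sqs:us-east-1:123456789012:hire-resumes"},
    ],
}
PROD_HIRE_ROLE = [PROD_PLATFORM_POLICY, PROD_HIRE_POLICY]


def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])


def _glob_match(pattern, value, ignore_case):
    """IAM-style matching: '*' matches any run of characters, '?' one character."""
    regex = "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"
    return re.match(regex, value, re.IGNORECASE if ignore_case else 0) is not None


def _applies(statement, action, resource):
    """A statement applies when the action and the resource each match one of
    its patterns.  Action names are case-insensitive; ARNs are compared as is."""
    return (any(_glob_match(p, action, True) for p in _as_list(statement.get("Action")))
            and any(_glob_match(p, resource, False)
                    for p in _as_list(statement.get("Resource"))))


def is_allowed(policies, action, resource):
    """Evaluate one API call against every policy attached to a role:
    nothing matches -> denied (default deny); a matching Allow -> allowed,
    unless any matching Deny exists, since an explicit deny supersedes it."""
    allowed = False
    for policy in policies:
        for statement in policy.get("Statement", []):
            if not _applies(statement, action, resource):
                continue
            if statement.get("Effect") == "Deny":
                return False
            if statement.get("Effect") == "Allow":
                allowed = True
    return allowed


if __name__ == "__main__":
    queue = "arn:aws:sqs:us-east-1:123456789012:hire-resumes"
    print("read build:  ", is_allowed(PROD_HIRE_ROLE, "s3:GetObject", "arn:aws:s3:::builds-bucket/app.war"))
    print("write build: ", is_allowed(PROD_HIRE_ROLE, "s3:PutObject", "arn:aws:s3:::builds-bucket/app.war"))
    print("send resume: ", is_allowed(PROD_HIRE_ROLE, "sqs:SendMessage", queue))
    print("create user: ", is_allowed(PROD_HIRE_ROLE, "iam:CreateUser", "*"))
```

The last line of the script shows the platform-level deny doing its job: even if an application team later attaches a policy that allows `iam:*`, the call still evaluates to denied, which is exactly the property that makes a shared platform policy a safe place for organisation-wide guard rails.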
38. Centralized Logging & Notifications
• Centralized logging via Logstash.
• Organization of logs (app, system security, service security, etc.)
• Notification of security events via SIEM script on top of ElasticSearch.
39. SECURITY INFORMATION AND EVENT MANAGEMENT
• Tomcats and IIS apps use log4J and log4net to send JSON formatted logs to Logstash.
• CloudTrail, rsyslog for login events, and Windows event logs via nxlog are sent to Logstash.
• Logstash sends the filtered results into the Logstash ElasticSearch cluster.
• Our home grown check_siem script searches ElasticSearch for event counts and is hooked into Nagios.
• Conditional matches are sent to SNS, where emails and Pager escalations are subscribed.
(diagram: CloudTrail, Tomcat / IIS, rsyslog/NXLOG and proxy logs flow into Logstash and the ES cluster; Kibana sits on the cluster for visualization; alerts go out through an SNS topic.)
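The check_siem script is described but not shown, so here is an added example of the pattern it implements: a Nagios-style plugin that counts matching events in a time window and maps the count onto OK / WARNING / CRITICAL exit codes. This is not Jobvite's script. `build_es_query` produces the Elasticsearch `_count` request body such a check would send (Query DSL with a `term` filter and `now-5m` date math); `count_events` applies the same filter to an in-memory list so the example runs offline. The sample documents, their field names (`type`, `event`, `host`) and the frozen clock are all constructed for the example, and the thresholds are illustrative.

```python
import sys
from datetime import datetime, timedelta, timezone

# Nagios plugin exit codes.
OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3
STATUS_NAMES = {OK: "OK", WARNING: "WARNING", CRITICAL: "CRITICAL", UNKNOWN: "UNKNOWN"}

# Constructed sample documents as Logstash might index sshd events from
# rsyslog (assumed field names).  The clock is frozen so the example is
# reproducible offline.
NOW = datetime(2016, 4, 28, 10, 0, 0, tzinfo=timezone.utc)
SAMPLE_EVENTS = [
    {"@timestamp": "2016-04-28T09:40:02Z", "type": "sshd", "event": "auth_failure", "host": "web-1"},
    {"@timestamp": "2016-04-28T09:56:10Z", "type": "sshd", "event": "auth_failure", "host": "web-1"},
    {"@timestamp": "2016-04-28T09:56:11Z", "type": "sshd", "event": "auth_failure", "host": "web-1"},
    {"@timestamp": "2016-04-28T09:57:30Z", "type": "sshd", "event": "auth_failure", "host": "web-2"},
    {"@timestamp": "2016-04-28T09:58:05Z", "type": "sshd", "event": "auth_success", "host": "web-2"},
    {"@timestamp": "2016-04-28T09:59:40Z", "type": "sshd", "event": "auth_failure", "host": "web-2"},
]


def build_es_query(field, value, minutes):
    """Query DSL body for a _count request: documents where field == value in
    the last `minutes` minutes, using Elasticsearch's 'now-Nm' date math."""
    return {"query": {"bool": {"filter": [
        {"term": {field: value}},
        {"range": {"@timestamp": {"gte": "now-%dm" % minutes, "lte": "now"}}},
    ]}}}


def count_events(events, field, value, minutes, now=NOW):
    """Offline stand-in for the _count request: the same filter applied to a
    list of documents already in memory."""
    since = now - timedelta(minutes=minutes)
    count = 0
    for doc in events:
        ts = datetime.strptime(doc["@timestamp"], "%Y-%m-%dT%H:%M:%SZ")
        ts = ts.replace(tzinfo=timezone.utc)
        if since <= ts <= now and doc.get(field) == value:
            count += 1
    return count


def nagios_status(count, warn, crit):
    """Map a count onto a Nagios state; the critical threshold is tested first
    so it wins when both are exceeded."""
    if count >= crit:
        return CRITICAL
    if count >= warn:
        return WARNING
    return OK


def check_siem(events, field, value, minutes, warn, crit, now=NOW):
    """Return (exit_code, plugin_output).  The output follows the Nagios
    convention 'STATE - text | label=value;warn;crit' so the count is also
    collected as performance data."""
    count = count_events(events, field, value, minutes, now)
    status = nagios_status(count, warn, crit)
    text = "%s - %d %s=%s events in last %dm | count=%d;%d;%d" % (
        STATUS_NAMES[status], count, field, value, minutes, count, warn, crit)
    return status, text


if __name__ == "__main__":
    code, output = check_siem(SAMPLE_EVENTS, "event", "auth_failure", 5, warn=3, crit=10)
    print(output)
    sys.exit(code)   # Nagios reads the exit code, not the text, to pick the state
```

With the sample data the 5-minute window holds four failed logins (the 09:40 one is outside it and the success is a different event), which lands between the warning and critical thresholds; Nagios would raise WARNING and, through the notification path the slide describes, the SNS subscribers would be paged.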
Speaker notes:
Here is more information about Jobvite. We deliver the leading and most comprehensive Recruiting Platform in the market. We have 10 years of experience in recruiting and a track record of success.
Today, we are here to talk with you about how we can help you deliver tangible results to your organization. We are focused on helping companies hire better candidates, faster, and at a lower cost.
These statistics highlight the average results we see across our customer base.
Jobvite has been recognized in the industry and received numerous awards for our growth, the strength of our products and the level of service we deliver to our customers.
In particular, we are very proud of the distinction awarded to us by Forrester, a highly regarded industry research firm.
Jobvite was recognized as a leader in the Forrester Wave for Talent Acquisition.
Forrester evaluated players in the Talent Acquisition market and narrowed down to 12 vendors based on inclusion criteria such as product fit, customer success and demand for the solution. These 12 vendors were evaluated against Forrester’s 45 criteria that assessed strength of current offering, strategy and market presence. The evaluation process included an in-depth product demonstration and interviews with Jobvite customers. Jobvite emerged as a leader among all vendors.
Here is a small sample of Jobvite’s 1900+ customers many of whom are leaders in their space and count on Jobvite to help them stay one step ahead of their recruiting challenges.
A lot of companies make HR platforms that keep track of employees, do training, things related to HR. Any such software has been lumped into HR systems. However, recruiting is an entirely different thing. And it is so important that it deserves its own system.
We look after the security OF the cloud, and you look after your security IN the cloud.
AWS WAF closer to VPC Infrastructure.
Create and use IAM users instead of your root account
Grant least privilege
Manage permissions with groups
Restrict privileged access further with policy conditions
Enable AWS CloudTrail to get logs of API calls
Keys leaking beyond authorized employees.
Keys end up in application logging.
Key rotation requirements.
Keys in the log files.
There are GB to TB of logs flowing through businesses.
Who gets notified?
What criteria triggers the notification?
What grouping of technologies are required to interact with each other to identify and notify properly?
How do you sort through all the log events to accurately notify?
NOTE: NOT penetration testing.
AWS Resource vulnerability scanning and Application vulnerability scanning.
Migration to the cloud enabled more rapid deployments.
Migration to the cloud enabled code as infrastructure / programmatic infrastructure.
How do you ensure that the latest code which was just built and deployed into your CI/CD system doesn’t manipulate AWS resources in a way that opens a security hole?
Roles: created by app that exists.
Policies: Platform policy, app specific policy.
Need to change this slide image….
- GIT to SVN (or we can leave it as GIT I guess)
- Change unit tests to Junit tests
- Build should point to Maven, not Ant
API call remains after deploy, but it should be an API call to Evident.IO
API call invokes an AWS resources scan on security groups, permissions, vulnerabilities in resource configs, etc.
We would also want to introduce a sourcecode based scan for vulnerabilities.... Like we saw last night. Something like CheckMarx