Solutions Architect
JOB ZERO
Compliance programs: GxP, ISO 13485, AS9100, ISO/TS 16949

Shared responsibility model (AWS side):
AWS Foundation Services: Compute, Storage, Database, Networking
AWS Global Infrastructure: Regions, Availability Zones, Edge Locations
AWS is responsible for the security OF the Cloud
Shared responsibility model (both sides):
Customers have their choice of security configurations IN the Cloud:
  Customer applications & content
  Platform, Applications, Identity & Access Management
  Operating System, Network, & Firewall Configuration
  Client-side Data Encryption / Server-side Data Encryption / Network Traffic Protection
AWS is responsible for the security OF the Cloud:
  AWS Foundation Services: Compute, Storage, Database, Networking
  AWS Global Infrastructure: Regions, Availability Zones, Edge Locations
Resilience (shared):
Customers control how they manage continuity and recovery:
  Customer content, transactions and data-stores
  Customer content backups, archives and continuity solutions
  Customer resilience and recovery processes
  Resilient applications architecture
  Resilient infrastructure configurations
AWS builds resilient services and features to help customers:
  Availability Zone A / Availability Zone B
  AWS business resiliency processes
Controls (who provides and who operates them):
AWS managed and audited controls: NIST 800-53, PCI-DSS, SOC 1, SOC 2, ISO 27001
AWS provided, customer configured and managed controls: Logging, Key management, Virtual Private Cloud, Other AWS service features
Customer provided and managed controls: IDaM, Encryption, Classification, Monitoring, ITSM, Governance, Security policy, Operations, Malware, Risk management
Customer risk appetite and desired control environment: Technology risks, Sourcing risks, Business risks, Security risks, Compliance
Customers decide on the appropriate controls and manage and monitor the effectiveness of those controls.
Customers take reliance on AWS control reports.
SECURITY IS VISIBILITY AND AUDITABILITY
How often do you map your network? RIGHT NOW?
AWS Security and SecOps
AWS CLOUDTRAIL
You are making API calls... on a growing set of services around the world… AWS CloudTrail is continuously recording API calls… and delivering log files to you, and notifies you.
Services covered include Redshift, AWS CloudFormation and AWS Elastic Beanstalk.
SECURITY IS CONTROL
CONTENT: Customers retain full ownership and control of their content
  control of privacy
  encryption any way that you choose
  access
  lifecycle and disposal
  … you choose to do so
Regions (… you put it): US-EAST (Virginia), US-WEST (N. California), US-WEST (Oregon), AWS GovCloud (US), SOUTH AMERICA (Sao Paulo), EU-WEST (Ireland), EU-CENTRAL (Frankfurt), ASIA PAC (Tokyo), ASIA PAC (Seoul), ASIA PAC (Singapore), ASIA PAC (Sydney), CHINA (Beijing)
WHO CAN DO WHAT
Segregate duties: with AWS IAM you get to control who can do what in your AWS environment and from where.
Fine-grained control of your AWS cloud with two-factor authentication.
Integrated with your existing corporate directory using SAML 2.0 and single sign-on.
Diagram: AWS account owner → Network management / Security management / Server management / Storage management
NETWORK
AWS Virtual Private Cloud (Availability Zone A / Availability Zone B):
• Provision a logically isolated section of the AWS cloud
• You choose a private IP range for your VPC
• Segment this into subnets to deploy your compute instances
AWS network security:
• AWS network will prevent spoofing and other common layer 2 attacks
• You cannot sniff anything but your own EC2 host network interface
• Control all external routing and connectivity
YOUR AWS ENVIRONMENT (Digital Websites, Big Data Analytics, Dev and Test, Enterprise Apps) connected to YOUR PREMISES via AWS Direct Connect or Internet VPN
CONTROL YOUR COMPUTE
Launch instance from the EC2 AMI catalogue → Configure instance → Running instance
Your instance: Operating system; Hardening and configuration; Audit and logging; Vulnerability management; Malware and IPS; Whitelisting and integrity; User administration
Configure your environment as you like:
• You get to apply your existing security policy
• Create or import your own ‘gold’ images: import existing VMs to AWS or save your own custom images
• Choose how to build your standard host security environment
• Apply your existing host controls and configurations
First class security and compliance starts (but doesn’t end!) with encryption:
• Automatic encryption with managed keys
• Bring your own keys
• Dedicated hardware security modules
Key Management Service: encryption key management and compliance made easy
AWS CloudHSM: you can also store your encryption keys in AWS CloudHSM (used from your EC2 instance)
• you fully control the keys
• single tenant for you
• Increase performance
• Comply with stringent regulatory …
REACT AND RESPOND
CloudWatch Logs: log everything and monitor events in those logs
• Storage is cheap - collect and keep your logs
• Store logs durably in write-only storage
• Integration with CloudWatch Metrics and Alarms means you can continually scan for events you know might be suspicious
IF (detect web attack > 10 in a 1 minute period)
  ALARM - INCIDENT IN PROGRESS
  NOTIFY CERT
AUDIT EVERYTHING
SECURITY + DEVOPS = DEVSECOPS
DEV / SEC / OPS
• AppSec
• Security as Code
• Self-Service Testing
• Red Team/Blue Team
• Inline Enforcement
• Analytics & Insights
• Detect & Contain
• Incident Response
• Investigations
• Forensics
• Fun: Scan the API + ingest Config/CloudTrail, trigger firewall audits and revert unapproved changes.
• Fun: Track known-good CloudFormation stacks & AMIs, alert on or neutralize non-compliant/non-approved deploys.
• Fun: Enforce encryption of all assets carrying HIPAA or data classification tags. Continuous enforcement! (KMS!)
• Fun: CloudTrail/Config user attribution of use/abuse.
• More Fun: Maps to PCI DSS 7.1.3, COBIT DS5.4, ISO 17799, and more!
SECURITY “EVENTS”
Detect → Investigate → Protect → Communicate
"userIdentity": {
  "type": "IAMUser",
  "principalId": "AIDAI5WIMUDR2UZUI62VO",
  "arn": "arn:aws:iam::000123456789:user/reinvent-sec308",
  "accountId": "000123456789",
  "accessKeyId": "AKIAIRAHHRD3PHLUFJLQ",
  "userName": "reinvent-sec308"
},
"eventTime": "2015-09-23T00:41:45Z",
"eventSource": "cloudtrail.amazonaws.com",
"eventName": "StopLogging",
"awsRegion": "us-west-2",
"sourceIPAddress": "55.55.55.55",
"userAgent": "aws-cli/1.7.25 Python/2.7.5 Darwin/13.4.0",
"requestParameters": {
  "name": "CloudTrail-Default"
},
"responseElements": null,
....
CloudTrail OFF event – Detect
"CloudTrailStopMetricFilter": {
  "Type": "AWS::Logs::MetricFilter",
  "Properties": {
    "LogGroupName": { "Ref" : "LogGroupName" },
    "FilterPattern": "{ ($.eventName = StopLogging) }",
    "MetricTransformations": [
      {
        "MetricNamespace": "CloudTrailMetrics",
        "MetricName": "CloudTrailEventCount",
        "MetricValue": "1"
      }
    ]
  }
},
CloudTrail OFF event – Detect
"CloudTrailStoppedAlarm": {
  "Type": "AWS::CloudWatch::Alarm",
  "Properties": {
    "AlarmName" : "CloudTrailStoppedAlarm",
    "AlarmDescription" : "Alarms when StopLogging API call is made",
    "AlarmActions" : [{ "Ref" : "AlarmNotificationTopic" }],
    "MetricName" : "CloudTrailEventCount",
    "Namespace" : "CloudTrailMetrics",
    "ComparisonOperator" : "GreaterThanOrEqualToThreshold",
    "EvaluationPeriods" : "1",
    "Period" : "300",
    "Statistic" : "Sum",
    "Threshold" : "1"
  }
},
"userIdentity": {
  "type": "IAMUser",
  "principalId": "AIDAI5WIMUDR2UZUI62VO",
  "arn": "arn:aws:iam::000123456789:user/reinvent-sec308",
  "accountId": "000123456789",
  "accessKeyId": "AKIAIRAHHRD3PHLUFJLQ",
  "userName": "reinvent-sec308"
},
"eventTime": "2015-09-23T00:41:45Z",
"eventSource": "cloudtrail.amazonaws.com",
"eventName": "StopLogging",
"awsRegion": "us-west-2",
"sourceIPAddress": "55.55.55.55",
"userAgent": "aws-cli/1.7.25 Python/2.7.5 Darwin/13.4.0",
"requestParameters": {
  "name": "CloudTrail-Default"
},
"responseElements": null,
....
{
  "Sid": "Stmt0001",
  "Effect": "Deny",
  "Action": [
    "cloudtrail:DeleteTrail",
    "cloudtrail:StopLogging"
  ],
  "Resource": [
    "*"
  ]
}
.....
"eventTime": "2015-09-20T18:53:02Z",
"eventSource": "iam.amazonaws.com",
"eventName": "DeactivateMFADevice",
"awsRegion": "us-east-1",
"sourceIPAddress": "55.55.55.55",
"userAgent": "signin.amazonaws.com",
"requestParameters": {
  "userName": "bob",
  "serialNumber": "arn:aws:iam::000019241430:mfa/bob"
},
"responseElements": null,
"requestID": "d1a9ebf8-5fc8-11e5-9d8f-1bc7c6757e61",
.....
http://blogs.aws.amazon.com/security/post/Tx2SJJYE082KBUK/How-to-Delegate-Management-of-Multi-Factor-Authentication-to-AWS-IAM-Users
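The Detect → Investigate → Protect sequence above (a metric filter on StopLogging, an alarm with Period 300 / Sum / Threshold 1, then reading who, from where and when out of the record) as runnable Python. This is an added example, not code from the deck; the records are constructed from the two events shown, with placeholder key IDs, and the watch list is widened to DeleteTrail (the action the deck's IAM deny policy covers) and DeactivateMFADevice (the MFA slide).

```python
import gzip
import io
import json
from collections import defaultdict
from datetime import datetime, timezone

# Event names the deck treats as security-relevant and the control each one weakens.
# The CloudTrail calls arrive from cloudtrail.amazonaws.com, the MFA call from iam.amazonaws.com.
WATCHED_EVENTS = {
    "StopLogging": "CloudTrail logging turned off",
    "DeleteTrail": "CloudTrail trail deleted",
    "DeactivateMFADevice": "MFA device deactivated for an IAM user",
}

# Constructed sample records modelled on the two events in the deck plus one benign
# read-only call. The access key ID and the address are placeholders.
SAMPLE_RECORDS = [
    {
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::000123456789:user/reinvent-sec308",
                         "accountId": "000123456789", "accessKeyId": "AKIAEXAMPLEKEY000001",
                         "userName": "reinvent-sec308"},
        "eventTime": "2015-09-23T00:41:45Z", "eventSource": "cloudtrail.amazonaws.com",
        "eventName": "StopLogging", "awsRegion": "us-west-2", "sourceIPAddress": "55.55.55.55",
        "userAgent": "aws-cli/1.7.25 Python/2.7.5 Darwin/13.4.0",
        "requestParameters": {"name": "CloudTrail-Default"}, "responseElements": None,
    },
    {
        "userIdentity": {"type": "IAMUser", "userName": "bob", "accountId": "000019241430"},
        "eventTime": "2015-09-20T18:53:02Z", "eventSource": "iam.amazonaws.com",
        "eventName": "DeactivateMFADevice", "awsRegion": "us-east-1",
        "sourceIPAddress": "55.55.55.55", "userAgent": "signin.amazonaws.com",
        "requestParameters": {"userName": "bob", "serialNumber": "arn:aws:iam::000019241430:mfa/bob"},
        "responseElements": None,
    },
    {
        "userIdentity": {"type": "IAMUser", "userName": "alice", "accountId": "000123456789"},
        "eventTime": "2015-09-23T00:42:10Z", "eventSource": "ec2.amazonaws.com",
        "eventName": "DescribeInstances", "awsRegion": "us-west-2",
        "sourceIPAddress": "55.55.55.55", "userAgent": "console.ec2.amazonaws.com",
        "requestParameters": {}, "responseElements": None,
    },
]


def build_sample_log() -> bytes:
    """CloudTrail delivers gzip-compressed JSON objects with a top-level "Records" list;
    build one from the constructed records so the parser can be exercised offline."""
    buf = io.BytesIO()
    with gzip.GzipFile(fileobj=buf, mode="wb") as fh:
        fh.write(json.dumps({"Records": SAMPLE_RECORDS}).encode())
    return buf.getvalue()


def parse_cloudtrail_log(blob: bytes) -> list:
    """Decode one delivered CloudTrail log object into its list of records."""
    with gzip.GzipFile(fileobj=io.BytesIO(blob)) as fh:
        return json.load(fh)["Records"]


def attribute(record: dict) -> dict:
    """Investigate: who did what, from where and when, the fields the deck reads off the record."""
    ident = record.get("userIdentity", {})
    return {
        "eventName": record["eventName"],
        "why": WATCHED_EVENTS[record["eventName"]],
        "eventTime": record["eventTime"],
        "awsRegion": record.get("awsRegion"),
        "user": ident.get("userName") or ident.get("arn"),
        "accountId": ident.get("accountId"),
        "sourceIPAddress": record.get("sourceIPAddress"),
        "userAgent": record.get("userAgent"),
        "target": record.get("requestParameters"),
    }


def detect(records: list) -> list:
    """Detect: the code equivalent of the metric filter { ($.eventName = StopLogging) },
    widened to every name in WATCHED_EVENTS."""
    return [attribute(r) for r in records if r.get("eventName") in WATCHED_EVENTS]


def evaluate_alarm(findings: list, period: int = 300, threshold: int = 1) -> dict:
    """Mirror the CloudWatch alarm on the slides: Statistic Sum over Period seconds, alarm
    when the sum is GreaterThanOrEqualToThreshold. Returns {window_start: count} per alarming window."""
    sums = defaultdict(int)
    for f in findings:
        ts = datetime.strptime(f["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        sums[int(ts.timestamp()) // period * period] += 1
    return {w: n for w, n in sums.items() if n >= threshold}


if __name__ == "__main__":
    found = detect(parse_cloudtrail_log(build_sample_log()))
    for f in found:
        print(f"{f['eventTime']} {f['why']}: user={f['user']} from {f['sourceIPAddress']} "
              f"in {f['awsRegion']} via {f['userAgent']}")
    for window, n in sorted(evaluate_alarm(found).items()):
        print(f"ALARM window {datetime.fromtimestamp(window, timezone.utc).isoformat()}: {n} event(s)")
```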
Flow diagram: CloudTrail → S3 → SNS → Lambda (multiple Lambda subscribers)
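The CloudTrail → S3 → SNS → Lambda chain sketched above, with the Lambda subscriber doing the approved-AMI check the editor's notes describe (#47 and #48): unwrap the SNS message to the S3 object, read the CloudTrail log, and compare every launched instance's image against an allowlist. Added example, not the deck's code: the S3 read is injected as `fetch` so it runs offline, and the SNS/S3 event, log records, bucket name and AMI IDs are constructed placeholders.

```python
import gzip
import io
import json

# Constructed allowlist; the IDs are placeholders, not real images.
APPROVED_AMIS = {"ami-0a1b2c3d4e5f60001", "ami-0a1b2c3d4e5f60002"}

SAMPLE_BUCKET = "example-cloudtrail-bucket"
SAMPLE_KEY = "AWSLogs/000123456789/CloudTrail/us-west-2/2015/09/23/sample_CloudTrail.json.gz"

# Constructed CloudTrail records: two RunInstances calls (one approved image, one not) and
# one unrelated call. Launched images are read from responseElements.instancesSet.items,
# where CloudTrail's EC2 records list what actually started.
SAMPLE_RECORDS = [
    {"eventTime": "2015-09-23T01:00:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "awsRegion": "us-west-2",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}, "sourceIPAddress": "55.55.55.55",
     "responseElements": {"instancesSet": {"items": [
         {"instanceId": "i-0aaaaaaaaaaaaaaa1", "imageId": "ami-0a1b2c3d4e5f60001"}]}}},
    {"eventTime": "2015-09-23T01:05:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "awsRegion": "us-west-2",
     "userIdentity": {"type": "IAMUser", "userName": "bob"}, "sourceIPAddress": "55.55.55.56",
     "responseElements": {"instancesSet": {"items": [
         {"instanceId": "i-0bbbbbbbbbbbbbbb1", "imageId": "ami-0deadbeef0000001"},
         {"instanceId": "i-0bbbbbbbbbbbbbbb2", "imageId": "ami-0deadbeef0000001"}]}}},
    {"eventTime": "2015-09-23T01:06:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeImages", "awsRegion": "us-west-2",
     "userIdentity": {"type": "IAMUser", "userName": "bob"}, "responseElements": None},
]


def gzip_json(obj) -> bytes:
    """Serialize like a delivered CloudTrail object: gzip-compressed JSON."""
    buf = io.BytesIO()
    with gzip.GzipFile(fileobj=buf, mode="wb") as fh:
        fh.write(json.dumps(obj).encode())
    return buf.getvalue()


def sample_fetch(bucket: str, key: str) -> bytes:
    """Stand-in for s3.get_object(): returns the constructed log for the sample key."""
    if (bucket, key) != (SAMPLE_BUCKET, SAMPLE_KEY):
        raise KeyError(f"unknown object s3://{bucket}/{key}")
    return gzip_json({"Records": SAMPLE_RECORDS})


def build_sample_event() -> dict:
    """The event Lambda receives: an SNS notification whose Message is the S3
    ObjectCreated notification for the newly delivered CloudTrail log object."""
    s3_notification = {"Records": [{"eventSource": "aws:s3", "eventName": "ObjectCreated:Put",
                                    "s3": {"bucket": {"name": SAMPLE_BUCKET},
                                           "object": {"key": SAMPLE_KEY}}}]}
    return {"Records": [{"EventSource": "aws:sns", "Sns": {"Message": json.dumps(s3_notification)}}]}


def s3_objects_from_sns(event: dict) -> list:
    """Unwrap SNS -> S3 notification into (bucket, key) pairs; one SNS record may carry several."""
    objects = []
    for rec in event.get("Records", []):
        message = json.loads(rec["Sns"]["Message"])
        for s3rec in message.get("Records", []):
            objects.append((s3rec["s3"]["bucket"]["name"], s3rec["s3"]["object"]["key"]))
    return objects


def unapproved_launches(records: list, approved: set) -> list:
    """Compare every launched instance's image against the allowlist, keeping attribution."""
    findings = []
    for r in records:
        if r.get("eventSource") != "ec2.amazonaws.com" or r.get("eventName") != "RunInstances":
            continue
        items = ((r.get("responseElements") or {}).get("instancesSet") or {}).get("items") or []
        ident = r.get("userIdentity", {})
        for it in items:
            if it.get("imageId") not in approved:
                findings.append({"instanceId": it.get("instanceId"), "imageId": it.get("imageId"),
                                 "user": ident.get("userName") or ident.get("arn"),
                                 "sourceIPAddress": r.get("sourceIPAddress"),
                                 "awsRegion": r.get("awsRegion"), "eventTime": r.get("eventTime")})
    return findings


def handler(event: dict, context=None, fetch=sample_fetch, approved=APPROVED_AMIS) -> dict:
    """Lambda entry point. Deployed, `fetch` would wrap s3.get_object and the findings would be
    published to an SNS topic (alert) or passed to ec2.stop_instances (neutralize); here they are
    returned so the result can be checked offline."""
    objects = s3_objects_from_sns(event)
    findings = []
    for bucket, key in objects:
        with gzip.GzipFile(fileobj=io.BytesIO(fetch(bucket, key))) as fh:
            findings.extend(unapproved_launches(json.load(fh)["Records"], approved))
    return {"checked_objects": len(objects), "unapproved": findings}


if __name__ == "__main__":
    print(json.dumps(handler(build_sample_event()), indent=2))
```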
Reference web architecture: Users → CloudFront (Static Files S3 Bucket; CloudFront Access Log S3 Bucket) → WAF → Elastic Load Balancing → Web Servers → Amazon RDS, with Lambda and CloudWatch alongside; DDoS traffic blocked (X)
https://github.com/awslabs/aws-config-rules/
ARE YOU WELL SECURED?
Tools: cfn-nag, aws-cf-checker, Graffiti Monkey, Janitor Monkey
https://d0.awsstatic.com/whitepapers/compliance/AWS_CIS_Foundations_Benchmark.pdf
https://www.sans.org/reading-room/whitepapers/incident/balancing-security-innovation-event-driven-automation-36837


Editor's Notes

  • #11: AWS allows you to see your ENTIRE infrastructure at the click of a mouse. Can you map your current network? Also, you can do that automatically via the API, as many times as you need.
  • #12: Exciting new service – OK, exciting if you’re a security professional like me, perhaps not exciting as my kids view the world. CloudTrail is your eyes behind the scenes at AWS. It gives you insight into all of the API calls made which are associated with your account(s). It lets you understand the who did what from where, when.
  • #16: AWS KMS provides a single place to manage your organization’s encryption keys. KMS presents a single view for all of the key usage, and allows you to easily implement key creation, rotation, usage policies, and auditing to help keep all of your encryption key management in check. The AWS Key Management Service provides audit trail information directly to AWS CloudTrail. These audit trails help you meet compliance and regulatory requirements by providing logs of who used which key to access which data and when that access occurred.
  • #19: Enterprises segregate important duties to reduce risk of accidental or malicious changes. AWS allows fine-grained segregation across virtually all aspects of the service. For example, you can segregate: who can change network configuration; who can change firewalls; who can change how the VPC connects to the Internet or back to your corporate premises; who can start and stop servers; who can snapshot and restore storage volumes. AWS IAM offers a programmatic level of control and granularity that would not be possible to implement in traditional on-premise environments.
  • #25: You can use storage services, such as S3 and EBS, which allow you to encrypt data automatically, where we manage the keys on your behalf, so you don’t have to worry about them. You can also bring your own keys to use with S3 or EBS encryption, or you can use CloudHSM services, where you can store your keys in a physical piece of hardware which is specifically designed to be tamper proof - if someone tries to break in, it shuts down and self-destructs. For a lot of customers, they are happy to let us manage the keys for them, however, other customers want more control over how keys are managed, and how they are put to use in their applications, across their data and within the organization.
  • #26: AWS KMS provides a single place to manage your organization’s encryption keys. KMS presents a single view for all of the key usage, and allows you to easily implement key creation, rotation, usage policies, and auditing to help keep all of your encryption key management in check. The AWS Key Management Service provides audit trail information directly to AWS CloudTrail. These audit trails help you meet compliance and regulatory requirements by providing logs of who used which key to access which data and when that access occurred.
  • #31: These are services that can be directly used during an audit. AWS Config: This new service will really help you understand what is your current state of systems and relationships, and how they change over time. KMS: Customer-managed key service. CloudTrail: API activity logs. Trusted Advisor: Automated security checks. IAM console: at a glance view of Last AWS Sign-in. A quick at-a-glance view from the IAM console showing those who have logged into AWS and how they did it. IAM Credential Reports: This is in case you want evidence that your users are following security best practices, such as requiring MFA for administrative-level users. I’m going to spend a little time talking about some of these innovations for auditors.
  • #37: Monitors information system accounts for and reports atypical usage of information system accounts.
  • #39: Beetle: And if you click “Continue”, then when you look at a CloudTrail configuration screen, you can see that Logging is “OFF”. Speaking from the perspective of a security geek, it is probably a good idea to know if and when CloudTrail is turned off. But I would like to not have to visit each Cloudtrail account configuration to figure that out. Josh, there has to be a better way for knowing if and when CloudTrail is turned off.
  • #40: Josh: There is. With CloudTrail turned on, you have a record of the API request that turned CloudTrail OFF. Here is what that API request would look like. You will notice that the “StopLogging” API request was made to the CloudTrail service in the us-west-2 region.
  • #41: Josh: So if we looked in that CloudFormation template, you would see something like this. This is an AWS CloudWatch Metric Filter that is defined within a CloudFormation template in JSON format. The important thing to notice is what is highlighted in white there – I’m filtering CloudTrail event records for the “EventName” of StopLogging. I can then use this metric in combination with an alarm to send me a notification when it is detected.
  • #42: Josh: Here is a CloudWatch Alarm for the previous metric filter.
  • #43: Josh: Now let’s investigate. As CloudTrail will log the event “StopLogging”, we can see who made the request to do this. So if we pull up the CloudTrail event, we can see the IAM user named ‘reinvent-sc308’ was the user who made this request and the request originated from 55.55.55.55.
  • #44: Josh: So now that we know what happened, how could we protect this from happening in the future? Well, we could simply add an IAM policy to our IAM Groups or Roles in order to deny permissions we don’t want our users to have.
  • #45: Beetle: When you look in your CloudTrail logs, this is a snippet of what the MFA Deactivate request would look like. Notice the EventName is “DeactivateMFADevice”.
  • #46: Josh: But how can we force individuals to use their MFA devices? Well, we have a blog post that talks about that specifically. I’d recommend you check it out: http://blogs.aws.amazon.com/security/post/Tx2SJJYE082KBUK/How-to-Delegate-Management-of-Multi-Factor-Authentication-to-AWS-IAM-Users ----- Meeting Notes (10/6/15 11:53) ----- screenshot of blog post?
  • #47: [Josh] So some customers would prefer to know when unapproved AMIs are launched. So how can we detect this? Well, we’d want to compare each launched instance’s AMI against a whitelist of approved AMI IDs. What is the best way? A whitelist could be rather long…
  • #48: [Josh] So let’s look at a flow diagram of how this works. We configure AWS CloudTrail to send logs to our Amazon S3 bucket. We then want Amazon S3 to send event notifications to Amazon SNS whenever a new log is deposited in the bucket. The SNS topic can have multiple Lambda subscribers, which can then each check and react to different things.