
AMAZON WEB SERVICES (AWS) SERVICES OVERVIEW & SECURITY TIPS

ENTREPRENEUR | CISO ADVISOR | CYBERFEMINIST | PEERLYST BRAND AMBASSADOR | TOP 50 CYBER INFLUENCER | @RESPONSIBLE CYBER

MAGDA LILIA CHELLY

AGENDA

• AWS SERVICES OVERVIEW
• REGIONS & AVAILABILITY ZONES
• VIRTUAL PRIVATE CLOUD (VPC)
• ELASTIC COMPUTE CLOUD (EC2)
• AWS OBJECT STORAGE: S3, AND GLACIER
• IDENTITY AND ACCESS MANAGEMENT (IAM) & SECURITY GROUPS
• CONTENT DELIVERY NETWORK (CDN)
• VERSIONING & ENCRYPTION

AWS SERVICES OVERVIEW

Amazon Web Services offers on-demand cloud computing services to individuals, companies and governments, on a paid subscription basis, with an option available for 12 months.

APPLICATION | PLATFORM | INFRASTRUCTURE

AWS SERVICES OVERVIEW

Source: https://en.wikipedia.org/wiki/Cloud_computing#/media/File:Cloud_computing.svg

1. Infrastructure as a Service (IaaS): servers, virtual machines, storage, networks, etc. provided by the cloud provider and billed per usage.

2. Platform as a Service (PaaS): access to a ready-made environment for developing, testing, delivering and managing software, billed per usage.

3. Software as a Service (SaaS): access to applications over the Internet, for example Gmail or Office365, billed per usage.

AWS SERVICES OVERVIEW

WHAT DO YOU NEED?
WHAT REGULATION IS YOUR BUSINESS SUBJECT TO?
WHAT IS YOUR RESPONSIBILITY?
WHERE DO YOU NEED THESE SERVICES?

FIRST QUESTION - WHAT DO YOU NEED?

WHAT DO YOU NEED?

Before starting the course and your implementation, it is very important to understand your choice, and what you and your business need in terms of architecture and approach.

• Infrastructure as a Service (IaaS)
• Platform as a Service (PaaS)
• Software as a Service (SaaS)
• Private cloud
• Public cloud
• Hybrid cloud

SECOND QUESTION - WHAT REGULATIONS IS YOUR BUSINESS SUBJECT TO?

WHAT REGULATIONS IS YOUR BUSINESS SUBJECT TO?

AWS provides good support in terms of good practices and guidelines for business compliance with local regulations.

For Singapore, financial institutions are highly regulated by the Monetary Authority of Singapore (MAS). A publicly available document, the AWS User Guide to Financial Services Regulations & Guidelines in Singapore, supports the deployment and configuration of AWS services.

You can download the guide from the link:
https://d0.awsstatic.com/whitepapers/compliance/Financial_Services_Regulations_Guidelines_in_Singapore.pdf

WHAT REGULATIONS IS YOUR BUSINESS SUBJECT TO?

AWS also offers a list of access-controlled documents relevant to compliance and security, called AWS Artifact.

The list is easily accessible with an admin account, and you can download the corresponding document and follow its instructions.

https://console.aws.amazon.com/artifact

THIRD QUESTION - WHAT IS YOUR RESPONSIBILITY?

WHAT IS YOUR RESPONSIBILITY?

Source: https://d0.awsstatic.com/whitepapers/compliance/Financial_Services_Regulations_Guidelines_in_Singapore.pdf

FOURTH QUESTION - WHERE DO YOU NEED THESE SERVICES?

REGIONS & AVAILABILITY ZONES

http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Concepts.RegionsAndAvailabilityZones.html

AWS services are hosted worldwide in several locations. These locations are composed of Regions and Availability Zones.

Region = one geographical area
Availability Zone = a separate location within a geographical area

Example: https://ec2.ap-south-1.amazonaws.com (the EC2 endpoint for the ap-south-1 region)

REGIONS & AVAILABILITY ZONES

https://aws.amazon.com/about-aws/global-infrastructure/regional-product-services

Regions are an important point for AWS implementation and deployment. Your choices might vary depending on the region considered, as not all services are available in every region.

Example: Glacier is not available in Singapore.

AWS SERVICES OVERVIEW

YOU ARE AWESOMELY GETTING THERE … ☺

LET’S CHECK THE SECURITY TIPS
LET’S REMEMBER THE IMPORTANT BASICS
LET’S RECAP

VIRTUAL PRIVATE CLOUD (VPC)

AMAZON VIRTUAL PRIVATE CLOUD (VPC)

Amazon Virtual Private Cloud (VPC) – What is it?

Amazon Virtual Private Cloud (Amazon VPC) lets you provision a logically isolated section of the Amazon Web Services (AWS) cloud.

You can select your own IP address range, create subnets, and configure route tables and network gateways.

You can use both IPv4 and IPv6 in your VPC for secure and easy access to resources and applications.

AMAZON VIRTUAL PRIVATE CLOUD (VPC)

This is an example of a simple architecture with the different services, including a VPC.

Inside the VPC, we have two different subnets, a router, and an Internet Gateway.

It is definitely recommended to use a public subnet with an Internet Gateway for Internet access.

ELASTIC COMPUTE CLOUD (EC2)

Elastic Compute Cloud (EC2) – What is it?

EC2 is a web service that provides secure, resizable compute capacity in the cloud.

The different EC2 instance types provide various CPUs, memory capacities, storage types, and networking capacity.

An instance type can be changed only if the instance has an Elastic Block Store (EBS) volume as its root device.

Example:

Instance Type | vCPU | Memory (GiB) | Storage (GB) | Networking Performance | Physical Processor | Clock Speed (GHz)
t2.nano       | 1    | 0.5          | EBS Only     | Low                    | Intel Xeon family  | up to 3.3
t2.micro      | 1    | 1            | EBS Only     | Low to Moderate        | Intel Xeon family  | up to 3.3

ELASTIC COMPUTE CLOUD (EC2)

Amazon Elastic Block Store (Amazon EBS) – What is it?

Amazon Elastic Block Store (Amazon EBS) provides block storage volumes for Amazon EC2 instances.

Data stored on an Amazon EBS volume can persist after instance termination, independently of the instance's life.

EBS has four types of storage:
• Provisioned IOPS SSD (io1)
• General Purpose SSD (gp2)
• Throughput Optimized HDD (st1)
• Cold HDD (sc1)

You cannot detach an instance store volume and attach it to another instance.

ELASTIC COMPUTE CLOUD (EC2)

Elastic Compute Cloud (EC2) – Some Tips

The "Enable termination protection" option protects an EC2 instance against accidental termination.

To enable termination protection for an instance at launch time:
• Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.
• On the dashboard, choose Launch Instance and follow the directions in the wizard.
• On the Configure Instance Details page, select the Enable termination protection check box.

To enable termination protection for a running or stopped instance:
• Select the instance, choose Actions, Instance Settings, and then choose Change Termination Protection.
• Select Yes, Enable.

In addition, enable backups, and output data to another AWS service.

ELASTIC COMPUTE CLOUD (EC2)

If you need to copy an EC2 instance to another region, you can create an Amazon Machine Image (AMI). The AMI can then be deployed, as it represents a high performance execution environment for applications running on EC2 and contains all the information needed to launch an instance.

The most secure option to connect to instances without Internet connectivity in a private subnet of a VPC is a bastion host.

Bastion hosts are instances within your public subnet and are typically accessed using SSH or RDP. Once remote connectivity has been established with the bastion host, it behaves like a bridge, allowing you to use SSH or RDP to log in to other instances (within private subnets) in your network.

You can use the bastion as a bridge, together with security groups and NACLs, to access other private instances.

ELASTIC COMPUTE CLOUD (EC2)

A placement group is a logical grouping of instances within a single Availability Zone, used to achieve high performance computing with low-latency network performance.

There is a soft limit of 20 instances per region. You can submit the limit increase form and retry the failed requests once approved.

AWS OBJECT STORAGE: S3, AND GLACIER

AWS provides various storage options – What are they?

Let’s focus on the four below:

• S3 Amazon Simple Storage Service, minimum object storage size is 0 B
• S3 Standard - Infrequent Access (Standard - IA), minimum object storage size is 128 KB
• Amazon S3 Reduced Redundancy Storage, minimum object storage size is 128 KB
• Glacier

AWS OBJECT STORAGE: S3, AND GLACIER

AWS provides various storage options – Some Tips

AWS RRS provides the same functionality as AWS S3, but is cheaper. It is ideally suited for non-mission-critical applications, such as files which can be reproduced.

Example: Storing image thumbnails can be a good use case for storing content in AWS RRS.

AWS OBJECT STORAGE: S3, AND GLACIER

Key points to remember regarding an S3 bucket are:

• S3 is object-based storage: it stores files, for example, not operating systems. It can store files from 0 to 5 TB
• Bucket names are universal, and therefore need to be unique
• An HTTP 200 code is the confirmation of a successful data upload
• When you upload a new object, it is immediately available - read-after-write consistency
• If you change or delete an object in the bucket, the change might not be visible immediately; it might take a few minutes - eventual consistency for overwrite PUTs and DELETEs
• No partial or damaged/corrupted objects when uploading, updating, or deleting
• Encryption is enabled

AWS OBJECT STORAGE: S3, AND GLACIER

Implementing versioning and lifecycle rules is key to preventing data loss.

Accidental deletion of data from an S3 bucket can be avoided by:
• Enabling versioning
• Enabling MFA access

IDENTITY AND ACCESS MANAGEMENT (IAM) & SECURITY GROUPS

Identity and Access Management (IAM) – What is it?

Access control is one of the most important security controls to put in place, and therefore we can check the important points below offered by AWS services.

You can define your Identity and Access Management rules, and create Security Groups to control and limit access to the resources.

The Statement element is the main element of an IAM policy and is mandatory. Elements such as Condition, Version and Id are not required.

IDENTITY AND ACCESS MANAGEMENT (IAM) & SECURITY GROUPS

You will have:
• Centralised control of your AWS account (I recommend hardware MFA for the root account)
• Granular permissions
• Identity federation, including Active Directory
• Multi-factor authentication
• Password policies
• PCI DSS compliance

IDENTITY AND ACCESS MANAGEMENT (IAM) & SECURITY GROUPS

Identity and Access Management (IAM) – Some Tips

I highly encourage the use of a hardware MFA or a virtual MFA device, for example Google Authenticator, for your access control.

https://aws.amazon.com/iam/details/mfa

IDENTITY AND ACCESS MANAGEMENT (IAM) & SECURITY GROUPS

When you create a new user, a pair of access keys is generated if this option is enabled. Make sure that you do not enable it if it is not necessary. Access keys do not allow a user to connect to the console, but they do allow access through the API.
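The MFA and access-key tips above can be checked against the IAM credential report. The following is an added example (not part of the original slides) that audits a constructed report in the report's real column layout, reduced to the columns it uses; all account ids, user names and dates are invented.

```python
"""Audit an IAM credential report for the deck's tips: console users should have MFA,
the root account should hold no access keys, and access keys should exist only where
they are needed.  Added example, not part of the original slides."""
import csv
import io
from typing import Dict, List

# Constructed sample.  Column names and order follow the real IAM credential report
# (get-credential-report), reduced to the columns used here; all values are invented.
SAMPLE_REPORT = """\
user,arn,password_enabled,mfa_active,access_key_1_active,access_key_1_last_used_date,access_key_2_active,access_key_2_last_used_date
<root_account>,arn:aws:iam::111122223333:root,not_supported,false,true,2017-08-30T09:00:00+00:00,false,N/A
alice,arn:aws:iam::111122223333:user/alice,true,true,false,N/A,false,N/A
bob,arn:aws:iam::111122223333:user/bob,true,false,true,N/A,false,N/A
deploy-bot,arn:aws:iam::111122223333:user/deploy-bot,false,false,true,2017-09-01T03:00:00+00:00,false,N/A
"""

def audit_credential_report(report_csv: str) -> Dict[str, List[str]]:
    """Return {user: [findings]} for every principal that violates one of the tips."""
    findings: Dict[str, List[str]] = {}
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        is_root = user == "<root_account>"
        # The root row reports password_enabled as not_supported; root always has console access.
        console = is_root or row["password_enabled"] == "true"
        mfa = row["mfa_active"] == "true"
        key1 = row["access_key_1_active"] == "true"
        key2 = row["access_key_2_active"] == "true"
        issues = []
        if console and not mfa:
            issues.append("console access without MFA")
        if is_root and (key1 or key2):
            issues.append("root account has active access keys")
        if console and (key1 or key2) and not is_root:
            issues.append("console user also holds API access keys; keep keys only where needed")
        # An active key that has never been used was enabled without being necessary.
        if key1 and row["access_key_1_last_used_date"] == "N/A":
            issues.append("access key 1 active but never used")
        if key2 and row["access_key_2_last_used_date"] == "N/A":
            issues.append("access key 2 active but never used")
        if issues:
            findings[user] = issues
    return findings

if __name__ == "__main__":
    for user, issues in audit_credential_report(SAMPLE_REPORT).items():
        print(user, "->", "; ".join(issues))
```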

IDENTITY AND ACCESS MANAGEMENT (IAM) & SECURITY GROUPS

AWS best practices advise a password length of 14 characters.

I recommend using at least 12 characters, complexity, password expiration, and no password reuse.

It is possible to create an AMI while an instance is running ONLY if the "no reboot" option is checked.

IDENTITY AND ACCESS MANAGEMENT (IAM) & SECURITY GROUPS

Another access control measure is Security Groups. This is in fact one of the main controls.

I highly recommend adding Network Access Control Lists as an additional layer of security.

Security Group vs Network ACL

Security Group: Operates at the instance level (first layer of defense)
Network ACL:    Operates at the subnet level (second layer of defense)

Security Group: Supports allow rules only
Network ACL:    Supports allow rules and deny rules

Security Group: Is stateful: return traffic is automatically allowed, regardless of any rules
Network ACL:    Is stateless: return traffic must be explicitly allowed by rules

Security Group: All rules are evaluated before deciding whether to allow traffic
Network ACL:    Rules are processed in number order when deciding whether to allow traffic

Security Group: Applies to an instance only if someone specifies the security group when launching the instance, or associates the security group with the instance later on
Network ACL:    Automatically applies to all instances in the subnets it is associated with (backup layer of defense, so you don't have to rely on someone specifying the security group)

http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Security.html

IDENTITY AND ACCESS MANAGEMENT (IAM) & SECURITY GROUPS

Outbound ports should be enabled on the NACL when an instance needs to be accessible by everyone, even if inbound port 80 is allowed.

The Source/Destination check should be disabled when a custom NAT instance is launched, even after configuring security groups and NACLs.

Instances should have either a public IP or an Elastic IP to be able to reach the Internet. You can have one Elastic IP address associated with a running instance at no charge. You can also check the associated IP through the instance metadata.

For an instance to be able to connect to the Internet through an Internet Gateway from a public subnet, a route should be created for 0.0.0.0/0 with your Internet Gateway as target.
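The comparison table (stateful, allow-only security groups versus stateless, numbered network ACLs) and the tip above about outbound ports on the NACL can be seen together in a small model. This is an added example, not code from the original slides or from AWS; the rule and flow structures and the addresses are constructed, and CIDR matching is reduced to exact string comparison.

```python
"""Model the Security Group vs Network ACL comparison on the deck: a security group is
stateful and allow-only, a network ACL is stateless, numbered, and supports deny rules.
Added example, not from the original slides; rule and flow shapes and addresses are constructed."""
from typing import Dict, List, NamedTuple

class Flow(NamedTuple):
    direction: str    # "in" or "out", seen from the instance
    proto: str
    port: int         # destination port of this packet
    cidr: str         # remote prefix; exact-string match is enough for this model
    reply: bool       # True if this packet answers a flow that was already allowed

class Rule(NamedTuple):
    number: int       # NACL rule number (ignored by security groups)
    direction: str
    proto: str
    port_from: int
    port_to: int
    cidr: str
    action: str       # "allow" or "deny"; security groups accept "allow" only

def _matches(rule: Rule, flow: Flow) -> bool:
    return (rule.direction == flow.direction and rule.proto in (flow.proto, "all")
            and rule.port_from <= flow.port <= rule.port_to
            and rule.cidr in (flow.cidr, "0.0.0.0/0"))

def security_group_allows(rules: List[Rule], flow: Flow) -> bool:
    """Stateful: replies pass regardless of rules; otherwise any matching allow rule is enough."""
    if any(r.action != "allow" for r in rules):
        raise ValueError("security groups support allow rules only")
    return flow.reply or any(_matches(r, flow) for r in rules)

def nacl_allows(rules: List[Rule], flow: Flow) -> bool:
    """Stateless: replies are judged like any packet; first match in number order decides, else deny."""
    for r in sorted(rules, key=lambda r: r.number):
        if _matches(r, flow):
            return r.action == "allow"
    return False

def demo() -> Dict[str, bool]:
    web_in = Flow("in", "tcp", 80, "203.0.113.0/24", reply=False)
    blocked_in = Flow("in", "tcp", 80, "198.51.100.0/24", reply=False)
    reply_out = Flow("out", "tcp", 51234, "203.0.113.0/24", reply=True)   # ephemeral port
    sg = [Rule(0, "in", "tcp", 80, 80, "0.0.0.0/0", "allow")]
    nacl = [Rule(90, "in", "tcp", 80, 80, "198.51.100.0/24", "deny"),
            Rule(100, "in", "tcp", 80, 80, "0.0.0.0/0", "allow")]
    # The deck's tip: open outbound (ephemeral) ports on the NACL, or replies never leave.
    nacl_fixed = nacl + [Rule(100, "out", "tcp", 1024, 65535, "0.0.0.0/0", "allow")]
    return {"sg_web": security_group_allows(sg, web_in),
            "sg_reply": security_group_allows(sg, reply_out),
            "nacl_web": nacl_allows(nacl, web_in),
            "nacl_blocked_by_rule_90": nacl_allows(nacl, blocked_in),
            "nacl_reply_without_outbound_rule": nacl_allows(nacl, reply_out),
            "nacl_reply_with_outbound_rule": nacl_allows(nacl_fixed, reply_out)}
```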

IDENTITY AND ACCESS MANAGEMENT (IAM) & SECURITY GROUPS

Here you can find a great example of the difference between ACLs and Security Groups.

Security groups: act as a firewall for Amazon EC2 instances.

Network access control lists (ACLs): act as a firewall for subnets.

Changes to Security Group rules are automatically applied after a short period.

IDENTITY AND ACCESS MANAGEMENT (IAM) & SECURITY GROUPS

By default, security groups are configured as below:
• Allow no inbound traffic
• Allow all outbound traffic
• Allow instances associated with this security group to communicate

You can create an IAM role with two attached policies to delegate permission to access a resource. The permissions policy grants the permissions needed for the desired task on the resource, and the trust policy indicates which trusted accounts are allowed to grant their users permission to assume the role.
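The role described above needs exactly these two documents, and both follow the policy structure noted earlier on the deck (Statement mandatory; Version, Id and Condition optional). The following is an added example, not code from the original slides or from AWS: it builds a trust policy and a permissions policy and checks their structure; the account id 111122223333, the bucket name and the Sid are constructed placeholders.

```python
"""Build the two policy documents an IAM role needs for delegation (trust policy and
permissions policy) and check each against the structural rule from the deck: Statement
is mandatory, Version, Id and Condition are optional.  Added example, not from the
original slides; the account id, bucket name and Sid are constructed placeholders."""
from typing import List

def trust_policy(trusted_account: str) -> dict:
    """Trust policy: whose users may assume the role.  The optional Condition element
    additionally requires the caller to have authenticated with MFA."""
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow",
                           "Principal": {"AWS": f"arn:aws:iam::{trusted_account}:root"},
                           "Action": "sts:AssumeRole",
                           "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}}]}

def permissions_policy(bucket: str) -> dict:
    """Permissions policy: the task the role may perform, here read-only on one bucket."""
    return {"Version": "2012-10-17",
            "Statement": [{"Sid": "ReadReports", "Effect": "Allow",
                           "Action": ["s3:GetObject", "s3:ListBucket"],
                           "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"]}]}

def policy_problems(policy: dict, trust: bool = False) -> List[str]:
    """Return structural problems; an empty list means the document is well formed.
    trust=True applies the extra rule that a trust policy statement names a Principal."""
    problems = []
    unknown = set(policy) - {"Version", "Id", "Statement"}
    if unknown:
        problems.append(f"unknown top-level elements: {sorted(unknown)}")
    statements = policy.get("Statement")
    if statements is None:
        return problems + ["Statement element is missing (it is mandatory)"]
    if isinstance(statements, dict):      # a single statement may be written without a list
        statements = [statements]
    for i, st in enumerate(statements):
        if st.get("Effect") not in ("Allow", "Deny"):
            problems.append(f"statement {i}: Effect must be Allow or Deny")
        if not ({"Action", "NotAction"} & set(st)):
            problems.append(f"statement {i}: Action (or NotAction) is required")
        if trust and not ({"Principal", "NotPrincipal"} & set(st)):
            problems.append(f"statement {i}: a trust policy statement needs a Principal")
        if not trust and not ({"Resource", "NotResource"} & set(st)):
            problems.append(f"statement {i}: an identity policy statement needs a Resource")
    return problems

if __name__ == "__main__":
    print(policy_problems(trust_policy("111122223333"), trust=True))       # []
    print(policy_problems(permissions_policy("example-report-bucket")))    # []
    print(policy_problems({"Version": "2012-10-17"}))                        # Statement missing
```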

CONTENT DELIVERY NETWORK (CDN)

Content Delivery Network – What is it?

Another service provided by AWS that is critical is the CDN, CloudFront. This service is critical when hosting a web application online.

It delivers content by replicating commonly requested files (static content) across a globally distributed set of caching servers.

From my experience, I suggest analysing your business requirements, as you might need additional functionalities.

Amazon CloudFront doesn’t have these features: purge it all, or instant purge, SPDY protocol support, real-time statistics or CDN balancing tech.

VERSIONING & ENCRYPTION

Encryption – What is it?

AWS offers various types of encryption:

At rest:

Server Side Encryption
• S3 Managed Keys – SSE-S3
• AWS Key Management Service – SSE-KMS
• Server Side Encryption with Customer Provided Keys – SSE-C

Client Side Encryption
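The versioning tip from the S3 section and the server-side encryption options listed here are both bucket settings that can be audited. The following is an added example, not code from the original slides or from AWS: it reads constructed bucket settings shaped like the boto3 get_bucket_versioning and get_bucket_encryption responses and reports which buckets lack versioning, MFA Delete or default encryption; bucket names, the account id and the KMS key id are placeholders.

```python
"""Check S3 bucket settings for the deck's two data-protection tips: versioning (with MFA
Delete) against accidental deletion, and server-side encryption at rest (SSE-S3 / SSE-KMS).
Added example, not from the original slides.  The input is a constructed dict shaped like the
boto3 responses of get_bucket_versioning and get_bucket_encryption; bucket names, account id
and key id are placeholders."""
from typing import Dict, List, Optional

# Constructed sample.  get_bucket_encryption raises when no default encryption is configured;
# that case is modelled here as None.  A bucket that never had versioning returns no Status key.
BUCKETS: Dict[str, dict] = {
    "finance-reports": {
        "versioning": {"Status": "Enabled", "MFADelete": "Enabled"},
        "encryption": {"ServerSideEncryptionConfiguration": {"Rules": [
            {"ApplyServerSideEncryptionByDefault": {
                "SSEAlgorithm": "aws:kms",
                "KMSMasterKeyID": "arn:aws:kms:ap-southeast-1:111122223333:key/EXAMPLE-KEY-ID"}}]}}},
    "web-thumbnails": {
        "versioning": {"Status": "Suspended"},
        "encryption": {"ServerSideEncryptionConfiguration": {"Rules": [
            {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}}},
    "scratch-uploads": {"versioning": {}, "encryption": None},
}

def sse_mode(encryption: Optional[dict]) -> Optional[str]:
    """Map a bucket encryption config to the deck's names: 'SSE-S3', 'SSE-KMS' or None."""
    if not encryption:
        return None
    for rule in encryption.get("ServerSideEncryptionConfiguration", {}).get("Rules", []):
        algo = rule.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm")
        if algo == "AES256":
            return "SSE-S3"
        if algo == "aws:kms":
            return "SSE-KMS"
    return None

def bucket_findings(cfg: dict) -> List[str]:
    """Return the gaps against the deck's recommendations for one bucket."""
    findings = []
    versioning = cfg.get("versioning") or {}
    if versioning.get("Status") != "Enabled":
        findings.append("versioning not enabled: deleted or overwritten objects cannot be recovered")
    elif versioning.get("MFADelete") != "Enabled":
        findings.append("MFA Delete not enabled: a single credential can remove object versions")
    if sse_mode(cfg.get("encryption")) is None:
        findings.append("no default server-side encryption at rest")
    return findings

def audit(buckets: Dict[str, dict]) -> Dict[str, List[str]]:
    """Findings per bucket; buckets with an empty list meet both tips."""
    return {name: bucket_findings(cfg) for name, cfg in buckets.items()}
```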

AWS DATABASES

If you need | Consider using | Product type
A managed relational database in the cloud that you can launch in minutes with just a few clicks. | Amazon RDS | Relational Database
A fully managed MySQL and PostgreSQL-compatible relational database with 5X performance and enterprise level features. | Amazon Aurora | Relational Database
A managed NoSQL database that offers extremely fast performance, seamless scalability and reliability. | Amazon DynamoDB | NoSQL Database
A fast, fully managed, petabyte-scale data warehouse at less than a tenth the cost of traditional solutions. | Amazon Redshift | Data Warehouse
To deploy, operate, and scale an in-memory cache based on memcached or Redis in the cloud. | Amazon ElastiCache | In-Memory Cache
Help migrating your databases to AWS easily and inexpensively with zero downtime. | AWS Database Migration Service | Database Migration
To build flexible cloud-native directories for organizing hierarchies of data along multiple dimensions. | Amazon Cloud Directory | Directory

Source: aws.com

MAGDA CHELLY, CYBERFEMINIST, CISSP

MAGDA LILIA CHELLY IS THE MANAGING DIRECTOR OF RESPONSIBLE CYBER BY DAY, AND A CYBER FEMINIST HACKER BY NIGHT. SHE SPEAKS FIVE LANGUAGES FLUENTLY, AND HAS A PHD IN TELECOMMUNICATION ENGINEERING WITH A SUBSEQUENT SPECIALIZATION IN CYBER SECURITY (CISSP).

"Your employees are your company’s biggest asset yet equally represent your weakest link. Empower YOUR people to protect YOUR business with a trusted, value-adding and effective cyber-security provider"

Magda Chelly, CyberFeminist, CISSP

MAGDA WAS RECENTLY NOMINATED AS GLOBAL LEADER OF THE YEAR AT THE WOMEN IN IT AWARDS 2017, AND TOP 50 CYBER SECURITY INFLUENCER, GLOBALLY.

THANK YOU !

PLEASE FEEL FREE TO ASK QUESTIONS OR SHARE YOUR TIPS
