@zinimanboazz@amazon.com

SecurityBestPractices

January2018

BoazZiniman- TechnicalEvangelist- AWS

LocalEvents:https://aws.amazon.com/events/aws-israel/

JourneyThroughtheCloud

Learn from the journeys taken by other AWS customers

Discover best practices that you can use to bootstrap your projects

Common use cases and adoption models for the AWS Cloud

SecurityBestPractices

• Architectedtobeoneofthemostflexibleandsecurecloudenvironments

• Removesmanyofthesecurityheadachesthatcomewithinfrastructure

• BuiltinSecurityFeatures

Agenda

• SharingtheSecurityResponsibility• OverviewofAWSSecurityFeatures• CurrentRecommendations• VerifyingourSecurity• CaseStudies&UsefulResources

AWSsecurityapproach

SizeofAWSsecurityteam

Visibilityintousage&resources

IncreasingyourSecurityPostureintheCloud

https://aws.amazon.com/security

BroadAccreditations&Certifications

https://aws.amazon.com/compliance

Partnerecosystem Customerecosystem Everyonebenefits

SecurityBenefitsfromCommunityNetworkEffect

SHARINGTHESECURITYRESPONSIBILITY

§ LetAWSdotheheavylifting§ Focusonwhat’smostvaluabletoyourbusiness

• Customer• ChoiceofGuestOS• ApplicationConfigurationOptions• AccountManagementflexibility• SecurityGroups• ACLs• IdentityManagement

• AWS• Facilityoperations• PhysicalSecurity• PhysicalInfrastructure• NetworkInfrastructure• VirtualisationInfrastructure• Hardwarelifecyclemanagement

SharedSecurityModel

Such as Amazon EC2, Amazon EBS, and Amazon VPC

SharedSecurityModel:InfrastructureServices

Such as Amazon RDS and Amazon EMR

SharedSecurityModel:ContainerServices

Such as Amazon S3 and Amazon DynamoDB

SharedSecurityModel:AbstractedServices

AWSSECURITYFEATURES

SECUREACCESSAPIENDPOINTSUSETLS

BUILT-INFIREWALLSYOUCONTROLACCESSTOYOURINSTANCES

APPLICATIONPROTECTIONCONTROLACCESSTOYOUAPPLEVEL

ROLE-BASEDACCESSCONTROLWITHFINE-GRAINEDPERMISSIONS

MULTI-FACTORAUTHENTICATION

BUILTIN

PRIVATESUBNETSWITHINYOURAWSVIRTUALPRIVATECLOUD

ENCRYPTYOURDATAATREST

USINGAES256BITENCRYPTIONKEYS

KMS&CLOUDHSMAHIGHLYSECUREWAYTOSTOREKEYS

DEDICATEDCONNECTIONANOPTIONWITHAWSDIRECTCONNECT

SECURITYLOGSAWSCLOUDTRAIL,AWSCONFIG&AMAZONCLOUDWATCHLOGS

TRUSTEDADVISORYOURCUSTOMISEDCLOUDEXPERT

ADVANCEDTOOLSYOUROWNSECURITYGUARD

CURRENTRECOMMENDATIONS

KnowtheAWSSharedResponsibilityModelBuildyoursystemsusingAWSasthefoundation&architectusinganISMSthattakesadvantageofAWSfeatures

RegionsAnindependentcollectionofAWSresourcesinadefinedgeographyAsolidfoundationformeetinglocation-dependentprivacyandcompliancerequirements

AvailabilityZonesDesignedasindependentfailurezonesPhysicallyseparatedwithinatypicalmetropolitanregion

UnderstandtheAWSSecureGlobalInfrastructureRegions,AvailabilityZonesandEndpoints

UnderstandtheAWSSecureGlobalInfrastructureUsingtheIAMservice

AWSIdentityandAccessManagement(IAM)enablesyoutosecurelycontrolaccesstoAWSservicesandresourcesforyourusers.

UsingIAM,youcancreateandmanageAWSusersandgroupsandusepermissionstoallowanddenytheiraccesstoAWSresourcesviacredentialssuchasaccesskeys,passwordsandmulti-factorauthenticationdevices.

YoucanalsofederatewithSAMLtoyourownpre-existingdirectoriesofuseraccountinformation,suchasOpenLDAPorActiveDirectory

http://docs.aws.amazon.com/IAM/latest/UserGuide/IAMBestPractices.html

DefineandCategorise AssetsonAWS

Identifyalltheinformationassetsthatyouneedtoprotect

DesignYourISMStoProtectYourAssetsonAWSEstablishastandardforimplementing,operating,monitoring,reviewing,maintaining&improvingyourinformationsecuritymanagementsyste

AWSAccountYourAWSaccountrepresentsabusinessrelationshipbetweenyouandAWS.AWSaccountshaverootpermissionstoallAWSresourcesandservices,sotheyareverypowerful.

IAMUsersWithIAMyoucancreatemultipleusers,eachwithindividualsecuritycredentials,allcontrolledunderasingleAWSaccount.IAMuserscanbeaperson,service,orapplicationthatneedsaccesstoyourAWSresourcesthroughthemanagementconsole,CLI,ordirectlyviaAPIs.

ManageAWSAccounts,IAMUsers,Groups&RolesOperateundertheprincipleofLeastPrivilege

ManageAWSAccounts,IAMUsers,Groups&RolesStrategiesforusingmultipleAWSaccounts

Business Requirement Proposed Design Comments

Centralised security management Single AWS Account Centralize information security management and minimize overhead.

Separation of production, development & testing accounts Three AWS Accounts Create one AWS account for production services, one for development and one for testing

Multiple autonomous departments Multiple AWS Accounts Create separate AWS accounts for each autonomous part of the organization. You can assign permissions and policies under each account

Centralized security management with multiple autonomous independent projects

Multiple AWS Accounts Create a single AWS account for common project resources (such as DNS services, Active Directory, CMS etc.). Then create separate AWS accounts per project. You can assign permissions and policies under each project account and grant access to resources across accounts.

ManageAWSAccounts,IAMUsers,Groups&RolesDelegationusingIAMRolesandTemporarySecurityCredentials

Applications on Amazon EC2 and other services that need to access AWS resourcesCross Account AccessIdentity Federation

http://docs.aws.amazon.com/STS/latest/APIReference/Welcome.html

ManageAWSAccounts,IAMUsers,Groups&RolesControlmultipleaccountswithAmazonOrganizations

Centrally manage policies across multiple AWS accounts

Automate AWS account creation and management

Control access to AWS services

AmazonEC2KeyPairsUsedtoauthenticateSSHaccesstoLinuxinstancesandtogeneratetheinitialadministratorpasswordonWindowsinstances.

Ifyouhavehighersecurityrequirements,youarefreetoimplementalternativeauthenticationmechanismsanddisableAmazonEC2KeyPairAuthentication

ManageOS-levelAccesstoAmazonEC2InstancesYouownthecredentials,butAWShelpsyoubootstrapinitialaccesstotheOS

ResourceAccessAuthorisationUsersorIAMRolescanonlyaccessresourcesafterauthentication

Fine-grainedresourcespoliciescanrestrictusersorpermituserstoaccessonlytheresourcesthatyouspecify

{"Effect": "Allow”,"Action": ["s3:GetObject”,"s3:PutObject”],"Resource": ["arn:aws:s3:::myBucket/amazon/snakegame/${cognito-identity.amazonaws.com:sub}"]

}

SecureYourData

Atrest&intransit

SecureYourData

Atrest&intransit

ProtectingDataatRestOptionsdifferbyAWSService.AmazonS3– ServersideencryptionwithAmazonS3managedkeys,yourownencryptionkeyswithCustomer-ProvidedKeys(SSE-C),orkeysmanagedbyKMS

AmazonEBS– usevolumeencryptionprovidedbyyouroperatingsystemorKMS.Forexample,WindowsEFSorMicrosoftWindowsBitlocker,Linuxdm-crypt,CloudHSMoron-premiseHSMwithSafeNetProtectV

AmazonRDS– usedatabasespecificcryptographicfunctions,orKMSEMR/DynamoDB– seeSecurityBestPracticesWhitepaperforoptions

OS Hardening and UpdatesUse of Amazon Machine Images (AMIs) makes it easy to deploy standardized operating system and application builds

Amazon provides and maintains a preconfigured set of AMIs, but you are also free to create your own and use these as the basis for EC2 instances that you deploy

Standard OS hardening principles (eg CIS Benchmarks, DISA STIGs) can and should be applied to the operating systems that you chose to run on EC2 instances

There are lots more detailed recommendations for securing your OS environment in the AWS Security Best Practices Whitepaper

SecureYourOperatingSystems&ApplicationsWiththesharedresponsibilitymodelyoumanageoperatingsystems&applicationsecurity

AmazonVirtualPrivateCloud(VPC)CreateprivatecloudswithLayer2separation,withintheAWSCloud

UseyourownIPaddressspace,allocatedbyyou.UseRFC1918privateaddressspacefornon-internet-routablenetworks

ConnecttoyourVPCviatheInternet,IPsecovertheInternet,AWSDirectConnect,AWSDirectConnectwithIPsecoracombinationofthese.Defineyourownsubnettopology,routingtableandcreatecustomserviceinstancessuchasDNSortimeservers

SecureYourInfrastructure

UsingAWSplatformfeatures

SecureYourInfrastructure

UsingAWSplatformfeatures

SecurityZoningandNetworkSegmentationNetworksegmentationsimplyisolatesonenetworkfromanother

Securityzonesaregroupsofsystemcomponentswithsimilarsecuritylevelsthathavecommoncontrolsappliedtothem

CombineAWSplatformsecurityfeatureswithyourownoverlayinfrastructurecomponentssuchasrepositories,DNS&timeserverstosegmentnetworksandcreatesecurityzones

TheAWSelasticcloudinfrastructure&automateddeploymenttoolsmeanthatyoucanapplythesamesecuritycontrolsacrossallAWSregionsRepeatableanduniformdeploymentsimproveyouroverallsecurityposture

ImplementOS&HigherLevelMonitoringLogsmaybegeneratedbyavarietyofnetworkcomponentsaswellasoperatingsystems,platformsandapplicationsWerecommendloggingandanalysisofthefollowingeventtypes:• Actionstakenbyanyindividualwithrootoradministrativeprivileges• Accesstoallaudittrails• Invalidlogicalaccessattempts• Useofidentificationandauthenticationmechanisms• Initialisationofauditlogs• Creation,deletionandmodificationofsystemlevelobjects

Area Consideration

Log collection Note how log files are collected. Often operating system, application, or third-party/middleware agents collect log file information

Log transport When log files are centralized, transfer them to the central location in a secure, reliable, and timely fashion

Log storage Centralize log files from multiple instances to facilitate retention policies, as well as analysis and correlation

Log taxonomy Present different categories of log files in a format suitable for analysis

Log analysis/correlation

Log files provide security intelligence after you analyze them and correlate events in them. You can analyze logs in real time, or at scheduled intervals.

Log protection/security

Log files are sensitive. Protect them through network control, identity and access management, protection/ encryption, data integrity authentication, and tamper-proof time-stamping

Monitoring,Alerting,AuditTrail&IncidentResponseAdaptexistingprocesses,tools&methodologiesforuseinthecloud

Monitoring,Alerting,AuditTrail&IncidentResponseAdaptexistingprocesses,tools&methodologiesforuseinthecloud

UseCloudWatchLogstoCentraliseYourLogsCloudWatchLogsenablesyoutomonitorandtroubleshootyoursystemsandapplicationsusingyourexistingsystem,application,andcustomlogfiles.

Sendyourexistingsystem,application,andcustomlogfilestoCloudWatchLogsviaouragent,andmonitortheselogsinnearreal-time.

Thiscanhelpyoubetterunderstandandoperateyoursystemsandapplications,andyoucanstoreyourlogsusinghighlydurable,low-coststorageforlateraccess

Area Consideration

Log collection Note how log files are collected. Often operating system, application, or third-party/middleware agents collect log file information

Log transport When log files are centralized, transfer them to the central location in a secure, reliable, and timely fashion

Log storage Centralize log files from multiple instances to facilitate retention policies, as well as analysis and correlation

Log taxonomy Present different categories of log files in a format suitable for analysis

Log analysis/correlation

Log files provide security intelligence after you analyze them and correlate events in them. You can analyze logs in real time, or at scheduled intervals.

Log protection/security

Log files are sensitive. Protect them through network control, identity and access management, protection/ encryption, data integrity authentication, and tamper-proof time-stamping

Monitoring,Alerting,AuditTrail&IncidentResponseAdaptexistingprocesses,tools&methodologiesforuseinthecloud

UseCloudTrailtoRecordAWSAPICallsAWSCloudTrailisawebservicethatrecordsAWSAPIcallsforyouraccountanddeliverslogfilestoyou.

TherecordedinformationincludestheidentityoftheAPIcaller,thetimeoftheAPIcall,thesourceIPaddressoftheAPIcaller,therequestparameters,andtheresponseelementsreturnedbytheAWSservice.

WithCloudTrail,youcangetahistoryofAWSAPIcallsforyouraccount.TheAWSAPIcallhistoryproducedbyCloudTrailenablessecurityanalysis,resourcechangetracking,andcomplianceauditing.

RESOURCESYOUCANUSETOLEARNMORE

aws.amazon.com/security/

AWSTechnicalDocumentation

https://aws.amazon.com/blogs/security/

IntroductiontoAWSSecurity

SecurityatScale:GovernanceinAWS

SecurityatScale:LogginginAWS

AWSSecurityBestPractices

SecuringDataatRestwithEncryption

AWSAnswerstoKeyComplianceQuestions

AWSSecurityWhitePapers

https://aws.amazon.com/whitepapers/#security

aws.amazon.com/architecture/

CertificationSelf-PacedLabs

aws.amazon.com/training

Tryproducts,gainnewskills,andgethands-onpracticeworkingwith

AWStechnologies

Training

ValidateyourprovenskillsandexpertisewiththeAWSplatform

Buildtechnicalexpertisetodesignandoperatescalable,efficient

applicationsonAWS

AWSTraining&Certification

aws.amazon.com/training/self-paced-labs

aws.amazon.com/certification

https://aws.amazon.com/summits/summit-tel-aviv/

@zinimanboazz@amazon.com

ThankYou!January2018

BoazZiniman- TechnicalEvangelist- AWS

FullSeries:http://bit.ly/JTTCloudHeb

https://aws.amazon.com/summits/summit-tel-aviv/