AWS Webcast - Reduce the Attack Surface of Your AWS Deployments
Transcript of AWS Webcast - Reduce the Attack Surface of Your AWS Deployments
December 2, 2014
Reduce the Attack Surface
of your AWS Deployments
Today’s Speakers
Scott Ward, Solutions Architect, Amazon Web Services
Jack Daniel, Strategist, Tenable Network Security
Webinar Overview
• Submit Your Questions using the Q&A tool
• A copy of today’s presentation will be
made available on:
– AWS YouTube Channel: http://bit.ly/1BKni24
What We’ll Cover
• Overview of Amazon Web Services Security
• Vulnerability Management Lifecycle
• Challenges with Traditional Scanning
• Tenable and AWS Integration
• Q&A
Risk Management is a Process
1) Security within AWS
2) Audit Configurations
3) Identify Vulnerabilities
4) Detect Threats
5) Remediation
Why Deploy in AWS?
• Lower Costs: No upfront investment. Save time and money by paying as you go without having to buy, set up and maintain costly and complex infrastructure
• Flexible Capacity: Provision, scale up and scale down capacity as needed, on the fly
• Business Agility: Develop, test and deploy apps faster
Security within AWS
A broad and deep platform that helps customers
build sophisticated, scalable applications
© 2014 Amazon.com, Inc. and its affiliates. All rights reserved. May not be copied, modified or distributed in whole or in part without the express consent of Amazon.com, Inc.
AWS Computing Platform
Shared Responsibility Model
Security experts are a scarce resource; refocus security pros on a subset of the problem
AWS manages:
• Facilities
• Physical security
• Compute infrastructure
• Storage infrastructure
• Network infrastructure
• Virtualization layer (EC2)
• Hardened service endpoints
• Rich IAM capabilities
Customers manage:
• Network configuration
• Security groups
• OS firewalls
• Operating systems
• Application security
• Service configuration
• AuthN & account management
• Authorization policies
AWS + Customers = more secure and compliant systems than any one entity could achieve on its own.
Compliance
• Expert auditors give an unbiased view of compliance
• Constantly engaged; the overall process never stops
• Continuous monitoring
• Nothing better for the entire community than a tough set of customers
Everyone’s Systems and Applications
• The customer community benefits from tough scrutiny, the world-class AWS security team, market-leading capabilities, and constant improvements
(Diagram labels: Customers, Compliance, Security Infrastructure, Requirements)
Defense in Depth
Physical Security of Data Centers
• Amazon has been building large-scale data centers for many years
• Important attributes:
– Non-descript facilities
– Robust perimeter controls
– Strictly controlled physical access: 2 or more levels of two-factor auth
– Controlled, need-based access
– All access is logged and reviewed
– Segregation of duties: employees with physical access don’t have logical privileges
AWS Security Features
EC2 Security
CloudTrail
VPC
S3 and EBS encryption
IAM
Trusted Advisor
New Services
Amazon EC2 Security
• Host operating system
– Individual SSH keyed logins via bastion host for AWS admins
– All accesses logged and audited
• Guest (a.k.a. Instance) operating system
– Customer controlled (customer owns root/admin)
– AWS admins cannot log in
– Customer-generated keypairs
• Stateful firewall
– Mandatory inbound firewall, default deny mode
– Customer controls configuration via Security Groups
• Signed API calls
– Require X.509 certificate or customer’s secret AWS key
• Storage Security
– Disks wiped upon volume creation
– All block storage supports user-implemented encryption
– All storage devices are securely decommissioned
AWS CloudTrail
• Records AWS API calls for your account and delivers log files to you
• Logs delivered (as JSON data) to your S3 bucket
• Region-by-region API log isolation
• Optionally log multiple AWS accounts to your bucket (i.e., cross-account)
• Currently covers API access to 21 different services
• No cost beyond storage of logs
Amazon Virtual Private Cloud (VPC)
• Create a logically isolated environment within AWS
• Specify your private IP address range and divide it into one or more public or private subnets
• Control inbound and outbound access to and from individual subnets using stateless Network Access Control Lists
• Protect your instances with stateful filters for inbound and outbound traffic using Security Groups
• Attach an Elastic IP address to any instance in your VPC so it can optionally be reached directly from the Internet
• Bridge your VPC and your onsite IT infrastructure with an industry-standard encrypted IPsec VPN connection
VPC Network Security Controls
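The difference between the two VPC controls named above (stateless network ACLs on subnets, stateful security groups on instances) is easiest to see by evaluating the same HTTP request and its reply against each. The following is an added example written for this page; it is a small model of the two evaluation rules, not AWS code, and every address, port and rule number in it is constructed for the demo. It also shows one thing the slide does not state outright: a network ACL can express an explicit deny, a security group cannot.

```python
"""Stateful security groups vs. stateless network ACLs (added example, not AWS code)."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int
    inbound: bool  # True: arriving at the instance; False: leaving it


@dataclass(frozen=True)
class Rule:
    proto: str             # "tcp", "udp", or "-1" for all protocols
    cidr: str              # remote address range the rule applies to
    port_from: int
    port_to: int
    action: str = "allow"  # network ACLs may also "deny"; security groups never do
    number: int = 0        # network ACL rule number, evaluated in ascending order


def _matches(rule, remote_ip, proto, port):
    """Does the rule cover this remote address, protocol and destination port?"""
    if rule.proto != "-1" and rule.proto != proto:
        return False
    if ipaddress.ip_address(remote_ip) not in ipaddress.ip_network(rule.cidr):
        return False
    return rule.port_from <= port <= rule.port_to


class NetworkAcl:
    """Stateless subnet filter: each direction judged on its own, lowest rule
    number first, first match wins, implicit deny at the end."""

    def __init__(self, inbound, outbound):
        self.inbound = sorted(inbound, key=lambda r: r.number)
        self.outbound = sorted(outbound, key=lambda r: r.number)

    def allows(self, pkt):
        rules = self.inbound if pkt.inbound else self.outbound
        remote = pkt.src if pkt.inbound else pkt.dst
        for rule in rules:
            if _matches(rule, remote, pkt.proto, pkt.dport):
                return rule.action == "allow"
        return False  # the trailing "*" rule: deny


class SecurityGroup:
    """Stateful instance filter: allow rules only, and the reply to an accepted
    connection passes without needing a rule in the opposite direction."""

    def __init__(self, inbound, outbound):
        self.inbound, self.outbound = list(inbound), list(outbound)
        self._flows = set()  # connection-tracking table of accepted 5-tuples

    def allows(self, pkt):
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto) in self._flows:
            return True  # return traffic of a tracked connection
        rules = self.inbound if pkt.inbound else self.outbound
        remote = pkt.src if pkt.inbound else pkt.dst
        if any(_matches(r, remote, pkt.proto, pkt.dport) for r in rules):
            self._flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto))
            return True
        return False


def http_exchange(client_ip, client_port=51000, server_ip="10.0.1.10"):
    """Constructed request/reply pair: client -> instance:80, then the reply."""
    request = Packet(client_ip, server_ip, "tcp", client_port, 80, inbound=True)
    reply = Packet(server_ip, client_ip, "tcp", 80, client_port, inbound=False)
    return request, reply


def trace(control, request, reply):
    """(request_allowed, reply_allowed) for one control on one exchange."""
    return control.allows(request), control.allows(reply)


def web_security_group():
    # Inbound HTTP from anywhere and no outbound rule at all: the reply still
    # passes because the group tracks the connection.
    return SecurityGroup(inbound=[Rule("tcp", "0.0.0.0/0", 80, 80)], outbound=[])


def web_acl(with_ephemeral=True, blocked_cidr=None):
    inbound = [Rule("tcp", "0.0.0.0/0", 80, 80, number=100)]
    if blocked_cidr:  # an explicit deny, which only a network ACL can express
        inbound.insert(0, Rule("tcp", blocked_cidr, 80, 80, action="deny", number=90))
    # Replies leave the instance towards the client's ephemeral port, so a
    # stateless ACL needs an outbound allow for 1024-65535 or it drops them.
    outbound = [Rule("tcp", "0.0.0.0/0", 1024, 65535, number=100)] if with_ephemeral else []
    return NetworkAcl(inbound, outbound)


if __name__ == "__main__":
    req, rep = http_exchange("203.0.113.5")
    print("security group:             ", trace(web_security_group(), req, rep))
    print("ACL without ephemeral rule: ", trace(web_acl(with_ephemeral=False), req, rep))
    print("ACL with ephemeral rule:    ", trace(web_acl(), req, rep))
    req2, rep2 = http_exchange("198.51.100.7")
    print("ACL denying 198.51.100.0/24:", trace(web_acl(blocked_cidr="198.51.100.0/24"), req2, rep2))
```

Running it shows the two practical consequences: an ACL that forgets the outbound ephemeral-port rule lets the request in but silently drops every reply, and because the ACL is stateless the deny on 198.51.100.0/24 stops the request while the (now pointless) reply direction is still allowed. The model ignores ICMP, IPv6 and the default security group's "allow all outbound" rule, which the real service has.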
S3 and EBS encryption
• AWS-provided encryption for S3 and EBS
– EBS: encrypted at rest and in transit to EC2
• Provide your own encryption keys to S3 for encryption
– Takes the heavy lifting of encryption away while you retain your keys
• Encrypt yourself and manage the keys
AWS Identity and Access Management (IAM)
• Users and groups within accounts
– Unique security credentials: access keys, login/password
– Enforce password complexity
– Optional MFA device
• Policies control access to AWS APIs
– API calls must be signed by either an X.509 certificate or a secret key
• Deep integration into some services
– S3: policies on objects and buckets
• AWS Management Console supports user logon
– Not for operating systems or applications; use LDAP, Active Directory/ADFS, etc.
Trusted Advisor Security Checks
• EC2 security group rules (hosts & ports)
• IAM use
• S3 policies
• MFA
• Password policy
• RDS security groups
• CloudTrail auditing
• Route 53 SPF for email
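The CloudTrail slide says the API log arrives as JSON in your S3 bucket, and the first Trusted Advisor check looks for security group rules that are open to any host. The two fit together: the same condition can be detected from the trail as soon as the change is made, instead of at the next Trusted Advisor refresh. The script below is an added example written for this page, not AWS or Tenable code. It reads a CloudTrail log file (one JSON object with a "Records" list, as CloudTrail delivers it), keeps only successful AuthorizeSecurityGroupIngress calls, and reports every rule whose source is 0.0.0.0/0 or ::/0. The log file, user names and group ids are constructed for the demo; the severity table is an assumption of the example.

```python
"""Flag security-group ingress rules opened to the whole Internet from
CloudTrail records (added example for this page; not AWS or Tenable code)."""
import json

# Ports where a world-open inbound rule is almost always a mistake; the list
# is this example's assumption, not a Trusted Advisor setting.
SENSITIVE_PORTS = {22, 3389, 1433, 3306, 5432}
ANYWHERE = {"0.0.0.0/0", "::/0"}

# Constructed CloudTrail log file: record layout follows the CloudTrail format,
# the users, times and group ids are made up.
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventTime": "2014-12-02T09:15:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress", "awsRegion": "us-east-1",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "requestParameters": {"groupId": "sg-0example1", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
          "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
    {"eventTime": "2014-12-02T09:20:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress", "awsRegion": "us-east-1",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "requestParameters": {"groupId": "sg-0example2", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443,
          "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
    {"eventTime": "2014-12-02T09:25:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress", "awsRegion": "us-east-1",
     "userIdentity": {"type": "IAMUser", "userName": "carol"},
     "requestParameters": {"groupId": "sg-0example3", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 3306, "toPort": 3306,
          "ipRanges": {"items": [{"cidrIp": "10.0.0.0/8"}]}}]}}},
    {"eventTime": "2014-12-02T09:30:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress", "awsRegion": "us-east-1",
     "userIdentity": {"type": "IAMUser", "userName": "dave"},
     "errorCode": "Client.UnauthorizedOperation",  # call was refused: no rule added
     "requestParameters": {"groupId": "sg-0example4", "ipPermissions": {"items": [
         {"ipProtocol": "-1", "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
    {"eventTime": "2014-12-02T09:35:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "awsRegion": "us-east-1",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "requestParameters": {}},
]})


def parse_trail(text):
    """Return the records of one CloudTrail log file."""
    return json.loads(text).get("Records", [])


def _cidrs(perm):
    v4 = (perm.get("ipRanges") or {}).get("items", [])
    v6 = (perm.get("ipv6Ranges") or {}).get("items", [])
    return [r.get("cidrIp") for r in v4] + [r.get("cidrIpv6") for r in v6]


def _ports_and_severity(perm):
    """Describe the port range and rate how bad a world-open rule on it is."""
    if str(perm.get("ipProtocol")) == "-1":
        return "all", "high"  # every protocol and every port
    lo, hi = perm.get("fromPort"), perm.get("toPort")
    if lo is None or hi is None:
        return "all", "high"
    sev = "high" if any(lo <= p <= hi for p in SENSITIVE_PORTS) else "medium"
    return f"{lo}-{hi}", sev


def world_open_ingress(records):
    """One finding per ingress rule that was successfully opened to ANYWHERE."""
    findings = []
    for rec in records:
        if (rec.get("eventSource"), rec.get("eventName")) != (
                "ec2.amazonaws.com", "AuthorizeSecurityGroupIngress"):
            continue
        if rec.get("errorCode"):
            continue  # the API rejected the call, so nothing changed
        params = rec.get("requestParameters") or {}
        who = rec.get("userIdentity") or {}
        for perm in (params.get("ipPermissions") or {}).get("items", []):
            if not any(c in ANYWHERE for c in _cidrs(perm)):
                continue
            ports, severity = _ports_and_severity(perm)
            findings.append({
                "time": rec.get("eventTime"),
                "region": rec.get("awsRegion"),
                "actor": who.get("userName") or who.get("arn") or "unknown",
                "group": params.get("groupId") or params.get("groupName"),
                "protocol": perm.get("ipProtocol"),
                "ports": ports,
                "severity": severity,
            })
    return findings


if __name__ == "__main__":
    for f in world_open_ingress(parse_trail(SAMPLE_TRAIL)):
        print(f"{f['time']} {f['severity']:6} {f['actor']} opened {f['group']} "
              f"{f['protocol']}/{f['ports']} to the Internet")
```

On the constructed file this reports alice's SSH rule as high and bob's HTTPS rule as medium, ignores carol's rule (internal source range), dave's rejected call (errorCode present) and the read-only DescribeInstances event. In a real deployment the same function would run over each gzipped log object CloudTrail writes to the bucket, and the findings would feed the change-management and incident-analysis uses the AWS Config slide lists.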
AWS Key Management Service
• Centralized key management
• Integrated with AWS S3, AWS EBS and AWS Redshift for encryption of data at rest
• SDK to provide programmatic integration of encryption and key management within your own applications
• Built-in auditing: integrated with AWS CloudTrail to log all API calls made to or by the AWS Key Management Service
• Fully managed: AWS takes care of the availability, physical security and hardware maintenance of the underlying infrastructure
• Low cost: no charge for storage of default keys; pay only for additional master keys and key usage
• Secure: KMS keys are never transmitted outside of the AWS region in which they were created
AWS Config
• View continuously updated details of all configuration attributes associated with AWS resources
• Notifications via Amazon Simple Notification Service (SNS) of every configuration change
• Fully managed: no software agents to install or databases to manage
• Accessible via Management Console, CLI or SDKs
• Enabled by two clicks
• Use for: Discovery, Change Management, Audit and Compliance, Troubleshooting, Security and Incident Analysis
Partner Ecosystem Security
(Same Shared Responsibility Model diagram as above: the AWS-managed layers plus the customer-managed layers give more secure and compliant systems than any one entity could achieve on its own.)
Vulnerability Management and AWS
Jack Daniel, Strategist
Why is VA Important?
Enables AWS customers to find vulnerabilities, the threats that exploit them, and the systems already compromised for immediate response.
Provides vulnerability scanning for the AWS cloud computing platform and all the 3rd party AMIs that run on it.
It helps secure AMIs throughout the SDLC (software development lifecycle)
Concerns with AWS Deployments
1) How do I ensure that my AWS instances are configured correctly?
2) How do I identify AWS instances that are running vulnerable operating systems?
3) How do I identify compromised AWS instances?
4) How do I routinely scan AWS instances without the overhead of scan authorization each time?
5) Can I run an integrated scan (threats, vulns, compliance) without separate scan authorization?
6) Can I identify vulnerable web applications running in the AWS cloud?
Scanning AWS Instances
• Installation: inconvenience of manually installing scanning software
• AWS instances: continually managing risk from AWS instances vs. IPs
• Scan request form: submit AWS scan request form
• Integrated scans: perform integrated scans (VA, compliance, threats, WAS)
When is VA Scanning Performed?
• Development: scan AMI images after each build to ensure secure coding
• Staging: scan AMI images during testing, before deploying to production on the AWS Cloud
• Production: scan AMI images for the latest patches and leverage other Tenable products to monitor continuously
Tenable Solutions on AWS Marketplace
Nessus Enterprise for AWS
• A virtual machine (AMI) that is installed in AWS and scans AMI assets within the AWS cloud.
• This AMI is purchased directly and the subscription is renewed automatically from the AWS Marketplace.
Nessus AMI
• A virtual machine (AMI) that is installed in AWS and can scan assets outside of the AWS cloud.
• This AMI is available as BYOL – Bring Your Own License. This means customers can apply their existing Nessus licenses (purchased from store, reseller, etc.) to this AMI.
https://aws.amazon.com/marketplace (search for “Tenable”)
Nessus Enterprise for AWS (screenshots: scan policy, scan results, remediation advice)
Key Benefits
• Low Overhead: avoid the manual approval process for scanning AWS instances
• Integrated: integrated assessment of vulnerabilities, advanced threats, web application security, and compliance violations
• Deployment: quickly roll out Nessus scanners in the AWS cloud
• Administration: simplify administration of multiple Nessus scanners, users, and policies
• Centralized: centralize cloud and on-premise scan results for security and compliance assessment across the organization
Recommendations
• Risk management is a process, not a product
• Start with basics and reduce your attack surface (config audit, VM, etc.)
• Use vulnerability management solutions designed for AWS
• Patching is crucial. Use VMs to validate patching
• Perform regular scans and monitor continuously
Purchase on the AWS Marketplace
• Visit the AWS Marketplace: https://aws.amazon.com/marketplace
• Search for “Tenable”
• Select the Nessus AMI for your needs
o Nessus Enterprise for AWS: pre-authorized for scanning AWS instances (annual pricing or hourly pricing)
o Nessus (BYOL): scan assets outside of AWS
Questions