Security best practices on AWS cloud
Martin Yan – Head of Enterprise Sales, AWS HK/Taiwan
Security best practices on AWS
What we will cover today
1. Quick intro on AWS
2. Understanding shared responsibility for security
3. Using AWS global reach and availability features
4. Building a secure virtual private cloud
5. Using AWS Identity and Access Management
6. Protecting your content on AWS
7. Building secure applications on AWS
1. Quick intro on AWS
What is AWS?
[Diagram: AWS Global Infrastructure at the base; Compute, Storage, Database and Networking above it; then Deployment & Administration and Application Services]
AWS Global Infrastructure
• 9 Regions
• 25+ Availability Zones
• Continuous expansion
Every day, AWS adds enough server capacity to power a whole $5B enterprise (a $5.2B retail business with 7,800 employees and a whole lot of servers).
Solving Problems for Organizations Around the World
Compute Services
• Amazon EC2: elastic virtual servers in the cloud
• Elastic Load Balancing: dynamic traffic distribution
• Auto Scaling: automated scaling of EC2 capacity
Networking Services
• Amazon VPC: private, isolated section of the AWS Cloud
• AWS Direct Connect: private connectivity between AWS and your datacenter
• Amazon Route 53: Domain Name System (DNS) web service
Storage Services
• Amazon EBS: block storage for use with Amazon EC2
• Amazon S3: internet-scale storage via API (images, videos, files, binaries, snapshots)
• AWS Storage Gateway: integrates on-premises IT and AWS storage (S3, Glacier)
• Amazon Glacier: storage for archiving and backup
Application Services
• Amazon CloudFront: distribute content globally
• Amazon RDS: managed relational database service
• Amazon DynamoDB: managed NoSQL database service
• Amazon CloudSearch: managed search service
Big Data Services
• Amazon EMR (Elastic MapReduce): hosted Hadoop framework
• Amazon Redshift: petabyte-scale data warehouse service
• AWS Data Pipeline: move data among AWS services and on-premises data sources
Deployment & Administration
• Amazon CloudWatch: monitor resources
• AWS IAM (Identity & Access Management): manage users, groups & permissions
• AWS OpsWorks: DevOps framework for application lifecycle management
• AWS CloudFormation: templates to deploy & manage
• AWS Elastic Beanstalk: automate resource management
2. Understanding shared responsibility for security
Every customer has access to the same security capabilities
AWS maintains a formal control environment
• SOC 1 (SSAE 16 & ISAE 3402) Type II (was SAS70)
• SOC 2 Type 1
• ISO 27001 Certification
• Certified PCI DSS Level 1 Service Provider
• FedRAMP (FISMA), ITAR, FIPS 140-2
• HIPAA and MPAA capable
Security is a shared responsibility between AWS and our customers
[Diagram: AWS is responsible for the Foundation Services (Compute, Storage, Database, Networking) and the AWS Global Infrastructure (Regions, Availability Zones, Edge Locations); customers are responsible for their content, for Platform, Applications, Identity & Access Management, for Operating System, Network & Firewall Configuration, and for Client-side Data Encryption, Server-side Data Encryption and Network Traffic Protection]
AWS
• Culture of security and continual improvement
• Ongoing audits and assurance
• Protection of large-scale service endpoints
Customers
• Configure AWS security features
• Get access to a mature vendor marketplace
• Can implement and manage their own controls
• Gain additional assurance above AWS controls
You can build end-to-end compliance, certification and audit
[Diagram: your compliant solutions, your certifications and your external audits and attestations built on top of the AWS Foundation Services and Global Infrastructure]
• Achieve PCI, HIPAA and MPAA compliance
• Certify against ISO 27001 with a reduced scope
• Have key controls audited or publish your own independent attestations
Customers retain ownership of their intellectual property and content
• Customers manage their privacy objectives how they choose to
• Select the AWS geographical Region; there is no automatic replication elsewhere
• Customers can encrypt their content, retain management and ownership of keys and implement additional controls to protect their content within AWS
The security of our services and customers is key to AWS
• Security starts at the top in Amazon with a dedicated CISO and strong cultural focus
• Dedicated internal teams constantly looking at the security of our services
• AWS support personnel have no access to customer content
Customers retain full ownership and control of their content
3. Using AWS global reach and availability features
Regions: AWS lets customers choose where their content goes
US-EAST (Virginia), US-WEST (N. California), US-WEST (Oregon), GOV CLOUD, EU-WEST (Ireland), ASIA PAC (Tokyo), ASIA PAC (Singapore), ASIA PAC (Sydney), SOUTH AMERICA (Sao Paulo)
Availability Zones: take advantage of high availability in every Region
Edge Locations: use edge locations to serve content close to your customers
North America: Ashburn (2), Dallas (2), Jacksonville, Los Angeles (2), Miami, Newark, New York (2), Palo Alto, San Jose, Seattle, South Bend, St. Louis
Europe: Amsterdam, Dublin, Frankfurt (2), London (2), Milan, Paris (2), Stockholm
Asia Pacific: Chennai, Hong Kong, Mumbai, Osaka, Singapore (2), Sydney, Tokyo
South America: Sao Paulo
Build your solution for continuous, resilient operations
• Scalable, fault tolerant services: build resilient solutions operating in multiple datacenters; AWS helps simplify active-active operations
• All AWS facilities are always on: no need for a “Disaster Recovery Datacenter” when you can have resilience; every one is managed to the same global standards
• Robust connectivity and bandwidth: each AZ has multiple, redundant Tier 1 ISP service providers; resilient network infrastructure
4. Building a secure virtual private cloud
Each AWS Region has multiple availability zones
[Diagram: Availability Zone A and Availability Zone B within a Region]
Your VPC spans every availability zone in the Region
Customers control their VPC IP address ranges
[Diagram: VPC A - 10.0.0.0/16 spanning Availability Zone A and Availability Zone B]
Choose your VPC address range
• Your own private, isolated section of the AWS cloud
• Every VPC has a private IP address space
• The maximum CIDR block you can allocate is /16
• For example 10.0.0.0/16 – this allows 256*256 = 65,536 IP addresses
Select IP addressing strategy
• You can’t change the VPC address space once it’s created
• Think about overlaps with other VPCs or existing corporate networks
• Don’t waste address space, but don’t constrain your growth either
We will concentrate on a single availability zone just now
[Diagram: VPC A - 10.0.0.0/16, Availability Zone A]
Segment your VPC address space into multiple subnets
[Diagram: VPC A - 10.0.0.0/16, Availability Zone A, divided into subnets 10.0.1.0/24, 10.0.2.0/24, 10.0.3.0/24, 10.0.4.0/24 and 10.0.5.0/24, with EC2 instances, a NAT instance and a web server placed in them]
Place your EC2 instances in subnets according to your design
[Diagram: the same VPC with Web, App, Log and Jump instances plus a NAT instance, each placed in its subnet]
Use VPC security groups to firewall your instances
[Diagram: the same VPC with a security group rule on the App instances]
“Web servers can connect to app servers on port 8080”
Each instance can be in up to five security groups
[Diagram: the same VPC with a second security group rule on the Web instances]
“Web servers can connect to app servers on port 8080”
“Allow outbound connections to the log server”
Use separate security groups for applications and management
[Diagram: the same VPC with a management security group on every instance]
“Web servers can connect to app servers on port 8080”
“Allow outbound connections to the log server”
“Allow SSH and ICMP from hosts in the Jump Hosts security group”
The VPC router will allow any subnet to route to another in the VPC
[Diagram: the same VPC with the Router connecting all five subnets]
Use Network Access Control Lists to restrict internal VPC traffic
[Diagram: the same VPC with a network ACL between the web server subnet and the database server subnet]
“Deny all traffic between the web server subnet and the database server subnet”
Use Network Access Control Lists for defence in depth
[Diagram: the same VPC with the network ACL applied at subnet level]
NACLs are optional
• Applied at subnet level, stateless and permit all by default
• ALLOW and DENY
• Applies to all instances in the subnet
• Use as a second line of defence
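To make the two filtering layers on the preceding slides concrete, here is an added example (not part of the deck) that models security groups and network ACLs in Python using the rules quoted on the slides; the subnet-to-tier mapping, the instance IPs and the deliberately over-broad db-sg rule are assumptions introduced for the demonstration.

```python
from ipaddress import ip_address, ip_network
# VPC A - 10.0.0.0/16 from the slides; which subnet hosts which tier is assumed.
WEB, APP, DB, LOG, JUMP = ("10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24",
                           "10.0.4.0/24", "10.0.5.0/24")

# Security groups: inbound ALLOW rules only, as (proto, port, source), where the
# source is a CIDR or the name of another group. A security group has no DENY.
SECURITY_GROUPS = {
    "web-sg":  [("tcp", 443, "0.0.0.0/0")],
    "app-sg":  [("tcp", 8080, "web-sg")],        # web servers -> app servers on 8080
    "db-sg":   [("tcp", 3306, "10.0.0.0/16")],   # assumed, deliberately too broad (see NACL)
    "mgmt-sg": [("tcp", 22, "jump-sg"), ("icmp", None, "jump-sg")],  # SSH/ICMP from jump hosts
    "jump-sg": [],
}
# Instance IP -> the groups it is in (an instance can be in up to five). Assumed IPs.
MEMBERSHIP = {"10.0.1.10": {"web-sg", "mgmt-sg"}, "10.0.2.10": {"app-sg", "mgmt-sg"},
              "10.0.3.10": {"db-sg", "mgmt-sg"}, "10.0.5.10": {"jump-sg"}}
# Network ACL per subnet: (rule_no, action, proto, (from, to) ports, source cidr),
# evaluated lowest number first, first match wins. The default NACL is rule 100 allow all.
DEFAULT_NACL = [(100, "allow", "all", None, "0.0.0.0/0")]
# "Deny all traffic between the web server subnet and the database server subnet"
NACLS = {DB: [(90, "deny", "all", None, WEB)] + DEFAULT_NACL}

def sg_permits(pkt, membership=MEMBERSHIP, groups=SECURITY_GROUPS):
    """A new inbound connection is accepted if ANY group on the destination allows it.
    Security groups are stateful: replies to an accepted flow need no rule of their own."""
    src, dst, proto, port = pkt
    for name in membership.get(dst, ()):
        for r_proto, r_port, r_src in groups[name]:
            if r_proto != proto or (r_port is not None and r_port != port):
                continue
            if "/" in r_src and ip_address(src) in ip_network(r_src):
                return True
            if "/" not in r_src and r_src in membership.get(src, ()):
                return True
    return False  # implicit deny

def nacl_permits(pkt, nacls=NACLS):
    """Stateless filter on the destination subnet: each direction is judged on its own
    (return traffic needs its own rule) and an unmatched packet hits the implicit final deny."""
    src, dst, proto, port = pkt
    subnet = next((s for s in (WEB, APP, DB, LOG, JUMP) if ip_address(dst) in ip_network(s)), None)
    for _no, action, r_proto, ports, cidr in sorted(nacls.get(subnet, DEFAULT_NACL)):
        if r_proto not in ("all", proto):
            continue
        if ports and not ports[0] <= port <= ports[1]:
            continue
        if ip_address(src) in ip_network(cidr):
            return action == "allow"
    return False

def vpc_permits(pkt):
    """Both layers must agree; the NACL catches what an over-broad group lets through."""
    return nacl_permits(pkt) and sg_permits(pkt)
```

The web-to-database flow on port 3306 is the defence-in-depth case: db-sg alone would accept it, the subnet NACL denies it.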
Use Elastic Load Balancers to distribute traffic between instances
[Diagram: an Elastic Load Balancer in front of two Web instances in the same VPC]
Elastic Load Balancers are also placed in security groups
[Diagram: the Elastic Load Balancer and a growing pool of Web instances, each inside its security group]
Your security can scale up and down with your solution
[Diagram: the Elastic Load Balancer and Auto Scaling managing the pool of Web instances]
Elastic load balancers and Auto scaling
• Instances can automatically be added and removed from the balancing pool using rules
• You can add instances into security groups at launch time
5. Using AWS Identity and Access Management
AWS IAM enables you to securely control access to AWS services and resources
• Fine grained control of user permissions, resources and actions
• Now includes support for RunInstances
• Add multi factor authentication: hardware token or smartphone apps
• Test out your new policies using the Identity and Access Management policy simulator
You have fine grained control of your AWS environment
Segregate duties between roles with IAM
[Diagram: a Region containing VPC A - 10.0.0.0/16 with two Availability Zones, subnets 10.0.1.0/24 and 10.0.2.0/24, a Router, an Internet Gateway to the Internet and a Customer Gateway]
You get to choose who can do what in your AWS environment and from where
• AWS account owner (master)
• Network management
• Security management
• Server management
• Storage management
• Manage and operate
Use AWS CloudTrail (beta) to track access to APIs and IAM
Increase your visibility of what happened in your AWS environment
• CloudTrail will record access to API calls and save logs in your S3 buckets, no matter how those API calls were made
• Who did what and when and from what IP address
• Be notified of log file delivery using the AWS Simple Notification Service
• Support for many AWS services including EC2, EBS, VPC, RDS, IAM, STS and Redshift
• Aggregate log information into a single S3 bucket
• Out of the box integration with log analysis tools from AWS partners including Splunk, AlertLogic and SumoLogic
AWS CloudTrail logs can be used for many powerful use cases
CloudTrail can help you achieve many tasks
• Security analysis
• Track changes to AWS resources, for example VPC security groups and NACLs
• Compliance – understand AWS API call history
• Troubleshoot operational issues – quickly identify the most recent changes to your environment
CloudTrail is currently available in US-WEST1 and US-EAST1
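As an added example (not from the deck or from AWS), the following Python triages a constructed CloudTrail log file for the "who did what, when, from where" questions above and flags changes to security groups and NACLs; the record layout follows CloudTrail's JSON format, while the account id, user names, ARNs, resource ids and IP addresses are all made up.

```python
import json
from collections import Counter

# Constructed CloudTrail log file: a JSON object whose "Records" list holds one event per
# API call. Field names follow the CloudTrail record format; all values are made up.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2014-01-15T09:01:12Z", "eventName": "AuthorizeSecurityGroupIngress",
     "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "IAMUser", "userName": "netadmin",
                      "arn": "arn:aws:iam::111111111111:user/netadmin"},
     "requestParameters": {"groupId": "sg-0a1b2c3d", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
          "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
    {"eventTime": "2014-01-15T09:03:40Z", "eventName": "DescribeInstances",
     "sourceIPAddress": "198.51.100.23",
     "userIdentity": {"type": "IAMUser", "userName": "ops-readonly",
                      "arn": "arn:aws:iam::111111111111:user/ops-readonly"}},
    {"eventTime": "2014-01-15T09:10:05Z", "eventName": "CreateNetworkAclEntry",
     "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111111111111:root"},
     "requestParameters": {"networkAclId": "acl-0f9e8d7c", "ruleNumber": 90, "egress": False,
                           "ruleAction": "deny", "cidrBlock": "10.0.1.0/24"}},
]})

# Mutating calls on the two VPC filters the slide singles out: security groups and NACLs.
WATCHED = {"AuthorizeSecurityGroupIngress", "AuthorizeSecurityGroupEgress",
           "RevokeSecurityGroupIngress", "RevokeSecurityGroupEgress",
           "CreateNetworkAclEntry", "ReplaceNetworkAclEntry", "DeleteNetworkAclEntry"}

def who_did_what(rec):
    """(when, who, what, from where): the four questions the slide lists."""
    ident = rec.get("userIdentity", {})
    actor = ident.get("userName") or ident.get("arn") or ident.get("type", "unknown")
    return rec["eventTime"], actor, rec["eventName"], rec.get("sourceIPAddress", "?")

def opens_to_world(rec):
    """True when an ingress rule was authorised for 0.0.0.0/0: review these first."""
    if rec["eventName"] != "AuthorizeSecurityGroupIngress":
        return False
    perms = rec.get("requestParameters", {}).get("ipPermissions", {}).get("items", [])
    return any(r.get("cidrIp") == "0.0.0.0/0"
               for p in perms for r in p.get("ipRanges", {}).get("items", []))

def triage(log_text):
    """(severity, when, who, what, from_ip) for every watched change, in file order."""
    findings = []
    for rec in json.loads(log_text)["Records"]:
        if rec["eventName"] in WATCHED:
            sev = "HIGH" if opens_to_world(rec) else "REVIEW"
            findings.append((sev,) + who_did_what(rec))
    return findings

def calls_per_actor(log_text):
    """Roll-up of who made how many API calls across the whole file."""
    return Counter(who_did_what(r)[1] for r in json.loads(log_text)["Records"])
```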
6. Protecting your content on AWS
AWS has many different content storage services: EBS, S3, RDS and Redshift
Making use of available Amazon S3 security features
Configure S3 access controls at bucket and object level
• Restrict access and rights as tightly as possible and regularly review access logs
• Use versioning for important files, with MFA required for delete
Use S3 cryptographic features
• Use SSL to protect data in transit
• S3 server side encryption: AWS will transparently encrypt your objects using AES-256 and manage the keys on your behalf
• S3 client side encryption: encrypt information before sending it to S3; build it yourself or use the AWS Java SDK
• Use MD5 checksums to verify the integrity of objects loaded into S3
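The MD5 integrity check from the last bullet, as an added example (not from the deck or the AWS SDK): S3 accepts a Content-MD5 request header and, for single-part uploads, reports the object's hex MD5 as its ETag, which this code uses to verify a manifest after upload; the object contents and the listed ETags are constructed, and the multipart ETag is made up to show the case the check cannot cover.

```python
import base64
import hashlib

def content_md5(body: bytes) -> str:
    """Value for the Content-MD5 request header: base64 of the raw 16-byte digest.
    S3 recomputes the MD5 on receipt and rejects the PUT if the two differ."""
    return base64.b64encode(hashlib.md5(body).digest()).decode("ascii")

def etag_is_plain_md5(etag: str) -> bool:
    """A single-part PUT returns the hex MD5 as the ETag; a multipart upload's ETag
    ends in '-<part count>' and is not a checksum of the whole object."""
    return "-" not in etag.strip('"')

def verify_object(body: bytes, returned_etag: str) -> str:
    """Compare the local bytes with the ETag S3 returned for the stored object."""
    if not etag_is_plain_md5(returned_etag):
        return "unverifiable: multipart ETag, send Content-MD5 with each part instead"
    return "ok" if hashlib.md5(body).hexdigest() == returned_etag.strip('"') else "MISMATCH"

def verify_manifest(objects, listing):
    """objects: key -> local bytes; listing: key -> ETag as reported by the bucket."""
    return {key: verify_object(body, listing[key]) for key, body in objects.items()}

# Constructed local objects and the ETags a bucket listing would report for them.
OBJECTS = {"reports/q1.csv": b"hello", "backups/big.bin": b"x" * 1024}
LISTING = {"reports/q1.csv": '"5d41402abc4b2a76b9719d911017c592"',   # MD5 of b"hello"
           "backups/big.bin": '"9b2cf535f27731c974343645a3985328-2"'}  # made-up multipart ETag
```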
Making the most of Amazon RDS security features
RDS can reduce the security burden of running your databases
• Limit security group access to RDS instances
• Limit RDS management plane access with AWS IAM permissions
Encrypt data in flight
• Oracle Native Network Encryption, SSL for SQL Server, MySQL and PostgreSQL – especially if the database is accessible from the Internet
Encrypt data at rest in sensitive table space
• Native RDS via SQL Server and Oracle Transparent Data Encryption
• Encrypt sensitive information at application level or use a DB proxy
Configure automatic patching of minor updates – let AWS do the heavy lifting for you within a maintenance window you choose
Encrypting EBS volumes on Amazon EC2 instances
Roll your own encryption or use commercial solutions
• Windows BitLocker or Linux LUKS for encrypted volumes and TrueCrypt for containers
• SafeNet ProtectV, Trend Micro SecureCloud, Voltage – some vendors offer boot volume encryption
• MapReduce volumes can use Gazzang
Managing encryption keys is critical and difficult!
• How will you manage keys and make sure they are available when required, for example at instance start-up?
• How will you keep them available and prevent loss?
• How will you rotate keys on a regular basis and keep them private?
7. Building secure applications on AWS
You decide how to configure your instance environment
[Diagram: launch an instance from the AMI catalogue, configure the running instance, and the result is your instance; the layers you configure on top of the operating system are hardening and configuration, audit and logging, vulnerability management, malware and IPS, whitelisting and integrity, and user administration]
You take responsibility for final configuration
Harden operating system and platforms
• Use standard hardening guides and techniques
• Apply latest security patches – Amazon maintains repositories
Use host-based protection software
• Think of how they will work in an elastic environment - hosts may only be in use for hours before being replaced
Think about how you will manage administrative users
• Restrict access as much as possible
Build out the rest of your standard security environment
Where you can go for help and further information
Browse and read AWS security whitepapers and good practices
• http://aws.amazon.com/compliance
• http://aws.amazon.com/security
• Risk and compliance, including CSA questionnaire response
• Security best practices
• Audit and operational checklists to help you assess security before you go live
Sign up for AWS support
• http://aws.amazon.com/support
• Get help when you need it most – as you grow
• Choose different levels of support with no long-term commitment
Get training and become AWS certified in your discipline
Get training from an instructor or try the self-paced labs
• http://aws.amazon.com/training/
Become AWS certified and gain recognition and visibility
• http://aws.amazon.com/certification
• Demonstrate that you have the skills, knowledge and expertise to design, deploy and manage projects and applications on the AWS platform
• Prove skills and foster credibility with your employer and peers
Choose your discipline, or do all of them!
• AWS Certified Solutions Architect – Associate Level
• AWS Certified Developer – Associate Level (Beta)
• AWS Certified SysOps Administrator – Associate Level (Beta)
Any questions? Martin Yan [email protected]
Thank you for your time today