© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
June 2016
Using AWS Networking and Logging Features to Enhance Security
Nathan McGuirt, Senior Solutions Architect, AWSDave Rogers, Head of Architecture & Security, UK MOJ Digital & Technology
Expectations
Managing traditional networks is hard
Lack of visibility Heavy technical lift
Network enforcement tools
Server 192.168.0.3
Server 192.168.0.4
Server 192.168.1.3
Server 192.168.1.410.0.0.3
10.0.0.4
10.0.0.4
10.0.0.2
10.0.0.5
10.0.0.3
Mapping service
10.0.0.2
Amazon Virtual Private Cloud VPC A
VPC B
Enforcement—security groupsWeb Server Security GroupAllow Inbound HTTP from 0.0.0.0/0
Allow Inbound HTTPS from 0.0.0.0/0
Allow Outbound SQL to DB Servers
DB Security GroupAllow Inbound SQL from Web Servers
AD Member Security GroupAllow Outbound AD traffic to AD Servers
XTCP 139
Enforcement—VPC subnet ACLs
Subnet ACL
VPC Subnet
Security Group
Enforcement—VPC route tables
VPC subnet VPC subnet
0.0.
0.0/
0
0.0.0.0/0
0.0.0.0/0
VPC subnet
X
X
Local routes only
0.0.0.0/0
Enforcement: AWS WAF (Web Application Firewall)
AWS Management ConsoleAdmins
Developers AWS APIWeb app in
Amazon CloudFront
Define rules
Deploy protection
AWS WAF
Traffic isolation—VPN and AWS Direct Connect
Customer gateway
Virtual gateway
Two IPSec tunnels
192.168.0.0/16 172.31.0.0/16
192.168/16
Private fiber via peering facility
Traffic isolation—VPC endpoints
10.10.0.0/16
10.10.1.0/24AZ A
10.10.2.0/24AZ B
Isolation—VPC peering
Logging
Amazon CloudWatch Logs
Logging: VPC Flow Logs
10.10.0.0/16
10.10.1.0/24AZ A
10.10.2.0/24AZ B
Logging—AWS CloudTrail
"Records": [{ "eventVersion": "1.0", "userIdentity": {... "arn": "arn:aws:iam::123456789012:user/Alice",... }, "eventTime": "2015-03-24T21:11:59Z", "eventSource": "iam.amazonaws.com", "eventName": "CreateUser", "awsRegion": "us-east-1", "sourceIPAddress": ”55.55.55.55",...
Logging—Elastic Load Balancing, CloudFront, Amazon S3 access logs
Logging destination bucket
Elastic Load Balancing
logs
CloudFront logs
Amazon S3 bucket logs
Change control
Normalize
RecordChanging resources
Deliver
Stream
Snapshot (ex. 2014-11-05)AWS Config
APIs
Store
History
Change control—AWS Config
Change control—AWS CloudFormation
Template StackAWSCloudFormation
Orchestrate changes across AWS services
Use as foundation to AWS Service Catalog products
Use with source code repositories to manage infrastructure changes
JSON-based text file describing infrastructure
Resources created from a template
Can be updated Updates can be
restricted
Change control—CloudFormation change sets
Separation of Duties
Making use of logs
Example events of concern
• Configuration changes that impact ability to detect or understand events
• Activities that are inconsistent with expectations• Activities that violate policy
Monitoring logging status—CloudTrailCloudTrail EventsCloudTrail
CloudWatch Logs CloudWatch Logs Filter
Metric filter"FilterPattern": ”{ ($.eventName = StopLogging) }",
CloudWatch metric
Air-raid siren
CloudWatch Alarm
Monitoring for unexpected (network) behavior
VPC
VPC Flow LogsAt some meaningful rate,
fire an alarm
Filter: RejectedFilter: Source: Internal
Take an automated action:Cut off network access
CloudWatch Logs Metric Filter CloudWatch Alarm AWS Lambda Function
Watching for disallowed configurations
AWS Config
Config Rule
Email alert
Automated action:modify SG
No TCP 22 from 0.0.0.0/0 in Production
SO’s mailbox
VPC Flow Logs—network dashboard
• Amazon Elasticsearch Service
• Amazon CloudWatch Logs subscriptions
All of this can be automatedSo what does that do for practices in the cloud?
Automation, enabled by public cloud, leads to continuous practice
continuous delivery is the foundation
continuous securityprevention & response
continuous deliverycontinuous security testingcontinuous hacking continuous risk managementcontinuous assurancecontinuous compliance
continuous security testing
continuous hacking
continuous risk management
continuous compliance the public cloud provides a platform
continuous securitydetection
continuous intrusion detectioncontinuous health checkingcontinuous anomaly detectioncontinuous capacity managementcontinuous scaling
continuous prevention& response
continuous detection
continuous delivery is hard
DevOps
Continuous
Delivery
DevOps is hard
because change toward DevOps is culture change
DevOps is culture changeNew skillsNew methodologiesNew hours & working locationsNew careersNew ways of thinkingNew planningNew governanceSometimes, new clothes
Rising cyber security threats require us to be adaptive.
Security conservatism, attempting to achieve stability through restricted change, increases risk.
We must embrace continuous practice.
Thank you!
Top Related