Development Security Best Practices in AWS

AWS User Group meetup 2 was dedicated to security. The Development Security Best Practices in AWS presentation describes the shared responsibility model, IAM, and best practices for DevSec in AWS.

AWS User Group Belgrade

July 09, 2019

Transcript

  1. User Group Belgrade: Development Security Best Practices in AWS
     Milan Boricic
     - Shared responsibility
     - IAM
     - Cognito
     - Secrets Manager
     - Serverless Sec
  2. Development Security Best Practices, AWS User Group Belgrade, July 2019
     by Milan Boričić (@boricic)
  3. General security concepts
     • Security is the top priority for AWS
     • Shared responsibility model
     • Security “OF” the cloud - AWS is responsible for protecting the infrastructure that runs all of the services offered in the AWS Cloud
     • Security “IN” the cloud - customer responsibility is determined by the AWS Cloud services that the customer selects
  4. On-premises data centers (slide image)
  5. AWS Infrastructure services (slide image)
  6. AWS Abstracted services (slide image)
  7. Levels of access
     • AWS root account
       - Full access: all services, billing, console, programmatic access, customer support
     • IAM Users, Groups and Roles
       - Access to specific services
       - Access to web console / programmatic access
       - Access to customer support
     • Temporary credentials
       - Access to specific services
       - Access to web console / programmatic access
  8. Identity and Access Management - IAM
     • Users - e.g. john
     • Groups - e.g. administrators
     • Roles - e.g. lambda_execution_role
     • Policies - allow/deny access
     • Tag based - allow/deny if tag present
  9. IAM Policy example (slide image)
  10. IAM Tag based policy (slide image)
  11. Principals
     • AWS account - account number, e.g. 123456
     • IAM user - e.g. arn:aws:iam::123456:user/john
     • Temporary credentials - temporary token
  12. Policy with principal (slide image)
  13. Top 10 IAM Best practices
     1. Users - Create individual users
     2. Permissions - Grant least privilege
     3. Groups - Manage permissions with groups
     4. Conditions - Restrict privileged access further with conditions
     5. Password - Configure a strong password policy
     6. Rotate - Rotate security credentials regularly
     7. MFA - Enable MFA for privileged users
     8. Sharing - Use IAM roles to share access
     9. Roles - Use IAM roles for Amazon EC2 instances
     10. Root - Reduce or remove use of root
  14. AWS Organizations
     • Centrally manage multiple accounts
     • Simplified creation of new AWS accounts
     • Apply organizational control policies (OCP)
     • Simplified billing
  15. AWS Organizations - Multi account strategy (slide image)
  16. AWS Key Management Service - KMS
     • Centralized key management
     • Key access control via IAM
     • Manage encryption for AWS services
     • Custom Key Store - CloudHSM
  17. Param Store VS Secrets manager
     • Param Store
       - Part of AWS Systems Manager
       - No additional cost, free of charge
       - Up to 10,000 params/secrets (upgrade to have more)
       - KMS integration
     • Secrets manager
       - Secret generation
       - Automatic password rotation (RDS)
       - $0.40 per secret stored, $0.05 per 10,000 API calls
       - KMS integration
       - Extensible via Lambda
  18. Storing secret params
     1. Create key for encrypting/decrypting secrets with KMS
     2. Create secret param encrypted with KMS key
     3. Create policy for ParamStore access
     4. Create policy for KMS
     5. Assign policies to IAM roles
  19. Storing secret params (video)

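The five steps of the "Storing secret params" slide as an AWS CLI script, added here as an example and not part of the deck. The parameter name /myapp/db-password, role myapp-lambda-role, key alias alias/myapp-secrets, policy names and the default region are assumptions; the two policy functions keep the role limited to one parameter and one key.

```shell
#!/usr/bin/env bash
# Steps 1-5 of the "Storing secret params" slide with the AWS CLI.
# Assumed names: parameter /myapp/db-password, role myapp-lambda-role,
# key alias alias/myapp-secrets, policy names myapp-ssm-read / myapp-kms-decrypt.
set -eu

# Step 3: least-privilege policy that reads only this one parameter.
ssm_read_policy() {   # $1 = parameter ARN
  cat <<EOF
{"Version":"2012-10-17","Statement":[{"Effect":"Allow",
 "Action":["ssm:GetParameter","ssm:GetParameters"],"Resource":"$1"}]}
EOF
}

# Step 4: decrypt with this one key, and only when Parameter Store does it.
kms_decrypt_policy() {   # $1 = key ARN, $2 = region
  cat <<EOF
{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":"kms:Decrypt",
 "Resource":"$1","Condition":{"StringEquals":{"kms:ViaService":"ssm.$2.amazonaws.com"}}}]}
EOF
}

provision() {   # $1 = region, $2 = parameter name, $3 = role name; secret value on stdin
  local region=$1 param=$2 role=$3 key_id key_arn account param_arn ssm_arn kms_arn
  # Step 1: customer managed KMS key (alias added for readability).
  key_id=$(aws kms create-key --description "myapp secrets" --query KeyMetadata.KeyId --output text)
  aws kms create-alias --alias-name alias/myapp-secrets --target-key-id "$key_id"
  key_arn=$(aws kms describe-key --key-id "$key_id" --query KeyMetadata.Arn --output text)
  # Step 2: SecureString parameter encrypted with that key; the value comes
  # from stdin so it never appears in this script's arguments or shell history.
  aws ssm put-parameter --name "$param" --type SecureString --key-id "$key_id" --value "$(cat)"
  account=$(aws sts get-caller-identity --query Account --output text)
  param_arn="arn:aws:ssm:${region}:${account}:parameter${param}"
  # Steps 3 and 4: one managed policy each for Parameter Store and KMS.
  ssm_arn=$(aws iam create-policy --policy-name myapp-ssm-read \
    --policy-document "$(ssm_read_policy "$param_arn")" --query Policy.Arn --output text)
  kms_arn=$(aws iam create-policy --policy-name myapp-kms-decrypt \
    --policy-document "$(kms_decrypt_policy "$key_arn" "$region")" --query Policy.Arn --output text)
  # Step 5: attach both policies to the execution role (e.g. a Lambda role).
  aws iam attach-role-policy --role-name "$role" --policy-arn "$ssm_arn"
  aws iam attach-role-policy --role-name "$role" --policy-arn "$kms_arn"
}

# Only talk to AWS when explicitly asked: ./store-secret.sh --apply < password.txt
if [ "${1:-}" = "--apply" ]; then
  provision "${AWS_REGION:-eu-central-1}" /myapp/db-password myapp-lambda-role
fi
```

The kms:ViaService condition means the key can decrypt the parameter when Parameter Store asks on the role's behalf, but the role cannot call kms:Decrypt on arbitrary ciphertext directly.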
  20. Browser upload to S3
     • Security concepts
     • Precursor to serverless
     • Steps:
       1. Acquire temporary credentials
       2. Use temp credentials to execute action
  21. Browser upload to S3 (slide image)
  22. Signing policy (slide image)
  23. Upload policy (slide image)
  24. Upload HTML (slide image)
  25. AWS Cognito
     • Authentication and authorization for your app
     • Custom attributes
     • A lot of UI out of the box
     • MFA, SMS verification, emailing
     • JWT, social identity providers
     • Scalable, rapid, integrations (e.g. API Gateway)
  26. API Gateway
     • Authorization integrations (Cognito, IAM, Custom)
     • API keys
     • Usage plans / throttling
     • Automatic (and free) DDoS protection for Cognito, IAM and Custom auth - not charged for failed requests
     • Web Application Firewall via CloudFront
  27. Thank you!