Development Security Best Practices in AWS

AWS User Group meetup 2 was dedicated to security. The Development Security Best Practices in AWS presentation describes the shared responsibility model, IAM, and best practices for DevSec in AWS.

AWS User Group Belgrade

July 09, 2019
Transcript

  1. / 26
    User Group Belgrade
    Development Security Best Practices in AWS
    Milan Boricic
    - Shared responsibility
    - IAM
    - Cognito
    - Secrets Manager
    - Serverless Sec

  2. / 26
    Development Security Best Practices
    AWS User Group Belgrade
    July 2019
    by Milan Boričić (@boricic)

  3. / 26
    General security concepts
    • Security is the top priority for AWS
    • Shared responsibility model
    • Security “OF” the cloud - AWS is responsible for protecting the infrastructure that runs all of the services offered in the AWS Cloud
    • Security “IN” the cloud - Customer responsibility will be determined by the AWS Cloud services that a customer selects

  4. / 26
    On-premises data centers

  5. / 26
    AWS Infrastructure services

  6. / 26
    AWS Abstracted services

  7. / 26
    Levels of access
    • AWS root account
      • Full access - All services, billing, console, programmatic access, customer support
    • IAM Users, Groups and Roles
      • Access to specific services
      • Access to web console / programmatic access
      • Access to customer support
    • Temporary credentials
      • Access to specific services
      • Access to web console / programmatic access

  8. / 26
    Identity and Access Management - IAM
    • Users - e.g. john
    • Groups - e.g. administrators
    • Roles - e.g. lambda_execution_role
    • Policies - allow/deny access
    • Tag based - allow/deny if tag present

  9. / 26
    IAM Policy example

  10. / 26
    IAM Tag based policy
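The tag-based policy slide is an image in the deck, so here is an added example (not the presenter's own code) of what such a policy looks like, together with a toy evaluator that applies IAM's basic decision logic (default deny, explicit deny wins, otherwise a matching allow grants). The policy lets a principal start or stop only EC2 instances whose `team` tag equals the caller's own `aws:PrincipalTag/team`, and explicitly denies the instance actions on untagged instances. The tag name `team`, the instance ARN and the request contexts are constructed for the example; the evaluator supports only the two condition operators the policy uses.

```python
import fnmatch
import json

# Added example, not from the deck: an IAM identity policy that uses tags to
# scope EC2 start/stop to instances whose "team" tag equals the caller's own
# principal tag, with an explicit deny for untagged instances. Tag names and
# the sample request contexts are constructed for the example.
TAG_BASED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "StartStopOwnTeamInstances",
            "Effect": "Allow",
            "Action": ["ec2:StartInstances", "ec2:StopInstances"],
            "Resource": "arn:aws:ec2:*:*:instance/*",
            "Condition": {
                "StringEquals": {"aws:ResourceTag/team": "${aws:PrincipalTag/team}"}
            },
        },
        {
            "Sid": "DenyUntaggedInstances",
            "Effect": "Deny",
            "Action": "ec2:*Instances",
            "Resource": "arn:aws:ec2:*:*:instance/*",
            "Condition": {"Null": {"aws:ResourceTag/team": "true"}},
        },
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _resolve(value, ctx):
    """Expand a policy variable such as ${aws:PrincipalTag/team} from the request context."""
    if isinstance(value, str) and value.startswith("${") and value.endswith("}"):
        return ctx.get(value[2:-1])
    return value


def _condition_holds(condition, ctx):
    # Toy evaluator: supports only the two operators used in the policy above.
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = ctx.get(key)
            if operator == "StringEquals":
                if actual is None or actual != _resolve(expected, ctx):
                    return False
            elif operator == "Null":
                # Null "true" requires the key to be absent, "false" requires it present
                if (actual is None) != (expected == "true"):
                    return False
            else:
                raise ValueError(f"unsupported condition operator: {operator}")
    return True


def evaluate(policy, action, resource, ctx):
    """Simplified IAM decision: default deny, a matching Deny always wins,
    otherwise a matching Allow grants. ctx holds the request's condition keys."""
    decision = "Deny"
    for stmt in policy["Statement"]:
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        if not _condition_holds(stmt.get("Condition", {}), ctx):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


INSTANCE = "arn:aws:ec2:eu-west-1:123456789012:instance/i-0123456789abcdef0"  # constructed

if __name__ == "__main__":
    print(json.dumps(TAG_BASED_POLICY, indent=2))
    for resource_tag in ("ops", "dev", None):
        ctx = {"aws:PrincipalTag/team": "ops"}
        if resource_tag is not None:
            ctx["aws:ResourceTag/team"] = resource_tag
        print(resource_tag, evaluate(TAG_BASED_POLICY, "ec2:StopInstances", INSTANCE, ctx))
```

Running it shows the three outcomes that matter in practice: a matching tag yields Allow, a mismatched tag falls through to the default deny, and a missing tag hits the explicit deny. Actions outside the allow list (for example `ec2:TerminateInstances`) stay denied even when tags match, which is the least-privilege point of the slide.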

  11. / 26
    Principals
    • AWS account - account number - e.g. 123456
    • IAM user - e.g. arn:aws:iam::123456:user/john
    • Temporary credentials - temporary token

  12. / 26
    Policy with principal

  13. / 26
    Top 10 IAM Best practices
    1. Users - Create individual users
    2. Permissions - Grant least privilege
    3. Groups - Manage permissions with groups
    4. Conditions - Restrict privileged access further with conditions
    5. Password - Configure a strong password policy
    6. Rotate - Rotate security credentials regularly
    7. MFA - Enable MFA for privileged users
    8. Sharing - Use IAM roles to share access
    9. Roles - Use IAM roles for Amazon EC2 instances
    10. Root - Reduce or remove use of root

  14. / 26
    AWS Organizations
    • Centrally manage multiple accounts
    • Simplified creation of new AWS accounts
    • Apply organizational control policies (OCP)
    • Simplified billing

  15. / 26
    AWS Organizations

    Multi account strategy

  16. / 26
    AWS Key Management Service - KMS
    • Centralized key management
    • Key access control via IAM
    • Manage encryption for AWS services
    • Custom Key Store - CloudHSM

  17. / 26
    Param Store VS Secrets Manager
    • Param Store
      • Part of AWS Systems Manager
      • No additional cost, free of charge
      • Up to 10,000 params/secrets (upgrade to have more)
      • KMS integration
    • Secrets Manager
      • Secret generation
      • Automatic password rotation (RDS)
      • $0.40 per secret stored, $0.05 for 10,000 API calls.
      • KMS integration
      • Extensible via Lambda

  18. / 26
    Storing secret params
    1. Create key for encrypting/decrypting secrets with KMS

    2. Create secret param encrypted with KMS key

    3. Create policy for ParamStore access

    4. Create policy for KMS

    5. Assign policies to IAM roles
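The five steps above, worked through as an added example (not the deck's own code, whose demo was a video) using boto3 call names (`create_key`, `create_alias`, `put_parameter`, `put_role_policy`, `get_parameter`). The account id, region, key alias, role name and the parameter path `/myapp/prod/db-password` are constructed placeholders. The IAM policies are the security-relevant part: the role can read exactly one parameter, and it can use the KMS key only through Parameter Store (`kms:ViaService`), so the same role cannot decrypt arbitrary ciphertext with that key directly. Clients are passed in as parameters so the policy-building parts can be exercised without AWS access.

```python
import json

# Added example, not the deck's own code. Walks the five "Storing secret
# params" steps with boto3 calls; account id, region, parameter path, key
# alias and role name are constructed placeholders.
ACCOUNT = "123456789012"
REGION = "eu-west-1"
PARAM_PATH = "/myapp/prod/db-password"


def create_secret_key(kms_client, alias="alias/myapp-secrets"):
    """Step 1: a customer managed KMS key dedicated to this app's secrets."""
    key_id = kms_client.create_key(Description="myapp secret parameters")["KeyMetadata"]["KeyId"]
    kms_client.create_alias(AliasName=alias, TargetKeyId=key_id)
    return key_id


def store_secret_param(ssm_client, name, value, key_id):
    """Step 2: SecureString parameter encrypted with the key from step 1
    (without KeyId the account's default aws/ssm key would be used)."""
    return ssm_client.put_parameter(
        Name=name, Value=value, Type="SecureString", KeyId=key_id, Overwrite=False
    )


def param_store_read_policy(param_path, account=ACCOUNT, region=REGION):
    """Step 3: read access to exactly one parameter, not the whole store."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "ReadOneSecretParam",
            "Effect": "Allow",
            "Action": ["ssm:GetParameter", "ssm:GetParameters"],
            # hierarchical names keep their leading slash in the ARN
            "Resource": f"arn:aws:ssm:{region}:{account}:parameter{param_path}",
        }],
    }


def kms_decrypt_policy(key_arn, region=REGION):
    """Step 4: kms:Decrypt on that one key, and only when the call comes
    through Parameter Store, so the role cannot decrypt arbitrary ciphertext."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DecryptViaParameterStoreOnly",
            "Effect": "Allow",
            "Action": "kms:Decrypt",
            "Resource": key_arn,
            "Condition": {"StringEquals": {"kms:ViaService": f"ssm.{region}.amazonaws.com"}},
        }],
    }


def attach_policies(iam_client, role_name, param_path, key_arn):
    """Step 5: attach both policies inline to the application's role."""
    for policy_name, doc in (
        ("read-secret-param", param_store_read_policy(param_path)),
        ("decrypt-secret-param", kms_decrypt_policy(key_arn)),
    ):
        iam_client.put_role_policy(
            RoleName=role_name, PolicyName=policy_name, PolicyDocument=json.dumps(doc)
        )


def read_secret_param(ssm_client, name):
    """At runtime: WithDecryption=True makes SSM call KMS on the caller's
    behalf, which is why the role needs both policies above."""
    return ssm_client.get_parameter(Name=name, WithDecryption=True)["Parameter"]["Value"]


if __name__ == "__main__":
    import boto3  # only needed when actually talking to AWS

    kms, ssm, iam = boto3.client("kms"), boto3.client("ssm"), boto3.client("iam")
    key_id = create_secret_key(kms)
    key_arn = f"arn:aws:kms:{REGION}:{ACCOUNT}:key/{key_id}"
    store_secret_param(ssm, PARAM_PATH, "replace-me", key_id)
    attach_policies(iam, "myapp-role", PARAM_PATH, key_arn)
    print(read_secret_param(ssm, PARAM_PATH))
```

Note that the read policy deliberately omits `ssm:PutParameter` and `ssm:DeleteParameter`: the application role only needs to read the secret, and whoever rotates it should use a separate identity.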

  19. / 26
    Storing secret params

  20. / 26
    Browser upload to S3
    • Security concepts
    • Precursor to serverless
    • Steps:
      1. Acquire temporary credentials
      2. Use temp credentials to execute action

  21. / 26
    Browser upload to S3

  22. / 26
    Signing policy

  23. / 26
    Upload policy

  24. / 26
    Upload HTML
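The "Browser upload to S3", "Signing policy", "Upload policy" and "Upload HTML" slides are images in the deck, so here is an added example (not the presenter's code) of the pieces they show: the POST policy that limits what the browser may upload, the SigV4 signing of that policy, the hidden form fields the upload HTML carries, and a check of an upload against the policy that mirrors what S3 enforces. The bucket, key prefix, timestamp and credentials are constructed placeholders; in the pattern the slides describe the credentials are temporary ones (step 1), whose session token must appear in both the policy and the form as `x-amz-security-token`.

```python
import base64
import datetime
import hashlib
import hmac
import json

# Added example, not from the deck. Bucket, prefix, timestamp and credentials
# are constructed placeholders, not real values.
BUCKET = "example-upload-bucket"
REGION = "eu-west-1"
KEY_PREFIX = "uploads/"
ACCESS_KEY = "ASIAEXAMPLEEXAMPLE"               # constructed
SECRET_KEY = "constructed-secret-key-not-real"  # constructed
SESSION_TOKEN = "constructed-session-token"     # constructed
SAMPLE_TIME = datetime.datetime(2019, 7, 9, 12, 0, 0)  # constructed, for repeatable output


def _hmac(key, msg):
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def signing_key(secret_key, date_stamp, region, service="s3"):
    """SigV4 key derivation: the derived key is scoped to one day, one region
    and one service, and the raw secret never leaves the signer."""
    k_date = _hmac(("AWS4" + secret_key).encode(), date_stamp)
    k_region = _hmac(k_date, region)
    k_service = _hmac(k_region, service)
    return _hmac(k_service, "aws4_request")


def build_upload_policy(now, max_bytes=5 * 1024 * 1024, expires_s=300, session_token=None):
    """The upload policy: everything the browser is allowed to do with the credentials."""
    date_stamp = now.strftime("%Y%m%d")
    credential = f"{ACCESS_KEY}/{date_stamp}/{REGION}/s3/aws4_request"
    conditions = [
        {"bucket": BUCKET},
        ["starts-with", "$key", KEY_PREFIX],          # writes only under this prefix
        ["starts-with", "$Content-Type", "image/"],   # only image uploads
        ["content-length-range", 1, max_bytes],       # no empty or oversized objects
        {"x-amz-algorithm": "AWS4-HMAC-SHA256"},
        {"x-amz-credential": credential},
        {"x-amz-date": now.strftime("%Y%m%dT%H%M%SZ")},
    ]
    if session_token:
        conditions.append({"x-amz-security-token": session_token})
    expiration = (now + datetime.timedelta(seconds=expires_s)).strftime("%Y-%m-%dT%H:%M:%SZ")
    return {"expiration": expiration, "conditions": conditions}


def sign_upload_form(now, session_token=None):
    """The signing step: hidden fields for the upload HTML form, posted to
    https://<bucket>.s3.<region>.amazonaws.com/. The signature binds every condition."""
    policy = build_upload_policy(now, session_token=session_token)
    policy_b64 = base64.b64encode(json.dumps(policy).encode()).decode()
    sig_key = signing_key(SECRET_KEY, now.strftime("%Y%m%d"), REGION)
    fields = {
        "key": KEY_PREFIX + "${filename}",  # S3 substitutes the uploaded file's name
        "Content-Type": "image/png",
        "policy": policy_b64,
        "x-amz-signature": hmac.new(sig_key, policy_b64.encode(), hashlib.sha256).hexdigest(),
    }
    for cond in policy["conditions"]:
        if isinstance(cond, dict) and next(iter(cond)).startswith("x-amz-"):
            fields.update(cond)  # x-amz-* conditions must be sent as form fields too
    return fields


def decode_policy(policy_b64):
    return json.loads(base64.b64decode(policy_b64))


def policy_allows(policy_b64, key, content_type, size):
    """Mirror of S3's check on arrival: every condition in the signed policy must hold."""
    values = {"$key": key, "$Content-Type": content_type}
    for cond in decode_policy(policy_b64)["conditions"]:
        if isinstance(cond, list) and cond[0] == "starts-with":
            if not values[cond[1]].startswith(cond[2]):
                return False
        elif isinstance(cond, list) and cond[0] == "content-length-range":
            if not cond[1] <= size <= cond[2]:
                return False
    return True


if __name__ == "__main__":
    form = sign_upload_form(datetime.datetime.now(datetime.timezone.utc), SESSION_TOKEN)
    for name, value in form.items():
        print(f'<input type="hidden" name="{name}" value="{value}">')
```

The point of signing server-side is that the browser only ever holds a short-lived signature over a fixed policy: it can upload one object under the allowed prefix, of the allowed type and size, before the expiry, and nothing else. Changing any field in the form invalidates the signature, so the limits cannot be loosened client-side.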

  25. / 26
    AWS Cognito
    • Authentication and authorization for your app
    • Custom attributes
    • A lot of UI out of the box
    • MFA, SMS verification, emailing
    • JWT, Social identity providers
    • Scalable, Rapid, Integrations (e.g. API Gateway)

  26. / 26
    API Gateway
    • Authorization integrations (Cognito, IAM, Custom)
    • API keys
    • Usage plans / throttling
    • Automatic (and free) DDoS protection for Cognito, IAM and Custom auth - not charged for failed requests
    • Web Application Firewall (WAF) via CloudFront

  27. / 26
    Thank you!