AWS User Group meetup 2 was dedicated to security. The Development Security Best Practices in AWS presentation describes the shared responsibility model, IAM, and best practices for DevSec in AWS.
priority for AWS
• Shared responsibility model
• Security "OF" the cloud: AWS is responsible for protecting the infrastructure that runs all of the services offered in the AWS Cloud
• Security "IN" the cloud: the customer's responsibility is determined by the AWS Cloud services that the customer selects
- All services, billing, console, programmatic access, customer support
• IAM Users, Groups and Roles
  • Access to specific services
  • Access to web console / programmatic access
  • Access to customer support
• Temporary credentials
  • Access to specific services
  • Access to web console / programmatic access
individual users
2. Permissions - Grant least privilege
3. Groups - Manage permissions with groups
4. Conditions - Restrict privileged access further with conditions
5. Password - Configure a strong password policy
6. Rotate - Rotate security credentials regularly
7. MFA - Enable MFA for privileged users
8. Sharing - Use IAM roles to share access
9. Roles - Use IAM roles for Amazon EC2 instances
10. Root - Reduce or remove use of root
of AWS Systems Manager
• No additional cost, free of charge
• Up to 10,000 params/secrets (upgrade to have more)
• KMS integration
• Secrets Manager
  • Secret generation
  • Automatic password rotation (RDS)
  • $0.40 per secret stored, $0.05 per 10,000 API calls
  • KMS integration
  • Extensible via Lambda
secrets with KMS
2. Create a secret parameter encrypted with the KMS key
3. Create a policy for Parameter Store access
4. Create a policy for KMS
5. Assign the policies to IAM roles
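Steps 3 to 5 are where least privilege is won or lost, so here is an added example (not from the presentation) that builds the two policy statements a role needs to read one KMS-encrypted SecureString parameter, and audits a policy for the usual over-grants. The region, account id, key ARN and parameter path are constructed placeholders; `kms:ViaService` is the real KMS condition key that limits use of the key to calls made through Systems Manager.

```python
"""Least-privilege policy for reading a KMS-encrypted SSM Parameter Store SecureString."""
import json

REGION = "eu-west-1"                 # constructed placeholder
ACCOUNT = "123456789012"             # constructed placeholder account id
KMS_KEY_ARN = f"arn:aws:kms:{REGION}:{ACCOUNT}:key/00000000-0000-0000-0000-000000000000"  # placeholder
PARAM_PATH = "/prod/app/db-password"  # constructed parameter name

def param_arn(path, region=REGION, account=ACCOUNT):
    # Parameter ARNs use a single slash after "parameter", so drop the leading "/" of a hierarchical name
    return f"arn:aws:ssm:{region}:{account}:parameter/{path.lstrip('/')}"

def read_policy(path, key_arn, region=REGION, account=ACCOUNT):
    """Steps 3 and 4 of the procedure in one document: read exactly one parameter,
    and use the key only when the request arrives via SSM in this region."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "ReadParam", "Effect": "Allow",
             "Action": ["ssm:GetParameter", "ssm:GetParameters"],
             "Resource": param_arn(path, region, account)},
            {"Sid": "DecryptViaSsm", "Effect": "Allow",
             "Action": "kms:Decrypt",
             "Resource": key_arn,
             "Condition": {"StringEquals": {"kms:ViaService": f"ssm.{region}.amazonaws.com"}}},
        ],
    }

def audit(policy):
    """Return findings for statements that break least privilege: wildcard resources,
    wildcard actions, or kms:Decrypt granted without a Condition block."""
    findings = []
    for st in policy["Statement"]:
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        resources = st["Resource"] if isinstance(st["Resource"], list) else [st["Resource"]]
        sid = st.get("Sid", "<no sid>")
        if "*" in resources:
            findings.append(f"{sid}: wildcard resource")
        if any(a.endswith("*") for a in actions):
            findings.append(f"{sid}: wildcard action")
        if "kms:Decrypt" in actions and "Condition" not in st:
            findings.append(f"{sid}: kms:Decrypt without kms:ViaService condition")
    return findings

if __name__ == "__main__":
    policy = read_policy(PARAM_PATH, KMS_KEY_ARN)
    print(json.dumps(policy, indent=2))
    print("audit findings:", audit(policy))
```

Attach the printed document to the instance or task role (step 5); the role then needs no ability to call `kms:Decrypt` directly, only through Parameter Store.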
• Custom attributes
• A lot of UI out of the box
• MFA, SMS verification, emailing
• JWT, social identity providers
• Scalable, rapid, integrations (e.g. API Gateway)
• API keys
• Usage plans / throttling
• Automatic (and free) DDoS protection for Cognito, IAM and custom auth: not charged for failed requests
• Web Application Firewall (WAF) via CloudFront