AWS Security Deep Dive

AWS Security Deep Dive

AWS User Group Glasgow, February 1st, 2017

An overview of how to approach security in the cloud, new services and features from AWS, and a glimpse of what we do internally to secure our operations.

7c9b8b368924556d8642bdaed3ded1f5?s=128

Danilo Poccia

February 01, 2017
Tweet

Transcript

  1. 2.

    Most Robust, Fully-Featured Technology Infrastructure Platform HYBRID ARCHITECTURE Data Backups

    Integrated App Deployments Direct Connect Identity Federation Integrated Resource Management Integrated Networking VMware Integration MARKETPLACE Business Apps Databases DevOps Tools Networking Security Storage Business Intelligence INFRASTRUCTURE Availability Zones Points of Presence Regions CORE SERVICES Compute VMs, Auto-scaling, Load Balancing, Containers, Cloud functions Storage Object, Blocks, File, Archivals, Import/Export Databases Relational, NoSQL, Caching, Migration CDN Networking VPC, DX, DNS Access Control Identity Management Key Management & Storage Monitoring & Logs SECURITY & COMPLIANCE Resource & Usage Auditing Configuration Compliance Web application firewall Assessment and reporting TECHNICAL & BUSINESS SUPPORT Support Professional Services Account Management Partner Ecosystem Solutions Architects Training & Certification Security & Billing Reports Optimization Guidance ENTERPRISE APPS Backup Corporate Email Sharing & Collaboration Virtual Desktops IoT Rules Engine Registry Device Shadows Device Gateway Device SDKs DEVELOPMENT & OPERATIONS MOBILE SERVICES APP SERVICES ANALYTICS Data Warehousing Hadoop/ Spark Streaming Data Collection Machine Learning Elastic Search Push Notifications Identity Sync Resource Templates One-click App Deployment Triggers Containers DevOps Resource Management Application Lifecycle Management API Gateway Transcoding Queuing & Notifications Email Workflow Search Streaming Data Analysis Business Intelligence Mobile Analytics Single Integrated Console Mobile App Testing Data Pipelines Petabyte-Scale Data Migration Database Migration Schema Conversion Application Migration MIGRATION
  2. 4.

    Evolution “Cloud will account for 92 percent of data center

    traffic by 2020” - Global Cloud Index (GCI) Forecast
  3. 5.

    Confidentiality – only authorized users can access data Integrity –

    data can’t be changed without detection Availability – data is accessible when needed Goals for secure application design
  4. 6.

    • Access control on systems and/or data itself • Principal,

    Action, Resource, Condition • Encryption • Renders data inaccessible without a key • Authenticated encryption protects data from modification • Easier to tightly control access to a key than the data • Independent controls for keys and data Confidentiality
  5. 7.

    • Physical integrity • Replicate across independent systems • Mitigates

    risk of data corruption or code errors • Logical integrity • Checksum • Message authentication code (MAC) • Digital signature Integrity
  6. 8.

    • Ability to access ANY copy of the data •

    How much time can your users live with zero access? • Latency of access to primary copy of the data • How much time can your users wait for normal access? Availability
  7. 9.

    AWS Foundation Services Compute Storage Database Networking AWS Global Infrastructure

    Regions Availability Zones Edge Locations Client-side Data Encryption Server-side Data Encryption Network Traffic Protection Platform, Applications, Identity & Access Management Operating System, Network & Firewall Configuration Customer content Customers Security is a shared responsibility Customers are responsible for their security IN the Cloud AWS is responsible for the security OF the Cloud
  8. 10.

    • Root Account • Enable Multi-Factor Authentication (MFA) • Use

    it for managing account structure and permissions only • Store its credentials safely • Use AWS Identity and Access Management (IAM) for everything else • Create personal users • Use roles when possible (e.g. EC2 workloads) AWS Account Management
  9. 11.

    • AWS compliance program – updates • Security tool enhancements

    in 2016 • How AWS handles security at scale • Recent announcements • The case for change
  10. 12.

    CARE DEEPLY ABOUT DATA SECURITY WE WORK TO GET THIS

    RIGHT FOR CUSTOMERS AWS COMPLIANCE
  11. 13.

    Customers choose where to place their data AWS regions are

    geographically isolated by design Data is not replicated to other AWS regions and doesn’t move unless the customer tell us to do so Customers always own their data, the ability to encrypt it, move it, and delete it DATA OWNERSHIP
  12. 16.

    COMPLIANCE – AWS ARTIFACT AWS Artifact provides customers with an

    easier process to obtain AWS compliance reports (SOC, PCI, ISO) with self- service, on-demand access via the console AWS Artifact
  13. 19.

    SOLUTIONS IN AWS MARKETPLACE INFRASTRUCTURE SECURITY LOGGING & MONITORING CONFIGURATION

    & VULNERABILITY ANALYSIS DATA PROTECTION aws.amazon.com/mp/security IDENTITY & ACCESS MANAGEMENT Deep Security-as-a-Service VM-Series Next- Generation Firewall Bundle 2 vSEC Web Application Firewall Unified Threat Management 9 FortiGate-VM SecureSphere WAF CloudInsight Security Platform (ESP) for AWS SecOps Log Management & Analytics Enterprise Cost & Security Management DataControl Transparent Encryption for AWS SafeNet ProtectV Identity & Access Management or AWS Security Manager OneLogin for AWS Identity Management for the Cloud § One-click launch § Ready-to-run on AWS § Pay only for what you use
  14. 20.

    MAKING COMPLIANCE EASIER AWS SOLUTION: AMAZON S3 DATA EVENTS AVAILABLE

    IN CLOUDTRAIL AND CLOUDWATCH EVENTS Amazon S3 AWS Lambda Amazon CloudWatch AWS CloudTrail
  15. 21.

    • AWS compliance program – updates • Security tool enhancements

    in 2016 • How AWS handles security at scale • Recent announcements • The case for change
  16. 23.

    Apply the security principles of “least privilege” and “segregation of

    responsibilities” AWS SOLUTION: AWS IDENTITY AND ACCESS MANAGEMENT
  17. 24.

    AWS IDENTITY AND ACCESS MANAGEMENT FEATURES ADDED IN 2016 •

    AWS Identity and Access Management (IAM) made 10 AWS managed policies available that align with common job functions in organizations • IAM console now helps prevent you from accidentally deleting in-use resources
  18. 25.

    AWS IDENTITY AND ACCESS MANAGEMENT FEATURES ADDED IN 2016 •

    Administrator • Billing • Database Administrator • Data Scientist • Developer Power User • Network Administrator • System Administrator • Security Auditor • Support User • View-Only User • AWS Identity and Access Management (IAM) made 10 AWS managed policies available that align with common job functions in organizations
  19. 27.

    Configuration Scanning Engine Activity Monitoring Built-in Content Library Automatable via

    API Fully Auditable AWS SOLUTION: AMAZON INSPECTOR Improved security posture Increased agility Embedded expertise Streamlined compliance AMAZON INSPECTOR BENEFITS
  20. 28.

    AMAZON INSPECTOR FEATURES ADDED IN 2016 • CIS certs for

    Windows Server 2008 R2, Server 2012, and Server 2012 R2 • Assessments complete even if some targeted agents are offline • Filter findings based on severity levels
  21. 30.

    AWS SOLUTION: KEY MANAGEMENT SERVICE Decide on an encryption key

    management strategy Manage and use keys in AWS Key Management Service (AWS KMS) Use service-provided built-in key management Use your own key management system Manage and use keys in AWS CloudHSM
  22. 31.

    • Bring your own keys to AWS Key Management Service

    using the KMS import key feature • AWS encryption SDK KEY MANAGEMENT SERVICE Features added in 2016
  23. 34.

    AWS SOLUTION: CONSTRAINT-BASED MONITORING • Making undecidable problems feel decidable

    in practice • Abstraction to finite/tractable problems • Counterexample-guided abstraction refinement • Interpolation for guessing inductive invariants To learn more please reference Byron Cook’s session, please see session: SEC401 – Automated Formal Reasoning About AWS Systems
  24. 38.

    • AWS compliance program – updates • Security tool enhancements

    in 2016 • How AWS handles security at scale • Recent announcements • The case for change
  25. 39.

    AWS Security – 2016 Pace of Innovation • Reviewed 2,233

    services and features in the last year • 319 compliance programs in scope across 40+ services • 5,769 overall security reviews YTD
  26. 40.

    How AWS handles security at scale • We operate over

    2,400 controls, but multiply that by the 64 services we have, over a period of 6 months that may be 30 million instances of control performance • We collect terabytes and terabytes of logs on our own data
  27. 41.

    AWS CloudTrail logs are a treasure trove of information •

    Examples: event type, source IP, principal/AKID, MFA used Use data to rapidly detect and respond to threats • “Walking” credentials • Compromised accounts • Other malicious behavior Detecting anomalies through AWS CloudTrail Logs
  28. 42.

    Collecting raw NetFlow-like logs in AWS Scenario: You purchased a

    company running on EC2 You've been asked "Tell us of any known suspicious activity or activity indicating possible compromise for the main web server"
  29. 43.

    Autoticketing • Find and close gaps in security monitoring •

    Be highly accurate and actionable • Deliver results with low latency
  30. 44.

    How AWS handles security at scale Work generator Corp S3

    Results processor SNS Lambda (async) Scan target Lambda (sync)
  31. 45.

    Change Management • Problem: controlled automated deployment and validation of

    daily deployments • Our response: automated auditable deployment and validation environment • How we use it: auditor validation of our preventative and detective change management controls • Benefit: all changes to environment and controlled and documented
  32. 48.

    Change Management Flagged Deployment ID: 47365690 Deployer: johndoe@ Deployment Time:

    09:56:23 11/15/2016 Flag reason: Approval was not documented in the change ticket
  33. 49.

    • AWS compliance program – updates • Security tool enhancements

    in 2016 • How AWS handles security at scale • Recent announcements • The case for change
  34. 50.

    AWS Security – re:Invent 2016 Preparation • Reviewed and tested

    91 service and feature launches for re:Invent 2016 • Leading into 2016 re:Invent (Sept-Nov 2016), AWS Security completed 139 pen-tests (equaling 2,357 person days)
  35. 51.

    Recent Announcements AWS Shield AWS Artifact (Compliance Reports) AWS Organizations

    AWS WAF (CloudFront and ALB) Amazon Certificate Manager (CloudFront and ELB)
  36. 53.

    • AWS compliance program – updates • Security tool enhancements

    in 2016 • How AWS handles security at scale • Recent announcements • The case for change
  37. 54.

    The case for change • DevOps, Agile, and Scrum on

    the rise… • Workload migrations to software defined environments… • Mass adoption of the public cloud… • Talent migration to progressive cloud companies… • Startups have game-changing tech at their disposal… • Competitive landscape is becoming fierce… • The perimeter is no longer an option… • Security, now more than ever, is an arms race…
  38. 55.

    The DevSecOps mindset • Customer focus • Open and transparent

    • Iteration over perfection • Hunting over reaction • Hmmm → Wait a minute, this sounds like a manifesto…insert shameless plug here: http://www.devsecops.org
  39. 56.
  40. 57.

    Security as code is easy with AWS AWS provides all

    the APIs! • Programmatically test environments • Determine state of environment at a specific point in time • Repeatable processes • Scalable operations
  41. 58.

    How can we learn DevSecOps? Security as Code? Security as

    Operations? Compliance Operations? Science? Experiment: Automate Policy Governance Experiment: Detection via Security Operations Experiment: Compliance via DevSecOps Toolkit Experiment: Science via Profiling DevOps + Security Start Here? DevOps + DevSecOps
  42. 59.

    Ready to build your DevSecOps platform? insights security science security

    tools & data AWS accounts S3 Glacier EC2 CloudTrail ingestion threat intel