AWS Security Deep Dive

AWS User Group Glasgow, February 1st, 2017

An overview of how to approach security in the cloud, new services and features from AWS, and a glimpse of what we do internally to secure our operations.

Danilo Poccia

February 01, 2017

Transcript

  1. AWS Security Deep Dive. Danilo Poccia, @danilop, AWS Technical Evangelist
  2. Most Robust, Fully-Featured Technology Infrastructure Platform (platform map slide; categories shown: Hybrid Architecture, Marketplace, Infrastructure, Core Services, Security & Compliance, Technical & Business Support, Enterprise Apps, IoT, Development & Operations, Mobile Services, App Services, Analytics, Migration)
  3. Pace Of Innovation: New Capabilities Daily. 1017
  4. Evolution: “Cloud will account for 92 percent of data center traffic by 2020” - Global Cloud Index (GCI) Forecast
  5. Goals for secure application design: Confidentiality – only authorized users can access data. Integrity – data can’t be changed without detection. Availability – data is accessible when needed
  6. Confidentiality • Access control on systems and/or data itself • Principal, Action, Resource, Condition • Encryption • Renders data inaccessible without a key • Authenticated encryption protects data from modification • Easier to tightly control access to a key than the data • Independent controls for keys and data
  7. Integrity • Physical integrity • Replicate across independent systems • Mitigates risk of data corruption or code errors • Logical integrity • Checksum • Message authentication code (MAC) • Digital signature
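Slides 6 and 7 contrast a checksum with a message authentication code and note that authenticated encryption protects data from modification. The following Python script is an added example (not from the talk) showing the practical difference: an attacker who can rewrite stored data can also recompute an unkeyed checksum, but cannot produce a valid HMAC tag without the key, which is why the key is kept under separate access controls from the data. The records and the key are constructed for the demo; only the standard library is used.

```python
"""Logical integrity checks: unkeyed checksum vs. keyed MAC (HMAC-SHA256).

Added example: shows that a checksum only detects accidental corruption,
while a MAC also detects deliberate modification by anyone lacking the key.
"""
import hashlib
import hmac
import secrets

# Constructed secret key for the demo; in a real deployment it would live in a
# key management service with access controls independent of the data store.
MAC_KEY = secrets.token_bytes(32)


def checksum(data: bytes) -> str:
    """Unkeyed checksum: anyone can recompute it after changing the data."""
    return hashlib.sha256(data).hexdigest()


def mac_tag(data: bytes, key: bytes = MAC_KEY) -> str:
    """Keyed MAC: only a holder of the key can produce a valid tag."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_mac(data: bytes, tag: str, key: bytes = MAC_KEY) -> bool:
    """Constant-time comparison so tag bytes do not leak through timing."""
    return hmac.compare_digest(mac_tag(data, key), tag)


def store(record: bytes) -> dict:
    """Simulate writing a record with both integrity values stored beside it."""
    return {"data": record, "checksum": checksum(record), "mac": mac_tag(record)}


def tamper_without_key(stored: dict, new_data: bytes) -> dict:
    """Simulate an actor with write access to storage but not to MAC_KEY.

    They can rewrite the data and recompute the unkeyed checksum, but can only
    leave the old MAC tag in place (or guess one).
    """
    return {"data": new_data, "checksum": checksum(new_data), "mac": stored["mac"]}


def integrity_report(stored: dict) -> dict:
    """Report which integrity controls still validate for a stored record."""
    return {
        "checksum_ok": checksum(stored["data"]) == stored["checksum"],
        "mac_ok": verify_mac(stored["data"], stored["mac"]),
    }


if __name__ == "__main__":
    original = store(b"transfer 100 EUR to account 1234")   # constructed record
    print("original:", integrity_report(original))          # both controls pass
    forged = tamper_without_key(original, b"transfer 100 EUR to account 9999")
    print("forged:  ", integrity_report(forged))            # checksum passes, MAC fails
```

A digital signature (the third item on slide 7) gives the same tamper detection with an asymmetric key, so that verifiers do not need the secret that produced the tag.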
  8. Availability • Ability to access ANY copy of the data • How much time can your users live with zero access? • Latency of access to primary copy of the data • How much time can your users wait for normal access?
  9. Security is a shared responsibility. AWS is responsible for the security OF the Cloud: AWS Foundation Services (Compute, Storage, Database, Networking) and AWS Global Infrastructure (Regions, Availability Zones, Edge Locations). Customers are responsible for their security IN the Cloud: Customer content; Platform, Applications, Identity & Access Management; Operating System, Network & Firewall Configuration; Client-side Data Encryption; Server-side Data Encryption; Network Traffic Protection
  10. AWS Account Management • Root Account • Enable Multi-Factor Authentication (MFA) • Use it for managing account structure and permissions only • Store its credentials safely • Use AWS Identity and Access Management (IAM) for everything else • Create personal users • Use roles when possible (e.g. EC2 workloads)
  11. • AWS compliance program – updates • Security tool enhancements in 2016 • How AWS handles security at scale • Recent announcements • The case for change
  12. AWS COMPLIANCE: CARE DEEPLY ABOUT DATA SECURITY. WE WORK TO GET THIS RIGHT FOR CUSTOMERS
  13. DATA OWNERSHIP: Customers choose where to place their data. AWS regions are geographically isolated by design. Data is not replicated to other AWS regions and doesn’t move unless the customer tells us to do so. Customers always own their data, the ability to encrypt it, move it, and delete it
  14. AWS Global Infrastructure
  15. Our Audit and Certification Approach: 70+ services, 7,710 Audit Artifacts, 2,670 Controls, 3,030 Audit Requirements
  16. COMPLIANCE – AWS ARTIFACT: AWS Artifact provides customers with an easier process to obtain AWS compliance reports (SOC, PCI, ISO) with self-service, on-demand access via the console
  17. MAKING COMPLIANCE EASIER. AWS SOLUTION: MARKETPLACE PROGRAM
  18. MAKING COMPLIANCE EASIER. AWS SOLUTION: MARKETPLACE PROGRAM – ALLGRESS
  19. SOLUTIONS IN AWS MARKETPLACE (aws.amazon.com/mp/security). Categories: INFRASTRUCTURE SECURITY, LOGGING & MONITORING, CONFIGURATION & VULNERABILITY ANALYSIS, DATA PROTECTION, IDENTITY & ACCESS MANAGEMENT. Offerings shown: Deep Security-as-a-Service, VM-Series Next-Generation Firewall Bundle 2, vSEC, Web Application Firewall, Unified Threat Management 9, FortiGate-VM, SecureSphere WAF, CloudInsight, Security Platform (ESP) for AWS, SecOps, Log Management & Analytics, Enterprise Cost & Security Management, DataControl, Transparent Encryption for AWS, SafeNet ProtectV, Identity & Access Management, AWS Security Manager, OneLogin for AWS, Identity Management for the Cloud § One-click launch § Ready-to-run on AWS § Pay only for what you use
  20. MAKING COMPLIANCE EASIER. AWS SOLUTION: AMAZON S3 DATA EVENTS AVAILABLE IN CLOUDTRAIL AND CLOUDWATCH EVENTS (Amazon S3, AWS Lambda, Amazon CloudWatch, AWS CloudTrail)
  21. • AWS compliance program – updates • Security tool enhancements in 2016 • How AWS handles security at scale • Recent announcements • The case for change
  22. AWS IDENTITY AND ACCESS MANAGEMENT (IAM): SECURELY CONTROL ACCESS TO AWS SERVICES AND RESOURCES
  23. AWS SOLUTION: AWS IDENTITY AND ACCESS MANAGEMENT. Apply the security principles of “least privilege” and “segregation of responsibilities”
  24. AWS IDENTITY AND ACCESS MANAGEMENT FEATURES ADDED IN 2016 • AWS Identity and Access Management (IAM) made 10 AWS managed policies available that align with common job functions in organizations • IAM console now helps prevent you from accidentally deleting in-use resources
  25. AWS IDENTITY AND ACCESS MANAGEMENT FEATURES ADDED IN 2016 • AWS Identity and Access Management (IAM) made 10 AWS managed policies available that align with common job functions in organizations: Administrator, Billing, Database Administrator, Data Scientist, Developer Power User, Network Administrator, System Administrator, Security Auditor, Support User, View-Only User
  26. AMAZON INSPECTOR: SECURITY ASSESSMENT TOOL ANALYZING END TO END APPLICATION CONFIGURATION AND ACTIVITY
  27. AWS SOLUTION: AMAZON INSPECTOR. Configuration Scanning Engine, Activity Monitoring, Built-in Content Library, Automatable via API, Fully Auditable. AMAZON INSPECTOR BENEFITS: Improved security posture, Increased agility, Embedded expertise, Streamlined compliance
  28. AMAZON INSPECTOR FEATURES ADDED IN 2016 • CIS certs for Windows Server 2008 R2, Server 2012, and Server 2012 R2 • Assessments complete even if some targeted agents are offline • Filter findings based on severity levels
  29. AWS KEY MANAGEMENT SERVICE: CONTROL YOUR ENCRYPTION KEYS
  30. AWS SOLUTION: KEY MANAGEMENT SERVICE. Decide on an encryption key management strategy: Manage and use keys in AWS Key Management Service (AWS KMS); Use service-provided built-in key management; Use your own key management system; Manage and use keys in AWS CloudHSM
  31. KEY MANAGEMENT SERVICE: Features added in 2016 • Bring your own keys to AWS Key Management Service using the KMS import key feature • AWS encryption SDK
  32. CONSTRAINT-BASED MONITORING: AUTOMATED REASONING
  33. AWS SOLUTION: CONSTRAINT-BASED MONITORING. A TOOL FOR STATIC ANALYSIS OF AMAZON EC2/VPC NETWORKS
  34. AWS SOLUTION: CONSTRAINT-BASED MONITORING • Making undecidable problems feel decidable in practice • Abstraction to finite/tractable problems • Counterexample-guided abstraction refinement • Interpolation for guessing inductive invariants. To learn more, see Byron Cook’s session SEC401 – Automated Formal Reasoning About AWS Systems
  35. SPEED OF SECURITY: GO BIG WITH INSTANCES
  36. X1 INSTANCES
  37. P2 INSTANCES
  38. • AWS compliance program – updates • Security tool enhancements in 2016 • How AWS handles security at scale • Recent announcements • The case for change
  39. AWS Security – 2016 Pace of Innovation • Reviewed 2,233 services and features in the last year • 319 compliance programs in scope across 40+ services • 5,769 overall security reviews YTD
  40. How AWS handles security at scale • We operate over 2,400 controls, but multiply that by the 64 services we have, over a period of 6 months that may be 30 million instances of control performance • We collect terabytes and terabytes of logs on our own data
  41. Detecting anomalies through AWS CloudTrail Logs • AWS CloudTrail logs are a treasure trove of information • Examples: event type, source IP, principal/AKID, MFA used • Use data to rapidly detect and respond to threats • “Walking” credentials • Compromised accounts • Other malicious behavior
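Slide 41 names the CloudTrail fields worth watching (event type, source IP, principal/access key id, MFA used) and the threats they expose (walking credentials, compromised accounts). As an added example, not the talk's own tooling, here is a small Python detector that runs those checks over CloudTrail-style records. It also picks up slide 10's root-account guidance by flagging any root activity. The records are constructed and use only a subset of the real CloudTrail record schema; the 15-minute window and the three-IP threshold for walking credentials are assumptions to tune for your environment.

```python
"""Simple anomaly detectors over CloudTrail-style records (added example).

Detectors: root account usage, console sign-in without MFA, and "walking"
credentials (one access key id seen from several source IPs within a window).
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed records using a subset of CloudTrail's real field names.
SAMPLE_EVENTS = [
    {"eventTime": "2017-02-01T09:00:00Z", "eventName": "ConsoleLogin",
     "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventTime": "2017-02-01T09:05:00Z", "eventName": "ConsoleLogin",
     "sourceIPAddress": "203.0.113.11",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "additionalEventData": {"MFAUsed": "Yes"}},
    {"eventTime": "2017-02-01T09:10:00Z", "eventName": "DescribeInstances",
     "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "deploy",
                      "accessKeyId": "AKIAEXAMPLE000000001"}},
    {"eventTime": "2017-02-01T09:12:00Z", "eventName": "ListBuckets",
     "sourceIPAddress": "192.0.2.55",
     "userIdentity": {"type": "IAMUser", "userName": "deploy",
                      "accessKeyId": "AKIAEXAMPLE000000001"}},
    {"eventTime": "2017-02-01T09:14:00Z", "eventName": "GetCallerIdentity",
     "sourceIPAddress": "198.18.0.9",
     "userIdentity": {"type": "IAMUser", "userName": "deploy",
                      "accessKeyId": "AKIAEXAMPLE000000001"}},
]

# Assumed thresholds for the walking-credentials detector.
WALK_WINDOW = timedelta(minutes=15)
WALK_MIN_IPS = 3


def parse_time(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def detect_root_usage(events):
    """Any sign-in or API call by the root principal deserves a ticket."""
    return [e for e in events if e["userIdentity"].get("type") == "Root"]


def detect_console_login_without_mfa(events):
    """Console sign-ins where CloudTrail did not record MFA use."""
    return [e for e in events
            if e["eventName"] == "ConsoleLogin"
            and e.get("additionalEventData", {}).get("MFAUsed") != "Yes"]


def detect_walking_credentials(events, window=WALK_WINDOW, min_ips=WALK_MIN_IPS):
    """Flag access keys used from >= min_ips distinct IPs inside `window`.

    Returns {accessKeyId: sorted list of the source IPs involved}.
    """
    by_key = defaultdict(list)
    for e in events:
        akid = e["userIdentity"].get("accessKeyId")
        if akid:
            by_key[akid].append((parse_time(e["eventTime"]), e["sourceIPAddress"]))
    findings = {}
    for akid, uses in by_key.items():
        uses.sort()
        for i, (t0, _) in enumerate(uses):          # slide the window forward
            ips = {ip for t, ip in uses[i:] if t - t0 <= window}
            if len(ips) >= min_ips:
                findings[akid] = sorted(ips)
                break
    return findings


def run_all(events):
    """Bundle the three detectors into one report suitable for auto-ticketing."""
    return {
        "root_usage": [e["eventName"] for e in detect_root_usage(events)],
        "login_without_mfa": [e["userIdentity"].get("userName", "root")
                              for e in detect_console_login_without_mfa(events)],
        "walking_credentials": detect_walking_credentials(events),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(run_all(SAMPLE_EVENTS), indent=2))
```

In production the input would be the gzipped JSON objects CloudTrail delivers to S3 (each file's `Records` array), and the output would feed the auto-ticketing flow described on slide 43 rather than stdout.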
  42. Collecting raw NetFlow-like logs in AWS. Scenario: You purchased a company running on EC2. You've been asked "Tell us of any known suspicious activity or activity indicating possible compromise for the main web server"
  43. Autoticketing • Find and close gaps in security monitoring • Be highly accurate and actionable • Deliver results with low latency
  44. How AWS handles security at scale (pipeline diagram: Work generator, Corp, S3, Results processor, SNS, Lambda (async), Scan target, Lambda (sync))
  45. Change Management • Problem: controlled automated deployment and validation of daily deployments • Our response: automated auditable deployment and validation environment • How we use it: auditor validation of our preventative and detective change management controls • Benefit: all changes to the environment are controlled and documented
  46. Change Management (diagram, steps 1 to 5)
  47. Change Management: QA & Code Review (diagram, steps 1 to 6)
  48. Change Management: Flagged Deployment. ID: 47365690, Deployer: johndoe@, Deployment Time: 09:56:23 11/15/2016, Flag reason: Approval was not documented in the change ticket
  49. • AWS compliance program – updates • Security tool enhancements in 2016 • How AWS handles security at scale • Recent announcements • The case for change
  50. AWS Security – re:Invent 2016 Preparation • Reviewed and tested 91 service and feature launches for re:Invent 2016 • Leading into 2016 re:Invent (Sept-Nov 2016), AWS Security completed 139 pen-tests (equaling 2,357 person days)
  51. Recent Announcements: AWS Shield, AWS Artifact (Compliance Reports), AWS Organizations, AWS WAF (CloudFront and ALB), Amazon Certificate Manager (CloudFront and ELB)
  52. AWS Lambda triggered by “Security Events”: Amazon CloudWatch Events, AWS WAF, AWS Config, AWS CloudTrail
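Slide 52 shows Lambda functions reacting to security events delivered through CloudWatch Events, with CloudTrail as one source. As an added example (not code from the talk), the Python handler below is the kind of function such a rule would invoke: it receives an "AWS API Call via CloudTrail" event for `AuthorizeSecurityGroupIngress` and flags rules that expose administrative or database ports to the whole internet. The event is constructed, the restricted-port list is an assumed policy, and no AWS API is called, so the handler runs offline; a real deployment would forward the finding to SNS or a ticketing system and possibly revoke the rule.

```python
"""Lambda handler for a CloudWatch Events rule on AuthorizeSecurityGroupIngress
(added example). Flags ingress rules that open restricted ports to 0.0.0.0/0
or ::/0. Runs offline: no boto3 calls, constructed sample event.
"""
import json

# Assumed policy: ports that must never be reachable from the whole internet.
RESTRICTED_PORTS = {22, 3389, 3306, 5432}
WORLD_CIDRS = {"0.0.0.0/0", "::/0"}

# Constructed event in the shape CloudWatch Events uses for CloudTrail calls;
# the EC2 request parameters nest lists under an "items" key.
SAMPLE_EVENT = {
    "detail-type": "AWS API Call via CloudTrail",
    "source": "aws.ec2",
    "detail": {
        "eventName": "AuthorizeSecurityGroupIngress",
        "userIdentity": {"arn": "arn:aws:iam::111122223333:user/deploy"},
        "requestParameters": {
            "groupId": "sg-0123456789abcdef0",
            "ipPermissions": {"items": [
                {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
                 "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]},
                 "ipv6Ranges": {"items": []}},
                {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443,
                 "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]},
                 "ipv6Ranges": {"items": []}},
                {"ipProtocol": "tcp", "fromPort": 3306, "toPort": 3306,
                 "ipRanges": {"items": [{"cidrIp": "10.0.0.0/8"}]},
                 "ipv6Ranges": {"items": []}},
            ]},
        },
    },
}


def _cidrs(permission):
    """Collect IPv4 and IPv6 CIDRs from one ipPermissions entry."""
    v4 = [r.get("cidrIp") for r in permission.get("ipRanges", {}).get("items", [])]
    v6 = [r.get("cidrIpv6") for r in permission.get("ipv6Ranges", {}).get("items", [])]
    return [c for c in v4 + v6 if c]


def world_open_restricted_rules(detail):
    """Return findings for permissions exposing a restricted port to the world."""
    findings = []
    params = detail.get("requestParameters", {})
    for perm in params.get("ipPermissions", {}).get("items", []):
        lo, hi = perm.get("fromPort"), perm.get("toPort")
        if lo is None or hi is None:       # protocol "-1" (all traffic) has no ports
            lo, hi = 0, 65535
        exposed = sorted(p for p in RESTRICTED_PORTS if lo <= p <= hi)
        for cidr in _cidrs(perm):
            if cidr in WORLD_CIDRS and exposed:
                findings.append({"groupId": params.get("groupId"), "ports": exposed,
                                 "cidr": cidr, "protocol": perm.get("ipProtocol")})
    return findings


def lambda_handler(event, context=None):
    """Entry point; the CloudWatch Events rule filters on the event name, but
    the handler re-checks it so a misconfigured rule cannot produce false alerts."""
    detail = event.get("detail", {})
    if detail.get("eventName") != "AuthorizeSecurityGroupIngress":
        return {"status": "ignored", "findings": []}
    findings = world_open_restricted_rules(detail)
    return {
        "status": "alert" if findings else "ok",
        "actor": detail.get("userIdentity", {}).get("arn"),
        "findings": findings,
    }


if __name__ == "__main__":
    print(json.dumps(lambda_handler(SAMPLE_EVENT), indent=2))
```

The same skeleton serves AWS Config as a source: a Config rule invokes the function with the resource's configuration item instead of an API-call record, and the evaluation logic stays the same.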
  53. • AWS compliance program – updates • Security tool enhancements in 2016 • How AWS handles security at scale • Recent announcements • The case for change
  54. The case for change • DevOps, Agile, and Scrum on the rise… • Workload migrations to software defined environments… • Mass adoption of the public cloud… • Talent migration to progressive cloud companies… • Startups have game-changing tech at their disposal… • Competitive landscape is becoming fierce… • The perimeter is no longer an option… • Security, now more than ever, is an arms race…
  55. The DevSecOps mindset • Customer focus • Open and transparent • Iteration over perfection • Hunting over reaction • Hmmm → Wait a minute, this sounds like a manifesto… insert shameless plug here: http://www.devsecops.org
  56. Where to start? • Pontificate? • Checklists? • 1-pagers? 6-pagers? Documents? (Page 3 of 433) → Security as code
  57. Security as code is easy with AWS: AWS provides all the APIs! • Programmatically test environments • Determine state of environment at a specific point in time • Repeatable processes • Scalable operations
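Slide 57's "determine state of environment at a specific point in time" and slide 10's account hygiene rules (MFA everywhere, root account kept out of daily use, personal users) combine naturally into one security-as-code check. The Python below is an added example, not the talk's code: IAM can produce a CSV credential report for an account, and this script parses such a report and asserts the hygiene rules against it. The report here is constructed and keeps only a subset of the real columns; the 90-day key rotation limit and the "as of" date are assumptions.

```python
"""Point-in-time IAM hygiene check over a credential report CSV (added example).

Rules asserted: root account has no active access keys and has MFA; every
user with a console password has MFA; every active access key was rotated
within KEY_MAX_AGE.
"""
import csv
import io
from datetime import datetime, timedelta

KEY_MAX_AGE = timedelta(days=90)  # assumed rotation policy

# Constructed report with a subset of the real credential report columns.
# Real reports use "true"/"false", ISO-8601 timestamps and "N/A" as shown.
SAMPLE_REPORT = """user,arn,password_enabled,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_2_active,access_key_2_last_rotated
<root_account>,arn:aws:iam::111122223333:root,true,true,true,2016-01-10T08:00:00+00:00,false,N/A
alice,arn:aws:iam::111122223333:user/alice,true,true,false,N/A,false,N/A
bob,arn:aws:iam::111122223333:user/bob,true,false,true,2017-01-15T12:00:00+00:00,false,N/A
deploy,arn:aws:iam::111122223333:user/deploy,false,false,true,2016-06-01T00:00:00+00:00,true,2016-12-20T09:30:00+00:00
"""


def parse_report(text):
    """Parse the CSV into one dict per user row."""
    return list(csv.DictReader(io.StringIO(text)))


def _parse_date(value):
    """Credential reports use placeholders for missing dates; treat them as unknown."""
    if value in ("N/A", "no_information", "not_supported", ""):
        return None
    return datetime.fromisoformat(value.replace("+00:00", ""))  # naive UTC


def audit(rows, now):
    """Return (user, problem) pairs for every rule violated as of `now`."""
    findings = []
    for row in rows:
        user = row["user"]
        active_keys = [(n, _parse_date(row[f"access_key_{n}_last_rotated"]))
                       for n in ("1", "2") if row[f"access_key_{n}_active"] == "true"]
        if user == "<root_account>":
            if active_keys:
                findings.append((user, "root account has active access keys"))
            if row["mfa_active"] != "true":
                findings.append((user, "root account has no MFA"))
            continue  # remaining rules are for IAM users
        if row["password_enabled"] == "true" and row["mfa_active"] != "true":
            findings.append((user, "console password enabled without MFA"))
        for n, rotated in active_keys:
            if rotated is None or now - rotated > KEY_MAX_AGE:
                findings.append((user, f"access key {n} older than {KEY_MAX_AGE.days} days"))
    return findings


def audit_report_text(text, now):
    """Convenience wrapper: parse then audit."""
    return audit(parse_report(text), now)


if __name__ == "__main__":
    as_of = datetime(2017, 2, 1)  # assumed evaluation date
    for user, problem in audit_report_text(SAMPLE_REPORT, as_of):
        print(f"{user}: {problem}")
```

Because the check is a pure function of report text and a date, it can run in CI against a freshly generated report, making the control repeatable and scalable in the sense slide 57 describes.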
  58. How can we learn DevSecOps? Security as Code? Security as Operations? Compliance Operations? Science? Experiments: Automate Policy Governance; Detection via Security Operations; Compliance via DevSecOps Toolkit; Science via Profiling. DevOps + Security, DevOps + DevSecOps: Start Here?
  59. Ready to build your DevSecOps platform? (diagram: AWS accounts, CloudTrail, ingestion, threat intel, tools & data, S3, Glacier, EC2, security science, insights, security)
  60. Evolution: Today's "cloud-first" strategy is already moving toward "cloud-only" - IDC, “Industry Predictions for 2017”
  61. ADDITIONAL RESOURCES • https://aws.amazon.com/security/ • https://aws.amazon.com/compliance/ • https://aws.amazon.com/blogs/security/
  62. AWS Security Deep Dive. Danilo Poccia, @danilop, AWS Technical Evangelist