AWS Security Deep Dive

AWS Security Deep Dive Danilo Poccia @danilop danilop AWS Technical
Evangelist

Most Robust, Fully-Featured Technology Infrastructure Platform HYBRID ARCHITECTURE Data Backups
Integrated App Deployments Direct Connect Identity Federation Integrated Resource Management Integrated Networking VMware Integration MARKETPLACE Business Apps Databases DevOps Tools Networking Security Storage Business Intelligence INFRASTRUCTURE Availability Zones Points of Presence Regions CORE SERVICES Compute VMs, Auto-scaling, Load Balancing, Containers, Cloud functions Storage Object, Blocks, File, Archivals, Import/Export Databases Relational, NoSQL, Caching, Migration CDN Networking VPC, DX, DNS Access Control Identity Management Key Management & Storage Monitoring & Logs SECURITY & COMPLIANCE Resource & Usage Auditing Configuration Compliance Web application firewall Assessment and reporting TECHNICAL & BUSINESS SUPPORT Support Professional Services Account Management Partner Ecosystem Solutions Architects Training & Certification Security & Billing Reports Optimization Guidance ENTERPRISE APPS Backup Corporate Email Sharing & Collaboration Virtual Desktops IoT Rules Engine Registry Device Shadows Device Gateway Device SDKs DEVELOPMENT & OPERATIONS MOBILE SERVICES APP SERVICES ANALYTICS Data Warehousing Hadoop/ Spark Streaming Data Collection Machine Learning Elastic Search Push Notifications Identity Sync Resource Templates One-click App Deployment Triggers Containers DevOps Resource Management Application Lifecycle Management API Gateway Transcoding Queuing & Notifications Email Workflow Search Streaming Data Analysis Business Intelligence Mobile Analytics Single Integrated Console Mobile App Testing Data Pipelines Petabyte-Scale Data Migration Database Migration Schema Conversion Application Migration MIGRATION

Pace Of Innovation: New Capabilities Daily 1017

Evolution “Cloud will account for 92 percent of data center
traffic by 2020” - Global Cloud Index (GCI) Forecast

Confidentiality – only authorized users can access data Integrity –
data can’t be changed without detection Availability – data is accessible when needed Goals for secure application design

• Access control on systems and/or data itself • Principal,
Action, Resource, Condition • Encryption • Renders data inaccessible without a key • Authenticated encryption protects data from modification • Easier to tightly control access to a key than the data • Independent controls for keys and data Confidentiality

• Physical integrity • Replicate across independent systems • Mitigates
risk of data corruption or code errors • Logical integrity • Checksum • Message authentication code (MAC) • Digital signature Integrity

• Ability to access ANY copy of the data •
How much time can your users live with zero access? • Latency of access to primary copy of the data • How much time can your users wait for normal access? Availability

AWS Foundation Services Compute Storage Database Networking AWS Global Infrastructure
Regions Availability Zones Edge Locations Client-side Data Encryption Server-side Data Encryption Network Traffic Protection Platform, Applications, Identity & Access Management Operating System, Network & Firewall Configuration Customer content Customers Security is a shared responsibility Customers are responsible for their security IN the Cloud AWS is responsible for the security OF the Cloud

• Root Account • Enable Multi-Factor Authentication (MFA) • Use
it for managing account structure and permissions only • Store its credentials safely • Use AWS Identity and Access Management (IAM) for everything else • Create personal users • Use roles when possible (e.g. EC2 workloads) AWS Account Management

• AWS compliance program – updates • Security tool enhancements
in 2016 • How AWS handles security at scale • Recent announcements • The case for change

CARE DEEPLY ABOUT DATA SECURITY WE WORK TO GET THIS
RIGHT FOR CUSTOMERS AWS COMPLIANCE

Customers choose where to place their data AWS regions are
geographically isolated by design Data is not replicated to other AWS regions and doesn’t move unless the customer tell us to do so Customers always own their data, the ability to encrypt it, move it, and delete it DATA OWNERSHIP

AWS Global Infrastructure

Our Audit and Certification Approach 70+ services 7,710 Audit Artifacts
2,670 Controls 3,030 Audit Requirements

COMPLIANCE – AWS ARTIFACT AWS Artifact provides customers with an
easier process to obtain AWS compliance reports (SOC, PCI, ISO) with self- service, on-demand access via the console AWS Artifact

MAKING COMPLIANCE EASIER AWS SOLUTION: MARKETPLACE PROGRAM

MAKING COMPLIANCE EASIER AWS SOLUTION: MARKETPLACE PROGRAM – ALLGRESS

SOLUTIONS IN AWS MARKETPLACE INFRASTRUCTURE SECURITY LOGGING & MONITORING CONFIGURATION
& VULNERABILITY ANALYSIS DATA PROTECTION aws.amazon.com/mp/security IDENTITY & ACCESS MANAGEMENT Deep Security-as-a-Service VM-Series Next- Generation Firewall Bundle 2 vSEC Web Application Firewall Unified Threat Management 9 FortiGate-VM SecureSphere WAF CloudInsight Security Platform (ESP) for AWS SecOps Log Management & Analytics Enterprise Cost & Security Management DataControl Transparent Encryption for AWS SafeNet ProtectV Identity & Access Management or AWS Security Manager OneLogin for AWS Identity Management for the Cloud § One-click launch § Ready-to-run on AWS § Pay only for what you use

MAKING COMPLIANCE EASIER AWS SOLUTION: AMAZON S3 DATA EVENTS AVAILABLE
IN CLOUDTRAIL AND CLOUDWATCH EVENTS Amazon S3 AWS Lambda Amazon CloudWatch AWS CloudTrail

AWS IDENTITY AND ACCESS MANAGEMENT (IAM) SECURELY CONTROL ACCESS TO
AWS SERVICES AND RESOURCES

Apply the security principles of “least privilege” and “segregation of
responsibilities” AWS SOLUTION: AWS IDENTITY AND ACCESS MANAGEMENT

AWS IDENTITY AND ACCESS MANAGEMENT FEATURES ADDED IN 2016 •
AWS Identity and Access Management (IAM) made 10 AWS managed policies available that align with common job functions in organizations • IAM console now helps prevent you from accidentally deleting in-use resources

AWS IDENTITY AND ACCESS MANAGEMENT FEATURES ADDED IN 2016 •
Administrator • Billing • Database Administrator • Data Scientist • Developer Power User • Network Administrator • System Administrator • Security Auditor • Support User • View-Only User • AWS Identity and Access Management (IAM) made 10 AWS managed policies available that align with common job functions in organizations

SECURITY ASSESSMENT TOOL ANALYZING END TO END APPLICATION CONFIGURATION AND
ACTIVITY AMAZON INSPECTOR

Configuration Scanning Engine Activity Monitoring Built-in Content Library Automatable via
API Fully Auditable AWS SOLUTION: AMAZON INSPECTOR Improved security posture Increased agility Embedded expertise Streamlined compliance AMAZON INSPECTOR BENEFITS

AMAZON INSPECTOR FEATURES ADDED IN 2016 • CIS certs for
Windows Server 2008 R2, Server 2012, and Server 2012 R2 • Assessments complete even if some targeted agents are offline • Filter findings based on severity levels

AWS KEY MANAGEMENT SERVICE CONTROL YOUR ENCRYPTION KEYS

AWS SOLUTION: KEY MANAGEMENT SERVICE Decide on an encryption key
management strategy Manage and use keys in AWS Key Management Service (AWS KMS) Use service-provided built-in key management Use your own key management system Manage and use keys in AWS CloudHSM

• Bring your own keys to AWS Key Management Service
using the KMS import key feature • AWS encryption SDK KEY MANAGEMENT SERVICE Features added in 2016

CONSTRAINT-BASED MONITORING AUTOMATED REASONING

AWS SOLUTION: CONSTRAINT-BASED MONITORING A TOOL FOR STATIC ANALYSIS OF
AMAZON EC2/VPC NETWORKS

AWS SOLUTION: CONSTRAINT-BASED MONITORING • Making undecidable problems feel decidable
in practice • Abstraction to finite/tractable problems • Counterexample-guided abstraction refinement • Interpolation for guessing inductive invariants To learn more please reference Byron Cook’s session, please see session: SEC401 – Automated Formal Reasoning About AWS Systems

SPEED OF SECURITY GO BIG WITH INSTANCES

X1 INSTANCES

P2 INSTANCES

AWS Security – 2016 Pace of Innovation • Reviewed 2,233
services and features in the last year • 319 compliance programs in scope across 40+ services • 5,769 overall security reviews YTD

How AWS handles security at scale • We operate over
2,400 controls, but multiply that by the 64 services we have, over a period of 6 months that may be 30 million instances of control performance • We collect terabytes and terabytes of logs on our own data

AWS CloudTrail logs are a treasure trove of information •
Examples: event type, source IP, principal/AKID, MFA used Use data to rapidly detect and respond to threats • “Walking” credentials • Compromised accounts • Other malicious behavior Detecting anomalies through AWS CloudTrail Logs

Collecting raw NetFlow-like logs in AWS Scenario: You purchased a
company running on EC2 You've been asked "Tell us of any known suspicious activity or activity indicating possible compromise for the main web server"

Autoticketing • Find and close gaps in security monitoring •
Be highly accurate and actionable • Deliver results with low latency

How AWS handles security at scale Work generator Corp S3
Results processor SNS Lambda (async) Scan target Lambda (sync)

Change Management • Problem: controlled automated deployment and validation of
daily deployments • Our response: automated auditable deployment and validation environment • How we use it: auditor validation of our preventative and detective change management controls • Benefit: all changes to environment and controlled and documented

Change Management 1 2 3 4 5

Change Management QA & Code Review 1 2 3 4
5 6

Change Management Flagged Deployment ID: 47365690 Deployer: johndoe@ Deployment Time:
09:56:23 11/15/2016 Flag reason: Approval was not documented in the change ticket

AWS Security – re:Invent 2016 Preparation • Reviewed and tested
91 service and feature launches for re:Invent 2016 • Leading into 2016 re:Invent (Sept-Nov 2016), AWS Security completed 139 pen-tests (equaling 2,357 person days)

Recent Announcements AWS Shield AWS Artifact (Compliance Reports) AWS Organizations
AWS WAF (CloudFront and ALB) Amazon Certificate Manager (CloudFront and ELB)

AWS Lambda triggered by “Security Events” Amazon CloudWatch Events AWS
WAF AWS Config AWS CloudTrail

The case for change • DevOps, Agile, and Scrum on
the rise… • Workload migrations to software defined environments… • Mass adoption of the public cloud… • Talent migration to progressive cloud companies… • Startups have game-changing tech at their disposal… • Competitive landscape is becoming fierce… • The perimeter is no longer an option… • Security, now more than ever, is an arms race…

The DevSecOps mindset • Customer focus • Open and transparent
• Iteration over perfection • Hunting over reaction • Hmmm → Wait a minute, this sounds like a manifesto…insert shameless plug here: http://www.devsecops.org

Where to start? • Pontificate? • Checklists? • 1-pagers? 6-pagers?
Documents? Page 3 of 433 Security as code

Security as code is easy with AWS AWS provides all
the APIs! • Programmatically test environments • Determine state of environment at a specific point in time • Repeatable processes • Scalable operations

How can we learn DevSecOps? Security as Code? Security as
Operations? Compliance Operations? Science? Experiment: Automate Policy Governance Experiment: Detection via Security Operations Experiment: Compliance via DevSecOps Toolkit Experiment: Science via Profiling DevOps + Security Start Here? DevOps + DevSecOps

Ready to build your DevSecOps platform? insights security science security
tools & data AWS accounts S3 Glacier EC2 CloudTrail ingestion threat intel

Evolution Today's "cloud-first" strategy is already moving toward "cloud-only" -
IDC, “Industry Predictions for 2017”

• https://aws.amazon.com/security/ • https://aws.amazon.com/compliance/ • https://aws.amazon.com/blogs/security/ ADDITIONAL RESOURCES

AWS Security Deep Dive Danilo Poccia @danilop danilop AWS Technical
Evangelist

AWS Security Deep Dive

AWS Security Deep Dive

More Decks by Danilo Poccia

Other Decks in Programming

Featured

Transcript