AWS Security Deep Dive

AWS User Group Glasgow, February 1st, 2017

An overview of how to approach security in the cloud, new services and features from AWS, and a glimpse of what we do internally to secure our operations.

Danilo Poccia

February 01, 2017
Transcript

  1. AWS Security Deep Dive
    Danilo Poccia
    @danilop danilop
    AWS Technical Evangelist

  2. Most Robust, Fully-Featured Technology Infrastructure Platform
    (platform overview diagram; categories and the capabilities shown under each)
    HYBRID ARCHITECTURE: Data Backups, Integrated App Deployments, Direct Connect, Identity Federation, Integrated Resource Management, Integrated Networking, VMware Integration
    MARKETPLACE: Business Apps, Databases, DevOps Tools, Networking, Security, Storage, Business Intelligence
    INFRASTRUCTURE: Availability Zones, Points of Presence, Regions
    CORE SERVICES: Compute (VMs, Auto-scaling, Load Balancing, Containers, Cloud functions); Storage (Object, Blocks, File, Archivals, Import/Export); Databases (Relational, NoSQL, Caching, Migration); CDN; Networking (VPC, DX, DNS); Access Control; Identity Management; Key Management & Storage; Monitoring & Logs
    SECURITY & COMPLIANCE: Resource & Usage Auditing, Configuration Compliance, Web application firewall, Assessment and reporting
    TECHNICAL & BUSINESS SUPPORT: Support, Professional Services, Account Management, Partner Ecosystem, Solutions Architects, Training & Certification, Security & Billing Reports, Optimization Guidance
    ENTERPRISE APPS: Backup, Corporate Email, Sharing & Collaboration, Virtual Desktops
    IoT: Rules Engine, Registry, Device Shadows, Device Gateway, Device SDKs
    DEVELOPMENT & OPERATIONS, MOBILE SERVICES, APP SERVICES, ANALYTICS (items as laid out across these four columns): Data Warehousing, Hadoop/Spark, Streaming Data Collection, Machine Learning, Elastic Search, Push Notifications, Identity Sync, Resource Templates, One-click App Deployment, Triggers, Containers, DevOps Resource Management, Application Lifecycle Management, API Gateway, Transcoding, Queuing & Notifications, Email, Workflow, Search, Streaming Data Analysis, Business Intelligence, Mobile Analytics, Single Integrated Console, Mobile App Testing, Data Pipelines
    MIGRATION: Petabyte-Scale Data Migration, Database Migration, Schema Conversion, Application Migration

  3. Pace Of Innovation: New Capabilities Daily
    1017

  4. Evolution
    “Cloud will account for 92 percent of data center traffic by 2020”
    - Global Cloud Index (GCI) Forecast

  5. Goals for secure application design
    Confidentiality – only authorized users can access data
    Integrity – data can’t be changed without detection
    Availability – data is accessible when needed

  6. Confidentiality
    • Access control on systems and/or data itself
      • Principal, Action, Resource, Condition
    • Encryption
      • Renders data inaccessible without a key
      • Authenticated encryption protects data from modification
      • Easier to tightly control access to a key than the data
      • Independent controls for keys and data

  7. Integrity
    • Physical integrity
      • Replicate across independent systems
      • Mitigates risk of data corruption or code errors
    • Logical integrity
      • Checksum
      • Message authentication code (MAC)
      • Digital signature

  8. Availability
    • Ability to access ANY copy of the data
      • How much time can your users live with zero access?
    • Latency of access to primary copy of the data
      • How much time can your users wait for normal access?

  9. Security is a shared responsibility
    AWS is responsible for the security OF the Cloud:
      AWS Foundation Services: Compute, Storage, Database, Networking
      AWS Global Infrastructure: Regions, Availability Zones, Edge Locations
    Customers are responsible for their security IN the Cloud:
      Customer content
      Platform, Applications, Identity & Access Management
      Operating System, Network & Firewall Configuration
      Client-side Data Encryption, Server-side Data Encryption, Network Traffic Protection

  10. AWS Account Management
    • Root Account
      • Enable Multi-Factor Authentication (MFA)
      • Use it for managing account structure and permissions only
      • Store its credentials safely
    • Use AWS Identity and Access Management (IAM) for everything else
      • Create personal users
      • Use roles when possible (e.g. EC2 workloads)
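
The Principal/Action/Resource/Condition model from the Confidentiality slide and the MFA guidance above, as an added example that is not from the deck: a small evaluator for an IAM-style policy document. The bucket name, the sample policy and the evaluation logic are constructed assumptions; only the Bool and BoolIfExists condition operators are modelled, not the real IAM engine.

```python
import fnmatch

# Constructed sample policy (not from the deck): full access to one bucket plus
# an explicit Deny on deletes unless the caller authenticated with MFA.
# BoolIfExists is deliberate: aws:MultiFactorAuthPresent is absent from plain
# access-key calls, so a plain "Bool" test would never match and never deny.
POLICY = {"Statement": [
    {"Effect": "Allow", "Action": "s3:*",
     "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]},
    {"Effect": "Deny", "Action": "s3:DeleteObject", "Resource": "*",
     "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}},
]}

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _matches(value, patterns):
    # IAM wildcards ('*', '?') in Action and Resource elements
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))

def _condition_ok(cond, ctx):
    # Only Bool and BoolIfExists are modelled; IAM has many more operators.
    for op, tests in cond.items():
        if op not in ("Bool", "BoolIfExists"):
            raise ValueError("unsupported condition operator: " + op)
        for key, want in tests.items():
            if key not in ctx:
                if op == "BoolIfExists":
                    continue      # an absent key satisfies ...IfExists
                return False      # plain Bool never matches an absent key
            if str(ctx[key]).lower() != str(want).lower():
                return False
    return True

def evaluate(policy, action, resource, ctx=None):
    """Return 'allow' or 'deny': implicit deny by default, an explicit Deny
    overrides every Allow, otherwise one matching Allow is enough."""
    ctx = ctx or {}
    allowed = False
    for st in policy["Statement"]:
        if not (_matches(action, st["Action"]) and _matches(resource, st["Resource"])):
            continue
        if "Condition" in st and not _condition_ok(st["Condition"], ctx):
            continue
        if st["Effect"] == "Deny":
            return "deny"
        allowed = True
    return "allow" if allowed else "deny"
```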

  11. • AWS compliance program – updates
    • Security tool enhancements in 2016
    • How AWS handles security at scale
    • Recent announcements
    • The case for change

  12. AWS COMPLIANCE
    CARE DEEPLY ABOUT DATA SECURITY
    WE WORK TO GET THIS RIGHT FOR CUSTOMERS

  13. DATA OWNERSHIP
    Customers choose where to place their data
    AWS regions are geographically isolated by design
    Data is not replicated to other AWS regions and doesn’t move unless the customer tells us to do so
    Customers always own their data, the ability to encrypt it, move it, and delete it

  14. AWS Global Infrastructure

  15. Our Audit and Certification Approach
    70+ services
    7,710 Audit Artifacts
    2,670 Controls
    3,030 Audit Requirements

  16. COMPLIANCE – AWS ARTIFACT
    AWS Artifact provides customers with an easier process to obtain AWS compliance reports (SOC, PCI, ISO) with self-service, on-demand access via the console

  17. MAKING COMPLIANCE EASIER
    AWS SOLUTION: MARKETPLACE PROGRAM

  18. MAKING COMPLIANCE EASIER
    AWS SOLUTION: MARKETPLACE PROGRAM – ALLGRESS

  19. SOLUTIONS IN AWS MARKETPLACE
    aws.amazon.com/mp/security
    Categories: INFRASTRUCTURE SECURITY; LOGGING & MONITORING; CONFIGURATION & VULNERABILITY ANALYSIS; DATA PROTECTION; IDENTITY & ACCESS MANAGEMENT
    Products shown: Deep Security-as-a-Service; VM-Series Next-Generation Firewall Bundle 2; vSEC; Web Application Firewall; Unified Threat Management 9; FortiGate-VM; SecureSphere WAF; CloudInsight; Security Platform (ESP) for AWS; SecOps; Log Management & Analytics; Enterprise Cost & Security Management; DataControl; Transparent Encryption for AWS; SafeNet ProtectV; Identity & Access Management for AWS; Security Manager; OneLogin for AWS; Identity Management for the Cloud
    • One-click launch
    • Ready-to-run on AWS
    • Pay only for what you use

  20. MAKING COMPLIANCE EASIER
    AWS SOLUTION: AMAZON S3 DATA EVENTS AVAILABLE IN CLOUDTRAIL AND CLOUDWATCH EVENTS
    Amazon S3, AWS Lambda, Amazon CloudWatch, AWS CloudTrail

  21. • AWS compliance program – updates
    • Security tool enhancements in 2016
    • How AWS handles security at scale
    • Recent announcements
    • The case for change

  22. AWS IDENTITY AND ACCESS MANAGEMENT (IAM)
    SECURELY CONTROL ACCESS TO AWS SERVICES AND RESOURCES

  23. AWS SOLUTION: AWS IDENTITY AND ACCESS MANAGEMENT
    Apply the security principles of “least privilege” and “segregation of responsibilities”

  24. AWS IDENTITY AND ACCESS MANAGEMENT
    FEATURES ADDED IN 2016
    • AWS Identity and Access Management (IAM) made 10 AWS managed policies available that align with common job functions in organizations
    • IAM console now helps prevent you from accidentally deleting in-use resources

  25. AWS IDENTITY AND ACCESS MANAGEMENT
    FEATURES ADDED IN 2016
    AWS Identity and Access Management (IAM) made 10 AWS managed policies available that align with common job functions in organizations:
    • Administrator
    • Billing
    • Database Administrator
    • Data Scientist
    • Developer Power User
    • Network Administrator
    • System Administrator
    • Security Auditor
    • Support User
    • View-Only User

  26. AMAZON INSPECTOR
    SECURITY ASSESSMENT TOOL ANALYZING END TO END APPLICATION CONFIGURATION AND ACTIVITY

  27. AWS SOLUTION: AMAZON INSPECTOR
    Configuration Scanning Engine; Activity Monitoring; Built-in Content Library; Automatable via API; Fully Auditable
    AMAZON INSPECTOR BENEFITS
    Improved security posture; Increased agility; Embedded expertise; Streamlined compliance

  28. AMAZON INSPECTOR
    FEATURES ADDED IN 2016
    • CIS certs for Windows Server 2008 R2, Server 2012, and Server 2012 R2
    • Assessments complete even if some targeted agents are offline
    • Filter findings based on severity levels

  29. AWS KEY MANAGEMENT SERVICE
    CONTROL YOUR ENCRYPTION KEYS

  30. AWS SOLUTION: KEY MANAGEMENT SERVICE
    Decide on an encryption key management strategy:
    • Manage and use keys in AWS Key Management Service (AWS KMS)
    • Use service-provided built-in key management
    • Use your own key management system
    • Manage and use keys in AWS CloudHSM

  31. KEY MANAGEMENT SERVICE
    Features added in 2016
    • Bring your own keys to AWS Key Management Service using the KMS import key feature
    • AWS encryption SDK

  32. CONSTRAINT-BASED MONITORING
    AUTOMATED REASONING

  33. AWS SOLUTION: CONSTRAINT-BASED MONITORING
    A TOOL FOR STATIC ANALYSIS OF AMAZON EC2/VPC NETWORKS

  34. AWS SOLUTION: CONSTRAINT-BASED MONITORING
    • Making undecidable problems feel decidable in practice
    • Abstraction to finite/tractable problems
    • Counterexample-guided abstraction refinement
    • Interpolation for guessing inductive invariants
    To learn more, see Byron Cook’s session SEC401 – Automated Formal Reasoning About AWS Systems

  35. SPEED OF SECURITY
    GO BIG WITH INSTANCES

  36. X1 INSTANCES

  37. P2 INSTANCES

  38. • AWS compliance program – updates
    • Security tool enhancements in 2016
    • How AWS handles security at scale
    • Recent announcements
    • The case for change

  39. AWS Security – 2016 Pace of Innovation
    • Reviewed 2,233 services and features in the last year
    • 319 compliance programs in scope across 40+ services
    • 5,769 overall security reviews YTD

  40. How AWS handles security at scale
    • We operate over 2,400 controls, but multiply that by the 64 services we have, over a period of 6 months that may be 30 million instances of control performance
    • We collect terabytes and terabytes of logs on our own data

  41. Detecting anomalies through AWS CloudTrail Logs
    AWS CloudTrail logs are a treasure trove of information
    • Examples: event type, source IP, principal/AKID, MFA used
    Use data to rapidly detect and respond to threats
    • “Walking” credentials
    • Compromised accounts
    • Other malicious behavior
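
An added detection example, not from the deck, run over constructed CloudTrail-style records: it flags an access key used from a second source IP shortly after use elsewhere (one reading of "walking" credentials, assumed here) and sensitive or root API calls made without MFA. The record field names are CloudTrail's; the SENSITIVE action list and the 30-minute window are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed CloudTrail-style records, already parsed from JSON and trimmed
# to the fields used below; sample data, not real log output.
SAMPLE = [
    {"eventTime": "2017-02-01T10:00:00Z", "eventName": "DescribeInstances",
     "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice", "accessKeyId": "AKIAEXAMPLE1",
                      "sessionContext": {"attributes": {"mfaAuthenticated": "true"}}}},
    {"eventTime": "2017-02-01T10:05:00Z", "eventName": "DescribeInstances",
     "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice", "accessKeyId": "AKIAEXAMPLE1"}},
    {"eventTime": "2017-02-01T10:12:00Z", "eventName": "CreateUser",
     "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "alice", "accessKeyId": "AKIAEXAMPLE1"}},
    {"eventTime": "2017-02-01T11:00:00Z", "eventName": "DeleteTrail",
     "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "Root", "accessKeyId": "ASIAEXAMPLE2"}},
]
# Assumed list of actions that deserve an alert when made without MFA.
SENSITIVE = {"CreateUser", "AttachUserPolicy", "PutUserPolicy", "DeleteTrail", "StopLogging"}

def _ts(rec):
    return datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ")

def _mfa(rec):
    attrs = rec["userIdentity"].get("sessionContext", {}).get("attributes", {})
    return attrs.get("mfaAuthenticated") == "true"

def walking_keys(records, window=timedelta(minutes=30)):
    """Access keys used from a second source IP within `window` of use
    elsewhere: one signal that a key is 'walking' away from its usual host."""
    seen, hits = defaultdict(list), []
    for rec in sorted(records, key=_ts):
        key, ip = rec["userIdentity"].get("accessKeyId"), rec["sourceIPAddress"]
        if any(prev_ip != ip and _ts(rec) - t <= window for t, prev_ip in seen[key]):
            hits.append((key, ip, rec["eventName"]))
        seen[key].append((_ts(rec), ip))
    return hits

def sensitive_without_mfa(records):
    """Sensitive API calls, and any root activity, made without MFA."""
    return [(rec["userIdentity"].get("userName", rec["userIdentity"]["type"]), rec["eventName"])
            for rec in records
            if not _mfa(rec)
            and (rec["eventName"] in SENSITIVE or rec["userIdentity"]["type"] == "Root")]
```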

  42. Collecting raw NetFlow-like logs in AWS
    Scenario:
    You purchased a company running on EC2
    You've been asked "Tell us of any known suspicious activity or activity indicating possible compromise for the main web server"
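
For the scenario above, an added example that is not from the deck: answering the question over constructed VPC Flow Log lines (assumed to be the "NetFlow-like" logs meant here) for a web server at an assumed private address, flagging a source that probed many rejected ports and outbound connections the server itself opened to outside addresses on unexpected ports. The address, port lists and "10." internal prefix are assumptions.

```python
from collections import defaultdict

WEB_SERVER = "10.0.1.20"   # assumed private address of the main web server
# Constructed VPC Flow Log lines in the default (version 2) field order;
# sample traffic for illustration, not a real capture.
FLOW_LOG = """\
2 123456789012 eni-0a1b2c 203.0.113.5 10.0.1.20 51000 443 6 10 4000 1485943200 1485943260 ACCEPT OK
2 123456789012 eni-0a1b2c 10.0.1.20 203.0.113.5 443 51000 6 9 12000 1485943200 1485943260 ACCEPT OK
2 123456789012 eni-0a1b2c 198.51.100.9 10.0.1.20 40001 22 6 1 60 1485943200 1485943260 REJECT OK
2 123456789012 eni-0a1b2c 198.51.100.9 10.0.1.20 40002 23 6 1 60 1485943200 1485943260 REJECT OK
2 123456789012 eni-0a1b2c 198.51.100.9 10.0.1.20 40003 3389 6 1 60 1485943200 1485943260 REJECT OK
2 123456789012 eni-0a1b2c 198.51.100.9 10.0.1.20 40004 8080 6 1 60 1485943200 1485943260 REJECT OK
2 123456789012 eni-0a1b2c 10.0.1.20 192.0.2.77 45872 4444 6 120 98000 1485943300 1485943900 ACCEPT OK
2 123456789012 eni-0a1b2c 10.0.1.20 10.0.2.30 38122 3306 6 50 20000 1485943300 1485943360 ACCEPT OK
"""
FIELDS = ("version account interface src dst srcport dstport "
          "proto packets bytes start end action status").split()

def parse(text):
    return [dict(zip(FIELDS, ln.split())) for ln in text.splitlines() if ln.strip()]

def port_scans(flows, host, min_ports=4):
    """Sources whose rejected flows to `host` touched at least min_ports distinct ports."""
    ports = defaultdict(set)
    for f in flows:
        if f["dst"] == host and f["action"] == "REJECT":
            ports[f["src"]].add(int(f["dstport"]))
    return {src: sorted(p) for src, p in ports.items() if len(p) >= min_ports}

def unexpected_egress(flows, host, served=(80, 443), allowed=(53, 80, 443), internal="10."):
    """Accepted flows the web server itself started towards external addresses
    on ports it has no reason to use. Flow logs are unidirectional, so the
    server's replies to inbound clients also appear with src == host; those are
    told apart by their source port being one the server serves on."""
    return [(f["dst"], int(f["dstport"]), int(f["bytes"])) for f in flows
            if f["src"] == host and f["action"] == "ACCEPT"
            and int(f["srcport"]) not in served
            and not f["dst"].startswith(internal)
            and int(f["dstport"]) not in allowed]
```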

  43. Autoticketing
    • Find and close gaps in security monitoring
    • Be highly accurate and actionable
    • Deliver results with low latency

  44. How AWS handles security at scale
    (scanning pipeline diagram: Work generator; Corp; S3; Results processor; SNS; Lambda (async); Scan target; Lambda (sync))

  45. Change Management
    • Problem: controlled automated deployment and validation of daily deployments
    • Our response: automated auditable deployment and validation environment
    • How we use it: auditor validation of our preventative and detective change management controls
    • Benefit: all changes to the environment are controlled and documented

  46. Change Management
    (deployment pipeline diagram, stages 1 to 5)

  47. Change Management
    QA & Code Review
    (deployment pipeline diagram, stages 1 to 6)

  48. Change Management
    Flagged Deployment
    ID: 47365690
    Deployer: johndoe@
    Deployment Time: 09:56:23 11/15/2016
    Flag reason: Approval was not documented in the change ticket

  49. • AWS compliance program – updates
    • Security tool enhancements in 2016
    • How AWS handles security at scale
    • Recent announcements
    • The case for change

  50. AWS Security – re:Invent 2016 Preparation
    • Reviewed and tested 91 service and feature launches for re:Invent 2016
    • Leading into 2016 re:Invent (Sept-Nov 2016), AWS Security completed 139 pen-tests (equaling 2,357 person days)

  51. Recent Announcements
    AWS Shield
    AWS Artifact (Compliance Reports)
    AWS Organizations
    AWS WAF (CloudFront and ALB)
    Amazon Certificate Manager (CloudFront and ELB)

  52. AWS Lambda triggered by “Security Events”
    Amazon CloudWatch Events
    AWS WAF
    AWS Config
    AWS CloudTrail

  53. • AWS compliance program – updates
    • Security tool enhancements in 2016
    • How AWS handles security at scale
    • Recent announcements
    • The case for change

  54. The case for change
    • DevOps, Agile, and Scrum on the rise…
    • Workload migrations to software defined environments…
    • Mass adoption of the public cloud…
    • Talent migration to progressive cloud companies…
    • Startups have game-changing tech at their disposal…
    • Competitive landscape is becoming fierce…
    • The perimeter is no longer an option…
    • Security, now more than ever, is an arms race…

  55. The DevSecOps mindset
    • Customer focus
    • Open and transparent
    • Iteration over perfection
    • Hunting over reaction
    • Hmmm → Wait a minute, this sounds like a manifesto…insert shameless plug here: http://www.devsecops.org

  56. Where to start?
    • Pontificate?
    • Checklists?
    • 1-pagers? 6-pagers?
    Documents?
    Page 3 of 433
    Security as code

  57. Security as code is easy with AWS
    AWS provides all the APIs!
    • Programmatically test environments
    • Determine state of environment at a specific point in time
    • Repeatable processes
    • Scalable operations
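
Security as code in practice, as an added example that is not from the deck: a repeatable pass/fail check over a point-in-time snapshot shaped like the response of boto3's ec2.describe_security_groups(). The snapshot itself is constructed, and the allowed public ports and group names are assumptions.

```python
# Constructed snapshot in the shape boto3's ec2.describe_security_groups()
# returns; in a real pipeline test the dict would come from that API call.
SNAPSHOT = {"SecurityGroups": [
    {"GroupId": "sg-0001", "GroupName": "web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0002", "GroupName": "legacy", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 20, "ToPort": 25,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "-1",   # all traffic: the port keys are absent
         "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
]}
ANYWHERE = {"0.0.0.0/0", "::/0"}

def _public_cidrs(perm):
    cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    return [c for c in cidrs if c in ANYWHERE]

def world_open_rules(snapshot, allowed_ports=(80, 443)):
    """Every ingress rule reachable from anywhere that is not exactly one of
    the allowed public ports. Returns (group id, name, protocol, (from, to), cidr)."""
    findings = []
    for sg in snapshot["SecurityGroups"]:
        for perm in sg["IpPermissions"]:
            public = _public_cidrs(perm)
            if not public:
                continue
            if perm["IpProtocol"] == "-1":
                lo, hi = 0, 65535          # "-1" means all protocols and ports
            else:
                lo, hi = perm["FromPort"], perm["ToPort"]
            if lo == hi and lo in allowed_ports:
                continue
            findings += [(sg["GroupId"], sg["GroupName"], perm["IpProtocol"], (lo, hi), c)
                         for c in public]
    return findings

def environment_passes(snapshot):
    """Pass/fail gate for a deployment pipeline: no unexpected world-open rules."""
    return not world_open_rules(snapshot)
```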

  58. How can we learn DevSecOps?
    Security as Code? Security as Operations? Compliance Operations? Science?
    • Experiment: Automate Policy Governance
    • Experiment: Detection via Security Operations
    • Experiment: Compliance via DevSecOps Toolkit
    • Experiment: Science via Profiling
    DevOps + Security (Start Here?) and DevOps + DevSecOps

  59. Ready to build your DevSecOps platform?
    (platform diagram: insights; security science; security tools & data; AWS accounts; S3; Glacier; EC2; CloudTrail; ingestion; threat intel)

  60. Evolution
    Today's "cloud-first" strategy is already moving toward "cloud-only"
    - IDC, “Industry Predictions for 2017”

  61. ADDITIONAL RESOURCES
    • https://aws.amazon.com/security/
    • https://aws.amazon.com/compliance/
    • https://aws.amazon.com/blogs/security/

  62. AWS Security Deep Dive
    Danilo Poccia
    @danilop danilop
    AWS Technical Evangelist