Learning AWS Security Services

fumiakiueno

May 01, 2023
Transcript

  1. Learning AWS Security Services

  2. Fumiaki Ueno
    NRI Netcom / Cloud Architect
    Experienced in cloud migration and adoption projects with enterprise customers
    @fu3ak1

  3. Security is our top priority at AWS(*)
    *AWS Security Incident Response Guide
    https://docs.aws.amazon.com/ja_jp/whitepapers/latest/aws-security-incident-response-guide/introduction.html

  4. Security is everywhere
    For example, an architecture like this:
    [Diagram: AWS Cloud > VPC, with a public subnet holding an Application Load Balancer and private subnets holding Amazon EC2 and Amazon Aurora]

  5. Security is everywhere
    There are many security features and services.
    Is there an audit log? Are permissions minimal? Is network access minimal?
    How do you protect against application attacks?
    [Diagram: the same ALB / EC2 / Aurora architecture annotated with AWS WAF, Amazon Inspector, Amazon GuardDuty, AWS CloudTrail, AWS Config, Flow logs, Network access control list, Security group, Amazon CloudWatch and AWS Identity and Access Management (IAM)]

  6. Cloud specific security settings
    [Diagram: AWS IAM with a long-term security credential and permissions (IAM Policy); Amazon S3 with permissions (Bucket Policy)]
    Is it OK to use that credential? Is access too open?

  7. Learn the most important security concepts,
    build extensive knowledge of AWS,
    and enjoy AWS safely!

  8. Before learning AWS,
    what is security?

  9. 3 Elements of Information Security
    [Diagram: Information, e.g. confidential data, code, financial data]

  10. 3 Elements of Information Security
    [Diagram: Information (confidential data, code, financial data) surrounded by Confidentiality, Integrity and Availability; keep all 3 elements]

  11. 3 Elements of Information Security
    [Diagram: Information (confidential data, code, financial data) with Confidentiality, Integrity and Availability; threats such as intrusion, destruction, viruses and eavesdropping; vulnerabilities such as bad settings, etc.; possibility of damage = risk; protect from threats and remove vulnerabilities]

  12. 3 Elements of Information Security
    Confidentiality: The ability of persons with valid rights (authorized persons) to use the information.
    Integrity: The information has not been modified (by someone who does not have a valid right).
    Availability: Ability to use information when needed.

  13. Protecting information in AWS with
    security services

  14. AWS Security (related) services
    [Diagram: services grouped into ID and Access Management, Detection, Network and Application Protection, Data protection, Compliance and Incident response. Services shown: IAM, Amazon Cognito, AWS Directory Service, AWS Organizations, AWS Resource Access Manager, AWS IAM Identity Center, AWS CloudTrail, Amazon GuardDuty, Amazon Inspector, AWS Config, AWS Security Hub, Amazon CloudWatch, AWS Shield, AWS WAF, Amazon Detective, AWS Network Firewall, Amazon Route 53, Amazon VPC, Amazon Macie, AWS CloudHSM, AWS KMS, AWS Secrets Manager, AWS Certificate Manager (ACM), AWS Artifact, AWS Systems Manager, AWS Trusted Advisor, AWS Control Tower, Amazon S3, Amazon Athena, Amazon EventBridge, Amazon OpenSearch Service]

  15. ID and Access Management

  16. AWS Identity and Access Management (IAM)
    • Who is the user? = Authentication. What can they use? = Authorization
    • IAM manages Authentication and Authorization
    • IAM has the following basic resources
      • IAM User: created and authenticated individually
      • IAM Group: manages multiple users as one group
      • IAM Policy: describes authorization information; can be attached to a User, Group or Role
      • IAM Role: can be attached to AWS resources so that the resource has permissions;
        an IAM User can also assume a Role
    [Diagram: an IAM User belongs to an IAM Group; IAM Policies are attached to the Group and to an IAM Role; an Instance, and the IAM User, assume the IAM Role]

  17. AWS Identity and Access Management (IAM)
    • How to write an IAM Policy
      Define what we can access (Resource), which operation (Action) and
      Allow/Deny (Effect) in a policy; add a Condition as necessary
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "s3:Get*"
          ],
          "Resource": [
            "arn:aws:s3:::test-data",
            "arn:aws:s3:::test-data/*"
          ],
          "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}
        }
      ]
    }
    Resource: data in the 'test-data' S3 bucket
    Action: operations beginning with Get
    Effect: Allow
    Condition: MFA is enabled

  18. AWS Identity and Access Management (IAM)
    • We define a Principal, meaning who can use it, in an IAM Role trust policy, Bucket policy, etc.
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "sts:AssumeRole"
          ],
          "Principal": {
            "Service": [
              "ec2.amazonaws.com"
            ]
          }
        }
      ]
    }
    [Diagram: an IAM Role with an IAM Policy and a trust policy; an EC2 Instance assumes the Role]
    EC2 can use this IAM Role
    • If you know the basic elements such as Resource, Action, Effect, Condition and Principal, you
      can broadly understand AWS policies such as a Bucket policy or a KMS key policy.
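
    The two policy documents on slides 17 and 18 can be evaluated mechanically. The Python script below is an added example, not part of the slides and not AWS's own evaluation engine: it embeds both policies as constructed sample input and implements a small subset of IAM's policy evaluation (wildcard matching on Action and Resource, the Bool and StringEquals condition operators, Service principals, and the rule that an explicit Deny overrides any Allow while nothing matching is an implicit deny). Elements outside that subset, such as NotAction, policy variables or cross-account principals, are not handled; the request context keys are assumed to be passed in as a plain dictionary.

```python
import fnmatch
import json

# Constructed sample input: the identity policy and the EC2 trust policy from the slides.
IDENTITY_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:Get*"],
      "Resource": ["arn:aws:s3:::test-data", "arn:aws:s3:::test-data/*"],
      "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}
    }
  ]
}
""")

TRUST_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["sts:AssumeRole"],
      "Principal": {"Service": ["ec2.amazonaws.com"]}
    }
  ]
}
""")


def _as_list(value):
    """Policy elements may be a single string or a list; normalize to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    """IAM wildcards: '*' matches any run of characters, '?' a single character."""
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _condition_ok(condition, context):
    """Evaluate the Bool and StringEquals operators only (a subset of IAM)."""
    for operator, pairs in (condition or {}).items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if operator == "Bool":
                if actual is None or str(actual).lower() != str(expected).lower():
                    return False
            elif operator == "StringEquals":
                if actual not in _as_list(expected):
                    return False
            else:
                return False  # unsupported operator: treat the condition as unmet
    return True


def evaluate(policy, action, resource=None, principal=None, context=None):
    """Return "Allow", "Deny" (explicit) or "ImplicitDeny" for one request.

    Core IAM rule: a matching Deny statement always wins; otherwise a matching
    Allow wins; otherwise the request is implicitly denied.
    """
    context = context or {}
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not _matches(stmt.get("Action"), action):
            continue
        if "Resource" in stmt and not _matches(stmt["Resource"], resource or ""):
            continue
        if "Principal" in stmt and principal not in _as_list(stmt["Principal"].get("Service")):
            continue
        if not _condition_ok(stmt.get("Condition"), context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


if __name__ == "__main__":
    obj = "arn:aws:s3:::test-data/report.csv"
    print("GetObject with MFA:   ", evaluate(IDENTITY_POLICY, "s3:GetObject", obj,
                                              context={"aws:MultiFactorAuthPresent": "true"}))
    print("GetObject without MFA:", evaluate(IDENTITY_POLICY, "s3:GetObject", obj))
    print("PutObject with MFA:   ", evaluate(IDENTITY_POLICY, "s3:PutObject", obj,
                                              context={"aws:MultiFactorAuthPresent": "true"}))
    print("EC2 assumes the role: ", evaluate(TRUST_POLICY, "sts:AssumeRole",
                                              principal="ec2.amazonaws.com"))
```

    Running it shows the four decisions the slide annotations describe: a Get operation on the test-data bucket is allowed only when the MFA context key is present, a Put is implicitly denied because no statement matches it, and only the EC2 service principal may assume the role.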

  19. AWS Identity and Access Management (IAM)
    • Anti-patterns (Don't do this)
      • Using the root user (the account email address user)
        Instead, use an IAM User
      • Using an Access Key/Secret Access Key
        Instead, use an IAM Role

  20. AWS Organizations
    • A service that can manage multiple AWS accounts
    • Can manage accounts in groups by using Organizational Units (OU)
    • Has an aggregation feature and automatic enablement of security services
    • Can apply preventive guardrails with Service Control Policies (SCP)
    • Can share resources with AWS Resource Access Manager (RAM)
    [Diagram: an AWS Organizations management account above two Organizational units (OU); an SCP combined with an IAM Policy gives the valid (effective) policy; GuardDuty in each member account is enabled automatically and its findings are aggregated to 1 account]

  21. AWS Control Tower
    • The service to automatically set up a best-practice multi-account environment
    • Automatically configures IAM Identity Center, CloudTrail, Config, and an SNS Topic for notifications
    • Easily configure and manage preventive and detective guardrails
    • Can be applied to multiple Regions
    [Diagram: a Management account with AWS Organizations and AWS IAM Identity Center; a Security OU with a Log Archive account (S3 holding CloudTrail Logs and Config Logs) and an Audit account (AWS Config Aggregator, Amazon SNS); a Workloads OU with a Prod account carrying the Security Baseline (CloudTrail, AWS Config) and Amazon VPC (Network Baseline)]

  22. AWS CloudTrail
    • A service to store AWS operation history (who, when, what)
    • You need additional configuration for data events such as S3 object access
    • By default, 90 days of events are stored by the service
    • To keep events for more than 90 days, set up a trail and store them in S3 buckets or
      CloudWatch Logs
    [Diagram: a Program, the AWS Management Console and an Instance call IAM and other services; CloudTrail stores the operation history as Logs in S3]

  23. AWS Config
    • A service to store AWS configuration history (what, when, how)
    • By default, 7 years (2,557 days) of events are stored by the service
    [Diagram: an Application and the AWS Management Console change an instance type (t3.small to t3.large) and an IAM Policy; AWS Config stores the configuration history and delivers it to S3]

  24. AWS Config
    • AWS Config has Config Rules that evaluate configuration settings
    • For example, you can check the following configurations
      • The trail in CloudTrail is enabled
      • The SSH port is not exposed in a Security Group
    • You can set up auto-remediation
      • Automation in Systems Manager can be used as the auto-remediation action
    [Diagram: ① an AWS Config Rule checks the Security group of an Instance; ② Systems Manager Automation remediates it (auto-remediation)]
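
    The "SSH port is not exposed in a Security Group" check above is a good one to see in code. The following Python is an added example, not part of the slides and not the managed Config rule itself: it evaluates constructed security-group descriptions shaped like the EC2 DescribeSecurityGroups response (only the fields the check reads) and returns the COMPLIANT / NON_COMPLIANT verdict a Config rule would record, plus the list of ingress entries an auto-remediation runbook would have to revoke. Both IPv4 and IPv6 "anywhere" ranges and the all-protocols rule are treated as world-open; the group IDs are placeholders.

```python
import ipaddress

# Constructed sample input shaped like EC2 DescribeSecurityGroups output (trimmed).
SAMPLE_GROUPS = [
    {"GroupId": "sg-0000000000000001", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0000000000000002", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0000000000000003", "IpPermissions": [   # all traffic from any IPv6 address
        {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-0000000000000004", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
]


def _covers_port(perm, port):
    """True if the permission's protocol and port range include TCP `port`."""
    if perm.get("IpProtocol") == "-1":          # "-1" means every protocol and port
        return True
    if perm.get("IpProtocol") not in ("tcp", "6"):
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)


def _world_open_cidrs(perm):
    """CIDRs in the permission that match every address (prefix length 0)."""
    cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    return [c for c in cidrs if ipaddress.ip_network(c).prefixlen == 0]


def evaluate_group(group, port=22):
    """Return ("COMPLIANT" | "NON_COMPLIANT", annotation), as a Config rule would."""
    for perm in group.get("IpPermissions", []):
        open_cidrs = _world_open_cidrs(perm)
        if _covers_port(perm, port) and open_cidrs:
            return "NON_COMPLIANT", f"port {port} reachable from {', '.join(open_cidrs)}"
    return "COMPLIANT", f"no world-open ingress to port {port}"


def evaluate_all(groups, port=22):
    """Map each GroupId to its compliance type."""
    return {g["GroupId"]: evaluate_group(g, port)[0] for g in groups}


def remediation_plan(group, port=22):
    """(protocol, cidr) ingress entries an auto-remediation runbook would revoke."""
    return [(perm.get("IpProtocol"), cidr)
            for perm in group.get("IpPermissions", [])
            if _covers_port(perm, port)
            for cidr in _world_open_cidrs(perm)]


if __name__ == "__main__":
    for group in SAMPLE_GROUPS:
        verdict, note = evaluate_group(group)
        print(group["GroupId"], verdict, note, remediation_plan(group))
```

    Only the two groups that expose port 22 to every address are flagged; the group that allows SSH from a private range and the HTTPS-only group pass. The remediation plan deliberately names the exact entries to revoke rather than the whole group, which is the least-privilege shape an Automation document should take.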

  25. Amazon CloudWatch
    • A monitoring service in AWS to aggregate metrics and logs
    • CloudWatch has basic features such as Metrics, Logs and Alarms
    • CloudWatch has an Events feature, but the newer EventBridge should be used instead
    • Synthetics, RUM and Evidently are relatively new features in CloudWatch
    • You can use CloudWatch with on-premises servers by installing the agent
    [Diagram: an Instance or on-premises Server (running the CloudWatch Agent), an Application and Amazon Aurora send Logs and Metrics to Amazon CloudWatch; an Alarm sends a Notification]

  26. Amazon EventBridge
    • A service that can perform notifications and processing when any event
    occurs in AWS
    • EventBridge is used for event-driven applications, but it is also widely
    used for security-related notifications and incident response
    • Security services such as GuardDuty also use EventBridge for notification
    [Diagram: a specific CloudTrail operation is connected as an Event; EventBridge routes it to an SNS Topic for a notification, or to a Lambda function as a target]

  27. Amazon GuardDuty
    • A service that detects threats in AWS accounts; you can use it just by
      enabling it
    • Inputs are VPC Flow Logs, CloudTrail, S3 data access logs, DNS logs,
      Kubernetes audit logs, EBS (malware) and RDS activity
    • EventBridge is used for notification
    [Diagram: Flow logs, CloudTrail, Amazon RDS, Amazon EKS, S3, Amazon EBS and DNS Logs feed GuardDuty; a detected finding goes as an Event to EventBridge, which notifies an SNS Topic; input sources annotated with the dates 2020/7, 2022/1, 2022/7 and 2023/3]
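
    Slides 26 and 27 both rely on EventBridge choosing targets by matching an event against a rule's event pattern. The Python below is an added example, not part of the slides and not the EventBridge service: it implements the core pattern-matching semantics (every key in the pattern must match, a list of values is an OR, nested objects recurse, and the prefix, numeric, exists and anything-but matchers) and routes three constructed events, a high-severity GuardDuty finding, a low-severity one, and a root console sign-in delivered via CloudTrail, to the targets whose rules match. The target names and the finding contents are constructed; the source and detail-type strings are the ones EventBridge uses for GuardDuty findings and console sign-ins.

```python
import operator

_NUM_OPS = {">": operator.gt, ">=": operator.ge, "<": operator.lt,
            "<=": operator.le, "=": operator.eq}


def _match_value(rule, value):
    """Match one element of a pattern list: a literal or a matcher object."""
    if isinstance(rule, dict):
        if "prefix" in rule:
            return isinstance(value, str) and value.startswith(rule["prefix"])
        if "numeric" in rule:                      # e.g. [">=", 7] or [">", 4, "<", 8]
            if isinstance(value, bool) or not isinstance(value, (int, float)):
                return False
            spec = rule["numeric"]
            return all(_NUM_OPS[spec[i]](value, spec[i + 1]) for i in range(0, len(spec), 2))
        if "exists" in rule:
            return rule["exists"] == (value is not None)
        if "anything-but" in rule:
            return value not in rule["anything-but"]
        return False
    return rule == value


def matches(pattern, event):
    """EventBridge semantics: all pattern keys must match; a list is an OR."""
    for key, rules in pattern.items():
        value = event.get(key) if isinstance(event, dict) else None
        if isinstance(rules, dict):                # nested object: recurse
            if not isinstance(value, dict) or not matches(rules, value):
                return False
        elif not any(_match_value(r, value) for r in rules):
            return False
    return True


# Constructed rules: (target name, event pattern).
RULES = [
    ("notify-security-oncall (SNS Topic)", {
        "source": ["aws.guardduty"],
        "detail-type": ["GuardDuty Finding"],
        "detail": {"severity": [{"numeric": [">=", 7]}]}}),
    ("archive-finding (Lambda function)", {
        "source": ["aws.guardduty"],
        "detail-type": ["GuardDuty Finding"]}),
    ("alert-root-console-login (SNS Topic)", {
        "source": ["aws.signin"],
        "detail-type": ["AWS Console Sign In via CloudTrail"],
        "detail": {"userIdentity": {"type": ["Root"]}}}),
]


def route(event):
    """Names of every target whose rule matches the event, in rule order."""
    return [target for target, pattern in RULES if matches(pattern, event)]


# Constructed sample events (shape only; not real findings).
HIGH_FINDING = {"source": "aws.guardduty", "detail-type": "GuardDuty Finding",
                "detail": {"severity": 8.0, "type": "UnauthorizedAccess:EC2/SSHBruteForce"}}
LOW_FINDING = {"source": "aws.guardduty", "detail-type": "GuardDuty Finding",
               "detail": {"severity": 2.0, "type": "Recon:EC2/PortProbeUnprotectedPort"}}
ROOT_LOGIN = {"source": "aws.signin", "detail-type": "AWS Console Sign In via CloudTrail",
              "detail": {"eventName": "ConsoleLogin", "userIdentity": {"type": "Root"}}}
EC2_API_CALL = {"source": "aws.ec2", "detail-type": "AWS API Call via CloudTrail",
                "detail": {"eventName": "RunInstances"}}

if __name__ == "__main__":
    for name, event in [("high", HIGH_FINDING), ("low", LOW_FINDING),
                        ("root login", ROOT_LOGIN), ("ec2 api", EC2_API_CALL)]:
        print(f"{name:10} -> {route(event)}")
```

    The severity threshold is the usual way to keep the on-call SNS topic quiet while still archiving every finding through the Lambda target, and the third rule is the classic CloudTrail-sourced detection from slide 26.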

  28. AWS Security Hub
    • An aggregation point (Hub) for various AWS security services
    • You can also aggregate 3rd-party security services' information
    • You can check against industry standards and best practices
      • CIS AWS Foundations Benchmark
      • Payment Card Industry Data Security Standard (PCI DSS)
      • AWS Foundational Security Best Practices
    [Diagram: GuardDuty, Amazon Macie, Amazon Inspector, AWS Config, etc. aggregate into AWS Security Hub; Security Hub deploys AWS Config rules as the standards' checks]

  29. Amazon Inspector
    • A vulnerability scanning service
    • Inspector can be used with EC2 instances, ECR (container images) and
      Lambda functions (New!)
    • Package vulnerability scans and network reachability scans are available
    • You need to install the Systems Manager (SSM) agent on EC2 for package scanning
    [Diagram: Amazon Inspector scans Amazon EC2 (via the SSM Agent), Amazon ECR images and AWS Lambda for vulnerabilities; Lambda support annotated 2022/12]

  30. AWS Trusted Advisor
    • A service that automatically checks cost, performance, security, fault
      tolerance, and service limits against AWS best practices
    • Requires a Business Support plan or higher to use
    • Recommended to view proactively, as it is automatically enabled
      and free of charge

  31. Network and application
    protection

  32. Amazon VPC
    • VPC enables you to launch AWS resources into a virtual private network
    • There are public subnets that communicate directly with the Internet
      and private subnets that cannot communicate directly with the Internet
    • You can control access with Network ACLs and Security Groups
    • VPC Flow Logs can be stored in S3 or CloudWatch Logs
    • VPC endpoints are used for private connections to AWS services
    [Diagram: a VPC with a public subnet (ALB in a Security group) and a private subnet (Instance in a Security group), each subnet guarded by a NACL; Flow logs delivered to S3; a VPC Endpoint to S3]
    "Differences between Security Groups and Network ACLs"
                          Security Group                     Network ACL
      Setting target      Resources such as EC2 instances    Subnets
      Default             All Deny                           All Allow
      Allow/Deny          Can configure only Allow           Can configure Allow/Deny
      Stateful/Stateless  Stateful (set one direction)       Stateless (set back and forth)
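
    The last two rows of that table, allow-only versus allow/deny and stateful versus stateless, are easiest to understand by simulating one HTTPS connection through both layers. The Python below is an added example, not part of the slides and not the VPC data plane: it models a Security Group as a stateful allow-only filter that tracks connections, and a Network ACL as an ordered, stateless rule list evaluated lowest rule number first with an implicit final deny, then runs four constructed scenarios. The client addresses, ports and rule numbers are constructed.

```python
import ipaddress


def cidr_contains(cidr, ip):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr)


class SecurityGroup:
    """Stateful and allow-only: once a request matches an inbound rule the
    connection is tracked and its reply passes with no outbound rule at all."""

    def __init__(self, inbound):
        self.inbound = inbound            # (protocol, port_from, port_to, cidr)
        self.connections = set()          # (client_ip, client_port, server_port)

    def request(self, client_ip, client_port, server_port, proto="tcp"):
        for p, lo, hi, cidr in self.inbound:
            if p == proto and lo <= server_port <= hi and cidr_contains(cidr, client_ip):
                self.connections.add((client_ip, client_port, server_port))
                return True
        return False                      # there are no Deny rules; unmatched traffic is dropped

    def reply(self, client_ip, client_port, server_port):
        return (client_ip, client_port, server_port) in self.connections


class NetworkACL:
    """Stateless and ordered: each direction is evaluated on its own, lowest
    rule number first, first match wins, and the unnumbered '*' rule denies."""

    def __init__(self, inbound, outbound):
        self.inbound = sorted(inbound)    # (rule_no, action, protocol, port_from, port_to, cidr)
        self.outbound = sorted(outbound)

    @staticmethod
    def _evaluate(rules, proto, port, ip):
        for _, action, p, lo, hi, cidr in rules:
            if p in (proto, "-1") and lo <= port <= hi and cidr_contains(cidr, ip):
                return action == "allow"
        return False

    def request(self, client_ip, client_port, server_port, proto="tcp"):
        return self._evaluate(self.inbound, proto, server_port, client_ip)

    def reply(self, client_ip, client_port, server_port, proto="tcp"):
        # The reply goes back to the client's ephemeral port and needs its own outbound rule.
        return self._evaluate(self.outbound, proto, client_port, client_ip)


def https_roundtrip(sg, nacl, client_ip="203.0.113.10", client_port=51515):
    """(request_allowed, reply_allowed) for one HTTPS connection: the NACL at the
    subnet boundary first, then the instance's security group, then back out."""
    req = nacl.request(client_ip, client_port, 443) and sg.request(client_ip, client_port, 443)
    rep = req and sg.reply(client_ip, client_port, 443) and nacl.reply(client_ip, client_port, 443)
    return req, rep


def demo():
    sg = SecurityGroup(inbound=[("tcp", 443, 443, "0.0.0.0/0")])   # no outbound rule needed
    allow_443 = (100, "allow", "tcp", 443, 443, "0.0.0.0/0")
    allow_ephemeral = (100, "allow", "tcp", 1024, 65535, "0.0.0.0/0")
    deny_block = (50, "deny", "tcp", 0, 65535, "198.51.100.0/24")
    return {
        # Inbound 443 allowed but no outbound ephemeral-port rule: the reply is dropped.
        "nacl_missing_outbound": https_roundtrip(sg, NetworkACL([allow_443], [])),
        # Adding the outbound 1024-65535 rule completes the round trip.
        "nacl_with_ephemeral": https_roundtrip(sg, NetworkACL([allow_443], [allow_ephemeral])),
        # Rule 50 (deny) is evaluated before rule 100 (allow): this client is blocked.
        "nacl_deny_before_allow": https_roundtrip(
            sg, NetworkACL([deny_block, allow_443], [allow_ephemeral]), client_ip="198.51.100.7"),
        # The same deny numbered 200 never wins, because rule 100 already matched.
        "nacl_deny_after_allow": https_roundtrip(
            sg, NetworkACL([(200,) + deny_block[1:], allow_443], [allow_ephemeral]),
            client_ip="198.51.100.7"),
    }


if __name__ == "__main__":
    for scenario, result in demo().items():
        print(f"{scenario:24} request={result[0]} reply={result[1]}")
```

    The first two scenarios are the stateful/stateless row of the table: the security group never needed an outbound rule, the NACL did. The last two are the Allow/Deny row plus the rule-ordering pitfall that comes with it: a deny entry only works if its number is lower than the allow it is meant to override.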

  33. AWS WAF
    • AWS managed Web Application Firewall (WAF) service
    • You can protect against application attacks such as SQL Injection and Cross Site
      Scripting
    • A WAF WEB ACL can be attached to Amazon CloudFront, Amazon API Gateway,
      ALB, AWS AppSync and Amazon Cognito User pools
    • A WEB ACL is like a box: you add rules or rule groups to the WEB ACL
    • AWS and security companies provide managed rules; you can also create your own rules such
      as IP restrictions
    [Diagram: a WEB ACL containing a managed rule and a rule, attached to ALB, API Gateway, CloudFront, AppSync and Cognito; annotated with the dates 2020/10 and 2022/8]

  34. Data Protection

  35. AWS Key Management Service (AWS KMS)
    • A service that manages the keys used to encrypt data in AWS
    • KMS keys are often used by other AWS services without the user knowing
    • You can control access with a Key Policy
    • KMS has an auto-rotation feature
    • Server-side encryption and Client-side encryption
    • AWS CloudHSM provides dedicated hardware; you can manage keys in your VPC
    [Diagram: "Encryption with S3 Bucket". Client-side encryption: the Application encrypts the data before sending it to S3. Server-side encryption: S3 encrypts the data after receiving it from the Application]

  36. AWS Key Management Service (AWS KMS)
    • You can protect your data key with envelope encryption
    • Data is encrypted by the data key; the data key is encrypted by the KMS key
    • You can't decrypt your data without the KMS key, so you can store both the
      (encrypted) data key and the data in a database
    • The KMS key is called when data is decrypted
    [Diagram: Data encrypted with the Data Key; the Data Key encrypted with the KMS Key held in AWS KMS]
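
    The envelope pattern above is short enough to write out end to end. The Python below is an added example, not part of the slides and not the AWS KMS or Encryption SDK code: a ToyKms class stands in for KMS (it creates a key that never leaves the object and only exposes GenerateDataKey and Decrypt), and the record layout stores the wrapped data key next to the ciphertext exactly as the slide describes. The cipher is a deliberately simple HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag; it is a stand-in for AES-GCM used so the script runs with the standard library only, and the thing to study is the key flow, not the cipher.

```python
import hashlib
import hmac
import os


def _keystream(key, nonce, length):
    """Counter-mode keystream from HMAC-SHA256 (toy stand-in for AES)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _subkeys(key):
    """Derive separate encryption and MAC keys from one 32-byte key."""
    return hashlib.sha256(b"enc" + key).digest(), hashlib.sha256(b"mac" + key).digest()


def _seal(key, plaintext):
    """Return nonce || ciphertext || tag; encrypt-then-MAC so tampering is detected."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def _open(key, blob):
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed: wrong key or tampered data")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


class ToyKms:
    """Stands in for AWS KMS: the KMS key is generated inside and never returned."""

    def __init__(self):
        self._kms_key = os.urandom(32)
        self.calls = []                   # API calls made (the ones CloudTrail would record)

    def generate_data_key(self):
        """Like KMS GenerateDataKey: a plaintext data key plus a wrapped copy."""
        self.calls.append("GenerateDataKey")
        data_key = os.urandom(32)
        return data_key, _seal(self._kms_key, data_key)

    def decrypt(self, encrypted_data_key):
        """Like KMS Decrypt: unwrap a data key with the KMS key."""
        self.calls.append("Decrypt")
        return _open(self._kms_key, encrypted_data_key)


def encrypt_record(kms, plaintext):
    """Envelope encryption: data under the data key, data key under the KMS key.
    Only the wrapped data key is stored next to the ciphertext."""
    data_key, encrypted_data_key = kms.generate_data_key()
    ciphertext = _seal(data_key, plaintext)
    return {"encrypted_data_key": encrypted_data_key, "ciphertext": ciphertext}


def decrypt_record(kms, record):
    """The KMS key is touched exactly once, to unwrap the data key."""
    data_key = kms.decrypt(record["encrypted_data_key"])
    return _open(data_key, record["ciphertext"])


def can_decrypt(kms, record):
    try:
        decrypt_record(kms, record)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    kms = ToyKms()
    record = encrypt_record(kms, b"constructed sample: customer record 0001")
    print("stored fields:", sorted(record))
    print("round trip:", decrypt_record(kms, record))
    print("KMS calls:", kms.calls)
```

    Two properties fall out of running it: a second ToyKms instance (a different KMS key) cannot open the record even though the whole record is in its hands, and the only KMS API call at read time is Decrypt on the 80-byte wrapped key, never on the bulk data, which is why envelope encryption keeps both the data volume and the KMS call count manageable.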

  37. Amazon S3
    • A high-durability object storage service
    • You can control access with IAM Policy, Bucket Policy and Access Control
      List (ACL)
    • ACL is currently deprecated and is used only for per-object control
      https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-policy-alternatives-guidelines.html
    • S3 has an object default encryption feature; you can encrypt objects by
      enabling it and can use a KMS key
    [Diagram: Access to an S3 Bucket and its Objects is controlled by IAM Policy, Bucket Policy and Object ACL; objects are encrypted]

  38. AWS Secrets Manager
    • You can manage passwords and credentials with Secrets Manager
    • Applications can connect to databases using credentials stored in Secrets Manager
    • Systems Manager Parameter Store is similar, but they have the following
      differences
                            Secrets Manager                  Parameter Store
      Target data           Credentials                      A wide range of configuration data
                                                             (data can be encrypted with SecureString)
      Auto-rotation         Yes                              No
      Database integration  Support for RDS, Redshift, etc.  No
      Price                 Charged                          Standard is free
                                                             (*KMS encryption and Advanced are charged)
    [Diagram: an App on an Instance 1. gets credentials (a Password) from AWS Secrets Manager, then 2. connects to Amazon RDS]

  39. Amazon Macie
    • Macie can discover Personally Identifiable Information (PII) in S3 Buckets
    • Macie can discover the following data
      • AWS Credentials (Access Keys)
      • Credit card numbers, expiration dates, verification codes
      • Birth dates
      • Phone numbers
      • Driver's license identification numbers
    • You can build custom data identifiers
    • At re:Invent 2022, automated sensitive data discovery was announced
      https://aws.amazon.com/about-aws/whats-new/2022/11/amazon-macie-automated-sensitive-data-discovery/
    [Diagram: Amazon Macie scans an S3 Bucket and discovers sensitive data]

  40. AWS Artifact
    • AWS Artifact provides on-demand downloads of AWS security and
      compliance documents
    • AWS ISO certifications and Payment Card Industry (PCI) reports are provided
    • You can submit the documents to your auditors or regulators
    • You can manage agreements such as a Business Associate Addendum
      (BAA), which is required for companies that are subject to the Health
      Insurance Portability and Accountability Act (HIPAA)
    • You can manage agreements for multiple accounts with Organizations
    [Diagram: AWS Artifact: download Compliance documents; accept an Agreement]

  41. Incident response

  42. AWS Systems Manager
    • Systems Manager was originally created for managing only EC2 instances;
      it now has many features to manage many kinds of resources in AWS
    • Key security-related features are the following
      • Patch Manager: automates the process of patching
      • Inventory: provides visibility of software metadata
      • Session Manager: connect to EC2 instances with IAM, without opening a Security Group port
      • Parameter Store: can store data such as passwords and database connection strings
      • OpsCenter: can manage operational work items as OpsItems related to AWS
      • Incident Manager: can manage events and escalation flows
      • Automation: can execute operations registered as a Document
    • I can't show everything about Systems Manager on this page, so please refer to the
      official documents for more details
      https://docs.aws.amazon.com/systems-manager/latest/userguide/what-is-systems-manager.html

  43. Amazon Athena
    • You can run SQL queries against data sources such as S3
    • Developers can run ad hoc SQL queries on low-cost storage
    • From a security perspective, it can be used to analyze CloudTrail and VPC Flow Logs
    • Table schemas are managed by the AWS Glue Data Catalog
    [Diagram: Flow logs, CloudTrail, ALB and Amazon CloudFront logs are stored in S3; Athena runs SQL Queries over them using table schemas from the AWS Glue Data Catalog]
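
    The CloudTrail analysis mentioned above comes down to a handful of SQL queries. The Python below is an added example, not part of the slides and not Athena itself: it loads six constructed CloudTrail-style records (fake account ID, fake ARNs, documentation IP ranges) into an in-memory sqlite3 table so the queries run offline, then runs three detection queries a security team typically starts with: console logins without MFA, all activity by the root user, and AccessDenied errors grouped by identity. Athena's CloudTrail table keeps userIdentity and additionalEventData as struct columns (queried as userIdentity.type and so on) and uses Trino SQL; here those fields are flattened into plain columns, which is the only translation needed.

```python
import sqlite3

# Constructed CloudTrail-style records (not from a real account).
CLOUDTRAIL_SAMPLE = [
    {"eventTime": "2023-05-01T09:12:03Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111111111111:user/alice"},
     "additionalEventData": {"MFAUsed": "Yes"}},
    {"eventTime": "2023-05-01T10:05:41Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.23",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111111111111:root"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventTime": "2023-05-01T10:07:10Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateUser", "sourceIPAddress": "198.51.100.23",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111111111111:root"}},
    {"eventTime": "2023-05-01T10:30:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.44",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111111111111:user/bob"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventTime": "2023-05-01T11:00:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "sourceIPAddress": "10.0.1.25", "errorCode": "AccessDenied",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111111111111:assumed-role/app-role/i-0abc"}},
    {"eventTime": "2023-05-01T11:00:05Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "sourceIPAddress": "10.0.1.25", "errorCode": "AccessDenied",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111111111111:assumed-role/app-role/i-0abc"}},
]

# Detection queries; column names mirror Athena's CloudTrail table with the
# struct fields flattened (userIdentity.type -> useridentity_type, etc.).
QUERIES = {
    "console_logins_without_mfa": """
        SELECT eventtime, useridentity_arn, sourceipaddress FROM cloudtrail
        WHERE eventname = 'ConsoleLogin' AND mfaused <> 'Yes'
        ORDER BY eventtime""",
    "root_activity": """
        SELECT eventtime, eventname, sourceipaddress FROM cloudtrail
        WHERE useridentity_type = 'Root'
        ORDER BY eventtime""",
    "access_denied_by_identity": """
        SELECT useridentity_arn, COUNT(*) AS denied FROM cloudtrail
        WHERE errorcode = 'AccessDenied'
        GROUP BY useridentity_arn ORDER BY denied DESC""",
}


def load(records):
    """Flatten the records into an in-memory table standing in for the Athena table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("""CREATE TABLE cloudtrail (
        eventtime TEXT, eventsource TEXT, eventname TEXT, useridentity_type TEXT,
        useridentity_arn TEXT, sourceipaddress TEXT, errorcode TEXT, mfaused TEXT)""")
    rows = [(r["eventTime"], r["eventSource"], r["eventName"],
             r["userIdentity"]["type"], r["userIdentity"].get("arn"),
             r["sourceIPAddress"], r.get("errorCode"),
             r.get("additionalEventData", {}).get("MFAUsed")) for r in records]
    conn.executemany("INSERT INTO cloudtrail VALUES (?,?,?,?,?,?,?,?)", rows)
    return conn


def run_query(conn, name):
    """Run one named detection query and return its rows as tuples."""
    return conn.execute(QUERIES[name]).fetchall()


if __name__ == "__main__":
    conn = load(CLOUDTRAIL_SAMPLE)
    for name in QUERIES:
        print(name)
        for row in run_query(conn, name):
            print("   ", row)
```

    Against the sample, the first query surfaces the root login and bob's login as MFA-less, the second shows the root user creating an IAM user two minutes after logging in, and the third counts the role being denied S3 access twice; each of these is a row a team would turn into an EventBridge rule or a Security Hub finding once confirmed.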

  44. Amazon Detective
    • An investigation service for security events
    • You can see information related to IAM Users, Roles and IP addresses along
      with time-series information
    • For example, you can see what a particular IAM User was doing between
      10:00 and 12:00
    [Diagram: a timeline from 9:00 to 13:00 with an Attack; GuardDuty shows a threat at a point in time, Security Hub an assessment at a point in time, and Detective a period of time]

  45. Amazon OpenSearch Service
    • OpenSearch is a fully open-source search and analytics engine for use cases
    such as log analytics, real-time application monitoring, and clickstream analysis.
    • Amazon OpenSearch Service is managed by AWS
    • From a security perspective, you can aggregate logs and analyze security events
    • Multiple logs can be imported for correlation analysis and graphing
    • There is a solution “SIEM on Amazon OpenSearch Service”
    • At re:Invent 2022 OpenSearch serverless was announced
    SIEM on Amazon OpenSearch Service
    https://github.com/aws-samples/siem-on-amazon-opensearch-service

  46. Good design based on understanding
    of security services

  47. AWS Well-Architected Framework
    Security pillar Design principles
    • Implement a strong identity foundation
    • Maintain traceability
    • Apply security at all layers
    • Automate security best practices
    • Protect data in transit and at rest
    • Keep people away from data
    • Prepare for security events
    AWS Well-Architected Framework Security Design principles
    https://docs.aws.amazon.com/wellarchitected/latest/framework/sec-design.html
