Amazon Web Services Security: Release Engineering & Recommended Architecture

2014 update briefing on AWS deployment security


Kenneth White

May 01, 2014


1. Amazon Web Services Security: Release Engineering & Recommended Architecture
   Kenneth White, Principal, BAO Systems
   Raleigh ISSA Back-to-Basics, May 1, 2014
2. My Background
   - Developer: Embedded, safety-critical, clinical trials
   - Imaging: Signal processing, classifiers, ML
   - OS: kernel, network, file/volume encryption
   - DevOps: deployment, risk mgmt, lifecycle/governance
   - Compliance: FISMA/FIPS, FDA Part 11/820, HIPAA
   - Security: DOD, Red Team, defense, forensics, TLS
   - Service: Open Crypto Audit Project
3. Agenda
   - AWS Overview: footprint, offerings, major clients
   - Current-gen infrastructure & services
   - Recommended practices: Access Control, Identity Management, File & Disk Encryption, Orchestration, Auditing
   - Required Reading & Resources
7. Amazon Web Services Footprint
   - 2003: Chris Pinkham & Benjamin Black paper to Bezos
   - 2004-2006: Team develops v. 1 in Cape Town (EC2+S3)
   - 2008: EC2 reaches General Release (skipping a lot)
   - 2014: $4.5B est. annual AWS revenue
   - 5.1M public IP addresses
   - Long-time leader in Gartner MQ for Cloud Infrastructure
8. AWS Infrastructure & Service Offerings
   - EC2: Virtual machines, “Compute” (PVM & HVM)
   - S3: Durable file/object storage
   - Route 53: Geo-aware DNS, programmatic anycast
   - VPC: Isolation, VLANs, h/w VPN integration, IPsec
   - IAM: Fine-grain identity access, key management
   - RDS: Managed DBs (MySQL, Oracle, Postgres, SQL Server)
   - ELB: Programmatic load balancing, SSL termination
   - EMR: Hadoop-as-a-Service, on-demand MapReduce
9. Major Clients
   - Federal Government: DOE, CIA, NASA, HHS, FDA, NIH, CDC, Navy, AF, FBI, State
   - May 2013: FedRAMP ATO, all US Regions
   - March 2014: DoD Authorization Level 1-2, GovCloud
11. Current-gen infrastructure & services
    - M1 is deprecated
12. Current-gen infrastructure & services
    - M3, C3, R3 instance types: All-SSD local storage
    - M3 best for general purpose
    - M3 & R3: Intel Xeon E5-2670 (Sandy Bridge) CPUs
    - C3 best for high CPU workload: E5-2680 v2 (Ivy Bridge)
    - R3 best for high-memory (up to 244GB)
    - VPC + HVM + SR-IOV = 5X speedup in I/O, significantly lower load
13. Recommended Practices: IAM
    - Roles, Groups, Object-level control, time-limited
    - Delegation (EC2 roles, cross-account access)
    - Policy variables
    - Policy simulator
    - 2FA
    - One-time secret keys
    - Native SSO: SAML v2.0 in AWS Management Console
14. Recommended Practices: File/Disk Encryption
    - Vendor-managed: S3
    - Client-managed: Java, .Net SDK APIs & code samples; DM-Crypt
    - Key Management Integration for CMPs (Enstratius)
    - Oracle RDS Transparent Data Encryption (TDE)
    - Off-cloud key management for high-sensitivity workloads
    - AWS HSM appliance
15. Recommended Practices: Orchestration
    - Automate, automate, automate
    - *So* many options: ElasticBeanstalk, CloudFormation, Chef, Puppet, Salt, Ansible, RightScale, Enstratius, …
16. Recommended Practices: Auditing & Logging
    - IAM: AD & Shibboleth
    - CloudTrail, Sumo Logic
    - Financial report automation
    - Central logging: Managed Splunk, et al.
17. Required Reading
    - AWS Security by Stephen Schmidt: aws-security-keynote-address-sec101-aws-reinvent-2013
    - AWS Security Blog
    - Security & Compliance Docs
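Slide 13 lists policy variables, 2FA, time-limited access and object-level control as separate IAM practices; the added example below (not part of the deck, and not AWS's policy engine) shows how they combine in a single S3 policy and walks a toy evaluator over it in the spirit of the policy simulator. The bucket name, cutoff date and request contexts are constructed; real IAM evaluation has more operators and rules than this sketch.

```python
from fnmatch import fnmatchcase

# Constructed policy (assumption, not from the deck): each user may read/write
# only objects under their own home/<username>/ prefix, only with MFA present,
# and only until a fixed cutoff date. The condition keys are real IAM keys.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:PutObject"],
        "Resource": "arn:aws:s3:::example-corp-data/home/${aws:username}/*",
        "Condition": {
            "Bool": {"aws:MultiFactorAuthPresent": "true"},
            "DateLessThan": {"aws:CurrentTime": "2014-06-30T23:59:59Z"},
        },
    }],
}

def substitute(text, ctx):
    """Expand ${aws:username}-style policy variables from the request context."""
    for key, val in ctx.items():
        text = text.replace("${" + key + "}", str(val))
    return text

def condition_ok(cond, ctx):
    """All condition operators and keys must hold (AND semantics)."""
    for op, pairs in cond.items():
        for key, want in pairs.items():
            have = ctx.get(key)
            if op == "Bool" and str(have).lower() != want:
                return False
            # aws:CurrentTime is ISO-8601 UTC, so string order equals time order.
            if op == "DateLessThan" and not (have and have < want):
                return False
    return True

def is_allowed(policy, action, resource, ctx):
    """Default deny; a matching explicit Deny wins; any matching Allow grants."""
    allowed = False
    for st in policy["Statement"]:
        acts = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        ress = st["Resource"] if isinstance(st["Resource"], list) else [st["Resource"]]
        if not (any(fnmatchcase(action, a) for a in acts)
                and any(fnmatchcase(resource, substitute(r, ctx)) for r in ress)
                and condition_ok(st.get("Condition", {}), ctx)):
            continue
        if st["Effect"] == "Deny":
            return False
        allowed = True
    return allowed
```

Dropping either condition (MFA absent, or a request after the cutoff) or changing the caller's username turns the same request into a deny, which is the property the slide's separate bullets are meant to deliver together.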