Amazon Web Services Security: Release Engineering & Recommended Architecture

2014 update briefing on AWS deployment security

Kenn White

May 01, 2014

Transcript

  1. Amazon Web Services Security:
    Release Engineering &
    Recommended Architecture
    Kenneth White
    Principal, BAO Systems
    Raleigh ISSA Back-to-Basics
    May 1, 2014

  2. My Background
    Developer: Embedded, safety-critical, clinical trials
    Imaging: Signal processing, classifiers, ML
    OS: kernel, network, file/volume encryption
    DevOps: deployment, risk mgmt, lifecycle/governance
    Compliance: FISMA/FIPS, FDA Part 11/820, HIPAA
    Security: DOD, Red Team, defense, forensics, TLS
    Service: Open Crypto Audit Project

  3. Agenda
    AWS Overview: footprint, offerings, major clients
    Current-gen infrastructure & services
    Recommended practices
    Access Control
    Identity Management
    File & Disk Encryption
    Orchestration
    Auditing
    Required Reading & Resources

  4. Disclosures
    Views expressed are my own
    No financial interests in vendors presented

  5. Security is hard

  6. So, what is AWS?

  7. Amazon Web Services
    Footprint
    2003: Chris Pinkham & Benjamin Black paper to Bezos
    2004-2006: Team develops v. 1 in Cape Town (EC2+S3)
    2008: EC2 reaches General Release
    (skipping a lot)
    2014: $4.5B est. annual AWS revenue
    5.1M public IP addresses
    Long-time leader in Gartner MQ for Cloud Infrastructure

  8. AWS Infrastructure & Service
    Offerings
    EC2: Virtual machines “Compute” (PVM & HVM)
    S3: Durable file/object storage
    Route 53: Geo-aware DNS, programmatic anycast
    VPC: Isolation, VLANs, h/w VPN integration, IPsec
    IAM: Fine-grain identity access, key management
    RDS: Managed DBs (MySQL, Oracle, Postgres, SQL Server)
    ELB: Programmatic load balancing, SSL termination
    EMR: Hadoop-as-a-Service, on-demand MapReduce

  9. Major Clients
    Federal Government
    DOE, CIA, NASA, HHS, FDA, NIH, CDC, Navy, AF, FBI, State
    May 2013: FedRAMP ATO, all US Regions
    http://www.gsa.gov/portal/content/171827
    March 2014: DoD Authorization Level 1-2, GovCloud

  10. Major Clients
    Enterprise
    GE
    SAP
    Comcast
    Discovery
    Nasdaq
    Medidata
    Bristol-Myers Squibb
    Pfizer
    J&J

  11. Current-gen infrastructure & services
    M1 is deprecated

  12. Current-gen infrastructure & services
    M3, C3, R3 instance types: All-SSD
    M3 best for general purpose
    All-SSD local storage
    M3 & R3
    Intel Xeon E5-2670 (Sandy Bridge) CPUs
    C3 best for high CPU workload
    E5-2680 v2 (Ivy Bridge)
    R3 best for high-memory (up to 244GB)
    VPC+HVM+SR-IOV=5X speedup in I/O, sig ↓ load

  13. Recommended Practices
    IAM
    Roles, Groups, Object-level control, time-limited
    Delegation (EC2 roles, cross-account access)
    Policy variables
    Policy simulator
    2FA
    One-time secret keys
    Native SSO (SAML v2.0) in AWS Management Console
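As an added example (not from the deck): a Python script that writes an IAM policy combining several of the practices on this slide, namely object-level S3 control scoped with the `${aws:username}` policy variable, a 2FA (MFA) requirement, and a time-limited grant, plus a small static check that flags Allow statements lacking those constraints. The bucket name and expiry are assumed placeholders; run the result through the IAM policy simulator before attaching it.

```python
import json

def scoped_s3_policy(bucket, expires_iso):
    """Least-privilege S3 policy: a user may only touch objects under a
    prefix equal to their own IAM user name (policy variable
    ${aws:username}), only when MFA was used to sign in, and only until
    the UTC expiry given in ISO 8601 form (a time-limited grant)."""
    mfa_and_deadline = {
        "Bool": {"aws:MultiFactorAuthPresent": "true"},
        "DateLessThan": {"aws:CurrentTime": expires_iso},
    }
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "ListOwnPrefix", "Effect": "Allow",
         "Action": "s3:ListBucket",
         "Resource": f"arn:aws:s3:::{bucket}",
         "Condition": {"StringLike": {"s3:prefix": "${aws:username}/*"},
                       **mfa_and_deadline}},
        {"Sid": "ObjectLevelOwnPrefix", "Effect": "Allow",
         "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": f"arn:aws:s3:::{bucket}/${{aws:username}}/*",
         "Condition": dict(mfa_and_deadline)},
    ]}

def policy_findings(policy):
    """Static review of a policy document. Flags Allow statements that
    use wildcard actions or resources, or that grant access without an
    MFA condition. Returns a list of (Sid, finding) tuples."""
    findings = []
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        sid = st.get("Sid", "<no Sid>")
        actions, resources = st.get("Action", []), st.get("Resource", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = [resources] if isinstance(resources, str) else resources
        if any(a == "*" or a.endswith(":*") for a in actions):
            findings.append((sid, "wildcard action"))
        if "*" in resources:
            findings.append((sid, "wildcard resource"))
        mfa = st.get("Condition", {}).get("Bool", {}).get("aws:MultiFactorAuthPresent")
        if str(mfa).lower() != "true":
            findings.append((sid, "no MFA condition"))
    return findings

# Constructed example of an over-broad policy that the review should flag.
ADMIN_STYLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "Everything", "Effect": "Allow", "Action": "*", "Resource": "*"}]}
if __name__ == "__main__":
    print(json.dumps(scoped_s3_policy("example-bucket", "2014-06-01T00:00:00Z"), indent=2))
    print(policy_findings(ADMIN_STYLE_POLICY))
```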

  14. Recommended Practices
    File/Disk Encryption
    Vendor-managed S3
    Client-managed
    Java, .Net SDK APIs & code samples
    DM-Crypt
    Key Management Integration for CMPs (Enstratius)
    Oracle RDS Transparent Data Encryption (TDE)
    Off-cloud key management for high-sensitivity workloads
    AWS HSM appliance

  15. Recommended Practices
    Orchestration
    Automate, automate, automate
    *So* many options
    ElasticBeanstalk
    CloudFormation
    Chef, Puppet, Salt, Ansible
    RightScale, Enstratius, …

  16. Recommended Practices
    Auditing & Logging
    IAM
    AD & Shibboleth
    CloudTrail, Sumo Logic
    Financial report automation
    Central logging
    Managed
    Splunk, et al

  17. Required Reading
    AWS Security by Stephen Schmidt:
    http://www.slideshare.net/AmazonWebServices/aws-security-keynote-address-sec101-aws-reinvent-2013
    AWS Security Blog:
    http://blogs.aws.amazon.com/security/blog
    Security & Compliance Docs
    http://aws.amazon.com/compliance/

  18. How good are your controls?

  19. Thank you!

  20. Contacts
    Twitter: @kennwhite
    LinkedIn: www.linkedin.com/in/biotech
    Email: kwhite @ baosystems . com
    Web: opencryptoaudit.org/people