Amazon Web Services Security: Release Engineering & Recommended Architecture

2014 update briefing on AWS deployment security

Kenn White

May 01, 2014

Transcript

  1. Amazon Web Services Security:
    Release Engineering &
    Recommended Architecture
    Kenneth White
    Principal, BAO Systems
    Raleigh ISSA Back-to-Basics
    May 1, 2014

  2. My Background
    Developer: Embedded, safety-critical, clinical trials
    Imaging: Signal processing, classifiers, ML
    OS: kernel, network, file/volume encryption
    DevOps: deployment, risk mgmt, lifecycle/governance
    Compliance: FISMA/FIPS, FDA Part 11/820, HIPAA
    Security: DOD, Red Team, defense, forensics, TLS
    Service: Open Crypto Audit Project

  3. Agenda
    AWS Overview: footprint, offerings, major clients
    Current-gen infrastructure & services
    Recommended practices
    Access Control
    Identity Management
    File & Disk Encryption
    Orchestration
    Auditing
    Required Reading & Resources

  4. Disclosures
    Views expressed are my own
    No financial interests in vendors presented

  5. Security is hard

  6. So, what is AWS?

  7. Amazon Web Services
    Footprint
    2003: Chris Pinkham & Benjamin Black paper to Bezos
    2004-2006: Team develops v. 1 in Cape Town (EC2+S3)
    2008: EC2 reaches General Release
    (skipping a lot)
    2014: $4.5B est. annual AWS revenue
    5.1M public IP addresses
    Long-time leader in Gartner MQ for Cloud Infrastructure

  8. AWS Infrastructure & Service
    Offerings
    EC2: Virtual machines (“Compute”), paravirtual (PV) and HVM
    S3: Durable file/object storage
    Route 53: Geo-aware DNS, programmatic anycast
    VPC: Network isolation, private subnets, hardware VPN integration (IPsec)
    IAM: Fine-grain identity access, key management
    RDS: Managed DBs (MySQL, Oracle, Postgres, SQL Server)
    ELB: Programmatic load balancing, SSL termination
    EMR: Hadoop-as-a-Service, on-demand MapReduce

  9. Major Clients
    Federal Government
    DOE, CIA, NASA, HHS, FDA, NIH, CDC, Navy, AF, FBI,
    State
    May 2013: FedRAMP ATO, all US Regions
    http://www.gsa.gov/portal/content/171827
    March 2014: DoD Authorization Level 1-2, GovCloud

  10. Major Clients
    Enterprise
    GE
    SAP
    Comcast
    Discovery
    Nasdaq
    Medidata
    Bristol-Myers Squibb
    Pfizer
    J&J

  11. Current-gen infrastructure &
    services
    M1 is deprecated
    M1 is deprecated
    M1 is deprecated
    M1 is deprecated
    M1 is deprecated

  12. Current-gen infrastructure &
    services
    M3, C3, R3 instance types: all-SSD local storage
    M3: best for general-purpose workloads
    M3 & R3: Intel Xeon E5-2670 (Sandy Bridge) CPUs
    C3: best for high-CPU workloads; E5-2680 v2 (Ivy Bridge)
    R3: best for high-memory workloads (up to 244 GB)
    VPC + HVM + SR-IOV (enhanced networking): ~5x I/O speedup, significantly lower CPU load

  13. Recommended Practices
    IAM
    Roles and groups; object-level (resource-level) permissions; time-limited credentials
    Delegation: EC2 instance roles, cross-account access
    Policy variables (e.g. ${aws:username}) to scope one policy per user
    IAM Policy Simulator to test policies before attaching them
    2FA: AWS MFA (virtual or hardware token), enforceable as a policy condition
    One-time (temporary) secret keys rather than long-lived access keys
    Native SAML 2.0 SSO into the AWS Management Console
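The IAM bullets above combine in one policy: a policy variable scopes a user to their own S3 prefix, a Bool condition requires MFA, a date condition makes the grant time-limited, and an explicit Deny overrides everything. The block below is an added example, not code from the deck or from AWS: the policy, bucket name `example-bucket`, user names and the 2014-06-30 cut-off are constructed, and the small evaluator implements only the subset of the policy language the policy needs (Allow/Deny precedence, wildcards, StringLike, Bool, DateLessThan, `${...}` substitution). It is a local stand-in for the IAM Policy Simulator, not the real thing; use the simulator in the console for anything you will actually deploy.

```python
import fnmatch
import json
from datetime import datetime

# Constructed policy. "Version": "2012-10-17" is required for ${...} policy variables.
POLICY = json.loads(r'''{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "ListOwnPrefixOnly",
     "Effect": "Allow",
     "Action": "s3:ListBucket",
     "Resource": "arn:aws:s3:::example-bucket",
     "Condition": {"StringLike": {"s3:prefix": "home/${aws:username}/*"}}},
    {"Sid": "ReadWriteOwnPrefixWithMfaUntilExpiry",
     "Effect": "Allow",
     "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": "arn:aws:s3:::example-bucket/home/${aws:username}/*",
     "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"},
                   "DateLessThan": {"aws:CurrentTime": "2014-06-30T00:00:00Z"}}},
    {"Sid": "NeverDelete",
     "Effect": "Deny",
     "Action": "s3:DeleteObject",
     "Resource": "*"}
  ]
}''')


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _expand(text, ctx):
    """Substitute ${key} policy variables with values from the request context."""
    for key, val in ctx.items():
        text = text.replace("${" + key + "}", str(val))
    return text


def _parse_time(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ")


def _test_value(op, actual, expected):
    """Evaluate one condition operator; only the operators used above are supported."""
    if op == "StringEquals":
        return actual == expected
    if op == "StringLike":
        return fnmatch.fnmatchcase(actual, expected)
    if op == "Bool":
        return actual.lower() == expected.lower()
    if op == "DateLessThan":
        return _parse_time(actual) < _parse_time(expected)
    if op == "DateGreaterThan":
        return _parse_time(actual) > _parse_time(expected)
    raise ValueError("unsupported condition operator: " + op)


def _conditions_hold(conditions, ctx):
    """Every operator/key pair must hold; within one key any listed value may match.
    A condition key absent from the request context makes the condition false."""
    for op, pairs in conditions.items():
        for key, expected in pairs.items():
            if key not in ctx:
                return False
            wanted = [_expand(str(e), ctx) for e in _as_list(expected)]
            if not any(_test_value(op, str(ctx[key]), e) for e in wanted):
                return False
    return True


def evaluate(policy, action, resource, ctx):
    """Return 'Allow', 'Deny' (explicit) or 'ImplicitDeny' for one request.
    IAM rule of thumb: an explicit Deny beats any Allow; no matching Allow means denied."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        actions = [a.lower() for a in _as_list(stmt["Action"])]  # action names are case-insensitive
        if not any(fnmatch.fnmatchcase(action.lower(), a) for a in actions):
            continue
        resources = [_expand(r, ctx) for r in _as_list(stmt["Resource"])]
        if not any(fnmatch.fnmatchcase(resource, r) for r in resources):
            continue
        if not _conditions_hold(stmt.get("Condition", {}), ctx):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


def request_context(username, mfa, now, extra=None):
    """Build the condition-key context the service would derive for one API call."""
    ctx = {"aws:username": username,
           "aws:MultiFactorAuthPresent": "true" if mfa else "false",
           "aws:CurrentTime": now}
    ctx.update(extra or {})
    return ctx


if __name__ == "__main__":
    own = "arn:aws:s3:::example-bucket/home/alice/report.csv"
    bucket = "arn:aws:s3:::example-bucket"
    ok = request_context("alice", True, "2014-05-01T12:00:00Z")
    cases = [
        ("alice, MFA, before expiry, own object", "s3:GetObject", own, ok),
        ("alice without MFA", "s3:GetObject", own, request_context("alice", False, "2014-05-01T12:00:00Z")),
        ("alice after expiry", "s3:GetObject", own, request_context("alice", True, "2014-07-01T12:00:00Z")),
        ("alice reading bob's object", "s3:GetObject", own.replace("alice", "bob"), ok),
        ("alice deleting own object", "s3:DeleteObject", own, ok),
        ("alice listing own prefix", "s3:ListBucket", bucket,
         request_context("alice", True, "2014-05-01T12:00:00Z", {"s3:prefix": "home/alice/"})),
        ("alice listing whole bucket", "s3:ListBucket", bucket, ok),
    ]
    for label, action, resource, ctx in cases:
        print(f"{label:40} {evaluate(POLICY, action, resource, ctx)}")
```

Two details matter in practice: a missing condition key (the ListBucket call with no `s3:prefix`) evaluates to false, so the listing is denied rather than silently widened, and the `Deny` on `s3:DeleteObject` holds even when every Allow matches.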

  14. Recommended Practices
    File/Disk Encryption
    Vendor-managed: S3 server-side encryption
    Client-managed: S3 client-side encryption via the Java and .NET SDK APIs (code samples available)
    dm-crypt for block volumes, keyed and managed inside the instance
    Key-management integration for cloud management platforms (CMPs), e.g. Enstratius
    Oracle RDS Transparent Data Encryption (TDE)
    Off-cloud key management for high-sensitivity workloads
    AWS CloudHSM appliance

  15. Recommended Practices
    Orchestration
    Automate, automate, automate
    *So* many options
    ElasticBeanstalk
    CloudFormation
    Chef, Puppet, Salt, Ansible
    RightScale, Enstratius, …

  16. Recommended Practices
    Auditing & Logging
    IAM: who did what, with federated identity via AD and Shibboleth
    CloudTrail for the API call history; Sumo Logic (or similar) for analysis
    Financial (billing) report automation
    Central logging
    Managed services
    Splunk, et al
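Once CloudTrail is on and centralised, the auditing bullet is only useful if someone reads the trail, and the checks worth automating first are the ones that catch an attacker (or an admin) working around the controls on the previous slides. The block below is an added example, not code from the deck or from AWS: the records are constructed to resemble the CloudTrail JSON record format (account 123456789012 and the IP addresses are documentation placeholders), and the rules and thresholds are the author-of-this-edit's assumptions about what a first triage pass should flag: any root-account activity, a console login without MFA, CloudTrail being stopped or altered, IAM privilege changes, and a burst of denied calls from one principal/IP pair.

```python
import gzip
import json

# Constructed sample, modelled on the CloudTrail record format; not a real trail.
ACCOUNT = "123456789012"
ROOT = {"type": "Root", "arn": f"arn:aws:iam::{ACCOUNT}:root"}


def _user(name):
    return {"type": "IAMUser", "arn": f"arn:aws:iam::{ACCOUNT}:user/{name}", "userName": name}


SAMPLE_TRAIL = {"Records": [
    {"eventTime": "2014-05-01T13:02:11Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "userIdentity": _user("alice"),
     "sourceIPAddress": "198.51.100.7",
     "additionalEventData": {"MFAUsed": "Yes"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2014-05-01T13:05:40Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "userIdentity": ROOT,
     "sourceIPAddress": "203.0.113.9",
     "additionalEventData": {"MFAUsed": "No"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2014-05-01T13:06:02Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "userIdentity": ROOT,
     "sourceIPAddress": "203.0.113.9", "requestParameters": {"name": "prod-trail"}},
    {"eventTime": "2014-05-01T13:06:30Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateAccessKey", "userIdentity": ROOT,
     "sourceIPAddress": "203.0.113.9", "requestParameters": {"userName": "backup-svc"}},
] + [
    # Six denied EC2 calls in one minute from one user and IP: probing or a broken script.
    {"eventTime": f"2014-05-01T13:10:{sec:02d}Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "userIdentity": _user("bob"),
     "sourceIPAddress": "192.0.2.44", "errorCode": "Client.UnauthorizedOperation"}
    for sec in range(0, 60, 10)
]}

TRAIL_TAMPERING = {"StopLogging", "DeleteTrail", "UpdateTrail"}
IAM_PRIVILEGE_CHANGES = {"CreateUser", "CreateAccessKey", "CreateLoginProfile",
                         "AttachUserPolicy", "PutUserPolicy", "AddUserToGroup",
                         "AttachRolePolicy", "PutRolePolicy"}


def analyze(trail, denied_threshold=5):
    """Return (rule, principal_arn, detail, eventTime) tuples that deserve a human look."""
    findings = []
    denied = {}
    for rec in trail["Records"]:
        ident = rec.get("userIdentity", {})
        who = ident.get("arn", "unknown")
        name = rec.get("eventName", "")
        when = rec.get("eventTime", "")
        if ident.get("type") == "Root":
            findings.append(("root-activity", who, name, when))
        if name == "ConsoleLogin" and rec.get("additionalEventData", {}).get("MFAUsed") != "Yes":
            findings.append(("console-login-without-mfa", who, rec.get("sourceIPAddress", ""), when))
        if rec.get("eventSource") == "cloudtrail.amazonaws.com" and name in TRAIL_TAMPERING:
            findings.append(("cloudtrail-tampering", who, name, when))
        if rec.get("eventSource") == "iam.amazonaws.com" and name in IAM_PRIVILEGE_CHANGES:
            findings.append(("iam-privilege-change", who,
                             name + " " + json.dumps(rec.get("requestParameters", {})), when))
        if rec.get("errorCode", "").endswith(("AccessDenied", "UnauthorizedOperation")):
            key = (who, rec.get("sourceIPAddress", ""))
            denied[key] = denied.get(key, 0) + 1
    for (who, ip), count in sorted(denied.items()):
        if count >= denied_threshold:
            findings.append(("access-denied-burst", who, f"{count} denied calls from {ip}", ""))
    return findings


def load_trail_file(path):
    """Read one CloudTrail delivery object (gzipped JSON) as fetched from the log bucket."""
    with gzip.open(path, "rt") as fh:
        return json.load(fh)


if __name__ == "__main__":
    for rule, who, detail, when in analyze(SAMPLE_TRAIL):
        print(f"{when:20} {rule:26} {who:45} {detail}")
```

In the sample the root login without MFA, the StopLogging call and the new access key for `backup-svc` all come from the same address within a minute, which is the pattern you want surfaced as one incident rather than three log lines; alice's MFA-backed login produces nothing. Point `load_trail_file` at the objects CloudTrail delivers to S3 to run the same rules on real data.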

  17. Required Reading
    AWS Security by Stephen Schmidt (re:Invent 2013 keynote, SEC101):
    http://www.slideshare.net/AmazonWebServices/aws-security-keynote-address-sec101-aws-reinvent-2013
    AWS Security Blog:
    http://blogs.aws.amazon.com/security/blog
    Security & Compliance Docs:
    http://aws.amazon.com/compliance/

  18. How good are your controls?

  19. Contacts
    Twitter: @kennwhite
    LinkedIn: www.linkedin.com/in/biotech
    Email: kwhite @ baosystems . com
    Web: opencryptoaudit.org/people
