
Amazon Web Services Security: Release Engineering & Recommended Architecture

2014 update briefing on AWS deployment security

Kenn White

May 01, 2014

Transcript

  1. Amazon Web Services Security: Release Engineering & Recommended Architecture
    Kenneth White, Principal, BAO Systems
    Raleigh ISSA Back-to-Basics, May 1, 2014
  2. My Background
    Developer: Embedded, safety-critical, clinical trials
    Imaging: Signal processing, classifiers, ML
    OS: kernel, network, file/volume encryption
    DevOps: deployment, risk mgmt, lifecycle/governance
    Compliance: FISMA/FIPS, FDA Part 11/820, HIPAA
    Security: DOD, Red Team, defense, forensics, TLS
    Service: Open Crypto Audit Project
  3. Agenda
    AWS Overview: footprint, offerings, major clients
    Current-gen infrastructure & services
    Recommended practices:
      Access Control
      Identity Management
      File & Disk Encryption
      Orchestration
      Auditing
    Required Reading & Resources
  4. Amazon Web Services Footprint
    2003: Chris Pinkham & Benjamin Black paper to Bezos
    2004-2006: Team develops v. 1 in Cape Town (EC2+S3)
    2008: EC2 reaches General Release
    (skipping a lot)
    2014: $4.5B est. annual AWS revenue
    5.1M public IP addresses
    Long-time leader in Gartner MQ for Cloud Infrastructure
  5. AWS Infrastructure & Service Offerings
    EC2: Virtual machines, “Compute” (PVM & HVM)
    S3: Durable file/object storage
    Route 53: Geo-aware DNS, programmatic anycast
    VPC: Isolation, VLANs, h/w VPN integration, IPsec
    IAM: Fine-grain identity access, key management
    RDS: Managed DBs (MySQL, Oracle, Postgres, SQL Server)
    ELB: Programmatic load balancing, SSL termination
    EMR: Hadoop-as-a-Service, on-demand MapReduce
  6. Major Clients
    Federal Government: DOE, CIA, NASA, HHS, FDA, NIH, CDC, Navy, AF, FBI, State
    May 2013: FedRAMP ATO, all US Regions (http://www.gsa.gov/portal/content/171827)
    March 2014: DoD Authorization Level 1-2, GovCloud
  7. Current-gen infrastructure & services
    M1 is deprecated
  8. Current-gen infrastructure & services: M3, C3, R3 instance types (All-SSD)
    All-SSD local storage
    M3: best for general purpose
    M3 & R3: Intel Xeon E5-2670 (Sandy Bridge) CPUs
    C3: best for high-CPU workloads, E5-2680 v2 (Ivy Bridge)
    R3: best for high-memory (up to 244GB)
    VPC + HVM + SR-IOV = 5X speedup in I/O, significant ↓ in load
  9. Recommended Practices: IAM
    Roles, Groups, Object-level control, time-limited
    Delegation (EC2 roles, cross-account access)
    Policy variables
    Policy simulator
    2FA
    One-time secret keys
    Native SSO: SAML v 2.0 in AWS Management Console
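Added example, not from the deck: a miniature, Allow-only policy evaluator showing how three of the practices on this slide combine in a single IAM policy: object-level S3 control via the ${aws:username} policy variable, a 2FA (MFA) condition, and a time-limited condition. The bucket name, user names and expiry date are constructed placeholders, and real evaluation is done by IAM itself, not by this code.

```python
from datetime import datetime
from fnmatch import fnmatchcase

# Constructed policy in IAM JSON structure; bucket name and expiry are placeholders.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:PutObject"],
        # Object-level control: the ${aws:username} policy variable scopes each
        # user to keys under their own prefix.
        "Resource": "arn:aws:s3:::example-bucket/${aws:username}/*",
        "Condition": {
            "Bool": {"aws:MultiFactorAuthPresent": "true"},               # 2FA
            "DateLessThan": {"aws:CurrentTime": "2014-06-01T00:00:00Z"},  # time-limited
        },
    }],
}


def _parse_utc(iso_z):
    """Parse the ISO 8601 'Z' timestamps IAM uses into an aware datetime."""
    return datetime.fromisoformat(iso_z.replace("Z", "+00:00"))


def make_context(username, mfa, now_iso):
    """Request context keys as IAM would populate them for this call."""
    return {"aws:username": username, "aws:MultiFactorAuthPresent": mfa,
            "aws:CurrentTime": _parse_utc(now_iso)}


def _condition_holds(cond, ctx):
    """Evaluate the Bool and DateLessThan operators; anything else fails closed."""
    for op, pairs in cond.items():
        for key, want in pairs.items():
            have = ctx.get(key)
            if have is None:
                return False
            if op == "Bool":
                ok = str(have).lower() == want.lower()
            elif op == "DateLessThan":
                ok = have < _parse_utc(want)
            else:
                ok = False  # operator not modelled here: deny rather than guess
            if not ok:
                return False
    return True


def is_allowed(policy, action, resource, ctx):
    """Allow-only subset of IAM evaluation: no matching Allow means implicit deny."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow" or action not in stmt["Action"]:
            continue
        pattern = stmt["Resource"].replace("${aws:username}", ctx["aws:username"])
        if fnmatchcase(resource, pattern) and _condition_holds(stmt.get("Condition", {}), ctx):
            return True
    return False
```

Changing any one factor (another user's prefix, MFA absent, a request after the expiry, or an action outside the list) turns the result from Allow into an implicit deny.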
  10. Recommended Practices: File/Disk Encryption
    Vendor-managed: S3
    Client-managed: Java, .Net SDK APIs & code samples
    DM-Crypt
    Key Management Integration for CMPs (Enstratius)
    Oracle RDS Transparent Data Encryption (TDE)
    Off-cloud key management for high-sensitivity workloads
    AWS HSM appliance
  11. Recommended Practices: Orchestration
    Automate, automate, automate
    *So* many options: ElasticBeanstalk, CloudFormation, Chef, Puppet, Salt, Ansible, RightScale, Enstratius, …
  12. Recommended Practices: Auditing & Logging
    IAM: AD & Shibboleth
    CloudTrail, Sumo Logic
    Financial report automation
    Central logging: Managed Splunk, et al
  13. Required Reading
    AWS Security by Stephen Schmidt: http://www.slideshare.net/AmazonWebServices/aws-security-keynote-address-sec101-aws-reinvent-2013
    AWS Security Blog: http://blogs.aws.amazon.com/security/blog
    Security & Compliance Docs: http://aws.amazon.com/compliance/