Staying in control on AWS - Secure Software Development Meetup

In this presentation, Marek provided an overview of how you can keep your AWS accounts (and the applications in them) secure using automation. Using a few live demos, Marek showed how you can prevent vulnerable configurations in your workloads at both the infrastructure and the software level.

Marek Kuczynski

August 28, 2019

Transcript

  1. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
     Marek Kuczynski, Senior Solutions Architect - startups, Amazon Web Services
     Staying in control on AWS
     Amsterdam Secure Software Development Meetup, 28 August 2019
  2. In this session…
     • A very brief introduction to AWS
     • Securing your virtual machines and networks
     • CI/CD, infrastructure as code and best practices
     • Serverless computing
  3. About Marek
     Right now – building things
     • Senior Solutions Architect at AWS – startups
     • One of the serverless experts for the Benelux area
     Before – breaking things
     • Vulnerability analyst and penetration tester at Shell
     • Threat intelligence analyst at Shell
     • Penetration tester and code auditor at KPMG
     @marekq
  4. How I got interested in AWS
     https://aws.amazon.com/solutions/case-studies/royal-dutch-shell/
  5. How I got interested in AWS
     https://aws.amazon.com/solutions/case-studies/royal-dutch-shell/
  6. AWS was built to support virtually every workload
     • Industry leading security and governance
     • Elasticity and agility, pay as you go model
     • Open and flexible platform
     • Global footprint of 22 regions and over 180 POPs
     • Broadest and deepest choice of more than 165 services
  7. Customer obsessed: 90% of the roadmap originates with customer requests
     “Performance, reliability, and responsiveness are fundamental to our customer experience, and T3 instances help us to deliver on that customer promise while also controlling our costs.” —Heroku
  8. At AWS, cloud security is job zero. All AWS customers benefit from a data center and network architecture built to satisfy the requirements of the most security-sensitive organizations.
  9. Gain access to a world-class security team
     • Where would some of the world’s top security people like to work? At scale, on huge challenges with huge rewards
     • So AWS has world-class security and compliance teams watching your back!
     • Every customer benefits from the tough scrutiny of other AWS customers
  10. Shared Responsibility Model
     AWS is responsible for the security OF the Cloud:
     • AWS Foundation Services: Compute, Storage, Database, Networking
     • AWS Global Infrastructure: Regions, Availability Zones, Edge Locations
     Customers are responsible for their security and compliance IN the Cloud:
     • Customer content
     • Platform, Applications, Identity & Access Management
     • Operating System, Network & Firewall Configuration
     • Client-side Data Encryption, Server-side Data Encryption, Network Traffic Protection
  11. Defense in depth
     • Physical: AWS Compliance Program, Third Party Attestations
     • Network: Security Groups, VPC Configuration, Web App Firewalls, Bastion Hosts, Encryption In-Transit
     • System Security: Hardened AMIs, OS and App Patch Mgmt., IAM Roles for EC2, IAM Credentials
     • Data Security: Logical Access Controls, User Authentication, Encryption At-Rest
  12. Choices for Compute
     • Amazon EC2: Virtual server instances in the cloud
     • Amazon ECS, EKS, and Fargate: Container management service for running Docker on a managed cluster of EC2
     • AWS Lambda: Serverless compute for stateless code execution in response to triggers
  13. AWS Identity and Access Management
  14. AAA with AWS
     • Authenticate: IAM Username/Password, Access Key (+ MFA), Federation
     • Authorize: IAM Policies
     • Audit: CloudTrail
  15. AWS Identity Authentication
     Authentication: How do we know you are who you say you are?
     • AWS Management Console: Login with Username/Password with optional MFA (recommended). For time-limited access, a Signed URL can provide temporary access to the Console.
     • API access: Access the API using Access Key + Secret Key, with optional MFA. ACCESS KEY ID Ex: AKIAIOSFODNN7EXAMPLE; SECRET KEY Ex: UtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY. For time-limited access, call the AWS Security Token Service (STS) to get a temporary AccessKey + SecretKey + session token.
  16. AWS IAM Hierarchy of Privileges
     • AWS Account Owner (Root): Unrestricted access to all enabled services and resources. Permissions example: Action: *, Effect: Allow, Resource: * (implicit)
     • AWS IAM User: Access restricted by Group and User policies. Permissions example: Action: ['s3:*', 'sts:Get*'], Effect: Allow, Resource: *
     • Temporary Security Credentials: Access restricted by the generating identity and further by the policies used to generate the token. Permissions example: Action: ['s3:Get*'], Effect: Allow, Resource: 'arn:aws:s3:::mybucket/*'
     Enforce the principle of least privilege with Identity and Access Management (IAM) users, groups, and policies and temporary credentials.
  17. AWS CloudTrail
     Web service that records AWS API calls for your account and delivers logs.
     Who? | When? | What? | Where to? | Where from?
     Bill | 3:27pm | Launch Instance | us-west-2 | 72.21.198.64
     Alice | 8:19am | Added Bob to admin group | us-east-1 | 54.16.113.91
     Steve | 2:22pm | Deleted DynamoDB table | eu-west-1 | 205.251.233.176
  18. Querying IAM services
     How many IAM users are in our account?
     $ aws iam list-users
     Who has access to our infrastructure with(out) MFA?
     $ aws iam list-mfa-devices
     Remove API access for a user immediately:
     $ aws iam delete-access-key
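The three commands on slide 18 answer the questions one at a time; the script below, an added example that is not part of the deck, turns their JSON output into findings. The sample documents are constructed to mirror the shapes returned by `aws iam list-users`, `aws iam list-mfa-devices --user-name <name>` and `aws iam list-access-keys --user-name <name>` (the per-user form is needed because `list-mfa-devices` without `--user-name` reports only the caller's own devices); the account id, user ids and the second key id are placeholders.

```python
"""Audit helpers for the IAM CLI output on slide 18 (added example, not from the deck)."""
import json
from datetime import datetime, timezone

# Constructed `aws iam list-users` output; 123456789012 is the AWS documentation example account.
LIST_USERS = json.loads("""
{"Users": [
  {"UserName": "alice", "UserId": "AIDAEXAMPLE00000001",
   "Arn": "arn:aws:iam::123456789012:user/alice",
   "CreateDate": "2018-03-01T10:00:00Z", "PasswordLastUsed": "2019-08-27T08:19:00Z"},
  {"UserName": "bob", "UserId": "AIDAEXAMPLE00000002",
   "Arn": "arn:aws:iam::123456789012:user/bob",
   "CreateDate": "2019-01-15T12:00:00Z", "PasswordLastUsed": "2019-08-20T14:02:00Z"},
  {"UserName": "deploy-bot", "UserId": "AIDAEXAMPLE00000003",
   "Arn": "arn:aws:iam::123456789012:user/deploy-bot",
   "CreateDate": "2018-06-01T00:00:00Z"}
]}
""")

# Constructed per-user `aws iam list-mfa-devices --user-name <name>` output.
MFA_DEVICES = {
    "alice": {"MFADevices": [{"UserName": "alice",
                              "SerialNumber": "arn:aws:iam::123456789012:mfa/alice",
                              "EnableDate": "2018-03-02T09:00:00Z"}]},
    "bob": {"MFADevices": []},
    "deploy-bot": {"MFADevices": []},
}

# Constructed per-user `aws iam list-access-keys --user-name <name>` output
# (AKIAIOSFODNN7EXAMPLE is the example key id from slide 15; the other is a placeholder).
ACCESS_KEYS = {
    "alice": {"AccessKeyMetadata": []},
    "bob": {"AccessKeyMetadata": [{"UserName": "bob", "AccessKeyId": "AKIAIOSFODNN7EXAMPLE",
                                   "Status": "Active", "CreateDate": "2019-01-15T12:05:00Z"}]},
    "deploy-bot": {"AccessKeyMetadata": [{"UserName": "deploy-bot", "AccessKeyId": "AKIAEXAMPLEDEPLOY01",
                                          "Status": "Active", "CreateDate": "2018-06-01T00:00:00Z"}]},
}

TALK_DATE = datetime(2019, 8, 28, tzinfo=timezone.utc)  # "now" for the demo run


def _parse_time(value):
    """CLI timestamps are ISO 8601 with a trailing Z; make them timezone-aware."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def console_users_without_mfa(list_users, mfa_by_user):
    """Users who sign in with a password (PasswordLastUsed is set) but have no MFA device."""
    return sorted(
        user["UserName"]
        for user in list_users["Users"]
        if "PasswordLastUsed" in user
        and not mfa_by_user.get(user["UserName"], {}).get("MFADevices")
    )


def stale_active_keys(keys_by_user, now, max_age_days=90):
    """Active access keys older than max_age_days, as (user, key id, age in days)."""
    findings = []
    for user, doc in keys_by_user.items():
        for key in doc["AccessKeyMetadata"]:
            age = (now - _parse_time(key["CreateDate"])).days
            if key["Status"] == "Active" and age > max_age_days:
                findings.append((user, key["AccessKeyId"], age))
    return sorted(findings)


def revoke_command(user, key_id):
    """The remediation from slide 18, with the arguments delete-access-key requires."""
    return f"aws iam delete-access-key --user-name {user} --access-key-id {key_id}"


if __name__ == "__main__":
    print("console users without MFA:", console_users_without_mfa(LIST_USERS, MFA_DEVICES))
    for user, key_id, age in stale_active_keys(ACCESS_KEYS, TALK_DATE):
        print(f"{user}: key {key_id} is {age} days old -> {revoke_command(user, key_id)}")
```

Service users such as `deploy-bot` have no console password, so the MFA check skips them on purpose; their risk is the long-lived key, which the second check surfaces. In a real account, run the three CLI commands with `--output json`, load the files, and pass `datetime.now(timezone.utc)` instead of `TALK_DATE`.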
  19. Using the SDK to retrieve data
     You can programmatically read the details of your AWS accounts and infrastructure: https://github.com/marekq/list-ec2
  20. Building your first, secure application
  21. Virtual machines – EC2 instances
     • AMI: Virtual Machine Configuration
     • Instance: Running or Stopped VM
     • VPC, AZ (Availability Zone) and Region
     • EBS volumes, EBS Snapshots, S3 Buckets (Amazon S3)
  22. AWS Nitro System – Modular Building Blocks for rapid design and delivery of EC2 instances
     • Nitro Hypervisor: Lightweight hypervisor, Memory and CPU allocation, Bare Metal-like performance
     • Nitro Card: VPC Networking, Amazon EBS, Local Instance, System Controller
     • Nitro Security Chip: Integrated into motherboard, Protects hardware resources, Hardware Root of Trust
  23. https://www.awsgeek.com/posts/AWS-reInvent-2018-Evolution-of-the-EC2-Host/
  24. EC2 Host
     Physical Host with Physical Interfaces, Hypervisor and Virtualization Firewall; Virtual Interfaces, each with its own Security Groups; Customer Instances (Large, Small, Small, …)
  25. Tiered EC2 Security Groups
     Hierarchical Security Group Rules
     • Dynamically created rules
     • Based on Security Group membership
     • Create tiered network architectures
     “Web” Security Group: TCP 80 from 0.0.0.0/0; TCP 22 from “Mgmt”
     “App” Security Group: TCP 8080 from “Web”; TCP 22 from “Mgmt”
     “DB” Security Group: TCP 3306 from “App”; TCP 22 from “Mgmt”
     “Mgmt” Security Group: TCP 22 from 163.128.25.32/32
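The four groups on slide 25 form a chain in which each tier only admits traffic from the tier in front of it. The script below is an added example, not part of the deck: it encodes the slide's rules and evaluates whether a given flow is admitted, with rule sources that are either a CIDR or another security group. It assumes the sending instance's group membership is passed in explicitly (real AWS derives it from the sender's network interface); the IP addresses used in the demo run are constructed.

```python
"""Reachability check for the tiered security groups on slide 25 (added example, not from the deck)."""
import ipaddress

# Inbound rules from the slide: (protocol, port, source); source is a CIDR or a group name.
GROUPS = {
    "Web":  [("tcp", 80, "0.0.0.0/0"), ("tcp", 22, "Mgmt")],
    "App":  [("tcp", 8080, "Web"), ("tcp", 22, "Mgmt")],
    "DB":   [("tcp", 3306, "App"), ("tcp", 22, "Mgmt")],
    "Mgmt": [("tcp", 22, "163.128.25.32/32")],
}


def _source_matches(source, src_ip, src_groups):
    """Group sources match on the sender's membership; CIDR sources on its address."""
    if source in GROUPS:
        return source in src_groups
    return ipaddress.ip_address(src_ip) in ipaddress.ip_network(source)


def is_allowed(dst_group, protocol, port, src_ip, src_groups=()):
    """True if any inbound rule on dst_group admits this flow.

    src_groups are the security groups attached to the sending instance;
    leave it empty for a host outside the VPC (such as the admin's workstation).
    """
    return any(
        proto == protocol and rule_port == port and _source_matches(source, src_ip, src_groups)
        for proto, rule_port, source in GROUPS.get(dst_group, [])
    )


def internet_exposed_ports():
    """(group, port) pairs reachable from anywhere: the list to review before go-live."""
    return sorted((group, port) for group, rules in GROUPS.items()
                  for _, port, source in rules if source == "0.0.0.0/0")


if __name__ == "__main__":
    # Constructed addresses: 203.0.113.7 is a documentation-range external host, 10.0.x.x are VPC-internal.
    print("exposed to the Internet:", internet_exposed_ports())
    print("Web  <- anyone :80      ", is_allowed("Web", "tcp", 80, "203.0.113.7"))
    print("DB   <- Web tier :3306  ", is_allowed("DB", "tcp", 3306, "10.0.1.5", {"Web"}))
    print("DB   <- App tier :3306  ", is_allowed("DB", "tcp", 3306, "10.0.2.9", {"App"}))
    print("DB   <- admin IP :22    ", is_allowed("DB", "tcp", 22, "163.128.25.32"))
    print("Mgmt <- admin IP :22    ", is_allowed("Mgmt", "tcp", 22, "163.128.25.32"))
```

The last two lines of the demo show the point of the "Mgmt" tier: the admin address can reach port 22 only on the Mgmt group, and the database accepts SSH only from an instance that is in Mgmt, so a compromised web server cannot open a MySQL or SSH connection to the database directly.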
  26. Modernizing your application
     Amazon DynamoDB, Amazon RDS, Amazon ElastiCache, Amazon S3, Amazon Elasticsearch, Amazon Redshift
     Use cases: logging, rich search, key/value, simple query, hot reads, analytics, complex queries & transactions
  27. Retrieve database credentials securely
     EC2 Instance (Operating System, Your Code): AWS credentials plumbed (as before) → Authorized call to Secrets Manager → DB creds returned → DB creds loaded → connection established to AWS Resources or Other Resources → Safe rotation
     The combination provides your apps a reliable, secure, auto-rotating solution for ALL credentials
  28. Use IAM roles to grant access to instances
     EC2 Instance (Operating System, Your Code) → AWS Resources
     • AWS credentials auto delivered and rotated
     • AWS credentials auto discovered and used
     • Access controlled by policy attached to role
     • Also works with AWS Lambda & Amazon ECS
  29. Amazon Inspector
     • Vulnerability Assessment Service
     • Built from the ground up to support DevSecOps
     • Automatable via APIs
     • Integrates with CI/CD tools
     • On-Demand Pricing model
     • Static and Dynamic Rules Packages
  30. AWS Session Manager
     • Connect to your instance directly from the console.
     • All sessions and commands are logged.
     • No need to provision SSH keys or open up security groups.
  31. Staying secure at scale
  32. Microservice Development Cycle
     Developers → Delivery Pipelines (Build, Test, Release for each service) → Services
  33. Use pipelines to deploy your applications
     Source → Build → Test → Production
  34. Infrastructure as Code - CloudFormation
  35. CloudFormation template for a Linux instance
  36. Choose deployment speed and group
     Agents running v1 are updated to v2 One at a time, Half at a time, or All at once, in the Dev deployment group OR the Prod deployment group
  37. New! The AWS Cloud Development Kit
     https://docs.aws.amazon.com/cdk/latest/guide/home.html
  38. Use dedicated AWS accounts
     AWS Organizations can create an OU-like structure of all your accounts. Service Control Policies (SCPs) can be applied on accounts to restrict functionality.
  39. SCPs – disable disabling CloudTrail
  40. SCPs – blocking AWS regions outside the EU
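Slides 39 and 40 only name the two SCPs, and slide 16 shows the least-privilege policy for temporary credentials; the script below is an added example, not part of the deck, that writes out constructed versions of both SCPs as JSON policy documents and evaluates requests against them together with the slide 16 policy. The evaluator is a deliberately simplified model of the AWS logic (explicit deny in any SCP or identity policy wins, otherwise an identity-policy Allow is required, otherwise implicit deny); it handles only `Action`/`NotAction`, `Resource` patterns and the `StringEquals`/`StringNotEquals` condition operators, and it ignores resource policies, permission boundaries and the Allow side of SCPs. The action names, the `aws:RequestedRegion` key and the policy `Version` are real; the trail ARN and account id are placeholders.

```python
"""Simplified evaluator for IAM-style policies and SCPs (added example, not from the deck)."""
import fnmatch

# Slide 16: temporary credentials that may only read one bucket.
READ_ONE_BUCKET = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["s3:Get*"],
                   "Resource": "arn:aws:s3:::mybucket/*"}],
}

# An administrator identity policy, used to show that SCPs still bind admins.
ADMIN = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

# Constructed SCP for slide 39: nobody in the account can stop, alter or remove CloudTrail.
SCP_PROTECT_CLOUDTRAIL = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Deny",
                   "Action": ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail",
                              "cloudtrail:UpdateTrail"],
                   "Resource": "*"}],
}

# Constructed SCP for slide 40: deny every regional call outside the EU. Global
# services (IAM, STS, Organizations, CloudFront, Route 53, Support) are exempted
# with NotAction because their API calls carry a non-EU region.
EU_REGIONS = ["eu-west-1", "eu-west-2", "eu-west-3", "eu-central-1", "eu-north-1"]
SCP_EU_ONLY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Deny",
                   "NotAction": ["iam:*", "sts:*", "organizations:*", "cloudfront:*",
                                 "route53:*", "support:*"],
                   "Resource": "*",
                   "Condition": {"StringNotEquals": {"aws:RequestedRegion": EU_REGIONS}}}],
}

ORG_SCPS = [SCP_PROTECT_CLOUDTRAIL, SCP_EU_ONLY]


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    """IAM wildcards: '*' and '?' match any characters, case-sensitively."""
    return any(fnmatch.fnmatchcase(value, pattern) for pattern in _as_list(patterns))


def _applies(stmt, action, resource, context):
    """Does this statement cover the request? Checks Action/NotAction, Resource and Condition."""
    if "Action" in stmt and not _matches(stmt["Action"], action):
        return False
    if "NotAction" in stmt and _matches(stmt["NotAction"], action):
        return False
    if not _matches(stmt.get("Resource", "*"), resource):
        return False
    for operator, pairs in stmt.get("Condition", {}).items():
        for key, wanted in pairs.items():
            hit = context.get(key) in _as_list(wanted)  # a missing key never equals
            if operator == "StringEquals" and not hit:
                return False
            if operator == "StringNotEquals" and hit:
                return False
    return True


def evaluate(action, resource, context, identity_policies, scps):
    """Return 'DENY' or 'ALLOW' for one API request under the simplified model."""
    for policy in list(scps) + list(identity_policies):
        for stmt in policy["Statement"]:
            if stmt["Effect"] == "Deny" and _applies(stmt, action, resource, context):
                return "DENY"  # an explicit deny always wins
    for policy in identity_policies:
        for stmt in policy["Statement"]:
            if stmt["Effect"] == "Allow" and _applies(stmt, action, resource, context):
                return "ALLOW"
    return "DENY"  # nothing allowed it: implicit deny


if __name__ == "__main__":
    trail = "arn:aws:cloudtrail:eu-west-1:123456789012:trail/audit"  # placeholder ARN
    cases = [
        ("s3:GetObject", "arn:aws:s3:::mybucket/report.csv", "eu-west-1", [READ_ONE_BUCKET]),
        ("s3:PutObject", "arn:aws:s3:::mybucket/report.csv", "eu-west-1", [READ_ONE_BUCKET]),
        ("s3:GetObject", "arn:aws:s3:::mybucket/report.csv", "us-east-1", [READ_ONE_BUCKET]),
        ("cloudtrail:StopLogging", trail, "eu-west-1", [ADMIN]),
        ("iam:ListUsers", "*", "us-east-1", [ADMIN]),
    ]
    for action, resource, region, identity in cases:
        verdict = evaluate(action, resource, {"aws:RequestedRegion": region}, identity, ORG_SCPS)
        print(f"{verdict:5} {action} in {region}")
```

Two things the demo run makes visible: an administrator in a member account still cannot call `cloudtrail:StopLogging`, because the SCP deny is evaluated before any identity policy, and the EU-only SCP does not break `iam:ListUsers` even though IAM signs its requests for us-east-1. One caveat worth remembering when you test this for real: SCPs never apply to the organization's management account, so the protection only holds for member accounts.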
  41. Best practices regarding AWS accounts
     • Your production AWS accounts are read only and deployments happen through pipelines only.
     • Dedicated security accounts are used to store CloudFormation and any other relevant logs (acting as the “black box” in case of a security event).
     • Acceptance and test environments allow a bit more access, but for example block any external, Internet facing exposure.
  42. Choices for Compute
     • Amazon EC2: Virtual server instances in the cloud
     • Amazon ECS, EKS, and Fargate: Container management service for running Docker on a managed cluster of EC2
     • AWS Lambda: Serverless compute for stateless code execution in response to triggers
  43. Event based architectures
     Event source – services (anything): Changes in data state, Requests to endpoints, Changes in resource state
     Lambda function runtimes: Node.js, Python, Java, C#, Go, Ruby, PowerShell, Bring your own runtime
  44. Moving towards services higher in the stack
  45. A serverless web application
     Browser, Amazon CloudFront, Amazon S3, Amazon API Gateway, Amazon Cognito; dynamic content in AWS Lambda; data stored in Amazon DynamoDB
  46. Thank you! Please feel free to reach out: @marekq [email protected]