Slide 1

Slide 1 text

Learning AWS Security Services

Slide 2

Slide 2 text

Fumiaki Ueno, NRI Netcom / Cloud Architect. Experience in cloud migration and adoption projects with enterprise customers. @fu3ak1

Slide 3

Slide 3 text

Security is our top priority at AWS (*)
(*) AWS Security Incident Response Guide: https://docs.aws.amazon.com/ja_jp/whitepapers/latest/aws-security-incident-response-guide/introduction.html

Slide 4

Slide 4 text

Security is everywhere. For example, an architecture like this:
Diagram: AWS Cloud > VPC with a public subnet holding an Application Load Balancer, a private subnet holding Amazon EC2 and a private subnet holding Amazon Aurora.

Slide 5

Slide 5 text

Security is everywhere. There are many security features and services.
Questions to ask of the architecture above: Is there an audit log? Are permissions minimal? Is network access minimal? How do you protect against application attacks?
Diagram: the same VPC architecture (ALB in the public subnet, EC2 and Aurora in private subnets) annotated with the services that answer those questions: AWS WAF, Amazon Inspector, Amazon GuardDuty, AWS CloudTrail, AWS Config, VPC Flow Logs, network access control lists, security groups, Amazon CloudWatch and AWS Identity and Access Management (IAM).

Slide 6

Slide 6 text

Cloud-specific security settings
Diagram: AWS IAM issuing a long-term security credential (Is it OK to use this credential?) and an Amazon S3 bucket whose access is governed by a bucket policy and by IAM policies (Is it too open?).

Slide 7

Slide 7 text

Learn the most important security concepts, build broad knowledge of AWS, and enjoy AWS safely!

Slide 8

Slide 8 text

Before learning AWS: what is security?

Slide 9

Slide 9 text

3 Elements of Information Security
Information: confidential data, code, financial data

Slide 10

Slide 10 text

3 Elements of Information Security
Confidentiality, Integrity, Availability: keep these 3 elements for the information (confidential data, code, financial data).

Slide 11

Slide 11 text

3 Elements of Information Security
Threats such as intrusion, destruction, viruses and eavesdropping act on the information (confidential data, code, financial data). Vulnerabilities such as bad settings are what the threats exploit. The possibility of damage is the risk. To keep Confidentiality, Integrity and Availability: remove vulnerabilities and protect the information from threats.

Slide 12

Slide 12 text

3 Elements of Information Security
Confidentiality: only persons with valid rights (authorized persons) are able to use the information.
Integrity: the information has not been modified (by someone who does not have a valid right).
Availability: the information can be used when it is needed.

Slide 13

Slide 13 text

Protecting information in AWS with security services

Slide 14

Slide 14 text

AWS Security (related) services
• ID and Access Management: IAM, Amazon Cognito, AWS Directory Service, AWS Organizations, AWS Resource Access Manager, AWS IAM Identity Center
• Detection: AWS CloudTrail, Amazon GuardDuty, Amazon Inspector, AWS Config, AWS Security Hub, Amazon CloudWatch, Amazon Detective
• Network and Application Protection: AWS Shield, AWS WAF, AWS Network Firewall, Amazon Route 53, Amazon VPC
• Data protection: Amazon Macie, AWS CloudHSM, AWS KMS, AWS Secrets Manager, AWS Certificate Manager (ACM)
• Compliance: AWS Artifact, AWS Systems Manager, AWS Trusted Advisor, AWS Control Tower
• Incident response: Amazon S3, Amazon Athena, Amazon EventBridge, Amazon OpenSearch Service

Slide 15

Slide 15 text

ID and Access Management

Slide 16

Slide 16 text

AWS Identity and Access Management (IAM)
• Who is the user? = Authentication. What can they use? = Authorization
• IAM manages authentication and authorization
• IAM has the following basic resources:
• IAM User: created and authenticated individually
• IAM Group: manages multiple users as one group
• IAM Policy: describes the authorization (permissions); can be attached to a User, Group or Role
• IAM Role: can be attached to AWS resources (for example an EC2 instance), which then act with the Role's permissions. An IAM User can also assume a Role.
Diagram: an IAM User belongs to an IAM Group; IAM Policies are attached to the User, the Group and the Role; an Instance uses the IAM Role; the IAM User assumes the IAM Role.

Slide 17

Slide 17 text

AWS Identity and Access Management (IAM)
• How to write an IAM Policy: in each statement define what can be accessed (Resource), which operation (Action) and Allow/Deny (Effect), and add a Condition as necessary.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "s3:Get*"
          ],
          "Resource": [
            "arn:aws:s3:::test-data",
            "arn:aws:s3:::test-data/*"
          ],
          "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}
        }
      ]
    }

Reading the statement: Effect = Allow; Action = operations beginning with Get; Resource = the 'test-data' S3 bucket (bucket-level Get* calls) and the objects in it (GetObject); Condition = only when MFA was used for the session. Note that the bucket ARN and the object ARN (bucket/*) are different resources, so both are listed. The Bool condition is false when the aws:MultiFactorAuthPresent key is absent, which is what you want in an Allow statement; a Deny that should fire when MFA is missing is normally written with "BoolIfExists" instead.

Slide 18

Slide 18 text

AWS Identity and Access Management (IAM)
• We define a Principal, meaning who can use it, in an IAM Role trust policy, a bucket policy, etc.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "sts:AssumeRole"
          ],
          "Principal": {
            "Service": [
              "ec2.amazonaws.com"
            ]
          }
        }
      ]
    }

This trust policy says that the EC2 service can assume (use) the IAM Role; the IAM Policy attached to the Role then determines what the instance may do.
• If you know the basic elements Resource, Action, Effect, Condition and Principal, you can understand the other AWS policy types, such as a bucket policy or a KMS key policy.
Diagram: an Instance assumes the IAM Role (allowed by the trust policy), and the Role carries an IAM Policy.
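As an added example (not code from the original slides or from AWS), a small Python linter that reads those same elements and flags the statements a reviewer questions first: Principal "*" without a Condition in a bucket or trust policy (the "too open?" case from slide 6), Action "*" with Resource "*", and wildcards such as iam:* on Resource "*" that cover escalation actions. The sample policies include the two from the slides plus constructed ones; the finding names and the SENSITIVE_ACTIONS list are this example's own, not an AWS API.

```python
"""Lint IAM identity policies, role trust policies and S3 bucket policies.

Added example; not code from the original slides or from AWS. It reads the
same elements the slides describe (Effect, Action, Resource, Principal,
Condition) and reports the patterns a reviewer looks for first. The sample
policies and the finding names are constructed for this example; the
SENSITIVE_ACTIONS list is a short illustrative selection, not AWS's full set.
"""
import fnmatch

# Actions that let a principal grow its own permissions or read any secret.
SENSITIVE_ACTIONS = (
    "iam:AttachUserPolicy", "iam:CreateAccessKey", "iam:PassRole",
    "kms:Decrypt", "s3:PutBucketPolicy", "sts:AssumeRole",
)


def _as_list(value):
    """Most policy elements may be a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_anyone(principal):
    """True for "*" or {"AWS": "*"}: any AWS account, or anonymous callers."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))


def lint_policy(policy):
    """Return [(statement_index, finding)] for the Allow statements in a policy."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny only narrows access; not linted here
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))

        # Resource policies: an open Principal with no Condition is world-readable
        # (bucket policy) or assumable from any account (trust policy).
        if _principal_is_anyone(stmt.get("Principal")) and not stmt.get("Condition"):
            findings.append((idx, "public-principal-without-condition"))

        if "*" in actions and "*" in resources:
            findings.append((idx, "admin-equivalent"))
            continue  # everything below is implied
        if "*" in actions:
            findings.append((idx, "action-wildcard"))

        # A wildcard such as "iam:*" on Resource "*" covers escalation actions.
        if "*" in resources:
            hits = sorted({s for s in SENSITIVE_ACTIONS
                           for pattern in actions if fnmatch.fnmatchcase(s, pattern)})
            if hits:
                findings.append((idx, "sensitive-action-on-any-resource:" + ",".join(hits)))
    return findings


# Constructed sample policies -------------------------------------------------
SLIDE_IAM_POLICY = {   # the MFA-conditioned read policy from the slide
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:Get*"],
        "Resource": ["arn:aws:s3:::test-data", "arn:aws:s3:::test-data/*"],
        "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}},
    }],
}
SLIDE_TRUST_POLICY = {  # EC2 may assume the role: a service principal, fine
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["sts:AssumeRole"],
                   "Principal": {"Service": ["ec2.amazonaws.com"]}}],
}
PUBLIC_BUCKET_POLICY = {  # "Too much open?" from slide 6
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
                   "Resource": "arn:aws:s3:::test-data/*"}],
}
IAM_STAR_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "iam:*", "Resource": "*"}],
}
ADMIN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

if __name__ == "__main__":
    for name, pol in [("slide IAM policy", SLIDE_IAM_POLICY),
                      ("slide trust policy", SLIDE_TRUST_POLICY),
                      ("public bucket policy", PUBLIC_BUCKET_POLICY),
                      ("iam:* policy", IAM_STAR_POLICY), ("admin policy", ADMIN_POLICY)]:
        print(f"{name}: {lint_policy(pol) or 'no findings'}")
```

Run it and the two slide policies come back clean, the public bucket policy is flagged on its Principal, and the iam:* policy is flagged because the wildcard silently includes iam:PassRole and iam:CreateAccessKey. A Principal "*" with a Condition (for example an sts:ExternalId check) is deliberately not flagged, so the linter stays useful on cross-account trust policies.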

Slide 19

Slide 19 text

AWS Identity and Access Management (IAM)
• Anti-patterns (don't do this)
• Using the root user (the user tied to the account email address) for daily work. Instead, use an IAM User, and keep the root user, protected by MFA, for the few tasks that require it.
• Using long-term Access Key / Secret Access Key pairs. Instead, use an IAM Role, which gives short-lived credentials.

Slide 20

Slide 20 text

AWS Organizations
• A service that can manage multiple AWS accounts
• Can manage accounts in groups by using Organizational Units (OUs)
• Has an aggregation feature and automatic enablement of security services (for example, GuardDuty findings from all member accounts are aggregated in one account, and GuardDuty is enabled automatically in new accounts)
• Can apply preventive guardrails with Service Control Policies (SCPs): the effective permissions of a principal are the intersection of the SCP and its IAM Policy
• Can share resources with AWS Resource Access Manager (RAM)
Diagram: the management account at the top, OUs below it with SCPs attached; inside each account the SCP and the IAM Policy overlap to give the valid (effective) policy; GuardDuty in every account is aggregated to one account and enabled automatically.

Slide 21

Slide 21 text

AWS Control Tower
• The service that automatically sets up a best-practice multi-account environment (a landing zone)
• Automatically configures IAM Identity Center, CloudTrail, Config, and an SNS topic for notifications
• Easily configure and manage preventive and detective guardrails
• Can be applied to multiple regions
Diagram: AWS Organizations with a management account, a Security OU (a Log Archive account with an S3 bucket for CloudTrail and Config logs, and an Audit account with an AWS Config aggregator and Amazon SNS) and a Workloads OU (a Prod account with a security baseline and an Amazon VPC network baseline), plus AWS IAM Identity Center, CloudTrail and AWS Config.

Slide 22

Slide 22 text

Detection

Slide 23

Slide 23 text

AWS CloudTrail
• A service to store the AWS operation history (who, when, what)
• Management events are recorded by default; data events such as S3 object-level access need to be configured additionally
• By default, 90 days of events are stored by the service (Event history)
• To keep more than 90 days, or to analyze the logs, set up a trail that stores the events in an S3 bucket and/or CloudWatch Logs
Diagram: an application, the AWS Management Console and an EC2 instance call AWS APIs (IAM etc.); CloudTrail stores the operation history as logs in S3.
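The following is an added example (not code from the original slides or from AWS) of what a trail stored in S3 makes possible: a few detection rules run over CloudTrail records, flagging root-user activity, console logins without MFA, access-key creation, tampering with logging, and AccessDenied errors. Field names follow the CloudTrail record format; the rule names and the SAMPLE_RECORDS are constructed for this example.

```python
"""Flag high-signal events in CloudTrail logs delivered to S3.

Added example; not code from the original slides or from AWS. A trail writes
gzipped JSON files whose top-level "Records" key holds a list of events;
scan_records() takes that list and applies a few rules a security team
usually wants alerted on. The field names follow the CloudTrail record
format; the rule names and the SAMPLE_RECORDS below are constructed for
this example.
"""
import gzip
import json

# Calls that switch off or weaken logging: classic defence evasion.
LOGGING_TAMPER = {"StopLogging", "DeleteTrail", "UpdateTrail",
                  "PutEventSelectors", "DeleteFlowLogs"}


def classify(event):
    """Return the names of every rule that matches one CloudTrail record."""
    hits = []
    identity = event.get("userIdentity", {})
    name = event.get("eventName")

    if identity.get("type") == "Root":
        hits.append("root-user-activity")            # slide 19: do not use root
    if name == "ConsoleLogin" and event.get("responseElements", {}).get("ConsoleLogin") == "Success":
        if event.get("additionalEventData", {}).get("MFAUsed") != "Yes":
            hits.append("console-login-without-mfa")
    if name == "CreateAccessKey":
        hits.append("long-term-credential-created")  # slide 19: prefer roles
    if name in LOGGING_TAMPER:
        hits.append("logging-tampered")
    if event.get("errorCode") in ("AccessDenied", "UnauthorizedOperation"):
        hits.append("access-denied")                 # bursts of these = enumeration
    return hits


def scan_records(records):
    """Return [(eventTime, eventName, actor ARN, [rule names])] for matched records."""
    findings = []
    for ev in records:
        rules = classify(ev)
        if rules:
            actor = ev.get("userIdentity", {}).get("arn", "<unknown>")
            findings.append((ev.get("eventTime"), ev.get("eventName"), actor, rules))
    return findings


def scan_trail_file(path):
    """Read one log file exactly as CloudTrail writes it to S3 (gzipped JSON)."""
    with gzip.open(path, "rt", encoding="utf-8") as fh:
        return scan_records(json.load(fh)["Records"])


# Constructed sample records, trimmed to the fields the rules need.
SAMPLE_RECORDS = [
    {"eventTime": "2023-04-01T01:02:03Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"},
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventTime": "2023-04-01T01:05:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateAccessKey", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"}},
    {"eventTime": "2023-04-01T01:06:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/ops/alice"}},
    {"eventTime": "2023-04-01T01:07:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "sourceIPAddress": "10.0.1.5",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/app/i-0abc"}},
    {"eventTime": "2023-04-01T01:08:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets", "sourceIPAddress": "10.0.1.5", "errorCode": "AccessDenied",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/app/i-0abc"}},
]

if __name__ == "__main__":
    for when, what, who, rules in scan_records(SAMPLE_RECORDS):
        print(f"{when} {what:18} {who:55} {','.join(rules)}")
```

Four of the five sample records are reported; the routine DescribeInstances call is not. One caveat for the MFA rule: for federated or SSO sign-ins, MFAUsed in the ConsoleLogin event only reflects what AWS itself saw, not MFA enforced at the identity provider, so tune that rule to how your users sign in.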

Slide 24

Slide 24 text

AWS Config
• A service to store the AWS configuration history (what, when, how it changed)
• By default, 7 years (2,557 days) of configuration history is retained by the service
Diagram: an application and the AWS Management Console change an instance type (t3.small to t3.large) and an IAM Policy; AWS Config records each change as configuration history and delivers it to S3.

Slide 25

Slide 25 text

AWS Config
• AWS Config has Config Rules that evaluate configuration settings
• For example, you can check the following configurations:
• A trail in CloudTrail is enabled
• The SSH port is not exposed in a Security Group
• You can set up auto-remediation
• An Automation document in Systems Manager can be used as the auto-remediation action
Diagram: ① the AWS Config Rule checks a security group attached to an instance; ② Automation (auto-remediation) remediates it.
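Added example, not code from the original slides or from AWS: the "SSH port is not exposed" check written out as a custom Config rule Lambda function (the managed rule restricted-ssh does the same job; writing it out shows what a rule actually receives and returns). Config invokes the function with an invokingEvent JSON string carrying the configurationItem of the security group, and the function reports COMPLIANT, NON_COMPLIANT or NOT_APPLICABLE through put_evaluations. The invocation event and security group are constructed; put_evaluations is only called when a boto3 Config client is passed in, so everything else runs offline.

```python
"""Custom AWS Config rule: is SSH (22/tcp) open to the world in a security group?

Added example; not code from the original slides or from AWS (the managed
rule "restricted-ssh" does the same job; this writes the logic out so it is
visible). Config invokes the Lambda function with an "invokingEvent" JSON
string that carries the configurationItem of the resource; the function
answers COMPLIANT / NON_COMPLIANT / NOT_APPLICABLE through put_evaluations.
The event below is constructed; the put_evaluations call is only made when a
boto3 Config client is passed in, so everything else runs offline.
"""
import json

SSH_PORT = 22
WORLD = {"0.0.0.0/0", "::/0"}


def ssh_open_to_world(sg_configuration):
    """Return the world-open CIDRs of inbound rules that cover port 22/tcp.

    `ipPermissions` is the inbound rule list as Config stores it: ipProtocol
    ("tcp", "udp", "icmp" or "-1" for all traffic), fromPort/toPort (absent
    for "-1"), and ipRanges / ipv6Ranges lists of {"cidrIp"} / {"cidrIpv6"}.
    """
    offenders = []
    for rule in sg_configuration.get("ipPermissions", []):
        proto = rule.get("ipProtocol")
        if proto == "-1":                       # all traffic: every port, incl. 22
            lo, hi = 0, 65535
        elif proto == "tcp":
            lo, hi = rule.get("fromPort", 0), rule.get("toPort", 65535)
        else:
            continue                            # udp/icmp cannot carry SSH
        if not lo <= SSH_PORT <= hi:
            continue
        cidrs = [r.get("cidrIp") for r in rule.get("ipRanges", [])]
        cidrs += [r.get("cidrIpv6") for r in rule.get("ipv6Ranges", [])]
        offenders += [c for c in cidrs if c in WORLD]
    return offenders


def evaluate(config_item):
    """Map one configurationItem to (ComplianceType, Annotation)."""
    if config_item.get("resourceType") != "AWS::EC2::SecurityGroup":
        return "NOT_APPLICABLE", "not a security group"
    if config_item.get("configurationItemStatus", "").startswith("ResourceDeleted"):
        return "NOT_APPLICABLE", "resource deleted"
    open_cidrs = ssh_open_to_world(config_item.get("configuration") or {})
    if open_cidrs:
        return "NON_COMPLIANT", "SSH (22/tcp) open to " + ", ".join(sorted(set(open_cidrs)))
    return "COMPLIANT", "SSH not reachable from 0.0.0.0/0 or ::/0"


def lambda_handler(event, context, config_client=None):
    """Lambda entry point; returns the evaluation it reports to Config."""
    item = json.loads(event["invokingEvent"])["configurationItem"]
    compliance, annotation = evaluate(item)
    evaluation = {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": compliance,
        "Annotation": annotation[:256],         # Config caps annotations at 256 chars
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }
    if config_client is not None:               # boto3.client("config") inside Lambda
        config_client.put_evaluations(Evaluations=[evaluation],
                                      ResultToken=event["resultToken"])
    return evaluation


# Constructed invocation event: a web security group that also leaks SSH.
OPEN_SG_ITEM = {
    "resourceType": "AWS::EC2::SecurityGroup", "resourceId": "sg-0123456789abcdef0",
    "configurationItemStatus": "OK", "configurationItemCaptureTime": "2023-04-01T00:00:00.000Z",
    "configuration": {"groupName": "web", "ipPermissions": [
        {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443, "ipRanges": [{"cidrIp": "0.0.0.0/0"}]},
        {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
         "ipRanges": [{"cidrIp": "10.0.0.0/8"}, {"cidrIp": "0.0.0.0/0"}], "ipv6Ranges": []},
    ]},
}
SAMPLE_EVENT = {
    "invokingEvent": json.dumps({"configurationItem": OPEN_SG_ITEM,
                                 "messageType": "ConfigurationItemChangeNotification"}),
    "resultToken": "constructed-token",
}

if __name__ == "__main__":
    print(json.dumps(lambda_handler(SAMPLE_EVENT, None), indent=2))
```

The port-range check matters more than it looks: a rule for 20-25/tcp or for all traffic ("-1") also exposes SSH, and the IPv6 ::/0 case is easy to forget when only cidrIp is inspected. Pairing this rule with an Automation document that removes the offending ingress rule gives the auto-remediation the slide describes.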

Slide 26

Slide 26 text

Amazon CloudWatch
• The monitoring service in AWS that aggregates metrics and logs
• CloudWatch has basic features such as Metrics, Logs and Alarms
• CloudWatch also has an Events feature, but the newer Amazon EventBridge should be used instead
• Synthetics, RUM and Evidently are relatively new features in CloudWatch
• You can use CloudWatch with on-premises servers by installing the CloudWatch agent
Diagram: an EC2 instance or on-premises server (with the CloudWatch agent), an application and Amazon Aurora send metrics and logs to Amazon CloudWatch; an Alarm sends a notification.

Slide 27

Slide 27 text

Amazon EventBridge
• A service that can perform notifications and processing when an event occurs in AWS
• EventBridge is used for event-driven applications, but it is also widely used for security-related notifications and incident response
• Security services such as GuardDuty also use EventBridge for notification
Diagram: a CloudTrail event (a specific operation connected as an event) goes to EventBridge, which sends it to an SNS topic for notification and/or to a Lambda function as a target.

Slide 28

Slide 28 text

Amazon GuardDuty
• A service that detects threats in AWS accounts; you can use it just by enabling it
• Inputs are VPC Flow Logs, CloudTrail, DNS logs, S3 data access logs (2020/7), Kubernetes audit logs from Amazon EKS (2022/1), EBS volumes for malware scanning (2022/7) and RDS login activity (2023/3)
• EventBridge is used for notification
Diagram: Flow logs, CloudTrail, DNS logs, S3, Amazon EKS, Amazon EBS and Amazon RDS feed GuardDuty; a detection becomes an event in EventBridge and a notification via an SNS topic.
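An added example serving this slide and the EventBridge slide before it (not code from the original slides or from AWS): the rule that turns a GuardDuty finding into a notification is an EventBridge event pattern, and the function below evaluates such patterns offline so a rule can be tested before it is deployed. It implements the pattern semantics EventBridge documents (every pattern key must match, a leaf list is an OR of alternatives, nested objects recurse, and content filters such as prefix, numeric, anything-but and exists). The GuardDuty-shaped events are constructed; their field names follow the GuardDuty Finding event format but the values are made up.

```python
"""Evaluate EventBridge event patterns against events, offline.

Added example; not code from the original slides or from AWS. EventBridge
rules select events with a JSON pattern: every key in the pattern must be
present in the event, each leaf is a list of alternatives (OR), nested
objects recurse, and a leaf may be a content filter such as
{"prefix": ...}, {"numeric": [">=", 7]}, {"anything-but": ...} or
{"exists": true}. matches() implements that subset so a rule can be tested
before it is deployed. The GuardDuty-shaped events below are constructed
(field names follow the GuardDuty Finding event format; values are made up).
"""
import operator

_MISSING = object()   # sentinel for "key not present in the event"
_NUMERIC_OPS = {">": operator.gt, ">=": operator.ge, "<": operator.lt,
                "<=": operator.le, "=": operator.eq}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _match_leaf(matcher, value):
    """One pattern alternative against one event value."""
    if isinstance(matcher, dict):           # content filter
        if "exists" in matcher:
            return matcher["exists"] == (value is not _MISSING)
        if value is _MISSING:
            return False
        if "prefix" in matcher:
            return isinstance(value, str) and value.startswith(matcher["prefix"])
        if "anything-but" in matcher:
            return value not in _as_list(matcher["anything-but"])
        if "numeric" in matcher:            # e.g. [">=", 7] or [">", 0, "<", 4]
            if isinstance(value, bool) or not isinstance(value, (int, float)):
                return False
            ops = matcher["numeric"]
            return all(_NUMERIC_OPS[op](value, bound)
                       for op, bound in zip(ops[0::2], ops[1::2]))
        raise ValueError(f"unsupported content filter: {matcher}")
    return value == matcher                 # exact match


def matches(pattern, event):
    """True when the event satisfies every key of the pattern."""
    for key, expected in pattern.items():
        actual = event.get(key, _MISSING) if isinstance(event, dict) else _MISSING
        if isinstance(expected, dict):      # nested object: all of its keys must match
            if not isinstance(actual, dict) or not matches(expected, actual):
                return False
            continue
        # A leaf: the event value (or any element, if it is an array) must
        # satisfy at least one alternative in the pattern list.
        candidates = actual if isinstance(actual, list) else [actual]
        if not any(_match_leaf(m, v) for m in expected for v in candidates):
            return False
    return True


# Rule: notify on GuardDuty findings of severity 7+ (High) in these families.
HIGH_SEVERITY_RULE = {
    "source": ["aws.guardduty"],
    "detail-type": ["GuardDuty Finding"],
    "detail": {
        "severity": [{"numeric": [">=", 7]}],
        "type": [{"prefix": "UnauthorizedAccess:"}, {"prefix": "CredentialAccess:"},
                 {"prefix": "Exfiltration:"}],
        "service": {"archived": [False]},   # ignore findings someone already archived
    },
}

# Constructed findings.
CREDENTIAL_EXFIL = {
    "source": "aws.guardduty", "detail-type": "GuardDuty Finding", "region": "ap-northeast-1",
    "detail": {"severity": 8.0, "region": "ap-northeast-1",
               "type": "UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.OutsideAWS",
               "resource": {"resourceType": "AccessKey"}, "service": {"archived": False}},
}
LOW_SEVERITY_RECON = {
    "source": "aws.guardduty", "detail-type": "GuardDuty Finding", "region": "ap-northeast-1",
    "detail": {"severity": 2.0, "type": "Recon:EC2/PortProbeUnprotectedPort",
               "resource": {"resourceType": "Instance"}, "service": {"archived": False}},
}

if __name__ == "__main__":
    for name, ev in [("credential exfiltration", CREDENTIAL_EXFIL),
                     ("low-severity recon", LOW_SEVERITY_RECON)]:
        print(f"{name}: {'NOTIFY' if matches(HIGH_SEVERITY_RULE, ev) else 'ignore'}")
```

The same matcher also covers the CloudTrail-to-EventBridge case on the previous slide, for example a pattern with {"detail": {"errorCode": [{"exists": true}]}} to route failed API calls, or {"userIdentity": {"type": [{"anything-but": "AssumedRole"}]}} to single out IAM user and root activity. EventBridge supports more filters than this subset (suffix, equals-ignore-case, wildcard, CIDR matching on IP fields); add them to _match_leaf as needed.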

Slide 29

Slide 29 text

AWS Security Hub
• A service that is the aggregation point (hub) for the findings of various AWS security services
• You can also aggregate findings from 3rd-party security products
• You can check your accounts against industry standards and best practices:
• CIS AWS Foundations Benchmark
• Payment Card Industry Data Security Standard (PCI DSS)
• AWS Foundational Security Best Practices
Diagram: GuardDuty, Amazon Macie, Amazon Inspector, AWS Config etc. aggregate into AWS Security Hub; Security Hub deploys Config rules as the checks for each standard.

Slide 30

Slide 30 text

Amazon Inspector
• A vulnerability scanning service
• Inspector can be used with EC2 instances, ECR (container images) and Lambda functions (new, 2022/12)
• Package vulnerability scans and network reachability scans are available
• For EC2 you need to install the Systems Manager (SSM) agent, which collects the installed packages for scanning
Diagram: Amazon Inspector scans EC2 (via the SSM Agent), ECR images and AWS Lambda for vulnerabilities.

Slide 31

Slide 31 text

AWS Trusted Advisor
• A service that automatically checks for cost, performance, security, fault tolerance, and service limits according to AWS best practices
• The full set of checks requires a Business Support or higher support plan; a core subset of security and service-limit checks is available on every account
• Recommended to be viewed proactively, as the core checks are automatically enabled and free of charge

Slide 32

Slide 32 text

Network and application protection

Slide 33

Slide 33 text

Amazon VPC
• VPC enables you to launch AWS resources into a virtual private network
• There are public subnets that communicate directly with the Internet and private subnets that cannot communicate directly with the Internet
• You can control access with Network ACLs and Security Groups
• VPC Flow Logs can be stored in S3 or CloudWatch Logs
• VPC endpoints are used for private connections to AWS services
Diagram: a VPC with a public subnet (ALB in a security group) and a private subnet (instance in a security group), a NACL on each subnet, flow logs delivered to S3, and a VPC endpoint to S3.

Differences between Security Groups and Network ACLs
                     Security Group                              Network ACL
Setting target       Resources such as an EC2 instance           Subnets
Default              All deny (inbound)                          All allow (the default NACL)
Allow/Deny           Can configure only Allow                    Can configure Allow and Deny
Stateful/Stateless   Stateful (set one direction; return         Stateless (set both directions)
                     traffic is allowed automatically)

Slide 34

Slide 34 text

AWS WAF
• AWS managed Web Application Firewall (WAF) service
• You can protect against application attacks such as SQL injection and cross-site scripting
• A WAF (Web ACL) can be attached to Amazon CloudFront, Amazon API Gateway, an ALB, AWS AppSync (2020/10) and an Amazon Cognito user pool (2022/8)
• A Web ACL is like a box: you add rules or rule groups to the Web ACL
• AWS and security companies provide managed rules; you can also create your own rules, such as IP restrictions
Diagram: a Web ACL containing a managed rule and a custom rule, attached to an ALB, API Gateway, CloudFront, AppSync or Cognito.

Slide 35

Slide 35 text

Data Protection

Slide 36

Slide 36 text

AWS Key Management Service (AWS KMS)
• A service that manages the keys used to encrypt data in AWS
• KMS keys are often used by other AWS services without the user noticing
• You can control access with a Key Policy
• KMS has an automatic key rotation feature
• Server-side encryption and client-side encryption
• AWS CloudHSM provides dedicated hardware; you can manage keys in your VPC
Diagram: encryption with an S3 bucket. Server-side encryption: the application sends plaintext and S3 encrypts it. Client-side encryption: the application encrypts before sending to S3.

Slide 37

Slide 37 text

AWS Key Management Service (AWS KMS)
• You can protect your data key with envelope encryption
• Data is encrypted by a data key; the data key is encrypted by the KMS key
• The data key cannot be decrypted without the KMS key, so the encrypted data key can be stored together with the encrypted data, for example in the same database row
• KMS is called (Decrypt on the encrypted data key) when the data is decrypted; the KMS key itself never leaves KMS
Diagram: data is encrypted with the data key; the data key is encrypted with the KMS key inside AWS KMS; the encrypted data and the encrypted data key are stored together.
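The flow on this slide, as an added example (not code from the original slides or from AWS). The real calls are kms.generate_data_key(KeyId=..., KeySpec="AES_256", EncryptionContext=...) and kms.decrypt(CiphertextBlob=..., EncryptionContext=...); the ToyKms class imitates their contract offline so the whole sequence is visible end to end, including the encryption context that KMS binds to the wrapped key. AES-GCM is replaced by an HMAC-SHA256 counter-mode keystream plus an HMAC tag (standard library only); that stand-in, the ToyKms class and all keys and data are this example's own, and a production system uses AES-GCM from a real crypto library and a real KMS key.

```python
"""Envelope encryption as the slide describes it, with a stand-in for KMS.

Added example; not code from the original slides or from AWS. The real calls
are kms.generate_data_key(KeyId=..., KeySpec="AES_256", EncryptionContext=...)
and kms.decrypt(CiphertextBlob=..., EncryptionContext=...); ToyKms imitates
their contract offline so the whole flow is visible: the KMS key never leaves
KMS, only the data key does, and the encrypted data key is stored next to the
ciphertext. AES-GCM is replaced by an HMAC-SHA256 counter-mode keystream plus
an HMAC tag (stdlib only, encrypt-then-MAC); in production use AES-GCM from a
real crypto library and a real KMS key. All keys and data below are generated
or constructed for this example.
"""
import hashlib
import hmac
import os
import struct


def _keystream(key, nonce, length):
    """Counter-mode keystream from HMAC-SHA256 (stand-in for AES-CTR)."""
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def _seal(key, plaintext, aad):
    """Encrypt-then-MAC: nonce || ciphertext || tag; aad is authenticated only."""
    nonce = os.urandom(12)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + aad + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def _open(key, blob, aad):
    """Verify the tag first; only then decrypt."""
    nonce, ct, tag = blob[:12], blob[12:-32], blob[-32:]
    expected = hmac.new(key, nonce + aad + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key, wrong context or tampered data")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


def _context_bytes(context):
    """Canonical form of the encryption context (KMS binds it to the wrapped key)."""
    return "&".join(f"{k}={v}" for k, v in sorted(context.items())).encode()


class ToyKms:
    """Imitates the two KMS calls envelope encryption needs. Master keys stay inside."""

    def __init__(self):
        self._keys = {}

    def create_key(self):
        key_id = os.urandom(8).hex()            # 16 hex chars
        self._keys[key_id] = os.urandom(32)
        return key_id

    def generate_data_key(self, key_id, encryption_context):
        """Returns (Plaintext, CiphertextBlob) like the KMS API."""
        data_key = os.urandom(32)
        wrapped = _seal(self._keys[key_id], data_key, _context_bytes(encryption_context))
        return data_key, key_id.encode() + wrapped

    def decrypt(self, ciphertext_blob, encryption_context):
        key_id, wrapped = ciphertext_blob[:16].decode(), ciphertext_blob[16:]
        return _open(self._keys[key_id], wrapped, _context_bytes(encryption_context))


def encrypt_record(kms, key_id, plaintext, context):
    """Envelope-encrypt one record; the plaintext data key never leaves this function."""
    data_key, encrypted_data_key = kms.generate_data_key(key_id, context)
    ciphertext = _seal(data_key, plaintext, _context_bytes(context))
    del data_key
    # Store both together: without the KMS key the data key is useless.
    return {"encrypted_data_key": encrypted_data_key, "ciphertext": ciphertext}


def decrypt_record(kms, record, context):
    """One KMS Decrypt call recovers the data key; the data is decrypted locally."""
    data_key = kms.decrypt(record["encrypted_data_key"], context)
    return _open(data_key, record["ciphertext"], _context_bytes(context))


if __name__ == "__main__":
    kms = ToyKms()
    key_id = kms.create_key()
    ctx = {"table": "customers", "column": "card_number"}   # constructed context
    row = encrypt_record(kms, key_id, b"4111 1111 1111 1111", ctx)
    print(decrypt_record(kms, row, ctx))
    try:
        decrypt_record(kms, row, {"table": "orders", "column": "card_number"})
    except ValueError as exc:
        print("wrong context:", exc)
```

Two points the slide implies but does not spell out: the encryption context is why a data key stolen from one table row cannot be "replayed" against another, and key policy access to kms:Decrypt on the KMS key is what ultimately gates every record, which is why the policy linter earlier treats kms:Decrypt on Resource "*" as sensitive.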

Slide 38

Slide 38 text

Amazon S3
• A highly durable object storage service
• You can control access with IAM Policies, Bucket Policies and Access Control Lists (ACLs)
• ACLs are legacy: AWS recommends disabling them and using policies, and they are needed only in unusual cases that require per-object control https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-policy-alternatives-guidelines.html
• S3 has a default encryption feature for objects; you can encrypt objects by enabling it and can use a KMS key
Diagram: an IAM Policy on the principal side, a Bucket Policy on the bucket, an ACL on an object, and encryption of the objects.

Slide 39

Slide 39 text

AWS Secrets Manager
• You can manage passwords and credentials with Secrets Manager
• Applications can connect to databases using credentials stored in Secrets Manager
• Systems Manager Parameter Store is similar, but there are the following differences:

                       Secrets Manager                     Parameter Store
Target data            Credentials                         A wide range of configuration data; can be encrypted as a SecureString
Auto-rotation          Yes                                 No
Database integration   Support for RDS, Redshift, etc.     No
Price                  Charged                             Standard tier is free (KMS encryption and the Advanced tier are charged)

Diagram: the application on an instance 1. gets the credentials (password) from AWS Secrets Manager, then 2. connects to Amazon RDS.

Slide 40

Slide 40 text

Amazon Macie
• Macie can discover Personally Identifiable Information (PII) and other sensitive data in S3 buckets
• Macie can discover data such as:
• AWS credentials (access keys)
• Credit card numbers, expiration dates, verification codes
• Birth dates
• Phone numbers
• Driver's license identification numbers
• You can build custom data identifiers (regular expressions, optionally combined with keywords)
• At re:Invent 2022, automated sensitive data discovery was announced https://aws.amazon.com/about-aws/whats-new/2022/11/amazon-macie-automated-sensitive-data-discovery/
Diagram: Amazon Macie scans an S3 bucket and discovers sensitive data.

Slide 41

Slide 41 text

Compliance

Slide 42

Slide 42 text

AWS Artifact
• AWS Artifact provides on-demand downloads of AWS security and compliance documents
• AWS ISO certifications and Payment Card Industry (PCI) reports are provided
• You can submit the documents to your auditors or regulators
• You can manage agreements, such as the Business Associate Addendum (BAA) that is required for companies subject to the Health Insurance Portability and Accountability Act (HIPAA)
• You can manage agreements for multiple accounts with Organizations
Diagram: compliance documents are downloaded from AWS Artifact; agreements are accepted in AWS Artifact.

Slide 43

Slide 43 text

Incident response

Slide 44

Slide 44 text

AWS Systems Manager
• Systems Manager was originally created for managing only EC2 instances; it now has many features to manage many kinds of resources in AWS
• Key security-related features are the following:
• Patch Manager: automates the process of patching
• Inventory: provides visibility of installed software metadata
• Session Manager: connect to EC2 instances with IAM permissions, without opening an inbound port in the security group
• Parameter Store: can store data such as passwords and database connection strings
• OpsCenter: can manage operational work items related to AWS as OpsItems
• Incident Manager: can manage incidents and escalation flows
• Automation: can execute operations registered as a Document
• I can't show you everything about Systems Manager on this page, so please refer to the official documentation for more details https://docs.aws.amazon.com/systems-manager/latest/userguide/what-is-systems-manager.html

Slide 45

Slide 45 text

Amazon Athena
• You can run SQL queries against data sources such as S3
• You can run ad hoc SQL queries directly against low-cost storage, without managing servers
• From a security perspective, it can be used to analyze CloudTrail and VPC Flow Logs
• Table schemas are managed by the AWS Glue Data Catalog
Diagram: Flow logs, CloudTrail, ALB and Amazon CloudFront logs are stored in S3; Athena runs SQL queries over them using the table definitions in the AWS Glue Data Catalog.

Slide 46

Slide 46 text

Amazon Detective
• An investigation service for security events
• You can see information related to IAM Users, Roles and IP addresses along with time-series information
• For example, you can see what a particular IAM User was doing between 10:00 and 12:00
Diagram: a timeline from 9:00 to 13:00 with an attack in progress; GuardDuty flags the threat at a point in time, Security Hub gives an assessment at a point in time, and Detective covers a period of time.

Slide 47

Slide 47 text

Amazon OpenSearch Service
• OpenSearch is a fully open-source search and analytics engine for use cases such as log analytics, real-time application monitoring, and clickstream analysis
• Amazon OpenSearch Service is the version managed by AWS
• From a security perspective, you can aggregate logs and analyze security events
• Multiple logs can be imported for correlation analysis and graphing
• There is a solution, "SIEM on Amazon OpenSearch Service": https://github.com/aws-samples/siem-on-amazon-opensearch-service
• At re:Invent 2022, OpenSearch Serverless was announced

Slide 48

Slide 48 text

Good design based on understanding of security services

Slide 49

Slide 49 text

AWS Well-Architected Framework Security pillar
Design principles
• Implement a strong identity foundation
• Maintain traceability
• Apply security at all layers
• Automate security best practices
• Protect data in transit and at rest
• Keep people away from data
• Prepare for security events
AWS Well-Architected Framework Security Design principles: https://docs.aws.amazon.com/wellarchitected/latest/framework/sec-design.html

Slide 50

Slide 50 text

Thank you!