Slide 1

Slide 1 text

ARCHITECTURE FOR SECURITY ON AWS_ JON TOPPER | @jtopper | he/him/his @scalefactory

Slide 2

Slide 2 text

$ whoami
Founder/CEO/CTO, The Scale Factory
Working in hosting/infrastructure for 20 years
Infrastructure / AWS / DevOps

Slide 3

Slide 3 text

WEBINAR DETAILS_
Please use the Q&A button to ask questions
This webinar will be recorded
The slides will be available

Slide 4

Slide 4 text

No content

Slide 5

Slide 5 text

THE TEAM_

Slide 6

Slide 6 text

OUR CLIENTS_

Slide 7

Slide 7 text

Leading Well-Architected Partner Worldwide
>200 Reviews Completed Since April 2018

Slide 8

Slide 8 text

Security
Reliability
Performance Efficiency
Cost Optimization
Operational Excellence

Slide 9

Slide 9 text

TODAY'S AGENDA_
Who's responsible for security?
Leveraging the AWS platform
The 5 areas of security
A Well-Architected review
Q&A

Slide 10

Slide 10 text

WHO'S RESPONSIBLE FOR SECURITY IN YOUR ORGANISATION?_

Slide 11

Slide 11 text

WHO'S RESPONSIBLE FOR SECURITY IN YOUR ORGANISATION?_ YOU ARE

Slide 12

Slide 12 text

WHO'S RESPONSIBLE FOR SECURITY IN YOUR ORGANISATION?_ YOU ARE EVERYONE IS

Slide 13

Slide 13 text

ARCHITECTURE FOR SECURITY ON AWS_ @scalefactory

Slide 14

Slide 14 text

STATE OF DEVOPS REPORT_ (DORA)
"Low performers take weeks to conduct security reviews and complete the changes identified. In contrast, elite performers build security in and can conduct security reviews and complete changes in just days."

Slide 15

Slide 15 text

THE SCALE FACTORY WAY_
People First
Match solution to workload
Leverage the AWS platform
Automate
Iterate

Slide 16

Slide 16 text

LEVERAGE THE AWS PLATFORM_ @scalefactory

Slide 17

Slide 17 text

Map of the value chain (visible to invisible) against evolution (genesis, custom, product, commodity). Components plotted: Customer, MySQL, Compute, Storage, Data Centre, Power, HA Scripts, Monitoring, Config Mgmt, Networking.

Slide 18

Slide 18 text

Same map of the value chain (visible to invisible) against evolution (genesis, custom, product, commodity). Components plotted: Customer, RDS, Aurora.

Slide 19

Slide 19 text

No content

Slide 20

Slide 20 text

Somebody Else's Problem

Slide 21

Slide 21 text

5 AREAS OF SECURITY_
Identity and access management
Detective controls
Infrastructure protection
Data protection
Incident response
@scalefactory

Slide 22

Slide 22 text

IDENTITY & ACCESS MANAGEMENT_ @scalefactory

Slide 23

Slide 23 text

GOOD IAM PRACTICE_
No access to the root account
Unique credentials per person
Create least-privilege policies

Slide 24

Slide 24 text

USE MFA_

Slide 25

Slide 25 text

FEDERATED IDENTITY_

Slide 26

Slide 26 text

AWS ORGANIZATIONS_ (diagram labels: Root Account; OU: Developers with Jon's Sandbox and Salma's Sandbox; SSO; Security; DeveloperRole, SecurityAdminRole, OperatorRole; OU: Services with Live and Staging; Trust Relationship Policy; Security Log Bucket; Service Control Policy)

Slide 27

Slide 27 text

TEACH YOUR TEAMS AWS IAM @scalefactory

Slide 28

Slide 28 text

INSTANCE PROFILES_ (diagram labels: Instance, App, Instance Metadata Service; steps 1, 2, 3)

Slide 29

Slide 29 text

LEAST PRIVILEGE?_

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:CreateBucket",
        "s3:DeleteObject",
        "s3:Put*",
        "s3:Get*",
        "s3:List*"
      ],
      "Resource": [
        "arn:aws:s3:::*"
      ]
    }
  ]
}

@scalefactory

Slide 30

Slide 30 text

TEACH YOUR TEAMS AWS IAM @scalefactory

Slide 31

Slide 31 text

YOUR IAM MIGHT NEED WORK IF YOU_
Log in with the root account
Have >1 identity for a single person
Don't use roles for compute services
Don't enforce MFA
Hard-code secrets in app config (or code!)
Have IAM policies with *s in (too permissive)
Use a lot of AWS managed IAM policies

Slide 32

Slide 32 text

DETECTIVE CONTROLS_ @scalefactory

Slide 33

Slide 33 text

LOG EVERYTHING_
CloudWatch Logs
CloudTrail
VPC Flow Logs
DNS Query Logs

Slide 34

Slide 34 text

USE THE LOGS_
ELK Stack / Vendor tools
Queries with Athena
Kinesis streams

Slide 35

Slide 35 text

AWS GUARDDUTY_

Slide 36

Slide 36 text

AWS SECURITY HUB_

Slide 37

Slide 37 text

AMAZON DETECTIVE_

Slide 38

Slide 38 text

YOUR CONTROLS MAY NEED WORK IF..._
You're not logging anything / enough
You're not alerting on important log conditions
Alerts/notifications are noisy or ignored
You're only using logs when debugging

Slide 39

Slide 39 text

INFRASTRUCTURE PROTECTION_ @scalefactory

Slide 40

Slide 40 text

No content

Slide 41

Slide 41 text

SECURITY GROUPS_ (diagram labels: Default, App1, App2)

Slide 42

Slide 42 text

FINE-GRAINED POLICIES_
KMS key policies
S3 bucket policies
SNS access control

Slide 43

Slide 43 text

DIRECT CONNECT_

Slide 44

Slide 44 text

AWS Shield: DDoS Protection
AWS WAF: Web Application Firewall

Slide 45

Slide 45 text

AWS INSPECTOR_
Scans for network reachability
Checks hosts against known CVEs
Checks against CIS benchmarks
Checks other security best practice
Analyses app runtime behaviour

Slide 46

Slide 46 text

No content

Slide 47

Slide 47 text

CASE STUDY_

Slide 48

Slide 48 text

WHAT ABOUT SERVERLESS?_

Slide 49

Slide 49 text

YOUR PROTECTION MAY NEED WORK IF..._
You have anything other than LB or NAT in public networks
Your security groups are too permissive
You mainly use CIDR network ranges in your SGs
You're not protecting your application with WAF
You're not actively scanning for vulnerabilities
You're not checking your application dependencies' security

Slide 50

Slide 50 text

DATA PROTECTION_ @scalefactory

Slide 51

Slide 51 text

CLASSIFY DATA_
Identify different data classification levels
Use tagging of resources
Use KMS keys per classification level
Control principal access to keys & resources
Consider tokenisation
Use AWS Macie to look for sensitive data in S3

Slide 52

Slide 52 text

DATA AT REST_
Use service features to encrypt at rest
Limit personnel access to data (IAM)
Copy base AMIs with encryption

Slide 53

Slide 53 text

PROTECT SECRETS_
AWS Secrets Manager
Temporary RDS tokens
Parameter Store
Control principal access with IAM
(Vendor solutions)

Slide 54

Slide 54 text

DATA IN TRANSIT_
Use HTTPS listeners on load balancers
Use HTTPS on CloudFront
Use ACM for certificate management
Use VPNs where necessary*

Slide 55

Slide 55 text

DATA BACKUPS_
Use per-service backup features
Replicate to other regions
Limit personnel access to backups

Slide 56

Slide 56 text

DATA PROTECTION MAY NEED WORK IF..._
Too many people have access to too much data
You haven't thought about data classification
You're not encrypting at rest
You're not encrypting in transit
You store secrets anywhere other than in AWS services
You don't have complete backups
You haven't tried restoring your backups recently

Slide 57

Slide 57 text

INCIDENT RESPONSE_ @scalefactory

Slide 58

Slide 58 text

AUTOMATE RESPONSE_
Use CloudWatch Events
Send notifications with SNS
Trigger actions (Lambda, Step Functions)

Slide 59

Slide 59 text

CLEAN ROOM_
Pre-install forensic tools
Ensure security team shell access
Automatically quarantine suspect nodes

Slide 60

Slide 60 text

RUNBOOK/PLAYBOOK_
Document incident response for your team
Ensure team members are on call
Run regular incident drills

Slide 61

Slide 61 text

INCIDENT RESPONSE MAY NEED WORK IF..._
You can't remediate common incidents automatically
You can't quarantine bad nodes for later forensics
You don't have engineers on-call for security incidents
Engineers don't know how to respond to on-call alerts
You don't regularly practice incident response

Slide 62

Slide 62 text

TOO MUCH TO THINK ABOUT!_ @scalefactory

Slide 63

Slide 63 text

LANDING ZONE_

Slide 67

Slide 67 text

CASE STUDY_
"We've been continuously impressed with the expertise at The Scale Factory, their keenness to understand our business needs and pressures, and help us pave the foundations for a step change in our capability to serve our clients"
James Ramirez, CTO

Slide 68

Slide 68 text

EVEN LANDING ZONE IS TOO MUCH TO THINK ABOUT!_ @scalefactory

Slide 69

Slide 69 text

CONTROL TOWER_

Slide 70

Slide 70 text

WHAT'S NEXT?_ @scalefactory

Slide 71

Slide 71 text

TALK TO US ABOUT:
CONSULTANCY
TRAINING
WELL-ARCHITECTED
MIGRATION

Slide 72

Slide 72 text

Leading Well-Architected Partner Worldwide
>200 Reviews Completed Since April 2018
Book a Well-Architected review today: https://scalefactory.com/services/well-architected/
$5,000 funding available to support improvement work

Slide 73

Slide 73 text

BREAKFAST OPS_
Monthly hosted discussion
For CTOs and tech decision makers

Slide 74

Slide 74 text

Q&A_

Slide 75

Slide 75 text

KEEP IN TOUCH_
http://www.scalefactory.com/
@scalefactory
[email protected]