Slide 1


Amazon Web Services Security: Release Engineering & Recommended Architecture
Kenneth White, Principal, BAO Systems
Raleigh ISSA Back-to-Basics, May 1, 2014

Slide 2


My Background
Developer: Embedded, safety-critical, clinical trials
Imaging: Signal processing, classifiers, ML
OS: kernel, network, file/volume encryption
DevOps: deployment, risk mgmt, lifecycle/governance
Compliance: FISMA/FIPS, FDA Part 11/820, HIPAA
Security: DOD, Red Team, defense, forensics, TLS
Service: Open Crypto Audit Project

Slide 3


Agenda
AWS Overview: footprint, offerings, major clients
Current-gen infrastructure & services
Recommended practices: Access Control, Identity Management, File & Disk Encryption, Orchestration, Auditing
Required Reading & Resources

Slide 4


Disclosures
Views expressed are my own
No financial interests in vendors presented

Slide 5


Security is hard

Slide 6


So, what is AWS?

Slide 7


Amazon Web Services Footprint
2003: Chris Pinkham & Benjamin Black paper to Bezos
2004-2006: Team develops v. 1 in Cape Town (EC2+S3)
2008: EC2 reaches General Release (skipping a lot)
2014: $4.5B est. annual AWS revenue
5.1M public IP addresses
Long-time leader in Gartner MQ for Cloud Infrastructure

Slide 8


AWS Infrastructure & Service Offerings
EC2: Virtual machines, "Compute" (PVM & HVM)
S3: Durable file/object storage
Route 53: Geo-aware DNS, programmatic anycast
VPC: Isolation, VLANs, h/w VPN integration, IPsec
IAM: Fine-grain identity access, key management
RDS: Managed DBs (MySQL, Oracle, Postgres, SQL Server)
ELB: Programmatic load balancing, SSL termination
EMR: Hadoop-as-a-Service, on-demand MapReduce

Slide 9


Major Clients: Federal Government
DOE, CIA, NASA, HHS, FDA, NIH, CDC, Navy, AF, FBI, State
May 2013: FedRAMP ATO, all US Regions (http://www.gsa.gov/portal/content/171827)
March 2014: DoD Authorization Level 1-2, GovCloud

Slide 10


Major Clients: Enterprise
GE, SAP, Comcast, Discovery, Nasdaq, Medidata, Bristol-Myers Squibb, Pfizer, J&J

Slide 11


Current-gen infrastructure & services
M1 is deprecated
M1 is deprecated
M1 is deprecated
M1 is deprecated
M1 is deprecated

Slide 12


Current-gen infrastructure & services
M3, C3, R3 instance types: All-SSD
M3 best for general purpose, all-SSD local storage
M3 & R3: Intel Xeon E5-2670 (Sandy Bridge) CPUs
C3 best for high CPU workload: E5-2680 v2 (Ivy Bridge)
R3 best for high-memory (up to 244GB)
VPC + HVM + SR-IOV = 5X speedup in I/O, sig. ↓ load

Slide 13


Recommended Practices: IAM
Roles, Groups, Object-level control, time-limited
Delegation (EC2 roles, cross-account access)
Policy variables
Policy simulator
2FA
One-time secret keys
Native SSO: SAML v2.0 in AWS Management Console
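A small working model of the IAM controls listed above (a policy variable for object-level scoping, an MFA condition for 2FA, and a DateLessThan condition for time-limited access), added here as an example; it is not code from the talk or from AWS. The bucket name, user names and the simplified evaluator are assumptions; the AWS policy simulator is the authoritative check for a real policy.

```python
import fnmatch
from datetime import datetime

# Constructed policy: the ${aws:username} policy variable scopes each user to
# their own S3 prefix (object-level control), the Bool condition requires 2FA,
# and DateLessThan makes the grant time-limited. "example-bucket" is a placeholder.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::example-bucket/home/${aws:username}/*",
         "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"},
                       "DateLessThan": {"aws:CurrentTime": "2014-06-01T00:00:00Z"}}},
        {"Effect": "Deny", "Action": "s3:DeleteObject",
         "Resource": "arn:aws:s3:::example-bucket/*"},
    ],
}

def request(user, mfa, when):
    # Request context keyed as IAM names it (constructed sample values).
    return {"aws:username": user, "aws:CurrentTime": when,
            "aws:MultiFactorAuthPresent": str(mfa).lower()}

def _ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def _conditions_hold(cond, ctx):
    """Simplified model covering only the two operators used above."""
    for key, val in cond.get("Bool", {}).items():
        if ctx.get(key, "false") != val:
            return False
    for key, val in cond.get("DateLessThan", {}).items():
        if _ts(ctx[key]) >= _ts(val):
            return False
    return True

def is_allowed(policy, action, resource, ctx):
    """Default deny; an explicit Deny overrides any Allow (simplified IAM logic)."""
    allowed = False
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        arn = stmt["Resource"].replace("${aws:username}", ctx["aws:username"])
        if not any(fnmatch.fnmatchcase(action, a) for a in actions):
            continue
        if not fnmatch.fnmatchcase(resource, arn) or not _conditions_hold(stmt.get("Condition", {}), ctx):
            continue
        if stmt["Effect"] == "Deny":
            return False  # deny wins regardless of statement order
        allowed = True
    return allowed
```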

Slide 14


Recommended Practices: File/Disk Encryption
Vendor-managed: S3
Client-managed: Java, .Net SDK APIs & code samples; DM-Crypt
Key Management Integration for CMPs (Enstratius)
Oracle RDS Transparent Data Encryption (TDE)
Off-cloud key management for high-sensitivity workloads
AWS HSM appliance

Slide 15


Recommended Practices: Orchestration
Automate, automate, automate
*So* many options:
ElasticBeanstalk
CloudFormation
Chef, Puppet, Salt, Ansible
RightScale, Enstratius, …

Slide 16


Recommended Practices: Auditing & Logging
IAM
AD & Shibboleth
CloudTrail, Sumo Logic
Financial report automation
Central logging
Managed Splunk, et al.

Slide 17


Required Reading
AWS Security by Stephen Schmidt: http://www.slideshare.net/AmazonWebServices/aws-security-keynote-address-sec101-aws-reinvent-2013
AWS Security Blog: http://blogs.aws.amazon.com/security/blog
Security & Compliance Docs: http://aws.amazon.com/compliance/

Slide 18


How good are your controls?

Slide 19


Thank you!

Slide 20


Contacts
Twitter: @kennwhite
LinkedIn: www.linkedin.com/in/biotech
Email: kwhite @ baosystems . com
Web: opencryptoaudit.org/people