Architecture for Security on AWS

Good security starts with a solid architecture. This slide deck is from a webinar we ran with AWS in which attendees learned about the security building blocks available on AWS, how to think about security as a first-class consideration, and how customers in the e-commerce, media, healthcare, and financial services sectors are leveraging these techniques to secure their data.

A recording of this webinar will be available for a limited time at:
https://zoom.us/rec/share/3JRbIKztyD9LX52S5WTPfJM9XZTIeaa8hChK-_UPnhoq6cJDKZKTemclwrYvaHg0
Access Password: 8V%=1U^&

The Scale Factory

April 22, 2020

Transcript

  1. ARCHITECTURE FOR SECURITY ON AWS_ JON TOPPER | @jtopper | he/him/his @scalefactory
  2. $ whoami
    - Founder/CEO/CTO, The Scale Factory
    - Working in hosting/infrastructure for 20 years
    - Infrastructure / AWS / DevOps
  3. WEBINAR DETAILS_
    - Please use the Q&A button to ask questions
    - This webinar will be recorded
    - The slides will be available
  4. None
  5. THE TEAM_

  6. OUR CLIENTS_

  7. Leading Well-Architected Partner Worldwide >200 Reviews Completed Since April 2018

  8. Security | Reliability | Performance Efficiency | Cost Optimization | Operational Excellence

  9. TODAY'S AGENDA_
    - Who's responsible for security?
    - Leveraging the AWS platform
    - The 5 areas of security
    - A Well-Architected review
    - Q&A
  10. WHO'S RESPONSIBLE FOR SECURITY IN YOUR ORGANISATION?_

  11. WHO'S RESPONSIBLE FOR SECURITY IN YOUR ORGANISATION?_ YOU ARE

  12. WHO'S RESPONSIBLE FOR SECURITY IN YOUR ORGANISATION?_ YOU ARE / EVERYONE IS
  13. ARCHITECTURE FOR SECURITY ON AWS_ @scalefactory

  14. STATE OF DEVOPS REPORT_ DORA: "Low performers take weeks to conduct security reviews and complete the changes identified. In contrast, elite performers build security in and can conduct security reviews and complete changes in just days."
  15. THE SCALE FACTORY WAY_
    - People First
    - Match solution to workload
    - Leverage the AWS platform
    - Automate
    - Iterate
  16. LEVERAGE THE AWS PLATFORM_ @scalefactory

  17. [Wardley map: Value Chain axis (Visible to Invisible) against Evolution axis (Genesis, Custom, Product, Commodity). Components plotted: Customer, MySQL, Compute, Storage, Data Centre, HA Scripts, Monitoring, Config Mgmt, Networking, Power]
  18. [Wardley map: Value Chain axis (Visible to Invisible) against Evolution axis (Genesis, Custom, Product, Commodity). Components plotted: Customer, RDS Aurora]
  19. None
  20. Somebody Else's Problem

  21. 5 AREAS OF SECURITY_
    - Identity and access management
    - Detective controls
    - Infrastructure protection
    - Data protection
    - Incident response
    @scalefactory
  22. IDENTITY & ACCESS MANAGEMENT_ @scalefactory

  23. GOOD IAM PRACTICE_
    - No access to the root account
    - Unique credentials per person
    - Create least-privilege policies
  24. USE MFA_

  25. FEDERATED IDENTITY_

  26. AWS ORGANIZATIONS_ [Diagram: Root Account; OU: Developers (Jon's Sandbox, Salma's Sandbox); SSO; Security; DeveloperRole, SecurityAdminRole, OperatorRole; OU: Services (Live, Staging); Trust Relationship Policy; DeveloperRole; Security Log Bucket; Service Control Policy]
  27. TEACH YOUR TEAMS AWS IAM @scalefactory

  28. INSTANCE PROFILES_ [Diagram: Instance, App, Instance Metadata Service, steps 1, 2, 3]

  29. LEAST PRIVILEGE?_ @scalefactory
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "s3:CreateBucket",
            "s3:DeleteObject",
            "s3:Put*",
            "s3:Get*",
            "s3:List*"
          ],
          "Resource": [
            "arn:aws:s3:::*"
          ]
        }
      ]
    }
  30. TEACH YOUR TEAMS AWS IAM @scalefactory

  31. YOUR IAM MIGHT NEED WORK IF YOU_
    - Log in with the root account
    - Have >1 identity for a single person
    - Don't use roles for compute services
    - Don't enforce MFA
    - Hard-code secrets in app config (or code!)
    - Have IAM policies with *s in (too permissive)
    - Use a lot of AWS managed IAM policies
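Slide 29 asks whether the policy shown is least privilege, and slide 31 lists "IAM policies with *s in" as a warning sign. The check below is an added example (not from the deck or The Scale Factory): it lints a policy document for wildcard actions and unscoped resources, and does a coarse "would this allow X on Y?" match so the slide 29 policy can be compared with a constructed, bucket-scoped alternative. The scoped policy, bucket name and function names are assumptions for the example; the IAM grammar details (string-or-list Action/Resource, `*` as a glob, case-insensitive action names) are real.

```python
"""Lint IAM policy documents for the wildcard problem on slides 29 and 31.

Added example, not part of the slide deck. SLIDE_29_POLICY is the policy
shown on slide 29; SCOPED_POLICY is a constructed contrast.
"""
import fnmatch
import json

# The policy from slide 29, verbatim.
SLIDE_29_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:CreateBucket", "s3:DeleteObject", "s3:Put*", "s3:Get*", "s3:List*"],
        "Resource": ["arn:aws:s3:::*"],
    }],
})

# Constructed alternative (bucket name is made up): object access under one prefix,
# plus ListBucket on that bucket only. No action wildcards, no unscoped resources.
SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::example-app-assets/uploads/*"},
        {"Effect": "Allow", "Action": "s3:ListBucket",
         "Resource": "arn:aws:s3:::example-app-assets"},
    ],
})


def _as_list(value):
    """IAM accepts a string or a list for Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_unscoped(resource):
    """True for '*' or an ARN whose resource part is just '*' (e.g. arn:aws:s3:::*).
    A prefix wildcard such as bucket/uploads/* is scoped and is not flagged."""
    return resource == "*" or resource.rsplit(":", 1)[-1] == "*"


def find_wildcards(policy_json):
    """Return (statement index, field, value) for each over-broad Allow grant."""
    findings = []
    for idx, stmt in enumerate(_as_list(json.loads(policy_json).get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # wildcards in Deny statements are usually deliberate guard-rails
        for action in _as_list(stmt.get("Action")):
            if "*" in action:
                findings.append((idx, "Action", action))
        for resource in _as_list(stmt.get("Resource")):
            if _is_unscoped(resource):
                findings.append((idx, "Resource", resource))
    return findings


def allows(policy_json, action, resource):
    """Coarse check: does some Allow statement match this action on this resource?
    Ignores Deny statements and Conditions, so it over-approximates real IAM
    evaluation; good enough to show what a wildcard grant reaches."""
    for stmt in _as_list(json.loads(policy_json).get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        # Action names are case-insensitive in IAM; '*' and '?' are globs.
        action_hit = any(fnmatch.fnmatchcase(action.lower(), a.lower())
                         for a in _as_list(stmt.get("Action")))
        resource_hit = any(fnmatch.fnmatchcase(resource, r)
                           for r in _as_list(stmt.get("Resource")))
        if action_hit and resource_hit:
            return True
    return False


if __name__ == "__main__":
    for name, policy in (("slide 29", SLIDE_29_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, "findings:", find_wildcards(policy))
    # s3:Put* also covers s3:PutBucketPolicy, on every bucket in the account.
    print("slide 29 allows PutBucketPolicy anywhere:",
          allows(SLIDE_29_POLICY, "s3:PutBucketPolicy", "arn:aws:s3:::any-bucket"))
```

Running it shows why slide 29 is not least privilege: `s3:Put*` on `arn:aws:s3:::*` silently includes `s3:PutBucketPolicy` on every bucket in the account, while the scoped policy grants object access under one prefix and nothing else.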
  32. DETECTIVE CONTROLS_ @scalefactory

  33. LOG EVERYTHING_ CloudWatch Logs | CloudTrail | VPC Flow Logs | DNS Query Logs
  34. USE THE LOGS_ ELK Stack / Vendor tools | Queries with Athena | Kinesis streams
  35. AWS GUARDDUTY_

  36. AWS SECURITY HUB_

  37. AMAZON DETECTIVE_

  38. YOUR CONTROLS MAY NEED WORK IF..._
    - You're not logging anything / enough
    - You're not alerting on important log conditions
    - Alerts/notifications are noisy or ignored
    - You're only using logs when debugging
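Slides 33 and 34 say to collect CloudTrail and query it; slide 38 says the logs are wasted unless you alert on important conditions. The block below is an added example (not from the deck) of two such conditions taken from the IAM slides: any use of the root account (slides 23 and 31) and a successful console sign-in without MFA (slide 24). The records are constructed in the shape CloudTrail writes (`userIdentity.type`, `eventName`, `responseElements.ConsoleLogin`, `additionalEventData.MFAUsed` are real CloudTrail fields); the account id, user names and IP addresses are made up.

```python
"""Detection rules over CloudTrail records for the conditions on slides 23, 24 and 31.

Added example, not part of the slide deck. SAMPLE_TRAIL is a constructed
CloudTrail-style file (the "Records" array CloudTrail delivers to S3).
"""
import json

ACCOUNT = "111122223333"  # constructed account id

SAMPLE_TRAIL = json.dumps({"Records": [
    {   # root user signs in to the console with no MFA: two rules should fire
        "eventTime": "2020-04-22T09:00:00Z", "eventSource": "signin.amazonaws.com",
        "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.7",
        "userIdentity": {"type": "Root", "accountId": ACCOUNT,
                         "arn": f"arn:aws:iam::{ACCOUNT}:root"},
        "responseElements": {"ConsoleLogin": "Success"},
        "additionalEventData": {"MFAUsed": "No"},
    },
    {   # IAM user signs in with MFA: nothing to report
        "eventTime": "2020-04-22T09:05:00Z", "eventSource": "signin.amazonaws.com",
        "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.8",
        "userIdentity": {"type": "IAMUser", "accountId": ACCOUNT, "userName": "salma"},
        "responseElements": {"ConsoleLogin": "Success"},
        "additionalEventData": {"MFAUsed": "Yes"},
    },
    {   # ordinary API call via an assumed role (the slide 26 DeveloperRole)
        "eventTime": "2020-04-22T09:10:00Z", "eventSource": "s3.amazonaws.com",
        "eventName": "PutObject", "sourceIPAddress": "10.0.1.23",
        "userIdentity": {"type": "AssumedRole", "accountId": ACCOUNT,
                         "arn": f"arn:aws:sts::{ACCOUNT}:assumed-role/DeveloperRole/jon"},
    },
    {   # failed sign-in without MFA: the no-MFA rule only cares about successes
        "eventTime": "2020-04-22T09:15:00Z", "eventSource": "signin.amazonaws.com",
        "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.9",
        "userIdentity": {"type": "IAMUser", "accountId": ACCOUNT, "userName": "ops-bot"},
        "responseElements": {"ConsoleLogin": "Failure"},
        "additionalEventData": {"MFAUsed": "No"},
    },
]})


def _who(event):
    """Best available principal name for an alert."""
    ident = event.get("userIdentity", {})
    return ident.get("userName") or ident.get("arn") or "unknown"


def detect(trail_json):
    """Return (rule, eventName, principal, eventTime) for every rule hit."""
    findings = []
    for ev in json.loads(trail_json).get("Records", []):
        ident = ev.get("userIdentity", {})
        # Rule 1: the root account should not be used at all (slides 23, 31).
        if ident.get("type") == "Root":
            findings.append(("ROOT_ACCOUNT_USED", ev.get("eventName"),
                             _who(ev), ev.get("eventTime")))
        # Rule 2: a successful console sign-in must have used MFA (slide 24).
        if (ev.get("eventName") == "ConsoleLogin"
                and ev.get("responseElements", {}).get("ConsoleLogin") == "Success"
                and ev.get("additionalEventData", {}).get("MFAUsed") != "Yes"):
            findings.append(("CONSOLE_LOGIN_WITHOUT_MFA", ev.get("eventName"),
                             _who(ev), ev.get("eventTime")))
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_TRAIL):
        print(*finding)
```

The same two predicates translate directly into an Athena query over a CloudTrail table (`userIdentity.type = 'Root'`, `additionalEventData` checked for `MFAUsed`) or a CloudWatch Logs metric filter, which is how you get from "logging everything" to an alert that someone actually reads.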
  39. INFRASTRUCTURE PROTECTION_ @scalefactory

  40. None
  41. SECURITY GROUPS_ [Diagram: Default, App1, App2]

  42. FINE GRAINED POLICIES_ KMS key policies | S3 bucket policies | SNS access control
  43. DIRECT CONNECT_

  44. AWS Shield (DDoS Protection) | AWS WAF (Web Application Firewall)

  45. AWS INSPECTOR_
    - Scans for network reachability
    - Checks hosts against known CVEs
    - Checks against CIS benchmarks
    - Checks other security best practice
    - Analyses app runtime behaviour
  46. None
  47. CASE STUDY_

  48. WHAT ABOUT SERVERLESS?_

  49. YOUR PROTECTION MAY NEED WORK IF..._
    - You have anything other than LB or NAT in public networks
    - Your security groups are too permissive
    - You mainly use CIDR network ranges in your SGs
    - You're not protecting your application with WAF
    - You're not actively scanning for vulnerabilities
    - You're not checking your application dependencies' security
  50. DATA PROTECTION_ @scalefactory

  51. CLASSIFY DATA_
    - Identify different data classification levels
    - Use tagging of resources
    - Use KMS keys per classification level
    - Control principal access to keys & resources
    - Consider tokenisation
    - Use AWS Macie to look for sensitive data in S3
  52. DATA AT REST_
    - Use service features to encrypt at rest
    - Limit personnel access to data (IAM)
    - Copy base AMIs with encryption
  53. PROTECT SECRETS_
    - AWS Secrets Manager
    - Temporary RDS tokens
    - Parameter Store
    - Control principal access with IAM
    - (Vendor solutions)
  54. DATA IN TRANSIT_
    - Use HTTPS listeners on load balancers
    - Use HTTPS on CloudFront
    - Use ACM for certificate management
    - Use VPNs where necessary*
  55. DATA BACKUPS_
    - Use per-service backup features
    - Replicate to other regions
    - Limit personnel access to backups
  56. DATA PROTECTION MAY NEED WORK IF..._
    - Too many people have access to too much data
    - You haven't thought about data classification
    - You're not encrypting at rest
    - You're not encrypting in transit
    - You store secrets anywhere other than in AWS services
    - You don't have complete backups
    - You haven't tried restoring your backups recently
  57. INCIDENT RESPONSE_ @scalefactory

  58. AUTOMATE RESPONSE_
    - Use CloudWatch events
    - Send notifications with SNS
    - Trigger actions (Lambda, Step Functions)
  59. CLEAN ROOM_
    - Pre-install forensic tools
    - Ensure security team shell access
    - Automatically quarantine suspect nodes
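Slide 58 describes the automation chain (CloudWatch Events triggering a Lambda) and slide 59 says suspect nodes should be quarantined automatically and kept for forensics. The handler below is an added example of that chain (not code from the deck or The Scale Factory): a GuardDuty finding arrives via a CloudWatch Events rule, and for high-severity findings against an EC2 instance the handler swaps the instance's security groups for a single quarantine group and tags it. The quarantine group, the `QUARANTINE_SG` environment variable, the instance id and the `FakeEC2` stand-in are assumptions for the example; `modify_instance_attribute` and `create_tags` are real boto3 EC2 calls, and `detail.resource.instanceDetails.instanceId` is where GuardDuty findings carry the instance id.

```python
"""Quarantine an EC2 instance named in a GuardDuty finding (slides 58 and 59).

Added example, not part of the slide deck. Assumptions: findings are
delivered by a CloudWatch Events rule; the id of a pre-created quarantine
security group (one that only admits the security team's access path) is
passed as QUARANTINE_SG; the EC2 client is injected so the logic can run
offline against FakeEC2 below.
"""
import os

SEVERITY_THRESHOLD = 7.0  # GuardDuty "High" findings are 7.0 and above

# Constructed event in the shape CloudWatch Events uses for GuardDuty findings.
SAMPLE_EVENT = {
    "detail-type": "GuardDuty Finding",
    "detail": {
        "severity": 8,
        "type": "UnauthorizedAccess:EC2/SSHBruteForce",
        "resource": {
            "resourceType": "Instance",
            "instanceDetails": {"instanceId": "i-0123456789abcdef0"},  # made-up id
        },
    },
}


class FakeEC2:
    """Offline stand-in for boto3.client('ec2'); records the calls it receives."""

    def __init__(self):
        self.calls = []

    def modify_instance_attribute(self, **kwargs):
        self.calls.append(("modify_instance_attribute", kwargs))
        return {}

    def create_tags(self, **kwargs):
        self.calls.append(("create_tags", kwargs))
        return {}


def quarantine(event, ec2, quarantine_sg):
    """Isolate the instance in a high-severity instance finding; return its id,
    or None when the event does not qualify."""
    detail = event.get("detail", {})
    resource = detail.get("resource", {})
    if resource.get("resourceType") != "Instance":
        return None
    if float(detail.get("severity", 0)) < SEVERITY_THRESHOLD:
        return None
    instance_id = resource["instanceDetails"]["instanceId"]
    # Replacing every security group isolates the node on the network but
    # leaves it running, so disk and memory survive for the forensic work
    # slide 59 has in mind. Terminating it would destroy the evidence.
    ec2.modify_instance_attribute(InstanceId=instance_id, Groups=[quarantine_sg])
    ec2.create_tags(
        Resources=[instance_id],
        Tags=[{"Key": "Quarantine", "Value": detail.get("type", "unknown")}],
    )
    return instance_id


def lambda_handler(event, context):
    """Real Lambda entry point: uses a live EC2 client and the configured group."""
    import boto3  # imported here so the offline demo and tests need no AWS SDK
    return quarantine(event, boto3.client("ec2"), os.environ["QUARANTINE_SG"])


if __name__ == "__main__":
    fake = FakeEC2()
    print("quarantined:", quarantine(SAMPLE_EVENT, fake, "sg-quarantine-example"))
    for call in fake.calls:
        print(call)
```

Wire an SNS notification onto the same rule (slide 58) so the on-call engineer knows a node was pulled, and keep the quarantine group's inbound rules limited to whatever path the security team uses for shell access, otherwise the "clean room" has no door.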
  60. RUNBOOK / PLAYBOOK_
    - Document incident response for your team
    - Ensure team members are on call
    - Run regular incident drills
  61. INCIDENT RESPONSE MAY NEED WORK IF..._
    - You can't remediate common incidents automatically
    - You can't quarantine bad nodes for later forensics
    - You don't have engineers on-call for security incidents
    - Engineers don't know how to respond to on-call alerts
    - You don't regularly practice incident response
  62. TOO MUCH TO THINK ABOUT!_ @scalefactory

  63. LANDING ZONE_

  64. LANDING ZONE_

  65. LANDING ZONE_

  66. LANDING ZONE_

  67. CASE STUDY_ "We've been continuously impressed with the expertise at The Scale Factory, their keenness to understand our business needs and pressures, and help us pave the foundations for a step change in our capability to serve our clients" James Ramirez, CTO
  68. EVEN LANDING ZONE IS TOO MUCH TO THINK ABOUT!_ @scalefactory

  69. CONTROL TOWER_

  70. WHAT'S NEXT?_ @scalefactory

  71. TALK TO US ABOUT: CONSULTANCY TRAINING WELL-ARCHITECTED MIGRATION

  72. Leading Well-Architected Partner Worldwide >200 Reviews Completed Since April 2018
    - Book a Well-Architected review today: https://scalefactory.com/services/well-architected/
    - $5,000 funding available to support improvement work
  73. BREAKFAST OPS_ Monthly hosted discussion for CTOs and tech decision makers
  74. Q&A_

  75. KEEP IN TOUCH_ http://www.scalefactory.com/ @scalefactory [email protected]