Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Architecture for Security on AWS

Architecture for Security on AWS

This deck was used for a webinar in July 2020

The Scale Factory

July 29, 2020

More Decks by The Scale Factory

Other Decks in Technology


  1. WEBINAR DETAILS_ Please use the Q&A button to ask questions

    This webinar will be recorded The slides will be available
  2. TODAY'S AGENDA_ Who’s responsible for security? Leveraging the AWS platform

    The 5 areas of security A Well-Architected review Q&A
  3. STATE OF DEVOPS REPORT_ DORA "Low performers take weeks to

    conduct security reviews and complete the changes identified. In contrast, elite performers build security in and can conduct security reviews and complete changes in just days."
  4. THE SCALE FACTORY WAY_ People First Match solution to workload

    Leverage the AWS platform Automate Iterate
  5. Visible Invisible Value Chain Evolution Genesis Custom Product Commodity Power

    Customer MySQL Compute Storage Data Centre HA Scripts Monitoring Config Mgmt Networking
  6. 5 AREAS OF SECURITY_ Identity and access management Detective controls

    Infrastructure protection Data protection Incident response @scalefactory
  7. GOOD IAM PRACTICE_ No access to the root account Unique

    credentials per person Create least-privilege policies
  8. Root Account OU: Developers Jon's Sandbox Salma's Sandbox SSO Security

    DeveloperRole SecurityAdminRole OperatorRole OU: Services Live Staging Trust Relationship Policy DeveloperRole Security Log Bucket Service Control Policy AWS ORGANIZATIONS_
  9. { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [

    "s3:CreateBucket", "s3:DeleteObject", "s3:Put*", "s3:Get*", "s3:List*" ], "Resource": [ "arn:aws:s3:::*" ] } ] } LEAST PRIVILEGE?_ @scalefactory

    the root account Have >1 identity for a single person Don't use roles for compute services Don’t enforce MFA Hard-code secrets in app config (or code!) Have IAM policies with *s in (too permissive) Use a lot of AWS managed IAM policies
  11. YOUR CONTROLS MAY NEED WORK IF..._ You're not logging anything

    / enough You're not alerting on important log conditions Alerts/notifications are noisy or ignored You're only using logs when debugging
  12. AWS INSPECTOR_ Scans for network reachability Checks hosts against known

    CVEs Checks against CIS benchmarks Checks other security best practice Analyses app runtime behaviour
  13. YOUR PROTECTION MAY NEED WORK IF..._ You have anything other

    than LB or NAT in public networks Your security groups are too permissive You mainly use CIDR network ranges in your SGs You're not protecting your application with WAF You're not actively scanning for vulnerabilities You're not checking your application dependencies' security
  14. CLASSIFY DATA_ Identify different data classification levels Use tagging of

    resources Use KMS keys per classification level Control principal access to keys & resources Consider tokenisation Use AWS Macie to look for sensitive data in S3
  15. DATA AT REST_ Use service features to encrypt at rest

    Limit personnel access to data (IAM) Copy base AMIs with encryption
  16. PROTECT SECRETS_ AWS Secrets Manager Temporary RDS tokens Parameter Store

    Control principal access with IAM (Vendor solutions)
  17. DATA IN TRANSIT_ Use HTTPS listeners on load balancers Use

    HTTPS on CloudFront Use ACM for certificate management Use VPNs where necessary*
  18. DATA PROTECTION MAY NEED WORK IF..._ Too many people have

    access to too much data You haven't thought about data classification You're not encrypting at rest You're not encrypting in transit You store secrets anywhere other than in AWS services You don't have complete backups You haven't tried restoring your backups recently
  19. RUNBOOK/ PLAYBOOK_ Document incident response for your team Ensure team

    members are on call Run regular incident drills
  20. INCIDENT RESPONSE MAY NEED WORK IF..._ You can't remediate common

    incidents automatically You can't quarantine bad nodes for later forensics You don't have engineers on-call for security incidents Engineers don't know how to respond to on-call alerts You don't regularly practice incident response
  21. CASE STUDY_ “We’ve been continuously impressed with the expertise at

    The Scale Factory, their keenness to understand our business needs and pressures, and help us pave the foundations for a step change in our capability to serve our clients” James Ramirez CTO
  22. Leading Well-Architected Partner Worldwide >200 Reviews Completed Since April 2018

    Book a Well-Architected review today https:/ /scalefactory.com/services/well-architected/ $5,000 funding available to support improvement work