Security in Cloud Workshop


AWS Security Essentials
Herman Mak, Solutions Architect
March 8, 2019
© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Schedule
1. AWS Security Model
2. AWS Compliance and Security
3. AWS Security Technologies and Services

Security is Job Zero at AWS
Security layers: People & Process, System, Network, Physical
• Familiar security model
• Validated and driven by customers’ security experts
• Benefits all customers

AWS Shared Responsibility Model: for Infrastructure Services

Managed by customers:
• Customer IAM
• Customer content
• Platform & Applications Management
• Operating System, Network & Firewall Configuration
• Client-side data encryption & data integrity authentication
• Server-side encryption (file system and/or data)
• Network traffic protection (encryption / integrity / identity)
• Optional – Opaque data: 1’s and 0’s (in transit / at rest)

Managed by AWS:
• AWS IAM
• AWS Foundation Services: Compute, Storage, Database, Networking
• AWS Global Infrastructure: Regions, Availability Zones, Edge Locations
• API Endpoints (reached via the management protocol and API calls)

Infrastructure Service Example – EC2

Customer responsibilities:
• Customer Data
• Customer Application
• Operating System
• Network & Firewall
• Customer IAM (Corporate Directory Service)
• High Availability, Scaling
• Instance Management
• Data Protection (Transit, Rest, Backup)
• AWS IAM (Users, Groups, Roles, Policies)

AWS responsibilities:
• Foundation Services — Networking, Compute, Storage
• AWS Global Infrastructure
• AWS API Endpoints

AWS Shared Responsibility Model: for Container Services

Managed by customers:
• Customer IAM
• Customer content
• Client-side data encryption & data integrity authentication
• Network traffic protection (encryption / integrity / identity)
• Firewall configuration
• Optional – Opaque data: 1’s and 0’s (in transit / at rest)

Managed by AWS:
• AWS IAM
• Platform & Applications Management
• Operating System, Network Configuration
• AWS Foundation Services: Compute, Storage, Database, Networking
• AWS Global Infrastructure: Regions, Availability Zones, Edge Locations
• API Endpoints (reached via the management protocol and API calls)

Infrastructure Service Example – RDS

Customer responsibilities:
• Customer Data
• Firewall (VPC)
• Customer IAM (DB Users, Table Permissions)
• AWS IAM (Users, Groups, Roles, Policies)
• High Availability
• Data Protection (Transit, Rest, Backup)
• Scaling

AWS responsibilities:
• Foundational Services – Networking, Compute, Storage
• AWS Global Infrastructure
• AWS API Endpoints
• Operating System
• Platform / Application

AWS Shared Responsibility Model: for Abstract Services

Managed by customers:
• Customer content
• Client-side data encryption (optional) & data integrity authentication
• Opaque data: 1’s and 0’s (in flight / at rest)

Managed by AWS:
• AWS IAM (API calls)
• Data protection by the platform – protection of data at rest
• Network traffic protection by the platform – protection of data in transit
• Platform & Applications Management
• Operating System, Network & Firewall Configuration
• AWS Foundation Services: Compute, Storage, Database, Networking
• AWS Global Infrastructure: Regions, Availability Zones, Edge Locations
• API Endpoints

Infrastructure Service Example – S3

Customer responsibilities:
• Customer Data
• Data Protection (Rest – CSE)
• AWS IAM (Users, Groups, Roles, Policies)

AWS responsibilities:
• Foundational Services
• AWS Global Infrastructure
• AWS API Endpoints
• Operating System
• Platform / Application
• Data Protection (Rest – SSE, Transit)
• High Availability / Scaling

Summary of Customer Responsibility in the Cloud

Infrastructure Services    Container Services    Abstract Services
Data                       Data                  Data
Customer IAM               Customer IAM          AWS IAM
AWS IAM                    AWS IAM
Applications               Firewall
Operating System
Networking/Firewall

What is Identity Management?

“…the management of individual principals, their authentication, authorization, and privileges …with the goal of increasing security and productivity while decreasing cost, downtime and repetitive tasks.” (Wikipedia)

AWS Principals

Account Owner ID (Root Account)
• Access to all subscribed services.
• Access to billing.
• Access to console and APIs.
• Access to Customer Support.

IAM Users, Groups and Roles
• Access to specific services.
• Access to console and/or APIs.
• Access to Customer Support (Business and Enterprise).

Temporary Security Credentials
• Access to specific services.
• Access to console and/or APIs.

AWS Identity and Access Management (IAM)
Securely control access to AWS services and resources for your users.

Username / User – Manage groups of users – Centralized access control

Optional configurations:
• Password for console access.
• Policies for controlling access to AWS APIs.
• Two methods to sign API calls:
  • X.509 certificate
  • Access/Secret Keys
• Multi-factor Authentication (MFA)

Assurance Programs

AWS Artifact – Compliance reports
Provides customers with an easier process to obtain AWS compliance reports, with self-service, on-demand access via the console.

AWS Responsibilities

Physical Security of Data Center

• Amazon has been building large-scale data centers for many years.
• Important attributes:
– Non-descript facilities
– Robust perimeter controls
– Strictly controlled physical access
– Two or more levels of two-factor authentication
• Controlled, need-based access.
• All access is logged and reviewed.
• Separation of Duties
– Employees with physical access don’t have logical privileges.

One last thing about data sanitization
[Image: “From this” / “To this”]

AWS Global Infrastructure
20 Regions – 60 Availability Zones – 160 Points of Presence

Regions and Availability Zones:
• US East: N. Virginia (6), Ohio (3)
• US West: N. California (3), Oregon (3)
• Asia Pacific: Mumbai (2), Seoul (2), Singapore (3), Sydney (3), Tokyo (4), Osaka-Local (1)
• Canada: Central (2)
• China: Beijing (2), Ningxia (3)
• Europe: Frankfurt (3), Ireland (3), London (3), Paris (3), Stockholm (3)
• South America: São Paulo (3)
• GovCloud (US): US-East (3), US-West (3)
• New Regions (coming soon): Bahrain, Cape Town, Hong Kong SAR, Milan

VPC
VPC = Virtual Private Cloud
• Your virtual data center on AWS
• Block of IPs that define your network (typically RFC 1918)
• VPCs can span multiple AZs
[Diagram: Default VPC, VPC CIDR 10.1.0.0/16, spanning Availability Zone A and Availability Zone B]

VPC subnet
• Range of IPs in your VPC
• Lives inside an AZ
• Can provide security at the subnet or network level with access control lists (ACLs)
• Can route at the subnet level
[Diagram: Default VPC subnets, VPC CIDR 10.1.0.0/16 – subnet 10.1.1.0/24 in Availability Zone A, subnet 10.1.10.0/24 in Availability Zone B]

Internet gateway
IGW = Internet gateway
• Enables your instances to connect to the Internet
• Default VPC includes an IGW
[Diagram: the Internet and AWS public API endpoints reached through the Internet Gateway; subnets 10.1.1.0/24 (Availability Zone A) and 10.1.10.0/24 (Availability Zone B), VPC CIDR 10.1.0.0/16]

Route table
• Contains a set of rules, called routes, that are used to determine where network traffic is directed
• Subnets have one route table
• Controls routing for the subnet to the IGW and VGW
• A route table can belong to many subnets

Route Table (VPC CIDR: 10.1.0.0/16)
Destination    Target
10.1.0.0/16    local
0.0.0.0/0      igw

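The route selection the slide describes, as an added example (not code from the deck or from AWS): the two routes above plus an assumed VGW route for an on-premises range, resolved by longest prefix match, and a check a reviewer can run to tell a public subnet from a private one.

```python
# Added example (not from the workshop deck): how a VPC route table chooses a
# target for a packet, using the two routes on the slide plus an assumed VGW
# route for an on-premises range. AWS picks the most specific matching
# destination (longest prefix match), so 10.1.0.0/16 -> local wins over
# 0.0.0.0/0 -> igw for traffic that stays inside the VPC.
from ipaddress import ip_address, ip_network

# Routes from the slide, plus a constructed VGW route (192.168.0.0/16 is an
# assumed corporate range, not from the deck).
ROUTES = [
    ("10.1.0.0/16", "local"),   # traffic inside the VPC CIDR never leaves the VPC
    ("0.0.0.0/0", "igw"),       # everything else goes to the Internet gateway
    ("192.168.0.0/16", "vgw"),  # assumed on-premises range reached over the VPN
]

def lookup_route(routes, destination):
    """Return the target whose destination CIDR is the most specific match.

    Returns None when no route matches (the packet is dropped)."""
    best_target, best_prefix = None, -1
    dst = ip_address(destination)
    for cidr, target in routes:
        net = ip_network(cidr)
        if dst in net and net.prefixlen > best_prefix:
            best_target, best_prefix = target, net.prefixlen
    return best_target

def is_public_subnet(routes):
    """A subnet is 'public' when its route table sends 0.0.0.0/0 to an IGW."""
    return any(ip_network(cidr).prefixlen == 0 and target.startswith("igw")
               for cidr, target in routes)

if __name__ == "__main__":
    for dst in ("10.1.10.20", "192.168.5.9", "203.0.113.5"):
        print(dst, "->", lookup_route(ROUTES, dst))
    print("public subnet:", is_public_subnet(ROUTES))
```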
VGW and VPN connection
VGW = virtual private gateway
• A VGW is the logical construct representing the VPN endpoint to terminate connections from your on-premises network
• It is also the endpoint for
[Diagram: internal user in the corporate data center → customer gateway → VPN over the Internet → VGW → subnets 10.1.1.0/24 (Availability Zone A) and 10.1.10.0/24 (Availability Zone B), VPC CIDR 10.1.0.0/16]

Network access control list
NACL = network access control list
• An optional layer of security that acts as a firewall for a subnet
• A numbered list of rules that we evaluate in order
• ACLs are stateless and have separate inbound and outbound rules
[Diagram: EC2 instances in a VPC subnet with ACL in Availability Zone A and in Availability Zone B, VPC CIDR 10.1.0.0/16]

Security group
• A security group acts as a virtual firewall for your EC2 instance
• An EC2 instance can have up to five security groups
• Security groups act at the instance level, not the subnet level
• Security groups are stateful
[Diagram: EC2 instances in subnet 10.1.1.0/24 (Availability Zone A) and subnet 10.1.10.0/24 (Availability Zone B), each with a security group; VPC CIDR 10.1.0.0/16]

VPC security controls
[Diagram: VPC 10.1.0.0/16 with EC2 Instance 1 (10.1.1.6), Instance 2 (10.1.1.7) and Instance 3 (10.1.10.20); a virtual router with two route tables; an Internet Gateway and a Virtual Private Gateway]

Security Groups = stateful firewall
[Image: security group rule table]
In English: Hosts in this group are reachable from the Internet on port 80 (HTTP)

Multi-tier architecture using Security Groups
• Web Layer – only 80 and 443 open to Internet
• Application Layer – open access only to Web Layer, and ssh open to management bastion
• Database Layer
• By default, all ports are closed
[Diagram: an Amazon EC2 Security Group firewall in front of each layer]

Network ACLs = Stateless Firewall Rules
• Can be applied on a subnet basis
[Image: network ACL rule table]
English translation: Allow all traffic in

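The difference between the stateful security group slides and the stateless network ACL slide above, as an added example (not code from the deck or from AWS): a small model of both firewalls, with constructed rule sets for the web tier, that shows first-match rule ordering and why a stateless ACL also needs an outbound rule for the client's ephemeral port.

```python
# Added example, not from the workshop deck: a model of the two VPC firewalls on
# these slides. Network ACLs are stateless numbered rule lists (evaluated in
# ascending order, first match wins, implicit deny) with separate inbound and
# outbound sets; security groups are stateful allow lists, so the reply to
# permitted traffic is let back out without an explicit rule.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Flow:
    src: str       # source IP
    dst: str       # destination IP
    sport: int     # source port
    dport: int     # destination port
    proto: str = "tcp"

def reply_of(flow):
    """The return packet of a flow: addresses and ports swapped."""
    return Flow(flow.dst, flow.src, flow.dport, flow.sport, flow.proto)

# NACL rule: (rule number, protocol, CIDR, first port, last port, action).
# Inbound rules match the SOURCE address, outbound rules the DESTINATION
# address; both match the destination port of the packet being evaluated.
def nacl_allows(rules, flow, inbound):
    peer = ip_address(flow.src if inbound else flow.dst)
    for _num, proto, cidr, lo, hi, action in sorted(rules):
        if proto in ("all", flow.proto) and peer in ip_network(cidr) and lo <= flow.dport <= hi:
            return action == "allow"       # first matching rule decides
    return False                           # the '*' rule: implicit deny

def nacl_permits_session(inbound_rules, outbound_rules, request):
    """Stateless: the request must pass inbound AND its reply must pass outbound."""
    return (nacl_allows(inbound_rules, request, inbound=True)
            and nacl_allows(outbound_rules, reply_of(request), inbound=False))

# Security group inbound rule: (protocol, CIDR, first port, last port); allow only.
def sg_permits_session(inbound_rules, request):
    """Stateful: once the request is allowed in, the reply is tracked and let out."""
    src = ip_address(request.src)
    return any(proto in ("all", request.proto) and src in ip_network(cidr)
               and lo <= request.dport <= hi
               for proto, cidr, lo, hi in inbound_rules)

# Constructed rule sets for the web tier (only 80 and 443 open to the Internet).
WEB_SG = [("tcp", "0.0.0.0/0", 80, 80), ("tcp", "0.0.0.0/0", 443, 443)]
WEB_NACL_IN = [(100, "tcp", "0.0.0.0/0", 80, 80, "allow"),
               (110, "tcp", "0.0.0.0/0", 443, 443, "allow")]
# Common mistake: mirroring the inbound ports outbound. The reply to a client
# goes to the client's ephemeral port, so the stateless ACL drops it.
WEB_NACL_OUT_BROKEN = [(100, "tcp", "0.0.0.0/0", 80, 80, "allow")]
WEB_NACL_OUT_FIXED = [(100, "tcp", "0.0.0.0/0", 1024, 65535, "allow")]
# A deny numbered below the allow wins; numbered above it, it is never reached.
BLOCK = (90, "tcp", "203.0.113.0/24", 0, 65535, "deny")

# Constructed request: an Internet client reaching Instance 1 (10.1.1.6) on HTTP.
REQUEST = Flow("203.0.113.5", "10.1.1.6", 51515, 80)
```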
What is DDoS Attack?
Distributed Denial Of Service

Types of DDoS attacks

Application-layer DDoS attacks
Use well-formed but malicious requests to circumvent mitigation and consume application resources (e.g., HTTP GET, DNS query floods)

State-exhaustion DDoS attacks
Abuse protocols to stress systems like firewalls, IPS, or load balancers (e.g., TCP SYN flood)

Volumetric DDoS attacks
Congest networks by flooding them with more traffic than they are able to handle (e.g., UDP reflection attacks)

AWS Shield Standard protections

Layer 3/4 protection
• Protect from most common attacks (SYN/UDP Floods, Reflection Attacks, etc.)
• Automatically detect & mitigate
• Built into AWS services

Layer 7 protection
• AWS WAF for Layer 7 DDoS attack mitigation
• Self-service & pay-as-you-go

AWS Shield Advanced
• Always-on monitoring & detection
• Advanced L3/4 & L7 DDoS protection
• AWS bill protection
• 24x7 access to DDoS Response Team
• Attack notification and reporting

AWS WAF – Layer 7 application protection
• IP reputation lists
• HTTP floods
• Scanners and probes
• Bots and scrapers
• SQL injection
• Cross-site scripting

AWS WAF Security Automations
https://aws.amazon.com/answers/security/aws-waf-security-automations/

AWS Trusted Advisor – Real time guidance

Security configuration checks of your AWS environment:
• Open ports
• Unrestricted access
• CloudTrail Logging
• S3 Bucket Permissions
• Multi-factor auth
• Password Policy
• DB Access Risk
• DNS Records
• Load Balancer config


AWS Trusted Advisor Demo

CloudWatch Logs – Centralization of logs

CloudWatch Logs provides a centralized service to absorb, store, analyze, and take action on a variety of log sources.
• Operating system logs
• Webserver logs
• Application logs

Use cases
• Centralized log store
• Prevent log modification on instances
• Notifications on events

VPC Flow Logs
• Agentless
• Enable per ENI, per subnet, or per VPC
• Logged to AWS CloudWatch Logs
• Create CloudWatch metrics from log data
• Alarm on those metrics

Fields in a flow log record: AWS account, interface, source IP, destination IP, source port, destination port, protocol, packets, bytes, start/end time, accept or reject

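The "create metrics from log data, then alarm on them" idea above, as an added example (not code from the deck or from AWS): a parser for the default flow log record format, whose fields are the ones listed on the slide, and a detection that flags a source rejected on many distinct ports in one window. The log lines and the account ID are constructed.

```python
# Added example, not from the workshop deck: parse VPC Flow Log records in the
# default format (the fields on the slide: account, interface, source/destination
# IP and port, protocol, packets, bytes, start/end time, ACCEPT/REJECT) and apply
# the kind of rule a CloudWatch metric filter plus alarm would: flag a source
# that is REJECTed on many distinct ports. Log lines below are constructed.
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class FlowRecord:
    account: str
    interface: str
    src: str
    dst: str
    sport: int
    dport: int
    protocol: int    # IANA number: 6 = TCP, 17 = UDP
    packets: int
    bytes: int
    start: int       # epoch seconds
    end: int
    action: str      # ACCEPT or REJECT

def parse_record(line):
    """Parse one default-format record (version 2, 14 space-separated fields).

    Returns None for NODATA/SKIPDATA records, whose traffic fields are '-'."""
    f = line.split()
    if len(f) != 14 or f[0] != "2" or f[13] != "OK":
        return None
    return FlowRecord(f[1], f[2], f[3], f[4], int(f[5]), int(f[6]), int(f[7]),
                      int(f[8]), int(f[9]), int(f[10]), int(f[11]), f[12])

def rejected_port_sweeps(lines, min_ports=3):
    """Sources whose REJECTed flows hit at least min_ports distinct destination ports.

    Returns {source IP: sorted list of rejected destination ports}."""
    ports = defaultdict(set)
    for line in lines:
        rec = parse_record(line)
        if rec and rec.action == "REJECT":
            ports[rec.src].add(rec.dport)
    return {src: sorted(p) for src, p in ports.items() if len(p) >= min_ports}

# Constructed records for the ENI of Instance 1 (10.1.1.6); account ID is a placeholder.
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d 203.0.113.5 10.1.1.6 51515 80 6 10 8400 1552000000 1552000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.1.1.6 40001 22 6 1 60 1552000000 1552000060 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.1.1.6 40002 3389 6 1 60 1552000000 1552000060 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.1.1.6 40003 445 6 1 60 1552000000 1552000060 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.1.1.6 40004 80 6 5 400 1552000000 1552000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 192.0.2.9 10.1.1.6 33333 23 6 1 60 1552000000 1552000060 REJECT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1552000000 1552000060 - NODATA
""".splitlines()

if __name__ == "__main__":
    for src, hit in rejected_port_sweeps(SAMPLE_LOG).items():
        print(f"ALARM: {src} rejected on ports {hit}")
```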
VPC Flow Logs – CloudWatch Alarms
[Image: CloudWatch alarm on a metric derived from VPC Flow Logs]

VPC Flow Logs
• Amazon Elasticsearch Service
• Amazon CloudWatch Logs subscriptions

Full visibility and logging features

Full visibility of your AWS environment
• CloudTrail will record access to API calls and save logs in your S3 buckets, no matter how those API calls were made
  Who did what and when and from where (IP address)
• CloudTrail/Config support for many AWS services and growing – includes EC2, EBS, VPC, RDS, IAM and RedShift
• Edge/CDN, WAF, ELB, VPC/Network FlowLogs
• Easily aggregate all log information
• CloudWatch Alarms

Out of the box integration with log analysis tools from AWS partners including Splunk, AlertLogic and SumoLogic

AWS CloudTrail example
[Image: sample CloudTrail event]

Automate actions on events
[Diagram: Amazon CloudWatch, Lambda and Amazon SNS]

AWS Config
Managed service for tracking AWS inventory and configuration, and configuration change notification.
[Diagram: AWS Config collecting from EC2, EBS, VPC and CloudTrail]
Use cases: Security Audit, Compliance, Change Management, Troubleshooting, Discovery, Analysis

AWS Config Demo

Data Encryption At-Rest
AWS CloudHSM | AWS Key Management Service

Key handling questions for any solution

Where are keys generated and stored?
• Hardware you own?
• Hardware the cloud provider owns?

Where are keys used?
• Client software you control?
• Server software the cloud provider controls?

Who can use the keys?
• Users and applications that have permissions?
• Cloud provider applications you give permissions?

What assurances are there for proper security around keys?

Options for using encryption in AWS

Client-side encryption
• You encrypt your data before it is submitted to the service
• You supply encryption keys OR use keys in your AWS account
• Available clients: S3, EMR File System (EMRFS), DynamoDB, AWS Encryption SDK

Server-side encryption
• AWS encrypts data on your behalf after it is received by the service
• 19 integrated services including S3, Snowball, EBS, RDS, Amazon Redshift, WorkSpaces, Amazon Kinesis Firehose, CloudTrail

AWS Key Management Service (AWS KMS)
• Managed service that simplifies creation, control, rotation, deletion, and use of encryption keys in your applications
• Integrated with many AWS services for server-side encryption
• Integrated with AWS service clients/SDKs: S3, EMRFS, DynamoDB, AWS Encryption SDK
• Integrated with CloudTrail to provide auditable logs of key usage for regulatory and compliance activities
• Available in all commercial regions except China

AWS KMS is fully integrated with AWS IAM
[Image]

AWS KMS integration with AWS services
[Image: table of integrated services]
* Supports only AWS managed KMS keys

Bring Your Own Key
1. Create customer master key (CMK) container – KMS: empty CMK container with unique key ID
2. Download a public wrapping key – KMS: RSA public key
3. Export your key material encrypted under the public wrapping key – your key management infrastructure: your 256-bit key material encrypted under the KMS public key
4. Import encrypted key material under the KMS CMK key ID; set optional expiration period – your key material protected in KMS

AWS CloudHSM
• Dedicated access to HSM appliances
• HSMs located in AWS data centers
• Managed and monitored by AWS
• Only you have access to your keys and operations on the keys
• HSMs are inside your Amazon VPC, isolated from the rest of the network
• Setup right from the console
[Diagram: CloudHSM inside your Amazon VPC – the AWS administrator manages the appliance; you control keys and crypto operations]

AWS CloudHSM
Available in multiple AWS regions worldwide

Compliance
• Included in AWS PCI DSS and SOC compliance packages
• FIPS 140-2 level 3 (AWS CloudHSM)
• FIPS 140-2 level 2 (AWS CloudHSM Classic)

Typical use cases
• Electronic invoicing and document signing
• Use with Amazon Redshift and RDS for Oracle
• Integrate with third-party software (Oracle, Microsoft SQL Server, Apache, SafeNet, OpenSSL)
• Build your own custom applications

Key handling solutions from AWS Marketplace
• Browse, test, and buy encryption and key management solutions
• Pay by the hour, monthly, or annually
• Software fees added to AWS bill
• Bring Your Own License

AWS Marketplace Security Partners
Categories: Infrastructure security, Identity and Access control, Configuration & Vulnerability Analysis, Logs and monitoring, Data protection

AWS Marketplace Demo

Thank You
Herman Mak
Solutions Architect
Twitter: @hermanmakHK
Github: hermanmak
Submit your Feedback to get 25$ AWS Credit