Source: files.meetup.com/1751034/sf-aws-ug-jachan.pdf


AWS Security: A Practitioner’s Perspective

Jason Chan
chan@netflix.com

San Francisco AWS Users Group April 17, 2012

Wednesday, April 18, 12

Jason Chan

• Cloud Security Architect @ Netflix

• Previously:

• Most recently led security team at VMware

• Primarily security consulting at @stake, iSEC Partners

• Some presentations at:

• http://www.slideshare.net/netflix


Agenda

• Goals and non-goals

• AWS on one slide

• Netflix in the cloud

• AWS security: Overview

• AWS security: Gotchas

• AWS security: Recommendations

• Takeaways


Non-Goals

• Primer on general cloud security issues

• AWS how-to

• Comprehensive guide to AWS security

• Info on designing for high-availability


AWS Overview


AWS on a Slide

“The cloud lets its users focus on delivering differentiating business value instead of wasting valuable resources on the undifferentiated heavy lifting that makes up most of IT infrastructure.” - Werner Vogels (AWS CTO), August 25, 2009, ‘All Things Digital’


Netflix in the Cloud


[Chart: Netflix API growth in requests, 37x growth 1/10 - 1/11, outgrowing datacenter capacity. Source: http://techblog.netflix.com/2011/02/redesigning-netflix-api.html]


Netflix Deployed on AWS

[Diagram: Netflix components deployed on AWS, 2009-2011; year row from the slide: 2009 2009 2010 2010 2010 2011]

Content: Video Masters, EC2, S3, CDN
Logs: S3, EMR/Hadoop, Hive, Business Intelligence
Play: DRM, CDN Routing, Bookmarks, Logging
WWW: Sign-up, Search, Movie Choosing, Ratings
API: Metadata, Device Config, TV Movie Choosing, Social/Facebook
CS: International CS Lookup, Diagnostics and Actions, Customer Call Log, CS Analytics

AWS services used: EC2, S3, SQS, SDB, VPC, ELB, EMR, Route53, IAM, SWF, CloudWatch, EBS, SNS, SES


AWS Security Overview

• Shared Responsibility

• AWS Credentials and Identifiers

• Services, Actions, and Resources

• Controlling Network Traffic

• AWS Security-Related Services


Shared Responsibility

[Diagram: split of security responsibilities between YOU (the customer) and AWS]

http://aws.amazon.com/security/


AWS Credentials and Identifiers

Access Credentials
  Access Keys                  REST API
  X.509 Certificates           SOAP API, EC2 tools
  Key Pairs                    CloudFront, EC2

Sign-In Credentials
  Main Account                 E-Mail/PW, console access
  IAM Account                  Name/PW, console access
  MFA Token                    HW/SW token for additional security

Account Identifiers
  Account ID                   12 digit identifier
  Canonical User ID            Used for S3 permissioning

Resource Identifier
  Amazon Resource Name (ARN)   Unique resource identifier, e.g. arn:aws:sns:us-east-1:1234567890123456:mytopic

http://docs.amazonwebservices.com/AWSSecurityCredentials/1.0/AboutAWSCredentials.html


AWS Services, Actions, and Resources

Service   Action                                    Resource
S3        Get Object, Delete Bucket                 Bucket, Object
EC2       Terminate Instances, Associate Address    Instance, AMI, EBS Volume

AWS policies can be applied to actions and resources. Compatibility is service-dependent.

http://docs.amazonwebservices.com/IAM/latest/UserGuide/Using_SpecificProducts.html


Policies - Example

{
  "Statement": [
    {
      "Action": [ "s3:GetObject" ],
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::testbucket/files/*",
      "Condition": {
        "DateLessThanEquals": { "aws:CurrentTime": "2012-05-31T12:00:00Z" },
        "IpAddress": { "aws:SourceIp": "1.1.1.1" }
      },
      "Principal": { "AWS": [ "123456789012" ] }
    }
  ]
}

Reading the statement:

• Which service? Which actions? -> "Action"

• Allow or deny? -> "Effect"

• Which resource? -> "Resource"

• Any conditions? (optional) -> "Condition"

• To whom does the policy apply? -> "Principal"

Policy generator: http://awspolicygen.s3.amazonaws.com/policygen.html


Controlling Network Traffic in AWS

Example: App Server -> DB Server, TCP 3306

Cisco configuration:
  permit tcp host 1.1.1.1 host 2.2.2.2 eq 3306

AWS configuration:
  ec2-authorize db -P tcp -p 3306 -s app


Security Groups & ACLs

Type                 Stateful  Ingress  Egress  EC2  VPC  Cross-Account  Dynamic Membership
EC2 Security Group   Y         Y        N       Y    N    Y              N
VPC Security Group   Y         Y        Y       N    Y    N              Y
DB Security Group    Y         Y        N       Y    Y    Y              Y
VPC Network ACL      N         Y        Y       N    Y    N/A            N/A


AWS Security-Related Services

• Identity and Access Management (IAM)

• Multi-Factor Authentication (MFA)

• Security Token Service (STS)

• Virtual Private Cloud (VPC)


AWS Security Gotchas

• AWS Limits

• IP Addresses in EC2

• Elastic Load Balancing Security

• S3 Policies and Object Ownership

• AWS Resource Logging

• Delivering Credentials to Instances


AWS Limits

• “Because the cloud is infinite if your requirements are moderate”

• Many AWS services have a variety of limits

• Some of which are easily discoverable

• AWS services also have throttling (i.e. max RPS)

• Beware of self-DoS via automation and autoscaling

• NOTE: http://aws.amazon.com/contact-us/ for limit increase requests

• NOTE: Track limits and inspect error messages
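Handling throttling deliberately is the practical half of "inspect error messages". The Python below is an added example (not from the slides or from Netflix's tooling) of a retry wrapper that backs off exponentially, with jitter, only on throttling errors, so an autoscaled fleet retrying in lock-step does not turn a rate limit into a self-inflicted outage. `ThrottledError` and `make_flaky_operation` are constructed stand-ins for an AWS API call; with boto you would catch the client's error response and test its error code instead.

```python
import random
import time


class ThrottledError(Exception):
    """Constructed stand-in for an AWS throttling response (for example a
    RequestLimitExceeded error code); not a boto exception type."""


def call_with_backoff(operation, max_attempts=5, base_delay=0.1,
                      sleep=time.sleep, rand=random.random):
    """Invoke operation() and retry only on throttling, with exponential
    backoff plus full jitter so many instances do not retry at the same instant.

    Returns (result, attempts_used).  Any non-throttling error propagates at
    once: retrying a permissions or validation error only burns the request
    budget that throttling exists to protect."""
    for attempt in range(1, max_attempts + 1):
        try:
            return operation(), attempt
        except ThrottledError:
            if attempt == max_attempts:
                raise
            # cap the exponential delay, then sleep a random fraction of it
            delay = min(base_delay * (2 ** (attempt - 1)), 5.0) * rand()
            sleep(delay)
    raise AssertionError("unreachable")


def make_flaky_operation(failures_before_success):
    """Constructed API call that is throttled the first N times it is invoked."""
    calls = {"n": 0}

    def operation():
        calls["n"] += 1
        if calls["n"] <= failures_before_success:
            raise ThrottledError("RequestLimitExceeded")
        return "ok"

    return operation


if __name__ == "__main__":
    # Throttled three times, succeeds on the fourth attempt.
    print(call_with_backoff(make_flaky_operation(3), sleep=lambda s: None))
```

Injecting `sleep` and `rand` keeps the wrapper testable and lets you log the chosen delay alongside the error message, which is the signal to watch when deciding whether to request a limit increase.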


EC2 IP Addresses

• Each instance has two IPs - private and public

# ec2-metadata

...

local-hostname: ip-10-245-134-152.ec2.internal

local-ipv4: 10.245.134.152

...

public-hostname: ec2-72-44-52-70.compute-1.amazonaws.com

public-ipv4: 72.44.52.70

...


EC2 IP Addresses

• Name resolution depends on client location

# ec2-metadata -o

local-ipv4: 10.245.134.152

# dig +short ec2-72-44-52-70.compute-1.amazonaws.com

10.245.134.152

# dig @8.8.4.4 +short ec2-72-44-52-70.compute-1.amazonaws.com

72.44.52.70


EC2 IP Addresses

• Both public and private IPs are dynamic

• Elastic IPs can be used for persistent public IPs

• Within a region, instances use their private IPs

• Across regions & for Internet traffic, the public IP is used

• NOTE: Traffic to the public IP/EIP:

• Incurs regional data transfer costs

• Is less performant in-region

• Does not preserve source security group info


Elastic Load Balancers

• Service availability and traffic balancing across EC2 instances

• Stable DNS for publicly-facing services

• Alias to the ELB DNS CNAME

• SSL termination, session stickiness, etc.

[Diagram: Internet -> ELB -> Instance, Instance, Instance]


Elastic Load Balancers

• ELB intercepts and forwards traffic

• Traffic loses source IP

• Client IP is accessible via the X-Forwarded-For header

• Backend instances must allow traffic from the ELB

• Traffic from ELB == Traffic from Internet

• Without additional (non security group) filtering, ELBs should only be used for public use cases

• NOTE: VPC ELBs can use security groups for limiting access
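The two ELB points that matter most to a defender are that the client address survives only in X-Forwarded-For and that everything arriving through the ELB is Internet traffic. The Python below is an added example (not from the slides) of reading that header without trusting client-supplied values: the ELB appends the address it saw to the end of the list, so the rightmost entry that is not one of our own proxies is the client, and anything further left was written by the client or an upstream proxy. The trusted proxy range 10.0.0.0/8 is a placeholder assumption; use the addresses your load balancer actually connects from.

```python
import ipaddress

# Constructed placeholder: address ranges our load balancer connects from.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]


def _is_trusted(addr, trusted_proxies):
    return any(addr in net for net in trusted_proxies)


def client_ip_from_xff(xff_header, peer_ip, trusted_proxies=TRUSTED_PROXIES):
    """Recover the real client IP behind an ELB.

    Returns the client address as a string, or None when it cannot be
    determined safely (malformed header, or only proxy hops present)."""
    peer = ipaddress.ip_address(peer_ip)
    if not _is_trusted(peer, trusted_proxies):
        # Connection did not come through our load balancer: the header is
        # untrusted and the TCP peer itself is the client.
        return str(peer)
    hops = [h.strip() for h in (xff_header or "").split(",") if h.strip()]
    # Walk from the right: the last hop was appended by our proxy.
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return None  # malformed entry: do not guess
        if not _is_trusted(addr, trusted_proxies):
            return str(addr)
    return None


if __name__ == "__main__":
    # Client tried to spoof 1.2.3.4; the ELB appended the true address.
    print(client_ip_from_xff("1.2.3.4, 198.51.100.7", "10.0.1.5"))  # 198.51.100.7
```

Anything that keys on client IP (rate limiting, allow-lists, audit logs) should use this derived value, never the leftmost header entry, and the backend security group still has to admit the ELB itself, which is why a non-VPC ELB cannot substitute for source filtering.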


S3 Policies and Object Ownership

• An S3 bucket is similar to a container, an object similar to a file

• Access control can be applied via bucket policy, bucket ACL, and object ACLs

• NOTE: Objects only inherit bucket-level permissions if written by the bucket owner

• Default ACL is “object creator: full control”

• Objects written by a non-bucket-owner are inaccessible to the bucket owner

• Use the “x-amz-acl” header on write to fix permissions
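Two things a practitioner wants here: a way to find objects already written by another account (which the bucket owner cannot read or manage), and a way to stop the problem at write time. The Python below is an added example, not from the slides or Netflix: the listing is a constructed stand-in for an S3 object listing, which returns an owner per key, the canonical user IDs are placeholders, and the bucket policy uses the `s3:x-amz-acl` condition key to refuse writes that omit the `bucket-owner-full-control` canned ACL.

```python
# Canonical user IDs are what S3 uses for permissioning (see the credentials
# table above).  Constructed placeholder values for this example.
BUCKET_OWNER = "owner-canonical-id-PLACEHOLDER"
PARTNER = "partner-canonical-id-PLACEHOLDER"

# Constructed stand-in for a bucket listing: S3's list-objects response
# carries an Owner per key, which is what lets us spot foreign-owned objects.
SAMPLE_LISTING = [
    {"key": "logs/2012-04-17.gz", "owner": BUCKET_OWNER},
    {"key": "partner/upload-1.csv", "owner": PARTNER},
    {"key": "partner/upload-2.csv", "owner": PARTNER},
]


def foreign_owned_keys(listing, bucket_owner):
    """Keys whose owner is not the bucket owner.  Unless the writer granted the
    bucket owner access via an ACL, these carry only the default
    creator-full-control ACL and the bucket owner cannot read or delete them."""
    return [o["key"] for o in listing if o["owner"] != bucket_owner]


def put_headers_for_cross_account_write(content_type="application/octet-stream"):
    """Headers a non-owner writer sends so the bucket owner keeps control."""
    return {
        "x-amz-acl": "bucket-owner-full-control",
        "Content-Type": content_type,
    }


def bucket_policy_requiring_owner_control(bucket):
    """Bucket policy that denies any PutObject not carrying the canned ACL
    above, so the gotcha is prevented at write time rather than found later."""
    return {
        "Statement": [{
            "Effect": "Deny",
            "Principal": {"AWS": "*"},
            "Action": "s3:PutObject",
            "Resource": f"arn:aws:s3:::{bucket}/*",
            "Condition": {
                "StringNotEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}
            },
        }]
    }


if __name__ == "__main__":
    print(foreign_owned_keys(SAMPLE_LISTING, BUCKET_OWNER))
    print(bucket_policy_requiring_owner_control("testbucket"))
```

The audit function is the retrofit for existing data; the bucket policy is the preventive control, and because `StringNotEquals` also matches when the header is absent entirely, a writer that forgets the ACL is rejected rather than silently creating an object the owner cannot touch.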


AWS Resource Logging

• AWS APIs and resources are publicly (Internet) accessible

• So, your management interfaces, file store, databases, etc. are publicly addressable

• Preventing access is generally possible through policy configuration

• NOTE: AWS provides no capability for logging or auditing resource access


Delivering Credentials to EC2 Instances

• AWS becomes more valuable when leveraging multiple services (e.g. EC2 + SQS, S3, etc.)

• Access to resources will generally require credentials

• Secure delivery and storage of credentials becomes difficult with scale and automation

• Some ideas:

• http://shlomoswidler.com/2009/08/how-to-keep-your-aws-credentials-on-ec2.html


AWS Security Recommendations

• Systematic Approach to AWS Security

• Shared Responsibility

• AWS Management

• AWS Security Features and Services

• Resource Security

• Operations Security


Systematic Approach to AWS Security

• Understand shared responsibility model

• Management of AWS

• AWS security features and services

• AWS resource security

• Secure AWS operations


Shared Responsibility

• Analyze what each side provides in terms of security controls

• Understand legal/contractual aspects

• Make plans to bridge any gaps

https://wiki.cloudsecurityalliance.org/guidance/index.php/Cloud_Computing_Architectural_Framework
http://www.computer.org/csdl/mags/sp/2011/02/msp2011020050-abs.html


AWS Management

• No longer any reason to not use IAM

• Enable:

• IAM

• MFA (for account and IAM accounts)

• Create groups and assign permissions appropriate for organizational model

• Consider using separate top-level accounts for compartmentalization


AWS Security Features and Services

• Understand security features, limitations, and options of the features you use

• S3 - encryption, MFA delete, versioning

• EC2 - dedicated instances, disabling API termination

• Consider VPC based on use cases and requirements


AWS Resource Security

• Review access requirements for AWS resources

• S3 buckets, SimpleDB domains, SQS queues

• Apply resource policies to control access appropriately

• Use policy conditions to enhance security

• SourceIP, CurrentTime, SecureTransport
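To see what these conditions actually gate, the Python below is an added example (not from the slides or an AWS library) of a small evaluator for the statement shown on the earlier "Policies - Example" slide, extended with the `aws:SecureTransport` condition recommended here. It goes beyond the slide's single policy in handling the `IpAddress`, `DateLessThanEquals`, `Bool` and `StringEquals` operators and a simple Allow/Deny precedence; the real IAM engine has many more operators and rules, so treat this as a model of the semantics, not a substitute for testing against AWS. The request context keys are the condition keys named on the slides.

```python
import fnmatch
import ipaddress
from datetime import datetime, timezone

# The example policy from the earlier slide, plus a SecureTransport condition.
EXAMPLE_POLICY = {
    "Statement": [{
        "Action": ["s3:GetObject"],
        "Effect": "Allow",
        "Resource": "arn:aws:s3:::testbucket/files/*",
        "Condition": {
            "DateLessThanEquals": {"aws:CurrentTime": "2012-05-31T12:00:00Z"},
            "IpAddress": {"aws:SourceIp": "1.1.1.1"},
            "Bool": {"aws:SecureTransport": "true"},
        },
        "Principal": {"AWS": ["123456789012"]},
    }]
}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _parse_time(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def _condition_holds(operator, key, allowed, ctx):
    """Evaluate one condition against the request context.  A key missing
    from the context fails the condition, i.e. closed by default."""
    if key not in ctx:
        return False
    actual, allowed = ctx[key], _as_list(allowed)
    if operator == "IpAddress":
        ip = ipaddress.ip_address(actual)
        return any(ip in ipaddress.ip_network(a, strict=False) for a in allowed)
    if operator == "DateLessThanEquals":
        return all(_parse_time(actual) <= _parse_time(a) for a in allowed)
    if operator == "Bool":
        return any(str(actual).lower() == a.lower() for a in allowed)
    if operator == "StringEquals":
        return actual in allowed
    raise ValueError(f"unsupported condition operator: {operator}")


def evaluate(policy, ctx):
    """Return 'Allow' or 'Deny' for a request context with keys principal,
    action, resource and any condition keys.  Explicit Deny wins; a request
    matching no statement gets the default Deny."""
    decision = "Deny"
    for st in policy["Statement"]:
        principals = _as_list(st.get("Principal", {}).get("AWS", []))
        if "*" not in principals and ctx["principal"] not in principals:
            continue
        if not any(fnmatch.fnmatchcase(ctx["action"], a) for a in _as_list(st["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(ctx["resource"], r) for r in _as_list(st["Resource"])):
            continue
        conds = st.get("Condition", {})
        if not all(_condition_holds(op, k, v, ctx)
                   for op, kv in conds.items() for k, v in kv.items()):
            continue
        if st["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


if __name__ == "__main__":
    request = {"principal": "123456789012", "action": "s3:GetObject",
               "resource": "arn:aws:s3:::testbucket/files/report.csv",
               "aws:CurrentTime": "2012-05-01T00:00:00Z",
               "aws:SourceIp": "1.1.1.1", "aws:SecureTransport": "true"}
    print(evaluate(EXAMPLE_POLICY, request))                                  # Allow
    print(evaluate(EXAMPLE_POLICY, {**request, "aws:SecureTransport": "false"}))  # Deny
```

Running the same request with one context key changed at a time (wrong source address, past the expiry date, plaintext transport) shows each condition independently turning the Allow into the default Deny, which is the behaviour you want from conditions used as a security boundary.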


Secure AWS Operations

• Understand security group/ACL differences

• Design and implement according to architectural requirements

• Actively manage and monitor accounts and credentials


Other Recommendations

• Tools like boto are useful for security monitoring and analysis

• Keep an eye on:

• http://aws.typepad.com/

• @jeffbarr

• AWS Endpoints: http://docs.amazonwebservices.com/general/latest/gr/rande.html

• EC2 IP Ranges: https://forums.aws.amazon.com/forum.jspa?forumID=30


Takeaways

• AWS provides an array of services that allow you to construct and operate large-scale web services in a self-service, pay-as-you-go model

• The cloud operating model requires you to understand the security responsibilities of both provider and consumer

• Understanding AWS’ security features and capabilities and taking a systematic approach to AWS security will help ensure optimized and secure service use


Thanks! Questions?

chan@netflix.com


Backup Slides


Cloud and Platform Engineering

• Engineering Tools: orchestration, build and deployment

• Cloud Solutions: monitoring, consulting, Simian Army

• CORE: 24/7 site reliability

• Platform Engineering: core shared components and libraries

• Security: application, engineering, and operational

• Cloud Database Engineering: Cassandra, SDB, RDS

• Cloud Performance: testing, optimization, cost

• Cloud Architecture: overall design patterns


Netflix PaaS

• Supports all AWS regions and availability zones

• Supports multiple AWS accounts

• One-click deployment and load balancing across three datacenters

• Cross-region and account data replication and archive

• Dynamic and fine-grained security

• Automatic scaling to thousands of instances

• Monitoring for millions of metrics

• Base server and client

• I18n, L10n, geo IP routing

http://www.slideshare.net/netflix


Security Monkey

http://techblog.netflix.com/2011/07/netflix-simian-army.html

• Centralized framework for cloud security monitoring and analysis

• Leverages AWS APIs and common security tools


Security Monkey

• Certificate monitoring

• Security group monitoring

• Exposed instances/applications

• Web application vulnerability scanning

• Upcoming:

• Policy analysis (firewall, user, S3, etc.)
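The "security group monitoring" and "exposed instances" bullets above, together with the earlier "ec2-authorize db -P tcp -p 3306 -s app" example, describe the kind of check a tool like this performs. The Python below is an added example of such a check, written for this page and not Security Monkey's own code: it audits a constructed list of ingress rules (shaped like what ec2-describe-group or boto return), flags sensitive ports open to the whole Internet, and flags rules that use a CIDR source where a source security group, which gives the dynamic membership from the security-group table, would be the better choice. The rule list and the port table are constructed sample data.

```python
import ipaddress

# Ports where an Internet-wide ingress rule is almost never intended.
SENSITIVE_PORTS = {22: "ssh", 3306: "mysql", 3389: "rdp", 5432: "postgres", 6379: "redis"}

# Constructed sample rules: one entry per (group, protocol, port range, source).
# "src" is either a CIDR or the name of another security group, as in the
# earlier "ec2-authorize db -P tcp -p 3306 -s app" example.  proto "-1"
# stands for all protocols.
SAMPLE_RULES = [
    {"group": "db",  "proto": "tcp", "from": 3306, "to": 3306,  "src": "app"},
    {"group": "app", "proto": "tcp", "from": 80,   "to": 80,    "src": "0.0.0.0/0"},
    {"group": "app", "proto": "tcp", "from": 22,   "to": 22,    "src": "0.0.0.0/0"},
    {"group": "db",  "proto": "tcp", "from": 3306, "to": 3306,  "src": "10.0.0.0/8"},
    {"group": "ops", "proto": "-1",  "from": 0,    "to": 65535, "src": "0.0.0.0/0"},
]


def _cidr(src):
    """Return the network for a CIDR source, or None if src is a group name."""
    try:
        return ipaddress.ip_network(src, strict=False)
    except ValueError:
        return None


def audit_rules(rules, sensitive_ports=SENSITIVE_PORTS):
    """Return (severity, group, message) findings for risky ingress rules."""
    findings = []
    for r in rules:
        net = _cidr(r["src"])
        world = net is not None and net.prefixlen == 0
        ports = range(r["from"], r["to"] + 1)
        if r["proto"] == "-1" and world:
            findings.append(("high", r["group"], f"all protocols/ports open to {r['src']}"))
            continue
        hit = [f"{p}/{name}" for p, name in sensitive_ports.items() if p in ports]
        if world and hit:
            findings.append(("high", r["group"], f"{', '.join(hit)} open to {r['src']}"))
        elif net is not None and hit:
            findings.append(("medium", r["group"],
                             f"{', '.join(hit)} allowed from CIDR {r['src']}; "
                             "prefer a source security group"))
    return findings


if __name__ == "__main__":
    for severity, group, message in audit_rules(SAMPLE_RULES):
        print(f"{severity:6} {group:4} {message}")
```

The db-from-app rule produces no finding: its source is a group, so membership follows instances as they are launched and terminated. Run periodically against the live rule set and diffed against the previous run, this is the shape of continuous security-group monitoring; the severity labels and port list are policy choices to adapt locally.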


References

• http://www.slideshare.net/netflix

• http://techblog.netflix.com

• https://cloudsecurityalliance.org/
