aws security meetup: how to implement top 10 aws security best practices
Post on 06-Aug-2015
65 Views
Preview:
TRANSCRIPT
How to Implement Top 10 AWS Security Best Practices with Evident.io
William Knowles
Customer Success Advocate
2015-06-16
Top 10 AWS Security Best Practices
1. Disable root API access key and secret key
2. Enable MFA tokens everywhere
3. Reduce number of IAM users with Admin rights
4. Use Roles for EC2
5. Least privilege: limit what IAM entities can do with strong/explicit policies
6. Rotate all the keys regularly
7. Use IAM roles with STS AssumeRole where possible
8. Use AutoScaling to dampen DDoS effects
9. Do not allow 0.0.0.0/0 in any EC2/ELB security group unless you mean it
10. Watch world-readable/listable S3 bucket policies
Check out http://blog.evident.io
3
“Root” account has no restrictionsCreate administrative IAM usersUse Roles for EC2 (#4)Make sure billing and contact questions
are filled outBonus: Set up MFA on root and throw away
the key!
#1 - Disable Root Account API Access Key
4
#2 - 1 Enable MFA Tokens Everywhere
Provide an additional factor to the authentication step
MFA is assigned to root account and IAM users
Can be assigned to rolesPhysical or virtualVirtual has choices (Google Authenticator,
Authy, etc.)
5
How many people have the keys to your kingdom?
Not just people - appsReview IAM policies on Users, Groups
and RolesRemember #1Consider Identity Federation
#3 - Reduce Number of IAM users with Admin
6
Do your EC2 instances need to contact other AWS Services?
AWS SDKs and aws-cli support EC2 RolesReduced attack surface areaSecure DevOps on EC2Create an EC2 specific roleAssign a specific policy to that roleLaunch an EC2 instance with that roleEasy to test with aws-cli on EC2
#4 - Use Roles for EC2
7
Programs should operate using the least amount of privilege to get the job done
IAM can get very granularWorks in tandem with #4 on
EC2Should be applied to all
automated workflows, tooVery specific IAM policies - only
allow what you meanIAM managed policies make
this easierUse the IAM policy generator
and policy simulator to help
#5 - Least Privilege
8
Compromised access keys are very annoying and can cost your business dearly
IAM users should have keys rotated every 90 days minimum
Mostly useful for when Roles for EC2 won’t work in automated workflows
Sample process:Track age of Access KeysCreate new keySupply key to automation processTestDeactivate old key
#6 - Rotate all the Keys Regularly
9
Similar to EC2 RolesCan be used in place of privileged IAM user Access
KeysTemporary credentialsAllows for 3rd parties such as Evident.io to access
your AWS accounts more securelyExtended version of AssumeRole allows for Identity
Federation
#7 - Use IAM Roles with STS AssumeRole
10
AutoScaling allows you to increase number of EC2 instances automatically
More instances means site stays upSmall price to pay for site reliabilityYou may need a temporary increase in EC2
limitsYou may need to temporarily increase
desired number of instances in ASGWork with AWS, they may be able to help
you on the network edge
#8 - Use AutoScaling to Dampen DDoS
11
Unless you really mean itLike leaving the door wide openEC2 IP address range is a favorite
for scanners Monitor Security Groups regularly
(HINT: Evident.io can help)Affects not just EC2 instances, but:ELBsRDS Database ServersElastiCache ClustersEMR Nodesand others…
#9 - Do not allow ALL in Security Groups
12
Open S3 buckets a favorite for trolling for API Access Keys
Check your Bucket ACLs regularlyWatch for all grantees, including
AuthenticatedUsersCheck your Bucket Policies
regularly
#10 - Watch Readable and Listable S3 Buckets
13
Evident.io Can Help!
14
william@evident.iohttp://blog.evident.iohttps://www.evident.io
top related