aws security event slides

AWS Security Overview Bill Shinn Principal Security Solutions Architect

Upload: nguyenngoctrung

Post on 17-Sep-2015


DESCRIPTION

The slide from AWS Security Event

TRANSCRIPT

  • AWS Security Overview

    Bill Shinn

    Principal Security Solutions Architect

  • Accelerating Security with AWS

    AWS Overview / Risk Management / Compliance Overview
    Identity / Privilege Isolation
    Roles for EC2 / 3 Technical Use Cases

  • AWS Overview


  • What is AWS?

    AWS Global Infrastructure, with the service layers built on top of it: Compute, Storage, Database, Networking, Deployment & Management, Application Services

  • AWS Global Infrastructure

    9 Regions (at the time of the talk)

    25 Availability Zones (at the time of the talk)

    Continuous Expansion

  • AWS Availability Zones

    Note: Conceptual drawing only. South America (Sao Paulo), GovCloud & Asia-Pacific (Tokyo) not shown.

    EU Region (Ireland): Availability Zones A, B
    US East Region (N. VA): Availability Zones A, B, C
    APAC Region (Sydney): Availability Zones A, B, C
    US West Region (N. California): Availability Zones A, B
    US West Region (Oregon): Availability Zones A, B
    APAC Region (Singapore): Availability Zones A, B

  • AWS Approach to Risk Management, Security & Compliance


  • Architected for Enterprise Security Requirements

    "The Amazon Virtual Private Cloud [Amazon VPC] was a unique option that offered an additional level of security and an ability to integrate with other aspects of our infrastructure."

    Dr. Michael Miller, Head of HPC for R&D

  • Security & Compliance Shared Responsibility

    AWS: Facilities, Physical Security, Compute Infrastructure, Storage Infrastructure, Network Infrastructure, Virtualization Layer

    Customer: Operating System, Applications, Security Groups, Firewalls, Network Configuration, Account Management

    AWS + Customer = security and compliance of the whole stack

  • Benefits of Scale Apply to Security and Compliance

    The entire community benefits from tough scrutiny, the world-class AWS security team, market-leading capabilities, and constant improvements.

    Everyone's systems and applications run on the same security infrastructure, which is shaped by the requirements of every customer.

    Nothing better for the community than a tough set of customers.

  • Accreditation & Compliance, Old and New

    Old world
      Functionally optional (you can build a secure system without it)
      Audits done by an in-house team
      Accountable to yourself
      Must maintain talent and keep pace
      Check typically once a year, one location
      Workload-specific / regulation-specific compliance checks

    New world
      Functionally necessary: a high watermark of requirements
      Audits done by third-party experts
      Accountable to everyone
      Security drives broad compliance
      Continuous monitoring, everywhere
      Compliance approach based on all possible workload scenarios

  • Identity / Isolation / Trust Boundary Patterns


  • Identity & Access Management

    IAM enables customers to create and manage users in AWS's identity system
    Identity federation with a local directory is an option for enterprises
    Very familiar security model: users, groups, permissions
    Allows customers to:
      Create users
      Assign individual passwords, access keys, multi-factor authentication devices
      Grant fine-grained permissions
      Optionally grant them access to the AWS Console
      Organize users in groups

  • IAM Policy Structure

    Action

    Effect

    Resource

    Condition

  • IAM / Security Token Service

    AssumeRole

    Duration from 15 minutes to one hour (the limit at the time of the talk; role sessions can now be configured for up to 12 hours)

    Returns a temporary access key ID, secret access key, and session token; the session token must accompany every request signed with the temporary keys

  • Privilege Isolation

    Account

    IAM User/Group/Role

    Region

    Amazon VPC

    Security Group

    Resource

  • Privilege Isolation / Resources

    Resource permissions by service (by API call): http://docs.aws.amazon.com/IAM/latest/UserGuide/Using_SpecificProducts.html

      Amazon DynamoDB (tables and indexes)
      Amazon Elastic Beanstalk (application, application version, solution stack)
      Amazon EC2 (instance, security group, DHCP options, NACL, route table, gateways, volumes)
      Amazon Glacier (vault)
      Amazon IAM (signing credentials, group, ...)
      Amazon Redshift (cluster, parameter group, security group, snapshot, subnet group)
      Amazon RDS
      Amazon Route 53 (hosted zone)
      Amazon S3 (bucket)
      Amazon SNS (topic)
      Amazon SQS (queue)

  • Privilege Isolation / Resources

    Resource-based permissions for EC2 announced on July 9th, 2013
    Assign permissions to EC2 & other resources: instance, snapshot, volume
    Combine with existing permissions and policies based on EC2 actions to create extremely fine-grained policies for managing AWS resources
    Leverage tagging and attribute-driven conditions:
      Tags such as Production or AppName
      Overlay organizational structure such as cost centers or departments
      Require dedicated tenancy as a condition
    Available resources and conditions continue to grow

  • AWS IAM Credentials

    require 'rubygems'
    require 'aws-sdk'

    # Long-lived IAM user credentials embedded in the source: this is the
    # pattern the rest of the talk replaces with roles. (The key pair is the
    # AWS documentation example pair, not a real key.)
    s3 = AWS::S3.new(
      :access_key_id     => 'AKIAIOSFODNN7EXAMPLE',
      :secret_access_key => 'wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY')

    document = s3.buckets['text-content'].objects['db-backup-schedule.txt']

    File.open("local-file.txt", "w") do |f|
      f.write(document.read)
    end

  • IAM Roles / EC2

    Role

    Instance Profile

    Identity for the instance itself

    Available to every application and user on the host (anything that can make the host issue a request to the metadata endpoint can read them, so the role's permissions should be scoped to what that host needs)

  • IAM Roles / Instance Metadata Service

    The entitlements of the credentials are those of the IAM role

    Short-lived, with an expiration time

    Rotation is managed by AWS

    No stored credentials!

  • AWS SDK Credential Chain

    The Ruby SDK tries each source in order and uses the first one that yields credentials:

    Static credentials provided to the AWS.config method, for example
    AWS.config(:access_key_id => '...', :secret_access_key => '...')

    Environment variables ('AWS' prefix): ENV['AWS_ACCESS_KEY'] and ENV['AWS_SECRET_ACCESS_KEY']

    Environment variables ('AMAZON' prefix): ENV['AMAZON_ACCESS_KEY'] and ENV['AMAZON_SECRET_ACCESS_KEY']

    Instance Metadata Service, which provides the credentials associated with the IAM role for the EC2 instance

    The variable names above are the ones this version of the SDK read; current SDKs use AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY and AWS_SESSION_TOKEN. Note that a source earlier in the chain silently wins over the instance role, so a stray static key left in a config file or shell profile overrides the short-lived role credentials.

  • AWS IAM Credentials / EC2 Roles

    require 'rubygems'
    require 'aws-sdk'

    # The static credentials from the earlier example are gone. With nothing
    # passed in, the SDK walks its credential chain and ends at the instance
    # metadata service, picking up the role attached to the instance.
    # s3 = AWS::S3.new(
    #   :access_key_id     => 'AKIAIOSFODNN7EXAMPLE',
    #   :secret_access_key => 'wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY')
    s3 = AWS::S3.new()

    document = s3.buckets['text-content'].objects['db-backup-schedule.txt']

    File.open("local-file.txt", "w") do |f|
      f.write(document.read)
    end

    The same credentials, read directly from the metadata service on the instance (role name DBA):

    [ec2-user@ip-172-16-1-153 ~]$ curl http://169.254.169.254/latest/meta-data/iam/security-credentials/DBA/
    {
      "Code" : "Success",
      "LastUpdated" : "2013-10-09T04:20:10Z",
      "Type" : "AWS-HMAC",
      "AccessKeyId" : "EXAMPLEACCESSID12345",
      "SecretAccessKey" : "/1e2x3a4m5p6l7esecretAccessK3y+321987",
      "Token" : "AQoDYXdzEIX//////////wEaoAJJ2rZZJat9wVl3Hub/ALObuZoLeOxLs48WqL0D0muqK9iMRrfAWQlhOtVzygfuRkLzAbKj3FUcNez6kqy/ljZkr461OMlBvt1LuRMGkZhGww8IqkS1Owrv1K3vEbbK6iPPjJNvzxGt0x9o8maoMh989EJNWuzQ6W6qq9UfopcZc9dCVGbo87b5Lo1yOJTnghyQI6XDqyImrUx+NMgQU2bOGiXyQ7RiWyhdkUXgBh4tuipsO4Q6XUE189NM0EKkeSDsKdzl/H+WX+IihSnYjjaLWHr6wSBVbmudoLb8RqE/urMGWhEolZuiXMGYvWOdau9MBkXF+4ciqlGx7mff6rOQoLqMzAhz4hWbEMOciVD7oUo3HvG/lLo4JOUyBEBHkJwglrPTkgU=",
      "Expiration" : "2013-10-09T10:24:32Z"
    }
    [ec2-user@ip-172-16-1-153 ~]$

    Caveat: this is the IMDSv1 form of the call, a plain GET with no session token. On current instances IMDSv2 should be required, so the same read first needs a PUT to /latest/api/token and must send the returned token in an X-aws-ec2-metadata-token header. That also closes the common SSRF route to these credentials, since a GET forged through a web application no longer returns them.
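The credential chain described on the previous slide and the metadata read above, as an added example (this is illustration code, not the aws-sdk's own provider implementation). It resolves credentials in the order the slides list, performs the instance-metadata step the IMDSv2 way (session-token PUT, then GETs carrying the token), and refuses credentials that are about to expire. The HTTP fetcher is injected so the chain runs offline against a constructed metadata response; the endpoint paths and header names are the real ones, while the token and credential values are made up.

```ruby
require 'json'
require 'time'
require 'net/http'
require 'uri'

# Added example, not the aws-sdk's own provider code: a credential chain in
# the order the slides list (static config, AWS_* env, AMAZON_* env, then the
# instance metadata service), with the metadata step written for IMDSv2 and
# with expiry handling for the short-lived role credentials.
module CredChain
  Credentials = Struct.new(:access_key_id, :secret_access_key, :session_token,
                           :expiration, :source) do
    # Treat role credentials as stale a few minutes early so a request signed
    # just before the reported expiry does not fail mid-flight.
    def expired?(now = Time.now, skew = 300)
      !expiration.nil? && now + skew >= expiration
    end
  end

  IMDS = 'http://169.254.169.254'

  # Real fetcher against the link-local metadata endpoint (short timeouts:
  # off EC2 the address is unreachable and the chain should fail fast).
  def self.imds_http(path, method: :get, headers: {})
    uri = URI("#{IMDS}#{path}")
    req = method == :put ? Net::HTTP::Put.new(uri) : Net::HTTP::Get.new(uri)
    headers.each { |k, v| req[k] = v }
    Net::HTTP.start(uri.host, uri.port, open_timeout: 1, read_timeout: 1) { |h| h.request(req) }.body
  end

  def self.from_static(config)
    return nil unless config[:access_key_id] && config[:secret_access_key]
    Credentials.new(config[:access_key_id], config[:secret_access_key], nil, nil, 'static')
  end

  def self.from_env(env, prefix)
    id, secret = env["#{prefix}_ACCESS_KEY"], env["#{prefix}_SECRET_ACCESS_KEY"]
    return nil unless id && secret
    Credentials.new(id, secret, env["#{prefix}_SESSION_TOKEN"], nil, "env:#{prefix}")
  end

  # IMDSv2: token first, then the role name, then the credentials document
  # (same JSON shape as the curl output on the slide).
  def self.from_imds(fetch)
    token = fetch.call('/latest/api/token', method: :put,
                       headers: { 'X-aws-ec2-metadata-token-ttl-seconds' => '21600' })
    hdr = { 'X-aws-ec2-metadata-token' => token }
    role = fetch.call('/latest/meta-data/iam/security-credentials/', headers: hdr).lines.first.to_s.strip
    return nil if role.empty?
    doc = JSON.parse(fetch.call("/latest/meta-data/iam/security-credentials/#{role}", headers: hdr))
    return nil unless doc['Code'] == 'Success'
    Credentials.new(doc['AccessKeyId'], doc['SecretAccessKey'], doc['Token'],
                    Time.parse(doc['Expiration']), "imds:#{role}")
  end

  # First source that yields credentials wins, exactly like the SDK chain.
  def self.resolve(config: {}, env: ENV, imds_fetch: method(:imds_http), now: Time.now)
    found = from_static(config) || from_env(env, 'AWS') || from_env(env, 'AMAZON') || from_imds(imds_fetch)
    raise 'no credentials found in chain' if found.nil?
    raise "credentials from #{found.source} already expired" if found.expired?(now)
    found
  end
end

# Constructed stand-in for the metadata service (all values are fake; the
# document mirrors the slide's fields). It enforces the IMDSv2 rule that a
# read without the session token is refused.
SAMPLE_IMDS = {
  '/latest/api/token' => 'AQAAA-constructed-session-token',
  '/latest/meta-data/iam/security-credentials/' => "DBA\n",
  '/latest/meta-data/iam/security-credentials/DBA' => JSON.generate(
    'Code' => 'Success', 'LastUpdated' => '2013-10-09T04:20:10Z', 'Type' => 'AWS-HMAC',
    'AccessKeyId' => 'EXAMPLEACCESSID12345',
    'SecretAccessKey' => '/1e2x3a4m5p6l7esecretAccessK3y+321987',
    'Token' => 'AQoDYXdzEIX-constructed', 'Expiration' => '2013-10-09T10:24:32Z')
}
FAKE_FETCH = lambda do |path, method: :get, headers: {}|
  if path != '/latest/api/token' && headers['X-aws-ec2-metadata-token'] != SAMPLE_IMDS['/latest/api/token']
    raise 'IMDSv2: 401 Unauthorized (no session token)'
  end
  SAMPLE_IMDS.fetch(path)
end
```

Calling CredChain.resolve(env: {}, imds_fetch: FAKE_FETCH, now: Time.parse('2013-10-09T05:00:00Z')) returns the DBA role credentials; the same call with an AWS_ACCESS_KEY in env returns those instead, which is the override behaviour to keep in mind when a stray key sits in a shell profile, and a clock past the Expiration value raises instead of handing out dead credentials.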

  • Roles for EC2 / 3 Use Cases


  • Bastion Host Role

    Eliminates need for individual IAM credentials

    Reduces or eliminates need for federation

    Combine with auditing of shell commands

    Control access by host / purpose

  • Web Application Access Role

    Eliminates the need for storing IAM credentials in config files

    Addresses key distribution and app deployment/bootstrap patterns (get secrets for database access, private keys for mutual auth, etc.)

    Can't check secrets into GitHub or Perforce if there aren't any

    Easier coding, faster coding, more features

  • Security Auditing Role

    Read-only access to AWS assets

    Census picture of all assets (feed scanning & SIEM reconciliation)

    RDS & Redshift query and connection auditing

    Change detection of vital objects
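The "census" and "change detection" bullets above, worked through as an added example (not code from the talk): two snapshots of security groups, in the shape ec2:DescribeSecurityGroups returns, are flattened to a set of ingress rules and diffed, and any newly added rule reachable from the whole internet is reported separately. The snapshots are constructed inline and the group ids are made up; with a real auditing role the same function would be fed the API's output.

```ruby
require 'set'

# Added example, not from the slides: change detection over a census of EC2
# security groups, the kind of snapshot a read-only auditing role can take
# with ec2:DescribeSecurityGroups.
module SgAudit
  WORLD = ['0.0.0.0/0', '::/0'].freeze

  # Flatten a DescribeSecurityGroups-style list into canonical rule strings:
  # "<group id> <protocol> <port range> <cidr>". Protocol "-1" means all traffic.
  def self.rules(snapshot)
    strings = snapshot.flat_map do |sg|
      sg.fetch('IpPermissions', []).flat_map do |perm|
        proto = perm['IpProtocol']
        ports = proto == '-1' ? 'all' : "#{perm['FromPort']}-#{perm['ToPort']}"
        v4 = perm.fetch('IpRanges', []).map { |r| r['CidrIp'] }
        v6 = perm.fetch('Ipv6Ranges', []).map { |r| r['CidrIpv6'] }
        (v4 + v6).map { |cidr| "#{sg['GroupId']} #{proto} #{ports} #{cidr}" }
      end
    end
    Set.new(strings)
  end

  # Diff two snapshots; :world_open lists the added rules reachable from anywhere,
  # which is the change an auditor wants paged on rather than just logged.
  def self.diff(baseline, current)
    before, after = rules(baseline), rules(current)
    added   = (after - before).to_a.sort
    removed = (before - after).to_a.sort
    world_open = added.select { |r| WORLD.any? { |w| r.end_with?(" #{w}") } }
    { added: added, removed: removed, world_open: world_open }
  end

  # Constructed baseline: web tier open on 443 to the world, SSH only from 10/8.
  BASELINE = [
    { 'GroupId' => 'sg-0123456789abcdef0', 'GroupName' => 'web',
      'IpPermissions' => [
        { 'IpProtocol' => 'tcp', 'FromPort' => 443, 'ToPort' => 443, 'IpRanges' => [{ 'CidrIp' => '0.0.0.0/0' }] },
        { 'IpProtocol' => 'tcp', 'FromPort' => 22,  'ToPort' => 22,  'IpRanges' => [{ 'CidrIp' => '10.0.0.0/8' }] }
      ] },
    { 'GroupId' => 'sg-0fedcba9876543210', 'GroupName' => 'db',
      'IpPermissions' => [
        { 'IpProtocol' => 'tcp', 'FromPort' => 3306, 'ToPort' => 3306, 'IpRanges' => [{ 'CidrIp' => '10.0.1.0/24' }] }
      ] }
  ].freeze

  # Constructed later snapshot: SSH widened to the world, and an all-traffic
  # IPv6 rule added to the database group.
  CURRENT = [
    { 'GroupId' => 'sg-0123456789abcdef0', 'GroupName' => 'web',
      'IpPermissions' => [
        { 'IpProtocol' => 'tcp', 'FromPort' => 443, 'ToPort' => 443, 'IpRanges' => [{ 'CidrIp' => '0.0.0.0/0' }] },
        { 'IpProtocol' => 'tcp', 'FromPort' => 22,  'ToPort' => 22,  'IpRanges' => [{ 'CidrIp' => '0.0.0.0/0' }] }
      ] },
    { 'GroupId' => 'sg-0fedcba9876543210', 'GroupName' => 'db',
      'IpPermissions' => [
        { 'IpProtocol' => 'tcp', 'FromPort' => 3306, 'ToPort' => 3306, 'IpRanges' => [{ 'CidrIp' => '10.0.1.0/24' }] },
        { 'IpProtocol' => '-1', 'IpRanges' => [], 'Ipv6Ranges' => [{ 'CidrIpv6' => '::/0' }] }
      ] }
  ].freeze
end

if $PROGRAM_NAME == __FILE__
  report = SgAudit.diff(SgAudit::BASELINE, SgAudit::CURRENT)
  report[:world_open].each { |r| puts "ALERT world-reachable ingress added: #{r}" }
  report[:removed].each    { |r| puts "removed: #{r}" }
end
```

Rules are normalised to strings before diffing so the comparison is independent of the order the API returns groups or ranges in; a sorted list of added and removed rules is also what a SIEM reconciliation job can ingest unchanged.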

  • Security Auditing Role / EC2 Read-only Policy

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Action": [
            "ec2:DescribeAddresses",
            "ec2:DescribeImageAttribute",
            "ec2:DescribeImages",
            "ec2:DescribeInstanceAttribute",
            "ec2:DescribeInstanceStatus",
            "ec2:DescribeInstances",
            "ec2:DescribeNetworkAcls",
            "ec2:DescribeNetworkInterfaceAttribute",
            "ec2:DescribeNetworkInterfaces",
            "ec2:DescribeRouteTables",
            "ec2:DescribeSecurityGroups",
            "ec2:DescribeSubnets",
            "ec2:DescribeVpcs"
          ],
          "Resource": [
            "*"
          ],
          "Effect": "Allow"
        }
      ]
    }

  • Security Auditing Role / RDS Read-only Policy

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Action": [
            "rds:DescribeDBInstances",
            "rds:DescribeDBLogFiles",
            "rds:DescribeDBParameterGroups",
            "rds:DescribeDBParameters",
            "rds:DownloadDBLogFilePortion"
          ],
          "Resource": [
            "*"
          ],
          "Effect": "Allow",
          "Condition": {
            "StringEquals": {
              "rds:db-tag/environment": [
                "prod",
                "dr"
              ]
            }
          }
        }
      ]
    }

    The condition operator is StringEquals, and the condition key is rds:db-tag/<tag name>, so the statement only matches calls evaluated against a DB instance carrying environment=prod or environment=dr. A request for which the key is absent (an untagged instance, or a call such as DescribeDBParameterGroups that is evaluated against a parameter group rather than a DB instance) does not satisfy StringEquals and falls through to the implicit deny.
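To make the Action / Effect / Resource / Condition structure from the IAM Policy Structure slide concrete, and to show how the tag condition in the RDS policy above behaves, here is an added example of a small policy evaluator (illustration code, not the IAM engine and not from the talk). It implements just the pieces the slides use: "*" wildcards in Action and Resource, StringEquals conditions, and the rule that an explicit Deny beats every Allow while no matching statement is an implicit deny. The policy, the DB instance ARN and the account id it is evaluated against are constructed for the example.

```ruby
require 'json'

# Added example, not from the slides: a minimal evaluator for the four-part
# IAM policy structure. Not the IAM engine (no NotAction, policy variables,
# resource policies, etc.); it covers only what the talk uses.
module MiniIam
  # Does any glob in +patterns+ match +value+? IAM action names are matched
  # case-insensitively; resource ARNs are case-sensitive.
  def self.match?(patterns, value, ignore_case)
    Array(patterns).any? do |glob|
      re = Regexp.escape(glob).gsub('\*', '.*').gsub('\?', '.')
      Regexp.new("\\A#{re}\\z", ignore_case ? Regexp::IGNORECASE : 0).match?(value)
    end
  end

  # Every operator/key pair in the Condition block must hold. A key that is
  # absent from the request context makes StringEquals fail, and an operator
  # this evaluator does not know fails closed.
  def self.condition_holds?(condition, context)
    return true if condition.nil? || condition.empty?
    condition.all? do |operator, pairs|
      pairs.all? do |key, allowed|
        actual = context[key]
        case operator
        when 'StringEquals'    then !actual.nil? && Array(allowed).include?(actual)
        when 'StringNotEquals' then !Array(allowed).include?(actual)
        else false
        end
      end
    end
  end

  # Returns :allow, :deny (explicit) or :implicit_deny.
  def self.evaluate(policy, action:, resource:, context: {})
    decision = :implicit_deny
    policy['Statement'].each do |st|
      next unless match?(st['Action'], action, true)
      next unless match?(st['Resource'], resource, false)
      next unless condition_holds?(st['Condition'], context)
      return :deny if st['Effect'] == 'Deny' # explicit deny always wins
      decision = :allow
    end
    decision
  end
end

# Constructed policy in the shape of the slide's RDS auditing policy, plus a
# Deny guard so the role stays read-only even if a broader Allow is added later.
RDS_AUDIT_POLICY = JSON.parse(<<~POLICY)
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Action": ["rds:Describe*", "rds:DownloadDBLogFilePortion"],
        "Resource": "*",
        "Condition": { "StringEquals": { "rds:db-tag/environment": ["prod", "dr"] } }
      },
      {
        "Effect": "Deny",
        "Action": ["rds:Delete*", "rds:Modify*", "rds:Create*"],
        "Resource": "*"
      }
    ]
  }
POLICY

# Hypothetical DB instance ARN (account id and instance name are made up).
DB_ARN = 'arn:aws:rds:us-east-1:123456789012:db:rdsexample'

# Four requests against the policy: tagged prod log read, tagged dev log read,
# untagged describe, and a delete on a prod instance.
def audit_decisions
  {
    prod_log: MiniIam.evaluate(RDS_AUDIT_POLICY, action: 'rds:DownloadDBLogFilePortion',
                               resource: DB_ARN, context: { 'rds:db-tag/environment' => 'prod' }),
    dev_log:  MiniIam.evaluate(RDS_AUDIT_POLICY, action: 'rds:DownloadDBLogFilePortion',
                               resource: DB_ARN, context: { 'rds:db-tag/environment' => 'dev' }),
    untagged: MiniIam.evaluate(RDS_AUDIT_POLICY, action: 'rds:DescribeDBInstances',
                               resource: DB_ARN, context: {}),
    delete:   MiniIam.evaluate(RDS_AUDIT_POLICY, action: 'rds:DeleteDBInstance',
                               resource: DB_ARN, context: { 'rds:db-tag/environment' => 'prod' })
  }
end

puts audit_decisions.inspect if $PROGRAM_NAME == __FILE__
```

The prod log read is allowed, the dev log read and the untagged describe fall through to the implicit deny because the tag condition is not met, and the delete is explicitly denied even though a future Allow for rds:* would otherwise cover it.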

  • Security Auditing Role / RDS Read-only Policy

    #!/usr/bin/env ruby
    require 'rubygems'
    require 'aws-sdk'

    # No credentials in the script: the SDK picks up the auditing role from
    # the instance metadata service.
    rds = AWS::RDS.new(:region => 'us-east-1').client

    general = "general/mysql-general.log"
    # Downloads one portion of the log; the response also carries :marker and
    # :additional_data_pending for fetching the rest.
    logdata = rds.download_db_log_file_portion(:db_instance_identifier => "rdsexample",
                                               :log_file_name => general)

    puts logdata[:log_file_data]


  • Thank You!

    Bill Shinn

    Principal Security Solutions Architect