
Page 1: AWS Security Overview - Meetupfiles.meetup.com/8763012/Bill Shinn_10-10 Security Event... · 2013-10-14 · Accelerating Security with AWS AWS Overview / Risk Management / Compliance

AWS Security Overview

Bill Shinn

Principal Security Solutions Architect

Page 2:

Accelerating Security with AWS

•  AWS Overview / Risk Management / Compliance Overview
•  Identity / Privilege Isolation
•  Roles for EC2 / 3 Technical Use Cases

Page 3:

AWS Overview

Page 4:

What is AWS?

•  AWS Global Infrastructure
•  Application Services
•  Networking
•  Deployment & Management
•  Database
•  Storage
•  Compute

Page 5:

AWS Global Infrastructure

•  9 Regions
•  25 Availability Zones
•  Continuous Expansion

(Region and Availability Zone counts as of this talk, October 2013.)

Page 6:

AWS Availability Zones

Note: Conceptual drawing only. South America (Sao Paulo), GovCloud & Asia-Pacific (Tokyo) not shown.

•  EU Region (Ireland): Availability Zones A, B
•  US East Region (N. VA): Availability Zones A, B, C
•  APAC Region (Sydney): Availability Zones A, B, C
•  US West Region (N. California): Availability Zones A, B
•  US West Region (Oregon): Availability Zones A, B
•  APAC Region (Singapore): Availability Zones A, B

Page 7:

AWS Approach to Risk Management, Security & Compliance

Page 8:

Architected for Enterprise Security Requirements

“The Amazon Virtual Private Cloud [Amazon VPC] was a unique option that offered an additional level of security and an ability to integrate with other aspects of our infrastructure.”

Dr. Michael Miller, Head of HPC for R&D

Page 9:

Security & Compliance Shared Responsibility

AWS is responsible for the layers beneath the guest:
•  Facilities
•  Physical Security
•  Compute Infrastructure
•  Storage Infrastructure
•  Network Infrastructure
•  Virtualization Layer

The customer is responsible for what runs on and around the guest:
•  Operating System
•  Applications
•  Security Groups
•  Firewalls
•  Network Configuration
•  Account Management

AWS + Customer = the complete security picture.

Page 10:

Benefits of Scale Apply to Security and Compliance

The entire community benefits from tough scrutiny, the world-class AWS security team, market-leading capabilities, and constant improvements.

[Figure: requirements from many customers flow into one shared security infrastructure, which in turn underpins everyone’s systems and applications.]

Nothing better for the community than a tough set of customers…

Page 11:

Accreditation & Compliance, Old and New

Old world

•  Functionally optional (you can build a secure system without it)

•  Audits done by an in-house team

•  Accountable to yourself

•  Must maintain talent and keep pace

•  Check typically once a year, one location

•  Workload-specific/regulation specific compliance checks

New world

•  Functionally necessary – high watermark of requirements

•  Audits done by third party experts

•  Accountable to everyone

•  Security drives broad compliance

•  Continuous monitoring, everywhere

•  Compliance approach based on all possible workload scenarios

Page 12:

Identity / Isolation / Trust Boundary Patterns

Page 13:

Identity & Access Management

IAM enables customers to create and manage users in AWS’s identity system

•  Identity Federation with a local directory is an option for enterprises

Very familiar security model
•  Users, groups, permissions

Allows customers to
•  Create users
•  Assign individual passwords, access keys, multi-factor authentication devices
•  Grant fine-grained permissions
•  Optionally grant them access to the AWS Console
•  Organize users in groups

Page 14:

IAM Policy Structure

•  Action: the API calls the statement covers (e.g. ec2:DescribeInstances)
•  Effect: Allow or Deny; an explicit Deny overrides any Allow
•  Resource: the ARNs the statement applies to ("*" for all)
•  Condition: optional constraints on the request context, such as the resource tags used in the later slides

Page 15:

IAM / Security Token Service

•  AssumeRole
•  Duration from 15 minutes to one hour (the limits when this talk was given)
•  Returns a temporary access key ID, secret access key, and security (session) token

Page 16:

Privilege Isolation

Boundaries at which privilege can be isolated:

•  Account
•  IAM User/Group/Role
•  Region
•  Amazon VPC
•  Security Group
•  Resource

Page 17:

Privilege Isolation / Resources

Resource Permissions by Service (by API call)
http://docs.aws.amazon.com/IAM/latest/UserGuide/Using_SpecificProducts.html

•  Amazon DynamoDB (tables and indexes)
•  Amazon Elastic Beanstalk (application, application version, solution stack)
•  Amazon EC2 (instance, security group, DHCP options, NACL, route table, gateways, volumes)
•  Amazon Glacier (vault)
•  Amazon IAM (signing credentials, group, …)
•  Amazon Redshift (cluster, parameter group, security group, snapshot, subnet group)
•  Amazon RDS
•  Amazon Route53 (hosted zone)
•  Amazon S3 (bucket)
•  Amazon SNS (topic)
•  Amazon SQS (queue)

Page 18:

Privilege Isolation / Resources

•  “Resource-based Permissions for EC2” announced on July 9th, 2013
•  Assign permissions to EC2 & other resources
   •  Instance
   •  Snapshot
   •  Volume
•  Combine with existing permissions and policies based on EC2 Actions to create extremely fine-grained policies for managing AWS resources
•  Leverage tagging and attribute-driven conditions
   •  Tags such as “Production” or “AppName”
   •  Overlay organizational structure such as cost centers or departments
   •  Require dedicated tenancy as a condition
•  Available resources and conditions continue to grow…

Page 19:

AWS IAM Credentials

# Long-lived IAM user credentials hard-coded in the application: this is the
# pattern the EC2 roles slides that follow replace. (The key values are the
# AWS documentation example keys.)
require 'rubygems'
require 'aws-sdk'

s3 = AWS::S3.new(
  :access_key_id => 'AKIAIOSFODNN7EXAMPLE',
  :secret_access_key => 'wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY')

document = s3.buckets['text-content'].objects['db-backup-schedule.txt']

File.open("local-file.txt", "w") do |f|
  f.write(document.read)
end

Page 20:

IAM Roles / EC2

•  Role
•  Instance Profile
•  Identity for the instance itself
•  Available to all applications and users on the host: any local process that can reach the metadata service can use the role’s credentials, so the role is an instance-level identity, not a per-application one

Page 21:

IAM Roles / Instance Metadata Service

•  Entitlements of credentials => IAM Role

•  Short-life & Expiration

•  Managed rotation

•  No stored credentials!

Page 22:

AWS SDK Credential Chain

•  Static credentials provided to the AWS.config method. For example,

AWS.config(:access_key_id => '...', :secret_access_key => '...')

•  Environment Variables ('AWS' prefix): ENV['AWS_ACCESS_KEY'] and ENV['AWS_SECRET_ACCESS_KEY']

•  Environment Variables ('AMAZON' prefix): ENV['AMAZON_ACCESS_KEY'] and ENV['AMAZON_SECRET_ACCESS_KEY']

•  Instance Metadata Service, which provides the credentials associated with the IAM role for the EC2 instance

Page 23:

AWS IAM Credentials / EC2 Roles

require 'rubygems'
require 'aws-sdk'

# No credentials in the code: the SDK falls through its credential chain to
# the instance metadata service and picks up the instance's role credentials.
#s3 = AWS::S3.new(
#  :access_key_id => 'AKIAIOSFODNN7EXAMPLE',
#  :secret_access_key => 'wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY')
s3 = AWS::S3.new()

document = s3.buckets['text-content'].objects['db-backup-schedule.txt']

File.open("local-file.txt", "w") do |f|
  f.write(document.read)
end

The same role credentials as seen from the instance (role name DBA):

[ec2-user@ip-172-16-1-153 ~]$ curl http://169.254.169.254/latest/meta-data/iam/security-credentials/DBA/
{
  "Code" : "Success",
  "LastUpdated" : "2013-10-09T04:20:10Z",
  "Type" : "AWS-HMAC",
  "AccessKeyId" : "EXAMPLEACCESSID12345",
  "SecretAccessKey" : "/1e2x3a4m5p6l7esecretAccessK3y+321987",
  "Token" : "AQoDYXdzEIX//////////wEaoAJJ2rZZJat9wVl3Hub/ALObuZoLeOxLs48WqL0D0muqK9iMRrfAWQlhOtVzygfuRkLzAbKj3FUcNez6kqy/ljZkr461OMlBvt1LuRMGkZhGww8IqkS1Owrv1K3vEbbK6iPPjJNvzxGt0x9o8maoMh989EJNWuzQ6W6qq9UfopcZc9dCVGbo87b5Lo1yOJTnghyQI6XDqyImrUx+NMgQU2bOGiXyQ7RiWyhdkUXgBh4tuipsO4Q6XUE189NM0EKkeSDsKdzl/H+WX+IihSnYjjaLWHr6wSBVbmudoLb8RqE/urMGWhEolZuiXMGYvWOdau9MBkXF+4ciqlGx7mff6rOQoLqMzAhz4hWbEMOciVD7oUo3HvG/lLo4JOUyBEBHkJwglrPTkgU=",
  "Expiration" : "2013-10-09T10:24:32Z"
}
[ec2-user@ip-172-16-1-153 ~]$
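The credential chain from page 22 and the metadata document above, as an added example that is not the aws-sdk gem's own code: each provider returns credentials or nil, the first answer wins, and the instance-metadata provider parses the same JSON shape the curl output shows and tracks the Expiration field so that rotated role credentials are never used past their lifetime. The HTTP fetch is injected as a lambda so the example runs offline; the metadata document, key values and environment hashes below are constructed placeholders.

```ruby
require 'json'
require 'time'

module CredentialChain
  Credentials = Struct.new(:access_key_id, :secret_access_key, :session_token, :expiration, :source) do
    # Role credentials are treated as stale `margin` seconds before the advertised
    # expiration so a request signed just before the cut-off is not rejected in flight.
    def expired?(now = Time.now, margin = 5 * 60)
      !expiration.nil? && now >= expiration - margin
    end
  end

  # 1. Static credentials handed to the SDK in code (the AWS.config pattern).
  def self.from_static(config)
    return nil unless config[:access_key_id] && config[:secret_access_key]
    Credentials.new(config[:access_key_id], config[:secret_access_key], nil, nil, :static)
  end

  # 2./3. Environment variables with the AWS_ or AMAZON_ prefix; both halves are required.
  def self.from_env(env, prefix)
    id = env["#{prefix}_ACCESS_KEY"]
    secret = env["#{prefix}_SECRET_ACCESS_KEY"]
    return nil unless id && secret
    Credentials.new(id, secret, nil, nil, :"env_#{prefix.downcase}")
  end

  # 4. Instance metadata service: role credentials that carry a session token and expire.
  # `fetch` stands in for GET http://169.254.169.254/latest/meta-data/iam/security-credentials/<role>.
  def self.from_instance_metadata(fetch)
    body = fetch.call
    return nil if body.nil?
    doc = JSON.parse(body)
    return nil unless doc['Code'] == 'Success'
    Credentials.new(doc['AccessKeyId'], doc['SecretAccessKey'], doc['Token'],
                    Time.iso8601(doc['Expiration']), :instance_metadata)
  end

  # Walk the providers in the order the slide lists them; the first that answers wins.
  def self.resolve(config: {}, env: {}, metadata_fetcher: -> { nil })
    [
      -> { from_static(config) },
      -> { from_env(env, 'AWS') },
      -> { from_env(env, 'AMAZON') },
      -> { from_instance_metadata(metadata_fetcher) }
    ].each do |provider|
      creds = provider.call
      return creds unless creds.nil?
    end
    nil
  end
end

# Constructed metadata document in the shape of the curl output above (placeholder values).
SAMPLE_METADATA = <<~JSON
  {
    "Code" : "Success",
    "LastUpdated" : "2013-10-09T04:20:10Z",
    "Type" : "AWS-HMAC",
    "AccessKeyId" : "EXAMPLEACCESSID12345",
    "SecretAccessKey" : "/1e2x3a4m5p6l7esecretAccessK3y+321987",
    "Token" : "AQoDYXdzEXAMPLESESSIONTOKEN",
    "Expiration" : "2013-10-09T10:24:32Z"
  }
JSON

if __FILE__ == $0
  creds = CredentialChain.resolve(metadata_fetcher: -> { SAMPLE_METADATA })
  puts "#{creds.source}: #{creds.access_key_id}, expires #{creds.expiration.iso8601}"
  puts "usable at 04:30Z? #{!creds.expired?(Time.utc(2013, 10, 9, 4, 30, 0))}"
  puts "usable at 10:20Z? #{!creds.expired?(Time.utc(2013, 10, 9, 10, 20, 0))}"
end
```

The ordering is the security point: a stray AWS_ACCESS_KEY in a process environment shadows the instance role, so a host that is supposed to rely on its role should have no static credentials anywhere earlier in the chain.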

Page 24:

Roles for EC2 / 3 Use Cases

Page 25:

Bastion Host Role

•  Eliminates need for individual IAM credentials

•  Reduces or eliminates need for federation

•  Combine with auditing of shell commands

•  Control access by host / purpose

Page 26:

Web Application Access Role

•  Eliminates need for storing IAM credentials in config files

•  Addresses key distribution and app deployment/bootstrap patterns (get secrets for database access, private keys for mutual auth, etc.)

•  Can’t check secrets into GitHub or Perforce if there aren’t any

•  Easier coding, faster coding, more features

Page 27:

Security Auditing Role

•  Read-only access to AWS assets

•  Census picture of all assets (feed scanning & SIEM reconciliation)

•  RDS & Redshift query and connection auditing

•  Change detection of vital objects

Page 28:

Security Auditing Role / EC2 Read-only Policy

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "ec2:DescribeAddresses",
        "ec2:DescribeImageAttribute",
        "ec2:DescribeImages",
        "ec2:DescribeInstanceAttribute",
        "ec2:DescribeInstanceStatus",
        "ec2:DescribeInstances",
        "ec2:DescribeNetworkAcls",
        "ec2:DescribeNetworkInterfaceAttribute",
        "ec2:DescribeNetworkInterfaces",
        "ec2:DescribeRouteTables",
        "ec2:DescribeSecurityGroups",
        "ec2:DescribeSubnets",
        "ec2:DescribeVpcs"
      ],
      "Resource": ["*"],
      "Effect": "Allow"
    }
  ]
}

Page 29:

Security Auditing Role / RDS Read-only Policy

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "rds:DescribeDBInstances",
        "rds:DescribeDBLogFiles",
        "rds:DescribeDBParameterGroups",
        "rds:DescribeDBParameters",
        "rds:DownloadDBLogFilePortion"
      ],
      "Resource": ["*"],
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "rds:db-tag/environment": ["prod", "dr"]
        }
      }
    }
  ]
}

The condition operator on the original slide was abbreviated as "streq"; the operator IAM accepts is StringEquals, and with a list value it matches when the tag equals any listed value. A condition key that is absent from the request context evaluates to false, so this statement only allows calls for which IAM actually evaluates rds:db-tag/environment; check each action against the RDS resource-level permission documentation before relying on it.
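The policy structure from page 14, the tag-driven conditions from page 18 and the RDS policy above, worked through as an added example that is not from the deck and not AWS's evaluation engine: a small evaluator for Action / Effect / Resource / Condition that implements the rules the slides rely on (explicit Deny beats Allow, no matching statement is an implicit deny, "*" and "?" wildcards, and a StringEquals condition whose key is missing from the request context evaluates to false). Real IAM has many more operators and context keys. The second Deny statement, the account number, the ARNs and the tag contexts below are constructed for the example.

```ruby
require 'json'

module IamPolicyEval
  module_function

  # IAM wildcards: "*" matches any run of characters, "?" a single one; action names
  # are matched case-insensitively. The pattern is anchored so "ec2:Describe*" matches
  # whole action names only.
  def wildcard_to_regexp(pattern)
    escaped = Regexp.escape(pattern).gsub('\*', '.*').gsub('\?', '.')
    Regexp.new("\\A#{escaped}\\z", Regexp::IGNORECASE)
  end

  def matches_any?(patterns, value)
    Array(patterns).any? { |p| wildcard_to_regexp(p).match?(value) }
  end

  # Only StringEquals is implemented. Every key in the block must match, and a key that
  # is absent from the request context evaluates to false: a tag condition on an action
  # whose request carries no tag context therefore denies rather than "not applying".
  def condition_met?(condition, context)
    return true if condition.nil? || condition.empty?
    condition.all? do |operator, pairs|
      raise ArgumentError, "unsupported operator #{operator}" unless operator == 'StringEquals'
      pairs.all? { |key, allowed| context.key?(key) && Array(allowed).include?(context[key]) }
    end
  end

  def statement_matches?(stmt, action, resource, context)
    matches_any?(stmt['Action'], action) &&
      matches_any?(stmt['Resource'], resource) &&
      condition_met?(stmt['Condition'], context)
  end

  # IAM's decision order: an explicit Deny in any matching statement wins, then an Allow,
  # and a request that no statement matches is implicitly denied.
  def evaluate(policy, action:, resource:, context: {})
    matching = Array(policy['Statement']).select { |s| statement_matches?(s, action, resource, context) }
    return :explicit_deny if matching.any? { |s| s['Effect'] == 'Deny' }
    return :allow if matching.any? { |s| s['Effect'] == 'Allow' }
    :implicit_deny
  end
end

# The RDS read-only policy from the slide (operator spelled as IAM expects it), plus a
# constructed Deny on a hypothetical payroll database to show Deny precedence.
RDS_AUDIT_POLICY = JSON.parse(<<~'JSON')
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Action": ["rds:DescribeDBInstances", "rds:DescribeDBLogFiles", "rds:DescribeDBParameterGroups",
                   "rds:DescribeDBParameters", "rds:DownloadDBLogFilePortion"],
        "Resource": ["*"],
        "Effect": "Allow",
        "Condition": { "StringEquals": { "rds:db-tag/environment": ["prod", "dr"] } }
      },
      {
        "Action": ["rds:*"],
        "Resource": ["arn:aws:rds:us-east-1:123456789012:db:payroll-*"],
        "Effect": "Deny"
      }
    ]
  }
JSON

# Build the request context from the instance's tags (constructed; IAM fills this in itself).
def audit_decision(action, resource, tags)
  context = tags.map { |k, v| ["rds:db-tag/#{k}", v] }.to_h
  IamPolicyEval.evaluate(RDS_AUDIT_POLICY, action: action, resource: resource, context: context)
end

if __FILE__ == $0
  db = 'arn:aws:rds:us-east-1:123456789012:db:rdsexample'
  puts audit_decision('rds:DownloadDBLogFilePortion', db, 'environment' => 'prod')  # allow
  puts audit_decision('rds:DownloadDBLogFilePortion', db, 'environment' => 'dev')   # implicit_deny
  puts audit_decision('rds:DownloadDBLogFilePortion', db, {})                        # implicit_deny (untagged)
  puts audit_decision('rds:ModifyDBInstance', db, 'environment' => 'prod')           # implicit_deny
  puts audit_decision('rds:DescribeDBLogFiles',
                      'arn:aws:rds:us-east-1:123456789012:db:payroll-01', 'environment' => 'prod') # explicit_deny
end
```

The untagged case is the one to watch in practice: an auditor whose role depends on a tag condition silently loses visibility of any instance somebody forgot to tag.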

Page 30:

Security Auditing Role / RDS Read-only Policy

#!/usr/bin/env ruby

require 'rubygems'
require 'aws-sdk'

# Runs under the auditing role: no credentials in the script, the SDK picks up the
# instance's role credentials from the metadata service.
rds = AWS::RDS.new(:region => 'us-east-1').client

# Pull the MySQL general log (every connection and statement) from the instance.
# Only a portion is returned per call; loop on :marker while :additional_data_pending
# is true to fetch the rest of a large log.
general = "general/mysql-general.log"
logdata = rds.download_db_log_file_portion(:db_instance_identifier => "rdsexample",
                                           :log_file_name => general)

puts logdata[:log_file_data]
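What the auditing role does with that log once it has it, as an added example that is not part of the deck: the "query and connection auditing" use case from page 27 needs a parser for the MySQL general-log layout (a "Time Id Command Argument" record per line, with the time printed only when it changes) and a check of who connected from where. The log lines below are constructed in the MySQL 5.6-era format that RDS returned at the time of the talk, and the allow-list of expected user@host principals is an assumption.

```ruby
module GeneralLogAudit
  Event = Struct.new(:time, :thread_id, :command, :argument)

  # One record: optional "YYMMDD H:MM:SS" time, thread id, command, argument.
  # Header lines (server banner, column titles) do not start with a digit and are skipped.
  RECORD = /\A(?:(?<time>\d{6}\s+\d{1,2}:\d{2}:\d{2}))?\s*(?<id>\d+)\s+(?<cmd>\w+)\s*(?<arg>.*)\z/
  # Connect arguments look like "user@host on dbname"; the database part may be empty.
  CONNECT_ARG = /\A(?<principal>\S+)(?:\s+on\s*(?<db>\S*))?\z/

  # Records without a time inherit the time of the previous record.
  def self.parse(text)
    last_time = nil
    text.each_line.map do |line|
      m = RECORD.match(line.chomp)
      next nil unless m
      last_time = m[:time] if m[:time]
      Event.new(last_time, m[:id].to_i, m[:cmd], m[:arg].strip)
    end.compact
  end

  def self.connections(events)
    events.select { |e| e.command == 'Connect' }.map do |e|
      m = CONNECT_ARG.match(e.argument)
      { time: e.time, thread_id: e.thread_id,
        principal: m ? m[:principal] : e.argument,
        database: m && m[:db] ? m[:db] : '' }
    end
  end

  # Connections from any user@host that is not on the allow-list.
  def self.unexpected_connections(events, allowed_principals)
    connections(events).reject { |c| allowed_principals.include?(c[:principal]) }
  end

  # Statements run on a given thread, so an unexpected connection can be tied to what it did.
  def self.queries_by_thread(events, thread_id)
    events.select { |e| e.thread_id == thread_id && e.command == 'Query' }.map(&:argument)
  end
end

# Constructed sample in the layout of a MySQL 5.6 general log (tabs as MySQL writes them).
SAMPLE_LOG = [
  "/rdsdbbin/mysql/bin/mysqld, Version: 5.6.13-log (MySQL Community Server (GPL)). started with:",
  "Tcp port: 3306  Unix socket: /tmp/mysql.sock",
  "Time                 Id Command    Argument",
  "131009  4:20:10\t   12 Connect\tadmin@10.0.1.5 on mydb",
  "\t\t   12 Query\tselect count(*) from users",
  "131009  4:20:11\t   13 Connect\troot@203.0.113.7 on",
  "\t\t   13 Query\tselect user, host, password from mysql.user",
  "\t\t   13 Quit\t",
  "131009  4:20:12\t   12 Quit\t"
].join("\n")

ALLOWED_PRINCIPALS = ['admin@10.0.1.5']  # assumption: the application's known DB user@host

if __FILE__ == $0
  events = GeneralLogAudit.parse(SAMPLE_LOG)
  GeneralLogAudit.unexpected_connections(events, ALLOWED_PRINCIPALS).each do |c|
    puts "#{c[:time]} thread #{c[:thread_id]}: unexpected connection from #{c[:principal]}"
    GeneralLogAudit.queries_by_thread(events, c[:thread_id]).each { |q| puts "    ran: #{q}" }
  end
end
```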

Page 31:

Security Auditing Role / RDS Read-only Policy

Page 32:

Thank You!

Bill Shinn

Principal Security Solutions Architect