Source: meetupfiles.meetup.com/8763012/bill shinn_10-10 security event... (transcript of slides)
AWS Security Overview
Bill Shinn
Principal Security Solutions Architect
Accelerating Security with AWS
Agenda
• AWS Overview
• Risk Management / Compliance Overview
• Identity / Privilege Isolation
• Roles for EC2 / 3 Technical Use Cases
AWS Overview
What is AWS?
• AWS Global Infrastructure
• Application Services
• Networking
• Deployment & Management
• Database, Storage, Compute
AWS Global Infrastructure
9 Regions
25 Availability Zones
Continuous Expansion
AWS Availability Zones
Note: Conceptual drawing only. South America (Sao Paulo), GovCloud & Asia-Pacific (Tokyo) not shown.
• EU Region (Ireland): Availability Zones A, B
• US East Region (N. VA): Availability Zones A, B, C
• APAC Region (Sydney): Availability Zones A, B, C
• US West Region (N. California): Availability Zones A, B
• US West Region (Oregon): Availability Zones A, B
• APAC Region (Singapore): Availability Zones A, B
AWS Approach to Risk Management, Security & Compliance
Architected for Enterprise Security Requirements
“The Amazon Virtual Private Cloud
[Amazon VPC] was a unique option that
offered an additional level of security and
an ability to integrate with other aspects
of our infrastructure.”
Dr. Michael Miller, Head of HPC for R&D
Security & Compliance Shared Responsibility
AWS
• Facilities
• Physical Security
• Compute Infrastructure
• Storage Infrastructure
• Network Infrastructure
• Virtualization Layer
Customer
• Operating System
• Applications
• Security Groups
• Firewalls
• Network Configuration
• Account Management
AWS + Customer = shared responsibility for security and compliance
Benefits of Scale Apply to Security and Compliance
The entire community benefits from tough scrutiny, the world-class AWS security team, market-leading capabilities, and constant improvements.
[Figure: each customer's requirements feed the shared security infrastructure, which in turn protects everyone's systems and applications]
Nothing better for the community than a tough set of customers…
Accreditation & Compliance, Old and New
Old world
• Functionally optional (you can build a secure system without it)
• Audits done by an in-house team
• Accountable to yourself
• Must maintain talent and keep pace
• Check typically once a year, one location
• Workload-specific/regulation specific compliance checks
New world
• Functionally necessary – high watermark of requirements
• Audits done by third party experts
• Accountable to everyone
• Security drives broad compliance
• Continuous monitoring, everywhere
• Compliance approach based on all possible workload scenarios
Identity / Isolation / Trust Boundary Patterns
Identity & Access Management
IAM enables customers to create and manage users in AWS's identity system
• Identity federation with a local directory is an option for enterprises
Very familiar security model
• Users, groups, permissions
Allows customers to
• Create users
• Assign individual passwords, access keys, multi-factor authentication devices
• Grant fine-grained permissions
• Optionally grant them access to the AWS Console
• Organize users in groups
IAM Policy Structure
• Action
• Effect
• Resource
• Condition
IAM / Security Token Service
• AssumeRole
• Duration from 15 minutes to one hour (the limit when this talk was given; the maximum session duration is now set per role)
• Returns a temporary access key ID, secret access key, and security token (session token)
Privilege Isolation
Account
IAM User/Group/Role
Region
Amazon VPC
Security Group
Resource
Privilege Isolation / Resources
Resource Permissions by Service (by API call)
http://docs.aws.amazon.com/IAM/latest/UserGuide/Using_SpecificProducts.html
• Amazon DynamoDB (tables and indexes)
• Amazon Elastic Beanstalk (application, application version, solution stack)
• Amazon EC2 (instance, security group, DHCP options, NACL, route table, gateways, volumes)
• Amazon Glacier (vault)
• Amazon IAM (signing credentials, group, …)
• Amazon Redshift (cluster, parameter group, security group, snapshot, subnet group)
• Amazon RDS
• Amazon Route53 (hosted zone)
• Amazon S3 (bucket)
• Amazon SNS (topic)
• Amazon SQS (queue)
Privilege Isolation / Resources
• "Resource-based Permissions for EC2" announced on July 9th, 2013
• Assign permissions to EC2 & other resources: instance, snapshot, volume
• Combine with existing permissions and policies based on EC2 actions to create extremely fine-grained policies for managing AWS resources
• Leverage tagging and attribute-driven conditions
  • Tags such as "Production" or "AppName"
  • Overlay organizational structure such as cost centers or departments
  • Require dedicated tenancy as a condition
• Available resources and conditions continue to grow…
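As an added example (not code from the talk), the following Ruby builds one statement in the Effect / Action / Resource / Condition structure described above, scoped to EC2 instances by tag in the way the resource-based permissions slide describes, and lints a policy document for the unconditional wildcard grants a reviewer would reject. The tag key `environment`, the tag value `Production`, the account number and the region are assumptions.

```ruby
require 'json'

# Assumed values for the example: account and region used in the instance ARN.
EXAMPLE_ACCOUNT = '123456789012'
EXAMPLE_REGION  = 'us-east-1'

# One Allow statement using all four policy elements. The Condition limits the
# grant to instances tagged environment=Production and to MFA-authenticated callers.
def tag_scoped_ec2_statement(tag_key: 'environment', tag_value: 'Production')
  {
    'Effect'    => 'Allow',
    'Action'    => %w[ec2:StartInstances ec2:StopInstances ec2:RebootInstances],
    'Resource'  => "arn:aws:ec2:#{EXAMPLE_REGION}:#{EXAMPLE_ACCOUNT}:instance/*",
    'Condition' => {
      'StringEquals' => { "ec2:ResourceTag/#{tag_key}" => tag_value },
      'Bool'         => { 'aws:MultiFactorAuthPresent' => 'true' }
    }
  }
end

# Wrap statements in a policy document with the version string IAM expects.
def policy_document(statements)
  { 'Version' => '2012-10-17', 'Statement' => statements }
end

def policy_json(doc)
  JSON.pretty_generate(doc)
end

# Read-only actions are the Describe/Get/List families; anything else can change state.
def read_only_action?(action)
  action.split(':').last.to_s.start_with?('Describe', 'Get', 'List')
end

# Lint a policy document. Returns an array of finding strings; empty means clean.
def lint_policy(doc)
  findings = []
  findings << 'Version should be 2012-10-17' unless doc['Version'] == '2012-10-17'
  Array(doc['Statement']).each_with_index do |st, i|
    %w[Effect Action Resource].each do |key|
      findings << "statement #{i}: missing #{key}" unless st.key?(key)
    end
    next unless st['Effect'] == 'Allow'
    actions       = Array(st['Action'])
    resources     = Array(st['Resource'])
    wild_action   = actions.any? { |a| a == '*' || a.end_with?(':*') }
    wild_resource = resources.include?('*')
    unconditional = !st.key?('Condition')
    if wild_action && wild_resource && unconditional
      findings << "statement #{i}: Allow with wildcard Action and Resource and no Condition"
    end
    mutating = actions.reject { |a| read_only_action?(a) }
    if !mutating.empty? && wild_resource && unconditional
      findings << "statement #{i}: state-changing actions (#{mutating.join(', ')}) on Resource * with no Condition"
    end
  end
  findings
end

if __FILE__ == $PROGRAM_NAME
  doc = policy_document([tag_scoped_ec2_statement])
  puts policy_json(doc)
  puts(lint_policy(doc).empty? ? 'lint: clean' : lint_policy(doc))
end
```

The linter deliberately treats `Resource: "*"` as acceptable for Describe/Get/List actions, which is what the read-only auditing policies later in the deck do; it only complains when a state-changing action is granted on every resource with nothing in `Condition` to narrow it.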
AWS IAM Credentials
require 'rubygems'
require 'aws-sdk'

# Static credentials embedded in the source: the pattern the EC2 role slides replace.
s3 = AWS::S3.new(
  :access_key_id     => 'AKIAIOSFODNN7EXAMPLE',
  :secret_access_key => 'wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY')

document = s3.buckets['text-content'].objects['db-backup-schedule.txt']

File.open("local-file.txt", "w") do |f|
  f.write(document.read)
end
IAM Roles / EC2
• Role
• Instance Profile
• Identity for the instance itself
• Available to all applications and users on the host: any process that can reach the instance metadata service can read the role's credentials
IAM Roles / Instance Metadata Service
• Entitlements of credentials => IAM Role
• Short-life & Expiration
• Managed rotation
• No stored credentials!
AWS SDK Credential Chain
• Static credentials provided to the AWS.config method. For example,
AWS.config(:access_key_id => '...', :secret_access_key => '...')
• Environment Variables ('AWS' prefix): ENV['AWS_ACCESS_KEY_ID'] and ENV['AWS_SECRET_ACCESS_KEY']
• Environment Variables ('AMAZON' prefix): ENV['AMAZON_ACCESS_KEY_ID'] and ENV['AMAZON_SECRET_ACCESS_KEY']
• Instance Metadata Service, which provides the credentials associated with the IAM role for the EC2 instance
AWS IAM Credentials / EC2 Roles
require 'rubygems'
require 'aws-sdk'

# The static credentials are gone; the SDK credential chain falls through to the
# role credentials served by the instance metadata service.
#s3 = AWS::S3.new(
#  :access_key_id     => 'AKIAIOSFODNN7EXAMPLE',
#  :secret_access_key => 'wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY')
s3 = AWS::S3.new()

document = s3.buckets['text-content'].objects['db-backup-schedule.txt']

File.open("local-file.txt", "w") do |f|
  f.write(document.read)
end
[ec2-user@ip-172-16-1-153 ~]$ curl http://169.254.169.254/latest/meta-data/iam/security-credentials/DBA/
{
  "Code" : "Success",
  "LastUpdated" : "2013-10-09T04:20:10Z",
  "Type" : "AWS-HMAC",
  "AccessKeyId" : "EXAMPLEACCESSID12345",
  "SecretAccessKey" : "/1e2x3a4m5p6l7esecretAccessK3y+321987",
  "Token" : "AQoDYXdzEIX//////////wEaoAJJ2rZZJat9wVl3Hub/ALObuZoLeOxLs48WqL0D0muqK9iMRrfAWQlhOtVzygfuRkLzAbKj3FUcNez6kqy/ljZkr461OMlBvt1LuRMGkZhGww8IqkS1Owrv1K3vEbbK6iPPjJNvzxGt0x9o8maoMh989EJNWuzQ6W6qq9UfopcZc9dCVGbo87b5Lo1yOJTnghyQI6XDqyImrUx+NMgQU2bOGiXyQ7RiWyhdkUXgBh4tuipsO4Q6XUE189NM0EKkeSDsKdzl/H+WX+IihSnYjjaLWHr6wSBVbmudoLb8RqE/urMGWhEolZuiXMGYvWOdau9MBkXF+4ciqlGx7mff6rOQoLqMzAhz4hWbEMOciVD7oUo3HvG/lLo4JOUyBEBHkJwglrPTkgU=",
  "Expiration" : "2013-10-09T10:24:32Z"
}
[ec2-user@ip-172-16-1-153 ~]$
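An added example, not from the talk: a Ruby credential resolver that walks the four sources in the order the SDK credential chain above lists them and, for the instance metadata case, parses a document in the shape of the curl output above and decides when the short-lived role credentials must be refreshed. The metadata fetch is injected as a callable so the example runs without an EC2 instance; the sample document is constructed with placeholder key, secret and token, and the 300-second refresh margin is an assumption.

```ruby
require 'json'
require 'time'

Credentials = Struct.new(:access_key_id, :secret_access_key, :session_token, :expiration, :source)

# Constructed sample in the shape the instance metadata service returns for a role
# (same fields as the curl output above; key, secret and token are placeholders).
SAMPLE_IMDS_DOC = <<~JSON
  {
    "Code" : "Success",
    "LastUpdated" : "2013-10-09T04:20:10Z",
    "Type" : "AWS-HMAC",
    "AccessKeyId" : "EXAMPLEACCESSID12345",
    "SecretAccessKey" : "/1e2x3a4m5p6l7esecretAccessK3y+321987",
    "Token" : "EXAMPLETOKEN",
    "Expiration" : "2013-10-09T10:24:32Z"
  }
JSON

# Turn a metadata document into credentials, keeping the expiry so callers can refresh.
def credentials_from_imds(doc_json)
  doc = JSON.parse(doc_json)
  raise "instance metadata returned Code=#{doc['Code']}" unless doc['Code'] == 'Success'
  Credentials.new(doc['AccessKeyId'], doc['SecretAccessKey'], doc['Token'],
                  Time.iso8601(doc['Expiration']), :instance_metadata)
end

# Resolve in the order the v1 SDK chain lists: static config, AWS_* environment,
# AMAZON_* environment, then the instance metadata service. imds_fetch is a callable
# returning the metadata JSON so the example runs offline.
def resolve_credentials(config: {}, env: {}, imds_fetch: nil)
  if config[:access_key_id] && config[:secret_access_key]
    return Credentials.new(config[:access_key_id], config[:secret_access_key],
                           config[:session_token], nil, :static_config)
  end
  %w[AWS AMAZON].each do |prefix|
    id     = env["#{prefix}_ACCESS_KEY_ID"]
    secret = env["#{prefix}_SECRET_ACCESS_KEY"]
    if id && secret
      return Credentials.new(id, secret, env["#{prefix}_SESSION_TOKEN"], nil,
                             :"env_#{prefix.downcase}")
    end
  end
  raise 'no credentials found in config, environment or instance metadata' unless imds_fetch
  credentials_from_imds(imds_fetch.call)
end

# Role credentials are short-lived: refresh once they are within the margin of expiry.
# Static credentials carry no expiry and never trigger a refresh here.
def needs_refresh?(creds, now = Time.now, margin_seconds = 300)
  return false if creds.expiration.nil?
  creds.expiration - now <= margin_seconds
end

if __FILE__ == $PROGRAM_NAME
  creds = resolve_credentials(imds_fetch: -> { SAMPLE_IMDS_DOC })
  puts "#{creds.source}: #{creds.access_key_id} expires #{creds.expiration.utc}"
  puts "refresh now? #{needs_refresh?(creds)}"
end
```

The order matters for the "no stored credentials" goal: a stale `AWS_ACCESS_KEY_ID` left in an instance's environment silently wins over the role, so a bootstrap script that wants the role should ensure those variables are unset.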
Roles for EC2 / 3 Use Cases
Bastion Host Role
• Eliminates need for individual IAM credentials
• Reduces or eliminates need for federation
• Combine with auditing of shell commands
• Control access by host / purpose
Web Application Access Role
• Eliminates the need for storing IAM credentials in config files
• Addresses key distribution and app deployment/bootstrap patterns (get secrets for database access, private keys for mutual auth, etc.)
• Can’t check secrets into GitHub or Perforce if there aren’t any
• Easier coding, faster coding, more features
Security Auditing Role
• Read-only access to AWS assets
• Census picture of all assets (feed scanning & SIEM reconciliation)
• RDS & RedShift query and connection auditing
• Change detection of vital objects
Security Auditing Role / EC2 Read-only Policy
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "ec2:DescribeAddresses",
        "ec2:DescribeImageAttribute",
        "ec2:DescribeImages",
        "ec2:DescribeInstanceAttribute",
        "ec2:DescribeInstanceStatus",
        "ec2:DescribeInstances",
        "ec2:DescribeNetworkAcls",
        "ec2:DescribeNetworkInterfaceAttribute",
        "ec2:DescribeNetworkInterfaces",
        "ec2:DescribeRouteTables",
        "ec2:DescribeSecurityGroups",
        "ec2:DescribeSubnets",
        "ec2:DescribeVpcs"
      ],
      "Resource": [
        "*"
      ],
      "Effect": "Allow"
    }
  ]
}
Security Auditing Role / RDS Read-only Policy
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "rds:DescribeDBInstances",
        "rds:DescribeDBLogFiles",
        "rds:DescribeDBParameterGroups",
        "rds:DescribeDBParameters",
        "rds:DownloadDBLogFilePortion"
      ],
      "Resource": [
        "*"
      ],
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "rds:db-tag/environment": [
            "prod",
            "dr"
          ]
        }
      }
    }
  ]
}
Security Auditing Role / RDS Read-only Policy
#!/usr/bin/env ruby

require 'rubygems'
require 'aws-sdk'

rds = AWS::RDS.new(:region => 'us-east-1').client

# The API returns the log one portion at a time; to read a whole file, loop on the
# returned :marker while :additional_data_pending is true.
general = "general/mysql-general.log"
logdata = rds.download_db_log_file_portion(:db_instance_identifier => "rdsexample",
                                           :log_file_name => general)

puts logdata[:log_file_data]
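As an added example (not part of the talk), the following Ruby parses MySQL general_log text of the kind the script above downloads and implements the connection auditing the Security Auditing Role slide lists: it flags failed logins, connections by users not on an allow-list, and connections from addresses outside the expected networks. The log lines are constructed samples in the MySQL 5.x general-log layout, and the allowed users and CIDR ranges are assumptions.

```ruby
require 'ipaddr'

# Constructed sample in the MySQL 5.x general_log text layout (not real RDS output).
# A line without a timestamp belongs to the timestamp of the previous line.
SAMPLE_GENERAL_LOG = [
  "131009  4:20:10\t   12 Connect\tappuser@10.0.1.25 on appdb",
  "\t\t   12 Query\tSELECT id FROM accounts WHERE id = 42",
  "131009  4:21:03\t   13 Connect\tAccess denied for user 'root'@'203.0.113.9' (using password: YES)",
  "131009  4:21:05\t   14 Connect\troot@203.0.113.9 on appdb",
  "\t\t   14 Query\tSELECT * FROM mysql.user",
  "\t\t   12 Quit\t"
].join("\n") + "\n"

Entry = Struct.new(:time, :thread_id, :command, :argument)

# <optional "YYMMDD H:MM:SS"> <thread id> <command> <argument>; header lines such as
# "Time  Id Command Argument" do not match and are skipped.
LINE_RE    = /\A(?:(\d{6}\s+\d{1,2}:\d{2}:\d{2}))?\s+(\d+)\s+(\w+)\s*(.*)\z/
CONNECT_RE = /\A(\S+?)@(\S+) on\s*(\S*)\z/
DENIED_RE  = /Access denied for user '([^']*)'@'([^']*)'/

def parse_general_log(text)
  last_time = nil
  entries = []
  text.each_line do |line|
    m = LINE_RE.match(line.chomp)
    next unless m
    last_time = m[1] if m[1]
    entries << Entry.new(last_time, m[2].to_i, m[3], m[4].strip)
  end
  entries
end

# Hosts appear as IP addresses in the log; a non-IP value is treated as outside the
# allowed networks rather than silently passed.
def outside_networks?(host, nets)
  ip = IPAddr.new(host)
  nets.none? { |n| n.include?(ip) }
rescue ArgumentError
  true
end

# Walk Connect events and return findings: failed logins, users not on the allow-list,
# and connections from addresses outside the allowed CIDR ranges.
def audit_connections(entries, allowed_cidrs:, allowed_users:)
  nets = allowed_cidrs.map { |c| IPAddr.new(c) }
  findings = []
  entries.each do |e|
    next unless e.command == 'Connect'
    if (d = DENIED_RE.match(e.argument))
      findings << { time: e.time, thread: e.thread_id, type: :access_denied, user: d[1], host: d[2] }
    elsif (c = CONNECT_RE.match(e.argument))
      user, host = c[1], c[2]
      base = { time: e.time, thread: e.thread_id, user: user, host: host }
      findings << base.merge(type: :unexpected_user) unless allowed_users.include?(user)
      findings << base.merge(type: :outside_network) if outside_networks?(host, nets)
    end
  end
  findings
end

if __FILE__ == $PROGRAM_NAME
  entries  = parse_general_log(SAMPLE_GENERAL_LOG)
  findings = audit_connections(entries, allowed_cidrs: ['10.0.0.0/8'], allowed_users: ['appuser'])
  findings.each { |f| puts f.inspect }
end
```

For RDS MySQL the general log is only written when the instance's DB parameter group sets general_log=1 with log_output=FILE, so an auditing role that can download logs still sees nothing until that parameter is in place.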
Thank You!
Bill Shinn
Principal Security Solutions Architect