Enhanced Security and Compliance with AWS
TRANSCRIPT
AWS Government, Education, and Nonprofit Symposium Washington, DC I June 25-26, 2015
Enhanced Security and Compliance with AWS
Brad Dispensa - AWS
Justin Lundy - Evident.io
familiar security model
validated and driven by customers’ security experts
benefits all customers
PEOPLE & PROCESS
SYSTEM
NETWORK
PHYSICAL
Security is job zero
physical infrastructure
hardware
hypervisor
guest operating system
logical security
data and application
software firewalls/IDS/AV
customer control and customer responsibility
AWS control and AWS responsibility
Key AWS certifications and assurance programs
certifications and accreditations for workloads that matter
AWS CloudTrail – AWS API call logging for governance & compliance
stores data in S3 or archive to Amazon Glacier
log and review user activity
• You benefit from an environment built for the most security-sensitive organizations
• AWS manages 1800+ physical security controls so you don’t have to
• You get to define the right security controls for your workload sensitivity
• You always have full ownership and control of your data
• You are responsible for logical security configuration of the AWS services you use above the hypervisor
What this means
Economies of scale: World-class teams
• Where would some of the world’s best security experts like to work?
• They want to work on huge challenges with huge impact!
• AWS has highly leveraged, world-class teams watching your back!
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "xxxxxxx",
      "Effect": "Allow",
      "Action": [ "ec2:*" ],
      "Condition": {
        "StringEquals": { "ec2:ResourceTag/User": "Developer" }
      },
      "Resource": [ "arn:aws:ec2:us-west-2:1234567890:instance/*" ]
    }
  ]
}
[ec2-user@ip-172-31-7-156 ~]$ aws kms encrypt --region us-west-1 --key-id arn:aws:kms:us-west-1:1234567890:key/6a39053e-17b8-4b35-83ca-xxxxxxxx --plaintext "Secret information" --query CiphertextBlob --output text| base64 --decode > encoded
[ec2-user@ip-172-31-7-156 ~]$ cat encoded
(binary ciphertext blob; not printable)
[ec2-user@ip-172-31-7-156 ~]$ aws kms decrypt --region us-west-1 --ciphertext-blob fileb://encoded --output text --query Plaintext | base64 --decode
Secret information
[ec2-user@ip-172-31-7-156 ~]$ aws s3 cp encoded s3://wwps-dc-demo/encoded
upload: ./encoded to s3://wwps-dc-demo/encoded
[ec2-user@ip-172-31-7-156 ~]$ aws s3 cp s3://wwps-dc-demo/encoded secret-stuff
download: s3://wwps-dc-demo/encoded to ./secret-stuff
[ec2-user@ip-172-31-7-156 ~]$ aws s3 ls --region us-west-1 s3://wwps-dc-demo
A client error (AccessDenied) occurred when calling the ListObjects operation: Access Denied
You get to control who can do what in your AWS environment as well as when and from where
Fine-grained control of your AWS cloud with multi-factor authentication
Integrate with your existing Active Directory directory using federation and single sign-on
AWS account owner
network management
security management
server management
storage management
Control access and segregate duties everywhere
• Native encryption across services for free
  – Amazon S3, EBS, Amazon RDS, Amazon Redshift
  – End-to-end SSL/TLS
• Scalable key management
  – AWS Key Management Service provides scalable, low-cost key management
  – AWS CloudHSM provides hardware-based, high assurance key generation, storage, and management
• Third-party encryption options
  – Trend Micro, SafeNet, Vormetric, Hytrust, Sophos, etc.
Encrypt your sensitive information
EC2
template catalog running instance your instance
hardening
audit and logging
vulnerability management
malware and HIPS
whitelisting and integrity
user administration
operating system
Configure and harden EC2 instances to your own specs
Use host-based protection software
Manage administrative users
Enforce separation of duties and least privilege
Connect to your existing services (for example, SIEM), patching
Enforce consistent security on servers
virtual private cloud
Availability Zone
security group
user
Your organization
project teams marketing
business units reporting
digital/websites
dev and test Amazon Redshift EMR Analytics
internal enterprise apps
Amazon S3
Amazon Glacier
storage/backup
Create flexible, resilient, segmented environments
Understand configuration changes
• Automate IT asset inventory
• Discover and provision cloud services
• Audit and troubleshoot configuration changes in the cloud
Full visibility of your AWS environment
• CloudTrail will record access to API calls and save logs in your S3 buckets, no matter how those API calls were made
  – Who did what and when and from where (IP address)
• CloudTrail support for a growing list of AWS services, including EC2, EBS, VPC, RDS, IAM, and Amazon Redshift
• Easily aggregate all log information
  – Out-of-the-box integration with log analysis tools from AWS partners, including Splunk, AlertLogic, and SumoLogic
Monitoring: Get consistent visibility of logs
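The "who did what, when and from where" point above, as an added example written for this transcript (not code from the presentation, from AWS, or from Evident.io): it parses a small constructed set of CloudTrail records into that summary and also applies two of the deck's later best practices, flagging root API calls and mutating calls made by sessions without MFA. The user names, account ID, and IP addresses are constructed samples.

```python
import json

# Constructed sample CloudTrail records (not real account data); the field
# names follow the CloudTrail JSON record format the slide refers to.
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventTime": "2015-06-25T14:02:11Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice",
                      "sessionContext": {"attributes": {"mfaAuthenticated": "true"}}}},
    {"eventTime": "2015-06-25T14:05:40Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateAccessKey", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root"}},
    {"eventTime": "2015-06-25T14:09:03Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutBucketPolicy", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "bob",
                      "sessionContext": {"attributes": {"mfaAuthenticated": "false"}}}},
    {"eventTime": "2015-06-25T14:10:15Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "bob",
                      "sessionContext": {"attributes": {"mfaAuthenticated": "false"}}}},
]})

READ_ONLY_PREFIXES = ("Describe", "List", "Get")  # calls that change nothing

def actor(rec):
    """Who: the root account, an IAM user name, or the raw ARN as a fallback."""
    ident = rec["userIdentity"]
    if ident.get("type") == "Root":
        return "root"
    return ident.get("userName") or ident.get("arn", "unknown")

def summarize(trail_json):
    """Who did what, when, and from where: one tuple per record."""
    return [(actor(r), r["eventName"], r["eventTime"], r["sourceIPAddress"])
            for r in json.loads(trail_json)["Records"]]

def findings(trail_json):
    """Flag root API use (item 1 of the top 10) and mutating calls without MFA (item 2)."""
    out = []
    for rec in json.loads(trail_json)["Records"]:
        ident = rec["userIdentity"]
        mfa = ident.get("sessionContext", {}).get("attributes", {}).get("mfaAuthenticated")
        if ident.get("type") == "Root":
            out.append(("root-api-call", rec["eventName"], rec["sourceIPAddress"]))
        elif mfa != "true" and not rec["eventName"].startswith(READ_ONLY_PREFIXES):
            out.append(("no-mfa", actor(rec), rec["eventName"]))
    return out
```

Read-only calls without MFA are deliberately left out of the findings to keep the signal to changes; widen READ_ONLY_PREFIXES or drop the filter if your policy requires MFA on every call.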
• Performs a series of security configuration checks of your AWS environment:
  • Open ports
  • Unrestricted access
  • IAM use
  • CloudTrail logging
  • S3 bucket permissions
  • Multi-factor authentication
  • Password policy
  • DB access risk
  • DNS records
  • Load balancer config
Getting some help – Trusted Advisor
• Performs a larger series of security configuration checks of your AWS environment:
  • Open ports, unrestricted access
  • IAM use, encryption, policy, users
  • CloudTrail logging
  • S3 bucket permissions
  • Multi-factor authentication
  • Password policy
  • DNS records
  • Load balancer config
  • Route53 config
  • Credential rotation
• Over 100 security checks vs. Trusted Advisor’s 12
• Custom signature flexibility
Getting even more help – Evident.io
Evident dashboard
Evident helps organizations of all sizes proactively manage information security risk and compliance of their entire global AWS infrastructure configuration, on a continuous basis.
We aim to be the de-facto platform for enhanced AWS security.
About Evident.io
AWS Summit SF 2015
- Continuous monitoring of AWS security configuration
- Enhanced visibility across AWS accounts
- Guided information security risk mitigation
- Rapid Evident activations in <= 10 minutes
- Custom signatures in Ruby or JavaScript
- Custom alert suppressions
- Third-party integrations with popular apps
About the Evident security platform
Custom signature – CIS-hardened AMI for Ubuntu example
Evident native integrations
SQS Slack PagerDuty
HipChat JIRA
AWS:
- facilities
- physical security
- physical infrastructure
- network infrastructure
- virtualization infrastructure
Customer:
- operating system security
- patch management
- application configuration management
- identity and access management
- security groups, network ACLs
- VPC configuration
- S3 bucket policies
- IAM roles, policies, users, groups
- EBS, S3, RDS encryption
- for large environments, thousands to millions of logical controls to monitor
AWS shared responsibilities - expanded
- business disruption
- financial losses
- loss of privacy
- reputational damage
- loss of client confidence
- legal penalties
- impaired growth
- loss of life
Potential risks
- angry employees
- dishonest employees
- criminals
- governments
- terrorists
- press
- competitors
- hackers
- Mother Nature
Potential threats
- software bugs
- broken processes
- ineffective controls
- hardware flaws
- unauthorized changes
- legacy systems
- inadequate BCP
- human error
- misconfiguration
Potential vulnerabilities
1. Disable root API access key and secret key.
2. Enable MFA tokens everywhere.
3. Reduce number of IAM users with admin rights.
4. Use roles for EC2.
5. Least privilege: limit what IAM entities can do with strong/explicit policies.
6. Rotate all the keys regularly.
7. Use IAM roles with STS AssumeRole, where possible.
8. Use Auto Scaling to handle traffic spikes.
9. Do not allow 0.0.0.0/0 in any EC2/ELB security group unless you mean it.
10. Watch world-readable/listable S3 bucket policies.
(Based on our experience with Incident Response, top 10 to implement ASAP.)
Top 10 AWS security best practices
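Items 9 and 10 of the list above as an offline configuration check, added here as an example (not Evident.io's or AWS's code): it walks the shape returned by `aws ec2 describe-security-groups` and an S3 bucket policy document, both constructed samples, and reports ingress rules open to 0.0.0.0/0 on ports not declared as intentionally public, plus bucket-policy statements that grant read or list access to an anonymous principal. The INTENDED_PUBLIC set is an assumption standing in for the "unless you mean it" decision; the account ID and group IDs are made up, and the bucket name is the one from the demo slides.

```python
import json

# Constructed sample inputs (not from a real account). The first follows the
# shape of `aws ec2 describe-security-groups` output; the second is an S3
# bucket policy document.
SECURITY_GROUPS = [
    {"GroupId": "sg-0a1b2c3d", "GroupName": "web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-0e4f5a6b", "GroupName": "db", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432, "IpRanges": [{"CidrIp": "10.0.0.0/16"}]}]},
]
BUCKET_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": ["s3:ListBucket", "s3:GetObject"],
     "Resource": ["arn:aws:s3:::wwps-dc-demo", "arn:aws:s3:::wwps-dc-demo/*"]},
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
     "Action": "s3:*", "Resource": "arn:aws:s3:::wwps-dc-demo/*"}]})

# Assumption: the ports you "mean" to expose to the world; everything else is flagged.
INTENDED_PUBLIC = {80, 443}

def open_to_world(groups, intended=INTENDED_PUBLIC):
    """Ingress rules reachable from 0.0.0.0/0 on ports outside `intended` (item 9)."""
    hits = []
    for g in groups:
        for perm in g.get("IpPermissions", []):
            if not any(r.get("CidrIp") == "0.0.0.0/0" for r in perm.get("IpRanges", [])):
                continue
            # IpProtocol "-1" means all traffic; FromPort/ToPort are then absent.
            lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
            if perm.get("IpProtocol") == "-1" or lo != hi or lo not in intended:
                hits.append((g["GroupId"], "%d-%d" % (lo, hi)))
    return hits

def world_readable(policy_json):
    """Read/list actions an anonymous principal is allowed by the bucket policy (item 10).
    Conditions are not evaluated: a '*' principal with a Condition still warrants review."""
    leaked = []
    for st in json.loads(policy_json)["Statement"]:
        p = st.get("Principal")
        anonymous = p == "*" or (isinstance(p, dict) and p.get("AWS") == "*")
        if st.get("Effect") != "Allow" or not anonymous:
            continue
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        leaked.extend(a for a in actions
                      if a == "s3:*" or a.split(":")[1].startswith(("Get", "List")))
    return leaked
```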
“Based on our experience, I believe that we can be even more secure in the AWS cloud than in our own data centers.”
-Tom Soderstrom, CTO, NASA JPL
Thank You.
This presentation will be loaded to SlideShare the week following the Symposium.
http://www.slideshare.net/AmazonWebServices