Enhanced Security and Compliance with AWS
AWS Government, Education, and Nonprofit Symposium, Washington, DC, June 25-26, 2015
Brad Dispensa - AWS; Justin Lundy - Evident.io

Upload: amazon-web-services
Post on 13-Aug-2015

TRANSCRIPT

Page 1: Enhanced Security and Compliance with AWS

Enhanced Security and Compliance with AWS

Brad Dispensa - AWS / Justin Lundy - Evident.io

Page 2: Enhanced Security and Compliance with AWS (no text on this slide)

Page 3: Enhanced Security and Compliance with AWS

Security is job zero

familiar security model
validated and driven by customers' security experts
benefits all customers

PEOPLE & PROCESS
SYSTEM
NETWORK
PHYSICAL

Page 4: Enhanced Security and Compliance with AWS

AWS control and AWS responsibility:
physical infrastructure
hardware
hypervisor

Customer control and customer responsibility:
guest operating system
logical security
data and application
software firewalls/IDS/AV

Page 5: Enhanced Security and Compliance with AWS

Key AWS certifications and assurance programs

certifications and accreditations for workloads that matter

AWS CloudTrail – AWS API call logging for governance & compliance

stores data in S3 or archive to Amazon Glacier

log and review user activity

Page 6: Enhanced Security and Compliance with AWS

What this means

• You benefit from an environment built for the most security-sensitive organizations
• AWS manages 1800+ physical security controls so you don't have to
• You get to define the right security controls for your workload sensitivity
• You always have full ownership and control of your data
• You are responsible for logical security configuration of the AWS services you use above the hypervisor

Page 7: Enhanced Security and Compliance with AWS

Economies of scale: World-class teams

• Where would some of the world's best security experts like to work?
• They want to work on huge challenges with huge impact!
• AWS has highly leveraged, world-class teams watching your back!

Pages 8-16: Enhanced Security and Compliance with AWS (no text on these slides)

Page 17: Enhanced Security and Compliance with AWS

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "xxxxxxx",
      "Effect": "Allow",
      "Action": [ "ec2:*" ],
      "Condition": {
        "StringEquals": { "ec2:ResourceTag/User": "Developer" }
      },
      "Resource": [ "arn:aws:ec2:us-west-2:1234567890:instance/*" ]
    }
  ]
}

This statement allows every EC2 action, but only against instances in us-west-2 of the slide's (placeholder) account that carry the tag User=Developer. A request on an instance without that tag value does not satisfy the condition, and EC2 actions that cannot carry the tag key at all, such as ec2:DescribeInstances, which has to be granted on Resource "*", do not match the statement either; both fall through to IAM's implicit deny.

Pages 18-25: Enhanced Security and Compliance with AWS (no text on these slides)

Page 26: Enhanced Security and Compliance with AWS

[ec2-user@ip-172-31-7-156 ~]$ aws kms encrypt --region us-west-1 --key-id arn:aws:kms:us-west-1:1234567890:key/6a39053e-17b8-4b35-83ca-xxxxxxxx --plaintext "Secret information" --query CiphertextBlob --output text | base64 --decode > encoded

[ec2-user@ip-172-31-7-156 ~]$ cat encoded
(binary ciphertext, not printable)

The CLI returns the CiphertextBlob base64-encoded, so the pipeline decodes it before writing the raw ciphertext to the file. Two limits of calling kms encrypt directly: the plaintext may be at most 4 KB, so larger data is encrypted locally under a data key generated by KMS (envelope encryption); and the ciphertext is bound to the key, and therefore to the key's region, so it can only be decrypted by a call to KMS in us-west-1 from a principal allowed to use that key.

Page 27: Enhanced Security and Compliance with AWS

[ec2-user@ip-172-31-7-156 ~]$ aws kms decrypt --region us-west-1 --ciphertext-blob fileb://encoded --output text --query Plaintext | base64 --decode
Secret information

Page 28: Enhanced Security and Compliance with AWS

[ec2-user@ip-172-31-7-156 ~]$ aws s3 cp encoded s3://wwps-dc-demo/encoded
upload: ./encoded to s3://wwps-dc-demo/encoded
[ec2-user@ip-172-31-7-156 ~]$ aws s3 cp s3://wwps-dc-demo/encoded secret-stuff
download: s3://wwps-dc-demo/encoded to ./secret-stuff

Page 29: Enhanced Security and Compliance with AWS

[ec2-user@ip-172-31-7-156 ~]$ aws s3 ls --region us-west-1 s3://wwps-dc-demo

A client error (AccessDenied) occurred when calling the ListObjects operation: Access Denied

The object copy in and out of the bucket succeeded, but listing the bucket is denied: ListObjects is authorized by s3:ListBucket on the bucket ARN, a permission separate from s3:GetObject and s3:PutObject on the object ARNs, so a policy can grant the latter without the former.
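The two policy demos above, slide 17's tag-conditioned EC2 policy and the slide 28/29 terminal session where cp succeeds but ls is denied, come down to one evaluation rule: a request is allowed only if some Allow statement matches its action, its resource and its condition keys, and everything else is implicitly denied. The script below is an added example written for this transcript, not AWS code and not from the deck; it is a deliberately minimal evaluator (no explicit Deny, NotAction, policy variables or multi-valued keys), and the S3 policy in it is an assumption, one policy that reproduces what the terminal showed rather than the policy actually used in the demo. The instance ARN and the tag values on the requests are constructed.

```python
"""Minimal IAM policy evaluator. Added example for this transcript, not an AWS
library: it models only what the two demos exercise (Allow statements, wildcard
Action/Resource matching, a StringEquals condition, the implicit deny)."""
import fnmatch
import json

# Slide 17 policy, copied from the deck (the 10-digit account ID is the slide's
# placeholder; real account IDs have 12 digits).
EC2_TAG_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "xxxxxxx",
      "Effect": "Allow",
      "Action": ["ec2:*"],
      "Condition": {"StringEquals": {"ec2:ResourceTag/User": "Developer"}},
      "Resource": ["arn:aws:ec2:us-west-2:1234567890:instance/*"]
    }
  ]
}
""")

# ASSUMED policy for the slide 28/29 demo; it is not on the slides. It grants
# object read/write on object ARNs but nothing on the bucket ARN, which is
# exactly what the terminal shows: cp works, ls (s3:ListBucket) is denied.
S3_OBJECTS_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:PutObject"],
            "Resource": ["arn:aws:s3:::wwps-dc-demo/*"],
        }
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_holds(condition, context):
    """Every StringEquals key must be present in the request context and equal.
    A key that is absent (untagged resource, or an action that never supplies
    the key) makes the condition false, so the statement does not match."""
    for key, expected in condition.get("StringEquals", {}).items():
        if context.get(key) != expected:
            return False
    return True


def is_allowed(policy, action, resource, context=None):
    """True only if some Allow statement matches action, resource and
    condition; anything unmatched is the implicit deny."""
    context = context or {}
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        if not _condition_holds(stmt.get("Condition", {}), context):
            continue
        return True
    return False


INSTANCE = "arn:aws:ec2:us-west-2:1234567890:instance/i-0abc123"  # constructed ARN


def ec2_demo():
    """Decisions for slide 17's policy on four constructed requests."""
    tag = "ec2:ResourceTag/User"
    return {
        "developer_instance": is_allowed(EC2_TAG_POLICY, "ec2:TerminateInstances", INSTANCE, {tag: "Developer"}),
        "ops_instance": is_allowed(EC2_TAG_POLICY, "ec2:TerminateInstances", INSTANCE, {tag: "Ops"}),
        "untagged_instance": is_allowed(EC2_TAG_POLICY, "ec2:TerminateInstances", INSTANCE),
        # Describe* calls are authorized against Resource "*" and carry no tag key.
        "describe": is_allowed(EC2_TAG_POLICY, "ec2:DescribeInstances", "*"),
    }


def s3_demo():
    """Decisions for the assumed S3 policy on the calls the terminal made."""
    obj, bucket = "arn:aws:s3:::wwps-dc-demo/encoded", "arn:aws:s3:::wwps-dc-demo"
    return {
        "put_object": is_allowed(S3_OBJECTS_ONLY_POLICY, "s3:PutObject", obj),
        "get_object": is_allowed(S3_OBJECTS_ONLY_POLICY, "s3:GetObject", obj),
        "list_bucket": is_allowed(S3_OBJECTS_ONLY_POLICY, "s3:ListBucket", bucket),
    }


if __name__ == "__main__":
    print(ec2_demo())
    print(s3_demo())
```

The cases worth attention are the wrong-tag and Describe requests: they miss the statement for different reasons (condition false versus resource mismatch) but produce the same silent AccessDenied that the S3 demo shows, which is why a least-privilege policy should be exercised against every call a workload actually makes before it goes live.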

Pages 30-31: Enhanced Security and Compliance with AWS (no text on these slides)

Page 32: Enhanced Security and Compliance with AWS

Control access and segregate duties everywhere

You get to control who can do what in your AWS environment, as well as when and from where
Fine-grained control of your AWS cloud with multi-factor authentication
Integrate with your existing Active Directory using federation and single sign-on

(diagram) AWS account owner; network management; security management; server management; storage management

Page 33: Enhanced Security and Compliance with AWS

Encrypt your sensitive information

• Native encryption across services for free
  – Amazon S3, EBS, Amazon RDS, Amazon Redshift
  – End-to-end SSL/TLS
• Scalable key management
  – AWS Key Management Service provides scalable, low-cost key management
  – AWS CloudHSM provides hardware-based, high assurance key generation, storage, and management
• Third-party encryption options
  – Trend Micro, SafeNet, Vormetric, Hytrust, Sophos, etc.

Page 34: Enhanced Security and Compliance with AWS

Enforce consistent security on servers

(diagram) EC2: template catalog -> running instance -> your instance
operating system: hardening, audit and logging, vulnerability management, malware and HIPS, whitelisting and integrity, user administration

Configure and harden EC2 instances to your own specs
Use host-based protection software
Manage administrative users
Enforce separation of duties and least privilege
Connect to your existing services (for example, SIEM), patching

Pages 35-36: Enhanced Security and Compliance with AWS (no text on these slides)

Page 37: Enhanced Security and Compliance with AWS

(diagram) virtual private cloud; Availability Zone; security group; user

Page 38: Enhanced Security and Compliance with AWS

Create flexible, resilient, segmented environments

(diagram) Your organization: project teams, marketing, business units, reporting, digital/websites, dev and test, Amazon Redshift, EMR, Analytics, internal enterprise apps, Amazon S3, Amazon Glacier, storage/backup

Page 39: Enhanced Security and Compliance with AWS (no text on this slide)

Page 40: Enhanced Security and Compliance with AWS

Understand configuration changes

• Automate IT asset inventory

• Discover and provision cloud services

• Audit and troubleshoot configuration changes in the cloud

Page 41: Enhanced Security and Compliance with AWS

Monitoring: Get consistent visibility of logs

Full visibility of your AWS environment
• CloudTrail will record access to API calls and save logs in your S3 buckets, no matter how those API calls were made
• Who did what and when and from where (IP address)
• CloudTrail support for a growing list of AWS services, including EC2, EBS, VPC, RDS, IAM, and Amazon Redshift
• Easily aggregate all log information
• Out-of-the-box integration with log analysis tools from AWS partners, including Splunk, AlertLogic, and SumoLogic
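CloudTrail answers the slide's question, who did what, when and from where, only if someone reads the records. The script below is an added example for this transcript, not AWS code and not an Evident signature; it runs offline over three hand-constructed records in the CloudTrail JSON record layout (the user name, IP addresses, account ID, role name and timestamps are invented) and, besides the one-line summary per record, flags the conditions the deck's top-10 list warns about: root credential use, a console login without MFA, and a denied API call.

```python
"""Triage of CloudTrail records. Added example for this transcript, not an AWS
tool or an Evident signature. SAMPLE_RECORDS is constructed by hand in the
CloudTrail record layout (eventTime, eventSource, eventName, userIdentity,
sourceIPAddress, additionalEventData, errorCode); all values are invented."""
import json

SAMPLE_RECORDS = json.loads("""
{"Records": [
 {"eventTime": "2015-06-25T14:02:11Z", "eventSource": "ec2.amazonaws.com",
  "eventName": "TerminateInstances", "awsRegion": "us-west-2",
  "sourceIPAddress": "203.0.113.10",
  "userIdentity": {"type": "IAMUser", "userName": "alice",
                   "sessionContext": {"attributes": {"mfaAuthenticated": "true"}}}},
 {"eventTime": "2015-06-25T14:05:40Z", "eventSource": "signin.amazonaws.com",
  "eventName": "ConsoleLogin", "awsRegion": "us-east-1",
  "sourceIPAddress": "198.51.100.7",
  "userIdentity": {"type": "Root", "accountId": "1234567890"},
  "additionalEventData": {"MFAUsed": "No"}},
 {"eventTime": "2015-06-25T14:09:02Z", "eventSource": "iam.amazonaws.com",
  "eventName": "CreateUser", "awsRegion": "us-east-1",
  "sourceIPAddress": "172.31.7.156",
  "userIdentity": {"type": "AssumedRole",
                   "arn": "arn:aws:sts::1234567890:assumed-role/demo-role/i-0abc123"},
  "errorCode": "AccessDenied"}
]}
""")["Records"]


def who(record):
    """Best human-readable principal: IAM user name, else the ARN, else the type."""
    ident = record.get("userIdentity", {})
    return ident.get("userName") or ident.get("arn") or ident.get("type", "unknown")


def summarize(record):
    """One line answering the slide's question: who did what, when, from where."""
    return "%s %s %s from %s" % (
        record["eventTime"], who(record), record["eventName"],
        record.get("sourceIPAddress", "?"))


def flags(record):
    """Conditions worth an alert, matching items 1 and 2 of the deck's top 10."""
    found = []
    if record.get("userIdentity", {}).get("type") == "Root":
        found.append("root-credentials-used")
    if (record.get("eventName") == "ConsoleLogin"
            and record.get("additionalEventData", {}).get("MFAUsed") == "No"):
        found.append("console-login-without-mfa")
    if record.get("errorCode"):  # denied calls reveal probing as well as mistakes
        found.append("error:" + record["errorCode"])
    return found


def triage(records):
    """Return (summary line, flag list) per record, in log order."""
    return [(summarize(r), flags(r)) for r in records]


if __name__ == "__main__":
    for line, found in triage(SAMPLE_RECORDS):
        print(line, " ".join(found))
```

Real trails arrive as gzipped JSON files in the S3 bucket the trail writes to, one "Records" array per file, so the same triage() runs unchanged over each file once it is decompressed and parsed.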

Page 42: Enhanced Security and Compliance with AWS

Getting some help – Trusted Advisor

• Performs a series of security configuration checks of your AWS environment:
  • Open ports
  • Unrestricted access
  • IAM use
  • CloudTrail logging
  • S3 bucket permissions
  • Multi-factor authentication
  • Password policy
  • DB access risk
  • DNS records
  • Load balancer config

Page 43: Enhanced Security and Compliance with AWS

Getting even more help – Evident.io

• Performs a larger series of security configuration checks of your AWS environment:
  • Open ports, unrestricted access
  • IAM use, encryption, policy, users
  • CloudTrail logging
  • S3 bucket permissions
  • Multi-factor authentication
  • Password policy
  • DNS records
  • Load balancer config
  • Route53 config
  • Credential rotation
• Over 100 security checks vs. Trusted Advisor's 12
• Custom signature flexibility

(screenshot) Evident dashboard

Page 44: Enhanced Security and Compliance with AWS

About Evident.io

Evident helps organizations of all sizes proactively manage information security risk and compliance of their entire global AWS infrastructure configuration, on a continuous basis.

We aim to be the de-facto platform for enhanced AWS security.

AWS Summit SF 2015

Page 45: Enhanced Security and Compliance with AWS

About the Evident security platform

- Continuous monitoring of AWS security configuration
- Enhanced visibility across AWS accounts
- Guided information security risk mitigation
- Rapid Evident activations in <= 10 minutes
- Custom signatures in Ruby or JavaScript
- Custom alert suppressions
- Third-party integrations with popular apps

(screenshot) Custom signature – CIS-hardened AMI for Ubuntu example

Page 46: Enhanced Security and Compliance with AWS

Evident native integrations: SQS, Slack, PagerDuty, HipChat, JIRA

Page 47: Enhanced Security and Compliance with AWS

AWS shared responsibilities - expanded

AWS:
- facilities
- physical security
- physical infrastructure
- network infrastructure
- virtualization infrastructure

Customer:
- operating system security
- patch management
- application configuration management
- identity and access management
- security groups, network ACLs
- VPC configuration
- S3 bucket policies
- IAM roles, policies, users, groups
- EBS, S3, RDS encryption
- for large environments, thousands to millions of logical controls to monitor

Page 48: Enhanced Security and Compliance with AWS

Potential risks

- business disruption
- financial losses
- loss of privacy
- reputational damage
- loss of client confidence
- legal penalties
- impaired growth
- loss of life

Page 49: Enhanced Security and Compliance with AWS

Potential threats

- angry employees
- dishonest employees
- criminals
- governments
- terrorists
- press
- competitors
- hackers
- Mother Nature

Page 50: Enhanced Security and Compliance with AWS

Potential vulnerabilities

- software bugs
- broken processes
- ineffective controls
- hardware flaws
- unauthorized changes
- legacy systems
- inadequate BCP
- human error
- misconfiguration

Page 51: Enhanced Security and Compliance with AWS

Top 10 AWS security best practices

1. Disable root API access key and secret key.
2. Enable MFA tokens everywhere.
3. Reduce number of IAM users with admin rights.
4. Use roles for EC2.
5. Least privilege: limit what IAM entities can do with strong/explicit policies.
6. Rotate all the keys regularly.
7. Use IAM roles with STS AssumeRole, where possible.
8. Use Auto Scaling to handle traffic spikes.
9. Do not allow 0.0.0.0/0 in any EC2/ELB security group unless you mean it.
10. Watch world-readable/listable S3 bucket policies.

(Based on our experience with Incident Response, top 10 to implement ASAP.)
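The "open ports / unrestricted access" check that Trusted Advisor and Evident run (slides 42 and 43), and item 9 of the list above, reduce to scanning every security group ingress rule for 0.0.0.0/0 or ::/0 and deciding which of those you "mean". The script below is an added example written for this transcript, not AWS or Evident code; it works on the data shape that boto3's ec2.describe_security_groups() returns, with a hand-constructed response standing in for the live call, and treats TCP 80 and 443 as the intentionally public ports (an assumption; set it to your own exposure policy).

```python
"""Security-group audit for rules open to the world. Added example for this
transcript, not AWS or Evident code. SAMPLE_RESPONSE is constructed by hand
in the shape of ec2.describe_security_groups(); group IDs and CIDRs are invented."""

WORLD = ("0.0.0.0/0", "::/0")

SAMPLE_RESPONSE = {
    "SecurityGroups": [
        {"GroupId": "sg-0web", "GroupName": "web-elb", "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        ]},
        {"GroupId": "sg-0ssh", "GroupName": "bastion", "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []},
        ]},
        {"GroupId": "sg-0any", "GroupName": "legacy-app", "IpPermissions": [
            # IpProtocol "-1" is "all traffic": no FromPort/ToPort keys at all.
            {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        ]},
    ]
}


def _world_cidrs(perm):
    """Every IPv4/IPv6 range on the rule that is the whole internet."""
    cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    return [c for c in cidrs if c in WORLD]


def find_open_ingress(response, allowed_public_ports=frozenset({80, 443})):
    """Return (group id, group name, protocol, (from, to), cidr) for every rule
    that is open to the world on anything other than a single allowed TCP port."""
    findings = []
    for sg in response["SecurityGroups"]:
        for perm in sg.get("IpPermissions", []):
            proto = perm.get("IpProtocol")
            if proto == "-1":
                ports = (0, 65535)  # all protocols, all ports
            else:
                ports = (perm.get("FromPort"), perm.get("ToPort"))
            for cidr in _world_cidrs(perm):
                intended = (proto == "tcp" and ports[0] == ports[1]
                            and ports[0] in allowed_public_ports)
                if not intended:
                    findings.append((sg["GroupId"], sg["GroupName"], proto, ports, cidr))
    return findings


if __name__ == "__main__":
    for finding in find_open_ingress(SAMPLE_RESPONSE):
        print("OPEN TO WORLD:", finding)
```

Against a real account, pass the dict returned by boto3.client("ec2").describe_security_groups() in place of SAMPLE_RESPONSE (paging with NextToken for large accounts). The all-traffic rule is the one most scanners miss when they key only on FromPort/ToPort, which is why the "-1" protocol is handled before the port comparison.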

Page 52: Enhanced Security and Compliance with AWS

“Based on our experience, I believe that we can be even more secure in the AWS cloud than in our own data centers.”

-Tom Soderstrom, CTO, NASA JPL

Page 53: Enhanced Security and Compliance with AWS

Thank You. This presentation will be loaded to SlideShare the week following the Symposium.

http://www.slideshare.net/AmazonWebServices