
©2020 SANS™ Institute | www.sans.org | Sponsored by:


How to Design a Least Privilege Architecture in AWS


Today’s Speakers

• Dave Shackleford – SANS Analyst

• Sagar Khasnis – AWS Partner Solutions Architect


Today’s Agenda

• Least Privilege Overview

• Identity and Access Management

• Network Segmentation for Access Control

• Cloud Security Posture Management

• A Least Privilege Use Case

• Next Steps

• Solutions in AWS Marketplace

• Customer Success


Least Privilege Overview

• Consistently implementing least privilege as a best practice has been a challenge:

– Determining the appropriate “least privilege” for a given use case is a surprisingly complex problem.

– It is easier to allocate more privileges than to limit access.

– The range of permissions and privilege models varies widely between environments and applications/services.

• Even successful least privilege implementations tend to shift and drift over time.


Least Privilege Concepts in the Cloud

• Security professionals are rethinking the approach to least privilege security concepts for the public cloud.

• Some key factors to address:

– Vanishing perimeter

– Application workloads

– Trust relationships

• Three pillars of cloud least privilege:

– Identity and access management

– Network access/segmentation

– Cloud security posture management


Identity and Access Management

• One of the most important aspects of cloud security is identity and access management (IAM).

• Defining roles, enabling strict access models and limiting the resources available to users and systems is a critical step in enabling a sound cloud security strategy overall.

• Use IAM policies to wrap each asset in an explicit, scoped grant, so that a least privilege architecture is enforced by policies binding specific principals to specific resources and actions rather than by convention.


IAM: User Relationships

• IAM users are associated with credentials (a console password and/or access keys) for making API calls to interact with cloud services, and they exist only within the cloud environment itself.

– Directory services like AD can be federated into the environment, with directory groups mapped to IAM groups/roles.

• New IAM users have no permissions: every request is implicitly denied until a policy explicitly allows it.

• IAM users can represent people or applications/services (for workloads running inside AWS, IAM roles with temporary credentials are the preferred alternative to long-lived user keys).

– Once you create service-oriented users, place them in defined groups and assign privileges to the groups.


IAM: Service Relationships

• For service interactions within the environment, cloud security teams should focus on defining specific roles for:

– AWS services (service roles that a service assumes on your behalf)

– Cross-account access

– Federation

– Identity providers (IdPs)


Least Privilege IAM for Cloud

• There are several distinct types of identity-focused least privilege orientation for cloud deployments and infrastructure:

– First, focus on the privileged users that need access to the cloud environment for administration, engineering and security-focused tasks.

– Second, consider the access model for deployment pipelines and their associated systems and services.

– Third, map the user, service and application relationships that are wholly contained within the cloud environment.

– Finally, carefully review the privileges of accounts that access other accounts’ services when a multi-account strategy is in place.


IAM Relationship Mapping

• Organizations need to successfully map cloud user and service relationships to create the most restrictive privilege models needed.

– IAM access advisor (the “last accessed” data for a user, group, role or policy) shows which AWS services the attached policies allow, which policies grant those permissions and when each service was last used, so permissions that are never exercised can be removed.

– AWS IAM Access Analyzer, a feature within AWS Identity and Access Management (IAM), goes further: it analyzes resource-based policies (for example on S3 buckets, IAM roles, KMS keys, Lambda functions and SQS queues) and reports a finding for every resource that grants access to a principal outside your account or organization.
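The following is an added example (not code from the webinar or from AWS) that reimplements the core question Access Analyzer answers for the resource types it evaluates (the S3 buckets, IAM roles, KMS keys, Lambda functions and SQS queues shown on the later Access Analyzer slide): which Allow statements in a resource-based policy name a principal outside the account’s zone of trust? The policies, ARNs, account IDs and the external ID value are constructed for the example; the real service also reasons about organization-wide zones of trust and condition keys such as aws:PrincipalOrgID, which this does not.

```python
"""Toy version of the external-access question IAM Access Analyzer answers.

Constructed example. Only the Principal element of Allow statements is
inspected; Conditions are reported, not evaluated.
"""

TRUSTED_ACCOUNT = "111122223333"   # assumed: the account that owns the resources


def _principals(stmt):
    """Yield (kind, value) pairs from a statement's Principal element."""
    p = stmt.get("Principal", {})
    if p == "*":                       # anonymous / public access
        yield ("AWS", "*")
        return
    for kind, values in p.items():     # keys: AWS, Service, Federated, CanonicalUser
        for v in values if isinstance(values, list) else [values]:
            yield (kind, v)


def _account_of(principal):
    """Return the 12-digit account ID of an AWS principal, or None if unknown."""
    if principal.isdigit() and len(principal) == 12:
        return principal
    if principal.startswith("arn:aws:iam::"):
        return principal.split(":")[4]
    return None


def external_access_findings(resources, trusted_account=TRUSTED_ACCOUNT):
    """One finding per Allow statement that grants a principal outside TRUSTED_ACCOUNT.

    resources: list of {"arn": ..., "policy": <resource-based policy dict>}.
    Service principals (e.g. apigateway.amazonaws.com) are AWS services, not
    foreign accounts, so they are skipped. Whether the statement carries a
    Condition is recorded so a reviewer can see if the grant is at least scoped.
    """
    findings = []
    for res in resources:
        for idx, stmt in enumerate(res["policy"]["Statement"]):
            if stmt.get("Effect") != "Allow":
                continue
            for kind, principal in _principals(stmt):
                if kind == "Service":
                    continue
                if principal == "*":
                    scope = "public"
                elif _account_of(principal) == trusted_account:
                    continue                 # inside the zone of trust
                else:
                    scope = "external:" + (_account_of(principal) or principal)
                findings.append({"resource": res["arn"], "statement": idx,
                                 "principal": principal, "scope": scope,
                                 "actions": stmt["Action"],
                                 "conditional": "Condition" in stmt})
    return findings


# Constructed sample resources: S3 bucket, KMS key, SQS queue, IAM role trust
# policy and Lambda function policy.
SAMPLE_RESOURCES = [
    {"arn": "arn:aws:s3:::public-assets",
     "policy": {"Version": "2012-10-17", "Statement": [
         {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
          "Resource": "arn:aws:s3:::public-assets/*"}]}},
    {"arn": "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
     "policy": {"Version": "2012-10-17", "Statement": [
         {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
          "Action": "kms:*", "Resource": "*"},
         {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::444455556666:role/etl"},
          "Action": ["kms:Decrypt", "kms:DescribeKey"], "Resource": "*"}]}},
    {"arn": "arn:aws:sqs:us-east-1:111122223333:orders",
     "policy": {"Version": "2012-10-17", "Statement": [
         {"Effect": "Allow", "Principal": {"AWS": "111122223333"},
          "Action": "sqs:SendMessage",
          "Resource": "arn:aws:sqs:us-east-1:111122223333:orders"}]}},
    {"arn": "arn:aws:iam::111122223333:role/vendor-audit",
     "policy": {"Version": "2012-10-17", "Statement": [
         {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::444455556666:root"},
          "Action": "sts:AssumeRole",
          "Condition": {"StringEquals": {"sts:ExternalId": "example-external-id"}}}]}},
    {"arn": "arn:aws:lambda:us-east-1:111122223333:function:orders-api",
     "policy": {"Version": "2012-10-17", "Statement": [
         {"Effect": "Allow", "Principal": {"Service": "apigateway.amazonaws.com"},
          "Action": "lambda:InvokeFunction",
          "Resource": "arn:aws:lambda:us-east-1:111122223333:function:orders-api"}]}},
]


if __name__ == "__main__":
    for f in external_access_findings(SAMPLE_RESOURCES):
        print(f"{f['scope']:<24} {f['resource']}  stmt#{f['statement']}  "
              f"{f['actions']}  conditional={f['conditional']}")
```

Run against the sample it reports three grants to review: the public bucket, the KMS key statement for the foreign ETL role, and the role trust policy for the foreign account (the last one at least carries an ExternalId condition). The same-account SQS policy and the Lambda permission for the API Gateway service principal produce no finding.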


Least Privilege: AWS Accounts

• As an isolation and segmentation technique, each AWS account is a completely isolated set of resources; access between accounts exists only where it is explicitly configured (cross-account roles or resource-based policies).

• AWS Organizations is a service that organizations can use to define policies and guardrails to apply across multiple AWS accounts.

– With AWS Organizations, you can create service control policies (SCPs) that set the maximum permissions available to any principal in a member account. An SCP grants nothing by itself: an action must be allowed both by the SCPs in effect and by an IAM policy, and an explicit deny in either wins.
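To make the SCP rule concrete, here is an added example (not from the webinar or from AWS) that models the simplified evaluation order for a principal in a member account: an explicit deny wins, every SCP on the path must allow the action, and only then does an identity-based allow grant it, with implicit deny otherwise. The policies, account ID and ARNs are constructed; the model omits NotAction, Conditions, permissions boundaries, session policies and resource-based policies.

```python
"""Toy model of how AWS evaluates a request for a principal in a member
account, to show what an SCP does and does not do. Constructed example.
"""
import fnmatch


def _matches(patterns, value, fold_case):
    """IAM-style wildcard match; action names are case-insensitive, ARNs are not."""
    if not isinstance(patterns, list):
        patterns = [patterns]
    if fold_case:
        return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in patterns)
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def _policy_results(policy, action, resource):
    """Effects ('Allow'/'Deny') of every statement in POLICY matching the request."""
    out = []
    for stmt in policy["Statement"]:
        if _matches(stmt.get("Action", []), action, fold_case=True) and \
           _matches(stmt.get("Resource", "*"), resource, fold_case=False):
            out.append(stmt["Effect"])
    return out


def evaluate(action, resource, identity_policies, scps=()):
    """Decide ACTION on RESOURCE for a principal in a member account.

    identity_policies: policies attached to the user, its groups or its role.
    scps: every SCP on the path from the root to the account (all must allow).
    SCPs never grant anything; they only cap what identity policies may grant
    (and they do not apply to the organization's management account).
    """
    identity = [r for p in identity_policies for r in _policy_results(p, action, resource)]
    per_scp = [_policy_results(p, action, resource) for p in scps]

    # 1. An explicit Deny anywhere wins.
    if "Deny" in identity or any("Deny" in rs for rs in per_scp):
        return "Deny (explicit)"
    # 2. Every SCP must contain an Allow for the action, or it is outside the ceiling.
    if any("Allow" not in rs for rs in per_scp):
        return "Deny (outside SCP ceiling)"
    # 3. Only now does an identity-based Allow grant the request.
    if "Allow" in identity:
        return "Allow"
    # 4. Nothing matched: the implicit deny every new IAM user starts with.
    return "Deny (implicit)"


# Constructed sample policies.
READ_LOGS = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::app-logs", "arn:aws:s3:::app-logs/*"]}]}

ADMIN = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"}]}

# Guardrail SCP: allow everything, but nobody in the account may stop logging.
GUARDRAIL_SCP = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Deny", "Action": ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail"],
     "Resource": "*"}]}

# Allow-list SCP for an OU that only needs S3, EC2 and CloudWatch.
ALLOWLIST_SCP = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:*", "ec2:*", "cloudwatch:*"], "Resource": "*"}]}

LOG_OBJECT = "arn:aws:s3:::app-logs/2020/03/17.gz"
TRAIL = "arn:aws:cloudtrail:us-east-1:111122223333:trail/org-trail"


def demo():
    """Run the representative cases and return their verdicts."""
    return {
        "new user, no policy":          evaluate("s3:GetObject", LOG_OBJECT, []),
        "reader reads a log object":    evaluate("s3:GetObject", LOG_OBJECT, [READ_LOGS]),
        "reader writes a log object":   evaluate("s3:PutObject", LOG_OBJECT, [READ_LOGS]),
        "admin stops CloudTrail":       evaluate("cloudtrail:StopLogging", TRAIL,
                                                 [ADMIN], [GUARDRAIL_SCP]),
        "admin creates IAM user in OU": evaluate("iam:CreateUser", "*",
                                                 [ADMIN], [GUARDRAIL_SCP, ALLOWLIST_SCP]),
        "admin launches EC2 in OU":     evaluate("ec2:RunInstances", "*",
                                                 [ADMIN], [GUARDRAIL_SCP, ALLOWLIST_SCP]),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:<30} -> {verdict}")
```

The two admin cases are the point: a full-access identity policy still cannot stop CloudTrail under the guardrail SCP, and under the allow-list SCP it cannot touch IAM at all, because the SCP never listed iam:* even though it never denied it either.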


Multi-Account Architecture

• Setting up and configuring a multi-account architecture has long been considered challenging and complicated, especially for large organizations.

• A sample multi-account framework to start from, the AWS Landing Zone solution, has been available for years.

• A newer service, AWS Control Tower, can automatically deploy a multi-account starting architecture.

– It creates and enforces defensive guardrails such as AWS Config monitoring rules, infrastructure-as-code definitions in AWS CloudFormation and strict identity policies (SCPs) that restrict permissions and privileges across accounts.


Least Privilege: Networking

• The second major component of a traditional least privilege design model is network segmentation that is closely aligned with a specific type of system or workload, often termed microsegmentation.

• A least privilege concept of network segmentation strives to prevent would-be attackers from using unapproved network connections to compromise systems, move laterally from a compromised application or system, or perform any illicit network activity, regardless of environment.


Microsegmentation with Cloud-Native Controls

• The first category of focus for any cloud network isolation and segmentation should be the core network zone associated with cloud accounts.

– In AWS, this is the virtual private cloud (VPC), which can contain any number of distinct subnets.

• AWS has two built-in types of network access and isolation controls: security groups and network access control lists (network ACLs).

– Use security groups and network ACLs to control traffic into and out of network deployments.


Security Groups vs. NACLs

Security Groups                                              | NACLs
-------------------------------------------------------------|-----------------------------------------------------------
Apply to instances (attached to their network interfaces)    | Operate on VPC subnets
Only support Allow rules (layered on a default Deny)         | Support both Allow and Deny rules
Are stateful: return traffic of an allowed flow is allowed   | Are not stateful: return traffic needs its own rule
Are considered in their entirety before traffic is allowed   | Are processed in numerical order; the first match wins
Must be associated with an instance to apply                 | Apply automatically to all instances in a subnet
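The differences in the table are easiest to see on a concrete flow. The following added example (not from the webinar) models both controls as tiny packet filters and runs the same HTTPS and SSH requests through them; the addresses and rule sets are constructed. It shows the stateless pitfall (a network ACL without an outbound ephemeral-port rule silently drops the server’s replies) and the ordering pitfall (a lower-numbered Deny shadows a later Allow for the same traffic).

```python
"""Toy packet filter contrasting a security group with a network ACL.

Constructed example. Security group: Allow rules only, every rule is
considered (any match allows), stateful. Network ACL: numbered Allow/Deny
rules evaluated in ascending order, first match wins, an implicit final rule
denies, and it is stateless, so the reply direction needs its own rule
(typically ephemeral ports 1024-65535).
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int
    sport: int = 51000          # an ephemeral client port


def _in_cidr(cidr, addr):
    return ipaddress.ip_address(addr) in ipaddress.ip_network(cidr, strict=False)


@dataclass
class SecurityGroup:
    inbound: list               # (proto, port_from, port_to, source_cidr); all Allow

    def allows_request(self, pkt):
        # All rules are considered; any matching rule permits the packet.
        return any(pkt.proto == proto and lo <= pkt.dport <= hi and _in_cidr(cidr, pkt.src)
                   for proto, lo, hi, cidr in self.inbound)

    def allows_reply(self, request):
        # Stateful: the reply to a permitted request is permitted automatically,
        # whatever the outbound rules say.
        return self.allows_request(request)


@dataclass
class NetworkAcl:
    rules: list                 # (number, direction, proto, port_from, port_to, cidr, action)

    def decide(self, pkt, direction):
        """Return (action, rule_number) of the first matching rule, in numeric order."""
        remote = pkt.src if direction == "inbound" else pkt.dst
        for num, d, proto, lo, hi, cidr, action in sorted(self.rules, key=lambda r: r[0]):
            if d == direction and proto == pkt.proto and lo <= pkt.dport <= hi \
                    and _in_cidr(cidr, remote):
                return action, num
        return "deny", "*"      # the implicit final rule


def check_flow(sg, nacl, request):
    """(request allowed, reply allowed) under each control for one client->server flow."""
    reply = Packet(src=request.dst, dst=request.src, proto=request.proto,
                   dport=request.sport, sport=request.dport)
    return {
        "sg":   (sg.allows_request(request), sg.allows_reply(request)),
        "nacl": (nacl.decide(request, "inbound")[0] == "allow",
                 nacl.decide(reply, "outbound")[0] == "allow"),
    }


# Constructed sample rules.
NACL_RULES = [
    (100, "inbound",  "tcp",  443,   443, "10.88.0.0/16", "allow"),
    (110, "inbound",  "tcp",   22,    22, "0.0.0.0/0",    "deny"),
    (120, "inbound",  "tcp",   22,    22, "10.88.2.0/24", "allow"),  # never reached: 110 wins
    (100, "outbound", "tcp", 1024, 65535, "0.0.0.0/0",    "allow"),  # replies to ephemeral ports
]


def demo():
    sg = SecurityGroup(inbound=[("tcp", 443, 443, "10.88.0.0/16")])
    nacl = NetworkAcl(NACL_RULES)
    nacl_no_ephemeral = NetworkAcl([r for r in NACL_RULES if r[1] != "outbound"])
    https = Packet(src="10.88.2.10", dst="10.88.1.5", proto="tcp", dport=443)
    ssh = Packet(src="10.88.2.10", dst="10.88.1.5", proto="tcp", dport=22)
    return {
        "https":                    check_flow(sg, nacl, https),
        "https, no ephemeral rule": check_flow(sg, nacl_no_ephemeral, https),
        "ssh":                      check_flow(sg, nacl, ssh),
        "ssh rule hit":             nacl.decide(ssh, "inbound"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:<26} {result}")
```

With the outbound ephemeral rule removed, the ACL still admits the HTTPS request but drops the reply, while the security group keeps working because it tracks state. For SSH from the 10.88.2.0/24 subnet, rule 120 would allow it but rule 110 is evaluated first and denies it.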


Advanced Network Security Segmentation and Access Controls

• To segment and control traffic at the application layer, or to define policies based on application details and protocols, a third-party solution likely makes more sense.

• Most major network security vendors offer enterprise-class solutions for the major cloud providers that provide more granular policies and monitoring.

• Today’s next-generation firewall (NGFW) platforms are often used to provide network intrusion detection and prevention, traffic inspection and behavioral monitoring, and centralized configuration and administration.


Segmentation/Isolation Best Practices

• Consider what types of architectures make the most sense:

– Subnets vs. VPCs and VPC peering

– VPC peering enables organizations to couple distinct VPCs together, allowing assets in one network to talk to assets in another.

• VPC peering is not transitive: if VPC A is peered with B and B with C, A still cannot reach C through B. Every pair of VPCs that needs to communicate requires its own peering connection (and matching routes), so the number of connections grows quadratically with the number of VPCs.

– For that case another construct, AWS Transit Gateway, acts as a hub to which each VPC attaches once, which simplifies multi-VPC architectures significantly; its route tables still let you decide which attached VPCs may reach which.


Cloud Security Posture Management

• Cloud security posture management (CSPM) tools can assess the actual control plane of the cloud environments in use for compliance assessment, operational monitoring, DevOps integrations, risk identification and risk visualization.

• Because many cloud platform settings relate to networking and IAM configuration, CSPM continuous monitoring can be invaluable.
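As one concrete instance of the kind of control-plane check a CSPM tool or an AWS Config rule runs continuously, here is an added example (not from the webinar or from any CSPM product) that scans a DescribeSecurityGroups-shaped response for administrative ports open to the whole Internet. The security groups in it are constructed, with an offending rule and its corrected form side by side; in production the same function would be fed the real API response.

```python
"""One CSPM-style control-plane check: does any security group expose an
administrative port (SSH 22, RDP 3389) to the whole Internet?

Constructed example. The input has the shape of an EC2 DescribeSecurityGroups
response so the check can be pointed at a real one.
"""
import ipaddress

ADMIN_PORTS = (22, 3389)


def _covers_port(perm, port):
    """True if the IpPermission entry includes PORT (protocol -1 means all traffic)."""
    proto = perm.get("IpProtocol")
    if proto == "-1":
        return True
    if proto not in ("tcp", "6"):
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)


def _is_world(cidr):
    """0.0.0.0/0 or ::/0."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def admin_ports_open_to_world(describe_sg_response):
    """Return a NON_COMPLIANT finding for every group/port pair reachable from anywhere."""
    findings = []
    for sg in describe_sg_response["SecurityGroups"]:
        for perm in sg.get("IpPermissions", []):
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])] + \
                    [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            world = [c for c in cidrs if _is_world(c)]
            for port in ADMIN_PORTS:
                if world and _covers_port(perm, port):
                    findings.append({"GroupId": sg["GroupId"], "VpcId": sg["VpcId"],
                                     "Port": port, "Sources": world,
                                     "Status": "NON_COMPLIANT"})
    return findings


# Constructed DescribeSecurityGroups output (four groups in one VPC).
SAMPLE_RESPONSE = {"SecurityGroups": [
    # Fine: a public web tier on 443 only.
    {"GroupId": "sg-0aaa", "GroupName": "web", "VpcId": "vpc-0123",
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                        "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    # Weak: SSH from anywhere.
    {"GroupId": "sg-0bbb", "GroupName": "bastion-bad", "VpcId": "vpc-0123",
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                        "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    # Weak: all traffic from any IPv6 source (a -1 rule carries no ports).
    {"GroupId": "sg-0ccc", "GroupName": "legacy-all", "VpcId": "vpc-0123",
     "IpPermissions": [{"IpProtocol": "-1", "IpRanges": [],
                        "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    # Corrected: SSH only from the corporate range.
    {"GroupId": "sg-0ddd", "GroupName": "bastion-good", "VpcId": "vpc-0123",
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                        "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []}]},
]}


if __name__ == "__main__":
    for f in admin_ports_open_to_world(SAMPLE_RESPONSE):
        print(f"{f['Status']} {f['GroupId']} port {f['Port']} open to {', '.join(f['Sources'])}")
```

The check deliberately treats an all-traffic (-1) rule as covering every port, which is how the IPv6-only legacy group ends up with two findings; a check that only looked at FromPort/ToPort would miss it.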


A Least Privilege Use Case

• For an organization planning to deploy to a platform-as-a-service (PaaS) or infrastructure-as-a-service (IaaS) cloud environment with a focus on least privilege, there are multiple recommended steps:

– Identify roles and responsibilities for team members requiring access to the cloud infrastructure.

– Determine the type of network access needed.

– Evaluate IAM roles and privilege assignments.

– Monitor the cloud control plane.


Next Steps

• A least privilege cloud architecture should include authentication and authorization controls, network access and inspection controls, and monitoring/enforcement controls for both the network and workloads.

– To implement a least privilege cloud environment, start with user and administrative access, followed by multi-account identity management, if applicable.

– From there, focus on network architecture and access control design.

– Once the cloud environment is up and running, a CSPM platform may make sense.


© 2020, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

Designing a least privilege architecture in AWS


AWS services that enable network segmentation

[Figure: AWS security services arranged by the Identify / Protect / Detect / Respond / Recover functions. Services shown: AWS Security Hub, AWS Organizations, AWS Control Tower, AWS Well-Architected Tool, AWS Identity and Access Management, Amazon Cloud Directory, Amazon VPC, Amazon VPC PrivateLink, AWS Transit Gateway, AWS Resource Access Manager, AWS Firewall Manager, Amazon GuardDuty, Amazon Macie, Amazon Detective; Respond: Investigate, Automate; Recover: Snapshot, Archive.]


Implementing least privilege with AWS IAM Access Analyzer

[Figure: within an account, Access Analyzer evaluates the resource-based policies on S3 buckets, IAM roles, KMS keys, Lambda functions and SQS queues and produces findings that answer “who has access to what”.]


Leveraging VPC Traffic Mirroring for network segmentation

• Enhance monitoring of traffic patterns and flow within your environment

• Enable inspection of inbound and outbound traffic

[Figure: an AWS Cloud VPC with an Internet gateway. In one Availability Zone, subnet 10.88.2.0/24, a Source Instance (eth0, eth1) is reached for remote administration; Traffic Mirroring copies its traffic to a Destination Instance (ens5, ens6) in a second Availability Zone (the slide labels both subnets 10.88.2.0/24).]


How are AWS customers leveraging Palo Alto Networks?

• Verify all users, devices and applications

• Provide complete visibility into traffic through Layer 7

• Enforce policies consistently to aid segmentation


Western Asset Management mitigates risk with Prisma Cloud by Palo Alto Networks

Benefits:

• Full network visibility

• Incident and misconfiguration response times reduced from days to minutes

• Built-in compliance reporting eliminates manually sifting through audit files


FNTS achieves secure network segmentation utilizing VM-Series firewalls by Palo Alto Networks

Benefits:

• Enhanced protection of inbound, outbound, and east-west network traffic

• Achieved a single, consistent management console across the entire environment

• Gained the ability to auto-scale provisioning and de-provisioning


Epsilon boosts network visibility and control leveraging Aviatrix’s Secure Networking Platform

Benefits:

• Increased visibility and troubleshooting

• Established profile-based remote user access control

• Secured connectivity between Amazon VPCs and on-premises resources


Vonage prevents lateral threats using Edgewise Zero Trust Auto-Segmentation

Benefits:

• Fully automated micro-segmentation

• Environment can now be mapped out in 20 minutes vs. 2 months

• Increased lateral protection across its networks


Why AWS Marketplace?

• Flexible consumption and contract models

• Quick and easy deployment

• Helpful humans to support you


How can you get started?

Find: a breadth of security solutions.

Buy, through flexible pricing options:

• Free trial

• Pay-as-you-go

• Hourly | Monthly | Annual | Multi-Year

• Bring Your Own License (BYOL)

• Seller Private Offers

• Channel Partner Private Offers

Deploy, with multiple deployment options:

• Software as a Service (SaaS)

• Amazon Machine Image (AMI)

• AWS CloudFormation (Infrastructure as Code)

• Amazon Elastic Container Service (ECS)

• Amazon Elastic Kubernetes Service (EKS)


Webinar summary

• New tools? Select solutions in AWS Marketplace for a curated list proven on AWS.

• Current tools? Bring your own license to leverage the benefits of AWS Marketplace.

• Leverage AWS services that integrate with your AWS environment and can enhance your network segmentation capabilities.

• Consider combining network segmentation with a least privilege architecture to boost your security controls in AWS.


Q&A

Please use GoToWebinar’s Questions tool to submit questions to our panel.

Send to “Organizers” and tell us if it’s for a specific panelist.


Acknowledgments

Thanks to our sponsor.

To our special guest: Sagar Khasnis.

And to our attendees, thank you for joining us today!