Page 1
Network Security & Access Control in AWS
Ian Massingham, Technical Evangelist (@IanMmmm)
© 2015, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Page 2
AWS Account Security
Day One Governance
Page 3
Account Governance – New Accounts
• AWS Config
• AWS CloudTrail
• InfoSec’s Cross-Account Roles
• AWS Account Credential Management (“Root Account”)
• Federation
• AWS Account Ownership
• AWS Account Contact Information
• AWS Sales and Support Relationship
• Baseline Requirements
Page 4
Account Governance – Existing Accounts
• AWS Account Ownership
• AWS Account Contact Information
• AWS Sales and Support Relationship
• Baseline Requirements
• AWS Config
• AWS CloudTrail
• InfoSec’s Cross-Account Roles
• Federation
• AWS Account Credential Management (“Root Account”)
Page 5
AWS Identity & Access Management
Overview of Core Principles
Page 6
AWS Identity & Access Management
IAM Users, IAM Groups, IAM Roles
Page 7
Policy specification basics
JSON-formatted documents
Contain a statement (permissions) that specifies:
• Which actions a principal can perform
• Which resources can be accessed
    {
      "Statement": [{
        "Effect": "effect",
        "Principal": "principal",
        "Action": "action",
        "Resource": "arn",
        "Condition": {
          "condition": { "key": "value" }
        }
      }]
    }
PARC: Principal, Action, Resource, Condition
You can have multiple statements and each statement is comprised of PARC.
Page 8
Managing your policies
Page 9
IAM policies
• Managed policies (newer way)
    • Can be attached to multiple users, groups, and roles
    • AWS managed policies: Created and maintained by AWS
    • Customer managed policies: Created and maintained by you
    • Up to 5K per policy
    • Up to 5 versions of a policy so you can roll back to a prior version
    • You can attach 10 managed policies per user, group, or role
    • You can limit who can attach which managed policies
• Inline policies (older way)
    • You create and embed directly in a single user, group, or role
    • Variable policy size (2K per user, 5K per group, 10K per role)
Page 10
Resource-based policies
IAM policies live with:
• IAM users
• IAM groups
• IAM roles
Some services allow storing policy with resources:
• S3 (bucket policy)
• Amazon Glacier (vault policy)
• Amazon SNS (topic policy)
• Amazon SQS (queue policy)
• AWS KMS (key policy)
    {
      "Statement": {
        "Effect": "Allow",
        "Principal": {"AWS": "111122223333"},
        "Action": "sqs:SendMessage",
        "Resource": "arn:aws:sqs:us-east-1:444455556666:queue1"
      }
    }
Page 11
AWS CloudTrail
Page 12
Introduction to AWS CloudTrail
You are making API calls... on a growing set of AWS services around the world... CloudTrail is continuously recording API calls.
(Diagram labels: SDK, AWS CLI, AWS Management Console; CloudTrail; S3 Bucket; CloudWatch; Redshift; VPC; Store/Archive; Troubleshoot; Monitor & Alarm.)
Page 13
Use cases enabled by CloudTrail
• IT and security administrators can perform security analysis
• IT administrators and DevOps engineers can attribute changes on AWS resources to the identity, time and other critical details of who made the change
• DevOps engineers can troubleshoot operational issues
• IT Auditors can use log files as a compliance aid
(Security at Scale: Logging in AWS white paper)
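The attribution and security-analysis use cases above can be exercised offline against a CloudTrail log file. The following is an added example, not code from the talk: it parses the {"Records": [...]} layout CloudTrail delivers to S3, keeps the calls that change state, and reports who made each one, when, from which address and on which resource, and separately lists calls made with root credentials (the credential the governance slides want managed rather than used). The three records, account number, ARNs and IP addresses are constructed; the read-only name heuristic (Describe*/Get*/List*/Lookup*) is an assumption applied only to records that carry no readOnly field.

```python
import json
from datetime import datetime, timezone

# Constructed sample: one CloudTrail log file as delivered to S3 ({"Records": [...]}),
# trimmed to the fields this example reads.
SAMPLE_LOG_FILE = json.dumps({"Records": [
    {"eventVersion": "1.03", "eventTime": "2015-10-07T18:20:11Z",
     "eventSource": "ec2.amazonaws.com", "eventName": "AuthorizeSecurityGroupIngress",
     "awsRegion": "us-west-2", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"},
     "requestParameters": {"groupId": "sg-0a1b2c3d", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22}]}}},
    {"eventVersion": "1.03", "eventTime": "2015-10-07T18:21:40Z",
     "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "awsRegion": "us-west-2", "sourceIPAddress": "203.0.113.11",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/bob"},
     "requestParameters": None},
    {"eventVersion": "1.03", "eventTime": "2015-10-07T18:25:02Z",
     "eventSource": "iam.amazonaws.com", "eventName": "CreateUser",
     "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"},
     "requestParameters": {"userName": "svc-backup"}},
]})

# Keys CloudTrail commonly uses in requestParameters to name the affected resource.
RESOURCE_KEYS = ("groupId", "instanceId", "bucketName", "userName", "roleName",
                 "policyArn", "vpcId", "trailName", "keyId")
# Heuristic (assumption) for records without a readOnly field.
READ_ONLY_PREFIXES = ("Describe", "Get", "List", "Lookup")


def parse_records(log_file_text):
    """Parse one CloudTrail log file (the JSON document CloudTrail writes to S3)."""
    return json.loads(log_file_text)["Records"]


def is_mutating(record):
    """True for calls that change state: CloudTrail's readOnly flag when present,
    otherwise the name-prefix heuristic above."""
    if "readOnly" in record:
        return not record["readOnly"]
    return not record["eventName"].startswith(READ_ONLY_PREFIXES)


def resource_of(record):
    """Best-effort name of the resource a call touched."""
    params = record.get("requestParameters") or {}
    for key in RESOURCE_KEYS:
        if key in params:
            return params[key]
    return None


def attribute_changes(records):
    """Map every mutating call to the identity, time and origin that made it."""
    changes = []
    for rec in records:
        if not is_mutating(rec):
            continue
        when = datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
        changes.append({
            "who": rec["userIdentity"]["arn"],
            "identity_type": rec["userIdentity"]["type"],
            "when": when.replace(tzinfo=timezone.utc),
            "from_ip": rec.get("sourceIPAddress"),
            "action": rec["eventSource"].split(".")[0] + ":" + rec["eventName"],
            "region": rec["awsRegion"],
            "resource": resource_of(rec),
        })
    return changes


def root_activity(records):
    """Security analysis: calls made with the account's root credentials."""
    return [rec for rec in records if rec["userIdentity"].get("type") == "Root"]


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG_FILE)
    for change in attribute_changes(recs):
        print(f'{change["when"].isoformat()} {change["who"]} {change["action"]} '
              f'{change["resource"]} from {change["from_ip"]}')
    print("root calls:", len(root_activity(recs)))
```

In practice the same functions run over every gzipped file under the trail's S3 prefix; only the loader changes.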
Page 14
Encrypted CloudTrail log files using SSE-KMS
• By default, CloudTrail encrypts log files using S3 server-side encryption
• Additional layer of security for your log files by encrypting with your KMS key
• Application logic for ingesting and processing log files stays the same
• S3 will decrypt on your behalf if your credentials have decrypt permissions
Page 15
Encrypting your log files using SSE-KMS
Step 1: Create or use an existing KMS key and apply policy
Step 2: Grant decrypt access to log readers
Step 3: Specify KMS key to CloudTrail
Step 4: S3 GetObject API call
Step 5: Decrypted CloudTrail log files
(Diagram: encrypted CloudTrail log files in S3.)
Page 16
CloudTrail log file integrity validation
Validate that a log file has not been changed since CloudTrail delivered the log file to your S3 bucket
Detect whether a log file was deleted or modified or unchanged
Use the tool as an aid in your IT security, audit and compliance processes
Page 17
AWS Config
Page 18
AWS Config
• Get inventory of AWS resources
• Discover new and deleted resources
• Record configuration changes continuously
• Get notified when configurations change
Page 19
(Diagram: AWS Config records changing resources, normalizes and stores them, and delivers a stream, snapshots (ex. 2014-11-05) and history through the AWS Config APIs.)
Page 20
AWS Config
Page 21
AWS Config
Page 22
Config Rules (preview)
• Set up rules to check configuration changes recorded
• Use pre-built rules provided by AWS
• Author custom rules using AWS Lambda
• Invoked automatically for continuous assessment
• Use dashboard for visualizing compliance and identifying offending changes
Page 23
(Diagram: AWS Config & Config Rules: the pipeline of the earlier diagram, recording, normalizing and storing changing resources and delivering a stream, snapshots (ex. 2014-11-05) and history through the AWS Config APIs, with Rules evaluated against the recorded changes.)
Page 24
AWS Config – Rules (example – instances must be tagged with a DataClassification)
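The custom rule named on this slide, written the way the "Author custom rules using AWS Lambda" bullet describes, as an added example that is not code from the talk. It is the handler AWS Config invokes: it unpacks invokingEvent and ruleParameters (both arrive as JSON strings), checks that an EC2 instance carries the tag and that the value is one of an allowed set, and returns the evaluation in the shape put_evaluations expects. The rule parameters requiredTag and allowedValues, the allowed classification values, and the sample event are assumptions made for the example; the talk only states that instances must carry a DataClassification tag.

```python
import json

# Constructed sample of the event AWS Config sends to a custom-rule Lambda
# function; invokingEvent and ruleParameters arrive as JSON strings.
SAMPLE_EVENT = {
    "invokingEvent": json.dumps({
        "messageType": "ConfigurationItemChangeNotification",
        "configurationItem": {
            "resourceType": "AWS::EC2::Instance",
            "resourceId": "i-0123456789abcdef0",
            "configurationItemStatus": "OK",
            "configurationItemCaptureTime": "2015-10-07T18:20:11.000Z",
            "tags": {"Name": "web1"},            # no DataClassification tag
        },
    }),
    # Rule parameters assumed for this example (the talk only names the tag).
    "ruleParameters": json.dumps({
        "requiredTag": "DataClassification",
        "allowedValues": "Public,Internal,Confidential,Restricted",
    }),
    "resultToken": "constructed-result-token",
}


def unpack_event(event=SAMPLE_EVENT):
    """Decode the two JSON-string fields of a Config rule event."""
    item = json.loads(event["invokingEvent"])["configurationItem"]
    params = json.loads(event.get("ruleParameters") or "{}")
    return item, params


def evaluate(item, params):
    """Return (ComplianceType, annotation) for one configuration item."""
    required = params.get("requiredTag", "DataClassification")
    allowed = {v.strip() for v in params.get("allowedValues", "").split(",") if v.strip()}
    if item["resourceType"] != "AWS::EC2::Instance" or item["configurationItemStatus"] == "ResourceDeleted":
        return "NOT_APPLICABLE", "rule only evaluates existing EC2 instances"
    value = (item.get("tags") or {}).get(required)
    if value is None:
        return "NON_COMPLIANT", f"missing tag {required}"
    if allowed and value not in allowed:
        return "NON_COMPLIANT", f"tag {required}={value!r} is not one of {sorted(allowed)}"
    return "COMPLIANT", f"tag {required}={value!r}"


def build_evaluation(event):
    """Evaluation record in the form AWS Config's PutEvaluations accepts."""
    item, params = unpack_event(event)
    compliance, note = evaluate(item, params)
    return {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": compliance,
        "Annotation": note[:256],          # Config limits annotations to 256 characters
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }


def lambda_handler(event, context):
    """Entry point in Lambda: evaluate, then report back to AWS Config."""
    evaluation = build_evaluation(event)
    import boto3  # present in the Lambda runtime; not needed for the offline run below
    boto3.client("config").put_evaluations(Evaluations=[evaluation],
                                           ResultToken=event["resultToken"])
    return evaluation


if __name__ == "__main__":
    print(json.dumps(build_evaluation(SAMPLE_EVENT), indent=2))
```

Keeping evaluate() free of AWS calls is what makes the rule testable before it is deployed; the handler only adds the PutEvaluations call.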
Page 25
AWS Network Security – Global Networking
Building a Robust Internet Architecture
Page 26
(Diagram: VPCs in AWS regions around the world: us-west-2, us-east-1, sa-east-1, ap-southeast-2, eu-central-1, eu-west-1, ap-southeast-1, ap-northeast-1.)
Page 27
(Diagram: VPCs in us-west-2 and eu-central-1 fronted by Amazon CloudFront, AWS WAF and Amazon Route 53.)
Page 28
CloudFront - Shield custom origin
• Shield your custom origin
• Whitelist Amazon CloudFront IP range
(Diagram: Amazon CloudFront and AWS WAF in front of a region containing an Amazon S3 bucket and a custom origin.)
Page 29
AWS Network Security - VPC
Building a Trust Zone architecture
Page 30
(Diagram: a VPC spanning Availability Zone A and Availability Zone B, each with a public subnet and two private subnets.)
Page 31
(Diagram: VPC CIDR 10.1.0.0/16; in each Availability Zone an ELB in the public subnet and Web and Back end tiers in the private subnets; each subnet's .1 address is the VPC router.)
Page 32
(Diagram: the same two-AZ VPC inside an AWS region, with the public subnets reaching the Internet through the IGW.)
Public Route Table
Destination   Target
10.1.0.0/16   Local
0.0.0.0/0     IGW
Page 33
Security Groups
(Diagram: VPC CIDR 10.1.0.0/16 with ELB, Web and Back end tiers in each Availability Zone, each tier in its own security group.)
• sg_ELB_FrontEnd (ELB Security Group)
• sg_Web_Frontend (Web Security Group)
• sg_Backend (Backend Security Group)
Page 34
Security Groups
Page 35
Security Groups
Page 36
Security Groups
Page 37
Security Groups
Page 38
Network Access Control Lists (NACLs)
(Diagram: the same two-AZ VPC with ELB, Web and Back end tiers, inside an AWS region.)
Page 39
(Diagram: the same two-AZ VPC with ELB, Web and Back end tiers, and the Internet outside the AWS region.)
And what if instances in a private subnet need to reach outside the VPC?
They have no route to the IGW and no public IP address.
Page 40
(Diagram: the same two-AZ VPC, with the Internet outside the AWS region.)
Why go outside?
• AWS API endpoints
• Regional services
• Third-party services
Page 41
To NAT, or not to NAT…
• Leave NAT for less bandwidth-critical connectivity
• Don’t bottleneck high-bandwidth-out workloads
• Run high-bandwidth components from public subnets
• Goal is full-instance bandwidth out of VPC
Page 42
EC2 status checks
CloudWatch per-instance metrics:
• StatusCheckFailed_System
• StatusCheckFailed_Instance
Page 43
Amazon CloudWatch alarm actions
• Instance status check fails? REBOOT
• System status check fails? RECOVER
Instance retains:
• Instance ID
• Instance metadata
• Private IP addresses
• Elastic IP addresses
• EBS volume attachments
Page 44
Amazon EC2 Auto Recovery
A few things to remember…
• Recover action only applies to system status checks
• Limited to C3, C4, M3, R3, and T2 instance types
• Cannot use local instance store
• Cannot be dedicated instances
• Use EC2ActionsAccess AWS Identity and Access Management (IAM) role
Page 45
Amazon EC2 Auto Recovery (CloudWatch Console)
• Metric = StatusCheckFailed_System
• Choose 1-minute period and statistic minimum
• Set your failed check threshold
• Choose recover action
Page 46
Amazon EC2 Auto Reboot (CloudWatch Console)
• Metric = StatusCheckFailed_Instance
• Choose reboot action
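The two alarms configured through the console on the last slides, as an added example that is not part of the talk: a pre-flight check that encodes the constraints from the "things to remember" slide (recover only for C3, C4, M3, R3 and T2, EBS-backed storage, not a dedicated instance) against describe-instances style records, and the alarm definitions with the settings shown (metric StatusCheckFailed_System or StatusCheckFailed_Instance, 1-minute period, statistic Minimum, a failed-check threshold you choose). The keys are the keyword arguments of boto3's put_metric_alarm; the three sample instances are constructed, and checking only RootDeviceType for the instance-store rule is a simplification.

```python
# Instance families eligible for the recover action, as listed in the 2015 talk.
RECOVERABLE_FAMILIES = {"c3", "c4", "m3", "r3", "t2"}

# Constructed describe-instances style records (only the fields consulted here).
SAMPLE_INSTANCES = {
    "i-0web0001": {"InstanceType": "t2.medium", "RootDeviceType": "ebs",
                   "Placement": {"Tenancy": "default"}},
    "i-0nat0001": {"InstanceType": "m3.medium", "RootDeviceType": "ebs",
                   "Placement": {"Tenancy": "dedicated"}},
    "i-0big0001": {"InstanceType": "i2.xlarge", "RootDeviceType": "instance-store",
                   "Placement": {"Tenancy": "default"}},
}


def recovery_blockers(instance):
    """Reasons (possibly none) why the recover action cannot be used for an instance."""
    blockers = []
    family = instance["InstanceType"].split(".")[0]
    if family not in RECOVERABLE_FAMILIES:
        blockers.append(f"instance type {instance['InstanceType']} is not eligible for recovery")
    # Simplification: only the root device is checked for local instance store.
    if instance.get("RootDeviceType") != "ebs":
        blockers.append("recover needs EBS-backed storage; instance-store root cannot be recovered")
    if instance.get("Placement", {}).get("Tenancy", "default") == "dedicated":
        blockers.append("dedicated instances cannot use the recover action")
    return blockers


def status_check_alarm(instance_id, region, action, failed_periods=2):
    """put_metric_alarm parameters for one status check.

    action="recover": alarm on StatusCheckFailed_System with the recover action;
    action="reboot":  alarm on StatusCheckFailed_Instance with the reboot action.
    failed_periods is the failed-check threshold chosen in the console."""
    metric = {"recover": "StatusCheckFailed_System",
              "reboot": "StatusCheckFailed_Instance"}[action]
    return {
        "AlarmName": f"{instance_id}-{action}",
        "Namespace": "AWS/EC2",
        "MetricName": metric,
        "Dimensions": [{"Name": "InstanceId", "Value": instance_id}],
        "Statistic": "Minimum",          # every sample in the period must have failed
        "Period": 60,                    # 1-minute period
        "EvaluationPeriods": failed_periods,
        "Threshold": 1,                  # the metric is 0 (passed) or 1 (failed)
        "ComparisonOperator": "GreaterThanOrEqualToThreshold",
        "AlarmActions": [f"arn:aws:automate:{region}:ec2:{action}"],
    }


def plan_alarms(instance_id, instance, region):
    """Auto Reboot applies to any instance; Auto Recovery only when nothing blocks it."""
    alarms = [status_check_alarm(instance_id, region, "reboot")]
    blockers = recovery_blockers(instance)
    if not blockers:
        alarms.append(status_check_alarm(instance_id, region, "recover"))
    return alarms, blockers


if __name__ == "__main__":
    for iid, inst in SAMPLE_INSTANCES.items():
        alarms, blockers = plan_alarms(iid, inst, "us-west-2")
        print(iid, [a["MetricName"] for a in alarms], blockers or "recoverable")
```

Run the pre-flight against the NAT instances of the HA NAT pattern before relying on the recover action; a NAT on an unsupported type silently gets reboot-only protection.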
Page 47
HA NAT with EC2 Auto Recovery + Auto Reboot
(Diagram: the two-AZ VPC with a NAT instance in each public subnet, Web and Back end tiers in the private subnets, and the Internet outside the AWS region.)
Average tested recovery time: ~1 to 4 minutes
Could be shorter or longer depending on nature of failure
Page 48
Pick a NAT, any NAT
Amazon Linux NAT Amazon Machine Image (AMI)
Page 49
Internal application to VPC
(Diagram: an AWS region with two VPCs, one hosting a public-facing web app and one an internal company app; the internal VPC is reached over a VPN connection from the customer network.)
Page 50
Internal application to VPC
(Diagram: intranet apps in private subnets in Availability Zone A and Availability Zone B; a Virtual Private Gateway terminates the VPN connection from the customer network, where the internal customers are.)
Private Route Table
Destination   Target
10.1.0.0/16   Local
Corp CIDR     VGW
Page 51
But apps want to leverage…
Amazon S3
…as a primary data store
Page 52
You really don’t want to do this:
(Diagram: intranet apps in the VPC reach Amazon S3 by going back over the VPN connection to the customer network, through the customer VPN and customer border router, and out over the Internet.)
Page 53
So do this instead:
(Diagram: intranet apps in the VPC reach Amazon S3 directly through a VPC endpoint; the VPN connection to the customer network stays in place.)
VPC Endpoints
• No IGW
• No NAT
• No public IPs
• Free
• Robust access control
Page 54
VPC endpoints
From the Amazon VPC User Guide:
“Currently, we support endpoints for connections with Amazon S3 within the same region only. We'll add support for other AWS services later.”
    $ aws ec2 describe-vpc-endpoint-services
    SERVICENAMES com.amazonaws.us-west-2.s3
Page 55
Creating S3 VPC endpoint
    aws ec2 create-vpc-endpoint \
      --vpc-id vpc-40f18d25 \
      --service-name com.amazonaws.us-west-2.s3 \
      --route-table-ids rtb-2ae6a24f rtb-61c78704
Private subnet
VPC Route Table
Destination                     Target
10.1.0.0/16                     Local
Corp CIDR                       VGW
Prefix List for S3 us-west-2    VPCE
Page 56
Creating S3 VPC endpoint
    aws ec2 create-vpc-endpoint \
      --vpc-id vpc-40f18d25 \
      --service-name com.amazonaws.us-west-2.s3 \
      --route-table-ids rtb-2ae6a24f rtb-61c78704
Public subnet
VPC Route Table
Destination                     Target
10.1.0.0/16                     Local
0.0.0.0/0                       IGW
Prefix List for S3 us-west-2    VPCE
Page 57
Prefix lists
    aws ec2 describe-prefix-lists
    PREFIXLISTS pl-68a54001 com.amazonaws.us-west-2.s3
    CIDRS 54.231.160.0/19
• Logical route destination target
• Dynamically translates to service IPs
• S3 IP ranges change over time
• S3 prefix lists abstract change
Page 58
Prefix lists
… and use them in security groups!
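An added example, not the talk's own code, that models security groups whose rule sources are a CIDR, a reference to another security group, or a prefix list, and so covers three slides at once: the three-tier trust zones from the Security Groups slide (sg_ELB_FrontEnd, sg_Web_Frontend, sg_Backend), the CloudFront origin allow-list from the "Shield custom origin" slide built from the CLOUDFRONT entries of ip-ranges.json, and the S3 prefix list used as an egress target as this slide suggests. The prefix list id, name and CIDR are those shown on the previous slide; the ports, the ip-ranges.json excerpt (documentation prefixes, not real CloudFront addresses), the sg_CustomOrigin group and the sample traffic are assumptions. Security groups are also stateful, which the model leaves out.

```python
import ipaddress
import json

# Constructed excerpt in the format of https://ip-ranges.amazonaws.com/ip-ranges.json
# (documentation prefixes stand in for the real CloudFront ranges).
IP_RANGES_JSON = json.dumps({
    "syncToken": "1444240000", "createDate": "2015-10-07-18-20-11",
    "prefixes": [
        {"ip_prefix": "203.0.113.0/24", "region": "GLOBAL", "service": "CLOUDFRONT"},
        {"ip_prefix": "198.51.100.0/25", "region": "us-west-2", "service": "CLOUDFRONT"},
        {"ip_prefix": "192.0.2.0/24", "region": "us-west-2", "service": "EC2"},
    ]})

# Stand-in for `aws ec2 describe-prefix-lists`, with the values shown in the talk.
PREFIX_LISTS = {"pl-68a54001": {"name": "com.amazonaws.us-west-2.s3",
                                "cidrs": ["54.231.160.0/19"]}}


def service_cidrs(ip_ranges_json, service):
    """Every prefix ip-ranges.json lists for one service, e.g. CLOUDFRONT."""
    return [ipaddress.ip_network(p["ip_prefix"])
            for p in json.loads(ip_ranges_json)["prefixes"] if p["service"] == service]


# Origin allow-list: one HTTPS rule per CloudFront prefix (assumed port 443).
CLOUDFRONT_ORIGIN_RULES = [("tcp", 443, 443, str(c))
                           for c in service_cidrs(IP_RANGES_JSON, "CLOUDFRONT")]

# Rules are (protocol, from_port, to_port, peer); peer is a CIDR, a security
# group name, or a prefix list id. Ports are assumptions; group names are the talk's.
SECURITY_GROUPS = {
    "sg_ELB_FrontEnd": {"ingress": [("tcp", 443, 443, "0.0.0.0/0")],
                        "egress": [("tcp", 80, 80, "sg_Web_Frontend")]},
    "sg_Web_Frontend": {"ingress": [("tcp", 80, 80, "sg_ELB_FrontEnd")],
                        "egress": [("tcp", 3306, 3306, "sg_Backend"),
                                   ("tcp", 443, 443, "pl-68a54001")]},   # S3 via the endpoint
    "sg_Backend": {"ingress": [("tcp", 3306, 3306, "sg_Web_Frontend")], "egress": []},
    "sg_CustomOrigin": {"ingress": CLOUDFRONT_ORIGIN_RULES, "egress": []},
}


def rule_matches(rule, protocol, port, peer_ip, peer_groups):
    """Does one rule admit this flow? peer_groups are the security groups of the
    other endpoint (used when the rule references a group instead of an address)."""
    rproto, lo, hi, peer = rule
    if rproto not in ("-1", protocol) or not lo <= port <= hi:
        return False
    if peer in SECURITY_GROUPS:                 # group reference: trust-zone chaining
        return peer in peer_groups
    if peer.startswith("pl-"):                  # prefix list: the service's current CIDRs
        cidrs = PREFIX_LISTS[peer]["cidrs"]
    else:
        cidrs = [peer]
    addr = ipaddress.ip_address(peer_ip)
    return any(addr in ipaddress.ip_network(c) for c in cidrs)


def permitted(group, direction, protocol, port, peer_ip, peer_groups=()):
    """Security groups are allow-lists: a flow passes only if some rule matches."""
    return any(rule_matches(r, protocol, port, peer_ip, set(peer_groups))
               for r in SECURITY_GROUPS[group][direction])


if __name__ == "__main__":
    print("internet -> ELB :443", permitted("sg_ELB_FrontEnd", "ingress", "tcp", 443, "198.51.100.200"))
    print("internet -> web :80 ", permitted("sg_Web_Frontend", "ingress", "tcp", 80, "198.51.100.200"))
    print("web -> S3 prefix    ", permitted("sg_Web_Frontend", "egress", "tcp", 443, "54.231.170.9"))
```

Because the CloudFront rules and the prefix list are derived rather than typed in, refreshing ip-ranges.json or re-reading the prefix list updates the allow-lists without touching the trust-zone rules.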
Page 59
Controlling VPC access to Amazon S3
IAM policy on VPCE:
    {
      "Statement": [{
        "Sid": "vpce-restrict-to-backup-bucket",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:PutObject"],
        "Effect": "Allow",
        "Resource": [
          "arn:aws:s3:::backups-reinvent2015",
          "arn:aws:s3:::backups-reinvent2015/*"
        ]
      }]
    }
(Diagram: a private subnet in the VPC; the endpoint checks “Backups bucket?” before forwarding the request.)
Page 60
Controlling VPC access to Amazon S3
S3 bucket policy:
    {
      "Statement": [{
        "Sid": "bucket-restrict-to-specific-vpce",
        "Principal": "*",
        "Action": "s3:*",
        "Effect": "Deny",
        "Resource": [
          "arn:aws:s3:::backups-reinvent2015",
          "arn:aws:s3:::backups-reinvent2015/*"
        ],
        "Condition": {
          "StringNotEquals": {"aws:sourceVpce": "vpce-bc42a4e5"}
        }
      }]
    }
(Diagram: a private subnet in the VPC; the bucket checks “From vpce-bc42a4e5?” before serving the request.)
Page 61
Controlling VPC access to Amazon S3
Recap on security layers:
1. Route table association
2. VPCE policy
3. Bucket policy
4. Security groups with prefix list
(Diagram: the four layers placed along the path from the private subnet in the VPC to S3.)
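Layers 2 and 3 of the recap, together with the PARC structure from the "Policy specification basics" slide and the resource-based policies slide, as an added example that is not part of the talk: a small evaluator for JSON policy statements (Effect, Action, Resource and the string Condition operators) applied to the VPCE policy and bucket policy from the two previous slides. The caller's identity policy is an assumption, Principal matching is not modelled (both policies on the slides use "*"), and the combination rule is a simplified same-account reading of IAM's logic: an explicit Deny wins, the endpoint policy must allow the call, and either the identity policy or the bucket policy must allow it.

```python
import json
import re

# Policies as shown on the slides.
VPCE_POLICY = json.loads("""{"Statement": [{"Sid": "vpce-restrict-to-backup-bucket",
  "Principal": "*", "Action": ["s3:GetObject", "s3:PutObject"], "Effect": "Allow",
  "Resource": ["arn:aws:s3:::backups-reinvent2015", "arn:aws:s3:::backups-reinvent2015/*"]}]}""")
BUCKET_POLICY = json.loads("""{"Statement": [{"Sid": "bucket-restrict-to-specific-vpce",
  "Principal": "*", "Action": "s3:*", "Effect": "Deny",
  "Resource": ["arn:aws:s3:::backups-reinvent2015", "arn:aws:s3:::backups-reinvent2015/*"],
  "Condition": {"StringNotEquals": {"aws:sourceVpce": "vpce-bc42a4e5"}}}]}""")
# Assumed identity policy of the backup job's role (not on the slides).
IDENTITY_POLICY = {"Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _glob(pattern, value):
    """IAM-style wildcard match: '*' any run of characters, '?' one character."""
    regex = "".join(".*" if ch == "*" else "." if ch == "?" else re.escape(ch) for ch in pattern)
    return re.fullmatch(regex, value) is not None


def _condition_holds(condition, context):
    """String operators only (StringEquals/NotEquals/Like/NotLike); keys are
    case-insensitive; a negated operator is true when the key is absent."""
    ctx = {k.lower(): v for k, v in context.items()}
    for operator, pairs in condition.items():
        negated, like = "Not" in operator, "Like" in operator
        for key, expected in pairs.items():
            actual = ctx.get(key.lower())
            if actual is None:
                if negated:
                    continue
                return False
            match = any((_glob(e, actual) if like else e == actual) for e in _as_list(expected))
            if match == negated:
                return False
    return True


def evaluate(policy, action, resource, context):
    """One policy's verdict: 'Deny' if a matching statement denies, 'Allow' if one
    allows, otherwise 'ImplicitDeny'. Principal is not evaluated."""
    verdict = "ImplicitDeny"
    for st in _as_list(policy["Statement"]):
        if not any(_glob(a.lower(), action.lower()) for a in _as_list(st["Action"])):
            continue
        if not any(_glob(r, resource) for r in _as_list(st["Resource"])):
            continue
        if not _condition_holds(st.get("Condition", {}), context):
            continue
        if st["Effect"] == "Deny":
            return "Deny"
        verdict = "Allow"
    return verdict


def s3_via_endpoint(action, resource, context, identity=IDENTITY_POLICY,
                    vpce=VPCE_POLICY, bucket=BUCKET_POLICY):
    """Combine the layers: Deny anywhere wins; the endpoint policy must allow;
    the identity policy or the bucket policy must allow. Returns (ok, verdicts)."""
    verdicts = {name: evaluate(p, action, resource, context)
                for name, p in (("identity", identity), ("vpce", vpce), ("bucket", bucket))}
    if "Deny" in verdicts.values() or verdicts["vpce"] != "Allow":
        return False, verdicts
    return verdicts["identity"] == "Allow" or verdicts["bucket"] == "Allow", verdicts


if __name__ == "__main__":
    obj = "arn:aws:s3:::backups-reinvent2015/db.dump"
    print(s3_via_endpoint("s3:GetObject", obj, {"aws:sourceVpce": "vpce-bc42a4e5"}))
    print(s3_via_endpoint("s3:GetObject", obj, {}))        # not through the endpoint at all
    print(s3_via_endpoint("s3:DeleteObject", obj, {"aws:sourceVpce": "vpce-bc42a4e5"}))
```

The third run shows the two policies working together: the bucket policy never denies the request (it came from the right endpoint), but the endpoint policy only allows GetObject and PutObject, so the delete falls through to an implicit deny.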
Page 62
Endpoints in action
(Diagram: intranet apps and a compliance app in private subnets of a VPC in an AWS region reach the Compliance and Backups buckets through two endpoints, VPCE1 and VPCE2.)
Page 63
Endpoints in action
(Diagram: the same, with further private subnets added.)
Page 64
VPC Flow Logs
Page 65
VPC Flow Logs
• Agentless
• Enable per ENI, per subnet, or per VPC
• Logged to AWS CloudWatch Logs
• Create CloudWatch metrics from log data
• Alarm on those metrics
Fields in each record: AWS account, interface, source IP, destination IP, source port, destination port, protocol, packets, bytes, start/end time, accept or reject
Page 66
VPC Flow Logs: Automation
(Diagram: the Elastic Network Interface of a compliance app in a private subnet feeds a Flow Log group in CloudWatch Logs; a metric filter on all SSH REJECT records drives a CloudWatch alarm, “If SSH REJECT > 10, then…”, which publishes to Amazon SNS and triggers AWS Lambda; label: Source IP.)
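The metric filter and alarm logic of the automation slide, and the record fields of the slide before it, as an added example (not from the talk) run over constructed flow log records: the same selection the CloudWatch Logs metric filter makes (TCP to port 22, action REJECT) is applied locally and counted per source address, and the alarm condition "SSH REJECT > 10" decides which sources would fire it. The records follow the default version 2 field order; the account, interface id, addresses and the threshold of 10 from the slide are the only values used, and the metric filter pattern is given in CloudWatch Logs' space-delimited syntax for comparison.

```python
from collections import Counter

# Default flow log record fields, in order (version 2 format).
FIELDS = ("version", "account_id", "interface_id", "srcaddr", "dstaddr", "srcport",
          "dstport", "protocol", "packets", "bytes", "start", "end", "action", "log_status")

# CloudWatch Logs metric filter equivalent to "all SSH REJECT" (positional syntax).
SSH_REJECT_METRIC_FILTER = (
    '[version, account, eni, source, destination, srcport, destport="22", protocol="6", '
    'packets, bytes, windowstart, windowend, action="REJECT", flowlogstatus]')


def _record(src, srcport, dstport, action, packets=1):
    """Build one constructed flow log record for the sample below."""
    return (f"2 111122223333 eni-0a1b2c3d {src} 10.1.1.20 {srcport} {dstport} 6 "
            f"{packets} {packets * 60} 1444241100 1444241160 {action} OK")


# Constructed sample: one aggregation window for a single interface.
SAMPLE_FLOW_LOG = "\n".join(
    [_record("198.51.100.23", 51000 + i, 22, "REJECT") for i in range(12)]   # 12 rejected SSH attempts
    + [_record("203.0.113.9", 40000 + i, 22, "REJECT") for i in range(3)]   # 3 rejects, under threshold
    + [_record("10.1.2.5", 44210, 22, "ACCEPT", packets=12),                # permitted SSH from inside
       _record("203.0.113.9", 40100, 443, "ACCEPT", packets=8),             # HTTPS, not SSH
       "2 111122223333 eni-0a1b2c3d - - - - - - - 1444241100 1444241160 - NODATA"])


def parse_flow_log(text):
    """Parse space-separated records into dicts. Records without data
    (log-status NODATA/SKIPDATA) carry '-' fields and are dropped."""
    records = []
    for line in text.splitlines():
        values = line.split()
        if len(values) != len(FIELDS):
            continue
        rec = dict(zip(FIELDS, values))
        if rec["log_status"] != "OK":
            continue
        for key in ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end"):
            rec[key] = int(rec[key])
        records.append(rec)
    return records


def ssh_rejects_by_source(records):
    """Same selection as the metric filter: TCP (6) to port 22 that was rejected,
    counted per source address."""
    return Counter(r["srcaddr"] for r in records
                   if r["protocol"] == 6 and r["dstport"] == 22 and r["action"] == "REJECT")


def offenders(counts, threshold=10):
    """Sources whose rejected SSH attempts exceed the alarm threshold."""
    return sorted(src for src, n in counts.items() if n > threshold)


def analyse(text, threshold=10):
    """Counts per source plus the sources that would fire the alarm."""
    counts = ssh_rejects_by_source(parse_flow_log(text))
    return {"counts": dict(counts), "alarm": offenders(counts, threshold)}


if __name__ == "__main__":
    print(analyse(SAMPLE_FLOW_LOG))
```

In the slide's pipeline the counting is done by the metric filter and the alarm, and the Lambda function receives only the alarm; running the same selection locally is how you validate the threshold against real traffic before turning the automation on.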
Page 67
VPC Flow Logs
Page 68
VPC Flow Logs
Page 69
VPC Flow Logs
• Amazon Elasticsearch Service (ES)
• Amazon CloudWatch Logs subscriptions
• Kibana
https://aws.amazon.com/blogs/aws/new-amazon-elasticsearch-service/
Page 70
Refreshment Break
Please be back for 15:10