Account Separation and Mandatory Access Control


Account Separation and Mandatory Access Control on AWS

Dave Walker, Specialist Solutions Architect, Security and Compliance, 16/03/16

Mandatory Access Control?

- Contrast with Discretionary Access Control
  - u/g/o / rwx file permissions
  - Under the control of the file owner
- MAC is a function of core system policy
  - Immutable to all system users; sometimes also invisible to them, including root
- Epitomised in SELinux, descended from Orange Book B1 systems
- Sometimes extended to do multilevel / cross-domain security

Mandatory Access Control?

- SELinux on AWS
  - RHEL, Ubuntu, SuSE, etc. AMIs (don't forget FreeBSD and other Community AMIs)
- First native MAC service on AWS: Glacier Vault Lock
  - Set a Policy and fix it in place
  - Even the account owner can't change it, until its time lock expires
  - Designed to meet SEC Books and Records requirements (Rule 17a-4(f))
  - Also FINRA Rule 4511, CFTC Regulation 1.31
- How can we make more services behave similarly?
  - Cross-account access gets us close!

S3 Subtleties

- Versioning
- MFA Delete
- Put these together, and you get something which looks a lot like an append-only object store
  - Consider evidential integrity and weight
- Consider adding lifecycle policies to rotate into Vault-Locked Glacier
  - Good for long-term log retention

S3 Subtleties

- CloudTrail, Config, CloudWatch Logs, ELB logs, VPC Flow Logs
- Make them write-only for production / resource accounts
  - No means to read or list bucket contents
- Make them read-only for audit accounts
  - Though audit user activities may need to be written to logs too, potentially to a different log location
- Create a separate Logging account and apply cross-account sharing:

S3 Subtleties: S3 write-only cross-account sharing

- Share write-only (no reading or listing of contents) from the owner account via bucket policy
- Writer accounts have IAM permissions to write

aka "how to manage your logging buckets, continued".

If you share your versioned, MFA-delete bucket write-only across accounts from a dedicated Audit acct to Production, Staging, etc, then the policy on the bucket and the contents are both invisible and immutable to the account it's being shared with, even its root user - and having spent about half my working life in a multilevel, cross-domain, modified Bell-LaPadula world, this amounts to Mandatory Access Control.

You can also set SELinux up in properly constrained Enforcing Mode on EC2 - you could set up user-data at instance launch time to call a script to generate keys and then go into Enforcing mode, if you need to simulate TPM functionality. There may be better ways of doing this, as CloudHSM can be called from Java as well as PKCS#11 - get creative!

S3 Subtleties: Log Bucket Policy, Part 1

(Actual policy won't fit here, but):

- Start with the cross-account bucket policy for writing CloudTrail logs, at https://blogs.aws.amazon.com/security/post/Tx1QT0TX44KW7XM/Sharing-AWS-CloudTrail-Log-Files-Between-Accounts (Scenario 1)
- Add the Sid + Effect + Principal + Action + Resource aggregate objects from the bucket policy for Config, at http://docs.aws.amazon.com/config/latest/developerguide/s3-bucket-policy.html , applying the same principles
- Add s3:GetBucketLocation permissions, to handle cross-Region logs (we want to log from all Regions to 1 bucket)
- Add the following for CloudWatch Logs:

S3 Subtleties: Log Bucket Policy, Part 2

    {
      "Sid": "Cross-account write allow for CloudWatch Logs, mediated by control below",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::Writer-Account-ID:root" },
      "Action": [ "s3:PutObject", "s3:GetBucketLocation" ],
      "Resource": [
        "arn:aws:s3:::myorg-logbucket",
        "arn:aws:s3:::myorg-logbucket/AWSLogs/*"
      ]
    },
    {
      "Sid": "Control to require full control grant on write",
      "Effect": "Deny",
      "Principal": { "AWS": "arn:aws:iam::Writer-Account-ID:root" },
      "Action": [ "s3:PutObject" ],
      "Resource": "arn:aws:s3:::myorg-logbucket/AWSLogs/*",
      "Condition": {
        "StringNotEquals": { "s3:x-amz-acl": "bucket-owner-full-control" }
      }
    }

S3 Subtleties: Log Bucket Policy, Part 3

- Audit users (in another account) will need read-only access to your log bucket; see https://blogs.aws.amazon.com/security/post/Tx1QT0TX44KW7XM/Sharing-AWS-CloudTrail-Log-Files-Between-Accounts again (Scenario 2)
- Good to do via a Role which has to be explicitly assumed; again, see the URL above

S3 Subtleties: Log Bucket Policy and IAM

- Point CloudTrail and Config in other accounts to our log bucket for writing, when setting these accounts up
- IAM policy to add to each log-generating account to allow cross-account writing:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "Cross-account Write",
          "Effect": "Allow",
          "Action": [ "s3:PutObject", "s3:GetBucketLocation" ],
          "Resource": [
            "arn:aws:s3:::myorg-logbucket",
            "arn:aws:s3:::myorg-logbucket/AWSLogs/*"
          ]
        }
      ]
    }
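A check for the write-only property the log bucket policy is meant to enforce, added here as an example (not code from the deck or from AWS): it walks a bucket policy document, flags any statement that lets the writer principal read or list objects, and confirms the Deny guard that forces bucket-owner-full-control on PutObject is present. The sample policy, bucket name and writer account id are constructed.

```python
import json

# Constructed write-only log bucket policy in the shape the slides describe
# (hypothetical writer account id; bucket name taken from the deck).
SAMPLE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "CrossAccountWrite", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
     "Action": ["s3:PutObject", "s3:GetBucketLocation"],
     "Resource": "arn:aws:s3:::myorg-logbucket/AWSLogs/*"},
    {"Sid": "RequireFullControl", "Effect": "Deny",
     "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
     "Action": "s3:PutObject",
     "Resource": "arn:aws:s3:::myorg-logbucket/AWSLogs/*",
     "Condition": {"StringNotEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}}}
  ]
}""")

# Actions that would let a writer read back or enumerate the evidence it wrote.
READ_ACTIONS = {"s3:getobject", "s3:getobjectversion", "s3:listbucket",
                "s3:listbucketversions", "s3:get*", "s3:list*", "s3:*", "*"}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _principals(stmt):
    principal = stmt.get("Principal", {})
    if isinstance(principal, dict):
        return _as_list(principal.get("AWS", []))
    return _as_list(principal)          # "*" or a bare ARN string

def check_write_only(policy, writer_arn):
    """Return findings for writer_arn; an empty list means it can write but not
    read or list, and the bucket-owner-full-control Deny guard is present."""
    findings, guard_present = [], False
    for stmt in policy["Statement"]:
        principals = _principals(stmt)
        if writer_arn not in principals and "*" not in principals:
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if stmt["Effect"] == "Allow" and actions & READ_ACTIONS:
            findings.append(f"{stmt.get('Sid')}: allows read/list for writer")
        if stmt["Effect"] == "Deny" and "s3:putobject" in actions:
            acl = stmt.get("Condition", {}).get("StringNotEquals", {}).get("s3:x-amz-acl")
            guard_present |= acl == "bucket-owner-full-control"
    if not guard_present:
        findings.append("no Deny guard requiring bucket-owner-full-control on PutObject")
    return findings
```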

Detailed Billing: Sample Records

| ItemDescription | UsageStartDate | UsageEndDate | UsageQuantity | CurrencyCode | CostBeforeTax | Credits | TaxAmount | TaxType | TotalCost |
|---|---|---|---|---|---|---|---|---|---|
| $0.000 per GB - regional data transfer under the monthly global free tier | 01.04.14 00:00 | 30.04.14 23:59 | 0.00000675 | USD | 0.00 | 0.0 | 0.000000 | None | 0.000000 |
| $0.05 per GB-month of provisioned storage - US West (Oregon) | 01.04.14 00:00 | 30.04.14 23:59 | 1.126.666.554 | USD | 0.56 | 0.0 | 0.000000 | None | 0.560000 |
| First 1,000,000 Amazon SNS API Requests per month are free | 01.04.14 00:00 | 30.04.14 23:59 | 10.0 | USD | 0.00 | 0.0 | 0.000000 | None | 0.000000 |
| First 1,000,000 Amazon SQS Requests per month are free | 01.04.14 00:00 | 30.04.14 23:59 | 4153.0 | USD | 0.00 | 0.0 | 0.000000 | None | 0.000000 |
| $0.00 per GB - EU (Ireland) data transfer from US West (Northern California) | 01.04.14 00:00 | 30.04.14 23:59 | 0.00003292 | USD | 0.00 | 0.0 | 0.000000 | None | 0.000000 |
| $0.000 per GB - data transfer out under the monthly global free tier | 01.04.14 00:00 | 30.04.14 23:59 | 0.02311019 | USD | 0.00 | 0.0 | 0.000000 | None | 0.000000 |
| First 1,000,000 Amazon SNS API Requests per month are free | 01.04.14 00:00 | 30.04.14 23:59 | 88.0 | USD | 0.00 | 0.0 | 0.000000 | None | 0.000000 |
| $0.000 per GB - data transfer out under the monthly global free tier | 01.04.14 00:00 | 30.04.14 23:59 | 3.3E-7 | USD | 0.00 | 0.0 | 0.000000 | None | 0.000000 |

Linked Accounts

- Consolidate daily Detailed Billing logs into one bucket, for all accounts
- Now put it all together

The Base Account Structure

AWS Account:

- Root Account: No Access Keys; MFA Enabled; Raise Alert on Login
- IAM Master: No Access Keys; MFA Enabled; Raise Alert on Login; Define IAM Policies; Enable IAM Managers (User or Role); Have Password Policy; Enforce Password Rotation; Have Account Questions set up; Have Info eMail set up
- IAM Manager: No Access Keys; MFA Enabled; Create IAM Users/Groups/Roles; Use Pre-Defined Policies

The Larger Picture

[Diagram. Boxes labelled: Billing (S3 Holder: Bill, CloudTrail); Logging (S3 Holder: CloudTrail, Config, CW Logs); IAM User (IAM Users, each doing AssumeRole); Resources (one IAM Role per resource account); Backup (S3 Holder: Backup Data); Audit.]

Display Rights: STS

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "STS-Only",
          "Effect": "Allow",
          "Action": [ "sts:AssumeRole" ],
          "Resource": [ "*" ]
        }
      ]
    }

There's One More Account to Consider (and it won't fit on the diagram)

- Service Catalogue
  - Also has cross-account capability
  - Repository for CloudFormation templates, golden AMIs
  - Add latest database backups and other necessary datasets, and you have an Intellectual Property Holding Account
  - Something to copy cross-Region for DR
  - See http://aws.amazon.com/servicecatalog/faqs/ for cross-account access

Raising Alerts

Raise (through CloudTrail, watched by a Lambda function triggered on bucket writes) an Alert (through, e.g., SNS) if:

- Any account's root user logs in
- Any IAM-Master account logs in
- Billing/CloudTrail accounts have another S3 Bucket created
- IAM-User generates any new AWS resource
- IAM-User generates any CloudTrail events other than assume-role and console login
- IAM-User logs in to any Resource Accounts (besides IAM-Manager)
- Resource-Account has IAM-Users assigned (besides IAM-Master/IAM-Manager)
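The alert rules above expressed as detection logic over CloudTrail records, added here as an example (not code from the deck): evaluate() maps one record to the alerts it triggers, and scan() is the body a bucket-triggered Lambda would run over a delivered log file. Account ids, user names and the account-to-role mapping are constructed assumptions.

```python
# Constructed CloudTrail-style records (hypothetical account ids and user names).
SAMPLE_RECORDS = [
    {"eventName": "ConsoleLogin", "recipientAccountId": "111111111111",
     "userIdentity": {"type": "Root"}},
    {"eventName": "AssumeRole", "recipientAccountId": "222222222222",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}},
    {"eventName": "RunInstances", "recipientAccountId": "222222222222",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}},
    {"eventName": "ConsoleLogin", "recipientAccountId": "444444444444",
     "userIdentity": {"type": "IAMUser", "userName": "bob"}},
    {"eventName": "CreateBucket", "recipientAccountId": "333333333333",
     "userIdentity": {"type": "AssumedRole"}},
    {"eventName": "CreateUser", "recipientAccountId": "444444444444",
     "userIdentity": {"type": "AssumedRole"}},
]

# Hypothetical account layout, following the deck's structure.
IAM_USER_ACCOUNT = "222222222222"       # holds all human IAM users
LOG_ACCOUNTS = {"333333333333"}         # Billing / CloudTrail S3 holders
RESOURCE_ACCOUNTS = {"444444444444"}    # reached only via AssumeRole
IAM_MASTER_USERS = {"iam-master"}
ALLOWED_IAM_USER_EVENTS = {"AssumeRole", "ConsoleLogin"}

def evaluate(record):
    """Return the alert strings one CloudTrail record triggers, per the slide's rules."""
    ident = record.get("userIdentity", {})
    event, acct = record["eventName"], record["recipientAccountId"]
    user = ident.get("userName")
    alerts = []
    if ident.get("type") == "Root" and event == "ConsoleLogin":
        alerts.append(f"root login in {acct}")
    if user in IAM_MASTER_USERS and event == "ConsoleLogin":
        alerts.append(f"IAM-Master login in {acct}")
    if acct in LOG_ACCOUNTS and event == "CreateBucket":
        alerts.append(f"new S3 bucket created in log account {acct}")
    if ident.get("type") == "IAMUser":
        if acct == IAM_USER_ACCOUNT and event not in ALLOWED_IAM_USER_EVENTS:
            alerts.append(f"IAM user {user} did {event} in IAM-User account {acct}")
        elif acct in RESOURCE_ACCOUNTS:
            alerts.append(f"IAM user {user} active in resource account {acct}")
    if acct in RESOURCE_ACCOUNTS and event == "CreateUser":
        alerts.append(f"IAM user created in resource account {acct}")
    return alerts

def scan(records):
    """Run every record through evaluate(); in a Lambda the records would come
    from the gzipped CloudTrail object whose S3 write triggered the function."""
    return [alert for record in records for alert in evaluate(record)]
```

Each alert string is what would be handed to SNS; a real deployment would also add the accounts' own ids and the IAM-Manager exceptions the slide mentions.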

[Diagram: Logs, metrics, alerts, actions. Sources: AWS Config, AWS CloudTrail, Amazon EC2 OS logs, Amazon VPC Flow Logs, monitoring data from AWS services, custom metrics, API calls from most services. Processing: CloudWatch / CloudWatch Logs, CloudWatch alarms. Notification via Amazon SNS: email notification, HTTP/S notification, SMS notifications, mobile push notifications.]

Also:

- Federate from IAM-User to another IdP
  - Filter on LDAP DN elements; ou=, dc=
  - Result: no PII in IAM!
  - See page 20 of https://d0.awsstatic.com/whitepapers/aws-whitepaper-single-sign-on-integrating-aws-open-ldap-and-shibboleth.pdf
- Set account and contact details to an email alias and a PABX hunt group, and arrange with your AM to have your billing invoiced to your company accounts
  - No PII in your AWS account, unless you explicitly need to process PII in your AWS environment

Other Resources

- re:Invent 2015: Wrangling Security Events in the Cloud (SEC308) https://www.youtube.com/watch?v=uc1Q0XCcCv4
- Further ways to enable service configuration immutability
  - Essentially, config-correcting Lambda functions

Account Separation and Mandatory Access Control on AWS

Dave Walker, Specialised Solutions Architect, Security and Compliance, 28/01/16