AWS Deck Template
Account Separation and Mandatory Access Control on AWS
Dave WalkerSpecialist Solutions Architect, Security and
Compliance16/03/16
Mandatory Access Control?Contrast with Discretionary Access
Controlu/g/o / rwx file permissionsUnder the control of the file
ownerMAC is a function of core system policyImmutable to all system
users; sometimes also invisible to themincluding rootEpitomised in
SELinux, descended from Orange Book B1 systemsSometimes extended to
do multilevel / cross-domain security
Mandatory Access Control?SELinux on AWSRHEL, Ubuntu, SuSE, etc
AMIs(Dont forget FreeBSD and other Community AMIs)First native MAC
service on AWS: Glacier Vault LockSet a Policy and fix it in
placeEven the account owner cant change it, until its time lock
expiresDesigned to meet SEC Books and Records requirements (Rule
17a-4(f))Also FINRA Rule 4511, CFTC Regulation 1.31How can we make
more services behave similarly?Cross-account access gets us
close!
S3 SubtletiesVersioningMFA DeletePut these together, and you get
something which looks a lot like an append-only object
storeconsider evidential integrity and weightConsider adding
lifecycle policies to rotate into Vault-Locked GlacierGood for
long-term log retention
S3 SubtletiesCloudTrail, Config, CloudWatch Logs, ELB logs, VPC
Flow LogsMake them write-only for production / resource accountsNo
means to read or list bucket contentsMake them read-only for audit
accountsThough audit user activities may need to be written to logs
tooPotentially to a different log locationCreate a separate Logging
account and apply cross-account sharing:
S3 SubtletiesS3 write-only cross-account sharingShare write-only
(no reading or listing of contents) from owner account via bucket
policyWriter accounts have IAM permissions to write
aka "how to manage your logging buckets, continued".
If you share your versioned, MFA-delete bucket write-only across
accounts from a dedicated Audit acct to Production, Staging, etc,
then the policy on the bucket and the contents are both invisible
and immutable to the account it's being shared with, even its root
user - and having spent about half my working life in a multilevel,
cross-domain, modified Bell-LaPadula world, this amounts to
Mandatory Access Control.
You can also set SELinux up in properly constrained Enforcing
Mode on EC2 - you could set up user-data at instance launch time to
call a script to generate keys and then go into Enforcing mode, if
you need to simulate TPM functionality. There may be better ways of
doing this, as CloudHSM can be called from Java as well as PKCS#11
- get creative!6
S3 Subtleties: Log Bucket Policy, Part 1(Actual policy wont fit
here, but):Start with the cross-account bucket policy for writing
CloudTrail logs, at
https://blogs.aws.amazon.com/security/post/Tx1QT0TX44KW7XM/Sharing-AWS-CloudTrail-Log-Files-Between-Accounts
Scenario 1Add the Sid + Effect + Principal + Action + Resource
aggregate objects from the bucket policy for Config, at
http://docs.aws.amazon.com/config/latest/developerguide/s3-bucket-policy.html
, applying the same principlesAdd s3:GetBucketLocation permissions,
to handle cross-Region logs(we want to log from all Regions to 1
bucket)Add the following for CloudWatch Logs:
S3 Subtleties: Log Bucket Policy, Part 2 { "Sid": "Cross-account
write allow for CloudWatch Logs, mediated by control below",
"Effect": "Allow", "Principal": ] "AWS":
"arn:aws:iam::Writer-Account-ID:root,], "Action":["s3:
PutObject","S3: GetBucketLocation"], "Resource":"arn: aws:
s3:::myorg-logbucket//AWSLogs/*" }, { "Sid":"Control to require
full control grant on write", "Effect":"Deny",
"Principal":["AWS":"arn: aws:iam::Writer-Account-ID:root, ],
"Action": [ "s3:PutObject", "s3:GetBucketLocation" ], "Resource":
"arn:aws:s3:::myorg-logbucket//AWSLogs/*", "Condition": {
"StringNotEquals": { "s3:"bucket-owner-full-control" } }}
S3 Subtleties: Log Bucket Policy, Part 3Audit users (in another
account) will need read-only access to your log bucket; see
https://blogs.aws.amazon.com/security/post/Tx1QT0TX44KW7XM/Sharing-AWS-CloudTrail-Log-Files-Between-Accounts
, again (Scenario 2)
Good to do via a Role which has to be explicitly assumed; again,
see the URL above
S3 Subtleties: Log Bucket Policy and IAMPoint CloudTrail and
Config in other accounts to our log bucket for writing, when
setting these accounts up IAM policy to add to each log-generating
account to allow cross-account writing:{ "Version": "2012-10-17",
"Statement": [ { "Sid": Cross-account Write", "Effect": "Allow",
"Action": [ "s3:PutObject, s3:GetBucketLocation ], "Resource": [
"arn:aws:s3:::myorg-logbucket" ] } ]}
Detailed Billing: Sample
RecordsItemDescriptionUsageStartDateUsageEndDateUsageQuantityCurrencyCodeCostBeforeTaxCreditsTaxAmountTaxTypeTotalCost$0.000
per GB - regional data transfer under the monthly global free
tier01.04.14 00:0030.04.14
23:590.00000675USD0.000.00.000000None0.000000$0.05 per GB-month of
provisioned storage - US West (Oregon)01.04.14 00:0030.04.14
23:591.126.666.554USD0.560.00.000000None0.560000First 1,000,000
Amazon SNS API Requests per month are free01.04.14 00:0030.04.14
23:5910.0USD0.000.00.000000None0.000000First 1,000,000 Amazon SQS
Requests per month are free01.04.14 00:0030.04.14
23:594153.0USD0.000.00.000000None0.000000$0.00 per GB - EU
(Ireland) data transfer from US West (Northern California)01.04.14
00:0030.04.14 23:590.00003292USD0.000.00.000000None0.000000$0.000
per GB - data transfer out under the monthly global free
tier01.04.14 00:0030.04.14
23:590.02311019USD0.000.00.000000None0.000000First 1,000,000 Amazon
SNS API Requests per month are free01.04.14 00:0030.04.14
23:5988.0USD0.000.00.000000None0.000000$0.000 per GB - data
transfer out under the monthly global free tier01.04.14
00:0030.04.14 23:593.3E-7USD0.000.00.000000None0.000000
Linked AccountsConsolidate daily Detailed Billing logs into one
bucket, for all accountsNow put it all together
The Base Account Structure
AWS Account
Root AccountNo Access KeysMFA EnabledRaise Alert on Login
IAM MasterNo Access KeysMFA EnabledRaise Alert on LoginDefine
IAM PoliciesEnable IAM Managers (User or Role)Have Passwd
PolicyEnforce Passwd RotationHave Acct Questions set upHave Info
eMail set up
IAM ManagerNo Access KeysMFA EnabledCreate IAM
Users/Groups/RolesUse Pre-Defined Policies
The Larger Picture
BILLING
S3 Holder
CloudTrailConfigCW Logs
S3 Holder
BILLCloudTrail
IAMUser
IAM UserAssumeRole
IAM UserAssumeRole
IAM UserAssumeRole
Resources
IAM ROLE
IAM ROLE
IAM ROLE
Backup Data
Backup
S3 Holder
Audit
Display RightsSTS{ "Version": "2012-10-17", "Statement": [ {
"Sid": STS-Only", "Effect": "Allow", "Action": [ "sts:AssumeRole"
], "Resource": [ "*" ] } ] }
14
Theres One More Account to Consider(and it wont fit on the
diagram) Service CatalogueAlso has cross-account
capabilityRepository for CloudFormation templates, golden AMIsadd
latest database backups and other necessary datasets, and you have
an Intellectual Property Holding AccountSomething to copy
cross-Region for DRSee http://aws.amazon.com/servicecatalog/faqs/
for cross-account access
Raising AlertsRaise (through CloudTrail, watched by a Lambda
function triggered on bucket writes) an Alert (through, eg, SNS)
if:Any accounts root user logs inAny IAM-Master account logs
inBilling/CloudTrail accounts have another S3 Bucket created
IAM-User generates any new AWS resourceIAM-User generates any
CloudTrail events other than assume-role and console loginIAM-User
logs in to any Resource Accounts (besides
IAM-Manager)Resource-Account has IAM-Users assigned (besides
IAM-Master/IAM-Manager)
LogsmetricsalertsactionsAWS Config
CloudWatch / CloudWatch LogsCloudWatch alarmsAWS CloudTrail
Amazon EC2 OS logs
Amazon VPC Flow Logs
Amazon SNS
email notification
HTTP/S notification
SMS notifications
Mobile push notificationsAPI calls from most services
Monitoring data from AWS servicesCustom metrics
17
Also:Federate from IAM-User to another IdPFilter on LDAP DN
elements; ou=, dc=Result: no PII in IAM!See page 20 of
https://d0.awsstatic.com/whitepapers/aws-whitepaper-single-sign-on-integrating-aws-open-ldap-and-shibboleth.pdfSet
account and contact details to an email alias and a PABX hunt
group, and arrange with your AM to have your billing invoiced to
your company accountsno PII in your AWS accountunless you
explicitly need to process PII in your AWS environment
Other ResourcesRe:Invent 2015: Wrangling Security Events in the
Cloud (SEC308)https://www.youtube.com/watch?v=uc1Q0XCcCv4Further
ways to enable service configuration immutabilityEssentially,
config-correcting Lambda functions
Account Separation and Mandatory Access Control on AWS
Dave WalkerSpecialised Solutions Architect, Security and
Compliance28/01/16
![Multiple Bank Account Form V2 - Edelweiss MF · [III] DELETION OF BANK ACCOUNT(S) MANDATORY REQUIREMENT Cancelled original cheque or self certified copy of blank cheque or self certified](https://img.pdfslide.us/doc/110x75/5f7ad3a705cf974e2f6764c2/multiple-bank-account-form-v2-edelweiss-mf-iii-deletion-of-bank-accounts-mandatory.jpg)
![ACCOUNT OPENING KIT - Nomura Holdings OPENING KIT PART I – MANDATORY DOCUMENTS [Execution/ For Your Information (FYI)] Sr. No Document Brief](https://img.pdfslide.us/doc/110x75/5b0dde767f8b9a952f8e2749/account-opening-kit-nomura-opening-kit-part-i-mandatory-documents-execution.jpg)
