©2020 SANS™ Institute | www.sans.org Sponsored by:
How to Design a Least Privilege Architecture in AWS
Today’s Speakers
• Dave Shackleford – SANS Analyst
• Sagar Khasnis – AWS Partner Solutions Architect
Today’s Agenda
• Least Privilege Overview
• Identity and Access Management
• Network Segmentation for Access Control
• Cloud Security Posture Management
• A Least Privilege Use Case
• Next Steps
• Solutions in AWS Marketplace
• Customer Success
Least Privilege Overview
• Consistently implementing least privilege as a best practice has been a challenge:
– Determining the appropriate “least privilege” for a given use case is a surprisingly complex issue.
– It is easier to allocate more privileges than to limit access.
– The range of permissions and privilege models varies widely between environments and applications/services.
• Even successful least privilege implementations tend to shift and drift over time, so privileges have to be reviewed continuously rather than set once.
Least Privilege Concepts in the Cloud
• Security professionals are rethinking the approach to least privilege security concepts for the public cloud.
• Some key factors to address:
– Vanishing perimeter
– Application workloads
– Trust relationships
• Three pillars of cloud least privilege:
– Identity and access management
– Network access/segmentation
– Cloud security posture management
Identity and Access Management
• One of the most important aspects of cloud security is identity and access management (IAM).
• Defining roles, enabling strict access models and limiting the resources available to users and systems is a critical step in enabling a sound cloud security strategy overall.
• Use IAM to wrap each asset in its own access boundary, so that least privilege architectures are built from policies scoped to the specific resources a user or service actually needs.
IAM: User Relationships
• IAM users are associated with credentials (a console password and/or long-term access keys) for making API calls to interact with cloud services, and they exist only within the cloud environment itself.
– Identities from directory services like AD can be mapped into IAM groups/roles through federation rather than duplicated as IAM users.
• New IAM users have no permissions (implicit deny) until a policy grants them.
• IAM users can represent either a person or an application/service.
– Once you create service-oriented users, place them in defined groups and assign privileges to the group rather than to individual users.
IAM: Service Relationships
• For service interactions within the environment, cloud security teams should focus on defining specific roles for:
– AWS services (a role the service assumes to act on your behalf)
– Cross-account access
– Federation
– Identity providers (IdPs)
Least Privilege IAM for Cloud
• There are several distinct types of identity-focused least privilege orientation for cloud deployments and infrastructure:
– First, focus on any privileged users that need access to the cloud environment for administration, engineering and security-focused tasks.
– Second, every organization needs to consider the least privilege access model associated with deployment pipelines and their associated systems and services.
– Third, map the user, service and application relationships wholly contained within the cloud environment.
– Finally, when a multi-account strategy is in place, carefully review the privileges of accounts accessing other accounts’ services.
IAM Relationship Mapping
• Organizations need to successfully map cloud user and service relationships to create the most restrictive privilege models needed.
– IAM Access Advisor shows, for a user, group, role or policy, which AWS services the attached policies allow and when each service was last accessed, so permissions that are never exercised can be removed.
– AWS IAM Access Analyzer, a feature within AWS Identity and Access Management (IAM), analyzes resource-based policies (for example on S3 buckets, IAM roles, KMS keys, Lambda functions and SQS queues) and reports resources that can be reached by principals outside your account or organization.
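The right-sizing loop that Access Advisor supports, as an added example (not code from the webinar or from AWS): lint an identity policy for the wildcard patterns that hide over-privilege, then drop the Allow actions for services the principal has not called inside a 90-day window. The policy document and the last-accessed report are constructed; the report only mimics the ServiceNamespace/LastAuthenticated fields that `aws iam get-service-last-accessed-details` returns.

```python
"""Right-size an IAM policy from Access Advisor-style last-accessed data.

Added example for this section, not code from the webinar or from AWS.
The policy and the last-accessed report are constructed; the report only
mimics the ServiceNamespace / LastAuthenticated fields that
`aws iam get-service-last-accessed-details` returns.
"""
import copy
from datetime import datetime, timedelta, timezone

# Constructed: an over-broad identity policy attached to a CI/CD role.
BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
        {"Effect": "Allow", "Action": ["ec2:Describe*", "ec2:TerminateInstances"],
         "Resource": "*"},
        {"Effect": "Allow", "Action": "iam:*", "Resource": "*"},
        {"Effect": "Allow", "Action": "logs:PutLogEvents",
         "Resource": "arn:aws:logs:us-east-1:123456789012:log-group:/ci/*"},
    ],
}

# Constructed: when the role last called each service (None = never).
NOW = datetime(2020, 6, 1, tzinfo=timezone.utc)
LAST_ACCESSED = [
    {"ServiceNamespace": "s3", "LastAuthenticated": NOW - timedelta(days=3)},
    {"ServiceNamespace": "ec2", "LastAuthenticated": NOW - timedelta(days=120)},
    {"ServiceNamespace": "iam", "LastAuthenticated": None},
    {"ServiceNamespace": "logs", "LastAuthenticated": NOW - timedelta(days=1)},
]


def _as_list(value):
    """IAM allows a string or a list in Action/Resource; normalise to a list."""
    return [value] if isinstance(value, str) else list(value)


def lint_statement(stmt):
    """Flag the patterns that make an Allow statement broader than it looks."""
    findings = []
    if stmt.get("Effect") != "Allow":
        return findings
    for action in _as_list(stmt.get("Action", [])):
        if action == "*" or action.endswith(":*"):
            findings.append(f"wildcard action {action!r}")
    if "*" in _as_list(stmt.get("Resource", [])) and "Condition" not in stmt:
        findings.append("Resource '*' without a Condition")
    if "NotAction" in stmt or "NotResource" in stmt:
        findings.append("NotAction/NotResource allows everything not listed")
    return findings


def lint_policy(policy):
    """Map statement index -> findings, omitting clean statements."""
    result = {}
    for index, stmt in enumerate(policy["Statement"]):
        hits = lint_statement(stmt)
        if hits:
            result[index] = hits
    return result


def used_services(report, now, window_days=90):
    """Service namespaces authenticated within the window."""
    cutoff = now - timedelta(days=window_days)
    return {
        entry["ServiceNamespace"]
        for entry in report
        if entry.get("LastAuthenticated") and entry["LastAuthenticated"] >= cutoff
    }


def right_size(policy, used):
    """Return a copy of the policy without Allow actions for unused services.

    Deny statements are kept untouched; a bare '*' action is kept because it
    cannot be narrowed by service (lint_policy flags it for manual review);
    an Allow statement left with no actions is dropped.
    """
    trimmed = copy.deepcopy(policy)
    kept = []
    for stmt in trimmed["Statement"]:
        if stmt.get("Effect") != "Allow":
            kept.append(stmt)
            continue
        actions = [a for a in _as_list(stmt.get("Action", []))
                   if a == "*" or a.split(":", 1)[0] in used]
        if actions:
            stmt["Action"] = actions
            kept.append(stmt)
    trimmed["Statement"] = kept
    return trimmed


if __name__ == "__main__":
    for index, hits in lint_policy(BROAD_POLICY).items():
        print(f"statement {index}: {'; '.join(hits)}")
    used = used_services(LAST_ACCESSED, NOW)
    print("services used in last 90 days:", sorted(used))
    print("trimmed statements:", right_size(BROAD_POLICY, used)["Statement"])
```

Two caveats apply in practice: Access Advisor data is service-level (action-level only for a subset of services), so the trimmed policy still carries `s3:*` and needs a second pass against CloudTrail to narrow actions; and the ec2 permissions disappear here only because the last call was 120 days ago, so choose the window to cover quarterly jobs before cutting anything.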
Least Privilege: AWS Accounts
• As an isolation and segmentation technique, each AWS account is a completely isolated set of resources; access between accounts exists only where it is explicitly configured (cross-account roles, resource policies, VPC peering).
• AWS Organizations is a service that organizations can use to define policies and guardrails to apply across multiple AWS accounts.
– With AWS Organizations, you can create service control policies (SCPs) that bound what IAM policies in member accounts can grant: an SCP never grants permissions by itself, and an action succeeds only if both the SCP and the identity’s own policy allow it.
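How an SCP and an identity policy combine, as an added example (not code from the webinar or from AWS). The SCP, the two identity policies and the request contexts are constructed; the evaluation is deliberately reduced to the two layers this slide discusses, so resource-based policies, permission boundaries, session policies and `NotAction`/`NotResource` are not modelled.

```python
"""How a service control policy (SCP) bounds identity-based permissions.

Added example for this section, not code from the webinar or from AWS; the
SCP, identity policies and request contexts are constructed. The evaluation is
deliberately simplified to the two layers discussed here: an action succeeds
only if no explicit Deny matches in either layer and an Allow matches in both.
Resource-based policies, permission boundaries, session policies and the
NotAction/NotResource elements are not modelled.
"""
import fnmatch

# Constructed SCP for a "workloads" OU: allow everything, then carve out
# guardrails that no identity in the OU can get around.
SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Effect": "Deny", "Resource": "*",
         "Action": ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail",
                    "organizations:LeaveOrganization"]},
        {"Effect": "Deny", "Action": "*", "Resource": "*",
         "Condition": {"StringNotEquals": {
             "aws:RequestedRegion": ["us-east-1", "eu-west-1"]}}},
    ],
}

# Constructed identity policies inside a member account.
ADMIN_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
]}
DEVELOPER_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::app-artifacts", "arn:aws:s3:::app-artifacts/*"]},
]}


def _as_list(value):
    return [value] if isinstance(value, str) else list(value)


def _matches_any(patterns, value):
    """IAM-style '*' and '?' wildcard matching for actions and ARNs."""
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _condition_holds(condition, context):
    """Only StringEquals/StringNotEquals, which is all a region guardrail needs.

    As in IAM, StringNotEquals on a key absent from the request evaluates true.
    """
    for operator, pairs in condition.items():
        if operator not in ("StringEquals", "StringNotEquals"):
            raise ValueError(f"operator {operator} not modelled")
        for key, allowed in pairs.items():
            present = context.get(key) in _as_list(allowed)
            if (operator == "StringEquals") != present:
                return False
    return True


def evaluate(policy, action, resource, context):
    """'deny' if an explicit Deny matches, else 'allow' if an Allow matches,
    else 'implicit' (an implicit deny)."""
    allowed = False
    for stmt in policy["Statement"]:
        if "NotAction" in stmt or "NotResource" in stmt:
            raise ValueError("NotAction/NotResource not modelled")
        if (_matches_any(stmt["Action"], action)
                and _matches_any(stmt["Resource"], resource)
                and _condition_holds(stmt.get("Condition", {}), context)):
            if stmt["Effect"] == "Deny":
                return "deny"
            allowed = True
    return "allow" if allowed else "implicit"


def is_authorized(scp, identity_policy, action, resource, context=None):
    """Effective permission = SCP allow AND identity allow, with any Deny winning."""
    context = context or {}
    return (evaluate(scp, action, resource, context) == "allow"
            and evaluate(identity_policy, action, resource, context) == "allow")


if __name__ == "__main__":
    ctx = {"aws:RequestedRegion": "us-east-1"}
    print(is_authorized(SCP, ADMIN_POLICY, "ec2:RunInstances", "*", ctx))
    print(is_authorized(SCP, ADMIN_POLICY, "cloudtrail:StopLogging", "*", ctx))
    print(is_authorized(SCP, DEVELOPER_POLICY, "ec2:RunInstances", "*", ctx))
```

The three calls at the bottom make the slide's point concrete: the admin role's `Allow *` cannot switch off CloudTrail because the SCP's Deny wins, the SCP's `Allow *` does not let the developer run instances because their own policy never allows it, and a request from a region outside the allow list is denied for everyone regardless of their identity policy.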
Multi-Account Architecture
• Setting up and configuring a multi-account architecture has long been considered challenging and complicated, especially for large organizations.
• A sample multi-account framework to start from, called a “Landing Zone,” has been in place for years.
• A newer service, AWS Control Tower, can automatically deploy a multi-account starting architecture.
– It creates and implements defensive guardrails such as AWS Config monitoring rules (detective), infrastructure-as-code definitions in AWS CloudFormation, and strict identity policies in the form of SCPs (preventive) that restrict permissions and privileges across accounts.
Least Privilege: Networking
• The second major component of a traditional least privilege design model is network segmentation that is closely aligned with a specific type of system or workload, often termed microsegmentation.
• A least privilege concept of network segmentation strives to prevent would-be attackers from using unapproved network connections to compromise systems, move laterally from a compromised application or system, or perform any illicit network activity, regardless of environment.
Microsegmentation with Cloud-Native Controls
• The first category of focus for any cloud network isolation and segmentation should be the core network zone associated with cloud accounts.
– In AWS, this is known as the virtual private cloud (VPC), and it can contain any number of distinct network subnets.
• AWS has two built-in types of network access and isolation controls: security groups and network access control lists (network ACLs).
– Use security groups and network ACLs together to control traffic into and out of network deployments.
Security Groups vs. NACLs
Security Groups                                            | NACLs
Apply to instances (attached to their network interfaces)  | Operate on VPC subnets
Only support Allow rules (layered on a default Deny)       | Support both Allow and Deny rules
Are stateful (return traffic is allowed automatically)     | Are not stateful (return traffic needs its own rule, typically on the ephemeral port range)
Are considered in their entirety before traffic is allowed | Are processed in numerical order; the first matching rule wins
Must be associated with an instance to apply               | Apply automatically to all instances in a subnet
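The two evaluation models side by side, as an added example (not code from the webinar or from AWS): one TCP connection is checked against a stateful, Allow-only security group and against a stateless, numbered NACL, including the reply packet that the NACL must separately permit and the rule-ordering mistake that silently breaks "SSH only from the bastion". The rule sets, addresses and ports are constructed; the bastion network 10.88.0.0/24 is an assumption alongside the 10.88.2.0/24 subnet the deck's later diagram uses.

```python
"""Security group vs. network ACL evaluation for one TCP connection.

Added example for the comparison above, not code from the webinar or from
AWS. It models only what the table contrasts: the security group is stateful
and any matching Allow rule admits the packet; the NACL is stateless, so the
reply needs its own outbound rule, and rules are tried in ascending number
with the first match deciding and the implicit final rule denying. The rule
sets, addresses and ports are constructed.
"""
import ipaddress

BASTION_NET = "10.88.0.0/24"    # constructed admin network

# Security group inbound rules: Allow only (outbound left at the default allow-all).
SG_INBOUND = [
    {"proto": "tcp", "ports": (443, 443), "cidr": "0.0.0.0/0"},
    {"proto": "tcp", "ports": (22, 22), "cidr": BASTION_NET},
]

# Network ACL rules, numbered; a deny placed after a narrower allow is the
# idiom for "SSH only from the bastion network".
NACL_INBOUND = [
    {"rule": 100, "proto": "tcp", "ports": (443, 443), "cidr": "0.0.0.0/0", "action": "allow"},
    {"rule": 110, "proto": "tcp", "ports": (22, 22), "cidr": BASTION_NET, "action": "allow"},
    {"rule": 120, "proto": "tcp", "ports": (22, 22), "cidr": "0.0.0.0/0", "action": "deny"},
]
# Replies to inbound connections leave on the client's ephemeral port, so the
# stateless NACL needs this outbound rule even though the SG needs nothing.
NACL_OUTBOUND = [
    {"rule": 100, "proto": "tcp", "ports": (1024, 65535), "cidr": "0.0.0.0/0", "action": "allow"},
]

# Same intent, wrong order: the broad deny now shadows the bastion allow.
NACL_INBOUND_MISORDERED = [
    {"rule": 100, "proto": "tcp", "ports": (443, 443), "cidr": "0.0.0.0/0", "action": "allow"},
    {"rule": 105, "proto": "tcp", "ports": (22, 22), "cidr": "0.0.0.0/0", "action": "deny"},
    {"rule": 110, "proto": "tcp", "ports": (22, 22), "cidr": BASTION_NET, "action": "allow"},
]


def _rule_matches(rule, packet):
    """packet: proto, peer (remote address) and port (the instance port for
    inbound traffic, the remote port for outbound traffic)."""
    low, high = rule["ports"]
    return (rule["proto"] == packet["proto"]
            and low <= packet["port"] <= high
            and ipaddress.ip_address(packet["peer"]) in ipaddress.ip_network(rule["cidr"]))


def sg_allows(rules, packet):
    """Stateful, Allow-only: the whole rule set is consulted; one match suffices."""
    return any(_rule_matches(rule, packet) for rule in rules)


def nacl_decision(rules, packet):
    """Stateless, ordered: lowest rule number first, first match wins, else deny."""
    for rule in sorted(rules, key=lambda r: r["rule"]):
        if _rule_matches(rule, packet):
            return rule["action"]
    return "deny"


def connection_allowed(sg_in, nacl_in, nacl_out, client_ip, client_port, dport):
    """Does a TCP connection from client_ip:client_port to the instance's dport
    complete? Returns (ok, stage that blocked it or 'ok')."""
    request = {"proto": "tcp", "peer": client_ip, "port": dport}
    reply = {"proto": "tcp", "peer": client_ip, "port": client_port}
    if nacl_decision(nacl_in, request) != "allow":
        return False, "nacl inbound"
    if not sg_allows(sg_in, request):
        return False, "security group"
    # The SG tracks the connection and lets the reply out without a rule;
    # the NACL does not, so the reply is checked against the outbound rules.
    if nacl_decision(nacl_out, reply) != "allow":
        return False, "nacl outbound (reply)"
    return True, "ok"


if __name__ == "__main__":
    print(connection_allowed(SG_INBOUND, NACL_INBOUND, NACL_OUTBOUND, "203.0.113.5", 51000, 443))
    print(connection_allowed(SG_INBOUND, NACL_INBOUND, [], "203.0.113.5", 51000, 443))
    print(connection_allowed(SG_INBOUND, NACL_INBOUND_MISORDERED, NACL_OUTBOUND, "10.88.0.7", 40000, 22))
```

The second call shows the classic NACL failure: the inbound HTTPS rule is right, the security group is right, and the connection still hangs because nothing lets the SYN-ACK back out on port 51000. The third shows why rule numbers, not rule intent, decide a NACL: the bastion's SSH is denied by rule 105 before rule 110 is ever consulted.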
Advanced Network Security Segmentation and Access Controls
• To segment and control traffic at the application layer, or to define policies focused more on application details and protocols, a third-party solution likely makes more sense.
• Most major cloud providers offer enterprise-class solutions that are capable of providing more granular policies and monitoring.
• Today’s next-generation firewall (NGFW) platforms are often used to provide network intrusion detection and prevention, traffic inspection and behavioral monitoring, and centralized configuration and administration.
Segmentation/Isolation Best Practices
• Consider what types of architectures make the most sense:
– Subnets vs. VPCs and VPC peering
– VPC peering enables organizations to couple distinct VPCs together, allowing assets in one network to talk to assets in another.
• VPC peering is not transitive: if VPC A is peered with B and B with C, A cannot reach C through B. Each pair of VPCs that needs to communicate must be peered explicitly, with routes added in both VPCs’ route tables.
– For larger designs, AWS Transit Gateway acts as a hub that each VPC attaches to once; its route tables define which VPCs may reach which, which simplifies multi-VPC architectures significantly.
Cloud Security Posture Management
• Cloud security posture management (CSPM) tools assess the actual control plane of the cloud environments in use, for compliance assessment, operational monitoring, DevOps integrations, risk identification and risk visualization.
• Because many cloud platform settings relate to networking and IAM configuration, CSPM continuous monitoring can be invaluable for catching the privilege and segmentation drift described earlier.
A Least Privilege Use Case
• For an organization planning on deploying to a platform-as-a-service (PaaS) or infrastructure-as-a-service (IaaS) cloud environment with a focus on least privilege, there are multiple recommended steps:
– Identify roles and responsibilities for team members requiring access to the cloud infrastructure.
– Determine the type of network access needed.
– Evaluate IAM roles and privilege assignments.
– Monitor the cloud control plane.
Next Steps
• A least privilege cloud architecture should include authentication and authorization controls, network access and inspection controls, and monitoring/enforcement controls for both the network and workloads.
– To implement a least privilege cloud environment, start with user and administrative access, followed by multi-account identity management, if applicable.
– From there, focus on network architecture and access control design.
– Once the cloud environment is up and running, a CSPM platform may make sense.
© 2020, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Designing a least privilege architecture in AWS
AWS services that enable network segmentation
[Figure: AWS services mapped to the Identify / Protect / Detect / Respond / Recover functions, with Investigate, Automate, Snapshot and Archive as sub-activities. Services shown: Amazon Macie, AWS Security Hub, Amazon Detective, Amazon GuardDuty, AWS Organizations, AWS Control Tower, AWS Well-Architected Tool, Amazon Cloud Directory, Amazon VPC PrivateLink, AWS Transit Gateway, AWS Resource Access Manager, AWS Identity and Access Management, Amazon VPC, AWS Firewall Manager.]
Implementing least privilege with AWS IAM Access Analyzer
[Figure: Access Analyzer reads the resource-based policies of IAM roles, KMS keys, Lambda functions, S3 buckets and SQS queues in an account, works out who has access to what, and raises findings for access granted to principals outside the account.]
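The check behind those findings, as an added example (not AWS code and not the service's implementation): walk the resource-based policies of the resource types shown, classify each principal, and report any Allow statement that a principal outside the zone of trust could use. The account IDs, organization ID and the four policies are constructed; treating a `Principal: "*"` statement as internal when it carries an `aws:PrincipalOrgID` condition mirrors how an organization-scoped analyzer treats it.

```python
"""Find resource-based policies reachable from outside a zone of trust.

Added example for the Access Analyzer slide, not AWS code; it reproduces the
idea behind the findings shown above (a principal outside the account or
organization can reach the resource), not the service's implementation. The
account IDs, organization ID and policies are constructed.
"""

ACCOUNT_ID = "123456789012"
ORG_ID = "o-example12345"
ORG_ACCOUNTS = {"123456789012", "210987654321"}   # constructed zone of trust


def _as_list(value):
    return [value] if isinstance(value, str) else list(value)


def principal_entries(principal):
    """Normalise the Principal element into (kind, identifier) pairs:
    ('public', None), ('account', '<12 digits>'), ('service', name) or ('other', raw)."""
    if principal == "*":
        return [("public", None)]
    entries = []
    for kind, values in principal.items():
        for value in _as_list(values):
            if kind == "AWS" and value == "*":
                entries.append(("public", None))
            elif kind == "AWS" and value.startswith("arn:aws:iam::"):
                entries.append(("account", value.split(":")[4]))
            elif kind == "AWS" and value.isdigit() and len(value) == 12:
                entries.append(("account", value))
            elif kind == "Service":
                entries.append(("service", value))
            else:
                entries.append(("other", value))
    return entries


def _restricted_to_org(condition):
    """True if a Condition pins the caller to our organization."""
    for pairs in condition.values():
        if pairs.get("aws:PrincipalOrgID") == ORG_ID:
            return True
    return False


def external_access(resource_arn, policy, trusted_accounts=ORG_ACCOUNTS):
    """Return findings (resource, principal label, actions) for Allow
    statements that a principal outside trusted_accounts could use."""
    findings = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow" or "Principal" not in stmt:
            continue
        actions = _as_list(stmt["Action"])
        org_only = _restricted_to_org(stmt.get("Condition", {}))
        for kind, ident in principal_entries(stmt["Principal"]):
            if kind == "public" and not org_only:
                findings.append((resource_arn, "public", actions))
            elif kind == "account" and ident not in trusted_accounts:
                findings.append((resource_arn, f"account:{ident}", actions))
            elif kind == "other":
                findings.append((resource_arn, f"unrecognised:{ident}", actions))
            # AWS service principals and in-org accounts are inside the zone of trust
    return findings


# Constructed resource-based policies of the kinds Access Analyzer covers.
BUCKET_POLICY = {"Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::public-assets/*"}]}
KEY_POLICY = {"Statement": [
    {"Effect": "Allow", "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT_ID}:root"},
     "Action": "kms:*", "Resource": "*"},
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::999999999999:role/etl"},
     "Action": ["kms:Decrypt", "kms:DescribeKey"], "Resource": "*"}]}
QUEUE_POLICY = {"Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "sqs:SendMessage",
     "Resource": "arn:aws:sqs:us-east-1:123456789012:orders",
     "Condition": {"StringEquals": {"aws:PrincipalOrgID": ORG_ID}}},
    {"Effect": "Allow", "Principal": {"Service": "sns.amazonaws.com"},
     "Action": "sqs:SendMessage", "Resource": "arn:aws:sqs:us-east-1:123456789012:orders"}]}
ROLE_TRUST_POLICY = {"Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::210987654321:role/deploy"},
     "Action": "sts:AssumeRole"}]}


def scan_all():
    """Scan the constructed resources and return every external-access finding."""
    resources = [
        ("arn:aws:s3:::public-assets", BUCKET_POLICY),
        ("arn:aws:kms:us-east-1:123456789012:key/constructed-key-id", KEY_POLICY),
        ("arn:aws:sqs:us-east-1:123456789012:orders", QUEUE_POLICY),
        ("arn:aws:iam::123456789012:role/ci", ROLE_TRUST_POLICY),
    ]
    findings = []
    for arn, policy in resources:
        findings.extend(external_access(arn, policy))
    return findings


if __name__ == "__main__":
    for finding in scan_all():
        print(finding)
```

Only two of the four resources produce findings: the public bucket and the KMS key shared with an account outside the organization. The queue's wildcard principal is fenced by `aws:PrincipalOrgID`, the SNS service principal is not an external identity, and the role trusts another member of the organization; whether that last one is acceptable is exactly the cross-account review the earlier slide calls for.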
Leveraging VPC Traffic Mirroring for network segmentation
• Enhance monitoring of traffic patterns and flow within your environment
• Enable inspection of inbound and outbound traffic
[Figure: inside a VPC behind an internet gateway, a source instance (interfaces eth0/eth1) in subnet 10.88.2.0/24 has its traffic mirrored to a destination inspection instance (interfaces ens5/ens6) in a subnet in a second Availability Zone; a remote administration path reaches the source instance.]
How are AWS customers leveraging Palo Alto Networks?
• Verify all users, devices and applications
• Provide complete visibility into traffic through Layer 7
• Enforce policies consistently to aid segmentation
Western Asset Management mitigates risk with Prisma Cloud by Palo Alto Networks
Benefits:
• Full network visibility
• Incident and misconfiguration response times reduced from days to minutes
• Built-in compliance reporting eliminates manually sifting through audit files
FNTS achieves secure network segmentation utilizing VM-Series firewalls by Palo Alto Networks
Benefits:
• Enhanced protection of inbound, outbound, and east-west network traffic
• Achieved a single, consistent management console across the entire environment
• Gained the ability to auto-scale provisioning and de-provisioning
Epsilon boosts network visibility and control leveraging Aviatrix’s Secure Networking Platform
Benefits:
• Increased visibility and troubleshooting
• Established profile-based remote user access control
• Secured connectivity between Amazon VPCs and on-premises resources
Vonage prevents lateral threats using Edgewise Zero Trust Auto-Segmentation
Benefits:
• Fully automated micro-segmentation
• Environment can now be mapped out in 20 minutes vs. 2 months
• Increased lateral protection across its networks
Why AWS Marketplace?
• Flexible consumption and contract models
• Quick and easy deployment
• Helpful humans to support you
How can you get started?
Find: a breadth of security solutions.
Buy, through flexible pricing options:
• Free trial
• Pay-as-you-go
• Hourly | Monthly | Annual | Multi-Year
• Bring Your Own License (BYOL)
• Seller Private Offers
• Channel Partner Private Offers
Deploy, with multiple deployment options:
• Software as a Service (SaaS)
• Amazon Machine Image (AMI)
• AWS CloudFormation (Infrastructure as Code)
• Amazon Elastic Container Service (ECS)
• Amazon Elastic Kubernetes Service (EKS)
Webinar summary
• New tools? Select solutions in AWS Marketplace for a curated list proven on AWS.
• Current tools? Bring your own license to leverage the benefits of AWS Marketplace.
• Leverage AWS services that integrate with your AWS environment and can enhance your network segmentation capabilities.
• Consider combining network segmentation with a least privilege architecture to boost your security controls in AWS.
Q&A
Please use GoToWebinar’s Questions tool to submit questions to our panel. Send to “Organizers” and tell us if it’s for a specific panelist.