Shiva N, Solutions Architect, AWS Security & DevSecOps

AWS Security and SecOps

Page 1: AWS Security and SecOps

Shiva N, Solutions Architect

AWS Security & DevSecOps

Page 2: AWS Security and SecOps

SECURITY IS JOB ZERO

Page 3: AWS Security and SecOps

Every customer gets exactly the same service from AWS

GxP, ISO 13485, AS9100, ISO/TS 16949

AWS Foundation Services

Compute Storage Database Networking

AWS Global Infrastructure Regions

Availability Zones, Edge Locations

AWS is responsible for the security OF

the Cloud

Page 4: AWS Security and SecOps

AWS Foundation Services

Compute Storage Database Networking

AWS Global Infrastructure Regions

Availability Zones, Edge Locations

Client-side Data Encryption

Server-side Data Encryption

Network Traffic Protection

Platform, Applications, Identity & Access Management

Operating System, Network, & Firewall Configuration

Customer applications & content

Customers

Customers have their choice of

security configurations IN

the Cloud

AWS is responsible for the security OF

the Cloud

Customers decide how to implement their own security policies

Page 5: AWS Security and SecOps

Availability Zone A

Resilient applications architecture

Customer content backups, archives and continuity solutions

Resilient infrastructure configurations

Customer resilience and recovery processes

Customers

Customers control how they manage continuity and recovery

AWS builds resilient services and features to help customers

Customers control their own continuity, resilience and recovery

Availability Zone B

AWS business resiliency processes

Customer content, transactions and data-stores

Page 6: AWS Security and SecOps

NIST 800-53, PCI-DSS

AWS managed and audited controls

Customers control how they manage their own risks

SOC 2, SOC 1, ISO 27001

Other AWS service features: Logging

AWS provided, customer configured and managed controls

Key management

Virtual Private Cloud

Customer provided and managed controls

Technology risks

Customer risk appetite and desired control environment

Sourcing risks, Business risks, Security risks, Compliance

IDaM, Encryption, Classification, Monitoring

ITSM, Governance, Security policy, Operations

Malware

Risk management

Customers decide on the appropriate controls and manage and monitor the effectiveness of those controls

Customers take reliance on AWS control reports

Page 7: AWS Security and SecOps

SECURITY IS VISIBILITY AND AUDITABILITY

Page 8: AWS Security and SecOps

How often do you map your network?

WHAT’S IN YOUR ENVIRONMENT RIGHT NOW?

Page 9: AWS Security and SecOps
Page 10: AWS Security and SecOps
Page 11: AWS Security and SecOps

You are making API calls... on a growing set of services around the world…

AWS CloudTrail is continuously recording API calls… and delivering log files to you

AWS CLOUDTRAIL

Redshift, AWS CloudFormation

AWS Elastic Beanstalk

Page 12: AWS Security and SecOps

AWS Config

AWS Config is a fully managed service that provides you with an inventory of your AWS resources, lets you audit the resource configuration history and notifies you of resource configuration changes.

Page 13: AWS Security and SecOps

SECURITY IS CONTROL

Page 14: AWS Security and SecOps

CONTROL OF YOUR CONTENT

Page 15: AWS Security and SecOps

You are in control of privacy

Choose an AWS Region and AWS will not replicate it elsewhere unless you choose to do so

Control format, accuracy and encryption any way that you choose

Control who can access content

Control content lifecycle and disposal

Customers retain full ownership and control of their content

Page 16: AWS Security and SecOps

US-WEST (Oregon)

EU-WEST (Ireland)

ASIA PAC (Tokyo)

US-WEST (N. California)

SOUTH AMERICA (Sao Paulo)

US-EAST (Virginia)

AWS GovCloud (US)

ASIA PAC (Sydney)

ASIA PAC (Singapore)

CHINA (Beijing)

EU-CENTRAL (Frankfurt)

Your data stays where you put it

12 AWS Regions

ASIA PAC (Seoul)

Page 17: AWS Security and SecOps

CONTROL WHO CAN DO WHAT WITH AWS IDENTITY AND ACCESS MANAGEMENT

Page 18: AWS Security and SecOps

Control access and segregate duties everywhere

With AWS IAM you get to control who can do what in your AWS environment and from where

Fine-grained control of your AWS cloud with two-factor authentication

Integrated with your existing corporate directory using SAML 2.0 and single sign-on

AWS account owner

Network management

Security management

Server management

Storage management

Page 19: AWS Security and SecOps

CONTROL OF YOUR NETWORK

Page 20: AWS Security and SecOps

Create your own private, isolated section of the AWS cloud

Availability Zone A

Availability Zone B

AWS Virtual Private Cloud

• Provision a logically isolated section of the AWS cloud

• You choose a private IP range for your VPC

• Segment this into subnets to deploy your compute instances

AWS network security

• AWS network will prevent spoofing and other common layer 2 attacks

• You cannot sniff anything but your own EC2 host network interface

• Control all external routing and connectivity

Page 21: AWS Security and SecOps

You can connect resiliently and in private to your own datacentres

YOUR AWS ENVIRONMENT

AWS Direct Connect

YOUR PREMISES

Digital Websites

Big Data Analytics

Dev and Test

Enterprise Apps

AWS Internet

VPN

Page 22: AWS Security and SecOps

CONTROL YOUR COMPUTE

Page 23: AWS Security and SecOps

Launch instance EC2

AMI catalogue

Running instance Your instance

Hardening and configuration

Audit and logging

Vulnerability management

Malware and IPS

Whitelisting and integrity

User administration

Operating system

Configure instance

Configure your environment as you like

• You get to apply your existing security policy

• Create or import your own ‘gold’ images

• Import existing VMs to AWS or save your own custom images

• Choose how to build your standard host security environment

• Apply your existing host controls and configurations

Page 24: AWS Security and SecOps

First class security and compliance starts (but doesn’t end!) with encryption

Automatic encryption with managed keys

Bring your own keys

Dedicated hardware security modules

Page 25: AWS Security and SecOps

AWS Key Management Service

One-click Encryption

Centralized key management (create, delete, view, set policies)

Enforced, automatic key rotation

Visibility into any changes via CloudTrail

Encryption key management and compliance made easy

Page 26: AWS Security and SecOps

Device managed and monitored by AWS, you fully control the keys

Increase performance for applications that use HSMs for key storage or encryption

Comply with stringent regulatory and contractual requirements for key protection

Industry-standard SafeNet Luna SA devices that are single tenant for you

EC2 Instance

AWS CloudHSM

AWS CloudHSM

You can also store your encryption keys in AWS CloudHSM

Page 27: AWS Security and SecOps

SECURITY IS HOW QUICKLY YOU CAN REACT AND RESPOND

Page 28: AWS Security and SecOps

Ubiquitous logging and monitoring

CloudWatch Logs lets you log everything and monitor events in those logs

• Storage is cheap - collect and keep your logs

• Store logs durably in write-only storage

• Integration with CloudWatch Metrics and Alarms means you can continually scan for events you know might be suspicious

IF (detect web attack > 10 in a 1 minute period) ALARM - INCIDENT IN PROGRESS, NOTIFY CERT

Page 29: AWS Security and SecOps

AUDIT EVERYTHING

Page 30: AWS Security and SecOps

Innovations Are For Auditors Too

Auditing-centric services and features

• AWS Config

• AWS Key Management Service (AWS KMS)

• AWS Trusted Advisor checks

• Last AWS sign in

• AWS CloudTrail

• IAM Credential Reports

• Policies

Page 31: AWS Security and SecOps

SECURITY + DEVOPS = DEVSECOPS

Page 32: AWS Security and SecOps

Security Automation

• Blocking Before Deployment - prevent a "known bad" from executing in the environment

• Audit and Respond – catch changes that were not approved or compliant

• React - Automated intrusion detection and response for unknown security problems

Page 33: AWS Security and SecOps

Get Rugged -- DevSecOps

(Diagram: DEV, SEC and OPS overlapping, with Compliance Operations, Security Operations, Security Science, Security Engineering and AppSec; the new areas are marked NEW)

• Security as Code

• Self-Service Testing

• Red Team/Blue Team

• Inline Enforcement

• Analytics & Insights

• Detect & Contain

• Incident Response

• Investigations

• Forensics

Page 34: AWS Security and SecOps

Security drives Faster Pipelines

• Use CodeCommit, CodeDeploy & CodePipeline

• Push many small changes per day to support fast defect discovery & remediation

• Restack often (less than 10 days)

• High performers have better security

Page 35: AWS Security and SecOps

Faster Feedback = Continuous Compliance

• Boring: PCI DSS 1.1.1 – Approve/Test/Detect firewall changes

• Fun: Scan API + ingest Config/CloudTrail, trigger firewall audits and revert unapproved changes

• Boring: PCI DSS 2.2 - Develop & assure configuration standards for all system components.

• Fun: Track known good CF stacks & AMIs, alert or neutralize non-compliant/non-approved deploys.

Page 36: AWS Security and SecOps

Faster Feedback = Continuous Compliance

• Boring: HIPAA 164.312(a)(2)(iv): Implement a method to encrypt and decrypt electronic protected health information.

• Fun: Enforce encryption of all assets with HIPAA or data classification tags. Continuous enforcement! (KMS!)

• Boring: NIST 800-53 AC-2(12) – Monitor and report atypical usage of information system accounts.

• Fun: CloudTrail/Config user attribution of use/abuse.

• More Fun: Maps to PCI DSS 7.1.3, COBIT DS5.4, ISO 17799, and more!

Page 37: AWS Security and SecOps

SECURITY “EVENTS”

1 Detect   2 Investigate   3 Protect   4 Communicate

Page 38: AWS Security and SecOps

CloudTrail OFF

Page 39: AWS Security and SecOps

CloudTrail OFF

"userIdentity": {
    "type": "IAMUser",
    "principalId": "AIDAI5WIMUDR2UZUI62VO",
    "arn": "arn:aws:iam::000123456789:user/reinvent-sec308",
    "accountId": "000123456789",
    "accessKeyId": "AKIAIRAHHRD3PHLUFJLQ",
    "userName": "reinvent-sec308"
},
"eventTime": "2015-09-23T00:41:45Z",
"eventSource": "cloudtrail.amazonaws.com",
"eventName": "StopLogging",
"awsRegion": "us-west-2",
"sourceIPAddress": "55.55.55.55",
"userAgent": "aws-cli/1.7.25 Python/2.7.5 Darwin/13.4.0",
"requestParameters": { "name": "CloudTrail-Default" },
"responseElements": null,
....

Page 40: AWS Security and SecOps

CloudTrail OFF event – Detect

"CloudTrailStopMetricFilter": {
    "Type": "AWS::Logs::MetricFilter",
    "Properties": {
        "LogGroupName": { "Ref": "LogGroupName" },
        "FilterPattern": "{ ($.eventName = StopLogging) }",
        "MetricTransformations": [
            {
                "MetricNamespace": "CloudTrailMetrics",
                "MetricName": "CloudTrailEventCount",
                "MetricValue": "1"
            }
        ]
    }
},

Page 41: AWS Security and SecOps

CloudTrail OFF event – Detect

"CloudTrailStoppedAlarm": {
    "Type": "AWS::CloudWatch::Alarm",
    "Properties": {
        "AlarmName": "CloudTrailStoppedAlarm",
        "AlarmDescription": "Alarms when StopLogging API call is made",
        "AlarmActions": [{ "Ref": "AlarmNotificationTopic" }],
        "MetricName": "CloudTrailEventCount",
        "Namespace": "CloudTrailMetrics",
        "ComparisonOperator": "GreaterThanOrEqualToThreshold",
        "EvaluationPeriods": "1",
        "Period": "300",
        "Statistic": "Sum",
        "Threshold": "1"
    }
},
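The metric filter and alarm above are declarative, so it helps to see the same detection logic as plain code. The following Python is an added example, not code from the deck: `metric_filter` plays the role of the `{ ($.eventName = StopLogging) }` filter pattern (one data point per matching record), `evaluate_alarm` plays the role of the CloudWatch alarm (bucket the points into fixed periods, compute the statistic, compare against the threshold), and `cloudtrail_stopped_alarm` wires them together with the deck's settings (Period 300, Statistic Sum, Threshold 1, GreaterThanOrEqualToThreshold). `web_attack_alarm` applies the same evaluator to the earlier "detect web attack > 10 in a 1 minute period" rule from the CloudWatch Logs slide. The sample records, timestamps and function names are constructed for this example.

```python
from datetime import datetime, timezone
from operator import ge, gt, le, lt

# Constructed sample CloudTrail records (not from a real account): the
# StopLogging call shown in the deck, an unrelated read call, and the later
# StartLogging that turns the trail back on.
SAMPLE_RECORDS = [
    {"eventTime": "2015-09-23T00:41:45Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "awsRegion": "us-west-2",
     "userIdentity": {"type": "IAMUser", "userName": "reinvent-sec308"},
     "requestParameters": {"name": "CloudTrail-Default"}},
    {"eventTime": "2015-09-23T00:42:10Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "awsRegion": "us-west-2",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}},
    {"eventTime": "2015-09-23T00:47:30Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StartLogging", "awsRegion": "us-west-2",
     "userIdentity": {"type": "IAMUser", "userName": "reinvent-sec308"},
     "requestParameters": {"name": "CloudTrail-Default"}},
]

# Constructed timestamps of web-attack detections: eleven inside the minute
# starting 00:41:00 (enough to trip the "> 10 per minute" rule) and three
# more in a quieter minute.
SAMPLE_ATTACK_TIMES = [f"2015-09-23T00:41:{s:02d}Z" for s in range(0, 55, 5)] + [
    "2015-09-23T00:43:05Z", "2015-09-23T00:43:20Z", "2015-09-23T00:43:50Z"]

OPERATORS = {
    "GreaterThanOrEqualToThreshold": ge,
    "GreaterThanThreshold": gt,
    "LessThanThreshold": lt,
    "LessThanOrEqualToThreshold": le,
}


def parse_event_time(ts):
    """CloudTrail eventTime is ISO 8601 in UTC with a trailing Z."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def metric_filter(records, field, value):
    """Equivalent of the filter pattern { ($.<field> = <value>) }: one data
    point with metric value 1 for every record whose top-level field matches."""
    return [(parse_event_time(r["eventTime"]), 1) for r in records if r.get(field) == value]


def evaluate_alarm(datapoints, period, threshold,
                   comparison="GreaterThanOrEqualToThreshold", statistic="Sum"):
    """Bucket (timestamp, value) points into fixed periods of `period` seconds
    aligned to the epoch, apply the statistic per bucket, and return the start
    times (ISO strings) of every period that breaches the threshold."""
    buckets = {}
    for ts, value in datapoints:
        start = int(ts.timestamp()) // period * period
        buckets.setdefault(start, []).append(value)
    breaches = []
    for start in sorted(buckets):
        values = buckets[start]
        stat = sum(values) if statistic == "Sum" else len(values)  # Sum or SampleCount
        if OPERATORS[comparison](stat, threshold):
            breaches.append(datetime.fromtimestamp(start, timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"))
    return breaches


def cloudtrail_stopped_alarm(records):
    """The deck's CloudTrailStoppedAlarm: Sum of StopLogging points over 300 s >= 1."""
    return evaluate_alarm(metric_filter(records, "eventName", "StopLogging"),
                          period=300, threshold=1)


def web_attack_alarm(detection_times):
    """The deck's 'web attack > 10 in a 1 minute period' rule."""
    points = [(parse_event_time(ts), 1) for ts in detection_times]
    return evaluate_alarm(points, period=60, threshold=10, comparison="GreaterThanThreshold")


if __name__ == "__main__":
    print("CloudTrail stopped in periods:", cloudtrail_stopped_alarm(SAMPLE_RECORDS))
    print("Web attack alarm periods:", web_attack_alarm(SAMPLE_ATTACK_TIMES))
```

The returned period start times are what the alarm's SNS notification would carry; the same `metric_filter` call with `"DeactivateMFADevice"` gives the detection half of the MFA deactivate event later in the deck.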

Page 42: AWS Security and SecOps

CloudTrail OFF event – Investigate

"userIdentity": {
    "type": "IAMUser",
    "principalId": "AIDAI5WIMUDR2UZUI62VO",
    "arn": "arn:aws:iam::000123456789:user/reinvent-sec308",
    "accountId": "000123456789",
    "accessKeyId": "AKIAIRAHHRD3PHLUFJLQ",
    "userName": "reinvent-sec308"
},
"eventTime": "2015-09-23T00:41:45Z",
"eventSource": "cloudtrail.amazonaws.com",
"eventName": "StopLogging",
"awsRegion": "us-west-2",
"sourceIPAddress": "55.55.55.55",
"userAgent": "aws-cli/1.7.25 Python/2.7.5 Darwin/13.4.0",
"requestParameters": { "name": "CloudTrail-Default" },
"responseElements": null,
....

Page 43: AWS Security and SecOps

CloudTrail OFF event – Protect

• Deny permissions for CloudTrail in IAM groups or roles

{
    "Sid": "Stmt0001",
    "Effect": "Deny",
    "Action": [
        "cloudtrail:DeleteTrail",
        "cloudtrail:StopLogging"
    ],
    "Resource": [ "*" ]
}
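The reason the Deny statement works even for a principal who otherwise has broad permissions is the IAM evaluation order: an explicit Deny that matches the request is final, whatever Allow statements also match. The following Python is an added example, not the deck's code and not AWS's evaluator: a simplified identity-policy evaluator (Action and Resource matching only, no conditions, NotAction or resource policies) that shows the deck's Stmt0001 blocking `cloudtrail:StopLogging` for a principal whose other statement allows everything. The surrounding policy and the trail ARN are constructed for the example.

```python
import fnmatch

# Constructed policy: a broad Allow of everything plus the deck's Stmt0001 Deny.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AdminAllow", "Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Sid": "Stmt0001", "Effect": "Deny",
         "Action": ["cloudtrail:DeleteTrail", "cloudtrail:StopLogging"],
         "Resource": ["*"]},
    ],
}

# Constructed trail ARN for the requests evaluated below.
TRAIL_ARN = "arn:aws:cloudtrail:us-west-2:000123456789:trail/CloudTrail-Default"


def _as_list(value):
    # Action and Resource may be a single string or a list in a policy document.
    return value if isinstance(value, list) else [value]


def _action_matches(patterns, action):
    # Action names are matched case-insensitively; '*' and '?' are wildcards.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in _as_list(patterns))


def _resource_matches(patterns, resource):
    # Resource ARNs are matched case-sensitively with the same wildcards.
    return any(fnmatch.fnmatchcase(resource, p) for p in _as_list(patterns))


def evaluate(policy, action, resource):
    """Return (decision, sid). Start from implicit deny; the first matching
    explicit Deny ends evaluation; otherwise a matching Allow permits the call."""
    decision, sid = "implicitDeny", None
    for stmt in policy["Statement"]:
        if not _action_matches(stmt.get("Action", []), action):
            continue
        if not _resource_matches(stmt.get("Resource", []), resource):
            continue
        if stmt["Effect"] == "Deny":
            return "explicitDeny", stmt.get("Sid")
        decision, sid = "allow", stmt.get("Sid")
    return decision, sid


def is_allowed(policy, action, resource):
    return evaluate(policy, action, resource)[0] == "allow"


def without_statement(policy, sid):
    """Copy of the policy with statement `sid` removed, to show what the same
    principal could do if the Deny were not attached."""
    return {"Version": policy["Version"],
            "Statement": [s for s in policy["Statement"] if s.get("Sid") != sid]}


if __name__ == "__main__":
    for action in ("cloudtrail:StopLogging", "cloudtrail:DeleteTrail", "cloudtrail:DescribeTrails"):
        print(action, "->", evaluate(POLICY, action, TRAIL_ARN))
    print("without Stmt0001:", evaluate(without_statement(POLICY, "Stmt0001"),
                                         "cloudtrail:StopLogging", TRAIL_ARN))
```

Attaching the Deny to the groups and roles people actually use, rather than relying on the absence of an Allow, is what keeps a later, broader Allow from silently reopening the ability to stop the trail.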

Page 44: AWS Security and SecOps

MFA Deactivate Event

.....
"eventTime": "2015-09-20T18:53:02Z",
"eventSource": "iam.amazonaws.com",
"eventName": "DeactivateMFADevice",
"awsRegion": "us-east-1",
"sourceIPAddress": "55.55.55.55",
"userAgent": "signin.amazonaws.com",
"requestParameters": {
    "userName": "bob",
    "serialNumber": "arn:aws:iam::000019241430:mfa/bob"
},
"responseElements": null,
"requestID": "d1a9ebf8-5fc8-11e5-9d8f-1bc7c6757e61",
.....

Page 45: AWS Security and SecOps

MFA Deactivate Event – Protect

• Use AWS Identity & Access Management to require MFA

http://blogs.aws.amazon.com/security/post/Tx2SJJYE082KBUK/How-to-Delegate-Management-of-Multi-Factor-Authentication-to-AWS-IAM-Users

Page 46: AWS Security and SecOps

Unapproved AMI event – Detect

• Compare launched EC2 instances against a whitelist.

• What is a good method to compare against a whitelist?
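One workable method, shown here as an added example rather than the deck's own code, is to read the RunInstances records from each delivered CloudTrail log file and compare the image IDs of the instances that were actually created against an allowlist of approved AMIs. It reads `responseElements` rather than `requestParameters` (the request can name one image, the response lists every instance created) and skips calls that carry an `errorCode`, because a denied or failed launch created nothing to act on. This is the comparison logic a "Lambda Responder" would run on each file before publishing to SNS; the account, instance and AMI IDs, the allowlist and the function names are constructed for the example, and the S3 fetch is left out so it runs offline.

```python
import json

# Constructed allowlist of approved ('gold') AMI IDs; not real images.
APPROVED_AMIS = {"ami-0aaaaaaaaaaaaaaaa", "ami-0bbbbbbbbbbbbbbbb"}

# Constructed CloudTrail log file body in the shape CloudTrail delivers to S3
# (a JSON object with a "Records" list). Record 1 is an approved launch,
# record 2 launches two instances from an unapproved AMI, record 3 is a
# failed launch that created nothing, record 4 is an unrelated event.
SAMPLE_LOG_FILE = json.dumps({"Records": [
    {"eventTime": "2015-09-23T01:00:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "awsRegion": "us-west-2",
     "userIdentity": {"arn": "arn:aws:iam::000123456789:user/alice"},
     "requestParameters": {"instancesSet": {"items": [
         {"imageId": "ami-0aaaaaaaaaaaaaaaa", "minCount": 1, "maxCount": 1}]}},
     "responseElements": {"instancesSet": {"items": [
         {"instanceId": "i-0001", "imageId": "ami-0aaaaaaaaaaaaaaaa"}]}}},
    {"eventTime": "2015-09-23T01:05:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "awsRegion": "us-west-2",
     "userIdentity": {"arn": "arn:aws:iam::000123456789:user/bob"},
     "requestParameters": {"instancesSet": {"items": [
         {"imageId": "ami-0ccccccccccccccccc", "minCount": 2, "maxCount": 2}]}},
     "responseElements": {"instancesSet": {"items": [
         {"instanceId": "i-0002", "imageId": "ami-0ccccccccccccccccc"},
         {"instanceId": "i-0003", "imageId": "ami-0ccccccccccccccccc"}]}}},
    {"eventTime": "2015-09-23T01:06:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "awsRegion": "us-west-2",
     "userIdentity": {"arn": "arn:aws:iam::000123456789:user/carol"},
     "errorCode": "Client.UnauthorizedOperation",
     "requestParameters": {"instancesSet": {"items": [
         {"imageId": "ami-0ddddddddddddddddd", "minCount": 1, "maxCount": 1}]}},
     "responseElements": None},
    {"eventTime": "2015-09-23T01:07:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "awsRegion": "us-west-2",
     "userIdentity": {"arn": "arn:aws:iam::000123456789:user/alice"}},
]})


def find_unapproved_launches(records, approved_amis):
    """One finding per instance created from an AMI outside the allowlist."""
    findings = []
    for rec in records:
        if rec.get("eventSource") != "ec2.amazonaws.com" or rec.get("eventName") != "RunInstances":
            continue
        if rec.get("errorCode"):
            continue  # denied or failed calls launched nothing
        items = ((rec.get("responseElements") or {}).get("instancesSet") or {}).get("items", [])
        for inst in items:
            image = inst.get("imageId")
            if image not in approved_amis:
                findings.append({
                    "instanceId": inst.get("instanceId"),
                    "imageId": image,
                    "region": rec.get("awsRegion"),
                    "principal": (rec.get("userIdentity") or {}).get("arn"),
                    "eventTime": rec.get("eventTime"),
                })
    return findings


def scan_log_file(body, approved_amis=APPROVED_AMIS):
    """Process one delivered log file (the text a responder reads from S3)."""
    return find_unapproved_launches(json.loads(body).get("Records", []), approved_amis)


def summarize(findings):
    """One line per finding, suitable as the body of an SNS notification."""
    return [f"{f['eventTime']} {f['region']} {f['principal']} launched "
            f"{f['instanceId']} from unapproved {f['imageId']}" for f in findings]


if __name__ == "__main__":
    for line in summarize(scan_log_file(SAMPLE_LOG_FILE)):
        print(line)
```

Keeping the allowlist outside the code (a tagged AMI set, a parameter store entry, or the output of the AMI build pipeline) lets the same responder follow image rotation without redeploying.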

Page 47: AWS Security and SecOps

Building a “Lambda Responder”

CloudTrail S3

Lambda

Lambda

SNS

Page 48: AWS Security and SecOps

Rate Based Blacklisting

Users

CloudFront

Static Files S3 Bucket

CloudFront Access Log S3 Bucket

WAF

Elastic Load Balancing

Amazon Lambda

Web Servers

CloudWatch

Amazon RDS

DDoS

X

Page 49: AWS Security and SecOps

AWS managed Config rules

1. All EC2 instances must be inside a VPC.

2. All attached EBS volumes must be encrypted, with KMS ID.

3. CloudTrail must be enabled, optionally with S3 bucket, SNS topic and CloudWatch Logs.

4. All security groups in attached state should not have unrestricted access to port 22.

5. All EIPs allocated for use in the VPC are attached to instances.

6. All resources being monitored must be tagged with specified tag keys:values.

7. All security groups in attached state should not have unrestricted access to these specific ports.
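Rules 4 and 7 above are the same check with a different port list, and the logic is small enough to show in full. The following Python is an added example, not the AWS managed rule's implementation: given a security group in the shape EC2's DescribeSecurityGroups returns, it reports NON_COMPLIANT when any inbound rule is open to the world (0.0.0.0/0 or ::/0) and covers one of the blocked ports, treating an `IpProtocol` of `-1` as covering every port. The group descriptions, IDs and CIDRs are constructed, and numeric protocol values (such as "6" for TCP) are not normalized.

```python
# Constructed security group descriptions in the shape returned by EC2
# DescribeSecurityGroups (IpPermissions / IpRanges / Ipv6Ranges).
SAMPLE_GROUPS = [
    {"GroupId": "sg-0aaaa", "GroupName": "bastion", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0bbbb", "GroupName": "web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0cccc", "GroupName": "wide-open", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
]

ANY_IPV4, ANY_IPV6 = "0.0.0.0/0", "::/0"


def _is_unrestricted(permission):
    """True when the rule accepts traffic from any IPv4 or IPv6 source."""
    return (any(r.get("CidrIp") == ANY_IPV4 for r in permission.get("IpRanges", [])) or
            any(r.get("CidrIpv6") == ANY_IPV6 for r in permission.get("Ipv6Ranges", [])))


def _covers_port(permission, port, protocols=("tcp",)):
    """True when the rule's protocol/port range includes `port`."""
    proto = permission.get("IpProtocol")
    if proto == "-1":            # all protocols and all ports
        return True
    if proto not in protocols:
        return False
    low = permission.get("FromPort", 0)
    high = permission.get("ToPort", 65535)
    return low <= port <= high


def evaluate_security_group(group, blocked_ports=(22,)):
    """Config-rule style result for one group: NON_COMPLIANT when any inbound
    rule is open to the world and covers a blocked port."""
    violations = []
    for perm in group.get("IpPermissions", []):
        if not _is_unrestricted(perm):
            continue
        for port in blocked_ports:
            if _covers_port(perm, port):
                violations.append({"port": port, "protocol": perm.get("IpProtocol")})
    return {"GroupId": group["GroupId"],
            "ComplianceType": "NON_COMPLIANT" if violations else "COMPLIANT",
            "violations": violations}


def evaluate_all(groups, blocked_ports=(22,)):
    """Map of GroupId to compliance type, as a rule over an account's groups."""
    return {r["GroupId"]: r["ComplianceType"]
            for r in (evaluate_security_group(g, blocked_ports) for g in groups)}


if __name__ == "__main__":
    print("port 22:", evaluate_all(SAMPLE_GROUPS))
    print("ports 22, 3389:", evaluate_all(SAMPLE_GROUPS, blocked_ports=(22, 3389)))
```

Rule 7's "specific ports" variant is the same function with a different `blocked_ports` tuple; the "attached state" qualifier in the rule text is a filter applied before this evaluation, using the group's attachment to network interfaces.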

Page 50: AWS Security and SecOps

Community contributed Config Rules

1. Ensure an IAM password policy exists.

2. Ensure IAM password policy requires a minimum number of characters.

3. Ensure IAM password policy sets maximum password age.

4. Ensure IAM password policy requires an uppercase character.

5. Ensure IAM password policy requires a lowercase character.

6. Ensure IAM password policy requires a number.

7. Ensure IAM password policy requires a symbol.

8. Ensure IAM password policy prevents password reuse.

9. Ensure EC2 instances have desired tenancy.

10. Ensure CloudTrail is enabled in all regions.

11. Ensure IAM user access key rotation.

12. Ensure access key disabled on root account.

13. Ensure MFA enabled on root account.

14. Ensure IAM user has MFA enabled.

15. Ensure CloudTrail log validation is enabled in all regions.

16. Ensure AWS Config is enabled in all regions.

17. Ensure all EC2 instances are of a given type.

18. Ensure fewer resources than provided count for a given type.

19. Ensure VPC Flow Logs is enabled.

https://github.com/awslabs/aws-config-rules/

Page 51: AWS Security and SecOps

ARE YOU WELL SECURED?

Page 52: AWS Security and SecOps

Well secured questions…

• CloudFormation

– Credentials are not embedded in the templates, including passwords for other non-AWS systems

– Followed best practices from the services in use

– Enforced stack policy to prevent stack updates

– Version controlled and secure CloudFormation template store

• CloudTrail

– All accounts and regions log into a single consolidated S3 bucket

– Versioning and MFA delete enforced on the CloudTrail S3 bucket to ensure that files cannot be removed or tampered with

– Enable CloudTrail log file integrity validation

– Use server-side encryption with AWS KMS-managed keys (SSE-KMS)

– Log retention period defined in accordance with policy and local laws

– SIEM tool integrated to process CloudTrail logs

– S3 bucket policy defined for read-only access from trusted accounts, only via IAM assume-role method

Tools: cfn-nag, aws-cf-checker

Page 53: AWS Security and SecOps

Well secured questions…

• EBS

– Create encrypted volumes with customer managed KMS key

– Use IAM resource level tags to restrict deletion events

– Automated EBS snapshot schedule defined

– EBS snapshots only shared with trusted accounts

– Encrypt OS and data volumes as appropriate

– Enforce tagging

• EC2

– Approved AMI used to deploy EC2 instance

– SSH private key is secured, and rotation strategy is in place

– SSH access only granted to EC2 instances which require remote access

– Users authenticated to OS using MFA

– Credentials not hardcoded in the user data or inside source code

– Use IAM Roles

– Third party security measures are deployed, e.g. HIDS/HIPS

– Patch management process defined

– Tagging practices are followed to allow resource level IAM controls to be implemented

– Automated build creation process in place for creation of approved AMI

Tools: Graffiti Monkey, Janitor Monkey

Page 54: AWS Security and SecOps

Well secured questions…

• IAM

– Access to AWS for users is via enterprise federation rather than AWS IAM users

– Use of AWS root account credential is monitored

– IAM users have both password and access key credentials only where absolutely required

– Attach policies to IAM groups instead of IAM users

• VPC

– Appropriate separation of VPCs and subnets

– Restricted protocols and appropriate IP source addresses for Internet facing security groups

– Default security group not used and does not allow any traffic

– No direct admin access to Internet facing resources; bastion host used to access

– Use multiple security groups per instance to segregate between different traffic types

– Ensure that total number of rules across all security groups is less than 50

– Monitor security group changes using AWS Config and AWS CloudTrail to determine what was changed and by whom

– VPC flow logs ingested to CloudWatch Logs and further processing is in place appropriately

– Appropriate IAM controls in place to control who can manage security group and NACL configuration vs assign to resources

– Leverage VPC endpoints for services which provide them, e.g. S3, DynamoDB

Page 56: AWS Security and SecOps

THANK YOU

ANY QUESTIONS?