
AWS & Infrastructure Hardening - Cloud Infrastructure Security


Page 1: AWS & Infrastructure Hardening - Cloud Infrastructure Security

AWS & Infra Hardening
May 17, 2016

Maqbul Khan Sr. Technical Consultant, Minjar

A product by

Page 2

Our Request

On mute mode till Q/A; last 15 minutes of the webinar

Page 3

Agenda

• Access, Authorization & Revoke
• AWS Account Security
• Network Security
• Infrastructure Security
• Security Audit
• Lock down your production: No Man’s Land

Page 4

About Us

Minjar - Cloud Automation and Solutions for AWS: AWS Architectures, Managed Cloud, DevOps, CloudOps

Botmetric – Intelligent Cloud Platform for AWS Cost Management, Infrastructure Audit and DevOps Automation for AWS Cloud; sold as a SaaS product

Page 5

AWS & Infrastructure Hardening

Page 6

Access, Authorization & Revoke

What is AAR?

• Make sure an access inventory is maintained
• Every access has been given upon authorization
• Access has to be revoked immediately when there is no longer a need for it

Why do we need AAR?

Different organizations have different departments, teams and partners.

Page 7

Access, Authorization & Revoke

Let’s take a scenario: an organization has an AWS account and infrastructure, and possible teams:

• On-shore IT team
• Off-shore development team
• Managed service CloudOps / DevOps team

So how do we manage and secure the AWS account and infrastructure?

Page 8

Access, Authorization & Revoke

AWS account
• AWS console access
• Different AWS services

Infrastructure
• Servers
• Databases

Page 9

AWS Account Security

How do we make sure our AWS account is secured?

• Users
• Roles
• Groups
• Policies

Page 10

AWS Account Security

Users
• Enable MFA
• Don’t create an access key & secret key unless required
• Check when the last access activity was performed by the user

Review access keys and secret keys
• Remove old keys which users don’t use
• If users are not using their access keys / secret keys, it is recommended to remove them
• Enable API protection on the resources
• Rotate keys every certain period of time

Page 11

AWS Account Security

Page 12

AWS Account Security

Page 13

AWS Account Security

Roles
• For resources
• Use switch roles

Groups
• Create different groups with different permissions for different teams and add the team members to those groups
• i.e. development teams need only access to specific resources: create a group for the dev team and create a policy using tags

Let’s look at the example…

Page 14

AWS Account Security: Example
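The example slide's own content did not survive extraction. The following is an added illustration, not the deck's code, of the "create a group for the dev team and create a policy using tags" idea: it builds an IAM policy document that lets a group manage only EC2 instances carrying a team tag, and includes a small check for the "access to all resources" pattern the audit slide warns against. The tag key `Team`, the team name `dev` and the chosen EC2 actions are assumptions for illustration.

```python
"""Generate a tag-scoped IAM policy for a team and sanity-check it.

Added example, not from the webinar deck. The tag key ("Team"), the team
name and the set of EC2 actions are assumptions chosen for illustration.
"""
import json

TAG_KEY = "Team"  # assumed tag key used to mark resources per team


def build_team_policy(team):
    """Return an IAM policy document that lets a group manage only the
    EC2 instances tagged with Team=<team>.

    Describe* calls do not support resource-level permissions, so they are
    allowed read-only on "*"; the mutating actions are limited to instances
    carrying the team tag through the ec2:ResourceTag condition key.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "ReadOnlyDescribe",
                "Effect": "Allow",
                "Action": ["ec2:DescribeInstances", "ec2:DescribeTags"],
                "Resource": "*",
            },
            {
                "Sid": "ManageOwnTeamInstances",
                "Effect": "Allow",
                "Action": [
                    "ec2:StartInstances",
                    "ec2:StopInstances",
                    "ec2:RebootInstances",
                ],
                "Resource": "arn:aws:ec2:*:*:instance/*",
                "Condition": {
                    "StringEquals": {"ec2:ResourceTag/%s" % TAG_KEY: team}
                },
            },
        ],
    }


def overbroad_statements(policy):
    """Return the Sids of Allow statements that grant every action on every
    resource with no condition (the 'access to all resources' pattern)."""
    found = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        resources = stmt.get("Resource", [])
        if isinstance(resources, str):
            resources = [resources]
        wildcard_action = any(a in ("*", "*:*") for a in actions)
        if wildcard_action and "*" in resources and not stmt.get("Condition"):
            found.append(stmt.get("Sid", "<no Sid>"))
    return found


if __name__ == "__main__":
    policy = build_team_policy("dev")
    print(json.dumps(policy, indent=2))
    print("over-broad statements:", overbroad_statements(policy))
```

Attach the generated document to the dev group as a customer-managed policy; instances created without the tag are then invisible to the mutating actions, which is the point of tag-based scoping.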

Page 15

Network Security

• Create a secured VPC design
• Use private & public subnets
• Use multiple VPCs to create a single entry point
• Enable VPC flow logs
• Network ACLs
• Security groups

Page 16

Infrastructure Security

Some of the primary AWS services which we strongly recommend using:

Enable CloudTrail: keep logs in your primary account

VPC flow logs: keep logs in your primary account

Use AWS Config: useful tool

Use CloudWatch: keeps all resource metrics and can be used for log management as well
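Enabling VPC flow logs only pays off if something reads them. As an added example (not the deck's code), the script below parses flow log records in the default 14-field format and counts rejected TCP flows to port 22 per source address, which is the kind of check that turns the logs into an alert. The log lines are constructed; the account id, ENI id and addresses are placeholders.

```python
"""Summarise rejected inbound SSH attempts from VPC Flow Log lines.

Added example, not from the deck. SAMPLE_LOG is constructed; its layout is
the default VPC Flow Log record format (version account-id interface-id
srcaddr dstaddr srcport dstport protocol packets bytes start end action
log-status). The account id, ENI id and addresses are placeholders.
"""
from collections import Counter

FIELDS = ["version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes",
          "start", "end", "action", "log_status"]

SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d 203.0.113.7 10.0.1.15 51234 22 6 3 180 1463472000 1463472060 REJECT OK
2 123456789012 eni-0a1b2c3d 203.0.113.7 10.0.1.15 51235 22 6 3 180 1463472060 1463472120 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.9 10.0.1.15 40000 22 6 12 2400 1463472000 1463472060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 203.0.113.7 10.0.1.15 51236 443 6 4 320 1463472120 1463472180 ACCEPT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1463472180 1463472240 - NODATA
"""


def parse_flow_log(text):
    """Turn raw flow log lines into dicts; skip malformed and NODATA rows."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue  # malformed or custom-format line
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":
            continue  # NODATA / SKIPDATA rows carry '-' placeholders
        for key in ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end"):
            rec[key] = int(rec[key])
        records.append(rec)
    return records


def rejected_ssh_sources(records, min_attempts=1):
    """Count REJECTed TCP (protocol 6) flows to port 22 per source address
    and return the sources that reached min_attempts."""
    counts = Counter(
        r["srcaddr"] for r in records
        if r["action"] == "REJECT" and r["protocol"] == 6 and r["dstport"] == 22
    )
    return {src: n for src, n in counts.items() if n >= min_attempts}


if __name__ == "__main__":
    recs = parse_flow_log(SAMPLE_LOG)
    for src, n in sorted(rejected_ssh_sources(recs).items()):
        print("%s: %d rejected SSH flows" % (src, n))
```

In practice the records come from the CloudWatch Logs group the flow log writes to; the same function then feeds a metric filter or alarm threshold via `min_attempts`.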

Page 17

Infrastructure Security

So how do we really protect our underlying infrastructure? Using a jumpbox

• Allow only specific IPs to access it
• Keep your infrastructure in a private subnet, i.e. EC2 instances, RDS instances
• Enable multi-factor authentication on SSH
• Use public keys over private keys: avoid sending .pem keys over email; using public keys is safer
• Avoid using common users: ec2-user, root, ubuntu, centos
• Create unique credentials for each user
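The SSH points above translate into a handful of sshd_config directives. As an added example (not the deck's code), the checker below parses an sshd_config and reports deviations from a hardened baseline: root login off, password authentication off, public key plus a keyboard-interactive second factor for MFA, and no shared accounts in AllowUsers. The sample config is constructed, and the baseline values are the reviewer's reading of the slide rather than settings the deck itself spells out.

```python
"""Check an sshd_config against the SSH hardening points on the slide.

Added example, not from the deck. SAMPLE_SSHD_CONFIG is constructed; the
EXPECTED baseline (public key + keyboard-interactive for MFA, no root or
password login) is an assumption derived from the slide's bullets.
"""
import re

SAMPLE_SSHD_CONFIG = """\
# constructed sample sshd_config
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication yes
ChallengeResponseAuthentication no
AllowUsers ec2-user alice bob
"""

# Expected values per directive; keys lower-cased because sshd is case-insensitive.
EXPECTED = {
    "permitrootlogin": "no",
    "passwordauthentication": "no",
    "pubkeyauthentication": "yes",
    "challengeresponseauthentication": "yes",  # PAM-based MFA prompt
    "authenticationmethods": "publickey,keyboard-interactive",
}
# The shared accounts the slide says to avoid.
SHARED_ACCOUNTS = {"ec2-user", "root", "ubuntu", "centos"}


def parse_sshd_config(text):
    """Return {directive: value}; first occurrence wins, as in sshd."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        # sshd accepts 'Key value' as well as 'Key=value'
        m = re.match(r"^([A-Za-z]+)\s*=?\s*(.*)$", line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        settings.setdefault(key, value)
    return settings


def sshd_findings(settings):
    """List every directive that is missing or differs from EXPECTED, plus
    any shared account listed in AllowUsers."""
    findings = []
    for key, want in EXPECTED.items():
        got = settings.get(key)
        if got is None:
            findings.append("%s not set (want %s)" % (key, want))
        elif got.lower() != want:
            findings.append("%s is %s (want %s)" % (key, got, want))
    allowed = set(settings.get("allowusers", "").split())
    for user in sorted(allowed & SHARED_ACCOUNTS):
        findings.append("shared account allowed over ssh: %s" % user)
    return findings


if __name__ == "__main__":
    for f in sshd_findings(parse_sshd_config(SAMPLE_SSHD_CONFIG)):
        print("FINDING:", f)
```

On OpenSSH 8.7 and later `ChallengeResponseAuthentication` is a deprecated alias of `KbdInteractiveAuthentication`, so extend `EXPECTED` accordingly for newer hosts; `AuthenticationMethods publickey,keyboard-interactive` is what forces the second factor after the key check.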

Page 18

Infrastructure Security

Page 19

Infrastructure Security

Additional security
• Use client VPN connectivity
• Use site-to-site VPN
• Enable ELB logs
• Move your server logs to a centralized location, i.e. CloudWatch
• Secure logs: auth logs, application logs
• Enable general logs on RDS
• Enable S3 logs

Page 20

Security Audit

How do we do a security audit?
• Do not rely on humans
• Make your audit as automated as possible
• Perform weekly/monthly/quarterly audits on your infrastructure

Page 21

Security Audit

What shall we audit? IAM
• Remove users who are no longer part of the team
• Disable users who are no longer active
• Make sure MFA is enabled for each user
• Remove old keys
• Enable API protection on the resources
• Avoid granting access to all resources
• Enable MFA on the root account
• Do not use access keys on the root account
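The IAM items in this audit list and the key hygiene points on the "Users" slide (MFA, unused or old keys, last activity, no root access keys) can all be checked from one input, the IAM credential report. The script below is an added example, not the deck's code: it audits a constructed report whose columns are a subset of the real `aws iam get-credential-report` output; the 90-day rotation and inactivity thresholds and the fixed "today" are assumptions.

```python
"""Audit an IAM credential report for the IAM items on the audit slide.

Added example, not from the deck. SAMPLE_REPORT is constructed, using a
subset of the columns of the real IAM credential report; the account id
and user names are placeholders, and the 90-day thresholds are assumptions.
"""
import csv
import io
from datetime import datetime, timedelta, timezone

NOW = datetime(2016, 5, 17, tzinfo=timezone.utc)  # fixed 'today' for reproducible results
MAX_KEY_AGE = timedelta(days=90)                  # assumed rotation period
MAX_IDLE = timedelta(days=90)                     # assumed inactivity window

SAMPLE_REPORT = """\
user,arn,password_enabled,password_last_used,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
<root_account>,arn:aws:iam::123456789012:root,not_supported,2016-05-10T08:00:00+00:00,false,true,2015-01-05T00:00:00+00:00,2016-05-01T00:00:00+00:00,false,N/A,N/A
alice,arn:aws:iam::123456789012:user/alice,true,2016-05-16T09:30:00+00:00,true,true,2016-04-20T00:00:00+00:00,2016-05-16T09:31:00+00:00,false,N/A,N/A
bob,arn:aws:iam::123456789012:user/bob,true,2016-01-03T11:00:00+00:00,false,true,2015-11-01T00:00:00+00:00,N/A,false,N/A,N/A
deploy-svc,arn:aws:iam::123456789012:user/deploy-svc,false,no_information,false,true,2016-05-01T00:00:00+00:00,2016-05-16T00:00:00+00:00,true,2016-01-01T00:00:00+00:00,2016-02-01T00:00:00+00:00
"""


def parse_time(value):
    """Return an aware datetime, or None for the report's N/A-style markers."""
    if value in ("N/A", "no_information", "not_supported", ""):
        return None
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S%z")


def audit_credential_report(text, now=NOW):
    """Return (user, finding) pairs for MFA gaps, root access keys,
    stale or unused access keys and idle console users."""
    findings = []
    for row in csv.DictReader(io.StringIO(text)):
        user = row["user"]
        is_root = user == "<root_account>"
        has_password = row["password_enabled"] == "true"
        # MFA matters for anyone who can log in to the console, and always for root.
        if row["mfa_active"] != "true" and (is_root or has_password):
            findings.append((user, "mfa not enabled"))
        for n in ("1", "2"):
            if row["access_key_%s_active" % n] != "true":
                continue
            if is_root:
                findings.append((user, "root account has active access key %s" % n))
            rotated = parse_time(row["access_key_%s_last_rotated" % n])
            if rotated and now - rotated > MAX_KEY_AGE:
                findings.append((user, "access key %s older than %d days" % (n, MAX_KEY_AGE.days)))
            used = parse_time(row["access_key_%s_last_used_date" % n])
            if used is None or now - used > MAX_IDLE:
                findings.append((user, "access key %s unused for %d+ days (remove it)" % (n, MAX_IDLE.days)))
        last_login = parse_time(row["password_last_used"])
        if has_password and (last_login is None or now - last_login > MAX_IDLE):
            findings.append((user, "console login unused for %d+ days (disable user)" % MAX_IDLE.days))
    return findings


if __name__ == "__main__":
    for user, finding in audit_credential_report(SAMPLE_REPORT):
        print("%-14s %s" % (user, finding))
```

Run it on a schedule against the real report and the weekly/monthly audit from the previous slide stops depending on someone remembering to look.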

Page 22

Security Audit

What shall we audit? Infrastructure access
• Disable SSH access for users who are not active
• Rotate the private key of EC2 servers on a regular basis
• Make sure MFA is enabled for each user
• Make sure access is given on an as-needed basis
• SSH port is not open to 0.0.0.0/0
• ELB logs are enabled
• ELB data transfer happens over secured communication
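The "SSH port is not open to 0.0.0.0/0" item is the one on this list that is easiest to automate, and it ties back to the security-group bullet on the network slide. As an added example (not the deck's code), the function below walks the structure returned by `aws ec2 describe-security-groups` and reports any rule that exposes an administrative port to the whole internet, including the all-traffic (`-1`) rule and the IPv6 `::/0` case that a port-22-only check would miss. The sample groups are constructed and the admin-port list is an assumption.

```python
"""Flag security groups that expose SSH (or another admin port) to the world.

Added example, not from the deck. SAMPLE_GROUPS is constructed in the shape
of `aws ec2 describe-security-groups` output (SecurityGroups -> IpPermissions
-> IpRanges / Ipv6Ranges); only the fields used here are filled in, and the
group ids are placeholders. ADMIN_PORTS is an assumed list.
"""
ANYWHERE = {"0.0.0.0/0", "::/0"}
ADMIN_PORTS = {22: "ssh", 3389: "rdp", 3306: "mysql", 5432: "postgres"}

SAMPLE_GROUPS = {
    "SecurityGroups": [
        {"GroupId": "sg-0aaa1111", "GroupName": "jumpbox",
         "IpPermissions": [
             {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
              "IpRanges": [{"CidrIp": "203.0.113.0/24", "Description": "office"}],
              "Ipv6Ranges": []}]},
        {"GroupId": "sg-0bbb2222", "GroupName": "web",
         "IpPermissions": [
             {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
              "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
             {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
              "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
        {"GroupId": "sg-0ccc3333", "GroupName": "legacy-db",
         "IpPermissions": [
             {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    ]
}


def _rule_cidrs(perm):
    """All IPv4 and IPv6 CIDRs a single ingress rule allows."""
    return ([r["CidrIp"] for r in perm.get("IpRanges", [])] +
            [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])])


def _covers_port(perm, port):
    """True if the rule admits TCP traffic to `port` (an all-traffic rule
    has no FromPort/ToPort and covers everything)."""
    proto = perm.get("IpProtocol")
    if proto == "-1":
        return True
    if proto not in ("tcp", "6"):
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)


def world_exposed_admin_ports(describe_output, ports=ADMIN_PORTS):
    """Return (group id, group name, port, service, cidr) for every admin
    port reachable from 0.0.0.0/0 or ::/0."""
    findings = []
    for sg in describe_output.get("SecurityGroups", []):
        for perm in sg.get("IpPermissions", []):
            open_cidrs = [c for c in _rule_cidrs(perm) if c in ANYWHERE]
            if not open_cidrs:
                continue
            for port, name in ports.items():
                if _covers_port(perm, port):
                    for cidr in open_cidrs:
                        findings.append((sg["GroupId"], sg["GroupName"], port, name, cidr))
    return findings


if __name__ == "__main__":
    for gid, gname, port, name, cidr in world_exposed_admin_ports(SAMPLE_GROUPS):
        print("%s (%s): %s/%d open to %s" % (gid, gname, name, port, cidr))
```

The jumpbox group, restricted to the office range, produces no finding; the web group's port-22 rule and the legacy all-traffic rule do, which is exactly the set a reviewer would want to see before the weekly audit sign-off.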

Page 23

Production: No Man’s Land

Why must we lock down production?
• That is where your data is stored
• That is where your customers’ data is stored
• It must be secured and should not be accessible by everyone

So how do we work with production?
• How do we do the deployments?
• How do we troubleshoot problems?
• How do we make database changes?
• How do we maintain our infrastructure?

AUTOMATION

Page 24

Thou shalt relax and ask questions :)

Sign up for a 14-day free trial: www.botmetric.com

Follow us on Twitter, LinkedIn, Facebook to catch the latest updates from Botmetric

Maqbul Khan
Sr. Technical Consultant, Minjar