© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Andrew Kiggins, Solutions Architect
April 19, 2016
Network Security and Access Control within AWS
What to expect from the session
• Configure network security using VPC
• Configure users, groups and roles to manage actions
• Configure monitoring and logging to audit changes
Network security
Network security tools
• Amazon VPC
• Subnet
• Security groups
• Network ACLs
• Amazon CloudFront
• Amazon Route 53
• IP tables
VPC
[Diagram: VPC (BuildABeer-VPC-1) with security group (BuildABeer-SG-1). Two inbound flows are shown against the security group: "HTTP GET Beer", TCP(6) Port(80), which is permitted, and "NTP Buffer Overrun", UDP(17) Port(123), which is not.]
Network ACL
[Diagram: VPC (BuildABeer-VPC-1) with security group (BuildABeer-SG-1). "HTTP GET Beer", TCP(6) Port(80), is admitted; the same request arriving with srcIP=216.246.16.228 is filtered by the network ACL at the subnet boundary.]
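The two diagrams above, modelled in Python as an added example (this is not code from the deck): a security group is allow-only and unordered, while a network ACL is an ordered rule list that can deny by source, so the NTP flow is stopped by the security group and the HTTP request from 216.246.16.228 by the network ACL. The NACL rule numbers and the other client addresses are assumed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    proto: int    # IP protocol number as in the diagrams: 6 = TCP, 17 = UDP
    port: int     # destination port
    src_ip: str

# Security groups only list what to permit: there is no deny rule and no ordering.
# BuildABeer-SG-1 as drawn permits HTTP only (source ranges are left out of this model).
SG_INBOUND = {(6, 80)}

def security_group_allows(pkt):
    return (pkt.proto, pkt.port) in SG_INBOUND

# Network ACLs are ordered: lowest rule number first, first match wins, explicit deny
# is possible, implicit deny at the end. Rule numbers here are assumed, not from the deck.
NACL_INBOUND = [
    (100, "deny",  "all", "all", "216.246.16.228"),   # the source the diagram rejects
    (200, "allow", "all", "all", "0.0.0.0/0"),
]

def nacl_allows(pkt):
    for _num, action, proto, port, src in sorted(NACL_INBOUND):
        if proto != "all" and proto != pkt.proto:
            continue
        if port != "all" and port != pkt.port:
            continue
        if src != "0.0.0.0/0" and src != pkt.src_ip:
            continue
        return action == "allow"
    return False   # nothing matched: implicit deny

def blocking_layer(pkt):
    """Name the first layer that drops the packet, or None if it reaches the instance."""
    if not nacl_allows(pkt):              # evaluated first, at the subnet boundary
        return "network-acl"
    if not security_group_allows(pkt):    # then at the instance's network interface
        return "security-group"
    return None

# The three flows from the diagrams (addresses other than the blocked one are made up).
FLOWS = {
    "http-get-beer": Packet(6, 80, "198.51.100.7"),
    "ntp-buffer-overrun": Packet(17, 123, "198.51.100.7"),
    "http-get-from-216.246.16.228": Packet(6, 80, "216.246.16.228"),
}

if __name__ == "__main__":
    for name, pkt in FLOWS.items():
        print(f"{name:30} {blocking_layer(pkt) or 'admitted'}")
```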
Obfuscate
[Diagram: Users reach Amazon Route 53 and Amazon CloudFront; behind them sits VPC (BuildABeer-VPC-1) with security group (BuildABeer-SG-1), servers in a public subnet and an ELB in a private subnet. A direct attempt to go around CloudFront ("End run") is marked FAIL.]
[Diagram: Amazon Route 53 and Amazon CloudFront in front of VPC (BuildABeer-VPC-1). www.foo.com and mail.foo.com are split across two security groups: mail servers in security group (BuildABeer-SG-1) behind an Elastic Load Balancing load balancer, and web servers in security group (BuildABeer-SG-2) behind their own ELB load balancer, each with a public and a private subnet.]
Hide 'n' go seek
~>nslookup www.buildabeer.com
Server: 10.43.23.72
Address: 10.43.23.72#53
Non-authoritative answer:
www.buildabeer.us canonical name = d3u9qbug2y23to.cloudfront.net.
Name: d3u9qbug2y23to.cloudfront.net
Address: 52.84.20.173
<snip>
Name: d3u9qbug2y23to.cloudfront.net
Address: 52.84.20.85
~>nslookup ftp.buildabeer.com
Server: 10.43.23.72
Address: 10.43.23.72#53
Non-authoritative answer:
ftp.buildabeer canonical name = bab-elb-1-916251722.us-west-2.elb.amazonaws.com.
Name: bab-elb-1-916251722.us-west-2.elb.amazonaws.com
Address: 54.148.117.41
<snip>
Layers of defense
[Diagram: Users enter VPC (BuildABeer-VPC-1) through a public subnet holding security services (IPS/IDS, WAF, firewall); behind it, security group (BuildABeer-SG-1) with the ELB and web servers in private subnets. Result for the unwanted request: Access denied.]
Access points to AWS
AWS Command Line Interface, API, AWS Management Console
~>aws ec2 describe-instances
{
    "Reservations": [
        {
            "Groups": [],
            "Instances": [
                {
                    "KeyName": "kiggins-bab-ec1-t2micro-keypair_0217",
                    "VirtualizationType": "hvm",
                    "AmiLaunchIndex": 0,
                    "SourceDestCheck": true,
                    "PublicIpAddress": "52.37.47.60",
                    "Architecture": "x86_64",
                    "RootDeviceType": "ebs",
#!/usr/bin/python3
import boto3
# Get the service resource
ec2 = boto3.resource('ec2')
# Print out each EC2 instance (the resource's repr shows its instance id)
for instance in ec2.instances.all():
    print(instance)
Who can access resources
• Accounts
• Users
• AWS Identity and Access Management (IAM) users
• Federated users
• Groups
• Roles
• Services
[Diagram: IAM role, IAM users, IAM groups, Amazon EC2, federated user.]
Restricted access best practices
• Do not use the root account
• Create an administrative account
• Enable MFA
• Enforce strong passwords
• Use groups to assign permissions
• Use cross account access for secure logging
Managing your policies
• IAM policies
• Managed policies
• Inline policies
• Resource-based policies
IAM policies
• Managed policies (newer way)
  • Can be attached to multiple users, groups, and roles
  • AWS managed policies: created and maintained by AWS
  • Customer managed policies: created and maintained by you
  • Up to 5K per policy
  • Up to 5 versions of a policy so you can roll back to a prior version
  • You can attach 10 managed policies per user, group, or role
  • You can limit who can attach which managed policies
• Inline policies (older way)
  • You create and embed directly in a single user, group, or role
  • Variable policy size (2K per user, 5K per group, 10K per role)
Beyond IAM
[Diagram: Amazon Directory Services, AD Connector, customer identity broker, AWS Directory Service.]
SEC307 A Progressive Journey Through AWS IAM Federation Options
- https://www.youtube.com/watch?v=-XARG9W2bGc
Configuring logging and monitoring
Services
• AWS CloudTrail
• AWS Config
• Amazon Inspector
• VPC Flow Logs
AWS CloudTrail
Introduction to AWS CloudTrail
[Diagram: You are making API calls on a growing set of AWS services around the world (regions such as us-east-2; Amazon Elastic Block Store (Amazon EBS) shown as an example). CloudTrail is continuously recording those API calls and delivering them to an Amazon S3 bucket, from which you store/archive, troubleshoot, and monitor and alarm.]
Use cases enabled by CloudTrail
• IT and security administrators can perform security analysis
• IT administrators and DevOps engineers can attribute changes on AWS resources to the identity, time and other critical details of who made the change
• DevOps engineers can troubleshoot operational issues
• IT auditors can use log files as a compliance aid
• See: Security at Scale: Logging in AWS White Paper
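An added example (not from the deck) of the attribution use case: given CloudTrail records, pull out every change to the security groups and network ACLs covered earlier and report who made it, when, from where, and whether the root account was used. The field names follow the CloudTrail record format; the records, identities, IPs and resource ids are constructed.

```python
# Constructed CloudTrail records, trimmed to the fields used here. Field names
# follow the CloudTrail record format; identities, IPs and resource ids are made up.
SAMPLE_TRAIL = {"Records": [
    {"eventTime": "2016-04-19T10:01:12Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "sourceIPAddress": "10.43.23.72",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"},
     "requestParameters": {}},
    {"eventTime": "2016-04-19T10:02:45Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress", "sourceIPAddress": "203.0.113.9",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/bob"},
     "requestParameters": {"groupId": "sg-0123abcd"}},
    {"eventTime": "2016-04-19T10:03:10Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DeleteNetworkAclEntry", "sourceIPAddress": "203.0.113.9",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"},
     "requestParameters": {"networkAclId": "acl-0fedcba9", "ruleNumber": 100}},
]}

# EC2 API calls that change the VPC network controls discussed earlier in the deck.
NETWORK_CHANGE_EVENTS = {
    "AuthorizeSecurityGroupIngress", "AuthorizeSecurityGroupEgress",
    "RevokeSecurityGroupIngress", "RevokeSecurityGroupEgress",
    "CreateNetworkAclEntry", "ReplaceNetworkAclEntry", "DeleteNetworkAclEntry",
}

def attribute_network_changes(trail):
    """One finding per network-control change: who did it, when, from where, to what."""
    findings = []
    for rec in trail["Records"]:
        if rec.get("eventSource") != "ec2.amazonaws.com":
            continue
        if rec["eventName"] not in NETWORK_CHANGE_EVENTS:
            continue
        params = rec.get("requestParameters") or {}
        identity = rec.get("userIdentity") or {}
        findings.append({
            "time": rec["eventTime"],
            "action": rec["eventName"],
            "actor": identity.get("arn", "<unknown>"),
            "root_used": identity.get("type") == "Root",   # deck: do not use the root account
            "source_ip": rec.get("sourceIPAddress"),
            "target": params.get("groupId") or params.get("networkAclId"),
        })
    return findings

if __name__ == "__main__":
    for f in attribute_network_changes(SAMPLE_TRAIL):
        flag = " [ROOT]" if f["root_used"] else ""
        print(f"{f['time']} {f['actor']}{flag} {f['action']} {f['target']} from {f['source_ip']}")
```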
AWS Config
• Get inventory of AWS resources
• Discover new and deleted resources
• Record configuration changes continuously
• Get notified when configurations change
AWS Config
• Check configuration changes
  • Periodic
  • Event driven
• Rules
  • Pre-built rules provided by AWS
  • Custom rules using AWS Lambda
• Use dashboard for visualizing compliance and identifying offending changes
Compliance guideline                               Action if noncompliance
All EBS volumes should be encrypted                Encrypt volumes
Instances must be within a VPC                     Terminate instance
Instances must be tagged with environment type     Notify developer (email, page, Amazon SNS)
AWS Config Rules
AWS Config Rules (Example—instances must be tagged with a data classification)
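An added example (not the deck's own code) of the custom rule just named, written as the AWS Lambda handler that AWS Config invokes: the compliance decision is kept in a pure function so it can be exercised locally on constructed configuration items, and only the handler talks to the Config API. The rule parameter name `requiredTag` and its default `DataClassification` are assumptions.

```python
import json

def evaluate_required_tag(item, required_tag):
    """Pure check used by the rule: (ComplianceType, annotation) for one configuration item."""
    if item["resourceType"] != "AWS::EC2::Instance":
        return "NOT_APPLICABLE", "rule covers EC2 instances only"
    value = ((item.get("tags") or {}).get(required_tag) or "").strip()
    if value:
        return "COMPLIANT", f"{required_tag}={value}"
    return "NON_COMPLIANT", f"instance is missing the {required_tag} tag"

def lambda_handler(event, context):
    """Entry point AWS Config invokes for a custom rule (event shape per AWS Config)."""
    item = json.loads(event["invokingEvent"])["configurationItem"]
    params = json.loads(event.get("ruleParameters") or "{}")
    required_tag = params.get("requiredTag", "DataClassification")   # assumed parameter name
    compliance, note = evaluate_required_tag(item, required_tag)
    import boto3   # imported here so the check above runs offline, without AWS credentials
    boto3.client("config").put_evaluations(
        Evaluations=[{
            "ComplianceResourceType": item["resourceType"],
            "ComplianceResourceId": item["resourceId"],
            "ComplianceType": compliance,
            "Annotation": note,
            "OrderingTimestamp": item["configurationItemCaptureTime"],
        }],
        ResultToken=event["resultToken"],
    )
    return compliance

# Constructed configuration items (shape follows Config's configurationItem; values are made up).
TAGGED_INSTANCE = {"resourceType": "AWS::EC2::Instance", "resourceId": "i-0a1b2c3d",
                   "tags": {"DataClassification": "internal"},
                   "configurationItemCaptureTime": "2016-04-19T12:00:00.000Z"}
UNTAGGED_INSTANCE = {"resourceType": "AWS::EC2::Instance", "resourceId": "i-0e4f5a6b",
                     "tags": {"Name": "bab-web-1"},
                     "configurationItemCaptureTime": "2016-04-19T12:00:00.000Z"}
EBS_VOLUME = {"resourceType": "AWS::EC2::Volume", "resourceId": "vol-0123abcd",
              "tags": {}, "configurationItemCaptureTime": "2016-04-19T12:00:00.000Z"}

if __name__ == "__main__":
    for item in (TAGGED_INSTANCE, UNTAGGED_INSTANCE, EBS_VOLUME):
        print(item["resourceId"], *evaluate_required_tag(item, "DataClassification"))
```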
Amazon Inspector
• Vulnerability Assessment Service
• Built from the ground up to support DevOps model
• Automatable by using API actions
• AWS Context Aware
• Static and dynamic telemetry
• Integrated with CI/CD tools
• On-demand pricing model
• CVE and CIS rules packages
• AWS AppSec best practices
Rule packages
• CVE (Common Vulnerabilities and Exposures)
  • 1000+ rules evaluated
• CIS (Center for Internet Security) Benchmarks
  • OS hardening
  • Vulnerability
  • Patch
  • Inventory
  • Compliance
• AWS security best practices
  • AppSec learnings
VPC Flow Logs
Dumping out the heavy hitter IP addresses
#!/usr/bin/python3
import boto3
# Get the CloudWatch Logs client (VPC Flow Logs are delivered to CloudWatch Logs)
logs = boto3.client('logs')
# Get the log groups
groups = logs.describe_log_groups()
for logGroup in groups['logGroups']:
    # Get the log streams (one per network interface) for each log group
    logStreamsDesc = logs.describe_log_streams(logGroupName=logGroup['logGroupName'])
    for logStream in logStreamsDesc['logStreams']:
        events_resp = logs.get_log_events(logGroupName=logGroup['logGroupName'],
                                          logStreamName=logStream['logStreamName'])
        # Count log entries by source IP address. A default-format flow log record is
        # "version account-id interface-id srcaddr dstaddr srcport dstport protocol ...",
        # so the source address is field index 3 (index 4 would be the destination).
        ip_dict = {}
        for event in events_resp['events']:
            ip = event['message'].split()[3]
            if ip in ip_dict:
                ip_dict[ip] = ip_dict[ip] + 1
            else:
                ip_dict[ip] = 1
        # Print the heavy hitters, most frequent first
        for w in sorted(ip_dict, key=ip_dict.get, reverse=True):
            print('{0:15} {1:8d}'.format(w, ip_dict[w]))
        # Early exit: this demo summarizes only the first stream of the first group
        exit()
Partners
Thank you!
aws.amazon.com/security
aws.amazon.com/compliance
Remember to complete your evaluations!