© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. SUMMIT
Architecting security & governance across your AWS environment, protected by an integrated AWS Identity and Access Management
Marcus Fritsche, AWS Global Solutions, [email protected]
AWS Account
Security, Access & Resource Boundary
API Limits/Throttling
Billing Separation
Account models
One Account
Your Accounts
1,000s of Accounts
Why one account isn’t enough
Billing
Many Teams; Different Access
Security / Compliance Controls
Business Process Isolation (Apps, SaaS)
Goals for a multi-account environment
Guardrails NOT Blockers
Auditable
Flexible
Automated
Scalable
Self-service
Account access & security considerations
Baseline Requirements
Lock
Enable !!!
Federate
Define and map
Establish
Identify
What AWS accounts do we need for our secure, compliant multi-account environment?
Organizations Account
Billing-Admin
Security
Log Archive
Shared Services
Network
Sandbox
Dev
Pre-Prod/QA
Prod
Other
AWS Organizations Master
No connection to Data Center
Service control policies
Consolidated billing
Volume discount
Minimal resources
Limited access (e.g. restrict AWS-Orgs role)
Core accounts - OU
Foundational Building Blocks
Once per organization
Have their own development life cycle (dev/qa/prod)
Log archive account
Amazon S3 bucket (Versioned, Restricted, MFA delete)
CloudTrail logs
Security logs
Single source of truth
Limited access & alarm on user login
Security account
Optional data center connectivity
Security tools and audit
GuardDuty Master, FW-Manager
Cross-account read/write
Automated Tooling
Limited access
Shared services account
Connected to DC
DNS
LDAP/Active Directory
Shared Services VPC
Deployment tools
Golden AMIs
Pipeline
Scanning infrastructure
Inactive instances
Improper tags
Snapshot lifecycle
Monitoring
Limited access (IT-Ops)
Network account
Networking services
AWS Direct Connect (DX)
AWS DX Gateway
TGW, Shared VPC, AWS Client VPN
Limited access
Managed by network team
Developer sandbox (OU & SBX-accounts)
No connection to DC
Innovation space
Fixed spending limit
Autonomous
Experimentation
Team/group accounts - OU
Based on level of needed isolation
Match your development lifecycle
Think Small
Dev
Develop and iterate quickly
Collaboration space
Stage of SDLC
Pre-production
Connected to Data Center
Production-like
Staging
Testing
Automated Deployment
Production
Connected to Data Center
Production applications
Promoted from Pre-Prod
Limited access (RO-only?)
Automated Deployments
Team Shared Services
Grows organically
Shared to the team
Product-specific common services
Data lake
Common tooling
Common services
Multi-account approach
Orgs: Account management
Log Archive: Security logs
Security: Security tools, AWS Config rules
Shared services: Directory, limit monitoring
Network: Direct Connect
Dev Sandbox: Experiments, Learning
Dev: Development
Pre-Prod: Staging
Prod: Production
Team Shared Service: Team Services, Data Lake, common Cognito, …
AWS Landing Zone structure - Basic
AWS Organizations: Shared Services, Log Archive, Security
Organizations Account
• Account Provisioning
• Account Access (SSO)
Shared Services Account
• Active Directory
• Log Analytics
Log Archive
• Security Logs
Security Account
• Audit / Break-glass
The AWS Landing Zone solution
An easy-to-deploy solution that automates the setup of new AWS multi-account environments
Based on AWS best practices and recommendations
Initial security and governance controls
Baseline accounts and account vending machine
Automated deployment
Account vending machine
Account Vending Machine (via AWS Service Catalog)
• Account creation factory
• User Interface to create new accounts
• Account baseline versioning
• Launch constraints
Creates/updates AWS account
Apply account baseline stack sets
Create network baseline
Apply account security control policy
(Diagram: the Account Vending Machine in AWS Organizations provisions a new AWS account next to the Security, Log Archive and Shared Services accounts)
AWS Organizations (enable all Features Mode)
(Diagram: a single AWS account contrasted with an organization: Core Accounts under the AWS Organizations Master (Security, Log Archive, Shared Services, Network) and Team/Group Accounts (Developer Sandbox, Dev, Pre-Prod, Prod, Team Shared Services))
AWS IAM & AWS Organizations
IAM Policies                      | SCPs (Service Control Policies)
* Manage ARN                      | * Manage APIs
* Start from DENIED               | * Start from ALLOWED
* Assigned to Roles & Groups      | * Assigned to OUs and AWS Accounts
                                  | * Not for Root credentials, AWS Support, CloudFront, Alexa, ...
AWS IAM & SC Policies
IAM policy:
• Choose a service
• Define actions for the service
• Apply resources for actions
• Specify condition for actions
• Effect: Deny or Allow
SCP:
• Choose a service
• Define actions for the service
• Apply resource = “*”
AWS IAM Policies
• JSON-formatted set of instructions which define permission
• Contain a statement (permissions) that specifies:
  • which actions a principal can perform
  • which resources can be accessed
{
  "Statement": [{
    "Effect": "effect",
    "Principal": "principal",   (who)
    "Action": "action",         (what)
    "Resource": "arn",          (where)
    "Condition": {              (if)
      "condition": {
        "key": "value"
      }
    }
  }]
}
AWS IAM Policy: Resource & Conditions
• Resources & Services: defined uniquely by an Amazon Resource Name (ARN)
• Contain a statement (permissions) that specifies:
  • which actions a principal can perform
  • which resources can be accessed
arn:aws:service:region:account:resource…
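The ARN layout above, split into its fields and matched against a statement's Resource entry the way a policy author has to reason about it. This is an added example, not code from the deck or from AWS; the ARNs are constructed samples, and the wildcard matcher is a simplified model of IAM's comparison (no condition keys, no policy variables).

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Arn:
    partition: str
    service: str
    region: str    # empty for global services such as IAM, and for S3
    account: str   # empty for S3 bucket and object ARNs
    resource: str  # may itself contain ':' or '/', e.g. "role/Admin" or "bucket/key"

def parse_arn(text: str) -> Arn:
    """Split an ARN into its six fields; the resource field keeps any further colons."""
    parts = text.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn" or not parts[1] or not parts[2]:
        raise ValueError(f"not an ARN: {text!r}")
    return Arn(*parts[1:])

def arn_matches(pattern: str, arn: str) -> bool:
    """IAM-style wildcard comparison: '*' matches any run of characters, '?' one character."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, arn) is not None

def allowed_by_resources(resources, arn: str) -> bool:
    """True when at least one Resource entry of a statement (string or list) covers the ARN."""
    patterns = resources if isinstance(resources, list) else [resources]
    return any(arn_matches(p, arn) for p in patterns)

# Constructed ARNs in the shape of the deck's template (not real resources)
SAMPLE_ROLE = "arn:aws:iam::123456789012:role/LogArchiveReadOnly"
SAMPLE_OBJECT = "arn:aws:s3:::example-log-archive/AWSLogs/123456789012/CloudTrail/x.json.gz"
```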
IAM-Policies & SCPs
IAM Policies (attached to Group, User, Role) ∩ Organizations SCP (attached to Account, OU) = Effective right
SCPs & IAM-Policies to protect
SCP: Allow S3:*, Allow EC2:*
Identity-based policy (IAM permissions): Allow SQS:*, Allow EC2:*
Effective permission: the intersection of the two, i.e. EC2:* only
Permissions Boundaries for IAM Entities (User or Role)
Set the maximum permissions that an identity-based policy can grant to an IAM entity. The entity can perform only the actions that are allowed by both its identity-based policies and its permissions boundaries.
Organizations SCPs
(Diagram: Organizations SCP ∩ permissions boundary ∩ identity-based policy = effective permission; overlap regions numbered 1 to 7)
Resource-based Policies
(Diagram: resource-based policy, permissions boundary and identity-based policy overlaid; effective permission; overlap regions numbered 1 to 7)
Session Policies
(Diagram: session policy ∩ permissions boundary ∩ identity-based policy = effective permission; overlap regions numbered 1 to 7)
IAM Policies - Evaluation Logic
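The intersection rule drawn in the SCP, permissions-boundary and session-policy slides above, carried out on policy documents. This is an added example and not AWS's evaluation engine: it models only the layers the deck stacks (SCP, boundary, identity-based, session), with an explicit Deny in any layer winning and everything unmentioned denied by default; resource-based policies, Resource ARNs and Condition blocks are left out, and the policy documents are constructed to match the deck's S3/EC2/SQS example.

```python
import re

def action_matches(pattern: str, action: str) -> bool:
    """IAM-style wildcard on API names, e.g. 'ec2:*' or 'ec2:Describe*' (case-insensitive)."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, action, flags=re.IGNORECASE) is not None

def policy_verdict(policy: dict, action: str):
    """'Deny', 'Allow' or None (no statement mentions the action) for one policy document."""
    verdict = None
    for stmt in policy.get("Statement", []):
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if any(action_matches(p, action) for p in actions):
            if stmt["Effect"] == "Deny":
                return "Deny"  # an explicit Deny is final for this layer
            verdict = "Allow"
    return verdict

def is_allowed(action: str, identity: dict, scp=None, boundary=None, session=None) -> bool:
    """Intersection rule: every layer that is present must Allow; any Deny wins; default is deny."""
    layers = [p for p in (scp, boundary, identity, session) if p is not None]
    verdicts = [policy_verdict(p, action) for p in layers]
    if "Deny" in verdicts:
        return False
    return all(v == "Allow" for v in verdicts)

def effective_actions(candidates, **layers):
    """Filter a list of API calls down to those that survive all layers."""
    return [a for a in candidates if is_allowed(a, **layers)]

# Constructed policy documents reproducing the deck's SCP vs. IAM example
SCP = {"Statement": [{"Effect": "Allow", "Action": ["s3:*", "ec2:*"], "Resource": "*"}]}
IAM = {"Statement": [{"Effect": "Allow", "Action": ["sqs:*", "ec2:*"], "Resource": "*"}]}
# A boundary that caps the role at read-only EC2, and a session policy that denies EC2 entirely
BOUNDARY = {"Statement": [{"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"}]}
SESSION_DENY_EC2 = {"Statement": [{"Effect": "Deny", "Action": "ec2:*", "Resource": "*"}]}
```

Without an SCP argument the model treats the organization layer as absent, which corresponds to the deck's "start from ALLOWED" default for SCPs.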
AWS Organizations (Cross account access)
(Diagram: cross-account access between the Core Accounts and the Team/Group Accounts)
AWS Organizations (No Cross account access)
• Log Archive
• Security
• Backups
• PCI
Access Best Practice
• Restrict Root and Master Account Access
• Monitor activities as Root and in the Org. Master
• Use consolidated User Management / SAML
• Use the principle of “Least privilege” (Role-based Access)
• Assign SCPs to OUs and test with dedicated OUs
• Avoid “whitelisting” and “blacklisting”
Next steps – Action required
• Build YOUR AWS account segmentation strategy
• Setup AWS Landing Zone / Control Tower
• Search/train your Policy Ninja
• Iterate on SCPs and IAM Policies - automated using scripts!!!
• Use AWS Security Audits & WARs to check and challenge!
?? What did I say you should not forget?
• Enable
… and contact me at [email protected]
Marcus Fritsche
How GuardDuty Works
Data Sources: VPC flow logs, DNS Logs, CloudTrail Events
Threat Detection Types: Reconnaissance, Instance Compromise, Account Compromise
Amazon GuardDuty: Threat intel, ML/AI, Anomaly Detection
Findings (HIGH, MEDIUM, LOW) → SIEM and/or RESPOND
AWS Config
Continuously tracks resource configuration changes
Evaluates the configuration against policies defined using AWS Config rules
Alerts you if the configuration is noncompliant with your policies using Amazon SNS and Amazon CloudWatch Events
AWS Config = Continuous Configuration Auditor
(Diagram: changing resources → AWS Config (normalized history, snapshot, AWS Config rules) → notifications, API access)
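A custom AWS Config rule that checks the log-archive bucket requirement stated earlier in the deck (versioning on, MFA delete on), as an added example that is not from the deck or AWS. It assumes the S3 configuration item carries `supplementaryConfiguration.BucketVersioningConfiguration` with `status` and `isMfaDeleteEnabled`; the invocation event and bucket name are constructed, and the `lambda_handler` needs boto3 only when actually deployed.

```python
import json

def evaluate_log_bucket(item: dict):
    """Return (ComplianceType, Annotation) for one AWS::S3::Bucket configuration item."""
    if item.get("resourceType") != "AWS::S3::Bucket":
        return "NOT_APPLICABLE", "rule only evaluates S3 buckets"
    # Assumed layout of the S3 configuration item (see lead-in)
    versioning = item.get("supplementaryConfiguration", {}).get("BucketVersioningConfiguration", {})
    problems = []
    if versioning.get("status") != "Enabled":
        problems.append("versioning is not enabled")
    if not versioning.get("isMfaDeleteEnabled", False):
        problems.append("MFA delete is not enabled")
    if problems:
        return "NON_COMPLIANT", "; ".join(problems)
    return "COMPLIANT", "versioning and MFA delete are enabled"

def build_evaluation(event: dict) -> dict:
    """Turn a Config rule invocation event into the Evaluation entry PutEvaluations expects."""
    item = json.loads(event["invokingEvent"])["configurationItem"]
    compliance, note = evaluate_log_bucket(item)
    return {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": compliance,
        "Annotation": note,
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }

def lambda_handler(event, context):
    """Lambda entry point: evaluate and report back to AWS Config (needs the AWS SDK at runtime)."""
    import boto3  # imported here so the pure functions above run without the SDK installed
    evaluation = build_evaluation(event)
    boto3.client("config").put_evaluations(Evaluations=[evaluation], ResultToken=event["resultToken"])
    return evaluation

def sample_event(status: str, mfa: bool) -> dict:
    """Constructed invocation event (not a real AWS resource) for local testing."""
    item = {
        "resourceType": "AWS::S3::Bucket",
        "resourceId": "example-log-archive",
        "configurationItemCaptureTime": "2019-01-01T00:00:00.000Z",
        "supplementaryConfiguration": {
            "BucketVersioningConfiguration": {"status": status, "isMfaDeleteEnabled": mfa}
        },
    }
    return {"invokingEvent": json.dumps({"configurationItem": item}), "resultToken": "example-token"}
```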
Security and Compliance is a shared responsibility