Page 1

© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. SUMMIT

Architecting security & governance across your AWS environment, protected by an integrated AWS Identity and Access Management

Marcus Fritsche, AWS Global Solutions Architect, [email protected]

Page 2

AWS Account
• Security, access & resource boundary
• API limits / throttling
• Billing separation

Page 3

Account models
• One account
• 1,000s of accounts
• Your accounts

Page 4

Why one account isn’t enough
• Billing
• Many teams; different access
• Security / compliance controls
• Business process isolation (apps, SaaS)

Page 5

Goals for a multi-account environment
• Guardrails NOT blockers
• Auditable
• Flexible
• Automated
• Scalable
• Self-service

Page 6

Account access & security considerations

Baseline requirements
• Lock
• Enable !!!
• Federate
• Define and map
• Establish
• Identify

Page 7

What AWS accounts do we need for our secure, compliant multi-account environment?
• Organizations Account
• Security
• Shared Services
• Billing-Admin
• Log Archive
• Network
• Dev
• Pre-Prod / QA
• Prod
• Sandbox
• Other

Page 8

AWS Organizations Master
• No connection to data center
• Service control policies
• Consolidated billing
• Volume discount
• Minimal resources
• Limited access (e.g. restrict AWS-Orgs role)

Page 9

Core accounts - OU
• Foundational building blocks
• Once per organization
• Have their own development life cycle (dev/qa/prod)

Page 10

Log archive account
• Amazon S3 bucket (versioned, restricted, MFA delete)
• CloudTrail logs
• Security logs
• Single source of truth
• Limited access & alarm on user login

Page 11

Security account
• Optional data center connectivity
• Security tools and audit
• GuardDuty Master, FW-Manager
• Cross-account read/write
• Automated tooling
• Limited access

Page 12

Shared services account
• Connected to DC
• DNS
• LDAP/Active Directory
• Shared Services VPC
• Deployment tools
• Golden AMIs
• Pipeline
• Scanning infrastructure: inactive instances, improper tags, snapshot lifecycle
• Monitoring
• Limited access (IT-Ops)

Page 13

Network account
• Networking services
• AWS Direct Connect (DX)
• AWS DX Gateway
• TGW, Shared VPC, AWS Client VPN
• Limited access
• Managed by network team

Page 14

Developer sandbox (OU & SBX-accounts)
• No connection to DC
• Innovation space
• Fixed spending limit
• Autonomous
• Experimentation

Page 15

Team/group accounts - OU
• Based on level of needed isolation
• Match your development lifecycle
• Think small

Page 16

Dev
• Develop and iterate quickly
• Collaboration space
• Stage of SDLC: Dev

Page 17

Pre-production
• Connected to data center
• Production-like
• Staging
• Testing
• Automated deployment

Page 18

Production
• Connected to data center
• Production applications
• Promoted from Pre-Prod
• Limited access (RO-only?)
• Automated deployments

Page 19

Team Shared Services
• Grows organically
• Shared to the team
• Product-specific common services
• Data lake
• Common tooling
• Common services

Page 20

Multi-account approach
• Orgs: account management
• Log Archive: security logs
• Security: security tools, AWS Config rules
• Shared Services: directory, limit monitoring
• Network: Direct Connect
• Dev Sandbox: experiments, learning
• Dev: development
• Pre-Prod: staging
• Prod: production
• Team Shared Services: team services, data lake, common Cognito, …

Page 21

AWS Landing Zone structure - Basic (AWS Organizations)

Organizations Account
• Account provisioning
• Account access (SSO)

Shared Services Account
• Active Directory
• Log analytics

Log Archive
• Security logs

Security Account
• Audit / break-glass

Page 22

The AWS Landing Zone solution

An easy-to-deploy solution that automates the setup of new AWS multi-account environments.
• Based on AWS best practices and recommendations
• Initial security and governance controls
• Baseline accounts and account vending machine
• Automated deployment

Page 23

Account vending machine (via AWS Service Catalog)
• Account creation factory
• User interface to create new accounts
• Account baseline versioning
• Launch constraints

Vending flow (involving AWS Organizations and the Security, Log Archive and Shared Services accounts):
• Creates/updates the AWS account
• Apply account baseline stack sets
• Create network baseline
• Apply account security control policy

Page 24

The AWS Landing Zone solution (repeat of page 22)


Page 26

AWS Organizations (enable all features mode)

Diagram: a single AWS account grows into the organization structure. Core Accounts: AWS Organizations Master, Security, Log Archive, Shared Services, Network. Team/Group Accounts: Dev, Pre-Prod, Prod, Team Shared Services. Developer Accounts: Developer Sandbox.

Page 27

AWS IAM & AWS Organizations

IAM Policies                     | SCPs (Service Control Policies)
Manage ARN                       | Manage APIs
Start from DENIED                | Start from ALLOWED
Assigned to Roles & Groups       | Assigned to OUs and AWS Accounts
                                 | Not for Root credentials, AWS Support, CloudFront, Alexa, ...

Page 28

AWS IAM & SC Policies

IAM policy
• Choose a service
• Define actions for the service
• Apply resources for actions
• Specify condition for actions
• Effect: Deny or Allow

SCP
• Choose a service
• Define actions for the service
• Apply resource = “*”

Page 29

AWS IAM Policies
• JSON-formatted set of instructions which define permission
• Contain a statement (permissions) that specifies:
  • which actions a principal can perform
  • which resources can be accessed

    {
      "Statement": [{
        "Effect": "effect",
        "Principal": "principal",        who
        "Action": "action",              what
        "Resource": "arn",               where
        "Condition": {                   if
          "condition": {
            "key": "value"
          }
        }
      }]
    }

Page 30

AWS IAM Policy: Resource & Conditions
• Resources & services are defined uniquely by an Amazon Resource Name (ARN)
• Contain a statement (permissions) that specifies:
  • which actions a principal can perform
  • which resources can be accessed

    arn:aws:service:region:account:resource…

Page 31

IAM-Policies & SCPs

IAM policies (attached to Group, User, Role) ∩ Organizations SCP (attached to Account, OU) = effective right: the intersection of the two, evaluated for a user calling a service.

Page 32

SCPs & IAM-Policies to protect

Diagram: (1) Organizations SCP, (2) identity-based policy, (3) effective permission.

SCP
• Allow: S3:*
• Allow: EC2:*

IAM permissions
• Allow: SQS:*
• Allow: EC2:*

Page 33

Permissions Boundaries for IAM Entities (User or Role)

Set the maximum permissions that an identity-based policy can grant to an IAM entity. The entity can perform only the actions that are allowed by both its identity-based policies and its permissions boundaries.

Page 34

Organizations SCPs

Venn diagram (regions numbered 1–7): Organizations SCP, permissions boundary, identity-based policy; the effective permission is the region where all three overlap.

Page 35

Resource-based Policies

Venn diagram (regions numbered 1–7): resource-based policy, permissions boundary, identity-based policy; effective permission.

Page 36

Session Policies

Venn diagram (regions numbered 1–7): session policy, permissions boundary, identity-based policy; effective permission.

Page 37

IAM Policies - Evaluation Logic
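The intersection rule of pages 31–32 and the boundary/session layering of pages 33–37 can be run as code. This is an added example, not code from the deck or from AWS: it models the evaluation with explicit Deny winning, then requiring an Allow from the SCP, the permissions boundary and session policy (if present) and the identity-based policy; it parses the ARN format from page 30. The policy dicts reuse the slide's S3/EC2/SQS example, while the EC2 read-only boundary and all ARNs are constructed sample values. Resource-based policies, Condition, NotAction and cross-account cases are deliberately not modelled.

```python
from fnmatch import fnmatchcase
from typing import Dict, List, Optional

# A policy is a list of statements; Action/Resource may be a string or a list.
Statement = Dict[str, object]
Policy = List[Statement]


def parse_arn(arn: str) -> Dict[str, str]:
    """Split an ARN into arn:partition:service:region:account:resource.
    The resource part may itself contain ':' (arn:aws:s3:::bucket/key has
    empty region and account), so split at most five times."""
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn":
        raise ValueError(f"not an ARN: {arn!r}")
    keys = ("prefix", "partition", "service", "region", "account", "resource")
    return dict(zip(keys, parts))


def _matches(patterns: object, value: str, case_sensitive: bool) -> bool:
    """IAM wildcard match ('*', '?'); action names are case-insensitive."""
    pats = patterns if isinstance(patterns, list) else [patterns]
    if not case_sensitive:
        value = value.lower()
        pats = [str(p).lower() for p in pats]
    return any(fnmatchcase(value, str(p)) for p in pats)


def _decision(policy: Policy, action: str, resource: str) -> str:
    """One policy's verdict: explicit 'Deny', 'Allow', or 'ImplicitDeny'."""
    allowed = False
    for st in policy:
        if (_matches(st["Action"], action, False)
                and _matches(st.get("Resource", "*"), resource, True)):
            if st["Effect"] == "Deny":
                return "Deny"
            allowed = True
    return "Allow" if allowed else "ImplicitDeny"


def evaluate(action: str, resource: str, *, scp: Policy, identity: Policy,
             boundary: Optional[Policy] = None,
             session: Optional[Policy] = None) -> str:
    """Return 'Allow' or 'Deny' for one request in a member account.

    Mirrors the deck: an explicit Deny in any layer wins; otherwise the SCP,
    the permissions boundary (if set), the session policy (if set) AND the
    identity-based policy must each allow it, i.e. the intersection."""
    if resource != "*":
        parse_arn(resource)  # reject malformed resource ARNs early
    layers = [scp, identity] + [p for p in (boundary, session) if p is not None]
    verdicts = [_decision(p, action, resource) for p in layers]
    if "Deny" in verdicts:
        return "Deny"
    return "Allow" if all(v == "Allow" for v in verdicts) else "Deny"


def effective_permissions(actions: List[str], scp: Policy, identity: Policy,
                          boundary: Optional[Policy] = None) -> List[str]:
    """The subset of `actions` that survives every layer (resource '*')."""
    return sorted(a for a in actions
                  if evaluate(a, "*", scp=scp, identity=identity,
                              boundary=boundary) == "Allow")


# The slide's example: SCP allows S3:* and EC2:*, IAM allows SQS:* and EC2:*.
SLIDE_SCP: Policy = [{"Effect": "Allow", "Action": ["s3:*", "ec2:*"], "Resource": "*"}]
SLIDE_IDENTITY: Policy = [{"Effect": "Allow", "Action": ["sqs:*", "ec2:*"], "Resource": "*"}]
# Constructed permissions boundary (not from the deck) that narrows EC2 to read-only.
BOUNDARY_EC2_READ: Policy = [{"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"}]

if __name__ == "__main__":
    probe = ["s3:GetObject", "ec2:RunInstances", "ec2:DescribeInstances", "sqs:SendMessage"]
    print(effective_permissions(probe, SLIDE_SCP, SLIDE_IDENTITY))
    # only EC2 is allowed by both layers -> ['ec2:DescribeInstances', 'ec2:RunInstances']
    print(effective_permissions(probe, SLIDE_SCP, SLIDE_IDENTITY, BOUNDARY_EC2_READ))
    # the boundary cuts it further -> ['ec2:DescribeInstances']
```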

Page 38

AWS Organizations (Cross account access)

Diagram: cross-account access between the Core Accounts (AWS Organizations Master, Security, Log Archive, Shared Services, Network), the Team/Group Accounts (Dev, Pre-Prod, Prod, Team Shared Services) and the Developer Accounts.

Page 39

AWS Organizations (No Cross account access)

Accounts kept without cross-account access:
• Log Archive
• Security
• Backups
• PCI

Page 40

Access Best Practice
• Restrict Root and Master Account access
• Monitor activities as Root and in the Org. Master
• Use consolidated user management / SAML
• Use the principle of “least privilege” (role-based access)
• Assign SCPs to OUs and test with dedicated OUs
• Avoid “whitelisting” and “blacklisting”

Page 41

Next steps – Action required
• Build YOUR AWS account segmentation strategy
• Set up AWS Landing Zone / Control Tower
• Search for and train your Policy Ninja
• Iterate on SCPs and IAM Policies - automated using scripts!!!
• Use AWS Security Audits & WARs to check and challenge!

?? What did I say that you should not forget?

Page 42

Next steps – Action required
• Build YOUR AWS account segmentation strategy
• Set up AWS Landing Zone / Control Tower
• Search for and train your Policy Ninja
• Iterate on SCPs and IAM Policies - automated using scripts!!!
• Use AWS Security Audits & WARs to check and challenge!
• Enable

Page 43

… and contact me at [email protected]

Marcus Fritsche

Page 44

How GuardDuty Works

Data sources
• VPC flow logs
• DNS logs
• CloudTrail events

Amazon GuardDuty
• Threat intel
• ML/AI
• Anomaly detection

Threat detection types
• Reconnaissance
• Instance compromise
• Account compromise

Findings (HIGH / MEDIUM / LOW) → SIEM and/or RESPOND

Page 45

AWS Config
• Continuously tracks resource configuration changes
• Evaluates the configuration against policies defined using AWS Config rules
• Alerts you if the configuration is noncompliant with your policies using Amazon SNS and Amazon CloudWatch Events

AWS Config = Continuous Configuration Auditor

Diagram: changing resources → AWS Config (history, snapshot; normalized) → notifications, API access; evaluated by AWS Config rules.

Page 46

Security and Compliance is a shared responsibility