AWS Security: A Practitioner’s Perspective
Jason Chan, chan@netflix.com
San Francisco AWS Users Group, April 17, 2012
Wednesday, April 18, 12

Source: files.meetup.com/1751034/sf-aws-ug-jachan.pdf


Jason Chan

• Cloud Security Architect @ Netflix
• Previously:
  • Most recently led the security team at VMware
  • Primarily security consulting at @stake, iSEC Partners
• Some presentations at:
  • http://www.slideshare.net/netflix

Agenda

• Goals and non-goals
• AWS on one slide
• Netflix in the cloud
• AWS security: Overview
• AWS security: Gotchas
• AWS security: Recommendations
• Takeaways

Non-Goals

• Primer on general cloud security issues
• AWS how-to
• Comprehensive guide to AWS security
• Info on designing for high availability

AWS Overview

AWS on a Slide

“The cloud lets its users focus on delivering differentiating business value instead of wasting valuable resources on the undifferentiated heavy lifting that makes up most of IT infrastructure.”
- Werner Vogels (AWS CTO), August 25, 2009, ‘All Things Digital’

Netflix in the Cloud

Outgrowing the Data Center

[Chart: Netflix API growth in requests vs. datacenter capacity; 37x growth 1/10 - 1/11]
http://techblog.netflix.com/2011/02/redesigning-netflix-api.html

Netflix Deployed on AWS

[Diagram: Netflix services running on AWS, grouped by column]
  Content: Video Masters, EC2, S3, CDN
  Logs: S3, EMR Hadoop, Hive, Business Intelligence
  Play: DRM, CDN Routing, Bookmarks, Logging
  WWW: Sign-up, Search, Movie Choosing, Ratings
  API: Metadata, Device Config, TV Movie Choosing, Social/Facebook
  CS: International CS Lookup, Diagnostics and Actions, Customer Call Log, CS Analytics
  Timeline under the columns: 2009, 2009, 2010, 2010, 2010, 2011

AWS services used: EC2, S3, SQS, SDB, VPC, ELB, EMR, Route53, IAM, SWF, CloudWatch, EBS, SNS, SES

AWS Security Overview

• Shared Responsibility
• AWS Credentials and Identifiers
• Services, Actions, and Resources
• Controlling Network Traffic
• AWS Security-Related Services

Shared Responsibility

[Diagram: the security stack split between what YOU are responsible for and what AWS is responsible for]
http://aws.amazon.com/security/

AWS Credentials and Identifiers

Access Credentials
  Access Keys                 REST API
  X.509 Certificates          SOAP API, EC2 tools
  Key Pairs                   CloudFront, EC2

Sign-In Credentials
  Main Account E-Mail/PW      Console access
  IAM Account Name/PW         Console access
  MFA Token                   HW/SW token for additional security

Account Identifiers
  Account ID                  12-digit identifier
  Canonical User ID           Used for S3 permissioning

Resource Identifier
  Amazon Resource Name (ARN)  Unique resource identifier, e.g. arn:aws:sns:us-east-1:123456789012:mytopic
                              (the account ID segment is the 12-digit Account ID above)

http://docs.amazonwebservices.com/AWSSecurityCredentials/1.0/AboutAWSCredentials.html

AWS Services, Actions, and Resources

Service  Action                                   Resource
S3       GetObject, DeleteBucket                  Bucket, Object
EC2      TerminateInstances, AssociateAddress     Instance, AMI, EBS Volume

AWS policies can be applied to actions and resources. Which of the two a given service supports is service-dependent.

http://docs.amazonwebservices.com/IAM/latest/UserGuide/Using_SpecificProducts.html

Policies - Example

  {
    "Statement": [
      {
        "Action": ["s3:GetObject"],
        "Effect": "Allow",
        "Resource": "arn:aws:s3:::testbucket/files/*",
        "Condition": {
          "DateLessThanEquals": {"aws:CurrentTime": "2012-05-31T12:00:00Z"},
          "IpAddress": {"aws:SourceIp": "1.1.1.1"}
        },
        "Principal": {"AWS": ["123456789012"]}
      }
    ]
  }

Reading the policy:
• Which service? Which actions? (Action)
• Allow or deny? (Effect)
• Which resource? (Resource)
• Any conditions? (optional) (Condition)
• To whom does the policy apply? (Principal)

Policy generator: http://awspolicygen.s3.amazonaws.com/policygen.html
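To make the five questions above concrete, here is a small evaluator for the policy subset shown on the slide. It is an added example written for this page, not code from the talk. It models the documented decision order (an explicit Deny always wins, otherwise any matching Allow grants, otherwise the request is implicitly denied) and the condition operators the talk mentions here and on the resource security slide: DateLessThanEquals on aws:CurrentTime, IpAddress/NotIpAddress on aws:SourceIp and Bool on aws:SecureTransport. Only account-ID principals are modelled, and the sample requests (account 123456789012, the 1.1.1.1 source address, the report.pdf key) are constructed. It is a teaching model, not a substitute for testing against the live service.

```python
"""Minimal evaluator for the policy subset shown on the slide (added example)."""
from datetime import datetime, timezone
from fnmatch import fnmatchcase
import ipaddress

# The policy from the slide, as a Python dict.
SLIDE_POLICY = {
    "Statement": [{
        "Action": ["s3:GetObject"],
        "Effect": "Allow",
        "Resource": "arn:aws:s3:::testbucket/files/*",
        "Condition": {
            "DateLessThanEquals": {"aws:CurrentTime": "2012-05-31T12:00:00Z"},
            "IpAddress": {"aws:SourceIp": "1.1.1.1"},
        },
        "Principal": {"AWS": ["123456789012"]},
    }]
}

# The SecureTransport condition from the resource security slide, written as
# a Deny so that it overrides the broad Allow regardless of statement order.
TLS_ONLY_POLICY = {
    "Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "arn:aws:s3:::testbucket/*"},
        {"Effect": "Deny", "Action": "s3:*", "Resource": "arn:aws:s3:::testbucket/*",
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ]
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _parse_time(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def _condition_matches(operator, key, expected, context):
    """Evaluate one operator/key pair. A key missing from the context is false."""
    actual = context.get(key)
    if actual is None:
        return False
    values = _as_list(expected)
    if operator == "DateLessThanEquals":
        return any(_parse_time(actual) <= _parse_time(v) for v in values)
    if operator in ("IpAddress", "NotIpAddress"):
        ip = ipaddress.ip_address(actual)
        hit = any(ip in ipaddress.ip_network(v, strict=False) for v in values)
        return hit if operator == "IpAddress" else not hit
    if operator == "Bool":
        return any(str(actual).lower() == str(v).lower() for v in values)
    raise ValueError("unsupported condition operator: %s" % operator)

def _statement_matches(stmt, request):
    principal = stmt.get("Principal", "*")  # no Principal (IAM user policy) = anyone
    allowed = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
    if "*" not in allowed and request["principal"] not in allowed:
        return False
    # Action names are matched case-insensitively; resource ARNs are not.
    action = request["action"].lower()
    if not any(fnmatchcase(action, a.lower()) for a in _as_list(stmt["Action"])):
        return False
    if not any(fnmatchcase(request["resource"], r) for r in _as_list(stmt["Resource"])):
        return False
    # Every operator/key pair in Condition must hold (logical AND).
    for operator, pairs in stmt.get("Condition", {}).items():
        for key, expected in pairs.items():
            if not _condition_matches(operator, key, expected, request["context"]):
                return False
    return True

def evaluate(policy, request):
    """Return 'Allow' or 'Deny' for a request dict with keys
    principal, action, resource and context (the aws:* condition keys)."""
    decision = "Deny"  # implicit deny until an Allow matches
    for stmt in policy["Statement"]:
        if _statement_matches(stmt, request):
            if stmt["Effect"] == "Deny":
                return "Deny"  # explicit deny overrides every Allow
            decision = "Allow"
    return decision

def slide_request(**overrides):
    """A constructed request that satisfies the slide's policy; override fields to probe it."""
    req = {
        "principal": "123456789012",
        "action": "s3:GetObject",
        "resource": "arn:aws:s3:::testbucket/files/report.pdf",
        "context": {"aws:CurrentTime": "2012-05-01T00:00:00Z",
                    "aws:SourceIp": "1.1.1.1"},
    }
    req.update(overrides)
    return req
```

Changing any one field of `slide_request()` (the source address, the time, the principal, the key prefix) flips the result to Deny, which is the behaviour the slide's callouts describe: each block of the statement is a separate test that must pass.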

Controlling Network Traffic in AWS

[Diagram: App Server -> DB Server, TCP 3306]

Cisco configuration (host-to-host):
  permit tcp host 1.1.1.1 host 2.2.2.2 eq 3306

AWS configuration (group-to-group; -o names a source security group, -s would name a CIDR):
  ec2-authorize db -P tcp -p 3306 -o app

Security Groups & ACLs

Type                Stateful  Ingress  Egress  EC2  VPC  Cross-Account  Dynamic Membership
EC2 Security Group  Y         Y        N       Y    N    Y              N
VPC Security Group  Y         Y        Y       N    Y    N              Y
DB Security Group   Y         Y        N       Y    Y    Y              Y
VPC Network ACL     N         Y        Y       N    Y    N/A            N/A
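The group-sourced rule on the previous slide behaves differently from the Cisco ACL: it matches on current membership of the `app` group, not on an address. The following is an added example for this page, not code from the talk or from Netflix, that models that semantics over a constructed inventory and also performs the kind of security-group monitoring the Security Monkey backup slides describe (rules open to 0.0.0.0/0 on ports that should not be public). The group names, instance IDs and addresses are made up; in practice the data would come from DescribeSecurityGroups and DescribeInstances (for example via boto).

```python
"""Security-group reachability and world-exposure check (added example)."""
import ipaddress

# Constructed inventory, the equivalent of:
#   ec2-authorize db  -P tcp -p 3306 -o app
#   ec2-authorize app -P tcp -p 80   -s 0.0.0.0/0
#   ec2-authorize app -P tcp -p 22   -s 0.0.0.0/0   <- the finding reported below
GROUPS = {
    "app": [
        {"proto": "tcp", "from": 80, "to": 80, "src": "0.0.0.0/0"},
        {"proto": "tcp", "from": 22, "to": 22, "src": "0.0.0.0/0"},
    ],
    "db": [
        {"proto": "tcp", "from": 3306, "to": 3306, "src": "app"},
    ],
}
# instance id -> (private IP, public IP, security groups); all addresses are made up
INSTANCES = {
    "i-app1": ("10.245.134.152", "72.44.52.70", ["app"]),
    "i-db1": ("10.245.1.20", "72.44.52.71", ["db"]),
    "i-other": ("10.245.7.7", "72.44.52.72", []),
}
PUBLIC_OK = {("tcp", 80), ("tcp", 443)}  # ports we accept being world-reachable

def _is_cidr(src):
    try:
        ipaddress.ip_network(src, strict=False)
        return True
    except ValueError:
        return False  # anything that is not a CIDR is a security-group name

def rule_permits(rule, proto, port, src_ip, src_groups):
    """Does one inbound rule admit proto/port from this source?"""
    if rule["proto"] != proto or not (rule["from"] <= port <= rule["to"]):
        return False
    if _is_cidr(rule["src"]):
        return ipaddress.ip_address(src_ip) in ipaddress.ip_network(rule["src"], strict=False)
    return rule["src"] in src_groups  # group-sourced: decided by membership, not address

def can_reach(groups, instances, src_inst, dst_inst, proto, port, via_public_ip=False):
    """Can src_inst open proto/port to dst_inst under dst_inst's inbound rules?"""
    private_ip, public_ip, src_groups = instances[src_inst]
    src_ip = private_ip
    if via_public_ip:
        # Traffic sent to a public IP/EIP arrives from the source's public
        # address and loses its security-group association, so only CIDR
        # rules can match it (the point made on the EC2 IP address slides).
        src_ip, src_groups = public_ip, []
    _, _, dst_groups = instances[dst_inst]
    return any(rule_permits(r, proto, port, src_ip, src_groups)
               for g in dst_groups for r in groups[g])

def world_exposed(groups, allow=PUBLIC_OK):
    """List (group, proto, port) for rules open to 0.0.0.0/0 on non-approved ports."""
    findings = []
    for name, rules in groups.items():
        for r in rules:
            if not _is_cidr(r["src"]):
                continue
            if ipaddress.ip_network(r["src"], strict=False).prefixlen == 0:
                for port in range(r["from"], r["to"] + 1):
                    if (r["proto"], port) not in allow:
                        findings.append((name, r["proto"], port))
    return findings
```

Note that `i-other` cannot reach the database even though it sits in the same 10.245.0.0/16 range, and that `i-app1` loses access as soon as it talks to the database's public address: the rule grants the group, not the network.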

AWS Security-Related Services

• Identity and Access Management (IAM)
• Multi-Factor Authentication (MFA)
• Security Token Service (STS)
• Virtual Private Cloud (VPC)

AWS Security Gotchas

• AWS Limits
• IP Addresses in EC2
• Elastic Load Balancing Security
• S3 Policies and Object Ownership
• AWS Resource Logging
• Delivering Credentials to Instances

AWS Limits

• “Because the cloud is infinite if your requirements are moderate”
• Many AWS services have a variety of limits
  • Some of which are easily discoverable
• AWS services also throttle (e.g. a maximum request rate per second)
• Beware of self-DoS via automation and autoscaling
• NOTE: http://aws.amazon.com/contact-us/ for limit increase requests
• NOTE: Track limits and inspect error messages

EC2 IP Addresses

• Each instance has two IPs - private and public

  # ec2-metadata
  ...
  local-hostname: ip-10-245-134-152.ec2.internal
  local-ipv4: 10.245.134.152
  ...
  public-hostname: ec2-72-44-52-70.compute-1.amazonaws.com
  public-ipv4: 72.44.52.70
  ...

EC2 IP Addresses

• Name resolution depends on client location (the public hostname resolves to the private IP from inside EC2 and to the public IP from outside)

  # ec2-metadata -o
  local-ipv4: 10.245.134.152

  # dig +short ec2-72-44-52-70.compute-1.amazonaws.com
  10.245.134.152

  # dig @8.8.4.4 +short ec2-72-44-52-70.compute-1.amazonaws.com
  72.44.52.70

EC2 IP Addresses

• Both public and private IPs are dynamic
• Elastic IPs can be used for persistent public IPs
• Within a region, instances use their private IPs
• Across regions and for Internet traffic, the public IP is used
• NOTE: Traffic to the public IP/EIP:
  • Incurs regional data transfer costs
  • Has worse in-region performance
  • Does not preserve source security group info (so group-sourced rules will not match it)

Elastic Load Balancers

• Service availability and traffic balancing across EC2 instances
• Stable DNS for publicly-facing services
  • Point your hostname at the ELB’s DNS name with a CNAME
• SSL termination, session stickiness, etc.

[Diagram: Internet -> ELB -> Instance, Instance, Instance]

Elastic Load Balancers

• ELB intercepts and forwards traffic
  • Traffic loses its source IP
  • Client IP is accessible via the X-Forwarded-For header
• Backend instances must allow traffic from the ELB
  • Traffic from ELB == Traffic from Internet
  • Without additional (non security group) filtering, ELBs should only be used for public use cases
• NOTE: VPC ELBs can use security groups for limiting access
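Since the backend only sees the ELB as its peer, the client address has to be recovered from X-Forwarded-For, and that header is easy to get wrong. The following is an added example for this page, not code from the talk. The ELB appends the address it accepted the connection from to the end of X-Forwarded-For; anything already in the header arrived from the client and is untrusted. So the client address is the entry appended by the last trusted hop, counted from the right, and the header should only be believed at all when the TCP peer is a proxy we trust. The trusted-proxy range (10.1.0.0/16) and every address used are constructed for the example.

```python
"""Recovering the client address behind an ELB (added example)."""
import ipaddress

# Assumption for the example: our load balancers sit in this range. In EC2
# (non-VPC) the ELB addresses are not fixed, which is exactly why the slide
# says backend instances cannot restrict access to "only the ELB" with
# security groups alone; in a VPC the ELB's security group gives you this.
TRUSTED_PROXIES = [ipaddress.ip_network("10.1.0.0/16")]

def client_ip(xff_header, peer_ip, trusted_proxies=TRUSTED_PROXIES, trusted_hops=1):
    """Return the client address as a string.

    xff_header   - X-Forwarded-For value as received, or None
    peer_ip      - address the instance actually accepted the TCP connection from
    trusted_hops - proxies between client and instance that each append one entry
    """
    peer = ipaddress.ip_address(peer_ip.strip())
    if not xff_header or not any(peer in net for net in trusted_proxies):
        # Direct connection (or a forged header from an untrusted peer):
        # the peer itself is the client and the header means nothing.
        return str(peer)
    hops = [h.strip() for h in xff_header.split(",") if h.strip()]
    if len(hops) < trusted_hops:
        raise ValueError("fewer X-Forwarded-For entries than trusted hops")
    # The rightmost entries were written by our proxies; the one written by the
    # first trusted proxy is the real client. ip_address() rejects garbage.
    return str(ipaddress.ip_address(hops[-trusted_hops]))

def naive_client_ip(xff_header):
    """The common mistake: trusting the leftmost entry, which the client chose."""
    return xff_header.split(",")[0].strip()

# Constructed sample: the client injected 10.0.0.1 before the ELB appended the
# real source 203.0.113.7 (a documentation-range address).
SPOOFED = "10.0.0.1, 203.0.113.7"
```

With the spoofed header the naive parser reports the attacker-chosen 10.0.0.1 and would pass any "internal address" check, while the rightmost-entry parser reports 203.0.113.7; when the same header arrives from a peer outside the trusted range, it is ignored entirely.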

S3 Policies and Object Ownership

• An S3 bucket is similar to a container, an object similar to a file
• Access control can be applied via bucket policy, bucket ACL, and object ACLs
• NOTE: Objects only inherit bucket-level permissions if written by the bucket owner
  • The default ACL is “object creator: full control”
  • Objects written by a non-owner of the bucket are, by default, inaccessible to the bucket owner
  • Use the “x-amz-acl” header on write (e.g. bucket-owner-full-control) to fix permissions
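The write that fixes ownership is an ordinary signed REST request, which also illustrates the "Access Keys / REST API" row of the credentials table. The following is an added example for this page, not code from the talk: it implements the S3 REST authentication scheme in use in 2012 (AWS signature version 2). The string-to-sign covers the verb, Content-MD5, Content-Type, Date, every x-amz-* header in canonical form and the resource path, and is MACed with HMAC-SHA1 under the secret access key. Because x-amz-acl is inside the signed string, the ownership fix cannot be stripped in transit without invalidating the request. The access key, secret, bucket, key and date below are placeholders, not real credentials.

```python
"""A signed S3 PUT that hands the new object to the bucket owner (added example)."""
import base64
import hashlib
import hmac

def canonical_amz_headers(headers):
    """x-amz-* headers only: lowercase names, sorted, one 'name:value' line each."""
    amz = {}
    for name, value in headers.items():
        lname = name.lower().strip()
        if lname.startswith("x-amz-"):
            amz.setdefault(lname, []).append(value.strip())
    return "".join("%s:%s\n" % (k, ",".join(amz[k])) for k in sorted(amz))

def string_to_sign(method, bucket, key, headers):
    """Verb, Content-MD5, Content-Type, Date, canonical x-amz headers, resource."""
    lower = {k.lower(): v for k, v in headers.items()}
    head = "\n".join([method,
                      lower.get("content-md5", ""),
                      lower.get("content-type", ""),
                      lower.get("date", "")])
    return head + "\n" + canonical_amz_headers(headers) + "/%s/%s" % (bucket, key)

def sign(secret_key, sts):
    """Base64(HMAC-SHA1(secret, string-to-sign)), the value after 'AWS key:'."""
    mac = hmac.new(secret_key.encode("utf-8"), sts.encode("utf-8"), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode("ascii")

def put_object_headers(access_key, secret_key, bucket, key, body, date,
                       content_type="application/octet-stream"):
    """Headers for a PUT of `body` that the bucket owner will be able to read."""
    headers = {
        "Date": date,
        "Content-Type": content_type,
        "Content-MD5": base64.b64encode(hashlib.md5(body).digest()).decode("ascii"),
        # The fix from the slide: a canned ACL granting the bucket owner full
        # control even though a different account is writing the object.
        "x-amz-acl": "bucket-owner-full-control",
    }
    sts = string_to_sign("PUT", bucket, key, headers)
    headers["Authorization"] = "AWS %s:%s" % (access_key, sign(secret_key, sts))
    return headers, sts
```

The same construction is what an object ACL audit would need in reverse: fetching `?acl` for objects whose owner is not the bucket owner is a signed GET with `/bucket/key?acl` as the resource.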

AWS Resource Logging

• AWS APIs and resources are publicly (Internet) accessible
  • So your management interfaces, file store, databases, etc. are publicly addressable
• Preventing access is generally possible through policy configuration
• NOTE: AWS provides no capability for logging or auditing API/resource access (S3 server access logs, which are best-effort, being the one exception)

Delivering Credentials to EC2 Instances

• AWS becomes more valuable when leveraging multiple services (e.g. EC2 + SQS, S3, etc.)
• Access to resources will generally require credentials
• Secure delivery and storage of credentials becomes difficult with scale and automation
• Some ideas:
  • http://shlomoswidler.com/2009/08/how-to-keep-your-aws-credentials-on-ec2.html

AWS Security Recommendations

• Systematic Approach to AWS Security
• Shared Responsibility
• AWS Management
• AWS Security Features and Services
• Resource Security
• Operations Security

Systematic Approach to AWS Security

• Understand the shared responsibility model
• Management of AWS
• AWS security features and services
• AWS resource security
• Secure AWS operations

Shared Responsibility

• Analyze what each side provides in terms of security controls
• Understand legal/contractual aspects
• Make plans to bridge any gaps

https://wiki.cloudsecurityalliance.org/guidance/index.php/Cloud_Computing_Architectural_Framework
http://www.computer.org/csdl/mags/sp/2011/02/msp2011020050-abs.html

AWS Management

• There is no longer any reason not to use IAM
• Enable:
  • IAM
  • MFA (for the root account and for IAM users)
• Create groups and assign permissions appropriate for your organizational model
• Consider using separate top-level accounts for compartmentalization

AWS Security Features and Services

• Understand the security features, limitations, and options of the features you use
  • S3 - encryption, MFA delete, versioning
  • EC2 - dedicated instances, disabling API termination
• Consider VPC based on use cases and requirements

AWS Resource Security

• Review access requirements for AWS resources
  • S3 buckets, SimpleDB domains, SQS queues
• Apply resource policies to control access appropriately
• Use policy conditions to enhance security
  • aws:SourceIp, aws:CurrentTime, aws:SecureTransport

Secure AWS Operations

• Understand security group/ACL differences
• Design and implement according to architectural requirements
• Actively manage and monitor accounts and credentials

Other Recommendations

• Tools like boto are useful for security monitoring and analysis
• Keep an eye on:
  • http://aws.typepad.com/
  • @jeffbarr
  • AWS Endpoints: http://docs.amazonwebservices.com/general/latest/gr/rande.html
  • EC2 IP Ranges: https://forums.aws.amazon.com/forum.jspa?forumID=30

Takeaways

• AWS provides an array of services that allow you to construct and operate large-scale web services in a self-service, pay-as-you-go model
• The cloud operating model requires you to understand the security responsibilities of both provider and consumer
• Understanding AWS’ security features and capabilities and taking a systematic approach to AWS security will help ensure optimized and secure service use

Thanks! Questions?

chan@netflix.com

Backup Slides

Cloud and Platform Engineering

• Engineering Tools: orchestration, build and deployment
• Cloud Solutions: monitoring, consulting, Simian Army
• CORE: 24/7 site reliability
• Platform Engineering: core shared components and libraries
• Security: application, engineering, and operational
• Cloud Database Engineering: Cassandra, SDB, RDS
• Cloud Performance: testing, optimization, cost
• Cloud Architecture: overall design patterns

Netflix PaaS

• Supports all AWS regions and availability zones
• Supports multiple AWS accounts
• One-click deployment and load balancing across three datacenters
• Cross-region and account data replication and archive
• Dynamic and fine-grained security
• Automatic scaling to thousands of instances
• Monitoring for millions of metrics
• Base server and client
• I18n, L10n, geo IP routing

http://www.slideshare.net/netflix

Security Monkey
http://techblog.netflix.com/2011/07/netflix-simian-army.html

• Centralized framework for cloud security monitoring and analysis
• Leverages AWS APIs and common security tools

Security Monkey

• Certificate monitoring
• Security group monitoring
• Exposed instances/applications
• Web application vulnerability scanning
• Upcoming:
  • Policy analysis (firewall, user, S3, etc.)

References

• http://www.slideshare.net/netflix
• http://techblog.netflix.com
• https://cloudsecurityalliance.org/