© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
BEST PRACTICES FOR SECURITY AT SCALE
Angus McAllister, Solutions Architect, Amazon Web Services
30 October 2017
Agenda
• Security as a Risk Management Process
• Risk Management Methodology
• Reducing risk by using the AWS cloud
• Sources of Best Practices
• A Bad Day
• Best of the Best Practices
  – Identity and Access Management
  – Logging and Monitoring
  – Infrastructure Security
  – Data Protection
• Click, Script, Commit
• Tools and Automation
Securing Information – Managing Risk
• Why are we doing this, again?
• Information is an increasingly valuable asset
• Security of that information is under increasing threat:
  • Confidentiality
  • Integrity
  • Availability
• Arms race to stay ahead of threats – very challenging
• How can any but the largest organisations afford this?
Risk Management Primer – a Methodology
• Prioritise risks through Threat Modelling:
  1. Identify Information Assets
  2. Identify Bad Actors, motivations and means of attack
  3. Estimate likelihood of each attack succeeding
  4. Quantify impact of a successful attack
  5. Calculate risks: probability * impact
  6. Rank risks in descending order
• Implement counter-measures for a subset of risks
• Estimate the cost of each
• Establish an equilibrium of residual risk
[Diagram: Risks → Costs → Residual Risks]
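The six steps above reduce to a small, repeatable calculation. The following is an added example (not code from the slides or from AWS) of a risk register that scores each risk as probability * impact, ranks the register, and then funds countermeasures in rank order until a budget runs out, reporting the residual risk that is left. Every asset, attack, probability, impact and cost value in it is a constructed sample, not a figure from the talk.

```python
"""Added example, not from the slides: a small risk register that follows the
six-step methodology above. Assets, attacks, probabilities, impacts and
countermeasure costs are constructed sample values, not figures from the talk."""
from dataclasses import dataclass


@dataclass
class Risk:
    asset: str                  # step 1: information asset
    attack: str                 # step 2: bad actor / means of attack
    probability: float          # step 3: likelihood the attack succeeds (0.0 - 1.0)
    impact: float               # step 4: cost of a successful attack (money units)
    countermeasure_cost: float  # cost of the control that would retire this risk

    @property
    def score(self) -> float:
        # step 5: risk = probability * impact
        return self.probability * self.impact


def rank_risks(risks):
    # step 6: descending order, highest risk first
    return sorted(risks, key=lambda r: r.score, reverse=True)


def plan_countermeasures(risks, budget):
    """Fund countermeasures for the highest-ranked risks first, skipping any that no
    longer fit in the budget. Returns (treated, residual): the treated risks and the
    sum of the scores left untreated, i.e. the residual risk the organisation accepts."""
    treated, residual, spent = [], 0.0, 0.0
    for r in rank_risks(risks):
        if spent + r.countermeasure_cost <= budget:
            treated.append(r)
            spent += r.countermeasure_cost
        else:
            residual += r.score
    return treated, residual


# Constructed sample register (hypothetical organisation, hypothetical numbers)
SAMPLE_REGISTER = [
    Risk("customer database", "injection attack on the web application", 0.30, 500_000, 20_000),
    Risk("data backups in S3", "bucket permissions opened to the public", 0.20, 400_000, 5_000),
    Risk("website images", "objects deleted from the image bucket", 0.40, 50_000, 8_000),
    Risk("admin credentials", "long-lived access keys phished", 0.25, 300_000, 15_000),
]

if __name__ == "__main__":
    for r in rank_risks(SAMPLE_REGISTER):
        print(f"{r.score:>10,.0f}  {r.asset}: {r.attack}")
    treated, residual = plan_countermeasures(SAMPLE_REGISTER, budget=30_000)
    print("treated:", [r.asset for r in treated])
    print(f"residual risk: {residual:,.0f}")
```

The greedy budget pass is deliberately simple: it shows the "equilibrium of residual risk" idea, where the untreated scores are the risk you knowingly carry, and makes the trade-off between countermeasure spend and residual risk explicit enough to argue about.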
Reducing Risk by using Cloud
• AWS has sufficient scale to secure resources effectively
• Operating model shares benefits with all customers
• Security risks can be better managed using cloud
• Shared Responsibility Model for security:
  • AWS is responsible for security of the cloud
  • Customers are responsible for security in the cloud
• Multiple risk categories transferred to the party best placed to manage them: AWS
• Frees up resources to counter more risks
Sources of Best Practices
AWS Security Best Practices
• Whitepaper with 44 best practices including:
  • Identity and Access Management (10 best practices)
  • Logging and Monitoring (4)
  • Infrastructure Security (15)
  • Data Protection (15)
Center for Internet Security (CIS) Benchmarks
• 148 detailed recommendations for configuration and auditing covering:
  • “AWS Foundations” with 52 checks aligned to AWS Best Practices
  • “AWS Three-Tier Web Architecture” with 96 checks for web applications
National Cyber-Security Centre (NCSC) Cloud Security Principles
• 14 principles to abide by for consuming cloud services:
  • Elaboration of each principle to expand understanding
  • AWS White Paper: “Using AWS in the context of NCSC UK’s Cloud Security Principles” with detailed recommendations
CIS Benchmarks: What, Why, Check, Fix
A is for “Andy” and B is for “Bill”
• Andy follows best practices :-)
• Bill does NOT follow best practices :-(
Bill’s Bad Day
[Diagram: Bill’s single AWS Account with an Internet Gateway, a Web Server Instance serving the S3 Bucket “Website Images”, an Internal Data Service and the S3 Bucket “Data Backup”; a Bad Person on the Internet works through steps 1–5]
1. Access the vulnerable web application
2. Pivot to the data service
3. Delete the website image files
4. Change permissions to the data backup
5. Download the data backup
Bill’s Bad Day – why it happened
1. No web application protection
2. One account
3. No segmentation
4. All permissions granted
5. Sensitive data not encrypted
6. No logging, monitoring, alerting
… now let’s help Andy have a great day! :-)
Best of the Best Practices: Identity and Access Management
1) Use multiple AWS accounts to reduce blast radius
   AWS accounts provide administrative isolation between workloads across different lines of business, regions, stages of production and types of data classification.
2) Use limited roles and grant temporary security credentials
   IAM roles and temporary security credentials mean you don't always have to manage long-term credentials and IAM users for each entity that requires access to a resource.
3) Federate to an existing identity service
   Control access to AWS resources, and manage the authentication and authorisation process without needing to re-create all your corporate users as IAM users.
Sources cited on the slide: AWS Best Practices Paper; CIS Foundation Benchmark; CIS Web-Tier Benchmark; NCSC Cloud Security Principle
[Diagram: Production and Staging AWS accounts, each with IAM; IAM Roles issuing Temporary Security Credentials; MFA token; AWS Directory Service]
[Diagram: Andy’s architecture, step 1 (Identity and Access Management) – three separate AWS Accounts; Internet Gateway, Web Server Instance and S3 Bucket “Website Images”; Internal Data Service and S3 Bucket “Data Backup”; IAM with Temporary Security Credentials and MFA token; AWS Directory Service]
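Practice 2 and Bill’s “all permissions granted” failing are both things you can check mechanically in a policy document. The block below is an added example (not code from the slides or from AWS) of a small IAM policy linter: it flags Allow statements that grant every action on every resource, and it checks that a role’s trust policy only lets the role be assumed when MFA was used, via the aws:MultiFactorAuthPresent condition key. The role names, bucket name, policy documents and the account id 123456789012 are constructed samples.

```python
"""Added example, not from the slides: a linter for IAM policy documents that
flags the 'all permissions granted' pattern behind Bill's bad day and checks
that a role can only be assumed with MFA (practice 2). The policy documents,
role names, bucket name and account id 123456789012 are constructed samples."""


def _as_list(value):
    # IAM accepts either a string or a list for Action / Resource / Principal
    return value if isinstance(value, list) else [value]


def find_overbroad_statements(policy):
    """Return the Sids (or positions) of Allow statements granting every action on every resource."""
    findings = []
    for i, st in enumerate(_as_list(policy.get("Statement", []))):
        if st.get("Effect") != "Allow":
            continue
        if "*" in _as_list(st.get("Action", [])) and "*" in _as_list(st.get("Resource", [])):
            findings.append(st.get("Sid", f"statement[{i}]"))
    return findings


def trust_policy_requires_mfa(trust_policy):
    """True only if every sts:AssumeRole statement carries a
    Bool aws:MultiFactorAuthPresent = true condition."""
    for st in _as_list(trust_policy.get("Statement", [])):
        if "sts:AssumeRole" not in _as_list(st.get("Action", [])):
            continue
        mfa = st.get("Condition", {}).get("Bool", {}).get("aws:MultiFactorAuthPresent")
        if str(mfa).lower() != "true":
            return False
    return True


def lint_role(name, trust_policy, permissions_policy):
    """Collect human-readable findings for one role."""
    findings = [f"{name}: statement {sid} allows all actions on all resources"
                for sid in find_overbroad_statements(permissions_policy)]
    if not trust_policy_requires_mfa(trust_policy):
        findings.append(f"{name}: AssumeRole trust policy does not require MFA")
    return findings


# Constructed sample policies
BILL_ADMIN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "EverythingEverywhere", "Effect": "Allow",
                   "Action": "*", "Resource": "*"}],
}
BILL_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                   "Principal": {"AWS": "arn:aws:iam::123456789012:root"}}],
}
ANDY_SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "ReadWebsiteImages", "Effect": "Allow",
                   "Action": ["s3:GetObject"],
                   "Resource": "arn:aws:s3:::example-website-images/*"}],
}
ANDY_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                   "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
                   "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}}],
}

if __name__ == "__main__":
    for name, trust, perms in [("bill-admin", BILL_TRUST_POLICY, BILL_ADMIN_POLICY),
                               ("andy-web-reader", ANDY_TRUST_POLICY, ANDY_SCOPED_POLICY)]:
        print(name, lint_role(name, trust, perms) or ["no findings"])
```

The same functions can be run over policy documents exported from IAM; they look only at the policy JSON and need no AWS credentials, which is what makes them usable as a pre-commit check in the “Script” and “Commit” stages later in the deck.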
Best of the Best Practices: Logging and Monitoring
4) Turn on logging in all accounts, for all services, in all regions
   The AWS API history in CloudTrail enables security analysis, resource change tracking, and compliance auditing. CloudWatch collects and tracks metrics and monitors log files.
5) Use the AWS platform’s built-in monitoring and alerting features
   Monitoring a broad range of sources will ensure that unexpected occurrences are detected. Establish alarms and notifications for anomalous or sensitive account activity.
6) Use a separate AWS account to fetch and store copies of all logs
   Configuring a security account to copy logs to a separate bucket ensures access to information which can be useful in security incident response workflows.
Sources cited on the slide: AWS Best Practices Paper; CIS Foundation Benchmark; NCSC Cloud Security Principle
[Diagram: Production and Security accounts; AWS Config, AWS CloudTrail, Amazon CloudWatch and CloudWatch Alarms]
[Diagram: Andy’s architecture, step 2 (Logging and Monitoring) – adds AWS Config, AWS CloudTrail and Amazon CloudWatch in a separate AWS Account alongside the Web Server Instance, Internal Data Service, S3 Bucket “Website Images” and S3 Bucket “Database Backup”]
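Practice 5 says to alarm on “anomalous or sensitive account activity”; the CIS Foundations Benchmark cited on the slide spells out what that means with metric filters over CloudTrail. The block below is an added example (not code from the slides, from AWS or from CIS) that expresses five such detections as predicates over CloudTrail-style records: root account usage, console login without MFA, CloudTrail being stopped or altered, S3 bucket permission changes, and unauthorised API calls. The records are constructed samples using CloudTrail’s real field names; the event ids, user names and the 198.51.100.10 address are made up.

```python
"""Added example, not from the slides: detection rules in the spirit of the CIS
Foundations Benchmark monitoring checks, run over CloudTrail-style records.
The records below are constructed samples, not real log data."""


def _identity(record):
    return record.get("userIdentity", {})


# Rule name -> predicate over a single CloudTrail record
RULES = {
    # Root should never be used for day-to-day work; "invokedBy" marks service-initiated calls
    "root-account-usage": lambda r: _identity(r).get("type") == "Root"
                                    and "invokedBy" not in _identity(r),
    # ConsoleLogin events carry additionalEventData.MFAUsed = "Yes" / "No"
    "console-login-without-mfa": lambda r: r.get("eventName") == "ConsoleLogin"
                                           and r.get("additionalEventData", {}).get("MFAUsed") == "No",
    # Anyone turning the audit trail off is either an admin with a reason or an intruder
    "cloudtrail-config-change": lambda r: r.get("eventSource") == "cloudtrail.amazonaws.com"
                                          and r.get("eventName") in {"StopLogging", "DeleteTrail", "UpdateTrail"},
    # Bill's step 4: permissions on a bucket were changed
    "s3-bucket-policy-change": lambda r: r.get("eventSource") == "s3.amazonaws.com"
                                         and r.get("eventName") in {"PutBucketAcl", "PutBucketPolicy",
                                                                    "DeleteBucketPolicy"},
    # Repeated AccessDenied is a classic sign of probing with stolen or over-curious credentials
    "unauthorized-api-call": lambda r: r.get("errorCode") in {"AccessDenied", "UnauthorizedOperation"},
}


def detect(records):
    """Return (rule name, eventID) pairs; one record may trigger several rules."""
    hits = []
    for r in records:
        for name, predicate in RULES.items():
            if predicate(r):
                hits.append((name, r.get("eventID")))
    return hits


def count_by_rule(hits):
    """Aggregate hits the way a CloudWatch metric filter would, one counter per rule."""
    counts = {}
    for name, _ in hits:
        counts[name] = counts.get(name, 0) + 1
    return counts


# Constructed sample records (field names as CloudTrail emits them, values invented)
SAMPLE_RECORDS = [
    {"eventID": "evt-1", "eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com",
     "userIdentity": {"type": "Root", "accountId": "123456789012"},
     "additionalEventData": {"MFAUsed": "No"}, "sourceIPAddress": "198.51.100.10"},
    {"eventID": "evt-2", "eventName": "StopLogging", "eventSource": "cloudtrail.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "userName": "bill"}},
    {"eventID": "evt-3", "eventName": "PutBucketAcl", "eventSource": "s3.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "userName": "bill"},
     "requestParameters": {"bucketName": "bill-data-backup"}},
    {"eventID": "evt-4", "eventName": "DescribeInstances", "eventSource": "ec2.amazonaws.com",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/andy-ops/andy"}},
    {"eventID": "evt-5", "eventName": "ListBuckets", "eventSource": "s3.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "userName": "contractor"}, "errorCode": "AccessDenied"},
]

if __name__ == "__main__":
    for name, event_id in detect(SAMPLE_RECORDS):
        print(f"ALERT {name:<28} {event_id}")
    print(count_by_rule(detect(SAMPLE_RECORDS)))
```

In production these predicates become CloudWatch Logs metric filters on the CloudTrail log group with an alarm on each metric, which is exactly what practice 5 asks for; keeping the rule logic as plain functions also lets you unit-test it against captured records before wiring the alarms.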
Best of the Best Practices: Infrastructure Security
7) Create a threat prevention layer using AWS edge services
   Use the 70 worldwide points of presence in the AWS edge network to provide scalability, protect from denial of service attacks, and protect from web application attacks. (AWS WAF, AWS Shield, Amazon CloudFront)
8) Create network zones with Virtual Private Clouds (VPCs) and security groups
   Implement security controls at the boundaries of hosts and virtual networks within the cloud environment to enforce access policy. (Security Group)
9) Manage vulnerabilities through patching and scanning
   Test virtual machine images and snapshots for operating system and application vulnerabilities throughout the build pipeline and into the operational environment. (Amazon Inspector)
Sources cited on the slide: AWS Best Practices Paper; CIS Web-Tier Benchmark; CIS Foundation Benchmark; NCSC Cloud Security Principle
[Diagram: Andy’s architecture, step 3 (Infrastructure Security) – adds AWS WAF, AWS Shield and Amazon CloudFront in front of the Internet Gateway, Security Groups around the Web Server Instance and the Internal Data Service, and Amazon Inspector, on top of the IAM and logging controls from steps 1 and 2]
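Practice 8 is the fix for Bill’s “no segmentation”: the data tier should accept traffic only from the web tier’s security group, and the web tier should expose only 80 and 443 to the Internet. The block below is an added example (not code from the slides or from AWS) that audits security group ingress rules in the IpPermissions shape returned by the EC2 DescribeSecurityGroups API. The group ids and rules are constructed samples, and the web/internal tier convention it enforces is my own assumption, not something the deck prescribes.

```python
"""Added example, not from the slides: an audit of EC2 security group ingress rules
for practice 8 (network zones). Rule shape follows the EC2 DescribeSecurityGroups
IpPermissions structure; group ids and rules are constructed samples, and the
'web' / 'internal' tier convention is an assumption of this example."""

ANYWHERE = {"0.0.0.0/0", "::/0"}
ADMIN_PORTS = {22, 3389}        # SSH / RDP: never from the whole Internet
PUBLIC_WEB_PORTS = {80, 443}    # the only ports the web tier may expose publicly


def _port_range(perm):
    # IpProtocol -1 means all traffic; FromPort/ToPort are then absent
    if perm.get("IpProtocol") == "-1":
        return 0, 65535
    return perm.get("FromPort", 0), perm.get("ToPort", 65535)


def _open_to_world(perm):
    cidrs = [r.get("CidrIp") for r in perm.get("IpRanges", [])]
    cidrs += [r.get("CidrIpv6") for r in perm.get("Ipv6Ranges", [])]
    return any(c in ANYWHERE for c in cidrs)


def audit_security_group(sg, tier):
    """tier is 'web' (80/443 may be public) or 'internal' (ingress only from
    other security groups, never from CIDR ranges). Returns a list of findings."""
    findings = []
    gid = sg.get("GroupId", "?")
    for perm in sg.get("IpPermissions", []):
        lo, hi = _port_range(perm)
        if _open_to_world(perm):
            if any(lo <= p <= hi for p in ADMIN_PORTS):
                findings.append(f"{gid}: administrative port reachable from the Internet ({lo}-{hi})")
            elif tier != "web" or lo != hi or lo not in PUBLIC_WEB_PORTS:
                findings.append(f"{gid}: unexpected public ingress on {lo}-{hi}")
        if tier == "internal" and not perm.get("UserIdGroupPairs"):
            findings.append(f"{gid}: ingress on {lo}-{hi} is not restricted to a source security group")
    return findings


# Constructed sample groups: Bill's flat network versus Andy's two zones
BILL_WEB_SG = {"GroupId": "sg-bill-web", "IpPermissions": [
    {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]}
BILL_DATA_SG = {"GroupId": "sg-bill-data", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]}
ANDY_WEB_SG = {"GroupId": "sg-andy-web", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]}
ANDY_DATA_SG = {"GroupId": "sg-andy-data", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
     "UserIdGroupPairs": [{"GroupId": "sg-andy-web"}]}]}

if __name__ == "__main__":
    for sg, tier in [(BILL_WEB_SG, "web"), (BILL_DATA_SG, "internal"),
                     (ANDY_WEB_SG, "web"), (ANDY_DATA_SG, "internal")]:
        print(sg["GroupId"], audit_security_group(sg, tier) or ["no findings"])
```

Referencing the web tier’s security group id as the source, rather than a CIDR, is what makes the data tier a zone: membership follows the instances, so scaling the web tier or changing its addresses never widens the data tier’s exposure.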
Best of the Best Practices: Data Protection
10) Encrypt data at rest (with occasional exceptions)
    Enabling encryption at rest helps ensure the confidentiality and integrity of data. Consider encrypting everything that is not public. (AWS KMS, Data Encryption Key)
11) Use server-side encryption with provider managed keys
    AWS Key Management Service (KMS) is seamlessly integrated with 18 other AWS services. You can use a default master key or select a custom master key, both managed by AWS. (AWS KMS, Amazon S3, Amazon CloudFront)
12) Encrypt data in transit (with no exceptions)
    Encryption of data in transit provides protection from accidental disclosure, verifies the integrity of the data, and can be used to validate the remote connection. (Internet Gateway, SSL / TLS / HTTPS)
Sources cited on the slide: AWS Best Practices Paper; CIS Foundation Benchmark; NCSC Cloud Security Principle
[Diagram: Andy’s architecture, step 4 (Data Protection) – adds AWS KMS with a Data Encryption Key for the S3 Buckets “Website Images” and “Data Backup”, with TLS at the Internet Gateway, on top of the controls from steps 1–3]
[Diagram: Best Practices summary – Andy’s complete architecture: two AWS Accounts; IAM with Temporary Security Credentials and MFA token; AWS Directory Service; AWS Config, AWS CloudTrail, Amazon CloudWatch and Amazon Inspector; AWS WAF, AWS Shield and Amazon CloudFront in front of the Internet Gateway; Security Groups around the Web Server Instance and Internal Data Service; AWS KMS Data Encryption Key on the S3 Buckets “Website Images” and “Data Backup”]
Now it’s time to move from the WHAT to the HOW
Three Speeds: Crawl, Walk, Run
Three Levels: 8-bit Mario, 16-bit Mario, 64-bit Mario
Three Stages: Zero, Pro, Hero
Three Stages: Click, Script, Commit
Three Stages of Cloud Security Maturity
Stage One “Click”
• Manual Best Practices
• Static Workloads
• Release 1x per month
Stage Two “Script”
• Automated Controls
• Evolving Workloads
• Release 1-10x per month
Stage Three “Commit”
• Continuous Security
• Agile Workloads
• Release 10-100x per month
… DevSecOps / RuggedOps?
Tools and Automation
Amazon Inspector: An automated security assessment service that helps improve the security and compliance of applications deployed on AWS. Amazon Inspector automatically assesses applications for vulnerabilities or deviations from best practices.
Amazon CloudWatch Events: A monitoring service for AWS cloud resources and the applications you run on AWS. You can easily build workflows that automatically take actions you define, such as invoking an AWS Lambda function, when an event of interest occurs.
AWS Config Rules: A fully managed service that provides you with an AWS resource inventory, configuration history, and configuration change notifications. Config Rules enables you to create rules that automatically check the configuration of AWS resources recorded by AWS Config.
AWS re:Invent 2016: “5 Security Automation Improvements You Can Make by Using Amazon CloudWatch Events and AWS Config Rules” (SAC401)
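The Config Rules description above is the “Script” stage applied to the data protection practices 10–12 earlier in the deck. The block below is an added example (not code from the slides or from AWS) of a custom Config rule: given an S3 bucket configuration item, it reports NON_COMPLIANT unless the bucket has a default server-side encryption rule (AES256 or aws:kms) and a bucket policy that denies every S3 action when aws:SecureTransport is false, then writes the verdict back with the Config PutEvaluations API. The supplementary-configuration keys it reads (ServerSideEncryptionConfiguration and BucketPolicy) follow my understanding of AWS Config’s S3 bucket items and should be treated as an assumption; the two bucket items and their names are constructed samples.

```python
"""Added example, not from the slides or from AWS: an AWS Config custom rule
that marks an S3 bucket NON_COMPLIANT unless it has default server-side
encryption and a bucket policy denying non-TLS access. The configuration item
shape (supplementaryConfiguration.ServerSideEncryptionConfiguration and
.BucketPolicy) is an assumption of this example; the bucket items are constructed."""
import json


def _as_list(value):
    return value if isinstance(value, list) else [value]


def has_default_encryption(sse_config):
    """Practices 10/11: a default SSE rule using AES256 (S3-managed keys) or aws:kms."""
    for rule in (sse_config or {}).get("rules", []):
        alg = rule.get("applyServerSideEncryptionByDefault", {}).get("sseAlgorithm")
        if alg in ("AES256", "aws:kms"):
            return True
    return False


def policy_denies_plain_http(policy_text):
    """Practice 12: a Deny for all S3 actions conditioned on aws:SecureTransport = false."""
    if not policy_text:
        return False
    for st in _as_list(json.loads(policy_text).get("Statement", [])):
        if st.get("Effect") != "Deny":
            continue
        secure = st.get("Condition", {}).get("Bool", {}).get("aws:SecureTransport")
        actions = _as_list(st.get("Action", []))
        if str(secure).lower() == "false" and ("s3:*" in actions or "*" in actions):
            return True
    return False


def evaluate_bucket(item):
    """Return (ComplianceType, annotation) for one S3 bucket configuration item."""
    supp = item.get("supplementaryConfiguration", {})
    problems = []
    if not has_default_encryption(supp.get("ServerSideEncryptionConfiguration")):
        problems.append("no default server-side encryption")
    if not policy_denies_plain_http((supp.get("BucketPolicy") or {}).get("policyText")):
        problems.append("bucket policy does not deny non-TLS access")
    if problems:
        return "NON_COMPLIANT", "; ".join(problems)
    return "COMPLIANT", "encrypted at rest and TLS enforced"


def lambda_handler(event, context):
    """Entry point when AWS Config invokes the rule on a configuration change."""
    import boto3  # imported here so the module still loads where boto3 is absent
    item = json.loads(event["invokingEvent"])["configurationItem"]
    compliance, note = evaluate_bucket(item)
    boto3.client("config").put_evaluations(
        Evaluations=[{
            "ComplianceResourceType": item["resourceType"],
            "ComplianceResourceId": item["resourceId"],
            "ComplianceType": compliance,
            "Annotation": note[:256],   # Config caps annotations at 256 characters
            "OrderingTimestamp": item["configurationItemCaptureTime"],
        }],
        ResultToken=event["resultToken"],
    )


# Constructed sample items: Andy's backup bucket versus Bill's
TLS_ONLY_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
                   "Action": "s3:*",
                   "Resource": ["arn:aws:s3:::example-data-backup",
                                "arn:aws:s3:::example-data-backup/*"],
                   "Condition": {"Bool": {"aws:SecureTransport": "false"}}}],
})
ANDY_BACKUP_BUCKET = {
    "resourceType": "AWS::S3::Bucket", "resourceId": "example-data-backup",
    "configurationItemCaptureTime": "2017-10-30T09:00:00.000Z",
    "supplementaryConfiguration": {
        "ServerSideEncryptionConfiguration": {"rules": [
            {"applyServerSideEncryptionByDefault": {"sseAlgorithm": "aws:kms",
                                                    "kmsMasterKeyID": "alias/example-backup-key"}}]},
        "BucketPolicy": {"policyText": TLS_ONLY_POLICY},
    },
}
BILL_BACKUP_BUCKET = {
    "resourceType": "AWS::S3::Bucket", "resourceId": "bill-data-backup",
    "configurationItemCaptureTime": "2017-10-30T09:00:00.000Z",
    "supplementaryConfiguration": {},
}

if __name__ == "__main__":
    for bucket in (ANDY_BACKUP_BUCKET, BILL_BACKUP_BUCKET):
        print(bucket["resourceId"], *evaluate_bucket(bucket))
```

Keeping evaluate_bucket free of any AWS calls is the point of the split: the compliance logic is unit-tested locally against sample items, and only the thin handler touches the Config service, so a rule can move from “Script” to “Commit” by running those tests in the pipeline.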
Prepare your Umbrella Before it Rains
Resources
• AWS Security Best Practices White Paper: http://bit.ly/AWSBest
• CIS AWS Security Foundations Benchmark: http://bit.ly/AWSCIS
• CIS AWS Three-Tier Web Architecture Benchmark: http://bit.ly/AWSCIS3T
THANK YOU!