Page 1:

© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

BEST PRACTICES FOR SECURITY AT SCALE

Angus McAllister, Solutions Architect, Amazon Web Services
30 October 2017

Page 2:

Agenda

• Security as a Risk Management Process
• Risk Management Methodology
• Reducing risk by using the AWS cloud
• Sources of Best Practices
• A Bad Day
• Best of the Best Practices
  – Identity and Access Management
  – Logging and Monitoring
  – Infrastructure Security
  – Data Protection
• Click, Script, Commit
• Tools and Automation

Page 3:

Securing Information – Managing Risk

• Why are we doing this, again?
• Information an increasingly valuable asset
• Security of that information under increasing threat:
  • Confidentiality
  • Integrity
  • Availability
• Arms race to stay ahead of threats – very challenging
• How can any but the largest organisations afford this?

Page 4:

Risk Management Primer – a Methodology

• Prioritise risks through Threat Modelling:
  1. Identify Information Assets
  2. Identify Bad Actors, motivations and means of attack
  3. Estimate likelihood of each attack succeeding
  4. Quantify impact of a successful attack
  5. Calculate risks: probability * impact
  6. Rank risks in descending order
• Implement counter-measures for subset of risks
• Estimate cost of each
• Establish equilibrium of residual risk

[Diagram: Risks, Costs, Residual Risks]

Page 5:

Reducing Risk by using Cloud

• AWS has sufficient scale to secure resources effectively
• Operating model shares benefits with all customers
• Security risks can be better managed using cloud
• Shared Responsibility Model for security:
  • AWS is responsible for security of the cloud
  • Customers responsible for security in the cloud
• Multiple risk categories transferred to party best placed to manage them: AWS
• Frees up resources to counter more risks

Page 6:

Sources of Best Practices

AWS Security Best Practices
Whitepaper with 44 best practices including:
• Identity and Access Management (10 best practices)
• Logging and Monitoring (4)
• Infrastructure Security (15)
• Data Protection (15)

National Cyber-Security Centre (NCSC) Cloud Security Principles
14 principles to abide by for consuming cloud services:
• Elaboration of each principle to expand understanding
• AWS White Paper: “Using AWS in the context of NCSC UK’s Cloud Security Principles” with detailed recommendations

Center for Internet Security (CIS) Benchmarks
148 detailed recommendations for configuration and auditing covering:
• “AWS Foundations” with 52 checks aligned to AWS Best Practices
• “AWS Three-Tier Web Architecture” with 96 checks for web applications

Page 7:

CIS Benchmarks: What, Why, Check, Fix

Page 8:

A is for “Andy” and B is for “Bill”

Andy follows best practices :-)
Bill does NOT follow best practices :-(

Page 9:

Bill’s Bad Day

[Diagram: Bill’s AWS Account, containing an Internet Gateway, a Web Server Instance, an Internal Data Service, an S3 Bucket “Website Images” and an S3 Bucket “Data Backup”, with Bill and the Internet outside the account]

Page 10:

Bill’s Bad Day

[Diagram: the same AWS Account, now with a Bad Person on the Internet; the numbered steps below are marked on the diagram]

1. Access the vulnerable web application
2. Pivot to the data service
3. Delete the website image files
4. Change permissions to the data backup
5. Download the data backup

Page 11:

Bill’s Bad Day

[Diagram: Bill’s AWS Account (Internet Gateway, Web Server Instance, Internal Data Service, S3 Bucket “Website Images”, S3 Bucket “Data Backup”); the numbered weaknesses below are marked on the diagram, with Andy pictured at the transition]

1. No web application protection
2. One account
3. No segmentation
4. All permissions granted
5. Sensitive data not encrypted
6. No logging, monitoring, alerting

… now let’s help Andy have a great day! :-)

Page 12:

Best of the Best Practices: Identity and Access Mgmt

1) Use multiple AWS accounts to reduce blast radius
AWS accounts provide administrative isolation between workloads across different lines of business, regions, stages of production and types of data classification.

2) Use limited roles and grant temporary security credentials
IAM roles and temporary security credentials mean you don't always have to manage long-term credentials and IAM users for each entity that requires access to a resource.

3) Federate to an existing identity service
Control access to AWS resources, and manage the authentication and authorisation process without needing to re-create all your corporate users as IAM users.

Sources cited on the slide: AWS Best Practices Paper, CIS Foundation Benchmark, CIS Web-Tier Benchmark, NCSC Cloud Security Principle.

[Diagram: Production and Staging accounts; IAM, IAM Roles, Temporary Security Credentials, MFA token; AWS Directory Service]

Page 13:

Identity and Access Management (step 1)

[Diagram: Andy’s environment across three AWS Accounts, with Internet, Internet Gateway, Web Server Instance, S3 Bucket “Website Images”, Internal Data Service, S3 Bucket “Data Backup”, IAM, Temporary Security Credentials, MFA token and AWS Directory Service]

Page 14:

Best of the Best Practices: Logging and Monitoring

4) Turn on logging in all accounts, for all services, in all regions
The AWS API history in CloudTrail enables security analysis, resource change tracking, and compliance auditing. CloudWatch collects and tracks metrics and monitors log files.

5) Use the AWS platform’s built-in monitoring and alerting features
Monitoring a broad range of sources will ensure that unexpected occurrences are detected. Establish alarms and notifications for anomalous or sensitive account activity.

6) Use a separate AWS account to fetch and store copies of all logs
Configuring a security account to copy logs to a separate bucket ensures access to information which can be useful in security incident response workflows.

Sources cited for each practice: AWS Best Practices Paper, CIS Foundation Benchmark, NCSC Cloud Security Principle.

[Diagram: AWS Config, Amazon CloudWatch, AWS CloudTrail and CloudWatch Alarms, spanning a Production account and a Security account]
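Practice 5 asks for alarms on anomalous or sensitive account activity. As an added example (not code from the deck or from AWS), the Python below runs checks modelled on the CIS AWS Foundations Benchmark metric filters (root account use, unauthorized API calls, S3 bucket permission changes) over constructed CloudTrail-format records, and adds a mass-deletion check matching steps 3 and 4 of Bill’s bad day. The event names and the AllUsers grantee URI are the real CloudTrail and S3 values; the records, the principal names and the burst threshold are made up.

```python
from collections import Counter
# Constructed CloudTrail-style records: field names follow the CloudTrail record
# format, every value is made up. PutBucketAcl mimics step 4 of Bill's bad day,
# the 25 DeleteObject records mimic step 3.
WEBAPP = {"type": "IAMUser", "userName": "webapp"}
SAMPLE_EVENTS = [
    {"eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "Root"}},
    {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "userIdentity": WEBAPP, "errorCode": "Client.UnauthorizedOperation"},
    {"eventSource": "s3.amazonaws.com", "eventName": "PutBucketAcl", "userIdentity": WEBAPP,
     "requestParameters": {"bucketName": "data-backup", "AccessControlPolicy": {
         "AccessControlList": {"Grant": {"Permission": "READ", "Grantee": {
             "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}}}}}},
] + [
    {"eventSource": "s3.amazonaws.com", "eventName": "DeleteObject", "userIdentity": WEBAPP,
     "requestParameters": {"bucketName": "website-images", "key": f"img{i}.png"}}
    for i in range(25)
]

PUBLIC_GRANTEE_PREFIX = "http://acs.amazonaws.com/groups/global/"  # AllUsers, AuthenticatedUsers
S3_PERMISSION_EVENTS = {"PutBucketAcl", "PutBucketPolicy", "DeleteBucketPolicy"}

def principal(event):
    """IAM user name, or the identity type (e.g. 'Root') when there is none."""
    ident = event.get("userIdentity", {})
    return ident.get("userName", ident.get("type", "unknown"))

def classify(event):
    """Alert names one record triggers; mirrors CIS Foundations metric filters 3.3, 3.1 and 3.8."""
    alerts, ident = [], event.get("userIdentity", {})
    if ident.get("type") == "Root" and "invokedBy" not in ident:
        alerts.append("root-account-usage")
    err = event.get("errorCode", "")
    if err.endswith("UnauthorizedOperation") or err.startswith("AccessDenied"):
        alerts.append("unauthorized-api-call")
    if event.get("eventSource") == "s3.amazonaws.com" and event.get("eventName") in S3_PERMISSION_EVENTS:
        alerts.append("s3-bucket-permission-change")
        policy = event.get("requestParameters", {}).get("AccessControlPolicy", {})
        grants = policy.get("AccessControlList", {}).get("Grant", [])
        grants = [grants] if isinstance(grants, dict) else grants  # a single grant arrives as a dict
        if any(g.get("Grantee", {}).get("URI", "").startswith(PUBLIC_GRANTEE_PREFIX) for g in grants):
            alerts.append("s3-bucket-made-public")
    return alerts

def detect(events, burst=20):
    """Per-record alerts plus a cross-record mass-deletion check (burst threshold is made up)."""
    findings, deletes = [], Counter()
    for ev in events:
        bucket = ev.get("requestParameters", {}).get("bucketName")
        findings.extend((name, principal(ev), bucket) for name in classify(ev))
        if ev.get("eventSource") == "s3.amazonaws.com" and ev.get("eventName") == "DeleteObject":
            deletes[(principal(ev), bucket)] += 1
    findings.extend(("s3-mass-deletion", who, b) for (who, b), n in deletes.items() if n >= burst)
    return findings
```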

Page 15:

Logging and Monitoring (step 2)

[Diagram: Andy’s environment across two AWS Accounts, adding AWS Config, Amazon CloudWatch and AWS CloudTrail to the Internet, Internet Gateway, Web Server Instance, S3 Bucket “Website Images”, Internal Data Service, S3 Bucket “Database Backup”, IAM, Temporary Security Credentials, MFA token and AWS Directory Service]

Page 16:

Best of the Best Practices: Infrastructure Security

7) Create a threat prevention layer using AWS edge services
Use the 70 worldwide points of presence in the AWS edge network to provide scalability, protect from denial of service attacks, and protect from web application attacks.

8) Create network zones with Virtual Private Clouds (VPCs) and security groups
Implement security controls at the boundaries of hosts and virtual networks within the cloud environment to enforce access policy.

9) Manage vulnerabilities through patching and scanning
Test virtual machine images and snapshots for operating system and application vulnerabilities throughout the build pipeline and into the operational environment.

Sources cited on the slide: AWS Best Practices Paper, CIS Web-Tier Benchmark, CIS Foundation Benchmark, NCSC Cloud Security Principle.

[Diagram: AWS WAF, AWS Shield and Amazon CloudFront; Security Group; Amazon Inspector]

Page 17:

Infrastructure Security (step 3)

[Diagram: Andy’s environment across two AWS Accounts, adding AWS WAF, AWS Shield, Amazon CloudFront, Security Groups and Amazon Inspector to the Internet, Internet Gateway, Web Server Instance, S3 Bucket “Website Images”, Internal Data Service, S3 Bucket “Data Backup”, IAM, Temporary Security Credentials, MFA token, AWS Config, Amazon CloudWatch, AWS CloudTrail and AWS Directory Service]

Page 18:

Best of the Best Practices: Data Protection

10) Encrypt data at rest (with occasional exceptions)
Enabling encryption at rest helps ensure the confidentiality and integrity of data. Consider encrypting everything that is not public.

11) Use server-side encryption with provider managed keys
AWS Key Management Service (KMS) is seamlessly integrated with 18 other AWS services. You can use a default master key or select a custom master key, both managed by AWS.

12) Encrypt data in transit (with no exceptions)
Encryption of data in transit provides protection from accidental disclosure, verifies the integrity of the data, and can be used to validate the remote connection.

Sources cited for each practice: AWS Best Practices Paper, CIS Foundation Benchmark, NCSC Cloud Security Principle.

[Diagram: AWS KMS and Data Encryption Key; AWS KMS with Amazon S3 and Amazon CloudFront; Internet Gateway with SSL / TLS / HTTPS]

Page 19:

Data Protection (step 4)

[Diagram: Andy’s environment across two AWS Accounts, adding AWS KMS and a Data Encryption Key to the Internet, Internet Gateway, AWS WAF, AWS Shield, Amazon CloudFront, Security Groups, Web Server Instance, S3 Bucket “Website Images”, Internal Data Service, S3 Bucket “Data Backup”, Amazon Inspector, IAM, Temporary Security Credentials, MFA token, AWS Config, Amazon CloudWatch, AWS CloudTrail and AWS Directory Service]

Page 20:

Best Practices

[Diagram: Andy’s complete environment across two AWS Accounts: Internet, Internet Gateway, AWS WAF, AWS Shield, Amazon CloudFront, Security Groups, Web Server Instance, S3 Bucket “Website Images”, Internal Data Service, S3 Bucket “Data Backup”, AWS KMS with Data Encryption Key, Amazon Inspector, IAM, Temporary Security Credentials, MFA token, AWS Config, Amazon CloudWatch, AWS CloudTrail and AWS Directory Service]

Page 21:

Now it’s time to move from the WHAT to the HOW

Page 22:

Three Speeds

Crawl Walk Run

Page 23:

Three Levels

8-bit Mario 16-bit Mario 64-bit Mario

Page 24:

Three Stages

Zero Pro Hero

Page 25:

Three Stages

Click Script Commit

Page 26:

Three Stages of Cloud Security Maturity

Stage One “Click”
• Manual Best Practices
• Static Workloads
• Release 1x per month

Stage Two “Script”
• Automated Controls
• Evolving Workloads
• Release 1-10x per month

Stage Three “Commit”
• Continuous Security
• Agile Workloads
• Release 10-100x per month

… DevSecOps / RuggedOps?

Page 27:

Tools and Automation

Amazon Inspector
An automated security assessment service that helps improve the security and compliance of applications deployed on AWS. Amazon Inspector automatically assesses applications for vulnerabilities or deviations from best practices.

Amazon CloudWatch Events
A monitoring service for AWS cloud resources and the applications you run on AWS. You can easily build workflows that automatically take actions you define, such as invoking an AWS Lambda function, when an event of interest occurs.

AWS Config Rules
A fully managed service that provides you with an AWS resource inventory, configuration history, and configuration change notifications. Config Rules enables you to create rules that automatically check the configuration of AWS resources recorded by AWS Config.

AWS re:Invent 2016: “5 Security Automation Improvements You Can Make by Using Amazon CloudWatch Events and AWS Config Rules” (SAC401)
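Practices 10 and 11, and weakness 4 of Bill’s bad day, are the kind of thing a custom Config rule can check continuously. The evaluation below is an added example, not code from the deck or from AWS: it scores a constructed AWS::S3::Bucket configuration item as COMPLIANT or NON_COMPLIANT for default encryption at rest and for public ACL grants. The field layout of the items (AccessControlList as a JSON string with grantList, ServerSideEncryptionConfiguration.rules[].applyServerSideEncryptionByDefault) is an assumption modelled on recorded items and should be verified against your own account; all values are made up, and the handler returns the evaluation instead of calling put_evaluations so that it runs offline.

```python
import json
# Constructed AWS Config configuration items for AWS::S3::Bucket. The key layout
# (AccessControlList as a JSON string with grantList; ServerSideEncryptionConfiguration
# .rules[].applyServerSideEncryptionByDefault) is an assumption modelled on recorded
# items, not a documented contract; every value is made up.
BILL_BUCKET = {  # Bill's "Data Backup" after step 4: no default encryption, world-readable
    "resourceType": "AWS::S3::Bucket", "resourceId": "data-backup",
    "configurationItemCaptureTime": "2017-10-30T09:00:00.000Z",
    "supplementaryConfiguration": {
        "AccessControlList": json.dumps({"grantList": [
            {"grantee": "AllUsers", "permission": "Read"},
            {"grantee": {"id": "EXAMPLE-OWNER-ID"}, "permission": "FullControl"}]}),
    },
}
ANDY_BUCKET = {  # Andy's bucket: SSE-KMS default encryption, owner-only ACL
    "resourceType": "AWS::S3::Bucket", "resourceId": "data-backup-andy",
    "configurationItemCaptureTime": "2017-10-30T09:00:00.000Z",
    "supplementaryConfiguration": {
        "AccessControlList": json.dumps({"grantList": [
            {"grantee": {"id": "EXAMPLE-OWNER-ID"}, "permission": "FullControl"}]}),
        "ServerSideEncryptionConfiguration": {"rules": [{"applyServerSideEncryptionByDefault": {
            "sseAlgorithm": "aws:kms", "kmsMasterKeyID": "arn:aws:kms:eu-west-1:111122223333:key/EXAMPLE-KEY"}}]},
    },
}
PUBLIC_GRANTEES = {"AllUsers", "AuthenticatedUsers"}  # the two predefined public S3 groups

def evaluate_bucket(item):
    """Return (ComplianceType, Annotation) for one bucket configuration item."""
    supp = item.get("supplementaryConfiguration") or {}
    problems = []
    rules = (supp.get("ServerSideEncryptionConfiguration") or {}).get("rules") or []
    algos = sorted({r.get("applyServerSideEncryptionByDefault", {}).get("sseAlgorithm") for r in rules} - {None})
    if not algos:
        problems.append("no default encryption at rest (practice 10)")
    acl_raw = supp.get("AccessControlList")
    acl = json.loads(acl_raw) if isinstance(acl_raw, str) else (acl_raw or {})
    public = [g for g in acl.get("grantList", [])
              if isinstance(g.get("grantee"), str) and g["grantee"] in PUBLIC_GRANTEES]
    if public:
        problems.append("public ACL grant: " + ", ".join(f"{g['permission']} to {g['grantee']}" for g in public))
    if problems:
        return "NON_COMPLIANT", "; ".join(problems)[:256]  # Config caps annotations at 256 characters
    return "COMPLIANT", f"default encryption on ({', '.join(algos)}), no public ACL grants"

def lambda_handler(event, context=None):
    """Entry point Config invokes; the item arrives JSON-encoded in event['invokingEvent'].
    A deployed rule would hand the returned evaluation to config.put_evaluations(...,
    ResultToken=event['resultToken']); returning it keeps this example offline."""
    item = json.loads(event["invokingEvent"])["configurationItem"]
    compliance, note = evaluate_bucket(item)
    return {"ComplianceResourceType": item["resourceType"], "ComplianceResourceId": item["resourceId"],
            "ComplianceType": compliance, "Annotation": note,
            "OrderingTimestamp": item["configurationItemCaptureTime"]}

SAMPLE_INVOCATION = {"resultToken": "constructed-token",  # shape Config sends to a change-triggered rule
                     "invokingEvent": json.dumps({"configurationItem": BILL_BUCKET})}
```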

Page 28:

Prepare your Umbrella Before it Rains

Page 29:

Resources

AWS Security Best Practices White Paper: http://bit.ly/AWSBest
CIS AWS Security Foundations Benchmark: http://bit.ly/AWSCIS
CIS AWS Three-Tier Web Architecture Benchmark: http://bit.ly/AWSCIS3T

Page 30:

© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

THANK YOU!