AWS Government, Education, and Nonprofit Symposium Washington, DC I June 25-26, 2015
Networking: New Capabilities for Amazon Virtual Private Cloud
Mark Ryland, Chief Architect, [email protected]
©2015, Amazon Web Services, Inc. or its affiliates. All rights reserved.
New capabilities for Amazon VPC
• VPC endpoints
– Generic capability
– First VPCE available is for S3
• VPC Flow Logs
– Netflow-like data from elastic network interfaces
Problem statement
• AWS “abstracted services”[1] generally have service endpoints on the public address side of an AWS region
• How best to reach those endpoints from inside your VPC?
[1] “AWS Security Best Practices” whitepaper, Nov 2013, p. 7
Reaching public endpoints
Public IPs and IGW
Pros
• Highly available
• Horizontally scalable
• Can restrict dest. ports/CIDRs
Cons
• Public IPs; security controls are limited
• Can reach entire S3 service
NAT/PAT server(s)
Pros
• Central control
• All protocols
Cons
• Availability risks
• Scaling hard, limited
• Lots of work to manage
• Security limitations similar to use of IGW
Proxy server(s)
Pros
• Central control
• Can scale fairly well
• Many security options
Cons
• Availability risks
• Lots of work to manage and scale
• Works only with HTTP/S
VPC endpoints to the rescue
• No need for public IP addresses, NAT/PAT, or proxies
• Highly available; no SPOF
• Practically infinite horizontal scalability
• Rich security controls
Rich security controls
• New route entry
– As many endpoints per VPC as you like, but maximum one assigned route per subnet
• New logical destination address for security group outbound traffic rules
– Thus, instance-level control through security groups
Rich security controls (cont.)
• Policies on VPC endpoints
– Logically, resource policies (not IAM policies)
– Constrain principals, actions, destination buckets, paths within buckets
• S3 bucket policies
– Constrain source VPCs, VPC endpoints, or both
• All policies ANDed together (IAM, VPC endpoints, S3)
VPC endpoint policy example
{
  "Statement": [
    {
      "Sid": "Access-to-specific-bucket-only",
      "Principal": "*",
      "Action": ["s3:GetObject", "s3:PutObject"],
      "Effect": "Allow",
      "Resource": ["arn:aws:s3:::my_secure_bucket", "arn:aws:s3:::my_secure_bucket/*"]
    }
  ]
}
S3 bucket policy example #1
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Access-to-specific-VPCE-only",
      "Principal": "*",
      "Action": "s3:*",
      "Effect": "Deny",
      "Resource": ["arn:aws:s3:::my_secure_bucket", "arn:aws:s3:::my_secure_bucket/*"],
      "Condition": {
        "StringNotEquals": {
          "aws:sourceVpce": "vpce-1a2b3c4d"
        }
      }
    }
  ]
}
S3 bucket policy example #2
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Access-to-specific-VPC-only",
      "Principal": "*",
      "Action": "s3:*",
      "Effect": "Deny",
      "Resource": ["arn:aws:s3:::my_secure_bucket", "arn:aws:s3:::my_secure_bucket/*"],
      "Condition": {
        "StringNotEquals": {
          "aws:sourceVpc": "vpc-111bbb22"
        }
      }
    }
  ]
}
VPC Flow Logs
• Longstanding ask: greater visibility into VPC network behavior
– Specifically, what about those security group and network ACL DENY cases?
• VPC Flow Logs provide the answer
VPC Flow Logs (cont.)
• Enabled at the ENI, subnet, or VPC level
• Traffic data surfaced as “flow log records” per ENI
• Exposed as CloudWatch Logs groups and streams
• Data accumulated and published to CW Logs at ~10 minute intervals
• Normal CloudWatch Logs groups/streams with all related features
– For example, new CloudWatch Logs -> Amazon Kinesis stream integration
Flow Log record (text, space-delimited)
Field – Description
• version – The VPC Flow Logs version.
• account-id – The AWS account ID for the Flow Log.
• interface-id – The ID of the network interface for which the log stream applies.
• srcaddr – The source IP address. The IP address of the network interface is always its private IP address.
• dstaddr – The destination IP address. The IP address of the network interface is always its private IP address.
• srcport – The source port of the traffic.
• dstport – The destination port of the traffic.
• protocol – The IANA protocol number of the traffic. For more information, go to Assigned Internet Protocol Numbers.
• packets – The number of packets transferred during the capture window.
• bytes – The number of bytes transferred during the capture window.
• start – The time, in Unix seconds, of the start of the capture window.
• end – The time, in Unix seconds, of the end of the capture window.
• action – The action associated with the traffic. ACCEPT: the recorded traffic was permitted by the security groups or network ACLs. REJECT: the recorded traffic was not permitted by the security groups or network ACLs.
• log-status – The logging status of the flow log. OK: data is logging normally to CloudWatch Logs. NODATA: there was no network traffic to or from the network interface during the capture window. SKIPDATA: some flow log records were skipped during the capture window.
Example records
RDP traffic denied:
2 123456789010 eni-abc123de 172.168.1.12 172.168.1.11 49761 3389 6 1 231 1439530000 1439530060 REJECT OK
SSH traffic allowed:
2 123456789010 eni-abc123de 172.168.1.12 172.168.1.11 20641 22 6 20 4249 1438530010 1438530070 ACCEPT OK
Fields in order, as annotated on the slide: version number, AWS account number, ENI identifier, source address, destination address, source port, destination port, protocol number, total packets in flow, total bytes in flow, start of capture window, end of capture window, action, log status.
The start and end times of the SSH record (1438530010 and 1438530070) correspond to Sun, 02 Aug 2015 15:40:10 GMT and Sun, 02 Aug 2015 15:41:10 GMT.
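The record layout and the two example records above, worked through as an added example that is not part of the deck: a parser for the version-2, space-delimited format (including the “-” fields that NODATA and SKIPDATA records carry) and a check that pulls out the REJECTed flows the deck says were previously invisible. The NODATA record in the sample stream is constructed.

```python
"""Parser for the version-2, space-delimited flow log record above, with a
check that surfaces REJECTed flows to ports of interest. Added example, not
code from the deck; the sample stream is the slide's two records plus one
constructed NODATA record."""
from datetime import datetime, timezone

FIELDS = ["version", "account-id", "interface-id", "srcaddr", "dstaddr", "srcport",
          "dstport", "protocol", "packets", "bytes", "start", "end", "action", "log-status"]
INT_FIELDS = {"version", "srcport", "dstport", "protocol", "packets", "bytes", "start", "end"}

SAMPLE_STREAM = """\
2 123456789010 eni-abc123de 172.168.1.12 172.168.1.11 49761 3389 6 1 231 1439530000 1439530060 REJECT OK
2 123456789010 eni-abc123de 172.168.1.12 172.168.1.11 20641 22 6 20 4249 1438530010 1438530070 ACCEPT OK
2 123456789010 eni-abc123de - - - - - - - 1438530070 1438530130 - NODATA
"""

def parse_record(line):
    """Split one record into a dict; '-' (used by NODATA/SKIPDATA records) becomes None."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
    record = dict(zip(FIELDS, parts))
    for name in FIELDS:
        if record[name] == "-":
            record[name] = None
        elif name in INT_FIELDS:
            record[name] = int(record[name])
    return record

def capture_window(record):
    """Start and end of the capture window in the GMT form the slide annotates."""
    fmt = "%a, %d %b %Y %H:%M:%S GMT"
    return tuple(datetime.fromtimestamp(record[k], tz=timezone.utc).strftime(fmt)
                 for k in ("start", "end"))

def rejected_flows(stream, watch_ports=(22, 3389)):
    """Return (srcaddr, dstaddr, dstport) for flows a security group or network
    ACL rejected on the watched ports: the DENY cases the deck says were invisible."""
    hits = []
    for line in stream.splitlines():
        record = parse_record(line)
        if record["action"] == "REJECT" and record["dstport"] in watch_ports:
            hits.append((record["srcaddr"], record["dstaddr"], record["dstport"]))
    return hits

if __name__ == "__main__":
    for src, dst, port in rejected_flows(SAMPLE_STREAM):
        print(f"rejected: {src} -> {dst}:{port}")
```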
VPC networking
• Continually advancing the state of the art
• Focused on improving control and visibility
• Integration with third-party monitoring and management tools
• Key element of AWS's increasingly powerful security suite
Thank You.
This presentation will be loaded to SlideShare the week following the Symposium.
http://www.slideshare.net/AmazonWebServices