19
Securing the Enterprise’s Cloud Assets on Amazon Web Services (AWS)

Securing the Enterprise’s Cloud Assets on Amazon Web ...lp.cyberark.com/rs/cyberarksoftware/images/wp... · Securing the Enterprise’s Cloud Assets 3 ... Securing the Enterprise’s

Embed Size (px)

Citation preview

Page 1: Securing the Enterprise’s Cloud Assets on Amazon Web ...lp.cyberark.com/rs/cyberarksoftware/images/wp... · Securing the Enterprise’s Cloud Assets 3 ... Securing the Enterprise’s

Securing the Enterprise’s Cloud Assets on Amazon Web Services (AWS)

Page 2: Securing the Enterprise’s Cloud Assets on Amazon Web ...lp.cyberark.com/rs/cyberarksoftware/images/wp... · Securing the Enterprise’s Cloud Assets 3 ... Securing the Enterprise’s

©Cyber-Ark Software Ltd. | cyberark.com 2

Table of Contents

Securing the Enterprise’s Cloud Assets 3

Amazon Web Services and CyberArk 4

Securing the Enterprise’s AWS Environments with CyberArk Privileged Account Security 6

Overview 6

1. Identifying and Securing Cloud Assets 7

Discovery of AWS Assets 7

Securing and Monitoring Interactive Access to the AWS Management Console and APIs 8

Securing and Monitoring Access to AWS EC2 Instances 10

2. Automating Provisioning Processes 12

Managing AWS API Keys 12

Provisioning Processes 13

AWS Auto Scaling of Applications and Securing Credentials 16

3. Automating Deployment of the CyberArk Environment 16

Accept 17

Summary 18

Page 3: Securing the Enterprise’s Cloud Assets on Amazon Web ...lp.cyberark.com/rs/cyberarksoftware/images/wp... · Securing the Enterprise’s Cloud Assets 3 ... Securing the Enterprise’s

Securing the Enterprise’s Cloud Assets on Amazon Web Services (AWS)

©Cyber-Ark Software Ltd. | cyberark.com 3

Securing the Enterprise’s Cloud AssetsEnterprises embark on a cloud journey for a variety of reasons – some companies are native cloud, or “all-in” cloud

from the start. More typically, while an increasing number of enterprises have embraced “Cloud-First” strategies, and in

some cases “Automation-First” strategies, large enterprises migrate segments of their

business over time to the cloud.

Large enterprises may initially adopt cloud to support on-demand computing for

applications, such as big data analytics which may require significant compute and

storage resources, but only intermittently. Other enterprises are driven by cost

savings, in some cases entirely eliminating the need to operate physical data centers,

and gaining increased efficiency. Others are driven at least in part by the increased

availability of their applications and the overall reliability of cloud-based solutions.

But, cloud has a lot more to offer than cost savings. Enterprises with the highest

levels of cloud adoption, typically, not only completely re-architect their applications,

but also take advantage of automation to streamline their entire development and

deployment process. They adopt DevOps processes and continuous integration (CI)

and continuous delivery/deployment (CD) pipelines with the objective of more nimbly

meeting customer and business needs.

Regardless of where enterprises are in their cloud journey, CyberArk’s goal is to enable enterprises to protect their

cloud assets by providing powerful solutions for securing privileged accounts and credentials at each stage of the

journey. Most important, with CyberArk enterprises can consistently enforce security policies regardless of their

different compute environments, delivery pipelines and automation tools. Additionally, CyberArk’s cloud automation

tools simplify and accelerate the deployment of CyberArk solutions in the public cloud.

Robust security is a critical requirement for organizations. However, in recent years, questioning the security of cloud

environments has become less of a concern to large enterprises as they recognize that with the right approach, cloud

environments can be highly secure.

But it is critical to recognize that security in the cloud is a shared responsibility between the public cloud vendor and

the enterprise. AWS goes to great efforts to ensure the security OF the cloud infrastructure, including the compute,

storage and networking resources as well as the physical infrastructure. However, each of the public cloud vendors

are very clear that security in the cloud is a shared responsibility, and that the enterprise, as the application owner, is

responsible for protecting their applications, data, the OS and other enterprise infrastructure, as well as other assets

running IN the cloud. So in summary, everything above the hypervisor or equivalent layer is the responsibility of the

enterprise.

CyberArk’s goal is to

enable enterprises to

protect their cloud

assets by providing

powerful solutions for

securing privileged

accounts and

credentials at each

stage of the journey.

Page 4: Securing the Enterprise’s Cloud Assets on Amazon Web ...lp.cyberark.com/rs/cyberarksoftware/images/wp... · Securing the Enterprise’s Cloud Assets 3 ... Securing the Enterprise’s

Securing the Enterprise’s Cloud Assets on Amazon Web Services (AWS)

©Cyber-Ark Software Ltd. | cyberark.com 4

Customer Data

Global Infrastructure / Regions | Physical Infrastructure

Customer /Enterprise

Security INthe Cloud

Security OFthe Cloud

Applications AccessMgmtIdentity

OS Network Firewall

Compute Storage Networking

Client SideEncryption

NetworkProtection

Server SideEncryption Public

CloudManagement

Console

Cloud Security is a Shared Responsibility

Additionally, when organizations use any public cloud vendor, including AWS, the organization accesses the entire cloud

infrastructure through the cloud vendor’s management console – for AWS this is the AWS Management Console. The

console is accessed by both human users and scripts, APIs and other non-human users.

This management console is incredibly powerful and holds the “keys to the cloud kingdom,” even more so than for the

on-premises admin consoles. For example, the management console enables set up and configuration of the entire cloud

infrastructure – allocating resources, setting up applications and compute instances, and determining the regions and

Availability Zones that the apps run in. The console is also used to set up all the security parameters, enabling which users

have access, their level of access, etc. It also handles all the billing, and is used to make purchases from the AWS

Marketplace. The console is clearly a very attractive target for attackers and must be protected at all costs.

Amazon Web Services and CyberArkAmazon Web Services (AWS) is widely recognized as a leading provider of public cloud services, offering organizations

of all sizes a highly reliable, scalable, low-cost infrastructure platform in the cloud. AWS has grown dramatically since

its inception just over 10 years ago, and today, AWS serves several hundreds of thousands of businesses in some 190

countries, and operates data centers around the globe.

For customers, the AWS platform offers a broad and ever-increasing array of capabilities and computing resources,

including various compute and storage resources as well as many other services. For example, the Amazon EC2

(Elastic Compute Cloud), and S3 (Simple Storage Service), are widely used. Within each service there is a broad range

of sub-services available, such as graphics intensive, burstable, high I/O, as well as general purpose compute

resources -- and similarly for storage. Various databases, networking and some basic security services are also offered

as well as tools to build and develop applications.

In addition to internal AWS capabilities, AWS also offers enterprise-focused solutions from third-party vendors like

CyberArk.

Page 5: Securing the Enterprise’s Cloud Assets on Amazon Web ...lp.cyberark.com/rs/cyberarksoftware/images/wp... · Securing the Enterprise’s Cloud Assets 3 ... Securing the Enterprise’s

Securing the Enterprise’s Cloud Assets on Amazon Web Services (AWS)

©Cyber-Ark Software Ltd. | cyberark.com 5

AWS is an important partner for CyberArk, and CyberArk’s priority is to help to ensure that large enterprises can more

fully secure and protect their cloud assets running on AWS. CyberArk has worked closely with AWS at the technical

level to ensure that our offerings are optimized for AWS and meet both the AWS architectural requirements, as well as

CyberArk’s Security Fundamentals for Privileged Account Security.

Today, CyberArk serves a growing group of enterprise customers that are using CyberArk solutions to help protect and

secure their cloud assets running on AWS. The configurations and customer needs can vary significantly depending on

the customers’ business objectives. For example, in some cases customers run the primary and disaster recovery

CyberArk vaults on AWS, while in others a hybrid environment is used. CyberArk continues to expand its AWS-

focused capabilities, and today, for example, a complete CyberArk environment can be set up on AWS in a matter of

minutes using CyberArk cloud automation tools.

Additionally, CyberArk has various integrations with AWS. For example, some customers taking advantage of on-

demand computing using AWS Auto Scaling have integrated with CyberArk to help ensure privileged accounts and

credentials are immediately secured when new application instances are created.

CyberArk’s technical teams around the globe have developed deep expertise by working closely with enterprises on

their AWS cloud journey, as they move from evaluation, to deployment and into production. In some cases customers

have shut down their data centers and migrated completely to the cloud, relying on CyberArk solutions to help ensure

the security of their on-premises, hybrid, and “all-in” cloud environments.

CyberArk works with, and offers solutions and guidance to, enterprises at each stage of their cloud journey – from

evaluating security needs during an initial migration to helping ensure the enhanced security of a large enterprise

embracing a “Cloud-First” strategy.

For additional information about AWS refer to https://aws.amazon.com/about-aws/ https://aws.amazon.com/security/

Page 6: Securing the Enterprise’s Cloud Assets on Amazon Web ...lp.cyberark.com/rs/cyberarksoftware/images/wp... · Securing the Enterprise’s Cloud Assets 3 ... Securing the Enterprise’s

Securing the Enterprise’s Cloud Assets on Amazon Web Services (AWS)

©Cyber-Ark Software Ltd. | cyberark.com 6

Securing the Enterprise’s AWS Environments with CyberArk Privileged Account SecurityOverview

This document, comprising three sections, describes how enterprises can achieve the highest level of security for their AWS

environments by implementing CyberArk Privileged Account Security Solutions.

1. Identifying and Securing Cloud Assets – Describes how the CyberArk Privileged Account Security Solution discovers

AWS assets and secures them. CyberArk solutions help enterprises ensure that only authorized users are permitted to

access these assets and that all access is monitored and recorded so as to provide a full audit trail.

� Discovering AWS assets via CyberArk Discovery & Audit™ (DNA)

� Securing and monitoring access to the AWS Management Console

� Securing and monitoring access to AWS EC2 instances

� Implementing a Jump Server for accessing the AWS environment

2. Automating Provisioning Processes – Describes how CyberArk solutions can automate provisioning processes, then

replace embedded API keys and allow scripts to run to better protect AWS keys or other credentials.

� Managing AWS API keys

� Provisioning processes

� Auto scaling applications and securing credentials

3. Automating Deployment of the CyberArk Environment – Describes, how by using CyberArk’s cloud automation tools,

the complete CyberArk Privileged Account Security environment can be automatically deployed on AWS in minutes.

Page 7: Securing the Enterprise’s Cloud Assets on Amazon Web ...lp.cyberark.com/rs/cyberarksoftware/images/wp... · Securing the Enterprise’s Cloud Assets 3 ... Securing the Enterprise’s

Securing the Enterprise’s Cloud Assets on Amazon Web Services (AWS)

©Cyber-Ark Software Ltd. | cyberark.com 7

1. Identifying and Securing Cloud Assets Discovery of AWS Assets

In a dynamic, constantly changing environment where EC2 instances spin up and down regularly, it is not only hard for

administrators to keep track of the current servers and their key pairs, but also challenging to determine, from a security

perspective, which are most vulnerable and need to be prioritized. Additionally, when administrators need to delegate

permissions and create new IAM (Identity and Access Management) users for different roles in the organization, it can be

challenging to track and identify the users who can mistakenly cause harm, such as the privileged users of the AWS

Management Console.

So before starting a privileged account security project, it is important to assess the risk and understand the status of the

privileged accounts across the complete, and likely dynamic, cloud environment. Understanding these risks is a

foundational step to help build an effective program to mitigate these risks.

CyberArk’s Discovery and Audit™ (DNA) utility is designed to scan privileged accounts from different sources, such as

Active Directory, Linux systems, and AWS environments. Note, DNA is an agentless scanner that leverages the AWS API to

access the AWS console and discover privileged IAM users and their access keys.

DNA discovers existing EC2 instances, no matter what their state, which indicates the potential number of local privileged

accounts. If AWS Inspector is also used, DNA’s integration with AWS Inspector enables the security risk on each of the

EC2 instances to be determined. Additionally, when provided with proper credentials, DNA can be used to scan the EC2

instances for privileged accounts, CyberArk Application Identity Manager™ accounts and access keys.

DNA also detects AWS EC2 Key pairs that are used to encrypt-decrypt EC2 instance login information. This information

enables DNA to track the number of entities that can potentially create EC2 instances.

The following example demonstrates how DNA provides privilege risk assessment to an AWS environment.

Page 8: Securing the Enterprise’s Cloud Assets on Amazon Web ...lp.cyberark.com/rs/cyberarksoftware/images/wp... · Securing the Enterprise’s Cloud Assets 3 ... Securing the Enterprise’s

Securing the Enterprise’s Cloud Assets on Amazon Web Services (AWS)

©Cyber-Ark Software Ltd. | cyberark.com 8

Securing and Monitoring Interactive Access to the AWS Management Console and APIs

AWS administrators use the AWS Management Console or API access (e.g., PowerShell) to interactively administer

the AWS platform. Unauthorized or uncontrolled access to the console or through APIs could lead to shutdown of the

entire cloud environment, data exfiltration, etc. The risk of these and other serious breaches make it essential for

enterprises to secure and monitor any and all potential access paths.

For example, unsecured access to the AWS Management Console may lead to the following security risks:

� Takeover of the administrator endpoint and hijacking of credentials used to access the cloud administrative interfaces.

� Lack of controls may allow insiders, as well as attackers, to mistakenly or maliciously access the cloud administrative interfaces and cause damage.

� Lack of sufficient monitoring of cloud administrative access prevents security teams from analyzing the impact of a human error or breach.

AWS Identity and Access Management (IAM) enables organizations to securely control user access to AWS services

and resources. Using IAM, teams can create and manage AWS users and groups and use permissions to allow or

deny access to AWS resources (similarly to role-based access in Active Directory). CyberArk recommends that

organizations use AWS Identity and Access Management (IAM) to securely control user access to AWS services and

resources.

Specifically these AWS privileged accounts should be on-boarded into the CyberArk Vault, so that access to cloud

administrative interfaces are controlled and monitored, as detailed below.

By defining AWS privileged users in the CyberArk solution (directly or through Active Directory) and using CyberArk

Privileged Session Manager™ to access the AWS Management Console, organizations can take steps to prevent

users from knowing the password they use to access the AWS Management Console and, more important, reduce

the risk of these sensitive passwords reaching the user’s potentially compromised endpoint when they connect.

Additionally, when using CyberArk Privileged Session Manager, the system is designed to prevent the user from

logging in without auditing and recording user activity during the session. The privileged user’s password can also be

scheduled to automatically rotate.

The following chart shows a controlled session for accessing the AWS Management Console.

Page 9: Securing the Enterprise’s Cloud Assets on Amazon Web ...lp.cyberark.com/rs/cyberarksoftware/images/wp... · Securing the Enterprise’s Cloud Assets 3 ... Securing the Enterprise’s

Securing the Enterprise’s Cloud Assets on Amazon Web Services (AWS)

©Cyber-Ark Software Ltd. | cyberark.com 9

Whenever a maintenance activity needs to be done on AWS production instances and AWS CLI (Command Line

Interface), or PowerShell access is required by an IT administrator, CyberArk Privileged Session Manager will open the

CLI or PowerShell console without the user seeing or knowing the AWS access and secret key.

CyberArk Privileged Session Manager can be further leveraged for delegating AWS permissions by integrating with

AWS Security Token Service (STS) to automatically generate a role-based and/or policy-based temporary session for

the AWS Management Console or for API access.

The CyberArk solution integrates with AWS STS to allow an administrator to configure accounts with specific AWS

roles and/or policies. Once connected to the AWS Management Console or for API access, end users will assume

that specific AWS role and policy and will be able to perform only authorized operations on the AWS platform.

Sessions can be recorded and set up so as to only be valid for a certain period of time. In addition, all active sessions

can be monitored by security teams in real time, and even terminated in case of suspected misusage or potential

attack.

AWS Users IT Infrastructure

AWS Admin

CyberArk Portal

AWS Management

Console

Instances

User authenticates to CyberArk Portal

1Request temporary AWSaccess credentials

2

Receive temporaryAWS token

3

User receives temporary role-basedaccess

4

AmazonSecurity Token

Service

* * * * *

Page 10: Securing the Enterprise’s Cloud Assets on Amazon Web ...lp.cyberark.com/rs/cyberarksoftware/images/wp... · Securing the Enterprise’s Cloud Assets 3 ... Securing the Enterprise’s

Securing the Enterprise’s Cloud Assets on Amazon Web Services (AWS)

©Cyber-Ark Software Ltd. | cyberark.com 10

Lastly, it is known that in most cases the entry point of an attack is the endpoint, and once an attacker (or an insider)

manages to take over an endpoint, the attacker will look for privileged credentials in order to move laterally. In the case

of cloud administrative consoles, the cached AWS console credentials and browser session are targets. Therefore, it is

also essential to protect the endpoint themselves, and make sure that the browser caches and credential stores are

protected. CyberArk Endpoint Privilege Manager™ is designed to allow organizations to secure credential stores on

the endpoint (including browsers), in addition to removing redundant admin rights and usage of unwanted applications.

Summary and benefits:

� Control interactive access to cloud console

� Secure and vault AWS root and IAM privileged account

� Automatic password rotation of AWS root and IAM privileged accounts

� Establish access workflows to AWS privileged accounts (e.g., approval, ticketing, strong authentication)

� Provide isolation of interactive cloud sessions and prevent credentials from reaching the endpoint

� Monitor cloud privileged sessions

� Delegate AWS root access and leverage AWS STS integration

� •Secure credentials on endpoints accessing AWS consoles

Securing and Monitoring Access to AWS EC2 Instances

Protecting and controlling access to machines (instances) deployed on AWS is an important security requirement. Once a

privileged account is securely stored in the Vault, IT admins can access the AWS instance using CyberArk Privileged

Session Manager without exposing the privileged account credentials (root, administrator, etc.) or SSH keys. This seamless

access improves ease of use for admins, as well as security for the organization.

For example, CyberArk Privileged Session Manager is designed to securely obtain the privileged account password from

the CyberArk Enterprise Password Vault® and transparently open an RDP session to the target Windows machine while

recording the full session in the background and providing detailed audit records of users’ activities. The connections

secured by Privileged Session Manager can be established through the intuitive web portal (Password Vault Web Access,

PVWA) or directly from any client application or tool used for connecting to Windows servers, allowing IT administrators to

maintain their standard workflows while benefiting from isolation and monitoring of the privileged activity.

The CyberArk Privileged Session Manager SSH Proxy will do the same for Linux-based machines by transparently passing

the privileged account password, SSH key or any other credentials. End users continue working with their native clients

(e.g., Putty, SSH console) to connect to target systems, preventing a change to the existing workflow, while maintaining

high security and audit levels.

CyberArk Privileged Session Manager helps organizations ensure that all accesses to the AWS instances are passed

through the organization’s security workflow (for example, a request for specific approval may be required for any access to

sensitive instances), and also protect against credential theft by malware and key loggers that can potentially infect the

client machines.

Page 11: Securing the Enterprise’s Cloud Assets on Amazon Web ...lp.cyberark.com/rs/cyberarksoftware/images/wp... · Securing the Enterprise’s Cloud Assets 3 ... Securing the Enterprise’s

Securing the Enterprise’s Cloud Assets on Amazon Web Services (AWS)

©Cyber-Ark Software Ltd. | cyberark.com 11

Here is an example of how user “Mike” can initiate an SSH session to an AWS Linux machine using the Privileged Session

Manager SSH Proxy. “Mike” types the command with his username, the target machine user name, target machine

address and the SSH proxy address. “Mike” will need to authenticate himself to the Vault (which he could do using his

Active Directory credentials, personal SSH key or alternatively via two-factor authentication). In this example, once

authenticated, if “Mike” is authorized to access the target AWS server, the proxy will invoke the session by transparently

transferring the SSH private key to the target machine. Note that in addition to being able to connect to the remote

machine without exposing the private key, “Mike” is also being monitored and recorded. Every activity “Mike” does on the

target machine, including commands and keystrokes typed, will be recorded and audited. The captured audit is securely

stored in the vault to help prevent “Mike” or any other user from tampering with the audit trail and destroying evidence.

1 [root@localhost ~]# ssh mike@[email protected]@10.0.0.62 mike@ec2-user@[email protected]’s password: 3 Last login: Sun Apr 6 05:10:07 2014 from 10.0.0.74 5 This session is being recorded6 7 The server’s host key is not cached. You have no guarantee that the server is the computer you think

it is.8 Theserver’srsa2keyfingerprintis:9 ssh-rsa 2048 ee:76:92:4b:d1:f2:03:60:db:6e:8f:95:88:83:e0:4510 If you trust this host, enter “y” to add the key to PuTTY’s cache and carry on connecting.11 If you want to carry on connecting just once, without adding the key to the cache, 12 enter “n”.13 If you do not trust this host, press Return to abandon the connection.14 15 Store key in cache? (y/n) y16 Using username “ec2-user”.17 Last login: Sun Apr 6 08:10:28 2014 from 212.143.65.4918 [ec2-user@ip-172-31-17-153 ~]$

Implementing a Jump Server for Accessing the AWS environment

Amazon Virtual Private Cloud (Amazon VPC) enables organizations to provision a logically isolated section of the Amazon

Web Services (AWS) Cloud to launch AWS resources in a virtual network defined by the organization.

Additionally, organizations can create a Virtual Private Network (VPN) connection between the corporate datacenter and

VPC, thereby leveraging the AWS cloud as an extension of the corporate datacenter. By connecting the VPC to the

corporate network, the VPC is hosted behind the corporate firewall.

For security purposes, to reduce the size of the attack surface and secure assets on AWS, a common security best practice

is to limit RDP and/or SSH access to instances through a bastion host or a proxy (jump) server. The server can be located

outside the organization’s firewall or DMZ and used to establish a VPN connection to the AWS cloud, preventing a VPC

connection directly into the organization network. Any allowed access to AWS instances can be restricted to only come

from that proxy server. Also, organizations may only allow outbound communication from the organizational environment

to the AWS cloud.

CyberArk Privileged Session Manager is designed to serve as such a gateway solution, allowing the organization to

achieve this network segregation in a secure way and at a minimal cost. The gateway is designed to be hardened and

audited regularly with tamper-resistant audit logs and session monitoring for audit integrity. It can be configured to be the

only access point to the cloud environment; hence firewall rules can now be more restrictive and manageable since no

other device/user should be accessing the cloud other than the CyberArk Privileged Session Manager gateway.

Page 12: Securing the Enterprise’s Cloud Assets on Amazon Web ...lp.cyberark.com/rs/cyberarksoftware/images/wp... · Securing the Enterprise’s Cloud Assets 3 ... Securing the Enterprise’s

Securing the Enterprise’s Cloud Assets on Amazon Web Services (AWS)

©Cyber-Ark Software Ltd. | cyberark.com 12

The CyberArk Privileged Session Manager invokes a ‘shadow’ session to the end device to increase security. This is a

different session than the one the end user is opening from his or her workstation. The system is designed so that any

malware that found its way to the end user workstation cannot propagate to the target server.

2. Automating Provisioning ProcessesManaging AWS API Keys

With automation, organizations are able to leverage the dynamic capabilities of the cloud. Scripts leveraging AWS APIs for

scaling, such as for provisioning new AWS instances or containers, or de-provisioning AWS instances are commonly used

for automation. A best practice is to ensure that requests for AWS resources require credentials so as to ensure

applications, etc. have permission to access the resource. To enable programmatic requests, AWS requires the requesting

application, user, etc. to pass their access keys (an access key and secret access key).

These API keys are typically spread in automation scripts and orchestration servers, sometimes hardcoded in the code itself

or embedded in configuration files. These API keys are actually the keys of the “cloud kingdom,” and could enable

unrestricted access to AWS and allow operations such as stop/start servers, wipe entire workloads or dump content of an

instance. Moreover, these keys are all too frequently static and unchanged, which further increases the risk of key

compromise. Consequently, the risks to the organization of unmanaged API keys is high.

To help ensure the security of automated provisioning processes CyberArk’s approach of securing API keys consists of the

following steps:

� Discover and enumerate the keys using CyberArk Discovery and Audit.

� Onboard and secure these keys in the vault.

� Remove the embedded API keys by using CyberArk Application Identity Manager™ to securely retrieve the API keys

from the AWS scripts, allowing scripts to run without risk of compromised AWS access and secret keys.

Additionally, security administrators can sign the applications and scripts that use the AWS critical credentials to help

prevent tampering. CyberArk Application Identity Manager is designed to strongly authenticate applications to detect

tampering. If the software determines that a signed application has been tampered with it will not give that application the

vaulted credentials.

� Periodically rotate the access keys taking advantage of the CyberArk Enterprise Password Vault.

Benefits:

� Provide a complete view of API keys used in the enterprise’s AWS environment

� Secure API keys in the vault, and allow only authorized users / applications to access them

� Remove embedded API keys from scripts

� Assure ongoing rotation of API keys to increase security posture and help meet compliance requirements

Page 13: Securing the Enterprise’s Cloud Assets on Amazon Web ...lp.cyberark.com/rs/cyberarksoftware/images/wp... · Securing the Enterprise’s Cloud Assets 3 ... Securing the Enterprise’s

Securing the Enterprise’s Cloud Assets on Amazon Web Services (AWS)

©Cyber-Ark Software Ltd. | cyberark.com 13

Provisioning Processes

When a new instance is provisioned within AWS, whether it is a Windows or Linux machine, it includes unmanaged

privileged accounts. The CyberArk Privileged Account Security Solution exposes an extensive API for storing and securing

these privileged accounts in the digital vault. This API can be integrated with cloud automation/orchestration tools like

Puppet, Chef, etc. as part of the provisioning processes, and assures that the privileged accounts of the newly provisioned

instance, or container, will be securely stored in the vault. The same API can be implemented to remove passwords from

the Vault when the instance is removed.

As noted previously, another common challenge is the elimination of hard coded and visible credentials from applications

and scripts that utilize the AWS API. CyberArk Application Identity Manager can enable developers to remove the

embedded AWS access key and secret key and retrieve them programmatically from the digital vault.

The following shows an example of a PowerShell script that programmatically provisions a new Windows machine on

AWS infrastructure, automatically stores the account credentials in the digital vault using RESTful API calls and starts

managing the administrator account based on the organization security policy. Similar code can be used in Puppet

module, Chef recipe or any other automation tools.

1 ##########################################################

2 # A function to check the instance status

3 ##########################################################

4 function WaitForState ($instanceid, $desiredstate) {

5 while ($true)

6 {

7 $a = Get-EC2Instance -Instance $instanceid

8 $state = $a.Instances[0].State.Name

9 if ($state -eq $desiredstate)

10 {

11 break;

12 }

13 “$(Get-Date) Current State = $state, Waiting for Desired State=$desiredstate”

14 Sleep -Seconds 5

15 }

16 }

17 ##########################################################

18 # Get AWS credentials from CyberArk Vault using CyberArk AIM

19 # Note: Any changes to the script done after the script has been signed to the Vault will cause this call to fail.

20 ##########################################################

21 $CAOutput = C:\CyberArk\ApplicationPasswordSdk\CLIPasswordSDK.exe GetPassword /p AppDescs.AppId=”AWSConnect” /p Query=”Safe=AWS;Object=AWS Keys” /o “PassProps.userName,Password”

22 ##########################################################

23 if ($CAOutput -eq $null){

24 Write-Host “Failed to get AWS Keys from CyberArk Vault”

25 }

26 else {

27 # AWS authentication using access and secret key

28 $AWSAccessKey = $CAOutput.Split(“,”)[0]

29 $AWSSecretKey = $CAOutput.Split(“,”)[1]

30 Initialize-AWSDefaults -AccessKey $AWSAccessKey -SecretKey $AWSSecretKey -Region us-east-1

31

Page 14: Securing the Enterprise’s Cloud Assets on Amazon Web ...lp.cyberark.com/rs/cyberarksoftware/images/wp... · Securing the Enterprise’s Cloud Assets 3 ... Securing the Enterprise’s

Securing the Enterprise’s Cloud Assets on Amazon Web Services (AWS)

©Cyber-Ark Software Ltd. | cyberark.com 14

32 #Start creating new instance in AWS…

33 $a = Get-EC2ImageByName -Names WINDOWS_2012_BASE

34 $imageid = $a.ImageId

35 $a = New-EC2Instance -ImageId $imageid -MinCount 1 -MaxCount 1 -InstanceType t1.micro -KeyName “WindowsKey”

36 $instanceid = $a.Instances[0].InstanceId

37 “New Instance is being created: $instanceid”

38 WaitForState $instanceid “Running”

39 $a = Get-EC2Instance -Instance $instanceid

40 $publicDNS = $a.Instances[0].PublicDnsName

41

42 “Wait for the new instance ($instanceid) password to become available”

43 $password = $null

44 # Wait until the password is available. According to AWS this could be up to 30 minutes.

45 # Catch all the exceptions… not a good idea for a production code.

46 # Get key for pwd decryption from CyberArk Vault using CyberArk AIM.

47 $AWSDecryptKey = C:\CyberArk\ApplicationPasswordSdk\CLIPasswordSDK.exe GetPassword /p AppDescs.AppId=”AWSConnect” /p Query=”Safe=AWS;Object=AWS Windows Password Key” /o “Password”

48 $KeyFilePath = “C:\CyberArk\POC\WinPwdKey.pem”

49 $AWSDecryptKey >> “$KeyFilePath”

50 while ($password -eq $null)

51 {

52 try

53 {

54 $password = Get-EC2PasswordData -InstanceId $instanceid -PemFile “$KeyFilePath” -Decrypt

55 }

56 catch

57 {

58 “$(Get-Date) Waiting for PasswordData to be available”

59 Sleep -Seconds 10

60 }

61 }

62 Remove-Item “$KeyFilePath”

63

64 “Got the password... Start creating account in the Vault...”

65

66 $loginURI = “http://myCyberArkServer.com/PasswordVault/WebServices/auth/cyberark/CyberArkAuthenticationService.svc/logon”

67 $logoffURI = “http://myCyberArkServer.com/PasswordVault/WebServices/auth/cyberark/CyberArkAuthenticationService.svc/logoff”

68 $createAccountURI = “http://myCyberArkServer.com/PasswordVault/WebServices/PIMServices.svc/Account”

69

70 $logonInfo = @{}

71 $logonInfo.username = “myApp”

72 # Get the API login password from CyberArk Vault using CyberArk AIM.

73 $logonInfo.password = C:\CyberArk\ApplicationPasswordSdk\CLIPasswordSDK.exe GetPassword /p AppDescs.AppId=”AWSConnect” /p Query=”Safe=AWS;Object=myAppPwd” /o “Password”

74

75 #account parameters

76 $newAccounts = @{}

77 $newAccount = @{}

78 $newAccount.safe = “AWS”

Page 15: Securing the Enterprise’s Cloud Assets on Amazon Web ...lp.cyberark.com/rs/cyberarksoftware/images/wp... · Securing the Enterprise’s Cloud Assets 3 ... Securing the Enterprise’s

Securing the Enterprise’s Cloud Assets on Amazon Web Services (AWS)

©Cyber-Ark Software Ltd. | cyberark.com 15

79 $newAccount.platformID = “WinServerLocal”

80 $newAccount.address = $publicDNS

81 $newAccount.username = “administrator”

82 $newAccount.password = $password

83 $newAccount.accountName = $instanceid

84 #$properties = @”

85 #[

86 # {

87 # “Key”: “Port”,

88 # “Value”: “33369”

89 # }

90 #]

91 #”@;

92 #$newAccount.properties=$properties

93 $newAccounts.account = $newAccount

94

95 #login to the Vault

96 $result = Invoke-RestMethod -Method Post -Uri $loginURI -ContentType “application/json” -Body (ConvertTo-Json($logonInfo))

97 $logonToken = $result.CyberArkLogonResult

98 “Vault login successfully”

99 $headers = @{ “Authorization” = $logonToken }

100

101 #create the account in the Vault

102 $result = Invoke-RestMethod -Method Post -Uri $createAccountURI -headers $headers -ContentType “application/json” -Body (ConvertTo-Json($newAccounts))

103 “Account created successfully”

104

105 #logoff from the Vault

106 $result = Invoke-RestMethod -Method Post -Uri $logoffURI -headers $headers -ContentType “application/json” -Body (ConvertTo-Json($logonInfo))

107 “Vault logoff successfully”

108

109 “finishprovisioninginstanceinAWSandtheprivilegedaccount$instanceid,$publicDNSinCyberArk Vault”

110

111 # Clear AWS credentials

112 Clear-AWSDefaults

113 }

The following shows an example of how to store a Linux account with an SSH key in the digital vault.

1 ./accountuploader -VaultFile /etc/opt/CARKpsmp/vault/vault.ini -CredFile admin.cred -SafeName “AWS” -KeyFile myLinuxKey.pem -DeviceType “Operating System” -PolicyId “UnixSSHKeys” -Address ec2-54-208-95-193.compute-1.amazonaws.com -UserName “ec2-user”

Page 16: Securing the Enterprise’s Cloud Assets on Amazon Web ...lp.cyberark.com/rs/cyberarksoftware/images/wp... · Securing the Enterprise’s Cloud Assets 3 ... Securing the Enterprise’s

Securing the Enterprise’s Cloud Assets on Amazon Web Services (AWS)

©Cyber-Ark Software Ltd. | cyberark.com 16

AWS Auto Scaling of Applications and Securing Credentials

AWS Auto Scaling helps maintain application availability and allows scaling EC2 capacity up or down automatically,

ensuring the application is running on the desired number of EC2 instances.

When an application leverages the CyberArk Application Identity Manager Credential Provider (an agent based solution), it

needs to automatically deploy a new agent whenever a new EC2 instance of the application starts. This can be achieved

by an organization installing the Credential Provider software on the Amazon Machine Image (AMI), and registering it to

the vault during runtime when the new instance comes up.

CyberArk provides sample code for integrating with AWS Auto Scaling group via SQS (Simple Queue Service). Any new

instance with the Credential Provider that spawns up is automatically and securely registered in the vault from a central

location.

This integration allows applications running in an Auto Scaling environment to dynamically adjust to their capacity needs,

while maintaining a high level of security by leveraging the CyberArk Digital Vault to access, rotate and secure privilege

credentials according to an organization’s policy.

3. Automating Deployment of the CyberArk EnvironmentSimplicity and agility are fundamental requirements in cloud migration, and IT, security and DevOps leaders want to use

automation tools to rapidly and securely deploy and run CyberArk Privileged Account Security solutions so as to help

protect the enterprise’s cloud assets. Specifically, they want to use automation tools so they can rapidly deploy CyberArk to

help control, automate, audit and analyze the privileges and credentials associated with their AWS Management Consoles

as well as the credentials and passwords used by their applications, data and other assets in their AWS environments.

Using CyberArk cloud automation tools, in just a few minutes, with a single click, administrators can automatically deploy

and establish the complete CyberArk Privileged Account Security environment in their previously configured AWS

environment, so that it is quickly available to start securing the enterprise’s cloud assets.

The standard deployment architecture leverages AWS Privileged Account Security best practices, including separate AWS

Availability Zones for the primary and disaster recovery vaults, as well as a using a dedicated AWS account for the

CyberArk solution, thus ensuring that the vaults are both independent from each other, and the cloud assets being

secured. The cloud automation tools include CyberArk AMIs (Amazon Machine Images) and CloudFormation templates.

Of course automating the deployment of the CyberArk environment is just part of the story. Additionally, CyberArk provides

a reference architecture which describes the recommendations and best practices for a CyberArk Privileged Account

Security environment, which is based on the most common use cases. This covers for example the guidance and best

practices on where and how to place the different CyberArk components within the enterprise’s overall AWS cloud

architecture.

The standard CyberArk environment can be quickly deployed in minutes and can support a broad range of workflows and

configurations. Alternatively, for customers with more demanding requirements, customers can customize and build their

own AMIs using the automation building blocks from CyberArk.

In each case, automation, reference architectures and agile deployment approaches can help accelerate privileged

account projects to secure the enterprise’s cloud-based assets.

Page 17: Securing the Enterprise’s Cloud Assets on Amazon Web ...lp.cyberark.com/rs/cyberarksoftware/images/wp... · Securing the Enterprise’s Cloud Assets 3 ... Securing the Enterprise’s

Securing the Enterprise’s Cloud Assets on Amazon Web Services (AWS)

©Cyber-Ark Software Ltd. | cyberark.com 17

The following shows a screenshot of CyberArk’s CloudFormation template “User Interface” for setting up a Privileged Account

Security environment:

Accept

Page 18: Securing the Enterprise’s Cloud Assets on Amazon Web ...lp.cyberark.com/rs/cyberarksoftware/images/wp... · Securing the Enterprise’s Cloud Assets 3 ... Securing the Enterprise’s

Securing the Enterprise’s Cloud Assets on Amazon Web Services (AWS)

©Cyber-Ark Software Ltd. | cyberark.com 18

SummaryCyberArk solutions enable enterprises to protect their cloud assets by providing powerful solutions for securing

privileged accounts and credentials at each stage of their cloud journey. CyberArk offers several powerful integrations

with AWS so an organization can increase the security of its cloud assets, including integration with AWS Security

Token Service, and AWS Inspector.

CyberArk’s cloud automation tools also simplify and accelerate the deployment of CyberArk solutions in the public

cloud, enabling enterprises to set up the complete CyberArk environment in just a few minutes.

Another important consideration, for protecting an enterprise’s cloud assets, is that a significant number of

organizations don’t use just one cloud provider, but for various reasons use multiple cloud providers – business

flexibility, multiple business lines, prior acquisitions, geographic coverage, etc. Additionally, enterprises may have

legacy, on-premises or hybrid environments, in which case the same IT administrators may be accessing and

managing multiple compute, DevOps tools, and automation environments. CISOs and IT leaders typically want, as a

best practice, to be able to enforce the same security policies across the entire enterprise regardless of their compute

environments, delivery pipelines and automation tools.

Admin Consoles Management Consoles

Compute Environments

DevOps Tools

PrivateCloud

IaaS / PaaSSaaS (Software as a Service)

On Premises

Admin Consoles(DevOps Tools)

Consistent Enterprise-Wide Security Policies

Single Vault Enables Consistent Enforcement of Security Policies

To implement this best practice, enterprises typically want to manage user credentials and access permissions with a

single solution.

Whether your organization has fully embraced cloud or is just starting the journey, it is essential to implement robust

privilege management policies to protect your cloud assets. CyberArk has the solutions, resources and cloud expertise

to help an enterprise protect and secure the “keys to your cloud kingdom”.

For additional information visit cyberark.com/cloud

Page 19: Securing the Enterprise’s Cloud Assets on Amazon Web ...lp.cyberark.com/rs/cyberarksoftware/images/wp... · Securing the Enterprise’s Cloud Assets 3 ... Securing the Enterprise’s

©CyberArk Software Ltd. | cyberark.com

©Copyright 1999-2017 CyberArk Software. All rights reserved. No portion of this publication may be reproduced in any form or by any means without the express written consent of CyberArk Software.

CyberArk®, the CyberArk logo and other trade or service names appearing above are registered trademarks (or trademarks) of CyberArk Software in the U.S. and other jurisdictions. Any other trade and service names are the property of their respective owners. U.S., 5.17. Doc # 160

CyberArk believes the information in this document is accurate as of its publication date. The information is provided without any express, statutory, or implied warranties and is subject to change without notice.

THIS PUBLICATION IS FOR INFORMATIONAL PURPOSES ONLY AND IS PROVIDED “AS IS” WITH NO WARRANTIES WHATSOEVER WHETHER EXPRESSED OR IMPLIED, INCLUDING WARRANTY OF MERCHANTABILITY, FITNESS FOR ANY PARTICULAR PURPOSE, NON-INFRINGEMENT OR OTHERWISE. IN NO EVENT SHALL CYBERARK BE LIABLE FOR ANY DAMAGES WHATSOEVER, AND IN PARTICULAR CYBERARK SHALL NOT BE LIABLE FOR DIRECT, SPECIAL, INDIRECT, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, OR DAMAGES FOR LOST PROFITS, LOSS OF REVENUE OR LOSS OF USE, COST OF REPLACEMENT GOODS, LOSS OR DAMAGE TO DATA ARISING FROM USE OF OR IN RELIANCE ON THIS PUBLICATION, EVEN IF CYBERARK HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.