This session tells the story of how security-minded enterprises provide end-to-end protection of their sensitive data in AWS. Learn about the enterprise security architecture decisions made by Fortune 500 organizations during actual sensitive workload deployments as told by the AWS professional service security, risk, and compliance team members who lived them. In this technical walkthrough, we share lessons learned from the development of enterprise security strategy, security use-case development, end-to-end security architecture & service composition, security configuration decisions, and the creation of AWS security operations playbooks to support the architecture.
© 2013 Amazon.com, Inc. and its affiliates. All rights reserved. May not be copied, modified, or distributed in whole or in part without the express consent of Amazon.com, Inc.
ARC308: Architecting for End-to-End Security in the Enterprise
Hart Rossman, Principal Security Consultant
Bill Shinn, Principal Security Solutions Architect
November 14, 2013
A Typical Enterprise Security Journey:
1. Integrate AWS into the Enterprise Security Strategy
2. Deploy Defense in Depth: Enterprise Security Architecture in the Cloud
3. Convert Strategy to Tactics: Security Playbook
4. Instrument for Operations: Privilege Isolation, Bastion Role, and Auditing Role
[Diagram: Enterprise Security Planning (Strategy, Architecture) feeding Enterprise Security Operations (Playbook, Operations)]
Enterprise Security Strategy
• Economics
• Strategy
Security Economies of Scale
• AWS control objectives idempotent across the entire cloud
• Reduced compliance scope
• Defense in depth layers are variable cost
• Security benefits from automation
Why Update Your Security Strategy for AWS?
• Communicate the CISO’s intent & Concept of Operations (CONOPS)
• Articulate a vision for the desired end-state
Enterprise Security Architecture
• Capabilities Framework
• Defense in Depth Architecture
Security Capabilities Framework
Anticipate
• Policies and Standards
• Threat Intelligence
Deter
• Access Control
• Network Architecture
• Active Response
Detect
• IDS
• Log analysis
• Alerting
• Security Operations Center
Respond
• Incident Response to Compromise
Recover
• Disaster Recovery/BCP
• Known Good State
• Forensics
[Diagram: AWS security capabilities map. Its columns are Authenticate & Authorize; Log, Audit, & Analyze; Monitor & Alert; and Governance. The items it lists, by group:]
Monitoring
• CloudWatch
• SNS Notifications
• AWS Abuse Notifications
• Trusted Advisor
• EMR, Redshift Analytics
• S3, CloudFront Access Logs
• AWS CloudTrail
• App Logs, DB Logs, OS Logs
Management: Network
• AWS Internet Security
• ELB SSL
• Security Groups
• VPC VPN Gateway
• VPC Subnets
• VPC NACLs
• VPC Routing Tables
• Direct Connect
• Geographic Diversity
Management: Storage & Content
• S3 ACLs, Bucket Policies
• S3, Glacier SSE
• S3 MFA Delete
• Lifecycle Rules
• Client-Side Encryption
• S3, Glacier, CloudFront SSL
• S3 Object Metadata
• Storage Gateway SSL
• CloudFront Signed URLs
• EBS Volume Encryption
Management: Instance
• Auto Scaling
• Host Security Software
• SSH Keys
• Managed Encryption
• Bastion Host
• Bootstrapping
• AMIs
• CloudFront Load Distro
• Penetration Testing
Management: Database
• Oracle TDE
• MySQL, MS-SQL SSL
• Oracle NNE
• Redshift Cluster Encryption
• RDS Auto Minor Patching
• MS-SQL TDE
• SQL SSL Clients
• DynamoDB, SimpleDB SSL
• EMR Job Flow Roles
Organize, Deploy, & Manage
• SSL API, CLI, Console
• Access Policy Language
• CloudHSM
• CloudFormation
• Resource Tagging
• Snapshots & Replication
• Route 53
Authenticate & Authorize
• IAM Users, Groups & Roles
• IAM MFA
• Server Certificates
• IAM + STS Federation
• IAM Password Policy
AWS Security & Compliance
• AWS Certifications
People
• AWS SA’s & Proserv
• AWS Support
• Security Operations Center
[The AWS security capabilities map is repeated on the following slides, each highlighting one item in turn:]
• AWS Certifications
• Lifecycle Rules
• SSH Keys
• Security Groups
• IAM Users, Groups & Roles
• Redshift CloudHSM Support
• Amazon CloudTrail
• Amazon Elastic MapReduce & Amazon Redshift
• Security Operations Center
• Resource Tagging
• AWS Support
• Snapshots & Replication
• Geographic Diversity
Defense-in-Depth Architecture
[Diagram: a VPC with Web, App, Protect, and DB tiers governed by IAM, route tables, and NACLs. An Internet Gateway, a VPN, and AWS Direct Connect (via a customer gateway, CGW) connect it to the corporate data center, which sits behind its existing perimeter security stack.]
Network Protection
[Diagram: the same tiers with the network controls highlighted: Internet Gateway, VPN, AWS Direct Connect and customer gateway, route tables, and NACLs.]
Instance Protection
[Diagram: the same tiers with the instance-level controls highlighted: Auto Scaling, host security software, SSH keys, managed encryption, bastion host, bootstrapping, AMIs, CloudFront load distribution, and penetration testing.]
Database Protection
[Diagram: the DB tier with the database controls highlighted: Oracle TDE, MySQL and MS-SQL SSL, Oracle NNE, Redshift cluster encryption, RDS auto minor patching, SQL SSL clients, DynamoDB and SimpleDB SSL, and EMR job flow roles.]
In-line Threat Management: Bastion Host
[Diagram: a bastion host placed in the Protect tier between the Web/App tiers and the DB tier.]
In-line Threat Management: IPS/IDS NAT HA
[Diagram: Availability Zones A and B, each with an IPS/NAT layer (Elastic IPs 1 to 4 across the two zones) in front of its own App layer; S3 and CloudFront serve content alongside the tiers.]
Security Playbook
• Rehearsed actions
• Task automation
• Document approved configurations
Why Build a Security Operations Playbook?
• Empower CISO organization to operate their cloud enterprise securely
• Enable CISO business partners to secure deployments and manage mission risk
Typical Components
• Overview of the AWS service or enterprise process
• Requirements/Dependencies
• Workflow
• Exceptions
Sample Entry: Amazon S3
Description
• Amazon S3 provides a simple web services interface that can be used to store and retrieve any amount of data, at any time, from anywhere on the web.
Secure Configuration
• Data stored in Amazon S3 is secure by default; only bucket and object owners have access to the Amazon S3 resources they create. For customers who must comply with regulatory standards such as PCI and HIPAA, Amazon S3’s data protection features can be used as part of an overall strategy to achieve compliance.
Choosing Controls
Criterion    | IAM Access Policy                  | Bucket Policy                                                  | ACLs
Granularity  | Fine grained                       | Fine grained                                                   | Coarse grained
Purpose      | Role-based access control (RBAC)   | Grant permissions without IAM and provide cross-account access | Grant simple, broad permissions
Application  | Apply to IAM groups, roles, users  | Apply to S3 buckets                                            | Apply to buckets and objects
Mapping ACLs to Policy Actions
Bucket ACL    | Bucket Policy Actions
READ          | s3:ListBucket, s3:ListBucketVersions, s3:ListBucketMultipartUploads
WRITE         | s3:PutObject, s3:DeleteObject, s3:DeleteObjectVersion (owner only)
READ_ACP      | s3:GetBucketAcl
WRITE_ACP     | s3:PutBucketAcl
FULL_CONTROL  | READ + WRITE + READ_ACP + WRITE_ACP
Object ACL    | Object Policy Actions
READ          | s3:GetObject, s3:GetObjectVersion, s3:GetObjectTorrent
READ_ACP      | s3:GetObjectAcl, s3:GetObjectVersionAcl
WRITE_ACP     | s3:PutObjectAcl, s3:PutObjectVersionAcl
FULL_CONTROL  | READ + READ_ACP + WRITE_ACP
Using Access Policy Conditions
{
  "Id": "S3PolicyId1",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "AWS": "*" },
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::YourBucket/*",
      "Condition": { }
    },
    {
      "Effect": "Allow",
      "Principal": { "AWS": "*" },
      "Action": [
        "s3:PutObject",
        "s3:DeleteObject"
      ],
      "Resource": "arn:aws:s3:::YourBucket/*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": "10.10.1.0/24"
        }
      }
    }
  ]
}
Enforcing SSL

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Principal": "*",
      "Effect": "Deny",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::YourBucket",
        "arn:aws:s3:::YourBucket/*"
      ],
      "Condition": {
        "Bool": {
          "aws:SecureTransport": "false"
        }
      }
    }
  ]
}

Version belongs at the top level of the document, not inside a statement. The Resource list names both the bucket ARN and its objects: with only "YourBucket/*", object operations over HTTP are denied but bucket-level calls such as ListBucket are not.
Enable & Enforce SSE

{
  "Version": "2012-10-17",
  "Id": "PutObjPolicy",
  "Statement": [
    {
      "Sid": "DenyUnEncryptedObjectUploads",
      "Effect": "Deny",
      "Principal": { "AWS": "*" },
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::YourBucket/*",
      "Condition": {
        "StringNotEquals": {
          "s3:x-amz-server-side-encryption": "AES256"
        }
      }
    }
  ]
}

This denies any PutObject whose x-amz-server-side-encryption header carries a value other than AES256. A second Deny statement with a Null condition on the same key is commonly added so that an upload that omits the header altogether is refused explicitly rather than relying on how the negated operator treats a missing key.
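The three policies above are easier to reason about when you can run requests against them. The following is an added example, not code from the ARC308 deck or from AWS: a small offline evaluator that combines the IP-restricted write, SSL-enforcement and SSE-enforcement statements into one bucket policy and applies the resource-policy rules (explicit Deny beats Allow, no matching Allow is an implicit Deny). It models only the operators the slides use; the bucket name YourBucket is the slides' placeholder, and the request contexts are constructed. One assumption is labelled in the code: a negated operator such as StringNotEquals is treated as matching when the key is absent, and the extra Null statement makes the SSE outcome independent of that assumption.

```python
"""Offline evaluator for the bucket-policy conditions shown on the slides above.

Added example, not from the ARC308 deck and not AWS code. It models resource-policy
evaluation in simplified form: an explicit Deny wins over any Allow, and with no
matching Allow the request is implicitly denied. Only the operators used on the
slides are implemented (IpAddress, Bool, StringEquals, StringNotEquals, Null).
Assumption: a negated operator (StringNotEquals) is treated as matching when the
key is absent from the request; the Null statement below makes the SSE outcome
independent of that assumption.
"""
import fnmatch
import ipaddress

BUCKET = "YourBucket"  # placeholder name taken from the slides

# One bucket policy combining the three slides: writes only from the corporate
# range, SSL required for bucket and object operations, and SSE required on
# upload. The anonymous GetObject Allow from the first slide is kept on purpose
# so that both outcomes can be shown.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": "s3:GetObject", "Resource": f"arn:aws:s3:::{BUCKET}/*"},
        {"Sid": "WriteFromCorpNet", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": ["s3:PutObject", "s3:DeleteObject"],
         "Resource": f"arn:aws:s3:::{BUCKET}/*",
         "Condition": {"IpAddress": {"aws:SourceIp": "10.10.1.0/24"}}},
        {"Sid": "EnforceSSL", "Effect": "Deny", "Principal": "*", "Action": "s3:*",
         "Resource": [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"],
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
        {"Sid": "DenyWrongEncryptionHeader", "Effect": "Deny", "Principal": "*",
         "Action": "s3:PutObject", "Resource": f"arn:aws:s3:::{BUCKET}/*",
         "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "AES256"}}},
        {"Sid": "DenyMissingEncryptionHeader", "Effect": "Deny", "Principal": "*",
         "Action": "s3:PutObject", "Resource": f"arn:aws:s3:::{BUCKET}/*",
         "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}}},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_matches(operator, key, wanted, ctx):
    """Evaluate one (operator, key) pair against the request context."""
    actual = ctx.get(key)
    wanted = [str(w) for w in _as_list(wanted)]
    if operator == "Null":
        # "true" means the key must be absent, "false" means it must be present
        return (actual is None) == (wanted[0].lower() == "true")
    if actual is None:
        # missing key: negated operators match, positive operators do not (assumption)
        return operator.startswith("StringNot")
    if operator == "IpAddress":
        return any(ipaddress.ip_address(actual) in ipaddress.ip_network(c) for c in wanted)
    if operator == "Bool":
        return str(actual).lower() == wanted[0].lower()
    if operator == "StringEquals":
        return actual in wanted
    if operator == "StringNotEquals":
        return actual not in wanted
    raise ValueError(f"operator {operator} not modelled")


def _statement_matches(stmt, action, resource, ctx):
    """Action, Resource and every Condition pair must all match."""
    if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
        return False
    if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
        return False
    return all(_condition_matches(op, key, wanted, ctx)
               for op, pairs in stmt.get("Condition", {}).items()
               for key, wanted in pairs.items())


def evaluate(policy, action, resource, ctx):
    """Return 'Allow' or 'Deny' for one request (Principal is assumed to match)."""
    effects = {s["Effect"] for s in policy["Statement"]
               if _statement_matches(s, action, resource, ctx)}
    if "Deny" in effects:
        return "Deny"
    return "Allow" if "Allow" in effects else "Deny"   # implicit deny


if __name__ == "__main__":
    obj = f"arn:aws:s3:::{BUCKET}/report.csv"
    requests = [  # constructed request contexts
        ("s3:GetObject", obj, {"aws:SecureTransport": "true"}),
        ("s3:GetObject", obj, {"aws:SecureTransport": "false"}),
        ("s3:PutObject", obj, {"aws:SecureTransport": "true", "aws:SourceIp": "10.10.1.7",
                               "s3:x-amz-server-side-encryption": "AES256"}),
        ("s3:PutObject", obj, {"aws:SecureTransport": "true", "aws:SourceIp": "10.10.1.7"}),
        ("s3:PutObject", obj, {"aws:SecureTransport": "true", "aws:SourceIp": "192.0.2.5",
                               "s3:x-amz-server-side-encryption": "AES256"}),
        ("s3:ListBucket", f"arn:aws:s3:::{BUCKET}", {"aws:SecureTransport": "false"}),
    ]
    for action, resource, ctx in requests:
        print(f"{action:14s} {evaluate(POLICY, action, resource, ctx):5s} {ctx}")
```

Running the script shows the cases a reviewer wants confirmed: an HTTP ListBucket is denied only because the EnforceSSL statement names the bucket ARN as well as its objects, and a PutObject without any encryption header is denied by the Null statement whatever the treatment of a missing key in StringNotEquals.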
CloudFormation Template

{
  "AWSTemplateFormatVersion" : "2010-09-09",
  "Description" : "AWS CloudFormation Sample Template for S3 Bucket Policy",
  "Resources" : {
    "S3BucketCFn" : {
      "Type" : "AWS::S3::Bucket",
      "DeletionPolicy" : "Retain"
    },
    "BucketPolicy" : {
      "Type" : "AWS::S3::BucketPolicy",
      "Properties" : {
        "PolicyDocument": {
          "Version" : "2012-10-17",
          "Id" : "MyPolicy",
          "Statement" : [
            {
              "Sid" : "ContributorAccess",
              "Action" : ["s3:GetObject"],
              "Effect" : "Allow",
              "Resource" : { "Fn::Join" : ["", ["arn:aws:s3:::", {"Ref" : "S3BucketCFn"}, "/*"]]},
              "Principal" : { "AWS": "*" }
            },
            {
              "Sid" : "ListAccess",
              "Action" : ["s3:ListBucket"],
              "Effect" : "Allow",
              "Resource" : { "Fn::Join" : ["", ["arn:aws:s3:::", {"Ref" : "S3BucketCFn"}]]},
              "Principal" : { "AWS": "*" }
            },
            {
              "Sid" : "EnforceSSL",
              "Action" : ["s3:*"],
              "Effect" : "Deny",
              "Resource" : [
                { "Fn::Join" : ["", ["arn:aws:s3:::", {"Ref" : "S3BucketCFn"}]]},
                { "Fn::Join" : ["", ["arn:aws:s3:::", {"Ref" : "S3BucketCFn"}, "/*"]]}
              ],
              "Principal" : { "AWS": "*" },
              "Condition" : { "Bool": {"aws:SecureTransport": "false"}}
            }
          ]
        },
        "Bucket" : {"Ref" : "S3BucketCFn"}
      }
    }
  },
  "Outputs" : {
    "BucketName" : {
      "Value" : { "Ref" : "S3BucketCFn" },
      "Description" : "Name of newly created S3 bucket"
    }
  }
}

Creates an S3 bucket with a randomized name and the following permissions:
• Allow anyone to LIST the bucket
• Allow anyone to GET objects
• Require SSL encryption in transit (the Deny names the bucket ARN as well as its objects, so an HTTP ListBucket is refused too)

Condition values in a policy document are strings, so aws:SecureTransport is compared against "false", not the JSON boolean false. The two Allow statements make the bucket and its contents readable by anonymous callers; that is deliberate for this sample and is exactly the kind of statement a review of generated templates should flag.
Keys, Delimiters, and Tags
Using Keys and Delimiters
• S3 tags should not be used to configure
permissions to resources
• Instead, use keys and delimiters as described in
the previous section to emulate “folder-level
permissions”
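The slide leaves the mechanics to the previous section, so here is an added example (not from the ARC308 deck or AWS) of what emulating folder-level permissions with keys and delimiters actually involves. It builds the identity policy that gives each IAM user a private home folder in a shared bucket, using the real IAM policy variable ${aws:username}, models how ListBucket behaves with and without a delimiter, and shows the application-side mistake that undoes the whole scheme: checking a key against the user's prefix without the trailing delimiter. The bucket name corp-data, the home prefix, and the object keys are constructed for the example.

```python
"""Folder-level permissions with keys and delimiters (added example, not from the
ARC308 deck). S3 keys are flat strings; a "folder" is only a shared prefix that
ends in the delimiter. Two things matter when you emulate folder permissions:
the IAM policy must scope ListBucket with s3:prefix (and s3:delimiter, so that a
listing of "" or "home/" returns common prefixes rather than every key), and any
application-side check must compare keys against the prefix including the
trailing delimiter.
"""

DELIM = "/"
HOME = "home"   # top-level "folder" assumed for this example


def home_folder_policy(bucket):
    """Identity policy (attach to a group) giving each user a private home folder.

    ${aws:username} is a real IAM policy variable, so one document serves every
    user in the group. Statement order: navigation listing, own-folder listing,
    own-folder object access.
    """
    user_home = f"{HOME}{DELIM}${{aws:username}}{DELIM}"   # "home/${aws:username}/"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {   # lets the console/CLI show the top level and the list of home folders,
                # but only as common prefixes: s3:delimiter must be "/"
                "Sid": "NavigateToHome",
                "Effect": "Allow",
                "Action": "s3:ListBucket",
                "Resource": f"arn:aws:s3:::{bucket}",
                "Condition": {"StringEquals": {"s3:prefix": ["", f"{HOME}{DELIM}"],
                                               "s3:delimiter": DELIM}},
            },
            {   # full listing is allowed only under the user's own folder
                "Sid": "ListOwnHome",
                "Effect": "Allow",
                "Action": "s3:ListBucket",
                "Resource": f"arn:aws:s3:::{bucket}",
                "Condition": {"StringLike": {"s3:prefix": f"{user_home}*"}},
            },
            {
                "Sid": "ReadWriteOwnHome",
                "Effect": "Allow",
                "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
                "Resource": f"arn:aws:s3:::{bucket}/{user_home}*",
            },
        ],
    }


def list_objects(keys, prefix="", delimiter=None):
    """Model of ListBucket: returns (contents, common_prefixes) like the S3 API."""
    matched = sorted(k for k in keys if k.startswith(prefix))
    if delimiter is None:
        return matched, []
    contents, common = [], []
    for key in matched:
        rest = key[len(prefix):]
        cut = rest.find(delimiter)
        if cut < 0:
            contents.append(key)
        else:
            common_prefix = prefix + rest[:cut + len(delimiter)]
            if common_prefix not in common:
                common.append(common_prefix)
    return contents, common


def key_in_home_naive(key, username):
    """The common bug: prefix check without the delimiter."""
    return key.startswith(f"{HOME}{DELIM}{username}")


def key_in_home(key, username):
    """True only when key lies under home/<username>/ (delimiter included).

    Without the delimiter, alice's check also accepts "home/alice2/..." and the
    bare key "home/alice", which is how prefix-based authorisation in application
    code gets bypassed.
    """
    return key.startswith(f"{HOME}{DELIM}{username}{DELIM}")


# constructed sample keys in a shared bucket
SAMPLE_KEYS = [
    "home/alice/notes.txt",
    "home/alice2/secret.txt",
    "home/bob/report.csv",
    "shared/readme.txt",
]

if __name__ == "__main__":
    print(list_objects(SAMPLE_KEYS, "", DELIM))         # ([], ['home/', 'shared/'])
    print(list_objects(SAMPLE_KEYS, "home/", DELIM))    # only folder names, no keys
    print(list_objects(SAMPLE_KEYS, ""))                # every key: why the delimiter condition exists
    for key in SAMPLE_KEYS:
        print(f"{key:24s} naive={key_in_home_naive(key, 'alice')!s:5s} strict={key_in_home(key, 'alice')}")
```

The NavigateToHome statement still reveals the names of other users' folders as common prefixes; if even that is sensitive, drop the "home/" prefix from that statement and have clients start from their own folder. The "../" traversal problem of filesystems does not exist here, because S3 does not normalise keys, but the prefix-boundary problem is the equivalent and is just as easy to get wrong.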
Operations
Privilege Isolation & Roles
Refresher
IAM Role – Bastion Host
IAM Role – Auditing Role
Privilege Isolation: the boundaries at which access can be scoped, from coarsest to finest
• AWS Account
• IAM User/Group/Role
• Region
• Amazon VPC
• Security Group
• API Call
• Resource
IAM / Security Token Service
• STS AssumeRole
• Returned credentials are temporary: valid for one hour
• Returns an access key ID, secret access key, and session (security) token; all three must be presented together
Privilege Isolation / Resources
Resource Permissions by Service (by API call)
http://docs.aws.amazon.com/IAM/latest/UserGuide/Using_SpecificProducts.html
• Amazon DynamoDB (tables and indexes)
• AWS Elastic Beanstalk (application, applicationversion, solutionstack)
• Amazon EC2 (instance, security group, dhcp options, nacl, route table, gateways, volumes)
• Amazon Glacier (vault)
• AWS IAM (signing credentials, group, …)
• Amazon Redshift (cluster, parameter group, security group, snapshot, subnet group)
• Amazon RDS
• Amazon Route53 (hosted zone)
• Amazon S3 (bucket)
• Amazon SNS (topic)
• Amazon SQS (queue)
IAM Roles / EC2
• Role
• Instance Profile
• Identity for the instance itself
• Available to every application and user on the host: anything that can reach the instance metadata service can use the role's credentials, so scope the role to what the instance's purpose requires
IAM Roles / Instance Metadata Service
• Entitlements of credentials => IAM role
• Short-life & expiration of credentials provided by STS
• Managed rotation
• No stored credentials!
Bastion Host Configuration
• Eliminates need for individual IAM credentials
• Reduces or eliminates need for federation
• Combine with auditing of shell commands
• Control access by host / purpose
Security Auditing Configuration
• Read-only access to AWS assets
• Census picture of all assets (feed scanning & SIEM reconciliation)
• RDS & Redshift query and connection auditing
• Change detection of vital objects
Security Auditing / EC2 Read-only Policy

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "ec2:DescribeAddresses",
        "ec2:DescribeImageAttribute",
        "ec2:DescribeImages",
        "ec2:DescribeInstanceAttribute",
        "ec2:DescribeInstanceStatus",
        "ec2:DescribeInstances",
        "ec2:DescribeNetworkInterfaceAttribute",
        "ec2:DescribeNetworkInterfaces",
        "ec2:DescribeSecurityGroups",
        "ec2:DescribeSubnets"
      ],
      "Resource": [
        "*"
      ],
      "Effect": "Allow"
    }
  ]
}
Security Auditing / RDS Read-only Policy

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "rds:DescribeDBInstances",
        "rds:DescribeDBLogFiles",
        "rds:DescribeDBParameterGroups",
        "rds:DescribeDBParameters",
        "rds:DownloadDBLogFilePortion"
      ],
      "Resource": [
        "*"
      ],
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "rds:db-tag/environment": [
            "prod",
            "dr"
          ]
        }
      }
    }
  ]
}

The condition operator is StringEquals; "streq" is not an IAM operator. The rds:db-tag/environment condition key limits the grant to DB instances tagged environment=prod or environment=dr.
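An auditing role is only safe while its policies stay read-only, and a policy document that looks read-only can hide a write grant in a wildcard, a NotAction, or a mistyped condition operator. The following is an added example, not from the ARC308 deck or AWS: it carries the two auditing policies from the slides (corrected) as sample input alongside a constructed over-broad one, and checks each for actions outside a read-only verb set, Allow statements with NotAction, and condition operators IAM does not define. The READ_VERBS list and KNOWN_OPERATORS set are my own starting points, not an AWS-supplied list.

```python
"""Check that an auditing role's policies are actually read-only.

Added example, not from the ARC308 deck. EC2_READ_ONLY and RDS_READ_ONLY are the
slides' policies with the trailing comma removed and "streq" corrected to
StringEquals. validate_read_only() reports any Allow of a non-read action, any
wildcard broad enough to include writes, any Allow with NotAction, and any
condition operator that is not one IAM defines. READ_VERBS is a starting point:
on some services a "Get" action returns secret material an auditor may not need.
"""

READ_VERBS = ("Describe", "Get", "List", "Download", "View", "Search", "Lookup")

# IAM condition operators (assumed complete for the common cases; extend as needed)
KNOWN_OPERATORS = {
    "StringEquals", "StringNotEquals", "StringEqualsIgnoreCase", "StringNotEqualsIgnoreCase",
    "StringLike", "StringNotLike",
    "NumericEquals", "NumericNotEquals", "NumericLessThan", "NumericLessThanEquals",
    "NumericGreaterThan", "NumericGreaterThanEquals",
    "DateEquals", "DateNotEquals", "DateLessThan", "DateLessThanEquals",
    "DateGreaterThan", "DateGreaterThanEquals",
    "Bool", "BinaryEquals", "IpAddress", "NotIpAddress",
    "ArnEquals", "ArnLike", "ArnNotEquals", "ArnNotLike", "Null",
}

EC2_READ_ONLY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "Ec2Describe", "Effect": "Allow", "Resource": ["*"],
        "Action": ["ec2:DescribeAddresses", "ec2:DescribeImageAttribute", "ec2:DescribeImages",
                   "ec2:DescribeInstanceAttribute", "ec2:DescribeInstanceStatus",
                   "ec2:DescribeInstances", "ec2:DescribeNetworkInterfaceAttribute",
                   "ec2:DescribeNetworkInterfaces", "ec2:DescribeSecurityGroups",
                   "ec2:DescribeSubnets"],
    }],
}

RDS_READ_ONLY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "RdsReadOnlyProdAndDr", "Effect": "Allow", "Resource": ["*"],
        "Action": ["rds:DescribeDBInstances", "rds:DescribeDBLogFiles",
                   "rds:DescribeDBParameterGroups", "rds:DescribeDBParameters",
                   "rds:DownloadDBLogFilePortion"],
        "Condition": {"StringEquals": {"rds:db-tag/environment": ["prod", "dr"]}},
    }],
}

# constructed: the kind of "read-only" policy that is not
OVERBROAD = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "LooksReadOnly", "Effect": "Allow", "Resource": "*",
         "Action": ["ec2:Describe*", "ec2:TerminateInstances", "rds:*"],
         "Condition": {"streq": {"rds:db-tag/environment": "prod"}}},
        {"Sid": "Backdoor", "Effect": "Allow", "NotAction": "iam:*", "Resource": "*"},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _is_read_action(action):
    """'ec2:DescribeInstances' and 'ec2:Describe*' pass; 'ec2:*' and '*' do not."""
    if ":" not in action:
        return False
    _, verb = action.split(":", 1)
    return any(verb.startswith(prefix) for prefix in READ_VERBS)


def validate_read_only(policy):
    """Return a list of findings; an empty list means the policy is read-only."""
    findings = []
    for stmt in policy["Statement"]:
        sid = stmt.get("Sid", "<no Sid>")
        for operator in stmt.get("Condition", {}):
            base = operator.split(":")[-1]          # strip ForAllValues:/ForAnyValue:
            if base.endswith("IfExists"):
                base = base[:-len("IfExists")]
            if base not in KNOWN_OPERATORS:
                findings.append(f"{sid}: unknown condition operator {operator!r}")
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt:
            findings.append(f"{sid}: Allow with NotAction grants every action not listed")
        for action in _as_list(stmt.get("Action", [])):
            if not _is_read_action(action):
                findings.append(f"{sid}: {action} is not a read-only action")
    return findings


if __name__ == "__main__":
    for name, policy in [("EC2", EC2_READ_ONLY), ("RDS", RDS_READ_ONLY), ("OVERBROAD", OVERBROAD)]:
        print(name, validate_read_only(policy) or "OK: read-only")
```

IAM's own validation would reject the unknown operator when the policy is attached, but catching it in review is cheaper than discovering it during a deployment, and the wildcard and NotAction findings are ones IAM accepts without complaint.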
What to do after re:Invent
• Update security strategy and vision
• Map AWS features to strategic initiatives
• Integrate AWS into your security operations
• Document privilege isolation architecture
• Begin transition to IAM roles for EC2
• Enable IAM auditing role

References
• Updated Security Best Practices Whitepaper: http://media.amazonwebservices.com/AWS_Security_Best_Practices.pdf
• AWS Compliance Center: https://aws.amazon.com/compliance
• AWS Security Center: https://aws.amazon.com/security
• AWS Security Blog: http://blogs.aws.amazon.com/security/

re:Invent Related Sessions
• Come talk security with AWS - Thursday, 4-6pm in the Toscana 3605 room
• SEC308 Auto-Scaling Web Application Security and AWS - Thursday, 4:15pm
• SEC402 Intrusion Detection in the Cloud - Thursday, 5:30pm
• SEC304 Encryption and Key Management in AWS - Friday, 9:00am
• SEC306 Implementing Bulletproof HIPAA Solutions on AWS - Friday, 11:30am