AWS is architected to be one of the most flexible and secure cloud computing environments available today. It provides an extremely scalable, highly reliable platform that enables customers to deploy applications and data quickly and securely. When using AWS, not only are infrastructure headaches removed, but so are many of the security issues that come with them.

1. AWS Security Best Practices &
Design Patterns
Bill Shinn
Principal Security Solutions Architect

2. 1. Network Security Best Practices
2. Security Design Patterns
3. Reducing the Use of Long-term, Privileged Credentials

3. 1. Network Security Best Practices
2. Security Design Patterns
3. Reducing the Use of Long-term, Privileged Credentials

4. AWS lets customers choose where their content goes
Region
US-WEST (N. California) EU-WEST (Ireland)
ASIA PAC
(Tokyo)
ASIA PAC
(Singapore)
US-WEST (Oregon)
US-EAST (Virginia)
SOUTH AMERICA (Sao
Paulo)
GOV CLOUD
ASIA PAC
(Sydney)

5. Take advantage of high availability in every Region
Availability Zone
US-WEST (N. California) EU-WEST (Ireland)
ASIA PAC
(Tokyo)
ASIA PAC (Bejing)
ASIA PAC
(Singapore)
US-WEST (Oregon)
US-EAST (Virginia)
SOUTH AMERICA (Sao
Paulo)
GOV CLOUD
ASIA PAC
(Sydney)

6. Use edge locations to serve content close to your customers
Edge Locations
Seattle
Los Angeles (2) Jacksonville
Dallas(2)
St.Louis
Miami
Palo Alto
London(2)
Ashburn(2)
Newark
New York (2)
Dublin
Amsterdam
Stockholm
Frankfurt(2)
Paris(2)
Singapore(2)
Tokyo
Hong Kong
Sao Paulo
South Bend
San Jose
Osaka
Milan
Sydney
Mumbai
Chennai

7. Amazon EC2 Instance Isolation
Customer 1
Customer 2 Customer n …
Physical Interfaces
Hypervisor
Virtual Interfaces
…
Firewall
Customer 1
Security Groups
Customer 2
Security Groups
Customer n
Security Groups

8. Web Tier
Application Tier
Database Tier
Only specific ports
open to the Internet
Staff can limit app tier
access to a
bastion/management tier
Sync with on-premises
All other Internet ports
blocked by default
database
Amazon EC2
Security Group
Firewall
VPC Security Groups

9. VPC Network Security Controls

10. VPC Hybrid Architecture

11. Defense-in-Depth Architecture
Corporate Data center
Internet
Existing
Perimeter
Internet
Gateway
AWS Direct
Connect
VPN Security Stack
Customer
GW

12. DB Tier App Tier Web Tier Protect Tier
Route Table
IAM
NACL
Internet
Gateway
VPN
Internet
Existing
Perimeter
Security
Stack
Corporate
Data center
VPN
AWS
DX CGW
Network Protection

13. DB Tier App Tier Web Tier Protect Tier
IAM
Internet
Gateway
VPN
Internet
Existing
Perimeter
Security
Stack
Corporate
Data center
VPN
AWS
DX CGW
Instance
Auto Scaling
Host Security
Software
SSH Keys
Managed
Encryption
AMIs
Bastion Host Bootstrapping
CloudFront
Load Distro
Penetration
Testing
Instance Protection

14. DB Tier App Tier Web Tier Protect Tier
IAM
Internet
Gateway
VP
N
Internet
Existing
Perimeter
Security
Stack
Corporate
Data center
VPN
AWS
DX CGW
Database
Oracle TDE
MySQL, MS-SQL
SSL
Oracle NNE
Redshfit
Cluster
Encryption
RDS Auto
Minor Patching
SQL SSL
Clients
DynamoDB,
SimpleDB SSL
EMR Job Flow
Roles
Database Protection

15. DB App Web Protect
In-line Threat Management:
Bastion Host
Protect Tier Bastion

16. DB App Web Protect
In-line Threat Management:
IPS/IDS NAT HA
EIP
1
EIP
2
IPS NAT Layer
EIP
3
EIP
4
App Layer
IPS NAT Layer
App Layer
Availability Zone A Availability Zone B

17. DB Tier App Tier Web Tier Protect Tier
IAM
S3
CloudFront
Route Table
NACL
Internet
Gateway
Internet
Existing
Perimeter
Security
Stack
VPN Corporate
Data center
VPN
AWS
DX CGW

18. End Users/Students/Researchers Internet
VPC CIDR 10.10.0.0/16
Gateway
AZ A AZ B
VPC Public Subnet 10.10.1.0/24 VPC Public Subnet 10.10.2.0/24
Public ELB
Autoscaling
Web Tier
Internal ELB
Autoscaling
Application Tier
VPC Private Subnet 10.10.3.0/24 VPC Private Subnet 10.10.4.0/24
RDS
Master
RDS
Standby
Snapshots
VPC Private Subnet 10.10.5.0/24 VPC Private Subnet 10.10.6.0/24
Web App Hosting
in VPC
Multi-AZ RDS
Data Tier
Existing
Datacenter
VPN Connection
Virtual
Private
Gateway
Customer
Gateway
Or
Direct Connect
Network
Partner
Location
Administrators &
Campus Users
Static/
Streaming
Content
CloudFront
S3

19. Internet
Route 53 Gateway
AZ A AZ B
SG: ELBSecurityGroup
VPC Public Subnet 10.40.1.0/24 Public ELB in
VPC Public Subnet 10.40.2.0/24
TCP mode w/ Proxy Protocol
SG:
HAProxySecurityGroup
HAProxy tier – if needed, session state
managed via client-side cookie inserted by
HAProxy. HAProxy nodes route to web server
where user session exists, regardless of
which HAProxy instance ELB directs client to.
SSL termination/re-encryption. Keys stored in
S3, retrieved by CloudFormation at system
launch using entitlements of IAM role for EC2.
Support for Proxy Protocol, x-forwarded-for,
and JSESSION cookie (appsession) for sticky
sessions via hashtable if needed.
HAProxy/
Public
SSL
HAProxy/P
ublic SSL
HAProxy/P
ublic SSL
HAProxy/P
ublic SSL
VPC Private Subnet 10.40.3.0/24 VPC Private Subnet 10.40.4.0/24
Tomcat/P
rivate
SSL
Tomcat/P
rivate
SSL
Tomcat/P
rivate
SSL
Tomcat/P
rivate
SSL
SG: WebSecurityGroup
HAProxy tier performs backend encryption
between HAProxy nodes and Tomcat nodes.
Keys stored in S3, retrieved by
CloudFormation at system launch using
entitlements of IAM role for EC2.
VPC Private Subnet 10.40.5.0/24 VPC Private Subnet 10.40.6.0/24

20. Internet
Route 53 Gateway
AZ A AZ B
SG: HAProxySecurityGroup
HAProxy tier – if needed, session state
managed via client-side cookie inserted by
HAProxy. HAProxy nodes route to web server
where user session exists, regardless of
which HAProxy instance ELB directs client to.
SSL termination/re-encryption. Keys stored in
S3, retrieved by CloudFormation at system
launch using entitlements of IAM role for EC2.
Support for Proxy Protocol, x-forwarded-for,
and JSESSION cookie (appsession) for sticky
sessions via hashtable if needed.
HAProxy/
Public
SSL
HAProxy/P
ublic SSL
HAProxy/P
ublic SSL
HAProxy/P
ublic SSL
VPC Public Subnet 10.40.3.0/24 VPC Public Subnet 10.40.4.0/24
Tomcat/P
rivate
SSL
Tomcat/P
rivate
SSL
Tomcat/P
rivate
SSL
Tomcat/P
rivate
SSL
SG: WebSecurityGroup
HAProxy tier performs backend encryption
between HAProxy nodes and Tomcat nodes.
Keys stored in S3, retrieved by
CloudFormation at system launch using
entitlements of IAM role for EC2.
VPC Private Subnet 10.40.5.0/24 VPC Private Subnet 10.40.6.0/24

21. VPC Best Practices
Leverage existing governance
• Address space allocation
• Internet access policies
• Management of routing protocol and route advertisements
IAM policies for VPC actions
• Separation of duties
• Authentication & authorization enforcement
Network Filtering
• Use security groups for stateful network packet filtering
• Use stateless network ACLs for separation of duties and coarse-grained
management
Connecting VPCs
• Hub and Spoke using Direct Connect
• VPN Hub and Spoke
• VPC Peering

22. EC2 Resource Permissions
Assign permissions to EC2 Resources
Instance
Snapshot
Volume
Combine with existing permissions and policies based on EC2 Actions
to create extremely fine-grained polices for managing AWS resources.
Leverage Tagging and attribute-driven conditions
Tags such as “Production” or “AppName”
Overlay organizational structure such as cost centers or departments
Require dedicated tenancy as a condition
Additional EC2 resources and conditions added through 2014.

23. 1. Network Security Best Practices
2. Security Design Patterns
3. Reducing the Use of Long-term, Privileged Credentials

24. Agile Network Architecture
Update and change private network
addressing, subnets, route tables and
administrative control of network functions
to move systems and applications in
response to vulnerabilities, regulatory
changes, project partnerships, etc.
Security
Groups
Use named security groups to logically
control access between systems of like
trust or based on data classification.
Security attributes of system move with
the system independent of network
location. Relocate systems via API call to
address changing threat environment.
Amazon VPC
+

25. Non-Persistent Platforms
Auto-scaling groups will ensure that
capacity is predictable while you rotate
out portions of the environment. You can
also swap out the base AMI in an auto-scaling
launch configuration with a freshly
patched one, then progressively kill off
stale instances.
Changing the paradigm of what a target
or attack surface looks like. Automation
around Amazon Machine Image creation
and bootstrapping with tools like AWS
OpsWorks, Amazon Elastic Beanstalk,
Chef or Puppet means you can constantly
lay down a moving target.
Amazon Auto-scaling
Groups
AWS Elastic
Compute Cloud
+

26. Standardized Environments & Change Detection
AWS SDKs
Interrogate and describe entire
environment with Java, Python, .NET,
Ruby, PHP or other SDKs. Detect change
in standardized environment
programmatically and integrate with
existing asset and SIEM workflows.
Use CloudFormation to create an
environment that mirrors your security
standards. One API call results in
hardened AMIs with base security
controls installed, predictable firewall and
network configuration, and appropriately
defined access and roles.
+
AWS
CloudFormation

27. Instance Identity
Security token service generates unique
credentials and constantly rotates an
additional token.
Identity and Access Management roles for
EC2 instances provide entitlements to the
instance itself. Credentials are presented
through a RESTful meta-data service
accessible only on the local host.
Credentials can be leveraged by apps
that need to call AWS APIs, retrieve data
from S3, etc. Native integration with SDKs
and CLI tools.
Security Token Service
+
Identity
Management

28. Consolidated API Logging
Log archival solution for life-cycle
management.
CloudTrail provides increased visibility
into your user activity by recording AWS
API calls. Integration with Amazon SNS
and ecosystem partners facilitates
analytics.
Provides logging up and down the stack
in one place (storage, networking,
instances, identity).
Amazon S3 + Glacier
+
AWS CloudTrail