AWS_Security_Essentials

© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Herman Mak, Solutions Architect
AWS Security Essentials
March 8, 2019

Schedule
1. AWS Security Model
2. AWS Compliance and Security
3. AWS Security Technologies and Services

Security is Job Zero at AWS
Familiar Security
Model
Validated and driven by
customers’ security experts
Benefits all customers
PEOPLE & PROCESS
SYSTEM
NETWORK
PHYSICAL

Network Traffic Protection
Encryption / Integrity / Identity
AWS Foundation Services
Compute Storage Database Networking
AWS Global
Infrastructure Regions
Availability Zones
Edge Locations
Optional – Opaque data: 1’s and 0’s (in transit/at rest)
Platform & Applications Management
Customer content
Customers
AWS Shared Responsibility Model: for Infrastructure Services
Managed by
Managed by
Client-Side Data encryption
& Data Integrity Authentication
AWSIAMCustomerIAM
Operating System, Network & Firewall Configuration
Server-Side Encryption
Fire System and/or Data
APIEndpoints
Mgmt
Protocols
API
Calls

Infrastructure Service Example – EC2
• Foundation Services — Networking, Compute, Storage
• AWS Global Infrastructure
• AWS API Endpoints
AWS
• Customer Data
• Customer Application
• Operating System
• Network & Firewall
• Customer IAM (Corporate Directory
Service)
• High Availability, Scaling
• Instance Management
• Data Protection (Transit, Rest, Backup)
• AWS IAM (Users, Groups, Roles, Policies)
Customers
RESPONSIBILITIES

AWS Global
Availability Zones
Edge Locations
Optional – Opaque data: 1’s and 0’s (in transit/at rest)
Firewall
Configuration
Operating System, Network Configuration
Customer content
Customers
AWS Shared Responsibility Model:for Container Services
Managed by
Managed by
Client-Side Data encryption
Network Traffic Protection
Encryption / Integrity / Identity
AWSIAMCustomerIAM
APIEndpoints
Mgmt
Protocols
API
Calls

Infrastructure Service Example – RDS
• Foundational Services –
Networking, Compute, Storage
• Platform / Application
AWS
• Customer Data
• Firewall (VPC)
• Customer IAM (DB Users, Table
Permissions)
• AWS IAM (Users, Groups, Roles,
Policies)
• High Availability
• Data Protection (Transit, Rest,
Backup)
• Scaling
Customers
RESPONSIBILITIES

AWS Global
Availability Zones
Edge Locations
Operating System, Network & Firewall Configuration
Customer content
Customers
AWS Shared Responsibility Model:
for Abstract Services Managed by
Managed by
Data Protection by the Platform
Protection of Data at Rest
Network Traffic Protection by the Platform
Protection of Data at in Transit
(optional)
Opaque Data: 1’s and 0’s
(in flight / at rest)
Client-Side Data Encryption
APIEndpoints
AWSIAM
API Calls

• Foundational Services
• Platform / Application
• Data Protection (Rest - SSE, Transit)
• High Availability / Scaling
AWS
• Customer Data
• Data Protection (Rest – CSE)
• AWS IAM (Users, Groups, Roles, Policies)
Customers
Infrastructure Service Example – S3

Summary of Customer Responsibility in the Cloud
Customer IAM
AWS IAM
Firewall
Data
AWS IAM
Data
Applications
Operating System
Networking/Firewall
Data
Customer IAM
AWS IAM
Infrastructure
Services
Container
Services
Abstract
Services

What is Identity Management?
“…the management of individual principals, their
authentication, authorization, and privileges
…with the goal of increasing security and productivity
while decreasing cost, downtime and repetitive tasks.”
(Wikipedia)

AWS Principals
• Access to specific services.
• Access to console and/or APIs.
• Access to Customer Support (Business and Enterprise).
IAM Users, Groups and Roles
• Access to specific services.
• Access to console and/or APIs.
Temporary Security Credentials
• Access to all subscribed services.
• Access to billing.
• Access to console and APIs.
• Access to Customer Support.
Account Owner ID (Root Account)

AWS Identity and Access Management (IAM)
Securely control access to AWS services and resources for your users.
Username/
User
Manage groups
of users
Centralized Access
Control
• Password for console access.
• Policies for controlling access AWS APIs.
• Two methods to sign API calls:
• X.509 certificate
• Access/Secret Keys
• Multi-factor Authentication (MFA)
Optional Configurations:

Assurance Programs

AWS Artifacts - Compliance reports
Provides customers with an easier process to obtain AWS compliance
reports with self-service, on-demand access via the console

• Amazon has been building large-scale data centers for many years.
• Important attributes:
– Non-descript facilities
– Robust perimeter controls
– Strictly controlled physical access
– Two or more levels of two-factor authentication
• Controlled, need-based access.
• All access is logged and reviewed.
• Separation of Duties
– Employees with physical access don’t have logical privileges.
AWS Responsibilities
Physical Security of Data Center

From this
To This
One last thing about data sanitization

AWS Global Infrastructure
20 Regions – 60 Availability Zones – 160 Points of presence Regions and Availability Zones
US East
N. Virginia (6)
Ohio (3)
US West
N. California (3)
Oregon (3)
Asia Pacific
Mumbai (2)
Seoul (2)
Singapore (3)
Sydney (3)
Tokyo (4)
Osaka-Local (1)
Canada
Central (2)
China
Beijing (2)
Ningxia (3)
Europe
Frankfurt (3)
Ireland (3)
London (3)
Paris (3)
Stockholm (3)
South America
São Paulo (3)
GovCloud (US)
US-East (3)
US-West (3)
New Region (coming soon)
Bahrain, Cape Town, Hong Kong SAR, Milan

VPC = Virtual Private Cloud
Your virtual data center on AWS
Block of IPs that define your
network (typically RFC 1918)
Can span multiple AZs
Default VPCs
VPC
Availability Zone A Availability Zone B
VPC CIDR: 10.1.0.0 /16

Range of IPs in your VPC IP
range
Lives inside an AZ
Can provide security at the
subnet or network level with
access control lists (ACLs)
Can route at the subnet level
Default VPC subnets
VPC subnet
Subnet
Availability Zone A
Subnet
Availability Zone B
10.1.1.0/24 10.1.10.0/24
VPC CIDR: 10.1.0.0 /16

IGW = Internet gateway
Enables your instances to
connect to the Internet
Default VPC includes an IGW
Internet gateway
Subnet
Availability Zone A
Subnet
Availability Zone B
10.1.1.0/24 10.1.10.0/24
Internet Gateway
VPC CIDR: 10.1.0.0 /16
InternetAWS Public
API Endpoints

Contains a set of rules, called
routes, that are used to determine
where network traffic is directed
Subnets have one route table
Controls routing for the subnet to
the IGW and VGW
A route table can belong to many
subnets
Route table
Subnet
Availability Zone A
Subnet
Availability Zone B
10.1.1.0/24 10.1.10.0/24
Internet Gateway
VPC CIDR: 10.1.0.0 /16
InternetAWS Public
API Endpoints
Route Table
Destination Target
10.1.0.0/16 local
0.0.0.0/0 igw

VGW = virtual private gateway
A VPG is the logical construct
representing the VPN endpoint to
terminate connections from your
on-premises network
It is also the endpoint for Direct
Connect
VGW and VPN connection
Subnet
Availability Zone A
Subnet
Availability Zone B
10.1.1.0/24 10.1.10.0/24
VPC CIDR: 10.1.0.0 /16
Internal
User
VGW
Customer Gateway
Corporate Data Center
VPN over
the Internet

NACL = network access control
list
An optional layer of security that
acts as a firewall for a subnet
A numbered list of rules that we
evaluate in order
ACLs are stateless and have
separate inbound and outbound
rules
Network access control list
VPC CIDR: 10.1.0.0 /16
EC2 EC2
VPC Subnet with ACL VPC Subnet with ACL
VPC Subnet with ACL

A security group acts as a virtual
firewall for your EC2 instance
An EC2 instance can have up to
five security groups
Security groups act at the
instance level, not the subnet
level
Security groups are stateful
Security group
Subnet: 10.1.1.0/24
VPC CIDR: 10.1.0.0 /16
Subnet: 10.1.10.0/24
EC2
Security Group
EC2

VPC security
controls
EC2
Instance 1
10.1.1.6
Route
Table
Route
Table
Internet
Gateway
Virtual Private
Gateway
Virtual Router
VPC 10.1.0.0/16
EC2
Instance 2
10.1.1.7
EC2
Instance 3
10.1.10.20

Security Groups = stateful firewall
In English: Hosts in this group are reachable
from the Internet on port 80 (HTTP)

Web Layer
Application Layer
Database Layer
Only 80 and 443 open
to Internet
Open access only to Web
Layer and ssh open to
management bastion
By default, all ports are
closed
Amazon EC2
Security Group
Firewall
Multi-tier architecture using Security Groups

Network ACLs = Stateless Firewall Rules
English translation: Allow all traffic in
Can be applied on a subnet basis

What is DDoS Attack?
Distributed Denial Of Service

Types of DDoS attacks
State-exhaustion DDoS attacks
Abuse protocols to stress systems like
firewalls, IPS, or load balancers (e.g., TCP
SYN flood)
Volumetric DDoS attacks
Congest networks by flooding them with more
traffic than they are able to handle (e.g., UDP
reflection attacks)
Application-layer DDoS attacks
Use well-formed but malicious requests to
circumvent mitigation and consume
application resources (e.g., HTTP GET, DNS
query floods)

AWS Shield Standard protections
Layer 3/4 protection
ü Protect from most common attacks
(SYN/UDP Floods, Reflection Attacks,
etc.)
ü Automatically detect & mitigate
ü Built into AWS services
Layer 7 protection
ü AWS WAF for Layer 7 DDoS attack
mitigation
ü Self-service & pay-as-you-go

AWS Shield Advanced
Always-on monitoring &
detection
Advanced L3/4 & L7 DDoS
protection
Attack notification and
reporting
24x7 access to DDoS
Response Team
AWS bill protection

AWS WAF – Layer 7 application protection
HTTP floods Scanners and
probes
SQL injection
Bots and
scrapers
IP reputation
lists
Cross-site
scripting
AWS WAF Security Automations
https://aws.amazon.com/answers/security/aws-waf-security-automations/

AWS Trusted Advisor – Real time guidance
Security configuration checks of your AWS environment:
• Open ports
• Unrestricted access
• CloudTrail Logging
• S3 Bucket Permissions
• Multi-factor auth
• Password Policy
• DB Access Risk
• DNS Records
• Load Balancer config

AWS Trusted Advisor Demo

CloudWatch Logs – Centralization of logs
CloudWatch Logs provides a centralized service to
absorb, store, analyze, and take action on a variety
of log sources.
• Operating system logs
• Webserver logs
• Application logs
Use cases
• Centralized log store
• Prevent log modification on instances
• Notifications on events

VPC Flow Logs
• Agentless
• Enable per ENI, per subnet, or per VPC
• Logged to AWS CloudWatch Logs
• Create CloudWatch metrics from log data
• Alarm on those metrics
AWS
account
Source IP
Destination IP
Source port
Destination port
Interface Protocol Packets
Bytes Start/end time
Accept or
reject

VPC Flow Logs – CloudWatch Alarms

VPC Flow Logs
• Amazon
Elasticsearch
Service
• Amazon
CloudWatch
Logs
subscriptions

Full visibility of your AWS environment
• CloudTrail will record access to API calls and save logs in your S3
buckets, no matter how those API calls were made
Who did what and when and from where (IP address)
• CloudTrail/Config support for many AWS services and growing -
includes EC2, EBS, VPC, RDS, IAM and RedShift
• Edge/CDN, WAF, ELB,VPC/Network FlowLogs
• Easily Aggregate all log information
• CloudWatch Alarms
Out of the box integration with log analysis tools from AWS
partners including Splunk, AlertLogic and SumoLogic
Full visibility and logging features

AWS CloudTrail example

Amazon
CloudWatch
Amazon
Lambda
Amazon SNS
Automate actions on events

AWS Config
Managed service for tracking AWS inventory and configuration, and configuration
change notification.
AWSConfig
EC2
VPC
EBS
CloudTrail
Change
Management
Audit
Compliance
Security
Analysis
Troubleshooting Discovery

AWS Config Demo

Data Encryption At-Rest
AWS CloudHSM AWS Key Management Service

Key handling questions for any solution
Where are keys generated and stored?
• Hardware you own?
• Hardware the cloud provider owns?
Where are keys used?
• Client software you control?
• Server software the cloud provider controls?
Who can use the keys?
• Users and applications that have permissions?
• Cloud provider applications you give permissions?
What assurances are there for proper security around keys?

Options for using encryption in AWS
Client-side encryption
• You encrypt your data before data submitted to service
• You supply encryption keys OR use keys in your AWS account
• Available clients:
• S3, EMR File System (EMRFS), DynamoDB, AWS Encryption SDK
Server-side encryption
• AWS encrypts data on your behalf after data is received by service
• 19 integrated services including S3, Snowball, EBS, RDS, Amazon Redshift, WorkSpaces,
Amazon Kinesis Firehose, CloudTrail

AWS Key Management Service (AWS KMS)
• Managed service that simplifies creation, control, rotation,
deletion, and use of encryption keys in your applications
• Integrated with many AWS services for server-side encryption
• Integrated with AWS service clients/SDKs
• S3, EMRFS, DynamoDB, AWS Encryption SDK
• Integrated with CloudTrail to provide auditable logs of key usage
for regulatory and compliance activities
• Available in all commercial regions except China

AWS KMS is fully integrated with AWS IAM

AWS KMS integration with AWS services
* Supports only AWS managed KMS keys

Bring Your Own Key
Import encrypted key material
under the KMS CMK key ID;
set optional expiration period
Import
Your key material
protected in KMS
Download a public
wrapping key
KMS
Download
RSA public key
Create customer master key
(CMK) container
Empty CMK container
with unique key ID
KMS
Creates
Export your key material
encrypted under the public
wrapping key Your key
management
infrastructure
Export
Your 256-bit key
material encrypted
under KMS public key

AWS CloudHSM
• Dedicated access to HSM appliances
• HSMs located in AWS data centers
• Managed and monitored by AWS
• Only you have access to your keys
and operations on the keys
• HSMs are inside your Amazon VPC,
isolated from the rest of the network
• Setup right from the console
CloudHSM
AWS administrator—
Manages the appliance
You—Control keys and
crypto operations
Amazon VPC

AWS CloudHSM
Available in multiple AWS regions worldwide
Compliance
• Included in AWS PCI DSS and SOC compliance packages
• FIPS 140-2 level 3 (AWS CloudHSM)
• FIPS 140-2 level 2 (AWS CloudHSM Classic)
Typical use cases
• Electronic invoicing and document signing
• Use with Amazon Redshift and RDS for Oracle
• Integrate with third-party software (Oracle, Microsoft SQL Server,
Apache, SafeNet, OpenSSL)
• Build your own custom applications

Key handling solutions from AWS Marketplace
• Browse, test, and buy encryption and key management solutions
• Pay by the hour, monthly, or annually
• Software fees added to AWS bill
• Bring Your Own License

AWS Marketplace Security Partners
Logs and
monitoring
Identity and Access
control
Configuration &
Vulnerability Analysis
Protección de
datos
Infrastructure security

AWS Marketplace Demo

Thank You
Herman Mak
Solutions Architect
Twitter: @hermanmakHK
Github: hermanmak
Submit your Feedback to get
25$ AWS Credit

AWS_Security_Essentials

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to AWS_Security_Essentials

Similar to AWS_Security_Essentials (20)

More from Amazon Web Services

More from Amazon Web Services (20)

AWS_Security_Essentials