The Department of Defense's Secure Cloud Computing Architecture (SCCA) guidance gives DoD mission owners the security requirements for building a DoD-compliant, secure application environment in the cloud. This session will review the DoD Cloud Security Requirements Guide and the DoD SCCA pillars and how they apply to AWS services. We will demonstrate how to build a DoD SCCA environment with automation and configuration management tools, and discuss how to document security control implementations. We will answer common questions such as: How do we connect to a DoD Cloud Access Point? How do we implement a least-privilege access control model? How do we automate security event notifications and remediate issues? This session is designed for both technical and information assurance professionals who want to understand the process of moving DoD systems into AWS, securing them, and getting them accredited. Learn More: https://aws.amazon.com/government-education/
2. AWS accreditations and authorizations in DoD
• AWS has achieved FedRAMP HIGH in the AWS GovCloud (US) Region
• DoD Provisional Authorizations (PA) for IL4 under the DoD Cloud Security Requirements Guide
• DoD PA for IL5 – Soon!
• Connectivity to DODIN on both the East Coast and West Coast
• NIPRNET/DREN-connected Amazon Virtual Private Clouds since 2014
3. DoD Secure Cloud Computing Architecture
• DoD Secure Cloud Computing Architecture (SCCA) Functional Requirements Document (FRD)
• Released March 9, 2017
• Replaces the Draft CAP FRD
• Provides implementation flexibility
• Freedom to architect and manage as a shared services enclave
4. DoD SCCA component functional requirements
Virtual Data Center Security Stack (VDSS)
Provides network and application security capabilities, such as an application-aware firewall and/or intrusion prevention system.
Virtual Data Center Management Stack (VDMS)
Provides system support services for mission owner environments (AD/LDAP, DNS, patch repos). Potentially CSSP offerings as well.
Trusted Cloud Credential Manager (TCCM)
An individual or entity appointed by the Authorizing Official to establish policies for controlling privileged user access to connect Virtual Private Clouds to DISN and for administering cloud services.
Cloud Access Point (CAP)
Provides network access to the cloud and boundary protection of DISN from the cloud.
5. DoD SCCA FRD recommended leveraged services model
Virtual Data Center Security Stack (VDSS)
Leveraged network and application security services:
• WAF - application-aware firewall
• Network intrusion prevention/detection system
• Network firewall w/ full packet capture
• Network flow logs
Virtual Data Center Management Stack (VDMS)
Leveraged infrastructure management support services:
• ACAS / Vulnerability scanning
• HBSS / Endpoint protection
• AD / LDAP / SSO / OCSP
• DHCP / DNS / NTP
• Patching services
• Log management
6. Moving 3-tier web app to AWS
[Diagram: the production data center (FW, LB, web, app and DB tiers) and the COOP data center are mapped onto an Amazon Virtual Private Cloud (VPC) in an AWS Region, with DMZ, App and Database subnets in Availability Zones A and B, web and app auto scaling groups, security groups, and a primary DB server in AZ A with synchronous replication to a secondary in AZ B. Legend: AZ = data center; subnet = VLAN; EC2 instance = server/VM; security group = FW; ELB = load balancer.]
7. Architectural features & AWS services
[Diagram: the same multi-AZ VPC architecture (DMZ, App and Database subnets in Availability Zones A and B, auto scaling groups, security groups, synchronous DB replication), annotated with the AWS services listed below.]
Amazon VPC
• Your private network within AWS
AWS security groups (SG)
• Host firewalls
• Network isolation at the host
AWS network ACLs (NACL)
AWS routing tables
• Network isolation at subnet
Multi-Availability Zones (AZs)
AWS Elastic Load Balancing (ELB)
AWS Auto Scaling Groups (ASG)
• High availability & failover
• Elasticity & scalability
• Synchronous replication capable
8. AWS storage & database services
[Diagram: the same multi-AZ VPC architecture, annotated with the storage and database services listed below.]
Amazon Simple Storage Service (S3)
• Highly durable object store
Amazon Elastic Block Store (EBS)
• Durable high speed storage for your servers
• 1:1 – EBS:Server/Instance
Amazon Elastic File System (EFS)
• Durable high-speed shared files system
• 1:Many – EFS:Servers/Instances
Amazon Relational Database Service (RDS)
• Fully managed database service
9. AWS log management & automation services
[Diagram: the same multi-AZ VPC architecture, annotated with the log management and automation services listed below.]
Amazon CloudWatch
• CloudWatch Logs – AWS, O/S, & app logs
• CloudWatch Alarms – monitoring & alerting
AWS CloudTrail
• Collection & logging of all AWS API calls
AWS Config
• Point-in-time snapshots of AWS configuration
AWS CloudFormation
• Define & deploy configuration as code
10. AWS supporting services
[Diagram: the same multi-AZ VPC architecture, with the connectivity path from the DoDIN through the IAP and CAP (with CND) to a co-location facility and over AWS Direct Connect to the VPC's virtual private gateway (VPG); annotated with the supporting services listed below.]
Log management, analysis, & alerting
• AWS CloudTrail
• Amazon CloudWatch
• Amazon VPC Flow Logs
Configuration management & visibility
• AWS Config
• AWS Management Console
Backup
• Amazon Simple Storage Service (S3)
• Amazon Glacier
Identity and access management
• AWS Identity and Access Management (IAM)
11. Production data center
Review your existing infrastructure components
[Diagram: production and COOP data centers, each with FW, LB, web, app and DB tiers plus a services enclave.]
Services in each data center:
• AD or LDAP
• NTP & DNS
• Bastion host
• HBSS (AV)
• ACAS (VS)
• Log management
• SIEM
• Backup
In addition to application & networking requirements, we need to address these services!
12. How do we address these infrastructure needs? → SCCA
[Diagram: the multi-AZ VPC architecture with the DoDIN → IAP → CAP (CND) → co-location → Direct Connect → VPG connectivity path, annotated with the SCCA services listed below.]
Web application firewall
Network firewall – Full packet capture
Network intrusion detection/prevention
ACAS – Vulnerability scanning
HBSS – Endpoint protection
AD / SSO / LDAP / OCSP
DNS / NTP / DHCP
Log management / SIEM
Patching services
13. SCCA architecture approach in AWS
[Diagram: within the GovCloud Region, the DoDIN connects through the IAP and CAP (with CND) to a co-location facility and over AWS Direct Connect to virtual private gateways (VGWs) for the Mission Owner Virtual Private Cloud (VPC), which holds the multi-AZ web/app/DB architecture, the Virtual Data Center Security Stack (VDSS) and the Virtual Data Center Management Stack (VDMS); an Internet connection is also shown.]
Virtual Data Center Security Stack (VDSS), across Availability Zones A and B:
• Network firewall services
• Network intrusion detection/prevention services
• Full packet capture services
• Web application firewall services
Virtual Data Center Management Stack (VDMS), across Availability Zones A and B:
• ACAS / vulnerability scanning services
• HBSS / endpoint protection services
• AD / DNS / SSO / OCSP / DHCP services
• Other shared services
14. Security is Job Zero for Amazon Web Services
Amazon is responsible for:
• Physical security
• Network security
• Platform security
• People and processes
15. But security in AWS is your job too!
You are responsible for the security of your:
• Amazon machine image
• Operating system
• Applications
• Application credentials
• Access control
• Policies and configuration
16. But security in AWS is your job too!
You are ALSO responsible for YOUR USE of AWS services:
• Selection and application
• Configuration and use
WE are here to HELP with:
• AWS best practices
• Whitepapers and configuration guides
• Training and labs
• Compliance accelerators and templates
17. Security IN the Cloud
• Resource visibility
• Identity and access management
• Logging and auditing
• Security through automation
• Network security
• Compliance through automation
21. Identity and access management
• Who has access to your infrastructure?
• What accounts exist on all the various components of the infrastructure?
22. AWS Identity and Access Management (IAM)
AWS Identity and Access Management (IAM) enables you to securely control access to AWS services and resources for your users.
Using IAM, you can create and manage AWS users, groups, and roles.
Use permissions (policies) to allow and deny users, groups, and roles access to AWS resources.
23. IAM best practices
• Lock away your AWS account (root) access keys
• Create individual IAM users
• Use groups to assign permissions to IAM users
• Configure a strong password policy for your users
• Enable MFA for privileged users
• Delegate by using roles instead of by sharing credentials
• Rotate credentials regularly
24. IAM best practices
• Grant least privilege with IAM policies
• Use roles for applications that run on Amazon EC2 instances
• Remove unnecessary credentials
• Use policy conditions for extra security
25. Auditing
• Who is accessing your resources and what are they doing with them?
26. Auditing: Use AWS CloudTrail to track API calls
Increase your visibility of what happened in your AWS environment
• CloudTrail will record API calls and save logs in your S3 buckets, no matter how those API calls were made
• Who did what and when and from what IP address
• Be notified of log file delivery using Amazon Simple Notification Service
• Support for many AWS services, including EC2, EBS, VPC, RDS, IAM, AWS STS, and Amazon Redshift
• Aggregate log information into a single S3 bucket
• Out-of-the-box integration with log analysis tools from AWS partners, including Splunk, Alert Logic, and Sumo Logic
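As an added example (not from the deck), a small Python audit that reads a CloudTrail log file in the JSON "Records" shape CloudTrail delivers to S3 and flags the events an IA team would want to be notified about: any use of root credentials, and any IAM-changing call, noting when the caller's session was not MFA-authenticated. The log records are constructed for illustration; the account ID, ARNs and IP addresses are placeholders.

```python
import json
# Constructed sample CloudTrail log file (not captured from a real account): one
# root-credential call, one IAM change without MFA, one routine S3 read with MFA.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventID": "evt-1", "eventTime": "2017-06-01T12:00:00Z",
     "eventSource": "ec2.amazonaws.com", "eventName": "RunInstances",
     "sourceIPAddress": "192.0.2.10",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"}},
    {"eventID": "evt-2", "eventTime": "2017-06-01T12:05:00Z",
     "eventSource": "iam.amazonaws.com", "eventName": "AttachUserPolicy",
     "sourceIPAddress": "192.0.2.11",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice",
                      "sessionContext": {"attributes": {"mfaAuthenticated": "false"}}}},
    {"eventID": "evt-3", "eventTime": "2017-06-01T12:10:00Z",
     "eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "sourceIPAddress": "192.0.2.12",
     "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::111122223333:assumed-role/Ops/bob",
                      "sessionContext": {"attributes": {"mfaAuthenticated": "true"}}}},
]})

# Services whose write calls change who may do what; Get*/List*/Describe* reads are ignored.
PRIVILEGED_SOURCES = {"iam.amazonaws.com", "sts.amazonaws.com", "organizations.amazonaws.com"}

def mfa_authenticated(identity):
    """CloudTrail records MFA state as the string "true"/"false" under sessionContext."""
    attrs = identity.get("sessionContext", {}).get("attributes", {})
    return attrs.get("mfaAuthenticated") == "true"

def audit_record(rec):
    """Return the reasons (possibly none) a single CloudTrail record deserves an alert."""
    ident = rec.get("userIdentity", {})
    reasons = []
    if ident.get("type") == "Root":
        reasons.append("root credentials used")
    is_write = not rec["eventName"].startswith(("Get", "List", "Describe"))
    if rec["eventSource"] in PRIVILEGED_SOURCES and is_write:
        reasons.append("IAM change: " + rec["eventName"])
        if not mfa_authenticated(ident):
            reasons.append("privileged action without MFA")
    return reasons

def audit_cloudtrail(log_text):
    """Parse one CloudTrail log file and return the records that need attention."""
    findings = []
    for rec in json.loads(log_text)["Records"]:
        reasons = audit_record(rec)
        if reasons:
            findings.append({"eventID": rec["eventID"], "when": rec["eventTime"],
                             "who": rec.get("userIdentity", {}).get("arn"),
                             "from": rec.get("sourceIPAddress"), "reasons": reasons})
    return findings
```

The same function body can run inside a Lambda triggered by CloudTrail's S3 delivery notification, with findings pushed to an SNS topic for the alerting the deck describes.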
27. Amazon VPC
Amazon Virtual Private Cloud (Amazon VPC) lets you provision a logically isolated section of the Amazon Web Services (AWS) Cloud where you can launch AWS resources in a virtual network that you define.
28. Use cases enabled by VPC
Extending DODIN: Bring your own NIPRNET/DREN IP space into AWS
Communicate with other Amazon VPCs: Use VPC peering to communicate across the AWS network infrastructure
Layered security: Use subnets, route tables, and NACLs to control access to your resources
29. VPC defense in depth for the endpoint
• VPC adds network access control lists (ACLs):
  • (Optional) layer of security that acts as a stateless firewall for controlling traffic in and out of a subnet
  • Port/protocol defined with Action (Allow/Deny)
• Security groups
  • Stateful virtual firewall applied to an instance (e.g., EC2, ELB)
  • Traffic must be explicitly specified by protocol, port, and security group
  • Can reference other security group(s) in Inbound Source and/or Outbound Destination
• OS Firewall (e.g., iptables) may be implemented
  • Completely user-controlled security layer
  • Granular access control of discrete hosts
  • Logging network events
[Diagram: inbound traffic to an EC2 instance in a Region passes the VPC network ACLs, then the AWS security group, then the OS firewall.]
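As an added example, not from the deck: a Python check that compares the inbound rules of a three-tier set of security groups (in the IpPermissions shape returned by the EC2 DescribeSecurityGroups API) against the intended tier chain LB → web → app → DB, and reports any extra source, such as a DB port opened to 0.0.0.0/0. The group IDs and rules are constructed placeholders, and the misconfigured DB rule is included deliberately so the audit has something to find.

```python
# Constructed 3-tier security groups in the IpPermissions shape returned by the EC2
# DescribeSecurityGroups API. Group IDs are placeholders, not real resources.
SG_LB, SG_WEB, SG_APP, SG_DB = "sg-lb000001", "sg-web00002", "sg-app00003", "sg-db000004"

GROUPS = {
    SG_LB:  [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
              "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []}],
    SG_WEB: [{"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,
              "IpRanges": [], "UserIdGroupPairs": [{"GroupId": SG_LB}]}],
    SG_APP: [{"IpProtocol": "tcp", "FromPort": 8443, "ToPort": 8443,
              "IpRanges": [], "UserIdGroupPairs": [{"GroupId": SG_WEB}]}],
    SG_DB:  [{"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
              "IpRanges": [], "UserIdGroupPairs": [{"GroupId": SG_APP}]},
             # Deliberate misconfiguration for the audit to catch: DB port open to the world.
             {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
              "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []}],
}

# Intended tier chain: each group should admit exactly one source group on one port.
INTENDED = {SG_WEB: (SG_LB, 8080), SG_APP: (SG_WEB, 8443), SG_DB: (SG_APP, 5432)}

def sources_for(groups, sg_id, port):
    """Every source (group id or CIDR) whose inbound rule on sg_id covers tcp/port."""
    found = set()
    for rule in groups.get(sg_id, []):
        if rule["IpProtocol"] not in ("tcp", "-1"):
            continue  # udp/icmp rules cannot reach a TCP service port
        lo, hi = rule.get("FromPort", 0), rule.get("ToPort", 65535)
        if rule["IpProtocol"] == "-1" or lo <= port <= hi:  # "-1" means all traffic
            found.update(p["GroupId"] for p in rule.get("UserIdGroupPairs", []))
            found.update(r["CidrIp"] for r in rule.get("IpRanges", []))
    return found

def audit_groups(groups, intended):
    """Compare actual inbound reachability with the intended chain; return findings."""
    findings = []
    for sg_id, (src, port) in intended.items():
        actual = sources_for(groups, sg_id, port)
        if src not in actual:
            findings.append(f"{sg_id}: tcp/{port} not reachable from {src}")
        for extra in sorted(actual - {src}):
            findings.append(f"{sg_id}: tcp/{port} also open to {extra}")
    return findings
```

Feeding the audit with live DescribeSecurityGroups output on a schedule is one way to answer the deck's "can you verify it is still configured the way you intended?" question.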
30. VPC Flow Logs
• See all of the traffic at your instances
• Visibility into effects of security group rules
• Troubleshooting network connectivity
• Ability to analyze traffic
• At VPC, subnet, and ENI level
33. DoD IL4/5 Web Application Reference Architecture
[Diagram: the DODIN/NIPRNET connects through the IAP and a BCD-managed CAP at a co-location facility, over Direct Connect to a Virtual Private Gateway in the AWS Region. Inside the Region: a CSSP-managed VDMS/CSSP enclave (HBSS server, ACAS server), a VDSS, mission VLAN(s) holding the DoD mission owner web application across public and private subnets, CAP/CSSP internal routing, admin and user access paths, and private S3 access for static web content, logs, and snapshots; Internet access to the web application is also shown.]
34. Security through automation
• Is your infrastructure configured the way you intended?
• Can you verify it is still configured the way you intended?
35. Security through automation
Programmable infrastructure means that infrastructure can for the first time be scripted, code-reviewed, and checked into a source control system
– "Infrastructure as code" taken seriously can massively improve security posture
– SDL (secure development lifecycle) now applies to infrastructure
36. AWS CloudFormation
AWS CloudFormation gives developers and systems administrators an easy way to create and manage a collection of related AWS resources, provisioning and updating them in an orderly and predictable fashion.
37. Use cases enabled by CloudFormation
• Security templates: Start with a known good security configuration
• Infrastructure management: Manage collections of resources as stacks
• Audit: Compare what you do have to what you should have
38. Compliance through automation
• How can you get your system ATO faster?
• Answer: Develop automation around your system build, artifact generation, and documentation.
• Are there any reference architectures available to automate the build of the DoD SCCA and the documentation process?
• Answer: Yes!
39. How Does AWS make this easy?
The Enterprise Accelerator Compliance Quick Start
https://aws.amazon.com/quickstart
44. Deployment options
AWS Management Console
CLI deployment
− Deployment scripts included with package
AWS Service Catalog (where available)
− As a Service Catalog “Product”
45. Enlighten IT
DoD Tactical – Enterprise "Big Data" Analytics in AWS
Finding unique needles within piles of needles since 2012
46. Mission speed cyber security
Deployed three Big Data Platform (BDP) Analytic Clouds in two days
• Used Enlighten's Rapid Analytic Deployment and Management Framework (RADMF.com) to speed the deployment
Utilize S3 and Amazon Glacier (COOP) storage environments
Utilize EMR for PCAP processing
Currently running 50+ analytics and data visualization capabilities
Ingested 50+ mission data types
Utilize AWS Snowball Edge for secure data transport from mission site
Received 300 TB of mission data in less than 90 days, on track for 1 PB
47. Accreditation success
Mission need drove accreditation timeline
Utilized existing accreditation packages where applicable
• BDP’s DIACAP ATO being converted to RMF
• AWS GovCloud FedRAMP High
Adapted to DAO’s requests
• VPCs
• Security controls around PCAP
• Whitelist IP access
• Continuous monitoring (log file analysis)
Completed SSP & CONOPS within two weeks