The document discusses security at scale on AWS. It covers several topics:
- AWS security controls including over 70 services, 7,710 audit artifacts and 3,030 audit requirements.
- How AWS handles security at scale through automation, ubiquitous logging and encryption, and rapid detection and response times of under 10 minutes on average.
- AWS services that can help with security including IAM, CloudTrail, GuardDuty, and AWS Config rules.
- Reference architectures that show how to scale infrastructure securely including using multiple availability zones and services like Route 53, S3, CloudFront, and Lambda.
6. Security Ownership as Part of DNA
• Promotes a culture of “everyone is an owner” for security
• Makes security a stakeholder in business success
• Enables easier and smoother communication
(Diagram labels: Distributed, Embedded)
8. Technology to Automate Operational Principles
• Visibility through log analytics
• Shrinking the protection boundaries
• Ubiquitous encryption
9. How AWS Handles Security at Scale
(Diagram components: Work generator; Corp S3; Lambda (async); Scan target; Lambda (sync); Results processor; SNS)
10. How Fast is the Analysis?
• Scan cadence: continual! (not batch)
• Mean time to detect & respond = ~7.5 minutes
  • ~5 min for CloudTrail log file to be produced
  • ~0 min for scan to begin (on order of seconds!)
  • ~0 min scan time (on order of milliseconds!)
  • ~2.5 min for results processor to ticket (runs every 5 min*)
• Worst case: ~10 minutes
• Best case: ~5 minutes
11. Autoticketing
• Find and close gaps in security monitoring
• Be highly accurate and actionable
• Deliver results with low latency
12. How do we make it even faster?
• Drink our own ale! CloudWatch Events
• Increase result processor run frequency
  • It takes < 1 minute per run on average
  • Change invocation to run every minute
  • New worst case = 1 minute
• MTTD ≤ 1 minute
• (For your own use: see e.g. https://github.com/capitalone/cloud-custodian)
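The scan step of the pipeline in slides 9 to 12, as an added illustration (not AWS's own scanner code): a Lambda-style sync scan target that reads one delivered CloudTrail log file, flags the API calls that open a gap in security monitoring (CloudTrail or Config being stopped or deleted), and returns the findings a results processor would ticket. The sample records, the account id and ARNs, the event list and the `handler` entry point are constructed for this example; a real deployment would fetch the object from S3.

```python
import gzip
import json

# Constructed sample CloudTrail log file in the shape CloudTrail delivers to S3
# (JSON with a "Records" array, gzipped). Account id and ARNs are placeholders.
SAMPLE_RECORDS = {"Records": [
    {"eventTime": "2017-05-01T10:00:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "awsRegion": "eu-west-1",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"},
     "requestParameters": {"name": "corp-trail"}},
    {"eventTime": "2017-05-01T10:00:05Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "awsRegion": "eu-west-1",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"}},
    {"eventTime": "2017-05-01T10:01:00Z", "eventSource": "config.amazonaws.com",
     "eventName": "StopConfigurationRecorder", "awsRegion": "eu-west-1",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:role/deployer"}},
]}

# (eventSource, eventName) pairs that open a gap in security monitoring.
MONITORING_GAP_EVENTS = {
    ("cloudtrail.amazonaws.com", "StopLogging"),
    ("cloudtrail.amazonaws.com", "DeleteTrail"),
    ("config.amazonaws.com", "StopConfigurationRecorder"),
    ("config.amazonaws.com", "DeleteConfigurationRecorder"),
}

def build_log_file(records: dict) -> bytes:
    """Serialise records the way CloudTrail does: gzipped JSON."""
    return gzip.compress(json.dumps(records).encode())

def scan_log_file(blob: bytes) -> list:
    """Scan one delivered log file; return one finding per monitoring-gap event."""
    records = json.loads(gzip.decompress(blob).decode()).get("Records", [])
    findings = []
    for rec in records:
        if (rec.get("eventSource"), rec.get("eventName")) not in MONITORING_GAP_EVENTS:
            continue
        findings.append({
            "title": f"monitoring gap: {rec['eventName']} on {rec['eventSource']}",
            "time": rec.get("eventTime"),
            "region": rec.get("awsRegion"),
            "actor": rec.get("userIdentity", {}).get("arn", "unknown"),
            "params": rec.get("requestParameters", {}),
        })
    return findings

def handler(event, context=None):
    """Lambda-style sync scan target. Assumption for this example: the event carries
    the log file bytes under "log_file"; a real deployment would fetch it from S3."""
    return {"findings": scan_log_file(event["log_file"])}
```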
13. I wish I was a Solid State Drive in someone else’s Datacentre…
27. Flow Log Record Structure
Fields, in order:
• Event-Version
• Account Number
• ENI-ID
• Source-IP
• Destination-IP
• Source-Port
• Destination-Port
• Protocol Number
• Number of Packets
• Number of Bytes
• Start-Time Window
• End-Time Window
• Action
• State
Example record:
2 123456789 eni-31607853 172.16.0.10 172.16.0.172 80 41707 6 1 40 1440402534 1440402589 ACCEPT OK
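An added parser for the record structure above (example code, not from the slides): it types each field in the order listed, tolerates the “-” placeholders that NODATA records carry in place of traffic fields, and shows one check a defender would run over the parsed records. The first sample line is the slide’s own record; the second and third are constructed.

```python
from typing import List, Optional

# Field names in the order a version-2 VPC flow log record lists them
# (the structure on the slide above).
FLOW_LOG_FIELDS = [
    "version", "account_id", "interface_id", "srcaddr", "dstaddr",
    "srcport", "dstport", "protocol", "packets", "bytes",
    "start", "end", "action", "log_status",
]
INT_FIELDS = {"version", "srcport", "dstport", "protocol", "packets", "bytes", "start", "end"}

# Sample records: the slide's own ACCEPT line, plus a constructed REJECT line
# (inbound SSH from a documentation-range address) and a constructed NODATA line.
SAMPLE_LINES = [
    "2 123456789 eni-31607853 172.16.0.10 172.16.0.172 80 41707 6 1 40 1440402534 1440402589 ACCEPT OK",
    "2 123456789 eni-31607853 203.0.113.5 172.16.0.10 51234 22 6 3 180 1440402600 1440402610 REJECT OK",
    "2 123456789 eni-31607853 - - - - - - - 1440402700 1440402760 - NODATA",
]

def parse_flow_log_record(line: str) -> dict:
    """Parse one space-separated flow log record into a typed dict.

    NODATA / SKIPDATA records carry '-' in the traffic fields; those become
    None instead of failing the int() conversion.
    """
    parts = line.split()
    if len(parts) != len(FLOW_LOG_FIELDS):
        raise ValueError(f"expected {len(FLOW_LOG_FIELDS)} fields, got {len(parts)}")
    record = {}
    for name, value in zip(FLOW_LOG_FIELDS, parts):
        if value == "-":
            record[name] = None
        elif name in INT_FIELDS:
            record[name] = int(value)
        else:
            record[name] = value
    # Length of the aggregation window this record covers, in seconds.
    record["duration_s"] = record["end"] - record["start"]
    return record

def rejected_inbound(records: List[dict], port: int, protocol: int = 6) -> List[dict]:
    """Records where a security group / NACL rejected traffic to the given port.

    A burst of these against e.g. port 22 is a cheap, high-signal alert source.
    """
    return [
        r for r in records
        if r["action"] == "REJECT" and r["dstport"] == port and r["protocol"] == protocol
    ]
```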
35. Introducing AWS Organizations
Policy-based management for multiple AWS accounts.
• Control AWS service use across accounts
• Consolidate billing
• Automate AWS account creation
36. Industry Best Practices for Securing AWS Resources
CIS Amazon Web Services Foundations
• Architecture-agnostic set of security configuration best practices
• Provides step-by-step implementation and assessment procedures
41. More on SCPs
But:
• You don't have to apply an SCP before you populate your account with assets...
• This lends the idea of "immutable infrastructure" to other services (including Serverless), from the point of view of the child accounts, e.g.:
  • S3 websites which can't have their contents changed
  • Lambda functions which are invoke-only "black boxes"
  • ACM cert / key pairs which can't be deleted
  • Prevent CloudTrail, Config ever being turned off
  • ...
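As an added illustration of the "immutable infrastructure" SCP idea above (a constructed example, not an AWS or Luno policy): a deny-only SCP covering the resources the slide lists, plus a simplified matcher that reports which statement would block a given API call from a child account. The bucket name and statement Sids are placeholders; NotAction, Condition and the allow side of SCP evaluation are not modelled.

```python
import fnmatch
from typing import Optional

# Constructed SCP in the AWS policy JSON shape. Denies the calls that would turn
# off logging/auditing or mutate the "immutable" resources from the slide.
# The bucket ARN is a placeholder.
IMMUTABLE_INFRA_SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "KeepAuditOn", "Effect": "Deny",
         "Action": ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail",
                    "config:StopConfigurationRecorder", "config:DeleteConfigurationRecorder"],
         "Resource": "*"},
        {"Sid": "FreezeWebsiteBucket", "Effect": "Deny",
         "Action": ["s3:PutObject", "s3:DeleteObject*"],
         "Resource": "arn:aws:s3:::example-static-site/*"},
        {"Sid": "LambdaInvokeOnly", "Effect": "Deny",
         "Action": ["lambda:UpdateFunction*", "lambda:DeleteFunction"],
         "Resource": "*"},
        {"Sid": "KeepCerts", "Effect": "Deny",
         "Action": "acm:DeleteCertificate", "Resource": "*"},
    ],
}

def _as_list(value):
    """IAM allows a string or a list for Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]

def scp_denies(policy: dict, action: str, resource: str = "*") -> Optional[str]:
    """Simplified SCP check: the Sid of the first Deny statement whose Action
    (case-insensitive) and Resource match, using IAM's '*' and '?' wildcards,
    or None when no Deny applies.

    Only explicit Deny with Action/Resource is modelled; NotAction, Condition
    and the allow-list side of SCP evaluation are out of scope here.
    """
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Deny":
            continue
        action_hit = any(fnmatch.fnmatchcase(action.lower(), a.lower())
                         for a in _as_list(stmt["Action"]))
        resource_hit = any(fnmatch.fnmatchcase(resource, r)
                           for r in _as_list(stmt["Resource"]))
        if action_hit and resource_hit:
            return stmt["Sid"]
    return None
```

Pass the actual resource ARN when checking a resource-scoped statement; with the default "*" only statements whose Resource is "*" can match.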
60. Security + DevOps = DevSecOps
DevOps = Efficiencies that speed up this lifecycle
DevSecOps = Validate building blocks without slowing lifecycle
(Diagram labels: Software development lifecycle (plan, build, test, release, monitor); delivery pipeline from developers to customers; feedback loop; Security)
61. CI/CD for DevOps
(Diagram labels, grouped by stage: Version Control (Dev commits to Git/master); CI Server (Get / Pull Code, Distributed Builds, Run Tests in parallel, Send Build Report to Dev, Stop everything if build failed); Package Builder (Create Repo, AMIs); Deploy Server (Generate CloudFormation Templates for Environment, Push Config, Install Code / Config / Tests into Test Env, Staging Env, Prod Env))
69. New Security and Compliance Webinar Series
Getting Started with AWS Security: https://www.brighttalk.com/webcast/9019/256391
AWS Security Checklist: https://www.brighttalk.com/webcast/9019/257297
Automating Security Event Response: https://www.brighttalk.com/webcast/9019/258547
Compliance with AWS – Verifying AWS Security: https://www.brighttalk.com/webcast/9019/260695
Securing Enterprise Big Data Workloads: https://www.brighttalk.com/webcast/9019/261911
Architecting Security across Multi-Acct Architectures: https://www.brighttalk.com/webcast/9019/261915
AWS Security Best Practices: https://www.brighttalk.com/webcast/9019/264011
Software Security and Best Practices: https://www.brighttalk.com/webcast/9019/264917
72. Luno
• Bitcoin for everyone, everywhere
• Engineering team in Cape Town
• Offices in London, Cape Town and Singapore
• Customers in Europe, Africa and South-East Asia
• https://www.luno.com
74. Introduction to Bitcoin
• Decentralised digital currency based on cryptography
• Uses a “blockchain” to record transactions on a decentralised ledger
• Uses public-key cryptography to authorise transactions
• Critically: The private key is required to sign transactions. If an attacker accesses a private key, they can steal the funds attached to it.
75. Challenges
Many Bitcoin companies have been hacked in the past:
• MtGox 2014 $7M stolen
• Bitstamp 2015 $5M stolen
• Bitfinex 2016 $70M stolen
Security is a massive existential priority.
Luno has never been hacked (but not for lack of trying).
76. How to store Bitcoin securely
When you’re securing something as critical as Bitcoin, you can’t trust anyone.
• Key splitting: Require multiple counterparties to sign transactions
• Airgaps: Store keys on computers without internet access
• Physical vaults: Store private keys split between multiple bank vaults and countries
• Multiple people: Design systems so that multiple people are always required to access keys and approve transactions
• Redundant layers: Have redundant layers so that any attacks on one layer are still blocked at other layers
77. Security using AWS
• Virtual Private Cloud (VPC): Isolated network, use VPN to access
• Security Groups: Set up fine-grained firewall rules to whitelist network access between instances
• Identity and Access Management (IAM): Fine-grained control over access permissions for users and API keys
• Elastic Load Balancer (ELB), CloudFront: Mitigate DDoS by scaling
• AWS Certificate Manager (ACM): Issue SSL certificates for ELBs quickly and easily
• CloudTrail Logs: Centralized log aggregation
78. Luno architecture
• Microservice architecture
• Docker containers running on EC2 instances
• Backends are all written in Go
• MySQL instances on RDS
• Cape Town engineering team
(Diagram components: Bitcoin; Banks; Load Balancers (ELB); VPN; MySQL (RDS); Redis (ElastiCache); Storage (S3); Frontends (EC2/Docker/Go); Backends (EC2/Docker/Go); Monitoring (Cloudwatch+Prometheus); GRPC; VPC)
79. Impact of AWS
Implementing the necessary security procedures by leveraging AWS services like security groups, VPC and IAM is 10x faster than building from scratch.
We’ve passed multiple security audits (Sensepost, Deloitte, MWR, etc) and withstood many attacks without any successful theft of Bitcoin.
In addition to security, AWS made it easy to scale up as our customer base has grown globally using services like RDS, ElastiCache, CloudFront and ELB.
80. Luno engineering
Join our talented team to scale systems and security in this fast-growing industry
https://www.luno.com/careers