Information Security in AWS - Dave Walker

© 2015, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Dave Walker, Specialist Solutions Architect, Security and Compliance
25/01/17
Information Security in AWS

About the Presenter
• Worked in IT for 24 years
• ...of which 18 have been in security
• project-based
• Telcos, Utilities, Retail, Financial Services, Public Sector...
• Design, Implementation, Invention, Incident Response,
Standards Contribution
• Also been looking carefully at Cloud security for 5 years
• ...and been working at AWS for the last 2

AWS Foundation Services
Compute Storage Database Networking
AWS Global
Infrastructure Regions
Availability Zones
Edge Locations
Client-side Data
Encryption
Server-side Data
Encryption
Network Traffic
Protection
Platform, Applications, Identity & Access Management
Operating System, Network & Firewall Configuration
Customer content
Customers
AWS Shared Responsibility Model
Customers are
responsible for
their security and
compliance IN
the Cloud
AWS is
responsible for
the security OF
the Cloud

AWS Shared Responsibility Model – More
Detail
Will one model work for all services?
Infrastructure
Services
Container
Services
Abstract
Services

Network Traffic Protection
Encryption / Integrity / Identity
AWS Global
Availability Zones
Edge Locations
Optional – Opaque data: 1’s and 0’s (in transit/at rest)
Platform & Applications Management
Customer content
Customers
AWS Shared Responsibility Model:
for Infrastructure Services
Managed by
Managed by
Client-Side Data encryption
& Data Integrity Authentication
AWSIAMCustomerIAM
Server-Side Encryption
Fire System and/or Data
APIEndpoints
Mgmt
Protocols
API
Calls

Infrastructure Service
Example – EC2
• Foundation Services — Networking, Compute, Storage
• AWS Global Infrastructure
• AWS API Endpoints
AWS
• Customer Data
• Customer Application
• Operating System
• Network & Firewall
• Customer IAM (Corporate Directory
Service)
• High Availability, Scaling
• Instance Management
• Data Protection (Transit, Rest, Backup)
• AWS IAM (Users, Groups, Roles,
Policies)
Customers
RESPONSIBILITIES

AWS Global
Availability Zones
Edge Locations
Optional – Opaque data: 1’s and 0’s (in transit/at rest)
Firewall
Configuration
Operating System, Network Configuration
Customer content
Customers
for Container Services Managed by
Managed by
Client-Side Data encryption
Network Traffic Protection
Encryption / Integrity / Identity
AWSIAMCustomerIAM
APIEndpoints
Mgmt
Protocols
API
Calls

Example – RDS
• Foundational Services –
Networking, Compute, Storage
• Platform / Application
• High Availability (in part)
AWS
• Customer Data
• Firewall (VPC)
• Customer IAM (DB Users, Table
Permissions)
• AWS IAM (Users, Groups, Roles,
Policies)
• High Availability (in part)
• Data Protection (Transit, Rest,
Backup)
• Scaling
Customers
RESPONSIBILITIES

AWS Global
Availability Zones
Edge Locations
Customer content
Customers
for Abstract Services
Managed by
Managed by
Data Protection by the Platform
Protection of Data at Rest
Network Traffic Protection by the Platform
Protection of Data at in Transit
(optional)
Opaque Data: 1’s and 0’s
(in flight / at rest)
Client-Side Data Encryption
APIEndpoints
AWSIAM
API Calls

• Foundational Services
• Platform / Application
• Data Protection (Rest - SSE, Transit)
• High Availability / Scaling
AWS
• Customer Data
• Data Protection (Rest – CSE)
• AWS IAM (Users, Groups, Roles, Policies)
Customers
Example – S3

Summary of Customer Responsibility in the Cloud
Customer IAM
AWS IAM
Firewall
Data
AWS IAM
Data
Applications
Operating System
Networking/Firewall
Data
Customer IAM
AWS IAM
Infrastructure
Services
Container
Services
Abstract
Services

AWS Global
Availability Zones
Edge Locations
Meet your own security objectives
Customer scope and
effort is reduced
Better results through
focused efforts
Built on AWS
consistent baseline
controls
Your own
external audits
Customers
Your own
accreditation
Your own
certifications

Auditing - Comparison
on-prem vs on AWS
Start with bare concrete
Functionally optional – you can build a secure
system without it
Audits done by an in-house team
Accountable to yourself
Typically check once a year
Workload-specific compliance checks
Must keep pace and invest in security innovation
on-prem
Start on base of accredited services
Functionally necessary – high watermark of
requirements
Audits done by third party experts
Accountable to everyone
Continuous monitoring
Compliance approach based on all workload
scenarios
Security innovation drives broad compliance
on AWS

What this means
You benefit from an environment built for the most security
sensitive organisations
AWS manages 1,800+ security controls so you don’t have to
You get to define the right security controls for your workload
sensitivity

Compliance: How to work with AWS Certifications
• “The magic’s in the Scoping”
• If a Service isn’t in scope, that doesn’t necessarily mean it can’t be used in
a compliant deployment
• …but it won’t be usable for a purpose which touches sensitive data
• See Re:Invent sessions, especially "Navigating PCI Compliance in the
Cloud”,
https://www.youtube.com/watch?v=LUGe0lofYa0&index=13&list=PLhr
1KZpdzukcJvl0e65MqqwycgpkCENmg
• Remember the Shared Responsibility Model
• “we do our bit at AWS, but you must also do your bit in what you build
using our services”
• Our audit reports make it easier for our customers to get approval
from their auditors, against the same standards
• Liability can’t be outsourced…

Compliance: How to work with AWS Certifications
• Time-based Subtleties:
• PCI, ISO: point-in-time assessments
• SOC: assessment spread over time, therefore more rigorous assessment
of procedures and operations
• (AWS Config allows you to make a path between these, for your own
auditors)
• FedRAMP: Continuous Monitoring and Reporting – important proof
• If a service for defined sensitive data isn’t in scope of an audit
report, can this be designed around?
• Eg standing up a queue system on EC2 as a substitute for SQS…
• Be careful of what elements of a Service are in scope, too…
• Metadata is typically “out”

SOC 1
• Availability:
• Audit report available to any customer with an NDA
• Scope:
• AWS CloudFormation, AWS CloudHSM, AWS CloudTrail, AWS DirectConnect,
Amazon DynamoDB, Amazon EBS, Amazon EC2, AWS Elastic Beanstalk, ELB,
Amazon EMR, Amazon ElastiCache, Amazon Glacier, IAM, AWS KMS, Amazon
RDS, Amazon Redshift, Amazon Route 53, Amazon S3, Amazon SES, Amazon
SimpleDB, Amazon SQS, AWS Storage Gateway, Amazon SWF, AWS VM Import /
Export, Amazon VPC, Amazon Workspaces
• Sensitive data:
• N/A
• Particularly good for:
• Datacentre management, talks about KMS for key management and
encryption at rest, discusses Engineering bastions
• Downsides:
• None

SOC 2
• Availability:
• Scope:
• AWS CloudFormation, AWS CloudHSM, AWS CloudTrail, AWS DirectConnect, Amazon
DynamoDB, Amazon EBS, Amazon EC2, AWS Elastic Beanstalk, ELB, Amazon EMR,
Amazon ElastiCache, Amazon Glacier, IAM, AWS KMS, Amazon RDS, Amazon Redshift,
Amazon Route 53, Amazon S3, Amazon SES, Amazon SimpleDB, Amazon SQS, AWS
Storage Gateway, Amazon SWF, AWS VM Import / Export, Amazon VPC, Amazon
Workspaces
• Sensitive data:
• N/A
• Risk assessment considerations, management visibility and process,
organisational structure
• Downsides:
• None

PCI-DSS
• Availability:
• Scope:
• Amazon EC2, Application Auto Scaling, ELB, Amazon VPC, Amazon Route 53, AWS Direct
Connect, Amazon S3, Amazon Glacier, Amazon EBS, Amazon RDS, Amazon DynamoDB,
Amazon SimpleDB, Amazon Redshift, Amazon EMR, Amazon SWF, IAM, AWS CloudTrail,
AWS CloudHSM, Amazon SQS, Amazon CloudFront, AWS CloudFormation, AWS Elastic
Beanstalk, AWS KMS, Amazon ECS, AWS WAF
• Sensitive data:
• CVV, PAN
• Forensics cooperation, breach disclosure, explaining Shared
Responsibility in depth; also Hypervisor-based instance separation
assurance
• Downsides:
• None (since the August 2015 update, when KMS was added)

ISO 27001
• Availability:
• Certificate is public at
http://d0.awsstatic.com/certifications/iso_27001_global_certification.pdf, Statement of
Applicability is normally not available externally
• Scope:
• AWS CloudFormation, Amazon CloudFront, AWS CloudHSM, AWS CloudTrail, AWS Direct Connect, AWS
Directory Service, Amazon DynamoDB, Amazon EBS, Amazon EC2, Amazon ECS, Amazon EFS, AWS
Elastic Beanstalk, ELB, Amazon EMR, Amazon ElastiCache, Amazon Glacier, IAM, AWS KMS, Amazon RDS,
Amazon Redshift, Amazon Route 53, Amazon S3, Amazon SES, Amazon SimpleDB, Amazon SQS, AWS
Storage Gateway, Amazon SWF, AWS VM Import / Export, Amazon VPC, AWS WAF, Amazon WorkDocs,
Amazon WorkMail, Amazon WorkSpaces
• Sensitive data:
• N/A
• A broad-ranging “backstop” and important “tick box item” – ISMS considerations
• Downsides:
• No detailed audit report available

ISO 27018
• Availability:
• Certificate available at
https://d0.awsstatic.com/certifications/iso_27018_certification.pdf
• Scope:
• AWS CloudFormation, Amazon CloudFront, AWS CloudHSM, AWS CloudTrail, AWS Direct Connect, AWS
Directory Service, Amazon DynamoDB, Amazon EBS, Amazon EC2, Amazon ECS, Amazon EFS, AWS
Elastic Beanstalk, ELB, Amazon EMR, Amazon ElastiCache, Amazon Glacier, IAM, AWS KMS, Amazon RDS,
Amazon Redshift, Amazon Route 53, Amazon S3, Amazon SES, Amazon SimpleDB, Amazon SQS, AWS
Storage Gateway, Amazon SWF, AWS VM Import / Export, Amazon VPC, AWS WAF, Amazon WorkDocs,
Amazon WorkMail, Amazon WorkSpaces
• Sensitive data:
• PII
• Assurance of protection of PII in AWS environments
• Downsides:
• No detailed audit report available

Others (and Resources):
• ISO 27017: Cloud security recommended practices
• ISO 9001: Quality control (Handbook available under NDA)
• UK G-Cloud / NCSC Security Principles, gov.uk “Cyber Essentials”:
• See me  and our whitepaper at
https://d0.awsstatic.com/whitepapers/compliance/AWS_CESG_U
K_Cloud_Security_Principles.pdf
• IT-Grundschutz: Workbook at
https://d0.awsstatic.com/whitepapers/compliance/AWS_IT_Grundschu
tz_TUV_Certification_Workbook.pdf
• MTCS, IRAP, …: “Other People’s Geos” – we can put you in touch
with AWS Specialist Security and Compliance SAs there as needed,
there are also some whitepapers.
• EU Data Protection Guidance:
https://d0.awsstatic.com/whitepapers/compliance/AWS_EU_Data_Prot
ection_Whitepaper.pdf

Other Resources:
• CSA CAIQ: See Risk and Compliance whitepaper at
https://d0.awsstatic.com/whitepapers/compliance/AWS_Risk_and_Co
mpliance_Whitepaper.pdf
• Santa Fe Group SIG (available under NDA)
• ...or see my sessions on Control Mapping

Agreements:
• Click-through
• Enterprise
• EU Data Processor
• available to all customers
• includes commitment to maintain ISO 27001 or
successor certification, in perpetuity
• Pentest authorisation

“Familiar functions, made Cloud scale”:
• IAM: “RBAC writ large”
• Fine-grained privilege
• Further access controls
• Source IP
• Time of day
• Use of MFA
• Region affected (a work in progress; works for EC2, RDS)
• Data Pipeline: “Cron writ large”
• (…and now, CloudWatch Events =
“cron for Lambda”)

Asset Management, Logging and Analysis:
• “What the API returns, is true”
• CloudTrail, Config, CloudWatch Logs
• “Checks and balances”
• S3 append-only, MFA delete
• SNS for alerting
• Easy building blocks for Continuous Protective Monitoring
AWS
Config
AWS CloudTrail CloudWatch

Logs→metrics→alerts→actions
AWS Config
CloudWatch /
CloudWatch Logs
CloudWatch
alarms
AWS CloudTrail
Amazon EC2 OS logs
Amazon VPC
Flow Logs
Amazon SNS
email notification
HTTP/S
notification
SMS notifications
Mobile push
notifications
API calls
from most
services
Monitoring
data from
AWS services
Custom
metrics

Information Security in AWS - Dave Walker

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Viewers also liked

Viewers also liked (20)

Similar to Information Security in AWS - Dave Walker

Similar to Information Security in AWS - Dave Walker (20)

More from East Midlands Cyber Security Forum

More from East Midlands Cyber Security Forum (7)

Recently uploaded

Recently uploaded (20)

Information Security in AWS - Dave Walker