Securing AWS

Leverage AWS security best practices to reduce your risk.

Kiran Kuppa, Solutions Architect, Amazon Web Services
Maitreya Ranganath, Solutions Architect, Amazon Web Services

#ITDEVCONNECTIONS | ITDEVCONNECTIONS.COM
What to expect from this Session
• Security and Compliance in AWS
• AWS Assurance Programs
• AWS Security Enablers
• Security by Design
• DevSecOps

Why - Modernize Technology Governance
The majority of technology governance relies predominantly on administrative and
operational security controls with LIMITED technology enforcement.

Automation is needed to dominate governance through technology enablement.

(Diagram: Assets, Risk, Vulnerability, Threat)
Why is this important?

Confidentiality, Integrity, Availability

Modern day IT environments present challenges to managing security and meeting
compliance requirements due to the volume of data that needs to be safeguarded and
increasing complexity around how users connect to data.

A reliable security approach is needed to ensure data is protected and available to
authorized users and systems.

Security is Job Zero

Over A Million Active Customers and Every Imaginable Use Case

190 Countries | 1500+ Government Agencies | 3600+ Education Institutions | 11,200+ Nonprofits

Requirements from every industry

Financial Requirements | Health Care Requirements | Government Requirements
Everyone’s Systems and Applications
Global Infrastructure

• Nothing better for the entire community than a tough set of customers…
The most sensitive workloads run on AWS
“We determined that security in AWS is superior to our on-premises data center
across several dimensions, including patching,
encryption, auditing and logging, entitlements, and compliance.”
—John Brady, CISO, FINRA (Financial Industry Regulatory Authority)

“The fact that we can rely on the AWS security posture to boost our own
security is really important for our business. AWS does a much better job at
security than we could ever do running a cage in a data center.”
— Richard Crowley, Director of Operations, Slack

“With AWS, DNAnexus enables enterprises worldwide to perform genomic
analysis and clinical studies in a secure and compliant environment at a scale not
previously possible.”
— Richard Daly, CEO DNAnexus
Security and Compliance in AWS

Security Of the Cloud and Security In the Cloud

AWS foundational security applies to every customer
AWS maintains a formal control environment
• SOC 1 (SSAE 16 & ISAE 3402) Type II (was SAS70)
• SOC 2 Type II and public SOC 3 report
• ISO 27001 Certification
• Certified PCI DSS Level 1 Service Provider
• FedRAMP Authorization
• HIPAA and MPAA capable
Expert auditors test and validate 360° of the cloud

(Diagram: AWS is responsible for the security OF the Cloud. AWS Foundation Services:
Compute, Storage, Database, Networking. AWS Global Infrastructure: Regions,
Availability Zones, Edge Locations.)

Keys to cloud security

Visibility Auditability Controllability

• Cloud goes beyond the traditional elements of security and adds…

• Agility
• Automation

Who owns Security in a Cloud Environment?

AWS Shared Security Responsibility

Security is Shared and Classified by Ownership:
Infrastructure Services, Platform Services, Abstracted Services
AWS Shared Responsibility:
for Infrastructure Services

Managed by customers:
• Customer Data
• Platform & Application Management
• Operating system, network, and firewall configuration
• Customer IAM
• Data Confidentiality: encryption at-rest / in-transit, authentication
• Data Integrity: access control, version control, backups
• Data Availability: HA, DR/BC, resource scaling

Managed by AWS:
• Foundation Services: Compute, Storage, Networking; AWS IAM; Endpoints
• AWS Global Infrastructure: Regions, Availability Zones, Edge Locations
Infrastructure Services – Example Amazon EC2
AWS:
• Network, Compute, Storage
• AWS Global Infrastructure
• AWS Endpoints

Customer:
• Customer Data
• Customer Application
• Operating System
• Network & Firewall (VPC)
• Customer Identity & Access Mgmt
• AWS Identity & Access Mgmt (Users, Groups, Roles, Policies)
• High-Availability / Scaling
• Instance Management
• Data Protection (In-transit, At-rest, Backup)
AWS Shared Responsibility:
for Platform Services

Managed by customers:
• Customer Data
• Client-side data encryption & data integrity authentication
• Network traffic protection (encryption / integrity / identity)
• Customer IAM
• Configuration
• Firewall

Managed by AWS:
• Platform & Application Management
• Operating system & Network Configuration
• Foundation Services: Compute, Storage, Databases, Networking; AWS IAM; Endpoints
• AWS Global Infrastructure: Regions, Availability Zones, Edge Locations
Platform Services – Example RDS

AWS:
• Network, Compute, Storage
• AWS Global Infrastructure
• AWS Endpoints
• Operating System
• Instance Management
• Platform / Application (Aurora, MS SQL, Oracle, MySQL, PostgreSQL)

Customer:
• Customer Data
• Firewall (VPC)
• Customer Identity & Access Mgmt (DB Users, Table Permissions)
• AWS Identity & Access Mgmt (Users, Groups, Roles, Policies)
• High-Availability / Scaling
• Data Protection (In-transit, At-rest, Backup)
AWS Shared Responsibility:
for Abstracted Services

Managed by customers:
• Customer Data
• Client-side data encryption, data integrity and authentication

Managed by AWS:
• Client-side data encryption provided by platform (protection of data at-rest)
• Network traffic encryption provided by platform (protection of data in-transit)
• Platform & Application Management
• Operating system, network, and firewall configuration
• Foundation Services: Compute, Storage, Databases, Networking; AWS IAM; Endpoints
• AWS Global Infrastructure: Regions, Availability Zones, Edge Locations
Abstracted Services – Example S3

AWS:
• Network, Compute, Storage
• AWS Global Infrastructure
• AWS Endpoints
• Platform / Application
• Data Protection (In-transit, At-rest)
• High-Availability / Scaling

Customer:
• Customer Data
• Data Protection (In-transit, At-rest)
• AWS Identity & Access Mgmt (Users, Groups, Roles, Policies)

Part of your compliance work is done

AWS:
• Facilities
• Physical security
• Compute infrastructure
• Storage infrastructure
• Network infrastructure
• Virtualization layer (EC2)
• Hardened service endpoints
• Rich IAM capabilities

+ Customer:
• Network configuration
• Security groups
• OS firewalls
• Operating systems
• Application security
• Service configuration
• Account management
• Authorization policies

= Secure, compliant workloads

Customers get to choose the right level of security for their business.
As an AWS customer you can focus on your business and not be distracted by the muck.

Does This Mean All Workloads Running on AWS are Automatically Compliant?

What does this mean for you?

▪ Customers benefit from an environment built for the most security sensitive organizations
▪ AWS manages and validates testing against more than 3000 security controls so you don’t have to
▪ You get to define the right security controls for your workload sensitivity
▪ You always have full ownership and control of your data

AWS Security & Compliance Resources

Comprehensive security and compliance profile

Certifications / Attestations: DoD SRG, FedRAMP, FIPS, IRAP, ISO 9001, ISO 27001, ISO 27017,
ISO 27018, MLPS Level 3, MTCS, PCI DSS Level 1, SEC Rule 17-a-4(f), SOC 1, SOC 2, SOC 3,
UK Cyber Essentials

Laws / Regulations / Privacy: DNB [Netherlands], EAR, EU Model Clauses, EU Data Protection
Directive, FERPA, GLBA, HIPAA, HITECH, IRS 1075, ITAR, My Number Act [Japan],
Privacy Act [Australia], Privacy Act [New Zealand], PDPA - 2010 [Malaysia],
PDPA - 2012 [Singapore], U.K. DPA - 1988, VPAT / Section 508, EU-US Privacy Shield,
Spanish DPA Authorization

Alignments / Frameworks: CIS, CLIA, CJIS, CMS EDGE, CMSR, CSA, FDA, FedRAMP TIC, FISC, FISMA,
G-Cloud, GxP (FDA CFR 21 Part 11), IT Grundschutz, MITA 3.0, MPAA, NERC, NIST, PHR,
UK Cloud Security Principles
Inherit global security and compliance controls


PCI-DSS
Payment Card Industry (PCI) Data Security Standard (DSS)
▪ AWS is Level 1 compliant (highest level).
▪ Validated by an authorized independent QSA.
▪ You can run applications on our PCI-compliant technology infrastructure for storing,
processing, and transmitting credit card information in the cloud.

AWS PCI Package
▪ Attestation of Compliance (AoC)
▪ PCI responsibility summary
  • Description of the in-scope services
  • Customer implementation considerations
  • Overview of shared responsibility
AWS security and compliance resources
▪ AWS Artifact
▪ Introduction to AWS Security
▪ AWS Security Overview
▪ AWS Security Best Practices
▪ AWS Risk & Compliance
▪ Security at Scale Whitepapers
▪ Customer penetration testing requests
▪ Security Partner Solutions
▪ Request more information by contacting us

aws.amazon.com/security
aws.amazon.com/compliance
AWS Security Enablers
Manage, secure and audit the use of AWS services

AWS Identity and Access Management (IAM)

• Centrally manage users and user permissions in AWS

▪ Manage users, groups, roles, and policies.


▪ Define which AWS resources users can access.
▪ Federate with other Identity Providers (IdP)

AWS Organizations

▪ Centrally manage groups of AWS accounts


▪ Simplified creation of new AWS accounts
▪ Logically group AWS accounts for management convenience
▪ Apply Service control policies (SCP)
▪ Simplified billing
▪ Control individual account permissions at scale
▪ All organization management activity is logged in AWS CloudTrail
▪ An AWS account can be a member of only one organization
▪ Console, SDK, and CLI support for all management tasks
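
The two slides above describe IAM policies and Organizations SCPs separately, but in practice a request is decided by both at once. The evaluator below is an added example, not code from the deck or from AWS; it implements the documented ordering (explicit deny wins, every SCP level on the path to the root must allow, then an identity policy must allow) over constructed sample policies. Conditions, resource policies and permission boundaries are left out, and resource ARNs are matched with plain wildcards.

```python
"""Simplified IAM + SCP request evaluation (constructed example, not AWS code).

Rules modelled, which are the documented AWS semantics for identity-based
policies and service control policies:
  1. An explicit Deny in any applicable policy wins.
  2. SCPs are evaluated level by level (root, each OU, the account); at each
     level some attached SCP must Allow the action and none may Deny it.
  3. Finally an identity policy must Allow the action; otherwise implicit deny.
Conditions, resource policies, permission boundaries and session policies are
not modelled; resource matching is a plain wildcard match on the ARN.
"""
from fnmatch import fnmatchcase


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _statement_matches(statement, action, resource):
    """Does this statement's Action/Resource cover the request? ('*' wildcards allowed)"""
    actions = [a.lower() for a in _as_list(statement.get("Action", []))]
    resources = _as_list(statement.get("Resource", "*"))
    return any(fnmatchcase(action.lower(), a) for a in actions) and any(
        fnmatchcase(resource, r) for r in resources
    )


def _policy_verdict(policy, action, resource):
    """'Deny', 'Allow' or None (policy is silent on this request)."""
    verdict = None
    for statement in _as_list(policy["Statement"]):
        if _statement_matches(statement, action, resource):
            if statement["Effect"] == "Deny":
                return "Deny"
            verdict = "Allow"
    return verdict


def is_allowed(action, resource, identity_policies, scp_levels):
    """Evaluate one request. `scp_levels` is a list of lists: the SCPs attached at the
    root, at each OU on the path, and at the account itself."""
    identity = [_policy_verdict(p, action, resource) for p in identity_policies]
    if "Deny" in identity:
        return False
    for level in scp_levels:
        verdicts = [_policy_verdict(p, action, resource) for p in level]
        if "Deny" in verdicts or "Allow" not in verdicts:
            return False          # intersection across levels; deny wins within a level
    return "Allow" in identity    # no SCP objection: the identity policy must grant it


# Constructed sample policies -------------------------------------------------
DEVELOPER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["ec2:*", "s3:Get*", "s3:List*", "cloudtrail:*"], "Resource": "*"},
        {"Effect": "Allow", "Action": "iam:CreateUser", "Resource": "*"},
        {"Effect": "Deny", "Action": "ec2:TerminateInstances", "Resource": "arn:aws:ec2:*:*:instance/i-prod*"},
    ],
}

FULL_AWS_ACCESS = {  # the SCP AWS attaches by default at every level
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

DEV_OU_GUARDRAIL = {  # deny-list SCP attached to the Development OU
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Deny", "Action": ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail"], "Resource": "*"},
        {"Effect": "Deny", "Action": "iam:*", "Resource": "*"},
    ],
}


def demo():
    """Verdicts for a developer whose account sits under the Development OU."""
    scp_levels = [[FULL_AWS_ACCESS], [FULL_AWS_ACCESS, DEV_OU_GUARDRAIL], [FULL_AWS_ACCESS]]
    requests = {
        "ec2:RunInstances": "*",
        "ec2:TerminateInstances on prod": "arn:aws:ec2:us-east-1:123456789012:instance/i-prod0a1b2c3d",
        "ec2:TerminateInstances on dev": "arn:aws:ec2:us-east-1:123456789012:instance/i-dev0a1b2c3d",
        "s3:GetObject": "arn:aws:s3:::dev-bucket/file.txt",
        "s3:PutObject": "arn:aws:s3:::dev-bucket/file.txt",
        "iam:CreateUser": "*",
        "cloudtrail:LookupEvents": "*",
        "cloudtrail:StopLogging": "*",
    }
    return {
        name: is_allowed(name.split(" ")[0], arn, [DEVELOPER_POLICY], scp_levels)
        for name, arn in requests.items()
    }
```

The guardrail SCP contains no Allow of its own; it only removes permissions, which is why `iam:CreateUser` is refused even though the developer's identity policy grants it. That is the deny-list pattern the slide's "control individual account permissions at scale" refers to.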

Multiple VPCs vs Multiple Accounts

(Diagram: one AWS account holding separate Development, Staging, Production and
Regulated (PCI) VPCs, versus separate Development, Staging, Production and Regulated
(PCI) AWS accounts, each with its own VPC)

Strategies for Using Multiple AWS Accounts

▪ Separation of production, development and testing environments
▪ Multiple autonomous departments
▪ Centralized security management with multiple autonomous, independent projects

Multiple Accounts AND Multiple VPCs

Central Governance AWS Account:
▪ Account provisioning
▪ Security oversight
▪ Billing
▪ VPC configuration
▪ IAM configuration
▪ Development / approval of templates
▪ AMI creation / management
▪ Shared Services
▪ Monitoring / Logging

Account Boundary = Administrative; Network Boundary (virtual private cloud) = Connectivity

(Diagram: Development, Staging, Production and Regulated (PCI) AWS accounts, each
running App 1 … App X, connected to the central governance account)
Compute & Network Security

Amazon VPC

▪ Virtual network dedicated to your AWS account.
▪ Logically isolated from other virtual networks in AWS.
▪ You choose the IP address range for your VPC.
▪ Can span multiple Availability Zones.
Amazon VPC Security
• VPC Security Groups (mandatory)
▪ Instance level, stateful
▪ Supports ALLOW rules only
▪ Default deny inbound, allow outbound
▪ Use as “whitelist” – least privilege
• VPC NACLs (optional)
▪ Subnet level, stateless
▪ Supports ALLOW and DENY
▪ Default allow all (the default NACL; a custom NACL starts with deny all)
▪ Use as “guardrails”
• Changes audited via AWS CloudTrail

(Diagram: VPC → Subnet (NACL) → Instance (Security Group))
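
The stateful/stateless distinction above is the one that bites in practice: an outbound connection from an instance is accepted back through a security group with no inbound rule, but a network ACL evaluates the returning packet on its own and drops it unless the ephemeral port range is allowed. The evaluator below is an added example, not code from the deck or from AWS; it models both rule sets for TCP only, with constructed addresses and a bastion-host scenario, and shows the same reply packet passing one NACL and being dropped by another.

```python
"""Security group vs network ACL behaviour (constructed example, not AWS code).

Models the contrast the slide draws: a security group is instance level, allow
only, default deny inbound and stateful (a reply to a connection the instance
opened is accepted with no inbound rule); a network ACL is subnet level, has
numbered allow/deny rules evaluated lowest number first, first match wins, and
is stateless, so return traffic needs its own allow (the ephemeral port range).
Only TCP is modelled and the ports checked are the instance-side ports."""
from ipaddress import ip_address, ip_network

EPHEMERAL = (1024, 65535)


def _hit(ip, cidr, port, ports):
    low, high = ports
    return ip_address(ip) in ip_network(cidr) and low <= port <= high


class SecurityGroup:
    """Instance level, allow rules only, default deny inbound, stateful."""

    def __init__(self, inbound_allow):
        self.inbound_allow = inbound_allow   # [((from_port, to_port), cidr)]
        self._flows = set()                  # connections the instance opened

    def outbound(self, dst_ip, dst_port, src_port):
        self._flows.add((dst_ip, dst_port, src_port))   # default SG: all outbound allowed
        return "ACCEPT"

    def inbound(self, src_ip, src_port, dst_port):
        if (src_ip, src_port, dst_port) in self._flows:
            return "ACCEPT"                  # stateful: reply to our own request
        for ports, cidr in self.inbound_allow:
            if _hit(src_ip, cidr, dst_port, ports):
                return "ACCEPT"
        return "REJECT"                      # implicit deny; there are no deny rules


class NetworkAcl:
    """Subnet level, numbered allow/deny rules, first match wins, stateless."""

    def __init__(self, rules):
        self.rules = sorted(rules)           # [(number, direction, (from, to), cidr, action)]

    def evaluate(self, direction, remote_ip, port):
        for _number, rule_direction, ports, cidr, action in self.rules:
            if rule_direction == direction and _hit(remote_ip, cidr, port, ports):
                return action
        return "DENY"                        # the catch-all '*' rule


def inbound_packet(nacl, sg, src_ip, src_port, dst_port):
    """A packet entering the subnet meets the NACL first, then the instance's SG."""
    if nacl.evaluate("inbound", src_ip, dst_port) == "DENY":
        return "DROPPED_BY_NACL"
    return "ACCEPT" if sg.inbound(src_ip, src_port, dst_port) == "ACCEPT" else "REJECTED_BY_SG"


def demo():
    """Bastion host in a DMZ subnet: SSH only from the corporate range 203.0.113.0/24."""
    sg = SecurityGroup(inbound_allow=[((22, 22), "203.0.113.0/24")])
    nacl_rules = [
        (90, "inbound", (0, 65535), "198.51.100.0/24", "DENY"),   # guardrail: block a known-bad range
        (100, "inbound", (22, 22), "0.0.0.0/0", "ALLOW"),
        (110, "inbound", EPHEMERAL, "0.0.0.0/0", "ALLOW"),        # replies to outbound connections
        (100, "outbound", (0, 65535), "0.0.0.0/0", "ALLOW"),
    ]
    nacl = NetworkAcl(nacl_rules)
    results = {
        "corp_ssh": inbound_packet(nacl, sg, "203.0.113.10", 51515, 22),
        "internet_ssh": inbound_packet(nacl, sg, "192.0.2.9", 40000, 22),
        "blocked_range_ssh": inbound_packet(nacl, sg, "198.51.100.5", 40000, 22),
    }
    sg.outbound("192.0.2.50", 443, 49152)                         # e.g. a package repository
    results["https_reply"] = inbound_packet(nacl, sg, "192.0.2.50", 443, 49152)
    # Same reply through a NACL that lacks the ephemeral-port rule: the SG would accept it
    # (it tracked the flow) but the stateless NACL drops it first.
    without_ephemeral = NetworkAcl([r for r in nacl_rules if r[0] != 110])
    results["https_reply_no_ephemeral_rule"] = inbound_packet(without_ephemeral, sg, "192.0.2.50", 443, 49152)
    return results
```

Note the ordering: the deny for the known-bad range carries rule number 90 so it is hit before the broad allow on 22; a deny numbered above the allow would never match.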

VPC Flow Logs

▪ Agentless
▪ Enable per ENI, per subnet, or per VPC
▪ Logged to AWS CloudWatch Logs
▪ Create alarms from log data

Each record: AWS account, interface, source IP, destination IP, source port,
destination port, protocol, packets, bytes, start/end time, accept or reject
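
"Create alarms from log data" means a metric filter over the record fields listed above. The code below is an added example, not from the deck or from AWS: it parses version 2 flow log records (the 14 space-separated fields), handles the NODATA records that carry `-` in most positions, and raises the same condition a metric filter plus CloudWatch alarm would, namely repeated rejected TCP/22 flows from one source inside a short window. The sample records are constructed.

```python
"""VPC Flow Log parsing and a CloudWatch-Logs-style alarm condition (constructed example,
not AWS code).

The default (version 2) flow log record is the 14 space-separated fields below. The
constructed sample shows a bastion on port 22 being probed: repeated REJECT records from
one source within a short window, the condition a metric filter plus alarm would raise."""
from collections import defaultdict

FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()
INT_FIELDS = {"version", "srcport", "dstport", "protocol", "packets", "bytes", "start", "end"}

# The same condition as a CloudWatch Logs metric filter pattern (TCP is protocol 6).
METRIC_FILTER_PATTERN = ('[version, account, eni, source, destination, srcport, destport="22", '
                         'protocol="6", packets, bytes, windowstart, windowend, action="REJECT", status]')


def parse_record(line):
    """One flow log line -> dict. NODATA/SKIPDATA records carry '-' in most fields."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
    record = dict(zip(FIELDS, parts))
    for name in INT_FIELDS:
        record[name] = None if record[name] == "-" else int(record[name])
    return record


def rejected_ssh_sources(lines, threshold, window_seconds=300):
    """Sources with at least `threshold` rejected TCP/22 flows inside any window of
    `window_seconds`. Returns {srcaddr: peak count seen in one window}."""
    starts = defaultdict(list)
    for line in lines:
        rec = parse_record(line)
        if rec["action"] == "REJECT" and rec["dstport"] == 22 and rec["protocol"] == 6:
            starts[rec["srcaddr"]].append(rec["start"])
    alarms = {}
    for src, times in starts.items():
        times.sort()
        left, peak = 0, 0
        for right, t in enumerate(times):          # sliding window over sorted start times
            while t - times[left] > window_seconds:
                left += 1
            peak = max(peak, right - left + 1)
        if peak >= threshold:
            alarms[src] = peak
    return alarms


# Constructed sample: 10.0.1.10 is a bastion; 203.0.113.7 probes it, 198.51.100.20 logs in normally.
SAMPLE_FLOW_LOG = """\
2 123456789012 eni-0a1b2c3d4e5f6a7b8 203.0.113.7 10.0.1.10 45001 22 6 3 180 1500000000 1500000030 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 203.0.113.7 10.0.1.10 45002 22 6 3 180 1500000040 1500000070 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 198.51.100.20 10.0.1.10 51515 22 6 25 4200 1500000060 1500000120 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 203.0.113.7 10.0.1.10 45003 22 6 3 180 1500000080 1500000110 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 192.0.2.33 10.0.1.10 60001 22 6 2 120 1500000000 1500000030 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 203.0.113.7 10.0.1.10 45004 22 6 3 180 1500000120 1500000150 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 192.0.2.33 10.0.1.10 60002 22 6 2 120 1500001000 1500001030 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 203.0.113.7 10.0.1.10 45005 8080 6 1 60 1500000125 1500000150 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 - - - - - - - 1500000000 1500000060 - NODATA
"""


def demo():
    return rejected_ssh_sources(SAMPLE_FLOW_LOG.splitlines(), threshold=3)
```

The second source, 192.0.2.33, also has rejected SSH flows but a thousand seconds apart, so it stays below the threshold; the window matters as much as the count.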

AWS DDoS Shield

• Standard Protection: for protection against most common DDoS attacks, and access to
tools and best practices to build a DDoS resilient architecture on AWS. Available to
ALL AWS customers at no additional cost.
• Advanced Protection: for additional protection against larger and more sophisticated
attacks, visibility into attacks, and 24x7 access to DDoS experts for complex cases.
Paid service that provides additional, comprehensive protections from large and
sophisticated attacks.

Attack notification and reporting


Attack monitoring and detection
• Real-time notification of attacks via Amazon CloudWatch
• Near real-time metrics and packet captures for attack forensics
• Historical attack reports

AWS Shield Advanced cost protection


• AWS absorbs scaling cost due to DDoS attack
• Amazon CloudFront
• Elastic Load Balancer
• Application Load Balancer
• Amazon Route 53


AWS WAF


AWS WAF – Layer 7 application protection

Use cases: IP reputation lists, HTTP floods, scanners and probes, bots and scrapers,
SQL injection, cross-site scripting.

Use AWS WAF to Mitigate OWASP’s Top 10 Web Application
Logging and Monitoring

AWS CloudTrail
• Track changes made to your AWS resources
• Records the API calls made on your account (management events; S3 object-level and
Lambda data events must be enabled separately)
• Enabled on a per-region basis (create a multi-region trail so new regions are covered)
• Integration with 3rd party solutions (ex. Splunk)
• Benefits:
▪ Resource change tracking
▪ Security analysis
▪ Demonstrate Compliance

What is recorded?
✓ The identity of the API caller
✓ The time of the API call
✓ The request parameters
✓ The response elements
Amazon CloudWatch
• AWS managed service providing a reliable, scalable, and flexible monitoring
solution that you can start using within minutes.
• You no longer need to set up, manage, and scale your own monitoring
systems and infrastructure.

▪ CloudWatch - monitor AWS resources and applications you run on AWS in real time
▪ CloudWatch Events - send system events from AWS resources to AWS Lambda functions,
Amazon SNS topics, streams in Amazon Kinesis, and other target types
▪ CloudWatch Logs - monitor, store, and access your log files from Amazon EC2 instances, AWS
CloudTrail, or other sources


Amazon Simple Notification Service (SNS)


• A web service that is easy to set up and operate, and that sends notifications.
• Publish messages from an application and immediately deliver them to subscribers or other applications.
▪ Messages published to topic.
▪ Topic subscribers receive message.

(Diagram: Publisher → SNS Topic → Subscribers: SQS, HTTP/S, Email, SMS, Mobile Push, Lambda)
Amazon Macie
• Amazon Macie is an AI-powered security service that helps you prevent data loss by
automatically discovering, classifying, and protecting sensitive data stored in AWS.

• Amazon Macie uses machine learning to recognize sensitive data such as personally
identifiable information (PII) or intellectual property, assigns a business value, and provides
visibility into where this data is stored and how it is being used in your organization.

• Amazon Macie continuously monitors data access activity for anomalies, and delivers alerts
when it detects risk of unauthorized access or inadvertent data leaks.

Amazon GuardDuty
• Threat detection service
• Continuously monitors for malicious or unauthorized behavior to help you
protect your AWS accounts and workloads.
• Monitors for activity such as unusual API calls or potentially unauthorized
deployments that indicate a possible account compromise.
• Detects potentially compromised instances or reconnaissance by attackers.
Encryption Services


AWS Key Management Service (KMS)
Managed service to securely create, control, rotate, and use encryption keys.

(Diagram: Customer Master Key(s) → Data Key 1, Data Key 2, Data Key 3, Data Key 4 →
Amazon S3 Object, Amazon EBS Volume, Amazon Redshift Cluster)
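
The diagram above is envelope encryption: the customer master key never leaves KMS, each object is encrypted under its own data key, and the object stores that data key only in wrapped form. The code below is an added example, not from the deck or from AWS, that runs the pattern in-process: `FakeKms` stands in for the `GenerateDataKey`/`Decrypt` calls, and the cipher is a standard-library stand-in (HMAC-SHA256 keystream with an encrypt-then-MAC tag) where real code uses AES-GCM via the AWS Encryption SDK. The encryption context is bound into the wrapping as authenticated data, which is the KMS behaviour that stops a wrapped key copied to another object name from being unwrapped.

```python
"""Envelope encryption as KMS does it, simulated in-process (constructed example, not AWS code).

Key hierarchy from the slide: one customer master key (CMK) that never leaves the key
service, and a fresh data key per object, stored only in wrapped (CMK-encrypted) form.
The cipher below is a stand-in built from HMAC-SHA256 (counter-mode keystream plus an
encrypt-then-MAC tag) so the example runs on the standard library; real code uses
AES-GCM through the AWS Encryption SDK or the KMS API."""
import hashlib
import hmac
import secrets


def _keystream(key, nonce, length):
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def _seal(key, plaintext, aad=b""):
    """Encrypt-then-MAC; `aad` is authenticated but not encrypted (the encryption context)."""
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    nonce = secrets.token_bytes(12)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + aad + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def _open(key, blob, aad=b""):
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    nonce, ct, tag = blob[:12], blob[12:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + aad + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed (tampered data or wrong context)")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def _context_bytes(context):
    """Encryption context is bound into the wrapping as AAD, as KMS does."""
    return "&".join(f"{k}={context[k]}" for k in sorted(context)).encode()


class FakeKms:
    """The KMS surface envelope encryption needs; master keys stay inside this object."""

    def __init__(self):
        self._cmks = {}

    def create_key(self):
        key_id = f"key-{secrets.token_hex(4)}"
        self._cmks[key_id] = secrets.token_bytes(32)
        return key_id

    def generate_data_key(self, key_id, context):
        """Return (plaintext data key, wrapped data key); the blob names its CMK like KMS's does."""
        plaintext_key = secrets.token_bytes(32)
        wrapped = _seal(self._cmks[key_id], plaintext_key, _context_bytes(context))
        return plaintext_key, key_id.encode() + b"|" + wrapped

    def decrypt(self, ciphertext_blob, context):
        key_id, _, wrapped = ciphertext_blob.partition(b"|")
        return _open(self._cmks[key_id.decode()], wrapped, _context_bytes(context))


def encrypt_object(kms, key_id, plaintext, context):
    """Client side: one data key per object; the plaintext key is discarded after use."""
    data_key, wrapped_key = kms.generate_data_key(key_id, context)
    return {"wrapped_data_key": wrapped_key, "context": context, "body": _seal(data_key, plaintext)}


def decrypt_object(kms, obj):
    data_key = kms.decrypt(obj["wrapped_data_key"], obj["context"])   # one KMS call per object
    return _open(data_key, obj["body"])


def demo():
    kms = FakeKms()
    cmk = kms.create_key()
    secret = b"4111 1111 1111 1111"
    obj1 = encrypt_object(kms, cmk, secret, {"bucket": "pci-data", "key": "card1"})
    obj2 = encrypt_object(kms, cmk, secret, {"bucket": "pci-data", "key": "card2"})
    moved = dict(obj1, context={"bucket": "pci-data", "key": "card2"})  # wrapped key copied under another name
    try:
        decrypt_object(kms, moved)
        context_enforced = False
    except ValueError:
        context_enforced = True
    return {
        "round_trip": decrypt_object(kms, obj1) == secret,
        "distinct_data_keys": obj1["wrapped_data_key"] != obj2["wrapped_data_key"],
        "distinct_ciphertexts": obj1["body"] != obj2["body"],
        "context_enforced": context_enforced,
    }
```

Two consequences worth noticing: the same plaintext stored twice produces unrelated ciphertexts because each object has its own data key, and rotating the CMK does not require re-encrypting object bodies, only re-wrapping the data keys.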
AWS Cloud HSM
Help meet compliance requirements for data security by using a dedicated Hardware Security Module
appliance with AWS.

• Dedicated, single-tenant hardware device
• Can be deployed as HA and load balanced
• Customer use cases:
▪ Oracle TDE
▪ MS SQL Server TDE
▪ Set up SSL connections
▪ Digital Rights Management (DRM)
▪ Document Signing

(Diagram: AWS CloudHSM inside your Amazon Virtual Private Cloud. The AWS Administrator manages
the appliance; you control keys and crypto operations.)
KMS vs CloudHSM

KMS:
• Multi-tenant AWS service
• Highly available and durable key storage and management
• AWS managed root of trust
• Broad support for AWS services
• Symmetric encryption only (at the time of this talk; KMS has since added asymmetric keys)

CloudHSM:
• Single-tenant HSM
• Customer-managed durability and availability
• Customer managed root of trust
• Broad third-party app support
• Symmetric and asymmetric options
Configuration Management


AWS CloudFormation
Allows you to define a “template” which is composed of different
“resources” and then provision that template into repeatable, live, “stacks”.

Infrastructure as Code


Why Infrastructure as Code?


• Automates deployment, provisioning, and configuration of the entire infrastructure
▪ Deploy servers, configure networking, assign storage
▪ Manage configuration and access
▪ Track and audit changes
• Embeds security controls and compliance auditing

AWS Service Catalog

▪ Centrally manage catalogs of IT services approved for use on AWS


▪ Enables users to quickly deploy approved IT services in a self-service manner
▪ Helps achieve consistent governance and meet compliance requirements


AWS Config

▪ Managed service that provides AWS resource inventory, configuration history, and
configuration change notifications.
▪ Provides continuous details on all configuration changes associated with AWS
resources.
▪ Combines with CloudTrail for full visibility into what contributed to the change.
▪ Enables compliance auditing, security analysis, resource change tracking, and
troubleshooting.

AWS Config Rules
Continuously monitors the configuration of existing and new AWS resources to
assess compliance with desired configurations

Features:
• Flexible rules evaluated continuously and retroactively
• Dashboard and reports for common goals
• Customizable remediation
• API automation

Benefits:
• Continuous monitoring for unexpected changes
• Shared compliance across your organization
• Simplified management of configuration changes
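
A Config rule is just a function from a configuration item to COMPLIANT or NON_COMPLIANT. The code below is an added example, not from the deck or from AWS: two checks modelled on the managed rules `restricted-ssh` and `s3-bucket-server-side-encryption-enabled`, run over constructed configuration items that put the weak settings beside the corrected ones. The item shape is simplified (assumption): `ipPermissions` carries plain CIDR strings in `ipRanges`, and a bucket item carries `serverSideEncryption`; the evaluation entries are shaped after the `PutEvaluations` list without the ordering timestamp.

```python
"""AWS Config custom-rule logic over configuration items (constructed example, not AWS code).

AWS Config hands a rule's Lambda a configuration item; the rule answers COMPLIANT or
NON_COMPLIANT per resource through PutEvaluations. The two checks below mirror the
managed rules `restricted-ssh` and `s3-bucket-server-side-encryption-enabled`. The
configuration item shape is simplified (assumption): ipPermissions carries plain CIDR
strings in `ipRanges`, and the bucket carries `serverSideEncryption`."""

COMPLIANT, NON_COMPLIANT, NOT_APPLICABLE = "COMPLIANT", "NON_COMPLIANT", "NOT_APPLICABLE"
ANYWHERE = {"0.0.0.0/0", "::/0"}


def restricted_ssh(item):
    """No ingress rule may expose TCP/22 to the whole Internet."""
    if item["resourceType"] != "AWS::EC2::SecurityGroup":
        return NOT_APPLICABLE, None
    for perm in item["configuration"].get("ipPermissions", []):
        proto, lo, hi = perm.get("ipProtocol"), perm.get("fromPort"), perm.get("toPort")
        covers_22 = proto == "-1" or (proto == "tcp" and lo is not None and lo <= 22 <= hi)
        if covers_22 and ANYWHERE & set(perm.get("ipRanges", [])):
            return NON_COMPLIANT, "TCP/22 reachable from 0.0.0.0/0 or ::/0"
    return COMPLIANT, None


def s3_sse_enabled(item):
    """Buckets must have default server-side encryption configured."""
    if item["resourceType"] != "AWS::S3::Bucket":
        return NOT_APPLICABLE, None
    if item["configuration"].get("serverSideEncryption") in ("AES256", "aws:kms"):
        return COMPLIANT, None
    return NON_COMPLIANT, "no default encryption"


RULES = {"restricted-ssh": restricted_ssh,
         "s3-bucket-server-side-encryption-enabled": s3_sse_enabled}


def evaluate(items, rules=RULES):
    """Entries shaped after PutEvaluations' Evaluations list (ordering timestamp omitted)."""
    evaluations = []
    for item in items:
        for rule_name, rule in rules.items():
            compliance, note = rule(item)
            if compliance == NOT_APPLICABLE:
                continue
            evaluations.append({
                "ConfigRuleName": rule_name,
                "ComplianceResourceType": item["resourceType"],
                "ComplianceResourceId": item["resourceId"],
                "ComplianceType": compliance,
                "Annotation": note,
            })
    return evaluations


def non_compliant_ids(evaluations):
    return sorted(e["ComplianceResourceId"] for e in evaluations if e["ComplianceType"] == NON_COMPLIANT)


# Constructed configuration items: weak settings beside the corrected ones.
SAMPLE_ITEMS = [
    {"resourceType": "AWS::EC2::SecurityGroup", "resourceId": "sg-bastion",
     "configuration": {"ipPermissions": [
         {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22, "ipRanges": ["203.0.113.0/24"]}]}},
    {"resourceType": "AWS::EC2::SecurityGroup", "resourceId": "sg-web-open",
     "configuration": {"ipPermissions": [
         {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443, "ipRanges": ["0.0.0.0/0"]},
         {"ipProtocol": "tcp", "fromPort": 20, "toPort": 25, "ipRanges": ["0.0.0.0/0"]}]}},
    {"resourceType": "AWS::EC2::SecurityGroup", "resourceId": "sg-allow-all",
     "configuration": {"ipPermissions": [{"ipProtocol": "-1", "ipRanges": ["::/0"]}]}},
    {"resourceType": "AWS::S3::Bucket", "resourceId": "audit-logs",
     "configuration": {"serverSideEncryption": "aws:kms"}},
    {"resourceType": "AWS::S3::Bucket", "resourceId": "app-uploads", "configuration": {}},
]


def demo():
    return non_compliant_ids(evaluate(SAMPLE_ITEMS))
```

The port-range check matters: `sg-web-open` never names port 22 explicitly, it opens 20-25, and a rule that only compared `fromPort == 22` would pass it.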
Amazon Inspector
Security assessment tool analyzing end-to-end application configuration and
activity

Features:
• Configuration scanning engine
• Activity monitoring
• Built-in content library
• Automatable via API
• Fully auditable

Benefits (rules packages):
• Common Vulnerabilities and Exposures (CVE)
• Network Security Best Practices
• Authentication Best Practices
• Operating System Best Practices
• Application Security Best Practices
Security by Design
Automating Security, Compliance, and Governance in AWS

What is Security by Design (SbD)?

▪ Modern, systematic, security assurance approach


▪ Formalizes AWS account design, automates security
controls, and streamlines auditing
▪ Provides security control built in throughout the AWS IT
management process

Effective security is ubiquitous and automatic…

Security by Design Four Phase Approach

1. Understand your requirements
2. Build a “secure environment” that fits your requirements
3. Enforce the use of the templates
4. Perform validation activities
#1: Understand your requirements

Data Classification: Data Type, Data Impact, Data Sensitivity
Data Usage: Storage, Retention, Processing, Sharing
Regulations: Governmental, Organizational, Individual
Security Controls: Access, Audit, Config Mgmt, Contingency Plans
#2: Build a “secure environment”
• What are the different options for securing your environment?
▪ Service selection
▪ Encryption
▪ Network segmentation
▪ User permissions
▪ Authorized OS images
▪ Resource protection
▪ Logging / monitoring

#3: Enforce the use of templates

▪ What if the ONLY choices are “pre-approved templates”?
▪ Templates guarantee ALL configurations comply with your organization’s
security standards
#4: Perform Validation Activities
• 100% Audit-Ready
▪ Environments deployed from templates are audit-ready
▪ Rules defined within the templates are the baseline for comparison
• 100% Audit Coverage
▪ Auditing itself is configured and enabled via template
▪ Auditing is performed continuously and in real-time
▪ Properly scoped permissions prevent and detect attempts to tamper with
or disable auditing
• 100% Visibility
▪ Audit information captures the state of all deployed resources
• 100% Remediation
▪ Non-compliant resources are flagged and alerts are generated
▪ These alerts can be used to trigger actions such as quarantining the
offending resource
Security by Design Deployment

(Diagram: Admins author AWS CloudFormation templates and publish them through AWS
Service Catalog; users with constrained permissions launch them into Amazon VPC; Amazon
CloudWatch, AWS CloudTrail and AWS Config monitor and audit the result.)

Impact of Security by Design


▪ Creates forcing functions that cannot be overridden by users
▪ Establishes reliable operation of controls
▪ Enables continuous and real-time auditing
▪ Represents the technical scripting of your governance policy

• Result
• Automated environment enabling enforcement of security and compliance
policies and a functionally reliable governance model.

Automated Countermeasure Examples


Application DoS - Random searches

(Diagram: good users and bad guys reach Amazon CloudFront; bad guys are blocked by AWS WAF)
• CloudFront access logs are delivered to Amazon S3
• AWS Lambda parses the logs
• Lambda counts requests per minute from the same IP
• The IP is added to the AWS WAF auto-block rule
• Notification via Amazon SNS
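
The Lambda in the flow above has three jobs: parse the CloudFront log, count per client and minute, and emit the WAF IP set update. The code below is an added example, not from the deck or from AWS, and leaves out the S3 fetch, the `UpdateIPSet` call and the SNS publish. CloudFront standard logs are tab-separated with a `#Fields:` header naming the columns, so the parser keys each entry by those names rather than by position. The log is constructed: one client issues 120 `/search` requests with random query strings inside one minute, a normal user issues five.

```python
"""Countermeasure 1 as Lambda logic: CloudFront access logs -> per-minute counts per IP ->
AWS WAF IP set update (constructed example, not AWS code; the S3 fetch, the UpdateIPSet
call and the SNS publish are left out).

CloudFront standard logs are tab-separated with a '#Fields:' header naming the columns,
so the parser keys each entry by those names instead of hard-coded positions."""
from collections import Counter


def parse_cloudfront_log(text):
    """Yield one dict per request line, keyed by the names in the '#Fields:' header."""
    fields = None
    for raw in text.splitlines():
        if raw.startswith("#Fields:"):
            fields = raw[len("#Fields:"):].split()
        elif raw.startswith("#") or not raw.strip():
            continue
        else:
            if fields is None:
                raise ValueError("request line before the #Fields header")
            yield dict(zip(fields, raw.split("\t")))


def requests_per_minute(entries, uri_prefix="/"):
    """Counter keyed by (client IP, 'YYYY-MM-DD HH:MM') for requests under `uri_prefix`."""
    counts = Counter()
    for entry in entries:
        if entry["cs-uri-stem"].startswith(uri_prefix):
            counts[(entry["c-ip"], f'{entry["date"]} {entry["time"][:5]}')] += 1
    return counts


def ips_to_block(counts, threshold):
    """Any IP that exceeded the threshold in at least one minute."""
    return sorted({ip for (ip, _minute), n in counts.items() if n > threshold})


def waf_ipset_updates(ips, action="INSERT"):
    """The Updates list for the WAF UpdateIPSet API: one /32 descriptor per address."""
    return [{"Action": action, "IPSetDescriptor": {"Type": "IPV4", "Value": f"{ip}/32"}}
            for ip in ips]


def _line(time, ip, query):
    """One constructed CloudFront log line."""
    return "\t".join(["2017-11-05", time, "IAD79-C1", "1024", ip, "GET",
                      "d111111abcdef8.cloudfront.net", "/search", "200", "-", "Mozilla/5.0", query])


SAMPLE_LOG = "\n".join(
    ["#Version: 1.0",
     "#Fields: date time x-edge-location sc-bytes c-ip cs-method cs(Host) cs-uri-stem "
     "sc-status cs(Referer) cs(User-Agent) cs-uri-query"]
    + [_line(f"10:15:{i % 60:02d}", "203.0.113.7", f"q={i:04x}") for i in range(120)]   # flood
    + [_line(f"10:15:{i * 10:02d}", "198.51.100.9", "q=shoes") for i in range(5)]       # normal user
    + [_line(f"10:16:{i:02d}", "203.0.113.7", f"q={i:04x}") for i in range(30)]         # flood tails off
)


def demo(threshold=100):
    counts = requests_per_minute(parse_cloudfront_log(SAMPLE_LOG), uri_prefix="/search")
    blocked = ips_to_block(counts, threshold)
    return blocked, waf_ipset_updates(blocked)
```

The same function with `action="DELETE"` produces the expiry update, so a block can be lifted after a cooling-off period rather than staying in the IP set forever.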

Brute force login on SSH bastion

(Diagram: good users and bad guys SSH to a bastion in the DMZ subnet)
1. SSH access logs are sent to Amazon CloudWatch
2. Alarm triggered
3. AWS Lambda creates a NACL deny rule on the DMZ subnet
Notification via Amazon SNS
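
The detection here runs over sshd log lines shipped to CloudWatch Logs, and the response is a NACL deny entry. The code below is an added example, not from the deck or from AWS: it counts failed logins per source from a constructed `/var/log/secure` excerpt and builds the `CreateNetworkAclEntry` parameters for each offender. Two details the diagram glosses over are handled: deny entries are numbered below the existing allow rules so they match first, and the corporate range the bastion serves is exempted so a mistyped password cannot lock the whole office out.

```python
"""sshd failure counting and the NACL deny entry the Lambda would create (constructed example,
not AWS code).

Parses the auth-log lines an agent ships to CloudWatch Logs, counts failed logins per
source, and builds the parameters for EC2's CreateNetworkAclEntry for each offender.
Deny rules must carry a lower rule number than the allow rules (NACLs are first-match),
and the corporate range is exempted so a typo'd password cannot lock everyone out."""
import re
from collections import Counter
from ipaddress import ip_address, ip_network

FAILED_LOGIN = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port (?P<port>\d+)"
)

# Constructed /var/log/secure excerpt from a bastion host.
SAMPLE_AUTH_LOG = """\
Nov  5 10:15:01 bastion sshd[2131]: Failed password for invalid user admin from 203.0.113.7 port 51515 ssh2
Nov  5 10:15:02 bastion sshd[2131]: Failed password for invalid user admin from 203.0.113.7 port 51515 ssh2
Nov  5 10:15:04 bastion sshd[2133]: Failed password for root from 203.0.113.7 port 51516 ssh2
Nov  5 10:15:05 bastion sshd[2135]: Accepted publickey for ec2-user from 198.51.100.20 port 50122 ssh2: RSA SHA256:abc
Nov  5 10:15:06 bastion sshd[2133]: Failed password for root from 203.0.113.7 port 51516 ssh2
Nov  5 10:15:09 bastion sshd[2138]: Failed password for ec2-user from 198.51.100.21 port 50130 ssh2
Nov  5 10:15:10 bastion sshd[2140]: Failed password for invalid user oracle from 203.0.113.7 port 51520 ssh2
Nov  5 10:15:12 bastion sshd[2140]: Failed password for invalid user oracle from 203.0.113.7 port 51520 ssh2
Nov  5 10:15:15 bastion sshd[2142]: Failed password for invalid user test from 192.0.2.44 port 40001 ssh2
"""


def failed_logins_by_source(lines):
    counts = Counter()
    for line in lines:
        match = FAILED_LOGIN.search(line)
        if match:
            counts[match["ip"]] += 1
    return counts


def offenders(counts, threshold, exempt_networks=()):
    """Sources at or above the threshold that are not inside an exempt (e.g. corporate) range."""
    exempt = [ip_network(n) for n in exempt_networks]
    return sorted(ip for ip, n in counts.items()
                  if n >= threshold and not any(ip_address(ip) in net for net in exempt))


def nacl_deny_entries(network_acl_id, ips, existing_rule_numbers, first_allow_rule=100):
    """CreateNetworkAclEntry parameters: one /32 deny per offender, numbered below the allows."""
    used, entries, candidate = set(existing_rule_numbers), [], 1
    for ip in ips:
        while candidate in used:
            candidate += 1
        if candidate >= first_allow_rule:
            raise RuntimeError("no free rule numbers below the allow rules; the NACL rule quota is small")
        used.add(candidate)
        entries.append({"NetworkAclId": network_acl_id, "RuleNumber": candidate, "Protocol": "-1",
                        "RuleAction": "deny", "Egress": False, "CidrBlock": f"{ip}/32"})
    return entries


def demo(threshold=5):
    counts = failed_logins_by_source(SAMPLE_AUTH_LOG.splitlines())
    bad = offenders(counts, threshold, exempt_networks=["198.51.100.0/24"])
    return bad, nacl_deny_entries("acl-0123456789abcdef0", bad, existing_rule_numbers=[1, 100, 110, 32767])
```

The `RuntimeError` is deliberate: a NACL holds only a small number of rules, so an automated blocker needs an expiry or a hand-off to a WAF IP set once the low rule numbers are used up.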

Unintended IAM access granted

1. Devs grant elevated privileges via the Console, AWS CLI or SDK
2. IAM API events
3. Amazon CloudWatch Events delivers the event upon rule match
4. AWS Lambda revokes IAM access if the user is not in the Admins group
5. Notification via Amazon SNS
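
This countermeasure ties together the CloudTrail slide's "what is recorded" (caller identity, time, request parameters, response elements) and the rule matching CloudWatch Events performs. The code below is an added example, not from the deck or from AWS: it implements the event-pattern matching, extracts the audit fields from a constructed CloudTrail record, and returns the reverse IAM call the Lambda would issue when the grantor is outside the Admins group. The Admins membership set and the reverse-call table are assumptions standing in for `iam:GetGroup` and the real API calls.

```python
"""Detect-and-revoke for unintended IAM grants (constructed example, not AWS code).

The three moving parts of the slide: the CloudWatch Events rule pattern selecting IAM
API calls recorded by CloudTrail, the event shape CloudTrail delivers (caller identity,
time, request parameters, response elements), and the Lambda decision: a grant made by
someone outside the Admins group is reversed. The Admins membership lookup and the
reverse API calls are represented as data rather than issued against IAM."""

EVENT_PATTERN = {
    "source": ["aws.iam"],
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {
        "eventSource": ["iam.amazonaws.com"],
        "eventName": ["AttachUserPolicy", "PutUserPolicy", "AddUserToGroup"],
    },
}

# Which API undoes each grant, and which request parameters it needs (assumption: table, not IAM).
REVERSE_CALL = {
    "AttachUserPolicy": ("DetachUserPolicy", ("userName", "policyArn")),
    "PutUserPolicy": ("DeleteUserPolicy", ("userName", "policyName")),
    "AddUserToGroup": ("RemoveUserFromGroup", ("groupName", "userName")),
}

ADMINS_GROUP_MEMBERS = {"sec-admin-bob"}     # assumption: the result of iam:GetGroup on "Admins"


def pattern_matches(pattern, event):
    """CloudWatch Events matching: every key in the pattern must exist in the event,
    a list means 'any of these values', a nested dict is matched recursively."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        if isinstance(expected, dict):
            if not isinstance(event[key], dict) or not pattern_matches(expected, event[key]):
                return False
        elif event[key] not in expected:
            return False
    return True


def handler(event, admins=ADMINS_GROUP_MEMBERS):
    """Lambda logic: the decision plus an audit record drawn from the CloudTrail fields."""
    if not pattern_matches(EVENT_PATTERN, event):
        return {"decision": "ignored"}
    detail = event["detail"]
    identity = detail["userIdentity"]
    audit = {"who": identity["arn"], "when": detail["eventTime"], "what": detail["eventName"],
             "request": detail["requestParameters"], "response": detail.get("responseElements")}
    if identity.get("type") == "IAMUser" and identity.get("userName") in admins:
        return {"decision": "allowed", "audit": audit}
    api, keys = REVERSE_CALL[detail["eventName"]]
    return {"decision": "revoke", "call": api,
            "params": {k: detail["requestParameters"][k] for k in keys}, "audit": audit}


def _iam_event(user, event_name, params):
    """Constructed CloudWatch Events envelope around a CloudTrail IAM record."""
    return {
        "source": "aws.iam", "detail-type": "AWS API Call via CloudTrail",
        "detail": {
            "eventTime": "2017-11-05T10:15:01Z", "eventSource": "iam.amazonaws.com",
            "eventName": event_name,
            "userIdentity": {"type": "IAMUser", "userName": user,
                             "arn": f"arn:aws:iam::123456789012:user/{user}"},
            "requestParameters": params, "responseElements": None,
        },
    }


SELF_ESCALATION = _iam_event("dev-alice", "AttachUserPolicy",
                             {"userName": "dev-alice", "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"})
ADMIN_CHANGE = _iam_event("sec-admin-bob", "AddUserToGroup",
                          {"groupName": "Developers", "userName": "dev-carol"})
UNRELATED = {"source": "aws.s3", "detail-type": "AWS API Call via CloudTrail",
             "detail": {"eventSource": "s3.amazonaws.com", "eventName": "PutObject"}}
```

The audit record is what goes to SNS: the CloudTrail fields answer who made the grant, when, and with which parameters, which is the evidence an incident responder needs before deciding whether the revocation was a false positive.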
DevSecOps

Thank you!

Q&A
