Top 10 AWS Security and Compliance best practices
2. • Faisal Jawaid
Dir of Product Management
Security & Compliance
• Ahmed Khan
AWS Partner Manager – Strategic Sales
Meet Our Speakers
3. Agenda
How we selected the Top 10
Recent AWS breaches – lessons learned
TOP 10 AWS BEST PRACTICES
Cloudnosys Security Platform for AWS
Q & A
4. How we chose the Top 10 Best Practices
© 2017 - Cloudnosys | Security, Compliance, Cost.
5. Center for Internet Security – CIS Controls
• The Center for Internet Security is a non-profit entity that harnesses the power of a global IT community to safeguard private and public organizations against cyber threats.
• CIS AWS Benchmarks – 44 AWS Controls
• CIS provides prescriptive guidance for configuring security options for a subset of Amazon Web Services with an emphasis on foundational, testable, and architecture agnostic settings.
• CIS - OS hardening & AWS Configurations
6. AWS Misconfigurations = Breach!
AWS Service @ Fault | Breach Details
S3 – Public, IAM | 4 million exposed: SQL database dumps, code, access logs, customer billing addresses and phone numbers, by BroadSoft. (TPRM)
IAM, SG, MFA | Administrative consoles on AWS were not password protected, for Aviva and Gemalto, letting hackers mine Bitcoin on their EC2 instances.
S3 – Public, IAM | Viacom AWS misconfiguration exposes entire IT infrastructure, including passwords, access and secret keys for their corporate AWS account.
S3, MFA, IAM | Dow Jones AWS misconfigurations left sensitive customer financial data exposed.
S3 – Public, IAM | Accenture AWS misconfiguration exposes 40,000 plaintext passwords. Verizon AWS exposed via third party (TPRM).
7. Missing Link in AWS Cloud Security
● Cannot humanly scan thousands of configurations
● Need automation & new tooling
● Implement a Third Party Risk Management program for the cloud that includes contract language for the 44 CIS Controls.
8. Cloud Security *IS* now a Shared Responsibility
• Developers now have the power to create and change infrastructure
• Cloud security does not stop at log analysis, OWASP (pen testing), or OS hardening
• Compliance is very costly - automation is needed
9. Security is Shared Responsibility
10. Sacred Top 10 AWS Best Practices
• Faisal Jawaid, Dir of Product Management, Security & Compliance
11. #1 Enable CloudTrail
AWS CloudTrail is a service that enables governance,
compliance, operational auditing, and risk auditing of your
AWS account.
CloudTrail provides event history of your AWS account
activity, including actions taken through the AWS
Management Console, AWS SDKs, command line tools, and
other AWS services.
• Enable it and log to one region.
• Enable encryption.
5% of customers know about and have enabled CloudTrail.
12. #2 Disable Root API Access and Secret Keys
An API key is a credential passed by computer programs calling an application programming interface (API) to identify the calling program, its developer, or its user to the service.
• The “Root” account has access to everything! It is not restricted.
• For administrative tasks, create users with admin rights.
• Update the billing and contact information that would be required to recover the account.
1 in 3 customers have root API access keys enabled!
13. #3 Enable Multi-Factor Authentication
MFA is an extra layer of security that requires not only a username and password but also something that only that user has with them.
• MFA is available to all IAM users, including the root account.
• MFA options are token based and text message (SMS) based.
• Token based options include hardware devices and virtual software options such as Google Authenticator.
14. #4 Review permissions, strengthen access.
AWS Identity and Access Management (IAM) enables you
to securely control access to AWS services and resources
for your users. Using IAM, you can create and manage AWS
users and groups, and use permissions to allow and deny
their access to AWS resources.
• Review IAM policies on users, groups and roles. Does your user really need access to all of these services?
• Do your third party applications need all of these permissions?
• How many people have unrestricted access?
• Use the IAM policy generator and policy simulator for assistance.
15. #5 Use IAM Roles
An IAM Role is an IAM entity that defines a set of permissions
for making AWS service requests. IAM roles are not associated
with a specific user or group. Instead, trusted entities assume
roles, such as IAM users, applications, or AWS services such as
EC2.
• Diminished attack surface
• A role does not have credentials (password or keys) associated with it.
• Give access, and revoke it when done.
• Delegate access to users, applications or services.
16. #6 Mitigate DDOS on your Assets
AWS Shield is a managed Distributed Denial of Service (DDoS)
protection service that safeguards web applications running on
AWS. AWS Shield provides always-on detection and automatic
inline mitigations that minimize application downtime and latency,
so there is no need to engage AWS Support to benefit from DDoS
protection.
Leverage Services for Advanced Protection:
• Elastic Load Balancer (ELB)
• AutoScaling
• Amazon CloudFront
• Amazon Route 53
17. #7 Rotate Keys Regularly (API and Encryption)
Cryptographic best practices discourage extensive reuse of encryption
keys.
API access keys are regularly uploaded to code versioning systems such as GitHub.
• Anyone who has your access key has the same level of access to your AWS resources that you do.
• IAM users should have keys rotated at least every 90 days.
• Enable automatic key rotation for an existing Customer Master Key (CMK).
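The checks behind #2 (no root access keys), #3 (MFA on every console login) and #7 (keys rotated within 90 days) can all be run over the IAM credential report. This is an added example, not code from the deck or from Cloudnosys: it uses the real report's CSV column names, but the rows are constructed and reduced to the columns the checks read.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed excerpt of an IAM credential report (the CSV returned by
# `aws iam get-credential-report`, base64-decoded), reduced to the columns
# these checks read. Account id, users and dates are made up.
SAMPLE_REPORT = """\
user,arn,password_enabled,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_2_active,access_key_2_last_rotated
<root_account>,arn:aws:iam::111122223333:root,not_supported,false,true,2016-01-10T09:05:00+00:00,false,N/A
alice,arn:aws:iam::111122223333:user/alice,true,true,true,2017-08-15T08:00:00+00:00,false,N/A
deploy-bot,arn:aws:iam::111122223333:user/deploy-bot,false,false,true,2016-05-20T09:00:00+00:00,false,N/A
bob,arn:aws:iam::111122223333:user/bob,true,false,false,N/A,false,N/A
"""
ROOT = "<root_account>"              # how the report names the root user
REFERENCE_NOW = datetime(2017, 9, 15, tzinfo=timezone.utc)  # fixed "today" for the sample


def audit_credential_report(report_csv, now=REFERENCE_NOW, max_key_age_days=90):
    """Return (user, finding) pairs for slides #2, #3 and #7:
    no root access keys, MFA on every console login, keys rotated on time."""
    findings, max_age = [], timedelta(days=max_key_age_days)
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        # Root can always sign in to the console; other users only with a password.
        has_console = user == ROOT or row["password_enabled"] == "true"
        if has_console and row["mfa_active"] != "true":
            findings.append((user, "mfa_not_enabled"))
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] != "true":
                continue
            if user == ROOT:
                findings.append((user, f"root_access_key_{n}_active"))
            rotated = datetime.fromisoformat(row[f"access_key_{n}_last_rotated"])
            if now - rotated > max_age:
                findings.append((user, f"access_key_{n}_older_than_{max_key_age_days}_days"))
    return findings


if __name__ == "__main__":
    for user, finding in audit_credential_report(SAMPLE_REPORT):
        print(f"{user}: {finding}")
```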
18. #8 Use the Security Token Service for Vendors
The AWS Security Token Service (STS) is a web service that enables you to request temporary, limited-privilege credentials for AWS Identity and Access Management (IAM) users or for users that you authenticate (federated users).
• Can be used in place of privileged IAM user access keys
• Temporary credentials
• Allows third parties such as Cloudnosys to access your AWS accounts more securely (TPRM!)
19. #9 Secure your S3 buckets.
Amazon S3 is object storage built to store and retrieve any amount of data
from anywhere – web sites and mobile apps, corporate applications, and
data from IoT sensors or devices.
• Check your bucket Access Control Lists regularly
• Watch for all grantees, including Authenticated Users
• Open S3 buckets are a favorite for trolling for API access keys
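An added example (not from the deck or from Cloudnosys) of the ACL review above: it classifies each grant in a bucket ACL shaped like a GetBucketAcl response. The two group URIs are S3's real predefined groups; note that AuthenticatedUsers means any AWS account, not your own users. The owner and grantee IDs are constructed.

```python
# Predefined S3 groups as they appear in GetBucketAcl grantee URIs.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
LOG_DELIVERY = "http://acs.amazonaws.com/groups/s3/LogDelivery"

# Verdicts that mean the bucket is reachable from outside the owning account.
EXPOSED = {"PUBLIC", "ANY_AWS_ACCOUNT", "CROSS_ACCOUNT"}

# Constructed bucket ACL in the shape boto3's get_bucket_acl() returns;
# the owner ID and the foreign canonical ID are made-up 64-char strings.
SAMPLE_ACL = {
    "Owner": {"DisplayName": "acme-prod", "ID": "a" * 64},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "a" * 64,
                     "DisplayName": "acme-prod"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
        {"Grantee": {"Type": "Group", "URI": AUTHENTICATED_USERS},
         "Permission": "WRITE"},
        {"Grantee": {"Type": "CanonicalUser", "ID": "b" * 64},
         "Permission": "READ_ACP"},
    ],
}


def classify_grant(grant, owner_id):
    """Return (grantee_label, permission, verdict) for one ACL grant."""
    g, perm = grant["Grantee"], grant["Permission"]
    if g["Type"] == "Group":
        verdict = {ALL_USERS: "PUBLIC",                   # anyone on the internet
                   AUTHENTICATED_USERS: "ANY_AWS_ACCOUNT",  # any AWS customer at all
                   LOG_DELIVERY: "LOG_DELIVERY"}.get(g["URI"], "UNKNOWN_GROUP")
        return g["URI"].rsplit("/", 1)[-1], perm, verdict
    if g["Type"] == "CanonicalUser" and g["ID"] == owner_id:
        return g.get("DisplayName", g["ID"]), perm, "OWNER"
    # Email or canonical-ID grantees that are not the owner belong to another account.
    return g.get("EmailAddress", g.get("ID", "?")), perm, "CROSS_ACCOUNT"


def review_bucket_acl(acl):
    """Classify every grant in the ACL (see EXPOSED for the ones to act on)."""
    owner_id = acl["Owner"]["ID"]
    return [classify_grant(g, owner_id) for g in acl["Grants"]]


def bucket_is_exposed(acl):
    return any(verdict in EXPOSED for _, _, verdict in review_bucket_acl(acl))


if __name__ == "__main__":
    for label, perm, verdict in review_bucket_acl(SAMPLE_ACL):
        print(f"{verdict:16} {perm:13} {label}")
    print("exposed:", bucket_is_exposed(SAMPLE_ACL))
```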
20. #10 Don’t leave the front door open
A Security Group acts as a virtual firewall for your instance
to control inbound and outbound traffic. Each instance in
a subnet in your VPC could be assigned to a different set
of security groups.
• Open VPCs affect: Amazon Elastic Load Balancing, Amazon RDS, Amazon ElastiCache, Amazon Redshift
• Monitor Security Groups regularly
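An added example (not from the deck or from Cloudnosys) of the "monitor Security Groups regularly" check: it walks ingress rules in the shape `describe-security-groups` returns and reports any rule open to 0.0.0.0/0 or ::/0 that covers a default port of the services listed above. The groups are constructed, and the port map is an assumption (default ports).

```python
# CIDRs that mean "any source on the internet" in an ingress rule.
WORLD = {"0.0.0.0/0", "::/0"}

# Default listener ports of the services the slide names plus the admin ports
# (assumption: defaults unchanged; adjust to your deployment).
SENSITIVE_PORTS = {22: "SSH", 3389: "RDP", 3306: "RDS MySQL", 5432: "RDS PostgreSQL",
                   1433: "RDS SQL Server", 6379: "ElastiCache Redis",
                   11211: "ElastiCache Memcached", 5439: "Redshift"}

# Constructed groups in the shape of describe_security_groups()["SecurityGroups"].
SAMPLE_GROUPS = [
    {"GroupId": "sg-0a1b2c3d4e5f60001", "GroupName": "web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0a1b2c3d4e5f60002", "GroupName": "rds", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0a1b2c3d4e5f60003", "GroupName": "admin", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
]

def world_open_cidrs(rule):
    """CIDRs in this rule that admit any source address (IPv4 or IPv6)."""
    cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
    return [c for c in cidrs if c in WORLD]

def rule_port_range(rule):
    """(low, high) ports covered; None when FromPort/ToPort are not ports (ICMP type/code)."""
    proto = rule["IpProtocol"]
    if proto == "-1":                           # all protocols, all ports
        return 0, 65535
    if proto not in ("tcp", "udp", "6", "17"):
        return None
    return rule.get("FromPort", 0), rule.get("ToPort", 65535)

def audit_security_group(sg):
    """Findings for every ingress rule open to the world on a sensitive port."""
    findings = []
    for rule in sg["IpPermissions"]:
        cidrs, ports = world_open_cidrs(rule), rule_port_range(rule)
        if not cidrs or ports is None:          # restricted source or non-port protocol
            continue
        hit = [f"{p}/{n}" for p, n in sorted(SENSITIVE_PORTS.items())
               if ports[0] <= p <= ports[1]]
        if hit:
            findings.append({"group": sg["GroupId"], "name": sg["GroupName"],
                             "sources": cidrs, "exposes": hit})
    return findings
```

The web group produces no finding: 443 to the world is not in the sensitive list, and SSH from 10.0.0.0/8 is not world-open.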
21. What Next?
• Knowing the Top 10, the CIS 44, or 150 controls is not enough
• Writing SOPs and policies is not enough
• Automation is the new “norm” which drives enforcement and accountability.
23. Cloudnosys Security Platform
CloudEye continuously secures your cloud services and automates compliance. Over 150 Cloudnosys best practice rules track and monitor your AWS services for security and compliance violations. Dashboards and reports keep you fully informed of any risks. Agentless!
• Continuous security & compliance scanning
• Alerts on vulnerabilities
• Audit reports on security and compliance
• Fast remediation
• Supports PCI-DSS, HIPAA, AWS CIS Benchmark and FISMA mandates
24. Dashboards: Compliance and Security
Security and Compliance dashboards show alerts, violations and how to remediate them quickly to mitigate risks. This is generated on the fly after scanning all Cloud Services and Availability Zones.
25. Reporting: Compliance and Security
Security and Compliance reports show alerts, violations and how to remediate them quickly to avoid cyber attacks. This is generated on the fly after scanning all Cloud Services.
26. How It Works
An AWS native cloud solution that automates key cloud security processes and enables consistent
enforcement of security policies, best practices and compliance requirements across an
organization’s AWS cloud infrastructure.
28. Sample Cost Savings Report
© 2017 - Cloudnosys | Enterprise Cloud Diagnostics and Remediation.
Cost savings reports are calculated in seconds after the user sets schedules to turn some machines off.
29. Summary: What did we learn today?
• Cloud security is a shared responsibility.
• Automation is key to your enterprise success
• Third Party Risk Management – AWS CIS 44 rule enforcement
• Make DevOps accountable for security through automation – CI/CD
• Measure your progress through KPIs via automation
• Learn and enforce the AWS CIS-44 Controls for starters
30. Q & A - ANY QUESTIONS?
Type your questions in the chat box now…
Try Cloudnosys free for 14 days. Start monitoring, optimizing and securing your AWS. No-limits evaluation.
Meet us at AWS Invent: info@Cloudnosys.com