1. Accelerating your Business with Security
Dave Walker, Specialist Solutions Architect, Security and Compliance
23/05/17
2. What to expect from the session
• Existing Multi-Account Strategies, and Multi-Account Planning
• Organizations
• Compliance and Scoping (and Artifact)
• EC2 Systems Manager
• DDoS and Mitigation with Shield
5. The Story So Far
MASCOT
• fully role- and identity-managed implementation from ProServe
• Presented at Re:Invent 2016 SAC319 (https://www.youtube.com/watch?v=pqq39mZKQXU), SAC320 (https://www.youtube.com/watch?v=xjtSWd8z_bE)
• Bertram Dorn's work from 2014
• similar structure, but a number of differences
• https://youtu.be/CNSaJs7pWjA
• Neither covers Organizations (yet)
• MASCOT had some coverage for KMS
6. What Needs Segregating from What?
Obvious cases first:
• Read access to Billing and Log records from everyone, except Auditors and Security
• ...and even then, access should be limited to appropriate cases
• consider evidential weight
• Prod from Dev, Test and Staging
• remember Knight Capital?
• also "bug ringfencing"
• Compliance in-scope from out-of-scope
• auditors need to see a hard scope boundary
• you will want to keep in-scope as small as possible
• use both AWS Accounts and VPCs for this
7. What Needs Segregating from What?
Less obvious cases:
• Look at your org chart and body of policies
• Consider how Separation of Duty and Need to Know operate
• both in and between departments
• Within org charts, policy, compliance scoping, and the need to ringfence dev accounts where bugs could impact API access, lie the answers to "how many ... do I need?" for each of:
• AWS Organizations
• KMS CMKs
• AWS accounts
11. What do customers want to do?
• Use AWS account boundaries for isolation.
• Centrally manage policies across many accounts.
• Delegate permissions, but maintain guardrails.
• See combined view of all charges.
12. Introducing AWS Organizations
Policy-based management for multiple AWS accounts.
• Control AWS service use across accounts
• Consolidate billing
• Automate AWS account creation
13. Typical Use Cases
Control the use of AWS services to help
comply with corporate security and
compliance policies.
• Service Control Policies (SCPs) help you
centrally control AWS service use across
multiple AWS accounts.
• Ensure that entities in your accounts can use
only the services that meet your corporate
security and compliance policy
requirements.
14. Typical Use Cases
Automate the creation of AWS accounts for different resources.
• API driven AWS account creation.
• Use APIs to add the new account to a group and attach service control policies.
• Use API response to trigger additional automation (eg deploy CloudFormation template)
15. Typical Use Cases
Create different groups of accounts for development and production resources.
• Organise groups into a hierarchy.
• Apply different policies to each group.
• Alternatively, group according to lines-of-business or other desired dimensions.
16. Key Features
• Policy framework for multiple AWS accounts.
• Group-based account management.
• Account creation and management APIs.
• Consolidated billing for all AWS accounts in your
organization.
• Enable Consolidated Billing Only or All Features.
17. How is Organizations different from IAM?
• Create groups of AWS accounts with AWS
Organizations.
• Use Organizations to attach SCPs to those groups to
centrally control AWS service use.
• Entities in the AWS accounts can only use the AWS
services allowed by both the SCP and the AWS IAM
policy for the account.
18. How to get started?
• Revisit or create your account segmentation strategy.
• Decide which type of organization is right for you.
• Organize your AWS accounts according to it.
• Test & begin to apply SCPs slowly.
• Iterate on SCPs to achieve your desired state.
19. Pricing & Availability
• Available at no additional charge.
• Global service.
• Accessed through endpoint in N. Virginia region.
20. Service Control Policies (SCPs)
• Enables you to control which AWS service APIs are
accessible
- Define the list of APIs that are allowed – whitelisting
- Define the list of APIs that must be blocked – blacklisting
• Cannot be overridden by local administrator
• Resultant permission on IAM user/role is the intersection
between the SCP and assigned IAM permissions
• Necessary but not sufficient
• IAM policy simulator is SCP aware
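As an added example (not from the slides, and not AWS's own evaluation engine), the block below puts a whitelisting SCP beside a member account's IAM policy and applies the rule stated on this slide: the effective permission is the intersection of the two, so an action the local administrator grants in IAM is still blocked when the SCP does not list it. Both policy documents are constructed for the demo, the matching is the simplified Deny-beats-Allow logic for Resource "*", and nothing is sent to AWS.

```python
"""Added example, not from the slides: a whitelisting SCP beside a member
account's IAM policy, with an evaluator that applies the rule on this slide:
the effective permission is the intersection of the two. The policy documents
are constructed for the demo and nothing is sent to AWS."""
import fnmatch
import json

# Whitelisting SCP attached to an OU: only these services may be called.
# Anything not listed is implicitly denied for every principal in the OU,
# including the member account's own administrators.
ALLOWLIST_SCP = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["ec2:*", "s3:*", "cloudwatch:*", "logs:*"],
        "Resource": "*",
    }],
}

# IAM policy on a developer role inside one member account (constructed).
# Note that it grants iam:CreateUser, which the SCP above does not allow.
DEVELOPER_IAM_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["ec2:Describe*", "s3:GetObject", "iam:CreateUser"],
         "Resource": "*"},
        {"Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"},
    ],
}


def _matches(pattern, action):
    # IAM action matching is case-insensitive; '*' is the only wildcard used here.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def policy_allows(policy, action):
    """Evaluate one policy document for one action on Resource '*'.

    Simplified IAM logic: an explicit Deny always wins, an Allow is needed
    for the call to succeed, and no matching statement means implicit deny.
    """
    allowed = False
    for stmt in policy["Statement"]:
        actions = stmt["Action"]
        if isinstance(actions, str):
            actions = [actions]
        if any(_matches(p, action) for p in actions):
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def effective_decision(scp, iam_policy, action):
    """The SCP is necessary but not sufficient: both must allow the action."""
    return policy_allows(scp, action) and policy_allows(iam_policy, action)


def explain(scp, iam_policy, action):
    """Say which side blocked the call."""
    scp_ok = policy_allows(scp, action)
    iam_ok = policy_allows(iam_policy, action)
    if scp_ok and iam_ok:
        return "allowed"
    if not scp_ok:
        return "blocked by SCP (local administrator cannot override)"
    return "blocked by IAM policy"


if __name__ == "__main__":
    print(json.dumps(ALLOWLIST_SCP, indent=2))
    for act in ("ec2:DescribeInstances", "iam:CreateUser",
                "s3:PutObject", "s3:DeleteBucket"):
        print("%-22s %s" % (act, explain(ALLOWLIST_SCP, DEVELOPER_IAM_POLICY, act)))
```

Running it shows the four cases that matter when reviewing an SCP rollout: allowed by both, allowed by IAM but stopped by the SCP, allowed by the SCP but never granted in IAM, and explicitly denied in IAM. The real IAM policy simulator evaluates SCPs the same way, which is why it is worth using on a single test account before attaching a policy higher in the hierarchy.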
22. Best practices – AWS Organizations
1. Monitor activity in the master account using CloudTrail
2. Do not manage resources in the master account
3. Manage your organization using the principle of “Least privilege”
4. Use OUs to assign controls
5. Test controls on single AWS account first
6. Only assign controls to root of organization if necessary
7. Avoid mixing “whitelisting” and “blacklisting” SCPs in organization
8. Create new AWS accounts for the right reasons
28. Amazon EC2 Systems Manager
• Announced at Re:Invent 2016
• See sessions WIN401 (https://www.youtube.com/watch?v=Eal9K0aGLYI) and WIN402 (https://www.youtube.com/watch?v=L5TglwWI5Yo)
29. Systems Manager Capabilities
[Diagram of capabilities, grouped under "Configuration, Administration", "Update and Track" and "Shared Capabilities": Run Command, Maintenance Windows, Inventory, State Manager, Parameter Store, Patch Manager, Automation]
31. Inventory
What we heard:
• Accurate software inventory is critical for understanding fleet
configuration and license usage
• Legacy solutions not optimised for cloud
• Self-hosting requires additional overhead
32. Inventory
Introducing Inventory
• End-to-end inventory collection (EC2/on-premises/Workspaces)
• Linux / Windows
• Powerful query syntax
• Extensible inventory schema
• Integrated with AWS services
33. Inventory – System Diagram
[Diagram components: SSM Agent on EC2 Windows instances, EC2 Linux instances and on-premises instances; AWS SSM Service; State Manager; EC2 Inventory SSM document; Inventory Store; EC2 Console and SSM CLI/APIs; AWS Config (Console + CLI/APIs)]
35. Inventory – Configuration
Create an Inventory association
1. Select instances (by instance ID or tag)
2. Select scan frequency (hours, minutes, days, NOW)
3. Select Inventory Types to gather
• Instance information
• Applications
• AWS Components
• Network configuration
• Windows Updates
• Custom Inventory
36. Inventory – Custom Inventory Type
Custom Inventory Collection
• Extensible: record any attribute for a given instance
• On-premise Examples: rack location, BIOS version, firewall settings
Two ways to record custom inventory types
1. Agent/on-instance: Write a cron job to record custom inventory files to a predefined path
2. API: Use PutInventory API
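As an added example (not from the slides or the SSM agent's own code), here is what the cron job in option 1 would produce: a custom inventory file in the JSON layout the agent collects from its custom inventory directory, with a validator for the mistakes that make the agent reject a file. The SchemaVersion / TypeName / Content layout and the Linux directory follow the custom inventory format as I understand it; the rack and BIOS values are constructed.

```python
"""Added example, not from the slides: build, validate and write a Custom
Inventory file of the kind the SSM agent picks up from its custom inventory
directory.  The JSON layout and the directory follow the custom inventory
format as I understand it; the attribute values are constructed."""
import json
import os

# Directory the Linux agent scans for custom inventory files (assumed from the
# documented layout). Windows uses
# %ProgramData%\Amazon\SSM\InstanceData\<instance-id>\inventory\custom
CUSTOM_INVENTORY_DIR = "/var/lib/amazon/ssm/{instance_id}/inventory/custom"


def build_custom_inventory(type_name, entries):
    """Return a custom inventory document for one instance.

    Every attribute value is stringified because the custom inventory schema
    stores attributes as strings, not numbers, booleans or nested objects.
    """
    content = [{k: str(v) for k, v in entry.items()} for entry in entries]
    return {"SchemaVersion": "1.0", "TypeName": type_name, "Content": content}


def validate_custom_inventory(doc):
    """Return a list of problems; an empty list means the file is well-formed."""
    problems = []
    if doc.get("SchemaVersion") != "1.0":
        problems.append("SchemaVersion must be '1.0'")
    type_name = str(doc.get("TypeName", ""))
    if not type_name.startswith("Custom:") or len(type_name) == len("Custom:"):
        problems.append("TypeName must be 'Custom:' followed by a name")
    content = doc.get("Content")
    if not isinstance(content, list):
        problems.append("Content must be a list of attribute maps")
        return problems
    for i, entry in enumerate(content):
        if not isinstance(entry, dict):
            problems.append("Content[%d] is not an object" % i)
            continue
        for key, value in entry.items():
            if not isinstance(value, str):
                problems.append("Content[%d].%s must be a string" % (i, key))
    return problems


def write_custom_inventory(doc, instance_id, base_dir=None):
    """Write the document where the agent will find it and return the path.

    base_dir overrides the real agent directory so the example can run
    anywhere; the file is named after the type, e.g. RackInfo.json.
    """
    problems = validate_custom_inventory(doc)
    if problems:
        raise ValueError("; ".join(problems))
    directory = base_dir or CUSTOM_INVENTORY_DIR.format(instance_id=instance_id)
    os.makedirs(directory, exist_ok=True)
    path = os.path.join(directory, doc["TypeName"].split(":", 1)[1] + ".json")
    with open(path, "w") as fh:
        json.dump(doc, fh, indent=2)
    return path


def read_custom_inventory(path):
    """Read a file back, e.g. to confirm what the agent will report."""
    with open(path) as fh:
        return json.load(fh)


# Constructed on-premises attributes, as a cron job on the host would gather them.
RACK_INFO = build_custom_inventory("Custom:RackInfo", [
    {"RackLocation": "DC1-Row4-Rack12", "BiosVersion": "2.7.1", "FirewallEnabled": True},
])

if __name__ == "__main__":
    # A placeholder instance id; on a real host the agent knows its own.
    print(write_custom_inventory(RACK_INFO, "i-0123456789abcdef0",
                                 base_dir="./custom-inventory-demo"))
```

The validator is the useful part for a fleet: run it in the cron job before writing, so that a non-string value (a boolean, a nested dict) is caught on the host rather than silently missing from the Inventory Store on the next collection.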
37. Inventory Manager
Query
• Search by inventory attribute
• Partial and inverse searches
• eg "Windows 2012 r2 instances running SQL Server 2016 where Windows Update KB112342 is not installed"
Integration with AWS Config
• Record inventory changes over time
• Use AWS Config Rules to monitor changes, notify
39. State Manager
• Maintain consistent state of instances
• Reapply to keep instances from drifting
• Easily view status of configuration changes
• Define schedule – ad hoc, periodic
• Track aggregate status for your fleet
40. State Manager – Getting started
• Document: Author your intent
• Target: Instances or tag queries
• Association: Binding between a document and a
target
• Schedule: When to apply your association
• Status: Check the state of your association at an
aggregate or instance level
41. Creating an Association
aws ssm create-association \
    --document-name WebServerDocument \
    --document-version '$DEFAULT' \
    --schedule-expression "cron(0 */30 * * * ? *)" \
    --targets "Key=tag:Name,Values=WebServer" \
    --output-location '{"S3Location": {"OutputS3Region": "us-east-1", "OutputS3BucketName": "MyBucket", "OutputS3KeyPrefix": "MyPrefix"}}'
Configures all instances that match the tag query and reapplies every 30 minutes
43. CI/CD for DevOps
[Pipeline diagram: Dev commits to Git/master; Version Control; CI Server (distributed builds, run tests in parallel, send build report to Dev, stop everything if build failed); Package Builder (AMIs); Deploy Server (get/pull code, push config, install, create repo); CloudFormation templates generate the Test, Staging and Prod environments, each holding code, config and tests]
45. Automation – What we heard
Automation pain point: AMI building
• Triggers: patching, hardening, application bake-in
• Never-ending
• Time consuming, especially when builds fail
• Overhead of maintaining build service
46. Automation
Introducing Automation
• Simplified automation solution
• Perfect for AMI updates, instance deployment & config
• Pro-active event notifications
• AWS optimized (EC2 Run Command, AWS Lambda, AWS
CloudTrail, IAM, and Amazon CloudWatch integrations)
47. Automation – Getting Started
1. Create an automation document
2. Run automation
3. Monitor your automation
48. Automation - Documents
Input & output parameters
• Create default values, or assign at run-time
• Parameter Store integration
• System Variables (DATE, DATE_TIME, REGION, EXECUTION_ID)
Demo examples
Document Parameter Name    Default Value
sourceAMIid                "{{ssm:sourceAMI}}"
targetAMIname              "patchedAMI-{{global:DATE_TIME}}"
50. Automation – IAM Setup
1. Create a Service Role for Automation
• Permission for Automation service to operate in your account
2. Attach PassRole policy to user’s account
3. Launch instances with SSM role (AmazonEC2RoleforSSM)
53. Parameter Store
• Centrally store and find configuration data
• Repeatable, automatable management (e.g. SQL connection strings, passwords, cryptographic keys)
• Granular access control – view, use and edit values
• Encrypt sensitive data using your own AWS KMS keys
54. Parameter Store – Getting started
• Parameter: Key-value pair
• Secure Strings: Encrypt sensitive parameters with your own KMS or default account encryption key
• Reuse: In Documents and easily reference at runtime across EC2 Systems Manager using {{ssm:parameter-name}}
• Access Control: Create an IAM policy to control access to specific parameter
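As an added example (not from the slides, and not the service's own resolver), the block below resolves the {{ssm:name}} and {{global:NAME}} references that both the Automation document defaults (sourceAMIid, targetAMIname) and the Parameter Store "Reuse" bullet rely on, against a constructed stand-in for Parameter Store. It also shows the one Secure String behaviour worth knowing when writing documents: without decryption a Secure String comes back as ciphertext, and in AWS decryption additionally requires IAM permission on the parameter and on the KMS key. The parameter values, region, execution id and the DATE_TIME layout are constructed assumptions.

```python
"""Added example, not from the slides: resolve the {{ssm:name}} and
{{global:NAME}} references used in Systems Manager documents against a
constructed stand-in for Parameter Store.  The service does this for you;
this shows the substitution and SecureString handling.  Parameter values,
region, execution id and the DATE_TIME layout are constructed."""
import re
from datetime import datetime, timezone

REFERENCE = re.compile(r"\{\{\s*(ssm|global):([A-Za-z0-9_./-]+)\s*\}\}")

# Constructed stand-in for Parameter Store: name -> (type, stored value).
# SecureString values stand in for KMS-encrypted ciphertext ('enc:' prefix).
FAKE_PARAMETER_STORE = {
    "sourceAMI": ("String", "ami-0123456789abcdef0"),        # placeholder AMI id
    "db/prod/connection-string": ("SecureString",
                                  "enc:Server=db.internal;Password=example-only"),
}


def get_parameter(name, with_decryption=False):
    """Mimic GetParameter: a SecureString comes back encrypted unless decryption
    is requested (and, in AWS, permitted by IAM and the KMS key policy)."""
    ptype, stored = FAKE_PARAMETER_STORE[name]
    if ptype == "SecureString" and with_decryption:
        return stored[len("enc:"):]
    return stored


def system_variables(now_iso=None, region="us-east-1", execution_id="<execution-id>"):
    """Constructed values for the global: variables listed on the Automation slide."""
    now = datetime.fromisoformat(now_iso) if now_iso else datetime.now(timezone.utc)
    return {
        "DATE": now.strftime("%Y-%m-%d"),
        "DATE_TIME": now.strftime("%Y-%m-%d_%H.%M.%S"),   # assumed layout
        "REGION": region,
        "EXECUTION_ID": execution_id,
    }


def references(template):
    """List every (kind, name) reference in a document string, in order.
    Useful for checking a document's IAM needs before running it."""
    return [(m.group(1), m.group(2)) for m in REFERENCE.finditer(template)]


def resolve(template, with_decryption=False, now_iso=None):
    """Substitute every reference.  Unknown names raise KeyError so a typo in a
    document fails loudly instead of launching with an empty value."""
    sysvars = system_variables(now_iso)

    def substitute(match):
        kind, name = match.group(1), match.group(2)
        if kind == "ssm":
            return get_parameter(name, with_decryption)
        return sysvars[name]

    return REFERENCE.sub(substitute, template)


if __name__ == "__main__":
    print(resolve("{{ssm:sourceAMI}}"))
    print(resolve("patchedAMI-{{global:DATE_TIME}}"))
    print(resolve("{{ssm:db/prod/connection-string}}"))
    print(resolve("{{ssm:db/prod/connection-string}}", with_decryption=True))
```

The references() helper is the practical one: listing the ssm: names a document uses tells you exactly which parameters its execution role needs GetParameter access to, which is how the "Access Control" bullet above is made concrete rather than granting ssm:* on all parameters.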
58. Types of DDoS attacks
Volumetric DDoS attacks
Congest networks by flooding them with
more traffic than they are able to handle
(e.g., UDP reflection attacks)
59. Types of DDoS attacks
State-exhaustion DDoS attacks
Abuse protocols to stress systems like
firewalls, IPS, or load balancers (e.g., TCP
SYN flood)
60. Types of DDoS attacks
Application-layer DDoS attacks
Use well-formed but malicious requests to
circumvent mitigation and consume
application resources (e.g., HTTP GET, DNS
query floods)
61. DDoS attack trends
[Chart: Volumetric 65%, State exhaustion 18%, Application layer 18%]
63. Challenges in mitigating DDoS attacks
• Difficult to enable
• Complex set-up
• Provision bandwidth capacity
• Application re-architecture
64. DDoS protections built into AWS
Integrated into the AWS global infrastructure
Always-on, fast mitigation without external routing
Redundant Internet connectivity in AWS data centers
65. DDoS protections built into AWS
Protection against most common infrastructure attacks: SYN/ACK Floods, UDP Floods, Reflection attacks etc.
No additional cost
[Diagram: Users, DDoS Attack, DDoS mitigation systems]
67. AWS Shield
Standard Protection: Available to ALL AWS customers at No Additional Cost
Advanced Protection: Paid service that provides additional protections, features and benefits.
68. AWS Shield
Four key pillars…
• AWS Integration: DDoS protection without infrastructure changes
• Affordable: Don’t force unnecessary trade-offs between cost and availability
• Flexible: Customize protections for your applications
• Always-On Detection and Mitigation: Minimize impact on application latency
70. AWS Shield Standard
Layer 3/4 protection
• Automatic detection & mitigation
• Protection from most common attacks (SYN/UDP Floods, Reflection Attacks, etc.)
• Built into AWS services
Layer 7 protection
• AWS WAF for Layer 7 DDoS attack mitigation
• Self-service & pay-as-you-go
71. AWS Shield Standard
Better protection than ever for your applications running on AWS
• Improved mitigations using proprietary BlackWatch systems
• Additional mitigation capacity
• Commitment to continuously improve detection and mitigation
• Still at no additional cost
74. AWS Shield Advanced
Available today in …
US East (N. Virginia) us-east-1
US West (Oregon) us-west-2
EU (Ireland) eu-west-1
Asia Pacific (Tokyo) ap-northeast-1
75. AWS Shield Advanced
Announcing AWS WAF for Application Load Balancer
[Diagram: Valid users and Attackers, AWS WAF in front of the Application Load Balancer, attackers marked X]
76. AWS Shield Advanced
• Always-on monitoring & detection
• Advanced L3/4 & L7 DDoS protection
• Attack notification and reporting
• 24x7 access to DDoS Response Team
• AWS bill protection
79. Always-on monitoring and detection
• Signature based detection
• Heuristics-based anomaly detection
• Baselining
80. Always-on monitoring and detection
Heuristics-based anomaly detection
Detects anomalies based on attributes such as:
• Source IP
• Source ASN
• Traffic levels
• Validated sources
81. Always-on monitoring and detection
Baselining
Continuously baselining normal traffic patterns
• HTTP Requests per second
• Source IP Address
• URLs
• User-Agents
87. Layer 3/4 infrastructure protection
Traffic prioritization based on scoring
Low suspicion attributes
• Normal packet or request header
• Traffic composition and volume is typical given its source
• Traffic valid for its destination
High suspicion attributes
• Suspicious packet or request headers
• Entropy in traffic by header attribute
• Entropy in traffic source and volume
• Traffic source has a poor reputation
• Traffic invalid for its destination
• Request with cache-busting attributes
88. Layer 3/4 infrastructure protection
Traffic prioritisation based on scoring
• Inline inspection and scoring
• Preferentially discard lower priority (attack) traffic
• False positives are avoided and legitimate viewers are protected
[Diagram: High-suspicion packets dropped, Low-suspicion packets retained]
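As an added example (not from the slides, and not Shield's proprietary scoring, which is not reproduced here), the block below is a toy inline scorer built from the low/high-suspicion attributes listed on the two slides above, with the prioritisation step they describe: when capacity is short, the highest-scoring records are discarded first so that legitimate, low-suspicion traffic is retained. "Volume typical for its source" is checked as a deviation from a learned baseline in the spirit of the baselining slide. The baseline, weights, reputation list and request records are all constructed.

```python
"""Added example, not from the slides: a toy suspicion scorer and
prioritiser modelled on the low/high-suspicion attributes above.  Baseline,
weights, reputation list and request records are constructed; AWS Shield's
real scoring is proprietary and is not reproduced here."""
import math
from collections import Counter

# Constructed baseline, as a baselining stage would learn it from normal traffic.
BASELINE = {
    "rps_per_source": 5.0,
    "known_user_agents": {"Mozilla/5.0", "curl/7.58.0"},
    "valid_paths": {"/", "/index.html", "/api/items"},
}
POOR_REPUTATION_ASNS = {64512}          # constructed; 64512 is a private ASN
CACHE_BUST_PARAMS = {"_", "nocache", "rnd", "cb", "random", "ts"}


def shannon_entropy(text):
    """Bits per character; random-looking query values score high."""
    if not text:
        return 0.0
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def suspicion_score(req, baseline=BASELINE):
    """Return (score, reasons) for one request record; 0 means low suspicion."""
    score, reasons = 0, []
    if not req.get("headers_valid", True):
        score += 3
        reasons.append("suspicious packet or request headers")
    if req.get("user_agent") not in baseline["known_user_agents"]:
        score += 1
        reasons.append("user-agent outside baseline")
    if req.get("path") not in baseline["valid_paths"]:
        score += 2
        reasons.append("traffic invalid for its destination")
    for name, value in req.get("query", {}).items():
        if name in CACHE_BUST_PARAMS or shannon_entropy(value) > 3.0:
            score += 2
            reasons.append("cache-busting query attribute")
            break
    if req.get("rps_from_source", 0) > 3 * baseline["rps_per_source"]:
        score += 2
        reasons.append("volume atypical for its source")
    if req.get("asn") in POOR_REPUTATION_ASNS:
        score += 2
        reasons.append("source has a poor reputation")
    return score, reasons


def prioritise(requests, capacity):
    """Keep the `capacity` lowest-scoring records, drop the rest.
    Nothing is dropped while the batch fits, so normal traffic is untouched."""
    ranked = sorted(requests, key=lambda r: suspicion_score(r)[0])
    return ranked[:capacity], ranked[capacity:]


# Constructed request records (documentation-range addresses, private ASNs).
SAMPLE_REQUESTS = [
    {"src_ip": "198.51.100.10", "asn": 64496, "user_agent": "Mozilla/5.0",
     "path": "/index.html", "query": {}, "headers_valid": True, "rps_from_source": 2},
    {"src_ip": "198.51.100.11", "asn": 64496, "user_agent": "curl/7.58.0",
     "path": "/api/items", "query": {"page": "2"}, "headers_valid": True, "rps_from_source": 4},
    {"src_ip": "203.0.113.5", "asn": 64512, "user_agent": "xx",
     "path": "/index.html", "query": {"_": "9f3a7c1e2b"}, "headers_valid": True, "rps_from_source": 90},
    {"src_ip": "203.0.113.6", "asn": 64512, "user_agent": "Mozilla/5.0",
     "path": "/does-not-exist-4711", "query": {}, "headers_valid": False, "rps_from_source": 60},
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(req["src_ip"], suspicion_score(req))
    kept, dropped = prioritise(SAMPLE_REQUESTS, capacity=2)
    print("kept:", [r["src_ip"] for r in kept], "dropped:", [r["src_ip"] for r in dropped])
```

The reasons list is there for the forensics side of the story: a mitigation that only drops packets is hard to review afterwards, whereas recording why each record scored as it did lets you confirm that no legitimate viewer was among the discarded traffic.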
89. Layer 3/4 infrastructure protection
Advanced routing policies
• Distributed scrubbing and bandwidth capacity
• Automated routing policies to absorb large attacks
• Manual traffic engineering
90. Layer 3/4 infrastructure protection
Additional protections against larger and more sophisticated attacks
• Advanced routing capabilities
• Additional mitigation capacity
97. Attack notification and reporting
Attack monitoring and detection
• Real-time notification of attacks via Amazon CloudWatch
• Near real-time metrics and packet captures for attack forensics
• Historical attack reports
99. 24x7 access to DDoS Response Team
Critical and urgent priority cases are answered quickly and routed directly to DDoS experts.
Complex cases can be escalated to the AWS DDoS Response Team (DRT), who have deep experience in protecting AWS as well as Amazon.com and its subsidiaries.
100. 24x7 access to DDoS Response Team
• Before Attack: Proactive consultation and best practice guidance
• During Attack: Attack mitigation
• After Attack: Post-mortem analysis
103. AWS DDoS Shield: Pricing
Standard Protection:
• No commitment
• No additional cost
Advanced Protection:
• 1 year subscription commitment
• Monthly base fee: $3,000
• Data transfer fees

Data Transfer Price ($ per GB)   CloudFront    ELB
First 100 TB                     $0.025        $0.050
Next 400 TB                      $0.020        $0.040
Next 500 TB                      $0.015        $0.030
Next 4 PB                        $0.010        Contact Us
Above 5 PB                       Contact Us    Contact Us
104. AWS DDoS Shield: How to choose
Standard Protection: For protection against most common DDoS attacks, and access to tools and best practices to build a DDoS resilient architecture on AWS.
Advanced Protection: For additional protection against larger and more sophisticated attacks, visibility into attacks, AWS cost protection, Layer 7 mitigations, and 24X7 access to DDoS experts for complex cases.
105. AWS Shield: Getting started
Standard Protection: You get it automatically
Advanced Protection: Enable via the AWS Console
106. Helpful Videos
The Shared Security Model in Detail: https://youtu.be/RwUSPklR24M
IAM Recommended Practices: https://youtu.be/R-PyVnhxx-U
Encryption on AWS: https://youtu.be/DXqDStJ4epE
Securing Serverless Architectures: https://www.youtube.com/watch?v=8mpTpOXmws8
Security Webinar Series: https://www.brighttalk.com/webcast/9019/260695 and https://www.brighttalk.com/webcast/9019/261915
IoT Security: https://www.brighttalk.com/webcast/9019/229025?utm_campaign=CampaignPage