AWS Security Best Practices

© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Lock it Down: How to Secure Your
Organization's AWS Accounts
Sean Donaghy
Senior Cyber Security Advisor
Canadian Centre for Cyber Security
Communications Security Establishment
Government of Canada
Michael Davie
Security Engineer
Canadian Centre for Cyber Security
Communications Security Establishment
Government of Canada
Geordie Anderson
Security Specialist Solutions Architect
Amazon Web Services

AWS Shared Responsibility Model
Infrastructure Services
AWS
ENDPOINTS
AWS GLOBAL
INFRASTRUCTURE
REGIONS
AVAILABILITY
ZONES
EDGE
LOCATIONS
FOUNDATION
SERVICES
STORAGE DATABASES NETWORKINGCOMPUTE
AWSIAM
OPTIONAL – OPAQUE DATA: 0s & 1s (In transit / at rest)
CLIENT-SIDE DATA ENCRYPTION
& DATA INTEGRITY
AUTHENTICATION
SERVER-SIDE ENCRYPTION
File System and/or Data
NETWORK TRAFFIC PROTECTION
Encryption / Integrity / Identity
OPERATING SYSTEM, NETWORK & FIREWALL CONFIGURATION
PLATFORM & APPLICATION MANAGEMENT
CUSTOMER DATA
CUSTOMERIAM
MANAGED BY
CUSTOMERS
MANAGED BY
AMAZON WEB SERVICES
RESPONSIBLE FOR
SECURITY “IN”
THE CLOUD
RESPONSIBLE FOR
SECURITY “OF”
THE CLOUD

Container Services
AWS
ENDPOINTS
AWS GLOBAL
INFRASTRUCTURE
REGIONS
AVAILABILITY
ZONES
EDGE
LOCATIONS
FOUNDATION
SERVICES
AWSIAM
OPTIONAL – OPAQUE DATA: 0s & 1s (In transit / at rest)
& DATA INTEGRITY
AUTHENTICATION
NETWORK TRAFFIC PROTECTION
Encryption / Integrity / Identity
OPERATING SYSTEM, NETWORK CONFIGURATION
CUSTOMER DATA
CUSTOMERIAM
MANAGED BY
CUSTOMERS
MANAGED BY
AMAZON WEB
SERVICES
FIREWALL
CONFIGURATION

AWS
ENDPOINTS
AWS GLOBAL
INFRASTRUCTURE
REGIONS
AVAILABILITY
ZONES
EDGE
LOCATIONS
FOUNDATION
SERVICES
AWSIAM
OPTIONAL – OPAQUE DATA:
0s & 1s (In transit / at rest)
& DATA INTEGRITY AUTHENTICATION
OPERATING SYSTEM, NETWORK & FIREWALL CONFIGURATION
CUSTOMER DATA
MANAGED BY
CUSTOMERS
MANAGED BY
AMAZON WEB
SERVICES
NETWORK TRAFFIC PROTECTION PROVIDED BY THE PLATFORM
Protection of data in transit
SERVER SIDE ENCRYPTION PROVIDED BY THE PLATFORM
Protection of data at rest
Abstract Services

AWS CloudTrail
User Action Time
Tim Created 1:30pm
Sue Deleted 2:40pm
Kat Created 3:30pm
Users are
constantly
making API
calls...
On a growing set of
AWS services
around the world…
AWS CloudTrail
is continuously
recording and
logging the API
calls…
Who made the request?
What was requested?
When and from where?
What was the response?

Amazon Virtual Private Cloud (VPC) Flow Logs
• Agentless
• Enable per Elastic Network Interface (ENI), per subnet, or per VPC
• Logged to Amazon CloudWatch Logs
• Create CloudWatch metrics from log data
• Alarm on those metrics
AWS
account
Source IP
Destination IP
Source port
Destination port
Interface Protocol Packets
Bytes Start/end time
Accept
or reject

$ git clone https://github.com/awslabs/aws-security-benchmark.git
$ cd aws-security-benchmark/aws_cis_foundation_framework
$ python aws-cis-foundation-benchmark-checklist.py
Example: Center for Internet Security (CIS)
Open source software validation for CIS AWS Foundation Framework
Ongoing Benchmark Validation of Infrastructure

Report This Way…

Or This Way…

Or Maybe This Way
{"Failed":["1.3", "1.4", "1.5", "1.6", "1.7", "1.8", "1.9", "1.10", "1.11", "1.14",
"1.16", "1.22", "1.23", "2.2", "2.4", "2.5", "2.6", "2.6", "2.8", "3.1", "3.2", "3.3",
"3.4", "3.5", "3.6", "3.7", "3.8", "3.9", "3.10", "3.11", "3.12", "etc"]}
Control output format based on downstream data consumer

Other Interesting Open Source Software Options
git-secrets - Prevents you from committing passwords and other sensitive information to a git repository.
aws-security-benchmark - Benchmark scripts mapped against trusted security frameworks.
aws-config-rules - [Node, Python, Java] Repository of sample custom rules for AWS Config
Netflix/security_monkey - Monitors policy changes and alerts on insecure configurations in an AWS account.
Netflix/edda - Edda is a service to track changes in your cloud deployments.
ThreatResponse - Open Source Security Suite for hardening and responding in AWS.
CloudSploit – Capturing things like open security groups, misconfigured VPCs, and more.
Stelligent/Cfn_nag – Looks for patterns in CloudFormation templates that may indicate insecure infrastructure.
Capitalone/cloud-custodian - Rules engine for AWS fleet management.

AWS Systems Manager
RunCommand Session Manager Inventory MaintenanceWindow
Patch Manager Automation Parameter Store Documents

Identify a subset of EC2
resources, and associate
them to a patch baseline
Returns a list of hosts
that are compliant or non-
compliant, triggering
automated patching

AWS Systems Manager
RunCommand

THIS IS A
VELOCIRAPTOR-FREE
WORKPLACE
IT HAS PROUDLY BEEN
DAYS SINCE THE LAST
INCIDENT

Traditional Operating System Access (SSH / RDP)
Client
Amazon EC2
Instance
Production Account
Central permissions,
logging, and alerting
of OS commands is
a challenge
SSH / RDP
X

AWS
CloudTrail
AWS Systems Manager
Run Command
The Power of Run Command
Client
AWS API
Amazon S3
Bucket
Amazon EC2
Instance
Production Account

AWS
CloudTrail
AWS Systems Manager
Run Command
The Power of Run Command –
With a Central Security Account
Client
AWS API
Central Security Account
Amazon S3
Bucket
Amazon S3
Bucket
Amazon EC2
Instance
Production Account
X

AWS Systems Manager
Session Manager
Interactivity – Commands are
executed synchronously in a full
interactive bash (Linux) or PowerShell
(Windows) environment.
Auditability – Commands and
responses can be logged to Amazon
CloudWatch and to an S3 bucket.
Optionally receive an SNS
notification when a new session is
started.
Access Control – Use IAM policies
and users to control access to your
instances, with no need to distribute
SSH keys. Limit access to a desired
time or maintenance window by using
IAM’s Date Condition Operators.

Amazon GuardDuty
Amazon
GuardDutyAmazon VPC
Flow Logs
Amazon EC2
DNS Logs
AWS CloudTrail
Logs
Amazon
CloudWatch
Events
Multiple AWS
Accounts
SECURITY
Threat Intelligence Feeds
Use machine
learning to
continuously
analyze, and
intelligently
detect malicious
or unauthorized
behaviour
AWS Lambda
A fully managed intelligent threat detection service
Global SOC
Downsteam SIEM
Central SecOps
Workflow

Amazon GuardDuty Detections
EC2
RECON
IAM
PHISHING
MALWARE
SPAMBOTS
BOTNETS
BITCOIN
BLACKHOLES
DROP POINTS
DRIVE BY DOWNLOADS
DNS DATA EXFILTRATION
DOMAIN GENERATION ALGORITHM DOMAINS
API INVOKED FROM A MALICIOUS IP
API INVOKED FROM A TOR EXIT NODE
SSH / RDP BRUTE FORCE ATTACK
PORT PROBE FROM A MALICIOUS HOST
OUTBOUND PORT SCANS
UNUSUAL NETWORK CHANGES (SGs, ROUTES, ACLs)
CLOUDTRAIL LOGGING MODIFIED
UNUSUAL IAM CHANGES (USERS, POLICIES)
CLOUDTRAIL LOGGING DISABLED
UNUSUAL RESOURCE PERMISSION CHANGES

Amazon
GuardDuty
Amazon
CloudWatch
Amazon
CloudWatch
Event
AWS
Lambda
Function
Automated Remediation

Amazon CloudWatch Rule

import boto3
import json
def lambda_handler(event, context):
try:
if event['detail']['type'] in [‘Backdoor:EC2/C&CActivity.B!DNS’]:
response =‘<do something here>’
except Exception, e:
print e
Example AWS Lambda Function
Particular Amazon
GuardDuty detection
of interest
Action
to take

Amazon
GuardDuty
Amazon
CloudWatch
Amazon
CloudWatch
Event
AWS
Lambda
Function
Automatic Remediation
Amazon
EC2
Instance

Automatic Remediation –
Re-Think Incident Response
Production
Security Group
Isolation Security Group for Forensic Investigation
(optionally on a completely isolated subnet)
Isolated
Security
Forensics
Tools

VPC Flow Log Monitoring – Automation
Amazon
Simple Notification
Service (SNS)
Amazon
CloudWatch
Logs
Private subnet
Compliance
Application
AWS
Lambda
function
If SSH REJECT > 10,
then…
Custom metric
filter
Filter on all
SSH REJECT
VPC Flow
Log group
Amazon
CloudWatch
Alarm
Identify and block the
Source IP, or even
disconnect source IP
Elastic Network Interface
Auto-cut ticket
with details and
notify admins

Security Threat Management Via IP Ranges
Threat Intel
Feeds
IP-threats.json
Amazon
Simple Notification Service
(SNS) Topic
Amazon S3
Bucket
S3 Event
Notification
publish to
SNS Topic
AWS Lambda
function
Application Load
Balancer (ALB)
Security Group
Subscribe to
SNS Topic
Pull
updated file
Update Security
Group IP ranges

Account A
Central Security Account
Amazon S3
Bucket
1.2.3.4/32
IP-threats.json
UPDATE
Account B
1.2.3.4/32
Account C
1.2.3.4/32
Central IP Threat Management

Governance With AWS Config Rules
Example rules, available out of the box…
AWS Config Rules
• Powerful configuration rule
system
• Define custom rules that can look
for desirable or undesirable
conditions
• Enforce best practices using
automated compliance checks
• Trigger additional alerts or
workflow
CloudTrail enabled
Desired instance types selected
Security groups have restricted SSH
S3 bucket public read / write prohibited
EC2 OS patch levels in compliance
Amazon RDS DB backup enabled
S3 bucket server side encryption enabled
Root credentials MFA enabled
Lambda functions public access prohibited
Amazon RDS storage encrypted
Amazon RDS multi-AZ support enabled
EC2 instances have the required tags

AWS Config Compliance Dashboard

Amazon S3
Bucket
Amazon
CloudWatch
AWS Config Rule
AWS Lambda
function
AWS Config – Automated Remediation
Check Amazon S3
bucket compliance –
no public read/write
Set Amazon S3 Bucket
ACL to private
Auto-cut ticket
with details, and
notify admins

IAM Access Advisor

SELECT useridentity.sessioncontext.sessionIssuer.userName
as uid, eventsource, eventname
FROM cloudtrail_logs
WHERE useridentity.sessioncontext.sessionIssuer.userName
= ‘target-name’
GROUP BY
useridentity.sessioncontext.sessionIssuer.userName,
eventsource, eventname
Query CloudTrail Data Using Amazon Athena

https://github.com/Netflix-Skunkworks/aardvark
https://github.com/Netflix/Repokid
Interesting Open Source Software Solutions

Montreal

Restrict an IAM Role to a Region
{ "Version": "2012-10-17",
"Statement": [
{ "Effect": "Allow",
"Action": [
"ec2:DescribeAccountAttributes", "ec2:DescribeAvailabilityZones", "ec2:DescribeInternetGateways",
"ec2:DescribeSecurityGroups", "ec2:DescribeSubnets", "ec2:DescribeVpcAttribute", "ec2:DescribeVpcs",
"ec2:DescribeInstances", "ec2:DescribeImages", "ec2:DescribeKeyPairs", "rds:Describe*", "iam:ListRolePolicies",
"iam:ListRoles", "iam:GetRole", "iam:ListInstanceProfiles", "iam:AttachRolePolicy", "lambda:GetAccountSettings" ],
"Resource": "*" },
{ "Effect": "Allow",
"Action": [ "ec2:RunInstances", "rds:CreateDBInstance", "rds:CreateDBCluster", "lambda:CreateFunction",
"lambda:InvokeFunction" ],
"Resource": "*",
"Condition": {"StringEquals": {"aws:RequestedRegion": ”ca-central-1"}} }, {
"Effect": "Allow", "Action": [ "iam:PassRole" ], "Resource": "arn:aws:iam::account-id:role/Please-use-a-specific-role" } ]
}

Master
Account
Member
Account 1
Member
Account 2
Member
Account 3
Member
Account 4
Enterprise
OU
Division 1
OU
Division 2
OU
AWS Organizations – Service Control Policies (SCP)
SCP SCP SCP SCP
SCP SCP
SCP
IAM IAM IAM IAM

AWS Landing Zone Solution
An easy-to-deploy solution that automates the setup
of new AWS multi-account environments
Based on AWS
best practices and
recommendations
Initial security and
governance
controls
Baseline
accounts and
account vending
machine
Automated
deployment
For more details, visit:
https://aws.amazon.com/answers/aws-landing-zone

AWS Landing Zone Structure
Amazon S3
Bucket
AWS
Code
Pipeline
AWS
Organizations
AWS SSO
AWS
CloudFormation
AWS Service
Catalog
AWS Systems
Manager
Core
Organizational
Unit
Central Services Account Central Logging Account Central Security Account
AWS Master Account
Account
Baseline
Network
Baseline
Active
Directory
Log
Reporting
Account
Baseline
Central Log
Aggregation
Account
Baseline
Security
Cross-Account
Roles
Central single
sign-on
(SSO)
Active
Directory,
and log
analytics
Central
CloudTrail
and AWS
Config logs
Break-glass
cross-
account
access
Account
vending
machine for
new account
creation

Amazon S3
Bucket
AWS
Code
Pipeline
AWS
Organizations
AWS SSO
AWS
CloudFormation
AWS Service
Catalog
AWS Systems
Manager
Core
Organizational
Unit
Central Services Account Central Logging Account Central Security Account
AWS Master Account
Account
Baseline
Network
Baseline
Active
Directory
Log
Reporting
Account
Baseline
Central Log
Aggregation
Account
Baseline
Security
Cross-Account
Roles

Account
Account
Account
Account
Account
Account
Account
Account
Account
Account
Account
Account
Central billing, security,
governance, logging,
authentication, and core
services
Automated account scaling

Supplement
active security
events with
automation
Summary
Implement a
multi-account
strategy, with
guard rails
Autocorrect /
remediate
violations where
possible
Ongoing
benchmark
validation of
infrastructure

CERRID #######
PAGE 57
UNCLASSIFIED
CERRID #######
57
UNCLASSIFIED
AWS Public Sector Conference
29 October 2018
Sean Donaghy – Sr. Cyber Security Advisor
Mike Davie – Cyber Security Engineer
1

CERRID #######
PAGE 58
UNCLASSIFIED
CCCS Role in Government of Canada Cloud Security
Sean Donaghy
2

CERRID #######
PAGE 59
UNCLASSIFIED
What is the Canadian Centre for Cyber Security?
The Cyber Centre is the Government of Canada’s single unified source of expert advice, guidance,
services and support on cyber security for government, critical infrastructure owners and operations, the
private sector and the Canadian public.
3

CERRID #######
PAGE 60
UNCLASSIFIED
Pillars of CCCS Cloud Security Program
Advice and Guidance
• Advice &
Guidance on the
secure use of
cloud
• Examples of
secure
Infrastructure as
Code
• Consultation with
CSP clients
Assessment
• Vendor
Engagement
• Cloud Service
Provider Security
Assessment
• Supply Chain
Integrity (SCI)
• Residual Risks
Cyber Defence
• Develop
capabilities for GC
workloads in
cloud
• Leverage existing
investment in
analytics and
cyber defence
4

CERRID #######
PAGE 61
UNCLASSIFIED
CSP Assessment Program
 Intended to assess each enterprise cloud service provider and their ability
to handle Government of Canada information:
● Unclassified to Protected A Data.
● Protected B Data.
 Program utilizes:
● An Onboarding process for interested CSPs
● Tailored Cloud Security Controls Profiles for Low and Moderate levels of information
sensitivity - can be applied by both government and industry.
● A Cloud Assessment Framework/Methodology (ITSM.50.100)
 Completed Assessments provide information to help departments validate
a CSP’s ability to meet the security control profile for GC information
security requirements as they procure Public cloud services.
5

CERRID #######
PAGE 62
UNCLASSIFIED
Cloud Advice and Guidance Publications
 The CCCS will be publishing various Cloud Security Publications:
● CSP Assessment Process
● Cloud IT Risk Management Process
● Cloud Security Profiles
● Cloud Defence in Depth
● Cloud Encryption Strategies
● Monitoring of Cloud Services
● Business Continuity Planning
● Access Control (Public, Private/Community and Hybrid Cloud)
● Secure Design/Implementation/Hardening of client IaaS/PaaS
Keep an eye on our Publications page: https://www.cyber.gc.ca/en/publications
6

CERRID #######
PAGE 63
UNCLASSIFIED
The Fundamentals of Cloud Security
7

CERRID #######
PAGE 64
UNCLASSIFIED
CSE/CIC/AWS Cybersecurity Research Effort
Mike Davie
8

CERRID #######
PAGE 65
UNCLASSIFIED
CSE-CIC-IDS2018 Dataset
 Collaborative effort between CSE, UNB, and AWS
 Communications Security Establishment
● Noted lack of high-quality, public data for cybersecurity tests (still a lot of KDD 1999…)
● Drafted problem book  A problem that we would like solved
● Contracted work to UNB
 Canadian Institute for Cybersecurity (University of New Brunswick)
● Previous work in dataset generation (2012, 2017)
● Generated new dataset to CSE requirements
● 500 users, realistic attacks, labelled data, feature extraction
 Amazon Web Services
● Provided cloud infrastructure for virtual environment
● $80k USD academic grant of AWS credit
● Free public hosting on Open Data portal
9

CERRID #######
PAGE 66
UNCLASSIFIED
CSE-CIC-IDS2018 Dataset
AWS Open Data Portal
https://registry.opendata.aws/cse-cic-ids2018/
Documentation
https://www.unb.ca/cic/datasets/ids-2018.html
ARN
arn:aws:s3:::cse-cic-ids2018
10

CERRID #######
PAGE 67
UNCLASSIFIED
Questions/More info?
Get in touch with our Contact Centre
Communiquez avec notre centre d’appel
1-833-CYBER-88 or/ou 613-949-7048
contact@cyber.gc.ca
Or check out our web site:
www.cyber.gc.ca
11

Thank You
Please rate my session.
https://amzn.to/ottawa-sessions
Track: Technical
Session: 10:00 AM - Lock It Down: How to Secure Your Organization's AWS
Accounts
How did we do?
https://amzn.to/ottawa-summit

AWS Security Best Practices

Empfohlen

Empfohlen

Weitere ähnliche Inhalte

Was ist angesagt?

Was ist angesagt? (20)

Ähnlich wie AWS Security Best Practices

Ähnlich wie AWS Security Best Practices (20)

Mehr von Amazon Web Services

Mehr von Amazon Web Services (20)

AWS Security Best Practices

Hinweis der Redaktion