AWS provides security capabilities and services that give you control over your AWS resources: how they are accessed, who can access them, and what privileges those identities are allowed. Access management, identity management, change control, and auditing can all be achieved at both a macro and a granular level.
In this session we'll explore services such as AWS Identity and Access Management (IAM), AWS CloudTrail, Amazon Directory Service and Amazon Inspector, so that you understand how to use them effectively to manage user privilege and access. We'll also look at Amazon Virtual Private Cloud (VPC) and how to use its features to build security at the network access layer. After this session you should understand and be able to: configure users, groups, and roles to manage actions; configure monitoring and logging to audit changes in your system; and design your AWS network using VPC for security.
2. What to expect from the session
• Configure network security using VPC
• Configure users, groups and roles to manage actions
• Configure monitoring and logging to audit changes
9. End run
(Architecture diagram: VPC BuildABeer-VPC-1, fronted by Amazon Route 53 and CloudFront. Security group BuildABeer-SG-1 holds the mail servers for mail.foo.com and security group BuildABeer-SG-2 holds the web servers for www.foo.com; each tier has a public subnet, a private subnet and an Elastic Load Balancing load balancer.)
13. Access points to AWS
AWS Command Line Interface, API, AWS Management Console
~>aws ec2 describe-instances
{
"Reservations": [
{
"Groups": [],
"Instances": [
{
"KeyName": "kiggins-bab-ec1-t2micro-keypair_0217",
"VirtualizationType": "hvm",
"AmiLaunchIndex": 0,
"SourceDestCheck": true,
"PublicIpAddress": "52.37.47.60",
"Architecture": "x86_64",
"RootDeviceType": "ebs",
#!/usr/bin/python3
import boto3

# Get the EC2 service resource (credentials and region come from the environment)
ec2 = boto3.resource('ec2')

# Print out each EC2 instance in the account
for instance in ec2.instances.all():
    print(instance)
14. Who can access resources
• Accounts
• Users
• AWS Identity and Access Management (IAM) users
• Federated users
• Groups
• Roles
• Services
(Diagram: IAM role, IAM users, IAM groups, Amazon EC2, federated user)
15. Restricted access best practices
• Do not use the root account
• Create an administrative account
• Enable MFA
• Enforce strong passwords
• Use groups to assign permissions
• Use cross account access for secure logging
16. Managing your policies
• IAM policies
• Managed policies
• Inline policies
• Resource-based policies
17. IAM policies
• Managed policies (newer way)
  • Can be attached to multiple users, groups, and roles
  • AWS managed policies: created and maintained by AWS
  • Customer managed policies: created and maintained by you
  • Up to 5K per policy
  • Up to 5 versions of a policy so you can roll back to a prior version
  • You can attach 10 managed policies per user, group, or role
  • You can limit who can attach which managed policies
• Inline policies (older way)
  • You create and embed directly in a single user, group, or role
  • Variable policy size (2K per user, 5K per group, 10K per role)
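Slides 15 and 17 describe the controls (no root use, MFA, group-based permissions, managed policies with a size limit) without showing what a policy that follows them looks like. The block below is an added example, not code from the deck: it builds a customer managed policy scoped to a single S3 bucket that only applies when the caller authenticated with MFA, and lints policy documents for the three mistakes the slides warn against (wildcard actions, wildcard resources, no MFA condition) plus the 5K size limit quoted on slide 17. The bucket name and the "over-broad" comparison policy are constructed; `aws:MultiFactorAuthPresent` is a real IAM condition key.

```python
import json

# Constructed example: a customer managed policy for one S3 bucket.
# The bucket name is a placeholder, not a value from the slides.
BUCKET = "example-bucket"
MFA_CONDITION = {"Bool": {"aws:MultiFactorAuthPresent": "true"}}
MANAGED_POLICY_LIMIT = 5 * 1024  # the 5K managed-policy size quoted on slide 17


def build_policy(bucket):
    """Return a least-privilege policy document for one bucket.

    Every Allow statement names explicit actions and resources and
    requires the caller to have signed in with MFA."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "ListOnlyThisBucket",
                "Effect": "Allow",
                "Action": ["s3:ListBucket"],
                "Resource": "arn:aws:s3:::%s" % bucket,
                "Condition": MFA_CONDITION,
            },
            {
                "Sid": "ObjectsInThisBucket",
                "Effect": "Allow",
                "Action": ["s3:GetObject", "s3:PutObject"],
                "Resource": "arn:aws:s3:::%s/*" % bucket,
                "Condition": MFA_CONDITION,
            },
        ],
    }


def _as_list(value):
    # IAM accepts either a string or a list for Action and Resource
    return [value] if isinstance(value, str) else list(value or [])


def lint_policy(policy):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    size = len(json.dumps(policy, separators=(",", ":")))
    if size > MANAGED_POLICY_LIMIT:
        findings.append("policy is %d bytes, over the %d limit" % (size, MANAGED_POLICY_LIMIT))
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue  # a Deny statement cannot grant too much
        sid = stmt.get("Sid", "<no Sid>")
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        if any(a == "*" or a.endswith(":*") for a in actions):
            findings.append("%s: allows a wildcard action" % sid)
        if "*" in resources:
            findings.append("%s: applies to every resource" % sid)
        mfa = stmt.get("Condition", {}).get("Bool", {}).get("aws:MultiFactorAuthPresent")
        if str(mfa).lower() != "true":
            findings.append("%s: does not require MFA" % sid)
    return findings


# Constructed over-broad policy for comparison: full admin, no conditions
OVERBROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

if __name__ == "__main__":
    print(json.dumps(build_policy(BUCKET), indent=2))
    print("least-privilege findings:", lint_policy(build_policy(BUCKET)))
    print("over-broad findings:", lint_policy(OVERBROAD_POLICY))
```

Attach the generated document to a group rather than to individual users (slide 15), and run `lint_policy` in the pipeline that creates or updates managed policies so an over-broad version never reaches the account.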
18. Beyond IAM
Amazon Directory Services
AD Connector
Customer Identity Broker
AWS Directory Service
SEC307 A Progressive Journey Through AWS IAM Federation Options
- https://www.youtube.com/watch?v=-XARG9W2bGc
22. Introduction to AWS CloudTrail
(Diagram: you are making API calls on a growing set of AWS services around the world; CloudTrail is continuously recording those API calls into an Amazon S3 bucket, from which you can store/archive, troubleshoot, and monitor and alarm. Amazon Elastic Block Store (Amazon EBS) is shown as one of the recorded services.)
23. Use cases enabled by CloudTrail
• IT and security administrators can perform security analysis
• IT administrators and DevOps engineers can attribute changes on AWS resources to the identity, time and other critical details of who made the change
• DevOps engineers can troubleshoot operational issues
• IT auditors can use log files as a compliance aid
• See: Security at Scale: Logging in AWS White Paper
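Slides 22 and 23 describe what CloudTrail records and how the records attribute a change to an identity and a time, but show no record. The following is an added example, not code from the deck: it takes a constructed CloudTrail log file (a JSON object with a `Records` array, with only the fields the triage reads filled in), attributes every state-changing call to who made it, when and from where, and raises the findings a security administrator would look for first: use of the root account (slide 15), changes made without MFA, and calls that stop or alter the trail itself. The "read-only prefix" rule for deciding what counts as a change is a heuristic of this example, not a CloudTrail feature.

```python
import json

# Constructed sample in the shape of a CloudTrail log file (a JSON object with
# a "Records" array); only the fields the triage below reads are filled in.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2016-03-01T10:15:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "AttachUserPolicy", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "alice",
                      "sessionContext": {"attributes": {"mfaAuthenticated": "true"}}}},
    {"eventTime": "2016-03-01T10:16:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}},
    {"eventTime": "2016-03-01T11:02:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress", "sourceIPAddress": "203.0.113.9",
     "userIdentity": {"type": "Root"}},
    {"eventTime": "2016-03-01T11:05:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "sourceIPAddress": "203.0.113.9",
     "userIdentity": {"type": "IAMUser", "userName": "bob",
                      "sessionContext": {"attributes": {"mfaAuthenticated": "false"}}}},
]})

READ_ONLY_PREFIXES = ("Describe", "Get", "List")   # heuristic used by this example
TRAIL_TAMPERING = ("StopLogging", "DeleteTrail", "UpdateTrail")


def actor(record):
    """Who made the call: 'root', the IAM user name, or the identity ARN."""
    ident = record.get("userIdentity", {})
    if ident.get("type") == "Root":
        return "root"
    return ident.get("userName") or ident.get("arn", "unknown")


def mfa_used(record):
    # CloudTrail records MFA state under userIdentity.sessionContext.attributes
    attrs = record.get("userIdentity", {}).get("sessionContext", {}).get("attributes", {})
    return attrs.get("mfaAuthenticated") == "true"


def is_mutating(record):
    # Everything that is not a Describe/Get/List call is treated as a change
    return not record["eventName"].startswith(READ_ONLY_PREFIXES)


def changes_by_actor(log_text):
    """Attribute each state-changing call to identity, time, service, action and source IP."""
    rows = []
    for rec in json.loads(log_text)["Records"]:
        if is_mutating(rec):
            rows.append((rec["eventTime"], actor(rec), rec["eventSource"],
                         rec["eventName"], rec["sourceIPAddress"]))
    return sorted(rows)


def security_findings(log_text):
    """Flag root usage, changes made without MFA, and tampering with the trail."""
    findings = []
    for rec in json.loads(log_text)["Records"]:
        who, what, when = actor(rec), rec["eventName"], rec["eventTime"]
        if who == "root":
            findings.append("root account used for %s at %s" % (what, when))
        elif is_mutating(rec) and not mfa_used(rec):
            findings.append("%s changed state without MFA: %s at %s" % (who, what, when))
        if rec["eventSource"] == "cloudtrail.amazonaws.com" and what in TRAIL_TAMPERING:
            findings.append("%s altered CloudTrail logging: %s at %s" % (who, what, when))
    return findings


if __name__ == "__main__":
    for row in changes_by_actor(SAMPLE_LOG):
        print("%s  %-6s %-26s %-30s %s" % row)
    for finding in security_findings(SAMPLE_LOG):
        print("FINDING:", finding)
```

Real log files delivered to the S3 bucket are gzip-compressed; read them with `gzip.open` and pass the decoded text to the same functions. The `StopLogging` check is the one to alarm on first, because after it nothing else is recorded.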
24. AWS Config
• Get inventory of AWS resources
• Discover new and deleted resources
• Record configuration changes continuously
• Get notified when configurations change
27. AWS Config Rules
• Check configuration changes
  • Periodic
  • Event driven
• Rules
  • Pre-built rules provided by AWS
  • Custom rules using AWS Lambda
• Use dashboard for visualizing compliance and identifying offending changes

Compliance guideline                              Action if noncompliance
All EBS volumes should be encrypted               Encrypt volumes
Instances must be within a VPC                    Terminate instance
Instances must be tagged with environment type    Notify developer (email, page, Amazon SNS)
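Slide 27 lists "custom rules using AWS Lambda" and an "all EBS volumes should be encrypted" guideline but does not show how the two fit together. The block below is an added example, not code from the deck or from AWS: it implements the encryption guideline as an event-driven custom rule. The pure `evaluate_item` function turns a configuration item into the evaluation shape that the `PutEvaluations` API takes, so it can be tested offline, while `lambda_handler` is the entry point Config invokes (Config passes the changed item as a JSON string in `invokingEvent` together with a `resultToken`). The configuration items are constructed; the evaluation field names and the `put_evaluations` call are the real AWS Config API.

```python
import json

# Constructed configuration items in the shape AWS Config hands to a custom
# rule; only the fields this evaluation reads are included.
SAMPLE_ITEMS = [
    {"resourceType": "AWS::EC2::Volume", "resourceId": "vol-0aaaaaaa",
     "configurationItemCaptureTime": "2016-03-01T10:00:00.000Z",
     "configuration": {"encrypted": True}},
    {"resourceType": "AWS::EC2::Volume", "resourceId": "vol-0bbbbbbb",
     "configurationItemCaptureTime": "2016-03-01T10:00:00.000Z",
     "configuration": {"encrypted": False}},
    {"resourceType": "AWS::EC2::Instance", "resourceId": "i-0ccccccc",
     "configurationItemCaptureTime": "2016-03-01T10:00:00.000Z",
     "configuration": {}},
]


def evaluate_item(item):
    """Return one evaluation in the shape PutEvaluations expects."""
    if item["resourceType"] != "AWS::EC2::Volume":
        compliance, note = "NOT_APPLICABLE", "rule only evaluates EBS volumes"
    elif item.get("configuration", {}).get("encrypted") is True:
        compliance, note = "COMPLIANT", "volume is encrypted"
    else:
        compliance, note = "NON_COMPLIANT", "volume is not encrypted; encrypt it"
    return {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": compliance,
        "Annotation": note,
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }


def noncompliant_ids(items):
    """Resource IDs that need the 'Encrypt volumes' action from the slide's table."""
    return [e["ComplianceResourceId"] for e in map(evaluate_item, items)
            if e["ComplianceType"] == "NON_COMPLIANT"]


def lambda_handler(event, context):
    """Event-driven entry point: Config sends the changed item in invokingEvent
    (a JSON string) and a resultToken used to report the evaluation back."""
    invoking = json.loads(event["invokingEvent"])
    evaluation = evaluate_item(invoking["configurationItem"])
    import boto3  # imported here so evaluate_item stays usable without the SDK
    boto3.client("config").put_evaluations(
        Evaluations=[evaluation], ResultToken=event["resultToken"])
    return evaluation


if __name__ == "__main__":
    for item in SAMPLE_ITEMS:
        print(json.dumps(evaluate_item(item)))
    print("needs encryption:", noncompliant_ids(SAMPLE_ITEMS))
```

The Lambda function's execution role needs `config:PutEvaluations`; keep it to that one action so the rule itself follows the least-privilege practice from slide 15. The same `evaluate_item` can back a periodic rule by iterating over the volumes returned from the Config resource inventory.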
29. Amazon Inspector
• Vulnerability Assessment Service
• Built from the ground up to support DevOps model
• Automatable by using API actions
• AWS Context Aware
• Static and dynamic telemetry
• Integrated with CI/CD tools
• On-demand pricing model
• CVE and CIS rules packages
• AWS AppSec best practices
30. Rule packages
• CVE (common vulnerabilities and exposures)
• 1000+ rules evaluated
• CIS (Center for Internet Security Benchmarks)
• OS hardening
• Vulnerability
• Patch
• Inventory
• Compliance
• AWS Security best practices
• AppSec learnings
32. Dumping out the heavy hitter IP addresses
#!/usr/bin/python3
import boto3

# Get the CloudWatch Logs service client
logs = boto3.client('logs')

# Get the log groups
groups = logs.describe_log_groups()
for logGroup in groups['logGroups']:
    # Get the log streams for each log group
    logStreamsDesc = logs.describe_log_streams(logGroupName=logGroup['logGroupName'])
    for logStream in logStreamsDesc['logStreams']:
        events_resp = logs.get_log_events(logGroupName=logGroup['logGroupName'],
                                          logStreamName=logStream['logStreamName'])
        # Count log entries by the IP address found in field 4 of each message
        ip_dict = {}
        for event in events_resp['events']:
            ip = event['message'].split()[4]
            if ip in ip_dict:
                ip_dict[ip] = ip_dict[ip] + 1
            else:
                ip_dict[ip] = 1
        # Print the addresses, most frequent first
        for w in sorted(ip_dict, key=ip_dict.get, reverse=True):
            print('{0:15} {1:8d}'.format(w, ip_dict[w]))
        # Early exit: stop after the first log stream
        exit()
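The slide's script counts whatever sits at field index 4 of each message, so the result depends on the log format in the group. The block below is an added example, not code from the deck: it assumes the log group holds VPC Flow Logs in the default record format (where `srcaddr` is field 3 and `dstaddr` field 4), parses each message by field name, skips `NODATA`/`SKIPDATA` records whose address fields are `-`, and reports the heavy hitters either by record count (as the slide does) or weighted by bytes, plus the sources whose traffic was rejected. The messages are constructed; in practice they would come from the `message` field of each event returned by `get_log_events`.

```python
from collections import Counter

# Field order of the default VPC Flow Log record format.
FIELDS = ("version account-id interface-id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log-status").split()

# Constructed sample messages, as get_log_events would return them in each
# event's 'message' field (addresses are documentation ranges, not real hosts).
SAMPLE_MESSAGES = [
    "2 123456789012 eni-abc123de 203.0.113.12 172.31.16.21 49761 22 6 20 4249 1418530010 1418530070 ACCEPT OK",
    "2 123456789012 eni-abc123de 203.0.113.12 172.31.16.21 49762 22 6 10 1200 1418530010 1418530070 ACCEPT OK",
    "2 123456789012 eni-abc123de 198.51.100.5 172.31.16.21 40000 3389 6 3 180 1418530010 1418530070 REJECT OK",
    "2 123456789012 eni-abc123de 198.51.100.5 172.31.16.21 40001 3389 6 3 180 1418530010 1418530070 REJECT OK",
    "2 123456789012 eni-abc123de 172.31.16.21 203.0.113.12 22 49761 6 15 9000 1418530010 1418530070 ACCEPT OK",
    "2 123456789012 eni-abc123de - - - - - - - 1418530010 1418530070 - NODATA",
]


def parse_flow_record(message):
    """Map one message onto FIELDS; None for malformed or NODATA/SKIPDATA records."""
    parts = message.split()
    if len(parts) != len(FIELDS):
        return None
    record = dict(zip(FIELDS, parts))
    if record["log-status"] != "OK":
        return None  # no traffic captured; the address fields are '-'
    return record


def heavy_hitters(messages, field="srcaddr", weight=None, top=10):
    """Top addresses by record count, or by a numeric column such as 'bytes'."""
    counts = Counter()
    for message in messages:
        record = parse_flow_record(message)
        if record is None:
            continue
        counts[record[field]] += int(record[weight]) if weight else 1
    return counts.most_common(top)


def rejected_sources(messages):
    """Sources whose traffic the security group or network ACL rejected."""
    counts = Counter()
    for message in messages:
        record = parse_flow_record(message)
        if record and record["action"] == "REJECT":
            counts[record["srcaddr"]] += 1
    return counts


if __name__ == "__main__":
    print("by record count:")
    for ip, n in heavy_hitters(SAMPLE_MESSAGES):
        print("{0:15} {1:8d}".format(ip, n))
    print("by bytes sent:")
    for ip, n in heavy_hitters(SAMPLE_MESSAGES, weight="bytes"):
        print("{0:15} {1:8d}".format(ip, n))
    print("rejected:", dict(rejected_sources(SAMPLE_MESSAGES)))
```

Ranking by bytes rather than by record count changes which address comes out on top in the sample, which is why the parser keeps the numeric columns; the `REJECT` counter is the one to feed into the "monitor and alarm" path from slide 22.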