AWS provides security capabilities and services to provide control over your AWS resources, how they are accessed, who can access them, and what privileges they are allowed. Access Management, Identity management, change control, and auditing can all be achieved both at a macro and granular level. In this session we’ll explore services such as AWS Identity Access Management (IAM), AWS CloudTrail, Amazon Directory Service and Amazon Inspector, so that you understand how use them effectively to manage user privilege and access. We’ll also look at Amazon Virtual Private Cloud (VPC) and how to use it’s features to build security at the network access layer. After this session you should understand and be able to: Configure Users, Groups, and Roles to manage actions, Configure monitoring and logging to audit changes in your system, and Design your AWS network using VPC for security.

1. © 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Andrew Kiggins, Solutions Architect
April 19, 2016
Network Security and Access
Control within AWS

2. What to expect from the session
• Configure network security using VPC
• Configure users, groups and roles to manage
actions
• Configure monitoring and logging to audit
changes

3. Network security

4. Network security tools
• Amazon VPC
• Subnet
• Security groups
• Network ACLs
• Amazon CloudFront
• Amazon Route 53
• IP tables

5. VPC
VPC (BuildABeer-VPC-1)
security group (BuildABeer-SG-1)
HTTP GET Beer
TCP(6) Port(80)
NTP Buffer Overrun
UDP(17) Port(123)

6. Network ACL
VPC (BuildABeer-VPC-1)
security group (BuildABeer-SG-1)
HTTP GET Beer
TCP(6) Port(80)
HTTP GET Beer
TCP(6) Port(80)
srcIP=216.246.16.228

7. VPC (BuildABeer-VPC-1)
Obfuscate
Amazon
Route 53
CloudFront
Users
security group (BuildABeer-SG-1)
Public subnet
servers
Private subnet
ELB

8. FAIL

9. End run
VPC (BuildABeer-VPC-1)
Amazon
Route 53
CloudFront
security group (BuildABeer-SG-1)
Public subnet
servers
Private subnet
ELB load
balancer
www.foo.com
mail.foo.com
security group (BuildABeer-SG-1)
Public subnet
Mail servers
Private subnet
Elastic Load Balancing
load balancer
security group (BuildABeer-SG-2)
Public subnet
Web servers
Private subnet
ELB load balancer
mail.foo.com
www.foo.com

10. Hide ’n’ go seek
~>nslookup www.buildabeer.com
Server: 10.43.23.72
Address: 10.43.23.72#53
Non-authoritative answer:
www.buildabeer.us canonical name = d3u9qbug2y23to.cloudfront.net.
Name: d3u9qbug2y23to.cloudfront.net
Address: 52.84.20.173
<snip>
Name: d3u9qbug2y23to.cloudfront.net
Address: 52.84.20.85
~>nslookup ftp.buildabeer.com
Server: 10.43.23.72
Address: 10.43.23.72#53
Non-authoritative answer:
ftp.buildabeer canonical name = bab-elb-1-916251722.us-west-2.elb.amazonaws.com.
Name: bab-elb-1-916251722.us-west-2.elb.amazonaws.com
Address: 54.148.117.41
<snip>

11. Layers of defense
VPC (BuildABeer-VPC-1)
users
security group (BuildABeer-SG-1)
Private subnet
Web
servers
Private subnet
ELBSecurity services
(IPS/IDS, WAF,
Firewall)
Public subnet

12. Access denied

13. Access points to AWS
AWS Command Line Interface API AWS Management Console
~>aws ec2 describe-instances
{
"Reservations": [
{
"Groups": [],
"Instances": [
{
"KeyName": "kiggins-bab-ec1-t2micro-keypair_0217",
"VirtualizationType": "hvm",
"AmiLaunchIndex": 0,
"SourceDestCheck": true,
"PublicIpAddress": "52.37.47.60",
"Architecture": "x86_64",
"RootDeviceType": "ebs",
#!/usr/bin/python3
import boto3
# Get the service resource
ec2 = boto3.resource('ec2')
# Print out each ec2 instance
for instance in ec2.instances.all():
print(instance)

14. Who can access resources
• Accounts
• Users
• AWS Identity and Access
Management (IAM) Users
• Federated users
• Groups
• Roles
• Services
IAM role
IAM users
IAM groups
Amazon EC2
Federated user

15. Restricted access best practices
• Do not use the root account
• Create an administrative account
• Enable MFA
• Enforce strong passwords
• Use groups to assign permissions
• Use cross account access for secure logging

16. Managing your policies
• IAM policies
• Managed policies
• Inline policies
• Resource-based policies

17. IAM policies
• Managed policies (newer way)
• Can be attached to multiple users, groups, and roles
• AWS managed policies: Created and maintained by AWS
• Customer managed policies: Created and maintained by you
• Up to 5K per policy
• Up to 5 versions of a policy so you can roll back to a prior version
• You can attach 10 managed policies per user, group, or role
• You can limit who can attach which managed policies
• Inline policies (older way)
• You create and embed directly in a single user, group, or role
• Variable policy size (2K per user, 5K per group, 10K per role)

18. Beyond IAM
Amazon Directory Services
AD Connector
Customer Identity Broker
AWS Directory
Service
SEC307 A Progressive Journey Through AWS IAM Federation Options
- https://www.youtube.com/watch?v=-XARG9W2bGc

19. Configuring logging and
monitoring

20. Services
• AWS CloudTrail
• AWS Config
• Amazon Inspector
• VPC Flow Logs

21. AWS CloudTrail
us-east-2

22. Introduction to AWS CloudTrail
Store/
archive
Troubleshoot
Monitor and alarm
You are
making API
calls...
On a growing
set of AWS
services around
the world..
CloudTrail is
continuously
recording
API calls
Amazon Elastic
Block Store
(Amazon EBS)
Amazon S3
bucket

23. Use cases enabled by CloudTrail
• IT and security administrators can perform security
analysis
• IT administrators and DevOps engineers can attribute
changes on AWS resources to the identity, time and
other critical details of who made the change
• DevOps engineers can troubleshoot operational issues
• IT auditors can use log files as a compliance aid
• See: Security at Scale: Logging in AWS White Paper

24. AWS Config
• Get inventory of AWS resources
• Discover new and deleted resources
• Record configuration changes continuously
• Get notified when configurations change

25. AWS Config

26. AWS Config

27. • Check configuration changes
• Periodic
• Event driven
• Rules
• Pre-built rules provided by AWS
• Custom rules using AWS Lambda
• Use dashboard for visualizing compliance and
identifying offending changes
Compliance guideline Action if noncompliance
All EBS volumes should be encrypted Encrypt volumes
Instances must be within a VPC Terminate instance
Instances must be tagged with
environment type
Notify developer (email, page,
Amazon SNS)
AWS Config Rules

28. AWS Config Rules
(Example—instances must be tagged with a data classification)

29. Amazon Inspector
• Vulnerability Assessment Service
• Built from the ground up to support DevOps model
• Automatable by using API actions
• AWS Context Aware
• Static and dynamic telemetry
• Integrated with CI/CD tools
• On-demand pricing model
• CVE and CIS rules packages
• AWS AppSec best practices

30. Rule packages
• CVE (common vulnerabilities and exposures)
• 1000+ rules evaluated
• CIS (Center for Internet Security Benchmarks)
• OS hardening
• Vulnerability
• Patch
• Inventory
• Compliance
• AWS Security best practices
• AppSec learnings

31. VPC Flow Logs

32. Dumping out the heavy hitter IP addresses
#!/usr/bin/python3
import boto3
# Get the service resource
logs = boto3.client(’logs’)
# Get the log groups
groups = logs.describe_log_groups()
for logGroup in groups[’logGroups’] :
# Get the LogStream for each logGroup
logStreamsDesc = logs.describe_log_streams(logGroupName=logGroup[’logGroupName’])
for logStream in logStreamsDesc[’logStreams’]:
events_resp = logs.get_log_events(logGroupName=logGroup[’logGroupName’], logStreamName=logStream[’logStreamName’])
# Store each log entry by the src IP address
ip_dict = {}
for event in events_resp[’events’] :
ip = event[cd ’message’].split()[4]
if ip in ip_dict:
ip_dict[ip] = ip_dict[ip] + 1
else :
ip_dict[ip] = 1
for w in sorted(ip_dict, key=ip_dict.get, reverse=True):
print (’{0:15} {1:8d}’.format(w, ip_dict[w]))
#Early exit
exit()

33. Partners

34. Thank you!
aws.amazon.com/security
aws.amazon.com/compliance

35. Remember to complete
your evaluations!
Remember to complete
your evaluations!