AWS provides security capabilities and services that give you control over your AWS resources: how they are accessed, who can access them, and what privileges those principals are allowed. Access management, identity management, change control, and auditing can all be achieved at both a macro and a granular level. In this session we'll explore services such as AWS Identity and Access Management (IAM), AWS CloudTrail, AWS Directory Service and Amazon Inspector, so that you understand how to use them effectively to manage user privilege and access. We'll also look at Amazon Virtual Private Cloud (VPC) and how to use its features to build security at the network access layer. After this session you should understand and be able to: configure users, groups, and roles to manage actions; configure monitoring and logging to audit changes in your system; and design your AWS network using VPC for security.
2. What to expect from the session
• Configure network security using VPC
• Customer – Irdeto – PCI Compliant Architecture
• Configure users, groups and roles to manage actions
• Configure monitoring and logging to audit changes
5. Virtual Private Cloud Security Layers
[Diagram: one VPC spanning Availability Zone A and Availability Zone B. Each zone holds a subnet (10.0.0.0/24 and 10.0.1.0/24) with its own routing table and network ACL; instances inside the subnets carry security groups. A router connects the subnets to a Virtual Private Gateway and an Internet Gateway.]
• Security groups: lock down at the instance level (stateful; return traffic for an allowed connection is permitted automatically)
• Subnets: isolate network functions
• Network ACLs: lock down at the network (subnet) level (stateless; inbound and outbound rules are evaluated independently)
• Routing tables: route restrictively
13. Access Control: Restricting Origin Access
Amazon S3 origin: Origin Access Identity (OAI)
• Prevents direct access to your Amazon S3 bucket: the bucket policy grants read access only to the OAI, so objects can only be fetched through CloudFront
• Ensures performance benefits to all customers
Custom origin: block by IP address and/or require a pre-shared secret header
• Whitelist only CloudFront (the published CloudFront address ranges, or a header value that only your distribution adds to origin requests)
• Protects origin from overload
• Ensures performance benefits to all customers
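The two custom-origin controls above, implemented on the origin side, as an added example that is not code from the original slides. It assumes a custom origin header named X-Origin-Verify configured on the distribution and a matching secret held by the origin; the address ranges are a constructed sample, not the real CloudFront prefixes (those are the CLOUDFRONT-tagged entries in https://ip-ranges.amazonaws.com/ip-ranges.json and change over time).

```python
import hmac
import ipaddress

# Assumptions (not from the slides): the distribution adds a custom origin header
# named X-Origin-Verify, and the origin holds the same value as ORIGIN_SECRET
# (in practice loaded from configuration, never hard-coded). The ranges below are
# a constructed sample standing in for the published CloudFront prefixes.
CLOUDFRONT_RANGES = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.0/25")]
ORIGIN_SECRET = b"replace-with-a-long-random-value"


def from_cloudfront(remote_addr):
    """IP allowlist: is the TCP peer inside one of the CloudFront ranges?
    Use the real peer address, never X-Forwarded-For, which a client can forge."""
    addr = ipaddress.ip_address(remote_addr)
    return any(addr in net for net in CLOUDFRONT_RANGES)


def header_ok(headers, secret=ORIGIN_SECRET):
    """Pre-shared secret header, compared in constant time so a byte-by-byte
    timing difference cannot be used to recover the value."""
    presented = headers.get("X-Origin-Verify", "").encode()
    return hmac.compare_digest(presented, secret)


def allow_request(remote_addr, headers):
    """Origin-side gate. Either check alone keeps direct hits out; requiring both
    means a leaked header value is still useless from outside CloudFront."""
    return from_cloudfront(remote_addr) and header_ok(headers)
```

Call allow_request() with the connection's peer address and request headers before serving anything; a False result should get a 403, and the IP list needs refreshing whenever the published ranges change.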
35. Access points to AWS - API
#!/usr/bin/python3
import boto3
# Get the service resource
ec2 = boto3.resource('ec2')
# Print out each ec2 instance
for instance in ec2.instances.all():
print(instance)
37. Who can access resources
• Accounts
• Users
  • AWS Identity and Access Management (IAM) users
  • Federated users
• Groups
• Roles
• Services (for example, an Amazon EC2 instance assuming an IAM role)
[Diagram: IAM role, IAM users, IAM groups, Amazon EC2, federated user]
38. Restricted access best practices
• Do not use the root account for day-to-day work; protect it with MFA and do not create access keys for it
• Create an administrative IAM user (or role) for administration instead
• Enable MFA for users
• Enforce strong passwords with an account password policy
• Use groups to assign permissions rather than attaching policies to individual users
• Use cross-account access for secure logging (deliver logs to a bucket in a separate, tightly controlled account so a compromise of the source account cannot erase them)
39. IAM policies
• Managed policies (newer way)
  • Can be attached to multiple users, groups, and roles
  • AWS managed policies: created and maintained by AWS
  • Customer managed policies: created and maintained by you
  • Up to about 5 KB of policy document per policy
  • Up to 5 versions of a policy, so you can roll back to a prior version
• Inline policies (older way)
  • You create and embed them directly in a single user, group, or role; they live and die with that principal
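How the policies from slides 38 and 39 combine at request time, as an added example that is not code from the original slides. It models the identity-based evaluation order (explicit Deny wins, then any Allow, otherwise implicit deny) over a constructed customer managed policy attached to a group plus an inline policy that denies everything unless the caller authenticated with MFA; only Action/Resource statements and the Bool/BoolIfExists condition operators are handled.

```python
import re

# Constructed sample policies (not from the slides): a customer managed policy
# attached to a group, plus an inline policy that denies everything unless the
# request carries the aws:MultiFactorAuthPresent context key set to true.
GROUP_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::app-logs", "arn:aws:s3:::app-logs/*"]},
        {"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"},
    ],
}
INLINE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Deny", "Action": "*", "Resource": "*",
         "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}},
    ],
}


def glob_match(pattern, value, case_sensitive=True):
    """IAM-style wildcard: * matches any run of characters, ? exactly one."""
    regex = "^" + "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                          for c in pattern) + "$"
    return re.match(regex, value, 0 if case_sensitive else re.IGNORECASE) is not None


def any_match(patterns, value, case_sensitive=True):
    if isinstance(patterns, str):
        patterns = [patterns]
    return any(glob_match(p, value, case_sensitive) for p in patterns)


def condition_holds(condition, context):
    """Only Bool and BoolIfExists are modelled. With ...IfExists a context key
    that is absent makes the test pass (this is why the MFA deny above also
    blocks long-term access keys, which never carry the MFA key); without
    IfExists an absent key makes the test fail."""
    for operator, pairs in condition.items():
        if_exists = operator.endswith("IfExists")
        if operator.replace("IfExists", "") != "Bool":
            raise NotImplementedError(operator)
        for key, expected in pairs.items():
            if key not in context:
                if if_exists:
                    continue
                return False
            if str(context[key]).lower() != str(expected).lower():
                return False
    return True


def evaluate(policies, action, resource, context=None):
    """Identity-based evaluation: an explicit Deny in any attached policy wins,
    otherwise a matching Allow grants, otherwise the request is implicitly
    denied. NotAction/NotResource and resource-based policies are not handled."""
    context = context or {}
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if not any_match(stmt["Action"], action, case_sensitive=False):
                continue  # action names are case-insensitive
            if not any_match(stmt["Resource"], resource):
                continue  # ARNs are case-sensitive
            if "Condition" in stmt and not condition_holds(stmt["Condition"], context):
                continue
            if stmt["Effect"] == "Deny":
                return "deny"
            allowed = True
    return "allow" if allowed else "deny"
```

The inline Deny uses BoolIfExists on purpose: with plain Bool, a request made with long-term access keys (no MFA key in the context at all) would slip past the deny, which is the opposite of what "enforce MFA" intends.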
43. Introduction to AWS CloudTrail
[Diagram: you are making API calls on AWS services around the world (for example Amazon Elastic Block Store (Amazon EBS)); CloudTrail is continuously recording those API calls and delivering the log files to an Amazon S3 bucket.]
Once the logs are in Amazon S3 you can:
• Store/archive
• Troubleshoot
• Monitor and alarm
44. AWS CloudTrail
Record CloudFront API call history for:
• Security analysis
• Resource change tracking
• Compliance auditing
[Diagram: CloudFront distribution updates are recorded by CloudTrail, which feeds a CloudWatch alarm.]
45. AWS Config
• Get inventory of AWS resources
• Discover new and deleted resources
• Record configuration changes continuously
• Get notified when configurations change
47. AWS Config Rules
• Check configuration changes
  • Periodic
  • Event driven
• Rules
  • Pre-built rules provided by AWS
  • Custom rules using AWS Lambda
• Use the dashboard for visualizing compliance and identifying offending changes

Compliance guideline                            | Action if noncompliant
All EBS volumes should be encrypted             | Encrypt volumes
Instances must be within a VPC                  | Terminate instance
Instances must be tagged with environment type  | Notify developer (email, page, Amazon SNS)
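A custom rule implementing the three guidelines in the table above as an AWS Lambda function, as an added example that is not code from the original slides. The configuration items are constructed to match the shape AWS Config passes in (invokingEvent and ruleParameters arrive as JSON strings); the rule parameter name environmentTag and its default Environment are assumptions. Run offline the handler just returns the evaluation; when invoked with a real resultToken it reports it with put_evaluations.

```python
import json


def config_item(resource_type, resource_id, configuration, tags=None, status="OK"):
    """Constructed configurationItem (not real data) in the shape AWS Config
    records: the resource's own attributes live under "configuration", its
    tags under "tags"."""
    return {"resourceType": resource_type, "resourceId": resource_id,
            "configuration": configuration, "tags": tags or {},
            "configurationItemStatus": status,
            "configurationItemCaptureTime": "2016-03-01T12:00:00.000Z"}


def make_event(item, rule_parameters=None, result_token=None):
    """Wrap an item the way AWS Config invokes the function: invokingEvent and
    ruleParameters are JSON strings, not objects."""
    event = {"invokingEvent": json.dumps({"configurationItem": item,
                                          "messageType": "ConfigurationItemChangeNotification"}),
             "ruleParameters": json.dumps(rule_parameters or {})}
    if result_token:
        event["resultToken"] = result_token
    return event


def evaluate_compliance(item, params):
    """Apply the three guidelines from the table to one resource."""
    rtype = item["resourceType"]
    conf = item.get("configuration") or {}
    if rtype == "AWS::EC2::Volume":
        if conf.get("encrypted"):
            return "COMPLIANT", ""
        return "NON_COMPLIANT", "EBS volume is not encrypted"
    if rtype == "AWS::EC2::Instance":
        if not conf.get("vpcId"):
            return "NON_COMPLIANT", "instance is not in a VPC"
        tag = params.get("environmentTag", "Environment")  # assumed parameter name
        if not item.get("tags", {}).get(tag):
            return "NON_COMPLIANT", "instance lacks the %s tag" % tag
        return "COMPLIANT", ""
    return "NOT_APPLICABLE", ""


def lambda_handler(event, context):
    invoking = json.loads(event["invokingEvent"])
    params = json.loads(event.get("ruleParameters") or "{}")
    item = invoking["configurationItem"]
    # A deleted resource has no configuration to judge; report it as out of scope
    # rather than leaving a stale NON_COMPLIANT result behind.
    if item.get("configurationItemStatus") in ("ResourceDeleted", "ResourceDeletedNotRecorded"):
        compliance, note = "NOT_APPLICABLE", "resource deleted"
    else:
        compliance, note = evaluate_compliance(item, params)
    evaluation = {"ComplianceResourceType": item["resourceType"],
                  "ComplianceResourceId": item["resourceId"],
                  "ComplianceType": compliance,
                  "OrderingTimestamp": item["configurationItemCaptureTime"]}
    if note:
        evaluation["Annotation"] = note[:256]  # Annotation is optional, max 256 chars
    # Invoked by AWS Config, report the result; run offline (no token) return it so
    # the logic can be unit tested without AWS credentials.
    token = event.get("resultToken")
    if token and token != "TESTMODE":
        import boto3
        boto3.client("config").put_evaluations(Evaluations=[evaluation], ResultToken=token)
    return evaluation
```

The remediation column of the table (encrypt, terminate, notify) is deliberately not in the rule: a rule's Lambda role should only need config:PutEvaluations plus read access to the resource, and the response belongs in a separate function subscribed to the compliance-change notification.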
49. Amazon Inspector
• Vulnerability Assessment Service
• Automatable by using API actions
• AWS Context Aware
• Static and dynamic telemetry
• Integrated with CI/CD tools
• CVE and CIS rules packages
• AWS AppSec best practices
50. VPC Flow Logs: See all your traffic
• Visibility into the effects of security group rules
• Troubleshooting network connectivity
• Ability to analyze traffic
51. Dumping out the heavy hitter IP addresses
#!/usr/bin/python3
import boto3

# Get the CloudWatch Logs client (flow logs are delivered to CloudWatch Logs)
logs = boto3.client('logs')
# Get the log groups
groups = logs.describe_log_groups()
for logGroup in groups['logGroups']:
    # Get the log streams (one per network interface) for each log group
    logStreamsDesc = logs.describe_log_streams(logGroupName=logGroup['logGroupName'])
    for logStream in logStreamsDesc['logStreams']:
        # Only the first page of events is fetched; follow nextForwardToken for more
        events_resp = logs.get_log_events(logGroupName=logGroup['logGroupName'],
                                          logStreamName=logStream['logStreamName'])
        # Count log entries by source IP address. A flow log record reads
        # "version account-id interface-id srcaddr dstaddr srcport dstport ...",
        # so srcaddr is field 3 (field 4 would be the destination address)
        ip_dict = {}
        for event in events_resp['events']:
            ip = event['message'].split()[3]
            ip_dict[ip] = ip_dict.get(ip, 0) + 1
        for w in sorted(ip_dict, key=ip_dict.get, reverse=True):
            print('{0:15} {1:8d}'.format(w, ip_dict[w]))
        # Early exit: this demo summarizes only the first stream of the first group
        exit()
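The analysis side of slides 50 and 51 without a CloudWatch Logs connection, as an added example that is not code from the original slides. It parses constructed flow log records in the default field order, ranks sources by bytes (the heavy hitters of slide 51) and, going one step further than the slides, spots an external source whose connections are being REJECTed on many distinct ports on one host, which is what a port scan bouncing off a security group looks like in flow logs.

```python
import ipaddress
from collections import defaultdict

# Constructed flow log records (not captured from a real VPC) in the default
# format: version account-id interface-id srcaddr dstaddr srcport dstport
# protocol packets bytes start end action log-status
SAMPLE_RECORDS = """\
2 123456789010 eni-abc123de 203.0.113.12 10.0.0.5 44321 22 6 6 360 1458000000 1458000060 REJECT OK
2 123456789010 eni-abc123de 203.0.113.12 10.0.0.5 44322 23 6 2 120 1458000001 1458000060 REJECT OK
2 123456789010 eni-abc123de 203.0.113.12 10.0.0.5 44323 80 6 4 240 1458000002 1458000060 ACCEPT OK
2 123456789010 eni-abc123de 203.0.113.12 10.0.0.5 44324 443 6 3 180 1458000003 1458000060 REJECT OK
2 123456789010 eni-abc123de 203.0.113.12 10.0.0.5 44325 3389 6 1 60 1458000004 1458000060 REJECT OK
2 123456789010 eni-abc123de 203.0.113.12 10.0.0.5 44326 8080 6 1 60 1458000005 1458000060 REJECT OK
2 123456789010 eni-abc123de 10.0.1.20 10.0.0.5 51000 443 6 20 12000 1458000010 1458000070 ACCEPT OK
2 123456789010 eni-abc123de 10.0.1.20 10.0.0.5 51001 443 6 25 15000 1458000011 1458000070 ACCEPT OK
2 123456789010 eni-abc123de - - - - - - - 1458000012 1458000070 - NODATA
"""

FIELDS = ["version", "account_id", "interface_id", "srcaddr", "dstaddr", "srcport",
          "dstport", "protocol", "packets", "bytes", "start", "end", "action", "log_status"]


def parse(records):
    """Yield one dict per usable record; NODATA/SKIPDATA rows carry no addresses."""
    for line in records.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":
            continue
        yield rec


def bytes_by_source(records):
    """Heavy hitters: total bytes per source address, largest first."""
    totals = defaultdict(int)
    for rec in parse(records):
        totals[rec["srcaddr"]] += int(rec["bytes"])
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)


def find_scanners(records, min_ports=5, internal=ipaddress.ip_network("10.0.0.0/16")):
    """Return {(srcaddr, dstaddr): sorted REJECTed destination ports} for sources
    outside `internal` that were refused on at least min_ports distinct ports of
    one host. The internal range is an assumption matching the sample VPC."""
    rejected = defaultdict(set)
    for rec in parse(records):
        if rec["action"] != "REJECT":
            continue
        if ipaddress.ip_address(rec["srcaddr"]) in internal:
            continue
        rejected[(rec["srcaddr"], rec["dstaddr"])].add(int(rec["dstport"]))
    return {pair: sorted(ports) for pair, ports in rejected.items() if len(ports) >= min_ports}


if __name__ == "__main__":
    for src, total in bytes_by_source(SAMPLE_RECORDS):
        print("{0:15} {1:8d}".format(src, total))
    for (src, dst), ports in find_scanners(SAMPLE_RECORDS).items():
        print("possible scan of %s from %s on ports %s" % (dst, src, ports))
```

Two caveats when reading the result: REJECT means a security group or network ACL dropped the packets, so a scan against ports the security group allows but nothing listens on shows up as ACCEPT with a few packets each and needs a different query, and the byte ranking counts the whole capture window, so a single large transfer can outrank a sustained probe.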