The cloud enables users to run workloads more securely than they could in a traditional data center. However, customers are still not sure how to harden their AWS accounts and resources in order to enforce compliance. Consistency around governance can also be a concern when large customers have multiple accounts. In this session, we show you how to use automation, tools, and techniques to harden and audit your AWS account as well as how to leverage AWS Organizations to ensure compliance in your enterprise.
6. Shared responsibility model (diagram, one version each for infrastructure services, container services and abstract services)
Managed by Amazon Web Services: AWS global infrastructure (Regions, Availability Zones, Edge Locations); foundation services (Compute, Storage, Databases, Networking); AWS IAM; AWS endpoints.
Managed by AWS customers: customer data; platform & application management; operating system, network & firewall configuration; customer IAM; client-side data encryption & data integrity authentication; server-side encryption (file system and/or data); network traffic protection (encryption / integrity / identity).
Optional – opaque data: 0s & 1s (in transit / at rest).
The three versions differ in where the boundary sits: in one, network traffic protection (protection of data in transit) and server-side encryption (protection of data at rest) are provided by the platform; in another, firewall configuration is split out from operating system and network configuration.
7. Set a standard to follow
Map your infrastructure against control frameworks:
1. NIST
2. PCI
3. CIS Benchmark
4. CJIS
5. HIPAA
8. CIS example
Example: OSS validation for CIS AWS Foundation Framework
$ git clone https://github.com/awslabs/aws-security-benchmark.git
$ cd aws-security-benchmark/aws_cis_foundation_framework
$ python aws-cis-foundation-benchmark-checklist.py
12. Or maybe just this
{"Failed":["1.3", "1.4", "1.5", "1.6", "1.7", "1.8", "1.9", "1.10", "1.11", "1.14", "1.16",
"1.22", "1.23", "2.2", "2.4", "2.5", "2.6", "2.6", "2.8", "3.1", "3.2", "3.3", "3.4", "3.5",
"3.6", "3.7", "3.8", "3.9", "3.10", "3.11", "3.12", "etc"]}
Tailor the output to the consumer of the data and to any post-processing of the result.
13. Goals
Supplement active security events with automation
• Automation doesn’t sleep, eat, or need coffee in the morning
Prevent bad configurations before they are implemented
Autocorrect / remediate violations where possible
Daily / instant benchmark validation of infrastructure
• Validate against industry frameworks
• Extend to remediation
14. OSS code to learn from
git-secrets – Prevents you from committing passwords and other sensitive information to a git repository
aws-security-benchmark – Benchmark scripts mapped against trusted security frameworks
aws-config-rules – [Node, Python, Java] Repository of sample custom rules for AWS Config
Netflix/security_monkey – Monitors policy changes and alerts on insecure configurations in an AWS account
Netflix/edda – Edda is a service to track changes in your cloud deployments
ThreatResponse – Open Source Security Suite for hardening and responding in AWS
CloudSploit – Capturing things like open security groups, misconfigured VPCs, and more
Stelligent/Cfn_nag – Looks for patterns in CloudFormation templates that may indicate insecure infrastructure
Capitalone/cloud-custodian – Rules engine for AWS fleet management
17. Amazon EC2 Systems Manager
Run Command State Manager Inventory Maintenance Window
Patch Manager Automation Parameter Store Documents
32. VPC Flow Logs
• Agentless
• Enable per ENI, per subnet, or per VPC
• Logged to Amazon CloudWatch Logs
• Create CloudWatch metrics from log data
• Alarm on those metrics
Each flow log record captures: AWS account, interface, source IP, destination IP, source port, destination port, protocol, packets, bytes, start/end time, and accept or reject.
33. VPC Flow Logs: Automation (diagram)
Flow Logs from the Elastic Network Interface in the private subnet are delivered to a CloudWatch Logs group. A metric filter on all SSH REJECT records feeds a CloudWatch alarm ("If SSH REJECT > 10, then…"), which publishes to Amazon SNS; AWS Lambda and a compliance app act on the notification using the offending source IP.
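Added example (not from the deck or any AWS tool): the SSH REJECT metric filter and alarm logic of the diagram above, run offline in Python over a few constructed flow log records in the default flow log field order. The field names, the threshold of 10 and the sample addresses are assumptions.

```python
"""Detect noisy SSH rejects in VPC Flow Log records (added example, not from the deck).
Re-implements the metric-filter-plus-alarm logic of the "If SSH REJECT > 10" diagram
offline, over constructed records in the default flow log format:
version account-id interface-id srcaddr dstaddr srcport dstport protocol packets bytes start end action log-status
"""
from collections import Counter

THRESHOLD = 10  # the deck's alarm threshold: alert once SSH REJECT count exceeds 10
FIELDS = ("version", "account", "eni", "srcaddr", "dstaddr", "srcport", "dstport",
          "protocol", "packets", "bytes", "start", "end", "action", "status")

def parse_record(line):
    """Split one default-format line into named fields; drop NODATA/SKIPDATA rows."""
    parts = line.split()
    if len(parts) != len(FIELDS) or parts[0] != "2":
        return None
    rec = dict(zip(FIELDS, parts))
    return rec if rec["status"] == "OK" else None

def is_ssh_reject(rec):
    """The metric filter: TCP (protocol 6) to port 22 that the SG/NACL rejected."""
    return rec["protocol"] == "6" and rec["dstport"] == "22" and rec["action"] == "REJECT"

def ssh_reject_counts(lines):
    """Count SSH REJECT records per source IP (the dimension the diagram alarms on)."""
    counts = Counter()
    for line in lines:
        rec = parse_record(line)
        if rec and is_ssh_reject(rec):
            counts[rec["srcaddr"]] += 1
    return counts

def offenders(lines, threshold=THRESHOLD):
    """Source IPs whose SSH REJECT count exceeds the threshold, most active first."""
    return [ip for ip, n in ssh_reject_counts(lines).most_common() if n > threshold]

# Constructed sample (documentation-range addresses): 12 rejected SSH attempts from
# 198.51.100.7, 2 from 203.0.113.9, one accepted internal SSH session, one NODATA row.
ENI = "2 123456789012 eni-0a1b2c3d"
SAMPLE_LOG = (
    [f"{ENI} 198.51.100.7 10.1.2.15 {40000 + i} 22 6 1 44 1700000000 1700000060 REJECT OK"
     for i in range(12)]
    + [f"{ENI} 203.0.113.9 10.1.2.15 51000 22 6 1 44 1700000000 1700000060 REJECT OK"] * 2
    + [f"{ENI} 10.1.0.5 10.1.2.15 52000 22 6 20 3200 1700000000 1700000060 ACCEPT OK",
       f"{ENI} - - - - - - - 1700000000 1700000060 - NODATA"]
)

if __name__ == "__main__":
    print(offenders(SAMPLE_LOG))  # ['198.51.100.7']
```

In CloudWatch the same filter pattern becomes a metric and the threshold an alarm; this script is the offline equivalent for testing the logic against captured records.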
41. Internal application to VPC (diagram)
An intranet app runs in private subnets in Availability Zone A and Availability Zone B of an AWS Region. Internal customers on the customer network reach it over a VPN connection terminating on a Virtual Private Gateway.
Private route table:
Destination    Target
10.1.0.0/16    Local
Corp CIDR      VGW
42. You really don’t want to do this (diagram)
The same VPC as above (intranet app in private subnets in Availability Zones A and B, VPN connection via the Virtual Private Gateway to the customer network), but traffic to Amazon S3 is hairpinned over the customer VPN to the customer border router and out to the Internet.
43. So do this instead (diagram)
The same VPC reaches Amazon S3 through a VPC Endpoint, with the VPN connection to the customer network unchanged.
VPC Endpoints
• No IGW
• No NAT
• No public IPs
• Free
• Robust access control
45. AWS PrivateLink
Share AWS, customer and partner services privately between VPCs and on-premises networks. Secure. Scalable. Reliable.
Diagram: a service VPC exposes a service behind a Network Load Balancer; Client VPC 1, Client VPC 2 and Client VPC 3 each reach it through their own VPC Endpoint, and on-premises resources reach it over AWS Direct Connect.
47. AWS Config Rules
• Set up rules to check configuration changes recorded
• Use pre-built rules provided by AWS
• Author custom rules using AWS Lambda
• Invoked automatically for continuous assessment
• Use dashboard for visualizing compliance and identifying offending changes
52. AWS CloudTrail
Web service that records AWS API calls for your account and delivers logs
Who?    When?    What?                      Where to?    Where from?
Bill    3:27pm   Launch Instance            us-west-2    72.21.198.64
Alice   8:19am   Added Bob to admin group   us-east-1    127.0.0.1
Steve   2:22pm   Deleted DynamoDB table     eu-west-1    205.251.233.176
55. Query CloudTrail data for the target user or role with Athena:
-- One row per distinct (user, service, API) combination the target invoked
SELECT useridentity.sessioncontext.sessionIssuer.userName AS uid,
       eventsource,
       eventname
FROM cloudtrail_logs
WHERE useridentity.sessioncontext.sessionIssuer.userName = 'target-name'
GROUP BY useridentity.sessioncontext.sessionIssuer.userName, eventsource, eventname
64. Amazon Inspector
• Vulnerability Assessment Service
• Built from the ground up to support DevSecOps
• Automatable via APIs
• Integrates with CI/CD tools
• On-Demand Pricing model
• Static & Dynamic Rules Packages
• Generates Findings
76. OCP supported in Service Control Policies (SCPs)
• Enables you to control which AWS service APIs are accessible
- Define the list of APIs that are allowed – whitelisting
- Define the list of APIs that must be blocked – blacklisting
• Cannot be overridden by a local administrator
• The resultant permission on an IAM user/role is the intersection of the SCP and the assigned IAM permissions
• Must be used in conjunction with IAM policy
• The IAM policy simulator is SCP aware
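Added example (not from the deck or AWS): a small Python evaluator for the intersection rule above, showing that an API denied by the SCP stays denied even for a local administrator whose IAM policy allows it. Only Effect and Action are modelled (no Resource or Condition); the two policies are constructed samples.

```python
"""Effective permission under an SCP (added example, not from the deck).
Models the rule that the resultant permission of an IAM user/role is the INTERSECTION
of the Service Control Policy and the assigned IAM permissions: an action passes only
if both allow it, and an explicit Deny in either wins. Only Effect/Action are evaluated.
"""
from fnmatch import fnmatchcase

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _action_matches(pattern, action):
    """IAM action patterns are case-insensitive and use '*' wildcards, e.g. 'ec2:Describe*'."""
    return fnmatchcase(action.lower(), pattern.lower())

def policy_allows(policy, action):
    """Allow iff some Allow statement matches and no Deny statement matches (implicit deny otherwise)."""
    allowed = denied = False
    for stmt in _as_list(policy["Statement"]):
        if any(_action_matches(p, action) for p in _as_list(stmt["Action"])):
            if stmt["Effect"] == "Deny":
                denied = True
            elif stmt["Effect"] == "Allow":
                allowed = True
    return allowed and not denied

def effective_allow(scp, iam_policy, action):
    """The intersection: the SCP must allow the API AND the IAM policy must allow it."""
    return policy_allows(scp, action) and policy_allows(iam_policy, action)

# Constructed sample: a blacklisting SCP that keeps CloudTrail logging from being turned
# off (the deck's "cannot be overridden by a local administrator"), plus a broad IAM policy.
SCP_PROTECT_CLOUDTRAIL = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "*"},
        {"Effect": "Deny", "Action": ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail"]},
    ],
}
LOCAL_ADMIN_IAM = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["cloudtrail:*", "ec2:Describe*"]}],
}

if __name__ == "__main__":
    for api in ("ec2:DescribeInstances", "cloudtrail:StopLogging", "s3:GetObject"):
        print(api, effective_allow(SCP_PROTECT_CLOUDTRAIL, LOCAL_ADMIN_IAM, api))
```

A whitelisting SCP is the same evaluator with the `Allow *` statement replaced by the explicit list of permitted APIs.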
81. GuardDuty account relationships
• Adding accounts to the service is simple and done via the console or API
• Invites accepted from an account will be designated as “Member” accounts. The requestor will be the “Master” account
Diagram: one Master account with Member accounts 1 … 1000 (max)
Master account can do the following to all accounts:
• Generate sample findings
• Configure and view/manage findings
• Suspend GuardDuty service
• Upload and manage trusted IP and threat IP lists (coming soon!)
Can only disable own account; member accounts must all be removed first, and by the member account.
Member account actions and visibility are limited to the member account.
Each account billed separately.
97. Why use an AWS Service Catalog?
Use cases
• Control AWS provisioning (cost, security, governance)
• Self-service portal – one-stop shop
• Standardized deployments
• Version control for AWS users
• Enforce governance and compliance proactively
• Integrate with ITSM tools
• Centrally manage IT service lifecycle