AWS Summit 2014 Perth - Breakout 3
The AWS Cloud infrastructure has been architected to be one of the most flexible and secure cloud computing environments available today. In this session, we’ll provide a practical understanding of the assurance programs that AWS provides; such as HIPAA, FedRAMP(SM), PCI DSS Level 1, MPAA, and many others. We’ll also address the types of business solutions that these certifications enable you to deploy on the AWS Cloud, as well as the tools and services AWS makes available to customers to secure and manage their resources.
Presenter: James Bromberger, Solutions Architect, Amazon Web Services
7. How does AWS get security?
• Physical access is recorded, videoed, stored, reviewed
• Multi-factor authentication for physical access
• Segregation of duties: staff with physical access versus staff with logical access
And every 90 days…
22. Identity and Access Management
1. Secure your Master account with MFA
2. Create an IAM Group for your Admin team
3. Create IAM Users for your Admin staff, as members of your Admin group
4. Turn on MFA for these users!
23. Identity and Access Management
New:
• Enhanced password management
– Expiry
– Reuse check
– Change on next log in
• Credential Report
33. Identity and Access Management
• Test your policies in the Policy Simulator!
34. API Credentials
Credentials for talking to AWS APIs via REST:
• ACCESS KEY
– An identifier
• SECRET KEY
– Used to sign requests
– Shouldn’t traverse the network again
• Not retrievable from AWS again – if you lose it, generate a new pair
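The signing model behind these two bullets, as an added example that is not from the deck: the access key id travels with each request as an identifier, while the secret key only drives an HMAC chain on the client and on the server that verifies the request. The key derivation follows AWS Signature Version 4; the canonical request is deliberately simplified (method, path and body hash only) and the credentials are constructed placeholders.

```python
import hashlib
import hmac

# Constructed credentials (not real keys): the ACCESS KEY identifies the
# caller, the SECRET KEY only ever feeds an HMAC chain on each side.
ACCESS_KEY = "AKIAIOSFODNN7EXAMPLE"
SECRET_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"

def derive_signing_key(secret, date, region, service):
    """SigV4 key derivation: chained HMAC-SHA256 over date, region, service."""
    key = ("AWS4" + secret).encode()
    for part in (date, region, service, "aws4_request"):
        key = hmac.new(key, part.encode(), hashlib.sha256).digest()
    return key

def string_to_sign(method, path, body, amz_date, scope):
    # Simplified canonical request (method, path, body hash); real SigV4
    # also covers the query string and the signed headers.
    canonical = "\n".join([method, path, hashlib.sha256(body).hexdigest()])
    return "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                      hashlib.sha256(canonical.encode()).hexdigest()])

def compute_signature(secret, method, path, body, amz_date, region, service):
    date = amz_date[:8]
    scope = f"{date}/{region}/{service}/aws4_request"
    key = derive_signing_key(secret, date, region, service)
    sts = string_to_sign(method, path, body, amz_date, scope)
    return scope, hmac.new(key, sts.encode(), hashlib.sha256).hexdigest()

def sign_request(method, path, body, amz_date, region, service):
    """Client side: only the key id, scope and signature go on the wire."""
    scope, sig = compute_signature(SECRET_KEY, method, path, body, amz_date, region, service)
    return {"X-Amz-Date": amz_date,
            "Authorization": f"AWS4-HMAC-SHA256 Credential={ACCESS_KEY}/{scope}, Signature={sig}"}

def verify_request(headers, method, path, body, secret_lookup):
    """Server side: look the secret up by key id and recompute the signature."""
    auth = headers["Authorization"]
    cred = auth.split("Credential=")[1].split(",")[0]
    key_id, date, region, service, _ = cred.split("/")
    secret = secret_lookup(key_id)
    if secret is None or headers["X-Amz-Date"][:8] != date:
        return False
    _, expected = compute_signature(secret, method, path, body,
                                    headers["X-Amz-Date"], region, service)
    return hmac.compare_digest(expected, auth.split("Signature=")[1])
```

Because the server recomputes the signature from its own copy of the secret, a lost secret cannot be recovered from any request; it can only be replaced by a new pair, as the slide says.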
36. Secure your data in flight
Use SSL / TLS for all your traffic, just like you do for your API access
ProTip: Validate the SSL Certificate!
37. Secure your data in flight
SSL offload to the Elastic Load Balancing Service
38. Secure your data in flight
• RDS connections
– MySQL
– PostgreSQL
– Oracle
• Get Public Key from AWS:
https://rds.amazonaws.com/doc/rds-ssl-ca-cert.pem
https://rds.amazonaws.com/doc/mysql-ssl-ca-cert.pem
41. S3 – Server Side Encryption (SSE)
• Available Since 2011
• AES 256-bit
• Totally transparent to customers
• AWS Key Management
42. S3 – NEW: SSE with customer keys
• Available Since June 2014
• AES 256-bit, but encryption/decryption on AWS
• Customer Key Management
43. S3 – Client-side encryption (CSE)
• Customer key management
• Customer-premise encryption/decryption
• Keys never sent to AWS
• Support in the Java AWS SDK:
AmazonS3EncryptionClient
47. EBS Storage Gateway
• Use encrypted file systems on block storage (EBS, Storage Gateway…)
– dm-crypt/LUKS
– Windows BitLocker (whole disk), EFS (file level)
– Products from Partners: Trend, Safenet, etc
– and…
48. EBS – NEW: Encrypted Volumes
• Available since May 2014
• AWS’ rigid key management
• Encryption on the server hosting the EC2 instance
• Snapshots of encrypted volumes are also encrypted
– Cannot be shared with other customers
• Only on supported instance types
50. Redshift
• By Default:
– Full disk encryption
– Uses SSL to talk to S3
• Optionally you can:
– Set S3 backups to be encrypted
– Limit S3 bucket access
– Connect using SSL
– Run within VPC
– Use CloudHSM key store
– Backup access logs to S3
• Redshift retains 1 week
51. Secure your data at rest
CloudHSM: Hardware Security Modules in the cloud
• Single tenancy
• Private key material never leaves the HSM
• AWS provisioned, customer managed
54. Isolate your services
One application per instance
• Simplify forensics
• Simplify Security Groups
• Swim-lane capacity overloads
• Limit blast radius
55. Isolate your services
Virtual Private Cloud
• Security Groups
– Don’t use 0.0.0.0/0
• Subnet separation of instances with:
– Network ACLs, and IAM policy to prevent changes
– Routing tables, and IAM policy to prevent changes
– No Internet Gateway, and IAM policy to prevent changes
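The "IAM policy to prevent changes" in the three bullets above, as an added example that is not from the deck: an explicit Deny on the EC2 actions that alter routing tables, Network ACLs and Internet Gateway attachment, attached to every group except the one that owns the network layout. An explicit Deny overrides any Allow the same users get elsewhere. The statement id is a constructed name; the action names are real EC2 API actions.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "FreezeVpcNetworkLayout",
      "Effect": "Deny",
      "Action": [
        "ec2:CreateRoute",
        "ec2:ReplaceRoute",
        "ec2:DeleteRoute",
        "ec2:ReplaceRouteTableAssociation",
        "ec2:CreateNetworkAclEntry",
        "ec2:ReplaceNetworkAclEntry",
        "ec2:DeleteNetworkAclEntry",
        "ec2:CreateInternetGateway",
        "ec2:AttachInternetGateway"
      ],
      "Resource": "*"
    }
  ]
}
```

Run the policy through the Policy Simulator against an Admin-group user before attaching it, so the Deny is confirmed to cover the actions you care about and nothing else.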
57. VPC Peering
• Connect two VPCs in the same Region
– No IP address conflicts
• Bridged by routing table entries (both sides of the peering relationship)
• Offer/Accept model
[Diagram: Customer A initiates a peering request to B; Customer B receives the request from A]
59. CloudTrail
Your staff or scripts make calls… on AWS API endpoints… CloudTrail logs this to an S3 bucket… so you can review this log
60. CloudTrail
• Who made the API call?
• When was the API call made?
• What was the API call?
• What were the resources that were acted upon in the API call?
• Where was the API call made from?
61. CloudTrail
• May: Includes CloudFront events
• June: Available in all standard Regions
• July: Includes ASG and SQS events
• July: Covers AWS Console sign-in events
{
  "eventVersion": "1.01",
  "userIdentity": {
    "type": "IAMUser",
    "principalId": "AIDAJDPLRKLG7UEXAMPLE",
    "arn": "arn:aws:iam::123456789012:Alice",
    "accountId": "123456789012"
  },
  "eventTime": "2014-07-08T17:36:04Z",
  "eventSource": "signin.amazonaws.com",
  "eventName": "ConsoleLogin",
  "awsRegion": "us-east-1",
  "sourceIPAddress": "10.0.0.1",
  "userAgent": "AWS Console Access",
  "requestParameters": null,
  "responseElements": {
    "ConsoleLogin": "Success"
  },
  "additionalEventData": {
    "MobileVersion": "No",
    "LoginTo": "https://console.aws.amazon.com/sns",
    "MFAUsed": "Yes"
  },
  "eventID": "example-even-tide-xamp-123456789012"
}
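Reading records like the one above to answer slide 60's five questions, as an added example that is not from the deck: the function pulls who/when/what/which resources/where from each record and flags the two things the closing recommendations care about, a console sign-in without MFA and any use of root credentials. The records are constructed for the example, using the real CloudTrail field names.

```python
import json

# Constructed CloudTrail records (not from the deck): a console login with
# MFA, one without, and an API call made with root credentials.
SAMPLE_RECORDS = json.dumps({"Records": [
    {"eventTime": "2014-07-08T17:36:04Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "10.0.0.1",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/Alice"},
     "additionalEventData": {"MFAUsed": "Yes"}},
    {"eventTime": "2014-07-08T18:02:11Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/Bob"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventTime": "2014-07-08T18:10:45Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress", "sourceIPAddress": "203.0.113.9",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root"},
     "requestParameters": {"groupId": "sg-0123abcd"}},
]})

def summarize(record):
    """Answer who / when / what / on which resources / from where for one record."""
    ident = record.get("userIdentity", {})
    return {
        "who": ident.get("arn", "unknown"),
        "when": record.get("eventTime"),
        "what": f'{record.get("eventSource")}:{record.get("eventName")}',
        "on": record.get("requestParameters") or {},
        "where": record.get("sourceIPAddress"),
    }

def findings(trail_json):
    """Flag console logins without MFA and any call made with root credentials."""
    out = []
    for rec in json.loads(trail_json)["Records"]:
        summary = summarize(rec)
        if (rec.get("eventName") == "ConsoleLogin"
                and rec.get("additionalEventData", {}).get("MFAUsed") != "Yes"):
            out.append(("console-login-without-mfa", summary))
        if rec.get("userIdentity", {}).get("type") == "Root":
            out.append(("root-credentials-used", summary))
    return out

if __name__ == "__main__":
    for kind, summary in findings(SAMPLE_RECORDS):
        print(kind, summary)
```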
70. James’ Recommendations
Turn on your MFA access for your Root account
Use IAM Users, Groups and Policies
Never use Root Account API keys
Scope-limit your policies
71. Visit the Solution Architecture Team today, please fill in feedback forms!
Questions on AWS security, risk and compliance: talk to AWS
James Bromberger
jameseb@amazon.com
@JamesBromberger