Cloudifying your Security Operations on AWS

1. Cloudifying your Security Operations on AWS
Presented by Patrick Hannah
VP of Engineering, CloudHesive

2. Introduction
• Who am I?
• What’s my background?
• What do I hope to get out of the
presentation?
• How am I using cloud services?
• Why did I pick the cloud services that I am
using?

3. What are we going to talk about?
• Overview
• Shared Responsibility Model
• Getting Started
• Securely Operating in AWS
• Continuous Monitoring
• Conclusion

4. Overview of AWS
• Regional footprints, some with special use cases (GovCloud,
China)
• Access to services via a Web Based Console (customizable via
AWS Service Catalog) or Programmatically (CLI/API/SDK) using
credentials with granular role assignment (Identity & Access
Management)
• Access to E-Mail, Chat and Phone support via AWS Support and
proactive recommendations via Trusted Advisor
• Access to third party products and services via AWS Marketplace
• Access to itemized billing via AWS Billing and Cost Management
• Access to infrastructure monitoring via Amazon CloudWatch
• Access to an audit trail via AWS CloudTrail and configuration
change history via AWS Config

5. Overview of AWS Infrastructure Services
• Networking
– Amazon VPC – Software Defined Network
– AWS Direct Connect – Dedicated WAN Connectivity
– Elastic Load Balancing – Load Balancing
– Amazon Route 53 – DNS
– Amazon CloudFront – Content Delivery Network
• Compute
– Amazon EC2 – Virtualized Servers
• Storage & Content Delivery
– Amazon S3 – Object Storage
– Amazon EBS – Block Storage
– Amazon EFS – NFS Storage
– Amazon Glacier – Long Term Object Storage
– AWS Import/Export/Snowball – Bulk Import/Export of data to disk
• Database
– Amazon RDS – Managed RDBMS
– Amazon DynamoDB – Managed NoSQL
– Amazon ElastiCache – Managed In Memory Cache
– Amazon Redshift – Managed Data Warehouse
– Amazon Elasticsearch Service – Managed ElasticSearch
– Amazon EMR – Managed Big Data platform
– Amazon CloudSearch – Managed Indexer

6. Overview of AWS Enterprise, Security and Automation Services
• Enterprise Applications
– Amazon AppStream – Managed Application Publishing
– Amazon WorkSpaces – Managed Desktop Publishing
– Amazon WorkDocs – Managed Document Sharing
– Amazon WorkMail – Managed Enterprise E-Mail
– Amazon SES – Managed SMTP Gateway
– AWS Directory Service – Managed Directory Service (Active Directory
Compatible)
• Security & Identity
– AWS CloudHSM – Dedicated HSM Appliances
– AWS KMS – Managed Data-At-Rest Encryption
– Amazon Inspector – Managed Application Security Scanner
– AWS WAF – Managed Web Application Firewall
– AWS IAM – User Credential Management
• Automation
– Auto Scaling – Managed Infrastructure Scaling
– AWS Elastic Beanstalk – Managed Application Deployment
– AWS CloudFormation – Infrastructure Configuration Management
– AWS CodeCommit – Managed Repository
– AWS CodeDeploy – Managed Software Deployment
– AWS CodePipeline – Managed Continuous Delivery Service
– AWS OpsWorks – Infrastructure + Software Configuration
Management

7. Overview of AWS Managed (Abstracted) Services
• Amazon EC2 Container Service – Managed
Docker Container Deployment
• Amazon API Gateway – Managed API Gateway
• AWS Lambda – Managed Application Container
• Amazon Cognito – Data Persistence for Mobile
Devices
• Amazon SNS – Managed Notification Service
• Amazon Elastic Transcoder – Managed
Transcoding Service
• Amazon SQS – Managed Queue Service
• Amazon SWF – Managed Workflow Service
• Amazon Kinesis – Managed Data Pipeline
(Streaming)
• AWS Data Pipeline – Managed Data Pipeline
(Bulk)

8. AWS Shared Responsibility Model

9. AWS Account
• Setup AWS Accounts
• Balance the number of AWS Accounts with actual need
• Setup General Distribution Lists and Register your AWS Accounts with
them
• Setup more specific distribution lists for Billing, Security and Support on
each account
• These distribution lists shouldn’t be on a domain hosted on AWS
• Keep them generic enough to prevent guessing
• Limit usefulness of Root Account

10. IAM
• Customize the IAM users sign-in link but don’t use something
predictable
• Create Users in Main Account/Leverage roles to manage other
Accounts
• Follow Standard Best Practices
• Manage user policies at group level (where it makes sense)
• Use managed policies as a starting point but evaluate them for fit
• Utilize conditions for more granular control
• Validate Roles and Policies

11. Asset Management
• Enable Billing Alerts
• Enable Billing Reports
• Implement a Tagging Policy
– name: Matches Hostname
– env: Matches Environment
– role: Matches Role
– owner: The name of the resource (typically an instance) that
utilizes other resources (such as EBS Volumes)
– managed: Who manages the asset
• Enable Billing Tags

12. VPC and Subnets
• How many VPCs?
– All Environments or one per Environment
– Shared Services
– Management Services
• How many Subnets?
– Public Subnets for Internet Routable Services
– Private Subnets for Non-Internet Routable Services
– Subnets for Abstracted/Managed Services (ELB, etc.)
– Subnets for consistent IP Addressing
– Ensure you take into account how an instance with multiple ENIs
may behave

13. ACLs and Security Groups
• Follow best practices
– Be Smart
– Controlling outbound traffic is just as important as controlling inbound traffic
– Don’t forget about RDS DB Security Groups
– Watch out for /0
• Use Security Groups and ACLs where they make sense
– ACLs and Security Groups (along with IAM) can help incorporate policies
requiring separation of duties
– Security Groups are stateful, have a default deny and no processing order
– ACLs are stateless, have multiple denies (or no denies at all) and have a
processing order
• Devise a Security Group Scheme
– Environment?
– Role?
– ENIs?

14. VPC Logs, CloudTrail, Config, CloudWatch Logs
• VPC Logs
– Enable VPC logs on critical ENIs or Subnets
• Public Facing
• NAT Instance ENI
– Enable on the entire VPC if needed
• CloudTrail
– Don’t forget to enable in each account and each region
– Use an S3 bucket in the Main account
– Use SSE-KMS to encrypt logs (logs are generally redacted)
• Config
– Don’t forget to enable in each account and each region
– Use an S3 bucket in the Main account
• CloudWatch Logs
– Batch export to S3 bucket in the Main account
– Forward CloudWatch Logs to Kinesis Stream in Main Account

15. Secure storage of Logs on S3
• Ensure Permissions to CloudTrail and Config log buckets are
sufficiently restrictive
• Enable access logging (write it to another bucket)
• Enable notifications unexpected activities
• Enable MFA Delete
• Setup a lifecycle rule to transition to Glacier
• Setup a Vault Lock rule in Glacier to protect access to the data

16. Using Managed/Abstracted Services
• AWS has DoS/DDoS mitigation capabilities but it’s a shared
responsibility
• Follow VPC Recommendations
• Utilize additional AWS services
– Route53 (front end DNS request)
– CloudFront (front end web/application server requests)
– WAF (application layer firewall
– ELB (acts like a reverse proxy/distributes load)
– ASG (scales up as load increases)
• Some of these services allow logging to S3
– Use an S3 bucket in the Main Account

17. Provisioning EC2 Instances
• Launch instance with IAM roles
• Encrypt data at rest using KMS or a third party solution (like ours)
• Encrypt data in flight
• Collect instance logs using CloudWatch logs
• Ensure Active Directory Domain Controllers are using an external NTP
server
• Assume the instance will fail at some point
• Utilize a directory service for authentication – use key pairs once and
throw them away (additional thoughts on administrative access are on
the next slide)

18. Administration of EC2 Instances
• Utilize an SSH Bastion, RDP Proxy or AWS Workspaces for
Administration
– Authenticate an existing directory service (if you have one) or
utilize AWS’
– Don’t forget the security of these hosts – same rules apply
• Use a secure means of sharing data
• Automate instead of administrate

19. AWS Continuous Monitoring Services
• Trusted Advisor – Top Security Recommendations
• Config Rules – Pre-built and custom best practice rules
• Inspector – Application level vulnerability scanning
• AWS

20. Continuous Monitoring Ideas
• Identify users who have not logged in in the last quarter
• Identify users who have disabled accounts
• Identify users who have not rotated passwords in the last quarter
• Identify users who have passwords out of compliance
• Identify credentials that cannot be accounted for
• Identify weak security group entries and ones that cannot be accounted
for
• Identify public AMI, Snapshot and S3 items and ones that cannot be
accounted for
• Identify shared AMI, Snapshot and S3 items and ones that cannot be
accounted for
• Identify expiring certificates on ELB
• Did someone use the root credentials?
• Did someone unexpected access (successfully or otherwise) S3 Logs
or CloudWatch logs?

21. Conclusion and Some Advice
• First place to start is collecting the data
• Once you collect the data you can build a baseline
• Once you build a baseline you can identify anomalies
• There are many tools on the market can help

22. Further Learning
• AWS Security: https://aws.amazon.com/security
• AWS Security Blog: https://blogs.aws.amazon.com/security/
• AWS Documentation
– http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/vpc-
endpoints.html
– http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPN_CloudHu
b.html
– http://docs.aws.amazon.com/AmazonCloudWatch/latest/DeveloperGuide/S
ubscriptions.html
– http://docs.aws.amazon.com/AmazonCloudWatch/latest/DeveloperGuide/S
3Export.html
– https://docs.aws.amazon.com/IAM/latest/UserGuide/walkthru_cross-
account-with-roles.html
– https://aws.amazon.com/articles/2781451301784570
– https://www.dropbox.com/s/hizoeicmgf4iha5/DDoS_White_Paper_June201
5.pdf
• IAM Best Practices: https://evidentio.squarespace.com/blog/2015/2/12/top-10-
aws-security-best-practices-1-disable-root-account-api-access-key
• Realtime Alerting: https://cloudonaut.io/monitor-your-aws-account-to-detect-
suspicious-behavior-in-real-time/
• CloudTrail in Kibana: https://github.com/AppliedTrust/traildash

23. Florida Meetups
• http://www.meetup.com/aws-user-group-miami/
• http://www.meetup.com/Miami-AWS-Users-Group/
• http://www.meetup.com/South-Florida-Amazon-
Web-Services-Meetup/
• http://www.meetup.com/awsflorida/
• http://www.meetup.com/AWS-User-Groups-of-
Florida-Jacksonville/

24. Q&A
• Questions?

25. Question 1
• What’s the difference between a Security Group and
ACL?

26. Question 2
• What’s the difference between a Public and Private
Subnet (AWS Definition)?

27. Question 3
• What AWS services you can use for continuous
monitoring?

28. Question 4
• What AWS services can you use to help mitigate a
DoS/DDoS attack?

29. THANK YOU!
Want a copy of this presentation?
sales@cloudhesive.com
http://www.cloudhesive.com