This document summarizes a presentation given by Jason Chan on AWS security from a practitioner's perspective. The presentation covered AWS credentials and identifiers, AWS services, actions and resources, and controlling network traffic. It provided an overview of AWS security and some recommendations, but did not aim to be a comprehensive security guide or primer on general cloud security issues.
2. Jason Chan
• Cloud Security Architect @ Netflix
• Previously:
  • Most recently led security team at VMware
  • Primarily security consulting at @stake, iSEC Partners
• Some presentations at:
  • http://www.slideshare.net/netflix
3. Agenda
• Goals and non-goals
• AWS on one slide
• Netflix in the cloud
• AWS security: Overview
• AWS security: Gotchas
• AWS security: Recommendations
• Takeaways
12. AWS on a Slide
“The cloud lets its users focus on delivering differentiating business value instead of wasting valuable resources on the undifferentiated heavy lifting that makes up most of IT infrastructure.”
- Werner Vogels (AWS CTO), August 25, 2009, ‘All Things
32. AWS Credentials and Identifiers
Account Identifiers
  Account ID                   12-digit identifier
  Canonical User ID            Used for S3 permissioning
Resource Identifier
  Amazon Resource Name (ARN)   Unique resource identifier, e.g. arn:aws:sns:us-east-1:1234567890123456:mytopic
Sign-In Credentials
  Main Account E-Mail/PW       Console access
  IAM Account Name/PW          Console access
  MFA Token                    HW/SW token for additional security
Access Credentials
  Access Keys                  REST API
  X.509 Certificates           SOAP API, EC2 tools
  Key Pairs                    CloudFront, EC2
http://docs.amazonwebservices.com/AWSSecurityCredentials/1.0/AboutAWSCredentials.html
44. AWS Services, Actions, and Resources
Service   Action                                   Resource
S3        Get Object, Delete Bucket                Bucket, Object
EC2       Terminate Instances, Associate Address   Instance, AMI, EBS Volume
AWS policies can be applied to actions and resources.
Compatibility is service-dependent.
http://docs.amazonwebservices.com/IAM/latest/UserGuide/Using_SpecificProducts.html
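The two slides above (credentials and identifiers; services, actions and resources) describe the pieces an IAM policy is made of: a resource named by an ARN, an action named per service, and an Allow or Deny that applies to the pair. The following is an added example, not code from the presentation or from AWS, that parses ARNs with the 12-digit account check the slide states and evaluates a small policy the way IAM does (nothing allowed until a statement allows it; an explicit Deny overrides any Allow; actions matched case-insensitively with `*` and `?` wildcards). The policy document, bucket name and account number in it are constructed. Note that the ARN printed on the slide carries a 16-digit account field, so this validator rejects it, while a 12-digit account parses cleanly.

```python
import re

# Regular expression for the ARN shape shown on the slide:
#   arn:partition:service:region:account:resource
ARN_RE = re.compile(
    r"^arn:(?P<partition>[^:]+):(?P<service>[^:]+):(?P<region>[^:]*):"
    r"(?P<account>[^:]*):(?P<resource>.+)$"
)


def parse_arn(arn):
    """Split an ARN into its fields and enforce the 12-digit account ID.

    Region and account may be empty (S3 ARNs omit both), but when an account
    is present it must be exactly 12 digits, as the slide describes.
    """
    m = ARN_RE.match(arn)
    if m is None:
        raise ValueError("not an ARN: %r" % arn)
    fields = m.groupdict()
    if fields["account"] and not re.fullmatch(r"\d{12}", fields["account"]):
        raise ValueError("account ID must be 12 digits: %r" % fields["account"])
    return fields


def is_valid_arn(arn):
    try:
        parse_arn(arn)
        return True
    except ValueError:
        return False


# Constructed policy document for illustration; it is not from the slides.
POLICY = {
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::app-assets", "arn:aws:s3:::app-assets/*"]},
        {"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"},
        {"Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"},
    ]
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _wildcard_match(pattern, value, ignore_case):
    """IAM-style matching: '*' matches any run of characters, '?' exactly one."""
    regex = "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"
    flags = re.IGNORECASE if ignore_case else 0
    return re.match(regex, value, flags) is not None


def evaluate(policy, action, resource_arn):
    """Return "Allow", "Deny" or "ImplicitDeny" for one action/resource pair.

    IAM's rule: nothing is permitted until a statement allows it, and an
    explicit Deny on a matching statement overrides any Allow. Action names
    are matched case-insensitively, resource ARNs case-sensitively.
    """
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        action_hit = any(_wildcard_match(p, action, True)
                         for p in _as_list(stmt["Action"]))
        resource_hit = any(_wildcard_match(p, resource_arn, False)
                           for p in _as_list(stmt["Resource"]))
        if not (action_hit and resource_hit):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


if __name__ == "__main__":
    print(parse_arn("arn:aws:sns:us-east-1:123456789012:mytopic"))
    print(evaluate(POLICY, "s3:GetObject", "arn:aws:s3:::app-assets/index.html"))
    print(evaluate(POLICY, "s3:DeleteBucket", "arn:aws:s3:::app-assets"))
```

The evaluator ignores conditions, principals and resource-level support per service (the slide's "compatibility is service-dependent"); it is enough to check, before a policy is deployed, that the actions you meant to deny are in fact denied regardless of what the Allow statements say.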
55. Controlling Network Traffic in AWS
App Server --TCP 3306--> DB Server
Cisco Configuration
permit tcp host 1.1.1.1 host 2.2.2.2 eq 3306
AWS Configuration
ec2-authorize db -P tcp -p 3306 -s app
56. Security Groups & ACLs
Type                 Stateful  Ingress  Egress  EC2  VPC  Cross-Account  Dynamic Membership
EC2 Security Group   Y         Y        N       Y    N    Y              N
VPC Security Group   Y         Y        Y       N    Y    N              Y
DB Security Group    Y         Y        N       Y    Y    Y              Y
VPC Network ACL      N         Y        Y       N    Y    N/A            N/A
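The `ec2-authorize` rule on slide 55 names a source *group* rather than an address, and the table above marks security groups as stateful and network ACLs as stateless. The following is an added example, not code from the presentation or from AWS, that models both behaviours so the difference can be seen on a concrete exchange: the database group admits TCP 3306 from any member of "app" and lets the reply out with no egress rule, whereas a network ACL needs an explicit egress entry for the ephemeral-port reply or the connection never completes. The addresses and group membership are constructed; the rule and ACL semantics (group-based sources, numbered first-match entries with an implicit deny) follow the table.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    proto: str
    src_port: int
    dst_port: int

    def reply(self):
        """The return packet for this flow (addresses and ports swapped)."""
        return Flow(self.dst_ip, self.src_ip, self.proto, self.dst_port, self.src_port)


# Constructed group membership (hypothetical addresses): instances in "app" and "db".
MEMBERS = {"app": {"10.0.1.10", "10.0.1.11"}, "db": {"10.0.2.20"}}


@dataclass(frozen=True)
class SGRule:
    proto: str
    port_from: int
    port_to: int
    source: str  # a CIDR or the name of another security group


# The slide's `ec2-authorize db -P tcp -p 3306 -s app` as one ingress rule on "db".
DB_GROUP_RULES = [SGRule("tcp", 3306, 3306, "app")]


def sg_ingress_permits(rules, flow, members):
    """Does any ingress rule admit this flow? Group sources match by membership, not address."""
    for r in rules:
        if r.proto != flow.proto or not (r.port_from <= flow.dst_port <= r.port_to):
            continue
        if r.source in members:
            if flow.src_ip in members[r.source]:
                return True
        elif ip_address(flow.src_ip) in ip_network(r.source):
            return True
    return False


class StatefulGroup:
    """Security-group semantics: ingress rules only (classic EC2); replies to admitted flows pass."""

    def __init__(self, rules, members):
        self.rules, self.members, self.established = rules, members, set()

    def inbound(self, flow):
        ok = sg_ingress_permits(self.rules, flow, self.members)
        if ok:
            self.established.add(flow)
        return ok

    def outbound(self, flow):
        # No egress rules exist; only the reply to a tracked inbound flow is allowed out.
        return flow.reply() in self.established


@dataclass(frozen=True)
class ACLEntry:
    number: int
    action: str  # "allow" or "deny"
    proto: str
    port_from: int
    port_to: int
    cidr: str


def nacl_permits(entries, remote_ip, port, proto):
    """Network-ACL semantics: stateless, entries in number order, first match wins, implicit deny."""
    for e in sorted(entries, key=lambda e: e.number):
        if e.proto not in ("all", proto) or not (e.port_from <= port <= e.port_to):
            continue
        if ip_address(remote_ip) not in ip_network(e.cidr):
            continue
        return e.action == "allow"
    return False


def nacl_allows_exchange(ingress, egress, request):
    """A stateless ACL must admit the request on ingress AND its reply on egress."""
    reply = request.reply()
    return (nacl_permits(ingress, request.src_ip, request.dst_port, request.proto)
            and nacl_permits(egress, reply.dst_ip, reply.dst_port, reply.proto))


if __name__ == "__main__":
    req = Flow("10.0.1.10", "10.0.2.20", "tcp", 49152, 3306)
    db = StatefulGroup(DB_GROUP_RULES, MEMBERS)
    print("SG inbound:", db.inbound(req), "reply out:", db.outbound(req.reply()))
    ingress = [ACLEntry(100, "allow", "tcp", 3306, 3306, "10.0.1.0/24")]
    print("NACL without egress rule:", nacl_allows_exchange(ingress, [], req))
```

The group-based source is what gives security groups the "dynamic membership" property in the table for VPC and DB groups: an instance added to "app" is admitted without any rule change, while the CIDR-based ACL has to be edited whenever the address plan moves.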
69. AWS Limits
• “Because the cloud is infinite if your requirements are moderate”
• Many AWS services have a variety of limits
  • Some of which are easily discoverable
• AWS services also have throttling (e.g. max RPS)
• Beware of self-DoS via automation and autoscaling
• NOTE: http://aws.amazon.com/contact-us/ for limit increase requests
• NOTE: Track limits and inspect error messages
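Two of the points above turn into code in any automation that drives the AWS API: back off when a call is throttled so that autoscaling or a retry loop does not become the self-DoS the slide warns about, and read the error code so a hard account limit is reported as a limit-increase request rather than retried forever. The following is an added example, not code from the presentation or from an AWS SDK. The error-code names are an assumption about commonly returned throttling codes, the API call is a constructed stand-in, and the sleep and random functions are injectable so the behaviour can be checked without waiting.

```python
import random
import time


class AwsError(Exception):
    """Stand-in for an AWS API error carrying the error code from the response body."""

    def __init__(self, code, message=""):
        super().__init__("%s: %s" % (code, message))
        self.code = code


# Throttling codes (assumed names, not from the slides). Anything else ending in
# "LimitExceeded" is treated as a hard account limit that retrying cannot fix.
THROTTLE_CODES = {"Throttling", "ThrottlingException", "RequestLimitExceeded"}


def classify(code):
    """Decide what an error code means for the caller: retry, ask for a higher limit, or fail."""
    if code in THROTTLE_CODES:
        return "retry"
    if code.endswith("LimitExceeded"):
        return "raise-limit"
    return "fail"


def call_with_backoff(op, max_attempts=5, base=0.5, cap=20.0,
                      sleep=time.sleep, rng=random.random):
    """Call op(); on a throttling error wait base*2^(n-1) s (capped, full jitter) and retry.

    Returns (result, attempts). Non-throttling errors and exhausted attempts are
    re-raised unchanged so the caller sees the real error message.
    """
    attempt = 0
    while True:
        attempt += 1
        try:
            return op(), attempt
        except AwsError as err:
            if classify(err.code) != "retry" or attempt >= max_attempts:
                raise
            sleep(min(cap, base * 2 ** (attempt - 1)) * rng())


def flaky_api(failures, code):
    """Constructed stand-in for an API call: raises `code` the first `failures` times, then returns "ok"."""
    state = {"calls": 0}

    def op():
        state["calls"] += 1
        if state["calls"] <= failures:
            raise AwsError(code, "simulated")
        return "ok"
    return op


def limits_near_exhaustion(usage, threshold=0.8):
    """Given {resource: (in_use, limit)}, return the resources at or above the threshold.

    Tracking this continuously is cheaper than discovering a limit when a
    launch fails in the middle of a scaling event.
    """
    return sorted(name for name, (used, limit) in usage.items()
                  if limit and used / limit >= threshold)


if __name__ == "__main__":
    delays = []
    result, n = call_with_backoff(flaky_api(2, "RequestLimitExceeded"),
                                  sleep=delays.append, rng=lambda: 1.0)
    print(result, "after", n, "attempts; slept", delays)
    print(limits_near_exhaustion({"ec2:instances": (18, 20), "eip": (2, 5)}))
```

With `rng=lambda: 1.0` the delays are the deterministic upper bound of the jittered window (0.5 s, then 1 s); in production the default `random.random` spreads retries out so that many instances throttled at once do not all retry in the same instant.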
72. EC2 IP Addresses
• Each instance has two IPs - private and public
# ec2-metadata
...
local-hostname: ip-10-245-134-152.ec2.internal
local-ipv4: 10.245.134.152
...
public-hostname: ec2-72-44-52-70.compute-1.amazonaws.com
public-ipv4: 72.44.52.70
...
84. EC2 IP Addresses
• Both public and private IPs are dynamic
• Elastic IPs can be used for persistent public IPs
• Within a region, instances use their private IPs
• Across regions & for Internet traffic, the public IP is used
• NOTE: Traffic to the public IP/EIP:
  • Incurs regional data transfer costs
  • Is less performant in-region
  • Does not preserve source security group info
85. Elastic Load Balancers
• Service availability and traffic balancing across EC2 instances
• Stable DNS for publicly-facing services
  • Alias to the ELB DNS (CNAME)
• SSL termination, session stickiness, etc.
[Diagram: Internet → ELB → Instance, Instance, Instance]
93. Elastic Load Balancers
• ELB intercepts and forwards traffic
  • Traffic loses source IP
  • Client IP is accessible via X-Forwarded-For
• Backend instances must allow traffic from the ELB
  • Traffic from ELB == Traffic from Internet
  • Without additional (non security group) filtering, ELBs should only be used for public use cases
• NOTE: VPC ELBs can use security groups for limiting access
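Because the ELB rewrites the source address, the client IP the application logs or rate-limits on has to come from X-Forwarded-For, and because traffic from the ELB is indistinguishable from direct Internet traffic, that header is only meaningful when the request really came through the ELB. The following is an added example, not code from the presentation or from AWS, showing the defensive way to read it: take the rightmost entry (the one the ELB itself appended) rather than the leftmost (which the client can set to anything), and fall back to the TCP peer address when the peer is not in a known load-balancer range. The address values and the `elb_networks` list are constructed; the assumption that the ELB's address ranges are known holds in VPC, where the slide notes security groups apply, and not in classic EC2.

```python
from ipaddress import ip_address, ip_network


def client_ip_from_xff(xff_header, trusted_hops=1):
    """Recover the client address from X-Forwarded-For as appended by the ELB.

    Each proxy appends the peer address it saw, so the rightmost entry was written
    by the last proxy (the ELB). Entries further left were supplied by the client
    or earlier hops and cannot be trusted. With one trusted hop take the last
    entry; with a trusted CDN in front of the ELB, take the second to last.
    """
    hops = [h.strip() for h in xff_header.split(",") if h.strip()]
    if len(hops) < trusted_hops:
        raise ValueError("X-Forwarded-For has fewer hops than trusted proxies")
    candidate = hops[-trusted_hops]
    ip_address(candidate)  # raises ValueError on junk such as "unknown" or a hostname
    return candidate


def effective_client_ip(peer_ip, xff_header, elb_networks):
    """Use X-Forwarded-For only when the TCP peer is in a known load-balancer range.

    To the instance, ELB traffic looks like any other Internet traffic (the
    slide's point), so a request arriving directly carries whatever header the
    sender chose; then the peer address is the only trustworthy client address.
    `elb_networks` is a list of CIDR strings (constructed for this example).
    """
    peer = ip_address(peer_ip)
    if xff_header and any(peer in ip_network(n) for n in elb_networks):
        try:
            return client_ip_from_xff(xff_header)
        except ValueError:
            return peer_ip  # malformed header: do not let it poison the logs
    return peer_ip


def access_log_line(peer_ip, xff_header, elb_networks, path):
    """Record both the peer and the derived client address so the decision can be audited later."""
    client = effective_client_ip(peer_ip, xff_header, elb_networks)
    return "client=%s peer=%s xff=%r path=%s" % (client, peer_ip, xff_header, path)


if __name__ == "__main__":
    elbs = ["10.0.0.0/24"]  # constructed: the ELB subnet in a VPC deployment
    print(access_log_line("10.0.0.5", "1.2.3.4, 203.0.113.7", elbs, "/login"))
    print(access_log_line("198.51.100.9", "1.2.3.4, 203.0.113.7", elbs, "/login"))
```

In the first log line the client is 203.0.113.7 (what the ELB saw), not the client-supplied 1.2.3.4; in the second the request bypassed the ELB, so the header is ignored and the peer address is logged.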
100. S3 Policies and Object Ownership
• S3 bucket similar to container, object similar to a file
• Access control can be applied via bucket policy, bucket ACL, and object ACLs
• NOTE: Objects only inherit bucket-level permissions if written by bucket owner
  • Default ACL is “object creator: full control”
  • Objects written by a non-bucket-owner are inaccessible by bucket owner
  • Use “x-amz-acl” header on write to fix permissions
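The ownership rule on this slide is easy to get wrong in a multi-account setup, so the following is an added example, not code from the presentation or from AWS, that models it in memory: an object written by another account gets the default creator-only ACL and is invisible to the bucket owner, bucket-level grants reach only objects the bucket owner wrote, and the `x-amz-acl: bucket-owner-full-control` header on the write is what restores the owner's access. It also includes the audit a bucket owner would run to find objects already outside their control. The account names and keys are constructed, and the model deliberately covers only the behaviours the slide states (it is not the S3 service's full permission logic).

```python
from dataclasses import dataclass, field


@dataclass
class S3Object:
    key: str
    owner: str                                # the account that wrote the object
    acl: dict = field(default_factory=dict)   # grantee -> set of permissions


class Bucket:
    """Simplified model of the ownership rules on the slide; not the S3 service itself."""

    def __init__(self, owner):
        self.owner = owner
        self.objects = {}
        self.bucket_readers = set()   # principals granted READ by bucket policy / bucket ACL

    def put(self, writer, key, x_amz_acl=None):
        """Write an object. Default ACL: the creator gets FULL_CONTROL and nobody else.

        The canned ACLs selected with the x-amz-acl header are what let the
        bucket owner keep control of objects that other accounts write.
        """
        acl = {writer: {"FULL_CONTROL"}}
        if x_amz_acl == "bucket-owner-full-control":
            acl.setdefault(self.owner, set()).add("FULL_CONTROL")
        elif x_amz_acl == "bucket-owner-read":
            acl.setdefault(self.owner, set()).add("READ")
        elif x_amz_acl is not None:
            raise ValueError("canned ACL not covered by this model: %r" % x_amz_acl)
        self.objects[key] = S3Object(key, writer, acl)

    def can_read(self, principal, key):
        obj = self.objects[key]
        # Bucket-level grants reach an object only if the bucket owner wrote it.
        if obj.owner == self.owner and principal in self.bucket_readers:
            return True
        return bool(obj.acl.get(principal, set()) & {"READ", "FULL_CONTROL"})


def objects_outside_owner_control(bucket):
    """Audit: keys written by another account where the bucket owner holds no FULL_CONTROL grant."""
    return sorted(key for key, obj in bucket.objects.items()
                  if obj.owner != bucket.owner
                  and "FULL_CONTROL" not in obj.acl.get(bucket.owner, set()))


if __name__ == "__main__":
    b = Bucket("owner-acct")
    b.put("partner-acct", "uploads/a.csv")                                        # default ACL
    b.put("partner-acct", "uploads/b.csv", x_amz_acl="bucket-owner-full-control")  # header set
    print("owner can read a.csv:", b.can_read("owner-acct", "uploads/a.csv"))
    print("owner can read b.csv:", b.can_read("owner-acct", "uploads/b.csv"))
    print("needs fixing:", objects_outside_owner_control(b))
```

The practical consequence for a bucket that accepts cross-account writes is to require the header on the writer's side and to run the audit periodically, since a bucket policy applied after the fact does not reach the objects the other account already wrote.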
105. AWS Resource Logging
• AWS APIs and resources are publicly (Internet) accessible
  • So, your management interfaces, file store, databases, etc. are publicly addressable
• Preventing access is generally possible through policy configuration
• NOTE: AWS provides no capability for logging or auditing resource access
111. Delivering Credentials to EC2 Instances
• AWS becomes more valuable when leveraging multiple services (e.g. EC2 + SQS, S3, etc.)
• Access to resources will generally require credentials
• Secure delivery and storage of credentials becomes difficult with scale and automation
• Some ideas:
  • http://shlomoswidler.com/2009/08/how-to-keep-your-aws-credentials-on-ec2.html
118. Systematic Approach to AWS Security
• Understand shared responsibility model
• Management of AWS
• AWS security features and services
• AWS resource security
• Secure AWS operations
119. Shared Responsibility
• Analyze what each side provides in terms of security controls
• Understand legal/contractual aspects
• Make plans to bridge any gaps
https://wiki.cloudsecurityalliance.org/guidance/index.php/Cloud_Computing_Architectural_Framework
http://www.computer.org/csdl/mags/sp/2011/02/msp2011020050-abs.html
126. AWS Management
• No longer any reason to not use IAM
• Enable:
  • IAM
  • MFA (for account and IAM accounts)
• Create groups and assign permissions appropriate for organizational model
• Consider using separate top-level accounts for compartmentalization
131. AWS Security Features and Services
• Understand security features, limitations, and options of the features you use
  • S3 - encryption, MFA delete, versioning
  • EC2 - dedicated instances, disabling API termination
• Consider VPC based on use cases and requirements
141. Secure AWS Operations
• Understand security group/ACL differences
• Design and implement according to architectural requirements
• Actively manage and monitor accounts and credentials
148. Other Recommendations
• Tools like boto are useful for security monitoring and analysis
• Keep an eye on:
  • http://aws.typepad.com/
  • @jeffbarr
  • AWS Endpoints: http://docs.amazonwebservices.com/general/latest/gr/rande.html
  • EC2 IP Ranges: https://forums.aws.amazon.com/forum.jspa?forumID=30
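Slides 126, 141 and 148 together recommend enabling MFA for the main account and every IAM account, actively managing and monitoring accounts and credentials, and using a tool such as boto to do that monitoring. The following is an added example, not code from the presentation or from boto, of the check such a monitoring job would run: it reads a per-user table of credential state and reports console logins without MFA, access keys on the root account, and access keys past a rotation age. The table is a constructed CSV whose column names and users are invented for this example (it is only loosely shaped like an IAM credential report, and fetching the real data from the API is left out so the logic runs offline); the clock is pinned so the reported ages are reproducible.

```python
import csv
import io
from datetime import datetime, timezone

# Constructed sample; the column set, user names and dates are invented for this example.
SAMPLE_REPORT = """\
user,password_enabled,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_2_active,access_key_2_last_rotated
<root_account>,true,false,true,2011-03-01T00:00:00+00:00,false,N/A
alice,true,true,true,2011-08-15T00:00:00+00:00,false,N/A
deploy-bot,false,false,true,2010-11-01T00:00:00+00:00,true,2011-09-01T00:00:00+00:00
bob,true,false,false,N/A,false,N/A
"""

# Fixed "now" so the key ages computed below are reproducible.
NOW = datetime(2011, 9, 15, tzinfo=timezone.utc)


def audit_credentials(report_csv, now=NOW, max_key_age_days=90):
    """Return (user, finding) pairs for the account-hygiene points on the slides:
    MFA on every console login (root included), no long-lived access keys, and
    API access through IAM users rather than the root account."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        is_root = user == "<root_account>"
        if row["password_enabled"] == "true" and row["mfa_active"] != "true":
            findings.append((user, "console password without MFA"))
        for n in ("1", "2"):
            if row["access_key_%s_active" % n] != "true":
                continue
            if is_root:
                findings.append((user, "root account has an active access key %s" % n))
            rotated = datetime.fromisoformat(row["access_key_%s_last_rotated" % n])
            age = (now - rotated).days
            if age > max_key_age_days:
                findings.append((user, "access key %s last rotated %d days ago" % (n, age)))
    return findings


def users_with_findings(report_csv, **kwargs):
    """Distinct users that need attention, in sorted order, for a summary report."""
    return sorted({user for user, _ in audit_credentials(report_csv, **kwargs)})


if __name__ == "__main__":
    for user, finding in audit_credentials(SAMPLE_REPORT):
        print("%-15s %s" % (user, finding))
```

A service account such as `deploy-bot` has no console password, so it is correctly not flagged for MFA; its stale key is the finding, which is exactly the case the "manage and monitor credentials" point is about, since keys baked into automation are the ones nobody rotates.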
152. Takeaways
• AWS provides an array of services that allow you to construct and operate large scale web services in a self-service, pay as you go model
• The cloud operating model requires you to understand the security responsibilities of both provider and consumer
• Understanding AWS’ security features and capabilities and taking a systematic approach to AWS security will help ensure optimized and secure service use
156. Netflix PaaS
• Supports all AWS regions and availability zones
• Supports multiple AWS accounts
• One-click deployment and load balancing across three datacenters
• Cross-region and account data replication and archive
• Dynamic and fine-grained security
• Automatic scaling to thousands of instances
• Monitoring for millions of metrics
• Base server and client
• I18n, L10n, geo IP routing
http://www.slideshare.net/netflix