SlideShare ist ein Scribd-Unternehmen logo

Implementing the Top 10 AWS Security Best Practices

Sebastian Taphanel CISSP-ISSEP
Sebastian Taphanel CISSP-ISSEP

Hard Lessons Learned from defending Adobe Creative Cloud on AWS! Insight into implementing a solid Security Architecture based on a mutual conversation between DevOps and SecOps!

Technologie
1 von 21
Downloaden Sie, um offline zu lesen
Copyright © 2016 evident.io1 IMPLEMENTING THE TOP 10 AWS SECURITY BEST PRACTICES Justin Lundy, Co-Founder / CTO Sebastian Taphanel CISSP-ISSEP, Federal Solutions Architect 6 April 2016
Copyright © 2016 evident.io2 When we gave developers the power to create infrastructure, security became their responsibility, too. Security *IS* a Shared Responsibility
Copyright © 2016 evident.io3 AWS Shared Security Responsibility Model
Copyright © 2016 evident.io4 Top 10 AWS Security Best Practices 1. Disable root API access key and secret key 2. Enable MFA tokens everywhere 3. Reduce number of IAM users with Admin rights 4. Use Roles for EC2 5. Least privilege: limit what IAM entities can do with strong/explicit policies 6. Rotate all the keys regularly 7. Use IAM roles with STS AssumeRole where possible 8. Dampen DDoS with Complementary Servcies 9. Do not allow 0.0.0.0/0 in any EC2/ELB security group unless you mean it 10. Watch world-readable/listable S3 bucket policies 0. Enable CloudTrail Logging & Encryption http://blog.evident.io/blog/2016/2/10/implementing-the-top-10-aws-security-best-practices
Copyright © 2016 evident.io5 • Do this first • You can’t get a log file if you don’t turn it on • Consolidate logs • Set up S3 Lifecycle • Only enable one global region • Encrypt everywhere • S3 • EBS • SSL • Rest • Flight • Not only at night… #0 - ENABLE CLOUDTRAIL LOGGING & ENCRYPTION
Copyright © 2016 evident.io6 • “Root” account has no restrictions • Create administrative IAM users • Use Roles for EC2 (#4) • Make sure billing and contact questions are filled out • Bonus: Set up MFA on root and throw away the key! #1 - DISABLE ROOT ACCOUNT API ACCESS KEY
Copyright © 2016 evident.io7 #2 - ENABLE MFA TOKENS EVERYWHERE • Provide an additional factor to the authentication step • MFA is assigned to root account and IAM users • Can be assigned to roles • Physical or virtual • Virtual has choices (Google Authenticator, Authy, etc.)
Copyright © 2016 evident.io8 • How many people have the keys to your kingdom? • Not just people - apps • Review IAM policies on Users, Groups and Roles • Remember #1 • Consider Identity Federation #3 - REDUCE NUMBER OF IAM USERS WITH ADMIN
Copyright © 2016 evident.io9 • Do your EC2 instances need to contact other AWS Services? • AWS SDKs and aws-cli support EC2 Roles • Reduced attack surface area • Secure DevOps on EC2 • Create an EC2 specific role • Assign a specific policy to that role • Launch an EC2 instance with that role • Easy to test with aws-cli on EC2 #4 - USE ROLES FOR EC2
Copyright © 2016 evident.io10 • Programs should operate using the least amount of privilege to get the job done • IAM can get very granular • Works in tandem with #4 on EC2 • Should be applied to all automated workflows, too • Very specific IAM policies - only allow what you mean • IAM managed policies make this easier • Use the IAM policy generator and policy simulator to help #5 - LEAST PRIVILEGE
Copyright © 2016 evident.io11 • Compromised access keys are very annoying and can cost your business dearly • IAM users should have keys rotated every 90 days minimum • Mostly useful for when Roles for EC2 won’t work in automated workflows • Sample process: • Track age of Access Keys • Create new key • Supply key to automation process • Test • Deactivate old key #6 - ROTATE ALL THE KEYS REGULARLY
Copyright © 2016 evident.io12 • Similar to EC2 Roles • Can be used in place of privileged IAM user Access Keys • Temporary credentials • Allows for 3rd parties such as Evident.io to access your AWS accounts more securely • Extended version of AssumeRole allows for Identity Federation #7 - USE IAM ROLES WITH STS ASSUME ROLE temporary security credential
Copyright © 2016 evident.io13 • AutoScaling allows you to increase number of EC2 instances automatically • More instances means site stays up • Small price to pay for site reliability • You may need a temporary increase in EC2 limits • You may need to temporarily increase desired number of instances in ASG • Work with AWS, they may be able to help you on the network edge • Add CloudFront Content Distribution • Add WAF Rate Blacklisting w/Lambda #8 - DAMPEN DDOS WITH COMPLEMENTARY SERVICES
Copyright © 2016 evident.io14 • Unless you really mean it • Like leaving the door wide open • EC2 IP address range is a favorite for scanners • Monitor Security Groups regularly (HINT: Evident.io can help) • Affects not just EC2 instances, but: • ELBs • RDS Database Servers • ElastiCache Clusters • EMR Nodes • and others… #9 - DO NOT ALLOW ALL IN SECURITY GROUPS
Copyright © 2016 evident.io15 • Open S3 buckets a favorite for trolling for API Access Keys • Check your Bucket ACLs regularly • Watch for all grantees, including AuthenticatedUsers • Check your Bucket Policies regularly #10 - WATCH READABLE AND LISTABLE S3 BUCKETS For more content on AWS security and compliance best practices check out the Evident.io blog at blog.evident.io
Copyright © 2016 evident.io16 EVIDENT SECURITY PLATFORM (ESP) FOR AWS A cloud-native solution that automates key cloud security processes and enables consistent enforcement of security policies, best practices and compliance requirements across an organization’s AWS cloud infrastructure. Continuous Visibility and Monitoring 24x7 monitoring, configuration checking & risk-based threat analysis of all AWS Accounts, Services & Regions. Actionable Intelligence Rapid response and guided remediation of security alerts detected by ESP. Security Automation & Integration Manage compliance and automate security policy enforcement across the entire AWS infrastructure.
Copyright © 2016 evident.io17 How It Works
Copyright © 2016 evident.io18 Closing Thoughts: • Compliance ≠ Secure • Think about Residual Risk! • Keep up! Your opposition is.. • Fail Early. Fail Often. • Embrace change • Cloud Security is a full contact (TEAM) sport! • A wise person seeks the counsel of many… • Shoutout to Justin Lundy / John Martinez / John Robel
Copyright © 2016 evident.io19 Online CloudSec Resources http://blog.evident.io/blog/2016/2/10/implementing-the-top-10-aws-security-best-practices https://d0.awsstatic.com/whitepapers/compliance/AWS_CIS_Foundations_Benchmark.pdf https://d0.awsstatic.com/whitepapers/aws-security-whitepaper.pdf https://cloudsecurityalliance.org/download/cloud-controls-matrix-v3-0-1/ https://acloud.guru/learn/aws-certified-solutions-architect-associate https://www.isc2.org/ccsp/default.aspx https://azure.microsoft.com/en-us/blog/topics/security/ https://cloud.google.com/security/ …?
Copyright © 2016 evident.io20 Q & A - ANY QUESTIONS?
THANKS FOR PARTICIPATING! SEBASTIAN TAPHANEL: SEBASTIAN@EVIDENT.IO HTTPS://WWW.LINKEDIN.COM/IN/SEBASTIANTAPHANEL

Empfohlen

Serverless - minimizing the attack surface
Serverless - minimizing the attack surfaceServerless - minimizing the attack surface
Serverless - minimizing the attack surfaceAvi Shulman
 
AWS Re:Invent - Securing HIPAA Compliant Apps in AWS
AWS Re:Invent - Securing HIPAA Compliant Apps in AWSAWS Re:Invent - Securing HIPAA Compliant Apps in AWS
AWS Re:Invent - Securing HIPAA Compliant Apps in AWSControl Group
 
Security Assurance and Governance in AWS (SEC203) | AWS re:Invent 2013
Security Assurance and Governance in AWS (SEC203) | AWS re:Invent 2013Security Assurance and Governance in AWS (SEC203) | AWS re:Invent 2013
Security Assurance and Governance in AWS (SEC203) | AWS re:Invent 2013Amazon Web Services
 
Managing Security with AWS | AWS Public Sector Summit 2017
Managing Security with AWS | AWS Public Sector Summit 2017Managing Security with AWS | AWS Public Sector Summit 2017
Managing Security with AWS | AWS Public Sector Summit 2017Amazon Web Services
 
AWS 201 - A Walk through the AWS Cloud: AWS Security Best Practices
AWS 201 - A Walk through the AWS Cloud: AWS Security Best PracticesAWS 201 - A Walk through the AWS Cloud: AWS Security Best Practices
AWS 201 - A Walk through the AWS Cloud: AWS Security Best PracticesAmazon Web Services
 
Toward Full Stack Security
Toward Full Stack SecurityToward Full Stack Security
Toward Full Stack SecurityAmazon Web Services
 
Security in Serverless world
Security in Serverless worldSecurity in Serverless world
Security in Serverless worldYan Cui
 
Federation
FederationFederation
FederationAmazon Web Services
 

Empfohlen

Serverless - minimizing the attack surface
Serverless - minimizing the attack surfaceServerless - minimizing the attack surface
Serverless - minimizing the attack surfaceAvi Shulman
 
AWS Re:Invent - Securing HIPAA Compliant Apps in AWS
AWS Re:Invent - Securing HIPAA Compliant Apps in AWSAWS Re:Invent - Securing HIPAA Compliant Apps in AWS
AWS Re:Invent - Securing HIPAA Compliant Apps in AWSControl Group
 
Security Assurance and Governance in AWS (SEC203) | AWS re:Invent 2013
Security Assurance and Governance in AWS (SEC203) | AWS re:Invent 2013Security Assurance and Governance in AWS (SEC203) | AWS re:Invent 2013
Security Assurance and Governance in AWS (SEC203) | AWS re:Invent 2013Amazon Web Services
 
Managing Security with AWS | AWS Public Sector Summit 2017
Managing Security with AWS | AWS Public Sector Summit 2017Managing Security with AWS | AWS Public Sector Summit 2017
Managing Security with AWS | AWS Public Sector Summit 2017Amazon Web Services
 
AWS 201 - A Walk through the AWS Cloud: AWS Security Best Practices
AWS 201 - A Walk through the AWS Cloud: AWS Security Best PracticesAWS 201 - A Walk through the AWS Cloud: AWS Security Best Practices
AWS 201 - A Walk through the AWS Cloud: AWS Security Best PracticesAmazon Web Services
 
Toward Full Stack Security
Toward Full Stack SecurityToward Full Stack Security
Toward Full Stack SecurityAmazon Web Services
 
Security in Serverless world
Security in Serverless worldSecurity in Serverless world
Security in Serverless worldYan Cui
 
Federation
FederationFederation
FederationAmazon Web Services
 
Voice of the Customer: Moving to a secure house in the cloud with cutting-edg...
Voice of the Customer: Moving to a secure house in the cloud with cutting-edg...Voice of the Customer: Moving to a secure house in the cloud with cutting-edg...
Voice of the Customer: Moving to a secure house in the cloud with cutting-edg...Amazon Web Services
 
Understanding AWS Security
Understanding AWS Security Understanding AWS Security
Understanding AWS Security Amazon Web Services
 
Aptible, AWS, and Telepharm: Architecting HIPAA compliance for the cloud
Aptible, AWS, and Telepharm: Architecting HIPAA compliance for the cloudAptible, AWS, and Telepharm: Architecting HIPAA compliance for the cloud
Aptible, AWS, and Telepharm: Architecting HIPAA compliance for the cloudAptible
 
AWS security - NULL meet chennai
AWS security - NULL meet chennaiAWS security - NULL meet chennai
AWS security - NULL meet chennaivinoth kumar
 
TechDays Finland 2020: Azuren tietoturva haltuun!
TechDays Finland 2020: Azuren tietoturva haltuun!TechDays Finland 2020: Azuren tietoturva haltuun!
TechDays Finland 2020: Azuren tietoturva haltuun!Karl Ots
 
ISC2 Secure Summit EMEA - Top Microsoft Azure security fails and how to avoid...
ISC2 Secure Summit EMEA - Top Microsoft Azure security fails and how to avoid...ISC2 Secure Summit EMEA - Top Microsoft Azure security fails and how to avoid...
ISC2 Secure Summit EMEA - Top Microsoft Azure security fails and how to avoid...Karl Ots
 
Maturing your organization from DevOps to DevSecOps
Maturing your organization from DevOps to DevSecOpsMaturing your organization from DevOps to DevSecOps
Maturing your organization from DevOps to DevSecOpsAmazon Web Services
 
Cloud Native DDoS Attack Mitigation
Cloud Native DDoS Attack MitigationCloud Native DDoS Attack Mitigation
Cloud Native DDoS Attack MitigationAmazon Web Services
 
Introduction to AWS Organizations
Introduction to AWS OrganizationsIntroduction to AWS Organizations
Introduction to AWS OrganizationsAmazon Web Services
 
Achieving Compliance and Selling to Regulated Markets
Achieving Compliance and Selling to Regulated MarketsAchieving Compliance and Selling to Regulated Markets
Achieving Compliance and Selling to Regulated MarketsAmazon Web Services
 
Overview of secret management solutions and architecture
Overview of secret management solutions and architectureOverview of secret management solutions and architecture
Overview of secret management solutions and architectureYuechuan (Mike) Chen
 
AWS Security: A Practitioner's Perspective
AWS Security: A Practitioner's PerspectiveAWS Security: A Practitioner's Perspective
AWS Security: A Practitioner's PerspectiveJason Chan
 
Automated Intrusion Detection and Response on AWS
Automated Intrusion Detection and Response on AWSAutomated Intrusion Detection and Response on AWS
Automated Intrusion Detection and Response on AWSTeri Radichel
 
A guide on Aws Security Token Service
A guide on Aws Security Token ServiceA guide on Aws Security Token Service
A guide on Aws Security Token ServiceBlazeclan Technologies Private Limited
 
Federation
Federation Federation
Federation Amazon Web Services
 
Become a Cloud Security Ninja - RedLock Lab
Become a Cloud Security Ninja - RedLock LabBecome a Cloud Security Ninja - RedLock Lab
Become a Cloud Security Ninja - RedLock LabAmazon Web Services
 
Introduction to DevSecOps on AWS
Introduction to DevSecOps on AWSIntroduction to DevSecOps on AWS
Introduction to DevSecOps on AWSAmazon Web Services
 
Toward Full Stack Security
Toward Full Stack SecurityToward Full Stack Security
Toward Full Stack SecurityAmazon Web Services
 
AWS WAF
AWS WAFAWS WAF
AWS WAFAmazon Web Services
 
Architecting Security and Governance Across Multi Accounts
Architecting Security and Governance Across Multi AccountsArchitecting Security and Governance Across Multi Accounts
Architecting Security and Governance Across Multi AccountsAmazon Web Services
 
Shared Security Responsibility Model of AWS
Shared Security Responsibility Model of AWSShared Security Responsibility Model of AWS
Shared Security Responsibility Model of AWSAkshay Mathur
 
Protecting Your Data in AWS
Protecting Your Data in AWSProtecting Your Data in AWS
Protecting Your Data in AWSAmazon Web Services
 

Weitere ähnliche Inhalte

Was ist angesagt?

Voice of the Customer: Moving to a secure house in the cloud with cutting-edg...
Voice of the Customer: Moving to a secure house in the cloud with cutting-edg...Voice of the Customer: Moving to a secure house in the cloud with cutting-edg...
Voice of the Customer: Moving to a secure house in the cloud with cutting-edg...Amazon Web Services
 
Aptible, AWS, and Telepharm: Architecting HIPAA compliance for the cloud
Aptible, AWS, and Telepharm: Architecting HIPAA compliance for the cloudAptible, AWS, and Telepharm: Architecting HIPAA compliance for the cloud
Aptible, AWS, and Telepharm: Architecting HIPAA compliance for the cloudAptible
 
AWS security - NULL meet chennai
AWS security - NULL meet chennaiAWS security - NULL meet chennai
AWS security - NULL meet chennaivinoth kumar
 
TechDays Finland 2020: Azuren tietoturva haltuun!
TechDays Finland 2020: Azuren tietoturva haltuun!TechDays Finland 2020: Azuren tietoturva haltuun!
TechDays Finland 2020: Azuren tietoturva haltuun!Karl Ots
 
ISC2 Secure Summit EMEA - Top Microsoft Azure security fails and how to avoid...
ISC2 Secure Summit EMEA - Top Microsoft Azure security fails and how to avoid...ISC2 Secure Summit EMEA - Top Microsoft Azure security fails and how to avoid...
ISC2 Secure Summit EMEA - Top Microsoft Azure security fails and how to avoid...Karl Ots
 
Maturing your organization from DevOps to DevSecOps
Maturing your organization from DevOps to DevSecOpsMaturing your organization from DevOps to DevSecOps
Maturing your organization from DevOps to DevSecOpsAmazon Web Services
 
Cloud Native DDoS Attack Mitigation
Cloud Native DDoS Attack MitigationCloud Native DDoS Attack Mitigation
Cloud Native DDoS Attack MitigationAmazon Web Services
 
Introduction to AWS Organizations
Introduction to AWS OrganizationsIntroduction to AWS Organizations
Introduction to AWS OrganizationsAmazon Web Services
 
Achieving Compliance and Selling to Regulated Markets
Achieving Compliance and Selling to Regulated MarketsAchieving Compliance and Selling to Regulated Markets
Achieving Compliance and Selling to Regulated MarketsAmazon Web Services
 
Overview of secret management solutions and architecture
Overview of secret management solutions and architectureOverview of secret management solutions and architecture
Overview of secret management solutions and architectureYuechuan (Mike) Chen
 
AWS Security: A Practitioner's Perspective
AWS Security: A Practitioner's PerspectiveAWS Security: A Practitioner's Perspective
AWS Security: A Practitioner's PerspectiveJason Chan
 
Automated Intrusion Detection and Response on AWS
Automated Intrusion Detection and Response on AWSAutomated Intrusion Detection and Response on AWS
Automated Intrusion Detection and Response on AWSTeri Radichel
 
Become a Cloud Security Ninja - RedLock Lab
Become a Cloud Security Ninja - RedLock LabBecome a Cloud Security Ninja - RedLock Lab
Become a Cloud Security Ninja - RedLock LabAmazon Web Services
 
Introduction to DevSecOps on AWS
Introduction to DevSecOps on AWSIntroduction to DevSecOps on AWS
Introduction to DevSecOps on AWSAmazon Web Services
 
Architecting Security and Governance Across Multi Accounts
Architecting Security and Governance Across Multi AccountsArchitecting Security and Governance Across Multi Accounts
Architecting Security and Governance Across Multi AccountsAmazon Web Services
 

Was ist angesagt? (20)

Voice of the Customer: Moving to a secure house in the cloud with cutting-edg...
Voice of the Customer: Moving to a secure house in the cloud with cutting-edg...Voice of the Customer: Moving to a secure house in the cloud with cutting-edg...
Voice of the Customer: Moving to a secure house in the cloud with cutting-edg...
 
Understanding AWS Security
Understanding AWS Security Understanding AWS Security
Understanding AWS Security
 
Aptible, AWS, and Telepharm: Architecting HIPAA compliance for the cloud
Aptible, AWS, and Telepharm: Architecting HIPAA compliance for the cloudAptible, AWS, and Telepharm: Architecting HIPAA compliance for the cloud
Aptible, AWS, and Telepharm: Architecting HIPAA compliance for the cloud
 
AWS security - NULL meet chennai
AWS security - NULL meet chennaiAWS security - NULL meet chennai
AWS security - NULL meet chennai
 
TechDays Finland 2020: Azuren tietoturva haltuun!
TechDays Finland 2020: Azuren tietoturva haltuun!TechDays Finland 2020: Azuren tietoturva haltuun!
TechDays Finland 2020: Azuren tietoturva haltuun!
 
ISC2 Secure Summit EMEA - Top Microsoft Azure security fails and how to avoid...
ISC2 Secure Summit EMEA - Top Microsoft Azure security fails and how to avoid...ISC2 Secure Summit EMEA - Top Microsoft Azure security fails and how to avoid...
ISC2 Secure Summit EMEA - Top Microsoft Azure security fails and how to avoid...
 
Maturing your organization from DevOps to DevSecOps
Maturing your organization from DevOps to DevSecOpsMaturing your organization from DevOps to DevSecOps
Maturing your organization from DevOps to DevSecOps
 
Cloud Native DDoS Attack Mitigation
Cloud Native DDoS Attack MitigationCloud Native DDoS Attack Mitigation
Cloud Native DDoS Attack Mitigation
 
Introduction to AWS Organizations
Introduction to AWS OrganizationsIntroduction to AWS Organizations
Introduction to AWS Organizations
 
Achieving Compliance and Selling to Regulated Markets
Achieving Compliance and Selling to Regulated MarketsAchieving Compliance and Selling to Regulated Markets
Achieving Compliance and Selling to Regulated Markets
 
Overview of secret management solutions and architecture
Overview of secret management solutions and architectureOverview of secret management solutions and architecture
Overview of secret management solutions and architecture
 
AWS Security: A Practitioner's Perspective
AWS Security: A Practitioner's PerspectiveAWS Security: A Practitioner's Perspective
AWS Security: A Practitioner's Perspective
 
Automated Intrusion Detection and Response on AWS
Automated Intrusion Detection and Response on AWSAutomated Intrusion Detection and Response on AWS
Automated Intrusion Detection and Response on AWS
 
A guide on Aws Security Token Service
A guide on Aws Security Token ServiceA guide on Aws Security Token Service
A guide on Aws Security Token Service
 
Federation
Federation Federation
Federation
 
Become a Cloud Security Ninja - RedLock Lab
Become a Cloud Security Ninja - RedLock LabBecome a Cloud Security Ninja - RedLock Lab
Become a Cloud Security Ninja - RedLock Lab
 
Introduction to DevSecOps on AWS
Introduction to DevSecOps on AWSIntroduction to DevSecOps on AWS
Introduction to DevSecOps on AWS
 
Toward Full Stack Security
Toward Full Stack SecurityToward Full Stack Security
Toward Full Stack Security
 
AWS WAF
AWS WAFAWS WAF
AWS WAF
 
Architecting Security and Governance Across Multi Accounts
Architecting Security and Governance Across Multi AccountsArchitecting Security and Governance Across Multi Accounts
Architecting Security and Governance Across Multi Accounts
 

Ähnlich wie Implementing the Top 10 AWS Security Best Practices

Shared Security Responsibility Model of AWS
Shared Security Responsibility Model of AWSShared Security Responsibility Model of AWS
Shared Security Responsibility Model of AWSAkshay Mathur
 
Jobvite: A Holistic Approach to Security
Jobvite: A Holistic Approach to SecurityJobvite: A Holistic Approach to Security
Jobvite: A Holistic Approach to SecurityTheodore Kim
 
Security at Scale with AWS - AWS Summit Cape Town 2017
Security at Scale with AWS - AWS Summit Cape Town 2017 Security at Scale with AWS - AWS Summit Cape Town 2017
Security at Scale with AWS - AWS Summit Cape Town 2017 Amazon Web Services
 
AWS & Infrastructure Hardening - Cloud Infrastructure Security
AWS & Infrastructure Hardening - Cloud Infrastructure SecurityAWS & Infrastructure Hardening - Cloud Infrastructure Security
AWS & Infrastructure Hardening - Cloud Infrastructure SecurityNutanix Beam
 
Introduction to AWS Security
Introduction to AWS SecurityIntroduction to AWS Security
Introduction to AWS SecurityLalitMohanSharma8
 
Hands on Setup and Overview of AWS Console, AWS CLI, AWS SDK, Boto 3
Hands on Setup and Overview of AWS Console, AWS CLI, AWS SDK, Boto 3Hands on Setup and Overview of AWS Console, AWS CLI, AWS SDK, Boto 3
Hands on Setup and Overview of AWS Console, AWS CLI, AWS SDK, Boto 3Amazon Web Services
 
Justin Fox_NuData Security_A Master_Card_Company_June 9 2017_presentation
Justin Fox_NuData Security_A Master_Card_Company_June 9 2017_presentationJustin Fox_NuData Security_A Master_Card_Company_June 9 2017_presentation
Justin Fox_NuData Security_A Master_Card_Company_June 9 2017_presentationTriNimbus
 
AWS Security Best Practices (March 2017)
AWS Security Best Practices (March 2017)AWS Security Best Practices (March 2017)
AWS Security Best Practices (March 2017)Julien SIMON
 
Security best practices on AWS - Pop-up Loft TLV 2017
Security best practices on AWS - Pop-up Loft TLV 2017Security best practices on AWS - Pop-up Loft TLV 2017
Security best practices on AWS - Pop-up Loft TLV 2017Amazon Web Services
 
Secure Configuration and Automation Overview
Secure Configuration and Automation OverviewSecure Configuration and Automation Overview
Secure Configuration and Automation OverviewAmazon Web Services
 
Securing AWS environments by Ankit Giri
Securing AWS environments by Ankit GiriSecuring AWS environments by Ankit Giri
Securing AWS environments by Ankit GiriOWASP Delhi
 
Welcome to the Jungle: Pentesting AWS
Welcome to the Jungle: Pentesting AWSWelcome to the Jungle: Pentesting AWS
Welcome to the Jungle: Pentesting AWSMike Felch
 
Top 10 AWS Security and Compliance best practices
Top 10 AWS Security and Compliance best practicesTop 10 AWS Security and Compliance best practices
Top 10 AWS Security and Compliance best practicesAhmad Khan
 
AWS re:Invent 2016: The AWS Hero’s Journey to Achieving Autonomous, Self-Heal...
AWS re:Invent 2016: The AWS Hero’s Journey to Achieving Autonomous, Self-Heal...AWS re:Invent 2016: The AWS Hero’s Journey to Achieving Autonomous, Self-Heal...
AWS re:Invent 2016: The AWS Hero’s Journey to Achieving Autonomous, Self-Heal...Amazon Web Services
 
Security in the cloud Workshop HSTC 2014
Security in the cloud Workshop HSTC 2014Security in the cloud Workshop HSTC 2014
Security in the cloud Workshop HSTC 2014Akash Mahajan
 
Security Architecture recommendations for your new AWS operation - Pop-up Lof...
Security Architecture recommendations for your new AWS operation - Pop-up Lof...Security Architecture recommendations for your new AWS operation - Pop-up Lof...
Security Architecture recommendations for your new AWS operation - Pop-up Lof...Amazon Web Services
 
Hackproof Your Cloud: Responding to 2016 Threats
Hackproof Your Cloud: Responding to 2016 ThreatsHackproof Your Cloud: Responding to 2016 Threats
Hackproof Your Cloud: Responding to 2016 ThreatsAmazon Web Services
 

Ähnlich wie Implementing the Top 10 AWS Security Best Practices (20)

Shared Security Responsibility Model of AWS
Shared Security Responsibility Model of AWSShared Security Responsibility Model of AWS
Shared Security Responsibility Model of AWS
 
Protecting Your Data in AWS
Protecting Your Data in AWSProtecting Your Data in AWS
Protecting Your Data in AWS
 
Jobvite: A Holistic Approach to Security
Jobvite: A Holistic Approach to SecurityJobvite: A Holistic Approach to Security
Jobvite: A Holistic Approach to Security
 
Security at Scale with AWS - AWS Summit Cape Town 2017
Security at Scale with AWS - AWS Summit Cape Town 2017 Security at Scale with AWS - AWS Summit Cape Town 2017
Security at Scale with AWS - AWS Summit Cape Town 2017
 
AWS & Infrastructure Hardening - Cloud Infrastructure Security
AWS & Infrastructure Hardening - Cloud Infrastructure SecurityAWS & Infrastructure Hardening - Cloud Infrastructure Security
AWS & Infrastructure Hardening - Cloud Infrastructure Security
 
Introduction to AWS Security
Introduction to AWS SecurityIntroduction to AWS Security
Introduction to AWS Security
 
Hands on Setup and Overview of AWS Console, AWS CLI, AWS SDK, Boto 3
Hands on Setup and Overview of AWS Console, AWS CLI, AWS SDK, Boto 3Hands on Setup and Overview of AWS Console, AWS CLI, AWS SDK, Boto 3
Hands on Setup and Overview of AWS Console, AWS CLI, AWS SDK, Boto 3
 
Justin Fox_NuData Security_A Master_Card_Company_June 9 2017_presentation
Justin Fox_NuData Security_A Master_Card_Company_June 9 2017_presentationJustin Fox_NuData Security_A Master_Card_Company_June 9 2017_presentation
Justin Fox_NuData Security_A Master_Card_Company_June 9 2017_presentation
 
AWS Security Best Practices (March 2017)
AWS Security Best Practices (March 2017)AWS Security Best Practices (March 2017)
AWS Security Best Practices (March 2017)
 
Security best practices on AWS - Pop-up Loft TLV 2017
Security best practices on AWS - Pop-up Loft TLV 2017Security best practices on AWS - Pop-up Loft TLV 2017
Security best practices on AWS - Pop-up Loft TLV 2017
 
Secure Configuration and Automation Overview
Secure Configuration and Automation OverviewSecure Configuration and Automation Overview
Secure Configuration and Automation Overview
 
Benefits of Cloud Computing
Benefits of Cloud ComputingBenefits of Cloud Computing
Benefits of Cloud Computing
 
Securing AWS environments by Ankit Giri
Securing AWS environments by Ankit GiriSecuring AWS environments by Ankit Giri
Securing AWS environments by Ankit Giri
 
Aws tutorial
Aws tutorialAws tutorial
Aws tutorial
 
Welcome to the Jungle: Pentesting AWS
Welcome to the Jungle: Pentesting AWSWelcome to the Jungle: Pentesting AWS
Welcome to the Jungle: Pentesting AWS
 
Top 10 AWS Security and Compliance best practices
Top 10 AWS Security and Compliance best practicesTop 10 AWS Security and Compliance best practices
Top 10 AWS Security and Compliance best practices
 
AWS re:Invent 2016: The AWS Hero’s Journey to Achieving Autonomous, Self-Heal...
AWS re:Invent 2016: The AWS Hero’s Journey to Achieving Autonomous, Self-Heal...AWS re:Invent 2016: The AWS Hero’s Journey to Achieving Autonomous, Self-Heal...
AWS re:Invent 2016: The AWS Hero’s Journey to Achieving Autonomous, Self-Heal...
 
Security in the cloud Workshop HSTC 2014
Security in the cloud Workshop HSTC 2014Security in the cloud Workshop HSTC 2014
Security in the cloud Workshop HSTC 2014
 
Security Architecture recommendations for your new AWS operation - Pop-up Lof...
Security Architecture recommendations for your new AWS operation - Pop-up Lof...Security Architecture recommendations for your new AWS operation - Pop-up Lof...
Security Architecture recommendations for your new AWS operation - Pop-up Lof...
 
Hackproof Your Cloud: Responding to 2016 Threats
Hackproof Your Cloud: Responding to 2016 ThreatsHackproof Your Cloud: Responding to 2016 Threats
Hackproof Your Cloud: Responding to 2016 Threats
 

Kürzlich hochgeladen

Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEarley Information Science
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsJoaquim Jorge
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024Results
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?Igalia
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 

Kürzlich hochgeladen (20)

Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 

Implementing the Top 10 AWS Security Best Practices

  • 1. Copyright © 2016 evident.io1 IMPLEMENTING THE TOP 10 AWS SECURITY BEST PRACTICES Justin Lundy, Co-Founder / CTO Sebastian Taphanel CISSP-ISSEP, Federal Solutions Architect 6 April 2016
  • 2. Copyright © 2016 evident.io2 When we gave developers the power to create infrastructure, security became their responsibility, too. Security *IS* a Shared Responsibility
  • 3. Copyright © 2016 evident.io3 AWS Shared Security Responsibility Model
  • 4. Copyright © 2016 evident.io4 Top 10 AWS Security Best Practices 1. Disable root API access key and secret key 2. Enable MFA tokens everywhere 3. Reduce number of IAM users with Admin rights 4. Use Roles for EC2 5. Least privilege: limit what IAM entities can do with strong/explicit policies 6. Rotate all the keys regularly 7. Use IAM roles with STS AssumeRole where possible 8. Dampen DDoS with Complementary Servcies 9. Do not allow 0.0.0.0/0 in any EC2/ELB security group unless you mean it 10. Watch world-readable/listable S3 bucket policies 0. Enable CloudTrail Logging & Encryption http://blog.evident.io/blog/2016/2/10/implementing-the-top-10-aws-security-best-practices
  • 5. Copyright © 2016 evident.io5 • Do this first • You can’t get a log file if you don’t turn it on • Consolidate logs • Set up S3 Lifecycle • Only enable one global region • Encrypt everywhere • S3 • EBS • SSL • Rest • Flight • Not only at night… #0 - ENABLE CLOUDTRAIL LOGGING & ENCRYPTION
  • 6. Copyright © 2016 evident.io6 • “Root” account has no restrictions • Create administrative IAM users • Use Roles for EC2 (#4) • Make sure billing and contact questions are filled out • Bonus: Set up MFA on root and throw away the key! #1 - DISABLE ROOT ACCOUNT API ACCESS KEY
  • 7. Copyright © 2016 evident.io7 #2 - ENABLE MFA TOKENS EVERYWHERE • Provide an additional factor to the authentication step • MFA is assigned to root account and IAM users • Can be assigned to roles • Physical or virtual • Virtual has choices (Google Authenticator, Authy, etc.)
  • 8. Copyright © 2016 evident.io8 • How many people have the keys to your kingdom? • Not just people - apps • Review IAM policies on Users, Groups and Roles • Remember #1 • Consider Identity Federation #3 - REDUCE NUMBER OF IAM USERS WITH ADMIN
  • 9. Copyright © 2016 evident.io9 • Do your EC2 instances need to contact other AWS Services? • AWS SDKs and aws-cli support EC2 Roles • Reduced attack surface area • Secure DevOps on EC2 • Create an EC2 specific role • Assign a specific policy to that role • Launch an EC2 instance with that role • Easy to test with aws-cli on EC2 #4 - USE ROLES FOR EC2
  • 10. Copyright © 2016 evident.io10 • Programs should operate using the least amount of privilege to get the job done • IAM can get very granular • Works in tandem with #4 on EC2 • Should be applied to all automated workflows, too • Very specific IAM policies - only allow what you mean • IAM managed policies make this easier • Use the IAM policy generator and policy simulator to help #5 - LEAST PRIVILEGE
  • 11. Copyright © 2016 evident.io11 • Compromised access keys are very annoying and can cost your business dearly • IAM users should have keys rotated every 90 days minimum • Mostly useful for when Roles for EC2 won’t work in automated workflows • Sample process: • Track age of Access Keys • Create new key • Supply key to automation process • Test • Deactivate old key #6 - ROTATE ALL THE KEYS REGULARLY
  • 12. Copyright © 2016 evident.io12 • Similar to EC2 Roles • Can be used in place of privileged IAM user Access Keys • Temporary credentials • Allows for 3rd parties such as Evident.io to access your AWS accounts more securely • Extended version of AssumeRole allows for Identity Federation #7 - USE IAM ROLES WITH STS ASSUME ROLE temporary security credential
  • 13. Copyright © 2016 evident.io13 • AutoScaling allows you to increase number of EC2 instances automatically • More instances means site stays up • Small price to pay for site reliability • You may need a temporary increase in EC2 limits • You may need to temporarily increase desired number of instances in ASG • Work with AWS, they may be able to help you on the network edge • Add CloudFront Content Distribution • Add WAF Rate Blacklisting w/Lambda #8 - DAMPEN DDOS WITH COMPLEMENTARY SERVICES
  • 14. Copyright © 2016 evident.io14 • Unless you really mean it • Like leaving the door wide open • EC2 IP address range is a favorite for scanners • Monitor Security Groups regularly (HINT: Evident.io can help) • Affects not just EC2 instances, but: • ELBs • RDS Database Servers • ElastiCache Clusters • EMR Nodes • and others… #9 - DO NOT ALLOW ALL IN SECURITY GROUPS
  • 15. Copyright © 2016 evident.io15 • Open S3 buckets a favorite for trolling for API Access Keys • Check your Bucket ACLs regularly • Watch for all grantees, including AuthenticatedUsers • Check your Bucket Policies regularly #10 - WATCH READABLE AND LISTABLE S3 BUCKETS For more content on AWS security and compliance best practices check out the Evident.io blog at blog.evident.io
  • 16. Copyright © 2016 evident.io16 EVIDENT SECURITY PLATFORM (ESP) FOR AWS A cloud-native solution that automates key cloud security processes and enables consistent enforcement of security policies, best practices and compliance requirements across an organization’s AWS cloud infrastructure. Continuous Visibility and Monitoring 24x7 monitoring, configuration checking & risk-based threat analysis of all AWS Accounts, Services & Regions. Actionable Intelligence Rapid response and guided remediation of security alerts detected by ESP. Security Automation & Integration Manage compliance and automate security policy enforcement across the entire AWS infrastructure.
  • 17. Copyright © 2016 evident.io17 How It Works
  • 18. Copyright © 2016 evident.io18 Closing Thoughts: • Compliance ≠ Secure • Think about Residual Risk! • Keep up! Your opposition is.. • Fail Early. Fail Often. • Embrace change • Cloud Security is a full contact (TEAM) sport! • A wise person seeks the counsel of many… • Shoutout to Justin Lundy / John Martinez / John Robel
  • 19. Copyright © 2016 evident.io19 Online CloudSec Resources http://blog.evident.io/blog/2016/2/10/implementing-the-top-10-aws-security-best-practices https://d0.awsstatic.com/whitepapers/compliance/AWS_CIS_Foundations_Benchmark.pdf https://d0.awsstatic.com/whitepapers/aws-security-whitepaper.pdf https://cloudsecurityalliance.org/download/cloud-controls-matrix-v3-0-1/ https://acloud.guru/learn/aws-certified-solutions-architect-associate https://www.isc2.org/ccsp/default.aspx https://azure.microsoft.com/en-us/blog/topics/security/ https://cloud.google.com/security/ …?
  • 20. Copyright © 2016 evident.io20 Q & A - ANY QUESTIONS?
  • 21. THANKS FOR PARTICIPATING! SEBASTIAN TAPHANEL: SEBASTIAN@EVIDENT.IO HTTPS://WWW.LINKEDIN.COM/IN/SEBASTIANTAPHANEL