aws lunch and learn - security
DESCRIPTION
Amazon Web Services Lunch and Learn session: How Security works on AWS and how you can architect for it
TRANSCRIPT
How Security Works in AWS &
How You Can Architect For It
Markku Lepistö
Principal Technology Evangelist @markkulepisto
AWS Cloud Security
“Based on our experience, I believe that we can be even more secure in the AWS cloud than in our own data centers.”
-Tom Soderstrom, CTO, NASA JPL
Visibility – In the AWS cloud, see your entire infrastructure at the click of a mouse – Can you map your current network?
Defense in Depth
Multi-level security
• Physical security of the data centers
• Network security
• System security
• Data security
Gain access to a world-class security team
Where would some of the world’s top security people like to work? At scale on huge challenges with huge rewards.
So AWS has world-class security and compliance teams watching your back! Every customer benefits from the tough scrutiny of other AWS customers.
Build everything on a constantly improving security baseline
AWS Foundation Services: Compute, Storage, Database, Networking
AWS Global Infrastructure: Regions, Availability Zones, Edge Locations
Customers: Client-side Data Encryption, Server-side Data Encryption, Network Traffic Protection, Platform, Applications, Identity & Access Management, Operating System, Network & Firewall Configuration, Customer content
Let AWS do the heavy lifting for you
Customers are responsible for their security and compliance IN the Cloud
AWS is responsible for the security OF the Cloud
Built on AWS consistent baseline controls (AWS Foundation Services and AWS Global Infrastructure)
Customers: Your own accreditation, Your own certifications, Your own external audits
Meet your own security objectives
Customer scope and effort is reduced
Better results through focused efforts
AWS Regions: US-EAST (Virginia), US-WEST (N. California), US-WEST (Oregon), GOV CLOUD, EU-WEST (Ireland), ASIA PAC (Tokyo), ASIA PAC (Singapore), ASIA PAC (Sydney), SOUTH AMERICA (Sao Paulo)
You can stay onshore in any location that you need to
• You can choose to keep all your content onshore in any AWS region of YOUR choice
• AWS makes no secondary use of customer content
• Managing your privacy objectives any way that you want
• Keep data in your chosen format and move it, or delete it, at any time you choose
• No automatic replication of data outside of your chosen AWS Region
• Customers can encrypt their content any way they choose
You always have full ownership and control
You can improve your security with the AWS cloud
Every solution can be resilient and fault tolerant
AWS operates scalable, fault tolerant services
• Build resilient solutions operating in multiple datacenters
• AWS helps simplify active-active resilient solutions
All AWS facilities are always on
• No need for a “Disaster Recovery Datacenter” when you can have resilience
• Every AWS facility managed to the same global standards
AWS has robust connectivity and bandwidth
• Each AZ has multiple, redundant Tier 1 ISP Service Providers
• Resilient network infrastructure
Every network has fine-grained security built-in
(diagram: Availability Zone A, Availability Zone B)
You control your VPC address range
• Your own private, isolated section of the AWS cloud
• Every VPC has a private IP address space you define
• Create your own subnets and control all internal and external connectivity
AWS network security
• AWS network will prevent spoofing and other common layer 2 attacks
• Every compute instance gets multiple security groups - stateful firewalls
• Every subnet gets network access control lists
You can create multi-tier architectures every time
(diagram: VPC A - 10.0.0.0/16, Availability Zone A, subnets 10.0.1.0/24 to 10.0.5.0/24; load balancing, EC2 Web, EC2 App, EC2 Log, jump host)
Firewall every single compute instance
(diagram: VPC A - 10.0.0.0/16, Availability Zone A, subnets 10.0.1.0/24 to 10.0.5.0/24; load balancing, EC2 Web, EC2 App, EC2 Log, jump host)
“Web servers will accept Port 80 from load balancers”
“App servers will accept Port 8080 from web servers”
“Allow SSH access only from Jump Hosts”
Enable network access control on every subnet
(diagram: VPC A - 10.0.0.0/16, Availability Zone A, subnets 10.0.1.0/24 to 10.0.5.0/24; load balancing, EC2 Web, EC2 App, EC2 Log, jump host)
“Deny all traffic between the web server subnet and the database server subnet”
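The security-group rules quoted on the instance-firewall slide and the subnet NACL rule above, modelled together as an added example (not code from the session or from AWS) so you can see why a flow must pass both layers; the subnet roles, the db group, the admin CIDR and the rule numbers are assumptions:

```python
import ipaddress
from collections import namedtuple

# Constructed model of the slide rules. Security groups are stateful and may
# name another group as the source; NACLs are stateless, numbered, evaluated
# lowest number first, and can deny. Subnet roles and the db group are assumptions.
Instance = namedtuple("Instance", "name ip groups")  # groups: security group names
# Inbound rules: (protocol, port, source); source is a group name or a CIDR.
SECURITY_GROUPS = {
    "lb":   [("tcp", 80, "0.0.0.0/0")],
    "web":  [("tcp", 80, "lb"), ("tcp", 22, "jump")],     # port 80 from load balancers
    "app":  [("tcp", 8080, "web"), ("tcp", 22, "jump")],  # port 8080 from web servers
    "db":   [("tcp", 3306, "app"), ("tcp", 22, "jump")],  # assumed database tier
    "jump": [("tcp", 22, "198.51.100.0/24")],             # constructed admin range
}
WEB_SUBNET, DB_SUBNET = "10.0.1.0/24", "10.0.3.0/24"  # assumed roles for two of the /24s
# NACL rules: (rule number, action, remote CIDR), applied in both directions because
# NACLs are stateless and the slide denies traffic "between" the two subnets.
NACLS = {
    WEB_SUBNET: [(100, "deny", DB_SUBNET), (32767, "allow", "0.0.0.0/0")],
    DB_SUBNET:  [(100, "deny", WEB_SUBNET), (32767, "allow", "0.0.0.0/0")],
}
DEFAULT_NACL = [(32767, "allow", "0.0.0.0/0")]  # subnets without a custom ACL

def subnet_of(ip):
    addr = ipaddress.ip_address(ip)
    return next((s for s in NACLS if addr in ipaddress.ip_network(s)), None)

def nacl_allows(subnet, remote_ip):
    """First numbered rule whose CIDR matches decides; no match means deny."""
    for _, action, cidr in sorted(NACLS.get(subnet, DEFAULT_NACL)):
        if ipaddress.ip_address(remote_ip) in ipaddress.ip_network(cidr):
            return action == "allow"
    return False

def sg_allows(src, dst, proto, port):
    """Any rule on any of dst's groups that matches src by group or by CIDR."""
    for g in dst.groups:
        for rproto, rport, rsrc in SECURITY_GROUPS[g]:
            if (rproto, rport) != (proto, port):
                continue
            if "/" in rsrc and ipaddress.ip_address(src.ip) in ipaddress.ip_network(rsrc):
                return True
            if "/" not in rsrc and rsrc in src.groups:
                return True
    return False

def flow_allowed(src, dst, proto, port):
    # Both subnet NACLs must pass, then the destination's security groups.
    return (nacl_allows(subnet_of(src.ip), dst.ip)
            and nacl_allows(subnet_of(dst.ip), src.ip)
            and sg_allows(src, dst, proto, port))
```

An instance that lands in the web subnet with the app group attached still cannot reach the database, because the NACL denies the subnet pair before the security group is consulted.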
Control every Internet connection
(diagram: VPC A - 10.0.0.0/16, Availability Zone A, subnets 10.0.1.0/24 to 10.0.4.0/24; Internet Gateway, load balancing, EC2 Web, EC2 App)
Control Internet routing
• Create Public subnets and Private subnets
• Implement DMZ architectures as per normal best practices
• Allocate static Elastic IP addresses or use AWS-managed public IP addresses
Connect in private to your existing datacentres
(diagram: VPC A - 10.0.0.0/16, Availability Zone A, subnets 10.0.1.0/24 to 10.0.4.0/24; load balancing, EC2 Web, EC2 App; Your premises)
Use Internet VPNs or use AWS Direct Connect
You can route to the Internet using your gateway
(diagram: VPC A - 10.0.0.0/16, Availability Zone A, subnets 10.0.1.0/24 to 10.0.4.0/24; load balancing, EC2 Web, EC2 App; Your premises connected over Internet VPNs or AWS Direct Connect)
Create flexible multi-VPC hybrid environments
(diagram: Your organisation – Project Teams, Marketing, Business Units, Reporting, Digital / Websites, Dev and Test, Analytics (Redshift, EMR), Internal Enterprise Apps, Storage/Backup (Amazon S3, Amazon Glacier))
Every website can absorb attacks and scale out
(diagram: distributed attackers and customers reach Route53 and CloudFront in front of Your VPC in the Singapore region; WAF, ELB and App tiers each with Auto Scaling; Amazon S3)
You can encrypt your sensitive information everywhere
Encrypt your Elastic Block Store volumes any way you like
• AWS native EBS encryption for free with a mouse-click
• Encrypt yourself using free utilities, plus Trend, SafeNet and other partners for high-assurance key management solutions
Amazon S3 offers either server or client-side encryption
• Manage your own keys or let AWS do it for you
Redshift has one-click disk encryption as standard
• Encrypt your data analytics
• You can supply your own keys
RDS supports transparent data encryption (TDE)
• Easily encrypt sensitive database tables
You can store your encryption keys in AWS CloudHSM
Tamper-resistant customer controlled hardware security modules within your VPC
• Industry-standard SafeNet Luna devices. Common Criteria EAL4+, NIST FIPS 140-2 certified
• No access from Amazon administrators who manage and maintain the appliance
• High availability and replication with on-premise HSMs
Reliable & Durable Key Storage
• Use for transparent data encryption on self-managed databases and natively with AWS Redshift
• Integrate with applications using Java APIs and AWS SDKs
• Integration with marketplace disk-encryption and SSL
You can use your own HSMs if you want
(diagram: Your premises with Applications and Your HSM, synchronised through NAT to CloudHSM in the VPC; volume, object, database encryption; signing / DRM / apps; EC2, EBS, S3, Amazon S3, Amazon Glacier)
You can enforce consistent security on your hosts
(diagram: launch instance from the AMI catalogue, then configure the running instance: hardening, audit and logging, vulnerability management, malware and HIPS, whitelisting and integrity, user administration, operating system)
You control the configuration of your EC2 compute instances and can configure and harden operating environments to your own specs
Use host-based protection software
• Apply best-practice top 5 mitigation strategies!
Think about how you will manage administrative users
• Restrict access as much as possible
Build out the rest of your standard security environment
• Connect to your existing services, e.g. SIEM
Old World – Static, Fixed Systems
(diagram: DB1 DB2, App1 App2, Web1 Web2, SW1 SW2, LB1 LB2)
“Cloud applications have amorphous, polymorphic attack surfaces.”
-Jason Chan, Director of Engineering, Cloud Security, Netflix
What’s not there is not a hole
Install Only the Packages You Use
(diagram: YOUR CODE, CORE SERVICES, 3rd PARTY LIBRARIES, OPERATING SYSTEM)
• Operating system: bare minimum, Just-enough-OS
• Install & run only the services you use
• Install only the libraries you use
• Upgrade & Patch ALL Continuously
• Each app tier has only its own code
« Cloud Instance is an implementation of a known, good state »
-Dr Rich Wolski, UCSB
(diagram: three AMIs, each stacked YOUR CODE / CORE SERVICES / 3rd PARTY LIBRARIES / OPERATING SYSTEM)
AWS Services for Application Lifecycle Management (Control ↔ Convenience)
• Pre-baked Image, or Base OS Image + Orchestration
• 3rd Party Configuration Mgmt & Orchestration Tools
• AWS OpsWorks – DevOps framework for application lifecycle management and automation
• AWS CloudFormation – Templates to deploy & update infrastructure as code
• AWS Elastic Beanstalk – Automated resource management – web apps made easy
• DIY / On Demand – DIY, on demand resources: EC2, S3, custom AMIs, etc.
Validate All Inputs
Your Code
Never Assume Input Validity – Strict Checks and Discard
API / Interface / Port
Control access and segregate duties everywhere
With AWS IAM you get to control who can do what in your AWS environment and from where
• Fine-grained control of your AWS cloud with two-factor authentication
• Integrated with your existing corporate directory using SAML 2.0 and single sign-on
(diagram: AWS account owner delegating to Network management, Security management, Server management, Storage management)
Get consistent visibility of logs that you can monitor
Full visibility of your AWS environment
• CloudTrail will record access to API calls and save logs in your S3 buckets, no matter how those API calls were made
• Who did what and when and from what IP address
• Support for many AWS services and growing - includes EC2, EBS, VPC, RDS, IAM and RedShift
• Easily Aggregate all log information
• Out of the box integration with log analysis tools from AWS partners including Splunk, AlertLogic and SumoLogic
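What "who did what, when and from what IP address" looks like in practice, as an added example (not from the session or from AWS): a small review pass over constructed CloudTrail-style records that flags state-changing calls from outside the office address on the demo slide, root-account use, and console logins without MFA. The records and the read-only prefix list are assumptions; the field names follow the CloudTrail record format.

```python
import json
from collections import Counter

# Constructed CloudTrail-style records (the real service delivers JSON files
# with a "Records" array to the S3 bucket you choose; field names match it).
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventTime": "2014-05-12T03:14:07Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress", "awsRegion": "ap-southeast-1",
     "sourceIPAddress": "54.92.27.101", "userAgent": "console.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "userName": "netadmin"}},
    {"eventTime": "2014-05-12T03:20:41Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateAccessKey", "awsRegion": "us-east-1",
     "sourceIPAddress": "198.51.100.23", "userAgent": "aws-cli/1.3.6",
     "userIdentity": {"type": "IAMUser", "userName": "devbuild"}},
    {"eventTime": "2014-05-12T03:22:05Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "awsRegion": "us-east-1",
     "sourceIPAddress": "198.51.100.23", "userAgent": "Mozilla/5.0",
     "userIdentity": {"type": "Root"},
     "additionalEventData": {"MFAUsed": "No"}},
]})

# Office VPN gateway address from the demo slide; anything else gets a second look.
KNOWN_SOURCES = {"54.92.27.101"}
# Assumed read-only prefixes; every other API name is treated as a state change.
READ_ONLY = ("Describe", "List", "Get")

def summarise(record):
    """Answer 'who did what, when, from where' for one record."""
    ident = record["userIdentity"]
    who = ident.get("userName") or ident.get("type")
    return (record["eventTime"], who, record["eventName"], record["sourceIPAddress"])

def review(trail_json):
    """Return (findings, calls per identity) for one CloudTrail delivery file."""
    records = json.loads(trail_json)["Records"]
    findings = []
    for r in records:
        when, who, what, where = summarise(r)
        if where not in KNOWN_SOURCES and not what.startswith(READ_ONLY):
            findings.append(f"{when} {who} {what} from unexpected address {where}")
        if r["userIdentity"].get("type") == "Root":
            findings.append(f"{when} root account used for {what} from {where}")
        if what == "ConsoleLogin" and r.get("additionalEventData", {}).get("MFAUsed") == "No":
            findings.append(f"{when} {who} console login without MFA from {where}")
    return findings, Counter(summarise(r)[1] for r in records)
```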
You get to do all of this in DEVELOPMENT, TESTING, PRE-PRODUCTION and LIVE
Further info and how to get AWS support
Read AWS security whitepapers, tips and good practices
• http://blogs.aws.amazon.com/security
• http://aws.amazon.com/compliance
• http://aws.amazon.com/security
• Risk and compliance, best practices, audit guides and operational checklists to help you before you go live
• Workshop solutions with an AWS solutions architect, including me!
• Get free trials of security from AWS Partners on the AWS marketplace
Sign up for AWS premium support
• http://aws.amazon.com/support
• Get help when you need it most – as you grow
• Choose different levels of support with no long-term commitment
SHOW ME ALREADY !
DEMOS
1. Use IAM & Multi-Factor Authentication to login to AWS
2. Create new Amazon VPC in Singapore
3. IPSEC VPN connect Tokyo office with Singapore VPC
4. Customize EC2 Instance with minimal footprint, secure config
5. Control Security Groups
Our First Virtual Private Cloud
(diagram: Tokyo office desktop behind the Customer VPN Gateway, VPN tunnels to the VPC in Singapore, Application Server across Availability Zone A and Availability Zone B)
VPC - Singapore
• VPC CIDR Network: 10.100.0.0/16
• VPC Subnet 1: 10.100.0.0/23
• VPC Subnet 2: 10.100.2.0/23
• VPN Type: Dynamic BGP
Office – Tokyo
• Office Network: 10.96.24.0/21
• VPN Gateway IP: 54.92.27.101
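Before building the VPN in demo step 3, the addressing plan above is worth checking: the subnets must sit inside the VPC CIDR, must not overlap each other, and the office network must not overlap the VPC, or the BGP-learned routes become ambiguous. The check below is an added example (not from the session or from AWS) using the values on the slide:

```python
import ipaddress

# Addressing plan from the demo slide (VPC in Singapore, office in Tokyo).
VPC_CIDR = "10.100.0.0/16"
VPC_SUBNETS = ["10.100.0.0/23", "10.100.2.0/23"]
OFFICE_NETWORK = "10.96.24.0/21"

def check_plan(vpc_cidr, subnets, remote_networks):
    """Return the problems a VPN hookup would hit; an empty list means the plan is clean."""
    vpc = ipaddress.ip_network(vpc_cidr)
    nets = [ipaddress.ip_network(s) for s in subnets]
    problems = []
    # Every subnet must be carved out of the VPC's own address space.
    for n in nets:
        if not n.subnet_of(vpc):
            problems.append(f"subnet {n} is outside VPC {vpc}")
    # Subnets inside one VPC cannot overlap each other.
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                problems.append(f"subnets {a} and {b} overlap")
    # A remote network that overlaps the VPC cannot be routed over the tunnel.
    for r in remote_networks:
        rn = ipaddress.ip_network(r)
        if rn.overlaps(vpc):
            problems.append(f"remote network {rn} overlaps VPC {vpc}; routes would be ambiguous")
    return problems

def demo_plan_problems():
    return check_plan(VPC_CIDR, VPC_SUBNETS, [OFFICE_NETWORK])
```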
Contact Your AWS Account Manager to discuss your use cases & opportunities to try AWS services
Follow us at @AWSCloudSEAsia
Join the AWS User Group at Facebook.com – search ‘AWS User Group Singapore’
Thank you
Markku Lepistö – Principal Technology Evangelist @markkulepisto