AWS Security Fundamentals: Dos and Don’ts
![Page 1: AWS Security Fundamentals: Dos and Don’ts](https://reader036.vdocuments.site/reader036/viewer/2022062419/55a58b441a28ab3d488b4575/html5/thumbnails/1.jpg)
1
Confidential
February 24, 2015
Speaker: Avishai Wool, AlgoSec CTO & Co-Founder
Agenda
• Introduction to Amazon AWS
• The AWS Firewall
• Configuring AWS Firewall Security Groups
• Auditing and Best Practices for AWS
Introduction to Amazon AWS
What Amazon Provides
• Rent servers
  • Compute boxes (EC2)
  • Storage (S3)
  • Networking
• Low cost
• Outsourced – No IT department
• Elastic (power-up/shut-down lots of servers fast)
• Web UI, and programmable web-service API
Amazon Technology
What About Security?
• Amazon guarantees customer/customer separation
• But what about filtering policy (firewalls) for:
  • Internet <-> Amazon-server
  • Amazon-server <-> Datacenter
  • Amazon-server <-> Amazon-server
• Amazon’s solution: “AWS firewall”
  • Free (price included in the server cost)
  • Embedded in infrastructure
Connecting Amazon Network to Corporate
• vGW: Router + VPN endpoint
The AWS Firewall
Security Groups – Basics
• A key concept in AWS is “Security Group”
• A Security Group is a list of rules
  • Comparable to a Check Point “Policy” or Cisco “Access List”
  • Has a name
• A Security Group is associated with an instance:
  • Like a “host-based firewall”
Zoom into Rules: Where is the Destination?
Security Groups – Details
• Consists of 2 lists of rules: Inbound and Outbound
• One side of the rule is implicitly “me”
  • Inbound rules: from <Somewhere> to “me” with service S
  • Outbound rules: from “me” to <Somewhere> with service S
• “my” IP address is not listed in the rule
• Result: the security group can be associated with any instance without any modification
Inbound Rules
Outbound Rules
Security Groups – More Details
• All rules are “PASS” rules
  • Not an oversight but a deliberate feature
• Rules do not perform NAT
  • The instance can have public and private IP addresses
  • AWS infrastructure takes care of this
• The order of rules inside a Security Group does not matter
Security Groups and Instances: Many to Many
• A Security Group can be associated with many instances
• An instance can be associated with many Security Groups!
  • This is a unique AWS innovation
• Why this works:
  • All rules are PASS rules
  • The order of security groups on an instance does not matter
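The three slides above (rule directionality with an implicit “me”, pass-only rules, and many-to-many attachment) describe one evaluation model: a packet is permitted if any rule in any attached group matches it, so neither rule order nor group order can change the result, and nothing can be denied except by not writing a rule for it. The following Python model, an added example that is not AWS code or part of the original deck, makes that model executable; the group names, CIDRs and ports are constructed for illustration.

```python
"""Executable model of AWS Security Group semantics (added example, not AWS code):
- a rule names only the far side (<Somewhere>); "me" is implicit
- every rule is a PASS rule, there is no DENY
- the effective policy of an instance is the UNION of all attached groups,
  so rule order and group order cannot affect the outcome.
Group names, CIDRs and ports below are constructed for illustration."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import FrozenSet, List, Literal


@dataclass(frozen=True)
class Rule:
    direction: Literal["inbound", "outbound"]
    protocol: str      # "tcp", "udp", "icmp" or "-1" (all protocols)
    from_port: int     # -1 means "all ports" (used for icmp and for "-1")
    to_port: int
    cidr: str          # the <Somewhere> side of the rule

    def matches(self, direction: str, protocol: str, port: int, peer_ip: str) -> bool:
        if direction != self.direction:
            return False
        if self.protocol != "-1" and self.protocol != protocol:
            return False
        if self.from_port != -1 and not (self.from_port <= port <= self.to_port):
            return False
        return ip_address(peer_ip) in ip_network(self.cidr)


@dataclass
class SecurityGroup:
    name: str
    rules: List[Rule] = field(default_factory=list)


def effective_rules(groups: List[SecurityGroup]) -> FrozenSet[Rule]:
    """Union of all attached groups; a set, because order is irrelevant."""
    return frozenset(r for g in groups for r in g.rules)


def is_allowed(groups: List[SecurityGroup], direction: str, protocol: str,
               port: int, peer_ip: str) -> bool:
    """Pure PASS semantics: permitted iff ANY rule in ANY attached group matches."""
    return any(r.matches(direction, protocol, port, peer_ip)
               for r in effective_rules(groups))


# Constructed groups in the style the deck recommends: one per function,
# plus one "infrastructure" group shared by all Linux instances.
INFRA_LINUX = SecurityGroup("infra-linux", [
    Rule("inbound", "tcp", 22, 22, "10.0.0.0/8"),       # SSH from the corporate range
    Rule("inbound", "icmp", -1, -1, "10.0.0.0/8"),      # ping for troubleshooting
    Rule("outbound", "udp", 123, 123, "10.0.0.5/32"),   # NTP to one time server only
])
WEB = SecurityGroup("web", [
    Rule("inbound", "tcp", 80, 80, "0.0.0.0/0"),
    Rule("inbound", "tcp", 443, 443, "0.0.0.0/0"),
])
# The outbound rule every new group carries by default: any service, any IP.
DEFAULT_OUTBOUND = SecurityGroup("default-outbound", [
    Rule("outbound", "-1", -1, -1, "0.0.0.0/0"),
])


def demo():
    attached = [INFRA_LINUX, WEB]
    print("HTTPS from the Internet:", is_allowed(attached, "inbound", "tcp", 443, "203.0.113.7"))
    print("SSH from the Internet:  ", is_allowed(attached, "inbound", "tcp", 22, "203.0.113.7"))
    print("DNS out to 192.0.2.53:  ", is_allowed(attached, "outbound", "udp", 53, "192.0.2.53"))
    print("...with default group:  ", is_allowed(attached + [DEFAULT_OUTBOUND], "outbound", "udp", 53, "192.0.2.53"))


if __name__ == "__main__":
    demo()
```

Because `effective_rules` is a set union, attaching the same groups in a different order yields an identical policy, and the only way to stop the web instance from talking to an arbitrary DNS server is to not attach a group that allows it; there is no rule you could add to forbid it.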
Challenges and Tips
Current Policy Management Limitations
• Only a single subnet per rule
  • No named network objects
  • No network object groups
• Only a single service (protocol+port range) per rule
  • No named service objects
  • No service object groups
• No comments per rule
• No per-rule hit counting or logging
• No “next-generation firewall” capabilities
How to Organize the Policy?
Things to think about:
• Modularity
• Make it understandable
• Directionality
Modular Policy Design
• Create separate Security Groups for instances that have the same function:
  • Web servers
  • Database servers
  • Etc…
• Create Security Groups for “default” or “infrastructure” services
  • Separate per operating system (Linux/Windows/…)
• SSH access to command line (Linux)
• NTP to synchronize clocks
• ICMP to allow network troubleshooting (ping)
• Etc…
• Web Access etc…
Pitfall: Too many Security Groups per Instance
Keep it understandable:
• Which policy protects a particular instance?
KISS principle: Keep It Simple…

| Security Groups per Instance | Assessment |
|---|---|
| 1-2 | Simple |
| 3 | Borderline |
| 4 or more | Complicated |
How to view the policy on an instance
• Understandable – as long as policy is simple
  • Not too many rules (without scrolling)
  • Not too many Security Groups (without many columns)
Pitfall: Insecure Outbound Rules
• By default a Security Group allows anything in the outbound direction:
  • any service
  • to any IP address
• Instance creation wizard does not suggest changing the default
“View Rules” popup does not show the outbound rules
Tip: Edit the Security Group Outbound tab and add rules:
• NTP only to specific time server
• DNS lookups only via specific name server
• Etc…
Other AWS Best Practices
Authentication
• Keys to the kingdom: the AWS web interface
  • Power instances on/off
  • Change filtering policy and access controls
Tip: Protect the access with more than just a password!
• Instead of a simple password
• Use a smartphone app (“Google Authenticator”)
• Provides a time-varying password
MFA: Multi-Factor Authentication
40
System Logs and Audit Trail
• CloudWatch: Health monitoring and log server
• CloudTrail: Audit log for API calls
• 3rd party change tracking: AlgoSec
• Send API call activity to CloudTrail
• View log via S3
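Once API activity is flowing into CloudTrail, the records delivered to S3 are JSON and can be reviewed for exactly the changes this deck cares about: who altered a Security Group, whether a rule was opened to the whole Internet, and whether the console was entered without MFA. The reviewer below is an added example, not part of the deck and not an AWS or AlgoSec tool; the records are constructed to mirror CloudTrail’s field layout (`eventName`, `userIdentity`, `requestParameters`, `additionalEventData`) but are not real log data, and the user names and group id are placeholders.

```python
"""Review CloudTrail records for Security Group changes and non-MFA console logins.
Added example, not an AWS or AlgoSec tool.  The records are constructed to mirror
the CloudTrail JSON layout; the users, times and sg-web id are placeholders."""
import json

SG_CHANGE_EVENTS = {
    "AuthorizeSecurityGroupIngress", "AuthorizeSecurityGroupEgress",
    "RevokeSecurityGroupIngress", "RevokeSecurityGroupEgress",
    "CreateSecurityGroup", "DeleteSecurityGroup",
}
WORLD = {"0.0.0.0/0", "::/0"}

SAMPLE_RECORDS = json.loads("""
{"Records": [
 {"eventTime": "2015-02-24T10:00:00Z", "eventSource": "ec2.amazonaws.com",
  "eventName": "AuthorizeSecurityGroupIngress",
  "userIdentity": {"type": "IAMUser", "userName": "alice"},
  "requestParameters": {"groupId": "sg-web",
    "ipPermissions": {"items": [{"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
                                 "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
 {"eventTime": "2015-02-24T10:05:00Z", "eventSource": "ec2.amazonaws.com",
  "eventName": "RevokeSecurityGroupEgress",
  "userIdentity": {"type": "IAMUser", "userName": "alice"},
  "requestParameters": {"groupId": "sg-web",
    "ipPermissions": {"items": [{"ipProtocol": "-1",
                                 "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
 {"eventTime": "2015-02-24T10:06:00Z", "eventSource": "ec2.amazonaws.com",
  "eventName": "DescribeSecurityGroups",
  "userIdentity": {"type": "IAMUser", "userName": "alice"}},
 {"eventTime": "2015-02-24T11:00:00Z", "eventSource": "signin.amazonaws.com",
  "eventName": "ConsoleLogin",
  "userIdentity": {"type": "IAMUser", "userName": "bob"},
  "additionalEventData": {"MFAUsed": "No"}}
]}""")["Records"]


def actor(rec):
    ident = rec.get("userIdentity", {})
    return ident.get("userName") or ident.get("arn") or "unknown"


def world_open_permissions(rec):
    """(protocol, fromPort, toPort) of each permission in the call whose source is the whole Internet."""
    perms = rec.get("requestParameters", {}).get("ipPermissions", {}).get("items", [])
    hits = []
    for p in perms:
        cidrs = [r.get("cidrIp") for r in p.get("ipRanges", {}).get("items", [])]
        cidrs += [r.get("cidrIpv6") for r in p.get("ipv6Ranges", {}).get("items", [])]
        if any(c in WORLD for c in cidrs):
            hits.append((p.get("ipProtocol"), p.get("fromPort"), p.get("toPort")))
    return hits


def review(records):
    """Every Security Group change is recorded; opening a rule to the world and
    console logins without MFA are raised in severity."""
    findings = []
    for rec in records:
        name = rec.get("eventName")
        if name in SG_CHANGE_EVENTS:
            finding = {"severity": "info", "event": name, "actor": actor(rec),
                       "group": rec.get("requestParameters", {}).get("groupId"),
                       "time": rec.get("eventTime")}
            opened = world_open_permissions(rec) if name.startswith("Authorize") else []
            if opened:
                finding["severity"] = "high"
                finding["open_to_world"] = opened
            findings.append(finding)
        elif name == "ConsoleLogin" and rec.get("additionalEventData", {}).get("MFAUsed") == "No":
            findings.append({"severity": "medium", "event": name, "actor": actor(rec),
                             "time": rec.get("eventTime")})
    return findings


if __name__ == "__main__":
    for f in review(SAMPLE_RECORDS):
        print(json.dumps(f))
```

Read-only calls such as `DescribeSecurityGroups` are deliberately ignored; the revocation of the all-traffic egress rule is logged at “info” because it narrows the policy (it is the fix the previous section recommends), while the SSH rule opened to `0.0.0.0/0` and the password-only console login are the two findings a reviewer would act on.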
AlgoSec: Unified Policy Management
• Extends on-premise visibility to the cloud
• Centrally manage on-premise firewall policies alongside Amazon security groups
• Monitor changes to Amazon Security Groups for unified auditing and troubleshooting
Infographic: Managing Security Policies Across Hybrid Cloud Environments: Visibility is Obscured by Clouds
Attachments:
• Research: Examining Security Policy Management in Hybrid Cloud Environments
• eBook: Security Policy Management in the Data Center for Dummies
Q&A
• Learn more: algosec.com
• Learn even more: blog.algosec.com
• Seeing is believing: algosec.com/demo
• Contact us/slides: [email protected]
Thank you