AWS Security Strategy
TRANSCRIPT
Page 1
AWS Security Strategy
Enterprise Security on AWS
Teri Radichel, Cloud Architect | WatchGuard Technologies | @teriradichel
Page 2
The CIO of the 5th largest bank in the US says they can be more secure in AWS than in their own data center.
Possible?
Page 3
About That Internet Thing…
You are already using shared infrastructure.
How do you secure it?
Page 4
Security Policy
Yours. Do you know what it says? Does everybody follow it?
AWS. https://d0.awsstatic.com/whitepapers/aws-security-whitepaper.pdf
Page 5
What’s In Your Network?
Do you really know?
Page 6
Automated Configuration
AWS facilitates automated infrastructure and application deployment via code stored in source control.
Page 7
Automated Event-Driven Security
AWS makes it easier to automatically react to events that trigger a security response.
Page 8
Points of Discovery and Reaction
• Knowns:
  - Prevent from entering environment
  - Detect and roll back on entry into environment
• Unknowns:
  - Baseline normal behavior
  - React to anomalies – alerts, investigation
Page 9
Recommendations…
• Best Practices
• Lessons Learned
• Ideas
• Tools
Page 10
Follow IAM Best Practices
Page 11
Follow Evident.io Best Practices
Page 12
The Right People
Cowboy has no well-thought-out plan or expertise.
Mr. No kills innovation. He is not open to new ideas.
Analysis Paralysis Kills Productivity
Engineers = expertise + well-designed solutions based on available data
Page 13
Deployment Pipeline
DevOps, security, developer and QA teams should all use the same process for AWS deployments.
Add Security Controls at this checkpoint.
Facilitates inventory, audit and compliance.
CICD – Continuous Integration, Continuous Deployment
Page 14
Automate Everything
From The Start.
Page 15
Security Automation
• Automate Biggest Risks ~ Verizon Data Breach Report
• Automated Deployments – CloudFormation, SDKs
  - Consider Immutable Infrastructure where possible
• Automated Compliance – AWS Config, AWS Inspector
• Automated Security Operations – AWS WAF, 3rd Party Tools
• Custom automation – roll your own
• Automated Intrusion Detection – Proof of Concept Framework: https://github.com/tradichel/AWSSecurityAutomationFramework
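The two "Knowns" reactions from the Points of Discovery slide, applied to the security-group whitelist rule, as an added example (not code from the deck or from the author's framework): one check runs as the pipeline checkpoint over a CloudFormation template before deployment, the other reacts to a CloudTrail AuthorizeSecurityGroupIngress record and produces the revoke call that rolls the change back. The allowlisted ranges, the template, the group id and the event record are all constructed for the example; the actual `ec2.revoke_security_group_ingress(**revoke_params(event))` call is left to the reader's Lambda.

```python
import ipaddress

# Constructed allowlist for this example: ingress may only come from these ranges.
ALLOWED_SOURCES = [ipaddress.ip_network(c) for c in ("10.0.0.0/8", "203.0.113.0/24")]

def source_allowed(cidr):
    """True when the CIDR lies entirely inside one allowlisted range."""
    net = ipaddress.ip_network(cidr, strict=False)
    return any(net.version == a.version and net.subnet_of(a) for a in ALLOWED_SOURCES)

def template_violations(template):
    """Pipeline checkpoint (prevent on entry): flag inline ingress rules in a
    CloudFormation template (parsed to a dict) whose source is outside the allowlist."""
    found = []
    for name, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::EC2::SecurityGroup":
            continue
        for rule in res.get("Properties", {}).get("SecurityGroupIngress", []):
            cidr = rule.get("CidrIp")
            if cidr and not source_allowed(cidr):
                found.append((name, cidr, rule.get("FromPort"), rule.get("ToPort")))
    return found

def revoke_params(cloudtrail_event):
    """Event-driven reaction (detect and roll back): for an AuthorizeSecurityGroupIngress
    CloudTrail record, return the kwargs for ec2.revoke_security_group_ingress() that
    undo the offending ranges, or None when the change complied with the allowlist."""
    if cloudtrail_event.get("eventName") != "AuthorizeSecurityGroupIngress":
        return None
    params = cloudtrail_event["requestParameters"]
    bad = []
    for perm in params["ipPermissions"]["items"]:
        ranges = [r["cidrIp"] for r in perm.get("ipRanges", {}).get("items", [])
                  if not source_allowed(r["cidrIp"])]
        if not ranges:
            continue
        entry = {"IpProtocol": perm["ipProtocol"], "IpRanges": [{"CidrIp": c} for c in ranges]}
        if "fromPort" in perm:  # protocol -1 (all traffic) carries no ports
            entry.update(FromPort=perm["fromPort"], ToPort=perm["toPort"])
        bad.append(entry)
    return {"GroupId": params["groupId"], "IpPermissions": bad} if bad else None

# Constructed sample inputs (not real resources): a template and a CloudTrail record.
TEMPLATE = {"Resources": {"WebSg": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
    "SecurityGroupIngress": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "10.1.0.0/16"},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"}]}}}}
EVENT = {"eventName": "AuthorizeSecurityGroupIngress", "requestParameters": {
    "groupId": "sg-0123456789abcdef0", "ipPermissions": {"items": [
        {"ipProtocol": "tcp", "fromPort": 3389, "toPort": 3389,
         "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}, {"cidrIp": "10.2.0.0/16"}]}}]}}}
```

The same `source_allowed` policy serves both checkpoints, so a rule that the pipeline would have rejected is also the one the event handler revokes if someone adds it by hand in the console.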
Page 17
Other Options for SSH and Access Secret Key
• IAM Roles for Users and AWS Resources
• Cross Account Roles
• Active Directory Integration
• STS – temporary credentials
• Use MFA where possible
• Consider CLI, Console and Instance Logins
• If using keys, train users that keys are passwords and treat them as such
Page 18
Encryption on AWS
• KMS – AWS Key Management Service
• CloudHSM – Single Tenant Hardware Security Module
• Bring Your Own Key – import from your own key manager or HSM
• AWS Certificate Manager – SSL/TLS for encryption in transit
Page 19
5. Plan Network Carefully.
[Diagram: three subnet tiers – Internet Access, AWS Only, AWS to Corporate – each containing its own security groups]
Routes: Enforce Traffic Flow. Subnets: Larger. Security Groups: Whitelist.
Page 20
Avoid This
So many holes in your network, and so many agents running, that you no longer know what is traversing your network, and network security becomes pointless.
Page 21
Avoid This
Subnets with almost nothing in them have the potential to exhaust your IP space.
It also becomes unwieldy to manage numerous subnets and security groups.
Use security groups for application specific rules.
Page 22
Architect for the Cloud
Avoid Lift and Shift
Costs will be higher
Doesn’t leverage AWS
Possible Security Issues
Fix it later…right.
If you do... keep it in a separate account.
Page 23
Scalable DevOps
Page 24
Use Process Controls
Technology can’t make your toast. Yet. Use process controls when needed.
Page 25
Have a Sandbox Account
Tightly secure other accounts. Match production or purpose built.
Page 27
AWS Monitoring Tools
• VPC Flow Logs ~ like Netflow for VPC, not real time
• CloudTrail ~ Monitor actions taken on AWS
• CloudWatch ~ Any kind of logs, cannot be altered if properly secured
• 3rd Party Tools
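The "Unknowns" half of the strategy (baseline normal behavior, react to anomalies) run over VPC Flow Logs, as an added example that is not part of the deck: a known-good window defines which destination address/port pairs are normal, and a later window is scored for ACCEPTed flows to anything new and for sources the security groups keep REJECTing. The records use the default version-2 field order; the account id, ENI id, addresses and timestamps are constructed. Because flow logs are delivered in batches, this is an after-the-fact review, not a real-time control.

```python
from collections import Counter

# Default (version 2) VPC Flow Log field order, as documented for the service.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

def parse_flow_log(text):
    """Parse version-2 flow log records; NODATA/SKIPDATA records are dropped."""
    records = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue  # malformed line, not a version-2 record
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":
            continue  # no traffic fields to interpret
        rec["dstport"] = int(rec["dstport"])
        records.append(rec)
    return records

def baseline(records):
    """Normal behaviour: (dstaddr, dstport) pairs ACCEPTed during a known-good window."""
    return {(r["dstaddr"], r["dstport"]) for r in records if r["action"] == "ACCEPT"}

def anomalies(records, known, reject_threshold=3):
    """Flag ACCEPTed flows to destinations absent from the baseline, and sources
    REJECTed by the security groups at least reject_threshold times."""
    new_flows = sorted({(r["srcaddr"], r["dstaddr"], r["dstport"]) for r in records
                        if r["action"] == "ACCEPT"
                        and (r["dstaddr"], r["dstport"]) not in known})
    rejects = Counter(r["srcaddr"] for r in records if r["action"] == "REJECT")
    noisy = sorted(s for s, n in rejects.items() if n >= reject_threshold)
    return {"new_flows": new_flows, "noisy_sources": noisy}

# Constructed sample records (account id, ENI and addresses are made up).
BASELINE_LOG = """
2 111122223333 eni-0a1b2c3d 10.0.2.5 10.0.1.10 40001 443 6 10 1500 1500000000 1500000060 ACCEPT OK
2 111122223333 eni-0a1b2c3d 10.0.1.10 10.0.1.20 40002 5432 6 8 900 1500000000 1500000060 ACCEPT OK
2 111122223333 eni-0a1b2c3d - - - - - - - 1500000000 1500000060 - NODATA
"""
LATER_LOG = """
2 111122223333 eni-0a1b2c3d 10.0.2.5 10.0.1.10 40010 443 6 12 1700 1500003600 1500003660 ACCEPT OK
2 111122223333 eni-0a1b2c3d 10.0.2.5 10.0.1.20 40011 22 6 5 600 1500003600 1500003660 ACCEPT OK
2 111122223333 eni-0a1b2c3d 198.51.100.7 10.0.1.10 51000 23 6 1 60 1500003600 1500003660 REJECT OK
2 111122223333 eni-0a1b2c3d 198.51.100.7 10.0.1.10 51001 3389 6 1 60 1500003600 1500003660 REJECT OK
2 111122223333 eni-0a1b2c3d 198.51.100.7 10.0.1.10 51002 445 6 1 60 1500003600 1500003660 REJECT OK
"""
def report(baseline_text, later_text):
    """Build the baseline from one window and score a later window against it."""
    return anomalies(parse_flow_log(later_text), baseline(parse_flow_log(baseline_text)))
```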
Page 28
Teri Radichel, Cloud Architect
WatchGuard Technologies ~ We are hiring!
@teriradichel
Security Certifications and Papers: http://www.giac.org/certified-professional/teri-radichel/140127
Thank you!