PurpleBox Cloud Services - Amazon AWS Security. Geek Week 2016, Tuesday, August 9th. PurpleBox, Inc. (Marketing - Cloud - Security), www.prplbx.com, +1 (770) 421-5808. ©2016 All Rights Reserved.
Transcript
Page 1

PurpleBox Cloud Services

Amazon AWS Security

Geek Week 2016, Tuesday, August 9th

Page 2

PurpleBox Overview

PurpleBox Cloud
● Consulting and Cloud Migration
● Managed Cloud Services
● Cloud Security Services
● Amazon AWS Consulting Partner
● Certifications:
  ○ AWS Certified Solutions Architect
  ○ AWS Certified SysOps Administrator

PurpleBox Security
● Vulnerability Management
● Security Assessments
● PenTesting
● Web Application Security
● Security Compliance and GRC
● Security Monitoring/SIEM/IDS/IPS

Page 3

Nihat Guven

16+ years in IT Security

Big4, Security/Cloud Software Vendor, MSSP

Specialties:
● Security Strategy, Operations, Architecture, and Program Management
● Threat and Vulnerability Management
● Web Application Security
● Amazon AWS Security

Page 4

Agenda

● Shared Responsibility Model
● Network Security
● Identity and Access Management
● Encryption
● Logging and Monitoring

Page 5

Shared Responsibility Model

You get to define your controls IN the Cloud

AWS takes care of the security OF the Cloud

Page 6

Shared Responsibility Model

Page 7

Security OF AWS

Page 8

Security OF AWS

Page 9

Security OF AWS

Page 10

Security IN the cloud

You retain full ownership and control of your content
● Choose the AWS Region and AWS will not replicate it elsewhere unless you choose to do so.
● Control format, accuracy, and encryption any way that you choose.
● Control who can access content.
● Control content lifecycle and disposal.

Page 11

Data Location - You decide

Page 12

Network Security Basics - still relevant!

● Segmentation
● Least Privileges
● Defense in Depth
● Minimize Attack Surface

Page 13

Example (network diagram)

VPC-East (us-east-1) 10.10.0.0/16, spread across three Availability Zones (AZ A, AZ B, AZ D). Each AZ holds one DMZ subnet (SG-DMZ), two internal subnets (SG-Internal) and its own NAT Gateway:

  10.10.1.0/24 (SG-DMZ), 10.10.2.0/24 (SG-Internal), 10.10.3.0/24 (SG-Internal), NAT Gateway
  10.10.11.0/24 (SG-DMZ), 10.10.12.0/24 (SG-Internal), 10.10.13.0/24 (SG-Internal), NAT Gateway
  10.10.21.0/24 (SG-DMZ), 10.10.22.0/24 (SG-Internal), 10.10.23.0/24 (SG-Internal), NAT Gateway

Route tables: RT-Internet and RT-Default. An Internet Gateway (IGW) is attached to the VPC.

Page 14

Example

Segmentation
- Multiple AWS Accounts
- Single AWS Account with VPC
- Subnets
- Routing Tables
- ACL
- VPC Peering across Regions

Least Privileges
- Security Groups at each level
- Internet to IGW / Elastic Load Balancer
- IGW/ELB to DMZ
- DMZ to Internal Subnets
- Only specific ports allowed

Defense in Depth
- Network Level (VPC, SG, ACL)
- OS level (Windows/Linux)
- Service Level (Policies)
- Monitoring

Minimize Attack Surface
- Console Access
- API/CLI Access
- Single DNS name/IP
- Inbound HTTP/HTTPS Only
- Management through Bastion Host - SSH only
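The layering above (Internet to the DMZ on HTTP/HTTPS only, DMZ to internal subnets by security-group reference, SSH only through the bastion) is easy to state and easy to drift from. The following is an added example, not code from the slide deck or from PurpleBox: a small audit of inbound security-group rules against exactly those expectations. The group names (SG-DMZ, SG-Internal, SG-Bastion), the rule dictionary format and the sample rule set are constructed for the example; they are not AWS API output.

```python
"""Added example: audit inbound security-group rules against the least-privilege
layering described on the slide (assumed names SG-DMZ / SG-Internal / SG-Bastion)."""
import ipaddress

DMZ_SG, INTERNAL_SG, BASTION_SG = "SG-DMZ", "SG-Internal", "SG-Bastion"
WEB_PORTS = {80, 443}
SSH_PORT = 22


def _is_world(source):
    """True for 0.0.0.0/0 or ::/0; security-group references contain no '/'."""
    return "/" in source and ipaddress.ip_network(source, strict=False).prefixlen == 0


def audit_rule(rule):
    """Return the least-privilege violations for one inbound rule ([] = compliant).

    rule = {"group": <SG the rule belongs to>, "proto": "tcp" | "udp" | "-1",
            "from_port": int, "to_port": int, "source": <CIDR or SG name>}
    """
    findings = []
    group, src = rule["group"], rule["source"]
    span = f"{rule['from_port']}-{rule['to_port']}"

    # "-1" is the AWS wildcard protocol: every protocol, every port.
    if rule["proto"] == "-1":
        return [f"{group}: all protocols and ports allowed from {src}"]
    ports = set(range(rule["from_port"], rule["to_port"] + 1))

    if _is_world(src):
        # Only the DMZ tier may face the Internet, and only on 80/443.
        if not (group == DMZ_SG and ports <= WEB_PORTS):
            findings.append(f"{group}: {rule['proto']} {span} open to the world ({src})")
    elif group == INTERNAL_SG and "/" in src:
        # Internal subnets should trust security groups, not address ranges:
        # a CIDR silently includes every future host placed in that range.
        findings.append(f"{group}: trusts CIDR {src}; expected a reference to {DMZ_SG} or {BASTION_SG}")

    # Management plane: SSH reaches anything only from the bastion's group.
    if SSH_PORT in ports and group != BASTION_SG and src != BASTION_SG:
        findings.append(f"{group}: SSH ({span}) allowed from {src}, expected only from {BASTION_SG}")
    return findings


def audit(rules):
    """Flatten the findings for a whole rule set, in rule order."""
    return [finding for rule in rules for finding in audit_rule(rule)]


# Constructed rule set: five compliant rules followed by three common mistakes.
SAMPLE_RULES = [
    {"group": DMZ_SG, "proto": "tcp", "from_port": 80, "to_port": 80, "source": "0.0.0.0/0"},
    {"group": DMZ_SG, "proto": "tcp", "from_port": 443, "to_port": 443, "source": "0.0.0.0/0"},
    {"group": DMZ_SG, "proto": "tcp", "from_port": 22, "to_port": 22, "source": BASTION_SG},
    {"group": INTERNAL_SG, "proto": "tcp", "from_port": 3306, "to_port": 3306, "source": DMZ_SG},
    {"group": BASTION_SG, "proto": "tcp", "from_port": 22, "to_port": 22, "source": "198.51.100.0/24"},
    {"group": DMZ_SG, "proto": "tcp", "from_port": 8080, "to_port": 8080, "source": "0.0.0.0/0"},
    {"group": INTERNAL_SG, "proto": "tcp", "from_port": 22, "to_port": 22, "source": "10.10.0.0/16"},
    {"group": INTERNAL_SG, "proto": "-1", "from_port": 0, "to_port": 65535, "source": "0.0.0.0/0"},
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_RULES):
        print("FINDING:", finding)
```

The checks deliberately treat a CIDR source on the internal tier as a finding even when the range is the VPC's own: referencing SG-DMZ instead means a new host only gains access by being placed in that group, which is the "security groups at each level" point the slide makes.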

Page 15

AWS Identity and Access Management (IAM)

▪ Enables you to control who can do what in your AWS account
▪ Splits into users, groups, roles, and permissions
▪ Control
  ▪ Centralized
  ▪ Fine-grained - APIs, resources, and AWS Management Console
▪ Security
  ▪ Secure (deny) by default

Page 16

AWS IAM Best Practices

1. Create individual users.

Benefits
▪ Unique credentials
▪ Individual credential rotation
▪ Individual permissions
▪ Simplifies forensics

Page 17

AWS IAM Best Practices

1. Create individual users.
2. Grant least privilege.

Benefits
▪ Less chance of people making mistakes
▪ Easier to relax than tighten up
▪ More granular control

Page 18

AWS IAM Best Practices

1. Create individual users.
2. Grant least privilege.
3. Manage permissions with groups.

Benefits
▪ Easier to assign the same permissions to multiple users
▪ Simpler to reassign permissions based on change in responsibilities
▪ Only one change to update permissions for multiple users

Page 19

AWS IAM Best Practices

1. Create individual users.
2. Grant least privilege.
3. Manage permissions with groups.
4. Restrict privileged access further with conditions.

Benefits
▪ Additional granularity when defining permissions
▪ Can be enabled for any AWS service API
▪ Minimizes chances of accidentally performing privileged actions

Page 20

What if you wanted to restrict access to a time frame and IP address range?

Condition example

Allows a user to access a resource under the following conditions:
▪ The time is after 12:00 P.M. (UTC) on 10/8/2015 AND
▪ The time is before 3:00 P.M. (UTC) on 10/8/2015 AND
▪ The request comes from an IP address in the 192.0.2.0/24 OR 203.0.113.0/24 range

All of these conditions must be met in order for the statement to evaluate to TRUE: the separate condition keys in the block are ANDed, while the two values listed for aws:SourceIp are ORed.

```json
"Condition": {
  "DateGreaterThan": {"aws:CurrentTime": "2015-10-08T12:00:00Z"},
  "DateLessThan":    {"aws:CurrentTime": "2015-10-08T15:00:00Z"},
  "IpAddress":       {"aws:SourceIp": ["192.0.2.0/24", "203.0.113.0/24"]}
}
```

Page 21

Policy variables

▪ Predefined variables based on service request context
  • Existing keys (aws:SourceIp, aws:CurrentTime, etc.)
  • Principal-specific keys (aws:username, aws:userid, aws:principaltype)
  • Provider-specific keys (graph.facebook.com:id, www.amazon.com:user_id)
  • SAML keys (saml:aud, saml:iss)
  • And more
▪ Benefits
  • Simplifies policy management
  • Reduces the need for hard-coded, user-specific policies
▪ Use case
  • Easily set up user access to a "home folder" in Amazon S3

Page 22

The anatomy of a policy with variables

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:ListBucket"],
      "Resource": ["arn:aws:s3:::myBucket"],
      "Condition": {"StringLike": {"s3:prefix": ["home/${aws:username}/*"]}}
    },
    {
      "Effect": "Allow",
      "Action": ["s3:*"],
      "Resource": [
        "arn:aws:s3:::myBucket/home/${aws:username}",
        "arn:aws:s3:::myBucket/home/${aws:username}/*"
      ]
    }
  ]
}
```

▪ Version is required: policy variables are only interpreted with "Version": "2012-10-17"; without it, ${aws:username} is treated as a literal string
▪ Variable in conditions: the s3:prefix condition limits ListBucket to the caller's own prefix
▪ Variable in resource ARNs: object-level actions are limited to the caller's home folder

Grants a user access to a home directory in Amazon S3 that can be accessed programmatically
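To make the evaluation rules concrete (condition keys ANDed, values of one key ORed, variables expanded from the request context, deny by default), here is an added example that is not code from the slide deck or from PurpleBox: a small evaluator that applies both the time/IP Condition block from the earlier slide and the home-folder policy above to a request. It implements only the operators those two policies use and is a teaching model of the logic, not AWS's engine. The slide shows the Condition block on its own, so attaching it to an Allow on ec2:* with Resource "*" is an assumption made here to give it something to evaluate.

```python
"""Added example: a minimal IAM policy evaluator for the slide's two policies."""
import fnmatch
import ipaddress
import re
from datetime import datetime

_VAR = re.compile(r"\$\{([^}]+)\}")


def _listify(value):
    return value if isinstance(value, list) else [value]


def _ts(text):
    # IAM uses ISO 8601; fromisoformat() accepts a trailing "Z" only from Python 3.11.
    return datetime.fromisoformat(text.replace("Z", "+00:00"))


def _substitute(template, ctx):
    """Expand ${key} policy variables from the request context. Returns None when
    a referenced key is absent, which this evaluator treats as "does not match"."""
    if any(key not in ctx for key in _VAR.findall(template)):
        return None
    return _VAR.sub(lambda m: ctx[m.group(1)], template)


def _op(name, policy_value, ctx_value):
    if name == "StringEquals":
        return ctx_value == policy_value
    if name == "StringLike":      # IAM '*' / '?' wildcards
        return fnmatch.fnmatchcase(ctx_value, policy_value)
    if name == "IpAddress":
        return ipaddress.ip_address(ctx_value) in ipaddress.ip_network(policy_value, strict=False)
    if name == "DateGreaterThan":
        return _ts(ctx_value) > _ts(policy_value)
    if name == "DateLessThan":
        return _ts(ctx_value) < _ts(policy_value)
    raise ValueError(f"unsupported condition operator: {name}")


def _statement_matches(stmt, action, resource, ctx):
    if not any(fnmatch.fnmatchcase(action, a) for a in _listify(stmt["Action"])):
        return False
    patterns = [_substitute(r, ctx) for r in _listify(stmt["Resource"])]
    if not any(p is not None and fnmatch.fnmatchcase(resource, p) for p in patterns):
        return False
    # Every operator/key pair must hold (AND); any one listed value may hold (OR).
    for operator, keys in stmt.get("Condition", {}).items():
        for key, values in keys.items():
            if key not in ctx:
                return False
            expanded = [_substitute(v, ctx) for v in _listify(values)]
            if not any(v is not None and _op(operator, v, ctx[key]) for v in expanded):
                return False
    return True


def is_allowed(policy, action, resource, ctx):
    """Default deny; an explicit Deny beats any Allow."""
    allowed = False
    for stmt in policy["Statement"]:
        if _statement_matches(stmt, action, resource, ctx):
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


TIME_AND_IP_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow", "Action": "ec2:*", "Resource": "*",   # assumed wrapper statement
        "Condition": {                                            # the slide's Condition block
            "DateGreaterThan": {"aws:CurrentTime": "2015-10-08T12:00:00Z"},
            "DateLessThan": {"aws:CurrentTime": "2015-10-08T15:00:00Z"},
            "IpAddress": {"aws:SourceIp": ["192.0.2.0/24", "203.0.113.0/24"]},
        },
    }],
}

HOME_FOLDER_POLICY = {   # the slide's home-folder policy, verbatim
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:ListBucket"], "Resource": ["arn:aws:s3:::myBucket"],
         "Condition": {"StringLike": {"s3:prefix": ["home/${aws:username}/*"]}}},
        {"Effect": "Allow", "Action": ["s3:*"],
         "Resource": ["arn:aws:s3:::myBucket/home/${aws:username}",
                      "arn:aws:s3:::myBucket/home/${aws:username}/*"]},
    ],
}

if __name__ == "__main__":
    inside = {"aws:CurrentTime": "2015-10-08T13:30:00Z", "aws:SourceIp": "203.0.113.9"}
    print(is_allowed(TIME_AND_IP_POLICY, "ec2:StopInstances", "*", inside))                                 # True
    print(is_allowed(TIME_AND_IP_POLICY, "ec2:StopInstances", "*", {**inside, "aws:SourceIp": "198.51.100.7"}))  # False
    alice = {"aws:username": "alice"}
    print(is_allowed(HOME_FOLDER_POLICY, "s3:GetObject", "arn:aws:s3:::myBucket/home/alice/report.pdf", alice))  # True
    print(is_allowed(HOME_FOLDER_POLICY, "s3:GetObject", "arn:aws:s3:::myBucket/home/bob/report.pdf", alice))    # False
```

Two behaviours worth noticing when you run it: a request whose context lacks aws:username matches neither statement of the home-folder policy (the resource patterns cannot be expanded, so the default deny applies), and the ListBucket statement only fires when the s3:prefix key is present in the context and matches, which is what keeps one user from listing another user's folder.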

Page 23 (image-only slide)

Page 24

AWS IAM Best Practices

1. Create individual users.
2. Grant least privilege.
3. Manage permissions with groups.
4. Restrict privileged access further with conditions.
5. Enable AWS CloudTrail to get logs of API calls.

Benefits
▪ Visibility into your user activity by recording AWS API calls to an Amazon S3 bucket

Page 25

AWS IAM Best Practices

6. Configure a strong password policy.
7. Rotate security credentials regularly.
8. Enable multi-factor authentication (MFA) for privileged users.

Benefits
▪ Ensures your users and your data are protected
▪ Protect API/CLI access
▪ Supplements username and password to require a one-time code during authentication

Page 26 (image-only slide)

Page 27 (image-only slide)

Page 28

AWS IAM Best Practices

9. Use IAM roles to share access.
10. Use IAM roles for Amazon EC2 instances.
11. Reduce or remove use of root.

Benefits
▪ No need to share security credentials
▪ No need to store long-term credentials
▪ Use cases
  ▪ Cross-account access
  ▪ Intra-account delegation
  ▪ Federation
▪ Assign least privilege to the application
▪ AWS SDKs/CLI fully integrated
▪ Reduce potential for misuse of credentials

Page 29

Top 11 IAM best practices

1. Users – Create individual users.

2. Permissions – Grant least privilege.

3. Groups – Manage permissions with groups.

4. Conditions – Restrict privileged access further with conditions.

5. Auditing – Enable AWS CloudTrail to get logs of API calls.

6. Password – Configure a strong password policy.

7. Rotate – Rotate security credentials regularly.

8. MFA – Enable MFA for privileged users.

9. Sharing – Use IAM roles to share access.

10. Roles – Use IAM roles for Amazon EC2 instances.

11. Root – Reduce or remove use of root.

Page 30

Encrypt your sensitive information

Native encryption across services for free
▪ Amazon S3, Amazon EBS, Amazon RDS, Amazon Redshift
▪ End-to-end SSL/TLS

Scalable key management
▪ AWS Key Management Service (KMS)
▪ AWS CloudHSM

Third-party encryption options
▪ Trend Micro, SafeNet, Vormetric, HyTrust, Sophos, etc.

Page 31

Log and Monitor

What can you answer using a CloudTrail event?

▪ Who made the API call?

▪ When was the API call made?

▪ What was the API call?

▪ Which resources were acted upon in the API call?

▪ Where was the API call made from and made to?
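The five questions map directly onto fields of a CloudTrail record (userIdentity, eventTime, eventSource/eventName, resources or requestParameters, sourceIPAddress/userAgent and awsRegion). The following is an added example, not code from the slide deck or from PurpleBox: it answers those questions for every record in a log file and adds two detections that follow from the IAM best practices above, root credential use and console logins without MFA. The log file is constructed for the example (account 123456789012 is a documentation placeholder, the instance and user names are made up); the field names follow the CloudTrail record format.

```python
"""Added example: triage a CloudTrail log file (who/when/what/which/where) and flag
root activity and non-MFA console logins. Sample records are constructed."""
import json

SAMPLE_LOG_FILE = json.dumps({"Records": [
    {"eventVersion": "1.05", "eventTime": "2016-08-09T14:02:11Z",
     "eventSource": "ec2.amazonaws.com", "eventName": "StopInstances", "awsRegion": "us-east-1",
     "sourceIPAddress": "203.0.113.45", "userAgent": "aws-cli/1.10.0",
     "userIdentity": {"type": "IAMUser", "userName": "alice", "accountId": "123456789012",
                      "arn": "arn:aws:iam::123456789012:user/alice"},
     "requestParameters": {"instancesSet": {"items": [{"instanceId": "i-0123456789abcdef0"}]}}},
    {"eventVersion": "1.05", "eventTime": "2016-08-09T22:40:03Z",
     "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin", "awsRegion": "us-east-1",
     "sourceIPAddress": "198.51.100.23", "userAgent": "Mozilla/5.0",
     "userIdentity": {"type": "Root", "accountId": "123456789012",
                      "arn": "arn:aws:iam::123456789012:root"},
     "additionalEventData": {"MFAUsed": "No"}, "responseElements": {"ConsoleLogin": "Success"}},
    {"eventVersion": "1.05", "eventTime": "2016-08-09T22:41:30Z",
     "eventSource": "iam.amazonaws.com", "eventName": "CreateAccessKey", "awsRegion": "us-east-1",
     "sourceIPAddress": "198.51.100.23", "userAgent": "console.amazonaws.com",
     "userIdentity": {"type": "Root", "accountId": "123456789012",
                      "arn": "arn:aws:iam::123456789012:root"},
     "requestParameters": {"userName": "backup-svc"},
     "resources": [{"ARN": "arn:aws:iam::123456789012:user/backup-svc",
                    "accountId": "123456789012", "type": "AWS::IAM::User"}]},
]})


def who(event):
    """Who made the call: root, or the IAM user / assumed-role session."""
    ui = event["userIdentity"]
    if ui.get("type") == "Root":
        return "root"
    return f"{ui.get('type')}:{ui.get('userName') or ui.get('arn') or ui.get('principalId')}"


def _ids_in(obj):
    """Pull values whose key ends in Id/Name/Arn out of nested requestParameters."""
    found = []
    if isinstance(obj, dict):
        for key, value in obj.items():
            if isinstance(value, (dict, list)):
                found.extend(_ids_in(value))
            elif key.lower().endswith(("id", "name", "arn")):
                found.append(str(value))
    elif isinstance(obj, list):
        for value in obj:
            found.extend(_ids_in(value))
    return found


def acted_on(event):
    """Which resources: the resources[] ARNs when CloudTrail records them,
    otherwise identifiers mentioned in the request parameters."""
    arns = [r["ARN"] for r in event.get("resources", []) if "ARN" in r]
    return arns or _ids_in(event.get("requestParameters") or {})


def summarize(event):
    service = event["eventSource"].split(".")[0]   # "ec2.amazonaws.com" -> "ec2"
    return {
        "who": who(event),
        "when": event["eventTime"],
        "what": f"{service}:{event['eventName']}",
        "resources": acted_on(event),
        "from": f"{event.get('sourceIPAddress')} ({event.get('userAgent')})",
        "to": f"{event['eventSource']} in {event.get('awsRegion')}",
    }


def findings(event):
    """Detections: any root activity, and ConsoleLogin events where MFAUsed != Yes."""
    alerts = []
    if event["userIdentity"].get("type") == "Root":
        alerts.append("root credentials used")
    if event["eventName"] == "ConsoleLogin" and event.get("additionalEventData", {}).get("MFAUsed") != "Yes":
        alerts.append("console login without MFA")
    return alerts


def triage(log_file_text):
    """Parse one CloudTrail log file and return (summary, findings) per record."""
    records = json.loads(log_file_text)["Records"]
    return [(summarize(e), findings(e)) for e in records]


if __name__ == "__main__":
    for summary, alerts in triage(SAMPLE_LOG_FILE):
        print(summary, "ALERT: " + "; ".join(alerts) if alerts else "")
```

The same functions work unchanged on a real log file fetched from the trail's S3 bucket (after gunzip), and the two detections are the kind of thing the CloudWatch Logs integration described later in the deck is used to alert on.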

Page 32

AWS CloudTrail best practices

1. Enable in all regions

Benefits
▪ Also tracks unused regions
▪ Can be done in a single configuration step

Page 33

AWS CloudTrail best practices

1. Enable in all regions
2. Enable log file validation

Benefits
▪ Ensure log-file integrity
▪ Validated log files are invaluable in security and forensic investigations
▪ Built using industry standard algorithms: SHA-256 for hashing and SHA-256 with RSA for digital signing
▪ AWS CloudTrail will start delivering digest files on an hourly basis
▪ Digest files contain hash values of log files delivered and are signed by CloudTrail

Page 34

AWS CloudTrail best practices

1. Enable in all regions
2. Enable log file validation
3. Encrypted logs

Benefits
▪ By default, CloudTrail encrypts log files using S3 server-side encryption (SSE-S3)
▪ You can choose to encrypt using AWS KMS (SSE-KMS)
▪ S3 will decrypt on your behalf if your credentials have decrypt permissions

Page 35

AWS CloudTrail best practices

1. Enable in all regions
2. Enable log file validation
3. Encrypted logs
4. Integrate with Amazon CloudWatch Logs

Benefits
▪ Simple search
▪ Configure alerting on events

Page 36

AWS CloudTrail best practices

1. Enable in all regions
2. Enable log file validation
3. Encrypted logs
4. Integrate with Amazon CloudWatch Logs
5. Centralize logs from all accounts

Benefits
▪ Configure all accounts to send logs to a central security account
▪ Reduce risk for log tampering
▪ Can be combined with S3 CRR (cross-region replication)
▪ Include dev/stage accounts!

Page 37

Resources

● https://aws.amazon.com/security/
● https://aws.amazon.com/compliance/
● https://d0.awsstatic.com/whitepapers/AWS_CAF_Security_Perspective.pdf
● https://d0.awsstatic.com/whitepapers/aws-security-whitepaper.pdf

Page 38

Nihat Guven, Cloud and Security Services

[email protected]

Thank You!
