Posted: 13-Feb-2017 | Category: Technology | Uploaded by: botmetric
AWS & Infra Hardening, May 17, 2016
Maqbul Khan Sr. Technical Consultant, Minjar
Our Request: please stay on mute until the Q/A in the last 15 minutes of the webinar
Agenda
• Access, Authorization & Revoke
• AWS Account Security
• Network Security
• Infrastructure Security
• Security Audit
• Lock down your production: No Man's Land
About Us
• Minjar: cloud automation and solutions for AWS; AWS architectures, managed cloud, DevOps, CloudOps
• Botmetric: intelligent cloud platform for AWS cost management, infrastructure audit and DevOps automation for the AWS cloud; sold as a SaaS product
AWS & Infrastructure Hardening
What is AAR?
• Make sure an access inventory is maintained
• Every access has been granted upon authorization
• Access is revoked immediately when it is no longer needed
Why do we need AAR?
Different organizations have different departments, teams and their partners
Access, Authorization & Revoke
Let's take a scenario: an organization has an AWS account and infrastructure, and possibly these teams:
• On-shore IT team
• Off-shore development team
• Managed service CloudOps / DevOps team
So how do we manage and secure AWS account and Infrastructure?
Access, Authorization & Revoke
AWS account: AWS console access, different AWS services
Infrastructure: servers, databases
Access, Authorization & Revoke
How do we make sure our AWS account is secured?
• Users
• Roles
• Groups
• Policies
AWS Account Security
Users
• Enable MFA
• Don't create an access key & secret key unless they are required
• Check when the last access activity was performed by the user
Review access keys and secret keys
• Remove old keys which users don't use
• If users are not using their access keys / secret keys, it is recommended to remove them
• Enable API protection on the resources
• Rotate keys at a fixed interval
AWS Account Security
Roles
• Use roles for resources
• Use switch roles
Groups
• Create different groups with different permissions for different teams and add users to those groups
• e.g. development teams need access only to specific resources: create a group for the dev team and create a policy using tags
Let's look at the example…
AWS Account Security: Example
Network Security
• Create a secured VPC design
• Use private & public subnets
• Use multiple VPCs to create a single entry point
• Enable VPC flow logs
• Network ACLs
• Security groups
Infrastructure Security
Some of the primary AWS services which we strongly recommend using:
• Enable CloudTrail; keep the logs in your primary account
• VPC flow logs; keep the logs in your primary account
• Use AWS Config: a useful tool
• Use CloudWatch: keeps all resource metrics and can be used for log management as well
Infrastructure Security
So how do we really protect our underlying infrastructure? Using a jumpbox
• Allow access only from specific IPs
• Keep your infrastructure in a private subnet, i.e. EC2 instances, RDS instances
• Enable multi-factor authentication on SSH
• Use per-user public keys rather than shared private keys: avoid sending .pem keys over email; distributing public keys is safer
• Avoid using common users (ec2-user, root, ubuntu, centos); create unique credentials for each user
Infrastructure Security
Additional security
• Use client VPN connectivity
• Use site-to-site VPN
• Enable ELB logs
• Move your server logs to a centralized location, i.e. CloudWatch
• Secure logs: auth logs, application logs
• Enable general logs on RDS
• Enable S3 logs
Security Audit
How do we do a security audit?
• Do not rely on humans
• Make your audit as automated as possible
• Perform weekly/monthly/quarterly audits on your infrastructure
Security Audit
What shall we audit? IAM
• Remove users who are no longer part of the team
• Disable users who are no longer active
• Make sure MFA is enabled for each user
• Remove old keys
• Enable API protection on the resources
• Avoid granting access to all resources
• Enable MFA on the root account
• Do not use access keys on the root account
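The key-review items under Users above and the IAM items on this slide can be scripted against the IAM credential report (the CSV returned by `aws iam get-credential-report`). The following is an added example, not code from the webinar or from Botmetric: it parses a constructed sample in that CSV layout and returns the findings; the 90-day windows, the user names and the dates are assumptions.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample in the column layout of an IAM credential report; names and dates are made up.
SAMPLE_REPORT = """user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service
<root_account>,arn:aws:iam::111122223333:root,2015-01-01T00:00:00+00:00,not_supported,2016-05-01T10:00:00+00:00,not_supported,not_supported,false,true,2015-01-01T00:00:00+00:00,2016-05-01T10:00:00+00:00,us-east-1,ec2,false,N/A,N/A,N/A,N/A
alice,arn:aws:iam::111122223333:user/alice,2016-01-10T00:00:00+00:00,true,2016-05-15T09:00:00+00:00,2016-01-10T00:00:00+00:00,N/A,true,true,2016-04-20T00:00:00+00:00,2016-05-16T11:00:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A
bob,arn:aws:iam::111122223333:user/bob,2015-06-01T00:00:00+00:00,true,2016-02-01T08:00:00+00:00,2015-06-01T00:00:00+00:00,N/A,false,true,2015-06-01T00:00:00+00:00,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A
"""

AS_OF = datetime(2016, 5, 17, tzinfo=timezone.utc)  # audit date used for the sample
MAX_KEY_AGE = timedelta(days=90)   # assumed rotation window
MAX_IDLE = timedelta(days=90)      # assumed "unused credential" window


def _ts(value):
    """Parse a report timestamp; N/A, not_supported and no_information -> None."""
    if not value or not value[0].isdigit():
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def audit_credential_report(report_csv, now):
    """Return (user, finding) pairs for the IAM items on the checklist."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        is_root = user == "<root_account>"
        # MFA on every console user and on the root account
        if row["mfa_active"] != "true" and (is_root or row["password_enabled"] == "true"):
            findings.append((user, "MFA not enabled"))
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] != "true":
                continue
            if is_root:  # root should have no access keys at all
                findings.append((user, f"access key {n} active on root account"))
            rotated = _ts(row[f"access_key_{n}_last_rotated"])
            if rotated and now - rotated > MAX_KEY_AGE:
                findings.append((user, f"access key {n} older than {MAX_KEY_AGE.days} days"))
            used = _ts(row[f"access_key_{n}_last_used_date"])
            if used is None or now - used > MAX_IDLE:  # never used counts as unused
                findings.append((user, f"access key {n} unused for {MAX_IDLE.days}+ days"))
        last_login = _ts(row["password_last_used"])
        if row["password_enabled"] == "true" and last_login and now - last_login > MAX_IDLE:
            findings.append((user, f"console password unused for {MAX_IDLE.days}+ days"))
    return findings


if __name__ == "__main__":
    for user, finding in audit_credential_report(SAMPLE_REPORT, AS_OF):
        print(f"{user}: {finding}")
```

Swap `SAMPLE_REPORT` for the decoded report of a real account and `AS_OF` for the current time to run it as a scheduled check.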
Security Audit
What shall we audit? Infrastructure access
• Disable SSH access for users who are not active
• Rotate the private key of EC2 servers on a regular basis
• Make sure MFA is enabled for each user
• Make sure access is given on an as-needed basis
• SSH port is not open to 0.0.0.0/0
• ELB logs are enabled
• ELB data transfer happens over secured communication
Production: No Man's Land
Why must we lock down production?
• That is where your data is stored
• That is where your customers' data is stored
• It must be secured and should not be accessible by everyone
So how do we work with production?
• How do we do deployments?
• How do we troubleshoot problems?
• How do we make database changes?
• How do we maintain our infrastructure?
AUTOMATION
Thou shalt relax and ask questions :)