Splunk Live - Security Best Practices for AWS

Date post: 07-Aug-2015
Upload: amazon-web-services
Transcript
Page 1: Splunk Live - Security Best Practices for AWS

Shaun Norris – Head of Solutions Architecture - ASEAN

Security Best Practices for AWS

Page 2: Splunk Live - Security Best Practices for AWS

Old World
• Large upfront capital investment
• Basic compute and storage only
• Responsible for feature upgrades
• Slow to get new capabilities

New World
• Low, variable cost
• Broad and deep platform
• New features arrive daily
• Ready to use

Page 3: Splunk Live - Security Best Practices for AWS

Some AWS Customers in Singapore.

Page 4: Splunk Live - Security Best Practices for AWS
Page 5: Splunk Live - Security Best Practices for AWS

What we will cover today

1. Understanding shared responsibility for security
2. Using AWS global reach and availability features
3. Building a secure virtual private cloud
4. Using AWS Identity and Access Management
5. Protecting your content on AWS
6. Building secure applications on AWS (and how Splunk can help)

Page 6: Splunk Live - Security Best Practices for AWS

Security best practices for AWS

1. Understanding shared responsibility for security
2. Using AWS global reach and availability features
3. Building a secure virtual private cloud
4. Using AWS Identity and Access Management
5. Protecting your content on AWS
6. Building secure applications on AWS

Page 7: Splunk Live - Security Best Practices for AWS

Every customer has access to the same security capabilities

AWS maintains a formal control environment:
• SOC 1 (SSAE 16 & ISAE 3204) Type II (was SAS70)
• SOC 2 Type 1
• ISO 27001 Certification
• Certified PCI DSS Level 1 Service Provider
• FedRAMP (FISMA), ITAR, FIPS 140-2
• HIPAA and MPAA capable

[Diagram: AWS Foundation Services (Compute, Storage, Database, Networking) on the AWS Global Infrastructure (Regions, Availability Zones, Edge Locations)]

Page 8: Splunk Live - Security Best Practices for AWS

Security is a shared responsibility between AWS and our customers

AWS responsibilities:
• Foundation Services: Compute, Storage, Database, Networking
• AWS Global Infrastructure: Regions, Availability Zones, Edge Locations
• Culture of security and continual improvement
• Ongoing audits and assurance
• Protection of large-scale service endpoints

Customer responsibilities:
• Customer content
• Platform, Applications, Identity & Access Management
• Operating System, Network & Firewall Configuration
• Client-side Data Encryption, Server-side Data Encryption, Network Traffic Protection
• Customers configure AWS security features
• Get access to a mature vendor marketplace
• Can implement and manage their own controls
• Gain additional assurance above AWS controls

Page 9: Splunk Live - Security Best Practices for AWS

You can build end-to-end compliance, certification and audit

AWS:
• Foundation Services: Compute, Storage, Database, Networking
• AWS Global Infrastructure: Regions, Availability Zones, Edge Locations
• Culture of security and continual improvement
• Ongoing audits and assurance
• Protection of large-scale service endpoints

Customers:
• Your compliant solutions
• Your certifications
• Your external audits and attestations
• Achieve PCI, HIPAA and MPAA compliance
• Certify against ISO27001 with a reduced scope
• Have key controls audited or publish your own independent attestations

Page 10: Splunk Live - Security Best Practices for AWS

Let AWS take care of the heavy lifting for you

AWS:
• Facilities
• Physical security
• Compute infrastructure
• Storage infrastructure
• Network infrastructure
• Virtualization layer (EC2)
• Hardened service endpoints
• Rich IAM capabilities

+ Customer:
• Network configuration
• Security groups
• OS firewalls
• Operating systems
• Applications
• Proper service configuration
• AuthN & acct management
• Authorization policies

= Customers get to choose the right level of security for their business. As an AWS customer you can focus on your business and not be distracted by the muck.

Page 11: Splunk Live - Security Best Practices for AWS

Customers retain full ownership and control of their content

Customers retain ownership of their intellectual property and content
• Customers manage their privacy objectives how they choose to
• Select the AWS geographical Region and no automatic replication elsewhere
• Customers can encrypt their content, retain management and ownership of keys and implement additional controls to protect their content within AWS

The security of our services and customers is key to AWS
• Security starts at the top in Amazon with a dedicated CISO and strong cultural focus
• Dedicated internal teams constantly looking at the security of our services
• AWS support personnel have no access to customer content

Page 12: Splunk Live - Security Best Practices for AWS

Security best practices for AWS

2. Using AWS global reach and availability features

Page 13: Splunk Live - Security Best Practices for AWS

AWS lets customers choose where their content goes

[Diagram: Region: ASIA PAC (Sydney)]

Page 14: Splunk Live - Security Best Practices for AWS

Take advantage of high availability in every Region

[Diagram: Availability Zone]

Page 15: Splunk Live - Security Best Practices for AWS

Build your solution for continuous, resilient operations

Scalable, fault tolerant services
• Build resilient solutions operating in multiple datacenters
• AWS helps simplify active-active operations

All AWS facilities are always on
• No need for a "Disaster Recovery Datacenter" when you can have resilience
• Every one managed to the same global standards

Robust connectivity and bandwidth
• Each AZ has multiple, redundant Tier 1 ISP Service Providers
• Resilient network infrastructure

Page 16: Splunk Live - Security Best Practices for AWS

Security best practices for AWS

3. Building a secure virtual private cloud

Page 17: Splunk Live - Security Best Practices for AWS

Each AWS Region has multiple availability zones

[Diagram: Availability Zone A, Availability Zone B]

Page 18: Splunk Live - Security Best Practices for AWS

Your VPC spans every availability zone in the Region

[Diagram: VPC spanning Availability Zone A and Availability Zone B]

Page 19: Splunk Live - Security Best Practices for AWS

Customers control their VPC IP address ranges

[Diagram: VPC A - 10.0.0.0/16 spanning Availability Zone A and Availability Zone B]

Choose your VPC address range
• Your own private, isolated section of the AWS cloud
• Every VPC has a private IP address space
• The maximum CIDR block you can allocate is /16
• For example 10.0.0.0/16 – this allows 256*256 = 65,536 IP addresses

Select IP addressing strategy
• You can't change the VPC address space once it's created
• Think about overlaps with other VPCs or existing corporate networks
• Don't waste address space, but don't constrain your growth either
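As an added example (not from the deck) of the address-range rules on this slide, the Python below validates a proposed VPC CIDR against the /16 ceiling and against overlap with ranges already in use, then carves it into /24 subnets and shows the 65,536-address budget. The corporate range 192.168.0.0/16 and the /28 lower bound are assumptions.

```python
import ipaddress

# Constructed sample: ranges already in use that a new VPC must not overlap.
# 10.0.0.0/16 is VPC A from the slides; the corporate range is assumed.
EXISTING_RANGES = ("10.0.0.0/16", "192.168.0.0/16")


def check_vpc_cidr(cidr, existing=EXISTING_RANGES):
    """Validate a proposed VPC range before creation, since it cannot be changed
    afterwards. Returns a list of problems; an empty list means it is usable."""
    problems = []
    try:
        net = ipaddress.ip_network(cidr, strict=True)  # host bits set -> error
    except ValueError as exc:
        return ["invalid CIDR %r: %s" % (cidr, exc)]
    if net.prefixlen < 16:
        problems.append("%s is larger than the /16 maximum a VPC can allocate" % net)
    if net.prefixlen > 28:  # AWS also enforces a /28 minimum (assumption, not on the slide)
        problems.append("%s is smaller than the /28 minimum" % net)
    if not net.is_private:
        problems.append("%s is not an RFC 1918 private range" % net)
    for other in existing:
        other_net = ipaddress.ip_network(other)
        if net.overlaps(other_net):
            problems.append("%s overlaps existing range %s" % (net, other_net))
    return problems


def plan_subnets(cidr, subnet_prefix=24, count=None):
    """Carve the VPC into equal subnets and report the address budget: the
    arithmetic behind '10.0.0.0/16 allows 256*256 = 65,536 addresses'."""
    net = ipaddress.ip_network(cidr)
    subnets = list(net.subnets(new_prefix=subnet_prefix))
    if count is not None:
        subnets = subnets[:count]
    return {
        "vpc": str(net),
        "total_addresses": net.num_addresses,
        "subnet_count": 2 ** (subnet_prefix - net.prefixlen),
        "subnets": [str(s) for s in subnets],
    }


if __name__ == "__main__":
    for candidate in ("10.1.0.0/16", "10.0.0.0/16", "10.0.0.0/8", "8.8.0.0/16"):
        print(candidate, check_vpc_cidr(candidate) or "OK")
    print(plan_subnets("10.1.0.0/16", 24, 5))
```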

Page 20: Splunk Live - Security Best Practices for AWS

We will concentrate on a single availability zone just now

[Diagram: VPC A - 10.0.0.0/16, Availability Zone A]

Page 21: Splunk Live - Security Best Practices for AWS

Segment your VPC address space into multiple subnets

[Diagram: VPC A - 10.0.0.0/16, Availability Zone A, with subnets 10.0.1.0/24, 10.0.2.0/24, 10.0.3.0/24, 10.0.4.0/24 and 10.0.5.0/24; EC2, EC2 Web and NAT instances]

Page 22: Splunk Live - Security Best Practices for AWS

Place your EC2 instances in subnets according to your design

[Diagram: VPC A - 10.0.0.0/16, Availability Zone A, subnets 10.0.1.0/24 to 10.0.5.0/24 holding EC2 Web, EC2 App, Log, NAT and Jump instances]

Page 23: Splunk Live - Security Best Practices for AWS

Use VPC security groups to firewall your instances

[Diagram: VPC A - 10.0.0.0/16, Availability Zone A, subnets 10.0.1.0/24 to 10.0.5.0/24 holding EC2 Web, EC2 App, Log, NAT and Jump instances]

"Web servers can connect to app servers on port 8080"

Page 24: Splunk Live - Security Best Practices for AWS

Use separate security groups for applications and management

[Diagram: VPC A - 10.0.0.0/16, Availability Zone A, subnets 10.0.1.0/24 to 10.0.5.0/24 holding EC2 Web, EC2 App, Log, NAT and Jump instances]

"Web servers can connect to app servers on port 8080"

"Allow outbound connections to the log server"

"Allow SSH and ICMP from hosts in the Jump Hosts security group"

Page 25: Splunk Live - Security Best Practices for AWS

Use Network Access Control Lists to restrict internal VPC traffic

[Diagram: VPC A - 10.0.0.0/16, Availability Zone A, subnets 10.0.1.0/24 to 10.0.5.0/24 with a Router between them; EC2 Web, EC2 App, Log, NAT and Jump instances]

Page 26: Splunk Live - Security Best Practices for AWS

Use Network Access Control Lists to restrict internal VPC traffic

[Diagram: VPC A - 10.0.0.0/16, Availability Zone A, subnets 10.0.1.0/24 to 10.0.5.0/24 with a Router between them; EC2 Web, EC2 App, Log, NAT and Jump instances]

"Deny all traffic between the web server subnet and the database server subnet"

Page 27: Splunk Live - Security Best Practices for AWS

Use Network Access Control Lists for defence in depth

[Diagram: VPC A - 10.0.0.0/16, Availability Zone A, subnets 10.0.1.0/24 to 10.0.5.0/24 with a Router between them; EC2 Web, EC2 App, Log, NAT and Jump instances]

NACLs are optional
• Applied at subnet level, stateless and permit all by default
• ALLOW and DENY
• Applies to all instances in the subnet
• Use as a second line of defence
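The security-group and NACL behaviour described on the last few slides, as an added example that is not part of the deck: a small Python model of stateful security groups versus stateless, numbered NACL rules, used to show why a NACL deny between the web and database subnets still holds when a security group is misconfigured, and why a stateless NACL needs its own ephemeral-port rule for reply traffic. Which /24 holds which tier is an assumption (the slides do not label them).

```python
import ipaddress
from dataclasses import dataclass

# Assumed subnet roles for this example: web 10.0.1.0/24, database 10.0.3.0/24,
# app 10.0.4.0/24 (the deck shows the subnets but does not label the tiers).
WEB_SUBNET, DB_SUBNET, APP_SUBNET = "10.0.1.0/24", "10.0.3.0/24", "10.0.4.0/24"


@dataclass
class Rule:
    action: str       # "allow" or "deny" (security group rules are always "allow")
    protocol: str     # "tcp", "udp", "icmp" or "-1" for any protocol
    from_port: int
    to_port: int
    source: str       # CIDR, or for security groups the name of another group
    number: int = 0   # NACL rule number; NACL rules are evaluated in ascending order


def _matches(rule, ip, peer_sg, protocol, port):
    if rule.protocol not in ("-1", protocol):
        return False
    if rule.protocol != "-1" and not rule.from_port <= port <= rule.to_port:
        return False
    if "/" in rule.source:
        return ip in ipaddress.ip_network(rule.source)
    return rule.source == peer_sg


def sg_allows(ingress, src_ip, src_sg, protocol, port):
    """Security groups are stateful allow-lists: any matching rule admits the
    connection and the reply traffic is admitted automatically."""
    ip = ipaddress.ip_address(src_ip)
    return any(_matches(r, ip, src_sg, protocol, port) for r in ingress)


def nacl_allows(rules, peer_ip, protocol, port):
    """NACLs are stateless: the lowest-numbered matching rule decides, the
    implicit final '*' rule denies, and replies need their own rule."""
    ip = ipaddress.ip_address(peer_ip)
    for r in sorted(rules, key=lambda r: r.number):
        if _matches(r, ip, None, protocol, port):
            return r.action == "allow"
    return False


def connection_allowed(src_ip, src_sg, dst_sg_ingress, nacl_in, nacl_out,
                       protocol, port, reply_port):
    """A TCP connection works only if the destination's security group admits it
    and the destination subnet's NACL admits both the request (inbound) and the
    reply to the client's ephemeral port (outbound)."""
    return (sg_allows(dst_sg_ingress, src_ip, src_sg, protocol, port)
            and nacl_allows(nacl_in, src_ip, protocol, port)
            and nacl_allows(nacl_out, src_ip, protocol, reply_port))


# The default NACL permits everything (rule 100, allow all), as the slide says.
DEFAULT_NACL = [Rule("allow", "-1", 0, 65535, "0.0.0.0/0", 100)]

# Constructed NACL for the database subnet: deny the web subnet outright (the
# slide's example), allow MySQL from the rest of the VPC, implicit deny otherwise.
DB_NACL_IN = [Rule("deny", "-1", 0, 65535, WEB_SUBNET, 100),
              Rule("allow", "tcp", 3306, 3306, "10.0.0.0/16", 200)]
DB_NACL_OUT = [Rule("deny", "-1", 0, 65535, WEB_SUBNET, 100),
               Rule("allow", "tcp", 1024, 65535, "10.0.0.0/16", 200)]  # ephemeral replies

# Security groups from the slides: web -> app on 8080; database only from app.
APP_SG = [Rule("allow", "tcp", 8080, 8080, "web-sg")]
DB_SG = [Rule("allow", "tcp", 3306, 3306, "app-sg")]
DB_SG_MISCONFIGURED = [Rule("allow", "tcp", 3306, 3306, "10.0.0.0/16")]  # too broad


def scenarios():
    web_ip, app_ip = "10.0.1.10", "10.0.4.10"
    return {
        "web_to_app_8080": connection_allowed(
            web_ip, "web-sg", APP_SG, DEFAULT_NACL, DEFAULT_NACL, "tcp", 8080, 50000),
        "app_to_db_3306": connection_allowed(
            app_ip, "app-sg", DB_SG, DB_NACL_IN, DB_NACL_OUT, "tcp", 3306, 50000),
        "web_to_db_3306": connection_allowed(
            web_ip, "web-sg", DB_SG, DB_NACL_IN, DB_NACL_OUT, "tcp", 3306, 50000),
        # Defence in depth: the SG mistake admits web -> db, the NACL still stops it.
        "sg_alone_misconfigured": sg_allows(DB_SG_MISCONFIGURED, web_ip, "web-sg", "tcp", 3306),
        "web_to_db_sg_misconfigured": connection_allowed(
            web_ip, "web-sg", DB_SG_MISCONFIGURED, DB_NACL_IN, DB_NACL_OUT, "tcp", 3306, 50000),
        # Stateless caveat: drop the outbound ephemeral rule and the reply is lost.
        "app_to_db_no_reply_rule": connection_allowed(
            app_ip, "app-sg", DB_SG, DB_NACL_IN, DB_NACL_IN[:1], "tcp", 3306, 50000),
    }


if __name__ == "__main__":
    for name, ok in scenarios().items():
        print("%-28s %s" % (name, "allowed" if ok else "blocked"))
```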

Page 28: Splunk Live - Security Best Practices for AWS

Use Elastic Load Balancers to distribute traffic between instances

[Diagram: VPC A - 10.0.0.0/16, Availability Zone A, subnets 10.0.1.0/24 to 10.0.5.0/24; an Elastic Load Balancer in front of the EC2 Web instances; EC2 App, Log, NAT, Jump and Router]

Page 29: Splunk Live - Security Best Practices for AWS

Your security can scale up and down with your solution

[Diagram: VPC A - 10.0.0.0/16, Availability Zone A, subnets 10.0.1.0/24 to 10.0.5.0/24; an Elastic Load Balancer and an Auto scaling group of EC2 Web instances; EC2 App, Log, NAT, Jump and Router]

Elastic load balancers
• Instances can automatically be added and removed from the balancing pool using rules
• You can add instances into security groups at launch time

Page 30: Splunk Live - Security Best Practices for AWS

Add an Internet Gateway to route Internet traffic from your VPC

[Diagram: VPC A - 10.0.0.0/16, Availability Zone A, subnets 10.0.1.0/24 to 10.0.4.0/24 with EC2 Web, EC2 App and NAT instances; VPC Router connected to an Internet Gateway]

Page 31: Splunk Live - Security Best Practices for AWS

You choose what subnets can route to the Internet

[Diagram: VPC A - 10.0.0.0/16, Availability Zone A, subnets 10.0.1.0/24 to 10.0.4.0/24 with EC2 Web and EC2 App instances; VPC Router connected to an Internet Gateway]

Internet routing
• Add route tables to subnets to control Internet traffic flows – these become Public subnets
• Internet Gateway routing allows you to allocate a static Elastic IP address or use AWS-managed public IP addresses for your instance

Page 32: Splunk Live - Security Best Practices for AWS

Integrating your VPC with your existing infrastructure

[Diagram: Your premises]

Page 33: Splunk Live - Security Best Practices for AWS

Add a Virtual Private Gateway to route traffic to your premises

[Diagram: VPC A - 10.0.0.0/16, Availability Zone A, subnets 10.0.1.0/24 to 10.0.4.0/24 with EC2 Web, EC2 App and NAT instances; VPC Router connected to a Virtual Private Gateway, which links to Your premises]

Page 34: Splunk Live - Security Best Practices for AWS

You can create multiple IPSEC tunnels to your own VPN endpoints

[Diagram: VPC A - 10.0.0.0/16, Availability Zone A, subnets 10.0.1.0/24 to 10.0.4.0/24 with EC2 Web, EC2 App and NAT instances; VPC Router, Virtual Private Gateway and a Customer Gateway at Your premises]

Page 35: Splunk Live - Security Best Practices for AWS

You can also connect privately using AWS Direct Connect

[Diagram: VPC A - 10.0.0.0/16, Availability Zone A, subnets 10.0.1.0/24 to 10.0.4.0/24 with EC2 Web, EC2 App and NAT instances; VPC Router, Virtual Private Gateway, Direct Connect and a Customer Gateway at Your premises]

Page 36: Splunk Live - Security Best Practices for AWS

You can also create VPNs over Direct Connect if required

[Diagram: VPC A - 10.0.0.0/16, Availability Zone A, subnets 10.0.1.0/24 to 10.0.4.0/24 with EC2 Web, EC2 App and NAT instances; VPC Router, Virtual Private Gateway, Direct Connect and a Customer Gateway at Your premises]

Page 37: Splunk Live - Security Best Practices for AWS

You can route VPC Internet connections through your own gateways

[Diagram: VPC A - 10.0.0.0/16, Availability Zone A, subnets 10.0.1.0/24 to 10.0.4.0/24 with EC2 Web, EC2 App and NAT instances; VPC Router, Virtual Private Gateway, Direct Connect and a Customer Gateway at Your premises]

Page 38: Splunk Live - Security Best Practices for AWS

You can have both Internet and private connectivity to your VPC

[Diagram: VPC A - 10.0.0.0/16, Availability Zone A, subnets 10.0.1.0/24 to 10.0.4.0/24 with EC2 Web, EC2 App and NAT instances; VPC Router, Virtual Private Gateway, Direct Connect and a Customer Gateway at Your premises; Internet Gateway and NAT reaching Amazon S3 and DynamoDB]

Page 39: Splunk Live - Security Best Practices for AWS

You can access AWS Internet endpoints using Direct Connect

[Diagram: VPC A - 10.0.0.0/16, Availability Zone A, subnets 10.0.1.0/24 to 10.0.4.0/24 with EC2 Web, EC2 App and NAT instances; VPC Router, Virtual Private Gateway, Direct Connect and a Customer Gateway at Your premises; Internet Gateway and NAT reaching Amazon S3 and DynamoDB]

Page 40: Splunk Live - Security Best Practices for AWS

You can distribute load across availability zones to build resilience

[Diagram: VPC A - 10.0.0.0/16 across Availability Zone A and Availability Zone B; in each zone a Public subnet with Web instances and Private subnets with Application instances; Elastic Load Balancers in front of the Web tier and the Application tier; Auto scaling groups for each tier; Internet Gateway]

Page 41: Splunk Live - Security Best Practices for AWS

ELBs will balance traffic in an AZ and redirect in case of failure

[Diagram: VPC A - 10.0.0.0/16 across Availability Zone A and Availability Zone B; in each zone a Public subnet with Web instances and Private subnets with Application instances; Elastic Load Balancers in front of the Web tier and the Application tier; Auto scaling groups for each tier; Internet Gateway]

Page 42: Splunk Live - Security Best Practices for AWS

Security best practices for AWS

4. Using AWS Identity and Access Management

Page 43: Splunk Live - Security Best Practices for AWS

You have fine grained control of your AWS environment

AWS IAM enables you to securely control access to AWS services and resources
• Fine grained control of user permissions, resources and actions
• Now includes support for RunInstances
• Add multi factor authentication: hardware token or smartphone apps
• Test out your new policies using the Identity and Access Management policy simulator

Page 44: Splunk Live - Security Best Practices for AWS

Segregate duties between roles with IAM

[Diagram: Region containing VPC A - 10.0.0.0/16 with Subnet 10.0.1.0/24 and Subnet 10.0.2.0/24 across two Availability Zones, a Router, an Internet Gateway to the Internet and a Customer Gateway]

You get to choose who can do what in your AWS environment and from where
• AWS account owner (master)
• Network management
• Security management
• Server management
• Storage management
• Manage and operate

Page 45: Splunk Live - Security Best Practices for AWS

Use AWS CloudTrail (beta) to track access to APIs and IAM

Increase your visibility of what happened in your AWS environment
• CloudTrail will record access to API calls and save logs in your S3 buckets, no matter how those API calls were made
• Who did what and when and from what IP address
• Be notified of log file delivery using the AWS Simple Notification Service
• Support for many AWS services including EC2, EBS, VPC, RDS, IAM, STS and Redshift
• Aggregate log information into a single S3 bucket
• Out of the box integration with log analysis tools from AWS partners including Splunk, AlertLogic and SumoLogic

Page 46: Splunk Live - Security Best Practices for AWS

AWS CloudTrail logs can be used for many powerful use cases

CloudTrail can help you achieve many tasks
• Security analysis
• Track changes to AWS resources, for example VPC security groups and NACLs
• Compliance – understand AWS API call history
• Troubleshoot operational issues – quickly identify the most recent changes to your environment

CloudTrail is currently available in US-WEST1 and US-EAST1
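An added example (not from the deck) of the "who did what, when and from what IP address" and "track changes to security groups and NACLs" use cases on the last two slides: Python that reads a constructed CloudTrail log file in the real Records layout and pulls out network changes, rules opened to 0.0.0.0/0 and root-account activity. The event values, identities and resource ids are made up.

```python
import json

# Constructed sample CloudTrail log file. The layout (a JSON object with a
# "Records" array and these field names) is CloudTrail's; the values are made up.
SAMPLE_CLOUDTRAIL = json.dumps({"Records": [
    {"eventTime": "2015-08-07T02:15:01Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "requestParameters": {"groupId": "sg-0example", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
          "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
    {"eventTime": "2015-08-07T02:16:40Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "requestParameters": {}},
    {"eventTime": "2015-08-07T03:02:12Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "CreateNetworkAclEntry", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/NetOps/bob"},
     "requestParameters": {"networkAclId": "acl-0example", "ruleNumber": 100,
                           "egress": False, "ruleAction": "deny", "cidrBlock": "10.0.1.0/24"}},
    {"eventTime": "2015-08-07T03:05:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateAccessKey", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root"},
     "requestParameters": {"userName": "deploy"}},
]})

# EC2 API actions that change security groups or NACLs (the slide's
# "track changes to AWS resources" use case).
NETWORK_CHANGE_EVENTS = {
    "AuthorizeSecurityGroupIngress", "AuthorizeSecurityGroupEgress",
    "RevokeSecurityGroupIngress", "RevokeSecurityGroupEgress",
    "CreateSecurityGroup", "DeleteSecurityGroup",
    "CreateNetworkAclEntry", "ReplaceNetworkAclEntry", "DeleteNetworkAclEntry",
    "CreateNetworkAcl", "DeleteNetworkAcl",
}


def load_records(text):
    return json.loads(text)["Records"]


def actor(record):
    """Who: the IAM user name, else the assumed-role/root ARN, else the identity type."""
    ident = record.get("userIdentity", {})
    return ident.get("userName") or ident.get("arn") or ident.get("type", "unknown")


def summarize(record):
    """Who did what, when and from what IP address, as one line."""
    return "%s %s %s from %s" % (record["eventTime"], actor(record),
                                 record["eventName"], record["sourceIPAddress"])


def network_changes(records):
    return [r for r in records if r.get("eventSource") == "ec2.amazonaws.com"
            and r.get("eventName") in NETWORK_CHANGE_EVENTS]


def world_open_ingress(records):
    """Security group rules opened to 0.0.0.0/0, as
    (time, actor, group id, protocol, from port, to port)."""
    findings = []
    for r in records:
        if r.get("eventName") != "AuthorizeSecurityGroupIngress":
            continue
        params = r.get("requestParameters", {})
        for perm in params.get("ipPermissions", {}).get("items", []):
            for rng in perm.get("ipRanges", {}).get("items", []):
                if rng.get("cidrIp") == "0.0.0.0/0":
                    findings.append((r["eventTime"], actor(r), params.get("groupId"),
                                     perm.get("ipProtocol"), perm.get("fromPort"),
                                     perm.get("toPort")))
    return findings


def root_activity(records):
    """Calls made with the account root rather than an IAM user or role."""
    return [summarize(r) for r in records
            if r.get("userIdentity", {}).get("type") == "Root"]


if __name__ == "__main__":
    recs = load_records(SAMPLE_CLOUDTRAIL)
    for r in network_changes(recs):
        print("network change:", summarize(r))
    for f in world_open_ingress(recs):
        print("open to the world:", f)
    for line in root_activity(recs):
        print("root account used:", line)
```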

Page 47: Splunk Live - Security Best Practices for AWS

Federate AWS IAM with your existing directories

Keep control of who can do what on AWS using your existing directory
• AWS IAM now supports SAML 2.0
• Federate with on-premise directories like Active Directory or another SAML 2.0 compliant identity provider
• Use Active Directory users and groups in AWS for authentication and authorization
• E.g. 'Database Administrators' AD security group can have access to create and manage on-premise and AWS RDS instances

Page 48: Splunk Live - Security Best Practices for AWS

How you can make the maximum use of AWS IAM features

Avoid hard-coding
You don't need to put credentials into applications – access AWS resources using IAM roles for EC2
• Search your source code for hard-coded access keys
• Create IAM roles with least-privilege permissions for access to relevant AWS services, e.g. an S3 bucket
• Use IAM roles in your application and launch your EC2 instance with the role
• You can also use this technique to distribute non-AWS credentials to your applications to avoid checking them into GitHub!

Rotate your AWS access keys regularly
Having a shorter period an access key is active will reduce the impact if compromised
• Create a second access key in addition to the one in use
• Update all your applications to use the new access key and validate that the applications are working
• Change the state of the previous access key to inactive
• Validate that your applications are still working as expected
• Delete the inactive access key
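The hard-coded-key search and the five rotation steps above, as one added Python example that is not the deck's own code: the search keys on the fixed shape of an access key id, and the rotation runs against a constructed in-memory stand-in for the boto3 IAM client (same call names, not boto3 itself) with a health check gating each step, so a failing application leaves the old key active rather than locking the deployment out.

```python
import re

# Access key ids have a fixed shape (AKIA followed by 16 upper-case
# alphanumerics), which is what a source-code search can key on.
ACCESS_KEY_ID_RE = re.compile(r"(?<![A-Z0-9])AKIA[0-9A-Z]{16}(?![A-Z0-9])")


def find_hardcoded_keys(source_files):
    """source_files: {path: text}. Returns (path, line number, key id) hits."""
    hits = []
    for path, text in source_files.items():
        for n, line in enumerate(text.splitlines(), start=1):
            for m in ACCESS_KEY_ID_RE.finditer(line):
                hits.append((path, n, m.group(0)))
    return hits


class FakeIamClient:
    """In-memory stand-in for the boto3 IAM client (constructed for this
    example, not boto3). It mimics the four calls used below and IAM's limit of
    two access keys per user, and records the call sequence for inspection."""

    def __init__(self, existing_key_ids):
        self.keys = {k: "Active" for k in existing_key_ids}
        self.calls = []
        self._seq = 0

    def list_access_keys(self, UserName):
        self.calls.append("list_access_keys")
        return {"AccessKeyMetadata": [{"AccessKeyId": k, "Status": s}
                                      for k, s in self.keys.items()]}

    def create_access_key(self, UserName):
        self.calls.append("create_access_key")
        if len(self.keys) >= 2:
            raise RuntimeError("LimitExceeded: at most two access keys per user")
        self._seq += 1
        key_id = "AKIANEW%013d" % self._seq  # placeholder id, 20 chars like a real one
        self.keys[key_id] = "Active"
        return {"AccessKey": {"AccessKeyId": key_id, "SecretAccessKey": "<placeholder>"}}

    def update_access_key(self, UserName, AccessKeyId, Status):
        self.calls.append("update_access_key:" + Status)
        self.keys[AccessKeyId] = Status

    def delete_access_key(self, UserName, AccessKeyId):
        self.calls.append("delete_access_key")
        del self.keys[AccessKeyId]


def rotate_access_key(iam, user, deploy_new_key, applications_healthy):
    """The slide's five steps with a validation gate after each change.
    deploy_new_key(key) pushes the new key to every application;
    applications_healthy() is the check that the applications still work."""
    keys = iam.list_access_keys(UserName=user)["AccessKeyMetadata"]
    if len(keys) != 1:
        raise RuntimeError("expected one key for %s, found %d" % (user, len(keys)))
    old_id = keys[0]["AccessKeyId"]
    new = iam.create_access_key(UserName=user)["AccessKey"]          # 1. second key
    deploy_new_key(new)                                              # 2. update apps
    if not applications_healthy():
        iam.delete_access_key(UserName=user, AccessKeyId=new["AccessKeyId"])
        raise RuntimeError("applications failed on the new key; old key still active")
    iam.update_access_key(UserName=user, AccessKeyId=old_id, Status="Inactive")  # 3.
    if not applications_healthy():                                   # 4. validate
        iam.update_access_key(UserName=user, AccessKeyId=old_id, Status="Active")
        raise RuntimeError("something still uses the old key; re-activated it")
    iam.delete_access_key(UserName=user, AccessKeyId=old_id)         # 5. delete
    return new["AccessKeyId"]


def run_rotation(healthy_results):
    """Drive one rotation against the fake client. healthy_results is the
    sequence of answers the health check gives. Returns (outcome, statuses, calls)."""
    iam = FakeIamClient(["AKIAIOSFODNN7EXAMPLE"])  # AWS's documented example key id
    answers = iter(healthy_results)
    deployed = []
    try:
        new_id = rotate_access_key(iam, "deploy", deployed.append, lambda: next(answers))
        outcome = "rotated:" + new_id
    except RuntimeError as exc:
        outcome = "aborted:" + str(exc)
    return outcome, dict(iam.keys), iam.calls


if __name__ == "__main__":
    print(run_rotation([True, True]))    # clean rotation
    print(run_rotation([True, False]))   # old key still in use somewhere
    print(find_hardcoded_keys({"app/settings.py": 'AWS_KEY = "AKIAIOSFODNN7EXAMPLE"'}))
```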

Page 49: Splunk Live - Security Best Practices for AWS

Integrate AWS IAM with web identities in your solutions

Use IAM roles to authorise web identities access to AWS resources
• Your users can sign-in with multiple authentication options
• Roles can be created on-the-fly to permit AWS resource access
• Token validity can be limited
• No need to run your own EC2 endpoints

Page 50: Splunk Live - Security Best Practices for AWS

Your solutions can also use your existing directories

Your applications don't need to use AWS IAM
• Customers retain their own design choices
• Extend internal directories into AWS over private connections
• Replicate internal directories into your VPC or use trust domains
• Create new directories within your VPC

Page 51: Splunk Live - Security Best Practices for AWS

Security best practices for AWS

5. Protecting your content on AWS

Page 52: Splunk Live - Security Best Practices for AWS

AWS has many different content storage services

[Diagram: EBS, DBA, S3, RDS, Redshift]

Page 53: Splunk Live - Security Best Practices for AWS

Making use of available Amazon S3 security features

Configure S3 access controls at bucket and object level
• Restrict access and rights as tightly as possible and regularly review access logs
• Use versioning for important files, with MFA required for delete

Use S3 cryptographic features
• Use SSL to protect data in transit
• S3 server side encryption: AWS will transparently encrypt your objects using AES-256 and manage the keys on your behalf
• Use S3 client side encryption: encrypt information before sending it to S3; build yourself or use the AWS Java SDK
• Use MD5 checksums to verify the integrity of objects loaded into S3

Page 54: Splunk Live - Security Best Practices for AWS

Encrypting EBS volumes on Amazon EC2 instances

Volume encryption built into EBS
• Use KMS to control the keys which perform disk encryption
• Seamless, transparent to operating system

Managing encryption keys is critical and difficult!
• How will you manage keys and make sure they are available when required, for example at instance start-up?
• How will you keep them available and prevent loss?
• How will you rotate keys on a regular basis and keep them private?

Page 55: Splunk Live - Security Best Practices for AWS

Use the AWS CloudHSM to store encryption keys

Tamper-resistant, customer controlled hardware security module within your VPC
• Industry-standard SafeNet Luna devices. Common Criteria EAL4+, NIST FIPS 140-2 certified
• No access from Amazon administrators who manage and maintain the appliance
• High availability and replication to on-premise HSMs

Reliable & Durable Key Storage
• Use for transparent data encryption on self-managed databases and natively with AWS Redshift
• Integrate with applications using Java APIs
• Integration with marketplace disk-encryption and SSL services coming soon

Page 56: Splunk Live - Security Best Practices for AWS

Security best practices for AWS

6. Building secure applications on AWS

Page 57: Splunk Live - Security Best Practices for AWS

Controlling and launching your Amazon EC2 instances

You choose the base image. They are stored as Amazon Machine Images (AMIs).

[Diagram: AMI catalogue]

Amazon maintained images
AWS maintains a catalogue of operating system images and regularly refreshes them so you have a known baseline
• Amazon, RedHat, Ubuntu or SUSE Linux
• Microsoft Windows 2008 and 2012

Your own images
• You can save your OS configurations as private AMIs
• Can reduce time to launch new servers, for example save a pre-configured web server and use it when auto-scaling

Amazon Marketplace images
• Maintained by Amazon's partner community

Community images
• Images other people have made public
• Many popular free packages and tools

Page 58: Splunk Live - Security Best Practices for AWS

You decide on network placement and security group membership

[Diagram: AMI catalogue -> Launch instance -> Running instance (EC2)]

You choose the instance configuration

Host configuration
• CPU, memory, architecture type
• You can vertically scale this anytime by simply restarting with a new configuration

Network placement
• VPC subnet, or EC2 classic
• Choose whether to automatically attach an Internet IP address

Security groups
• Add up to five security groups at launch, or anytime

Access keys and IAM roles

Page 59: Splunk Live - Security Best Practices for AWS

You decide how to configure your instance environment

[Diagram: AMI catalogue -> Launch instance -> Running instance -> Configure instance -> Your instance; layers above the Operating system: User administration, Whitelisting and integrity, Malware and IPS, Vulnerability management, Audit and logging, Hardening and configuration]

You take responsibility for final configuration

Harden operating system and platforms
• Use standard hardening guides and techniques
• Apply latest security patches – Amazon maintains repositories

Use host-based protection software
• Think of how they will work in an elastic environment - hosts may only be in use for hours before being replaced

Think about how you will manage administrative users
• Restrict access as much as possible

Build out the rest of your standard security environment

Page 60: Splunk Live - Security Best Practices for AWS

Test the security of your solutions before go-live

You need to apply the same secure coding principles as you currently do
• Build secure applications that can defend against common threats like XSS and SQL Injection
• Implement the OWASP Top 10 for web apps
• Perform regular penetration and web application security tests
• Don't wait for Little Bobby Tables to find your application!

Run through AWS best practices, audit and operational checklists before release

Page 61: Splunk Live - Security Best Practices for AWS

Patch applications and platforms regularly

Frequent patching is one of the most effective controls
• Design applications that can survive regular recycling and rebuilding of hosts – queues and workers
• Customers are responsible for patching their EC2 instances
• Keep track of patch levels and dependencies which mean applications can't be patched
• Aim to patch critical vulnerabilities in hours or days, not weeks
• Subscribe to security mailing lists and news sources

AWS Elastic Beanstalk can help reduce patching burden for most web application platforms

Page 62: Splunk Live - Security Best Practices for AWS

Check the integrity of configurations and platforms

Is your solution still configured the way you intended?
• Are you using CloudTrail to monitor changes made through APIs?
• Is the configuration of your AWS services correct?
  • VPC networks, Security groups and NACLs
  • IAM policies and rights – who has access and why

Script and automate describing your entire AWS environment and compare the results on an ongoing basis
• Consider using configuration integrity checking for EC2 instances – Tripwire, Chef and Puppet
• Have uncontrolled changes been applied? If so, how did it happen? Can you prevent reoccurrence?
• Try and whitelist what can be installed and run on hosts

Perform these checks on a regular basis
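An added example (not from the deck) of "script and automate describing your entire AWS environment and compare the results on an ongoing basis": Python that flattens two constructed snapshots in the shape of ec2.describe_security_groups() output into rule sets, diffs them, and flags the uncontrolled changes that matter most (admin ports or all traffic opened to the world). The group ids, names and rules are made up.

```python
import json

# Constructed snapshots in the shape of ec2.describe_security_groups() output
# (the structure is the real one; group ids, names and rules are made up).
BASELINE = json.dumps({"SecurityGroups": [
    {"GroupId": "sg-web", "GroupName": "web-sg", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-jump"}]}]},
    {"GroupId": "sg-app", "GroupName": "app-sg", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,
         "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-web"}]}]},
]})

# The same environment described later: someone opened SSH to the world on the
# web group and dropped the jump-host rule; the app group is unchanged.
CURRENT = json.dumps({"SecurityGroups": [
    {"GroupId": "sg-web", "GroupName": "web-sg", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []}]},
    {"GroupId": "sg-app", "GroupName": "app-sg", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,
         "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-web"}]}]},
]})

ADMIN_PORTS = (22, 3389)


def normalize(snapshot_json):
    """Flatten a describe_security_groups() result into a set of rule tuples
    (group, protocol, from_port, to_port, source) so two snapshots compare
    regardless of ordering."""
    rules = set()
    for sg in json.loads(snapshot_json)["SecurityGroups"]:
        for perm in sg.get("IpPermissions", []):
            key = (sg["GroupId"], perm["IpProtocol"],
                   perm.get("FromPort", -1), perm.get("ToPort", -1))
            for rng in perm.get("IpRanges", []):
                rules.add(key + (rng["CidrIp"],))
            for pair in perm.get("UserIdGroupPairs", []):
                rules.add(key + (pair["GroupId"],))
    return rules


def diff_snapshots(baseline_json, current_json):
    base, cur = normalize(baseline_json), normalize(current_json)
    return {"added": sorted(cur - base), "removed": sorted(base - cur)}


def is_risky(rule):
    """An uncontrolled change worth paging on: an admin port, or all traffic,
    reachable from anywhere."""
    _, proto, from_port, to_port, source = rule
    if source != "0.0.0.0/0":
        return False
    return proto == "-1" or any(from_port <= p <= to_port for p in ADMIN_PORTS)


def drift_report(baseline_json, current_json):
    """Compare the stored baseline with a fresh description of the environment."""
    report = diff_snapshots(baseline_json, current_json)
    report["risky"] = [r for r in report["added"] if is_risky(r)]
    report["drifted"] = bool(report["added"] or report["removed"])
    return report


if __name__ == "__main__":
    for key, value in drift_report(BASELINE, CURRENT).items():
        print("%-8s %s" % (key, value))
```

With boto3 the current snapshot would come from `ec2.describe_security_groups()` (the same structure) on a schedule, with the baseline refreshed only through the change process.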

Page 63: Splunk Live - Security Best Practices for AWS

Block threats to your application

Traditional network intrusion detection and prevention is less relevant now
• Attackers have moved to layer 7 (HTTP) so we need to follow them there
• You can still build an effective DMZ within the VPC using a wide range of open source or AWS technology partner solutions

Drop bad traffic before it hits your application and databases
• Can be deployed in two-way configuration to implement simple DLP, for example scan outgoing traffic for Credit Card Numbers
• Design for scale and high-availability using ELBs
• Scale fast and wide to cope with huge traffic volumes
• Build a solution designed to cope with volumetric attacks

Let's build an example in the next slides

Page 64: Splunk Live - Security Best Practices for AWS

Monitor for security incidents and have a plan to respond

Customers are responsible for detecting and responding to security incidents within their solutions
• What sources of information, logging and data are available to you? AWS CloudTrail will capture and log API and IAM activity
• How do you plan to monitor these? AWS CloudWatch can help you monitor your AWS resources and notify you when alarms go off
• How will you know if an incident has taken place?
• What will you do if you detect an incident?
• What data may have been accessed and what would be the impact of disclosure?

Page 65: Splunk Live - Security Best Practices for AWS
Page 66: Splunk Live - Security Best Practices for AWS

Software as a Service

Page 67: Splunk Live - Security Best Practices for AWS

Self Managed
• BYOL - AMIs available on AWS Marketplace
• Hunk for EMR – available hourly as AWS OEM

Page 68: Splunk Live - Security Best Practices for AWS

Splunk and AWS Integration

Splunk provides Search, Visualization, Analytics & Alerting for:
• AWS CloudTrail
• AWS Config
• Amazon EMR
• Amazon S3
• Amazon Kinesis
• Amazon CloudWatch

Page 69: Splunk Live - Security Best Practices for AWS

For more info

http://aws.amazon.com
• /security
• /compliance
• /support

Page 70: Splunk Live - Security Best Practices for AWS

 

Shaun Norris @shaunnorris

Thanks!

