Hello!
Jeremy Vincent, Solution Architect, Bulletproof
Aaron McKeown, Lead Security Architect, Xero
Neil Ramsay, Cloud Engineer, Bulletproof
What can you expect today?
An overview of:
• Xero
• AWS Migration Project
• AWS Security Principles
• Key Project Learnings
• Bulletproof
• Cloud Security Considerations
• Secure by Design Guidance
Who are we?
• Cloud House merged with Bulletproof in 2016
• First Premier Partner in A/NZ
• ASX listed (ASX:BPF)
• Only Premier Partner in NZ
• End-to-end Cloud services provider
• 700+ customers
• 16+ years of experience
• We help you disrupt, transform and innovate
Xero: Beautiful cloud-based accounting software
Connecting people with the right numbers anytime, anywhere, on any device
• 1450+ staff globally
• $474m raised in capital
• $202m subscription revenue FY16
• 23m+ businesses have interacted on the Xero platform
• $1tr incoming and outgoing transactions in past 12 months
• 450m incoming and outgoing transactions in past 12 months
All figures shown are in NZD
Public cloud migration
• Improving data protection
• Eliminating scheduled downtime
• Maintaining and improving security
• Supporting the next wave of growth
• Reducing our per customer cost
Approach: AWS Cloud Security
Security is a Journey
High Pace of Innovation with Cloud
Automation is key
How? AWS Cloud Security
• Focus on API Security: AWS IAM
• Fast rate of change: AWS CloudFormation
• Cloud native systems with consistent security capabilities: AWS KMS, AWS CloudTrail, AWS Config, CloudWatch Logs, CloudWatch Alarms, AWS IAM
How? Automation
[Pipeline diagram: Version Control (Ops commit to Git/master) → CI Server (get/pull code, config and tests; distributed builds; run tests in parallel) → Package Builder (create repo, create AMIs, generate CloudFormation templates for the environment) → Deploy Server (push and install config to Test Env, Staging Env and Prod Env)]
Key principles
Repeatable and automated build and management of security systems
Accelerated pace of security innovation
On-demand security infrastructure that works at any scale
Security as a service
• VPN connectivity
• Host Based Security
• Web Application Security and Delivery
• Shared Key Management Services
• Security Operations and Consulting Services
• Secure Bastion Access Proxy Services
Secure by Design
AWS Cloud Security
• Account structure
• VPC structure
• Service mapping
• Key services
• Visibility
• Logging/Monitoring
• Secure Bastions
Secure by Design
Account Structure
[Diagram: separate AWS accounts for Billing, Identity and Security, plus a Non-Production group (Development, Shared Services, UAT) and a Production group (Production, Staging, Shared Services)]
Secure by Design
Service Mapping
[Diagram: the account structure with the key services placed per account. Identity and Security accounts: AWS IAM, IAM Users, IAM Groups, AWS KMS, AWS CloudTrail, AWS Config, the CloudTrail and Config S3 buckets with their Glacier vaults, CloudWatch Logs, CloudWatch Alarms and SNS email notifications. Billing, Non-Production (Development, Shared Services, UAT) and Production (Production, Staging, Shared Services) accounts: IAM Roles and IAM Policies]
Secure by Design
VPC Structure
[Diagram: Production and Shared Services VPCs joined by VPC peering. Shared Services VPC: Internet Gateway, DMZ "Public" zone (Secure Bastion, WAF, NGFW, ADFS, with Amazon CloudFront in front), Protected "Private" zone (router, PKI, AD, Outbound Proxy, NTP, DNS), S3 VPC Endpoint, VPC Flow Log, IPSec VPN connection from a VPN Gateway to the Customer Gateway in the Corporate Data Center, Amazon Route 53, Static Assets S3 bucket, Backup S3 bucket. Production VPC: Production and Staging EC2 workloads, S3 VPC Endpoint, VPC Flow Log, VPN Gateway. Internet servers are reached via the Outbound Proxy]
Secure by Design
VPC Peering
[Same diagram as VPC Structure, here illustrating the VPC peering between the Production and Shared Services VPCs]
Secure by Design
VPC Endpoints
[Same diagram as VPC Structure, here illustrating the S3 VPC Endpoints in each VPC]
Secure by Design
CloudTrail (Day One)
CloudTrail Settings
• All Regions (multi-region setting)
• Log file integrity validation
• Log file encryption with KMS
S3 Bucket Policy
• Restrict authorised users to read-only access
• Allow only the CloudTrail service to have write access
[Diagram: AWS KMS and AWS CloudTrail → CloudTrail S3 bucket → CloudTrail Glacier vault via S3 lifecycle rules]
Secure by Design
Config (Day One)
Config Settings
• All Regions (Config has no multi-region setting, so automate enabling it in every region)
• Enable all available resource types for tracking
S3 Bucket Policy
• Restrict authorised users to read-only access
• Allow only the Config service to have write access
[Diagram: AWS Config → Config S3 bucket → Config Glacier vault via S3 lifecycle rules]
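The day-one checks on both the CloudTrail and Config slides can be scripted rather than eyeballed in the console. This is an added example, not code from the deck or from Xero/Bulletproof; it assumes trail fields named as boto3's cloudtrail describe_trails() returns them, and the sample trail and bucket policy below are constructed.

```python
# Day-one trail settings from the slide, keyed by the field names that boto3's
# cloudtrail describe_trails() returns (assumed shape; the deck shows no code).
REQUIRED_TRAIL = {"IsMultiRegionTrail": True, "LogFileValidationEnabled": True}
# S3 actions an authorised, read-only user may hold on the log bucket.
READ_ONLY = {"s3:GetObject", "s3:ListBucket", "s3:GetBucketLocation", "s3:GetBucketAcl"}

def check_trail(trail):
    """Return the names of the day-one settings this trail is missing."""
    missing = [k for k, v in REQUIRED_TRAIL.items() if trail.get(k) != v]
    if not trail.get("KmsKeyId"):  # log file encryption with KMS
        missing.append("KmsKeyId")
    return missing

def _as_set(value):
    return set(value if isinstance(value, list) else [value])

def _principals(stmt):
    principal = stmt.get("Principal", {})
    if principal == "*":
        return {"*"}
    return set().union(*(_as_set(v) for v in principal.values()))

def check_log_bucket_policy(policy, service):
    """Return (Sid, principals, write actions) for each Allow statement granting
    write access to anyone but the logging service's own PutObject delivery."""
    findings = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        writes = _as_set(stmt["Action"]) - READ_ONLY
        principals = _principals(stmt)
        if writes and not (principals == {service} and writes == {"s3:PutObject"}):
            findings.append((stmt.get("Sid"), sorted(principals), sorted(writes)))
    return findings

# Constructed sample inputs (not from the deck): a trail lacking validation and
# KMS encryption, and a bucket policy with one over-broad statement.
SAMPLE_TRAIL = {"Name": "org-trail", "IsMultiRegionTrail": True,
                "LogFileValidationEnabled": False}
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "TrailWrite", "Effect": "Allow", "Action": "s3:PutObject",
     "Principal": {"Service": "cloudtrail.amazonaws.com"}, "Resource": "*"},
    {"Sid": "SecOpsRead", "Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
     "Principal": {"AWS": "arn:aws:iam::111111111111:role/SecOpsReadOnly"}, "Resource": "*"},
    {"Sid": "TooBroad", "Effect": "Allow", "Action": "s3:*",
     "Principal": {"AWS": "arn:aws:iam::111111111111:role/Admin"}, "Resource": "*"},
]}
```

Pass "config.amazonaws.com" as the service to run the same bucket-policy check against the Config delivery bucket.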
Secure by Design
Identity and Access Management (IAM)
[Diagram: AWS IAM alongside the services it governs: Amazon EC2, AWS Elastic Beanstalk, AWS Lambda, Amazon CloudFront, Amazon S3, Amazon DynamoDB, Amazon RDS, Amazon Redshift, Amazon VPC, Amazon Route 53]
Logging/Monitoring: API
[Diagram: AWS CloudTrail delivers to CloudWatch Logs and to the CloudTrail S3 bucket (lifecycle rules to a CloudTrail Glacier vault); AWS Config delivers to the Config S3 bucket (lifecycle rules to a Config Glacier vault); CloudWatch metric filters on the logs drive CloudWatch alarms that notify via SNS email or trigger AWS Lambda, or the logs are sent to Amazon Elasticsearch Service instead]
Logging/Monitoring: OS, Network and Storage
[Diagram: S3 bucket access logs, Amazon CloudFront access logs and Elastic Load Balancing access logs each go to an Access Logs S3 bucket with lifecycle rules to an Access Logs Glacier vault; Amazon EC2 log events and VPC Flow Log packet records go to CloudWatch Logs, where CloudWatch metric filters drive CloudWatch alarms and SNS email notifications]
Secure by Design
Visibility
• CloudTrail, Config and the AWS Console provide a lot of great information
• It can be hard to find the needle in the haystack...
• Enter Netflix OSS Security Monkey
"You can't secure what you don't know about..."
Solution
Secure Bastions: Restrict Network Egress
[Diagram: RDP from the Secure Bastion to the SQL Tools Server, and from the SQL Tools Server to the SQL Server; the bastion's egress to the Internet is restricted]
Solution
Secure Bastions: Restrict EC2 Instance Profiles
[Diagram: a user logged in to the Secure Bastion over RDP can obtain the temporary AWS credentials of the "Secure Bastion" EC2 instance profile (an IAM role with its IAM policy). The diagram shows "Delete RDS SQL DB" as the capability to restrict on the bastion profile, while "Create RDS SQL DB" belongs to the separate "SQL Tools" EC2 instance profile, whose temporary credentials are what a logged-in user on the SQL Tools Server obtains]
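Whatever a user on the bastion can do with its temporary credentials is exactly what the instance profile's IAM policy allows, so the profile can be checked mechanically against a list of actions that must never be possible from the bastion. This is an added example, not code from the deck; it is a simplified evaluator (explicit Deny wins, wildcard matching only, no Conditions or NotAction), the three profile policies are constructed, and the deck's "Delete RDS SQL DB" and "Create RDS SQL DB" are taken as rds:DeleteDBInstance and rds:CreateDBInstance.

```python
from fnmatch import fnmatchcase

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(patterns, value):
    # IAM action names are case-insensitive; "*" and "?" are the only wildcards.
    return any(fnmatchcase(value.lower(), p.lower()) for p in _as_list(patterns))

def is_allowed(policy, action, resource="*"):
    """Simplified IAM evaluation: an explicit Deny on a matching statement wins,
    otherwise any matching Allow grants the action. Conditions are not modelled."""
    allowed = False
    for stmt in policy["Statement"]:
        if not _matches(stmt["Action"], action):
            continue
        if not any(fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed

def risky_actions(policy, actions):
    """Return the actions from `actions` that the profile's policy still permits."""
    return [a for a in actions if is_allowed(policy, a)]

# Constructed sample instance-profile policies (not from the deck).
BASTION_BEFORE = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "rds:*", "Resource": "*"}]}
# Hardened bastion profile: read-only on RDS, destructive actions explicitly denied.
BASTION_AFTER = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["rds:Describe*"], "Resource": "*"},
    {"Effect": "Deny", "Action": ["rds:Delete*", "rds:Modify*"], "Resource": "*"}]}
# The "SQL Tools" profile is the only one that may create databases.
SQL_TOOLS = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["rds:CreateDBInstance", "rds:Describe*"],
     "Resource": "*"}]}
# Actions that must not be reachable from a bastion login.
BASTION_FORBIDDEN = ["rds:DeleteDBInstance", "rds:CreateDBInstance"]
```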
Solution
Secure Bastions: Disposable
[Diagram: the Secure Bastion is deployed from a "Golden Image" AMI and replaced after 7 days; an EBS snapshot of the retired bastion is kept for forensics]
Key learnings
Measure and Test, Monitor Everything
Welcome to the cloud - "Where's my span port?"
Security by Design - What's that?
Communication is Key - Who are your spokespeople?
Final takeaways
Repeatable and automated build and management of security systems
Accelerated pace of security innovation
On-demand security infrastructure that works at any scale