© 2016 Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Andrew Kiggins, SA
July 13, 2016
Network Security and Access Control within AWS
What to Expect from the Session
• Configure network security using VPC
• Configure users, groups and roles to manage actions
• Configure monitoring and logging to audit changes
Network Security
Network Security Tools
• VPC
• Subnet
• Security Groups
• Network ACLs
• CloudFront
• Route53
• IPTables
VPC
[Diagram: region / VPC (BuildABeer-VPC-1) / security group (BuildABeer-SG-1). Inbound flows shown: "HTTP GET Beer" TCP(6) Port(80) and "NTP Buffer Overrun" UDP(17) Port(123)]
Network ACL
[Diagram: region / VPC (BuildABeer-VPC-1) / security group (BuildABeer-SG-1). Flows shown: "HTTP GET Beer" TCP(6) Port(80), and a second "HTTP GET Beer" TCP(6) Port(80) with srcIP=216.246.16.228]
Obfuscate
[Diagram: users -> Amazon Route 53 -> CloudFront -> region / VPC (BuildABeer-VPC-1), security group (BuildABeer-SG-1); components labelled Public subnet, Private subnet, servers, ELB; one path is marked FAIL]
End Run
[Diagram: Amazon Route 53 and CloudFront in front of region / VPC (BuildABeer-VPC-1). First frame: security group (BuildABeer-SG-1) with Public subnet, Private subnet, servers and one ELB labelled with both www.foo.com and mail.foo.com. Second frame: two stacks, each with a Public subnet, a Private subnet and an ELB: security group (BuildABeer-SG-1) holding the Mail servers, reached as mail.foo.com, and security group (BuildABeer-SG-2) holding the Web servers, reached as www.foo.com]
Hide 'n Go Seek
~>nslookup www.buildabeer.com
Server: 10.43.23.72
Address: 10.43.23.72#53
Non-authoritative answer:
www.buildabeer.us canonical name = d3u9qbug2y23to.cloudfront.net.
Name: d3u9qbug2y23to.cloudfront.net
Address: 52.84.20.173
<snip>
Name: d3u9qbug2y23to.cloudfront.net
Address: 52.84.20.85
~>nslookup ftp.buildabeer.com
Server: 10.43.23.72
Address: 10.43.23.72#53
Non-authoritative answer:
ftp.buildabeer canonical name = bab-elb-1-916251722.us-west-2.elb.amazonaws.com.
Name: bab-elb-1-916251722.us-west-2.elb.amazonaws.com
Address: 54.148.117.41
<snip>
Layers Of Defense
[Diagram: users -> region / VPC (BuildABeer-VPC-1), security group (BuildABeer-SG-1); Security services (IPS/IDS, WAF, Firewall) in the Public subnet, Web servers and ELB in Private subnets; request shown as Access Denied]
Access Points to AWS
CLI, API, Console
~>aws ec2 describe-instances
{
"Reservations": [
{
"Groups": [],
"Instances": [
{
"KeyName": "kiggins-bab-ec1-t2micro-keypair_0217",
"VirtualizationType": "hvm",
"AmiLaunchIndex": 0,
"SourceDestCheck": true,
"PublicIpAddress": "52.37.47.60",
"Architecture": "x86_64",
"RootDeviceType": "ebs",
#!/usr/bin/python3
import boto3
# Get the service resource
ec2 = boto3.resource('ec2')
# Print out each ec2 instance
for instance in ec2.instances.all():
    print(instance)
IAM
Who can access resources
• Accounts
• Users
  • IAM Users
  • Federated Users
• Groups
• Roles
• Services
[Diagram: IAM role, IAM Users, IAM Groups, Amazon EC2, Federated user]
IAM
Managing Your Policies
• IAM Policies
• Managed Policies
• Inline Policies
• Resource Based Policies
IAM
IAM policies
• Managed policies (newer way)
  • Can be attached to multiple users, groups, and roles
  • AWS managed policies: Created and maintained by AWS
  • Customer managed policies: Created and maintained by you
  • Up to 5K per policy
  • Up to 5 versions of a policy so you can roll back to a prior version
  • You can attach 10 managed policies per user, group, or role
  • You can limit who can attach which managed policies
• Inline policies (older way)
  • You create and embed directly in a single user, group, or role
  • Variable policy size (2K per user, 5K per group, 10K per role)
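As an added example (not from the talk), the contrast between a tightly scoped customer managed policy and an over-broad one, together with a small pre-attach check written in Python. The two policy documents, the lint rules and the SIZE_LIMITS table are illustrations; the size figures follow the slide's 5K/2K/5K/10K with K read as 1,024 characters, which is an assumption.

```python
import json

# Constructed example: a customer managed policy scoped to the single read-only
# call the describe-instances demo earlier in the deck needs. Policy text is an
# illustration, not taken from the talk.
LEAST_PRIVILEGE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DescribeInstancesOnly",
            "Effect": "Allow",
            "Action": ["ec2:DescribeInstances"],
            "Resource": "*",
        }
    ],
}

# Constructed counter-example: the kind of policy that accumulates in an inline
# policy until it grants everything.
OVERLY_BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Effect": "Allow", "Action": ["iam:*"], "Resource": "*"},
    ],
}

# Size ceilings as quoted on the slide, with K read as 1024 characters
# (assumption): managed 5K; inline 2K per user, 5K per group, 10K per role.
SIZE_LIMITS = {"managed": 5120, "user": 2048, "group": 5120, "role": 10240}


def _as_list(value):
    """IAM accepts a string or a list for Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def policy_size(policy):
    """Characters counted against the limit (IAM does not count whitespace)."""
    return len(json.dumps(policy, separators=(",", ":")))


def lint_policy(policy, attach_to="managed"):
    """Return findings for a policy before it is attached; an empty list is clean."""
    findings = []
    size = policy_size(policy)
    if size > SIZE_LIMITS[attach_to]:
        findings.append(f"size {size} exceeds {SIZE_LIMITS[attach_to]} characters for {attach_to}")
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        if "*" in actions:
            findings.append(f"statement {i}: Action '*' grants every API call")
        for action in actions:
            if action != "*" and action.endswith(":*"):
                findings.append(f"statement {i}: {action} grants every action in that service")
        if "*" in resources and any(a == "*" or a.startswith("iam:") for a in actions):
            findings.append(f"statement {i}: IAM or wildcard actions on Resource '*' let the holder widen their own permissions")
    return findings


if __name__ == "__main__":
    for name, policy in (("least privilege", LEAST_PRIVILEGE_POLICY), ("overly broad", OVERLY_BROAD_POLICY)):
        print(name, policy_size(policy), "chars:", lint_policy(policy) or "no findings")
```

Run the lint in the pipeline that creates or updates customer managed policies; a managed policy that fails it is easier to stop at that point than to hunt down later across the users, groups and roles it was attached to.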
IAM
Beyond IAM
• Amazon Directory Services
• AD Connector
• Customer Identity Broker
• AWS Directory Service
See also SEC307, A Progressive Journey Through AWS IAM Federation Options: https://www.youtube.com/watch?v=-XARG9W2bGc
Configuring Logging And Monitoring
Services
• AWS CloudTrail
• AWS Config
• Amazon Inspector
• VPC FlowLogs
AWS CloudTrail
Introduction to AWS CloudTrail
[Diagram: You are making API calls... on a growing set of AWS services around the world (e.g. Amazon EBS in us-east-2); CloudTrail is continuously recording API calls; the recorded calls feed Store/Archive, Troubleshoot, and Monitor & Alarm]
Use cases enabled by CloudTrail
• IT and security administrators can perform security analysis
• IT administrators and DevOps engineers can attribute changes on AWS resources to the identity, time and other critical details of who made the change
• DevOps engineers can troubleshoot operational issues
• IT Auditors can use log files as a compliance aid
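The attribution use case above, as an added example that is not part of the talk: a few constructed CloudTrail records are read and each mutating EC2 call is tied to the identity, time and source address that made it, with a security group ingress rule opened to 0.0.0.0/0 called out. The record shape is CloudTrail's standard {"Records": [...]} file format; the account id, user names, security group ids and addresses (198.51.100.0/24 is a documentation range) are made up.

```python
import json

# Constructed CloudTrail log file. Real files are delivered to S3 as gzipped
# JSON with the same {"Records": [...]} shape; ids, names and addresses below
# are made up.
SAMPLE_TRAIL = json.dumps({"Records": [
    {
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice", "userName": "alice"},
        "eventTime": "2016-07-13T18:02:11Z",
        "eventSource": "ec2.amazonaws.com",
        "eventName": "AuthorizeSecurityGroupIngress",
        "awsRegion": "us-west-2",
        "sourceIPAddress": "198.51.100.7",
        "requestParameters": {
            "groupId": "sg-0bab000000000001",
            "ipPermissions": {"items": [
                {"ipProtocol": "udp", "fromPort": 123, "toPort": 123,
                 "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}
            ]},
        },
        "responseElements": {"_return": True},
    },
    {
        "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::123456789012:assumed-role/bab-web-role/i-0bab0000000000001"},
        "eventTime": "2016-07-13T18:05:40Z",
        "eventSource": "ec2.amazonaws.com",
        "eventName": "DescribeInstances",
        "awsRegion": "us-west-2",
        "sourceIPAddress": "10.0.1.15",
        "requestParameters": {},
        "responseElements": None,
    },
    {
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/bob", "userName": "bob"},
        "eventTime": "2016-07-13T18:09:03Z",
        "eventSource": "ec2.amazonaws.com",
        "eventName": "AuthorizeSecurityGroupIngress",
        "awsRegion": "us-west-2",
        "sourceIPAddress": "198.51.100.9",
        "requestParameters": {
            "groupId": "sg-0bab000000000002",
            "ipPermissions": {"items": [
                {"ipProtocol": "tcp", "fromPort": 80, "toPort": 80,
                 "ipRanges": {"items": [{"cidrIp": "10.0.0.0/16"}]}}
            ]},
        },
        "responseElements": {"_return": True},
    },
]})


def load_records(trail_json):
    return json.loads(trail_json)["Records"]


def actor(record):
    """Best human-readable identity: the user name, else the ARN (covers assumed roles)."""
    ident = record.get("userIdentity", {})
    return ident.get("userName") or ident.get("arn") or ident.get("type", "unknown")


def world_open_ingress(record):
    """(groupId, protocol, fromPort, toPort) for each rule this call opened to 0.0.0.0/0."""
    if record.get("eventSource") != "ec2.amazonaws.com" or record.get("eventName") != "AuthorizeSecurityGroupIngress":
        return []
    if record.get("errorCode"):
        return []  # the call failed, so no rule was added
    params = record.get("requestParameters") or {}
    opened = []
    for perm in params.get("ipPermissions", {}).get("items", []):
        cidrs = [rng.get("cidrIp") for rng in perm.get("ipRanges", {}).get("items", [])]
        if "0.0.0.0/0" in cidrs:
            opened.append((params.get("groupId"), perm.get("ipProtocol"), perm.get("fromPort"), perm.get("toPort")))
    return opened


def attribute_changes(records):
    """Who changed what, when and from where; read-only Describe*/Get*/List* calls are skipped."""
    changes = []
    for rec in records:
        if rec["eventName"].startswith(("Describe", "Get", "List")):
            continue
        changes.append({
            "time": rec["eventTime"],
            "who": actor(rec),
            "source_ip": rec.get("sourceIPAddress"),
            "region": rec.get("awsRegion"),
            "action": rec["eventName"],
            "denied": bool(rec.get("errorCode")),
            "world_open": world_open_ingress(rec),
        })
    return changes


if __name__ == "__main__":
    for change in attribute_changes(load_records(SAMPLE_TRAIL)):
        flag = " <-- open to the internet" if change["world_open"] else ""
        print(f"{change['time']} {change['who']} {change['action']} from {change['source_ip']}{flag}")
```

The errorCode check matters for the alarm side: a denied AuthorizeSecurityGroupIngress is still worth seeing in the audit trail, but it changed nothing, so it should not be reported as an open rule.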
Security at Scale: Logging in AWS White Paper
AWS Config
• Get inventory of AWS resources
• Discover new and deleted resources
• Record configuration changes continuously
• Get notified when configurations change
AWS Config
Config Rules
• Check configuration changes
  • Periodic
  • Event driven
• Rules
  • Pre-built rules provided by AWS
  • Custom rules using AWS Lambda
• Use dashboard for visualizing compliance and identifying offending changes
Compliance Guideline                            | Non-compliance Action
------------------------------------------------|-------------------------------------
All EBS volumes should be encrypted             | Encrypt volumes
Instances must be within a VPC                  | Terminate Instance
Instances must be tagged with environment type  | Notify developer (email, page, SNS)

AWS Config – Rules (example – instances must be tagged with a DataClassification)
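The slide's example rule, written as an added custom Config rule in Python for AWS Lambda (example code, not from the talk): an EC2 instance is COMPLIANT only if it carries a non-empty DataClassification tag, other resource types and deleted resources are NOT_APPLICABLE. The handler follows the event shape Config passes to custom rules (invokingEvent as a JSON string with a configurationItem, ruleParameters, resultToken). The instance id, timestamp and result token in SAMPLE_EVENT are constructed, and boto3 is only imported inside the handler so the evaluation logic runs offline.

```python
import json

# Tag key from the slide's example rule; overridable through the rule's parameters.
DEFAULT_REQUIRED_TAG = "DataClassification"


def evaluate_compliance(configuration_item, required_tag=DEFAULT_REQUIRED_TAG):
    """Compliance type for one configuration item, as AWS Config expects it."""
    if configuration_item.get("resourceType") != "AWS::EC2::Instance":
        return "NOT_APPLICABLE"
    if configuration_item.get("configurationItemStatus") in ("ResourceDeleted", "ResourceDeletedNotRecorded"):
        return "NOT_APPLICABLE"  # nothing left to tag
    tags = configuration_item.get("tags") or {}
    # An empty value is treated the same as a missing key.
    return "COMPLIANT" if tags.get(required_tag) else "NON_COMPLIANT"


def build_evaluation(event):
    """Parse a Config rule invocation event into the evaluation to report back."""
    invoking_event = json.loads(event["invokingEvent"])
    item = invoking_event["configurationItem"]
    params = json.loads(event.get("ruleParameters") or "{}")
    required_tag = params.get("requiredTag", DEFAULT_REQUIRED_TAG)
    compliance = evaluate_compliance(item, required_tag)
    annotation = {
        "COMPLIANT": f"tag {required_tag} present",
        "NON_COMPLIANT": f"tag {required_tag} missing or empty",
        "NOT_APPLICABLE": "not an EC2 instance, or resource deleted",
    }[compliance]
    return {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": compliance,
        "Annotation": annotation,
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }


def lambda_handler(event, context):
    """Entry point when deployed as a custom Config rule."""
    evaluation = build_evaluation(event)
    import boto3  # imported here so evaluate_compliance/build_evaluation run offline
    boto3.client("config").put_evaluations(Evaluations=[evaluation], ResultToken=event["resultToken"])
    return evaluation


# Constructed invocation event for an instance that carries a Name tag but no
# DataClassification tag (instance id, timestamp and token are made up).
SAMPLE_EVENT = {
    "invokingEvent": json.dumps({
        "messageType": "ConfigurationItemChangeNotification",
        "configurationItem": {
            "resourceType": "AWS::EC2::Instance",
            "resourceId": "i-0bab0000000000001",
            "configurationItemStatus": "OK",
            "configurationItemCaptureTime": "2016-07-13T17:00:00.000Z",
            "tags": {"Name": "bab-web-1"},
        },
    }),
    "ruleParameters": json.dumps({"requiredTag": "DataClassification"}),
    "resultToken": "constructed-result-token",
}

if __name__ == "__main__":
    print(json.dumps(build_evaluation(SAMPLE_EVENT), indent=2))
```

Returning NOT_APPLICABLE for deleted resources keeps stale findings from lingering on the compliance dashboard, and the Annotation is what shows up beside the resource there, so it names the tag the developer has to add.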
Amazon Inspector
• Vulnerability Assessment Service
• Built from the ground up to support Dev/Ops Model
• Automatable via APIs
• AWS Context Aware
• Static & Dynamic Telemetry
• Integrated with CI/CD tools
• On-Demand Pricing model
• CVE & CIS Rules Packages
• AWS AppSec Best Practices
Rule packages
• CVE (common vulnerabilities and exposures)
  • 1000+ Rules Evaluated
• CIS (Center for Internet Security Benchmarks)
  • OS Hardening
  • Vulnerability
  • Patch
  • Inventory
  • Compliance
• AWS Security Best Practices
  • App Sec Learnings
VPC FlowLogs
Dumping out the heavy hitter IP addresses
#!/usr/bin/python3
import boto3
import sys

# Get the service resource
logs = boto3.client('logs')
# Get the log groups
groups = logs.describe_log_groups()
for logGroup in groups['logGroups']:
    # Get the LogStream for each logGroup
    logStreamsDesc = logs.describe_log_streams(logGroupName=logGroup['logGroupName'])
    for logStream in logStreamsDesc['logStreams']:
        events_resp = logs.get_log_events(logGroupName=logGroup['logGroupName'],
                                          logStreamName=logStream['logStreamName'])
        # Store each log entry by the src IP address. The default flow log
        # record is "version account-id interface-id srcaddr dstaddr ...",
        # so srcaddr is field index 3 (index 4 would be dstaddr).
        ip_dict = {}
        for event in events_resp['events']:
            ip = event['message'].split()[3]
            if ip in ip_dict:
                ip_dict[ip] = ip_dict[ip] + 1
            else:
                ip_dict[ip] = 1
        for w in sorted(ip_dict, key=ip_dict.get, reverse=True):
            print('{0:15} {1:8d}'.format(w, ip_dict[w]))
        # Early exit: the demo only looks at the first log stream
        sys.exit()
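The same heavy-hitter idea run offline against constructed flow log records, as an added example that is not part of the talk. It serves both the security group / network ACL slides earlier (a source sending UDP/123 that the group rejects) and this slide: it parses the default version 2 record format field by field, skips NODATA/SKIPDATA records, counts records per source the way the script above does, and adds a per-source view of REJECT actions and the destination ports they hit. The account id, ENI id and addresses (198.51.100.0/24 and 203.0.113.0/24 are documentation ranges) are made up.

```python
from collections import Counter, defaultdict

# Default VPC flow log record (version 2), space separated. srcaddr is field 3,
# which is why a per-source count has to read index 3, not 4.
FIELDS = ["version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes",
          "start", "end", "action", "log_status"]

# Constructed records: a web client on TCP/80 (accepted), a host sending UDP/123
# and one TCP/22 attempt that the security group rejects, and a NODATA record.
# Addresses are from documentation ranges; the account and ENI ids are made up.
SAMPLE_RECORDS = """\
2 123456789012 eni-0bab0001 198.51.100.23 10.0.1.15 54321 80 6 12 4800 1468432800 1468432860 ACCEPT OK
2 123456789012 eni-0bab0001 198.51.100.23 10.0.1.15 54322 80 6 10 4100 1468432800 1468432860 ACCEPT OK
2 123456789012 eni-0bab0001 203.0.113.77 10.0.1.15 40000 123 17 900 43200 1468432800 1468432860 REJECT OK
2 123456789012 eni-0bab0001 203.0.113.77 10.0.1.15 40001 123 17 850 40800 1468432800 1468432860 REJECT OK
2 123456789012 eni-0bab0001 203.0.113.77 10.0.1.15 40002 22 6 3 180 1468432800 1468432860 REJECT OK
2 123456789012 eni-0bab0001 10.0.1.15 198.51.100.23 80 54321 6 9 12000 1468432800 1468432860 ACCEPT OK
2 123456789012 eni-0bab0001 - - - - - - - 1468432800 1468432860 - NODATA
"""

NUMERIC = ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end")


def parse_record(line):
    """One record as a dict, or None for malformed lines and NODATA/SKIPDATA records."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    if rec["log_status"] != "OK":
        return None  # no traffic captured in the window; the address fields are "-"
    for name in NUMERIC:
        rec[name] = int(rec[name])
    return rec


def parse_records(text):
    return [rec for rec in (parse_record(line) for line in text.splitlines()) if rec]


def records_by_source(records):
    """Records per source address: the slide's heavy-hitter count, done offline."""
    return Counter(rec["srcaddr"] for rec in records)


def top_talkers(records, n=5):
    """Source addresses ranked by bytes rather than by record count."""
    volume = Counter()
    for rec in records:
        volume[rec["srcaddr"]] += rec["bytes"]
    return volume.most_common(n)


def rejected_by_source(records):
    """Per source the security group or NACL rejected: reject count and (protocol, dstport) pairs."""
    summary = defaultdict(lambda: {"rejects": 0, "dst_ports": set()})
    for rec in records:
        if rec["action"] != "REJECT":
            continue
        summary[rec["srcaddr"]]["rejects"] += 1
        summary[rec["srcaddr"]]["dst_ports"].add((rec["protocol"], rec["dstport"]))
    return dict(summary)


if __name__ == "__main__":
    recs = parse_records(SAMPLE_RECORDS)
    for ip, count in records_by_source(recs).most_common():
        print("{0:15} {1:8d}".format(ip, count))
    print("top talkers by bytes:", top_talkers(recs))
    print("rejected sources:", rejected_by_source(recs))
```

Counting bytes as well as records matters for the UDP/123 case: a handful of records can carry most of the volume, and the REJECT view shows which ports a source kept hitting after the security group turned it away, which is the signal to feed into an alarm.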
Partners
Thank you!
aws.amazon.com/security
aws.amazon.com/compliance
Remember to complete your evaluations!