
Network Security and Access Control within AWS

Jan 15, 2017

Transcript
Page 1: Network Security and Access Control within AWS

© 2016 Amazon Web Services, Inc. or its Affiliates. All rights reserved.

Andrew Kiggins, SA, July 13, 2016

Network Security and Access Control within AWS

Page 2: Network Security and Access Control within AWS

What to Expect from the Session

• Configure network security using VPC
• Configure users, groups and roles to manage actions
• Configure monitoring and logging to audit changes

Page 3: Network Security and Access Control within AWS

Network Security

Page 4: Network Security and Access Control within AWS

Network Security Tools

• VPC

• Subnet

• Security Groups

• Network ACLs

• CloudFront

• Route53

• IPTables

Page 5: Network Security and Access Control within AWS

Diagram: region > VPC (BuildABeer-VPC-1) > security group (BuildABeer-SG-1)

Traffic shown against the security group:
• HTTP GET Beer, TCP(6) Port(80)
• NTP Buffer Overrun, UDP(17) Port(123)

Page 6: Network Security and Access Control within AWS

Diagram: region > Network ACL > VPC (BuildABeer-VPC-1) > security group (BuildABeer-SG-1)

Traffic shown:
• HTTP GET Beer, TCP(6) Port(80)
• HTTP GET Beer, TCP(6) Port(80), srcIP=216.246.16.228
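The two diagrams above show the division of labour between the two VPC filters: the security group is a stateful allow list (anything without a matching rule, such as the NTP probe on UDP/123, is dropped), while the network ACL is an ordered, stateless allow/deny list that can refuse a specific source address before the security group is even consulted. The Python model below is an added example, not code from the deck; the rule sets, the 203.0.113.x / 198.51.100.x addresses and the rule numbers are constructed, and only inbound traffic is modelled.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

TCP, UDP = 6, 17


@dataclass(frozen=True)
class Packet:
    src_ip: str
    protocol: int
    dst_port: int


@dataclass(frozen=True)
class SgRule:
    protocol: int
    from_port: int
    to_port: int
    cidr: str


@dataclass(frozen=True)
class AclRule:
    number: int
    protocol: int      # -1 means all protocols (ports are then ignored)
    from_port: int
    to_port: int
    cidr: str
    action: str        # "allow" or "deny"


def _rule_matches(protocol, from_port, to_port, cidr, pkt):
    if protocol != -1 and protocol != pkt.protocol:
        return False
    if protocol != -1 and not (from_port <= pkt.dst_port <= to_port):
        return False
    return ip_address(pkt.src_ip) in ip_network(cidr)


def security_group_allows(rules, pkt):
    """Security groups are allow lists: any matching rule admits the packet and
    there are no deny rules, so no match means dropped. Return traffic for an
    allowed flow is admitted statefully and is not modelled here."""
    return any(_rule_matches(r.protocol, r.from_port, r.to_port, r.cidr, pkt) for r in rules)


def network_acl_decision(rules, pkt):
    """Network ACLs are ordered allow/deny lists: lowest rule number first,
    first match wins, and the implicit '*' rule denies everything unmatched."""
    for r in sorted(rules, key=lambda r: r.number):
        if _rule_matches(r.protocol, r.from_port, r.to_port, r.cidr, pkt):
            return r.action
    return "deny"


def inbound_decision(acl_rules, sg_rules, pkt):
    """Inbound packets cross the subnet's network ACL before the instance's security group."""
    if network_acl_decision(acl_rules, pkt) != "allow":
        return "dropped by network ACL"
    if not security_group_allows(sg_rules, pkt):
        return "dropped by security group"
    return "delivered"


# Constructed rule sets modelled on the BuildABeer diagrams.
BUILDABEER_SG_1 = [SgRule(TCP, 80, 80, "0.0.0.0/0")]           # web traffic only
BUILDABEER_ACL = [
    AclRule(100, -1, 0, 65535, "216.246.16.228/32", "deny"),    # refuse the offending source first
    AclRule(200, -1, 0, 65535, "0.0.0.0/0", "allow"),           # then let the security group decide
]

if __name__ == "__main__":
    for pkt in (Packet("203.0.113.10", TCP, 80),        # HTTP GET Beer
                Packet("203.0.113.10", UDP, 123),       # NTP probe, no matching SG rule
                Packet("216.246.16.228", TCP, 80)):     # HTTP from the address the NACL denies
        print(pkt, "->", inbound_decision(BUILDABEER_ACL, BUILDABEER_SG_1, pkt))
```

The third packet is the reason the deck adds a network ACL on page 6: the security group alone would accept HTTP from 216.246.16.228 because it only sees protocol and port, whereas the NACL can deny by source address.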

Page 7: Network Security and Access Control within AWS

Obfuscate

Diagram labels: region; VPC (BuildABeer-VPC-1); Amazon Route 53; CloudFront; users; security group (BuildABeer-SG-1); Public subnet; servers; Private subnet; ELB

Page 8: Network Security and Access Control within AWS

FAIL

Page 9: Network Security and Access Control within AWS

End Run

Diagram labels: region; VPC (BuildABeer-VPC-1); Amazon Route 53; CloudFront; www.foo.com; mail.foo.com

• security group (BuildABeer-SG-1): Public subnet, servers, Private subnet, ELB
• security group (BuildABeer-SG-1): Public subnet, Mail servers, Private subnet, ELB (mail.foo.com)
• security group (BuildABeer-SG-2): Public subnet, Web servers, Private subnet, ELB (www.foo.com)

Page 10: Network Security and Access Control within AWS

Hide 'n Go Seek

~>nslookup www.buildabeer.com
Server:   10.43.23.72
Address:  10.43.23.72#53

Non-authoritative answer:
www.buildabeer.us canonical name = d3u9qbug2y23to.cloudfront.net.
Name:     d3u9qbug2y23to.cloudfront.net
Address:  52.84.20.173
<snip>
Name:     d3u9qbug2y23to.cloudfront.net
Address:  52.84.20.85

~>nslookup ftp.buildabeer.com
Server:   10.43.23.72
Address:  10.43.23.72#53

Non-authoritative answer:
ftp.buildabeer canonical name = bab-elb-1-916251722.us-west-2.elb.amazonaws.com.
Name:     bab-elb-1-916251722.us-west-2.elb.amazonaws.com
Address:  54.148.117.41
<snip>

Page 11: Network Security and Access Control within AWS

Layers Of Defense

Diagram labels: region; VPC (BuildABeer-VPC-1); users; security group (BuildABeer-SG-1); Public subnet; Private subnet: Web servers; Private subnet: ELB; Security services (IPS/IDS, WAF, Firewall)

Page 12: Network Security and Access Control within AWS

Access Denied

Page 13: Network Security and Access Control within AWS

Access Points to AWS

CLI, API, Console

~>aws ec2 describe-instances
{
    "Reservations": [
        {
            "Groups": [],
            "Instances": [
                {
                    "KeyName": "kiggins-bab-ec1-t2micro-keypair_0217",
                    "VirtualizationType": "hvm",
                    "AmiLaunchIndex": 0,
                    "SourceDestCheck": true,
                    "PublicIpAddress": "52.37.47.60",
                    "Architecture": "x86_64",
                    "RootDeviceType": "ebs",

#!/usr/bin/python3

import boto3

# Get the service resource
ec2 = boto3.resource('ec2')

# Print out each ec2 instance
for instance in ec2.instances.all():
    print(instance)

Page 14: Network Security and Access Control within AWS

IAM

Who can access resources

• Accounts
• Users
  • IAM Users
  • Federated Users
• Groups
• Roles
• Services

Diagram labels: IAM role; IAM Users; IAM Groups; Amazon EC2; Federated user

Page 15: Network Security and Access Control within AWS

IAM

Managing Your Policies

• IAM Policies

• Managed Policies

• Inline Policies

• Resource Based Policies

Page 16: Network Security and Access Control within AWS

IAM

IAM policies

• Managed policies (newer way)
  • Can be attached to multiple users, groups, and roles
  • AWS managed policies: Created and maintained by AWS
  • Customer managed policies: Created and maintained by you
  • Up to 5K per policy
  • Up to 5 versions of a policy so you can roll back to a prior version
  • You can attach 10 managed policies per user, group, or role
  • You can limit who can attach which managed policies
• Inline policies (older way)
  • You create and embed directly in a single user, group, or role
  • Variable policy size (2K per user, 5K per group, 10K per role)
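Whichever way a policy is attached, the evaluation rules are the same: an explicit Deny in any applicable statement wins, otherwise any matching Allow grants the request, otherwise it is implicitly denied. The script below is an added example, not code from the deck, and models only that core logic (no Condition blocks, NotAction/NotResource, resource-based policies or SCPs). The customer managed policy, account id and log group name are constructed placeholders; the size check uses the 5K figure quoted on the slide and should be compared against the current IAM quota before relying on it.

```python
import fnmatch
import json

# Constructed customer managed policy for a flow-log reviewer (placeholder account id).
FLOWLOG_REVIEWER_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["ec2:Describe*", "logs:DescribeLogGroups"], "Resource": "*"},
        {"Effect": "Allow",
         "Action": ["logs:DescribeLogStreams", "logs:GetLogEvents"],
         "Resource": "arn:aws:logs:us-west-2:123456789012:log-group:flowlogs:*"},
        {"Effect": "Deny", "Action": "ec2:TerminateInstances", "Resource": "*"},
    ],
})


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _wildcard_match(patterns, value):
    # IAM patterns use '*' and '?'; fnmatchcase implements both.
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def is_allowed(policy_docs, action, resource):
    """Simplified IAM evaluation over a list of policy documents (JSON strings):
    explicit Deny wins, then any Allow, otherwise implicit deny."""
    allowed = False
    for doc in policy_docs:
        for stmt in _as_list(json.loads(doc)["Statement"]):
            if "Action" not in stmt or "Resource" not in stmt:
                continue  # NotAction / NotResource statements are not modelled here
            actions = [a.lower() for a in _as_list(stmt["Action"])]  # action names are case-insensitive
            if not _wildcard_match(actions, action.lower()):
                continue
            if not _wildcard_match(stmt["Resource"], resource):      # ARNs are case-sensitive
                continue
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def within_size_limit(doc, limit=5120):
    """Managed policies are size limited (the slide quotes 5K); IAM does not count
    whitespace, so the document is measured in its compact form."""
    return len(json.dumps(json.loads(doc), separators=(",", ":"))) <= limit


if __name__ == "__main__":
    docs = [FLOWLOG_REVIEWER_POLICY]
    stream = "arn:aws:logs:us-west-2:123456789012:log-group:flowlogs:log-stream:eni-0a1b2c3d-all"
    for action, resource in (("ec2:DescribeInstances", "*"),
                             ("ec2:TerminateInstances", "*"),
                             ("logs:GetLogEvents", stream)):
        print(f"{action:24} {resource:60} allowed={is_allowed(docs, action, resource)}")
    print("within size limit:", within_size_limit(FLOWLOG_REVIEWER_POLICY))
```

Because the deny is evaluated across every attached document, adding a broad Allow policy to the same principal does not re-enable TerminateInstances; that is the property to rely on when a managed policy is shared by several users, groups and roles.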

Page 17: Network Security and Access Control within AWS

IAM

Beyond IAM

Amazon Directory Services
AD Connector
Customer Identity Broker
AWS Directory Service

SEC307 A Progressive Journey Through AWS IAM Federation Options
- https://www.youtube.com/watch?v=-XARG9W2bGc

Page 18: Network Security and Access Control within AWS

Configuring Logging And Monitoring

Page 19: Network Security and Access Control within AWS

Services

• AWS CloudTrail

• AWS Config

• Amazon Inspector

• VPC FlowLogs

Page 20: Network Security and Access Control within AWS

AWS CloudTrail

us-east-2

Page 21: Network Security and Access Control within AWS

Introduction to AWS CloudTrail

Diagram labels: Store/Archive; Troubleshoot; Monitor & Alarm; Amazon EBS

You are making API calls... on a growing set of AWS services around the world... CloudTrail is continuously recording API calls

Page 22: Network Security and Access Control within AWS

Use cases enabled by CloudTrail

• IT and security administrators can perform security analysis
• IT administrators and DevOps engineers can attribute changes on AWS resources to the identity, time and other critical details of who made the change
• DevOps engineers can troubleshoot operational issues
• IT Auditors can use log files as a compliance aid

Security at Scale: Logging in AWS White Paper

Page 23: Network Security and Access Control within AWS

AWS Config

• Get inventory of AWS resources

• Discover new and deleted resources

• Record configuration changes continuously

• Get notified when configurations change

Page 24: Network Security and Access Control within AWS

AWS Config

Page 25: Network Security and Access Control within AWS

AWS Config

Page 26: Network Security and Access Control within AWS

Config Rules

• Check configuration changes
  • Periodic
  • Event driven
• Rules
  • Pre-built rules provided by AWS
  • Custom rules using AWS Lambda
• Use dashboard for visualizing compliance and identifying offending changes

Compliance Guideline                               Non-compliance Action
All EBS volumes should be encrypted                Encrypt volumes
Instances must be within a VPC                     Terminate Instance
Instances must be tagged with environment type     Notify developer (email, page, SNS)

Page 27: Network Security and Access Control within AWS

AWS Config – Rules (example – instances must be tagged with a DataClassification)
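A custom Config rule of the kind shown on this slide is a Lambda function that receives the changed configuration item, decides COMPLIANT / NON_COMPLIANT / NOT_APPLICABLE, and reports the verdict back with PutEvaluations. The code below is an added example, not the deck's own rule: the compliance logic is kept in plain functions so it can be run and tested without AWS credentials, and only the handler touches boto3. The sample event, instance id and timestamp are constructed placeholders; the rule parameter name requiredTag is an assumption.

```python
import json

DEFAULT_REQUIRED_TAG = "DataClassification"


def evaluate_compliance(configuration_item, required_tag=DEFAULT_REQUIRED_TAG):
    """Decide compliance for one configuration item; returns (type, annotation)."""
    if configuration_item.get("resourceType") != "AWS::EC2::Instance":
        return "NOT_APPLICABLE", "Rule only evaluates EC2 instances"
    if configuration_item.get("configurationItemStatus") in ("ResourceDeleted", "ResourceDeletedNotRecorded"):
        return "NOT_APPLICABLE", "Resource was deleted"
    tags = configuration_item.get("tags") or {}
    value = (tags.get(required_tag) or "").strip()
    if not value:                                   # missing or blank tag is a finding
        return "NON_COMPLIANT", "Missing required tag " + required_tag
    return "COMPLIANT", required_tag + "=" + value


def build_evaluation(event):
    """Turn the Config custom-rule Lambda event into one PutEvaluations entry."""
    invoking = json.loads(event["invokingEvent"])
    # Oversized-change notifications carry no inline item and are not handled here.
    item = invoking["configurationItem"]
    params = json.loads(event.get("ruleParameters") or "{}")
    compliance, annotation = evaluate_compliance(item, params.get("requiredTag", DEFAULT_REQUIRED_TAG))
    return {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": compliance,
        "Annotation": annotation[:256],              # Config limits annotations to 256 characters
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }


def lambda_handler(event, context):
    evaluation = build_evaluation(event)
    import boto3  # imported here so the pure functions above run offline
    boto3.client("config").put_evaluations(Evaluations=[evaluation], ResultToken=event["resultToken"])
    return evaluation


# Constructed event in the shape Config sends to a custom rule (placeholder ids).
SAMPLE_EVENT = {
    "invokingEvent": json.dumps({
        "messageType": "ConfigurationItemChangeNotification",
        "configurationItem": {
            "resourceType": "AWS::EC2::Instance",
            "resourceId": "i-0123456789abcdef0",
            "configurationItemStatus": "OK",
            "configurationItemCaptureTime": "2016-07-13T18:00:00.000Z",
            "tags": {"Name": "bab-web-1", "environment": "prod"},   # no DataClassification tag
        },
    }),
    "ruleParameters": json.dumps({"requiredTag": "DataClassification"}),
    "resultToken": "constructed-result-token",
}

if __name__ == "__main__":
    print(json.dumps(build_evaluation(SAMPLE_EVENT), indent=2))
```

Returning NOT_APPLICABLE for deleted resources and for other resource types keeps the compliance dashboard from filling with stale or irrelevant findings; the non-compliance action itself (notify, tag, or terminate, as in the table on page 26) belongs in a separate automation triggered by the compliance change, not inside the evaluation function.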

Page 28: Network Security and Access Control within AWS

Amazon Inspector

• Vulnerability Assessment Service

• Built from the ground up to support Dev/Ops Model

• Automatable via APIs

• AWS Context Aware

• Static & Dynamic Telemetry

• Integrated with CI/CD tools

• On-Demand Pricing model

• CVE & CIS Rules Packages

• AWS AppSec Best Practices

Page 29: Network Security and Access Control within AWS

Rule packages

• CVE (common vulnerabilities and exposures)

• 1000+ Rules Evaluated

• CIS (Center for Internet Security Benchmarks)

• OS Hardening

• Vulnerability

• Patch

• Inventory

• Compliance

• AWS Security Best Practices

• App Sec Learnings

Page 30: Network Security and Access Control within AWS

VPC FlowLogs

Page 31: Network Security and Access Control within AWS

Dumping out the heavy hitter IP addresses

#!/usr/bin/python3

import boto3

# Get the service client
logs = boto3.client('logs')

# Get the log groups
groups = logs.describe_log_groups()

for logGroup in groups['logGroups']:
    # Get the LogStreams for each logGroup
    logStreamsDesc = logs.describe_log_streams(logGroupName=logGroup['logGroupName'])

    for logStream in logStreamsDesc['logStreams']:
        events_resp = logs.get_log_events(logGroupName=logGroup['logGroupName'],
                                          logStreamName=logStream['logStreamName'])

        # Store each log entry by the src IP address. In the default flow log
        # record format the fields are: version account-id interface-id srcaddr
        # dstaddr srcport dstport protocol packets bytes start end action
        # log-status, so srcaddr is field 3 (zero-based).
        ip_dict = {}
        for event in events_resp['events']:
            ip = event['message'].split()[3]
            if ip in ip_dict:
                ip_dict[ip] = ip_dict[ip] + 1
            else:
                ip_dict[ip] = 1

        for w in sorted(ip_dict, key=ip_dict.get, reverse=True):
            print('{0:15} {1:8d}'.format(w, ip_dict[w]))

        # Early exit: the demo summarises only the first log stream
        exit()
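The script above pulls flow log records straight from CloudWatch Logs and counts by one positional field. The added example below (not code from the deck) does the same analysis offline over a few constructed records in the default flow log format, naming every field so the source/destination columns cannot be mixed up, dropping NODATA/SKIPDATA records that carry no traffic, and splitting the count by ACCEPT and REJECT so that a source which is repeatedly refused stands out from a busy legitimate client. The interface id, account id and addresses are placeholders; with boto3 you would feed it the joined event['message'] strings from get_log_events.

```python
from collections import Counter, defaultdict

# Field names of the default VPC flow log record format, in order.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

# Constructed sample records (placeholder account, ENI and addresses).
SAMPLE_FLOW_LOG = """\
2 123456789012 eni-0a1b2c3d 203.0.113.10 10.0.1.25 51212 80 6 12 5400 1468433000 1468433060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 216.246.16.228 10.0.1.25 44100 123 17 1 76 1468433000 1468433060 REJECT OK
2 123456789012 eni-0a1b2c3d 216.246.16.228 10.0.1.25 44101 123 17 1 76 1468433001 1468433061 REJECT OK
2 123456789012 eni-0a1b2c3d 216.246.16.228 10.0.1.25 44102 22 6 1 60 1468433002 1468433062 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.25 51300 80 6 8 3100 1468433003 1468433063 ACCEPT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1468433004 1468433064 - NODATA
"""


def parse_record(line):
    """Map one flow log line onto FIELDS; None for malformed lines or records
    without traffic (log_status NODATA / SKIPDATA)."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    if rec["log_status"] != "OK":
        return None
    return rec


def heavy_hitters(text, action=None, top=5):
    """Most frequent source addresses, optionally restricted to ACCEPT or REJECT records."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_record(line)
        if rec and (action is None or rec["action"] == action):
            counts[rec["srcaddr"]] += 1
    return counts.most_common(top)


def rejected_ports_by_source(text):
    """Destination ports each source was refused on, from REJECT records only."""
    ports = defaultdict(set)
    for line in text.splitlines():
        rec = parse_record(line)
        if rec and rec["action"] == "REJECT":
            ports[rec["srcaddr"]].add(int(rec["dstport"]))
    return dict(ports)


if __name__ == "__main__":
    print("all sources:     ", heavy_hitters(SAMPLE_FLOW_LOG))
    print("rejected sources:", heavy_hitters(SAMPLE_FLOW_LOG, action="REJECT"))
    print("refused ports:   ", rejected_ports_by_source(SAMPLE_FLOW_LOG))
```

A REJECT record is the security group or network ACL from pages 5 and 6 doing its job; a single source collecting rejects across several destination ports is the pattern worth a CloudWatch metric filter and alarm, which is where the "Monitor & Alarm" path on page 21 comes in.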

Page 32: Network Security and Access Control within AWS

Partners

Page 33: Network Security and Access Control within AWS

Thank you!

aws.amazon.com/security

aws.amazon.com/compliance

Page 34: Network Security and Access Control within AWS

Remember to complete

your evaluations!