Security on AWS: An Update and Overview
Bertram Dorn, Specialized Solutions Architect for Security and Compliance
30 June 2016
© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Agenda:
• AWS
• AWS Services
• Security Standards
• Technical Compliance
• DPA
Consumer Business
• Tens of millions of active customer accounts
• 13 countries: US, UK, Germany, Japan, France, Canada, China, Italy, Brazil, Mexico, India, Spain, Australia

Seller Business
• Sell on Amazon websites
• Use Amazon technology for your own retail website
• Leverage Amazon’s massive fulfilment centre network

IT Infrastructure Business
• Web-scale cloud computing infrastructure for developing, deploying & operating applications
• Over 1 million registered customers in over 190 countries
• On demand, pay as you go, uniform, available: cloud infrastructure
What is DevOps?
DevOps = efficiencies that speed up this lifecycle
[Figure: software development lifecycle. Developers plan, build, test and release through a delivery pipeline; customers are monitored and a feedback loop returns to planning.]

Monolith development lifecycle
[Figure: developers → one delivery pipeline (build, test, release) → one app.]

Microservice development lifecycle
[Figure: developers → many delivery pipelines, each with its own build, test, release → many services.]

Service-Oriented Architecture (SOA)
• Single-purpose
• Connected through APIs
• Highly decoupled
“Microservices”
DevOps Practices
DevOps Best Practices: Tools, Methods, Process
• Infrastructure as Code: CloudFormation -> Compute/Storage/Network/Database/Messaging
• IT Automation: AutoScaling, Events, Logging
• Continuous Integration: CodePipeline
• Continuous Deployment: CodeDeploy
• Version Control Integration: CodeCommit
• Monitoring and Logging: CloudTrail, CloudWatch, Elasticsearch, SIEM approaches
Overview of DevOps on AWS (Introduction to DevOps on AWS v1.0)
AWS CodeDeploy
• Easy and reliable deployments
• Scale with ease
• Deploy to any server
[Figure: CodeDeploy takes application revisions (v1, v2, v3) and deploys them to deployment groups such as Dev, Test and Production.]
AWS CodePipeline
• Connect to best-of-breed tools
• Accelerate your release process
• Consistently verify each release
[Figure: pipeline stages. Source: 1) Pull. Build: 1) Build, 2) Unit test. Beta: 1) Deploy, 2) UI test. Gamma: 1) Deploy, 2) Perf test. Production: 1) Deploy canary, 2) Deploy region 1, 3) Deploy region 2.]
AWS CodeCommit
• Use standard Git tools
• Scalability, availability, and durability of Amazon S3
• Encryption at rest with customer-specific keys
[Figure: git pull/push over SSH or HTTPS to CodeCommit; Git objects are stored in Amazon S3, the Git index in Amazon DynamoDB, and the encryption key in AWS KMS.]
Provision, Configure, Orchestrate, Deploy, Report, Monitor

DevOps
• Continuous Integration
• Continuous Deployment
• IT Automation
• Application Management

Evolution of DevOps from Agile
[Figure: Business (Business Case, Requirements, Use Case, Features, Plan, Go to market) and Developers/application (Design, Code, Refactor, Unit Test, Bug Fix, Deploy) sit on top of IT Operations/infrastructure; Business Agility and IT Agility.]

Agile Development
• Iterative development
• Scrum, sprints, stories
• Velocity
What is AWS?
[Figure: AWS platform layers. AWS Global Infrastructure; Compute, Storage, Database; Networking; Deployment & Administration; Application Services.]

ENTERPRISE APPS: Virtual Desktops, Sharing & Collaboration, Corporate Email, Backup
DEVELOPMENT & OPERATIONS: One-click App Deployment, DevOps Resource Management, Application Lifecycle Management, Containers, Triggers, Resource Templates
MOBILE SERVICES: Identity, Sync, Single Integrated Console, Push Notifications, Mobile Analytics
APP SERVICES: Queuing & Notifications, Workflow, Search, Transcoding, API Gateway
ANALYTICS: Data Warehousing, Hadoop/Spark, Streaming Data Collection, Streaming Data Analysis, Machine Learning, Elastic Search, Business Intelligence
IoT: Rules Engine, Device Shadows, Device SDKs, Registry, Device Gateway
TECHNICAL & BUSINESS SUPPORT: Account Management, Support, Professional Services, Training & Certification, Security & Pricing Reports, Partner Ecosystem, Solutions Architects
MARKETPLACE: Business Apps, Business Intelligence, Databases, DevOps Tools, Networking, Security, Storage
INFRASTRUCTURE: Regions, Availability Zones, Points of Presence
CORE SERVICES: Compute (VMs, Auto-scaling, & Load Balancing); Storage (Object, Blocks, Archival, Import/Export); Databases (Relational, NoSQL, Caching, Migration); Networking (VPC, DX, DNS); CDN
SECURITY & COMPLIANCE: Access Control, Identity Management, Key Management & Storage, Monitoring & Logs, Assessment and reporting, Resource & Usage Auditing, Configuration Compliance, Web application firewall
HYBRID ARCHITECTURE: Data Backups, Integrated App Deployments, DirectConnect, Identity Federation, Integrated Resource Management, Integrated Networking
AWS Global Footprint
Regions: US West (N. California), US West (Oregon), GovCloud, US East (Virginia), EU West (Ireland), EU Central (Frankfurt), Asia Pacific (Tokyo), Asia Pacific (Singapore), Asia Pacific (Sydney), Korea (Seoul), China (Beijing), São Paulo

Region: an independent collection of AWS resources in a defined geography. A solid foundation for meeting location-dependent privacy and compliance requirements.

Example AWS Region
[Figure: several AZs connected in a mesh to two transit centers.]
• Mesh of Availability Zones (AZ) and Transit Centers
• Redundant paths to transit centers
• Transit centers connect to:
  – Private links to other AWS regions
  – Private links to customers
  – Internet through peering & paid transit
• Metro-area DWDM links between AZs
• 82,864 fiber strands in region
• AZs <2 ms apart & usually <1 ms
• 25 Tbps peak inter-AZ traffic
AWS Global Footprint
Availability Zone: designed as independent failure zones, physically separated within a typical metropolitan region.

Example AWS Availability Zone
[Figure: AZs and transit centers, as in the region diagram.]
• 1 of 33 AZs world-wide
• All regions have 2 or more AZs
• Each AZ is 1 or more DC
  – No datacenter is in two AZs
  – Some AZs have as many as 6 DCs
• DCs in an AZ less than ¼ ms apart

Example AWS Data Center
• Single DC typically over 50,000 servers & often over 80,000
• Larger DCs undesirable (blast radius)
• Up to 102 Tbps provisioned to a single DC (inter-DC, not intra)
Shared Responsibility
[Figure: Security of the Cloud (cloud service provider controls, managed by AWS) versus Security in the Cloud (optimized network/OS/app controls, managed by the customer); cross-service controls and service-specific controls.]
Request reports at: aws.amazon.com/compliance/#contact

The main AWS Compliance Frameworks of today
Certificates: ISO 9001, ISO 27000, ISO 27001/27017/27018
Programmes: MPAA
Point-in-time, or continuous compliance assessments?

Scope
• By Service (not only Datacenter)
• By Region
• By Certification
• Global
• Scalable
Dedicated Security Services
• Tenant Isolation
• Deep Network Security
• Scaling Crypto Services
• Detailed Monitoring
• Access Control: mandatory, fine grained, MFA possible
[Figure: the AWS platform layers (AWS Global Infrastructure; Compute, Storage, Database; Networking; Deployment & Administration; Application Services) are marked "Inherit"; the SECURITY & COMPLIANCE services (Identity Management, Key Management & Storage, Monitoring & Logs, Assessment and reporting, Resource & Usage Auditing, Configuration Compliance, Web application firewall, Access Control) are marked "Control".]

Setup
• Data processing agreement (Auftragsdatenvereinbarung) included
• Technical and organisational measures
• Mapping
Security Possibilities
Lift and Shift
• Integrate standards
• Replicate
• Automate
• Federate
Transparency
• Monitor every activity
• Transparent data flows
• No hidden IT
• Cost-driven awareness
• Automatic alarming
Scale and Innovate
• Use cloud security functions
• Scale out
• Services as code
• Continuous deployment
• Continuous security
Permanent Monitoring/Audit
• Automatic reaction
• Permanent monitoring
• Integrated audit
• Security-DevOps

Certifications/Audits: Scope
Features Overview
© 2015, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Network Security: choose and combine a bunch of built-in network related options:
• Built-in firewall features (Security Groups and NACLs)
• Virtual Private Cloud
• Transport Encryption (IPsec and TLS)
• Dedicated Network Connection (DirectConnect)
• Cipher Suites with Perfect Forward Secrecy
• Managed NAT Gateways
• Web Application Filters
Virtual Private Cloud Security Layers
[Figure: a VPC with an Internet Gateway and a Virtual Private Gateway attached to the router; two subnets (10.0.0.0/24 in Availability Zone A, 10.0.1.0/24 in Availability Zone B), each with its own Routing Table and Network ACL; instances in each subnet protected by Security Groups.]
• Lockdown at instance level (Security Group)
• Isolate network functions (subnets)
• Lockdown at network level (Network ACL)
• Route restrictively (Routing Table)
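The two filtering layers in that diagram behave differently: a network ACL is stateless and evaluated per subnet as a numbered rule list with explicit deny entries and a final implicit deny, while a security group is a stateful allow-list evaluated per instance. The following added example (my own code, not from the deck or from AWS) models an inbound packet passing both layers for the 10.0.0.0/24 web subnet; the rule sets, addresses and packets are constructed, and the `-1` protocol value follows the AWS convention for "all protocols".

```python
"""Toy evaluator for the two VPC filtering layers: subnet NACL, then instance
security group.  Rules, addresses and packets below are constructed examples."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int


@dataclass(frozen=True)
class SgRule:          # security group entry: allow only, no deny possible
    proto: str
    port_from: int
    port_to: int
    cidr: str


@dataclass(frozen=True)
class NaclRule:        # network ACL entry: numbered, allow or deny
    number: int
    proto: str
    port_from: int
    port_to: int
    cidr: str
    action: str        # "allow" or "deny"


def _matches(proto, port_from, port_to, cidr, pkt):
    # "-1" is the AWS convention for "all protocols".
    return (proto in ("-1", pkt.proto)
            and port_from <= pkt.dport <= port_to
            and ip_address(pkt.src) in ip_network(cidr))


def nacl_allows(rules, pkt):
    """Stateless: the lowest-numbered matching rule wins; no match means deny."""
    for r in sorted(rules, key=lambda r: r.number):
        if _matches(r.proto, r.port_from, r.port_to, r.cidr, pkt):
            return r.action == "allow"
    return False


def sg_allows(rules, pkt):
    """Stateful allow-list: any matching rule admits the packet."""
    return any(_matches(r.proto, r.port_from, r.port_to, r.cidr, pkt) for r in rules)


def inbound_allowed(nacl, sg, pkt):
    """A packet must pass the subnet NACL and then the instance security group."""
    return nacl_allows(nacl, pkt) and sg_allows(sg, pkt)


# Constructed NACL for 10.0.0.0/24: drop a known-abusive range first (rule 50),
# allow HTTPS from anywhere, allow SSH only from inside the VPC, deny the rest.
WEB_SUBNET_NACL = [
    NaclRule(50, "tcp", 0, 65535, "198.51.100.0/24", "deny"),
    NaclRule(100, "tcp", 443, 443, "0.0.0.0/0", "allow"),
    NaclRule(200, "tcp", 22, 22, "10.0.0.0/16", "allow"),
]
# Constructed security group for the web instance: HTTPS from anywhere,
# SSH only from the admin subnet 10.0.1.0/24.
WEB_SG = [
    SgRule("tcp", 443, 443, "0.0.0.0/0"),
    SgRule("tcp", 22, 22, "10.0.1.0/24"),
]


def evaluate_samples():
    """Return {description: allowed} for a set of constructed inbound packets."""
    samples = {
        "https from internet": Packet("203.0.113.9", "10.0.0.10", "tcp", 443),
        "https from denied range": Packet("198.51.100.7", "10.0.0.10", "tcp", 443),
        "ssh from admin subnet": Packet("10.0.1.20", "10.0.0.10", "tcp", 22),
        "ssh from internet": Packet("203.0.113.9", "10.0.0.10", "tcp", 22),
        "ssh from other vpc subnet": Packet("10.0.2.5", "10.0.0.10", "tcp", 22),
    }
    return {name: inbound_allowed(WEB_SUBNET_NACL, WEB_SG, p) for name, p in samples.items()}


if __name__ == "__main__":
    for name, ok in evaluate_samples().items():
        print(f"{name:28s} {'ALLOW' if ok else 'DENY'}")
```

The last sample is the point of layering: the NACL admits SSH from any VPC address, but the instance's security group still rejects it because the source is not the admin subnet, so a misconfiguration in one layer is caught by the other.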
Access Control: allow only authorized administrators and applications access to AWS resources
• Multi-Factor Authentication (MFA)
• Fine granular access to AWS objects in S3 buckets/SQS/SNS and others
• API request authentication
• Geo-restrictions
• Temporary access tokens through STS
Monitoring and Logging: get an overview of activities on your AWS resources
• Asset management and configuration with AWS Config
• Compliance auditing and security analytics with AWS CloudTrail
• Identification of configuration challenges through Trusted Advisor
• Fine granular logging of access to S3 objects
• Detailed information about flows in the network through VPC Flow Logs
• Rule-based config checks and actions with AWS Config Rules
• Filtering and monitoring of HTTP access to applications with WAF functions in CloudFront
Encryption: security is the first priority for AWS
• Encryption of your data at rest with AES-256 (EBS/S3/Glacier/RDS)
• Centralized (by Region) managed key management
• IPsec tunnels into AWS with the VPN gateways
• Dedicated HSM modules in the cloud with CloudHSM
IAM Overview
Identity and Access Management
• Users & Groups
• Unique Security Credentials
• Temporary Security Credentials
• Policies & Permissions
• Roles
• Multi-factor Authentication
IAM Best Practices
Thank you
Bertram Dorn
• Root accounts do not need access keys
• Root accounts do normally not log in

Best Practices
• Lock away your AWS account access keys
• Create individual IAM users
• Use groups to assign permissions to IAM users
• Grant least privilege
• Configure a strong password policy for your users
• Enable MFA for privileged users
• Use roles for applications that run on Amazon EC2 instances
• Delegate by using roles instead of by sharing credentials
• Rotate credentials regularly
• Remove unnecessary credentials
• Use policy conditions
• Keep a history of activity
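"Grant least privilege" and "Use policy conditions" can be checked mechanically before a policy is attached. The added example below (my own code, not from the deck or from AWS) lints an IAM policy document for wildcard actions and resources and for privileged IAM actions that are not gated on the real `aws:MultiFactorAuthPresent` condition key; the two sample policies are constructed, the "privileged" heuristic is mine, and the account id 123456789012 is a placeholder.

```python
"""Lint an IAM policy document for least privilege and for MFA conditions.
The sample policies and the 'privileged action' heuristic are constructed."""
import json

# Real IAM condition key: "true" when the request was authenticated with MFA.
MFA_KEY = "aws:MultiFactorAuthPresent"


def _as_list(value):
    """IAM allows a string or a list in Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _is_privileged(actions):
    """Constructed heuristic: IAM changes and full wildcards are privileged."""
    return any(a == "*" or a.startswith("iam:") for a in actions)


def lint_policy(policy):
    """Return (statement index, finding) tuples; an empty list means clean."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue                       # only Allow statements grant privilege
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        if any(a == "*" for a in actions):
            findings.append((i, "Action '*' grants every API call"))
        if any(a.endswith(":*") for a in actions):
            findings.append((i, "service-wide wildcard action"))
        if any(r == "*" for r in resources):
            findings.append((i, "Resource '*' applies to every resource"))
        conds = stmt.get("Condition", {})
        mfa_required = str(conds.get("Bool", {}).get(MFA_KEY, "")).lower() == "true"
        if _is_privileged(actions) and not mfa_required:
            findings.append((i, "privileged action without MFA condition"))
    return findings


# Constructed "shared admin" policy: everything, everywhere, no conditions.
WEAK_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]
}""")

# Constructed least-privilege counterpart: read-only on one bucket, and the
# user may rotate only their own access keys, only when signed in with MFA.
# 123456789012 is a placeholder account id.
HARDENED_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]},
    {"Effect": "Allow",
     "Action": ["iam:CreateAccessKey", "iam:DeleteAccessKey"],
     "Resource": "arn:aws:iam::123456789012:user/${aws:username}",
     "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}}
  ]
}""")


if __name__ == "__main__":
    for name, pol in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, lint_policy(pol) or "no findings")
```

The hardened policy also illustrates "Rotate credentials regularly" without sharing: each user can rotate only their own keys (`${aws:username}` is an IAM policy variable), and the MFA condition means a leaked long-term key alone is not enough to do it.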
What type of events should I monitor for?
• You can monitor any specific event recorded by CloudTrail and receive notification from CloudWatch
• Monitor for security or network related events that are likely to have a high blast radius
• Popular examples based on customer feedback:
  1. Creation, deletion and modification of security groups and VPCs
  2. Changes to IAM policies or S3 bucket policies
  3. Failed AWS Management Console sign-in events
  4. API calls that resulted in authorization failures
  5. Launching, terminating, stopping, starting and rebooting EC2 instances
• Fully defined and pre-built CloudFormation template to get started
Receive email notifications of specific API activity
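The five event classes above can be expressed as matching rules over the fields CloudTrail writes (`eventSource`, `eventName`, `errorCode`, `responseElements`, `userIdentity`). The added example below (my own code, not the deck's CloudFormation template) runs such rules over a constructed extract in CloudTrail's `{"Records": [...]}` shape; the category mapping and the regular expressions are mine.

```python
"""Classify CloudTrail records into the five event categories listed above.
The records are constructed; the field names are CloudTrail's, the mapping is mine."""
import json
import re

# (category, eventSource, regex over eventName): constructed mapping.
RULES = [
    ("network-change", "ec2.amazonaws.com",
     re.compile(r"^(Create|Delete|Modify|Authorize|Revoke)(SecurityGroup|Vpc)")),
    ("policy-change", "iam.amazonaws.com",
     re.compile(r"^(Put|Delete|Attach|Detach|Create)(User|Group|Role)?Policy")),
    ("policy-change", "s3.amazonaws.com", re.compile(r"^(Put|Delete)BucketPolicy$")),
    ("console-login-failure", "signin.amazonaws.com", re.compile(r"^ConsoleLogin$")),
    ("instance-lifecycle", "ec2.amazonaws.com",
     re.compile(r"^(Run|Terminate|Stop|Start|Reboot)Instances$")),
]
# errorCode values CloudTrail records when a call was refused by authorization.
AUTHZ_ERRORS = {"AccessDenied", "UnauthorizedOperation", "Client.UnauthorizedOperation"}


def classify(record):
    """Return the sorted list of categories one CloudTrail record falls into."""
    hits = set()
    source = record.get("eventSource", "")
    name = record.get("eventName", "")
    for category, src, pattern in RULES:
        if source != src or not pattern.match(name):
            continue
        # A ConsoleLogin record is only interesting when the attempt failed.
        if category == "console-login-failure":
            if record.get("responseElements", {}).get("ConsoleLogin") != "Failure":
                continue
        hits.add(category)
    if record.get("errorCode") in AUTHZ_ERRORS:
        hits.add("authorization-failure")
    return sorted(hits)


def scan(records):
    """Return (eventID, principal, categories) for every record that matches."""
    alerts = []
    for rec in records:
        cats = classify(rec)
        if cats:
            who = rec.get("userIdentity", {}).get("userName", "<unknown>")
            alerts.append((rec.get("eventID"), who, cats))
    return alerts


# Constructed log extract; only the fields the rules look at are present.
SAMPLE_LOG = json.loads("""{"Records": [
 {"eventID": "e1", "eventSource": "ec2.amazonaws.com",
  "eventName": "AuthorizeSecurityGroupIngress", "userIdentity": {"userName": "alice"}},
 {"eventID": "e2", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
  "userIdentity": {"userName": "bob"}, "responseElements": {"ConsoleLogin": "Failure"}},
 {"eventID": "e3", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
  "userIdentity": {"userName": "bob"}, "responseElements": {"ConsoleLogin": "Success"}},
 {"eventID": "e4", "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
  "userIdentity": {"userName": "carol"}, "errorCode": "Client.UnauthorizedOperation"},
 {"eventID": "e5", "eventSource": "s3.amazonaws.com", "eventName": "PutBucketPolicy",
  "userIdentity": {"userName": "alice"}},
 {"eventID": "e6", "eventSource": "ec2.amazonaws.com", "eventName": "TerminateInstances",
  "userIdentity": {"userName": "dave"}},
 {"eventID": "e7", "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
  "userIdentity": {"userName": "alice"}}
]}""")


def scan_sample():
    return scan(SAMPLE_LOG["Records"])


if __name__ == "__main__":
    for event_id, who, cats in scan_sample():
        print(event_id, who, ", ".join(cats))
```

Of the seven constructed records, five raise an alert; the successful console login (e3) and the permitted `DescribeInstances` (e7) are ignored, which is the filtering a CloudWatch metric filter would do before notifying.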
Demo: Kibana
Data at Rest: Simplified

Securing Data at Rest (Amazon S3, Glacier, Amazon EBS, Amazon RDS, Redshift)
> AES-256 key
> KMS integration
> Easy one-click encryption

Securing Data at Rest: Amazon S3 / Glacier
> AES-256 key
> Each object is encrypted
> Each key is encrypted with a master key
> Master key is rotated regularly
> KMS integration

Securing Data at Rest: Amazon EBS
> AES-256 key
> Performed on EC2 host
> Snapshots
> KMS integrated
> Each volume gets its own data key
> Data key is encrypted with the master key

Securing Data at Rest: Amazon RDS
> AES-256 key
> Logs, backups, and snapshots
> Read replicas
> Active and backup
> CloudHSM (Oracle TDE only)
> KMS integration

Securing Data at Rest: Redshift
> AES-256 key
> Data blocks
> Metadata
> Active and backup
> CloudHSM integration
> 4-tier encryption architecture

Securing Data at Rest: CloudHSM
> Hardware Security Module
> Single tenancy
> Private key material never leaves the HSM
> AWS provisioned, customer managed
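The S3 and EBS slides describe the same key hierarchy: each object or volume has its own data key, only the wrapped copy of that key is stored next to the data, and the master key that wraps it is rotated without touching the bulk data. The added example below (my own code, not AWS's implementation) shows that envelope-encryption flow and why rotating the master key re-wraps only the small data keys. To run with the standard library alone it uses an HMAC-SHA256 counter-mode keystream as a stand-in for the AES-256 the slides name; keys and contents are constructed, and the `MasterKey` class only mimics the generate/wrap/unwrap/rotate behaviour of a KMS master key.

```python
"""Envelope encryption with a rotatable master key.  The stream cipher is a
stand-in for AES-256 (HMAC-SHA256 in counter mode, unauthenticated); keys and
volume contents are constructed."""
import hashlib
import hmac
import os


def keystream_xor(key, nonce, data):
    """XOR data with HMAC-SHA256(key, nonce || block counter), 32 bytes at a time."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        ks = hmac.new(key, nonce + offset.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], ks))
    return bytes(out)


def encrypt(key, plaintext):
    nonce = os.urandom(16)                   # fresh nonce per message
    return nonce + keystream_xor(key, nonce, plaintext)


def decrypt(key, blob):
    return keystream_xor(key, blob[:16], blob[16:])


class MasterKey:
    """Mimics a KMS master key: wraps/unwraps data keys and rotates by adding a
    new version while keeping old versions for unwrapping only."""

    def __init__(self):
        self.versions = [os.urandom(32)]

    def generate_data_key(self):
        """Like KMS GenerateDataKey: returns (plaintext data key, wrapped data key)."""
        dk = os.urandom(32)
        return dk, self.wrap(dk)

    def wrap(self, dk):
        v = len(self.versions) - 1           # always wrap under the newest version
        return v.to_bytes(2, "big") + encrypt(self.versions[v], dk)

    def unwrap(self, wrapped):
        v = int.from_bytes(wrapped[:2], "big")
        return decrypt(self.versions[v], wrapped[2:])

    def rotate(self):
        self.versions.append(os.urandom(32))


class Volume:
    """Each volume gets its own data key; only the wrapped key is stored with it."""

    def __init__(self, master, data):
        dk, self.wrapped_key = master.generate_data_key()
        self.ciphertext = encrypt(dk, data)
        del dk                               # plaintext data key is never persisted

    def read(self, master):
        return decrypt(master.unwrap(self.wrapped_key), self.ciphertext)

    def rewrap(self, master):
        """After master rotation only the small data key is re-wrapped."""
        self.wrapped_key = master.wrap(master.unwrap(self.wrapped_key))


def demo():
    master = MasterKey()
    vol = Volume(master, b"constructed volume contents")
    before = vol.ciphertext
    master.rotate()
    vol.rewrap(master)
    return {
        "roundtrip": vol.read(master) == b"constructed volume contents",
        "bulk_data_unchanged_after_rotation": vol.ciphertext == before,
        "wrapped_under_latest_version": int.from_bytes(vol.wrapped_key[:2], "big") == 1,
    }


if __name__ == "__main__":
    print(demo())
```

A production scheme uses authenticated encryption (the data key cannot be swapped for an attacker-chosen one without detection) and keeps the master key inside KMS or an HSM, which is what the "private key material never leaves the HSM" slide refers to; the stand-in cipher here only shows the key hierarchy.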