© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Bertram Dorn, Specialized Solutions Architect for Security and Compliance
30 June 2016
Security on AWS: An Update and Overview
Page 1: Security on AWS: An Update and Overview

© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

Bertram Dorn, Specialized Solutions Architect for Security and Compliance

30 June 2016

Page 2: Agenda

• AWS
• AWS Services
• Security Standards
• Technical Compliance
• DPA

Page 3

Consumer Business

Tens of millions of active customer accounts

13 countries: US, UK, Germany, Japan, France, Canada, China, Italy, Brazil, Mexico, India, Spain, Australia

Seller Business

Sell on Amazon websites

Use Amazon technology for your own retail website

Leverage Amazon's massive fulfilment centre network

IT Infrastructure Business

Web-scale cloud computing infrastructure for developing, deploying & operating applications

Over 1 million registered customers in over 190 countries

Page 4: Cloud

On demand · Pay as you go · Uniform · Available

Page 5: Infrastructure

Page 6: What is DevOps?

DevOps = efficiencies that speed up this lifecycle

(Diagram: the software development lifecycle of plan, build, test, release and monitor; a delivery pipeline runs from developers to customers, with a feedback loop back from customers to developers.)

Page 7

Page 8: Monolith development lifecycle

(Diagram: developers feed a single delivery pipeline of build, test and release steps for one app.)

Page 9: Microservice development lifecycle

(Diagram: developers feed many parallel delivery pipelines, one per service, each with its own build, test and release steps.)

Page 10: Service-Oriented Architecture (SOA)

Single-purpose

Connected through APIs

Highly decoupled

"Microservices"

Page 11: DevOps Practices

DevOps Best Practices: Tools, Methods, Process

Infrastructure as Code • CloudFormation -> Compute/Storage/Network/Database/Messaging

IT Automation • AutoScaling, Events, Logging

Continuous Integration • CodePipeline

Continuous Deployment • CodeDeploy

Version Control Integration • CodeCommit

Monitoring and Logging • CloudTrail, CloudWatch, Elasticsearch, SIEM approaches

Source: Overview of DevOps on AWS, Introduction to DevOps on AWS v1.0

Page 12: AWS CodeDeploy

• Easy and reliable deployments
• Scale with ease
• Deploy to any server

(Diagram: application revisions v1, v2, v3 flow through CodeDeploy into the Dev, Test and Production deployment groups.)

Page 13: AWS CodePipeline

• Connect to best-of-breed tools
• Accelerate your release process
• Consistently verify each release

(Diagram: pipeline stages)
Source: 1) Pull
Build: 1) Build 2) Unit test
Beta: 1) Deploy 2) UI test
Gamma: 1) Deploy 2) Perf test
Production: 1) Deploy canary 2) Deploy region 1 3) Deploy region 2

Page 14: AWS CodeCommit

• Use standard Git tools
• Scalability, availability, and durability of Amazon S3
• Encryption at rest with customer-specific keys

(Diagram: git pull/push over SSH or HTTPS to CodeCommit; Git objects in Amazon S3, Git index in Amazon DynamoDB, encryption key in AWS KMS.)

Page 15: Evolution of DevOps from Agile

Business (Business Agility): Business Case, Requirements, Use Case, Features, Plan, Go to market

Developers (application): Design, Code, Refactor, Unit Test, Bug Fix, Deploy

IT Operations (infrastructure) (IT Agility): Provision, Configure, Orchestrate, Deploy, Report, Monitor

Agile Development
• Iterative development
• Scrum, sprints, stories
• Velocity

DevOps
• Continuous Integration
• Continuous Deployment
• IT Automation
• Application Management

Page 16: What is AWS?

(Diagram of the AWS platform layers: AWS Global Infrastructure; Compute, Storage, Database; Networking; Deployment & Administration; Application Services.)

Page 17: AWS platform overview (service map)

ENTERPRISE APPS: Virtual Desktops, Sharing & Collaboration, Corporate Email, Backup

DEVELOPMENT & OPERATIONS: One-click App Deployment, DevOps Resource Management, Application Lifecycle Management, Containers, Triggers, Resource Templates

MOBILE SERVICES: Identity, Sync, Single Integrated Console, Push Notifications, Mobile Analytics

APP SERVICES: Queuing & Notifications, Workflow, Search, Email, Transcoding, API Gateway

ANALYTICS: Data Warehousing, Hadoop/Spark, Streaming Data Collection, Machine Learning, Elastic Search, Streaming Data Analysis, Business Intelligence

IoT: Rules Engine, Device Shadows, Device SDKs, Registry, Device Gateway

TECHNICAL & BUSINESS SUPPORT: Account Management, Support, Professional Services, Training & Certification, Security & Pricing Reports, Partner Ecosystem, Solutions Architects

MARKETPLACE: Business Apps, Business Intelligence, Databases, DevOps Tools, Networking, Security, Storage

HYBRID ARCHITECTURE: Data Backups, Integrated App Deployments, DirectConnect, Identity Federation, Integrated Resource Management, Integrated Networking

SECURITY & COMPLIANCE: Access Control, Identity Management, Key Management & Storage, Monitoring & Logs, Assessment and reporting, Resource & Usage Auditing, Configuration Compliance, Web application firewall

CORE SERVICES: Compute (VMs, Auto-scaling & Load Balancing); Storage (Object, Blocks, Archival, Import/Export); Databases (Relational, NoSQL, Caching, Migration); Networking (VPC, DX, DNS); CDN

INFRASTRUCTURE: Regions, Availability Zones, Points of Presence

Page 18: (the Page 17 service map repeated)

Page 19: (the Page 17 service map repeated)

Page 20: AWS Global Footprint

Regions: US West (N. California), US West (Oregon), GovCloud, US East (Virginia), EU West (Ireland), EU Central (Frankfurt), Asia Pacific (Tokyo), Asia Pacific (Singapore), Asia Pacific (Sydney), Korea (Seoul), China (Beijing), São Paulo

Region: An independent collection of AWS resources in a defined geography

A solid foundation for meeting location-dependent privacy and compliance requirements

Page 21: Example AWS Region

(Diagram: five Availability Zones meshed with two transit centers.)

• Mesh of Availability Zones (AZ) and Transit Centers
• Redundant paths to transit centers
• Transit centers connect to:
  – Private links to other AWS regions
  – Private links to customers
  – Internet through peering & paid transit
• Metro-area DWDM links between AZs
• 82,864 fiber strands in region
• AZs < 2 ms apart & usually < 1 ms
• 25 Tbps peak inter-AZ traffic

Page 22: AWS Global Footprint

Availability Zone: Designed as independent failure zones

Physically separated within a typical metropolitan region

Page 23: Example AWS Availability Zone

• 1 of 33 AZs world-wide
• All regions have 2 or more AZs
• Each AZ is 1 or more DC
  – No data center is in two AZs
  – Some AZs have as many as 6 DCs
• DCs in an AZ less than ¼ ms apart

(Diagram: five Availability Zones meshed with two transit centers.)

Page 24: Example AWS Data Center

• Single DC typically over 50,000 servers & often over 80,000
• Larger DCs undesirable (blast radius)
• Up to 102 Tbps provisioned to a single DC (inter-DC, not intra)

Page 25: Shared Responsibility

Managed by AWS: Security of the Cloud (Cloud Service Provider Controls: Cross-service Controls, Service-specific Controls)

Managed by Customer: Security in the Cloud (Optimized Network/OS/App Controls)

Request reports at: aws.amazon.com/compliance/#contact

ISO 27000, ISO 9001

Page 26: The main AWS Compliance Frameworks of today

Certificates: ISO 9001, ISO 27000

Programmes: MPAA

Page 27: Point-in-time, or continuous compliance assessments?

ISO 27001 / 27017 / 27018 / 9001

Page 28: Scope

• By Service (not only Datacenter)
• By Region
• By Certification
• Global
• Scalable

Page 29: Dedicated Security Services

§ Tenant Isolation
§ Deep Network Security
§ Scaling Crypto Services
§ Detailed Monitoring
§ Access Control
  § Mandatory
  § Fine-grained
  § MFA Possible

Inherit (platform layers): AWS Global Infrastructure; Compute, Storage, Database; Networking; Deployment & Administration; Application Services

Control (Security & Compliance services): Access Control, Identity Management, Key Management & Storage, Monitoring & Logs, Assessment and reporting, Resource & Usage Auditing, Configuration Compliance, Web application firewall

Page 30: Setup

Data Processing Agreement (Auftragsdatenvereinbarung) included

Technical and Organisational Measures

Page 31: Mapping

Page 32: Security Possibilities

Lift and Shift: § Integrate standards § Replicate § Automate § Federate

Transparency: § Monitor Every Activity § Transparent Data Flows § No Hidden IT § Cost Driven Awareness § Automatic Alarming

Scale and Innovate: § Use Cloud Security Functions § Scale Out § Services as Code § Continuous Deployment § Continuous Security

Permanent Monitoring/Audit: § Automatic Reaction § Permanent Monitoring § Integrated Audit § Security-DevOps

Page 33: Certifications/Audits: Scope

Page 34: Features Overview

Page 35: Network Security

Choose and combine a bunch of built-in network-related options:

ü Built-in firewall features (Security Groups and NACLs)
ü Virtual Private Cloud
ü Transport Encryption (IPsec and TLS)
ü Dedicated Network Connection (Direct Connect)
ü Cipher Suites with Perfect Forward Secrecy
ü Managed NAT Gateways
ü Web Application Filters

Page 36: Virtual Private Cloud Security Layers

(Diagram: a VPC spanning Availability Zone A and Availability Zone B, each holding a subnet (10.0.0.0/24 and 10.0.1.0/24) with its own Routing Table and Network ACL; instances sit behind Security Groups; a Router connects the subnets to a Virtual Private Gateway and an Internet Gateway.)

Security Group: Lockdown at instance level

Network ACL: Lockdown at network level

Routing Table: Route restrictively

Subnets: Isolate network functions
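How the instance-level and network-level layers on this slide interact, as an added example that is not part of the original deck and not AWS code: a small Python model of a stateless network ACL and a stateful security group, evaluated over constructed flows. All CIDRs, ports and rule numbers are made-up sample values. What it demonstrates is that the stateless ACL must explicitly allow the reply's ephemeral port, while the security group tracks the connection and needs no outbound rule for the reply.

```python
"""Added illustration (not AWS code) of the two packet-filtering layers on
the slide: a stateless network ACL (numbered rules, lowest matching number
wins, implicit deny at the end) and a stateful security group (allow rules
only, reply traffic tracked automatically). All CIDRs, ports and rule
numbers are constructed sample values."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str    # source IP address
    dst: str    # destination IP address
    proto: str  # "tcp", "udp" or "icmp"
    port: int   # destination port


@dataclass(frozen=True)
class NaclRule:
    number: int   # evaluation order: ascending, first match decides
    action: str   # "allow" or "deny"
    cidr: str     # remote CIDR (source for inbound, destination for outbound)
    proto: str    # protocol or "all"
    ports: tuple  # inclusive (low, high) destination-port range


@dataclass(frozen=True)
class SgRule:
    cidr: str
    proto: str
    ports: tuple


def _rule_matches(cidr, proto, ports, addr, flow):
    return (ipaddress.ip_address(addr) in ipaddress.ip_network(cidr)
            and proto in ("all", flow.proto)
            and ports[0] <= flow.port <= ports[1])


def nacl_decision(rules, flow, direction):
    """Stateless: every packet in each direction is checked on its own.
    Rules are walked in ascending number order; the first match wins and
    a packet that matches nothing hits the implicit final deny."""
    remote = flow.src if direction == "inbound" else flow.dst
    for r in sorted(rules, key=lambda r: r.number):
        if _rule_matches(r.cidr, r.proto, r.ports, remote, flow):
            return r.action
    return "deny"


def sg_allows(rules, flow):
    """Security groups hold allow rules only and have no ordering."""
    return any(_rule_matches(r.cidr, r.proto, r.ports, flow.src, flow)
               for r in rules)


def request_and_reply_pass(nacl_in, nacl_out, sg_in, request, reply_port):
    """Does a client request reach the instance AND does its reply get out?
    The reply is a brand-new packet to the stateless NACL, so the outbound
    ACL must allow the client's ephemeral port; the stateful security group
    remembers the connection and needs no outbound rule for the reply."""
    if nacl_decision(nacl_in, request, "inbound") != "allow":
        return (False, "inbound NACL")
    if not sg_allows(sg_in, request):
        return (False, "security group")
    reply = Flow(src=request.dst, dst=request.src, proto=request.proto, port=reply_port)
    if nacl_decision(nacl_out, reply, "outbound") != "allow":
        return (False, "outbound NACL (ephemeral port)")
    return (True, "ok")


# Constructed sample configuration for the 10.0.0.0/24 subnet on the slide.
NACL_IN = [
    NaclRule(90, "deny", "198.51.100.0/24", "all", (0, 65535)),  # blocklisted range
    NaclRule(100, "allow", "0.0.0.0/0", "tcp", (0, 65535)),      # rest of TCP into the subnet
]
NACL_OUT_BROKEN = [NaclRule(100, "allow", "0.0.0.0/0", "tcp", (443, 443))]   # forgets ephemeral ports
NACL_OUT_FIXED = [NaclRule(100, "allow", "0.0.0.0/0", "tcp", (1024, 65535))]
SG_WEB = [SgRule("0.0.0.0/0", "tcp", (443, 443))]   # instance level: HTTPS only


def run_samples():
    """Evaluate a few constructed flows against the sample layers."""
    https = Flow("203.0.113.5", "10.0.0.10", "tcp", 443)
    ssh = Flow("203.0.113.5", "10.0.0.10", "tcp", 22)
    blocked = Flow("198.51.100.7", "10.0.0.10", "tcp", 443)
    return {
        "https_ok": request_and_reply_pass(NACL_IN, NACL_OUT_FIXED, SG_WEB, https, 50000),
        "ssh_stopped_by_sg": request_and_reply_pass(NACL_IN, NACL_OUT_FIXED, SG_WEB, ssh, 50000),
        "blocklisted_source": request_and_reply_pass(NACL_IN, NACL_OUT_FIXED, SG_WEB, blocked, 50000),
        "reply_lost_on_stateless_acl": request_and_reply_pass(NACL_IN, NACL_OUT_BROKEN, SG_WEB, https, 50000),
    }


if __name__ == "__main__":
    for name, result in run_samples().items():
        print(f"{name:30s} -> {result}")
```

The "reply_lost_on_stateless_acl" case is the classic misconfiguration: the inbound ACL and the security group both admit the HTTPS request, but the outbound ACL only lists port 443, so the reply to the client's ephemeral port is silently dropped at the subnet boundary.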

Page 37: Access Control

Allow only authorized administrators and applications access to AWS resources

ü Multi-Factor Authentication (MFA)
ü Fine-granular access to AWS objects in S3 buckets, SQS, SNS and others
ü API request authentication
ü Geo-restrictions
ü Temporary access tokens through STS

Page 38: Monitoring and Logging

Get an overview of activities on your AWS resources

ü Asset management and configuration with AWS Config
ü Compliance auditing and security analytics with AWS CloudTrail
ü Identification of configuration challenges through Trusted Advisor
ü Fine-granular logging of access to S3 objects
ü Detailed information about flows in the network through VPC Flow Logs
ü Rule-based config checks and actions with AWS Config Rules
ü Filtering and monitoring of HTTP access to applications with WAF functions in CloudFront

Page 39: Encryption

Security is the first priority for AWS

ü Encryption of your data at rest with AES-256 (EBS/S3/Glacier/RDS)
ü Centralized (by Region) managed Key Management
ü IPsec tunnels into AWS with the VPN Gateways
ü Dedicated HSM modules in the cloud with CloudHSM

Page 40: IAM Overview

Pages 41-46: Identity and Access Management (the list is built up one item per slide)

• Users & Groups
• Unique Security Credentials
• Temporary Security Credentials
• Policies & Permissions
• Roles
• Multi-factor Authentication
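How policies and permissions combine into a decision, as an added example that is neither AWS code nor part of the deck: a Python evaluator implementing the documented IAM decision order (an explicit Deny in any applicable statement wins, otherwise a matching Allow grants, otherwise the request is implicitly denied), with Action/Resource wildcards and the condition operators the sample policies use. The bucket name, account-independent ARNs, CIDR and the two policies are constructed; the evaluator is deliberately minimal and is not the real engine.

```python
"""Added illustration (not the IAM engine itself): apply the documented IAM
decision logic to identity-based policies. Supports Action/Resource
wildcards and the condition operators used by the sample policies below
(Bool, BoolIfExists, IpAddress, NotIpAddress). Policies, bucket name and
CIDR are constructed sample values."""
import fnmatch
import ipaddress


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    # IAM uses "*" and "?" wildcards; fnmatchcase is case-sensitive like ARNs.
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _condition_holds(condition, context):
    """Every key in a Condition block must hold (AND); a list of values is OR."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if operator in ("Bool", "BoolIfExists"):
                if actual is None:
                    if operator == "BoolIfExists":
                        continue      # missing key counts as a match
                    return False      # plain Bool: a missing key never matches
                if str(actual).lower() != str(expected).lower():
                    return False
            elif operator in ("IpAddress", "NotIpAddress"):
                if actual is None:
                    return False
                in_range = any(ipaddress.ip_address(actual) in ipaddress.ip_network(n)
                               for n in _as_list(expected))
                if in_range != (operator == "IpAddress"):
                    return False
            else:
                raise ValueError(f"operator not modelled here: {operator}")
    return True


def evaluate(policies, action, resource, context=None):
    """Return "ExplicitDeny", "Allow" or "ImplicitDeny" for one request."""
    context = context or {}
    decision = "ImplicitDeny"
    for policy in policies:
        for stmt in policy["Statement"]:
            if not _matches(stmt["Action"], action):
                continue
            if not _matches(stmt["Resource"], resource):
                continue
            if "Condition" in stmt and not _condition_holds(stmt["Condition"], context):
                continue   # a statement whose condition fails does not apply
            if stmt["Effect"] == "Deny":
                return "ExplicitDeny"   # deny always wins, stop here
            decision = "Allow"
    return decision


# Constructed sample policies: what a developer group may do, plus a
# guard-rail policy that relies on conditions.
BUCKET = "arn:aws:s3:::example-reports"
DEVELOPER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": [BUCKET, BUCKET + "/*"]},
        {"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"},
    ],
}
GUARDRAIL_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        # Destructive S3 calls require MFA. BoolIfExists also denies when the
        # key is absent, which is the case for plain long-term access keys.
        {"Effect": "Deny", "Action": ["s3:DeleteObject", "s3:DeleteBucket"],
         "Resource": "*",
         "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}},
        # EC2 API calls only from the (constructed) corporate address range.
        {"Effect": "Deny", "Action": "ec2:*", "Resource": "*",
         "Condition": {"NotIpAddress": {"aws:SourceIp": "198.51.100.0/24"}}},
    ],
}
POLICIES = [DEVELOPER_POLICY, GUARDRAIL_POLICY]

if __name__ == "__main__":
    print(evaluate(POLICIES, "s3:GetObject", BUCKET + "/q2.csv"))
    print(evaluate(POLICIES, "s3:DeleteObject", BUCKET + "/q2.csv", {}))
```

The MFA guard-rail shows why the operator choice matters: with plain `Bool`, a request made with long-term access keys carries no `aws:MultiFactorAuthPresent` key at all, so the Deny would never apply; `BoolIfExists` closes that gap.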

Page 47: IAM Best Practices

Page 48: Thank you (Vielen Dank)

Bertram Dorn

Page 49

Root Accounts Do Not Need Access Keys

Root Accounts Do Normally Not Log In

Page 50: Best Practices

Lock away your AWS account access keys

Create individual IAM users

Use groups to assign permissions to IAM users

Grant least privilege

Configure a strong password policy for your users

Enable MFA for privileged users

Use roles for applications that run on Amazon EC2 instances

Delegate by using roles instead of by sharing credentials

Rotate credentials regularly

Remove unnecessary credentials

Use policy conditions

Keep a history of activity
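Checking several of these practices mechanically (root without access keys, MFA on console users, credential rotation, removal of unused credentials), as an added example that is not AWS tooling and not from the deck: a Python audit over an IAM credential report. The CSV is a constructed sample using a subset of the real report's column names; the account ID, user names and dates are made up, and the audit time is pinned to the talk date so the age checks are reproducible.

```python
"""Added illustration (not AWS tooling): check the slide's best practices
against an IAM credential report. The CSV below is a constructed sample
using a subset of the real report's column names; the account ID
111122223333, user names and dates are made up. AUDIT_TIME is fixed to
the talk date so the age checks are reproducible."""
import csv
import io
from datetime import datetime, timedelta, timezone

AUDIT_TIME = datetime(2016, 6, 30, tzinfo=timezone.utc)

SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
<root_account>,arn:aws:iam::111122223333:root,2014-01-15T08:00:00+00:00,true,2016-06-01T09:12:00+00:00,not_supported,false,true,2014-01-15T08:05:00+00:00,2016-06-20T11:00:00+00:00,false,N/A,N/A
alice,arn:aws:iam::111122223333:user/alice,2015-05-02T10:00:00+00:00,true,2016-06-29T07:30:00+00:00,2016-05-02T10:00:00+00:00,true,true,2016-05-02T10:00:00+00:00,2016-06-29T07:00:00+00:00,false,N/A,N/A
bob,arn:aws:iam::111122223333:user/bob,2015-05-02T10:00:00+00:00,true,2016-06-28T12:00:00+00:00,2015-05-02T10:00:00+00:00,false,true,2015-05-02T10:00:00+00:00,N/A,false,N/A,N/A
deploy-bot,arn:aws:iam::111122223333:user/deploy-bot,2016-01-10T10:00:00+00:00,false,no_information,N/A,false,true,2016-01-10T10:00:00+00:00,2016-06-29T23:00:00+00:00,true,2016-06-01T10:00:00+00:00,2016-06-29T23:30:00+00:00
"""


def _when(value):
    """The report uses N/A, no_information and not_supported for 'no date'."""
    if value in ("N/A", "no_information", "not_supported", ""):
        return None
    return datetime.fromisoformat(value)


def audit_credential_report(report_csv, now=AUDIT_TIME, max_key_age_days=90):
    """Return (user, finding) pairs for the practices on the slide: root keeps
    no access keys, console users have MFA, keys are rotated, and credentials
    that were never used are removed."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        is_root = user == "<root_account>"
        console = row["password_enabled"] == "true"
        mfa = row["mfa_active"] == "true"
        if is_root and not mfa:
            findings.append((user, "root-without-mfa"))
        elif console and not mfa:
            findings.append((user, "console-user-without-mfa"))
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] != "true":
                continue
            if is_root:
                findings.append((user, f"root-has-active-access-key-{n}"))
            rotated = _when(row[f"access_key_{n}_last_rotated"])
            if rotated and now - rotated > timedelta(days=max_key_age_days):
                findings.append((user, f"access-key-{n}-older-than-{max_key_age_days}-days"))
            if _when(row[f"access_key_{n}_last_used_date"]) is None:
                findings.append((user, f"access-key-{n}-never-used"))
    return findings


def findings_by_user(report_csv=SAMPLE_REPORT, now=AUDIT_TIME):
    """Group the findings per principal for reporting."""
    grouped = {}
    for user, finding in audit_credential_report(report_csv, now):
        grouped.setdefault(user, set()).add(finding)
    return grouped


if __name__ == "__main__":
    for user, finding in audit_credential_report(SAMPLE_REPORT):
        print(f"{user:15s} {finding}")
```

Against a live account the same function would be fed the CSV returned by the IAM credential report API; the thresholds (90 days here) are a policy choice, not an AWS default.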

Page 51: What type of events should I monitor for?

v You can monitor any specific event recorded by CloudTrail and receive notification from CloudWatch

v Monitor for security or network related events that are likely to have a high blast radius

v Popular examples based on customer feedback
1. Creation, deletion and modification of security groups and VPCs
2. Changes to IAM policies or S3 bucket policies
3. Failed AWS Management Console sign-in events
4. API calls that resulted in authorization failures
5. Launching, terminating, stopping, starting and rebooting EC2 instances

v Fully defined and pre-built CloudFormation template to get started
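Turning the five event families into detection logic, as an added example that is not the CloudFormation template the slide refers to and not AWS code: a Python classifier run over a constructed CloudTrail log file. Field and event names follow CloudTrail's record format; the account ID, user names, IP addresses and the records themselves are made up. In a deployment the same predicates become CloudWatch Logs metric filters on the CloudTrail log group, feeding an alarm and an SNS notification.

```python
"""Added illustration (not the slide's CloudFormation template): classify
CloudTrail records into the five event families listed on the slide. The
records below are constructed samples in CloudTrail's log-file shape
({"Records": [...]}) using the real field and event names; the account ID,
user names and IP addresses are made up."""
import json

SG_VPC_PREFIXES = ("AuthorizeSecurityGroup", "RevokeSecurityGroup",
                   "CreateSecurityGroup", "DeleteSecurityGroup",
                   "CreateVpc", "DeleteVpc", "ModifyVpcAttribute")
POLICY_EVENTS = {"PutUserPolicy", "PutGroupPolicy", "PutRolePolicy",
                 "AttachUserPolicy", "AttachGroupPolicy", "AttachRolePolicy",
                 "DetachUserPolicy", "DetachGroupPolicy", "DetachRolePolicy",
                 "CreatePolicy", "DeletePolicy", "CreatePolicyVersion",
                 "PutBucketPolicy", "DeleteBucketPolicy"}
EC2_LIFECYCLE = {"RunInstances", "TerminateInstances", "StopInstances",
                 "StartInstances", "RebootInstances"}
AUTHZ_ERRORS = {"AccessDenied", "Client.UnauthorizedOperation"}


def classify(record):
    """Return the slide categories (1-5) that a single record falls into;
    a record may match more than one."""
    name = record.get("eventName", "")
    labels = []
    if name.startswith(SG_VPC_PREFIXES):
        labels.append("1-security-group-or-vpc-change")
    if name in POLICY_EVENTS:
        labels.append("2-iam-or-bucket-policy-change")
    if name == "ConsoleLogin" and (record.get("responseElements") or {}).get("ConsoleLogin") == "Failure":
        labels.append("3-console-sign-in-failure")
    if record.get("errorCode") in AUTHZ_ERRORS:
        labels.append("4-authorization-failure")
    if name in EC2_LIFECYCLE:
        labels.append("5-ec2-instance-lifecycle")
    return labels


def triage(log_text):
    """Parse one CloudTrail log file and return (time, who, event, labels)
    for every record that matches at least one category."""
    alerts = []
    for rec in json.loads(log_text)["Records"]:
        labels = classify(rec)
        if not labels:
            continue
        ident = rec.get("userIdentity", {})
        who = ident.get("userName") or ident.get("type", "unknown")
        alerts.append((rec["eventTime"], who, rec["eventName"], labels))
    return alerts


# Constructed sample log file (not captured from a real account).
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2016-06-30T08:01:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress", "sourceIPAddress": "198.51.100.8",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}},
    {"eventTime": "2016-06-30T08:02:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutBucketPolicy", "sourceIPAddress": "198.51.100.8",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}},
    {"eventTime": "2016-06-30T08:03:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.9",
     "userIdentity": {"type": "Root", "accountId": "111122223333"},
     "responseElements": {"ConsoleLogin": "Failure"},
     "errorMessage": "Failed authentication"},
    {"eventTime": "2016-06-30T08:04:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "sourceIPAddress": "203.0.113.9",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "errorCode": "Client.UnauthorizedOperation",
     "errorMessage": "You are not authorized to perform this operation."},
    {"eventTime": "2016-06-30T08:05:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "TerminateInstances", "sourceIPAddress": "198.51.100.8",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}},
    {"eventTime": "2016-06-30T08:06:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "sourceIPAddress": "198.51.100.8",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}},
]})

if __name__ == "__main__":
    for alert in triage(SAMPLE_LOG):
        print(alert)
```

The read-only DescribeInstances call produces no alert, which is the "high blast radius" filter the slide asks for; the denied RunInstances is reported under both the authorization-failure and the instance-lifecycle family so that either alarm catches it.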

Page 52: Receive email notifications of specific API activity

Page 53: Demo: Kibana

Page 54: Data at Rest: Simplified

Page 55: Securing Data at Rest

Amazon S3, Glacier, Amazon EBS, Amazon RDS, Redshift

> AES-256 key

> KMS integration

> Easy one-click encryption

Page 56: Securing Data at Rest: Amazon S3 / Glacier

> AES-256 key

> Each object is encrypted

> Each key is encrypted with a master key

> Master key is rotated regularly

> KMS integration

Page 57: Securing Data at Rest: Amazon EBS

> AES-256 key

> Performed on EC2 host

> Snapshots

> KMS integrated

> Each volume gets its own data key

> Data key is encrypted with the master key

Page 58: Securing Data at Rest: Amazon RDS

> AES-256 key

> Logs, backups, and snapshots

> Read replicas

> Active and backup

> CloudHSM (Oracle TDE only)

> KMS integration

Page 59: Securing Data at Rest: Redshift

> AES-256 key

> Data blocks

> Metadata

> Active and backup

> CloudHSM integration

> 4-tier encryption architecture

Page 60: Securing Data at Rest: CloudHSM

> Hardware Security Module

> Single tenancy

> Private key material never leaves the HSM

> AWS provisioned, customer managed