2. Rob Alexander
Capital One's chief information officer (presented at AWS
re:Invent 2015 user conference keynote)
"The financial service industry attracts some of
the worst cyber criminals. We work closely with
AWS to develop a security model, which we
believe enables us to operate more securely
in the public cloud than we can in our own
data centers."
3. At AWS, cloud security is job zero.
All AWS customers benefit from a data
center and network architecture built to
satisfy the requirements of the most
security-sensitive organizations.
4. Where would some of the world’s top security
people like to work? At scale on huge challenges
with huge rewards
So AWS has world-class security and compliance
teams watching your back!
Every customer benefits from the tough
scrutiny of other AWS customers
Gain access to a world-class security team
7. AWS Shared Responsibility Model
AWS:
  Facilities
  Physical security
  Compute infrastructure
  Storage infrastructure
  Network infrastructure
  Virtualization layer (EC2)
  Hardened service endpoints
  Rich IAM capabilities
+ Customer:
  Network configuration
  Security groups
  OS firewalls
  Operating systems
  Applications
  Proper service configuration
  AuthN & acct management
  Authorization policies
= More secure and compliant systems than any one entity could achieve on its own at scale
• Scope of responsibility depends on the type of service offered by AWS:
  Infrastructure, Container, Abstracted Services
• Understanding who is responsible for what is critical to ensuring your AWS data and
  systems are secure!
8. Shared Responsibility Model
AWS is responsible for the security OF the Cloud:
  AWS Foundation Services: Compute, Storage, Database, Networking
  AWS Global Infrastructure: Regions, Availability Zones, Edge Locations
Customers are responsible for their security and compliance IN the Cloud:
  Customer content
  Platform, Applications, Identity & Access Management
  Operating System, Network & Firewall Configuration
  Client-side Data Encryption; Server-side Data Encryption; Network Traffic Protection
9. Shared Responsibility Model: meet your own security objectives
AWS:
  AWS Foundation Services: Compute, Storage, Database, Networking
  AWS Global Infrastructure: Regions, Availability Zones, Edge Locations
Customer:
  Your own accreditation
  Your own certifications
  Your own external audits
Customer scope and effort is reduced
Better results through focused efforts
Built on AWS consistent baseline controls
10. AWS Responsibilities: Physical Security of Data Center
• Amazon has been building large-scale data centers for many years.
• Important attributes:
  – Non-descript facilities
  – Robust perimeter controls
  – Strictly controlled physical access
  – Two or more levels of two-factor authentication
• Controlled, need-based access.
• All access is logged and reviewed.
• Separation of Duties
  – Employees with physical access don’t have logical privileges.
11. AWS Responsibilities: EC2 Security
• Host operating system
  – Individual SSH keyed logins via bastion host for AWS admins
  – All accesses logged and audited
• Guest (a.k.a. Instance) operating system
  – Customer controlled (customer owns root/admin)
  – AWS admins cannot log in
  – Customer-generated keypairs
• Stateful firewall
  – Mandatory inbound firewall, default deny mode
  – Customer controls configuration via Security Groups
Network Security
• IP Spoofing prohibited at host OS level.
• Packet sniffing is ineffective (protected at hypervisor level).
• Unauthorized Port Scanning is a violation of TOS and is detected/blocked.
• Inbound ports blocked by default.
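The stateful, default-deny behaviour of the instance firewall described on this slide, as an added example that is not AWS code or the EC2 implementation. It models a security group as a list of allow rules (there are no deny rules), evaluates inbound packets against it, and shows why a reply to a connection the instance itself opened is accepted without any inbound rule. The Rule and SecurityGroup names, the CIDRs and the packets are constructed for the demonstration.

```python
"""Default-deny, stateful inbound filtering in the style of EC2 security groups.

Added example (not AWS code). Rules are allow-only; anything not matched by
a rule or by connection state is dropped. Sample addresses use RFC 5737
documentation ranges; all inputs below are constructed.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    protocol: str   # "tcp" or "udp" (ICMP would key on type/code instead of ports)
    from_port: int
    to_port: int
    cidr: str       # permitted source range, e.g. "198.51.100.0/24"


@dataclass
class SecurityGroup:
    inbound: list = field(default_factory=list)          # allow rules only
    _connections: set = field(default_factory=set)       # (proto, remote_ip, remote_port, local_port)

    def record_outbound(self, protocol, dst_ip, dst_port, src_port):
        """The instance opened a connection; remember it so replies are let back in."""
        self._connections.add((protocol, dst_ip, dst_port, src_port))

    def allows_inbound(self, protocol, src_ip, src_port, dst_port) -> bool:
        # 1. stateful match: reply traffic for a connection the instance initiated
        if (protocol, src_ip, src_port, dst_port) in self._connections:
            return True
        # 2. explicit allow rule (protocol, destination port range, source CIDR)
        for r in self.inbound:
            if r.protocol != protocol or not (r.from_port <= dst_port <= r.to_port):
                continue
            if ip_address(src_ip) in ip_network(r.cidr):
                return True
        # 3. default deny: no rule, no state, no entry
        return False


def build_web_sg() -> SecurityGroup:
    """Constructed example: HTTPS from anywhere, SSH only from an admin range."""
    return SecurityGroup(inbound=[
        Rule("tcp", 443, 443, "0.0.0.0/0"),
        Rule("tcp", 22, 22, "198.51.100.0/24"),
    ])


def demo() -> dict:
    """Evaluate a handful of constructed packets; returns name -> allowed?"""
    sg = build_web_sg()
    results = {
        "https_from_internet": sg.allows_inbound("tcp", "203.0.113.7", 51000, 443),
        "ssh_from_admin_range": sg.allows_inbound("tcp", "198.51.100.9", 51001, 22),
        "ssh_from_internet": sg.allows_inbound("tcp", "203.0.113.7", 51002, 22),
        "mysql_unlisted_port": sg.allows_inbound("tcp", "198.51.100.9", 51003, 3306),
    }
    # The instance fetches an update from a mirror; the reply has no inbound rule.
    sg.record_outbound("tcp", "192.0.2.50", 443, 40000)
    results["reply_to_outbound"] = sg.allows_inbound("tcp", "192.0.2.50", 443, 40000)
    # Same local port, different remote host: no state, so still denied.
    results["unsolicited_same_port"] = sg.allows_inbound("tcp", "192.0.2.51", 443, 40000)
    return results


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:24s} {'ALLOW' if allowed else 'deny'}")
```

The order of checks matters: state is consulted before rules so that customers never need an inbound rule for return traffic, and the final `return False` is what makes the filter default-deny rather than default-allow.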
13. AAA with AWS
Authenticate: IAM Username/Password, Access Key (+ MFA), Federation
Authorize: IAM Policies
Audit: CloudTrail
14. AWS IAM Hierarchy of Privileges
AWS Account Owner (Root)
  Permissions: Unrestricted access to all enabled services and resources.
  Example (implicit):
    Action: *
    Effect: Allow
    Resource: *
AWS IAM User
  Permissions: Access restricted by Group and User policies
  Example:
    Action: ['s3:*', 'sts:Get*']
    Effect: Allow
    Resource: *
Temporary Security Credentials
  Permissions: Access restricted by generating identity and further by policies used to generate token
  Example:
    Action: ['s3:Get*']
    Effect: Allow
    Resource: 'arn:aws:s3:::mybucket/*'
Enforce principle of least privilege with Identity and Access Management (IAM) users, groups, and policies and temporary credentials.
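The three policy tiers on this slide, evaluated side by side as an added example (not AWS code and not the IAM service's evaluator). The block reproduces the slide's three statements as policy JSON and applies the documented IAM decision rule in simplified form: default deny, an explicit Allow grants, an explicit Deny overrides. IAM wildcards (`*`, `?`) are matched with a small translator; conditions, resource-based policies and organization-level controls are out of scope here. The request list is constructed; `mybucket` and the actions are the slide's own.

```python
"""Least-privilege walk-through of the slide's three IAM policy tiers.

Added example, not AWS code. Implements simplified IAM logic: implicit deny,
explicit Allow grants, explicit Deny always wins. Requests are constructed.
"""
import re

# The slide's statements, in IAM policy-document shape.
ROOT_POLICY = [{"Effect": "Allow", "Action": "*", "Resource": "*"}]            # implicit for root
IAM_USER_POLICY = [{"Effect": "Allow", "Action": ["s3:*", "sts:Get*"], "Resource": "*"}]
TEMP_CREDS_POLICY = [{"Effect": "Allow", "Action": ["s3:Get*"],
                      "Resource": "arn:aws:s3:::mybucket/*"}]


def iam_match(pattern: str, value: str) -> bool:
    """IAM-style wildcard match: '*' any run of characters, '?' one character."""
    regex = "^" + "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                          for c in pattern) + "$"
    return re.match(regex, value) is not None


def _as_list(v):
    return v if isinstance(v, list) else [v]


def is_allowed(policy: list, action: str, resource: str) -> bool:
    """Decide one request. Action names compare case-insensitively; ARNs do not."""
    decision = "deny"                       # implicit default
    for stmt in policy:
        action_hit = any(iam_match(p.lower(), action.lower()) for p in _as_list(stmt["Action"]))
        resource_hit = any(iam_match(p, resource) for p in _as_list(stmt["Resource"]))
        if not (action_hit and resource_hit):
            continue
        if stmt["Effect"] == "Deny":
            return False                    # explicit deny overrides every allow
        decision = "allow"
    return decision == "allow"


# Constructed requests: (action, resource ARN)
REQUESTS = [
    ("s3:GetObject", "arn:aws:s3:::mybucket/report.csv"),
    ("s3:PutObject", "arn:aws:s3:::mybucket/report.csv"),
    ("s3:GetObject", "arn:aws:s3:::otherbucket/secret.txt"),
    ("sts:GetCallerIdentity", "*"),
    ("iam:CreateUser", "*"),
]


def privilege_matrix() -> dict:
    """tier -> [allowed?, ...] in REQUESTS order; each tier is a strict subset of the one above."""
    tiers = {"root": ROOT_POLICY, "iam_user": IAM_USER_POLICY, "temp_creds": TEMP_CREDS_POLICY}
    return {name: [is_allowed(pol, a, r) for a, r in REQUESTS] for name, pol in tiers.items()}


if __name__ == "__main__":
    for tier, row in privilege_matrix().items():
        print(f"{tier:10s}", ["ALLOW" if ok else "deny" for ok in row])
```

Reading the matrix top to bottom shows the point of the slide: the same `s3:GetObject` on `otherbucket` is allowed to the IAM user (Resource `*`) but refused to the temporary credentials, because the token was minted with a policy scoped to `mybucket/*`.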
17. AWS Key Management Service
Customer Master Key(s)
  -> Data Key 1, Data Key 2, Data Key 3, Data Key 4
  -> Amazon S3 Object, Amazon EBS Volume, Amazon Redshift Cluster
Managed service to securely create, control, rotate, and use encryption keys.
18. AWS Certificate Manager
• AWS Certificate Manager (ACM) makes it easy to provision, manage, deploy, and renew SSL/TLS certificates on the AWS platform.
20. AWS Shield
Standard Protection: Available to ALL AWS customers at No Additional Cost
Advanced Protection: Paid service that provides additional, comprehensive protections from large and sophisticated attacks
22. Amazon Inspector
• Vulnerability Assessment Service
- Built from the ground up to support DevSecOps
- Automatable via APIs
- Integrates with CI/CD tools
- On-Demand Pricing model
- Static & Dynamic Rules Packages
- Generates Findings
23. AWS CloudTrail
Web service that records AWS API calls for your account and delivers logs.
Who?    When?    What?                     Where to?   Where from?
Bill    3:27pm   Launch Instance           us-west-2   72.21.198.64
Alice   8:19am   Added Bob to admin group  us-east-1   127.0.0.1
Steve   2:22pm   Deleted DynamoDB table    eu-west-1   205.251.233.176
24. AWS Config & Config Rules
Managed service for tracking AWS inventory and configuration, and configuration change notification.
Tracked: EC2, VPC, EBS, CloudTrail
Use cases: Change Management, Audit Compliance, Security Analysis, Troubleshooting, Discovery
Also, mention the IDC whitepaper: “Assessing the Risk: Yes, the Cloud can be More Secure than your On-Premises Environment”
--Pete Lindstrom, June 2015
Do treat security as code, allowing you to deploy and validate security
infrastructure in a manner that allows you the scale and agility to protect the
organization.
Do create guardrails, sensible defaults, and offer templates and best practices
as code.
Do build security services that the organization can leverage for highly
repetitive or particularly sensitive security functions.
Do define actors and then storyboard their experience interacting with AWS
services.
Do use the AWS Trusted Advisor tool to continually assess your AWS security
posture, and consider an AWS Well Architected review.
Do establish a minimal viable security baseline, and continually iterate to
raise the bar for the workloads you’re protecting.
There’s a shared responsibility to accomplish security and compliance objectives in AWS cloud. There are some elements that AWS takes responsibility for, and others that the customer must address. The outcome of the collaborative approach is positive results seen by customers around the world.
We look after the security OF the cloud, and you look after your security IN the cloud.
Segue to talk about FedRAMP potentially and share your experiences from around the world!
AWS Key Management Service (KMS) is a managed service that makes it easy for you to create and control the encryption keys used to encrypt your data, and uses Hardware Security Modules (HSMs) to protect the security of your keys. AWS Key Management Service is integrated with several other AWS services to help you protect the data you store with these services. AWS Key Management Service is also integrated with AWS CloudTrail to provide you with logs of all key usage to help meet your regulatory and compliance needs.
Integrated with AWS SDKs and AWS services:
S3, EBS, AWS Import/Export Snowball, RDS, Redshift, CodeCommit, CloudTrail, EMR, Kinesis Firehose, Elastic Transcoder, SES, WorkSpaces, WorkMail
Centralized control.
Easy and automatic key rotation (KMS keeps track of old keys for decryption)
*New Feature*: Bring your own keys to KMS
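The key hierarchy drawn on the KMS slide (one customer master key wrapping per-resource data keys) together with the rotation note above ("KMS keeps track of old keys for decryption"), shown as an added example that is not AWS code and does not call the KMS API. To stay dependency-free it uses HMAC-SHA256 in counter mode as a stream cipher with an HMAC tag, a stand-in for the AES-GCM that KMS-integrated services use; the cipher is only there to make the envelope pattern runnable. The MockKeyService class, its audit log and the key-version prefix on wrapped keys are assumptions made for the demonstration; all plaintexts are constructed.

```python
"""Envelope encryption in the KMS pattern: CMK wraps data keys, data keys wrap data.

Added example, not AWS/KMS code. The master key never leaves the key service;
callers only ever hold plaintext data keys briefly and store the wrapped copy.
The HMAC-CTR stream cipher below is a stand-in for AES-GCM, not for reuse.
"""
import hashlib
import hmac
import secrets


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag (encrypt-then-MAC)."""
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; raise on any modification."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


class MockKeyService:
    """Assumed stand-in for KMS: holds CMK versions, wraps/unwraps data keys, logs every use."""

    def __init__(self):
        self._cmks = {}      # key_id -> list of backing key versions; last is current
        self.audit_log = []  # (operation, key_id), the CloudTrail analogue

    def create_cmk(self, key_id: str) -> None:
        self._cmks[key_id] = [secrets.token_bytes(32)]
        self.audit_log.append(("CreateKey", key_id))

    def rotate_cmk(self, key_id: str) -> None:
        """New backing key for future wraps; old versions are kept so old envelopes still open."""
        self._cmks[key_id].append(secrets.token_bytes(32))
        self.audit_log.append(("RotateKey", key_id))

    def generate_data_key(self, key_id: str):
        """Return (plaintext data key, data key wrapped under the current CMK version)."""
        versions = self._cmks[key_id]
        version = len(versions) - 1
        data_key = secrets.token_bytes(32)
        wrapped = version.to_bytes(2, "big") + seal(versions[version], data_key)
        self.audit_log.append(("GenerateDataKey", key_id))
        return data_key, wrapped

    def decrypt_data_key(self, key_id: str, wrapped: bytes) -> bytes:
        version = int.from_bytes(wrapped[:2], "big")   # pick the CMK version that wrapped it
        self.audit_log.append(("Decrypt", key_id))
        return unseal(self._cmks[key_id][version], wrapped[2:])


def encrypt_object(kms: MockKeyService, key_id: str, plaintext: bytes) -> dict:
    """One fresh data key per object; only the wrapped key is stored beside the ciphertext."""
    data_key, wrapped = kms.generate_data_key(key_id)
    envelope = {"key_id": key_id, "wrapped_key": wrapped, "ciphertext": seal(data_key, plaintext)}
    del data_key                                       # plaintext key discarded after use
    return envelope


def decrypt_object(kms: MockKeyService, envelope: dict) -> bytes:
    data_key = kms.decrypt_data_key(envelope["key_id"], envelope["wrapped_key"])
    return unseal(data_key, envelope["ciphertext"])


def demo() -> dict:
    kms = MockKeyService()
    kms.create_cmk("cmk-app")
    obj = encrypt_object(kms, "cmk-app", b"S3 object contents")   # Data Key 1
    vol = encrypt_object(kms, "cmk-app", b"EBS volume block")     # Data Key 2
    kms.rotate_cmk("cmk-app")
    row = encrypt_object(kms, "cmk-app", b"Redshift row")         # Data Key 3, new CMK version
    assert obj["wrapped_key"] != vol["wrapped_key"]               # one data key per object
    return {"s3": decrypt_object(kms, obj), "ebs": decrypt_object(kms, vol),
            "redshift": decrypt_object(kms, row), "ops": [op for op, _ in kms.audit_log]}


if __name__ == "__main__":
    print(demo())
```

Two properties of the real service are visible in the toy: compromising one stored object exposes only its own data key, and rotating the CMK does not require re-encrypting existing data because the service retains earlier versions for decryption.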
Provision trusted SSL/TLS certificates from AWS for use with AWS resources:
Elastic Load Balancing
Amazon CloudFront distributions
AWS handles the muck
Key pair and CSR generation
Managed renewal and deployment
Domain validation (DV) through email
Available through AWS Management console, CLI, or API
Let’s talk about why we built the WAF based on customer feedback.
Initially the WAF will be a CDN offering, but will be extended shortly after launch to include ELB
WAFs help protect web sites & applications against attacks that cause data breaches and downtime.
General WAF use cases
Protect from SQL Injection (SQLi) and Cross Site Scripting (XSS)
Prevent Web Site Scraping, Crawlers, and BOTs
Mitigate DDoS (HTTP/HTTPS floods)
Gartner reports that main driver of WAF purchase (25-30%) is PCI compliance
Who made the API call?
When was the API call made?
What was the API call?
Which resources were acted upon in the API call?
Where was the API call made from and made to?
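The five questions above, answered programmatically over a delivered CloudTrail log file, as an added example that is not AWS code. SAMPLE_LOG is a constructed delivery file using CloudTrail's real record fields (eventTime, eventSource, eventName, awsRegion, sourceIPAddress, userIdentity, requestParameters); the people, regions and source addresses are the ones in the slide's table, while the date, the DynamoDB table name and the instance type are made up. HIGH_RISK is an assumed starter watch-list written for this example, not an AWS-supplied one.

```python
"""Who / when / what / which resources / where, from CloudTrail records.

Added example, not AWS code. SAMPLE_LOG is a constructed CloudTrail delivery
file; its field names follow the real record schema.
"""
import json

SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2015-10-08T15:27:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "awsRegion": "us-west-2", "sourceIPAddress": "72.21.198.64",
     "userIdentity": {"type": "IAMUser", "userName": "Bill"},
     "requestParameters": {"instanceType": "t2.micro"}},
    {"eventTime": "2015-10-08T08:19:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "AddUserToGroup", "awsRegion": "us-east-1", "sourceIPAddress": "127.0.0.1",
     "userIdentity": {"type": "IAMUser", "userName": "Alice"},
     "requestParameters": {"userName": "Bob", "groupName": "admin"}},
    {"eventTime": "2015-10-08T14:22:00Z", "eventSource": "dynamodb.amazonaws.com",
     "eventName": "DeleteTable", "awsRegion": "eu-west-1", "sourceIPAddress": "205.251.233.176",
     "userIdentity": {"type": "IAMUser", "userName": "Steve"},
     "requestParameters": {"tableName": "orders"}},
]})


def load_records(text: str) -> list:
    return json.loads(text)["Records"]


def describe(rec: dict) -> dict:
    """Map one record onto the slide's five columns plus the resources touched."""
    ident = rec.get("userIdentity", {})
    who = ident.get("userName") or ident.get("arn") or ident.get("type", "unknown")
    service = rec["eventSource"].split(".")[0]          # "iam.amazonaws.com" -> "iam"
    return {
        "who": who,
        "when": rec["eventTime"],                        # UTC, ISO-8601
        "what": f"{service}:{rec['eventName']}",
        "resources": rec.get("requestParameters") or {},  # which resources were acted upon
        "where_to": rec["awsRegion"],
        "where_from": rec["sourceIPAddress"],
    }


# Assumed watch-list for this example: event name -> predicate over requestParameters.
HIGH_RISK = {
    "AddUserToGroup": lambda p: "admin" in p.get("groupName", "").lower(),
    "DeleteTable": lambda p: True,
    "PutUserPolicy": lambda p: True,
}


def flag_high_risk(records: list) -> list:
    """Return (who, what, where_from) for records on the watch-list whose predicate holds."""
    hits = []
    for rec in records:
        check = HIGH_RISK.get(rec["eventName"])
        if check and check(rec.get("requestParameters") or {}):
            d = describe(rec)
            hits.append((d["who"], d["what"], d["where_from"]))
    return hits


def summarize(text: str) -> list:
    return [describe(r) for r in load_records(text)]


if __name__ == "__main__":
    for row in summarize(SAMPLE_LOG):
        print(row)
    print("flagged:", flag_high_risk(load_records(SAMPLE_LOG)))
```

The watch-list deliberately keys on requestParameters rather than on eventName alone: adding a user to a read-only group is routine, adding one to the admin group is the event worth paging on, and only the parameters distinguish the two.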
AWS Config is a fully managed service that provides you with an AWS resource inventory, configuration history, and configuration change notifications to enable security and governance. With AWS Config you can discover existing AWS resources, export a complete inventory of your AWS resources with all configuration details, and determine how a resource was configured at any point in time. These capabilities enable compliance auditing, security analysis, resource change tracking, and troubleshooting.
Use Cases:
Security analysis: Am I safe?
Audit compliance: Where is the evidence?
Change management: What will this change affect?
Troubleshooting: What has changed?
Discovery: What resources exist?
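The five AWS Config use cases listed above, each answered over a recorded configuration history, as an added example that is not AWS code. CONFIG_ITEMS is a constructed history in the shape of Config configuration items (resourceType, resourceId, configurationItemCaptureTime, configuration); the resource ids and values are made up. The two rules are written by hand for this example and only mirror the intent of common managed rules (encrypted EBS volumes, SSH not open to the world); the function names are assumptions.

```python
"""AWS Config use cases over configuration items: discovery, compliance,
change history and point-in-time lookup.

Added example, not AWS code. CONFIG_ITEMS is constructed; timestamps are
ISO-8601 UTC so string order equals time order.
"""
from collections import Counter

CONFIG_ITEMS = [
    {"resourceType": "AWS::EC2::Volume", "resourceId": "vol-0a1b2c3d",
     "configurationItemCaptureTime": "2016-03-01T10:00:00Z",
     "configuration": {"encrypted": False, "size": 100}},
    {"resourceType": "AWS::EC2::Volume", "resourceId": "vol-0a1b2c3d",
     "configurationItemCaptureTime": "2016-03-02T10:00:00Z",
     "configuration": {"encrypted": True, "size": 100}},
    {"resourceType": "AWS::EC2::SecurityGroup", "resourceId": "sg-0123abcd",
     "configurationItemCaptureTime": "2016-03-01T10:00:00Z",
     "configuration": {"groupName": "web", "ipPermissions": [
         {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443, "ipRanges": ["0.0.0.0/0"]}]}},
    {"resourceType": "AWS::EC2::SecurityGroup", "resourceId": "sg-0123abcd",
     "configurationItemCaptureTime": "2016-03-03T09:30:00Z",
     "configuration": {"groupName": "web", "ipPermissions": [
         {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443, "ipRanges": ["0.0.0.0/0"]},
         {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22, "ipRanges": ["0.0.0.0/0"]}]}},
]


def latest_items(items: list) -> dict:
    """Discovery: newest configuration item per resourceId (what resources exist)."""
    latest = {}
    for it in sorted(items, key=lambda i: i["configurationItemCaptureTime"]):
        latest[it["resourceId"]] = it
    return latest


def inventory(items: list) -> dict:
    return dict(Counter(it["resourceType"] for it in latest_items(items).values()))


def _sg_opens_ssh_to_world(cfg: dict) -> bool:
    for perm in cfg.get("ipPermissions", []):
        if perm.get("ipProtocol") == "tcp" and perm.get("fromPort", 0) <= 22 <= perm.get("toPort", -1):
            if "0.0.0.0/0" in perm.get("ipRanges", []):
                return True
    return False


# Hand-written rules: name -> (resource type it applies to, predicate that means COMPLIANT)
RULES = {
    "ebs-volume-encrypted": ("AWS::EC2::Volume", lambda cfg: cfg.get("encrypted") is True),
    "restricted-ssh": ("AWS::EC2::SecurityGroup", lambda cfg: not _sg_opens_ssh_to_world(cfg)),
}


def evaluate(items: list) -> dict:
    """Audit compliance / security analysis ("Am I safe?") on the current state."""
    results = {}
    for rid, it in latest_items(items).items():
        for name, (rtype, compliant) in RULES.items():
            if it["resourceType"] == rtype:
                results[(name, rid)] = "COMPLIANT" if compliant(it["configuration"]) else "NON_COMPLIANT"
    return results


def history(items: list, resource_id: str) -> list:
    """Troubleshooting ("What has changed?"): (capture time, keys that differ from the previous item)."""
    seq = sorted((i for i in items if i["resourceId"] == resource_id),
                 key=lambda i: i["configurationItemCaptureTime"])
    out, prev = [], {}
    for it in seq:
        cfg = it["configuration"]
        changed = sorted(k for k in set(cfg) | set(prev) if prev.get(k) != cfg.get(k))
        out.append((it["configurationItemCaptureTime"], changed))
        prev = cfg
    return out


def configuration_at(items: list, resource_id: str, when: str):
    """How a resource was configured at a point in time; None if it did not exist yet."""
    cands = [i for i in items
             if i["resourceId"] == resource_id and i["configurationItemCaptureTime"] <= when]
    if not cands:
        return None
    return max(cands, key=lambda i: i["configurationItemCaptureTime"])["configuration"]


if __name__ == "__main__":
    print(inventory(CONFIG_ITEMS))
    print(evaluate(CONFIG_ITEMS))
    print(history(CONFIG_ITEMS, "sg-0123abcd"))
```

Running it shows the volume becoming compliant after it was re-created encrypted, and the security group going non-compliant on 2016-03-03 when an SSH rule open to 0.0.0.0/0 was added; the history call pinpoints that the only key that changed was ipPermissions, which is the evidence an auditor asks for.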