Se ha denunciado esta presentación.
Utilizamos tu perfil de LinkedIn y tus datos de actividad para personalizar los anuncios y mostrarte publicidad más relevante. Puedes cambiar tus preferencias de publicidad en cualquier momento.

Network Security and Access Control within AWS

3.990 visualizaciones

Publicado el

AWS provides several security capabilities and services to increase privacy and control infrastructure access. Built-in firewalls allow you to create private networks within AWS, and also control network access to your instances and subnets. Identity and access management capabilities enable you to define individual user accounts with permissions across AWS resources. AWS also provides tools and features that enable you to see exactly what’s happening in your AWS environment. In this session, you will gain an understanding of preventive and detective controls at the infrastructure level on AWS. We will cover Identity and Access Management as well as the security aspects of Amazon EC2, Virtual Private Cloud (VPC), Elastic Load Balancing (ELB), and CloudTrail.

Publicado en: Tecnología
  • Sé el primero en comentar

Network Security and Access Control within AWS

  1. 1. © 2015, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Network Security & Access Control in AWS
  2. 2. AWS Account Security Day One Governance
  3. 3. Account Governance – New Accounts AWS Config AWS CloudTrail InfoSec’s Cross- Account Roles AWS Account Credential Management (“Root Account”) Federation AWS Account Ownership AWS Account Contact Information AWS Sales and Support Relationship Baseline Requirements
  4. 4. Account Governance – Existing Accounts AWS Config AWS CloudTrail InfoSec’s Cross- Account Roles AWS Account Credential Management (“Root Account”) Federation AWS Account Ownership AWS Account Contact Information AWS Sales and Support Relationship Baseline Requirements
  5. 5. AWS Identity & Access Management Overview of the Core Principles
  6. 6. AWS Identity & Access Management IAM Users IAM Groups IAM Roles
  7. 7. Policy specification basics JSON-formatted documents Contain a statement (permissions) that specifies: • Which actions a principal can perform • Which resources can be accessed { "Statement":[{ "Effect":"effect", "Principal":"principal", "Action":"action", "Resource":"arn", "Condition":{ "condition":{ "key":"value" } } } ] } Principal Action Resource Condition You can have multiple statements and each statement is comprised of PARC.
  8. 8. Managing your policies
  9. 9. IAM policies • Managed policies (newer way) • Can be attached to multiple users, groups, and roles • AWS managed policies: Created and maintained by AWS • Customer managed policies: Created and maintained by you • Up to 5K per policy • Up to 5 versions of a policy so you can roll back to a prior version • You can attach 10 managed policies per user, group, or role • You can limit who can attach which managed policies • Inline policies (older way) • You create and embed directly in a single user, group, or role • Variable policy size (2K per user, 5K per group, 10K per role)
  10. 10. Resource-based policies IAM policies live with: • IAM users • IAM groups • IAM roles Some services allow storing policy with resources: • S3 (bucket policy) • Amazon Glacier (vault policy) • Amazon SNS (topic policy) • Amazon SQS (queue policy) • AWS KMS (key policy) { "Statement": { "Effect": "Allow", "Principal": {"AWS": "111122223333"}, "Action": "sqs:SendMessage", "Resource": "arn:aws:sqs:us-east-1:444455556666:queue1" } }
  11. 11. AWS CloudTrail
  12. 12. Introduction to AWS CloudTrail Store/ Archive Troubleshoot Monitor & Alarm You are making API calls... On a growing set of AWS services around the world.. CloudTrail is continuously recording API calls
  13. 13. Use cases enabled by CloudTrail IT and security administrators can perform security analysis IT administrators and DevOps engineers can attribute changes on AWS resources to the identity, time and other critical details of who made the change DevOps engineers can troubleshoot operational issues IT Auditors can use log files as a compliance aid Security at Scale: Logging in AWS White Paper
  14. 14. Encrypted CloudTrail log files using SSE-KMS By default, CloudTrail encrypts log files using S3 server side encryption Additional layer of security for your log files by encrypting with your KMS key Application logic for ingesting and processing log files stays the same S3 will decrypt on your behalf if your credentials have decrypt permissions
  15. 15. CloudTrail log file integrity validation Validate that a log file has not been changed since CloudTrail delivered the log file to your S3 bucket Detect whether a log file was deleted or modified or unchanged Use the tool as an aid in your IT security, audit and compliance processes
  16. 16. AWS Config
  17. 17. AWS Config • Get inventory of AWS resources • Discover new and deleted resources • Record configuration changes continuously • Get notified when configurations change
  18. 18. NormalizeRecordChanging Resources AWS Config Deliver Stream Snapshot (ex. 2014-11-05) AWS Config APIs Store History
  19. 19. AWS Config
  20. 20. AWS Config
  21. 21. Config Rules (preview) • Set up rules to check configuration changes recorded • Use pre-built rules provided by AWS • Author custom rules using AWS Lambda • Invoked automatically for continuous assessment • Use dashboard for visualizing compliance and identifying offending changes
  22. 22. NormalizeRecordChanging Resources AWS Config & Config Rules Deliver Stream Snapshot (ex. 2014-11-05) AWS Config APIs Store History Rules
  23. 23. AWS Config – Rules (example – instances must be tagged with a DataClassification)
  24. 24. AWS Network Security – Global Networking Building a Robust Internet Architecture
  25. 25. us-west-2 VPC us-east-1 sa-east-1 ap-southeast-2 eu-central-1 VPCVPC VPC VPC VPC eu-west-1 ap-southeast-1 VPC VPC ap-northeast-1 VPC
  26. 26. us-west-2 VPCVPC Amazon CloudFront, AWS WAF and Amazon Route 53 eu-central-1 VPC
  27. 27. CloudFront - Shield custom origin • Shield your custom origin • Whitelist Amazon CloudFront IP range Amazon CloudFront Region Amazon S3 bucket Custom origin AWS WAF
  28. 28. AWS Network Security - VPC Building a Trust Zone architecture
  29. 29. Availability Zone A Private subnet Public subnet Private subnet Availability Zone B Private subnet Public subnet Private subnet VPC
  30. 30. Availability Zone A Private subnet Public subnet Private subnet Availability Zone B Private subnet Public subnet Private subnet ELB Web Back end VPC CIDR 10.1.0.0/16 ELB Web Back end .1 VPC .1 .1 .1 .1 .1
  31. 31. Availability Zone A Private subnet Public subnet Private subnet Availability Zone B Private subnet Public subnet Private subnet ELB Web Back end ELB Web Back end AWS region Internet Public Route Table Destination Target 10.1.0.0/16 Local 0.0.0.0/0 IGW VPC
  32. 32. Availability Zone A Private subnet Public subnet Private subnet Availability Zone B Public subnet Private subnet ELB Web Back end VPC CIDR 10.1.0.0/16 ELB Web Back end VPC sg_ELB_FrontEnd (ELB Security Group) sg_Web_Frontend (Web Security Group) Security Groups sg_Backend (Backend Security Group)
  33. 33. Security Groups
  34. 34. Security Groups
  35. 35. Security Groups
  36. 36. Security Groups
  37. 37. Network Access Control Lists (NACLs) Availability Zone A Private subnet Public subnet Private subnet Availability Zone B Private subnet Public subnet Private subnet ELB Web Back end ELB Web Back end AWS region VPC
  38. 38. Availability Zone A Private subnet Public subnet Private subnet Availability Zone B Private subnet Public subnet Private subnet ELB Web Back end ELB Web Back end AWS region Internet And what if instances in a private subnet need to reach outside the VPC? They have no route to the IGW and no public IP address. VPC
  39. 39. Availability Zone A Private subnet Public subnet Private subnet Availability Zone B Private subnet Public subnet Private subnet ELB Web Back end ELB Web Back end AWS region Internet Why go outside? VPC • AWS API endpoints • Regional services • Third-party services
  40. 40. To NAT, or not to NAT… • Leave NAT for less bandwidth-critical connectivity • Don’t bottleneck high-bandwidth-out workloads • Run high-bandwidth components from public subnets • Goal is full-instance bandwidth out of VPC
  41. 41. EC2 status checks StatusCheckFailed_System StatusCheckFailed_Instance CloudWatch per-instance metrics:
  42. 42. Amazon CloudWatch alarm actions Instance status check fails? REBOOT System status check fails? RECOVER Instance ID Instance metadata Private IP addresses Elastic IP addresses EBS volume attachments Instance retains:
  43. 43. A few things to remember… • Recover action only applies to system status checks • Limited to C3, C4, M3, R3, and T2 instance types • Cannot use local instance store • Cannot be dedicated instances • Use EC2ActionsAccess AWS Identity and Access Management (IAM) role Amazon EC2 Auto Recovery
  44. 44. Amazon EC2 Auto Recovery Set your failed check threshold Choose 1-minute period and statistic minimum Choose recover action Metric = StatusCheckFailed_System CloudWatch Console
  45. 45. Amazon EC2 Auto Reboot Choose reboot action Metric = StatusCheckFailed_Instance CloudWatch Console
  46. 46. Availability Zone A Private subnet Public subnet Private subnet Availability Zone B Private subnet Public subnet Private subnet Web Back end Web Back end AWS region Internet NAT VPC NAT Average tested recovery time: ~ 1 to 4 minutes Could be shorter or longer depending on nature of failure HA NAT with EC2 Auto Recovery + Auto Reboot
  47. 47. Pick a NAT, any NAT Amazon Linux NAT Amazon Machine Image (AMI)
  48. 48. AWS region Internal application to VPC Public-facing web app Internal company app VPN connection VPCVPC Customer network
  49. 49. Availability Zone A Private subnet Private subnet AWS region Virtual Private Gateway VPN connection Intranet app Intranet app Availability Zone B Internal customers Private Route Table Destination Target 10.1.0.0/16 Local Corp CIDR VGW VPC Internal application to VPC Customer network
  50. 50. But apps want to leverage… Amazon S3 …as a primary data store
  51. 51. Availability Zone A Private subnet Private subnet AWS region Virtual Private Gateway VPN connection Intranet app Intranet app Availability Zone B You really don’t want to do this: Amazon S3 Internet Customer border router Customer VPN Internet VPC Customer network
  52. 52. Availability Zone A Private subnet Private subnet AWS region Virtual Private Gateway Intranet app Intranet app Availability Zone B So do this instead: Amazon S3 VPC VPN connection VPC Endpoints • No IGW • No NAT • No public IPs • Free • Robust access control Customer network
  53. 53. “Currently, we support endpoints for connections with Amazon S3 within the same region only. We'll add support for other AWS services later.” From the Amazon VPC User Guide: VPC endpoints $ aws ec2 describe-vpc-endpoint-services SERVICENAMES com.amazonaws.us-west-2.s3
  54. 54. Creating S3 VPC endpoint aws ec2 create-vpc-endpoint --vpc-id vpc-40f18d25 --service-name com.amazonaws.us-west-2.s3 --route-table-ids rtb-2ae6a24f rtb-61c78704 Private subnet VPC Route Table Destination Target 10.1.0.0/16 Local Corp CIDR VGW Prefix List for S3 us-west-2 VPCE
  55. 55. Creating S3 VPC endpoint aws ec2 create-vpc-endpoint --vpc-id vpc-40f18d25 --service-name com.amazonaws.us-west-2.s3 --route-table-ids rtb-2ae6a24f rtb-61c78704 Public subnet VPC Route Table Destination Target 10.1.0.0/16 Local 0.0.0.0 IGW Prefix List for S3 us-west-2 VPCE
  56. 56. Prefix lists aws ec2 describe-prefix-lists PREFIXLISTS pl-68a54001 com.amazonaws.us-west-2.s3 CIDRS 54.231.160.0/19 • Logical route destination target • Dynamically translates to service IPs • S3 IP ranges change over time • S3 prefix lists abstract change
  57. 57. Prefix lists … and use them in security groups!
  58. 58. Private subnet Controlling VPC access to Amazon S3 IAM policy on VPCE: VPC { "Statement": [ { "Sid": "vpce-restrict-to-backup-bucket", "Principal": "*", "Action": [ "s3:GetObject", "s3:PutObject” ], "Effect": "Allow", "Resource": ["arn:aws:s3:::backups-reinvent2015", "arn:aws:s3:::backups-reinvent2015/*"] } ] } Backups bucket?
  59. 59. Private subnet Controlling VPC access to Amazon S3 S3 bucket policy: VPC From vpce-bc42a4e5? { "Statement": [ { "Sid": "bucket-restrict-to-specific-vpce", "Principal": "*", "Action": "s3:*", "Effect": "Deny", "Resource": ["arn:aws:s3:::backups-reinvent2015", "arn:aws:s3:::backups-reinvent2015/*"], "Condition": { "StringNotEquals": { "aws:sourceVpce": "vpce-bc42a4e5” } } } ] }
  60. 60. Controlling VPC access to Amazon S3 Recap on security layers: 1. Route table association 2. VPCE policy 3. Bucket policy 4. Security groups with prefix list Private subnet VPC 1. 2. 3. 4.
  61. 61. Private subnet Private subnet AWS region Intranet apps Compliance app Endpoints in action VPC Compliance Backups VPCE1 VPCE2 Private subnet Intranet apps
  62. 62. Private subnet Private subnet AWS region Intranet apps Compliance app Endpoints in action VPC Compliance Backups VPCE1 VPCE2 Private subnet Intranet apps Private subnet Private subnet Private subnet
  63. 63. VPC Flow Logs
  64. 64. VPC Flow Logs • Agentless • Enable per ENI, per subnet, or per VPC • Logged to AWS CloudWatch Logs • Create CloudWatch metrics from log data • Alarm on those metrics AWS account Source IP Destination IP Source port Destination port Interface Protocol Packets Bytes Start/end time Accept or reject
  65. 65. VPC Flow Logs: Automation Amazon SNS CloudWatch Logs Private subnet Compliance app AWS Lambda If SSH REJECT > 10, then… Elastic Network Interface Metric filter Filter on all SSH REJECTFlow Log group CloudWatch alarm Source IP
  66. 66. VPC Flow Logs
  67. 67. VPC Flow Logs
  68. 68. https://aws.amazon.com/blogs/aws/new-amazon-elasticsearch-service/ VPC Flow Logs • Amazon Elasticsearch Service (ES) • Amazon CloudWatch Logs subscriptions • Kibana
  69. 69. Refreshment Break Please return to your seats at 3:10 pm

×