As your use of the AWS platform matures and evolves you need to be continuously looking at ways to improve your security posture and take advantage of new security services and features. In this advanced technical session we will share architecture patterns for different workloads, IAM policy tips & tricks, and how to implement security automation and forensics. Be prepared for a technically deep session on AWS security.
Speaker: Ben Potter, AWS Cloud Security Consultant, Amazon Web Services
4. Well-Architected Security Design Principles
• Apply security at all layers
• Enable traceability
• Implement a principle of least privilege
• Focus on securing your system
• Automate security best practices
6. Example Corp Current Architecture
[Diagram] The public web site www.example.com is served through AWS edge locations (Amazon Route 53, Amazon CloudFront). Behind the edge sit two accounts: a Production Account with a Production VPC (Sydney) and a Development Account with a Development VPC (Sydney). Each VPC spans AZ 1 and AZ 2 and contains an ELB, a Public Web tier, a Design App tier, and an RDS Master with an RDS Standby.
7. Current Storage
Identity & Access Management:
• AWS managed IAM policies: Administrator, Power user, EC2 roles
• Root login is never used
S3 buckets:
• examplecorp-cfn-templates: CloudFormation templates
• examplecorp-dbexport: database exports
• examplecorp-logs-cloudtrail: CloudTrail logs
EBS:
• Data volumes encrypted with the default KMS key
8. Example Corp Self Assessment
SEC 2. How are you defining roles and responsibilities of system users to control human access to the AWS Management Console and API?
SEC 3. How are you limiting automated access to AWS resources?
SEC 5. How are you enforcing network and host-level boundary protection?
SEC 6. How are you leveraging AWS service level security features?
SEC 8. How are you classifying your data?
SEC 9. How are you encrypting and protecting your data at rest?
SEC 10. How are you managing keys?
SEC 12. How do you ensure that you have the appropriate incident response?
10. Multi VPC & Account Strategy
Considerations for a multi-account, multi-VPC strategy:
• Security & data classification
• Supportability & limits
• Automation & lifecycle
• Networking & data centre centric
11. Split Public Web & Design Apps
[Diagram] The same architecture as slide 6 (Route 53 and CloudFront at the edge; Production and Development accounts, each with a Sydney VPC holding an ELB, Public Web, Design App and RDS Master/Standby across AZ 1 and AZ 2). The title marks the Public Web and Design App workloads as the ones to be split apart; the following slides show the result.
12. New DNS Architecture: Public Info Web Site
[Diagram] The Route 53 hosted zone example.com uses a geolocation record set for the origin name: Oceania resolves origin. to apac., North America resolves origin. to usa., and the default resolves origin. to usa. A Route 53 health check fails traffic over from the primary CloudFront distribution to the failover CloudFront distribution, with origins in Sydney and Oregon.
13. AWS WAF
New Edge Architecture: Public Info Web Site
[Diagram] Internet traffic for www.example reaches the primary site, a CloudFront distribution fronted by AWS WAF. Route 53 origin routing sends requests from the distribution to origins in one or many regions (EC2 inside a VPC); Amazon S3 static hosting serves the custom error pages; and CloudFront adds a secret custom header on requests to the origin so the origin can reject anything that did not arrive through CloudFront. A Route 53 failover health check switches *.example to the failover site, a second CloudFront distribution in front of Amazon S3 static hosting.
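The secret custom header only protects the origin if the origin actually checks it. The following is an added example, not code from the talk: a Python check an origin web tier could apply to each request, with a constant-time comparison, case-insensitive header lookup, and acceptance of a current and a previous secret so the value can be rotated on CloudFront without downtime. The header name, environment variable names and secret values are assumptions.

```python
import hmac
import os
from typing import Mapping, Sequence

# Assumed header name; it must match the custom origin header configured on
# the CloudFront distribution. Secrets come from the environment (or a secrets
# store) at deploy time; the fallback strings exist only so this file runs
# stand-alone and are not real values.
SECRET_HEADER = "x-origin-secret"
CURRENT_SECRET = os.environ.get("ORIGIN_SECRET", "example-current-secret")
PREVIOUS_SECRET = os.environ.get("ORIGIN_SECRET_PREVIOUS", "example-previous-secret")


def came_via_cloudfront(headers: Mapping[str, str],
                        accepted: Sequence[str] = (CURRENT_SECRET, PREVIOUS_SECRET)) -> bool:
    """True when the request carries one of the accepted shared secrets.

    Two secrets are accepted so the value can be rotated without an outage:
    add the new secret to `accepted` on the origin first, then change the
    header value on CloudFront, then drop the old secret from `accepted`.
    The comparison is constant-time, and the header lookup ignores case
    because load balancers and WSGI servers may normalise header names.
    """
    presented = next((v for k, v in headers.items() if k.lower() == SECRET_HEADER), None)
    if presented is None:
        return False
    return any(hmac.compare_digest(presented.encode(), s.encode()) for s in accepted)


if __name__ == "__main__":
    # Constructed requests: one that came through CloudFront, one direct hit on the ELB.
    print(came_via_cloudfront({"X-Origin-Secret": CURRENT_SECRET}))   # True
    print(came_via_cloudfront({"Host": "www.example.com"}))            # False
```

A request that fails the check should get a 403 from the origin; the security groups on the ELB should additionally be limited to the CloudFront IP ranges, since the header is a second line of defence rather than a replacement for network restriction.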
14. New VPC Architecture: Public Info Web Site
[Diagram] CloudFront edge locations forward to an ELB in the Public Web VPC (Sydney), which spans AZ 1, AZ 2 and AZ 3. Behind the ELB are the Public Web instances, an EC2 WAF tier, a second ELB and a Services layer.
15. New VPC Architecture: Design App
[Diagram] Three VPCs, each across AZ 1, AZ 2 and AZ 3: an Application VPC holding the Design App behind Elastic Load Balancing (ELB); an Egress VPC with a proxy, DNS filtering, DLP and VPN; and a Services VPC with bastions, security tools, code tools and CI/CD.
16. New Storage
S3:
• Bucket names carry a unique suffix, e.g. examplecorp-dbexport-syd-accid-123abc
• The old buckets (e.g. examplecorp-dbexport) are kept as canaries
• Automatic remediation of object ACLs
• Enforcing encrypted objects
• Object tagging for data classification
• Replicating critical data
EBS:
• All volumes encrypted, with KMS keys per application and environment
17. VPC: Tips from the Trenches
• Use Security Group outbound rules
• Use NACLs sparingly, for horizontal (subnet-to-subnet) boundaries
• Avoid the launch wizard to create Security Groups
• Avoid using the default route table
• Decide on IGW use and control it with IAM
19. Account Structure
[Diagram] Current: separate Production and Development accounts. Future: an organisation under a Master account, with a Blacklist OCP attached to each OU:
• Playpen OU: Playpen (Sydney), Playpen (Oregon)
• Security OU: Security Operations, Security Forensics
• Production OU: Design App (Sydney), Design App (Oregon), Public Web (Global)
• Development OU: Design App (Sydney), Design App (Oregon), Public Web (Global)
20. New Roles & Policies
Assumed IAM roles:
• Break-glass administrator: CloudTrail & security maintenance
• Security operators: read-only audit + read-only logs to all accounts
• Developers/Operators: every day reduced scope + EC2 Systems Manager
• Playpen: unrestricted, no access to development or production
Guardrails
21. IAM: Force Tags & Restrict
How to lock down to region & tag. Example tags:
"Classification": "Top Secret"
"Team": "Team A"
"Application": "Public Web"
"Owner": "Marketing"
The statement below (the slide's fragment, completed into valid policy JSON) only allows RunInstances on instance and volume ARNs in ap-southeast-2 of account 123456789012, and only when the request carries exactly the Classification and Application tag keys with the stated values: StringEquals on aws:RequestTag requires each tag to be present with that value, and ForAllValues:StringEquals on aws:TagKeys rejects any additional tag key.
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["ec2:RunInstances"],
    "Resource": [
      "arn:aws:ec2:ap-southeast-2:123456789012:instance/*",
      "arn:aws:ec2:ap-southeast-2:123456789012:volume/*"
    ],
    "Condition": {
      "StringEquals": {
        "aws:RequestTag/Classification": "Public",
        "aws:RequestTag/Application": "Public Web"
      },
      "ForAllValues:StringEquals": {
        "aws:TagKeys": ["Classification", "Application"]
      }
    }
  }]
}
.....
The elided statements must also allow RunInstances on the other resources a launch touches (image, subnet, security group, key pair, network interface) and ec2:CreateTags on the instance and volume ARNs, otherwise tagging at launch is refused.
22. IAM: Tag Restrictions
How to lock down to region & tag for RDS. The two statements restrict cluster and instance creation to ap-southeast-2 in account 123456789012 and to names starting with myprefix- (slide fragments completed into valid policy JSON):
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["rds:CreateDBCluster"],
      "Resource": ["arn:aws:rds:ap-southeast-2:123456789012:cluster:myprefix-*"]
    },
    {
      "Effect": "Allow",
      "Action": ["rds:CreateDBInstance"],
      "Resource": ["arn:aws:rds:ap-southeast-2:123456789012:db:myprefix-*"]
    }
  ]
}
23. IAM: Lambda Restrictions
Naming Lambdas with a prefix prevents security automations from being tampered with (the explicit Deny wins over any Allow the role otherwise has):
{
  "Effect": "Deny",
  "Action": [
    "lambda:CreateFunction",
    "lambda:UpdateFunctionCode",
    "lambda:DeleteFunction"
  ],
  "Resource": [
    "arn:aws:lambda:ap-southeast-2:123456789012:function:security*"
  ]
}
24. S3 Bucket Policy: Explicit Deny
Ensures no IAM user or role can modify the bucket; revoking it requires root login. The Resource element uses the BucketName placeholder from the next slide, with both the bucket ARN (for the bucket-level actions) and the object ARN (for the object-level actions):
{
  "Effect": "Deny",
  "Principal": "*",
  "Action": [
    "s3:DeleteBucket",
    "s3:DeleteBucketPolicy",
    "s3:DeleteObject",
    "s3:DeleteObjectVersion",
    "s3:PutBucketAcl",
    "s3:PutBucketPolicy",
    "s3:PutBucketVersioning",
    "s3:PutLifecycleConfiguration"
  ],
  "Resource": [
    "arn:aws:s3:::BucketName",
    "arn:aws:s3:::BucketName/*"
  ]
}
25. S3 Bucket Policy: Force KMS Key
Forces use of a KMS encrypted object with a specific key. Because StringNotEquals also matches when the condition key is absent, a PutObject with no encryption header or with SSE-S3 (AES256) is denied as well as one naming a different KMS key:
{
  "Effect": "Deny",
  "Principal": "*",
  "Action": "s3:PutObject",
  "Resource": "arn:aws:s3:::BucketName/*",
  "Condition": {
    "StringNotEquals": {
      "s3:x-amz-server-side-encryption-aws-kms-key-id":
        "arn:aws:kms:ap-southeast-2:123456789012:key/key-id"
    }
  }
}
Note: all GET and PUT requests for an object protected by AWS KMS will fail if they are not made via SSL/TLS or by using SigV4.
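Both the RunInstances tag policy on slide 21 and the PutObject deny above turn on how IAM condition operators treat a missing key. The following is an added example, not code from the talk: a small Python evaluator for StringEquals, StringNotEquals and ForAllValues:StringEquals, applied to those two conditions. The request contexts it builds (a tag specification, the PutObject encryption headers) are constructed; the tag names, values and KMS key ARN are the ones on the slides.

```python
from typing import Dict, List, Union

Value = Union[str, List[str]]


def _as_list(v: Value) -> List[str]:
    return list(v) if isinstance(v, list) else [v]


def condition_matches(condition: Dict[str, Dict[str, Value]],
                      request: Dict[str, Value]) -> bool:
    """True when every operator block in `condition` holds for `request`.

    IAM semantics reproduced here:
    - StringEquals: the key must be present and equal a listed value;
      a missing key fails the match.
    - StringNotEquals: holds when the key is absent OR differs from every
      listed value, so a Deny using it also hits requests that omit the key.
    - ForAllValues:StringEquals: every value of the multi-valued request key
      must be in the policy list; an absent or empty key holds.
    """
    for operator, pairs in condition.items():
        for key, policy_values in pairs.items():
            allowed = _as_list(policy_values)
            present = key in request
            req_values = _as_list(request[key]) if present else []
            if operator == "StringEquals":
                if not present or not all(v in allowed for v in req_values):
                    return False
            elif operator == "StringNotEquals":
                if present and any(v in allowed for v in req_values):
                    return False
            elif operator == "ForAllValues:StringEquals":
                if not all(v in allowed for v in req_values):
                    return False
            else:
                raise ValueError(f"unsupported operator: {operator}")
    return True


# Condition blocks copied from the slide 21 Allow and the slide 25 Deny.
RUN_INSTANCES_ALLOW = {
    "StringEquals": {
        "aws:RequestTag/Classification": "Public",
        "aws:RequestTag/Application": "Public Web",
    },
    "ForAllValues:StringEquals": {
        "aws:TagKeys": ["Classification", "Application"],
    },
}
KMS_KEY_ARN = "arn:aws:kms:ap-southeast-2:123456789012:key/key-id"
PUT_OBJECT_DENY = {
    "StringNotEquals": {
        "s3:x-amz-server-side-encryption-aws-kms-key-id": KMS_KEY_ARN,
    },
}


def run_instances_allowed(tags: Dict[str, str]) -> bool:
    """Build the request context a RunInstances TagSpecification produces
    (aws:TagKeys plus one aws:RequestTag/<key> per tag) and evaluate it."""
    request: Dict[str, Value] = {"aws:TagKeys": list(tags)}
    for key, value in tags.items():
        request[f"aws:RequestTag/{key}"] = value
    return condition_matches(RUN_INSTANCES_ALLOW, request)


def put_object_denied(headers: Dict[str, str]) -> bool:
    """True when the Deny fires for a PutObject carrying these
    x-amz-server-side-encryption* headers (constructed request)."""
    kms_header = "x-amz-server-side-encryption-aws-kms-key-id"
    request: Dict[str, Value] = {}
    if kms_header in headers:
        request["s3:" + kms_header] = headers[kms_header]
    return condition_matches(PUT_OBJECT_DENY, request)


if __name__ == "__main__":
    print(run_instances_allowed({"Classification": "Public", "Application": "Public Web"}))  # True
    print(run_instances_allowed({"Classification": "Public", "Application": "Public Web",
                                 "Owner": "Marketing"}))                                     # False: extra key
    print(put_object_denied({"x-amz-server-side-encryption": "AES256"}))                     # True: wrong SSE
```

The evaluator is deliberately limited to the three operators the slides use; it is a way to reason about a condition block before deploying it, not a replacement for the IAM policy simulator.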
30. Example Corp: First Incident
Monitoring tools alerted to a web instance network anomaly in VPC Flow Logs:
630247214269 eni-0123456a 10.0.1.221 10.76.2.101 27039 22 6 5 268 1466491141 1466491200 REJECT OK
[Diagram] Two web instances, each expected to carry only 443 inbound and 3128 (proxy) outbound. The rejected flow is a tcp/22 connection attempt from 10.0.1.221 to 10.76.2.101, a port neither instance should see.
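The alert above is the kind of thing a few lines of detection logic over flow log records can raise. The following is an added example, not code from the talk: a Python parser for default-format VPC Flow Log records that flags TCP flows on a web instance's ENI outside the expected 443-in / 3128-out profile, and reports whether the flow was accepted (security group too loose) or rejected (an attempt). The first sample line is the record from the slide, which has no version field; the rest are constructed. The mapping of eni-0123456a to 10.76.2.101 is an assumption.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Default flow log format, minus the leading version field (absent on the slide record).
FIELDS = ["account_id", "interface_id", "srcaddr", "dstaddr", "srcport",
          "dstport", "protocol", "packets", "bytes", "start", "end",
          "action", "log_status"]

# Assumptions: which private IP the web ENI owns, and the legitimate ports
# from the diagram (HTTPS in from the ELB, outbound only to the proxy).
WEB_ENIS: Dict[str, str] = {"eni-0123456a": "10.76.2.101"}
EXPECTED_INBOUND = {443}
EXPECTED_OUTBOUND = {3128}


@dataclass
class FlowRecord:
    interface_id: str
    srcaddr: str
    dstaddr: str
    srcport: int
    dstport: int
    protocol: int
    action: str


def parse_record(line: str) -> Optional[FlowRecord]:
    """Parse one record; returns None for NODATA/SKIPDATA windows, whose
    address and port fields are '-' placeholders."""
    parts = line.split()
    if len(parts) == len(FIELDS) + 1:      # normal record: leading version field
        parts = parts[1:]
    elif len(parts) != len(FIELDS):
        raise ValueError(f"unexpected field count {len(parts)}: {line!r}")
    rec = dict(zip(FIELDS, parts))
    if rec["log_status"] != "OK":
        return None
    return FlowRecord(rec["interface_id"], rec["srcaddr"], rec["dstaddr"],
                      int(rec["srcport"]), int(rec["dstport"]),
                      int(rec["protocol"]), rec["action"])


def find_anomalies(lines: List[str]) -> List[str]:
    """Direction is decided by whether the ENI's own address is src or dst;
    only TCP (protocol 6) is considered here."""
    findings = []
    for line in lines:
        rec = parse_record(line)
        if rec is None or rec.interface_id not in WEB_ENIS or rec.protocol != 6:
            continue
        own_ip = WEB_ENIS[rec.interface_id]
        if rec.dstaddr == own_ip and rec.dstport not in EXPECTED_INBOUND:
            direction, port, peer = "inbound", rec.dstport, rec.srcaddr
        elif rec.srcaddr == own_ip and rec.dstport not in EXPECTED_OUTBOUND:
            direction, port, peer = "outbound", rec.dstport, rec.dstaddr
        else:
            continue
        verdict = "allowed" if rec.action == "ACCEPT" else "rejected"
        findings.append(f"{rec.interface_id}: {verdict} {direction} tcp/{port} peer {peer}")
    return findings


SAMPLE_LOG = [
    # the record from the slide (no version field)
    "630247214269 eni-0123456a 10.0.1.221 10.76.2.101 27039 22 6 5 268 1466491141 1466491200 REJECT OK",
    # constructed: normal HTTPS from the ELB, normal egress to the proxy
    "2 630247214269 eni-0123456a 10.0.0.50 10.76.2.101 51000 443 6 20 4000 1466491141 1466491200 ACCEPT OK",
    "2 630247214269 eni-0123456a 10.76.2.101 10.0.3.10 49152 3128 6 10 1200 1466491141 1466491200 ACCEPT OK",
    # constructed: egress straight to the internet, bypassing the proxy
    "2 630247214269 eni-0123456a 10.76.2.101 198.51.100.7 50000 443 6 3 180 1466491141 1466491200 ACCEPT OK",
    # constructed: an empty aggregation window, and a flow on another ENI
    "2 630247214269 eni-0123456a - - - - - - - 1466491141 1466491200 - NODATA",
    "2 630247214269 eni-0999999z 10.0.1.221 10.0.1.5 40000 22 6 5 268 1466491141 1466491200 ACCEPT OK",
]

if __name__ == "__main__":
    for finding in find_anomalies(SAMPLE_LOG):
        print(finding)
```

Run over the sample it reports the slide's rejected tcp/22 attempt and the accepted direct-to-internet flow; the second finding is the more urgent one, since it means the security group outbound rules (slide 17) did not stop it.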
31. Incident Response
A well handled incident (NIST 800-61):
• Preparation
• Detection & Analysis
• Containment, Eradication and Recovery (Response)
• Post-Incident Activity
The function of each phase:
• Automation
• Plan and procedure
• Communications
32. Containment, Eradication and Forensics
[Diagram] An anomaly is detected on a web instance in the Application VPC (443 in, 3128 out). Its Amazon EBS volume is snapshotted and the snapshot is shared to the Cleanroom VPC, where a new volume is created from it; a memory dump of the instance is taken as well. The forensics instance in the Cleanroom VPC has no inbound or outbound network access (n/a IN, n/a OUT).
34. Automated Incident Response
Air gapped forensics lab:
• Tooling
• Snapshots & dumps
EC2 Systems Manager:
• Log & data collection
• Memory collection
Lambdas:
• IAM policy collection
• Snapshot creation
• Account snapshot transfer
• Security group changes
Log triggers:
• Privilege elevation
• Restricted action attempts
• Malware
• DLP violation
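The log triggers are only as good as the rule that decides an event matters. The following is an added example, not code from the talk: the decision logic for two of the trigger categories above, privilege elevation and restricted action attempts, written as pure Python over CloudTrail records so it can be unit tested before being wired into a Lambda. It goes slightly beyond the slide by also labelling a restricted action that succeeded, which is worth a louder alert than a denied attempt. The CloudTrail events are constructed; the security* prefix, account and region come from slide 23, and the list of policies that count as elevation is an assumption.

```python
import json
from typing import Dict, List, Optional

# Assumption: managed policies whose attachment counts as privilege elevation.
ADMIN_POLICY_ARNS = {
    "arn:aws:iam::aws:policy/AdministratorAccess",
    "arn:aws:iam::aws:policy/PowerUserAccess",
}
# Protected Lambda prefix from the slide 23 Deny statement.
PROTECTED_LAMBDA_PREFIX = "arn:aws:lambda:ap-southeast-2:123456789012:function:security"
ELEVATION_EVENTS = {"AttachUserPolicy", "AttachRolePolicy", "AttachGroupPolicy"}
# CloudTrail appends API version suffixes to Lambda event names, so match on prefix.
RESTRICTED_LAMBDA_PREFIXES = ("CreateFunction", "UpdateFunctionCode", "DeleteFunction")


def _function_arn(event: Dict) -> str:
    """Lambda events name the function either by full ARN or by bare name."""
    name = (event.get("requestParameters") or {}).get("functionName", "")
    if name.startswith("arn:"):
        return name
    return (f"arn:aws:lambda:{event.get('awsRegion')}:"
            f"{event.get('recipientAccountId')}:function:{name}")


def classify(event: Dict) -> Optional[str]:
    """Return the trigger a CloudTrail record should fire, or None."""
    source = event.get("eventSource")
    name = event.get("eventName", "")
    params = event.get("requestParameters") or {}
    if source == "iam.amazonaws.com" and name in ELEVATION_EVENTS:
        if params.get("policyArn") in ADMIN_POLICY_ARNS and "errorCode" not in event:
            return "Privilege Elevation"
    if source == "lambda.amazonaws.com" and name.startswith(RESTRICTED_LAMBDA_PREFIXES):
        if _function_arn(event).startswith(PROTECTED_LAMBDA_PREFIX):
            if event.get("errorCode") == "AccessDenied":
                return "Restricted Action Attempt"
            if "errorCode" not in event:
                return "Restricted Action Succeeded"   # the Deny did not apply: investigate
    return None


def triggers_for(log_body: str) -> List[Dict[str, str]]:
    """Run classify() over a CloudTrail log file body ({"Records": [...]})."""
    hits = []
    for rec in json.loads(log_body)["Records"]:
        trigger = classify(rec)
        if trigger:
            hits.append({"trigger": trigger, "eventName": rec["eventName"],
                         "principal": rec.get("userIdentity", {}).get("arn", "unknown")})
    return hits


# Constructed CloudTrail records: an admin policy attachment, a denied delete
# of a protected function, and an unremarkable delete of an application function.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventSource": "iam.amazonaws.com", "eventName": "AttachUserPolicy",
     "awsRegion": "us-east-1", "recipientAccountId": "123456789012",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"},
     "requestParameters": {"userName": "bob",
                           "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
    {"eventSource": "lambda.amazonaws.com", "eventName": "DeleteFunction20150331",
     "awsRegion": "ap-southeast-2", "recipientAccountId": "123456789012",
     "userIdentity": {"arn": "arn:aws:sts::123456789012:assumed-role/Developers/carol"},
     "requestParameters": {"functionName": "security-snapshot"},
     "errorCode": "AccessDenied", "errorMessage": "explicit deny"},
    {"eventSource": "lambda.amazonaws.com", "eventName": "DeleteFunction20150331",
     "awsRegion": "ap-southeast-2", "recipientAccountId": "123456789012",
     "userIdentity": {"arn": "arn:aws:sts::123456789012:assumed-role/Developers/carol"},
     "requestParameters": {"functionName": "app-thumbnailer"}},
]})

if __name__ == "__main__":
    for hit in triggers_for(SAMPLE_LOG):
        print(hit)
```

In a deployment this function sits inside a Lambda fed by CloudWatch Events or the CloudTrail S3 bucket, and the returned trigger name selects the response playbook (snapshot, isolate, notify) listed above.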
35. Forensics Clean Room
• Define the goals for the lab
• Define the boundary
• Automate as much as possible
• Remember any access to the lab is a risk
Tools:
Memory
- FTK Imager
- LiME
- Volatility
Network
- Wireshark
- Moloch
- p0f
- GRR
Commercial
- FireEye
- EnCase
- FTK
36. AWS IR: Open Source Tool
CLI for instance and access key based response:
$ aws_ir instance-compromise --instance-ip 192.0.2.15 --user ec2-user --ssh-key key.pem
Initial connection to AmazonWebServices made.
Beginning inventory of instances world wide. This might take a minute...
Security Group Created sg-abcd1234
Security Group Egress Access Revoked for sg-abcd1234
Shifted instance into isolate security group.
Took a snapshot of volume vol-abcd1234 to snapshot snap-abcd1234
Attempting run margarita shotgun for ec2-user on 192.0.2.15 with key.pem
dumping memory to s3://abc123
capture complete
Stopping instance: instance_id=i-abcd1234