The document provides an agenda for an AWS Security User Group meeting in Riyadh on May 1, 2019. The agenda includes discussions on cloud security, security terminology, cloud security threats, best practices for cloud security, AWS security services, identity and access management, and security of infrastructure. It also provides overviews and descriptions of AWS products and services related to security such as IAM, Inspector, Key Management Service, Macie, Organizations, Shield, Secrets Manager, SSO, WAF, and more.
4. Importance of Cloud Security
Trust = Visibility + Control
• Information is the most valuable asset for any organization
• Trust is the most important concern before adopting cloud
• Maintaining customer data security, privacy, and compliance with the related regulations
7. AWS Shared Responsibility Model
• AWS responsibility “Security of the Cloud”
– AWS is responsible for protecting the infrastructure that runs all of
the services offered in the AWS Cloud.
– This infrastructure is composed of the hardware, software,
networking, and facilities that run AWS Cloud services.
• Customer responsibility “Security in the Cloud”
– Customer responsibility will be determined by the AWS Cloud
services that a customer selects.
8. Cloud Services Model
[Diagram: three stacks, one each for IaaS, PaaS and SaaS, built from the same layers:]
Application
Database
Programming
Framework
OS
Compute system
Storage
Network
[Each layer is labelled as managed either by the cloud provider or by the consumer; the consumer-managed share shrinks from IaaS to PaaS to SaaS.]
10. Information security (InfoSec)
• Set of practices that protect information and
information systems from unauthorized access, use,
information disclosure, disruption, modification, or
destruction
• Goal of information Security is to provide:
– Confidentiality, Integrity and Availability
• Authentication, Authorization and Accounting (AAA)
• Security Mechanisms ensure right users have access
to right resources at the right time
• Auditing enables assessing effectiveness of the
security mechanisms
11. Information Assurance (IA)
• The process of getting the right information
to the right people at the right time
• Ensure the integrity, availability, authenticity,
non-repudiation and confidentiality of user
data
– Users operating on the cloud do so legitimately (using only allowed services)
– Accessing only the data for which they have rights
– Access only to the degree their policies and their roles permit
• IA Model
12. IA vs InfoSec
• Information Security: The protection of information and information systems from unauthorized access, use, disclosure, disruption,
modification, or destruction in order to provide confidentiality, integrity, and availability.
• Information Assurance: Measures that protect and defend information and information systems by ensuring their availability, integrity,
authentication, confidentiality, and non-repudiation. These measures include providing for restoration of information systems by incorporating
protection, detection, and reaction capabilities.
13. InfoSec Controls & Services
• Physical Security
– Asset tracking system
– Video surveillance system
– Access management system
• Network Security
– Unified Threat Management
– Next Generation Firewall
– Next Generation IPS
– Network Access Control
– Network Monitoring
• Application Security
– Load balancing and failover
– Web Application Firewall
– Application Policy Manager
• Communication Security
– User Authentication
– Cryptography
• Endpoint Management
– Endpoint Protection
– Endpoint encryption
• Security Services
– Risk Assessment
– Policy, Standards, Procedures, and Guidelines
– Security Awareness
– Vulnerability assessment
– Penetration testing
14. Common Security Frameworks
• An information security framework is a series of documented, agreed
and understood policies, procedures, and processes that define how
information is managed in a business, to lower risk and vulnerability,
and increase confidence in an ever-connected world.
– International Standards Organization (ISO) 27K ISMS
– US National Institute of Standards and Technology (NIST) FISA
– Control Objectives for Information and Related Technology (COBIT) GOV
– NZISM Protective Security Requirements (PSR) Framework
– Industry-Specific Standards: PCI DSS, HIPAA, others
15. Security Model (GRC)
• Assessing Risk
– Plan Risk Data Gathering
– Gather Risk Data
– Prioritize Risks
• Conducting Decision Support
– Define Functional Requirements
– Identify Control Solutions
– Review Solution Against Requirements
– Estimate Risk Reduction
– Estimate Solution Cost
– Select Risk Mitigation Strategy
• Implementing Controls
– Seek Holistic Approach
– Organize the Control Solutions
• Measuring Program Effectiveness
– Develop Security Risk Scorecard
– Measure Control Effectiveness
17. Cloud Security Threats
Data Breach
• A data breach is the most common fear related to cloud security
• A breach may occur due to a simple human error, targeted attack, application glitches, or poor security practices
• It may involve release of personal information of company clients, patient health information, financial information, trade secrets, personal identification information, etc.
Account Hacks
• Attackers use stolen login information to remotely access sensitive data present on the cloud
• They can not only access the sensitive information but also falsify or manipulate the data using the hijacked credentials
Hijacked Interfaces and APIs
• APIs allow customers to manage and interact with the cloud services
• Communication between applications turns into an exploitable security risk for businesses
18. Cloud Security Threats Cont.
System Bugs
• Exploitable bugs within the programs can be used by hackers to infiltrate a cloud to steal data, take control of the system, and cause disruption within the service operation
Insider Threats
• Employees with access to the cloud-based services can misuse their power and access customer accounts and financial information
Malware Codes
• Attackers can inject malicious code into cloud services such that it is viewed as part of the authentic code and runs within the cloud servers
19. Cloud Security Threats Cont.
Data Loss
• Data can be lost on the cloud due to various reasons
• This includes natural disasters such as earthquakes, floods, or fire
Detailed Cloud Provider Verification
• Many companies tend to rush into cloud services without taking any pains to verify the provider's claims
• This is a serious security risk, as you do not know whether the cloud service provider will match your security and privacy needs
Denial of Service
• Denial of Service (DoS) occurs when a targeted cloud service is forced to consume system resources such as memory, disk space, processor power, network bandwidth, etc.
• The attackers slow down the system to such an extent that all legitimate users are left without access to services
20. Security Best Practices on Cloud
Perform Due Diligence
• Planning
• Development and Deployment
• Operation
• Decommissioning
• Develop a multiple-CSP strategy
Managing Access (remember: principle of least privilege)
• Identify and Authenticate Users
• Assign User Access Rights
• Create and Enforce Resource Access Policies
Protect Data
• Protect Data from Unauthorized Access
• Ensure Availability of Critical Data
• Prevent Disclosure of Deleted Data
Monitor and Defend
• Monitor Cloud-Deployed Resources
• Analyze Both Cloud and On-Premises Monitoring
• Coordinate with the CSP
21. Key Security Mechanisms
Physical Security
Security of hypervisor
Identity and Access Management
Role-based Access Control
Network monitoring and Analysis
Firewall , IPS and Adaptive security
22. Key Security Mechanisms Cont.
Virtual private network
Virtual machine hardening
Securing operating system and application
Data encryption
Data shredding
23. Tips
Defense-in-depth (Layered Approach)
• Strategy in which multiple layers of defense are deployed throughout the infrastructure to help mitigate the risk of security threats in case one layer of the defense is compromised
• Provides additional time to detect and respond to an attack
• Reduces the scope of a security breach
• Reduces the velocity of the attack
30. Security, Identity & Compliance Products
Service | Product Type | Description
AWS Identity and Access Management (IAM) | Access Control | Use AWS Identity and Access Management (IAM) to control users' access to AWS services. Create and manage users and groups, and grant or deny access.
Amazon Inspector | Security Assessment | Amazon Inspector is an automated security assessment service that helps improve the security and compliance of applications deployed on AWS.
AWS Key Management Service | Key Storage & Management | AWS Key Management Service (KMS) is a managed service that makes it easy for you to create and control the encryption keys used to encrypt your data.
Amazon Macie | Sensitive Data Classification | Amazon Macie is a machine learning-powered security service to discover, classify, and protect sensitive data.
AWS Organizations | Multiple Account Management | AWS Organizations offers policy-based management for multiple AWS accounts. With Organizations, you can create groups of accounts and then apply policies to those groups.
AWS Shield | DDoS Protection | AWS Shield is a managed Distributed Denial of Service (DDoS) protection service that safeguards web applications running on AWS.
AWS Secrets Manager | Secrets Management | AWS Secrets Manager enables you to easily rotate, manage, and retrieve database credentials, API keys, and other secrets throughout their lifecycle.
AWS Single Sign-On | Single Sign-On (SSO) | AWS Single Sign-On (SSO) is a cloud SSO service that makes it easy to centrally manage SSO access to multiple AWS accounts and business applications.
AWS WAF | Web Application Firewall | AWS WAF is a web application firewall that helps protect your web applications from common web exploits that could affect application availability, compromise security, or consume excessive resources.
https://aws.amazon.com/products/security/
31. Security, Identity & Compliance Products Cont.
https://aws.amazon.com/products/security/
Service | Product Type | Description
AWS Artifact | Compliance Reports | The AWS Artifact portal provides on-demand access to AWS' security and compliance documents, also known as audit artifacts.
AWS Certificate Manager | SSL/TLS Certificates | AWS Certificate Manager is a service that lets you easily provision, manage, and deploy Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificates.
Amazon Cloud Directory | Directory | Amazon Cloud Directory enables you to build flexible cloud-native directories for organizing hierarchies of data along multiple dimensions.
AWS CloudHSM | Key Storage & Management | The AWS CloudHSM service helps you meet corporate, contractual and regulatory compliance requirements for data security by using dedicated Hardware Security Module (HSM) appliances within the AWS cloud.
Amazon Cognito | User Sign Up & Sign In | Amazon Cognito lets you add user sign-up/sign-in and access control to your web and mobile apps quickly and easily.
AWS Directory Service | Directory | AWS Directory Service for Microsoft Active Directory (Enterprise Edition), also known as AWS Microsoft AD, enables your directory-aware workloads and AWS resources to use managed Active Directory in the AWS Cloud.
AWS Firewall Manager | WAF Management | AWS Firewall Manager is a security management service that makes it easier to centrally configure and manage AWS WAF rules across your accounts and applications.
Amazon GuardDuty | Threat Detection | Amazon GuardDuty is a managed threat detection service that provides you with a more accurate and easy way to continuously monitor and protect your AWS accounts and workloads.
34. AWS Identity and Access Management
• All AWS accounts have root user credentials (that is, the
credentials of the account owner).
• These credentials allow full access to all resources in the
account.
• You may need AWS account root user access for specific tasks,
such as changing an AWS support plan or closing your account
• AWS recommends that you delete your root user access keys and then
create AWS Identity and Access Management (IAM) user credentials
for everyday interaction with AWS
35. AWS Identity and Access Management
[Diagram: the AWS Root Account (protected with MFA) delegates to the groups Administrators, Developers, HR Department and Finance Department (Delegation).]
36. AWS Identity and Access Management
• AWS Identity and Access Management (IAM) enables you to
manage access to AWS services and resources securely.
– Using IAM, you can create and manage AWS users and
groups, and use permissions to allow and deny their
access to AWS resources.
• IAM is a feature of your AWS account offered at no
additional charge.
• You will be charged only for use of other AWS services by
your users
38. Use Cases
• Fine-grained access control to AWS resources
• Multi-factor authentication for highly privileged users
• Manage access control for mobile applications with Web Identity Providers
• Integrate with your corporate directory
39. How does it work?
• IAM assists in creating roles and permissions
Manage IAM users and their access
• You can create users in IAM, assign them individual security credentials (in other words, access keys, passwords, and multi-factor authentication devices), or request temporary security credentials to provide users access to AWS services and resources. You can manage permissions in order to control which operations a user can perform.
Manage IAM roles and their permissions
• You can create roles in IAM and manage permissions to control which operations can be performed by the entity, or AWS service, that assumes the role. You can also define which entity is allowed to assume the role. In addition, you can use service-linked roles to delegate permissions to AWS services that create and manage AWS resources on your behalf.
Manage federated users and their permissions
• You can enable identity federation to allow existing identities (users, groups, and roles) in your enterprise to access the AWS Management Console, call AWS APIs, and access resources, without the need to create an IAM user for each identity. Use any identity management solution that supports SAML 2.0, or use one of our federation samples (AWS Console SSO or API federation).
40. Best Practices
• Users: Create individual users
• Groups: Manage permissions with groups
• Permissions: Grant least privilege
• Auditing: Turn on AWS CloudTrail
• Password: Configure a strong password policy
• MFA: Enable MFA for privileged users
• Roles: Use IAM roles for Amazon EC2 instances
• Sharing: Use IAM roles to share access
• Rotate: Rotate security credentials regularly
• Conditions: Restrict privileged access further with conditions
• Root: Reduce or remove use of root
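The check a practitioner would run against the Root, MFA and Rotate items above, as an added example that is not code from the deck or from AWS: it parses a constructed sample laid out like the IAM credential report (a subset of its columns; the account id 111122223333 and the user names are placeholders) and flags active root access keys, access keys older than an assumed 90-day rotation period, and root or console users without MFA. The audit date is fixed to the meeting date so the output is reproducible.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample in the layout of the IAM credential report (subset of its columns;
# account id and user names are placeholders, not real data).
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_2_active,access_key_2_last_rotated
<root_account>,arn:aws:iam::111122223333:root,2018-01-10T08:00:00+00:00,not_supported,2019-04-20T09:12:00+00:00,not_supported,false,true,2018-01-10T08:05:00+00:00,false,N/A
webadmin,arn:aws:iam::111122223333:user/webadmin,2019-01-15T10:00:00+00:00,true,2019-04-28T11:00:00+00:00,2019-01-15T10:00:00+00:00,true,false,N/A,false,N/A
cliadmin,arn:aws:iam::111122223333:user/cliadmin,2018-11-01T00:00:00+00:00,false,no_information,N/A,false,true,2018-11-01T00:00:00+00:00,false,N/A
s3webadmin,arn:aws:iam::111122223333:user/s3webadmin,2019-03-01T10:00:00+00:00,true,2019-04-29T08:00:00+00:00,2019-03-01T10:00:00+00:00,true,true,2019-03-01T10:00:00+00:00,false,N/A
"""

# Audit date fixed to the meeting date so the example is reproducible.
AS_OF = datetime(2019, 5, 1, 12, 0, tzinfo=timezone.utc)
MAX_KEY_AGE = timedelta(days=90)   # assumed rotation period; adjust to your policy


def parse_ts(value):
    """Report timestamps are ISO 8601; N/A, not_supported and no_information become None."""
    try:
        return datetime.fromisoformat(value)
    except ValueError:
        return None


def audit_credential_report(report_csv, now):
    """Return (user, finding) pairs for root access keys, stale keys and missing MFA."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        is_root = user == "<root_account>"
        for slot in ("1", "2"):
            if row[f"access_key_{slot}_active"] != "true":
                continue
            if is_root:
                # "Reduce or remove use of root": the root user should hold no access keys.
                findings.append((user, f"root access key {slot} is active; delete it"))
                continue
            rotated = parse_ts(row[f"access_key_{slot}_last_rotated"])
            if rotated is not None and now - rotated > MAX_KEY_AGE:
                age = (now - rotated).days
                findings.append((user, f"access key {slot} is {age} days old; rotate it"))
        # "Enable MFA for privileged users": enforced here for root and every console user.
        if row["mfa_active"] != "true" and (is_root or row["password_enabled"] == "true"):
            findings.append((user, "MFA is not enabled"))
    return findings


def run_audit():
    """Run the audit over the constructed sample as of the fixed date."""
    return audit_credential_report(SAMPLE_REPORT, AS_OF)


if __name__ == "__main__":
    for user, finding in run_audit():
        print(f"{user}: {finding}")
```

Against the sample, the root user is flagged twice (an active access key and no MFA) and cliadmin once for a key not rotated in 181 days; cliadmin has no console password, so the MFA rule does not apply to that key-only user.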
41. Demo: Grant Access to AWS Resources for Users/Groups
Create group(s)
Create user(s)
Define required access: Web | CLI | API
Assign the users to the group
Optional: create your custom policies
Assign the required policy to the group or user
Result: users / group get access to AWS resources from Web | CLI | API
42. Demo: Grant Access to a Trusted Entity [Roles]
Choose the trusted entity:
– AWS services [EC2, Lambda and others]
– Another AWS account [belonging to you or a 3rd party]
– Web identity [Cognito or any OpenID provider]
– SAML 2.0 federation [your corporate directory]
Optional: create your custom access policies
Assign the required policy to the trusted entity
Result: the trusted entity gets access to AWS resources
44. AWS Infrastructure Overview
• VPC [Virtual Private Cloud ] lets you provision a logically isolated section of
the Amazon Web Services (AWS) Cloud where you can launch AWS resources
in a virtual network that you define. You have complete control over your
virtual networking environment, including selection of your own IP address
range, creation of subnets, and configuration of route tables and network
gateways
• EC2 [Elastic Compute Cloud] is a web service that provides resizable compute
capacity in the cloud. Amazon EC2 reduces the time required to obtain and
boot new server instances to minutes, allowing you to quickly scale capacity,
both up and down, as your computing requirements change
• S3 (Simple Storage Service) provides developers and IT teams with secure,
durable, highly-scalable object storage. Amazon S3 is easy to use, with a
simple web services interface to store and retrieve any amount of data from
anywhere on the web.
45. VPCs and Subnets
• A virtual private cloud (VPC) is a virtual network dedicated to your AWS account. It is
logically isolated from other virtual networks in the AWS Cloud. You can launch your
AWS resources, such as Amazon EC2 instances, into your VPC. You can specify an IP
address range for the VPC, add subnets, associate security groups, and configure
route tables.
• A subnet is a range of IP addresses in your VPC. You can launch AWS resources into a
specified subnet. Use a public subnet for resources that must be connected to the
internet, and a private subnet for resources that won't be connected to the internet.
For more information about public and private subnets, see VPC and Subnet Basics.
• To protect the AWS resources in each subnet, you can use multiple layers of security,
including security groups and network access control lists (ACL).
46. Security Group
• A security group acts as a virtual firewall that controls the traffic for
one or more instances.
• When you launch an instance, you can specify one or more security
groups; otherwise, we use the default security group.
• You can add rules to each security group that allow traffic to or from
its associated instances.
• You can modify the rules for a security group at any time; the new
rules are automatically applied to all instances that are associated
with the security group.
• When we decide whether to allow traffic to reach an instance, we
evaluate all the rules from all the security groups that are associated
with the instance.
47. Network Access List
• A network access control list (ACL) is an optional layer of security for your
VPC that acts as a firewall for controlling traffic in and out of one or more
subnets.
• You might set up network ACLs with rules similar to your security groups
in order to add an additional layer of security to your VPC.
• Your VPC automatically comes with a modifiable default network ACL.
• By default, it allows all inbound and outbound IPv4 traffic and, if
applicable, IPv6 traffic.
• You can create a custom network ACL and associate it with a subnet.
• By default, each custom network ACL denies all inbound and
outbound traffic until you add rules.
• Each subnet in your VPC must be associated with a network ACL. If you
don't explicitly associate a subnet with a network ACL, the subnet is
automatically associated with the default network ACL.
48. Network Access List Cont.
• You can associate a network ACL with multiple subnets; however, a subnet can be
associated with only one network ACL at a time. When you associate a network ACL
with a subnet, the previous association is removed.
• A network ACL contains a numbered list of rules that we evaluate in order, starting
with the lowest numbered rule, to determine whether traffic is allowed in or out of
any subnet associated with the network ACL. The highest number that you can use
for a rule is 32766. We recommend that you start by creating rules in increments (for
example, increments of 10 or 100) so that you can insert new rules where you need
to later on.
• A network ACL has separate inbound and outbound rules, and each rule can either
allow or deny traffic.
• Network ACLs are stateless; responses to allowed inbound traffic are subject to the
rules for outbound traffic (and vice versa).
49. Network Access List vs Security Group
Network Access List | Security Group
Network ACL is stateless: allowing inbound traffic says nothing about the matching outbound traffic; responses must be allowed by separate outbound rules. | Security group is stateful: responses to allowed inbound traffic are automatically allowed outbound, regardless of outbound rules (and vice versa).
Network ACLs are tied to the subnet. | Security groups are tied to an instance.
Network ACL is the second layer of defense. | Security group is the first layer of defense.
Network ACL rules are applied in order, with lower-numbered rules processed first. | Security group: all rules are evaluated.
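An added example, not from the slides, that models the two evaluation orders from slides 46 to 49 on constructed rule sets: a numbered, stateless network ACL for a public subnet (lowest number first, first match wins, implicit deny) next to a stateful security group (every rule considered, any match allows, responses implied). The CIDRs are documentation ranges (203.0.113.0/24 as an assumed admin network, 198.51.100.7 as an arbitrary internet client); the helper names are this example's own.

```python
from ipaddress import ip_address, ip_network

# Constructed rule sets for one public subnet (placeholders, not any real VPC).
# Network ACL rule: (rule number, effect, protocol, (port from, port to), peer CIDR).
# Evaluated lowest number first; the first match decides; the implicit '*' rule denies.
NACL_INBOUND = [
    (100, "allow", "tcp", (443, 443), "0.0.0.0/0"),       # HTTPS from anywhere
    (110, "allow", "tcp", (22, 22), "203.0.113.0/24"),    # SSH only from the assumed admin range
    (120, "allow", "tcp", (1024, 65535), "0.0.0.0/0"),    # return traffic for connections the instance opens
    (200, "deny", "tcp", (22, 22), "0.0.0.0/0"),          # SSH from anywhere else (110 already matched admins)
]
NACL_OUTBOUND = [
    (100, "allow", "tcp", (1024, 65535), "0.0.0.0/0"),    # responses to inbound HTTPS/SSH go to ephemeral ports
    (110, "allow", "tcp", (443, 443), "0.0.0.0/0"),       # outbound HTTPS from the instance
]

# Security group rule: (protocol, (port from, port to), CIDR). Only allow rules exist.
SG_INBOUND = [
    ("tcp", (443, 443), "0.0.0.0/0"),
    ("tcp", (22, 22), "203.0.113.0/24"),
]


def _rule_matches(proto, ports, cidr, pkt_proto, pkt_port, pkt_peer):
    lo, hi = ports
    return (proto in ("all", pkt_proto)
            and lo <= pkt_port <= hi
            and ip_address(pkt_peer) in ip_network(cidr))


def nacl_allows(rules, proto, port, peer):
    """Network ACL semantics: ascending rule number, first match wins, default deny."""
    for _number, effect, rproto, ports, cidr in sorted(rules, key=lambda r: r[0]):
        if _rule_matches(rproto, ports, cidr, proto, port, peer):
            return effect == "allow"
    return False


def sg_allows(rules, proto, port, peer):
    """Security group semantics: every rule is considered; any matching rule permits."""
    return any(_rule_matches(rproto, ports, cidr, proto, port, peer)
               for rproto, ports, cidr in rules)


def connection_allowed(nacl_in, nacl_out, sg_in, peer, dst_port, client_port=50000):
    """Can a TCP client at peer:client_port complete a request/response with an instance port?

    Returns (network ACL verdict, security group verdict). The stateless ACL must allow both
    the inbound request and the outbound response, which is addressed to the client's
    ephemeral port; the stateful security group allows the response implicitly once the
    request is allowed.
    """
    nacl_ok = (nacl_allows(nacl_in, "tcp", dst_port, peer)
               and nacl_allows(nacl_out, "tcp", client_port, peer))
    sg_ok = sg_allows(sg_in, "tcp", dst_port, peer)
    return nacl_ok, sg_ok


if __name__ == "__main__":
    args = (NACL_INBOUND, NACL_OUTBOUND, SG_INBOUND)
    print("HTTPS from the internet:", connection_allowed(*args, "198.51.100.7", 443))
    print("SSH from the admin range:", connection_allowed(*args, "203.0.113.5", 22))
    print("SSH from elsewhere:", connection_allowed(*args, "198.51.100.7", 22))
    # Stateless pitfall: without the ephemeral-port outbound rule the ACL drops HTTPS responses,
    # while the security group still passes the same connection.
    print("HTTPS, no ephemeral outbound rule:",
          connection_allowed(NACL_INBOUND, NACL_OUTBOUND[1:], SG_INBOUND, "198.51.100.7", 443))
```

The last case is the one that bites in practice: the security group verdict stays True while the ACL verdict flips to False, which is exactly the "responses to allowed inbound traffic are subject to the rules for outbound traffic" point from slide 48. Inserting a lower-numbered deny (say rule 90 for port 443) also shadows the allow at 100, which is why the slide suggests numbering in increments of 10 or 100.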
Link :
https://aws.amazon.com/compliance/shared-responsibility-model/
More INFO :
https://www.sans.org/information-security/
https://krebsonsecurity.com/2015/04/whats-your-security-maturity-level/
https://simplicable.com/new/data-security-vs-information-security
http://www.cisoplatform.com/profiles/blogs/understanding-difference-between-cyber-security-information
https://pmworldlibrary.net/wp-content/uploads/2017/05/171126-Nweke-Using-CIA-and-AAA-Models-to-explain-Cybersecurity.pdf
More INFO :
https://sites.google.com/site/syeditec5321/reading-assignment/model-for-information-assurance-an-integrated-approach
More INFO :
https://www.novainfosec.com/2011/08/30/information-assurance-versus-information-security/
More INFO :
https://www.lahmeyer.de/en/energy/cyber-security-services/
More Details :
https://originit.co.nz/the-strongroom/five-most-common-security-frameworks-explained/
https://slideplayer.com/slide/1515009/
Information …. Explain these types
http://www.thecloudnetworking.com/top-cloud-security-threats/
http://www.thecloudnetworking.com/what-is-cloud-computing-security/
The following scenarios illustrate how users/groups get access to AWS resources:
Scenario 1:
Explore the IAM dashboard and the super admin
Create group "superadmins" and users "webadmin" and "cliadmin"
Log in from the web console and the CLI
Compare permissions with super users
Scenario 2:
Create the s3admin group and the s3webadmin user
Assign privileges and show access to S3 only
Scenario 3:
Create a custom policy for reading one bucket only
https://aws.amazon.com/iam/
Scenario 1:
Create a VPC and 2 subnets
Create a virtual machine and try to access S3
Create a role for the EC2 instance, assign it, and try to access S3 again
https://aws.amazon.com/iam/
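To make the demo slides 41 and 42 and the scenarios above concrete, an added example that is not the deck's or AWS's own code: constructed policies for an S3-only group (Scenario 2), a custom policy that reads one bucket only (Scenario 3, with the placeholder bucket example-reports-bucket), an MFA-conditioned delete (the "Conditions" best practice) and an explicit deny, run through a deliberately simplified model of identity-based policy evaluation. The model keeps the rules a practitioner relies on (default deny, explicit deny beats every allow, wildcard actions and ARNs) and leaves out, by assumption, resource policies, permission boundaries and every condition operator other than StringEquals and Bool.

```python
from fnmatch import fnmatchcase

# Constructed policies for the demo scenarios (bucket name is a placeholder).
# Scenario 2: a group that may use S3 and nothing else.
S3_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}],
}

# Scenario 3: read one bucket only. ListBucket applies to the bucket ARN, GetObject to the
# objects inside it, so the two actions need separate Resource entries.
READ_ONE_BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:ListBucket",
         "Resource": "arn:aws:s3:::example-reports-bucket"},
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:GetObjectVersion"],
         "Resource": "arn:aws:s3:::example-reports-bucket/*"},
    ],
}

# "Restrict privileged access further with conditions": deletes need an MFA-authenticated session.
MFA_GATED_DELETE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow", "Action": "s3:DeleteObject",
        "Resource": "arn:aws:s3:::example-reports-bucket/*",
        "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}},
    }],
}

# An explicit deny attached next to S3_ONLY_POLICY: a deny wins over any allow.
DENY_BUCKET_DELETE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"}],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _action_matches(patterns, action):
    # Action names are case-insensitive; '*' and '?' wildcards apply.
    return any(fnmatchcase(action.lower(), p.lower()) for p in _as_list(patterns))


def _resource_matches(patterns, resource):
    # ARNs are case-sensitive; '*' matches any span of characters, including '/'.
    return any(fnmatchcase(resource, p) for p in _as_list(patterns))


def _condition_met(condition, context):
    """Subset of condition operators (StringEquals, Bool); every clause must hold.
    A key missing from the request context makes the clause false (assumption: no IfExists)."""
    for operator, clauses in condition.items():
        if operator not in ("StringEquals", "Bool"):
            raise ValueError(f"unsupported condition operator: {operator}")
        for key, expected in clauses.items():
            actual = context.get(key)
            if actual is None:
                return False
            if operator == "StringEquals" and str(actual) != str(expected):
                return False
            if operator == "Bool" and str(actual).lower() != str(expected).lower():
                return False
    return True


def is_allowed(policies, action, resource, context=None):
    """Simplified identity-based evaluation: default deny, any matching Allow grants,
    any matching Deny overrides every Allow (resource policies and permission
    boundaries are out of scope, by assumption)."""
    context = context or {}
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if not _action_matches(stmt["Action"], action):
                continue
            if not _resource_matches(stmt["Resource"], resource):
                continue
            if not _condition_met(stmt.get("Condition", {}), context):
                continue
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


if __name__ == "__main__":
    obj = "arn:aws:s3:::example-reports-bucket/2019/q1.csv"
    print("read own bucket:", is_allowed([READ_ONE_BUCKET_POLICY], "s3:GetObject", obj))
    print("read other bucket:", is_allowed([READ_ONE_BUCKET_POLICY], "s3:GetObject",
                                           "arn:aws:s3:::other-bucket/2019/q1.csv"))
    print("s3admin on EC2:", is_allowed([S3_ONLY_POLICY], "ec2:DescribeInstances", "*"))
    print("delete with MFA:", is_allowed([MFA_GATED_DELETE_POLICY], "s3:DeleteObject", obj,
                                         {"aws:MultiFactorAuthPresent": "true"}))
```

Two details worth noting when you write the Scenario 3 policy for real: the bucket and the object ARNs are different resources, so a policy that lists only arn:aws:s3:::bucket/* grants GetObject but not ListBucket, and a condition whose key is absent from the request (no MFA in the session) evaluates to false, so the gated delete is refused rather than silently allowed.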
Link :
https://docs.aws.amazon.com/vpc/latest/userguide/what-is-amazon-vpc.html