AWS Technical Day Riyadh Nov 2019 - The art of mastering data protection on aws
- 1. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
The Art of Mastering Data
Protection on AWS
Ahmed Gouda
Solutions Architect, AWS
gouda@amazon.com
/ahmedgouda
@AskGouda
- 2.
Agenda
Amazon Simple Storage Service (Amazon S3) access control mechanisms
Amazon S3 Block Public Access
How Amazon S3 authorizes a request
Amazon S3 encryption
Monitoring security in Amazon S3
- 3.
Data Protection on AWS
Identity & Access Management and Encryption
- 4.
Defense in depth
(Diagram: Users reach Documents in an S3 bucket through layered controls: the IAM policy on the role, the VPCe policy on the S3 VPC endpoint, the bucket policy on the S3 bucket, and the KMS key policy on the KMS key)
- 5.
How can I help ensure the files in my Amazon S3
bucket are secure?
• Least privilege - Security best practice
• Start with a minimum set of permissions
• Grant additional permissions as necessary
• Defining the right set of permissions requires some research
• What actions does a particular service support?
• What is required for the specific task?
• What permissions are required in order to perform those actions?
- 6.
Amazon S3 access control mechanisms
• AWS Identity and Access Management (IAM) policies
• Amazon S3 bucket policy
• Amazon S3 access control lists (ACLs)
• Amazon S3 VPCE policy
• Pre-Signed URLs
- 7.
Let's start with IAM
1. Principal (requests arrive through the AWS Management Console or the API / CLI)
- 8.
User policy vs. resource policies
IAM user policy
• "What can this user do in AWS?"
• You prefer to keep access control policies in the IAM environment
• Controls all AWS services
Amazon S3 bucket policy
• "Who can access this S3 resource?"
• You prefer to keep access control policies in the S3 environment
• Grant cross-account access to your S3 bucket without using IAM roles
- 9.
IAM user policy
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Allow-write-and-read",
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:GetObject"
      ],
      "Resource": "arn:aws:s3:::mybucket/*"
    }
  ]
}
User policy allows this particular user to PUT and GET objects in mybucket.
Amazon S3 bucket policy
{
  "Version": "2012-10-17",
  "Id": "123",
  "Statement": [
    {
      "Sid": "AllowingReadPermission",
      "Effect": "Allow",
      "Principal": {"AWS": "1111111111"},
      "Action": ["s3:GetObject"],
      "Resource": ["arn:aws:s3:::mybucket/*"],
      "Condition": {"StringEquals": {"s3:ExistingObjectTag/Project": "X"}}
    }
  ]
}
Bucket policy allows principals from AWS account 1111111111 to read objects from mybucket, but the condition limits it to objects that carry a specific tag value.
- 10.
Amazon S3 Access Control Lists (ACLs)
• ACLs only grant access (cannot explicitly deny)
• Written in XML format
• Has predefined groups like "All Users" and "Any Authenticated User"
• Tip: Use caution when using these groups
• Finite set of permissions compared to policies
• For example, READ, WRITE, READ_ACP, WRITE_ACP, FULL_CONTROL
• Prefer bucket policies over bucket ACLs
- 11.
Amazon S3 Virtual Private Cloud Endpoint (VPCE)
Prior to Amazon S3 VPCE
• Public IP on Amazon Elastic Compute Cloud (Amazon EC2) instances and Internet Gateway
• Private IP on Amazon EC2 instances and NAT
Using Amazon S3 VPCE
• Access S3 using the S3 private endpoint without using NAT instances or gateways
• Restrict access to the S3 bucket from outside of the VPC
(Diagram: Amazon EC2 instances reaching Amazon S3 over the Internet via an Internet gateway or NAT gateway, versus directly through the VPC endpoint)
- 12.
Example: Restricting access to a specific bucket
{
  "Version": "2012-10-17",
  "Id": "Policy1415115909152",
  "Statement": [
    {
      "Sid": "Access-to-specific-bucket-only",
      "Principal": {"AWS": "1111111111"},
      "Action": ["s3:GetObject", "s3:PutObject"],
      "Effect": "Allow",
      "Resource": ["arn:aws:s3:::my_secure_bucket",
                   "arn:aws:s3:::my_secure_bucket/*"]
    }
  ]
}
- 13.
Example: Restricting access to principals in your organization
{
  "Version": "2012-10-17",
  "Statement": {
    "Sid": "Principals-only-from-my-Org",
    "Effect": "Allow",
    "Principal": "*",
    "Action": "s3:PutObject",
    "Resource": ["arn:aws:s3:::my_secure_bucket", "arn:aws:s3:::my_secure_bucket/*"],
    "Condition": {"StringEquals": {"aws:PrincipalOrgID": ["o-xxxxxxxxxxx"]}}
  }
}
- 14.
Example: Restricting access to a specific endpoint
{
  "Version": "2012-10-17",
  "Id": "Policy1415115909152",
  "Statement": [
    {
      "Sid": "Access-to-specific-VPCE-only",
      "Principal": "*",
      "Action": "s3:*",
      "Effect": "Deny",
      "Resource": ["arn:aws:s3:::my_secure_bucket", "arn:aws:s3:::my_secure_bucket/*"],
      "Condition": {
        "StringNotEquals": {
          "aws:sourceVpce": "vpce-1a2b3c4d"
        }
      }
    }
  ]
}
- 15.
Pre-signed URLs
• Uses the permissions of the IAM user/role who creates the URL
• To generate a URL, provide your security credentials, a bucket name, an object key, the HTTP method (GET or PUT) and an expiration date and time
• Only valid until the expiration time
• Caution: anyone with the URL can perform those actions
(Diagram: an EC2 instance in Availability Zone #1 generates the URL; the requester presents it to S3 to Get/Put the object)
- 16.
- 17.
What is public access?
• Any anonymous or overly permissive access is considered public access
• Access control lists (ACLs) with grantees such as
• All Users – Anyone on the Internet
• Any authenticated user – Anyone with an AWS account
• Public bucket policy with overly permissive access, for example
• { "Principal": "*", "Resource": "*", "Action": "s3:PutObject", "Effect": "Allow" }
• { "Principal": "*", "Resource": "*", "Action": "s3:putobject", "Effect": "Allow", "Condition": { "StringLike": { "aws:sourcevpc": "vpc-*" } } }
• Any explicit cross-account access IS NOT considered public access
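The two statements above are the kind of thing a bucket-policy review should catch. As an added example (not from the deck or from AWS), this Python applies a simplified version of the rule: an Allow to an anonymous principal is public unless a condition pins it to a concrete value of a narrowing key, so a wildcard such as "vpc-*" does not help. The policy is constructed from the slide's statements plus a deny-unless-VPCE statement and an org-restricted grant; bucket, VPCE and org identifiers are placeholders, and the key list is illustrative rather than AWS's full definition.

```python
# Constructed bucket policy: the two statements shown on this slide, plus an
# org-restricted grant and a deny-unless-VPCE statement. IDs are placeholders.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicPut", "Principal": "*", "Resource": "*",
         "Action": "s3:PutObject", "Effect": "Allow"},
        {"Sid": "WildcardVpc", "Principal": "*", "Resource": "*",
         "Action": "s3:putobject", "Effect": "Allow",
         "Condition": {"StringLike": {"aws:sourcevpc": "vpc-*"}}},
        {"Sid": "OrgOnly", "Principal": "*", "Action": "s3:PutObject",
         "Resource": "arn:aws:s3:::my_secure_bucket/*", "Effect": "Allow",
         "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-xxxxxxxxxxx"}}},
        {"Sid": "DenyOutsideVpce", "Principal": "*", "Action": "s3:*",
         "Resource": "arn:aws:s3:::my_secure_bucket/*", "Effect": "Deny",
         "Condition": {"StringNotEquals": {"aws:sourceVpce": "vpce-1a2b3c4d"}}},
    ],
}

# Condition keys that pin a "Principal": "*" grant to specific callers when the
# value is concrete. Illustrative subset, not AWS's exhaustive list.
NARROWING_KEYS = {"aws:sourcevpc", "aws:sourcevpce", "aws:sourceip",
                  "aws:principalorgid", "aws:principalarn", "aws:userid"}
NARROWING_OPS = {"StringEquals", "StringLike", "ArnEquals", "ArnLike", "IpAddress"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _is_anonymous(principal):
    """True for "*" or {"AWS": "*"}: anyone on the Internet."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))


def _is_concrete(value):
    # "vpc-*" or 0.0.0.0/0 matches every caller and therefore narrows nothing.
    v = str(value)
    return "*" not in v and "?" not in v and not v.endswith("/0")


def _condition_narrows(condition):
    for operator, pairs in condition.items():
        if operator not in NARROWING_OPS:
            continue  # negated operators (StringNotEquals, ...) do not restrict callers
        for key, values in pairs.items():
            if key.lower() in NARROWING_KEYS and all(_is_concrete(v) for v in _as_list(values)):
                return True
    return False


def public_statements(policy):
    """Sids of Allow statements that any anonymous caller can satisfy."""
    return [stmt.get("Sid", "<no Sid>") for stmt in _as_list(policy["Statement"])
            if stmt.get("Effect") == "Allow"
            and _is_anonymous(stmt.get("Principal"))
            and not _condition_narrows(stmt.get("Condition", {}))]
```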
- 18.
Amazon S3 Block Public Access
Available through the API, SDK, CLI and Console
- 19.
Amazon S3 Block Public Access settings
1. Block new public ACLs and uploading public objects
2. Remove public access granted through public ACLs
3. Block new public bucket policies
4. Block public and cross-account access to buckets that have public policies
- 20.
Amazon S3 Block Public Access APIs
• PUT PublicAccessBlock
• GET PublicAccessBlock
• DELETE PublicAccessBlock
• GET BucketPolicyStatus
• Returns whether the bucket policy is public or not
- 21.
- 22.
How does Amazon S3 authorize a request?
• User check: check whether the parent account granted permission
• Bucket check: check whether the bucket owner granted permission
• Object check: look for an explicit "allow"
• Policy enforcement: an explicit deny in any policy overrides any allows
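As an added illustration of these rules (not code from the deck or from AWS), the Python below evaluates requests against a bucket policy modelled on the slide 13 and 14 examples: every decision starts at Deny, an Allow needs its conditions on aws:PrincipalOrgID or aws:sourceVpce to hold, and an explicit Deny overrides any Allow. Bucket, org and VPCE identifiers are placeholders; principal matching is skipped because both statements use "*".

```python
import fnmatch

# Constructed policy modelled on the deck's slide 13 and 14 examples; the
# bucket name, org ID and VPC endpoint ID are placeholders.
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Principals-only-from-my-Org", "Effect": "Allow", "Principal": "*",
         "Action": "s3:PutObject",
         "Resource": ["arn:aws:s3:::my_secure_bucket", "arn:aws:s3:::my_secure_bucket/*"],
         "Condition": {"StringEquals": {"aws:PrincipalOrgID": ["o-xxxxxxxxxxx"]}}},
        {"Sid": "Access-to-specific-VPCE-only", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*",
         "Resource": ["arn:aws:s3:::my_secure_bucket", "arn:aws:s3:::my_secure_bucket/*"],
         "Condition": {"StringNotEquals": {"aws:sourceVpce": "vpce-1a2b3c4d"}}},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_holds(condition, context):
    """Only the operators the deck uses. As in IAM, a context key that is
    absent makes StringEquals fail and StringNotEquals succeed."""
    for operator, pairs in condition.items():
        for key, wanted in pairs.items():
            actual = context.get(key)
            if operator == "StringEquals" and actual not in _as_list(wanted):
                return False
            if operator == "StringNotEquals" and actual in _as_list(wanted):
                return False
            if operator not in ("StringEquals", "StringNotEquals"):
                raise NotImplementedError(operator)
    return True


def evaluate(request, policies):
    """Default deny; an explicit Deny in any policy overrides every Allow."""
    allowed = False
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            # Action names are case-insensitive and may use wildcards; ARNs are case-sensitive.
            if not any(fnmatch.fnmatchcase(request["action"].lower(), a.lower())
                       for a in _as_list(stmt["Action"])):
                continue
            if not any(fnmatch.fnmatchcase(request["resource"], r) for r in _as_list(stmt["Resource"])):
                continue
            if not _condition_holds(stmt.get("Condition", {}), request["context"]):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"  # explicit deny wins regardless of any allow
            allowed = True
    return "Allow" if allowed else "Deny"


def decide(action, org_id=None, vpce=None):
    """Evaluate one request on a sample object; None means the context key is absent."""
    context = {k: v for k, v in (("aws:PrincipalOrgID", org_id), ("aws:sourceVpce", vpce)) if v}
    request = {"action": action, "resource": "arn:aws:s3:::my_secure_bucket/report.csv", "context": context}
    return evaluate(request, [BUCKET_POLICY])
```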
- 23.
Ex1: Bucket operation requested by bucket owner
Requester: AWS account 1111-1111-1111 (PD has the root credentials of 1111-1111-1111)
Bucket owner: 1111-1111-1111
(Flow diagram: request made with root credentials? Yes / No; Bucket check; Access granted (authorized) or Access denied)
- 24.
Ex2: Bucket operation requested by an IAM user whose parent AWS account is also the bucket owner
Requester: PD (IAM user); PD's parent account: 1111-1111-1111
Bucket owner: 1111-1111-1111
(Flow diagram: PD's request; User check and Bucket check, both with authority AWS account 1111-1111-1111; Yes / No; Access granted (authorized) or Access denied)
- 25.
Ex3: Bucket operation requested by an IAM user whose parent AWS account is not the bucket owner
Requester: PD; PD's parent account: 1111-1111-1111
Bucket owner: 2222-2222-2222
(Flow diagram: PD's request; User check with authority account 1111-1111-1111; Bucket check with authority account 2222-2222-2222; Yes / No; Access granted (authorized) or Access denied)
- 26.
Ex4: Authorization request for object operation
Requester: PD; PD's parent account: 1111-1111-1111
Bucket owner: 2222-2222-2222
Object owner: 3333-3333-3333
(Flow diagram: PD's request; User check with authority 1111-1111-1111; Bucket check with authority 2222-2222-2222; Object check with authority 3333-3333-3333; Yes / No; Access granted (authorized) or Access denied)
- 27.
- 28.
Managing cross-account access in Amazon S3
(Diagram: Account-A owns the bucket and the role AccountARole; users in other accounts assume AccountARole)
{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": "sts:AssumeRole",
    "Resource": "arn:aws:iam::AccountA:role/AccountARole"
  }
}
Users in other accounts assume AccountARole.
- 29.
Cross-region replication: Ownership Override
For business continuity, you can use the object ownership override to separate the access control of source objects and replicated objects, so the source object owners cannot read, update, or delete the replicated objects in the destination.
(Diagram: the source bucket owner owns the object; with the access-control override, the destination bucket owner owns the replica, maintaining two different stacks of ownership)
- 30.
- 31.
Encrypt, where?
• Data in motion: network encryption (HTTPS between the client and instances)
• Data at rest: storage encryption (S3 bucket, EBS volume)
• Data in use: application-level encryption (in application code)
Client-side encryption = you encrypt
Server-side encryption = AWS encrypts
- 32.
Defense in depth
(Diagram, repeated from slide 4: Users reach Documents in an S3 bucket through the IAM policy on the role, the VPCe policy on the S3 VPC endpoint, the bucket policy on the S3 bucket, and the KMS key policy on the KMS key)
- 33.
Traditional reasons to not encrypt
• Performance: latency overhead; crypto acceleration
• Complexity: fragmented systems; inconsistent controls
• Availability: loss of keys; key provisioning
- 34.
Encryption in AWS
(Diagram labels: Audit, Access controls, Encrypting services, Secondary storage, Client, Corporate data center, AWS Cloud)
- 35.
AWS KMS integration
AWS offering category: AWS services integrated with AWS KMS for customer-owned keys
Compute: Amazon EC2 - AWS Lambda - Amazon Lightsail*
Storage: Amazon EBS - Amazon EFS - Amazon FSx for Windows File Server - Amazon S3 Glacier - Amazon S3 - AWS Storage Gateway
Databases: Amazon Aurora - Amazon DynamoDB* - Amazon DynamoDB Accelerator (DAX)* - Amazon Neptune - Amazon Redshift - Amazon RDS
Analytics: Amazon Athena - Amazon Elasticsearch Service - Amazon EMR - AWS Glue - Amazon Kinesis Data Firehose - Amazon Kinesis Data Streams - Amazon Managed Streaming for Kafka (Amazon MSK)
Machine learning: Amazon Comprehend* - Amazon Lex - Amazon SageMaker - Amazon Translate
Application services: Amazon Elastic Transcoder - Amazon Simple Email Service (Amazon SES) - Amazon Simple Queue Service (Amazon SQS)
Migration & transfer: AWS Snowball - AWS Snowball Edge - AWS Snowmobile - AWS Database Migration Service
Developer tools: AWS Cloud9 - AWS CodeBuild - AWS CodeCommit* - AWS CodeDeploy - AWS CodePipeline - AWS X-Ray
Management tools: AWS CloudTrail - Amazon CloudWatch Logs - AWS Systems Manager
Media services: Amazon Kinesis Video Streams
Security & identity: AWS Certificate Manager* - AWS Secrets Manager
Enterprise applications: Amazon WorkMail - Amazon WorkSpaces
Business productivity: Alexa for Business*
Contact center: Amazon Connect
*Supports only AWS managed KMS keys.
- 36.
KMS key hierarchy
Two-tiered hierarchy for keys
• Data keys used to encrypt customer data
• Customer master keys (CMKs) protect data keys
• CMK policies control access to data
• All activity associated with CMKs is logged
Benefits
• Envelope encryption avoids managing data keys
• Encrypted data keys stored with encrypted objects
• Well suited to encrypting large data objects
• Enables local key caching for high I/O operations
(Diagram: the customer master key (CMK) in Key Management Service protects separate data keys for the S3 bucket, the EBS volume and the RDS instance)
- 37.
Envelope encryption
Example: S3 server-side encryption
Encrypt process: Amazon S3 sends a generate-data-key request to KMS for the CMK; KMS returns a plaintext data key together with an encrypted copy of it; S3 encrypts the plaintext data with the data key and stores the encrypted data and the encrypted data key in the S3 bucket.
Decrypt process: Amazon S3 retrieves the encrypted data and the encrypted data key from the bucket and sends the encrypted data key to KMS; KMS decrypts it under the CMK and returns the plaintext data key; S3 decrypts the data with it and returns the plaintext data.
- 38.
Key management lifecycle
(Lifecycle wheel: define key use, create, enable, disable, rotate, back up, recover, delete)
- 39.
Two approaches for managing your keys
AWS managed master keys
• AWS services request AWS KMS to automatically create master keys
• Keys are in your account but can only be used by the AWS services that created them
Customer managed master keys
• You create your master keys in advance using AWS KMS
• You choose which keys to use when setting up an AWS service to use encryption
All operational aspects are the same: security, latency, throughput, durability, availability, and auditability
- 40.
Take control over your keys
• Control who can manage and use your keys
• Limit how your keys can be used (scope reduction)
• Define conditions of use (encryption context = specific data objects)
• Delegate permissions and share access across accounts
• Enable and disable keys instantly
• Control key deletion
• Control key rotation
• Organize your keys with aliases and tags
• Use keys outside AWS encrypting services
• Use AWS Encryption SDK or AWS KMS directly to encrypt data
- 41.
Audit AWS KMS usage with AWS CloudTrail
"EventName": "DecryptResult"   ...this KMS API action was called
"EventTime": "2014-08-18T18:13:07Z"   ...at this time
"RequestParameters": {"keyId": "2b42x363-1911-4e3a-8321-6b67329025ex"}   ...in reference to this key
"EncryptionContext": "volumeid-12345"   ...to protect this AWS resource
"SourceIPAddress": "203.0.113.113"   ...from this IP address
"UserIdentity": {"arn": "arn:aws:iam::111122223333:user/User123"}   ...by this AWS user in this account
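The slide reads one record; the same fields can drive an automated audit. As an added example (not from the deck or from AWS), the Python below scans constructed CloudTrail-style records, using the real field names (eventName, eventTime, sourceIPAddress, userIdentity.arn, requestParameters) but with the slide's placeholder key ID, account and IPs, and flags data-key operations from outside a trusted network, against a CMK not in your inventory, or without an encryption context. The trusted network and key inventory are assumed baselines you would maintain yourself.

```python
import ipaddress
import json

# Constructed CloudTrail-style records (real records carry many more fields).
# Key ID, account ID and addresses are placeholders taken from the slide or RFC 5737 ranges.
SAMPLE_EVENTS = """
{"eventName": "Decrypt", "eventTime": "2014-08-18T18:13:07Z", "sourceIPAddress": "203.0.113.113", "userIdentity": {"arn": "arn:aws:iam::111122223333:user/User123"}, "requestParameters": {"keyId": "2b42x363-1911-4e3a-8321-6b67329025ex", "encryptionContext": {"volumeid": "12345"}}}
{"eventName": "Decrypt", "eventTime": "2014-08-18T18:14:02Z", "sourceIPAddress": "198.51.100.7", "userIdentity": {"arn": "arn:aws:iam::111122223333:user/User123"}, "requestParameters": {"keyId": "2b42x363-1911-4e3a-8321-6b67329025ex", "encryptionContext": {"volumeid": "12345"}}}
{"eventName": "Decrypt", "eventTime": "2014-08-18T18:15:40Z", "sourceIPAddress": "203.0.113.114", "userIdentity": {"arn": "arn:aws:iam::111122223333:user/User123"}, "requestParameters": {"keyId": "2b42x363-1911-4e3a-8321-6b67329025ex"}}
{"eventName": "GenerateDataKey", "eventTime": "2014-08-18T18:16:11Z", "sourceIPAddress": "203.0.113.113", "userIdentity": {"arn": "arn:aws:iam::111122223333:user/User123"}, "requestParameters": {"keyId": "ffffffff-0000-0000-0000-000000000000", "encryptionContext": {"volumeid": "12345"}}}
{"eventName": "DescribeKey", "eventTime": "2014-08-18T18:17:00Z", "sourceIPAddress": "198.51.100.7", "userIdentity": {"arn": "arn:aws:iam::111122223333:user/User123"}, "requestParameters": {"keyId": "2b42x363-1911-4e3a-8321-6b67329025ex"}}
"""

# Assumed baseline you maintain per account: the CMKs you own and the
# networks your key-using workloads run in. Placeholder values.
KNOWN_KEYS = {"2b42x363-1911-4e3a-8321-6b67329025ex"}
TRUSTED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]
DATA_KEY_ACTIONS = {"Decrypt", "Encrypt", "GenerateDataKey", "ReEncrypt"}


def audit_kms_events(jsonl, known_keys=KNOWN_KEYS, trusted=TRUSTED_NETWORKS):
    """Return (eventTime, reason) pairs for records that deserve a second look."""
    findings = []
    for line in jsonl.strip().splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        name, params = ev["eventName"], ev.get("requestParameters") or {}
        key, who, when = params.get("keyId"), ev["userIdentity"]["arn"], ev["eventTime"]
        if name not in DATA_KEY_ACTIONS:
            continue  # metadata calls such as DescribeKey are out of scope here
        try:
            src = ipaddress.ip_address(ev["sourceIPAddress"])
        except ValueError:
            src = None  # calls made on your behalf by an AWS service carry its DNS name
        if src is not None and not any(src in net for net in trusted):
            findings.append((when, f"{name} by {who} from untrusted {src}"))
        if key not in known_keys:
            findings.append((when, f"{name} with unknown key {key}"))
        if not params.get("encryptionContext"):
            # Without a context the key is usable for any data, not one specific resource.
            findings.append((when, f"{name} without encryption context"))
    return findings
```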
- 42.
Bring your own key (BYOK)
Do you have any of these requirements?
• Control how your key was generated (entropy sources)
• Keep your own backup copy of your key material
• Upload keys only when you need them
- 43.
AWS KMS custom key store
Enables you to use an AWS CloudHSM cluster that you control as your own KMS key store. Your KMS keys are generated, stored, and used in devices that are comparable to traditional on-premises HSMs.
AWS CloudHSM provides cloud-based HSMs that are easy to scale with automatic provisioning, high availability, and managed backups.
(Diagram: clients and AWS services using keys held in the custom key store)
- 44.
Amazon S3 default encryption
Provides S3 encryption-at-rest support for applications that do not otherwise support encrypting data in Amazon S3
• One-time bucket-level setup
• Automatically encrypts all new objects
• Supports SSE-S3 and SSE-KMS
• Simplified compliance
- 45.
- 46.
Monitoring Amazon S3 security settings
• Bucket access control view in the S3 console
• Trusted Advisor
• Amazon Macie
• AWS Config rules: s3-bucket-public-read-prohibited, s3-bucket-public-write-prohibited
- 47.
Monitoring Amazon S3 security settings (continued)
• AWS CloudTrail
• Object encryption status: Amazon S3 Inventory
• Amazon S3 Server Access Logs
- 48.
- 49.
Let’s recap some of the best practices
• Always follow the principle of least privilege
• Most use cases don’t require public access – Recommend turning on
the Amazon S3 Block Public Access settings
• Authorization: All decisions start at Deny
• Authorization: An explicit Deny will override any allows
• Use default encryption to protect your data
• Monitor and audit your data with tools such as AWS Trusted Advisor,
AWS Config, AWS CloudTrail, and S3 Inventory
- 50.
Let’s recap some of the best practices
• Encryption by default is a realistic goal
• Sound key management provides enhanced access controls and
visibility
• AWS KMS is durable, secure, and integrated with 50+ AWS
services
• You have choices about the controls you place over your keys
• AWS KMS can be used as an independent control point for your
own applications and AWS partner solutions
- 51.
Thank you!
Ahmed Gouda
gouda@amazon.com
/ahmedgouda
@AskGouda