AWS Security presentation from SaintCon 2014.

1. AWS Security
Jason Chan
chan@netflix.com : @chanjbs
SAINTCON 2014

2. Quick Survey
AWS Experience
1-4

4. 14m users in 1+ year

5. 14m users in 1+ year
150m photos

6. 14m users in 1+ year
150m photos
3 engineers

7. 14m users in 1+ year
150m photos
3 engineers
$1B acquisition by FB

9. So . . .

10. idea + cloud = profit!

13. So . . .

15. Goal: AWS benefits, securely

16. AWS Intro
Typical Setup
Thinking about AWS Security
Tips and Traps
Other Resources

17. Me
Now: Security @ Netflix
Before: Security @ VMware
Before: @stake, iSEC

19. AWS

20. IaaS
Undifferentiated heavy lifting

21. API-driven building
blocks
Customer control

22. Evolving quickly

24. Typical AWS Setup

32. Thinking About AWS
Security

33. Philosophy

36. A note on security
automation

39. Typically, how do
you:

40. Create a user account

41. Create a user account
Inventory your systems

42. Create a user account
Inventory your systems
Update a firewall config

43. Create a user account
Inventory your systems
Update a firewall config
Make a forensic image

44. Create a user account
Inventory your systems
Update a firewall config
Make a forensic image
Disable a MFA token

45. In AWS . . .

46. CreateUser()
DescribeInstances()
AuthorizeSecurityGroupIngress()
CreateSnapshot()
DeactivateMFADevice()

48. Three Areas of Focus

52. Shared Responsibility

54. Guidance
High-level
• CSA and ENISA guidance
AWS specific
• Security Whitepaper
• Risk and Compliance Whitepaper
• Security Center and Compliance Center

55. Shared responsibility tips
Understand the model, and what AWS can't do
Engage AWS for support - SSAE 16, PCI, etc.

56. Shared responsibility traps
AWS can help, but you're ultimately responsible
Contract, Ts & Cs are not a firewall

57. Segregation and
Access Control

58. "Users/Accounts" in
AWS

59. Users = API access control
Three types
1. Main/Root
2. IAM
3. IAM Roles for EC2

61. IAM user
(accounts for humans)

62. Keys are static
Must be protected

64. IAM role
(accounts for
services)

65. Keys are short-lived
Difficult to protect

66. curl http://169.254.169.254/latest/meta-data/iam/security-credentials/s3access
{
"Code" : "Success",
"LastUpdated" : "2012-04-26T16:39:16Z",
"Type" : "AWS-HMAC",
"AccessKeyId" : "AKIAIOSFODNN7EXAMPLE",
"SecretAccessKey" : "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
"Token" : "token",
"Expiration" : "2012-04-27T22:39:16Z"
}

68. Users in AWS - Tips
Don't use the root account
Protect IAM keys
Use IAM roles for EC2

69. Users in AWS - Traps
Keys have a way of finding
themselves in GitHub
No way to control access to EC2
metadata

70. Permissions and
Policies

71. Suggested homework
Read the API docs

72. Two Permission Types
1. User-Based - Attached to a user, controls what the user can
do (also applies to groups and roles)
2. Resource-Based - Attached to a resource, controls what can
be done to the resource

73. Bonus, Confusing Third Type
• Resource-Level - Attached to a user, controls what the user
can do, to which resource

76. User policies

77. {
"Statement": [
{
"Action": [
"ses:SendEmail"
],
"Effect": "Allow",
"Resource": "*",
"Condition": {
"IpAddress": {
"aws:SourceIp": "1.1.1.1"
}
}
}
]
}

78. Common approach -
blacklisting

79. {
"Statement": [
{
"Effect": "Allow",
"Action": "*",
"Resource": "*"
}
]
}
{
"Statement": [
{
"Action": "ses:*",
"Effect": "Deny",
"Resource": "*"
},
{
"Action": "iam:*",
"Effect": "Deny",
"Resource": "*"
}
]
}

81. Creating policies
• AWS has dozens of services
• Hundreds of API calls across those services
• Resource-level control and conditions provides tremendous
granularity

82. Sounds great!
Sign me up!

84. Looking at resource-level
policies again

86. Who (or what) can
apply (or delete)
tags?

87. Permissions and policies - Tips
Think least-privilege
Think traditional RBAC

88. Permissions and policies - Traps
Be careful with tag-based security
Be careful with policy size limitations
Be careful with non-specific policies

89. Account-Level
Strongest separation

92. Account segregation - Tips
Test / Dev / Staging / Prod
Compliance requirements
Business units (billing boundaries)
Core/platform vs. end-user

93. Account segregation - Traps
Cross-account limitations (VPC security groups, S3)
Logistics and planning - AZ mapping, reservations and
limits

94. Monitoring AWS
Security

95. Bill as IDS
AWS Billing Alerts

97. CloudTrail
Logging of API calls

99. {
"Records": [{
"eventVersion": "1.0",
"userIdentity": {
"type": "IAMUser",
"principalId": "EX_PRINCIPAL_ID",
"arn": "arn:aws:iam::123456789012:user/Alice",
"accessKeyId": "EXAMPLE_KEY_ID",
"accountId": "123456789012",
"userName": "Alice"
},
"eventTime": "2014-03-06T21:22:54Z",
"eventSource": "ec2.amazonaws.com",
"eventName": "StartInstances",
"awsRegion": "us-west-2",
"sourceIPAddress": "205.251.233.176",
"userAgent": "ec2-api-tools 1.6.12.2",
"requestParameters": {
"instancesSet": {
"items": [{
"instanceId": "i-ebeaf9e2"
}]
}
},

100. "responseElements": {
"instancesSet": {
"items": [{
"instanceId": "i-ebeaf9e2",
"currentState": {
"code": 0,
"name": "pending"
},
"previousState": {
"code": 80,
"name": "stopped"
}
}]
}
}
},
... additional entries ...
]
}

101. Trusted Advisor
Checks config vs. best practices

104. Shameless Plug
Section of the Talk

105. Edda
AWS config history

106. What instance has a given public
IP?
$ curl "http://edda/api/v2/view/instances;publicIpAddress=1.2.3.4;_since=0"

107. $ curl "http://edda/api/v2/view/instances;publicIpAddress=1.2.3.4;_since=0"
["i-0123456789","i-012345678a","i-012345678b"]

108. What is the most recent change to
a security group?
$ curl "http://edda/api/v2/aws/securityGroups/sg-0123456789;_diff;_all;_limit=2"

109. $ curl "http://edda/api/v2/aws/securityGroups/sg-0123456789;_diff;_all;_limit=2"
--- /api/v2/aws.securityGroups/sg-0123456789;_pp;_at=1351040779810
+++ /api/v2/aws.securityGroups/sg-0123456789;_pp;_at=1351044093504
@@ -1,33 +1,33 @@
{
"class" : "com.amazonaws.services.ec2.model.SecurityGroup",
"description" : "App1",
"groupId" : "sg-0123456789",
"groupName" : "app1-frontend",
"ipPermissions" : [
{
"class" : "com.amazonaws.services.ec2.model.IpPermission",
"fromPort" : 80,
"ipProtocol" : "tcp",
"ipRanges" : [
"10.10.1.1/32",
"10.10.1.2/32",
+ "10.10.1.3/32",
- "10.10.1.4/32"
],
"toPort" : 80,
"userIdGroupPairs" : [ ]
}
],
"ipPermissionsEgress" : [ ],
"ownerId" : "2345678912345",
"tags" : [ ],
"vpcId" : null
}

110. Security Monkey

112. Monitoring - Tips
Know your options
Ideal place to drive automation

113. Monitoring - Traps
There is no configuration history
CloudTrail logs are complex

114. AWS Security
Resources
http://tiny.cc/awssecurity

115. Thank you!
chan@netflix.com : @chanjbs