AWS Security Best Practices in a Zero Trust Security Model - DEM08 - Toronto AWS Summit
Slide 1. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Andy Smith
VP of Product Marketing, Centrify
AWS Security Best Practices
in a Zero Trust Security Model
DEM08
Slide 2
Agenda
• Security and your part of the Shared Responsibility Model
• Zero Trust Security overview
• Centrify best practices for AWS security
Slide 3
AWS Shared Responsibility Model
YOU:
AWS:
Slide 4
Centrify Zero Trust Security
• Verify the user
• Validate their device
• Limit access & privilege
• Learn & adapt
Slide 5
Zero Trust Security Maturity Model
Maturity axis: from Danger (Too Many Passwords, Too Much Privilege) to More Secure.
• Establish Identity Assurance: Consolidate Identities, MFA Everywhere, Risk-based Access, SSO Everywhere
• Limit Lateral Movement: Establish Access Zones, Trusted Endpoints, Conditional Access, Minimize VPN Access, No DevOps Passwords
• Enforce Least Privilege: Just-in-Time Privilege, Just Enough Privilege, Don’t Break Glass, Lifecycle Management
• Audit Everything: Analyze Risk, Monitor Sessions, Integrate with SIEM
Slide 6
Centrify Best Practices for Securing AWS workloads
• Common Security Model
• Eliminate Shared Amazon EC2 Key Pairs
• Ensure Accountability
• Least Privilege Access
• MFA Everywhere
• Audit Everything
Slide 7
Additional security for AWS Management Console access
Lock down the “root” or billing account
Establish Federated login
Enforce Role-based temporary privileges
Slide 8
Enforce IAM Role-based Temporary Privileges
Delegate AWS privileges by AWS role mapping
Enable request-based access for temporary access rights
Centrify user portal provides SSO access to the AWS Management Console
AWS CLI tools and PowerShell access
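As an added example (not part of the Centrify deck or any Centrify tooling), the following Python script audits the controls slides 7 and 8 call for: a locked-down root account, federated (SAML) login, and role-based privileges that are temporary and gated on MFA. The role trust policies and the account-summary map are constructed sample data shaped like real IAM JSON (`aws:MultiFactorAuthPresent`, `SAML:aud` and the `AccountMFAEnabled` / `AccountAccessKeysPresent` keys of IAM GetAccountSummary are real; the account IDs, role names and the one-hour session limit `MAX_SESSION_SECONDS` are assumptions). Nothing is fetched from AWS, so it runs offline.

```python
"""Audit IAM role trust policies and the root-account summary for:
root locked down, federated SAML login pinned to the AWS audience, and
role assumption that is MFA-gated and time-limited.

All sample data here is constructed for the example; nothing is fetched
from AWS. Policy shape matches IAM trust-policy JSON; summary keys match
the SummaryMap returned by IAM GetAccountSummary."""

MAX_SESSION_SECONDS = 3600  # assumed organisational limit for role sessions

# Constructed sample: roles as ListRoles would describe them, each with its
# AssumeRolePolicyDocument (the trust policy). Account IDs are placeholders.
SAMPLE_ROLES = [
    {   # federated login via a SAML IdP, audience pinned, 1-hour sessions
        "RoleName": "saml-admins",
        "MaxSessionDuration": 3600,
        "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": "arn:aws:iam::111122223333:saml-provider/ExampleIdP"},
            "Action": "sts:AssumeRoleWithSAML",
            "Condition": {"StringEquals": {"SAML:aud": "https://signin.aws.amazon.com/saml"}},
        }]},
    },
    {   # cross-account role: no MFA condition and 12-hour sessions
        "RoleName": "cross-account-no-mfa",
        "MaxSessionDuration": 43200,
        "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::444455556666:root"},
            "Action": "sts:AssumeRole",
        }]},
    },
    {   # MFA is required, but the principal is a wildcard
        "RoleName": "open-to-anyone",
        "MaxSessionDuration": 3600,
        "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": "*"},
            "Action": "sts:AssumeRole",
            "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}},
        }]},
    },
]

# Constructed sample of the GetAccountSummary SummaryMap for the root account.
SAMPLE_ACCOUNT_SUMMARY = {"AccountMFAEnabled": 0, "AccountAccessKeysPresent": 1}


def _as_list(value):
    """IAM policy JSON allows a single string or a list in most positions."""
    return value if isinstance(value, list) else [value]


def _requires_mfa(statement):
    """True when the statement carries an aws:MultiFactorAuthPresent=true condition."""
    cond = statement.get("Condition", {})
    for op in ("Bool", "BoolIfExists"):
        if str(cond.get(op, {}).get("aws:MultiFactorAuthPresent")).lower() == "true":
            return True
    return False


def audit_role(role):
    """Return a list of findings (strings) for one role; an empty list means clean."""
    findings, name = [], role["RoleName"]
    if role.get("MaxSessionDuration", 3600) > MAX_SESSION_SECONDS:
        findings.append(f"{name}: MaxSessionDuration exceeds {MAX_SESSION_SECONDS}s")
    for stmt in _as_list(role["AssumeRolePolicyDocument"]["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        actions = _as_list(stmt.get("Action", []))
        aws_principals = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else []
        # A wildcard principal lets any AWS account attempt to assume the role.
        if principal == "*" or "*" in aws_principals:
            findings.append(f"{name}: trust policy allows a wildcard principal")
        # Roles assumed by AWS principals (humans, other accounts) should demand MFA.
        if "sts:AssumeRole" in actions and aws_principals and not _requires_mfa(stmt):
            findings.append(f"{name}: sts:AssumeRole permitted without an MFA condition")
        # Federated SAML assumption should be pinned to the AWS sign-in audience.
        if "sts:AssumeRoleWithSAML" in actions:
            aud = stmt.get("Condition", {}).get("StringEquals", {}).get("SAML:aud")
            if aud != "https://signin.aws.amazon.com/saml":
                findings.append(f"{name}: SAML trust lacks the SAML:aud condition")
    return findings


def audit_root_account(summary):
    """Findings for the root account from a GetAccountSummary-style map."""
    findings = []
    if not summary.get("AccountMFAEnabled"):
        findings.append("root: MFA is not enabled")
    if summary.get("AccountAccessKeysPresent"):
        findings.append("root: long-lived access keys exist")
    return findings


def audit_all(roles=SAMPLE_ROLES, summary=SAMPLE_ACCOUNT_SUMMARY):
    """Root-account findings followed by per-role findings, in input order."""
    findings = audit_root_account(summary)
    for role in roles:
        findings.extend(audit_role(role))
    return findings


if __name__ == "__main__":
    for line in audit_all():
        print(line)
```

Against the constructed sample the audit reports five findings: two for the root account, none for `saml-admins`, two for `cross-account-no-mfa` (session length and missing MFA condition) and one for `open-to-anyone` (wildcard principal). To run it against a real account the two sample structures would be replaced by the output of IAM ListRoles and GetAccountSummary; the checks themselves do not change.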
Slide 9
Control Access to Amazon EC2 Instances
Extend Enterprise IAM to Amazon EC2
Enforce Least Privilege
Require Multi-Factor Authentication
Diagram: enterprise Active Directory connected over a site-to-site VPN to an Active Directory instance in the VPC, linked by a one-way Active Directory trust.
Slide 10
Centrify Privilege Service for Amazon EC2 Instances
Secure Remote Access
Access Request Workflow
Lock down root accounts
Application Password Management
Active Directory
Slide 11
Enterprise IAM and MFA for Hosted Applications
Extend Enterprise IAM for apps
Require multi-factor authentication
Single sign-on for users
Slide 12
Secure Docker Hosts
IAM and PAM for Linux Docker Host or CoreOS Container Linux
Docker Group Management
PAM for Docker
Diagram: IT Ops accessing Docker containers on a container host that is joined to AD.
Slide 13
Secure Apps in Containers
IAM and PAM for DevOps login access to Containers
• Developers log in to the container via SSH, independent of the host
• Ops will most likely need break-glass access
AAPM and service accounts for apps
Diagram: developers and Active Directory connected to Docker containers on a container host; a second container host connected to Centrify Infrastructure Services.
Slide 14
Secure Your Container Management Platforms
IAM Services for Container Management
Active Directory Integration for on-premises deployments
Diagram: DevOps staff reaching Docker containers on a container host through container orchestration backed by Active Directory; for on-premises deployments a Linux host running the Centrify LDAP Proxy fronts Active Directory, and DevOps staff can also authenticate through the Centrify Service.
Slide 15
Additional Resources
Centrify Solutions for AWS
• www.centrify.com/aws
TechCenter for AWS
• community.centrify.com/aws
Script Repository
• github.com/centrify
Whitepapers:
• Centrify’s Six Best Practices for Securing AWS Environments
• http://www.centrify.com/resources/six-best-practices-for-securing-amazon-web-services/
• AWS IAM Best Practices and Use Cases
• http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html
• Gartner “How to Make Cloud IaaS Workloads More Secure Than Your Own Data Center”
• https://www.gartner.com/doc/3352444/make-cloud-iaas-workloads-secure
Slide 16
Submit session feedback
1. Tap the Schedule icon.
2. Select the session you attended.
3. Tap Session Evaluation to submit your feedback.
Slide 17
Thank You!
Please stop by Centrify booth #207
Andy.Smith@Centrify.com