© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Geordie Anderson
Security Solutions Architect
Amazon Web Services
geordiea@amazon.com
September 27, 2018
Staying Secure in the Cloud
Move fast, OR stay secure?
Move fast, AND stay secure.
Security At AWS Is Our #1 Priority
Familiar security model: security measures are validated and driven by security experts across our customer base.
A superset of security controls that benefit all customers, applied across people & process, system, network, and physical security.
AWS Shared Responsibility Model
AWS is responsible for security ‘of’ the cloud: the AWS global infrastructure (Regions, Availability Zones, edge locations) and the foundation services for compute, storage, database, and networking.
Customers are responsible for security ‘in’ the cloud:
• Customer content
• Platform, applications, identity & access management
• Operating system, network & firewall configuration
• Client-side data encryption & data integrity authentication
• Server-side encryption (filesystem and/or data)
• Network traffic protection (encryption / integrity / identity)
AWS Reports, Certifications, & Accreditations
https://aws.amazon.com/compliance/
AWS Security Training
AWS Security Fundamentals: complimentary, 4-hour, online course
Security Operations on AWS: instructor-led, 3-day class
Details at aws.amazon.com/training
Considerations for Security and Privacy
• Encryption at scale, with keys managed by the AWS Key Management Service (KMS), by 3rd party AWS Marketplace solutions, or with keys you manage yourself in AWS CloudHSM.
• Meet data residency requirements: you choose the AWS Region that holds your data, and AWS does not replicate it to other Regions or move it; cross-Region copies happen only if you configure them.
• Access services and automation tools that enable you to build compliant infrastructure and enable audit trails and governance on top of AWS.
• Comply with local data privacy laws by controlling who can access content, its lifecycle, and its deletion.
• Enable central identity management using AWS Identity & Access Management (IAM), integrated with Microsoft Active Directory using SAML 2.0 and ADFS.
• Enforce isolation at different context layers using AWS Organizations, AWS accounts, AWS Landing Zone, Amazon Virtual Private Cloud (VPC), and security groups.
Connecting to the cloud
[Diagram: a customer on-premises network (clients, remote servers, router/firewall) connecting to an AWS Region (Canada – Montreal) with two Availability Zones, A and B, each holding a subnet. The three methods below differ in what sits between the on-premises router/firewall and the VPC.]
Method 1 – Internet Via Public IP
[Diagram: on-premises clients reach the Region over the public Internet, entering the VPC through an Internet Gateway (IGW) and landing on resources with public IPs in Subnet 1 (Availability Zone A) and Subnet 2 (Availability Zone B).]
Simplest to set up, but every resource with a public IP is reachable from anywhere on the Internet: rely on security groups, network ACLs, and TLS on the application protocol rather than on the network path.
Method 2 – Internet Via Secure VPN
[Diagram: the on-premises router/firewall builds an encrypted VPN tunnel across the Internet to the AWS managed VPN service, which terminates in the Region and routes into Subnet 1 (Availability Zone A) and Subnet 2 (Availability Zone B).]
Traffic still crosses the Internet, but inside an IPsec tunnel, so the instances need no public IPs; the AWS side provides two tunnel endpoints so that one can fail without losing connectivity.
Method 3 – AWS Direct Connect (DX)
[Diagram: the on-premises router/firewall connects over a fiber circuit via a service provider / telco (customer responsibility) to an AWS-supported 3rd party Direct Connect colocation facility. Inside the facility a service provider router is cross-connected to the AWS Direct Connect router on DX ports of 1 Gbps or 10 Gbps. Separate 802.1Q VLANs, each with its own BGP session (VLAN 100, VLAN 101), carry traffic into the AWS Region (Canada – Montreal): one to VPC 1 – Subnet 1 in Availability Zone A, another to VPC 2 – Subnet 1 and VPC 2 – Subnet 2 in Availability Zones A and B.]
Direct Connect is a private circuit, not an encrypted one: if data must be encrypted in transit, run an IPsec VPN over the DX connection or encrypt at the application layer.
AWS Direct Connect (DX) Locations in Canada
• Cologix MTL3
• eStruxture MTL
• Allied Toronto
• Cologix VAN2
Best Practices – Identity & Access Management (IAM)
• Enable multi-factor authentication: lock down the root credentials and enforce multi-factor authentication for all privileged accounts.
• Grant least privilege: not everyone needs to be an administrator.
• Enable identity federation: access your AWS accounts using credentials from your corporate directory.
• Use roles for applications that run on EC2 instances: to provide credentials to applications in a secure way, use IAM roles rather than embedding access keys.
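The two practices that are easiest to check mechanically are least privilege and MFA enforcement. The following is an added example (Python, not code from the deck) that lints IAM policy documents for the anti-patterns above and shows the trust policy an EC2 instance role needs; the policy documents and the bucket name are constructed for illustration.

```python
"""Least-privilege and MFA checks on IAM policy documents.

Added example (not code from the talk): lints IAM policy JSON for the
anti-patterns the slide warns about and builds the trust policy an EC2
instance role needs. Policy text below is constructed for illustration.
"""
import json

# Constructed sample policies, not copied from any real account.
ADMIN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

SCOPED_POLICY_WITH_MFA = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:PutObject"],
            "Resource": "arn:aws:s3:::example-app-bucket/*",  # assumed bucket
            "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}},
        }
    ],
}

# Trust policy that lets EC2 assume a role: temporary credentials are
# delivered to the instance via the metadata service, so no long-lived
# access keys land on disk.
EC2_ROLE_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"Service": "ec2.amazonaws.com"},
            "Action": "sts:AssumeRole",
        }
    ],
}


def _as_list(value):
    """IAM allows a string or a list in Action/Resource/Statement; normalize."""
    return value if isinstance(value, list) else [value]


def lint_policy(policy):
    """Return a list of findings for a policy document (empty means clean)."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        if "*" in actions and "*" in resources:
            findings.append(f"statement {i}: full administrator access (Action '*' on Resource '*')")
        elif any(a == "*" or a.endswith(":*") for a in actions):
            findings.append(f"statement {i}: service-wide wildcard action {actions}")
        elif "*" in resources:
            findings.append(f"statement {i}: actions {actions} allowed on every resource")
        if "iam:*" in actions or "iam:PassRole" in actions:
            findings.append(f"statement {i}: grants IAM privileges, review for privilege escalation")
    return findings


def requires_mfa(policy):
    """True when every Allow statement is gated on aws:MultiFactorAuthPresent.

    Only the Allow-with-condition pattern is checked; a policy that instead
    denies everything when MFA is absent needs a separate check.
    """
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        bool_cond = stmt.get("Condition", {}).get("Bool", {})
        if str(bool_cond.get("aws:MultiFactorAuthPresent", "")).lower() != "true":
            return False
    return True


if __name__ == "__main__":
    for name, pol in [("ADMIN_POLICY", ADMIN_POLICY), ("SCOPED_POLICY_WITH_MFA", SCOPED_POLICY_WITH_MFA)]:
        print(name, "findings:", lint_policy(pol) or "none", "| MFA required:", requires_mfa(pol))
    print(json.dumps(EC2_ROLE_TRUST_POLICY, indent=2))
```

Run it against the policies attached to your privileged users and roles (for example the output of `aws iam get-policy-version`); any finding on a human user's policy is a candidate for replacing the user with a federated role that carries only the actions the job needs.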
Federation to AWS Using AD, ADFS, and SAML
Active Directory groups handle authentication at the enterprise identity provider (Microsoft Active Directory plus Active Directory Federation Services, ADFS); AWS IAM roles handle authorization in the AWS Canada Central Region.
1. The user browses to a local ADFS-served URL.
2. The user authenticates against Active Directory with corporate credentials.
3. ADFS returns the authentication response (a signed SAML assertion) to the browser.
4. The browser posts the authentication response to AWS Management Console sign-in.
5. AWS sign-in redirects the client to the AWS Management Console, with the session scoped to the IAM role named in the assertion.
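The link between step 2 and step 5 is the Role attribute in the SAML assertion: the identity provider turns the user's AD group memberships into "role ARN, SAML provider ARN" pairs, and AWS lets the user pick one of those roles. The following is an added example (Python, not code from the deck) of that mapping and of validating a Role claim; the group naming convention AWS-<account-id>-<role-name> and the provider name "ADFS" are assumptions, while the attribute name and the comma-separated value format are what AWS sign-in expects.

```python
"""Mapping Active Directory groups to IAM roles for SAML federation.

Added example, not from the talk. The group naming convention
(AWS-<account-id>-<role-name>) and the SAML provider name are assumptions;
the attribute name and the "role-arn,provider-arn" value format are what
AWS sign-in expects in the assertion.
"""
import re

ROLE_ATTRIBUTE = "https://aws.amazon.com/SAML/Attributes/Role"
ROLE_SESSION_NAME_ATTRIBUTE = "https://aws.amazon.com/SAML/Attributes/RoleSessionName"
SAML_PROVIDER_NAME = "ADFS"  # assumed name of the IAM SAML provider

# Assumed convention for the AD groups that carry AWS entitlements.
GROUP_PATTERN = re.compile(r"^AWS-(?P<account>\d{12})-(?P<role>[\w+=.@-]+)$")


def role_claims_for_groups(groups, provider_name=SAML_PROVIDER_NAME):
    """Translate AD group memberships into Role attribute values.

    Groups that do not match the convention are ignored, so ordinary
    directory groups never turn into AWS entitlements.
    """
    claims = []
    for group in groups:
        m = GROUP_PATTERN.match(group)
        if not m:
            continue
        account, role = m.group("account"), m.group("role")
        claims.append(
            f"arn:aws:iam::{account}:role/{role},"
            f"arn:aws:iam::{account}:saml-provider/{provider_name}"
        )
    return claims


def build_saml_attributes(upn, groups):
    """Attributes the IdP would place in the assertion for this user."""
    return {
        ROLE_ATTRIBUTE: role_claims_for_groups(groups),
        ROLE_SESSION_NAME_ATTRIBUTE: upn,  # shows up in CloudTrail as the session name
    }


def parse_role_claim(value):
    """Validate a Role attribute value and split it into (role_arn, provider_arn).

    The role and the SAML provider must live in the same account; a claim
    that mixes accounts is rejected here rather than at sign-in time.
    """
    parts = value.split(",")
    if len(parts) != 2:
        raise ValueError("Role claim must be 'role-arn,provider-arn'")
    role_arn, provider_arn = (p.strip() for p in parts)
    # Normalize so the role comes first regardless of the order the IdP emitted.
    if ":saml-provider/" in role_arn and ":role/" in provider_arn:
        role_arn, provider_arn = provider_arn, role_arn
    role_acct = role_arn.split(":")[4]
    prov_acct = provider_arn.split(":")[4]
    if role_acct != prov_acct:
        raise ValueError("role and SAML provider are in different accounts")
    return role_arn, provider_arn
```

On the AWS side the role's trust policy must name the SAML provider as principal and require `SAML:aud` to be the AWS sign-in endpoint; on the ADFS side, restrict who may be added to the AWS-* groups, since group membership is now the AWS authorization decision.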
AWS CloudTrail – AWS Audit Logging
Users are constantly making API calls on a growing set of AWS services around the world, and AWS CloudTrail is continuously recording and logging those API calls. Every record answers:
• Who made the request?
• What was requested?
• When and from where?
• What was the response?
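Those four questions map directly onto fields of a CloudTrail record, and the same fields drive the detections a defender wants first: root account use, calls that tamper with the trail itself, and IAM or network changes. The following is an added example (Python, not code from the deck) that parses a CloudTrail log file and raises those alerts; the three records are constructed in the CloudTrail record format with placeholder IDs and addresses, and the sets of watched API calls are a starting point, not a complete list.

```python
"""Answering "who, what, when, from where, what response" from CloudTrail,
and flagging the events a defender cares about most.

Added example, not from the talk. The records below are constructed to match
the CloudTrail record format (eventName, userIdentity, sourceIPAddress, ...);
the IDs and addresses are placeholders. The watched-call sets are a starting
point, not an exhaustive list.
"""
import json

# Constructed CloudTrail log file: a "Records" array, as delivered to S3.
SAMPLE_LOG = json.dumps({"Records": [
    {
        "eventVersion": "1.05", "eventTime": "2018-09-27T14:02:11Z",
        "eventSource": "ec2.amazonaws.com", "eventName": "AuthorizeSecurityGroupIngress",
        "awsRegion": "ca-central-1", "sourceIPAddress": "203.0.113.10",
        "userIdentity": {"type": "IAMUser", "userName": "alice",
                         "sessionContext": {"attributes": {"mfaAuthenticated": "true"}}},
        "requestParameters": {"groupId": "sg-0123456789abcdef0"},
        "responseElements": {"_return": True},
    },
    {
        "eventVersion": "1.05", "eventTime": "2018-09-27T14:05:40Z",
        "eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
        "awsRegion": "ca-central-1", "sourceIPAddress": "198.51.100.7",
        "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root",
                         "sessionContext": {"attributes": {"mfaAuthenticated": "false"}}},
        "requestParameters": {"name": "arn:aws:cloudtrail:ca-central-1:123456789012:trail/org-trail"},
        "responseElements": None,
    },
    {
        "eventVersion": "1.05", "eventTime": "2018-09-27T14:06:02Z",
        "eventSource": "iam.amazonaws.com", "eventName": "CreateAccessKey",
        "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.7",
        "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root"},
        "requestParameters": {"userName": "backup-svc"},
        "errorCode": "AccessDenied", "errorMessage": "User is not authorized",
    },
]})

# Calls that weaken the audit trail or change the control plane.
TRAIL_TAMPERING = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}
IAM_CHANGES = {"CreateAccessKey", "CreateUser", "AttachUserPolicy", "PutUserPolicy",
               "CreateLoginProfile", "UpdateAssumeRolePolicy"}
NETWORK_CHANGES = {"AuthorizeSecurityGroupIngress", "CreateRoute", "ReplaceNetworkAclEntry",
                   "CreateNetworkAclEntry", "AttachInternetGateway"}


def summarize(record):
    """The four questions from the slide, as one dict per record."""
    ident = record.get("userIdentity", {})
    mfa = ident.get("sessionContext", {}).get("attributes", {}).get("mfaAuthenticated")
    return {
        "who": ident.get("userName") or ident.get("arn") or ident.get("type"),
        "type": ident.get("type"),
        "mfa": mfa == "true",
        "what": f'{record["eventSource"].split(".")[0]}:{record["eventName"]}',
        "when": record["eventTime"],
        "where": (record.get("sourceIPAddress"), record.get("awsRegion")),
        # Denied calls are logged too, and still reveal who is trying what.
        "response": "denied:" + record["errorCode"] if "errorCode" in record else "ok",
    }


def triage(log_text):
    """Parse a CloudTrail log file and return (summaries, alerts)."""
    records = json.loads(log_text)["Records"]
    summaries = [summarize(r) for r in records]
    alerts = []
    for r, s in zip(records, summaries):
        if r["eventName"] in TRAIL_TAMPERING:
            alerts.append(("cloudtrail-tampering", s))
        if s["type"] == "Root":
            alerts.append(("root-account-use", s))  # root should be locked away and unused
        if r["eventName"] in IAM_CHANGES:
            alerts.append(("iam-change", s))
        if r["eventName"] in NETWORK_CHANGES:
            alerts.append(("network-change", s))
    return summaries, alerts


if __name__ == "__main__":
    for kind, summary in triage(SAMPLE_LOG)[1]:
        print(kind, summary)
```

In production the same logic runs as a CloudWatch Logs metric filter or a Lambda function on the trail's S3 delivery; the point of keeping it this simple is that an attacker's first move after obtaining credentials is often one of the calls in TRAIL_TAMPERING, so that alert should page someone.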
Example 3-Tier Web Architecture
[Diagram: one VPC, 10.10.0.0/16, in the AWS Canada Central (Montreal) Region, spread across Availability Zones A and B:
• Web Subnet A 10.10.1.0/24 and Web Subnet B 10.10.2.0/24 hold the Web Tier Auto Scaling Group behind an Internet-facing Elastic Load Balancer (ELB) reached through the Internet Gateway (IGW); Web Tier Security Group.
• App Subnet A 10.10.3.0/24 and App Subnet B 10.10.4.0/24 hold the App Tier Auto Scaling Group behind an internal ELB; App Tier Security Group.
• Database Subnet A 10.10.5.0/24 and Database Subnet B 10.10.6.0/24 hold a Multi-AZ RDS database with synchronous replication behind a single highly available DNS endpoint; Database Tier Security Group.]
Each tier's security group should accept traffic only from the security group of the tier in front of it (web from the ELB, app from the web tier, database from the app tier), so that the private subnets never need CIDR-wide rules and a compromised web server still cannot reach the database directly.
VPC Flow Logs – See All Your Traffic
• Agentless
• Enable per network interface, per subnet, or per VPC
• Logged to Amazon CloudWatch Logs (delivery to Amazon S3 is also supported)
• Create CloudWatch metrics from log data, and alarm on those metrics
Each record carries: version, account ID, interface, source IP, destination IP, source port, destination port, protocol, packets, bytes, start time, end time, and whether the traffic was accepted or rejected.
Flow logs record flow metadata, not payload, and a few flows are not captured at all (for example traffic to the Amazon DNS resolver and to the instance metadata service), so "all your traffic" means every flow the VPC forwards, not a packet capture.
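The field list above is enough to build useful detections without any agent. The following is an added example (Python, not code from the deck) that parses flow log records in the default format, finds a port probe (one source collecting REJECTs on many destination ports) and accepted connections to administrative ports, and totals bytes per action the way a CloudWatch metric filter would; the log lines are constructed with placeholder interface IDs and addresses, and the thresholds are assumptions to tune for your environment.

```python
"""Parsing VPC Flow Log records and turning them into detections.

Added example, not from the talk. The log lines are constructed in the
default flow log format (version 2, space separated, 14 fields); interface
IDs and addresses are placeholders. Thresholds are assumptions to tune.
"""
from collections import defaultdict

FIELDS = ["version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes",
          "start", "end", "action", "log_status"]

# CloudWatch Logs metric filter pattern for the same REJECT count, as given in
# the VPC Flow Logs documentation; included for reference only.
REJECT_METRIC_FILTER = ("[version, account, eni, source, destination, srcport, destport, "
                        "protocol, packets, bytes, windowstart, windowend, action=\"REJECT\", flowlogstatus]")

# Constructed sample: a port probe from 198.51.100.23 against one interface,
# normal accepted web traffic, one accepted SSH session, and a NODATA record.
SAMPLE_FLOW_LOG = """\
2 123456789012 eni-0a1b2c3d 198.51.100.23 10.10.1.10 40211 22 6 1 44 1538056800 1538056860 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.23 10.10.1.10 40212 23 6 1 44 1538056800 1538056860 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.23 10.10.1.10 40213 3389 6 1 44 1538056800 1538056860 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.23 10.10.1.10 40214 445 6 1 44 1538056801 1538056861 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.23 10.10.1.10 40215 8080 6 1 44 1538056801 1538056861 REJECT OK
2 123456789012 eni-0a1b2c3d 203.0.113.5 10.10.1.10 51000 443 6 12 3400 1538056802 1538056862 ACCEPT OK
2 123456789012 eni-0a1b2c3d 203.0.113.5 10.10.1.10 51001 443 6 9 2100 1538056803 1538056863 ACCEPT OK
2 123456789012 eni-0a1b2c3d 192.0.2.77 10.10.1.10 55123 22 6 30 5800 1538056804 1538056864 ACCEPT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1538056805 1538056865 - NODATA
"""

PROBE_PORT_THRESHOLD = 5   # assumed: distinct rejected ports from one source
ADMIN_PORTS = {22, 3389}   # SSH and RDP


def parse_flow_log(text):
    """Yield one dict per usable record; NODATA/SKIPDATA lines are dropped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":
            continue  # no flow fields to parse on NODATA / SKIPDATA
        for k in ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end"):
            rec[k] = int(rec[k])
        yield rec


def rejected_ports_by_source(records):
    """Map source IP -> set of destination ports that were REJECTed."""
    ports = defaultdict(set)
    for r in records:
        if r["action"] == "REJECT":
            ports[r["srcaddr"]].add(r["dstport"])
    return ports


def detect(text, threshold=PROBE_PORT_THRESHOLD):
    """Return a list of (kind, source_ip, detail) findings."""
    records = list(parse_flow_log(text))
    findings = []
    for src, ports in rejected_ports_by_source(records).items():
        if len(ports) >= threshold:
            findings.append(("port-probe", src, sorted(ports)))
    for r in records:
        # An ACCEPT on an admin port means a security group allowed it: verify the source.
        if r["action"] == "ACCEPT" and r["dstport"] in ADMIN_PORTS:
            findings.append(("admin-port-accepted", r["srcaddr"], r["dstport"]))
    return findings


def bytes_by_action(text):
    """Totals suitable for a CloudWatch metric: bytes per ACCEPT / REJECT."""
    totals = defaultdict(int)
    for r in parse_flow_log(text):
        totals[r["action"]] += r["bytes"]
    return dict(totals)
```

The REJECT records are the interesting ones for reconnaissance, because a security group that drops a probe still produces a flow log entry; the ACCEPT on port 22 is the one to cross-check against the security group rules, since it proves something allowed that source in.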
Visualize Your Network Traffic With Amazon Elasticsearch Service and Kibana
[Diagram: VPC Flow Logs streamed into Amazon Elasticsearch Service and explored in Kibana dashboards.]
AWS Web Application Firewall (WAF)
• Pre-configured protections: cross-site scripting, SQL injection, bots and content scrapers, IP block, geo match, string match, regex match, rate-based rules; optional 3rd party managed rules.
• Real-time visibility: integrated with both Amazon CloudWatch and Amazon Kinesis Data Firehose, AWS WAF provides real-time metrics and detailed web activity logs.
• Synchronize AWS WAF rules with 3rd party reputation lists: protect your web applications from exploits that originate from IP addresses known to be operated by bad actors such as spammers, malware distributors, and botnets.
Amazon GuardDuty
A fully managed intelligent threat detection service. GuardDuty consumes Amazon VPC Flow Logs, Amazon EC2 DNS logs, and AWS CloudTrail logs from multiple AWS accounts, combines them with security threat intelligence feeds, and uses machine learning to continuously analyze and intelligently detect malicious or unauthorized behaviour. Findings are published through Amazon CloudWatch Events, where AWS Lambda or a 3rd party workflow (eg. SIEM, central SecOps, SOC) can act on them.
A sample of Amazon GuardDuty partners and AWS Marketplace partner solutions is listed at:
https://aws.amazon.com/guardduty/resources/partners/
https://aws.amazon.com/marketplace/
Example Amazon GuardDuty Detections
Findings cover both EC2 instance behaviour and IAM / account activity: recon, phishing, malware, spambots, botnets, bitcoin mining, blackholes, drop points, drive-by downloads, DNS data exfiltration, domain generation algorithm (DGA) domains, API invoked from a malicious IP, API invoked from a Tor exit node, SSH / RDP brute force attack, port probe from a malicious host, outbound port scans, unusual network changes (security groups, routes, ACLs), CloudTrail logging modified, CloudTrail logging disabled, unusual IAM changes (users, policies), unusual resource permission changes.
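A finding is only useful once something consumes it, and the CloudWatch Events to Lambda path on the previous slide is where that happens. The following is an added example (Python, not code from the deck) of a Lambda handler that receives a GuardDuty finding, labels its severity, decides a response, and flattens it into a record for a SIEM; the event is constructed in the shape CloudWatch Events uses for GuardDuty findings, the severity bands are GuardDuty's published ones, and the response table and the record layout are assumptions for this example.

```python
"""Triage of Amazon GuardDuty findings delivered through CloudWatch Events.

Added example, not from the talk. The event below is constructed in the shape
CloudWatch Events uses for GuardDuty findings (detail = the finding JSON).
The severity bands are GuardDuty's published ones; the response table and
the SIEM record layout are assumptions for this example.
"""
import json

# Constructed CloudWatch Events payload carrying one GuardDuty finding.
SAMPLE_EVENT = {
    "version": "0", "id": "00000000-0000-0000-0000-000000000000",
    "detail-type": "GuardDuty Finding", "source": "aws.guardduty",
    "account": "123456789012", "region": "ca-central-1",
    "detail": {
        "schemaVersion": "2.0", "accountId": "123456789012", "region": "ca-central-1",
        "id": "6ab1c1d2e3f4a5b6c7d8e9f0a1b2c3d4",
        "type": "UnauthorizedAccess:EC2/SSHBruteForce",
        "severity": 5.0,
        "title": "198.51.100.23 is performing SSH brute force attacks against i-0abc123def456789",
        "resource": {"resourceType": "Instance",
                     "instanceDetails": {"instanceId": "i-0abc123def456789"}},
        "service": {"action": {"actionType": "NETWORK_CONNECTION",
                               "networkConnectionAction": {
                                   "connectionDirection": "INBOUND",
                                   "remoteIpDetails": {"ipAddressV4": "198.51.100.23"}}},
                    "count": 37,
                    "eventFirstSeen": "2018-09-27T13:40:00Z",
                    "eventLastSeen": "2018-09-27T14:10:00Z"},
    },
}


def severity_label(severity):
    """GuardDuty severity bands: Low 0.1-3.9, Medium 4.0-6.9, High 7.0-8.9."""
    if severity >= 7.0:
        return "HIGH"
    if severity >= 4.0:
        return "MEDIUM"
    return "LOW"


# Assumed response policy keyed on finding type prefix; GuardDuty prescribes none.
RESPONSE_BY_PREFIX = {
    "UnauthorizedAccess:EC2/": "isolate-instance",
    "Backdoor:EC2/": "isolate-instance",
    "CryptoCurrency:EC2/": "isolate-instance",
    "Stealth:IAMUser/": "disable-credentials",
    "UnauthorizedAccess:IAMUser/": "disable-credentials",
    "Recon:": "monitor",
}


def plan_response(finding):
    """Map the finding type to an action, then hold back on low-severity signals."""
    action = "notify"
    for prefix, candidate in RESPONSE_BY_PREFIX.items():
        if finding["type"].startswith(prefix):
            action = candidate
            break
    if severity_label(finding["severity"]) == "LOW":
        action = "notify"  # never auto-remediate on a low-severity finding
    return action


def to_siem_record(event):
    """Flatten the finding to what a SIEM or SOC queue needs from it."""
    f = event["detail"]
    remote = (f.get("service", {}).get("action", {})
              .get("networkConnectionAction", {}).get("remoteIpDetails", {}))
    return {
        "finding_id": f["id"], "account": f["accountId"], "region": f["region"],
        "type": f["type"], "severity": severity_label(f["severity"]),
        "resource": f.get("resource", {}).get("instanceDetails", {}).get("instanceId"),
        "remote_ip": remote.get("ipAddressV4"),
        "count": f.get("service", {}).get("count"),
        "last_seen": f.get("service", {}).get("eventLastSeen"),
        "planned_action": plan_response(f),
    }


def handler(event, context=None):
    """Lambda entry point wired to the CloudWatch Events rule for GuardDuty."""
    if event.get("source") != "aws.guardduty":
        return {"ignored": True}
    record = to_siem_record(event)
    print(json.dumps(record))  # lands in CloudWatch Logs, from where the SIEM forwarder picks it up
    return record
```

The "isolate-instance" action would be implemented by swapping the instance's security group for one with no ingress or egress rules; it is kept as a decision here so the triage logic can be tested without AWS credentials, and because automated isolation of a production instance is a decision each team should make deliberately.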
Governance with AWS Config Rules
• Powerful configuration rule system
• Define custom rules that can look for desirable or undesirable conditions
• Enforce best practices using automated compliance checks
• Trigger additional alerts or workflow
Example rules, available out of the box:
• CloudTrail enabled
• Desired instance types selected
• Security groups have restricted SSH
• S3 bucket public read / write prohibited
• EC2 OS patch levels in compliance
• RDS DB backup enabled
• S3 bucket server side encryption enabled
• Root credentials MFA enabled
• Lambda functions public access prohibited
• RDS storage encrypted
• RDS multi-AZ support enabled
• EC2 instances have the required tags
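The managed "security groups have restricted SSH" rule checks for 0.0.0.0/0 on port 22; a custom rule lets you say what "restricted" means for your estate. The following is an added example (Python, not code from the deck) of a custom AWS Config rule that fails any security group exposing administrative ports outside a corporate CIDR; the configuration items are constructed in the shape Config delivers for AWS::EC2::SecurityGroup, and the rule parameters (blockedPorts, allowedCidr) and the group contents are assumptions.

```python
"""A custom AWS Config rule: security groups must not expose admin ports
outside the corporate address range.

Added example, not from the talk. It evaluates the configuration item AWS
Config hands to a rule's Lambda function; the rule parameters (blockedPorts,
allowedCidr) and the sample groups are assumptions.
"""
import ipaddress
import json

# Constructed configuration items in the shape Config delivers for
# AWS::EC2::SecurityGroup (the configuration mirrors DescribeSecurityGroups).
OPEN_SSH_GROUP = {
    "resourceType": "AWS::EC2::SecurityGroup", "resourceId": "sg-0open00000000000",
    "configurationItemCaptureTime": "2018-09-27T14:00:00.000Z",
    "configuration": {"groupName": "web-tier", "ipPermissions": [
        {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
         "ipRanges": [{"cidrIp": "0.0.0.0/0"}], "ipv6Ranges": [], "userIdGroupPairs": []},
        {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443,
         "ipRanges": [{"cidrIp": "0.0.0.0/0"}], "ipv6Ranges": [], "userIdGroupPairs": []},
    ]},
}
RESTRICTED_GROUP = {
    "resourceType": "AWS::EC2::SecurityGroup", "resourceId": "sg-0safe00000000000",
    "configurationItemCaptureTime": "2018-09-27T14:00:00.000Z",
    "configuration": {"groupName": "app-tier", "ipPermissions": [
        {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
         "ipRanges": [{"cidrIp": "10.10.0.0/16"}], "ipv6Ranges": [], "userIdGroupPairs": []},
        # Tier-to-tier access by security group reference, not by CIDR.
        {"ipProtocol": "tcp", "fromPort": 8080, "toPort": 8080, "ipRanges": [],
         "ipv6Ranges": [], "userIdGroupPairs": [{"groupId": "sg-0web000000000000"}]},
    ]},
}


def _port_in_range(port, perm):
    if perm["ipProtocol"] == "-1":          # "all traffic" rule: every port
        return True
    lo, hi = perm.get("fromPort", 0), perm.get("toPort", 65535)
    return lo <= port <= hi


def evaluate_security_group(configuration, blocked_ports=(22, 3389), allowed_cidr="10.0.0.0/8"):
    """Return (compliance_type, annotation) for one security group."""
    allowed = ipaddress.ip_network(allowed_cidr)
    violations = []
    for perm in configuration.get("ipPermissions", []):
        ranges = [r["cidrIp"] for r in perm.get("ipRanges", [])]
        ranges += [r["cidrIpv6"] for r in perm.get("ipv6Ranges", [])]
        for port in blocked_ports:
            if not _port_in_range(port, perm):
                continue
            for cidr in ranges:
                net = ipaddress.ip_network(cidr)
                # Any source wider than the corporate range is a violation; this
                # catches 0.0.0.0/0 as well as "almost everything" like 0.0.0.0/1.
                if net.version != allowed.version or not net.subnet_of(allowed):
                    violations.append(f"port {port} open to {cidr}")
    if violations:
        return "NON_COMPLIANT", "; ".join(violations)
    return "COMPLIANT", "admin ports restricted to " + allowed_cidr


def handler(event, context=None, config_client=None):
    """Config rule entry point: parse the invoking event, build the evaluation
    and, when a boto3 Config client is supplied, report it with put_evaluations."""
    invoking = json.loads(event["invokingEvent"])
    params = json.loads(event.get("ruleParameters", "{}"))
    item = invoking["configurationItem"]
    blocked = tuple(int(p) for p in params.get("blockedPorts", "22,3389").split(","))
    allowed = params.get("allowedCidr", "10.0.0.0/8")
    compliance, note = evaluate_security_group(item["configuration"], blocked, allowed)
    evaluation = {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": compliance,
        "Annotation": note[:256],  # Config caps annotations at 256 characters
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }
    if config_client is not None:
        config_client.put_evaluations(Evaluations=[evaluation], ResultToken=event["resultToken"])
    return evaluation


def invoke_locally(item, rule_parameters=None):
    """Wrap a configuration item the way Config does when it invokes the rule."""
    event = {"invokingEvent": json.dumps({"configurationItem": item}),
             "ruleParameters": json.dumps(rule_parameters or {}),
             "resultToken": "local-test"}
    return handler(event)
```

Deployed, the function is registered as a Config rule triggered by configuration changes to AWS::EC2::SecurityGroup, and a NON_COMPLIANT evaluation can feed a CloudWatch Events rule that notifies the owner or revokes the offending ingress; the tier-to-tier rule in RESTRICTED_GROUP passes because it names a security group rather than a CIDR.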
AWS Config Compliance Dashboard
AWS Marketplace: One-Stop Shop For Security Tools
Categories: infrastructure security; logging & monitoring; identity & access control; configuration & vulnerability analysis; data protection.
Security By Design
Infrastructure as code – automate deployment, provisioning, and configurations of AWS Cloud environments.
[Diagram: AWS CloudFormation templates are designed, then deployed as stacks of resources, instances and apps; AWS Service Catalog packages those templates as products in portfolios and constrains how they may be launched; Identity & Access Management sets permissions; tagging ties the pieces together.]
Enforce Consistent Security On Servers
[Diagram: a base OS image becomes your custom template spec, then an approved template in your catalog, then a running EC2 instance. Layers applied on the way: hardening, audit and logging, vulnerability management, anti-virus and HIDS / HIPS, whitelisting and integrity, user administration, operating system.]
• Amazon Machine Image (AMI)
• Configure and harden EC2 instances to your own specs
• Use host-based protection software
• Manage administrative users
• Enforce separation of duties & least privilege
• Connect to your existing services, e.g. SIEM, patching
• Follow the immutable infrastructure pattern
Deploying and Managing Instances… At Scale
With one or two instances, a VM that has become unreachable tempts you to SSH / RDP in to troubleshoot. With many instances that does not scale, and with immutable infrastructure it should not be necessary: replace and re-deploy instead, using
• EC2 Instance Auto Recovery
• Auto Scaling Groups
• AWS Systems Manager
• Amazon CloudWatch
• Amazon Machine Images
• AWS CloudFormation
• AWS OpsWorks (Chef)
• AWS OpsWorks (Puppet)
Evolving the Practice of Security Architecture
Security architecture as a separate function can no longer exist.
Current security architecture practice:
• Static position papers, architecture diagrams, risk assessments & documents
• UI-dependent consoles and technologies
• Auditing, assurance, and compliance are decoupled, separate processes
Using infrastructure as code, security architecture can now be part of the “maker” team.
Evolved security architecture practice:
• Architecture artifacts (design choices, narrative, etc.) committed to common repositories (AWS CodeCommit)
• Complete solutions for deployment automation (AWS CodePipeline, Jenkins)
• Security architectures are living audit/compliance artifacts and evidence in a closed loop
Thank you
Geordie Anderson
Security Solutions Architect
Amazon Web Services
geordiea@amazon.com
Join us for our first-ever Amazon Web Services Summit in Ottawa on October 29, 2018
• 15 sessions featuring various management and technical topics
• Connect with AWS & our Canadian public sector partners in the Solutions Expo
• Meet and mingle with other public sector customers from government, education, and nonprofits
Register today! aws.amazon.com/summits/ottawa-public-sector
We value your feedback!
Please share your feedback on the AWS Public Sector Summit survey. The survey will be emailed 24-48 hours following the event.
Staying Secure in the Cloud

Mais conteúdo relacionado

Mais procurados

Aws security overview q3 2010 v2
Aws security overview q3 2010 v2Aws security overview q3 2010 v2
Aws security overview q3 2010 v2
ReadMaloney
 
Security and Privacy in the AWS Cloud, Steve Schmidt, CIS Officer, AWS
Security and Privacy in the AWS Cloud, Steve Schmidt, CIS Officer, AWSSecurity and Privacy in the AWS Cloud, Steve Schmidt, CIS Officer, AWS
Security and Privacy in the AWS Cloud, Steve Schmidt, CIS Officer, AWS
Amazon Web Services
 
Barracuda WAF: Scalable Security for Applications on AWS
Barracuda WAF: Scalable Security for Applications on AWSBarracuda WAF: Scalable Security for Applications on AWS
Barracuda WAF: Scalable Security for Applications on AWS
Amazon Web Services
 

Mais procurados (20)

AWS 201 - A Walk through the AWS Cloud: AWS Security Best Practices
AWS 201 - A Walk through the AWS Cloud: AWS Security Best PracticesAWS 201 - A Walk through the AWS Cloud: AWS Security Best Practices
AWS 201 - A Walk through the AWS Cloud: AWS Security Best Practices
 
Deploy a DoD Secure Cloud Computing Architecture Environment in AWS | AWS Pub...
Deploy a DoD Secure Cloud Computing Architecture Environment in AWS | AWS Pub...Deploy a DoD Secure Cloud Computing Architecture Environment in AWS | AWS Pub...
Deploy a DoD Secure Cloud Computing Architecture Environment in AWS | AWS Pub...
 
Amazon Virtual Private Cloud (VPC): Networking Fundamentals and Connectivity ...
Amazon Virtual Private Cloud (VPC): Networking Fundamentals and Connectivity ...Amazon Virtual Private Cloud (VPC): Networking Fundamentals and Connectivity ...
Amazon Virtual Private Cloud (VPC): Networking Fundamentals and Connectivity ...
 
Journey Through the Cloud - Security Best Practices on AWS
Journey Through the Cloud - Security Best Practices on AWSJourney Through the Cloud - Security Best Practices on AWS
Journey Through the Cloud - Security Best Practices on AWS
 
Information Security in AWS - Dave Walker
Information Security in AWS - Dave WalkerInformation Security in AWS - Dave Walker
Information Security in AWS - Dave Walker
 
Palo Alto Networks and AWS: Streamline Your Accreditation with Superior Secur...
Palo Alto Networks and AWS: Streamline Your Accreditation with Superior Secur...Palo Alto Networks and AWS: Streamline Your Accreditation with Superior Secur...
Palo Alto Networks and AWS: Streamline Your Accreditation with Superior Secur...
 
Creating Your Virtual Data Center: VPC Fundamentals and Connectivity Options
 Creating Your Virtual Data Center: VPC Fundamentals and Connectivity Options Creating Your Virtual Data Center: VPC Fundamentals and Connectivity Options
Creating Your Virtual Data Center: VPC Fundamentals and Connectivity Options
 
Advanced Security Best Practices Masterclass
Advanced Security Best Practices MasterclassAdvanced Security Best Practices Masterclass
Advanced Security Best Practices Masterclass
 
Creating Your Virtual Data Center: Amazon VPC Fundamentals and Connectivity O...
Creating Your Virtual Data Center: Amazon VPC Fundamentals and Connectivity O...Creating Your Virtual Data Center: Amazon VPC Fundamentals and Connectivity O...
Creating Your Virtual Data Center: Amazon VPC Fundamentals and Connectivity O...
 
Aws security overview q3 2010 v2
Aws security overview q3 2010 v2Aws security overview q3 2010 v2
Aws security overview q3 2010 v2
 
State of the Union : Security
State of the Union : SecurityState of the Union : Security
State of the Union : Security
 
Practical Steps to Hack-Proofing AWS
Practical Steps to Hack-Proofing AWSPractical Steps to Hack-Proofing AWS
Practical Steps to Hack-Proofing AWS
 
Building Secure Architectures on AWS
Building Secure Architectures on AWSBuilding Secure Architectures on AWS
Building Secure Architectures on AWS
 
Business Track
Business Track Business Track
Business Track
 
Managing Security with AWS | AWS Public Sector Summit 2017
Managing Security with AWS | AWS Public Sector Summit 2017Managing Security with AWS | AWS Public Sector Summit 2017
Managing Security with AWS | AWS Public Sector Summit 2017
 
Security and Privacy in the AWS Cloud, Steve Schmidt, CIS Officer, AWS
Security and Privacy in the AWS Cloud, Steve Schmidt, CIS Officer, AWSSecurity and Privacy in the AWS Cloud, Steve Schmidt, CIS Officer, AWS
Security and Privacy in the AWS Cloud, Steve Schmidt, CIS Officer, AWS
 
(NET303) Optimizing Your Cloud Architecture With Network Strategy
(NET303) Optimizing Your Cloud Architecture With Network Strategy(NET303) Optimizing Your Cloud Architecture With Network Strategy
(NET303) Optimizing Your Cloud Architecture With Network Strategy
 
Barracuda WAF: Scalable Security for Applications on AWS
Barracuda WAF: Scalable Security for Applications on AWSBarracuda WAF: Scalable Security for Applications on AWS
Barracuda WAF: Scalable Security for Applications on AWS
 
AWS Security Week: Security, Identity, & Compliance
AWS Security Week: Security, Identity, & ComplianceAWS Security Week: Security, Identity, & Compliance
AWS Security Week: Security, Identity, & Compliance
 
AWS Security Overview and “What’s New”
AWS Security Overview and “What’s New”AWS Security Overview and “What’s New”
AWS Security Overview and “What’s New”
 

Semelhante a Staying Secure in the Cloud

엔터프라이즈를 위한 하이브리드 클라우드 및 보안 관리
엔터프라이즈를 위한 하이브리드 클라우드 및 보안 관리엔터프라이즈를 위한 하이브리드 클라우드 및 보안 관리
엔터프라이즈를 위한 하이브리드 클라우드 및 보안 관리
Amazon Web Services Korea
 
4-G.Fitzaptrick AWS-ENISA-RIX-.pptx
4-G.Fitzaptrick AWS-ENISA-RIX-.pptx4-G.Fitzaptrick AWS-ENISA-RIX-.pptx
4-G.Fitzaptrick AWS-ENISA-RIX-.pptx
MohammadEnnab4
 

Semelhante a Staying Secure in the Cloud (20)

AWS Security Best Practices and Design Patterns
AWS Security Best Practices and Design PatternsAWS Security Best Practices and Design Patterns
AWS Security Best Practices and Design Patterns
 
Toward Full Stack Security
Toward Full Stack SecurityToward Full Stack Security
Toward Full Stack Security
 
엔터프라이즈를 위한 하이브리드 클라우드 및 보안 관리
엔터프라이즈를 위한 하이브리드 클라우드 및 보안 관리엔터프라이즈를 위한 하이브리드 클라우드 및 보안 관리
엔터프라이즈를 위한 하이브리드 클라우드 및 보안 관리
 
AWS Security for Financial Services
AWS Security for Financial ServicesAWS Security for Financial Services
AWS Security for Financial Services
 
Getting Started with AWS Security
Getting Started with AWS SecurityGetting Started with AWS Security
Getting Started with AWS Security
 
Security Architectures on AWS
Security Architectures on AWSSecurity Architectures on AWS
Security Architectures on AWS
 
Datensicherheit mit AWS - AWS Security Web Day
Datensicherheit mit AWS - AWS Security Web DayDatensicherheit mit AWS - AWS Security Web Day
Datensicherheit mit AWS - AWS Security Web Day
 
Aws Architecture Fundamentals | Dallas
Aws Architecture Fundamentals | DallasAws Architecture Fundamentals | Dallas
Aws Architecture Fundamentals | Dallas
 
Secure your critical workload on AWS
Secure your critical workload on AWSSecure your critical workload on AWS
Secure your critical workload on AWS
 
Deploy a DoD Secure Cloud Computing Architecture Environment in AWS
Deploy a DoD Secure Cloud Computing Architecture Environment in AWSDeploy a DoD Secure Cloud Computing Architecture Environment in AWS
Deploy a DoD Secure Cloud Computing Architecture Environment in AWS
 
4-G.Fitzaptrick AWS-ENISA-RIX-.pptx
4-G.Fitzaptrick AWS-ENISA-RIX-.pptx4-G.Fitzaptrick AWS-ENISA-RIX-.pptx
4-G.Fitzaptrick AWS-ENISA-RIX-.pptx
 
Hybrid Infrastructure Integration
Hybrid Infrastructure IntegrationHybrid Infrastructure Integration
Hybrid Infrastructure Integration
 
Getting Started with AWS Security
Getting Started with AWS SecurityGetting Started with AWS Security
Getting Started with AWS Security
 
Deep Dive - Hybrid Architectures
Deep Dive - Hybrid ArchitecturesDeep Dive - Hybrid Architectures
Deep Dive - Hybrid Architectures
 
Security: A Driving Force Behind Cloud Adoption
Security: A Driving Force Behind Cloud AdoptionSecurity: A Driving Force Behind Cloud Adoption
Security: A Driving Force Behind Cloud Adoption
 
Hybrid Infrastructure Integration
Hybrid Infrastructure IntegrationHybrid Infrastructure Integration
Hybrid Infrastructure Integration
 
Modern Security and Compliance Through Automation
Modern Security and Compliance Through AutomationModern Security and Compliance Through Automation
Modern Security and Compliance Through Automation
 
Getting Started With AWS Security
Getting Started With AWS SecurityGetting Started With AWS Security
Getting Started With AWS Security
 
Forge - DevCon 2016: Developing & Deploying Secure, Scalable Applications on ...
Forge - DevCon 2016: Developing & Deploying Secure, Scalable Applications on ...Forge - DevCon 2016: Developing & Deploying Secure, Scalable Applications on ...
Forge - DevCon 2016: Developing & Deploying Secure, Scalable Applications on ...
 
Hybrid Infrastructure Integration
Hybrid Infrastructure IntegrationHybrid Infrastructure Integration
Hybrid Infrastructure Integration
 

Mais de Amazon Web Services

Tools for building your MVP on AWS
Tools for building your MVP on AWSTools for building your MVP on AWS
Tools for building your MVP on AWS
Amazon Web Services
 
How to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckHow to Build a Winning Pitch Deck
How to Build a Winning Pitch Deck
Amazon Web Services
 
Building a web application without servers
Building a web application without serversBuilding a web application without servers
Building a web application without servers
Amazon Web Services
 
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
Amazon Web Services
 

Mais de Amazon Web Services (20)

Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
 
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
 
Esegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS FargateEsegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS Fargate
 
Costruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWSCostruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWS
 
Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot
 
Open banking as a service
Open banking as a serviceOpen banking as a service
Open banking as a service
 
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
 
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
 
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows WorkloadsMicrosoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
 
Computer Vision con AWS
Computer Vision con AWSComputer Vision con AWS
Computer Vision con AWS
 
Database Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatareDatabase Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatare
 
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJSCrea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
 
API moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAPI moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e web
 
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareDatabase Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
 
Tools for building your MVP on AWS
Tools for building your MVP on AWSTools for building your MVP on AWS
Tools for building your MVP on AWS
 
How to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckHow to Build a Winning Pitch Deck
How to Build a Winning Pitch Deck
 
Building a web application without servers
Building a web application without serversBuilding a web application without servers
Building a web application without servers
 
Fundraising Essentials
Fundraising EssentialsFundraising Essentials
Fundraising Essentials
 
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
 
Introduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceIntroduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container Service
 

Staying Secure in the Cloud

  • 1. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Geordie Anderson Security Solutions Architect Amazon Web Services geordiea@amazon.com September 27, 2018 Staying Secure in the Cloud
  • 2. Move fast. Stay secure.OR
  • 3. Move fast. Stay secure.AND
  • 4. Security At AWS Is Our #1 Priority Familiar Security Model Security measures are validated and driven by security experts across our customer base Superset of security controls that benefit all customers PEOPLE & PROCESS SYSTEM NETWORK PHYSICAL
  • 5. AWS Shared Responsibility Model DatabaseStorageCompute Networking Edge Locations Regions Avail. Zones AWS Global Infrastructure Customers are responsible for security ‘in’ the cloud AWS is responsible for security ‘of’ the cloud Customer Content Platform, Applications, Identity & Access Management Operating System, Network & Firewall Configuration Client-side Data Encryption & Data Integrity Authentication Server-side Encryption (Filesystem and/or Data) Network Traffic Protection (Encryption / Integrity / Identity)
  • 6. AWS Reports, Certifications, & Accreditations https://aws.amazon.com/compliance/
  • 7. AWS Security Training AWS Security Fundamentals Complimentary, 4-hour, online course Security Operations on AWS Instructor-led, 3-day class Details at aws.amazon.com/training
  • 8. Considerations for Security and Privacy Encryption at scale with keys managed by our AWS Key Management Service (KMS), 3rd party AWS Marketplace solutions, or manage your own encryption keys with AWS CloudHSM Meet data residency requirements You choose the AWS Region to place your data, data is not replicated to other AWS Regions and does not move Access services and automation tools that enable you to build compliant infrastructure and enable audit trails and governance on top of AWS Comply with local data privacy laws by controlling who can access content, its lifecycle, and deletion Enable central identity management using AWS Identity & Access Management (IAM), integrated with Microsoft Active Directory using SAML 2.0 and ADFS Enforce isolation at different context layers using AWS Organizations, AWS Accounts, AWS Landing Zone, Amazon Virtual Private Cloud (VPC), and Security Groups
  • 9. Connecting to the cloud Customer On-Premises Network Client Client Remote Servers Availability Zone 1 Availability Zone B Subnet 1 Subnet 2 AWS Region (Canada – Montreal) Router/ Firewall
  • 10. Method 1 – Internet Via Public IP Customer On-Premises Network Client Client Remote Servers Router/ Firewall Availability Zone 1 Availability Zone B AWS Region (Canada – Montreal) Internet Internet Gateway (IGW) Resources with Public IPs Subnet 1 Subnet 2
  • 11. Method 2 – Internet Via Secure VPN Customer On-Premises Network Client Client Remote Servers Router/ Firewall Availability Zone 1 Availability Zone B AWS Region (Canada – Montreal) Internet AWS Managed VPN Service Secure VPN Tunnel Subnet 1 Subnet 2
  • 12. Method 3 – AWS Direct Connect (DX) Customer On-Premises Network Client Client Remote Servers Router/ Firewall Availability Zone A Availability Zone B Availability Zone A AWS Region (Canada – Montreal) VPC 1 – Subnet 1 VPC 2 – Subnet 1 VPC 2 – Subnet 2 AWS Supported 3rd Party Direct Connect Colocation Facility Service Provider Router AWS Direct Connect Router Cross Connect Fiber circuit via Service Provider / Telco (customer responsibility) AWS Direct Connect Ports (1 Gbps or 10 Gbps) VLAN 100 (802.1Q / BGP) VLAN 101 (802.1Q / BGP)
  • 15. Best Practices – Identity & Access Management (IAM) Enable multi-factor authentication Lock down the root credentials, enforce multi- factor authentication for all privileged accounts Grant least privilege Not everyone needs to be an administrator Enable identity federation Access your AWS accounts using credentials from your corporate directory Use Roles for applications that run on EC2 instances To provide credentials to applications in a secure way, use IAM Roles
  • 16. Federation to AWS Using AD, ADFS, and SAML AWS IAM Roles (Authorization) Active Directory Groups (Authentication) ADFS / SAML Enterprise (Identity Provider) Browser Microsoft Active Directory (AD) Microsoft Active Directory Federation Services (ADFS) AWS Canada Central Region AWS Management Console Sign-In User browses to a local ADFS-served URL 1 2 User authenticates against Active Directory, using corporate credentials 3 Authentication response 4 Post to AWS Sign-In with authentication response Redirect client to AWS Management Console 5
  • 17. AWS CloudTrail – AWS Audit Logging Users are constantly making API calls... On a growing set of AWS services around the world… AWS CloudTrail is continuously recording and logging the API calls… Who made the request? What was requested? When and from where? What was the response?
  • 18. Example 3-Tier Web Architecture AWS Canada Central (Montreal) Region 10.10.0.0/16 Availability Zone A Availability Zone B Web Subnet A 10.10.1.0/24 Database Subnet A 10.10.5.0/24 Web Subnet B 10.10.2.0/24 Database Subnet B 10.10.6.0/24 Web Tier Security Group Database Tier Security Group Web Server Web Server Elastic Load Balancer (ELB) Internet Gateway (IGW) Web Tier Auto Scaling Group App Subnet A 10.10.3.0/24 App Subnet B 10.10.4.0/24 App Tier Security Group App Server App Server App Server App Server App Tier Auto Scaling Group Synchronous Replication ELB RDS DB HA DNS ENDPOINT Web Server Web Server Web Server Web Server
  • 19. VPC Flow Logs – See All Your Traffic • Agentless • Enable per network interface, per subnet, or per VPC • Logged to AWS CloudWatch Logs • Create CloudWatch metrics from log data, and alarm on those metrics Source IP Destination IP Source Port Destination Port Interface Protocol Packets Bytes Start Time Accept or Reject Account ID End Time
  • 20. Visualize Your Network Traffic With Amazon Elasticsearch Service and Kibana VPC Flow Logs
  • 21. AWS Web Application Firewall (WAF) Optional 3rd party managed rules Pre-configured protections Cross-site scripting SQL injection Bots and content scrapers IP block Geo match String match Regex match Rate-based rules Real-time visibility Integrated with both AWS CloudWatch and Amazon Kinesis Data Firehose, AWS WAF provides real- time metrics and detailed web activity logs Synchronize AWS WAF rules with 3rd party reputation lists Protect your web applications from exploits that originate from IP addresses that are known to be operated by bad actors such as spammers, malware distributors, and botnets
  • 22. Amazon GuardDuty
    A fully managed intelligent threat detection service. Uses machine learning to continuously analyze, and intelligently detect, malicious or unauthorized behaviour.
    Inputs: Amazon VPC Flow Logs, Amazon EC2 DNS logs and AWS CloudTrail logs, from multiple AWS accounts, combined with security threat intelligence feeds.
    Outputs: findings via Amazon CloudWatch Events, which can invoke AWS Lambda or integrate with 3rd party workflow (e.g. SIEM, central SecOps, SOC).
    Represents a sample of Amazon GuardDuty Partners and AWS Marketplace Partner Solutions. Further details available here: https://aws.amazon.com/guardduty/resources/partners/ and https://aws.amazon.com/marketplace/
  • 23. Example Amazon GuardDuty Detections (grouped on the slide under EC2 and IAM)
    • Recon
    • Phishing
    • Malware
    • Spambots
    • Botnets
    • Bitcoin
    • Blackholes
    • Drop points
    • Drive-by downloads
    • DNS data exfiltration
    • Domain generation algorithm domains
    • API invoked from a malicious IP
    • API invoked from a Tor exit node
    • SSH / RDP brute force attack
    • Port probe from a malicious host
    • Outbound port scans
    • Unusual network changes (SGs, routes, ACLs)
    • CloudTrail logging modified
    • Unusual IAM changes (users, policies)
    • CloudTrail logging disabled
    • Unusual resource permission changes
  • 24. Governance with AWS Config Rules
    AWS Config Rules:
    • Powerful configuration rule system
    • Define custom rules that can look for desirable or undesirable conditions
    • Enforce best practices using automated compliance checks
    • Trigger additional alerts or workflow
    Example rules, available out of the box… CloudTrail enabled; desired instance types selected; security groups have restricted SSH; S3 bucket public read / write prohibited; EC2 OS patch levels in compliance; RDS DB backup enabled; S3 bucket server side encryption enabled; root credentials MFA enabled; Lambda functions public access prohibited; RDS storage encrypted; RDS multi-AZ support enabled; EC2 instances have the required tags
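    As an added example of what a custom rule looks like (this is not the code of the managed "security groups have restricted SSH" rule, nor AWS's), the block below implements that check in the shape of a Config custom-rule Lambda function: it unpacks the configuration item Config passes in `invokingEvent`, decides whether any ingress rule lets 0.0.0.0/0 or ::/0 reach TCP/22, and returns a COMPLIANT / NON_COMPLIANT / NOT_APPLICABLE evaluation. The two security-group items, their ids and the capture time are constructed; the `put_evaluations` call a deployed rule would make is named in a comment but omitted so the example runs offline.

```python
"""Evaluation logic for a custom AWS Config rule: security groups have restricted SSH.

Added example; this is not the code of the managed rule on the slide. It assumes
the shape of a Config custom-rule Lambda event (invokingEvent is a JSON string
holding a configurationItem) and of the AWS::EC2::SecurityGroup configuration
item; the two items below are constructed sample data.
"""
import ipaddress
import json

SSH_PORT = 22


def _cidrs(permission):
    """IPv4 and IPv6 ranges of one ingress permission. Newer items carry dicts in
    ipv4Ranges/ipv6Ranges; older ones carry plain strings in ipRanges, so accept both."""
    cidrs = [rng["cidrIp"] for rng in permission.get("ipv4Ranges", [])]
    cidrs += [rng["cidrIpv6"] for rng in permission.get("ipv6Ranges", [])]
    cidrs += [rng for rng in permission.get("ipRanges", []) if isinstance(rng, str)]
    return cidrs


def _covers_ssh(permission):
    """True if the permission's protocol/port range includes TCP/22."""
    proto = permission.get("ipProtocol")
    if proto == "-1":                      # all protocols and all ports
        return True
    if proto != "tcp":
        return False
    low, high = permission.get("fromPort"), permission.get("toPort")
    return low is not None and high is not None and low <= SSH_PORT <= high


def ssh_open_to_world(configuration):
    """True when any ingress rule lets 0.0.0.0/0 or ::/0 reach port 22."""
    for perm in configuration.get("ipPermissions", []):
        if not _covers_ssh(perm):
            continue
        for cidr in _cidrs(perm):
            if ipaddress.ip_network(cidr, strict=False).prefixlen == 0:
                return True
    return False


def evaluate(item):
    """Compliance type for one configuration item, using Config's vocabulary."""
    if item.get("resourceType") != "AWS::EC2::SecurityGroup":
        return "NOT_APPLICABLE"
    if item.get("configurationItemStatus") in ("ResourceDeleted", "ResourceDeletedNotRecorded"):
        return "NOT_APPLICABLE"
    return "NON_COMPLIANT" if ssh_open_to_world(item.get("configuration", {})) else "COMPLIANT"


def lambda_handler(event, context):
    """Entry point with the shape Config invokes. A deployed rule would report the
    returned evaluation with boto3's config.put_evaluations(...) and event["resultToken"];
    that call is left out here so the example runs offline."""
    item = json.loads(event["invokingEvent"])["configurationItem"]
    return {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": evaluate(item),
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }


def _sample_item(group_id, permissions):
    # Constructed configuration item; only the fields the rule reads are filled in.
    return {
        "resourceType": "AWS::EC2::SecurityGroup",
        "resourceId": group_id,
        "configurationItemStatus": "OK",
        "configurationItemCaptureTime": "2018-09-27T14:00:00.000Z",
        "configuration": {"groupId": group_id, "ipPermissions": permissions},
    }


# Placeholder group ids; real ones are sg- followed by hex digits.
OPEN_SG = _sample_item("sg-EXAMPLE-open", [
    {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
     "ipv4Ranges": [{"cidrIp": "0.0.0.0/0"}], "ipRanges": ["0.0.0.0/0"], "ipv6Ranges": []},
])
RESTRICTED_SG = _sample_item("sg-EXAMPLE-restricted", [
    {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
     "ipv4Ranges": [{"cidrIp": "10.10.0.0/16"}], "ipRanges": ["10.10.0.0/16"], "ipv6Ranges": []},
    {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443,
     "ipv4Ranges": [{"cidrIp": "0.0.0.0/0"}], "ipRanges": ["0.0.0.0/0"], "ipv6Ranges": []},
])


def make_event(item):
    """Wrap an item the way Config does when it invokes the rule's Lambda function."""
    invoking = {"configurationItem": item, "messageType": "ConfigurationItemChangeNotification"}
    return {"invokingEvent": json.dumps(invoking), "resultToken": "placeholder-token"}


if __name__ == "__main__":
    for sg in (OPEN_SG, RESTRICTED_SG):
        print(sg["resourceId"], lambda_handler(make_event(sg), None)["ComplianceType"])
```

    The edge cases worth keeping in a rule like this are protocol `-1` (all traffic, which includes port 22 even though no port fields are present), port ranges that span 22 rather than naming it, and the IPv6 any-address `::/0`; a rule that only string-matches `"fromPort": 22` with `0.0.0.0/0` misses all three.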
  • 26. AWS Marketplace: One-Stop Shop For Security Tools
    Categories: Infrastructure Security; Logging & Monitoring; Identity & Access Control; Configuration & Vulnerability Analysis; Data Protection
  • 27. Security By Design
    Infrastructure as code: automate deployment, provisioning, and configurations of AWS Cloud environments.
    Diagram: CloudFormation (design stack templates, deploy stacks of resources, instances and apps); Service Catalog (package products into portfolios, constrain what can be deployed); Identity & Access Management (set permissions); tagging.
  • 28. Enforce Consistent Security On Servers (EC2)
    Diagram: from the base OS image, your custom template specs (operating system; hardening; audit and logging; vulnerability management; anti-virus, HIDS / HIPS; whitelisting and integrity; user administration) produce your custom running template, kept in your catalog of approved templates.
    • Amazon Machine Image (AMI)
    • Configure and harden EC2 instances to your own specs
    • Use host-based protection software
    • Manage administrative users
    • Enforce separation of duties & least privilege
    • Connect to your existing services, e.g. SIEM, patching
    • Follow the immutable infrastructure pattern
  • 29. Deploying and Managing Instances (diagram: EC2 instances)
  • 30. Deploying and Managing More Instances
  • 31. Deploying and Managing More Instances: VM has become unreachable. What do we do? Do we SSH / RDP in to troubleshoot? (image: https://i.stack.imgur.com/Lm3Td.jpg)
  • 32. Deploying and Managing Instances… At Scale: EC2 Instance Auto Recovery; Auto Scaling Groups; AWS Systems Manager; Amazon CloudWatch; Amazon Machine Images; AWS CloudFormation; AWS OpsWorks (Chef); AWS OpsWorks (Puppet) (image: https://i.stack.imgur.com/Lm3Td.jpg)
  • 33. Evolving the Practice of Security Architecture
    Current security architecture practice:
    • Security architecture as a separate function can no longer exist
    • Static position papers, architecture diagrams, risk assessments & documents
    • UI-dependent consoles and technologies
    • Auditing, assurance, and compliance are decoupled, separate processes
  • 34. Evolving the Practice of Security Architecture
    Evolved security architecture practice:
    • Using infrastructure as code, security architecture can now be part of the “maker” team
    • Architecture artifacts (design choices, narrative, etc.) committed to common repositories (AWS CodeCommit, AWS CodePipeline, Jenkins)
    • Complete solutions for deployment automation
    • Security architectures are living audit/compliance artifacts and evidence in a closed loop
  • 35. Thank you Geordie Anderson Security Solutions Architect Amazon Web Services geordiea@amazon.com
  • 36. Join us for our first-ever Amazon Web Services Summit in Ottawa on October 29, 2018 15 sessions featuring various management and technical topics Connect with AWS & our Canadian public sector partners in the Solutions Expo Meet and mingle with other public sector customers from government, education, and nonprofits Register today! aws.amazon.com/summits/ottawa-public-sector
  • 37. We value your feedback! Please share your feedback on the AWS Public Sector Summit survey. Survey will be emailed 24-48 hours following event.