At our winter East Midlands Cyber Security Forum event, Dave Walker gave a presentation looking at Amazon’s security approach for their web services, outlining the key tools that are available to ensure a secure deployment.
http://qonex.com/east-midlands-cyber-security-forum/
2. About the Presenter
• Worked in IT for 24 years
• ...of which 18 have been in security
• project-based
• Telcos, Utilities, Retail, Financial Services, Public Sector...
• Design, Implementation, Invention, Incident Response,
Standards Contribution
• Also been looking carefully at Cloud security for 5 years
• ...and been working at AWS for the last 2
3. AWS Foundation Services
Compute Storage Database Networking
AWS Global
Infrastructure Regions
Availability Zones
Edge Locations
Client-side Data
Encryption
Server-side Data
Encryption
Network Traffic
Protection
Platform, Applications, Identity & Access Management
Operating System, Network & Firewall Configuration
Customer content
Customers
AWS Shared Responsibility Model
Customers are
responsible for
their security and
compliance IN
the Cloud
AWS is
responsible for
the security OF
the Cloud
4. AWS Shared Responsibility Model – More
Detail
Will one model work for all services?
Infrastructure
Services
Container
Services
Abstract
Services
5. Network Traffic Protection
Encryption / Integrity / Identity
AWS Foundation Services
Compute Storage Database Networking
AWS Global
Infrastructure Regions
Availability Zones
Edge Locations
Optional – Opaque data: 1’s and 0’s (in transit/at rest)
Platform & Applications Management
Customer content
Customers
AWS Shared Responsibility Model:
for Infrastructure Services
Managed by
Managed by
Client-Side Data encryption
& Data Integrity Authentication
AWSIAMCustomerIAM
Operating System, Network & Firewall Configuration
Server-Side Encryption
Fire System and/or Data
APIEndpoints
Mgmt
Protocols
API
Calls
6. Infrastructure Service
Example – EC2
• Foundation Services — Networking, Compute, Storage
• AWS Global Infrastructure
• AWS API Endpoints
AWS
• Customer Data
• Customer Application
• Operating System
• Network & Firewall
• Customer IAM (Corporate Directory
Service)
• High Availability, Scaling
• Instance Management
• Data Protection (Transit, Rest, Backup)
• AWS IAM (Users, Groups, Roles,
Policies)
Customers
RESPONSIBILITIES
7. AWS Foundation Services
Compute Storage Database Networking
AWS Global
Infrastructure Regions
Availability Zones
Edge Locations
Optional – Opaque data: 1’s and 0’s (in transit/at rest)
Firewall
Configuration
Platform & Applications Management
Operating System, Network Configuration
Customer content
Customers
AWS Shared Responsibility Model:
for Container Services Managed by
Managed by
Client-Side Data encryption
& Data Integrity Authentication
Network Traffic Protection
Encryption / Integrity / Identity
AWSIAMCustomerIAM
APIEndpoints
Mgmt
Protocols
API
Calls
8. Infrastructure Service
Example – RDS
• Foundational Services –
Networking, Compute, Storage
• AWS Global Infrastructure
• AWS API Endpoints
• Operating System
• Platform / Application
• High Availability (in part)
AWS
• Customer Data
• Firewall (VPC)
• Customer IAM (DB Users, Table
Permissions)
• AWS IAM (Users, Groups, Roles,
Policies)
• High Availability (in part)
• Data Protection (Transit, Rest,
Backup)
• Scaling
Customers
RESPONSIBILITIES
9. AWS Foundation Services
Compute Storage Database Networking
AWS Global
Infrastructure Regions
Availability Zones
Edge Locations
Platform & Applications Management
Operating System, Network & Firewall Configuration
Customer content
Customers
AWS Shared Responsibility Model:
for Abstract Services
Managed by
Managed by
Data Protection by the Platform
Protection of Data at Rest
Network Traffic Protection by the Platform
Protection of Data at in Transit
(optional)
Opaque Data: 1’s and 0’s
(in flight / at rest)
Client-Side Data Encryption
& Data Integrity Authentication
APIEndpoints
AWSIAM
API Calls
10. • Foundational Services
• AWS Global Infrastructure
• AWS API Endpoints
• Operating System
• Platform / Application
• Data Protection (Rest - SSE, Transit)
• High Availability / Scaling
AWS
• Customer Data
• Data Protection (Rest – CSE)
• AWS IAM (Users, Groups, Roles, Policies)
Customers
Infrastructure Service
Example – S3
11. Summary of Customer Responsibility in the Cloud
Customer IAM
AWS IAM
Firewall
Data
AWS IAM
Data
Applications
Operating System
Networking/Firewall
Data
Customer IAM
AWS IAM
Infrastructure
Services
Container
Services
Abstract
Services
12. AWS Foundation Services
Compute Storage Database Networking
AWS Global
Infrastructure Regions
Availability Zones
Edge Locations
Meet your own security objectives
Customer scope and
effort is reduced
Better results through
focused efforts
Built on AWS
consistent baseline
controls
Your own
external audits
Customers
Your own
accreditation
Your own
certifications
13. Auditing - Comparison
on-prem vs on AWS
Start with bare concrete
Functionally optional – you can build a secure
system without it
Audits done by an in-house team
Accountable to yourself
Typically check once a year
Workload-specific compliance checks
Must keep pace and invest in security innovation
on-prem
Start on base of accredited services
Functionally necessary – high watermark of
requirements
Audits done by third party experts
Accountable to everyone
Continuous monitoring
Compliance approach based on all workload
scenarios
Security innovation drives broad compliance
on AWS
15. What this means
You benefit from an environment built for the most security
sensitive organisations
AWS manages 1,800+ security controls so you don’t have to
You get to define the right security controls for your workload
sensitivity
16. Compliance: How to work with AWS Certifications
• “The magic’s in the Scoping”
• If a Service isn’t in scope, that doesn’t necessarily mean it can’t be used in
a compliant deployment
• …but it won’t be usable for a purpose which touches sensitive data
• See Re:Invent sessions, especially "Navigating PCI Compliance in the
Cloud”,
https://www.youtube.com/watch?v=LUGe0lofYa0&index=13&list=PLhr
1KZpdzukcJvl0e65MqqwycgpkCENmg
• Remember the Shared Responsibility Model
• “we do our bit at AWS, but you must also do your bit in what you build
using our services”
• Our audit reports make it easier for our customers to get approval
from their auditors, against the same standards
• Liability can’t be outsourced…
17. Compliance: How to work with AWS Certifications
• Time-based Subtleties:
• PCI, ISO: point-in-time assessments
• SOC: assessment spread over time, therefore more rigorous assessment
of procedures and operations
• (AWS Config allows you to make a path between these, for your own
auditors)
• FedRAMP: Continuous Monitoring and Reporting – important proof
• If a service for defined sensitive data isn’t in scope of an audit
report, can this be designed around?
• Eg standing up a queue system on EC2 as a substitute for SQS…
• Be careful of what elements of a Service are in scope, too…
• Metadata is typically “out”
18. SOC 1
• Availability:
• Audit report available to any customer with an NDA
• Scope:
• AWS CloudFormation, AWS CloudHSM, AWS CloudTrail, AWS DirectConnect,
Amazon DynamoDB, Amazon EBS, Amazon EC2, AWS Elastic Beanstalk, ELB,
Amazon EMR, Amazon ElastiCache, Amazon Glacier, IAM, AWS KMS, Amazon
RDS, Amazon Redshift, Amazon Route 53, Amazon S3, Amazon SES, Amazon
SimpleDB, Amazon SQS, AWS Storage Gateway, Amazon SWF, AWS VM Import /
Export, Amazon VPC, Amazon Workspaces
• Sensitive data:
• N/A
• Particularly good for:
• Datacentre management, talks about KMS for key management and
encryption at rest, discusses Engineering bastions
• Downsides:
• None
23. Others (and Resources):
• ISO 27017: Cloud security recommended practices
• ISO 9001: Quality control (Handbook available under NDA)
• UK G-Cloud / NCSC Security Principles, gov.uk “Cyber Essentials”:
• See me and our whitepaper at
https://d0.awsstatic.com/whitepapers/compliance/AWS_CESG_U
K_Cloud_Security_Principles.pdf
• IT-Grundschutz: Workbook at
https://d0.awsstatic.com/whitepapers/compliance/AWS_IT_Grundschu
tz_TUV_Certification_Workbook.pdf
• MTCS, IRAP, …: “Other People’s Geos” – we can put you in touch
with AWS Specialist Security and Compliance SAs there as needed,
there are also some whitepapers.
• EU Data Protection Guidance:
https://d0.awsstatic.com/whitepapers/compliance/AWS_EU_Data_Prot
ection_Whitepaper.pdf
24. Other Resources:
• CSA CAIQ: See Risk and Compliance whitepaper at
https://d0.awsstatic.com/whitepapers/compliance/AWS_Risk_and_Co
mpliance_Whitepaper.pdf
• Santa Fe Group SIG (available under NDA)
• ...or see my sessions on Control Mapping
25. Agreements:
• Click-through
• Enterprise
• EU Data Processor
• available to all customers
• includes commitment to maintain ISO 27001 or
successor certification, in perpetuity
• Pentest authorisation
26. “Familiar functions, made Cloud scale”:
• IAM: “RBAC writ large”
• Fine-grained privilege
• Further access controls
• Source IP
• Time of day
• Use of MFA
• Region affected (a work in progress; works for EC2, RDS)
• Data Pipeline: “Cron writ large”
• (…and now, CloudWatch Events =
“cron for Lambda”)
27. Asset Management, Logging and Analysis:
• “What the API returns, is true”
• CloudTrail, Config, CloudWatch Logs
• “Checks and balances”
• S3 append-only, MFA delete
• SNS for alerting
• Easy building blocks for Continuous Protective Monitoring
AWS
Config
AWS CloudTrail CloudWatch
28. Logs→metrics→alerts→actions
AWS Config
CloudWatch /
CloudWatch Logs
CloudWatch
alarms
AWS CloudTrail
Amazon EC2 OS logs
Amazon VPC
Flow Logs
Amazon SNS
email notification
HTTP/S
notification
SMS notifications
Mobile push
notifications
API calls
from most
services
Monitoring
data from
AWS services
Custom
metrics