Amazon Web Services Security: Release Engineering & Recommended Architecture

Transcript

1. Amazon Web Services Security: Release Engineering & Recommended Architecture Kenneth

   White Principal, BAO Systems Raleigh ISSA Back-to-Basics May 1, 2014

2. My Background Developer: Embedded, safety-critical, clinical trials Imaging: Signal processing,

   classifiers, ML OS: kernel, network, file/volume encryption DevOps: deployment, risk mgmt, lifecycle/governance Compliance: FISMA/FIPS, FDA Part 11/820, HIPAA Security: DOD, Red Team, defense, forensics, TLS Service: Open Crypto Audit Project

3. Agenda AWS Overview: footprint, offerings, major clients Current-gen infrastructure &

   services Recommended practices Access Control Identity Management File & Disk Encryption Orchestration Auditing Required Reading & Resources

4. Disclosures Views expressed are my own No financial interests in

   vendors presented

5. Security is hard

6. So, what is AWS?

7. Amazon Web Services Footprint 2003: Chris Pinkham & Benjamin Black

   paper to Bezos 2004-2006: Team develops v. 1 in Cape Town (EC2+S3) 2008: EC2 reaches General Release (skipping a lot) 2014: $4.5B est. annual AWS revenue 5.1M public IP addresses Long-time leader in Gartner MQ for Cloud Infrastructure

8. AWS Infrastructure & Service Offerings EC2: Virtual machines “Compute” (PVM

   & HVM) S3: Durable file/object storage Route 53: Geo-aware DNS, programmatic anycast VPC: Isolation, VLANs, h/w VPN integration, IPsec IAM: Fine-grain identity access, key management RDS: Managed DBs (MySQL, Oracle, Postgres, SQL Server) ELB: Programmatic load balancing, SSL termination EMR: Hadoop-as-a-Service, on-demand MapReduce

9. Major Clients Federal Government DOE, CIA, NASA, HHS, FDA, NIH,

   CDC, Navy, AF, FBI, State May 2013: FedRAMP ATO, all US Regions http://www.gsa.gov/portal/content/171827 March 2014: DoD Authorization Level 1-2, GovCloud

10. Major Clients Enterprise GE SAP Comcast Discovery Nasdaq Medidata Bristol-Myers

    Squibb Pfizer J&J

11. Current-gen infrastructure & services M1 is deprecated M1 is deprecated

    M1 is deprecated M1 is deprecated M1 is deprecated

12. Current-gen infrastructure & services M3, C3, R3 instance types: All-SSD

    M3 best for general purpose All-SSD local storage M3 & R3 Intel Xeon E5-2670 (Sandy Bridge) CPUs C3 best for high CPU workload E5-2680 v2 (Ivy Bridge) R3 best for high-memory (up to 244GB) VPC+HVM+SR-IOV=5X speedup in I/O, sig ↓ load

13. Recommended Practices IAM Roles, Groups, Object-level control, time-limited Delegation (EC2

    roles, cross-account access) Policy variables Policy simulator 2FA One-time secret keys Native SSO SAML v 2.0 in AWS Management Console

14. Recommended Practices File/Disk Encryption Vendor-managed S3 Client-managed Java, .Net SDK

    APIs & code samples DM-Crypt Key Management Integration for CMPs (Enstratius) Oracle RDS Transparent Data Encryption (TDE) Off-cloud key management for high-sensitivity workloads AWS HSM appliance

15. Recommended Practices Orchestration Automate, automate, automate *So* many options ElasticBeanstalk

    CloudFormation Chef, Puppet, Salt, Ansible RightScale, Enstratius, …

16. Recommended Practices Auditing & Logging IAM AD & Shibboleth CloudTrails,

    Sumo Logic Financial report automation Central logging Managed Splunk, et al

17. Required Reading AWS Security by Stephen Schmidt: http://www.slideshare.net/AmazonWebServices/ aws-security-keynote-address-sec101-aws- reinvent-2013

    AWS Security Blog: http://blogs.aws.amazon.com/security/blog Security & Compliance Docs http://aws.amazon.com/compliance/

18. How good are your controls?

19. Thank you!

20. Contacts Twitter: @kennwhite LinkedIn: www.linkedin.com/in/biotech Email: kwhite @ baosystems .

    com Web: opencryptoaudit.org/people