Architecture for Security on AWS

Transcript

1. ARCHITECTURE FOR SECURITY ON AWS_ JON TOPPER | @jtopper |

   he/him/his @scalefactory

2. $ whoami Founder/CEO/CTO The Scale Factory Working in hosting/infrastructure for

   20 years Infrastructure / AWS / DevOps

3. WEBINAR DETAILS_ Please use the Q&A button to ask questions

   This webinar will be recorded The slides will be available
4. None

5. THE TEAM_

6. OUR CLIENTS_

7. Leading Well-Architected Partner Worldwide >200 Reviews Completed Since April 2018

8. Security Reliability Performance Efficiency Cost Optimization Operational Excellence

9. TODAY'S AGENDA_ Who’s responsible for security? Leveraging the AWS platform

   The 5 areas of security A Well-Architected review Q&A

10. WHO'S RESPONSIBLE FOR SECURITY IN YOUR ORGANISATION?_

11. WHO'S RESPONSIBLE FOR SECURITY IN YOUR ORGANISATION?_ YOU ARE

12. WHO'S RESPONSIBLE FOR SECURITY IN YOUR ORGANISATION?_ YOU ARE EVERYONE

    IS

13. ARCHITECTURE FOR SECURITY ON AWS_ @scalefactory

14. STATE OF DEVOPS REPORT_ DORA "Low performers take weeks to

    conduct security reviews and complete the changes identified. In contrast, elite performers build security in and can conduct security reviews and complete changes in just days."

15. THE SCALE FACTORY WAY_ People First Match solution to workload

    Leverage the AWS platform Automate Iterate

16. LEVERAGE THE AWS PLATFORM_ @scalefactory

17. Visible Invisible Value Chain Evolution Genesis Custom Product Commodity Power

    Customer MySQL Compute Storage Data Centre HA Scripts Monitoring Config Mgmt Networking

18. Visible Invisible Value Chain Evolution Genesis Custom Product Commodity Customer

    RDS Aurora
19. None

20. Somebody Else's Problem

21. 5 AREAS OF SECURITY_ Identity and access management Detective controls

    Infrastructure protection Data protection Incident response @scalefactory

22. IDENTITY & ACCESS MANAGEMENT_ @scalefactory

23. GOOD IAM PRACTICE_ No access to the root account Unique

    credentials per person Create least-privilege policies

24. USE MFA_

25. FEDERATED IDENTITY_

26. Root Account OU: Developers Jon's Sandbox Salma's Sandbox SSO Security

    DeveloperRole SecurityAdminRole OperatorRole OU: Services Live Staging Trust Relationship Policy DeveloperRole Security Log Bucket Service Control Policy AWS ORGANIZATIONS_

27. TEACH YOUR TEAMS AWS IAM @scalefactory

28. Instance App Instance Metadata Service 1 2 3 INSTANCE PROFILES_

29. { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [

    "s3:CreateBucket", "s3:DeleteObject", "s3:Put*", "s3:Get*", "s3:List*" ], "Resource": [ "arn:aws:s3:::*" ] } ] } LEAST PRIVILEGE?_ @scalefactory

30. TEACH YOUR TEAMS AWS IAM @scalefactory

31. YOUR IAM MIGHT NEED WORK IF YOU_ Log in with

    the root account Have >1 identity for a single person Don't use roles for compute services Don’t enforce MFA Hard-code secrets in app config (or code!) Have IAM policies with *s in (too permissive) Use a lot of AWS managed IAM policies

32. DETECTIVE CONTROLS_ @scalefactory

33. LOG EVERYTHING_ CloudWatch Logs CloudTrail VPC Flow Logs DNS Query

    Logs

34. USE THE LOGS_ ELK Stack / Vendor tools Queries with

    Athena Kinesis streams

35. AWS GUARDDUTY_

36. AWS SECURITY HUB_

37. AMAZON DETECTIVE_

38. YOUR CONTROLS MAY NEED WORK IF..._ You're not logging anything

    / enough You're not alerting on important log conditions Alerts/notifications are noisy or ignored You're only using logs when debugging

39. INFRASTRUCTURE PROTECTION_ @scalefactory

40. None

41. SECURITY GROUPS_ Default App1 App2

42. FINE GRAINED POLICIES_ KMS key policies S3 bucket policies SNS

    access control

43. DIRECT CONNECT_

44. AWS Shield DDoS Protection AWS WAF Web Application Firewall

45. AWS INSPECTOR_ Scans for network reachability Checks hosts against known

    CVEs Checks against CIS benchmarks Checks other security best practice Analyses app runtime behaviour
46. None

47. CASE STUDY_

48. WHAT ABOUT SERVERLESS?_

49. YOUR PROTECTION MAY NEED WORK IF..._ You have anything other

    than LB or NAT in public networks Your security groups are too permissive You mainly use CIDR network ranges in your SGs You're not protecting your application with WAF You're not actively scanning for vulnerabilities You're not checking your application dependencies' security

50. DATA PROTECTION_ @scalefactory

51. CLASSIFY DATA_ Identify different data classification levels Use tagging of

    resources Use KMS keys per classification level Control principal access to keys & resources Consider tokenisation Use AWS Macie to look for sensitive data in S3

52. DATA AT REST_ Use service features to encrypt at rest

    Limit personnel access to data (IAM) Copy base AMIs with encryption

53. PROTECT SECRETS_ AWS Secrets Manager Temporary RDS tokens Parameter Store

    Control principal access with IAM (Vendor solutions)

54. DATA IN TRANSIT_ Use HTTPS listeners on load balancers Use

    HTTPS on CloudFront Use ACM for certificate management Use VPNs where necessary*

55. DATA BACKUPS_ Use per-service backup features Replicate to other regions

    Limit personnel access to backups

56. DATA PROTECTION MAY NEED WORK IF..._ Too many people have

    access to too much data You haven't thought about data classification You're not encrypting at rest You're not encrypting in transit You store secrets anywhere other than in AWS services You don't have complete backups You haven't tried restoring your backups recently

57. INCIDENT RESPONSE_ @scalefactory

58. AUTOMATE RESPONSE_ Use CloudWatch events Send notifications with SNS Trigger

    actions (Lambda, Step Functions)

59. CLEAN ROOM_ Pre-install forensic tools Ensure security team shell access

    Automatically quarantine suspect nodes

60. RUNBOOK/ PLAYBOOK_ Document incident response for your team Ensure team

    members are on call Run regular incident drills

61. INCIDENT RESPONSE MAY NEED WORK IF..._ You can't remediate common

    incidents automatically You can't quarantine bad nodes for later forensics You don't have engineers on-call for security incidents Engineers don't know how to respond to on-call alerts You don't regularly practice incident response

62. TOO MUCH TO THINK ABOUT!_ @scalefactory

63. LANDING ZONE_

64. LANDING ZONE_

65. LANDING ZONE_

66. LANDING ZONE_

67. CASE STUDY_ “We’ve been continuously impressed with the expertise at

    The Scale Factory, their keenness to understand our business needs and pressures, and help us pave the foundations for a step change in our capability to serve our clients” James Ramirez CTO

68. EVEN LANDING ZONE IS TOO MUCH TO THINK ABOUT!_ @scalefactory

69. CONTROL TOWER_

70. WHAT'S NEXT?_ @scalefactory

71. TALK TO US ABOUT: CONSULTANCY TRAINING WELL-ARCHITECTED MIGRATION

72. Leading Well-Architected Partner Worldwide >200 Reviews Completed Since April 2018

    Book a Well-Architected review today https:/ /scalefactory.com/services/well-architected/ $5,000 funding available to support improvement work

73. BREAKFAST OPS_ Monthly hosted discussion For CTOs and tech decision

    makers

74. Q&A_

75. KEEP IN TOUCH_ http:/ /www.scalefactory.com/ @scalefactory [email protected]