account separation and mandatory access control on aws | security roadshow dublin
TRANSCRIPT
Account Separation and
Mandatory Access Control on
AWSDave Walker
Specialist Solutions Architect, Security and Compliance
23/03/16
Mandatory Access Control?
• Contrast with Discretionary Access Control
– u/g/o / rwx file permissions
– Under the control of the file owner
• MAC is a function of core system policy
– Immutable to all system users; sometimes also invisible to them
– …including root
• Epitomised in SELinux, descended from Orange Book B1
systems
– Sometimes extended to do multilevel / cross-domain security
Mandatory Access Control?
• SELinux on AWS
– RHEL, Ubuntu, SuSE, etc AMIs…
– (Don’t forget FreeBSD and other Community AMIs)
• First native MAC service on AWS: Glacier Vault Lock
– Set a Policy and fix it in place
– Even the account owner can’t change it, until its time lock expires
– Designed to meet SEC “Books and Records” requirements (Rule 17a-
4(f))
• Also FINRA Rule 4511, CFTC Regulation 1.31
• How can we make more services behave similarly?
– Cross-account access gets us close!
S3 Subtleties
• Versioning
• MFA Delete
– Put these together, and you get something which looks a lot like an
append-only object store
– …consider evidential integrity and weight
– Consider adding lifecycle policies to rotate into Vault-Locked Glacier
• Good for long-term log retention
S3 Subtleties
• CloudTrail, Config, CloudWatch Logs, ELB logs, VPC Flow
Logs
– Make them write-only for production / resource accounts
• No means to read or list bucket contents
– Make them read-only for audit accounts
• Though audit user activities may need to be written to logs too
– Potentially to a different log location
• Create a separate Logging account and apply cross-account
sharing:
S3 Subtleties
• S3 write-only cross-account sharing– Share write-only (no reading or listing of contents) from owner
account via bucket policy
– Writer accounts have IAM permissions to write
S3 Subtleties: Log Bucket Policy, Part 1
• (Actual policy won’t fit here, but…):
– Start with the cross-account bucket policy for writing CloudTrail logs, at
https://blogs.aws.amazon.com/security/post/Tx1QT0TX44KW7XM/Sha
ring-AWS-CloudTrail-Log-Files-Between-Accounts Scenario 1
– Add the Sid + Effect + Principal + Action + Resource aggregate objects
from the bucket policy for Config, at
http://docs.aws.amazon.com/config/latest/developerguide/s3-bucket-
policy.html , applying the same principles
– Add s3:GetBucketLocation permissions, to handle cross-Region logs
• (we want to log from all Regions to 1 bucket)
– Add the following for CloudWatch Logs:
S3 Subtleties: Log Bucket Policy, Part 2{
"Sid": "Cross-account write allow for CloudWatch Logs, mediated by control below",
"Effect": "Allow",
"Principal": ]
"AWS": "arn:aws:iam::Writer-Account-ID:root”,
<Add other accounts here>
],
"Action":[
"s3: PutObject",
"S3: GetBucketLocation"
],
"Resource":"arn: aws: s3:::myorg-logbucket/<optionalprefix>/AWSLogs/*"
},
{
"Sid":"Control to require full control grant on write",
"Effect":"Deny",
"Principal":[
"AWS":"arn: aws:iam::Writer-Account-ID:root”,
<Add other accounts here>
],
"Action": [
"s3:PutObject",
"s3:GetBucketLocation"
],
"Resource": "arn:aws:s3:::myorg-logbucket/<optional prefix>/AWSLogs/*",
"Condition": {
"StringNotEquals": {
"s3:"bucket-owner-full-control"
}
}}
S3 Subtleties: Log Bucket Policy, Part 3
• Audit users (in another account) will need read-only access to your log
bucket; see
https://blogs.aws.amazon.com/security/post/Tx1QT0TX44KW7XM/Sharing
-AWS-CloudTrail-Log-Files-Between-Accounts , again (Scenario 2)
• Good to do via a Role which has to be explicitly assumed;
again, see the URL above
S3 Subtleties: Log Bucket Policy and IAM
• Point CloudTrail and Config in other accounts to our log
bucket for writing, when setting these accounts up
• IAM policy to add to each log-generating account to allow
cross-account writing:{
"Version": "2012-10-17",
"Statement": [
{
"Sid": ”Cross-account Write",
"Effect": "Allow",
"Action": [
"s3:PutObject”,
”s3:GetBucketLocation”
],
"Resource": [
"arn:aws:s3:::myorg-logbucket"
]
}
]}
Detailed Billing: Sample Records
ItemDescription
UsageStar
tDate
UsageEn
dDate
UsageQua
ntity
Currenc
yCode
CostBef
oreTax
Cre
dits
TaxAm
ount
TaxT
ype
TotalCo
st
$0.000 per GB - regional data transfer under the
monthly global free tier
01.04.14
00:00
30.04.14
23:59
0.0000067
5 USD 0.00 0.0
0.0000
00 None
0.0000
00
$0.05 per GB-month of provisioned storage - US
West (Oregon)
01.04.14
00:00
30.04.14
23:59
1.126.666.
554USD 0.56 0.0
0.0000
00 None
0.5600
00
First 1,000,000 Amazon SNS API Requests per
month are free
01.04.14
00:00
30.04.14
23:5910.0 USD 0.00 0.0
0.0000
00 None
0.0000
00
First 1,000,000 Amazon SQS Requests per month
are free
01.04.14
00:00
30.04.14
23:594153.0 USD 0.00 0.0
0.0000
00 None
0.0000
00
$0.00 per GB - EU (Ireland) data transfer from US
West (Northern California)
01.04.14
00:00
30.04.14
23:59
0.0000329
2 USD 0.00 0.0
0.0000
00 None
0.0000
00
$0.000 per GB - data transfer out under the monthly
global free tier
01.04.14
00:00
30.04.14
23:590.02311019USD 0.00 0.0
0.0000
00 None
0.0000
00
First 1,000,000 Amazon SNS API Requests per
month are free
01.04.14
00:00
30.04.14
23:5988.0 USD 0.00 0.0
0.0000
00 None
0.0000
00
$0.000 per GB - data transfer out under the monthly
global free tier
01.04.14
00:00
30.04.14
23:593.3E-7 USD 0.00 0.0
0.0000
00 None
0.0000
00
Linked Accounts
• Consolidate daily Detailed Billing logs into one bucket, for all
accounts
• Now put it all together…
The Base Account Structure
AWS AccountRoot Account • No Access Keys
• MFA Enabled
• Raise Alert on Login
IAM Master • No Access Keys
• MFA Enabled
• Raise Alert on LoginDefine IAM Policies
Enable IAM Managers (User or
Role)
• Have Passwd Policy
• Enforce Passwd
Rotation
• Have Acct Questions
set up
• Have Info eMail set
up
IAM Manager • No Access Keys
• MFA Enabled
Create IAM
Users/Groups/Roles
Use Pre-Defined Policies
The Larger Picture
BILLING
S3 Holder
CloudTrail
Config
CW Logs
S3 Holder
BILL
CloudTrail
IAMUser
IAM UserAssum
e
Role
IAM UserAssum
e
Role
IAM UserAssum
e
Role
Resources
IAM ROLE
IAM ROLE
IAM ROLE
Backup Data
Backup
S3 Holder
Audit
Display
Rights
STS
{
"Version": "2012-10-17",
"Statement": [ {
"Sid": ”STS-Only",
"Effect": "Allow",
"Action": [ "sts:AssumeRole" ],
"Resource": [ "*" ] }
]
}
There’s One More Account to Consider…
• (…and it won’t fit on the diagram)
• Service Catalogue
– Also has cross-account capability
– Repository for CloudFormation templates, golden AMIs…
– …add latest database backups and other necessary datasets, and
you have an Intellectual Property Holding Account
• Something to copy cross-Region for DR
• See http://aws.amazon.com/servicecatalog/faqs/ for cross-account access
Raising Alerts
• Raise (through CloudTrail, watched by a Lambda function triggered on
bucket writes) an Alert (through, eg, SNS) if:– Any account’s root user logs in
– Any IAM-Master account logs in
– Billing/CloudTrail accounts have another S3 Bucket created
– IAM-User generates any new AWS resource
– IAM-User generates any CloudTrail events other than assume-role
and console login
– IAM-User logs in to any Resource Accounts (besides IAM-Manager)
– Resource-Account has IAM-Users assigned (besides IAM-Master/IAM-Manager)
Logs→metrics→alerts→actions
AWS Config
CloudWatch /
CloudWatch LogsCloudWatch
alarms
AWS CloudTrail
Amazon EC2 OS logs
Amazon VPC
Flow Logs
Amazon SNS
email notification
HTTP/S
notification
SMS notifications
Mobile push
notifications
API
calls
from
most
services Monitoring
data from
AWS
services
Custom
metrics
Also:
• Federate from IAM-User to another IdP
• Filter on LDAP DN elements; ou=, dc=
• Result: no PII in IAM!
– See page 20 of https://d0.awsstatic.com/whitepapers/aws-whitepaper-
single-sign-on-integrating-aws-open-ldap-and-shibboleth.pdf
• Set account and contact details to an email alias and a PABX
hunt group, and arrange with your AM to have your billing
invoiced to your company accounts
• …no PII in your AWS account
– unless you explicitly need to process PII in your AWS environment
Other Resources
• Re:Invent 2015: “Wrangling Security Events in
the Cloud” (SEC308)– https://www.youtube.com/watch?v=uc1Q0XCcCv4
– Further ways to enable service configuration immutability
• Essentially, “config-correcting Lambda functions”
Account Separation and
Mandatory Access Control on
AWS
Dave Walker
Specialised Solutions Architect, Security and Compliance
28/01/16