Best Practices for Managing Security Operations in AWS - AWS July 2016 Webinar Series
TRANSCRIPT
![Page 1: Best Practices for Managing Security Operations in AWS - AWS July 2016 Webinar Series](https://reader036.vdocuments.mx/reader036/viewer/2022081514/587125e81a28abe4448b61c7/html5/thumbnails/1.jpg)
© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Henrik Johansson, Security Solutions Architect
07/29/16
Best Practices for Managing Security Operations in AWS
Vodafone Italy migrates to AWS and creates a secure environment for customer transactions while reducing capital costs by 30%
Vodafone Italy, based in Milan, provides mobile services for more than 30 million customers. Customers can buy additional credit for SIM cards using a credit or debit card. Key requirement was to build a PCI DSS-compliant solution.
“Since migrating to AWS, we created a secure solution for our customers that can handle thousands of daily transactions, while reducing our costs by 30%”
Stefano Harak, Online Senior Product Manager, Vodafone
Shared Responsibility Model
AWS and you share responsibility for security
AWS takes care of the security OF the Cloud:
AWS Foundation Services: Compute, Storage, Database, Networking
AWS Global Infrastructure: Regions, Availability Zones, Edge Locations
You get to define your controls IN the Cloud: Network Security, Identity & Access Control, Inventory & Config, Data Encryption. In detail:
Customer applications & content
Platform, Applications, and Identity & Access Management
Operating System, Network, and Firewall Configuration
Client-Side Data Encryption
Server-Side Data Encryption
Network Traffic Protection
Key AWS certifications and assurance programs
Assurance Programs
Certifications / Attestations: DoD SRG, FedRAMP, FIPS, IRAP, ISO 9001, ISO 27001, ISO 27017, ISO 27018, MLPS Level 3, MTCS, PCI DSS Level 1, SEC Rule 17-a-4(f), SOC 1, SOC 2, SOC 3
Laws, Regulations, and Privacy: DNB [Netherlands], EAR, EU Model Clauses, FERPA, GLBA, HIPAA, HITECH, IRS 1075, ITAR, My Number Act [Japan], U.K. DPA – 1988, VPAT / Section 508, EU Data Protection Directive, Privacy Act [Australia], Privacy Act [New Zealand], PDPA - 2010 [Malaysia], PDPA - 2012 [Singapore]
Alignments / Frameworks: CJIS, CLIA, CMS EDGE, CMSR, CSA, FDA, FedRAMP TIC, FISC, FISMA, G-Cloud, GxP (FDA CFR 21 Part 11), ICREA, IT Grundschutz, MITA 3.0, MPAA, NERC, NIST, PHR, Uptime Institute Tiers, UK Cloud Security Principles, UK Cyber Essentials
https://aws.amazon.com/compliance/
What this means
You benefit from an environment built for the most security-sensitive organizations.
AWS manages 1,800+ security controls so you don’t have to.
You get to define the right security controls for your workload sensitivity.
You always have full ownership and control of your data.
You are in control of privacy
You retain full ownership and control of your content
Choose the AWS Singapore Region and AWS will not replicate it elsewhere unless you choose to do so.
Control format, accuracy, and encryption any way that you choose.
Control who can access content. Control content lifecycle and disposal.
Your data stays where you put it
13 regions, 35 Availability Zones
Announced: 4 AWS regions (Canada, China, Ohio, and the United Kingdom), 9 Availability Zones
Identity management
Encrypt your sensitive information
Native encryption across services for free: Amazon S3, Amazon EBS, Amazon RDS, Amazon Redshift; end-to-end SSL/TLS
Scalable key management: AWS Key Management Service (KMS) provides scalable, low-cost key management; AWS CloudHSM provides hardware-based, high-assurance key generation, storage, and management
Third-party encryption options: Trend Micro, SafeNet, Vormetric, HyTrust, Sophos, etc.
AWS Identity and Access Management (IAM)
Enables you to control who can do what in your AWS account
Splits into users, groups, roles, and permissions
Control: centralized; fine-grained (APIs, resources, and AWS Management Console)
Security: secure (deny) by default
Policy enforcement
1. Decision starts at Deny.
2. Evaluate all applicable policies.
3. Is there an explicit Deny? Yes → Final decision = “Deny” (explicit Deny). No → continue.
4. Is there an Allow? Yes → Final decision = “Allow”. No → continue.
5. Final decision = “Deny” (default Deny).
AWS retrieves all policies associated with the user and resource.
Only policies that match the action and conditions are evaluated.
If a policy statement has a Deny, it trumps all other policy statements.
Access is granted if there is an explicit Allow and no Deny.
By default, an implicit (default) Deny is returned.
A Deny always wins over an Allow.
IAM anatomy
JSON-formatted documents. Statement (permissions) specifies: Principal, Action, Resource, Condition
{
  "Statement": [{
    "Effect": "effect",
    "Principal": "principal",
    "Action": "action",
    "Resource": "arn",
    "Condition": {
      "condition": {
        "key": "value"
      }
    }
  }]
}
Principal – Examples
An entity that is allowed or denied access to a resource. Indicated by an Amazon Resource Name (ARN). With IAM policies, the principal element is implicit (i.e., the user, group, or role attached).
Everyone (anonymous users): "Principal": {"AWS": "*"}
Specific account or accounts: "Principal": {"AWS": "arn:aws:iam::123456789012:root"} or "Principal": {"AWS": "123456789012"}
Individual IAM user: "Principal": {"AWS": "arn:aws:iam::123456789012:user/username"}
Federated user (using web identity federation): "Principal": {"Federated": "www.amazon.com"}, "Principal": {"Federated": "graph.facebook.com"}, "Principal": {"Federated": "accounts.google.com"}
Specific role: "Principal": {"AWS": "arn:aws:iam::123456789012:role/rolename"}
Specific service: "Principal": {"Service": "ec2.amazonaws.com"}
Replace 123456789012 with your account number.
Action – Examples
Describes the type of access that should be allowed or denied. You can find these in the docs or use the policy editor to get a drop-down list. Statements must include either an Action or NotAction element.
EC2 action: "Action": "ec2:StartInstances"
IAM action: "Action": "iam:ChangePassword"
S3 action: "Action": "s3:GetObject"
Specify multiple values for the Action element: "Action": ["sqs:SendMessage", "sqs:ReceiveMessage"]
Use wildcards (* or ?) as part of the action name; this would cover Create/Delete/List/Update: "Action": "iam:*AccessKey*"
Understanding NotAction
Lets you specify an exception to a list of actions. Could result in shorter policies than using Action and denying many actions.
Example: Let’s say you want to allow everything but IAM APIs
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "NotAction": "iam:*",
    "Resource": "*"
  }]
}
or
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": "*",
    "Resource": "*"
  }, {
    "Effect": "Deny",
    "Action": "iam:*",
    "Resource": "*"
  }]
}
The NotAction policy is not a Deny: a user could still have a separate policy that grants iam:*.
If you want to prevent the user from ever being able to call IAM APIs, use an explicit Deny.
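The following is an added example, not code from the deck or from AWS: a minimal model of the evaluation order on the policy enforcement slide (start at Deny, evaluate every applicable statement, explicit Deny wins, otherwise Allow, otherwise default Deny), used to show why the NotAction policy and the explicit-Deny policy above behave differently once a second policy grants IAM actions. The policies and the hypothetical IAM_ADMIN_POLICY are constructed; only Action/NotAction, Resource and * / ? wildcards are modelled, not Conditions or Principal.

```python
"""Minimal model of the IAM policy evaluation order shown in the deck.
Added example; not AWS code. Handles Action/NotAction, Resource and the
'*' / '?' wildcards only; the real service also evaluates Conditions,
Principal and more."""
from fnmatch import fnmatchcase


def _matches(patterns, value):
    """True if value matches any pattern (str or list) using * and ? wildcards."""
    if isinstance(patterns, str):
        patterns = [patterns]
    return any(fnmatchcase(value, p) for p in patterns)


def statement_applies(stmt, action, resource):
    """Does this statement cover the requested action and resource?"""
    if "Action" in stmt:
        action_ok = _matches(stmt["Action"], action)
    else:
        # NotAction: the statement applies to everything EXCEPT the listed actions.
        action_ok = not _matches(stmt["NotAction"], action)
    return action_ok and _matches(stmt.get("Resource", "*"), resource)


def evaluate(policies, action, resource):
    """Return 'Allow' or 'Deny' for one request across all attached policies."""
    decision = "Deny"                       # step 1: decision starts at Deny
    for policy in policies:                 # step 2: evaluate all applicable policies
        for stmt in policy["Statement"]:
            if not statement_applies(stmt, action, resource):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"               # step 3: explicit Deny trumps everything
            decision = "Allow"              # step 4: an Allow was found; keep scanning for a Deny
    return decision                         # step 5: default Deny if nothing allowed


# Constructed policies mirroring the two variants on the NotAction slide.
NOTACTION_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "NotAction": "iam:*", "Resource": "*"}]}
EXPLICIT_DENY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Deny", "Action": "iam:*", "Resource": "*"}]}
# Hypothetical second policy someone else attached to the same user.
IAM_ADMIN_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "iam:*AccessKey*", "Resource": "*"}]}


def demo():
    """Compare both 'everything but IAM' policies when an extra IAM grant exists."""
    act = "iam:CreateAccessKey"
    return {
        "notaction_alone": evaluate([NOTACTION_POLICY], act, "*"),
        "notaction_plus_grant": evaluate([NOTACTION_POLICY, IAM_ADMIN_POLICY], act, "*"),
        "deny_plus_grant": evaluate([EXPLICIT_DENY_POLICY, IAM_ADMIN_POLICY], act, "*"),
        "ec2_allowed": evaluate([NOTACTION_POLICY], "ec2:StartInstances", "*"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

With only the NotAction policy attached, an IAM call falls through to the default Deny; as soon as any other policy allows it, the NotAction policy contributes nothing and the call is allowed. The explicit Deny variant keeps the call denied regardless of what else is attached.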
Resource – Examples
The object or objects that are being requested. Statements must include either a Resource or a NotResource element.
S3 bucket: "Resource": "arn:aws:s3:::my_corporate_bucket/*"
SQS queue: "Resource": "arn:aws:sqs:us-west-2:123456789012:queue1"
Multiple DynamoDB tables: "Resource": ["arn:aws:dynamodb:us-west-2:123456789012:table/books_table", "arn:aws:dynamodb:us-west-2:123456789012:table/magazines_table"]
All EC2 instances for an account in a region: "Resource": "arn:aws:ec2:us-east-1:123456789012:instance/*"
Conditions
Optional criteria that must evaluate to true for the policy to evaluate as true. Ex: restrict to an IP address range.
Can contain multiple conditions. Condition keys can contain multiple values.
If a single condition includes multiple values for one key, the condition is evaluated using logical OR.
Multiple conditions (or multiple keys in a single condition): the conditions are evaluated using logical AND.
Condition element:
Condition 1: Key1: Value1A OR Value1B OR Value1C
  AND Key2: Value2A OR Value2B
AND Condition 2: Key3: Value3A
Condition example
What if you wanted to restrict access to a time frame and IP address range?
"Condition": {
  "DateGreaterThan": {"aws:CurrentTime": "2015-10-08T12:00:00Z"},
  "DateLessThan": {"aws:CurrentTime": "2015-10-08T15:00:00Z"},
  "IpAddress": {"aws:SourceIp": ["192.0.2.0/24", "203.0.113.0/24"]}
}
Allows a user to access a resource under the following conditions: the time is after 12:00 P.M. on 10/8/2015 AND the time is before 3:00 P.M. on 10/8/2015 AND the request comes from an IP address in the 192.0.2.0/24 OR 203.0.113.0/24 range.
All of these conditions must be met in order for the statement to evaluate to TRUE.
Policy variables
Predefined variables based on service request context
• Existing keys (aws:SourceIP, aws:CurrentTime, etc.)
• Principal-specific keys (aws:username, aws:userid, aws:principaltype)
• Provider-specific keys (graph.facebook.com:id, www.amazon.com:user_id)
• SAML keys (saml:aud, saml:iss)
• See documentation for service-specific variables
Benefits
• Simplifies policy management
• Reduces the need for hard-coded, user-specific policies
Use cases we’ll look at
• Easily set up user access to “home folder” in Amazon S3
• Limit access to specific Amazon EC2 resources
The anatomy of a policy with variables
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["s3:ListBucket"],
    "Resource": ["arn:aws:s3:::myBucket"],
    "Condition": {"StringLike": {"s3:prefix": ["home/${aws:username}/*"]}}
  }, {
    "Effect": "Allow",
    "Action": ["s3:*"],
    "Resource": ["arn:aws:s3:::myBucket/home/${aws:username}", "arn:aws:s3:::myBucket/home/${aws:username}/*"]
  }]
}
Version is required. Variable in conditions (s3:prefix). Variable in resource ARNs.
Grants a user access to a home directory in Amazon S3 that can be accessed programmatically.
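The following is an added example, not code from the deck or from AWS, covering the Conditions slides (AND across operators and keys, OR across the values of one key) and the policy variables slide (${aws:username} substituted from the request context before matching). It evaluates the deck's time-window plus IP condition and the home-folder StringLike condition against constructed request contexts. Only the four operators the deck uses (DateGreaterThan, DateLessThan, IpAddress, StringLike) are implemented; the request contexts are constructed.

```python
"""Evaluate an IAM Condition block the way the deck describes it.
Added example, not AWS code; operators limited to the four used in the deck."""
from datetime import datetime
from fnmatch import fnmatchcase
import ipaddress
import re

_VAR = re.compile(r"\$\{([A-Za-z0-9:_.-]+)\}")


def substitute(text, context):
    """Replace ${key} policy variables with values from the request context."""
    return _VAR.sub(lambda m: context[m.group(1)], text)


def _parse_time(value):
    """ISO-8601 with a trailing Z, as IAM writes it, to an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


# Each operator answers: does the request value satisfy ONE policy value?
OPERATORS = {
    "DateGreaterThan": lambda req, pol: _parse_time(req) > _parse_time(pol),
    "DateLessThan": lambda req, pol: _parse_time(req) < _parse_time(pol),
    "IpAddress": lambda req, pol: ipaddress.ip_address(req) in ipaddress.ip_network(pol, strict=False),
    "StringLike": lambda req, pol: fnmatchcase(req, pol),
}


def condition_is_true(condition, context):
    """AND across operators and keys; OR across the values listed for one key."""
    for operator, keys in condition.items():
        test = OPERATORS[operator]
        for key, values in keys.items():
            if key not in context:
                return False          # a key absent from the request can never satisfy the condition
            if isinstance(values, str):
                values = [values]
            values = [substitute(v, context) for v in values]
            if not any(test(context[key], v) for v in values):
                return False          # every operator/key pair must hold (AND)
    return True


# Condition from the deck's time-window + IP example.
TIME_AND_IP = {
    "DateGreaterThan": {"aws:CurrentTime": "2015-10-08T12:00:00Z"},
    "DateLessThan": {"aws:CurrentTime": "2015-10-08T15:00:00Z"},
    "IpAddress": {"aws:SourceIp": ["192.0.2.0/24", "203.0.113.0/24"]},
}
# Condition from the deck's S3 home-folder policy, with a policy variable.
HOME_PREFIX = {"StringLike": {"s3:prefix": ["home/${aws:username}/*"]}}


def demo():
    """Constructed request contexts exercising AND/OR and variable substitution."""
    base = {"aws:CurrentTime": "2015-10-08T13:30:00Z", "aws:SourceIp": "203.0.113.7"}
    return {
        "in_window_in_range": condition_is_true(TIME_AND_IP, base),
        "in_window_wrong_ip": condition_is_true(TIME_AND_IP, {**base, "aws:SourceIp": "198.51.100.9"}),
        "too_late_good_ip": condition_is_true(TIME_AND_IP, {**base, "aws:CurrentTime": "2015-10-08T15:00:01Z"}),
        "own_home": condition_is_true(HOME_PREFIX, {"aws:username": "alice", "s3:prefix": "home/alice/reports/"}),
        "other_home": condition_is_true(HOME_PREFIX, {"aws:username": "alice", "s3:prefix": "home/bob/"}),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The two IP ranges are alternatives for one key (either matches), while the two date operators and the IP operator must all hold; a request that satisfies the time window from an address outside both ranges is refused, as is a request one second past the window from a good address.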
IAM best practices
Basic user and permission management
1. Users – Create individual users. Benefits: unique credentials; individual credential rotation; individual permissions; simplifies forensics.
2. Permissions – Grant least privilege. Benefits: less chance of people making mistakes; easier to relax than tighten up; more granular control.
3. Groups – Manage permissions with groups. Benefits: easier to assign the same permissions to multiple users; simpler to reassign permissions based on change in responsibilities; only one change to update permissions for multiple users.
4. Conditions – Restrict privileged access further with conditions. Benefits: additional granularity when defining permissions; can be enabled for any AWS service API; minimizes chances of accidentally performing privileged actions.
5. Auditing – Enable AWS CloudTrail to get logs of API calls. Benefits: visibility into your user activity by recording AWS API calls to an Amazon S3 bucket.
Credential management
6. Password – Configure a strong password policy. Benefits: ensures your users and your data are protected.
7. Rotate – Rotate security credentials regularly. Benefits: normal best practice.
8. MFA – Enable multi-factor authentication (MFA) for privileged users. Benefits: supplements user name and password to require a one-time code during authentication.
Delegation
9. Sharing – Use IAM roles to share access. Benefits: no need to share security credentials; no need to store long-term credentials. Use cases: cross-account access; intra-account delegation; federation.
10. Roles – Use IAM roles for Amazon EC2 instances. Benefits: easy to manage access keys on EC2 instances; automatic key rotation; assign least privilege to the application; AWS SDKs fully integrated; AWS CLI fully integrated.
11. Root – Reduce or remove use of root. Benefits: reduce potential for misuse of credentials.
Top 11 IAM best practices: 1. Users, 2. Permissions, 3. Groups, 4. Conditions, 5. Auditing, 6. Password, 7. Rotate, 8. MFA, 9. Sharing, 10. Roles, 11. Root.
IAM users vs. federated users
Depends on where you want to manage your users: on-premises → federated users (IAM roles); in your AWS account → IAM users.
Other important use cases: delegating access to your account → federated users (IAM roles); mobile application access → should always be federated access.
IMPORTANT: Never share security credentials.
AWS access keys vs. passwords
Depends on how your users will access AWS: Console → password; API, CLI, SDK → access keys.
Make sure to rotate credentials regularly: use credential reports to audit credential rotation; configure password policy; configure policy to allow access key rotation.
Invalidating temporary security credentials
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Deny",
    "Action": "*",
    "Resource": "*",
    "Condition": {
      "DateLessThan": {"aws:TokenIssueTime": "2013-12-15T12:00:00Z"}
    }
  }]
}
https://blogs.aws.amazon.com/security/post/Tx1P6IGLLZ935I4/What-to-Do-If-You-Inadvertently-Expose-an-AWS-Access-Key
Enabling credential rotation for IAM users (enable access key rotation sample policy)
Access keys:
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": [
      "iam:CreateAccessKey",
      "iam:DeleteAccessKey",
      "iam:ListAccessKeys",
      "iam:UpdateAccessKey"
    ],
    "Resource": "arn:aws:iam::123456789012:user/${aws:username}"
  }]
}
Steps to rotate access keys
1. While the first set of credentials is still active, create a second set of credentials, which will also be active by default.
2. Update all applications to use the new credentials.
3. Change the state of the first set of credentials to Inactive.
4. Using only the new credentials, confirm that your applications are working well.
5. Delete the first set of credentials.
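The five rotation steps above, carried through as an added example that is not code from the deck or from AWS. The function calls the four IAM operations the sample policy grants, using the boto3 IAM client method names (list_access_keys, create_access_key, update_access_key, delete_access_key); the FakeIam class is a constructed in-memory stand-in so the walkthrough runs offline, and a real boto3 client can be passed in its place. The redeploy and verify callbacks, the user name and the key ids are assumptions.

```python
"""Walk an IAM user's access key through the deck's five rotation steps,
with the checks a practitioner wants at each step (exactly one key to retire,
deactivate before delete, roll back if the new key does not work).
Added example; not AWS code. FakeIam is a constructed stand-in for boto3's IAM client."""


class RotationError(Exception):
    pass


def rotate_access_key(iam, user_name, redeploy, verify):
    """redeploy(key_id, secret) pushes the new key to the applications;
    verify() returns True once they work on the new key alone."""
    keys = iam.list_access_keys(UserName=user_name)["AccessKeyMetadata"]
    if len(keys) != 1:
        # IAM allows at most two keys per user: rotation needs one free slot and
        # exactly one key to retire, so anything else is a state to resolve by hand.
        raise RotationError(f"expected exactly one key for {user_name}, found {len(keys)}")
    old_id = keys[0]["AccessKeyId"]

    new = iam.create_access_key(UserName=user_name)["AccessKey"]       # step 1: second key, active by default
    redeploy(new["AccessKeyId"], new["SecretAccessKey"])               # step 2: applications use the new key
    iam.update_access_key(UserName=user_name, AccessKeyId=old_id, Status="Inactive")  # step 3: old key Inactive, not deleted
    if not verify():                                                    # step 4: confirm on the new key only
        iam.update_access_key(UserName=user_name, AccessKeyId=old_id, Status="Active")
        iam.delete_access_key(UserName=user_name, AccessKeyId=new["AccessKeyId"])
        raise RotationError("applications failed on the new key; rolled back to the old one")
    iam.delete_access_key(UserName=user_name, AccessKeyId=old_id)       # step 5: delete the old key
    return new["AccessKeyId"]


class FakeIam:
    """Constructed in-memory stand-in for the four IAM calls used above."""

    def __init__(self, user_name, existing_ids):
        self.keys = {user_name: {k: "Active" for k in existing_ids}}
        self.counter = 0

    def list_access_keys(self, UserName):
        return {"AccessKeyMetadata": [{"AccessKeyId": k, "Status": s}
                                      for k, s in self.keys[UserName].items()]}

    def create_access_key(self, UserName):
        if len(self.keys[UserName]) >= 2:
            raise RotationError("LimitExceeded: the user already has two access keys")
        self.counter += 1
        key_id = f"EXAMPLEKEY{self.counter:04d}"      # constructed id, not a real key
        self.keys[UserName][key_id] = "Active"
        return {"AccessKey": {"AccessKeyId": key_id, "SecretAccessKey": "constructed-secret"}}

    def update_access_key(self, UserName, AccessKeyId, Status):
        self.keys[UserName][AccessKeyId] = Status

    def delete_access_key(self, UserName, AccessKeyId):
        del self.keys[UserName][AccessKeyId]


def demo(verify_ok=True):
    """Rotate a constructed user's single key; returns (new key id or None, final key table)."""
    iam = FakeIam("deploy-bot", ["EXAMPLEKEYOLD1"])
    try:
        new_id = rotate_access_key(iam, "deploy-bot", lambda key_id, secret: None, lambda: verify_ok)
    except RotationError:
        new_id = None
    return new_id, dict(iam.keys["deploy-bot"])


if __name__ == "__main__":
    print(demo())                   # successful rotation: only the new key remains
    print(demo(verify_ok=False))    # failed verification: only the old key remains, still Active
```

Deactivating rather than deleting in step 3 is what makes the rollback in step 4 possible; the old key is only removed once the applications have proven themselves on the new one.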
Inline policies vs. managed policies
Use inline policies when you need to: enforce a strict one-to-one relationship between policy and principal; avoid the wrong policy being attached to a principal; ensure the policy is deleted when deleting the principal.
Use managed policies when you need: reusability; central change management; versioning and rollback; delegation of permissions management; automatic updates for AWS managed policies; larger policy size.
Groups vs. managed policies
Provide similar benefits: can be used to assign the same permission to many users; central location to manage permissions; policy updates affect multiple users.
Use groups when you need to logically group and manage users.
Use managed policies when you need to assign the same policy to users, groups, and roles.
Combine the power of groups AND managed policies
Use groups to organize your users into logical clusters. Attach managed policies to groups with the permissions those groups need.
Pro tip: Create managed policies based on logically separated permissions such as AWS service or project, and attach managed policies mix-and-match style to your groups.
One AWS account vs. multiple AWS accounts?
Use a single AWS account when you: want simpler control of who does what in your AWS environment; have no need to isolate projects/products/teams; have no need for breaking up the cost.
Use multiple AWS accounts when you: need full isolation between projects/teams/environments; want to isolate recovery data and/or auditing data (e.g., writing your CloudTrail logs to a different account); need a single bill, but want to break out the cost and usage.
Segmented AWS account structure
Financial: Billing account (Consolidated Billing, Billing Alerts), used by Procurement and Finance.
Security/audit: Security/Audit account (read-only access for all accounts), used by SOC/Auditors; Logging account (event and state logging; read-only access to logging data).
Utility: User management account; Key management account; Shared services account; Backup/DR account; administered by Domain Specific Admins.
Operational: Production accounts; Dev/Test accounts; owned by Application Owners.
Infrastructure as code
Infrastructure as code is a practice whereby traditional infrastructure management techniques are supplemented and often replaced by using code-based tools and software development techniques.
“It’s all software”
AWS Resources → Infrastructure Resource Management → AWS CloudFormation: Amazon Virtual Private Cloud (VPC), Amazon Elastic Compute Cloud (EC2), AWS Identity and Access Management (IAM), Amazon Relational Database Service (RDS), Amazon Simple Storage Service (S3), AWS CodePipeline, …
Operating System and Host Configuration → Host Configuration Management → AWS OpsWorks: Windows Registry, Linux networking, OpenSSH, LDAP, AD domain registration, centralized logging, system metrics, deployment agents, host monitoring, …
Application Configuration → Application Deployment → AWS CodeDeploy: application dependencies, application configuration, service registration, management scripts, database credentials, …
CloudFormation – Components & technology
Template: JSON formatted file; parameter definition; resource creation; configuration actions
Stack: configured AWS resources; comprehensive service support; service event aware; customizable
Framework: stack creation; stack updates; error detection and rollback
Many stacks & environments from one template
Template file defining stack, stored in Git, Perforce, SVN, … and deployed to Dev, Test, Prod
The entire infrastructure can be represented in an AWS CloudFormation template.
Use the version control system of your choice to store and track changes to this template.
Build out multiple environments using the same template, such as for Development, Test, Production, and even DR.
What security benefits does this give?
Ability to perform “Code Audit” on your infrastructure: look for unauthorized network configurations; verify security groups; verify operating system; use with AWS CodeCommit trigger or GitHub hooks.
Split ownership (single file or merge): app team owns main section; network team owns VPC/subnets; security team owns security groups.
Automate upon check-in!
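One shape the “code audit on check-in” can take, as an added example that is not code from the deck or from AWS: parse a CloudFormation JSON template, walk every AWS::EC2::SecurityGroup, and flag ingress rules open to the whole internet on anything but an allow-listed port, exiting non-zero so a CodeCommit trigger or GitHub hook can fail the commit. The template is constructed, and the policy that only port 443 may be public is an assumption to adjust per environment.

```python
"""Audit security groups in a CloudFormation JSON template at check-in.
Added example, not AWS code. Resource type and property names
(AWS::EC2::SecurityGroup, SecurityGroupIngress, IpProtocol, FromPort,
ToPort, CidrIp, CidrIpv6) are the real CloudFormation ones."""
import json

PUBLIC_CIDRS = {"0.0.0.0/0", "::/0"}
PUBLIC_PORTS_ALLOWED = {443}          # assumption: only HTTPS may face the internet


def _port_range(rule):
    """(from, to) as ints; CloudFormation accepts ints or strings, and -1 means all ports."""
    lo, hi = int(rule.get("FromPort", -1)), int(rule.get("ToPort", -1))
    if lo == -1 or rule.get("IpProtocol") == "-1":
        return 0, 65535
    return lo, hi


def audit_template(template_text):
    """Return findings as (logical id, protocol, from port, to port, cidr) tuples."""
    template = json.loads(template_text)
    findings = []
    for logical_id, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::EC2::SecurityGroup":
            continue
        for rule in res.get("Properties", {}).get("SecurityGroupIngress", []):
            cidr = rule.get("CidrIp") or rule.get("CidrIpv6")
            if cidr not in PUBLIC_CIDRS:
                continue                      # internal source range: not this check's concern
            lo, hi = _port_range(rule)
            if lo == hi and lo in PUBLIC_PORTS_ALLOWED:
                continue                      # a single allow-listed port may be public
            findings.append((logical_id, rule.get("IpProtocol", "tcp"), lo, hi, cidr))
    return findings


# Constructed template: a web tier that passes, and an admin group that does not.
SAMPLE_TEMPLATE = json.dumps({
    "AWSTemplateFormatVersion": "2010-09-09",
    "Resources": {
        "WebSg": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
            "GroupDescription": "web tier", "VpcId": "vpc-placeholder",
            "SecurityGroupIngress": [
                {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "0.0.0.0/0"}]}},
        "AdminSg": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
            "GroupDescription": "admin", "VpcId": "vpc-placeholder",
            "SecurityGroupIngress": [
                {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"},
                {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389, "CidrIp": "10.0.0.0/8"},
                {"IpProtocol": "-1", "CidrIpv6": "::/0"}]}},
        "Bucket": {"Type": "AWS::S3::Bucket"},
    },
})


def demo():
    return audit_template(SAMPLE_TEMPLATE)


if __name__ == "__main__":
    for finding in demo():
        print("OPEN TO INTERNET: %s %s %d-%d from %s" % finding)
    raise SystemExit(1 if demo() else 0)    # non-zero exit fails the check-in hook
```

Because the template is reviewed as text before any stack is created, the security team that owns the security-group section can veto a world-open SSH or all-protocol rule without ever touching the running environment.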
Where else can this be applied?
CloudFormation template (AWS CloudFormation); task definition (Amazon EC2 Container Service); application specification file (AppSpec file) (AWS CodeDeploy); …and more.
![Page 60: Best Practices for Managing Security Operations in AWS - AWS July 2016 Webinar Series](https://reader036.vdocuments.mx/reader036/viewer/2022081514/587125e81a28abe4448b61c7/html5/thumbnails/60.jpg)
Audit and log your AWS service usage
![Page 61: Best Practices for Managing Security Operations in AWS - AWS July 2016 Webinar Series](https://reader036.vdocuments.mx/reader036/viewer/2022081514/587125e81a28abe4448b61c7/html5/thumbnails/61.jpg)
If it moves…log it!
![Page 62: Best Practices for Managing Security Operations in AWS - AWS July 2016 Webinar Series](https://reader036.vdocuments.mx/reader036/viewer/2022081514/587125e81a28abe4448b61c7/html5/thumbnails/62.jpg)
Why cloud logging/monitoring is different
• Distributed servers coming and going (e.g., Auto Scaling, microservices)
• More visibility (e.g., AWS CloudTrail): in the cloud, we have more log types than in the data center.
• More different kinds of data: many distinct log sources that on premises are not monitored by the same systems, such as networking (Amazon VPC Flow Logs), system/application, and configuration (very difficult on-premises)
• Large amount of information (e.g., Amazon VPC Flow Logs)
![Page 63: Best Practices for Managing Security Operations in AWS - AWS July 2016 Webinar Series](https://reader036.vdocuments.mx/reader036/viewer/2022081514/587125e81a28abe4448b61c7/html5/thumbnails/63.jpg)
Different log categories
• AWS infrastructure logs: AWS CloudTrail, Amazon VPC Flow Logs
• AWS service logs: Amazon S3, Elastic Load Balancing, Amazon CloudFront, AWS Lambda, AWS Elastic Beanstalk, …
• Host-based logs: messages, security, NGINX/Apache/IIS, Windows Event Logs, Windows Performance Counters, …
Security-related events
![Page 65: Best Practices for Managing Security Operations in AWS - AWS July 2016 Webinar Series](https://reader036.vdocuments.mx/reader036/viewer/2022081514/587125e81a28abe4448b61c7/html5/thumbnails/65.jpg)
Amazon CloudWatch Logs: monitor logs from Amazon EC2 instances in real time
![Page 66: Best Practices for Managing Security Operations in AWS - AWS July 2016 Webinar Series](https://reader036.vdocuments.mx/reader036/viewer/2022081514/587125e81a28abe4448b61c7/html5/thumbnails/66.jpg)
Ubiquitous logging and monitoring
• Amazon CloudWatch Logs lets you grab everything and monitor activity
• Storage is cheap: collect and keep your logs
• Agent based (Linux and Windows)
• Export data: to Amazon S3; stream to Amazon Elasticsearch Service or AWS Lambda
• Integration with metrics and alarms means you can continually scan for events you know might be suspicious
• Combine/use third-party products
IF (detected web attacks > 10 in a 1-minute period) → ALARM == INCIDENT IN PROGRESS!
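The “more than 10 in a 1-minute period” rule above, evaluated locally as an added example (not code from the webinar): a metric filter turns each matching log line into a count of 1, and an alarm sums those counts per period and compares the sum with a threshold. The access-log lines, the choice of HTTP 403 as the “blocked attack” signal, and the function names are constructed for this illustration.

```python
"""Replay a CloudWatch Logs metric filter + alarm over web server log lines (added example)."""
import re
from collections import Counter
from datetime import datetime

# Combined-log-format line. The equivalent CloudWatch Logs space-delimited
# filter pattern would be: [ip, id, user, timestamp, request, status_code=403, size]
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<bytes>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
BLOCKED_STATUS = 403  # assumption: the web tier answers 403 to requests it blocks


def parse_line(line):
    """Return the parsed fields of one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["time"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec


def metric_filter(line):
    """Metric value emitted for one line: 1 when it matches the filter, else 0."""
    rec = parse_line(line)
    return 1 if rec and rec["status"] == BLOCKED_STATUS else 0


def evaluate_alarm(lines, threshold=10, period_seconds=60):
    """Sum the metric per fixed period and return {period_start_epoch: count} for breaches.

    A breach is a period whose sum is strictly greater than the threshold,
    mirroring a GreaterThanThreshold alarm on a Sum statistic.
    """
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and metric_filter(line):
            bucket = int(rec["time"].timestamp()) // period_seconds * period_seconds
            counts[bucket] += 1
    return {bucket: c for bucket, c in counts.items() if c > threshold}


def _line(ip, ts, status):
    return f'{ip} - - [{ts}] "GET /login?user=admin HTTP/1.1" {status} 512'


# Constructed sample: 12 blocked requests in minute 12:00 (breach), 3 in 12:01 (no breach).
SAMPLE_LINES = (
    [_line("198.51.100.7", f"29/Jul/2016:12:00:{s:02d} +0000", 403) for s in range(0, 36, 3)]
    + [_line("198.51.100.7", "29/Jul/2016:12:00:40 +0000", 200)]
    + [_line("203.0.113.9", f"29/Jul/2016:12:01:{s:02d} +0000", 403) for s in range(0, 9, 3)]
)

if __name__ == "__main__":
    for start, count in evaluate_alarm(SAMPLE_LINES).items():
        print(f"ALARM: {count} blocked requests in the minute starting at epoch {start}")
```

In CloudWatch the same logic is two resources, a metric filter on the log group and an alarm on the resulting metric; the value of rehearsing it offline is seeing that the threshold, the period and the statistic together decide what counts as an incident.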
![Page 67: Best Practices for Managing Security Operations in AWS - AWS July 2016 Webinar Series](https://reader036.vdocuments.mx/reader036/viewer/2022081514/587125e81a28abe4448b61c7/html5/thumbnails/67.jpg)
AWS CloudTrail: records AWS API calls for your account
![Page 68: Best Practices for Managing Security Operations in AWS - AWS July 2016 Webinar Series](https://reader036.vdocuments.mx/reader036/viewer/2022081514/587125e81a28abe4448b61c7/html5/thumbnails/68.jpg)
What can you answer using a CloudTrail event?
• Who made the API call?
• When was the API call made?
• What was the API call?
• Which resources were acted upon in the API call?
• Where was the API call made from and made to?
Supported services: http://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-supported-services.html
![Page 69: Best Practices for Managing Security Operations in AWS - AWS July 2016 Webinar Series](https://reader036.vdocuments.mx/reader036/viewer/2022081514/587125e81a28abe4448b61c7/html5/thumbnails/69.jpg)
What does an event look like? (The `//` callouts are the slide’s annotations, not part of the JSON.)
```
{
  "eventVersion": "1.01",
  "userIdentity": {
    "type": "IAMUser",                              // Who?
    "principalId": "AIDAJDPLRKLG7UEXAMPLE",
    "arn": "arn:aws:iam::123456789012:user/Alice",  // Who?
    "accountId": "123456789012",
    "accessKeyId": "AKIAIOSFODNN7EXAMPLE",
    "userName": "Alice",
    "sessionContext": {
      "attributes": {
        "mfaAuthenticated": "false",
        "creationDate": "2014-03-18T14:29:23Z"
      }
    }
  },
  "eventTime": "2014-03-18T14:30:07Z",              // When?
  "eventSource": "cloudtrail.amazonaws.com",
  "eventName": "StartLogging",                      // What?
  "awsRegion": "us-west-2",                         // Where to?
  "sourceIPAddress": "72.21.198.64",                // Where from?
  "userAgent": "AWSConsole, aws-sdk-java/1.4.5 Linux/x.xx.fleetxen Java_HotSpot(TM)_64-Bit_Server_VM/xx",
  "requestParameters": {
    "name": "Default"                               // Which resource?
  }
  // more event details
}
```
![Page 70: Best Practices for Managing Security Operations in AWS - AWS July 2016 Webinar Series](https://reader036.vdocuments.mx/reader036/viewer/2022081514/587125e81a28abe4448b61c7/html5/thumbnails/70.jpg)
AWS CloudTrail best practices
![Page 71: Best Practices for Managing Security Operations in AWS - AWS July 2016 Webinar Series](https://reader036.vdocuments.mx/reader036/viewer/2022081514/587125e81a28abe4448b61c7/html5/thumbnails/71.jpg)
1. Enable in all regions
Benefits:
• Also tracks unused regions
• Can be done in a single configuration step
![Page 72: Best Practices for Managing Security Operations in AWS - AWS July 2016 Webinar Series](https://reader036.vdocuments.mx/reader036/viewer/2022081514/587125e81a28abe4448b61c7/html5/thumbnails/72.jpg)
2. Enable log file validation
Benefits:
• Ensures log-file integrity
• Validated log files are invaluable in security and forensic investigations
• Built using industry standard algorithms: SHA-256 for hashing and SHA-256 with RSA for digital signing
• AWS CloudTrail will start delivering digest files on an hourly basis
• Digest files contain hash values of the log files delivered and are signed by CloudTrail
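What the digest files buy you in an investigation, shown as an added example that is not code from the webinar or from AWS: each digest lists the SHA-256 of every log file delivered in its hour and carries the hash of the previous digest, so an analyst can verify both that no log file was altered and that no digest was dropped from the chain. The digest field names follow the documented digest layout but are an assumption here; the log files and digests are constructed, and the RSA signature over each digest is not checked (that needs CloudTrail’s public key, and `aws cloudtrail validate-logs` performs the complete check).

```python
"""Offline check of the CloudTrail log-file validation chain (added example)."""
import hashlib
import json


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed "delivered" log files keyed by S3 object key (contents are illustrative).
_PREFIX = "AWSLogs/123456789012/CloudTrail/us-east-1/2016/07/29/"
LOG_FILES = {
    _PREFIX + "123456789012_CloudTrail_us-east-1_20160729T1200Z_aaaa.json.gz":
        b'{"Records":[{"eventName":"StartLogging"}]}',
    _PREFIX + "123456789012_CloudTrail_us-east-1_20160729T1300Z_bbbb.json.gz":
        b'{"Records":[{"eventName":"CreateUser"}]}',
}


def make_digest(log_keys, previous_digest):
    """Build a constructed, unsigned digest referencing log files and the previous digest."""
    return json.dumps({
        "awsAccountId": "123456789012",
        "digestSignatureAlgorithm": "SHA256withRSA",
        "previousDigestHashAlgorithm": "SHA-256",
        "previousDigestHashValue": sha256_hex(previous_digest) if previous_digest else None,
        "logFiles": [
            {"s3Object": key, "hashAlgorithm": "SHA-256", "hashValue": sha256_hex(LOG_FILES[key])}
            for key in log_keys
        ],
    }, sort_keys=True).encode()


_KEYS = list(LOG_FILES)
DIGEST_1 = make_digest(_KEYS[:1], None)       # first digest of the chain
DIGEST_2 = make_digest(_KEYS[1:], DIGEST_1)   # links back to DIGEST_1


def verify_chain(digests, log_files):
    """Check every listed log-file hash and the link between consecutive digests.

    `digests` are the raw digest bytes in delivery order; `log_files` maps S3 key
    to file bytes. Returns a list of problems; an empty list means the chain holds.
    """
    problems = []
    previous = None
    for i, raw in enumerate(digests):
        digest = json.loads(raw)
        if previous is not None and digest["previousDigestHashValue"] != sha256_hex(previous):
            problems.append(f"digest {i}: previousDigestHashValue does not match digest {i - 1}")
        for entry in digest["logFiles"]:
            data = log_files.get(entry["s3Object"])
            if data is None:
                problems.append(f"digest {i}: log file missing: {entry['s3Object']}")
            elif sha256_hex(data) != entry["hashValue"]:
                problems.append(f"digest {i}: hash mismatch for {entry['s3Object']}")
        previous = raw
    return problems


if __name__ == "__main__":
    print(verify_chain([DIGEST_1, DIGEST_2], LOG_FILES) or "chain intact")
```

The chain check is what catches a missing hour: a digest whose `previousDigestHashValue` does not match the digest before it means something between the two was removed or replaced, which a per-file hash alone would never reveal.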
![Page 73: Best Practices for Managing Security Operations in AWS - AWS July 2016 Webinar Series](https://reader036.vdocuments.mx/reader036/viewer/2022081514/587125e81a28abe4448b61c7/html5/thumbnails/73.jpg)
3. Encrypt logs
Benefits:
• By default, CloudTrail encrypts log files using S3 server-side encryption (SSE-S3)
• You can choose to encrypt using AWS KMS (SSE-KMS)
• S3 will decrypt on your behalf if your credentials have decrypt permissions
![Page 74: Best Practices for Managing Security Operations in AWS - AWS July 2016 Webinar Series](https://reader036.vdocuments.mx/reader036/viewer/2022081514/587125e81a28abe4448b61c7/html5/thumbnails/74.jpg)
4. Integrate with Amazon CloudWatch Logs
Benefits:
• Simple search
• Configure alerting on events
![Page 75: Best Practices for Managing Security Operations in AWS - AWS July 2016 Webinar Series](https://reader036.vdocuments.mx/reader036/viewer/2022081514/587125e81a28abe4448b61c7/html5/thumbnails/75.jpg)
5. Centralize logs from all accounts
Benefits:
• Configure all accounts to send logs to a central security account
• Reduces the risk of log tampering
• Can be combined with S3 CRR
• Include dev/stage accounts!
![Page 76: Best Practices for Managing Security Operations in AWS - AWS July 2016 Webinar Series](https://reader036.vdocuments.mx/reader036/viewer/2022081514/587125e81a28abe4448b61c7/html5/thumbnails/76.jpg)
VPC Flow Logs: log network traffic for an Amazon VPC, a subnet, or single interfaces
![Page 77: Best Practices for Managing Security Operations in AWS - AWS July 2016 Webinar Series](https://reader036.vdocuments.mx/reader036/viewer/2022081514/587125e81a28abe4448b61c7/html5/thumbnails/77.jpg)
VPC Flow Logs
• Stores logs in Amazon CloudWatch Logs
• Can be enabled on an Amazon VPC, a subnet, or a network interface; enabling on a VPC or subnet logs all interfaces in that VPC/subnet; each network interface has a unique log stream
• Flow logs do not capture real-time log streams for your network interfaces
• Can capture on interfaces for other AWS services: Elastic Load Balancing, Amazon RDS, Amazon ElastiCache, Amazon Redshift, and Amazon WorkSpaces
• Filter the desired result based on need: All, Reject, Accept. Troubleshooting or security related with alerting needs? Think before enabling All on the VPC—will you use it?
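As an added example (not from the webinar), the kind of question a Reject-filtered flow log is turned on to answer: which sources are being refused, and on how many distinct ports. The records below follow the default space-separated flow log record format; the records themselves, including the `NODATA`/`SKIPDATA` lines that carry no flow fields, are constructed, and the function names are this example’s own.

```python
"""Parse VPC Flow Log records and summarize rejected traffic per source (added example)."""
from collections import defaultdict

# Field order of the default flow log record format (version 2).
FIELDS = ["version", "account_id", "interface_id", "srcaddr", "dstaddr", "srcport", "dstport",
          "protocol", "packets", "bytes", "start", "end", "action", "log_status"]

# Constructed records as they would appear in the interface's CloudWatch Logs stream.
SAMPLE_RECORDS = """\
2 123456789012 eni-1a2b3c4d 203.0.113.12 10.0.1.5 49152 22 6 3 180 1469793600 1469793660 REJECT OK
2 123456789012 eni-1a2b3c4d 203.0.113.12 10.0.1.5 49153 23 6 3 180 1469793600 1469793660 REJECT OK
2 123456789012 eni-1a2b3c4d 203.0.113.12 10.0.1.5 49154 3389 6 3 180 1469793600 1469793660 REJECT OK
2 123456789012 eni-1a2b3c4d 198.51.100.8 10.0.1.5 51000 443 6 20 8400 1469793600 1469793660 ACCEPT OK
2 123456789012 eni-1a2b3c4d 198.51.100.8 10.0.1.5 51001 22 6 2 120 1469793600 1469793660 REJECT OK
2 123456789012 eni-1a2b3c4d - - - - - - - 1469793600 1469793660 - NODATA
2 123456789012 eni-1a2b3c4d - - - - - - - 1469793600 1469793660 - SKIPDATA
"""


def parse_record(line):
    """Return a dict for one flow record, or None for malformed or NODATA/SKIPDATA lines."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    if rec["log_status"] != "OK":  # no traffic captured in this window: fields are "-"
        return None
    for field in ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end"):
        rec[field] = int(rec[field])
    return rec


def rejected_ports_by_source(text, min_distinct_ports=1):
    """Map each source address to the sorted destination ports it was rejected on.

    `min_distinct_ports` keeps only sources refused on at least that many ports,
    which separates a single mistyped connection from a sweep across services.
    """
    ports = defaultdict(set)
    for line in text.splitlines():
        rec = parse_record(line)
        if rec and rec["action"] == "REJECT":
            ports[rec["srcaddr"]].add(rec["dstport"])
    return {src: sorted(p) for src, p in ports.items() if len(p) >= min_distinct_ports}


if __name__ == "__main__":
    for src, dst_ports in rejected_ports_by_source(SAMPLE_RECORDS, min_distinct_ports=2).items():
        print(f"{src} rejected on {len(dst_ports)} ports: {dst_ports}")
```

This is also the argument for the slide’s “think before enabling All”: the Reject records alone answer this question, at a fraction of the volume of logging every accepted flow.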
![Page 78: Best Practices for Managing Security Operations in AWS - AWS July 2016 Webinar Series](https://reader036.vdocuments.mx/reader036/viewer/2022081514/587125e81a28abe4448b61c7/html5/thumbnails/78.jpg)
Log management and analytics
ELK (Elasticsearch Service + Logstash + Kibana)
Elasticsearch Service + Kibana + Amazon CloudWatch Logs
Third-party solution
![Page 79: Best Practices for Managing Security Operations in AWS - AWS July 2016 Webinar Series](https://reader036.vdocuments.mx/reader036/viewer/2022081514/587125e81a28abe4448b61c7/html5/thumbnails/79.jpg)
AWS Technology Partner solutions integrated with CloudTrail
New
![Page 80: Best Practices for Managing Security Operations in AWS - AWS July 2016 Webinar Series](https://reader036.vdocuments.mx/reader036/viewer/2022081514/587125e81a28abe4448b61c7/html5/thumbnails/80.jpg)
AWS Technology Partner solutions integrated with CloudTrail
![Page 81: Best Practices for Managing Security Operations in AWS - AWS July 2016 Webinar Series](https://reader036.vdocuments.mx/reader036/viewer/2022081514/587125e81a28abe4448b61c7/html5/thumbnails/81.jpg)
Automating your compliance checks
![Page 82: Best Practices for Managing Security Operations in AWS - AWS July 2016 Webinar Series](https://reader036.vdocuments.mx/reader036/viewer/2022081514/587125e81a28abe4448b61c7/html5/thumbnails/82.jpg)
Multiple levels of automation
• Self managed: AWS CloudTrail -> Amazon CloudWatch Logs -> Amazon CloudWatch Alerts; AWS CloudTrail -> Amazon SNS -> AWS Lambda
• Compliance validation: AWS Config Rules
• Host-based compliance validation: Amazon Inspector
• Active change remediation: Amazon CloudWatch Events
![Page 83: Best Practices for Managing Security Operations in AWS - AWS July 2016 Webinar Series](https://reader036.vdocuments.mx/reader036/viewer/2022081514/587125e81a28abe4448b61c7/html5/thumbnails/83.jpg)
AWS Config Rules: automated compliance validation
![Page 84: Best Practices for Managing Security Operations in AWS - AWS July 2016 Webinar Series](https://reader036.vdocuments.mx/reader036/viewer/2022081514/587125e81a28abe4448b61c7/html5/thumbnails/84.jpg)
Tools - AWS Config Rules
• Time based: when a configuration snapshot is delivered; choose between 1, 3, 6, 12 or 24 hours
• Change based: EC2, IAM, CloudTrail, or tags
• AWS managed or custom checks using Lambda; control compliance status using Lambda
• Examples: encrypted volumes, CloudTrail, EIP attached, SSH access, Amazon EC2 in Amazon VPC, restricted common ports, and required tags
![Page 85: Best Practices for Managing Security Operations in AWS - AWS July 2016 Webinar Series](https://reader036.vdocuments.mx/reader036/viewer/2022081514/587125e81a28abe4448b61c7/html5/thumbnails/85.jpg)
How do I know what happened?
```json
{
  "account": "123456789012",
  "region": "us-east-1",
  "detail": {
    "eventVersion": "1.02",
    "eventID": "c78ce8de-46ee-4fea-bcf4-0e889d419f2f",
    "eventTime": "2016-01-18T03:32:18Z",
    "requestParameters": { "userName": "trigger" },
    "eventType": "AwsApiCall",
    "responseElements": {
      "user": {
        "userName": "trigger",
        "path": "/",
        "createDate": "Jan 18, 2016 3:32:18 AM",
        "userId": "AIDACKCEVSQ6C2EXAMPLE",
        "arn": "arn:aws:iam::123456789012:user/trigger"
      }
    },
    "awsRegion": "us-east-1",
    "eventName": "CreateUser",
    "userIdentity": {
      "userName": "IAM-API-RW",
      "principalId": "AIDACKCEVSQ6C2EXAMPLE",
      "accessKeyId": "AKIAIOSFODNN7EXAMPLE",
      "type": "IAMUser",
      "arn": "arn:aws:iam::123456789012:user/IAM-API-RW",
      "accountId": "123456789012"
    },
    "eventSource": "iam.amazonaws.com",
    "requestID": "13bb5711-bd94-11e5-9abd-af4e7ff9090f",
    "userAgent": "aws-cli/1.9.20 Python/2.7.10 Darwin/15.2.0 botocore/1.3.20",
    "sourceIPAddress": "192.0.2.10"
  },
  "detail-type": "AWS API Call via CloudTrail",
  "source": "aws.iam",
  "version": "0",
  "time": "2016-01-18T03:32:18Z",
  "id": "d818DD19-7b16-4e1d-a491-794a26b51657"
}
```
![Page 86: Best Practices for Managing Security Operations in AWS - AWS July 2016 Webinar Series](https://reader036.vdocuments.mx/reader036/viewer/2022081514/587125e81a28abe4448b61c7/html5/thumbnails/86.jpg)
The key to custom rules
```python
# boto3 request syntax for AWS Config put_evaluations; the '|' lists the allowed
# ComplianceType values, it is not runnable as written.
response = client.put_evaluations(
    Evaluations=[
        {
            'ComplianceResourceType': 'string',
            'ComplianceResourceId': 'string',
            'ComplianceType': 'COMPLIANT'|'NON_COMPLIANT'|'NOT_APPLICABLE'|'INSUFFICIENT_DATA',
            'Annotation': 'string',
            'OrderingTimestamp': datetime(2015, 1, 1)
        },
    ],
    ResultToken='string'
)
```
Use the Annotation field so the reason for a rule’s status can be pulled with the CLI
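A custom rule built around that call, as an added example that is not the webinar’s code nor a sample from the awslabs repository: Config invokes the Lambda with the configuration item as a JSON string in `invokingEvent` plus a `resultToken`; the function decides COMPLIANT / NON_COMPLIANT / NOT_APPLICABLE / INSUFFICIENT_DATA, puts the reason in `Annotation`, and reports with `put_evaluations`. The check (an EBS volume must be encrypted), the sample event and the recording client are constructed; the Config client is passed in so the logic runs offline.

```python
"""Custom AWS Config rule: EBS volumes must be encrypted (added example)."""
import json


def evaluate_volume(configuration_item):
    """Return (ComplianceType, Annotation) for one configuration item."""
    if configuration_item.get("resourceType") != "AWS::EC2::Volume":
        return "NOT_APPLICABLE", "rule applies to EBS volumes only"
    cfg = configuration_item.get("configuration") or {}
    if "encrypted" not in cfg:
        return "INSUFFICIENT_DATA", "configuration has no 'encrypted' attribute"
    if cfg["encrypted"]:
        return "COMPLIANT", "volume is encrypted"
    return "NON_COMPLIANT", "volume is not encrypted"


def build_evaluation(configuration_item):
    """Shape the result exactly as put_evaluations expects it."""
    compliance, annotation = evaluate_volume(configuration_item)
    return {
        "ComplianceResourceType": configuration_item["resourceType"],
        "ComplianceResourceId": configuration_item["resourceId"],
        "ComplianceType": compliance,
        "Annotation": annotation,  # surfaces in get-compliance-details-by-config-rule output
        "OrderingTimestamp": configuration_item["configurationItemCaptureTime"],
    }


def lambda_handler(event, context, config_client=None):
    """Entry point Config invokes; `config_client` is injectable for offline runs."""
    invoking_event = json.loads(event["invokingEvent"])
    evaluation = build_evaluation(invoking_event["configurationItem"])
    if config_client is None:
        import boto3  # only needed inside Lambda; imported lazily so the check runs offline
        config_client = boto3.client("config")
    config_client.put_evaluations(Evaluations=[evaluation], ResultToken=event["resultToken"])
    return evaluation


# Constructed change-triggered event in the shape Config delivers.
SAMPLE_EVENT = {
    "invokingEvent": json.dumps({
        "configurationItem": {
            "resourceType": "AWS::EC2::Volume",
            "resourceId": "vol-0123456789abcdef0",
            "configurationItemCaptureTime": "2016-07-29T12:00:00.000Z",
            "configuration": {"encrypted": False, "size": 8},
        },
        "messageType": "ConfigurationItemChangeNotification",
    }),
    "resultToken": "example-result-token",
}


class RecordingConfigClient:
    """Stand-in for the boto3 Config client that records put_evaluations calls."""

    def __init__(self):
        self.calls = []

    def put_evaluations(self, **kwargs):
        self.calls.append(kwargs)
        return {"FailedEvaluations": []}


if __name__ == "__main__":
    client = RecordingConfigClient()
    print(lambda_handler(SAMPLE_EVENT, None, client))
```

Returning NOT_APPLICABLE for other resource types and INSUFFICIENT_DATA for an item that lacks the attribute keeps the dashboard honest: a rule that reports COMPLIANT whenever it cannot decide hides exactly the cases an auditor wants to see.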
![Page 88: Best Practices for Managing Security Operations in AWS - AWS July 2016 Webinar Series](https://reader036.vdocuments.mx/reader036/viewer/2022081514/587125e81a28abe4448b61c7/html5/thumbnails/88.jpg)
AWS Config Rules repository
AWS community repository of custom Config Rules: https://github.com/awslabs/aws-config-rules
Contains Node and Python samples for custom rules for AWS Config
![Page 89: Best Practices for Managing Security Operations in AWS - AWS July 2016 Webinar Series](https://reader036.vdocuments.mx/reader036/viewer/2022081514/587125e81a28abe4448b61c7/html5/thumbnails/89.jpg)
Amazon CloudWatch Events: the central nervous system for your AWS environment
![Page 90: Best Practices for Managing Security Operations in AWS - AWS July 2016 Webinar Series](https://reader036.vdocuments.mx/reader036/viewer/2022081514/587125e81a28abe4448b61c7/html5/thumbnails/90.jpg)
Tools - Amazon CloudWatch Events
• Trigger on event: Amazon EC2 instance state change notification; AWS API call (very specific); AWS Management Console sign-in; Auto Scaling (no lifecycle hooks)
• Or schedule (used by AWS Lambda): cron is in the cloud! No more “unreliable town clock”; minimum 5 minutes
• A single event can have multiple targets
![Page 91: Best Practices for Managing Security Operations in AWS - AWS July 2016 Webinar Series](https://reader036.vdocuments.mx/reader036/viewer/2022081514/587125e81a28abe4448b61c7/html5/thumbnails/91.jpg)
Different sources have different events
An IAM user calling CreateUser:
```
"eventName": "CreateUser",
"userIdentity": {
  "userName": "IAM-API-RW",
  "principalId": "AIDACKCEVSQ6C2EXAMPLE",
  "accessKeyId": "AKIAIOSFODNN7EXAMPLE",
  "type": "IAMUser",
  "arn": "arn:aws:iam::123456789012:user/IAM-API-RW",
  "accountId": "123456789012"
}
```
The same call made through an assumed role:
```
"eventName": "CreateUser",
"userIdentity": {
  "principalId": "AKIAI44QH8DHBEXAMPLE:admin",
  "accessKeyId": "GFSHKUOLZG53JE5DHKRC",
  "sessionContext": {
    "sessionIssuer": {
      "userName": "AssumeAdministrator",
      "type": "Role",
      "arn": "arn:aws:iam::123456789012:role/Administrator",
      "principalId": "AKIAI44QH8DHBEXAMPLE",
      "accountId": "123456789012"
    },
    "attributes": {
      "creationDate": "2016-01-18T16:50:04Z",
      "mfaAuthenticated": "false"
    }
  },
  "type": "AssumedRole",
  "arn": "arn:aws:sts::123456789012:assumed-role/Administrator/admin",
  "accountId": "123456789012"
}
```
![Page 92: Best Practices for Managing Security Operations in AWS - AWS July 2016 Webinar Series](https://reader036.vdocuments.mx/reader036/viewer/2022081514/587125e81a28abe4448b61c7/html5/thumbnails/92.jpg)
How can I get the different events?
```python
import json

def lambda_handler(event, context):
    # Dump the incoming event so its structure can be read in the function's logs
    eventdump = json.dumps(event, indent=2)
    print("Received event: " + eventdump)
    return eventdump
```
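Once the events are visible, the next step is reading them consistently. The block below is an added example, not code from the webinar: it answers the who/when/what/where/which questions from slide 68 for a record whether it comes straight from a CloudTrail log file or wrapped in a CloudWatch Events `detail` envelope, and it resolves the caller for both `userIdentity` shapes shown above (an IAM user, and an assumed role where the person is visible only in the session name). The two events are constructed from the slides’ values, the `flag_unmfa_iam_change` heuristic is this example’s own, and nothing here needs boto3.

```python
"""Normalize CloudTrail records from either delivery path into one actor summary (added example)."""

# IAM API names that change state; a heuristic for this example, not an AWS list.
IAM_WRITE_PREFIXES = ("Create", "Delete", "Put", "Attach", "Detach", "Update", "Add", "Remove")


def unwrap(event):
    """CloudWatch Events wraps the CloudTrail record in 'detail'; raw records pass through."""
    return event["detail"] if "detail-type" in event and "detail" in event else event


def describe_actor(user_identity):
    """Return a stable actor label and MFA state for IAMUser, AssumedRole and Root identities."""
    kind = user_identity.get("type")
    attrs = (user_identity.get("sessionContext") or {}).get("attributes", {})
    mfa = attrs.get("mfaAuthenticated") == "true"  # CloudTrail encodes this as a string
    if kind == "IAMUser":
        return {"actor": f"user/{user_identity['userName']}", "mfa": mfa}
    if kind == "AssumedRole":
        issuer = user_identity["sessionContext"]["sessionIssuer"]
        session_name = user_identity["principalId"].split(":", 1)[1]  # "<role id>:<session>"
        return {"actor": f"role/{issuer['userName']} (session {session_name})", "mfa": mfa}
    if kind == "Root":
        return {"actor": "root", "mfa": mfa}
    return {"actor": f"{kind}:{user_identity.get('arn')}", "mfa": mfa}


def summarize(event):
    """Answer who / when / what / where from / where to / which for one event."""
    rec = unwrap(event)
    who = describe_actor(rec["userIdentity"])
    return {
        "who": who["actor"],
        "mfa": who["mfa"],
        "when": rec["eventTime"],
        "what": f"{rec['eventSource']}:{rec['eventName']}",
        "where_from": rec.get("sourceIPAddress"),
        "where_to": rec.get("awsRegion"),
        "which": rec.get("requestParameters") or {},
    }


def flag_unmfa_iam_change(summary):
    """Heuristic: an IAM state-changing call made without MFA deserves a second look."""
    source, name = summary["what"].split(":", 1)
    return source == "iam.amazonaws.com" and name.startswith(IAM_WRITE_PREFIXES) and not summary["mfa"]


# Constructed from the slide 69 record: an IAM user calling StartLogging, delivered raw.
RAW_EVENT = {
    "eventVersion": "1.01",
    "userIdentity": {"type": "IAMUser", "principalId": "AIDAJDPLRKLG7UEXAMPLE",
                     "arn": "arn:aws:iam::123456789012:user/Alice", "accountId": "123456789012",
                     "accessKeyId": "AKIAIOSFODNN7EXAMPLE", "userName": "Alice",
                     "sessionContext": {"attributes": {"mfaAuthenticated": "false",
                                                       "creationDate": "2014-03-18T14:29:23Z"}}},
    "eventTime": "2014-03-18T14:30:07Z", "eventSource": "cloudtrail.amazonaws.com",
    "eventName": "StartLogging", "awsRegion": "us-west-2", "sourceIPAddress": "72.21.198.64",
    "requestParameters": {"name": "Default"},
}

# Constructed CloudWatch Events envelope around an assumed-role CreateUser call (slide 91 shape).
WRAPPED_EVENT = {
    "detail-type": "AWS API Call via CloudTrail", "source": "aws.iam", "version": "0",
    "detail": {
        "eventVersion": "1.02", "eventTime": "2016-01-18T16:51:00Z",
        "eventSource": "iam.amazonaws.com", "eventName": "CreateUser",
        "awsRegion": "us-east-1", "sourceIPAddress": "192.0.2.10",
        "requestParameters": {"userName": "trigger"},
        "userIdentity": {
            "type": "AssumedRole", "principalId": "AKIAI44QH8DHBEXAMPLE:admin",
            "arn": "arn:aws:sts::123456789012:assumed-role/Administrator/admin",
            "accountId": "123456789012",
            "sessionContext": {
                "sessionIssuer": {"type": "Role", "userName": "Administrator",
                                  "arn": "arn:aws:iam::123456789012:role/Administrator"},
                "attributes": {"creationDate": "2016-01-18T16:50:04Z", "mfaAuthenticated": "false"},
            },
        },
    },
}

if __name__ == "__main__":
    for ev in (RAW_EVENT, WRAPPED_EVENT):
        s = summarize(ev)
        print(s["who"], "->", s["what"], "| flag:", flag_unmfa_iam_change(s))
```

The session name is the only place an assumed-role event names the human behind it, which is why enforcing a meaningful role session name matters as much as enforcing MFA when the summary is what your alerting keys on.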
![Page 93: Best Practices for Managing Security Operations in AWS - AWS July 2016 Webinar Series](https://reader036.vdocuments.mx/reader036/viewer/2022081514/587125e81a28abe4448b61c7/html5/thumbnails/93.jpg)
Risks with automatic remediation
• You can now automatically mess up your approved changes
• No proper alerting and follow-up on automatic events
• Overcomplicated and undercomplicated scripts
• No info on desired state
• Race the hacker…automation wars!
![Page 94: Best Practices for Managing Security Operations in AWS - AWS July 2016 Webinar Series](https://reader036.vdocuments.mx/reader036/viewer/2022081514/587125e81a28abe4448b61c7/html5/thumbnails/94.jpg)
Amazon Inspector: automated security assessment service
![Page 95: Best Practices for Managing Security Operations in AWS - AWS July 2016 Webinar Series](https://reader036.vdocuments.mx/reader036/viewer/2022081514/587125e81a28abe4448b61c7/html5/thumbnails/95.jpg)
What is Amazon Inspector? Enables you to analyze the behavior of your AWS resources and helps identify potential security issues
• Application security assessment: agent based; 15 minutes–24 hours
• Selectable built-in rules (rule packages): Common Vulnerabilities and Exposures, CIS Operating System Security Configuration Benchmarks, security best practices, run-time behavior analysis
• Security findings – guidance and management
• Automatable via APIs
![Page 96: Best Practices for Managing Security Operations in AWS - AWS July 2016 Webinar Series](https://reader036.vdocuments.mx/reader036/viewer/2022081514/587125e81a28abe4448b61c7/html5/thumbnails/96.jpg)
Don’t forget built-in reporting
![Page 97: Best Practices for Managing Security Operations in AWS - AWS July 2016 Webinar Series](https://reader036.vdocuments.mx/reader036/viewer/2022081514/587125e81a28abe4448b61c7/html5/thumbnails/97.jpg)
AWS Trusted Advisor checks your account
![Page 98: Best Practices for Managing Security Operations in AWS - AWS July 2016 Webinar Series](https://reader036.vdocuments.mx/reader036/viewer/2022081514/587125e81a28abe4448b61c7/html5/thumbnails/98.jpg)
IAM credential reports
![Page 99: Best Practices for Managing Security Operations in AWS - AWS July 2016 Webinar Series](https://reader036.vdocuments.mx/reader036/viewer/2022081514/587125e81a28abe4448b61c7/html5/thumbnails/99.jpg)
Summing up
• Enforce separation of duties and least privilege accounts
• MFA on users; enforce using IAM policies
• Know what is security vs. troubleshooting logs
• Storage is cheap, not knowing can be very expensive – log if possible
• Alerting is good, automating your security response is better
• Use managed services and built-in reporting to offload and automate
• See the big picture: what info do you want and what tool can give it to you
![Page 100: Best Practices for Managing Security Operations in AWS - AWS July 2016 Webinar Series](https://reader036.vdocuments.mx/reader036/viewer/2022081514/587125e81a28abe4448b61c7/html5/thumbnails/100.jpg)
Thank you!