
Network Security and Access Control within AWS


Page 1: Network Security and Access Control within AWS

© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

Andrew Kiggins, Solutions Architect

April 19, 2016

Network Security and Access

Control within AWS

Page 2: Network Security and Access Control within AWS

What to expect from the session

• Configure network security using VPC
• Configure users, groups and roles to manage actions
• Configure monitoring and logging to audit changes

Page 3: Network Security and Access Control within AWS

Network security

Page 4: Network Security and Access Control within AWS

Network security tools

• Amazon VPC

• Subnet

• Security groups

• Network ACLs

• Amazon CloudFront

• Amazon Route 53

• iptables (host firewall on the instance itself)

Page 5: Network Security and Access Control within AWS

VPC

Diagram: VPC (BuildABeer-VPC-1) with instances behind security group (BuildABeer-SG-1). Two inbound flows arrive: an HTTP GET Beer on TCP(6) port 80 and an NTP Buffer Overrun attempt on UDP(17) port 123. Only TCP/80 is allowed in. A security group is a stateful allow-list with no deny rules, so the UDP/123 traffic is dropped simply because nothing permits it.

Page 6: Network Security and Access Control within AWS

Network ACL

Diagram: the same VPC (BuildABeer-VPC-1) and security group (BuildABeer-SG-1). Two HTTP GET Beer requests on TCP(6) port 80 arrive; the one with srcIP=216.246.16.228 is stopped at the subnet's network ACL. A security group cannot express "deny this source"; a network ACL can, through numbered allow/deny rules evaluated lowest number first. Network ACLs are stateless, so return traffic needs its own allow rule in the other direction.
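The two diagrams above (security group on slide 5, network ACL on slide 6) can be modelled as a small evaluator. This is an added example, not code from the deck: the security group below is the slide's BuildABeer-SG-1 with only TCP/80 allowed in, the network ACL is an assumed rule set in which rule 100 denies the offending source address and rule 200 is the allow-all of a default NACL, and the packets are constructed. It shows why the deny has to live in the NACL and why NACL rule numbering matters.

```python
import ipaddress
from collections import namedtuple

Packet = namedtuple("Packet", "src dst proto port")

# Security group BuildABeer-SG-1 as the slide implies it: allow-only, stateful,
# and nothing but TCP/80 permitted in. Rule tuple: (protocol, port, source CIDR).
SG_BUILDABEER_1 = [
    ("tcp", 80, "0.0.0.0/0"),   # HTTP GET Beer
]

# Assumed network ACL for the public subnet. Numbered rules, lowest evaluated
# first, first match wins, stateless. Tuple: (number, action, protocol, port, CIDR).
# Rule 100 is the deny of the bad source IP from the slide; 200 is the allow-all
# a default NACL carries; 32767 is the implicit final deny.
NACL_PUBLIC = [
    (100, "deny", "all", None, "216.246.16.228/32"),
    (200, "allow", "all", None, "0.0.0.0/0"),
    (32767, "deny", "all", None, "0.0.0.0/0"),
]


def _matches(proto, port, cidr, pkt):
    """One rule against one packet; port None means any port."""
    if proto not in ("all", pkt.proto):
        return False
    if port is not None and port != pkt.port:
        return False
    return ipaddress.ip_address(pkt.src) in ipaddress.ip_network(cidr)


def security_group_allows(rules, pkt):
    """Stateful allow-list: admitted if any rule matches, dropped otherwise.
    There is no deny rule to write, which is why the slide needs a NACL to
    block one specific source."""
    return any(_matches(p, port, cidr, pkt) for p, port, cidr in rules)


def nacl_decision(rules, pkt):
    """(rule number, action) of the first matching rule in number order."""
    for number, action, proto, port, cidr in sorted(rules, key=lambda r: r[0]):
        if _matches(proto, port, cidr, pkt):
            return number, action
    return None, "deny"


def admitted(pkt, nacl=NACL_PUBLIC, sg=SG_BUILDABEER_1):
    """Inbound packet to an instance: subnet NACL first, then the instance's SG."""
    _, action = nacl_decision(nacl, pkt)
    return action == "allow" and security_group_allows(sg, pkt)


if __name__ == "__main__":
    for pkt in (Packet("198.51.100.7", "10.0.1.20", "tcp", 80),     # HTTP GET Beer
                Packet("198.51.100.7", "10.0.1.20", "udp", 123),    # NTP buffer overrun
                Packet("216.246.16.228", "10.0.1.20", "tcp", 80)):  # GET from the denied source
        print(pkt, "NACL:", nacl_decision(NACL_PUBLIC, pkt),
              "->", "admitted" if admitted(pkt) else "dropped")
```

The NTP packet passes the NACL (rule 200) and is dropped by the security group; the request from 216.246.16.228 never reaches the security group because rule 100 denies it. Give the deny a higher number than the allow-all and it becomes dead: the allow matches first and the source is admitted, which is the most common NACL mistake.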

Page 7: Network Security and Access Control within AWS

Obfuscate

Diagram: users → Amazon Route 53 → Amazon CloudFront → ELB in a public subnet → servers in a private subnet, inside VPC (BuildABeer-VPC-1) behind security group (BuildABeer-SG-1). The public DNS name resolves to CloudFront, not to the load balancer or the instances.

Page 8: Network Security and Access Control within AWS

FAIL

Page 9: Network Security and Access Control within AWS

End run

Diagram: VPC (BuildABeer-VPC-1) with two tiers. www.foo.com is served via Amazon Route 53 → CloudFront → ELB load balancer (public subnet) → web servers (private subnet, security group BuildABeer-SG-2). mail.foo.com points straight at the Elastic Load Balancing load balancer (public subnet) in front of the mail servers (private subnet, security group BuildABeer-SG-1), bypassing CloudFront entirely. Any hostname in the zone that resolves directly to a load balancer gives an attacker a path around the front door.

Page 10: Network Security and Access Control within AWS

Hide 'n' go seek

~>nslookup www.buildabeer.com

Server: 10.43.23.72

Address: 10.43.23.72#53

Non-authoritative answer:

www.buildabeer.us canonical name = d3u9qbug2y23to.cloudfront.net.

Name: d3u9qbug2y23to.cloudfront.net

Address: 52.84.20.173

<snip>

Name: d3u9qbug2y23to.cloudfront.net

Address: 52.84.20.85

~>nslookup ftp.buildabeer.com

Server: 10.43.23.72

Address: 10.43.23.72#53

Non-authoritative answer:

ftp.buildabeer canonical name = bab-elb-1-916251722.us-west-2.elb.amazonaws.com.

Name: bab-elb-1-916251722.us-west-2.elb.amazonaws.com

Address: 54.148.117.41

<snip>
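The output above is what the "end run" looks like from outside: www resolves through CloudFront, ftp lands on a classic ELB hostname that spells out the load balancer name and the region. The following is an added example, not from the deck, that parses nslookup-style text of this shape and flags every name whose CNAME chain does not terminate at CloudFront. The sample text is constructed to mirror the slide's output; the fronted-suffix list and the ELB hostname pattern are assumptions of this example.

```python
import re

# Constructed sample modelled on the slide's nslookup output.
SAMPLE_NSLOOKUP = """\
~>nslookup www.buildabeer.com
Server:         10.43.23.72
Address:        10.43.23.72#53

Non-authoritative answer:
www.buildabeer.com      canonical name = d3u9qbug2y23to.cloudfront.net.
Name:   d3u9qbug2y23to.cloudfront.net
Address: 52.84.20.173
Name:   d3u9qbug2y23to.cloudfront.net
Address: 52.84.20.85

~>nslookup ftp.buildabeer.com
Server:         10.43.23.72
Address:        10.43.23.72#53

Non-authoritative answer:
ftp.buildabeer.com      canonical name = bab-elb-1-916251722.us-west-2.elb.amazonaws.com.
Name:   bab-elb-1-916251722.us-west-2.elb.amazonaws.com
Address: 54.148.117.41
"""

# Suffixes treated as the "front door": traffic through them can be filtered
# before it reaches the VPC. Anything else is a direct path to the origin.
FRONTED_SUFFIXES = (".cloudfront.net",)
# Classic ELB hostname: <name>-<digits>.<region>.elb.amazonaws.com
ELB_RE = re.compile(r"^(?P<name>[^.]+)\.(?P<region>[a-z]{2}-[a-z]+-\d)\.elb\.amazonaws\.com$")


def parse_nslookup(text):
    """Return {queried name: {"cname": last CNAME target or None, "addresses": [...]}}.
    The resolver's own 'Address: x.x.x.x#53' line is skipped by the port suffix."""
    results, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"^\S*nslookup\s+(\S+)", line)
        if m:
            current = results.setdefault(m.group(1), {"cname": None, "addresses": []})
            continue
        if current is None:
            continue
        m = re.match(r"^(\S+)\s+canonical name = (\S+?)\.?$", line)
        if m:
            current["cname"] = m.group(2)
            continue
        m = re.match(r"^Address:\s+(\d+\.\d+\.\d+\.\d+)$", line)
        if m:
            current["addresses"].append(m.group(1))
    return results


def classify(record):
    """('fronted', None) when the chain ends at CloudFront; otherwise
    ('origin-exposed', details), with the ELB name and region when recognisable."""
    cname = record["cname"] or ""
    if cname.endswith(FRONTED_SUFFIXES):
        return "fronted", None
    m = ELB_RE.match(cname)
    if m:
        return "origin-exposed", {"load_balancer": m.group("name"), "region": m.group("region")}
    return "origin-exposed", None


def audit(text):
    """Map every queried name to its classification."""
    return {name: classify(rec) for name, rec in parse_nslookup(text).items()}


if __name__ == "__main__":
    for name, (verdict, details) in audit(SAMPLE_NSLOOKUP).items():
        print(f"{name:24} {verdict:16} {details or ''}")
```

Run this over every record in the hosted zone, not just the ones you remember creating: the web name is hidden, but the ftp record exposes the load balancer's public address, its name, and us-west-2 to anyone who asks the resolver.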

Page 11: Network Security and Access Control within AWS

Layers of defense

Diagram: users → security services (IPS/IDS, WAF, firewall) in the public subnet → ELB in a private subnet → web servers in a private subnet, inside VPC (BuildABeer-VPC-1) with security group (BuildABeer-SG-1).

Page 12: Network Security and Access Control within AWS

Access denied

Page 13: Network Security and Access Control within AWS

Access points to AWS

• AWS Management Console
• AWS Command Line Interface
• API

~>aws ec2 describe-instances
{
    "Reservations": [
        {
            "Groups": [],
            "Instances": [
                {
                    "KeyName": "kiggins-bab-ec1-t2micro-keypair_0217",
                    "VirtualizationType": "hvm",
                    "AmiLaunchIndex": 0,
                    "SourceDestCheck": true,
                    "PublicIpAddress": "52.37.47.60",
                    "Architecture": "x86_64",
                    "RootDeviceType": "ebs",
<snip>

#!/usr/bin/python3
import boto3

# Get the service resource
ec2 = boto3.resource('ec2')

# Print out each EC2 instance
for instance in ec2.instances.all():
    print(instance)

Page 14: Network Security and Access Control within AWS

Who can access resources

• Accounts
• Users
  • AWS Identity and Access Management (IAM) users
  • Federated users
• Groups
• Roles
• Services

Diagram: IAM users, IAM groups, an IAM role, a federated user, and Amazon EC2 (a service) as the identities that act on resources.

Page 15: Network Security and Access Control within AWS

Restricted access best practices

• Do not use the root account

• Create an administrative account

• Enable MFA

• Enforce strong passwords

• Use groups to assign permissions

• Use cross account access for secure logging

Page 16: Network Security and Access Control within AWS

Managing your policies

• IAM policies

• Managed policies

• Inline policies

• Resource-based policies

Page 17: Network Security and Access Control within AWS

IAM policies

• Managed policies (newer way)
  • Can be attached to multiple users, groups, and roles
  • AWS managed policies: created and maintained by AWS
  • Customer managed policies: created and maintained by you
  • Up to 5K per policy
  • Up to 5 versions of a policy so you can roll back to a prior version
  • You can attach 10 managed policies per user, group, or role
  • You can limit who can attach which managed policies
• Inline policies (older way)
  • You create and embed directly in a single user, group, or role
  • Variable policy size (2K per user, 5K per group, 10K per role)
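The size limits above are enforced only when you try to attach the policy, and a policy that fits is not necessarily a safe one. Below is an added example, not from the deck, of a static check to run before attaching: it measures the policy the way IAM does (characters with whitespace removed) against the limits quoted on the slide, and flags Allow statements that grant wildcard actions on every resource without a Condition. The two sample policies and the "allowed"/"attach_as" names are constructed for this example.

```python
import json
import re

# Limits as quoted on the slide; IAM counts characters excluding whitespace.
SIZE_LIMITS = {
    "managed": 5120,
    "inline-user": 2048,
    "inline-group": 5120,
    "inline-role": 10240,
}

# Constructed samples: the first looks like AdministratorAccess, the second is
# scoped to read-only EC2 describes and an MFA-gated S3 read.
ADMIN_LIKE = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}
SCOPED = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["ec2:DescribeInstances", "ec2:DescribeSecurityGroups"],
         "Resource": "*"},
        {"Effect": "Allow",
         "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::bab-logs/*",
         "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}},
    ],
}


def policy_size(doc):
    """Size as IAM measures it: serialized characters with whitespace removed."""
    compact = json.dumps(doc, separators=(",", ":"))
    return len(re.sub(r"\s", "", compact))


def _as_list(v):
    # Policy elements may be a single string or a list; normalise to a list.
    return v if isinstance(v, list) else [v]


def lint(doc, attach_as="managed"):
    """Findings for a policy about to be attached as attach_as; empty means clean."""
    findings = []
    size = policy_size(doc)
    if size > SIZE_LIMITS[attach_as]:
        findings.append(f"size {size} exceeds {attach_as} limit {SIZE_LIMITS[attach_as]}")
    for i, stmt in enumerate(_as_list(doc.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        wild_action = any(a == "*" or a.endswith(":*") for a in actions)
        wild_resource = "*" in resources
        if wild_action and wild_resource and "Condition" not in stmt:
            findings.append(f"statement {i}: unconditional Allow of {actions} on *")
        if "NotAction" in stmt and wild_resource:
            findings.append(f"statement {i}: Allow with NotAction on * grants everything not listed")
    return findings


def where_it_fits(doc):
    """Attachment types whose size limit this policy satisfies, sorted by name."""
    size = policy_size(doc)
    return sorted(k for k, limit in SIZE_LIMITS.items() if size <= limit)


if __name__ == "__main__":
    for name, doc in (("ADMIN_LIKE", ADMIN_LIKE), ("SCOPED", SCOPED)):
        print(name, policy_size(doc), "chars; fits:", where_it_fits(doc))
        for finding in lint(doc) or ["no findings"]:
            print("  -", finding)
```

The ec2:Describe* actions legitimately need Resource "*" because they are not resource-scoped, so the linter only objects when both the action and the resource are wildcards; that combination with no Condition is administrative access whatever the policy is named.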

Page 18: Network Security and Access Control within AWS

Beyond IAM

• Amazon Directory Services
  • AD Connector
  • AWS Directory Service
• Customer Identity Broker

See SEC307, A Progressive Journey Through AWS IAM Federation Options: https://www.youtube.com/watch?v=-XARG9W2bGc

Page 19: Network Security and Access Control within AWS

Configuring logging and monitoring

Page 20: Network Security and Access Control within AWS

Services

• AWS CloudTrail

• AWS Config

• Amazon Inspector

• VPC Flow Logs

Page 21: Network Security and Access Control within AWS

AWS CloudTrail


Page 22: Network Security and Access Control within AWS

Introduction to AWS CloudTrail

Diagram: you are making API calls on a growing set of AWS services around the world (Amazon EBS and Amazon S3 among them); CloudTrail is continuously recording those API calls and delivers the log files to an Amazon S3 bucket, from which you can store/archive them, troubleshoot, and monitor and alarm.

Page 23: Network Security and Access Control within AWS

Use cases enabled by CloudTrail

• IT and security administrators can perform security analysis
• IT administrators and DevOps engineers can attribute changes on AWS resources to the identity, time and other critical details of who made the change
• DevOps engineers can troubleshoot operational issues
• IT auditors can use log files as a compliance aid
• See: Security at Scale: Logging in AWS White Paper

Page 24: Network Security and Access Control within AWS

AWS Config

• Get inventory of AWS resources

• Discover new and deleted resources

• Record configuration changes continuously

• Get notified when configurations change

Page 25: Network Security and Access Control within AWS

AWS Config

Page 26: Network Security and Access Control within AWS

AWS Config

Page 27: Network Security and Access Control within AWS

AWS Config Rules

• Check configuration changes
  • Periodic
  • Event driven
• Rules
  • Pre-built rules provided by AWS
  • Custom rules using AWS Lambda
• Use dashboard for visualizing compliance and identifying offending changes

Compliance guideline                              Action if noncompliant
All EBS volumes should be encrypted               Encrypt volumes
Instances must be within a VPC                    Terminate instance
Instances must be tagged with environment type    Notify developer (email, page, Amazon SNS)

Page 28: Network Security and Access Control within AWS

AWS Config Rules (Example—instances must be tagged with a data classification)
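The tagging rule on this slide is the classic case for a custom rule backed by AWS Lambda. Below is an added example, not from the deck, of what that function looks like: the decision logic is kept separate from the Lambda entry point so it can be exercised without the SDK, and the result is reported through the Config PutEvaluations API. Assumptions of this example: the tag key defaults to "DataClassification" (overridable with the rule parameter "tagKey") and the permitted values arrive as the comma-separated rule parameter "allowed"; the sample invocation event is constructed.

```python
import json

COMPLIANT, NON_COMPLIANT, NOT_APPLICABLE = "COMPLIANT", "NON_COMPLIANT", "NOT_APPLICABLE"
DEFAULT_TAG = "DataClassification"   # assumed tag key for this example


def evaluate_compliance(configuration_item, rule_parameters):
    """Pure decision logic: (compliance type, annotation) for one configuration item."""
    if configuration_item.get("resourceType") != "AWS::EC2::Instance":
        return NOT_APPLICABLE, "rule only covers EC2 instances"
    if configuration_item.get("configurationItemStatus") == "ResourceDeleted":
        return NOT_APPLICABLE, "resource deleted"
    tag_key = rule_parameters.get("tagKey", DEFAULT_TAG)
    allowed = {v.strip() for v in rule_parameters.get("allowed", "").split(",") if v.strip()}
    tags = configuration_item.get("tags") or {}
    value = tags.get(tag_key)
    if value is None:
        return NON_COMPLIANT, f"missing tag {tag_key}"
    if allowed and value not in allowed:
        return NON_COMPLIANT, f"{tag_key}={value} not in {sorted(allowed)}"
    return COMPLIANT, f"{tag_key}={value}"


def build_evaluation(event):
    """Turn a Config rule invocation event into the Evaluation that PutEvaluations expects.
    invokingEvent and ruleParameters arrive as JSON strings inside the event."""
    invoking = json.loads(event["invokingEvent"])
    item = invoking["configurationItem"]
    params = json.loads(event.get("ruleParameters") or "{}")
    compliance, annotation = evaluate_compliance(item, params)
    return {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": compliance,
        "Annotation": annotation[:256],          # Config caps annotations at 256 chars
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }


def lambda_handler(event, context):
    """Lambda entry point: evaluate, then hand the verdict back to Config."""
    import boto3  # imported here so the decision logic above runs without the SDK installed
    evaluation = build_evaluation(event)
    boto3.client("config").put_evaluations(
        Evaluations=[evaluation], ResultToken=event["resultToken"])
    return evaluation


# Constructed invocation event: an instance tagged with environment but no classification.
SAMPLE_EVENT = {
    "invokingEvent": json.dumps({
        "configurationItem": {
            "resourceType": "AWS::EC2::Instance",
            "resourceId": "i-0123456789abcdef0",
            "configurationItemStatus": "OK",
            "configurationItemCaptureTime": "2016-04-19T10:00:00.000Z",
            "tags": {"Name": "bab-web-1", "environment": "prod"},
        },
        "messageType": "ConfigurationItemChangeNotification",
    }),
    "ruleParameters": json.dumps({"allowed": "public,internal,confidential"}),
    "resultToken": "constructed-token",
}

if __name__ == "__main__":
    print(json.dumps(build_evaluation(SAMPLE_EVENT), indent=2))
```

Returning NOT_APPLICABLE for deleted resources and for other resource types matters: a rule that reports NON_COMPLIANT for a terminated instance leaves a permanent red entry on the dashboard the slide describes.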

Page 29: Network Security and Access Control within AWS

Amazon Inspector

• Vulnerability Assessment Service

• Built from the ground up to support DevOps model

• Automatable by using API actions

• AWS Context Aware

• Static and dynamic telemetry

• Integrated with CI/CD tools

• On-demand pricing model

• CVE and CIS rules packages

• AWS AppSec best practices

Page 30: Network Security and Access Control within AWS

Rule packages

• CVE (common vulnerabilities and exposures)

• 1000+ rules evaluated

• CIS (Center for Internet Security Benchmarks)

• OS hardening

• Vulnerability

• Patch

• Inventory

• Compliance

• AWS Security best practices

• AppSec learnings

Page 31: Network Security and Access Control within AWS

VPC Flow Logs

Page 32: Network Security and Access Control within AWS

Dumping out the heavy hitter IP addresses

#!/usr/bin/python3
import boto3

# Get the CloudWatch Logs client (VPC Flow Logs are delivered to log groups)
logs = boto3.client('logs')

# Get the log groups
groups = logs.describe_log_groups()
for logGroup in groups['logGroups']:
    # Get the log streams (one per network interface) for each log group
    logStreamsDesc = logs.describe_log_streams(logGroupName=logGroup['logGroupName'])
    for logStream in logStreamsDesc['logStreams']:
        events_resp = logs.get_log_events(logGroupName=logGroup['logGroupName'],
                                          logStreamName=logStream['logStreamName'])
        # Count log entries by source IP address. A flow log record reads
        # "version account-id interface-id srcaddr dstaddr srcport dstport ...",
        # so srcaddr is field index 3 (index 4 would be the destination address).
        ip_dict = {}
        for event in events_resp['events']:
            ip = event['message'].split()[3]
            ip_dict[ip] = ip_dict.get(ip, 0) + 1
        for w in sorted(ip_dict, key=ip_dict.get, reverse=True):
            print('{0:15} {1:8d}'.format(w, ip_dict[w]))
        # Early exit: only the first stream of the first group is reported
        exit()
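The script above needs live credentials and only counts records. The following is an added example, not from the deck, that does the same heavy-hitter ranking offline on the raw record format and adds the detection a practitioner actually wants from flow logs: sources whose REJECTed flows spread across many destination ports. The records are constructed in the default flow log format (version account-id interface-id srcaddr dstaddr srcport dstport protocol packets bytes start end action log-status); NODATA and SKIPDATA rows carry no addresses and are skipped.

```python
from collections import Counter, defaultdict

FIELDS = ("version", "account_id", "interface_id", "srcaddr", "dstaddr", "srcport",
          "dstport", "protocol", "packets", "bytes", "start", "end", "action", "log_status")

# Constructed records: a normal web client, one source probing 22/23/3389/445
# and then hitting 80, a rejected NTP packet, and an interval with no traffic.
SAMPLE_RECORDS = """\
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.20 51021 80 6 10 4000 1461060000 1461060059 ACCEPT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.20 51022 80 6 12 5200 1461060000 1461060059 ACCEPT OK
2 123456789012 eni-0a1b2c3d 216.246.16.228 10.0.1.20 40001 22 6 1 60 1461060000 1461060059 REJECT OK
2 123456789012 eni-0a1b2c3d 216.246.16.228 10.0.1.20 40002 23 6 1 60 1461060000 1461060059 REJECT OK
2 123456789012 eni-0a1b2c3d 216.246.16.228 10.0.1.20 40003 3389 6 1 60 1461060000 1461060059 REJECT OK
2 123456789012 eni-0a1b2c3d 216.246.16.228 10.0.1.20 40004 445 6 1 60 1461060000 1461060059 REJECT OK
2 123456789012 eni-0a1b2c3d 216.246.16.228 10.0.1.20 40005 80 6 3 180 1461060000 1461060059 ACCEPT OK
2 123456789012 eni-0a1b2c3d 203.0.113.9 10.0.1.20 123 123 17 1 76 1461060000 1461060059 REJECT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1461060000 1461060059 - NODATA
"""


def parse_records(text):
    """Yield one dict per well-formed record with log-status OK; numeric fields as ints."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":
            continue
        for key in ("srcport", "dstport", "protocol", "packets", "bytes"):
            rec[key] = int(rec[key])
        yield rec


def heavy_hitters(records, by="srcaddr", top=5):
    """Bytes per address, highest first: the slide's heavy-hitter list by volume."""
    totals = Counter()
    for rec in records:
        totals[rec[by]] += rec["bytes"]
    return totals.most_common(top)


def rejected_port_scans(records, min_ports=3):
    """Sources whose REJECTed flows touched at least min_ports distinct destination ports.
    A security group or NACL drop shows up as REJECT, so a scan of closed ports
    is visible here even though nothing on the instance ever saw it."""
    ports = defaultdict(set)
    for rec in records:
        if rec["action"] == "REJECT":
            ports[rec["srcaddr"]].add(rec["dstport"])
    return {src: sorted(p) for src, p in ports.items() if len(p) >= min_ports}


if __name__ == "__main__":
    recs = list(parse_records(SAMPLE_RECORDS))
    for addr, nbytes in heavy_hitters(recs):
        print("{0:15} {1:8d}".format(addr, nbytes))
    for src, scanned in rejected_port_scans(recs).items():
        print("possible scan from", src, "ports", scanned)
```

The scanning source is not the top talker by bytes; single-packet REJECTs are cheap, which is why a volume ranking alone misses it and the rejected-port view is worth keeping next to it.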

Page 33: Network Security and Access Control within AWS

Partners

Page 34: Network Security and Access Control within AWS

Thank you!

aws.amazon.com/security

aws.amazon.com/compliance

Page 35: Network Security and Access Control within AWS

Remember to complete

your evaluations!
