Security on AWS - IAM, Amazon CloudWatch, AWS CloudTrail, AWS Config, AWS CloudFormation, AWS Trusted Advisor

Posted on 29-Mar-2018

TRANSCRIPT

  • Security on AWS

    Amazon Web Services

    Kyungsoo Lee Partner Solutions Architect

    Kyungsol@amazon.com

  • 2

    Firewall/NG Firewall

    IPS/IDS

    NAC

    WAF

    Anti-Spam

    App/DB

    Web

  • 3

    "Cloud applications have amorphous, polymorphic attack surfaces."

    - Jason Chan, Director of Engineering, Cloud Security, Netflix

  • 4


  • 5

    AWS IAM

    Amazon CloudWatch

    AWS CloudTrail

    AWS Config

    AWS CloudFormation

    AWS Trusted Advisor

  • 6

    Corporate Data center

    Servers

    SPAN/TAP

    Router

    One-Arm

  • 7


  • 8

    Security is our #1 priority

  • 9

    This

    To this

  • 10

    [Chart, 2007 to 2015: 48, 61, 82, 159, 280, 514, 722; 269 (37%); 2015: 40%, 722]

  • 11

    Shared Security Responsibility

  • 12

    WHAT NEEDS TO BE DONE TO KEEP THE SYSTEM SAFE

  • 13

    WHAT WE DO

    WHAT YOU HAVE TO DO

  • 14

    AWS Shared Security Responsibility

    Customers are responsible for their security IN the Cloud:

    Customer content

    Platform, Applications, Identity & Access Management

    Operating System, Network & Firewall Configuration

    Client-side Data Encryption / Server-side Data Encryption / Network Traffic Protection

    AWS is responsible for the security OF the Cloud:

    AWS Foundation Services: Compute, Storage, Database, Networking

    AWS Global Infrastructure: Regions, Availability Zones, Edge Locations

  • 15

    Customers are responsible for their security IN the Cloud: customer content; platform, applications, identity & access management; operating system, network & firewall configuration; client-side data encryption, server-side data encryption and network traffic protection

    Independent validation by experts

    Every AWS Region is in scope

    SOC 1 (SSAE 16 & ISAE 3402) Type II

    SOC 2 Type II and public SOC 3 report

    ISO 27001 Certification

    Certified PCI DSS Level 1 Service Provider

    FedRAMP Certification, HIPAA capable

  • 16

    "Based on our experience, I believe that we can be even more secure in the AWS cloud than in our own data center."

    - Tom Soderstrom, CTO, NASA JPL

  • 17

    Physical: AWS compliance program, Third-party attestations

    Network security: Security groups, VPC configuration, Web application firewalls, Bastion hosts, Encryption in-transit

    System security: Hardened AMIs, OS and app patch mgmt., IAM roles for EC2, IAM credentials

    Data security: Logical access controls, User authentication, Encryption at-rest

  • 18

    Visibility

    Controllability

    Auditability

  • 19

    (DATA, USER, NETWORK)

  • 20

    AWS: 16 Regions, 42 Availability Zones

  • 21

    AWS Regions

    US West (OR): AZ A, AZ B, AZ C

    GovCloud (US): AZ A, AZ B

    US West (CA): AZ A, AZ B, AZ C

    US East (VA): AZ A, AZ B, AZ C, AZ D, AZ E

    China (Beijing)*: AZ A

    EU (Ireland): AZ A, AZ B, AZ C

    EU (Frankfurt): AZ A, AZ B

    S. America (Sao Paulo): AZ A, AZ B

    Asia Pacific (Tokyo): AZ A, AZ B, AZ C

    Asia Pacific (Singapore): AZ A, AZ B

    Asia Pacific (Sydney): AZ A, AZ B

    Asia Pacific (Seoul): AZ A, AZ B

    *A limited preview of the China (Beijing) Region is available to a select group of China-based and multinational companies with customers in China. These customers are required to create an AWS Account, with a set of credentials that are distinct and separate from other global AWS Accounts.

  • 22

    Details about encryption can be found in the AWS Whitepaper, Securing Data at Rest with Encryption:

    https://media.amazonwebservices.com/AWS_Securing_Data_at_Rest_with_Encryption.pdf

    Encryption In-Transit: HTTPS, SSL/TLS, SSH, VPN

    Encryption At-Rest: Object, Database, Filesystem, Disk

  • 23

    AWS KMS

    Centralized Key Management for use with AWS: Customer Master Key(s)

    The Customer Master Key(s) protect per-resource Data Keys (Data Key 1 to Data Key 4) used for S3 Objects, EBS Volumes, Redshift Clusters and applications using the AWS SDK; key usage is logged to AWS CloudTrail

    Envelope encryption: an Application or AWS Service uses a Data Key to produce Encrypted Data; the Data Key is kept as an Encrypted Data Key, wrapped by the Master Key(s) in the customer's account in KMS

    Details about security controls can be found in the AWS Whitepaper, KMS Cryptographic Details:

    http://d0.awsstatic.com/whitepapers/KMS-Cryptographic-Details.pdf

  • 24

    AWS Key Management Service: Integrated with Amazon EBS

  • 25

    USER

  • 26

    AWS IAM: Identity + Authentication + Authorization

    AWS Account Owner (Root): Access to all subscribed services. Access to billing. Access to console and APIs. Access to Customer Support.

    AWS IAM User (IAM Users, Groups and Roles): Access to specific services. Access to console and/or APIs. Access to Customer Support (Business and Enterprise).

    Temporary Security Credentials: Access to specific services. Access to console and/or APIs.

  • 27

  • 28

    NETWORK

  • 29

    AWS network security

    [Diagram: AWS Cloud with two isolated VPCs, A and B, each with its own VPC IP range and EC2 instances]

    AWS IP Spoofing

  • 30

    VPC: Web / App / DB tiers

  • 31

    Network ACL (NACL)

    Web / App / DB tiers

    Deny all traffic

    Allow

  • 32

    EC2 Security Group

    Web / App / DB tiers

    Web: Port 443

    Port 443

    Deny all traffic

  • 33

    VPC 10.1.0.0/16

  • 34

    [WAF] AWS WAF (WAF on CDN)

    WAF on CloudFront edges (www.a.com), 54 edges

    users / legitimate traffic: Safe Traffic passed to WEB/WAS

    hackers / Bad bots: SQL Injection, XSS (cross-site scripting) filtered at the CloudFront edge

    WAF monitor & filter at the edge, scaling with CloudFront

  • 35

    (NETWORK, SYSTEM, AUDIT)

  • 36


  • 37

    AWS IAM

    Amazon CloudWatch

    AWS CloudTrail

    AWS Config

    AWS CloudFormation

    AWS Trusted Advisor

    AWS IT Governance

  • 38

    Amazon CloudWatch

    Monitored services: EC2, Auto Scaling, ELB, Route 53, EBS, Storage Gateway, CloudFront, DynamoDB, ElastiCache, RDS, EMR, SNS, SQS, Custom metrics

  • 39

    AWS Trusted Advisor Security

  • 40

  • 41

    AWS Inspector

    Agent

    API

    Rule Packages: CVE (common vulnerabilities and exposures); Network security best practices (4); Authentication best practices (9); Operating system security best practices (4); Application security best practices (2); PCI DSS 3.0 readiness (25)

  • 42

    (COMPLIANCE, HISTORY, LOG)

  • 43

  • 44

  • 45

    AWS CloudTrail records the API calls made in an AWS account.

    Each CloudTrail record includes:

    the API that was called

    the API call details

    the source IP of the API call

    the AWS service involved

  • 46

    AWS CloudTrail logs delivered to CloudWatch Logs
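Added example, not from the deck: a small Python triage of the CloudTrail record fields the two slides above list (caller, API call, source IP), run over constructed sample events and flagging the cases a defender watches for on the CloudTrail-to-CloudWatch Logs stream (root activity, console login without MFA, changes to the trail itself). Event field names follow the CloudTrail event schema; the sample events, account ID, IPs and the rule set are constructed for this example.

```python
from datetime import datetime

# Constructed sample CloudTrail records (not real account data); the field
# names follow the CloudTrail event schema: eventTime, eventName, eventSource,
# sourceIPAddress, userIdentity, additionalEventData.
SAMPLE_EVENTS = [
    {"eventTime": "2018-03-29T09:12:01Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventTime": "2018-03-29T09:15:44Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}},
    {"eventTime": "2018-03-29T10:02:13Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::111122223333:assumed-role/ops/bob"}},
]

# CloudTrail API calls that change or disable the audit trail itself.
TRAIL_TAMPERING = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}

def who(event):
    """Caller identity as CloudTrail presents it: user name, ARN or identity type."""
    ident = event.get("userIdentity", {})
    return ident.get("userName") or ident.get("arn") or ident.get("type", "unknown")

def triage(event):
    """Return the finding labels for one CloudTrail record (empty list = nothing notable)."""
    findings = []
    ident = event.get("userIdentity", {})
    if ident.get("type") == "Root":
        findings.append("root-account-activity")
    if event.get("eventName") == "ConsoleLogin" and \
            event.get("additionalEventData", {}).get("MFAUsed") == "No":
        findings.append("console-login-without-mfa")
    if event.get("eventSource") == "cloudtrail.amazonaws.com" and \
            event.get("eventName") in TRAIL_TAMPERING:
        findings.append("cloudtrail-tampering")
    return findings

def summarize(events):
    """Reduce flagged events to (when, who, source IP, API call, findings) rows."""
    rows = []
    for ev in events:
        findings = triage(ev)
        if findings:
            when = datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
            rows.append((when.isoformat(), who(ev), ev.get("sourceIPAddress"), ev["eventName"], findings))
    return rows
```

Calling `summarize(SAMPLE_EVENTS)` yields two rows, the root console login and the StopLogging call; the routine EC2 describe call produces no finding.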

  • 47

    AWS Config / Config Rules: configuration change notifications via AWS SNS

    Use cases: Troubleshooting, Discovery

    Config Rules: custom rules

    Lambda blueprint

    Lambda samples on GitHub

  • 48

    AWS Service Catalog

    Service Catalog Products (Product A, Product B, ...) built from CloudFormation templates

    Products are accessed through the AWS API

  • 49

    WHAT WE DO

    WHAT YOU HAVE TO DO

  • THANK YOU

    Amazon Web Services

    Kyungsoo Lee