security on aws - iam amazon cloudwatch aws cloudtrail aws config aws cloudformation aws trusted...
Post on 29-Mar-2018
Security on AWS
Amazon Web Services
Kyungsoo Lee Partner Solutions Architect
Kyungsol@amazon.com
2
Firewall / NG Firewall
IPS/IDS
NAC
WAF
Anti-Spam
App/DB
Web
3
AWS
"Cloud applications have amorphous, polymorphic attack surfaces."
- Jason Chan, Director of Engineering, Cloud Security, Netflix
4
5
AWS
AWS IAM, Amazon CloudWatch, AWS CloudTrail, AWS Config, AWS CloudFormation, AWS Trusted Advisor
6
Corporate Data center: Servers, SPAN/TAP, Router, One-Arm
7
8
Security is our #1 priority
9
This
To this
10
AWS
[Chart: releases per year, 2007 2008 2009 2010 2011 2012 2013 2014 2015; values as extracted: 48 6182 159 280 514 722; 269 (37%); 2015: 40%, 722]
11
Shared Security Responsibility
12
WHAT NEEDS TO BE DONE TO KEEP THE SYSTEM SAFE
13
WHAT WE DO
WHAT YOU HAVE TO DO
14
AWS Shared Responsibility Model
Customers are responsible for their security IN the Cloud:
- Customer content
- Platform, Applications, Identity & Access Management
- Operating System, Network & Firewall Configuration
- Client-side Data Encryption; Server-side Data Encryption; Network Traffic Protection
AWS is responsible for the security OF the Cloud:
- AWS Foundation Services: Compute, Storage, Database, Networking
- AWS Global Infrastructure: Regions, Availability Zones, Edge Locations
15
AWS Shared Responsibility Model (continued): customers are responsible for their security IN the Cloud (customer content; platform, applications, identity & access management; operating system, network & firewall configuration; client-side data encryption, server-side data encryption, network traffic protection).
Independent validation by experts
Every AWS Region is in scope
- SOC 1 (SSAE 16 & ISAE 3402) Type II
- SOC 2 Type II and public SOC 3 report
- ISO 27001 Certification
- Certified PCI DSS Level 1 Service Provider
- FedRAMP Certification, HIPAA capable
16
"Based on our experience, I believe that we can be even more secure in the AWS cloud than in our own data center."
- Tom Soderstrom, CTO, NASA JPL
17
Physical: AWS compliance program; Third-party attestations
Network security: Security groups; VPC configuration; Web application firewalls; Bastion hosts; Encryption in-transit
System security: Hardened AMIs; OS and app patch mgmt.; IAM roles for EC2; IAM credentials
Data security: Logical access controls; User authentication; Encryption at-rest
18
AWS: (Visibility), (Controllability), (Auditability)
19
(DATA, USER, NETWORK)
20
AWS: 16 Regions, 42 Availability Zones
21
AWS Regions and Availability Zones (map):
US West (OR): AZ A, AZ B, AZ C
GovCloud (US): AZ A, AZ B
US West (CA): AZ A, AZ B, AZ C
US East (VA): AZ A, AZ B, AZ C, AZ D, AZ E
China (Beijing)*: AZ A
EU (Ireland): AZ A, AZ B, AZ C
S. America (Sao Paulo): AZ A, AZ B
Asia Pacific (Tokyo): AZ A, AZ B, AZ C
Asia Pacific (Singapore): AZ A, AZ B
Asia Pacific (Sydney): AZ A, AZ B
EU (Frankfurt): AZ A, AZ B
Asia Pacific (Seoul): AZ A, AZ B
*A limited preview of the China (Beijing) Region is available to a select group of China-based and multinational companies with customers in China. These customers are required to create an AWS Account, with a set of credentials that are distinct and separate from other global AWS Accounts.
22
AWS
Details about encryption can be found in the AWS Whitepaper, Securing Data at Rest with Encryption.
Encryption In-Transit: HTTPS, SSL/TLS, SSH, VPN, Object
Encryption At-Rest: Object, Database, Filesystem, Disk
https://media.amazonwebservices.com/AWS_Securing_Data_at_Rest_with_Encryption.pdf
23
AWS KMS
Centralized Key Management for use with AWS: Customer Master Key(s) protect per-resource Data Keys (Data Key 1 to Data Key 4) for S3 Objects, EBS Volumes, Redshift Clusters and data encrypted through the AWS SDK (EBS, S3, Redshift, AWS SDK integrations); key usage is logged by AWS CloudTrail.
Application or AWS Service + Data Key -> Encrypted Data, stored together with the Encrypted Data Key; the Master Key(s) stay in the Customer's Account in KMS.
Details about security controls can be found in the AWS Whitepaper: KMS Cryptographic Details.
http://d0.awsstatic.com/whitepapers/KMS-Cryptographic-Details.pdf
24
AWS Key Management Service: Integrated with Amazon EBS
25
USER
26
AWS IAM: Identity + Authentication + Authorization
AWS Account Owner (Root), Account Owner ID: Access to all subscribed services. Access to billing. Access to console and APIs. Access to Customer Support.
AWS IAM User (IAM Users, Groups and Roles): Access to specific services. Access to console and/or APIs. Access to Customer Support (Business and Enterprise).
Temporary Security Credentials: Access to specific services. Access to console and/or APIs.
27
28
NETWORK
29
Amazon Virtual Private Cloud: [diagram: AWS Cloud with VPC A and VPC B, VPC IP ranges, EC2 instances]
AWS network security: IP spoofing is blocked between EC2 instances
30
VPC: Web / App / DB tiers
31
Network ACL (NACL): Web / App / DB tiers
Deny all traffic by default; Allow only what is required
32
EC2 Security Group: Web / App / DB tiers
Web: Port 443 only; App: Port 443 only
Deny all traffic not explicitly allowed
33
VPC 10.1.0.0/16
34
[WAF] AWS WAF (WAF on CDN): WAF on CloudFront edges
www.a.com, WEB/WAS tiers behind CloudFront; 54 edge locations
Users, hackers and bad bots all arrive at the CloudFront edge; WAF monitors and filters there, passing only safe, legitimate traffic to the origin
Filters SQL injection, cross-site scripting (XSS), ...
Filtering scales with the CloudFront edge
35
(NETWORK, SYSTEM, AUDIT)
36
37
AWS IAM, Amazon CloudWatch, AWS CloudTrail, AWS Config, AWS CloudFormation, AWS Trusted Advisor
AWS IT Governance
38
Amazon CloudWatch: metrics from AWS services
EC2, Auto Scaling, ELB, Route 53, EBS, Storage Gateway, CloudFront, DynamoDB, ElastiCache, RDS, EMR, SNS, SQS, Custom
39
AWS Trusted Advisor Security
40
41
AWS Inspector
Agent; API
Rule Packages (number of rules): CVE (common vulnerabilities and exposures); Network security best practices: 4; Authentication best practices: 9; Operating system security best practices: 4; Application security best practices: 2; PCI DSS 3.0 readiness: 25
42
(COMPLIANCE, HISTORY, LOG)
43
44
45
AWS CloudTrail
API...
CloudTrailAPI
CloudTrail :
API ()
API call ()
API IP()
()
AWS ()
46
AWS CloudTrail with CloudWatch Logs
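As an added example (not from the deck), a small detection pass over CloudTrail records in the shape the slides describe, flagging root-account API calls and calls from outside an assumed source range; the records, account ID and CIDR are constructed placeholders.

```python
"""Detection pass over CloudTrail records: flags root-account API use and
calls from outside an expected source range. Added example, not from the deck."""
import ipaddress
import json

# Constructed records (not real trail data) carrying the fields the deck lists:
# caller identity, call time, source IP, request parameters and the response.
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventTime": "2018-03-29T09:12:44Z", "eventName": "CreateUser",
     "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "Root", "accountId": "111122223333"},
     "requestParameters": {"userName": "svc-deploy"},
     "responseElements": {"user": {"userName": "svc-deploy"}}},
    {"eventTime": "2018-03-29T09:15:02Z", "eventName": "AuthorizeSecurityGroupIngress",
     "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "requestParameters": {"groupId": "sg-0123"}, "responseElements": {"_return": True}},
    {"eventTime": "2018-03-29T09:20:31Z", "eventName": "GetObject",
     "sourceIPAddress": "ec2.amazonaws.com",
     "userIdentity": {"type": "AssumedRole", "userName": "web-role"},
     "requestParameters": {"bucketName": "app-assets", "key": "index.html"},
     "responseElements": None},
]})

# Assumed corporate egress range (placeholder); anything else merits a look.
EXPECTED_SOURCE_CIDRS = ["203.0.113.0/24"]


def scan_trail(trail_json, expected_cidrs=EXPECTED_SOURCE_CIDRS):
    """Return (rule, eventName, caller, sourceIPAddress, eventTime) findings."""
    nets = [ipaddress.ip_network(c) for c in expected_cidrs]
    findings = []
    for rec in json.loads(trail_json)["Records"]:
        ident = rec.get("userIdentity", {})
        caller = ident.get("userName") or ident.get("arn") or ident.get("type")
        src = rec.get("sourceIPAddress", "")
        tag = (rec["eventName"], caller, src, rec["eventTime"])
        # Root has access to everything, including billing; day-to-day API
        # calls should come from IAM users, roles or temporary credentials.
        if ident.get("type") == "Root":
            findings.append(("root-activity",) + tag)
        # sourceIPAddress can be a service DNS name rather than an address
        # when an AWS service calls on the caller's behalf; skip those.
        try:
            ip = ipaddress.ip_address(src)
        except ValueError:
            continue
        if not any(ip in n for n in nets):
            findings.append(("unexpected-source-ip",) + tag)
    return findings
```

Running `scan_trail(SAMPLE_TRAIL)` yields two findings: the root-account CreateUser call and alice's call from 198.51.100.7.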
47
AWS Config / Config Rules (change notifications via AWS SNS)
Troubleshooting, Discovery
Config Rules: custom rules; Lambda blueprints; Lambda functions on GitHub
48
AWS Service Catalog
CloudFormation templates published through Service Catalog as Products (Product A, Product B, ...)
Products launched through the AWS console or API
49
WHAT WE DO
WHAT YOU HAVE TO DO
THANK YOU
Amazon Web Services
Kyungsoo Lee