Post on 13-Jan-2015
© 2011 Amazon.com, Inc. and its affiliates. All rights reserved. May not be copied, modified or distributed in whole or in part without the express consent of Amazon.com, Inc.
Security Best Practices on AWS
Understanding AWS Security, the Shared Responsibility Model, and some security best practices
Cloud Security is:
Every Customer Has Access to the Same Security Capabilities
And gets to choose what's right for their business needs:
• Governments
• Financial Sector
• Pharmaceuticals
• Entertainment
• Start-ups
• Social Media
• Home Users
• Retail
Visible Cloud Security
This, or this?
Auditable Cloud Security
Transparent Cloud Security
http://aws.amazon.com/compliance/
ISO 27001 Certification
Covers the AWS Information Security Management System
Follows ISO 27002 best practice guidance
Includes all Regions
Certification in the standard requires:
• Systematic evaluation of information security risks
• Evaluation of the impact of company threats and vulnerabilities
• Design and implementation of comprehensive information security controls
• Adoption of an overarching management process to ensure that the information security controls meet the information security needs on an ongoing basis
Service Organization Controls

Report | What it contains | Who uses it
SOC 1  | Attests that the AWS internal controls for financial reporting are appropriately designed and operating effectively | User auditors & users' controller's office. Shared under NDA by AWS.
SOC 2  | Expanded evaluation of controls to include the AICPA Trust Services Principles | Management, regulators & others. Shared under NDA by AWS.
SOC 3  | Summary of SOC 2; provides the AICPA SysTrust Security Seal | Management, regulators & others. Publicly available.

AICPA: American Institute of Certified Public Accountants (the body whose reports these are)
PCI DSS Level 1 Service Provider
PCI DSS 2.0 compliant
Covers core infrastructure & services:
• EC2, EBS, VPC, ELB, Direct Connect, S3, Glacier, RDS, DynamoDB, SimpleDB, EMR, Redshift, CloudHSM, and IAM
Use services normally, no special configuration
Leverage the work of our QSA
AWS will work with merchants and designated Qualified Incident Response Assessors (QIRA)
• Can support forensic investigations
Certified in all regions
Note: the attestation covers the listed services; the cardholder data environment you build on them is still in scope for your own assessment (see Shared Responsibility).
FedRAMP (FISMA) Moderate
U.S. Civilian Government Agency Specific
FedRAMP Authority To Operate (ATO)
FISMA Moderate (NIST 800-53):
• Much more stringent than other commercial standards
• 205 high-level controls spanning 18 domains: Access Control, Awareness & Training, Audit & Accountability, Security Assessment & Authorization, Configuration Management, Contingency Planning, ID & Authentication, Incident Response, Maintenance, Media Protection, Physical & Environment Protection, Planning, Personnel Security, Risk Assessment, System & Services Acquisition, System & Communications Protections, System & Information Integrity, Program Management
Shared Assessments SIG
Standard Information Gathering ("SIG") Questionnaire, shared under NDA
• www.sharedassessments.org
Robust, easy to use set of questions to gather and assess:
• Information Technology
• Operating and Security Risks (and corresponding controls)
Based on referenced industry standards
• Including, but not limited to, FFIEC, ISO, COBIT and PCI
Excel format with AWS provided answers
Updated periodically to stay current
Additional Initiatives
U.S. Health Insurance Portability and Accountability Act (HIPAA)
• AWS enables covered entities and their business associates subject to U.S. HIPAA to leverage the secure AWS environment to process, maintain, and store protected health information, and AWS will be signing business associate agreements with such customers.
Cloud Security Alliance (CSA) Questionnaire
• Answers in the Risk and Compliance Whitepaper
Motion Picture Association of America (MPAA)
• Answers in the Risk and Compliance Whitepaper
• Best practices for storing, processing and delivering protected media & content
Security & Compliance Control Objectives
Control Objective 1: Security Organization
Control Objective 2: Amazon User Access
Control Objective 3: Logical Security
Control Objective 4: Secure Data Handling
Control Objective 5: Physical Security and Environmental Safeguards
Control Objective 6: Change Management
Control Objective 7: Data Integrity, Availability and Redundancy
Control Objective 8: Incident Handling
Security & Compliance Control Objectives
(cont’d)
Control Objective 1: Security Organization
• Who we are
• Proper control & access within the organization
Control Objective 2: Amazon User Access
• How we vet our staff
• Minimization of access
Security & Compliance Control Objectives
(cont’d)
Control Objective 3: Logical Security
• Our staff start with no system access
• Need-based access grants
• Rigorous system separation
• System access grants regularly evaluated & automatically revoked
Security & Compliance Control Objectives
(cont’d)
Control Objective 4: Secure Data Handling
• Storage media destroyed before being permitted outside our datacenters
• Media destruction consistent with US Dept. of Defense 5220.22-M
Control Objective 5: Physical Security and Environmental Safeguards
• Keeping our facilities safe
• Maintaining the physical operating parameters of our datacenters
Security & Compliance Control Objectives
(cont’d)
Control Objective 6: Change Management
• Continuous operation
Control Objective 7: Data Integrity, Availability and Redundancy
• Ensuring your data remains safe, intact, & available
Control Objective 8: Incident Handling
• Process & procedures for mitigating and managing potential issues
Shared Responsibility
AWS:
• Facilities
• Physical Security
• Physical Infrastructure
• Network Infrastructure
• Virtualization Infrastructure
Customer:
• Choice of Guest OS
• Application Configuration Options
• Account Management Flexibility
• Security Groups
• Network ACLs
• Network Configuration Control
You Decide Where Applications and Data Reside
Network Security
Amazon EC2 Security
Host operating system (AWS controlled)
• Individual SSH keyed logins via bastion host for AWS admins
• All accesses logged and audited
Guest operating system (Customer controlled)
• AWS admins cannot log in
• Customer-generated keypairs
Stateful firewall
• Mandatory inbound firewall, default deny mode
• Customer controls configuration via Security Groups
Signed API calls
• Every call is signed with the customer's secret AWS key; the key itself is never sent on the wire, only the signature, so a captured request cannot be replayed with a different payload
[Diagram: each physical interface on the host passes through the hypervisor to per-customer virtual interfaces (Customer 1, Customer 2, ... Customer n); a firewall between them enforces each customer's own Security Groups.]
Tiering Security Groups
Dynamically created rules based on Security Group membership
Effectively create tiered network architectures

Group  | Inbound rules (TCP port : allowed source)
"Web"  | 80 : 0.0.0.0/0, 22 : "Mgmt"
"App"  | 8080 : "Web", 22 : "Mgmt"
"DB"   | 3306 : "App", 22 : "Mgmt"
"Mgmt" | 22 : 163.128.25.32/32

A rule whose source is another Security Group admits any instance that is a member of that group, so membership rather than IP address defines the tier. Only the web tier's HTTP port faces the Internet; SSH reaches every tier only through the "Mgmt" group (the bastion host), which itself accepts SSH from a single admin address.
[Diagram: Web Server (HTTP from the Internet), App Server (TCP 8080 from Web) and DB Server (TCP 3306 from App), each behind its own firewall, plus a Bastion Host that reaches all three tiers on TCP 22.]
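The tiered design above, modelled in the same shape EC2's DescribeSecurityGroups returns (IpPermissions with IpRanges and UserIdGroupPairs) and linted for the two properties the slide relies on. This is an added example, not code from the original deck; the group names, ports and the 163.128.25.32/32 admin address are taken from the slide, while the checks themselves (only the web tier's 80/443 may face 0.0.0.0/0, SSH only from "Mgmt" or the admin address) are my reading of the design, and all group data is constructed inline.

```python
"""Model the slide's tiered Security Groups and lint them.

Rules use EC2's IpPermissions layout so the same checks can be run over real
DescribeSecurityGroups output.  All data below is constructed for the example.
"""
from ipaddress import ip_network

ANY = "0.0.0.0/0"
MGMT_CIDR = "163.128.25.32/32"     # single admin source address from the slide
PUBLIC_OK_PORTS = {80, 443}        # assumption: only HTTP(S) on the web tier may be public


def rule(port, *, cidr=None, group=None):
    """One inbound TCP rule (single port) in EC2 IpPermissions form."""
    perm = {"IpProtocol": "tcp", "FromPort": port, "ToPort": port,
            "IpRanges": [], "UserIdGroupPairs": []}
    if cidr:
        perm["IpRanges"].append({"CidrIp": cidr})
    if group:
        perm["UserIdGroupPairs"].append({"GroupName": group})
    return perm


def tiered_groups():
    """The four groups from the slide: Web -> App -> DB, with Mgmt as the SSH bastion."""
    return {
        "Web":  [rule(80, cidr=ANY), rule(22, group="Mgmt")],
        "App":  [rule(8080, group="Web"), rule(22, group="Mgmt")],
        "DB":   [rule(3306, group="App"), rule(22, group="Mgmt")],
        "Mgmt": [rule(22, cidr=MGMT_CIDR)],
    }


def audit(groups, public_group="Web"):
    """Return (group, (from, to), source, reason) for every rule that breaks the tiering."""
    findings = []
    for name, perms in groups.items():
        for perm in perms:
            lo, hi = perm["FromPort"], perm["ToPort"]
            for rng in perm["IpRanges"]:
                net = ip_network(rng["CidrIp"])
                # A /0 source is the whole Internet; only the public tier's HTTP(S) ports may have it.
                if net.prefixlen == 0 and not (name == public_group and lo == hi
                                               and lo in PUBLIC_OK_PORTS):
                    findings.append((name, (lo, hi), rng["CidrIp"], "open to the Internet"))
                # SSH from an address range is only acceptable on the bastion, from the admin address.
                if lo <= 22 <= hi and not (name == "Mgmt" and net == ip_network(MGMT_CIDR)):
                    findings.append((name, (lo, hi), rng["CidrIp"], "SSH not restricted to Mgmt"))
            for pair in perm["UserIdGroupPairs"]:
                if lo <= 22 <= hi and pair["GroupName"] != "Mgmt":
                    findings.append((name, (lo, hi), pair["GroupName"], "SSH not restricted to Mgmt"))
    return findings


def allows(groups, dst, port, *, from_group=None, from_cidr=None):
    """True if group `dst` admits TCP `port` from the given source group or address range."""
    for perm in groups[dst]:
        if not perm["FromPort"] <= port <= perm["ToPort"]:
            continue
        if from_group and any(p["GroupName"] == from_group for p in perm["UserIdGroupPairs"]):
            return True
        if from_cidr and any(ip_network(from_cidr).subnet_of(ip_network(r["CidrIp"]))
                             for r in perm["IpRanges"]):
            return True
    return False


if __name__ == "__main__":
    good = tiered_groups()
    print("findings on the slide's design:", audit(good))
    bad = tiered_groups()
    bad["DB"].append(rule(3306, cidr=ANY))      # classic mistake: database exposed to the world
    bad["App"].append(rule(22, cidr=ANY))       # SSH bypassing the bastion
    for f in audit(bad):
        print("FINDING", f)
```

Run the same `audit` over the JSON from `aws ec2 describe-security-groups` (one entry per group's IpPermissions) to turn the slide's design rule into a recurring check; the "open to the Internet" case is the class of rule the Trusted Advisor Security Group check later in this deck reports.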
Amazon VPC Architecture
[Diagram: the customer's network reaches the customer's isolated AWS resources in the Amazon Web Services cloud either over a secure VPN connection over the Internet or over AWS Direct Connect (dedicated path/bandwidth); inside the VPC are subnets, a router, Internet access and NAT.]
Amazon VPC Network Security Controls
VPC - Dedicated Instances
Option to ensure physical hosts are not shared with other customers
$2/hr flat fee per region + small hourly charge (pricing as of this deck)
Can identify specific instances as dedicated
Optionally configure the entire VPC as dedicated
AWS Deployment Models

Model                       | Sample workloads
Commercial Cloud            | Public-facing apps, web sites, dev, test, etc.
Virtual Private Cloud (VPC) | Datacenter extension, TIC environment, email, FISMA Low and Moderate
AWS GovCloud (US)           | US Persons compliant and government-specific apps

Isolation properties compared across the three models: logical server and application isolation; granular information access policy; logical network isolation; physical server isolation; government-only physical network and facility isolation; ITAR compliant (US Persons only).
The Importance of Access Control
One of customers' top considerations when moving to the cloud: CONTROL
Why do we want control?
• Appropriate access to do appropriate actions
• I want to implement security best practices
• I want to be at least as secure as on premise
• I must comply with certain industry specific security regulations
AWS Identity and Access Management (IAM)
• Users and Groups within Accounts
• Unique security credentials
  • Access keys
  • AWS Management Console login/password
  • Enforce password complexity
  • Optional MFA device
• Policies control access to AWS APIs
• All API calls must be signed by the secret key
• Resource level integration into many services
  • EC2: tags control access to resources
  • S3: policies on objects and buckets
• Not for operating systems or applications
  • Use LDAP, Active Directory/ADFS, etc.
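How "policies control access to AWS APIs" plays out, as an added example that is not code from the deck: a small evaluator for IAM-style policy documents that applies the published order (an explicit Deny beats any Allow; with no matching Allow the request is implicitly denied) and shows an MFA-gated statement, the mechanism behind the "optional MFA device" bullet. The two policies, the account ID 123456789012 and the request contexts are constructed; the evaluator supports only Action/Resource wildcards and the Bool, IpAddress and NotIpAddress operators, and is not AWS's engine (no NotAction, policy variables or resource-based policies).

```python
"""Minimal evaluator for IAM-style policy documents (constructed example)."""
from fnmatch import fnmatchcase
from ipaddress import ip_address, ip_network

ADMIN_CIDR = "163.128.25.32/32"   # the admin source address used on the Security Group slide


def _as_list(x):
    return x if isinstance(x, list) else [x]


def _matches(patterns, value, ci=False):
    """IAM wildcards (* and ?). Action names are case-insensitive, ARNs are not."""
    pats = _as_list(patterns)
    if ci:
        return any(fnmatchcase(value.lower(), p.lower()) for p in pats)
    return any(fnmatchcase(value, p) for p in pats)


def _condition_holds(cond, ctx):
    """Every operator/key in the Condition block must hold (AND); values for one key are ORed.
    A missing context key fails IpAddress/Bool but satisfies NotIpAddress, as in IAM."""
    for op, kv in cond.items():
        for key, want in kv.items():
            have = ctx.get(key)
            if op == "Bool":
                ok = have is not None and str(have).lower() == str(want).lower()
            elif op in ("IpAddress", "NotIpAddress"):
                inside = have is not None and any(
                    ip_address(have) in ip_network(n) for n in _as_list(want))
                ok = inside if op == "IpAddress" else not inside
            else:
                raise ValueError(f"unsupported condition operator: {op}")
            if not ok:
                return False
    return True


def evaluate(policies, action, resource, ctx=None):
    """Return 'Allow' or 'Deny' for one API call across all attached policies."""
    ctx = ctx or {}
    allowed = False
    for pol in policies:
        for st in _as_list(pol["Statement"]):
            if not _matches(st["Action"], action, ci=True):
                continue
            if not _matches(st.get("Resource", "*"), resource):
                continue
            if not _condition_holds(st.get("Condition", {}), ctx):
                continue
            if st["Effect"] == "Deny":
                return "Deny"          # explicit deny wins regardless of other allows
            allowed = True
    return "Allow" if allowed else "Deny"   # no matching Allow: implicit deny


def sample_policies():
    """Constructed: a power-user policy plus a guard pinning IAM changes to the admin address."""
    return [
        {"Version": "2012-10-17", "Statement": [
            {"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"},
            {"Effect": "Allow", "Action": "iam:*", "Resource": "*"},
            # Destructive EC2 actions only with MFA, and only on instances in one account/region
            {"Effect": "Allow",
             "Action": ["ec2:StopInstances", "ec2:TerminateInstances"],
             "Resource": "arn:aws:ec2:us-east-1:123456789012:instance/*",
             "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}},
        ]},
        {"Version": "2012-10-17", "Statement": [
            # Explicit deny: IAM API calls from anywhere except the admin address
            {"Effect": "Deny", "Action": "iam:*", "Resource": "*",
             "Condition": {"NotIpAddress": {"aws:SourceIp": ADMIN_CIDR}}},
        ]},
    ]


if __name__ == "__main__":
    ctx = {"aws:MultiFactorAuthPresent": "false", "aws:SourceIp": "203.0.113.5"}
    print(evaluate(sample_policies(), "ec2:TerminateInstances",
                   "arn:aws:ec2:us-east-1:123456789012:instance/i-0abc", ctx))
```

The MFA condition is what makes a stolen long-lived access key insufficient for the destructive calls: the key alone authenticates the request, but `aws:MultiFactorAuthPresent` is only true for credentials obtained after an MFA challenge, so the Allow statement never matches for the thief. Note that the guard policy denies with the key absent from the context as well, so API calls without a source address (some service-to-service paths) are blocked too; check that before deploying such a deny.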
Authentication Methods
• Web UI: username + password, with optional multifactor authentication
• API and CLI: access key + secret key (used to sign REST calls), with optional multifactor authentication
• EC2 instances: SSH keys
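The "signed API call" mentioned on the EC2 Security and IAM slides and here, worked through in its current form, AWS Signature Version 4, as an added example that is not code from the deck. The secret key never leaves the client: it seeds an HMAC chain whose final key signs a digest of the request, and the service recomputes the same value from its own copy of the secret. The request below is constructed and uses the placeholder access key and secret from AWS documentation, which belong to no account; the query string is assumed to be already canonical (real requests must sort and URL-encode it).

```python
"""AWS Signature Version 4 for a constructed S3 GET (added example)."""
import hashlib
import hmac

ACCESS_KEY = "AKIAIOSFODNN7EXAMPLE"                       # documentation placeholder
SECRET_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"  # documentation placeholder
EMPTY_SHA256 = hashlib.sha256(b"").hexdigest()            # payload hash of an empty body


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def canonical_request(method, path, query, headers, payload_hash):
    """Canonical form: lowercased, sorted headers one per line, then the signed-header
    list and the payload hash.  Anything left out of here is not protected by the signature."""
    canon = {k.lower().strip(): " ".join(v.split()) for k, v in headers.items()}
    signed = ";".join(sorted(canon))
    header_block = "".join(f"{k}:{canon[k]}\n" for k in sorted(canon))
    return "\n".join([method, path, query, header_block, signed, payload_hash]), signed


def signing_key(secret, date, region, service):
    """kSecret -> kDate -> kRegion -> kService -> kSigning.  Each hop is an HMAC, so a
    derived signing key is only useful for one day, region and service."""
    k_date = _hmac(("AWS4" + secret).encode(), date)
    k_region = _hmac(k_date, region)
    k_service = _hmac(k_region, service)
    return _hmac(k_service, "aws4_request")


def sign(access_key, secret, *, method, path, query, headers, payload, region, service):
    """Client side: return the Authorization header value plus intermediates for inspection."""
    amz_date = headers["x-amz-date"]
    date = amz_date[:8]
    scope = f"{date}/{region}/{service}/aws4_request"
    payload_hash = hashlib.sha256(payload).hexdigest()
    canonical, signed = canonical_request(method, path, query, headers, payload_hash)
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                               hashlib.sha256(canonical.encode()).hexdigest()])
    signature = hmac.new(signing_key(secret, date, region, service),
                         string_to_sign.encode(), hashlib.sha256).hexdigest()
    authorization = (f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
                     f"SignedHeaders={signed}, Signature={signature}")
    return {"canonical_request": canonical, "string_to_sign": string_to_sign,
            "signature": signature, "authorization": authorization}


def verify(access_key, secret, authorization, **request):
    """Service side: recompute from the stored secret and compare in constant time."""
    expected = sign(access_key, secret, **request)["authorization"]
    return hmac.compare_digest(expected, authorization)


def sample_request():
    """Constructed S3 GET with an empty body (x-amz-content-sha256 is SHA-256 of '')."""
    return dict(method="GET", path="/test.txt", query="",
                headers={"host": "examplebucket.s3.amazonaws.com",
                         "range": "bytes=0-9",
                         "x-amz-content-sha256": EMPTY_SHA256,
                         "x-amz-date": "20130524T000000Z"},
                payload=b"", region="us-east-1", service="s3")


if __name__ == "__main__":
    out = sign(ACCESS_KEY, SECRET_KEY, **sample_request())
    print(out["canonical_request"])
    print(out["authorization"])
```

Two points the chain makes concrete: the access key identifies the caller and travels in clear in the Credential field, while the secret only ever enters an HMAC, so a captured request reveals nothing usable for signing other requests; and because the path, headers and payload hash are all inside the signed canonical request, changing any of them invalidates the signature. AWS additionally rejects requests whose x-amz-date is more than 15 minutes from server time, which bounds replay of a captured, unchanged request.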
Multi-Factor Authentication (MFA)
Extra level of security
Works with:
• AWS root account
• IAM users
Multiple form factors:
• Virtual MFA on your phone
• Hardware MFA key fobs
No additional cost!
• Except for the cost of the hardware key fob
AWS CloudHSM
Secure Key Storage
• Dedicated access to tamper-resistant HSM appliances (SafeNet® Luna SA)
• Designed to comply with Common Criteria EAL4+ and NIST FIPS 140-2
• You retain full control of your keys and cryptographic operations
Contractual and Regulatory Compliance
• Helps comply with the most stringent regulatory and contractual requirements for key protection
Reliable and Durable Key Storage
• Available in multiple AZs and Regions
Simple and Secure Connectivity
• Connected to your VPC
• Improved application performance between EC2 and the HSM
Premium Support Trusted Advisor
Security Checks
• Security Group Rules (hosts & ports)
• IAM Use
• S3 Policies
Fault Tolerance Checks
• Snapshots
• Multi-AZ
• VPN Tunnel Redundancy
Enable Root Account MFA!
If you don't see it enabled, go to:
http://blogs.aws.amazon.com/security/post/Tx1KJ4H6H5R80UD/Securing-access-to-AWS-using-MFA-Part-1
AWS Security, Compliance, & Architecture Resources
http://aws.amazon.com/security/
• Security whitepaper
• Security best practices
• Security bulletins
• Customer security testing process
http://aws.amazon.com/compliance/
• Risk and compliance whitepaper
http://aws.amazon.com/architecture/
• Reference Architectures
• Whitepapers
• Webinars
http://blogs.aws.amazon.com/security/
• Stay up to date on security and compliance in AWS
Feedback is always welcome!
Thank You!!!
awsmax@amazon.com
Any questions?