Account Separation and Mandatory Access Control on AWS | Security Roadshow Dublin

Account Separation and Mandatory Access Control on AWS. Dave Walker, Specialist Solutions Architect, Security and Compliance. 23/03/16

Transcript of Account Separation and Mandatory Access Control on AWS | Security Roadshow Dublin

Page 1: Account Separation and Mandatory Access Control on AWS | Security Roadshow Dublin

Account Separation and Mandatory Access Control on AWS

Dave Walker

Specialist Solutions Architect, Security and Compliance

23/03/16

Page 2:

Mandatory Access Control?

• Contrast with Discretionary Access Control

– u/g/o / rwx file permissions

– Under the control of the file owner

• MAC is a function of core system policy

– Immutable to all system users; sometimes also invisible to them

– …including root (in practice the policy can still be changed by whoever holds the policy-administration role; the point is that it is never the resource owner's call)

• Epitomised in SELinux, descended from Orange Book B1 systems

– Sometimes extended to do multilevel / cross-domain security

Page 3:

Mandatory Access Control?

• SELinux on AWS

– RHEL, Ubuntu, SuSE, etc AMIs…

– (Don't forget FreeBSD and other Community AMIs)

• First native MAC service on AWS: Glacier Vault Lock

– Set a Policy and fix it in place

– Once locked, even the account owner can't change or delete the policy; the policy itself is what denies deletion (typically on archive age) until the retention period expires

– Locking is a two-step process: initiate-vault-lock attaches the policy in an in-progress state, and you have 24 hours to test it (or abort) before complete-vault-lock makes it immutable

– Designed to meet SEC "Books and Records" requirements (Rule 17a-4(f))

• Also FINRA Rule 4511, CFTC Regulation 1.31

• How can we make more services behave similarly?

– Cross-account access gets us close!

Page 4:

S3 Subtleties

• Versioning

• MFA Delete

– Put these together, and you get something which looks a lot like an append-only object store: an overwrite creates a new version, a plain delete only adds a delete marker, and permanently removing a version (or changing the versioning state) requires the bucket owner's MFA

– MFA Delete can only be enabled by the bucket owner's root user with its MFA device, so plan it into the Logging account's build-out

– …consider evidential integrity and weight

– Consider adding lifecycle policies to rotate into Vault-Locked Glacier

• Good for long-term log retention

• Caveat: an S3 lifecycle transition moves objects to the GLACIER storage class, which S3 manages internally; the data does not land in a Glacier vault you own, so Vault Lock does not apply to it. To get Vault Lock semantics you have to copy the logs into a locked vault yourself (S3 Object Lock, added later, gives the equivalent on S3 itself)
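Below is an added example (mine, not code from the deck) that checks a log bucket for the combination this slide describes: versioning on, MFA Delete on, rotation of both current and noncurrent versions to the Glacier storage class, and no lifecycle expiration shorter than the period you must retain evidence for. It assumes the response shapes boto3 returns from get_bucket_versioning() and get_bucket_lifecycle_configuration(), a placeholder retention of 2555 days, and constructed sample configurations; the live fetch at the end needs AWS credentials, the pure check does not.

```python
"""Audit an S3 log bucket for 'append-only plus rotation' configuration.

Added example, not from the original deck. Input dictionaries have the shape
boto3 returns from get_bucket_versioning() and
get_bucket_lifecycle_configuration(); the samples below are constructed.
"""

GLACIER_CLASSES = {"GLACIER", "DEEP_ARCHIVE", "GLACIER_IR"}


def audit_log_bucket(versioning, lifecycle, min_retention_days):
    """Return a list of findings; an empty list means the bucket passes.

    versioning: dict with optional 'Status' and 'MFADelete' (both absent on a
                bucket where versioning has never been configured).
    lifecycle:  dict with a 'Rules' list (empty when no lifecycle is set).
    """
    findings = []
    versioned = versioning.get("Status") == "Enabled"
    if not versioned:
        findings.append("versioning not enabled: overwrites and deletes destroy evidence")
    if versioning.get("MFADelete") != "Enabled":
        findings.append("MFA Delete not enabled: one leaked credential can purge versions")

    rules = [r for r in lifecycle.get("Rules", []) if r.get("Status") == "Enabled"]
    current_rotates = any(t.get("StorageClass") in GLACIER_CLASSES
                          for r in rules for t in r.get("Transitions", []))
    noncurrent_rotates = any(t.get("StorageClass") in GLACIER_CLASSES
                             for r in rules for t in r.get("NoncurrentVersionTransitions", []))
    if not current_rotates:
        findings.append("no lifecycle transition of current versions to Glacier")
    if versioned and not noncurrent_rotates:
        # With versioning on, the overwritten/deleted versions ARE the evidence;
        # a rule that only moves current versions leaves them in STANDARD forever.
        findings.append("no lifecycle transition of noncurrent versions to Glacier")

    for r in rules:
        rid = r.get("ID", "<unnamed>")
        days = r.get("Expiration", {}).get("Days")
        if days is not None and days < min_retention_days:
            findings.append(f"rule {rid} expires current versions after {days} days "
                            f"(< {min_retention_days})")
        ndays = r.get("NoncurrentVersionExpiration", {}).get("NoncurrentDays")
        if ndays is not None and ndays < min_retention_days:
            findings.append(f"rule {rid} expires noncurrent versions after {ndays} days "
                            f"(< {min_retention_days})")
    return findings


def audit_live_bucket(bucket, min_retention_days=2555):
    """Fetch the real configuration with boto3 and audit it (needs credentials).

    boto3 is imported here, not at module level, so the pure check runs offline.
    A bucket with no lifecycle raises NoSuchLifecycleConfiguration; treat as no rules.
    """
    import boto3
    from botocore.exceptions import ClientError

    s3 = boto3.client("s3")
    versioning = s3.get_bucket_versioning(Bucket=bucket)
    try:
        lifecycle = s3.get_bucket_lifecycle_configuration(Bucket=bucket)
    except ClientError as err:
        if err.response["Error"]["Code"] != "NoSuchLifecycleConfiguration":
            raise
        lifecycle = {"Rules": []}
    return audit_log_bucket(versioning, lifecycle, min_retention_days)


# Constructed sample: the configuration the slide is aiming for.
GOOD_VERSIONING = {"Status": "Enabled", "MFADelete": "Enabled"}
GOOD_LIFECYCLE = {"Rules": [{
    "ID": "rotate-logs", "Status": "Enabled", "Filter": {"Prefix": ""},
    "Transitions": [{"Days": 90, "StorageClass": "GLACIER"}],
    "NoncurrentVersionTransitions": [{"NoncurrentDays": 30, "StorageClass": "GLACIER"}],
}]}

# Constructed sample: looks tidy at a glance, but quietly shreds evidence.
BAD_VERSIONING = {"Status": "Enabled"}          # MFADelete never set
BAD_LIFECYCLE = {"Rules": [{
    "ID": "tidy-up", "Status": "Enabled", "Filter": {"Prefix": ""},
    "Transitions": [{"Days": 90, "StorageClass": "GLACIER"}],
    "NoncurrentVersionExpiration": {"NoncurrentDays": 7},
}]}

if __name__ == "__main__":
    for name, v, lc in (("good", GOOD_VERSIONING, GOOD_LIFECYCLE),
                        ("bad", BAD_VERSIONING, BAD_LIFECYCLE)):
        print(name, audit_log_bucket(v, lc, min_retention_days=2555) or ["OK"])
```

The noncurrent-version checks are the ones people miss: once versioning is on, the interesting evidence is precisely the versions that were overwritten or "deleted", and a rule that expires them after a week undoes the append-only property without touching anything visible in a bucket listing.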

Page 5:

S3 Subtleties

• CloudTrail, Config, CloudWatch Logs, ELB logs, VPC Flow Logs

– Make them write-only for production / resource accounts

• No means to read or list bucket contents, so a compromised producer account cannot discover what has already been logged (and with versioning on, cannot overwrite it either)

– Make them read-only for audit accounts

• Though audit user activities may need to be written to logs too

– Potentially to a different log location

• Create a separate Logging account and apply cross-account sharing:

Page 6:

S3 Subtleties

• S3 write-only cross-account sharing

– Share write-only (no reading or listing of contents) from the owner account via bucket policy

– Writer accounts have IAM permissions to write (both sides must allow it: the bucket policy in the Logging account and an IAM policy in each writer account)

Page 7:

S3 Subtleties: Log Bucket Policy, Part 1

• (Actual policy won't fit here, but…):

– Start with the cross-account bucket policy for writing CloudTrail logs, at https://blogs.aws.amazon.com/security/post/Tx1QT0TX44KW7XM/Sharing-AWS-CloudTrail-Log-Files-Between-Accounts , Scenario 1

– Add the Sid + Effect + Principal + Action + Resource aggregate objects from the bucket policy for Config, at http://docs.aws.amazon.com/config/latest/developerguide/s3-bucket-policy.html , applying the same principles

– Add s3:GetBucketLocation permissions, to handle cross-Region logs (this is a bucket-level action, so its Resource is the bucket ARN, not the objects under it)

• (we want to log from all Regions to 1 bucket)

– Add the following for CloudWatch Logs:

Page 8:

S3 Subtleties: Log Bucket Policy, Part 2

{
  "Sid": "Cross-account write allow for CloudWatch Logs, mediated by control below",
  "Effect": "Allow",
  "Principal": {
    "AWS": [
      "arn:aws:iam::Writer-Account-ID:root"
      <Add other accounts here>
    ]
  },
  "Action": "s3:PutObject",
  "Resource": "arn:aws:s3:::myorg-logbucket/<optional prefix>/AWSLogs/*"
},
{
  "Sid": "Cross-account GetBucketLocation allow, bucket-level so the Resource is the bucket ARN",
  "Effect": "Allow",
  "Principal": {
    "AWS": [
      "arn:aws:iam::Writer-Account-ID:root"
      <Add other accounts here>
    ]
  },
  "Action": "s3:GetBucketLocation",
  "Resource": "arn:aws:s3:::myorg-logbucket"
},
{
  "Sid": "Control to require full control grant on write",
  "Effect": "Deny",
  "Principal": {
    "AWS": [
      "arn:aws:iam::Writer-Account-ID:root"
      <Add other accounts here>
    ]
  },
  "Action": "s3:PutObject",
  "Resource": "arn:aws:s3:::myorg-logbucket/<optional prefix>/AWSLogs/*",
  "Condition": {
    "StringNotEquals": {
      "s3:x-amz-acl": "bucket-owner-full-control"
    }
  }
}

• Why the Deny: an object written from another account is owned by that account, and unless the writer grants the bucket-owner-full-control ACL the Logging account cannot read what lands in its own bucket

• The Deny must cover s3:PutObject only: a GetBucketLocation request carries no ACL, and StringNotEquals matches whenever the condition key is absent, so listing it in the Deny would block every GetBucketLocation call

Page 9:

S3 Subtleties: Log Bucket Policy, Part 3

• Audit users (in another account) will need read-only access to your log bucket; see https://blogs.aws.amazon.com/security/post/Tx1QT0TX44KW7XM/Sharing-AWS-CloudTrail-Log-Files-Between-Accounts again (Scenario 2)

• Good to do via a Role which has to be explicitly assumed, so every read of the evidence is itself an AssumeRole event in CloudTrail; again, see the URL above

Page 10:

S3 Subtleties: Log Bucket Policy and IAM

• Point CloudTrail and Config in other accounts to our log bucket for writing, when setting these accounts up

• IAM policy to add to each log-generating account to allow cross-account writing (s3:PutObject is an object-level action and s3:GetBucketLocation a bucket-level one, so each needs its own Resource form; the bucket policy on the Logging side still decides what is actually allowed):

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "CrossAccountWrite",
      "Effect": "Allow",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::myorg-logbucket/*"
    },
    {
      "Sid": "CrossAccountGetBucketLocation",
      "Effect": "Allow",
      "Action": "s3:GetBucketLocation",
      "Resource": "arn:aws:s3:::myorg-logbucket"
    }
  ]
}
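As an added example (mine, not the deck's policy), the following builds the Logging-account bucket policy from the ingredients on pages 7 to 10 and then checks a hand-edited policy for the usual slips. It assumes constructed account IDs and the bucket name myorg-logbucket, and goes one step beyond the slides by scoping each writer to its own AWSLogs/<account>/ prefix, so one resource account cannot write into another's log path.

```python
"""Build the Logging account's write-only, cross-account log-bucket policy and
check it for mistakes that are easy to make by hand.

Added example, not the policy from the deck. Account IDs and bucket name are
constructed placeholders. Shape follows the slides: per-writer s3:PutObject
Allow, a paired Deny unless bucket-owner-full-control is granted,
s3:GetBucketLocation on the bucket ARN, and the CloudTrail service-principal
statements from the 'Sharing CloudTrail log files' post (Scenario 1).
"""
import json

BUCKET = "myorg-logbucket"
WRITER_ACCOUNTS = ["111111111111", "222222222222"]   # constructed

# Actions that would let a writer account see (or enumerate) existing logs.
READ_ACTIONS = {"s3:GetObject", "s3:GetObjectVersion", "s3:ListBucket",
                "s3:ListBucketVersions", "s3:Get*", "s3:List*", "s3:*", "*"}


def build_log_bucket_policy(bucket, writer_accounts, prefix="AWSLogs"):
    bucket_arn = f"arn:aws:s3:::{bucket}"
    statements = [
        {"Sid": "AWSCloudTrailAclCheck", "Effect": "Allow",
         "Principal": {"Service": "cloudtrail.amazonaws.com"},
         "Action": "s3:GetBucketAcl", "Resource": bucket_arn},
        {"Sid": "AWSCloudTrailWrite", "Effect": "Allow",
         "Principal": {"Service": "cloudtrail.amazonaws.com"},
         "Action": "s3:PutObject",
         "Resource": [f"{bucket_arn}/{prefix}/{a}/*" for a in writer_accounts],
         "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}}},
    ]
    for acct in writer_accounts:
        principal = {"AWS": f"arn:aws:iam::{acct}:root"}
        own_prefix = f"{bucket_arn}/{prefix}/{acct}/*"
        statements += [
            # Object-level action: Resource is the key pattern, own prefix only.
            {"Sid": f"Write{acct}", "Effect": "Allow", "Principal": principal,
             "Action": "s3:PutObject", "Resource": own_prefix},
            # Bucket-level action: Resource is the bucket itself.
            {"Sid": f"Location{acct}", "Effect": "Allow", "Principal": principal,
             "Action": "s3:GetBucketLocation", "Resource": bucket_arn},
            # Cross-account objects are owned by the writer; without this ACL the
            # Logging account cannot read its own bucket. Deny PutObject only:
            # GetBucketLocation carries no ACL, and StringNotEquals matches when
            # the key is absent.
            {"Sid": f"RequireOwnerControl{acct}", "Effect": "Deny", "Principal": principal,
             "Action": "s3:PutObject", "Resource": own_prefix,
             "Condition": {"StringNotEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}}},
        ]
    return {"Version": "2012-10-17", "Statement": statements}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _aws_accounts(principal):
    """Account IDs named by an AWS (not Service) principal; '*' if anonymous."""
    if principal == "*":
        return {"*"}
    ids = set()
    for p in _as_list(principal.get("AWS", [])):
        ids.add(p.split(":")[4] if p.startswith("arn:") else p)
    return ids


def check_write_only(policy, writer_accounts):
    """Findings for a policy; an empty list means it is write-only for writers.

    Flags (1) any read/list action granted to a writer, (2) a writer whose
    PutObject Allow has no matching bucket-owner-full-control Deny, and (3) a
    writer allowed to put outside its own account prefix. This is a syntactic
    check over this one policy, not an IAM simulation.
    """
    findings = []
    writers = set(writer_accounts)
    put_allowed, put_guarded = {}, set()
    for s in policy["Statement"]:
        accts = _aws_accounts(s.get("Principal", {})) & (writers | {"*"})
        if not accts:
            continue
        actions = set(_as_list(s["Action"]))
        if s["Effect"] == "Allow":
            if actions & READ_ACTIONS:
                findings.append(f"{s.get('Sid')}: read/list access for writer accounts")
            if "s3:PutObject" in actions:
                for a in accts:
                    put_allowed.setdefault(a, set()).update(_as_list(s["Resource"]))
        elif "s3:PutObject" in actions:
            cond = s.get("Condition", {}).get("StringNotEquals", {})
            if cond.get("s3:x-amz-acl") == "bucket-owner-full-control":
                put_guarded |= accts
    for acct, resources in put_allowed.items():
        if acct not in put_guarded:
            findings.append(f"{acct}: PutObject allowed without requiring bucket-owner-full-control")
        for r in sorted(resources):
            if acct != "*" and f"/{acct}/" not in r:
                findings.append(f"{acct}: PutObject allowed outside own prefix ({r})")
    return findings


if __name__ == "__main__":
    policy = build_log_bucket_policy(BUCKET, WRITER_ACCOUNTS)
    print(json.dumps(policy, indent=2))
    print("findings:", check_write_only(policy, WRITER_ACCOUNTS))
```

The check is deliberately narrow: it reads the bucket policy only, so it cannot see what the writer accounts' own IAM policies or an ACL on the bucket add. For the authoritative answer, run the finished policy through the IAM policy simulator (iam:SimulatePrincipalPolicy) from a writer account and confirm that GetObject and ListBucket are denied while PutObject with the bucket-owner-full-control ACL is allowed.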

Page 11:

Detailed Billing: Sample Records

(Dates are dd.mm.yy. Detailed billing breaks usage down per line item and, with consolidated billing, per linked account; an unexpected line item in a resource account is a cheap signal that something new has appeared there.)

ItemDescription | UsageStartDate | UsageEndDate | UsageQuantity | CurrencyCode | CostBeforeTax | Credits | TaxAmount | TaxType | TotalCost
--- | --- | --- | --- | --- | --- | --- | --- | --- | ---
$0.000 per GB - regional data transfer under the monthly global free tier | 01.04.14 00:00 | 30.04.14 23:59 | 0.00000675 | USD | 0.00 | 0.0 | 0.000000 | None | 0.000000
$0.05 per GB-month of provisioned storage - US West (Oregon) | 01.04.14 00:00 | 30.04.14 23:59 | 11.26666554 | USD | 0.56 | 0.0 | 0.000000 | None | 0.560000
First 1,000,000 Amazon SNS API Requests per month are free | 01.04.14 00:00 | 30.04.14 23:59 | 10.0 | USD | 0.00 | 0.0 | 0.000000 | None | 0.000000
First 1,000,000 Amazon SQS Requests per month are free | 01.04.14 00:00 | 30.04.14 23:59 | 4153.0 | USD | 0.00 | 0.0 | 0.000000 | None | 0.000000
$0.00 per GB - EU (Ireland) data transfer from US West (Northern California) | 01.04.14 00:00 | 30.04.14 23:59 | 0.00003292 | USD | 0.00 | 0.0 | 0.000000 | None | 0.000000
$0.000 per GB - data transfer out under the monthly global free tier | 01.04.14 00:00 | 30.04.14 23:59 | 0.02311019 | USD | 0.00 | 0.0 | 0.000000 | None | 0.000000
First 1,000,000 Amazon SNS API Requests per month are free | 01.04.14 00:00 | 30.04.14 23:59 | 88.0 | USD | 0.00 | 0.0 | 0.000000 | None | 0.000000
$0.000 per GB - data transfer out under the monthly global free tier | 01.04.14 00:00 | 30.04.14 23:59 | 3.3E-7 | USD | 0.00 | 0.0 | 0.000000 | None | 0.000000

Page 12:

Linked Accounts

• Consolidate daily Detailed Billing logs into one bucket, for all accounts

• Now put it all together…

Page 13:

The Base Account Structure

AWS Account Root Account

• No Access Keys

• MFA Enabled

• Raise Alert on Login

• Account-level settings: Have Passwd Policy; Enforce Passwd Rotation; Have Acct Questions set up; Have Info eMail set up

IAM Master

• No Access Keys

• MFA Enabled

• Raise Alert on Login

• Define IAM Policies

• Enable IAM Managers (User or Role)

IAM Manager

• No Access Keys

• MFA Enabled

• Create IAM Users/Groups/Roles

• Use Pre-Defined Policies

Page 14:

The Larger Picture

(Diagram: the accounts and what flows between them)

• Billing account: S3 holder for the consolidated detailed billing records (BILL) and its own CloudTrail

• Logging account: S3 holder for CloudTrail, Config and CloudWatch Logs from every other account

• IAM-User account: the only place people have IAM users; each user's rights are "STS only", so the only thing a user can do is assume a role (via STS) into another account

• Resource accounts: no IAM users, only IAM roles, assumed from the IAM-User account

• Backup account: S3 holder for backup data

• Audit account: display rights over the held logs, through the explicitly assumed read-only role from page 9

The "STS only" policy attached to IAM users in the IAM-User account:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "STSOnly",
      "Effect": "Allow",
      "Action": [ "sts:AssumeRole" ],
      "Resource": [ "*" ]
    }
  ]
}

• "Resource": "*" is only as safe as the trust policies on the far side: an AssumeRole succeeds when both this policy and the target role's trust policy allow it, so list the specific role ARNs a user (or group) may assume rather than "*", and require MFA in the trust policy (aws:MultiFactorAuthPresent) for privileged roles

Page 15:

There's One More Account to Consider…

• (…and it won't fit on the diagram)

• Service Catalogue

– Also has cross-account capability

– Repository for CloudFormation templates, golden AMIs…

– …add latest database backups and other necessary datasets, and you have an Intellectual Property Holding Account

• Something to copy cross-Region for DR

• See http://aws.amazon.com/servicecatalog/faqs/ for cross-account access

Page 16:

Raising Alerts

• Raise an Alert (through, eg, SNS) from CloudTrail, watched by a Lambda function triggered on log-bucket writes, if:

– Any account's root user logs in

– Any IAM-Master account logs in

– Billing/CloudTrail accounts have another S3 Bucket created

– IAM-User generates any new AWS resource

– IAM-User generates any CloudTrail events other than assume-role and console login

– IAM-User logs in to any Resource Accounts (besides IAM-Manager)

– Resource-Account has IAM-Users assigned (besides IAM-Master/IAM-Manager)
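An added example of the detection side (mine, not code from the deck): the rules above as a function over CloudTrail records, with the Lambda wrapper the slide describes. The account-to-role map, the account IDs, the sample records and the TOPIC_ARN environment variable are constructed assumptions; the record fields it reads (eventName, userIdentity, recipientAccountId, requestParameters) are CloudTrail's own.

```python
"""The 'Raising Alerts' rules as a CloudTrail evaluator, plus the Lambda
wrapper that runs it on every new log file written to the bucket.

Added example, not from the deck. ACCOUNT_ROLES, the account IDs, the sample
records and the TOPIC_ARN environment variable are constructed assumptions.
"""
import gzip
import json
import os
from urllib.parse import unquote_plus

# Constructed: the job each account does in the structure from the earlier slides.
ACCOUNT_ROLES = {
    "111111111111": "iam-user",     # the only account holding human IAM users
    "222222222222": "iam-master",
    "333333333333": "billing",
    "444444444444": "cloudtrail",   # Logging account, owns the log bucket
    "555555555555": "resource",
}
# All an IAM user in the IAM-User account should ever do.
IAM_USER_ALLOWED_EVENTS = {"AssumeRole", "ConsoleLogin"}
# IAM users legitimately present in, or logging in to, resource accounts.
PERMITTED_USERS = {"IAM-Master", "IAM-Manager"}


def evaluate_record(r, roles=ACCOUNT_ROLES):
    """Return the alert strings raised by one CloudTrail record (usually none)."""
    ident = r.get("userIdentity", {})
    acct = r.get("recipientAccountId", ident.get("accountId"))
    role = roles.get(acct, "unknown")
    event = r.get("eventName")
    user = ident.get("userName", ident.get("type"))
    alerts = []
    if event == "ConsoleLogin" and ident.get("type") == "Root":
        alerts.append(f"root login in {role} account {acct}")
    if event == "ConsoleLogin" and role == "iam-master":
        alerts.append(f"login to IAM-Master account {acct} by {user}")
    if event == "CreateBucket" and role in ("billing", "cloudtrail"):
        alerts.append(f"new S3 bucket in {role} account {acct} by {user}")
    if role == "iam-user" and event not in IAM_USER_ALLOWED_EVENTS:
        # Covers both 'any new resource' and 'any event other than
        # assume-role / console login' from the slide.
        alerts.append(f"unexpected {event} in IAM-User account by {user}")
    if (role == "resource" and event == "ConsoleLogin"
            and ident.get("type") == "IAMUser" and user not in PERMITTED_USERS):
        alerts.append(f"IAM user {user} logged in to resource account {acct}")
    if role == "resource" and event == "CreateUser":
        created = r.get("requestParameters", {}).get("userName")
        if created not in PERMITTED_USERS:
            alerts.append(f"IAM user {created} created in resource account {acct}")
    return alerts


def evaluate(records, roles=ACCOUNT_ROLES):
    return [a for r in records for a in evaluate_record(r, roles)]


def parse_log_file(body):
    """CloudTrail delivers gzipped JSON with a top-level 'Records' list."""
    if body[:2] == b"\x1f\x8b":
        body = gzip.decompress(body)
    return json.loads(body).get("Records", [])


def lambda_handler(event, context):
    """S3 put notification: fetch the file, evaluate it, publish to SNS.

    boto3 is imported here so the rules above run and test offline.
    """
    import boto3
    s3, sns = boto3.client("s3"), boto3.client("sns")
    alerts = []
    for rec in event["Records"]:
        bucket = rec["s3"]["bucket"]["name"]
        key = unquote_plus(rec["s3"]["object"]["key"])   # keys arrive URL-encoded
        body = s3.get_object(Bucket=bucket, Key=key)["Body"].read()
        alerts += evaluate(parse_log_file(body))
    if alerts:
        sns.publish(TopicArn=os.environ["TOPIC_ARN"],
                    Subject="CloudTrail alert", Message="\n".join(alerts))
    return {"alerts": len(alerts)}


# Constructed sample records, trimmed to the fields the rules use.
SAMPLE_RECORDS = [
    {"eventName": "ConsoleLogin", "recipientAccountId": "555555555555",
     "userIdentity": {"type": "Root", "accountId": "555555555555"}},
    {"eventName": "CreateBucket", "recipientAccountId": "444444444444",
     "userIdentity": {"type": "IAMUser", "userName": "ops"}},
    {"eventName": "AssumeRole", "recipientAccountId": "111111111111",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}},
    {"eventName": "RunInstances", "recipientAccountId": "111111111111",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}},
    {"eventName": "CreateUser", "recipientAccountId": "555555555555",
     "userIdentity": {"type": "AssumedRole"},
     "requestParameters": {"userName": "bob"}},
]

if __name__ == "__main__":
    for alert in evaluate(SAMPLE_RECORDS):
        print("ALERT:", alert)
```

The rules key on recipientAccountId, so one function in the Logging account serves every account that feeds the bucket. The Lambda's execution role needs s3:GetObject on the log bucket (the same read-only grant the audit role gets) and sns:Publish on the topic; because the Lambda itself reads the evidence, its AssumeRole and GetObject calls show up in CloudTrail too, which is exactly what you want.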

Page 17:

Logs→metrics→alerts→actions

(Diagram, reading left to right)

• Sources: AWS Config, AWS CloudTrail, Amazon EC2 OS logs, Amazon VPC Flow Logs, API calls from most services, monitoring data from AWS services, custom metrics

• Collected in CloudWatch / CloudWatch Logs

• Evaluated by CloudWatch alarms

• Delivered by Amazon SNS as email notification, HTTP/S notification, SMS notifications or mobile push notifications

Page 18:

Also:

• Federate from the IAM-User account to another IdP

• Filter on LDAP DN elements (ou=, dc=) when mapping directory entries to roles

• Result: no PII in IAM!

– See page 20 of https://d0.awsstatic.com/whitepapers/aws-whitepaper-single-sign-on-integrating-aws-open-ldap-and-shibboleth.pdf

• Set account and contact details to an email alias and a PABX hunt group, and arrange with your AM to have your billing invoiced to your company accounts

• …no PII in your AWS account

– unless you explicitly need to process PII in your AWS environment

Page 19:

Other Resources

• Re:Invent 2015: "Wrangling Security Events in the Cloud" (SEC308)

– https://www.youtube.com/watch?v=uc1Q0XCcCv4

– Further ways to enable service configuration immutability

• Essentially, "config-correcting Lambda functions"

Page 20:

Page 21:

Account Separation and Mandatory Access Control on AWS

Dave Walker

Specialised Solutions Architect, Security and Compliance

28/01/16