Shared Responsibility and Setting Up

Secure Multi-Account Structures

Dave Walker

Specialist Solutions Architect,

Security and Compliance

Shared Responsibility

Who manages which parts?

AWS Foundation Services

Compute Storage Database Networking

AWS Global Infrastructure Regions

Availability Zones

Edge Locations

Client-side Data Encryption

Server-side Data Encryption

Network Traffic Protection

Platform, Applications, Identity & Access Management

Operating System, Network & Firewall Configuration

Customer contentC

ust

om

ers

AWS Shared Responsibility Model

Customers are

responsible for

their security and

compliance IN

the Cloud

AWS is

responsible for

the security OF

the Cloud

Interacting with AWS (common protocols)

Management

SSH

RDP (only over fully-encapsulated VPN)

Database

MySQL

MS SQL

Oracle

File Transfer

SFTP, etc…..

AWS Shared Responsibility Model – Deep

Dive

Will one model work for all services?

Infrastruc

ture

Services

Container

Services

Abstract

Services

Network Traffic ProtectionEncryption / Integrity / Identity

AWS Foundation Services

Compute Storage Database Networking

AWS Global Infrastructure Regions

Availability ZonesEdge Locations

Optional – Opaque data: 1’s and 0’s (in transit/at rest)

Platform & Applications Management

Customer content

Cu

sto

mer

s

AWS Shared Responsibility Model:for Infrastructure Services

Managed by

Managed by

Client-Side Data encryption & Data Integrity Authentication

AW

S IAM

Cu

stom

er IA

M

Operating System, Network & Firewall Configuration

Server-Side EncryptionFire System and/or Data

AP

I End

po

ints

Mgmt

Protocols

API

Calls

Infrastructure ServiceExample – EC2

• Foundation Services — Networking, Compute, Storage

• AWS Global Infrastructure

• AWS API Endpoints

AW

S

• Customer Data

• Customer Application

• Operating System

• Network & Firewall

• Customer IAM (Corporate Directory

Service)

• High Availability, Scaling

• Instance Management

• Data Protection (Transit, Rest, Backup)

• AWS IAM (Users, Groups, Roles,

Policies)

Custo

mers

RESPONSIBILITIES

AWS Foundation Services

Compute Storage Database Networking

AWS Global Infrastructure Regions

Availability ZonesEdge Locations

Optional – Opaque data: 1’s and 0’s (in transit/at rest)

Firewall

Co

nfigu

ration

Platform & Applications Management

Operating System, Network Configuration

Customer content

Cu

sto

mer

s

AWS Shared Responsibility Model:for Container Services Managed by

Managed by

Client-Side Data encryption & Data Integrity Authentication

Network Traffic ProtectionEncryption / Integrity / Identity

AW

S IAM

Cu

stom

er IA

M

AP

I End

po

ints

Mgmt

Protocols

API

Calls

Infrastructure ServiceExample – RDS

• Foundational Services –

Networking, Compute, Storage

• AWS Global Infrastructure

• High Availability

• AWS API Endpoints

• Operating System

• Platform / Application

• Backup and Patching

AW

S

• Customer Data

• Firewall (VPC)

• Customer IAM (DB Users, Table

Permissions)

• AWS IAM (Users, Groups, Roles,

Policies)

• Data Protection (Transit, Rest)

• Scaling

Custo

mers

RESPONSIBILITIES

AWS Foundation Services

Compute Storage Database Networking

AWS Global Infrastructure Regions

Availability ZonesEdge Locations

Platform & Applications Management

Operating System, Network & Firewall Configuration

Customer content

Cu

sto

mer

s

AWS Shared Responsibility Model:for Abstract Services

Managed by

Managed by

Data Protection by the PlatformProtection of Data at Rest

Network Traffic Protection by the PlatformProtection of Data at in Transit

(optional)

Opaque Data: 1’s and 0’s

(in flight / at rest)

Client-Side Data Encryption & Data Integrity Authentication

AP

I End

po

ints

AW

S IAM

API Calls

• Foundational Services

• AWS Global Infrastructure

• AWS API Endpoints

• Operating System

• Platform / Application

• Data Protection (Rest - SSE, Transit)

• High Availability / Scaling

AW

S

• Customer Data

• Data Protection (Rest – CSE)

• AWS IAM (Users, Groups, Roles, Policies)

Custo

mers

Infrastructure ServiceExample – S3

Summary of Customer Responsibility in the Cloud

Customer IAM

AWS IAM

Firewall

Data

AWS IAM

Data

Applications

Operating System

Networking/Firewall

Data

Customer IAM

AWS IAM

Infrastructure

Services

Container

Services

Abstract

Services

Shared Responsibility

What about security OF the cloud?

Auditing - Comparisonon-prem vs on AWS

Start with bare concrete

Functionally optional – you can build a secure

system without it

Audits done by an in-house team

Accountable to yourself

Typically check once a year

Workload-specific compliance checks

Must keep pace and invest in security innovation

on-prem

Start on base of accredited services

Functionally necessary – high watermark of

requirements

Audits done by third party experts

Accountable to everyone

Continuous monitoring

Compliance approach based on all workload

scenarios

Security innovation drives broad compliance

on AWS

What this means

You benefit from an environment built for the most security

sensitive organizations

AWS manages 1,800+ security controls so you don’t have to

You get to define the right security controls for your workload

sensitivity

You always have full ownership and control of your data

AWS Assurance Programs

AWS Foundation Services

Compute Storage Database Networking

AWS Global Infrastructure Regions

Availability Zones

Edge Locations

Meet your own security objectives

Customer scope and

effort is reduced

Better results through

focused efforts

Built on AWS

consistent baseline

controls

Your own external audits

Cu

sto

mer

s Your own accreditation

Your own certifications

Navigating Shared Responsibility

Achieving accreditation or certification on

AWS is possible but how can we help?

Industry Best Practices for Securing AWS Resources

CIS Amazon Web Services Foundations

Architecture agnostic set of security

configuration best practices

provides set-by-step implementation and

assessment procedures

AWS Enterprise Accelerator: Compliance Architectures

Sample Architecture –

Security Controls Matrix

Cloudformation Templates

5 x templates

User Guide

NIST 800-53 and PCI-DSS

assets, so far

http://docs.aws.amazon.com/quickstart/latest/accelerator-nist/welcome.html

Education — AWS Security & Compliance

AWS Security Fundamentals

3 hour eLearning course

Target audience – Security Auditors/Analysts

It’s Free

AWS Security Operations

3 day Instructor Lead Training

Target audience – Security Engineer/Architects

12 Modules + Labs

Self-paced labs available on http://qwiklabs.com

https://aws.amazon.com/training/course-

descriptions/

Helpful Resources

Compliance Enablers: https://aws.amazon.com/compliance/compliance-enablers/

Risk & Compliance Whitepaper: https://aws.amazon.com/whitepapers/overview-of-risk-and-

compliance/

Compliance Center Website: https://aws.amazon.com/compliance

Security Center: https://aws.amazon.com/security

Security Blog: https://blogs.aws.amazon.com/security/

AWS Audit Training: awsaudittraining@amazon.com

Helpful Resources: New Videos

The AWS Shared Security Responsibility Model in Practice: https://youtu.be/RwUSPklR24M

IAM Recommended Practices: https://youtu.be/R-PyVnhxx-U

Encryption Options on AWS: https://youtu.be/9bn7p2tdym0

Compliance, Logging, Analysis and Alerting: https://youtu.be/42-1xpT-s6U

Mandatory Access Control?

Contrast with Discretionary Access Control

• u/g/o / rwx file permissions

• Under the control of the file owner

MAC is a function of core system policy

• Immutable to all system users; sometimes also invisible to them

• …including root

Epitomised in SELinux, descended from Orange Book B1

systems

• Sometimes extended to do multilevel / cross-domain security

Mandatory Access Control?

SELinux on AWS

• RHEL, Ubuntu, SuSE, etc AMIs…

• (Don’t forget FreeBSD and other Community AMIs)

First native MAC service on AWS: Glacier Vault Lock

• Set a Policy and fix it in place

• Even the account owner can’t change it, until its time lock expires

• Designed to meet SEC “Books and Records” requirements (Rule 17a-

4(f))

• Also FINRA Rule 4511, CFTC Regulation 1.31

How can we make more services behave similarly?

• Cross-account access gets us close!

S3 Subtleties

Versioning

MFA Delete

• Put these together, and you get something which looks a lot like an

append-only object store

• …consider evidential integrity and weight

• Consider adding lifecycle policies to rotate into Vault-Locked Glacier

• Good for long-term log retention

S3 Subtleties

CloudTrail, Config, CloudWatch Logs, ELB logs, VPC Flow Logs

• Make them write-only for production / resource accounts

• No means to read or list bucket contents

• Make them read-only for audit accounts

• Though audit user activities may need to be written to logs too

– Potentially to a different log location

Create a separate Logging account and apply cross-account

sharing:

S3 Subtleties

S3 write-only cross-account sharing

• Share write-only (no reading or listing of contents) from owner

account via bucket policy

• Writer accounts have IAM permissions to write

S3 Subtleties: Log Bucket Policy, Part 1

(Actual policy won’t fit here, but…):

• Start with the cross-account bucket policy for writing CloudTrail logs, at

https://blogs.aws.amazon.com/security/post/Tx1QT0TX44KW7XM/Sha

ring-AWS-CloudTrail-Log-Files-Between-Accounts Scenario 1

• Add the Sid + Effect + Principal + Action + Resource aggregate objects

from the bucket policy for Config, at

http://docs.aws.amazon.com/config/latest/developerguide/s3-bucket-

policy.html , applying the same principles

• Add s3:GetBucketLocation permissions, to handle cross-Region logs

• (we want to log from all Regions to 1 bucket)

• Add the following for CloudWatch Logs:

S3 Subtleties: Log Bucket Policy, Part 2{

"Sid": "Cross-account write allow for CloudWatch Logs, mediated by control below",

"Effect": "Allow",

"Principal": ]

"AWS": "arn:aws:iam::Writer-Account-ID:root”,

<Add other accounts here>

],

"Action":[

"s3: PutObject",

"S3: GetBucketLocation"

],

"Resource":"arn: aws: s3:::myorg-logbucket/<optionalprefix>/AWSLogs/*"

},

{

"Sid":"Control to require full control grant on write",

"Effect":"Deny",

"Principal":[

"AWS":"arn: aws:iam::Writer-Account-ID:root”,

<Add other accounts here>

],

"Action": [

"s3:PutObject",

"s3:GetBucketLocation"

],

"Resource": "arn:aws:s3:::myorg-logbucket/<optional prefix>/AWSLogs/*",

"Condition": {

"StringNotEquals": {

"s3:"bucket-owner-full-control"

}

}}

S3 Subtleties: Log Bucket Policy, Part 3

• Audit users (in another account) will need read-only access to your log

bucket; see

https://blogs.aws.amazon.com/security/post/Tx1QT0TX44KW7XM/Sharing

-AWS-CloudTrail-Log-Files-Between-Accounts , again (Scenario 2)

Good to do via a Role which has to be explicitly assumed; again,

see the URL above

S3 Subtleties: Log Bucket Policy and IAM

Point CloudTrail and Config in other accounts to our log bucket

for writing, when setting these accounts up

IAM policy to add to each log-generating account to allow cross-

account writing:{

"Version": "2012-10-17",

"Statement": [

{

"Sid": ”Cross-account Write",

"Effect": "Allow",

"Action": [

"s3:PutObject”,

”s3:GetBucketLocation”

],

"Resource": [

"arn:aws:s3:::myorg-logbucket"

]

}

]}

Detailed Billing: Sample Records

ItemDescription

UsageStar

tDate

UsageEn

dDate

UsageQua

ntity

Currenc

yCode

CostBef

oreTax

Cre

dits

TaxAm

ount

TaxT

ype

TotalCo

st

$0.000 per GB - regional data transfer under the

monthly global free tier

01.04.14

00:00

30.04.14

23:59

0.0000067

5 USD 0.00 0.0

0.0000

00 None

0.0000

00

$0.05 per GB-month of provisioned storage - US

West (Oregon)

01.04.14

00:00

30.04.14

23:59

1.126.666.

554USD 0.56 0.0

0.0000

00 None

0.5600

00

First 1,000,000 Amazon SNS API Requests per

month are free

01.04.14

00:00

30.04.14

23:5910.0 USD 0.00 0.0

0.0000

00 None

0.0000

00

First 1,000,000 Amazon SQS Requests per month

are free

01.04.14

00:00

30.04.14

23:594153.0 USD 0.00 0.0

0.0000

00 None

0.0000

00

$0.00 per GB - EU (Ireland) data transfer from US

West (Northern California)

01.04.14

00:00

30.04.14

23:59

0.0000329

2 USD 0.00 0.0

0.0000

00 None

0.0000

00

$0.000 per GB - data transfer out under the monthly

global free tier

01.04.14

00:00

30.04.14

23:590.02311019USD 0.00 0.0

0.0000

00 None

0.0000

00

First 1,000,000 Amazon SNS API Requests per

month are free

01.04.14

00:00

30.04.14

23:5988.0 USD 0.00 0.0

0.0000

00 None

0.0000

00

$0.000 per GB - data transfer out under the monthly

global free tier

01.04.14

00:00

30.04.14

23:593.3E-7 USD 0.00 0.0

0.0000

00 None

0.0000

00

Linked Accounts

Consolidate daily Detailed Billing logs into one bucket, for all

accounts

Now put it all together…

The Base Account Structure

AWS AccountRoot Account • No Access Keys

• MFA Enabled

• Raise Alert on Login

IAM Master • No Access Keys

• MFA Enabled

• Raise Alert on Login

Define IAM Policies

Enable IAM Managers (User or Role)

• Have Passwd Policy

• Enforce Passwd

Rotation

• Have Acct Questions

set up

• Have Info eMail set

up

IAM Manager • No Access Keys

• MFA Enabled

Create IAM

Users/Groups/Roles

Use Pre-Defined Policies

The Larger Picture

BILLING

S3 Holder

CloudTrail

Config

CW Logs

S3 Holder

BILL

CloudTrail

IAMUser

IAM UserAssume

Role

IAM UserAssume

Role

IAM UserAssume

Role

Resources

IAM ROLE

IAM ROLE

IAM ROLE

Backup Data

Backup

S3 Holder

Audit

Display

Rights

STS

{

"Version": "2012-10-17",

"Statement": [ {

"Sid": ”STS-Only",

"Effect": "Allow",

"Action": [ "sts:AssumeRole" ],

"Resource": [ "*" ] }

]

}

There’s One More Account to Consider…

(…and it won’t fit on the diagram)

Service Catalogue

• Also has cross-account capability

• Repository for CloudFormation templates, golden AMIs…

• …add latest database backups and other necessary datasets, and

you have an Intellectual Property Holding Account

• Something to copy cross-Region for DR

• See http://aws.amazon.com/servicecatalog/faqs/ for cross-account access

Raising Alerts

Raise (through CloudTrail, watched by a Lambda function triggered on bucket

writes) an Alert (through, eg, SNS) if:

• Any account’s root user logs in

• Any IAM-Master account logs in

• Billing/CloudTrail accounts have another S3 Bucket created

• IAM-User generates any new AWS resource

• IAM-User generates any CloudTrail events other than assume-role

and console login

• IAM-User logs in to any Resource Accounts (besides IAM-Manager)

• Resource-Account has IAM-Users assigned (besides IAM-Master/IAM-Manager)

Logs→metrics→alerts→actions

AWS Config

CloudWatch /

CloudWatch LogsCloudWatch

alarms

AWS CloudTrail

Amazon EC2 OS logs

Amazon VPC

Flow Logs

Amazon SNS

email notification

HTTP/S

notification

SMS notifications

Mobile push

notifications

API

calls

from

most

services Monitoring

data from

AWS

services

Custom

metrics

davwal@amazon.com