Security at Scale With AWS

The document discusses security strategies and controls for managing security at scale on AWS, emphasizing the importance of automation, human factors, and a culture of shared security ownership. It outlines AWS security services, incident response mechanisms, and best practices for data protection, including identity management and encryption. Additionally, it highlights the AWS Cloud Adoption Framework and various tools available to enhance security compliance and operational efficiency.

Uploaded by Vikram Simha

Security at Scale on AWS

Dave Walker – Specialist Solutions Architect, Security and Compliance


Chris Astley – Head of Cloud Ops, Tech Solutions KPMG UK

28/06/17

© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Agenda
• AWS, Approaches and Controls
• AWS and Human Factors
• How AWS Handles Security at Scale
• AWS controls that you don’t need to worry about
• Framework to help you adopt the cloud faster
• AWS Services that you should be Using
• Reference Architectures that you can Use
• Chris @ KPMG!

Approaches Adopted by Successful Security Programmes

• Ubiquitous encryption
• Just-in-time access
• Ubiquitous logging
• DevSecOps
• Security services and API
• Minimum security baseline
• Security programme
• Security as code
• Security management layer
• Asset management
AWS Security Controls

• 70+ services
• 2,670 controls
• 3,030 audit requirements
• 7,710 audit artifacts
Human Factors

AWS Security Team: Operations, Engineering, Application Security, Compliance. Aligned for agility.

Security Ownership as Part of DNA
• Distributed and embedded
• Promotes culture of “everyone is an owner” for security
• Makes security stakeholder in business success
• Enables easier and smoother communication
Operating Principles
• Separation of duties
• Different personnel across service lines
• Least privilege

Technology to Automate Operational Principles
• Visibility through log analytics
• Shrinking the protection boundaries
• Ubiquitous encryption
How AWS Handles Security at Scale

Pipeline diagram: Work generator (Lambda) → SNS (async) → Corp scan target → S3 → Results processor (Lambda, sync)
How Fast is the Analysis?
• Scan cadence: continual! (not batch)
• Mean time to detect & respond = ~7.5 minutes
  • ~5 min for CloudTrail log file to be produced
  • ~0 min for scan to begin (on order of seconds!)
  • ~0 min scan time (on order of milliseconds!)
  • ~2.5 min for results processor to ticket (runs every 5 min*)
• Worst case: ~10 minutes
• Best case: ~5 minutes
Autoticketing

• Find and close gaps in security monitoring

• Be highly accurate and actionable

• Deliver results with low latency


How we make it even faster?
• Drink our own ale! CloudWatch Events
• Increase result processor run frequency
  • It takes < 1 minute per run on average
  • Change invocation to run every minute
  • New worst case = 1 minute
  • MTTD ≤ 1 minute
• (For your own use: see e.g. https://github.com/capitalone/cloud-custodian)
I wish I was a Solid State Drive in someone else’s Datacentre…
AWS Security Controls

• Your own accreditation, your own certifications, your own external audits: customer scope and effort is reduced
• Better results through focused efforts
• Built on AWS: consistent baseline controls across the AWS Foundation Services (Compute, Storage, Database, Networking) and the AWS Global Infrastructure (Regions, Availability Zones, Edge locations)
AWS Cloud Adoption Framework
• Each Perspective provides guidance for different parts of an organization
• Helps YOU adapt existing practices or introduce new practices for cloud computing

The Security Journey to the Cloud

Security in the cloud is familiar. The increase in agility and the ability to perform actions faster, at a larger scale and at a lower cost, does not invalidate well-established principles of information security.

The AWS CAF Security Perspective

5 Core Capabilities
Identity and Access Management
Detective controls
Infrastructure security
Data protection
Incident response

Scaling to >1 Million Users

Reference architecture diagram: User → Amazon Route 53 → Amazon CloudFront / Amazon S3 → Load balancer → Web Instances (x4) → ElastiCache, DynamoDB and an RDS DB Instance (Active, Multi-AZ) with two RDS Read Replica instances; Amazon SQS feeding Worker Instances and Lambda; Internal App Instances; Amazon CloudWatch and Amazon SES; all spread across Availability Zones.
Security Already Built In…
• Security groups are virtual firewalls that control the traffic for one or more resources.
• IAM securely controls access to AWS services and resources for your users.

Identity and Access Management
• AWS Organizations
• IAM
• AWS Security Token Service
Detective Controls
• Account: AWS CloudTrail, AWS Config
• Resources: Amazon CloudWatch, Amazon Inspector
• Network: VPC Flow Logs
If it moves…log it!
(If it doesn’t move, watch it ‘til it moves – then log it!)

Logs → metrics → alerts → actions
• Sources: Amazon EC2 OS logs, AWS Config, API calls from most services (AWS CloudTrail), monitoring data from AWS services, Amazon VPC Flow Logs
• Collection and alerting: CloudWatch / CloudWatch Logs → custom metrics → CloudWatch alarms → Amazon SNS
• Actions: HTTP/S notification, email notification, SMS notifications, mobile push notifications
Different log categories
• AWS infrastructure logs: AWS CloudTrail, Amazon VPC Flow Logs
• AWS service logs: Amazon S3, Elastic Load Balancing, Amazon CloudFront, AWS Lambda, AWS Elastic Beanstalk, …
• Host-based logs: Messages, Security, NGINX/Apache/Syslog etc. (sometimes), Performance Monitoring, …

Security-related events
Detective Controls - VPC Flow Logs

Flow Log Record Structure

2 123456789 eni-31607853 172.16.0.10 172.16.0.172 80 41707 6 1 40 1440402534 1440402589 ACCEPT OK

Fields, in order:
• Event-Version: 2
• Account Number: 123456789
• ENI-ID: eni-31607853
• Source-IP: 172.16.0.10
• Destination-IP: 172.16.0.172
• Source Port: 80
• Destination Port: 41707
• Protocol Number: 6
• Number of Packets: 1
• Number of Bytes: 40
• Start-Time Window: 1440402534
• End-Time Window: 1440402589
• Action: ACCEPT
• State: OK
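A parser for the record layout above, run over a constructed batch of records as an added example (not from the deck); it surfaces what a responder wants from flow logs: an accepted SSH/RDP connection from outside the RFC 1918 ranges, one source rejected across many ports, and records whose status is not OK. The first record is the slide’s; the others are constructed.

```python
from ipaddress import ip_address, ip_network
from typing import Any, Dict, List, Set

# Field order of a version-2 flow log record, matching the table above.
FIELDS = ["version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes",
          "start", "end", "action", "log_status"]
INT_FIELDS = ("version", "srcport", "dstport", "protocol", "packets", "bytes", "start", "end")
TCP, ADMIN_PORTS = 6, (22, 3389)          # SSH and RDP
INTERNAL = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_record(line: str) -> Dict[str, Any]:
    """Split one record into typed fields; '-' means absent (NODATA and
    SKIPDATA records carry no traffic fields)."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
    rec: Dict[str, Any] = dict(zip(FIELDS, parts))
    for key in FIELDS:
        if rec[key] == "-":
            rec[key] = None
        elif key in INT_FIELDS:
            rec[key] = int(rec[key])
    return rec

def is_internal(addr: str) -> bool:
    return any(ip_address(addr) in net for net in INTERNAL)

def findings(lines: List[str], scan_threshold: int = 3) -> List[str]:
    """Three defender-side checks over a batch of records:
    1. an ACCEPTed SSH/RDP connection from outside the private ranges;
    2. one source REJECTed on many distinct ports (scan-like behaviour);
    3. a log-status other than OK, i.e. a gap in visibility."""
    out: List[str] = []
    rejected: Dict[str, Set[int]] = {}
    for line in lines:
        r = parse_record(line)
        if r["log_status"] != "OK":
            out.append(f"{r['interface_id']}: log status {r['log_status']} (visibility gap)")
            continue
        if (r["action"] == "ACCEPT" and r["protocol"] == TCP
                and r["dstport"] in ADMIN_PORTS and not is_internal(r["srcaddr"])):
            out.append(f"{r['interface_id']}: external {r['srcaddr']} accepted on tcp/{r['dstport']}")
        elif r["action"] == "REJECT":
            rejected.setdefault(r["srcaddr"], set()).add(r["dstport"])
    for src, ports in rejected.items():
        if len(ports) >= scan_threshold:
            out.append(f"{src}: rejected on {len(ports)} distinct ports (scan-like)")
    return out

# Constructed sample batch; the first line is the record from the slide.
SAMPLE = [
    "2 123456789 eni-31607853 172.16.0.10 172.16.0.172 80 41707 6 1 40 1440402534 1440402589 ACCEPT OK",
    "2 123456789 eni-31607853 203.0.113.7 172.16.0.172 51234 22 6 12 1500 1440402600 1440402650 ACCEPT OK",
    "2 123456789 eni-31607853 198.51.100.9 172.16.0.172 40001 23 6 1 60 1440402700 1440402720 REJECT OK",
    "2 123456789 eni-31607853 198.51.100.9 172.16.0.172 40002 445 6 1 60 1440402701 1440402721 REJECT OK",
    "2 123456789 eni-31607853 198.51.100.9 172.16.0.172 40003 3389 6 1 60 1440402702 1440402722 REJECT OK",
    "2 123456789 eni-31607853 - - - - - - - 1440402800 1440402860 - NODATA",
]

if __name__ == "__main__":
    for finding in findings(SAMPLE):
        print(finding)
```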
Infrastructure Security
• Resources: AWS Trusted Advisor, AWS Config Rules, AWS OpsWorks
• Network: AWS Shield, AWS WAF
Infrastructure Security – AWS Config Rules
• Amazon CloudTrail is enabled…
  • Is it?
• All EBS volumes are encrypted…
  • Are they?
• All security groups in attached state should not have unrestricted access to port 22.
  • Do they?

Infrastructure Security – AWS Config Rules
• Codify and Automate your own Practices
• Get started with Samples in AWS Lambda
• Implement guidelines for security best practices and
compliance
• Use Rules from various AWS Partners
• View Compliance in one Dashboard

Infrastructure Security – AWS Config Rules
• Set your Policy, formulate your implementation plan:

Undesirable Event | Log Source | Action (Remedial or Alerting) | Function to Perform
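The port 22 check from the earlier Config Rules slide written as the evaluation logic of a custom Config rule, as an added example rather than AWS’s sample rule; the configuration-item field names (ipPermissions, ipRanges, ipv6Ranges, relationships) are assumed to follow the Config item format for security groups, and the sample item is constructed.

```python
import json
from typing import Dict, Tuple

ANY_IPV4, ANY_IPV6 = "0.0.0.0/0", "::/0"

def rule_covers_port(rule: Dict, port: int) -> bool:
    """True if an ingress rule reaches `port`; '-1' means all protocols/ports."""
    proto = str(rule.get("ipProtocol"))
    if proto == "-1":
        return True
    if proto not in ("tcp", "6"):
        return False
    return rule.get("fromPort", 0) <= port <= rule.get("toPort", 65535)

def open_to_world(rule: Dict) -> bool:
    v4 = any(r.get("cidrIp") == ANY_IPV4 for r in rule.get("ipRanges", []))
    v6 = any(r.get("cidrIpv6") == ANY_IPV6 for r in rule.get("ipv6Ranges", []))
    return v4 or v6

def evaluate_security_group(item: Dict, port: int = 22) -> Tuple[str, str]:
    """Return (ComplianceType, Annotation) for one configuration item.
    Groups attached to no network interface are NOT_APPLICABLE, matching the
    'in attached state' wording; a world-open rule makes the group NON_COMPLIANT."""
    if item["resourceType"] != "AWS::EC2::SecurityGroup":
        return "NOT_APPLICABLE", "not a security group"
    attached = any(rel["resourceType"] == "AWS::EC2::NetworkInterface"
                   for rel in item.get("relationships", []))
    if not attached:
        return "NOT_APPLICABLE", "security group is not attached to any interface"
    for rule in item["configuration"].get("ipPermissions", []):
        if rule_covers_port(rule, port) and open_to_world(rule):
            return "NON_COMPLIANT", f"ingress to port {port} is open to 0.0.0.0/0 or ::/0"
    return "COMPLIANT", f"no world-open ingress to port {port}"

def lambda_handler(event, context):
    """Entry point when Config invokes the rule on a configuration change."""
    import boto3  # deferred so the pure checks above run without the SDK
    item = json.loads(event["invokingEvent"])["configurationItem"]
    compliance, note = evaluate_security_group(item)
    boto3.client("config").put_evaluations(
        Evaluations=[{"ComplianceResourceType": item["resourceType"],
                      "ComplianceResourceId": item["resourceId"],
                      "ComplianceType": compliance, "Annotation": note,
                      "OrderingTimestamp": item["configurationItemCaptureTime"]}],
        ResultToken=event["resultToken"])

# Constructed configuration item: an attached group allowing SSH from anywhere.
SAMPLE_ITEM = {
    "resourceType": "AWS::EC2::SecurityGroup", "resourceId": "sg-0123abcd",
    "configurationItemCaptureTime": "2017-06-28T10:00:00.000Z",
    "relationships": [{"resourceType": "AWS::EC2::NetworkInterface",
                       "resourceId": "eni-0123abcd"}],
    "configuration": {"ipPermissions": [
        {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
         "ipRanges": [{"cidrIp": "0.0.0.0/0"}], "ipv6Ranges": []}]},
}
```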

Introducing AWS Organizations
Policy-based management for multiple AWS accounts.
• Control AWS service use across accounts
• Automate AWS account creation
• Consolidate billing
Industry Best Practices for Securing AWS Resources

CIS Amazon Web Services Foundations
• Architecture-agnostic set of security configuration best practices
• Provides step-by-step implementation and assessment procedures
Automating New Account Security Baselining…
AWS Enterprise Accelerator: Compliance Architectures
• Sample Architecture – Security Controls Matrix
• CloudFormation Templates (5 x templates)
• User Guide

http://docs.aws.amazon.com/quickstart/latest/accelerator-nist/welcome.html
Infrastructure Security – Organizations SCPs
• Enables you to control which AWS service APIs are accessible
  - Define the list of APIs that are allowed – whitelisting
  - Define the list of APIs that must be blocked – blacklisting
• Cannot be overridden by local administrator
• Resultant permission on IAM user/role is the intersection between the SCP and assigned IAM permissions
• Necessary but not sufficient
• IAM policy simulator is SCP aware

Blacklisting example

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": "*",
          "Resource": "*"
        },
        {
          "Effect": "Deny",
          "Action": "redshift:*",
          "Resource": "*"
        }
      ]
    }

Whitelisting example

    {
      "Version": "2012-10-17",
      "Statement": [{
        "Effect": "Allow",
        "Action": [
          "ec2:RunInstances",
          "ec2:DescribeInstances",
          "ec2:DescribeImages",
          "ec2:DescribeKeyPairs",
          "ec2:DescribeVpcs",
          "ec2:DescribeSubnets",
          "ec2:DescribeSecurityGroups"
        ],
        "Resource": "*"
      }]
    }
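An added model (not AWS’s policy engine) of the intersection rule stated on the previous slide, using the two SCPs above together with two constructed IAM policies; it handles explicit Deny, ‘*’ wildcards in action names and the implicit deny, and ignores conditions, resource ARNs and permission boundaries.

```python
from fnmatch import fnmatchcase
from typing import Dict, List, Union

Actions = Union[str, List[str]]

def _matches(patterns: Actions, action: str) -> bool:
    """IAM action names are case-insensitive and may use '*' wildcards."""
    if isinstance(patterns, str):
        patterns = [patterns]
    return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)

def evaluate(policy: Dict, action: str) -> str:
    """Return 'Deny', 'Allow' or 'ImplicitDeny' for one policy document."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if _matches(stmt["Action"], action):
            if stmt["Effect"] == "Deny":
                return "Deny"        # an explicit Deny always wins
            decision = "Allow"
    return decision

def effective(scp: Dict, iam_policy: Dict, action: str) -> bool:
    """Necessary but not sufficient: both the SCP and the IAM policy must allow."""
    return evaluate(scp, action) == "Allow" and evaluate(iam_policy, action) == "Allow"

def simulate(scp: Dict, iam_policy: Dict, actions: List[str]) -> Dict[str, bool]:
    """Effective decision per action, the way an SCP-aware simulator reports it."""
    return {a: effective(scp, iam_policy, a) for a in actions}

# The two SCPs from the slide.
BLACKLIST_SCP = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Deny", "Action": "redshift:*", "Resource": "*"}]}
WHITELIST_SCP = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*", "Action": [
        "ec2:RunInstances", "ec2:DescribeInstances", "ec2:DescribeImages",
        "ec2:DescribeKeyPairs", "ec2:DescribeVpcs", "ec2:DescribeSubnets",
        "ec2:DescribeSecurityGroups"]}]}
# Constructed IAM policies for principals inside the child account.
ADMIN_IAM = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"}]}
READONLY_IAM = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"}]}

if __name__ == "__main__":
    checks = ["ec2:RunInstances", "ec2:DescribeInstances", "redshift:CreateCluster", "s3:PutObject"]
    for scp_name, scp in (("blacklist", BLACKLIST_SCP), ("whitelist", WHITELIST_SCP)):
        for who, iam in (("admin", ADMIN_IAM), ("read-only", READONLY_IAM)):
            print(scp_name, who, simulate(scp, iam, checks))
```

Even the account administrator cannot reach Redshift under the blacklist SCP, and under the whitelist SCP a read-only principal cannot launch instances although the SCP would permit it.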
More on SCPs
But:
• you don't have to apply an SCP before you populate your account with assets...
• this lends the idea of "immutable infrastructure" to other services, from the point of view of the child accounts
  • (including Serverless)
  • eg:
    • S3 websites which can't have their contents changed
    • Lambda functions which are invoke-only "black boxes"
    • ACM cert / key pairs which can't be deleted
    • Prevent CloudTrail, Config ever being turned off
    • ...
Data Protection
• AWS CloudHSM
• AWS Key Management Service
• AWS Certificate Manager
Data Protection - Encryption
• Encryption In-Transit: SSL/TLS, VPN / IPSEC, SSH
• Encryption At-Rest: Object, Database, Filesystem, Disk
Data Protection – AWS KMS

Key hierarchy diagram: Customer Master Keys protect Data key 1, Data key 2, Data key 3 and Data key 4, which in turn encrypt an S3 object, an EBS volume, an Amazon Redshift cluster and a custom application respectively.
Responding to Issues: the Automation Playbook…

Flow diagram: Adversary (or Intern) → Your environment → CloudWatch Events event → Responder
Incident Response – AWS CloudWatch Events

Incident Response – Lambda Log
from __future__ import print_function
import json

def lambda_handler(event, context):
    # Dump the incoming CloudWatch Events payload to the function's log stream
    print(json.dumps(event, indent=2))

Incident Response – Lambda Respond
import boto3

cloudtrail = boto3.client('cloudtrail')
# The trail that was stopped is named in the StopLogging call's request parameters
trail_arn = event["detail"]["requestParameters"]["name"]

# Remediate: turn logging back on for that trail
ct_response = cloudtrail.start_logging(
    Name = trail_arn
)

Incident Response – Lambda Notify
import json
import boto3

sns_topic = "arn:aws:sns:us-east-1:123459227412:reporter-topic"

subject = 'EVENT: ' + event["detail"]["eventName"]

# Adjacent string literals concatenate, so each line continues the message
message = "What happened? " + event["detail"]["eventName"] + "\n" \
          "What service? " + event["detail"]["eventSource"] + "\n" \
          "Where? " + event["detail"]["awsRegion"] + "\n" \
          "When? " + event["detail"]["eventTime"] + "\n" \
          "Who? " + str(json.dumps(event["detail"]["userIdentity"], indent=2))

sns = boto3.client('sns')
sns_response = sns.publish(
    TopicArn = sns_topic,
    Message = message,
    Subject = subject,
    MessageStructure = 'string'
)
Incident Response – Amazon SNS Notification

Incident Response – Complete

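The three Lambda fragments above joined into one runnable flow as an added example, not the deck’s code: the event pattern for the CloudWatch Events rule, a simplified matcher for it, and a handler that takes its AWS clients as parameters so it can run offline against a constructed StopLogging event (the Recorder class stands in for boto3 clients; the topic ARN is the slide’s).

```python
import json
from typing import Any, Dict, List

# Rule pattern: every listed key must be present and its value must be one of the alternatives.
RULE_PATTERN = {
    "source": ["aws.cloudtrail"],
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {"eventSource": ["cloudtrail.amazonaws.com"],
               "eventName": ["StopLogging", "DeleteTrail"]},
}
SNS_TOPIC = "arn:aws:sns:us-east-1:123459227412:reporter-topic"  # from the slide

def matches(pattern: Dict, event: Dict) -> bool:
    """Simplified model of event-pattern matching (exact values, nested keys)."""
    for key, want in pattern.items():
        if key not in event:
            return False
        if isinstance(want, dict):
            if not isinstance(event[key], dict) or not matches(want, event[key]):
                return False
        elif event[key] not in want:
            return False
    return True

def respond(event: Dict, cloudtrail: Any, sns: Any, topic_arn: str) -> Dict[str, Any]:
    """Undo what can be undone, then report who did what, where and when.
    DeleteTrail has no automatic remedy, so it is reported for manual follow-up."""
    detail = event["detail"]
    actions: List[str] = []
    if detail["eventName"] == "StopLogging":
        trail = detail["requestParameters"]["name"]
        cloudtrail.start_logging(Name=trail)
        actions.append(f"start_logging({trail})")
    message = "\n".join([
        "What happened? " + detail["eventName"],
        "What service? " + detail["eventSource"],
        "Where? " + detail["awsRegion"],
        "When? " + detail["eventTime"],
        "Who? " + json.dumps(detail["userIdentity"], indent=2),
        "Action taken: " + (", ".join(actions) or "none; manual follow-up required"),
    ])
    sns.publish(TopicArn=topic_arn, Subject="EVENT: " + detail["eventName"], Message=message)
    return {"actions": actions, "message": message}

def lambda_handler(event, context):
    import boto3  # deferred so the logic above runs without the SDK installed
    if not matches(RULE_PATTERN, event):  # the rule filters already; belt and braces
        return {"ignored": True}
    return respond(event, boto3.client("cloudtrail"), boto3.client("sns"), SNS_TOPIC)

class Recorder:
    """Stand-in for a boto3 client that records the calls made on it."""
    def __init__(self) -> None:
        self.calls: List[tuple] = []
    def __getattr__(self, name: str):
        return lambda **kwargs: self.calls.append((name, kwargs))

# Constructed CloudWatch Events payload for a StopLogging call.
SAMPLE_EVENT = {
    "source": "aws.cloudtrail", "detail-type": "AWS API Call via CloudTrail",
    "detail": {"eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
               "awsRegion": "us-east-1", "eventTime": "2017-06-28T10:15:00Z",
               "requestParameters": {"name": "example-trail"},
               "userIdentity": {"type": "IAMUser", "userName": "example-user"}},
}
```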
Scaling to >1 Million Users

The same reference architecture (User → Amazon Route 53 → Amazon CloudFront / Amazon S3 → load balancer → Web Instances → ElastiCache, DynamoDB, RDS DB Instance (Active, Multi-AZ) with RDS Read Replica instances; Amazon SQS → Worker Instances and Lambda; Internal App Instances; Amazon CloudWatch; Amazon SES; Availability Zones) with the security services overlaid: AWS Shield, AWS WAF, AWS Organizations, AWS CloudTrail, AWS Config, AWS OpsWorks, Amazon Inspector and VPC Flow Logs.

Security + DevOps = DevSecOps

Software development lifecycle / delivery pipeline: developers → plan → build → test → release → monitor → customers, with security applied at every stage and a feedback loop back to the developers.

DevOps = Efficiencies that speed up this lifecycle
DevSecOps = Validate building blocks without slowing lifecycle
CI/CD for DevOps

Pipeline diagram: Dev commits code to Git/master (version control) → CI Server gets / pulls the code, runs distributed builds and tests in parallel, sends the build report to Dev, and stops everything if the build failed → Config Builder generates, packages, installs and creates AMIs → Deploy Server pushes code and config through Test Env, Staging Env and Prod Env, each built from CloudFormation templates for the environment.
CI/CD for DevSecOps

The same pipeline with security gates added: continuous scan of the code, checksum of the AMIs, audit/validation of the config, promote / process / validate steps between Test Env, Staging Env and Prod Env, logging for audit, build reports sent to Security, and stop everything if audit/validation failed.
Deployment Mechanisms for Software Artifacts
• Software Artifacts: Amazon Machine Images (AMIs), Docker Images, OS Packages
• Deployment Services: Amazon EC2 Container Service, AWS CloudFormation, AWS CodeDeploy
• Configuration building blocks: CloudFormation Template, Task Definition, Application Specification File (AppSpec file)
…and more.
Amazon EC2 Systems Manager
• Announced at Re:Invent 2016
• See sessions WIN401 (https://www.youtube.com/watch?v=Eal9K0aGLYI) and WIN402 (https://www.youtube.com/watch?v=L5TglwWI5Yo)
Systems Manager Capabilities
• Configuration, Administration: Run Command, State Manager, Automation
• Shared Capabilities: Maintenance Windows, Parameter Store
• Update and Track: Inventory, Patch Manager
Inventory – System Diagram

Diagram: the SSMAgent on EC2 Windows instances, EC2 Linux instances and on-premises instances runs the EC2 Inventory SSM document under a State Manager association; the collected inventory goes to the AWS SSM Service inventory store and on to AWS Config, and is queried through the AWS Config console + CLI/APIs and the EC2 console / SSM CLI/APIs.
State Manager Associations

aws ssm create-association \
    --document-name WebServerDocument \
    --document-version '$DEFAULT' \
    --schedule-expression "cron(0 */30 * * * ? *)" \
    --targets "Key=tag:Name,Values=WebServer" \
    --output-location '{"S3Location": {"OutputS3Region": "us-east-1", "OutputS3BucketName": "MyBucket", "OutputS3KeyPrefix": "MyPrefix"}}'

Configures all instances that match the tag query and reapplies every 30 minutes.
Parameter Store Substitution

$ aws ssm put-parameter \
    --name myprivatekey \
    --type SecureString \
    --value "-----BEGIN RSA PRIVATE KEY-----
WtcUTC+57cf…" \
    --key-id <KMS keyID>

$ aws ssm send-command \
    --document-name AWS-RunShellScript \
    --comment Insert-Websvr-Private-Key \
    --parameters '{"commands": ["echo \"{{ssm:myprivatekey}}\" > /etc/apache2/keys/private.key ; chmod 400 /etc/apache2/keys/private.key ; chown webserver:webserver /etc/apache2/keys/private.key"]}' \
    --targets Key=tag:Name,Values=WebServer

Note: send-command names the document to run with --document-name (AWS-RunShellScript is the managed document for shell commands) and takes a free-text label in --comment; the parameter value is substituted into the command text before it runs, so it is written out with echo. In current Systems Manager documents a SecureString parameter is referenced as {{ssm-secure:myprivatekey}}.
AWS Marketplace Security Partners
• Infrastructure Security
• Logging & Monitoring
• Identity & Access Control
• Configuration & Vulnerability Analysis
• Data Protection

Summary
• AWS security benefits:
• Integrated security & compliance
• Global resilience, visibility, & control
• Maintain your privacy and data ownership
• Agility through security automation
• Security innovation at scale
• Broad security partner & marketplace solutions

Helpful Resources

Compliance Enablers: https://aws.amazon.com/compliance/compliance-enablers/

Risk & Compliance Whitepaper: https://aws.amazon.com/whitepapers/overview-of-risk-and-compliance/

Compliance Centre Website: https://aws.amazon.com/compliance

Security Centre: https://aws.amazon.com/security

Security Blog: https://blogs.aws.amazon.com/security/

Well-Architected Framework: https://aws.amazon.com/blogs/aws/are-you-well-architected/

AWS Audit Training: awsaudittraining@amazon.com


New Security and Compliance Webinar Series

Getting Started with AWS Security: https://www.brighttalk.com/webcast/9019/256391

AWS Security Checklist: https://www.brighttalk.com/webcast/9019/257297

Automating Security Event Response: https://www.brighttalk.com/webcast/9019/258547

Compliance with AWS – Verifying AWS Security: https://www.brighttalk.com/webcast/9019/260695

Securing Enterprise Big Data Workloads: https://www.brighttalk.com/webcast/9019/261911

Architecting Security across Multi-Acct Architectures: https://www.brighttalk.com/webcast/9019/261915

AWS Security Best Practices: https://www.brighttalk.com/webcast/9019/264011

Software Security and Best Practices: https://www.brighttalk.com/webcast/9019/264917


Thank you!
KPMG CloudOps
• 3 years
• 150+ Projects
• 250+ Production workloads
• 25 Engineers
• Banking: Global investment banking client
• Public Sector: Government Civil Service
• Retail: Multi-national FMCG retailer
• Tax and Audit: KPMG Tax
• All sectors
Standard Practices
• Consistency: Cattle not Pets
• Obfuscation: No EC2 instances directly exposed to the internet
• Access: SSH/RDP disabled by default. And anything else not needed!
• Segregation: At an AWS Account level. Secure access through VPC Peering
• Process: Infrastructure as Code – SDLC Processes
Security Pattern

Cloud | On-Premise
No instances internet facing | LOTS of instances internet facing
RDS for automated DB patching | Manual DB patching – limited HA
SMB disabled in Security Groups | Limited internal network restrictions
Account segregation – limit blast radius | One instance could expose the estate
Gold AMI patched and rolled out | Individual servers patched in-line
Thank you!
