Security and compliance

AWS Security Essentials & Best
Practices
By
Lilian Shulika Tata

Summary
Shared responsibility model
Security control framework of AWS cloud
AWS security services and features
Security and auditing best practices in the AWS cloud

Overview
Overview of the AWS cloud security concepts such as the AWS Security Center,
Shared Responsibility Model, and Identity and Access Management.
What are your perceptions
on cloud security?
-protecting your account tby using notifications,
Least privileges principle
Who gets in and out
What are your top security concerns

AWS security Benefits
 Build an environment for the most secure – sensitive organizations
 Benefits ALL customers
 Validate design, eand operational excellence

Question 1
AWS Foundation Services
Compute Storage Database Networking
AWS Global
Infrastructure Regions
Availability Zones
Edge Locations
Client-side Data
Encryption
Server-side Data
Encryption
Network Traffic
Protection
Platform, Applications, Identity & Access Management
Operating System, Network & Firewall Configuration
Customer content
Shared Responsibility Model
Customers are
responsible for their
security and
compliance IN the
Cloud
AWS is responsible
for the security OF
the Cloud

‘of’ the cloud
Securing Your AWS Infrastructure
Responsible for security
‘in’ the cloud
• AWS Security Services
• Asset Management
• Data Security
• Network Security
• Access Controls
Responsible for security
•
• Physical & Environmental Security
• IT Operations Access Controls
• Security Policy & Governance
• Change Management

AWS : Security of the Cloud
Physical security of data centers
Hardware and software infrastructure
Network infrastructure
Virtualization infrastructure
Host operating system

Physical & Environmental Security: Physical Security
Building
Perimeter and entry
Security staff and surveillance
Two-factor authentication Escort

AWS Responsibilities
• Host operating system
• Individual SSH keyed logins via bastion host for AWS admins
• All accesses logged and audited
• Guest (a.k.a. Instance) operating system
• Customer controlled (customer owns root/admin)
• AWS admins cannot log in
• Customer-generated keypairs
• Stateful firewall
• Mandatory inbound firewall, default deny mode
• Customer controls configuration via Security Groups
Configuration Management
• Most updates are done in such a manner that they will not impact the customer.
• Changes are authorized, logged, tested, approved, and documented.
• AWS will communicate with customers, either via email, or through the AWS Service
Health Dashboard (http://status.aws.amazon.com/) when there is a potential for service
being affected.

Physical & Environmental Security: Environmental Security
Fire detection and suppression
Power
Climate and temperature
Monitoring equipment
Storage device decommissioning

Audit Logging Capacity
Management
Vulnerability
Management
Incident
Management
Prevent unauthorized
access going undetected
Prevent system
outages
Detect unauthorized
access
Recover and reconstitute
incidents quickly and
effectively
IT Operations Controls

IT Operations Controls
Backup &
Recovery
Business
Continuity and
Disaster Recovery
Secure
Communication
Data
Management
Prevent loss of critical
data
Respond to & recover
from major disruptions
Prevent sensitive
information from being
disclosed to unauthorized
parties
Detect suspicious
activities & unauthorized
tampering of the system

AWS Responsibility? or Customer Responsibility?
Configuring the
Security Group rules
that determine which
ports are open on the
EC2 Linux instance
Toggling on the
Server-side
encryption feature for
S3 buckets
Patching the operating
system with the latest
security patches
Installing camera
systems to monitor
the physical
datacenters
Shredding disk drives
before they leave a
datacenter
Preventing packet
sniffing at the
hypervisor level
Securing the internal
network inside the AWS
datacenters

 AWS Customers: Security in the Cloud
 Validate design, and operational excellence
 maintain complete control over your content.
 managing security requirements for your content, including which content you choose
to store on AWS, which AWS services you use, and who has access to that content.
 You also control how access rights are granted, managed, and revoked.
 Security steps - configuring, and patching the operating systems that will run on
Amazon EC2 instances, configuring security groups, and managing user accounts.

Access Controls
Segregation
Account Review &
Audit
Background
Checks
Credentials Policy
Restrict access to
information resources
+
disclosure

Security Policy and governance Controls
Security
Policy
Risk
Assessment
Training &
Awareness
Guide operations &
information security in the
organization
Mitigate risks & reduce
exposure to
vulnerabilities
Enhance awareness of
AWS policies &
procedures

Security policy and governance controls
Communication Compliance HR Security Third Party
Management
modification or disclosure
of information
Prevent inadvertent
violation of laws &
regulations
Prevent potential security
breaches resulting from
human resource
Prevent potential
compromise of information
due to misuse

Questions
1. A customer has recently experienced an SQL injection attack on their web
application’s database hosted in EC2. They submitted a complaint ticket to AWS. What
should be the response from AWS?
A) AWS should not be liable for the damages since the customer should have properly
patched the EC2 instance.
B) AWS and the customer should contact a third party auditor to verify the incident.
C) AWS should reiterate that the customer is responsible for the security of their
applications in the Cloud.
D) AWS should secure their infrastructure better to reduce these kinds of incidents.

Questions
Shared Controls: Controls which apply to both the infrastructure layer and customer
layers, but in completely separate contexts or perspectives. In a shared control, AWS
provides the requirements for the infrastructure and the customer must provide their own
control implementation within their use of AWS services.
Examples inc
– Patch Management: AWS is responsible for patching and fixing flaws within the
infrastructure, but customers are responsible for patching their guest OS and
applications.
– Configuration Management: AWS maintains the configuration of its infrastructure
devices, but a customer is responsible for configuring their own guest operating systems,
databases, and applications.
– Awareness & Training: AWS trains AWS employees, but a customer must train their

Questions
What is AWS responsible for securing?
• AWS-owned hardware
• AWS-owned software
• AWS-owned networking
• All of the above
What constitutes "inherited controls" in AWS' shared responsibility model?
• Physical and environmental controls
• Patch management
• Zone security
• None of the above

Questions
1. Patch management is solely the responsibility of the user.
• True
• False
Who holds the responsibility to protect user data stored on physical disks?
• Government regulatory agencies
• Users
• AWS

Questions
Who holds the responsibility to protect user data stored on physical disks?
• Government regulatory agencies
• Users
• AWS

Enables you to manage access to AWS services and resources securely.
IAM features; IAM users, groups, and roles, IAM policies, Multi-factor authentication
Definitions
• IAM = Identity and Access Management, Global service
• Root account created by default, shouldn’t be used or shared
• Users are people within your organization, and can be grouped
• Groups only contain users, not other groups
• Users don’t have to belong to a group, and user can belong to multiple groups
AWS Identity and Access Management (IAM)
Different ways of
Authentication:
- What you know()
- What you have
(RSA, token)
- Who you are(Finger
print, eye
scanner)

AAA with AWS
Authenticate
IAM Username/Password
Access Key
(+ MFA)
Federation
Authorize
IAM Policies
Audit
CloudTrail

AWS account root user
use the root user to create your first IAM user
and assign it permissions to create other users.

AWS Principals
• Access to specific services.
• Access to console and/or APIs.
• Access to Customer Support (Business and Enterprise).
IAM Users, Groups and Roles
• Access to specific services.
• Access to console and/or APIs.
Temporary Security Credentials
• Access to all subscribed services.
• Access to billing.
• Access to console and APIs.
• Access to Customer Support.
Account Owner ID (Root Account)

AWS Identity Authentication
Authentication: How do we know you are who you say you are?
AWS Management Console API access
Login with Username/Password with
optional MFA (recommended)
Access API using Access Key +
Secret Key, with optional MFA
ACCESS KEY ID
Ex: AKIAIOSFODNN7EXAMPLE
SECRET KEY
Ex: UtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
For time-limited access: Call the AWS Security Token
Service (STS) to get a temporary AccessKey +
SecretKey + session token
For time-limited access: a Signed URL can provide
temporary access to the Console

Authorization: What are you allowed to do?
Account Owner (Root)
• Privileged for all actions.
IAM Policies
• Privileges defined at User and
Resource Level
Note: Always associate the account owner ID with
an MFA device and store it in a secured place!

AWS Account
Owner (Root)
AWS IAM
User
Temporary
Security
Credentials
Permissions Example
Unrestricted access to all
enabled services and
resources.
Action: *
Effect: Allow
Resource: *
(implicit)
Access restricted by
Group and User policies
Action:
[‘s3:*’,’sts:Get*’]
Effect: Allow
Resource: *
Access restricted by
generating identity and
further by policies used
to generate token
Action: [ ‘s3:Get*’ ]
Effect: Allow
Resource:
‘arn:aws:s3:::mybucket/*’
Enforce principle of least privilege with Identity and Access Management (IAM)
users, groups, and policies and temporary credentials.

Securely control access to AWS services and resources for your users.
Username/
User
Manage groups
of users
Centralized
Access Control
• Password for console access.
• Policies for controlling access AWS APIs.
• Two methods to sign API calls:
•X.509 certificate
•Access/Secret Keys
• Multi-factor Authentication (MFA)
Optional Configurations:
AWS Identity and Access Management (IAM)

The End
Encryption and
configuration
management

• AWS Certificate Manager (ACM)
makes it easy to provision, manage, deploy, and renew SSL/TLS
certificates on the AWS platform.
Customer
Master
Key(s)
Data Key 1
Amazo
n S3
Object
Amazon
EBS
Volume
Amazon
Redshift
Cluster
Data Key 2 Data Key 3 Data Key 4
• AWS key Management Service
Managed service to securely create, control, rotate, and use
encryption keys.
• AWS CloudHSM
Help meet compliance requirements for data
security by using a dedicated Hardware Security
Module appliance with AWS.
Dedicated, single-tenant hardware device

Amazon Inspector
Amazon Inspector is an automated security
assessment service that helps improve the
security and compliance of applications deployed
on AWS.
AWS CloudTrail
Web service that records AWS API
calls for your account and delivers
logs.
• Whomade the API call?
• When was the API call made?
• What was the API call?
• Which resources were acted up on in the API call?
• Where was the API call made from and made to?
AWS CloudWatch
Monitoring services for AWS Resources and AWS-based Applications
Monitor and Store Logs
Set Alarms (react to changes)
View Graphs and Statistics
Collect and Track Metrics
How can you use it?
React to application log events and availability
Automatically scale EC2 instance fleet
View Operational Status and Identify Issues
Monitor CPU, Memory, Disk I/O, Network, etc.
What does it do?

AWS WAF
General WAF use cases
• Protect from SQL Injection (SQLi) and Cross Site Scripting (XSS)
• Prevent Web Site Scraping, Crawlers, and BOTs
• Mitigate DDoS (HTTP/HTTPS floods)

Vulnerability Assessment Service
 Built from the ground up to support DevSecOps
 Automatable via APIs
 Integrates with CI/CD tools
 On-Demand Pricing model
 Static & Dynamic Rules Packages
 Generates Findings
AWS Artifact
is a service that provides on-demand access to AWS
security and compliance reports and select online
agreements. AWS Artifact consists of two main sections:
AWS Artifact Agreements and AWS Artifact Reports.
AWS CloudTrail
Web service that records AWS API calls for your
account and delivers logs.
• Whomade the API call?
• When was the API call made?
• What was the API call?
• Which resources were acted up on in the API call?
• Where was the API call made from and made to?
AWS GuardDuty
Amazon GuardDuty is a threat detection service that
continuously monitors for malicious activity and unauthorized
behavior to protect your AWS accounts, workloads, and data
stored in Amazon S3

Amazon Inspector
Vulnerability Assessment Service
 Built from the ground up to support DevSecOps
 Automatable via APIs
 Integrates with CI/CD tools
 On-Demand Pricing model
 Static & Dynamic Rules Packages
 Generates Findings
AWS Artifact
is a service that provides on-demand access to AWS
security and compliance reports and select online
agreements. AWS Artifact consists of two main sections:
AWS Artifact Agreements and AWS Artifact Reports.
Managed service for tracking AWS inventory and configuration, and
configuration change notification.
AWS Config
AWS Trusted Advisor
Leverage Trusted Advisor to analyze your AWS resources for best
practices for availability, cost, performance and security.
AWS Shield
AWS Shield is a managed Distributed Denial of Service (DDoS)
protection service that safeguards applications running on AWS.

Security and compliance

More Related Content

Security and compliance