AWS Best Practices

The document discusses best practices for security at scale in AWS including identity and access management, logging and monitoring, infrastructure security, and data protection. It outlines sources of best practices and provides an example of how not following practices can lead to a security breach before detailing identity and access management best practices.

Uploaded by

Bhaktha Singh

Best Practices for Security at Scale

“Best of the Best” tips for Security in the Cloud

Matt Robinson
Sr Partner SA
[email protected]

© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Agenda

• Sources of Best Practices
• A Bad Day
• Best of the Best Practices
– Identity and Access Management
– Logging and Monitoring
– Infrastructure Security
– Data Protection
Sources of Best Practices

AWS Cloud Adoption Framework (CAF)
How to move to the cloud securely, including the “Core Five Epics”:
• Identity and Access Management
• Logging and Monitoring
• Infrastructure Security
• Data Protection
• Incident Response

AWS Security Best Practices
Whitepaper with 44 best practices including:
• Identity and Access Management (10 best practices)
• Logging and Monitoring (4)
• Infrastructure Security (15)
• Data Protection (15)

Centre for Internet Security (CIS) Benchmarks
148 detailed recommendations for configuration and auditing covering:
• “AWS Foundations” with 52 checks aligned to AWS Best Practices
• “AWS Three-Tier Web Architecture” with 96 checks for web applications
CIS Benchmarks: What, Why, Check, Fix
A is for “Alice” and B is for “Bill”

Alice follows best practices :-)
Bill does NOT follow best practices :-(
Bill’s Bad Day

[Diagram: Bill’s single AWS account. Internet → Internet Gateway → Web Server Instance → Internal Data Service, with two S3 buckets, “Website Images” and “Data Backup”.]
Bill’s Bad Day

[Diagram: the same account, with a “Bad Person” on the Internet carrying out the numbered steps.]
1 Access the vulnerable web application
2 Pivot to the data service
3 Change permissions to the data backup
4 Download the data backup
5 Delete the website image files
Bill’s Bad Day

[Diagram: the same account, annotated with what was missing.]
1 No web application protection
2 No segmentation
3 One account
4 All permissions granted
5 Sensitive data not encrypted
6 No logging, monitoring, alerting

… now let’s help Alice have a great day! :-)
Best of the Best Practices: Identity and Access Mgmt

1) Use multiple AWS accounts to reduce blast radius (Production / Staging)
AWS accounts provide administrative isolation between workloads across different lines of business, regions, stages of production and types of data classification.

2) Use limited roles and grant temporary security credentials (IAM, IAM Roles, Secrets Manager)
IAM roles and temporary security credentials mean you don't always have to manage long-term credentials and IAM users for each entity that requires access to a resource.

3) Federate to an existing identity service (MFA token, IAM, AWS SSO)
Control access to AWS resources, and manage the authentication and authorisation process without needing to re-create all your corporate users as IAM users.

Sources cited for each practice: AWS Best Practices Paper, CIS Foundation Benchmark, CIS Web-Tier Benchmark
Identity and Access Management

[Diagram, step 1: Alice now has two AWS accounts, federated access through AWS SSO with an MFA token, IAM roles and Secrets Manager in front of the Internet Gateway, Web Server Instance, Internal Data Service and the “Website Images” and “Data Backup” S3 buckets.]
Best of the Best Practices: Logging and Monitoring

4) Turn on logging in all accounts, for all services, in all regions (AWS CloudTrail)
The AWS API history in CloudTrail enables security analysis, resource change tracking, and compliance auditing. GuardDuty provides managed threat intelligence & findings.

5) Use the AWS platform’s built-in monitoring and alerting features (Amazon GuardDuty, Security Hub)
Monitoring a broad range of sources will ensure that unexpected occurrences are detected. Establish alarms and notifications for anomalous or sensitive account activity.

6) Use a separate AWS account to fetch and store copies of all logs (Production account → Security account, AWS Config)
Configuring a security account to copy logs to a separate bucket ensures access to information which can be useful in security incident response workflows.

Sources cited for each practice: AWS Best Practices Paper, CIS Foundation Benchmark, CIS Web-Tier Benchmark
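An added example of the alerting that practice 5 asks for (not code from the deck): detection logic run over constructed CloudTrail records that replay Bill’s bad day. The bucket names, the account id and the role ARN are made up.

```python
import json

# Constructed sample CloudTrail records (not real log data). They replay Bill's bad
# day: the compromised web-server role changes the backup bucket's permissions,
# then deletes website image objects.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2019-05-01T10:00:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "sourceIPAddress": "10.0.1.5",
     "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/WebServerRole/i-0abc"},
     "requestParameters": {"bucketName": "website-images", "key": "logo.png"}},
    {"eventTime": "2019-05-01T10:02:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutBucketAcl", "sourceIPAddress": "10.0.1.5",
     "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/WebServerRole/i-0abc"},
     "requestParameters": {"bucketName": "data-backup"}},
    {"eventTime": "2019-05-01T10:03:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "DeleteObject", "sourceIPAddress": "10.0.1.5",
     "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/WebServerRole/i-0abc"},
     "requestParameters": {"bucketName": "website-images", "key": "logo.png"}},
]})

# Sensitive S3 API calls worth an alarm: permission changes and destructive actions.
SENSITIVE_S3_EVENTS = {"PutBucketAcl", "PutBucketPolicy", "PutObjectAcl",
                       "DeleteObject", "DeleteObjects", "DeleteBucket"}

def load_records(log_text):
    """Parse one CloudTrail log file (JSON document with a top-level 'Records' array)."""
    return json.loads(log_text).get("Records", [])

def find_sensitive_events(records, monitored_buckets):
    """Return one alert per sensitive S3 call made against a monitored bucket."""
    alerts = []
    for rec in records:
        if rec.get("eventSource") != "s3.amazonaws.com":
            continue
        params = rec.get("requestParameters") or {}
        bucket = params.get("bucketName")
        if rec.get("eventName") in SENSITIVE_S3_EVENTS and bucket in monitored_buckets:
            alerts.append({
                "time": rec["eventTime"],
                "eventName": rec["eventName"],
                "bucket": bucket,
                "principal": rec.get("userIdentity", {}).get("arn", "unknown"),
                "sourceIp": rec.get("sourceIPAddress"),
            })
    return alerts

if __name__ == "__main__":
    for alert in find_sensitive_events(load_records(SAMPLE_LOG), {"data-backup", "website-images"}):
        print(f"ALERT {alert['time']} {alert['eventName']} on s3://{alert['bucket']} by {alert['principal']}")
```

The GetObject call is normal web-server traffic and is ignored; the ACL change on the backup bucket and the delete on the images bucket are the two events a CloudWatch alarm would raise.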
Logging and Monitoring

[Diagram, step 2: Amazon CloudWatch, Amazon GuardDuty, AWS CloudTrail and AWS Config are added across Alice’s two accounts, alongside the AWS SSO, MFA token, IAM and Secrets Manager controls from step 1.]
Best of the Best Practices: Infrastructure Security

7) Create a threat prevention layer using AWS edge services (AWS Shield, Amazon CloudFront, AWS WAF)
Use the 100s of worldwide points of presence in the AWS edge network to provide scalability, protect from denial of service attacks, and protect from web application attacks.

8) Create network zones with Virtual Private Clouds (VPCs) and security groups (Security Group)
Implement security controls at the boundaries of hosts and virtual networks within the cloud environment to enforce access policy.

9) Manage vulnerabilities through patching and scanning (Amazon Inspector)
Test virtual machine images and snapshots for operating system and application vulnerabilities throughout the build pipeline and into the operational environment.

Sources cited for each practice: AWS Best Practices Paper, CIS Foundation Benchmark, CIS Web-Tier Benchmark
Infrastructure Security

[Diagram, step 3: AWS Shield, Amazon CloudFront and AWS WAF sit between the Internet and the Internet Gateway, security groups wrap the Web Server Instance and the Internal Data Service, and Amazon Inspector joins CloudWatch, CloudTrail, Config and AWS SSO.]
Best of the Best Practices: Data Protection

10) Encrypt data at rest (with occasional exceptions) (Amazon S3, AWS KMS)
Enabling encryption at rest helps ensure the confidentiality and integrity of data. Consider encrypting everything that is not public.

11) Use server-side encryption with provider managed keys (AWS KMS, Data Encryption Key)
AWS Key Management Service (KMS) is seamlessly integrated with 18 other AWS services. You can use a default master key or select a custom master key, both managed by AWS.

12) Encrypt data in transit (with no exceptions) (Amazon CloudFront, ACM, SSL / TLS / HTTPS)
Encryption of data in transit provides protection from accidental disclosure, verifies the integrity of the data, and can be used to validate the remote connection.

Sources cited for each practice: AWS Best Practices Paper, CIS Foundation Benchmark, CIS Web-Tier Benchmark
Data Protection

[Diagram, step 4: ACM is added for data in transit, and AWS KMS with data encryption keys for the “Website Images” and “Data Backup” buckets, on top of the controls from steps 1 to 3.]
Best Practices

[Diagram: Alice’s complete architecture across two AWS accounts, with AWS SSO, MFA token, IAM, Secrets Manager, CloudWatch, GuardDuty, Inspector, CloudTrail, Config, Security Hub, Shield, CloudFront, WAF, security groups, ACM and KMS data encryption keys.]
Now it’s time to move from the

WHAT
to the

HOW
Three Speeds

Crawl, Walk, Run

Three Stages

Zero, Pro, Hero

Click, Script, Commit
Three Stages of Cloud Security Maturity

Stage One “Click”: Manual Best Practices; Static Workloads; Release 1x per month
Stage Two “Script”: Automated Controls; Evolving Workloads; Release 1-10x per month
Stage Three “Commit”: Continuous Security; Agile Workloads; Release 10-100x per month

… DevSecOps?
Tools and Automation

Amazon Inspector
An automated security assessment service that helps improve the security and compliance of applications deployed on AWS. Amazon Inspector automatically assesses applications for vulnerabilities or deviations from best practices.

Amazon CloudWatch Events
A monitoring service for AWS cloud resources and the applications you run on AWS. You can easily build workflows that automatically take actions you define, such as invoking an AWS Lambda function, when an event of interest occurs.

AWS Config Rules
A fully managed service that provides you with an AWS resource inventory, configuration history, and configuration change notifications. Config Rules enables you to create rules that automatically check the configuration of AWS resources recorded by AWS Config.

See AWS re:Invent 2018: “Five New Security Automations Using AWS Security Services & Open Source (SEC403)”
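An added example of a Config Rules check, tying the automation above back to practices 10 and 11 (encryption at rest) and to Bill’s “all permissions granted” bucket. It is example code written for this page, not one of AWS’s managed rules; the configuration-item layout is a simplified, constructed approximation of what Config hands a custom rule, and the bucket name and timestamps are made up.

```python
import json

# Custom AWS Config rule logic written as an example for this page (not one of AWS's
# managed rules). It checks an AWS::S3::Bucket configuration item for two practices
# above: default server-side encryption at rest, and no public ACL grants. The item
# shape is a simplified, constructed approximation of what Config hands a custom rule.

PUBLIC_GRANTEES = {"AllUsers", "AuthenticatedUsers"}

def _as_dict(value):
    """Config delivers some supplementary blocks as JSON strings; normalise them."""
    return json.loads(value) if isinstance(value, str) else (value or {})

def evaluate_bucket(ci):
    """Return (compliance_type, annotation) for one S3 bucket configuration item."""
    supp = ci.get("supplementaryConfiguration", {})
    problems = []
    sse = _as_dict(supp.get("ServerSideEncryptionConfiguration"))
    if not any(r.get("applyServerSideEncryptionByDefault") for r in sse.get("rules", [])):
        problems.append("no default server-side encryption")
    for grant in _as_dict(supp.get("AccessControlList")).get("grantList", []):
        grantee = grant.get("grantee")  # a string for public groups, a dict for accounts
        if isinstance(grantee, str) and grantee in PUBLIC_GRANTEES:
            problems.append(f"ACL grants {grant.get('permission')} to {grantee}")
    if problems:
        return "NON_COMPLIANT", "; ".join(problems)
    return "COMPLIANT", "default encryption enabled and no public ACL grants"

def make_event(ci):
    """Shape of the event Config sends to a custom rule (resultToken is a placeholder)."""
    return {"invokingEvent": json.dumps({"configurationItem": ci}), "resultToken": "placeholder"}

def lambda_handler(event, context=None):
    """Custom-rule entry point; a deployed rule would hand the result to put_evaluations()."""
    ci = json.loads(event["invokingEvent"])["configurationItem"]
    if ci["resourceType"] == "AWS::S3::Bucket":
        compliance, annotation = evaluate_bucket(ci)
    else:
        compliance, annotation = "NOT_APPLICABLE", "rule only evaluates S3 buckets"
    return {"ComplianceResourceType": ci["resourceType"], "ComplianceResourceId": ci["resourceId"],
            "ComplianceType": compliance, "Annotation": annotation,
            "OrderingTimestamp": ci["configurationItemCaptureTime"]}

# Constructed configuration item for Bill's "Data Backup" bucket: unencrypted and world-readable.
BILL_BACKUP_CI = {
    "resourceType": "AWS::S3::Bucket", "resourceId": "data-backup",
    "configurationItemCaptureTime": "2019-05-01T10:02:00.000Z",
    "supplementaryConfiguration": {"AccessControlList": json.dumps(
        {"grantList": [{"grantee": "AllUsers", "permission": "Read"}]})}}
```

Run against Bill’s bucket the rule reports NON_COMPLIANT with both problems in the annotation; a bucket with default KMS encryption and only account-owner grants reports COMPLIANT.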
Resources

AWS Security Pillar, Well Architected Framework: http://bit.ly/WellArchSec
CIS AWS Security Foundations Benchmark: http://bit.ly/AWSCIS
CIS AWS Three-Tier Web Architecture Benchmark: http://bit.ly/AWSCIS3T

https://aws.amazon.com/summits/sydney/on-demand/Tracks/secure/
Thank you!
