AWS BEST PRACTICES Module 3: Security in AWS July 2017
AWS Best Practices Training Program
Basic Approaches: Course overview; Basic infrastructure requirements; Reliability and Performance overview; Costs optimization overview; Monitoring tools overview; Useful tools overview
Security in AWS (this module): Basic security principles and tools; Security Services overview; Access management; Network security; Data encryption and protection
Costs Optimization: The “Minimum Principle” and Auto Scaling; Serverless architectures; Container-based architectures; Resources review and optimization; Using Reserved Instances; Using Spot Instances
Performance Optimization: AWS Service Limits; Components selection and review; Backup; Components failure withstanding
Security in AWS: Basic Approaches
Basic Security Principles and Tools
Security is built on three main principles that must be followed in any cloud infrastructure. Find more at: https://d0.awsstatic.com/whitepapers/compliance/AWS_Auditing_Security_Checklist.pdf
Responsibilities of Sides
EPAM Cloud side:
- Provide Cloud Computing and related services and tools
- Provide Cloud access to users according to their permissions
- Provide information on infrastructure state and costs
- Provide full and comprehensive documentation
- Provide Cloud infrastructure support
User side:
- Manage infrastructure in terms of self-service
- Keep to third-party software licensing rules
- Keep to security policies and EPAM Cloud terms and conditions
- Organize data backup
- Receive and process the information provided by EPAM Cloud Orchestrator and Support teams
Terms and Conditions: EPAM Cloud Terms and Conditions: https://epa.ms/cloud-doc-terms
Security Regulations (EPAM Cloud Security Policy)
Responsible teams:
- Data centers security
- Default images checks
- Default network settings
- Automatic security checks
- Notifying users on detected security issues
- Monitoring for compromised activity
User side:
- Credentials and keys safety
- MFA for AWS IAM users
- Installed custom software
- Fixing detected security issues
- Personal responsibility for VMs exposed to the Internet
EPAM Cloud Security Policy: https://epa.ms/cloud-security
Weekly Security Report
The Weekly Security Report is delivered to project primary contacts (PM/DM) and includes the following sections:
- List of resources marked as vulnerable
- Expiring Service Accounts in EPAM Cloud
- IAM Users Report
- Scan result
- Detailed AWS Security Groups Issues (details attached)
Vulnerabilities Management
VM owners, Project Managers, Delivery Managers and Project Coordinators are responsible for resolving issues and vulnerabilities detected on the VMs assigned to their projects. The deadline for resolution depends on the type and severity of the finding:
Vulnerabilities: Critical: 30 days; High: 60 days; Medium: 60 days
Issues: Critical: 7 days; High: 10 days; Medium: 10 days
AWS Security Services
Security Services in AWS: Brief Overview
- IAM enables you to securely control access to AWS services and resources for your users.
- KMS makes it easy for you to create and control the encryption keys used to encrypt your data, and uses Hardware Security Modules (HSMs) to protect the security of your keys.
- CloudHSM helps you control the encryption keys and cryptographic operations performed by the Hardware Security Module.
- With CloudTrail, you can log, continuously monitor, and retain events related to API calls across your AWS infrastructure.
- AWS Config enables you to assess, audit, and evaluate the configurations of your AWS resources.
Security Services in AWS: AWS Inspector Amazon Inspector is an automated security assessment service that helps improve the security and compliance of applications deployed on AWS.
AWS Config Service AWS Config is a service that enables you to assess, audit, and evaluate the configurations of your AWS resources.
Monitoring and Logging
Logging tools: AWS CloudTrail (+SNS), S3 logs, Elastic Load Balancing logs, Amazon CloudFront logs, Amazon CloudWatch Logs (+SNS), Amazon CloudWatch Events
Log storage: Amazon S3, Amazon Glacier, Amazon CloudWatch Logs, Amazon EBS, Amazon EFS
See more at: https://d0.awsstatic.com/whitepapers/aws-security-at-scale-logging-in-aws.pdf
Access Management In AWS
IAM Users Access
AWS Identity and Access Management (IAM) lets you define access rules and permissions for specific users and applications:
- Set up permissions for users and applications
- Create user groups for common rules assignment
- CloudTrail lets you monitor access
- Identity federation: allow users to log in with their company credentials
- Temporary security credentials, obtained by calling AWS STS APIs such as AssumeRole or GetFederationToken
IAM Users Access: Options and Terms
- IAM policy: a document that defines the effect, actions, resources, and optional conditions
- IAM role: an identity with permission policies, which users can be assigned to (assume)
- IAM group: a group of users to which common policies can be attached
Best practices:
- Minimize the use of the root account
- Create individual users with least privileges
- Use MFA
- Use AWS-defined policies
- Use groups
- Use access levels to review IAM permissions
- Use roles for applications that run on EC2 instances
- Rotate credentials
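A small policy review that applies the best practices above (least privilege, access levels, MFA) to IAM policy documents. This is an added example, not EPAM's or AWS's tooling; the two policies are constructed samples and the "Get/List/Describe" read-level heuristic is an assumption that mirrors the console's access-level view.

```python
import json

# Constructed sample policies (not from the page): one over-broad, one scoped to
# read-only S3 actions plus EC2 actions gated by an MFA condition.
BROAD_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"}]})

SCOPED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]},
    {"Effect": "Allow", "Action": "ec2:*", "Resource": "*",
     "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}}]})

READ_PREFIXES = ("Get", "List", "Describe")  # assumed List/Read access-level verbs


def _as_list(value):
    return value if isinstance(value, list) else [value]  # IAM accepts bare strings


def review_policy(policy_json):
    """Return (statement index, finding) pairs for Allow statements that grant
    more than least privilege or leave write-level actions without an MFA gate."""
    findings = []
    for idx, stmt in enumerate(_as_list(json.loads(policy_json)["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        mfa_gated = "aws:MultiFactorAuthPresent" in json.dumps(stmt.get("Condition", {}))
        if "NotAction" in stmt:
            findings.append((idx, "NotAction allows everything not listed; use an explicit Action list"))
        for action in actions:
            if action == "*":
                findings.append((idx, "full administrative access (Action *)"))
            elif action.endswith(":*"):
                findings.append((idx, f"every action of the {action.split(':')[0]} service"))
        # Anything beyond List/Read is treated as write- or permissions-level
        writes = [a for a in actions if a == "*" or not a.split(":")[-1].startswith(READ_PREFIXES)]
        if writes and "*" in resources:
            findings.append((idx, "write-level actions on every resource (Resource *)"))
        if writes and not mfa_gated:
            findings.append((idx, "write-level actions not gated by an MFA condition (user/group policies)"))
    return findings
```

The MFA check only makes sense for policies attached to users or groups; role policies for EC2 instances cannot carry an MFA condition.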
IAM Users Access: EPAM SSO
Role name and permissions:
- BasicReadOnly: read-only access to EC2, S3, RDS, DynamoDB, Lambda
- FullReadOnly: read-only access to all services
- BasicUser: full access to EC2, S3, RDS, DynamoDB, Lambda, but without permissions to create IAM users, manage IAM roles or manage security groups
- AdminUser: full access to all services, but without permissions to create IAM users, manage IAM roles or manage security groups
Using temporary access (or2awsmc)
Requesting an IAM user for extra permissions
Assigning IAM Roles to EC2 Instances
Assigning a role to an instance lets you specify the actions that code on that instance may perform against other AWS services, without passing credentials through your application.
AWS Network Security
Network Security: General Best Practices
- Using DMZs
- Isolating resources with subnets, firewalls, and routing tables
- Securing DNS configurations
- Limiting inbound/outbound traffic
- Securing against accidental exposures
Network Security: VPC in EPAM Linked Accounts
A VPC is a virtual network dedicated to your AWS account and logically isolated from other virtual networks. By default, all EPAM VMs in AWS are created in VPCs dedicated to their accounts. To establish a connection from AWS to infrastructure in the EPAM network, submit a request to HelpDesk to get a VPN set up.
Network Security: Default Settings
Default security groups and the regions they cover:
- epam-world: US, Canada, Kazakhstan, China, India, Armenia
- epam-europe: offices in Europe
- epam-by-ru: offices in Russia and Belarus
- Customer: customers and custom IPs
All AWS instances are subject to Nessus security scanning, triggered by Orchestrator on a regular schedule or whenever one of the following threatening events is detected:
- An AWS security group includes an IP which does not belong to the list of EPAM addresses
- A security group includes the 0.0.0.0/0 range (open to the whole Internet)
- A security group change is detected before a scheduled execution
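The three scan triggers above, implemented as an offline check over security group data. This is an added example, not Orchestrator's code: the allowed ranges are documentation prefixes standing in for the EPAM address list, and the group records are constructed in the shape of `aws ec2 describe-security-groups` output.

```python
import ipaddress

# Constructed sample of permitted source ranges (documentation prefixes standing in
# for the real EPAM office address list, which this page does not reproduce).
ALLOWED_CIDRS = ["203.0.113.0/24", "198.51.100.0/24"]

# Constructed sample shaped like `aws ec2 describe-security-groups` output.
SAMPLE_GROUPS = [
    {"GroupId": "sg-0a1b2c3d", "GroupName": "epam-world", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}]}]},
    {"GroupId": "sg-0e4f5a6b", "GroupName": "customer", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [{"CidrIp": "192.0.2.10/32"}]}]},
]


def find_risky_rules(groups, allowed_cidrs):
    """One finding per inbound IPv4 rule that matches a scan trigger: the rule is
    open to the world, or its source lies outside the allowed address list."""
    allowed = [ipaddress.ip_network(c) for c in allowed_cidrs]
    findings = []
    for group in groups:
        for perm in group.get("IpPermissions", []):
            for ip_range in perm.get("IpRanges", []):
                net = ipaddress.ip_network(ip_range["CidrIp"])
                if net.prefixlen == 0:
                    reason = "open to the world (0.0.0.0/0)"
                elif not any(a.version == net.version and net.subnet_of(a) for a in allowed):
                    reason = "source outside the allowed address list"
                else:
                    continue  # within policy
                findings.append({"group": group["GroupId"], "name": group["GroupName"],
                                 "protocol": perm["IpProtocol"],
                                 "ports": (perm.get("FromPort"), perm.get("ToPort")),
                                 "cidr": ip_range["CidrIp"], "reason": reason})
    return findings


def rules_changed(before, after):
    """Third trigger: report whether any inbound rule differs between two snapshots."""
    def flatten(groups):
        return {(g["GroupId"], p["IpProtocol"], p.get("FromPort"), p.get("ToPort"), r["CidrIp"])
                for g in groups for p in g.get("IpPermissions", []) for r in p.get("IpRanges", [])}
    return flatten(before) != flatten(after)
```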
Data Encryption and protection
Data Protection: Common Tools
- Storage access management
- Data encryption at rest
- Data encryption in transit
- Root volume encryption
- Encryption keys management
Storage Protection: Basic Flows
- Files (objects): add metadata with the file, and set permissions to control access. Supports KMS.
- EBS volumes: access is restricted to the AWS account that created the volume, and to the users created under that AWS account with IAM. Permission to view and access the volume is denied to all other AWS users. Supports KMS.
Encryption: Basic Rules
Server-side encryption on S3 is available with the following options for managing the encryption keys:
- Amazon S3-managed keys (SSE-S3)
- AWS KMS-managed keys (SSE-KMS)
- Customer-provided keys (SSE-C)
Client-side encryption: encrypt data before sending it to Amazon with any method you like, and decrypt it when you read it back. The most common open source tools are Bouncy Castle and OpenSSL.
Encryption at Rest: Key Management Options
- DIY: you use your own KMI (key management infrastructure) to generate, store and manage access to keys, and you control all encryption methods in your applications. The physical location of the KMI and the encryption method can be outside AWS or in an Amazon Elastic Compute Cloud (Amazon EC2) instance you own.
- AWS KMS: AWS controls the encryption method and the entire KMI.
- AWS CloudHSM: you control the encryption method, and store keys in an AWS CloudHSM.
Read more: https://d0.awsstatic.com/whitepapers/aws-securing-data-at-rest-with-encryption.pdf
Encryption: AWS Key Management Service
The service is set up in the IAM user's settings. Key features: fully managed; centralized key management; integrated with AWS services; encryption for all your applications; built-in audit; low cost; secure; compliance.
See more at: https://d0.awsstatic.com/whitepapers/KMS-Cryptographic-Details.pdf
Encryption Keys Control: CloudHSM
The AWS CloudHSM service helps you control the encryption keys and cryptographic operations performed by the Hardware Security Module.
Basic approach (diagram)
Encryption Keys Control: CloudHSM, Separation of Duties
AWS has administrative credentials to the appliance, but these can only be used to manage and maintain the appliance, not to access the HSM partitions on it.
Encryption of the Root Volume
Encrypt your root or boot volumes.
Flow 1, unencrypted free AMI:
1. Create an encrypted copy of your AMI using the CopyImage operation (specify encryption and the KMS key to be used)
2. Run instances from the encrypted AMI copy
Flow 2, unencrypted billable AMI:
1. Create an EC2 instance
2. Create a private AMI using the CreateImage operation
3. Create an encrypted copy of your new AMI
4. Run instances from the encrypted copy
Read more at: https://d0.awsstatic.com/whitepapers/aws-securing-data-at-rest-with-encryption.pdf
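Both flows as one function over the boto3 EC2 client calls that back CopyImage, CreateImage and RunInstances. This is an added example, not the page's or EPAM's code; it assumes `ec2` is a boto3 client (`boto3.client("ec2")`), the AMI id and `alias/example-key` KMS key in the test are placeholders, and `FakeEC2` is a constructed stand-in that records calls so the flow can be exercised without an account.

```python
# Assumption: `ec2` is a boto3 EC2 client (boto3.client("ec2")). FakeEC2 below is a
# constructed stand-in that records the calls so the flow can be exercised offline.
def launch_from_encrypted_ami(ec2, source_image_id, region, kms_key_id, billable=False,
                              instance_type="t2.micro"):
    """Flow 1 (free AMI): copy the AMI with encryption on, then launch from the copy.
    Flow 2 (billable AMI): launch the source first, snapshot it into a private AMI
    with CreateImage, and only then make the encrypted copy."""
    image_to_copy = source_image_id
    if billable:
        started = ec2.run_instances(ImageId=source_image_id, InstanceType=instance_type,
                                    MinCount=1, MaxCount=1)
        instance_id = started["Instances"][0]["InstanceId"]
        image_to_copy = ec2.create_image(InstanceId=instance_id,
                                         Name=f"private-{source_image_id}")["ImageId"]
        ec2.get_waiter("image_available").wait(ImageIds=[image_to_copy])
    # Encrypted=True plus KmsKeyId is what makes the copied root volume encrypted
    encrypted = ec2.copy_image(SourceImageId=image_to_copy, SourceRegion=region,
                               Name=f"encrypted-{image_to_copy}", Encrypted=True,
                               KmsKeyId=kms_key_id)["ImageId"]
    ec2.get_waiter("image_available").wait(ImageIds=[encrypted])
    launched = ec2.run_instances(ImageId=encrypted, InstanceType=instance_type,
                                 MinCount=1, MaxCount=1)
    return {"encrypted_ami": encrypted, "instance": launched["Instances"][0]["InstanceId"]}


class FakeEC2:
    """Constructed offline stand-in: records each call and hands back generated ids."""
    def __init__(self):
        self.calls, self._n = [], 0

    def _new_id(self, prefix):
        self._n += 1
        return f"{prefix}-{self._n:08x}"

    def run_instances(self, **kwargs):
        self.calls.append(("run_instances", kwargs))
        return {"Instances": [{"InstanceId": self._new_id("i")}]}

    def create_image(self, **kwargs):
        self.calls.append(("create_image", kwargs))
        return {"ImageId": self._new_id("ami")}

    def copy_image(self, **kwargs):
        self.calls.append(("copy_image", kwargs))
        return {"ImageId": self._new_id("ami")}

    def get_waiter(self, name):
        self.calls.append(("wait", name))
        return type("Waiter", (), {"wait": lambda self, **kwargs: None})()
```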
Encryption in Transit: Certificates and AWS Certificate Manager
Certificates:
- Establish identity and trust between two parties
- Carry a public key used to encrypt data; the matching private key, held by the certificate owner, decrypts it
- Are issued by a Certificate Authority and normally need manual work to request, install and maintain
AWS Certificate Manager is a service that lets you easily provision, manage, and deploy Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificates for use with AWS services.
Read more: https://d0.awsstatic.com/whitepapers/aws-securing-data-at-rest-with-encryption.pdf
Next Steps
Security Education: Online Course
1. Get a free course on the AWS APN portal (https://partnercentral.awspartner.com/SelfRegisterPartner)
2. Pass an APN course or a certification
3. Submit a certificate
4. Get a badge
5. Get onto the pro-list for further courses
Also: investigate our web site (https://epa.ms/cloud-learn) and watch the Video Portal (https://videoportal.epam.com)
Issues Resolving Flow
Please also feel free to contact the EPAM Cloud Consulting team (SpecialEPM-CSUPConsulting@epam.com)
AWS Enterprise Support
- Access to 24/7 customer support with less than 1 hour response time
- Response to critical events in less than 15 minutes
- Support by Senior Cloud Support Engineers via email, chat and phone in case of critical events
- Unlimited number of cases
- Dedicated Technical Account Manager and Concierge Agent
- Free Infrastructure Event Management Service
- Access to AWS Trusted Advisor and Support API functions
- Regular communication including AWS resource usage reporting, monitoring, recommendations on infrastructure optimization and improvement
- Access to Amazon documentation
Home Work
- Get a free course on the AWS APN portal (https://partnercentral.awspartner.com/SelfRegisterPartner)
- Pass the AWS Security Fundamentals course
Documentation
- Hybrid Cloud Guide (https://epa.ms/hybrid-cloud): the guide providing the details on integration with AWS and Azure
- Terms and Conditions (https://epa.ms/cloud-doc-terms): EPAM Cloud terms and conditions: terms definitions, parties' responsibilities
- Cloud Security Policy (https://epa.ms/cloud-security): EPAM Cloud security policies and approaches
- FAQ (https://epa.ms/cloud-faq): EPAM Cloud frequently asked questions
- Cloud Glossary (https://epa.ms/cloud-glossary)
- Cloud Consulting (https://epa.ms/cloud-consulting): address us if you have any questions!
- What’s New, Release Notes, Video Overview
See the whole documentation set on https://epa.ms/cloud-doc
NEXT: Performance Optimization
Thank you for your attention! Cloud in Yammer: https://epa.ms/cloud-yammer. EPAM Cloud Consulting team: SpecialEPM-CSUPConsulting@epam.com