Strengthen Cybersecurity with AWS
Carmela Gambardella, AWS Solutions Architect
© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
What Security Challenges are We Facing?
1. Compliance: ensure your AWS infrastructure meets compliance requirements
2. Multiple formats: dozens of security tools with different data formats
3. Visibility: lack of a single pane of glass across security and compliance tools
4. Prioritizing: large volume of alerts and the need to prioritize
AWS Shared Responsibility Model
Customers are responsible for their security and compliance IN the Cloud:
• Customer content
• Platform, applications, identity & access management
• Operating system, network & firewall configuration
• Client-side data encryption, server-side data encryption, network traffic protection
AWS is responsible for the security OF the Cloud:
• AWS Foundation Services: compute, storage, database, networking
• AWS Global Infrastructure: regions, availability zones, edge locations
Security 101
Diagram: the layer stack (Data, Application, OS, Virtualization, Infrastructure, Physical) shown for four deployment models (On-premises, Infrastructure, Container, Abstract), marking which layers are your responsibility and which are AWS's responsibility.
Improve your security posture with AWS
On-premises:
• Big perimeter
• End-to-end ownership
• Build it all yourself
• Server-centric approach
• De-centralised administration
• Focus on physical assets
• Multiple (manual) processes
On AWS:
• Micro-perimeters
• Own just enough
• Focus on your core values
• Service-centric approach
• Central control plane (API)
• Focus on protecting data
• Everything is automated
Security Assurance
On-premises:
• Start with bare concrete
• Periodic checks
• Workload-specific compliance checks
• Must keep pace and invest in security innovation
• Heterogeneous governance processes and tools
• Typically reactive
On AWS:
• Start on accredited services
• Continuous monitoring
• Compliance approach based on all workload scenarios
• Security innovation drives broad compliance
• Integrated governance processes and tools
• Focus on prevention
Attacker Tactics for Initial Compromise
• Unpatched vulnerabilities
• Security misconfigurations
• Weak, leaked, stolen passwords
• Social engineering
• Insider threat
AWS services and guidance shown against these tactics: AWS Systems Manager, Amazon Inspector, Amazon GuardDuty, AWS Secrets Manager, AWS CloudTrail, AWS Marketplace, and AWS guidance.
Reference: https://aws.amazon.com/blogs/publicsector/the-five-ways-organizations-initially-get-compromised-and-tools-to-protect-yourself/
Advantages of the API
• Authoritative: the interface to, and between, AWS services
• Auditable: always know what, and who, is doing what
• Secure: verified integrity, authenticated, no covert channels
• Fast: can be read and manipulated in sub-second time
• Precise: defines the state of all infrastructure and services
• Evolving: continuously improving
• Uniform: provides consistency across disparate components
• Automatable: enables some really cool capabilities
AWS Logical Separation
• Virtual Private Cloud (VPC): not possible for information to pass between multiple tenants without specifically being authorized by both transmitting and receiving customers
• Virtualization: Nitro hypervisor; Firecracker; dedicated instances, dedicated hosts, and bare metal
• Encryption & key management, encrypting data at rest and in transit: built-in encryption (examples: Amazon S3, Amazon EBS); Key Management Service (KMS); CloudHSM
Reference: https://d1.awsstatic.com/whitepapers/compliance/AWS_Logical_Separation_Handbook.pdf
AWS Security Services Overview
• Identify: AWS Systems Manager, Amazon Inspector, AWS Config
• Protect: Amazon VPC, AWS IoT Device Defender, AWS Identity and Access Management (IAM), AWS Key Management Service, AWS Firewall Manager, AWS Single Sign-On, AWS Secrets Manager, AWS Shield, AWS WAF
• Detect: Amazon Macie, Amazon GuardDuty, AWS Security Hub
• Respond: automate with AWS Lambda; investigate with Amazon CloudWatch and AWS CloudTrail
• Recover: snapshot, archive
AWS ML powered Security Services
Amazon Macie: content classification
• PII and personal data
• Source code
• SSL certificates, private keys
• iOS and Android app signing keys
• Database backups
• OAuth and cloud SaaS API keys
Amazon GuardDuty: threat detection
• VPC Flow Log analysis
• Unusual API calls
• Potentially unauthorized deployments that indicate a possible account compromise
• Potentially compromised instances or reconnaissance by attackers
VPC Flow Logs
• Agentless
• Enable per ENI, per subnet, or per VPC
• Logged to Amazon CloudWatch Logs
• Create CloudWatch metrics from log data
• Alarm on those metrics
Fields in each record: interface, AWS account, source IP, source port, destination IP, destination port, protocol, packets, bytes, start/end time, accept or reject.
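As an added example (not from the deck or AWS), a small Python parser for default-format VPC Flow Log records and one per-source metric of the kind the slide suggests alarming on: the number of distinct destination ports on which a source address was rejected. The field layout is the default version-2 format; the sample records and the threshold of three ports are constructed assumptions.

```python
# Added example for this deck (not AWS sample code): parse default-format VPC
# Flow Log records and derive a per-source metric worth alarming on.
# Default v2 layout: version account-id interface-id srcaddr dstaddr srcport
# dstport protocol packets bytes start end action log-status.
from collections import defaultdict

FIELDS = ("version", "account", "interface", "srcaddr", "dstaddr", "srcport",
          "dstport", "protocol", "packets", "bytes", "start", "end",
          "action", "status")
INT_FIELDS = ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end")

def parse_record(line):
    """Return a dict for an OK record; None for NODATA/SKIPDATA, whose fields are '-'."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError("unexpected field count: %r" % line)
    rec = dict(zip(FIELDS, parts))
    if rec["status"] != "OK":
        return None
    for name in INT_FIELDS:
        rec[name] = int(rec[name])
    return rec

def rejected_ports_by_source(lines):
    """Map each source address to the distinct destination ports it was rejected on."""
    ports = defaultdict(set)
    for line in lines:
        rec = parse_record(line)
        if rec is not None and rec["action"] == "REJECT":
            ports[rec["srcaddr"]].add(rec["dstport"])
    return ports

def noisy_sources(lines, min_ports=3):
    """Sources rejected on at least min_ports distinct ports; a candidate CloudWatch metric."""
    return sorted(src for src, p in rejected_ports_by_source(lines).items()
                  if len(p) >= min_ports)

# Constructed sample records (documentation account id, RFC 5737 test addresses).
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.5 44321 22 6 3 180 1560000000 1560000060 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.5 44322 23 6 2 120 1560000000 1560000060 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.5 44323 3389 6 2 120 1560000000 1560000060 REJECT OK
2 123456789012 eni-0a1b2c3d 203.0.113.9 10.0.1.5 51000 443 6 20 8800 1560000000 1560000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 203.0.113.9 10.0.1.5 51001 8080 6 1 60 1560000000 1560000060 REJECT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1560000000 1560000060 - NODATA
""".splitlines()
```

Running `noisy_sources(SAMPLE_LOG)` over the constructed records returns only `198.51.100.7`; the NODATA line is skipped rather than miscounted.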
Logging and Audit
Core logging services: Amazon CloudWatch and AWS CloudTrail
Full visibility of your AWS environment:
• CloudTrail will record access to API calls and save logs in your S3 buckets, no matter how those API calls were made: who did what, when, and from where (IP address)
• CloudTrail/Config support for many AWS services and growing; includes EC2, EBS, VPC, RDS, IAM and Redshift
• Edge/CDN, WAF, ELB, VPC/Network Flow Logs
• Easily aggregate all log information
• CloudWatch Alarms
Additional logs from external systems and locations: external systems and applications, internal systems and applications, gaming devices, web content, IoT sensors, databases, servers, storage, networking. Logs, logs, and more logs …
Log data analytics
Cyber Data Lake
Diagram: on-premises activities, realtime application and user activities, and AWS security services feed a cyber data lake that serves analytics and machine/deep learning. Services shown: Amazon EMR, Amazon Elasticsearch Service, Amazon Athena, AWS Glue.
Amazon Elasticsearch: Analyzing Log Data
• Application monitoring & root-cause analysis
• Security Information and Event Management (SIEM)
• IoT & mobile
• Business & clickstream analytics
Elasticsearch VPC flow logs analysis (screenshot)
AWS Security Hub Overview
AWS Security Hub Benefits
• Managed regional AWS service, set up in minutes, that aggregates findings across AWS accounts
• Manage security and compliance findings in a single location, increasing efficiency of locating relevant data
• Create custom insights to track issues unique to your environment
AWS Security Hub workflow
1. Enable AWS Security Hub for all your accounts (Account 1, Account 2, Account 3, …).
2. Continuously aggregate and prioritize findings.
3. Conduct automated compliance scans and checks.
4. Take action based on findings.
Compliance Standards
• Based on the CIS AWS Foundations Benchmark
• Findings are displayed on the main dashboard for quick access
• Best practices information is provided to help mitigate issues
AWS Security Hub insights
Security findings that are correlated and grouped for prioritization
• More than 20 pre-built insights provided by AWS and AWS partners
• Ability to create your own insights
• Dashboard provides visibility into the top security findings
• Additional details for each finding are available for review
Example insights: EC2 instances that have missing security patches; S3 buckets with stored credentials; S3 buckets with public read and write permissions.
AWS Security Finding Format
~100 JSON-formatted fields
Finding types:
• Sensitive Data Identifications
• Software and Configuration Checks
• Unusual Behaviors
• Tactics, Techniques, and Procedures (TTPs)
• Effects
Automated compliance checks: 43 fully automated, nearly continuous checks
Insights help identify resources that require attention
Use Case: Alert Triage
Security findings are published as custom events from AWS Security Hub to Amazon CloudWatch Events. A CloudWatch Events rule routes them by status: Yellow findings invoke AWS Lambda functions (Function 1, Function 2, …) for customizable response and remediation actions; Red findings notify the SecOps team with Amazon SNS (Simple Notification Service).
Use Case: Compliance Scans
1. An ACL configuration change on an Amazon Simple Storage Service (S3) bucket is discovered by Security Hub: bucket set to public.
2. Security Hub invokes an AWS Lambda function.
3. The Lambda function sets the bucket ACL back to private.
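One way to implement the two use cases above in a single Lambda handler, as an added example rather than AWS's own code: findings arrive through a CloudWatch Events rule as event["detail"]["findings"] in the AWS Security Finding Format, high-severity findings go to an SNS topic, and a public-bucket finding is remediated by resetting the ACL to private. The severity threshold, the SNS topic ARN placeholder, and recognising the public-bucket check from the finding's title and types are assumptions.

```python
# Added example for this deck (not AWS sample code): Security Hub findings
# delivered via a CloudWatch Events rule are triaged in one Lambda handler.
# Assumptions: ASFF Severity.Normalized (0-100) with threshold 70; the topic
# ARN is a placeholder; the public-bucket check is recognised by title/type text.
import json
import os

HIGH_SEVERITY = 70
TOPIC_ARN = os.environ.get("TOPIC_ARN", "arn:aws:sns:REGION:ACCOUNT_ID:secops-alerts")  # placeholder

def bucket_from_finding(finding):
    """Return the bucket name when the finding's resource is an S3 bucket, else None."""
    for res in finding.get("Resources", []):
        if res.get("Type") == "AwsS3Bucket" and res.get("Id", "").startswith("arn:aws:s3:::"):
            return res["Id"][len("arn:aws:s3:::"):]
    return None

def is_public_acl_finding(finding):
    """Match findings whose title or types report a publicly accessible bucket."""
    text = (finding.get("Title", "") + " " + " ".join(finding.get("Types", []))).lower()
    return "public" in text and bucket_from_finding(finding) is not None

def triage(event, s3=None, sns=None):
    """Process each finding; returns the actions taken so callers and tests can check them."""
    if s3 is None or sns is None:
        import boto3  # imported lazily so tests can inject fake clients
        s3 = s3 or boto3.client("s3")
        sns = sns or boto3.client("sns")
    actions = []
    for finding in event.get("detail", {}).get("findings", []):
        severity = finding.get("Severity", {}).get("Normalized", 0)
        if is_public_acl_finding(finding):
            bucket = bucket_from_finding(finding)
            s3.put_bucket_acl(Bucket=bucket, ACL="private")  # compliance-scan use case, step 3
            actions.append(("remediate", bucket))
        if severity >= HIGH_SEVERITY:  # "red" findings go to the SecOps topic
            sns.publish(TopicArn=TOPIC_ARN, Subject="Security Hub finding",
                        Message=json.dumps({"Title": finding.get("Title"), "Severity": severity}))
            actions.append(("notify", finding.get("Id")))
    return actions

def lambda_handler(event, context):
    return triage(event)
```

The Lambda execution role needs s3:PutBucketAcl on the buckets it remediates and sns:Publish on the topic, and nothing broader.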
Key takeaways
Thanks! cgambard@amazon.it