© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Securing Your Customers
Data From Day One
Rob De Feo | 2018
Security by design principles
• Implement a strong identity foundation
• Enable traceability
• Apply security at all layers
• Automate security best practices
• Protect data (in transit and at rest)
• Prepare for security events
https://aws.amazon.com/architecture/well-architected/
Implement a strong identity foundation
Identity and Access Management (IAM)
Ensure only authenticated and authorized users are able to
access resources:
• Define users, groups, services and roles
• Protect AWS credentials
• Use fine-grained authorization/access control
Define access
Users:
• Think carefully
• SAML 2.0 federation (e.g. AD FS)
• Define a management policy
Groups:
• Logically group users
• Apply policies to groups rather than to individual users
Services:
• Least privilege access
• Be granular
Roles:
• Use roles for instances and functions
• Avoid using API keys in code
Protecting AWS credentials
• Create least-privileged IAM users; do not use the root account for day-to-day work
• Enable MFA on the root account
• Consider federation
• Set a password policy
• Require MFA for users and/or for sensitive operations (e.g. S3 delete)
• Avoid storing API keys in source control
• Use temporary credentials via STS
Fine-grained access control
• Establish the least privilege principle
• Define clear responsibilities for users and IAM roles
• Use AWS Organizations to centrally manage access across accounts
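To make the MFA and least-privilege points concrete, here is a small policy evaluator, added as an example rather than anything from the deck or from AWS. It applies IAM's evaluation order (implicit deny, then allow, with an explicit deny always winning) and condition keys to a constructed policy that allows reads and writes on an example bucket but denies s3:DeleteObject without MFA. The bucket name, statement Sids and request contexts are assumptions. It also demonstrates the caveat that bites in practice: a Deny written with the Bool operator on aws:MultiFactorAuthPresent does not fire for callers using long-term access keys, because that key is absent from their request context; BoolIfExists closes the gap.

```python
"""Minimal IAM policy evaluator (added example, not AWS code).

Models the rules that matter for least privilege:
  1. everything is denied unless an Allow statement matches (implicit deny),
  2. an explicit Deny always wins over any Allow,
  3. Condition keys such as aws:MultiFactorAuthPresent gate sensitive actions.
Only the subset of the policy language needed here is implemented: Action and
Resource wildcards plus the Bool, BoolIfExists and StringEquals operators.
"""
import fnmatch
import json

# Constructed policy. The bucket name and Sids are assumptions for the example.
POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ReadWriteCustomerBucket",
      "Effect": "Allow",
      "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
      "Resource": "arn:aws:s3:::example-customer-data/*"
    },
    {
      "Sid": "DenyDeleteWithoutMFA",
      "Effect": "Deny",
      "Action": "s3:DeleteObject",
      "Resource": "arn:aws:s3:::example-customer-data/*",
      "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "false"}}
    }
  ]
}
""")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches_any(value, patterns, fold_case):
    # Action names are case-insensitive in IAM; resource ARNs are not.
    if fold_case:
        value, patterns = value.lower(), [p.lower() for p in patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def _condition_matches(condition, context):
    """True if every operator/key pair in the statement's Condition is satisfied."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            present = key in context
            actual = str(context.get(key)).lower()
            if operator == "Bool":
                # A missing key makes the condition false. aws:MultiFactorAuthPresent is
                # absent when the caller uses long-term access keys, so a Deny written
                # this way silently does not apply to them.
                if not present or actual != str(expected).lower():
                    return False
            elif operator == "BoolIfExists":
                # A missing key counts as a match: this is the form to use in a Deny.
                if present and actual != str(expected).lower():
                    return False
            elif operator == "StringEquals":
                if not present or context[key] not in _as_list(expected):
                    return False
            else:
                raise ValueError("unsupported condition operator: " + operator)
    return True


def evaluate(policy, action, resource, context=None):
    """Return 'Allow' or 'Deny' for one request, following IAM's evaluation order."""
    context = context or {}
    allowed = False
    for stmt in policy["Statement"]:
        if not _matches_any(action, _as_list(stmt["Action"]), fold_case=True):
            continue
        if not _matches_any(resource, _as_list(stmt["Resource"]), fold_case=False):
            continue
        if not _condition_matches(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"            # explicit deny: stop immediately
        allowed = True
    return "Allow" if allowed else "Deny"   # implicit deny unless something allowed it


def harden_mfa_deny(policy):
    """Copy of `policy` whose Deny statements test aws:MultiFactorAuthPresent with BoolIfExists."""
    fixed = json.loads(json.dumps(policy))
    for stmt in fixed["Statement"]:
        cond = stmt.get("Condition", {})
        if stmt["Effect"] == "Deny" and "aws:MultiFactorAuthPresent" in cond.get("Bool", {}):
            value = cond["Bool"].pop("aws:MultiFactorAuthPresent")
            cond.setdefault("BoolIfExists", {})["aws:MultiFactorAuthPresent"] = value
            if not cond["Bool"]:
                del cond["Bool"]
    return fixed


if __name__ == "__main__":
    obj = "arn:aws:s3:::example-customer-data/report.csv"
    for label, ctx in [("MFA session", {"aws:MultiFactorAuthPresent": "true"}),
                       ("console, no MFA", {"aws:MultiFactorAuthPresent": "false"}),
                       ("long-term access key", {})]:
        print(f"{label:22} Bool: {evaluate(POLICY, 's3:DeleteObject', obj, ctx):5} "
              f"BoolIfExists: {evaluate(harden_mfa_deny(POLICY), 's3:DeleteObject', obj, ctx)}")
```

Run it and the third row shows the gap: with the original Deny, a caller using plain access keys can still delete; after harden_mfa_deny the delete is refused for everyone who cannot prove MFA. The same applies to any Deny keyed on a context key that may be absent.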
Resources
AWS IAM - https://aws.amazon.com/iam/
AWS STS - https://docs.aws.amazon.com/STS/latest/APIReference/Welcome.html
AWS Organizations - https://aws.amazon.com/organizations/
Detective controls
Identifying potential security threats early is essential, both for protecting
customers and for legal and compliance assurance. Key areas are:
• Capture and analyze logs
• Integrate auditing controls with notifications and workflow (use your logs)
Capture and analyze logs
Asset management
• Describe assets and instances programmatically
• No dependency on an instance-based agent
API-driven log analysis
• Collect, filter and analyze with ease
• Automatically record API calls with CloudTrail
• Ship instance logs to CloudWatch Logs or Amazon Elasticsearch Service
Use your logs
Don’t just collect and store logs; act on them with CloudWatch Events:
• Trigger notifications
• Automate responses with Lambda
• Integrate events with ticketing systems
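As an example of automating a response from a CloudTrail event (added here; not code from the deck or from AWS), the handler below is shaped like a Lambda function subscribed through a CloudWatch Events rule to EC2 AuthorizeSecurityGroupIngress calls. It flags any rule that opens a port to 0.0.0.0/0 or ::/0, builds the exact RevokeSecurityGroupIngress parameters needed to undo it, and publishes the finding to an SNS topic for the ticketing integration. The sample event is constructed to follow the CloudTrail record layout; the group ID, account, user and topic ARN are assumptions, and the boto3 clients are injected so the logic runs without AWS access.

```python
"""Lambda-style responder for CloudTrail API events (added example, not AWS code).

CloudWatch Events delivers each matching CloudTrail record as the `event` argument.
This handler looks at AuthorizeSecurityGroupIngress calls, flags any permission
that is reachable from the whole internet, and returns a finding that already
contains the parameters for the inverse RevokeSecurityGroupIngress call.
The EC2 and SNS clients are optional so the logic runs offline; in Lambda pass
boto3.client('ec2') and boto3.client('sns').
"""
import json

WORLD = {"0.0.0.0/0", "::/0"}


def open_permissions(request_parameters):
    """Return world-reachable ipPermissions entries, rewritten in the shape Revoke expects."""
    found = []
    for perm in request_parameters.get("ipPermissions", {}).get("items", []):
        v4 = [r["cidrIp"] for r in perm.get("ipRanges", {}).get("items", [])
              if r.get("cidrIp") in WORLD]
        v6 = [r["cidrIpv6"] for r in perm.get("ipv6Ranges", {}).get("items", [])
              if r.get("cidrIpv6") in WORLD]
        if not (v4 or v6):
            continue
        entry = {"IpProtocol": perm["ipProtocol"]}
        if perm.get("fromPort") is not None:      # absent for protocol "-1" (all traffic)
            entry["FromPort"] = perm["fromPort"]
            entry["ToPort"] = perm["toPort"]
        if v4:
            entry["IpRanges"] = [{"CidrIp": c} for c in v4]
        if v6:
            entry["Ipv6Ranges"] = [{"CidrIpv6": c} for c in v6]
        found.append(entry)
    return found


def handler(event, context=None, ec2=None, sns=None, topic_arn=None):
    """Entry point. Returns the finding; revokes and notifies only when clients are supplied."""
    detail = event.get("detail", {})
    if detail.get("eventName") != "AuthorizeSecurityGroupIngress":
        return {"action": "ignored", "eventName": detail.get("eventName")}
    params = detail.get("requestParameters", {})
    bad = open_permissions(params)
    finding = {
        "action": "none",
        "groupId": params.get("groupId"),
        "actor": detail.get("userIdentity", {}).get("arn"),
        "sourceIp": detail.get("sourceIPAddress"),
        "openRules": bad,
    }
    if not bad:
        return finding
    finding["action"] = "revoke"
    if ec2 is not None:
        # Only the offending entries are removed; legitimate rules in the same call survive.
        ec2.revoke_security_group_ingress(GroupId=params["groupId"], IpPermissions=bad)
    if sns is not None and topic_arn:
        sns.publish(TopicArn=topic_arn, Subject="Open ingress rule revoked",
                    Message=json.dumps(finding, indent=2))
    return finding


# Constructed sample in the layout CloudWatch Events uses for CloudTrail records.
SAMPLE_EVENT = {
    "detail-type": "AWS API Call via CloudTrail",
    "source": "aws.ec2",
    "detail": {
        "eventSource": "ec2.amazonaws.com",
        "eventName": "AuthorizeSecurityGroupIngress",
        "sourceIPAddress": "203.0.113.10",
        "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"},
        "requestParameters": {
            "groupId": "sg-0123456789abcdef0",
            "ipPermissions": {"items": [
                {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
                 "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]},
                 "ipv6Ranges": {"items": []}},
                {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443,
                 "ipRanges": {"items": [{"cidrIp": "10.0.0.0/8"}]},
                 "ipv6Ranges": {"items": []}},
            ]},
        },
    },
}

if __name__ == "__main__":
    print(json.dumps(handler(SAMPLE_EVENT), indent=2))
```

The CloudWatch Events rule that feeds this function matches on source aws.ec2, detail-type "AWS API Call via CloudTrail" and detail.eventName AuthorizeSecurityGroupIngress; the function's role needs only ec2:RevokeSecurityGroupIngress and sns:Publish, which keeps the responder itself least-privileged.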
Detect change
• Use native tools such as AWS Config to detect change in your environment
and trigger CloudWatch Events
• Collect output from Amazon Inspector to ensure compliance
• Use Amazon GuardDuty to continuously monitor for and intelligently detect
threats, and take action
Change management
Resources
AWS Config - https://aws.amazon.com/config/
AWS Config Rules - https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html
Amazon Inspector - https://aws.amazon.com/inspector/
Amazon Elasticsearch Service - https://aws.amazon.com/elasticsearch-service/
Amazon CloudWatch Logs - https://aws.amazon.com/cloudwatch/
Amazon Athena - https://aws.amazon.com/athena/
Amazon Glacier - https://aws.amazon.com/glacier/
AWS Lambda - https://aws.amazon.com/lambda/
Apply security at all layers
Defense-in-depth
Infrastructure protection
• Protect network and host level boundaries
• System security config and management
• Enforce service-level protection
Protect network and host level boundaries
VPC considerations:
• Use subnets to separate workloads
• Use NACLs to restrict traffic between subnets
• Give protected (private) subnets route tables with no route to an internet
gateway
• Use security groups that grant access to and from other security groups,
rather than to CIDR ranges
Limit what you run in public subnets:
• Load balancers (ELB, ALB, NLB)
• Bastion hosts
• Avoid, wherever possible, having any system directly reachable
from the internet
External connectivity for management:
• Use VPN gateways to your on-premises systems
• Direct Connect
System security config and management
• OS-based firewalls
• CVE vulnerability scanners
• Virus scanners
• Remove unnecessary tools from the OS
• Remove direct access to machines; use AWS Systems Manager instead
• Amazon Inspector to scan the OS and applications
Enforce service-level protection
• Use least privilege IAM policies
• Use fine-grained controls within policies (specific resource ARNs and conditions)
• Use service-level permissions as well (such as S3 bucket policies)
• Use KMS key policies to separate key administrators from key users
Resources
Amazon VPC – https://aws.amazon.com/vpc/
AWS Direct Connect – https://aws.amazon.com/directconnect/
Amazon Inspector - https://aws.amazon.com/inspector/
Automate security best practices
Ensure best practice
• Template everything (CloudFormation, Terraform, etc.)
• Utilise CI/CD pipelines
• Write custom AWS Config rules for the checks the managed rules do not cover
• Use Amazon Inspector to detect vulnerabilities
• Automate the response to non-compliant infrastructure
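For the custom AWS Config rule bullet, here is a change-triggered rule handler, added as an example and not taken from the deck or from AWS. Config invokes it with the changed resource's configuration item; it decides whether an EBS volume is encrypted, optionally with one required KMS key passed as a rule parameter, and reports the result through put_evaluations. The sample invocation is constructed; the volume ID, key ARN and the exact field names inside the configuration item are assumptions, and the Config client is injected so the decision logic runs offline.

```python
"""Custom AWS Config rule handler (added example, not AWS code).

AWS Config calls the Lambda with event['invokingEvent'] (a JSON string holding
the changed resource's configuration item), event['ruleParameters'] and
event['resultToken']. Rule: every EBS volume must be encrypted and, if the
KmsKeyId rule parameter is set, with that specific customer-managed key.
The Config client is injected; in Lambda pass boto3.client('config').
"""
import json

RULE_RESOURCE_TYPES = {"AWS::EC2::Volume"}
DELETED_STATES = {"ResourceDeleted", "ResourceDeletedNotRecorded"}


def evaluate_volume(configuration, required_key=None):
    """Return (compliance_type, annotation) for one EBS volume configuration."""
    # Field names assumed to mirror DescribeVolumes in lowerCamelCase, as Config records them.
    if not configuration.get("encrypted"):
        return "NON_COMPLIANT", "EBS volume is not encrypted"
    if required_key and configuration.get("kmsKeyId") != required_key:
        return "NON_COMPLIANT", "EBS volume is not encrypted with the required KMS key"
    return "COMPLIANT", "EBS volume is encrypted"


def evaluate_change(event):
    """Build the evaluation for the configuration item in a change-triggered invocation."""
    invoking = json.loads(event["invokingEvent"])
    item = invoking["configurationItem"]
    params = json.loads(event.get("ruleParameters") or "{}")
    evaluation = {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }
    if item["configurationItemStatus"] in DELETED_STATES:
        evaluation["ComplianceType"] = "NOT_APPLICABLE"   # nothing left to fix
    elif item["resourceType"] not in RULE_RESOURCE_TYPES:
        evaluation["ComplianceType"] = "NOT_APPLICABLE"   # rule scoped too widely
    else:
        ctype, note = evaluate_volume(item["configuration"], params.get("KmsKeyId"))
        evaluation["ComplianceType"] = ctype
        evaluation["Annotation"] = note
    return evaluation


def handler(event, context=None, config=None):
    """Lambda entry point: evaluate, then report back to Config with the result token."""
    evaluation = evaluate_change(event)
    if config is not None:
        config.put_evaluations(Evaluations=[evaluation], ResultToken=event["resultToken"])
    return evaluation


def make_event(configuration_item, rule_parameters=None, result_token="example-token"):
    """Assemble an invocation in the shape Config sends (used for the offline sample)."""
    return {
        "invokingEvent": json.dumps({"messageType": "ConfigurationItemChangeNotification",
                                     "configurationItem": configuration_item}),
        "ruleParameters": json.dumps(rule_parameters or {}),
        "resultToken": result_token,
    }


# Constructed configuration item for a newly discovered, unencrypted volume.
SAMPLE_ITEM = {
    "resourceType": "AWS::EC2::Volume",
    "resourceId": "vol-0abc1234def567890",
    "configurationItemStatus": "ResourceDiscovered",
    "configurationItemCaptureTime": "2018-06-01T12:00:00.000Z",
    "configuration": {"volumeId": "vol-0abc1234def567890", "encrypted": False, "kmsKeyId": None},
}
REQUIRED_KEY = "arn:aws:kms:eu-west-1:123456789012:key/11111111-2222-3333-4444-555555555555"
SAMPLE_EVENT = make_event(SAMPLE_ITEM, {"KmsKeyId": REQUIRED_KEY})

if __name__ == "__main__":
    print(json.dumps(handler(SAMPLE_EVENT), indent=2))
```

Pair the rule with a CloudWatch Events rule on the Config compliance-change event to drive the "automate the response" step, for example by opening a ticket or snapshotting and re-creating the volume encrypted; the same NOT_APPLICABLE handling keeps the rule quiet for deletions and for resource types it was not written for.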
Immutable infrastructure
Security as code
Resources
Amazon VPC - https://aws.amazon.com/vpc/
AWS Systems Manager - https://aws.amazon.com/systems-manager/
Amazon Inspector - https://aws.amazon.com/inspector/
AWS CloudFormation - https://aws.amazon.com/cloudformation/
AWS SAM - https://github.com/awslabs/serverless-application-model
AWS CodePipeline - https://aws.amazon.com/codepipeline/
AWS KMS - https://aws.amazon.com/kms/
Terraform - https://www.terraform.io/
Protect data (in transit and at rest)
Data classification
Start off by classifying data based on sensitivity:
• Public data = unencrypted, non-sensitive, available to everyone
• Critical data = encrypted, not directly accessible from the internet, requires
authentication and authorization
Use resource tags to help define the policy:
• “DataClassification=CRITICAL”
• Integrate access with IAM policies (tag-based conditions)
Amazon Macie:
Macie can automatically discover, classify and protect sensitive data using machine
learning
Encrypt your data
Data in transit
AWS service endpoints are HTTPS,
but what about your own traffic?
• VPN connectivity to the VPC
• TLS for application-to-application communication
• Terminate TLS on ELB or CloudFront with certificates from ACM
Data at rest
Inbuilt encryption
• S3: select a KMS key on upload (SSE-KMS), or set default encryption on the bucket
• EBS and RDS: create encrypted volumes and instances; their snapshots are then
encrypted automatically
• DynamoDB: encryption at rest, including backups
Bring your own key
• Encrypt data locally before uploading (client-side encryption)
• SSE-C (server-side encryption with a customer-provided key): AWS uses the key
you send with each request and does not store it, so losing the key means losing
the data
Encryption and tokenization
Tokens allow you to represent sensitive data (such as a credit card number) with a
surrogate value that is useless outside the token store.
Generate and retrieve the protected data from a token store backed by CloudHSM, or
encrypt the data and store it in DynamoDB.
CloudHSM is FIPS 140-2 Level 3 validated and supports PCI DSS compliance
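The classification and tokenization slides fit together in one worked example, added here and not taken from the deck or from AWS. It finds card numbers in a record with the Luhn check (the kind of pattern Macie would surface), derives the DataClassification tag the IAM policy keys on, and replaces each number with a random token whose mapping lives only in a separate vault, so the application's own tables never hold card data. The in-memory TokenVault stands in for a CloudHSM-backed or KMS-encrypted DynamoDB table; the sample records are constructed and the card number is the standard Visa test number, not real data.

```python
"""Classify records for card numbers and tokenize them (added example, not AWS code).

classify()  : scan free text for primary account numbers (PANs) with the Luhn
              check and return the DataClassification tag value to apply.
TokenVault  : in-memory stand-in for the token store. Only the vault ever sees a
              PAN; in production it is a CloudHSM-backed service or a DynamoDB
              table encrypted with a KMS key that application roles cannot use.
scrub()     : replace every PAN in a record with its token before the record is
              written anywhere else. Tokens keep the last four digits, are never
              Luhn-valid, and carry no key material, so they cannot be reversed
              without the vault.
"""
import re
import secrets

PAN_CANDIDATE = re.compile(r"\b(?:\d[ -]?){13,19}\b")


def luhn_ok(digits):
    """Luhn checksum used by card networks; filters out random digit runs."""
    total, parity = 0, len(digits) % 2
    for i, ch in enumerate(digits):
        d = int(ch)
        if i % 2 == parity:          # every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text):
    """Return Luhn-valid PANs found in free text, digits only, in order of appearance."""
    pans = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            pans.append(digits)
    return pans


def classify(text):
    """Tag value for the record: CRITICAL if it contains card data, otherwise PUBLIC."""
    return "CRITICAL" if find_pans(text) else "PUBLIC"


class TokenVault:
    """Holds the token <-> PAN mapping. Constructed stand-in for the real token store."""

    def __init__(self):
        self._by_token = {}
        self._by_pan = {}

    def tokenize(self, pan):
        if pan in self._by_pan:          # same PAN -> same token, so joins still work
            return self._by_pan[pan]
        while True:
            # Keep the last four digits (what receipts and support staff need) and
            # randomise the rest; reject tokens that would pass as a real PAN.
            body = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            if token not in self._by_token and not luhn_ok(token):
                break
        self._by_token[token] = pan
        self._by_pan[pan] = token
        return token

    def detokenize(self, token):
        """Only the payment path, with its own tightly scoped role, should call this."""
        return self._by_token[token]


def scrub(text, vault):
    """Replace every PAN in `text` (spaced or dashed) with its token."""
    for pan in find_pans(text):
        formatted = r"\b" + r"[ -]?".join(pan) + r"\b"
        text = re.sub(formatted, vault.tokenize(pan), text)
    return text


if __name__ == "__main__":
    vault = TokenVault()
    record = "customer 42 paid with 4111 1111 1111 1111, ref 1234567890123"   # constructed
    print(classify(record), "->", classify(scrub(record, vault)))
    print(scrub(record, vault))
```

Note what the last-four convention costs: a token reveals those digits by design, so the token store must still treat the mapping as PCI-scoped data, and the vault's detokenize path is the only place a least-privilege policy should grant access to the PAN.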
Resources
AWS KMS - https://aws.amazon.com/kms/
Amazon Macie - https://aws.amazon.com/macie/
AWS CloudHSM - https://aws.amazon.com/cloudhsm/
Amazon EBS - https://aws.amazon.com/ebs/
s2n - https://github.com/awslabs/s2n
Prepare for security events
Incident response
“Even with a mature preventative and detective solution in
place, you should consider a mitigation plan”
Clean room
• Use tags to quickly determine impact and escalate
• Get the right people on the call, with the access they need
• Use cloud APIs to automate and isolate instances
• CloudFormation: recreate clean or updated environments easily for
production or investigation purposes
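For the "use cloud APIs to automate and isolate instances" bullet, here is a quarantine routine, added as an example rather than the deck's or AWS's own code. It enables termination protection, swaps the instance's security groups for an empty quarantine group, snapshots each attached volume for the investigation and tags everything with the case ID and the original groups so the change is reversible. The EC2 client is injected: RecordingEC2 is a constructed offline stand-in for boto3's client, and the instance, group and volume IDs and the case number are assumptions.

```python
"""Quarantine a compromised EC2 instance through the API (added example, not AWS code).

Order of operations: protect the evidence from deletion, cut network access so the
attacker cannot move further or exfiltrate while you work, snapshot the disks for
the clean-room investigation, and leave a tag trail that lets another responder
undo the isolation. The instance is kept running so memory is not lost.
The EC2 client is injected; in practice pass boto3.client('ec2').
"""
import datetime


def isolate_instance(ec2, instance_id, quarantine_sg, case_id):
    """Isolate one instance and return a summary for the incident ticket."""
    reservations = ec2.describe_instances(InstanceIds=[instance_id])["Reservations"]
    instance = reservations[0]["Instances"][0]
    original_sgs = [sg["GroupId"] for sg in instance.get("SecurityGroups", [])]
    volumes = [bdm["Ebs"]["VolumeId"] for bdm in instance.get("BlockDeviceMappings", [])
               if "Ebs" in bdm]
    stamp = datetime.datetime.now(datetime.timezone.utc).isoformat(timespec="seconds")
    tags = [{"Key": "IncidentCase", "Value": case_id},
            {"Key": "OriginalSecurityGroups", "Value": ",".join(original_sgs)}]

    # 1. Stop anyone, including auto scaling or a cleanup script, from terminating it.
    ec2.modify_instance_attribute(InstanceId=instance_id, DisableApiTermination={"Value": True})
    # 2. Cut network access: the quarantine group has no inbound or outbound rules.
    ec2.modify_instance_attribute(InstanceId=instance_id, Groups=[quarantine_sg])
    # 3. Snapshot every attached volume; the tags tie the copies to the case.
    snapshot_ids = []
    for vol in volumes:
        snap = ec2.create_snapshot(
            VolumeId=vol,
            Description=f"{case_id} forensic copy of {vol} from {instance_id} at {stamp}",
            TagSpecifications=[{"ResourceType": "snapshot", "Tags": tags}],
        )
        snapshot_ids.append(snap["SnapshotId"])
    # 4. Record status and the rollback information on the instance itself.
    ec2.create_tags(Resources=[instance_id], Tags=tags + [{"Key": "Quarantined", "Value": stamp}])
    return {"instance": instance_id, "original_sgs": original_sgs,
            "snapshots": snapshot_ids, "quarantine_sg": quarantine_sg}


class RecordingEC2:
    """Offline stand-in for boto3's EC2 client: records calls and returns canned data."""

    def __init__(self, instance):
        self.instance = instance
        self.calls = []

    def describe_instances(self, **kw):
        self.calls.append(("describe_instances", kw))
        return {"Reservations": [{"Instances": [self.instance]}]}

    def modify_instance_attribute(self, **kw):
        self.calls.append(("modify_instance_attribute", kw))
        return {}

    def create_snapshot(self, **kw):
        self.calls.append(("create_snapshot", kw))
        return {"SnapshotId": "snap-" + kw["VolumeId"][4:]}

    def create_tags(self, **kw):
        self.calls.append(("create_tags", kw))
        return {}


# Constructed instance description in the shape DescribeInstances returns.
SAMPLE_INSTANCE = {
    "InstanceId": "i-0fedcba9876543210",
    "SecurityGroups": [{"GroupId": "sg-0aaa", "GroupName": "web"},
                       {"GroupId": "sg-0bbb", "GroupName": "ssh-from-bastion"}],
    "BlockDeviceMappings": [{"DeviceName": "/dev/xvda", "Ebs": {"VolumeId": "vol-0111"}},
                            {"DeviceName": "/dev/xvdf", "Ebs": {"VolumeId": "vol-0222"}}],
}

if __name__ == "__main__":
    client = RecordingEC2(SAMPLE_INSTANCE)
    print(isolate_instance(client, "i-0fedcba9876543210", "sg-0quarantine", "IR-2018-001"))
    for name, kwargs in client.calls:
        print(name, kwargs)
```

The role that runs this needs ec2:DescribeInstances, ec2:ModifyInstanceAttribute, ec2:CreateSnapshot and ec2:CreateTags and nothing else; the snapshots can then be shared to a separate forensics account, which is where the CloudFormation-built investigation environment from the previous bullet should live.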
Resources
AWS Well-Architected - https://aws.amazon.com/architecture/well-architected/
Security Pillar - https://d1.awsstatic.com/whitepapers/architecture/AWS-Security-Pillar.pdf
Thank You
Rob De Feo
Startup Solutions Architect
@robdefeo
robdefeo@amazon.co.uk
Q&A
AWS Startup Day 2018 | Securing Your Customer Data From Day One