Security Best Practices for architecting in AWS

Dave Walker, Specialist Solutions Architect, Security and Compliance
Current AWS Security Recommendations

Slides available via dropbox

Typical AWS Region – Cross region replication available if required

“Everything starts with a threat model”

– STRIDE, DREAD, others…

‘Consider different points of view for risk. Boss, business, auditors and regulation’
See the CIS Amazon Web Services Foundations benchmark (Center for Internet Security).
– Available as a cloud foundation benchmark that can be created automatically from a template.
AWS Enterprise Accelerator Compliance Architecture can be given to auditors to reduce the ‘pain’.
Now supports YAML and JSON.
Pillars of Well-Architected
See training links
– Just start learning; there is no prescribed route through.
Recommendation 1
  • Encrypt data at rest
  • KMS is your friend
NB: an encrypted storage volume is always a ‘full’ copy; no incremental copies are stored.
IAM – Policy enforcement
Explicit deny trumps ANY allow!
TIP
– No YAML in IAM, but JSON can be converted into YAML via a single line of Python at the end of the script.
– Recommend using federation of OAuth groups. IAM is very much like RBAC.
– IAM supports multi-factor authentication and tokens.
– Understanding NotAction
* One has an explicit DENY policy.
Always an AND between statements and an OR between conditions.
IAM is not straightforward, but it is VERY powerful. AWS has created a simulator to allow policies to be debugged ‘safely’.
See top 11 IAM best practice in slides
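The IAM rules in the notes above (explicit deny beats any allow, NotAction, how condition keys and values combine) are easiest to see by running them. The following is an added example, not code from the talk or from AWS: a toy evaluator that models the documented IAM decision logic for a handful of constructed policy documents. Only the StringEquals and Bool operators are modelled, and the policies, principals and context values are made up for the demonstration.

```python
"""Toy IAM policy evaluator (added example, not AWS code).

Models the documented IAM decision logic in miniature:
  * an explicit Deny in any statement beats any Allow;
  * Action / NotAction choose which actions a statement covers;
  * several condition keys in one statement are ANDed, several
    values for one key are ORed.
Only StringEquals and Bool are implemented; policies below are
constructed samples.
"""
import fnmatch
import json


def _matches(patterns, value):
    """IAM-style wildcard match ('s3:Get*', '*') against one value."""
    if isinstance(patterns, str):
        patterns = [patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def _statement_applies(stmt, action, resource):
    """Does the statement's Action/NotAction and Resource cover the request?"""
    if "Action" in stmt:
        if not _matches(stmt["Action"], action):
            return False
    elif "NotAction" in stmt:
        # NotAction covers every action EXCEPT the ones listed
        if _matches(stmt["NotAction"], action):
            return False
    return _matches(stmt.get("Resource", "*"), resource)


def _conditions_hold(stmt, context):
    """Every condition key must hold (AND); any listed value satisfies a key (OR)."""
    for operator, keys in stmt.get("Condition", {}).items():
        for key, wanted in keys.items():
            if isinstance(wanted, str):
                wanted = [wanted]
            actual = context.get(key)
            if operator == "StringEquals":
                ok = actual in wanted
            elif operator == "Bool":
                # a key missing from the request never satisfies a plain Bool test
                ok = actual is not None and str(actual).lower() in [w.lower() for w in wanted]
            else:
                raise ValueError(f"operator {operator} not modelled")
            if not ok:
                return False
    return True


def evaluate(policies, action, resource, context=None):
    """Return 'Allow', 'Deny' (explicit) or 'ImplicitDeny' (nothing matched)."""
    context = context or {}
    decision = "ImplicitDeny"
    for doc in policies:
        for stmt in doc["Statement"]:
            if not _statement_applies(stmt, action, resource):
                continue
            if not _conditions_hold(stmt, context):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"  # explicit deny trumps any allow, so stop here
            decision = "Allow"
    return decision


# Constructed sample policies (IAM documents are JSON, so they are parsed as such).
ALLOW_S3 = json.loads('{"Version": "2012-10-17", "Statement": ['
                      '{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}')

# Deny everything except the calls needed to set up MFA when no MFA is present.
DENY_WITHOUT_MFA = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Deny",
    "NotAction": ["iam:ListVirtualMFADevices", "sts:GetSessionToken"],
    "Resource": "*",
    "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "false"}}
  }]
}""")

# Two condition keys (ANDed); the region key lists two acceptable values (ORed).
REGION_LOCK = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow", "Action": "ec2:StartInstances", "Resource": "*",
    "Condition": {"StringEquals": {
      "aws:RequestedRegion": ["eu-west-1", "eu-west-2"],
      "aws:PrincipalTag/team": "ops"}}
  }]
}""")


def demo():
    """Walk through the three outcomes with the sample policies."""
    mfa = {"aws:MultiFactorAuthPresent": "true"}
    no_mfa = {"aws:MultiFactorAuthPresent": "false"}
    both = [ALLOW_S3, DENY_WITHOUT_MFA]
    return {
        "s3 with mfa": evaluate(both, "s3:GetObject", "arn:aws:s3:::bucket/key", mfa),
        "s3 without mfa": evaluate(both, "s3:GetObject", "arn:aws:s3:::bucket/key", no_mfa),
        "list mfa devices without mfa": evaluate(both, "iam:ListVirtualMFADevices", "*", no_mfa),
        "start in eu-west-2 as ops": evaluate([REGION_LOCK], "ec2:StartInstances", "*",
                                              {"aws:RequestedRegion": "eu-west-2",
                                               "aws:PrincipalTag/team": "ops"}),
        "start in us-east-1 as ops": evaluate([REGION_LOCK], "ec2:StartInstances", "*",
                                              {"aws:RequestedRegion": "us-east-1",
                                               "aws:PrincipalTag/team": "ops"}),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

The third case is the point of NotAction: the deny statement does not cover `iam:ListVirtualMFADevices`, so the request falls through to an implicit deny rather than an explicit one, and a separate allow could still grant it. The real policy simulator applies the same ordering (explicit deny, then allow, then implicit deny) across every attached policy.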

IAM users vs federated users

* possible to use LDAP filtering to link only sub set groups
Recommendation
If roles are used, the STATIC user authentication key is exchanged for a temporary, ephemeral key. This prevents keys leaking in ‘poor’ scripts.
Also, a GitHub ‘AWS key’ scanner is available to intercept git pushes and block any that include keys.
Policies are finite in size (4k) and will hard-limit plans if not careful. Also try to use procedures.
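The key scanner idea above, as an added example that is not the talk's or GitHub's tool: a Python check that walks the added lines of a unified diff, flags anything shaped like an AWS access key ID or secret access key, and reports masked findings with their line number in the new file, which is what a pre-receive or pre-push hook would act on. The diff is constructed; the credential values in it are the placeholder examples AWS uses in its own documentation, not real keys.

```python
"""Pre-push scanner for AWS credentials in a unified diff (added example)."""
import re

# Access key IDs start with a documented prefix (AKIA = long-term user key,
# ASIA = temporary STS key) followed by 16 upper-case alphanumerics.
ACCESS_KEY_RE = re.compile(r"\b(AKIA|ASIA)[0-9A-Z]{16}\b")

# Secret keys are 40 base64-alphabet characters; to keep false positives down
# they are only flagged when assigned to a secret-looking name.
SECRET_KEY_RE = re.compile(
    r"(?i)(aws_?secret_?access_?key|secret)\s*[=:]\s*['\"]?"
    r"([A-Za-z0-9/+]{40})(?![A-Za-z0-9/+])"
)

# "@@ -old,len +new,len @@" gives the first new-file line number of the hunk.
HUNK_RE = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")


def mask(secret):
    """Never re-log the credential itself: keep just enough to locate it."""
    return secret[:4] + "..." + secret[-4:]


def scan_diff(diff_text):
    """Return (new_file_line, kind, masked_value) for each credential in added lines."""
    findings = []
    new_line = 0
    for raw in diff_text.splitlines():
        hunk = HUNK_RE.match(raw)
        if hunk:
            new_line = int(hunk.group(1)) - 1
            continue
        if raw.startswith("+++") or raw.startswith("---"):
            continue  # file headers, not content
        if raw.startswith("-"):
            continue  # removed lines never reach the repository
        new_line += 1  # context (' ') and added ('+') lines both advance the new file
        if not raw.startswith("+"):
            continue
        text = raw[1:]
        for m in ACCESS_KEY_RE.finditer(text):
            findings.append((new_line, "access-key-id", mask(m.group(0))))
        for m in SECRET_KEY_RE.finditer(text):
            findings.append((new_line, "secret-access-key", mask(m.group(2))))
    return findings


def should_block(diff_text):
    """Hook decision: reject the push if anything was found."""
    return bool(scan_diff(diff_text))


# Constructed diff; the key values are the AWS documentation placeholders.
SAMPLE_DIFF = """\
diff --git a/deploy.sh b/deploy.sh
--- a/deploy.sh
+++ b/deploy.sh
@@ -1,3 +1,5 @@
 #!/bin/sh
+export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
+export AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
 aws s3 sync ./site s3://example-bucket
-echo done
+echo "deploy finished"
"""

if __name__ == "__main__":
    for line_no, kind, shown in scan_diff(SAMPLE_DIFF):
        print(f"deploy.sh:{line_no}: {kind} {shown}")
    print("blocked" if should_block(SAMPLE_DIFF) else "clean")
```

Scanning only the `+` lines keeps the hook fast and avoids re-flagging history, but it also means a key that was committed before the hook existed is not caught; that is what the role-based, temporary credentials recommended above are for, since a leaked temporary key expires on its own.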

Single AWS account vs multiple accounts

Multiple accounts are very useful for limiting the scope of environments, i.e. isolating credit card processing environments, or keeping a single bill but breaking it down into cost centres or projects.
Segregation via account-level separation using Service Control Policies. Root is omnipotent on all machines until an SCP is deployed.
Very complicated, but AWS has created “AWS Organizations” to streamline the process and ensure best practice.
Question from the room: “How do we know AWS tools are safe to use when they are early releases?” Lots of information was given about the rigorous testing, including pen testing and mathematical proof where appropriate.
See “How is Org diff from IAM” slide
Amazon QuickSight can be used to analyse logs from AWS security subsystems and create single view.
AWS is working on a new architecture for Account incident response.
All very complicated – automation via infrastructure as code.
PUT CONFIGURATION management under the same control as other software.
AWS OpsWorks is ‘Chef’ under the lid.
See slides on how to deploy this via templates.
Configuration files are just text files and can be automatically scanned for text strings that are not welcome. Beyond the scope of this talk, however.
RECOMMENDATION
Start with security and then add DevOps or it will create a ‘problem’
If it moves, log it! – Make sure the logging environment can scale with the applications as required.
Logs —> Metrics —> alerts —> actions
‘AWS CloudTrail’ – Working to get detection-to-action time to under 2-4 minutes. Offers a single point of monitoring. “There are no virtual desks for hiding virtual servers under…”
Where data retention of log files needs to be long term, problems with privacy can be encountered. Move logs into an archive S3 bucket, then use a Lambda function to star out unique ID data to keep the ICO happy.
VPC Flow Logs. Once security is configured, set policy to drop ‘allows’ from the logs; DENY will then become obvious. In effect, create an IDS. Splunk can be used to create knowledge from the information.
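The two notes above (star out identifiers before long-term archive; drop the accepts so the rejects stand out) are both a few lines of text processing, so here they are together as an added example that is not code from the talk. The first part redacts e-mail addresses, IPv4 addresses and 12-digit account IDs from constructed CloudTrail-style lines, either by starring them out or, when a key is supplied, by replacing them with a keyed pseudonym so archived lines stay correlatable without holding the raw identifier. The second part parses constructed VPC Flow Log lines in the default v2 field order, keeps only REJECT records and aggregates them per source address; the alert thresholds are assumptions.

```python
"""Log redaction for archive plus REJECT-only flow-log summary (added example)."""
import hashlib
import hmac
import re
from collections import defaultdict

# --- part 1: star out (or pseudonymise) identifiers before archiving -------------
# Which of these count as personal data is an organisational decision; the set is
# a single alternation so every identifier is replaced in one pass and a
# replacement is never re-scanned by a later rule.
IDENTIFIER_RE = re.compile(
    r"(?P<email>[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,})"
    r"|(?P<ipv4>\b(?:\d{1,3}\.){3}\d{1,3}\b)"
    r"|(?P<account_id>\b\d{12}\b)"
)


def redact_line(line, key=None):
    """Stars preserve length; a key gives a stable HMAC pseudonym instead."""
    def replace(m):
        value = m.group(0)
        if key is None:
            return "*" * len(value)
        digest = hmac.new(key, value.encode(), hashlib.sha256).hexdigest()
        return "h:" + digest[:12]
    return IDENTIFIER_RE.sub(replace, line)


def redact_archive(lines, key=None):
    return [redact_line(line, key) for line in lines]


# Constructed CloudTrail-style lines (not real events).
LOG_LINES = [
    "2019-09-10T09:12:44Z ConsoleLogin userName=alice@example.com "
    "sourceIPAddress=203.0.113.7 account=123456789012 result=Success",
    "2019-09-10T09:13:02Z AssumeRole userName=deploy-bot "
    "sourceIPAddress=198.51.100.23 account=123456789012 result=Success",
]

# --- part 2: drop ACCEPTs from VPC Flow Logs and summarise the REJECTs ----------
# Default v2 field order of a VPC Flow Log record.
FLOW_FIELDS = ["version", "account_id", "interface_id", "srcaddr", "dstaddr",
               "srcport", "dstport", "protocol", "packets", "bytes",
               "start", "end", "action", "log_status"]
NUMERIC = {"srcport", "dstport", "protocol", "packets", "bytes", "start", "end"}


def parse_flow(line):
    """Return a dict per record; NODATA/SKIPDATA rows carry '-' for most fields."""
    parts = line.split()
    if len(parts) != len(FLOW_FIELDS):
        return None
    rec = dict(zip(FLOW_FIELDS, parts))
    for field in NUMERIC:
        rec[field] = None if rec[field] == "-" else int(rec[field])
    return rec


def rejects_only(log_text):
    """The 'drop allows' filter: keep only records whose action is REJECT."""
    records = (parse_flow(l) for l in log_text.splitlines() if l.strip())
    return [r for r in records if r and r["action"] == "REJECT"]


def summarize(rejects, min_rejects=5, min_ports=3):
    """Per-source reject counts; sources hitting many ports get an alert."""
    per_src = defaultdict(lambda: {"rejects": 0, "ports": set(), "targets": set()})
    for r in rejects:
        s = per_src[r["srcaddr"]]
        s["rejects"] += 1
        s["ports"].add(r["dstport"])
        s["targets"].add(r["dstaddr"])
    alerts = sorted(src for src, s in per_src.items()
                    if s["rejects"] >= min_rejects and len(s["ports"]) >= min_ports)
    return dict(per_src), alerts


# Constructed flow-log sample: one noisy external source, one lone reject,
# two accepted flows and a NODATA row.
SAMPLE_FLOW_LOG = """\
2 123456789012 eni-0a1b2c3d 203.0.113.5 10.0.1.20 44211 22 6 3 180 1568106000 1568106060 REJECT OK
2 123456789012 eni-0a1b2c3d 203.0.113.5 10.0.1.20 44212 23 6 2 120 1568106000 1568106060 REJECT OK
2 123456789012 eni-0a1b2c3d 203.0.113.5 10.0.1.20 44213 3389 6 3 180 1568106000 1568106060 REJECT OK
2 123456789012 eni-0a1b2c3d 203.0.113.5 10.0.1.21 44214 445 6 1 60 1568106000 1568106060 REJECT OK
2 123456789012 eni-0a1b2c3d 203.0.113.5 10.0.1.21 44215 8080 6 1 60 1568106000 1568106060 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.9 10.0.1.20 51000 443 6 1 60 1568106000 1568106060 REJECT OK
2 123456789012 eni-0a1b2c3d 10.0.1.20 10.0.1.30 49000 443 6 40 52000 1568106000 1568106060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 192.0.2.44 10.0.1.20 53211 443 6 12 9000 1568106000 1568106060 ACCEPT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1568106000 1568106060 - NODATA
"""

if __name__ == "__main__":
    for line in redact_archive(LOG_LINES):
        print(line)
    per_src, alerts = summarize(rejects_only(SAMPLE_FLOW_LOG))
    for src in alerts:
        print(f"ALERT {src}: {per_src[src]['rejects']} rejects on ports {sorted(per_src[src]['ports'])}")
```

Starring out is irreversible and breaks correlation between lines, which is usually what a retention policy wants; the keyed pseudonym is the middle ground when the archive still has to answer "was this the same principal?" without storing who it was, and the key must then be protected and rotated like any other secret. The flow-log half shows why the talk calls this "an IDS in effect": once the accepted traffic is gone, a single source rejected on five different ports in one capture window is visible without any further tooling.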
AWS Config rules
A library of about 20 conditions is available from the repository, such as a configuration rule to identify that CloudTrail has been turned off. Spot this and then turn it back on again.
*** RISKs with automation remediation ***
Power to dig big holes fast.
See GitHub for the AWS ‘offline stack’ to test in a lab.
AWS Inspector
Provides information about configuration at multiple points in time. Would report a file system that was changed to ‘world write’ even if it was only for a single millisecond.
Don’t forget the built in AWS reporting tools.
  • AWS Trusted advisor
  • IAM credential reports
