AWS Security Best Practices

Know the AWS Shared Responsibility Model

assets:

• Facilities

• Physical security of hardware

• Network infrastructure

• Virtualization infrastructure

assets of EC2:

• Amazon Machine Images (AMIs)

• Operating systems

• Applications

• Data in transit

• Data at rest

• Data stores

• Credentials

• Policies and configuration

three main categories of AWS service

Infrastructure Services: This category includes compute services, such as Amazon EC2, and related services, such as Amazon Elastic Block Store (Amazon EBS), Auto Scaling, and Amazon Virtual Private Cloud (Amazon VPC). With these services, you can architect and builda cloud infrastructure using technologies similar to and largely compatible with on-premises solutions. You control the operating system, and you configure and operate any identity management system that provides access to the user layer of the virtualization stack.

Container Services: Services in this category typically run onseparate Amazon EC2 or other infrastructure instances, but sometimes you don’t manage the operating system or the platform layer. AWS provides managed service for these application “containers”. You are responsible for setting up and managing network controls, such as firewall rules, and for managing platform-level identity and access management separately from IAM. Examples of container services include Amazon Relational Database Services (Amazon RDS), Amazon Elastic Map Reduce (Amazon EMR) and AWS Elastic Beanstalk

Abstracted Services: This category includes high-level storage, database, and messaging services, such as Amazon Simple Storage Service (Amazon S3), Amazon Glacier, Amazon DynamoDB, Amazon Simple Queuing Service (Amazon SQS), and Amazon Simple Email Service (Amazon SES). These services abstract the platform or management layer on which you can build and operate cloud applications. You access the endpoints of these abstracted services using AWS APIs, and AWS manages the underlying service components or the operating system on which they reside. You share the underlying infrastructure, and abstracted services provide a multi- tenant platform which isolates your data in a secure fashion and provides for powerful integration withIAM

Shared Responsibility Model for Infrastructure Services

Shared Responsibility Model for Container Services

Shared Responsibility Model for Abstracted Services

Manage AWS Accounts, IAM Users, Groups, and Roles

least privilege principle

one company can have multiple account for each users.

one account can have multiple users.

acount strategies:sign-in credentials:

username/password

Multi-factor authentication (MFA)

Access Credential Type:

Access keys

MFA for API calls

IAM temporary role and credential is used to delegate user access in some cases.

Identity Federation (broker auth to AWS Security Token Service (STS))

Managing OS-level Access to Amazon EC2 Instances

cloud-init for linux instance

ec2config for windows instance

Secure Your Data

Protecting Data at Rest on Amazon S3

permissions

versioning

replication

backup

encryption-server side

encryption-client side

Protecting Data at Rest on Amazon EBS

replication

backup

encryption: windows EFS EFS is a extension to the NTFS file system that provides for transparent file and folder encryption, and integrates with Windows and Active Directory key management facilities, and PKI

Windows Bitlocker Windows BitLocker is a volume (or partition, in the case of single drive) encryption solution included in Windows Server 2008 and later operating systems

Encryption: Linux dm- crypt

Encryption: TrueCrypt

Encryption and integrity authentication: SafeNet ProtectV

Protecting Data at Rest on Amazon RDS

using database native encrypt function(mysql, oracle & MSSQL)

Decommission Data and Media Securely

AWS only mark block as deleted, not erase the data, so it maybe recovered. you need to manually erase the data if you want decommise it.

Protect Data in Transit

Managing Application and Administrative Access to AWS Public Cloud Services

https/SSL/TLS/RDP/SSH/database support ssl

Protecting Data in Transit when Managing AWS Services

AWS web console/API all use ssl/tls

Protecting Data in Transit to Amazon S3

https for s3

Protecting Data in Transit to Amazon RDS

mysql&MS SQL use ssl/tls, AWS generate the x.509 cert

orace use native network encryption

Protecting Data in Transit to Amazon DynamoDB

HTTP over SSL/TLS (HTTPS)

Protecting Data in Transit to Amazon EMR

Between Hadoop nodes: no need to secure, use the infrastracture secure mechanism

Between Hadoop Cluster and Amazon S3 : use https

Between Hadoop Cluster and Amazon DynamoDB: use https

User or application access to Hadoop cluster: use ssh to login, ssl/tls for api

Administrative access to Hadoop cluster: use ssh

Secure Your Operating Systems and Applications

Recommendations include:

• Disable root API access keys and secret key

• Restrict access to instances from limited IP ranges using Security Groups

• Password protect the .pem file on usermachines

• Delete keys from the authorized_keys file on your instanceswhen someone leaves your organization or no longer requires access

• Rotate credentials (DB, Access Keys)

• Regularly run least privilege checks using IAM user Access Advisor and IAM user Last Used Access Keys

• Use bastion hosts to enforce control and visibility

Creating Custom AMIs security guide:

Disable insecure applications

Disable services and protocols that authenticate users in clear text over the network, or otherwise insecurely.

Minimize exposure

Disable non-essential network services on startup. Only administrative services (SSH/RDP) and the services required for essential applications should be started.

Protect credentials

Securely delete all AWS credentials from disk and configuration files.

Protect credentials

Securely delete any third-party credentials from disk and configuration files.

Protect credentials

Securely delete all additional certificates or key material from the system.

Protect credentials

Ensure that software installed does not use default internal accounts and passwords.

Use good governance

Ensure that the system does not violate the Amazon Web Services Acceptable Use Policy. Examples of violations include open SMTP relays or proxy servers. For more information, see the Amazon Web Services Acceptable Use Policy–http://aws.amazon.com/aup/.

securing Linux AMIs

Secure services

Configure sshd to allow only public key authentication. Set PubkeyAuthentication to Yes and PasswordAuthentication to No in sshd_config.

Secure services

Generate a unique SSH host key on instance creation. If the AMI uses cloud-init, it will handle this automatically.

Protect credentials

Remove and disable passwords for all user accounts so that they cannot be used to log in and do not have a default password. Run passwd -l <USERNAME> for each account.

Protect credentials

Securely delete all user SSH public and private key pairs.

Protect data

Securely delete all shell history and system log files containing sensitive data.

securing Windows AMIs

Protect credentials

Ensure that all enabled user accounts have new randomly generated passwords upon instance creation. You can configure the EC2 Config Service to do this for the Administrator account upon boot, but you must explicitly do so before bundling the image.

Protect credentials

Ensure that the Guest account is disabled.

Protect data

Clear the Windows event logs.

Protect credentials

Make sure the AMI is not a part of a Windows domain.

Minimizing exposure

Do not enable any file sharing, print spooler, RPC, and other Windows services that are not essential but are enabled by default.

Secure Your Infrastructure

Using Amazon Virtual Private Cloud (VPC)

You can leverage Amazon VPC-IPSec or VPC-AWS Direct Connect to seamlessly integrate on-premises or other hosted infrastructure with your Amazon VPC resources in a secure fashion. With either approach, IPSec connections protect data in transit, while BGP on IPSec or AWS Direct Connect links integrate your Amazon VPC and on-premises routing domains for transparent integration for any application, even applications that don’t support native network security mechanisms.

Using Security Zoning and Network Segmentation

A network segment simply isolates one network from another,

where a security zone creates a group of system components with similar security levels with common controls.

Strengthening Network Security

Best practices for network security in the AWS cloud include the following:

• Always use security groups: They provide stateful firewalls forAmazon EC2 instances at the hypervisor level. You can apply multiple security groups to a single instance, and to a singleENI.

• Augment security groups with Network ACLs: They are stateless but they provide fast and efficient controls. Network ACLs are not instance- specific so they can provide another layer of control in addition to security groups. You can apply separation of duties to ACLs management and security group management.

• Use IPSec or AWS Direct Connect for trusted connections to other sites. Use Virtual Gateway (VGW) where Amazon VPC-based resources require remote network connectivity.

• Protect data in transit to ensure the confidentiality and integrity of data,as well as the identities of the communicating parties.

• For large-scale deployments, design network security in layers. Instead of creating a single layer of network security protection, apply network security at external, DMZ, and internal layers.

• VPC Flow Logs provides further visibility as it enables you to capture information about the IP traffic going to and from network interfaces in your VPC.

Building Threat Protection Layers

Log security

results matching ""

    No results matching ""