TRANSCRIPT
AWS Security: A Practitioner’s Perspective
Jason [email protected]
San Francisco AWS Users Group April 17, 2012
Wednesday, April 18, 12
Jason Chan
• Cloud Security Architect @ Netflix
• Previously:
• Most recently led security team at VMware
• Primarily security consulting at @stake, iSEC Partners
• Some presentations at:
• http://www.slideshare.net/netflix
Agenda
• Goals and non-goals
• AWS on one slide
• Netflix in the cloud
• AWS security: Overview
• AWS security: Gotchas
• AWS security: Recommendations
• Takeaways
Non-Goals
• Primer on general cloud security issues
• AWS how-to
• Comprehensive guide to AWS security
• Info on designing for high-availability
AWS Overview
AWS on a Slide
“The cloud lets its users focus on delivering differentiating business value instead of wasting valuable resources on the undifferentiated heavy lifting that makes up most of IT infrastructure.” - Werner Vogels (AWS CTO)
August 25, 2009, ‘All Things Digital’
Netflix in the Cloud
Outgrowing Data Center
Netflix API: Growth in Requests (chart: datacenter capacity vs. API request volume; 37x growth 1/10 - 1/11)
http://techblog.netflix.com/2011/02/redesigning-netflix-api.html
Netflix Deployed on AWS
(diagram: Netflix workloads running on AWS, 2009-2011)
Content: Video Masters, EC2, S3, CDN
Logs: S3, EMR Hadoop, Hive, Business Intelligence
Play: DRM, CDN Routing, Bookmarks, Logging
WWW: Sign-up, Search, Movie Choosing, Ratings
API: Metadata, Device Config, TV Movie Choosing, Social/Facebook
CS: International CS Lookup, Diagnostics and Actions, Customer Call Log, CS Analytics
Timeline: 2009 2009 2010 2010 2010 2011
AWS services used: EC2, S3, SQS, SDB, VPC, ELB, EMR, Route53, IAM, SWF, CloudWatch, EBS, SNS, SES
AWS Security Overview
• Shared Responsibility
• AWS Credentials and Identifiers
• Services, Actions, and Resources
• Controlling Network Traffic
• AWS Security-Related Services
Shared Responsibility
http://aws.amazon.com/security/
(diagram: security controls split between YOU and AWS)
AWS Credentials and Identifiers
Access Credentials
• Access Keys: REST API
• X.509 Certificates: SOAP API, EC2 tools
• Key Pairs: CloudFront, EC2
Sign-In Credentials
• Main Account E-Mail/PW: Console access
• IAM Account Name/PW: Console access
• MFA Token: HW/SW token for additional security
Account Identifiers
• Account ID: 12 digit identifier
• Canonical User ID: Used for S3 permissioning
Resource Identifier
• Amazon Resource Name (ARN): Unique resource identifier, e.g. arn:aws:sns:us-east-1:1234567890123456:mytopic
http://docs.amazonwebservices.com/AWSSecurityCredentials/1.0/AboutAWSCredentials.html
AWS Services, Actions, and Resources
Service | Action                                  | Resource
S3      | Get Object, Delete Bucket               | Bucket, Object
EC2     | Terminate Instances, Associate Address  | Instance, AMI, EBS Volume
AWS policies can be applied to actions and resources. Compatibility is service-dependent.
http://docs.amazonwebservices.com/IAM/latest/UserGuide/Using_SpecificProducts.html
Policies - Example
{
  "Statement": [
    {
      "Action": [ "s3:GetObject" ],
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::testbucket/files/*",
      "Condition": {
        "DateLessThanEquals": { "aws:CurrentTime": "2012-05-31T12:00:00Z" },
        "IpAddress": { "aws:SourceIp": "1.1.1.1" }
      },
      "Principal": { "AWS": [ "123456789012" ] }
    }
  ]
}
Callouts on the slide: Which service? Which actions? Allow or deny? Which resource? Any conditions? (optional) To whom does the policy apply?
http://awspolicygen.s3.amazonaws.com/policygen.html
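As an added illustration that is not part of the slides, the following Python evaluator applies the statement above to a request the way IAM combines its elements: principal, action and resource must all match, every condition must hold, an explicit Deny beats an Allow, and anything unmatched is implicitly denied. Only the two condition operators on the slide are implemented, and the request contexts are constructed; this is a teaching model, not AWS code.

```python
"""Evaluate the slide's S3 bucket policy against sample requests.

Added example: a minimal model of IAM policy evaluation covering the
elements the slide's statement uses. Not AWS code; real IAM supports
many more operators, NotAction/NotResource, and so on.
"""
import fnmatch
import ipaddress
from datetime import datetime, timezone

# The policy from the slide, re-typed as a Python dict.
POLICY = {
    "Statement": [
        {
            "Action": ["s3:GetObject"],
            "Effect": "Allow",
            "Resource": "arn:aws:s3:::testbucket/files/*",
            "Condition": {
                "DateLessThanEquals": {"aws:CurrentTime": "2012-05-31T12:00:00Z"},
                "IpAddress": {"aws:SourceIp": "1.1.1.1"},
            },
            "Principal": {"AWS": ["123456789012"]},
        }
    ]
}


def _as_list(value):
    """Policy elements may be a single string or a list of strings."""
    return value if isinstance(value, list) else [value]


def _parse_time(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def _condition_holds(condition, ctx):
    """All operator/key pairs are AND-ed; a missing context key fails the test."""
    for operator, pairs in condition.items():
        for key, wanted in pairs.items():
            have = ctx.get(key)
            if have is None:
                return False
            if operator == "DateLessThanEquals":
                if _parse_time(have) > _parse_time(wanted):
                    return False
            elif operator == "IpAddress":
                # A bare address such as "1.1.1.1" is treated as a /32.
                nets = [ipaddress.ip_network(w, strict=False) for w in _as_list(wanted)]
                if not any(ipaddress.ip_address(have) in n for n in nets):
                    return False
            else:
                raise ValueError("unsupported condition operator: " + operator)
    return True


def _matches(value, patterns):
    """IAM-style '*' and '?' wildcards; fnmatch's '[...]' never appears in ARNs."""
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def evaluate(policy, principal, action, resource, ctx):
    """Return 'Allow', 'Deny' or 'ImplicitDeny' for one request."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        principals = _as_list(stmt.get("Principal", {}).get("AWS", []))
        if "*" not in principals and principal not in principals:
            continue
        if not _matches(action, stmt["Action"]):
            continue
        if not _matches(resource, stmt["Resource"]):
            continue
        if not _condition_holds(stmt.get("Condition", {}), ctx):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # an explicit deny always wins
        decision = "Allow"
    return decision


if __name__ == "__main__":
    # Constructed request context: a request from 1.1.1.1 before the deadline.
    ctx = {"aws:CurrentTime": "2012-05-01T09:30:00Z", "aws:SourceIp": "1.1.1.1"}
    obj = "arn:aws:s3:::testbucket/files/report.csv"
    print(evaluate(POLICY, "123456789012", "s3:GetObject", obj, ctx))  # Allow
    late = dict(ctx, **{"aws:CurrentTime": "2012-06-01T00:00:00Z"})
    print(evaluate(POLICY, "123456789012", "s3:GetObject", obj, late))  # ImplicitDeny
```

Each of the slide's callouts maps to one check in evaluate(): the service is the prefix of the action, the conditions are evaluated together, and a request that misses any one element falls through to the implicit deny rather than to an error.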
Controlling Network Traffic in AWS
App Server -> DB Server (TCP 3306)
Cisco Configuration:
permit tcp host 1.1.1.1 host 2.2.2.2 eq 3306
AWS Configuration:
ec2-authorize db -P tcp -p 3306 -s app
Security Groups & ACLs
Type               | Stateful | Ingress | Egress | EC2 | VPC | Cross-Account | Dynamic Membership
EC2 Security Group | Y        | Y       | N      | Y   | N   | Y             | N
VPC Security Group | Y        | Y       | Y      | N   | Y   | N             | Y
DB Security Group  | Y        | Y       | N      | Y   | Y   | Y             | Y
VPC Network ACL    | N        | Y       | Y      | N   | Y   | N/A           | N/A
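The "Stateful" column is the one that most often surprises people moving rules from a security group to a VPC network ACL. The following toy packet filter is an added example, not from the slides or from AWS, that models both behaviours for the app-server-to-DB flow on the previous slide; addresses, ports and rule numbers are constructed.

```python
"""Stateful security group vs. stateless network ACL, modelled in Python.

Added example (not from the slides): a toy packet filter showing why a
network ACL needs an explicit outbound rule for the client's ephemeral
ports while a security group does not. Addresses and ports are constructed.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    direction: str    # "in" (towards the instance) or "out" (from the instance)
    remote_ip: str    # the other end of the connection
    proto: str
    local_port: int   # port on the instance
    remote_port: int  # port on the remote host


@dataclass(frozen=True)
class Rule:
    direction: str
    proto: str
    port_lo: int
    port_hi: int
    cidr: str
    action: str = "allow"  # network ACLs also carry explicit "deny" rules

    def matches(self, pkt):
        # An inbound rule's port range is the instance port, an outbound rule's
        # port range is the destination (remote) port.
        port = pkt.local_port if pkt.direction == "in" else pkt.remote_port
        return (self.direction == pkt.direction and self.proto == pkt.proto
                and self.port_lo <= port <= self.port_hi
                and ipaddress.ip_address(pkt.remote_ip) in ipaddress.ip_network(self.cidr))


class SecurityGroup:
    """Stateful: a permitted inbound packet creates a tracked flow and the
    replies are allowed without a rule. EC2 (non-VPC) groups have no egress
    rules, so instance-initiated traffic and its replies are always allowed."""

    def __init__(self, rules):
        self.rules = [r for r in rules if r.direction == "in"]
        self.flows = set()

    def permit(self, pkt):
        flow = (pkt.remote_ip, pkt.proto, pkt.local_port, pkt.remote_port)
        if flow in self.flows:
            return True  # continuation or reply of a tracked flow
        if pkt.direction == "out" or any(r.matches(pkt) for r in self.rules):
            self.flows.add(flow)
            return True
        return False


class NetworkACL:
    """Stateless: every packet in both directions is matched on its own against
    the numbered rules; the lowest-numbered match wins; no match means deny."""

    def __init__(self, numbered_rules):
        self.rules = [r for _, r in sorted(numbered_rules, key=lambda nr: nr[0])]

    def permit(self, pkt):
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.action == "allow"
        return False


# Constructed scenario: the app server 10.0.1.20 opens TCP 3306 to the DB instance.
SYN = Packet("in", "10.0.1.20", "tcp", 3306, 49152)
REPLY = Packet("out", "10.0.1.20", "tcp", 3306, 49152)
DB_RULE = Rule("in", "tcp", 3306, 3306, "10.0.1.0/24")


def security_group_demo():
    """Returns (request allowed, reply allowed) for a security group."""
    sg = SecurityGroup([DB_RULE])
    return sg.permit(SYN), sg.permit(REPLY)


def nacl_demo(add_ephemeral_rule):
    """Returns (request allowed, reply allowed) for a network ACL."""
    rules = [(100, DB_RULE)]
    if add_ephemeral_rule:
        # Without this outbound rule for the client's ephemeral ports the reply is dropped.
        rules.append((110, Rule("out", "tcp", 1024, 65535, "10.0.1.0/24")))
    return NetworkACL(rules).permit(SYN), NetworkACL(rules).permit(REPLY)


if __name__ == "__main__":
    print("security group:", security_group_demo())          # (True, True)
    print("network ACL, inbound rule only:", nacl_demo(False))  # (True, False)
    print("network ACL, with ephemeral rule:", nacl_demo(True))  # (True, True)
```

The same model shows why the two layers complement each other: the ACL's explicit deny rules can block traffic that a security group would admit, at the cost of having to enumerate return-path ports.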
AWS Security-Related Services
• Identity and Access Management (IAM)
• Multi-Factor Authentication (MFA)
• Security Token Service (STS)
• Virtual Private Cloud (VPC)
AWS Security Gotchas
• AWS Limits
• IP Addresses in EC2
• Elastic Load Balancing Security
• S3 Policies and Object Ownership
• AWS Resource Logging
• Delivering Credentials to Instances
AWS Limits
• “Because the cloud is infinite if your requirements are moderate”
• Many AWS services have a variety of limits
• Some of which are easily discoverable
• AWS services also have throttling (i.e. max RPS)
• Beware of self DoS via automation and autoscaling
• NOTE: http://aws.amazon.com/contact-us/ for limit increase requests
• NOTE: Track limits and inspect error messages
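Automation that retries a throttled call immediately is the usual way a fleet ends up doing the "self DoS" the slide warns about. As an added example that is not part of the slides, here is a retry helper with exponential backoff and jitter, exercised against a constructed stand-in for a throttled API call. The error codes "Throttling" and "RequestLimitExceeded" are the ones AWS APIs return for rate limiting; the API double, the instance id and the defaults are assumptions.

```python
"""Back off on throttling errors instead of hammering the API (added example).

Not from the slides: a generic retry helper with capped exponential backoff
and full jitter, run against a constructed stand-in for a throttled call.
"""
import random
import time


class ApiError(Exception):
    """Stand-in for an AWS API error carrying its error code."""

    def __init__(self, code):
        super().__init__(code)
        self.code = code


# Error codes AWS returns when a request is rate limited; anything else is not retried.
RETRYABLE_CODES = {"Throttling", "RequestLimitExceeded"}


def call_with_backoff(fn, max_attempts=6, base=0.2, cap=10.0, sleep=time.sleep, rng=None):
    """Call fn(); on a retryable error wait a random time in [0, min(cap, base*2^n)]
    and try again. Returns (result, attempts). Re-raises after max_attempts or on
    any non-retryable error code, so a misconfiguration is not retried 6 times."""
    rng = rng or random.Random(0)
    for attempt in range(1, max_attempts + 1):
        try:
            return fn(), attempt
        except ApiError as err:
            if err.code not in RETRYABLE_CODES or attempt == max_attempts:
                raise
            sleep(rng.uniform(0, min(cap, base * 2 ** (attempt - 1))))


class FlakyDescribeInstances:
    """Constructed API double: throttles the first `fail_first` calls, then succeeds."""

    def __init__(self, fail_first, code="Throttling"):
        self.calls = 0
        self.fail_first = fail_first
        self.code = code

    def __call__(self):
        self.calls += 1
        if self.calls <= self.fail_first:
            raise ApiError(self.code)
        return ["i-0123abcd"]  # constructed instance id


def demo(fail_first=3):
    """Run the helper against the double without really sleeping."""
    api = FlakyDescribeInstances(fail_first)
    return call_with_backoff(api, sleep=lambda seconds: None)


if __name__ == "__main__":
    print(demo())  # (['i-0123abcd'], 4)
```

Pairing this with a per-process cap on concurrent API calls keeps an autoscaling event from turning every new instance into a synchronized retry storm, which is the failure the slide is pointing at.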
EC2 IP Addresses
• Each instance has two IPs - private and public
# ec2-metadata
...
local-hostname: ip-10-245-134-152.ec2.internal
local-ipv4: 10.245.134.152
...
public-hostname: ec2-72-44-52-70.compute-1.amazonaws.com
public-ipv4: 72.44.52.70
...
EC2 IP Addresses
• Name resolution depends on client location
# ec2-metadata -o
local-ipv4: 10.245.134.152
# dig +short ec2-72-44-52-70.compute-1.amazonaws.com
10.245.134.152
# dig @8.8.4.4 +short ec2-72-44-52-70.compute-1.amazonaws.com
72.44.52.70
EC2 IP Addresses
• Both public and private IPs are dynamic
• Elastic IPs can be used for persistent public IPs
• Within a region, instances use their private IPs
• Across regions & for Internet traffic, the public IP is used
• NOTE: Traffic to the public IP/EIP:
• Incurs regional data transfer costs
• Is less performant in-region
• Does not preserve source security group info
Elastic Load Balancers
• Service availability and traffic balancing across EC2 instances
• Stable DNS for publicly-facing services
• Alias to the ELB DNS CNAME
• SSL termination, session stickiness, etc.
(diagram: Internet -> ELB -> Instance, Instance, Instance)
Elastic Load Balancers
• ELB intercepts and forwards traffic
• Traffic loses source IP
• Client IP is accessible via X-Forwarded-For
• Backend instances must allow traffic from the ELB
• Traffic from ELB == Traffic from Internet
• Without additional (non security group) filtering, ELBs should only be used for public use cases
• NOTE: VPC ELBs can use security groups for limiting access
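Since the client IP survives only in X-Forwarded-For, and a client can put anything it likes in that header before the ELB appends the real address, the instance has to read the header from the trusted end. The following Python is an added example, not part of the slides: it walks the chain right to left, skipping addresses that belong to your own load balancers, and also handles the case the slide highlights where traffic reaches the instance directly rather than through the ELB. The proxy address range and the log lines are constructed.

```python
"""Recover the client address behind an ELB from X-Forwarded-For (added example).

Not from the slides. Shows how to read X-Forwarded-For without trusting the
part of the header the client can write. Proxy ranges and log lines are constructed.
"""
import ipaddress

# Constructed: the address range your load balancers are known to use (for a
# VPC ELB, the subnets it is placed in). Adjust for the real deployment.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]


def client_ip(xff_header, peer_ip, trusted=TRUSTED_PROXIES):
    """Walk the chain from right to left. The peer that delivered the packet is
    authoritative; each trusted proxy vouches for the address to its left. The
    first address not owned by a trusted proxy is the client; anything further
    left was supplied by the client and is ignored. Returns None if the header
    is malformed or every hop is one of our own proxies."""
    hops = [h.strip() for h in (xff_header or "").split(",") if h.strip()]
    for raw in reversed(hops + [peer_ip]):
        try:
            addr = ipaddress.ip_address(raw)
        except ValueError:
            return None  # malformed hop: do not trust the header at all
        if not any(addr in net for net in trusted):
            return str(addr)
    return None


def parse_access_log(lines):
    """Constructed log format: <peer ip> "<X-Forwarded-For>" <request>.
    Returns a list of (client ip, request) pairs."""
    out = []
    for line in lines:
        peer, rest = line.split(" ", 1)
        parts = rest.split('"')
        xff, request = parts[1], parts[2].strip()
        out.append((client_ip(xff, peer), request))
    return out


SAMPLE_LOG = [  # constructed sample entries
    '10.0.3.17 "203.0.113.7" GET /login',              # normal hit through the ELB
    '10.0.3.17 "127.0.0.1, 203.0.113.7" GET /admin',   # client prepended a fake hop
    '198.51.100.4 "10.0.0.1" GET /admin',              # reached the instance directly, not via the ELB
]


if __name__ == "__main__":
    for ip, request in parse_access_log(SAMPLE_LOG):
        print(ip, request)
```

The third sample line is the "Traffic from ELB == Traffic from Internet" case: the peer is not a load balancer, so the header is discarded and the peer address is the client. Any IP-based allow list on the instance should be applied to the value this function returns, not to the raw header.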
S3 Policies and Object Ownership
• S3 bucket similar to container, object similar to a file
• Access control can be applied via bucket policy, bucket ACL, and object ACLs
• NOTE: Objects only inherit bucket-level permissions if written by bucket owner
• Default ACL is “object creator: full control”
• Objects written by non bucket owner are inaccessible by bucket owner
• Use “x-amz-acl” header on write to fix permissions
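The ownership rule above is easy to state and easy to get wrong in practice, so here is an in-memory model of it as an added example (not from the slides and not AWS code). It reproduces the behaviour the slide describes, that an object written by another account carries only the creator's full-control grant and is not reached by the bucket owner's policy, and shows what changes when the writer sends the x-amz-acl header with the bucket-owner-full-control canned ACL. Account ids and keys are constructed.

```python
"""Model of S3 object ownership and the x-amz-acl fix (added example).

Not from the slides or from AWS: an in-memory model reproducing the rule
that objects written by another account default to "creator: FULL_CONTROL"
and do not pick up the bucket owner's permissions, and the effect of
writing with x-amz-acl: bucket-owner-full-control. Account ids are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class S3Object:
    owner: str
    grants: dict = field(default_factory=dict)  # account id -> permission


class Bucket:
    def __init__(self, owner, policy_readers=()):
        self.owner = owner
        # Accounts the bucket policy allows s3:GetObject for (constructed).
        self.policy_readers = set(policy_readers)
        self.objects = {}

    def put_object(self, key, writer, x_amz_acl="private"):
        """x_amz_acl mirrors the canned-ACL request header the slide recommends."""
        obj = S3Object(owner=writer, grants={writer: "FULL_CONTROL"})
        if x_amz_acl == "bucket-owner-full-control":
            obj.grants[self.owner] = "FULL_CONTROL"
        elif x_amz_acl == "bucket-owner-read":
            obj.grants[self.owner] = "READ"
        elif x_amz_acl != "private":
            raise ValueError("unsupported canned ACL: " + x_amz_acl)
        self.objects[key] = obj
        return obj

    def can_read(self, key, account):
        obj = self.objects[key]
        if obj.grants.get(account) in ("READ", "FULL_CONTROL"):
            return True
        # The bucket policy only reaches objects the bucket owner owns.
        return obj.owner == self.owner and account in self.policy_readers


def demo():
    """Constructed scenario: owner 1111..., partner 2222..., policy reader 3333...."""
    bucket = Bucket(owner="111111111111", policy_readers={"333333333333"})
    bucket.put_object("own.log", writer="111111111111")
    bucket.put_object("partner.log", writer="222222222222")
    bucket.put_object("partner-fixed.log", writer="222222222222",
                      x_amz_acl="bucket-owner-full-control")
    return {
        "owner reads own object": bucket.can_read("own.log", "111111111111"),
        "policy reader reads owner's object": bucket.can_read("own.log", "333333333333"),
        "owner reads partner's object": bucket.can_read("partner.log", "111111111111"),
        "policy reader reads partner's object": bucket.can_read("partner.log", "333333333333"),
        "owner reads partner's object written with header":
            bucket.can_read("partner-fixed.log", "111111111111"),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

The check worth automating from this is the third and fourth case: periodically list objects whose owner differs from the bucket owner and flag any without a grant to the owner, since those are the ones neither the bucket policy nor the owner can reach.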
AWS Resource Logging
• AWS APIs and resources are publicly (Internet) accessible
• So, your management interfaces, file store, databases, etc. are publicly addressable
• Preventing access is generally possible through policy configuration
• NOTE: AWS provides no capability for logging or auditing resource access
Delivering Credentials to EC2 Instances
• AWS becomes more valuable when leveraging multiple services (e.g. EC2 + SQS, S3, etc.)
• Access to resources will generally require credentials
• Secure delivery and storage of credentials becomes difficult with scale and automation
• Some ideas:
• http://shlomoswidler.com/2009/08/how-to-keep-your-aws-credentials-on-ec2.html
AWS Security Recommendations
• Systematic Approach to AWS Security
• Shared Responsibility
• AWS Management
• AWS Security Features and Services
• Resource Security
• Operations Security
Systematic Approach to AWS Security
• Understand shared responsibility model
• Management of AWS
• AWS security features and services
• AWS resource security
• Secure AWS operations
Shared Responsibility
• Analyze what each side provides in terms of security controls
• Understand legal/contractual aspects
• Make plans to bridge any gaps
https://wiki.cloudsecurityalliance.org/guidance/index.php/Cloud_Computing_Architectural_Framework
http://www.computer.org/csdl/mags/sp/2011/02/msp2011020050-abs.html
AWS Management
• No longer any reason to not use IAM
• Enable:
• IAM
• MFA (for account and IAM accounts)
• Create groups and assign permissions appropriate for organizational model
• Consider using separate top-level accounts for compartmentalization
AWS Security Features and Services
• Understand security features, limitations, and options of the features you use
• S3 - encryption, MFA delete, versioning
• EC2 - dedicated instances, disabling API termination
• Consider VPC based on use cases and requirements
AWS Resource Security
• Review access requirements for AWS resources
• S3 buckets, SimpleDB domains, SQS queues
• Apply resource policies to control access appropriately
• Use policy conditions to enhance security
• SourceIP, CurrentTime, SecureTransport
Secure AWS Operations
• Understand security group/ACL differences
• Design and implement according to architectural requirements
• Actively manage and monitor accounts and credentials
Other Recommendations
• Tools like boto are useful for security monitoring and analysis
• Keep an eye on:
• http://aws.typepad.com/
• @jeffbarr
• AWS Endpoints: http://docs.amazonwebservices.com/general/latest/gr/rande.html
• EC2 IP Ranges: https://forums.aws.amazon.com/forum.jspa?forumID=30
Takeaways
• AWS provides an array of services that allow you to construct and operate large scale web services in a self-service, pay as you go model
• The cloud operating model requires you to understand the security responsibilities of both provider and consumer
• Understanding AWS’ security features and capabilities and taking a systematic approach to AWS security will help ensure optimized and secure service use
Thanks! Questions?
Backup Slides
Cloud and Platform Engineering
• Engineering Tools: Orchestration, build and deployment
• Cloud Solutions: Monitoring, consulting, Simian Army
• CORE: 24/7 site reliability
• Platform Engineering: Core shared components and libraries
• Security: Application, engineering, and operational
• Cloud Database Engineering: Cassandra, SDB, RDS
• Cloud Performance: Testing, optimization, cost
• Cloud Architecture: Overall design patterns
Netflix PaaS
• Supports all AWS regions and availability zones
• Supports multiple AWS accounts
• One-click deployment and load balancing across three datacenters
• Cross-region and account data replication and archive
• Dynamic and fine-grained security
• Automatic scaling to thousands of instances
• Monitoring for millions of metrics
• Base server and client
• I18n, L10n, geo IP routing
http://www.slideshare.net/netflix
Security Monkey
http://techblog.netflix.com/2011/07/netflix-simian-army.html
• Centralized framework for cloud security monitoring and analysis
• Leverages AWS APIs and common security tools
Security Monkey
• Certificate monitoring
• Security group monitoring
• Exposed instances/applications
• Web application vulnerability scanning
• Upcoming:
• Policy analysis (firewall, user, S3, etc.)
References
• http://www.slideshare.net/netflix
• http://techblog.netflix.com
• https://cloudsecurityalliance.org/