Using AWS Networking and Logging Features to Enhance Security | AWS Public Sector Summit 2016
TRANSCRIPT
![Page 1: Using AWS Networking and Logging Features to Enhance Security | AWS Public Sector Summit 2016](https://reader034.vdocuments.us/reader034/viewer/2022042723/58ed3c321a28ab75358b4585/html5/thumbnails/1.jpg)
© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
June 2016
Using AWS Networking and Logging Features to Enhance Security
Nathan McGuirt, Senior Solutions Architect, AWS
Dave Rogers, Head of Architecture & Security, UK MOJ Digital & Technology
![Page 2: Using AWS Networking and Logging Features to Enhance Security | AWS Public Sector Summit 2016](https://reader034.vdocuments.us/reader034/viewer/2022042723/58ed3c321a28ab75358b4585/html5/thumbnails/2.jpg)
Expectations
![Page 3: Using AWS Networking and Logging Features to Enhance Security | AWS Public Sector Summit 2016](https://reader034.vdocuments.us/reader034/viewer/2022042723/58ed3c321a28ab75358b4585/html5/thumbnails/3.jpg)
Managing traditional networks is hard
• Lack of visibility
• Heavy technical lift
![Page 5: Using AWS Networking and Logging Features to Enhance Security | AWS Public Sector Summit 2016](https://reader034.vdocuments.us/reader034/viewer/2022042723/58ed3c321a28ab75358b4585/html5/thumbnails/5.jpg)
![Page 6: Using AWS Networking and Logging Features to Enhance Security | AWS Public Sector Summit 2016](https://reader034.vdocuments.us/reader034/viewer/2022042723/58ed3c321a28ab75358b4585/html5/thumbnails/6.jpg)
Network enforcement tools
![Page 7: Using AWS Networking and Logging Features to Enhance Security | AWS Public Sector Summit 2016](https://reader034.vdocuments.us/reader034/viewer/2022042723/58ed3c321a28ab75358b4585/html5/thumbnails/7.jpg)
Diagram: two Amazon Virtual Private Clouds (VPC A and VPC B), each with servers on private addresses 192.168.0.3, 192.168.0.4, 192.168.1.3 and 192.168.1.4; the VPC mapping service carries their traffic between physical hosts addressed 10.0.0.2 to 10.0.0.5, so each VPC can use the same private ranges without seeing the other.
![Page 8: Using AWS Networking and Logging Features to Enhance Security | AWS Public Sector Summit 2016](https://reader034.vdocuments.us/reader034/viewer/2022042723/58ed3c321a28ab75358b4585/html5/thumbnails/8.jpg)
Enforcement—security groups
Web Server Security Group
  Allow Inbound HTTP from 0.0.0.0/0
  Allow Inbound HTTPS from 0.0.0.0/0
  Allow Outbound SQL to DB Servers
DB Security Group
  Allow Inbound SQL from Web Servers
AD Member Security Group
  Allow Outbound AD traffic to AD Servers
X TCP 139: no rule allows it, so it is dropped. Security group rules are allow-only; anything not matched by a rule is denied, and a rule can name another security group rather than an address range.
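The evaluator below is an added example, not code from the talk. It models the three security-group behaviours the slide relies on: rules are allow-only with default deny, a rule may reference another group instead of a CIDR, and groups are stateful so only the connection-opening direction is checked. The group ids, instance addresses, the SQL port (1433) and the use of "all protocols" for AD traffic are assumptions, and the default allow-all egress rule is assumed to have been removed, as the slide's Web Server group implies.

```python
"""Security-group semantics from the slide, modelled as a small evaluator.

Added example, not code from the talk. Group ids, instance addresses and the
SQL/AD ports are assumptions. Rules are allow-only and anything not matched is
dropped; a rule may name another security group instead of a CIDR; groups are
stateful, so only the direction that opens the connection is checked.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    protocol: str    # "tcp", "udp" or "-1" for all protocols
    from_port: int
    to_port: int
    source: str      # a CIDR such as "0.0.0.0/0" or another group's id ("sg-...")

    def matches(self, protocol, port, peer_ip, peer_groups):
        if self.protocol != "-1":
            if self.protocol != protocol or not (self.from_port <= port <= self.to_port):
                return False
        if self.source.startswith("sg-"):        # group reference: membership, not address
            return self.source in peer_groups
        return ip_address(peer_ip) in ip_network(self.source)


@dataclass
class SecurityGroup:
    group_id: str
    ingress: list = field(default_factory=list)
    egress: list = field(default_factory=list)


@dataclass
class Instance:
    name: str
    ip: str
    groups: list     # group ids attached; empty means a host outside the VPC


def connection_allowed(src, dst, protocol, port, groups):
    """True if src may open a new connection to dst:port.

    The source's egress rules and the destination's ingress rules must both
    allow it; hosts outside the VPC (no groups) are not subject to either.
    Return packets are not evaluated because security groups are stateful."""
    egress_ok = not src.groups or any(
        r.matches(protocol, port, dst.ip, dst.groups)
        for g in src.groups for r in groups[g].egress)
    ingress_ok = not dst.groups or any(
        r.matches(protocol, port, src.ip, src.groups)
        for g in dst.groups for r in groups[g].ingress)
    return egress_ok and ingress_ok


SQL = 1433   # assumed database port
GROUPS = {   # constructed to mirror the slide
    "sg-web": SecurityGroup("sg-web",
        ingress=[Rule("tcp", 80, 80, "0.0.0.0/0"), Rule("tcp", 443, 443, "0.0.0.0/0")],
        egress=[Rule("tcp", SQL, SQL, "sg-db")]),
    "sg-db": SecurityGroup("sg-db", ingress=[Rule("tcp", SQL, SQL, "sg-web")]),
    "sg-ad-member": SecurityGroup("sg-ad-member", egress=[Rule("-1", 0, 65535, "sg-ad")]),
    "sg-ad": SecurityGroup("sg-ad", ingress=[Rule("-1", 0, 65535, "sg-ad-member")]),
}
WEB = Instance("web", "10.10.1.10", ["sg-web", "sg-ad-member"])
DB = Instance("db", "10.10.2.10", ["sg-db"])
AD = Instance("dc", "10.10.2.20", ["sg-ad"])
CLIENT = Instance("internet-client", "203.0.113.7", [])

if __name__ == "__main__":
    checks = [
        ("client -> web:443", connection_allowed(CLIENT, WEB, "tcp", 443, GROUPS)),
        ("web -> db:SQL", connection_allowed(WEB, DB, "tcp", SQL, GROUPS)),
        ("web -> dc:389", connection_allowed(WEB, AD, "tcp", 389, GROUPS)),
        ("client -> web:139", connection_allowed(CLIENT, WEB, "tcp", 139, GROUPS)),
        ("client -> db:SQL", connection_allowed(CLIENT, DB, "tcp", SQL, GROUPS)),
        ("db -> web:80", connection_allowed(DB, WEB, "tcp", 80, GROUPS)),
    ]
    for label, ok in checks:
        print(f"{label:20s} {'allowed' if ok else 'dropped'}")
```

The last two checks are the ones worth noticing: the Internet client cannot reach the database on the SQL port because the DB group only admits members of the web group, and the database cannot open anything back to the web tier because its group carries no egress rule at all.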
![Page 9: Using AWS Networking and Logging Features to Enhance Security | AWS Public Sector Summit 2016](https://reader034.vdocuments.us/reader034/viewer/2022042723/58ed3c321a28ab75358b4585/html5/thumbnails/9.jpg)
Enforcement—VPC subnet ACLs
Diagram: traffic entering a VPC subnet is checked by the subnet ACL first, then by the security group on the instance.
Subnet ACLs differ from security groups in two ways that matter: they hold both allow and deny rules evaluated in ascending rule-number order (first match wins, anything unmatched is denied), and they are stateless, so the reply half of each connection must be allowed explicitly on the ephemeral ports in the opposite direction.
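The block below is an added example, not from the talk, showing how those two properties play out for a private database subnet. Rule numbers, CIDRs and ports are constructed assumptions.

```python
"""Subnet (network) ACL evaluation for one subnet. Added example, not from the talk.

Shows first-match-by-rule-number ordering and statelessness: every connection
needs its request allowed in one direction and its reply allowed in the other.
Rule numbers, CIDRs and ports are constructed for a private database subnet.
"""
from ipaddress import ip_address, ip_network

# (rule_number, action, protocol, port_from, port_to, cidr); the final "*" deny is implicit.
INBOUND = [
    (90,  "deny",  "tcp", 1433, 1433,  "10.10.1.99/32"),   # one misbehaving web host
    (100, "allow", "tcp", 1433, 1433,  "10.10.1.0/24"),    # SQL from the web subnet
    (110, "deny",  "tcp", 22,   22,    "0.0.0.0/0"),       # no SSH into this subnet
    (120, "allow", "tcp", 1024, 65535, "10.10.0.0/16"),    # replies to connections we opened
]
OUTBOUND = [
    (100, "allow", "tcp", 1024, 65535, "10.10.1.0/24"),    # replies to the web subnet
    (110, "allow", "tcp", 443,  443,   "0.0.0.0/0"),       # patch downloads over HTTPS
]


def acl_decision(rules, protocol, dst_port, peer_ip):
    """First matching rule in number order decides; nothing matched means deny."""
    for number, action, proto, lo, hi, cidr in sorted(rules):
        if proto not in ("-1", protocol):
            continue
        if proto != "-1" and not (lo <= dst_port <= hi):
            continue
        if ip_address(peer_ip) not in ip_network(cidr):
            continue
        return action, number
    return "deny", "*"


def inbound_flow(client_ip, client_port, server_port, protocol="tcp"):
    """A client outside the subnet connects in: request inbound, reply outbound."""
    request = acl_decision(INBOUND, protocol, server_port, client_ip)
    reply = acl_decision(OUTBOUND, protocol, client_port, client_ip)
    return request[0] == "allow" and reply[0] == "allow", request, reply


def outbound_flow(server_port, remote_ip, remote_port, protocol="tcp"):
    """A host in the subnet connects out: request outbound, reply inbound."""
    request = acl_decision(OUTBOUND, protocol, remote_port, remote_ip)
    reply = acl_decision(INBOUND, protocol, server_port, remote_ip)
    return request[0] == "allow" and reply[0] == "allow", request, reply


if __name__ == "__main__":
    print(inbound_flow("10.10.1.10", 50000, 1433))   # (True, ('allow', 100), ('allow', 100))
    print(inbound_flow("10.10.1.99", 50000, 1433))   # rule 90 wins before 100: denied
    print(inbound_flow("10.10.1.10", 50000, 22))     # rule 110 denies SSH
    # Outbound HTTPS is allowed by rule 110, but the reply from the Internet matches
    # no inbound rule (120 only covers 10.10.0.0/16), so the connection never completes.
    print(outbound_flow(51000, "203.0.113.50", 443))  # (False, ('allow', 110), ('deny', '*'))
```

The last case is the classic stateless mistake: the outbound rule looks right, yet the subnet cannot download patches until an inbound allow for ephemeral ports from the remote range is added. Had the host-specific deny been numbered 105 instead of 90, rule 100 would have matched first and the deny would never take effect.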
![Page 10: Using AWS Networking and Logging Features to Enhance Security | AWS Public Sector Summit 2016](https://reader034.vdocuments.us/reader034/viewer/2022042723/58ed3c321a28ab75358b4585/html5/thumbnails/10.jpg)
Enforcement—VPC route tables
Diagram: a VPC subnet whose route table carries a 0.0.0.0/0 route can reach the Internet; subnets whose route tables hold local routes only have the 0.0.0.0/0 route crossed out (X) and cannot.
![Page 11: Using AWS Networking and Logging Features to Enhance Security | AWS Public Sector Summit 2016](https://reader034.vdocuments.us/reader034/viewer/2022042723/58ed3c321a28ab75358b4585/html5/thumbnails/11.jpg)
Enforcement: AWS WAF (Web Application Firewall)
Diagram: admins define rules in the AWS Management Console and developers through the AWS API; AWS WAF deploys the protection in front of a web app served through Amazon CloudFront.
![Page 12: Using AWS Networking and Logging Features to Enhance Security | AWS Public Sector Summit 2016](https://reader034.vdocuments.us/reader034/viewer/2022042723/58ed3c321a28ab75358b4585/html5/thumbnails/12.jpg)
Traffic isolation—VPN and AWS Direct Connect
Diagram: a customer gateway on the 192.168.0.0/16 on-premises network connects to the virtual gateway of a 172.31.0.0/16 VPC over two IPsec tunnels; AWS Direct Connect instead uses private fiber via a peering facility. Direct Connect gives a private path, not an encrypted one: run a VPN over it if the data needs encryption in transit.
![Page 13: Using AWS Networking and Logging Features to Enhance Security | AWS Public Sector Summit 2016](https://reader034.vdocuments.us/reader034/viewer/2022042723/58ed3c321a28ab75358b4585/html5/thumbnails/13.jpg)
Traffic isolation—VPC endpoints
Diagram: a VPC (10.10.0.0/16) with subnets 10.10.1.0/24 in AZ A and 10.10.2.0/24 in AZ B reaching an AWS service through a VPC endpoint, so the traffic stays on the AWS network and the subnets need no Internet gateway or NAT. The endpoint policy, and an aws:sourceVpce condition in the S3 bucket policy, restrict which buckets are reachable and from which endpoint.
![Page 14: Using AWS Networking and Logging Features to Enhance Security | AWS Public Sector Summit 2016](https://reader034.vdocuments.us/reader034/viewer/2022042723/58ed3c321a28ab75358b4585/html5/thumbnails/14.jpg)
Isolation—VPC peering
![Page 15: Using AWS Networking and Logging Features to Enhance Security | AWS Public Sector Summit 2016](https://reader034.vdocuments.us/reader034/viewer/2022042723/58ed3c321a28ab75358b4585/html5/thumbnails/15.jpg)
Logging
![Page 16: Using AWS Networking and Logging Features to Enhance Security | AWS Public Sector Summit 2016](https://reader034.vdocuments.us/reader034/viewer/2022042723/58ed3c321a28ab75358b4585/html5/thumbnails/16.jpg)
Amazon CloudWatch Logs
![Page 17: Using AWS Networking and Logging Features to Enhance Security | AWS Public Sector Summit 2016](https://reader034.vdocuments.us/reader034/viewer/2022042723/58ed3c321a28ab75358b4585/html5/thumbnails/17.jpg)
Logging: VPC Flow Logs
Diagram: flow logs captured for a VPC (10.10.0.0/16) with subnets 10.10.1.0/24 in AZ A and 10.10.2.0/24 in AZ B.
![Page 18: Using AWS Networking and Logging Features to Enhance Security | AWS Public Sector Summit 2016](https://reader034.vdocuments.us/reader034/viewer/2022042723/58ed3c321a28ab75358b4585/html5/thumbnails/18.jpg)
Logging—AWS CloudTrail
"Records": [{
  "eventVersion": "1.0",
  "userIdentity": { ... "arn": "arn:aws:iam::123456789012:user/Alice", ... },
  "eventTime": "2015-03-24T21:11:59Z",
  "eventSource": "iam.amazonaws.com",
  "eventName": "CreateUser",
  "awsRegion": "us-east-1",
  "sourceIPAddress": "55.55.55.55",
  ...
![Page 19: Using AWS Networking and Logging Features to Enhance Security | AWS Public Sector Summit 2016](https://reader034.vdocuments.us/reader034/viewer/2022042723/58ed3c321a28ab75358b4585/html5/thumbnails/19.jpg)
Logging—Elastic Load Balancing, CloudFront, Amazon S3 access logs
Diagram: Elastic Load Balancing logs, CloudFront logs and Amazon S3 bucket logs all delivered to a single logging destination bucket.
![Page 20: Using AWS Networking and Logging Features to Enhance Security | AWS Public Sector Summit 2016](https://reader034.vdocuments.us/reader034/viewer/2022042723/58ed3c321a28ab75358b4585/html5/thumbnails/20.jpg)
Change control
![Page 21: Using AWS Networking and Logging Features to Enhance Security | AWS Public Sector Summit 2016](https://reader034.vdocuments.us/reader034/viewer/2022042723/58ed3c321a28ab75358b4585/html5/thumbnails/21.jpg)
Change control—AWS Config
Diagram: AWS Config records changing resources, normalizes them, stores the history, and delivers it both as a stream and as point-in-time snapshots (ex. 2014-11-05), all available through APIs.
![Page 22: Using AWS Networking and Logging Features to Enhance Security | AWS Public Sector Summit 2016](https://reader034.vdocuments.us/reader034/viewer/2022042723/58ed3c321a28ab75358b4585/html5/thumbnails/22.jpg)
Change control—AWS CloudFormation
A template is deployed as a stack by AWS CloudFormation
• JSON-based text file describing infrastructure
• Resources created from a template
• Orchestrate changes across AWS services
• Use as foundation to AWS Service Catalog products
• Use with source code repositories to manage infrastructure changes
• Stacks can be updated; updates can be restricted
![Page 23: Using AWS Networking and Logging Features to Enhance Security | AWS Public Sector Summit 2016](https://reader034.vdocuments.us/reader034/viewer/2022042723/58ed3c321a28ab75358b4585/html5/thumbnails/23.jpg)
Change control—CloudFormation change sets
Separation of Duties: one role creates a change set, which lists exactly what would be added, modified or removed, and a different role reviews and executes it, so nobody can both propose and apply a change to production.
![Page 24: Using AWS Networking and Logging Features to Enhance Security | AWS Public Sector Summit 2016](https://reader034.vdocuments.us/reader034/viewer/2022042723/58ed3c321a28ab75358b4585/html5/thumbnails/24.jpg)
Making use of logs
![Page 25: Using AWS Networking and Logging Features to Enhance Security | AWS Public Sector Summit 2016](https://reader034.vdocuments.us/reader034/viewer/2022042723/58ed3c321a28ab75358b4585/html5/thumbnails/25.jpg)
Example events of concern
• Configuration changes that impact ability to detect or understand events
• Activities that are inconsistent with expectations
• Activities that violate policy
![Page 26: Using AWS Networking and Logging Features to Enhance Security | AWS Public Sector Summit 2016](https://reader034.vdocuments.us/reader034/viewer/2022042723/58ed3c321a28ab75358b4585/html5/thumbnails/26.jpg)
Monitoring logging status—CloudTrail
CloudTrail events → CloudWatch Logs → CloudWatch Logs filter → CloudWatch metric → CloudWatch Alarm → air-raid siren
Metric filter: "FilterPattern": "{ ($.eventName = StopLogging) }"
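To check a metric filter before it goes live, the block below (an added example, not from the talk) evaluates the slide's pattern, plus a few more "events of concern" patterns in the same CloudWatch Logs JSON filter syntax, over constructed CloudTrail records. Only the StopLogging pattern is from the slide; the other patterns, the sample records, and the treatment of a missing field under `!=` as a match are assumptions, and the translator only handles conditions of the form `($.path = value)` joined with `&&`.

```python
"""CloudWatch Logs JSON filter patterns evaluated locally over CloudTrail records.

Added example, not from the talk. Supports the subset of the filter syntax used
on the slide: ($.path = value) and ($.path != value), joined with &&.
"""
import json
import re

# Only the first pattern is from the slide; the rest are assumed additions.
PATTERNS = {
    "CloudTrailStopped": "{ ($.eventName = StopLogging) }",
    "CloudTrailDeleted": "{ ($.eventName = DeleteTrail) }",
    "FlowLogsDeleted":   "{ ($.eventName = DeleteFlowLogs) }",
    "ConsoleLoginNoMFA": '{ ($.eventName = ConsoleLogin) && ($.additionalEventData.MFAUsed != "Yes") }',
}

COND = re.compile(r'\(\s*\$\.([\w.]+)\s*(!=|=)\s*"?([^"()\s]+)"?\s*\)')


def compile_pattern(pattern):
    """Translate a pattern into a predicate over one CloudTrail record (dict)."""
    conds = COND.findall(pattern)
    if not conds or "||" in pattern:
        raise ValueError("unsupported pattern: " + pattern)

    def lookup(event, path):
        node = event
        for key in path.split("."):
            if not isinstance(node, dict) or key not in node:
                return None
            node = node[key]
        return node

    def predicate(event):
        for path, op, value in conds:
            actual = lookup(event, path)
            actual = None if actual is None else str(actual)
            if op == "=" and actual != value:
                return False
            # Assumption: a missing field satisfies "!=", which is the safe (noisy) side.
            if op == "!=" and actual == value:
                return False
        return True

    return predicate


def scan(records, patterns=PATTERNS):
    """Return {metric_name: matching_record_count}, i.e. the metric each filter emits."""
    preds = {name: compile_pattern(p) for name, p in patterns.items()}
    return {name: sum(1 for rec in records if pred(rec)) for name, pred in preds.items()}


def alarm_state(counts, threshold=1):
    """Mirror the alarm on the slide: names of metrics at or above the threshold."""
    return sorted(name for name, n in counts.items() if n >= threshold)


# Constructed CloudTrail records, not real log data.
SAMPLE = json.loads("""
{"Records": [
 {"eventVersion": "1.05", "eventName": "StopLogging", "eventSource": "cloudtrail.amazonaws.com",
  "userIdentity": {"arn": "arn:aws:iam::123456789012:user/Alice"}, "awsRegion": "us-east-1"},
 {"eventVersion": "1.05", "eventName": "CreateUser", "eventSource": "iam.amazonaws.com",
  "userIdentity": {"arn": "arn:aws:iam::123456789012:user/Alice"}, "awsRegion": "us-east-1"},
 {"eventVersion": "1.05", "eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com",
  "additionalEventData": {"MFAUsed": "No"}, "awsRegion": "us-east-1"},
 {"eventVersion": "1.05", "eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com",
  "additionalEventData": {"MFAUsed": "Yes"}, "awsRegion": "us-east-1"}
]}
""")["Records"]

if __name__ == "__main__":
    counts = scan(SAMPLE)
    print(counts)                 # {'CloudTrailStopped': 1, 'CloudTrailDeleted': 0, ...}
    print(alarm_state(counts))    # ['CloudTrailStopped', 'ConsoleLoginNoMFA']
```

Running the same pattern text locally that will be handed to `put_metric_filter` avoids the usual failure mode of an alarm that never fires because the pattern silently matches nothing.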
![Page 27: Using AWS Networking and Logging Features to Enhance Security | AWS Public Sector Summit 2016](https://reader034.vdocuments.us/reader034/viewer/2022042723/58ed3c321a28ab75358b4585/html5/thumbnails/27.jpg)
Monitoring for unexpected (network) behavior
VPC Flow Logs → CloudWatch Logs metric filter → CloudWatch Alarm → AWS Lambda function
Filter: Rejected; Filter: Source: Internal
At some meaningful rate, fire an alarm
Take an automated action: cut off network access
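The block below is an added example, not from the talk, serving both the VPC Flow Logs slide and this one. It parses flow-log records in the space-separated format CloudWatch Logs receives, applies the two filters on the slide (action REJECT, source address inside the VPC), counts matches per source over a sliding time window, and returns the sources that cross the alarm threshold, which is the condition that would invoke the Lambda function. The sample records, the VPC CIDR, the threshold and the window are constructed assumptions.

```python
"""VPC Flow Log parsing and the rejected-internal-traffic alarm from the slide.

Added example, not from the talk. Sample records, the VPC CIDR and the alarm
threshold/window are constructed assumptions.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()
INTERNAL = ip_network("10.10.0.0/16")   # assumed VPC CIDR

# The REJECT half of the slide's filter as a CloudWatch Logs space-delimited pattern;
# the "source is internal" half is done in Python below.
REJECT_PATTERN = ("[version, account, eni, source, destination, srcport, destport, "
                  "protocol, packets, bytes, windowstart, windowend, action=REJECT, flowlogstatus]")


def parse(line):
    """One flow-log record to a dict; NODATA/SKIPDATA records carry '-' in most fields."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    for k in ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end"):
        rec[k] = int(rec[k]) if rec[k] != "-" else None
    return rec


def load(text):
    return [r for r in (parse(line) for line in text.splitlines()) if r]


def rejected_internal(records):
    """The slide's filter chain: Rejected AND Source: Internal."""
    return [r for r in records
            if r["action"] == "REJECT" and r["srcaddr"] != "-"
            and ip_address(r["srcaddr"]) in INTERNAL]


def alarm_sources(records, threshold, window):
    """Sources with >= threshold rejected flows starting within any `window` seconds.
    Returns {srcaddr: count at the first crossing}, i.e. who the Lambda would cut off."""
    by_src = defaultdict(list)
    for r in rejected_internal(records):
        by_src[r["srcaddr"]].append(r["start"])
    fired = {}
    for src, times in by_src.items():
        times.sort()
        lo = 0
        for hi, t in enumerate(times):
            while t - times[lo] > window:
                lo += 1
            if hi - lo + 1 >= threshold:
                fired[src] = hi - lo + 1
                break
    return fired


# Constructed records (not real traffic): one internal host probing several ports,
# a normal SQL flow, one external probe, one internal single reject, one NODATA record.
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d 10.10.1.50 10.10.2.10 44321 22 6 1 60 1466000000 1466000060 REJECT OK
2 123456789012 eni-0a1b2c3d 10.10.1.50 10.10.2.10 44322 23 6 1 60 1466000005 1466000060 REJECT OK
2 123456789012 eni-0a1b2c3d 10.10.1.50 10.10.2.10 44323 445 6 1 60 1466000010 1466000060 REJECT OK
2 123456789012 eni-0a1b2c3d 10.10.1.50 10.10.2.10 44324 3389 6 1 60 1466000015 1466000060 REJECT OK
2 123456789012 eni-0a1b2c3d 10.10.1.10 10.10.2.10 50000 1433 6 12 4096 1466000020 1466000080 ACCEPT OK
2 123456789012 eni-0a1b2c3d 198.51.100.9 10.10.2.10 5555 22 6 1 60 1466000025 1466000085 REJECT OK
2 123456789012 eni-0a1b2c3d 10.10.1.10 10.10.2.10 50001 1433 6 1 60 1466000030 1466000090 REJECT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1466000030 1466000090 - NODATA
"""

if __name__ == "__main__":
    records = load(SAMPLE_LOG)
    print(len(rejected_internal(records)))                 # 5
    print(alarm_sources(records, threshold=3, window=60))  # {'10.10.1.50': 3}
```

Two details carry over to production: external sources are excluded on purpose (Internet scanning is background noise; an internal host being rejected repeatedly is the signal), and NODATA records must not be counted. The cut-off action the slide describes can be done with `modify_network_interface_attribute`, swapping the offending interface's groups for a quarantine group, which keeps the instance around for forensics.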
![Page 28: Using AWS Networking and Logging Features to Enhance Security | AWS Public Sector Summit 2016](https://reader034.vdocuments.us/reader034/viewer/2022042723/58ed3c321a28ab75358b4585/html5/thumbnails/28.jpg)
Watching for disallowed configurations
AWS Config → Config Rule: No TCP 22 from 0.0.0.0/0 in Production
→ Email alert to the SO's mailbox
→ Automated action: modify SG
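The evaluation logic behind such a rule, as an added example that is not from the talk: a custom Config rule is a Lambda function that receives a security group's configuration item and reports COMPLIANT or NOT_COMPLIANT; this block implements that decision over the `IpPermissions` structure EC2 returns, scopes it to Production by tag, and computes the exact parameters the "modify SG" action would pass to `revoke_security_group_ingress`. The sample groups, the tag name and the port ranges are assumptions.

```python
"""Config-rule logic for "No TCP 22 from 0.0.0.0/0 in Production".

Added example, not from the talk. Sample groups and tag names are assumptions.
"""
PORT = 22
PUBLIC = ("0.0.0.0/0", "::/0")


def covers_ssh(perm):
    """Does this IpPermissions entry include TCP/22 (a range, or all protocols)?"""
    proto = perm.get("IpProtocol")
    if proto == "-1":
        return True
    if proto != "tcp":
        return False
    return perm.get("FromPort", 0) <= PORT <= perm.get("ToPort", 65535)


def offending_permissions(group):
    """Entries exposing TCP/22 to the whole Internet (v4 or v6), shaped so they
    can be passed straight to revoke_security_group_ingress(IpPermissions=...)."""
    found = []
    for perm in group.get("IpPermissions", []):
        if not covers_ssh(perm):
            continue
        v4 = [r for r in perm.get("IpRanges", []) if r.get("CidrIp") in PUBLIC]
        v6 = [r for r in perm.get("Ipv6Ranges", []) if r.get("CidrIpv6") in PUBLIC]
        if not (v4 or v6):
            continue
        entry = {"IpProtocol": perm["IpProtocol"]}
        if perm["IpProtocol"] != "-1":           # "-1" entries carry no port fields
            entry["FromPort"] = perm["FromPort"]
            entry["ToPort"] = perm["ToPort"]
        if v4:
            entry["IpRanges"] = v4               # only the public range, not the private ones
        if v6:
            entry["Ipv6Ranges"] = v6
        found.append(entry)
    return found


def evaluate(group, scope_tag=("Environment", "Production")):
    """(compliance, offending entries), as a Lambda-backed rule would report them.
    Groups outside the rule's scope are NOT_APPLICABLE rather than COMPLIANT."""
    tags = {t["Key"]: t["Value"] for t in group.get("Tags", [])}
    if tags.get(scope_tag[0]) != scope_tag[1]:
        return "NOT_APPLICABLE", []
    bad = offending_permissions(group)
    return ("NON_COMPLIANT" if bad else "COMPLIANT"), bad


# Constructed groups in the shape describe_security_groups returns.
SAMPLE_GROUPS = [
    {"GroupId": "sg-0bad", "Tags": [{"Key": "Environment", "Value": "Production"}],
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}, {"CidrIp": "10.10.0.0/16"}], "Ipv6Ranges": []},
         {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0range", "Tags": [{"Key": "Environment", "Value": "Production"}],
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 1024,
          "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-0good", "Tags": [{"Key": "Environment", "Value": "Production"}],
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
          "IpRanges": [{"CidrIp": "10.10.0.0/16"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0dev", "Tags": [{"Key": "Environment", "Value": "Dev"}],
     "IpPermissions": [
         {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
]

if __name__ == "__main__":
    for g in SAMPLE_GROUPS:
        print(g["GroupId"], *evaluate(g))
```

Three things the toy version makes visible: a rule for ports 0-1024 or for all protocols exposes SSH just as much as an explicit port-22 rule; IPv6 `::/0` counts as "from anywhere"; and the remediation revokes only the public range on the offending entry, leaving the private 10.10.0.0/16 access in place. In the real rule the handler reads the configuration item from `event["invokingEvent"]` and reports with `config.put_evaluations`.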
![Page 29: Using AWS Networking and Logging Features to Enhance Security | AWS Public Sector Summit 2016](https://reader034.vdocuments.us/reader034/viewer/2022042723/58ed3c321a28ab75358b4585/html5/thumbnails/29.jpg)
VPC Flow Logs—network dashboard
• Amazon Elasticsearch Service
• Amazon CloudWatch Logs subscriptions
![Page 30: Using AWS Networking and Logging Features to Enhance Security | AWS Public Sector Summit 2016](https://reader034.vdocuments.us/reader034/viewer/2022042723/58ed3c321a28ab75358b4585/html5/thumbnails/30.jpg)
All of this can be automated
So what does that do for practices in the cloud?
![Page 31: Using AWS Networking and Logging Features to Enhance Security | AWS Public Sector Summit 2016](https://reader034.vdocuments.us/reader034/viewer/2022042723/58ed3c321a28ab75358b4585/html5/thumbnails/31.jpg)
Automation, enabled by public cloud, leads to continuous practice
![Page 32: Using AWS Networking and Logging Features to Enhance Security | AWS Public Sector Summit 2016](https://reader034.vdocuments.us/reader034/viewer/2022042723/58ed3c321a28ab75358b4585/html5/thumbnails/32.jpg)
continuous delivery is the foundation
![Page 33: Using AWS Networking and Logging Features to Enhance Security | AWS Public Sector Summit 2016](https://reader034.vdocuments.us/reader034/viewer/2022042723/58ed3c321a28ab75358b4585/html5/thumbnails/33.jpg)
continuous security: prevention & response
continuous delivery
continuous security testing
continuous hacking
continuous risk management
continuous assurance
continuous compliance
![Page 34: Using AWS Networking and Logging Features to Enhance Security | AWS Public Sector Summit 2016](https://reader034.vdocuments.us/reader034/viewer/2022042723/58ed3c321a28ab75358b4585/html5/thumbnails/34.jpg)
continuous security testing
![Page 35: Using AWS Networking and Logging Features to Enhance Security | AWS Public Sector Summit 2016](https://reader034.vdocuments.us/reader034/viewer/2022042723/58ed3c321a28ab75358b4585/html5/thumbnails/35.jpg)
continuous hacking
![Page 36: Using AWS Networking and Logging Features to Enhance Security | AWS Public Sector Summit 2016](https://reader034.vdocuments.us/reader034/viewer/2022042723/58ed3c321a28ab75358b4585/html5/thumbnails/36.jpg)
continuous risk management
![Page 37: Using AWS Networking and Logging Features to Enhance Security | AWS Public Sector Summit 2016](https://reader034.vdocuments.us/reader034/viewer/2022042723/58ed3c321a28ab75358b4585/html5/thumbnails/37.jpg)
continuous compliance
the public cloud provides a platform
![Page 38: Using AWS Networking and Logging Features to Enhance Security | AWS Public Sector Summit 2016](https://reader034.vdocuments.us/reader034/viewer/2022042723/58ed3c321a28ab75358b4585/html5/thumbnails/38.jpg)
continuous security: detection
continuous intrusion detection
continuous health checking
continuous anomaly detection
continuous capacity management
continuous scaling
![Page 39: Using AWS Networking and Logging Features to Enhance Security | AWS Public Sector Summit 2016](https://reader034.vdocuments.us/reader034/viewer/2022042723/58ed3c321a28ab75358b4585/html5/thumbnails/39.jpg)
continuous prevention& response
continuous detection
![Page 40: Using AWS Networking and Logging Features to Enhance Security | AWS Public Sector Summit 2016](https://reader034.vdocuments.us/reader034/viewer/2022042723/58ed3c321a28ab75358b4585/html5/thumbnails/40.jpg)
continuous delivery is hard
![Page 41: Using AWS Networking and Logging Features to Enhance Security | AWS Public Sector Summit 2016](https://reader034.vdocuments.us/reader034/viewer/2022042723/58ed3c321a28ab75358b4585/html5/thumbnails/41.jpg)
DevOps
Continuous
Delivery
![Page 42: Using AWS Networking and Logging Features to Enhance Security | AWS Public Sector Summit 2016](https://reader034.vdocuments.us/reader034/viewer/2022042723/58ed3c321a28ab75358b4585/html5/thumbnails/42.jpg)
DevOps is hard
because change toward DevOps is culture change
![Page 43: Using AWS Networking and Logging Features to Enhance Security | AWS Public Sector Summit 2016](https://reader034.vdocuments.us/reader034/viewer/2022042723/58ed3c321a28ab75358b4585/html5/thumbnails/43.jpg)
DevOps is culture change
New skills
New methodologies
New hours & working locations
New careers
New ways of thinking
New planning
New governance
Sometimes, new clothes
![Page 44: Using AWS Networking and Logging Features to Enhance Security | AWS Public Sector Summit 2016](https://reader034.vdocuments.us/reader034/viewer/2022042723/58ed3c321a28ab75358b4585/html5/thumbnails/44.jpg)
Rising cyber security threats require us to be adaptive.
Security conservatism, attempting to achieve stability through restricted change, increases risk.
We must embrace continuous practice.
![Page 45: Using AWS Networking and Logging Features to Enhance Security | AWS Public Sector Summit 2016](https://reader034.vdocuments.us/reader034/viewer/2022042723/58ed3c321a28ab75358b4585/html5/thumbnails/45.jpg)
Thank you!