Recent AWS Security Improvements - AWS User Group Perth - November 2018
Download as PPTX, PDF0 likes156 views
James is talking about recent security changes at AWS. He outlines several new security features launched by AWS in 2017-2018 including GuardDuty for threat detection, Single Sign On for identity federation, and Secrets Manager for secrets management. He also discusses new capabilities for services like Inspector, API Gateway, and DynamoDB encryption. While many of the changes increase security, James notes the AWS console could still improve security by implementing features like TLS 1.3 and HTTP Strict Transport Security. He concludes by promoting his security training courses.
Recent AWS Security Improvements - AWS User Group Perth - November 2018
- 1. Recent AWS Security Changes AWS User Group – Perth – November 2018 PRAGMATIC CUSTOMERS AGILE CARING COURAGEOUS INNOVATIVE
- 2. Australia
- 3. 13/11/20183 ©Modis 1200+ • Managed Services • Digital Services and Solutions • People Solutions 450 380 150 90 145 75 Modis Australia
- 4. 13/11/20184 ©Modis Cloud Partnerships and Certifications Advanced Tier since 2014.
- 5. Why is James talking about security? 13/11/20185 © Modis
- 7. our (you and me, engineers and developers in this “I.T.” industry) 13/11/20187 © Modis
- 8. Security Highlights Significant to me and my customers 13/11/20188 © Modis
- 9. Launched at re:Invent 2017 (Nov/18) • Cross account, consolidated view (1,000 member account limit Jan/18) • New “findings” added (5/Feb/18, 25/Feb/18) • CloudFormation support (6/Mar/18) • Cost reduction (15/Jun/18, 1/Nov/18) • Can hook into CloudWatch Events for notifications/integration • Add your own threat intel set (in addition to managed set) 13/11/2018 1. GuardDuty 9 © Modis
- 10. Launched post re:Invent 2017 (Dec/18) • Back-end user-pool on native MS Active Directory or AWS Managed AD, or local in cloud pool • Temporary credentials for CLI use (22/Feb/18) • Session state duration SAML claim for 3rd party apps (10/Oct/18) • Session duration support for AWS Console (30/Oct/18) 13/11/2018 2. Single Sign On 10 © Modis
- 11. Launched April 2018 • Hold & automate secret rotation • Native integration to RDS credential rotation • Resource-based policies permit cross-account access (26/Jun/18) • Private VPC Endpoint (11/Jul/18) • Secrets can be deleted, but default have an undelete window (with new exception of instant delete 9/Aug/18) 13/11/2018 3. Secrets Manager 11 © Modis
- 12. Postgres support launched Sept 2018 • Each EC2 instance gets its own Access Token • Access Tokens are AWS Sig v4 (go read it or join me for training) • Tokens last 15 minutes (ie, rotate often) • No need for Secrets manager! 13/11/2018 4. IAM Database Authentication for MySQL and PostgreSQL 12 © Modis
- 13. Anytime I can get tick box compliance for encryption at rest, I’m happy! 13/11/2018 5. DynamoDB (and DAX) Encryption at rest, Glue Encryption at rest (4/Sept), SQS Server-side encryption at rest 13 © Modis
- 14. Launched 11 Sept 2018 • Doesn’t require • local instance users and passwords or SSH keys • Security group ingress (keep management ports closed) • No bastions to jump via • Bash or PowerShell interface (not GUI) • Keystroke logging to S3 and/or CloudWatch logs • IAM policy to control access • Command line support (aws ssm …) • Scriptable 13/11/2018 6. Systems Manager Session Manager 14 © Modis
- 15. Launched 9 Aug 2018 • Validate instance compliance on demand, at scale, against current CVEs Launched 9/Nov/2018: • Agent-less determination of reachability (Provable Security) • https://aws.amazon.com/security/provable-security/ 13/11/2018 7. Inspector Security (Assessments for Debian, Security Provability) 15 © Modis
- 16. KMS extension launched 1 Aug 2018 • All data in flight already encrypted • Previously all data at rest in AWS was default KMS S3 master key (per AWS Account) • Now can select an individual key for compliance/separation SMB launched 20/Jun/18 • SMB v2 or V3 • Either AD joined, or all as guest Fun fact: • Original SGW re:Invent bootcamp written by me! • SGW now available in US as a hardware appliance 13/11/2018 8. StorageGateway KMS Support (1/Aug/18) and SMB support (20/Jun/18) 16 © Modis
- 17. DNS validation was last year (22/nov/2017): • But DNS secrets left in DNS mean auto-revalidation, re-issuance, zero-touch • Automated population of R53 secrets during request (if in same account) 13/11/2018 9. ACM Validation via DNS Secrets 17 © Modis
- 18. Limited release Nov/2017, from/to Sydney 20/Feb/2018: • No SPOF • Encrypted as a service between Regions • Routed over AWS’s own inter region connectivity • Standard inter-region data rate charge 13/11/2018 10. Inter-region VPC peering 18 © Modis
- 19. Launched 14/Jun/2018 • Score based rating of risk: • New devices • New locations • Compromised credentials protection 13/11/2018 11. Cognito Protection for Unusual sign in and compromised credentials 19 © Modis
- 20. Private APIs Launched 14/Jun/18: • Provides endpoints within your VPC, not directly Internet exposed • Peer, or route via DirectConnect, or share via PrivateLink • Convert existing APIs (Edge, or Regional) to Private • Private APIs have 2 ENIs (one in each AZ) WAF support launched 5/Nov/18: • Protect WAF endpoint protection (at Lambda STAGE, so protects Edge API GW (without CloudFront)) 13/11/2018 12. API Gateway Private APIs, WAF 20 © Modis
- 21. 13/11/2018 13. IAM Policy Boundaries 21 © Modis "Condition": { "StringEquals": { "iam:PermissionsBoundary": "arn:aws:iam::111122223333:policy/XCompanyBoundaries" } } Launched 13/Jun/18: • Permit deputies to create policy • Limit their ability to privilege escalation
- 22. 13/11/2018 14. CloudFormation 22 © Modis Launched 9/Nov/18: • Support for Secrets manager. The following resources were added: AWS::DLM::LifecyclePolicy, AWS::SecretsManager::ResourcePolicy, AWS::SecretsManager::RotationSchedule, AWS::SecretsManager::Secret, and AWS::SecretsManager::SecretTargetAttachment. Launched 13/11/18: • Data Lifecycle Manager for EBS snapshots
- 23. • One U2F device (v4 or v5) to Multiple Accounts/Identities. • Can be used for Root or for IAM Users. The following browsers currently support the use of U2F security keys: • Google Chrome, version 38 and later. • Opera, version 40 and later. • Mozilla Firefox, version 57 and later. Note: Most Firefox versions that currently support U2F do not enable support by default. 13/11/2018 15. U2F on the console 23 © Modis
- 26. 13/11/201826 © Modis Account A Account B Root Y Y IAM User “James” Y Y
- 27. 13/11/201827 © Modis Account A Account B Root Y 1 Y 1 IAM User “James” Y 2 Y 2 1 2
- 28. 13/11/201828 © Modis Account A Account B Root Y 1 Y 2 IAM User “James” Y 1 Y 2 1 2
- 29. 13/11/201829 © Modis Two fun enhancements Just thing I liked…
- 30. Launched 11/Oct/18 • Frames (MTU) up to 9001 bytes • Overlay networks can retain 1500 bytes, including back to on prem (think: vmware on AWS stretch networks) • Better efficiency, eg: S3 on Public VIF @ 9k/frame History: • 1st postulated to me by Wazza @ AARnet when we turned up a 10G DX in 2013 and started loading it up… 13/11/2018 Fun 1: DirectConnect Jumbo Frames 30 © Modis
- 31. Launched 27/Jul/18 • 3.5k/s/prefix PUT, 5.5k/s/prefix GET • Yeah, per prefix. Per second. • This S3 request rate performance increase removes any previous guidance to randomize object prefixes to achieve faster performance. That means you can now use logical or sequential naming patterns in S3 object naming without any performance implications 13/11/2018 Fun 2: S3 Request Rate increases 31 © Modis
- 32. 13/11/201832 © Modis One enhancement that, well Kind of is… well… not as much as I thought it would be…
- 33. Not this one 13/11/201833 © Modis
- 34. Not this one 13/11/201834 © Modis
- 35. 13/11/201835 © Modis Console Security The GUI window into visualising AWS
- 36. This may be tough for my AWS friends to swallow, but… friends don’t let friends… 13/11/201836 © Modis
- 37. Console (Sydney): Missing some security headers 13/11/201837 © Modis
- 38. Console (Sydney): No CAA, TLS 1.0/1.1 enabled, AES GCM not top cipher suites, no IPv6, no TLS 1.3 yet, no CT, non-ephemeral key exchanges enabled… 13/11/201838 © Modis
- 39. Connect Smarter Australia 2018 PRAGMATIC CUSTOMERS AGILE CARING COURAGEOUS INNOVATIVE Twitter: @JamesBromberger Linkedin: /in/JamesBromberger Email: james.bromberger@modis.com
- 45. Connect Smarter Australia 2018 PRAGMATIC CUSTOMERS AGILE CARING COURAGEOUS INNOVATIVE Twitter: @JamesBromberger Linkedin: /in/JamesBromberger Email: james.bromberger@modis.com
- 46. Advanced Security and Operations on AWS • Detailed use of securely using the most popular AWS Services • Delivered in-person over 2 days • Small class sizes • Once every six months in Perth • Bookings online https://nephology.net.au/ See also: Nephology Web Security * Code-minimal security for any web based application, internal or external
Editor's Notes
- #3: Perth