Mapping traditional security technologies to AWS
Bertram Dorn – Specialized Solutions Architect Security and Compliance EMEA, Amazon Web Germany GmbH
Advanced IAM
• Risk
• Strategy
• Structures
Risk
Typical Customer Question: What is my biggest risk if my resources run on Amazon Web Services?
Risk
Losing control of your [root|IAM] account:
• No knowledge what is going on
• No baselining
• No sensors
• No alarming
Strategy
• Need to Know
• Segregation of Duties
• Clear Field Traps
The Base Account Structure (AWS Account)
Root Account
• No Access Keys
• MFA Enabled
• Raise Alarm When Login
IAM Master
• No Access Keys
• MFA Enabled
• Raise Alarm When Login
• Create IAM Policies
• Enable IAM Managers (User or Role)
IAM Manager
• No Access Keys
• MFA Enabled
• Have PWD Policy
• Enforce PWD Rotation
• Have Questions Setup
• Have Info eMail setup
• Create IAM Users/Groups/Roles
• Use Pre-Defined Policies
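The rules for the privileged identities in this structure (no access keys, MFA enabled) can be checked mechanically against the credential report that IAM produces. The following is an added example and not code from the slide deck: it parses a report in the CSV layout of `aws iam get-credential-report` (a subset of the real columns; every row is constructed) and lists each privileged identity that breaks a rule. The user names `iam-master` and `iam-manager` are assumptions for the example.

```python
"""Audit an IAM credential report against the base account structure.

Added example, not from the slide deck. The CSV layout follows the real
credential report (a subset of its columns); the rows are constructed.
The user names "iam-master" and "iam-manager" are assumptions.
"""
import csv
import io

# Constructed credential report: real column names, invented data.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_2_active
<root_account>,arn:aws:iam::111122223333:root,2014-01-01T00:00:00+00:00,not_supported,2015-03-01T09:00:00+00:00,not_supported,not_supported,true,false,false
iam-master,arn:aws:iam::111122223333:user/iam-master,2014-01-02T00:00:00+00:00,true,2015-03-02T09:00:00+00:00,2015-01-02T00:00:00+00:00,2015-04-02T00:00:00+00:00,true,true,false
iam-manager,arn:aws:iam::111122223333:user/iam-manager,2014-01-03T00:00:00+00:00,true,2015-03-03T09:00:00+00:00,2015-01-03T00:00:00+00:00,2015-04-03T00:00:00+00:00,false,false,false
deploy-bot,arn:aws:iam::111122223333:user/deploy-bot,2014-02-01T00:00:00+00:00,false,no_information,N/A,N/A,false,true,false
"""

# Identities that must have MFA and must not carry access keys: the root
# account plus the two privileged IAM identities of the account structure.
PRIVILEGED = {"<root_account>", "iam-master", "iam-manager"}


def parse_credential_report(text):
    """Return the report rows as a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def find_violations(rows, privileged=PRIVILEGED):
    """Return (user, rule) pairs for every privileged identity breaking a rule."""
    violations = []
    for row in rows:
        if row["user"] not in privileged:
            continue  # ordinary users are governed by other rules
        if row["mfa_active"] != "true":
            violations.append((row["user"], "mfa-not-enabled"))
        if row["access_key_1_active"] == "true" or row["access_key_2_active"] == "true":
            violations.append((row["user"], "access-key-present"))
    return violations


if __name__ == "__main__":
    for user, rule in find_violations(parse_credential_report(SAMPLE_REPORT)):
        print(f"{user}: {rule}")
```

In the constructed data the root account passes, `iam-master` is flagged for carrying an access key and `iam-manager` for missing MFA; `deploy-bot` is not a privileged identity and is ignored by this check.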
Strategy
[Chart residue: axes "power" (100% to 0) and "Managing IDs" (none and upwards); labels: Root Account ("sometimes", "might need to happen"), IAM Manager, Users/Roles ("possibility to log-in/interact programmatically"); quote: "If I can't I will not be able to do my job!"]
The Larger Picture
[Diagram residue: separate accounts for BILLING, Audit (CloudTrail) and Backup, each with an "S3 Holder"; IAM Users in an IAM-User account reach Resources accounts via STS Assume Role into IAM Roles; IAM Roles also in the BILL, CloudTrail and Backup Data accounts; "Display Rights".]
Clear Field
• Raise an alert (e.g. through SNS), using CloudTrail as the sensor, IF
– Any Root Account does log in
– Any IAM Master does log in
– Billing/CloudTrail accounts have more than a single S3 bucket
– An IAM User has any resource (does generate a bill)
– An IAM User has CloudTrail events besides assume-role and console login
– An IAM User logs in to Resource accounts (besides IAM Manager)
– A Resource account has IAM Users (besides IAM Master/IAM Manager)
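The event-driven traps on this slide (root login, IAM Master login, IAM User activity beyond assume-role and console login, IAM User login in a Resource account) map directly onto fields that every CloudTrail record carries. The following added example, which is not code from the slide deck, evaluates those four traps over constructed records shaped like CloudTrail's `eventName`, `recipientAccountId` and `userIdentity` fields and returns the alert strings that would be published (the slide uses SNS for that step; here the alerts are returned so the logic runs offline). The account ids, the account-to-role mapping and the user names `iam-master` and `iam-manager` are assumptions; the inventory-style traps (bucket counts, billed resources, users present in an account) are not event-level checks and are left out.

```python
"""Evaluate the 'clear field' traps against CloudTrail records.

Added example, not from the slide deck. Account ids, account roles and
the names "iam-master"/"iam-manager" are assumptions; the records are
constructed, not real CloudTrail output.
"""
import json

# Which account plays which role in the structure (assumed ids).
ACCOUNT_ROLE = {
    "111111111111": "iam-user",   # holds the IAM users
    "222222222222": "resource",   # holds workloads, reached via AssumeRole
}
IAM_MASTER = "iam-master"
IAM_MANAGER = "iam-manager"
# The only calls an IAM user is expected to make from the IAM-User account.
ALLOWED_IAM_USER_EVENTS = {"AssumeRole", "ConsoleLogin"}

# Constructed records; only the fields the traps need are present.
SAMPLE_RECORDS = [
    {"eventName": "ConsoleLogin", "recipientAccountId": "111111111111",
     "userIdentity": {"type": "Root"}},
    {"eventName": "ConsoleLogin", "recipientAccountId": "111111111111",
     "userIdentity": {"type": "IAMUser", "userName": "iam-master"}},
    {"eventName": "AssumeRole", "recipientAccountId": "111111111111",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}},
    {"eventName": "RunInstances", "recipientAccountId": "111111111111",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}},
    {"eventName": "ConsoleLogin", "recipientAccountId": "222222222222",
     "userIdentity": {"type": "IAMUser", "userName": "bob"}},
    {"eventName": "ConsoleLogin", "recipientAccountId": "222222222222",
     "userIdentity": {"type": "IAMUser", "userName": "iam-manager"}},
    {"eventName": "RunInstances", "recipientAccountId": "222222222222",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::222222222222:assumed-role/deploy/alice"}},
]


def evaluate_record(record):
    """Return the names of the traps a single CloudTrail record trips."""
    identity = record.get("userIdentity", {})
    event = record.get("eventName")
    role = ACCOUNT_ROLE.get(record.get("recipientAccountId"))
    user = identity.get("userName")
    hits = []

    # Trap: any root account login.
    if identity.get("type") == "Root" and event == "ConsoleLogin":
        hits.append("root-login")
    # Trap: the IAM Master logs in.
    if user == IAM_MASTER and event == "ConsoleLogin":
        hits.append("iam-master-login")
    # Trap: an IAM user in the IAM-User account does anything besides
    # assuming a role or logging in to the console.
    if (role == "iam-user" and identity.get("type") == "IAMUser"
            and event not in ALLOWED_IAM_USER_EVENTS):
        hits.append("iam-user-activity")
    # Trap: an IAM user other than the IAM Manager logs in to a Resource
    # account (work there is meant to happen through assumed roles).
    if (role == "resource" and identity.get("type") == "IAMUser"
            and event == "ConsoleLogin" and user != IAM_MANAGER):
        hits.append("iam-user-login-in-resource-account")
    return hits


def alerts_for(records):
    """Turn every tripped trap into one alert string."""
    alerts = []
    for record in records:
        identity = record["userIdentity"]
        who = identity.get("userName", identity["type"])
        for trap in evaluate_record(record):
            alerts.append(
                f"{trap}: {who} {record['eventName']} in {record['recipientAccountId']}")
    return alerts


if __name__ == "__main__":
    print(json.dumps(alerts_for(SAMPLE_RECORDS), indent=2))
```

The assumed-role record and the IAM Manager's console login in the Resource account produce no alert, which is the intended steady state of the structure; every other login or call in the sample is exactly what the slide wants surfaced.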