Application Security Best Practices
Application Security Best Practices Matt Tavis | Principal Solutions Architect
Application Security Best Practices is a Complex topic! • Design scalable and fault tolerant applications – See Architecting for the Cloud
• Most traditional best practices still apply • There are ways AWS can help
Built Around the Shared Responsibility Model…
AWS
• • • • •
Facilities Physical Security Physical Infrastructure Network Infrastructure Virtualization Infrastructure
Customer • Operating System • Application • Security Groups • OS Firewalls • Network Configuration • Account Management
…and AWS Certifications • AWS Environment – SAS70 Type II Audit – ISO 27001 Certification – Payment Card Industry Data Security Standard (PCI DSS) Level 1 Service Provider – FedRAMP (FISMA)
• Customers have deployed various compliant applications: – – – –
Sarbanes-Oxley (SOX) HIPAA (healthcare) FISMA (US Federal Government) DIACAP MAC III Sensitive IATO
Resources and data are in your control • Specify what Region and AZ to launch in • Customize your AMIs • Create distinct Security Groups groups of EC2 Instances – use rules for controlling access between layers – restrict external access to specific IP ranges
• Use AWS Identity & Access Management (IAM) – upload your own keys – use MultiFactor Authentication (MFA)
• AWS personnel can’t login to your Instances
Protect your data with encryption • Encrypt data “in-transit” (SSL/TLS) • Encrypt data “at-rest” – Encrypt records before writing in database – Encrypt objects before storing them – Consider encrypted file systems for sensitive data • • • •
Windows Bitlocker Truecrypt dm-crypt SafeNet
Traditional Network Topologies in VPC • Create multiple Subnets – specify IP Ranges
• Specify Instance private IP Address • Manage Routing • Inbound & Outbound filters – Security Groups: stateful – Network Access Control Lists (ACLs): stateless
• Use NAT Instances – Enhance NAT Instances with software VPNs, IDS, logging, etc…
Security best practices still apply • Secure coding standards
• Perform penetration testing – http://aws.amazon.com/security/penetration-testing/
• Antivirus where appropriate • Intrusion Detection – Host-based Intrusion Detection (e.g., OSSEC)
• Log events • Role-based access control – AWS Identity & Access Management – LDAP and/or Active Directory for Operating Systems & Applications
AWS Credential and Key Management Tips • Create limited IAM Users for application needs
• Don’t package privileged key in Instance • Periodic key rotation • One way to pass the application key to an Instance – On the Instance • Decryption key • IAM User with read-only access to a private S3 Bucket that contains the encrypted key
– Retrieve the full key and then decrypt it – Use Bucket Logging to monitor attempts to access the key
Extend Your Credentials into AWS • Often done in VPC – easier with static IP for DCs – use egress control
• Use Read-only Domain Controllers to scale better • Whitepaper: Using Windows ADFS for Single Sign-On to EC2 http://media.amazonwebservices.com/E C2_ADFS_howto_2.0.pdf
New Security Opportunities Arise on AWS Issue
Opportunity
Spending too much time troubleshooting issues?
Throw it away and just replace it.
Found questionable log entries?
Launch an EMR job and find correlating events.
Tired of patching?
Use minimal OS and introduce puppet/chef/etc... Create new AMIs and launch replacements.
High risk site in your datacenter?
Move it to AWS and reduce threat vectors to other applications.
Security Belongs In Every Layer
Using AWS Account Isolation to Protect Resources • Environment – development, test, integration, performance, production
• • • •
Major system Line of business / function Customer Risk level
Consolidated Billing lets you bring it all together under one bill!
Leverage Multiple Layers of Defense Feature
Standard EC2
Virtual Private Cloud
Security Groups
Inbound
Inbound and Outbound
Network ACLs
n/a
Inbound and Outbound
Operating System firewalls
Use as-is
Use as-is
Border firewall
Manual configuration*
NAT Instance
VPN
Manual configuration*
VPN Gateway
Bastion Host
Enforce via Security Groups
Enforce via Security Groups or Network ACLs
IDS
HIDS*
HIDS* & NAT Instance
* Third-party tools / solutions
Public EC2 Multi-tier Security Group Approach Web Tier
Application & Bastion Tier
ssh
ssh
Database Tier
Ports 80 and 443 only open to the Internet
Engineering staff have ssh
Amazon EC2 Security Group Firewall
Sync with on-premises database
All other Internet ports blocked by default
You may still need to patch! • Most traditional tools will work • Emerging options – – – –
puppet (www.puppetlabs.com) chef (www.opscode.com/chef/) fabric/cuisine (www.fabfile.org) capistrano (https://github.com/capistrano/capistrano/wiki)
Monitoring Tools • Cloud Watch (now with console!) • Application Monitoring – Cacti – CloudWatch User Metrics
• Instance Monitoring – CloudWatch – Nagios • Nagios CloudWatch plugin https://github.com/j3tm0t0/check_cloudwatch
Approaches to Log Management • Distributed Approach – Highly scalable, but not always real-time – Instance-based (push to S3) – Facebook’s Scribe
• Centralized Approach – Real-time, but not highly scalable – syslog – Windows Event Logging Service
• Analytics – Custom EMR jobs – Splunk (www.splunk.com)
Example Application www.example.com DNS (Route 53) ELB
Auto-scaling group : Web Tier
Web Server
Web Server
SLB
App Server
Auto-scaling group : Web Tier
Web Server
Web Server
SLB
App Server Tomcat
App Server
App Server Tomcat
Auto-scaling group : App Tier
Auto-scaling group : App Tier
RDS Master
RDS Slave
Availability Zone #1
Availability Zone #2
Availability Zone #n
Cloud Front
S3
Example: Build Security into Every Layer www.example.com DNS (Route 53)
HA Architecture ELB
Security Characteristics: - Route 53 (highly scalable DNS) - Autoscaling Groups - Security Groups - ELB Security Group - OS Firewalls (on Instances) - RDS - DB Security Groups - backup window - snapshots - multi-AZ - CloudFront - Private Distribution - pre-signed URLs - S3 Bucket Policies - private bucket
Auto-scaling group : Web Tier
Web Server
Web Server
SLB
App Server
Auto-scaling group : Web Tier
Web Server
Web Server
SLB
App Server Tomcat
App Server
App Server Tomcat
Auto-scaling group : App Tier
Auto-scaling group : App Tier
RDS Master
RDS Slave
Availability Zone #1
Availability Zone #2
Availability Zone #n
Cloud Front
S3
Thank You! • More reading: – Security Center: http://aws.amazon.com/security
Application Security Best Practices is a Complex topic! • Design scalable and fault tolerant applications – See Architecting for the Cloud
• Most traditional best practices still apply • There are ways AWS can help
Built Around the Shared Responsibility Model…
AWS
• • • • •
Facilities Physical Security Physical Infrastructure Network Infrastructure Virtualization Infrastructure
Customer • Operating System • Application • Security Groups • OS Firewalls • Network Configuration • Account Management
…and AWS Certifications • AWS Environment – SAS70 Type II Audit – ISO 27001 Certification – Payment Card Industry Data Security Standard (PCI DSS) Level 1 Service Provider – FedRAMP (FISMA)
• Customers have deployed various compliant applications: – – – –
Sarbanes-Oxley (SOX) HIPAA (healthcare) FISMA (US Federal Government) DIACAP MAC III Sensitive IATO
Resources and data are in your control • Specify what Region and AZ to launch in • Customize your AMIs • Create distinct Security Groups groups of EC2 Instances – use rules for controlling access between layers – restrict external access to specific IP ranges
• Use AWS Identity & Access Management (IAM) – upload your own keys – use MultiFactor Authentication (MFA)
• AWS personnel can’t login to your Instances
Protect your data with encryption • Encrypt data “in-transit” (SSL/TLS) • Encrypt data “at-rest” – Encrypt records before writing in database – Encrypt objects before storing them – Consider encrypted file systems for sensitive data • • • •
Windows Bitlocker Truecrypt dm-crypt SafeNet
Traditional Network Topologies in VPC • Create multiple Subnets – specify IP Ranges
• Specify Instance private IP Address • Manage Routing • Inbound & Outbound filters – Security Groups: stateful – Network Access Control Lists (ACLs): stateless
• Use NAT Instances – Enhance NAT Instances with software VPNs, IDS, logging, etc…
Security best practices still apply • Secure coding standards
• Perform penetration testing – http://aws.amazon.com/security/penetration-testing/
• Antivirus where appropriate • Intrusion Detection – Host-based Intrusion Detection (e.g., OSSEC)
• Log events • Role-based access control – AWS Identity & Access Management – LDAP and/or Active Directory for Operating Systems & Applications
AWS Credential and Key Management Tips • Create limited IAM Users for application needs
• Don’t package privileged key in Instance • Periodic key rotation • One way to pass the application key to an Instance – On the Instance • Decryption key • IAM User with read-only access to a private S3 Bucket that contains the encrypted key
– Retrieve the full key and then decrypt it – Use Bucket Logging to monitor attempts to access the key
Extend Your Credentials into AWS • Often done in VPC – easier with static IP for DCs – use egress control
• Use Read-only Domain Controllers to scale better • Whitepaper: Using Windows ADFS for Single Sign-On to EC2 http://media.amazonwebservices.com/E C2_ADFS_howto_2.0.pdf
New Security Opportunities Arise on AWS Issue
Opportunity
Spending too much time troubleshooting issues?
Throw it away and just replace it.
Found questionable log entries?
Launch an EMR job and find correlating events.
Tired of patching?
Use minimal OS and introduce puppet/chef/etc... Create new AMIs and launch replacements.
High risk site in your datacenter?
Move it to AWS and reduce threat vectors to other applications.
Security Belongs In Every Layer
Using AWS Account Isolation to Protect Resources • Environment – development, test, integration, performance, production
• • • •
Major system Line of business / function Customer Risk level
Consolidated Billing lets you bring it all together under one bill!
Leverage Multiple Layers of Defense Feature
Standard EC2
Virtual Private Cloud
Security Groups
Inbound
Inbound and Outbound
Network ACLs
n/a
Inbound and Outbound
Operating System firewalls
Use as-is
Use as-is
Border firewall
Manual configuration*
NAT Instance
VPN
Manual configuration*
VPN Gateway
Bastion Host
Enforce via Security Groups
Enforce via Security Groups or Network ACLs
IDS
HIDS*
HIDS* & NAT Instance
* Third-party tools / solutions
Public EC2 Multi-tier Security Group Approach Web Tier
Application & Bastion Tier
ssh
ssh
Database Tier
Ports 80 and 443 only open to the Internet
Engineering staff have ssh
Amazon EC2 Security Group Firewall
Sync with on-premises database
All other Internet ports blocked by default
You may still need to patch! • Most traditional tools will work • Emerging options – – – –
puppet (www.puppetlabs.com) chef (www.opscode.com/chef/) fabric/cuisine (www.fabfile.org) capistrano (https://github.com/capistrano/capistrano/wiki)
Monitoring Tools • Cloud Watch (now with console!) • Application Monitoring – Cacti – CloudWatch User Metrics
• Instance Monitoring – CloudWatch – Nagios • Nagios CloudWatch plugin https://github.com/j3tm0t0/check_cloudwatch
Approaches to Log Management • Distributed Approach – Highly scalable, but not always real-time – Instance-based (push to S3) – Facebook’s Scribe
• Centralized Approach – Real-time, but not highly scalable – syslog – Windows Event Logging Service
• Analytics – Custom EMR jobs – Splunk (www.splunk.com)
Example Application www.example.com DNS (Route 53) ELB
Auto-scaling group : Web Tier
Web Server
Web Server
SLB
App Server
Auto-scaling group : Web Tier
Web Server
Web Server
SLB
App Server Tomcat
App Server
App Server Tomcat
Auto-scaling group : App Tier
Auto-scaling group : App Tier
RDS Master
RDS Slave
Availability Zone #1
Availability Zone #2
Availability Zone #n
Cloud Front
S3
Example: Build Security into Every Layer www.example.com DNS (Route 53)
HA Architecture ELB
Security Characteristics: - Route 53 (highly scalable DNS) - Autoscaling Groups - Security Groups - ELB Security Group - OS Firewalls (on Instances) - RDS - DB Security Groups - backup window - snapshots - multi-AZ - CloudFront - Private Distribution - pre-signed URLs - S3 Bucket Policies - private bucket
Auto-scaling group : Web Tier
Web Server
Web Server
SLB
App Server
Auto-scaling group : Web Tier
Web Server
Web Server
SLB
App Server Tomcat
App Server
App Server Tomcat
Auto-scaling group : App Tier
Auto-scaling group : App Tier
RDS Master
RDS Slave
Availability Zone #1
Availability Zone #2
Availability Zone #n
Cloud Front
S3
Thank You! • More reading: – Security Center: http://aws.amazon.com/security
