
AWS Startup Security Baseline:
Secure your Accounts and Workloads in the Cloud

© 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Once we have our product finished, then we will worry about security.

Anonymous startup CTO

Introducing the AWS Startup Security Baseline

• Getting started on the right track

• Starting with a secure foundation

• Specially designed for early-stage startups

AWS Shared Responsibility Model

[Diagram: the customer is responsible for security in the cloud: customer data; platform, applications, identity, and access management; operating system, network, and firewall configuration; client-side data encryption and data-integrity authentication; server-side encryption (file system and/or data); network traffic protection (encryption/integrity/identity). AWS is responsible for security of the cloud: compute, storage, database, and networking, and the AWS global infrastructure of Regions, Availability Zones, and edge locations.]

Who can access what

[Diagram: Who (developers and applications) can access (permissions) what (resources)]

Access in AWS

Access control. Your job: specify. AWS’s job: enforce.

The goal

Adhere to the principle of least privilege (POLP): grant users and systems the narrowest set of privileges to complete required tasks.

Goals

• Room to innovate
• Agility to move fast
• Freedom for builders
• Dangerous action prevention
• Accountable security posture
• Cost-effective solutions

Agenda

Securing your account

Securing your workload

Security growth model

Q&A

Securing your account

Setting account-level contacts

$ aws account put-alternate-contact \
    --account-id 111122223333 \
    --alternate-contact-type=SECURITY \
    --email-address=security-contact@example.com \
    --phone-number="+1(555)555-5555" \
    --title="Security Contact" \
    --name="Mary Major"

Pro tips

1. Use a company domain to register your accounts

2. Use email distribution lists for the account contacts

Use of the root user

1. Secure it
• Strong password
• Multi-factor authentication (MFA)
• Remove access keys

2. Avoid it
• Set up IAM users and groups
• Set up a password policy
• Use MFA for IAM users

Pro tip

Use a password manager to create and store a strong password/MFA token for the root account

Configure console access
1. Have an IAM user for each human that accesses AWS
2. Don’t share credentials
3. Require MFA for all
4. Grant access to IAM groups, not users

[Diagram: a shared “Developers” IAM user versus a “Developers” IAM group, or AWS Single Sign-On]

Enforce a password policy

1. Minimum length

2. Varied characters

3. Expiration

IAM console → Account Settings → Password Policy → Change Password Policy

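The two slides above give a checklist; the script below is an added example (not from the deck) that turns the root-user items into a check against the JSON that `aws iam get-account-summary` returns and applies a password policy with a minimum length, varied characters and expiration. It assumes AWS CLI v2; the length and age values are this example's choices, not the deck's.

```shell
#!/bin/sh
# Added example: verify root-user hardening and enforce a password policy.
# AWS_CLI is overridable (e.g. AWS_CLI=echo) to dry-run the commands.
AWS_CLI="${AWS_CLI:-aws}"

# Extract a numeric field from the `aws iam get-account-summary` JSON
# (SummaryMap keys such as AccountMFAEnabled). Prints "" if absent.
summary_field() {
    printf '%s\n' "$1" | sed -n "s/.*\"$2\": *\([0-9][0-9]*\).*/\1/p" | head -n 1
}

# Returns 0 when the root user has MFA enabled and owns no access keys.
# Usage: root_hardening_ok "$(aws iam get-account-summary)"
root_hardening_ok() {
    mfa=$(summary_field "$1" AccountMFAEnabled)
    keys=$(summary_field "$1" AccountAccessKeysPresent)
    [ "$mfa" = "1" ] && [ "$keys" = "0" ]
}

# Minimum length, varied characters and expiration, as the slide lists;
# the specific numbers are this example's choices.
apply_password_policy() {
    "$AWS_CLI" iam update-account-password-policy \
        --minimum-password-length 14 \
        --require-uppercase-characters --require-lowercase-characters \
        --require-numbers --require-symbols \
        --max-password-age 90 \
        --password-reuse-prevention 24
}

# Constructed sample summary: root has MFA but still owns an access key.
SAMPLE_SUMMARY='{"SummaryMap": {"AccountMFAEnabled": 1, "AccountAccessKeysPresent": 1, "Users": 3}}'

if root_hardening_ok "$SAMPLE_SUMMARY"; then
    echo "root user: MFA on, no access keys"
else
    echo "root user: needs attention (MFA and/or access keys)"
fi
```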
Logging events

1. Create a new AWS CloudTrail trail

2. Secure the Amazon S3 bucket

CloudTrail → Create Trail

Pro tip: CloudTrail

[Diagram: CloudTrail for non-production environments versus production environments]

Prevent public access to private S3 buckets

• Four security settings

• Applicable at the account level or on individual buckets

• AWS Organizations SCPs to prevent settings changes

Prevent public access to private S3 buckets

S3 → Block Public Access settings for this account → Edit

Pro tip

“Authenticated users group” = All authenticated AWS users, not just users in your AWS account!

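The following is an added example (not the deck's own code) for the Block Public Access slides above: it checks the four settings in the JSON that `aws s3control get-public-access-block` returns, turns them all on at the account level, and emits the kind of SCP the slide mentions for preventing changes. It assumes AWS CLI v2; the admin role name passed to the SCP function is a placeholder.

```shell
#!/bin/sh
# Added example: account-level S3 Block Public Access, verified and locked down.
AWS_CLI="${AWS_CLI:-aws}"   # overridable so the commands can be dry-run with echo
BPA_SETTINGS="BlockPublicAcls IgnorePublicAcls BlockPublicPolicy RestrictPublicBuckets"

# Read one boolean from the JSON that get-public-access-block returns.
bpa_field() {
    printf '%s\n' "$1" | sed -n "s/.*\"$2\": *\([a-z]*\).*/\1/p" | head -n 1
}

# Returns 0 only when all four settings are true; prints those that are not.
# Usage: bpa_ok "$(aws s3control get-public-access-block --account-id 111122223333)"
bpa_ok() {
    rc=0
    for s in $BPA_SETTINGS; do
        if [ "$(bpa_field "$1" "$s")" != "true" ]; then
            echo "not enforced: $s"
            rc=1
        fi
    done
    return $rc
}

# Turn all four on for the whole account (covers existing and future buckets).
enable_account_bpa() {
    "$AWS_CLI" s3control put-public-access-block --account-id "$1" \
        --public-access-block-configuration \
        BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true
}

# SCP that denies changing the account-level setting to everyone except a
# named admin role ($1 is a placeholder role name for this example).
bpa_lockdown_scp() {
    cat <<EOF
{"Version": "2012-10-17", "Statement": [{
  "Sid": "DenyAccountBPAChanges", "Effect": "Deny",
  "Action": "s3:PutAccountPublicAccessBlock", "Resource": "*",
  "Condition": {"StringNotLike": {"aws:PrincipalArn": "arn:aws:iam::*:role/$1"}}
}]}
EOF
}

# Constructed sample: one of the four settings left off.
SAMPLE_BPA='{"PublicAccessBlockConfiguration": {"BlockPublicAcls": true, "IgnorePublicAcls": true, "BlockPublicPolicy": false, "RestrictPublicBuckets": true}}'
bpa_ok "$SAMPLE_BPA" || echo "account needs: enable_account_bpa <account-id>"
```

The SCP is attached with AWS Organizations to the OU holding the account, so a compromised or careless principal inside the account cannot re-open public access.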
Delete unused resources

1. If you don’t need it, remove it

2. Avoid using the default VPC

3. Use EC2 Global View

Set up AWS Budgets

Pro tip
Turn on AWS Cost Anomaly Detection

AWS Cost Explorer → Cost Anomaly Detection

Amazon GuardDuty

[Diagram: Amazon Route 53 Resolver logs, Amazon VPC Flow Logs, and AWS CloudTrail events feed Amazon GuardDuty]

Amazon GuardDuty continuously monitors DNS logs, network traffic, and CloudTrail events for malicious activity

How does Amazon GuardDuty work?

[Diagram]
Data sources: Amazon VPC Flow Logs, DNS logs, CloudTrail events, S3 data plane events, Amazon EKS control plane logs
Threat detection types: threat intelligence; anomaly detection (ML)
Finding types (examples): Bitcoin mining and C&C activity; unusual user behavior (example: launch instance, change network permissions); unusual traffic patterns (example: unusual ports and volume)
Findings: severity HIGH, MEDIUM or LOW; consumed by Amazon Detective, AWS Security Hub, and CloudWatch events (alert, remediate, partner solutions, send to SIEM)

Pro tips

Script to turn on GuardDuty in all the Regions:

1. Turn on GuardDuty in all the AWS Regions

2. Turn on protection for Amazon S3 and Amazon EKS

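An added example of such a script (not the deck's own): for every Region the account can use, it creates a GuardDuty detector if none exists, otherwise updates the existing one, and in both cases enables S3 and EKS audit-log protection. It assumes AWS CLI v2 with the 2022-era `--data-sources` form of `create-detector`/`update-detector`; `AWS_CLI` is overridable so the loop can be dry-run with a stub.

```shell
#!/bin/sh
# Added example: enable GuardDuty with S3 + EKS protection in all Regions.
AWS_CLI="${AWS_CLI:-aws}"
PROTECTION='{"S3Logs":{"Enable":true},"Kubernetes":{"AuditLogs":{"Enable":true}}}'

# First detector ID in a Region, or "" when GuardDuty is not enabled there
# (text output prints "None" for an empty list).
existing_detector() {
    "$AWS_CLI" guardduty list-detectors --region "$1" --output text --query 'DetectorIds[0]' \
        | sed -n '/^None$/!p' | head -n 1
}

# Ensure one enabled detector with S3 + EKS protection; prints "<region> <action> <id>".
enable_guardduty_in_region() {
    region=$1
    id=$(existing_detector "$region")
    if [ -z "$id" ]; then
        id=$("$AWS_CLI" guardduty create-detector --enable --region "$region" \
                --finding-publishing-frequency FIFTEEN_MINUTES \
                --data-sources "$PROTECTION" --output text --query DetectorId)
        echo "$region created $id"
    else
        "$AWS_CLI" guardduty update-detector --region "$region" --detector-id "$id" \
            --enable --data-sources "$PROTECTION" >/dev/null
        echo "$region updated $id"
    fi
}

# Every Region enabled for this account (opt-in Regions not yet enabled are absent).
enable_guardduty_everywhere() {
    for r in $("$AWS_CLI" ec2 describe-regions --output text --query 'Regions[].RegionName'); do
        enable_guardduty_in_region "$r"
    done
}

if [ "${1:-}" = "--run" ]; then
    enable_guardduty_everywhere
fi
```

Run it as `sh enable-guardduty.sh --run` with credentials that hold `guardduty:*` and `ec2:DescribeRegions`; re-running is safe because existing detectors are only updated.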
Monitor high-risk issues with AWS Trusted Advisor

Securing your workload

Use IAM roles for permissions

[Diagram: top, Amazon EC2 holding a long-term security credential and a user policy to reach Amazon S3; bottom, Amazon EC2 assuming a role and using a temporary security credential with an Amazon S3 policy to reach Amazon S3]

Pro tip

Use separate accounts for separate environments

[Diagram: a senior engineer (group) mapped to a development AWS account, a tester (role) to a staging AWS account, and an engineer (role) to a production AWS account]

Use ephemeral secrets

AWS Secrets Manager → Secrets → Store a new secret

Detect and remediate exposed secrets

Amazon CodeGuru → Associate repository and run analysis

Deploy private resources in private subnets

[Diagram: AWS Cloud, production VPC spanning two Availability Zones; an Internet gateway and an Application Load Balancer front the public subnets, each of which holds a NAT gateway; the private subnets hold the Amazon EC2 workload in an Auto Scaling group and the Amazon RDS primary instance and read replica; users arrive via Amazon Route 53; AWS Config, AWS CloudTrail, Amazon CloudWatch and Amazon S3 are the supporting services]

Use AWS Systems Manager instead of SSH or RDP

[Diagram: the dev team is authenticated and authorized through IAM from the AWS CLI or AWS Management Console, reaches AWS Systems Manager Session Manager over the Internet, and connects through SSM endpoints in the VPC to the Amazon EC2 workload and the Amazon RDS instance in a private subnet; session audit logs go to Amazon CloudWatch logs and an Amazon S3 bucket]

Log data events for select Amazon S3 buckets

AWS CloudTrail → Trails → Create trail

Pro tip

Use GuardDuty to monitor anomalous S3 activity

Amazon.com CTO Werner Vogels

Encrypt Amazon EBS volumes

Amazon EC2 → Launch instance → Storage (volumes) → Advanced

Encrypt Amazon RDS databases

Amazon RDS → Create a database → Additional configuration

Use security groups to restrict access

Amazon EC2 → Launch instance

Use VPC endpoints to access services

[Diagram: left, instances in private subnets reach Amazon CloudWatch, Amazon Kinesis, Amazon SQS, Amazon S3 and Amazon DynamoDB through a NAT gateway, an Internet gateway and the Internet; right, the same instances reach them through VPC endpoints (interface endpoints, and a gateway endpoint for Amazon S3 and Amazon DynamoDB) without traversing the Internet]

Require HTTPS for all public web endpoints

Step-by-step guidance on how to enable HTTPS on public endpoints

[Diagram: SSL/TLS certificates from AWS Certificate Manager (ACM) on Amazon CloudFront, Elastic Load Balancing, AWS Amplify and Amazon API Gateway]

Use edge protection services

[Diagram: Internet traffic passes through AWS WAF (rules and managed rules) in front of Amazon CloudFront, an Application Load Balancer, Amazon API Gateway and AWS AppSync]

Security as code (SaC)

[Diagram: security services and tooling (Amazon GuardDuty, Amazon Inspector, Amazon Macie, AWS Firewall Manager, AWS Identity and Access Management (IAM), AWS Security Hub) are defined in infrastructure as code (IaC) templates (AWS CloudFormation, AWS Cloud Development Kit (AWS CDK)) and deployed to the dev, staging and prod accounts]

Security growth model

AWS foundational and layered security services

[Diagram, built up over five slides, grouping services by function:
Identify: AWS Organizations, AWS Security Hub, AWS Config, AWS Trusted Advisor, AWS Systems Manager, AWS Control Tower
Protect: AWS Shield, AWS Certificate Manager, AWS KMS, AWS Network Firewall, AWS WAF, AWS Firewall Manager, AWS CloudHSM, AWS Secrets Manager, Amazon Cloud Directory, IAM, AWS Transit Gateway, Amazon VPC, AWS Single Sign-On, AWS Directory Service, Amazon VPC PrivateLink, AWS Direct Connect, Amazon Cognito
Detect: Amazon GuardDuty, Amazon Macie, Amazon Inspector, AWS Security Hub
Respond (automate): Amazon CloudWatch, AWS Step Functions, AWS Systems Manager, AWS Lambda; (investigate): Amazon Detective, AWS CloudTrail
Recover: AWS CDK, AWS CloudFormation, Amazon S3 Glacier, AWS Elastic Disaster Recovery, snapshots, archives]

AWS SRA

AWS Security Reference Architecture (SRA) whitepaper

Following the AWS Startup Security Baseline, we enabled Amazon GuardDuty in our account and it detected outside IPs trying to access our servers via Secure Shell (SSH). We removed port 22 (SSH) from all of our security groups and switched to using AWS Systems Manager to access our EC2 instances now.

With these changes, we no longer see attempts being made by these external actors. This is just the first big benefit we received from following the recommendations in the guide!

Bob Lee III
Co-Founder & CTO | ConnectCareHero

Summary

AWS Startup Security Baseline

AWS Security Reference Architecture

Thank you!
