Standard AWS Security by area for DevOps and beyond

DevOps

AWS Platform

Tools from AWS Security White Paper

Comments

Deploy

Operate

 

(DevOps)

 

 

SSL, CLI, RDP, API,

Console,

 

 

HSM

Keys

IAM roles

Tagging

Snapshots

CloudFormation

 

Use Best Practices Templates from other projects

 

 

Manage

 

(DevOps & Post DevOps)

 

 

 

IAM

Keys

AMI process (2nd page)

STS

Roles

Groups

SAML 2.0

Web Identities

Password policies

Access Policies

 

Standard Patterns

AMI build & patch

Monitor

Logs & Audit

(Post DevOps)

AWS tools

3rd party plug-ins

 

CloudTrail (api)

CloudWatch (resources)

Trust Advisor

Application-DB-OS logs

 

Integrated with Splunk, Perhaps PAM

 

Instance

 

(DevOps)

Keys

AMIs (2nd page)

Trend Micro

Scanning

Elastic Beanstalk rolling patching

SSH Keys

Server Certificates

Bastion Host

NATs/Security Groups

Autoscaling

Instance scanning with TM

 

PAM?

EB referenced in BAFO

Principle of Least Privilege

 

Database

 

(DevOps)

Encryption

RDS patching

IAM roles

SSL/TSL

Data encryption

EBS encryption

 

In Patterns

RDS

 

(DevOps)

Cryptographic functions: encryption, hashing, compression

 

Oracle Transparent Data Encryption

MSDN Link for SQL crypto.

 

AWS RDS for Oracle BYOB encryption

 

 

 

Add to patterns

Storage, Content

 

(DevOps)

IAM & Policies

SSL

S3 bucket policies

MFA

Encryption

Lifecycle Object Management

Object Metadata

Tags

Signed URLs (web content)

 

Per Application

Network

 

(Part of setup)

 

Direct Connect

VPN

Gateways

ELBS, ALBs

Security Groups

ACLs

Routing Tables

Subnets

SSL

Route 53 f/over

Design Patterns

 

AWS Security WhitePaper related to DevOps –LINK

 

The below key processes need to be written out and identified with AMS.  Assumption is that AMS security is similar to AWS general-platform security. 

 

The following are quotes taken directly from the AWS Security Best Practices 2016 White Paper.

 

p. 40 Pre-built AMIs

 

You can build and test a pre-configured AMI to meet your security requirements.

 

Recommendations include:

• Disable root API access keys and secret key

• Restrict access to instances from limited IP ranges using Security Groups

• Password protect the .pem file on user machines

• Delete keys from the authorized_keys file on your instances when someone leaves your organization or no longer requires access

• Rotate credentials (DB, Access Keys)

• Regularly run least privilege checks using IAM user Access Advisor and IAM user Last Used Access Keys

• Use bastion hosts to enforce control and visibility

 

p. 43 Bootstrapping

After the hardened AMI is instantiated, can edit and update security controls by using bootstrapping applications.

 

Common bootstrapping applications include Puppet, Chef, Capistrano, Cloud-Init and Cfn-Init.

You can also run custom bootstrapping Bash or Microsoft Windows PowerShell scripts without using third-party tools.

 

Here are a few bootstrap actions to consider:

• Security software updates install the latest patches, service packs, and critical updates beyond the patch level of the AMI.

• Initial application patches install application level updates, beyond the current application level build as captured in the AMI.

• Contextual data and configuration enables instances to apply configurations specific to the environment in which they are being launched–production, test, or DMZ/internal, for example

• Register instances with remote security monitoring and management systems.

 

p. 43 Managing Patches

We recommend that you institutionalize patch management and maintain a written procedure.

 

While you can use third-party patch management systems for operating systems and major applications, it is a good practice to keep an inventory of all software and system components, and to compare the list of security patches installed

 

Resources:

Tutorial on how to securely share and use public AMIs: http://aws.amazon.com/articles/0155828273219400

AWS Security Centre Resources:  https://aws.amazon.com/security/security-resources/