Standard AWS Security by area for DevOps and beyond
| DevOps | AWS Platform | Tools from AWS Security White Paper | Comments |
|---|---|---|---|
| Deploy, Operate (DevOps) | SSL, CLI, RDP, API, Console | HSM Keys, IAM roles, Tagging, Snapshots, CloudFormation | Use Best Practices Templates from other projects |
| Manage (DevOps & Post DevOps) | IAM Keys, AMI process (2nd page) | STS, Roles, Groups, SAML 2.0, Web Identities, Password policies, Access Policies | Standard Patterns: AMI build & patch |
| Monitor, Logs & Audit (Post DevOps) | AWS tools, 3rd-party plug-ins | CloudTrail (API), CloudWatch (resources), Trusted Advisor, Application/DB/OS logs | Integrated with Splunk; perhaps PAM |
| Instance (DevOps) | Keys, AMIs (2nd page), Trend Micro Scanning | Elastic Beanstalk rolling patching, SSH Keys, Server Certificates, Bastion Host, NATs/Security Groups, Autoscaling, Instance scanning with TM | PAM? EB referenced in BAFO; Principle of Least Privilege |
| Database (DevOps) | Encryption, RDS patching, IAM roles | SSL/TLS, Data encryption, EBS encryption | In Patterns |
| RDS (DevOps) | Cryptographic functions: encryption, hashing, compression; Oracle Transparent Data Encryption | MSDN link for SQL crypto; AWS RDS for Oracle BYOB encryption | Add to patterns |
| Storage, Content (DevOps) | IAM & Policies, SSL | S3 bucket policies, MFA, Encryption, Lifecycle, Object Management, Object Metadata, Tags, Signed URLs (web content) | Per Application |
| Network (Part of setup) | Direct Connect, VPN | Gateways, ELBs, ALBs, Security Groups, ACLs, Routing Tables, Subnets, SSL, Route 53 failover | Design Patterns |
AWS Security White Paper related to DevOps – LINK
The key processes below need to be written out and identified with AMS. The assumption is that AMS security is similar to AWS general-platform security.
The following are quotes taken directly from the AWS Security Best Practices (2016) white paper.
p. 40 Pre-built AMIs
You can build and test a pre-configured AMI to meet your security requirements.
Recommendations include:
• Disable root API access keys and secret key
• Restrict access to instances from limited IP ranges using Security Groups
• Password protect the .pem file on user machines
• Delete keys from the authorized_keys file on your instances when someone leaves your organization or no longer requires access
• Rotate credentials (DB, Access Keys)
• Regularly run least privilege checks using IAM user Access Advisor and IAM user Last Used Access Keys
• Use bastion hosts to enforce control and visibility
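The "delete keys from the authorized_keys file when someone leaves" recommendation is easy to state and easy to get wrong by hand. As an added example (not code from the white paper or from the page above), here is a Bash function that does it as an idempotent, auditable job: it keeps only key lines whose comment field matches an allowlist of current users, drops unparseable lines and keys with no owner comment, keeps a backup when editing in place, writes the result with mode 0600, and reports how many keys were removed. The allowlist format (one key comment such as `alice@laptop` per line) and the sample key lines in the usage note are constructed for this example.

```shell
#!/usr/bin/env bash
# Added example: prune an instance's authorized_keys against an allowlist of current users.
# Usage: prune_authorized_keys <allowlist> <authorized_keys> [<output>]
#   allowlist        one approved key comment per line, e.g. "alice@laptop" (constructed format)
#   authorized_keys  file to prune; rewritten in place (with a .bak copy) unless <output> is given
# Prints the number of removed key lines on stdout.
set -eu

prune_authorized_keys() {
  allow="$1"
  keys="$2"
  out="${3:-$2}"
  tmp="$(mktemp)"

  removed="$(awk -v allowfile="$allow" -v out="$tmp" '
    BEGIN {
      while ((getline l < allowfile) > 0) if (l != "") ok[l] = 1
      close(allowfile)
      printf "" > out                      # create the output even if nothing is kept
    }
    /^[[:space:]]*(#|$)/ { print > out; next }   # keep comments and blank lines verbatim
    {
      # Locate the key type; an options prefix (from=, command=, ...) may precede it.
      idx = 0
      for (i = 1; i <= NF; i++) if ($i ~ /^(ssh-|ecdsa-sha2-|sk-)/) { idx = i; break }
      if (idx == 0 || idx + 1 > NF) { removed++; next }   # not a parseable key line: drop it
      # Everything after the key material is the comment (owner); rejoin it if it had spaces.
      comment = ""
      for (i = idx + 2; i <= NF; i++) comment = comment (i > idx + 2 ? " " : "") $i
      if (comment in ok) print > out; else removed++      # no comment or unknown owner: drop
    }
    END { print removed + 0 }
  ' "$keys")"

  if [ "$out" = "$keys" ]; then
    cp -p "$keys" "$keys.bak"              # keep a backup when editing in place
  fi
  chmod 0600 "$tmp"
  mv "$tmp" "$out"
  echo "$removed"
}
```

Typical use on an instance is `prune_authorized_keys /etc/ssh/allowed_users ~ec2-user/.ssh/authorized_keys`, run from the same configuration-management pass that distributes the allowlist, so the allowlist (not the instance) is the source of truth for who still has access.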
p. 43 Bootstrapping
After the hardened AMI is instantiated, you can edit and update security controls by using bootstrapping applications.
Common bootstrapping applications include Puppet, Chef, Capistrano, Cloud-Init and Cfn-Init.
You can also run custom bootstrapping Bash or Microsoft Windows PowerShell scripts without using third-party tools.
Here are a few bootstrap actions to consider:
• Security software updates install the latest patches, service packs, and critical updates beyond the patch level of the AMI.
• Initial application patches install application level updates, beyond the current application level build as captured in the AMI.
• Contextual data and configuration enables instances to apply configurations specific to the environment in which they are being launched: production, test, or DMZ/internal, for example.
• Register instances with remote security monitoring and management systems.
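The bootstrap actions listed above, as an added example in Bash (not code from AWS or from the page): a user-data skeleton that applies security updates with whichever package manager the AMI carries, renders an environment-specific sshd drop-in that fails closed when the environment name is unknown, and registers the instance with a monitoring endpoint using its IMDSv2-fetched instance id. The `ENVIRONMENT` variable (in practice populated from an instance tag), the `MONITOR_ENDPOINT` URL, the drop-in file name and the per-environment sshd settings are assumptions for this example; the `BOOTSTRAP_RUN` guard keeps the system-changing steps from running when the file is merely sourced.

```shell
#!/usr/bin/env bash
# Added example: user-data bootstrap for an instance launched from a hardened AMI.
# Assumptions: ENVIRONMENT is set to production|test|dmz (e.g. from an instance tag);
# MONITOR_ENDPOINT and the 50-bootstrap.conf drop-in name are placeholders.
set -eu

# 1. Security software updates: use the package manager the AMI actually has.
apply_security_updates() {
  if command -v yum >/dev/null 2>&1; then
    yum -y update --security
  elif command -v apt-get >/dev/null 2>&1; then
    apt-get -qq update && DEBIAN_FRONTEND=noninteractive apt-get -y -qq upgrade
  else
    echo "no supported package manager found" >&2
    return 1
  fi
}

# 2. Contextual configuration: the environment selects the sshd policy (constructed values).
#    An unknown environment is an error, not a default: fail closed.
sshd_dropin_for_env() {
  case "$1" in
    production|dmz)
      printf 'PasswordAuthentication no\nPermitRootLogin no\nLogLevel VERBOSE\nAllowTcpForwarding no\n' ;;
    test)
      printf 'PasswordAuthentication no\nPermitRootLogin no\nLogLevel INFO\nAllowTcpForwarding yes\n' ;;
    *)
      echo "refusing to configure unknown environment '$1'" >&2
      return 1 ;;
  esac
}

# Render the drop-in into <dir> (default /etc/ssh/sshd_config.d) with mode 0600; prints its path.
write_sshd_dropin() {
  env="$1"
  dir="${2:-/etc/ssh/sshd_config.d}"
  content="$(sshd_dropin_for_env "$env")" || return 1
  mkdir -p "$dir"
  ( umask 077; printf '%s\n' "$content" > "$dir/50-bootstrap.conf" )
  echo "$dir/50-bootstrap.conf"
}

# 3. Register with remote security monitoring. The instance id comes from IMDSv2 (token first).
register_monitoring() {
  env="$1"
  endpoint="${MONITOR_ENDPOINT:-https://monitoring.example.internal/register}"   # placeholder
  token="$(curl -sf -m 2 -X PUT http://169.254.169.254/latest/api/token \
            -H 'X-aws-ec2-metadata-token-ttl-seconds: 60')"
  instance_id="$(curl -sf -m 2 -H "X-aws-ec2-metadata-token: $token" \
            http://169.254.169.254/latest/meta-data/instance-id)"
  curl -sf -m 5 -X POST "$endpoint" -d "instance=$instance_id&environment=$env"
}

main() {
  env="${ENVIRONMENT:?ENVIRONMENT must be set (e.g. from an instance tag)}"
  apply_security_updates
  write_sshd_dropin "$env" >/dev/null
  systemctl reload sshd 2>/dev/null || systemctl reload ssh
  register_monitoring "$env"
}

# Run only as user-data (BOOTSTRAP_RUN=1); sourcing the file just defines the functions.
if [ "${BOOTSTRAP_RUN:-0}" = "1" ]; then
  main
fi
```

The order matters: patch first, then apply configuration, then register, so the monitoring system's first record of the instance already reflects its hardened state. Application-level patches (the second bullet) slot in between steps 1 and 2 using whatever the application's own updater is.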
p. 43 Managing Patches
We recommend that you institutionalize patch management and maintain a written procedure.
While you can use third-party patch management systems for operating systems and major applications, it is a good practice to keep an inventory of all software and system components, and to compare the list of security patches installed
Resources:
Tutorial on how to securely share and use public AMIs: http://aws.amazon.com/articles/0155828273219400
AWS Security Centre Resources: https://aws.amazon.com/security/security-resources/