Standard AWS Security by area for DevOps and beyond
| DevOps | AWS Platform | Tools from AWS Security White Paper | Comments |
|---|---|---|---|
| Deploy / Operate (DevOps) | SSL, CLI, RDP, API, Console | HSM, Keys, IAM roles, Tagging, Snapshots, CloudFormation | Use best-practice templates from other projects |
| Manage (DevOps & post-DevOps) | IAM, Keys, AMI process (2nd page) | STS, Roles, Groups, SAML 2.0, Web Identities, Password policies, Access Policies | Standard patterns: AMI build & patch |
| Monitor, Logs & Audit (post-DevOps) | AWS tools, 3rd-party plug-ins | CloudTrail (API), CloudWatch (resources), Trusted Advisor, Application/DB/OS logs | Integrated with Splunk; perhaps PAM |
| Instance (DevOps) | Keys, AMIs (2nd page), Trend Micro scanning | Elastic Beanstalk rolling patching, SSH keys, Server certificates, Bastion host, NATs/Security Groups, Autoscaling, Instance scanning with TM | PAM? Principle of least privilege |
| Database (DevOps) | Encryption, RDS patching, IAM roles | SSL/TLS, Data encryption, EBS encryption | In patterns |
| RDS (DevOps) | Cryptographic functions: encryption, hashing, compression; Oracle Transparent Data Encryption | MSDN link for SQL crypto; AWS RDS for Oracle BYOB encryption | Add to patterns |
| Storage, Content (DevOps) | IAM & Policies, SSL | S3 bucket policies, MFA, Encryption, Lifecycle, Object management, Object metadata, Tags, Signed URLs (web content) | Per application |
| Network (part of setup) | Direct Connect, VPN | Gateways, ELBs, ALBs, Security Groups, ACLs, Routing tables, Subnets, SSL, Route 53 failover | Design patterns |
AWS Security White Paper related to DevOps: LINK
The key processes below need to be written out and identified with AMS. The assumption is that AMS security is similar to general AWS platform security.
The following are quotes taken directly from the AWS Security Best Practices 2016 White Paper.
1. p. 40 Pre-built AMIs
You can build and test a pre-configured AMI to meet your security requirements.
Recommendations include:
- Disable root API access keys and secret key
- Restrict access to instances from limited IP ranges using Security Groups
- Password protect the .pem file on user machines
- Delete keys from the authorized_keys file on your instances when someone leaves your organization or no longer requires access
- Rotate credentials (DB, Access Keys)
- Regularly run least privilege checks using IAM user Access Advisor and IAM user Last Used Access Keys
- Use bastion hosts to enforce control and visibility
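The "disable root API access keys", "rotate credentials" and "last used access keys" items above, worked as an added example that is not from the white paper or any AWS tool: a stale-credential audit over constructed IAM key records. The 90-day thresholds are an assumed policy, and the `collect_access_keys` helper (real boto3 IAM calls) is an assumed way to gather the same records from a live account; a root-account key would instead be taken from the IAM credential report, where the user is listed as `<root_account>`.

```python
from datetime import datetime, timedelta, timezone

# Rotation policy assumed for this example (not from the white paper): flag
# keys older than 90 days, active keys idle 90 days or never used, root keys.
MAX_KEY_AGE_DAYS = MAX_IDLE_DAYS = 90
ROOT_USER = "<root_account>"  # name IAM's credential report gives the root user

def audit_access_keys(keys, now):
    """Return (user, key id, reasons) for each key violating the policy.
    Records mirror IAM ListAccessKeys/GetAccessKeyLastUsed fields: UserName,
    AccessKeyId, Status, CreateDate, LastUsedDate (None if never used)."""
    findings = []
    for k in keys:
        reasons, last = [], k.get("LastUsedDate")
        age_days = (now - k["CreateDate"]).days
        if k["UserName"] == ROOT_USER:
            reasons.append("root account access key present; delete it")
        if k["Status"] == "Active" and last is None:
            reasons.append("active key has never been used")
        elif k["Status"] == "Active" and (now - last).days > MAX_IDLE_DAYS:
            reasons.append(f"unused for {(now - last).days} days")
        if age_days > MAX_KEY_AGE_DAYS:
            reasons.append(f"key is {age_days} days old; rotate or delete")
        if reasons:
            findings.append((k["UserName"], k["AccessKeyId"], reasons))
    return findings

def collect_access_keys(iam):
    """Build the same records from a live account via a boto3 IAM client
    (real boto3 calls; not exercised by the offline sample below)."""
    records = []
    for page in iam.get_paginator("list_users").paginate():
        for user in page["Users"]:
            for md in iam.list_access_keys(UserName=user["UserName"])["AccessKeyMetadata"]:
                used = iam.get_access_key_last_used(AccessKeyId=md["AccessKeyId"])
                records.append({**md, "LastUsedDate": used["AccessKeyLastUsed"].get("LastUsedDate")})
    return records

NOW = datetime(2016, 9, 1, tzinfo=timezone.utc)  # constructed reference date
SAMPLE_KEYS = [  # constructed sample records, not real credentials
    {"UserName": "deploy-bot", "AccessKeyId": "AKIAEXAMPLE0000000001", "Status": "Active",
     "CreateDate": NOW - timedelta(days=30), "LastUsedDate": NOW - timedelta(days=1)},
    {"UserName": "alice", "AccessKeyId": "AKIAEXAMPLE0000000002", "Status": "Active",
     "CreateDate": NOW - timedelta(days=200), "LastUsedDate": NOW - timedelta(days=120)},
    {"UserName": "bob", "AccessKeyId": "AKIAEXAMPLE0000000003", "Status": "Active",
     "CreateDate": NOW - timedelta(days=10), "LastUsedDate": None},
    {"UserName": ROOT_USER, "AccessKeyId": "AKIAEXAMPLE0000000004", "Status": "Active",
     "CreateDate": NOW - timedelta(days=400), "LastUsedDate": NOW - timedelta(days=5)},
]
RESULT = audit_access_keys(SAMPLE_KEYS, NOW)  # three of the four sample keys are flagged
```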
2. p. 43 Bootstrapping
- After the hardened AMI is instantiated, you can edit and update security controls by using bootstrapping applications.
- Common bootstrapping applications include Puppet, Chef, Capistrano, Cloud-Init and Cfn-Init.
- You can also run custom bootstrapping Bash or Microsoft Windows PowerShell scripts without using third-party tools.
Here are a few bootstrap actions to consider:
- Security software updates install the latest patches, service packs, and critical updates beyond the patch level of the AMI.
- Initial application patches install application level updates, beyond the current application level build as captured in the AMI.
- Contextual data and configuration enable instances to apply configurations specific to the environment in which they are being launched (production, test, or DMZ/internal, for example).
- Register instances with remote security monitoring and management systems.
3. p. 43 Managing Patches
We recommend that you institutionalize patch management and maintain a written procedure.
While you can use third-party patch management systems for operating systems and major applications, it is a good practice to keep an inventory of all software and system components, and to compare the list of security patches installed
Resources:
Tutorial on how to securely share and use public AMIs: http://aws.amazon.com/articles/0155828273219400
AWS Security Centre Resources: https://aws.amazon.com/security/security-resources/