In this video Ben Potter, security lead for AWS Well-Architected at Amazon Web Services, takes us on a technical tour of AWS security and shares how to continuously evaluate an architecture against best practices.
It is important to understand that improving security is a continuous process. We need to identify our challenges, know our limits, and develop new security services and features. So, Ben presents “AWS – Security best practices the well-architected way.”
He begins at 0:11 by emphasizing that applying what is learned in this session can save our job and the organization. We need to implement what we learn here and also share it back to the community through open source projects.
He provides three key links (listed below) related to AWS Well-Architected:
Introduction: AWS – Well Architected
At 02:04 we get to know the five pillars of Well-Architected: operational excellence, security, reliability, performance efficiency and cost optimization. Talking about the history at 02:40, he tells us that it started in 2012 as a conversation the architects had with customers by asking “Are you well architected?” From the information gathered, they published the framework in 2015, added operational excellence in 2016, APN Partners and lenses in 2017, and self-service and improvement plans in 2018.
The reasons to prefer the AWS Well-Architected Framework, stated at 03:40, are that it lets you build and deploy faster, lower or mitigate risks, make informed decisions, and learn AWS best practices.
Discussing incident response from 07:14, he explains the use of GuardDuty as a starting point: it produces a number of findings, automatically ingests data from its data sources, and gives actionable insights. One can use the free 30-day trial to check how it works.
“The use of GuardDuty can give you more sleep” is Ben’s statement at 8:15, where he explains pairing GuardDuty findings with playbooks, game days and partners. Playbooks, defined at 8:50, are rough guidance on what you should do in certain scenarios. To run a game day, he suggests at 10:10 picking the GuardDuty findings most relevant to you and your workload and running through them. Practicing them as a team will help you mature over time, and making it a game will make everyone enjoy it a lot more.
We learn at 11:55 that instant response is made possible by pre-provisioned access: if you have a security team or individuals who look after security, they already have access, even if only read-only, into all your accounts. If you rang them up, they could immediately respond. He also gives a demo at 12:50 showing an access-denied attempt.
The link for AWS’s new security incident response guide.
AWS Identity & Access Management (IAM)
From 16:22 Ben gives some tips to look out for related to Identity and Access Management. It starts with a federation tip: with an Active Directory, we can use attributes (parameters) on the individual users and restrict access based on those custom attributes.
For more information see: https://aws.amazon.com/identity/federation/
A new feature, permissions boundaries, is introduced at 18:00; it allows you to create administrators. This lets developers work freely without someone pre-provisioning all the roles and managing the policies for them.
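Permissions boundaries are easiest to understand from a concrete policy. The CloudFormation template below is an added example (not code from the talk or from AWS): it creates a boundary policy and a developer policy that may create and manage roles only when that boundary is attached, so developers can self-serve roles while never exceeding the boundary. The policy names, the `app-*` role name prefix and the set of allowed services are assumptions for illustration.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: >-
  Added example - delegate role creation to developers behind a permissions
  boundary. Names, the app-* role prefix and the allowed services are assumed.

Resources:
  # The boundary: the MAXIMUM any developer-created role can ever do.
  # Effective permissions = intersection of the role's own policies and this.
  DeveloperBoundary:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      ManagedPolicyName: DeveloperBoundary
      Description: Ceiling for every role created by a developer
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Sid: WorkloadServices
            Effect: Allow
            Action:
              - s3:*
              - dynamodb:*
              - lambda:*
              - logs:*
            Resource: "*"

  # Attach this to the developer group/role: they become "administrators"
  # for app-* roles, but only if the boundary is set on every role they touch.
  DeveloperRoleAdmin:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      ManagedPolicyName: DeveloperRoleAdmin
      Description: Manage app-* roles only with DeveloperBoundary attached
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Sid: ManageRolesOnlyWithBoundary
            Effect: Allow
            Action:
              - iam:CreateRole
              - iam:AttachRolePolicy
              - iam:DetachRolePolicy
              - iam:PutRolePolicy
              - iam:DeleteRolePolicy
            Resource: !Sub "arn:aws:iam::${AWS::AccountId}:role/app-*"
            Condition:
              StringEquals:
                # Request is denied unless the boundary ARN matches exactly.
                iam:PermissionsBoundary: !Ref DeveloperBoundary
          - Sid: PassOnlyAppRoles
            Effect: Allow
            Action: iam:PassRole
            Resource: !Sub "arn:aws:iam::${AWS::AccountId}:role/app-*"
          - Sid: NeverRemoveTheBoundary
            Effect: Deny
            Action: iam:DeleteRolePermissionsBoundary
            Resource: "*"
          - Sid: NeverEditTheBoundaryPolicy
            Effect: Deny
            Action:
              - iam:CreatePolicyVersion
              - iam:DeletePolicy
              - iam:DeletePolicyVersion
              - iam:SetDefaultPolicyVersion
            Resource: !Ref DeveloperBoundary
```

The two explicit Deny statements are what make the delegation safe: without them a developer could strip the boundary from a role, or edit the boundary policy itself, and escalate past the ceiling.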
At 19:25 we learn about automated credential management, which is used to disable or delete unused access keys, clean up after federation, remind people who hold access keys, remove people who have left the organization, and constantly reduce permissions.
A common customer question, whether a role can assume another role in a different account, is answered at 21:11 using a Lambda function. To significantly improve security when using built-in IAM users, the best practice explained at 22:40 is single sign-on and enforcing MFA.
Secrets Manager is a fairly new service, introduced at 23:44, which allows us to store long-lived credentials such as a database password and automate their rotation. The AWS code services (25:02) allow us to store all the infrastructure and code in different services.
At 25:31 the use of automation is underlined: CloudFormation can turn on all the detective controls for us. How to do so is on the lab link.
The feature of enabling email alerts is highlighted at 26:25. Also, enabling the Config service stores the configuration history of particular items. For more explanation we can visit these links:
He further explains at 27:39 that having a messaging system, in whatever favourite app we want to use, gives everyone visibility; you get immediate insight and the team can take immediate action.
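The “disable unused access keys” part of automated credential management comes down to a simple decision rule over key metadata. The Python below is an added example (not the talk’s code): the rule is written as a pure function so it can be exercised offline on constructed key records; in a real run the records would come from boto3 (`list_access_keys` and `get_access_key_last_used`) and the action would be `update_access_key(Status='Inactive')`. The 90-day idle and 180-day rotation thresholds and the sample users and key IDs are assumptions.

```python
"""Added example: pick IAM access keys to deactivate (stale or overdue for rotation).

In production the records come from boto3, roughly:
    iam.list_access_keys(UserName=u)["AccessKeyMetadata"]
    iam.get_access_key_last_used(AccessKeyId=k)["AccessKeyLastUsed"]
and the action is iam.update_access_key(UserName=u, AccessKeyId=k, Status="Inactive").
Everything below is constructed so the logic runs without AWS access.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional, Tuple

MAX_IDLE_DAYS = 90   # assumed policy: deactivate keys not used for 90 days
MAX_AGE_DAYS = 180   # assumed policy: rotate keys older than 180 days


@dataclass
class AccessKey:
    user: str
    key_id: str
    status: str                  # "Active" or "Inactive", as IAM reports it
    created: datetime
    last_used: Optional[datetime]  # None when IAM reports the key as never used


def keys_to_deactivate(keys: List[AccessKey], now: datetime,
                       max_idle_days: int = MAX_IDLE_DAYS,
                       max_age_days: int = MAX_AGE_DAYS) -> List[Tuple[str, str]]:
    """Return (key_id, reason) for each Active key that is idle too long or too old.

    A never-used key counts as idle since its creation date, so an old key that
    was provisioned and forgotten is caught as well.
    """
    result = []
    for k in keys:
        if k.status != "Active":
            continue  # already disabled; nothing to do
        idle_days = (now - (k.last_used or k.created)).days
        age_days = (now - k.created).days
        if idle_days > max_idle_days:
            result.append((k.key_id, f"unused for {idle_days} days"))
        elif age_days > max_age_days:
            result.append((k.key_id, f"older than {max_age_days} days, rotate"))
    return result


def _d(y: int, m: int, d: int) -> datetime:
    return datetime(y, m, d, tzinfo=timezone.utc)


# Constructed sample data; the key IDs are placeholders, not real AWS keys.
NOW = _d(2019, 6, 1)
SAMPLE_KEYS = [
    AccessKey("alice", "AKIAEXAMPLE0001", "Active", _d(2019, 5, 1), _d(2019, 5, 30)),   # healthy
    AccessKey("bob",   "AKIAEXAMPLE0002", "Active", _d(2019, 1, 1), _d(2019, 2, 1)),    # idle 120 days
    AccessKey("carol", "AKIAEXAMPLE0003", "Active", _d(2018, 10, 1), _d(2019, 5, 31)),  # in use but 243 days old
    AccessKey("dave",  "AKIAEXAMPLE0004", "Inactive", _d(2019, 1, 15), None),            # already disabled
    AccessKey("erin",  "AKIAEXAMPLE0005", "Active", _d(2019, 1, 15), None),              # never used, 137 days
]


def run_sample() -> List[Tuple[str, str]]:
    """Apply the rule to the constructed records."""
    return keys_to_deactivate(SAMPLE_KEYS, NOW)


if __name__ == "__main__":
    for key_id, reason in run_sample():
        print(f"deactivate {key_id}: {reason}")
```

Run against a real account, the same function slots between the boto3 listing and the `update_access_key` call; deactivating first and deleting after a grace period keeps a mistaken decision reversible.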
We learn about the threat model at 29:00, which is MOM: method, opportunities and motive.
This tells users to check whether they have their detective and response controls ready. At 33:38 Ben asks how difficult it is to detect a credential stuffing attack today. It is a big challenge: are we ready for it, and how can we deal with it?
An important term, Pwned Passwords, is defined at 36:27: it is a corpus of known passwords, with checks to learn whether the passwords your users have been using have actually appeared in a password dump. To know more visit:
We should continuously evaluate what we are doing. So, he talks at 37:18 about using the CIS benchmark Quick Start.
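The Pwned Passwords check can be done without ever sending the password, or even its full hash, off your systems: the client sends only the first five hex characters of the SHA-1 and matches the remaining 35 locally against the returned range. The Python below is an added example (not the talk’s code or Have I Been Pwned’s): it implements that k-anonymity lookup over a constructed range response so it runs offline, and includes an optional fetch against the public range endpoint. The breach count in the sample response is a constructed value.

```python
"""Added example: k-anonymity lookup against a Pwned Passwords range response.

Protocol (public, documented by Have I Been Pwned):
  1. SHA-1 the password, upper-case hex (40 chars).
  2. Send only the first 5 chars: GET https://api.pwnedpasswords.com/range/<prefix>
  3. Response lines are "<35-char suffix>:<count>"; match the suffix locally.
The range body below is constructed so the example runs offline.
"""
import hashlib
import urllib.request
from typing import Dict, Tuple

RANGE_URL = "https://api.pwnedpasswords.com/range/"


def split_hash(password: str) -> Tuple[str, str]:
    """Return (5-char prefix, 35-char suffix) of the upper-case SHA-1 hex digest."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a dict; tolerate CRLF and blank lines."""
    table = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, count = line.split(":", 1)
        table[suffix.upper()] = int(count)
    return table


def breach_count(password: str, range_body: str) -> int:
    """How many times the password appears in the dump (0 = not found).

    Padded responses (Add-Padding: true) include decoy suffixes with count 0;
    returning the count as-is means those naturally read as "not found".
    """
    _, suffix = split_hash(password)
    return parse_range(range_body).get(suffix, 0)


def fetch_range(prefix: str) -> str:
    """Optional live lookup; sends only the 5-char prefix. Not used by the offline sample."""
    req = urllib.request.Request(RANGE_URL + prefix,
                                 headers={"Add-Padding": "true", "User-Agent": "pwned-check-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed range body for prefix 5BAA6 (the prefix of SHA-1("password")).
# The count is made up; the two other suffixes are decoys like padded responses carry.
SAMPLE_RANGE_5BAA6 = (
    "003D68EB55068C33ACE09247EE4C639306B:0\r\n"
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471\r\n"
    "1E4C9B93F3F0682250B6CF8331B7EE68FFF:0\r\n"
)


def check_sample(password: str) -> int:
    """Check a password against the constructed 5BAA6 range as if it had been fetched."""
    prefix, _ = split_hash(password)
    if prefix != "5BAA6":
        return 0  # a different prefix would have required its own range fetch
    return breach_count(password, SAMPLE_RANGE_5BAA6)


if __name__ == "__main__":
    for pw in ("password", "a-long-phrase-nobody-leaked-2019"):
        print(pw, "->", check_sample(pw))
```

Because matching happens on the client, the service learns only that one of roughly 2^20 hash prefixes was queried, which is why this can be wired into a sign-in or password-change flow without exposing user secrets.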
Talking about the zero threat protection zone at 38:30 for infrastructure protection, he mentions the launch of Transit Gateway as a new feature for VPC. Using a single VPC for ingress and services puts the security services in one VPC that can be used across hundreds of accounts. We can centralize the web application firewalls, do all of that in a centralized account, and use a Transit Gateway to share it across different accounts.
The VPC sharing and Resource Access Manager feature explained at 39:55 allows you to set an owner of the VPC who sets it up; you can then share its subnets with different application teams or owners. At 40:49 he talks about automated protection that detects HTTP flood attacks and automatically blocks the IPs conducting them.
Learn more about AWS WAF automation.
Further, at 43:18 he explains some less well-known tools used for infrastructure protection, including source code and dependency checking, and fuzzing, which is the ability to go into an application and try different inputs.
Ben says at 47:55 that if he were doing his updates in code, for example pre-building an Amazon Machine Image, he could build it, plug it into the application layer, and it would not need any internet access. We can also use Amazon Inspector (49:19) to detect vulnerabilities and automate this to get more fine-grained results.
We can get the template for doing layers at:
Keeping people away from data is the main aim of data protection, but how do we do it? At 50:39 he answers: do not store it and do not grant access; encrypt, mask, tokenize and isolate it. This further includes tooling, eliminating and restricting direct access, operations as code, and version control. Different levels of data classification for different uses can be stored in different AWS accounts, which is a good way of isolating them.
At 51:57 he suggests that if you have critical data you are paranoid about, you can create an account outside your organization that is never touched and receives a one-way copy of that critical data; this is termed a Data Bunker. Systems Manager (53:55) can control individually which documents are run; we can predetermine those documents and create them in the cloud to get granular control.
From 54:38 to 01:00:08 we get a brief idea of data exfiltration, automatic detection of data leaks, and S3 access logs. Ben explains his new favourite feature, default Amazon EBS encryption, at 01:01:00, which is available at no additional cost.
To learn more about the feature, visit the AWS Blog.
Concluding the session at 01:01:59, Ben encourages everyone to act and play with the Well-Architected Tool, which is free in the console. Learn, measure, and build using architectural best practices.
You can find a compilation of really good solutions at https://aws.amazon.com/solutions