Security on AWS Amazon Web Services Kyungsoo Lee Partner Solutions Architect Kyungsol@amazon.com
The traditional approach: static systems. Firewall / NG Firewall: firewall. IPS/IDS: intrusion detection / prevention system. NAC: network access control. WAF: web application firewall. Anti-Spam: spam-blocking appliance. Web servers, App/DB servers.
Flexibility / variability of AWS. "Cloud applications have amorphous, polymorphic attack surfaces." - Jason Chan, Director of Engineering, Cloud Security, Netflix
Looking at a traditional data center, it seems you can take in the whole picture at a glance, but behind that...
Visibility / controllability on AWS: AWS IAM, Amazon CloudWatch, AWS CloudTrail, AWS Config, AWS CloudFormation, AWS Trusted Advisor.
How network security solutions are deployed in a traditional data center: a router with SPAN / TAP ports; appliances are deployed off the traffic path (one-arm configuration) and only the traffic that needs monitoring (scanning) is selectively forwarded to them. Servers, corporate data center.
The flexibility, the visibility and the network environment are all different.
Security is our #1 priority
Security is AWS's top priority! As the customer base grows, AWS rapidly ships a wide range of updates related to security, regulation / audit and governance in order to provide better service. [Chart: new service launches and updates per year, 2007 to 2015, with bars of 48, 61, 82, 159, 280, 514 and 722; in 2015, 269 of the 722 (37%) were security, governance, compliance and audit related, the rest other new service launches and updates.] In 2015, 722 new services and features were launched, up 40% from the previous year.
Shared Security Responsibility
WHAT NEEDS TO BE DONE TO KEEP THE SYSTEM SAFE
WHAT WE DO / WHAT YOU HAVE TO DO
Shared responsibility for security between AWS and the customer. Customers: customer content; platform, applications, identity & access management; operating system, network & firewall configuration; client-side data encryption, server-side data encryption, network traffic protection. AWS foundation services: compute, storage, database, networking. AWS global infrastructure: Availability Zones, Regions, Edge Locations. Customers are responsible for their security IN the Cloud; AWS is responsible for the security OF the Cloud.
Every customer builds on the same AWS security foundation. Customers: customer content; platform, applications, identity & access management; operating system, network & firewall configuration; client-side data encryption, server-side data encryption, network traffic protection. Customers are responsible for their security IN the Cloud. Independent validation by experts, with every AWS Region in scope: SOC 1 (SSAE 16 & ISAE 3402) Type II; SOC 2 Type II and public SOC 3 report; ISO 27001 certification; certified PCI DSS Level 1 Service Provider; FedRAMP certification; HIPAA capable.
"Based on our experience, I believe that we can be even more secure in the AWS cloud than in our own data center." - Tom Soderstrom, CTO, NASA JPL
Defense in depth across physical, system, network and data security: hardened AMIs, AWS compliance program, third-party attestations, OS and app patch management, IAM roles for EC2, IAM credentials, security groups, VPC configuration, web application firewalls, bastion hosts, encryption in transit, logical access controls, user authentication, encryption at rest.
AWS security continuously works to give you the same familiarity you have with what you do today: visibility, controllability, auditability.
Better control (DATA, USER, NETWORK)
Customers choose directly where their compute and storage are located. The AWS cloud operates 42 Availability Zones within 16 geographic Regions worldwide.
AWS Regions and Availability Zones. AWS Regions: US East (VA), US West (CA), US West (OR), GovCloud (US), EU (Ireland), EU (Frankfurt), S. America (Sao Paulo), China (Beijing)*, Asia Pacific (Tokyo), Asia Pacific (Singapore), Asia Pacific (Sydney), Asia Pacific (Seoul); each Region contains multiple Availability Zones (AZ A, AZ B, and so on). *A limited preview of the China (Beijing) Region is available to a select group of China-based and multinational companies with customers in China. These customers are required to create an AWS Account, with a set of credentials that are distinct and separate from other global AWS Accounts.
Encryption in transit: HTTPS, SSH, SSL/TLS, VPN. Encryption at rest: object, database, filesystem, disk. Details about encryption can be found in the AWS whitepaper, Securing Data at Rest with Encryption.
AWS KMS: generating / storing / managing encryption keys. Centralized key management for use with AWS: Customer Master Key(s), used by EBS, S3, Redshift and the AWS SDK, with every key use logged by AWS CloudTrail. Diagram: KMS hands an application or AWS service a data key together with that data key's encrypted copy (Data Key 1 ... Data Key 4); the data key encrypts the data (S3 object, EBS volume, Redshift cluster) and the encrypted data key is stored alongside the encrypted data, while the master key(s) never leave the customer's account. Details about the security controls can be found in the AWS whitepaper: KMS Cryptographic Details.
AWS Key Management Service integrated with Amazon EBS
Better control over USERS
AWS IAM: Identity + Authentication + Authorization. Account Owner ID (Root Account): access to all subscribed services; access to billing; access to console and APIs; access to Customer Support. IAM users, groups and roles: access to specific services; access to console and/or APIs; access to Customer Support (Business and Enterprise). Temporary security credentials: access to specific services; access to console and/or APIs.
Better control over the NETWORK
Availability Zone A / Availability Zone B. Create an isolated private network inside the AWS Cloud: AWS Virtual Private Cloud provides a logically isolated virtual private network. Choose a private IP range for the VPC, subnet it appropriately and place EC2 instances in the subnets. AWS network security: AWS blocks layer-2 attacks such as IP spoofing; sniffing of EC2 instances you do not own is not possible; all routing and connectivity to the outside is under your control.
Split the VPC into subnets that match the application architecture: Web, App, DB.
Use a network access control list (NACL) on each subnet: Web to App: allow; DB: deny all traffic.
Use a security group firewall on each EC2 instance: Web: port 443; App: port 443 from Web; DB: deny all traffic.
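To make the layering on these slides concrete, here is an added example (not from the original deck) that evaluates whether a connection passes the subnet NACL and the instance security group for the web / app / DB tiers; the subnet CIDRs and rule numbers are assumed, and only the destination side of each flow is modelled. It also shows a caveat the slides leave implicit: a NACL is stateless, so the reply to the client's ephemeral port needs its own outbound rule, whereas a security group allows the reply automatically.

```python
import ipaddress

# Assumed addressing for the three-tier VPC on the slides (constructed values)
SUBNETS = {"web": "10.1.1.0/24", "app": "10.1.2.0/24", "db": "10.1.3.0/24"}

# Stateless NACL per subnet: (rule_no, direction, action, peer_cidr, port_from, port_to),
# evaluated in rule-number order with an implicit deny at the end. Because a NACL
# is stateless, the reply to the client's ephemeral port must be allowed outbound.
NACLS = {
    "app": [(100, "in", "allow", SUBNETS["web"], 443, 443),
            (100, "out", "allow", SUBNETS["web"], 1024, 65535)],
    "db": [(100, "in", "deny", "0.0.0.0/0", 0, 65535),
           (100, "out", "deny", "0.0.0.0/0", 0, 65535)],
}
# Stateful security group per tier: inbound (peer_cidr, port_from, port_to) only;
# replies to allowed requests are permitted implicitly, and there is no deny rule.
SGS = {"app": [(SUBNETS["web"], 443, 443)], "db": []}

def in_cidr(ip, cidr):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr)

def nacl_permits(subnet, direction, peer_ip, port):
    for _, d, action, cidr, lo, hi in sorted(NACLS.get(subnet, [])):
        if d == direction and lo <= port <= hi and in_cidr(peer_ip, cidr):
            return action == "allow"  # first matching rule decides
    return False  # no rule matched: implicit deny

def sg_permits(tier, src_ip, port):
    return any(lo <= port <= hi and in_cidr(src_ip, cidr) for cidr, lo, hi in SGS.get(tier, []))

def connection_allowed(src_ip, dst_tier, dst_port, client_port=50000):
    """A TCP connection from src_ip into dst_tier succeeds only if the request passes
    the subnet NACL inbound and the instance SG, and the reply passes the NACL outbound."""
    request_ok = nacl_permits(dst_tier, "in", src_ip, dst_port) and sg_permits(dst_tier, src_ip, dst_port)
    reply_ok = nacl_permits(dst_tier, "out", src_ip, client_port)
    return request_ok and reply_ok
```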
VPC security controls: VPC 10.1.0.0/16, route tables, virtual router, internet gateway, virtual private gateway.
[WAF] AWS WAF (WAF on CDN). The WAF monitors and filters at the CloudFront edge: traffic from users (legitimate traffic), from hackers (SQL injection, XSS, ...) and from bad bots arrives at the edge locations (54 edges), and only safe traffic reaches the WEB / WAS tier. Because processing is distributed across the edges there is no scaling burden, and SQL injection and XSS rule sets are provided out of the box. WAF on CloudFront edges presumes that CloudFront is in use.
Better visibility (NETWORK, SYSTEM, AUDIT)
Visibility: a fundamental property of security. You would like to take in the whole state of your data center at a glance, but usually you see a picture like this.
Visibility: a fundamental property of security. AWS has innovative improvements and advanced IT governance services in this area: AWS IAM, Amazon CloudWatch, AWS CloudTrail, AWS Config, AWS CloudFormation, AWS Trusted Advisor.
What is collected and tracked. AWS CloudWatch: a monitoring service for AWS resources and applications running on AWS. Sources: EC2, ELB, Route 53, EBS, Auto Scaling, custom metrics, EMR, SNS, SQS, Storage Gateway, CloudFront, DynamoDB, ElastiCache, billing, RDS. Monitoring and log storage; alarm configuration; graphs and statistics.
AWS Trusted Advisor: Security
AWS Inspector: agent-based assessment of application security posture. Provides assessment findings with guidance; automation through the API. Rule packages: CVE (Common Vulnerabilities and Exposures): thousands of checks; Network security best practices: 4 checks; Authentication best practices: 9 checks; Operating system security best practices: 4 checks; Application security best practices: 2 checks; PCI DSS 3.0 readiness: 25 checks.
Better auditability (COMPLIANCE, HISTORY, LOG)
AWS CloudTrail: logging of every management action on AWS. Every action is handled as an API call... As the services and instances you use grow, CloudTrail keeps a reliable record of every API request. The information CloudTrail provides: the user who made the API call (who); the time the API call occurred (when); the IP address of the caller (from where); the request parameter values (what); the response returned by the AWS service (result).
AWS CloudTrail: logging of every management action on AWS. Using CloudTrail logs within CloudWatch Logs.
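The five questions the slide says CloudTrail answers map directly onto fields of each record. As an added example, not from the original deck, the code below reduces constructed sample records to who / when / where / what / result and flags the two things an auditor checks first: root-account activity and calls to APIs that weaken auditing or add identities, including calls that were denied. The record contents, account id and user names are constructed, and the list of sensitive API names is an assumption.

```python
import json
from datetime import datetime

# Constructed sample trail (not real CloudTrail output): an ordinary IAM-user call,
# a denied attempt against the trail itself, and a root-account call.
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventTime": "2016-03-01T09:15:02Z", "eventName": "RunInstances",
     "sourceIPAddress": "203.0.113.10", "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "requestParameters": {"instanceType": "t2.micro"},
     "responseElements": {"instancesSet": {"items": [{"instanceId": "i-0example"}]}}},
    {"eventTime": "2016-03-01T09:16:40Z", "eventName": "DeleteTrail",
     "sourceIPAddress": "198.51.100.7", "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "requestParameters": {"name": "audit-trail"},
     "responseElements": None, "errorCode": "AccessDenied"},
    {"eventTime": "2016-03-01T09:20:11Z", "eventName": "CreateUser",
     "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"},
     "requestParameters": {"userName": "new-svc-user"},
     "responseElements": {"user": {"userName": "new-svc-user"}}},
]})

def caller(identity):
    """Name the caller: IAM user name, else the ARN, else the identity type."""
    return identity.get("userName") or identity.get("arn") or identity.get("type")

def summarize(record):
    """Reduce one record to the five questions CloudTrail answers."""
    return {
        "who": caller(record["userIdentity"]),
        "when": datetime.strptime(record["eventTime"], "%Y-%m-%dT%H:%M:%SZ"),
        "where": record["sourceIPAddress"],
        "what": (record["eventName"], record.get("requestParameters")),
        # A denied call is still recorded, with errorCode set instead of a response
        "result": record.get("errorCode", "Success"),
    }

def summarize_all(trail_json):
    return [summarize(r) for r in json.loads(trail_json)["Records"]]

def triage(trail_json, sensitive=("DeleteTrail", "StopLogging", "CreateUser")):
    """Flag root activity and sensitive API calls, whether they succeeded or were denied."""
    findings = []
    for rec in json.loads(trail_json)["Records"]:
        s = summarize(rec)
        if rec["userIdentity"].get("type") == "Root":
            findings.append(("root-activity", s["who"], s["what"][0], s["result"]))
        if s["what"][0] in sensitive:
            findings.append(("sensitive-api", s["who"], s["what"][0], s["result"]))
    return findings
```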
AWS Config / Config Rules: inventory management of AWS resources, and management and notification (via AWS SNS) of configuration changes. Config Rules supports custom rules: real-time / periodic monitoring and notification of specific changes; related reference source is provided in the Lambda blueprints, and related Lambda source is published on GitHub. Use cases: security analysis, audit and compliance, change management, troubleshooting, discovery.
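A custom Config rule is a Lambda function that receives the changed configuration item and reports a compliance verdict back to Config. The following is an added example, not one of the AWS Lambda blueprints or the GitHub sources mentioned on the slide: it checks that an EBS volume is encrypted (tying back to the KMS-with-EBS slide), keeps the verdict logic separate from the Lambda entry point so it can be tested offline, and uses a constructed sample event. The volume id, token and timestamp are made up.

```python
import json

def evaluate_volume(config_item):
    """Decide compliance for one configuration item. Only AWS::EC2::Volume is
    judged; anything else is NOT_APPLICABLE so the rule can be scoped broadly."""
    if config_item.get("resourceType") != "AWS::EC2::Volume":
        return "NOT_APPLICABLE", "rule only evaluates EBS volumes"
    cfg = config_item.get("configuration") or {}
    if cfg.get("encrypted") is True:
        return "COMPLIANT", "volume is encrypted with KMS key %s" % cfg.get("kmsKeyId", "(unknown)")
    return "NON_COMPLIANT", "volume is not encrypted"

def build_evaluation(config_item):
    """Shape one result the way Config's PutEvaluations API expects it."""
    compliance, note = evaluate_volume(config_item)
    return {
        "ComplianceResourceType": config_item["resourceType"],
        "ComplianceResourceId": config_item["resourceId"],
        "ComplianceType": compliance,
        "Annotation": note,
        "OrderingTimestamp": config_item["configurationItemCaptureTime"],
    }

def parse_invoking_event(event):
    """Config passes the changed item as a JSON string inside the Lambda event."""
    return json.loads(event["invokingEvent"])["configurationItem"]

def lambda_handler(event, context):
    """Entry point AWS Config invokes on each configuration change of a scoped resource."""
    evaluation = build_evaluation(parse_invoking_event(event))
    import boto3  # only needed inside Lambda; the functions above run anywhere
    boto3.client("config").put_evaluations(
        Evaluations=[evaluation], ResultToken=event["resultToken"])
    return evaluation

# Constructed sample of the event Config sends for an unencrypted 8 GiB volume
SAMPLE_EVENT = {
    "resultToken": "example-token",
    "invokingEvent": json.dumps({"configurationItem": {
        "resourceType": "AWS::EC2::Volume", "resourceId": "vol-0exampleid",
        "configurationItemCaptureTime": "2016-03-01T10:00:00.000Z",
        "configuration": {"encrypted": False, "size": 8}}}),
}
```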
AWS Service Catalog: a self-service portal for creating and managing AWS resources. Administrators author CloudFormation templates, set up portfolios and permissions, and register Products (Product A, Product B) into portfolios; users browse the Service Catalog, launch the Products they need, receive notifications and get a deployed stack. Create and manage a catalog of approved resources. Users find and launch the Products they need from the self-service portal. Control user access to applications or AWS resources according to the relevant compliance or regulatory requirements. Self-service capabilities can be extended through the API.
WHAT WE DO / WHAT YOU HAVE TO DO
THANK YOU Amazon Web Services Kyungsoo Lee