Seven principles
- Build a robust identity foundation and implement the principle of least privilege
- Enable traceability: integrate logs and metrics, and automate investigation and response (alerting)
- Apply security at all layers
- Automate security mechanisms in software
- Protect data in transit and at rest
- Restrict access to data
- Prepare for security events
Identity and Access Management
Principle of Least Privilege
People (or processes) can perform all activities they need to perform, and no more.
Managing AWS access keys
- Use different access keys for different applications
- Rotate access keys periodically
- Remove passwords and access keys when users no longer need them
- Do not generate access keys for your AWS account root user
- Create IAM roles and use the temporary security credentials they issue instead of long-term access keys
- Don't embed access keys directly in code; put them in the AWS credentials file or in environment variables
- AWS recommends attaching policies to a group and making users members of the appropriate groups, rather than attaching a managed policy directly to a user
Do not embed or distribute long-term AWS credentials with apps that a user downloads to a device, even in an encrypted store. Instead, build your app so that it requests temporary AWS security credentials dynamically when needed using web identity federation.
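The key-management rules above can be checked mechanically. The following is an added example, not AWS tooling or code from the original notes: it audits a constructed inventory shaped like `aws iam list-access-keys` output plus a last-used date and reports root keys, keys past the rotation limit, keys that were never used or have gone idle, and users with more than one active key. The 90-day and 60-day limits, the fixed clock and all key IDs are assumptions chosen for the example.

```python
"""Access-key hygiene audit over a constructed key inventory.

Added example, not AWS tooling: it checks a list of access-key records shaped
like `aws iam list-access-keys` output plus a last-used date, and reports the
violations listed in the notes above (root keys, stale keys, unused keys,
more than one active key per user). Sample data is constructed; nothing
contacts AWS.
"""
from datetime import datetime, timedelta, timezone

# Constructed inventory; key IDs are made-up placeholders.
SAMPLE_KEYS = [
    {"UserName": "root", "AccessKeyId": "AKIAROOTEXAMPLE00001", "Status": "Active",
     "CreateDate": "2023-01-10T09:00:00Z", "LastUsedDate": None},
    {"UserName": "ci-deploy", "AccessKeyId": "AKIACIEXAMPLE0000001", "Status": "Active",
     "CreateDate": "2024-01-05T09:00:00Z", "LastUsedDate": "2024-06-01T09:00:00Z"},
    {"UserName": "ci-deploy", "AccessKeyId": "AKIACIEXAMPLE0000002", "Status": "Active",
     "CreateDate": "2024-05-20T09:00:00Z", "LastUsedDate": "2024-06-01T09:00:00Z"},
    {"UserName": "alice", "AccessKeyId": "AKIAALICEEXAMPLE0001", "Status": "Active",
     "CreateDate": "2024-02-01T09:00:00Z", "LastUsedDate": None},
    {"UserName": "bob", "AccessKeyId": "AKIABOBEXAMPLE000001", "Status": "Inactive",
     "CreateDate": "2022-01-01T09:00:00Z", "LastUsedDate": None},
]

NOW = datetime(2024, 6, 2, tzinfo=timezone.utc)  # fixed clock so the run is reproducible
MAX_KEY_AGE = timedelta(days=90)   # rotation limit (assumed policy value)
MAX_UNUSED = timedelta(days=60)    # remove keys idle longer than this (assumed policy value)


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def audit_access_keys(keys, now=NOW):
    """Return (subject, finding) pairs; subject is a key ID or, for the
    multiple-keys check, a user name."""
    findings = []
    active_per_user = {}
    for k in keys:
        if k["Status"] != "Active":
            continue  # inactive keys cannot authenticate; deleting them is cleanup, not a finding here
        kid, user = k["AccessKeyId"], k["UserName"]
        active_per_user.setdefault(user, []).append(kid)
        age = now - _parse(k["CreateDate"])
        if user == "root":
            findings.append((kid, "root user must not have access keys"))
        if age > MAX_KEY_AGE:
            findings.append((kid, "older than rotation limit, rotate"))
        last = k["LastUsedDate"]
        if last is None and age > MAX_UNUSED:
            findings.append((kid, "never used, remove"))
        elif last is not None and now - _parse(last) > MAX_UNUSED:
            findings.append((kid, "unused for too long, deactivate"))
    for user, kids in active_per_user.items():
        if len(kids) > 1:
            # Two active keys are expected only briefly, in the middle of a rotation.
            findings.append((user, "has multiple active keys, finish the rotation"))
    return findings


if __name__ == "__main__":
    for subject, finding in audit_access_keys(SAMPLE_KEYS):
        print(f"{subject}: {finding}")
```

On the constructed inventory the root key produces three findings on its own, which is the point: a root access key is wrong regardless of its age, and removing it is the first action, not rotating it.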
Password policy and enforced MFA
Use managed policies instead of inline policies
Use access levels to review IAM permissions
If you allow your users to change their own passwords, configure a strong password policy for them
Use roles to delegate permissions, and for applications that run on Amazon EC2 instances
To the extent that it's practical, define the conditions under which your IAM policies allow access to a resource. A condition can be a range of source IP addresses that a request must come from, or a date range within which the request must be made.
Remove unnecessary credentials and rotate credentials regularly
Monitor activity in your AWS account
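To make the policy-condition advice concrete, here is an added example that is not the AWS policy engine and not code from these notes: a small evaluator for the two condition kinds mentioned (a source IP range and a time window) that applies IAM's default-deny and explicit-deny-wins rules to a constructed policy. The policy, the bucket name, the operators supported and the request contexts are all assumptions made for the example.

```python
"""Evaluate IAM policy conditions of the two kinds named above (source IP
range, time window) against sample request contexts.

Added example, not the AWS policy engine: it implements default deny,
explicit deny wins, and the IpAddress / NotIpAddress / DateGreaterThan /
DateLessThan operators with the AND-across-blocks semantics IAM uses.
The policy, bucket name and request contexts are constructed.
"""
import fnmatch
import ipaddress
from datetime import datetime, timezone

# Constructed policy: read objects only from the office range, only in June 2024.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:GetObject"],
        "Resource": "arn:aws:s3:::example-bucket/*",   # placeholder bucket name
        "Condition": {
            "IpAddress": {"aws:SourceIp": ["203.0.113.0/24"]},
            "DateGreaterThan": {"aws:CurrentTime": "2024-06-01T00:00:00Z"},
            "DateLessThan": {"aws:CurrentTime": "2024-06-30T23:59:59Z"},
        },
    }],
}


def _dt(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def _in_any(ip, cidrs):
    return any(ipaddress.ip_address(ip) in ipaddress.ip_network(c) for c in cidrs)


# Several values for one key are OR'ed for IpAddress (any listed range) and
# AND'ed for the date operators (a window needs both bounds to hold).
OPERATORS = {
    "IpAddress": lambda ctx, vals: _in_any(ctx, vals),
    "NotIpAddress": lambda ctx, vals: not _in_any(ctx, vals),
    "DateGreaterThan": lambda ctx, vals: all(_dt(ctx) > _dt(v) for v in vals),
    "DateLessThan": lambda ctx, vals: all(_dt(ctx) < _dt(v) for v in vals),
}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def conditions_hold(condition, context):
    """Every operator block must hold; an unknown operator or a context key
    missing from the request fails closed."""
    for op, key_values in condition.items():
        fn = OPERATORS.get(op)
        if fn is None:
            return False
        for key, vals in key_values.items():
            if key not in context or not fn(context[key], _as_list(vals)):
                return False
    return True


def is_allowed(policy, action, resource, context):
    """Default deny; an explicit Deny beats any Allow."""
    allowed = False
    for st in policy["Statement"]:
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(st["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(st["Resource"])):
            continue
        if not conditions_hold(st.get("Condition", {}), context):
            continue
        if st["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


OBJECT = "arn:aws:s3:::example-bucket/reports/q2.csv"   # constructed request target
IN_WINDOW = {"aws:SourceIp": "203.0.113.7", "aws:CurrentTime": "2024-06-15T10:00:00Z"}

if __name__ == "__main__":
    print(is_allowed(POLICY, "s3:GetObject", OBJECT, IN_WINDOW))                                       # True
    print(is_allowed(POLICY, "s3:GetObject", OBJECT, {**IN_WINDOW, "aws:SourceIp": "198.51.100.9"}))  # False
```

The fail-closed choice for a missing context key matters: a request that arrives without a source IP in its context (as some service-to-service calls do) must not satisfy an `aws:SourceIp` condition by accident, which is also why such conditions should be tested with the real call path before being relied on.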
Infrastructure protection
Availability Zone
Q. Does traffic go over the internet when two instances communicate using public IP addresses?
Traffic between two EC2 instances in the same AWS Region stays within the AWS network, even when it goes over public IP addresses.
Traffic between EC2 instances in different AWS Regions stays within the AWS network, if there is an Inter-Region VPC Peering connection between the VPCs where the two instances reside.
Traffic between EC2 instances in different AWS Regions where there is no Inter-Region VPC Peering connection between the VPCs where these instances reside, is not guaranteed to stay within the AWS network.
Route 53
Defense in depth
- Adding gateways (IGW, the internet gateway; VPG, the virtual private gateway)
- Routing rules from the public internet into the VPC
- Route tables between the VPC's subnets
- Elastic IPs and public IPs
- NACLs (network access control lists)
- Security groups
- OS-level firewalls
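The NACL and security-group layers behave differently in a way that trips people up: a NACL is stateless and per subnet, a security group is stateful and per network interface. The following added example (not AWS's implementation and not from the original notes) models just enough of each to show that a NACL needs an explicit outbound rule for the client's ephemeral port or the HTTPS reply is dropped, while the security group passes the reply through connection tracking. All rules, addresses and ports are constructed.

```python
"""Stateless NACL versus stateful security group on one constructed HTTPS flow.

Added example, not AWS's implementation: it models only enough of each
layer (numbered NACL rules, lowest number first, first match wins, implicit
deny at the end; security-group allow rules plus connection tracking) to
show why a NACL needs an explicit rule for the ephemeral-port return
traffic while a security group lets the reply through on its own. All
addresses, ports and rules are constructed.
"""
import ipaddress

# NACL rules: (rule number, action, protocol, (port_from, port_to), cidr).
# NACLs are attached to a subnet and judge every packet in isolation.
NACL_INBOUND = [
    (100, "allow", "tcp", (443, 443), "0.0.0.0/0"),       # clients reaching the web tier
    (110, "allow", "tcp", (1024, 65535), "0.0.0.0/0"),    # replies to the instance's own outbound calls
    (120, "deny", "tcp", (22, 22), "0.0.0.0/0"),          # explicit deny; NACLs can express these, SGs cannot
]
NACL_OUTBOUND = [
    (100, "allow", "tcp", (1024, 65535), "0.0.0.0/0"),    # replies back to clients' ephemeral ports
    (110, "allow", "tcp", (443, 443), "0.0.0.0/0"),       # the instance's own outbound HTTPS
]

# Security-group rules: (protocol, (port_from, port_to), cidr). Allow rules only;
# attached to the instance's network interface; replies to tracked connections pass.
SG_INBOUND = [("tcp", (443, 443), "0.0.0.0/0")]
SG_OUTBOUND = []   # deliberately empty: nothing originates from the instance


def _cidr_match(addr, cidr):
    return ipaddress.ip_address(addr) in ipaddress.ip_network(cidr)


def nacl_evaluate(rules, proto, port, addr):
    """Lowest rule number first; the first match decides; no match means deny."""
    for _num, action, rproto, (lo, hi), cidr in sorted(rules):
        if rproto == proto and lo <= port <= hi and _cidr_match(addr, cidr):
            return action == "allow"
    return False


def sg_evaluate(rules, proto, port, addr, tracked):
    """Stateful: a packet belonging to a tracked connection is accepted
    without consulting the rules for this direction."""
    if tracked:
        return True
    return any(p == proto and lo <= port <= hi and _cidr_match(addr, c) for p, (lo, hi), c in rules)


def nacl_session(inbound, outbound, client_ip, client_port, server_port=443):
    """Client request (dst = server_port) then server reply (dst = the client's
    ephemeral port), each judged statelessly. Returns (request_ok, reply_ok)."""
    request_ok = nacl_evaluate(inbound, "tcp", server_port, client_ip)
    reply_ok = nacl_evaluate(outbound, "tcp", client_port, client_ip)
    return request_ok, reply_ok


def sg_session(inbound, outbound, client_ip, client_port, server_port=443):
    """Same flow through a security group: the reply is tracked state, not a rule lookup."""
    request_ok = sg_evaluate(inbound, "tcp", server_port, client_ip, tracked=False)
    reply_ok = sg_evaluate(outbound, "tcp", client_port, client_ip, tracked=request_ok)
    return request_ok, reply_ok


if __name__ == "__main__":
    client, eph = "198.51.100.5", 51234
    print("NACL:", nacl_session(NACL_INBOUND, NACL_OUTBOUND, client, eph))                        # (True, True)
    no_ephemeral = [r for r in NACL_OUTBOUND if r[0] != 100]
    print("NACL without ephemeral rule:", nacl_session(NACL_INBOUND, no_ephemeral, client, eph))  # (True, False)
    print("SG:", sg_session(SG_INBOUND, SG_OUTBOUND, client, eph))                                # (True, True)
```

Because NACL rules are evaluated lowest number first, a lower-numbered allow silently overrides a later deny; when reviewing a NACL, read it in rule-number order rather than as a set.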
The security configuration of an AWS EC2 instance can be baked into an AMI, so that when scaling, every instance launched from that AMI gets the same settings.
Disable password-based logins for instances launched from your AMI. Passwords can be found or cracked, and are a security risk.
Data Protection
Data protection refers to protecting data while in transit (as it travels to and from resources) and at rest (while it is stored on disks or file systems).
Divided into protection at rest and protection in transit
Protection at rest
- Encrypt with AES-256 / hash with SHA-256
- Do not collect more information than needed
Protection in transit
- Encrypt requests with the Secure Sockets Layer / Transport Layer Security protocol (SSL/TLS)
- Encrypt requests with HTTPS
- Sign requests with the access key ID and secret access key
- Client-side encryption; require API clients to support cipher suites with perfect forward secrecy (PFS)
- VPC endpoints
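Request signing with the access key ID and secret is what keeps the secret off the wire even when TLS is in place. The following is an added example, not the AWS SDK's code and not from the original notes: a standard-library implementation of the AWS Signature Version 4 scheme on one constructed request, plus the receiver-side recomputation. The access key pair is the placeholder pair AWS uses in its documentation; the request, date, region and service are constructed for the example, and header canonicalization is simplified to trimming and collapsing whitespace.

```python
"""AWS Signature Version 4 on one constructed request, standard library only.

Added example, not the AWS SDK's code: it shows that the secret access key
never travels; the request carries the access key ID, the signing scope,
the list of signed headers and an HMAC-SHA256 over a canonical form of the
request, and the receiving side recomputes the same value from its own copy
of the secret. The key pair below is the placeholder pair used in AWS
documentation; the request, date and region are constructed.
"""
import hashlib
import hmac
from urllib.parse import quote

ACCESS_KEY_ID = "AKIDEXAMPLE"                              # documentation placeholder
SECRET_KEY = "wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY"     # documentation placeholder

# Constructed request: IAM ListUsers over GET, as an SDK would send it.
EXAMPLE_QUERY = {"Action": "ListUsers", "Version": "2010-05-08"}
EXAMPLE_HEADERS = {
    "content-type": "application/x-www-form-urlencoded; charset=utf-8",
    "host": "iam.amazonaws.com",
    "x-amz-date": "20150830T123600Z",
}


def _sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def canonical_request(method, path, query, headers, body):
    """Deterministic text of the request: sorted encoded query, lower-cased
    sorted headers with collapsed whitespace, signed-header list, body hash."""
    cq = "&".join(f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}" for k, v in sorted(query.items()))
    lowered = {k.lower(): " ".join(v.split()) for k, v in headers.items()}
    signed = ";".join(sorted(lowered))
    ch = "".join(f"{k}:{lowered[k]}\n" for k in sorted(lowered))
    return "\n".join([method, path, cq, ch, signed, _sha256_hex(body)]), signed


def signing_key(secret, date, region, service):
    """Derived per day, region and service, so a leaked derived key is narrowly scoped."""
    k = _hmac(("AWS4" + secret).encode("utf-8"), date)
    k = _hmac(k, region)
    k = _hmac(k, service)
    return _hmac(k, "aws4_request")


def sign(method, path, query, headers, body, region, service, secret=SECRET_KEY, key_id=ACCESS_KEY_ID):
    """Return the Authorization header value for the request."""
    amz_date = headers["x-amz-date"]
    date = amz_date[:8]
    creq, signed = canonical_request(method, path, query, headers, body)
    scope = f"{date}/{region}/{service}/aws4_request"
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope, _sha256_hex(creq.encode("utf-8"))])
    sig = hmac.new(signing_key(secret, date, region, service), string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()
    return f"AWS4-HMAC-SHA256 Credential={key_id}/{scope}, SignedHeaders={signed}, Signature={sig}"


def verify(auth_header, method, path, query, headers, body, region, service, secret=SECRET_KEY):
    """Receiver side: recompute from its own copy of the secret and compare in
    constant time. Any change to a signed part of the request breaks the match."""
    expected = sign(method, path, query, headers, body, region, service, secret)
    return hmac.compare_digest(expected, auth_header)


if __name__ == "__main__":
    print(sign("GET", "/", EXAMPLE_QUERY, EXAMPLE_HEADERS, b"", "us-east-1", "iam"))
```

Two properties are worth noting from the code: the signed `x-amz-date` bounds how long a captured request stays replayable, and the per-day, per-region, per-service derivation means the long-term secret is never used directly as an HMAC key.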
Classify data by criticality and sensitivity level
Encrypt data (with automatic periodic key rotation)
Data versioning and backups
Multiple layers of protection
Terminate SSL/TLS for HTTPS on the ELB
Use SSL/TLS to communicate with AWS resources. We recommend TLS 1.2 or later.
Use AWS encryption solutions, along with all default security controls within AWS services.
Use advanced managed security services such as Amazon Macie, which assists in discovering and securing personal data that is stored in Amazon S3.
Incident response
Prepare measures before an incident occurs, so the system can isolate itself and capture its own data and state
Automate the response after an incident
Use AWS CloudFormation to pre-provision tooling and a "clean room", so that forensics can be carried out in a securely isolated environment.
Key Management Service
AWS CloudHSM (hardware-based key management)
Shared Responsibility Model
Security of the cloud – AWS is responsible for protecting the infrastructure that runs AWS services in the AWS Cloud. AWS also provides you with services that you can use securely.
Security in the cloud – Your responsibility is determined by the AWS service that you use. You are also responsible for other factors including the sensitivity of your data, your company’s requirements, and applicable laws and regulations.