How To Design A Least Privilege Architecture in AWS Slides

The document discusses how to design a least privilege architecture in AWS. It covers identity and access management using IAM to define strict user and service roles. It also discusses network segmentation using security groups and network ACLs to control traffic and isolate systems. The third pillar of cloud security posture management is mentioned to monitor configurations and detect drift over time to maintain least privilege.

How to Design a Least Privilege Architecture in AWS

Sponsored by

©2020 SANS™ Institute | www.sans.org Sponsored by:


Today’s Speakers
• Dave Shackleford – SANS Analyst
• Sagar Khasnis – AWS Partner Solutions Architect

Today’s Agenda
• Least Privilege Overview
• Identity and Access Management
• Network Segmentation for Access Control
• Cloud Security Posture Management
• A Least Privilege Use Case
• Next Steps
• Solutions in AWS Marketplace
• Customer Success

Least Privilege Overview
• Consistently implementing least privilege as a best
practice has been a challenge:
– The ability to determine the appropriate “least privilege”
for a given use case is a surprisingly complex issue.
– It is easier to allocate more privileges than to limit access.
– The range of permissions and privilege models varies
widely between environments and applications/services.
• Even successful least privilege implementations tend to
shift and drift over time.

Least Privilege Concepts in the Cloud
• Security professionals are rethinking the approach to least
privilege security concepts for the public cloud.
• Some key factors to address:
– Vanishing perimeter
– Application workloads
– Trust relationships
• Three pillars of cloud least privilege:
– Identity and access management
– Network access/segmentation
– Cloud security posture management

Identity and Access Management
• One of the most important aspects of cloud
security is identity and access management (IAM).
• Defining roles, enabling strict access models and
limiting the resources available to users and
systems is a critical step in enabling a sound cloud
security strategy overall.
• Use IAM to envelop each asset in its own identity boundary,
allowing you to create least privilege architectures with
affinity policies (policies bound to the specific assets and
roles that need them) in place.

IAM: User Relationships
• IAM users are associated with credentials for making API
calls to interact with cloud services and exist only within
the cloud environment itself.
– Directory services like AD can be mapped into groups/roles.
• New IAM users have no permissions (Deny All).
• IAM users can represent any asset/resource.
– Once you create service-oriented users, place them in
defined groups and assign privileges.

IAM: Service Relationships
• For service interactions within the environment, cloud
security teams should focus on defining specific roles:
– AWS services
– Cross-account access
– Federation
– Identity providers (IdPs)

Least Privilege IAM for Cloud
• There are several distinct types of identity-focused least privilege
orientation for cloud deployments and infrastructure:
– First, there should be a focus on any privileged users that need
access to the cloud environment for administration, engineering
and security-focused tasks.
– The second major type of least privilege access model that all
organizations need to consider is associated with deployment
pipelines and associated systems and services.
– The third major type of least privilege focus is mapping user,
service and application relationships wholly contained within
the cloud environment.
– Finally, privileges should be carefully reviewed for accounts accessing
other accounts’ services when a multi-account strategy is in place.

IAM Relationship Mapping
• Organizations need to successfully map cloud user and
service relationships to create the most restrictive
privilege models needed.
– AWS Access Advisor shows AWS services allowed by the
assigned IAM policy, policies assigned that grant specific
permissions and last access times.
– AWS IAM Access Analyzer, a feature within AWS Identity
and Access Management (IAM), performs a more thorough
analysis of privilege models in use.

Least Privilege: AWS Accounts
• As an isolation and segmentation technique, each
account is a completely isolated set of resources that
can be configured to access resources in other accounts.
• AWS Organizations is a service that organizations can
use to define policies and guardrails to apply across
multiple AWS accounts.
– With AWS Organizations, you can create service
control policies (SCPs) that set an upper bound on what
the IAM policies in member accounts are able to grant.
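The two IAM points above (using Access Advisor last-accessed data to map which services an identity actually uses, and SCPs bounding what identity policies can grant) are easiest to see with a small simulation. The following is an added example written for this page, not code from the SANS deck or from AWS; the SCP, identity policy, account and last-accessed timestamps are all constructed, and the evaluator deliberately ignores Condition, NotAction and NotResource elements so that it stays short.

```python
"""Added example (not from the SANS/AWS deck): how an action is decided under a
service control policy plus an identity policy, and how Access Advisor-style
last-accessed data can be used to scope a policy down. Runs offline; every
policy document and timestamp below is constructed for illustration."""
import fnmatch
from datetime import datetime, timedelta, timezone


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _statements(policy):
    return _as_list(policy.get("Statement", []))


def _matches(pattern, value):
    # IAM patterns use '*' and '?' wildcards; action names are case-insensitive
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())


def policy_decision(policy, action, resource):
    """Decide one policy document for (action, resource).

    Returns 'Deny' (explicit), 'Allow', or 'Implicit Deny'. Simplification:
    Condition, NotAction and NotResource elements are not evaluated.
    """
    decision = "Implicit Deny"
    for stmt in _statements(policy):
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        if not any(_matches(a, action) for a in actions):
            continue
        if not any(_matches(r, resource) for r in resources):
            continue
        if stmt.get("Effect") == "Deny":
            return "Deny"  # an explicit deny always wins
        decision = "Allow"
    return decision


def effective_decision(scp, identity_policy, action, resource):
    """In a member account an action succeeds only if the SCP allows it AND an
    identity policy allows it; an explicit Deny in either wins."""
    scp_d = policy_decision(scp, action, resource)
    id_d = policy_decision(identity_policy, action, resource)
    if scp_d == "Deny" or id_d == "Deny":
        return "Deny"
    if scp_d == "Allow" and id_d == "Allow":
        return "Allow"
    return "Implicit Deny"


def wildcard_action_statements(policy):
    """Indexes of Allow statements granting a whole service ("svc:*") or "*"."""
    flagged = []
    for i, stmt in enumerate(_statements(policy)):
        if stmt.get("Effect") != "Allow":
            continue
        if any(a == "*" or a.endswith(":*") for a in _as_list(stmt.get("Action", []))):
            flagged.append(i)
    return flagged


def stale_services(policy, last_accessed, now, max_age_days=90):
    """Services the policy allows that have not been used within max_age_days.

    last_accessed mirrors what IAM Access Advisor reports: service prefix ->
    last authenticated time, or None when the service was never used.
    """
    allowed = set()
    for stmt in _statements(policy):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action", [])):
            prefix = action.split(":")[0]
            if prefix == "*":
                allowed.update(last_accessed)  # global wildcard: every tracked service
            else:
                allowed.add(prefix)
    cutoff = now - timedelta(days=max_age_days)
    return {svc for svc in allowed
            if last_accessed.get(svc) is None or last_accessed[svc] < cutoff}


# --- constructed sample data (hypothetical account, policies and timestamps) ---
SCP = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    # Guardrail: nobody in the member account may switch off CloudTrail
    {"Effect": "Deny", "Action": ["cloudtrail:StopLogging",
                                  "cloudtrail:DeleteTrail"], "Resource": "*"},
]}
IDENTITY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::app-data/*"},
    {"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"},
    {"Effect": "Allow", "Action": "cloudtrail:*", "Resource": "*"},
]}
NOW = datetime(2020, 6, 1, tzinfo=timezone.utc)
LAST_ACCESSED = {"s3": NOW - timedelta(days=3),
                 "ec2": NOW - timedelta(days=200),
                 "cloudtrail": None}

if __name__ == "__main__":
    for action, res in [("s3:GetObject", "arn:aws:s3:::app-data/report.csv"),
                        ("s3:PutObject", "arn:aws:s3:::app-data/report.csv"),
                        ("cloudtrail:StopLogging", "*")]:
        print(action, "->", effective_decision(SCP, IDENTITY_POLICY, action, res))
    print("wildcard statements:", wildcard_action_statements(IDENTITY_POLICY))
    print("unused services:", sorted(stale_services(IDENTITY_POLICY, LAST_ACCESSED, NOW)))
```

The identity policy grants `cloudtrail:*`, yet `cloudtrail:StopLogging` is denied because the SCP's explicit Deny applies regardless of what the account's own policies say. The `stale_services` output (`cloudtrail` never used, `ec2` unused for 200 days) is the kind of evidence Access Advisor gives you for removing grants that were never needed.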

Multi-Account Architecture
• Setting up and configuring multi-account architecture has long
been considered challenging and complicated, especially for
large organizations.
• A sample multi-account framework to start from, called a
“Landing Zone,” has been in place for years.
• A new service called AWS Control Tower can automatically
deploy a multi-account starting architecture.
– Create and implement defensive guardrails like AWS Config
monitoring rules, infrastructure-as-code definitions in AWS
CloudFormation, strict identity policies that restrict permissions
and privileges across accounts, etc.

Least Privilege: Networking
• The second major component of a traditional least privilege
design model is network segmentation that is closely aligned
with a specific type of system or workload, often termed
microsegmentation.
• A least privilege concept of network segmentation strives to
prevent would-be attackers from using unapproved network
connections to compromise systems, move laterally from a
compromised application or system, or perform any illicit
network activity regardless of environment.

Microsegmentation with Cloud-Native Controls
• The first category of focus for any cloud network isolation and
segmentation should be the core network zone associated with
cloud accounts.
– In AWS, this is known as the virtual private cloud (VPC), and
this can contain any number of distinct network subnets.
• AWS has two built-in types of network access and isolation
controls: security groups and network access control lists
(network ACLs).
– Use security groups and network ACLs to control traffic into
and out of network deployments.

Security Groups vs. NACLs
• Security groups:
  – Apply to instances
  – Only support Allow rules (layered on a default Deny)
  – Are stateful
  – Are considered in their entirety before traffic is allowed
  – Must be associated with an instance to apply
• NACLs:
  – Operate on VPC subnets
  – Support both allow and deny rules
  – Are not stateful
  – Are processed in numerical order
  – Apply automatically to all instances in a subnet
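The comparison above is easier to reason about when the two evaluation models are run against the same packets. The following is an added example written for this page, not code from the SANS deck or from AWS: a small simulation of a security group (allow-only, every rule considered, stateful) next to a network ACL (numbered rules, first match wins, stateless). The rule sets, addresses and ports are constructed, and the model leaves out details such as ICMP types and IPv6.

```python
"""Added example (not from the SANS/AWS deck): a small simulation of how a
security group and a network ACL each decide the same packets, to show the
rows of the comparison table in action. The rule sets, addresses and ports
below are constructed; real AWS evaluation has more detail than this."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Rule:
    protocol: str   # "tcp", "udp" or "-1" (all traffic)
    from_port: int
    to_port: int
    cidr: str
    action: str = "allow"   # NACL rules may be "deny"; security groups only ever allow
    number: int = 0         # NACL rule number (evaluation order); unused by security groups

    def matches(self, protocol, port, peer_ip):
        if self.protocol != "-1" and self.protocol != protocol:
            return False
        if self.protocol != "-1" and not self.from_port <= port <= self.to_port:
            return False
        return ipaddress.ip_address(peer_ip) in ipaddress.ip_network(self.cidr, strict=False)


@dataclass
class SecurityGroup:
    inbound: list
    outbound: list
    tracked: set = field(default_factory=set)   # connection table (stateful)

    def evaluate(self, direction, protocol, port, peer_ip, reply_to=None):
        """reply_to: key of an earlier-permitted flow this packet answers, if any."""
        if reply_to is not None and reply_to in self.tracked:
            return "allow"              # stateful: replies need no rule of their own
        rules = self.inbound if direction == "inbound" else self.outbound
        if any(r.matches(protocol, port, peer_ip) for r in rules):
            # every rule is considered; a match on any allow rule admits the packet
            self.tracked.add((direction, protocol, port, peer_ip))
            return "allow"
        return "deny"                   # nothing matched: default deny


@dataclass
class NetworkAcl:
    inbound: list
    outbound: list

    def evaluate(self, direction, protocol, port, peer_ip, reply_to=None):
        # stateless: reply_to is ignored, every packet is judged on its own
        rules = self.inbound if direction == "inbound" else self.outbound
        for r in sorted(rules, key=lambda r: r.number):   # lowest number first
            if r.matches(protocol, port, peer_ip):
                return r.action                             # first match decides
        return "deny"                   # the catch-all "*" rule at the end


def trace_https(control, client_ip, client_port):
    """Run an HTTPS request and its reply through one control; return both decisions."""
    request = control.evaluate("inbound", "tcp", 443, client_ip)
    key = ("inbound", "tcp", 443, client_ip)
    reply = control.evaluate("outbound", "tcp", client_port, client_ip, reply_to=key)
    return request, reply


def sample_security_group():
    # Outbound deliberately left empty so the reply visibly passes only
    # because of connection tracking (a real default SG allows all outbound).
    return SecurityGroup(inbound=[Rule("tcp", 443, 443, "0.0.0.0/0")], outbound=[])


def sample_nacl(with_ephemeral_rule=True):
    outbound = []
    if with_ephemeral_rule:
        # Without this the reply on the client's ephemeral port is dropped
        outbound.append(Rule("tcp", 1024, 65535, "0.0.0.0/0", "allow", 100))
    return NetworkAcl(
        inbound=[Rule("tcp", 443, 443, "0.0.0.0/0", "allow", 100),
                 Rule("tcp", 22, 22, "0.0.0.0/0", "deny", 200)],
        outbound=outbound)


def nacl_ordering(deny_number):
    """A deny for 198.51.100.0/24 only takes effect if it is numbered below
    the broad allow at 100: rules are read in numerical order, first match wins."""
    acl = NetworkAcl(inbound=[Rule("tcp", 443, 443, "0.0.0.0/0", "allow", 100),
                              Rule("-1", 0, 65535, "198.51.100.0/24", "deny", deny_number)],
                     outbound=[])
    return acl.evaluate("inbound", "tcp", 443, "198.51.100.7")


if __name__ == "__main__":
    print("security group:", trace_https(sample_security_group(), "203.0.113.10", 51234))
    print("NACL with ephemeral rule:", trace_https(sample_nacl(True), "203.0.113.10", 51234))
    print("NACL without it:", trace_https(sample_nacl(False), "203.0.113.10", 51234))
    print("deny at 90 ->", nacl_ordering(90), "| deny at 110 ->", nacl_ordering(110))
```

Two practical consequences fall out of the run: a NACL needs an explicit outbound rule for the ephemeral port range or replies to permitted inbound connections are silently dropped, and a deny rule placed after a broader allow in a NACL is never reached, so rule numbering is part of the policy.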

Advanced Network Security Segmentation and Access Controls
• To segment and control traffic at the application layer, or
define policies focused more on application details and
protocols, a third-party solution likely makes more sense.
• Most major cloud providers offer enterprise-class solutions
that are capable of providing more granular policies and
monitoring.
• Today’s next-generation firewall (NGFW) platforms are often
used to provide network intrusion detection and prevention,
traffic inspection and behavioral monitoring, and centralized
configuration and administration.

Segmentation/Isolation Best Practices
• Consider what types of architectures make the most sense:
– Subnets vs. VPCs and VPC peering
– VPC peering enables organizations to couple distinct
VPCs together, allowing assets in one network to talk
to assets in another.
• VPC peering is not transitive—that is, it must be specifically
allowed for each VPC peered together.
– In this case another type of platform, called a transit gateway,
can simplify multi-VPC architectures significantly.

Cloud Security Posture Management
• Cloud security posture management (CSPM) tools
can assess the actual control plane of the cloud
environments in use for compliance assessment,
operational monitoring, DevOps integrations, risk
identification and risk visualization.
• Because many cloud platform settings relate to
networking and IAM configuration, CSPM continuous
monitoring can be invaluable.
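The core of the continuous monitoring described above is comparing the control plane as it is now against the configuration that was approved, and flagging changes that widen access. The following is an added example written for this page, not code from the SANS deck, from AWS or from any CSPM vendor: a minimal drift check over two constructed snapshots of security group ingress rules and IAM policy attachments. The snapshot format, group ids, role name and CIDRs are all invented for the example; a real tool would read these from the AWS APIs.

```python
"""Added example (not from the SANS/AWS deck): a minimal CSPM-style drift
check that diffs two control-plane snapshots (security group ingress rules
and IAM policy attachments) and flags changes that erode least privilege.
The snapshot format and all values are constructed; a real tool would read
them from the AWS APIs."""
import ipaddress

MANAGEMENT_PORTS = {22, 3389}


def _rule_key(rule):
    return (rule["protocol"], rule["from_port"], rule["to_port"], rule["cidr"])


def _world_open(cidr):
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def _rule_risk(rule):
    """Risk label for an added ingress rule: 'high' when it opens management
    ports or all ports to the world, 'medium' for any other world-open rule."""
    if not _world_open(rule["cidr"]):
        return "low"
    all_ports = rule["protocol"] == "-1" or (rule["from_port"], rule["to_port"]) == (0, 65535)
    touches_mgmt = any(rule["from_port"] <= p <= rule["to_port"] for p in MANAGEMENT_PORTS)
    return "high" if all_ports or touches_mgmt else "medium"


def detect_drift(baseline, current):
    """Return findings as dicts with kind, subject, detail and risk."""
    findings = []
    for sg_id in set(baseline["security_groups"]) | set(current["security_groups"]):
        before = {_rule_key(r): r for r in baseline["security_groups"].get(sg_id, [])}
        after = {_rule_key(r): r for r in current["security_groups"].get(sg_id, [])}
        added, removed = after.keys() - before.keys(), before.keys() - after.keys()
        for key in added:
            risk = _rule_risk(after[key])
            # A replacement rule whose CIDR is a supernet of a removed one widens access
            widened = any(k[:3] == key[:3] and ipaddress.ip_network(k[3], strict=False)
                          .subnet_of(ipaddress.ip_network(key[3], strict=False))
                          for k in removed)
            if widened and risk == "low":
                risk = "medium"
            findings.append({"kind": "sg_rule_added", "subject": sg_id,
                             "detail": key, "risk": risk})
        for key in removed:
            findings.append({"kind": "sg_rule_removed", "subject": sg_id,
                             "detail": key, "risk": "low"})
    for principal in set(baseline["iam_attachments"]) | set(current["iam_attachments"]):
        before = set(baseline["iam_attachments"].get(principal, []))
        after = set(current["iam_attachments"].get(principal, []))
        for arn in after - before:
            risk = "high" if arn.endswith("/AdministratorAccess") else "medium"
            findings.append({"kind": "policy_attached", "subject": principal,
                             "detail": arn, "risk": risk})
        for arn in before - after:
            findings.append({"kind": "policy_detached", "subject": principal,
                             "detail": arn, "risk": "low"})
    return findings


def high_risk(findings):
    return [f for f in findings if f["risk"] == "high"]


# --- constructed snapshots: the approved baseline and a later observation ---
BASELINE = {
    "security_groups": {
        "sg-web": [{"protocol": "tcp", "from_port": 443, "to_port": 443, "cidr": "0.0.0.0/0"}],
        "sg-db": [{"protocol": "tcp", "from_port": 5432, "to_port": 5432, "cidr": "10.88.2.0/24"}],
    },
    "iam_attachments": {
        "role/deploy-pipeline": ["arn:aws:iam::aws:policy/ReadOnlyAccess"],
    },
}
CURRENT = {
    "security_groups": {
        "sg-web": [{"protocol": "tcp", "from_port": 443, "to_port": 443, "cidr": "0.0.0.0/0"},
                   {"protocol": "tcp", "from_port": 22, "to_port": 22, "cidr": "0.0.0.0/0"}],
        "sg-db": [{"protocol": "tcp", "from_port": 5432, "to_port": 5432, "cidr": "10.88.0.0/16"}],
    },
    "iam_attachments": {
        "role/deploy-pipeline": ["arn:aws:iam::aws:policy/ReadOnlyAccess",
                                 "arn:aws:iam::aws:policy/AdministratorAccess"],
    },
}

if __name__ == "__main__":
    for f in detect_drift(BASELINE, CURRENT):
        print(f["risk"].upper(), f["kind"], f["subject"], f["detail"])
```

Run against the constructed snapshots, the check reports the world-open SSH rule and the AdministratorAccess attachment as high risk, and the database rule's widening from a /24 to a /16 as medium; none of these would be caught by a one-time review, which is the point the slide makes about continuous monitoring.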

A Least Privilege Use Case
• For an organization planning on deploying to a platform-
as-a-service (PaaS) or infrastructure-as-a-service (IaaS)
cloud environment with a focus on least privilege, there
are multiple recommended steps:
– Identify roles and responsibilities for team members
requiring access to the cloud infrastructure.
– Determine the type of network access needed.
– Evaluate IAM roles and privilege assignments.
– Monitor the cloud control plane.

Next Steps
• A least privilege cloud architecture should include authentication
and authorization controls, network access and inspection
controls, and monitoring/enforcement controls for both the
network and workloads.
– To implement a least privilege cloud environment, start with
user and administrative access, followed by multi-account
identity management, if applicable.
– From there, focus on network architecture and access
control design.
– Once the cloud environment is up and running, a CSPM
platform may make sense.

Designing a least privilege architecture in AWS

© 2020, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
AWS services that enable network segmentation

[Diagram: AWS security services laid out under the headings Identify, Protect, Detect, Respond (Automate, Investigate) and Recover. Services shown: AWS Security Hub, AWS Organizations, AWS Transit Gateway, Amazon VPC, Amazon Cloud Directory, Amazon GuardDuty, Amazon Macie, AWS Resource Access Manager, AWS Control Tower, AWS PrivateLink, AWS Identity and Access Management, AWS Well-Architected Tool, AWS Firewall Manager, Amazon Detective, Snapshot Archive.]

Implementing least privilege with AWS IAM Access Analyzer

[Diagram: within an account, IAM Access Analyzer reads the resource-based policies on IAM roles, S3 buckets, Lambda functions, KMS keys and SQS queues and produces findings that show who has access to what.]

Leveraging VPC Traffic Mirroring for network segmentation
• Enhance monitoring of traffic patterns and flow within your environment
• Enable inspection of inbound and outbound traffic

[Diagram: an AWS Cloud VPC with an internet gateway and remote administration access; a source instance (eth0, eth1) in a subnet labelled 10.88.2.0/24 in one availability zone has its traffic mirrored to a destination instance (ens5, ens6) in a subnet labelled 10.88.2.0/24 in a second availability zone.]

How are AWS customers leveraging Palo Alto Networks?
• Provide complete visibility into traffic through Layer 7
• Verify all users, devices and applications
• Enforce policies consistently to aid segmentation

Western Asset Management mitigates risk
With Prisma Cloud by Palo Alto Networks

Benefits:
• Full network visibility
• Incident and
misconfiguration
response times reduced
from days to minutes
• Built-in compliance
reporting eliminates
manually sifting through
audit files


FNTS achieves secure network segmentation
Utilizing VM-series firewalls by Palo Alto Networks

Benefits:
• Enhanced protection of
inbound, outbound, and
east-west network traffic
• Achieved a single,
consistent management
console across entire
environment
• Gained ability to auto-
scale provisioning and
de-provisioning


Epsilon boosts network visibility and control
Leveraging Aviatrix’s Secure Networking Platform

Benefits:
• Increased visibility and
troubleshooting
• Established profile-based
remote user access
control
• Secured connectivity
between Amazon VPCs
and on-premises
resources


Vonage prevents lateral threats
Using Edgewise Zero Trust Auto-Segmentation

Benefits:
• Fully automated micro-
segmentation
• Environment can now be
mapped out in 20
minutes vs. 2 months
• Increased lateral
protection across its
networks


Why AWS Marketplace?
• Flexible consumption and contract models
• Quick and easy deployment
• Helpful humans to support you

How can you get started?
• Find: a breadth of security solutions
• Buy: through flexible pricing options
  – Free trial
  – Pay-as-you-go
  – Hourly | Monthly | Annual | Multi-Year
  – Bring Your Own License (BYOL)
  – Seller Private Offers
  – Channel Partner Private Offers
• Deploy: with multiple deployment options
  – Software as a Service (SaaS)
  – Amazon Machine Image (AMI)
  – AWS CloudFormation (Infrastructure as Code)
  – Amazon Elastic Container Service (ECS)
  – Amazon Elastic Kubernetes Service (EKS)

Webinar summary
• Consider combining network segmentation with a least privilege architecture to boost your security controls in AWS.
• Leverage AWS Services that integrate with your AWS environment and can enhance your network segmentation capabilities.
• Current tools? Bring your own license to leverage benefits of AWS Marketplace.
• New tools? Select solutions in AWS Marketplace for a curated list proven on AWS.

Q&A
Please use GoToWebinar’s Questions tool to submit questions to our panel.
Send to “Organizers” and tell us if it’s for a specific panelist.
Acknowledgments
Thanks to our sponsor:

To our special guest: Sagar Khasnis

And to our attendees, thank you for joining us today!
