At Foghorn, we spend lots of time helping design and build secure infrastructure running on AWS. Heck, we’ve got an entire security practice devoted to it. What we designed in 2012 looked a lot different than what we design today. The biggest change is not the industry but rather a wealth of new features and services that are natively available directly from AWS. I thought I’d take a quick moment to share with you how Foghorn is currently leveraging these features to help companies gain HIPAA compliance, HITRUST certification, or just to ensure that their cloud security hygiene is up to snuff. I look forward to reviewing this post in a few years and considering it “old-school” as AWS will undoubtably advanced far beyond this architecture by then..
Before we implement anything on AWS, we need to decide how we will provision. Will we pop into the console and start clicking away to build out our designs? Absolutely not! A key tenet of a secure infrastructure is one that is well documented and controlled. There is no better way to accomplish this than to build all of our infrastructure using version controlled infrastructure as code, and deploying via a pipeline that centralizes control of provisioning and changes. Foghorn leverages several tools here, including CloudFormation or Terraform as our provisioning tool, GitHub or CodeCommit for our source code, and some CD tool. Most customers have preferred Jenkins as their teams have existing skills and implementations here. Recently we’ve recently enjoyed using Drone.
The most basic foundational element of a secure cloud infrastructure is the network. We have a wealth of pre-defined AWS VPC (Virtual Private Cloud) configurations already coded up that meet best practices for many scenarios. The other two aspects of network would include Ingress/Egress to the public internet, and back end connectivity to the management or corporate network. Amazon has a great tool for Ingress which is maturing quickly, AWS WAF. The secret to a strong WAF? The rules it enforces. We love managed rules from Alert Logic. This Web Application Firewall can quickly add a layer of security to your existing apps with little effort. Egress is often critical when domain based whitelisting or DLP are required, especially when attempting to achieve HITRUST certification. We use a combination of EC2, Load Balancing and Squid Proxy to create an ICAP capable, horizontally scalable network appliance to log and control egress traffic.
Finally, how you integrate your VPC with your datacenter can be critical to ensure both a secure as well as performant environment, especially for hybrid applications. We leverage Direct Connect whenever possible, either via leased line or SDN. We partner with Megaport, who has some great options here.
We like to follow the advice of smart people, like Werner Vogels, CTO of AWS. He tells us to encrypt everything, and that is exactly what we do! From an encryption at rest perspective, the biggest pain point for most of our customers was key management. With the release of KMS, AWS made the complexity of key management disappear. It’s deep integration with other AWS services make KMS extremely valuable. Our favorite feature of KMS is the ability for rights to use keys to be shared with other AWS accounts. This allows a customer of a service provider, for example, to upload data to a vendor’s S3 bucket, which is entirely encrypted with customer owned keys. The customer can be certain that access to that data can be turned on an off without worrying about whether the service provider deleted the data.
Understanding that a single Access Key / Secret Key with the correct permissions is effectively the ‘keys to the datacenter’, Amazon has built out an extensive set of logging capabilities at many levels, and deliver great value at an extremely competitive price. First things first, we need to log API calls, and this is as easy as flipping a switch and turning on CloudTrail, the AWS API logging tool. After a few minutes you’ll see logs begin trickling into the assigned S3 bucket. To control integrity of those logs, we like to store them in a separate AWS account. This ensures that if credentials for an account are compromised, the bad guys can’t cover their tracks by modifying log files after the fact.
As you may know, if you want to see all of the network traffic going through the VPC at the packet level, you can’t simply pop a sniffer on the network and watch. The virtual networking of AWS ensures that you’ll still only see traffic intended for the IP address of the security appliance, which doesn’t do much good. So AWS launched FlowLogs, which allows us to log every packet that flows through a VPC, either for compliance or for troubleshooting. Be careful here, the logs can get quite large, but the tool is incredibly valuable.
Logging is great, but who’s reading the logs? In order to leverage those logs to improve your real-time security posture, you need to automate the monitoring and alerting on specific events that may be considered a risk, so that security can further evaluate. The tooling we use here is pretty simple. We configure CloudWatch Events to notify us on risky issues. Sometimes we wire these notifications into our chat tool (Slack), other times they trigger full escalation paths through tools like PagerDuty. We’ve also leveraged AWS Config, AWS Config rules, and Inspector where appropriate. Some of these tools have overlap of functionality, and we love that. It allows us a wealth of tools in the toolbox, as each customer requirement is a little different.
Sometimes event evaluation isn’t necessary, instead we can immediately automate responses to these events. When we know we want to take immediate action, we wire those events up to some python code running via a lambda function. This gives us highly reliable monitoring and alerting on security events that is also very cost effective and takes no real ongoing management effort, other than iterating on what events we want to monitor, and automating the responses to those events when necessary.
In summary, keep your eyes peeled for new security services and features, and don’t be afraid to rip out custom tools that you created and replace them with native services. Custom tools are fun, but expensive to build and maintain. Better to focus your energies elsewhere once AWS or another 3rd Party provider (Alert Logic, Hashicorp, etc.) has done the heavy lifting. So, are you using any of these tools? Got questions or other solutions? Give us a ring!