
Security Worksheet

Course: AWS Security Best Practices


By: Lee Atchison

Application Information
Name: FaceWoof
Description: Facebook for our Canine friends. Share selfies, bios, and stories. Humorous view of our fur-families.
Scale/Sizing Details
# Users: 10,000,000
# Daily Sessions: ________________
# Page Views: __________________
Data Size: Billions of Photos
Other: 15,000,000 dogs (1.5/user)
<corporate and application details relevant to security go here>

Application Interfaces
Name | Usage | Private/Public Network Access | Used by Public? | Used by Staff? | Used by Management?
Consumer Website | users access | Public | X | |
Consumer Mobile | Mobile applications | Public | X | |
Customer Support | CS interface | Pub/Pvt | | X |
Operations | OPs support | Private | | X |
Reporting | Management interface | Private | | X | X
… | … | … | | |

Application User Types
User type | Description | Public Network | Private Network
End Users | Anyone can create an end user account. | X |
CS Agent | Users that have the ability to perform CS related functions. | X |
Management | Users that manage the system. | | X
Dev/Ops Personnel | Users that maintain and scale the infrastructure and applications in production. | | X
… | … | |
Assets
Asset Name | Owner | Category | Dependencies | Liability/Notes
Usernames, passwords, auths | Security Team | Security | RDS, Encryption, IT | Loss of control and trust
Credit Card Numbers (PCI) | E-Commerce Team | Essential | PCI environment | Compliance
PII for customers | CIO | Essential | RDS, Encryption, IT | Loss of trust
Social data | Privacy Team | Essential | RDS | Loss of trust
Infrastructure | OPs | Critical | AWS | Security
Source code | Engineering | Software | GIT | Security
Corporate systems | HR | Essential | EC2, S3, RDS, IT, 3rd party | Compliance, Security
3rd party systems | OPs, Mgmt | Critical | … | Security
… | … | … | … | …
AWS Information
Accounts
Account Name | Alias | AWS Acct # | Production? | Owner
Production | facewoofproduction | 576555855592 | X | OPs
Corporate | facewoofcorporate | 576555856493 | | HR
Development/QA | facewoofdevelopment | 576555856828 | | Engineering
… | … | … | … | …

Programmatic IAM Users
Name | Component that Uses | Groups Assigned | Policies Assigned | Follows PoLP?
csportal | CS Portal Service | … | … | Yes
idaccess | IdentityAccess Service | … | … | Yes
api | API Service | … | … | Yes
report | Reporting Service | … | … | Yes
… | … | … | … |

PoLP – Principle of Least Privilege

Human IAM Users
Only describe category of users here…
User Category | Role that Uses | Groups Assigned | Policies Assigned | Follows PoLP?
OPs | OPs Personnel | … | … | Yes
Devs | Development Team Members | … | … | Yes
Management | General Mgmt | … | … | Yes
… | … | … | … |


IAM Groups
Group Name | Policies Assigned | Follows PoLP?
DataAccess | … | No?
LoggerGenerator | … | Yes
LogReporter | … | Yes
… | … |



Custom IAM Policies
Policy Name | Policy Summary | Follows PoLP?
… | … |


IAM Roles
Only describe category of roles here…
Role Name | Assigned Entity/Resource | Groups Assigned | Policies Assigned | Follows PoLP?
DevAccess | Corporate Entities | | <access Dev VPC> | …
StagingAccess | Corporate Entities | | <access Staging VPC> | …
ProdAccess | Corporate Entities, Staging Systems | | <access Prod VPC> | …
… | … | … | … |

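The "Follows PoLP?" column in the IAM tables above is answered by hand, but the obvious red flags can be checked mechanically before a human reviews the rest. The following is an added example, not part of the original worksheet or the course: a small heuristic linter over an IAM policy document that flags wildcard actions, service-wide grants, `Resource: "*"`, `NotAction`/`NotResource` inversions and known privilege-escalation actions. The two policies it runs on are constructed for illustration (a read-only CloudWatch Logs policy of the kind a LogReporter group might carry, and a wildcard grant of the kind that earns DataAccess its "No?"); the account ID, region and log-group name in the ARN are placeholders.

```python
"""Heuristic least-privilege (PoLP) check for IAM policy documents.

Added example, not part of the original worksheet. The sample policies
below are constructed; the ARN's account ID, region and log-group name
are placeholders.
"""

# Actions that let a principal grant itself more access. Scoping them to a
# single resource is not enough; each one needs a separate justification.
PRIVILEGE_ESCALATION_ACTIONS = {
    "iam:PassRole", "iam:CreatePolicyVersion", "iam:SetDefaultPolicyVersion",
    "iam:AttachUserPolicy", "iam:AttachGroupPolicy", "iam:AttachRolePolicy",
    "iam:PutUserPolicy", "iam:PutGroupPolicy", "iam:PutRolePolicy",
    "iam:CreateAccessKey", "iam:UpdateAssumeRolePolicy", "sts:AssumeRole",
}


def _as_list(value):
    """IAM accepts a single string wherever it accepts a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def find_polp_violations(policy):
    """Return findings (strings) for every Allow statement broader than least
    privilege. An empty list means the heuristic found nothing, not that the
    policy is minimal: some read-only actions (e.g. ec2:DescribeInstances)
    legitimately require Resource "*" and must be judged by hand.
    """
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only ever remove access
        name = stmt.get("Sid", f"Statement[{idx}]")
        if "NotAction" in stmt:
            findings.append(f"{name}: NotAction allows every action not listed")
        if "NotResource" in stmt:
            findings.append(f"{name}: NotResource applies to every resource not listed")
        for action in _as_list(stmt.get("Action")):
            if action == "*":
                findings.append(f"{name}: Action '*' grants every API call")
            elif action.endswith(":*"):
                findings.append(f"{name}: Action '{action}' grants an entire service")
            elif action in PRIVILEGE_ESCALATION_ACTIONS:
                findings.append(f"{name}: Action '{action}' can be used to escalate privilege")
            elif "*" in action:
                findings.append(f"{name}: Action '{action}' is a wildcard pattern")
        for resource in _as_list(stmt.get("Resource")):
            if resource == "*":
                findings.append(f"{name}: Resource '*' applies to every resource")
    return findings


def follows_polp(policy):
    """The yes/no answer the worksheet column asks for."""
    return not find_polp_violations(policy)


# Constructed sample policies (not real FaceWoof policies).
LOG_REPORTER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "ReadAppLogs",
        "Effect": "Allow",
        "Action": ["logs:DescribeLogStreams", "logs:GetLogEvents", "logs:FilterLogEvents"],
        "Resource": "arn:aws:logs:us-east-1:111111111111:log-group:/facewoof/app:*",
    }],
}

DATA_ACCESS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllTheData",
        "Effect": "Allow",
        "Action": ["s3:*", "dynamodb:*", "iam:PassRole"],
        "Resource": "*",
    }],
}

if __name__ == "__main__":
    for label, policy in (("LogReporter", LOG_REPORTER_POLICY), ("DataAccess", DATA_ACCESS_POLICY)):
        print(f"{label}: follows PoLP = {follows_polp(policy)}")
        for finding in find_polp_violations(policy):
            print("  -", finding)
```

A clean result from this check is the starting point for the manual review, not a substitute for it: the linter cannot tell whether the specific actions that remain are actually needed by the component that uses the policy.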

VPCs
Name  Region  Description  Public Internet  IPSec Tunnel  Direct Connect  Use Bastion Hosts?
Production  us-east-1  Production resources  X
Staging  us-east-1  Staging applications
Corporate  us-east-1  Corporate systems and resources  X  X
Development  us-east-1  Development systems and tools  X  X
…  …  …

Security Zones
Name of Zone | Purpose | Security | VPCs Used
Public | Resources directly accessible from internet. | Open to internet. | ProductionPub
DMZ | Demilitarized zone. | Access by resources in Public zone only. | ProductionDMZ
Internal | Internal resources. | Access by resources in DMZ zone only. | ProductionInternal
… | … | … | …
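The zone table above describes a chain, Public to DMZ to Internal, in which each zone accepts traffic only from the zone in front of it. On AWS that chain is enforced by security-group ingress rules whose source is another security group rather than a CIDR, and it is easy to break with one rule added in a hurry. The following is an added example, not from the original worksheet or the course: a check that takes a zone assignment for each security group and its ingress rules and reports every rule that violates the chain. The group names, the rule sets and the decision that only tcp/80 and tcp/443 may be open to the internet on Public groups are assumptions made for the example.

```python
"""Verify that security-group ingress rules respect the zone chain
Public -> DMZ -> Internal from the Security Zones table.

Added example, not from the original worksheet. Zone membership, the
group names and both rule sets below are constructed for illustration.
"""
from collections import namedtuple

# source is either a CIDR ("0.0.0.0/0", "10.0.0.0/8") or a security-group name.
Rule = namedtuple("Rule", "protocol from_port to_port source")

# Each zone may receive traffic from itself or from the zone listed here.
ALLOWED_UPSTREAM = {"Public": None, "DMZ": "Public", "Internal": "DMZ"}
INTERNET = {"0.0.0.0/0", "::/0"}
INTERNET_PORTS = {80, 443}   # assumption: only web traffic is allowed in from the internet


def _is_cidr(source):
    return "/" in source


def check_zone_rules(zones, rules):
    """zones: {sg_name: zone}; rules: {sg_name: [Rule, ...]}.
    Returns a list of human-readable violations (empty means the chain holds)."""
    violations = []
    for sg, sg_rules in rules.items():
        zone = zones.get(sg)
        if zone not in ALLOWED_UPSTREAM:
            violations.append(f"{sg}: not assigned to a known security zone")
            continue
        upstream = ALLOWED_UPSTREAM[zone]
        for r in sg_rules:
            if r.source in INTERNET:
                web_only = (r.protocol == "tcp" and r.from_port == r.to_port
                            and r.from_port in INTERNET_PORTS)
                if zone != "Public" or not web_only:
                    violations.append(
                        f"{sg} ({zone}): {r.protocol}/{r.from_port}-{r.to_port} open to the internet")
            elif _is_cidr(r.source):
                # A CIDR allow-list (e.g. an office range) is tolerated on the Public edge;
                # inside the chain every source must be a security group so the zone
                # relationship survives instance churn.
                if zone != "Public":
                    violations.append(f"{sg} ({zone}): CIDR source {r.source} instead of a security group")
            else:
                src_zone = zones.get(r.source)
                if src_zone is None:
                    violations.append(f"{sg} ({zone}): source group {r.source} has no zone")
                elif src_zone not in (zone, upstream):
                    violations.append(
                        f"{sg} ({zone}): accepts traffic from {r.source} ({src_zone}); "
                        f"allowed sources are {zone} and {upstream or 'nothing else'}")
    return violations


# Constructed sample data; the group names are not real FaceWoof groups.
ZONES = {"sg-public-web": "Public", "sg-dmz-app": "DMZ", "sg-internal-db": "Internal"}

GOOD_RULES = {
    "sg-public-web": [Rule("tcp", 443, 443, "0.0.0.0/0")],
    "sg-dmz-app": [Rule("tcp", 8080, 8080, "sg-public-web")],
    "sg-internal-db": [Rule("tcp", 5432, 5432, "sg-dmz-app")],
}

BAD_RULES = {
    "sg-public-web": [Rule("tcp", 22, 22, "0.0.0.0/0")],              # SSH open to the world
    "sg-dmz-app": [Rule("tcp", 8080, 8080, "sg-public-web"),
                   Rule("tcp", 22, 22, "10.0.0.0/8")],                # CIDR inside the chain
    "sg-internal-db": [Rule("tcp", 5432, 5432, "sg-public-web")],     # Public reaches Internal, skipping the DMZ
}

if __name__ == "__main__":
    for label, rules in (("good", GOOD_RULES), ("bad", BAD_RULES)):
        print(f"{label}: {check_zone_rules(ZONES, rules) or 'no violations'}")
```

The zone assignment is the part that has to be maintained by people (a tag on each security group works well); once it exists, the rule set can be pulled from `ec2:DescribeSecurityGroups` and fed to the same function on every deploy.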
Periphery Systems

DNS Security
Public DNS
Use Route 53? Yes
Description: We will use some really neat processes and procedures to make sure our DNS stays secure, and AWS will help us with this!

Private DNS
Use Route 53? Yes
Description: We will use some really neat processes and procedures to make sure our DNS stays secure, and AWS will help us with this!

For each type of DNS, describe how you are building and securing your DNS system. Are you using Route 53? If not, what are you using? What policies are you employing to keep it safe and secure?

Time Synchronization Security
Master Production Time Servers | External Time Sources
timeserver1.internal.facewoof.blah | Primary: time.nist.gov
timeserver2.internal.facewoof.blah | Backup: pool.ntp.org
timeserver3.internal.facewoof.blah |
timeserver4.internal.facewoof.blah |

Description:
We will be very timely in our security plans for our network time service. We will use only the most chlorinated time pools.

List your centralized time servers that all other systems will take their time from. List the trusted external time sources you will use to get actual system time. Describe your security plan and what policies you are employing to keep it safe and secure.
Other Periphery Systems
Periphery System | Security Description

List all other periphery systems that must be secure. What process are you using to maintain security? What policies are you employing?

DoS and DDoS Prevention

Description:
The most important aspect of our DoS and DDoS prevention is to monitor for attacks, and keep an open channel of communications with AWS. This requires AWS premium support.

Describe the process and best practices used for DoS and DDoS prevention, and the process you perform if an attack is detected and in progress.
Security Testing
Type of Testing | Testing Process
External Vulnerability: |
External Penetration: |
Internal Gray/White Box: |
AWS Process (how will we submit testing requests to AWS?): |

Describe the process for testing each of the different types of security for your application.
EC2 and OS Hardening
Hardening Requirement | Process Used and Method of Validation
Disable root keys on EC2 instances | Chef script automatically removes root keys once primary contact has been established.
Key rotation for all access keys | We rotate our keys every 90 days and have a policy for follow up by each team to make sure it's been done correctly and timely.
Protect .pem files |
Delete unused keys |

For each type of hardening, describe what process you use to implement the hardening and any validation you use to make sure the process is complete. Add additional OS hardening requirements based on your needs.
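Two rows of the hardening table, 90-day rotation of access keys and deletion of unused keys, are the kind of requirement whose "method of validation" is best a script run on a schedule rather than a follow-up policy. The following is an added example, not from the original worksheet or the course: the decision logic that classifies an IAM access key as fine, due for rotation, or due for deletion, exercised on constructed key metadata, plus a wrapper that applies it to a real account through boto3. The 30-day "unused" threshold and the sample key IDs are assumptions; the worksheet fixes only the 90-day rotation period.

```python
"""Apply the 90-day rotation and delete-unused-keys rules from the hardening
table to IAM access keys.

Added example, not from the original worksheet. classify_access_key() is
the pure decision logic and runs offline on the constructed SAMPLE_KEYS;
scan_account() wraps it around boto3 IAM calls and only runs when the script
is executed with AWS credentials available.
"""
from datetime import datetime, timedelta, timezone

ROTATION_DAYS = 90   # from the worksheet
UNUSED_DAYS = 30     # assumption: idle this long means nothing depends on the key


def classify_access_key(key, now):
    """key: dict with AccessKeyId, Status ('Active'/'Inactive'), CreateDate and
    optionally LastUsedDate (tz-aware datetimes; None if never used).
    Returns one of 'ok', 'rotate', 'delete-unused', 'delete-inactive'.
    """
    if key["Status"] != "Active":
        # An inactive key is still a credential that can be re-enabled: delete it.
        return "delete-inactive"
    last_activity = key.get("LastUsedDate") or key["CreateDate"]
    if now - last_activity > timedelta(days=UNUSED_DAYS):
        # Never used, or idle past the threshold: delete rather than rotate,
        # since rotating an unused key just creates another unused key.
        return "delete-unused"
    if now - key["CreateDate"] > timedelta(days=ROTATION_DAYS):
        return "rotate"
    return "ok"


def classify_keys(keys, now):
    """Map AccessKeyId -> action for a list of key dicts."""
    return {k["AccessKeyId"]: classify_access_key(k, now) for k in keys}


def scan_account(now=None):
    """Run the check against every IAM user in the current account.
    Needs boto3 (imported here so the logic above runs without it) and the
    iam:ListUsers, iam:ListAccessKeys and iam:GetAccessKeyLastUsed permissions.
    """
    import boto3
    iam = boto3.client("iam")
    now = now or datetime.now(timezone.utc)
    report = []
    for page in iam.get_paginator("list_users").paginate():
        for user in page["Users"]:
            for meta in iam.list_access_keys(UserName=user["UserName"])["AccessKeyMetadata"]:
                last = iam.get_access_key_last_used(AccessKeyId=meta["AccessKeyId"])
                key = dict(meta)
                # LastUsedDate is absent from the response when the key was never used.
                key["LastUsedDate"] = last["AccessKeyLastUsed"].get("LastUsedDate")
                report.append((user["UserName"], meta["AccessKeyId"], classify_access_key(key, now)))
    return report


# Constructed sample keys; the IDs are placeholders, not real AWS access keys.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_KEYS = [
    {"AccessKeyId": "AKIASAMPLE0000000001", "Status": "Active",
     "CreateDate": NOW - timedelta(days=10), "LastUsedDate": NOW - timedelta(days=1)},   # ok
    {"AccessKeyId": "AKIASAMPLE0000000002", "Status": "Active",
     "CreateDate": NOW - timedelta(days=120), "LastUsedDate": NOW - timedelta(days=2)},  # rotate
    {"AccessKeyId": "AKIASAMPLE0000000003", "Status": "Active",
     "CreateDate": NOW - timedelta(days=200), "LastUsedDate": None},                     # delete-unused
    {"AccessKeyId": "AKIASAMPLE0000000004", "Status": "Inactive",
     "CreateDate": NOW - timedelta(days=5), "LastUsedDate": None},                       # delete-inactive
]

if __name__ == "__main__":
    for key_id, action in classify_keys(SAMPLE_KEYS, NOW).items():
        print(key_id, action)
```

Running `scan_account()` from a scheduled job and paging the owning team on anything other than `ok` gives the table's "method of validation" an actual mechanism; the same classification can be applied to EC2 key pairs by substituting their creation dates for the IAM metadata.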
Security Groups
SG Name | VPC | Usage | Access Allowed | Access Denied | Follows PoLP?
DeploySvcs | Production | Used to deploy software to EC2 instances in this VPC. | … | … | Y
… | … | … | … | … | ?

Custom AMIs
AMI Name | EC2 Usage | Private/Public | Security Patches? | Bootstrap Process | Security Test
FaceWoofStandard | All Instances | Private | Up to date | Chef script | Yes

Custom Software Used
Software Name | Version | Patch Level | Antivirus? | Antispam? | Notes
… | … | … | … | … | …
Data
Data at Rest
Data Type/Name | Where Stored | Read Access | Write/Delete Access | Replication | Server-side Encrypted | Client-side Encrypted
Dog photos | S3 | Public | Photo service | Yes | No | No
Credentials | DynamoDB | Auth service | Auth service | Yes | Yes | No
PII | DynamoDB | Various Services | Various Services | Yes | No | Yes
… | … | … | … | … | … | …

Data in Transit
Data Type/Name | SSL/TLS? | Accidental Disclosure Security | Data Integrity Security | Peer Identity Security
Dog photos | No | n/a | … | see note
Credentials | Yes | Inter-service encryption. | … | see note
PII | Yes | Inter-service encryption. | … | see note
… | … | … | … | …

Peer Identity Security note (all rows): Inter-service certificate validation is necessary to prevent man-in-the-middle attacks.

Logging
Log Name | Format | Source | Retention | Transport/Storage/Analysis Security
Login attempts | … | Login Service | 90 days | …
Bastion Logins | … | … | 365 days | …
… | … | … | … | …
AWS Security Connection
Security Concern | Plan/Policy/Process
How do you interact with AWS for security purposes? | We have premium support plans for all production accounts. We have a registered security contact email group and a primary AWS support contact email group. These groups page the primary oncalls as appropriate.
What are your established group security contact tools and processes? | Security Contact: security@facewoof.blah; Pager Rotation: aws-page@facewoof.blah; Security Emergency: +1-425-555-1212
What is the established process to respond to abuse warnings from AWS? | Abuse requests from AWS arrive on abuse@facewoof.blah. They are logged as tickets and forwarded to the appropriate oncall for action.
… | …
