Monday, 10 September 2018

This is how Netflix keeps its AWS Cloud credentials locked down and secure



Earlier we discussed how Netflix uses the Application Auto Scaling service for its video streaming business; now we will discuss how Netflix keeps its AWS credentials secure.

Netflix uses Amazon Web Services for the infrastructure and computing resources that run its streaming media service. Netflix, one of the ten largest Internet companies by revenue, chose to go all-in on the AWS Cloud. Because AWS is a public cloud, resources and AWS credentials stored in AWS storage can be shared, which is a risk for a user as large as Netflix. Cloud security is a major concern for first-time cloud users as well as for existing AWS Cloud customers.

Will Bengston, Senior Software Security Engineer on Netflix's security tools and operations team, explained how Netflix detects potentially unauthorized or compromised credentials. He said that Netflix has millions of virtual server instances running on the AWS Cloud. To know when a credential is used where it should not be, they use multiple tools provided by AWS, including Amazon GuardDuty, which continuously scans for potential threats. He added that Netflix's attack surface is large and that credentials in the AWS Cloud are created and used rapidly. Their main concern was how the AWS Security Token Service (STS) is being used, because STS provisions the temporary credentials used with AWS Identity and Access Management.

Amazon CloudTrail Security:

Netflix uses Amazon CloudTrail, one of AWS's primary security services, to keep its AWS accounts and credentials secure. CloudTrail gives them insight into what is running and how it is being used.

Bengston explained that Amazon CloudTrail can be used to track and monitor the event history of AWS account activity. They have configured CloudTrail to deliver its logs to Amazon Simple Storage Service (S3) so that they can evaluate and analyze their account history. The IT team analyzes the IP addresses in use by comparing each IP found in CloudTrail against the list of known Netflix IP addresses to spot unknown behavior, which is a challenging task. Beyond this approach, they also use additional steps to detect credential misuse.

One of these approaches is to go through the CloudTrail logs and look for the "GetCallerIdentity" call, because an attacker uses that call to find out which account they are in. The same call is not used by Netflix's own systems, because the account and credentials are already known to them.
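To make the two checks above concrete, here is an added example (not code from the post, from Netflix, or from Trailblazer) that scans CloudTrail JSON records for GetCallerIdentity calls and for calls whose source IP falls outside an allow-list of known address ranges. The sample records and the address ranges are constructed for this example.

```python
import ipaddress
import json

# Constructed sample records (not from Netflix or the post); the field names follow
# the CloudTrail record schema: eventSource, eventName, sourceIPAddress, userIdentity.
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventTime": "2018-09-10T10:00:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "sourceIPAddress": "10.20.1.15",
     "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/AppRole/i-0abc"}},
    {"eventTime": "2018-09-10T10:01:00Z", "eventSource": "sts.amazonaws.com",
     "eventName": "GetCallerIdentity", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/AppRole/i-0abc"}},
    {"eventTime": "2018-09-10T10:02:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets", "sourceIPAddress": "203.0.113.9",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"}},
    {"eventTime": "2018-09-10T10:03:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "sourceIPAddress": "autoscaling.amazonaws.com",
     "userIdentity": {"type": "AWSService"}},
]})

# Assumed allow-list of address ranges the organisation expects API calls to come
# from (VPC CIDRs, office egress); a real deployment loads this from inventory.
KNOWN_RANGES = [ipaddress.ip_network(c) for c in ("10.0.0.0/8", "203.0.113.0/24")]


def is_known_source(source_ip, known_ranges=KNOWN_RANGES):
    """True if the sourceIPAddress is inside a known range or is an AWS service name."""
    try:
        addr = ipaddress.ip_address(source_ip)
    except ValueError:
        # Calls made by AWS services on the account's behalf carry a DNS name
        # such as "autoscaling.amazonaws.com" instead of an IP; treat those as known.
        return source_ip.endswith(".amazonaws.com")
    return any(addr in net for net in known_ranges)


def find_suspicious(trail_json, known_ranges=KNOWN_RANGES):
    """Return (eventName, sourceIPAddress, reason) tuples for records to investigate."""
    findings = []
    for rec in json.loads(trail_json)["Records"]:
        name, src = rec.get("eventName", ""), rec.get("sourceIPAddress", "")
        # Check 1: known workloads never need GetCallerIdentity, so any call is a signal.
        if rec.get("eventSource") == "sts.amazonaws.com" and name == "GetCallerIdentity":
            findings.append((name, src, "GetCallerIdentity called"))
        # Check 2: the call came from outside the known address ranges.
        if not is_known_source(src, known_ranges):
            findings.append((name, src, "source IP outside known ranges"))
    return findings
```

Running `find_suspicious(SAMPLE_TRAIL)` flags only the second record, once for each check; the service-originated call is not flagged because its source is a service hostname rather than an address.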

Netflix’s Trailblazer Open source:

Going through the CloudTrail logs and comparing every IP address to find unauthorized logins is a challenging task, and Bengston confirmed that it was not scalable, so he built a new open source tool called Trailblazer. Trailblazer collects the API calls made, together with the source IP address, assumed-role records, instance IDs and other related AWS data, to determine which AWS API calls are logged by CloudTrail and what they are logged as.

Security of the Cloud:

The security of an AWS deployment can be improved further by following best practices and setting up the right security services. Many customers do not realize that keeping data secure is a shared responsibility. Enterprises should understand how their S3 storage is configured by performing quality assurance on policies and configurations, maintaining the access control lists, and auditing which users are authorized to access what.

Companies can address this with AWS Identity and Access Management (IAM), applying a top-down policy that locks down all buckets by default and making exceptions only when a bucket is meant to be public. A company with multiple AWS accounts can use AWS Organizations to adopt a central management console. Amazon GuardDuty can be used to analyze S3 bucket permissions and to notify you whenever a bucket is set to public. AWS CloudTrail can be used for governance, risk auditing, compliance, and operational auditing.


Managing an entire AWS account is not an easy task, because there are many things that have to be taken care of. An AWS managed service provider offers insights into how best to use AWS services. It is always better to let an AWS partner guide you through your AWS Cloud journey so that you avoid the pitfalls.

About Cloud.in:

Cloud.in is an AWS Advanced Consulting Partner that delivers AWS managed services catering to every business need and aims to simplify the AWS Cloud journey. Our team is the driving force behind Cloud.in, with the experience, knowledge, and skills to make cloud computing and the AWS Cloud a pleasant experience.
