▪ About Evident.io
▪ Security incident checklist
  - What you are responsible for in AWS
  - What AWS will be looking for from you
▪ Top 10 Security Best Practices
▪ How Evident.io Can Help
long-time UNIX/Linux geek who cut his teeth in the cloud at an entertainment company in Los Gatos. I've worked on another large-scale cloud implementation at a large software company in downtown San Jose. I now work for the best security start-up in the world and love to help our customers get and stay secure. 2/9/15
forged from decades of information security experience by a team that is hyper-focused on the security challenges facing cloud businesses. We are the experts in Cloud Security, so you don't have to be.
get a call, what do you do? Treat it like first aid:
▪ Evaluate the situation
▪ Stop the bleeding: secure the site and isolate the damage
▪ Start the breathing: get the business running again
▪ Protect the wound: investigate the root cause
▪ Treat for shock: make it better, so it does not happen again
You: what you are responsible for in AWS
▪ Have both a plan and tools, and have tested them (Sleuthkit, Autopsy, the SIFT AMI, etc.)
▪ Define what happened and when, and/or define what was not happening and when
▪ Do the initial triage of the problem; the more detail you can collect, the better
▪ Scale up, scale out, isolate the issue
▪ Logs, logs, logs: review CloudTrail logs, S3 access logs, ELB access logs and host logs
▪ Snapshot or dd the affected resources before you change them
▪ Open a support case with AWS early, and update it often
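The "define what happened and when" and "review CloudTrail logs" items above are the part you can script in advance. The following is an added example, not code from the Evident.io deck: it parses one CloudTrail delivery file, builds a timeline, flags root API use, calls from addresses outside a trusted set, and failed calls, and bounds each access key's activity window. The records, the trusted IP set and the account/key identifiers are constructed for illustration (the key IDs are the placeholder values from AWS documentation); a real run would load the gzipped JSON objects CloudTrail writes to your S3 bucket.

```python
"""Triage a CloudTrail delivery file: timeline, suspicious calls, key windows.

Added example, not from the Evident.io deck. All records below are constructed.
"""
import json

# Assumption for this example: addresses you recognise (office, VPN, CI).
TRUSTED_IPS = {"198.51.100.7"}

# Constructed sample records in CloudTrail's record format (not real events).
SAMPLE_CLOUDTRAIL = json.dumps({"Records": [
    {"eventTime": "2015-02-09T02:11:07Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateAccessKey", "awsRegion": "us-east-1",
     "sourceIPAddress": "203.0.113.45", "userAgent": "aws-cli/1.7.0",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root",
                      "accessKeyId": "AKIAIOSFODNN7EXAMPLE"}},
    {"eventTime": "2015-02-09T01:58:30Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "awsRegion": "us-east-1",
     "sourceIPAddress": "198.51.100.7", "userAgent": "console.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "userName": "alice",
                      "arn": "arn:aws:iam::123456789012:user/alice",
                      "accessKeyId": "AKIAI44QH8DHBEXAMPLE"}},
    {"eventTime": "2015-02-09T02:13:52Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress", "awsRegion": "us-east-1",
     "sourceIPAddress": "203.0.113.45", "userAgent": "aws-cli/1.7.0",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root",
                      "accessKeyId": "AKIAIOSFODNN7EXAMPLE"}},
    {"eventTime": "2015-02-09T02:15:10Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "awsRegion": "us-west-2",
     "sourceIPAddress": "203.0.113.45", "userAgent": "aws-cli/1.7.0",
     "errorCode": "Client.UnauthorizedOperation",
     "userIdentity": {"type": "IAMUser", "userName": "alice",
                      "arn": "arn:aws:iam::123456789012:user/alice",
                      "accessKeyId": "AKIAI44QH8DHBEXAMPLE"}},
]})


def identity_of(rec):
    """Short label for the caller; the root identity carries no userName."""
    ident = rec.get("userIdentity", {})
    if ident.get("type") == "Root":
        return "ROOT"
    return ident.get("userName") or ident.get("arn", "unknown")


def load_records(raw_json):
    """Parse one delivery file and return its records sorted by eventTime."""
    return sorted(json.loads(raw_json)["Records"], key=lambda r: r["eventTime"])


def timeline(records):
    """One line per call: when, region, who, what, from where."""
    return ["%s %s %s %s from %s" % (r["eventTime"], r["awsRegion"], identity_of(r),
                                     r["eventName"], r.get("sourceIPAddress", "?"))
            for r in records]


def flag_records(records, trusted_ips):
    """Return (reason, record) pairs worth a closer look.

    Heuristics: any root API use (there should be none once root keys are
    disabled), any call from outside the trusted set, and any failed call
    (a stolen key is usually probed to see what it can do). Calls made by
    AWS services on your behalf carry a service hostname rather than an IP
    in sourceIPAddress, so those are not treated as untrusted.
    """
    findings = []
    for rec in records:
        src = rec.get("sourceIPAddress", "")
        if rec.get("userIdentity", {}).get("type") == "Root":
            findings.append(("root-api-use", rec))
        if src not in trusted_ips and not src.endswith(".amazonaws.com"):
            findings.append(("untrusted-source-ip", rec))
        if "errorCode" in rec:
            findings.append(("failed-call", rec))
    return findings


def key_activity_window(records):
    """Per access key: (first seen, last seen, call count).

    These bounds are the 'what and when' you give AWS support and use to
    decide how far back to pull snapshots and host logs.
    """
    windows = {}
    for rec in records:
        key = rec.get("userIdentity", {}).get("accessKeyId")
        if not key:
            continue
        t = rec["eventTime"]
        first, last, n = windows.get(key, (t, t, 0))
        windows[key] = (min(first, t), max(last, t), n + 1)
    return windows


if __name__ == "__main__":
    recs = load_records(SAMPLE_CLOUDTRAIL)
    print("\n".join(timeline(recs)))
    for reason, rec in flag_records(recs, TRUSTED_IPS):
        print("FLAG %-20s %s %s by %s" % (reason, rec["eventTime"],
                                         rec["eventName"], identity_of(rec)))
    for key, (first, last, n) in sorted(key_activity_window(recs).items()):
        print("KEY %s active %s .. %s (%d calls)" % (key, first, last, n))
```

On the constructed sample this shows the pattern you are trying to pin down: alice's key is used legitimately from the trusted address, then root creates a new access key from an unknown address, opens a security group, and alice's key fails a RunInstances call from that same address. Real delivery files are many per hour; run the same functions over every object in the trail's S3 prefix for the window you care about, and keep the trail's own S3 access logs, since an attacker with enough access may try to delete them.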
AWS: what AWS will do with you
▪ Communicates via the support ticket
▪ Can provide guidance on scaling up, scaling out and isolating the issue
▪ May shift traffic to help
▪ Can provide a forensic image for analysis in AWS
Top 10 Security Best Practices to Implement
1. Disable the root account's API access key and secret key
2. Enable MFA tokens everywhere
3. Reduce the number of IAM users with admin rights
4. Use IAM roles for EC2 instead of keys on the instance
5. Least privilege: limit what IAM entities can do with strong, explicit policies
6. Rotate all keys regularly
7. Use IAM roles with STS AssumeRole where possible
8. Use Auto Scaling to dampen the effects of DDoS
9. Do not allow 0.0.0.0/0 in any EC2/ELB security group unless you mean it
10. Watch for world-readable or world-listable S3 bucket policies
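Items 9 and 10 are the two on the list that are easy to check mechanically against API output. The following is an added example, not code from the Evident.io deck: it walks security groups for ingress rules open to 0.0.0.0/0 or ::/0 that are not on a short allow-list of ports you "mean it" for, and walks bucket policies for Allow statements that grant GetObject or ListBucket to an anonymous principal, expanding wildcard actions such as s3:* or s3:Get*. The security group and bucket policy inputs are constructed here in the shape of `aws ec2 describe-security-groups` output and of the policy document returned by `aws s3api get-bucket-policy`; the group IDs, bucket names and allow-list are assumptions for the example.

```python
"""Check Top 10 items 9 and 10: world-open security groups and world-readable
or world-listable S3 bucket policies.

Added example, not from the Evident.io deck. All inputs below are constructed.
"""
import json
from fnmatch import fnmatchcase

# Assumption for this example: the only (protocol, port) pairs you mean to
# expose to the world, e.g. on an ELB security group.
ALLOWED_PUBLIC = {("tcp", 80), ("tcp", 443)}

# Constructed sample groups in describe-security-groups shape (not a real account).
SAMPLE_SECURITY_GROUPS = [
    {"GroupId": "sg-0a1b2c3d", "GroupName": "web-elb", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0e4f5a6b", "GroupName": "app-servers", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": []},
        {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
]

# Constructed sample bucket policies keyed by bucket name.
SAMPLE_BUCKET_POLICIES = {
    "public-assets": json.dumps({"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::public-assets/*"}]}),
    "backups": json.dumps({"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": ["s3:ListBucket", "s3:Get*"],
         "Resource": ["arn:aws:s3:::backups", "arn:aws:s3:::backups/*"]}]}),
    "private-data": json.dumps({"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/etl"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::private-data/*"}]}),
}


def as_list(value):
    """Policy fields may be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def open_to_world(groups, allowed_public=ALLOWED_PUBLIC):
    """Return (group id, protocol, port range) for every ingress rule reachable
    from 0.0.0.0/0 or ::/0 that is not an allow-listed single port."""
    findings = []
    for group in groups:
        for perm in group.get("IpPermissions", []):
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            if not any(c in ("0.0.0.0/0", "::/0") for c in cidrs):
                continue
            proto = perm.get("IpProtocol")
            if proto == "-1":  # all protocols, all ports
                findings.append((group["GroupId"], "all", "all"))
                continue
            lo, hi = perm.get("FromPort"), perm.get("ToPort")
            if lo == hi and (proto, lo) in allowed_public:
                continue  # the case where you "mean it"
            findings.append((group["GroupId"], proto, "%s-%s" % (lo, hi)))
    return findings


def principal_is_everyone(principal):
    """True for Principal "*" or {"AWS": "*"}, i.e. anonymous access."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in as_list(principal.get("AWS", []))


def world_readable_statements(policy_json):
    """Allow statements that grant GetObject (readable) or ListBucket (listable)
    to everyone. Wildcard actions are matched with fnmatch. A statement with a
    Condition block is still reported but marked, because the condition
    (e.g. aws:SourceIp) may narrow the grant; read it before deciding."""
    hits = []
    for i, st in enumerate(as_list(json.loads(policy_json).get("Statement", []))):
        if st.get("Effect") != "Allow" or not principal_is_everyone(st.get("Principal")):
            continue
        granted = sorted({want for a in as_list(st.get("Action", []))
                          for want in ("s3:GetObject", "s3:ListBucket")
                          if fnmatchcase(want.lower(), a.lower())})
        if granted:
            hits.append({"statement": i, "grants": granted,
                         "conditional": "Condition" in st})
    return hits


def audit(groups, bucket_policies):
    """Run both checks; keys are the group ids and bucket names with findings."""
    sg = {}
    for gid, proto, ports in open_to_world(groups):
        sg.setdefault(gid, []).append("%s/%s" % (proto, ports))
    buckets = {}
    for name, policy in bucket_policies.items():
        hits = world_readable_statements(policy)
        if hits:
            buckets[name] = hits
    return {"security_groups": sg, "buckets": buckets}


if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_SECURITY_GROUPS, SAMPLE_BUCKET_POLICIES), indent=2))
```

On the constructed sample the ELB group's 443 rule is accepted as intended, while the app-servers group is reported for SSH from anywhere and for an all-traffic IPv6 rule, and two of the three buckets are reported (one readable, one readable and listable). Two caveats: a bucket can also be public through its ACL (for example public-read), which a policy check does not see, so check ACLs as well; and a Deny statement elsewhere in the policy can override an Allow, which this simple scan does not evaluate, so treat a hit as "go and look", not as a verdict.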