
Cloud Security 101

Whether starting a greenfield project in one of the public clouds or implementing a lift-and-shift project, cloud security is and will remain an important topic, even more so with the "privacy by design" principle that was put in place by GDPR. There are lots of best practices out there: multi-account strategies, the principle of least privilege, automated patching, scanning for security vulnerabilities and enforcing encryption, just to name a few measures to harden your cloud infrastructure. Ideally all of these are driven by CI/CD pipelines to enable confident changes and short cycle times. The session covers AWS-based examples of proven best practices and solutions that can be used to harden your cloud infrastructure with little effort using the already available features and components.

Andreas Mohrhard

December 06, 2018

Transcript

  1. Slide 4 (@amohrhard): Intro
     § Andreas Mohrhard, [email protected]
       - @amohrhard on Twitter
     § Consultant @tecRacer
     § AWS since 2013
     § Disclaimer: I'm not a security expert.
  2. Slide 11: AWS Cloud Adoption Framework – Security Perspective
     § Security Controls
       - Directive
       - Preventive
       - Detective
       - Responsive
     https://d0.awsstatic.com/whitepapers/AWS_CAF_Security_Perspective.pdf
  3. Slide 12: Directive Measures
     - Come up with a plan on how to handle your cloud usage
     - Define contacts (e-mail groups, security contact, billing contact)
     - Find or establish a security control framework (CIS? NIST?)
     - Data locality / data classification
  4. Slide 13: Preventive Measures
     - Create a strong framework of guard rails, best practices, automations
     - Start with a minimum viable implementation and then iterate to improve
  5. Slide 14: Detective Measures
     - Establish monitoring and proactive security scanning
     - Always be able to know:
       - What has happened (historic state of infrastructure)
       - What is happening
  6. Slide 15: Responsive Measures
     - Automate responses to security findings
     - Simulate security incidents
     - Enable the security team to do forensics in case of an incident
  7. Slide 17: CIS AWS Foundations Benchmark
     - Over 40 checks for best practices across:
       - Identity and Access Management
       - Logging
       - Monitoring
       - Networking
       - Basic security best practices
  8. Slide 19: AWS Organizations – How many accounts to create?
     § Provides a centralized solution to create accounts in your org (via API!)
     § Establishes initial trust between accounts
     § Consolidated Billing
     § Service Control Policies
     § Grouping by Organizational Unit
     Source: https://aws.amazon.com/answers/account-management/aws-multi-account-billing-strategy/
  9. Slide 20: First steps into security
     - Create at least two accounts (master/billing and project)
     - Don't use personal e-mail addresses
     - Establish password policies
     - Always use Multi-Factor Authentication (MFA)
     - Create individual users
  10. Slide 21: Secure the Root Account
      § Best Practice
        - NEVER* use the Root Account
        - Lock away credentials
        - Do not create API credentials
        - Always use Multi-Factor Authentication
          - Use a virtual device (e.g. Google Authenticator or Authy)
          - Print the QR code as a backup
        - www.trek10.com/blog/improving-the-aws-force-mfa-policy-for-IAM-users/
  11. Slide 24: Giving people access: Identity and Access Management
      - Create Users
      - Allow Users to assume Roles
      - Attach policies to Roles
      - References
        - https://iam.cloudonaut.io
        - https://amzn.to/2UaxYTW
      Example policy (read access to the objects of one bucket):
        {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Action": ["s3:GetObject"],
              "Resource": ["arn:aws:s3:::<BUCKET-NAME>/*"]
            }
          ]
        }
  12. Slide 25: Example roles
      - ReadOnlyRole – everyday use in the AWS console
      - ProjectRole – everything needed for day-to-day work
      - AdminRole – basically Action: "*:*"
  13. Slide 26: Identity Federation for IAM – Single Sign-On
      § Compatible with SAML
      § Implement Single Sign-On
        - Option A: Use your on-prem AD
        - Option B: Use SaaS (e.g. OneLogin)
        - Option C: Use AWS SSO
      § SAML needs to provide roles that can be assumed by the user
  14. Slide 27: Giving machines access (EC2/ECS): Roles and Instance Profiles
      The instance role's temporary credentials are fetched from the instance metadata service:
        curl \
          http://169.254.169.254/latest/meta-data/iam/security-credentials/$ROLE
        {
          "Code" : "Success",
          "LastUpdated" : "2018-12-01T16:39:16Z",
          "Type" : "AWS-HMAC",
          "AccessKeyId" : "ASIAIOSFODNN7EXAMPLE",
          "SecretAccessKey" : "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
          "Token" : "token",
          "Expiration" : "2018-12-01T18:39:16Z"
        }
  15. Slide 28: Giving AWS access: Service Roles
      § For some services it is necessary to give AWS access to other services
        - e.g. CloudFormation, Log Delivery, CloudWatch Events
      § Roles or Service Roles
  16. Slide 30: Advanced techniques
      - Permission Boundaries
      - Cross Account Roles
      - Conditions
      - IAM Policies based on tags
      - Service Control Policies
      Source: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_evaluation-logic.html
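Added example (not part of the deck): a small Python model of the IAM policy evaluation logic linked on slide 30, applied to the S3 read-only policy from slide 24 and to a constructed "deny unless MFA" policy in the spirit of the force-MFA policy slide 21 points to. It models only Action/NotAction, Resource/NotResource and the Bool/BoolIfExists condition operators (an assumption that suffices for these cases); real IAM has many more operators, policy types and resource-based policies, so this is a teaching aid, not a policy simulator. The bucket name "example-bucket" and account 123456789012 are placeholders.

```python
"""Model of the IAM policy evaluation logic (added example, not from the deck).

Order of evaluation, as in the AWS documentation linked on slide 30:
  1. an explicit Deny in any applicable statement wins,
  2. otherwise any applicable Allow grants the request,
  3. otherwise the request is implicitly denied.
Only Action/NotAction, Resource/NotResource and the Bool / BoolIfExists
condition operators are modelled (assumption: enough for these examples).
"""
import fnmatch
import json

# Policy from slide 24, with the placeholder bucket name filled in for the demo.
READ_OBJECTS_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    { "Effect": "Allow",
      "Action": ["s3:GetObject"],
      "Resource": ["arn:aws:s3:::<BUCKET-NAME>/*"] }
  ]
}
""".replace("<BUCKET-NAME>", "example-bucket"))

# Constructed policy in the spirit of the "force MFA" policy referenced on slide 21:
# deny everything unless the session used MFA, except the calls a user needs to
# enrol an MFA device. BoolIfExists also denies when the key is absent entirely.
DENY_WITHOUT_MFA_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Effect": "Deny",
         "NotAction": ["iam:CreateVirtualMFADevice", "iam:EnableMFADevice",
                       "iam:ListMFADevices", "sts:GetSessionToken"],
         "Resource": "*",
         "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches_any(patterns, value, casefold):
    # Actions are case-insensitive in IAM, resource ARNs are not.
    for pattern in _as_list(patterns):
        p, v = (pattern.lower(), value.lower()) if casefold else (pattern, value)
        if fnmatch.fnmatchcase(v, p):
            return True
    return False


def _condition_holds(condition, context):
    for operator, pairs in condition.items():
        if_exists = operator.endswith("IfExists")
        base = operator[:-len("IfExists")] if if_exists else operator
        if base != "Bool":
            raise NotImplementedError(f"condition operator {operator} not modelled")
        for key, allowed in pairs.items():
            if key not in context:
                if if_exists:
                    continue          # IfExists: missing key makes the condition true
                return False          # plain Bool: missing key makes it false
            actual = str(context[key]).lower()
            if actual not in [str(a).lower() for a in _as_list(allowed)]:
                return False
    return True


def _statement_applies(stmt, action, resource, context):
    if "Action" in stmt:
        if not _matches_any(stmt["Action"], action, casefold=True):
            return False
    elif "NotAction" in stmt:
        if _matches_any(stmt["NotAction"], action, casefold=True):
            return False
    if "Resource" in stmt:
        if not _matches_any(stmt["Resource"], resource, casefold=False):
            return False
    elif "NotResource" in stmt:
        if _matches_any(stmt["NotResource"], resource, casefold=False):
            return False
    return _condition_holds(stmt.get("Condition", {}), context)


def evaluate(policies, action, resource, context=None):
    """Return "Deny", "Allow" or "ImplicitDeny" for one request."""
    context = context or {}
    allowed = False
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if not _statement_applies(stmt, action, resource, context):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"         # explicit deny always wins
            allowed = True
    return "Allow" if allowed else "ImplicitDeny"
```

Calling `evaluate([READ_OBJECTS_POLICY, DENY_WITHOUT_MFA_POLICY], "s3:GetObject", "arn:aws:s3:::example-bucket/x")` with no MFA key in the context returns "Deny", which is exactly why the force-MFA pattern uses BoolIfExists rather than Bool: requests made with plain access keys carry no aws:MultiFactorAuthPresent key at all.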
  17. Untitled slide: CloudTrail record of a console login
      {
        "eventVersion": "1.05",
        "userIdentity": {
          "type": "IAMUser",
          "principalId": "AIDAJXXXXXXXXXXXXXX",
          "arn": "arn:aws:iam::xxxx0077xxxx:user/andreas.mohrhard",
          "accountId": "xxxx0077xxxx",
          "userName": "andreas.mohrhard"
        },
        "eventTime": "2018-11-30T12:02:41Z",
        "eventSource": "signin.amazonaws.com",
        "eventName": "ConsoleLogin",
        "awsRegion": "us-east-1",
        "sourceIPAddress": "93.295.294.40",
        "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.110 Safari/537.36",
        "requestParameters": null,
        "responseElements": {
          "ConsoleLogin": "Success"
        },
        "additionalEventData": {
          "LoginTo": "https://console.aws.amazon.com/iam/home?region=eu-central-1&state=hashArgs%23&isauthcode=true",
          "MobileVersion": "No",
          "MFAUsed": "No"
        },
        "eventID": "cc39ef16-cf53-488e-ac72-d020fb40a019",
        "eventType": "AwsConsoleSignIn",
        "recipientAccountId": "xxxx0077xxxx"
      }
  18. Slide 34: Enable CloudTrail
      § Best Practice
        - CloudTrail in all regions
        - Deliver it to a central S3 bucket
        - Alarm using Metric Filters (e.g. on Root Account Login)
      § Bonus
        - Have a separate account that holds all your log files.
      § Abilities
        - See what is happening in your account (both your and AWS service triggered actions)
        - Analyse in CloudWatch Logs, alarm with Metric Filters
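Added example (not part of the deck): the two alarms slide 34 mentions, root account usage and console login without MFA, re-implemented as plain Python rules over CloudTrail records so they can be run offline against an exported log object (shape `{"Records": [...]}`). The rules follow the intent of the corresponding CIS AWS Foundations Benchmark metric filters. The first sample record is the ConsoleLogin event from the previous slide; the other three are constructed, with account 111122223333 and the 198.51.100.x addresses as placeholders.

```python
"""Offline detection over CloudTrail records (added example, not from the deck).

Re-implements, in plain Python, the intent of two CloudWatch Logs metric
filters recommended by the CIS AWS Foundations Benchmark:
  - RootAccountUsage:       userIdentity.type == "Root" and not an action an AWS
                            service performed under the root identity
  - ConsoleLoginWithoutMFA: eventName == "ConsoleLogin" and MFAUsed != "Yes"
"""
import json

# Constructed sample. The first record is the ConsoleLogin event from the
# previous slide (fields the rules do not use were dropped); the rest are
# made up for contrast.
SAMPLE_TRAIL = {"Records": [
    {"eventVersion": "1.05",
     "userIdentity": {"type": "IAMUser", "principalId": "AIDAJXXXXXXXXXXXXXX",
                      "arn": "arn:aws:iam::xxxx0077xxxx:user/andreas.mohrhard",
                      "accountId": "xxxx0077xxxx", "userName": "andreas.mohrhard"},
     "eventTime": "2018-11-30T12:02:41Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "awsRegion": "us-east-1",
     "sourceIPAddress": "93.295.294.40",
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MobileVersion": "No", "MFAUsed": "No"},
     "eventID": "cc39ef16-cf53-488e-ac72-d020fb40a019", "eventType": "AwsConsoleSignIn"},
    # Root signing in even with MFA: still alarm-worthy, root is not for daily use.
    {"userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root",
                      "accountId": "111122223333"},
     "eventTime": "2018-11-30T13:00:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.7",
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "Yes"},
     "eventID": "constructed-0002", "eventType": "AwsConsoleSignIn"},
    # IAM user with MFA: the baseline, no finding.
    {"userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice",
                      "accountId": "111122223333", "userName": "alice"},
     "eventTime": "2018-11-30T13:05:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.8",
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "Yes"},
     "eventID": "constructed-0003", "eventType": "AwsConsoleSignIn"},
    # Service event recorded under the root identity: not a person using root.
    {"userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root",
                      "accountId": "111122223333", "invokedBy": "AWS Internal"},
     "eventTime": "2018-11-30T13:10:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutBucketEncryption", "sourceIPAddress": "AWS Internal",
     "eventID": "constructed-0004", "eventType": "AwsServiceEvent"},
]}


def is_root_usage(record):
    identity = record.get("userIdentity", {})
    return (identity.get("type") == "Root"
            and "invokedBy" not in identity
            and record.get("eventType") != "AwsServiceEvent")


def is_console_login_without_mfa(record):
    # A missing MFAUsed field is treated as "no MFA", never as a pass.
    return (record.get("eventName") == "ConsoleLogin"
            and record.get("additionalEventData", {}).get("MFAUsed") != "Yes")


RULES = {
    "RootAccountUsage": is_root_usage,
    "ConsoleLoginWithoutMFA": is_console_login_without_mfa,
}


def scan(trail):
    """Return one finding dict per (rule, record) match, in record order."""
    findings = []
    for record in trail.get("Records", []):
        for name, rule in RULES.items():
            if rule(record):
                findings.append({
                    "rule": name,
                    "eventID": record.get("eventID"),
                    "eventTime": record.get("eventTime"),
                    "principal": record.get("userIdentity", {}).get("arn"),
                    "sourceIPAddress": record.get("sourceIPAddress"),
                })
    return findings


def scan_file(path):
    """Scan one decompressed CloudTrail log object from disk."""
    with open(path, encoding="utf-8") as fh:
        return scan(json.load(fh))


if __name__ == "__main__":
    for finding in scan(SAMPLE_TRAIL):
        print(json.dumps(finding))
```

In CloudWatch Logs the same two checks are expressed as metric filter patterns on the trail's log group and wired to an alarm; the offline form is handy for back-testing a pattern against archived trail files in the central logging bucket before turning it into an alarm.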
  19. Slide 36: Enable Config
      § Best Practice
        - Enable AWS Config in all regions
        - Deliver it to a central S3 bucket
        - Set up rules for all security rules and best practices
      § Abilities
        - See which resources there are and how they change over time
        - Monitor the compliance status of infrastructure components
  20. Slide 37: Managed Rules – Examples
      § Compute: approved-amis, encrypted-volumes, restricted-ssh, elb-logging-enabled
      § Databases: db-instance-backup-enabled, rds-storage-encrypted
      § Management Tools: cloudtrail-enabled, required-tags
      § Security, Identity & Compliance: iam-password-policy, root-account-mfa-enabled
      § Storage: s3-bucket-public-read-prohibited, s3-bucket-server-side-encryption-enabled
      Managed rules exist for most best practices!
  21. Slide 38: Enable GuardDuty
      § Best Practice
        - Enable AWS GuardDuty in all regions
        - Deliver it to a central S3 bucket
        - Set up alerting
      § Abilities
        - See current threats against your account (suspicious API requests, brute force detection
  22. Slide 40: Recommendations
      § Make sure to enable CloudTrail, Config and GuardDuty in all regions across your account (there is some cost associated with each service)
      § Set up lightweight monitoring (e.g. marbot.io, just e-mails, or SaaS solutions like CloudCheckr)
  23. Slide 43: Safeguard your credentials
      § Store them encrypted (e.g. with https://github.com/99designs/aws-vault)
      § NEVER commit them to VCS
      § Only use temporary credentials (AssumeRole or Instance Roles)
  24. Slide 45: Keeping your account tidy
      § Best Practice
        - Use resource tagging (at least Name and Owner; maybe classify data as PII vs. non-PII)
        - Delete unused resources
        - Use Infrastructure-as-Code
      § Bonus
        - IAM allows usage of tags for controlling permissions
      § Abilities
        - Easier to reason about infrastructure if you know the owner.
  25. Slide 47: KMS – Key Management Service
      § Manages the Master Key
      § Provides Data Keys for Envelope Encryption
      § Fully integrated into IAM and all services that store data
      Source: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html
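Added example (not part of the deck): the envelope encryption pattern slide 47 refers to, written in stdlib-only Python. `MasterKeyService` is a constructed stand-in for KMS (it plays the role of GenerateDataKey and Decrypt; the master key never leaves it), and `_seal`/`_open` are a small SHA-256-keystream-plus-HMAC authenticated cipher used only so the example runs without third-party packages. It is not AES-GCM and not what KMS uses; in production the AWS Encryption SDK or the service-side integration does this for you. The key id "constructed-cmk-1" is a placeholder.

```python
"""Envelope encryption with a KMS stand-in (added example, not from the deck).

Pattern from slide 47: the master key stays inside the key service; each
object is encrypted under a fresh data key, and only the *wrapped* data key
is stored next to the ciphertext. The cipher below is a stdlib stand-in for
AES-GCM so that the example runs offline; the envelope logic is the point.
"""
import hashlib
import hmac
import secrets

NONCE_LEN, TAG_LEN = 16, 32


def _subkeys(key):
    # Separate confidentiality and integrity keys derived from one secret.
    return (hashlib.sha256(b"enc" + key).digest(),
            hashlib.sha256(b"mac" + key).digest())


def _keystream(enc_key, nonce, length):
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(enc_key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def _seal(key, plaintext):
    """nonce || ciphertext || HMAC tag (encrypt-then-MAC)."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def _open(key, blob):
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("ciphertext or wrapped key failed authentication")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class MasterKeyService:
    """Constructed KMS stand-in: holds the master key, hands out wrapped data keys."""

    def __init__(self, key_id="constructed-cmk-1"):
        self.key_id = key_id
        self._master = secrets.token_bytes(32)    # never returned to callers

    def generate_data_key(self):
        """Like KMS GenerateDataKey: (plaintext data key, data key wrapped under the master key)."""
        plaintext_key = secrets.token_bytes(32)
        return plaintext_key, _seal(self._master, plaintext_key)

    def decrypt(self, wrapped_key):
        """Like KMS Decrypt: unwrap a data key; IAM would gate this call in AWS."""
        return _open(self._master, wrapped_key)


def encrypt_envelope(kms, plaintext):
    data_key, wrapped_key = kms.generate_data_key()
    return {"key_id": kms.key_id, "wrapped_key": wrapped_key, "body": _seal(data_key, plaintext)}


def decrypt_envelope(kms, envelope):
    data_key = kms.decrypt(envelope["wrapped_key"])   # only the key service can unwrap
    return _open(data_key, envelope["body"])


def is_intact(kms, envelope):
    """True when the envelope decrypts and authenticates under this key service."""
    try:
        decrypt_envelope(kms, envelope)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    kms = MasterKeyService()
    env = encrypt_envelope(kms, b"customer record: PII")
    print(decrypt_envelope(kms, env))
```

Two properties of the pattern are visible in the code: revoking or disabling the master key makes every wrapped data key unrecoverable at once, and bulk data never has to be sent to the key service, only the 32-byte data key does.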
  26. Slide 48: Encrypt everything.
      § Best Practice
        - Encrypt databases, queues, images, files
      § Bonus
        - No decision whether encryption should be enabled or not. Just encrypt it.
      § Tools
        - Use AWS Config to monitor compliance
        - Use IAM policies to force encrypted resources
  27. Slide 51: Security Group Best Practices
      § Don't allow SSH from the public internet
      § Prefer security group references over private IP ranges
  28. Slide 55: Options for Bastion Hosts
      § Option A: Single instance in an AutoScaling Group (set up manually)
      § Option B: AutoScaling Group for Bastion hosts (e.g. https://github.com/widdix/aws-cf-templates)
      § Option C: On-demand Bastion using Fargate (https://github.com/alex0ptr/fargate-bastion)
      § Option D: Why enable SSH at all? Use SSM instead.
  29. Slide 56: VPN as an alternative to Bastion hosts
      § Create a tunnel from your office or your machine to your AWS network
      § Different solutions, for example:
        - OpenVPN Access Server
        - Sophos UTM
        - AWS Client VPN (coming soon)
  30. Slide 58: Secure S3
      § Best Practice
        - Only use explicit IAM policies and Bucket Policies
        - Use Public Access Block
        - Data security: MFA Delete / Object Lock / Versioning
        - Access Logging + CloudTrail Data Events for critical data
  31. Slide 60: Automate all the things!
      § Best Practice
        - Compliance-as-Code (pacbot, cloud custodian, AWS Config)
        - Create all configs through code
        - Automate actions to mitigate risks (-> responsive controls)
        - Use StackSets to configure multiple accounts / regions at once
        - Make sure that your $BUILD_SERVER is secure!
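Added example (not part of the deck, nor AWS Config's own rule code): the compliance-as-code idea of slide 60 applied to four of the managed rules listed on slide 37, the security group rule from slide 51 and the Public Access Block from slide 58, as plain Python checks over a constructed inventory shaped loosely like Config configuration items. The real managed rules run inside AWS Config and inspect more attributes than modelled here; the resource IDs, bucket names and the "AWS::IAM::RootAccount" record type are placeholders.

```python
"""Compliance-as-code over a resource inventory (added example, not from the deck).

Plain-Python re-implementations of the intent of four AWS Config managed rules
named on slide 37 (restricted-ssh, encrypted-volumes,
s3-bucket-public-read-prohibited, root-account-mfa-enabled), evaluated against
a constructed inventory and reported the way Config reports evaluations.
"""
import ipaddress

# Constructed inventory; IDs and names are placeholders.
INVENTORY = [
    {"type": "AWS::EC2::SecurityGroup", "id": "sg-web", "ingress": [
        {"protocol": "tcp", "from_port": 22, "to_port": 22, "cidrs": ["0.0.0.0/0"], "source_groups": []},
        {"protocol": "tcp", "from_port": 443, "to_port": 443, "cidrs": ["0.0.0.0/0"], "source_groups": []}]},
    {"type": "AWS::EC2::SecurityGroup", "id": "sg-app", "ingress": [
        # SSH only from the bastion's security group: the reference pattern of slide 51.
        {"protocol": "tcp", "from_port": 22, "to_port": 22, "cidrs": [], "source_groups": ["sg-bastion"]}]},
    {"type": "AWS::EC2::Volume", "id": "vol-0001", "encrypted": True},
    {"type": "AWS::EC2::Volume", "id": "vol-0002", "encrypted": False},
    {"type": "AWS::S3::Bucket", "id": "public-assets", "public_access_block": False,
     "acl_grants": [{"grantee": "AllUsers", "permission": "READ"}]},
    {"type": "AWS::S3::Bucket", "id": "private-data", "public_access_block": True,
     "acl_grants": [{"grantee": "AllUsers", "permission": "READ"}]},  # grant present but blocked
    {"type": "AWS::IAM::RootAccount", "id": "root", "mfa_enabled": False},
]


def restricted_ssh(sg):
    """Compliant unless some ingress rule admits TCP/22 from 0.0.0.0/0 or ::/0."""
    for rule in sg["ingress"]:
        all_traffic = rule["protocol"] == "-1"
        covers_ssh = all_traffic or (
            rule["protocol"] == "tcp" and rule["from_port"] <= 22 <= rule["to_port"])
        from_anywhere = any(ipaddress.ip_network(c).prefixlen == 0 for c in rule["cidrs"])
        if covers_ssh and from_anywhere:
            return False
    return True


def encrypted_volumes(volume):
    return bool(volume["encrypted"])


def s3_bucket_public_read_prohibited(bucket):
    """Public Access Block (slide 58) wins; otherwise no public READ/FULL_CONTROL ACL grant."""
    if bucket["public_access_block"]:
        return True
    return not any(grant["grantee"] in ("AllUsers", "AuthenticatedUsers")
                   and grant["permission"] in ("READ", "FULL_CONTROL")
                   for grant in bucket["acl_grants"])


def root_account_mfa_enabled(root):
    return bool(root["mfa_enabled"])


RULES = {
    "restricted-ssh": ("AWS::EC2::SecurityGroup", restricted_ssh),
    "encrypted-volumes": ("AWS::EC2::Volume", encrypted_volumes),
    "s3-bucket-public-read-prohibited": ("AWS::S3::Bucket", s3_bucket_public_read_prohibited),
    "root-account-mfa-enabled": ("AWS::IAM::RootAccount", root_account_mfa_enabled),
}


def evaluate(inventory):
    """{rule: {resource id: "COMPLIANT" | "NON_COMPLIANT"}}, one entry per in-scope resource."""
    results = {name: {} for name in RULES}
    for resource in inventory:
        for name, (resource_type, check) in RULES.items():
            if resource["type"] == resource_type:
                results[name][resource["id"]] = "COMPLIANT" if check(resource) else "NON_COMPLIANT"
    return results


def non_compliant(inventory):
    """Sorted (rule, resource id) pairs: the work list for a responsive control."""
    return sorted((rule, rid)
                  for rule, per_resource in evaluate(inventory).items()
                  for rid, status in per_resource.items() if status == "NON_COMPLIANT")


if __name__ == "__main__":
    for rule, rid in non_compliant(INVENTORY):
        print(f"{rule}: {rid} NON_COMPLIANT")
```

The split between `evaluate` (produce a status per resource) and `non_compliant` (turn that into a work list) mirrors how Config's evaluations are consumed: the first feeds a compliance dashboard, the second is what a remediation automation or a CloudWatch Events target acts on.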
  32. Slide 61: Automate all the things!
      § Resources
        - docs.cloudposse.com
        - github.com/widdix/aws-cf-templates
        - asecure.cloud
  33. Slide 63: Multi Account Strategies – User Account
      Source: https://aws.amazon.com/answers/account-management/aws-multi-account-security-strategy/
  34. Slide 64: Multi Account Strategies – Security Account
      Source: https://aws.amazon.com/answers/account-management/aws-multi-account-security-strategy/
  35. Slide 65: Multi Account Strategies – Logging Account
      Source: https://aws.amazon.com/answers/account-management/aws-multi-account-security-strategy/
  36. Slide 67: Landing Zone – "Account Vending Machine"
      Source: https://aws.amazon.com/answers/aws-landing-zone/
      Coming soon: AWS Control Tower
  37. Slide 69: How to assess security in an existing account?
      § Prowler
      § Scout2
      § Pacbot
      § AWS Security Hub (coming soon)
      § https://github.com/toniblyx/my-arsenal-of-aws-security-tools
        - Defensive and offensive tools
        - Good resource on possible attack angles
  38. Untitled slide: Things not covered today
      IAM Permission Boundaries, Cross Account Roles, Trusted Advisor, Cross Account Resource Sharing, VPC VPN Gateways, S3 Client Side Encryption, Lambda Permissions, IoT, Glacier Vault Locks, S3 ACLs, SQS Queue Policies, S3 Pre-Signed URLs, CloudFront URL signing, API Gateway Custom Authorizer, Cognito, Trust Policies, Password Management with SSM, Secrets Manager, Inspector, Security Monkey, AWS Shield, WAF, CloudHSM, Managed Policies, SSM Automated Patching, KMS Grants, KMS Key Policies, Secure Network Design, IAM Authentication for RDS. And many more.
  39. Slide 72: Take-aways
      § Start small, expand incrementally
      § Principle of Least Privilege
      § Establish observability and alerts
      § Use public S3 buckets with extreme care
  40. Slide 75: Resources
      § https://github.com/toniblyx/my-arsenal-of-aws-security-tools
      § AWS Documentation on the mentioned services
      § Well-Architected Framework
      § CIS AWS Foundations Benchmark
      § https://aws.amazon.com/blogs/security/