
The best and the worst security practices on AWS

Ben Whaley
February 19, 2019


Presented at OWASP Lviv 2019-02-19



Transcript

  1. The best and the worst security practices on AWS. Ben Whaley, @iAmTheWhaley. OWASP Lviv, 2019-02-19
  2. Who the fsck is this guy?
    • Security, OS, networking nerd (since 1995)
    • Co-author, UNIX & Linux System Administration Handbook (since 2006)
    • AWS Community Hero (since 2014)
    • Consultant (T-Mobile, Square, Coinbase, …) (2013-2017)
    • Engineering @ Kountable (since 2017)
  3. Accounts

  4. Worst: Monolithic accounts
    • Proliferation of VPCs, security groups, peering connections
    • Gnarled mess of IAM policies
    • Complex billing statements, difficult attribution
    • Limited compartmentalization capability
  5. Best: Multi-account security strategy
    • Bask in the warm light of AWS Organizations
    • Federated cross-account access with single sign-on/IdP
    • Per-account security policies
    • Per-account cost attribution
    • Compartmentalization limits blast radius
    • Centralized control with explicit trust relationships
  6. (Diagram) Four accounts: Identity, Command & Control, Development, Production

  7. (Diagram) Identity account: SAML authentication via IdP, giving AWS Console and API access. From there, AssumeRole into the Command & Control, Development and Production accounts.
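The IAM pieces that make the slide-7 flow work, as an added example that is not from the deck: the trust policy on the role in each target account, the policy in the Identity account that lets the federated session assume only those roles, and the second hop itself. The trust policy also shows the ExternalId condition that slide 24's "AssumeRole for third parties" relies on. Every account id and role name is hypothetical, and MFA is assumed to be enforced by the IdP at SAML login.

```python
"""Added example, not from the deck: the IAM policies behind the slide-7
flow (SAML into the Identity account, then AssumeRole into the others).
All account ids and role names are hypothetical."""
import json

IDENTITY_ACCOUNT = "111111111111"          # hypothetical Identity account
TARGET_ACCOUNTS = {                        # hypothetical target accounts
    "command-and-control": "222222222222",
    "development": "333333333333",
    "production": "444444444444",
}
TARGET_ROLE = "OrgAdmin"                   # hypothetical role name in each target


def trust_policy(trusted_account, external_id=None):
    """Trust policy for the role in a *target* account.

    The principal is the trusted account as a whole (":root" means the
    account, not the root user); which principals in that account may
    actually assume the role is then decided by that account's own IAM
    policies (see assume_role_policy).  For a third party's account add the
    agreed ExternalId so the third party cannot be tricked into using this
    role on someone else's behalf (the confused-deputy problem)."""
    statement = {
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{trusted_account}:root"},
        "Action": "sts:AssumeRole",
    }
    if external_id:
        statement["Condition"] = {"StringEquals": {"sts:ExternalId": external_id}}
    return {"Version": "2012-10-17", "Statement": [statement]}


def assume_role_policy(target_accounts, role_name):
    """Identity-account policy for the federated role: it may assume exactly
    the named role in each listed account and nothing else."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": [f"arn:aws:iam::{acct}:role/{role_name}"
                         for acct in sorted(target_accounts.values())],
        }],
    }


def hop(account_id, role_name, session_name, session=None):
    """The second hop: from an Identity-account session, assume the target
    role and return a boto3 Session bound to the temporary credentials.
    Needs boto3 and live credentials; nothing else in this file does."""
    import boto3
    sts = (session or boto3).client("sts")
    creds = sts.assume_role(
        RoleArn=f"arn:aws:iam::{account_id}:role/{role_name}",
        RoleSessionName=session_name,   # shows up in CloudTrail of the target
        DurationSeconds=3600,
    )["Credentials"]
    return boto3.Session(
        aws_access_key_id=creds["AccessKeyId"],
        aws_secret_access_key=creds["SecretAccessKey"],
        aws_session_token=creds["SessionToken"],
    )


if __name__ == "__main__":
    print(json.dumps(trust_policy(IDENTITY_ACCOUNT), indent=2))
    print(json.dumps(assume_role_policy(TARGET_ACCOUNTS, TARGET_ROLE), indent=2))
```

The trust policy names the whole Identity account on purpose: it keeps the explicit trust relationship from slide 5 in one place per target account, while the Identity account's `assume_role_policy` decides which federated role may use it. Because the session name lands in the target account's CloudTrail, pass something attributable (the IdP user name, for instance) rather than a constant.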
  8. Best: Review Trusted Advisor

  9. Best: Enable GuardDuty

  10. Best: Enable CloudTrail and VPC Flow Logs. Worst: Allow users to make changes to them.
  11. Example Service Control Policy (stops anyone in a member account from switching logging off; SCPs do not apply to the Organizations master account itself, and in practice the list should also cover cloudtrail:DeleteTrail and cloudtrail:UpdateTrail):
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Deny",
          "Action": [
            "cloudtrail:StopLogging",
            "ec2:DeleteFlowLogs",
            "logs:DeleteLogGroup",
            "logs:DeleteLogStream"
          ],
          "Resource": "*"
        }
      ]
    }
  12. Best: Managed services. Case in point: CVE-2019-5736 (the runc container breakout). Released: Feb 11. Patched: Feb 13.
  13. Networking

  14. Worst: Haphazard VPC Design
    • Uncontrolled subnets and CIDR ranges
    • Ad hoc security groups
    • Myriad NACLs
    • Inconsistent service placement
    • Unclear network security zones
  15. Best: Controlled VPC Design. One non-overlapping /16 per environment and region, grouped by account:
      C&C:          management  us-west-2 172.20.0.0/16   eu-west-1 10.20.0.0/16
      Development:  Dev         us-west-2 172.21.0.0/16   eu-west-1 10.21.0.0/16
                    Staging     us-west-2 172.22.0.0/16   eu-west-1 10.22.0.0/16
      Production:   Prod        us-west-2 172.23.0.0/16   eu-west-1 10.23.0.0/16
  16. Best: Controlled VPC Design. Inside the management VPC (us-west-2, 172.20.0.0/16), one /24 per tier per availability zone:
      Tier      us-west-2a       us-west-2b       us-west-2c
      Public    172.20.0.0/24    172.20.1.0/24    172.20.2.0/24
      Private   172.20.10.0/24   172.20.11.0/24   172.20.12.0/24
      Data      172.20.20.0/24   172.20.21.0/24   172.20.22.0/24
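The slide-15/16 addressing scheme generated with the standard library, as an added example (not the deck's own tooling): it reads the octet scheme off the two slides, lays out the per-tier /24s, and runs the check that matters before any peering connection is created, namely that no two VPC CIDRs overlap. The availability-zone suffixes a/b/c are an assumption.

```python
"""Added example, not from the deck: the slide-15/16 VPC plan generated
with ipaddress, plus an overlap check across all VPCs.  AZ suffixes are
assumed; the octets come from the slides."""
import ipaddress
from itertools import combinations

REGION_BASE = {"us-west-2": 172, "eu-west-1": 10}                      # first octet, slide 15
ENV_INDEX = {"management": 20, "dev": 21, "staging": 22, "prod": 23}   # second octet, slide 15
TIER_OFFSET = {"public": 0, "private": 10, "data": 20}                 # third-octet offset, slide 16
AZS = ("a", "b", "c")


def vpc_cidr(region, env):
    """The /16 for one environment in one region."""
    return ipaddress.ip_network(f"{REGION_BASE[region]}.{ENV_INDEX[env]}.0.0/16")


def subnet_plan(region, env, azs=AZS):
    """{(tier, az): /24} for one VPC: one /24 per tier per AZ, laid out so the
    third octet alone tells you the tier (0x public, 1x private, 2x data)."""
    vpc = vpc_cidr(region, env)
    plan = {}
    for tier, offset in TIER_OFFSET.items():
        for i, az in enumerate(azs):
            net = ipaddress.ip_network(
                f"{REGION_BASE[region]}.{ENV_INDEX[env]}.{offset + i}.0/24")
            assert net.subnet_of(vpc)          # scheme must stay inside the /16
            plan[(tier, f"{region}{az}")] = net
    return plan


def all_vpcs():
    return {(r, e): vpc_cidr(r, e) for r in REGION_BASE for e in ENV_INDEX}


def overlapping_vpcs(vpcs):
    """Pairs of VPCs whose CIDRs overlap.  Must be empty: VPC peering refuses
    overlapping CIDRs, and overlaps make cross-account routing ambiguous."""
    return [(a, b) for (a, na), (b, nb) in combinations(vpcs.items(), 2)
            if na.overlaps(nb)]


def usable_hosts(subnet):
    """AWS reserves the first four and the last address of every subnet."""
    return subnet.num_addresses - 5


if __name__ == "__main__":
    for (region, env), cidr in all_vpcs().items():
        print(f"{env:11} {region:10} {cidr}")
    for (tier, az), net in sorted(subnet_plan("us-west-2", "management").items()):
        print(f"  {tier:8} {az:11} {net}  ({usable_hosts(net)} usable)")
    assert not overlapping_vpcs(all_vpcs())
```

Because the second octet is unique per environment and the first octet per region, every VPC in the organization is distinguishable from any other by its first two octets, which is what keeps the peering and routing tables in the multi-account layout unambiguous.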
  17. Best: Per-service security groups. Worst: Many SGs for an instance/service.
      ❌ EC2 instance with multiple SGs attached (one opening 22; one 22 and 443; one 80 and 443)
      ✅ EC2 instance with a single SG opening 22, 80, 443
  18. Best: Use VPC endpoints. (Diagram: EC2 instance reaching an S3 bucket over the Internet, versus EC2 instance reaching the bucket through a VPC endpoint.)
  19. Worst: Open outbound SG rules

  20. Worst: CIDR range sources in security groups (❌). Best: SG ID sources (✅).
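A linter for the three security-group anti-patterns on slides 17, 19 and 20, added here as an example and not part of the deck. It runs over a constructed sample shaped like `aws ec2 describe-security-groups` and `describe-instances` output (group and instance ids are made up) and separates the one legitimate CIDR case, a public listener on an internet-facing port, from CIDR sources that should have been an SG id.

```python
"""Added example, not from the deck: flag open egress (slide 19), CIDR
ingress sources (slide 20) and instances wearing several SGs (slide 17).
SAMPLE_* are constructed in the shape of the EC2 API responses."""
import ipaddress

SAMPLE_SGS = [
    {   # internet-facing web tier: public 443 is expected, the rest is not
        "GroupId": "sg-0web", "GroupName": "web",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}],
             "UserIdGroupPairs": []},
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
        ],
        "IpPermissionsEgress": [
            {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
             "Ipv6Ranges": [], "UserIdGroupPairs": []},
        ],
    },
    {   # app tier: ingress only from the web SG, egress only to the db SG
        "GroupId": "sg-0app", "GroupName": "app",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080, "IpRanges": [],
             "Ipv6Ranges": [], "UserIdGroupPairs": [{"GroupId": "sg-0web"}]},
        ],
        "IpPermissionsEgress": [
            {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432, "IpRanges": [],
             "Ipv6Ranges": [], "UserIdGroupPairs": [{"GroupId": "sg-0db"}]},
        ],
    },
]
SAMPLE_INSTANCES = [
    {"InstanceId": "i-0web",
     "SecurityGroups": [{"GroupId": "sg-0web"}, {"GroupId": "sg-0ssh"}, {"GroupId": "sg-0mon"}]},
    {"InstanceId": "i-0app", "SecurityGroups": [{"GroupId": "sg-0app"}]},
]


def _ports(rule):
    if rule["IpProtocol"] == "-1":            # "all traffic" rules carry no ports
        return "all"
    lo, hi = rule["FromPort"], rule["ToPort"]
    return str(lo) if lo == hi else f"{lo}-{hi}"


def _cidrs(rule):
    return ([r["CidrIp"] for r in rule.get("IpRanges", [])]
            + [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])])


def lint_security_group(sg):
    """Findings as (kind, group id, detail)."""
    findings = []
    gid = sg["GroupId"]
    for rule in sg.get("IpPermissionsEgress", []):        # slide 19
        if rule["IpProtocol"] == "-1" and any(
                ipaddress.ip_network(c).prefixlen == 0 for c in _cidrs(rule)):
            findings.append(("open-egress", gid,
                             "all protocols to anywhere; scope egress to the SGs and endpoints the service talks to"))
    for rule in sg.get("IpPermissions", []):              # slide 20
        for cidr in _cidrs(rule):
            net = ipaddress.ip_network(cidr)
            if net.prefixlen == 0:
                findings.append(("public-ingress", gid,
                                 f"port {_ports(rule)} open to the internet; acceptable only for a public listener"))
            else:
                findings.append(("cidr-ingress", gid,
                                 f"port {_ports(rule)} from {net}; reference the caller's SG id instead"))
    return findings


def lint_instances(instances):
    """Slide 17: one service, one security group."""
    return [("many-sgs", i["InstanceId"],
             f"{len(i['SecurityGroups'])} groups attached; merge into one per-service group")
            for i in instances if len(i["SecurityGroups"]) > 1]


if __name__ == "__main__":
    for sg in SAMPLE_SGS:
        for finding in lint_security_group(sg):
            print(*finding)
    for finding in lint_instances(SAMPLE_INSTANCES):
        print(*finding)
```

The `sg-0app` group is the shape slide 20 recommends: both its ingress and its egress name another group rather than an address range, so the rule keeps working when instances are replaced or autoscaled and their addresses change. The SSH-from-10/8 rule on `sg-0web` is the usual way CIDR sources creep in; the fix is to reference the bastion's SG id.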
  21. Best: Monitoring SES reputation

  22. Worst: Managing TLS certificates Best: AWS Certificate Manager

  23. Identity & Access Management

  24. Basic IAM hygiene
    • Obligatory MFA
    • No static API credentials
    • Services must use roles
    • Never use the root account
    • Share the root account password and MFA secret via a password manager
    • AssumeRole for third parties
  25. Worst: Per-user policies Best: Groups and managed policies

  26. Best: Use IAM Policy Conditions
    {
      "Version": "2012-10-17",
      "Statement": {
        "Effect": "Allow",
        "Action": "ec2:*",
        "Resource": "*",
        "Condition": {
          "IpAddress": {
            "aws:SourceIp": [
              "1.2.3.0/24",
              "2001:DB8:1234:5678::/64"
            ]
          }
        }
      }
    }
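A small model of how IAM combines the slide-11 Service Control Policy with the slide-26 identity policy, added here as an example (it is not the deck's code and not a reimplementation of IAM). It covers only what those two slides need: explicit deny wins, default deny, action wildcards, and the IpAddress/NotIpAddress operators on aws:SourceIp; Resource is ignored because every statement on the slides uses "*", and real evaluation also involves resource policies, permission boundaries and session policies. The addresses are the slide's example ranges. Two caveats a practitioner hits with the slide-26 policy are built in: a request that arrives through a VPC endpoint carries no aws:SourceIp at all (aws:VpcSourceIp is the key for that case), and a call an AWS service makes on your behalf carries the service's address, so in both cases the condition fails and the action is denied.

```python
"""Added example, not from the deck: a deliberately small model of IAM
evaluation for the slide-11 SCP and the slide-26 SourceIp condition."""
import fnmatch
import ipaddress

ALLOW_ALL = {  # shape of both the FullAWSAccess SCP and AdministratorAccess
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}
LOGGING_GUARD_SCP = {  # slide 11
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Deny",
        "Action": ["cloudtrail:StopLogging", "ec2:DeleteFlowLogs",
                   "logs:DeleteLogGroup", "logs:DeleteLogStream"],
        "Resource": "*",
    }],
}
EC2_FROM_OFFICE = {  # slide 26
    "Version": "2012-10-17",
    "Statement": {
        "Effect": "Allow", "Action": "ec2:*", "Resource": "*",
        "Condition": {"IpAddress": {"aws:SourceIp": ["1.2.3.0/24", "2001:DB8:1234:5678::/64"]}},
    },
}


def _as_list(x):
    return x if isinstance(x, list) else [x]


def _action_matches(pattern, action):
    # IAM action names are case-insensitive and accept * and ? wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _condition_holds(condition, ctx):
    for op, keys in condition.items():
        if op not in ("IpAddress", "NotIpAddress"):
            raise NotImplementedError(f"operator {op} not modelled")
        negated = op == "NotIpAddress"
        for key, ranges in keys.items():
            if key not in ctx:
                # Missing key: positive operators fail, negated ones pass.
                # aws:SourceIp is absent for calls made via a VPC endpoint.
                if not negated:
                    return False
                continue
            addr = ipaddress.ip_address(ctx[key])
            inside = any(addr in ipaddress.ip_network(r, strict=False)
                         for r in _as_list(ranges))   # v4 addr never "in" a v6 net
            if inside == negated:
                return False
    return True


def _matches(stmt, action, ctx):
    return (any(_action_matches(p, action) for p in _as_list(stmt["Action"]))
            and _condition_holds(stmt.get("Condition", {}), ctx))


def _allows(policies, action, ctx):
    return any(s["Effect"] == "Allow" and _matches(s, action, ctx)
               for p in policies for s in _as_list(p["Statement"]))


def evaluate(action, identity_policies, scps=(), ctx=None):
    """'allowed' or 'denied'.  Pass scps=() for the Organizations master
    account, where SCPs do not apply; member accounts pass their SCP set."""
    ctx = ctx or {}
    for p in list(scps) + list(identity_policies):
        for s in _as_list(p["Statement"]):
            if s["Effect"] == "Deny" and _matches(s, action, ctx):
                return "denied"                    # an explicit deny anywhere wins
    if scps and not _allows(scps, action, ctx):    # the SCP set must grant it ...
        return "denied"
    return "allowed" if _allows(identity_policies, action, ctx) else "denied"  # ... and so must IAM


if __name__ == "__main__":
    member = [ALLOW_ALL, LOGGING_GUARD_SCP]
    print("admin stops CloudTrail in member account:",
          evaluate("cloudtrail:StopLogging", [ALLOW_ALL], scps=member))
    print("same call from the office:",
          evaluate("ec2:DescribeInstances", [EC2_FROM_OFFICE], ctx={"aws:SourceIp": "1.2.3.4"}))
    print("same call via a VPC endpoint (no SourceIp):",
          evaluate("ec2:DescribeInstances", [EC2_FROM_OFFICE], ctx={}))
```

The first case is the point of slide 10 and 11 together: AdministratorAccess in the member account still loses to the SCP's explicit deny, so an attacker who lands on an admin principal cannot silence CloudTrail. The last case is why the slide-26 pattern needs care in a VPC that uses the endpoints slide 18 recommends.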
  27. Worst: “Authenticated Users” permission on S3 buckets
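The "Authenticated Users" grant on slide 27 is an ACL grant to the predefined group `http://acs.amazonaws.com/groups/global/AuthenticatedUsers`, which means every AWS account in the world, not the accounts in your organization. The following added example (not from the deck) scans a bucket ACL for that grant and for its even worse sibling, AllUsers. SAMPLE_ACL is constructed in the shape of `aws s3api get-bucket-acl` output; the canonical user id is made up.

```python
"""Added example, not from the deck: find bucket ACL grants to the two
predefined groups that make a bucket effectively public."""
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
LOG_DELIVERY = "http://acs.amazonaws.com/groups/s3/LogDelivery"   # benign: S3 access-log writer

GROUP_MEANING = {
    AUTHENTICATED_USERS: "anyone with any AWS account (not just yours)",
    ALL_USERS: "anyone on the internet, no credentials needed",
}

SAMPLE_ACL = {  # constructed; shape of `aws s3api get-bucket-acl`
    "Owner": {"ID": "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser",
                     "ID": "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": AUTHENTICATED_USERS}, "Permission": "READ"},
        {"Grantee": {"Type": "Group", "URI": LOG_DELIVERY}, "Permission": "WRITE"},
    ],
}


def risky_grants(acl):
    """(permission, explanation) for every grant to AllUsers or AuthenticatedUsers."""
    out = []
    for grant in acl.get("Grants", []):
        grantee = grant["Grantee"]
        if grantee.get("Type") == "Group" and grantee.get("URI") in GROUP_MEANING:
            out.append((grant["Permission"], GROUP_MEANING[grantee["URI"]]))
    return out


def audit_buckets(s3=None):
    """Live version: {bucket: risky grants} across the account.  Needs boto3
    and credentials with s3:ListAllMyBuckets and s3:GetBucketAcl."""
    import boto3
    s3 = s3 or boto3.client("s3")
    report = {}
    for bucket in s3.list_buckets()["Buckets"]:
        grants = risky_grants(s3.get_bucket_acl(Bucket=bucket["Name"]))
        if grants:
            report[bucket["Name"]] = grants
    return report


if __name__ == "__main__":
    for permission, why in risky_grants(SAMPLE_ACL):
        print(f"{permission}: {why}")
```

To remediate, reset the ACL with `aws s3api put-bucket-acl --bucket NAME --acl private` (re-adding a log-delivery grant if the bucket receives access logs) and turn on S3 Block Public Access for the account, which treats grants to both of these groups as public and refuses new ones.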

  28. Best: Use Key Management Service

  29. Best: Secure configuration with KMS
    1. Generate a password
    2. Save it as a SecureString in SSM Parameter Store
    3. Add a policy to read the Parameter Store value
    4. Assign the policy to a role used by an ECS task/instance
    5. Read the password from Parameter Store at run time
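The five steps on slide 29 as code, added here as an example that is not from the deck. Steps 1 and 3 run offline; steps 2 and 5 need boto3 and credentials and are only exercised against a real account. The region, account id, key ARN and parameter name are hypothetical, and the key is assumed to be a customer-managed CMK whose key policy lets the task role use it.

```python
"""Added example, not from the deck: slide 29's password-in-Parameter-Store
procedure.  Identifiers are hypothetical."""
import json
import secrets
import string

REGION = "us-west-2"
ACCOUNT = "444444444444"
KEY_ARN = f"arn:aws:kms:{REGION}:{ACCOUNT}:key/11111111-2222-3333-4444-555555555555"
PARAM_NAME = "/prod/app/db-password"      # hierarchical names make scoping by prefix easy


def generate_password(length=32):
    """Step 1: a random password from the OS CSPRNG, never chosen by a human."""
    alphabet = string.ascii_letters + string.digits + "!#%+-=_"
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw)):
            return pw


def parameter_arn(region, account, name):
    # Parameter ARNs keep the leading "/" of a hierarchical name.
    return f"arn:aws:ssm:{region}:{account}:parameter{name}"


def task_role_policy(param_arns, key_arn):
    """Step 3: read exactly these parameters and decrypt with exactly this key.
    A missing kms:Decrypt is the usual reason GetParameter with
    WithDecryption=True fails with AccessDenied on a customer-managed key."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": ["ssm:GetParameter", "ssm:GetParameters"],
             "Resource": list(param_arns)},
            {"Effect": "Allow", "Action": "kms:Decrypt", "Resource": key_arn},
        ],
    }


def store_secret(name, value, key_arn, ssm=None):
    """Step 2: SecureString encrypted under the given CMK.  Overwrite=False
    makes an accidental second run fail instead of silently rotating the secret."""
    import boto3
    ssm = ssm or boto3.client("ssm", region_name=REGION)
    ssm.put_parameter(Name=name, Value=value, Type="SecureString",
                      KeyId=key_arn, Overwrite=False)


def read_secret(name, ssm=None):
    """Step 5: called at start-up by the ECS task or instance carrying the
    role from step 4, so the secret is never baked into an AMI, container
    image or task definition."""
    import boto3
    ssm = ssm or boto3.client("ssm", region_name=REGION)
    return ssm.get_parameter(Name=name, WithDecryption=True)["Parameter"]["Value"]


if __name__ == "__main__":
    print(json.dumps(task_role_policy([parameter_arn(REGION, ACCOUNT, PARAM_NAME)], KEY_ARN), indent=2))
    print(generate_password())
```

Step 4 is the attachment of `task_role_policy` to the ECS task role (or instance profile) and is done in IAM rather than in this code. Scoping the policy to the parameter ARN, not `parameter/*`, is what keeps one compromised task from reading every other service's secrets in the account.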
  30. Worst: Overly permissive policies for EC2 instances

  31. Best: Protect the metadata endpoint

  32. Resources

  33. Do: Learn from the Experts
    • The well-architected framework https://aws.amazon.com/architecture/well-architected/
    • Solutions https://aws.amazon.com/solutions
    • Security blog https://aws.amazon.com/blogs/security/
    • Security Bulletins https://aws.amazon.com/security/security-bulletins/
  34. Thank you!