Long living creds in Cloud?

Long living creds in Cloud? Do we really need it?

Ashish
February 27, 2018

Transcript

  1. Who am I?
    Ashish Rajan, https://au.linkedin.com/in/ashishrajan, @hashishrajan. Security, Startups, Public Speaker, Meetup Organiser. Trying to make cloud a safer space :) Versent – 2nd in the list of fastest growing startups in Australia for 2017 (source: BRW Australia 2017 edition). AWS Security Competency Partner.
  2. What is covered
    • What are the kinds of creds found in Cloud?
    • What do they do?
    • Are long term creds the only option?
  3. What are the kinds of creds? (AWS)
    • Email and Password
    • UserName and Password
    • API Keys (Access Keys)
    • SSH Keys (Key Pairs)
    • Windows Password Keys (Key Pairs)
    • Private keys for SSL certificates
  4. What are the kinds of creds? (Azure)
    • O365 Email and Password
    • Azure AD UserName and Password
    • API Keys (App only Access Token)
    • API Keys (User + App Access Token)
    • OS (Windows/Linux) Password
    • Storage Account Keys
    • Private keys for SSL certificates
  5. Solution
    1. Use RBAC (Role Based Access Control)
    2. Linting tools to eliminate any secrets in repositories
    3. Enable Federation between AWS and your Organisation
    4. Short Term API Keys
    Linkedin: https://au.linkedin.com/in/ashishrajan Twitter: @hashishrajan
  6. Short Term API Keys
    1. AWS – AWS STS (Security Token Service)
    2. Azure – Azure SAS (Shared Access Signature)
  7. AWS STS
    1. Instance Profile IAM Role
    2. Access Keys (Temporary)
  8. Tools
    1. Saml2aws (https://github.com/Versent/saml2aws)
    2. AWS MFA (https://github.com/lonelyplanet/aws-mfa)
    3. AWS + Azure AD (https://github.com/dtjohnson/aws-azure-login)
  9. AWS STS – Best Practice
    1. Disable STS in all regions except your own region (us-east is an exception)
    2. MFA for the use of API keys
    3. Where possible, enable Federation for centralised User Management
    4. IAM Roles should be defined with least privilege in mind
    5. Where possible, when using an IAM Instance Profile, add a conditional statement for SourceIP to prevent possible SSRF/XXE attack vectors
    6. Define a process for compromised creds/keys: IAM Users, Federated Users and 3rd Party Providers
  10. Next Evolution of security in creds (AWS)
    1. Federation enabled but an IAM User is created
    2. Root user logs into the Console
    3. Root user creates an Access Key
    4. Multiple failed login attempts by a user
    5. Multiple API calls (>5) to non-authorised services
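Slide 10 lists signals worth alerting on once long-lived creds are gone. As an added example (not part of the deck), the Python below checks those five conditions over CloudTrail-style records; the sample records, the thresholds, and treating AccessDenied / Client.UnauthorizedOperation errors as "calls to non-authorised services" are my assumptions.

```python
from collections import Counter

# Constructed CloudTrail-style records (not real data), trimmed to the fields used.
SAMPLE_EVENTS = [
    {"eventName": "ConsoleLogin", "userIdentity": {"type": "Root"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventName": "CreateAccessKey", "userIdentity": {"type": "Root"}},
    {"eventName": "CreateUser", "userIdentity": {"type": "IAMUser", "userName": "admin"}},
] + [{"eventName": "ConsoleLogin", "userIdentity": {"type": "IAMUser", "userName": "bob"},
      "responseElements": {"ConsoleLogin": "Failure"}} for _ in range(4)
] + [{"eventName": "DescribeInstances", "errorCode": "Client.UnauthorizedOperation",
      "userIdentity": {"type": "IAMUser", "userName": "eve"}} for _ in range(6)]

# Thresholds are assumptions; the deck only says "multiple" and "(>5)".
FAILED_LOGIN_THRESHOLD = 3
DENIED_CALL_THRESHOLD = 5
DENIED_CODES = {"AccessDenied", "Client.UnauthorizedOperation"}


def detect(events, federation_enabled=True):
    """Return one finding string per slide-10 condition observed in events."""
    findings = []
    failed_logins = Counter()
    denied_calls = Counter()
    for ev in events:
        ident = ev.get("userIdentity", {})
        actor = ident.get("userName") or ident.get("type", "unknown")
        name = ev.get("eventName")
        is_root = ident.get("type") == "Root"
        login_result = ev.get("responseElements", {}).get("ConsoleLogin")
        if is_root and name == "ConsoleLogin" and login_result == "Success":
            findings.append("root user logged into the console")
        if is_root and name == "CreateAccessKey":
            findings.append("root user created an access key")
        if federation_enabled and name == "CreateUser":
            findings.append(f"IAM user created by {actor} although federation is enabled")
        if name == "ConsoleLogin" and login_result == "Failure":
            failed_logins[actor] += 1
        if ev.get("errorCode") in DENIED_CODES:
            denied_calls[actor] += 1
    # Per-user counters are evaluated after the pass so repeats across events aggregate.
    for actor, n in failed_logins.items():
        if n >= FAILED_LOGIN_THRESHOLD:
            findings.append(f"{n} failed console logins by {actor}")
    for actor, n in denied_calls.items():
        if n > DENIED_CALL_THRESHOLD:
            findings.append(f"{n} calls to non-authorised services by {actor}")
    return findings
```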