
Programmatic Security AWS NY Loft 2015-10-22


Presented on October 22, 2015 at the AWS Pop-up Loft in New York City. Simple coding techniques to get you started automating security in AWS.

John Martinez

October 22, 2015


Transcript

  1. About Me
     • Been doing DevOps and Cloud stuff for ~5 years
     • Helped architect and build Creative Cloud @ Adobe
     • Cut my teeth on “the cloud” at Netflix
     • UNIX and Linux throat beard for >20 years
     • I now talk to people about security for a living
     • Random Fact: I have never piloted a drone
  2. What am I doing here?
     We’re here to scratch the surface of what we can do with the AWS API and ESP to help you with security operations. If you have to do it more than once, automate!
  3. Stuff to Know Up-front
     • I’ve been coding in Ruby lately, so all the samples are in Ruby
     • I’m no Ruby expert, so please take my code and make it better
     • The AWS SDKs are awesome
     • If you prefer Javascript / Python / Go or something else: YMMV
  4. Top 10 AWS Security Best Practices (recap)
     1. Disable root API access key and secret key
     2. Enable MFA tokens everywhere
     3. Reduce number of IAM users with Admin rights
     4. Use Roles for EC2
     5. Least privilege: limit what IAM entities can do with strong/explicit policies
     6. Rotate all the keys regularly
     7. Use IAM roles with STS AssumeRole where possible
     8. Use AutoScaling to dampen DDoS effects
     9. Do not allow 0.0.0.0/0 in any EC2/ELB security group unless you mean it
     10. Watch world-readable/listable S3 bucket policies
     0. ENABLE CLOUDTRAIL
  5. Example #1: Using IAM Roles
     • We don’t always have our dev environments on EC2
     • IAM users should follow the best practice of ‘Least Privilege’
     • Attach a very restrictive policy to IAM users
     • IAM Roles are easy to use programmatically
     • STS AssumeRole is your friend
  6. Example #2: CloudTrail Events
     • CloudTrail is the recorded history of user activity in your AWS accounts
     • A common task is to look up the events of an EC2 instance you suspect of having security issues
     • The recent LookupEvents API call allows us to look up events in CloudTrail within the last 7 days - No more digging through S3 objects!!!
  7. Example #3: Auto-remediation of Security Issues found by ESP
     • ESP = Evident Security Platform (the company I work for)
     • We believe in actionable security
     • Alerts in ESP via our SDK can be fed into the AWS SDK for automated resolution
     • Helps you enable DevSecOps
     • Example shows how to fix a Security Group with SSH open to the world
  8. Example #3: Auto-remediation of Security Issues found by ESP (Live Demo)
     Sample: https://github.com/EvidentSecurity/codesecurity/blob/master/esp_auto_remediate/esp_auto_remediate_globalssh.rb
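The remediation that Example #3 describes, as an added illustration (not the deck's esp_auto_remediate_globalssh.rb sample): it assumes the AWS SDK for Ruby v2 (`Aws::EC2::Client`, whose `describe_security_groups` / `revoke_security_group_ingress` calls are used by name, and an SDK version that exposes `ipv_6_ranges`), and the group id that an ESP alert would supply is passed in directly. It revokes only the world-open ranges of rules that cover TCP/22 (or all-traffic rules), so a rule that also allows an internal CIDR keeps that entry.

```ruby
WORLD_CIDRS = ['0.0.0.0/0', '::/0'].freeze
SSH_PORT = 22

# Does this ingress rule cover SSH? ip_protocol "-1" means all traffic.
def covers_ssh?(perm)
  return true if perm[:ip_protocol] == '-1'
  return false unless perm[:ip_protocol] == 'tcp'
  from, to = perm[:from_port], perm[:to_port]
  !from.nil? && !to.nil? && from <= SSH_PORT && SSH_PORT <= to
end

# Split a rule's CIDRs into the world-open IPv4 and IPv6 entries only.
def world_open_ranges(perm)
  v4 = (perm[:ip_ranges] || []).select { |r| WORLD_CIDRS.include?(r[:cidr_ip]) }
  v6 = (perm[:ipv_6_ranges] || []).select { |r| WORLD_CIDRS.include?(r[:cidr_ipv_6]) }
  [v4, v6]
end

# Build the ip_permissions argument for revoke_security_group_ingress.
# Only the offending (world-open, SSH-covering) ranges are listed, so a
# rule that also allows e.g. 10.0.0.0/8 keeps that entry untouched.
def global_ssh_revocations(security_group)
  (security_group[:ip_permissions] || []).each_with_object([]) do |perm, out|
    next unless covers_ssh?(perm)
    v4, v6 = world_open_ranges(perm)
    next if v4.empty? && v6.empty?
    fix = { ip_protocol: perm[:ip_protocol],
            from_port: perm[:from_port], to_port: perm[:to_port] }.compact
    fix[:ip_ranges] = v4.map { |r| { cidr_ip: r[:cidr_ip] } } unless v4.empty?
    fix[:ipv_6_ranges] = v6.map { |r| { cidr_ipv_6: r[:cidr_ipv_6] } } unless v6.empty?
    out << fix
  end
end

# Fetch one group, revoke its world-open SSH ranges, return how many rules changed.
# `ec2` is an Aws::EC2::Client; the response is converted with to_h so the
# helpers above work on plain hashes (and on a stand-in client in tests).
def remediate_global_ssh!(ec2, group_id)
  resp = ec2.describe_security_groups(group_ids: [group_id]).to_h
  sg = resp[:security_groups].first
  revocations = global_ssh_revocations(sg)
  return 0 if revocations.empty?
  ec2.revoke_security_group_ingress(group_id: group_id, ip_permissions: revocations)
  revocations.size
end
```

Wire it to an ESP alert by passing the alert's security group id as `group_id`; the caller's IAM identity needs only `ec2:DescribeSecurityGroups` and `ec2:RevokeSecurityGroupIngress`.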
  9. Example #4: ESP Custom Signatures
     • ESP allows you to write your own custom checks into the platform
     • Very useful if you want an engine working on your behalf to add to our already huge list of checks
     • Example checks for IAM access keys last used and alerts if one was used within the last hour
  10. Links
     • AWS SDK for Ruby (v2) API Reference: http://aws.amazon.com/documentation/sdk-for-ruby/
     • Evident.io Custom Signatures: https://github.com/EvidentSecurity/custom_signatures/
     • CloudTrail API Reference: http://docs.aws.amazon.com/awscloudtrail/latest/APIReference/Welcome.html
     • Evident.io SDK for Ruby: https://github.com/EvidentSecurity/esp_sdk
     • Tonight’s Code Security Samples: https://github.com/EvidentSecurity/codesecurity