~5 years
• Helped architect and build Creative Cloud @ Adobe
• Cut my teeth on “the cloud” at Netflix
• UNIX and Linux throat beard for >20 years
• I now talk to people about security for a living
• Random Fact: I have never piloted a drone
lately, so all the samples are in Ruby
• I’m no Ruby expert, so please take my code and make it better
• The AWS SDKs are awesome
• If you prefer Javascript / Python / Go or something else: YMMV
root API access key and secret key
2. Enable MFA tokens everywhere
3. Reduce number of IAM users with Admin rights
4. Use Roles for EC2
5. Least privilege: limit what IAM entities can do with strong/explicit policies
6. Rotate all the keys regularly
7. Use IAM roles with STS AssumeRole where possible
8. Use AutoScaling to dampen DDoS effects
9. Do not allow 0.0.0.0/0 in any EC2/ELB security group unless you mean it
10. Watch world-readable/listable S3 bucket policies
0. ENABLE CLOUDTRAIL
our dev environments on EC2
• IAM users should follow the best practice of ‘Least Privilege’
• Attach a very restrictive policy to IAM users
• IAM Roles are easy to use programmatically
• STS AssumeRole is your friend
of user activity in your AWS accounts
• A common task is to look up the events of an EC2 instance you suspect of having security issues
• The recent LookupEvents API call allows us to look up events in CloudTrail within the last 7 days - No more digging through S3 objects!!!
ESP = Evident Security Platform (the company I work for)
• We believe in actionable security
• Alerts in ESP via our SDK can be fed into the AWS SDK for automated resolution
• Helps you enable DevSecOps
• Example shows how to fix a Security Group with SSH open to the world
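Added example in Ruby (the deck's sample language), not code from the deck or from ESP: it flags the rule from item 9 of the list, SSH (TCP/22) open to 0.0.0.0/0, and builds the parameters a defender would pass to `Aws::EC2::Client#revoke_security_group_ingress` to close only that range. The input hash mirrors the shape of the SDK's `describe_security_groups` response, and the sample groups and `sg-0000example*` ids are constructed so it runs offline.

```ruby
# Added example (not from the deck): flag security-group ingress rules that open
# SSH (TCP/22) to all of IPv4 and build the revoke_security_group_ingress
# parameters that close just the 0.0.0.0/0 entry. Input is a plain hash shaped
# like the AWS SDK's describe_security_groups response; the sample is constructed.

WORLD_CIDR = '0.0.0.0/0'.freeze
SSH_PORT = 22

# True when the permission covers TCP port 22; "-1" means all protocols/ports.
def covers_ssh?(perm)
  proto = perm[:ip_protocol].to_s
  return true if proto == '-1'
  return false unless proto == 'tcp'
  (perm[:from_port] || 0) <= SSH_PORT && SSH_PORT <= (perm[:to_port] || 65_535)
end

# One finding per world-open SSH rule, each carrying the exact parameters for
# Aws::EC2::Client#revoke_security_group_ingress (only the 0.0.0.0/0 range is revoked).
def find_world_open_ssh(security_groups)
  security_groups.flat_map do |sg|
    (sg[:ip_permissions] || []).select do |perm|
      covers_ssh?(perm) && (perm[:ip_ranges] || []).any? { |r| r[:cidr_ip] == WORLD_CIDR }
    end.map do |perm|
      { group_id: sg[:group_id],
        revoke_params: {
          group_id: sg[:group_id],
          ip_permissions: [{ ip_protocol: perm[:ip_protocol],
                             from_port: perm[:from_port], to_port: perm[:to_port],
                             ip_ranges: [{ cidr_ip: WORLD_CIDR }] }]
        } }
    end
  end
end

# Constructed sample: the first group exposes SSH to the world (HTTPS on 443 is
# left alone); the second limits SSH to a private /24 and must not be flagged.
SAMPLE_GROUPS = [
  { group_id: 'sg-0000example1',
    ip_permissions: [
      { ip_protocol: 'tcp', from_port: 22, to_port: 22,
        ip_ranges: [{ cidr_ip: WORLD_CIDR }, { cidr_ip: '10.0.0.0/24' }] },
      { ip_protocol: 'tcp', from_port: 443, to_port: 443, ip_ranges: [{ cidr_ip: WORLD_CIDR }] }
    ] },
  { group_id: 'sg-0000example2',
    ip_permissions: [
      { ip_protocol: 'tcp', from_port: 22, to_port: 22, ip_ranges: [{ cidr_ip: '10.0.0.0/24' }] }
    ] }
].freeze
```

Against a live account you would feed it `ec2.describe_security_groups.security_groups.map(&:to_h)` and pass each finding's `revoke_params` to `revoke_security_group_ingress`; the 10.0.0.0/24 entry on the same rule survives because only the 0.0.0.0/0 range is named in the revoke.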
write your own custom checks into the platform
• Very useful if you want an engine working on your behalf to add to our already huge list of checks
• Example: checks when IAM access keys were last used and alerts if one was used within the last hour