nearly 6 years
• Helped architect and build Creative Cloud @ Adobe
• Cut my teeth on “the cloud” at Netflix
• UNIX and Linux throat beard for >20 years
• I now spend half my day talking to people about security, half my day figuring out where to take my product, and half my day writing Ruby code (trying to learn more Python)
root API access key and secret key
2. Enable MFA tokens everywhere
3. Reduce number of IAM users with Admin rights
4. Use Roles for EC2
5. Least privilege: limit what IAM entities can do with strong/explicit policies
6. Rotate all the keys regularly
7. Use IAM roles with STS AssumeRole where possible
8. Use AutoScaling to dampen DDoS effects
9. Do not allow 0.0.0.0/0 in any EC2/ELB security group unless you mean it
10. Watch world-readable/listable S3 bucket policies
0. ENABLE CLOUDTRAIL
user activity in your AWS accounts
• A common task is to look up the events of an EC2 instance you suspect of having security issues
• The recent LookupEvents API call allows us to look up events in CloudTrail within the last 7 days
- No more digging through S3 objects!!!
https://github.com/EvidentSecurity/codesecurity/blob/master/ct_instance/ct_instance.rb
dev environments on EC2
• IAM users should follow the best practice of ‘Least Privilege’
• Attach a very restrictive policy to IAM users
• IAM Roles are easy to use programmatically
• STS AssumeRole is your friend
https://github.com/EvidentSecurity/codesecurity/blob/master/assume_role/assume_role.rb
= Evident Security Platform (the company I work for)
• We believe in actionable security
• Alerts in ESP via our SDK can be fed into the AWS SDK for automated resolution
• Helps you enable DevSecOps
• Example shows how to fix a Security Group with SSH open to the world
https://github.com/EvidentSecurity/codesecurity/blob/master/esp_auto_remediate/esp_auto_remediate_globalssh.rb
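
The planning half of the "SSH open to the world" fix, as an added example (not the code from the linked repository, and it makes no AWS calls). It assumes input hashes shaped like EC2 DescribeSecurityGroups output and returns parameter hashes shaped for RevokeSecurityGroupIngress; the method names and sample groups are hypothetical.

```ruby
# Added example: plain-Ruby planning step, no AWS calls are made.
# Input hashes mirror the shape of EC2 DescribeSecurityGroups output.
WORLD_V4 = '0.0.0.0/0'
WORLD_V6 = '::/0'
SSH_PORT = 22

# True when the rule's protocol and port range admit TCP/22.
def covers_ssh?(perm)
  proto = perm[:ip_protocol].to_s
  return true if proto == '-1' # "all traffic" rule, ports are absent
  return false unless proto == 'tcp'
  (perm[:from_port]..perm[:to_port]).cover?(SSH_PORT)
end

# Returns one revoke request per offending group. Each request repeats the
# rule's exact protocol and port range (EC2 matches rules exactly) but lists
# only the world CIDRs, so narrower sources on the same rule are kept.
def plan_ssh_revocations(groups)
  groups.each_with_object([]) do |group, plan|
    perms = group[:ip_permissions].select { |p| covers_ssh?(p) }.map do |p|
      v4 = Array(p[:ip_ranges]).select { |r| r[:cidr_ip] == WORLD_V4 }
      v6 = Array(p[:ipv_6_ranges]).select { |r| r[:cidr_ipv_6] == WORLD_V6 }
      next if v4.empty? && v6.empty?
      rule = { ip_protocol: p[:ip_protocol] }
      rule[:from_port] = p[:from_port] if p[:from_port]
      rule[:to_port] = p[:to_port] if p[:to_port]
      rule[:ip_ranges] = v4.map { |r| { cidr_ip: r[:cidr_ip] } } unless v4.empty?
      rule[:ipv_6_ranges] = v6.map { |r| { cidr_ipv_6: r[:cidr_ipv_6] } } unless v6.empty?
      rule
    end.compact
    plan << { group_id: group[:group_id], ip_permissions: perms } unless perms.empty?
  end
end

# Constructed sample data (group ids and CIDRs are made up).
SAMPLE_GROUPS = [
  { group_id: 'sg-11111111', ip_permissions: [
    { ip_protocol: 'tcp', from_port: 22, to_port: 22,
      ip_ranges: [{ cidr_ip: '0.0.0.0/0' }, { cidr_ip: '203.0.113.0/24' }] }] },
  { group_id: 'sg-22222222', ip_permissions: [
    { ip_protocol: 'tcp', from_port: 0, to_port: 65_535, ip_ranges: [],
      ipv_6_ranges: [{ cidr_ipv_6: '::/0' }] }] },
  { group_id: 'sg-33333333', ip_permissions: [
    { ip_protocol: 'tcp', from_port: 443, to_port: 443,
      ip_ranges: [{ cidr_ip: '0.0.0.0/0' }] },
    { ip_protocol: 'tcp', from_port: 22, to_port: 22,
      ip_ranges: [{ cidr_ip: '10.0.0.0/8' }] }] }
].freeze
plan_ssh_revocations(SAMPLE_GROUPS).each { |req| puts req.inspect }
```

A wide rule such as 0-65535 is revoked whole for the world CIDR, which also closes every other port it exposed, so review the plan before handing it to the EC2 client.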
Security Fundamentals for DevOps Shops
https://www.youtube.com/watch?v=24cQlLk28hk
On the Marriage of SecOps and DevOps
https://www.youtube.com/watch?v=t4m29T0deUE
Security Automation for DevOps
https://www.youtube.com/watch?v=3MDbnpLGIFg
Article: Bridging the gap between DevOps and Security
http://devops.com/2015/12/03/bridging-the-gap-between-devops-and-security/
DevOps and Security Case Study
https://www.youtube.com/watch?v=VfDdaJCaoe4
https://www.youtube.com/watch?v=Tb9t0xq3TyY