
Security on AWS - San Diego AWS Meetup 2016-03-15

Deep-dive discussion and live demonstration on how to improve security awareness between IT, Dev and Ops teams, with real-world code examples of how to bring security into your application delivery model and reduce risk through DevOps integration and security and compliance automation.

John Martinez

March 15, 2016

Transcript

  1. About Me
     • Been doing DevOps and Cloud stuff for nearly 6 years
     • Helped architect and build Creative Cloud @ Adobe
     • Cut my teeth on “the cloud” at Netflix
     • UNIX and Linux throat beard for >20 years
     • I now spend half my day talking to people about security and half my day figuring out how to do latte art
  2. What am I doing here?
     We’re here to talk about patterns in doing Secure DevOps on AWS …and maybe even check out a few code snippets…
  3. Top 10 AWS Security Best Practices (recap)
     1. Disable root API access key and secret key
     2. Enable MFA tokens everywhere
     3. Reduce number of IAM users with Admin rights
     4. Use Roles for EC2
     5. Least privilege: limit what IAM entities can do with strong/explicit policies
     6. Rotate all the keys regularly
     7. Use IAM roles with STS AssumeRole where possible
     8. Use AutoScaling to dampen DDoS effects
     9. Do not allow 0.0.0.0/0 in any EC2/ELB security group unless you mean it
     10. Watch world-readable/listable S3 bucket policies
     0. ENABLE CLOUDTRAIL
  4. Visibility Traits
     • Security is a shared responsibility, so give everyone visibility
     • Centralized application, activity and network logging
     • Off-host and off-network automated security analysis
  5. Example: CloudTrail Events
     • CloudTrail is the recorded history of user activity in your AWS accounts
     • A common task is to look up the events of an EC2 instance you suspect of having security issues
     • The recent LookupEvents API call lets us look up events in CloudTrail from the last 7 days - no more digging through S3 objects!!!
     https://github.com/EvidentSecurity/codesecurity/blob/master/ct_instance/ct_instance.rb
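The lookup described on this slide, as an added example that is not code from the deck or from the EvidentSecurity/codesecurity repo: it filters LookupEvents on the ResourceName attribute for one instance id, bounds the query to the 7-day window, and follows next_token until the result set is exhausted. The client is duck-typed (anything with a lookup_events method whose result responds to events and next_token, which matches Aws::CloudTrail::Client); FakeCloudTrail, the instance ids and the SAMPLE_* events are constructed so the example runs offline.

```ruby
require 'json'
require 'time'

# Added example, not code from the deck or the EvidentSecurity/codesecurity repo.
# ASSUMPTIONS: the client is duck-typed (Aws::CloudTrail::Client fits);
# FakeCloudTrail and the SAMPLE_* data are constructed stand-ins.

# LookupEvents only reaches back a limited window; the deck cites 7 days.
LOOKUP_WINDOW_SECONDS = 7 * 24 * 60 * 60

# Returns compact hashes for every event in the window that names instance_id.
def instance_events(client, instance_id, now: Time.now)
  params = {
    lookup_attributes: [{ attribute_key: 'ResourceName', attribute_value: instance_id }],
    start_time: now - LOOKUP_WINDOW_SECONDS,
    end_time: now,
    max_results: 50
  }
  events = []
  loop do
    page = client.lookup_events(params)
    page.events.each do |e|
      # The full record is nested as a JSON string in cloud_trail_event.
      record = JSON.parse(e.cloud_trail_event)
      events << { time: e.event_time, name: e.event_name, user: e.username,
                  source: e.event_source, source_ip: record['sourceIPAddress'] }
    end
    break if page.next_token.nil?
    params = params.merge(next_token: page.next_token)
  end
  events
end

# ---- constructed stand-in for the real client ------------------------------
SampleEvent = Struct.new(:event_time, :event_name, :username, :event_source,
                         :resources, :cloud_trail_event)
SamplePage  = Struct.new(:events, :next_token)

class FakeCloudTrail
  attr_reader :calls

  def initialize(events, page_size: 2)
    @events = events
    @page_size = page_size
    @calls = []
  end

  # Honors the ResourceName attribute, the time window and next_token paging.
  def lookup_events(params)
    @calls << params
    wanted = params[:lookup_attributes].first[:attribute_value]
    matching = @events.select do |e|
      e.event_time.between?(params[:start_time], params[:end_time]) &&
        e.resources.any? { |r| r[:resource_name] == wanted }
    end
    offset = params[:next_token].to_i # nil.to_i is 0, i.e. the first page
    slice = matching[offset, @page_size] || []
    next_offset = offset + @page_size
    SamplePage.new(slice, next_offset < matching.size ? next_offset.to_s : nil)
  end
end

def sample_event(time, name, user, ip, instance_id)
  SampleEvent.new(time, name, user, 'ec2.amazonaws.com',
                  [{ resource_type: 'AWS::EC2::Instance', resource_name: instance_id }],
                  JSON.generate({ 'eventName' => name, 'sourceIPAddress' => ip }))
end

SAMPLE_NOW = Time.utc(2016, 3, 15, 12, 0, 0)
SUSPECT    = 'i-0abc12345' # constructed instance id
SAMPLE_EVENTS = [
  sample_event(SAMPLE_NOW - 3_600,       'StopInstances',           'alice', '203.0.113.10', SUSPECT),
  sample_event(SAMPLE_NOW - 7_200,       'ModifyInstanceAttribute', 'bob',   '198.51.100.7', SUSPECT),
  sample_event(SAMPLE_NOW - 3_600,       'TerminateInstances',      'alice', '203.0.113.10', 'i-0ffff0000'),
  sample_event(SAMPLE_NOW - 2 * 86_400,  'RunInstances',            'alice', '203.0.113.10', SUSPECT),
  sample_event(SAMPLE_NOW - 10 * 86_400, 'RunInstances',            'carol', '192.0.2.44',   SUSPECT) # outside window
]

if $PROGRAM_NAME == __FILE__
  instance_events(FakeCloudTrail.new(SAMPLE_EVENTS), SUSPECT, now: SAMPLE_NOW).each do |ev|
    puts "#{ev[:time].iso8601}  #{ev[:name]}  by #{ev[:user]} from #{ev[:source_ip]}"
  end
end
```

With the real SDK, swap FakeCloudTrail for Aws::CloudTrail::Client.new(region: ...); the paging loop is the part people forget, since a busy instance easily exceeds one page of results.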
  6. Identity Management Traits
     • Temporary credentials
     • Non-static API keys for applications
     • Identity federation
     • Policies reflect “least privilege”
  7. Example: Using IAM Roles
     • We don’t always have our dev environments on EC2
     • IAM users should follow the best practice of ‘Least Privilege’
     • Attach a very restrictive policy to IAM users
     • IAM Roles are easy to use programmatically
     • STS AssumeRole is your friend
     https://github.com/EvidentSecurity/codesecurity/blob/master/assume_role/assume_role.rb
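The pattern from slides 6 and 7, as an added example that is not code from the deck or from the EvidentSecurity/codesecurity repo: the IAM user on the laptop gets a policy that allows nothing but sts:AssumeRole on one role, the role's trust policy names that user and requires an ExternalId, and the code obtains short-lived credentials and checks their expiry before reusing them. The account id 123456789012, the user and role names and the ExternalId are placeholders; the STS client is duck-typed (Aws::STS::Client fits) and FakeSTS is constructed so the example runs offline.

```ruby
require 'json'
require 'time'

# Added example, not code from the deck or the EvidentSecurity/codesecurity repo.
# ASSUMPTIONS: account, user, role and ExternalId are placeholders; the STS
# client is duck-typed (Aws::STS::Client fits); FakeSTS is a constructed stand-in.

ACCOUNT     = '123456789012'
ROLE_ARN    = "arn:aws:iam::#{ACCOUNT}:role/DevReadOnly"
USER_ARN    = "arn:aws:iam::#{ACCOUNT}:user/alice"
EXTERNAL_ID = 'sd-meetup-demo'

# The IAM user keeps long-lived keys on a laptop, so it gets exactly one permission.
DEV_USER_POLICY = {
  'Version' => '2012-10-17',
  'Statement' => [{ 'Effect' => 'Allow', 'Action' => 'sts:AssumeRole', 'Resource' => ROLE_ARN }]
}

# The role's trust policy names the user and requires the ExternalId.
ROLE_TRUST_POLICY = {
  'Version' => '2012-10-17',
  'Statement' => [{
    'Effect' => 'Allow',
    'Principal' => { 'AWS' => USER_ARN },
    'Action' => 'sts:AssumeRole',
    'Condition' => { 'StringEquals' => { 'sts:ExternalId' => EXTERNAL_ID } }
  }]
}

# Obtains temporary credentials; the duration is kept at the STS minimum on purpose.
def assume_role_credentials(sts, role_arn:, session_name:, external_id:, duration_seconds: 900)
  resp = sts.assume_role(role_arn: role_arn, role_session_name: session_name,
                         external_id: external_id, duration_seconds: duration_seconds)
  c = resp.credentials
  { access_key_id: c.access_key_id, secret_access_key: c.secret_access_key,
    session_token: c.session_token, expiration: c.expiration }
end

# True while more than `margin` seconds remain; callers re-assume instead of
# retrying after an ExpiredToken error.
def credentials_usable?(creds, now: Time.now, margin: 60)
  creds[:expiration] - now > margin
end

# ---- constructed stand-in for Aws::STS::Client ----------------------------
FakeCredentials = Struct.new(:access_key_id, :secret_access_key, :session_token, :expiration)
FakeResponse    = Struct.new(:credentials)

class FakeSTS
  class AccessDenied < StandardError; end

  def initialize(trust_policy, now: Time.now)
    @trust = trust_policy
    @now = now
  end

  # Enforces the trust policy's ExternalId condition and the STS duration floor.
  def assume_role(params)
    required = @trust['Statement'].first['Condition']['StringEquals']['sts:ExternalId']
    raise AccessDenied, 'ExternalId mismatch' unless params[:external_id] == required
    raise ArgumentError, 'duration_seconds below 900' if params[:duration_seconds] < 900
    FakeResponse.new(FakeCredentials.new('ASIAEXAMPLE', 'EXAMPLESECRET', 'EXAMPLESESSIONTOKEN',
                                         @now + params[:duration_seconds]))
  end
end

if $PROGRAM_NAME == __FILE__
  sts = FakeSTS.new(ROLE_TRUST_POLICY)
  creds = assume_role_credentials(sts, role_arn: ROLE_ARN, session_name: 'alice-laptop',
                                  external_id: EXTERNAL_ID)
  puts JSON.pretty_generate(DEV_USER_POLICY)
  puts "temporary key #{creds[:access_key_id]} expires #{creds[:expiration].utc.iso8601}"
end
```

The credentials hash maps straight onto Aws::Credentials.new(access_key_id, secret_access_key, session_token) for building the EC2 or S3 client you actually work with; nothing in the user's own policy lets it touch those services directly.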
  8. Automated Response Traits
     • Tighten up window of opportunity
     • Event-driven response
     • Fix at 2:00am, sort the consequences in the morning
  9. Example: Auto-remediation of Security Issues found by ESP
     • ESP = Evident Security Platform (the company I work for)
     • We believe in actionable security
     • Alerts in ESP via our SDK can be fed into the AWS SDK for automated resolution
     • Helps you enable DevSecOps
     • Example shows how to fix a Security Group with SSH open to the world
     https://github.com/EvidentSecurity/codesecurity/blob/master/esp_auto_remediate/esp_auto_remediate_globalssh.rb
     LAMBDA FUNCTION IN PROGRESS
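The remediation this slide describes, as an added example that is not the deck's esp_auto_remediate_globalssh.rb and not ESP's SDK: given the describe_security_groups data for a group an alert flagged, it finds every ingress entry that admits TCP/22 (or all traffic) from 0.0.0.0/0 or ::/0 and revokes exactly those CIDRs, so a rule that also lists an internal range keeps the internal part. The group is assumed to be in the hash form of an Aws::EC2 security group, the EC2 client is duck-typed (Aws::EC2::Client fits), and FakeEC2 and SAMPLE_GROUP are constructed so the example runs offline.

```ruby
# Added example, not code from the deck or the EvidentSecurity/codesecurity repo.
# ASSUMPTIONS: `group` is the hash form of a security group as
# describe_security_groups returns it; the EC2 client is duck-typed;
# FakeEC2 and SAMPLE_GROUP are constructed stand-ins.

WORLD_V4 = '0.0.0.0/0'
WORLD_V6 = '::/0'

# Does this permission admit the port? '-1' means all protocols and ports.
def admits_port?(perm, port)
  return true if perm[:ip_protocol] == '-1'
  return false unless perm[:ip_protocol] == 'tcp'
  perm[:from_port] <= port && port <= perm[:to_port]
end

# Returns ip_permissions entries, shaped for RevokeSecurityGroupIngress, that
# carry only the world-open CIDRs of each offending rule.
def global_ssh_permissions(group, port: 22)
  group[:ip_permissions].map do |perm|
    next unless admits_port?(perm, port)
    v4 = (perm[:ip_ranges] || []).select { |r| r[:cidr_ip] == WORLD_V4 }
    v6 = (perm[:ipv_6_ranges] || []).select { |r| r[:cidr_ipv_6] == WORLD_V6 }
    next if v4.empty? && v6.empty?
    revoke = { ip_protocol: perm[:ip_protocol] }
    unless perm[:ip_protocol] == '-1' # all-traffic rules carry no port range
      revoke[:from_port] = perm[:from_port]
      revoke[:to_port]   = perm[:to_port]
    end
    revoke[:ip_ranges]    = v4 unless v4.empty?
    revoke[:ipv_6_ranges] = v6 unless v6.empty?
    revoke
  end.compact
end

# Revokes the offending CIDRs and returns what was revoked (empty if clean).
def remediate_global_ssh(ec2, group)
  offending = global_ssh_permissions(group)
  return [] if offending.empty?
  ec2.revoke_security_group_ingress(group_id: group[:group_id], ip_permissions: offending)
  offending
end

# ---- constructed stand-in for Aws::EC2::Client ----------------------------
class FakeEC2
  attr_reader :calls

  def initialize
    @calls = []
  end

  def revoke_security_group_ingress(params)
    @calls << params
  end
end

SAMPLE_GROUP = {
  group_id: 'sg-0123abcd',
  ip_permissions: [
    # SSH from the world and from the corporate range: only the world part goes.
    { ip_protocol: 'tcp', from_port: 22, to_port: 22,
      ip_ranges: [{ cidr_ip: '0.0.0.0/0' }, { cidr_ip: '10.0.0.0/8' }] },
    # Public HTTP is intended and left alone.
    { ip_protocol: 'tcp', from_port: 80, to_port: 80, ip_ranges: [{ cidr_ip: '0.0.0.0/0' }] },
    # A range that happens to cover 22, open over IPv6.
    { ip_protocol: 'tcp', from_port: 20, to_port: 25, ipv_6_ranges: [{ cidr_ipv_6: '::/0' }] },
    # UDP/22 is not SSH; ignored.
    { ip_protocol: 'udp', from_port: 22, to_port: 22, ip_ranges: [{ cidr_ip: '0.0.0.0/0' }] }
  ]
}

if $PROGRAM_NAME == __FILE__
  ec2 = FakeEC2.new
  remediate_global_ssh(ec2, SAMPLE_GROUP).each { |perm| puts "revoked: #{perm.inspect}" }
end
```

Revoking only the world CIDR rather than the whole rule is what keeps the 2:00am fix from also cutting off the people who were allowed in; the port-range check matters because 0-65535 or 20-25 exposes SSH just as well as a rule that says 22.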
  10. Proactive Security Traits
     • Secure before it’s even a problem
     • Incorporate security into your CI/CD workflows
     • Automated test deployments
     • reject if insecure || approve if secure
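A pre-deployment gate for the "reject if insecure || approve if secure" step, as an added example that is not code from the deck or from EvidentSecurity/codesecurity: it parses a CloudFormation template and rejects it when any IAM policy in it allows a wildcard action ("*" or "service:*") on Resource "*", or uses NotAction/NotResource in an Allow statement, which is the least-privilege rule from the best-practices slide applied before anything is deployed. SAMPLE_TEMPLATE and SAFE_TEMPLATE are constructed; the resource, policy and queue names and the account id are placeholders.

```ruby
require 'json'

# Added example, not code from the deck or the EvidentSecurity/codesecurity repo.
# ASSUMPTIONS: templates are JSON; SAMPLE_TEMPLATE and SAFE_TEMPLATE are
# constructed, with placeholder names and account id.

IAM_PRINCIPAL_TYPES = %w[AWS::IAM::Role AWS::IAM::User AWS::IAM::Group]
IAM_POLICY_TYPES    = %w[AWS::IAM::Policy AWS::IAM::ManagedPolicy]

# IAM lets Statement, Action and Resource be a single value or a list.
def as_list(value)
  value.is_a?(Array) ? value : [value]
end

# Yields [logical_id, policy_name, policy_document] for every policy in the
# template, whether inline on a role/user/group or a standalone policy resource.
def each_policy_document(template)
  (template['Resources'] || {}).each do |logical_id, res|
    props = res['Properties'] || {}
    if IAM_PRINCIPAL_TYPES.include?(res['Type'])
      (props['Policies'] || []).each { |p| yield logical_id, p['PolicyName'], p['PolicyDocument'] }
    elsif IAM_POLICY_TYPES.include?(res['Type'])
      yield logical_id, props['PolicyName'] || props['ManagedPolicyName'] || logical_id, props['PolicyDocument']
    end
  end
end

def wildcard_action?(action)
  action == '*' || action.end_with?(':*')
end

# Returns a reason string when the statement violates least privilege, else nil.
def statement_violation(st)
  return nil unless st['Effect'] == 'Allow'
  return 'Allow statement uses NotAction/NotResource' if st.key?('NotAction') || st.key?('NotResource')
  wild = as_list(st['Action']).compact.select { |a| wildcard_action?(a) }
  return nil if wild.empty? || !as_list(st['Resource']).include?('*')
  "wildcard action #{wild.join(',')} on Resource *"
end

def policy_findings(template)
  findings = []
  each_policy_document(template) do |logical_id, name, doc|
    as_list(doc['Statement']).each_with_index do |st, i|
      reason = statement_violation(st)
      findings << { resource: logical_id, policy: name, statement: i, reason: reason } if reason
    end
  end
  findings
end

# The CI/CD decision: [:reject, findings] or [:approve, []].
def deploy_gate(template_json)
  findings = policy_findings(JSON.parse(template_json))
  findings.empty? ? [:approve, []] : [:reject, findings]
end

# ---- constructed templates -------------------------------------------------
EC2_TRUST = { 'Version' => '2012-10-17', 'Statement' => [{ 'Effect' => 'Allow',
              'Principal' => { 'Service' => 'ec2.amazonaws.com' }, 'Action' => 'sts:AssumeRole' }] }
READ_QUEUE = { 'PolicyName' => 'ReadQueue', 'PolicyDocument' => { 'Version' => '2012-10-17',
               'Statement' => [{ 'Effect' => 'Allow', 'Action' => %w[sqs:ReceiveMessage sqs:DeleteMessage],
                                 'Resource' => 'arn:aws:sqs:us-west-2:123456789012:orders' }] } }
DEBUG_ALL  = { 'PolicyName' => 'DebugEverything', 'PolicyDocument' => { 'Version' => '2012-10-17',
               'Statement' => { 'Effect' => 'Allow', 'Action' => '*', 'Resource' => '*' } } }
LOGS_READ  = { 'Effect' => 'Allow', 'Action' => ['s3:GetObject'], 'Resource' => 'arn:aws:s3:::app-logs/*' }
IAM_ADMIN  = { 'Effect' => 'Allow', 'Action' => 'iam:*', 'Resource' => ['*'] }

def build_template(role_policies, ops_statements)
  JSON.generate('AWSTemplateFormatVersion' => '2010-09-09', 'Resources' => {
    'AppRole'   => { 'Type' => 'AWS::IAM::Role',
                     'Properties' => { 'AssumeRolePolicyDocument' => EC2_TRUST, 'Policies' => role_policies } },
    'OpsPolicy' => { 'Type' => 'AWS::IAM::ManagedPolicy',
                     'Properties' => { 'PolicyDocument' => { 'Version' => '2012-10-17', 'Statement' => ops_statements } } }
  })
end

SAMPLE_TEMPLATE = build_template([READ_QUEUE, DEBUG_ALL], [LOGS_READ, IAM_ADMIN])
SAFE_TEMPLATE   = build_template([READ_QUEUE], [LOGS_READ])

if $PROGRAM_NAME == __FILE__
  decision, findings = deploy_gate(SAMPLE_TEMPLATE)
  puts decision
  findings.each { |f| puts "  #{f[:resource]}/#{f[:policy]} statement #{f[:statement]}: #{f[:reason]}" }
end
```

Wire deploy_gate into the pipeline stage that runs before the CloudFormation stack is created and fail the build on :reject; the findings carry the logical id and statement index so the developer can fix the exact statement rather than hunt through the template.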
  11. Example: Jobvite on DevOps Security
     • Success story for secure DevOps
     https://evident.io/resources/jobvite-on-devops-security/
  12. What to Take Away
     1. Don’t wait for security to come to you – chase it
     2. Automate your security behaviors
     3. Champion the marriage of DevOps & Security
  13. Additional Resources
     evident.io Blog: https://blog.evident.io/
     DevOps and Security Webinars:
     • Security Fundamentals for DevOps Shops https://www.youtube.com/watch?v=24cQlLk28hk
     • On the Marriage of SecOps and DevOps https://www.youtube.com/watch?v=t4m29T0deUE
     • Security Automation for DevOps https://www.youtube.com/watch?v=3MDbnpLGIFg
     Article: Bridging the gap between DevOps and Security http://devops.com/2015/12/03/bridging-the-gap-between-devops-and-security/
     DevOps and Security Case Study https://www.youtube.com/watch?v=VfDdaJCaoe4 https://www.youtube.com/watch?v=Tb9t0xq3TyY