Improve your security posture with AWS CloudFormation

Transcript

1. None

2. © 2018, Amazon Web Services, Inc. or its affiliates. All

   rights reserved. Improve your security posture with AWS CloudFormation Luis Colon
 Sr Developer Advocate
 AWS CloudFormation D E V 3 4 1 Anuradha Garg
 Sw Development Engineer
 AWS CloudFormation Sam Hennessy Solutions Architect
 AWS

3. © 2018, Amazon Web Services, Inc. or its affiliates. All

   rights reserved. Agenda Improving your security posture Guidelines from the Center of Internet Security Demo: CLI tool to run checks Demo: Use CFN to deploy equivalent Config Rules AWS CloudFormation

4. © 2018, Amazon Web Services, Inc. or its affiliates. All

   rights reserved. Before We Start… Be aware of a few basic things… What are the typical vulnerabilities? Are you writing secure code? How’s your monitoring game?

5. What are typical vulnerabilities?

6. © 2018, Amazon Web Services, Inc. or its affiliates. All

   rights reserved. Common Vulnerabilities: OWASP Top 10

7. © 2018, Amazon Web Services, Inc. or its affiliates. All

   rights reserved. Common Vulnerabilities: PureSec Top 10

8. Are you writing secure code?

9. © 2018, Amazon Web Services, Inc. or its affiliates. All

   rights reserved. Avoiding Injection

10. © 2018, Amazon Web Services, Inc. or its affiliates. All

    rights reserved. Avoiding Injection
11. None

12. © 2018, Amazon Web Services, Inc. or its affiliates. All

    rights reserved. 3rd Party Dependencies

13. © 2018, Amazon Web Services, Inc. or its affiliates. All

    rights reserved. 3rd Party Dependencies 2 Direct 19 Indirect ~191k LOC

14. © 2018, Amazon Web Services, Inc. or its affiliates. All

    rights reserved. Flow Manipulation

15. How’s your monitoring game?

16. © 2018, Amazon Web Services, Inc. or its affiliates. All

    rights reserved.

17. © 2018, Amazon Web Services, Inc. or its affiliates. All

    rights reserved. Monitoring & Logging • AWS CloudWatch • AWS CloudTrail • AWS Config • AWS ConfigRules •AWS X-Ray • Amazon Macie • Dashbird • …no need to write your own

18. © 2018, Amazon Web Services, Inc. or its affiliates. All

    rights reserved. Monitoring & Logging • AWS CloudWatch • AWS CloudTrail • AWS Config • AWS ConfigRules • AWS X-Ray • Amazon Macie •Dashbird • …no need to write your own

19. Automating Controls

20. © 2018, Amazon Web Services, Inc. or its affiliates. All

    rights reserved.

21. © 2018, Amazon Web Services, Inc. or its affiliates. All

    rights reserved. CIS AWS Foundations

22. © 2018, Amazon Web Services, Inc. or its affiliates. All

    rights reserved. CIS Rules • Prowler • Checks CIS • Adds other rules • Check per account/region

23. © 2018, Amazon Web Services, Inc. or its affiliates. All

    rights reserved. CIS Benchmark on AWS https://aws.amazon.com/quickstart/architecture/compliance-cis-benchmark/

24. © 2018, Amazon Web Services, Inc. or its affiliates. All

    rights reserved. CIS Benchmark on AWS https://aws.amazon.com/quickstart/architecture/compliance-cis-benchmark/ Delivered to CloudWatch Logs S3 Bucket encrypted with AWS KMS Alarms Events Rules Custom Lambda Functions Lambda Functions Custom AWS Config Rules AWS Config Rules Email Notifications •Some controls implemented as custom AWS Config rules •CloudWatch alarms and custom log metric filters for continuous monitoring •CloudWatch event rules •Lambda functions back all custom AWS Config and CloudWatch events •CloudWatch rules and events depend on CloudTrail

25. © 2018, Amazon Web Services, Inc. or its affiliates. All

    rights reserved. CIS Benchmark: Deploying with CloudFormation • Select Profile Level (1 or 2) • Enable CloudWatch and CloudTrail • Implemented as a nested stack • Requires email for CloudWatch notifications • over 90 resources are implemented

26. © 2018, Amazon Web Services, Inc. or its affiliates. All

    rights reserved. CIS Benchmark: Deploying with CloudFormation

27. © 2018, Amazon Web Services, Inc. or its affiliates. All

    rights reserved. Generated AWS CloudWatch Rules

28. © 2018, Amazon Web Services, Inc. or its affiliates. All

    rights reserved. Generated AWS Config Rules

29. © 2018, Amazon Web Services, Inc. or its affiliates. All

    rights reserved. AWS Lambda Functions for Rules • Inspect the code • Customize it!

30. © 2018, Amazon Web Services, Inc. or its affiliates. All

    rights reserved. Additional Advice • Reuse existing authentication systems • AWS Cognito, Auth0, JWT • Least Privilege • No * in IAM policies • No individual permissions (use roles/groups) • Make policies per function, not a global one • Protect secrets • Don’t expose in logs, code or alerts • Extract parameters - use SSM Parameter Store • Encryption • Rotate keys to mitigate events • Use Secrets Manager •Use the tools at your disposal •Don't create new tools if you don’t have to! •Your own audits •Log logins, failed logins, account changes (password changes, email changes), confirm db transactions… • have thresholds on logins from an address, db connections, queries per second •DoS becomes DoW •Rotate credentials •Separate credentials and policies for different functions •Harden accounts and environments •Automate your controls

31. Thank you! © 2018, Amazon Web Services, Inc. or its

    affiliates. All rights reserved. Luis Colon
 Sr Developer Advocate
 AWS CloudFormation Anuradha Garg
 Sw Development Engineer
 AWS CloudFormation Sam Hennessy Solutions Architect
 AWS

32. Please complete the session survey in the mobile app. !

    © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.