Improve your security posture with AWS CloudFormation

There are many ways to improve your security controls in AWS accounts. In this session, we'll cover how to leverage guidelines from the Center of Internet Security (CIS), how to augment security checks, and how to build and secure AWS resources with additional tools. Armed with the information in this session, you will be able to harden new AWS accounts and implement security best practices from Day One.

Luis Colon @ AWS

December 11, 2018
Transcript

  1. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
     Improve your security posture with AWS CloudFormation (DEV341)
     Luis Colon, Sr Developer Advocate, AWS CloudFormation
     Anuradha Garg, Sw Development Engineer, AWS CloudFormation
     Sam Hennessy, Solutions Architect, AWS
  2. Agenda
     • Improving your security posture
     • Guidelines from the Center of Internet Security
     • Demo: CLI tool to run checks
     • Demo: Use CFN to deploy equivalent Config Rules
  3. Before We Start… Be aware of a few basic things…
     • What are the typical vulnerabilities?
     • Are you writing secure code?
     • How’s your monitoring game?
  4. Common Vulnerabilities: OWASP Top 10
  5. Common Vulnerabilities: PureSec Top 10
  6. Avoiding Injection
  7. Avoiding Injection
  8. 3rd Party Dependencies
  9. 3rd Party Dependencies: 2 direct, 19 indirect, ~191k LOC
  10. Monitoring & Logging
     • AWS CloudWatch
     • AWS CloudTrail
     • AWS Config
     • AWS Config Rules
     • AWS X-Ray
     • Amazon Macie
     • Dashbird
     • …no need to write your own
  11. Monitoring & Logging (same list as slide 10)
  12. CIS AWS Foundations
  13. CIS Rules
     • Prowler
     • Checks CIS
     • Adds other rules
     • Check per account/region
  14. CIS Benchmark on AWS: https://aws.amazon.com/quickstart/architecture/compliance-cis-benchmark/
  15. CIS Benchmark on AWS (architecture diagram, same URL as slide 14)
     Diagram labels: Delivered to CloudWatch Logs; S3 Bucket encrypted with AWS KMS; Alarms; Events Rules; Custom Lambda Functions; Lambda Functions; Custom AWS Config Rules; AWS Config Rules; Email Notifications
     • Some controls implemented as custom AWS Config rules
     • CloudWatch alarms and custom log metric filters for continuous monitoring
     • CloudWatch event rules
     • Lambda functions back all custom AWS Config and CloudWatch events
     • CloudWatch rules and events depend on CloudTrail
  16. CIS Benchmark: Deploying with CloudFormation
     • Select Profile Level (1 or 2)
     • Enable CloudWatch and CloudTrail
     • Implemented as a nested stack
     • Requires email for CloudWatch notifications
     • Over 90 resources are implemented
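The metric-filter-plus-alarm pattern that slides 15 and 16 describe, as an added example that is not the Quick Start's own template: one CloudFormation template that turns root-account activity in the CloudTrail log group into a CloudWatch alarm delivered by email. The log group name, the CISBenchmark namespace and the metric name are assumptions.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: >-
  Added example: one CIS-style monitoring control as a CloudWatch Logs
  metric filter plus alarm. Assumes CloudTrail already writes to the group.
Parameters:
  CloudTrailLogGroupName:
    Type: String
    Description: Existing CloudWatch Logs group that CloudTrail writes to
  NotificationEmail:
    Type: String
    Description: Address that receives alarm notifications
Resources:
  AlarmTopic:
    Type: AWS::SNS::Topic
  AlarmEmailSubscription:
    Type: AWS::SNS::Subscription
    Properties:
      TopicArn: !Ref AlarmTopic
      Protocol: email
      Endpoint: !Ref NotificationEmail
  # Count events made with root credentials. The invokedBy and eventType
  # tests drop service-initiated events, so a hit means a person (or a
  # leaked root key) actually used the account.
  RootUsageMetricFilter:
    Type: AWS::Logs::MetricFilter
    Properties:
      LogGroupName: !Ref CloudTrailLogGroupName
      FilterPattern: '{ $.userIdentity.type = "Root" && $.userIdentity.invokedBy NOT EXISTS && $.eventType != "AwsServiceEvent" }'
      MetricTransformations:
        - MetricNamespace: CISBenchmark     # assumed namespace
          MetricName: RootAccountUsageCount
          MetricValue: '1'
  # Alarm on a single hit within a 5-minute window. Namespace and
  # MetricName must match the transformation above or the alarm never fires.
  RootUsageAlarm:
    Type: AWS::CloudWatch::Alarm
    Properties:
      AlarmName: CIS-RootAccountUsage
      AlarmDescription: Root account credentials were used
      Namespace: CISBenchmark
      MetricName: RootAccountUsageCount
      Statistic: Sum
      Period: 300
      EvaluationPeriods: 1
      Threshold: 1
      ComparisonOperator: GreaterThanOrEqualToThreshold
      TreatMissingData: notBreaching
      AlarmActions:
        - !Ref AlarmTopic
```

The email subscription stays pending until the recipient confirms it, so deploy this before relying on the alarm and check the subscription status in SNS.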
  17. CIS Benchmark: Deploying with CloudFormation
  18. Generated AWS CloudWatch Rules
  19. Generated AWS Config Rules
  20. AWS Lambda Functions for Rules
     • Inspect the code
     • Customize it!
  21. Additional Advice
     • Reuse existing authentication systems
       • AWS Cognito, Auth0, JWT
     • Least Privilege
       • No * in IAM policies
       • No individual permissions (use roles/groups)
       • Make policies per function, not a global one
     • Protect secrets
       • Don’t expose in logs, code or alerts
       • Extract parameters: use SSM Parameter Store
     • Encryption
       • Rotate keys to mitigate events
       • Use Secrets Manager
     • Use the tools at your disposal
       • Don't create new tools if you don’t have to!
     • Your own audits
       • Log logins, failed logins, account changes (password changes, email changes), confirm db transactions…
       • Have thresholds on logins from an address, db connections, queries per second
       • DoS becomes DoW
     • Rotate credentials
     • Separate credentials and policies for different functions
     • Harden accounts and environments
     • Automate your controls
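The least-privilege and secrets points from slide 21 as an added example that is not from the deck: a per-function Lambda execution role, in CloudFormation YAML, that may read only its own SSM Parameter Store SecureString, with the wildcard statement it replaces left as a comment. The parameter path, the KMS key ARN and the role name are assumptions.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: >-
  Added example: a per-function Lambda execution role that may read only
  its own SecureString parameter. Path, key ARN and names are assumed.
Parameters:
  DbPasswordParameterName:
    Type: String
    Default: /prod/orders-api/db-password   # assumed parameter name
  ParameterKmsKeyArn:
    Type: String
    Description: ARN of the KMS key that encrypts the parameter (assumed)
Resources:
  OrdersApiFunctionRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: lambda.amazonaws.com
            Action: sts:AssumeRole
      ManagedPolicyArns:
        # Log writing only; no broad AWS-managed policies attached.
        - arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
      Policies:
        - PolicyName: read-own-db-password
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              # "No * in IAM policies" rules out the shortcut this statement
              # replaces, kept here only as a comment:
              #   - Effect: Allow
              #     Action: 'ssm:*'
              #     Resource: '*'
              - Effect: Allow
                Action: ssm:GetParameter
                Resource: !Sub 'arn:${AWS::Partition}:ssm:${AWS::Region}:${AWS::AccountId}:parameter${DbPasswordParameterName}'
              # SecureString values are KMS-encrypted; without Decrypt on the
              # key, GetParameter with WithDecryption is denied.
              - Effect: Allow
                Action: kms:Decrypt
                Resource: !Ref ParameterKmsKeyArn
```

Because the policy names a single parameter ARN, a second function with its own role and its own path cannot read this one, which is the "policies per function" point made on the slide.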
  22. Thank you!
     Luis Colon, Sr Developer Advocate, AWS CloudFormation
     Anuradha Garg, Sw Development Engineer, AWS CloudFormation
     Sam Hennessy, Solutions Architect, AWS
  23. Please complete the session survey in the mobile app.