Slide 1

Building Castles in the Cloud: AWS Security and Self-Assessment
Rami McCarthy (@ramimacisabird)

Slide 3

Bio

Slide 4

https://twitter.com/GooglyInfoSec

Slide 5

Agenda
1. Background
2. AWS Security Best Practices
   a. Public Access/External Exposure
   b. Access Management
   c. Monitoring
   d. Amazon Security Services
   e. Next Steps
3. (Free) Open Source AWS audit tools

Slide 6

https://www.britannica.com/technology/castle-architecture#/media/1/98652/99675


Slide 8

Why AWS?

Slide 9

https://www.parkmycloud.com/blog/aws-vs-azure-vs-google-cloud-market-share/


Slide 13

Key AWS security considerations

Slide 14

Secure Public Access (MITRE ATT&CK: T1190)

Slide 15

Simple Storage Service (S3)


Slide 17

Secure Public Access: Architecture (MITRE ATT&CK: T1190)

Slide 18

Audit Public Access (MITRE ATT&CK: T1190)


Slide 21

"… while the Capital One attack happened due to the application misconfiguration mentioned above, there are several actions AWS will take to better help our customers ensure their own security. First, we will proactively scan the public IP space for our customers' firewall resources to try and assess whether they may have misconfigurations. ..."
- Amazon letter to Sen. Wyden re: consumer data

Slide 22

Secure Access Management (MITRE ATT&CK: T1078)

Slide 23

Graphic via MSP360

Slide 24

AWS Security Token Service

Slide 25

Secure Access Management: Access Management for Users (MITRE ATT&CK: T1078)
• Root account
• User ↔ IAM Account
• Groups
• STS as arbitration
• Least Privilege

Slide 26

Secure Access Management: Access Management for Users (MITRE ATT&CK: T1078)
• Multi-factor Authentication
• Security Tokens
• Policy Conditions

Slide 27

Secure Access Management: Access Management for Development (MITRE ATT&CK: T1078)
• Temporary Credentials
• GitOps/DevOps

Slide 28

Secure Access Management: Access Management for Applications (MITRE ATT&CK: T1078)

Slide 29

Secure Access Management: Access Management for EC2 (MITRE ATT&CK: T1078)
• Don't bake in credentials
• AWS SDK → IAM Role
• SSRF

Slide 30

Secure IAM Basics: IAM Roles > IAM Access Keys > AWS Credentials

Slide 31

Secure Monitoring


Slide 34

Secure Monitoring: CloudTrail - Detective
• Create a trail
• All AWS Regions
• Log file integrity
• CloudWatch
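The four detective controls on this slide are simple to check mechanically. The following is an added example, not code from the talk; it audits trail descriptions shaped like the CloudTrail DescribeTrails/GetTrailStatus responses (field names `IsMultiRegionTrail`, `LogFileValidationEnabled`, `CloudWatchLogsLogGroupArn`, `IsLogging`), and the sample trails are constructed, not taken from a real account.

```python
# Added example (not from the slides): audit CloudTrail trail descriptions
# against the detective controls listed on slide 34. Input dicts use the
# field names of the CloudTrail DescribeTrails / GetTrailStatus APIs; the
# sample data below is constructed, not pulled from a real account.

# Constructed sample: what describe_trails() might return for an account,
# with IsLogging merged in from get_trail_status() for each trail.
SAMPLE_TRAILS = [
    {
        "Name": "org-trail",
        "IsMultiRegionTrail": True,
        "LogFileValidationEnabled": True,
        "CloudWatchLogsLogGroupArn": "arn:aws:logs:us-east-1:111122223333:log-group:CloudTrail/org:*",
        "IsLogging": True,
    },
    {
        "Name": "legacy-trail",
        "IsMultiRegionTrail": False,
        "LogFileValidationEnabled": False,
        "IsLogging": True,
    },
]


def trail_findings(trail):
    """Return the list of slide-34 controls this trail fails (empty = OK)."""
    findings = []
    if not trail.get("IsLogging", False):
        findings.append("trail is not logging")
    if not trail.get("IsMultiRegionTrail", False):
        findings.append("not a multi-region trail (all AWS Regions)")
    if not trail.get("LogFileValidationEnabled", False):
        findings.append("log file integrity validation disabled")
    if not trail.get("CloudWatchLogsLogGroupArn"):
        findings.append("not delivering to a CloudWatch Logs group")
    return findings


def audit_trails(trails):
    """Map trail name -> findings. An account with no trail fails outright."""
    if not trails:
        return {"<account>": ["no CloudTrail trail configured (create a trail)"]}
    return {t["Name"]: trail_findings(t) for t in trails}


if __name__ == "__main__":
    for name, findings in audit_trails(SAMPLE_TRAILS).items():
        print(f"{name}: {'OK' if not findings else '; '.join(findings)}")
```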

Slide 35

Secure Monitoring: CloudTrail - Preventative
• Unlinked Account
• Least Privilege
• MFA Delete
• AWSCloudTrailFullAccess


Slide 37

Secure Monitoring: Other Services
• VPC
• S3
• ELB
• CloudFront

Slide 38

Enable Amazon Tools

Slide 39

Enable Amazon Tools
❏ CloudTrail
❏ Trusted Advisor
❏ GuardDuty
❏ Inspector
❏ Security Hub

Slide 40

Encryption
Encrypting everything with AWS - re:Inforce 2019

Slide 41

Prepare for DFIR
• Major Pitfalls to Avoid in Performing Digital Forensics and Incident Response in AWS - Jonathon Poling
• AWS Security Incident Response Guide

Slide 42

AWS Resources for Secure Architecture
• Well-Architected Framework: Security Pillar
• AWS Cloud Adoption Framework
• Aligning to NIST
• Security Documentation by Category

Slide 43

Self-auditing with open-source tools


Slide 49

CloudMapper


Slide 56

Credit to prior art; check these people out to learn more!
• Corey Quinn - https://www.lastweekinaws.com - @QuinnyPig
• Teri Radichel - https://2ndsightlab.com/ - @TeriRadichel
• Scott Piper - https://summitroute.com/ - @0xdabbad00
• Andres Riancho - https://andresriancho.com/
• Toni de la Fuente - https://github.com/toniblyx/my-arsenal-of-aws-security-tools - @ToniBlyx
• Rhino Security - https://rhinosecuritylabs.com/blog/?category=aws
• Cloudonaut - https://cloudonaut.io/aws-security-primer/

Slide 57

Thank you! And thank you to the volunteers and organizers of BSidesCT!
@ramimacisabird