Slide 1

© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. DEV DAY
Securing Your AWS Cloud Infrastructure
Steve Teo, Director of Cloud Security Engineering, Horangi Cyber Security
www.linkedin.com/in/steveteo
Beijing, 19.10.19

Slide 2

Steve “Potay” Teo
• Director of Cloud Security Engineering @ Horangi
• CloudDevSecOps Fanatic
• 4+ years working on AWS
• Totally uncertified and proud :P

Slide 3

Background
• 2015 – 2016: Migration of 2 AWS Accounts to 40+ AWS Accounts
• 2016 – 2018: Enterprise Architecture for AWS Accounts & VPC
• Current: Product Development Lead of AWS-focused Cloud Security Product
• Areas of Interests for AWS

Slide 4

Community
https://www.meetup.com/AWS-SG/

Slide 5

Let’s Start

Slide 6

Questions
• How many of you are already using AWS?
• How many of you are
• How many of you think your AWS Accounts are secure?

Slide 7

Agenda
• Why secure your cloud infrastructure?
• How do these cloud security breaches happen?
• What can you do to protect your infrastructure?

Slide 8

WHY SECURE YOUR CLOUD INFRASTRUCTURE?

Slide 9

Increasing Usage of the Cloud
[Chart: cloud usage growth]

Slide 10

“The reason why Google and Facebook are the most powerful companies in the world is because last year data surpassed oil in value” - Brittany Kaiser (The Great Hack)

Slide 11

Cloud Security Breaches are a constant reality
• OCT 2017: Accenture accidentally configured four AWS S3 buckets to be accessible to the public
• NOV 2017: Uber’s AWS account was hacked, compromising the personal information of 57 million users worldwide, including 600,000 drivers
• MAR 2018: An error in GoDaddy’s S3 bucket configuration has led to the exposure of internal information

Slide 12

Cloud Security Breaches are a constant reality
• FEB 2019: Security researcher Bob Diachenko discovered the Dow Jones Watchlist dataset sitting on a public AWS Elasticsearch cluster
• APR 2019: Breach hunters have found two Amazon cloud servers storing over 540 million Facebook-related records
• July 2019: An unauthorized user accessed data stored in AWS S3 buckets. Loss of over 100 million credit card applications and 100 thousand social security numbers.

Slide 13

Negative Business Impact
• Loss of trust
• Loss of revenue
• Intellectual property theft
• Go out of business

Slide 14

Why do these Cloud Security Breaches happen?

Slide 15

By 2020, 95% of cloud security failures will be the customer's fault - Gartner

Slide 16

Cloud Security Is A Shared Responsibility
[Diagram: shared responsibility model, “Security in the Cloud” (customer) alongside “Security of the Cloud” (AWS)]

Slide 17

Failure Points of “Security in the Cloud”
[Diagram: a VPC in the AWS Cloud spanning Availability Zone 1 and Availability Zone 2, each with an Auto Scaling group, a NAT Gateway and instances, managed by Amazon EC2 Auto Scaling]

Slide 18

Every AWS Account is a Blank Cheque – Steve Teo

Slide 19

AWS Account - The “Castle”

Slide 20

AWS Account - “Castle” Breach #GGWP

Slide 21

Workload – AWS Services & Resources
• 165+ Services over 24 categories
• Most of them have a configurable security model, but some are really complex (e.g. S3)
• Requires combination of
• Huge potential of

Slide 22

Dissecting The Problem
PROCESS / TECHNOLOGY / PEOPLE

Slide 23

Asia faces a critical shortage of security expertise.
(ISC)2 research points to a global deficit in cyber security expertise totaling almost 3m roles. Asia Pacific contributes the vast majority of this gap on account of its growing economies and new legislation being enacted in the region.
[Chart: regional workforce gap figures shown: 498k, 2.1m, 142k, 136k]
Source: (ISC)2 Cybersecurity Workforce Study, 2018 - available at https://www.isc2.org/Research/Workforce-Study

Slide 24

Lack of Security Policy
• Lack of mandate, expertise and resources to translate traditional security strategy and policies to those that apply to Public Cloud
• Business driven “Shadow IT”
Ref: https://accudatasystems.com/why-most-companies-fail-at-cloud-security/
Figure 1: NIST Cybersecurity Framework.

Slide 25

Challenge - Shift in Operating Model
Traditional Data Center: changes in the environment are usually slow and controlled by a few people
Public Cloud: changes in the environment occur continuously and are usually made by many people

Slide 26

Agility leads to more change events
[Chart: Change Events (Application / Infrastructure) over Time, Public Cloud vs Traditional Hosting]

Slide 27

Who makes the changes?
[Diagram: Public Cloud vs Traditional Hosting]

Slide 28

Lack of Cloud-Specific Security Tools
[Diagram: a VPC in the AWS Cloud spanning Availability Zone 1 and Availability Zone 2, each with an Auto Scaling group, a NAT Gateway and instances, managed by Amazon EC2 Auto Scaling]
Complexity - People - Changes

Slide 29

What can you do to protect your Cloud Infrastructure?

Slide 30

Fixing The Problem
PROCESS / TECHNOLOGY / PEOPLE

Slide 31

People
• “Cloud Security Is A Shared Responsibility”
• Security Mindset - Security is everyone’s responsibility
• Invest in your people - Re-train, upskill, certify
• Hire Smart, Hire Right People

Slide 32

Process
• Make sure the mandate to secure the Cloud is established
• Align security goals with business goals to then secure expertise, resource, budget
• Get the best, forward-looking and collaborative people in your organization to work on this. Setting up strategy and policies is not easy work!
• AWS Security Whitepapers
  • https://d0.awsstatic.com/whitepapers/aws-security-whitepaper.pdf
  • https://d0.awsstatic.com/whitepapers/compliance/NIST_Cybersecurity_Framework_CSF.pdf
  • https://aws.amazon.com/security/security-resources/
• Get Help!

Slide 33

What to look for in Cloud Security Tools
• Understand Security In and Of the Cloud
• “Shift left”
• Automate Continuous Scanning and Auditing
• Integrate into modern development workflows
• Accessible to All
Figure 1: NIST Cybersecurity Framework.

Slide 34

Warden – Cloud Security Configuration Checker
https://www.horangi.com/products/warden/

Slide 35

Getting Your Security Architecture Right

Slide 36

Security Architecture - Layered Defense in Depth


Slide 38

AWS Well-Architected Framework.
[Diagram: the five pillars – RELIABILITY, PERFORMANCE EFFICIENCY, OPERATIONAL EXCELLENCE, SECURITY, COST OPTIMIZATION]
The AWS Well-Architected Framework is a framework developed to help AWS cloud architects build secure, high-performing, resilient, and efficient infrastructure.


Slide 40

AWS Security Pillar.
[Diagram: INFRASTRUCTURE PROTECTION, DATA PROTECTION, IDENTITY & ACCESS MANAGEMENT, DETECTIVE CONTROLS, INCIDENT RESPONSE]
The AWS Security pillar is the ability to protect information, systems, and assets while delivering business value through risk assessments and mitigation strategies.

Slide 41

Identity & Access Management
• Key Questions
  • How do you manage credentials?
  • How do you control human access?
  • How do you control programmatic access?
• Key AWS Services
  • AWS Identity and Access Management (IAM)
  • AWS Security Token Service (STS)

Slide 42

Multi-Factor Authentication. Configure an MFA device as another barrier of defense against attackers.

Slide 43

Principle of Least Privilege. Only give users the minimum amount of privileges necessary to do their job.

Slide 44

Use IAM Groups. IAM groups allow multiple users to share one policy and move users around to other groups as needed.

Slide 45

Use IAM Roles. IAM Roles are a way to give permissions to other trusted entities.

Slide 46

Define an AWS Account Strategy.
[Diagram: AWS Cloud account layouts compared side by side (“Vs”)]

Slide 47

Leverage on Bastion Account or Single Sign On.
[Diagram: several AWS Accounts accessed through a Bastion AWS Account]

Slide 48

Scale using AWS Organisations
[Diagram: AWS Organisations hierarchy]

Slide 49

Detective Controls
• Key Questions
  • How do you detect and investigate security events?
  • How do you defend against emerging security threats?
• Key AWS Services
  • CloudTrail
  • Config
  • CloudWatch Alarms

Slide 50

Adopt CloudTrail Best Practices.
● Enable CloudTrail for all regions
● Log management events
● Record Global Services (eg. IAM)
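An added example, not from the slides or from Horangi, that checks a trail against the three practices above (plus log file validation, which the CIS benchmark cited later in the deck also requires). The input dicts are constructed here, but their keys are the ones boto3 returns from `cloudtrail.describe_trails()` and `get_event_selectors()`, so real API output can be fed in unchanged.

```python
# Added example: audit a CloudTrail trail configuration against the slide's
# best practices. Sample data is constructed; keys mirror the boto3 responses
# of describe_trails()["trailList"][i] and get_event_selectors()["EventSelectors"].

# Constructed sample: one trail that follows the practices, one that does not.
GOOD_TRAIL = {
    "Name": "org-trail",
    "IsMultiRegionTrail": True,
    "IncludeGlobalServiceEvents": True,
    "LogFileValidationEnabled": True,
}
GOOD_SELECTORS = [{"ReadWriteType": "All", "IncludeManagementEvents": True}]

WEAK_TRAIL = {
    "Name": "legacy-trail",
    "IsMultiRegionTrail": False,          # only the home region is recorded
    "IncludeGlobalServiceEvents": False,  # IAM / STS calls are never written
    "LogFileValidationEnabled": False,
}
WEAK_SELECTORS = [{"ReadWriteType": "WriteOnly", "IncludeManagementEvents": False}]


def audit_trail(trail, selectors):
    """Return a list of findings; an empty list means the trail is compliant."""
    findings = []
    name = trail.get("Name", "<unnamed>")
    if not trail.get("IsMultiRegionTrail"):
        findings.append(f"{name}: not multi-region; activity in other regions is unlogged")
    if not trail.get("IncludeGlobalServiceEvents"):
        findings.append(f"{name}: global service events (e.g. IAM) are not recorded")
    # Management events must be on and cover both reads and writes: a WriteOnly
    # selector would hide the read-style calls that typically precede misuse.
    mgmt_ok = any(
        s.get("IncludeManagementEvents") and s.get("ReadWriteType") == "All"
        for s in selectors
    )
    if not mgmt_ok:
        findings.append(f"{name}: management events not logged for both reads and writes")
    if not trail.get("LogFileValidationEnabled"):
        # Digest files let you prove the logs were not altered after delivery.
        findings.append(f"{name}: log file validation disabled; tampering would go unnoticed")
    return findings


if __name__ == "__main__":
    for trail, selectors in ((GOOD_TRAIL, GOOD_SELECTORS), (WEAK_TRAIL, WEAK_SELECTORS)):
        print(trail["Name"], audit_trail(trail, selectors) or "OK")
```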

Slide 51

Turn on AWS Config - Record, audit and evaluate configurations of your AWS resources

Slide 52

GuardDuty.

Slide 53

Infrastructure Protection
• Key Questions
  • How do you protect networks and hosts?
  • How do you protect services you consume?
• Key AWS Services
  • Virtual Private Cloud (VPC)
  • Systems Manager
  • CloudFormation
  • IAM

Slide 54

Get your VPC Architecture right (Source)

Slide 55

Restrict Your Security Groups
● Security groups have to be assigned explicitly to the resource or ENI
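An added example, not from the slides, of the kind of check a "restrict your security groups" review automates: it flags ingress rules whose source is the whole internet and rates them higher when they reach the administrative ports (22 and 3389) that the CIS benchmark cited later in the deck singles out. The group dict is constructed, but follows the shape of boto3 `ec2.describe_security_groups()["SecurityGroups"][i]`.

```python
# Added example: find security group ingress rules open to 0.0.0.0/0 or ::/0.
# Sample group is constructed; field names mirror ec2.describe_security_groups().

WORLD = {"0.0.0.0/0", "::/0"}
ADMIN_PORTS = {22: "SSH", 3389: "RDP"}  # ports the CIS benchmark singles out


def _covers(rule, port):
    """True if the rule's protocol and port range include the given TCP port."""
    if rule.get("IpProtocol") == "-1":      # "-1" means all protocols and all ports
        return True
    if rule.get("IpProtocol") not in ("tcp", "6"):
        return False
    return rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)


def world_open_rules(group):
    """Return (severity, group id, what, sources, exposed admin ports) per open rule."""
    findings = []
    for rule in group.get("IpPermissions", []):
        sources = [r["CidrIp"] for r in rule.get("IpRanges", [])]
        sources += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
        open_sources = sorted(set(sources) & WORLD)
        if not open_sources:
            continue  # source is a specific CIDR, prefix list or another group
        if rule.get("IpProtocol") == "-1":
            what = "all traffic"
        else:
            what = f"{rule['IpProtocol']} {rule.get('FromPort')}-{rule.get('ToPort')}"
        exposed = [name for port, name in ADMIN_PORTS.items() if _covers(rule, port)]
        severity = "HIGH" if exposed else "MEDIUM"  # a public web port may be intended
        findings.append((severity, group["GroupId"], what, open_sources, exposed))
    return findings


# Constructed sample: a web-tier group that also leaves SSH open to the world.
SAMPLE_GROUP = {
    "GroupId": "sg-0example",
    "GroupName": "web-tier",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": []},
    ],
}

if __name__ == "__main__":
    for finding in world_open_rules(SAMPLE_GROUP):
        print(*finding)
```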

Slide 56

Secure your S3 Buckets
● Block public access where possible
● Understand the difference between
  ● S3 ACL
  ● S3 Bucket Policy
  ● IAM Policy for S3
● Block public access
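An added example, not from the slides, that evaluates the three bucket-level layers the slide lists together: a public ACL grant, a bucket policy with a wildcard principal, and the Block Public Access settings that override both. Inputs are constructed (the `vpce-PLACEHOLDER` endpoint id is a placeholder), but use the field names boto3 returns from `s3.get_bucket_acl()`, `get_bucket_policy()` (the policy is a JSON string) and `get_public_access_block()`.

```python
# Added example: is an S3 bucket effectively public once ACL, bucket policy
# and Block Public Access are combined? Sample data is constructed.
import json

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"


def public_acl_grants(acl):
    """Grants to the AllUsers / AuthenticatedUsers groups (either one is public)."""
    return [
        (g["Grantee"]["URI"], g["Permission"])
        for g in acl.get("Grants", [])
        if g["Grantee"].get("Type") == "Group"
        and g["Grantee"].get("URI") in (ALL_USERS, AUTH_USERS)
    ]


def public_policy_statements(policy_json):
    """Sids of Allow statements with a wildcard principal and no Condition."""
    if not policy_json:
        return []
    hits = []
    for st in json.loads(policy_json).get("Statement", []):
        principal = st.get("Principal")
        wildcard = principal == "*" or (
            isinstance(principal, dict) and principal.get("AWS") in ("*", ["*"])
        )
        # A Condition (e.g. aws:SourceVpce) may narrow the wildcard, so only
        # unconditional wildcard grants are reported as public here.
        if st.get("Effect") == "Allow" and wildcard and not st.get("Condition"):
            hits.append(st.get("Sid", "<no sid>"))
    return hits


def assess_bucket(name, acl, policy_json, pab):
    """IgnorePublicAcls neutralises public ACLs; RestrictPublicBuckets limits a
    public policy to the account's own principals. The two Block* flags only
    stop new public ACLs/policies from being written, so they are not consulted."""
    acl_hits = public_acl_grants(acl)
    pol_hits = public_policy_statements(policy_json)
    acl_exposed = bool(acl_hits) and not pab.get("IgnorePublicAcls")
    pol_exposed = bool(pol_hits) and not pab.get("RestrictPublicBuckets")
    return {
        "bucket": name,
        "public_acl_grants": acl_hits,
        "public_policy_sids": pol_hits,
        "effectively_public": acl_exposed or pol_exposed,
    }


# Constructed sample: public-read ACL plus a wildcard policy, evaluated once with
# Block Public Access fully on and once with it off.
SAMPLE_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
]}
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "VpcOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example-bucket",
     "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-PLACEHOLDER"}}},
]})
PAB_ON = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
          "BlockPublicPolicy": True, "RestrictPublicBuckets": True}
PAB_OFF = {k: False for k in PAB_ON}

if __name__ == "__main__":
    for pab in (PAB_ON, PAB_OFF):
        print(assess_bucket("example-bucket", SAMPLE_ACL, SAMPLE_POLICY, pab))
```

Account-level Block Public Access settings apply on top of the bucket-level ones, so pass the stricter of the two as `pab` when auditing a real account.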

Slide 57

Use Systems Manager for Automation across Hosts

Slide 58

Data Protection
• Key Questions
  • How do you classify your data?
  • How do you protect your data at rest?
  • How do you protect your data in transit?
• Key AWS Services
  • Key Management Service (KMS)
  • Elastic Load Balancer
  • CloudFront
  • API Gateway

Slide 59

Understand Data at Rest vs. Data In Transit.
What it is?
  Data at Rest: Data that persists for any duration
  Data in Transit: Data that gets transmitted from one system to another
Where is it stored?
  Data at Rest: Block storage, object storage, databases, archives, and any other storage medium
  Data in Transit: None
Why protect it?
  Data at Rest: Reduce the risk of unauthorized access
  Data in Transit: Protect the confidentiality and integrity of the application’s data
How do you protect it?
  Data at Rest: Use encryption keys when uploading data
  Data in Transit: Select secure protocols that implement the latest cryptography standards (like TLS)

Slide 60

Encryption At Rest.

Slide 61

Incident Response
• Key Questions
  • How do you respond to an incident?
  • Do you have enough to respond to an incident?
• Key AWS Services
  • IAM
  • CloudTrail

Slide 62

Security Disaster Plan. The security disaster plan is the process that describes the different steps to take in case an incident happens.
• Have a defined incident response policy in place
• Use resource tags to limit process
• Use the “Clean Room” approach when investigating the root cause
• Configure logs to audit as much as possible

Slide 63

Quick Start: CIS–AWS Benchmark
• Prescriptive guidance for configuring security options for a subset of Amazon Web Services with an emphasis on foundational, testable, and architecture agnostic settings.
• CIS Benchmarks have been the de facto standard for prescriptive, industry-accepted best practices for securely configuring traditional IT components.
• Has 49 recommendations that cover the following areas
  • Identity and Access Management
  • Logging
  • Monitoring
  • Networking
Ref: https://d1.awsstatic.com/whitepapers/compliance/AWS_CIS_Foundations_Benchmark.pdf

Slide 64

Quick Start: CIS–AWS Benchmark

Slide 65

Key Takeaways
• To know how to secure AWS, you need to learn AWS
• Invest in your people, build a right security mindset culture
• Make sure the mandate to secure the Cloud is established
• Use security tools and automate where possible to avoid undifferentiated heavy lifting!
• Adopt the Security Pillar of the AWS Well Architected Framework

Slide 66

Every AWS Account is a Blank Cheque – Steve Teo

Slide 67

Thank you!
Steve Teo, Director of Cloud Security Engineering, Horangi Cyber Security
www.linkedin.com/in/steveteo