@ramimccarthy Rami McCarthy Beyond the 
 AWS Security Maturity Roadmap 
 https://speakerdeck.com/ramimac/fwdcloudsec

$ get-caller-identity Security Engineer @ Figma 
 figma.fun/seceng 
 
 Infrequent Contributor @ tl;drsec https://tldrsec.com/guides/sta ff eng-security/ https://tldrsec.com/blog/cloud-security-orienteering/

No content

@ramimccarthy Not All Cloud Security Programs • Engineering and Automation oriented • “Zero Trust” architecture • Software product • Maximalist cloud security • Guardrails not Gatekeepers + Paved Roads

No content

No content

@ramimccarthy Build vs. Adopt vs. Buy

@ramimccarthy Build vs. Adopt vs. Buy Sabry Tozin (via Roy Rapoport) • Are we solving a problem unique to our company? • Are we solving a problem at a scale unique to our company? • Is the cost and effort of integrating an off-the-shelf solution so large that we may as well build one? • What are the purchasing/ongoing license costs of the product in comparison to building it ourselves?

@ramimccarthy Capabilities and Controls

@ramimccarthy Secrets Management A mechanism for engineers to easily and securely manage credentials and other secrets provided to services in your cloud environment. Adopt: Options Buy: Options • Hashicorp Vault • Doppler ( YC W19 ) • Infiscal ( YC W23 ) • AWS Secrets Manager / AWS KMS One Read: “Managing secrets is the biggest risk people aren't talking about”, Strategy of Security • mozilla / sops • square / keywhiz • pinterest / knox • lyft / confidant

@ramimccarthy Secrets Management Build: Adopt: Not recommended Recommended • Standardize as early as possible, generally with a thin 
 wrapper over CSP services. Focus on DevEx. • Revisit every ~year, and layer necessary capabilities • Before adopting, be very sure requirements and 
 practices 1 : 1 match • Be wary of premature purchase or deployment of a 
 heavy solution Buy: A mechanism for engineers to easily and securely manage credentials and other secrets provided to services in your cloud environment.

@ramimccarthy Asset Inventory Leverage the CSP control plane to discover and identify cloud assets, and to monitor their adherence to configuration standards. Adopt: Options Buy: Options • Firemon Cloud Defense (fka DisruptOps)* • Commercial versions of Steampipe and Cloudquery • turbot / steampipe • cloudquery / cloudquery One Read: What should you use - CloudQuery or Steampipe?, badshah

@ramimccarthy Asset Inventory Leverage the CSP control plane to discover and identify cloud assets, and to monitor their adherence to configuration standards. Build: Adopt: Not recommended Recommended • You can get far by adopting open source tools • You need something, early. Adopt inventory first, 
 then add controls in incrementally • You probably don’t need a full CSPM 
 until later than you’d expect • Don’t write anything that calls cloud APIs yourself, 
 it’s been done (well) • Think critically about what controls matter, and watch out for 
 toil and noise Buy:

@ramimccarthy -> CSPM Continuously assess the security posture by maintaining a current inventory of cloud assets, with risk assessment to detect any misconfigurations. Adopt: Options Buy: Options • Wiz • Aqua • Orca • Lacework • Ermetic • Lightspin ( Cisco) • Prisma Cloud • cloud-custodian / cloud-custodian • prowler-cloud / prowler • Zeus-Labs / ZeusCloud One Talk: “Success Criteria for your CSPM”, David White (up next)

@ramimccarthy -> CSPM Continuously assess the security posture by maintaining a current inventory of cloud assets, with risk assessment to detect any misconfigurations. Build: Adopt: Not recommended Recommended • Think about extensibility and integrations • Evaluate options based on preset criteria, don’t let vendors sell you CNAPP + + • If you build, only do it on top of an adopted inventory platform. Don’t spend your engineer’s time building an open source CSPM. It’s undifferentiated and commoditized. It’s also a lot of work • Don’t let an opinionated CSPM dictate your security program • Be thoughtful about dispatching findings to other teams • Bundled CSPMs can be thoroughly mediocre Buy:

@ramimccarthy Automated Remediation In order to keep up with the rate of change in the cloud, teams reach for solutions to automate the immediate resolution of common misconfigurations. Adopt: Options Buy: Options • Native to your CSPM • AWS Config • twilio-labs / SOCless • cloudconformity / auto-remediate One Read: "The Dangers of Corrective Auto Remediation in Your Public Cloud”, Lightspin

@ramimccarthy Automated Remediation In order to keep up with the rate of change in the cloud, teams reach for solutions to automate the immediate resolution of common misconfigurations. Build: Adopt: Not recommended Recommended • When you’re unable to move to Infrastructure as Code • If you lack a chokepoint for changes • When preventative controls are feasible • As an early control for your program • Applied without sufficient context Buy:

@ramimccarthy Secure IAC Modules “Shift-left” secure configuration and empower your developers with secure- by-default IAC modules. Adopt: Options Buy: Options • asecure.cloud • Gruntwork AWS Infrastructure as Code Library • Resourcely • asecure.cloud • Terraform Registry Read more: "Why you should pave roads", Eric Hydrick

@ramimccarthy Secure IAC Modules “Shift-left” secure configuration and empower your developers with secure- by-default IAC modules. Build: Adopt: Not recommended Recommended • Pair with SAST to detect usage of “vanilla” resources • Steal undifferentiated examples • Commoditize secure architecture as modules • Wait for a need to surface before investing in a module Buy:

@ramimccarthy Infrastructure as Code Scanning Detect misconfigurations within your infrastructure as code, before they can be introduced to your environment Adopt: Options Buy: Options • Native to your CSPM • Native to your SAST • aquasecurity / tfsec • returntocorp / semgrep • turbot / steampipe-plugin-terraform • bridgecrew / checkov One Read: “Shifting Cloud Security Left — Scanning [ IaC ] for Security Issues”, Christophe Tafani-Dereeper

@ramimccarthy IAC Scanning Detect misconfigurations within your infrastructure as code, before they can be introduced to your environment Build: Adopt: Not recommended Recommended • Develop rules based on your specific environment 
 and requirements • Surface detections, with context, at PR time • Rolling out rules in “block” mode • Turning on all possible rules Buy:

@ramimccarthy Deception Engineering ( Honeypots/tokens) Deploy high-signal, low noise tripwires in your environment. Make attackers think twice before using found credentials, and know when someone has tried. Adopt: Options Buy: Options • Thinkst Canary • Native to your CSPM • Thinkst Canarytokens.org • Basic AWS API Key + SIEM detection • spacesiren / spacesiren (inspired by Atlassian Project SPACECRAB ) One Read: “Zero Maintenance AWS Canary Tokens That Scale”, Will Bengston

@ramimccarthy Deception Engineering ( Honeypots/tokens) Build: Adopt: Not recommended Recommended • Deploy the quick and free version in high value targets. 
 Probably your CI/CD tooling • Think about what you’ll do if one goes off before it happens • Do your best to tightly each key to a single potential 
 vector for compromise • Don’t roll out Will’s architecture until you’ve killed 
 known attack vectors Buy: Deploy high-signal, low noise tripwires in your environment. Make attackers think twice before using found credentials, and know when someone has tried.

@ramimccarthy 1. Scaling Granular Access Support role-based, least-privileged access across an explosion of roles. Adopt: Options Buy: Options (“CIEM”) • salesforce / cloudsplaining • Netflix / repokid • iann0036 / iamlive • common-fate / iamzero • noqdev / iambic Read more: “ConsoleMe: A Central Control Plane for AWS Permissions and Access”, Netflix • Ermetic • Native to your CNAPP? • ???

@ramimccarthy 2. Scaling Access Management Enable a user friendly roll out of granular access by making it easy to understand available access and leverage it. Adopt: Options Buy: Options • Common Fate Cloud • Leapp Cloud • Netflix / consoleme • Noovolari / leapp • common-fate / granted Read more: “Access Service: Temporary Access to the Cloud”, Segment

@ramimccarthy 3. Scaling Temporary Access Remove risky ambient permissions and allow step-up and break-glass authorization. Adopt: Options Buy: Options • ConductorOne • Indent • Opal • Sym • aws-samples / aws-iam-temporary-elevated- access-broker • ??? Read more: “Common uses of just-in-time access in the cloud”

@ramimccarthy Scaling … Access Build: Adopt: Not recommended Recommended • Build incrementally, and always keep an eye on 
 the user experience • Right now, ~ JIT access is about where you should 
 really consider buying • Partner with other internal stakeholders on a unified 
 source of truth for identity and role • Trying to preemptively define necessary IAM in a bubble • Centralizing all creation of IAM Buy: 1. Support role-based, least-privileged access across an explosion of roles. 2. Enable a user friendly roll out of granular access by making it easy to understand available access and leverage it. 3. Remove risky ambient permissions and allow step-up and break-glass authorization.

@ramimccarthy Scaling Account Management Taking advantage of the inherent blast radius boundary of an Account rapidly turns into toil to stand up new accounts and juggle their lifecycle. Adopt: Options Buy: Options • ??? • org-formation / org-formation-cli • rebuy-de / aws-nuke • AWS Control Tower One Talk: “Reimagining multi-account deployments for security and speed”, Netflix

@ramimccarthy Scaling Account Management Taking advantage of the inherent blast radius boundary of an Account rapidly turns into toil to stand up new accounts and juggle their lifecycle. Build: Adopt: Not recommended Recommended • Rightsize your investment in automation, “human cron” 
 can be a good place to start • Find good internal development partners with strong cases 
 for investment • Don’t wait too long to split out use cases with different 
 threat models or administration patterns. Migration across 
 accounts is painful, and data gravity can be a blocker. Buy:

@ramimccarthy Control Validation / Attack Simulation Test and validate your controls and detections on an automated, ongoing basis. Adopt: Options Buy: Options • AttackIQ • Cymulate • SCYTHE • Randori • awslabs / aws-cloudsaga • DataDog / stratus-red-team • WithSecureLabs / leonidas One Talk: “Adversary emulation for incident-response readiness”, Anna McAbee / Brandon Baxter / Chris Farris

@ramimccarthy Control Validation / Attack Simulation Test and validate your controls and detections on an automated, ongoing basis. Build: Adopt: Not recommended Recommended • Consider leveraging internal frameworks and tools for QA • Validation at time of creation is likely sufficient for 
 commodity controls and medium program maturity • Keep a close eye on relative investment in “breaking” 
 vs. “building • Be deeply skeptical of “automated red teaming” as a product • Finding issues is only useful as an effective 
 input to mitigation Buy:

@ramimccarthy Egress Monitoring and Filtering Make attackers lives harder post-compromise by filtering egress traffic from your services and alerting on anomalous destinations. Adopt: Options Buy: Options • AWS Network Firewall • Chaser Systems DiscrimiNAT Firewall • Aviatrix • stripe / smokescreen One Read: “Internet Egress Filtering of Services at Lyft”

@ramimccarthy Egress Monitoring and Filtering Make attackers lives harder post-compromise by filtering egress traffic from your services and alerting on anomalous destinations. Build: Adopt: Not recommended Recommended • Consider when modifying network architecture • “Monitor” mode can be cheap to deploy • Reliability is huge if you place this on the critical path • A hamster wheel of pain is likely if you’re not thoughtful 
 about how new, valid connections will be 
 identified and allowlisted Buy:

@ramimccarthy Infrastructure Access Adopt: Options Buy: Options • Teleport • StrongDM • BastionZero • Cloudflare Access • Tailscale (and other Wireguard-based VPNs) • AWS SSM + IAM Authentication for < SERVICE > • Tailscale (and other Wireguard-based VPNs) • Teleport (open source) One Talk: “Zero Touch Prod: Towards Safer and More Secure Production Environments” Move beyond pervasive raw-SSH access to patterns for getting shells in services that provide least privilege, auditability, support dual control, and can constrain data ingress and egress.

@ramimccarthy Infrastructure Access Build: Adopt: Not recommended Recommended • Move from SSH to SSM (or equivalent) early • Get alignment on “what good looks like” • You won’t get anywhere stopping your coworkers 
 from doing their jobs • Think about what it will take to get logging to a place 
 that could power real-time detections Buy: Move beyond pervasive raw-SSH access to patterns for getting shells in services that provide least privilege, auditability, support dual control, and can constrain data ingress and egress.

@ramimccarthy Data Perimeter Install guardrails that only allow access for trusted identities, accessing trusted resources, on expected networks. Adopt: Options Buy: Options • InstaSecure • Native services One Read: “Building a Data Perimeter on AWS”

@ramimccarthy Data Perimeter Install guardrails that only allow access for trusted identities, accessing trusted resources, on expected networks. Build: Adopt: Not recommended Recommended • Start small - one example would be “we never call 
 s3 : PutObject outside our organization” • Make sure to test your controls, edge cases 
 on condition support can create surprise gaps • Be careful, AWS doesn’t offer safe ways to roll out SCPs Buy:

@ramimccarthy Cut for time •Vulnerability Management •Detection Engineering & Security Data Lakes •Continuous Compliance / Compliance Automation •DFIR preparedness •Runtime Security •Service to Service Authentication

@ramimccarthy • Prioritization is inherently custom to your risk and business • Don’t do everything, everywhere, all at once • But, conversely, uneven application of controls can be ineffective and impractical • Scaling program requires increasing investment to maintain and avoid regression in current controls Keep in Mind 
 https://speakerdeck.com/ramimac/fwdcloudsec

@ramimccarthy Cut for time (speed round) • Vulnerability Management • Shared concern with AppSec, generally • ASPMs are rapidly bringing in cloud context • Detection Engineering • Security Data Lakes are an emerging trend • See: brex / substrate, BSidesSF 2023’s “To Normalized Logs, and Beyond," • Continuous Compliance / Compliance Automation • Vanta / Drata on one end, JupiterOne on the other • DFIR preparedness • Netflix-Skunkworks / diffy, google / cloud-forensics-utils, awslabs / aws-automated- incident-response-and-forensics • Cado, Mitiga

@ramimccarthy Cut for time (speed round) • Runtime Security • auditd [blog], OSQuery, Falco, or cilium / tetragon, GuardDuty Runtime Monitoring ( EKS ) • Sysdig or Isovalent, or whatever comes with your CNAPP • Chainguard for a different part of the problem • Service to Service Authentication • Start with: A Child’s Garden of Inter-Service Authentication Schemes, Latacora • If you can get this for free with a Service Mesh, you probably should • This gets talked about more than it gets implemented (well) • Basic shared secrets can provide initial answers here