Slide 1
Slide 1 text
Perils of the
☁
Philipp Krenn̴̴̴̴̴̴@xeraa
Slide 2
Slide 2 text
ViennaDB
Papers We Love Vienna
Slide 3
Slide 3 text
Infrastructure | Developer Advocate
Slide 4
Slide 4 text
Who uses
AWS, Azure,...?
Slide 5
Slide 5 text
Does the cloud solve all
your security issues?
Slide 6
Slide 6 text
No content
Slide 7
Slide 7 text
"We can operate more
securely on AWS than we can
in our own data centers" Rob
Alexander of CapitalOne
#reinvent
— Adrian Cockcroft, https://twitter.com/adrianco/status/
651788241557942272
Slide 8
Slide 8 text
AWS Security Bulletins
https://aws.amazon.com/security/security-bulletins/
Xen, Heartbleed,...
Slide 9
Slide 9 text
The main problem is...
Slide 10
Slide 10 text
No content
Slide 11
Slide 11 text
[...] our data, backups,
machine configurations and
offsite backups were either
partially or completely
deleted.
— http://www.codespaces.com
Slide 12
Slide 12 text
No content
Slide 13
Slide 13 text
The person(s) used our
account to order hundreds
of expensive servers, likely
to mine Bitcoin or other
cryptocurrencies.
— http://blog.drawquest.com
Slide 14
Slide 14 text
No content
Slide 15
Slide 15 text
This outage was the
result of an attack on our
systems using a
compromised API key.
— http://status.bonsai.io/incidents/qt70mqtjbf0s
Slide 16
Slide 16 text
No content
Slide 17
Slide 17 text
Secure your
accounts
In 101 steps
Slide 18
Slide 18 text
000
Accounts
Slide 19
Slide 19 text
Lock away your root
account and never use it
Slide 20
Slide 20 text
Always use Identity and
Access Management (IAM)
Slide 21
Slide 21 text
No content
Slide 22
Slide 22 text
One IAM user per
service / action or use
delegation
Slide 23
Slide 23 text
001
Access
Slide 24
Slide 24 text
Only allow what is
necessary
Principle of the least access
Slide 25
Slide 25 text
{ "Statement": [
{
"Effect": "Allow",
"Action": "*",
"Resource": "*"
},
{
"Effect": "Deny",
"Action": [
"ec2:ReleaseAddress",
"route53:DeleteHostedZone"
],
"Resource": "*"
}
] }
Slide 26
Slide 26 text
Use groups to manage
permissions for users
Slide 27
Slide 27 text
{ "Statement": [
{
"Effect": "Allow",
"Action": [
"s3:ListAllMyBuckets",
"s3:ListBucket"
],
"Resource": "arn:aws:s3:::*"
},
{
"Action": [
"s3:PutObject",
"s3:GetObject",
"s3:DeleteObject"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::com.example.backup/*"
}
] }
Slide 28
Slide 28 text
{ "Statement": [
{
"Effect": "Allow",
"Action": [
"s3:ListAllMyBuckets",
"s3:ListBucket"
],
"Resource": "arn:aws:s3:::*"
},
{
"Action": [
"s3:PutObject",
"s3:GetObject",
"s3:DeleteObject"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::com.example.backup/*"
}
] }
Slide 29
Slide 29 text
IAM permissions for few
people
Slide 30
Slide 30 text
010
Authentication
Slide 31
Slide 31 text
Use strong passwords
Slide 32
Slide 32 text
No content
Slide 33
Slide 33 text
No content
Slide 34
Slide 34 text
Use Multi Factor
Authentication (MFA)
Slide 35
Slide 35 text
No content
Slide 36
Slide 36 text
No content
Slide 37
Slide 37 text
Hardware token &
fallback questions
Slide 38
Slide 38 text
011
Code
Slide 39
Slide 39 text
Never commit your
credentials
Slide 40
Slide 40 text
100
Network
Slide 41
Slide 41 text
Enable IP restrictions
Slide 42
Slide 42 text
{ "Statement": [
{
"Effect": "Allow",
"Action": "*",
"Resource": "*"
},
{
"Effect": "Deny",
"Action": "*",
"Resource": "*",
"Condition": {
"NotIpAddress": {
"aws:SourceIp": ["1.2.3.4/24", "5.6.7.8/28"]
}
}
}
] }
Slide 43
Slide 43 text
No content
Slide 44
Slide 44 text
101
Tools
Slide 45
Slide 45 text
Enable billing alerts
Slide 46
Slide 46 text
No content
Slide 47
Slide 47 text
Enable CloudTrail
Slide 48
Slide 48 text
{ "Records": [
{
"eventVersion": "1.0",
"userIdentity": {
"type": "IAMUser",
"principalId": "EX_PRINCIPAL_ID",
"arn": "arn:aws:iam::123456789012:user/Alice",
"accountId": "123456789012",
"accessKeyId": "EXAMPLE_KEY_ID",
"userName": "Alice"
},
"eventTime": "2015-09-09T19:01:59Z",
"eventSource": "ec2.amazonaws.com",
"eventName": "StopInstances",
"awsRegion": "eu-west-1",
"sourceIPAddress": "205.251.233.176",
"userAgent": "ec2-api-tools 1.6.12.2",
"requestParameters": {
"instancesSet": {
"items": [
{ "instanceId": "i-ebeaf9e2" }
]
},
"force": false
},
...
},
...
] }
Slide 49
Slide 49 text
Export to an external
system
Slide 50
Slide 50 text
No content
Slide 51
Slide 51 text
Check your security
status
Slide 52
Slide 52 text
No content
Slide 53
Slide 53 text
Premium support:
trusted advisor security
Slide 54
Slide 54 text
No content
Slide 55
Slide 55 text
Custom tools
Slide 56
Slide 56 text
No content
Slide 57
Slide 57 text
No content
Slide 58
Slide 58 text
No content
Slide 59
Slide 59 text
Attacks
Slide 60
Slide 60 text
Make money
Slide 61
Slide 61 text
Destroy competition
Slide 62
Slide 62 text
Defend yourself
Slide 63
Slide 63 text
To do and
not to do
Slide 64
Slide 64 text
If a key is compromised
rotate it
Slide 65
Slide 65 text
Store your secrets
Slide 66
Slide 66 text
1. Environment variables
2. Encrypted files in SCM
3. Vaults
Slide 67
Slide 67 text
http://ejohn.org
/blog/keeping-passwords-in-source-control/
Slide 68
Slide 68 text
No content
Slide 69
Slide 69 text
#!/bin/sh
FILE=$1
FILENAME=$(basename "$FILE")
EXTENSION="${FILENAME##*.}"
NAME="${FILENAME%.*}"
if [[ "$EXTENSION" != "aes256" ]]
then
echo "Encrypting $FILENAME and removing the plaintext file"
openssl aes-256-cbc -e -a -in $FILENAME -out ${FILENAME}.aes256
rm $FILENAME
else
then
echo "Decrypting $FILENAME"
openssl aes-256-cbc -d -a -in $FILENAME -out $NAME
fi
Slide 70
Slide 70 text
$ ls
truststore.jks.aes256
$ encrypt-decrypt.sh truststore.jks.aes256
Contact [email protected] for the password
Decrypting truststore.jks.aes256
enter aes-256-cbc decryption password:
$ ls
truststore.jks truststore.jks.aes256
Slide 71
Slide 71 text
Vaults
HashiCorp Vault
Ansible Vault
Slide 72
Slide 72 text
Check your code
https://github.com/michenriksen/gitrob
https://github.com/awslabs/git-secrets
Slide 73
Slide 73 text
Conclusion
Slide 74
Slide 74 text
There's no ✨
Slide 75
Slide 75 text
140 servers running on my
AWS account. What? How? I
only had S3 keys on my
GitHub and they where gone
within 5 minutes!
— http://www.devfactor.net/2014/12/30/2375-amazon-
mistake/
Slide 76
Slide 76 text
How a bug in Visual Studio
2015 exposed my source
code on GitHub and cost me
$6,500 in a few hours
— https://www.humankode.com/security/how-a-bug-
in-visual-studio-2015-exposed-my-source-code-on-
github-and-cost-me-6500-in-a-few-hours
Slide 77
Slide 77 text
No content
Slide 78
Slide 78 text
Thanks!
Questions?
Philipp Krenn̴̴̴̴̴̴̴@xeraa
Slide 79
Slide 79 text
Image Credit
→ Mobile https://flic.kr/p/j7hLsu
→ XKCD http://xkcd.com/936/