Slide 1
Slide 1 text
Survival Guide
Philipp Krenn̴̴̴̴̴̴̴̴̴̴̴̴̴̴̴̴̴̴@xeraa
Slide 2
Slide 2 text
Electronic Data
Interchange (EDI)
Slide 3
Slide 3 text
ViennaDB
Papers We Love Vienna
Slide 4
Slide 4 text
Who uses
AWS, Azure,...?
Slide 5
Slide 5 text
No content
Slide 6
Slide 6 text
Does the cloud solve all
your security issues?
Slide 7
Slide 7 text
No content
Slide 8
Slide 8 text
"We can operate more
securely on AWS than we can
in our own data centers" Rob
Alexander of CapitalOne
#reinvent
— Adrian Cockcroft, https://twitter.com/adrianco/status/
651788241557942272
Slide 9
Slide 9 text
AWS Security Bulletins
https://aws.amazon.com/security/security-bulletins/
Xen, Heartbleed,...
Slide 10
Slide 10 text
Securing your
Infrastructure
Account
Slide 11
Slide 11 text
Infrastructure
Slide 12
Slide 12 text
VPC
Virtual Private Cloud
Slide 13
Slide 13 text
EC2 Classic
Private and public IP on every instance
Slide 14
Slide 14 text
No content
Slide 15
Slide 15 text
No content
Slide 16
Slide 16 text
Network /16
Production 10.0.*.*
Development 10.1.*.*
...
Slide 17
Slide 17 text
Availability Zones /18
A 10.*.0.0/18
B 10.*.64.0/18
Spare 10.*.128.0/18 & 10.*.192.0/18
Slide 18
Slide 18 text
Subnets /20
A public 10.*.0.0/20
A private 10.*.16.0/20
A spare 10.*.32.0/20 & 10.*.48.0/20
B public 10.*.64.0/20
B private 10.*.80.0/20
B spare 10.*.96.0/20 & 10.*.112.0/20
Slide 19
Slide 19 text
PS: Networking
No broadcasts or multicasts
No IPv6 yet
Slide 20
Slide 20 text
Security Group
Per instance
Slide 21
Slide 21 text
No content
Slide 22
Slide 22 text
Network ACL
Per subnet (optional)
Slide 23
Slide 23 text
Second layer of defense
Default allow incoming & outgoing
Allow and deny
Order matters
Stateless
Slide 24
Slide 24 text
IAM
Identity and Access
Management
Slide 25
Slide 25 text
No content
Slide 26
Slide 26 text
Users are managed in Groups
AWS services are assigned Roles
Policies define permissions
Slide 27
Slide 27 text
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "s3:ListAllMyBuckets",
"Resource": "arn:aws:s3:::*"
},
{
"Effect": "Allow",
"Action": [
"s3:ListBucket",
"s3:GetBucketLocation"
],
"Resource": "arn:aws:s3:::EXAMPLE-BUCKET-NAME"
},
{
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:GetObject",
"s3:DeleteObject"
],
"Resource": "arn:aws:s3:::EXAMPLE-BUCKET-NAME/*"
}
]
}
Slide 28
Slide 28 text
Create an IAM user / role
for every person, service,
and action
Slide 29
Slide 29 text
https://awspolicygen.s3.amazonaws.com/
policygen.html
Slide 30
Slide 30 text
Encryption
at rest
Slide 31
Slide 31 text
S3, EBS, RDS,...
Transparent key management
Slide 32
Slide 32 text
No content
Slide 33
Slide 33 text
Microservices
Technologies & AWS
account per team
OAuth for internal & external
communication
Slide 34
Slide 34 text
Account
Slide 35
Slide 35 text
No content
Slide 36
Slide 36 text
[...] our data, backups,
machine configurations and
offsite backups were either
partially or completely
deleted.
— http://www.codespaces.com
Slide 37
Slide 37 text
No content
Slide 38
Slide 38 text
The person(s) used our
account to order hundreds
of expensive servers, likely
to mine Bitcoin or other
cryptocurrencies.
— http://blog.drawquest.com
Slide 39
Slide 39 text
No content
Slide 40
Slide 40 text
This outage was the
result of an attack on our
systems using a
compromised API key.
— http://status.bonsai.io/incidents/qt70mqtjbf0s
Slide 41
Slide 41 text
No content
Slide 42
Slide 42 text
1001 easy steps
Slide 43
Slide 43 text
0000
Lock away your root
account and never use it
Slide 44
Slide 44 text
0001
Always use an IAM
account
Slide 45
Slide 45 text
0010
Only allow what is
necessary
Principle of the least access
Slide 46
Slide 46 text
{ "Statement": [
{
"Effect": "Allow",
"Action": "*",
"Resource": "*"
},
{
"Effect": "Deny",
"Action": [
"ec2:ReleaseAddress",
"route53:DeleteHostedZone"
],
"Resource": "*"
}
] }
Slide 47
Slide 47 text
0011
Use strong passwords
Slide 48
Slide 48 text
No content
Slide 49
Slide 49 text
0100
Use Multi Factor
Authentication (MFA)
Slide 50
Slide 50 text
No content
Slide 51
Slide 51 text
No content
Slide 52
Slide 52 text
0101
Never commit your
credentials
Slide 53
Slide 53 text
Where to keep your
secrets?
Slide 54
Slide 54 text
1. Environment variables
2. Encrypted files in SCM
3. Fancy tools
Slide 55
Slide 55 text
http://ejohn.org
/blog/keeping-passwords-in-source-control/
Slide 56
Slide 56 text
No content
Slide 57
Slide 57 text
#!/bin/sh
FILE=$1
FILENAME=$(basename "$FILE")
EXTENSION="${FILENAME##*.}"
NAME="${FILENAME%.*}"
if [[ "$EXTENSION" != "aes256" ]]
then
echo "Encrypting $FILENAME and removing the plaintext file"
openssl aes-256-cbc -e -a -in $FILENAME -out ${FILENAME}.aes256
rm $FILENAME
else
then
echo "Decrypting $FILENAME"
openssl aes-256-cbc -d -a -in $FILENAME -out $NAME
fi
Slide 58
Slide 58 text
$ ls
truststore.jks.aes256
$ encrypt-decrypt.sh truststore.jks.aes256
Contact [email protected] for the password
Decrypting truststore.jks.aes256
enter aes-256-cbc decryption password:
$ ls
truststore.jks truststore.jks.aes256
Slide 59
Slide 59 text
Tools
Ansible Vault, HashiCorp
Vault,...
Slide 60
Slide 60 text
Check your code
https://github.com/michenriksen/gitrob
Slide 61
Slide 61 text
0110
Enable IP restrictions
Slide 62
Slide 62 text
{ "Statement": [
{
"Effect": "Allow",
"Action": "*",
"Resource": "*"
},
{
"Effect": "Deny",
"Action": "*",
"Resource": "*",
"Condition": {
"NotIpAddress": {
"aws:SourceIp": ["1.2.3.4/24", "5.6.7.8/28"]
}
}
}
] }
Slide 63
Slide 63 text
No content
Slide 64
Slide 64 text
0111
Enable billing alerts
Slide 65
Slide 65 text
No content
Slide 66
Slide 66 text
1000
Enable CloudTrail
Slide 67
Slide 67 text
{ "Records": [
{
"eventVersion": "1.0",
"userIdentity": {
"type": "IAMUser",
"principalId": "EX_PRINCIPAL_ID",
"arn": "arn:aws:iam::123456789012:user/Alice",
"accountId": "123456789012",
"accessKeyId": "EXAMPLE_KEY_ID",
"userName": "Alice"
},
"eventTime": "2015-09-09T19:01:59Z",
"eventSource": "ec2.amazonaws.com",
"eventName": "StopInstances",
"awsRegion": "eu-west-1",
"sourceIPAddress": "205.251.233.176",
"userAgent": "ec2-api-tools 1.6.12.2",
"requestParameters": {
"instancesSet": {
"items": [
{ "instanceId": "i-ebeaf9e2" }
]
},
"force": false
},
...
},
...
] }
Slide 68
Slide 68 text
1001
Check Your Security
Status
Slide 69
Slide 69 text
No content
Slide 70
Slide 70 text
Bonus
Premium Support:
Trusted Advisor Security
Slide 71
Slide 71 text
No content
Slide 72
Slide 72 text
Conclusion
Slide 73
Slide 73 text
No Magic
Just do your homework
Slide 74
Slide 74 text
140 servers running on my
AWS account. What? How? I
only had S3 keys on my
GitHub and they where gone
within 5 minutes!
— http://www.devfactor.net/2014/12/30/2375-amazon-
mistake/
Slide 75
Slide 75 text
If a key is compromised,
rotate it!
Slide 76
Slide 76 text
How a bug in Visual Studio
2015 exposed my source
code on GitHub and cost me
$6,500 in a few hours
— https://www.humankode.com/security/how-a-bug-
in-visual-studio-2015-exposed-my-source-code-on-
github-and-cost-me-6500-in-a-few-hours
Slide 77
Slide 77 text
And never commit your
credentials!
Slide 78
Slide 78 text
Thank you!
Questions?
@xeraa