Slide 1

Securing Your AWS Cloud Infrastructure. 13 August 2018 • Horangi team • 118A Telok Ayer, Singapore 068587

Slide 2

Horangi. 01 An introduction to our company and what we do.

Slide 3

Steve “Potay” Teo • Director of Cloud Security Engineering @ Horangi • CloudDevSecOps Fanatic • Progression: UI/UX Designer / Developer => Full Stack Developer => Build & Release Engineer => Infrastructure & Tools Architect • AWS areas of interest: AWS Multi-Account Strategy, Cloud Security • Totally uncertified and proud :P

Slide 4

Communities I serve: www.meetup.com/AWS-SG/ • www.meetup.com/Atlassian-User-Group-Singapore/

Slide 5

AWS User Group Singapore - Monthly

Slide 8

What Horangi does. We analyze your current security posture and customize solutions to resolve your situation in a holistic way. PRODUCT • SERVICES • CONSULT

Slide 9

Focus. Horangi has identified two main issues to be solved in today’s security landscape.
01. Global cyber security talent deficit: there are not enough professionals to meet the demand of all companies, regionally and internationally, and competent staff are locked into a few industries, preventing others from building qualified security teams.
02. Relating cyber security to business priorities: there is a disconnect between technical and business requirements, and communication between senior management and operational security roles needs to improve.

Slide 10

Warden. 05 An overview of our latest product.

Slide 11

Warden is a cloud security assessment and monitoring tool that detects misconfigurations and vulnerabilities in your cloud infrastructure.

Slide 12

The Story. 03

Slide 13

WHY SECURE YOUR CLOUD INFRASTRUCTURE?

Slide 14

Cloud Breaches.
OCT 2017: Accenture accidentally configured four AWS S3 buckets to be publicly accessible.
NOV 2017: Uber disclosed that its AWS account had been breached, compromising the personal information of 57 million users worldwide, including 600,000 drivers.
MAR 2018: An error in GoDaddy’s S3 bucket configuration led to the exposure of internal information.

Slide 15

Cloud Breaches.
FEB 2019: Security researcher Bob Diachenko discovered the Dow Jones Watchlist dataset sitting on a publicly accessible AWS Elasticsearch cluster.
APR 2019: Breach hunters found two Amazon cloud servers storing over 540 million Facebook-related records.

Slide 16

Business Impact.
● LOSS OF REVENUE: Small businesses shell out an average of $38,000 to recover from a single data breach in direct expenses alone.
● LOSS OF TRUST: Breaches cause customers and other stakeholders to lose trust in your organization, which costs you business.
● INTELLECTUAL PROPERTY THEFT: Having trade secrets exposed causes companies to lose their competitive advantage.

Slide 17

ON-PREMISE vs. CLOUD SECURITY

Slide 18

No content

Slide 19

On-Premise Security. With an on-premise infrastructure, the organization is responsible for the infrastructure’s security end-to-end, from the physical data centre up to the application. It is almost always IT-driven.

Slide 20

Cloud: Shared Responsibility. The Shared Responsibility Model divides security duties between the cloud provider and its customers: the provider secures the underlying infrastructure, and the customer secures everything they configure and deploy on top of it.

Slide 21

No content

Slide 22

Other Key Points.
● The management layer is now exposed to the Internet
● Traditional siloed roles vs. new cloud roles
● Our talent pool is not all mature enough for the cloud shift

Slide 23

Every AWS Account is a Blank Cheque

Slide 24

AWS Well-Architected Framework. 04

Slide 25

AWS Well-Architected Framework. The AWS Well-Architected Framework was developed to help AWS cloud architects build secure, high-performing, resilient, and efficient infrastructure. Its pillars: OPERATIONAL EXCELLENCE • SECURITY • RELIABILITY • PERFORMANCE EFFICIENCY • COST OPTIMIZATION

Slide 27

The Security Pillar. 04

Slide 28

AWS Security Pillar. The Security pillar is the ability to protect information, systems, and assets while delivering business value through risk assessments and mitigation strategies. (Source: AWS Well-Architected Framework) Its areas: IDENTITY & ACCESS MANAGEMENT • DETECTIVE CONTROLS • INFRASTRUCTURE PROTECTION • DATA PROTECTION • INCIDENT RESPONSE

Slide 29

Identity & Access.
QUESTIONS
● How do you manage your credentials?
● How do you control human access?
● How do you control programmatic access?
BEST PRACTICES
● Grant only the bare minimum privileges necessary
● Enforce MFA for all users
● Limit use of the root account
● Use temporary credentials for programmatic access
● Review your IAM access periodically
KEY SERVICES
AWS Identity and Access Management (IAM), AWS Security Token Service (STS)

Slide 30

Multi-Factor Authentication. Configure an MFA device as an additional barrier against attackers who obtain a password or access key.

Slide 31

Use IAM Groups. IAM groups let multiple users share the same set of policies: attach policies to groups rather than to individual users, and move users between groups as their responsibilities change.

Slide 32

Least Privilege. Only give users the minimum amount of privileges necessary to do their job.

Slide 33

Use IAM Roles. IAM roles grant permissions to trusted entities (AWS services, users in other accounts, federated identities) through short-lived STS credentials instead of long-lived access keys.

Slide 34

Scale using AWS Organisations

Slide 35

Leverage AWS SSO / Landing Zone

Slide 36

Detective Controls.
QUESTIONS
● How do you detect and investigate security events?
● How do you defend against emerging security threats?
BEST PRACTICES
● Enable CloudTrail API logging across all regions
● Enable GuardDuty in all accounts and regions
● Integrate all your logs in CloudWatch
KEY SERVICES
CloudWatch, CloudTrail, GuardDuty

Slide 37

CloudTrail. AWS CloudTrail is a service that records API activity in your AWS account and delivers the log files to an S3 bucket you own.

Slide 38

CloudTrail Best Practices.
● Enable CloudTrail in all regions (a multi-region trail)
● Enable logging for management events
● Log S3 object-level API activity (data events)
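Trail logs only become a detective control when something reads them. As an added example that is not from the deck, the Python script below runs four detection rules over constructed CloudTrail records laid out the way CloudTrail delivers them to S3 (a JSON object with a `Records` array, fields abridged): root account activity, console login without MFA, tampering with the trail itself, and a bucket ACL grant to the AllUsers group. The account ID, user names, IP addresses and bucket name are made up.

```python
"""Detective-control rules over constructed CloudTrail records (added example)."""
import json

# Constructed CloudTrail delivery file (abridged). Account ID, users, IPs and
# bucket name are all made up; 203.0.113.0/24 and 198.51.100.0/24 are
# documentation address ranges.
SAMPLE_TRAIL = json.dumps({"Records": [
    {   # Root signed into the console without MFA.
        "eventTime": "2018-08-13T02:10:00Z", "eventSource": "signin.amazonaws.com",
        "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.10",
        "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"},
        "additionalEventData": {"MFAUsed": "No"},
        "responseElements": {"ConsoleLogin": "Success"},
    },
    {   # An IAM user switched the trail off.
        "eventTime": "2018-08-13T02:12:41Z", "eventSource": "cloudtrail.amazonaws.com",
        "eventName": "StopLogging", "sourceIPAddress": "198.51.100.7",
        "userIdentity": {"type": "IAMUser", "userName": "alice",
                         "arn": "arn:aws:iam::111122223333:user/alice"},
        "requestParameters": {"name": "main-trail"},
    },
    {   # A bucket ACL was changed to grant the AllUsers group read access.
        "eventTime": "2018-08-13T02:15:03Z", "eventSource": "s3.amazonaws.com",
        "eventName": "PutBucketAcl", "sourceIPAddress": "198.51.100.7",
        "userIdentity": {"type": "IAMUser", "userName": "alice",
                         "arn": "arn:aws:iam::111122223333:user/alice"},
        "requestParameters": {"bucketName": "example-reports",
            "AccessControlPolicy": {"AccessControlList": {"Grant": [
                {"Grantee": {"URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
                 "Permission": "READ"}]}}},
    },
    {   # Benign read-only call for contrast.
        "eventTime": "2018-08-13T02:20:00Z", "eventSource": "ec2.amazonaws.com",
        "eventName": "DescribeInstances", "sourceIPAddress": "198.51.100.7",
        "userIdentity": {"type": "AssumedRole",
                         "arn": "arn:aws:sts::111122223333:assumed-role/ops/bob"},
    },
]})

TRAIL_TAMPERING = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}
PUBLIC_GRANTEES = ("groups/global/AllUsers", "groups/global/AuthenticatedUsers")


def rule_root_activity(event):
    return event.get("userIdentity", {}).get("type") == "Root"


def rule_console_login_without_mfa(event):
    return (event.get("eventName") == "ConsoleLogin"
            and event.get("additionalEventData", {}).get("MFAUsed") == "No")


def rule_trail_tampering(event):
    return (event.get("eventSource") == "cloudtrail.amazonaws.com"
            and event.get("eventName") in TRAIL_TAMPERING)


def rule_public_bucket_acl(event):
    if event.get("eventName") not in ("PutBucketAcl", "PutObjectAcl"):
        return False
    # Grant structures vary by client, so match the grantee URI anywhere
    # in the serialised request rather than at a fixed path.
    params = json.dumps(event.get("requestParameters", {}))
    return any(grantee in params for grantee in PUBLIC_GRANTEES)


RULES = [rule_root_activity, rule_console_login_without_mfa,
         rule_trail_tampering, rule_public_bucket_acl]


def detect(trail_json):
    """Return (rule name, event name, actor ARN, time) for every rule hit."""
    hits = []
    for event in json.loads(trail_json).get("Records", []):
        for rule in RULES:
            if rule(event):
                hits.append((rule.__name__, event.get("eventName"),
                             event.get("userIdentity", {}).get("arn"),
                             event.get("eventTime")))
    return hits


if __name__ == "__main__":
    for hit in detect(SAMPLE_TRAIL):
        print(*hit)
```

In production the same rules are better expressed as CloudWatch Logs metric filters or EventBridge rules on the CloudTrail stream so they fire within minutes; the script shows the logic, not the delivery mechanism. Note that `StopLogging` on the only trail is both an attack step and the reason the last events are the ones you must alert on.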

Slide 39

GuardDuty. GuardDuty is a threat detection service that continuously monitors for malicious activity and unauthorized behavior to protect your AWS accounts and workloads.

Slide 40

Crowd-source Detective Controls.

Slide 41

Infrastructure Protection.
QUESTIONS
● How do you protect your networks?
● How do you protect your compute resources?
BEST PRACTICES
● Open only the ports necessary for operation
● Automate deployment and maintenance whenever possible
● Use IAM to configure user-level access
KEY SERVICES
Virtual Private Cloud (VPC)

Slide 42

Get your VPC architecture right.

Slide 43

Security Group vs. NACL.
● Network access control lists are applied at the subnet level and are stateless: return traffic must be allowed by an explicit rule in the opposite direction.
● Security groups are attached explicitly to the instance (its network interface) and are stateful: replies to allowed traffic are permitted automatically.
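As an added example that is not part of the deck, the Python script below does two things a practitioner wants from the slide above: it audits security-group ingress rules for sensitive ports open to the whole Internet (on both IPv4 and IPv6), and it evaluates a network ACL the way the VPC does, lowest rule number first, to show why a stateless NACL needs an explicit egress rule for reply traffic to clients' ephemeral ports. The group IDs, CIDRs and rule sets are constructed in the shape of `describe-security-groups` and `describe-network-acls` output, with fields abridged.

```python
"""Audit security-group ingress and evaluate a stateless NACL (added example)."""
import ipaddress

# Constructed sample in the shape of `aws ec2 describe-security-groups`
# output (abridged); group IDs and CIDRs are made up.
SAMPLE_GROUPS = [
    {"GroupId": "sg-0a1b2c3d", "GroupName": "web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    ]},
    {"GroupId": "sg-0e4f5a6b", "GroupName": "db", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": []},
        {"IpProtocol": "-1",  # all protocols; the API omits port fields here
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    ]},
    {"GroupId": "sg-07c8d9e0", "GroupName": "bastion", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}],
         "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},  # IPv6 side left wide open
    ]},
]

SENSITIVE_PORTS = {22: "SSH", 3389: "RDP", 3306: "MySQL", 5432: "PostgreSQL", 6379: "Redis"}


def is_world_open(cidr):
    """0.0.0.0/0 and ::/0 are the only prefixes of length zero."""
    return ipaddress.ip_network(cidr).prefixlen == 0


def audit_security_groups(groups):
    """Return (group id, label, detail) for Internet-open ingress on sensitive ports."""
    findings = []
    for group in groups:
        for perm in group.get("IpPermissions", []):
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            if not any(is_world_open(c) for c in cidrs):
                continue
            if perm.get("IpProtocol") == "-1":
                findings.append((group["GroupId"], "ALL", "all protocols and ports open to the world"))
                continue
            low, high = perm.get("FromPort", 0), perm.get("ToPort", 65535)
            for port, label in SENSITIVE_PORTS.items():
                if low <= port <= high:
                    findings.append((group["GroupId"], label, f"port {port} open to the world"))
    return findings


# Constructed NACL entries in the shape of `aws ec2 describe-network-acls`
# output (abridged). Inbound 443 is allowed, but egress only allows port 443,
# so the replies an HTTPS server sends to clients' ephemeral ports are dropped.
SAMPLE_NACL_ENTRIES = [
    {"RuleNumber": 100, "Egress": False, "Protocol": "6", "RuleAction": "allow",
     "CidrBlock": "0.0.0.0/0", "PortRange": {"From": 443, "To": 443}},
    {"RuleNumber": 32767, "Egress": False, "Protocol": "-1", "RuleAction": "deny",
     "CidrBlock": "0.0.0.0/0"},
    {"RuleNumber": 100, "Egress": True, "Protocol": "6", "RuleAction": "allow",
     "CidrBlock": "0.0.0.0/0", "PortRange": {"From": 443, "To": 443}},
    {"RuleNumber": 32767, "Egress": True, "Protocol": "-1", "RuleAction": "deny",
     "CidrBlock": "0.0.0.0/0"},
]


def nacl_permits(entries, egress, port, protocol="6"):
    """Evaluate NACL rules in ascending RuleNumber order; the first match wins.

    NACLs are stateless: egress is evaluated separately, and reply traffic is
    addressed to the client's ephemeral port, not to port 443.
    """
    for entry in sorted(entries, key=lambda e: e["RuleNumber"]):
        if entry["Egress"] != egress or entry["Protocol"] not in ("-1", protocol):
            continue
        rng = entry.get("PortRange")
        if rng and not (rng["From"] <= port <= rng["To"]):
            continue
        return entry["RuleAction"] == "allow"
    return False  # no rule matched; the VPC's implicit default is deny


if __name__ == "__main__":
    for finding in audit_security_groups(SAMPLE_GROUPS):
        print(*finding)
    print("inbound 443 allowed:", nacl_permits(SAMPLE_NACL_ENTRIES, False, 443))
    print("reply to ephemeral 50000 allowed:", nacl_permits(SAMPLE_NACL_ENTRIES, True, 50000))
```

The fix for the NACL case is an egress allow for TCP 1024-65535 (the ephemeral range) to 0.0.0.0/0, which is exactly the rule a stateful security group never needs. The audit deliberately ignores port 443 open to the world on the web group: that is the service, and the point of the slide is to open only what operation requires.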

Slide 44

Data Protection.
QUESTIONS
● How do you classify your data?
● How do you protect your data at rest?
● How do you protect your data in transit?
BEST PRACTICES
● Classify your data using resource tags, IAM policies, etc.
● Use tokenization and encryption for highly sensitive information
● Define clear protocols for data backup, replication and recovery
KEY SERVICES
AWS Key Management Service (KMS), S3

Slide 45

Data at Rest vs. Data In Transit.
What is it? | At rest: data that persists for any duration | In transit: data being transmitted from one system to another
Where is it stored? | At rest: block storage, object storage, databases, archives, and any other storage medium | In transit: not stored; it is on the wire between systems
Why protect it? | At rest: reduce the risk of unauthorized access | In transit: protect the confidentiality and integrity of the application’s data
How do you protect it? | At rest: encrypt with managed keys when the data is written | In transit: use secure protocols that implement current cryptography standards (such as TLS)

Slide 46

Encryption At Rest.

Slide 47

S3 Policies.
● Block public access to the bucket (S3 Block Public Access can enforce this for the whole account)
● Enable object-level logging (CloudTrail data events such as GetObject and PutObject)
● Enable default encryption on the bucket
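As an added example that is not from the deck, the Python script below checks an S3 bucket policy document for the first and third bullets above: it lists Allow statements granted to everyone with no condition (the classic public-read mistake) and confirms that the hardened policy refuses unencrypted uploads and non-TLS requests, which ties the slide's data-in-transit advice to the bucket. The bucket name example-reports-bucket, the account ID 111122223333, the role name and both policies are constructed for illustration.

```python
"""Public-access and encryption checks on S3 bucket policies (added example)."""
import json

BUCKET = "example-reports-bucket"  # hypothetical bucket name

# Constructed sample: a bucket policy that makes every object world-readable.
PUBLIC_READ_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
        "Action": "s3:GetObject", "Resource": f"arn:aws:s3:::{BUCKET}/*",
    }],
})

# Constructed sample: a hardened policy. No public Allow; uploads without a
# server-side-encryption header are refused; plaintext (non-TLS) requests are
# refused; reads go to one role in a hypothetical account.
HARDENED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "DenyUnencryptedUploads", "Effect": "Deny", "Principal": "*",
         "Action": "s3:PutObject", "Resource": f"arn:aws:s3:::{BUCKET}/*",
         "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}}},
        {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*",
         "Resource": [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"],
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
        {"Sid": "ReportsReaders", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:role/reports-reader"},
         "Action": "s3:GetObject", "Resource": f"arn:aws:s3:::{BUCKET}/*"},
    ],
})


def _statements(policy_json):
    stmts = json.loads(policy_json).get("Statement", [])
    return stmts if isinstance(stmts, list) else [stmts]


def _is_public_principal(principal):
    """'*' and {"AWS": "*"} both mean anyone, including anonymous callers."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in (aws if isinstance(aws, list) else [aws])
    return False


def public_statements(policy_json):
    """Sids of Allow statements granted to everyone with no Condition at all."""
    return [s.get("Sid") for s in _statements(policy_json)
            if s.get("Effect") == "Allow"
            and _is_public_principal(s.get("Principal"))
            and not s.get("Condition")]


def _has_deny(policy_json, action, condition):
    """True if some Deny statement covers `action` and carries `condition`."""
    for s in _statements(policy_json):
        if s.get("Effect") != "Deny":
            continue
        actions = s.get("Action", [])
        actions = actions if isinstance(actions, list) else [actions]
        if action not in actions and "s3:*" not in actions:
            continue
        cond = s.get("Condition", {})
        if all(cond.get(key) == value for key, value in condition.items()):
            return True
    return False


def enforces_encryption(policy_json):
    return _has_deny(policy_json, "s3:PutObject",
                     {"Null": {"s3:x-amz-server-side-encryption": "true"}})


def enforces_tls(policy_json):
    return _has_deny(policy_json, "s3:GetObject",
                     {"Bool": {"aws:SecureTransport": "false"}})


if __name__ == "__main__":
    for name, doc in (("public", PUBLIC_READ_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, "public statements:", public_statements(doc),
              "| encryption enforced:", enforces_encryption(doc),
              "| TLS enforced:", enforces_tls(doc))
```

Two caveats. The bucket policy is only one of several ways a bucket becomes public (ACLs and access point policies are others), which is why S3 Block Public Access at the account level is the control to rely on; this script is the check you run on the document you are about to deploy. And the `Null` condition on the encryption header denies any upload that omits the header, including clients that rely on the bucket's default encryption to do the job, so decide which of the two mechanisms you are enforcing before adding that Deny.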

Slide 48

Key Management. Use AWS KMS to create and manage encryption keys, which are then used to encrypt AWS resources such as S3 objects and database instances.

Slide 49

AWS vs. Custom Key Stores.
Managed by | AWS key store: AWS | Custom key store: Customer
Advantages | AWS key store: enabled in KMS by default; less setup time; higher rate limit; automatic key rotation | Custom key store: direct control of the key store; meets compliance requirements for industries that need keys held in dedicated, single-tenant hardware security modules (HSMs)
Drawbacks | AWS key store: less control of the key store; may not satisfy industries with stringent auditing requirements | Custom key store: requires a CloudHSM cluster with at least two HSMs; the customer is responsible for rotating keys

Slide 50

Incident Response.
QUESTIONS
● How do you respond to an incident?
BEST PRACTICES
● Have a defined incident response policy in place
● Use resource tags to organize the response process
● Use the “Clean Room” approach when investigating the root cause (stand up an isolated, known-good environment, e.g. from CloudFormation, and investigate there)
● Configure logging to capture as much audit detail as possible
KEY SERVICES
VPC, IAM, CloudFormation

Slide 51

Security Disaster Plan. The security disaster plan describes the steps to take when a security incident happens. It is distinct from the disaster recovery plan, which focuses on business continuity.

Slide 52

One Last Thing 05

Slide 53

Define an AWS Account Strategy. Learn more: https://speakerdeck.com/stevepotayteo/architecting-around-multiple-aws-accounts

Slide 54

No content

Slide 55

To know how to secure any cloud provider’s platform, you first need to learn it.

Slide 56

And automate everything!

Slide 57

Every AWS Account is a Blank Cheque

Slide 58

Questions?

Slide 59

LET’S GO.