@ramimacisabird
Follow up: An AWS IAM Security Tooling Reference
https://ramimac.me/cloudsec/security/aws-iam-tool-reference/
Slide 18
Networking
Slide 19
• VPC (Virtual Private Cloud): a logically isolated virtual network in your account
• Subnets: a range of IP addresses within the VPC, each tied to one Availability Zone
• Security Groups: allow-only firewall rules attached at the network interface (instance) level
• NACLs (Network Access Control Lists): allow/deny firewall rules applied at the subnet level
Networking
Security Groups                                      | NACLs
Instance (network interface) level                   | Subnet level
Allow rules only                                     | Allow and deny rules
Stateful: return traffic is allowed automatically    | Stateless: return traffic needs its own explicit allow (typically the ephemeral port range)
All rules are evaluated before deciding; any match allows | Rules are evaluated in order, lowest rule number first; the first match decides
Must be attached to specific instances (an instance launched without one gets the VPC's default group) | Automatically applies to every instance in the subnet
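The six rows of the table are easier to internalise as code, so here is a small executable model of the two evaluation strategies. This is an added example for this page, not code from the talk or from AWS: the class and helper names and the sample addresses are assumptions made for the illustration, while the semantics they encode (allow-only, every rule evaluated, stateful for security groups; ordered, first match wins, stateless for NACLs) are the documented ones. It reproduces the two mistakes practitioners make most often with NACLs: forgetting the outbound ephemeral-port allow that a stateless filter needs for return traffic, and numbering a deny above the allow it is meant to override.

```python
"""Toy model of the Security Group vs NACL semantics in the table above. Added
illustration, not AWS code: the behaviour modelled is the documented one, but the
classes, helper names and sample addresses are constructed for this example."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" (toward the instance) or "out" (from the instance)
    proto: str       # "tcp" or "udp"
    remote: str      # IP address of the other end
    remote_port: int
    local_port: int


@dataclass
class Rule:
    direction: str
    proto: str             # "tcp", "udp" or "all"
    port_from: int
    port_to: int
    cidr: str
    action: str = "allow"  # NACL rules may be "deny"; security group rules never are
    number: int = 0        # NACL rule number; unused for security groups

    def matches(self, pkt: Packet) -> bool:
        # Rules are keyed on the destination port: the instance's own port for
        # inbound traffic, the remote port for outbound traffic.
        dport = pkt.local_port if pkt.direction == "in" else pkt.remote_port
        return (self.direction == pkt.direction
                and self.proto in ("all", pkt.proto)
                and self.port_from <= dport <= self.port_to
                and ipaddress.ip_address(pkt.remote) in ipaddress.ip_network(self.cidr))


def _flow(pkt: Packet, direction: str) -> tuple:
    return (direction, pkt.proto, pkt.remote, pkt.remote_port, pkt.local_port)


class SecurityGroup:
    """Instance level, allow-only, stateful."""

    def __init__(self, rules):
        self.rules = list(rules)
        self.flows = set()  # connection-tracking state

    def allows(self, pkt: Packet) -> bool:
        # Stateful: a reply to an already accepted flow passes without any rule.
        reverse = "out" if pkt.direction == "in" else "in"
        if _flow(pkt, reverse) in self.flows:
            return True
        # Every rule is evaluated and any match permits; with no deny rules,
        # rule order cannot matter.
        if any(r.matches(pkt) for r in self.rules):
            self.flows.add(_flow(pkt, pkt.direction))
            return True
        return False


class NetworkAcl:
    """Subnet level, allow and deny, stateless."""

    def __init__(self, rules):
        self.rules = sorted(rules, key=lambda r: r.number)

    def allows(self, pkt: Packet) -> bool:
        # Stateless: no flow table, so a reply is judged purely on its own.
        # Lowest rule number first; the first match decides.
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.action == "allow"
        return False  # the implicit final "*" rule denies everything else


CLIENT = "203.0.113.7"  # constructed client address (TEST-NET-3)
REQUEST = Packet("in", "tcp", CLIENT, 51515, 443)   # client:51515 -> instance:443
REPLY = Packet("out", "tcp", CLIENT, 51515, 443)    # instance:443 -> client:51515


def sg_https_only() -> tuple:
    """One inbound 443 rule on a security group: request and reply both pass."""
    sg = SecurityGroup([Rule("in", "tcp", 443, 443, "0.0.0.0/0")])
    return sg.allows(REQUEST), sg.allows(REPLY)


def nacl_https_only() -> tuple:
    """The same single rule on a NACL: the request passes, but the reply to the
    client's ephemeral port has no matching outbound allow and is dropped."""
    acl = NetworkAcl([Rule("in", "tcp", 443, 443, "0.0.0.0/0", number=100)])
    return acl.allows(REQUEST), acl.allows(REPLY)


def nacl_https_with_ephemeral() -> tuple:
    """The fix: an explicit outbound allow for the ephemeral port range."""
    acl = NetworkAcl([Rule("in", "tcp", 443, 443, "0.0.0.0/0", number=100),
                      Rule("out", "tcp", 1024, 65535, "0.0.0.0/0", number=100)])
    return acl.allows(REQUEST), acl.allows(REPLY)


def nacl_ordering(deny_number: int) -> bool:
    """A deny for one /24 only bites if its number is below the broad allow (200)."""
    acl = NetworkAcl([Rule("in", "tcp", 443, 443, "0.0.0.0/0", number=200),
                      Rule("in", "tcp", 443, 443, "198.51.100.0/24", "deny", deny_number)])
    return acl.allows(Packet("in", "tcp", "198.51.100.9", 40000, 443))
```

`sg_https_only()` returns `(True, True)` while `nacl_https_only()` returns `(True, False)`: the identical rule on a NACL silently breaks every HTTPS connection until the outbound ephemeral allow is added. `nacl_ordering(100)` blocks the 198.51.100.0/24 client and `nacl_ordering(300)` lets it through, which is why a deny rule that was added "after" the allow in the console does nothing.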
Slide 20
Easy Wins***
* Let’s be honest, nothing is easy at scale
** Within the bounds of the Pareto Principle
Slide 21
Pareto Principle
What it says: 80% of the consequences come from 20% of the causes.
Slide 22
Pareto Principle
What it means: you can get 80% of the results with 20% of the work!
Watch Out For Common Compromise Footholds
• Credential Exposure
• Metadata Service
• Managed Service Data Exposure
• Hosted Database Brute-force
• Workstation Compromise
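The "Metadata Service" foothold above is the one with the cheapest fix: an SSRF bug or a compromised process on an instance fetches the instance role's credentials from 169.254.169.254, and enforcing IMDSv2 (session tokens required) takes that path away from a bare SSRF. The check below is an added example, not code from the talk. It walks the structure that `aws ec2 describe-instances` (or boto3's `describe_instances`) returns; `SAMPLE_RESPONSE` is a constructed sample, the severity labels are this example's own convention, and the remediation strings use the `modify-instance-metadata-options` CLI command.

```python
"""Flag EC2 instances whose metadata service is still cheap to abuse. Added
example, not code from the talk: SAMPLE_RESPONSE is constructed in the shape of
an ec2 describe-instances response, and HIGH/MEDIUM/LOW are this example's labels."""

SAMPLE_RESPONSE = {
    "Reservations": [{"Instances": [
        {   # IMDSv1 still allowed on a box that holds a role: the classic SSRF target
            "InstanceId": "i-0aaa1111aaaa1111a",
            "IamInstanceProfile": {"Arn": "arn:aws:iam::123456789012:instance-profile/web"},
            "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional",
                                "HttpPutResponseHopLimit": 1},
        },
        {   # IMDSv2 enforced, but hop limit 2 lets containers on the box reach it
            "InstanceId": "i-0bbb2222bbbb2222b",
            "IamInstanceProfile": {"Arn": "arn:aws:iam::123456789012:instance-profile/worker"},
            "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required",
                                "HttpPutResponseHopLimit": 2},
        },
        {   # IMDSv1 allowed but no role attached: less to steal, still worth fixing
            "InstanceId": "i-0ccc3333cccc3333c",
            "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional",
                                "HttpPutResponseHopLimit": 1},
        },
        {   # metadata endpoint disabled entirely: nothing to flag
            "InstanceId": "i-0ddd4444dddd4444d",
            "IamInstanceProfile": {"Arn": "arn:aws:iam::123456789012:instance-profile/batch"},
            "MetadataOptions": {"HttpEndpoint": "disabled", "HttpTokens": "optional",
                                "HttpPutResponseHopLimit": 1},
        },
    ]}]
}


def imds_findings(response: dict) -> list:
    """Return (instance_id, severity, reason) for each weak IMDS configuration."""
    findings = []
    for reservation in response.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            iid = inst["InstanceId"]
            opts = inst.get("MetadataOptions", {})
            has_role = "IamInstanceProfile" in inst
            if opts.get("HttpEndpoint") == "disabled":
                continue  # nothing reachable at 169.254.169.254 on this instance
            if opts.get("HttpTokens") != "required":
                # IMDSv1 (plain GET, no session token) still works: a bare SSRF is enough.
                findings.append((iid, "HIGH" if has_role else "LOW",
                                 "IMDSv1 allowed (HttpTokens=optional)"))
            if has_role and opts.get("HttpPutResponseHopLimit", 1) > 1:
                # The IMDSv2 PUT response may cross an extra network hop, so containers
                # on the box (or anything it NATs for) can get a token and the role creds.
                findings.append((iid, "MEDIUM", "HttpPutResponseHopLimit > 1"))
    return findings


def remediation_commands(findings: list) -> list:
    """AWS CLI commands that enforce IMDSv2 or reset the hop limit, per finding."""
    cmds = []
    for iid, _, reason in findings:
        if reason.startswith("IMDSv1"):
            cmds.append(f"aws ec2 modify-instance-metadata-options --instance-id {iid} "
                        "--http-tokens required --http-endpoint enabled")
        else:
            cmds.append(f"aws ec2 modify-instance-metadata-options --instance-id {iid} "
                        "--http-put-response-hop-limit 1")
    return cmds


if __name__ == "__main__":
    found = imds_findings(SAMPLE_RESPONSE)
    for finding in found:
        print(finding)
    for cmd in remediation_commands(found):
        print(cmd)
```

Before forcing `--http-tokens required` fleet-wide, confirm that the software on the instance (SDK versions, agents, anything that scrapes metadata with a plain GET) already speaks IMDSv2; the per-instance `MetadataNoToken` CloudWatch metric shows whether IMDSv1 calls are still being made.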
Slide 43
Easy AWS Security Wins
Enable and configure provided security services
Take advantage of accounts as segmentation boundaries
Practice least privilege (and get a handle on IAM)
Minimize external exposure
Audit and secure configuration
IAM best practices (MFA :)! Logging :)!)
Watch out for common compromise footholds
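The IAM items in the list above (MFA, least privilege, credential hygiene) are the ones that can be checked in one pass over the IAM credential report. The audit below is an added example, not code from the talk: it parses the CSV that `aws iam get-credential-report` returns and assumes the column names shown in `SAMPLE_REPORT`, which is a constructed report rather than real account data. It flags console users without MFA, a root account without MFA or with access keys, and active access keys that have never been used or have been idle for 90 days.

```python
"""Audit an IAM credential report for the easy wins above. Added example, not
code from the talk; SAMPLE_REPORT is constructed and the column names are the
report's CSV headers as this example assumes them."""
import csv
import io
from datetime import datetime, timedelta, timezone

STALE_AFTER = timedelta(days=90)
SAMPLE_NOW = datetime(2023, 2, 15, tzinfo=timezone.utc)  # fixed "today" for the sample

# Constructed sample in the credential report's CSV layout (first two key sets shown).
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service
<root_account>,arn:aws:iam::123456789012:root,2019-01-01T00:00:00+00:00,not_supported,2023-01-15T09:00:00+00:00,not_supported,not_supported,false,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A
alice,arn:aws:iam::123456789012:user/alice,2020-03-02T00:00:00+00:00,true,2023-02-01T08:00:00+00:00,2022-12-01T00:00:00+00:00,N/A,true,true,2022-12-01T00:00:00+00:00,2023-02-01T08:00:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A
bob,arn:aws:iam::123456789012:user/bob,2020-03-02T00:00:00+00:00,true,2023-02-01T08:00:00+00:00,2022-12-01T00:00:00+00:00,N/A,false,true,2021-01-01T00:00:00+00:00,2022-06-01T00:00:00+00:00,us-east-1,ec2,false,N/A,N/A,N/A,N/A
deploy-bot,arn:aws:iam::123456789012:user/deploy-bot,2021-05-05T00:00:00+00:00,false,no_information,N/A,N/A,false,true,2021-05-05T00:00:00+00:00,2023-02-10T00:00:00+00:00,us-east-1,ecr,true,2021-05-05T00:00:00+00:00,N/A,N/A,N/A
"""


def parse_time(value: str):
    """Cells hold ISO-8601 timestamps or one of N/A, no_information, not_supported."""
    try:
        return datetime.fromisoformat(value)
    except ValueError:
        return None


def audit(report_csv: str, now: datetime) -> list:
    """Return (user, finding) pairs for the weak spots in a credential report."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        if user == "<root_account>":
            # Root reports password_enabled=not_supported, so it gets its own checks.
            if row["mfa_active"] != "true":
                findings.append((user, "root account has no MFA"))
            for key in ("access_key_1", "access_key_2"):
                if row[f"{key}_active"] == "true":
                    findings.append((user, f"root account has an active {key}"))
            continue
        if row["password_enabled"] == "true" and row["mfa_active"] != "true":
            findings.append((user, "console password without MFA"))
        for key in ("access_key_1", "access_key_2"):
            if row[f"{key}_active"] != "true":
                continue
            last_used = parse_time(row[f"{key}_last_used_date"])
            if last_used is None:
                findings.append((user, f"{key} is active but has never been used"))
            elif now - last_used > STALE_AFTER:
                findings.append((user, f"{key} unused since {last_used.date()}"))
    return findings


def sample_findings() -> list:
    return audit(SAMPLE_REPORT, SAMPLE_NOW)


if __name__ == "__main__":
    for user, finding in sample_findings():
        print(f"{user}: {finding}")
```

Against a real account, run `aws iam generate-credential-report`, then `aws iam get-credential-report --query Content --output text | base64 -d > report.csv`, and call `audit()` on that text with `datetime.now(timezone.utc)`. The report is regenerated at most every four hours, so a freshly rotated key can still show its old state.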
Slide 44
Slide 45
Enterprise Scale
Slide 46
Technical & Political
Slide 47
Political
• Pave the road
• Billing (is a strong lever)
• Remove responsibilities [1]
[1] One good example of this is the Mozilla Security CloudTrail Storage System