Slide 1

Slide 1 text

Amazon Web Services Security: Easy Wins and Enterprise Scale
Rami McCarthy (@ramimacisabird)

Slide 2

Slide 2 text

Rami McCarthy
Senior Security Consultant, NCC Group
Penetration Tester (applications, clouds, code, etc.)
AWS Certified Security - Specialty, CCSKv4
Creator:
Contributor:

Slide 3

Slide 3 text

Easy Wins / Enterprise Scale

Slide 4

Slide 4 text

The Cloud

Slide 5

Slide 5 text

No content

Slide 6

Slide 6 text

Why?

Slide 7

Slide 7 text

No content

Slide 8

Slide 8 text

Key Concepts

Slide 9

Slide 9 text

IAM

Slide 10

Slide 10 text

Principals
• IAM Users
• Groups
• Roles

Slide 11

Slide 11 text

Principals, IAM Policies

Slide 12

Slide 12 text

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "ec2:*",
      "Resource": "*"
    }
  ]
}

Slide 13

Slide 13 text

Principals, IAM Policies, Credentials

Slide 14

Slide 14 text

please don’t share yours
• Console Access
• Programmatic Access
• Assumable Roles

Slide 15

Slide 15 text

IAM Policy Evaluation

Slide 16

Slide 16 text

IAM Policy Master

Slide 17

Slide 17 text

Follow up: An AWS IAM Security Tooling Reference
https://ramimac.me/cloudsec/security/aws-iam-tool-reference/

Slide 18

Slide 18 text

Networking

Slide 19

Slide 19 text

Networking
• VPC (Virtual Private Cloud): Logically isolated virtual network
• Subnets: A range of IP addresses within the VPC
• Security Groups: Allow firewall rules at the networking interface level
• NACLs: Allow/Deny firewall rules at the subnet level

Security Groups | NACLs
Instance level | Subnet level
Allow rules only | Allow and deny rules
Stateful: return traffic allowed automatically | Stateless: return traffic requires explicit allow
All rules are evaluated | Rules are evaluated in order
Must be applied to specific instances | Automatically applies to all instances in subnet
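As an added example (not from the deck): a Python model of the three differences in the table above, allow-only versus allow/deny, all-rules versus first-match ordering, and stateful versus stateless, shown on a client connecting to port 443. The rule sets and addresses are constructed sample values.

```python
import ipaddress

# Constructed sample rules (not from the deck).  A security group carries
# allow rules only: (protocol, from_port, to_port, cidr).
SG_INBOUND = [("tcp", 443, 443, "0.0.0.0/0")]
# A NACL carries numbered allow/deny rules: (number, effect, protocol, from, to, cidr).
NACL_INBOUND = [
    (90, "deny", "tcp", 22, 22, "203.0.113.0/24"),
    (100, "allow", "tcp", 443, 443, "0.0.0.0/0"),
    (110, "allow", "tcp", 22, 22, "203.0.113.0/24"),  # never reached: rule 90 matches first
]
# Outbound NACL that forgot the ephemeral port range clients use for replies...
NACL_OUTBOUND_INCOMPLETE = [(100, "allow", "tcp", 443, 443, "0.0.0.0/0")]
# ...and the corrected version.
NACL_OUTBOUND_FIXED = NACL_OUTBOUND_INCOMPLETE + [(110, "allow", "tcp", 1024, 65535, "0.0.0.0/0")]

def _hit(proto, lo, hi, cidr, pkt_proto, pkt_port, pkt_ip):
    return (proto == pkt_proto and lo <= pkt_port <= hi
            and ipaddress.ip_address(pkt_ip) in ipaddress.ip_network(cidr))

def sg_allows(rules, proto, port, ip):
    """Security group: every rule is evaluated, any match allows."""
    return any(_hit(p, lo, hi, c, proto, port, ip) for p, lo, hi, c in rules)

def nacl_allows(rules, proto, port, ip):
    """NACL: rules are evaluated in number order and the first match decides;
    nothing matching is the implicit final deny."""
    for _num, effect, p, lo, hi, c in sorted(rules):
        if _hit(p, lo, hi, c, proto, port, ip):
            return effect == "allow"
    return False

def connection_succeeds(sg_in, nacl_in, nacl_out, client_ip, dst_port, client_port):
    """A TCP connection needs the request to get in and the reply to get out.
    The security group is stateful, so the reply is allowed automatically and
    no outbound SG rule is consulted.  The NACL is stateless, so the reply
    (to the client's ephemeral port) must match an outbound rule on its own."""
    request_ok = (sg_allows(sg_in, "tcp", dst_port, client_ip)
                  and nacl_allows(nacl_in, "tcp", dst_port, client_ip))
    reply_ok = nacl_allows(nacl_out, "tcp", client_port, client_ip)
    return request_ok and reply_ok
```

With the incomplete outbound NACL the request is admitted but the reply is dropped, which is the classic "it worked with only a security group" symptom of forgetting that NACLs are stateless.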

Slide 20

Slide 20 text

Easy Wins***
* Let’s be honest, nothing is easy at scale
** Within the bounds of the Pareto Principle

Slide 21

Slide 21 text

Pareto Principle
What it says: 80% of the consequences come from 20% of the causes

Slide 22

Slide 22 text

Pareto Principle
What it means: You can get 80% of the results with 20% of the work!

Slide 23

Slide 23 text

Security Services

Slide 24

Slide 24 text

Security Services: Artifact, Inspector, GuardDuty, Trusted Advisor, Config, CloudWatch, CloudTrail, Security Hub

Slide 25

Slide 25 text

Security Services: Artifact
AWS Artifact is a repository of AWS’ compliance reports

Slide 26

Slide 26 text

Security Services: Inspector
AWS Inspector is a vulnerability scanner for your EC2 instances

Slide 27

Slide 27 text

Security Services: GuardDuty
AWS GuardDuty is an IDS for your AWS account

Slide 28

Slide 28 text

No content

Slide 29

Slide 29 text

Security Services: Security Hub
AWS Security Hub is a single pane for your security alerts

Slide 30

Slide 30 text

No content

Slide 31

Slide 31 text

Security Services: Config
AWS Config is a configuration monitoring and governance tool

Slide 32

Slide 32 text

Security Services: CloudWatch
AWS CloudWatch is a monitoring and observability service

Slide 33

Slide 33 text

Security Services: CloudTrail
AWS CloudTrail is a logging, monitoring, and event history center

Slide 34

Slide 34 text

Security Services: Trusted Advisor
AWS Trusted Advisor is a set of guidance on best practices (security, and beyond)

Slide 35

Slide 35 text

No content

Slide 36

Slide 36 text

Security Services: Artifact, Inspector, GuardDuty, Trusted Advisor, Config, CloudWatch, CloudTrail, Security Hub

Slide 37

Slide 37 text

Account Best Practices

Slide 38

Slide 38 text

Account Configuration: ScoutSuite

Slide 39

Slide 39 text

No content

Slide 40

Slide 40 text

No content

Slide 41

Slide 41 text

Account Segmentation
Least Privilege (Pareto)
External Exposure (Pareto): aws_exposable_resources
https://github.com/SummitRoute/aws_exposable_resources

Slide 42

Slide 42 text

Watch Out For Common Compromise Footholds
• Credential Exposure
• Metadata Service
• Managed Service Data Exposure
• Hosted Database Brute-force
• Workstation Compromise
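Two defender-side checks for the first two footholds in the list, added here as an example (not from the deck): a scan for AWS access keys committed to text such as a credentials file, and a check of EC2 metadata options for instances that still serve IMDSv1 (no session token required). The config text and instance records are constructed; the key pair is the placeholder pair AWS uses in its documentation.

```python
import re

# Well-known AWS access key formats: long-term key IDs begin with AKIA and
# temporary (STS) key IDs with ASIA; secret keys are 40 base64-style characters.
ACCESS_KEY_RE = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
SECRET_KEY_RE = re.compile(
    r"(?i)aws_secret_access_key\s*[=:]\s*['\"]?([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])")

def find_exposed_credentials(text):
    """Return (line_number, kind) for each line that looks like it carries an
    AWS key, the check a pre-commit hook or repository scanner would run."""
    findings = []
    for number, line in enumerate(text.splitlines(), start=1):
        if ACCESS_KEY_RE.search(line):
            findings.append((number, "access_key_id"))
        if SECRET_KEY_RE.search(line):
            findings.append((number, "secret_access_key"))
    return findings

def instances_allowing_imdsv1(describe_instances_response):
    """Return the IDs of instances whose metadata endpoint is enabled but does
    not require a session token (HttpTokens != 'required'), i.e. still serve
    IMDSv1.  The input has the shape of the EC2 DescribeInstances response."""
    weak = []
    for reservation in describe_instances_response.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            opts = inst.get("MetadataOptions", {})
            if opts.get("HttpEndpoint", "enabled") == "enabled" and opts.get("HttpTokens") != "required":
                weak.append(inst["InstanceId"])
    return weak

# Constructed sample inputs.  The key pair is the placeholder pair AWS uses in
# its own documentation, not a real credential.
SAMPLE_CONFIG = """[default]
region = us-east-1
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
"""
SAMPLE_INSTANCES = {"Reservations": [{"Instances": [
    {"InstanceId": "i-0000000000000001", "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional"}},
    {"InstanceId": "i-0000000000000002", "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required"}},
    {"InstanceId": "i-0000000000000003", "MetadataOptions": {"HttpEndpoint": "disabled", "HttpTokens": "optional"}},
]}]}
```

In a real account the second function would be fed the output of a DescribeInstances call per region; the remediation is to set HttpTokens to required (IMDSv2 only) on the flagged instances.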

Slide 43

Slide 43 text

Easy AWS Security Wins
• Enable and configure provided security services
• Take advantage of accounts as segmentation boundaries
• Practice least privilege (and get a handle on IAM)
• Minimize external exposure
• Audit and secure configuration
• IAM best practices (MFA :)! Logging :)!)
• Watch out for common compromise footholds

Slide 44

Slide 44 text

No content

Slide 45

Slide 45 text

Enterprise Scale

Slide 46

Slide 46 text

Technical & Political

Slide 47

Slide 47 text

Political
• Pave the road
• Billing (is a strong lever)
• Remove responsibilities[1]
[1] One good example of this is the Mozilla Security CloudTrail Storage System

Slide 48

Slide 48 text

No content

Slide 49

Slide 49 text

Multi-Account Architecture

Slide 50

Slide 50 text

Multi-account

Slide 51

Slide 51 text

Multi-account: AWS Organizations*
* https://aws.amazon.com/organizations/getting-started/best-practices/

Slide 52

Slide 52 text

No content

Slide 53

Slide 53 text

Multi-account

Slide 54

Slide 54 text

AWS Organizations - Services
• CloudTrail
• Config
• GuardDuty
• IAM
• Security Hub
• Trusted Advisor

Slide 55

Slide 55 text

Visibility

Slide 56

Slide 56 text

The vendor model

Slide 57

Slide 57 text

The vendor model

Slide 58

Slide 58 text

The home-grown model

Slide 59

Slide 59 text

Case Study: Antiope (Chris Farris, Warner Media)

Slide 60

Slide 60 text

The service desk model

Slide 61

Slide 61 text

Governance

Slide 62

Slide 62 text

Least Privilege (100%)

Slide 63

Slide 63 text

Access Advisor

Slide 64

Slide 64 text

Access Analyzer

Slide 65

Slide 65 text

Policy Sentry

Slide 66

Slide 66 text

Repokid

Slide 67

Slide 67 text

Secrets Management

Slide 68

Slide 68 text

Secrets Management

Slide 69

Slide 69 text

https://www.youtube.com/watch?v=Y3Gn_iP3FlE

Slide 70

Slide 70 text

Logging, Monitoring, Alerting
http://london-summit-slides-2017.s3.amazonaws.com/11.50%20-%20Security-at-Scale-with-AWS.pdf

Slide 71

Slide 71 text

No content

Slide 72

Slide 72 text

Preparing for Incident Response
Logging/Monitoring/Alerting

Slide 73

Slide 73 text

Logging/Monitoring/Alerting

Slide 74

Slide 74 text

Tagging

Slide 75

Slide 75 text

Tagging
https://docs.aws.amazon.com/general/latest/gr/aws_tagging.html#tag-categories

Slide 76

Slide 76 text

Tagging
• Consistency
• Less can be more
• Tag-based access control
• Automation
• Cost Exploration

Slide 77

Slide 77 text

Enterprise Scale AWS Security
• Plan the politics
• Multi-account architecture: AWS Organizations
• Visibility
• Governance
• Least Privilege (100%)
• Logging, Monitoring, Alerting
• Preparing for incident response
• Tagging

Slide 78

Slide 78 text

Resources
• https://research.nccgroup.com/2020/04/24/the-extended-aws-security-ramp-up-guide/
• https://medium.com/swlh/so-you-inherited-an-aws-account-e5fe6550607d
• https://summitroute.com/blog/2020/05/21/aws_security_maturity_roadmap_2020/
• https://disruptops.com/stop-todays-top-10-cloud-attack-killchains/

Slide 79

Slide 79 text

References
• https://duo.com/blog/beyond-s3-exposed-resources-on-aws
• https://blog.coinbase.com/you-need-more-than-one-aws-account-aws-bastions-and-assume-role-23946c6dfde3
• http://london-summit-slides-2017.s3.amazonaws.com/11.50%20-%20Security-at-Scale-with-AWS.pdf
• https://d1.awsstatic.com/whitepapers/aws-tagging-best-practices.pdf
• https://www.youtube.com/watch?v=YQsK4MtsELU (IAM policy master)
• https://ramimac.me/cloudsec/security/aws-iam-tool-reference/
• https://github.com/nccgroup/ScoutSuite
• https://github.com/SummitRoute/aws_exposable_resources
• https://www.blackhillsinfosec.com/wp-content/uploads/2020/05/Breaching-the-Cloud-Perimeter-Slides.pdf
• https://twitter.com/forrestbrazeal/status/1138088894250070017?s=20