Introduction of the AWS Security Best Practices Usage Survey Report I'm going to hit the best practices in the neighborhood ˒ Security-JAWS Management - Hirokazu Yoshida BSides Tokyo 2024 / 2024.3.30

AWSηΩϡϦςΟͷ ϕετϓϥΫςΟεʹؔ͢Δ ར༻࣮ଶௐࠪͷϨϙʔτͷ঺հ ಥܸ˒ྡͷϕετϓϥΫςΟε Security-JAWSӡӦ - ٢ాͻΖ͔ͣ BSides Tokyo 2024 / 2024.3.30

Today's Speaker Materials • I will be speaking in Japanese, but most of what I say is written in the materials, so please enjoy looking at the materials at hand. https://bit.ly/sjaws-bsidestokyo-2024

Who am I !? Hirokazu Yoshida @ CloudNative Inc. Job : Security Engineer & Director Community : Security-JAWS Certi fi cation : ɹɹɹPIIP Recent work : ɹData Governance / Privacy / Security

What are : Security-JAWS ɹJapan AWS User Group ɹSecurity Specialty Chapters Community Size : 4,207 ɹThat’s a number of Security-JAWS ɹMember since 2016! ɹɹ(500+ people than last year)

What are : Objectives of Security JAWS Security is an important factor in utilizing Amazon Web Services (AWS). The purpose of Security-JAWS is to share information on how specialists in various fi elds such as attacks, auditing, and authentication are using AWS to make it even more secure.

What are : Security JAWS ͷ໨త Amazon Web Services(ҎԼAWS)Λ׆༻͢Δ ্ͰηΩϡϦςΟ͸ॏཁͳཁૉͰ͢ɻ Security-JAWSͰ͸ɺ߈ܸɺ؂ࠪɺೝূͳ Ͳɺ༷ʑͳ෼໺ͷεϖγϟϦετୡ͕ɺͲͷ Α͏ʹͯ͠AWSΛ׆༻͍ͯ͠Δͷ͔৘ใΛ ڞ༗͠ɺΑΓҰ૚AWSΛ҆શʹ࢖͑ΔΑ͏ʹ ͍ͯ͘͜͠ͱΛ໨తͱ͍ͯ͠·͢ɻ

What are : 4 regular study sessions a year ɹɹ32nd in February 2024 Held irregularly ɹCollaborative study sessions with ɹother JAWS chapters ɹCTF and hands-on training sessions ɹ2 Days Event (#30 Special Event)

Activities and roadmap for the past year 1 3 5 6 4 2 02: Security-JAWS#28 with NISC 02: Release AWS Security Best Practices Usage Survey Report (Japanese) 03: AWS Security and Risk Management Forum 08: two AWS Security Hero are born from Security-JAWS 08: Security-JAWS#30 (Security JAWS DAYS “Conference Day” & “CTF Day”) 02: Security-JAWS#32 02: AWS Security Best Practices Usage Survey Report targeting Korians (Japanese) 03: mini Security-JAWS Start 04: Release AWS Security Best Practices Usage Survey Report (English) 05: Security-JAWS#29 10: Contribute to AWS Builders Flash 10: Award Winner “APJ User Group of the Year” at APJ Community Leaders Summit 2023 11: Security-JAWS#27 12: SecHack365 05: Security-JAWS#33 ??: Secret Collaboration 2023Q1 08: Security-JAWS#34 7 2023Q2 2023Q3 2023Q4 2024Q1 2024Q2 2024Q3~

2023/10: Award Winner “APJ User Group of the Year” at APJ Community Leaders Summit 2023

Here's what we're introducing today

Here's what we're introducing today

Activities and roadmap for the past year 1 3 5 6 4 2 02: Security-JAWS#28 with NISC 02: Release AWS Security Best Practices Usage Survey Report (Japanese) 03: AWS Security and Risk Management Forum 08: two AWS Security Hero are born from Security-JAWS 08: Security-JAWS#30 (Security JAWS DAYS “Conference Day” & “CTF Day”) 02: Security-JAWS#32 02: AWS Security Best Practices Usage Survey Report targeting Korians (Japanese) 03: mini Security-JAWS Start 04: Release AWS Security Best Practices Usage Survey Report (English) 05: Security-JAWS#29 10: Contribute to AWS Builders Flash 10: Award Winner “APJ User Group of the Year” at APJ Community Leaders Summit 2023 11: Security-JAWS#27 12: SecHack365 05: Security-JAWS#33 ??: Secret Collaboration 2023Q1 08: Security-JAWS#34 7 2023Q2 2023Q3 2023Q4 2024Q1 2024Q2 2024Q3~

No content

Today’s Agenda • Introduction ~ Report Summary • Excerpts from the Japanese survey results • Korea-Japan Comparison • General Comments and Recommendations • FAQ

Today’s Agenda • Introduction ~ Report Summary • Excerpts from the Japanese survey results • Korea-Japan Comparison • General Comments and Recommendations • FAQ

Always felt a gap

There are many security best practices available from AWS. However, there is a persistent call for best practices to be shared.

Report Summary

Report Summary

We got a lot of cooperation. • Security-JAWS#22 participants • OWASP WASNight 2022 Spring • JAWS Core Members Slack • SNS ( X, facebook, LinkedIn etc…)

We got a lot of cooperation. • Security-JAWS#22 participants • OWASP WASNight 2022 Spring • JAWS Core Members Slack • SNS ( X, facebook, LinkedIn etc…) It is possible that this survey was answered by people who are relatively security-conscious.

Report Summary

Aim of the Question Structure • To ensure comprehensiveness, the questions are based on security best practices for each pillar of the AWS Well- Architected Framework. • Survey respondents can expect to gain insight and understanding of best practices by answering the questions.

Aim of the Question Structure • ઃ໰͸ɺ໢ཏੑΛ୲อ͢ΔͨΊʹɺ AWS Well-Architected Frameworkͷ֤பͷ ηΩϡϦςΟϕετϓϥΫςΟεΛ୊ࡐ͍ͯ͠Δ • Ξϯέʔτճ౴ऀ͸ɺઃ໰ʹճ౴͢Δ͜ͱͰɺϕετϓϥΫ ςΟε΁ͷཧղ΍ؾ͖ͮΛಘΒΕΔ͜ͱ͕ظ଴Ͱ͖Δߏ੒

What is AWS Well-Architected Framework? • It provides consistent best practices for evaluating the architecture and questions to assess how well the architecture adheres to AWS best practices. • The pillars of the AWS Well- Architected Framework Operational excellence Security Reliability Performance ef fi ciency Cost optimization Sustainability Identity and access management Detection Infrastructure protection Data protection Incident response https://docs.aws.amazon.com/wellarchitected/latest/framework/welcome.html

What is AWS Well-Architected Framework? • ΞʔΩςΫνϟΛධՁ͢ΔͨΊͷҰ؏ͨ͠ϕετϓϥΫςΟε ΍ɺΞʔΩςΫνϟ͕ AWS ͷϕετϓϥΫςΟεʹͲΕ͚ͩ ४ڌ͍ͯ͠Δͷ͔ΛධՁ͢ΔͨΊͷ࣭໰Λఏڙ͍ͯ͠·͢ɻ • ϑϨʔϜϫʔΫͷப ӡ༻ͷ༏लੑ ηΩϡϦςΟ ৴པੑ ύϑΥʔϚϯεޮ཰ ίετ࠷దԽ αεςΟφϏϦςΟ IDͱΞΫηε؅ཧ ݕ஌ ΠϯϑϥετϥΫνϟอޢ σʔλอޢ ΠϯγσϯτରԠ https://docs.aws.amazon.com/ja_jp/wellarchitected/latest/framework/welcome.html

Report Summary n = 162

Trends in Attributes of Survey Respondents • The number of responses, 162, is not an extremely small number to assess trends and tendencies among AWS users. • Note that there is some bias in terms of company size, industry, and role of respondents.

Trends in Attributes of Survey Respondents • ճ౴਺͸162Ͱ͋ΓɺAWSϢʔβʔͷ܏޲΍܏޲Λ೺Ѳ͢Δ্ Ͱ͸ۃ୺ʹগͳ͍਺Ͱ͸ͳ͍ɻ • ͳ͓ɺճ౴ऀͷاۀن໛ɺۀछɺ໾ׂʹ͸एׯͷภΓ͕͋Δɻ

Report Summary • Over 130 pages. • 30 questions analyzed from multiple perspectives, 20 interesting trends for 16 questions. • Security-JAWS recommendations based on the insights gained from the analysis.

Report Summary • 130ϖʔδ௒ͷେϘϦϡʔϜ • 30ͷઃ໰Λෳ਺ͷ؍఺Ͱ෼ੳ͠ɺ 16ͷઃ໰ʹରͯ͠ڵຯਂ͍܏޲͕ݟΒΕͨ20ͷ෼ੳ݁ՌΛܝࡌ • ෼ੳͰಘΒΕͨಎ࡯Λ΋ͱʹɺSecurity-JAWS͔ΒͷఏݴΛ ·ͱΊͯ·͢

Today’s Agenda • Introduction ~ Report Summary • Excerpts from the Japanese survey results • Korea-Japan Comparison • General Comments and Recommendations • FAQ

No content

No content

No content

About each document • FSBP is a list of controls provided by the AWS Security Hub. • AWS Security Best Practices is a collection of archived security best practices. It is not wrong to refer to them, but it is recommended to catch up on the latest best practices as well. • CAF outlines a framework for cloud deployments, which will be covered in detail in the AWS consultation.

About each document • FSBP͸ɺݱࡏ͸AWS Security Hub͕ఏڙ͢ΔίϯτϩʔϧͷϦετ • AWS Security Best Practices͸ɺΞʔΧΠϒ͞ΕͨηΩϡϦςΟϕε τϓϥΫςΟεूɻࢀর͢Δͷ͸ؒҧ͍ͬͯͳ͍͕ɺ࠷৽ͷϕετϓ ϥΫςΟε΋ΩϟονΞοϓ͢Δ͜ͱΛਪ঑͢Δɻ • CAF͸ɺΫϥ΢υಋೖʹ͓͚ΔϑϨʔϜϫʔΫͷ֓ཁΛࣔ͢ AWSʹΑΔίϯαϧςΟϯάʹͯͦͷৄࡉ͕ѻΘΕΔ

No content

No content

No content

No content

No content

No content

No content

No content

No content

No content

Today’s Agenda • Introduction ~ Report Summary • Excerpts from the Japanese survey results • Korea-Japan Comparison • General Comments and Recommendations • FAQ

Report Summary n = 22 Security Policy Of fi cer The number of responses is very small and does not provide an accurate picture of the actual status of AWS users as a whole. Note that there are some biases in terms of company size, industry, and roles of respondents.

Korea Japan AWS account is created from AWS Organizations AWS Organizations' Service Control Policy (SCP) prohibits dangerous operations. Using prede fi ned rule sets, such as AWS Control Tower guardrail settings and Baseline Environment on AWS. AWS account is created from AWS Organizations AWS Organizations' Service Control Policy (SCP) prohibits dangerous operations. Using prede fi ned rule sets, such as AWS Control Tower guardrail settings and Baseline Environment on AWS.

Please select the initiatives for applying "preventive Control” in the AWS environment. • In Korea, 30% of organizations responding to the survey create AWS accounts using AWS Organization, but little control is exercised by organizations of any size using Service Control Policy (SCP) or AWS Control Tower In Japan, the survey was completed by a number of organizations. • In Japan, half of the organizations that responded to the survey created accounts with AWS Organization, and about half of them use SCP or AWS Control Tower to control their AWS accounts.

glossary • AWS Organizations provides the ability to manage AWS accounts used by an organization. • Service Control Policy (SCP) provides centralized control over permissions and maximum available permissions for AWS accounts managed in AWS Organizations. • AWS ControlTower applies preventive and detective controls (guardrails) to AWS accounts managed in AWS Organizations to ensure that organizations and accounts do not deviate from best practices. https://docs.aws.amazon.com/organizations/latest/userguide/orgs_integrate_services_list.html https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html https://docs.aws.amazon.com/organizations/latest/userguide/services-that-can-integrate-CTower.html

glossary • AWS Organizations͸ɺ૊৫Ͱར༻͢ΔAWSΞΧ΢ϯτΛ؅ཧ͢ΔػೳΛఏڙ͢Δ • Service Control Policy (SCP) ͸ɺAWS OrganizationsͰ؅ཧ͢ΔAWSΞΧ΢ϯτ ʹରͯ͠ɺڐՄ΍࢖༻Մೳͳ࠷େΞΫηεڐՄΛҰݩతʹ੍ޚ͢Δ • AWS ControlTower͸ɺAWS OrganizationsͰ؅ཧ͢ΔAWSΞΧ΢ϯτʹରͯ͠ɺ ༧๷త͓Αͼݕग़త੍ޚ (ΨʔυϨʔϧ) Λద༻͠ɺ૊৫ͱΞΧ΢ϯτ͕ϕετϓϥ ΫςΟε͔Βҳ୤͠ͳ͍Α͏ʹ͢Δ https://docs.aws.amazon.com/organizations/latest/userguide/orgs_integrate_services_list.html https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html https://docs.aws.amazon.com/organizations/latest/userguide/services-that-can-integrate-CTower.html

Preventative controls • Preventative controls are security controls that are designed to prevent an event from occurring. • Objective Segregation of duties – Preventative controls can establish logical boundaries that limit privileges, allowing permissions to perform only speci fi c tasks in designated accounts or environments. Access control – Preventative controls can consistently grant or deny access to resources and data in the environment. Enforcement – Preventative controls can help your company adhere to its policies, guidelines, and standards. https://docs.aws.amazon.com/prescriptive-guidance/latest/aws-security-controls/preventative-controls.html

Preventative controls • ༧๷త౷੍͸ɺΠϕϯτͷൃੜΛ๷͙Α͏ʹઃܭ͞Εͨ ηΩϡϦςΟ੍ޚͰ͢ɻ • ໨త ৬຿ͷ෼཭ – ༧๷త੍ޚʹΑΓɺಛݖΛ੍ݶ͢Δ࿦ཧڥքΛཱ֬͠ɺࢦఆ͞ ΕͨΞΧ΢ϯτ·ͨ͸؀ڥͰಛఆͷλεΫͷΈΛ࣮ߦ͢ΔݖݶΛڐՄͰ͖· ΞΫηε੍ޚ – ༧๷੍ޚʹΑΓɺ؀ڥ಺ͷϦιʔε͓Αͼσʔλ΁ͷΞΫη εΛҰ؏ͯ͠ڐՄ·ͨ͸ڋ൱Ͱ͖·͢ɻ ࢪߦ – ༧๷؅ཧ͸ɺاۀ͕ϙϦγʔɺΨΠυϥΠϯɺج४Λ९क͢Δͷʹ໾ ཱͪ·͢ɻ https://docs.aws.amazon.com/prescriptive-guidance/latest/aws-security-controls/preventative-controls.html

Korea Japan

Please select which AWS services you use as “detective controls" • In South Korea, organizations are implementing heuristic controls mainly with AWS CloudTrail logs and Amazon Cloudwatch, but services that can be used simply by enabling them, such as Amazon GuardDuty and AWS Security Hub, were low. • In Japan, Amazon GuardDuty was used by 60% of respondents, and AWS Security Hub was used by more than 30% of organizations.

glossary • GuardDuty combines machine learning (ML), anomaly detection, and malicious fi le discovery, using both AWS and industry-leading third-party sources to help protect your AWS accounts, workloads, and data. • GuardDuty is capable of analyzing tens of billions of events across multiple AWS data sources. • including AWS CloudTrail logs, Amazon VPC Flow Logs, and DNS query logs.Amazon S3 data events, Amazon Aurora login events, and runtime activity for Amazon EKS, and Amazon ECS, AWS Fargate. https://aws.amazon.com/guardduty/features/

glossary • GuardDuty ͸ɺAWS ͱۀքΛϦʔυ͢ΔαʔυύʔςΟʔͷ྆ํͷιʔε Λ࢖༻ͯ͠ɺػցֶशɺҟৗݕ஌ɺωοτϫʔΫϞχλϦϯάɺѱҙͷ͋Δ ϑΝΠϧͷݕग़Λ૊Έ߹ΘͤͯɺAWS ্ͷϫʔΫϩʔυͱσʔλͷอޢΛࢧ ԉ͢Δ • GuardDuty ͸ɺAWS CloudTrail ϩάɺVPC Flow LogsɺAmazon EKS ؂ࠪ ϩά͓ΑͼγεςϜϨϕϧϩάɺDNS ΫΤϦϩάͳͲɺෳ਺ͷ AWS σʔλ ιʔεશମͰԿඦԯ݅΋ͷΠϕϯτΛ෼ੳ͢Δ https://aws.amazon.com/guardduty/features/

Detective controls • Detective controls are security controls that are designed to detect, log, and alert after an event has occurred. • Objective Detective controls help you improve security operations processes and quality processes. Detective controls help you meet regulatory, legal, or compliance obligations. Detective controls provide security operations teams with visibility to respond to security issues, including advanced threats that bypass the preventative controls. https://docs.aws.amazon.com/prescriptive-guidance/latest/aws-security-controls/detective-controls.html Detective controls can help you identify the appropriate response to security issues and potential threats.

Detective controls • ൃݟత౷੍͸ɺΠϕϯτͷൃੜޙʹݕग़ɺه࿥ɺܯࠂ͢ΔΑ͏ ʹઃܭ͞ΕͨηΩϡϦςΟ੍ޚͰ͢ɻ • ໨త ݕग़੍ޚ͸ɺηΩϡϦςΟӡ༻ϓϩηεͱ඼࣭ϓϩηεͷվળʹ໾ཱͪ·͢ɻ ݕग़੍ޚ͸ɺن੍ɺ๏཯ɺ·ͨ͸ίϯϓϥΠΞϯεͷٛ຿ΛՌͨ͢ͷʹ໾ཱͪ·͢ɻ ݕग़੍ޚʹΑΓɺηΩϡϦςΟӡ༻νʔϜ͸ɺ༧๷੍ޚΛճආ͢Δߴ౓ͳڴҖͳͲͷηΩϡϦ ςΟ໰୊ʹରԠ͢ΔͨΊͷՄࢹੑΛఏڙ͠·͢ɻ https://docs.aws.amazon.com/prescriptive-guidance/latest/aws-security-controls/detective-controls.html ݕग़੍ޚ͸ɺηΩϡϦςΟ໰୊΍જࡏతͳڴҖʹର͢Δద੾ͳରԠΛಛఆ͢Δͷʹ໾ཱͪ· ͢ɻ

Today’s Agenda • Introduction ~ Report Summary • Excerpts from the Japanese survey results • Korea-Japan Comparison • General Comments and Recommendations • FAQ

General Comments and Recommendations • Through the results of the questionnaire, some of the items taken up as best practices showed a high implementation rate regardless of business scale or industry. • On the other hand, even if it was listed as a best practice, the parts that were considered dif fi cult and the parts where the method was not widely used were generally low.

• Ξϯέʔτ݁ՌΛ௨ͯ͡ɺϕετϓϥΫςΟεͱͯ͠औΓ্͛ ΒΕΔ߲໨ͷҰ෦ʹ͍ͭͯ͸ɺࣄۀن໛ɾۀछ໰Θ࣮ͣࢪ཰͕ ߴ͍݁ՌͰ͋ͬͨɻ • ҰํͰɺϕετϓϥΫςΟεʹڍ͛ΒΕ͍ͯΔ΋ͷͰ΋ɺ೉͠ ͍ͱߟ͑ΒΕ͍ͯΔ෦෼΍ɺ΍Γํ͕ීٴ͍ͯ͠ͳ͍෦෼͸ɺ ૯ͯ͡௿ௐͰ͋ͬͨɻ General Comments and Recommendations

• From the perspective of data governance and data management, the next few parts were generally weak. • “Taking data sovereignty” including data disposal, control of cryptographic keys, and identi fi cation of critical data. • “Attack surface reduction” inside EC2. • Incident response training, etc. • These measures are important for managing important data on your own responsibility, so they should be implemented regardless of the scale of your business. General Comments and Recommendations

• σʔλΨόφϯεɾσʔλϚωδϝϯτͷ؍఺Ͱɺσʔλͷഇغ ΍҉߸伴ͷίϯτϩʔϧɾॏཁσʔλͷࣝผͳͲͷʮσʔλͷओ ݖΛѲΔʯ෦෼΍ɺEC2಺෦ʹ͓͚Δʮ߈ܸ໘ͷ࡟ݮʯɺΠϯγ σϯτରԠ܇࿅ͳͲز͔ͭͷ෦෼͸ɺ૯ͯ͡௿ௐͰ͋ͬͨɻ • ͜ΕΒͷࢪࡦ͸ɺॏཁͳσʔλΛࣗ਎ͷ੹೚ͱͯ͠؅ཧ͢Δ ্Ͱॏཁͳ΋ͷͰ͋ΔͨΊɺࣄۀن໛໰Θ࣮ͣࢪ͢Δ΂͖Ͱ ͋Δɻ General Comments and Recommendations

• Korea was signi fi cantly less likely to use services like Amazon GuardDuty and AWS Security Hub, which work to some extent by enabling features. • These can detect events and signs of a breach that are dif fi cult to fi nd with AWS CloudTrail and Amazon Cloudwatch. • We expect that organizational control will be used to deploy the use of these services to improve the security of the AWS environment. General Comments and Recommendations

• ؖࠃ͸ɺAmazon GuardDuty΍AWS Security HubͷΑ͏ʹɺػೳΛ༗ޮ ʹ͢Δ͜ͱͰ͋Δఔ౓ػೳ͢ΔαʔϏεΛར༻͢Δճ౴͕ஶ͘͠௿͔ͬ ͨɻ • ͜ΕΒ͸ɺAWS CloudTrailͱAmazon CloudwatchͰ͸ݟ͚ͭΔ͜ͱ͕ ೉͍͠ࣄ৅΍৵֐ͷ༧ஹΛݕग़Ͱ͖Δɻ • ૊৫తͳ౷੍ྗΛ׆͔ͯ͠ɺ͜ΕΒͷ׆༻Λల։͠ɺAWS؀ڥͷη ΩϡϦςΟΛ޲্͍ͯ͘͜͠ͱʹظ଴͢Δɻ General Comments and Recommendations

Today’s Agenda • Introduction ~ Report Summary • Excerpts from the Japanese survey results • Korea-Japan Comparison • General Comments and Recommendations • FAQ

FAQ • Q. What was the most dif fi cult thing? • A. Since the number of questions was 30, it was dif fi cult to increase the number of survey responses. The appeal at the event was able to convey the enthusiasm and we received many responses. On the other hand, simply asking people to spread the word, as we did in Korea, did not increase the number of responses.

FAQ • Q. I would like to fi ll out the survey • A. We are very happy to do so, but the survey is currently closed. We had plans to tabulate it globally, but we are at a standstill because we do not have the means to get enough responses.

FAQ • Q. I would like to read the full report. • A. Please access the QR code on the next slide! The report of the survey compiled in Korea is available in Japanese only.

• AWS Security Best Practices Usage Survey Report (English)