Slide 1

The best and the worst security practices on AWS
Ben Whaley (@iAmTheWhaley)
OWASP Lviv, 2019-02-19

Slide 2

Who the fsck is this guy?
• Security, OS, networking nerd (since 1995)
• Co-author, UNIX & Linux System Administration Handbook (since 2006)
• AWS Community Hero (since 2014)
• Consultant (T-Mobile, Square, Coinbase, …) (2013-2017)
• Engineering @ Kountable (since 2017)

Slide 3

Accounts

Slide 4

Worst: Monolithic accounts
• Proliferation of VPCs, security groups, peering connections
• Gnarled mess of IAM policies
• Complex billing statements, difficult attribution
• Limited compartmentalization capability

Slide 5

Best: Multi-account security strategy
• Bask in the warm light of AWS Organizations
• Federated cross-account access with single sign-on/IdP
• Per account security policies
• Per account cost attribution
• Compartmentalization limits blast radius
• Centralized control with explicit trust relationships

Slide 6

[Diagram: four accounts: Identity, Command & Control, Development, Production]

Slide 7

[Diagram: users authenticate to the Identity account with SAML via the IdP and get AWS Console and API access; from there they AssumeRole into the Command & Control, Development and Production accounts]

Slide 8

Best: Review Trusted Advisor

Slide 9

Best: Enable GuardDuty

Slide 10

Best: Enable CloudTrail, VPC Flow Logs
Worst: Allow users to make changes

Slide 11

Example Service Control Policy

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": [
        "cloudtrail:StopLogging",
        "ec2:DeleteFlowLogs",
        "logs:DeleteLogGroup",
        "logs:DeleteLogStream"
      ],
      "Resource": "*"
    }
  ]
}

Slide 12

Best: Managed services
Case in point: CVE-2019-5736
Released: Feb 11
Patched: Feb 13

Slide 13

Networking

Slide 14

Worst: Haphazard VPC Design
• Uncontrolled subnets and CIDR ranges
• Ad hoc security groups
• Myriad NACLs
• Inconsistent service placement
• Unclear network security zones

Slide 15

Best: Controlled VPC Design

Accounts shown: C&C, Development, Production

VPC         us-west-2       eu-west-1
management  172.20.0.0/16   10.20.0.0/16
Dev         172.21.0.0/16   10.21.0.0/16
Staging     172.22.0.0/16   10.22.0.0/16
Prod        172.23.0.0/16   10.23.0.0/16

Slide 16

Best: Controlled VPC Design

management VPC, us-west-2, 172.20.0.0/16

Tier      us-west-2a       us-west-2b       us-west-2c
Public    172.20.0.0/24    172.20.1.0/24    172.20.2.0/24
Private   172.20.10.0/24   172.20.11.0/24   172.20.12.0/24
Data      172.20.20.0/24   172.20.21.0/24   172.20.22.0/24

Slide 17

Best: Per-service security groups
Worst: Many SGs for an instance/service

❌ EC2 Instance with multiple SGs: 22 / 22, 443 / 80, 443
✅ EC2 Instance with one SG: 22, 80, 443

Slide 18

Best: Use VPC endpoints

[Diagram: EC2 Instance → Internet → S3 Bucket, versus EC2 Instance → VPC Endpoint → S3 Bucket]

Slide 19

Worst: Open outbound SG rules

Slide 20

Worst: CIDR range sources in security groups ❌
Best: SG ID sources ✅

Slide 21

Best: Monitoring SES reputation

Slide 22

Worst: Managing TLS certificates
Best: AWS Certificate Manager

Slide 23

Identity & Access Management

Slide 24

Basic IAM hygiene
• Obligatory MFA
• No static API credentials
• Services must use roles
• Never use the root account
• Share root account password, MFA in password manager
• AssumeRole for third parties

Slide 25

Worst: Per-user policies
Best: Groups and managed policies

Slide 26

Best: Use IAM Policy Conditions

{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": "ec2:*",
    "Resource": "*",
    "Condition": {
      "IpAddress": {
        "aws:SourceIp": [
          "1.2.3.0/24",
          "2001:DB8:1234:5678::/64"
        ]
      }
    }
  }
}

Slide 27

Worst: “Authenticated Users” permission on S3 buckets

Slide 28

Best: Use Key Management Service

Slide 29

Best: Secure configuration with KMS
1. Generate a password
2. Save it as a SecureString in SSM Parameter Store
3. Add policy to read the Parameter Store value
4. Assign policy to a role used by an ECS task/instance
5. Read password from Parameter Store at run time
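An added example, not from the slides, walking the five steps above in Python with boto3-style calls. The parameter name, account id, role name and KMS key ARN are placeholders, and the SSM client is passed in as an argument so the functions can be exercised without touching AWS.

```python
import json
import secrets
import string

def generate_password(length: int = 32) -> str:
    """Step 1: password from the OS CSPRNG; letters and digits only so it
    never needs quoting in shells or config files."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))

def store_password(ssm, name: str, value: str, kms_key_id: str) -> None:
    """Step 2: store as a SecureString encrypted with the named KMS key."""
    ssm.put_parameter(Name=name, Value=value, Type="SecureString",
                      KeyId=kms_key_id, Overwrite=True)

def read_policy(region: str, account_id: str, name: str, kms_key_arn: str) -> dict:
    """Step 3: least-privilege document: read only this parameter and decrypt
    only with the key that protects it (no ssm:* or kms:* wildcards)."""
    param_arn = f"arn:aws:ssm:{region}:{account_id}:parameter{name}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": "ssm:GetParameter", "Resource": param_arn},
            {"Effect": "Allow", "Action": "kms:Decrypt", "Resource": kms_key_arn},
        ],
    }

def read_password(ssm, name: str) -> str:
    """Step 5: fetch and decrypt at run time; the secret is never baked into
    an image, task definition or environment file."""
    resp = ssm.get_parameter(Name=name, WithDecryption=True)
    return resp["Parameter"]["Value"]

if __name__ == "__main__":
    import boto3  # only needed for a live run against AWS
    # Placeholder values (assumptions, not from the talk): substitute your own.
    region, account, role = "eu-west-1", "111111111111", "app-task-role"
    name, key_arn = "/app/db/password", "arn:aws:kms:eu-west-1:111111111111:key/EXAMPLE"
    ssm = boto3.client("ssm", region_name=region)
    store_password(ssm, name, generate_password(), key_arn)
    # Step 4: attach the read policy to the ECS task/instance role.
    boto3.client("iam").put_role_policy(
        RoleName=role, PolicyName="read-db-password",
        PolicyDocument=json.dumps(read_policy(region, account, name, key_arn)))
    print(read_password(ssm, name))
```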

Slide 30

Worst: Overly permissive policies for EC2 instances

Slide 31

Best: Protect the metadata endpoint

Slide 32

Resources

Slide 33

Do: Learn from the Experts
• The well-architected framework https://aws.amazon.com/architecture/well-architected/
• Solutions https://aws.amazon.com/solutions
• Security blog https://aws.amazon.com/blogs/security/
• Security Bulletins https://aws.amazon.com/security/security-bulletins/

Slide 34

Thank you!