Slide 1
Slide 1 text
Gefahren
der Cloud
Philipp Krenn̴̴̴̴̴̴̴̴@xeraa
Slide 2
Slide 2 text
No content
Slide 3
Slide 3 text
ViennaDB
Papers We Love Vienna
Slide 4
Slide 4 text
Wer verwendet
AWS, Azure,...?
Slide 5
Slide 5 text
Löst die Cloud alle
Security-Probleme?
Slide 6
Slide 6 text
No content
Slide 7
Slide 7 text
"We can operate more securely
on AWS than we can in our own
data centers" Rob Alexander
of CapitalOne #reinvent
— Adrian Cockcroft, https://twitter.com/adrianco/status/
651788241557942272
Slide 8
Slide 8 text
No content
Slide 9
Slide 9 text
No content
Slide 10
Slide 10 text
AWS Security Bulletins
https://aws.amazon.com/security/security-bulletins/
Xen, Heartbleed,...
Slide 11
Slide 11 text
Infrastruktur
Slide 12
Slide 12 text
VPC
Virtual Private Cloud
Slide 13
Slide 13 text
EC2 Classic
Private und öffentliche IPs für jede Instanz
Slide 14
Slide 14 text
No content
Slide 15
Slide 15 text
No content
Slide 16
Slide 16 text
Netzwerk /16
Produktion 10.0.*.*
Entwicklung 10.1.*.*
Slide 17
Slide 17 text
Verfügbarkeitszonen /18
A 10.*.0.0/18
B 10.*.64.0/18
Reserve 10.*.128.0/18
10.*.192.0/18
Slide 18
Slide 18 text
Subnetze /20
A öffentlich 10.*.0.0/20
A privat 10.*.16.0/20
A Reserve 10.*.32.0/20
10.*.48.0/20
Slide 19
Slide 19 text
PS: Netzwerk
Keine Broadcasts oder Multicasts
Noch kein IPv6
Slide 20
Slide 20 text
Sicherheitsgruppen
Pro Instanz
Slide 21
Slide 21 text
No content
Slide 22
Slide 22 text
Netzwerk ACL
Pro Subnetz (optional)
Slide 23
Slide 23 text
Verschlüsselung
At Rest
Slide 24
Slide 24 text
S3, EBS, RDS,...
Transparentes Key Management
Slide 25
Slide 25 text
No content
Slide 26
Slide 26 text
Microservices
Technologie & AWS Konto pro Team
OAuth für interne & externe
Kommunikation
Slide 27
Slide 27 text
Konten
Slide 28
Slide 28 text
Aber das Hauptproblem
sind...
Slide 29
Slide 29 text
✋
Slide 30
Slide 30 text
No content
Slide 31
Slide 31 text
[...] our data, backups,
machine configurations and
offsite backups were either
partially or completely
deleted.
— http://www.codespaces.com
Slide 32
Slide 32 text
Code Spaces has a full
recovery plan that has
been proven to work and
is, in fact, practiced.
Slide 33
Slide 33 text
No content
Slide 34
Slide 34 text
The person(s) used our
account to order hundreds of
expensive servers, likely to
mine Bitcoin or other
cryptocurrencies.
— http://blog.drawquest.com
Slide 35
Slide 35 text
No content
Slide 36
Slide 36 text
This outage was the
result of an attack on our
systems using a
compromised API key.
— http://status.bonsai.io/incidents/qt70mqtjbf0s
Slide 37
Slide 37 text
No content
Slide 38
Slide 38 text
1001
einfache Schritte für mehr Sicherheit
Slide 39
Slide 39 text
0000
root Konto wegsperren
Slide 40
Slide 40 text
0001
Immer IAM verwenden
Identity and Access Management
Slide 41
Slide 41 text
No content
Slide 42
Slide 42 text
0010
Nur notwendige Rechte
Slide 43
Slide 43 text
{ "Statement": [
{
"Effect": "Allow",
"Action": "*",
"Resource": "*"
},
{
"Effect": "Deny",
"Action": [
"ec2:ReleaseAddress",
"route53:DeleteHostedZone"
],
"Resource": "*"
}
] }
Slide 44
Slide 44 text
0011
Starke Passworte
Slide 45
Slide 45 text
No content
Slide 46
Slide 46 text
0100
Multi Factor
Authentication (MFA)
Slide 47
Slide 47 text
No content
Slide 48
Slide 48 text
No content
Slide 49
Slide 49 text
Hardware Token
Sicherheitsfragen merken (und verteilen)
Slide 50
Slide 50 text
0101
Niemals Zugangsdaten
commiten
Slide 51
Slide 51 text
Nur wohin?
Slide 52
Slide 52 text
1. Umgebungsvariablen
Slide 53
Slide 53 text
2. Verschlüsselte Dateien
in SCM
Slide 54
Slide 54 text
http://ejohn.org
/blog/keeping-passwords-in-source-control/
Slide 55
Slide 55 text
No content
Slide 56
Slide 56 text
#!/bin/sh
FILE=$1
FILENAME=$(basename "$FILE")
EXTENSION="${FILENAME##*.}"
NAME="${FILENAME%.*}"
if [[ "$EXTENSION" != "aes256" ]]
then
echo "Encrypting $FILENAME and removing the plaintext file"
openssl aes-256-cbc -e -a -in $FILENAME -out ${FILENAME}.aes256
rm $FILENAME
else
then
echo "Decrypting $FILENAME"
openssl aes-256-cbc -d -a -in $FILENAME -out $NAME
fi
Slide 57
Slide 57 text
$ ls
truststore.jks.aes256
$ encrypt-decrypt.sh truststore.jks.aes256
Contact [email protected] for the password
Decrypting truststore.jks.aes256
enter aes-256-cbc decryption password:
$ ls
truststore.jks truststore.jks.aes256
Slide 58
Slide 58 text
3. Spezielle Tools
Slide 59
Slide 59 text
Ansible Vault
HashiCorp Vault
Friedlander Secrets Pit
Slide 60
Slide 60 text
Eigenen Code prüfen
https://github.com/michenriksen/gitrob
Slide 61
Slide 61 text
0110
IP Restriktionen
Slide 62
Slide 62 text
{ "Statement": [
{
"Effect": "Allow",
"Action": "*",
"Resource": "*"
},
{
"Effect": "Deny",
"Action": "*",
"Resource": "*",
"Condition": {
"NotIpAddress": {
"aws:SourceIp": ["1.2.3.4/24", "5.6.7.8/28"]
}
}
}
] }
Slide 63
Slide 63 text
No content
Slide 64
Slide 64 text
0111
Billing Alerts
Slide 65
Slide 65 text
No content
Slide 66
Slide 66 text
1000
CloudTrail
Slide 67
Slide 67 text
{ "Records": [
{
"eventVersion": "1.0",
"userIdentity": {
"type": "IAMUser",
"principalId": "EX_PRINCIPAL_ID",
"arn": "arn:aws:iam::123456789012:user/Alice",
"accountId": "123456789012",
"accessKeyId": "EXAMPLE_KEY_ID",
"userName": "Alice"
},
"eventTime": "2015-09-09T19:01:59Z",
"eventSource": "ec2.amazonaws.com",
"eventName": "StopInstances",
"awsRegion": "eu-west-1",
"sourceIPAddress": "205.251.233.176",
"userAgent": "ec2-api-tools 1.6.12.2",
"requestParameters": {
"instancesSet": {
"items": [
{ "instanceId": "i-ebeaf9e2" }
]
},
"force": false
},
...
Slide 68
Slide 68 text
1001
Security Status
Slide 69
Slide 69 text
No content
Slide 70
Slide 70 text
Abschluss
Slide 71
Slide 71 text
Es gibt keine ✨
Slide 72
Slide 72 text
140 servers running on my AWS
account. What? How? I only had
S3 keys on my GitHub and they
where gone within 5 minutes!
— http://www.devfactor.net/2014/12/30/2375-amazon-
mistake/
Slide 73
Slide 73 text
Kompromittierte Keys
rotieren
Slide 74
Slide 74 text
How a bug in Visual Studio
2015 exposed my source code
on GitHub and cost me $6,500
in a few hours
— https://www.humankode.com/security/how-a-bug-in-
visual-studio-2015-exposed-my-source-code-on-github-and-
cost-me-6500-in-a-few-hours
Slide 75
Slide 75 text
Keine Zugangsdaten
commiten
Slide 76
Slide 76 text
Danke!
Fragen?
Philipp Krenn̴̴̴̴̴̴̴̴@xeraa