AWS Cloud Security Fundamentals

Workshop presented at OWASP BASC 2019 by Rami McCarthy and Joshua Dow

Abstract:

"As comfort and familiarity with cloud computing is now more mainstream, companies are leaning more and more on cloud resources to host and run even their most-sensitive technical assets. With these new technologies/innovations come new (and old!) security concerns. In this workshop, we will take participants through a baseline understanding of cloud security - with a focus on AWS security fundamentals.

First, we will briefly outline the cloud security model, the similarities across platforms, and the shared responsibility model that Amazon employs. From there, we will introduce participants to open-source tooling for AWS account auditing and hardening, including NCC's own ScoutSuite. We will provide access to an intentionally vulnerable AWS environment, to allow workshop attendees to follow along and explore misconfigurations with their own eyes. We also will support attendees who want to immediately dive into auditing their own AWS accounts/environments.

Next, we'll highlight easy wins for AWS security, that the audience will be able to immediately apply to their own environments. Following that, we'll speak to Amazon's built-in security tooling, including:

Security Hub
Trusted Advisor
CloudTrail
Inspector
GuardDuty
Macie (and why it's probably wrong for you!)

We'll focus on actionable guidance to walk away and be able to use these tools to harden your own posture. Subsequently, we'll work with attendees through the misconfigurations that led to the Capital One breach, via the CloudGoat scenario. Wrapping up, we'll provide an easy-to-follow cheatsheet of best practices, easy wins, and open source tools that attendees can reference to improve their own environments."

Rami McCarthy

October 19, 2019
Transcript

  1. AWS: Cloud Security Fundamentals (Josh Dow, Rami McCarthy)

  2. This Workshop

  3. Agenda

    o Introduction
    o Hands-on with Built-ins
    15 minute break
    o Hands-on Self-Auditing
    o Cheatsheet
    o Closing Questions
  4. The Cloud

  5. The "Big Three"

  6. Why focus on AWS? https://www.parkmycloud.com/blog/aws-vs-azure-vs-google-cloud-market-share/

  7. http://www.chriswatterston.com

  9. AWS

    • Services
    • Regions

  10. AWS Security

    • Encryption
    • External Exposure
    • IAM
    • Logging/Auditing

  11. https://cloudonaut.io/aws-security-primer/

  13. Environment Access

  14. aws iam list-users --output table

  15. AWS Built-in Security Tools

  19. Logging is a component of compliance with:

    • ISO 27001 - A.12.4
    • PCI DSS - Requirement 10
  31. AWS Configuration Easy Wins

  32. Enable Amazon Tools

  33. Secure Logging

  34. Secure Public Access

  35. Secure Authentication

  36. Secure MFA
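The "easy wins" on slides 31 to 36 (secure authentication, secure MFA) are the kind of check that can be scripted against the IAM credential report rather than read off `aws iam list-users` by hand. The following is an added example, not code from the workshop or its authors: it parses a constructed report in the CSV shape that `aws iam get-credential-report` returns after the base64 `Content` field is decoded (only a subset of the real columns is included), and flags console users without MFA, active root access keys, and access keys older than an assumed 90-day rotation window.

```python
"""Audit an IAM credential report for the MFA / root-key / key-rotation easy wins.

Added example (not part of the workshop material). The column names follow the
IAM credential report; the report contents, account id and 90-day threshold
are constructed assumptions for this example.
"""
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample report (decoded CSV). Real reports contain more columns;
# csv.DictReader only needs the ones referenced below.
SAMPLE_REPORT = """user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
<root_account>,arn:aws:iam::123456789012:root,2018-01-01T00:00:00+00:00,not_supported,2019-10-01T00:00:00+00:00,not_supported,not_supported,false,true,2018-01-01T00:00:00+00:00,N/A,false,N/A,N/A
alice,arn:aws:iam::123456789012:user/alice,2019-02-01T00:00:00+00:00,true,2019-10-10T00:00:00+00:00,2019-02-01T00:00:00+00:00,N/A,true,true,2019-09-01T00:00:00+00:00,2019-10-10T00:00:00+00:00,false,N/A,N/A
bob,arn:aws:iam::123456789012:user/bob,2019-03-01T00:00:00+00:00,true,no_information,2019-03-01T00:00:00+00:00,N/A,false,false,N/A,N/A,false,N/A,N/A
deploy,arn:aws:iam::123456789012:user/deploy,2018-06-01T00:00:00+00:00,false,N/A,N/A,N/A,false,true,2018-06-01T00:00:00+00:00,2019-10-15T00:00:00+00:00,false,N/A,N/A
"""

# Assumed rotation policy; pick the value your own policy requires.
MAX_KEY_AGE = timedelta(days=90)

# Fixed "now" so the sample evaluates the same way every run (workshop date).
REPORT_DATE = datetime(2019, 10, 19, tzinfo=timezone.utc)


def _parse_ts(value):
    """Report timestamps are ISO-8601; non-date cells read N/A, no_information or not_supported."""
    try:
        return datetime.fromisoformat(value)
    except ValueError:
        return None


def audit_credential_report(report_csv, now):
    """Return a list of (user, finding) tuples for the three checks."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        if user == "<root_account>":
            # Root should have MFA and should never carry long-lived access keys.
            if row["access_key_1_active"] == "true" or row["access_key_2_active"] == "true":
                findings.append((user, "root account has an active access key"))
            if row["mfa_active"] != "true":
                findings.append((user, "root account has no MFA"))
            continue
        # Any user with a console password needs MFA enabled.
        if row["password_enabled"] == "true" and row["mfa_active"] != "true":
            findings.append((user, "console password enabled without MFA"))
        # Active access keys must have been rotated within the policy window.
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] != "true":
                continue
            rotated = _parse_ts(row[f"access_key_{n}_last_rotated"])
            if rotated is None or now - rotated > MAX_KEY_AGE:
                findings.append((user, f"access key {n} older than {MAX_KEY_AGE.days} days"))
    return findings


def main():
    for user, finding in audit_credential_report(SAMPLE_REPORT, REPORT_DATE):
        print(f"{user}: {finding}")


if __name__ == "__main__":
    main()
```

Against a real account, feed the decoded `Content` of `aws iam get-credential-report` into `audit_credential_report` with `datetime.now(timezone.utc)`; the report is generated asynchronously, so call `aws iam generate-credential-report` first and retry until it is ready.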

  38. Third-Party Tools

  39. Free Third-Party Tools

  40. https://github.com/toniblyx/prowler

  41. https://github.com/nccgroup/scoutsuite

  42. https://github.com/duo-labs/cloudmapper

  43. Get on your balaclavas

  44. CloudGoat Walkthrough

  45. Cheatsheet

  46. Credit to prior art; check these people out to learn more!

    Corey Quinn - https://www.lastweekinaws.com - @QuinnyPig
    Teri Radichel - https://2ndsightlab.com/ - @TeriRadichel
    Scott Piper - https://summitroute.com/ - @0xdabbad00
    Toni de la Fuente - https://github.com/toniblyx/my-arsenal-of-aws-security-tools - @ToniBlyx
    Rhino Security - https://rhinosecuritylabs.com/blog/?category=aws
    Cloudonaut - https://cloudonaut.io/aws-security-primer/
  47. AWS resources for secure architecture

    Well-Architected Framework: Security Pillar
    AWS Cloud Adoption Framework
    Aligning to NIST
  48. Questions? Come chat at the Social Hour (we're sponsoring!)