
AWS Cloud Security Fundamentals


Workshop presented at OWASP BASC 2019 by Rami McCarthy and Joshua Dow


"As comfort and familiarity with cloud computing is now more mainstream, companies are leaning more and more on cloud resources to host and run even their most-sensitive technical assets. With these new technologies/innovations come new (and old!) security concerns. In this workshop, we will take participants through a baseline understanding of cloud security - with a focus on AWS security fundamentals.

First, we will briefly outline the cloud security model, the similarities across platforms, and the shared responsibility model that Amazon employs. From there, we will introduce participants to open-source tooling for AWS account auditing and hardening, including NCC's own ScoutSuite. We will provide access to an intentionally vulnerable AWS environment, to allow workshop attendees to follow along and explore misconfigurations with their own eyes. We also will support attendees who want to immediately dive into auditing their own AWS accounts/environments.

Next, we'll highlight easy wins for AWS security that the audience will be able to immediately apply to their own environments. Following that, we'll speak to Amazon's built-in security tooling, including:

Security Hub
Trusted Advisor
Macie (and why it's probably wrong for you!)

We'll focus on actionable guidance to walk away and be able to use these tools to harden your own posture. Subsequently, we'll work with attendees through the misconfigurations that led to the Capital One breach, via the CloudGoat scenario. Wrapping up, we'll provide an easy-to-follow cheatsheet of best practices, easy wins, and open source tools that attendees can reference to improve their own environments."

Rami McCarthy

October 19, 2019




1. Agenda
   o Introduction
   o Hands-on with Built-ins
   15 minute break
   o Hands-on Self-Auditing
   o Cheatsheet
   o Closing Questions

2. Logging is a component of compliance with:
   • ISO 27001 – A.12.4
   • PCI DSS – Requirement 10

3. Credit to prior art; check these people out to learn more!
   Corey Quinn - https://www.lastweekinaws.com - @QuinnyPig
   Teri Radichel - https://2ndsightlab.com/ - @TeriRadichel
   Scott Piper - https://summitroute.com/ - @0xdabbad00
   Toni de la Fuente - https://github.com/toniblyx/my-arsenal-of-aws-security-tools - @ToniBlyx
   Rhino Security - https://rhinosecuritylabs.com/blog/?category=aws
   Cloudonaut - https://cloudonaut.io/aws-security-primer/