Workshop presented at OWASP BASC 2019 by Rami McCarthy and Joshua Dow
"As comfort and familiarity with cloud computing are now more mainstream, companies are leaning more and more on cloud resources to host and run even their most sensitive technical assets. With these new technologies/innovations come new (and old!) security concerns. In this workshop, we will take participants through a baseline understanding of cloud security - with a focus on AWS security fundamentals.
First, we will briefly outline the cloud security model, the similarities across platforms, and the shared responsibility model that Amazon employs. From there, we will introduce participants to open-source tooling for AWS account auditing and hardening, including NCC's own ScoutSuite. We will provide access to an intentionally vulnerable AWS environment, to allow workshop attendees to follow along and explore misconfigurations with their own eyes. We will also support attendees who want to immediately dive into auditing their own AWS accounts/environments.
Next, we'll highlight easy wins for AWS security that the audience will be able to immediately apply to their own environments. Following that, we'll speak to Amazon's built-in security tooling, including:
Macie (and why it's probably wrong for you!)
We'll focus on actionable guidance so attendees can walk away and use these tools to harden their own posture. Subsequently, we'll work with attendees through the misconfigurations that led to the Capital One breach, via the CloudGoat scenario. Wrapping up, we'll provide an easy-to-follow cheatsheet of best practices, easy wins, and open-source tools that attendees can reference to improve their own environments."
AWS: Cloud Security
• Hands-on with Built-ins
15-minute break
• Hands-on Self-Auditing
• Closing Questions
The "Big Three"
aws iam list-users --output table
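Listing users is the first step of self-auditing; the next is asking which of those users are actually dangerous. The script below is an added example written for this page, not the workshop's own material: it triages an IAM credential report (fetched in real life with `aws iam generate-credential-report` followed by `aws iam get-credential-report --query Content --output text | base64 -d`) and flags root access keys, root without MFA, console users without MFA, and access keys that are older than, or unused for longer than, an assumed 90-day policy. The embedded report rows are constructed to match the real CSV layout; the account ID, user names and the 90-day threshold are assumptions.

```python
"""Added example (not from the workshop): triage an AWS IAM credential report.

A real report is obtained with:
    aws iam generate-credential-report
    aws iam get-credential-report --query Content --output text | base64 -d > report.csv
SAMPLE_REPORT below is a constructed report in that CSV layout. The 90-day
key-age threshold is an assumed organisational policy, not an AWS default.
"""
import csv
import io
import sys
from datetime import datetime, timedelta, timezone

# Constructed sample: root plus three IAM users in a fictional account 123456789012.
SAMPLE_REPORT = """user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws:iam::123456789012:root,2017-01-05T10:00:00+00:00,not_supported,2019-10-01T08:00:00+00:00,not_supported,not_supported,false,true,2017-01-05T10:00:00+00:00,2019-09-30T12:00:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
alice,arn:aws:iam::123456789012:user/alice,2018-03-10T09:00:00+00:00,true,2019-10-10T14:00:00+00:00,2019-08-01T09:00:00+00:00,2019-11-01T09:00:00+00:00,true,true,2019-08-15T09:00:00+00:00,2019-10-10T14:00:00+00:00,us-east-1,ec2,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
bob,arn:aws:iam::123456789012:user/bob,2018-03-10T09:00:00+00:00,true,2019-10-09T11:00:00+00:00,2018-03-10T09:00:00+00:00,N/A,false,true,2018-03-10T09:00:00+00:00,2018-05-01T00:00:00+00:00,us-west-2,iam,true,2019-09-01T09:00:00+00:00,N/A,N/A,N/A,false,N/A,false,N/A
svc-deploy,arn:aws:iam::123456789012:user/svc-deploy,2019-01-20T09:00:00+00:00,false,no_information,N/A,N/A,false,true,2019-09-25T09:00:00+00:00,2019-10-10T02:00:00+00:00,us-east-1,ecr,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
"""

# Placeholder values AWS emits in date columns when no timestamp applies.
NO_DATE = {"N/A", "no_information", "not_supported", ""}


def parse_ts(value):
    """Return an aware datetime for an ISO-8601 report timestamp, or None."""
    if value in NO_DATE:
        return None
    return datetime.fromisoformat(value)


def audit_credential_report(report_csv, now, max_key_age_days=90):
    """Return a list of (user, finding) tuples for the risky rows in a report."""
    findings = []
    max_age = timedelta(days=max_key_age_days)
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]

        if user == "<root_account>":
            # Root should never hold access keys, and must have MFA.
            for n in ("1", "2"):
                if row[f"access_key_{n}_active"] == "true":
                    findings.append((user, f"root access key {n} is active"))
            if row["mfa_active"] != "true":
                findings.append((user, "root account has no MFA"))
            continue

        # Console access without a second factor.
        if row["password_enabled"] == "true" and row["mfa_active"] != "true":
            findings.append((user, "console password enabled without MFA"))

        # Long-lived or abandoned access keys (only active keys matter).
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] != "true":
                continue
            rotated = parse_ts(row[f"access_key_{n}_last_rotated"])
            if rotated is not None and now - rotated > max_age:
                findings.append((user, f"access key {n} older than {max_key_age_days} days"))
            last_used = parse_ts(row[f"access_key_{n}_last_used_date"])
            if last_used is not None and now - last_used > max_age:
                findings.append((user, f"access key {n} unused for more than {max_key_age_days} days"))
    return findings


def audit_sample(now_iso="2019-10-15T00:00:00+00:00"):
    """Audit the constructed SAMPLE_REPORT as of a fixed instant (deterministic)."""
    return audit_credential_report(SAMPLE_REPORT, datetime.fromisoformat(now_iso))


if __name__ == "__main__":
    # Pass a decoded report path to audit a real account; otherwise use the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            report = fh.read()
        results = audit_credential_report(report, datetime.now(timezone.utc))
    else:
        results = audit_sample()
    for user, finding in results:
        print(f"{user}: {finding}")
```

Run against the sample, the script reports the root access key and missing root MFA, bob's console login without MFA, and bob's key 1 as both over 90 days old and unused for more than 90 days; alice and svc-deploy are clean. Rotation and last-used dates are compared against a fixed instant in `audit_sample` only so the output is reproducible; a real audit uses the current time.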
Logging is a component of compliance
• ISO 27001 – A.12.4
• PCI DSS - Requirement 10
Get on your balaclavas
Credit to prior art; check these people out to learn more!
Corey Quinn - https://www.lastweekinaws.com - @QuinnyPig
Teri Radichel - https://2ndsightlab.com/ - @TeriRadichel
Scott Piper – https://summitroute.com/ - @0xdabbad00
Toni de la Fuente - https://github.com/toniblyx/my-arsenal-of-aws-security-tools - @ToniBlyx
Rhino Security - https://rhinosecuritylabs.com/blog/?category=aws
Cloudonaut - https://cloudonaut.io/aws-security-primer/
AWS resources for secure architecture
Well-Architected Framework: Security Pillar
AWS Cloud Adoption Framework
Aligning to NIST
Come chat at the Social Hour