
AWS Security: Easy Wins and Enterprise Scale

Rami McCarthy
September 26, 2020


Presented at BSides Boston 2020

Cloud computing continues its rampant growth, and AWS maintains its lead as the predominant platform. Since the last BSidesBoston in 2017, AWS adoption has gone from 57% to 76% of enterprises (per RightScale/Flexera State of the Cloud 2017/2020). Whether your organization has two feet firmly in the cloud, is dipping a toe in the water, or you personally are wondering "where do I even start," it's important to learn to adjust security to cloud environments.

This talk will look at two ends of the spectrum. First, we'll go through the easy wins that almost anyone or any organization can identify and apply. Then, we'll pivot to look at the big-picture security problems to consider as either your security maturity or AWS usage grows. We won't be able to go deep into all the weeds of the topic, but instead we'll provide the essential information, and pointers for next steps. No matter the size, complexity, or sophistication of your AWS environment, you should walk away with an idea of where to look for your next actionable improvements.



  1. @ramimacisabird Rami McCarthy: Amazon Web Services Security, Easy Wins and Enterprise Scale
  2. Rami McCarthy, Senior Security Consultant, NCC Group. Penetration Tester (applications, clouds, code, etc.). AWS Certified Security - Specialty, CCSKv4. Creator: / Contributor:
  3. Easy Wins / Enterprise Scale
  4. The Cloud
  5. (no extractable text)
  6. Why?
  7. (no extractable text)
  8. Key Concepts
  9. IAM
  10. Principals: IAM Users, Groups, Roles
  11. Principals, IAM Policies
  12. IAM policy example (the slide's policy, with the smart quotes and the trailing comma fixed so it is valid JSON):

      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Effect": "Allow",
            "Action": "ec2:*",
            "Resource": "*"
          }
        ]
      }
  13. Principals, IAM Policies, Credentials
  14. Credentials (please don't share yours): Console Access, Programmatic Access, Assumable
  15. IAM Policy Evaluation
  16. IAM Policy Master
  17. Follow up: An AWS IAM Security Tooling Reference https://ramimac.me/cloudsec/security/aws-iam-tool-reference/

  18. Networking
  19. Networking
      • VPC (Virtual Private Cloud): Logically isolated virtual network
      • Subnets: A range of IP addresses within the VPC
      • Security Groups: Allow firewall rules at the networking interface level
      • NACLs: Allow/Deny firewall rules at the subnet level

      Security Groups                                 | NACLs
      ------------------------------------------------+---------------------------------------------------
      Instance level                                  | Subnet level
      Allow rules only                                | Allow and deny rules
      Stateful: return traffic allowed automatically  | Stateless: return traffic requires explicit allow
      All rules are evaluated                         | Rules are evaluated in order
      Must be applied to specific instances           | Automatically applies to all instances in subnet
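The Security Groups vs NACLs comparison on slide 19 can be turned into runnable logic. This added Python simulation (not from the talk; the rules and ports are constructed) applies each row of the table: a security group evaluates all of its allow-only rules and is stateful, while a NACL evaluates allow/deny rules in rule-number order, first match wins, and is stateless, so the reply to the client's ephemeral port needs its own outbound allow.

```python
# Constructed sample rules. A security group has allow rules only and no
# ordering; a NACL entry has a rule number, an allow/deny action and a direction.
SG_RULES = [
    {"proto": "tcp", "lo": 443, "hi": 443},
    {"proto": "tcp", "lo": 22, "hi": 22},
]
NACL_RULES = [
    {"num": 100, "dir": "in", "proto": "tcp", "lo": 443, "hi": 443, "action": "allow"},
    {"num": 110, "dir": "in", "proto": "tcp", "lo": 22, "hi": 22, "action": "deny"},
    # Rule 120 never fires: rule 110 matches port 22 first and denies it.
    {"num": 120, "dir": "in", "proto": "tcp", "lo": 22, "hi": 22, "action": "allow"},
    # Outbound allow for the ephemeral port range, so replies can leave the subnet.
    {"num": 100, "dir": "out", "proto": "tcp", "lo": 1024, "hi": 65535, "action": "allow"},
]


def _matches(rule, proto, port):
    return rule["proto"] == proto and rule["lo"] <= port <= rule["hi"]


def sg_allows(rules, proto, port):
    """All rules are evaluated; any match allows. There is no deny rule."""
    return any(_matches(r, proto, port) for r in rules)


def nacl_allows(rules, direction, proto, port):
    """Rules are evaluated in ascending rule-number order; the first match
    decides. No match falls through to the implicit final deny."""
    for r in sorted(rules, key=lambda r: r["num"]):
        if r["dir"] == direction and _matches(r, proto, port):
            return r["action"] == "allow"
    return False


def connection_permitted(sg_rules, nacl_rules, proto, port, reply_port):
    """Inbound request to `port`; the reply is addressed to the client's
    ephemeral `reply_port`. Stateful SG: the inbound allow is enough, return
    traffic is automatic. Stateless NACL: the inbound request and the
    outbound reply each need an explicit allow."""
    sg_ok = sg_allows(sg_rules, proto, port)
    nacl_ok = (nacl_allows(nacl_rules, "in", proto, port)
               and nacl_allows(nacl_rules, "out", proto, reply_port))
    return {"security_group": sg_ok, "nacl": nacl_ok}


if __name__ == "__main__":
    for port in (443, 22, 80):
        print(port, connection_permitted(SG_RULES, NACL_RULES, "tcp", port, 50000))
```

Dropping the outbound ephemeral-range entry from `NACL_RULES` blocks even the port 443 connection at the NACL while the security group still permits it, which is the stateful/stateless row of the table in action.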
  20. Easy Wins*** (* Let's be honest, nothing is easy at scale. ** Within the bounds of the Pareto Principle)
  21. Pareto Principle, what it says: 80% of the consequences come from 20% of the causes
  22. Pareto Principle, what it means: You can get 80% of the results with 20% of the work!
  23. Security Services
  24. Security Services: Artifact, Inspector, GuardDuty, Trusted Advisor, Config, CloudWatch, CloudTrail, SecurityHub
  25. Security Services, Artifact: AWS Artifact is a repository of AWS' compliance reports
  26. Security Services, Inspector: AWS Inspector is a vulnerability scanner for your EC2 instances
  27. Security Services, GuardDuty: AWS GuardDuty is an IDS for your AWS account
  28. (no extractable text)
  29. Security Services, SecurityHub: AWS SecurityHub is a single pane for your security alerts
  30. (no extractable text)
  31. Security Services, Config: AWS Config is a configuration monitoring and governance tool
  32. Security Services, CloudWatch: AWS CloudWatch is a monitoring and observability service
  33. Security Services, CloudTrail: AWS CloudTrail is a logging, monitoring, and event history center
  34. Security Services, Trusted Advisor: AWS TrustedAdvisor is a set of guidance on best practices (security, and beyond)
  35. (no extractable text)
  36. Security Services: Artifact, Inspector, GuardDuty, Trusted Advisor, Config, CloudWatch, CloudTrail, SecurityHub
  37. Account Best Practices

  38. Configuration (Account): ScoutSuite
  39. (no extractable text)
  40. (no extractable text)
  41. Segmentation (Account); Least Privilege (Pareto); External Exposure (Pareto): aws_exposable_resources
  42. Watch Out For Common Compromise Footholds
      • Credential Exposure
      • Metadata Service
      • Managed Service Data Exposure
      • Hosted Database Brute-force
      • Workstation Compromise
  43. Easy AWS Security Wins
      • Enable and configure provided security services
      • Take advantage of accounts as segmentation boundaries
      • Practice least privilege (and get a handle on IAM)
      • Minimize external exposure
      • Audit and secure configuration
      • IAM best practices (MFA :)! Logging :)!)
      • Watch out for common compromise footholds
  44. (no extractable text)
  45. Enterprise Scale
  46. Technical & Political
  47. Political
      • Pave the road
      • Billing (is a strong lever)
      • Remove responsibilities [1]
      [1] One good example of this is the Mozilla Security CloudTrail Storage System
  48. (no extractable text)
  49. Multi-Account Architecture
  50. Multi-account
  51. Multi-account: AWS Organizations https://aws.amazon.com/organizations/getting-started/best-practices/ *
  52. (no extractable text)
  53. Multi-account
  54. AWS Organizations - Services
      • CloudTrail
      • Config
      • GuardDuty
      • IAM
      • Security Hub
      • Trusted Advisor
  55. Visibility
  56. The vendor model
  57. The vendor model
  58. The home-grown model
  59. Case Study: Antiope, Chris Farris, Warner Media
  60. The service desk model
  61. Governance
  62. Least Privilege (100%)
  63. Access Advisor
  64. Access Analyzer
  65. Policy Sentry
  66. Repo Kid
  67. Secrets Management
  68. Secrets Management
  69. https://www.youtube.com/watch?v=Y3Gn_iP3FlE
  70. Logging, Monitoring, Alerting http://london-summit-slides-2017.s3.amazonaws.com/11.50%20-%20Security-at-Scale-with-AWS.pdf
  71. (no extractable text)
  72. Preparing for Incident Response: Logging/Monitoring/Alerting
  73. Logging/Monitoring/Alerting
  74. Tagging
  75. Tagging https://docs.aws.amazon.com/general/latest/gr/aws_tagging.html#tag-categories
  76. Tagging
      • Consistency
      • Less can be more
      • Tag-based access control
      • Automation
      • Cost Exploration
  77. Enterprise Scale AWS Security
      • Plan the politics
      • Multi-account architecture
      • AWS Organizations
      • Visibility
      • Governance
      • Least Privilege (100%)
      • Logging, Monitoring, Alerting
      • Preparing for incident response
      • Tagging
  78. Resources
      • https://research.nccgroup.com/2020/04/24/the-extended-aws-security-ramp-up-guide/
      • https://medium.com/swlh/so-you-inherited-an-aws-account-e5fe6550607d
      • https://summitroute.com/blog/2020/05/21/aws_security_maturity_roadmap_2020/
      • https://disruptops.com/stop-todays-top-10-cloud-attack-killchains/
  79. References
      • https://duo.com/blog/beyond-s3-exposed-resources-on-aws
      • https://blog.coinbase.com/you-need-more-than-one-aws-account-aws-bastions-and-assume-role-23946c6dfde3
      • http://london-summit-slides-2017.s3.amazonaws.com/11.50%20-%20Security-at-Scale-with-AWS.pdf
      • https://d1.awsstatic.com/whitepapers/aws-tagging-best-practices.pdf
      • https://www.youtube.com/watch?v=YQsK4MtsELU - IAM policy master
      • https://ramimac.me/cloudsec/security/aws-iam-tool-reference/
      • https://github.com/nccgroup/ScoutSuite
      • https://github.com/SummitRoute/aws_exposable_resources
      • https://www.blackhillsinfosec.com/wp-content/uploads/2020/05/Breaching-the-Cloud-Perimeter-Slides.pdf
      • https://twitter.com/forrestbrazeal/status/1138088894250070017?s=20