
AWS Security: Easy Wins and Enterprise Scale

Rami McCarthy
September 26, 2020


Presented at BSides Boston 2020

Cloud computing continues its rampant growth, and AWS maintains its lead as the predominant platform. Since the last BSidesBoston in 2017, AWS adoption has gone from 57% to 76% of enterprises (per RightScale/Flexera State of the Cloud 2017/2020). Whether your organization has two feet firmly in the cloud, is dipping a toe in the water, or you personally are wondering "where do I even start," it's important to learn to adjust security to cloud environments.

This talk will look at two ends of the spectrum. First, we'll go through the easy wins that almost anyone or any organization can identify and apply. Then, we'll pivot to look at the big-picture security problems to consider as either your security maturity or your AWS usage grows. We won't be able to go deep into all the weeds of the topic; instead we'll provide the essential information and pointers for next steps. No matter the size, complexity, or sophistication of your AWS environment, you should walk away with an idea of where to look for your next actionable improvements.


  1. Rami McCarthy (@ramimacisabird)
     Senior Security Consultant, NCC Group
     Penetration Tester (applications, clouds, code, etc.)
     AWS Certified Security - Specialty, CCSKv4
     Creator: Contributor:
  2. Networking
     • VPC (Virtual Private Cloud): logically isolated virtual network
     • Subnets: a range of IP addresses within the VPC
     • Security Groups: allow firewall rules at the network interface level
     • NACLs: allow/deny firewall rules at the subnet level
     Security Groups vs. NACLs:
     • Security Groups: instance level; allow rules only; stateful (return traffic allowed automatically); all rules are evaluated; must be applied to specific instances
     • NACLs: subnet level; allow and deny rules; stateless (return traffic requires explicit allow); rules are evaluated in order; automatically apply to all instances in the subnet
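The four differences on the slide above (allow-only vs. allow/deny, all-rules vs. ordered evaluation, stateful vs. stateless) are easy to state and easy to get wrong in practice. The toy evaluator below is an added example written for this page, not the speaker's code or an AWS library; the rule sets in it are constructed. It models a Security Group as "any allow rule matches", a NACL as "first numbered rule that matches wins, implicit deny otherwise", and shows why a stateless NACL needs an explicit outbound allow for the reply to a client's ephemeral port.

```python
"""Toy model of Security Group vs. Network ACL evaluation (added example; rules are constructed)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    action: str      # "allow" or "deny"; a Security Group only ever carries "allow"
    proto: str       # "tcp" or "udp"
    port_from: int
    port_to: int
    cidr: str        # peer address range the rule applies to

    def matches(self, proto, port, peer_ip):
        return (self.proto == proto
                and self.port_from <= port <= self.port_to
                and ip_address(peer_ip) in ip_network(self.cidr))


def security_group_allows(rules, proto, port, peer_ip):
    """Security Group: every rule is evaluated, traffic passes if ANY allow rule
    matches, and there is no way to write a deny; everything unmatched is dropped."""
    return any(r.matches(proto, port, peer_ip) for r in rules if r.action == "allow")


def nacl_allows(numbered_rules, proto, port, peer_ip):
    """NACL: rules are evaluated in ascending rule-number order and the FIRST match
    decides; if nothing matches, the implicit final '*' rule denies."""
    for _num, rule in sorted(numbered_rules, key=lambda nr: nr[0]):
        if rule.matches(proto, port, peer_ip):
            return rule.action == "allow"
    return False


def connection_completes(sg_inbound, nacl_inbound, nacl_outbound,
                         client_ip, server_port, client_ephemeral_port):
    """Does a client -> server TCP request AND its reply both get through?
    The Security Group is stateful, so once the request is allowed the reply is too.
    The NACL is stateless: the reply packet (server -> client ephemeral port) is
    checked against the OUTBOUND NACL rules on its own."""
    request_ok = (security_group_allows(sg_inbound, "tcp", server_port, client_ip)
                  and nacl_allows(nacl_inbound, "tcp", server_port, client_ip))
    if not request_ok:
        return False
    return nacl_allows(nacl_outbound, "tcp", client_ephemeral_port, client_ip)


# Constructed rule sets for a public HTTPS server.
SG_WEB = [Rule("allow", "tcp", 443, 443, "0.0.0.0/0")]

# Inbound NACL: block one abusive range (rule 100) before the general allow (rule 200).
NACL_IN = [(100, Rule("deny", "tcp", 443, 443, "203.0.113.0/24")),
           (200, Rule("allow", "tcp", 443, 443, "0.0.0.0/0"))]
# Same two rules with the numbers swapped: the allow now matches first, so the deny never fires.
NACL_IN_SWAPPED = [(100, Rule("allow", "tcp", 443, 443, "0.0.0.0/0")),
                   (200, Rule("deny", "tcp", 443, 443, "203.0.113.0/24"))]

# Outbound NACL that forgets the ephemeral-port range: requests arrive, replies are dropped.
NACL_OUT_MISSING_EPHEMERAL = [(100, Rule("allow", "tcp", 443, 443, "0.0.0.0/0"))]
# Outbound NACL that explicitly allows return traffic to client ephemeral ports.
NACL_OUT_CORRECT = [(100, Rule("allow", "tcp", 443, 443, "0.0.0.0/0")),
                    (110, Rule("allow", "tcp", 1024, 65535, "0.0.0.0/0"))]


if __name__ == "__main__":
    print("normal client, correct NACLs :",
          connection_completes(SG_WEB, NACL_IN, NACL_OUT_CORRECT, "198.51.100.7", 443, 50000))
    print("normal client, no ephemeral :",
          connection_completes(SG_WEB, NACL_IN, NACL_OUT_MISSING_EPHEMERAL, "198.51.100.7", 443, 50000))
    print("blocked range, deny first   :",
          connection_completes(SG_WEB, NACL_IN, NACL_OUT_CORRECT, "203.0.113.5", 443, 50000))
    print("blocked range, allow first  :",
          connection_completes(SG_WEB, NACL_IN_SWAPPED, NACL_OUT_CORRECT, "203.0.113.5", 443, 50000))
```

The swapped rule set is the NACL mistake auditors see most often: the deny is present, but a lower-numbered allow shadows it. The missing-ephemeral set is the stateless mistake: inbound 443 is open, yet the server's replies never leave the subnet.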
  3. Easy Wins***
     * Let's be honest, nothing is easy at scale
     ** Within the bounds of the Pareto Principle
  4. Pareto Principle, what it says: 80% of the consequences come from 20% of the causes
  5. Pareto Principle, what it means: you can get 80% of the results with 20% of the work!
  6. Security Services: Trusted Advisor
     AWS Trusted Advisor is a set of guidance on best practices (security, and beyond)
  7. Watch Out For Common Compromise Footholds
     • Credential Exposure
     • Metadata Service
     • Managed Service Data Exposure
     • Hosted Database Brute-force
     • Workstation Compromise
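The "Metadata Service" foothold on the slide above is the one with the cleanest configuration fix: require IMDSv2 (session tokens) so that a plain GET from a server-side request forgery cannot read instance credentials. The check below is an added example written for this page, not the speaker's tooling. It walks a response shaped like boto3's `ec2.describe_instances()` (the sample is constructed, but the `MetadataOptions` keys `HttpEndpoint`, `HttpTokens` and `HttpPutResponseHopLimit` are the real ones) and reports instances that still accept IMDSv1 or forward the token response more than one hop.

```python
"""Find EC2 instances whose metadata service still accepts IMDSv1 (added example; sample data constructed)."""

# Constructed sample in the shape boto3's ec2.describe_instances() returns (trimmed to the
# fields used here). Instance IDs are made up.
SAMPLE_DESCRIBE_INSTANCES = {
    "Reservations": [
        {"Instances": [
            {"InstanceId": "i-0aaaa0000000000a1",
             "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional",
                                 "HttpPutResponseHopLimit": 1}},
            {"InstanceId": "i-0bbbb0000000000b2",
             "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required",
                                 "HttpPutResponseHopLimit": 1}},
            {"InstanceId": "i-0cccc0000000000c3",
             "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required",
                                 "HttpPutResponseHopLimit": 2}},
            {"InstanceId": "i-0dddd0000000000d4",
             "MetadataOptions": {"HttpEndpoint": "disabled", "HttpTokens": "optional",
                                 "HttpPutResponseHopLimit": 1}},
        ]}
    ]
}


def imds_findings(describe_instances_response):
    """Return (instance_id, finding) pairs for instances whose metadata options are weak.

    - "imdsv1-allowed": HttpTokens is not "required", so unauthenticated GETs to
      169.254.169.254 still return role credentials.
    - "hop-limit-gt-1": the PUT response can be forwarded beyond the instance itself
      (e.g. out of a container network); 1 is the usual hardened value.
    Instances with the endpoint disabled are skipped: there is no metadata service to reach.
    """
    findings = []
    for reservation in describe_instances_response.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            opts = inst.get("MetadataOptions", {})
            if opts.get("HttpEndpoint") == "disabled":
                continue
            if opts.get("HttpTokens") != "required":
                findings.append((inst["InstanceId"], "imdsv1-allowed"))
            if opts.get("HttpPutResponseHopLimit", 1) > 1:
                findings.append((inst["InstanceId"], "hop-limit-gt-1"))
    return findings


def remediation_calls(findings):
    """Build the keyword arguments for ec2.modify_instance_metadata_options() that would
    enforce IMDSv2 on each flagged instance. The call is not made here; the returned
    dicts are what a remediation script would pass to the boto3 client."""
    calls = []
    for instance_id, finding in findings:
        if finding == "imdsv1-allowed":
            calls.append({"InstanceId": instance_id, "HttpTokens": "required",
                          "HttpEndpoint": "enabled"})
    return calls


if __name__ == "__main__":
    found = imds_findings(SAMPLE_DESCRIBE_INSTANCES)
    for instance_id, finding in found:
        print(f"{instance_id}: {finding}")
    for call in remediation_calls(found):
        print("would call modify_instance_metadata_options(**%r)" % call)
```

To run this against a real account, replace the constructed dict with the paginated output of `describe_instances()`; the finding logic is unchanged. Keep the hop-limit finding informational, since container hosts sometimes need a limit of 2 on purpose.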
  8. Easy AWS Security Wins
     • Enable and configure provided security services
     • Take advantage of accounts as segmentation boundaries
     • Practice least privilege (and get a handle on IAM)
     • Minimize external exposure
     • Audit and secure configuration
     • IAM best practices (MFA :)! Logging :)!)
     • Watch out for common compromise footholds
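"IAM best practices (MFA)" from the slide above is something you can check in one pass over the IAM credential report, which is what the added example below does. It is written for this page and is not the speaker's code. The CSV is constructed, trimmed to the columns used here (the column names, the `<root_account>` row, and the `N/A` / `no_information` / `not_supported` placeholders match the real report format), and the clock is pinned to a fixed date so the output is reproducible. It flags console users without MFA, active root access keys, and access keys older than 90 days.

```python
"""Audit an IAM credential report for MFA and access-key hygiene (added example; report constructed)."""
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed credential report, trimmed to the columns this audit reads.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
<root_account>,arn:aws:iam::123456789012:root,2018-01-05T10:00:00+00:00,not_supported,2020-09-01T08:00:00+00:00,false,true,2018-01-05T10:00:00+00:00,2020-09-01T08:00:00+00:00,false,N/A,N/A
alice,arn:aws:iam::123456789012:user/alice,2019-03-10T09:30:00+00:00,true,2020-09-20T14:00:00+00:00,true,true,2020-08-01T00:00:00+00:00,2020-09-25T00:00:00+00:00,false,N/A,N/A
bob,arn:aws:iam::123456789012:user/bob,2019-03-10T09:30:00+00:00,true,2020-09-19T14:00:00+00:00,false,false,N/A,N/A,false,N/A,N/A
deploy-bot,arn:aws:iam::123456789012:user/deploy-bot,2018-06-01T00:00:00+00:00,false,no_information,false,true,2018-06-01T00:00:00+00:00,2020-09-24T00:00:00+00:00,false,N/A,N/A
"""

NOW = datetime(2020, 9, 26, tzinfo=timezone.utc)  # pinned so the sample gives stable results
MAX_KEY_AGE = timedelta(days=90)


def _parse_ts(value):
    """ISO-8601 timestamp -> aware datetime; the report's placeholder strings become None."""
    try:
        return datetime.fromisoformat(value)
    except ValueError:
        return None


def audit_credential_report(report_csv, now=NOW, max_key_age=MAX_KEY_AGE):
    """Return (user, finding) pairs in report order.

    - "console-no-mfa": a console login exists (password enabled, or the root user,
      whose password_enabled column reads "not_supported") but mfa_active is false.
    - "root-access-key": the root user has an active access key at all.
    - "keyN-older-than-Xd": an active access key has not been rotated within max_key_age.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        has_console = row["password_enabled"] == "true" or user == "<root_account>"
        if has_console and row["mfa_active"] != "true":
            findings.append((user, "console-no-mfa"))
        if user == "<root_account>" and "true" in (row["access_key_1_active"], row["access_key_2_active"]):
            findings.append((user, "root-access-key"))
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] != "true":
                continue
            rotated = _parse_ts(row[f"access_key_{n}_last_rotated"])
            if rotated is not None and now - rotated > max_key_age:
                findings.append((user, f"key{n}-older-than-{max_key_age.days}d"))
    return findings


if __name__ == "__main__":
    for user, finding in audit_credential_report(SAMPLE_REPORT):
        print(f"{user:15} {finding}")
```

Against a live account the report comes from `iam.generate_credential_report()` followed by `iam.get_credential_report()`, whose `Content` field is the same CSV as a byte string; decode it and pass it to `audit_credential_report()` with `now=datetime.now(timezone.utc)`.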
  9. Political
     • Pave the road
     • Billing (is a strong lever)
     • Remove responsibilities[1]
     [1] One good example of this is the Mozilla Security CloudTrail Storage System
  10. AWS Organizations - Services
     • CloudTrail
     • Config
     • GuardDuty
     • IAM
     • Security Hub
     • Trusted Advisor
  11. Tagging
     • Consistency
     • Less can be more
     • Tag-based access control
     • Automation
     • Cost Exploration
  12. Enterprise Scale AWS Security
     • Plan the politics
     • Multi-account architecture
     • AWS Organizations
     • Visibility
     • Governance
     • Least Privilege (100%)
     • Logging, Monitoring, Alerting
     • Preparing for incident response
     • Tagging
  13. References
     • https://duo.com/blog/beyond-s3-exposed-resources-on-aws
     • https://blog.coinbase.com/you-need-more-than-one-aws-account-aws-bastions-and-assume-role-23946c6dfde3
     • http://london-summit-slides-2017.s3.amazonaws.com/11.50%20-%20Security-at-Scale-with-AWS.pdf
     • https://d1.awsstatic.com/whitepapers/aws-tagging-best-practices.pdf
     • https://www.youtube.com/watch?v=YQsK4MtsELU - IAM policy master
     • https://ramimac.me/cloudsec/security/aws-iam-tool-reference/
     • https://github.com/nccgroup/ScoutSuite
     • https://github.com/SummitRoute/aws_exposable_resources
     • https://www.blackhillsinfosec.com/wp-content/uploads/2020/05/Breaching-the-Cloud-Perimeter-Slides.pdf
     • https://twitter.com/forrestbrazeal/status/1138088894250070017?s=20