AWS Security: Easy Wins and Enterprise Scale

Rami McCarthy
September 26, 2020
Presented at BSides Boston 2020

Cloud computing continues its rampant growth, and AWS maintains its lead as the predominant platform. Since the last BSidesBoston in 2017, AWS adoption has gone from 57% to 76% of enterprises (per the RightScale/Flexera State of the Cloud reports, 2017/2020). Whether your organization has two feet firmly in the cloud, is dipping a toe in the water, or you personally are wondering "where do I even start," it's important to learn how to adjust security to cloud environments.

This talk will look at two ends of the spectrum. First, we'll go through the easy wins that almost anyone or any organization can identify and apply. Then, we'll pivot to look at the big-picture security problems to consider as either your security maturity or your AWS usage grows. We won't be able to go deep into all the weeds of the topic; instead, we'll provide the essential information and pointers for next steps. No matter the size, complexity, or sophistication of your AWS environment, you should walk away with an idea of where to look for your next actionable improvements.

Transcript

  1. @ramimacisabird
    Rami McCarthy
    Amazon Web Services Security
    Easy Wins and Enterprise Scale

  2. Rami McCarthy
    Senior Security Consultant, NCC Group
    Penetration Tester (applications, clouds, code, etc.)

    AWS Certified Security - Specialty, CCSKv4

  3. Easy Wins / Enterprise Scale

  4. Why?

  5. Key Concepts

  6. IAM

  7. IAM: Principals
    Users, Groups, Roles

  8. IAM: Principals, Policies

  9. IAM: Policies (example policy document)
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": "ec2:*",
          "Resource": "*"
        }
      ]
    }

  10. IAM: Principals, Policies, Credentials

  11. IAM: Credentials (please don't share yours)
    Console Access
    Programmatic Access
    Assumable Roles

  12. IAM Policy Evaluation
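    The evaluation order this slide refers to, modelled as an added example (constructed code, not AWS's evaluator and not part of the original deck): an explicit Deny in any matching statement wins, a matching Allow wins otherwise, and with no match the request is implicitly denied. It covers only identity policies (no conditions, SCPs, permission boundaries or resource policies); the account id and instance ARNs are made-up sample values.

```python
"""Added example: simplified IAM identity-policy evaluation (not AWS code).
Explicit Deny beats Allow; Allow beats the implicit default Deny.
Conditions, SCPs, permission boundaries and resource policies are out of scope."""
from fnmatch import fnmatchcase

# Constructed policies: the slide's broad ec2:* policy plus a guardrail Deny.
# Account id 123456789012 and the instance ids are made-up sample values.
SAMPLE_POLICIES = [
    {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "ec2:*", "Resource": "*"}]},
    {"Version": "2012-10-17", "Statement": [
        {"Effect": "Deny", "Action": ["ec2:TerminateInstances", "ec2:StopInstances"],
         "Resource": "arn:aws:ec2:*:123456789012:instance/i-prod*"}]},
]

def _as_list(value):
    # IAM accepts a single string or a list for Action/Resource and friends.
    return value if isinstance(value, list) else [value]

def _glob_match(patterns, value, ignore_case):
    # IAM wildcards are '*' and '?'; action names match case-insensitively.
    if ignore_case:
        value, patterns = value.lower(), [p.lower() for p in patterns]
    return any(fnmatchcase(value, p) for p in patterns)

def statement_applies(stmt, action, resource):
    """True when Action/NotAction and Resource/NotResource both cover the request."""
    if "Action" in stmt:
        action_ok = _glob_match(_as_list(stmt["Action"]), action, True)
    else:
        action_ok = not _glob_match(_as_list(stmt["NotAction"]), action, True)
    if "Resource" in stmt:
        resource_ok = _glob_match(_as_list(stmt["Resource"]), resource, False)
    else:
        resource_ok = not _glob_match(_as_list(stmt["NotResource"]), resource, False)
    return action_ok and resource_ok

def evaluate(policies, action, resource):
    """Return 'explicit_deny', 'allow' or 'implicit_deny' for one request."""
    decision = "implicit_deny"
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if not statement_applies(stmt, action, resource):
                continue
            if stmt["Effect"] == "Deny":
                return "explicit_deny"  # a matching Deny always wins
            decision = "allow"          # keep scanning in case a Deny follows
    return decision
```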

  13. IAM Policy Master

  14. Follow up: An AWS IAM Security Tooling Reference
    https://ramimac.me/cloudsec/security/aws-iam-tool-reference/

  15. Networking

  16. Networking
    • VPC (Virtual Private Cloud): Logically isolated virtual network
    • Subnets: A range of IP addresses within the VPC
    • Security Groups: Allow firewall rules at the networking interface level
    • NACLs: Allow/Deny firewall rules at the subnet level

    Security Groups                                  | NACLs
    -------------------------------------------------|--------------------------------------------------
    Instance level                                   | Subnet level
    Allow rules only                                 | Allow and deny rules
    Stateful: return traffic allowed automatically   | Stateless: return traffic requires explicit allow
    All rules are evaluated                          | Rules are evaluated in order
    Must be applied to specific instances            | Automatically applies to all instances in subnet
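    A toy model of the differences in the table, added here as an example (constructed code, not AWS's implementation and not from the original deck): a security group is allow-only, stateful and checks every rule, while a NACL is walked in ascending rule number with the first match deciding and, being stateless, needs its own outbound rule for the reply traffic. The rules, CIDRs and ports are made-up sample values.

```python
"""Added example: toy model of Security Group vs NACL behaviour (not AWS code).
Rules, CIDRs and ports below are constructed sample values."""
from ipaddress import ip_address, ip_network

def _rule_hits(rule, ip, port):
    return ip_address(ip) in ip_network(rule["cidr"]) and rule["from"] <= port <= rule["to"]

def sg_allows(rules, ip, port):
    """Security group: allow rules only; every rule is evaluated, any match allows."""
    return any(_rule_hits(r, ip, port) for r in rules)

def nacl_decision(rules, ip, port):
    """NACL: rules evaluated in ascending rule number, first match wins,
    and the implicit '*' rule at the end denies everything else."""
    for rule in sorted(rules, key=lambda r: r["num"]):
        if _rule_hits(rule, ip, port):
            return rule["action"]
    return "deny"

def inbound_tcp(sg, nacl_in, nacl_out, client_ip, dst_port, client_port):
    """Trace an inbound TCP connection to an instance. The SG is stateful, so the
    reply is implied once the request is allowed; the NACL is stateless, so the
    reply to the client's ephemeral port must itself pass the outbound NACL."""
    if nacl_decision(nacl_in, client_ip, dst_port) != "allow":
        return "blocked by inbound NACL"
    if not sg_allows(sg, client_ip, dst_port):
        return "blocked by security group"
    if nacl_decision(nacl_out, client_ip, client_port) != "allow":
        return "reply blocked by outbound NACL (stateless)"
    return "ok"

# Constructed sample configuration (RFC 5737 documentation address ranges).
SG_HTTPS_ONLY = [{"cidr": "0.0.0.0/0", "from": 443, "to": 443}]
NACL_IN = [  # rule 90 denies one range before the broad rule 100 is reached
    {"num": 100, "action": "allow", "cidr": "0.0.0.0/0", "from": 0, "to": 65535},
    {"num": 90, "action": "deny", "cidr": "203.0.113.0/24", "from": 0, "to": 65535},
]
NACL_OUT_OK = [{"num": 100, "action": "allow", "cidr": "0.0.0.0/0", "from": 1024, "to": 65535}]
NACL_OUT_NO_EPHEMERAL = [{"num": 100, "action": "allow", "cidr": "0.0.0.0/0", "from": 443, "to": 443}]
```

    Swapping NACL_OUT_OK for NACL_OUT_NO_EPHEMERAL shows the stateless trap: the request gets in, but the reply never leaves.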

  17. Easy Wins***
    * Let's be honest, nothing is easy at scale
    ** Within the bounds of the Pareto Principle

  18. Pareto Principle
    What it says: 80% of the consequences come from 20% of the causes

  19. Pareto Principle
    What it means: You can get 80% of the results with 20% of the work!

  20. Security Services

  21. Security Services
    Artifact, Inspector, GuardDuty, Trusted Advisor, Config, CloudWatch, CloudTrail, SecurityHub

  22. Security Services: Artifact
    AWS Artifact is a repository of AWS' compliance reports

  23. Security Services: Inspector
    AWS Inspector is a vulnerability scanner for your EC2 instances

  24. Security Services: GuardDuty
    AWS GuardDuty is an IDS for your AWS account

  25. Security Services: SecurityHub
    AWS SecurityHub is a single pane for your security alerts

  26. Security Services: Config
    AWS Config is a configuration monitoring and governance tool

  27. Security Services: CloudWatch
    AWS CloudWatch is a monitoring and observability service

  28. Security Services: CloudTrail
    AWS CloudTrail is a logging, monitoring, and event history center

  29. Security Services: Trusted Advisor
    AWS Trusted Advisor is a set of guidance on best practices (security, and beyond)

  30. Security Services
    Artifact, Inspector, GuardDuty, Trusted Advisor, Config, CloudWatch, CloudTrail, SecurityHub

  31. Account Best Practices

  32. Account: Configuration
    ScoutSuite

  35. Account: Segmentation
    Least Privilege (Pareto)
    External Exposure (Pareto)
    aws_exposable_resources
    https://github.com/SummitRoute/aws_exposable_resources

  36. Watch Out For Common Compromise Footholds
    • Credential Exposure
    • Metadata Service
    • Managed Service Data Exposure
    • Hosted Database Brute-force
    • Workstation Compromise

  37. Easy AWS Security Wins
    Enable and configure provided security services
    Take advantage of accounts as segmentation boundaries
    Practice least privilege (and get a handle on IAM)
    Minimize external exposure
    Audit and secure configuration
    IAM best practices (MFA :)! Logging :)!)
    Watch out for common compromise footholds

  39. Enterprise Scale

  40. Technical & Political

  41. Political
    • Pave the road
    • Billing (is a strong lever)
    • Remove responsibilities [1]

    [1] One good example of this is the Mozilla Security CloudTrail Storage System

  42. Multi-Account Architecture

  43. Multi-account

  44. Multi-account: AWS Organizations
    https://aws.amazon.com/organizations/getting-started/best-practices/

  46. Multi-account

  47. AWS Organizations - Services
    • CloudTrail
    • Config
    • GuardDuty
    • IAM
    • Security Hub
    • Trusted Advisor

  48. Visibility

  49. The vendor model

  50. The vendor model

  51. The home-grown model

  52. Case Study: Antiope
    Chris Farris, Warner Media

  53. The service desk model

  54. Governance

  55. Least Privilege (100%)

  56. Access Advisor

  57. Access Analyzer

  58. Policy Sentry

  59. Repokid

  60. Secrets Management

  61. Secrets Management

  62. https://www.youtube.com/watch?v=Y3Gn_iP3FlE

  63. Logging, Monitoring, Alerting
    http://london-summit-slides-2017.s3.amazonaws.com/11.50%20-%20Security-at-Scale-with-AWS.pdf

  64. Logging/Monitoring/Alerting: Preparing for Incident Response

  65. Logging/Monitoring/Alerting

  66. Tagging

  67. Tagging
    https://docs.aws.amazon.com/general/latest/gr/aws_tagging.html#tag-categories

  68. Tagging
    • Consistency
    • Less can be more
    • Tag-based access control
    • Automation
    • Cost Exploration

  69. Enterprise Scale AWS Security
    Plan the politics
    Multi-account architecture
    AWS Organizations
    Visibility
    Governance
    Least Privilege (100%)
    Logging, Monitoring, Alerting
    Preparing for incident response
    Tagging

  70. Resources
    • https://research.nccgroup.com/2020/04/24/the-extended-aws-security-ramp-up-guide/
    • https://medium.com/swlh/so-you-inherited-an-aws-account-e5fe6550607d
    • https://summitroute.com/blog/2020/05/21/aws_security_maturity_roadmap_2020/
    • https://disruptops.com/stop-todays-top-10-cloud-attack-killchains/

  71. References
    • https://duo.com/blog/beyond-s3-exposed-resources-on-aws
    • https://blog.coinbase.com/you-need-more-than-one-aws-account-aws-bastions-and-assume-role-23946c6dfde3
    • http://london-summit-slides-2017.s3.amazonaws.com/11.50%20-%20Security-at-Scale-with-AWS.pdf
    • https://d1.awsstatic.com/whitepapers/aws-tagging-best-practices.pdf
    • https://www.youtube.com/watch?v=YQsK4MtsELU - IAM policy master
    • https://ramimac.me/cloudsec/security/aws-iam-tool-reference/
    • https://github.com/nccgroup/ScoutSuite
    • https://github.com/SummitRoute/aws_exposable_resources
    • https://www.blackhillsinfosec.com/wp-content/uploads/2020/05/Breaching-the-Cloud-Perimeter-Slides.pdf
    • https://twitter.com/forrestbrazeal/status/1138088894250070017?s=20