$30 off During Our Annual Pro Sale. View Details »

Beyond the AWS Security Maturity Roadmap

Beyond the AWS Security Maturity Roadmap

Scott (Piper)’s AWS Security Maturity Roadmap is the definitive resource for cloud-native companies to build a security program and posture in AWS. It does an amazing job at providing broadly applicable guidance along the maturity curve. However, for many fwd:cloudsec attendees, the roadmap ends too soon.

In my experience there is a set of technical capabilities and controls that companies should consider once they’ve “shipped the roadmap." In this talk, I’ll take you on a rapid fire tour beyond Scott's paved road, focusing on the problems you’ll encounter scaling a cloud security program. A key framework will be “build versus buy,” and the talk will be opinionated about where cloud security teams can fall into the trap of undifferentiated work.

The goal is to walk away with a clear view of the possibilities at the leading edge of cloud security, risk-informed guidance on priorities, and a crucial new reference for writing cloud security roadmaps.

Rami McCarthy

June 12, 2023
Tweet

More Decks by Rami McCarthy

Other Decks in Technology

Transcript

  1. @ramimccarthy
    Rami McCarthy
    Beyond the

    AWS Security Maturity
    Roadmap

    https://speakerdeck.com/ramimac/fwdcloudsec

    View Slide

  2. $ get-caller-identity
    Security Engineer
    @
    Figma

    figma.fun/seceng




    Infrequent Contributor @ tl;drsec
    https://tldrsec.com/guides/sta
    ff
    eng-security/ https://tldrsec.com/blog/cloud-security-orienteering/

    View Slide

  3. View Slide

  4. @ramimccarthy
    Not All Cloud Security Programs
    • Engineering and Automation oriented


    • “Zero Trust” architecture


    • Software product


    • Maximalist cloud security


    • Guardrails not Gatekeepers
    +
    Paved Roads

    View Slide

  5. View Slide

  6. View Slide

  7. @ramimccarthy
    Build


    vs. Adopt


    vs. Buy

    View Slide

  8. @ramimccarthy
    Build vs. Adopt vs. Buy
    Sabry Tozin (via Roy Rapoport)
    • Are we solving a problem unique to our company?


    • Are we solving a problem at a scale unique to our company?


    • Is the cost and effort of integrating an off-the-shelf solution so large that we
    may as well build one?


    • What are the purchasing/ongoing license costs of the product in comparison to
    building it ourselves?

    View Slide

  9. @ramimccarthy
    Capabilities and
    Controls

    View Slide

  10. @ramimccarthy
    Secrets Management
    A mechanism for engineers to easily and securely manage credentials and
    other secrets provided to services in your cloud environment.
    Adopt: Options Buy: Options
    • Hashicorp Vault


    • Doppler
    (
    YC W19
    )

    • Infiscal
    (
    YC W23
    )
    • AWS Secrets Manager / AWS KMS
    One Read: “Managing secrets is the biggest risk people aren't talking about”, Strategy of Security
    • mozilla / sops


    • square / keywhiz


    • pinterest / knox


    • lyft / confidant

    View Slide

  11. @ramimccarthy
    Secrets Management
    Build:
    Adopt:
    Not recommended
    Recommended
    • Standardize as early as possible, generally with a thin

    wrapper over CSP services. Focus on DevEx.


    • Revisit every ~year, and layer necessary capabilities
    • Before adopting, be very sure requirements and

    practices 1
    :
    1 match


    • Be wary of premature purchase or deployment of a

    heavy solution
    Buy:
    A mechanism for engineers to easily and securely manage credentials and
    other secrets provided to services in your cloud environment.

    View Slide

  12. @ramimccarthy
    Asset Inventory
    Leverage the CSP control plane to discover and identify cloud assets, and to
    monitor their adherence to configuration standards.
    Adopt: Options Buy: Options
    • Firemon Cloud Defense (fka DisruptOps)*


    • Commercial versions of Steampipe and
    Cloudquery


    • turbot / steampipe


    • cloudquery / cloudquery
    One Read: What should you use
    -
    CloudQuery or Steampipe?, badshah

    View Slide

  13. @ramimccarthy
    Asset Inventory
    Leverage the CSP control plane to discover and identify cloud assets, and to
    monitor their adherence to configuration standards.
    Build:
    Adopt:
    Not recommended
    Recommended
    • You can get far by adopting open source tools


    • You need something, early. Adopt inventory first,

    then add controls in incrementally


    • You probably don’t need a full CSPM

    until later than you’d expect
    • Don’t write anything that calls cloud APIs yourself,

    it’s been done (well)


    • Think critically about what controls matter, and watch out for

    toil and noise
    Buy:

    View Slide

  14. @ramimccarthy
    ->
    CSPM
    Continuously assess the security posture by maintaining a current inventory of
    cloud assets, with risk assessment to detect any misconfigurations.
    Adopt: Options Buy: Options
    • Wiz


    • Aqua


    • Orca


    • Lacework


    • Ermetic


    • Lightspin
    (
    Cisco)


    • Prisma Cloud
    • cloud-custodian / cloud-custodian


    • prowler-cloud / prowler


    • Zeus-Labs / ZeusCloud
    One Talk: “Success Criteria for your CSPM”, David White (up next)

    View Slide

  15. @ramimccarthy
    ->
    CSPM
    Continuously assess the security posture by maintaining a current inventory of
    cloud assets, with risk assessment to detect any misconfigurations.
    Build:
    Adopt:
    Not recommended
    Recommended
    • Think about extensibility and integrations


    • Evaluate options based on preset criteria, don’t let
    vendors sell you CNAPP
    + +

    • If you build, only do it on top of an adopted inventory
    platform. Don’t spend your engineer’s time building an
    open source CSPM. It’s undifferentiated and
    commoditized. It’s also a lot of work
    • Don’t let an opinionated CSPM dictate your security program


    • Be thoughtful about dispatching findings to other teams


    • Bundled CSPMs can be thoroughly mediocre
    Buy:

    View Slide

  16. @ramimccarthy
    Automated Remediation
    In order to keep up with the rate of change in the cloud, teams reach for
    solutions to automate the immediate resolution of common misconfigurations.
    Adopt: Options Buy: Options
    • Native to your CSPM
    • AWS Config


    • twilio-labs / SOCless


    • cloudconformity / auto-remediate
    One Read: "The Dangers of Corrective Auto Remediation in Your Public Cloud”, Lightspin

    View Slide

  17. @ramimccarthy
    Automated Remediation
    In order to keep up with the rate of change in the cloud, teams reach for
    solutions to automate the immediate resolution of common misconfigurations.
    Build:
    Adopt:
    Not recommended
    Recommended
    • When you’re unable to move to Infrastructure as Code


    • If you lack a chokepoint for changes
    • When preventative controls are feasible


    • As an early control for your program


    • Applied without sufficient context
    Buy:

    View Slide

  18. @ramimccarthy
    Secure IAC Modules
    “Shift-left” secure configuration and empower your developers with secure-
    by-default IAC modules.
    Adopt: Options Buy: Options
    • asecure.cloud


    • Gruntwork AWS Infrastructure as Code Library


    • Resourcely
    • asecure.cloud


    • Terraform Registry
    Read more: "Why you should pave roads", Eric Hydrick

    View Slide

  19. @ramimccarthy
    Secure IAC Modules
    “Shift-left” secure configuration and empower your developers with secure-
    by-default IAC modules.
    Build:
    Adopt:
    Not recommended
    Recommended
    • Pair with SAST to detect usage of “vanilla” resources


    • Steal undifferentiated examples


    • Commoditize secure architecture as modules
    • Wait for a need to surface before investing in a module
    Buy:

    View Slide

  20. @ramimccarthy
    Infrastructure as Code Scanning
    Detect misconfigurations within your infrastructure as code, before they can
    be introduced to your environment
    Adopt: Options Buy: Options
    • Native to your CSPM


    • Native to your SAST
    • aquasecurity / tfsec


    • returntocorp / semgrep


    • turbot / steampipe-plugin-terraform


    • bridgecrew / checkov
    One Read: “Shifting Cloud Security Left

    Scanning
    [
    IaC
    ]
    for Security Issues”, Christophe Tafani-Dereeper

    View Slide

  21. @ramimccarthy
    IAC Scanning
    Detect misconfigurations within your infrastructure as code, before they can
    be introduced to your environment
    Build:
    Adopt:
    Not recommended
    Recommended
    • Develop rules based on your specific environment

    and requirements


    • Surface detections, with context, at PR time
    • Rolling out rules in “block” mode


    • Turning on all possible rules
    Buy:

    View Slide

  22. @ramimccarthy
    Deception Engineering
    (
    Honeypots/tokens)
    Deploy high-signal, low noise tripwires in your environment. Make attackers
    think twice before using found credentials, and know when someone has tried.
    Adopt: Options Buy: Options
    • Thinkst Canary


    • Native to your CSPM
    • Thinkst Canarytokens.org


    • Basic AWS API Key
    +
    SIEM detection


    • spacesiren / spacesiren (inspired by Atlassian
    Project SPACECRAB
    )
    One Read: “Zero Maintenance AWS Canary Tokens That Scale”, Will Bengston

    View Slide

  23. @ramimccarthy
    Deception Engineering
    (
    Honeypots/tokens)
    Build:
    Adopt:
    Not recommended
    Recommended
    • Deploy the quick and free version in high value targets.

    Probably your CI/CD tooling
    • Think about what you’ll do if one goes off before it happens


    • Do your best to tightly each key to a single potential

    vector for compromise


    • Don’t roll out Will’s architecture until you’ve killed

    known attack vectors
    Buy:
    Deploy high-signal, low noise tripwires in your environment. Make attackers
    think twice before using found credentials, and know when someone has tried.

    View Slide

  24. @ramimccarthy
    1. Scaling Granular Access
    Support role-based, least-privileged access across an explosion of roles.
    Adopt: Options Buy: Options (“CIEM”)
    • salesforce / cloudsplaining


    • Netflix / repokid


    • iann0036 / iamlive


    • common-fate / iamzero


    • noqdev / iambic
    Read more: “ConsoleMe: A Central Control Plane for AWS Permissions and Access”, Netflix
    • Ermetic


    • Native to your CNAPP?


    • ???

    View Slide

  25. @ramimccarthy
    2. Scaling Access Management
    Enable a user friendly roll out of granular access by making it easy to
    understand available access and leverage it.
    Adopt: Options Buy: Options
    • Common Fate Cloud


    • Leapp Cloud
    • Netflix / consoleme


    • Noovolari / leapp


    • common-fate / granted
    Read more: “Access Service: Temporary Access to the Cloud”, Segment

    View Slide

  26. @ramimccarthy
    3. Scaling Temporary Access
    Remove risky ambient permissions and allow step-up and break-glass
    authorization.
    Adopt: Options Buy: Options
    • ConductorOne


    • Indent


    • Opal


    • Sym
    • aws-samples / aws-iam-temporary-elevated-
    access-broker


    • ???
    Read more: “Common uses of just-in-time access in the cloud”

    View Slide

  27. @ramimccarthy
    Scaling … Access
    Build:
    Adopt:
    Not recommended
    Recommended
    • Build incrementally, and always keep an eye on

    the user experience


    • Right now,
    ~
    JIT access is about where you should

    really consider buying


    • Partner with other internal stakeholders on a unified

    source of truth for identity and role
    • Trying to preemptively define necessary IAM in a bubble


    • Centralizing all creation of IAM
    Buy:
    1. Support role-based, least-privileged access across an explosion of roles.


    2. Enable a user friendly roll out of granular access by making it easy to understand available access and leverage it.


    3. Remove risky ambient permissions and allow step-up and break-glass authorization.

    View Slide

  28. @ramimccarthy
    Scaling Account Management
    Taking advantage of the inherent blast radius boundary of an Account rapidly
    turns into toil to stand up new accounts and juggle their lifecycle.
    Adopt: Options Buy: Options
    • ???
    • org-formation / org-formation-cli


    • rebuy-de / aws-nuke


    • AWS Control Tower
    One Talk: “Reimagining multi-account deployments for security and speed”, Netflix

    View Slide

  29. @ramimccarthy
    Scaling Account Management
    Taking advantage of the inherent blast radius boundary of an Account rapidly
    turns into toil to stand up new accounts and juggle their lifecycle.
    Build:
    Adopt:
    Not recommended
    Recommended
    • Rightsize your investment in automation, “human cron”

    can be a good place to start


    • Find good internal development partners with strong cases

    for investment
    • Don’t wait too long to split out use cases with different

    threat models or administration patterns. Migration across

    accounts is painful, and data gravity can be a blocker.
    Buy:

    View Slide

  30. @ramimccarthy
    Control Validation / Attack Simulation
    Test and validate your controls and detections on an automated, ongoing
    basis.
    Adopt: Options Buy: Options
    • AttackIQ


    • Cymulate


    • SCYTHE


    • Randori
    • awslabs / aws-cloudsaga


    • DataDog / stratus-red-team


    • WithSecureLabs / leonidas
    One Talk: “Adversary emulation for incident-response readiness”, Anna McAbee / Brandon Baxter / Chris Farris

    View Slide

  31. @ramimccarthy
    Control Validation / Attack Simulation
    Test and validate your controls and detections on an automated, ongoing
    basis.
    Build:
    Adopt:
    Not recommended
    Recommended
    • Consider leveraging internal frameworks and tools for QA


    • Validation at time of creation is likely sufficient for

    commodity controls and medium program maturity
    • Keep a close eye on relative investment in “breaking”

    vs. “building


    • Be deeply skeptical of “automated red teaming” as a product


    • Finding issues is only useful as an effective

    input to mitigation
    Buy:

    View Slide

  32. @ramimccarthy
    Egress Monitoring and Filtering
    Make attackers lives harder post-compromise by filtering egress traffic from
    your services and alerting on anomalous destinations.
    Adopt: Options Buy: Options
    • AWS Network Firewall


    • Chaser Systems DiscrimiNAT Firewall


    • Aviatrix
    • stripe / smokescreen
    One Read: “Internet Egress Filtering of Services at Lyft”

    View Slide

  33. @ramimccarthy
    Egress Monitoring and Filtering
    Make attackers lives harder post-compromise by filtering egress traffic from
    your services and alerting on anomalous destinations.
    Build:
    Adopt:
    Not recommended
    Recommended
    • Consider when modifying network architecture


    • “Monitor” mode can be cheap to deploy
    • Reliability is huge if you place this on the critical path


    • A hamster wheel of pain is likely if you’re not thoughtful

    about how new, valid connections will be

    identified and allowlisted
    Buy:

    View Slide

  34. @ramimccarthy
    Infrastructure Access
    Adopt: Options Buy: Options
    • Teleport


    • StrongDM


    • BastionZero


    • Cloudflare Access


    • Tailscale (and other
    Wireguard-based
    VPNs)
    • AWS SSM
    +
    IAM Authentication for
    <
    SERVICE
    >

    • Tailscale (and other Wireguard-based VPNs)


    • Teleport (open source)
    One Talk: “Zero Touch Prod: Towards Safer and More Secure Production Environments”
    Move beyond pervasive raw-SSH access to patterns for getting shells in services that provide
    least privilege, auditability, support dual control, and can constrain data ingress and egress.

    View Slide

  35. @ramimccarthy
    Infrastructure Access
    Build:
    Adopt:
    Not recommended
    Recommended
    • Move from SSH to SSM (or equivalent) early


    • Get alignment on “what good looks like”
    • You won’t get anywhere stopping your coworkers

    from doing their jobs


    • Think about what it will take to get logging to a place

    that could power real-time detections
    Buy:
    Move beyond pervasive raw-SSH access to patterns for getting shells in services that provide
    least privilege, auditability, support dual control, and can constrain data ingress and egress.

    View Slide

  36. @ramimccarthy
    Data Perimeter
    Install guardrails that only allow access for trusted identities, accessing trusted
    resources, on expected networks.
    Adopt: Options Buy: Options
    • InstaSecure
    • Native services
    One Read: “Building a Data Perimeter on AWS”

    View Slide

  37. @ramimccarthy
    Data Perimeter
    Install guardrails that only allow access for trusted identities, accessing trusted
    resources, on expected networks.
    Build:
    Adopt:
    Not recommended
    Recommended
    • Start small - one example would be “we never call

    s3
    :
    PutObject outside our organization”
    • Make sure to test your controls, edge cases

    on condition support can create surprise gaps


    • Be careful, AWS doesn’t offer safe ways to roll out SCPs
    Buy:

    View Slide

  38. @ramimccarthy
    Cut for time
    •Vulnerability Management


    •Detection Engineering & Security Data Lakes


    •Continuous Compliance / Compliance Automation


    •DFIR preparedness


    •Runtime Security


    •Service to Service Authentication


    View Slide

  39. @ramimccarthy
    • Prioritization is inherently custom to your risk and business


    • Don’t do everything, everywhere, all at once


    • But, conversely, uneven application of controls can be ineffective
    and impractical


    • Scaling program requires increasing investment to maintain and avoid
    regression in current controls
    Keep in Mind

    https://speakerdeck.com/ramimac/fwdcloudsec

    View Slide

  40. @ramimccarthy
    Cut for time (speed round)
    • Vulnerability Management


    • Shared concern with AppSec, generally


    • ASPMs are rapidly bringing in cloud context


    • Detection Engineering


    • Security Data Lakes are an emerging trend


    • See: brex / substrate, BSidesSF 2023’s “To Normalized Logs, and Beyond,"


    • Continuous Compliance / Compliance Automation


    • Vanta / Drata on one end, JupiterOne on the other


    • DFIR preparedness


    • Netflix-Skunkworks / diffy, google / cloud-forensics-utils, awslabs / aws-automated-
    incident-response-and-forensics


    • Cado, Mitiga

    View Slide

  41. @ramimccarthy
    Cut for time (speed round)
    • Runtime Security


    • auditd [blog], OSQuery, Falco, or cilium / tetragon, GuardDuty Runtime
    Monitoring
    (
    EKS
    )

    • Sysdig or Isovalent, or whatever comes with your CNAPP


    • Chainguard for a different part of the problem


    • Service to Service Authentication


    • Start with: A Child’s Garden of Inter-Service Authentication Schemes, Latacora


    • If you can get this for free with a Service Mesh, you probably should


    • This gets talked about more than it gets implemented (well)


    • Basic shared secrets can provide initial answers here

    View Slide