Building Castles in the Cloud: AWS Security and Self-Assessment

Rami McCarthy
November 09, 2019

As comfort and familiarity with cloud computing become more mainstream, companies are leaning more and more on cloud resources to host and run even their most sensitive technical assets. With these new technologies and innovations come new (and old!) security concerns. As a consultant, I’ve had experience breaking into AWS environments with varying sophistication of security posture, and then helping those clients patch holes and harden their environments. This talk will lean on those experiences to provide you with a guide to securing your AWS environment, and then validating that security.

We’ll start by walking through AWS’s Shared Responsibility Model. Then we’ll identify the features of AWS that are most important for security, and give tips on best practices and easy wins. After establishing these security standards, we’ll take a quick look at a few (free) tools for auditing AWS configurations, including NCC Group’s own open-source ScoutSuite. You’ll leave this talk with concrete next steps for improving your own cloud security posture.

Transcript

  1. Building Castles in the Cloud:
    AWS Security and Self-Assessment
    Rami McCarthy
    @ramimacisabird

  3. https://twitter.com/GooglyInfoSec

  4. Agenda
    1. Background
    2. AWS Security Best Practices
       a. Public Access/External Exposure
       b. Access Management
       c. Monitoring
       d. Amazon Security Services
       e. Next Steps
    3. (Free) Open Source AWS audit tools

  5. https://www.britannica.com/technology/castle-architecture#/media/1/98652/99675

  6. https://www.parkmycloud.com/blog/aws-vs-azure-vs-google-cloud-market-share/

  7. Key AWS security considerations

  8. Secure Public Access
    MITRE ATT&CK: T1190

  9. Simple Storage Service (S3)

  10. Architecture: Secure Public Access
    MITRE ATT&CK: T1190

  11. Audit Public Access
    MITRE ATT&CK: T1190
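    The "audit public access" step for S3 boils down to three questions: does the bucket ACL grant anything to the global AllUsers or AuthenticatedUsers groups, does the bucket policy contain an unconditional Allow for Principal "*", and is an S3 Public Access Block in place that would override both. The script below is an added example written for this transcript, not code from the talk or from ScoutSuite; it runs the checks offline over constructed data shaped like the boto3 `get_bucket_acl`, `get_bucket_policy` and `get_public_access_block` responses, so the same functions can later be fed live responses. The bucket name, owner ID and policy document are constructed sample values.

```python
"""Offline S3 exposure audit: ACL grants, policy principals and Public Access Block.

Input shapes mirror boto3's get_bucket_acl()/get_bucket_policy()['Policy']/
get_public_access_block()['PublicAccessBlockConfiguration']; all sample data here
is constructed for this example.
"""
import json

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")
FULL_BLOCK = {k: True for k in PAB_KEYS}


def _principal_is_everyone(principal):
    """True when a statement's Principal matches anonymous callers ('*' or {'AWS': '*'})."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        if isinstance(aws, str):
            aws = [aws]
        return "*" in aws
    return False


def acl_findings(acl):
    """Flag ACL grants to the global AllUsers / AuthenticatedUsers groups."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        uri = grantee.get("URI")
        if grantee.get("Type") == "Group" and uri in (ALL_USERS, AUTH_USERS):
            # AuthenticatedUsers means any AWS account in the world, not "my users"
            who = "anyone" if uri == ALL_USERS else "any AWS account"
            findings.append(f"ACL grants {grant['Permission']} to {who}")
    return findings


def policy_findings(policy_document):
    """Flag Allow statements whose Principal is '*'; conditioned ones are reported for review."""
    findings = []
    policy = json.loads(policy_document) if isinstance(policy_document, str) else policy_document
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    for stmt in statements:
        if stmt.get("Effect") != "Allow" or not _principal_is_everyone(stmt.get("Principal")):
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        if stmt.get("Condition"):
            # A Condition (e.g. aws:SourceVpc, aws:SourceIp) can narrow '*'; a human must decide
            findings.append(f"policy allows {', '.join(actions)} to * but with a Condition (review)")
        else:
            findings.append(f"policy allows {', '.join(actions)} to *")
    return findings


def audit_bucket(name, acl, policy_document=None, public_access_block=None):
    """Combine the checks; a fully enabled Public Access Block turns 'public' into 'blocked'."""
    findings = acl_findings(acl)
    if policy_document:
        findings += policy_findings(policy_document)
    pab = public_access_block or {}
    blocked = all(pab.get(k) for k in PAB_KEYS)
    if findings and blocked:
        status = "blocked"
    else:
        status = "public" if findings else "private"
    return {"bucket": name, "status": status, "findings": findings}


# Constructed sample data shaped like the boto3 responses
SAMPLE_ACL = {
    "Owner": {"ID": "example-owner-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "example-owner-id"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
    ],
}
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
                   "Resource": "arn:aws:s3:::example-bucket/*"}],
})

if __name__ == "__main__":
    print(json.dumps(audit_bucket("example-bucket", SAMPLE_ACL, SAMPLE_POLICY), indent=2))
    print(json.dumps(audit_bucket("example-bucket", SAMPLE_ACL, SAMPLE_POLICY, FULL_BLOCK), indent=2))
```

    The "blocked" status is deliberately kept separate from "private": the grants are still there and become live the moment someone relaxes the Public Access Block, so they belong in the report even when they are not currently exploitable.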

  12. "… while the Capital One attack happened due to the application misconfiguration mentioned above, there are several actions AWS will take to better help our customers ensure their own security. First, we will proactively scan the public IP space for our customers' firewall resources to try and assess whether they may have misconfigurations. ..."
    - Amazon Letter to Sen Wyden RE Consumer Data

  13. Secure Access Management
    MITRE ATT&CK: T1078

  14. Graphic via MSP360

  15. AWS Security Token Service

  16. Secure Access Management: Access Management for Users
    MITRE ATT&CK: T1078
    • Root account
    • User ↔ IAM Account
    • Groups
    • STS as arbitration
    • Least Privilege

  17. Secure Access Management: Access Management for Users
    MITRE ATT&CK: T1078
    • Multi-factor Authentication
    • Security Tokens
    • Policy Conditions

  18. Secure Access Management: Access Management for Development
    MITRE ATT&CK: T1078
    • Temporary Credentials
    • Gitops/DevOps

  19. Secure Access Management: Access Management for Applications
    MITRE ATT&CK: T1078

  20. Secure Access Management: Access Management for EC2
    MITRE ATT&CK: T1078
    • Don’t bake-in credentials
    • AWS SDK → IAM Role
    • SSRF

  21. Secure IAM Basics
    IAM Roles > IAM Access Keys > AWS Credentials

  22. Secure Monitoring

  23. Secure Monitoring

  24. Secure Monitoring: CloudTrail - Detective
    • Create a trail
    • All AWS Regions
    • Log file integrity
    • CloudWatch

  25. Secure Monitoring: CloudTrail - Preventative
    • Unlinked Account
    • Least Privilege
    • MFA Delete
    • AWSCloudTrailFullAccess
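    The two CloudTrail slides above read as a checklist: a trail exists, it covers all regions, log file validation is on, it delivers to CloudWatch, and the log bucket is protected (versioning with MFA Delete, held in an account unlinked from the one being monitored). The script below is an added example for this transcript, not the talk's or any tool's own code; it evaluates that checklist offline against constructed data shaped like the boto3 `describe_trails()['trailList']`, `get_trail_status()` and `get_bucket_versioning()` responses. It assumes "Unlinked Account" means the log bucket is owned by a different account than the trail, and "MFA Delete" means the log bucket's versioning MFADelete setting; the trail names, bucket names and 12-digit account IDs are constructed placeholders.

```python
"""Offline CloudTrail posture check for the detective/preventative checklist.

Input shapes mirror boto3's cloudtrail.describe_trails()['trailList'],
cloudtrail.get_trail_status() and s3.get_bucket_versioning(); the sample
data at the bottom is constructed for this example.
"""

# Trail attributes that must be truthy, with the finding text when they are not
REQUIRED_TRAIL_FLAGS = {
    "IsMultiRegionTrail": "trail does not cover all AWS regions",
    "LogFileValidationEnabled": "log file integrity validation is off",
    "IncludeGlobalServiceEvents": "global service events (IAM, STS) are not logged",
}


def trail_findings(trail, status, versioning=None, trail_account=None, bucket_owner_account=None):
    """Return the list of checklist deviations for one trail (empty list means it passes)."""
    findings = [msg for key, msg in REQUIRED_TRAIL_FLAGS.items() if not trail.get(key)]
    if not trail.get("CloudWatchLogsLogGroupArn"):
        findings.append("trail is not delivered to CloudWatch Logs")
    if not status.get("IsLogging"):
        findings.append("trail exists but is not currently logging")
    # Preventative: log bucket must keep versions and require MFA to delete them
    v = versioning or {}
    if v.get("Status") != "Enabled" or v.get("MFADelete") != "Enabled":
        findings.append("log bucket lacks versioning with MFA Delete")
    # Preventative: logs should land in an account the monitored account cannot tamper with
    if trail_account and bucket_owner_account and trail_account == bucket_owner_account:
        findings.append("log bucket is owned by the monitored account (not an unlinked account)")
    return findings


def audit_trails(trails, statuses, versioning_by_bucket, trail_account=None, bucket_owners=None):
    """Audit every trail in an account; having no trail at all is itself a finding."""
    if not trails:
        return {"(none)": ["no CloudTrail trail exists"]}
    report = {}
    for trail in trails:
        name = trail["Name"]
        bucket = trail.get("S3BucketName")
        report[name] = trail_findings(
            trail,
            statuses.get(name, {}),
            versioning_by_bucket.get(bucket),
            trail_account,
            (bucket_owners or {}).get(bucket),
        )
    return report


# Constructed sample data shaped like the boto3 responses (account IDs are placeholders)
MONITORED_ACCOUNT = "111111111111"
SAMPLE_TRAILS = [
    {"Name": "org-trail", "S3BucketName": "example-central-logs", "IsMultiRegionTrail": True,
     "LogFileValidationEnabled": True, "IncludeGlobalServiceEvents": True,
     "CloudWatchLogsLogGroupArn": "arn:aws:logs:us-east-1:111111111111:log-group:example-trail:*"},
    {"Name": "dev-trail", "S3BucketName": "example-dev-logs", "IsMultiRegionTrail": False,
     "LogFileValidationEnabled": False, "IncludeGlobalServiceEvents": True},
]
SAMPLE_STATUS = {"org-trail": {"IsLogging": True}, "dev-trail": {"IsLogging": False}}
SAMPLE_VERSIONING = {
    "example-central-logs": {"Status": "Enabled", "MFADelete": "Enabled"},
    "example-dev-logs": {"Status": "Suspended"},
}
SAMPLE_BUCKET_OWNERS = {"example-central-logs": "222222222222", "example-dev-logs": MONITORED_ACCOUNT}

if __name__ == "__main__":
    report = audit_trails(SAMPLE_TRAILS, SAMPLE_STATUS, SAMPLE_VERSIONING,
                          MONITORED_ACCOUNT, SAMPLE_BUCKET_OWNERS)
    for trail_name, problems in report.items():
        print(trail_name, "->", problems or "OK")
```

    Note that `describe_trails` alone is not enough: whether a trail is actually writing is only visible through `get_trail_status`, and a trail that was quietly stopped looks identical in the trail list, which is why the check reads both.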

  26. Secure Monitoring: Other Services
    VPC, S3, ELB, CloudFront

  27. Enable Amazon Tools

  28. Enable Amazon Tools
    ❏ CloudTrail
    ❏ Trusted Advisor
    ❏ GuardDuty
    ❏ Inspector
    ❏ Security Hub

  29. Encryption
    Encrypting everything with AWS - re:Inforce 2019

  30. Prepare for DFIR
    • Major Pitfalls to Avoid in Performing Digital Forensics and Incident Response in AWS - Jonathon Poling
    • AWS Security Incident Response Guide

  31. AWS Resources for Secure Architecture
    Well-Architected Framework: Security Pillar
    AWS Cloud Adoption Framework
    Aligning to NIST
    Security Documentation by Category

  32. Self-auditing with open-source tools

  33. Credit to prior art; check these people out to learn more!
    Corey Quinn - https://www.lastweekinaws.com - @QuinnyPig
    Teri Radichel - https://2ndsightlab.com/ - @TeriRadichel
    Scott Piper - https://summitroute.com/ - @0xdabbad00
    Andres Riancho - https://andresriancho.com/
    Toni de la Fuente - https://github.com/toniblyx/my-arsenal-of-aws-security-tools - @ToniBlyx
    Rhino Security - https://rhinosecuritylabs.com/blog/?category=aws
    Cloudonaut - https://cloudonaut.io/aws-security-primer/

  34. Thank you!
    And thank you to the volunteers and organizers of BSidesCT!
    @ramimacisabird
