
Building Castles in the Cloud: AWS Security and Self-Assessment

Rami McCarthy
November 09, 2019


As comfort and familiarity with cloud computing become more mainstream, companies are leaning more and more on cloud resources to host and run even their most sensitive technical assets. With these new technologies and innovations come new (and old!) security concerns. As a consultant, I’ve had experience breaking into AWS environments with varying sophistication of security posture, and then helping those clients patch holes and harden their environments. This talk will lean on those experiences to provide you with a guide on securing your AWS environment, and then validating that security.

We’ll start by walking through AWS’s Shared Responsibility Model. Then we’ll identify the features of AWS that are most important for security, and give tips on best practices and easy wins. After establishing these security standards, we’ll take a quick look at a few (free) tools for auditing AWS configurations, including NCC Group’s own open-source ScoutSuite. You’ll leave this talk with concrete next steps for improving your own cloud security posture.




  1. Building Castles in the Cloud: AWS Security and Self-Assessment. Rami McCarthy, @ramimacisabird
  2. Building Castles in the Cloud: AWS Security and Self-Assessment. Rami McCarthy, @ramimacisabird
  3. Bio
  4. https://twitter.com/GooglyInfoSec
  5. Agenda
      1. Background
      2. AWS Security Best Practices
          a. Public Access/External Exposure
          b. Access Management
          c. Monitoring
          d. Amazon Security Services
          e. Next Steps
      3. (Free) Open Source AWS audit tools
  6. https://www.britannica.com/technology/castle-architecture#/media/1/98652/99675
  7. (no extractable text)
  8. Why AWS?
  9. https://www.parkmycloud.com/blog/aws-vs-azure-vs-google-cloud-market-share/
  10. (no extractable text)
  11. (no extractable text)
  12. (no extractable text)
  13. Key AWS security considerations
  14. Secure Public Access (MITRE ATT&CK: T1190)
  15. Simple Storage Service (S3)
  16. (no extractable text)
  17. Secure Public Access: Architecture (MITRE ATT&CK: T1190)
  18. Secure Public Access: Audit Public Access (MITRE ATT&CK: T1190)
  19. (no extractable text)
  20. (no extractable text)
  21. "… while the Capital One attack happened due to the application misconfiguration mentioned above, there are several actions AWS will take to better help our customers ensure their own security. First, we will proactively scan the public IP space for our customers' firewall resources to try and assess whether they may have misconfigurations. …" - Amazon letter to Sen. Wyden RE consumer data
  22. Secure Access Management (MITRE ATT&CK: T1078)
  23. Graphic via MSP360
  24. AWS Security Token Service
  25. Secure Access Management: Access Management for Users (MITRE ATT&CK: T1078)
      • Root account
      • User ↔ IAM Account
      • Groups
      • STS as arbitration
      • Least Privilege
  26. Secure Access Management: Access Management for Users (MITRE ATT&CK: T1078)
      • Multi-factor Authentication
      • Security Tokens
      • Policy Conditions
  27. Secure Access Management: Access Management for Development (MITRE ATT&CK: T1078)
      • Temporary Credentials
      • GitOps/DevOps
  28. Secure Access Management: Access Management for Applications (MITRE ATT&CK: T1078)
  29. Secure Access Management: Access Management for EC2 (MITRE ATT&CK: T1078)
      • Don’t bake in credentials
      • AWS SDK → IAM Role
      • SSRF
  30. Secure IAM Basics: IAM Roles > IAM Access Keys > AWS Credentials
  31. Secure Monitoring
  32. Secure Monitoring
  33. (no extractable text)
  34. Secure Monitoring: CloudTrail - Detective
      • Create a trail
      • All AWS Regions
      • Log file integrity
      • CloudWatch
  35. Secure Monitoring: CloudTrail - Preventative
      • Unlinked Account
      • Least Privilege
      • MFA Delete
      • AWSCloudTrailFullAccess
  36. (no extractable text)
  37. Secure Monitoring: Other Services (VPC, S3, ELB, CloudFront)
  38. Enable Amazon Tools
  39. Enable Amazon Tools
      ❏ CloudTrail
      ❏ Trusted Advisor
      ❏ GuardDuty
      ❏ Inspector
      ❏ Security Hub
  40. Encryption: "Encrypting everything with AWS" (re:Inforce 2019)
  41. Prepare for DFIR
      • Major Pitfalls to Avoid in Performing Digital Forensics and Incident Response in AWS - Jonathon Poling
      • AWS Security Incident Response Guide
  42. AWS Resources for Secure Architecture
      • Well-Architected Framework: Security Pillar
      • AWS Cloud Adoption Framework
      • Aligning to NIST
      • Security Documentation by Category
  43. Self-auditing with open-source tools
  44. (no extractable text)
  45. (no extractable text)
  46. (no extractable text)
  47. (no extractable text)
  48. (no extractable text)
  49. CloudMapper
  50. (no extractable text)
  51. (no extractable text)
  52. (no extractable text)
  53. (no extractable text)
  54. (no extractable text)
  55. (no extractable text)
  56. Credit to prior art; check these people out to learn more!
      • Corey Quinn - https://www.lastweekinaws.com - @QuinnyPig
      • Teri Radichel - https://2ndsightlab.com/ - @TeriRadichel
      • Scott Piper - https://summitroute.com/ - @0xdabbad00
      • Andres Riancho - https://andresriancho.com/
      • Toni de la Fuente - https://github.com/toniblyx/my-arsenal-of-aws-security-tools - @ToniBlyx
      • Rhino Security - https://rhinosecuritylabs.com/blog/?category=aws
      • Cloudonaut - https://cloudonaut.io/aws-security-primer/
  57. Thank you! And thank you to the volunteers and organizers of BSidesCT! @ramimacisabird