Building Castles in the Cloud: AWS Security and Self-Assessment

Transcript

1. Building Castles in the Cloud: AWS Security and Self-Assessment Rami

   McCarthy @ramimacisabird

2. Building Castles in the Cloud: AWS Security and Self-Assessment Rami

   McCarthy @ramimacisabird

3. Bio ( )

4. https://twitter.com/GooglyInfoSec

5. Agenda 1. Background 2. AWS Security Best Practices a. Public

   Access/External Exposure b. Access Management c. Monitoring d. Amazon Security Services e. Next Steps 3. (Free) Open Source AWS audit tools

6. https://www.britannica.com/technology/castle-architecture#/media/1/98652/99675

7. None

8. Why AWS?

9. https://www.parkmycloud.com/blog/aws-vs-azure-vs-google-cloud-market-share/

10. None
11. None
12. None

13. Key AWS security considerations

14. Secure Public Access MITRE ATT&CK: T1190

15. Simple Storage Service (S3)

16. None

17. Architecture Secure Public Access MITRE ATT&CK: T1190

18. Audit Public Access MITRE ATT&CK: T1190

19. None
20. None

21. "… while the Capital One attack happened due to the

    application misconfiguration mentioned above, there are several actions AWS will take to better help our customers ensure their own security. First, we will proactively scan the public IP space for our customers' firewall resources to try and assess whether they may have misconfigurations. ..." - Amazon Letter to Sen Wyden RE Consumer Data

22. Secure Access Management MITRE ATT&CK: T1078

23. Graphic via MSP360

24. AWS Security Token Service

25. Secure Access Management Access Management for Users MITRE ATT&CK: T1078

    • Root account • User ↔ IAM Account • Groups • STS as arbitration • Least Privilege

26. Secure Access Management Access Management for Users MITRE ATT&CK: T1078

    • Multi-factor Authentication • Security Tokens • Policy Conditions

27. • Temporary Credentials • Gitops/DevOps Secure Access Management Access Management

    for Development MITRE ATT&CK: T1078

28. Secure Access Management Access Management for Applications MITRE ATT&CK: T1078

29. • Don’t bake-in credentials • AWS SDK→IAM Role • SSRF

    Secure Access Management Access Management for EC2 MITRE ATT&CK: T1078

30. Secure IAM Basics IAM Roles > IAM Access Keys >

    AWS Credentials

31. Secure Monitoring

32. Secure Monitoring

33. None

34. Secure Monitoring CloudTrail - Detective • Create a trail •

    All AWS Regions • Log file integrity • CloudWatch

35. Secure Monitoring CloudTrail - Preventative • Unlinked Account • Least

    Privilege • MFA Delete • AWSCloudTrailFullAccess
36. None

37. Secure Monitoring Other Services VPC S3 ELB CloudFront

38. Enable Amazon Tools

39. Enable Amazon Tools ❏ CloudTrail ❏ Trusted Advisor ❏ GuardDuty

    ❏ Inspector ❏ Security Hub

40. Encryption Encrypting everything with AWS - re:Inforce 2019

41. • Major Pitfalls to Avoid in Performing Digital Forensics and

    Incident Response in AWS - Jonathon Poling • AWS Security Incident Response Guide Prepare for DFIR

42. AWS Resources for Secure Architecture Well-Architected Framework: Security Pillar AWS

    Cloud Adoption Framework Aligning to NIST Security Documentation by Category

43. Self-auditing with open-source tools

44. None
45. None
46. None
47. None
48. None

49. CloudMapper

50. None
51. None
52. None
53. None
54. None
55. None

56. Credit to prior art; check these people out to learn

    more! Corey Quinn - https://www.lastweekinaws.com - @QuinnyPig Teri Radichel - https://2ndsightlab.com/ - @TeriRadichel Scott Piper – https://summitroute.com/ - @0xdabbad00 Andres Riancho - https://andresriancho.com/ Toni de la Fuente - https://github.com/toniblyx/my-arsenal-of-aws-security-tools - @ToniBlyx Rhino Security - https://rhinosecuritylabs.com/blog/?category=aws Cloudonaut - https://cloudonaut.io/aws-security-primer/

57. Thank you! And thank you to the volunteers and organizers

    of BSidesCT! @ramimacisabird