Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Gateway to Cloud Security Heaven: Our AWS Exped...

Sena Yakut
May 19, 2024
270

Gateway to Cloud Security Heaven: Our AWS Expedition

Sena Yakut

May 19, 2024
Tweet

Transcript

  1. Let’s assume… We work as Cloud Security Engineers at Healthcare

    Tech. Electronic Health Records (EHR) System: Web application for patient health info Telemedicine Platform: Mobile apps for patients to connect with healthcare providers Remote Patient Monitoring Devices: IoT for wearable tech, collects real-time data
  2. Let’s assume… We work as Cloud Security Engineers at Healthcare

    Tech. Electronic Health Records (EHR) System: Web application for patient health info Telemedicine Platform: Mobile apps for patients to connect with healthcare providers Remote Patient Monitoring Devices: IoT for wearable tech, collects real-time data
  3. Tech Summary of Our Company 1 AWS Account: Dev and

    Prod are managed in different regions Privacy violation Reputation damage Patient Death Blackmailing patients Identity theft
  4. Task 1: AWS Accounts Current Status: Our Goal: - 1

    AWS account for all development and production process - All risks are in the same AWS account. - Migration can be hard but it’s a requirement. - Security account is essential. - Management account for billing and AWS Organizations.
  5. Task 2: Identity Access Management Current Status: Our Goal: -

    Lots of different IAM users, IAM roles, and policies. - The most challenging topic in the cloud. - IAM users' key management is still an issue. - IAM Access Analyzer for roles, policies: - Unused access - External access - Use short-term credentials if possible. - Use service control policies (SCPs). - At least privilege principle!
  6. Task 2: Identity Access Management Current Status: Our Goal: -

    IAM users' key management is still an issue. - Lots of IAM users, complex to manage. - Use AWS Identity Center –> SSO. - Centralized management - Short term creds for CLI - Ease of use Blog: AWS IAM Identity Center Configuration for Your Google Workspace
  7. Task 3: Threats, Threats Everywhere! Current Status: Our Goal: -

    There is no solution for threat detection for our AWS accounts. - Amazon GuardDuty - Lambda Protection - S3 Protection - Malware Protection - RDS Protection - Delegated Administrator Account – Our Security Account - Deny Disabling GuardDuty with SCPs Blog: Explore Amazon GuardDuty ECS Runtime Monitoring
  8. Task 4: Who, Where, When? Current Status: Our Goal: -

    There is no solution for account auditing for our AWS accounts. - AWS CloudTrail - A digital detective for us - Investigate our activities - Security auditing - Detailed info for all your API calls in our account - Enable log file validation - Enable multi-regional trail
  9. Task 5: What about our vulnerabilities? Current Status: Our Goal:

    - There is no solution for resource vulnerabilities for our AWS resources like EC2, Lambda. - VM process is essential. - Amazon Inspector - Automated vulnerability management for our workloads - Center for Internet Security (CIS) Benchmark assessments for our OS Scan Your AWS Lambda Functions with Amazon Inspector
  10. Task 6: What about our endpoints? Current Status: Our Goal:

    - There is no solution for protecting our endpoints. - There are lots of endpoints in our environment: - Mobile client endpoints, - Web app endpoints, - IoT endpoints - AWS WAF - Customize rules for your environments - Monitor regularly. You don’t want to block legitimate requests - Analyze regularly - Automate as possible
  11. Task 6: What about our endpoints? Current Status: Our Goal:

    - There is no solution for protecting our endpoints. - There are lots of endpoints in our environment: - Mobile client endpoints, - Web app endpoints, - IoT endpoints - AWS WAF - Customize rules for your environments - Monitor regularly. You don’t want to block legitimate requests - Analyze regularly - Automate as possible
  12. Task 7: What about our data? Current Status: Our Goal:

    - Lots of data, - Personal identifiable information, - IoT user data, - Mobile/Web data - There is no protection/detection of data in our environment. - AWS KMS & CloudHSM - Encrypt everything with our keys or AWS KMS - Use the latest encryption algorithms
  13. Task 8: What about our compliance? Current Status: Our Goal:

    - Compliance is a requirement for healthcare tech. - AWS Security Hub & AWS Config - Remediation & Alarms
  14. - Amazon EventBridge - Incident Manager - AWS ChatBot Task

    9: What about our alarms? Current Status: Our Goal: - No visibility - Data loss - Data breach - Insider threats - Suspicious activities