Gateway to Cloud Security Heaven: Our AWS Expedition

Sena Yakut

May 19, 2024

Transcript

  1. Let’s assume… We work as Cloud Security Engineers at Healthcare Tech.

     - Electronic Health Records (EHR) System: web application for patient health info
     - Telemedicine Platform: mobile apps for patients to connect with healthcare providers
     - Remote Patient Monitoring Devices: IoT for wearable tech, collects real-time data
  3. Tech Summary of Our Company

     - 1 AWS Account: Dev and Prod are managed in different regions

     Risks:
     - Privacy violation
     - Reputation damage
     - Patient death
     - Blackmailing patients
     - Identity theft
  4. Task 1: AWS Accounts

     Current Status:
     - 1 AWS account for all development and production processes
     - All risks are in the same AWS account.

     Our Goal:
     - Migration can be hard, but it’s a requirement.
     - A security account is essential.
     - A management account for billing and AWS Organizations.
  5. Task 2: Identity Access Management

     Current Status:
     - Lots of different IAM users, IAM roles, and policies.
     - The most challenging topic in the cloud.
     - IAM users' key management is still an issue.

     Our Goal:
     - IAM Access Analyzer for roles and policies:
       - Unused access
       - External access
     - Use short-term credentials if possible.
     - Use service control policies (SCPs).
     - Least privilege principle!
  6. Task 2: Identity Access Management

     Current Status:
     - IAM users' key management is still an issue.
     - Lots of IAM users, complex to manage.

     Our Goal:
     - Use AWS IAM Identity Center –> SSO.
       - Centralized management
       - Short-term creds for CLI
       - Ease of use

     Blog: AWS IAM Identity Center Configuration for Your Google Workspace
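Before the move to Identity Center, the long-lived keys and MFA gaps of the existing IAM users have to be found. The following is an added example, not code from the talk: it audits an IAM credential report (the CSV that `aws iam get-credential-report` returns base64-encoded) for keys past a rotation age, keys that have gone unused, and console users without MFA. The report below is constructed and limited to the columns the audit uses; the 90-day and 45-day thresholds are assumptions, not AWS defaults.

```python
"""Audit an IAM credential report for stale access keys and missing MFA.

Added example (not from the talk). The CSV below is constructed to look like the
decoded output of `aws iam get-credential-report`, limited to the columns used here;
the 90-day rotation and 45-day unused thresholds are assumptions, not AWS defaults.
"""
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample report: column names follow the real report header.
CREDENTIAL_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
<root_account>,arn:aws:iam::111111111111:root,2021-01-05T10:00:00+00:00,not_supported,2024-05-01T08:00:00+00:00,not_supported,not_supported,true,false,N/A,N/A,false,N/A,N/A
ehr-deploy,arn:aws:iam::111111111111:user/ehr-deploy,2022-03-10T09:00:00+00:00,false,N/A,N/A,N/A,false,true,2023-09-01T12:00:00+00:00,2024-05-10T06:30:00+00:00,false,N/A,N/A
iot-ingest,arn:aws:iam::111111111111:user/iot-ingest,2023-06-01T09:00:00+00:00,false,N/A,N/A,N/A,false,true,2024-04-20T12:00:00+00:00,2024-01-15T06:30:00+00:00,false,N/A,N/A
alice,arn:aws:iam::111111111111:user/alice,2023-06-01T09:00:00+00:00,true,2024-05-12T07:00:00+00:00,2024-03-01T07:00:00+00:00,2024-05-30T07:00:00+00:00,false,false,N/A,N/A,false,N/A,N/A
"""

# Fixed reference date (the talk's date) so the example is reproducible offline.
NOW = datetime(2024, 5, 19, tzinfo=timezone.utc)
MAX_KEY_AGE = timedelta(days=90)   # assumed rotation policy
MAX_KEY_IDLE = timedelta(days=45)  # assumed "unused access" threshold


def _timestamp(field):
    """Report cells are ISO-8601 timestamps or one of N/A / no_information / not_supported."""
    if field in ("N/A", "no_information", "not_supported"):
        return None
    return datetime.fromisoformat(field)


def audit_credential_report(report_csv, now=NOW):
    """Return (user, finding) pairs for long-lived or idle keys and console users without MFA."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        if row["password_enabled"] == "true" and row["mfa_active"] != "true":
            findings.append((user, "console password without MFA"))
        for slot in ("1", "2"):
            if row[f"access_key_{slot}_active"] != "true":
                continue
            rotated = _timestamp(row[f"access_key_{slot}_last_rotated"])
            last_used = _timestamp(row[f"access_key_{slot}_last_used_date"])
            if rotated and now - rotated > MAX_KEY_AGE:
                findings.append((user, f"access key {slot} older than {MAX_KEY_AGE.days} days"))
            # A key that was never used counts as idle since it was created or last rotated.
            idle_since = last_used or rotated
            if idle_since and now - idle_since > MAX_KEY_IDLE:
                findings.append((user, f"access key {slot} unused for more than {MAX_KEY_IDLE.days} days"))
    return findings


if __name__ == "__main__":
    for user, finding in audit_credential_report(CREDENTIAL_REPORT):
        print(f"{user}: {finding}")
```

On the constructed report this flags the deploy user's key for age, the IoT ingest key for being idle, and `alice` for a console password without MFA; the root account passes only because it has no keys and MFA is on. The same idle-key view is what IAM Access Analyzer's unused-access findings give you continuously once it is enabled, so the script is a one-off baseline, not a replacement for it.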
  7. Task 3: Threats, Threats Everywhere!

     Current Status:
     - There is no solution for threat detection for our AWS accounts.

     Our Goal:
     - Amazon GuardDuty
       - Lambda Protection
       - S3 Protection
       - Malware Protection
       - RDS Protection
     - Delegated Administrator Account – our Security Account
     - Deny disabling GuardDuty with SCPs

     Blog: Explore Amazon GuardDuty ECS Runtime Monitoring
  8. Task 4: Who, Where, When?

     Current Status:
     - There is no solution for account auditing for our AWS accounts.

     Our Goal:
     - AWS CloudTrail
       - A digital detective for us
       - Investigate our activities
       - Security auditing
       - Detailed info for all API calls in our account
     - Enable log file validation
     - Enable a multi-region trail
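Task 3 asks for an SCP that denies disabling GuardDuty, and the CloudTrail trail from Task 4 needs the same protection or an attacker's first move is `StopLogging`. The block below is an added example, not from the talk or from AWS: it holds one SCP covering both services and a small offline evaluator so the policy can be sanity-checked before it is attached in AWS Organizations. The `SecurityAdmin` role that stays exempt is an assumption (it stands in for the role the security account uses), and the evaluator implements only the parts of policy evaluation this document uses (explicit Deny, action wildcards, and the `ArnNotLike`/`aws:PrincipalARN` condition).

```python
"""Service control policy that keeps member accounts from disabling GuardDuty or
tampering with CloudTrail, plus a small evaluator to sanity-check it offline.

Added example (not from the talk). The exempt SecurityAdmin role name is an
assumption. The evaluator handles only what this policy uses: explicit Deny,
Action wildcards and the ArnNotLike/aws:PrincipalARN condition; real SCP
evaluation is done by AWS Organizations.
"""
import fnmatch
import json

# Assumption: the role the security team assumes to manage detection tooling.
SECURITY_ADMIN_ROLE = "arn:aws:iam::*:role/SecurityAdmin"

PROTECT_DETECTION_SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyDisablingGuardDuty",
            "Effect": "Deny",
            "Action": [
                "guardduty:DeleteDetector",
                "guardduty:UpdateDetector",  # UpdateDetector can set Enable=false
                "guardduty:DisassociateFromAdministratorAccount",
                "guardduty:DisassociateMembers",
                "guardduty:DeleteMembers",
                "guardduty:StopMonitoringMembers",
            ],
            "Resource": "*",
            "Condition": {"ArnNotLike": {"aws:PrincipalARN": [SECURITY_ADMIN_ROLE]}},
        },
        {
            "Sid": "DenyTamperingWithCloudTrail",
            "Effect": "Deny",
            "Action": ["cloudtrail:DeleteTrail", "cloudtrail:StopLogging", "cloudtrail:UpdateTrail"],
            "Resource": "*",
            "Condition": {"ArnNotLike": {"aws:PrincipalARN": [SECURITY_ADMIN_ROLE]}},
        },
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def is_denied_by_scp(policy, action, principal_arn):
    """True if an explicit Deny statement in `policy` applies to `action` for this principal."""
    for statement in policy["Statement"]:
        if statement["Effect"] != "Deny":
            continue
        # IAM action matching is case-insensitive and supports * wildcards.
        if not any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in _as_list(statement["Action"])):
            continue
        # ArnNotLike is false (so the statement does not apply) when the principal matches an exempt pattern.
        exempt = _as_list(statement.get("Condition", {}).get("ArnNotLike", {}).get("aws:PrincipalARN", []))
        if any(fnmatch.fnmatchcase(principal_arn, pattern) for pattern in exempt):
            continue
        return True
    return False


def scp_json():
    """Policy document to hand to `aws organizations create-policy --type SERVICE_CONTROL_POLICY`."""
    return json.dumps(PROTECT_DETECTION_SCP, indent=2)


if __name__ == "__main__":
    dev = "arn:aws:iam::111111111111:role/Developer"
    for action in ("guardduty:DeleteDetector", "guardduty:ListDetectors", "cloudtrail:StopLogging"):
        print(f"{action:<28} denied for developer: {is_denied_by_scp(PROTECT_DETECTION_SCP, action, dev)}")
    print(scp_json())
```

Two caveats worth remembering when attaching this: SCPs never apply to the management account (another reason to keep workloads out of it, as Task 1 says), and they do not restrict service-linked roles. The exempt role is the single path left for turning the tooling off, so its trust policy and who can assume it deserve the same scrutiny as the SCP itself.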
  9. Task 5: What about our vulnerabilities?

     Current Status:
     - There is no solution for resource vulnerabilities in our AWS resources like EC2 and Lambda.
     - A vulnerability management (VM) process is essential.

     Our Goal:
     - Amazon Inspector
       - Automated vulnerability management for our workloads
       - Center for Internet Security (CIS) Benchmark assessments for our OS

     Scan Your AWS Lambda Functions with Amazon Inspector
  10. Task 6: What about our endpoints?

     Current Status:
     - There is no solution for protecting our endpoints.
     - There are lots of endpoints in our environment:
       - Mobile client endpoints
       - Web app endpoints
       - IoT endpoints

     Our Goal:
     - AWS WAF
       - Customize rules for your environments
       - Monitor regularly. You don’t want to block legitimate requests
       - Analyze regularly
       - Automate as much as possible
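"Monitor regularly, you don't want to block legitimate requests" is done in practice by running new rules in COUNT mode and reading the WAF logs before switching them to BLOCK. The block below is an added example, not from the talk: it parses WAF log records and reports, per COUNT-mode rule (both web-ACL-level rules and rules inside managed rule groups), how many requests it matched, from how many clients, and on which URIs, alongside what the terminating rules actually blocked. The records are constructed in the JSON-lines shape WAF delivers to S3 or Kinesis, trimmed to the fields used; the web ACL, rule names and traffic are invented.

```python
"""Review AWS WAF logs before flipping COUNT-mode rules to BLOCK.

Added example (not from the talk). The records below are constructed in the
JSON-lines shape WAF delivers to S3/Kinesis, trimmed to the fields used here;
the web ACL, rule names and traffic are invented.
"""
import json
from collections import Counter, defaultdict

_ACL = '"webaclId": "arn:aws:wafv2:eu-west-1:111111111111:regional/webacl/ehr-api/EXAMPLE", "httpSourceName": "ALB", "httpSourceId": "111111111111-app/ehr-api/EXAMPLE"'

WAF_LOG_LINES = [
    # Two large note uploads from the EHR web app hit a custom body-size rule still in COUNT mode.
    '{"timestamp": 1716105600000, "formatVersion": 1, ' + _ACL + ', "terminatingRuleId": "Default_Action", '
    '"terminatingRuleType": "REGULAR", "action": "ALLOW", "ruleGroupList": [], "rateBasedRuleList": [], '
    '"nonTerminatingMatchingRules": [{"ruleId": "BlockLargeBodies", "action": "COUNT"}], '
    '"httpRequest": {"clientIp": "203.0.113.10", "country": "TR", "uri": "/api/v1/patients/123/notes", "args": "", "httpMethod": "POST"}}',
    '{"timestamp": 1716105660000, "formatVersion": 1, ' + _ACL + ', "terminatingRuleId": "Default_Action", '
    '"terminatingRuleType": "REGULAR", "action": "ALLOW", "ruleGroupList": [], "rateBasedRuleList": [], '
    '"nonTerminatingMatchingRules": [{"ruleId": "BlockLargeBodies", "action": "COUNT"}], '
    '"httpRequest": {"clientIp": "203.0.113.11", "country": "TR", "uri": "/api/v1/patients/456/notes", "args": "", "httpMethod": "POST"}}',
    # A SQL injection probe counted by a managed rule group whose action is overridden to COUNT.
    '{"timestamp": 1716105720000, "formatVersion": 1, ' + _ACL + ', "terminatingRuleId": "Default_Action", '
    '"terminatingRuleType": "REGULAR", "action": "ALLOW", "rateBasedRuleList": [], "nonTerminatingMatchingRules": [], '
    '"ruleGroupList": [{"ruleGroupId": "AWS#AWSManagedRulesSQLiRuleSet", "terminatingRule": null, '
    '"nonTerminatingMatchingRules": [{"ruleId": "SQLi_QUERYARGUMENTS", "action": "COUNT"}], "excludedRules": null}], '
    '"httpRequest": {"clientIp": "198.51.100.7", "country": "NL", "uri": "/api/v1/patients", "args": "q=%27%20OR%201%3D1--", "httpMethod": "GET"}}',
    # A login flood blocked by a rate-based rule that is already in BLOCK mode.
    '{"timestamp": 1716105780000, "formatVersion": 1, ' + _ACL + ', "terminatingRuleId": "LoginRateLimit", '
    '"terminatingRuleType": "RATE_BASED", "action": "BLOCK", "ruleGroupList": [], "nonTerminatingMatchingRules": [], '
    '"rateBasedRuleList": [{"rateBasedRuleId": "LoginRateLimit", "limitKey": "IP", "maxRateAllowed": 100}], '
    '"httpRequest": {"clientIp": "192.0.2.99", "country": "US", "uri": "/login", "args": "", "httpMethod": "POST"}}',
    # Ordinary traffic that matched nothing.
    '{"timestamp": 1716105840000, "formatVersion": 1, ' + _ACL + ', "terminatingRuleId": "Default_Action", '
    '"terminatingRuleType": "REGULAR", "action": "ALLOW", "ruleGroupList": [], "rateBasedRuleList": [], '
    '"nonTerminatingMatchingRules": [], '
    '"httpRequest": {"clientIp": "203.0.113.12", "country": "TR", "uri": "/api/v1/health", "args": "", "httpMethod": "GET"}}',
]


def parse_waf_logs(lines):
    return [json.loads(line) for line in lines if line.strip()]


def count_mode_matches(records):
    """Map each COUNT-mode rule (web ACL level or inside a rule group) to the requests it matched."""
    matches = defaultdict(list)
    for rec in records:
        request = rec["httpRequest"]
        for m in rec.get("nonTerminatingMatchingRules") or []:
            if m["action"] == "COUNT":
                matches[m["ruleId"]].append(request)
        for group in rec.get("ruleGroupList") or []:
            for m in group.get("nonTerminatingMatchingRules") or []:
                if m["action"] == "COUNT":
                    matches[f'{group["ruleGroupId"]}/{m["ruleId"]}'].append(request)
    return matches


def count_rule_report(records):
    """What each COUNT rule would have blocked: hit count, distinct clients, most common method/URI pairs."""
    return {
        rule: {
            "hits": len(requests),
            "client_ips": len({r["clientIp"] for r in requests}),
            "top_uris": Counter((r["httpMethod"], r["uri"]) for r in requests).most_common(3),
        }
        for rule, requests in count_mode_matches(records).items()
    }


def blocked_by_rule(records):
    """Requests actually blocked, keyed by the terminating rule."""
    return Counter(rec["terminatingRuleId"] for rec in records if rec["action"] == "BLOCK")


if __name__ == "__main__":
    recs = parse_waf_logs(WAF_LOG_LINES)
    for rule, summary in count_rule_report(recs).items():
        print(f"COUNT {rule}: {summary}")
    print("BLOCKED:", dict(blocked_by_rule(recs)))
```

Reading the report is the decision point: the size rule is only firing on clinician note uploads, so it needs a higher limit or a scope-down statement for that path before it goes to BLOCK, while the SQLi match is a genuine probe and that rule can be promoted. Over real volumes the same logic runs as an Athena query over the S3 log bucket; the Python version here is for understanding the log shape.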
  12. Task 7: What about our data?

     Current Status:
     - Lots of data:
       - Personally identifiable information
       - IoT user data
       - Mobile/web data
     - There is no protection/detection of data in our environment.

     Our Goal:
     - AWS KMS & CloudHSM
     - Encrypt everything with our keys or AWS KMS
     - Use the latest encryption algorithms
  13. Task 8: What about our compliance?

     Current Status:
     - Compliance is a requirement for healthcare tech.

     Our Goal:
     - AWS Security Hub & AWS Config
     - Remediation & alarms
  14. Task 9: What about our alarms?

     Current Status:
     - No visibility into:
       - Data loss
       - Data breach
       - Insider threats
       - Suspicious activities

     Our Goal:
     - Amazon EventBridge
     - Incident Manager
     - AWS Chatbot
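The glue between the detection services and the alarms is an EventBridge rule: an event pattern that picks GuardDuty findings, CloudTrail calls or sign-in events out of the default bus and hands them to Incident Manager or a Chatbot channel. The block below is an added example, not from the talk and not AWS code: the three patterns follow EventBridge's documented event-pattern syntax, and a small matcher evaluates them offline against constructed events so the patterns can be tested before deployment. The matcher covers only the operators used here (exact, prefix, numeric, anything-but, exists) and not array-valued fields; the rule names and their targets are assumptions.

```python
"""Route security events with EventBridge-style patterns, evaluated offline.

Added example (not from the talk). The patterns follow EventBridge's documented
event-pattern syntax, but the matcher is a subset written for this example
(exact, prefix, numeric, anything-but, exists; no array-valued fields). The
sample events are constructed and the rule names/targets are assumptions.
"""
import operator

# Rule name -> event pattern. Targets (an Incident Manager response plan, a Chatbot channel) are assumed.
ROUTING_RULES = {
    "guardduty-high-to-incident-manager": {
        "source": ["aws.guardduty"],
        "detail-type": ["GuardDuty Finding"],
        "detail": {"severity": [{"numeric": [">=", 7]}]},  # High (7.0-8.9) and Critical findings
    },
    "root-activity-to-chatbot": {
        "detail-type": ["AWS API Call via CloudTrail", "AWS Console Sign In via CloudTrail"],
        "detail": {"userIdentity": {"type": ["Root"]}},
    },
    "cloudtrail-logging-stopped-to-chatbot": {
        "source": ["aws.cloudtrail"],
        "detail": {
            "eventName": ["StopLogging", "DeleteTrail"],
            "errorCode": [{"exists": False}],  # only calls that actually succeeded
        },
    },
}

_MISSING = object()
_NUMERIC_OPS = {"=": operator.eq, ">": operator.gt, ">=": operator.ge, "<": operator.lt, "<=": operator.le}


def _match_leaf(matcher, value):
    """One alternative from a pattern list against one event value (_MISSING if the key is absent)."""
    if isinstance(matcher, dict):
        if "exists" in matcher:
            return (value is not _MISSING) == bool(matcher["exists"])
        if value is _MISSING:
            return False
        if "prefix" in matcher:
            return isinstance(value, str) and value.startswith(matcher["prefix"])
        if "anything-but" in matcher:
            excluded = matcher["anything-but"]
            return value not in (excluded if isinstance(excluded, list) else [excluded])
        if "numeric" in matcher:
            ops = matcher["numeric"]  # e.g. [">=", 7] or [">", 0, "<", 5]
            if isinstance(value, bool) or not isinstance(value, (int, float)):
                return False
            return all(_NUMERIC_OPS[ops[i]](value, ops[i + 1]) for i in range(0, len(ops), 2))
        raise ValueError(f"unsupported matcher {matcher!r}")
    return value is not _MISSING and value == matcher


def event_matches(pattern, event):
    """Every key in the pattern must match; a list of alternatives matches if any alternative does."""
    for key, expected in pattern.items():
        value = event.get(key, _MISSING) if isinstance(event, dict) else _MISSING
        if isinstance(expected, dict):
            if not isinstance(value, dict) or not event_matches(expected, value):
                return False
        elif not any(_match_leaf(m, value) for m in expected):
            return False
    return True


def route(event):
    """Names of the rules whose pattern matches the event."""
    return sorted(name for name, pattern in ROUTING_RULES.items() if event_matches(pattern, event))


# Constructed events in the shape EventBridge delivers (trimmed to the fields the patterns look at).
HIGH_SEVERITY_FINDING = {
    "version": "0", "id": "0000-example", "detail-type": "GuardDuty Finding", "source": "aws.guardduty",
    "account": "111111111111", "time": "2024-05-19T10:00:00Z", "region": "eu-west-1", "resources": [],
    "detail": {"schemaVersion": "2.0", "accountId": "111111111111", "region": "eu-west-1",
               "type": "UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.OutsideAWS",
               "severity": 8, "resource": {"resourceType": "AccessKey"}},
}
LOW_SEVERITY_FINDING = {**HIGH_SEVERITY_FINDING, "detail": {**HIGH_SEVERITY_FINDING["detail"],
                        "type": "Recon:EC2/PortProbeUnprotectedPort", "severity": 2}}
ROOT_CONSOLE_SIGNIN = {
    "detail-type": "AWS Console Sign In via CloudTrail", "source": "aws.signin", "account": "111111111111",
    "detail": {"eventName": "ConsoleLogin", "userIdentity": {"type": "Root", "accountId": "111111111111"},
               "responseElements": {"ConsoleLogin": "Success"}},
}
STOP_LOGGING_CALL = {
    "detail-type": "AWS API Call via CloudTrail", "source": "aws.cloudtrail", "account": "111111111111",
    "detail": {"eventName": "StopLogging", "eventSource": "cloudtrail.amazonaws.com",
               "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::111111111111:assumed-role/Developer/alice"}},
}
DENIED_STOP_LOGGING_CALL = {**STOP_LOGGING_CALL, "detail": {**STOP_LOGGING_CALL["detail"], "errorCode": "AccessDenied"}}

if __name__ == "__main__":
    for name, event in [("high finding", HIGH_SEVERITY_FINDING), ("low finding", LOW_SEVERITY_FINDING),
                        ("root sign-in", ROOT_CONSOLE_SIGNIN), ("StopLogging", STOP_LOGGING_CALL),
                        ("StopLogging denied", DENIED_STOP_LOGGING_CALL)]:
        print(f"{name:<20} -> {route(event) or 'no rule'}")
```

The `errorCode` exists-check is the kind of detail that keeps a Chatbot channel useful: a StopLogging call that an SCP already denied still lands in CloudTrail, but with `errorCode` set, so it is not paged as an incident. Note that API-call events only reach EventBridge in the region where the call was made, which is one more reason the multi-region trail and a delegated GuardDuty administrator belong in the security account.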