Securing Your AWS Cloud Infrastructure

Transcript

1. 13 August 2018 • Horangi team • 118A Telok Ayer,

   Singapore 068587 Securing Your AWS Cloud Infrastructure.

2. Horangi. 01 An introduction to our company and what we

   do.

3. • Director of Cloud Security Engineering @ Horangi • CloudDevSecOps

   Fanatic • Progression => UI/UX Designer / Developer => Full Stack Developer => Build & Release Engineer => Infrastructure & Tools Architect • AWS Areas of Interests: AWS Multi-Account Strategy, Cloud Security • Totally uncertified and proud :P Steve “Potay” Teo

4. www.meetup.com/AWS-SG/ www.meetup.com/ Atlassian-User-Group-Singapore/ Communities I serve

5. AWS User Group Singapore - Monthly

6. AWS User Group Singapore - Monthly

7. AWS User Group Singapore - Monthly

8. What Horangi does. We analyze your current security posture and

   customize the solutions to resolve your situation in a holistic way. PRODUCT SERVICES CONSULT 8

9. Focus. 01. Global Cyber Security Talent Deficit: Insufficient number of

   professionals to fulfill the demand of all companies regionally and internationally Competent staff locked into a few industries, preventing others to build qualified security teams 02. Relating Cyber Security to Business Priorities: Disconnect between technical and business requirements Improving communication between senior management and operational security roles Horangi has identified two main issues to be solved in today’s security landscape. 9

10. Warden. 05 An overview of our latest product.

11. Warden is a cloud security assessment and monitoring tool that

    detects misconfigurations and vulnerabilities in your cloud infrastructure. 11

12. The Story. 03

13. WHY SECURE YOUR CLOUD INFRASTRUCTURE?

14. Cloud Breaches. Accenture accidentally configured four AWS S3 buckets to

    be accessible to the public Uber’s AWS account was hacked, compromising the personal information of 57 million users worldwide, including 600,000 drivers OCT 2017 NOV 2017 An error in GoDaddy’s S3 bucket configuration has led to the exposure of internal information MAR 2018

15. Cloud Breaches. security researcher Bob Diachenko discovered the Dow Jones

    Watchlist dataset sitting on a public AWS Elasticsearch cluster FEB 2019 Breach hunters have found two Amazon cloud servers storing over 540 million Facebook-related records APR 2019

16. Business Impact. LOSS OF REVENUE Small businesses shell out an

    average of $38,000 to recover from a single data breach in direct expenses alone. LOSS OF TRUST Breaches cause customers and other stakeholders to lose trust in your organization, causing loss of business. INTELLECTUAL PROPERTY THEFT Having trade secrets exposed cause companies to lose their competitive advantage.

17. ON-PREMISE vs. CLOUD SECURITY

18. None

19. On-Premise Security. With an on-premise infrastructure, the organization is responsible

    for the infrastructure’s security end-to-end. It’s almost always IT-driven. (Source)

20. Cloud: Shared Responsibility. The Shared Responsibility Model defines the responsibility

    between the cloud provider and its customers. (Source)
21. None

22. - Management Layer now exposed to Internet - Traditional Siloed

    Roles vs new Cloud Roles - Our Talent pool is not all mature enough for the Cloud Shift Other Key Points

23. Every AWS Account is a Blank Cheque

24. AWS Well-Architected Framework. 04

25. RELIABILITY PERFORMANCE EFFICIENCY OPERATIONAL EXCELLENCE SECURITY AWS Well- Architected Framework.

    The AWS Well-Architected Framework is a framework developed to help AWS cloud architects build secure, high-performing, resilient, and efficient infrastructure. COST OPTIMIZATION

26. RELIABILITY PERFORMANCE EFFICIENCY OPERATIONAL EXCELLENCE SECURITY AWS Well- Architected Framework.

    The AWS Well-Architected Framework is a framework developed to help AWS cloud architects build secure, high-performing, resilient, and efficient infrastructure. COST OPTIMIZATION

27. The Security Pillar. 04

28. INFRASTRUCTURE PROTECTION DATA PROTECTION IDENTITY & ACCESS MANAGEMENT DETECTIVE CONTROLS

    AWS Security Pillar. The AWS Security pillar is the ability to protect information, systems, and assets while delivering business value through risk assessments and mitigation strategies. (Source: AWS Well-Architected Framework) INCIDENT RESPONSE

29. Identity & Access. • Only give the bare minimum privileges

    necessary • Enforce MFA for all users • Limit use of root account • Use temporary credentials for programmatic access • Review your IAM access periodically AWS Identity and Access Management (IAM), AWS Security Token Service (STS) QUESTIONS BEST PRACTICES KEY SERVICES • How do you manage your credentials? • How do you control human access? • How do you control programmatic access?

30. Multi-Factor Authentication. Configure a MFA device as another barrier of

    defense against attackers.

31. Use IAM Groups. IAM groups allow multiple users to share

    one policy and move users around to other groups as needed.

32. Least Privilege. Only give users the minimum amount of privileges

    necessary to do their job.

33. Use IAM Roles. IAM Roles are a way to give

    permissions to other trusted entities

34. Scale using AWS Organisations

35. Leverage on SSO / Landing Zone

36. Detective Controls. • How do you detect and investigate security

    events? • How do you defend against emerging security threats? • Enable CloudTrail API and multi-region logging • Enable GuardDuty in all accounts and regions • Integrate all your logs in CloudWatch Cloudwatch, CloudTrail, GuardDuty QUESTIONS BEST PRACTICES KEY SERVICES

37. AWS CloudTrail is a service that records activity made on

    your AWS account and delivers log files to your S3 bucket. CloudTrail.

38. CloudTrail Best Practices. • Enable CloudTrail for all regions •

    Enable logging for management events • Log S3 object-level API activity

39. GuardDuty is a threat detection service that continuously monitors for

    malicious activity and unauthorized behavior to protect your AWS accounts and workloads GuardDuty. Source

40. Crowd Source Detective Controls.

41. Infrastructure Protection. • How do you protect your networks? •

    How do you protect your compute resources? • Open only the necessary ports for operation • Automate deployment and maintenance whenever possible • Use IAM to configure user-level access Virtual Private Cloud (VPC) QUESTIONS BEST PRACTICES KEY SERVICES

42. Get your VPC Architecture right (Source)

43. Security Group vs. NACL. • Network Access control lists are

    applied at the subnet level, • Security groups has to be assigned explicitly to the instance.

44. Data Protection. • How do you classify your data? •

    How do you protect your data at rest? • How do you protect your data in transit? • Classify your data using resource tags, IAM policies, etc. • Use tokenization and encryption for highly sensitive information • Define clear protocols for data backup/replication/recovery Key Management System (KMS), S3 DATA PROTECTION BEST PRACTICES KEY SERVICES

45. Data at Rest vs. Data In Transit. Data at Rest

    Data in Transit What it is? Data that persists for any duration Data that gets transmitted from one system to another Where is it stored? Block storage, object storage, databases, archives, and any other storage medium None Why protect it? Reduce the risk of unauthorized access Protect the confidentiality and integrity of the application’s data How to you protect it? Use encryption keys when uploading data Select secure protocols that implement the latest cryptography standards (like TLS)

46. Encryption At Rest. (source)

47. S3 Policies. • Block public access from S3 bucket •

    Enable object-level logging (like GetObject and PutObject) • Enable encryption on the S3 bucket

48. Key Management Use Amazon KMS to create and manage encryption

    keys,, which will then be used to encrypt various AWS resources like S3 objects and database instances.

49. AWS vs. Custom Key Stores. AWS Key store Custom Key

    Manager AWS Customer Advantages Enabled in KMS by default. Less setup time Higher rate limit Automatic key rotation Direct control of key store Compliance for industries that require on-premise hardware security modules (HSMs) Drawbacks Less control of key store Not for industries with stringent auditing requirements Requires at least 2 CloudHSMs. Customer responsible for rotating keys.

50. Incident Response. • How do you respond to an incident?

    • Have a defined incident response policy in place • Use resource tags to organize process • Use the “Clean Room” approach when investigating the root cause • Configure logs to audit as much as possible VPC, IAM, CloudFormation QUESTIONS BEST PRACTICES KEY SERVICES

51. Security Disaster Plan. The security disaster plan is the process

    that describes the different steps to take in case an incident happens. It is different from the disaster recovery plan, which focuses on business continuity. SECURITY PLAN

52. One Last Thing 05

53. Define an AWS Account Strategy Learn more: https://speakerdeck.com/stevepotayteo/architecting-around-multiple-aws-accounts

54. None

55. To know how to secure any cloud provider, you need

    to learn it

56. And automate everything!

57. Every AWS Account is a Blank Cheque

58. Questions?

59. LET’S GO.