
Securing Your AWS Cloud Infrastructure v2

Steve Teo
October 19, 2019


Presented variants of this deck during AWS DevDay Beijing 2019 and AWS Jakarta User Group October 2019 Meetup



Transcript

  1. Securing Your AWS Cloud Infrastructure
     DEV DAY, Beijing, 19.10.19
     Steve Teo, Director of Cloud Security Engineering, Horangi Cyber Security
     www.linkedin.com/in/steveteo
     © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
  2. Steve “Potay” Teo
     • Director of Cloud Security Engineering @ Horangi
     • CloudDevSecOps Fanatic
     • 4+ years working on AWS
     • Totally uncertified and proud :P
  3. Background
     • 2015 – 2016: Migration of 2 AWS Accounts to 40+ AWS Accounts
     • 2016 – 2018: Enterprise Architecture for AWS Accounts & VPC
     • Current: Product Development Lead of AWS-focused Cloud Security Product
     • Areas of Interests for AWS
  4. Community
     https://www.meetup.com/AWS-SG/
  5. Questions
     • How many of you are already using AWS?
     • How many of you are
     • How many of you think your AWS Accounts are secure?
  6. Agenda
     • Why secure your cloud infrastructure?
     • How do these cloud security breaches happen?
     • What can you do to protect your infrastructure?
  7. WHY SECURE YOUR CLOUD INFRASTRUCTURE?
  8. Increasing Usage of the Cloud
     (chart)
  9. “The reason why Google and Facebook are the most powerful companies in the world is because last year data surpassed oil in value” - Brittany Kaiser (The Great Hack)
  10. Cloud Security Breaches are a constant reality
     • OCT 2017: Accenture accidentally configured four AWS S3 buckets to be accessible to the public
     • NOV 2017: Uber’s AWS account was hacked, compromising the personal information of 57 million users worldwide, including 600,000 drivers
     • MAR 2018: An error in GoDaddy’s S3 bucket configuration led to the exposure of internal information
  11. Cloud Security Breaches are a constant reality
     • FEB 2019: Security researcher Bob Diachenko discovered the Dow Jones Watchlist dataset sitting on a public AWS Elasticsearch cluster
     • APR 2019: Breach hunters found two Amazon cloud servers storing over 540 million Facebook-related records
     • JULY 2019: An unauthorized user accessed data stored in AWS S3 buckets. Loss of over 100 million credit card applications and 100 thousand social security numbers.
  12. Negative Business Impact
     • Loss of trust
     • Loss of revenue
     • Intellectual property theft
     • Go out of business
  13. Why do these Cloud Security Breaches happen?
  14. By 2020, 95% of cloud security failures will be the customer's fault - Gartner
  15. Cloud Security Is A Shared Responsibility
     “Security in the Cloud” vs. “Security of the Cloud”
  16. Failure Points of “Security in the Cloud”
     (diagram: a VPC in the AWS Cloud spanning Availability Zone 1 and Availability Zone 2, each with an Auto Scaling group, a NAT Gateway and EC2 instances under Amazon EC2 Auto Scaling)
  17. Every AWS Account is a Blank Cheque – Steve Teo
  18. AWS Account - The “Castle”
  19. AWS Account - “Castle” Breach #GGWP
  20. Workload – AWS Services & Resources
     • 165+ Services over 24 categories
     • Most of them have a configurable security model, but some are really complex (eg. S3)
     • Requires combination of
     • Huge potential of
  21. Dissecting The Problem: PROCESS, TECHNOLOGY, PEOPLE
  22. Asia faces a critical shortage of security expertise.
     (ISC)2 research points to a global deficit in cyber security expertise totaling almost 3m roles. Asia Pacific contributes the vast majority of this gap on account of its growing economies and new legislation being enacted in the region.
     Regional figures shown on the slide: 498k, 2.1m, 142k, 136k
     Source: (ISC)2 Cybersecurity Workforce Study, 2018 - available at https://www.isc2.org/Research/Workforce-Study
  23. Lack of Security Policy
     • Lack of mandate, expertise and resources to translate traditional security strategy and policies to those that apply to Public Cloud
     • Business driven “Shadow IT”
     Ref: https://accudatasystems.com/why-most-companies-fail-at-cloud-security/
     Figure 1: NIST Cybersecurity Framework.
  24. Challenge - Shift in Operating Model
     Traditional Data Center: changes in the environment are usually slow and controlled by few
     Public Cloud: changes in the environment occur continuously and are usually made by many
  25. Agility leads to more change events
     (chart: change events (application / infrastructure) over time, Public Cloud vs. Traditional Hosting)
  26. Who makes the changes?
     (diagram: Public Cloud vs. Traditional Hosting)
  27. Lack of Cloud-Specific Security Tools
     Complexity - People - Changes
     (diagram: the same VPC / Auto Scaling architecture as slide 16)
  28. What can you do to protect your Cloud Infrastructure?
  29. Fixing The Problem: PROCESS, TECHNOLOGY, PEOPLE
  30. • “Cloud Security Is A Shared Responsibility”
     • Security Mindset - Security is everyone’s responsibility
     • Invest in your people - Re-train, upskill, certify
     • Hire Smart, Hire Right People
  31. Process
     • Make sure the mandate to secure the Cloud is established
     • Align security goals with business goals to then secure expertise, resource, budget
     • Get the best, forward-looking and collaborative people in your organization to work on this. Setting up strategy and policies is not easy work!
     • AWS Security Whitepapers
       • https://d0.awsstatic.com/whitepapers/aws-security-whitepaper.pdf
       • https://d0.awsstatic.com/whitepapers/compliance/NIST_Cybersecurity_Framework_CSF.pdf
       • https://aws.amazon.com/security/security-resources/
     • Get Help!
  32. What to look for in Cloud Security Tools
     • Understand Security In and Of the Cloud
     • “Shift left”
     • Automate Continuous Scanning and Auditing
     • Integrates into modern development workflows
     • Accessible to All
     Figure 1: NIST Cybersecurity Framework.
  33. Warden – Cloud Security Configuration Checker
     https://www.horangi.com/products/warden/
  34. Getting Your Security Architecture Right
  35. Security Architecture - Layered Defense in Depth
  36. AWS Well-Architected Framework.
     The AWS Well-Architected Framework is a framework developed to help AWS cloud architects build secure, high-performing, resilient, and efficient infrastructure.
     Pillars: RELIABILITY, PERFORMANCE EFFICIENCY, OPERATIONAL EXCELLENCE, SECURITY, COST OPTIMIZATION
  38. AWS Security Pillar.
     The AWS Security pillar is the ability to protect information, systems, and assets while delivering business value through risk assessments and mitigation strategies.
     Areas: INFRASTRUCTURE PROTECTION, DATA PROTECTION, IDENTITY & ACCESS MANAGEMENT, DETECTIVE CONTROLS, INCIDENT RESPONSE
  39. Identity & Access Management
     • Key Questions
       • How do you manage credentials?
       • How do you control human access?
       • How do you control programmatic access?
     • Key AWS Services
       • AWS Identity and Access Management (IAM)
       • AWS Security Token Service (STS)
  40. Multi-Factor Authentication.
     Configure an MFA device as another barrier of defense against attackers.
  41. Principle of Least Privilege.
     Only give users the minimum amount of privileges necessary to do their job.
  42. Use IAM Groups.
     IAM groups allow multiple users to share one policy and move users around to other groups as needed.
  43. Use IAM Roles.
     IAM Roles are a way to give permissions to other trusted entities.
  44. Define an AWS Account Strategy.
     (diagram: a single AWS account vs. several AWS accounts)
  45. Leverage on Bastion Account or Single Sign On.
     (diagram: a Bastion AWS Account in front of several AWS Accounts)
  46. Scale using AWS Organisations
     (diagram)
  47. Detective Controls
     • Key Questions
       • How do you detect and investigate security events?
       • How do you defend against emerging security threats?
     • Key AWS Services
       • CloudTrail
       • Config
       • CloudWatch Alarms
  48. Adopt CloudTrail Best Practices.
     • Enable CloudTrail for all regions
     • Log management events
     • Record Global Services (eg. IAM)
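The three CloudTrail bullets above are the kind of thing a configuration checker (slide 32's "automate continuous scanning and auditing") can verify on every run. The following is an added example, not code from the deck, from Horangi or from AWS: an audit over a snapshot of an account's trails. It goes slightly beyond the slide by also checking log file validation, which comes from the Logging section of the CIS AWS Foundations Benchmark referenced later in the deck. The snapshot shape is an assumption that flattens what boto3's `describe_trails`, `get_event_selectors` and `get_trail_status` return; both snapshots are constructed so the check runs offline.

```python
"""CloudTrail best-practice audit over a constructed account snapshot (added example)."""

# Constructed: one single-region trail that only logs write management events.
WEAK_ACCOUNT = {
    "trails": [
        {
            "Name": "ops-trail",
            "HomeRegion": "ap-southeast-1",
            "IsMultiRegionTrail": False,
            "IncludeGlobalServiceEvents": False,
            "LogFileValidationEnabled": False,
            "IsLogging": True,  # from get_trail_status in a real snapshot
            "EventSelectors": [
                {"ReadWriteType": "WriteOnly", "IncludeManagementEvents": True}
            ],
        }
    ]
}

# Constructed: a trail that satisfies every check below.
GOOD_ACCOUNT = {
    "trails": [
        {
            "Name": "org-trail",
            "HomeRegion": "ap-southeast-1",
            "IsMultiRegionTrail": True,
            "IncludeGlobalServiceEvents": True,
            "LogFileValidationEnabled": True,
            "IsLogging": True,
            "EventSelectors": [
                {"ReadWriteType": "All", "IncludeManagementEvents": True}
            ],
        }
    ]
}


def trail_logs_all_management_events(trail):
    """True if some event selector records both read and write management events."""
    return any(
        sel.get("IncludeManagementEvents") and sel.get("ReadWriteType") == "All"
        for sel in trail.get("EventSelectors", [])
    )


def audit_cloudtrail(snapshot):
    """Return finding strings; an empty list means the snapshot meets the
    deck's three CloudTrail recommendations plus log file validation."""
    trails = snapshot.get("trails", [])
    if not trails:
        return ["No CloudTrail trail configured"]
    findings = []

    active = [t for t in trails if t.get("IsLogging")]
    if not active:
        findings.append("No trail is currently logging")

    # Slide: "Enable CloudTrail for all regions"
    if not any(t.get("IsMultiRegionTrail") for t in active):
        findings.append("No active multi-region trail: activity in other regions is unrecorded")

    # Slide: "Record Global Services (eg. IAM)"
    if not any(t.get("IncludeGlobalServiceEvents") for t in active):
        findings.append("No active trail records global service events (IAM, STS)")

    # Slide: "Log management events" (reads and writes, not writes only)
    if not any(trail_logs_all_management_events(t) for t in active):
        findings.append("No active trail records all (read and write) management events")

    # CIS AWS Foundations Benchmark, Logging section (not one of the slide bullets)
    for t in active:
        if not t.get("LogFileValidationEnabled"):
            findings.append(f"Trail {t['Name']}: log file validation disabled")
    return findings


if __name__ == "__main__":
    print("weak:", audit_cloudtrail(WEAK_ACCOUNT))
    print("good:", audit_cloudtrail(GOOD_ACCOUNT))
```

The write-only selector is the subtle one: a trail can exist, be multi-region and still miss the read calls (`ListBuckets`, `GetObject` on management paths, `DescribeInstances`) that reconnaissance produces, which is why the check insists on `ReadWriteType` of `All`.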
  49. Turn on AWS Config - Record, audit and evaluate configurations of your AWS resources
  50. GuardDuty.
  51. Infrastructure Protection
     • Key Questions
       • How do you protect networks and hosts?
       • How do you protect services you consume?
     • Key AWS Services
       • Virtual Private Cloud (VPC)
       • Systems Manager
       • CloudFormation
       • IAM
  52. Get your VPC Architecture right (Source)
  53. Restrict Your Security Groups
     • Security groups have to be assigned explicitly to the resource or ENI
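"Restrict your security groups" is easy to state and easy to drift from, so it is worth automating the check. The following is an added example, not code from the deck or from Horangi: it flags ingress rules that expose administrative ports (SSH, RDP) to the whole internet, which is the check behind the Networking recommendations of the CIS AWS Foundations Benchmark the deck points to later. The rule shape mirrors the `IpPermissions` entries returned by EC2's `describe_security_groups`; the group ids and rules are constructed.

```python
"""Security group ingress audit over constructed describe_security_groups data (added example)."""

ADMIN_PORTS = {22: "SSH", 3389: "RDP"}
ANYWHERE = {"0.0.0.0/0", "::/0"}

# Constructed security groups (ids are placeholders, not real resources).
SECURITY_GROUPS = [
    {
        "GroupId": "sg-0000000000000001",
        "GroupName": "bastion",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        ],
    },
    {
        "GroupId": "sg-0000000000000002",
        "GroupName": "app",
        "IpPermissions": [
            # "All traffic" from anywhere, written the way the API reports it:
            # protocol -1 carries no port range at all.
            {"IpProtocol": "-1",
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
             "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        ],
    },
    {
        "GroupId": "sg-0000000000000003",
        "GroupName": "locked-down",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        ],
    },
]


def _covers_port(rule, port):
    """Protocol -1 means every protocol and port; otherwise the TCP range must contain it."""
    if rule.get("IpProtocol") == "-1":
        return True
    if rule.get("IpProtocol") not in ("tcp", "6"):
        return False
    return rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)


def _open_to_world(rule):
    """True if any IPv4 or IPv6 source range is the unrestricted default route."""
    cidrs = [r.get("CidrIp") for r in rule.get("IpRanges", [])]
    cidrs += [r.get("CidrIpv6") for r in rule.get("Ipv6Ranges", [])]
    return any(c in ANYWHERE for c in cidrs)


def audit_security_groups(groups):
    """Return (GroupId, port, service) for each admin port reachable from anywhere."""
    findings = []
    for sg in groups:
        for rule in sg.get("IpPermissions", []):
            if not _open_to_world(rule):
                continue
            for port, service in ADMIN_PORTS.items():
                if _covers_port(rule, port):
                    findings.append((sg["GroupId"], port, service))
    return findings


if __name__ == "__main__":
    for finding in audit_security_groups(SECURITY_GROUPS):
        print(finding)
```

Note the two ways a group ends up exposed: an explicit port-22 rule (the `bastion` group) and an "all traffic" rule, which has no port fields and would be missed by a check that only compares `FromPort`/`ToPort`. The `locked-down` group shows the intended end state: SSH only from the private range, and only the public-facing port open to the world.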
  54. Secure your S3 Buckets
     • Block public access where possible
     • Understand the difference between
       • S3 ACL
       • S3 Bucket Policy
       • IAM Policy for S3
     Block public access
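The slide asks you to understand how the three S3 access mechanisms differ, and the difference matters for the breaches on slides 10 and 11: a bucket becomes public through its ACL or its bucket policy, never through an IAM identity policy (which only grants to principals you already control), and the Block Public Access settings neutralise each of the first two differently. The following is an added example, not code from the deck, from Horangi or from AWS: it evaluates constructed buckets whose fields mirror `get_bucket_acl` (`Grants`), `get_bucket_policy` and `get_public_access_block` responses. The policy evaluation is deliberately simplified (no `Condition` handling), which is an assumption of the example.

```python
"""S3 public-exposure evaluation over constructed bucket data (added example)."""
import json

# Grantee URIs S3 uses for "everyone" and "any AWS account"; both count as public.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"

# Constructed bucket policy granting anonymous read on a made-up bucket.
PUBLIC_READ_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-static-site/*",
    }],
})

BLOCK_ALL = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
             "BlockPublicPolicy": True, "RestrictPublicBuckets": True}

# Constructed buckets (names are placeholders).
BUCKETS = {
    # World-readable ACL and no Block Public Access: exposed through the ACL.
    "example-legacy-exports": {
        "Grants": [{"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}],
        "Policy": None,
        "PublicAccessBlock": None,
    },
    # Same ACL, but IgnorePublicAcls makes S3 disregard it.
    "example-legacy-exports-fixed": {
        "Grants": [{"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}],
        "Policy": None,
        "PublicAccessBlock": BLOCK_ALL,
    },
    # Public policy with BlockPublicPolicy but not RestrictPublicBuckets:
    # new public policies are rejected, the existing one keeps working.
    "example-static-site": {
        "Grants": [],
        "Policy": PUBLIC_READ_POLICY,
        "PublicAccessBlock": dict(BLOCK_ALL, RestrictPublicBuckets=False),
    },
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _is_public_principal(principal):
    """Principal "*" or {"AWS": "*"} means anyone, including anonymous callers."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def acl_is_public(grants):
    return any(g.get("Grantee", {}).get("URI") in (ALL_USERS, AUTHENTICATED_USERS)
               for g in grants)


def policy_is_public(policy_json):
    """Simplified: any Allow statement with a public principal, Conditions ignored."""
    if not policy_json:
        return False
    doc = json.loads(policy_json)
    return any(s.get("Effect") == "Allow" and _is_public_principal(s.get("Principal"))
               for s in _as_list(doc.get("Statement", [])))


def exposure(bucket):
    """List the mechanisms ('acl', 'policy') through which the bucket is publicly reachable,
    taking the bucket's Block Public Access settings into account."""
    block = bucket.get("PublicAccessBlock") or {}
    reasons = []
    if acl_is_public(bucket.get("Grants", [])) and not block.get("IgnorePublicAcls"):
        reasons.append("acl")
    if policy_is_public(bucket.get("Policy")) and not block.get("RestrictPublicBuckets"):
        reasons.append("policy")
    return reasons


def audit_buckets(buckets):
    return {name: exposure(b) for name, b in buckets.items()}


if __name__ == "__main__":
    for name, reasons in audit_buckets(BUCKETS).items():
        print(name, "PUBLIC via " + ", ".join(reasons) if reasons else "not public")
```

The third bucket is the case that catches people: turning on `BlockPublicPolicy` alone stops new public policies from being saved but does nothing about one that is already attached; `RestrictPublicBuckets` is the setting that actually closes it, which is why the slide's advice is the full "block public access" set rather than one toggle.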
  55. Use Systems Manager for Automation across Hosts
  56. Data Protection
     • Key Questions
       • How do you classify your data?
       • How do you protect your data at rest?
       • How do you protect your data in transit?
     • Key AWS Services
       • Key Management System (KMS)
       • Elastic Load Balancer
       • CloudFront
       • API Gateway
  57. Understand Data at Rest vs. Data In Transit.
     What is it?
       Data at Rest: data that persists for any duration
       Data in Transit: data that gets transmitted from one system to another
     Where is it stored?
       Data at Rest: block storage, object storage, databases, archives, and any other storage medium
       Data in Transit: none
     Why protect it?
       Data at Rest: reduce the risk of unauthorized access
       Data in Transit: protect the confidentiality and integrity of the application’s data
     How do you protect it?
       Data at Rest: use encryption keys when uploading data
       Data in Transit: select secure protocols that implement the latest cryptography standards (like TLS)
  58. Encryption At Rest.
  59. Incident Response
     • Key Questions
       • How do you respond to an incident?
       • Do you have enough to respond to an incident?
     • Key AWS Services
       • IAM
       • CloudTrail
  60. Security Disaster Plan.
     The security disaster plan is the process that describes the different steps to take in case an incident happens.
     • Have a defined incident response policy in place
     • Use resource tags to limit process
     • Use the “Clean Room” approach when investigating the root cause
     • Configure logs to audit as much as possible
  61. Quick Start: CIS–AWS Benchmark
     • Prescriptive guidance for configuring security options for a subset of Amazon Web Services with an emphasis on foundational, testable, and architecture agnostic settings.
     • CIS Benchmarks have been the de facto standard for prescriptive, industry-accepted best practices for securely configuring traditional IT components.
     • Has 49 recommendations that cover the following areas
       • Identity and Access Management
       • Logging
       • Monitoring
       • Networking
     Ref: https://d1.awsstatic.com/whitepapers/compliance/AWS_CIS_Foundations_Benchmark.pdf
  62. Quick Start: CIS–AWS Benchmark
  63. Key Takeaways
     • To know how to secure AWS, you need to learn AWS
     • Invest in your people, build a right security mindset culture
     • Make sure the mandate to secure the Cloud is established
     • Use security tools and automate where possible to avoid undifferentiated heavy lifting!
     • Adopt the Security Pillar of the AWS Well Architected Framework
  64. Every AWS Account is a Blank Cheque – Steve Teo
  65. Thank you!
     Steve Teo, Director of Cloud Security Engineering, Horangi Cyber Security
     www.linkedin.com/in/steveteo