101 Steps to Avoid a Security Disaster in the Cloud

101 Steps to Avoid a Security Disaster in the Cloud

Isn't it great how easily you can scale up in the cloud? The only problem is that disaster can strike just as quickly. We will start off by taking a look at some (in-) famous incidents of the past. Then we will discuss 101 steps on how to avoid a security disaster both in general and by using specific services such as AWS and GitHub in specific. This includes considerations for operations and development. Finally, we debate which services and risks you might want to avoid.

PS: Due to time constraints 101 as a binary and not a decimal number.

Ce4685da897c912aa41a815435b40a5a?s=128

Philipp Krenn

June 01, 2017
Tweet

Transcript

  1. 6.
  2. 7.

    "We can operate more securely on AWS than we can

    in our own data centers" Rob Alexander of CapitalOne #reinvent — Adrian Cockcroft, https://twitter.com/adrianco/status/ 651788241557942272
  3. 10.
  4. 11.

    [...] our data, backups, machine configurations and offsite backups were

    either partially or completely deleted. — http://www.codespaces.com
  5. 12.
  6. 13.

    The person(s) used our account to order hundreds of expensive

    servers, likely to mine Bitcoin or other cryptocurrencies. — http://blog.drawquest.com
  7. 14.
  8. 15.

    This outage was the result of an attack on our

    systems using a compromised API key. — http://status.bonsai.io/incidents/qt70mqtjbf0s
  9. 16.
  10. 21.
  11. 25.

    { "Statement": [ { "Effect": "Allow", "Action": "*", "Resource": "*"

    }, { "Effect": "Deny", "Action": [ "ec2:ReleaseAddress", "route53:DeleteHostedZone" ], "Resource": "*" } ] }
  12. 27.

    { "Statement": [ { "Effect": "Allow", "Action": [ "s3:ListAllMyBuckets", "s3:ListBucket"

    ], "Resource": "arn:aws:s3:::*" }, { "Action": [ "s3:PutObject", "s3:GetObject", "s3:DeleteObject" ], "Effect": "Allow", "Resource": "arn:aws:s3:::com.example.backup/*" } ] }
  13. 28.

    { "Statement": [ { "Effect": "Allow", "Action": [ "s3:ListAllMyBuckets", "s3:ListBucket"

    ], "Resource": "arn:aws:s3:::*" }, { "Action": [ "s3:PutObject", "s3:GetObject", "s3:DeleteObject" ], "Effect": "Allow", "Resource": "arn:aws:s3:::com.example.backup/*" } ] }
  14. 32.
  15. 33.
  16. 35.
  17. 36.
  18. 38.
  19. 42.

    { "Statement": [ { "Effect": "Allow", "Action": "*", "Resource": "*"

    }, { "Effect": "Deny", "Action": "*", "Resource": "*", "Condition": { "NotIpAddress": { "aws:SourceIp": ["1.2.3.4/24", "5.6.7.8/28"] } } } ] }
  20. 43.
  21. 44.
  22. 46.
  23. 48.

    { "Records": [ { "eventVersion": "1.0", "userIdentity": { "type": "IAMUser",

    "principalId": "EX_PRINCIPAL_ID", "arn": "arn:aws:iam::123456789012:user/Alice", "accountId": "123456789012", "accessKeyId": "EXAMPLE_KEY_ID", "userName": "Alice" }, "eventTime": "2015-09-09T19:01:59Z", "eventSource": "ec2.amazonaws.com", "eventName": "StopInstances", "awsRegion": "eu-west-1", "sourceIPAddress": "205.251.233.176", "userAgent": "ec2-api-tools 1.6.12.2", "requestParameters": { "instancesSet": { "items": [ { "instanceId": "i-ebeaf9e2" } ] }, "force": false }, ... }, ... ] }
  24. 50.
  25. 52.
  26. 54.
  27. 56.
  28. 57.
  29. 58.
  30. 59.
  31. 68.
  32. 69.

    #!/bin/sh FILE=$1 FILENAME=$(basename "$FILE") EXTENSION="${FILENAME##*.}" NAME="${FILENAME%.*}" if [[ "$EXTENSION" !=

    "aes256" ]] then echo "Encrypting $FILENAME and removing the plaintext file" openssl aes-256-cbc -e -a -in $FILENAME -out ${FILENAME}.aes256 rm $FILENAME else then echo "Decrypting $FILENAME" openssl aes-256-cbc -d -a -in $FILENAME -out $NAME fi
  33. 70.

    $ ls truststore.jks.aes256 $ encrypt-decrypt.sh truststore.jks.aes256 Contact operations@xxx.com for the

    password Decrypting truststore.jks.aes256 enter aes-256-cbc decryption password: $ ls truststore.jks truststore.jks.aes256
  34. 75.

    140 servers running on my AWS account. What? How? I

    only had S3 keys on my GitHub and they where gone within 5 minutes! — http://www.devfactor.net/2014/12/30/2375-amazon- mistake/
  35. 76.

    How a bug in Visual Studio 2015 exposed my source

    code on GitHub and cost me $6,500 in a few hours — https://www.humankode.com/security/how-a-bug- in-visual-studio-2015-exposed-my-source-code-on- github-and-cost-me-6500-in-a-few-hours
  36. 77.