101 Steps to Avoid a Security Disaster in the Cloud

Isn't it great how easily you can scale up in the cloud? The only problem is that disaster can strike just as quickly. We will start off by taking a look at some (in-)famous incidents of the past. Then we will discuss 101 steps for avoiding a security disaster, both in general and with specific services such as AWS and GitHub. This includes considerations for operations and development. Finally, we debate which services and risks you might want to avoid.

PS: Due to time constraints, 101 is a binary number here, not a decimal one.

Philipp Krenn

June 01, 2017

Transcript

  1. Perils of the ☁ Philipp Krenn @xeraa

  2. ViennaDB Papers We Love Vienna

  3. Infrastructure | Developer Advocate

  4. Who uses AWS, Azure,...?

  5. Does the cloud solve all your security issues?

  6. None
  7. "We can operate more securely on AWS than we can in our own data centers" Rob Alexander of CapitalOne #reinvent — Adrian Cockcroft, https://twitter.com/adrianco/status/651788241557942272
  8. AWS Security Bulletins https://aws.amazon.com/security/security-bulletins/ Xen, Heartbleed,...

  9. The main problem is...

  10. None
  11. [...] our data, backups, machine configurations and offsite backups were either partially or completely deleted. — http://www.codespaces.com
  12. None
  13. The person(s) used our account to order hundreds of expensive servers, likely to mine Bitcoin or other cryptocurrencies. — http://blog.drawquest.com
  14. None
  15. This outage was the result of an attack on our systems using a compromised API key. — http://status.bonsai.io/incidents/qt70mqtjbf0s
  16. None
  17. Secure your accounts in 101 steps

  18. 000 Accounts

  19. Lock away your root account and never use it

  20. Always use Identity and Access Management (IAM)

  21. None
  22. One IAM user per service / action or use delegation

  23. 001 Access

  24. Only allow what is necessary: the principle of least access

  25.
    {
      "Statement": [
        {
          "Effect": "Allow",
          "Action": "*",
          "Resource": "*"
        },
        {
          "Effect": "Deny",
          "Action": [
            "ec2:ReleaseAddress",
            "route53:DeleteHostedZone"
          ],
          "Resource": "*"
        }
      ]
    }
  26. Use groups to manage permissions for users

  27.
    {
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "s3:ListAllMyBuckets",
            "s3:ListBucket"
          ],
          "Resource": "arn:aws:s3:::*"
        },
        {
          "Action": [
            "s3:PutObject",
            "s3:GetObject",
            "s3:DeleteObject"
          ],
          "Effect": "Allow",
          "Resource": "arn:aws:s3:::com.example.backup/*"
        }
      ]
    }
  29. IAM permissions for few people

  30. 010 Authentication

  31. Use strong passwords

  32. None
  33. None
  34. Use Multi Factor Authentication (MFA)

  35. None
  36. None
  37. Hardware token & fallback questions

  38. 011 Code

  39. Never commit your credentials

  40. 100 Network

  41. Enable IP restrictions

  42.
    {
      "Statement": [
        {
          "Effect": "Allow",
          "Action": "*",
          "Resource": "*"
        },
        {
          "Effect": "Deny",
          "Action": "*",
          "Resource": "*",
          "Condition": {
            "NotIpAddress": {
              "aws:SourceIp": ["1.2.3.4/24", "5.6.7.8/28"]
            }
          }
        }
      ]
    }
  43. None
  44. 101 Tools

  45. Enable billing alerts

  46. None
  47. Enable CloudTrail

  48.
    {
      "Records": [
        {
          "eventVersion": "1.0",
          "userIdentity": {
            "type": "IAMUser",
            "principalId": "EX_PRINCIPAL_ID",
            "arn": "arn:aws:iam::123456789012:user/Alice",
            "accountId": "123456789012",
            "accessKeyId": "EXAMPLE_KEY_ID",
            "userName": "Alice"
          },
          "eventTime": "2015-09-09T19:01:59Z",
          "eventSource": "ec2.amazonaws.com",
          "eventName": "StopInstances",
          "awsRegion": "eu-west-1",
          "sourceIPAddress": "205.251.233.176",
          "userAgent": "ec2-api-tools 1.6.12.2",
          "requestParameters": {
            "instancesSet": {
              "items": [
                { "instanceId": "i-ebeaf9e2" }
              ]
            },
            "force": false
          },
          ...
        },
        ...
      ]
    }
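A small custom check over exported CloudTrail records, as an added Python example that is not part of the talk: it flags root-account use, calls from outside the two CIDRs of the IP-restriction policy on slide 42, and the two actions the policy on slide 25 explicitly denies. The sample records are constructed for this example; eventID and the Root identity type are standard CloudTrail fields.

```python
import ipaddress
import json

# Ranges the IP-restriction policy on the slides permits (strict=False: "1.2.3.4/24" has host bits set).
ALLOWED_RANGES = [ipaddress.ip_network(c, strict=False) for c in ("1.2.3.4/24", "5.6.7.8/28")]
# Actions the example IAM policy on the slides explicitly denies.
DESTRUCTIVE_ACTIONS = {"ec2:ReleaseAddress", "route53:DeleteHostedZone"}

def ip_allowed(source_ip):
    """True if a CloudTrail sourceIPAddress falls inside an allowed range."""
    addr = ipaddress.ip_address(source_ip)
    return any(addr in net for net in ALLOWED_RANGES)

def iam_action(record):
    """eventSource 'ec2.amazonaws.com' + eventName 'StopInstances' -> IAM action 'ec2:StopInstances'."""
    return f"{record['eventSource'].split('.', 1)[0]}:{record['eventName']}"

def findings_for(record):
    """Findings (strings) for one CloudTrail record; an empty list means nothing suspicious."""
    findings = []
    if record.get("userIdentity", {}).get("type") == "Root":
        findings.append("root account used")
    source_ip = record.get("sourceIPAddress", "")
    try:
        if not ip_allowed(source_ip):
            findings.append(f"call from unexpected address {source_ip}")
    except ValueError:
        pass  # calls made by AWS services carry a DNS name here, not an IP
    if iam_action(record) in DESTRUCTIVE_ACTIONS:
        findings.append(f"destructive action {iam_action(record)}")
    return findings

def scan(trail_json):
    """Scan one CloudTrail log file body; returns {eventID: findings} for flagged records only."""
    results = {}
    for record in json.loads(trail_json)["Records"]:
        hits = findings_for(record)
        if hits:
            results[record["eventID"]] = hits
    return results

# Constructed sample log (not real data), modelled on the record shown on the slide above.
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventID": "a1", "userIdentity": {"type": "IAMUser", "userName": "Alice"},
     "eventSource": "ec2.amazonaws.com", "eventName": "StopInstances", "sourceIPAddress": "205.251.233.176"},
    {"eventID": "b2", "userIdentity": {"type": "Root"},
     "eventSource": "ec2.amazonaws.com", "eventName": "ReleaseAddress", "sourceIPAddress": "1.2.3.10"},
    {"eventID": "c3", "userIdentity": {"type": "IAMUser", "userName": "Bob"},
     "eventSource": "s3.amazonaws.com", "eventName": "ListBuckets", "sourceIPAddress": "5.6.7.5"},
]})
```

Running `scan(SAMPLE_TRAIL)` flags Alice's call from an address outside the allowed ranges and the root-account ReleaseAddress call, while Bob's ListBuckets from an allowed address produces nothing.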
  49. Export to an external system

  50. None
  51. Check your security status

  52. None
  53. Premium support: Trusted Advisor security checks

  54. None
  55. Custom tools

  56. None
  57. None
  58. None
  59. Attacks

  60. Make money

  61. Destroy competition

  62. Defend yourself

  63. To do and not to do

  64. If a key is compromised rotate it

  65. Store your secrets

  66. 1. Environment variables
      2. Encrypted files in SCM
      3. Vaults

  67. http://ejohn.org/blog/keeping-passwords-in-source-control/

  68. None
  69. #!/bin/bash
    # Encrypts a plaintext file into <file>.aes256 and removes the plaintext,
    # or decrypts a .aes256 file back to its original name next to it.
    set -e
    FILE=$1
    [ -n "$FILE" ] || { echo "usage: $0 <file>" >&2; exit 1; }
    FILENAME=$(basename "$FILE")
    EXTENSION="${FILENAME##*.}"
    if [[ "$EXTENSION" != "aes256" ]]; then
      echo "Encrypting $FILENAME and removing the plaintext file"
      openssl aes-256-cbc -e -a -in "$FILE" -out "${FILE}.aes256"
      rm "$FILE"
    else
      echo "Decrypting $FILENAME"
      # strip the .aes256 extension to get the original path
      openssl aes-256-cbc -d -a -in "$FILE" -out "${FILE%.*}"
    fi
  70. $ ls
    truststore.jks.aes256
    $ encrypt-decrypt.sh truststore.jks.aes256
    Contact operations@xxx.com for the password
    Decrypting truststore.jks.aes256
    enter aes-256-cbc decryption password:
    $ ls
    truststore.jks  truststore.jks.aes256
  71. Vaults: HashiCorp Vault, Ansible Vault

  72. Check your code: https://github.com/michenriksen/gitrob and https://github.com/awslabs/git-secrets

  73. Conclusion

  74. There's no ✨

  75. 140 servers running on my AWS account. What? How? I only had S3 keys on my GitHub and they were gone within 5 minutes! — http://www.devfactor.net/2014/12/30/2375-amazon-mistake/
  76. How a bug in Visual Studio 2015 exposed my source code on GitHub and cost me $6,500 in a few hours — https://www.humankode.com/security/how-a-bug-in-visual-studio-2015-exposed-my-source-code-on-github-and-cost-me-6500-in-a-few-hours
  77. None
  78. Thanks! Questions? Philipp Krenn @xeraa

  79. Image Credit → Mobile https://flic.kr/p/j7hLsu → XKCD http://xkcd.com/936/