101 Steps to Avoid a Security Disaster in the Cloud

Isn't it great how easily you can scale up in the cloud? The only problem is that disaster can strike just as quickly. We will start off by taking a look at some (in-)famous incidents of the past. Then we will discuss 101 steps on how to avoid a security disaster, both in general and with specific services such as AWS and GitHub. This includes considerations for operations and development. Finally, we debate which services and risks you might want to avoid.

PS: Due to time constraints, 101 is a binary number, not a decimal one.

Philipp Krenn

June 01, 2017
Transcript

  1. Perils of the

    Philipp Krenn @xeraa

  2. ViennaDB
    Papers We Love Vienna

  3. Infrastructure | Developer Advocate

  4. Who uses
    AWS, Azure,...?

  5. Does the cloud solve all
    your security issues?

  6. (image-only slide)

  7. "We can operate more
    securely on AWS than we can
    in our own data centers" Rob
    Alexander of CapitalOne
    #reinvent
    — Adrian Cockcroft, https://twitter.com/adrianco/status/651788241557942272

  8. AWS Security Bulletins
    https://aws.amazon.com/security/security-bulletins/
    Xen, Heartbleed,...

  9. The main problem is...

  10. (image-only slide)

  11. [...] our data, backups,
    machine configurations and
    offsite backups were either
    partially or completely
    deleted.
    — http://www.codespaces.com

  12. (image-only slide)

  13. The person(s) used our
    account to order hundreds
    of expensive servers, likely
    to mine Bitcoin or other
    cryptocurrencies.
    — http://blog.drawquest.com

  14. (image-only slide)

  15. This outage was the
    result of an attack on our
    systems using a
    compromised API key.
    — http://status.bonsai.io/incidents/qt70mqtjbf0s

  16. (image-only slide)

  17. Secure your
    accounts
    In 101 steps

  18. 000
    Accounts

  19. Lock away your root
    account and never use it

  20. Always use Identity and
    Access Management (IAM)

  21. (image-only slide)

  22. One IAM user per
    service / action or use
    delegation

  23. 001
    Access

  24. Only allow what is
    necessary
    Principle of least privilege

  25. { "Statement": [
        {
          "Effect": "Allow",
          "Action": "*",
          "Resource": "*"
        },
        {
          "Effect": "Deny",
          "Action": [
            "ec2:ReleaseAddress",
            "route53:DeleteHostedZone"
          ],
          "Resource": "*"
        }
      ] }

  26. Use groups to manage
    permissions for users

  27. { "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "s3:ListAllMyBuckets",
            "s3:ListBucket"
          ],
          "Resource": "arn:aws:s3:::*"
        },
        {
          "Action": [
            "s3:PutObject",
            "s3:GetObject",
            "s3:DeleteObject"
          ],
          "Effect": "Allow",
          "Resource": "arn:aws:s3:::com.example.backup/*"
        }
      ] }

  29. IAM permissions for few
    people

  30. 010
    Authentication

  31. Use strong passwords

  32. (image-only slide)

  33. (image-only slide)

  34. Use Multi Factor
    Authentication (MFA)

  35. (image-only slide)

  36. (image-only slide)

  37. Hardware token &
    fallback questions

  38. 011
    Code

  39. Never commit your
    credentials

  40. 100
    Network

  41. Enable IP restrictions

  42. { "Statement": [
        {
          "Effect": "Allow",
          "Action": "*",
          "Resource": "*"
        },
        {
          "Effect": "Deny",
          "Action": "*",
          "Resource": "*",
          "Condition": {
            "NotIpAddress": {
              "aws:SourceIp": ["1.2.3.4/24", "5.6.7.8/28"]
            }
          }
        }
      ] }
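    The two policies above (the broad Allow with targeted Deny from slide 25 and the NotIpAddress restriction from slide 42) rely on IAM's rule that an explicit Deny always beats an Allow. This added Python model, not part of the deck, evaluates both policies with that rule, treating a request whose context lacks aws:SourceIp as outside the allowed ranges; the policy JSON is copied from the slides, the evaluator and its handling of only the NotIpAddress operator are assumptions of this example.

    ```python
    import fnmatch
    import ipaddress
    import json

    # Policies copied from the slides; the evaluator itself is an added, simplified model.
    LEAST_ACCESS_POLICY = json.loads("""{ "Statement": [
      { "Effect": "Allow", "Action": "*", "Resource": "*" },
      { "Effect": "Deny", "Resource": "*",
        "Action": ["ec2:ReleaseAddress", "route53:DeleteHostedZone"] } ] }""")

    IP_RESTRICTED_POLICY = json.loads("""{ "Statement": [
      { "Effect": "Allow", "Action": "*", "Resource": "*" },
      { "Effect": "Deny", "Action": "*", "Resource": "*",
        "Condition": { "NotIpAddress": { "aws:SourceIp": ["1.2.3.4/24", "5.6.7.8/28"] } } } ] }""")


    def _as_list(value):
        return value if isinstance(value, list) else [value]

    def _matches(patterns, value):
        # IAM action/resource wildcards ("*", "?") map directly onto fnmatch patterns.
        return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))

    def _condition_holds(condition, context):
        # Only the operator the slide uses is modelled; anything else is rejected loudly.
        for operator, pairs in condition.items():
            if operator != "NotIpAddress":
                raise ValueError(f"unsupported condition operator: {operator}")
            for key, cidrs in pairs.items():
                nets = [ipaddress.ip_network(c, strict=False) for c in _as_list(cidrs)]
                source = context.get(key)
                # A missing key makes NotIpAddress true, i.e. the Deny applies (fail closed).
                if source is not None and any(ipaddress.ip_address(source) in n for n in nets):
                    return False
        return True

    def evaluate(policy, action, resource, context=None):
        """Return 'Allow' or 'Deny': an explicit Deny always wins, otherwise Allow
        needs at least one matching Allow statement (implicit Deny by default)."""
        context = context or {}
        allowed = False
        for stmt in policy["Statement"]:
            if not (_matches(stmt["Action"], action) and _matches(stmt["Resource"], resource)):
                continue
            if not _condition_holds(stmt.get("Condition", {}), context):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"
            allowed = True
        return "Allow" if allowed else "Deny"
    ```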

  43. (image-only slide)

  44. 101
    Tools

  45. Enable billing alerts

  46. (image-only slide)

  47. Enable CloudTrail

  48. { "Records": [
        {
          "eventVersion": "1.0",
          "userIdentity": {
            "type": "IAMUser",
            "principalId": "EX_PRINCIPAL_ID",
            "arn": "arn:aws:iam::123456789012:user/Alice",
            "accountId": "123456789012",
            "accessKeyId": "EXAMPLE_KEY_ID",
            "userName": "Alice"
          },
          "eventTime": "2015-09-09T19:01:59Z",
          "eventSource": "ec2.amazonaws.com",
          "eventName": "StopInstances",
          "awsRegion": "eu-west-1",
          "sourceIPAddress": "205.251.233.176",
          "userAgent": "ec2-api-tools 1.6.12.2",
          "requestParameters": {
            "instancesSet": {
              "items": [
                { "instanceId": "i-ebeaf9e2" }
              ]
            },
            "force": false
          },
          ...
        },
        ...
      ] }

  49. Export to an external
    system
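    Once CloudTrail records are exported, the fields shown on slide 48 are enough to flag the kinds of activity behind the incidents at the start of the deck. This added Python triage pass, not part of the deck, runs over constructed sample records in that shape and reports root usage, calls from outside a trusted network, calls in a region you do not deploy to, and the destructive actions the slide 25 policy denies; the trusted network, home region and sample records are assumptions of this example.

    ```python
    import ipaddress
    import json

    # Constructed records in the CloudTrail shape shown above (sample data, not a real trail).
    SAMPLE_TRAIL = json.loads("""{ "Records": [
      { "eventTime": "2015-09-09T19:01:59Z", "eventSource": "ec2.amazonaws.com", "eventName": "StopInstances",
        "awsRegion": "eu-west-1", "sourceIPAddress": "205.251.233.176",
        "userIdentity": { "type": "IAMUser", "userName": "Alice", "arn": "arn:aws:iam::123456789012:user/Alice" } },
      { "eventTime": "2015-09-09T23:14:02Z", "eventSource": "ec2.amazonaws.com", "eventName": "RunInstances",
        "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.77",
        "userIdentity": { "type": "IAMUser", "userName": "Alice", "arn": "arn:aws:iam::123456789012:user/Alice" } },
      { "eventTime": "2015-09-10T01:03:44Z", "eventSource": "route53.amazonaws.com", "eventName": "DeleteHostedZone",
        "awsRegion": "us-east-1", "sourceIPAddress": "205.251.233.176",
        "userIdentity": { "type": "Root", "arn": "arn:aws:iam::123456789012:root" } } ] }""")

    # Assumed environment: office range, the region you deploy to, and the actions slide 25 denies.
    TRUSTED_NETWORKS = [ipaddress.ip_network("205.251.233.0/24")]
    HOME_REGIONS = {"eu-west-1"}
    DESTRUCTIVE_ACTIONS = {"ec2:ReleaseAddress", "route53:DeleteHostedZone"}


    def triage(records):
        """Return one finding per suspicious record, each listing why it was flagged."""
        findings = []
        for rec in records:
            ident = rec.get("userIdentity", {})
            who = ident.get("userName") or ident.get("arn", "unknown")
            # CloudTrail splits the IAM action into service (eventSource) and API name.
            action = rec["eventSource"].split(".")[0] + ":" + rec["eventName"]
            reasons = []
            if ident.get("type") == "Root":
                reasons.append("root account used")
            source = rec.get("sourceIPAddress", "")
            try:
                if not any(ipaddress.ip_address(source) in net for net in TRUSTED_NETWORKS):
                    reasons.append(f"untrusted source IP {source}")
            except ValueError:  # calls made by AWS services carry a DNS name here, not an IP
                reasons.append(f"non-IP source {source}")
            if rec["awsRegion"] not in HOME_REGIONS:
                reasons.append(f"unexpected region {rec['awsRegion']}")
            if action in DESTRUCTIVE_ACTIONS:
                reasons.append(f"destructive action {action}")
            if reasons:
                findings.append({"time": rec["eventTime"], "who": who,
                                 "action": action, "reasons": reasons})
        return findings
    ```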

  50. (image-only slide)

  51. Check your security
    status

  52. (image-only slide)

  53. Premium support:
    Trusted Advisor security checks

  54. (image-only slide)

  55. Custom tools

  56. (image-only slide)

  57. (image-only slide)

  58. (image-only slide)

  59. Attacks

  60. Make money

  61. Destroy competition

  62. Defend yourself

  63. To do and
    not to do

  64. If a key is compromised,
    rotate it

  65. Store your secrets

  66. 1. Environment variables
    2. Encrypted files in SCM
    3. Vaults

  67. http://ejohn.org/blog/keeping-passwords-in-source-control/

  68. (image-only slide)

  69. #!/bin/bash
    # Toggle: a plaintext file becomes <file>.aes256 (plaintext deleted), a .aes256 file is
    # decrypted back. Run it from the file's directory: basename strips any path component.
    FILE=$1
    FILENAME=$(basename "$FILE")
    EXTENSION="${FILENAME##*.}"
    NAME="${FILENAME%.*}"
    if [[ "$EXTENSION" != "aes256" ]]
    then
        echo "Encrypting $FILENAME and removing the plaintext file"
        # Delete the plaintext only if openssl actually wrote the ciphertext.
        openssl aes-256-cbc -e -a -in "$FILENAME" -out "${FILENAME}.aes256" && rm "$FILENAME"
    else
        echo "Decrypting $FILENAME"
        openssl aes-256-cbc -d -a -in "$FILENAME" -out "$NAME"
    fi

  70. $ ls
    truststore.jks.aes256
    $ encrypt-decrypt.sh truststore.jks.aes256
    Contact [email protected] for the password
    Decrypting truststore.jks.aes256
    enter aes-256-cbc decryption password:
    $ ls
    truststore.jks truststore.jks.aes256

  71. Vaults
    HashiCorp Vault
    Ansible Vault

  72. Check your code
    https://github.com/michenriksen/gitrob
    https://github.com/awslabs/git-secrets
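    Tools such as git-secrets work by matching credential patterns in what is about to be committed. This added Python check, not part of the deck or of either tool, shows the core of that idea for AWS keys (slides 39 and 72): a fixed-format regex for access key IDs, and a regex plus a Shannon-entropy threshold for 40-character secret keys so dummy values do not trip it. The staged file contents are constructed and use the placeholder credentials from the AWS documentation; the entropy threshold is an assumed value.

    ```python
    import math
    import re

    # Access key IDs have a fixed prefix and length; a secret key is 40 base64-ish
    # characters, so its regex is paired with an entropy check to suppress placeholders.
    ACCESS_KEY_RE = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
    SECRET_KEY_RE = re.compile(r"(?i)secret(?:_access)?_?key\W{0,5}([A-Za-z0-9/+=]{40})")
    ENTROPY_THRESHOLD = 4.0  # assumed cut-off; tune against your own false positives

    # Constructed staged content, using the placeholder credentials from the AWS docs.
    STAGED_FILES = {
        "config/prod.env": "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
                           'aws_secret_access_key = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"\n',
        "tests/fixtures.py": 'secret_key = "' + "a" * 40 + '"  # dummy value\n',
        "README.md": "Set AWS_ACCESS_KEY_ID in your environment, never in this repo.\n",
    }


    def shannon_entropy(text):
        if not text:
            return 0.0
        length = len(text)
        return -sum(text.count(c) / length * math.log2(text.count(c) / length) for c in set(text))

    def scan_text(path, text):
        """Return (path, line number, kind, redacted value) for each probable credential."""
        findings = []
        for lineno, line in enumerate(text.splitlines(), 1):
            for match in ACCESS_KEY_RE.finditer(line):
                findings.append((path, lineno, "aws-access-key-id", match.group(0)))
            for match in SECRET_KEY_RE.finditer(line):
                secret = match.group(1)
                if shannon_entropy(secret) >= ENTROPY_THRESHOLD:
                    findings.append((path, lineno, "aws-secret-access-key", secret[:4] + "..."))
        return findings

    def scan_staged(files):
        """Pre-commit style check: a non-empty result should block the commit."""
        findings = []
        for path, text in files.items():
            findings.extend(scan_text(path, text))
        return findings
    ```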

  73. Conclusion

  74. There's no ✨

  75. 140 servers running on my
    AWS account. What? How? I
    only had S3 keys on my
    GitHub and they were gone
    within 5 minutes!
    — http://www.devfactor.net/2014/12/30/2375-amazon-mistake/

  76. How a bug in Visual Studio
    2015 exposed my source
    code on GitHub and cost me
    $6,500 in a few hours
    — https://www.humankode.com/security/how-a-bug-in-visual-studio-2015-exposed-my-source-code-on-github-and-cost-me-6500-in-a-few-hours

  77. (image-only slide)

  78. Thanks!
    Questions?
    Philipp Krenn @xeraa

  79. Image Credit
    → Mobile https://flic.kr/p/j7hLsu
    → XKCD http://xkcd.com/936/