101 Steps to Avoid a Security Disaster in the Cloud

Isn't it great how easily you can scale up in the cloud? The only problem is that disaster can strike just as quickly. We will start off by taking a look at some (in)famous incidents of the past. Then we will discuss 101 steps on how to avoid a security disaster, both in general and for specific services such as AWS and GitHub. This includes considerations for operations and development. Finally, we debate which services and risks you might want to avoid.

PS: Due to time constraints, 101 is a binary and not a decimal number.

Philipp Krenn

June 01, 2017

Transcript

  1. Perils of the

    Philipp Krenn @xeraa

  2. ViennaDB
    Papers We Love Vienna

  3. Infrastructure | Developer Advocate

  4. Who uses
    AWS, Azure,...?

  5. Does the cloud solve all
    your security issues?

  6. "We can operate more
    securely on AWS than we can
    in our own data centers" Rob
    Alexander of CapitalOne
    #reinvent
    — Adrian Cockcroft, https://twitter.com/adrianco/status/651788241557942272

  7. AWS Security Bulletins
    https://aws.amazon.com/security/security-bulletins/
    Xen, Heartbleed,...

  8. The main problem is...

  9. [...] our data, backups,
    machine configurations and
    offsite backups were either
    partially or completely
    deleted.
    — http://www.codespaces.com

  10. The person(s) used our
    account to order hundreds
    of expensive servers, likely
    to mine Bitcoin or other
    cryptocurrencies.
    — http://blog.drawquest.com

  11. This outage was the
    result of an attack on our
    systems using a
    compromised API key.
    — http://status.bonsai.io/incidents/qt70mqtjbf0s

  12. Secure your
    accounts
    In 101 steps

  13. Lock away your root
    account and never use it

  14. Always use Identity and
    Access Management (IAM)

  15. One IAM user per
    service / action or use
    delegation

  16. Only allow what is
    necessary
    Principle of the least access

  17. {
      "Statement": [
        {
          "Effect": "Allow",
          "Action": "*",
          "Resource": "*"
        },
        {
          "Effect": "Deny",
          "Action": [
            "ec2:ReleaseAddress",
            "route53:DeleteHostedZone"
          ],
          "Resource": "*"
        }
      ]
    }

  18. Use groups to manage
    permissions for users

  19. {
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "s3:ListAllMyBuckets",
            "s3:ListBucket"
          ],
          "Resource": "arn:aws:s3:::*"
        },
        {
          "Effect": "Allow",
          "Action": [
            "s3:PutObject",
            "s3:GetObject",
            "s3:DeleteObject"
          ],
          "Resource": "arn:aws:s3:::com.example.backup/*"
        }
      ]
    }

  21. IAM permissions for few
    people

  22. 010
    Authentication

  23. Use strong passwords

  24. Use Multi Factor
    Authentication (MFA)

  25. Hardware token &
    fallback questions

  26. Never commit your
    credentials

  27. Enable IP restrictions

  28. {
      "Statement": [
        {
          "Effect": "Allow",
          "Action": "*",
          "Resource": "*"
        },
        {
          "Effect": "Deny",
          "Action": "*",
          "Resource": "*",
          "Condition": {
            "NotIpAddress": {
              "aws:SourceIp": ["1.2.3.4/24", "5.6.7.8/28"]
            }
          }
        }
      ]
    }
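The three policy documents on slides 17, 19 and 28 can be checked against concrete requests with a small evaluator. This is an added example written for this page, not AWS code and not the speaker's: it models only the subset of the IAM policy language those slides use (Effect, Action and Resource with wildcards, and the IpAddress/NotIpAddress operators on aws:SourceIp), and the actions, ARNs and source addresses used in the checks are assumed. Running it makes the difference between the two policy shapes visible: "Allow everything, Deny a few calls" (slides 17 and 28) still permits any action nobody thought to name, while the bucket policy of slide 19 denies by default and grants only what is listed.

```python
"""
Minimal evaluator for the policy documents on the slides (added example, not
AWS code). It implements only what those slides use: Effect, Action/Resource
with '*' and '?' wildcards, and IpAddress/NotIpAddress on aws:SourceIp.
The evaluation rule it does model faithfully: nothing is allowed unless an
Allow matches, and a matching explicit Deny always wins.
"""
import fnmatch
import ipaddress
import json

# Slide 17: allow everything, then deny two destructive calls.
POLICY_DENY_DESTRUCTIVE = json.loads("""
{ "Statement": [
  { "Effect": "Allow", "Action": "*", "Resource": "*" },
  { "Effect": "Deny",
    "Action": ["ec2:ReleaseAddress", "route53:DeleteHostedZone"],
    "Resource": "*" }
] }""")

# Slide 19: list any bucket, but touch objects only in the backup bucket.
POLICY_BACKUP_BUCKET = json.loads("""
{ "Statement": [
  { "Effect": "Allow",
    "Action": ["s3:ListAllMyBuckets", "s3:ListBucket"],
    "Resource": "arn:aws:s3:::*" },
  { "Effect": "Allow",
    "Action": ["s3:PutObject", "s3:GetObject", "s3:DeleteObject"],
    "Resource": "arn:aws:s3:::com.example.backup/*" }
] }""")

# Slide 28: allow everything, but deny any call from outside two ranges.
POLICY_IP_RESTRICTED = json.loads("""
{ "Statement": [
  { "Effect": "Allow", "Action": "*", "Resource": "*" },
  { "Effect": "Deny", "Action": "*", "Resource": "*",
    "Condition": { "NotIpAddress": {
      "aws:SourceIp": ["1.2.3.4/24", "5.6.7.8/28"] } } }
] }""")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value, fold_case):
    """IAM-style glob match; action names are case-insensitive, ARNs are not."""
    if fold_case:
        value = value.lower()
    return any(fnmatch.fnmatchcase(value, p.lower() if fold_case else p)
               for p in _as_list(patterns))


def _condition_holds(condition, context):
    """Evaluate the two IP operators. Any other operator raises instead of
    silently passing, so a policy using it is never mis-evaluated."""
    for operator, keys in condition.items():
        if operator not in ("IpAddress", "NotIpAddress"):
            raise NotImplementedError(operator)
        for key, cidrs in keys.items():
            ip = ipaddress.ip_address(context[key])
            # strict=False accepts a CIDR with host bits set, like the
            # slide's 1.2.3.4/24, and treats it as 1.2.3.0/24.
            in_range = any(ip in ipaddress.ip_network(c, strict=False)
                           for c in _as_list(cidrs))
            if in_range != (operator == "IpAddress"):
                return False
    return True


def is_allowed(policy, action, resource, context=None):
    """Default deny; an explicit Deny beats Allow whatever the statement order."""
    context = context or {}
    allowed = False
    for statement in policy["Statement"]:
        if not _matches(statement["Action"], action, fold_case=True):
            continue
        if not _matches(statement["Resource"], resource, fold_case=False):
            continue
        if not _condition_holds(statement.get("Condition", {}), context):
            continue
        if statement["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


if __name__ == "__main__":
    # Assumed requests: an action the deny list never mentions still passes.
    print(is_allowed(POLICY_DENY_DESTRUCTIVE, "iam:CreateUser", "*"))
    print(is_allowed(POLICY_BACKUP_BUCKET, "s3:GetObject",
                     "arn:aws:s3:::other-bucket/db.dump"))
    print(is_allowed(POLICY_IP_RESTRICTED, "ec2:StopInstances", "*",
                     {"aws:SourceIp": "9.9.9.9"}))
```

Two caveats on the IP condition worth knowing before copying slide 28: write the network address (1.2.3.0/24 rather than 1.2.3.4/24) so there is no ambiguity about what the range means, and remember that a blanket Deny on aws:SourceIp also hits AWS services that make calls on your behalf, since those requests do not originate from your ranges.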

  29. Enable billing alerts

  30. Enable CloudTrail

  31. {
      "Records": [
        {
          "eventVersion": "1.0",
          "userIdentity": {
            "type": "IAMUser",
            "principalId": "EX_PRINCIPAL_ID",
            "arn": "arn:aws:iam::123456789012:user/Alice",
            "accountId": "123456789012",
            "accessKeyId": "EXAMPLE_KEY_ID",
            "userName": "Alice"
          },
          "eventTime": "2015-09-09T19:01:59Z",
          "eventSource": "ec2.amazonaws.com",
          "eventName": "StopInstances",
          "awsRegion": "eu-west-1",
          "sourceIPAddress": "205.251.233.176",
          "userAgent": "ec2-api-tools 1.6.12.2",
          "requestParameters": {
            "instancesSet": {
              "items": [
                { "instanceId": "i-ebeaf9e2" }
              ]
            },
            "force": false
          },
          ...
        },
        ...
      ]
    }

  32. Export to an external
    system
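Exporting the trail only pays off if something reads it. The following is an added example, not from the slides and not AWS tooling: a handful of detection rules run over CloudTrail records in the shape of the sample on slide 31. The records are constructed for the example (the deploy key is AWS's documented example access key ID, not a live one), and the approved address ranges and the launch threshold are assumptions to tune per account. The rules encode earlier steps of this deck: the root account is never used (slide 13), console logins carry MFA (slide 24), API calls come from the approved addresses (slide 27), and nobody starts a fleet of instances within minutes, which is the pattern behind the DrawQuest incident on slide 10.

```python
"""
Detection rules over CloudTrail records (added example, not AWS tooling).
Each finding is a (rule, principal) pair; the records below are constructed.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

APPROVED_RANGES = [ipaddress.ip_network("1.2.3.0/24"),   # assumed: office
                   ipaddress.ip_network("5.6.7.0/28")]   # assumed: VPN
BURST_INSTANCES = 20                  # assumed: this many launches ...
BURST_WINDOW = timedelta(minutes=10)  # ... within this window is a burst


def _record(ident_type, name, key, when, event, source, **extra):
    """Build a constructed record carrying only the fields the rules read."""
    rec = {
        "userIdentity": {"type": ident_type, "userName": name,
                         "accessKeyId": key, "accountId": "123456789012"},
        "eventTime": when, "eventName": event, "sourceIPAddress": source,
    }
    rec.update(extra)
    return rec


def _run_instances(count):
    """requestParameters of a RunInstances call for `count` instances."""
    return {"requestParameters": {"instancesSet": {"items": [
        {"imageId": "ami-00000000", "minCount": count, "maxCount": count}]}}}


# Constructed sample trail: normal activity, then a leaked deploy key used
# from an unknown address to start 150 instances in three minutes.
SAMPLE_RECORDS = [
    _record("IAMUser", "Alice", "EXAMPLE_KEY_ID", "2017-06-01T09:55:00Z",
            "StopInstances", "1.2.3.10"),
    _record("Root", None, "EXAMPLE_ROOT_KEY", "2017-06-01T09:58:00Z",
            "ConsoleLogin", "1.2.3.10", additionalEventData={"MFAUsed": "Yes"}),
    _record("IAMUser", "Bob", "", "2017-06-01T09:59:00Z",
            "ConsoleLogin", "1.2.3.11", additionalEventData={"MFAUsed": "No"}),
] + [
    _record("IAMUser", "deploy", "AKIAIOSFODNN7EXAMPLE",
            "2017-06-01T10:0%d:00Z" % minute, "RunInstances", "203.0.113.5",
            **_run_instances(50))
    for minute in range(3)
]


def _principal(rec):
    ident = rec["userIdentity"]
    return ident.get("userName") or ident["type"]


def _from_approved_source(source):
    try:
        ip = ipaddress.ip_address(source)
    except ValueError:
        # e.g. "cloudformation.amazonaws.com": an AWS service acting for us
        return True
    return any(ip in net for net in APPROVED_RANGES)


def analyze(records):
    """Return (rule, principal) findings in the order they are detected."""
    findings = []
    launches = defaultdict(list)  # access key -> [(time, instance count)]
    for rec in records:
        who = _principal(rec)
        when = datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
        if rec["userIdentity"]["type"] == "Root":
            findings.append(("root-account-used", who))
        if (rec["eventName"] == "ConsoleLogin"
                and rec.get("additionalEventData", {}).get("MFAUsed") == "No"):
            findings.append(("console-login-without-mfa", who))
        if not _from_approved_source(rec["sourceIPAddress"]):
            findings.append(("call-from-unapproved-ip", who))
        if rec["eventName"] == "RunInstances":
            items = rec["requestParameters"]["instancesSet"]["items"]
            count = sum(item.get("maxCount", 1) for item in items)
            key = rec["userIdentity"].get("accessKeyId") or who
            launches[key].append((when, count))
    # Sliding window per key: sum the instances launched within BURST_WINDOW
    # of each launch and flag the key once when the sum reaches the cap.
    for key, events in launches.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            total = sum(n for t, n in events[i:] if t - start <= BURST_WINDOW)
            if total >= BURST_INSTANCES:
                findings.append(("instance-launch-burst", key))
                break
    return findings


if __name__ == "__main__":
    for rule, principal in analyze(SAMPLE_RECORDS):
        print(rule, principal)
```

Feed it the records from the exported trail files instead of SAMPLE_RECORDS. The burst rule keys on the access key rather than the user name on purpose: the key is what gets leaked and what you rotate when the rule fires.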

  33. Check your security
    status

  34. Premium support:
    trusted advisor security

  35. Custom tools

  36. Destroy competition

  37. Defend yourself

  38. To do and
    not to do

  39. If a key is compromised
    rotate it

  40. Store your secrets

  41. 1. Environment variables
    2. Encrypted files in SCM
    3. Vaults

  42. http://ejohn.org/blog/keeping-passwords-in-source-control/

  43. #!/usr/bin/env bash
    # Encrypts the given file (and removes the plaintext) unless it already
    # carries the .aes256 extension, in which case it is decrypted next to it.
    # Note: openssl's password mode here uses its legacy key derivation; on
    # OpenSSL 1.1.1 or newer add -pbkdf2 to both calls (and re-encrypt).
    set -euo pipefail
    [[ $# -eq 1 ]] || { echo "usage: $0 FILE" >&2; exit 1; }
    FILE=$1
    DIR=$(dirname "$FILE")
    FILENAME=$(basename "$FILE")
    EXTENSION="${FILENAME##*.}"
    NAME="${FILENAME%.*}"
    if [[ "$EXTENSION" != "aes256" ]]
    then
      echo "Encrypting $FILENAME and removing the plaintext file"
      openssl aes-256-cbc -e -a -in "$FILE" -out "${FILE}.aes256"
      rm "$FILE"
    else
      echo "Decrypting $FILENAME"
      openssl aes-256-cbc -d -a -in "$FILE" -out "$DIR/$NAME"
    fi

  44. $ ls
    truststore.jks.aes256
    $ encrypt-decrypt.sh truststore.jks.aes256
    Contact [email protected] for the password
    Decrypting truststore.jks.aes256
    enter aes-256-cbc decryption password:
    $ ls
    truststore.jks truststore.jks.aes256

  45. Vaults
    HashiCorp Vault
    Ansible Vault

  46. Check your code
    https://github.com/michenriksen/gitrob
    https://github.com/awslabs/git-secrets
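gitrob and git-secrets are the tools to run; to show what such a check actually does, here is an added example (not code from either project, and not the speaker's) of a scanner for committed AWS credentials that can sit in a pre-commit hook. It applies two checks: the fixed access key ID format (AKIA or ASIA plus 16 uppercase alphanumerics), and a 40-character base64-looking value assigned to a name containing "secret" and "key", reported only when its Shannon entropy is high enough to be a real key rather than the placeholder strings documentation is full of. The entropy threshold is an assumption, and the sample credentials file is constructed from AWS's documented example key pair.

```python
"""
Pre-commit scan for AWS credentials (added example, in the spirit of
git-secrets/gitrob but not their code). Usage as a hook:
    git diff --cached | python scan_secrets.py
"""
import math
import re
import sys
from collections import Counter

ACCESS_KEY_RE = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
SECRET_KEY_RE = re.compile(
    r"(?i)secret[_ ]?(?:access[_ ]?)?key\s*[=:]\s*[\"']?"
    r"([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])")
MIN_ENTROPY = 4.0  # bits per character; assumed. Random base64 scores ~5.


def shannon_entropy(s):
    """Bits of entropy per character; 0 for a run of one repeated character."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def mask(secret):
    """Never echo a full credential back into a terminal or log."""
    return secret[:4] + "..." + secret[-4:]


def scan_text(text):
    """Return (line_number, kind, masked_value) for every hit."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_RE.finditer(line):
            hits.append((line_no, "aws-access-key-id", mask(m.group(0))))
        for m in SECRET_KEY_RE.finditer(line):
            candidate = m.group(1)
            # Placeholders like 40 x's match the shape but carry no entropy.
            if shannon_entropy(candidate) >= MIN_ENTROPY:
                hits.append((line_no, "aws-secret-access-key", mask(candidate)))
    return hits


# Constructed sample: a credentials file that was about to be committed.
# The key pair is AWS's documented example pair, not a live credential.
SAMPLE_CONFIG = """[default]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
# docs placeholder, must not fire:
aws_secret_access_key = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
"""


if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_CONFIG
    hits = scan_text(text)
    for line_no, kind, value in hits:
        print("line %d: %s %s" % (line_no, kind, value))
    sys.exit(1 if hits else 0)  # a non-zero exit aborts the commit
```

The masked output is deliberate: a hook that prints the full key into a CI log has just leaked it a second time.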

  47. There's no ✨

  48. 140 servers running on my
    AWS account. What? How? I
    only had S3 keys on my
    GitHub and they were gone
    within 5 minutes!
    — http://www.devfactor.net/2014/12/30/2375-amazon-mistake/

  49. How a bug in Visual Studio
    2015 exposed my source
    code on GitHub and cost me
    $6,500 in a few hours
    — https://www.humankode.com/security/how-a-bug-in-visual-studio-2015-exposed-my-source-code-on-github-and-cost-me-6500-in-a-few-hours

  50. Thanks!
    Questions?
    Philipp Krenn @xeraa

  51. Image Credit
    → Mobile https://flic.kr/p/j7hLsu
    → XKCD http://xkcd.com/936/
