Upgrade to Pro — share decks privately, control downloads, hide ads and more …

101 Steps to Avoid a Security Disaster in the Cloud

Philipp Krenn
June 01, 2017
Programming
3
1.5k

101 Steps to Avoid a Security Disaster in the Cloud

Isn't it great how easily you can scale up in the cloud? The only problem is that disaster can strike just as quickly. We will start off by taking a look at some (in-) famous incidents of the past. Then we will discuss 101 steps on how to avoid a security disaster both in general and by using specific services such as AWS and GitHub in specific. This includes considerations for operations and development. Finally, we debate which services and risks you might want to avoid.

PS: Due to time constraints 101 as a binary and not a decimal number.

Philipp Krenn

June 01, 2017
Tweet

More Decks by Philipp Krenn

See All by Philipp Krenn
Full-Text Search Explained
xeraa
11
1.9k
360° Monitoring of Your Microservices
xeraa
7
3.2k
Scale Your Metrics with Elasticsearch
xeraa
4
120
YAML Considered Harmful
xeraa
0
1.9k
Scale Your Elasticsearch Cluster
xeraa
1
260
Hands-On ModSecurity and Logging
xeraa
2
120
Centralized Logging Patterns
xeraa
1
920
Dashboards for Your Management with Kibana Canvas
xeraa
1
440
Make Your Data FABulous
xeraa
3
750

Other Decks in Programming

See All in Programming
GitHub Actionsで泣かないためにやっておきたい設定 / Recommended GHA settings to avoid crying
pinkumohikan
3
480
コードレビューで学ぶ!Kotlinオブジェクト指向デザインパターン
akkie76
2
170
PHPの次期バージョンはこの時期どうなっているのか - Internalsの開発体制について - PHPカンファレンス小田原
youkidearitai
PRO
1
180
puregoの活用例
aethiopicuschan
0
220
From Spring Boot 2 to Spring Boot 3 with Java 21 and Jakarta EE
ivargrimstad
0
1.1k
OpenTelemetry のサービスという概念について
azukiazusa1
2
1.1k
try! Swift Tokyo 2024 参加報告 / try! Swift Tokyo 2024 Report
hironytic
0
170
ログラスを支える設計標準について / loglass-design-standards
urmot
10
2.1k
Elm Form Validation
bkuhlmann
0
500
App Router への移行は「改善」となり得るのか?/ Can migration to App Router be an improvement
takefumiyoshii
8
2.1k
SwiftUI Performance 不要なViewの再描画と更新を抑える
bigamitiongit
1
150
CA.swift19 恋するAIアプリ開発の裏側
oskmr
0
330

Featured

See All Featured
Clear Off the Table
cherdarchuk
82
310k
Become a Pro
speakerdeck
PRO
9
4.5k
The Success of Rails: Ensuring Growth for the Next 100 Years
eileencodes
29
6k
Git: the NoSQL Database
bkeepers
PRO
421
63k
The Mythical Team-Month
searls
214
42k
Thoughts on Productivity
jonyablonski
57
3.8k
[RailsConf 2023] Rails as a piece of cake
palkan
22
3.9k
Designing for Performance
lara
601
67k
How to train your dragon (web standard)
notwaldorf
71
5.1k
Why Our Code Smells
bkeepers
PRO
331
56k
Large-scale JavaScript Application Architecture
addyosmani
503
110k
Building Applications with DynamoDB
mza
88
5.6k

Transcript

  1. Perils of the ☁ Philipp Krenn̴̴̴̴̴̴@xeraa

  2. ViennaDB Papers We Love Vienna

  3. Infrastructure | Developer Advocate

  4. Who uses AWS, Azure,...?

  5. Does the cloud solve all your security issues?

  6. None

  7. "We can operate more securely on AWS than we can

    in our own data centers" Rob Alexander of CapitalOne #reinvent — Adrian Cockcroft, https://twitter.com/adrianco/status/ 651788241557942272

  8. AWS Security Bulletins https://aws.amazon.com/security/security-bulletins/ Xen, Heartbleed,...

  9. The main problem is...

  10. None

  11. [...] our data, backups, machine configurations and offsite backups were

    either partially or completely deleted. — http://www.codespaces.com
  12. None

  13. The person(s) used our account to order hundreds of expensive

    servers, likely to mine Bitcoin or other cryptocurrencies. — http://blog.drawquest.com
  14. None

  15. This outage was the result of an attack on our

    systems using a compromised API key. — http://status.bonsai.io/incidents/qt70mqtjbf0s
  16. None

  17. Secure your accounts In 101 steps

  18. 000 Accounts

  19. Lock away your root account and never use it

  20. Always use Identity and Access Management (IAM)

  21. None

  22. One IAM user per service / action or use delegation

  23. 001 Access

  24. Only allow what is necessary Principle of the least access

  25. { "Statement": [ { "Effect": "Allow", "Action": "*", "Resource": "*"

    }, { "Effect": "Deny", "Action": [ "ec2:ReleaseAddress", "route53:DeleteHostedZone" ], "Resource": "*" } ] }

  26. Use groups to manage permissions for users

  27. { "Statement": [ { "Effect": "Allow", "Action": [ "s3:ListAllMyBuckets", "s3:ListBucket"

    ], "Resource": "arn:aws:s3:::*" }, { "Action": [ "s3:PutObject", "s3:GetObject", "s3:DeleteObject" ], "Effect": "Allow", "Resource": "arn:aws:s3:::com.example.backup/*" } ] }

  28. { "Statement": [ { "Effect": "Allow", "Action": [ "s3:ListAllMyBuckets", "s3:ListBucket"

    ], "Resource": "arn:aws:s3:::*" }, { "Action": [ "s3:PutObject", "s3:GetObject", "s3:DeleteObject" ], "Effect": "Allow", "Resource": "arn:aws:s3:::com.example.backup/*" } ] }

  29. IAM permissions for few people

  30. 010 Authentication

  31. Use strong passwords

  32. None
  33. None

  34. Use Multi Factor Authentication (MFA)

  35. None
  36. None

  37. Hardware token & fallback questions

  38. 011 Code

  39. Never commit your credentials

  40. 100 Network

  41. Enable IP restrictions

  42. { "Statement": [ { "Effect": "Allow", "Action": "*", "Resource": "*"

    }, { "Effect": "Deny", "Action": "*", "Resource": "*", "Condition": { "NotIpAddress": { "aws:SourceIp": ["1.2.3.4/24", "5.6.7.8/28"] } } } ] }
  43. None

  44. 101 Tools

  45. Enable billing alerts

  46. None

  47. Enable CloudTrail

  48. { "Records": [ { "eventVersion": "1.0", "userIdentity": { "type": "IAMUser",

    "principalId": "EX_PRINCIPAL_ID", "arn": "arn:aws:iam::123456789012:user/Alice", "accountId": "123456789012", "accessKeyId": "EXAMPLE_KEY_ID", "userName": "Alice" }, "eventTime": "2015-09-09T19:01:59Z", "eventSource": "ec2.amazonaws.com", "eventName": "StopInstances", "awsRegion": "eu-west-1", "sourceIPAddress": "205.251.233.176", "userAgent": "ec2-api-tools 1.6.12.2", "requestParameters": { "instancesSet": { "items": [ { "instanceId": "i-ebeaf9e2" } ] }, "force": false }, ... }, ... ] }

  49. Export to an external system

  50. None

  51. Check your security status

  52. None

  53. Premium support: trusted advisor security

  54. None

  55. Custom tools

  56. None
  57. None
  58. None

  59. Attacks

  60. Make money

  61. Destroy competition

  62. Defend yourself

  63. To do and not to do

  64. If a key is compromised rotate it

  65. Store your secrets

  66. 1. Environment variables 2. Encrypted files in SCM 3. Vaults

  67. http://ejohn.org /blog/keeping-passwords-in-source-control/

  68. None

  69. #!/bin/sh FILE=$1 FILENAME=$(basename "$FILE") EXTENSION="${FILENAME##*.}" NAME="${FILENAME%.*}" if [[ "$EXTENSION" !=

    "aes256" ]] then echo "Encrypting $FILENAME and removing the plaintext file" openssl aes-256-cbc -e -a -in $FILENAME -out ${FILENAME}.aes256 rm $FILENAME else then echo "Decrypting $FILENAME" openssl aes-256-cbc -d -a -in $FILENAME -out $NAME fi

  70. $ ls truststore.jks.aes256 $ encrypt-decrypt.sh truststore.jks.aes256 Contact [email protected] for the

    password Decrypting truststore.jks.aes256 enter aes-256-cbc decryption password: $ ls truststore.jks truststore.jks.aes256

  71. Vaults HashiCorp Vault Ansible Vault

  72. Check your code https://github.com/michenriksen/gitrob https://github.com/awslabs/git-secrets

  73. Conclusion

  74. There's no ✨

  75. 140 servers running on my AWS account. What? How? I

    only had S3 keys on my GitHub and they where gone within 5 minutes! — http://www.devfactor.net/2014/12/30/2375-amazon- mistake/

  76. How a bug in Visual Studio 2015 exposed my source

    code on GitHub and cost me $6,500 in a few hours — https://www.humankode.com/security/how-a-bug- in-visual-studio-2015-exposed-my-source-code-on- github-and-cost-me-6500-in-a-few-hours
  77. None

  78. Thanks! Questions? Philipp Krenn̴̴̴̴̴̴̴@xeraa

  79. Image Credit → Mobile https://flic.kr/p/j7hLsu → XKCD http://xkcd.com/936/