Gefahren der Cloud

Transcript

1. Gefahren der Cloud Philipp Krenn̴̴̴̴̴̴̴̴@xeraa

2. None

3. ViennaDB Papers We Love Vienna

4. Wer verwendet AWS, Azure,...?

5. Löst die Cloud alle Security-Probleme?

6. None

7. "We can operate more securely on AWS than we can

   in our own data centers" Rob Alexander of CapitalOne #reinvent — Adrian Cockcroft, https://twitter.com/adrianco/status/ 651788241557942272
8. None
9. None

10. AWS Security Bulletins https://aws.amazon.com/security/security-bulletins/ Xen, Heartbleed,...

11. Infrastruktur

12. VPC Virtual Private Cloud

13. EC2 Classic Private und öffentliche IPs für jede Instanz

14. None
15. None

16. Netzwerk /16 Produktion 10.0.*.* Entwicklung 10.1.*.*

17. Verfügbarkeitszonen /18 A 10.*.0.0/18 B 10.*.64.0/18 Reserve 10.*.128.0/18 10.*.192.0/18

18. Subnetze /20 A öffentlich 10.*.0.0/20 A privat 10.*.16.0/20 A Reserve

    10.*.32.0/20 10.*.48.0/20

19. PS: Netzwerk Keine Broadcasts oder Multicasts Noch kein IPv6

20. Sicherheitsgruppen Pro Instanz

21. None

22. Netzwerk ACL Pro Subnetz (optional)

23. Verschlüsselung At Rest

24. S3, EBS, RDS,... Transparentes Key Management

25. None

26. Microservices Technologie & AWS Konto pro Team OAuth für interne

    & externe Kommunikation

27. Konten

28. Aber das Hauptproblem sind...

29. ✋

30. None

31. [...] our data, backups, machine configurations and offsite backups were

    either partially or completely deleted. — http://www.codespaces.com

32. Code Spaces has a full recovery plan that has been

    proven to work and is, in fact, practiced.
33. None

34. The person(s) used our account to order hundreds of expensive

    servers, likely to mine Bitcoin or other cryptocurrencies. — http://blog.drawquest.com
35. None

36. This outage was the result of an attack on our

    systems using a compromised API key. — http://status.bonsai.io/incidents/qt70mqtjbf0s
37. None

38. 1001 einfache Schritte für mehr Sicherheit

39. 0000 root Konto wegsperren

40. 0001 Immer IAM verwenden Identity and Access Management

41. None

42. 0010 Nur notwendige Rechte

43. { "Statement": [ { "Effect": "Allow", "Action": "*", "Resource": "*"

    }, { "Effect": "Deny", "Action": [ "ec2:ReleaseAddress", "route53:DeleteHostedZone" ], "Resource": "*" } ] }

44. 0011 Starke Passworte

45. None

46. 0100 Multi Factor Authentication (MFA)

47. None
48. None

49. Hardware Token Sicherheitsfragen merken (und verteilen)

50. 0101 Niemals Zugangsdaten commiten

51. Nur wohin?

52. 1. Umgebungsvariablen

53. 2. Verschlüsselte Dateien in SCM

54. http://ejohn.org /blog/keeping-passwords-in-source-control/

55. None

56. #!/bin/sh FILE=$1 FILENAME=$(basename "$FILE") EXTENSION="${FILENAME##*.}" NAME="${FILENAME%.*}" if [[ "$EXTENSION" !=

    "aes256" ]] then echo "Encrypting $FILENAME and removing the plaintext file" openssl aes-256-cbc -e -a -in $FILENAME -out ${FILENAME}.aes256 rm $FILENAME else then echo "Decrypting $FILENAME" openssl aes-256-cbc -d -a -in $FILENAME -out $NAME fi

57. $ ls truststore.jks.aes256 $ encrypt-decrypt.sh truststore.jks.aes256 Contact [email protected] for the

    password Decrypting truststore.jks.aes256 enter aes-256-cbc decryption password: $ ls truststore.jks truststore.jks.aes256

58. 3. Spezielle Tools

59. Ansible Vault HashiCorp Vault Friedlander Secrets Pit

60. Eigenen Code prüfen https://github.com/michenriksen/gitrob

61. 0110 IP Restriktionen

62. { "Statement": [ { "Effect": "Allow", "Action": "*", "Resource": "*"

    }, { "Effect": "Deny", "Action": "*", "Resource": "*", "Condition": { "NotIpAddress": { "aws:SourceIp": ["1.2.3.4/24", "5.6.7.8/28"] } } } ] }
63. None

64. 0111 Billing Alerts

65. None

66. 1000 CloudTrail

67. { "Records": [ { "eventVersion": "1.0", "userIdentity": { "type": "IAMUser",

    "principalId": "EX_PRINCIPAL_ID", "arn": "arn:aws:iam::123456789012:user/Alice", "accountId": "123456789012", "accessKeyId": "EXAMPLE_KEY_ID", "userName": "Alice" }, "eventTime": "2015-09-09T19:01:59Z", "eventSource": "ec2.amazonaws.com", "eventName": "StopInstances", "awsRegion": "eu-west-1", "sourceIPAddress": "205.251.233.176", "userAgent": "ec2-api-tools 1.6.12.2", "requestParameters": { "instancesSet": { "items": [ { "instanceId": "i-ebeaf9e2" } ] }, "force": false }, ...

68. 1001 Security Status

69. None

70. Abschluss

71. Es gibt keine ✨

72. 140 servers running on my AWS account. What? How? I

    only had S3 keys on my GitHub and they where gone within 5 minutes! — http://www.devfactor.net/2014/12/30/2375-amazon- mistake/

73. Kompromittierte Keys rotieren

74. How a bug in Visual Studio 2015 exposed my source

    code on GitHub and cost me $6,500 in a few hours — https://www.humankode.com/security/how-a-bug-in- visual-studio-2015-exposed-my-source-code-on-github-and- cost-me-6500-in-a-few-hours

75. Keine Zugangsdaten commiten

76. Danke! Fragen? Philipp Krenn̴̴̴̴̴̴̴̴@xeraa