Europe Cloud Summit - Security hardening of public cloud services
1. Security Hardening - Public Cloud Services
22-OCT-2020 | EUROPE CLOUDS SUMMIT Runcy Oommen
2. Today's Agenda
- Generic cloud security overview
- Security services from GCP, AWS & Azure
- Shared Responsibility Model
- Categories of services for hardening
  - Cloud OS
  - Load Balancer
  - DNS Security
  - API Gateway
  - Platform (PaaS)
  - Serverless (FaaS)
3. Career
- Principal SDE, SONICWALL, 17+ yrs. industry experience, primarily in systems, cloud (private/public), security, networking
- 10x multi-cloud certified (GCP, AWS, Azure, CNCF)
- Patent (India) in cloud security around distributed data storage
- Interested in serverless, containers and cloud native offerings. Firm believer in a multi-hybrid cloud future
Community
- Organizer of GDG Cloud, AWS User Group and Cloud Native meetup groups in Bangalore
- Regular speaker at domestic and international cloud, tech & security conferences
- Multiple hackathon wins in cloud/security topics
- Recognized by Google as a community influencer
[~]$ whoami
runcyoommen
https://runcy.me
roommen
4. Let's define "Cloud security"
Cloud Security refers to a broad set of policies, technologies, applications and controls utilized to protect virtualized IP, data, applications, services and the associated infrastructure of cloud computing
Reference: https://en.wikipedia.org/wiki/Cloud_computing_secur
8. So, how exactly should cloud security differ from traditional network security?
9. Important facets of cloud
Ubiquitous: The cloud is always reachable from anywhere, any time, any device
Scalable: You can add new features and thousands of users without breaking a sweat
Integrated: Security and other services talk to each other for full visibility
Comprehensive: The cloud scans every byte, ingress and egress, including SSL & CDN
Intelligent: The cloud learns from every user and connection; any new threat is blocked for all
18. Hardening #1 - Cloud OS:
Amazon Linux 2, Google Container Optimized OS & Cloud Shell ship with OpenSSH v7.4/v7.5, which is outdated and vulnerable to multiple attacks
22. What to do now? Here's the elaborate way...
Default package managers from AWS & GCP do not even have a higher version of SSH!!!
- Download the latest package from openbsd.org
- Extract the contents
- Install all the relevant dependencies
- Compile package from source
- Install the compiled package to upgrade
23. Amazon Linux 2 / Google Cloud Shell
Get the scripts - https://tinyurl.com/sshupdate
25. Hardening #2 - SSH Settings:
Default SSH settings (Ciphers & Key Exchange algorithms) in Google Cloud Shell & Amazon Linux are deprecated and weak
26. Confirming the presence of weak/deprecated Ciphers & Key Exchanges (Amazon Linux 2 / Google Cloud Shell / Amazon Linux)
27. Solution: Check for new ciphers and kex after the OpenSSH upgrade; search for "Ciphers" & "KexAlgorithms" in the man page
28.
- Edit the /etc/ssh/sshd_config file
- Add default Ciphers and KexAlgorithms in preferred order
- Restart the sshd service
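The two SSH items above (Hardening #1, outdated OpenSSH; Hardening #2, weak Ciphers/KexAlgorithms) both come down to one audit: read the installed version, flag legacy algorithm names in sshd_config, and write the preferred-order lists back only after `sshd -t` accepts them. The following script is an added example, not code from the talk or from the tinyurl scripts it links. The minimum version (8.0), the weak-algorithm pattern and the hardened lists are assumptions chosen for illustration; the sshd_config fragment is constructed.

```python
import re
import subprocess
from pathlib import Path

# Minimum acceptable OpenSSH release. Assumed value: the talk only says 7.4/7.5
# are outdated and names no target version.
MIN_OPENSSH = (8, 0)

# Algorithms treated as weak or deprecated. Assumed list (RC4, CBC modes, 3DES,
# Blowfish, CAST, MD5/SHA-1 based kex and MACs, 64-bit UMAC).
WEAK_ALGO_RE = re.compile(
    r"(arcfour|cbc|3des|blowfish|cast128|md5|umac-64|-sha1(?:-|$)|group1-)", re.IGNORECASE
)

# Preferred order for the hardened lists (assumed selection of current OpenSSH names).
HARDENED = {
    "Ciphers": ["chacha20-poly1305@openssh.com", "aes256-gcm@openssh.com",
                "aes128-gcm@openssh.com", "aes256-ctr", "aes192-ctr", "aes128-ctr"],
    "KexAlgorithms": ["curve25519-sha256", "curve25519-sha256@libssh.org",
                      "diffie-hellman-group16-sha512", "diffie-hellman-group18-sha512",
                      "diffie-hellman-group-exchange-sha256"],
    "MACs": ["hmac-sha2-512-etm@openssh.com", "hmac-sha2-256-etm@openssh.com"],
}

# Constructed sshd_config fragment with the kind of legacy entries the talk flags.
SAMPLE_SSHD_CONFIG = """\
Port 22
Ciphers aes128-ctr,aes128-cbc,3des-cbc,chacha20-poly1305@openssh.com
KexAlgorithms curve25519-sha256,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
MACs hmac-sha1,hmac-sha2-256-etm@openssh.com
"""


def parse_openssh_version(banner: str):
    """Turn an `ssh -V` banner such as 'OpenSSH_7.4p1, OpenSSL ...' into (7, 4)."""
    m = re.match(r"OpenSSH_(\d+)\.(\d+)", banner)
    if not m:
        raise ValueError(f"not an OpenSSH banner: {banner!r}")
    return int(m.group(1)), int(m.group(2))


def openssh_outdated(banner: str, minimum=MIN_OPENSSH) -> bool:
    return parse_openssh_version(banner) < minimum


def local_openssh_banner() -> str:
    """`ssh -V` writes its version to stderr, not stdout."""
    proc = subprocess.run(["ssh", "-V"], capture_output=True, text=True)
    return (proc.stderr or proc.stdout).strip()


def weak_algorithms(config_text: str):
    """List (keyword, algorithm) pairs for weak entries on Ciphers/KexAlgorithms/MACs lines."""
    found = []
    for line in config_text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0] in HARDENED:
            for algo in parts[1].split(","):
                if WEAK_ALGO_RE.search(algo.strip()):
                    found.append((parts[0], algo.strip()))
    return found


def harden_config(config_text: str) -> str:
    """Replace any Ciphers/KexAlgorithms/MACs lines with the preferred-order lists."""
    def is_algo_line(line):
        words = line.split()
        return bool(words) and words[0] in HARDENED
    kept = [l for l in config_text.splitlines() if not is_algo_line(l)]
    kept += [f"{key} {','.join(values)}" for key, values in HARDENED.items()]
    return "\n".join(kept) + "\n"


def rewrite_sshd_config(path="/etc/ssh/sshd_config"):
    """Back up and rewrite sshd_config; restart sshd only after `sshd -t` accepts the file."""
    p = Path(path)
    original = p.read_text()
    p.with_name(p.name + ".bak").write_text(original)
    p.write_text(harden_config(original))
    subprocess.run(["sshd", "-t", "-f", str(p)], check=True)  # rejects unknown algorithm names
    subprocess.run(["systemctl", "restart", "sshd"], check=True)


if __name__ == "__main__":
    banner = local_openssh_banner()
    print(banner, "-> upgrade needed" if openssh_outdated(banner) else "-> ok")
    for keyword, algo in weak_algorithms(SAMPLE_SSHD_CONFIG):
        print(f"weak {keyword}: {algo}")
```

Run `rewrite_sshd_config()` as root only after the OpenSSH upgrade: names such as `curve25519-sha256` (without the `@libssh.org` suffix) are unknown to the 7.4 daemon, and `sshd -t` will refuse the file rather than leave you with an unstartable sshd. Keep the current session open until a second login over the new configuration succeeds.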
33. Solution:
- Force the latest "security policy" on the Elastic Load Balancer, instead of the default lenient one
- Navigate to Load Balancer (EC2) > Listeners (tab) > Edit
- Select a stricter and recent security policy for the ELB
34. Reference chart of security policies with SSL options and ciphers
Reference: https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/elb-security-policy-
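The console steps above (and the same ELB policy that slide 44 reuses for Elastic Beanstalk) can be checked and applied from code. The following is an added example, not from the talk: it audits the `PolicyAttributeDescriptions` returned by `aws elb describe-load-balancer-policies` for enabled pre-TLS-1.2 protocols and weak ciphers, and emits the two `aws elb` commands that bind a predefined TLS-1.2-only policy to the HTTPS listener. The sample describe output is constructed (modelled on the lenient default), the weak-cipher pattern and the choice of `ELBSecurityPolicy-TLS-1-2-2017-01` are assumptions, and `tls12-only` and `my-classic-elb` are placeholder names.

```python
import json
import re
import subprocess

# Protocol attributes that a strict policy must leave disabled.
WEAK_PROTOCOLS = {"Protocol-SSLv2", "Protocol-SSLv3", "Protocol-TLSv1", "Protocol-TLSv1.1"}
# Cipher attributes treated as weak (assumed list: DES/3DES, RC4, export, NULL, anonymous DH, MD5).
WEAK_CIPHER_RE = re.compile(r"^(DES-|RC4-|EXP-|NULL-|ADH-|AECDH-)|-MD5$")
# Predefined classic-ELB policy allowing TLS 1.2 only (assumed choice of "stricter, recent" policy).
STRICT_REFERENCE_POLICY = "ELBSecurityPolicy-TLS-1-2-2017-01"

# Constructed sample in the shape of `aws elb describe-load-balancer-policies` output,
# modelled on the lenient default policy that still enables TLS 1.0/1.1 and 3DES.
SAMPLE_DESCRIBE_OUTPUT = json.loads("""
{"PolicyDescriptions": [{
  "PolicyName": "ELBSecurityPolicy-2016-08",
  "PolicyTypeName": "SSLNegotiationPolicyType",
  "PolicyAttributeDescriptions": [
    {"AttributeName": "Reference-Security-Policy", "AttributeValue": "ELBSecurityPolicy-2016-08"},
    {"AttributeName": "Protocol-SSLv3", "AttributeValue": "false"},
    {"AttributeName": "Protocol-TLSv1", "AttributeValue": "true"},
    {"AttributeName": "Protocol-TLSv1.1", "AttributeValue": "true"},
    {"AttributeName": "Protocol-TLSv1.2", "AttributeValue": "true"},
    {"AttributeName": "Server-Defined-Cipher-Order", "AttributeValue": "true"},
    {"AttributeName": "ECDHE-ECDSA-AES128-GCM-SHA256", "AttributeValue": "true"},
    {"AttributeName": "ECDHE-RSA-AES256-GCM-SHA384", "AttributeValue": "true"},
    {"AttributeName": "DES-CBC3-SHA", "AttributeValue": "true"},
    {"AttributeName": "RC4-SHA", "AttributeValue": "false"}
  ]}]}
""")


def audit_ssl_policy(policy: dict) -> dict:
    """Summarise one SSLNegotiationPolicyType description."""
    attrs = {a["AttributeName"]: a["AttributeValue"] for a in policy["PolicyAttributeDescriptions"]}
    enabled = {name for name, value in attrs.items() if value == "true"}
    return {
        "policy": policy["PolicyName"],
        "reference": attrs.get("Reference-Security-Policy"),
        "weak_protocols": sorted(enabled & WEAK_PROTOCOLS),
        "weak_ciphers": sorted(c for c in enabled if WEAK_CIPHER_RE.search(c)),
        "server_cipher_order": attrs.get("Server-Defined-Cipher-Order") == "true",
    }


def is_strict(report: dict) -> bool:
    return (not report["weak_protocols"] and not report["weak_ciphers"]
            and report["server_cipher_order"])


def audit_describe_output(describe_output: dict):
    """Audit every SSL negotiation policy in a describe-load-balancer-policies result."""
    return [audit_ssl_policy(p) for p in describe_output["PolicyDescriptions"]
            if p["PolicyTypeName"] == "SSLNegotiationPolicyType"]


def apply_policy_commands(lb_name: str, port: int = 443, reference=STRICT_REFERENCE_POLICY,
                          policy_name="tls12-only"):
    """AWS CLI argv lists: copy a predefined policy onto the LB, then bind it to the HTTPS listener."""
    return [
        ["aws", "elb", "create-load-balancer-policy", "--load-balancer-name", lb_name,
         "--policy-name", policy_name, "--policy-type-name", "SSLNegotiationPolicyType",
         "--policy-attributes", f"AttributeName=Reference-Security-Policy,AttributeValue={reference}"],
        ["aws", "elb", "set-load-balancer-policies-of-listener", "--load-balancer-name", lb_name,
         "--load-balancer-port", str(port), "--policy-names", policy_name],
    ]


def apply_strict_policy(lb_name: str, port: int = 443):
    for argv in apply_policy_commands(lb_name, port):
        subprocess.run(argv, check=True)


if __name__ == "__main__":
    for report in audit_describe_output(SAMPLE_DESCRIBE_OUTPUT):
        print(report["policy"], "strict" if is_strict(report) else f"lenient: {report}")
```

Feed `audit_describe_output` the parsed JSON of the real `describe-load-balancer-policies` call and re-run it after `apply_strict_policy`; the reference chart on slide 34 tells you which ciphers each predefined policy leaves enabled, so the audit's "weak" list is the part worth tuning to your own client population.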
37. Hardening #4 - DNS Security:
Issuing certificates from ACM or Google Trust Services for zones managed in Route53 or Cloud DNS does not automatically create a "CAA" record to prevent re-issuance by other CAs
38. Solution:
- Create an entry in Route 53 for CAA when certificates are issued by Amazon Certificate Manager (ACM)
- Create the equivalent CAA record entry in Cloud DNS when certificates are issued by Google Trust Services
- Re-run an SSL scan (Qualys online SSL should be sufficient)
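What a CAA record actually encodes (RFC 8659 `flags tag "value"` triples) decides whether the entry above really constrains issuance, so the following added example, not part of the talk, builds the Route 53 change batch and the equivalent `gcloud dns record-sets create` command, and then evaluates a record set the way a CA must: no relevant records means any CA may issue, `issuewild` overrides `issue` for wildcard names, and a bare `";"` forbids issuance. The CA identifiers are the ones published in the ACM and Google Trust Services documentation (confirm them against the current docs); `example.com` and `my-zone` are placeholders.

```python
import json
import re
import subprocess

# CA identifiers for the two issuers named in the talk, as published in the AWS Certificate
# Manager and Google Trust Services documentation; verify against current docs before use.
ACM_CAA_DOMAINS = ["amazon.com", "amazontrust.com", "awstrust.com", "amazonaws.com"]
GOOGLE_TRUST_SERVICES_CAA_DOMAINS = ["pki.goog"]

CAA_RE = re.compile(r'^(\d+)\s+(issue|issuewild|iodef)\s+"([^"]*)"$')


def caa_record_values(ca_domains, issuewild=False, iodef=None):
    """RFC 8659 CAA RDATA strings: <flags> <tag> "<value>"."""
    values = [f'0 issue "{d}"' for d in ca_domains]
    if issuewild:
        values += [f'0 issuewild "{d}"' for d in ca_domains]
    if iodef:
        values.append(f'0 iodef "{iodef}"')
    return values


def route53_change_batch(zone_name, ca_domains, ttl=300):
    """ChangeBatch for `aws route53 change-resource-record-sets --change-batch file://caa.json`."""
    return {
        "Comment": "Restrict certificate issuance to the intended CA",
        "Changes": [{
            "Action": "UPSERT",
            "ResourceRecordSet": {
                "Name": zone_name.rstrip(".") + ".",
                "Type": "CAA",
                "TTL": ttl,
                "ResourceRecords": [{"Value": v} for v in caa_record_values(ca_domains)],
            },
        }],
    }


def gcloud_caa_command(zone, dns_name, ca_domains, ttl=300):
    """Equivalent Cloud DNS record set as a gcloud argv list."""
    return ["gcloud", "dns", "record-sets", "create", dns_name.rstrip(".") + ".",
            "--zone", zone, "--type", "CAA", "--ttl", str(ttl),
            "--rrdatas", ",".join(caa_record_values(ca_domains))]


def ca_permitted(caa_values, ca_domain, wildcard=False):
    """RFC 8659 decision: no relevant records means any CA may issue; otherwise the CA must be
    named in issue (or issuewild, for wildcard names); a bare ';' value forbids issuance."""
    parsed = []
    for value in caa_values:
        m = CAA_RE.match(value)
        if not m:
            raise ValueError(f"malformed CAA value: {value!r}")
        parsed.append(m.groups())
    relevant = [val for _, tag, val in parsed if tag == "issuewild"] if wildcard else []
    if not relevant:  # no issuewild records: wildcard names fall back to issue records
        relevant = [val for _, tag, val in parsed if tag == "issue"]
    if not relevant:
        return True
    # value may carry parameters after ';' (e.g. 'amazon.com; validationmethods=dns-01')
    return any(val.split(";")[0].strip().lower() == ca_domain.lower() for val in relevant)


def published_caa(name):
    """Query the live record set with dig: the check to run after creating the record."""
    out = subprocess.run(["dig", "+short", "CAA", name], capture_output=True, text=True, check=True)
    return [line.strip() for line in out.stdout.splitlines() if line.strip()]


if __name__ == "__main__":
    print(json.dumps(route53_change_batch("example.com", ACM_CAA_DOMAINS), indent=2))
    print(" ".join(gcloud_caa_command("my-zone", "example.com", GOOGLE_TRUST_SERVICES_CAA_DOMAINS)))
```

After the change propagates, `ca_permitted(published_caa("example.com"), "amazon.com")` should be true and the same call for any other CA false; that is the property the SSL scan on slide 38 reports as "CAA present".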
40. Hardening #5 - API Gateway:
AWS API Gateway, by default, provides support for TLS 1.0 and TLS 1.1 with weak cipher suites
41. Solution:
- Don't serve the traffic directly from the API Gateway URL
- Create a CloudFront distribution with the "Origin Domain Name" as the API Gateway stage
- Pick and choose the minimum required SSL for CloudFront
- Select the appropriate security policy for strong cipher selection
43. Hardening #6 - Platform (PaaS):
AWS BeanStalk and Google AppEngine support TLS 1.0/1.1 and TLS 1.2 with weak cipher suites by default, to ensure backward compatibility with older clients
44. Solution:
- For AWS BeanStalk, the solution is to place it behind an ELB and attach a stricter/recent TLS policy, as discussed previously
- For Google AppEngine, create a custom policy that supports just TLS 1.2 and strong cipher suites
- Attach it to the Cloud LB which will serve traffic for AppEngine
46. Hardening #7 - Serverless (FaaS):
Incorrect or non-existent input validation might lead to elevated privileges in the FaaS configuration:
- Sub-process invocation at will from the execution context
- Access to the function handler of the serverless function
- Access to /tmp to manipulate contents during execution time
- Full internet access from within the FaaS environment
- Execution of os.system() commands at will
47.
- Resources provisioned in the cloud reside inside a Virtual Private Cloud (VPC)
- FaaS should also be provisioned within this SDN wrapper, dictated by network routes/configs/firewall rules
49. Exploit Example
Functionality: CV filtering app that accepts a PDF file to perform text analysis
Assumption: Users will provide legitimate PDF filenames for processing
Weakness: Filename embedded into shell for direct shell command invocations
https://tinyurl.com/infoleaksample
50. (Sub-process invocation at will from the execution context)
AWS Lambda / Google Cloud Function
https://tinyurl.com/faasexploits
51. (Access function handler of serverless function) - AWS Lambda
(Access to /tmp to manipulate contents during execution time) - Google Cloud Function
https://tinyurl.com/faasexploits
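The weakness on slide 49 is the filename reaching `/bin/sh` as part of a command string. The following added example (not the talk's own sample code, which lives behind the tinyurl links) shows the weak handler beside a hardened one: the fixed version allow-lists the filename, pins the resolved path inside the upload directory, and hands `pdftotext` an argv list with no shell at all. The `/tmp/uploads` staging location and the `event["filename"]` field are assumptions about the app's layout.

```python
import os
import re
import subprocess
from pathlib import Path

# Assumed: uploaded CVs are staged under /tmp (the only writable path in Lambda/Cloud Functions).
UPLOAD_DIR = Path("/tmp/uploads")
# Allow-list for user-supplied names: simple basename, .pdf only, no separators or shell characters.
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,127}\.pdf$")


# --- Weak form (slide 49): the event's filename is pasted into a shell command string.
def build_vulnerable_command(filename: str) -> str:
    return f"pdftotext {UPLOAD_DIR}/{filename} -"


def vulnerable_handler(event, context=None):
    # /bin/sh parses the whole string, so metacharacters in the filename become commands.
    return os.system(build_vulnerable_command(event["filename"]))


# --- Hardened form: validate the name, pin the path, and never involve a shell.
def safe_pdf_path(filename: str) -> Path:
    if not SAFE_NAME.match(filename):
        raise ValueError("filename rejected by allow-list")
    path = (UPLOAD_DIR / filename).resolve()
    if path.parent != UPLOAD_DIR.resolve():  # defence in depth against ../ or symlink escapes
        raise ValueError("path escapes the upload directory")
    return path


def extract_text(path: Path, timeout: int = 30) -> str:
    # argv list with shell=False: the path is a single argument, never re-parsed by a shell.
    proc = subprocess.run(["pdftotext", str(path), "-"], capture_output=True, text=True,
                          timeout=timeout, check=True)
    return proc.stdout


def hardened_handler(event, context=None):
    try:
        path = safe_pdf_path(event["filename"])
    except ValueError as exc:
        return {"statusCode": 400, "body": str(exc)}
    return {"statusCode": 200, "body": extract_text(path)}


def rejected(filename: str) -> bool:
    """True when the hardened validation refuses this filename."""
    try:
        safe_pdf_path(filename)
    except ValueError:
        return True
    return False
```

`build_vulnerable_command` is kept only so the difference is visible: print it for a filename containing `;` and you see exactly the string the shell would execute, which is the string the hardened path never constructs.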
52. Let's do some "Monkey Patching"
What? Technique to dynamically update the behavior of a piece of code
Why? Extend the behavior of modules, classes or methods without actual modification of source code
When?
- Extend or modify behavior at runtime of libraries/methods
- During testing, to mock behavior of libs, modules, objs
- Quickly fix issues, if we don't have resources to roll a proper fix
53. https://tinyurl.com/faasexploits
- Eclipsed the original definition of os.system() with a custom one
- Created a new safe os.system() which is known only by us
- Repeat this for other definitions that are not required to be supported for your FaaS
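One way to do the eclipsing described on slide 53, as an added example that is not the talk's code: `os.system` is rebound to a wrapper that only delegates to the real implementation when the first word of the command is allow-listed and the string carries no shell metacharacters; everything else is logged and refused. The allow-list contents are an assumption (the demo uses `true` so it runs anywhere), and `faas-guard` is a placeholder logger name.

```python
import logging
import os
import shlex

log = logging.getLogger("faas-guard")
_original_system = os.system          # keep the real implementation for restore and delegation
_SHELL_META = set(";|&$`<>()\n")


def install_safe_os_system(allowed_programs):
    """Eclipse os.system with a wrapper that only runs allow-listed programs (the talk's
    'safe os.system() known only by us'). Returns the original function."""
    allowed = frozenset(allowed_programs)

    def safe_system(command: str) -> int:
        try:
            argv = shlex.split(command)
        except ValueError:            # unbalanced quotes: treat as malformed, refuse
            argv = []
        if not argv or argv[0] not in allowed or _SHELL_META & set(command):
            log.warning("blocked os.system(%r)", command)
            raise PermissionError(f"os.system blocked: {command!r}")
        return _original_system(command)

    os.system = safe_system
    return _original_system


def restore_os_system():
    os.system = _original_system


def is_patched() -> bool:
    return os.system is not _original_system


def demo(allowed=("true",)) -> dict:
    """Exercise the patch: an allow-listed command runs, anything else is refused."""
    install_safe_os_system(allowed)
    outcome = {}
    try:
        outcome["allowed_status"] = os.system("true")
        for cmd in ("id", "true; id", "true $(id)", "echo 'unterminated"):
            try:
                os.system(cmd)
                outcome[cmd] = "ran"
            except PermissionError:
                outcome[cmd] = "blocked"
    finally:
        restore_os_system()
    return outcome


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    print(demo())
```

Install the patch at cold start, before the handler module is imported, and repeat it for `subprocess.Popen` and `os.popen` if the function does not need them; code that did `from os import system` before the patch still holds the original reference, which is the limit of this technique and why it complements, rather than replaces, fixing the input validation.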