3. Behind the Cloud…
Layer stack: Physical Facilities, Infrastructure, Compute & Storage, Hypervisor, Virtual Network, Operating System, App Framework, Application, Data
Amazon Web Services (AWS)
Regions Worldwide (11)
o Availability Zones (2-3 per Region)
Edge Locations (50+)
5. Security is a Shared Responsibility
SaaS: the layer stack is split between Provider and Yours
Your responsibility vs. Provider responsibility
o Type of service
o Contractual agreements
Evaluating Cloud providers
o SOC I/II, ISO 27002, PCI, HIPAA
o Contractual agreements
o Financial limits
6. Security is a Shared Responsibility
PaaS: the layer stack is split between Provider and Yours
7. Security is a Shared Responsibility
IaaS: the layer stack is split between Provider and Yours
8. Amazon Web Services (AWS)
IaaS: flexible & complex
AWS offers IaaS, PaaS, and SaaS solutions
9. Evaluating Risk
Where are the biggest risks?
Verizon DBIR 2014
Incident Classification:
Web App Attacks (35%)
External Discovery (88%)
Cyber-Espionage (22%)
External Discovery (85%)
Actions:
Stolen Creds (1)(3)(3)
Export Data (2)(7)(4)
Source: www.verizonenterprise.com/DBIR/2014/
14. Security in the Cloud
Monitor, Assess, Defend (MAD)
Monitor
o Detection is important
o Built on a foundation of logs
Assess / Test
o Evaluate security controls
o Dangerous ground when scanning your app on provider’s infrastructure
Defend
o Prevent security incidents from occurring
o Raise the bar
16. Monitor
Web Application Firewall (WAF)
o Bursting thresholds
o OWASP Top 10
o Tuned to the application
Application, RDS logs
o AuthN/Z
o Security related
o Anomaly detection
ELB – Log user requests
o Anomaly detection
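The two monitoring ideas on this slide, bursting thresholds and anomaly detection over ELB request logs, are easy to put into a script. The following is an added example written for this page, not code from the deck or from AWS: it parses lines in the classic ELB access-log layout and flags any client that exceeds a request burst threshold in a sliding window or draws mostly 4xx responses. The log lines, the load balancer name, the thresholds and the client addresses are all constructed for the example; the same logic also serves the later "evaluate WAF effectiveness by reviewing HTTP request logs" point, since it is the request log, not the WAF, that shows what got through.

```python
"""Anomaly detection over classic ELB access logs (added example, not from the deck)."""
import shlex
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in the classic ELB access-log layout (15 fields):
# timestamp elb client:port backend:port req_time backend_time resp_time
# elb_status backend_status received sent "request" "user_agent" cipher protocol
SAMPLE_LOG = """\
2015-05-13T23:39:43.945958Z my-elb 203.0.113.10:2817 10.0.0.1:8888 0.000073 0.001048 0.000057 200 200 0 29 "GET http://www.example.com:80/ HTTP/1.1" "Mozilla/5.0" - -
2015-05-13T23:39:44.000000Z my-elb 198.51.100.7:4001 10.0.0.1:8888 0.000070 0.000900 0.000050 403 403 0 12 "GET http://www.example.com:80/admin HTTP/1.1" "Mozilla/5.0" - -
2015-05-13T23:39:44.400000Z my-elb 198.51.100.7:4002 10.0.0.1:8888 0.000070 0.000900 0.000050 403 403 0 12 "GET http://www.example.com:80/settings HTTP/1.1" "Mozilla/5.0" - -
2015-05-13T23:39:44.800000Z my-elb 198.51.100.7:4003 10.0.0.1:8888 0.000070 0.000900 0.000050 403 403 0 12 "GET http://www.example.com:80/export HTTP/1.1" "Mozilla/5.0" - -
2015-05-13T23:39:45.200000Z my-elb 198.51.100.7:4004 10.0.0.1:8888 0.000070 0.000900 0.000050 404 404 0 12 "GET http://www.example.com:80/reports HTTP/1.1" "Mozilla/5.0" - -
2015-05-13T23:39:45.600000Z my-elb 198.51.100.7:4005 10.0.0.1:8888 0.000070 0.000900 0.000050 403 403 0 12 "GET http://www.example.com:80/api/users HTTP/1.1" "Mozilla/5.0" - -
2015-05-13T23:39:46.000000Z my-elb 198.51.100.7:4006 10.0.0.1:8888 0.000070 0.000900 0.000050 200 200 0 29 "GET http://www.example.com:80/ HTTP/1.1" "Mozilla/5.0" - -
2015-05-13T23:39:46.400000Z my-elb 198.51.100.7:4007 10.0.0.1:8888 0.000070 0.000900 0.000050 403 403 0 12 "GET http://www.example.com:80/status HTTP/1.1" "Mozilla/5.0" - -
2015-05-13T23:39:47.100000Z my-elb 203.0.113.10:2818 10.0.0.1:8888 0.000073 0.001048 0.000057 200 200 0 29 "GET http://www.example.com:80/about HTTP/1.1" "Mozilla/5.0" - -
2015-05-13T23:39:52.250000Z my-elb 203.0.113.10:2819 10.0.0.1:8888 0.000073 0.001048 0.000057 200 200 0 29 "GET http://www.example.com:80/contact HTTP/1.1" "Mozilla/5.0" - -
"""


def parse_elb_line(line):
    """Split one classic ELB log line into the fields the detector needs."""
    f = shlex.split(line)  # keeps the quoted request and user agent as single fields
    method, url, _version = f[11].split(" ", 2)
    return {
        "ts": datetime.strptime(f[0], "%Y-%m-%dT%H:%M:%S.%fZ"),
        "client": f[2].rsplit(":", 1)[0],
        "status": int(f[7]),  # ELB status code: what the client actually saw
        "method": method,
        "url": url,
        "user_agent": f[12],
    }


def detect(lines, window=timedelta(seconds=10), burst=5, error_ratio=0.5):
    """Flag clients that exceed `burst` requests in any `window` or mostly draw 4xx responses."""
    by_client = defaultdict(list)
    for line in lines:
        if line.strip():
            event = parse_elb_line(line)
            by_client[event["client"]].append(event)

    findings = []
    for client, evs in by_client.items():
        evs.sort(key=lambda e: e["ts"])
        # Peak request count inside any sliding window of `window` length
        peak, start = 0, 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            peak = max(peak, end - start + 1)
        client_errors = sum(1 for e in evs if 400 <= e["status"] < 500)
        ratio = client_errors / len(evs)

        reasons = []
        if peak > burst:
            reasons.append(f"burst: {peak} requests within {int(window.total_seconds())}s")
        if ratio >= error_ratio:
            reasons.append(f"4xx ratio {ratio:.2f} over {len(evs)} requests")
        if reasons:
            findings.append({"client": client, "requests": len(evs), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG.splitlines()):
        print(finding)
```

The thresholds are the tuning knobs the slide talks about: a burst of five requests in ten seconds is far too low for a busy API and about right for a login page, so set them per application and revisit them as traffic changes.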
17. Monitor
S3 Access Logging
o If there is sensitive information in S3 buckets (S3 access logs are not part of CloudTrail)
CloudWatch
o Availability & performance of EC2 instances
18. Monitor
CloudTrail – AWS account actions
o Any root account activity
o StopLogging / UpdateTrail
o Create/DeleteVPC
o CreateAccessKey
o Privileged Role assignments
o DeleteHostedZone
o ChangeResourceRecordSet
o RunInstance (dramatic change)
o Public Security Group modification
IAM
o AWS Access Keys
o Inventory (owner) / Last recycle date
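The CloudTrail alert list above translates directly into a triage rule set. The following is an added example, not code from the deck or from AWS: it walks a batch of records shaped like CloudTrail events and reports the ones that match the slide's list, including the "public security group modification" case, which needs a look inside the request parameters rather than just the event name. The records, account id, user names and group id are constructed; the API names use their exact CloudTrail spelling (RunInstances, ChangeResourceRecordSets, CreateVpc, DeleteVpc), and the slide's "privileged role assignments" is read here as IAM policy attachments (AttachUserPolicy, AttachRolePolicy), which is one reasonable interpretation, not the only one.

```python
"""Triage of CloudTrail records against the deck's alert list (added example, not from the deck)."""

# Constructed records shaped like CloudTrail events; only the fields the rules read are present.
SAMPLE_EVENTS = [
    {"eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"}},
    {"eventName": "StopLogging", "eventSource": "cloudtrail.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "requestParameters": {"name": "management-trail"}},
    {"eventName": "AuthorizeSecurityGroupIngress", "eventSource": "ec2.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "requestParameters": {"groupId": "sg-0123abcd", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
          "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
    {"eventName": "AuthorizeSecurityGroupIngress", "eventSource": "ec2.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "requestParameters": {"groupId": "sg-0123abcd", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 8888, "toPort": 8888,
          "ipRanges": {"items": [{"cidrIp": "10.0.1.0/24"}]}}]}}},
    {"eventName": "DescribeInstances", "eventSource": "ec2.amazonaws.com",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/ReadOnly/carol"}},
    {"eventName": "CreateAccessKey", "eventSource": "iam.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "userName": "carol"},
     "requestParameters": {"userName": "svc-deploy"}},
]

# API calls the slide lists, keyed by their CloudTrail eventName spelling.
WATCHED_CALLS = {
    "StopLogging": "CloudTrail logging stopped",
    "UpdateTrail": "CloudTrail configuration changed",
    "CreateVpc": "VPC created",
    "DeleteVpc": "VPC deleted",
    "CreateAccessKey": "long-lived access key created",
    "AttachUserPolicy": "policy attached to a user",
    "AttachRolePolicy": "policy attached to a role",
    "DeleteHostedZone": "Route 53 hosted zone deleted",
    "ChangeResourceRecordSets": "DNS records changed",
    "RunInstances": "instances launched",
}

PUBLIC_CIDRS = {"0.0.0.0/0", "::/0"}


def public_ingress(event):
    """Ingress rules in an AuthorizeSecurityGroupIngress call that open a port to the world."""
    perms = event.get("requestParameters", {}).get("ipPermissions", {}).get("items", [])
    hits = []
    for perm in perms:
        ranges = perm.get("ipRanges", {}).get("items", []) + perm.get("ipv6Ranges", {}).get("items", [])
        for r in ranges:
            cidr = r.get("cidrIp") or r.get("cidrIpv6")
            if cidr in PUBLIC_CIDRS:
                hits.append(f"{perm.get('ipProtocol')} {perm.get('fromPort')}-{perm.get('toPort')} from {cidr}")
    return hits


def classify(event):
    """Reasons this event deserves an alert; an empty list means routine."""
    reasons = []
    if event.get("userIdentity", {}).get("type") == "Root":
        reasons.append("root account activity")
    name = event.get("eventName", "")
    if name in WATCHED_CALLS:
        reasons.append(WATCHED_CALLS[name])
    if name == "AuthorizeSecurityGroupIngress":
        reasons.extend("public security group ingress: " + hit for hit in public_ingress(event))
    return reasons


def triage(events):
    """(eventName, actor, reasons) for every event that trips at least one rule."""
    alerts = []
    for e in events:
        reasons = classify(e)
        if reasons:
            ident = e.get("userIdentity", {})
            actor = ident.get("userName") or ident.get("arn") or ident.get("type")
            alerts.append((e["eventName"], actor, reasons))
    return alerts


if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert)
```

Routine calls such as DescribeInstances and a security group change scoped to an internal range pass through silently; the point of the list is that a handful of event names, plus anything done as root, catch most of the account-level changes an owner would want to hear about immediately.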
19. Monitor
OS / Instances
o “Treat them as cattle, not pets”
o One of these things is not like the others
o Update FIM snapshot
• New AMI
• New Code
o Collect Syslogs / Event logs (forensics)
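"One of these things is not like the others" is exactly what file integrity monitoring (FIM) answers, and the slide's rule that the snapshot is updated only when a new AMI or new code ships is what keeps it useful. The following is an added example for this page, not code from the deck or from any FIM product: it builds a SHA-256 manifest of a directory tree, compares it to a baseline, accepts a planned deployment by re-baselining, and then fails on unplanned drift. The file names and contents are constructed in a temporary directory so the example runs anywhere.

```python
"""Minimal file integrity monitoring with a re-baseline step (added example, not from the deck)."""
import hashlib
import os
import tempfile


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """The FIM snapshot: relative path -> SHA-256 for every regular file under root."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def compare(baseline, current):
    """Paths added, removed or modified since the baseline was taken."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in set(baseline) & set(current) if baseline[p] != current[p]),
    }


def fim_check(baseline, current, allowed_paths=frozenset()):
    """'pass' when every change is in allowed_paths (a planned deploy), otherwise 'fail'
    with the unexpected paths, which is the cue to investigate and replace the instance."""
    diff = compare(baseline, current)
    unexpected = [p for kind in ("added", "removed", "modified") for p in diff[kind]
                  if p not in allowed_paths]
    return ("pass" if not unexpected else "fail"), unexpected


def _write(root, rel, text):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as f:
        f.write(text)


def demo():
    """Baseline an image, accept a planned deploy, then catch unplanned drift (constructed files)."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "bin/app", "release v1")
        _write(root, "etc/app.conf", "port=8888")
        _write(root, "etc/sshd_config", "PasswordAuthentication no")
        baseline = snapshot(root)

        # New code lands in bin/app as a planned change: allowed, and the snapshot is updated.
        _write(root, "bin/app", "release v2")
        deploy = fim_check(baseline, snapshot(root), allowed_paths={"bin/app"})
        baseline = snapshot(root)

        # Nobody deployed these: a changed SSH config and a file that is not from the AMI.
        _write(root, "etc/sshd_config", "PasswordAuthentication yes")
        _write(root, "var/tmp/extra", "not from the AMI")
        drift = fim_check(baseline, snapshot(root))
    return deploy, drift


if __name__ == "__main__":
    print(demo())
```

Because the instances are cattle, a failed check is not an invitation to repair the box in place: the slide's later advice is to investigate, launch a fresh instance from the known-good AMI, and isolate the old one with its security group.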
20. Event Monitoring System
Collect & correlate logs to detect security events
o Oh $4!#! principle
22. Assess / Test
Do you like working with technology, or would you rather make license plates, do laundry, and be watched 24/7 by armed guards…
o TALK WITH YOUR CLOUD PROVIDER BEFORE DOING SECURITY TESTING!
o GET WRITTEN PERMISSION!
23. Assess / Test
Static code analysis
o Secure coding practices
o Plain text credentials
o AWS access keys
Security architecture reviews
o Dev – Sec – Ops?
CloudFormation Templates
o Review before running in production
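Both checks on this slide, scanning source for plain-text AWS access keys and reviewing a CloudFormation template before it reaches production, can run in the same pre-commit or build step. The following is an added example for this page, not code from the deck or from AWS: a regex pass for access key ids and secret keys, and a walk over a CloudFormation template's security groups that reports ingress rules open to the world, rating them higher when they cover the admin ports a later slide says to block (22, 3389). The config snippet and template are constructed; the key pair in the snippet is the placeholder pair from the AWS documentation, not a live credential.

```python
"""Plain-text credential scan and CloudFormation template review (added example, not from the deck)."""
import re

# Access key ids start with AKIA (long-lived) or ASIA (temporary) followed by 16 upper-case/digits.
ACCESS_KEY_RE = re.compile(r"\b(AKIA|ASIA)[0-9A-Z]{16}\b")
# A 40-character base64-ish value assigned to something called a secret key.
SECRET_RE = re.compile(r"(?i)(aws_secret_access_key|secret[_-]?key)\s*[=:]\s*[\"']?([A-Za-z0-9/+=]{40})")

# Constructed config snippet; the key pair is the AWS documentation placeholder, not a real credential.
SAMPLE_SOURCE = """\
# constructed credentials file checked into a repo by mistake
[default]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
"""

# Constructed CloudFormation template fragment (JSON form) with two security groups.
SAMPLE_TEMPLATE = {
    "Resources": {
        "WebSG": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
            "GroupDescription": "web tier",
            "SecurityGroupIngress": [
                {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "0.0.0.0/0"},
                {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"},
            ]}},
        "DbSG": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
            "GroupDescription": "db tier",
            "SecurityGroupIngress": [
                {"IpProtocol": "tcp", "FromPort": 1433, "ToPort": 1433,
                 "SourceSecurityGroupId": {"Ref": "WebSG"}},
            ]}},
    }
}

ADMIN_PORTS = {22, 3389}  # the ports the NACL slide says to block from the outside


def scan_source(text):
    """(line number, finding) for every line that carries an AWS key id or secret in plain text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if ACCESS_KEY_RE.search(line):
            findings.append((lineno, "AWS access key ID in plain text"))
        if SECRET_RE.search(line):
            findings.append((lineno, "AWS secret access key in plain text"))
    return findings


def review_template(template):
    """(resource, description, severity) for each security group ingress rule open to the world."""
    findings = []
    for name, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::EC2::SecurityGroup":
            continue
        for rule in res.get("Properties", {}).get("SecurityGroupIngress", []):
            public = rule.get("CidrIp") == "0.0.0.0/0" or rule.get("CidrIpv6") == "::/0"
            if not public:
                continue
            low, high = int(rule.get("FromPort", 0)), int(rule.get("ToPort", 65535))
            admin_exposed = any(low <= p <= high for p in ADMIN_PORTS)
            severity = "high" if admin_exposed or rule.get("IpProtocol") == "-1" else "review"
            findings.append((name, f"{rule.get('IpProtocol')} {low}-{high} open to the world", severity))
    return findings


if __name__ == "__main__":
    print(scan_source(SAMPLE_SOURCE))
    print(review_template(SAMPLE_TEMPLATE))
```

Port 443 open to the world on a web tier is usually intended and is reported as something to confirm; port 22 from anywhere is the finding that should stop the pipeline, because the bastion pattern on the later slides exists precisely so that it is never needed.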
24. Assess / Test
IAM
o Roles
• Responsibility
o Users / Instances with privileged roles
o Separation of duties
EC2 AMIs that are in use
Security Group Configuration
Trusted Advisor
27. Defense
Contractual agreements
Vendor attestations
Resilient architecture
o Decoupled
o Auto-Scaling
o Multi-AZ
o Secure
o Automation
o Snapshots/backups
• EBS, RDS, S3
Architecture diagram: Users, AWS CloudFormation, Amazon CloudWatch, Priv. Subnet
28. Defense
Encryption: Amazon Key Management Service (KMS)
o Centralized key management (CloudTrail)
o Encrypt Elastic Block Storage (EBS) without impacting performance
o Encrypt credentials or other sensitive data
http://aws.amazon.com/kms/
29. Defense
Web Application Firewall (WAF)
o Tune and re-tune it
o Block malicious traffic
o Turn on rate limiting to save $
Evaluate WAF effectiveness by reviewing HTTP request logs
30. Defense
Use Your Identity Provider
o AssumeRoleWithSAML()
o Does anyone have time to manage two IdPs?
Limit creation of AWS Access Keys
o DevOps – temporary access keys
o Applications – EC2 instance roles
o Permanent – least privilege
• Rotate keys regularly
• Scour code and configs
Source: http://docs.aws.amazon.com/STS/latest/UsingSTS/STSMgmtConsole-SAML.html
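The access-key rules on this slide (DevOps gets temporary credentials, applications get instance roles, permanent keys are least-privilege and rotated) and the earlier Monitor slide's "inventory (owner) / last recycle date" combine into one periodic audit. The following is an added example for this page, not code from the deck or from AWS: it takes a key inventory of the kind an IAM key listing plus last-used data would give you and reports keys past the rotation window, keys held by applications that should be on instance roles, and permanent keys that have never been used. The inventory, owners, dates and key ids are constructed placeholders.

```python
"""Access-key inventory and rotation audit (added example, not from the deck)."""
from datetime import date

# Constructed inventory: owner, key id, creation date, last use, and why the key exists.
# Key ids are placeholders, not real credentials.
SAMPLE_KEYS = [
    {"owner": "alice", "key_id": "AKIAEXAMPLE000000001", "created": date(2015, 1, 10),
     "last_used": date(2015, 4, 1), "purpose": "devops"},
    {"owner": "svc-web-app", "key_id": "AKIAEXAMPLE000000002", "created": date(2014, 6, 1),
     "last_used": date(2015, 4, 2), "purpose": "application"},
    {"owner": "ci-deploy", "key_id": "AKIAEXAMPLE000000003", "created": date(2015, 2, 20),
     "last_used": None, "purpose": "permanent"},
    {"owner": "bob", "key_id": "AKIAEXAMPLE000000004", "created": date(2015, 3, 25),
     "last_used": date(2015, 4, 2), "purpose": "devops"},
]


def audit_keys(keys, today, max_age_days=90, unused_days=30):
    """Apply the slide's rules: rotate regularly, applications use instance roles,
    and a permanent key nobody has used is not least privilege, it is unneeded."""
    findings = []
    for k in keys:
        age = (today - k["created"]).days
        reasons = []
        if age > max_age_days:
            reasons.append(f"age {age}d exceeds the {max_age_days}d rotation window")
        if k["purpose"] == "application":
            reasons.append("application key: replace with an EC2 instance role")
        if k["last_used"] is None and age > unused_days:
            reasons.append(f"never used in {age}d: deactivate, then delete")
        if reasons:
            findings.append({"owner": k["owner"], "key_id": k["key_id"],
                             "age_days": age, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in audit_keys(SAMPLE_KEYS, date(2015, 4, 3)):
        print(finding)
```

Owner and purpose are the fields that are usually missing from a raw key listing, and they are what make the output actionable: a key with no owner has nobody to rotate it, which is how keys end up living for years.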
31. Defense
AWS Access Keys Anyone?
o “When I got to GitHub, I checked … and sure enough it [had] my API keys…crap!”
o “I reverted the last few commits, and deleted all traces from GitHub … within about 5 minutes.”
o “When I woke up the next morning I had four emails from Amazon AWS and a missed phone call … something about 140 servers running on my AWS account.”
o “Boom! A $2375 bill”
o “Amazon was kind enough to drop the charges this time!”
Source: http://www.devfactor.net/2014/12/30/2375-amazon-mistake/
32. Defense
MFA on AWS root and highly privileged accounts
Separation of Duties & Least Privilege
o IAM, VPC Privileges, Route53, etc.
o Access to backups and snapshots needs special protection
CodeSpaces
o “Code Spaces will not be able to operate beyond this point”
o “upon seeing us make the attempted recovery of the account [attacker] proceeded to randomly delete artifacts”
o “[attacker deleted] all EBS snapshots, S3 buckets, all AMI's, some EBS instances and several machine instances”
Source: http://www.darkreading.com/attacks-breaches/code-hosting-service-shuts-down-after-cyber-attack/d/d-id/1278743
33. Defense: Incident Response
Investigate without tipping off the attacker
Automate your response, assume the attacker has automated his
34. Defense
OS / AMI
o Use trusted, securely configured AMIs - Update Often (patching)
o AWS Marketplace has DISA STIG compliant AMIs
o If FIM tests fail: investigate, new instance, isolate old (SG)
o Auto-scaling will use the AMI(s) you configure – make sure it’s the right one
o SSH Keys / Admin Passwords
o Bastion
o Prod and non-prod
o Managed in your custom AMIs
35. Defense
NACLs
o IPv4
o Stateless
o Inbound/Outbound
o Soft Limit of 20/20 per subnet
o Block 22, 3389, etc.
o (Don’t lose hope yet)
36. Defense
Security Groups
o IPv4
o Stateful
o Inbound/Outbound
o Apply to an instance or group of instances (across AZ)
o AWS limits on the number of security groups and rules per security group
38. Defense: Security Groups
Inbound rules
Source (in)    Protocol    Port(s)    Comment
BAST_SG        ANY         All        Admin
SG_IN_ELB      TCP         8888       Internal
Default Deny
Outbound rules
Dest (out)     Protocol    Port(s)    Comment
SG_DB          TCP         1433
Default Deny
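The difference between the stateless NACLs of slide 35 and the stateful security groups of slide 36 is easiest to see by evaluating the same traffic against both. The following is an added example for this page, not code from the deck or from AWS: a small model of the slide-38 application security group (bastion in on anything, ELB in on TCP 8888, DB out on TCP 1433, default deny) next to a constructed NACL for the same subnet, with the reply leg of the ELB connection as the case that separates the two. The subnet ranges, the bastion and ELB addresses and the NACL rule numbers are assumptions made for the example; the security group rows come from the slide's table.

```python
"""Stateful security group vs. stateless NACL evaluation (added example, not from the deck)."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    direction: str   # "in" or "out", relative to the protected instance or subnet
    peer: str        # security group name for SG rules, IP address for NACL rules
    protocol: str    # "tcp", "udp", ...
    port: int        # destination port of the packet


@dataclass(frozen=True)
class SgRule:
    direction: str
    peer: str
    protocol: str    # "any" matches every protocol
    ports: tuple     # (from, to); (0, 65535) means all
    comment: str = ""


@dataclass(frozen=True)
class NaclRule:
    number: int      # evaluated lowest first
    direction: str
    action: str      # "allow" or "deny"
    protocol: str
    ports: tuple
    cidr: str


# The application security group from the slide-38 table: allow-list only, default deny.
APP_SG = [
    SgRule("in", "BAST_SG", "any", (0, 65535), "Admin"),
    SgRule("in", "SG_IN_ELB", "tcp", (8888, 8888), "Internal"),
    SgRule("out", "SG_DB", "tcp", (1433, 1433)),
]

# Constructed NACL for the app subnet; 10.0.1.0/24 is the ELB subnet and 10.0.3.0/24 the DB subnet (assumed).
APP_NACL = [
    NaclRule(100, "in", "allow", "tcp", (8888, 8888), "10.0.1.0/24"),
    NaclRule(110, "in", "deny", "tcp", (22, 22), "0.0.0.0/0"),          # slide 35: block 22, 3389
    NaclRule(120, "in", "deny", "tcp", (3389, 3389), "0.0.0.0/0"),
    NaclRule(100, "out", "allow", "tcp", (1433, 1433), "10.0.3.0/24"),
    NaclRule(110, "out", "allow", "tcp", (1024, 65535), "10.0.1.0/24"),  # replies to the ELB need their own rule
]


def sg_allows(rules, flow, tracked=()):
    """Security group semantics: stateful. `tracked` holds flows already admitted; the reply
    leg of a tracked connection (same peer and protocol, opposite direction) needs no rule."""
    for r in rules:
        if (r.direction == flow.direction and r.peer == flow.peer
                and r.protocol in ("any", flow.protocol)
                and r.ports[0] <= flow.port <= r.ports[1]):
            return True
    return any(c.peer == flow.peer and c.protocol == flow.protocol
               and c.direction != flow.direction for c in tracked)


def nacl_allows(rules, flow):
    """NACL semantics: stateless, lowest matching rule number wins, implicit deny at the end."""
    addr = ipaddress.ip_address(flow.peer)
    for r in sorted(rules, key=lambda r: r.number):
        if (r.direction == flow.direction and r.protocol in ("any", flow.protocol)
                and r.ports[0] <= flow.port <= r.ports[1]
                and addr in ipaddress.ip_network(r.cidr)):
            return r.action == "allow"
    return False


def demo():
    elb_request = Flow("in", "SG_IN_ELB", "tcp", 8888)
    elb_reply = Flow("out", "SG_IN_ELB", "tcp", 51234)   # back to the ELB's ephemeral port
    without_ephemeral = [r for r in APP_NACL if not (r.number == 110 and r.direction == "out")]
    return {
        "sg_elb_to_app": sg_allows(APP_SG, elb_request),
        "sg_app_to_db": sg_allows(APP_SG, Flow("out", "SG_DB", "tcp", 1433)),
        "sg_bastion_ssh": sg_allows(APP_SG, Flow("in", "BAST_SG", "tcp", 22)),
        "sg_internet_ssh": sg_allows(APP_SG, Flow("in", "INTERNET", "tcp", 22)),
        "sg_reply_tracked": sg_allows(APP_SG, elb_reply, tracked=[elb_request]),
        "sg_reply_untracked": sg_allows(APP_SG, elb_reply),
        "nacl_internet_ssh": nacl_allows(APP_NACL, Flow("in", "198.51.100.5", "tcp", 22)),
        "nacl_reply_with_rule": nacl_allows(APP_NACL, Flow("out", "10.0.1.20", "tcp", 51234)),
        "nacl_reply_without_rule": nacl_allows(without_ephemeral, Flow("out", "10.0.1.20", "tcp", 51234)),
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:26} {'allow' if allowed else 'deny'}")
```

The reply case is the whole lesson: the security group lets the application answer the ELB because it tracked the inbound connection, while the NACL drops the same reply the moment its outbound ephemeral-port rule is removed. That is why NACLs are best kept to a short deny list of ports that must never enter the subnet, and the per-instance allow list lives in the security group.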
39. Defense
Bastion Host
o Leave it off (Stopped) until you need it
40. Cloud Nirvana
Do you need admin access to production?
o AWS or Bastion
o Automation -> APIs, CloudFormation Templates, Logs
41. Additional Resources
AWS Security Whitepapers
o http://aws.amazon.com/whitepapers/
Re:Invent 2014 - Building a DDoS Resilient Architecture with AWS
o https://www.youtube.com/watch?v=OT2y3DzMEmQ
AWS Key Management Service
o http://aws.amazon.com/kms/
RDS Logging
o http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Welcome.html
AWS QwikLABS
o https://run.qwiklab.com/