The best and the worst security practices on AWS

Ben Whaley
February 19, 2019


Presented at OWASP Lviv 2019-02-19

Transcript

  1. The best and the worst security practices on AWS
     Ben Whaley @iAmTheWhaley
     OWASP Lviv 2019-02-19
  2. Who the fsck is this guy?
     • Security, OS, networking nerd (since 1995)
     • Co-author, UNIX & Linux System Administration Handbook (since 2006)
     • AWS Community Hero (since 2014)
     • Consultant (T-Mobile, Square, Coinbase, …) (2013-2017)
     • Engineering @ Kountable (since 2017)
  3. Worst: Monolithic accounts
     • Proliferation of VPCs, security groups, peering connections
     • Gnarled mess of IAM policies
     • Complex billing statements, difficult attribution
     • Limited compartmentalization capability
  4. Best: Multi-account security strategy
     • Bask in the warm light of AWS Organizations
     • Federated cross-account access with single sign-on/IdP
     • Per-account security policies
     • Per-account cost attribution
     • Compartmentalization limits blast radius
     • Centralized control with explicit trust relationships
  5. [Diagram] Identity Account (SAML authentication via IdP; AWS Console, API access)
     → AssumeRole → Command & Control, Development, Production accounts
  6. Example Service Control Policy
     {
       "Version": "2012-10-17",
       "Statement": [
         {
           "Effect": "Deny",
           "Action": [
             "cloudtrail:StopLogging",
             "ec2:DeleteFlowLogs",
             "logs:DeleteLogGroup",
             "logs:DeleteLogStream"
           ],
           "Resource": "*"
         }
       ]
     }
  7. Worst: Haphazard VPC Design
     • Uncontrolled subnets and CIDR ranges
     • Ad hoc security groups
     • Myriad NACLs
     • Inconsistent service placement
     • Unclear network security zones
  8. Best: Controlled VPC Design
     Accounts: C&C, Development, Production
     VPC          us-west-2        eu-west-1
     management   172.20.0.0/16    10.20.0.0/16
     Dev          172.21.0.0/16    10.21.0.0/16
     Staging      172.22.0.0/16    10.22.0.0/16
     Prod         172.23.0.0/16    10.23.0.0/16
  9. Best: Controlled VPC Design (management VPC, us-west-2, 172.20.0.0/16)
     AZ           Public           Private          Data
     us-west-2a   172.20.0.0/24    172.20.10.0/24   172.20.20.0/24
     us-west-2b   172.20.1.0/24    172.20.11.0/24   172.20.21.0/24
     us-west-2c   172.20.2.0/24    172.20.12.0/24   172.20.22.0/24
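The subnet scheme on slides 8 and 9 (one /16 per VPC, one /24 per tier per AZ, tiers at third-octet offsets 0, 10 and 20) can be generated and checked rather than hand-typed. The following is an added example, not code from the deck or from the author: it carves the plan with Python's standard ipaddress module and then verifies that no two CIDRs in the whole estate overlap, which is the check a haphazard design (slide 7) usually fails. The VPC CIDRs are the ones on the slides; the tier offsets are read off slide 9; the function names are this example's own.

```python
import ipaddress
from itertools import combinations

# Constructed from slide 8: environment -> region -> VPC CIDR (one /16 per VPC).
VPCS = {
    "management": {"us-west-2": "172.20.0.0/16", "eu-west-1": "10.20.0.0/16"},
    "Dev":        {"us-west-2": "172.21.0.0/16", "eu-west-1": "10.21.0.0/16"},
    "Staging":    {"us-west-2": "172.22.0.0/16", "eu-west-1": "10.22.0.0/16"},
    "Prod":       {"us-west-2": "172.23.0.0/16", "eu-west-1": "10.23.0.0/16"},
}

# Third-octet offset of each tier, read off slide 9: public 0-2, private 10-12,
# data 20-22. The gap between tiers leaves room for more AZs without renumbering.
TIER_OFFSET = {"public": 0, "private": 10, "data": 20}


def plan_subnets(vpc_cidr, azs, tiers=TIER_OFFSET):
    """Carve one /24 per tier per AZ out of a /16 VPC.

    Returns {(tier, az): IPv4Network}, e.g. ("private", "us-west-2b") -> 172.20.11.0/24.
    """
    vpc = ipaddress.ip_network(vpc_cidr)
    if vpc.prefixlen != 16:
        raise ValueError(f"{vpc_cidr}: this scheme expects a /16 VPC")
    blocks = list(vpc.subnets(new_prefix=24))  # list index == third octet
    plan = {}
    for tier, offset in tiers.items():
        for i, az in enumerate(azs):
            plan[(tier, az)] = blocks[offset + i]
    return plan


def find_overlaps(networks):
    """Return [(name_a, name_b), ...] for every pair of CIDRs that overlap.

    An empty list is what a controlled design should produce; overlapping
    ranges are what later blocks VPC peering or a site-to-site VPN.
    """
    nets = {name: ipaddress.ip_network(cidr) for name, cidr in networks.items()}
    return [(a, b) for (a, na), (b, nb) in combinations(nets.items(), 2)
            if na.overlaps(nb)]


def all_vpcs():
    """Flatten VPCS into {"env/region": cidr} for the overlap check."""
    return {f"{env}/{region}": cidr
            for env, regions in VPCS.items() for region, cidr in regions.items()}


if __name__ == "__main__":
    azs = ["us-west-2a", "us-west-2b", "us-west-2c"]
    for (tier, az), net in sorted(plan_subnets("172.20.0.0/16", azs).items()):
        print(f"{tier:8} {az:11} {net}")
    print("overlaps:", find_overlaps(all_vpcs()) or "none")
```

Running find_overlaps over every VPC and every subnet in an account before creating them is a cheap gate to put in the pipeline that provisions networks; the same check applied to an existing estate tells you how far from the controlled design you are.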
  10. Best: Per-service security groups. Worst: Many SGs for an instance/service
      ❌ EC2 Instance with multiple SGs: [22], [22, 443], [80, 443]
      ✅ EC2 Instance with one per-service SG: [22, 80, 443]
  11. Basic IAM hygiene
      • Obligatory MFA
      • No static API credentials
      • Services must use roles
      • Never use the root account
      • Share root account password, MFA in password manager
      • AssumeRole for third parties
  12. Best: Use IAM Policy Conditions
      {
        "Version": "2012-10-17",
        "Statement": {
          "Effect": "Allow",
          "Action": "ec2:*",
          "Resource": "*",
          "Condition": {
            "IpAddress": {
              "aws:SourceIp": [
                "1.2.3.0/24",
                "2001:DB8:1234:5678::/64"
              ]
            }
          }
        }
      }
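To see how the SCP on slide 6 and the IP-conditioned policy on slide 12 combine for a given request, here is an added example (not from the deck or its author) that models the documented evaluation order for the small subset of policy grammar those two slides use: a matching explicit Deny wins outright, otherwise a matching Allow is required, otherwise the request is implicitly denied. It is an assumption of this example that the deny-only SCP can be folded into the same pass as the identity policy (true for Deny statements; a real SCP also has to grant the action). Action globs, Resource "*" and the IpAddress/aws:SourceIp condition are modelled; NotAction, principals, resource policies, permission boundaries and every other condition operator are out of scope and fail closed. The policies are the slides' own; the evaluate/_matches/_condition_holds names are this example's.

```python
import fnmatch
import ipaddress
import json

# Slide 6: deny-only SCP that protects the audit trail in every member account.
SCP = json.loads("""
{ "Version": "2012-10-17",
  "Statement": [ { "Effect": "Deny",
                   "Action": [ "cloudtrail:StopLogging", "ec2:DeleteFlowLogs",
                               "logs:DeleteLogGroup", "logs:DeleteLogStream" ],
                   "Resource": "*" } ] }
""")

# Slide 12: Allow ec2:* only from the two source ranges on the slide.
IP_POLICY = json.loads("""
{ "Version": "2012-10-17",
  "Statement": { "Effect": "Allow", "Action": "ec2:*", "Resource": "*",
                 "Condition": { "IpAddress": { "aws:SourceIp":
                     [ "1.2.3.0/24", "2001:DB8:1234:5678::/64" ] } } } }
""")


def _listify(value):
    """Policy grammar allows a bare string or a list in most positions."""
    return value if isinstance(value, list) else [value]


def _matches(patterns, candidate, case_insensitive):
    """IAM-style matching: '*' and '?' globs; actions ignore case, ARNs do not."""
    patterns = _listify(patterns)
    if case_insensitive:
        candidate = candidate.lower()
        patterns = [p.lower() for p in patterns]
    return any(fnmatch.fnmatchcase(candidate, p) for p in patterns)


def _condition_holds(condition, context):
    """Only IpAddress/aws:SourceIp is modelled; any other operator or key fails closed.

    A request context without aws:SourceIp makes IpAddress false, which is how
    the plain (non-IfExists) operator behaves.
    """
    for operator, keys in (condition or {}).items():
        if operator != "IpAddress":
            return False
        for key, cidrs in keys.items():
            if key != "aws:SourceIp" or key not in context:
                return False
            ip = ipaddress.ip_address(context[key])
            # An IPv6 address is never "in" an IPv4 network, and vice versa.
            if not any(ip in ipaddress.ip_network(c, strict=False) for c in _listify(cidrs)):
                return False
    return True


def evaluate(policies, action, resource, context):
    """Decide one request: 'Deny' (explicit), 'Allow', or 'ImplicitDeny'."""
    decision = "ImplicitDeny"
    for policy in policies:
        for stmt in _listify(policy["Statement"]):
            if not _matches(stmt["Action"], action, case_insensitive=True):
                continue
            if not _matches(stmt.get("Resource", "*"), resource, case_insensitive=False):
                continue
            if not _condition_holds(stmt.get("Condition"), context):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"  # an explicit deny ends evaluation immediately
            decision = "Allow"
    return decision


if __name__ == "__main__":
    office = {"aws:SourceIp": "1.2.3.4"}
    for act, ctx in [("ec2:DescribeInstances", office),
                     ("ec2:DeleteFlowLogs", office),
                     ("ec2:DescribeInstances", {"aws:SourceIp": "203.0.113.9"})]:
        print(f"{act:24} from {ctx['aws:SourceIp']:14} -> {evaluate([SCP, IP_POLICY], act, '*', ctx)}")
```

The point the two slides make together shows up in the results: the SCP deny on ec2:DeleteFlowLogs beats the broad ec2:* allow even from a trusted address, and the same ec2:* allow is worthless from an address outside the listed ranges. When testing a real policy set, use the IAM policy simulator rather than a model like this one; the model is only here to make the precedence visible.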
  13. Best: Secure configuration with KMS
      1. Generate a password
      2. Save it as a SecureString in SSM Parameter Store
      3. Add policy to read the Parameter Store value
      4. Assign policy to a role used by an ECS task/instance
      5. Read password from Parameter Store at run time
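The five steps above, carried through as an added example (this is not code from the deck or from the author). The boto3 SSM calls it mirrors, put_parameter(Name=..., Value=..., Type="SecureString", KeyId=..., Overwrite=...) and get_parameter(Name=..., WithDecryption=True), are real, but so that the example runs offline a constructed in-memory stand-in with the same method shapes is used instead of a boto3 client. The region, account id, parameter name and KMS key id are placeholders; the helper names are this example's own.

```python
import json
import secrets
import string

# Placeholders constructed for this example; substitute your own values.
REGION = "us-west-2"
ACCOUNT_ID = "123456789012"
PARAM = "/prod/db/password"
KMS_KEY_ID = "11111111-2222-3333-4444-555555555555"


def generate_password(length=32):
    """Step 1: draw the password from the OS CSPRNG; no human types or sees it."""
    alphabet = string.ascii_letters + string.digits + "!#$%&()*+,-.:;<=>?@[]^_{}~"
    return "".join(secrets.choice(alphabet) for _ in range(length))


class FakeSSMClient:
    """Offline stand-in (constructed) for the two boto3 SSM calls the steps need.

    Method names and keyword arguments follow boto3's ssm client; storage and
    'encryption' are simulated so the example runs without AWS access.
    """
    def __init__(self):
        self._params = {}

    def put_parameter(self, Name, Value, Type, KeyId=None, Overwrite=False):
        if Name in self._params and not Overwrite:
            raise ValueError("ParameterAlreadyExists")
        self._params[Name] = {"Type": Type, "Value": Value, "KeyId": KeyId}
        return {"Version": 1}

    def get_parameter(self, Name, WithDecryption=False):
        p = self._params[Name]
        # Real SSM returns ciphertext for a SecureString unless WithDecryption=True.
        value = p["Value"] if (WithDecryption or p["Type"] != "SecureString") else "<ciphertext>"
        return {"Parameter": {"Name": Name, "Type": p["Type"], "Value": value}}


def store_secret(ssm, name, value, kms_key_id):
    """Step 2: store the value as a SecureString encrypted under the chosen KMS key."""
    ssm.put_parameter(Name=name, Value=value, Type="SecureString",
                      KeyId=kms_key_id, Overwrite=True)


def parameter_read_policy(region, account_id, parameter_name, kms_key_id):
    """Step 3: least-privilege policy: read exactly one parameter, decrypt with one key."""
    param_path = parameter_name.lstrip("/")  # ARN form is ...:parameter/prod/db/password
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": ["ssm:GetParameter"],
             "Resource": f"arn:aws:ssm:{region}:{account_id}:parameter/{param_path}"},
            {"Effect": "Allow", "Action": ["kms:Decrypt"],
             "Resource": f"arn:aws:kms:{region}:{account_id}:key/{kms_key_id}"},
        ],
    }


def ecs_task_trust_policy():
    """Step 4: trust policy for the task role that carries the policy above."""
    return {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow",
                       "Principal": {"Service": "ecs-tasks.amazonaws.com"},
                       "Action": "sts:AssumeRole"}],
    }


def read_secret(ssm, name):
    """Step 5: the task fetches the plaintext at run time; it never lands in an image or env file."""
    return ssm.get_parameter(Name=name, WithDecryption=True)["Parameter"]["Value"]


if __name__ == "__main__":
    ssm = FakeSSMClient()
    store_secret(ssm, PARAM, generate_password(), KMS_KEY_ID)
    print(json.dumps(parameter_read_policy(REGION, ACCOUNT_ID, PARAM, KMS_KEY_ID), indent=2))
    print("plaintext length at run time:", len(read_secret(ssm, PARAM)))
```

With a real client, boto3.client("ssm").get_parameter(Name=PARAM, WithDecryption=True) takes the place of the stand-in, and the credentials come from the task role in step 4, so nothing in the container image, task definition or environment ever holds the secret itself.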
  14. Do: Learn from the Experts
      • The well-architected framework https://aws.amazon.com/architecture/well-architected/
      • Solutions https://aws.amazon.com/solutions
      • Security blog https://aws.amazon.com/blogs/security/
      • Security Bulletins https://aws.amazon.com/security/security-bulletins/