The best and the worst security practices on AWS

Ben Whaley
February 19, 2019

Presented at OWASP Lviv 2019-02-19

Transcript

  1. The best and the worst security practices on AWS
     Ben Whaley, @iAmTheWhaley
     OWASP Lviv, 2019-02-19
  2. Who the fsck is this guy?
     • Security, OS, networking nerd (since 1995)
     • Co-author, UNIX & Linux System Administration Handbook (since 2006)
     • AWS Community Hero (since 2014)
     • Consultant (T-Mobile, Square, Coinbase, …) (2013-2017)
     • Engineering @ Kountable (since 2017)
  3. Worst: Monolithic accounts
     • Proliferation of VPCs, security groups, peering connections
     • Gnarled mess of IAM policies
     • Complex billing statements, difficult attribution
     • Limited compartmentalization capability
  4. Best: Multi-account security strategy
     • Bask in the warm light of AWS Organizations
     • Federated cross-account access with single sign-on/IdP
     • Per-account security policies
     • Per-account cost attribution
     • Compartmentalization limits blast radius
     • Centralized control with explicit trust relationships
  5. [Diagram] Identity account: SAML authentication via an IdP gives AWS Console and API access.
     From the Identity account, users AssumeRole into the Command & Control, Development and Production accounts.
  6. Example Service Control Policy
     {
       "Version": "2012-10-17",
       "Statement": [
         {
           "Effect": "Deny",
           "Action": [
             "cloudtrail:StopLogging",
             "ec2:DeleteFlowLogs",
             "logs:DeleteLogGroup",
             "logs:DeleteLogStream"
           ],
           "Resource": "*"
         }
       ]
     }
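The SCP on the slide is a guardrail, not a grant: a Deny in an SCP cannot be overridden by any IAM policy inside the member account, which is exactly why it is the right place to pin CloudTrail, VPC Flow Logs and CloudWatch Logs in place. Two things bite people in practice: SCPs never apply to the organization's management account, and if you detach the default FullAWSAccess policy without attaching an equivalent Allow, every action in the account is denied. The following Python is an added example, not code from the slides; it builds the slide's SCP (extended with three related CloudTrail actions that also blind a trail, an addition of this example) and evaluates actions against a set of SCPs the way AWS does at one level of the organization hierarchy, case-insensitively and with Deny taking precedence.

```python
"""SCP guardrail for logging, as an added example (not from the slides)."""
import fnmatch
import json

# The slide's four actions plus three related CloudTrail actions that also
# disable or blind a trail. The CloudTrail additions are this example's.
LOGGING_TAMPER_ACTIONS = [
    "cloudtrail:StopLogging",
    "cloudtrail:DeleteTrail",
    "cloudtrail:UpdateTrail",
    "cloudtrail:PutEventSelectors",
    "ec2:DeleteFlowLogs",
    "logs:DeleteLogGroup",
    "logs:DeleteLogStream",
]

# AWS attaches this managed SCP to every root, OU and account by default.
# Allow statements in SCPs must use Resource "*" and carry no Condition.
FULL_AWS_ACCESS = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}


def build_logging_guardrail_scp(actions=LOGGING_TAMPER_ACTIONS):
    """Return an SCP document that denies `actions` on every resource."""
    return {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Deny", "Action": list(actions), "Resource": "*"}],
    }


def _action_matches(pattern, action):
    # IAM compares action names case-insensitively; '*' and '?' are wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def scp_allows(scps, action):
    """Decide whether `action` survives the SCPs attached at one level.

    Mirrors AWS evaluation: an explicit Deny in any SCP wins; otherwise the
    action must be matched by an Allow in some SCP. The real evaluation
    repeats this at the root, at every OU on the path, and at the account.
    Dropping FullAWSAccess without a replacement Allow denies everything.
    """
    allowed = False
    for scp in scps:
        for stmt in scp["Statement"]:
            patterns = stmt["Action"]
            if isinstance(patterns, str):
                patterns = [patterns]
            if not any(_action_matches(p, action) for p in patterns):
                continue
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


if __name__ == "__main__":
    guardrail = build_logging_guardrail_scp()
    print(json.dumps(guardrail, indent=2))
    for act in ("cloudtrail:StopLogging", "ec2:DeleteFlowLogs", "s3:GetObject"):
        verdict = "allowed" if scp_allows([FULL_AWS_ACCESS, guardrail], act) else "DENIED"
        print(f"{act:28s} -> {verdict}")
```

Attach the generated document with `aws organizations create-policy --type SERVICE_CONTROL_POLICY` and `attach-policy` to the OU that holds the workload accounts; leave FullAWSAccess in place alongside it.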
  7. Worst: Haphazard VPC design
     • Uncontrolled subnets and CIDR ranges
     • Ad hoc security groups
     • Myriad NACLs
     • Inconsistent service placement
     • Unclear network security zones
  8. Best: Controlled VPC design
     One VPC per account and region, each a non-overlapping /16:

     Account      us-west-2        eu-west-1
     management   172.20.0.0/16    10.20.0.0/16
     Dev          172.21.0.0/16    10.21.0.0/16
     Staging      172.22.0.0/16    10.22.0.0/16
     Prod         172.23.0.0/16    10.23.0.0/16

     Account groups: C&C, Development, Production
  9. Best: Controlled VPC design (management, us-west-2, 172.20.0.0/16)
     Three tiers, one /24 per availability zone:

     Tier      us-west-2a       us-west-2b       us-west-2c
     Public    172.20.0.0/24    172.20.1.0/24    172.20.2.0/24
     Private   172.20.10.0/24   172.20.11.0/24   172.20.12.0/24
     Data      172.20.20.0/24   172.20.21.0/24   172.20.22.0/24
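The plan on slides 8 and 9 is really a small algorithm: a per-region base /16, the second octet shifted by an account index, and inside each VPC a third octet made of a tier block (0, 10, 20) plus an AZ index. Writing it down as code is what keeps the "uncontrolled subnets and CIDR ranges" of slide 7 from creeping back in, because every new VPC or subnet is derived from the same rule and checked for overlap before anyone peers it. The following Python is an added example, not the speaker's code; the mapping of account names to indexes and tier names to offsets is read off the slides, and `overlapping_pairs` is the check you run before adding a peering connection or a Transit Gateway attachment.

```python
"""VPC/subnet addressing plan from the slides, as an added example."""
import ipaddress
from itertools import combinations

# Plan reconstructed from slides 8 and 9: one /16 per account and region.
# The second octet is the per-region base plus an account index
# (0 management, 1 dev, 2 staging, 3 prod).
REGION_BASE = {"us-west-2": "172.20.0.0/16", "eu-west-1": "10.20.0.0/16"}
ACCOUNT_INDEX = {"management": 0, "dev": 1, "staging": 2, "prod": 3}
# Inside a VPC the third octet is a tier block plus the AZ index, one /24 each.
TIER_OFFSET = {"public": 0, "private": 10, "data": 20}
AZ_SUFFIXES = ("a", "b", "c")


def vpc_cidr(region, account):
    """The /16 for one account in one region, e.g. ('us-west-2', 'prod') -> 172.23.0.0/16."""
    base = ipaddress.IPv4Network(REGION_BASE[region])
    addr = int(base.network_address) + ACCOUNT_INDEX[account] * (1 << 16)
    return ipaddress.IPv4Network((addr, 16))


def plan_vpc(region, account):
    """Return {tier: {az_name: /24}} for one VPC, following the slide's layout."""
    vpc = vpc_cidr(region, account)
    plan = {}
    for tier, offset in TIER_OFFSET.items():
        plan[tier] = {}
        for az_index, suffix in enumerate(AZ_SUFFIXES):
            addr = int(vpc.network_address) + (offset + az_index) * (1 << 8)
            subnet = ipaddress.IPv4Network((addr, 24))
            assert subnet.subnet_of(vpc)  # never carve outside the VPC
            plan[tier][f"{region}{suffix}"] = subnet
    return plan


def all_vpcs():
    """Every VPC the plan defines, keyed by (region, account)."""
    return {(r, a): vpc_cidr(r, a) for r in REGION_BASE for a in ACCOUNT_INDEX}


def overlapping_pairs(networks):
    """Pairs of networks that overlap; an empty list means they can be peered safely."""
    nets = list(networks)
    return [(a, b) for a, b in combinations(nets, 2) if a.overlaps(b)]


if __name__ == "__main__":
    for (region, account), cidr in all_vpcs().items():
        print(f"{region:10s} {account:11s} {cidr}")
    for tier, subnets in plan_vpc("us-west-2", "management").items():
        print(tier, {az: str(s) for az, s in subnets.items()})
    print("overlaps:", overlapping_pairs(all_vpcs().values()))
```

Feed the output to your Terraform or CloudFormation variables rather than typing CIDRs by hand; if `overlapping_pairs` ever returns a non-empty list, the design has regressed to slide 7 and peering will fail or, worse, silently black-hole routes.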
  10. Best: Per-service security groups. Worst: many SGs for an instance/service
      ❌ EC2 instance with several SGs attached (22; 22, 443; 80, 443): overlapping rules, and no single place that says what the service is allowed to receive
      ✅ EC2 instance with one SG for the service (22, 80, 443)
  11. Basic IAM hygiene
      • Obligatory MFA
      • No static API credentials
      • Services must use roles
      • Never use the root account
      • Share root account password and MFA seed in a password manager
      • AssumeRole for third parties (with an ExternalId in the trust policy)
  12. Best: Use IAM policy conditions
      {
        "Version": "2012-10-17",
        "Statement": {
          "Effect": "Allow",
          "Action": "ec2:*",
          "Resource": "*",
          "Condition": {
            "IpAddress": {
              "aws:SourceIp": [
                "1.2.3.0/24",
                "2001:DB8:1234:5678::/64"
              ]
            }
          }
        }
      }
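Two properties of `aws:SourceIp` decide whether a policy like the one above helps or locks you out. It is the public address the AWS endpoint sees, so for callers behind a NAT gateway it is the gateway's Elastic IP, not the instance address. And when the key is absent from the request context, which is the case for requests that arrive through a VPC endpoint, IAM evaluates the `IpAddress` condition as false and the Allow simply stops applying; calls that an AWS service makes on your behalf (CloudFormation, for example) carry the service's address and fail for the same reason. The Python below is an added example, not the speaker's code: it reproduces the slide's policy with straight quotes and evaluates the `IpAddress` operator (only that operator is implemented) for IPv4 and IPv6 callers, including the missing-key case.

```python
"""IpAddress condition evaluation for aws:SourceIp, as an added example."""
import fnmatch
import ipaddress

# The slide's policy, with straight quotes so it parses.
SOURCE_IP_POLICY = {
    "Version": "2012-10-17",
    "Statement": {
        "Effect": "Allow",
        "Action": "ec2:*",
        "Resource": "*",
        "Condition": {
            "IpAddress": {"aws:SourceIp": ["1.2.3.0/24", "2001:DB8:1234:5678::/64"]}
        },
    },
}


def _as_list(value):
    return [value] if isinstance(value, str) else list(value)


def ip_condition_matches(condition, request_context):
    """Evaluate the IpAddress operator against the request context.

    A key that is absent from the request context (aws:SourceIp is absent for
    requests made through a VPC endpoint) makes the condition false, so an
    Allow that depends on it no longer applies. A v4 address never matches a
    v6 range and vice versa; ipaddress handles that for us.
    """
    for key, cidrs in condition.get("IpAddress", {}).items():
        value = request_context.get(key)
        if value is None:
            return False
        src = ipaddress.ip_address(value)
        if not any(src in ipaddress.ip_network(c, strict=False) for c in _as_list(cidrs)):
            return False
    return True


def statement_allows(policy, action, request_context):
    """True if an Allow statement matches `action` and its IpAddress condition holds.

    Other condition operators are not modelled here; a Deny elsewhere would
    still win in a real evaluation.
    """
    statements = policy["Statement"]
    if isinstance(statements, dict):
        statements = [statements]
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        if not any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in _as_list(stmt["Action"])):
            continue
        if ip_condition_matches(stmt.get("Condition", {}), request_context):
            return True
    return False


if __name__ == "__main__":
    # Constructed request contexts: office IPv4, office IPv6, a NAT'd caller
    # from elsewhere, and a call via a VPC endpoint (no aws:SourceIp at all).
    cases = [
        {"aws:SourceIp": "1.2.3.77"},
        {"aws:SourceIp": "2001:db8:1234:5678::beef"},
        {"aws:SourceIp": "203.0.113.9"},
        {},
    ]
    for ctx in cases:
        print(ctx, "->", statement_allows(SOURCE_IP_POLICY, "ec2:DescribeInstances", ctx))
```

If you need the restriction but also use VPC endpoints or services acting on your behalf, pair `aws:SourceIp` with `aws:SourceVpce` (or `aws:SourceVpc`) and `aws:ViaAWSService` in the condition instead of relying on the source address alone.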
  13. Best: Secure configuration with KMS
      1. Generate a password
      2. Save it as a SecureString in SSM Parameter Store
      3. Add a policy to read the Parameter Store value
      4. Assign the policy to a role used by an ECS task/instance
      5. Read the password from Parameter Store at run time
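The five steps above are one procedure, and the two places it usually goes wrong are the policy (step 3) and the read (step 5). The role needs `ssm:GetParameter` scoped to the one parameter ARN, and if the SecureString is encrypted with a customer-managed KMS key it also needs `kms:Decrypt` on that key (with the default `aws/ssm` key, SSM decrypts on the caller's behalf). At read time, leaving out `WithDecryption=True` returns the KMS ciphertext rather than the password, which tends to surface as a confusing authentication failure downstream. The Python below is an added example, not the speaker's code: the region, account ID and parameter name are hypothetical, and `FakeSSM` is a constructed stand-in for the boto3 `ssm` client so the example runs offline; with boto3 installed, `read_secret(boto3.client("ssm"), PARAMETER_NAME)` uses the real service.

```python
"""Runtime secret retrieval from SSM Parameter Store, as an added example."""
import secrets
import string

# Hypothetical identifiers for the example; substitute your own.
REGION = "us-west-2"
ACCOUNT_ID = "123456789012"
PARAMETER_NAME = "/prod/db/password"


def generate_password(length=32):
    """Step 1: a random password from the OS CSPRNG, never a hand-typed one."""
    alphabet = string.ascii_letters + string.digits + "-_.~"
    return "".join(secrets.choice(alphabet) for _ in range(length))


def parameter_arn(region, account_id, name):
    # Parameter ARNs carry the hierarchical name without its leading slash.
    return f"arn:aws:ssm:{region}:{account_id}:parameter/{name.lstrip('/')}"


def read_policy(region, account_id, name, kms_key_arn=None):
    """Step 3: least-privilege policy for the ECS task or instance role.

    ssm:GetParameter is scoped to the single parameter. Pass kms_key_arn when
    the SecureString uses a customer-managed key; that key needs kms:Decrypt.
    """
    statements = [{
        "Effect": "Allow",
        "Action": ["ssm:GetParameter"],
        "Resource": parameter_arn(region, account_id, name),
    }]
    if kms_key_arn:
        statements.append({"Effect": "Allow", "Action": ["kms:Decrypt"], "Resource": kms_key_arn})
    return {"Version": "2012-10-17", "Statement": statements}


def read_secret(ssm, name):
    """Step 5: fetch and decrypt at run time.

    Without WithDecryption=True a SecureString comes back as KMS ciphertext.
    The type check catches a parameter that was accidentally stored as a
    plain String, which would mean the value sits unencrypted in SSM.
    """
    param = ssm.get_parameter(Name=name, WithDecryption=True)["Parameter"]
    if param.get("Type") != "SecureString":
        raise ValueError(f"{name} is stored as {param.get('Type')}, not SecureString")
    return param["Value"]


class FakeSSM:
    """Constructed stand-in for the boto3 ssm client so the example runs offline."""

    def __init__(self, store):
        self.store = store  # name -> (Type, plaintext)

    def get_parameter(self, Name, WithDecryption=False):
        ptype, plaintext = self.store[Name]
        # Real SSM returns the ciphertext blob for a SecureString unless asked to decrypt.
        value = plaintext if (WithDecryption or ptype != "SecureString") else "ciphertext-blob"
        return {"Parameter": {"Name": Name, "Type": ptype, "Value": value}}


if __name__ == "__main__":
    import json
    password = generate_password()
    print(json.dumps(read_policy(REGION, ACCOUNT_ID, PARAMETER_NAME), indent=2))
    fake = FakeSSM({PARAMETER_NAME: ("SecureString", password)})
    print("read back OK:", read_secret(fake, PARAMETER_NAME) == password)
```

Step 2 is `aws ssm put-parameter --name /prod/db/password --type SecureString --value "$PASSWORD"` (add `--key-id` for a customer-managed key), and step 4 is attaching the generated policy to the task or instance role; the application then calls `read_secret` at start-up instead of reading the password from an environment variable or a baked image.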
  14. Do: Learn from the experts
      • The Well-Architected Framework https://aws.amazon.com/architecture/well-architected/
      • Solutions https://aws.amazon.com/solutions
      • Security blog https://aws.amazon.com/blogs/security/
      • Security Bulletins https://aws.amazon.com/security/security-bulletins/