COM224: How organizations are actually applying AWS security best practices

© 2024, Amazon Web Services, Inc. or its affiliates. All
rights reserved.

rights reserved. © 2024, Amazon Web Services, Inc. or its affiliates. All rights reserved. How organizations are actually applying AWS security best practices Shun Yoshie COM224 Security Consultant AWS Security Hero Nomura Research Institute, Ltd. Keisuke Usuda Hirokazu Yoshida Solutions Architect AWS Security Hero Classmethod, Inc. Security Engineer CloudNative Inc.

rights reserved. Session summary In this lightning talk, we share our ﬁndings and takeaways from our research on AWS security best practices in Japan and South Korea Learn how you can set your security baseline from the survey responses by comparing it with your own country’s or your own AWS security implementation status, and gain material for considering future measures This presentation is provided by Security-JAWS (Japan AWS User Group Security Branch) core members Background of this survey: Although AWS publishes many security best practices, we often hear from customers asking for security best practices when implementing business workloads on AWS

rights reserved. Report summary Summary and detailed analysis of survey results Consideration and conclusion We are Security-JAWS Agenda

rights reserved. Survey method and survey period • Used questionnaire on Google Forms (anonymous voting) • Publicized the survey online, on Amazon SNS, and at seminars and events • Gave rewards for survey participants • Anonymized survey response raw data Survey period: 2022/5/30 – 2022/7/31

rights reserved. Survey target • This survey is open to anyone in Japan who is involved in any way with their company’s use of AWS as part of their work • No selection was made based on industry, job title, position, company size, or employment status

rights reserved. Report summary n = 162

rights reserved. Report summary • Over 130 pages • 30 questions analyzed from multiple perspectives, 20 interesting trends for 16 questions • Security-JAWS recommendations based on the insights gained from the analysis

rights reserved. What official AWS documents do you refer to when designing and conﬁguring your AWS environment?

rights reserved. What official AWS documents do you refer to when designing and conﬁguring your AWS environment? ANALYSIS RESULTS • (1)–(4) were the main references, with usage rates increasing with years of experience • Among these, (3) AWS Well-Architected was used by 100% of those with 10 or more years of experience using AWS DISCUSSION • (2) AWS security best practices are archived, but the ease of hit at the top of searches is likely responsible for the high usage rate

rights reserved. In your role within the organization, who keeps up with AWS security best practices?

rights reserved. In your role within the organization, who keeps up with AWS security best practices? ANALYSIS RESULTS • The ﬁnancial services industry is led by the security department to catch up on security best practices, but other departments are also involved • Other industries tended to catch up on security best practices, led by those directly involved in handling AWS environments DISCUSSION • Financial services is the closest to “security is all hands on deck”

rights reserved. Do you conduct a (continuous) risk assessment after conﬁguring a system using the AWS environment?

rights reserved. Do you conduct a (continuous) risk assessment after conﬁguring a system using the AWS environment? ANALYSIS RESULTS • About half of medium and larger companies perform continuous risk assessments for their speciﬁc production environments • As company size increases, fewer companies do not perform continuous risk assessments DISCUSSION • Smaller companies are less likely to conduct continuous risk assessments, but the reason may simply be that they have been in business for a shorter period of time

rights reserved. What methods do your engineers and operators use to access your AWS environment?

rights reserved. What methods do your engineers and operators use to access your AWS environment? ANALYSIS RESULTS • 50% of companies of all sizes are using “MFA + Switch role” and 70% of companies with 301–500 employees are doing so • Among companies with 5,001 or more employees, the ratio of companies that only use “ID + password” authentication was twice as high as that of companies of other sizes DISCUSSION • Given these trends, “MFA + Switch role” is the standard method of logging in to the AWS environment; there is plenty of room for larger companies to promote the standard

rights reserved. Please select what you are doing for “Infrastructure protection” COMPANY SIZE

rights reserved. Please select what you are doing for “Infrastructure protection” COMPANY SIZE ANALYSIS RESULTS • VPC subnet division and access restriction from speciﬁc networks had a high penetration rate of 80% in most companies • About 50% of medium-sized or larger companies use AWS WAF DISCUSSION • A basic best practice is recognized as having a high penetration rate • This is probably because AWS WAF is the minimum required function for DDoS countermeasures • That’s too low considering Amazon EC2 usage, but the survey responses didn’t provide any insight into explaining these trends

rights reserved. Please select the initiatives for applying “preventive control” in the AWS environment

rights reserved. Please select the initiatives for applying “preventive control” in the AWS environment ANALYSIS RESULTS • About half of companies of all business sizes use AWS Organizations to create AWS accounts • About half of all ﬁrms of all sizes create their AWS accounts using AWS Organizations DISCUSSION • The best practice of using AWS Organizations is widespread • It appeared that mid-sized companies are beginning to use AWS Control Tower

rights reserved. Please select the initiatives for applying “preventive control” in the AWS environment ANALYSIS RESULTS • The baseline environment is automatically generated using IaC, mainly for medium-sized companies; on the other hand, no ﬁrms were found to evaluate their settings using IaC DISCUSSION • This is probably because the people who evaluate the settings are different from those who use IaC

rights reserved. Please select the initiatives for applying “preventive control” in the AWS environment ANALYSIS RESULTS • Although there are differences depending on the size of the company, about 30% of survey respondents tended to consciously use encryption when storing data DISCUSSION • Encryption during data storage is easy to implement, but the reason for the low implementation rate may be a lack of understanding of accountability for data retention

rights reserved. Please select the initiatives for applying “preventive control” in the AWS environment EXCERPTS FROM FREE RESPONSES • Prior to the release of AWS Organizations, baseline policies were applied at account creation and account distribution • Restrictions on launching metal instances, etc., accept those deployed with SCP • When dealing with risk data, consider it according to the target, and do not implement it uniformly • Assign an “IAM user for auditing” to each account issued for each product or purpose, and notify the company that it is being audited on a regular basis

rights reserved. Please select which AWS services you use as “detective controls”

rights reserved. Please select which AWS services you use as “detective controls” ANALYSIS RESULTS • For all services, use was low in small companies, but there was no correlation in usage rates in medium and larger companies • AWS Security Hub and AWS Identity and Access Management Access Analyzer are only used at around 20-30% of the total usage. DISCUSSION • We believe that AWS Security Hub and AWS Identity and Access Management Access Analyzer are both indispensable services for implementing detective controls, and we expect their further spread

rights reserved. Please select which AWS services you use as “detective controls” EXCERPTS FROM FREE RESPONSES In addition, the following answers were given as third-party tools used as detective controls • VMware Secure State/Prisma Cloud/FutureVuls/Orca Security • Trend Micro Cloud One • Includes deep security/workload security • ELK/SIEM on Amazon OpenSearch Service

rights reserved. Which service will you use to analyze CloudTrail? YEARS OF EXPERIENCE

rights reserved. Which service will you use to analyze CloudTrail? YEARS OF EXPERIENCE ANALYSIS RESULTS • Inexperienced users only use the AWS CloudTrail console, but veterans also use Amazon Athena and Amazon GuardDuty DISCUSSION • Veterans can take advantage of more convenient services

rights reserved. Which service will you use to analyze CloudTrail? YEARS OF EXPERIENCE EXCERPTS FROM FREE RESPONSES • Use of SIEM such as Splunk/Azure Sentinel/Elastic Cloud • Use of AWS services such as Amazon CloudWatch Logs Insights/Amazon Detective • Prisma Cloud – Seen as an answer close to entrusting it to Amazon GuardDuty

rights reserved. What do you do when you dispose of critical data in your AWS environment?

rights reserved. What do you do when you dispose of critical data in your AWS environment? ANALYSIS RESULTS • Regarding the disposal of important data, there was a certain amount of response to simply deleting resources, regardless of the level of importance, regardless of the scale of the business DISCUSSION • The shared responsibility model and the data disposal policy of AWS seem to be a movement to trust the platform to some extent • However, in the shared responsibility model, the data management is the responsibility of the user, so it is hard to say that the responsibility is being fulﬁlled

rights reserved. What do you do when you dispose of critical data in your AWS environment? DISCUSSION • On the other hand, although technical measures such as deletion and invalidation of encryption keys and storage of deletion logs are generally slow, it is believed that they are additionally implemented according to the rules

rights reserved. What do you do when you dispose of critical data in your AWS environment? EXCERPTS FROM FREE RESPONSES • Get a backup • Since it is encrypted, AWS KMS can be discarded due to the mechanism, but it has not been considered • Delete encrypted Amazon EBS or Amazon S3 as it is

rights reserved. Consideration KEISUKE USUDA • From the results, it became clear that more speciﬁc information on implementing difficult best practices is necessary • I aim to disseminate information to enable easy implementation of challenging practices like least privilege and multi-account management • Additionally, since the Amazon GuardDuty usage rate was not 100%, I will continue missionary activities to achieve full adoption • While AWS managed services offer many conveniences, there is still room for improvement

rights reserved. Consideration HIROKAZU YOSHIDA • In Korea, a speciﬁc department is responsible for keeping up to date with security best practice, and organizations conduct rigorous risk assessments in an organized and controlled manner • However, Korean AWS users often use AWS in a traditional on-premises manner, with low adoption rates for useful security features such as Amazon GuardDuty and AWS Security Hub • We suggest that traditional enterprise AWS users similar to these utilize organizational controls to encourage the use of these useful AWS security features

rights reserved. Consideration SHUN YOSHIE • There are many things that we do not have the opportunity to see or hear about the difference between the availability of documents, frameworks, and services, and we think that it is necessary to communicate more so that they can be used • I wondered if services that didn’t need to be replaced by other services, or services that were delayed in updating, weren't being used overseas as well – (AWS CloudTrail Lake, AWS CAF, etc.) • Based on this result, we are looking forward to the next action by the people of AWS, and we need to continue to support them

rights reserved. Conclusion • The results clearly showed a gap between the practices that were implemented and those that were not, depending on the difficulty level of the best practices • If you feel that your company is lagging behind in implementation compared to these results, use this report to convince management to take action • The agility of mid-sized companies is something that we should all emulate

rights reserved. Authors and researchers of this survey 　 SECURITY-JAWS (JAWS-UG SECURITY BRANCH) Hirokazu Yoshida Security Engineer Lifework: Realizing operational and implementable security Like: Amazon Security Lake Keisuke Usuda Solutions Architect AWS Security Hero Amazon GuardDuty is my wife Days with her ﬂew by, and 5 years passed unnoticed Takamasa Ohtake Alliance Lead Specialized area is high availability in the cloud Like: Amazon S3 Shun Yoshie Security Consultant AWS Security Hero Interests: Multicloud, auditing, CNAPP, observability Like: Amazon CloudWatch

rights reserved. Summary of objectives and activities Summary of activities 4 regular study sessions a year (recent: 33rd May 2024 ) Held irregularly • Collaborative study sessions with other JAWS chapters • CTF and hands-on training sessions • 2-day events (#30 special event) Objectives of Security-JAWS The purpose of Security-JAWS is to share information on how specialists in various ﬁelds such as attacks, auditing, and authentication are using AWS to make it even more secure

rights reserved. 2023/10: Award winner “APJ User Group of the Year” at APJ Community Leaders Summit 2023

rights reserved. You can ﬁnd us at X (Twitter): @security_jaws Email: [email protected] URL: s-jaws.doorkeeper.jp Full report

rights reserved. Thank you! © 2024, Amazon Web Services, Inc. or its affiliates. All rights reserved. Thank you! Please complete the session survey in the mobile app Keisuke Usuda Hirokazu Yoshida X: ke_ni_ LN: keisuke usuda X: hirokazu0021 LN: hirokazu yoshida X: Typhon666_death LN: shun yoshie Shun Yoshie

COM224: How organizations are actually applying...

COM224: How organizations are actually applying AWS security best practices

More Decks by fnifni

Other Decks in Technology

Featured

Transcript