Upgrade to Pro — share decks privately, control downloads, hide ads and more …

COM224: How organizations are actually applying...

COM224: How organizations are actually applying AWS security best practices

Other members have also uploaded the same slides.
Shun Yoshie: https://speakerdeck.com/syoshie/how-organizations-are-actually-applying-aws-security-best-practices
===
Material presented as Security-JAWS at re:Inforce 2024.

In this lightning talk, we share our findings and takeaways from our research on AWS security best practices in Japan and South Korea
Learn how you can set your security baseline from the survey responses by comparing it with your own country’s or your own AWS security implementation status, and gain material for considering future measures
This presentation is provided by Security-JAWS (Japan AWS User Group Security Branch) core members
Background of this survey: Although AWS publishes many security best practices, we often hear from customers asking for security best practices when implementing business workloads on AWS

=== 以下日本語訳 ===
re:Inforce 2024でSecurity-JAWSとして登壇した資料です。

本ライトニングトークでは、日本と韓国におけるAWSセキュリティのベストプラクティスに関する調査結果から得られた知見とポイントをご紹介します。
調査回答から、自国や自社のAWSセキュリティ実装状況と比較し、セキュリティベースラインを設定する方法を学び、今後の対策を検討するための材料を得ます。
本講演は、Security-JAWS(日本AWSユーザグループセキュリティ専門支部)のコアメンバーによって提供されます。
本調査の背景 AWSでは多くのセキュリティベストプラクティスを公開していますが、お客様からAWS上に業務ワークロードを実装する際のセキュリティベストプラクティスを教えて欲しいという声をよく聞きます。

fnifni

July 13, 2024
Tweet

More Decks by fnifni

Other Decks in Technology

Transcript

  1. © 2024, Amazon Web Services, Inc. or its affiliates. All

    rights reserved. © 2024, Amazon Web Services, Inc. or its affiliates. All rights reserved. How organizations are actually applying AWS security best practices Shun Yoshie COM224 Security Consultant AWS Security Hero Nomura Research Institute, Ltd. Keisuke Usuda Hirokazu Yoshida Solutions Architect AWS Security Hero Classmethod, Inc. Security Engineer CloudNative Inc.
  2. © 2024, Amazon Web Services, Inc. or its affiliates. All

    rights reserved. Session summary In this lightning talk, we share our findings and takeaways from our research on AWS security best practices in Japan and South Korea Learn how you can set your security baseline from the survey responses by comparing it with your own country’s or your own AWS security implementation status, and gain material for considering future measures This presentation is provided by Security-JAWS (Japan AWS User Group Security Branch) core members Background of this survey: Although AWS publishes many security best practices, we often hear from customers asking for security best practices when implementing business workloads on AWS
  3. © 2024, Amazon Web Services, Inc. or its affiliates. All

    rights reserved. Report summary Summary and detailed analysis of survey results Consideration and conclusion We are Security-JAWS Agenda
  4. © 2024, Amazon Web Services, Inc. or its affiliates. All

    rights reserved. Survey method and survey period • Used questionnaire on Google Forms (anonymous voting) • Publicized the survey online, on Amazon SNS, and at seminars and events • Gave rewards for survey participants • Anonymized survey response raw data Survey period: 2022/5/30 – 2022/7/31
  5. © 2024, Amazon Web Services, Inc. or its affiliates. All

    rights reserved. Survey target • This survey is open to anyone in Japan who is involved in any way with their company’s use of AWS as part of their work • No selection was made based on industry, job title, position, company size, or employment status
  6. © 2024, Amazon Web Services, Inc. or its affiliates. All

    rights reserved. Report summary n = 162
  7. © 2024, Amazon Web Services, Inc. or its affiliates. All

    rights reserved. Report summary • Over 130 pages • 30 questions analyzed from multiple perspectives, 20 interesting trends for 16 questions • Security-JAWS recommendations based on the insights gained from the analysis
  8. © 2024, Amazon Web Services, Inc. or its affiliates. All

    rights reserved. Report summary Summary and detailed analysis of survey results Consideration and conclusion We are Security-JAWS Agenda
  9. © 2024, Amazon Web Services, Inc. or its affiliates. All

    rights reserved. What official AWS documents do you refer to when designing and configuring your AWS environment?
  10. © 2024, Amazon Web Services, Inc. or its affiliates. All

    rights reserved. What official AWS documents do you refer to when designing and configuring your AWS environment? ANALYSIS RESULTS • (1)–(4) were the main references, with usage rates increasing with years of experience • Among these, (3) AWS Well-Architected was used by 100% of those with 10 or more years of experience using AWS DISCUSSION • (2) AWS security best practices are archived, but the ease of hit at the top of searches is likely responsible for the high usage rate
  11. © 2024, Amazon Web Services, Inc. or its affiliates. All

    rights reserved. In your role within the organization, who keeps up with AWS security best practices?
  12. © 2024, Amazon Web Services, Inc. or its affiliates. All

    rights reserved. In your role within the organization, who keeps up with AWS security best practices? ANALYSIS RESULTS • The financial services industry is led by the security department to catch up on security best practices, but other departments are also involved • Other industries tended to catch up on security best practices, led by those directly involved in handling AWS environments DISCUSSION • Financial services is the closest to “security is all hands on deck”
  13. © 2024, Amazon Web Services, Inc. or its affiliates. All

    rights reserved. Do you conduct a (continuous) risk assessment after configuring a system using the AWS environment?
  14. © 2024, Amazon Web Services, Inc. or its affiliates. All

    rights reserved. Do you conduct a (continuous) risk assessment after configuring a system using the AWS environment? ANALYSIS RESULTS • About half of medium and larger companies perform continuous risk assessments for their specific production environments • As company size increases, fewer companies do not perform continuous risk assessments DISCUSSION • Smaller companies are less likely to conduct continuous risk assessments, but the reason may simply be that they have been in business for a shorter period of time
  15. © 2024, Amazon Web Services, Inc. or its affiliates. All

    rights reserved. What methods do your engineers and operators use to access your AWS environment?
  16. © 2024, Amazon Web Services, Inc. or its affiliates. All

    rights reserved. What methods do your engineers and operators use to access your AWS environment? ANALYSIS RESULTS • 50% of companies of all sizes are using “MFA + Switch role” and 70% of companies with 301–500 employees are doing so • Among companies with 5,001 or more employees, the ratio of companies that only use “ID + password” authentication was twice as high as that of companies of other sizes DISCUSSION • Given these trends, “MFA + Switch role” is the standard method of logging in to the AWS environment; there is plenty of room for larger companies to promote the standard
  17. © 2024, Amazon Web Services, Inc. or its affiliates. All

    rights reserved. Please select what you are doing for “Infrastructure protection” COMPANY SIZE
  18. © 2024, Amazon Web Services, Inc. or its affiliates. All

    rights reserved. Please select what you are doing for “Infrastructure protection” COMPANY SIZE
  19. © 2024, Amazon Web Services, Inc. or its affiliates. All

    rights reserved. Please select what you are doing for “Infrastructure protection” COMPANY SIZE ANALYSIS RESULTS • VPC subnet division and access restriction from specific networks had a high penetration rate of 80% in most companies • About 50% of medium-sized or larger companies use AWS WAF DISCUSSION • A basic best practice is recognized as having a high penetration rate • This is probably because AWS WAF is the minimum required function for DDoS countermeasures • That’s too low considering Amazon EC2 usage, but the survey responses didn’t provide any insight into explaining these trends
  20. © 2024, Amazon Web Services, Inc. or its affiliates. All

    rights reserved. Please select the initiatives for applying “preventive control” in the AWS environment
  21. © 2024, Amazon Web Services, Inc. or its affiliates. All

    rights reserved. Please select the initiatives for applying “preventive control” in the AWS environment ANALYSIS RESULTS • About half of companies of all business sizes use AWS Organizations to create AWS accounts • About half of all firms of all sizes create their AWS accounts using AWS Organizations DISCUSSION • The best practice of using AWS Organizations is widespread • It appeared that mid-sized companies are beginning to use AWS Control Tower
  22. © 2024, Amazon Web Services, Inc. or its affiliates. All

    rights reserved. Please select the initiatives for applying “preventive control” in the AWS environment ANALYSIS RESULTS • The baseline environment is automatically generated using IaC, mainly for medium-sized companies; on the other hand, no firms were found to evaluate their settings using IaC DISCUSSION • This is probably because the people who evaluate the settings are different from those who use IaC
  23. © 2024, Amazon Web Services, Inc. or its affiliates. All

    rights reserved. Please select the initiatives for applying “preventive control” in the AWS environment ANALYSIS RESULTS • Although there are differences depending on the size of the company, about 30% of survey respondents tended to consciously use encryption when storing data DISCUSSION • Encryption during data storage is easy to implement, but the reason for the low implementation rate may be a lack of understanding of accountability for data retention
  24. © 2024, Amazon Web Services, Inc. or its affiliates. All

    rights reserved. Please select the initiatives for applying “preventive control” in the AWS environment EXCERPTS FROM FREE RESPONSES • Prior to the release of AWS Organizations, baseline policies were applied at account creation and account distribution • Restrictions on launching metal instances, etc., accept those deployed with SCP • When dealing with risk data, consider it according to the target, and do not implement it uniformly • Assign an “IAM user for auditing” to each account issued for each product or purpose, and notify the company that it is being audited on a regular basis
  25. © 2024, Amazon Web Services, Inc. or its affiliates. All

    rights reserved. Please select which AWS services you use as “detective controls”
  26. © 2024, Amazon Web Services, Inc. or its affiliates. All

    rights reserved. Please select which AWS services you use as “detective controls” ANALYSIS RESULTS • For all services, use was low in small companies, but there was no correlation in usage rates in medium and larger companies • AWS Security Hub and AWS Identity and Access Management Access Analyzer are only used at around 20-30% of the total usage. DISCUSSION • We believe that AWS Security Hub and AWS Identity and Access Management Access Analyzer are both indispensable services for implementing detective controls, and we expect their further spread
  27. © 2024, Amazon Web Services, Inc. or its affiliates. All

    rights reserved. Please select which AWS services you use as “detective controls” EXCERPTS FROM FREE RESPONSES In addition, the following answers were given as third-party tools used as detective controls • VMware Secure State/Prisma Cloud/FutureVuls/Orca Security • Trend Micro Cloud One • Includes deep security/workload security • ELK/SIEM on Amazon OpenSearch Service
  28. © 2024, Amazon Web Services, Inc. or its affiliates. All

    rights reserved. Which service will you use to analyze CloudTrail? YEARS OF EXPERIENCE
  29. © 2024, Amazon Web Services, Inc. or its affiliates. All

    rights reserved. Which service will you use to analyze CloudTrail? YEARS OF EXPERIENCE ANALYSIS RESULTS • Inexperienced users only use the AWS CloudTrail console, but veterans also use Amazon Athena and Amazon GuardDuty DISCUSSION • Veterans can take advantage of more convenient services
  30. © 2024, Amazon Web Services, Inc. or its affiliates. All

    rights reserved. Which service will you use to analyze CloudTrail? YEARS OF EXPERIENCE EXCERPTS FROM FREE RESPONSES • Use of SIEM such as Splunk/Azure Sentinel/Elastic Cloud • Use of AWS services such as Amazon CloudWatch Logs Insights/Amazon Detective • Prisma Cloud – Seen as an answer close to entrusting it to Amazon GuardDuty
  31. © 2024, Amazon Web Services, Inc. or its affiliates. All

    rights reserved. What do you do when you dispose of critical data in your AWS environment?
  32. © 2024, Amazon Web Services, Inc. or its affiliates. All

    rights reserved. What do you do when you dispose of critical data in your AWS environment? ANALYSIS RESULTS • Regarding the disposal of important data, there was a certain amount of response to simply deleting resources, regardless of the level of importance, regardless of the scale of the business DISCUSSION • The shared responsibility model and the data disposal policy of AWS seem to be a movement to trust the platform to some extent • However, in the shared responsibility model, the data management is the responsibility of the user, so it is hard to say that the responsibility is being fulfilled
  33. © 2024, Amazon Web Services, Inc. or its affiliates. All

    rights reserved. What do you do when you dispose of critical data in your AWS environment? DISCUSSION • On the other hand, although technical measures such as deletion and invalidation of encryption keys and storage of deletion logs are generally slow, it is believed that they are additionally implemented according to the rules
  34. © 2024, Amazon Web Services, Inc. or its affiliates. All

    rights reserved. What do you do when you dispose of critical data in your AWS environment? EXCERPTS FROM FREE RESPONSES • Get a backup • Since it is encrypted, AWS KMS can be discarded due to the mechanism, but it has not been considered • Delete encrypted Amazon EBS or Amazon S3 as it is
  35. © 2024, Amazon Web Services, Inc. or its affiliates. All

    rights reserved. Report summary Summary and detailed analysis of survey results Consideration and conclusion We are Security-JAWS Agenda
  36. © 2024, Amazon Web Services, Inc. or its affiliates. All

    rights reserved. Consideration KEISUKE USUDA • From the results, it became clear that more specific information on implementing difficult best practices is necessary • I aim to disseminate information to enable easy implementation of challenging practices like least privilege and multi-account management • Additionally, since the Amazon GuardDuty usage rate was not 100%, I will continue missionary activities to achieve full adoption • While AWS managed services offer many conveniences, there is still room for improvement
  37. © 2024, Amazon Web Services, Inc. or its affiliates. All

    rights reserved. Consideration HIROKAZU YOSHIDA • In Korea, a specific department is responsible for keeping up to date with security best practice, and organizations conduct rigorous risk assessments in an organized and controlled manner • However, Korean AWS users often use AWS in a traditional on-premises manner, with low adoption rates for useful security features such as Amazon GuardDuty and AWS Security Hub • We suggest that traditional enterprise AWS users similar to these utilize organizational controls to encourage the use of these useful AWS security features
  38. © 2024, Amazon Web Services, Inc. or its affiliates. All

    rights reserved. Consideration SHUN YOSHIE • There are many things that we do not have the opportunity to see or hear about the difference between the availability of documents, frameworks, and services, and we think that it is necessary to communicate more so that they can be used • I wondered if services that didn’t need to be replaced by other services, or services that were delayed in updating, weren't being used overseas as well – (AWS CloudTrail Lake, AWS CAF, etc.) • Based on this result, we are looking forward to the next action by the people of AWS, and we need to continue to support them
  39. © 2024, Amazon Web Services, Inc. or its affiliates. All

    rights reserved. Conclusion • The results clearly showed a gap between the practices that were implemented and those that were not, depending on the difficulty level of the best practices • If you feel that your company is lagging behind in implementation compared to these results, use this report to convince management to take action • The agility of mid-sized companies is something that we should all emulate
  40. © 2024, Amazon Web Services, Inc. or its affiliates. All

    rights reserved. Report summary Summary and detailed analysis of survey results Consideration and conclusion We are Security-JAWS Agenda
  41. © 2024, Amazon Web Services, Inc. or its affiliates. All

    rights reserved. Authors and researchers of this survey   SECURITY-JAWS (JAWS-UG SECURITY BRANCH) Hirokazu Yoshida Security Engineer Lifework: Realizing operational and implementable security Like: Amazon Security Lake Keisuke Usuda Solutions Architect AWS Security Hero Amazon GuardDuty is my wife Days with her flew by, and 5 years passed unnoticed Takamasa Ohtake Alliance Lead Specialized area is high availability in the cloud Like: Amazon S3 Shun Yoshie Security Consultant AWS Security Hero Interests: Multicloud, auditing, CNAPP, observability Like: Amazon CloudWatch
  42. © 2024, Amazon Web Services, Inc. or its affiliates. All

    rights reserved. Summary of objectives and activities Summary of activities 4 regular study sessions a year (recent: 33rd May 2024 ) Held irregularly • Collaborative study sessions with other JAWS chapters • CTF and hands-on training sessions • 2-day events (#30 special event) Objectives of Security-JAWS The purpose of Security-JAWS is to share information on how specialists in various fields such as attacks, auditing, and authentication are using AWS to make it even more secure
  43. © 2024, Amazon Web Services, Inc. or its affiliates. All

    rights reserved. 2023/10: Award winner “APJ User Group of the Year” at APJ Community Leaders Summit 2023
  44. © 2024, Amazon Web Services, Inc. or its affiliates. All

    rights reserved. You can find us at X (Twitter): @security_jaws Email: [email protected] URL: s-jaws.doorkeeper.jp Full report
  45. © 2024, Amazon Web Services, Inc. or its affiliates. All

    rights reserved. Thank you! © 2024, Amazon Web Services, Inc. or its affiliates. All rights reserved. Thank you! Please complete the session survey in the mobile app Keisuke Usuda Hirokazu Yoshida X: ke_ni_ LN: keisuke usuda X: hirokazu0021 LN: hirokazu yoshida X: Typhon666_death LN: shun yoshie Shun Yoshie