Upgrade to Pro — share decks privately, control downloads, hide ads and more …

AWS Cloud Security Fundamentals

Rami McCarthy
October 19, 2019
Technology
0
640

AWS Cloud Security Fundamentals

Workshop presented at OWASP BASC 2019 by Rami McCarthy and Joshua Dow

Abstract:

"As comfort and familiarity with cloud computing is now more mainstream, companies are leaning more and more on cloud resources to host and run even their most-sensitive technical assets. With these new technologies/innovations come new (and old!) security concerns. In this workshop, we will take participants through a baseline understanding of cloud security - with a focus on AWS security fundamentals.

First, we will briefly outline the cloud security model, the similarities across platforms, and the shared responsibility model that Amazon employs. From there, we will introduce participants to open-source tooling for AWS account auditing and hardening, including NCC's own ScoutSuite. We will provide access to an intentionally vulnerable AWS environment, to allow workshop attendees to follow along and explore misconfigurations with their own eyes. We also will support attendees who want to immediately dive into auditing their own AWS accounts/environments.

Next, we'll highlight easy wins for AWS security, that the audience will be able to immediately apply to their own environments. Following that, we'll speak to Amazon's built-in security tooling, including:

Security Hub
Trusted Advisor
CloudTrail
Inspector
GuardDuty
Macie (and why it's probably wrong for you!)

We'll focus on actionable guidance to walk away and be able to use these tools to harden your own posture. Subsequently, we'll work with attendees through the misconfigurations that led to the Capital One breach, via the CloudGoat scenario. Wrapping up, we'll provide a easy to follow cheatsheet of best practices, easy wins, and open source tools that attendees can reference to improve their own environments. "

Rami McCarthy

October 19, 2019
Tweet

More Decks by Rami McCarthy

See All by Rami McCarthy
How to 10X Your Cloud Security (Without the Series D)
ramimac
0
2.2k
The Path to Zero Touch Production
ramimac
0
2k
Beyond the Baseline: Horizons for Cloud Security Programs
ramimac
0
530
Beyond the AWS Security Maturity Roadmap
ramimac
4
3.1k
Buying Security
ramimac
1
200
Learning from AWS Customer Security Incidents [2022]
ramimac
0
3.7k
Cloud Security Orienteering
ramimac
1
3.7k
Learning from AWS (Customer) Security Incidents
ramimac
1
5.2k
AWS Security: Easy Wins and Enterprise Scale
ramimac
0
660

Other Decks in Technology

See All in Technology
Lexical Analysis
shigashiyama
1
150
IBC 2024 動画技術関連レポート / IBC 2024 Report
cyberagentdevelopers
PRO
1
110
TanStack Routerに移行するのかい しないのかい、どっちなんだい! / Are you going to migrate to TanStack Router or not? Which one is it?
kaminashi
0
600
Shopifyアプリ開発における Shopifyの機能活用
sonatard
4
250
安心してください、日本語使えますよ―Ubuntu日本語Remix提供休止に寄せて― 2024-11-17
nobutomurata
1
1k
ExaDB-D dbaascli で出来ること
oracle4engineer
PRO
0
3.9k
Lambdaと地方とコミュニティ
miu_crescent
2
370
生成AIが変えるデータ分析の全体像
ishikawa_satoru
0
160
DynamoDB でスロットリングが発生したとき/when_throttling_occurs_in_dynamodb_short
emiki
0
240
TypeScript、上達の瞬間
sadnessojisan
46
13k
Application Development WG Intro at AppDeveloperCon
salaboy
0
190
Terraform CI/CD パイプラインにおける AWS CodeCommit の代替手段
hiyanger
1
240

Featured

See All Featured
KATA
mclloyd
29
14k
Cheating the UX When There Is Nothing More to Optimize - PixelPioneers
stephaniewalter
280
13k
Ruby is Unlike a Banana
tanoku
97
11k
CoffeeScript is Beautiful & I Never Want to Write Plain JavaScript Again
sstephenson
159
15k
GitHub's CSS Performance
jonrohan
1030
460k
Product Roadmaps are Hard
iamctodd
PRO
49
11k
Distributed Sagas: A Protocol for Coordinating Microservices
caitiem20
329
21k
ピンチをチャンスに:未来をつくるプロダクトロードマップ #pmconf2020
aki_iinuma
109
49k
実際に使うSQLの書き方 徹底解説 / pgcon21j-tutorial
soudai
169
50k
Stop Working from a Prison Cell
hatefulcrawdad
267
20k
A Philosophy of Restraint
colly
203
16k
Fontdeck: Realign not Redesign
paulrobertlloyd
82
5.2k

Transcript

  1. AWS: Cloud Security Fundamentals Josh Dow Rami McCarthy

  2. This Workshop

  3. Agenda o Introduction o Hands-on with Built-ins 15 minute break

    o Hands-on Self-Auditing o Cheatsheet o Closing Questions

  4. The Cloud

  5. The "Big Three"

  6. Why focus on AWS? https://www.parkmycloud.com/blog/aws-vs-azure-vs-google-cloud-market-share/

  7. http://www.chriswatterston.com

  8. None

  9. •Services •Regions AWS

  10. •Encryption •External Exposure •IAM •Logging/Auditing AWS Security

  11. https://cloudonaut.io/aws-security-primer/

  12. None

  13. Environment Access

  14. aws iam list-users –output table

  15. AWS Built-in Security Tools

  16. None
  17. None
  18. None

  19. Logging is a component of compliance with: • ISO 27001

    – A.12.4 • PCI DSS - Requirement 10
  20. None
  21. None
  22. None
  23. None
  24. None
  25. None
  26. None
  27. None
  28. None
  29. None
  30. None

  31. AWS Configuration Easy Wins

  32. Enable Amazon Tools

  33. Secure Logging

  34. Secure Public Access

  35. Secure Authentication

  36. Secure MFA

  37. None

  38. Third-Party Tools

  39. Free Third-Party Tools

  40. https://github.com/toniblyx/prowler​

  41. https://github.com/nccgroup/scoutsuite

  42. https://github.com/duo-labs/cloudmapper

  43. Get on your balaclavas

  44. CloudGoat Walkthrough

  45. Cheatsheet

  46. Credit to prior art; check these people out to learn

    more! Corey Quinn - https://www.lastweekinaws.com - @QuinnyPig Teri Radichel - https://2ndsightlab.com/ - @TeriRadichel Scott Piper – https://summitroute.com/ - @0xdabbad00 Toni de la Fuente - https://github.com/toniblyx/my-arsenal-of-aws-security-tools- @ToniBlyx Rhino Security - https://rhinosecuritylabs.com/blog/?category=aws Cloudonaut - https://cloudonaut.io/aws-security-primer/

  47. AWS resources for secure architecture Well-Architected Framework: Security Pillar AWS

    Cloud Adoption Framework Aligning to NIST

  48. Questions? Come chat at the Social Hour (we're sponsoring!)