Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Building Castles in the Cloud: AWS Security and...

Rami McCarthy
November 09, 2019

Building Castles in the Cloud: AWS Security and Self-Assessment

As comfort and familiarity with cloud computing is now more mainstream, companies are leaning more and more on cloud resources to host and run even their most-sensitive technical assets. With these new technologies/innovations come new (and old!) security concerns. As a consultant, I’ve had experience breaking into a AWS environments with varying sophistication of security posture, and then helping those clients patch holes and harden their environments. This talk with lean on those experiences to provide you with a guide on securing your AWS environment, and then validating that security.

We’ll start by walking through AWS’s Shared Responsibility Model. Then we’ll identify the features of AWS that are most important for security, and give tips on best practices and easy wins. After establishing these security standards, we’ll take a quick look at a few (free) tools for auditing AWS configurations, including NCC Group’s own open-source ScoutSuite. You’ll leave this talk with concrete next steps for improving your own cloud security posture.

Rami McCarthy

November 09, 2019
Tweet

More Decks by Rami McCarthy

Other Decks in Technology

Transcript

  1. Agenda 1. Background 2. AWS Security Best Practices a. Public

    Access/External Exposure b. Access Management c. Monitoring d. Amazon Security Services e. Next Steps 3. (Free) Open Source AWS audit tools
  2. "… while the Capital One attack happened due to the

    application misconfiguration mentioned above, there are several actions AWS will take to better help our customers ensure their own security. First, we will proactively scan the public IP space for our customers' firewall resources to try and assess whether they may have misconfigurations. ..." - Amazon Letter to Sen Wyden RE Consumer Data
  3. Secure Access Management Access Management for Users MITRE ATT&CK: T1078

    • Root account • User ↔ IAM Account • Groups • STS as arbitration • Least Privilege
  4. Secure Access Management Access Management for Users MITRE ATT&CK: T1078

    • Multi-factor Authentication • Security Tokens • Policy Conditions
  5. • Don’t bake-in credentials • AWS SDK→IAM Role • SSRF

    Secure Access Management Access Management for EC2 MITRE ATT&CK: T1078
  6. Secure Monitoring CloudTrail - Detective • Create a trail •

    All AWS Regions • Log file integrity • CloudWatch
  7. Secure Monitoring CloudTrail - Preventative • Unlinked Account • Least

    Privilege • MFA Delete • AWSCloudTrailFullAccess
  8. • Major Pitfalls to Avoid in Performing Digital Forensics and

    Incident Response in AWS - Jonathon Poling • AWS Security Incident Response Guide Prepare for DFIR
  9. AWS Resources for Secure Architecture Well-Architected Framework: Security Pillar AWS

    Cloud Adoption Framework Aligning to NIST Security Documentation by Category
  10. Credit to prior art; check these people out to learn

    more! Corey Quinn - https://www.lastweekinaws.com - @QuinnyPig Teri Radichel - https://2ndsightlab.com/ - @TeriRadichel Scott Piper – https://summitroute.com/ - @0xdabbad00 Andres Riancho - https://andresriancho.com/ Toni de la Fuente - https://github.com/toniblyx/my-arsenal-of-aws-security-tools - @ToniBlyx Rhino Security - https://rhinosecuritylabs.com/blog/?category=aws Cloudonaut - https://cloudonaut.io/aws-security-primer/