Gateway to Cloud Security Heaven: Our AWS Expedition

Gateway to Cloud Security Heaven Our AWS Expedition Sena Yakut
Senior Cloud Security Engineer

aws sts get-caller-identity senayakut.com sena_yakutt sena-yakut Lyrebird Studio Sena Yakut
Senior Cloud Security Engineer

Let’s assume… We work as Cloud Security Engineers at Healthcare
Tech. Electronic Health Records (EHR) System: Web application for patient health info Telemedicine Platform: Mobile apps for patients to connect with healthcare providers Remote Patient Monitoring Devices: IoT for wearable tech, collects real-time data

Tech Summary of Our Company 1 AWS Account: Dev and
Prod are managed in different regions Privacy violation Reputation damage Patient Death Blackmailing patients Identity theft

Task 1: AWS Accounts Current Status: Our Goal: - 1
AWS account for all development and production process - All risks are in the same AWS account. - Migration can be hard but it’s a requirement. - Security account is essential. - Management account for billing and AWS Organizations.

Task 2: Identity Access Management Current Status: Our Goal: -
Lots of different IAM users, IAM roles, and policies. - The most challenging topic in the cloud. - IAM users' key management is still an issue. - IAM Access Analyzer for roles, policies: - Unused access - External access - Use short-term credentials if possible. - Use service control policies (SCPs). - At least privilege principle!

Task 2: Identity Access Management Current Status: Our Goal: -
IAM users' key management is still an issue. - Lots of IAM users, complex to manage. - Use AWS Identity Center –> SSO. - Centralized management - Short term creds for CLI - Ease of use Blog: AWS IAM Identity Center Configuration for Your Google Workspace

Task 3: Threats, Threats Everywhere! Current Status: Our Goal: -
There is no solution for threat detection for our AWS accounts. - Amazon GuardDuty - Lambda Protection - S3 Protection - Malware Protection - RDS Protection - Delegated Administrator Account – Our Security Account - Deny Disabling GuardDuty with SCPs Blog: Explore Amazon GuardDuty ECS Runtime Monitoring

Task 4: Who, Where, When? Current Status: Our Goal: -
There is no solution for account auditing for our AWS accounts. - AWS CloudTrail - A digital detective for us - Investigate our activities - Security auditing - Detailed info for all your API calls in our account - Enable log file validation - Enable multi-regional trail

Task 5: What about our vulnerabilities? Current Status: Our Goal:
- There is no solution for resource vulnerabilities for our AWS resources like EC2, Lambda. - VM process is essential. - Amazon Inspector - Automated vulnerability management for our workloads - Center for Internet Security (CIS) Benchmark assessments for our OS Scan Your AWS Lambda Functions with Amazon Inspector

Task 6: What about our endpoints? Current Status: Our Goal:
- There is no solution for protecting our endpoints. - There are lots of endpoints in our environment: - Mobile client endpoints, - Web app endpoints, - IoT endpoints - AWS WAF - Customize rules for your environments - Monitor regularly. You don’t want to block legitimate requests - Analyze regularly - Automate as possible

Task 7: What about our data? Current Status: Our Goal:
- Lots of data, - Personal identifiable information, - IoT user data, - Mobile/Web data - There is no protection/detection of data in our environment. - AWS KMS & CloudHSM - Encrypt everything with our keys or AWS KMS - Use the latest encryption algorithms

Task 8: What about our compliance? Current Status: Our Goal:
- Compliance is a requirement for healthcare tech. - AWS Security Hub & AWS Config - Remediation & Alarms

- Amazon EventBridge - Incident Manager - AWS ChatBot Task
9: What about our alarms? Current Status: Our Goal: - No visibility - Data loss - Data breach - Insider threats - Suspicious activities

Our Heaven

Gateway to Cloud Security Heaven Our AWS Expedition Sena Yakut
Senior Cloud Security Engineer Thanks!

Gateway to Cloud Security Heaven: Our AWS Exped...

Gateway to Cloud Security Heaven: Our AWS Expedition

Sena Yakut

More Decks by Sena Yakut

Featured

Transcript

Gateway to Cloud Security Heaven Our AWS Expedition Sena Yakut

aws sts get-caller-identity senayakut.com sena_yakutt sena-yakut Lyrebird Studio Sena Yakut

Let’s assume… We work as Cloud Security Engineers at Healthcare

Let’s assume… We work as Cloud Security Engineers at Healthcare

Tech Summary of Our Company 1 AWS Account: Dev and

Task 1: AWS Accounts Current Status: Our Goal: - 1

Task 2: Identity Access Management Current Status: Our Goal: -

Task 2: Identity Access Management Current Status: Our Goal: -

Task 3: Threats, Threats Everywhere! Current Status: Our Goal: -

Task 4: Who, Where, When? Current Status: Our Goal: -

Task 5: What about our vulnerabilities? Current Status: Our Goal:

Task 6: What about our endpoints? Current Status: Our Goal:

Task 6: What about our endpoints? Current Status: Our Goal:

Task 7: What about our data? Current Status: Our Goal:

Task 8: What about our compliance? Current Status: Our Goal:

- Amazon EventBridge - Incident Manager - AWS ChatBot Task

Our Heaven

Gateway to Cloud Security Heaven Our AWS Expedition Sena Yakut