Securing Your AWS Cloud Infrastructure v2

© 2019, Amazon Web Services, Inc. or its affiliates. All
rights reserved. DEV DAY Securing Your AWS Cloud Infrastructure Steve Teo Director of Cloud Security Engineering Horangi Cyber Security www.linkedin.com/in/steveteo B e i j i n g 19.10.19

rights reserved. DEV DAY © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. • Director of Cloud Security Engineering @ Horangi • CloudDevSecOps Fanatic • 4+ years working on AWS • Totally uncertified and proud :P Steve “Potay” Teo

rights reserved. DEV DAY © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. • 2015 – 2016: Migration of 2 AWS Accounts to 40+ AWS Accounts • !! !#!%!"!$ "! !% • 2016 – 2018: Enterprise Architecture for AWS Accounts & VPC • Current: Product Development Lead of AWS-focused Cloud Security Product • Areas of Interests for AWS • # #" "!% " • !! !#!%! !" • "!"! !!" • !! !#!%!!!""!$ "! Background

rights reserved. Let’s Start

rights reserved. DEV DAY © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. • How many of you are already using AWS? • How many of you are • • • • • How many of you think your AWS Accounts are secure? Questions

rights reserved. DEV DAY © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. • Why secure your cloud infrastructure? • How do these cloud security breaches happen? • What can you do to protect your infrastructure? Agenda

rights reserved. WHY SECURE YOUR CLOUD INFRASTRUCTURE?

rights reserved. DEV DAY © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. “The reason why Google and Facebook are the most powerful companies in the world is because last year data surpassed oil in value” - Brittany Kaiser (The Great Hack)

rights reserved. DEV DAY © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. Cloud Security Breaches are a constant reality Accenture accidentally configured four AWS S3 buckets to be accessible to the public Uber’s AWS account was hacked, compromising the personal information of 57 million users worldwide, including 600,000 drivers OCT 2017 NOV 2017 An error in GoDaddy’s S3 bucket configuration has led to the exposure of internal information MAR 2018

rights reserved. DEV DAY © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. Cloud Security Breaches are a constant reality Security researcher Bob Diachenko discovered the Dow Jones Watchlist dataset sitting on a public AWS Elasticsearch cluster FEB 2019 Breach hunters have found two Amazon cloud servers storing over 540 million Facebook-related records APR 2019 An unauthorized user accessed data stored in AWS S3 buckets. Loss of over 100 million credit card applications and 100 thousand social security numbers. July 2019

rights reserved. DEV DAY © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. • Lost of trust • Loss of revenue • Intellectual property theft • Go out of business Negative Business Impact

rights reserved. Why do these Cloud Security Breaches happen?

rights reserved. DEV DAY © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. Failure Points of “Security in the Cloud” VPC AWS Cloud Availability Zone 1 Auto Scaling group Availability Zone 2 Auto Scaling group NAT Gateway NAT Gateway Instance Instance Instance Instance Amazon EC2 Auto Scaling

rights reserved. DEV DAY © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. • 165+ Services over 24 categories • Most of them have a configurable security model, but some are really complex (eg. S3) • Requires combination of • • • • • Huge potential of • • Workload – AWS Services & Resources

rights reserved. DEV DAY © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. Asia faces a critical shortage of security expertise. (ISC)2 research points to a global deficit in cyber security expertise totaling almost 3m roles. Asia Pacific contributes the vast majority of this gap on account of its growing economies and new legislation being enacted in the region. 498k 2.1m 142k 136k Source: (ISC)2 Cybersecurity Workforce Study, 2018 - available at https://www.isc2.org/Research/Workforce-Study

rights reserved. DEV DAY © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. • Lack of mandate, expertise and resources to translate traditional security strategy and policies to those that apply to Public Cloud • Business driven “Shadow IT” Lack of Security Policy Ref: https://accudatasystems.com/why-most-companies-fail-at-cloud-security/ Figure 1: NIST Cybersecurity Framework.

rights reserved. DEV DAY © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. Traditional Data Center Public Cloud Changes in environment are usually slow and controlled by few Changes in Environment occurs continuously by many usually Challenge - Shift in Operating Model

rights reserved. DEV DAY © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. Agility leads to more change events Time Change Events (Application / Infrastructure) Public Cloud Traditional Hosting

rights reserved. DEV DAY © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. Lack of Cloud-Specific Security Tools VPC AWS Cloud Availability Zone 1 Auto Scaling group Availability Zone 2 Auto Scaling group NAT Gateway NAT Gateway Instance Instance Instance Instance Amazon EC2 Auto Scaling Complexity - People - Changes

rights reserved. What can you do to protect your Cloud Infrastructure?

rights reserved. DEV DAY © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. • “Cloud Security Is A Shared Responsibility” • Security Mindset - Security is everyone’s responsibility • Invest in your people - Re-train, upskill, certify • Hire Smart, Hire Right People

rights reserved. DEV DAY © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. • Make sure the mandate to secure the Cloud is established • Align security goals with business goals to then secure expertise, resource, budget • Get the best, forward-looking and collaborative people in your organization to work on this. Setting up strategy and policies is not easy work! • AWS Security Whitepapers • https://d0.awsstatic.com/whitepapers/aws-security-whitepaper.pdf • https://d0.awsstatic.com/whitepapers/compliance/NIST_Cybersecurity_Framework_CSF.pdf • https://aws.amazon.com/security/security-resources/ • Get Help! Process

rights reserved. DEV DAY © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. • Understand Security In and Of the Cloud • “Shift left” • Automate Continuous Scanning and Auditing • Integrates into modern development workflows • Accessible to All What to look for in Cloud Security Tools Figure 1: NIST Cybersecurity Framework.

rights reserved. Getting Your Security Architecture Right

rights reserved.

rights reserved. DEV DAY © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. RELIABILITY PERFORMANCE EFFICIENCY OPERATIONAL EXCELLENCE SECURITY COST OPTIMIZATION The AWS Well-Architected Framework is a framework developed to help AWS cloud architects build secure, high-performing, resilient, and efficient infrastructure. AWS Well-Architected Framework.

rights reserved. DEV DAY © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. INFRASTRUCTURE PROTECTION DATA PROTECTION IDENTITY & ACCESS MANAGEMENT DETECTIVE CONTROLS INCIDENT RESPONSE AWS Security Pillar. The AWS Security pillar is the ability to protect information, systems, and assets while delivering business value through risk assessments and mitigation strategies.

rights reserved. DEV DAY © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. • Key Questions • How do you manage credentials? • How do you control human access? • How do you control programmatic access? • Key AWS Services • AWS Identity and Access Management (IAM) • AWS Security Token Service (STS) Identity & Access Management IDENTITY & ACCESS MANAGEMENT

rights reserved. DEV DAY © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. Principle of Least Privilege. Only give users the minimum amount of privileges necessary to do their job.

rights reserved. DEV DAY © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. Use IAM Groups. IAM groups allow multiple users to share one policy and move users around to other groups as needed.

rights reserved. DEV DAY © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. Leverage on Bastion Account or Single Sign On. AWS Account AWS Account AWS Account Bastion AWS Account

rights reserved. DEV DAY © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. • Key Questions • How do you detect and investigate security events? • How do you defend against emerging security threats? • Key AWS Services • CloudTrail • Config • CloudWatch Alarms Detective Controls DETECTIVE CONTROLS

rights reserved. DEV DAY © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. Adopt CloudTrail Best Practices. • Enable CloudTrail for all regions • Log management events • Record Global Services (eg. IAM)

rights reserved. DEV DAY © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. • Key Questions • How do you protect networks and hosts? • How do you protect services you consume? • Key AWS Services • Virtual Private Cloud (VPC) • Systems Manager • CloudFormation • IAM Infrastructure Protection INFRASTRUCTURE PROTECTION

rights reserved. DEV DAY © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. Secure your S3 Buckets • Block public access where possible • Understand the difference between • S3 ACL • S3 Bucket Policy • IAM Policy for S3 • Block public access

rights reserved. DEV DAY © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. • Key Questions • How do you classify your data? • How do you protect your data at rest? • How do you protect your data in transit? • Key AWS Services • Key Management System (KMS) • Elastic Load Balancer • CloudFront • API Gateway Data Protection DATA PROTECTION

rights reserved. DEV DAY © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. Understand Data at Rest vs. Data In Transit. Data at Rest Data in Transit What it is? Data that persists for any duration Data that gets transmitted from one system to another Where is it stored? Block storage, object storage, databases, archives, and any other storage medium None Why protect it? Reduce the risk of unauthorized access Protect the confidentiality and integrity of the application’s data How to you protect it? Use encryption keys when uploading data Select secure protocols that implement the latest cryptography standards (like TLS)

rights reserved. DEV DAY © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. • Key Questions • How do you respond to an incident? • Do you have enough to respond to an incident? • Key AWS Services • IAM • CloudTrail Incident Response INCIDENT RESPONSE

rights reserved. DEV DAY © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. Security Disaster Plan. The security disaster plan is the process that describes the different steps to take in case an incident happens. • Have a defined incident response policy in place • Use resource tags to limit process • Use the “Clean Room” approach when investigating the root cause • Configure logs to audit as much as possible

rights reserved. DEV DAY © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. • Prescriptive guidance for configuring security options for a subset of Amazon Web Services with an emphasis on foundational, testable, and architecture agnostic settings. • CIS Benchmarks have been the de facto standard for prescriptive, industry-accepted best practices for securely configuring traditional IT components. • Have 49 recommendations that covers the following areas • Identity and Access Management • Logging • Monitoring • Networking Quick Start: CIS–AWS Benchmark Ref: https://d1.awsstatic.com/whitepapers/compliance/AWS_CIS_Foundations_Benchmark.pdf

rights reserved. DEV DAY © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. • To know how to secure AWS, you need to learn AWS • Invest in your people, build a right security mindset culture • Make sure the mandate to secure the Cloud is established • Use security tools and automate where possible to avoid undifferentiated heavy lifting! • Adopt the Security Pillar of the AWS Well Architected Framework Key Takeaways

rights reserved. Thank you! Steve Teo Director of Cloud Security Engineering Horangi Cyber Security www.linkedin.com/in/steveteo

Securing Your AWS Cloud Infrastructure v2

Securing Your AWS Cloud Infrastructure v2

More Decks by Steve Teo

Other Decks in Technology

Featured

Transcript