DVC304: Compliance and Top Security Threats in the Cloud—Are You Protected?
© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Teri Radichel | @teriradichel
Boyan Dimitrov | @nathariel
November 27, 2017
RISK-BASED ASSESSMENT
Start by addressing the risk that is most likely to occur and could cause the most damage to your business.
[Figure: risk matrix. X axis: Severity of consequence (Low, Medium, High). Y axis: Probability / likelihood (Low, Medium, High).]
LEAKY AMAZON S3 BUCKETS
UNPROTECTED KEYS AND CREDENTIALS
BROAD PERMISSION FOR ENGINEERS
UNPATCHED SOFTWARE
MALICIOUS SOFTWARE UPDATES
OPEN NETWORK PORTS
FLAT NETWORK
BROAD PERMISSION FOR APPLICATION
UNAUTHORIZED RESOURCES
DELETED ASSETS
DATA EXFILTRATION
THE BLACK SWAN
CONFIGURATION MANAGEMENT
WHAT IS PCI-DSS COMPLIANCE?
• A standard for cardholder data environments, composed of security best practices and controls
• It’s all about maintaining a secure environment
• If you are handling credit card data, this applies to you, too
PEOPLE SAY “COMPLIANCE != SECURITY”
• Compliance is verified by an assessment done at a point in time
• Compliance gives you awareness of the threat levels and security exploits you need to mitigate, and it sets you on a path for how to get there
• Staying secure requires persistence and continuous effort
SECURITY RESPONSIBILITY IN THE CLOUD
https://aws.amazon.com/compliance/shared-responsibility-model/
A LOT OF BUILDING BLOCKS TO GET YOU STARTED
API Gateway, RDS, CloudFront, Route 53, CloudWatch Logs, Cognito, EMR, DynamoDB, ECS, EC2 Auto Scaling, Connect, EBS, Glacier, Kinesis Streams, Redshift, SQS, S3, SWF, VPC, WorkDocs, CloudFormation, CloudHSM, CloudTrail, DMS, Direct Connect, Directory Service, Elastic Beanstalk, KMS, ELB, Lambda, Managed Services, OpsWorks, WAF, WorkSpaces, Config
OUR STRATEGY FOR SECURITY (AND COMPLIANCE)
Embed security in the foundation of our environment
Measure and monitor everything
Automate the whole stack
LEARNING FROM THE PAST
Boyd's OODA loop (Observe, Orient, Decide, Act): https://en.wikipedia.org/wiki/OODA_loop#/media/File:OODA.Boyd.svg (diagram by Patrick Edwin Moran)
OODA IN AN AWS SECURITY CONTEXT
Observe: VPC flow logs, Inspector agent, CloudWatch insights, CloudTrail, Config, more
Orient: CloudWatch, Inspector, Lambda, Shield, WAF, Machine Learning, Config policies, more
Decide: Config policies, CloudWatch, WAF, SNS, Lambda, Shield, more
Act: Shield, WAF, Lambda, more
OBSERVE: COLLECT ALL TRAILS
Protected accounts (sources): VPC flow logs, CloudWatch insights, CloudTrail, Config, CloudWatch, Config policies
Security account (destination): the trails and logs from every protected account
ORIENT, DECIDE, ACT!
Protected accounts: trails and logs, Config policies, active scans
Security account: CloudWatch logs/events and S3 feed Lambda and SNS; results go to the SIEM, OPS and the security team, and corrective actions flow back to the protected accounts
THE CONTROLLING CORE
(Same diagram as the previous slide, with the Security account highlighted as the controlling core.)
EXAMPLE: PROTECTING AGAINST LEAKY BUCKETS
Two detection paths, both ending in Correct_ACL_Function, which applies the corrective actions:
• Config policies [s3-bucket-public-write-prohibited] and [s3-bucket-public-read-prohibited]: scan all account buckets, then apply corrective actions
• CloudTrail [PutObjectAcl] delivered through CloudWatch Events: collect ACL change API calls, then apply corrective actions
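The second path above, worked through as an added example. This is not the deck's Correct_ACL_Function and not AWS code: it is a Lambda-style handler that takes a CloudTrail PutObjectAcl or PutBucketAcl record as CloudWatch Events delivers it (detail.eventName, detail.requestParameters.bucketName and .key), reads the live ACL, removes every grant to the AllUsers or AuthenticatedUsers groups and writes the ACL back. FakeS3, SAMPLE_ACL and SAMPLE_EVENT are constructed stand-ins so it runs offline; in Lambda the handler falls back to a real boto3 client.

```python
"""Added example: remediate public S3 ACLs from CloudTrail ACL-change events.
Not the deck's Correct_ACL_Function. Event shape follows the CloudTrail record
wrapped by CloudWatch Events; FakeS3 and the sample data are constructed."""
import copy

# Grantee URIs that make an S3 bucket or object readable/writable by the world.
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
ACL_EVENTS = {"PutBucketAcl", "PutObjectAcl"}


def public_grants(acl):
    """Grants in a boto3-style ACL dict that go to AllUsers or AuthenticatedUsers."""
    return [g for g in acl.get("Grants", [])
            if g.get("Grantee", {}).get("Type") == "Group"
            and g["Grantee"].get("URI") in PUBLIC_GRANTEE_URIS]


def sanitize_acl(acl):
    """Return (AccessControlPolicy without public grants, the grants removed).
    Only Owner and Grants are copied, which is exactly what put_*_acl accepts."""
    removed = public_grants(acl)
    kept = [g for g in acl.get("Grants", []) if g not in removed]
    return {"Owner": acl["Owner"], "Grants": kept}, removed


def parse_acl_event(event):
    """(eventName, bucket, key) from a CloudWatch Events wrapper around a CloudTrail
    record, or None when the call is not one we remediate. key is None for buckets."""
    detail = event.get("detail") or {}
    name = detail.get("eventName")
    params = detail.get("requestParameters") or {}
    bucket = params.get("bucketName")
    if name not in ACL_EVENTS or not bucket:
        return None
    key = params.get("key") if name == "PutObjectAcl" else None
    return name, bucket, key


def remediate(s3, bucket, key=None):
    """Read the live ACL, drop public grants, write back only if something changed."""
    if key is None:
        clean, removed = sanitize_acl(s3.get_bucket_acl(Bucket=bucket))
        if removed:
            s3.put_bucket_acl(Bucket=bucket, AccessControlPolicy=clean)
    else:
        clean, removed = sanitize_acl(s3.get_object_acl(Bucket=bucket, Key=key))
        if removed:
            s3.put_object_acl(Bucket=bucket, Key=key, AccessControlPolicy=clean)
    return removed


def lambda_handler(event, context=None, s3=None):
    """Lambda entry point. `s3` is injectable for tests; in Lambda it defaults to boto3."""
    parsed = parse_acl_event(event)
    if parsed is None:
        return {"action": "ignored"}
    name, bucket, key = parsed
    if s3 is None:
        import boto3  # imported lazily so the module also runs where boto3 is absent
        s3 = boto3.client("s3")
    removed = remediate(s3, bucket, key)
    return {"action": "remediated" if removed else "clean", "event": name,
            "bucket": bucket, "key": key, "removed": len(removed)}


class FakeS3:
    """Constructed stand-in for the four boto3 S3 ACL calls, keyed by (bucket, key)."""
    def __init__(self, acls):
        self.acls, self.writes = acls, []
    def get_bucket_acl(self, Bucket):
        return copy.deepcopy(self.acls[(Bucket, None)])
    def get_object_acl(self, Bucket, Key):
        return copy.deepcopy(self.acls[(Bucket, Key)])
    def put_bucket_acl(self, Bucket, AccessControlPolicy):
        self.acls[(Bucket, None)] = AccessControlPolicy
        self.writes.append((Bucket, None))
    def put_object_acl(self, Bucket, Key, AccessControlPolicy):
        self.acls[(Bucket, Key)] = AccessControlPolicy
        self.writes.append((Bucket, Key))


# Constructed sample: the owner's grant plus a world-READ grant, i.e. a leaky object.
SAMPLE_ACL = {"Owner": {"ID": "owner-canonical-id"}, "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"},
]}
SAMPLE_EVENT = {"detail": {"eventName": "PutObjectAcl", "requestParameters":
                           {"bucketName": "example-bucket", "key": "report.csv"}}}


def demo():
    """Run the handler against the constructed event; returns (result, fake client)."""
    s3 = FakeS3({("example-bucket", "report.csv"): copy.deepcopy(SAMPLE_ACL)})
    return lambda_handler(SAMPLE_EVENT, s3=s3), s3


if __name__ == "__main__":
    print(demo()[0])
```

Two checks before relying on this path. PutObjectAcl is an S3 data event, so CloudTrail only records it when object-level logging is enabled for the bucket or trail; without that, the CloudWatch Events rule (source aws.s3, detail-type "AWS API Call via CloudTrail", eventName PutBucketAcl/PutObjectAcl) never fires, which is why the Config-rule scan path exists alongside it. And an ACL fix does nothing about a bucket policy with a wildcard principal; the s3-bucket-public-read-prohibited rule evaluates the bucket policy as well as the ACL, so keep both paths.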
ORGANIZE YOUR CONTROLS
…
8.1.4 Remove or disable inactive user accounts within 90 days
8.1.6 Limit repeated access attempts by locking out the user
ID after not more than six attempts
8.1.7 Set the lockout duration to a minimum of 30 minutes or
until an administrator enables the user ID
…
https://github.com/awslabs/aws-config-rules
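One of the controls listed above, 8.1.4, expressed as the evaluation logic a custom Config rule would run. This is an added example, not a rule from awslabs/aws-config-rules: it reads an IAM credential report, treats the most recent password or access-key use (or the creation time of a user that has never signed in) as the last activity, and marks any user with a still-active credential idle for more than 90 days NON_COMPLIANT, in the evaluation shape Config expects. REPORT_CSV is constructed with a subset of the real report's columns; the value conventions (true/false, N/A, no_information, not_supported, the <root_account> row) are the real ones.

```python
"""Added example, not from awslabs/aws-config-rules: evaluate PCI DSS 8.1.4
("remove or disable inactive user accounts within 90 days") against an IAM
credential report and emit AWS Config-style evaluations. REPORT_CSV is a
constructed subset of the real report's columns."""
import csv
import io
from datetime import datetime, timedelta, timezone

MAX_INACTIVE_DAYS = 90
ROOT_USER = "<root_account>"
ACTIVITY_COLUMNS = ("password_last_used", "access_key_1_last_used_date",
                    "access_key_2_last_used_date")
CREDENTIAL_FLAGS = ("password_enabled", "access_key_1_active", "access_key_2_active")
NEVER = {"N/A", "no_information", "not_supported", ""}


def parse_ts(value):
    """Report timestamps are ISO 8601 with offset; the sentinel values mean 'never'."""
    return None if value in NEVER else datetime.fromisoformat(value)


def has_active_credentials(row):
    """True if the user can still sign in or call the API with any credential."""
    return any(row.get(flag) == "true" for flag in CREDENTIAL_FLAGS)


def last_activity(row):
    """Most recent use of any credential. A user that has never used anything is
    measured from its creation time, so a dormant account still ages out."""
    stamps = [t for t in (parse_ts(row.get(c, "N/A")) for c in ACTIVITY_COLUMNS) if t]
    return max(stamps) if stamps else parse_ts(row["user_creation_time"])


def evaluate_user(row, now):
    """COMPLIANT / NON_COMPLIANT for one IAM user, or None for the root row, which
    is not an IAM user and is covered by other controls."""
    if row["user"] == ROOT_USER:
        return None
    if not has_active_credentials(row):
        return "COMPLIANT"  # already disabled, nothing left to remove
    idle = now - last_activity(row)
    return "NON_COMPLIANT" if idle > timedelta(days=MAX_INACTIVE_DAYS) else "COMPLIANT"


def evaluate_report(report_csv, now):
    """Turn a credential report into the list of evaluation dicts Config accepts."""
    evaluations = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        compliance = evaluate_user(row, now)
        if compliance is None:
            continue
        idle_days = (now - last_activity(row)).days
        evaluations.append({
            "ComplianceResourceType": "AWS::IAM::User",
            "ComplianceResourceId": row["user"],
            "ComplianceType": compliance,
            "Annotation": f"{idle_days} days since last credential use",
        })
    return evaluations


def noncompliant_users(report_csv, now):
    """Sorted user names violating 8.1.4: the input to a disable/notify step."""
    return sorted(e["ComplianceResourceId"] for e in evaluate_report(report_csv, now)
                  if e["ComplianceType"] == "NON_COMPLIANT")


# Constructed report "as of" 2017-11-27 (the deck's date). A real report comes from
# iam get-credential-report and has more columns; DictReader ignores the extras.
NOW = datetime(2017, 11, 27, tzinfo=timezone.utc)
REPORT_CSV = """\
user,arn,user_creation_time,password_enabled,password_last_used,access_key_1_active,access_key_1_last_used_date,access_key_2_active,access_key_2_last_used_date
<root_account>,arn:aws:iam::123456789012:root,2016-01-01T00:00:00+00:00,not_supported,2017-11-01T08:00:00+00:00,false,N/A,false,N/A
alice,arn:aws:iam::123456789012:user/alice,2016-06-01T00:00:00+00:00,true,2017-11-20T09:00:00+00:00,true,2017-11-25T10:00:00+00:00,false,N/A
bob,arn:aws:iam::123456789012:user/bob,2016-06-01T00:00:00+00:00,false,no_information,true,2017-07-01T00:00:00+00:00,false,N/A
carol,arn:aws:iam::123456789012:user/carol,2017-05-01T00:00:00+00:00,true,N/A,false,N/A,false,N/A
dave,arn:aws:iam::123456789012:user/dave,2016-06-01T00:00:00+00:00,false,2017-01-01T00:00:00+00:00,false,2017-01-01T00:00:00+00:00,false,N/A
"""

if __name__ == "__main__":
    for e in evaluate_report(REPORT_CSV, NOW):
        print(e["ComplianceResourceId"], e["ComplianceType"], e["Annotation"])
```

In a deployed rule the Lambda first calls generate_credential_report (the report is built asynchronously and get_credential_report returns the CSV as bytes), then submits the evaluations with put_evaluations. Note the two neighbouring controls on the slide, 8.1.6 and 8.1.7, have no IAM equivalent: the IAM password policy has no lockout setting, so those controls are evidenced at your identity provider or directory, not with a Config rule over IAM.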
INTRODUCING AWS SIMPLE SECURITY AUTOMATION FRAMEWORK (SSAF)
https://github.com/awslabs/aws-ssaf
Extendable framework for defining security controls and automating their lifecycle
Developed by the AWS Professional Services Security Practice
Uses AWS native services only: CloudWatch, Lambda, Config, CloudFormation templates
Thank you!
Teri Radichel | @teriradichel
Boyan Dimitrov | @nathariel