Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Hackproof Your Cloud: Responding to 2016 Threats

530 views

Published on

Migrating from the data center to the cloud requires users to rethink much of what they do to secure their applications. CloudCheckr CTO Aaron Newman will highlight effective strategies and tools that AWS users can employ to improve their security posture. The idea of physical security morphs as infrastructure becomes virtualized by AWS APIs. In a new world of ephemeral, auto-scaling infrastructure, users need to adapt their security architecture to face both compliance and security threats. Specific emphasis will be placed upon leveraging native AWS services and the talk will include concrete steps that users can begin employing immediately. Session sponsored by CloudCheckr.

Published in: Technology
  • Be the first to comment

  • Be the first to like this

Hackproof Your Cloud: Responding to 2016 Threats

  1. 1. © 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Aaron Newman, CloudCheckr August 11, 2016 Hackproof Your Cloud: Responding to 2016 Threats
  2. 2. Changing Your Perspective Moving to the Cloud = rethinking your perimeter security How do I secure my business applications on AWS? Rethink how you perform most security tasks: • Network-based IPS/IDS • Network scanning • Penetration tests • Vulnerability assessments Focus on securing cloud workloads • Not on securing the cloud
  3. 3. In the Data Center Setting Up Perimeter Security: • Setting up your infrastructure • Setting up access points to the Internet • Configuring firewall, IDS, IPS, etc., at the access points Auditing Your Perimeter Security: • Gather set of IP address blocks to poke at • Do a port scan (using tools such as Nmap) • Determine which ports are open on the target • Try various exploits on the open ports • Sniff lots of packets • Dig around to make sure there are no back doors into the network • Wireless access points, secondary T1 lines, DSL connections • VPN access from some other network
  4. 4. AWS: What’s Different? The idea of physical security morphs as infrastructure becomes virtualized by AWS APIs. In a new world of ephemeral, auto-scaling infrastructure, you need to adapt your security architecture to meet both compliance and security threats. ~ Physical assets secured at the AWS Availability Zone ~ ~ Must guard the AWS API ~ ~ AWS Identity and Access Management (IAM) access is your new physical security ~
  5. 5. AWS Foundation Services Compute Storage Database Networking AWS Global Infrastructure Regions Availability Zones Edge Locations Network Security Inventory & Config Customer Applications & Content You get to define your controls IN the Cloud AWS takes care of the security OF the Cloud You AWS and You Share Responsibility for Security Data Security Access Control AWS
  6. 6. Minimizing Attack Vectors Principles don’t change • Reduce your surface area! • Defense-in-depth Some attack vectors don’t change • Application level • User-privilege escalation, web app vulns, XSS • Operating system vulnerabilities • Database vulnerabilities Some attack vectors change • Homogeneous environment • Polymorphic targets/mapping • Reduced network sniffing Security Hardening Configure and manage user privileges Remove unused user accounts Close unused open network ports Enforce password complexity & policies Remove unwanted services Patch all known vulnerabilities
  7. 7. Give me your network block • Nmap • Port scans • Ping sweeps • Etc. Perimeter Assessments in the Cloud How do I assess the perimeter of my cloud? Let me see your configuration • List of publicly accessible resources • Security groups (EC2-Classic, EC2-VPC, Amazon Redshift, Amazon RDS, etc.) • Routing tables, network ACL • VPC, subnets • Amazon S3 buckets and permissions • IAM policies OLD WORLD NEW WORLD
  8. 8. Virtual Private Clouds (VPCs) Default VPC is created in every region • VPCs are wide open by default VPC is composed of: • Internet and VPN gateways – connect to the rest of the world • 1+ subnet(s) • Routing table – how to move traffic around the VPC • Network ACLs – a firewall, but stateless • Security groups – host-based firewall, stateful • Resources – Amazon EC2, RDS, Amazon Redshift, Amazon ElastiCache
  9. 9. Network Security in a VPC Network ACLs • Virtual firewalls assigned to VPC/subnets • Network ACLs are stateless; responses to allowed inbound traffic are subject to the rules for outbound traffic (and vice versa) • Rules evaluated numerical ascending – DENY can be overridden by ALLOW • Watch for INEFFECTIVE rules Security Groups • Host-based firewalls assigned to instances • Stateful – responses to allowed inbound traffic are not subjected to the rules for outbound traffic • Rules are cumulative – DENY always overrides ALLOW • Assigning wrong security group to an instance exposes the entire VPC http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_ACLs.html http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-network-security.html
  10. 10. Complex Connections to EC2 EC2 instance can be run inside VPCs •Legacy capability to run outside VPCs •Instance ID: i-001bac39 •Friendly name (implemented as a tag): ISS-V2-API1 EC2 instance can be given one or more private IP addresses •For example: 172.12.6.186 •This generates a DNS name ip-172-12-6-186.us-west- 2.compute.internal EC2 instance can be given one or more public IP addresses •For example: 52.24.201.167 •This generates a DNS name ec2-52-24-201-167.us-west- 2.compute.amazonaws.com EC2 instance can be attached to an Elastic IP address (EIP) •For example: 107.20.135.132
  11. 11. Running VA in Cloud Environments How do I run vulnerability assessments? Gather the list of public IPs and EIPs of all resources Do I need to scan the private IP addresses and instances? Scanning an AMI Spin up a new instance, run a scan on the new instance Mark everything based on this AMI as “scanned” What about when an instance “drifts” from the original AMI? Someone can reconfigure settings, install new software In an elastic, ephemeral, auto-scaling environment, clouds can have tens of thousands of instances
  12. 12. Patching Strategies for AWS “No Patch” Strategy • Stay away from patching live systems • Focus on patching templates/AMIs • Deliver patches by redeploying workloads • Dependent on adopting pure cloud architectures Look at AWS OS Templates • Patched by Amazon Systematic Workload Reprovisioning • Based on high-assurance repositories • Effective battling advanced persistent threats (APTs)
  13. 13. What Are We Missing? Don’t assume attacks only happen against EC2 AWS has many moving parts and dimensions Over 50 different AWS services • Many have unique access control systems You will have 100s of AWS accounts We need a complete inventory • All publicly accessible endpoints and resources Security breaches can happen with a single weak link
  14. 14. Amazon RDS Location • Within a VPC or not, multi-AZ or not Security options: • DB security groups (if not in a VPC) or EC2-VPC security groups • Select a non-default database port Only port RDS listens on is the database port • Shut down on all other ports (publicly, I’m sure AWS team can access the OS) Publicly accessible option • Not a good idea, but if you do this: • Make sure you use security groups to restrict source IP address • Make sure you have latest patches applied Secure your database snapshots • Keys to the kingdom if someone can get a copy • Brute-force passwords, restore to their own account
  15. 15. Amazon S3 Up to 1,000 buckets in an account • Unlimited number of objects (billions is not uncommon) Location • Within a region, across multi-AZs, not housed in a VPC • Can’t sit between client and storage Security • Access control through IAM policies, bucket policies, ACLs, and query string authentication • Server-side Encryption, HTTPS support • Server-access logs (does not integrate with CloudTrail) Don’t grant FULL_CONTROL, WRITE_ACP, WRITE bucket permissions to Everyone EVER!!! Create an inventory of your sensitive data
  16. 16. Amazon SQS Where does SQS live? • Within a region, not within a VPC • Uses a URL such as: https://sqs.us-east-1.amazonaws.com/123456789012/MySQS Security based on policy documents: { "Version": "2008-10-17", "Id": "arn:aws:sqs:us-east-1:123456789012:MySQS/SQSDefaultPolicy", "Statement": [ { "Sid": "Sid1415217272568", "Effect": "Allow", "Principal": { "AWS": "*" }, "Action": [ "SQS:ReceiveMessage", "SQS:SendMessage" ], "Resource": "arn:aws:sqs:us-east-1:123456789012:MySQS" },
  17. 17. Amazon SNS SNS does not live inside your VPC Permissions based on topic policies:
  18. 18. Using AWS CloudTrail An AWS service that records each time the AWS API is called • Currently supports most AWS services • http://docs.aws.amazon.com/awscloudtrail/latest/userguide/dochistory.html Conveniently, everything in AWS goes through the API • Even actions in the AWS Management Console go through the API CloudTrail writes files into an S3 bucket • Near real time (every five minutes) • Files are in JSON format Get started at http://aws.amazon.com/cloudtrail/
  19. 19. Using Amazon CloudWatch Logs Simple method of monitoring operating system logs • Ship Windows event logs and syslogs to CloudWatch Types of use cases: • Account Login Failure, Account Login Success, New local account creation, Excessive Login Failure (Configurable) • Unauthorized Windows Admin Logon, Windows Account Lockout Attempt, Windows Computer Account Changes • Windows Audit Policy Changes, Windows Event Log Cleared • Non-Windows - Account Locked Out, Non-Windows - Account Unlocked, Changes to System or Audit log Get started at: http://docs.aws.amazon.com/AmazonCloudWatch/latest/DeveloperGuide/WhatIsCloudW atchLogs.html
  20. 20. Using Amazon VPC Flow Logs An AWS service that records each time packets enter or leave a VPC • http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/flow-logs.html Security team comes to you and says: • We need logs going to instance 1-0123456 from IP address ranges 52.205.16.0 - 52.205.31.255 Monitor for DENY connections • Gives you both security group and network ACL denies Announcement: https://aws.amazon.com/about-aws/whats-new/2015/06/aws-launches-amazon- vpc-flow-logs/
  21. 21. Tools for Configuring AWS Securely & Cost Effectively Generic tools fall short Purpose-built, not cloud-washed • Make sure tools don’t fall over in the cloud • Tools have to understand dynamic, ephemeral IPs Need a deep understanding of AWS • What does this mean? • Context is important • Actionable intelligence
  22. 22. Leveraging AWS data – CloudTrail, AWS Config, Amazon VPC Flow Logs, CloudWatch logs, DBR, and more metrics Providing complete transparency – into 1 or across 1,000s of AWS accounts Automating security, configuration, and activity monitoring and alerting Continuous monitoring of configurations, resources, and permissions Active optimization, sophisticated allocation, and simplified invoicing for enterprise cloud cost management Monitoring, Reporting & Optimization Enterprise Security & Cost Management from CloudCheckr
  23. 23. Questions?
  24. 24. Remember to complete your evaluations!
  25. 25. © 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Aaron Newman, Founder of CloudCheckr aaron.newman@cloudcheckr.com www.cloudcheckr.com Thank you!

×