
(SEC309) Amazon VPC Configuration: When Least Privilege Meets the Penetration Tester | AWS re:Invent 2014

Enterprises deploying infrastructure to the cloud and independent software companies delivering a service have similar problems to solve. They need to know how to create an environment in AWS that enforces least-privilege access between components while still allowing administration and change management. Amazon Elastic Compute Cloud (Amazon EC2) and AWS Identity and Access Management (IAM), coupled with services like AWS Security Token Service (STS), offer the necessary building blocks. In this session, we walk through some of the mechanisms available to control access in an Amazon Virtual Private Cloud (VPC). Next, we focus on using IAM and STS to create a least-privilege access model. Finally, we cover auditing strategies that catch common mistakes and techniques for auditing and maintaining your infrastructure.



  1. November 13, 2014 | Las Vegas, NV. Jason Bubolz, iSEC Partners
  2. Security groups, before and after:
     Default (inbound): 22/TCP from 0.0.0.0/0; 80/TCP from 0.0.0.0/0; 443/TCP from 0.0.0.0/0
     WebServers-SG (inbound): 22/TCP from JumpHosts-SG; 80/TCP from 0.0.0.0/0; 443/TCP from 0.0.0.0/0
     JumpHosts-SG (inbound): 22/TCP from 192.168.10.0/24
  3. (diagram) Amazon S3; Administrators
  4. (architecture diagram) Tiers: Web Front End, Application Layer, Data Layer, ETL Host, Data Warehouse, Admin Jump Host. Services: Amazon S3 (storage & configuration), Amazon SNS (mobile push), Amazon DynamoDB (session management)
  5. (the same architecture, redrawn) Amazon S3: storage & configuration; Amazon DynamoDB: session management; Amazon SNS: mobile push; Web Front End, Application Layer, Data Layer, ETL Host, Data Warehouse, Admin Jump Host
  6. (VPC layout diagram, Monkeybuffer.org VPC) Components: NAT, Admin Host, Front End ELB, ETL Host, Data Layer, Web Front End, App Layer, Data Warehouse. Subnets: public subnet "Internet Access Layer" (behind the Internet Gateway); private subnets "Application Servers", "Data Storage" and "Analytics"; VPN connection to Corpnet
  7. A single "default" security group applied to the Web Front End, Application Layer, Data Warehouse and Admin Jump Host alike:
     In  22/TCP   from 192.168.10.0/24
     In  80/TCP   from 0.0.0.0/0
     In  443/TCP  from 0.0.0.0/0
     In  3306/TCP from 192.168.10.0/24
     Out ALL/TCP  to 0.0.0.0/0
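The two security-group anti-patterns on slides 2 and 7 (SSH, or anything beyond 80/443, open to 0.0.0.0/0, and one "default" group attached to every tier so the data warehouse inherits the web tier's rules) can be checked mechanically. The following is an added example, not code from the talk or from iSEC Partners; the group data is constructed by hand in the shape of `aws ec2 describe-security-groups` output, and the names, group ids, CIDRs and the tier inventory are illustrative assumptions.

```python
"""Added example: audit security groups for world-open ports and for groups
shared across tiers. Sample data is constructed, not taken from a real account."""
import ipaddress


def _tcp(port, cidr=None, source_group=None):
    """Build one ingress permission in describe-security-groups shape."""
    return {"IpProtocol": "tcp", "FromPort": port, "ToPort": port,
            "IpRanges": [{"CidrIp": cidr}] if cidr else [],
            "UserIdGroupPairs": [{"GroupId": source_group}] if source_group else []}


# Slide 2's "Default" column (22/80/443 from anywhere) plus slide 7's shared
# MySQL rule, next to the layered WebServers-SG / JumpHosts-SG pair.
# Group ids are placeholders.
SECURITY_GROUPS = [
    {"GroupId": "sg-default", "GroupName": "default", "IpPermissions": [
        _tcp(22, cidr="0.0.0.0/0"), _tcp(80, cidr="0.0.0.0/0"),
        _tcp(443, cidr="0.0.0.0/0"), _tcp(3306, cidr="192.168.10.0/24")]},
    {"GroupId": "sg-web", "GroupName": "WebServers-SG", "IpPermissions": [
        _tcp(22, source_group="sg-jump"), _tcp(80, cidr="0.0.0.0/0"),
        _tcp(443, cidr="0.0.0.0/0")]},
    {"GroupId": "sg-jump", "GroupName": "JumpHosts-SG", "IpPermissions": [
        _tcp(22, cidr="192.168.10.0/24")]},
]

# Constructed inventory: which groups each tier's instances carry. In a real
# audit the tier would come from a Name tag in describe-instances output.
INSTANCES = [
    {"Tier": "WebFrontEnd", "SecurityGroups": ["sg-default"]},
    {"Tier": "AppLayer", "SecurityGroups": ["sg-default"]},
    {"Tier": "DataWarehouse", "SecurityGroups": ["sg-default"]},
    {"Tier": "AdminJumpHost", "SecurityGroups": ["sg-default"]},
    {"Tier": "WebFrontEnd", "SecurityGroups": ["sg-web"]},
]

PUBLIC_OK_PORTS = {80, 443}  # the only ports an internet-facing tier should expose


def _ports(perm):
    """Ports a permission covers; None means every port (protocol -1)."""
    if perm["IpProtocol"] == "-1" or perm.get("FromPort") is None:
        return None
    return set(range(perm["FromPort"], perm["ToPort"] + 1))


def audit_world_open(groups):
    """(group name, finding) for every rule exposing non-web ports to everyone."""
    findings = []
    for g in groups:
        for perm in g["IpPermissions"]:
            ports = _ports(perm)
            for rng in perm["IpRanges"]:
                if ipaddress.ip_network(rng["CidrIp"]).prefixlen != 0:
                    continue  # only 0.0.0.0/0 and ::/0 have prefix length 0
                if ports is None:
                    findings.append((g["GroupName"], "all ports open to the world"))
                elif not ports <= PUBLIC_OK_PORTS:
                    bad = sorted(ports - PUBLIC_OK_PORTS)
                    findings.append((g["GroupName"], f"ports {bad} open to the world"))
    return findings


def audit_shared_groups(groups, instances):
    """(group name, sorted tiers) for every group attached to more than one tier."""
    names = {g["GroupId"]: g["GroupName"] for g in groups}
    tiers_by_group = {}
    for inst in instances:
        for sg in inst["SecurityGroups"]:
            tiers_by_group.setdefault(sg, set()).add(inst["Tier"])
    return [(names[sg], sorted(t)) for sg, t in tiers_by_group.items() if len(t) > 1]


if __name__ == "__main__":
    for finding in audit_world_open(SECURITY_GROUPS) + audit_shared_groups(SECURITY_GROUPS, INSTANCES):
        print(*finding)
```

Run against the constructed data, the first check reports only the "default" group (port 22 to the world), and the second reports that the same group is attached to four different tiers, which is exactly the situation slide 7 draws and slides 2 and 8 fix by giving each tier its own group.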
  8. (diagram, before and after) The six tiers redrawn with one security group per tier: Web Front End, Application Layer, Data Layer, Data Warehouse, ETL Host, Admin Jump Host
  9. (diagram) The Web Front End's listeners and clients: HTTP Listener, Admin Listener; WS Client, AWS Client, Admin Client
  10. (diagram) Listeners and clients for every tier (Web Front End, Application Layer, Data Layer, ETL Host, Data Warehouse, Admin Jump Host): listeners HTTP, WS, Data, EDW and Admin; clients WS, Data, EDW, AWS and Admin
  11. (diagram) Web Front End, Application Layer, Data Layer, ETL Host, Data Warehouse, Admin Jump Host
  12. Useful IAM condition keys:
      • aws:SecureTransport: enforce HTTPS use for API access
      • aws:MultiFactorAuthAge: using a Null check comparison, force MFA authentication for sensitive operations (works with AssumeRole workflows)
      • aws:CurrentTime: using a DateLessThan comparison, limit the lifetime of temporary privilege escalations
      • aws:SourceIp: restrict deployment-altering actions to requests originating from the corporate network
  13. Groups: Operations, Engineering, Business Intelligence, Support. Initial Engineering policy document (every statement is a whole-service wildcard on "*"):
     {
       "Version": "2012-10-17",
       "Statement": [
         { "Action": "ec2:*", "Effect": "Allow", "Resource": "*" },
         { "Action": "s3:*", "Effect": "Allow", "Resource": "*" },
         { "Action": "dynamodb:*", "Effect": "Allow", "Resource": "*" },
         { "Action": "sns:*", "Effect": "Allow", "Resource": "*" }
       ]
     }
  14. (diagram) IAM groups shown alongside the Engineering User: EC2 Instance Mgmt, EC2 Configuration Readers, EC2 Admin, S3 Configuration Bucket Readers, S3 Writers, IAM Readers
  15. (diagram) Web Front End, Application Layer
  16. WebFrontEndInstanceRole policy document:
     {
       "Version": "2012-10-17",
       "Statement": [
         { "Effect": "Allow", "Action": ["s3:ListBucket"], "Resource": ["arn:aws:s3:::monkeybufferfiles"] },
         { "Effect": "Allow", "Action": ["s3:GetObject"], "Resource": ["arn:aws:s3:::monkeybufferfiles/configuration"] }
       ]
     }
  17. MonkeyBufferFiles S3 bucket policy document. Corrected from the slide: s3:ListBucket is a bucket-level action and must be granted on the bucket ARN (here limited to the configuration prefix with an s3:prefix condition); only s3:GetObject belongs on the object ARN. If "configuration" is a key prefix rather than a single object, the GetObject resource needs a trailing "/*".
     {
       "Version": "2012-10-17",
       "Id": "Policy1412633321994",
       "Statement": [
         {
           "Sid": "Stmt1412633314407",
           "Effect": "Allow",
           "Principal": {
             "AWS": [
               "arn:aws:iam::accountid:role/WebFrontEndInstance",
               "arn:aws:iam::accountid:role/AppLayerInstance"
             ]
           },
           "Action": "s3:ListBucket",
           "Resource": "arn:aws:s3:::monkeybufferfiles",
           "Condition": { "StringLike": { "s3:prefix": "configuration*" } }
         },
         {
           "Effect": "Allow",
           "Principal": {
             "AWS": [
               "arn:aws:iam::accountid:role/WebFrontEndInstance",
               "arn:aws:iam::accountid:role/AppLayerInstance"
             ]
           },
           "Action": "s3:GetObject",
           "Resource": "arn:aws:s3:::monkeybufferfiles/configuration"
         }
       ]
     }
  18. PassRoleUser policy document (iam:PassRole is scoped to the one role this user may attach to a new instance; with Resource "*" the user could launch an instance carrying any role in the account):
     {
       "Version": "2012-10-17",
       "Statement": [
         { "Effect": "Allow", "Action": "ec2:RunInstances", "Resource": "*" },
         { "Effect": "Allow", "Action": "iam:PassRole", "Resource": "arn:aws:iam::accountid:role/WebFrontEndInstance" }
       ]
     }
  19. Audit checklist:
      • Does the account follow IAM best practices?
      • Is CloudTrail logging enabled?
      • Do IAM and resource access policies match requirements, and are they minimal?
      • Are AWS access keys, cryptographic keys, or other passwords exposed in source or configuration?
      • Does the account follow proper security design for all additional AWS services?
  20. Audit tooling: Security Monkey (Netflix), https://github.com/Netflix/security_monkey; Scout2 (iSEC Partners), https://github.com/iSECPartners/Scout2
  21. To begin:
      • Ensure consistency across regions
      • Enable CloudTrail logging
      • Enforce IAM best practices: manage user accounts like you would manage your own infrastructure
      • Limit access to "* on *" policies
      Next steps:
      • Match access to roles and requirements
      • Employ IAM roles and Amazon EC2 instance credentials
      • Strictly limit policies assigned to static service credentials
      • Eliminate access to unused AWS services
      • Lock down storage services to mitigate information leaks
      Finally:
      • Establish regular reviews
      • Investigate changes and challenge expansive privileges
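The policy-level findings the deck asks you to hunt for (slide 13's service-wide wildcards, slide 18's scoping of iam:PassRole, slide 12's MFA condition on sensitive operations, and slide 21's "* on *" grants) can be expressed as a small linter over policy documents. This is an added example, not code from the talk or from the Scout2 or Security Monkey projects. The sample policies are constructed inline: the first mirrors slide 13's initial engineering policy, the PassRole pair mirrors slide 18 and an unscoped variant of it, and the admin policy uses slide 12's condition keys. Which actions count as "sensitive enough to require MFA", the placeholder account id, and the role name are assumptions.

```python
"""Added example: lint IAM policy documents for wildcard grants, unscoped
iam:PassRole and privilege-altering actions lacking an MFA condition."""
import copy

# Which actions should demand MFA is a judgement call; this prefix list is an
# assumption for the example, not something the talk specifies.
SENSITIVE_PREFIXES = ("iam:create", "iam:put", "iam:attach", "iam:delete",
                      "iam:update", "sts:assumerole")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _is_sensitive(action):
    a = action.lower()
    return a == "iam:*" or a.startswith(SENSITIVE_PREFIXES)


def _has_mfa_condition(stmt):
    """Accept either MFA form from the IAM docs: Bool aws:MultiFactorAuthPresent,
    or a Null check on aws:MultiFactorAuthAge (slide 12's AssumeRole-friendly form)."""
    cond = stmt.get("Condition", {})
    present = str(cond.get("Bool", {}).get("aws:MultiFactorAuthPresent", "")).lower()
    age_null = str(cond.get("Null", {}).get("aws:MultiFactorAuthAge", "")).lower()
    return present == "true" or age_null == "false"


def lint_policy(doc):
    """Return (statement id, finding) pairs for every Allow statement in doc."""
    findings = []
    for i, stmt in enumerate(_as_list(doc.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", f"#{i}")
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append((sid, "grant defined by exclusion (NotAction/NotResource)"))
        star_resource = "*" in _as_list(stmt.get("Resource", []))
        for action in _as_list(stmt.get("Action", [])):
            if star_resource and action == "*":
                findings.append((sid, "'*' on '*': full account access"))
            elif star_resource and action.endswith(":*"):
                findings.append((sid, f"{action} on '*': whole service, every resource"))
            if star_resource and action.lower() == "iam:passrole":
                findings.append((sid, "iam:PassRole on '*': any role can be handed to a new instance"))
            if _is_sensitive(action) and not _has_mfa_condition(stmt):
                findings.append((sid, f"{action} without an MFA condition"))
    return findings


# Slide 13: the initial engineering policy, four service-wide wildcards on '*'.
INITIAL_ENGINEERING = {"Version": "2012-10-17", "Statement": [
    {"Action": "ec2:*", "Effect": "Allow", "Resource": "*"},
    {"Action": "s3:*", "Effect": "Allow", "Resource": "*"},
    {"Action": "dynamodb:*", "Effect": "Allow", "Resource": "*"},
    {"Action": "sns:*", "Effect": "Allow", "Resource": "*"}]}

# Slide 18's PassRole policy (scoped) and a constructed unscoped variant.
# The account id is a placeholder.
PASSROLE_SCOPED = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "ec2:RunInstances", "Resource": "*"},
    {"Effect": "Allow", "Action": "iam:PassRole",
     "Resource": "arn:aws:iam::123456789012:role/WebFrontEndInstance"}]}
PASSROLE_UNSCOPED = copy.deepcopy(PASSROLE_SCOPED)
PASSROLE_UNSCOPED["Statement"][1]["Resource"] = "*"

# Constructed admin policy using slide 12's condition keys: MFA via a Null check
# on aws:MultiFactorAuthAge, HTTPS only, and a corporate source range.
IAM_ADMIN_MFA = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AdminOps", "Effect": "Allow",
     "Action": ["iam:CreateUser", "iam:AttachUserPolicy"], "Resource": "*",
     "Condition": {"Null": {"aws:MultiFactorAuthAge": "false"},
                   "Bool": {"aws:SecureTransport": "true"},
                   "IpAddress": {"aws:SourceIp": "192.168.10.0/24"}}}]}
IAM_ADMIN_NO_MFA = copy.deepcopy(IAM_ADMIN_MFA)
del IAM_ADMIN_NO_MFA["Statement"][0]["Condition"]


if __name__ == "__main__":
    for name, doc in [("initial-engineering", INITIAL_ENGINEERING),
                      ("passrole-unscoped", PASSROLE_UNSCOPED),
                      ("passrole-scoped", PASSROLE_SCOPED),
                      ("iam-admin-mfa", IAM_ADMIN_MFA),
                      ("iam-admin-no-mfa", IAM_ADMIN_NO_MFA)]:
        print(name, lint_policy(doc) or "clean")
```

The slide 13 policy yields one finding per statement, the unscoped PassRole variant is flagged while slide 18's scoped version is clean, and removing the MFA condition from the admin policy produces a finding for each privilege-altering action. Feeding the output of `aws iam get-policy-version` or `get-user-policy` into `lint_policy` is the obvious next step; the linter deliberately ignores Deny statements, since they narrow rather than widen access.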
  22. http://bit.ly/awsevals
