
Using Access Advisor to Strike the Balance Between Security and Usability - SID316 - re:Invent 2017


AWS provides a killer feature for security operations teams: Access Advisor. In this session, we discuss how Access Advisor shows the services to which an IAM policy grants access and provides a timestamp for the last time that the role authenticated against that service. At Netflix, we use this valuable data to automatically remove permissions that are no longer used. By continually removing excess permissions, we can achieve a balance of empowering developers and maintaining a best-practice, secure environment.


  1. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. AWS re:Invent. Using Access Advisor to Strike the Balance Between Security and Usability. Patrick Kelley + Travis McPeak, Netflix Security. SID316, November 29, 2017
  2. Let me tell you a story about a big bad hacker...
  3. Patrick Kelley: Netflix for five years; Security Monkey; CloudAux; PolicyUniverse; Aardvark; Repokid
  4. Travis McPeak: Netflix for one year; previously IBM, Symantec, HP, Initech, Death Star; Bandit; Aardvark; Repokid; OWASP Bay Area
  5. Least privilege. Too many permissions: developers happy, security unhappy, attackers happy. Too few permissions: developers unhappy, security happy, attackers unhappy. Just Right: ...
  6. Least privilege (continued). Getting permissions just right: developers happy, security happy, attackers... not so much
  7. Assigning the correct permissions is hard: 3,200 unique permissions, 100+ services
  8–9. Problem scope. Other resources: RDS Snapshot, EBS Snapshot, AMI. IAM policies: IAM User Inline Policy, IAM Role Inline Policy, IAM Group Inline Policy, Managed Policy. Other policies: Organization Policies. Networking: Security Groups (Classic + VPC), Network ACLs. Resource policies: S3, SNS, Glacier, Elasticsearch, KMS, Lambda Function, SQS, Role Trust Policy. Transit encryption: SSL/TLS Certificates, ACM Certificates, ELB/ALB Listener Protocols, ELB/ALB Listener Policies
  10. Possible solutions: The way
  11. Service permission lifecycle: Creation, Access Profiling, Accommodate New Features & Permissions, Cleanup
  12. Aardvark: Aardvark is Access Advisor!
  13. Repokid
  14. Repokid: It's been 90 days, you going to use those permissions?
  15–17. Repokid
  18. A role is born
  19. The great balancing act
  20. Role childhood
  21. Policy anatomy:
      { "Version": "2012-10-17", "Statement": { "Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example_bucket" } }
  22–24. Policy anatomy (same policy, resource "arn:aws:s3:::example"):
      { "Version": "2012-10-17", "Statement": { "Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example" } }
  25–28. Repokid and data sources
  29–31. Repokid and data sources; the role's policy statements:
      { "Effect": "Allow", "Action": ["ec2:AttachVolume", "ec2:CreateVolume"], "Resource": "*" },
      { "Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket", "s3:PutObject"], "Resource": "*" },
      { "Effect": "Allow", "Action": ["sqs:ListQueues", "sqs:PurgeQueue", "sqs:SendMessage"], "Resource": "*" }
  32. Repokid and data sources; the S3 statement's "Resource": "*" is narrowed to "arn:aws:s3:::my_bucket_name":
      { "Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket", "s3:PutObject"], "Resource": "arn:aws:s3:::my_bucket_name" }
  33. Young role
  34. Mature role
  35. Retired role
  36. How it all works: Update, Schedule, Repo, Rollback
  37–41. How it all works—update
  42–44. How it all works—schedule
  45–49. How it all works—repo
  50–55. How it all works—rollback
  56. Permissions over time
  57–61. Recap of challenges
  62. Wanna chat? https://gitter.im/netflix-repokid/Lobby. Twitter: @MonkeySecurity, @travismcpeak. Contribute: https://github.com/Netflix-Skunkworks/aardvark, https://github.com/Netflix/repokid. Thanks!
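As an added illustration of the repo step the session describes (this is not code from Repokid or Aardvark), the function below takes a role's policy, shaped like the statements on slides 29–32, together with Access Advisor-style last-authenticated timestamps per service, and strips the actions for services the role has not used in 90 days. The policy, the timestamps and the "today" date are constructed sample data; the field names mirror IAM's GetServiceLastAccessedDetails output, which a real run would fetch with boto3.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample: a role's inline policy, shaped like the statements on slides 29-32.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["ec2:AttachVolume", "ec2:CreateVolume"], "Resource": "*"},
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket", "s3:PutObject"],
         "Resource": "arn:aws:s3:::my_bucket_name"},
        {"Effect": "Allow", "Action": ["sqs:ListQueues", "sqs:PurgeQueue", "sqs:SendMessage"],
         "Resource": "*"},
    ],
}
NOW = datetime(2017, 11, 29, tzinfo=timezone.utc)  # constructed "today"

# Constructed Access Advisor data: service namespace -> last authenticated time
# (None = the role never used the service). Mirrors the ServiceNamespace /
# LastAuthenticated fields of IAM's GetServiceLastAccessedDetails.
SERVICE_LAST_ACCESSED = {
    "ec2": NOW - timedelta(days=3),
    "s3": NOW - timedelta(days=120),
    "sqs": None,
}

def unused_services(last_accessed, now, max_age_days=90):
    """Services the role has not authenticated against within max_age_days."""
    cutoff = now - timedelta(days=max_age_days)
    return {svc for svc, ts in last_accessed.items() if ts is None or ts < cutoff}

def repo_policy(policy, last_accessed, now, max_age_days=90):
    """Return (new_policy, removed_actions) with unused services' actions stripped.

    Only Allow statements shrink (dropping a Deny would widen access); a bare "*"
    action names no service and is left alone; a statement whose actions are all
    removed is dropped. The input is not mutated, so the caller keeps it for rollback.
    """
    stale = unused_services(last_accessed, now, max_age_days)
    statements = policy["Statement"]
    if isinstance(statements, dict):  # single-statement form, as on slide 21
        statements = [statements]
    new_statements, removed = [], []
    for stmt in statements:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        keep = [a for a in actions
                if stmt.get("Effect") != "Allow" or a.split(":")[0].lower() not in stale]
        removed.extend(a for a in actions if a not in keep)
        if keep:
            new_statements.append({**stmt, "Action": keep})
    return {**policy, "Statement": new_statements}, removed
```

With the sample data, the ec2 statement survives untouched while every s3 and sqs action is removed; the original POLICY object is what a rollback would restore.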
