9. "AWS designed their account security for a single deployment, single environment, in a single region."
11. • VPC (Virtual Private Cloud) is single-region (ex: us-east, eu-west).
• Most resources are tied to a single VPC.
• IAM Users, Roles, Groups, and Policies are account-wide.
• S3 Buckets are account-wide.
12. • Use Pacu and Cloudsploit to test AWS Security
• https://github.com/RhinoSecurityLabs/pacu
• https://github.com/cloudsploit/scans
17. • AWS CloudWatch Logs collects logs from AWS resources like EC2, ELB, RDS.
• AWS CloudTrail logs AWS CLI and SDK API requests, and sometimes the response.
• AWS VPC Flow Logs log network 5-tuples between resources.
18. CloudWatch Log, syslog
Jul 11 04:37:01 ip-172-31-9-199 CRON[9575]: (root) CMD (/var/awslogs/bin/awslogs-nanny.sh > /dev/null 2>&1)
• You can create a “Log Stream” to save logs into an S3 bucket, for easier retrieval.
22. VPC Flow Logs
2 123456789010 eni-abc123de 172.31.16.139 172.31.16.21 20641 22 6 20 4249 1418530010 1418530070 ACCEPT OK
<version> <account-id> <interface-id> <srcaddr> <dstaddr> <srcport> <dstport> <protocol> <packets> <bytes> <start> <end> <action> <log-status>
• You can’t modify a Flow Log’s configuration after creation. You have to delete it.
• Network interfaces with multiple IP addresses will have data logged only for the primary IP as the destination address.
• Flow Logs exclude traffic related to DHCP requests and Amazon DNS activity.
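An added example, not part of the slides: a small parser that reads Flow Log records in the field order shown above and reports ACCEPTed TCP flows to ports a defender would watch. The first sample line is the slide's own record; the other two lines are constructed (a rejected connection and a NODATA record).

```python
# Added example, not from the slides: parse VPC Flow Log (version 2) records in
# the field order shown on the slide and report ACCEPTed TCP flows to watched ports.
from datetime import datetime, timezone

# Field order exactly as in the slide's <version> ... <log-status> template.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()
INT_FIELDS = {"version", "srcport", "dstport", "protocol", "packets", "bytes", "start", "end"}

# Constructed sample log: line 1 is the slide's own record; lines 2-3 are made up
# (a rejected SSH attempt from outside, and a NODATA record with '-' placeholders).
SAMPLE_LOG = """\
2 123456789010 eni-abc123de 172.31.16.139 172.31.16.21 20641 22 6 20 4249 1418530010 1418530070 ACCEPT OK
2 123456789010 eni-abc123de 203.0.113.12 172.31.16.21 40512 22 6 3 180 1418530010 1418530070 REJECT OK
2 123456789010 eni-abc123de - - - - - - - 1418530070 1418530130 - NODATA
"""


def parse_record(line):
    """Return a dict keyed by FIELDS, or None for malformed or non-OK (NODATA/SKIPDATA) records."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    if rec["log_status"] != "OK":  # NODATA/SKIPDATA rows carry '-' in the numeric fields
        return None
    for name in INT_FIELDS:
        rec[name] = int(rec[name])
    return rec


def accepted_flows_to_ports(log_text, watched_ports=(22, 3389)):
    """List (srcaddr, dstaddr, dstport, start ISO time) for ACCEPT TCP flows to watched ports.

    Caveat from the slide: on a multi-IP interface, dstaddr is always the primary IP,
    so traffic to a secondary IP cannot be told apart here.
    """
    hits = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None or rec["action"] != "ACCEPT":
            continue
        if rec["protocol"] == 6 and rec["dstport"] in watched_ports:  # 6 = TCP
            when = datetime.fromtimestamp(rec["start"], timezone.utc).isoformat()
            hits.append((rec["srcaddr"], rec["dstaddr"], rec["dstport"], when))
    return hits


if __name__ == "__main__":
    for src, dst, port, when in accepted_flows_to_ports(SAMPLE_LOG):
        print(f"{when} {src} -> {dst}:{port} ACCEPT")
```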
23. Logging Limitations
• Default retention is 90 days.
• CloudWatch Logs must be configured per service, ex: Apache, nginx, Tomcat, etc.
• CloudTrail Logs will only detect creation of insecure objects after it was enabled, and only for up to 90 days by default. You need to set up retention.
• VPC Flow Logs are unusable for multi-IP EC2 instances.
24. • Use skew to aggregate AWS resource configs across multiple accounts and multiple regions.
• https://github.com/scopely-devops/skew
29. • All of these use CloudWatch, CloudTrail, VPC Flow Logs, and SSM-Agent or Inspector Agent.
• Sep 2013 - AWS Trusted Advisor, basic hygiene.
• Nov 2014 - AWS Config, AWS resource configuration.
• Oct 2015 - AWS Inspector, EC2 configuration, PCI-DSS, CIS.
• Aug 2017 - AWS Macie, S3 configuration.
• Nov 2017 - AWS GuardDuty, network intrusion detection system.
• Nov 2018 - AWS Security Hub, aggregates Inspector, Macie, and GuardDuty.
30. • None of these are free.
• Expensive at scale, with 1000+ servers.
• Still requires a dedicated SIEM, and SOAR (security orchestration, automation, remediation).
31. • Still need a SIEM to aggregate the alerts.
• ELK, Splunk, LogRhythm, Loggly, SumoLogic, dome9
• Limited automated remediation.
• DivvyCloud, Uptycs, Rapid7 InsightConnect, Alienvault, Cyberbit, Swimlane
32. • Use Argos to automate remediation.
• https://github.com/apolloclark/argos
45. • AWS Managed IAM Policies are too wide-open.
• Inline Policies are tedious to manage.
• IAM Policies for Describe* are account-wide.
• Unsupported Resource-Level Permissions:
• https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.IAM.ResourcePermissions.html#UsingWithRDS.IAM.UnsupportedResourceLevelPermissions
• https://docs.aws.amazon.com/AWSEC2/latest/APIReference/ec2-api-permissions.html#ec2-api-unsupported-resource-permissions
• Check out Netflix/repokid
• https://github.com/Netflix/repokid