AWS Architecture Flaws
Apollo Clark
• Intro
• Multi-tenancy
• Logging
• Alerts
• Secrets Management
• IAM Permissions
• Questions
Intro
• Web engineer since 2001
• LAMP stacks, PHP, Python, Ruby, Java, …
• AWS user since 2010
• Managed 4TB Elasticsearch, 2TB MongoDB
• Managed 25,000+ servers, 200+ AWS accounts
• Security consultant since 2015
Multi-tenancy
"AWS designed their account security
for a single deployment, single
environment, in a single region."
• A VPC (Virtual Private Cloud) lives in a single region (ex: us-east-1, eu-west-1).
• Most resources are tied to a single VPC.
• IAM Users, Roles, Groups, and Policies are account-wide: one over-broad policy reaches every environment in the account.
• S3 Buckets are account-wide (and bucket names are global).
• Use Pacu and Cloudsploit to test AWS Security
• https://github.com/RhinoSecurityLabs/pacu
• https://github.com/cloudsploit/scans
“Deploy into dedicated AWS accounts.”
Logging
• AWS CloudWatch Logs collects logs shipped by the CloudWatch agent on EC2 and by services such as RDS and Lambda (ELB access logs are delivered to S3 instead).
• AWS CloudTrail logs every API call made through the console, CLI, or SDKs, with the request parameters and, for some calls, the response elements.
• AWS VPC Flow Logs record network 5-tuples (source/destination address, source/destination port, protocol) between resources, plus packet and byte counts and the accept/reject decision.
CloudWatch Log, syslog
Jul 11 04:37:01 ip-172-31-9-199 CRON[9575]: (root) CMD (/var/awslogs/bin/awslogs-nanny.sh > /dev/null 2>&1)
• CloudWatch Logs are organized into Log Groups and Log Streams; a log group can be exported to an S3 bucket for cheaper long-term retention and easier retrieval.
CloudTrail Logs
{
  "eventVersion":"1.05",
  "userIdentity":{
    "type":"Root",
    "principalId":"123456789012",
    "arn":"arn:aws:iam::123456789012:root",
    "accountId":"123456789012",
    "accessKeyId":"ASIA1234567890ABCD",
    "userName":"apolloclark",
    "sessionContext":{
      "attributes":{
        "mfaAuthenticated":"true",
        "creationDate":"2017-08-02T17:51:58Z"
      }
    }
  },
  "eventTime":"2017-08-02T18:13:23Z",
  "eventSource":"cloudtrail.amazonaws.com",
  "eventName":"CreateTrail",
  "awsRegion":"us-east-1",
  "sourceIPAddress":"73.0.0.1",
  "userAgent":"console.amazonaws.com",
  "requestParameters":{
    "enableLogFileValidation":true,
    "name":"test",
    "kmsKeyId":"",
    "includeGlobalServiceEvents":true,
    "isMultiRegionTrail":true,
    "s3BucketName":"testbucket"
  },
  "responseElements":{
    "s3BucketName":"testbucket",
    "includeGlobalServiceEvents":true,
    "logFileValidationEnabled":true,
    "name":"test",
    "trailARN":"arn:aws:cloudtrail:us-east-1:123456789012:trail/test",
    "isMultiRegionTrail":true
  },
  "requestID":"4534ea8f-77ae-11e7-93b4-a16934176b9b",
  "eventID":"05c2522c-4971-4150-96f5-a45cee763a1b",
  "eventType":"AwsApiCall",
  "recipientAccountId":"123456789012"
}
• Note what the record gives a detector: the principal type (Root here), whether the session used MFA, the source IP and user agent, and the exact trail settings requested (an empty kmsKeyId means the trail is not KMS-encrypted).
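The fields above are what a detection rule runs on. The following is an added example, not code from the original slides: a small rule set over CloudTrail records that flags root usage, sessions without MFA, calls that blind logging, and weak trail settings. The two sample records are constructed; the first mirrors the CreateTrail event above, the second is a hypothetical StopLogging call by an IAM user whose session has no MFA (the principalId "AIDAEXAMPLE" and user name "deploy-bot" are placeholders).

```python
"""Detection rules over CloudTrail records.

Added example, not from the original slides. SAMPLE_RECORDS are constructed:
record 1 mirrors the CreateTrail event shown above, record 2 is hypothetical.
"""
import json

# API calls that blind or weaken logging; an attacker with admin rights tries these.
LOGGING_TAMPER_EVENTS = {
    "StopLogging", "DeleteTrail", "UpdateTrail",
    "PutEventSelectors", "DeleteFlowLogs",
}


def analyze_event(event):
    """Return a list of finding strings for one CloudTrail record (empty if clean)."""
    findings = []
    identity = event.get("userIdentity", {})
    name = event.get("eventName", "")
    params = event.get("requestParameters") or {}

    if identity.get("type") == "Root":
        findings.append("root credentials used for API call")

    # mfaAuthenticated only exists inside sessionContext (temporary credentials),
    # so MFA is judged only when a session is present; long-term keys carry none.
    session = identity.get("sessionContext")
    if session is not None:
        mfa = session.get("attributes", {}).get("mfaAuthenticated", "false")
        if mfa != "true":
            findings.append("session created without MFA")

    if name in LOGGING_TAMPER_EVENTS:
        findings.append("logging tampered: " + name)

    if name in ("CreateTrail", "UpdateTrail"):
        # Weak trail settings are visible in requestParameters at creation time.
        if not params.get("kmsKeyId"):
            findings.append("trail without KMS encryption")
        if params.get("enableLogFileValidation") is False:
            findings.append("trail without log file validation")
        if not params.get("isMultiRegionTrail"):
            findings.append("trail is single-region")

    if event.get("errorCode") in ("AccessDenied", "UnauthorizedOperation"):
        findings.append("denied call: possible permission probing")
    return findings


def analyze_records(records):
    """Map eventID -> findings for every record that produced at least one."""
    out = {}
    for rec in records:
        found = analyze_event(rec)
        if found:
            out[rec["eventID"]] = found
    return out


# Constructed sample records (account IDs and keys are placeholders).
SAMPLE_RECORDS = [
    {
        "eventVersion": "1.05",
        "userIdentity": {
            "type": "Root", "principalId": "123456789012",
            "arn": "arn:aws:iam::123456789012:root", "accountId": "123456789012",
            "accessKeyId": "ASIA1234567890ABCD", "userName": "apolloclark",
            "sessionContext": {"attributes": {"mfaAuthenticated": "true",
                                              "creationDate": "2017-08-02T17:51:58Z"}},
        },
        "eventTime": "2017-08-02T18:13:23Z", "eventSource": "cloudtrail.amazonaws.com",
        "eventName": "CreateTrail", "awsRegion": "us-east-1",
        "sourceIPAddress": "73.0.0.1", "userAgent": "console.amazonaws.com",
        "requestParameters": {"enableLogFileValidation": True, "name": "test",
                              "kmsKeyId": "", "includeGlobalServiceEvents": True,
                              "isMultiRegionTrail": True, "s3BucketName": "testbucket"},
        "eventID": "05c2522c-4971-4150-96f5-a45cee763a1b", "eventType": "AwsApiCall",
    },
    {
        "eventVersion": "1.05",
        "userIdentity": {
            "type": "IAMUser", "principalId": "AIDAEXAMPLE",
            "arn": "arn:aws:iam::123456789012:user/deploy-bot", "accountId": "123456789012",
            "accessKeyId": "ASIAEXAMPLE000000000", "userName": "deploy-bot",
            "sessionContext": {"attributes": {"mfaAuthenticated": "false",
                                              "creationDate": "2017-08-02T19:00:00Z"}},
        },
        "eventTime": "2017-08-02T19:05:00Z", "eventSource": "cloudtrail.amazonaws.com",
        "eventName": "StopLogging", "awsRegion": "us-east-1",
        "sourceIPAddress": "73.0.0.1", "userAgent": "aws-cli/1.16.0",
        "requestParameters": {"name": "test"},
        "eventID": "11111111-2222-3333-4444-555555555555", "eventType": "AwsApiCall",
    },
]

if __name__ == "__main__":
    print(json.dumps(analyze_records(SAMPLE_RECORDS), indent=2))
```

In production the records come from the CloudTrail JSON files a trail delivers to S3 (each file holds a `Records` array); the rules are the same. The MFA check deliberately stays silent for calls made with long-term access keys, which have no session context, so pair it with a separate rule on IAM users that own such keys.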
VPC Flow Logs
2 123456789010 eni-abc123de 172.31.16.139 172.31.16.21 20641 22 6 20 4249 1418530010 1418530070 ACCEPT OK
<version> <account-id> <interface-id> <srcaddr> <dstaddr> <srcport>
<dstport> <protocol> <packets> <bytes> <start> <end> <action> <log-status>
• You can’t modify a Flow Log’s configuration after creation. You have to
delete it.
• Network interfaces with multiple IP addresses will have data logged only
for the primary IP as the destination address.
• Flow Logs exclude traffic related to DHCP requests and Amazon DNS
activity.
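The record format above is simple enough to parse by hand, and the NODATA/SKIPDATA case is the part people get wrong. The following is an added example, not code from the original slides: a parser for the default version-2 format that drops records without traffic data, then two detections over the parsed records. The log is constructed; its first line is the record shown above, the rest are hypothetical (73.0.0.1 is reused from the CloudTrail sample, 91.0.0.2 is a made-up external address). Custom flow log formats reorder the fields, so FIELDS would need to follow your log format string.

```python
"""Parse VPC Flow Log records and flag accepted admin-port traffic from
outside the VPC.

Added example, not code from the original slides. SAMPLE_LOG is constructed.
"""
import ipaddress

# Default (version 2) flow log field order, as documented by AWS.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()
INT_FIELDS = ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end")
ADMIN_PORTS = {22, 3389}   # ssh, rdp
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

SAMPLE_LOG = """\
2 123456789010 eni-abc123de 172.31.16.139 172.31.16.21 20641 22 6 20 4249 1418530010 1418530070 ACCEPT OK
2 123456789010 eni-abc123de 73.0.0.1 172.31.16.21 51234 22 6 12 1836 1418530010 1418530070 ACCEPT OK
2 123456789010 eni-abc123de 91.0.0.2 172.31.16.21 40000 3389 6 3 180 1418530010 1418530070 REJECT OK
2 123456789010 eni-abc123de 91.0.0.2 172.31.16.21 40001 443 6 8 900 1418530010 1418530070 ACCEPT OK
2 123456789010 eni-abc123de - - - - - - - 1418530010 1418530070 - NODATA
"""


def is_rfc1918(addr):
    """True for private (intra-VPC) addresses."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def parse_record(line):
    """Parse one space-separated record into a dict; ints for numeric fields.

    Returns None for NODATA/SKIPDATA records, whose traffic fields are '-'.
    """
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError("unexpected field count %d: %r" % (len(parts), line))
    rec = dict(zip(FIELDS, parts))
    if rec["log_status"] != "OK":
        return None
    for f in INT_FIELDS:
        rec[f] = int(rec[f])
    return rec


def parse_log(text):
    """Parse a whole log, dropping blank lines and NODATA/SKIPDATA records."""
    recs = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        if rec is not None:
            recs.append(rec)
    return recs


def external_admin_access(records):
    """Accepted TCP flows to an admin port from a non-RFC1918 source.

    Returns (srcaddr, dstaddr, dstport, bytes) tuples. REJECTed flows are
    ignored here; a burst of them is its own signal (port scanning).
    """
    hits = []
    for r in records:
        if r["action"] != "ACCEPT" or r["protocol"] != 6:
            continue
        if r["dstport"] not in ADMIN_PORTS or is_rfc1918(r["srcaddr"]):
            continue   # intra-VPC traffic, e.g. from a bastion host
        hits.append((r["srcaddr"], r["dstaddr"], r["dstport"], r["bytes"]))
    return hits


def bytes_by_pair(records):
    """Total bytes per (src, dst) pair, for spotting bulk transfers."""
    totals = {}
    for r in records:
        key = (r["srcaddr"], r["dstaddr"])
        totals[key] = totals.get(key, 0) + r["bytes"]
    return totals


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for hit in external_admin_access(recs):
        print("external admin access:", hit)
    print(bytes_by_pair(recs))
```

Because of the multi-IP limitation noted above, `dstaddr` is always the interface's primary private IP, so the byte totals per pair are per interface, not per secondary address.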
Logging Limitations
• CloudTrail's built-in event history only covers the last 90 days; to keep API calls longer you need a trail delivering to S3 (retained until a lifecycle rule removes it) or to a CloudWatch Logs group with a retention policy.
• CloudWatch Logs groups default to never expiring, so you still have to set a retention period per group to control cost.
• CloudWatch Logs must be configured per service, ex: Apache, nginx, Tomcat, etc.
• CloudTrail only records API calls made after it was enabled; an insecure object created before that has no creation event to search for.
• VPC Flow Logs attribute all traffic on a multi-IP network interface to its primary private IP, so per-address analysis on multi-IP EC2 instances is not possible.
• Use skew to aggregate AWS resource configs,
across multiple accounts, multiple regions.
• https://github.com/scopely-devops/skew
Alerts
• All of these use CloudWatch, CloudTrail, VPC Flow Logs, and
SSM-Agent or Inspector Agent.
• Sep 2013 - AWS Trusted Advisor, basic hygiene.
• Nov 2014 - AWS Config, AWS resource configuration.
• Oct 2015 - AWS Inspector, EC2 configuration, PCI-DSS, CIS
• Aug 2017 - AWS Macie, S3 configuration.
• Nov 2017 - AWS GuardDuty, network intrusion detection system
• Nov 2018 - AWS Security Hub, aggregates Inspector, Macie,
and GuardDuty.
• None of these are free.
• Expensive at scale, with 1000+ servers.
• You still need a SIEM to aggregate the alerts: ELK, Splunk, LogRhythm, Loggly, SumoLogic, Dome9.
• Automated remediation is limited, so you still need SOAR (security orchestration, automation and response) tooling: DivvyCloud, Uptycs, Rapid7 InsightConnect, AlienVault, Cyberbit, Swimlane.
• Use Argos to automate remediation.
• https://github.com/apolloclark/argos
Secrets Management
cloud-init, user data, startup script
curl http://169.254.169.254/latest/user-data
#!/bin/bash
export POSTGRES_HOST="54.0.0.1"
export POSTGRES_USERNAME="pg_admin"
export POSTGRES_PASSWORD="5up3r_53cr3t"
export AWS_IAM_ACCESS_KEY="AKIA123456780"
export AWS_IAM_SECRET_KEY="Qbfaui3289bfaf389"
export NESSUS_ACCESS_KEY="abrw31289bfajklfdas"
• Everything in user data is readable by any process on the instance through the metadata endpoint (the curl above), and by anyone with ec2:DescribeInstanceAttribute on the instance, so it is not a place for credentials.
• Use a dedicated configuration management service for configuration, and a secrets manager for credentials.
• Ansible Tower, Chef, Puppet, HashiCorp Vault
• Use AWS Secrets Manager, fetched at boot through the instance's IAM role, instead of baking keys into user data.
• https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/user-data.html
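Finding scripts like the one above across a fleet is mechanical once you have the user data in hand. The following is an added example, not code from the original slides: a scanner that flags credential-looking assignments and AWS access key IDs in user data, run over two constructed scripts. The leaky script mirrors the slide above (with AWS's documented placeholder key AKIAIOSFODNN7EXAMPLE in place of the slide's short value); the hardened script is a hypothetical rewrite that pulls the password from AWS Secrets Manager at boot, using the real `aws secretsmanager get-secret-value` CLI, and the secret name prod/postgres/password is an assumption.

```python
"""Scan EC2 user-data for embedded secrets.

Added example, not code from the original slides. Both user-data scripts
below are constructed.
"""
import base64
import re

# Variable names that almost always hold credentials.
SECRET_NAME_RE = re.compile(r"(PASS(WORD)?|SECRET|TOKEN|API_KEY|ACCESS_KEY|PRIVATE_KEY)", re.I)
# Shell-style literal assignment: [export] NAME=value / NAME="value" / NAME='value'.
# A command substitution such as NAME="$(aws ...)" deliberately does not match.
ASSIGN_RE = re.compile(r"""^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)=["']?([^"'\s]+)["']?\s*$""")
# Value-based signatures: AWS access key IDs are 20 chars starting AKIA/ASIA.
VALUE_SIGNATURES = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
}

LEAKY_USER_DATA = """#!/bin/bash
export POSTGRES_HOST="54.0.0.1"
export POSTGRES_USERNAME="pg_admin"
export POSTGRES_PASSWORD="5up3r_53cr3t"
export AWS_IAM_ACCESS_KEY="AKIAIOSFODNN7EXAMPLE"
export AWS_IAM_SECRET_KEY="Qbfaui3289bfaf389"
export NESSUS_ACCESS_KEY="abrw31289bfajklfdas"
"""

# Hardened form (hypothetical): user data carries only a secret *name*; the
# instance role, not a baked-in key, is what gets secretsmanager:GetSecretValue.
HARDENED_USER_DATA = """#!/bin/bash
export POSTGRES_HOST="54.0.0.1"
export POSTGRES_USERNAME="pg_admin"
POSTGRES_PASSWORD="$(aws secretsmanager get-secret-value \\
    --secret-id prod/postgres/password --query SecretString --output text)"
export POSTGRES_PASSWORD
"""


def redact(value):
    """Keep enough of a value to recognise it in a report, never the whole thing."""
    return value[:4] + "..." if len(value) > 4 else "..."


def find_secrets(user_data):
    """Return findings as (line_no, kind, variable_name, redacted_value) tuples."""
    findings = []
    for line_no, line in enumerate(user_data.splitlines(), 1):
        m = ASSIGN_RE.match(line)
        if m and SECRET_NAME_RE.search(m.group(1)):
            findings.append((line_no, "secret_variable", m.group(1), redact(m.group(2))))
        for kind, pattern in VALUE_SIGNATURES.items():
            for value in pattern.findall(line):
                findings.append((line_no, kind, None, redact(value)))
    return findings


def encode_user_data(text):
    """Base64-encode, the form the EC2 API stores and returns user data in."""
    return base64.b64encode(text.encode("utf-8")).decode("ascii")


def find_secrets_b64(encoded):
    """DescribeInstanceAttribute returns userData base64-encoded; decode first."""
    return find_secrets(base64.b64decode(encoded).decode("utf-8", "replace"))


if __name__ == "__main__":
    for finding in find_secrets(LEAKY_USER_DATA):
        print("leaky:", finding)
    print("hardened findings:", find_secrets(HARDENED_USER_DATA))
```

To run this fleet-wide, feed `find_secrets_b64` the `UserData.Value` field from `aws ec2 describe-instance-attribute --attribute userData` for each instance; the scanner never prints a full value, so its output can go into a ticket without re-leaking the secret.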
IAM Permissions
IAM Policy, S3 bucket, resource name
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:GetObject",
        "s3:GetObjectVersion"
      ],
      "Resource": "arn:aws:s3:::CompanyA/Marketing/*"
    }
  ]
}
(S3 ARNs carry no region or account ID, so the form is arn:aws:s3:::bucket/key.)
IAM Policy, EBS, resource tag
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:AttachVolume",
        "ec2:DetachVolume"
      ],
      "Resource": [
        "arn:aws:ec2:*:*:instance/*",
        "arn:aws:ec2:*:*:volume/*"
      ],
      "Condition": {
        "StringEquals": {"ec2:ResourceTag/Department": "Marketing"}
      }
    }
  ]
}
(AttachVolume and DetachVolume are authorized against both the instance and the volume, so both resource types must be listed; the condition then requires the Department tag on each.)
IAM Policy, RDS
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "rds:DescribeDBInstances",
"Resource": "*"
}
]
}
• AWS Managed IAM Policies are too wide-open: whole-service actions on "Resource": "*".
• Inline Policies are tedious to manage; prefer customer-managed policies attached to roles.
• Most Describe*/List* actions do not support resource-level permissions, so a policy granting them is account-wide ("Resource": "*") whether you want it or not.
• Unsupported Resource-Level Permissions:
• https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.IAM.ResourcePermissions.html#UsingWithRDS.IAM.UnsupportedResourceLevelPermissions
• https://docs.aws.amazon.com/AWSEC2/latest/APIReference/ec2-api-permissions.html#ec2-api-unsupported-resource-permissions
• Check out Netflix/repokid, which strips permissions for unused services from role policies based on Access Advisor data.
• https://github.com/Netflix/repokid
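The three policies above are narrow; the problem is telling them apart from wide-open ones at scale. The following is an added example, not code from the original slides: a linter that flags wildcard actions, unconditioned mutating actions on "Resource": "*", NotAction/NotResource grants, and non-canonical S3 ARNs, while accepting Describe*/Get*/List* on "*" since many of those actions only work that way. The first three policies are the ones above; WIDE_OPEN_POLICY is a constructed stand-in for a permissive managed policy, and LEGACY_S3_POLICY repeats the S3 policy with the region/account wildcards in its ARN.

```python
"""Lint IAM policy documents for over-broad grants.

Added example, not code from the original slides. WIDE_OPEN_POLICY and
LEGACY_S3_POLICY are constructed.
"""

# Actions whose names start with these prefixes do not mutate anything.
READ_ONLY_PREFIXES = ("Describe", "Get", "List")


def _as_list(value):
    """IAM allows a string or a list in Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def is_read_only(action):
    """'rds:DescribeDBInstances' -> True, 'ec2:AttachVolume' -> False, 's3:*' -> False."""
    if ":" not in action:
        return False
    verb = action.split(":", 1)[1]
    return verb.startswith(READ_ONLY_PREFIXES)


def lint_policy(policy):
    """Return (statement_index, finding) tuples; an empty list means clean."""
    findings = []
    if policy.get("Version") != "2012-10-17":
        findings.append((None, "missing or old policy Version"))
    for i, st in enumerate(_as_list(policy.get("Statement"))):
        if st.get("Effect") != "Allow":
            continue
        if "NotAction" in st or "NotResource" in st:
            findings.append((i, "NotAction/NotResource grants everything not listed"))
        actions = _as_list(st.get("Action"))
        resources = _as_list(st.get("Resource"))
        for a in actions:
            if a == "*" or a.endswith(":*"):
                findings.append((i, "wildcard action " + a))
        if "*" in resources:
            # Describe*/Get*/List* on "*" is tolerated; anything else needs a Condition.
            mutating = [a for a in actions if not is_read_only(a)]
            if mutating and "Condition" not in st:
                findings.append((i, "Resource * with unconditioned mutating actions: "
                                    + ", ".join(mutating)))
        for r in resources:
            if r.startswith("arn:aws:s3:") and not r.startswith("arn:aws:s3:::"):
                findings.append((i, "non-canonical S3 ARN " + r + " (use arn:aws:s3:::bucket/key)"))
    return findings


S3_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Action": ["s3:PutObject", "s3:GetObject", "s3:GetObjectVersion"],
                   "Resource": "arn:aws:s3:::CompanyA/Marketing/*"}],
}
EBS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Action": ["ec2:AttachVolume", "ec2:DetachVolume"],
                   "Resource": ["arn:aws:ec2:*:*:instance/*", "arn:aws:ec2:*:*:volume/*"],
                   "Condition": {"StringEquals": {"ec2:ResourceTag/Department": "Marketing"}}}],
}
RDS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "rds:DescribeDBInstances", "Resource": "*"}],
}
# Constructed: the shape of a permissive managed policy.
WIDE_OPEN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["s3:*", "iam:PassRole"], "Resource": "*"}],
}
# Constructed: the S3 policy with region/account wildcards in the ARN.
LEGACY_S3_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:GetObject",
                   "Resource": "arn:aws:s3:*:*:CompanyA/Marketing/*"}],
}

if __name__ == "__main__":
    for name, pol in [("S3", S3_POLICY), ("EBS", EBS_POLICY), ("RDS", RDS_POLICY),
                      ("WIDE_OPEN", WIDE_OPEN_POLICY), ("LEGACY_S3", LEGACY_S3_POLICY)]:
        print(name, lint_policy(pol) or "clean")
```

The RDS policy passes because DescribeDBInstances is read-only and has no resource-level support; the same "Resource": "*" under ec2:AttachVolume would be flagged. Feed the linter the documents from `aws iam get-policy-version` to review managed policies before attaching them.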
Summary
• Dedicated AWS Accounts
• Logging
• Alerts
• Secrets Management
• IAM Permissions
• https://github.com/toniblyx/my-arsenal-of-aws-security-tools
Questions?