Slides from my talk at SANS

1. Chris Farris
Cloud Security Lead
Building Your
CLOUD SECURITY
STRATEGY
(for scale)

2. Who Am I?
Cloud Security Lead at WarnerMedia
My job is to keep the Russians off cnn.com and my friends
from downloading Rick & Morty

4. What is “The Cloud”?
NIST Definition:
● On-demand self-service
● Broad Network Access
● Resource Pooling
● Rapid Elasticity
● Measured Service

5. Who is “The Cloud”?

6. Why is it Different?
Life is No Longer
Two Dimensional

7. Firewall, what firewall?
aws ec2 authorize-security-group-
ingress --port 3389 --cidr
0.0.0.0/0

8. AWS Attack Surface
AWS Foundation Services
Compute Storage Database Networking
AWS Global
Infrastructure
Regions
Availability Zones
Edge
Locations
Client-side Data
Encryption
Server-side Data
Encryption
Network Traffic
Protection
Platform, Applications, Identity & Access Management
Operating System, Network, and Firewall Configuration
Customer applications & content
You

9. To The Cloud!
Lord of the Rings: Return of the King (New Line Cinema 2003)

10. YOU
Born-in-the-Cloud Competition
Infrastructure as a Service
Adv Platforms & Big Data
ML and Predictive Analytics
Cloud Adoption

11. Infrastructure as a Service
Adv Platforms & Big Data
ML and Predictive Analytics
Voice / Recommendations / ?
??
?
??
?
YOU Born-in-the-Cloud
Competition
Cloud Capabilities

12. The Surface Area Of AWS

13. What Security Worries About

14. What Developers Are Excited To Use

15. 300 (Warner Bros. Pictures 2006)

16. Why Do You Need A Strategy?
Game of Thrones (HBO)

17. All Your Data Are Belong To Hackers
14 million customer records leaked
4 million credit cards stolen
Millions of classified images stolen
Open k8s cluster
Cryptomining & data exfil
Elastic Search Cluster open on the Internet
Not to mention people sharing their hard-drives

18. Publicly Writable Buckets!
● LA Times website was tricking readers into mining
cryptocurrency for some guy
● Bucket was left publicly writable
● Miner just uploaded some of his on javascript
● LA Times happily served it out
For Three Weeks

19. Everything can be public
● S3 Buckets
● Container Registries
● Disk Volumes and Boot Images!
● Lambda Executions
● SNS Topics
● SQS Queues
● KMS Keys???
Cloud Security Posture (Your AWS Account 2019)

20. Subdomain Takeovers
● Route53 is your friend!
● Orphaned Aliases
aws route53 list-resource-record-sets --hosted-zone-id Z2WCA2W1V2XMNG --
query "ResourceRecordSets[].[AliasTarget.DNSName,Name]" --output text |
grep s3
s3-website.us-east-2.amazonaws.com. wateringhole.room17.com.
If you don’t own the bucket,
I can for the low low price of nothing!
aws s3 mb wateringhole.room17.com

21. Secrets
● GitHub
● UserData
● Lambda Functions
● Lambda Layers
● Env Vars
● Wide Open k8s
● Your Laptop
Upload
Game of Thrones (HBO)

22. Remember, your keys are in plaintext in
~/.aws/credentials

23. ReadOnlyAccess
● EC2 UserData
● Lambda Code packages
○ aws lambda get-function --function-name YOUR-
FUNCTION_NAME --query Code.Location
● On-Prem VPN configurations
○ defined as CustomerGateways.

24. Account Takeovers
● IAM Users
● KMS Deletions
● Crypto Mining!
● Denial of Wallet
● Account Ransom

25. Capital One
● Metadata Abuse!
● Overly permissive roles!
● Undetected Data Exfiltration!
● Guns!*
● Senate Inquiries!
What's in your dumpster fire?
* Attacker's landlord had illegal firearms which were seized as part of the search

26. Lateral vs Vertical Movement
● Lateral Movement
○ Network to network
○ Cloud account to cloud account
● Vertical movement
○ Use cloud creds to compromise machine
○ Use popped machine to pivot to cloud-layer
Gravity (Warner Bros. Pictures 2013)
https://summitroute.com/blog/2019/02/04/lateral_movement_abusing_trust/
https://www.chrisfarris.com/post/lateral-movement-aws/

27. AWS does a bad job of making it
hard to do stupid things

30. Cloud Security Roadmap
1. Cloud Security Standard
2. Multi-Account Strategy
3. AWS Organizations
4. Security AWS Account
5. Cross-Account Audit Roles
6. Inventory & Management
7. Cloud Security Scorecard

31. Cloud Security Standard
• KISS
• Focus on your risk and your culture
• Define accountability
• CIS Benchmarks are a start
• Consensus Driven
• Requirements “must”
• Best Practices “should”
https://www.chrisfarris.com/post/cloud-security-standard/

32. Multi-account Strategy
Define "Bubble of Accountability"
Reduce Blast Radius
Automate

33. AWS Organizations
AWS Account Governance Service
● Easy to create new accounts
● Consolidated Billing
● Service Control Policies

34. Service Control Policies
SCPs Limit what your child accounts can do.
Examples
- Protect CloudTrail / GuardDuty
- Protect KMS Keys
- Prevent VPC changes
- Block unapproved services
- Leave the organization

35. Security Account
● Audit rights to all accounts
● Manage GuardDuty and other services
● CloudTrail
● Inventory
https://www.chrisfarris.com/post/securityaccount/

37. Inventory
Game of Thrones (HBO)

38. Antiope
● Lots of accounts and lots of regions makes for a big haystack
● Enterprise tools are ridiculously expensive
● AWS Config service doesn’t support all AWS services we use
● Requirement to track (and identify) foreign AWS accounts
● Search engine to help find BGSHs
● Opensource
● Azure & GCP are in progress
● An-Tie-Oh-Pee
https://github.com/turnerlabs/antiope
Robin Wright as Antiope
Wonder Woman 1984 (Warner Bros. Pictures)

39. What It Monitors (Today)
● EC2
● Security Groups
● Elastic Network
Interfaces
● Route 53
Domains
● Route 53 Zones
● ElasticSearch
● ECS Tasks &
Clusters
● ECR Repos
● CloudFront
● CloudFormation
● AMIs
● VPCs, VPN &
Direct connect
● IAM Roles &
Users
● Lambda &
Lambda Layers
● Trusted Advisor
● Support Cases

40. Scorecards
Did ya get that
spreadsheet I
sent you?

42. Cloud Security Scorecards
DynamoDB
Lambda
S3
CloudSploit
Antiope
GRC Register
Executives
Weekly email
With trending
Resource
Inventory
Account
Discovery
Exceptions on a per-resource basis
https://www.chrisfarris.com/post/scorecardsystem/
Cloud Vulnerability Detection

43. Threat Hunting In Antiope
Hypothesis: “Someone has a publicly open AWS
ElasticSearch domain”
Step 1 - Inventory all ElasticSearch domains
Step 2 - ES Query to find access policy with Principal = *
and no Conditions
Step 3 - panic a little
Step 4 - add query to CSS Scorecards

44. Threat Hunting In Antiope II
Hypothesis: “There are CloudFront distributions pointing to
buckets that don’t exist or are controlled by others”
Step 1 - Inventory all CloudFront distributions
Step 2 - ES Query to find distributions with S3 as an origin
Step 3 - ES Query to get all Buckets.
Step 4 - Python script to merge
Step 5 - Hand off results to VM team
Casablanca (Warner Bros. Pictures 1942)

45. Multicloud
● Opensource community is focused on AWS
● Vendors are just starting to “get” Azure
● IAM is vastly different
● Account-governance is vastly different

46. “MULTICLOUD STRATEGY” IS
CODE FOR OFF-PREM VIRTUAL
MACHINES
And legacy architecture
masquerading as the new-hotness

47. Incident Response
Scream (Dimension Films 1996)

48. Prepare
● Capture CloudTrail somewhere safe
● Set your Security Contact
● Work with your SOC to understand CloudTrail
○ Build Detections & Alerts
● IR Permissions in all accounts

49. Identify
● AWS Abuse is usually your IOC
● Monitor the Support tickets
● Or CloudTrail Searches
● GuardDuty can help
○ GuardDuty Severities are not good guidance

50. Containment, Eradication & Recovery
Review CloudTrail
- What user did it?
- Rotate password & access key
- What else did they do?
CloudTrail is the single best tool ever for
account compromise

51. Containment, Eradication & Recovery
● Isolate Instances with IR security groups
● Leverage tools for instance forensics
○ ssm_acquire can be fully automated
○ Threat Response and Margarita Shotgun are good
too

52. https://github.com/turnerlabs/antiope
● @jcfarris
● https://github.com/jchrisfarris
● https://www.linkedin.com/in/jcfarris
● http://www.chrisfarris.com
QUESTIONS?