Welcome to risk3sixty
North West Atlanta AWS
Establishing a Stronghold: Core strategies to develop defense in depth in AWS
Proudly co-hosted by:
Simplifying security and compliance so you can focus on business.
Grit ◊ Team ◊ Steadfast ◊ Craftsmanship ◊ Freedom
Fastest Growing Atlanta-Based Cybersecurity Consulting Firm
What is risk3sixty?
Founded in 2016, risk3sixty has quickly become one of the most respected boutique security advisory firms in the nation. Serving the high growth technology sector, we are on the cutting edge of security, privacy, and compliance.
Summary Practice Areas:
Advisory: Virtual CISO, Offensive Security, Privacy Programs, Security Programs, Internal Audit, Crisis Management
Compliance: SOC 2 Reporting, PCI DSS Certification, ISO 27001, GDPR/CCPA, NYDFS Cyber, NIST 800-53
www.risk3sixty.com
Context and Introduction
Misconfiguration, poor credential management and insider threat are the top causes of cloud infrastructure data breaches.
• In the past two years alone, the US Department of Defense, US Central and Pacific Command, Accenture, GoDaddy, FedEx, and Cisco all encountered data breaches/unauthorized disclosures due to AWS misconfigurations.
• According to the global research and advisory firm Gartner, approximately 80% of all cloud infrastructure breaches are due to:
  • Mismanagement of credentials
  • Infrastructure misconfiguration
  • Insider theft (preventable with proper access control, segregation of duties, and monitoring/alerting)
Security IRL
Are these the same old problems we have always contended with, or has the root cause evolved?
Some things to consider:
• Deployment of new web-scale cloud infrastructure is rapid and low effort. A few incorrect clicks can expose it all to the public internet.
• The concept of deploying a strong firewalled perimeter to wall off a weak internal network cannot be taken for granted in web-scale cloud infrastructure: every service has an API endpoint on the internet, and identity, not network position, is the perimeter.
• Modern web-scale cloud infrastructure favors a developer approach to management. The negative implications of the skills gap for IT ops personnel without dev expertise are magnified in web-scale cloud infrastructure.
• The types of issues we are identifying during penetration tests over web-scale cloud infrastructure differ considerably from what is typical in traditional enterprise IT environments.
Core Strategy #1 – Enable Cloud-centric Logging
Logging is a necessity for capturing security events, tracking configuration changes, and meeting compliance requirements.
AWS Native Solution:
Enable AWS CloudTrail to capture all API activity, as a multi-region trail (or an organization trail if you use AWS Organizations), so that activity in regions you never use is recorded too.
Considerations:
• Who can read, modify and delete the logs? Restrict those permissions in the bucket policy and in IAM, and deny object deletion to everyone except a break-glass role: an attacker who can delete objects from the trail bucket can erase their own tracks.
• Are logs being stored in S3 buckets? How are these protected? Is encryption enabled on the bucket?
• Are logs encrypted at rest and in transit? At rest, enable S3 server-side encryption with AWS KMS (SSE-KMS) on the trail bucket and restrict who can use the key. In transit, CloudTrail delivers over TLS; add a bucket policy statement that denies any request where aws:SecureTransport is false so that readers must use TLS as well.
• Turn on CloudTrail log file validation, so the signed digest files let you prove that a delivered log file was not altered or deleted afterwards.
• Have retention policies been defined and implemented? Is an S3 lifecycle policy in place?
• Are you centrally locating log data? CloudTrail is configured per account and per region, so deliver every trail to a single bucket in a dedicated logging account that workload accounts cannot write to except through CloudTrail.
Core Strategy #2 – Restrict Root & Console Access & Enable MFA Everywhere
The root account can touch and modify all assets, billing and more. This account should almost never be accessed or used.
AWS Native Solution(s):
Identity and Access Management (IAM) and multi-factor authentication
Considerations:
• Create a long, unique password and enable multi-factor authentication with a time-based token or hardware device (and properly secure that token).
• Set up AWS IAM users, groups and roles to handle all other aspects of account management, and require MFA tokens across the organization. An IAM policy that denies everything when aws:MultiFactorAuthPresent is false enforces this instead of relying on habit.
• Segregate accounts with console and programmatic access to create further segregation of duties.
• Disable/delete the root account's API access keys (it doesn't need them).
• Make sure CloudTrail is logging security events (including root account activity), and alert on any root sign-in or API call.
• Field Experience Note: What happens if you lose your MFA token for your AWS root account? Plan for it before it happens: AWS's recovery flow for a lost root MFA device verifies the email address and phone number registered to the account, so keep both current and reachable by more than one person, and, since AWS now allows more than one MFA device per root user, register a second device so that a single lost token is not an outage.
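The detections that Core Strategies #1 and #2 call for, as an added example that is not part of the original deck: it scans a batch of CloudTrail records for root activity, console logins that did not use MFA, and calls that stop or alter the trail. The records are constructed here in CloudTrail's JSON layout (the account ID, IP addresses and user names are placeholders); in practice the input is the gzipped files CloudTrail delivers to the S3 bucket from Core Strategy #1, or the same events forwarded to CloudWatch Logs.

```python
"""Scan CloudTrail records for root account activity, console logins without
MFA, and attempts to stop or alter the trail itself."""
import json

# Constructed sample records in CloudTrail's JSON layout (trimmed to the fields
# used below); the account ID, IPs and names are placeholders, not real data.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2019-05-01T10:00:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root"},
     "additionalEventData": {"MFAUsed": "No"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2019-05-01T10:05:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.5",
     "userIdentity": {"type": "IAMUser", "userName": "alice",
                      "arn": "arn:aws:iam::123456789012:user/alice"},
     "additionalEventData": {"MFAUsed": "Yes"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2019-05-01T10:07:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "sourceIPAddress": "203.0.113.9",
     "userIdentity": {"type": "IAMUser", "userName": "bob",
                      "arn": "arn:aws:iam::123456789012:user/bob"},
     "requestParameters": {"name": "org-trail"}},
    {"eventTime": "2019-05-01T10:09:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "sourceIPAddress": "203.0.113.5",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/deploy/ci"}},
]})

# CloudTrail API calls that reduce or remove audit coverage.
TRAIL_TAMPER = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}


def scan_records(raw_json):
    """Return (finding, eventName, actor, sourceIP, eventTime) tuples for every
    record that should page someone."""
    findings = []
    for rec in json.loads(raw_json)["Records"]:
        ident = rec.get("userIdentity", {})
        name = rec["eventName"]
        actor = ident.get("userName") or ident.get("arn", "unknown")
        ctx = (name, actor, rec.get("sourceIPAddress"), rec["eventTime"])
        # Any root activity at all: root should be idle outside break-glass use.
        if ident.get("type") == "Root":
            findings.append(("ROOT_ACTIVITY",) + ctx)
        # Successful console login where the MFAUsed flag is anything but "Yes".
        if (name == "ConsoleLogin"
                and rec.get("responseElements", {}).get("ConsoleLogin") == "Success"
                and rec.get("additionalEventData", {}).get("MFAUsed") != "Yes"):
            findings.append(("CONSOLE_LOGIN_WITHOUT_MFA",) + ctx)
        # Someone turning the audit log off or narrowing what it captures.
        if rec["eventSource"] == "cloudtrail.amazonaws.com" and name in TRAIL_TAMPER:
            findings.append(("TRAIL_TAMPER",) + ctx)
    return findings


if __name__ == "__main__":
    for finding in scan_records(SAMPLE_LOG):
        print(*finding)
```

The root login produces two findings on purpose: root activity is worth an alert on its own, and a root login without MFA is worth a second, louder one. Note that the trail-tampering check only fires if the trail was still running when StopLogging was called, which is exactly why Core Strategy #1 asks you to restrict who can modify the trail in the first place.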
Core Strategy #3 – Develop an IAM Management Strategy
AWS IAM can be used to implement a zero-trust security policy where access is highly restricted based on least privilege.
AWS Native Solution(s):
Identity and Access Management (IAM), Security Token Service (STS)
Considerations:
• Start with AWS managed policies, which are pre-made by AWS for common use cases, but treat them as a starting point: many of them (the FullAccess ones in particular) are broader than any one workload needs.
• Take the time to map user groups to the permissions they actually require, truly based on least privilege. Attach policies to groups and roles, not to individual users.
• Use customer managed policies instead of inline policies. A managed policy can be attached to multiple identities, is versioned, and shows up in audits; an inline policy exists only inside a single user, group, or role.
• Make use of AWS STS to issue dynamic, short-lived credentials for production resources. AssumeRole sessions last from 15 minutes up to the role's configured maximum (at most 12 hours), so set the maximum as low as the work allows. Highly restrict persistent access to production (limit it to the SRE team, or use immutable infrastructure and a trust-no-one model with no standing access at all).
• Field Experience Note: AWS IAM integration with Okta and Duo, immutable infrastructure and AWS Security Token Service to hyper lock down production. Sexy.
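A least-privilege check for the policy review this slide describes, as an added example that is not from the original deck: a small linter that flags the Allow statements that most often defeat least privilege (wildcard actions, wildcard resources with no condition, NotAction grants, and escalation-capable actions such as iam:PassRole on Resource "*"). The two policies are constructed; the statement structure and the iam:PassedToService condition key are real IAM syntax, but the bucket, account and role names are placeholders.

```python
"""Lint an IAM policy document for the over-broad grants that least-privilege
reviews most often catch, before the policy is attached to a group or role."""
import json


def _as_list(value):
    # IAM allows Action / Resource / NotAction to be a string or a list.
    return value if isinstance(value, list) else [value]


# Actions that let a principal mint new permissions for itself or others; a
# wildcard Resource on these is a privilege-escalation path, not a convenience.
ESCALATION_ACTIONS = {"iam:PassRole", "iam:CreateAccessKey", "iam:AttachUserPolicy",
                      "iam:PutUserPolicy", "iam:AttachRolePolicy", "iam:PutRolePolicy",
                      "iam:CreatePolicyVersion", "iam:UpdateAssumeRolePolicy", "sts:AssumeRole"}


def lint_policy(policy):
    """Return (statement_index, issue) pairs; an empty list means nothing obvious."""
    issues = []
    for i, st in enumerate(_as_list(policy["Statement"])):
        if st.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        actions = _as_list(st.get("Action", []))
        resources = _as_list(st.get("Resource", []))
        wildcard_resource = "*" in resources
        if "NotAction" in st:
            issues.append((i, "Allow with NotAction grants every action except those listed"))
        if "*" in actions:
            issues.append((i, "Action '*' grants every API in every service"))
        else:
            service_wide = [a for a in actions if a.endswith(":*")]
            if service_wide:
                issues.append((i, "service-wide wildcard action(s): " + ", ".join(service_wide)))
        if wildcard_resource and not st.get("Condition"):
            issues.append((i, "Resource '*' with no Condition to narrow it"))
        escalation = sorted(ESCALATION_ACTIONS & set(actions))
        if escalation and wildcard_resource:
            issues.append((i, "escalation-capable action(s) on Resource '*': " + ", ".join(escalation)))
    return issues


# Constructed examples: the policy that gets attached "to make the app work",
# and the scoped version a least-privilege review would replace it with.
BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:*", "iam:PassRole"], "Resource": "*"},
        {"Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"},
    ],
}
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::example-app-uploads/*"},
        {"Effect": "Allow",
         "Action": "iam:PassRole",
         "Resource": "arn:aws:iam::123456789012:role/example-app-task",
         # Only let this role be passed to ECS, not to every service that accepts roles.
         "Condition": {"StringEquals": {"iam:PassedToService": "ecs-tasks.amazonaws.com"}}},
    ],
}

if __name__ == "__main__":
    for label, doc in (("broad", BROAD_POLICY), ("scoped", SCOPED_POLICY)):
        print(label, json.dumps(lint_policy(doc), indent=1))
```

The Deny statement in BROAD_POLICY is skipped deliberately: a deny can only take access away, so it is never the reason a policy is too broad. Run the linter over the output of `aws iam get-policy-version` for every customer managed policy in the account and you have a first-pass inventory of where least privilege is not yet true.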
Core Strategy #4 – Rotate Access Keys & Use AWS STS
Access keys are required for the AWS Command Line Interface, SDKs, and direct API calls. Key rotation drastically reduces the window in which stolen credentials are useful.
AWS Native Solution(s):
Identity and Access Management (IAM), Secrets Manager with Lambda, Security Token Service (STS)
Considerations:
For Databases:
• For database credential rotation, use AWS Secrets Manager, which rotates a secret on a schedule by invoking a Lambda rotation function; AWS provides rotation function templates for RDS, Redshift and DocumentDB. The application fetches the current password at run time instead of carrying it in a config file.
For Everything Else:
• Avoid embedding static access keys in applications. Use IAM roles instead: an instance profile for EC2, a task role for ECS, an execution role for Lambda (Google: Using an IAM Role to Grant Permissions to Applications).
• Use IAM roles to grant access to apps/resources with temporary security credentials (STS) and get rotation for free, as opposed to IAM user access keys, which never expire on their own.
• Where a long-lived key is unavoidable (an on-premises job, a third-party integration), give each application its own IAM user and key, enforce a rotation schedule, and check the credential report for keys that are old or unused. Separate identities minimize the impact of a stolen key and produce distinct CloudTrail entries per application.
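For the key-hygiene checks in Core Strategies #2 and #4 (active root access keys, console users without MFA, stale and never-used keys), an added example that is not part of the original deck: it audits an IAM credential report. The report here is constructed using the real column names, trimmed to the ones the checks use; AS_OF is pinned so the result is reproducible, and the 90-day threshold is an assumption chosen for the example, not an AWS default.

```python
"""Audit an IAM credential report for active root access keys, console users
without MFA, and access keys that are stale or never used."""
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed report using the real column names (trimmed to those used here).
# The real report comes from `aws iam generate-credential-report` followed by
# `aws iam get-credential-report`, which returns the CSV base64-encoded.
REPORT_CSV = """\
user,arn,password_enabled,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
<root_account>,arn:aws:iam::123456789012:root,true,true,true,2018-03-02T09:10:00+00:00,2019-05-20T08:00:00+00:00,false,N/A,N/A
alice,arn:aws:iam::123456789012:user/alice,true,true,true,2019-04-01T00:00:00+00:00,2019-05-30T00:00:00+00:00,false,N/A,N/A
bob,arn:aws:iam::123456789012:user/bob,true,false,true,2018-01-10T00:00:00+00:00,N/A,false,N/A,N/A
ci-deploy,arn:aws:iam::123456789012:user/ci-deploy,false,false,true,2019-01-15T00:00:00+00:00,2019-05-31T00:00:00+00:00,true,2019-05-15T00:00:00+00:00,2019-05-31T00:00:00+00:00
"""

AS_OF = datetime(2019, 6, 1, tzinfo=timezone.utc)   # fixed "now" so the run is reproducible
MAX_KEY_AGE = timedelta(days=90)                     # assumed rotation policy, not an AWS default


def _when(value):
    # The report uses N/A or no_information for "never"; everything else is ISO 8601.
    return None if value in ("N/A", "no_information", "") else datetime.fromisoformat(value)


def audit_credential_report(csv_text, as_of=AS_OF, max_age=MAX_KEY_AGE):
    """Return (user, finding) pairs; one user can appear several times."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        user = row["user"]
        if user == "<root_account>":
            # Root needs no programmatic access at all; any active key is a finding.
            if "true" in (row["access_key_1_active"], row["access_key_2_active"]):
                findings.append((user, "root account has an active access key"))
        elif row["password_enabled"] == "true" and row["mfa_active"] != "true":
            findings.append((user, "console password without MFA"))
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] != "true":
                continue
            rotated = _when(row[f"access_key_{n}_last_rotated"])
            if rotated is not None and as_of - rotated > max_age:
                findings.append((user, f"access key {n} is {(as_of - rotated).days} days old"))
            if _when(row[f"access_key_{n}_last_used_date"]) is None:
                findings.append((user, f"access key {n} is active but has never been used"))
    return findings


if __name__ == "__main__":
    for user, finding in audit_credential_report(REPORT_CSV):
        print(f"{user:15} {finding}")
```

Two things the output shows that a console glance does not: the root user's key is old and still in use, which is the worst combination, and ci-deploy has two active keys because a rotation was started (key 2) but the old key (key 1) was never deactivated, so the rotation bought nothing. Keys that are active but never used are the easiest wins; delete them.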
Core Strategy #5 – Layered Defense Model for Web Apps
The majority of organizations utilizing AWS do so to host web apps and publicly accessible services. Use a layered defense approach to protect them.
AWS Native Solution(s):
CloudFront with S3 buckets, Elastic Load Balancer, Web Application Firewall, Availability Zones, Virtual Private Cloud with network access control lists (NACLs), and security groups
Considerations:
• Identify and define the business need for every open port and line of communication, including both ingress and egress traffic from public sources and server-to-server communication needs. Egress matters: an instance that can reach anything on the internet can also exfiltrate to it.
• Note that AWS security groups are stateful. A request allowed in has its reply allowed out automatically, regardless of the outbound rules, and security groups can only express allow rules.
• But VPC NACLs are stateless! Anything allowed in is not automatically allowed out: the reply to an inbound HTTPS request leaves on the client's ephemeral port, so an outbound rule for the ephemeral range (1024-65535) is needed. NACLs are evaluated in rule-number order, first match wins, and they are the only place in a VPC to write an explicit deny, which makes them the right layer for coarse subnet-wide rules and blocklists, with security groups carrying the fine-grained per-instance allow lists.
• Strategies surrounding TLS termination will vary. Outside the scope of this talk.
• Field Experience Note: Every team architects their solution differently. I've never seen the same set up twice.
Core Strategy #5 –Layered Defense Model Continued…
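The security-group versus NACL point from the previous slide, as an added example that is not part of the original deck: a minimal model of both (numbered first-match-wins rules with explicit deny for the NACL, allow-only rules plus connection tracking for the security group) run against one HTTPS request and its reply. The rule sets, addresses and ports are constructed; the mistake in BROKEN_NACL, mirroring port 443 on the outbound side, is the one that silently breaks return traffic in real VPCs.

```python
"""Stateless NACL versus stateful security group, evaluated against the same
HTTPS request and its reply."""
import ipaddress


def _in_cidr(ip, cidr):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr)


# NACL rule: (number, direction, proto, port_from, port_to, cidr, action).
# Evaluated in ascending rule number, first match wins, and the implicit "*"
# rule denies anything that matched nothing.
def nacl_allows(rules, direction, proto, port, remote_ip):
    for _, d, p, lo, hi, cidr, action in sorted(rules):
        if d == direction and p in (proto, "all") and lo <= port <= hi and _in_cidr(remote_ip, cidr):
            return action == "allow"
    return False


class SecurityGroup:
    """Allow-only rules plus connection tracking: the reply to an accepted
    inbound connection is allowed out regardless of the outbound rules."""

    def __init__(self, inbound, outbound):
        self.inbound, self.outbound = inbound, outbound   # lists of (proto, lo, hi, cidr)
        self.tracked = set()

    @staticmethod
    def _match(rules, proto, port, ip):
        return any(p == proto and lo <= port <= hi and _in_cidr(ip, cidr)
                   for p, lo, hi, cidr in rules)

    def inbound_allowed(self, proto, dst_port, src_ip, src_port):
        if self._match(self.inbound, proto, dst_port, src_ip):
            self.tracked.add((proto, src_ip, src_port, dst_port))
            return True
        return False

    def outbound_allowed(self, proto, dst_ip, dst_port, src_port):
        if (proto, dst_ip, dst_port, src_port) in self.tracked:
            return True                                   # stateful reply
        return self._match(self.outbound, proto, dst_port, dst_ip)


# Constructed rule sets. The "broken" NACL mirrors the inbound rule on the way
# out, forgetting that the reply leaves on the client's ephemeral port, not 443.
BROKEN_NACL = [
    (100, "in",  "tcp", 443, 443, "0.0.0.0/0", "allow"),
    (100, "out", "tcp", 443, 443, "0.0.0.0/0", "allow"),
]
FIXED_NACL = BROKEN_NACL + [
    (90,  "in",  "tcp", 443, 443, "198.51.100.0/24", "deny"),   # explicit deny: NACL-only capability
    (110, "out", "tcp", 1024, 65535, "0.0.0.0/0", "allow"),     # ephemeral-port return traffic
]


def make_web_sg():
    # Inbound 443 only; outbound deliberately empty (a real group defaults to
    # allow-all outbound) to show that replies do not depend on outbound rules.
    return SecurityGroup(inbound=[("tcp", 443, 443, "0.0.0.0/0")], outbound=[])


def web_flow(nacl_rules, sg, client_ip="203.0.113.10", client_port=51234):
    """(request_allowed, reply_allowed) for client:ephemeral -> instance:443."""
    request = (nacl_allows(nacl_rules, "in", "tcp", 443, client_ip)
               and sg.inbound_allowed("tcp", 443, client_ip, client_port))
    reply = (nacl_allows(nacl_rules, "out", "tcp", client_port, client_ip)
             and sg.outbound_allowed("tcp", client_ip, client_port, 443))
    return request, reply


if __name__ == "__main__":
    print("broken NACL:", web_flow(BROKEN_NACL, make_web_sg()))          # (True, False)
    print("fixed NACL: ", web_flow(FIXED_NACL, make_web_sg()))           # (True, True)
    print("denied CIDR:", web_flow(FIXED_NACL, make_web_sg(), "198.51.100.5"))
```

With BROKEN_NACL the request reaches the instance and the security group even tracks the connection, but the reply dies at the subnet boundary because no outbound NACL rule covers port 51234. The third call shows the one thing the security group could not do: rule 90 rejects a whole CIDR before the allow rule is ever reached.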
Core Strategy #6 – Make Sure S3 Data is Locked Down
AWS S3 provides comprehensive security and compliance capabilities, but with that flexibility and complexity comes risk.
AWS Native Solution(s):
Amazon S3, CloudFront, IAM, Amazon Macie
Considerations:
• Start with bucket and user policies and restrict public access. Google search for "Bucket Policies to Secure S3".
• Turn on S3 Block Public Access at the account level (and per bucket where needed) so that a public ACL or a bucket policy with Principal "*" cannot take effect even if someone adds one later.
• Pay close attention to how IAM permissions are applied. S3 is locked down by default, but as you open up access to make communication with apps work, errors abound. A grant to any AWS principal (the AuthenticatedUsers ACL group, or Principal {"AWS": "*"}) is public in practice: anyone with an AWS account qualifies.
• When public delivery is needed, keep the bucket private and serve it through CloudFront using an origin access identity (Google search for "Restricting Access to Amazon S3 Content by Using an Origin Access Identity"). CloudFront's newer origin access control does the same job and is what AWS now recommends for new distributions.
• Look for the "Public" flag in the S3 Management Console; it is derived from the bucket's ACL and bucket policy.
• Consider Amazon Macie to automatically scan your S3 buckets for security concerns and sensitive data.
• Consider community tools like s3-inspector to perform security checks. Google search "github s3-inspector".
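The S3 checks above, as an added example that is not taken from the original deck: a function that assesses one bucket from the shapes the GetPublicAccessBlock, GetBucketAcl and GetBucketPolicy API calls return, covering all three places exposure can come from. The three buckets are constructed, including the origin-access-identity ARN and the VPC endpoint ID. AWS's own definition of "public" exempts policies narrowed by keys such as aws:SourceVpce, which is why that case is flagged for review rather than as public.

```python
"""Assess an S3 bucket for public exposure from the three places it can come
from: Block Public Access settings, the bucket ACL, and the bucket policy."""
import json

PUBLIC_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers (anyone on the internet)",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers (any AWS account)",
}
BPA_SETTINGS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _public_principal(principal):
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))


def assess_bucket(bucket):
    """bucket: dict carrying the shapes GetPublicAccessBlock, GetBucketAcl and
    GetBucketPolicy return. Returns a list of human-readable findings."""
    findings = []
    bpa = bucket.get("PublicAccessBlockConfiguration", {})
    missing = [k for k in BPA_SETTINGS if not bpa.get(k)]
    if missing:
        findings.append("Block Public Access not fully on: " + ", ".join(missing))
    for grant in bucket.get("Grants", []):
        uri = grant.get("Grantee", {}).get("URI")
        if uri in PUBLIC_GRANTEES:
            findings.append(f"ACL grants {grant['Permission']} to {PUBLIC_GRANTEES[uri]}")
    if bucket.get("Policy"):
        for i, st in enumerate(_as_list(json.loads(bucket["Policy"])["Statement"])):
            if st.get("Effect") != "Allow" or not _public_principal(st.get("Principal")):
                continue
            actions = ", ".join(_as_list(st.get("Action", [])))
            if st.get("Condition"):
                keys = sorted(k for cond in st["Condition"].values() for k in cond)
                findings.append(f"policy statement {i}: {actions} to any principal, limited only by "
                                f"Condition keys {keys}; review")
            else:
                findings.append(f"policy statement {i}: {actions} to any principal with no Condition")
    return findings


# Constructed bucket descriptions; names, IDs and the OAI are placeholders.
LEGACY_BUCKET = {
    "Name": "legacy-assets",
    "Grants": [{"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
                "Permission": "READ"}],
    "Policy": json.dumps({"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::legacy-assets/*"}]}),
}
CDN_ORIGIN_BUCKET = {
    "Name": "cdn-origin",
    "PublicAccessBlockConfiguration": dict.fromkeys(BPA_SETTINGS, True),
    "Grants": [],
    # Only the CloudFront origin access identity may read; the bucket itself stays private.
    "Policy": json.dumps({"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity EXAMPLEOAIID"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::cdn-origin/*"}]}),
}
UPLOADS_BUCKET = {
    "Name": "app-uploads",
    "PublicAccessBlockConfiguration": dict.fromkeys(BPA_SETTINGS, True),
    "Grants": [],
    "Policy": json.dumps({"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": "*", "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::app-uploads/*",
         "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}}]}),
}

if __name__ == "__main__":
    for b in (LEGACY_BUCKET, CDN_ORIGIN_BUCKET, UPLOADS_BUCKET):
        print(b["Name"], assess_bucket(b) or ["ok"])
```

The legacy bucket is public three times over, which is typical of buckets that predate Block Public Access. The CDN origin bucket is the pattern the slide recommends: nothing public on the bucket, CloudFront's identity as the only reader. The uploads bucket is the case that needs a human: Principal "*" looks alarming, but the aws:SourceVpce condition confines it to traffic through one VPC endpoint, so the right response is to verify that endpoint's policy, not to delete the statement on sight.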
Core Strategy #7 – Consider but Don't Over-rely on Security Tools
AWS is releasing new features and tools all the time, but they should never be considered a replacement for foundational security practices.
AWS Native Solution(s):
Amazon Inspector, Amazon Macie, AWS WAF, Amazon GuardDuty, AWS Security Hub, AWS Shield
Considerations:
Most common solutions encountered in the wild:
• Amazon Inspector: automated security assessment that scans EC2 instances for known vulnerabilities and deviations from best practices.
• Amazon Macie: automatically discover, classify, and protect sensitive data in S3.
• AWS WAF: protect your web applications from common web exploits such as SQL injection and cross-site scripting.
• Amazon GuardDuty: threat detection service that continuously analyzes CloudTrail events, VPC Flow Logs and DNS logs for malicious activity; it only helps if someone is on the receiving end of its findings.
• AWS Shield: managed DDoS protection.
• AWS Security Hub: comprehensive view of your high-priority security alerts and compliance status across AWS accounts.
Questions or Comments?
risk3sixty (Security Craftsmanship; Fastest Growing Companies; Top 5 Cybersecurity Companies)
