Presentation from DevOps congress - DevOps conference organized by Sii in Wrocław.

1. j-labs software specialists | Cracow | Warsaw | Munich j-labs.pl blog.j-labs.pl itakademia.j-labs.pl
⚡Storm Busters⚡
Auditing & Securing
AWS Infrastructure
Kuba Sendor, Delivery Manager @ j-labs

2. 2whoami
2019 Delivery Manager, j-labs in Kraków
2010-2014 Security & Trust Research, SAP Labs France in Sophia-Antipolis
2014-2018 Corporate Security, Yelp in London and San Francisco

3. 3Fahrplan
1.AWS Security Audit at glance
2.cloudmapper
3.Scout Suite
4.CloudTrail
5.GuardDuty
6.Joining the pieces: alerrrting pipeline

4. 4Amazon Web Services
• password policy
• Multi-Factor Authentication (MFA)
• roles
• key rotation
• inline policies
• exposed ports
• misconfigured images
• unencrypted images
• secrets in instance data
Identity and Access Management
(IAM)
Elastic Compute Cloud
(EC2)
Simple Storage Service
(S3)
• lack of versioning
• lack of encryption
• MFA delete

5. 5cloudmapper
Infrastructure visualization
+ 3 useful commands:
• audit
• collect
• report

6. 6Infrastructure Visualization

7. 73 useful commands
Looks for security misconfigurations in
your AWS account
Collects your AWS account
configuration
collectaudit report
Graphical representation of the audit
findings based on the collected
configuration

8. 8audit

9. 9collect

10. 10report

11. 11report - findings

12. 12iam_report

13. 13iam_report

14. 14Some other handy cloudmapper commands
public find_admins find_unused

15. 15Some other handy cloudmapper commands - public
public - finds public hosts and port ranges

16. 16Some other handy cloudmapper commands – find_admins
find_admins - identifies admin users and roles

17. 17Some other handy cloudmapper commands – find_unused
find_unused - looks for unused resources in the account, e.g. unused Security Groups, Elastic IPs,
network interfaces, and volumes

18. 18Scout Suite

19. 19Scout Suite

20. 20IAM Dashboard
issue severity

21. 21IAM Dashboard

22. 22S3

23. 23Compute

24. 24False positives

25. 25CloudTrail

26. 26CloudTrail

27. 27CloudTrail

28. 28Events in JSON

29. 29Joining the pieces: alerting pipeline
CloudTrail CloudTrail logs
S3 bucket
SNS topic
CloudTrail logs
S3 Event
Notifications

30. 30GuardDuty
VPC (Virtual Private Cloud) Flow Logs
DNS Logs
CloudTrail Logs

31. 31GuardDuty Findings
• Compromised resources
• Activity different than the baseline
• Crypto currency miners
• Pentest activity
• Trojan attacks
• Suspicious activity by unauthorized users

32. 32Joining the pieces: alerting pipeline, pt. II
GuardDuty CloudWatch Lambda
CloudWatch Event Lambda Function

33. 33
cloudmapper
+ simple
+ cheap
+ easy to set up
- no real-time monitoring
Summary
Scout Suite
+ concise report
+ detailed analysis of each service
- no real time monitoring
CloudTrail
+ robust and detailed
- trail requires processing
- processing may incurre aditional
costs
GuardDuty
+ real-time and enterprise-ready
- expensive
- still requires incident response

34. 34
Thank you!