2. whoami
2019 Delivery Manager, j-labs in Kraków
2014-2018 Corporate Security, Yelp in London and San Francisco
2010-2014 Security & Trust Research, SAP Labs France in Sophia-Antipolis
3. Fahrplan (agenda)
1. AWS security audit at a glance
2. cloudmapper
3. Scout Suite
4. CloudTrail
5. GuardDuty
6. Joining the pieces: alerting pipeline
4. Amazon Web Services: what an audit looks at
Identity and Access Management (IAM)
• password policy
• Multi-Factor Authentication (MFA)
• roles
• key rotation
• inline policies
Elastic Compute Cloud (EC2)
• exposed ports
• misconfigured images
• unencrypted images
• secrets in instance data
Simple Storage Service (S3)
• lack of versioning
• lack of encryption
• MFA delete
7. 3 useful cloudmapper commands
collect – collects your AWS account configuration
audit – looks for security misconfigurations in your AWS account
report – graphical representation of the audit findings based on the collected configuration
15. Some other handy cloudmapper commands – public
public – finds public hosts and port ranges
16. Some other handy cloudmapper commands – find_admins
find_admins – identifies admin users and roles
17. Some other handy cloudmapper commands – find_unused
find_unused – looks for unused resources in the account, e.g. unused Security Groups, Elastic IPs, network interfaces, and volumes
31. GuardDuty Findings
• Compromised resources
• Activity that deviates from the account's baseline
• Cryptocurrency miners
• Pentest activity
• Trojan attacks
• Suspicious activity by unauthorized users
32. Joining the pieces: alerting pipeline, pt. II
GuardDuty → CloudWatch Event → Lambda Function
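The Lambda at the end of that pipeline receives the finding as a CloudWatch Events (now EventBridge) event with `detail-type` `GuardDuty Finding` and the finding JSON under `detail`. The handler below is an added example, not the talk's code: the event envelope, the finding field names and the severity bands (Low under 4, Medium 4 to 6.9, High 7 and up) are GuardDuty's; the two sample findings, the instance id, the account id, the alert sink and the choice to suppress Low findings are constructed assumptions.

```python
"""Added example (not from the talk): Lambda handler for
GuardDuty -> CloudWatch Event -> Lambda. Event shape and severity bands are
GuardDuty's; sample events, ids and the alert sink are constructed."""

# Assumption: Low findings only clutter the on-call channel, so they are dropped
# here and left for the GuardDuty console / periodic review.
MIN_SEVERITY = 4.0

# Stand-in for the real sink (SNS topic, Slack webhook, ticketing system).
SENT_ALERTS = []


def severity_label(severity):
    """Map GuardDuty's numeric severity onto its Low/Medium/High bands."""
    severity = float(severity)
    if severity >= 7.0:
        return "HIGH"
    if severity >= 4.0:
        return "MEDIUM"
    return "LOW"


def affected_target(finding):
    """Pick the human-readable thing the responder must look at first."""
    resource = finding.get("resource", {})
    rtype = resource.get("resourceType")
    if rtype == "Instance":
        return resource.get("instanceDetails", {}).get("instanceId")
    if rtype == "AccessKey":
        return resource.get("accessKeyDetails", {}).get("userName")
    return rtype


def summarize_finding(finding):
    """Reduce a finding to the fields an alert message actually needs."""
    return {
        "finding_id": finding["id"],
        "account": finding["accountId"],
        "region": finding["region"],
        "type": finding["type"],
        "severity": severity_label(finding["severity"]),
        "target": affected_target(finding),
        # service.count grows when GuardDuty aggregates repeats of the same finding
        "count": finding.get("service", {}).get("count", 1),
        "title": finding["title"],
    }


def send_alert(alert):
    """Deliver the alert; here it is just recorded."""
    SENT_ALERTS.append(alert)


def lambda_handler(event, context=None):
    """Entry point: ignore non-GuardDuty events, drop Low findings, alert the rest."""
    if event.get("detail-type") != "GuardDuty Finding":
        return None
    finding = event["detail"]
    if float(finding["severity"]) < MIN_SEVERITY:
        return None
    alert = summarize_finding(finding)
    send_alert(alert)
    return alert


# Constructed sample events (ids and account are made up).
CRYPTO_EVENT = {
    "version": "0",
    "detail-type": "GuardDuty Finding",
    "source": "aws.guardduty",
    "account": "123456789012",
    "region": "eu-west-1",
    "detail": {
        "schemaVersion": "2.0",
        "accountId": "123456789012",
        "region": "eu-west-1",
        "id": "0000000000000000000000000000abcd",
        "type": "CryptoCurrency:EC2/BitcoinTool.B!DNS",
        "severity": 8,
        "title": "EC2 instance i-0123456789abcdef0 is querying a domain name associated with Bitcoin.",
        "resource": {"resourceType": "Instance",
                     "instanceDetails": {"instanceId": "i-0123456789abcdef0"}},
        "service": {"serviceName": "guardduty", "count": 3},
    },
}

RECON_EVENT = {
    "version": "0",
    "detail-type": "GuardDuty Finding",
    "source": "aws.guardduty",
    "account": "123456789012",
    "region": "eu-west-1",
    "detail": {
        "schemaVersion": "2.0",
        "accountId": "123456789012",
        "region": "eu-west-1",
        "id": "0000000000000000000000000000ef01",
        "type": "Recon:EC2/PortProbeUnprotectedPort",
        "severity": 2,
        "title": "Unprotected port on EC2 instance i-0123456789abcdef0 is being probed.",
        "resource": {"resourceType": "Instance",
                     "instanceDetails": {"instanceId": "i-0123456789abcdef0"}},
        "service": {"serviceName": "guardduty", "count": 12},
    },
}

if __name__ == "__main__":
    print(lambda_handler(CRYPTO_EVENT))  # alerted
    print(lambda_handler(RECON_EVENT))   # None: Low severity suppressed
```

The CloudWatch Events rule that feeds this function matches on `{"source": ["aws.guardduty"], "detail-type": ["GuardDuty Finding"]}`; GuardDuty re-emits aggregated findings on an update interval, so the `count` field is what tells a responder whether a finding is new or a repeat.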
33. Summary
cloudmapper
+ simple
+ cheap
+ easy to set up
- no real-time monitoring
Scout Suite
+ concise report
+ detailed analysis of each service
- no real-time monitoring
CloudTrail
+ robust and detailed
- the trail requires processing
- processing may incur additional costs
GuardDuty
+ real-time and enterprise-ready
- expensive
- still requires incident response
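The "trail requires processing" point is worth making concrete: CloudTrail delivers gzipped JSON files of the form `{"Records": [...]}` and nothing alerts on them until something reads them. The following is an added example, not the talk's code, of the kind of processing meant: three high-signal rules (any root activity, a successful console login without MFA, and calls that disable or alter the trail itself) over a constructed log file. The record field names (`userIdentity.type`, `eventSource`, `eventName`, `additionalEventData.MFAUsed`, `responseElements.ConsoleLogin`) are CloudTrail's; the records, account id, user names and IPs are made up.

```python
"""Added example (not from the talk): minimal CloudTrail processing.
Record field names are CloudTrail's; the sample records are constructed."""
import gzip
import json

# Calls that weaken or silence the trail; an attacker's first housekeeping step.
TRAIL_TAMPERING = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}


def parse_log_file(data):
    """Gunzip one delivered CloudTrail file and return its records."""
    return json.loads(gzip.decompress(data).decode("utf-8"))["Records"]


def principal_of(record):
    """Best-effort name of who acted: user name, or the type for root/services."""
    identity = record.get("userIdentity", {})
    return identity.get("userName") or identity.get("type")


def check_record(record):
    """Apply the three rules to one record; return the matching alerts."""
    alerts = []
    identity = record.get("userIdentity", {})
    name = record.get("eventName")
    base = {"event": name, "principal": principal_of(record),
            "source_ip": record.get("sourceIPAddress"), "time": record.get("eventTime")}

    if identity.get("type") == "Root":
        alerts.append(dict(base, rule="root_activity"))

    if (name == "ConsoleLogin"
            and record.get("responseElements", {}).get("ConsoleLogin") == "Success"
            and record.get("additionalEventData", {}).get("MFAUsed") == "No"):
        alerts.append(dict(base, rule="console_login_without_mfa"))

    if record.get("eventSource") == "cloudtrail.amazonaws.com" and name in TRAIL_TAMPERING:
        alerts.append(dict(base, rule="cloudtrail_tampering"))
    return alerts


def process_trail(records):
    """Run every record through the rules, keeping delivery order."""
    return [alert for record in records for alert in check_record(record)]


# Constructed sample records (NOT real trail data).
SAMPLE_RECORDS = [
    {"eventVersion": "1.05", "eventTime": "2019-03-05T08:00:00Z",
     "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "userName": "alice",
                      "arn": "arn:aws:iam::123456789012:user/alice"},
     "sourceIPAddress": "203.0.113.10",
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "Yes"}},
    {"eventVersion": "1.05", "eventTime": "2019-03-05T08:05:00Z",
     "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root"},
     "sourceIPAddress": "198.51.100.7",
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventVersion": "1.05", "eventTime": "2019-03-05T08:06:00Z",
     "eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
     "userIdentity": {"type": "IAMUser", "userName": "bob",
                      "arn": "arn:aws:iam::123456789012:user/bob"},
     "sourceIPAddress": "198.51.100.7",
     "requestParameters": {"name": "arn:aws:cloudtrail:eu-west-1:123456789012:trail/main"}},
    {"eventVersion": "1.05", "eventTime": "2019-03-05T08:07:00Z",
     "eventSource": "s3.amazonaws.com", "eventName": "ListBuckets",
     "userIdentity": {"type": "IAMUser", "userName": "alice",
                      "arn": "arn:aws:iam::123456789012:user/alice"},
     "sourceIPAddress": "203.0.113.10"},
]

# A constructed, gzipped log file exactly as CloudTrail would deliver it to S3.
SAMPLE_LOG_FILE = gzip.compress(json.dumps({"Records": SAMPLE_RECORDS}).encode("utf-8"))

if __name__ == "__main__":
    for alert in process_trail(parse_log_file(SAMPLE_LOG_FILE)):
        print(alert["rule"], alert["principal"], alert["event"], alert["source_ip"])
```

In production this function body is what sits behind the S3 `ObjectCreated` notification for the trail bucket (or reads the CloudWatch Logs stream the trail is sent to); the per-file Lambda invocations and the log-group ingestion are the "additional costs" the summary refers to.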