#RSAC
Who am I!
•Professionally
– 14yrs+ in CyberSecurity (the last 7yrs spent helping companies build securely in Public Cloud)
– CISO of Kaizenteq (Ed-Tech company)
– Host of Cloud Security Podcast, Co-Host of AI Cybersecurity Podcast
• Personally
– Grew older in Melbourne, Getting wiser in London, UK
– Can talk for hours on Coffee & Men’s Fashion
What happened here!
• Where did this start?
– We left a set of AWS access keys in a Terraform state file and merged it into our public GitHub repository
• Possible Risk & Consequences
– Reputation risk
– Not having the right information to stop further damage
– Low-hanging fruit is free to fix, so it should not exist
– Git history is not fun: a merged secret stays on the internet forever, so the key has to be treated as compromised and rotated, not just deleted from the repo
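The mistake on this slide is cheap to catch before the commit leaves the laptop. The following is an added example, not the speaker's tooling: a pre-commit style scanner that flags any `.tfstate` file (state files belong in a remote backend, never in git) and any AWS access key or secret sitting in staged text. The sample state file is constructed for the demo and uses the public placeholder key pair from the AWS documentation; the key ID and secret regexes are the assumptions worth reviewing for your own repos.

```python
"""Added example: pre-commit scanner for AWS credentials in Terraform state
and other staged files. Not code from the talk; the sample state below is
constructed, using the placeholder key pair from the AWS documentation."""
import re
import sys
from dataclasses import dataclass

# Long-term IAM keys start with AKIA, STS temporary keys with ASIA; 20 chars total.
AWS_KEY_ID_RE = re.compile(r"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")
# A 40-char secret next to a secret-looking attribute name. The name context is
# what keeps this from firing on every 40-char hash in a repo.
AWS_SECRET_RE = re.compile(
    r'''(?i)(?:secret(?:_?access)?_?key|"secret")["'\s:=]+([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])'''
)
# State files belong in a remote backend, never in git, whatever they contain.
TFSTATE_RE = re.compile(r"\.tfstate(\.backup)?$")


@dataclass(frozen=True)
class Finding:
    path: str
    line: int      # 0 means the finding is about the file itself
    kind: str
    sample: str    # redacted, safe to print in CI logs


def redact(value: str) -> str:
    return value[:4] + "..." + value[-2:]


def scan_text(path: str, text: str) -> list[Finding]:
    """Return every credential-shaped finding in one file's contents."""
    findings = []
    if TFSTATE_RE.search(path):
        findings.append(Finding(path, 0, "terraform-state-file", ""))
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in AWS_KEY_ID_RE.finditer(line):
            findings.append(Finding(path, lineno, "aws-access-key-id", redact(m.group(0))))
        for m in AWS_SECRET_RE.finditer(line):
            findings.append(Finding(path, lineno, "aws-secret-access-key", redact(m.group(1))))
    return findings


# Constructed sample: what `terraform apply` writes for an aws_iam_access_key
# resource. The values are the AWS documentation's example key pair.
SAMPLE_TFSTATE = """{
  "version": 4,
  "resources": [
    {
      "type": "aws_iam_access_key",
      "name": "deploy",
      "instances": [
        {
          "attributes": {
            "id": "AKIAIOSFODNN7EXAMPLE",
            "secret": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
            "user": "deploy"
          }
        }
      ]
    }
  ]
}
"""


def demo() -> list[Finding]:
    return scan_text("infra/terraform.tfstate", SAMPLE_TFSTATE)


def main(paths: list[str]) -> int:
    """Pre-commit entry point: exit 1 if any staged file leaks a key."""
    total = []
    for p in paths:
        with open(p, encoding="utf-8", errors="replace") as fh:
            total.extend(scan_text(p, fh.read()))
    for f in total:
        print(f"{f.path}:{f.line}: {f.kind} {f.sample}")
    return 1 if total else 0


if __name__ == "__main__":
    if len(sys.argv) > 1:
        sys.exit(main(sys.argv[1:]))
    for finding in demo():
        print(finding)
```

Wire it in with `git diff --cached --name-only -z | xargs -0 python scan.py` from a pre-commit hook, and add `*.tfstate` and `*.tfstate.backup` to `.gitignore` so the file-level check rarely has to fire. The scanner is a last line of defence: a remote state backend with server-side encryption is what removes the state file from the repo in the first place.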
Tale of the 3 Cloud Breaches - #1
• Access keys exposed on the internet
– Common sources: code repositories, etc.
– Configuration files
• Kill Chain
– AWS access keys in GitHub
– The keys carried privileged permissions to S3 buckets holding sensitive data
Tale of the 3 Cloud Breaches - #2
• Lost IAM user credentials
– No MFA
– Shared password
• Kill Chain
– The leaked credentials gave access to the AWS account
– Every password, including the crypto wallet, was stored in Secrets Manager and so was exposed
Tale of the 3 Cloud Breaches - #3
• IAM role with excessive permissions
– Role shared across identities and resources
– Excessive permissions granted to the role
• Kill Chain
– EC2 instance with an IAM role (with permission to access an S3 bucket)
– AWS IMDSv1 was in use on the EC2 instance, so any plain GET sent from the instance (e.g. through an SSRF in the app) could read the role's temporary credentials from the metadata endpoint
Possible Outcomes from these mistakes!
• Privileged access to S3
– Ransomware
• Denial of service for customers
– No training data to serve customers
– Turning off the service
• Many more…
Initial Access to Cloud
• Entry points to Public Cloud
– Public-facing resources
– Valid account credentials
• Examples
– Credentials in source code repositories, config files, etc.
– Third-party credentials created inside the cloud account to grant a vendor access
3 things that work at scale to secure cloud
• Threat model of cloud & application
• Establish a data perimeter (trusted zone) using policies*
• Incident response readiness testing
Threat Model our Application
• Threat Actors
– Identity - Human & services (machine users)
– Data - Type of data, data flow
– Resources - Types of resources, access paths, passwords, etc.
• Threat Vectors
– Terraform state files used to deploy IaC
• Security Controls
• STRIDE threat categories
– Spoofing
– Tampering
– Repudiation
– Information Disclosure
– Denial of Service
– Elevation of Privilege
Threat Model our Application - Example
• Application hosted in Public Cloud with an on-premise network connection
– S - Application can only be used by authenticated users
– T - Firewall rules restrict who can access persistent storage, e.g. the database
– R - Audit logging records all user activity in the environment
– I - Encryption in transit between the public cloud and the on-premise network
– D - Not applicable, as there are no internet-facing components
– E - By default all users have low privileges and use JIT access to elevate their permissions
Establish a Data Perimeter in your Cloud Environment
• Essential list for a data perimeter
– Identity - Human & machine users (native services acting on their behalf)
– Network - Trusted zone, e.g. known cloud accounts & networks
– Resources - Types of resources owned by your company, etc.
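The identity, network and resource layers above map onto a handful of AWS policy conditions. The block below is an added example, not the speaker's code: it builds the two policy documents a data perimeter needs (a bucket policy for the identity and network layers, an SCP for the resource layer plus the IMDSv2 requirement that closes the credential-theft step of breach #3, which also answers the SCP point on the closing slide) and runs a small IAM-condition evaluator over constructed request contexts from the three breaches. The condition keys (`aws:PrincipalOrgID`, `aws:SourceVpc`, `aws:ResourceOrgID`, `aws:PrincipalIsAWSService`, `aws:ViaAWSService`, `ec2:MetadataHttpTokens`) are real; `ORG_ID`, `VPC_ID`, `BUCKET`, the account id and every request context are assumptions made up for the demo, and the evaluator covers only the operators these statements use.

```python
"""Added example, not code from the talk: the policy layers of an AWS data
perimeter and an evaluator showing which of the deck's breach requests each
layer stops. Condition keys are real; ORG_ID, VPC_ID, BUCKET and the request
contexts are constructed for the demo."""
import fnmatch

ORG_ID = "o-exampleorg1"            # constructed: our AWS Organization id
VPC_ID = "vpc-0123456789abcdef0"    # constructed: VPC holding the S3 gateway endpoint
BUCKET = "training-data-prod"       # constructed


def bucket_policy(org_id: str, vpc_id: str, bucket: str) -> dict:
    """Resource policy: only our org's identities, arriving through our VPC
    (or AWS services acting for us), may touch the data."""
    arns = [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"]
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "EnforceIdentityPerimeter", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*", "Resource": arns,
         "Condition": {"StringNotEqualsIfExists": {"aws:PrincipalOrgID": org_id},
                       "BoolIfExists": {"aws:PrincipalIsAWSService": "false"}}},
        {"Sid": "EnforceNetworkPerimeter", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*", "Resource": arns,
         "Condition": {"StringNotEqualsIfExists": {"aws:SourceVpc": vpc_id},
                       "BoolIfExists": {"aws:PrincipalIsAWSService": "false",
                                        "aws:ViaAWSService": "false"}}},
    ]}


def scp(org_id: str) -> dict:
    """SCP on every account: S3 only against buckets our org owns, and no EC2 launch without IMDSv2."""
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "EnforceResourcePerimeterS3", "Effect": "Deny",
         "Action": "s3:*", "Resource": "*",
         "Condition": {"StringNotEqualsIfExists": {"aws:ResourceOrgID": org_id}}},
        {"Sid": "RequireImdsv2", "Effect": "Deny",
         "Action": "ec2:RunInstances", "Resource": "arn:aws:ec2:*:*:instance/*",
         "Condition": {"StringNotEquals": {"ec2:MetadataHttpTokens": "required"}}},
    ]}


def _as_list(x):
    return x if isinstance(x, list) else [x]


def _condition_true(operator: str, expected: dict, ctx: dict) -> bool:
    """Subset of IAM condition semantics: (String|Bool)[Not]Equals[IfExists]."""
    if_exists = operator.endswith("IfExists")
    base = operator.removesuffix("IfExists")
    for key, want in expected.items():
        if key not in ctx:
            if if_exists:
                continue           # absent key satisfies an ...IfExists test
            return False           # absent key fails a strict test
        have, wants = str(ctx[key]), [str(w) for w in _as_list(want)]
        if base == "Bool":
            ok = have.lower() in [w.lower() for w in wants]
        elif base == "StringEquals":
            ok = have in wants
        elif base == "StringNotEquals":
            ok = have not in wants
        else:
            raise ValueError(f"operator {operator} not modelled")
        if not ok:
            return False
    return True


def denied_by(policy: dict, action: str, resource: str, ctx: dict) -> list:
    """Sids of Deny statements that block the request. Empty means the perimeter
    lets it through; a matching Allow is still needed somewhere."""
    hits = []
    for s in policy["Statement"]:
        if s["Effect"] != "Deny":
            continue
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(s["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(s["Resource"])):
            continue
        if all(_condition_true(op, exp, ctx) for op, exp in s.get("Condition", {}).items()):
            hits.append(s["Sid"])
    return hits


def demo() -> dict:
    """Constructed request contexts mapped to the breaches in the deck."""
    bp, org = bucket_policy(ORG_ID, VPC_ID, BUCKET), scp(ORG_ID)
    obj = f"arn:aws:s3:::{BUCKET}/model.bin"
    inst = "arn:aws:ec2:eu-west-2:111122223333:instance/*"
    return {
        # breach #1: our own leaked key, replayed from the attacker's laptop (no VPC)
        "leaked_key_from_internet": denied_by(bp, "s3:GetObject", obj, {"aws:PrincipalOrgID": ORG_ID}),
        "own_role_via_vpc": denied_by(bp, "s3:GetObject", obj, {"aws:PrincipalOrgID": ORG_ID, "aws:SourceVpc": VPC_ID}),
        "foreign_principal": denied_by(bp, "s3:GetObject", obj, {"aws:PrincipalOrgID": "o-attacker00", "aws:SourceVpc": "vpc-0attacker"}),
        # breach #3 exfil: stolen instance-role credentials writing to the attacker's bucket
        "exfil_to_foreign_bucket": denied_by(org, "s3:PutObject", "arn:aws:s3:::attacker-drop/x", {"aws:ResourceOrgID": "o-attacker00"}),
        "run_instance_imdsv1": denied_by(org, "ec2:RunInstances", inst, {"ec2:MetadataHttpTokens": "optional"}),
        "run_instance_imdsv2": denied_by(org, "ec2:RunInstances", inst, {"ec2:MetadataHttpTokens": "required"}),
    }
```

The `leaked_key_from_internet` case is the point of the deck: a key that belongs to your own org passes the identity check, and it is the network layer (`aws:SourceVpc`, only present when the request arrives through a VPC endpoint) that stops it. That same layer also blocks legitimate humans calling from laptops, so in production the network statement normally carries an `ArnNotLikeIfExists` exception on `aws:PrincipalArn` for a short list of break-glass and CI roles; the evaluator above does not model that operator.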
Incident Response Readiness Assessment
• A review of the existing (or missing) incident response plan for both cloud & hybrid
• Even if you are not a regulated entity, have a process to regularly test the incident response plan for business-critical applications
• A good test: when was the last incident raised, and from what source did it come?
Incident Response Readiness - Example
• Is logging for host, container, database, orchestration, cloud management API, cloud storage access and network available for detection and inspection?
• Access to security tools and the environment in case of an incident: how quickly can it be provided?
• Regular tabletop exercises to test the incident response plans
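The first bullet is easier to answer if the logs are already feeding rules for the kill chains on the earlier slides. The block below is an added example, not the speaker's tooling: three detections over CloudTrail records (console login without MFA and a Secrets Manager read by a non-MFA IAM user for breach #2, instance-profile credentials used from an address that is not one of the account's own egress IPs for breach #3), run over constructed sample events. The field names follow the CloudTrail record format; the account id, IPs, user and role names, secret name and `KNOWN_EGRESS_IPS` are all made up for the demo.

```python
"""Added example, not from the talk: three CloudTrail detections for the kill
chains in the deck, run over constructed sample events. Field names follow the
CloudTrail record format; account ids, IPs, names and event ids are made up."""
import json
from dataclasses import dataclass

# Constructed: the account's known egress addresses (NAT gateway EIPs).
KNOWN_EGRESS_IPS = {"203.0.113.50", "203.0.113.51"}


@dataclass(frozen=True)
class Alert:
    rule: str
    principal: str
    event_id: str
    detail: str


def _mfa_in_session(ev: dict) -> bool:
    attrs = ev.get("userIdentity", {}).get("sessionContext", {}).get("attributes", {})
    return attrs.get("mfaAuthenticated") == "true"


def rule_console_login_no_mfa(ev: dict):
    """Breach #2 precondition: a successful console login with no MFA."""
    if ev.get("eventName") != "ConsoleLogin":
        return None
    if ev.get("responseElements", {}).get("ConsoleLogin") != "Success":
        return None
    if ev.get("additionalEventData", {}).get("MFAUsed") == "Yes":
        return None
    return "console login without MFA"


def rule_secret_read_no_mfa(ev: dict):
    """Breach #2 impact: Secrets Manager read by an IAM user whose session
    (or long-term access key) carries no MFA."""
    if ev.get("eventSource") != "secretsmanager.amazonaws.com" or ev.get("eventName") != "GetSecretValue":
        return None
    if ev.get("userIdentity", {}).get("type") != "IAMUser" or _mfa_in_session(ev):
        return None
    return f"GetSecretValue on {ev.get('requestParameters', {}).get('secretId', '?')} without MFA"


def rule_instance_role_off_instance(ev: dict):
    """Breach #3: instance-profile credentials (session name is the instance id)
    used from an address that is not one of our instances' egress IPs."""
    ident = ev.get("userIdentity", {})
    if ident.get("type") != "AssumedRole" or "/i-" not in ident.get("arn", ""):
        return None
    src = ev.get("sourceIPAddress", "")
    if src in KNOWN_EGRESS_IPS or src.endswith(".amazonaws.com") or src == "AWS Internal":
        return None
    return f"instance role session used from {src}"


RULES = [rule_console_login_no_mfa, rule_secret_read_no_mfa, rule_instance_role_off_instance]


def detect(jsonl: str) -> list:
    """Run every rule over newline-delimited CloudTrail records."""
    alerts = []
    for line in jsonl.strip().splitlines():
        ev = json.loads(line)
        principal = ev.get("userIdentity", {}).get("arn", "unknown")
        for rule in RULES:
            detail = rule(ev)
            if detail:
                alerts.append(Alert(rule.__name__, principal, ev.get("eventID", "?"), detail))
    return alerts


# Constructed sample records: e1-e3 are the three kill chains, e4-e5 are benign.
SAMPLE_EVENTS = [
    {"eventID": "e1", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "sourceIPAddress": "198.51.100.9",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"},
     "responseElements": {"ConsoleLogin": "Success"}, "additionalEventData": {"MFAUsed": "No"}},
    {"eventID": "e2", "eventSource": "secretsmanager.amazonaws.com", "eventName": "GetSecretValue",
     "sourceIPAddress": "198.51.100.9",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice",
                      "accessKeyId": "AKIAIOSFODNN7EXAMPLE"},
     "requestParameters": {"secretId": "prod/crypto-wallet"}},
    {"eventID": "e3", "eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "sourceIPAddress": "198.51.100.23",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/app-s3-reader/i-0abc123def4567890"},
     "requestParameters": {"bucketName": "training-data-prod", "key": "model.bin"}},
    {"eventID": "e4", "eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "sourceIPAddress": "203.0.113.50",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/app-s3-reader/i-0abc123def4567890"}},
    {"eventID": "e5", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "sourceIPAddress": "203.0.113.50",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/bob"},
     "responseElements": {"ConsoleLogin": "Success"}, "additionalEventData": {"MFAUsed": "Yes"}},
]
SAMPLE_LOG = "\n".join(json.dumps(e) for e in SAMPLE_EVENTS)


def demo() -> list:
    return detect(SAMPLE_LOG)
```

Two of the three rules only work if the logging question on this slide has been answered: `GetObject` is an S3 data event, which CloudTrail does not record unless data-event logging is switched on for the bucket, and the egress allowlist has to be kept in step with the account's NAT gateways or the third rule turns into noise.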
What does not work
• CSPM
– Breaks down at scale (e.g. a 100K-user limit)
– No coverage when you use less popular cloud services
• Business logic vulnerabilities
– Not caught by tooling; they need user access reviews & an SDLC review process
– Need pentests of both application & infrastructure
• Zero days
What can you do today - What, When & How
• What are you using to ensure vulnerabilities are neutralised, e.g. an AWS Service Control Policy (SCP) to create a data perimeter rather than a network-based perimeter?
• When was the last time a user access review was done on your business-critical production cloud environments?
• How was the last incident raised, and from what source did it come?