AWS Architecture Flaws
Apollo Clark
• Intro
• Multi-tenancy
• Logging
• Alerts
• Secrets Management
• IAM Permissions
• Questions
Intro
• Web engineer since 2001
• LAMP stacks, PHP, Python, Ruby, Java, …
• AWS user since 2010
• Managed 4TB Elasticsearch, 2TB MongoDB
• Managed 25,000+ servers, 200+ AWS accounts
• Security consultant since 2015
Multi-tenancy
"AWS designed their account security for a single deployment, single environment, in a single region."
• VPC (Virtual Private Cloud) is single-region (ex: us-east, eu-west).
• Most resources are tied to a single VPC.
• IAM Users, Roles, Groups, and Policies are account-wide.
• S3 Buckets are account-wide.
• Use Pacu and Cloudsploit to test AWS Security
• https://github.com/RhinoSecurityLabs/pacu
• https://github.com/cloudsploit/scans
“Deploy into dedicated AWS accounts.”
Logging
• AWS CloudWatch Logs will log AWS resources like EC2, ELB, RDS.
• AWS CloudTrail logs AWS CLI and SDK call requests, sometimes the response.
• AWS VPC Flow Logs log network 5-tuples between resources.
CloudWatch Log, syslog
Jul 11 04:37:01 ip-172-31-9-199 CRON[9575]: (root) CMD (/var/awslogs/bin/awslogs-nanny.sh > /dev/null 2>&1)
• You can create a "Log Stream" to save logs into an S3 bucket, for easier retrieval.
CloudTrail Logs, part 1
{
  "eventVersion":"1.05",
  "userIdentity":{
    "type":"Root",
    "principalId":"123456789012",
    "arn":"arn:aws:iam::123456789012:apolloclark",
    "accountId":"123456789012",
    "accessKeyId":"ASIA1234567890ABCD",
    "userName":"apolloclark",
    "sessionContext":{
      "attributes":{
        "mfaAuthenticated":"true",
        "creationDate":"2017-08-02T17:51:58Z"
      }
    }
  },
CloudTrail Logs, part 2
  "eventTime":"2017-08-02T18:13:23Z",
  "eventSource":"cloudtrail.amazonaws.com",
  "eventName":"CreateTrail",
  "awsRegion":"us-east-1",
  "sourceIPAddress":"73.0.0.1",
  "userAgent":"console.amazonaws.com",
  "requestParameters":{
    "enableLogFileValidation":true,
    "name":"test",
    "kmsKeyId":"",
    "includeGlobalServiceEvents":true,
    "isMultiRegionTrail":true,
    "s3BucketName":"testbucket"
  },
CloudTrail Logs, part 3
  "responseElements":{
    "s3BucketName":"testbucket",
    "includeGlobalServiceEvents":true,
    "logFileValidationEnabled":true,
    "name":"test",
    "trailARN":"arn:aws:cloudtrail:us-east-1:123456789012:trail/test",
    "isMultiRegionTrail":true
  },
  "requestID":"4534ea8f-77ae-11e7-93b4-a16934176b9b",
  "eventID":"05c2522c-4971-4150-96f5-a45cee763a1b",
  "eventType":"AwsApiCall",
  "recipientAccountId":"123456789012"
}
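A CloudTrail record like the one above is only useful if something reads it. The script below is an added example (not from the slides or the author's tooling) that parses a CloudTrail log file and flags three things a defender cares about: API calls made by the root account, state-changing calls made by a user session without MFA, and calls that tamper with the trail itself (StopLogging, DeleteTrail, UpdateTrail, PutEventSelectors). The sample log is constructed: the first record is modelled on the CreateTrail event on the slides, the other two are made up, and the account ID, IP addresses and eventID values are placeholders.

```python
import json

# Constructed sample CloudTrail log file ({"Records": [...]} shape). The first record is
# modelled on the CreateTrail event on the slides; the other two are made up for the demo
# (placeholder account 123456789012, documentation-range IP addresses, fake eventIDs).
SAMPLE_LOG = json.dumps({"Records": [
    {
        "eventVersion": "1.05",
        "userIdentity": {
            "type": "Root", "principalId": "123456789012",
            "arn": "arn:aws:iam::123456789012:root", "accountId": "123456789012",
            "userName": "apolloclark",
            "sessionContext": {"attributes": {"mfaAuthenticated": "true",
                                              "creationDate": "2017-08-02T17:51:58Z"}},
        },
        "eventTime": "2017-08-02T18:13:23Z", "eventSource": "cloudtrail.amazonaws.com",
        "eventName": "CreateTrail", "awsRegion": "us-east-1",
        "sourceIPAddress": "73.0.0.1", "userAgent": "console.amazonaws.com",
        "requestParameters": {"name": "test", "isMultiRegionTrail": True},
        "eventID": "05c2522c-4971-4150-96f5-a45cee763a1b",
        "eventType": "AwsApiCall", "recipientAccountId": "123456789012",
    },
    {   # constructed: an IAM user without MFA switching the trail off
        "eventVersion": "1.05",
        "userIdentity": {
            "type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/deploy-bot",
            "accountId": "123456789012", "userName": "deploy-bot",
            "sessionContext": {"attributes": {"mfaAuthenticated": "false"}},
        },
        "eventTime": "2017-08-02T19:02:10Z", "eventSource": "cloudtrail.amazonaws.com",
        "eventName": "StopLogging", "awsRegion": "us-east-1",
        "sourceIPAddress": "198.51.100.7",
        "requestParameters": {"name": "arn:aws:cloudtrail:us-east-1:123456789012:trail/test"},
        "eventID": "constructed-evt-2",
        "eventType": "AwsApiCall", "recipientAccountId": "123456789012",
    },
    {   # constructed: a read-only call from a role session, nothing to flag
        "eventVersion": "1.05",
        "userIdentity": {
            "type": "AssumedRole",
            "arn": "arn:aws:sts::123456789012:assumed-role/ReadOnly/ci",
            "accountId": "123456789012",
        },
        "eventTime": "2017-08-02T19:05:00Z", "eventSource": "rds.amazonaws.com",
        "eventName": "DescribeDBInstances", "awsRegion": "us-east-1",
        "sourceIPAddress": "172.31.9.199",
        "eventID": "constructed-evt-3",
        "eventType": "AwsApiCall", "recipientAccountId": "123456789012",
    },
]})

# Calls that weaken or disable the audit trail itself.
TRAIL_TAMPERING = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}
# Verbs that change state; Describe*/Get*/List* calls are read-only and are not flagged.
MUTATING_PREFIXES = ("Create", "Delete", "Put", "Update", "Stop", "Start",
                     "Attach", "Detach", "Modify", "Authorize", "Revoke")


def triage_event(event):
    """Return the findings for one CloudTrail record (an empty list means nothing to flag)."""
    findings = []
    ident = event.get("userIdentity", {})
    name = event.get("eventName", "")
    attrs = ident.get("sessionContext", {}).get("attributes", {})
    mfa = attrs.get("mfaAuthenticated") == "true"

    if ident.get("type") == "Root":
        findings.append("root-account-api-call")
    # mfaAuthenticated is only meaningful for Root and IAMUser sessions; role sessions
    # carry whatever the assuming principal had, so they are left out of this check.
    if ident.get("type") in ("Root", "IAMUser") and not mfa and name.startswith(MUTATING_PREFIXES):
        findings.append("mutating-call-without-mfa")
    if name in TRAIL_TAMPERING:
        findings.append("cloudtrail-tampering:" + name)
    return findings


def triage_log(raw_json):
    """Parse a CloudTrail log file and map eventID -> findings for every flagged record."""
    flagged = {}
    for event in json.loads(raw_json)["Records"]:
        findings = triage_event(event)
        if findings:
            flagged[event["eventID"]] = findings
    return flagged


if __name__ == "__main__":
    for event_id, findings in triage_log(SAMPLE_LOG).items():
        print(event_id, ", ".join(findings))
```

Run against a real trail, the same function would be fed the gzipped JSON objects CloudTrail writes to the trail's S3 bucket; the third sample record shows why the MFA check is limited to Root and IAMUser identities.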
VPC Flow Logs
2 123456789010 eni-abc123de 172.31.16.139 172.31.16.21 20641 22 6 20 4249 1418530010 1418530070 ACCEPT OK
<version> <account-id> <interface-id> <srcaddr> <dstaddr> <srcport> <dstport> <protocol> <packets> <bytes> <start> <end> <action> <log-status>
• You can't modify a Flow Log's configuration after creation. You have to delete it.
• Network interfaces with multiple IP addresses will have data logged only for the primary IP as the destination address.
• Flow Logs exclude traffic related to DHCP requests and Amazon DNS activity.
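The field list above is enough to write a parser. The script below is an added example (not part of the slides) that parses the default flow log format, handles NODATA/SKIPDATA records (whose address and port fields are "-"), and flags accepted connections to admin ports (22, 3389) from addresses outside the VPC. The VPC CIDR 172.31.0.0/16 is an assumption taken from the instance addresses on the slides; the sample lines are constructed (the first is the slide's record, the rest use documentation-range IPs).

```python
import ipaddress

# Field order of the default (version 2) flow log format, as listed on the slide.
FIELDS = ["version", "account-id", "interface-id", "srcaddr", "dstaddr", "srcport",
          "dstport", "protocol", "packets", "bytes", "start", "end", "action", "log-status"]
INT_FIELDS = {"version", "srcport", "dstport", "protocol", "packets", "bytes", "start", "end"}

# Assumption: the VPC's address range, inferred from the 172.31.x.x addresses on the slides.
VPC_CIDR = ipaddress.ip_network("172.31.0.0/16")
ADMIN_PORTS = {22, 3389}

# Constructed sample: the slide's record plus three made-up lines (documentation-range
# source addresses, and one NODATA record with no flow tuple at all).
SAMPLE_LINES = """\
2 123456789010 eni-abc123de 172.31.16.139 172.31.16.21 20641 22 6 20 4249 1418530010 1418530070 ACCEPT OK
2 123456789010 eni-abc123de 203.0.113.12 172.31.16.21 51022 22 6 15 3120 1418530020 1418530080 ACCEPT OK
2 123456789010 eni-abc123de 198.51.100.9 172.31.16.21 44010 3389 6 3 180 1418530030 1418530090 REJECT OK
2 123456789010 eni-abc123de - - - - - - - 1418530040 1418530100 - NODATA
"""


def parse_flow_record(line):
    """Split one flow log line into a dict keyed by FIELDS; numeric fields become ints,
    and '-' (used by NODATA/SKIPDATA records) becomes None."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
    record = dict(zip(FIELDS, parts))
    for field in INT_FIELDS:
        record[field] = None if record[field] == "-" else int(record[field])
    return record


def summarize(text):
    """Count actions, total accepted bytes, and list accepted admin-port flows whose
    source lies outside the VPC CIDR."""
    actions = {}
    accepted_bytes = 0
    external_admin = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_flow_record(line)
        actions[rec["action"]] = actions.get(rec["action"], 0) + 1
        if rec["log-status"] != "OK":
            continue  # NODATA / SKIPDATA records carry no usable 5-tuple
        if rec["action"] != "ACCEPT":
            continue
        accepted_bytes += rec["bytes"]
        if rec["dstport"] in ADMIN_PORTS and ipaddress.ip_address(rec["srcaddr"]) not in VPC_CIDR:
            external_admin.append((rec["srcaddr"], rec["dstaddr"], rec["dstport"]))
    return {"actions": actions, "accepted_bytes": accepted_bytes,
            "external_admin_accepts": external_admin}


if __name__ == "__main__":
    print(summarize(SAMPLE_LINES))
```

The multi-IP caveat from the slide still applies: for an interface with several addresses, dstaddr will always be the primary one, so a rule keyed on secondary addresses will never fire.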
Logging Limitations
• Default retention is 90 days.
• CloudWatch Logs must be configured per service, ex: Apache, nginx, Tomcat, etc.
• CloudTrail Logs will only record the creation of insecure objects that happens after it was enabled, and keeps those events for 90 days by default. You need to set up retention.
• VPC Flow Logs are unusable for multi-IP EC2 instances.
• Use skew to aggregate AWS resource configs across multiple accounts and multiple regions.
• https://github.com/scopely-devops/skew
Alerts
• All of these use CloudWatch, CloudTrail, VPC Flow Logs, and SSM-Agent or Inspector Agent.
• Sep 2013 - AWS Trusted Advisor, basic hygiene.
• Nov 2014 - AWS Config, AWS resource configuration.
• Oct 2015 - AWS Inspector, EC2 configuration, PCI-DSS, CIS
• Aug 2017 - AWS Macie, S3 configuration.
• Nov 2017 - AWS GuardDuty, network intrusion detection system
• Nov 2018 - AWS Security Hub, aggregates Inspector, Macie, and GuardDuty.
• None of these are free.
• Expensive at scale, with 1000+ servers.
• Still requires a dedicated SIEM, and SOAR (security orchestration, automation, remediation).
• Still need a SIEM to aggregate the alerts.
• ELK, Splunk, LogRhythm, Loggly, SumoLogic, dome9
• Limited automated remediation.
• DivvyCloud, Uptycs, Rapid7 InsightConnect, Alienvault, Cyberbit, Swimlane
• Use Argos to automate remediation.
• https://github.com/apolloclark/argos
Secrets Management
cloud-init, user data, startup script
curl http://169.254.169.254/latest/user-data
#!/bin/bash
export POSTGRES_HOST="54.0.0.1"
export POSTGRES_USERNAME="pg_admin"
export POSTGRES_PASSWORD="5up3r_53cr3t"
export AWS_IAM_ACCESS_KEY="AKIA123456780"
export AWS_IAM_SECRET_KEY="Qbfaui3289bfaf389"
export NESSUS_ACCESS_KEY="abrw31289bfajklfdas"
• Use a dedicated configuration management service.
• Ansible Tower, Chef, Puppet, Hashicorp Vault
• Use AWS Secrets Manager
• https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/user-data.html
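Before moving secrets into a configuration management service, it helps to find out which instances currently carry them. The script below is an added example (not from the slides or the author's tools) that scans a user-data script for shell assignments to credential-looking variable names and for values shaped like AWS access key IDs, reporting each hit with the value redacted. The sample input is the user-data script from the slide (its values are already fakes); in practice the text would come from the base64-decoded output of `aws ec2 describe-instance-attribute --attribute userData`.

```python
import re

# Constructed sample: the user-data script shown on the slide (fake values).
SAMPLE_USER_DATA = """\
#!/bin/bash
export POSTGRES_HOST="54.0.0.1"
export POSTGRES_USERNAME="pg_admin"
export POSTGRES_PASSWORD="5up3r_53cr3t"
export AWS_IAM_ACCESS_KEY="AKIA123456780"
export AWS_IAM_SECRET_KEY="Qbfaui3289bfaf389"
export NESSUS_ACCESS_KEY="abrw31289bfajklfdas"
"""

# Variable names that usually hold credentials rather than plain configuration.
SENSITIVE_NAME = re.compile(r"(PASS(WORD)?|SECRET|TOKEN|_KEY|API_KEY|CREDENTIAL)", re.IGNORECASE)
# A shell assignment, optionally prefixed with 'export'; the value may be quoted or bare.
ASSIGNMENT = re.compile(r"""^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)=(?:"([^"]*)"|'([^']*)'|(\S+))""")
# AWS access key IDs start with AKIA (long-term) or ASIA (temporary credentials).
AWS_KEY_ID = re.compile(r"\b(AKIA|ASIA)[A-Z0-9]{8,}\b")


def redact(value):
    """Keep a short prefix so a hit can be matched to a known key without echoing it."""
    return value[:4] + "*" * max(len(value) - 4, 0)


def scan_user_data(text):
    """Return one finding per assignment that looks like a credential:
    {"line", "name", "value" (redacted), "reasons"}."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        match = ASSIGNMENT.match(line)
        if not match:
            continue
        name = match.group(1)
        value = next(g for g in match.groups()[1:] if g is not None)
        reasons = []
        if SENSITIVE_NAME.search(name):
            reasons.append("sensitive-variable-name")
        if AWS_KEY_ID.search(value):
            reasons.append("aws-access-key-id")
        if reasons:
            findings.append({"line": lineno, "name": name, "value": redact(value),
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in scan_user_data(SAMPLE_USER_DATA):
        print(f"line {finding['line']}: {finding['name']}={finding['value']} ({', '.join(finding['reasons'])})")
```

Anything this finds is readable by every process on the instance through the metadata endpoint, which is the point the slide makes; the fix is the one listed above, a secrets store with per-instance access rather than a startup script.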
IAM Permissions
IAM Policy, S3 bucket, resource name
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:GetObject",
        "s3:GetObjectVersion"
      ],
      "Resource": "arn:aws:s3:*:*:CompanyA/Marketing/*"
    }
  ]
}
IAM Policy, EBS, resource tag
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:AttachVolume",
        "ec2:DetachVolume"
      ],
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {
        "StringEquals": {"ec2:ResourceTag/Department": "Marketing"}
      }
    }
  ]
}
IAM Policy, RDS
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "rds:DescribeDBInstances",
      "Resource": "*"
    }
  ]
}
• AWS Managed IAM Policies are too wide-open.
• Inline Policies are tedious to manage.
• IAM Policies for Describe* are account-wide.
• Unsupported Resource-Level Permissions:
• https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.IAM.ResourcePermissions.html#UsingWithRDS.IAM.UnsupportedResourceLevelPermissions
• https://docs.aws.amazon.com/AWSEC2/latest/APIReference/ec2-api-permissions.html#ec2-api-unsupported-resource-permissions
• Check out Netflix/repokid
• https://github.com/Netflix/repokid
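The three policies above behave very differently once an action and a resource ARN are matched against them. The script below is an added example (not from the slides or any AWS library) with a deliberately small evaluator that models only what the slides use: wildcard matching on Action and Resource, the StringEquals condition on a resource tag, and the rule that an explicit Deny beats any Allow. It shows the S3 policy scoped to one prefix, the EBS policy hinging on the Department tag, and the RDS Describe* policy matching any database in any region because its Resource is "*". The instance ARN and the Deny policy are constructed for the demo; the evaluator ignores many real IAM details (resource policies, permission boundaries, other condition operators, the fact that AttachVolume also needs permission on the volume).

```python
import re

# The three policies from the slides (quotes normalised to plain ASCII).
S3_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Action": ["s3:PutObject", "s3:GetObject", "s3:GetObjectVersion"],
    "Resource": "arn:aws:s3:*:*:CompanyA/Marketing/*"}]}
EBS_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Action": ["ec2:AttachVolume", "ec2:DetachVolume"],
    "Resource": "arn:aws:ec2:*:*:instance/*",
    "Condition": {"StringEquals": {"ec2:ResourceTag/Department": "Marketing"}}}]}
RDS_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "rds:DescribeDBInstances", "Resource": "*"}]}
# Constructed: a broad Allow with an explicit Deny carved out, to show Deny precedence.
DENY_DELETE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
    {"Effect": "Deny", "Action": "s3:DeleteObject", "Resource": "*"}]}


def _as_list(value):
    """IAM lets Action/Resource/condition values be a string or a list of strings."""
    return value if isinstance(value, list) else [value]


def _glob_match(pattern, value, ignore_case=False):
    """IAM wildcard match: '*' matches any run of characters (including none), '?' one."""
    regex = "^" + "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                          for c in pattern) + "$"
    return re.match(regex, value, re.IGNORECASE if ignore_case else 0) is not None


def _conditions_hold(condition, context):
    """Only StringEquals is modelled (the operator the slides use); any other operator
    raises so a statement is never silently treated as matching."""
    for operator, pairs in condition.items():
        if operator != "StringEquals":
            raise NotImplementedError("condition operator not modelled: " + operator)
        for key, expected in pairs.items():
            if context.get(key) not in _as_list(expected):
                return False
    return True


def evaluate(policy, action, resource, context=None):
    """Simplified identity-policy evaluation: an explicit Deny wins, then any matching
    Allow, otherwise 'ImplicitDeny'. Action names are case-insensitive, ARNs are not."""
    context = context or {}
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not any(_glob_match(a, action, ignore_case=True) for a in _as_list(stmt["Action"])):
            continue
        if not any(_glob_match(r, resource) for r in _as_list(stmt["Resource"])):
            continue
        if not _conditions_hold(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


if __name__ == "__main__":
    # Constructed instance ARN; the tag context stands in for the instance's real tags.
    instance = "arn:aws:ec2:us-east-1:123456789012:instance/i-0constructed"
    print(evaluate(S3_POLICY, "s3:GetObject", "arn:aws:s3:::CompanyA/Finance/report.pdf"))
    print(evaluate(EBS_POLICY, "ec2:AttachVolume", instance, {"ec2:ResourceTag/Department": "Finance"}))
    print(evaluate(RDS_POLICY, "rds:DescribeDBInstances", "arn:aws:rds:eu-west-1:123456789012:db:anything"))
```

The last call is the "Describe* is account-wide" point from the slide in miniature: because the RDS API does not support resource-level permissions for that action, the only usable Resource is "*", and the policy cannot be narrowed to one database.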
• Dedicated AWS Accounts
• Logging
• Alerts
• Secrets Management
• IAM Permissions
• https://github.com/toniblyx/my-arsenal-of-aws-security-tools
Questions?