Hacked!!... Not again!!...
A guide on reducing your attack surface on AWS cloud
Albertini/Ellan | 20th April 2024
KENYA
Presenters

Albertini Francis
Cloud Security Engineer
Cloud-native security enthusiast
AWS Community Builder: Security & Identity
Gamer, basketball

Ellan Wambugu
Solutions Architect
DevSecOps Engineer
AWS Community Builder: Machine Learning
A stressed-out Man United fan
Recent Cloud Breach Victims

Football Australia
Vectors: embedded cloud access keys and a public S3 bucket containing PII (player passports and contracts)

Capital One
Vector: a misconfigured firewall leading to SSRF, which led to the loss of 100 million records

Cisco WebEx
Vectors: long-term credentials and non-decommissioned access by a resigned engineer
Major Vulnerabilities in the Cloud

Limited visibility
Misconfigurations
Insecure APIs
Secrets mismanagement: embedded and stolen credentials
Insecure IAM
Storage
Application vulnerabilities leading to breach, e.g. SSRF
Attacker View of Your Application

Attackers look for the following breach points:
1. Assets, i.e. the underlying cloud
2. Application vulnerabilities
3. Secrets found by scanning the app and the code repository
4. Third-party personnel
So how do I not become the next cloud security breach headline???
Major Guidelines

Threat model, i.e. take an assumed-breach perspective
Cloud security is modular and a continuous process
Build secure from the start, i.e. a secure architecture
There is no silver bullet... you can't just throw money at the problem
Actions to Implement

Establish visibility and drift detection
Automate and orchestrate everything!!!!!... Well... almost everything!!
Implement configuration management
Establish comprehensive IAM policies and provisioning and deprovisioning practices
Secrets management
Implement workload security
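The "secret scanning on app, code repository" breach point and the "embedded cloud access keys" and "long-term credentials" vectors above all come down to the same control, so here is an added example in Python (not part of the presenters' deck) that scans text for AWS access key IDs and secret access keys, separates long-term (AKIA) from temporary (ASIA) key IDs, and masks what it reports. The function names and the constructed settings file are assumptions; the AKIA/secret pair is the placeholder credential pair from the AWS documentation.

```python
import re

# AWS access key IDs are 20 characters: a 4-character prefix plus 16 upper-case
# alphanumerics. Prefix AKIA marks a long-term IAM user key (the "long-term
# credentials" vector); ASIA marks a temporary STS key.
KEY_ID_RE = re.compile(r"\b((?:AKIA|ASIA)[0-9A-Z]{16})\b")

# Secret access keys are 40 characters of base64-like text. Requiring an
# assignment context keeps the false-positive rate on ordinary code low.
SECRET_RE = re.compile(
    r"(?i)(?:aws_secret_access_key|secret)\s*[=:]\s*['\"]?([A-Za-z0-9/+]{40})(?![A-Za-z0-9/+])"
)

def mask(value):
    """Never echo a full credential into a report; keep just enough to locate it."""
    return value[:4] + "..." + value[-4:]

def scan_text(text, source="<input>"):
    """Return findings as (source, line_no, kind, masked_value) tuples."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for key_id in KEY_ID_RE.findall(line):
            kind = "long-term access key" if key_id.startswith("AKIA") else "temporary access key"
            findings.append((source, line_no, kind, mask(key_id)))
        for secret in SECRET_RE.findall(line):
            findings.append((source, line_no, "secret access key", mask(secret)))
    return findings

def long_term_findings(findings):
    """The subset a CI pipeline should fail the build on: long-term keys and secrets."""
    return [f for f in findings if f[2] in ("long-term access key", "secret access key")]

# Constructed sample (assumption): a settings file accidentally committed to a
# repository. The AKIA/secret pair is the placeholder pair from the AWS docs.
SAMPLE_CONFIG = """\
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
# temporary STS credentials: still should not be committed
session_key_id = "ASIAZZZZZZZZZZZZZZZZ"
db_host = prod-db.internal.example
"""

if __name__ == "__main__":
    for source, line_no, kind, value in scan_text(SAMPLE_CONFIG, "settings.env"):
        print(f"{source}:{line_no}: {kind} {value}")
```

Run over a real tree, the same `scan_text` call per file gives a pre-commit or CI gate; any hit in `long_term_findings` is a key to rotate, not just a line to delete.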
Cloud security needs to be a major priority in the organization: done well it could be the best asset, but neglected it will bleed you.

Demo time
Q & A