The security pillar encompasses the ability to protect information, systems, and assets while delivering business value through risk assessments and mitigation strategies. This presentation will provide in-depth, best-practice guidance for architecting secure systems on AWS.
2. Feedback
Ben de Haan
AWS Meetup regular, serverless enthusiast
Security consultant/engineer @ Xebia Security
https://www.linkedin.com/in/ben-de-haan-65423441/
bdehaan@xebia.com
A bit about me and this Webinar
1. Introduction 2. Secure baseline 3. Mastering IAM 4. Leverage Infra as Code 5. Improving detection 6. Automating response
3. How to scale cloud security
1. Setting a secure baseline
2. Mastering IAM
3. Leveraging Infrastructure as Code
4. Improving Detection
5. Automating response
4. Guardrails, not gates
Setting a secure baseline
5. A secure baseline
Setting a secure baseline
6. Leverage AWS accounts
Setting a secure baseline
7. Setting a secure baseline
8. AWS Organizations
AWS Control Tower
Organization Formation
(https://github.com/OlafConijn/AwsOrganizationFormation)
Creating a secure baseline
9. Service Control Policies
• Allow only EU regions for non-global services
• Only allow access to billing data
• Only allow small EC2 instances
(Prod OU)
10. Absence of evidence is not evidence of absence
IAM Flow
Master IAM flow
11. Can’t find an allow? Doesn’t mean it’s not there! (or can’t be added)
IAM Flow
12. → Explicit deny can be safer …and easier to troubleshoot
IAM Flow
Source: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_evaluation-logic.html
14. Test your SCPs (and other policies)
IAM simulator & simulation account
15. Attribute-based access control (ABAC)
Attribute based access control
16. Attribute-based access control (ABAC)
Source: https://docs.aws.amazon.com/IAM/latest/UserGuide/introduction_attribute-based-access-control.html
17. Attribute-based access control (ABAC)
Why ABAC?
• Scales better than ‘pure’ RBAC
• Smaller/Fewer policies
• (Resource limits… 🙃)
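The Service Control Policy slide, the IAM Flow slides (explicit deny wins, "can't find an allow doesn't mean it's not there") and the ABAC slides all hinge on the same evaluation order. The following added example, which is not from the deck or from AWS, is a small Python model of that order: a matching Deny in any policy ends evaluation, otherwise every policy type in play (here SCP and identity policy) must contribute an Allow, otherwise the request is implicitly denied. It only models the `StringEquals`/`StringNotEquals`/`StringLike`/`StringNotLike` operators, `${...}` policy variables, `Action`, `Resource` and `Condition`; permission boundaries, resource policies, session policies and `NotAction` are left out. The two SCPs follow the "EU regions only" and "small EC2 instances only" examples on the slide, the identity policy is the canonical ABAC pattern (principal tag must equal resource tag); the account id, instance id and the service list used instead of `NotAction` are constructed assumptions.

```python
from fnmatch import fnmatchcase


def _expand(value, ctx):
    """Expand a policy variable such as ${aws:PrincipalTag/project} from the request context."""
    if isinstance(value, str) and value.startswith("${") and value.endswith("}"):
        return ctx.get(value[2:-1])
    return value


def _condition_holds(operator, key, expected, ctx):
    """Subset of IAM condition operators; a missing key makes the negated forms true."""
    actual = ctx.get(key)
    wanted = [_expand(v, ctx) for v in (expected if isinstance(expected, list) else [expected])]
    if operator == "StringEquals":
        return actual in wanted
    if operator == "StringNotEquals":
        return actual not in wanted
    like = any(fnmatchcase(str(actual), str(w)) for w in wanted)
    if operator == "StringLike":
        return like
    if operator == "StringNotLike":
        return not like
    raise ValueError(f"operator {operator} is not modelled")


def _applies(stmt, action, resource, ctx):
    """Does this statement match the request (Action, Resource and every Condition)?"""
    as_list = lambda v: v if isinstance(v, list) else [v]
    if not any(fnmatchcase(action.lower(), a.lower()) for a in as_list(stmt["Action"])):
        return False
    if not any(fnmatchcase(resource, r) for r in as_list(stmt.get("Resource", "*"))):
        return False
    return all(_condition_holds(op, key, exp, ctx)
               for op, pairs in stmt.get("Condition", {}).items()
               for key, exp in pairs.items())


def evaluate(policies, action, resource, ctx):
    """policies: {"scp": [docs], "identity": [docs]} -> 'explicit_deny', 'allow' or 'implicit_deny'."""
    allowing_types = set()
    for ptype, docs in policies.items():
        for doc in docs:
            for stmt in doc["Statement"]:
                if not _applies(stmt, action, resource, ctx):
                    continue
                if stmt["Effect"] == "Deny":
                    return "explicit_deny"      # a matching Deny ends evaluation immediately
                allowing_types.add(ptype)
    # Every policy type in play must contribute an Allow; "no allow found" is a deny.
    return "allow" if allowing_types == set(policies) else "implicit_deny"


# Assumption: a hand-picked list of regional services. The real region-restriction
# SCP uses NotAction to exempt global services such as IAM instead.
REGIONAL_SERVICES = ["ec2:*", "rds:*", "lambda:*"]

SCP_EU_ONLY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Deny", "Action": REGIONAL_SERVICES, "Resource": "*",
     "Condition": {"StringNotEquals": {"aws:RequestedRegion": ["eu-west-1", "eu-central-1"]}}}]}

SCP_SMALL_EC2 = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Action": "ec2:RunInstances", "Resource": "arn:aws:ec2:*:*:instance/*",
     "Condition": {"StringNotLike": {"ec2:InstanceType": ["t2.*", "t3.*"]}}}]}

# One ABAC policy serves every project: the principal's tag must match the resource's tag.
IDENTITY_ABAC = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "ec2:RunInstances", "Resource": "*"},
    {"Effect": "Allow", "Action": ["ec2:StartInstances", "ec2:StopInstances"], "Resource": "*",
     "Condition": {"StringEquals": {"aws:ResourceTag/project": "${aws:PrincipalTag/project}"}}}]}

PROD_OU = {"scp": [SCP_EU_ONLY, SCP_SMALL_EC2], "identity": [IDENTITY_ABAC]}


def decide(action, region, instance_type=None, resource_project=None, principal_project="alpha"):
    """Evaluate one constructed request against the Prod OU SCPs plus the ABAC identity policy."""
    ctx = {"aws:RequestedRegion": region, "ec2:InstanceType": instance_type,
           "aws:ResourceTag/project": resource_project, "aws:PrincipalTag/project": principal_project}
    resource = f"arn:aws:ec2:{region}:111122223333:instance/i-0123456789abcdef0"  # constructed
    return evaluate(PROD_OU, action, resource, ctx)


if __name__ == "__main__":
    print(decide("ec2:StopInstances", "eu-west-1", resource_project="alpha"))   # allow
    print(decide("ec2:StopInstances", "eu-west-1", resource_project="beta"))    # implicit_deny
    print(decide("ec2:RunInstances", "us-east-1", instance_type="t3.micro"))    # explicit_deny
    print(decide("ec2:RunInstances", "eu-west-1", instance_type="m5.24xlarge")) # explicit_deny
```

The model makes the slides' point concrete: the ABAC statement never has to be copied per project, the region and instance-size SCPs deny regardless of what any identity policy grants, and a request that nothing allows fails closed. It is a teaching aid, not a replacement for the IAM policy simulator or a dedicated simulation account when testing real SCPs.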
18. IAM resources
Useful resources:
• Policy evaluation logic
• https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_evaluation-logic.html
• Duo Parliament (Policy linter)
• https://github.com/duo-labs/parliament/
• Policy simulator
• https://policysim.aws.amazon.com
19. Leverage infrastructure as code
Infrastructure as code:
‘Back-up of your infrastructure’
20. Leverage infrastructure as code
Next step:
Immutable infrastructure
21. Leverage infrastructure as code
Leverage pipelines
Be mean to your code
Don’t set pipelines to ‘God mode’!
23. Improving detection
MITRE ATT&CK
Source: https://attack.mitre.org/matrices/enterprise/cloud/aws/
24. Automating response
Automate the basics
25. Automating response
CloudTrail turned off?
→ Turn it back on (and alert)
26. Automating response
Assist analyst when things get complicated
27. Automating response
Source: https://github.com/awslabs/aws-security-automation/
Access denied responder
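The "CloudTrail turned off? Turn it back on (and alert)" and "assist analyst when things get complicated" slides describe one responder pattern: an EventBridge rule forwards CloudTrail management API calls to a Lambda function, the function reverts what can safely be reverted and hands the rest to a human with the context already gathered. The following is an added example of that pattern; it is not code from the awslabs/aws-security-automation repository. It uses the real boto3 calls `cloudtrail.start_logging(Name=...)` and `sns.publish(...)`, but takes the clients as parameters so it can be exercised offline with the recording stand-in below. The SNS topic ARN, account id and the sample event are constructed placeholders; the split between auto-revertable and alert-only event names is this example's own choice (a deleted trail cannot be "undeleted", so it only alerts).

```python
import json

ALERT_TOPIC_ARN = "arn:aws:sns:eu-west-1:111122223333:security-alerts"  # assumption: placeholder topic

# CloudTrail API calls that weaken logging. Only StopLogging has a safe, obvious
# inverse; the others change or remove the trail and need an analyst's judgement.
AUTO_REVERT = {"StopLogging"}
ALERT_ONLY = {"DeleteTrail", "UpdateTrail", "PutEventSelectors"}


def classify(event):
    """Return ('revert' | 'alert' | 'ignore', details) for an EventBridge
    'AWS API Call via CloudTrail' event."""
    detail = event.get("detail", {})
    if detail.get("eventSource") != "cloudtrail.amazonaws.com":
        return "ignore", {}
    params = detail.get("requestParameters") or {}
    details = {
        "eventName": detail.get("eventName"),
        "trail": params.get("name") or params.get("trailName"),
        "actor": (detail.get("userIdentity") or {}).get("arn"),
        "sourceIp": detail.get("sourceIPAddress"),
        "region": detail.get("awsRegion"),
        "time": detail.get("eventTime"),
        "attack_technique": "T1562.008 Impair Defenses: Disable or Modify Cloud Logs",
    }
    if details["eventName"] in AUTO_REVERT:
        return "revert", details
    if details["eventName"] in ALERT_ONLY:
        return "alert", details
    return "ignore", details


def respond(event, cloudtrail, sns):
    """Core logic with injected clients. In Lambda pass boto3.client('cloudtrail')
    and boto3.client('sns'); tests pass RecordingClient instances."""
    decision, details = classify(event)
    if decision == "ignore":
        return {"action": "ignored"}
    if decision == "revert":
        cloudtrail.start_logging(Name=details["trail"])      # automate the basics
        details["remediation"] = "StartLogging issued automatically"
    else:
        details["remediation"] = "none; manual review required"
    # Either way the analyst gets who/what/where/when in one message.
    sns.publish(TopicArn=ALERT_TOPIC_ARN,
                Subject=f"CloudTrail {details['eventName']} by {details['actor']}",
                Message=json.dumps(details, indent=2))
    return {"action": decision, **details}


def lambda_handler(event, context):
    import boto3  # imported lazily so the module also loads where boto3 is absent
    return respond(event, boto3.client("cloudtrail"), boto3.client("sns"))


class RecordingClient:
    """Stand-in for a boto3 client: records every call instead of talking to AWS."""
    def __init__(self):
        self.calls = []

    def __getattr__(self, method):
        def call(**kwargs):
            self.calls.append((method, kwargs))
            return {}
        return call


# Constructed sample event in the shape EventBridge delivers for CloudTrail API calls.
SAMPLE_STOP_LOGGING = {
    "detail-type": "AWS API Call via CloudTrail",
    "source": "aws.cloudtrail",
    "detail": {
        "eventSource": "cloudtrail.amazonaws.com",
        "eventName": "StopLogging",
        "eventTime": "2020-01-01T12:00:00Z",
        "awsRegion": "eu-west-1",
        "sourceIPAddress": "203.0.113.10",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/ci-deployer"},
        "requestParameters": {"name": "arn:aws:cloudtrail:eu-west-1:111122223333:trail/org-trail"},
    },
}

if __name__ == "__main__":
    ct, topic = RecordingClient(), RecordingClient()
    print(respond(SAMPLE_STOP_LOGGING, ct, topic)["action"])  # revert
    print(ct.calls)                                           # [('start_logging', {'Name': ...})]
```

Two details matter in practice: the function's execution role needs `cloudtrail:StartLogging` and `sns:Publish` and nothing broader (the pipeline slide's "no God mode" applies to responders too), and the EventBridge rule should match on `eventSource` rather than on a fixed list of event names so that new log-tampering calls still reach `classify`, which then decides whether they are worth an alert.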
28. Conclusion
1: Prevent
Provide a secure baseline
Get a black belt in IAM-fu
Leverage infrastructure as code
29. Conclusion
2: Detect
Understand your threat model
Tailor your detection
30. Conclusion
3: Respond
Automate the basics
Assist analysts