Welcome to risk3sixty
North West Atlanta AWS
Establishing a Stronghold: Core strategies to develop defense in depth in AWS
Proudly co-hosted by:
Simplifying security and compliance so you can focus on business.
Grit ◊ Team ◊ Steadfast ◊ Craftsmanship ◊ Freedom
Fastest Growing Atlanta-Based Cybersecurity Consulting Firm
What is risk3sixty?
Founded in 2016, risk3sixty has quickly become one of the most respected boutique security advisory firms in the nation. Serving the high growth technology sector, we are on the cutting edge of security, privacy, and compliance.
Summary Practice Areas:
• Advisory: Virtual CISO, Offensive Security, Privacy Programs, Security Programs, Internal Audit, Crisis Management
• Compliance: SOC 2 Reporting, PCI DSS Certification, ISO 27001, GDPR/CCPA, NYDFS Cyber, NIST 800-53
www.risk3sixty.com
Context and Introduction
Misconfiguration, poor credential management and insider threat are the top causes of cloud infrastructure data breaches.
• In the past two years alone, the US Department of Defense, US Central and Pacific Command, Accenture, GoDaddy, FedEx, and Cisco all encountered data breaches or unauthorized disclosures due to AWS misconfigurations.
• According to the global research and advisory firm Gartner, approximately 80% of all cloud infrastructure breaches are due to:
  • Mismanagement of credentials
  • Infrastructure misconfiguration
  • Insider theft (preventable with proper access control, segregation of duties, and monitoring/alerting)
Security IRL
Are these the same old problems we have always contended with, or has the root cause evolved?
Some things to consider:
• Deployment of new web-scale cloud infrastructure is rapid and low effort. A few incorrect clicks can expose it all to the public internet.
• The concept of deploying a strong firewalled perimeter to wall off a weak internal network cannot be taken for granted in web-scale cloud infrastructure.
• Modern web-scale cloud infrastructure favors a developer approach to management. The negative implications of the skills gap for IT ops personnel without dev expertise are magnified in web-scale cloud infrastructure.
• The types of issues we are identifying during penetration tests over web-scale cloud infrastructure differ considerably from what is typical in traditional enterprise IT environments.
Core Strategy #1 – Enable Cloud-centric Logging
Logging is a necessity for capturing security events, tracking configuration changes, and meeting compliance requirements.
AWS Native Solution:
Enable AWS CloudTrail to capture all API activity.
Considerations:
• What are the access restrictions on who can read, modify and delete the logs?
• Are logs being stored in S3 buckets? How are these protected? Is encryption enabled on the bucket?
• Are logs encrypted in transit? You can do so using S3 Server Side Encryption in conjunction with Amazon KMS.
• Have retention policies been defined and implemented? Is a lifecycle policy in place in S3?
• Are you centrally locating log data (if logging across multiple Availability Zones)?
Core Strategy #2 – Restrict Root & Console Access & Enable MFA Everywhere
The Root account can touch and modify all assets, billing and more. This account should almost never be accessed or used.
AWS Native Solution(s):
Identity Access Management and Multifactor Authentication
Considerations:
• Create a super strong password and enable multi-factor authentication with a time-based token (and properly secure that token).
• Set up AWS IAM users, groups and roles to handle all other aspects of account management, and enable MFA tokens across the organization.
• Segregate accounts with console and programmatic access to create further segregation of duties.
• Disable/delete the Root account's API access keys (it doesn't need them).
• Make sure CloudTrail is logging security events (including Root account activity).
• Field Experience Note: What happens if you lose your MFA token for your AWS Root account?
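Core Strategies #1 and #2 together say "log everything" and "watch the Root account"; the following is an added example (not from the deck or from risk3sixty) that turns that into a detection pass over CloudTrail records. The records are constructed samples in the CloudTrail record layout, the account id is the AWS documentation example id, and the severity labels and the `LOGGING_TAMPER` list are this example's own choices.

```python
import gzip
import json
from typing import Dict, Iterable, List

# API calls that weaken or disable the audit trail itself; any of these
# deserves an alert regardless of who issued it (list chosen for this example).
LOGGING_TAMPER = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}

# Constructed sample records (not real log data). Field names follow the
# CloudTrail record format; 111122223333 is the AWS documentation example id.
SAMPLE_RECORDS: List[Dict] = [
    {
        "eventTime": "2024-05-01T12:00:00Z",
        "eventSource": "signin.amazonaws.com",
        "eventName": "ConsoleLogin",
        "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"},
        "sourceIPAddress": "203.0.113.10",
        "additionalEventData": {"MFAUsed": "No"},
        "responseElements": {"ConsoleLogin": "Success"},
    },
    {
        "eventTime": "2024-05-01T12:05:00Z",
        "eventSource": "signin.amazonaws.com",
        "eventName": "ConsoleLogin",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"},
        "sourceIPAddress": "198.51.100.7",
        "additionalEventData": {"MFAUsed": "Yes"},
        "responseElements": {"ConsoleLogin": "Success"},
    },
    {
        "eventTime": "2024-05-01T12:10:00Z",
        "eventSource": "iam.amazonaws.com",
        "eventName": "CreateAccessKey",
        "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"},
        "sourceIPAddress": "203.0.113.10",
    },
    {
        "eventTime": "2024-05-01T12:15:00Z",
        "eventSource": "cloudtrail.amazonaws.com",
        "eventName": "StopLogging",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/bob"},
        "sourceIPAddress": "198.51.100.9",
    },
    {
        "eventTime": "2024-05-01T12:20:00Z",
        "eventSource": "s3.amazonaws.com",
        "eventName": "GetObject",
        "userIdentity": {"type": "AssumedRole",
                         "arn": "arn:aws:sts::111122223333:assumed-role/app-role/i-0abc"},
        "sourceIPAddress": "10.0.1.25",
    },
]


def load_records(path: str) -> List[Dict]:
    """Read one CloudTrail log file as delivered to S3 (gzip-compressed JSON
    with a top-level "Records" array) and return its records."""
    with gzip.open(path, "rt", encoding="utf-8") as fh:
        return json.load(fh)["Records"]


def triage(records: Iterable[Dict]) -> List[Dict]:
    """Return one finding per suspicious record. A single record can produce
    more than one finding (e.g. a root console login without MFA)."""
    findings: List[Dict] = []
    for ev in records:
        ident = ev.get("userIdentity", {})
        name = ev.get("eventName", "")
        base = {"time": ev.get("eventTime"), "actor": ident.get("arn", "unknown"),
                "event": name, "source_ip": ev.get("sourceIPAddress")}
        # Root should almost never be used, so every root action is a finding.
        if ident.get("type") == "Root":
            findings.append({**base, "severity": "HIGH", "reason": "root account activity"})
        # Successful console login without MFA, root or IAM user alike.
        if name == "ConsoleLogin":
            ok = ev.get("responseElements", {}).get("ConsoleLogin") == "Success"
            mfa = ev.get("additionalEventData", {}).get("MFAUsed") == "Yes"
            if ok and not mfa:
                findings.append({**base, "severity": "HIGH", "reason": "console login without MFA"})
        # Changes to the trail itself get the highest priority.
        if name in LOGGING_TAMPER:
            findings.append({**base, "severity": "CRITICAL",
                             "reason": "CloudTrail configuration changed"})
    return findings


def severity_counts(findings: Iterable[Dict]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f["severity"]] = counts.get(f["severity"], 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_RECORDS):
        print(f"{f['severity']:8} {f['time']} {f['reason']}: {f['actor']} from {f['source_ip']}")
```

Feed `load_records()` the `.json.gz` objects CloudTrail writes to the log bucket to run the same checks over real data.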
Core Strategy #3 – Develop an IAM Management Strategy
AWS IAM can be used to implement a zero-trust security policy where access is highly restricted based on least privilege.
AWS Native Solution(s):
Identity Access Management, Security Token Service
Considerations:
• Start with AWS Managed Policies, which are pre-made by AWS for common use cases.
• Take the time to map user groups to required permissions truly based on least privilege.
• Use Managed Policies instead of Inline Policies. A managed policy can be attached to multiple identities; an inline policy exists only for a single user, group, or role.
• Make use of Security Token Service (AWS STS) to create dynamic, short-term access credentials to production resources that auto-expire in a short time (within minutes). Highly restrict persistent access to production (limit it to the SRE team, or use immutable infrastructure and go TNO).
• Field Experience Note: AWS IAM integration with Okta and Duo, immutable infrastructure and AWS Security Token Service to hyper lock down production. Sexy.
Core Strategy #4 – Rotate Access Keys & Use AWS STS
Access keys are required for the AWS Command Line, SDKs, and direct API calls. Key rotation drastically reduces the impact of stolen credentials.
AWS Native Solution(s):
Identity Access Management, Lambda, Security Token Service
Considerations:
For Databases:
• For database key rotation, consider Lambda key rotation functions. AWS provides templates.
For Everything Else:
• Avoid embedding static access keys in applications. Use IAM Roles instead (Google: Using an IAM Role to Grant Permissions to Applications).
• Use IAM roles to grant access to apps/resources with temporary security credentials (STS) that rotate automatically, as opposed to IAM user access keys that never expire.
• Also consider using different access keys for different applications, to minimize the impact of stolen keys and to create distinct CloudTrail logs.
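The rotation and root-key points above (Strategies #2 and #4) can be checked from one artifact, the IAM credential report. This added example, not from the deck or from risk3sixty, parses a constructed report in the column layout of `aws iam get-credential-report` (the real API returns that CSV base64-encoded) and flags stale keys, active root keys and console users without MFA; the 90-day threshold and the constructed rows are this example's assumptions.

```python
import csv
import io
from datetime import datetime, timezone
from typing import Dict, List, Optional

MAX_KEY_AGE_DAYS = 90  # rotation threshold assumed for this example

# Constructed sample in the credential report column layout; every value is
# made up and the account id is the AWS documentation example id.
SAMPLE_REPORT = """user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws:iam::111122223333:root,2019-01-10T08:00:00+00:00,not_supported,2024-04-30T09:12:00+00:00,not_supported,not_supported,true,true,2019-01-10T08:05:00+00:00,2024-04-30T09:20:00+00:00,us-east-1,iam,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
alice,arn:aws:iam::111122223333:user/alice,2022-03-01T10:00:00+00:00,true,2024-05-01T11:00:00+00:00,2024-02-01T10:00:00+00:00,2024-05-01T10:00:00+00:00,true,true,2024-04-15T10:00:00+00:00,2024-05-01T10:30:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
deploy-bot,arn:aws:iam::111122223333:user/deploy-bot,2021-06-01T10:00:00+00:00,false,no_information,N/A,N/A,false,true,2021-06-01T10:05:00+00:00,2024-05-01T02:00:00+00:00,us-east-1,ec2,true,2023-11-01T10:00:00+00:00,N/A,N/A,N/A,false,N/A,false,N/A
carol,arn:aws:iam::111122223333:user/carol,2023-01-01T10:00:00+00:00,true,2024-05-01T08:00:00+00:00,2024-03-01T10:00:00+00:00,2024-05-30T10:00:00+00:00,false,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
"""


def parse_report(text: str) -> List[Dict[str, str]]:
    """Parse the decoded CSV report into one dict per IAM identity."""
    return list(csv.DictReader(io.StringIO(text)))


def age_days(stamp: str, now: datetime) -> Optional[int]:
    """Days since an ISO-8601 report timestamp; None for N/A, not_supported
    or no_information, which the report uses for missing values."""
    try:
        return (now - datetime.fromisoformat(stamp)).days
    except ValueError:
        return None


def audit(text: str, now_iso: Optional[str] = None) -> List[Dict[str, str]]:
    """Apply the deck's key and MFA checks. now_iso (timezone-aware ISO-8601)
    fixes the evaluation time so results are reproducible."""
    now = datetime.fromisoformat(now_iso) if now_iso else datetime.now(timezone.utc)
    findings: List[Dict[str, str]] = []
    for row in parse_report(text):
        user = row["user"]
        is_root = user == "<root_account>"
        for slot in ("1", "2"):
            if row[f"access_key_{slot}_active"] != "true":
                continue
            age = age_days(row[f"access_key_{slot}_last_rotated"], now)
            if is_root:
                # Root does not need API keys at all; age is irrelevant.
                findings.append({"user": user, "check": "root-access-key",
                                 "detail": f"root has active access key {slot}; delete it"})
            elif age is not None and age > MAX_KEY_AGE_DAYS:
                findings.append({"user": user, "check": "stale-access-key",
                                 "detail": f"access key {slot} last rotated {age} days ago"})
        # Root always has a console password (the column reads not_supported).
        has_password = is_root or row["password_enabled"] == "true"
        if has_password and row["mfa_active"] != "true":
            findings.append({"user": user, "check": "no-mfa",
                             "detail": "console access without MFA"})
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_REPORT):
        print(f"{f['check']:17} {f['user']}: {f['detail']}")
```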
Core Strategy #5 – Layered Defense Model for Web Apps
The majority of organizations utilizing AWS do so to host web apps and publicly accessible services. Use a layered defense approach to protect them.
AWS Native Solution(s):
CloudFront with S3 Buckets, Elastic Load Balancer, Web Application Firewall, Availability Zones, Virtual Private Cloud with Network Access Control Lists, and Security Groups
Considerations:
• Identify and define business needs for all open ports and lines of communication, including both ingress and egress traffic from public sources and server-to-server communication needs.
• Note that AWS Security Groups are stateful. A request allowed to come in has its response allowed to go out.
• But VPC NACLs are stateless! Anything allowed to come in is not automatically allowed out. NACLs are designed to allow explicit rules for web applications.
• Strategies surrounding TLS termination will vary. Outside the scope of this talk.
• Field Experience Note: Every team architects their solution differently. I've never seen the same set up twice.
Core Strategy #5 – Layered Defense Model Continued…
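The stateful-versus-stateless point is the one that bites in practice, so here is an added example (not from the deck or from risk3sixty) that models NACL evaluation the way AWS documents it: rules evaluated in ascending number, first match wins, implicit final deny, and request and reply judged separately. The rule sets are constructed; the "mirrored outbound rule" case shows why a reply never gets out when the outbound side only allows port 443.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Rule:
    """One network ACL entry. Inbound: ports are the destination ports on the
    instance and cidr is the source. Outbound: ports are the destination ports
    on the remote host and cidr is the destination."""
    number: int
    protocol: str     # "tcp", "udp" or "all"
    port_from: int
    port_to: int
    cidr: str
    action: str       # "allow" or "deny"


def nacl_allows(rules: List[Rule], protocol: str, port: int, ip: str) -> bool:
    """Evaluate one packet against an ACL: lowest rule number first, first
    match wins, and the implicit final '*' rule denies everything else."""
    addr = ipaddress.ip_address(ip)
    for r in sorted(rules, key=lambda r: r.number):
        if r.protocol not in ("all", protocol):
            continue
        if not (r.port_from <= port <= r.port_to):
            continue
        if addr not in ipaddress.ip_network(r.cidr):
            continue
        return r.action == "allow"
    return False


def nacl_round_trip(inbound: List[Rule], outbound: List[Rule], client_ip: str,
                    client_port: int, server_port: int) -> Tuple[bool, bool]:
    """A stateless ACL checks the request and the reply independently: the
    request targets server_port, the reply targets the client's ephemeral port."""
    request_ok = nacl_allows(inbound, "tcp", server_port, client_ip)
    reply_ok = nacl_allows(outbound, "tcp", client_port, client_ip)
    return request_ok, reply_ok


def sg_round_trip(sg_inbound: List[Rule], client_ip: str,
                  client_port: int, server_port: int) -> Tuple[bool, bool]:
    """A security group is stateful: once the request is allowed in, the reply
    is allowed out with no outbound rule needed. Security groups hold only
    allow rules and have no ordering, so any matching rule allows."""
    addr = ipaddress.ip_address(client_ip)
    request_ok = any(r.protocol in ("all", "tcp") and r.port_from <= server_port <= r.port_to
                     and addr in ipaddress.ip_network(r.cidr) for r in sg_inbound)
    return request_ok, request_ok


# Constructed rule sets for a public HTTPS server.
WEB_INBOUND = [Rule(100, "tcp", 443, 443, "0.0.0.0/0", "allow")]
# Mirroring the inbound rule on the outbound side is a common mistake: replies
# go to the client's ephemeral port, not to 443, so they are dropped.
MIRRORED_OUTBOUND = [Rule(100, "tcp", 443, 443, "0.0.0.0/0", "allow")]
EPHEMERAL_OUTBOUND = [Rule(100, "tcp", 1024, 65535, "0.0.0.0/0", "allow")]
# Rule numbers matter: a lower-numbered deny for one source range wins over
# the broad allow that follows it.
BLOCKLIST_INBOUND = [Rule(50, "tcp", 443, 443, "203.0.113.0/24", "deny")] + WEB_INBOUND

if __name__ == "__main__":
    print("NACL, mirrored outbound :", nacl_round_trip(WEB_INBOUND, MIRRORED_OUTBOUND, "198.51.100.7", 51515, 443))
    print("NACL, ephemeral outbound:", nacl_round_trip(WEB_INBOUND, EPHEMERAL_OUTBOUND, "198.51.100.7", 51515, 443))
    print("Security group          :", sg_round_trip(WEB_INBOUND, "198.51.100.7", 51515, 443))
```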
Core Strategy #6 – Make Sure S3 Data is Locked Down
AWS S3 provides comprehensive security and compliance capabilities, but with that flexibility and complexity comes risk.
AWS Native Solution(s):
Amazon S3, CloudFront, IAM, Amazon Macie
Considerations:
• Start with Bucket and User Policies and restrict public access. Google search for "Bucket Policies to Secure S3".
• Pay close attention to how IAM permissions are applied. S3 is locked down by default, but as you have to open up access to make communication with apps work, errors abound.
• When public access is needed, use an Origin Access Identity in CloudFront. Google search for "Restricting Access to Amazon S3 Content by Using an Origin Access Identity".
• Look for the "Public" flag in the S3 Management Console.
• Consider Amazon Macie to automatically scan your S3 buckets for security concerns.
• Consider community tools like S3-inspector to perform security checks. Google search "github s3-inspector".
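To see what "restrict public access" and "use an Origin Access Identity" look like in a bucket policy, here is an added example (not from the deck or from risk3sixty) that reviews each statement of a constructed policy and labels it PUBLIC, CONDITIONAL, CLOUDFRONT_OAI, SCOPED or DENY; it also checks for the TLS-only deny that covers the logs-in-transit point under Core Strategy #1. The bucket name, the OAI id and the VPC endpoint id are placeholders.

```python
import json
from typing import Any, Dict, List, Tuple

# Constructed bucket policy (not from any real account). It mixes the patterns
# the slide talks about: an open grant, a CloudFront OAI grant, a VPC-endpoint
# scoped grant and a deny for plaintext transport. Ids are placeholders.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "CloudFrontOnly", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity EXAMPLEOAIID"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "VpcEndpointOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": ["s3:GetObject", "s3:PutObject"], "Resource": "arn:aws:s3:::example-bucket/*",
         "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-EXAMPLE"}}},
        {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*",
         "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ],
})

# Substring that identifies a CloudFront Origin Access Identity principal ARN.
OAI_MARKER = ":user/CloudFront Origin Access Identity "


def _as_list(x: Any) -> List[str]:
    """Policy elements may be a string or a list; normalise to a list."""
    return [x] if isinstance(x, str) else list(x or [])


def principals(st: Dict[str, Any]) -> List[str]:
    """Flatten the Principal element ("*" or {"AWS": [...], "Service": ...})."""
    p = st.get("Principal", {})
    if p == "*":
        return ["*"]
    out: List[str] = []
    for v in p.values():
        out.extend(_as_list(v))
    return out


def classify(st: Dict[str, Any]) -> str:
    if st.get("Effect") == "Deny":
        return "DENY"  # a deny never opens access; it only narrows it
    ps = principals(st)
    if "*" in ps:
        # A Condition may scope the wildcard (VPC endpoint, source ARN, ...),
        # so it is not plainly public; it still deserves a manual look.
        return "CONDITIONAL" if st.get("Condition") else "PUBLIC"
    if any(OAI_MARKER in p for p in ps):
        return "CLOUDFRONT_OAI"
    return "SCOPED"


def review(policy_json: str) -> List[Tuple[str, str, List[str]]]:
    """(Sid, verdict, actions) for every statement in the policy."""
    policy = json.loads(policy_json)
    return [(st.get("Sid", "<no Sid>"), classify(st), _as_list(st.get("Action")))
            for st in policy["Statement"]]


def public_statements(policy_json: str) -> List[str]:
    return [sid for sid, verdict, _ in review(policy_json) if verdict == "PUBLIC"]


def has_tls_only_deny(policy_json: str) -> bool:
    """True if some Deny statement rejects requests made without TLS."""
    for st in json.loads(policy_json)["Statement"]:
        cond = st.get("Condition", {}).get("Bool", {})
        if st.get("Effect") == "Deny" and str(cond.get("aws:SecureTransport", "")).lower() == "false":
            return True
    return False


if __name__ == "__main__":
    for sid, verdict, actions in review(SAMPLE_POLICY):
        print(f"{verdict:15} {sid}: {', '.join(actions)}")
    print("TLS-only deny present:", has_tls_only_deny(SAMPLE_POLICY))
```

The same review runs on the output of `aws s3api get-bucket-policy`, whose `Policy` field is the policy document as a JSON string.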
Core Strategy #7 – Consider but Don't Over-Rely on Security Tools
AWS is releasing new features and tools all the time, but they should never be considered a replacement for foundational security practices.
AWS Native Solution(s):
AWS Inspector, Amazon Macie, Amazon WAF, AWS GuardDuty, AWS Security Hub, AWS Shield
Considerations:
Most common solutions encountered in the wild:
• AWS Inspector: Automated security assessment scanner which can evaluate security loopholes and deviation from best practices.
• Amazon Macie: Automatically discover, classify, and protect sensitive data.
• AWS WAF: Protect your web applications from common web exploits.
• Amazon GuardDuty: Threat detection service and continuous monitoring.
• AWS Shield: Managed DDoS protection service.
• AWS Security Hub: Comprehensive view of your high-priority security alerts and compliance status across AWS accounts.
Questions or Comments?
risk3sixty ◊ Security Craftsmanship
Fastest Growing Companies ◊ Top 5 Cybersecurity Companies

More Related Content

What's hot

Getting Started with AWS Lambda and Serverless
Getting Started with AWS Lambda and ServerlessGetting Started with AWS Lambda and Serverless
Getting Started with AWS Lambda and ServerlessAmazon Web Services
 
Modern Cloud Data Warehousing ft. Equinox Fitness Clubs: Optimize Analytics P...
Modern Cloud Data Warehousing ft. Equinox Fitness Clubs: Optimize Analytics P...Modern Cloud Data Warehousing ft. Equinox Fitness Clubs: Optimize Analytics P...
Modern Cloud Data Warehousing ft. Equinox Fitness Clubs: Optimize Analytics P...Amazon Web Services
 
Amazon.com 사례와 함께하는 유통 차세대 DW 구축을 위한 Data Lake 전략::구태훈::AWS Summit Seoul 2018
Amazon.com 사례와 함께하는 유통 차세대 DW 구축을 위한 Data Lake 전략::구태훈::AWS Summit Seoul 2018Amazon.com 사례와 함께하는 유통 차세대 DW 구축을 위한 Data Lake 전략::구태훈::AWS Summit Seoul 2018
Amazon.com 사례와 함께하는 유통 차세대 DW 구축을 위한 Data Lake 전략::구태훈::AWS Summit Seoul 2018Amazon Web Services Korea
 
How to Become an IAM Policy Ninja
How to Become an IAM Policy NinjaHow to Become an IAM Policy Ninja
How to Become an IAM Policy NinjaAmazon Web Services
 
AWS Support Services Overview - Spiezio
AWS Support Services Overview - SpiezioAWS Support Services Overview - Spiezio
AWS Support Services Overview - SpiezioAmazon Web Services
 
AWS Black Belt Online Seminar AWS 認定クラウドプラクティショナー取得に向けて
AWS Black Belt Online Seminar AWS 認定クラウドプラクティショナー取得に向けてAWS Black Belt Online Seminar AWS 認定クラウドプラクティショナー取得に向けて
AWS Black Belt Online Seminar AWS 認定クラウドプラクティショナー取得に向けてAmazon Web Services Japan
 
Landing Zones Creating a Foundation - AWS Summit Sydney 2018
Landing Zones Creating a Foundation - AWS Summit Sydney 2018Landing Zones Creating a Foundation - AWS Summit Sydney 2018
Landing Zones Creating a Foundation - AWS Summit Sydney 2018Amazon Web Services
 
Introduction to Block and File storage on AWS
Introduction to Block and File storage on AWSIntroduction to Block and File storage on AWS
Introduction to Block and File storage on AWSAmazon Web Services
 
Introduction to AWS Cost Management
Introduction to AWS Cost ManagementIntroduction to AWS Cost Management
Introduction to AWS Cost ManagementAmazon Web Services
 
Introduction to Amazon Web Services
Introduction to Amazon Web ServicesIntroduction to Amazon Web Services
Introduction to Amazon Web ServicesJames Armes
 
Microservices on AWS: Architectural Patterns and Best Practices | AWS Summit ...
Microservices on AWS: Architectural Patterns and Best Practices | AWS Summit ...Microservices on AWS: Architectural Patterns and Best Practices | AWS Summit ...
Microservices on AWS: Architectural Patterns and Best Practices | AWS Summit ...Amazon Web Services
 
Introduction to EC2
Introduction to EC2Introduction to EC2
Introduction to EC2Mark Squires
 
Deep Dive - AWS Security by Design
Deep Dive - AWS Security by DesignDeep Dive - AWS Security by Design
Deep Dive - AWS Security by DesignAmazon Web Services
 
ServerlessConf 2018 Keynote - Debunking Serverless Myths (no video / detailed...
ServerlessConf 2018 Keynote - Debunking Serverless Myths (no video / detailed...ServerlessConf 2018 Keynote - Debunking Serverless Myths (no video / detailed...
ServerlessConf 2018 Keynote - Debunking Serverless Myths (no video / detailed...Tim Wagner
 
Getting Started with AWS Lambda Serverless Computing
Getting Started with AWS Lambda Serverless ComputingGetting Started with AWS Lambda Serverless Computing
Getting Started with AWS Lambda Serverless ComputingAmazon Web Services
 
Machine Learning & Amazon SageMaker
Machine Learning & Amazon SageMakerMachine Learning & Amazon SageMaker
Machine Learning & Amazon SageMakerAmazon Web Services
 

What's hot (20)

Getting Started with AWS Lambda and Serverless
Getting Started with AWS Lambda and ServerlessGetting Started with AWS Lambda and Serverless
Getting Started with AWS Lambda and Serverless
 
Modern Cloud Data Warehousing ft. Equinox Fitness Clubs: Optimize Analytics P...
Modern Cloud Data Warehousing ft. Equinox Fitness Clubs: Optimize Analytics P...Modern Cloud Data Warehousing ft. Equinox Fitness Clubs: Optimize Analytics P...
Modern Cloud Data Warehousing ft. Equinox Fitness Clubs: Optimize Analytics P...
 
Amazon.com 사례와 함께하는 유통 차세대 DW 구축을 위한 Data Lake 전략::구태훈::AWS Summit Seoul 2018
Amazon.com 사례와 함께하는 유통 차세대 DW 구축을 위한 Data Lake 전략::구태훈::AWS Summit Seoul 2018Amazon.com 사례와 함께하는 유통 차세대 DW 구축을 위한 Data Lake 전략::구태훈::AWS Summit Seoul 2018
Amazon.com 사례와 함께하는 유통 차세대 DW 구축을 위한 Data Lake 전략::구태훈::AWS Summit Seoul 2018
 
How to Become an IAM Policy Ninja
How to Become an IAM Policy NinjaHow to Become an IAM Policy Ninja
How to Become an IAM Policy Ninja
 
Introduction to Sagemaker
Introduction to SagemakerIntroduction to Sagemaker
Introduction to Sagemaker
 
AWS Support Services Overview - Spiezio
AWS Support Services Overview - SpiezioAWS Support Services Overview - Spiezio
AWS Support Services Overview - Spiezio
 
IAM Introduction
IAM IntroductionIAM Introduction
IAM Introduction
 
AWS Black Belt Online Seminar AWS 認定クラウドプラクティショナー取得に向けて
AWS Black Belt Online Seminar AWS 認定クラウドプラクティショナー取得に向けてAWS Black Belt Online Seminar AWS 認定クラウドプラクティショナー取得に向けて
AWS Black Belt Online Seminar AWS 認定クラウドプラクティショナー取得に向けて
 
Landing Zones Creating a Foundation - AWS Summit Sydney 2018
Landing Zones Creating a Foundation - AWS Summit Sydney 2018Landing Zones Creating a Foundation - AWS Summit Sydney 2018
Landing Zones Creating a Foundation - AWS Summit Sydney 2018
 
Introduction to Block and File storage on AWS
Introduction to Block and File storage on AWSIntroduction to Block and File storage on AWS
Introduction to Block and File storage on AWS
 
Introduction to AWS Cost Management
Introduction to AWS Cost ManagementIntroduction to AWS Cost Management
Introduction to AWS Cost Management
 
Introduction to Amazon Web Services
Introduction to Amazon Web ServicesIntroduction to Amazon Web Services
Introduction to Amazon Web Services
 
Microservices on AWS: Architectural Patterns and Best Practices | AWS Summit ...
Microservices on AWS: Architectural Patterns and Best Practices | AWS Summit ...Microservices on AWS: Architectural Patterns and Best Practices | AWS Summit ...
Microservices on AWS: Architectural Patterns and Best Practices | AWS Summit ...
 
Introduction to EC2
Introduction to EC2Introduction to EC2
Introduction to EC2
 
AWSome Day Dublin - June 2016
AWSome Day Dublin - June 2016AWSome Day Dublin - June 2016
AWSome Day Dublin - June 2016
 
Deep Dive - AWS Security by Design
Deep Dive - AWS Security by DesignDeep Dive - AWS Security by Design
Deep Dive - AWS Security by Design
 
ServerlessConf 2018 Keynote - Debunking Serverless Myths (no video / detailed...
ServerlessConf 2018 Keynote - Debunking Serverless Myths (no video / detailed...ServerlessConf 2018 Keynote - Debunking Serverless Myths (no video / detailed...
ServerlessConf 2018 Keynote - Debunking Serverless Myths (no video / detailed...
 
Getting Started with AWS Lambda Serverless Computing
Getting Started with AWS Lambda Serverless ComputingGetting Started with AWS Lambda Serverless Computing
Getting Started with AWS Lambda Serverless Computing
 
Machine Learning & Amazon SageMaker
Machine Learning & Amazon SageMakerMachine Learning & Amazon SageMaker
Machine Learning & Amazon SageMaker
 
Cost Optimisation on AWS
Cost Optimisation on AWSCost Optimisation on AWS
Cost Optimisation on AWS
 

Similar to Core strategies to develop defense in depth in AWS

AWS Summit Auckland Sponsor Presentation - Dome9
AWS Summit Auckland Sponsor Presentation - Dome9AWS Summit Auckland Sponsor Presentation - Dome9
AWS Summit Auckland Sponsor Presentation - Dome9Amazon Web Services
 
Managing Security with AWS | AWS Public Sector Summit 2017
Managing Security with AWS | AWS Public Sector Summit 2017Managing Security with AWS | AWS Public Sector Summit 2017
Managing Security with AWS | AWS Public Sector Summit 2017Amazon Web Services
 
The 3 Recommendations for Cloud Security
The 3 Recommendations for Cloud SecurityThe 3 Recommendations for Cloud Security
The 3 Recommendations for Cloud SecurityVAST
 
Journey Through the Cloud - Security Best Practices on AWS
Journey Through the Cloud - Security Best Practices on AWSJourney Through the Cloud - Security Best Practices on AWS
Journey Through the Cloud - Security Best Practices on AWSAmazon Web Services
 
SEC309 Secure Your Cloud Investment: Mastering AWS Identity Access Management...
SEC309 Secure Your Cloud Investment: Mastering AWS Identity Access Management...SEC309 Secure Your Cloud Investment: Mastering AWS Identity Access Management...
SEC309 Secure Your Cloud Investment: Mastering AWS Identity Access Management...Amazon Web Services
 
Multi cloud governance best practices - AWS, Azure, GCP
Multi cloud governance best practices - AWS, Azure, GCPMulti cloud governance best practices - AWS, Azure, GCP
Multi cloud governance best practices - AWS, Azure, GCPFaiza Mehar
 
Cloud computing and Cloud security fundamentals
Cloud computing and Cloud security fundamentalsCloud computing and Cloud security fundamentals
Cloud computing and Cloud security fundamentalsViresh Suri
 
Demystifying Cloud Security: Lessons Learned for the Public Sector
Demystifying Cloud Security: Lessons Learned for the Public SectorDemystifying Cloud Security: Lessons Learned for the Public Sector
Demystifying Cloud Security: Lessons Learned for the Public SectorAmazon Web Services
 
AWS Summit 2013 | Singapore - Security & Compliance and Integrated Security w...
AWS Summit 2013 | Singapore - Security & Compliance and Integrated Security w...AWS Summit 2013 | Singapore - Security & Compliance and Integrated Security w...
AWS Summit 2013 | Singapore - Security & Compliance and Integrated Security w...Amazon Web Services
 
Fundamentals of Microsoft 365 Security , Identity and Compliance
Fundamentals of Microsoft 365 Security , Identity and ComplianceFundamentals of Microsoft 365 Security , Identity and Compliance
Fundamentals of Microsoft 365 Security , Identity and ComplianceVignesh Ganesan I Microsoft MVP
 
Scaling Security Operations and Automating Governance: Which AWS Services Sho...
Scaling Security Operations and Automating Governance: Which AWS Services Sho...Scaling Security Operations and Automating Governance: Which AWS Services Sho...
Scaling Security Operations and Automating Governance: Which AWS Services Sho...Amazon Web Services
 
AWS Security Strategy
AWS Security StrategyAWS Security Strategy
AWS Security StrategyTeri Radichel
 
Aws training in bangalore
Aws training in bangalore Aws training in bangalore
Aws training in bangalore apponix123
 
Beginners guide to aws security monitoring
Beginners guide to aws security monitoringBeginners guide to aws security monitoring
Beginners guide to aws security monitoringrahuldesh
 
Top 10 AWS Security and Compliance best practices
Top 10 AWS Security and Compliance best practicesTop 10 AWS Security and Compliance best practices
Top 10 AWS Security and Compliance best practicesAhmad Khan
 
7 Ways To Cyberattack And Hack Azure
7 Ways To Cyberattack And Hack Azure7 Ways To Cyberattack And Hack Azure
7 Ways To Cyberattack And Hack AzureAbdul Khan
 
Aws security best practices
Aws security best practicesAws security best practices
Aws security best practicesSundeep Roxx
 
Securing AWS environments by Ankit Giri
Securing AWS environments by Ankit GiriSecuring AWS environments by Ankit Giri
Securing AWS environments by Ankit GiriOWASP Delhi
 

Similar to Core strategies to develop defense in depth in AWS (20)

AWS Summit Auckland Sponsor Presentation - Dome9
AWS Summit Auckland Sponsor Presentation - Dome9AWS Summit Auckland Sponsor Presentation - Dome9
AWS Summit Auckland Sponsor Presentation - Dome9
 
Managing Security with AWS | AWS Public Sector Summit 2017
Managing Security with AWS | AWS Public Sector Summit 2017Managing Security with AWS | AWS Public Sector Summit 2017
Managing Security with AWS | AWS Public Sector Summit 2017
 
The 3 Recommendations for Cloud Security
The 3 Recommendations for Cloud SecurityThe 3 Recommendations for Cloud Security
The 3 Recommendations for Cloud Security
 
Journey Through the Cloud - Security Best Practices on AWS
Journey Through the Cloud - Security Best Practices on AWSJourney Through the Cloud - Security Best Practices on AWS
Journey Through the Cloud - Security Best Practices on AWS
 
SEC309 Secure Your Cloud Investment: Mastering AWS Identity Access Management...
SEC309 Secure Your Cloud Investment: Mastering AWS Identity Access Management...SEC309 Secure Your Cloud Investment: Mastering AWS Identity Access Management...
SEC309 Secure Your Cloud Investment: Mastering AWS Identity Access Management...
 
Multi cloud governance best practices - AWS, Azure, GCP
Multi cloud governance best practices - AWS, Azure, GCPMulti cloud governance best practices - AWS, Azure, GCP
Multi cloud governance best practices - AWS, Azure, GCP
 
AWS Cloud Security
AWS Cloud SecurityAWS Cloud Security
AWS Cloud Security
 
Cloud computing and Cloud security fundamentals
Cloud computing and Cloud security fundamentalsCloud computing and Cloud security fundamentals
Cloud computing and Cloud security fundamentals
 
Demystifying Cloud Security: Lessons Learned for the Public Sector
Demystifying Cloud Security: Lessons Learned for the Public SectorDemystifying Cloud Security: Lessons Learned for the Public Sector
Demystifying Cloud Security: Lessons Learned for the Public Sector
 
AWS Security Best Practices
AWS Security Best PracticesAWS Security Best Practices
AWS Security Best Practices
 
AWS Summit 2013 | Singapore - Security & Compliance and Integrated Security w...
AWS Summit 2013 | Singapore - Security & Compliance and Integrated Security w...AWS Summit 2013 | Singapore - Security & Compliance and Integrated Security w...
AWS Summit 2013 | Singapore - Security & Compliance and Integrated Security w...
 
Fundamentals of Microsoft 365 Security , Identity and Compliance
Fundamentals of Microsoft 365 Security , Identity and ComplianceFundamentals of Microsoft 365 Security , Identity and Compliance
Fundamentals of Microsoft 365 Security , Identity and Compliance
 
Scaling Security Operations and Automating Governance: Which AWS Services Sho...
Scaling Security Operations and Automating Governance: Which AWS Services Sho...Scaling Security Operations and Automating Governance: Which AWS Services Sho...
Scaling Security Operations and Automating Governance: Which AWS Services Sho...
 
AWS Security Strategy
AWS Security StrategyAWS Security Strategy
AWS Security Strategy
 
Aws training in bangalore
Aws training in bangalore Aws training in bangalore
Aws training in bangalore
 
Beginners guide to aws security monitoring
Beginners guide to aws security monitoringBeginners guide to aws security monitoring
Beginners guide to aws security monitoring
 
Top 10 AWS Security and Compliance best practices
Top 10 AWS Security and Compliance best practicesTop 10 AWS Security and Compliance best practices
Top 10 AWS Security and Compliance best practices
 
7 Ways To Cyberattack And Hack Azure
7 Ways To Cyberattack And Hack Azure7 Ways To Cyberattack And Hack Azure
7 Ways To Cyberattack And Hack Azure
 
Aws security best practices
Aws security best practicesAws security best practices
Aws security best practices
 
Securing AWS environments by Ankit Giri
Securing AWS environments by Ankit GiriSecuring AWS environments by Ankit Giri
Securing AWS environments by Ankit Giri
 

Recently uploaded

Key Features Of Token Development (1).pptx
Key  Features Of Token  Development (1).pptxKey  Features Of Token  Development (1).pptx
Key Features Of Token Development (1).pptxLBM Solutions
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Paola De la Torre
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...HostedbyConfluent
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?XfilesPro
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphNeo4j
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure servicePooja Nehwal
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 

Recently uploaded (20)

Key Features Of Token Development (1).pptx
Key  Features Of Token  Development (1).pptxKey  Features Of Token  Development (1).pptx
Key Features Of Token Development (1).pptx
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food Manufacturing
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx

Core strategies to develop defense in depth in AWS

  • 1. Welcome to risk3sixty
    North West Atlanta AWS
    Establishing a Stronghold: Core strategies to develop defense in depth in AWS
    Proudly co-hosted by:
    Simplifying security and compliance so you can focus on business.
  • 2. What is risk3sixty?
    Grit ◊ Team ◊ Steadfast ◊ Craftsmanship ◊ Freedom
    Fastest Growing Atlanta-Based Cybersecurity Consulting Firm
    Founded in 2016, risk3sixty has quickly become one of the most respected boutique security advisory firms in the nation. Serving the high growth technology sector, we are on the cutting edge of security, privacy, and compliance.
    Summary Practice Areas: Advisory, Compliance, Virtual CISO, Offensive Security, Privacy Programs, Security Programs, Internal Audit, Crisis Management, SOC 2 Reporting, PCI DSS Certification, ISO 27001, GDPR/CCPA, NYDFS Cyber, NIST 800-53
    www.risk3sixty.com
  • 3. Context and Introduction
    Misconfiguration, poor credential management and insider threat are the top causes of cloud infrastructure data breaches.
    • In the past two years alone, the US Department of Defense, US Central and Pacific Command, Accenture, GoDaddy, FedEx, and Cisco all encountered data breaches/unauthorized disclosures due to AWS misconfigurations.
    • According to the global research and advisory firm Gartner, approximately 80% of all cloud infrastructure breaches are due to:
      • Mismanagement of Credentials
      • Infrastructure Misconfiguration
      • Insider Theft (preventable with proper access, segregation of duties control, and monitoring/alerting)
  • 4. Security IRL
    Are these the same old problems we have always contended with, or has the root cause evolved? Some things to consider:
    • Deployment of new web-scale cloud infrastructure is rapid and low effort. A few incorrect clicks can expose it all to the public internet.
    • The concept of deploying a strong firewalled perimeter to wall off a weak internal network cannot be taken for granted in web-scale cloud infrastructure.
    • Modern web-scale cloud infrastructure favors a developer approach to management. The negative implications of the skills gap for IT ops personnel without dev expertise are magnified in web-scale cloud infrastructure.
    • The types of issues we are identifying during penetration tests over web-scale cloud infrastructure differ considerably from what is typical in traditional enterprise IT environments.
  • 5. Core Strategy #1 – Enable Cloud-centric Logging
    Logging is a necessity for capturing security events, tracking configuration changes, and meeting compliance requirements.
    AWS Native Solution: Enable AWS CloudTrail to capture all API activity.
    Considerations:
    • What are the access restrictions for who can read, modify and delete?
    • Are logs being stored in S3 buckets? How are these protected? Is encryption enabled on the bucket?
    • Are logs encrypted in transit? You can do so using S3 Server Side Encryption in conjunction with Amazon KMS.
    • Have retention policies been defined and implemented? Is a lifecycle policy in place in S3?
    • Are you centrally locating log data (if logging across multiple Availability Zones)?
  • 6. Core Strategy #2 – Restrict Root & Console Access & Enable MFA Everywhere
    The Root account can touch and modify all assets, billing and more. This account should almost never be accessed or used.
    AWS Native Solution(s): Identity Access Management and Multifactor Authentication
    Considerations:
    • Create a super strong password and enable multi-factor authentication with a time-based token (and properly secure that token).
    • Set up AWS IAM users, groups and roles to handle all other aspects of account management, and enable MFA tokens across the organization.
    • Segregate accounts with console and programmatic access to create further segregation of duties.
    • Disable/delete the Root account's API access keys (it doesn't need them).
    • Make sure CloudTrail is logging security events (including Root account activity).
    • Field Experience Note: What happens if you lose your MFA token for your AWS Root account?
  • 7. Core Strategy #3 – Develop an IAM Management Strategy
    AWS IAM can be used to implement a zero-trust security policy where access is highly restricted based on least privilege.
    AWS Native Solution(s): Identity Access Management, Security Token Service
    Considerations:
    • Start with AWS Managed Policies, which are pre-made by AWS for common use cases.
    • Take the time to map User Groups to required permissions truly based on least privilege.
    • Use Managed Policies instead of Inline Policies. A Managed Policy can be attached to multiple identities; an Inline Policy exists only for a single user, group, or role.
    • Make use of Security Token Service (AWS STS) to create dynamic, short-term access credentials to production resources that auto-expire in a short time (within minutes). Highly restrict persistent access to production (limit to the SRE team, or use immutable infrastructure and go TNO).
    • Field Experience Note: AWS IAM integration with Okta and Duo, immutable infrastructure and AWS Security Token Service to hyper lock down production. Sexy.
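As an added example (not code from the deck or from risk3sixty), the Python below checks IAM policy documents for the least-privilege problems slide 7 describes (the global wildcard action, service-wide actions, Resource "*" with no condition) and builds the STS side of the story: a role trust policy that only permits AssumeRole from a principal that authenticated with MFA recently. The sample policy documents and the account id 123456789012 are constructed placeholders; aws:MultiFactorAuthPresent and aws:MultiFactorAuthAge are AWS global condition keys.

```python
"""Least-privilege linter for IAM policy documents plus an MFA-gated role
trust policy. Added example, not risk3sixty's code; the policy documents
below are constructed sample input and the account id is a placeholder."""


def _as_list(value):
    # IAM accepts a scalar or a list for Action, Resource and Principal.
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def lint_policy(policy):
    """Return findings for Allow statements broader than least privilege:
    the global wildcard Action, a service-wide Action such as s3:*, or
    Resource '*' with no Condition narrowing it."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action")):
            if action == "*":
                findings.append(f"stmt {idx}: Action '*' allows every API call")
            elif action.endswith(":*"):
                findings.append(f"stmt {idx}: service-wide Action {action}")
        if "*" in _as_list(stmt.get("Resource")) and not stmt.get("Condition"):
            findings.append(f"stmt {idx}: Resource '*' with no Condition")
    return findings


def mfa_trust_policy(account_id, max_mfa_age_seconds=3600):
    """Trust policy for a production role: principals in the given account may
    call sts:AssumeRole only if they signed in with MFA within the last
    max_mfa_age_seconds. The role's own session duration is set separately."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AssumeWithRecentMfa",
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {
                "Bool": {"aws:MultiFactorAuthPresent": "true"},
                "NumericLessThan": {"aws:MultiFactorAuthAge": str(max_mfa_age_seconds)},
            },
        }],
    }


def trust_requires_mfa(trust_policy):
    """True when every Allow statement for sts:AssumeRole carries the
    aws:MultiFactorAuthPresent=true condition (and there is at least one)."""
    statements = _as_list(trust_policy.get("Statement"))
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRole" not in _as_list(stmt.get("Action")):
            continue
        bool_cond = stmt.get("Condition", {}).get("Bool", {})
        if str(bool_cond.get("aws:MultiFactorAuthPresent", "")).lower() != "true":
            return False
    return bool(statements)


# Constructed sample policies: the "everything" policy often found inline on a
# single user, a service-wide one, and one scoped to a single app bucket.
INLINE_ADMIN = {"Version": "2012-10-17",
                "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
SERVICE_WIDE = {"Version": "2012-10-17",
                "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}
SCOPED = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": "arn:aws:s3:::example-app-uploads/*"},
    {"Effect": "Allow", "Action": "s3:ListBucket",
     "Resource": "arn:aws:s3:::example-app-uploads"}]}

if __name__ == "__main__":
    for name, pol in (("INLINE_ADMIN", INLINE_ADMIN), ("SERVICE_WIDE", SERVICE_WIDE), ("SCOPED", SCOPED)):
        print(name, lint_policy(pol) or "clean")
    print("trust requires MFA:", trust_requires_mfa(mfa_trust_policy("123456789012")))
```

The linter is deliberately narrow: it flags only the shapes that are never least privilege. Managed versus inline is a question of how the policy is attached, so a real review also lists inline policies per user (IAM ListUserPolicies) and migrates them to managed policies the linter has passed.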
  • 8. Core Strategy #4 – Rotate Access Keys & Use AWS STS
    Access keys are required for the AWS Command Line, SDKs, and direct API calls. Key rotation drastically reduces the impact of stolen credentials.
    AWS Native Solution(s): Identity Access Management, Lambda, Security Token Service
    Considerations:
    For Databases:
    • For database key rotation, consider Lambda key rotation functions. AWS provides templates.
    For Everything Else:
    • Avoid embedding static access keys in applications. Use IAM Roles instead (Google: Using an IAM Role to Grant Permissions to Applications).
    • Use IAM roles to grant access to apps/resources with temporary security credentials (STS) to obtain auto rotation, as opposed to IAM user access keys that never expire.
    • Also consider using different access keys for different applications, to minimize the impact of stolen keys and create distinct CloudTrail logs.
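The checks in slides 6 and 8 (no root access keys, MFA on every console login, keys rotated on a schedule) can all be answered from the IAM credential report. The Python below is an added example, not risk3sixty's code: it audits a report and returns findings per user. The CSV is constructed; its column names follow the IAM credential report layout but only a subset of the report's columns is included, and "now" is pinned to a fixed date so the result is deterministic.

```python
"""Audit an IAM credential report for root access keys, missing MFA and stale
access keys. Added example, not risk3sixty's code. The CSV is constructed:
column names follow the IAM credential report, with only a subset of columns."""
import csv
import io
from datetime import datetime, timezone

SAMPLE_REPORT = """\
user,arn,password_enabled,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_2_active,access_key_2_last_rotated
<root_account>,arn:aws:iam::123456789012:root,not_supported,false,true,2018-11-02T09:12:00+00:00,false,N/A
alice,arn:aws:iam::123456789012:user/alice,true,true,true,2019-04-20T08:00:00+00:00,false,N/A
bob,arn:aws:iam::123456789012:user/bob,true,false,true,2018-01-15T10:30:00+00:00,false,N/A
ci-deploy,arn:aws:iam::123456789012:user/ci-deploy,false,false,true,2019-05-01T00:00:00+00:00,false,N/A
"""

# Fixed "now" so the constructed example is deterministic.
NOW = datetime(2019, 5, 15, tzinfo=timezone.utc)
ROOT = "<root_account>"  # how the credential report names the root account


def _age_days(stamp, now):
    """Days since an ISO-8601 timestamp; None for N/A / not_supported values."""
    try:
        return (now - datetime.fromisoformat(stamp)).days
    except ValueError:
        return None


def audit_credential_report(report_csv, now=NOW, max_key_age_days=90):
    """Map each user that has at least one finding to its list of findings."""
    findings = {}
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        issues = []
        active_keys = [n for n in ("1", "2") if row[f"access_key_{n}_active"] == "true"]
        # Slide 6: the root account should have no API access keys at all.
        if user == ROOT and active_keys:
            issues.append("root account has an active access key; delete it")
        # Slide 6: anyone who can sign in to the console needs MFA (root always can).
        if (user == ROOT or row["password_enabled"] == "true") and row["mfa_active"] != "true":
            issues.append("console password without MFA")
        # Slide 8: keys that are never rotated keep stolen credentials useful forever.
        for n in active_keys:
            age = _age_days(row[f"access_key_{n}_last_rotated"], now)
            if age is not None and age > max_key_age_days:
                issues.append(f"access key {n} is {age} days old (limit {max_key_age_days})")
        if issues:
            findings[user] = issues
    return findings


if __name__ == "__main__":
    for user, issues in audit_credential_report(SAMPLE_REPORT).items():
        for issue in issues:
            print(f"{user}: {issue}")
```

The ci-deploy user passes because it has no console password and a fresh key, but slide 8's point still applies to it: a workload like that is better served by an IAM role with STS credentials than by a long-lived user key that has to be rotated by hand.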
  • 9. Core Strategy #5 – Layered Defense Model for Web Apps
    The majority of organizations utilizing AWS do so to host web apps and publicly accessible services. Use a layered defense approach to protect them.
    AWS Native Solution(s): CloudFront with S3 Buckets, Elastic Load Balancer, Web Application Firewall, Availability Zones, Virtual Private Cloud with Network Access Control Lists, and Security Groups
    Considerations:
    • Identify and define business needs for all open ports and lines of communication, including both ingress and egress traffic from public sources and server-to-server communication needs.
    • Note that AWS Security Groups are stateful: the reply to a request that was allowed in is allowed back out.
    • But VPC NACLs are stateless! Anything allowed to come in is not automatically allowed out. NACLs are designed to allow explicit rules for web applications.
    • Strategies surrounding TLS termination will vary. Outside the scope of this talk.
    • Field Experience Note: Every team architects their solution differently. I've never seen the same set up twice.
  • 10. Core Strategy #5 – Layered Defense Model Continued…
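The stateful/stateless distinction in slide 9 is the one that bites most often when a NACL is added to a VPC that already worked with security groups alone. The Python below is an added example (not from the deck or risk3sixty) that models both evaluation rules and walks an HTTPS request and its reply through them; the security group and NACL rule sets are constructed, and the simulation covers only TCP port matching, not CIDR matching.

```python
"""Stateful security group vs stateless network ACL (slide 9).
Added example, not risk3sixty's code; the rule sets are constructed and only
port matching is modelled."""

EPHEMERAL = (1024, 65535)  # client source ports that a reply must reach


def nacl_allows(rules, direction, port):
    """Network ACL semantics: rules are evaluated in ascending rule-number
    order, the first matching rule decides, and the implicit final rule
    denies. rules: (number, direction, (low_port, high_port), action)."""
    for _num, rule_dir, (low, high), action in sorted(rules, key=lambda r: r[0]):
        if rule_dir == direction and low <= port <= high:
            return action == "allow"
    return False


def sg_allows(sg, direction, port, tracked_reply=False):
    """Security group semantics: allow-only rules, any match permits, and
    because the group is stateful a reply to a tracked connection is
    permitted regardless of the rules in the reply's direction."""
    if tracked_reply:
        return True
    return port in sg["inbound" if direction == "in" else "outbound"]


def https_roundtrip(sg, nacl, client_port=50123):
    """An internet client opens HTTPS to the instance.
    Returns (request_delivered, reply_delivered)."""
    request_ok = nacl_allows(nacl, "in", 443) and sg_allows(sg, "in", 443)
    if not request_ok:
        return (False, False)
    # The reply goes back to the client's ephemeral port. The SG lets it out via
    # connection tracking; the NACL only does so if an outbound rule covers it.
    reply_ok = (sg_allows(sg, "out", client_port, tracked_reply=True)
                and nacl_allows(nacl, "out", client_port))
    return (True, reply_ok)


def egress_allowed(sg, nacl, dst_port):
    """Instance-initiated traffic (e.g. to a database) needs an explicit SG
    outbound rule and a NACL outbound rule; connection tracking does not help."""
    return sg_allows(sg, "out", dst_port) and nacl_allows(nacl, "out", dst_port)


# Constructed rule sets. WEB_SG has no outbound rule for ephemeral ports, yet
# replies still flow through it because security groups are stateful.
WEB_SG = {"inbound": {443}, "outbound": {5432}}
NACL_NO_EPHEMERAL = [(100, "in", (443, 443), "allow"),
                     (100, "out", (443, 443), "allow")]
NACL_CORRECT = [(100, "in", (443, 443), "allow"),
                (100, "out", EPHEMERAL, "allow"),
                (110, "out", (5432, 5432), "allow")]
NACL_DENY_FIRST = [(50, "in", (443, 443), "deny"),
                   (100, "in", (0, 65535), "allow"),
                   (100, "out", EPHEMERAL, "allow")]

if __name__ == "__main__":
    print("NACL without ephemeral egress:", https_roundtrip(WEB_SG, NACL_NO_EPHEMERAL))
    print("NACL with ephemeral egress:   ", https_roundtrip(WEB_SG, NACL_CORRECT))
    print("deny rule numbered first:     ", https_roundtrip(WEB_SG, NACL_DENY_FIRST))
    print("egress to 5432:", egress_allowed(WEB_SG, NACL_CORRECT, 5432))
```

The first case is the classic symptom: the request reaches the instance, the connection half-opens, and the client times out because the NACL silently drops the reply. The third case shows the other NACL rule that security groups do not have: ordering matters, and a low-numbered deny wins over a broad allow.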
  • 11. Core Strategy #6 – Make Sure S3 Data is Locked Down
    AWS S3 provides comprehensive security and compliance capabilities, but with that flexibility and complexity comes risk.
    AWS Native Solution(s): Amazon S3, CloudFront, IAM, Amazon Macie
    Considerations:
    • Start with Bucket and User Policies and restrict public access. Google search for "Bucket Policies to Secure S3".
    • Pay close attention to how IAM permissions are applied. S3 is locked down by default, but as you open up access to make communication with apps work, errors abound.
    • When public access is needed, use an Origin Access Identity in CloudFront. Google search for "Restricting Access to Amazon S3 Content by Using an Origin Access Identity".
    • Look for the "Public" flag in the S3 Management Console.
    • Consider Amazon Macie to automatically scan your S3 buckets for security concerns.
    • Consider community tools like s3-inspector to perform security checks. Google search "github s3-inspector".
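Slides 5 and 11 both come down to the bucket policy, so one added example (not code from the deck or from risk3sixty) serves both: it builds a hardened policy for the bucket that receives CloudTrail logs, builds the CloudFront Origin Access Identity policy slide 11 recommends instead of a public bucket, and runs a simple detector for the "Allow everyone, no condition" statement pattern behind the console's Public flag. Bucket names, the account id and the OAI id are placeholders. One caveat on slide 5's wording: S3 Server Side Encryption with KMS protects the objects at rest; what protects the logs in transit is refusing non-TLS requests, which the aws:SecureTransport deny below does.

```python
"""S3 bucket policies for the CloudTrail log bucket (slide 5) and a public
access detector (slide 11). Added example, not risk3sixty's code. Bucket
names, the account id and the OAI id are placeholders."""


def _as_list(value):
    return value if isinstance(value, list) else [value]


def cloudtrail_log_bucket_policy(bucket, account_id):
    """Let the CloudTrail service write log objects, refuse plaintext
    transport, and refuse uploads that are not KMS-encrypted. The SSE deny
    assumes the trail is configured with a KMS key, as slide 5 recommends."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    log_prefix = f"{bucket_arn}/AWSLogs/{account_id}/*"
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "AWSCloudTrailAclCheck", "Effect": "Allow",
         "Principal": {"Service": "cloudtrail.amazonaws.com"},
         "Action": "s3:GetBucketAcl", "Resource": bucket_arn},
        {"Sid": "AWSCloudTrailWrite", "Effect": "Allow",
         "Principal": {"Service": "cloudtrail.amazonaws.com"},
         "Action": "s3:PutObject", "Resource": log_prefix,
         "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}}},
        {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*", "Resource": [bucket_arn, f"{bucket_arn}/*"],
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
        {"Sid": "DenyUnencryptedUploads", "Effect": "Deny", "Principal": "*",
         "Action": "s3:PutObject", "Resource": f"{bucket_arn}/*",
         "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}}},
    ]}


def cloudfront_oai_policy(bucket, oai_id):
    """Read access for a single CloudFront Origin Access Identity, the
    alternative to a public bucket in slide 11."""
    principal = f"arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity {oai_id}"
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "AllowCloudFrontOAI", "Effect": "Allow",
         "Principal": {"AWS": principal},
         "Action": "s3:GetObject", "Resource": f"arn:aws:s3:::{bucket}/*"}]}


def _wildcard_principal(principal):
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def public_statements(policy):
    """Sids (or indexes) of Allow statements granted to everyone with no
    Condition narrowing them: the pattern behind the console's Public flag."""
    hits = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if (stmt.get("Effect") == "Allow"
                and _wildcard_principal(stmt.get("Principal"))
                and not stmt.get("Condition")):
            hits.append(stmt.get("Sid", str(idx)))
    return hits


def _has_deny_condition(policy, cond_op, key):
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") == "Deny" and key in stmt.get("Condition", {}).get(cond_op, {}):
            return True
    return False


def enforces_tls(policy):
    """True if some Deny statement keys on aws:SecureTransport."""
    return _has_deny_condition(policy, "Bool", "aws:SecureTransport")


def enforces_sse(policy):
    """True if some Deny statement keys on the SSE request header."""
    return _has_deny_condition(policy, "StringNotEquals", "s3:x-amz-server-side-encryption")


# Constructed "public read" policy of the kind behind the disclosures in slide 3.
PUBLIC_READ = {"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]}

if __name__ == "__main__":
    logs = cloudtrail_log_bucket_policy("example-trail-logs", "123456789012")
    print("log bucket public statements:", public_statements(logs))
    print("log bucket enforces TLS/SSE:", enforces_tls(logs), enforces_sse(logs))
    print("PUBLIC_READ public statements:", public_statements(PUBLIC_READ))
```

The detector is intentionally conservative: a statement with a wildcard principal and a condition (an aws:SourceVpce restriction, say) is not flagged, so a policy that passes it still deserves a look at what each condition actually restricts. Pair it with S3 Block Public Access at the account level, which stops a later policy edit from reopening the bucket.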
  • 12. Core Strategy #7 – Consider but Don't Over-Rely on Security Tools
    AWS is releasing new features and tools all the time, but they should never be considered a replacement for foundational security practices.
    AWS Native Solution(s): AWS Inspector, Amazon Macie, Amazon WAF, AWS GuardDuty, AWS Security Hub, AWS Shield
    Considerations: Most common solutions encountered in the wild:
    • AWS Inspector: Automated security assessment scanner which can evaluate security loopholes and deviation from best practices.
    • Amazon Macie: Automatically discover, classify, and protect sensitive data.
    • AWS WAF: Protect your web applications from common web exploits.
    • Amazon GuardDuty: Threat detection service and continuous monitoring.
    • AWS Shield: Managed DDoS protection service.
    • AWS Security Hub: Comprehensive view of your high-priority security alerts and compliance status across AWS accounts.
  • 13. Questions or Comments?
    risk3sixty – Fastest Growing Companies, Security Craftsmanship, Top 5 Cybersecurity Companies