Information security guidance and strategies for securing cloud infrastructure in Amazon Web Services, presented by risk3sixty LLC and Afonza, an Atlanta-based cyber risk management firm.
Core strategies to develop defense in depth in AWS
1. Welcome to risk3sixty
North West Atlanta AWS
Establishing a Stronghold: Core strategies to develop defense in depth in AWS
Proudly co-hosted by:
Simplifying security and compliance so you can focus on business.
2. Grit ◊ Team ◊ Steadfast ◊ Craftsmanship ◊ Freedom
Fastest Growing Atlanta-Based Cybersecurity Consulting Firm
What is risk3sixty?
Founded in 2016, risk3sixty has quickly become one of the most respected boutique security advisory firms in the nation. Serving the high growth technology sector, we are on the cutting edge of security, privacy, and compliance.
Summary Practice Areas:
Advisory: Virtual CISO, Offensive Security, Privacy Programs, Security Programs, Internal Audit, Crisis Management
Compliance: SOC 2 Reporting, PCI DSS Certification, ISO 27001, GDPR/CCPA, NYDFS Cyber, NIST 800-53
www.risk3sixty.com
3. Context and Introduction
Misconfiguration, poor credential management & insider threat are the top causes of cloud infrastructure data breaches.
• In the past two years alone, the US Department of Defense, US Central and Pacific Command, Accenture, GoDaddy, FedEx, and Cisco all encountered data breaches/unauthorized disclosures due to AWS misconfigurations.
• According to the global research and advisory firm Gartner, approximately 80% of all cloud infrastructure breaches are due to:
  • Mismanagement of Credentials
  • Infrastructure Misconfiguration
  • Insider Theft (preventable with proper access, segregation of duties control, and monitoring/alerting)
4. Security IRL
Are these the same old problems we have always contended with, or has the root cause evolved?
Some things to consider:
• Deployment of new web-scale cloud infrastructure is rapid and low effort. A few incorrect clicks can expose it all to the public internet.
• The concept of deploying a strong firewalled perimeter to wall off a weak internal network cannot be taken for granted in web-scale cloud infrastructure.
• Modern web-scale cloud infrastructure favors a developer approach to management. The negative implications of the skills gap for IT ops personnel without dev expertise are magnified in web-scale cloud infrastructure.
• The types of issues we are identifying during penetration tests over web-scale cloud infrastructure differ considerably from what is typical in traditional enterprise IT environments.
5. Core Strategy #1 – Enable Cloud-centric Logging
Logging is a necessity for capturing security events, tracking configuration changes, and meeting compliance requirements.
AWS Native Solution:
Enable AWS CloudTrail to capture all API activity.
Considerations:
• What are the access restrictions for who can read, modify and delete?
• Are logs being stored in S3 buckets? How are these protected? Is encryption enabled on the bucket?
• Are logs encrypted in transit? You can do so using S3 Server Side Encryption in conjunction with Amazon KMS.
• Have retention policies been defined and implemented? Is a lifecycle policy in place in S3?
• Are you centrally locating log data (if logging across multiple Availability Zones)?
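The considerations above turn into concrete checks against the trail and its log bucket. The following is an added example, not part of the deck; it audits dicts shaped like the boto3 responses of `describe_trails`, `get_bucket_encryption`, `get_public_access_block` and `get_bucket_lifecycle_configuration`, with the sample values constructed here so it runs offline (the trail and bucket names are placeholders). One caveat: SSE-KMS on the bucket protects the stored logs at rest; the delivery leg to S3 is protected by TLS on the API.

```python
"""Audit a CloudTrail trail and its S3 log bucket against Core Strategy #1.
Inputs mirror boto3 response shapes; the values here are constructed."""

# Constructed sample: one trail whose bucket has a weak configuration.
TRAIL = {
    "Name": "org-trail",
    "S3BucketName": "example-cloudtrail-logs",   # placeholder bucket name
    "IsMultiRegionTrail": False,                  # only one region covered
    "LogFileValidationEnabled": True,
    "KmsKeyId": "",                               # no KMS key on delivery
}
BUCKET_ENCRYPTION = {"ServerSideEncryptionConfiguration": {"Rules": [
    {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}}
PUBLIC_ACCESS_BLOCK = {"PublicAccessBlockConfiguration": {
    "BlockPublicAcls": True, "IgnorePublicAcls": True,
    "BlockPublicPolicy": False, "RestrictPublicBuckets": True}}
LIFECYCLE = {"Rules": [{"ID": "expire-logs", "Status": "Disabled",
                        "Expiration": {"Days": 365}}]}


def audit_trail(trail, encryption, pab, lifecycle):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    if not trail.get("IsMultiRegionTrail"):
        findings.append("trail is single-region: activity elsewhere is not captured")
    if not trail.get("LogFileValidationEnabled"):
        findings.append("log file validation disabled: tampering is undetectable")
    if not trail.get("KmsKeyId"):
        findings.append("trail delivers logs without a KMS key (no SSE-KMS)")
    rules = encryption.get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    algos = {r["ApplyServerSideEncryptionByDefault"]["SSEAlgorithm"] for r in rules}
    if "aws:kms" not in algos:
        findings.append("bucket default encryption is not SSE-KMS")
    cfg = pab.get("PublicAccessBlockConfiguration", {})
    off = [k for k in ("BlockPublicAcls", "IgnorePublicAcls",
                       "BlockPublicPolicy", "RestrictPublicBuckets") if not cfg.get(k)]
    if off:
        findings.append("public access block incomplete: " + ", ".join(off))
    live = [r for r in lifecycle.get("Rules", [])
            if r.get("Status") == "Enabled" and "Expiration" in r]
    if not live:
        findings.append("no enabled lifecycle rule: retention is undefined")
    return findings


if __name__ == "__main__":
    for f in audit_trail(TRAIL, BUCKET_ENCRYPTION, PUBLIC_ACCESS_BLOCK, LIFECYCLE):
        print("FINDING:", f)
```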
6. Core Strategy #2 – Restrict Root & Console Access & Enable MFA Everywhere
The Root account can touch and modify all assets, billing and more. This account should almost never be accessed or used.
AWS Native Solution(s):
Identity Access Management and Multifactor Authentication
Considerations:
• Create a super strong password and enable multi-factor authentication with a time based token (and properly secure that token).
• Set up AWS IAM users, groups and roles to handle all other aspects of account management, and enable MFA tokens across the organization.
• Segregate accounts with console and programmatic access to create further segregation of duties.
• Disable/delete the Root account's API access keys (it doesn't need them).
• Make sure CloudTrail is logging security events (including Root account activity).
• Field Experience Note: What happens if you lose your MFA token for your AWS Root account?
7. Core Strategy #3 – Develop an IAM Management Strategy
AWS IAM can be used to implement a zero-trust security policy where access is highly restricted based on least privilege.
AWS Native Solution(s):
Identity Access Management, Secure Token Service
Considerations:
• Start with AWS Managed Policies, which are pre-made by AWS for common use cases.
• Take the time to map User Groups to required permissions truly based on least privilege.
• Use Managed Policies instead of Inline Policies. Managed policies can be attached to multiple identities; an inline policy exists only for a single user, group, or role.
• Make use of Security Token Service (AWS STS) to create dynamic, short term access credentials to production resources that auto-expire in a short time (within minutes). Highly restrict persistent access to production (limit to the SRE team, or use immutable infrastructure and go TNO).
• Field Experience Note: AWS IAM integration with Okta and Duo, immutable infrastructure and AWS Security Token Service to hyper lock down production. Sexy.
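Mapping groups to "truly least privilege" permissions is easier when you can mechanically spot the statements that are not. This added example (not from the deck) flags Allow statements with service-wide wildcard actions, `Resource: *`, or `NotAction`/`NotResource`; the blanket inline policy and the scoped managed policy that replaces it are constructed samples with placeholder bucket, database and account values.

```python
"""Flag IAM policy statements that contradict least privilege (Core Strategy #3).
Both policies are constructed samples."""

BLANKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
        {"Effect": "Allow", "Action": ["ec2:*", "rds:DescribeDBInstances"],
         "Resource": "*"},
    ],
}
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::example-app-uploads/*"},   # placeholder bucket
        {"Effect": "Allow", "Action": "rds:DescribeDBInstances",
         "Resource": "arn:aws:rds:us-east-1:111122223333:db:example-db"},
    ],
}


def _as_list(value):
    """IAM accepts a single string or a list for Action and Resource."""
    return value if isinstance(value, list) else [value]


def overly_broad_statements(policy):
    """Return (statement index, reason) pairs for Allow statements that are
    too broad. NotAction/NotResource allow everything except the listed
    items, so they are flagged outright."""
    problems = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        if "NotAction" in stmt or "NotResource" in stmt:
            problems.append((i, "uses NotAction/NotResource"))
            continue
        for action in _as_list(stmt.get("Action", [])):
            if action == "*" or action.endswith(":*"):   # whole-service wildcard
                problems.append((i, f"wildcard action {action}"))
        if "*" in _as_list(stmt.get("Resource", [])):
            problems.append((i, "Resource is *"))
    return problems
```

Some Describe/List actions legitimately require `Resource: *`, so treat that finding as a prompt to justify the statement rather than an automatic failure.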
8. Core Strategy #4 – Rotate Access Keys & Use AWS STS
Access keys are required for the AWS Command Line, SDKs, and direct API calls. Key rotation drastically reduces the impact of stolen credentials.
AWS Native Solution(s):
Identity Access Management, Lambda, Security Token Service
Considerations:
For Databases:
• For database key rotation, consider Lambda key rotation functions. AWS provides templates.
For Everything Else:
• Avoid embedding static access keys in applications. Use IAM Roles instead (Google: Using an IAM Role to Grant Permissions to Applications).
• Use IAM roles to grant access to apps/resources with temporary security credentials (STS) to obtain automatic rotation, as opposed to IAM user access keys, which never expire.
• Also consider using different access keys for different applications, to minimize the impact of stolen keys and to create distinct CloudTrail logs.
9. Core Strategy #5 – Layered Defense Model for Web Apps
The majority of organizations utilizing AWS do so to host web apps and publicly accessible services. Use a layered defense approach to protect them.
AWS Native Solution(s):
CloudFront with S3 Buckets, Elastic Load Balancer, Web Application Firewall, Availability Zones, Virtual Private Cloud with Network Access Control Lists, and Security Groups
Considerations:
• Identify and define business needs for all open ports and lines of communication, including both ingress and egress traffic from public sources and server to server communication needs.
• Note that AWS Security Groups are stateful. A request allowed to come in is allowed to go out.
• But VPC NACLs are stateless! Anything allowed to come in is not automatically allowed out. NACLs are designed to allow explicit rules for web applications.
• Strategies surrounding TLS termination will vary. Outside the scope of this talk.
• Field Experience Note: Every team architects their solution differently. I've never seen the same set up twice.
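The stateful/stateless distinction is where NACL deployments most often break: an inbound HTTPS allow with no outbound rule for the client's ephemeral ports silently drops every response. This added example (not from the deck) models both mechanisms on constructed rule sets: NACL rules are evaluated in ascending rule number, first match wins, with an implicit deny at the end; CIDR matching is omitted and the ephemeral range follows AWS's 1024-65535 guidance.

```python
"""Model security-group (stateful) versus NACL (stateless) evaluation from
Core Strategy #5. Rule sets are constructed samples."""

EPHEMERAL = (1024, 65535)  # client source ports that responses go back to

# Constructed NACL that forgets the outbound ephemeral range: the inbound
# request is accepted, the response to the client is dropped.
BROKEN_NACL = {
    "inbound":  [(100, "tcp", (443, 443), "allow")],
    "outbound": [(100, "tcp", (443, 443), "allow")],   # server-initiated HTTPS only
}
FIXED_NACL = {
    "inbound":  [(100, "tcp", (443, 443), "allow")],
    "outbound": [(100, "tcp", (443, 443), "allow"),
                 (110, "tcp", EPHEMERAL, "allow")],    # responses to clients
}


def nacl_decision(rules, proto, port):
    """Rules are (number, protocol, (low, high), action). The lowest-numbered
    matching rule decides; the trailing '*' rule denies everything else."""
    for _num, r_proto, (lo, hi), action in sorted(rules):
        if r_proto == proto and lo <= port <= hi:
            return action == "allow"
    return False


def nacl_allows_flow(nacl, proto, dst_port, client_port):
    """A request enters on dst_port and its response leaves toward the
    client's ephemeral port; each leg must pass its own rule list."""
    inbound_ok = nacl_decision(nacl["inbound"], proto, dst_port)
    outbound_ok = nacl_decision(nacl["outbound"], proto, client_port)
    return inbound_ok and outbound_ok


def security_group_allows_flow(inbound_allow_ports, proto, dst_port):
    """Security groups are stateful: the accepted request's response is
    tracked and permitted without any outbound rule."""
    return (proto, dst_port) in inbound_allow_ports
```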
11. Core Strategy #6 – Make Sure S3 Data is Locked Down
AWS S3 provides comprehensive security and compliance capabilities, but with that flexibility and complexity comes risk.
AWS Native Solution(s):
Amazon S3, CloudFront, IAM, Amazon Macie
Considerations:
• Start with Bucket and User Policies and restrict public access. Google search for "Bucket Policies to Secure S3".
• Pay close attention to how IAM permissions are applied. S3 is locked down by default, but as you have to open up access to make communication with apps work, errors abound.
• When public access is needed, use an Origin Access Identity in CloudFront. Google search for "Restricting Access to Amazon S3 Content by Using an Origin Access Identity".
• Look for the "Public" flag in the S3 Management Console.
• Consider Amazon Macie to automatically scan your S3 buckets for security concerns.
• Consider community tools like S3-inspector to perform security checks. Google search "github s3-inspector".
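What the console's "Public" flag reacts to is, at its core, an Allow statement whose Principal is everyone with nothing narrowing it. This added example (not from the deck) classifies bucket policy statements on that basis and recognises the CloudFront Origin Access Identity form the slide recommends instead; both policies are constructed, and the bucket name and OAI id are placeholders.

```python
"""Classify S3 bucket policy statements for Core Strategy #6: 'public',
'conditional', 'oai', 'scoped' or 'deny'. Policies are constructed samples."""

PUBLIC_READ = {"Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-static-site/*"}]}

OAI_ONLY = {"Statement": [
    {"Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::cloudfront:user/"
                          "CloudFront Origin Access Identity EXAMPLEOAIID"},
     "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-static-site/*"}]}


def _principals(stmt):
    """Normalise Principal ('*' or a map of AWS/Service/Federated/CanonicalUser
    to a string or list) into a flat list of principal strings."""
    p = stmt.get("Principal", {})
    if p == "*":
        return ["*"]
    out = []
    for v in p.values():
        out.extend(v if isinstance(v, list) else [v])
    return out


def classify(policy):
    """Return one label per statement, in statement order."""
    labels = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            labels.append("deny")
            continue
        prins = _principals(stmt)
        if "*" in prins:
            # A Condition narrows the grant but still needs review: only some
            # condition keys make S3 treat the statement as non-public.
            labels.append("conditional" if stmt.get("Condition") else "public")
        elif any("cloudfront:user/CloudFront Origin Access Identity" in p
                 for p in prins):
            labels.append("oai")
        else:
            labels.append("scoped")
    return labels
```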
12. Core Strategy #7 – Consider but Don't Over-Rely on Security Tools
AWS is releasing new features and tools all the time, but they should never be considered a replacement for foundational security practices.
AWS Native Solution(s):
AWS Inspector, Amazon Macie, Amazon WAF, AWS GuardDuty, AWS Security Hub, AWS Shield
Considerations:
Most common solutions encountered in the wild:
• AWS Inspector: Automated security assessment scanner which can evaluate security loopholes and deviation from best practices.
• Amazon Macie: Automatically discover, classify, and protect sensitive data.
• AWS WAF: Protect your web applications from common web exploits.
• Amazon GuardDuty: Threat detection service and continuous monitoring.
• AWS Shield: Managed DDoS protection service.
• AWS Security Hub: Comprehensive view of your high-priority security alerts and compliance status across AWS accounts.