Detecting Credential Compromise in AWS (SEC389) - AWS re:Invent 2018

•

0 likes•1,539 views

This talk discusses detecting compromised AWS credentials that are being used outside of an organization's environment. It describes challenges with detecting this using AWS CloudTrail event history and APIs due to limitations like pagination and rate limiting. The talk presents an approach that makes an assumption about how AWS works to overcome these challenges and enable full coverage detection within around 6 hours. It also covers preventing credential compromise by enforcing API access and protecting metadata.

© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Detecting Credential
Compromise in AWS
Will Bengtson
Senior Security Engineer
Netflix
SEC389

This is not a machine learning talk
Why use machine learning when things can be much more simple

Detecting Credential Compromise in AWS Will Bengtson
What is the scope of this talk?
Detection of compromised AWS instance credentials outside
of your environment
The AWS Security Token Service (AWS STS) is a web
service that enables you to request temporary, limited-
privilege credentials for AWS Identity and Access
Management (IAM) users or for users that you authenticate
(federated users)1
1 https://docs.aws.amazon.com/STS/latest/APIReference/Welcome.html

Detecting Credential Compromise in AWS Will Bengtson
AWS CloudTrail
CloudTrail provides event history of your AWS account
activity, including actions taken through the AWS
Management Console, AWS SDKs, command line tools, and
other AWS services.1
● Accessible via console
● Deliverable via Amazon Simple Storage Service (Amazon S3) or Amazon
CloudWatch Logs
○ AccountID_CloudTrail_RegionName_YYYYMMDDTHHmmZ?UniqueString.FileNameFormat
● Up to 15 or 20 minutes delayed
1 https://aws.amazon.com/cloudtrail/

https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-log-file-examples.html

Detecting Credential Compromise in AWS Will Bengtson
First Iteration
Requirements
● Know all IPs in environment (multiple accounts) for the
last hour
● Compare each IP found in CloudTrail to list of IPs
○ If we had the IP at the time of log keep going
○ If we DID NOT have the IP at the time of the log, ALERT

Detecting Credential Compromise in AWS Will Bengtson
AWS Limitations
● Pagination
● Rate Limiting

Detecting Credential Compromise in AWS Will Bengtson
● Use an understanding of how AWS works to our
advantage
● Make a strong but reasonable assumption
● Profit
From 0 to full coverage in around 6 hours
New Approach

Detecting Credential Compromise in AWS Will Bengtson

Detecting Credential Compromise in AWS Will Bengtson
identifier source_ip arn ttl_value

Detecting Credential Compromise in AWS Will Bengtson
identifier source_ip arn ttl_value
i-00000000000002131 arn:aws:iam::123456789012:ass
umed-role/myCoolRole
1531904179.955654

Detecting Credential Compromise in AWS Will Bengtson
identifier source_ip arn ttl_value
i-00000000000002131 52.95.255.121 arn:aws:iam::123456789012:ass
umed-role/myCoolRole
1531904179.955654

Detecting Credential Compromise in AWS Will Bengtson
Edge Cases
There are a few edge cases to this approach that you may want/need to account
for in order to prevent false positives. The edge cases are as follows:
● AWS will make calls on your behalf using your credentials if certain API calls
are made
○ sourceIPAddress: <service>.amazonaws.com
● You have an AWS VPC Endpoint(s) for certain AWS Services
○ sourceIPAddress: 192.168.0.22
● You attach a new ENI or associate a new address to your instance
○ sourceIPAddress: something new if external subnet

{
"Version": "2012-10-17",
"Statement": [
{
"Action": "*",
"Resource": "*",
"Effect": "Deny",
"Condition": {
"NotIpAddress": {
"aws:SourceIp": [
"52.13.101.11/32"
]
},
"StringNotEquals": {
"aws:SourceVpc": [
"vpc-12345678"
],
"aws:SourceVpce": [
"vpce-12345678"
]
}
}
}
]
}

Detecting Credential Compromise in AWS Will Bengtson
● Botocore
● Boto3
● Golang
● Java and Java v2
● Nodejs
● Ruby
Supported AWS SDKs Today

Detecting Credential Compromise in AWS Will Bengtson
● aws-sdk-
● Botocore/
● Boto3/
● aws-cli/
● aws-chalice/
User-Agent String Prefixes

Detecting Credential Compromise in AWS Will Bengtson
Final Thoughts
● Understand how AWS works and CloudTrail to make your life easier
● Understand what is logged in CloudTrail
○ Trailblazer
■ AWS API Enumeration for CloudTrail Intelligence / Attack Platform
■ https://github.com/willbengtson/trailblazer-aws
● AWS Credential Compromise Detection OSS
○ One way to detect credential compromise - Reference Architecture/Code
○ https://github.com/Netflix-Skunkworks/aws-credential-compromise-detection
● AWS Metadata Proxy
○ Example metadata proxy
○ https://github.com/Netflix-Skunkworks/aws-metadata-proxy

Please complete the
session survey in the
mobile app.
!
© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.

Thank you!
© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Will Bengtson
@__muscles

Enabling AWS CloudTrail for auditing purposes is often a corporate mandate, but do you know how to use CloudTrail events to improve your security and operational posture? Come learn how CloudTrail can help improve your operational monitoring and troubleshooting, security analysis, and compliance auditing processes. Discover best practices for setting up and using CloudTrail; explore use cases for data mining CloudTrail event data; learn how to set up alerts based on activity in your account; and learn about advanced use cases. Also learn how to implement data plane governance autoEnabling AWS CloudTrail for auditing purposes is often a corporate mandate, but do you know how to use CloudTrail events to improve your security and operational posture? Come learn how CloudTrail can help improve your operational monitoring and troubleshooting, security analysis, and compliance auditing processes. Discover best practices for setting up and using CloudTrail; explore use cases for data mining CloudTrail event data; learn how to set up alerts based on activity in your account; and learn about advanced use cases. Also learn how to implement data plane governance automation using data events from Amazon S3 and AWS Lambda. mation using data events from Amazon S3 and AWS Lambda.

Top Cloud Security Myths - Dispelled! (SEC202-R1) - AWS re:Invent 2018

Amazon Web Services

Enterprise Governance: Build Your AWS Landing Zone (ENT351-R1) - AWS re:Inven...

Amazon Web Services

Find All the Threats: AWS Threat Detection and Remediation (SEC331) - AWS re:...

Amazon Web Services

Join us for this hands-on workshop where you learn about a number of AWS services involved with threat detection and remediation as we walk through some real-world threat scenarios. Learn about the threat detection capabilities of Amazon GuardDuty, Amazon Macie, AWS Config, and the available remediation options. For each hands-on scenario, we review methods to remediate the threat using the following services: AWS CloudFormation, Amazon S3, AWS CloudTrail, Amazon VPC flow logs, Amazon CloudWatch Events, Amazon SNS, Amazon Macie, DNS logs, AWS Lambda, AWS Config, Amazon Inspector and, of course, Amazon GuardDuty.

The Perimeter is Dead. Long Live the Perimeters. (SEC312-S) - AWS re:Invent 2018

Amazon Web Services

Traditional data center environments have regarded the network boundary as a stable perimeter of defense, using gateway firewalls for effective protection. The public cloud, however, is exposing a plethora of hosted services directly to its users, bypassing traditional network filtering technologies, and effectively creating new perimeters around the various services and data element. Examples of these new perimeters include Amazon S3 buckets, Amazon EBS snapshots, and AWS Lambda functions. This session is brought to you by AWS partner, Dome9 Security Inc.

Meeting Enterprise Security Requirements with AWS Native Security Services (S...

Amazon Web Services

GE has very deep security requirements for their cloud applications. In this session, hear their story on replacing on premises complex solutions with AWS native services like Amazon GuardDuty, VPC Flow logs, AWS CloudTrail, and AWS Config rules. Learn how large enterprises can accelerate their cloud adoption by meeting established security standards with AWS native services. Please join us for a speaker meet-and-greet following this session at the Speaker Lounge (ARIA East, Level 1, Willow Lounge). The meet-and-greet starts 15 minutes after the session and runs for half an hour.

Automating Incident Response and Forensics

Amazon Web Services

The document discusses automating incident response and forensics in AWS. It focuses on two scenarios - detecting an insider threat based on an IAM access denied event, and responding to a compromised EC2 instance. For the insider threat, the presenter demonstrates how AWS services like CloudTrail, Lambda, and SNS can be used to detect the denied access and notify relevant parties. For the compromised instance, the presenter shows how Step Functions can automate isolating the instance and launching a "clean room" to forensically analyze the instance without further risk of compromise. The goal is to contain incidents quickly and gather information automatically without human intervention.

A DIY Guide to Runbooks, Security Incident Reports, & Incident Response (SEC3...

Amazon Web Services

In this session, we discuss how you should be building your runbooks and security incident report system (SIRS) using your company's real-world configuration and processes. Our goal is to give you an easier way to start your runbooks and create a SIRS. Now you can be the hero for your company by building a strategy and finding out how secure you are. You also learn more about why you should be running a DevSecOps pipeline and how it will help your team find threats in your production environment. Finally, learn how things are different in each level of environment and where your developers should be working.

SaaS presents developers with a unique blend of architectural challenges. Supporting a multi-tenant model often means re-thinking your approach to almost every layer of your architecture. Onboarding, security, data partitioning, tenant isolation, identity—these are areas that must be factored into how you design, build, and deploy your SaaS solution. Of course, the best way to wrap your mind around these SaaS architectural principles is to dig into a working example. In this workshop, we’ll expose you to the core concepts of SaaS architecture then dive into a reference SaaS architecture where you can see the moving parts of a SaaS solution in action. The goal here is to provide a series of activities that allow you to interact with a functional solution, introducing code and configuration that realizes and extends the capabilities of this SaaS environment. Through this combination of a brief lecture and hands-on exercises, you’ll get a healthy dose of SaaS best practices all through the lens of a working reference solution.

Threat Detection & Remediation Workshop - Module 2

Amazon Web Services

This document outlines an agenda for a workshop on threat detection and remediation. It includes: - Running a CloudFormation template to set up the initial environment. - A presentation on threat detection and remediation that discusses why it is difficult, the importance of removing humans from data analysis and detection, and AWS security services that can help. - A walkthrough of the workshop where participants will simulate attacks and threats in their environment and use AWS security tools like GuardDuty, Lambda, and CloudWatch Events for detection and remediation.

How Zocdoc Achieves Automatic Threat Detection & Remediation with Security as...

Amazon Web Services

Zocdoc, an online healthcare scheduling service, receives more than 6 million patient visits monthly. In less than 12 months, Zocdoc became a cloud-first organization to meet their business goals. This digital transformation allowed for rapid innovation and the ability to deliver products that align with demands of the 21st-century patient. In this session, Brian Lozada, CISO at Zocdoc, and Jay Ball, Head of Application Security, explain how Zocdoc uses AWS security services to seamlessly and automatically monitor, audit, and enforce their security policies within all their AWS environments. They use AWS security services, such as AWS Config, Amazon GuardDuty, Amazon Inspector, and AWS Shield, while using AWS Lambda functions to augment their security team, all without slowing down their developers.

Using AWS Lambda as a Security Team (SEC322-R1) - AWS re:Invent 2018

Amazon Web Services

Operating a security practice on AWS brings many new challenges and opportunities that have not been addressed in data center environments. The dynamic nature of infrastructure, the relationship between development team members and their applications, and the architecture paradigms have all changed as a result of building software on top of AWS. In this session, learn how your security team can leverage AWS Lambda as a tool to monitor, audit, and enforce your security policies within an AWS environment.

Leadership Session: AWS Security (SEC305-L) - AWS re:Invent 2018

Amazon Web Services

Come Out From Behind Your Firewall

Amazon Web Services

The document discusses traditional on-premise security approaches using firewalls and their limitations. It then covers cloud security using tools like CloudTrail, VPC flow logs, and GuardDuty for continuous monitoring. GuardDuty detects threats and security findings can be responded to automatically using Lambda. The document concludes with an overview of DevSecOps which aims to integrate security practices into the entire software development lifecycle through automation, testing, and a shared culture of security.

A 360-Degree Cloud-Native Approach to Secure Your AWS Cloud Stack (SEC313-S) ...

Amazon Web Services

Users are increasingly adopting AWS Cloud for their IT strategy to drive digital transformation. Securing clouds requires shared security responsibility. In this session, learn about the inherent threats and solutions needed to secure your entire cloud stack, from infrastructure to applications. Learn the importance of total visibility across your public clouds, and how to set up security for workloads from both internal and in the perimeter. Avoid issues such as data leaks and crypto-mining attacks through your cloud infrastructure with continuous security monitoring. Learn best practices from real-world examples of customers transparently orchestrating security into their practices and DevOps pipelines. This session is brought to you by AWS partner, Qualys.

Automated Solution for Deploying AWS Landing Zone (GPSWS407) - AWS re:Invent ...

Amazon Web Services

The document discusses an automated solution for deploying an AWS Landing Zone. It describes the AWS Landing Zone as providing an easy way to set up a new multi-account AWS environment based on AWS best practices. The solution automates the initial setup of accounts and baseline security and governance controls. It also includes an AWS Account Vending Machine that allows additional accounts to be automatically provisioned with security baselines. The workshop will include demos of deploying a Landing Zone, creating new accounts via the AWS Vending Machine, and extending the Landing Zone with add-on features.

Drive Self-Service & Standardization in the First 100 Days of Your Cloud Migr...

Amazon Web Services

This document discusses GoDaddy's journey to migrate their infrastructure and applications to AWS over a 15-month period. It describes how they used AWS Service Catalog to standardize infrastructure deployment and provide self-service provisioning for their development teams. The migration involved 3 phases: an initial onboarding of 10 teams (Phase 1), a second round of onboarding (Phase 2), and ongoing onboarding while building out a self-service portal (Phase 3). By the end of Phase 3, GoDaddy had enabled self-service provisioning for their teams through the use of AWS Service Catalog.

Become an IAM Policy Master in 60 Minutes or Less (SEC316-R1) - AWS reInvent ...

Amazon Web Services

Are you interested in becoming a IAM policy master and learning about powerful techniques for controlling access to AWS resources? If your answer is “yes,” this session is for you. Join us as we cover the different types of policies and describe how they work together to control access to resources in your account and across your AWS organization. We walk through use cases that help you delegate permission management to developers by demonstrating IAM permission boundaries. We take an in-depth look at controlling access to specific AWS regions using condition keys. Finally, we explain how to use tags to scale permissions management in your account. This session requires you to know the basics of IAM policies.

Operational Excellence for Identity & Access Management (SEC334) - AWS re:Inv...

Amazon Web Services

The document discusses operational excellence for identity and access management using an AWS Landing Zone solution, which automates the setup of new AWS multi-account environments based on best practices and recommendations and provides initial security, governance, and shared service controls. It describes the components of the AWS Landing Zone including AWS Organizations, AWS Config, and IAM and how labs can be used to demonstrate creating guardrails, applying governance, and handling drift across accounts to meet security and operational goals.

AWS Security by Design

Amazon Web Services

The document discusses security best practices for AWS, including implementing a segregated account environment, strong identity and access management, enabling traceability through logging and monitoring, and applying security controls at multiple layers. It provides examples of setting up identity and access management with AWS IAM, implementing detective controls with AWS CloudTrail and GuardDuty, and using network and host-level security features like VPCs, security groups, and AWS WAF.

Executive Security Simulation Workshop (WPS206) - AWS re:Invent 2018

Amazon Web Services

The Executive Security Simulation takes senior security management and IT/business executive teams through an experiential exercise that illuminates key decision points for a successful and secure cloud journey. During this team-based, game-like competitive simulation, participants leverage an industry case study to make strategic security, risk, and compliance time-based decisions and investments. Participants experience the impact of these investments and decisions on the critical aspects of their secure cloud adoption. Join this workshop to gain an understanding of the major success factors to lead security, risk, and compliance in the cloud, and learn applicable decision and investment approaches to specific secure cloud adoption journeys. AWS facilitators translate lessons learned in the simulation into real-life examples and practical advice for your team.

How to Perform Forensics on AWS Using Serverless Infrastructure (SEC416-R1) -...

Amazon Web Services

Performing forensics on AWS resources is a new experience for many customers who might have older runbooks based on on-premises workflows using manual steps, or perhaps no processes in place at all. In this session, get a deeper insight into the various runbooks to perform practical forensic tasks on AWS resources like Amazon EC2 instances, using a combination of industry tooling, AWS serverless services like AWS Lambda and AWS Step Functions, and managed services like Amazon Athena.

Serverless Authentication and Authorisation for Your APIs on AWS

Amazon Web Services

The document discusses authentication and authorization best practices when building APIs and applications. It describes using Amazon Cognito for user management, including sign up, verification, authentication, and issuing JSON Web Tokens (JWTs). Cognito handles common user flows and security requirements out of the box, and also allows customization. The document provides an example user flow diagram and explains the JSON Web Token (JWT) structure with header, payload and signature.

AWS Security Best Practices

Aleksandr Maklakov

The document discusses security best practices when using AWS. It highlights some common security anti-patterns to avoid, such as overcrowding AWS accounts, using personal AWS accounts, and relying only on manual technical auditing. It promotes practices like implementing least privilege access, continuous automated auditing using native AWS services, and adopting a DevSecOps approach to development that incorporates security testing and monitoring throughout the software development lifecycle.

IAM for Enterprises: How Vanguard Matured IAM Controls to Support Micro Accou...

Amazon Web Services

In this session, learn how Vanguard has matured their IAM controls and automation to support a micro-account strategy, providing further agility to developers while reducing blast radius and improving governance. You learn how Vanguard uses STS Federation at the OU level, builds common roles across all micro accounts, implements AWS Organizations SCPs, and uses different network control zones for admin vs. non-admin functions. Vanguard also shares how they are using AWS Lambda to block escalation of privilege.

Automating Compliance Certification with Automated Mathematical Proof (SEC330...

Amazon Web Services

At AWS, we have begun using automated mathematical proof search methods to automate compliance certification. Our approach uses automated mathematical proof tools to find arguments that express, in a repeatable precise way, what controls are used, and why and how they are correctly implemented. In this chalk talk, learn how auditors can independently validate design and operating effectiveness using open-source and community-validated tools. This validation approach provides evidence of the operating effectiveness of a control at all times, for all operations. This approach can reduce costs and takes the time spent achieving compliance certification from months to seconds. This approach can also remove ambiguity from what it means to be compliant with a particular control.

Security at Scale: Security Hub and the Well Architected Framework - AWS Summ...

Amazon Web Services

Using AWS to Ingest, Store, Archive, Share and carry out Analysis of Video Co...

Amazon Web Services

This document discusses using AWS services for ingesting, storing, sharing, and analyzing video content. It describes how to stream live video from millions of devices using Amazon Kinesis Video Streams and then analyze the video using Amazon Rekognition. It also provides an example of building a system to detect faces on video streams from cameras using DeepLens and storing the results in databases like DynamoDB for further processing.

Detecting Credential Compromise in AWS (Black Hat Conference 2018)

Priyanka Aash

Credential compromise in the cloud is not a threat that one company faces, rather it is a widespread concern as more and more companies operate in the cloud. Credential compromise can lead to many different outcomes depending on the motive of the attacker who compromised the credentials. In some cases in the past, it has led to erroneous AWS service usage for bitcoin mining or other non-destructive yet costly abuse, and in others it has led to companies shutting down due to the loss of data and infrastructure. This paper describes an approach for detection of compromised credentials in AWS without needing to know all IPs in your infrastructure beforehand.

Secure Your AWS Account and Your Organization's Accounts - SID202 - Chicago A...

Amazon Web Services

The cloud enables users to run workloads more securely than they could in a traditional data center. However, customers are still not sure how to harden their AWS accounts and resources in order to enforce compliance. Consistency around governance can also be a concern when large customers have multiple accounts. In this session, we show you how to use automation, tools, and techniques to harden and audit your AWS account as well as how to leverage AWS Organizations to ensure compliance in your enterprise.

What's hot

Hands-on SaaS: Constructing a Multi-Tenant Solution on AWS (ARC327-R1) - AWS ...

Amazon Web Services

Threat Detection & Remediation Workshop - Module 2

Amazon Web Services

How Zocdoc Achieves Automatic Threat Detection & Remediation with Security as...

Amazon Web Services

Using AWS Lambda as a Security Team (SEC322-R1) - AWS re:Invent 2018

Amazon Web Services

Leadership Session: AWS Security (SEC305-L) - AWS re:Invent 2018

Amazon Web Services

Come Out From Behind Your Firewall

Amazon Web Services

A 360-Degree Cloud-Native Approach to Secure Your AWS Cloud Stack (SEC313-S) ...

Amazon Web Services

Automated Solution for Deploying AWS Landing Zone (GPSWS407) - AWS re:Invent ...

Amazon Web Services

Drive Self-Service & Standardization in the First 100 Days of Your Cloud Migr...

Amazon Web Services

Become an IAM Policy Master in 60 Minutes or Less (SEC316-R1) - AWS reInvent ...

Amazon Web Services

Operational Excellence for Identity & Access Management (SEC334) - AWS re:Inv...

Amazon Web Services

AWS Security by Design

Amazon Web Services

Executive Security Simulation Workshop (WPS206) - AWS re:Invent 2018

Amazon Web Services

How to Perform Forensics on AWS Using Serverless Infrastructure (SEC416-R1) -...

Amazon Web Services

Serverless Authentication and Authorisation for Your APIs on AWS

Amazon Web Services

AWS Security Best Practices

Aleksandr Maklakov

IAM for Enterprises: How Vanguard Matured IAM Controls to Support Micro Accou...

Amazon Web Services

Automating Compliance Certification with Automated Mathematical Proof (SEC330...

Amazon Web Services

Security at Scale: Security Hub and the Well Architected Framework - AWS Summ...

Amazon Web Services

Using AWS to Ingest, Store, Archive, Share and carry out Analysis of Video Co...

Amazon Web Services

What's hot (20)

Hands-on SaaS: Constructing a Multi-Tenant Solution on AWS (ARC327-R1) - AWS ...

Threat Detection & Remediation Workshop - Module 2

How Zocdoc Achieves Automatic Threat Detection & Remediation with Security as...

Using AWS Lambda as a Security Team (SEC322-R1) - AWS re:Invent 2018

Leadership Session: AWS Security (SEC305-L) - AWS re:Invent 2018

Come Out From Behind Your Firewall

A 360-Degree Cloud-Native Approach to Secure Your AWS Cloud Stack (SEC313-S) ...

Automated Solution for Deploying AWS Landing Zone (GPSWS407) - AWS re:Invent ...

Drive Self-Service & Standardization in the First 100 Days of Your Cloud Migr...

Become an IAM Policy Master in 60 Minutes or Less (SEC316-R1) - AWS reInvent ...

Operational Excellence for Identity & Access Management (SEC334) - AWS re:Inv...

AWS Security by Design

Executive Security Simulation Workshop (WPS206) - AWS re:Invent 2018

How to Perform Forensics on AWS Using Serverless Infrastructure (SEC416-R1) -...

Serverless Authentication and Authorisation for Your APIs on AWS

AWS Security Best Practices

IAM for Enterprises: How Vanguard Matured IAM Controls to Support Micro Accou...

Automating Compliance Certification with Automated Mathematical Proof (SEC330...

Security at Scale: Security Hub and the Well Architected Framework - AWS Summ...

Using AWS to Ingest, Store, Archive, Share and carry out Analysis of Video Co...

Similar to Detecting Credential Compromise in AWS (SEC389) - AWS re:Invent 2018

Detecting Credential Compromise in AWS (Black Hat Conference 2018)

Priyanka Aash

Secure Your AWS Account and Your Organization's Accounts - SID202 - Chicago A...

Amazon Web Services

Secure your AWS Account and your Organization's Accounts

Amazon Web Services

Jeff Lombardo - Enforcing access control in depth with AWS - v1.2.pdf

Jean-François LOMBARDO

Infrastructure Security services are seen as the traditional mechanisms for enforcing protection of data. But now Identity and Access Management has to be considered too to prevent illegitimate access to information, unauthorized usage of services, and tampering of data. This is why, at AWS, Identity and Access Management oriented services is global service in our portfolio. Implementing a least privileged model for your workload requires that you consider what each component must have as permissions. For example: is it better to assign an IAM role to your Compute instance or to impersonate the initial requestor with their roles and permissions? Are the attributes of the requestor important for your access control logic? Can the context of the request influence how the resource should be disclosed? Answering those questions will allow you to design and implement access control thanks to a composition of multiple mechanisms. Through this session, we will describe how a very simple web store application will benefit from implementing: identity federation, attribute-based access control, and security token exchange through the usage of the appropriate AWS services.

Understanding AWS Security

Amazon Web Services

AWS Summit 2014 Melbourne - Breakout 3 The AWS Cloud infrastructure has been architected to be one of the most flexible and secure cloud computing environments available today. In this session, we’ll provide a practical understanding of the assurance programs that AWS provides; such as HIPAA, FedRAMP(SM), PCI DSS Level 1, MPAA, and many others. We’ll also address the types of business solutions that these certifications enable you to deploy on the AWS Cloud, as well as the tools and services AWS makes available to customers to secure and manage their resources. Presenter: Stephen Quigg, Solutions Architect, APAC, Amazon Web Services

Network Security and Access Control within AWS

Amazon Web Services

AWS provides several security capabilities and services to increase privacy and control infrastructure access. Built-in firewalls allow you to create private networks within AWS, and also control network access to your instances and subnets. Identity and access management capabilities enable you to define individual user accounts with permissions across AWS resources. AWS also provides tools and features that enable you to see exactly what’s happening in your AWS environment. In this session, you will gain an understanding of preventive and detective controls at the infrastructure level on AWS. We will cover Identity and Access Management as well as the security aspects of Amazon EC2, Virtual Private Cloud (VPC), Elastic Load Balancing (ELB), and CloudTrail.

Security & Governance on AWS – Better, Faster, and Cost Effective - Technical...

Amazon Web Services

AWS and the Cloud has ushered in a new era for Information Security & Risk Professionals. In this session, we will talk through how the world's leading corporates are reinventing their internal GRC practices to enable their business to leverage the business value of AWS while improving the security posture of their organisation. We will talk about the journey undertaken by globally regulated entities such as Capital One who now believe they can operate more securely in the public cloud than they can in their own data centres. Finally, we will provide lessons and best practices on how you can use AWS to improve the security posture of your organisation. Speaker: Rodney Haywood, Manager Solutions Architecture, Amazon Web Services Featured Customer - Xero

Simplify & Standardise Your Migration to AWS with a Migration Landing Zone

Amazon Web Services

With customers migrating workloads to AWS, we are starting to see a need for the creation of a prescribed landing zone, which uses native AWS capabilities and meets or exceeds customers' security and compliance objectives. In this session, we will describe an AWS landing zone and explain features for account structuring, user configuration, provisioning, networking and operation automation. The Migration Landing Zone solution is based on AWS native capabilities such as AWS Service Catalog, AWS Identity and Access Management, AWS Config Rules, AWS CloudTrail and AWS Lambda. We will provide an overview of AWS Service Catalog and how it be used to provide self-service infrastructure to applications users, including various options for automation. After this session you will be able to configure an AWS landing zone for successful large scale application migrations. Speaker: Koen Biggelaar, Senior Manager, Solutions Architecture, Amazon Web Services and Mahmoud ElZayet

AWS Summit Auckland Sponsor presentation - Bulletproof

Amazon Web Services

Xero migrated their cloud infrastructure to AWS to improve data protection, eliminate scheduled downtime, maintain and improve security, and reduce costs per customer. They focused on automating security, accelerating the pace of security innovation, and creating on-demand security infrastructure that scales. Key learnings included measuring and testing everything, adopting a security-by-design approach, and ensuring good communication.

Following Well Architected Frameworks - Lunch and Learn.pdf

Amazon Web Services

The AWS Well-Architected Framework enables customers to understand best practices around security, reliability, performance, cost optimization and operational excellence when building systems on AWS. This approach helps customers make informed decisions and weigh the pros and cons of application design patterns for the cloud. In this session, you'll learn how to use the Well-Architected Framework to follow AWS guidelines and best practices to your architecture on AWS.

Security and Compliance Better on AWS_John Hildebrandt

Helen Rogers

This document discusses security on AWS. It begins by outlining AWS's security practices and culture, including how access is limited and monitored. It then explains the shared responsibility model where AWS is responsible for security of the cloud, while customers are responsible for security in the cloud. The document provides examples of how AWS tools can help with security best practices like the Essential 8, encryption, DDoS protection, and more. It also discusses how customers have control over aspects like data location, access management, and infrastructure configuration. The document concludes that security is the top priority at AWS and customers are generally better off from a security perspective using AWS than maintaining their own environments.

Getting Started with Windows Workloads on Amazon EC2

Amazon Web Services

This document provides an overview and introduction to using Windows workloads on Amazon EC2. It discusses AWS regions and availability zones, reference architectures including for SQL Server and Active Directory, developing on AWS for Windows using tools like AWS Toolkit for Visual Studio, licensing options like Dedicated Hosts that allow using existing Microsoft licenses, and demoing PowerShell for importing VMs. Technical resources are provided including quickstarts, whitepapers, videos and the upcoming re:Invent conference for the Windows track.

Getting Started with AWS Security

Amazon Web Services

Amazon Web Services offers a wide range of tools and features to help you to meet your security objectives. These tools mirror the familiar controls you deploy within your on-premises environments. Amazon Web Services provides security-specific tools and features across network security, configuration management, access control and data security. In addition, Amazon Web Services provides monitoring and logging tools to provide full visibility into what is happening in your environment. In this session, you will get introduced to the range of security tools and features that Amazon Web Services offers, and the latest security innovations coming from Amazon Web Services. Andrew Watts-Curnow, Cloud Architect - Professional Services, ASEAN

What's new in Serverless at AWS?

Daniel Zivkovic

The entire AWS Serverless Developer Advocates team recaps the news from Amazon Web Services & answers many serverless questions, so the event felt like a mini re:Invent. The meetup recording with TOC for easy navigation is at https://www.youtube.com/watch?v=Y4vMXsY2Pc4. Thank you @talia_nassi, @edjgeek, @benjamin_l_s, @julian_wood and @jbesw for visiting our Serverless Tronto community! P.S. For more interactive lectures like this, go to http://youtube.serverlesstoronto.org/ or sign up for our upcoming live events at https://www.meetup.com/Serverless-Toronto/events/

The fundamentals of AWS cloud security - FND209-R - AWS re:Inforce 2019

Amazon Web Services

The services that make up AWS are many and varied, but the set of concepts you need to secure your data and infrastructure is simple and straightforward. By the end of this session, you will know the fundamental patterns that you can apply to secure any workload you run in AWS with confidence. We cover the basics of network security, the process of reading and writing access management policies, and data encryption.

AWSKRUG 콘퍼런스 - re:Invent 신규 서비스 (박상욱) - 보안, 인프라 관련 서비스 소개

AWSKRUG - AWS한국사용자모임

Going Further with VMware Cloud on AWS: New Integration Options with Native A...

Amazon Web Services

SID201 Overview of AWS Identity, Directory, and Access Services

Amazon Web Services

Every journey to the AWS Cloud is unique. Some customers are migrating existing applications, while others are building new applications using cloud-native services. Along each of these journeys, identity and access management helps customers protect their applications and resources. In this session, you learn how AWS identity services provide you a secure, flexible, and easy solution for managing identities and access on the AWS Cloud. With AWS identity services, you do not have to adapt to AWS. Instead, you have a choice of services designed to meet you anywhere along your journey to the AWS Cloud.

Understanding AWS Security

Amazon Web Services

This document summarizes some key capabilities and benefits of AWS security. It discusses how AWS provides more visibility into environments through services like CloudTrail, more auditability options, and more control over networking, data encryption, and user access through features such as IAM, VPCs, and encryption services. The document argues that AWS can provide even stronger security than on-premises data centers due to its defense-in-depth approach and ability to rapidly scale security capabilities.

Aws certification training guruprasanth.s

GURUPRASANTH33

The document discusses an AWS certification training course offered by Apponix. The course covers AWS concepts, services like S3, EC2, EBS, deployment and management options. It notes that completing the course can lead to a salary of around Rs. 6,09,553 per year for an AWS cloud administrator according to payscale.com. There are many job opportunities with AWS skills as AWS has over 70% of the cloud services market share and 83% of enterprise workloads are expected to move to the cloud. Responsibilities of an AWS job include managing AWS accounts, resources like EC2 instances, VPC, monitoring with CloudWatch and CloudTrail. Contact details for Apponix are also provided.

Similar to Detecting Credential Compromise in AWS (SEC389) - AWS re:Invent 2018 (20)

Detecting Credential Compromise in AWS (Black Hat Conference 2018)

Secure Your AWS Account and Your Organization's Accounts - SID202 - Chicago A...

Secure your AWS Account and your Organization's Accounts

Jeff Lombardo - Enforcing access control in depth with AWS - v1.2.pdf

Understanding AWS Security

Network Security and Access Control within AWS

Security & Governance on AWS – Better, Faster, and Cost Effective - Technical...

Simplify & Standardise Your Migration to AWS with a Migration Landing Zone

AWS Summit Auckland Sponsor presentation - Bulletproof

Following Well Architected Frameworks - Lunch and Learn.pdf

Security and Compliance Better on AWS_John Hildebrandt

Getting Started with Windows Workloads on Amazon EC2

Getting Started with AWS Security

What's new in Serverless at AWS?

The fundamentals of AWS cloud security - FND209-R - AWS re:Inforce 2019

AWSKRUG 콘퍼런스 - re:Invent 신규 서비스 (박상욱) - 보안, 인프라 관련 서비스 소개

Going Further with VMware Cloud on AWS: New Integration Options with Native A...

SID201 Overview of AWS Identity, Directory, and Access Services

Understanding AWS Security

Aws certification training guruprasanth.s

More from Amazon Web Services

Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...

Amazon Web Services

Il Forecasting è un processo importante per tantissime aziende e viene utilizzato in vari ambiti per cercare di prevedere in modo accurato la crescita e distribuzione di un prodotto, l’utilizzo delle risorse necessarie nelle linee produttive, presentazioni finanziarie e tanto altro. Amazon utilizza delle tecniche avanzate di forecasting, in parte questi servizi sono stati messi a disposizione di tutti i clienti AWS. In questa sessione illustreremo come pre-processare i dati che contengono una componente temporale e successivamente utilizzare un algoritmo che a partire dal tipo di dato analizzato produce un forecasting accurato.

Big Data per le Startup: come creare applicazioni Big Data in modalità Server...

Amazon Web Services

La varietà e la quantità di dati che si crea ogni giorno accelera sempre più velocemente e rappresenta una opportunità irripetibile per innovare e creare nuove startup. Tuttavia gestire grandi quantità di dati può apparire complesso: creare cluster Big Data su larga scala sembra essere un investimento accessibile solo ad aziende consolidate. Ma l’elasticità del Cloud e, in particolare, i servizi Serverless ci permettono di rompere questi limiti. Vediamo quindi come è possibile sviluppare applicazioni Big Data rapidamente, senza preoccuparci dell’infrastruttura, ma dedicando tutte le risorse allo sviluppo delle nostre le nostre idee per creare prodotti innovativi.

Esegui pod serverless con Amazon EKS e AWS Fargate

Amazon Web Services

Ora puoi utilizzare Amazon Elastic Kubernetes Service (EKS) per eseguire pod Kubernetes su AWS Fargate, il motore di elaborazione serverless creato per container su AWS. Questo rende più semplice che mai costruire ed eseguire le tue applicazioni Kubernetes nel cloud AWS.In questa sessione presenteremo le caratteristiche principali del servizio e come distribuire la tua applicazione in pochi passaggi

Costruire Applicazioni Moderne con AWS

Amazon Web Services

Vent'anni fa Amazon ha attraversato una trasformazione radicale con l'obiettivo di aumentare il ritmo dell'innovazione. In questo periodo abbiamo imparato come cambiare il nostro approccio allo sviluppo delle applicazioni ci ha permesso di aumentare notevolmente l'agilità, la velocità di rilascio e, in definitiva, ci ha consentito di creare applicazioni più affidabili e scalabili. In questa sessione illustreremo come definiamo le applicazioni moderne e come la creazione di app moderne influisce non solo sull'architettura dell'applicazione, ma sulla struttura organizzativa, sulle pipeline di rilascio dello sviluppo e persino sul modello operativo. Descriveremo anche approcci comuni alla modernizzazione, compreso l'approccio utilizzato dalla stessa Amazon.com.

Come spendere fino al 90% in meno con i container e le istanze spot

Amazon Web Services

L’utilizzo dei container è in continua crescita. Se correttamente disegnate, le applicazioni basate su Container sono molto spesso stateless e flessibili. I servizi AWS ECS, EKS e Kubernetes su EC2 possono sfruttare le istanze Spot, portando ad un risparmio medio del 70% rispetto alle istanze On Demand. In questa sessione scopriremo insieme quali sono le caratteristiche delle istanze Spot e come possono essere utilizzate facilmente su AWS. Impareremo inoltre come Spreaker sfrutta le istanze spot per eseguire applicazioni di diverso tipo, in produzione, ad una frazione del costo on-demand!

Open banking as a service

Amazon Web Services

In recent months, many customers have been asking us the question – how to monetise Open APIs, simplify Fintech integrations and accelerate adoption of various Open Banking business models. Therefore, AWS and FinConecta would like to invite you to Open Finance marketplace presentation on October 20th. Event Agenda : Open banking so far (short recap) • PSD2, OB UK, OB Australia, OB LATAM, OB Israel Intro to Open Finance marketplace • Scope • Features • Tech overview and Demo The role of the Cloud The Future of APIs • Complying with regulation • Monetizing data / APIs • Business models • Time to market One platform for all: a Strategic approach Q&A

Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...

Amazon Web Services

Per creare valore e costruire una propria offerta differenziante e riconoscibile, le startup di successo sanno come combinare tecnologie consolidate con componenti innovativi creati ad hoc. AWS fornisce servizi pronti all'utilizzo e, allo stesso tempo, permette di personalizzare e creare gli elementi differenzianti della propria offerta. Concentrandoci sulle tecnologie di Machine Learning, vedremo come selezionare i servizi di intelligenza artificiale offerti da AWS e, anche attraverso una demo, come costruire modelli di Machine Learning personalizzati utilizzando SageMaker Studio.

OpsWorks Configuration Management: automatizza la gestione e i deployment del...

Amazon Web Services

Con l'approccio tradizionale al mondo IT per molti anni è stato difficile implementare tecniche di DevOps, che finora spesso hanno previsto attività manuali portando di tanto in tanto a dei downtime degli applicativi interrompendo l'operatività dell'utente. Con l'avvento del cloud, le tecniche di DevOps sono ormai a portata di tutti a basso costo per qualsiasi genere di workload, garantendo maggiore affidabilità del sistema e risultando in dei significativi miglioramenti della business continuity. AWS mette a disposizione AWS OpsWork come strumento di Configuration Management che mira ad automatizzare e semplificare la gestione e i deployment delle istanze EC2 per mezzo di workload Chef e Puppet. Scopri come sfruttare AWS OpsWork a garanzia e affidabilità del tuo applicativo installato su Instanze EC2.

Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads

Amazon Web Services

Vuoi conoscere le opzioni per eseguire Microsoft Active Directory su AWS? Quando si spostano carichi di lavoro Microsoft in AWS, è importante considerare come distribuire Microsoft Active Directory per supportare la gestione, l'autenticazione e l'autorizzazione dei criteri di gruppo. In questa sessione, discuteremo le opzioni per la distribuzione di Microsoft Active Directory su AWS, incluso AWS Directory Service per Microsoft Active Directory e la distribuzione di Active Directory su Windows su Amazon Elastic Compute Cloud (Amazon EC2). Trattiamo argomenti quali l'integrazione del tuo ambiente Microsoft Active Directory locale nel cloud e l'utilizzo di applicazioni SaaS, come Office 365, con AWS Single Sign-On.

Computer Vision con AWS

Amazon Web Services

Database Oracle e VMware Cloud on AWS i miti da sfatare

Amazon Web Services

Amazon Web Services e VMware organizzano un evento virtuale gratuito il prossimo mercoledì 14 Ottobre dalle 12:00 alle 13:00 dedicato a VMware Cloud ™ on AWS, il servizio on demand che consente di eseguire applicazioni in ambienti cloud basati su VMware vSphere® e di accedere ad una vasta gamma di servizi AWS, sfruttando a pieno le potenzialità del cloud AWS e tutelando gli investimenti VMware esistenti. Molte organizzazioni sfruttano i vantaggi del cloud migrando i propri carichi di lavoro Oracle e assicurandosi notevoli vantaggi in termini di agilità ed efficienza dei costi. La migrazione di questi carichi di lavoro, può creare complessità durante la modernizzazione e il refactoring delle applicazioni e a questo si possono aggiungere rischi di prestazione che possono essere introdotti quando si spostano le applicazioni dai data center locali.

Crea la tua prima serverless ledger-based app con QLDB e NodeJS

Amazon Web Services

Molte aziende oggi, costruiscono applicazioni con funzionalità di tipo ledger ad esempio per verificare lo storico di accrediti o addebiti nelle transazioni bancarie o ancora per tenere traccia del flusso supply chain dei propri prodotti. Alla base di queste soluzioni ci sono i database ledger che permettono di avere un log delle transazioni trasparente, immutabile e crittograficamente verificabile, ma sono strumenti complessi e onerosi da gestire. Amazon QLDB elimina la necessità di costruire sistemi personalizzati e complessi fornendo un database ledger serverless completamente gestito. In questa sessione scopriremo come realizzare un'applicazione serverless completa che utilizzi le funzionalità di QLDB.

API moderne real-time per applicazioni mobili e web

Amazon Web Services

Con l’ascesa delle architetture di microservizi e delle ricche applicazioni mobili e Web, le API sono più importanti che mai per offrire agli utenti finali una user experience eccezionale. In questa sessione impareremo come affrontare le moderne sfide di progettazione delle API con GraphQL, un linguaggio di query API open source utilizzato da Facebook, Amazon e altro e come utilizzare AWS AppSync, un servizio GraphQL serverless gestito su AWS. Approfondiremo diversi scenari, comprendendo come AppSync può aiutare a risolvere questi casi d’uso creando API moderne con funzionalità di aggiornamento dati in tempo reale e offline. Inoltre, impareremo come Sky Italia utilizza AWS AppSync per fornire aggiornamenti sportivi in tempo reale agli utenti del proprio portale web.

Database Oracle e VMware Cloud™ on AWS: i miti da sfatare

Amazon Web Services

Molte organizzazioni sfruttano i vantaggi del cloud migrando i propri carichi di lavoro Oracle e assicurandosi notevoli vantaggi in termini di agilità ed efficienza dei costi. La migrazione di questi carichi di lavoro, può creare complessità durante la modernizzazione e il refactoring delle applicazioni e a questo si possono aggiungere rischi di prestazione che possono essere introdotti quando si spostano le applicazioni dai data center locali. In queste slide, gli esperti AWS e VMware presentano semplici e pratici accorgimenti per facilitare e semplificare la migrazione dei carichi di lavoro Oracle accelerando la trasformazione verso il cloud, approfondiranno l’architettura e dimostreranno come sfruttare a pieno le potenzialità di VMware Cloud ™ on AWS.

Tools for building your MVP on AWS

Amazon Web Services

1) The document discusses building a minimum viable product (MVP) using Amazon Web Services (AWS). 2) It provides an example of an MVP for an omni-channel messenger platform that was built from 2017 to connect ecommerce stores to customers via web chat, Facebook Messenger, WhatsApp, and other channels. 3) The founder discusses how they started with an MVP in 2017 with 200 ecommerce stores in Hong Kong and Taiwan, and have since expanded to over 5000 clients across Southeast Asia using AWS for scaling.

How to Build a Winning Pitch Deck

Amazon Web Services

This document discusses pitch decks and fundraising materials. It explains that venture capitalists will typically spend only 3 minutes and 44 seconds reviewing a pitch deck. Therefore, the deck needs to tell a compelling story to grab their attention. It also provides tips on tailoring different types of decks for different purposes, such as creating a concise 1-2 page teaser, a presentation deck for pitching in-person, and a more detailed read-only or fundraising deck. The document stresses the importance of including key information like the problem, solution, product, traction, market size, plans, team, and ask.

Building a web application without servers

Amazon Web Services

This document discusses building serverless web applications using AWS services like API Gateway, Lambda, DynamoDB, S3 and Amplify. It provides an overview of each service and how they can work together to create a scalable, secure and cost-effective serverless application stack without having to manage servers or infrastructure. Key services covered include API Gateway for hosting APIs, Lambda for backend logic, DynamoDB for database needs, S3 for static content, and Amplify for frontend hosting and continuous deployment.

Fundraising Essentials

Amazon Web Services

This document provides tips for fundraising from startup founders Roland Yau and Sze Lok Chan. It discusses generating competition to create urgency for investors, fundraising in parallel rather than sequentially, having a clear fundraising narrative focused on what you do and why it's compelling, and prioritizing relationships with people over firms. It also notes how the pandemic has changed fundraising, with examples of deals done virtually during this time. The tips emphasize being fully prepared before fundraising and cultivating connections with investors in advance.

AWS_HK_StartupDay_Building Interactive websites while automating for efficien...

Amazon Web Services

This document discusses Amazon's machine learning services for building conversational interfaces and extracting insights from unstructured text and audio. It describes Amazon Lex for creating chatbots, Amazon Comprehend for natural language processing tasks like entity extraction and sentiment analysis, and how they can be used together for applications like intelligent call centers and content analysis. Pre-trained APIs simplify adding machine learning to apps without requiring ML expertise.

Introduzione a Amazon Elastic Container Service

Amazon Web Services

Amazon Elastic Container Service (Amazon ECS) è un servizio di gestione dei container altamente scalabile, che semplifica la gestione dei contenitori Docker attraverso un layer di orchestrazione per il controllo del deployment e del relativo lifecycle. In questa sessione presenteremo le principali caratteristiche del servizio, le architetture di riferimento per i differenti carichi di lavoro e i semplici passi necessari per poter velocemente migrare uno o più dei tuo container.

More from Amazon Web Services (20)

Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...

Big Data per le Startup: come creare applicazioni Big Data in modalità Server...

Esegui pod serverless con Amazon EKS e AWS Fargate

Costruire Applicazioni Moderne con AWS

Come spendere fino al 90% in meno con i container e le istanze spot

Open banking as a service

Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...

OpsWorks Configuration Management: automatizza la gestione e i deployment del...

Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads

Computer Vision con AWS

Database Oracle e VMware Cloud on AWS i miti da sfatare

Crea la tua prima serverless ledger-based app con QLDB e NodeJS

API moderne real-time per applicazioni mobili e web

Database Oracle e VMware Cloud™ on AWS: i miti da sfatare

Tools for building your MVP on AWS

How to Build a Winning Pitch Deck

Building a web application without servers

Fundraising Essentials

AWS_HK_StartupDay_Building Interactive websites while automating for efficien...

Introduzione a Amazon Elastic Container Service

Detecting Credential Compromise in AWS (SEC389) - AWS re:Invent 2018

3. This is not a machine learning talk Why use machine learning when things can be much more simple

4. Detecting Credential Compromise in AWS Will Bengtson What is the scope of this talk? Detection of compromised AWS instance credentials outside of your environment The AWS Security Token Service (AWS STS) is a web service that enables you to request temporary, limited- privilege credentials for AWS Identity and Access Management (IAM) users or for users that you authenticate (federated users)1 1 https://docs.aws.amazon.com/STS/latest/APIReference/Welcome.html

5. WHAT’S THE PROBLEM?

6. WHO IS DOING THIS WELL?

7. WHY IS THIS SO HARD?

8. WHAT TOOLS ARE THERE?

9. Detecting Credential Compromise in AWS Will Bengtson AWS CloudTrail CloudTrail provides event history of your AWS account activity, including actions taken through the AWS Management Console, AWS SDKs, command line tools, and other AWS services.1 ● Accessible via console ● Deliverable via Amazon Simple Storage Service (Amazon S3) or Amazon CloudWatch Logs ○ AccountID_CloudTrail_RegionName_YYYYMMDDTHHmmZ?UniqueString.FileNameFormat ● Up to 15 or 20 minutes delayed 1 https://aws.amazon.com/cloudtrail/

10. https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-log-file-examples.html

11. S3 Bucket

12. First Iteration

13. Detecting Credential Compromise in AWS Will Bengtson First Iteration Requirements ● Know all IPs in environment (multiple accounts) for the last hour ● Compare each IP found in CloudTrail to list of IPs ○ If we had the IP at the time of log keep going ○ If we DID NOT have the IP at the time of the log, ALERT

14. Detecting Credential Compromise in AWS Will Bengtson AWS Limitations ● Pagination ● Rate Limiting

15. New Approach

16. Detecting Credential Compromise in AWS Will Bengtson ● Use an understanding of how AWS works to our advantage ● Make a strong but reasonable assumption ● Profit From 0 to full coverage in around 6 hours New Approach

17. HOW DOES AWS WORK?

18. Detecting Credential Compromise in AWS Will Bengtson

19. Detecting Credential Compromise in AWS Will Bengtson

20. Detecting Credential Compromise in AWS Will Bengtson

21. Detecting Credential Compromise in AWS Will Bengtson

22. Detecting Credential Compromise in AWS Will Bengtson

23. Detecting Credential Compromise in AWS Will Bengtson

24. Detecting Credential Compromise in AWS Will Bengtson

25. STRONG ASSUMPTION

26.

27.

28. Detecting Credential Compromise in AWS Will Bengtson

29. Detecting Credential Compromise in AWS Will Bengtson identifier source_ip arn ttl_value

30.

31. Detecting Credential Compromise in AWS Will Bengtson identifier source_ip arn ttl_value i-00000000000002131 arn:aws:iam::123456789012:ass umed-role/myCoolRole 1531904179.955654

32.

33. Detecting Credential Compromise in AWS Will Bengtson identifier source_ip arn ttl_value i-00000000000002131 arn:aws:iam::123456789012:ass umed-role/myCoolRole 1531904179.955654

34. Detecting Credential Compromise in AWS Will Bengtson identifier source_ip arn ttl_value i-00000000000002131 52.95.255.121 arn:aws:iam::123456789012:ass umed-role/myCoolRole 1531904179.955654

35.

36. Detecting Credential Compromise in AWS Will Bengtson identifier source_ip arn ttl_value i-00000000000002131 52.95.255.121 arn:aws:iam::123456789012:ass umed-role/myCoolRole 1531904179.955654 =?= 52.95.255.121

37. Detecting Credential Compromise in AWS Will Bengtson identifier source_ip arn ttl_value i-00000000000002131 52.95.255.121 arn:aws:iam::123456789012:ass umed-role/myCoolRole 1531904179.955654 =?= 52.95.255.121

38.

39. Detecting Credential Compromise in AWS Will Bengtson identifier source_ip arn ttl_value i-00000000000002131 52.95.255.121 arn:aws:iam::123456789012:ass umed-role/myCoolRole 1531904179.955654 =?= 67.178.52.232

40. Detecting Credential Compromise in AWS Will Bengtson identifier source_ip arn ttl_value i-00000000000002131 52.95.255.121 arn:aws:iam::123456789012:ass umed-role/myCoolRole 1531904179.955654

41. DEMO

42.

43.

44.

45.

46. Detecting Credential Compromise in AWS Will Bengtson Edge Cases There are a few edge cases to this approach that you may want/need to account for in order to prevent false positives. The edge cases are as follows: ● AWS will make calls on your behalf using your credentials if certain API calls are made ○ sourceIPAddress: <service>.amazonaws.com ● You have an AWS VPC Endpoint(s) for certain AWS Services ○ sourceIPAddress: 192.168.0.22 ● You attach a new ENI or associate a new address to your instance ○ sourceIPAddress: something new if external subnet

47. Preventing Credential Compromise

48. 169.254.169.254

49. Detecting Credential Compromise in AWS Will Bengtson

50. Detecting Credential Compromise in AWS Will Bengtson

51. Detecting Credential Compromise in AWS Will Bengtson

52. API Enforcement

53. { "Version": "2012-10-17", "Statement": [ { "Action": "*", "Resource": "*", "Effect": "Deny", "Condition": { "NotIpAddress": { "aws:SourceIp": [ "52.13.101.11/32" ] }, "StringNotEquals": { "aws:SourceVpc": [ "vpc-12345678" ], "aws:SourceVpce": [ "vpce-12345678" ] } } } ] }

54. Metadata Protection

55. Detecting Credential Compromise in AWS Will Bengtson

56. Detecting Credential Compromise in AWS Will Bengtson

57. Detecting Credential Compromise in AWS Will Bengtson ● Botocore ● Boto3 ● Golang ● Java and Java v2 ● Nodejs ● Ruby Supported AWS SDKs Today

58. Detecting Credential Compromise in AWS Will Bengtson ● aws-sdk- ● Botocore/ ● Boto3/ ● aws-cli/ ● aws-chalice/ User-Agent String Prefixes

59. Detecting Credential Compromise in AWS Will Bengtson Final Thoughts ● Understand how AWS works and CloudTrail to make your life easier ● Understand what is logged in CloudTrail ○ Trailblazer ■ AWS API Enumeration for CloudTrail Intelligence / Attack Platform ■ https://github.com/willbengtson/trailblazer-aws ● AWS Credential Compromise Detection OSS ○ One way to detect credential compromise - Reference Architecture/Code ○ https://github.com/Netflix-Skunkworks/aws-credential-compromise-detection ● AWS Metadata Proxy ○ Example metadata proxy ○ https://github.com/Netflix-Skunkworks/aws-metadata-proxy

Detecting Credential Compromise in AWS (SEC389) - AWS re:Invent 2018

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Detecting Credential Compromise in AWS (SEC389) - AWS re:Invent 2018

Similar to Detecting Credential Compromise in AWS (SEC389) - AWS re:Invent 2018 (20)

More from Amazon Web Services

More from Amazon Web Services (20)

Detecting Credential Compromise in AWS (SEC389) - AWS re:Invent 2018