© 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Handing DevSecOps teams the security wheel
BATbern47 on "Shift Left Everything"
Introduction
AWS global infrastructure
26 geographical regions, 84 availability zones, 310+ POPs
Region & number of Availability Zones (AZs):
• GovCloud (U.S.): U.S.-East (3), US-West (3)
• U.S. West: Oregon (4), Northern California (3)
• U.S. East: N. Virginia (6), Ohio (3)
• Canada: Central (3)
• South America: São Paulo (3)
• Europe: Frankfurt (3), Paris (3), Ireland (3), Stockholm (3), London (3), Milan (3)
• Middle East: Bahrain (3)
• Asia Pacific: Singapore (3), Sydney (3), Jakarta (3), Tokyo (4), Osaka (3), Seoul (4), Mumbai (3), Hong Kong (3)
• Africa: Cape Town (3)
• China: Beijing (2), Ningxia (3)
Announced Regions: 8 Regions and 24 AZs in Australia, Canada, India, Israel, Australia, Switzerland, Spain, and United Arab Emirates (UAE)
AWS region design
AWS Regions consist of multiple AZs for high availability, high scalability, and high fault tolerance. Applications and data are replicated in real time and kept consistent across the different AZs.
A Region is a physical location in the world where we have multiple Availability Zones.
AWS Availability Zone (AZ): Availability Zones consist of one or more discrete data centers, each with redundant power, networking, and connectivity, housed in separate facilities.
[Diagram: an AWS Region with four AZs, transit centers, and multiple data centers]
What is an AWS account?
Each AWS account:
• Is a resource container/isolation boundary for AWS services
• Is an explicit security boundary
• Is a container for cost tracking and billing
[Diagram: three AWS accounts, one each for security tooling, templates & images, and a workload]
With one account…
[Diagram: six workloads spread over VPC 1, VPC 2 and VPC 3, with public and private subnets, all inside a single AWS account]
Benefits of a multi-account environment
Benefits:
• Centrally provision accounts and resources
• Share resources and control access
• Optimize costs
• Secure and audit your environment for compliance
Use cases:
• Many teams: innovate with exclusive resources for each team
• Business process: organize AWS accounts
• Billing: simplify billing
• Isolation & security: tight security boundaries
With multiple accounts…
[Diagram: a management account plus separate AWS accounts for security tooling, templates & images, and each workload in its own Dev VPC]
A Is for “Alice” and B Is for “Bob”
Alice follows best practices Bob does NOT follow best practices
Bill’s Bad Day
[Diagram: a single AWS account with one VPC containing a web server instance, an internal data service, an S3 bucket “Data Backup” and an S3 bucket “Website Images”; Bob reaches the VPC from the internet through an internet gateway]
Bill’s Bad Day
[Diagram: the same account, now with an intruder entering through the internet gateway; the numbered steps below are marked on the diagram]
1 Access the vulnerable web application
2 Pivot to the data service
3 Delete the website image files
4 Change permissions to the data backup
5 Download the data backup
Bill’s Bad Day
1 No web application protection
2 No segmentation
3 One account
4 All permissions granted
5 Sensitive data not encrypted
6 No logging, monitoring, alerting
… now let’s help Alice have a great day!
[Diagram: Alice’s AWS account with the same web server instance, internal data service and S3 buckets “Data Backup” and “Website Images” behind an internet gateway]
Best-of-the-Best Practices: Logging and Monitoring
1) Turn on logging in all accounts, for all services, in all regions
The AWS API history in CloudTrail enables security analysis, resource change tracking, and compliance auditing. GuardDuty provides managed threat intelligence and findings.
2) Use the AWS platform’s built-in monitoring and alerting features
Monitoring a broad range of sources will ensure that unexpected occurrences are detected. Establish alarms and notifications for anomalous or sensitive account activity.
Services: Amazon GuardDuty, AWS CloudTrail, AWS Config, AWS Security Hub
What is AWS Config?
AWS Config = Continuous configuration auditor
[Diagram: changing resources → AWS Config → normalized configuration data → AWS Config rules, notifications, API access, history and snapshots]
CloudTrail provides audit logs for AWS
An audit log of an AWS account’s authenticated requests to perform an action with an AWS service and its resources
How does Amazon GuardDuty work?
Data sources: VPC flow logs, DNS logs, CloudTrail events, S3 data plane events, EKS control plane logs
Amazon GuardDuty threat detection: threat intelligence and anomaly detection (ML)
Finding types (severity HIGH / MEDIUM / LOW), examples:
• Bitcoin mining
• C&C activity
• Unusual user behavior, for example: launch instance, change network permissions
• Unusual traffic patterns, for example: unusual ports and volume
Findings are sent to AWS Security Hub, CloudWatch Events and Amazon Detective:
• Alert
• Remediate
• Partner solutions
• Send to SIEM
Security Hub overview
[Diagram: Security Hub integrations, including AWS Identity and Access Management Access Analyzer]
Many AWS accounts and many Security Findings
[Diagram: five AWS accounts, each with a workload in its own Dev VPC]
Thank you!
Shift Left AWS Security
17.06.2022, Michael Ullrich
Who is Nuvibit?
• Nuvibit AG
• Founded in 2021 in Switzerland
• 100% focus on AWS
• Focus on large AWS multi-account environments and security
• Addicted to Everything as Code
Discover your Security Findings
AWS has cool native Services
AWS Security Hub, fully integrated security standards:
• AWS Foundational Security Best Practices v1.0.0: 143 controls per account
• CIS AWS Foundations Benchmark v1.2.0: 43 controls per account
• PCI DSS v3.2.1: 45 controls per account
Amazon GuardDuty, more than 100 threat detections for:
• EC2
• IAM
• S3
• Kubernetes
Amazon CloudWatch Logs Insights
How do you monitor the CIS AWS 3.x controls?
• 3.1 Monitor for unauthorized API calls
• 3.2 Monitor for AWS Management Console sign-in without MFA
• 3.3 Monitor for usage of root account
• 3.5 Monitor for CloudTrail configuration changes
• 3.6 Monitor for AWS Management Console authentication failures
• 3.7 Monitor for disabling or scheduled deletion of customer created CMKs
• 3.8 Monitor for S3 bucket policy changes
• 3.9 Monitor for AWS Config configuration changes
• 3.10 Monitor for security group changes
• 3.11 Monitor for changes to Network Access Control Lists (NACL)
• 3.12 Monitor for changes to network gateways
• 3.13 Monitor for route table changes
• 3.14 Monitor for VPC changes
Control details: Nuvibit blog post
Customer Challenges we faced
• General security controls are not applicable to all workloads (e.g. sandbox accounts)
• Some workloads require custom security controls
• Large amounts of false positives / accepted findings clutter our monitoring
• Transparent customization of security controls and findings
• Fast rollout of new security controls (in a large set of accounts)
• From paper policies to reproducible results (Security as Code)
Your AWS Accounts are heterogeneous! You need good Tailoring!
1. AWS Foundational Security Best Practices standard
2. CIS AWS Foundations Benchmark controls
3. PCI DSS controls
Cluster your AWS Accounts
An AWS account comes with:
• Account ID
• OU-ID
• Account Tags
[Diagram: accounts clustered for the Security / Foundation Team and the Workload A Team]
Use Case - Root Login In Production & Core
• CIS AWS 3.3 Benchmark: Monitor for usage of root account
• Security Team: In Production & Core accounts the security control must generate an alarm
Use Case - Security Group
• CIS AWS 3.10: Monitor for Security Group changes
• Security Team: Only in Production accounts monitor for Security Group changes
• Workload A Team: For Production Workload A filter out inbound TCP port 80 / 443 rules
• Workload X Team: For Production Workload X alarm on inbound TCP port 22 (SSH) rules
Examples of raw Security Finding Messages
[Screenshot of raw finding messages]
Use Case - Security Group, Security / Compliance Team: Detect Condition
• Only in Production accounts monitor for Security Group changes
Use Case - Security Group, Workload A Team: Drop Condition
• For Production Workload A filter out inbound TCP port 80 / 443 rules
Use Case - Security Group, Workload X Team: Response Instruction Condition
• For Production Workload X alarm on inbound TCP port 22 (SSH) rules
Response examples:
• Notification
• Alarming
• Ticket
• Auto-Remediation
Let’s dive slightly deeper
Use Case - Security Group - Demo
• CIS AWS 3.10: Monitor for Security Group changes
• Security Team: Only in Production accounts monitor for Security Group changes
• Workload A Team: For Production Workload A filter out inbound TCP port 80 / 443 rules
• Workload X Team: For Production Workload X alarm on inbound TCP port 22 (SSH) rules
SEMPER in a nutshell
1. Detect YOUR findings
2. Enrich YOUR findings with context
3. Filter out unnecessary findings
4. Manage YOUR Response to findings
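As an added example (not Nuvibit's SEMPER code), the following Python runs a constructed CloudTrail-style security group event through the four steps above, detect, enrich, drop and respond, using the three conditions of the security group use case and clustering accounts by tags. The account IDs, tags, policy names, the CloudTrail field subset and the default "notification" response are assumptions.

```python
"""Minimal finding pipeline for the CIS AWS 3.10 security group use case.
Constructed example: detect -> enrich -> drop -> respond, driven by account
context (OU and tags) and by the content of the CloudTrail event."""
from dataclasses import dataclass
from typing import Callable, Optional

# CIS AWS 3.10 pattern: the API calls that modify security groups.
SG_CHANGE_EVENTS = {
    "AuthorizeSecurityGroupIngress", "AuthorizeSecurityGroupEgress",
    "RevokeSecurityGroupIngress", "RevokeSecurityGroupEgress",
    "CreateSecurityGroup", "DeleteSecurityGroup",
}

# Constructed account inventory (hypothetical account IDs, OUs and tags).
ACCOUNTS = {
    "111111111111": {"ou": "ou-prod", "tags": {"environment": "production", "workload": "A"}},
    "222222222222": {"ou": "ou-prod", "tags": {"environment": "production", "workload": "X"}},
    "333333333333": {"ou": "ou-sandbox", "tags": {"environment": "sandbox", "workload": "A"}},
}


@dataclass
class Policy:
    name: str
    kind: str                          # "detect", "drop" or "response"
    scope: dict                        # tag values an account must match (account cluster)
    condition: Callable[[dict], bool]  # evaluated on the enriched finding
    response: Optional[str] = None     # only used by "response" policies


def in_scope(policy: Policy, context: dict) -> bool:
    """Account clustering: a policy applies when every scope tag matches the account."""
    return all(context["tags"].get(k) == v for k, v in policy.scope.items())


def ingress_ports(event: dict) -> set:
    """TCP ports opened by the event (reduced CloudTrail requestParameters shape)."""
    ports = set()
    items = event.get("requestParameters", {}).get("ipPermissions", {}).get("items", [])
    for perm in items:
        if perm.get("ipProtocol") == "tcp":
            ports.update(range(perm["fromPort"], perm["toPort"] + 1))
    return ports


POLICIES = [
    # Security / Compliance team: only production accounts are monitored at all.
    Policy("detect-sg-change-prod", "detect", {"environment": "production"},
           lambda f: f["event"]["eventName"] in SG_CHANGE_EVENTS),
    # Workload A team: HTTP/HTTPS ingress rules are expected, so they are filtered out.
    Policy("drop-web-ports-workload-a", "drop", {"environment": "production", "workload": "A"},
           lambda f: bool(f["ports"]) and f["ports"] <= {80, 443}),
    # Workload X team: an SSH ingress rule must raise an alarm.
    Policy("alarm-ssh-workload-x", "response", {"environment": "production", "workload": "X"},
           lambda f: 22 in f["ports"], response="alarm"),
]


def process(event: dict, policies=POLICIES, accounts=ACCOUNTS) -> dict:
    """Run one CloudTrail event through detect -> enrich -> drop -> respond."""
    context = accounts.get(event["recipientAccountId"])
    if context is None:
        return {"action": "ignored", "reason": "unknown account"}
    # Enrichment: attach OU, tags and the parsed ingress ports to the finding.
    finding = {"event": event, "account": event["recipientAccountId"],
               "ou": context["ou"], "tags": context["tags"], "ports": ingress_ports(event)}
    applicable = [p for p in policies if in_scope(p, context)]
    if not any(p.kind == "detect" and p.condition(finding) for p in applicable):
        return {"action": "ignored", "reason": "no detect policy matched"}
    for p in applicable:
        if p.kind == "drop" and p.condition(finding):
            return {"action": "dropped", "reason": p.name}
    for p in applicable:
        if p.kind == "response" and p.condition(finding):
            return {"action": p.response, "reason": p.name}
    return {"action": "notification", "reason": "default response"}  # assumed default


def make_event(account_id: str, event_name: str, from_port: int, to_port: int) -> dict:
    """Constructed CloudTrail-style record, reduced to the fields the pipeline reads."""
    return {"eventSource": "ec2.amazonaws.com", "eventName": event_name,
            "recipientAccountId": account_id,
            "requestParameters": {"groupId": "sg-0123456789abcdef0",  # placeholder id
                                  "ipPermissions": {"items": [
                                      {"ipProtocol": "tcp", "fromPort": from_port, "toPort": to_port}]}}}


if __name__ == "__main__":
    for acct, port in (("111111111111", 443), ("222222222222", 22), ("333333333333", 22)):
        print(acct, port, process(make_event(acct, "AuthorizeSecurityGroupIngress", port, port)))
```

A rule that opens a whole port range (e.g. 80 to 443) is deliberately not dropped for Workload A, since only rules consisting solely of ports 80 and 443 match the drop condition.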
Shift Left AWS Security with Security as Code
Thank You!
Nuvibit AG
Loonstrasse 36
5452 Oberrohrdorf
Switzerland
+41 56 511 24 20
hello@nuvibit.com
https://nuvibit.com
https://ch.linkedin.com/company/nuvibit
Appendix
Cloud Security Frameworks
CIS Critical Security Controls v8
BSI C5:2020
NIST CYBERSECURITY FRAMEWORK v1.1
A solid AWS Foundation helps – a lot
• Nuvibit Cloud Foundation Map
• Nuvibit Reference architecture for AWS Multi-Account Customers
• AWS Landing Zone
[Diagram: a Foundation Team and a Security Team supporting several Workload Teams]
Discover your Security Findings
Sample of Processed Finding: normalization, response instruction, original message
Nuvibit SEMPER: AWS Native Security Finding Management (link to product page)
SEMPER Deployment
Our Paradigm: Security as Code
Because it is the most effective approach to secure cloud workloads with speed and agility!
Context-driven configuration and processing
• McKinsey - Security as code: The best (and maybe only) path to securing cloud applications and systems
• Gartner - Using Cloud-Native ‘Policy as Code’ to Secure Deployments at Scale
SEMPER Policy Types
Demo SEMPER – Policy-Scope: account clusters via Policy-Scope
• Configure Policies
• Filtering-Exclude Policies
• Response Policies
SEMPER Demo – Use Case IAM
Use Case – Observe IAM Roles
• Security Team: In the whole AWS Organization monitor for IAM Role changes
• Workload A Team: In Production Workload A account IAM Roles must have a Boundary Policy attached
[Demo screenshots: Security / Compliance Team and Workload A Team policies]

More Related Content

Similar to DevSecOps-Teams das Security-Steuer überlassen

Similar to DevSecOps-Teams das Security-Steuer überlassen (20)

Simplify & Standardise Your Migration to AWS with a Migration Landing Zone
Simplify & Standardise Your Migration to AWS with a Migration Landing ZoneSimplify & Standardise Your Migration to AWS with a Migration Landing Zone
Simplify & Standardise Your Migration to AWS with a Migration Landing Zone
 
Simplify & Standardise your migration to AWS with a Migration Landing Zone
Simplify & Standardise your migration to AWS with a Migration Landing ZoneSimplify & Standardise your migration to AWS with a Migration Landing Zone
Simplify & Standardise your migration to AWS with a Migration Landing Zone
 
AWS SSA Webinar 11 - Getting started on AWS: Security
AWS SSA Webinar 11 - Getting started on AWS: SecurityAWS SSA Webinar 11 - Getting started on AWS: Security
AWS SSA Webinar 11 - Getting started on AWS: Security
 
Network Security and Access Control within AWS
Network Security and Access Control within AWS Network Security and Access Control within AWS
Network Security and Access Control within AWS
 
Introduction to Threat Detection and Remediation on AWS
Introduction to Threat Detection and Remediation on AWSIntroduction to Threat Detection and Remediation on AWS
Introduction to Threat Detection and Remediation on AWS
 
Getting started with AWS Security
Getting started with AWS SecurityGetting started with AWS Security
Getting started with AWS Security
 
Deploy and Govern at Scale with AWS Control Tower
Deploy and Govern at Scale with AWS Control TowerDeploy and Govern at Scale with AWS Control Tower
Deploy and Govern at Scale with AWS Control Tower
 
Network Security and Access Control in AWS
Network Security and Access Control in AWSNetwork Security and Access Control in AWS
Network Security and Access Control in AWS
 
Launch AWS Faster using Automated Landing Zones - AWS Online Tech Talks
Launch AWS Faster using Automated Landing Zones - AWS Online Tech TalksLaunch AWS Faster using Automated Landing Zones - AWS Online Tech Talks
Launch AWS Faster using Automated Landing Zones - AWS Online Tech Talks
 
Getting Started with AWS Security
 Getting Started with AWS Security Getting Started with AWS Security
Getting Started with AWS Security
 
AWS Security for Financial Services
AWS Security for Financial ServicesAWS Security for Financial Services
AWS Security for Financial Services
 
DevopsDays Geneva 2020 - Compliance & Governance as Code
DevopsDays Geneva 2020 - Compliance & Governance as CodeDevopsDays Geneva 2020 - Compliance & Governance as Code
DevopsDays Geneva 2020 - Compliance & Governance as Code
 
Monitorización de seguridad y detección de amenazas con AWS
Monitorización de seguridad y detección de amenazas con AWSMonitorización de seguridad y detección de amenazas con AWS
Monitorización de seguridad y detección de amenazas con AWS
 
Enterprise Governance: Build Your AWS Landing Zone (ENT351-R1) - AWS re:Inven...
Enterprise Governance: Build Your AWS Landing Zone (ENT351-R1) - AWS re:Inven...Enterprise Governance: Build Your AWS Landing Zone (ENT351-R1) - AWS re:Inven...
Enterprise Governance: Build Your AWS Landing Zone (ENT351-R1) - AWS re:Inven...
 
Enterprise Governance and Security Build Your AWS Landing Zone (SEC315) - AWS...
Enterprise Governance and Security Build Your AWS Landing Zone (SEC315) - AWS...Enterprise Governance and Security Build Your AWS Landing Zone (SEC315) - AWS...
Enterprise Governance and Security Build Your AWS Landing Zone (SEC315) - AWS...
 
Segurança de Ponta a Ponta na AWS
Segurança de Ponta a Ponta na AWSSegurança de Ponta a Ponta na AWS
Segurança de Ponta a Ponta na AWS
 
AWS Monitoring & Logging
AWS Monitoring & LoggingAWS Monitoring & Logging
AWS Monitoring & Logging
 
CSS17: Atlanta - The AWS Shared Responsibility Model in Practice
CSS17: Atlanta - The AWS Shared Responsibility Model in Practice CSS17: Atlanta - The AWS Shared Responsibility Model in Practice
CSS17: Atlanta - The AWS Shared Responsibility Model in Practice
 
The Automation of Supervision Governance in the Cloud
The Automation of Supervision Governance in the CloudThe Automation of Supervision Governance in the Cloud
The Automation of Supervision Governance in the Cloud
 
Security Automation using AWS Management Tools
Security Automation using AWS Management ToolsSecurity Automation using AWS Management Tools
Security Automation using AWS Management Tools
 

More from BATbern

From Ideation to Production in 7 days: The Scoring Factory at Raiffeisen
From Ideation to Production in 7 days: The Scoring Factory at RaiffeisenFrom Ideation to Production in 7 days: The Scoring Factory at Raiffeisen
From Ideation to Production in 7 days: The Scoring Factory at Raiffeisen
BATbern
 

More from BATbern (20)

BATbern52 Moderation Berner Architekten Treffen zu Data Mesh
BATbern52 Moderation Berner Architekten Treffen zu Data MeshBATbern52 Moderation Berner Architekten Treffen zu Data Mesh
BATbern52 Moderation Berner Architekten Treffen zu Data Mesh
 
BATbern52 Swisscom's Journey into Data Mesh
BATbern52 Swisscom's Journey into Data MeshBATbern52 Swisscom's Journey into Data Mesh
BATbern52 Swisscom's Journey into Data Mesh
 
BATbern52 SBB zu Data Products und Knacknüsse
BATbern52 SBB zu Data Products und KnacknüsseBATbern52 SBB zu Data Products und Knacknüsse
BATbern52 SBB zu Data Products und Knacknüsse
 
BATbern52 Mobiliar zu Skalierte Datenprodukte mit Data Mesh
BATbern52 Mobiliar zu Skalierte Datenprodukte mit Data MeshBATbern52 Mobiliar zu Skalierte Datenprodukte mit Data Mesh
BATbern52 Mobiliar zu Skalierte Datenprodukte mit Data Mesh
 
BATbern52 InnoQ on Data Mesh 2019 2023 2024++
BATbern52 InnoQ on Data Mesh 2019 2023 2024++BATbern52 InnoQ on Data Mesh 2019 2023 2024++
BATbern52 InnoQ on Data Mesh 2019 2023 2024++
 
Embracing Serverless: reengineering a real-estate digital marketplace
Embracing Serverless: reengineering a real-estate digital marketplaceEmbracing Serverless: reengineering a real-estate digital marketplace
Embracing Serverless: reengineering a real-estate digital marketplace
 
Serverless und Event-Driven Architecture
Serverless und Event-Driven ArchitectureServerless und Event-Driven Architecture
Serverless und Event-Driven Architecture
 
Serverless Dev(Ops) in der Praxis
Serverless Dev(Ops) in der PraxisServerless Dev(Ops) in der Praxis
Serverless Dev(Ops) in der Praxis
 
Serverless at Lifestage
Serverless at LifestageServerless at Lifestage
Serverless at Lifestage
 
Keynote Gregor Hohpe - Serverless Architectures
Keynote Gregor Hohpe - Serverless ArchitecturesKeynote Gregor Hohpe - Serverless Architectures
Keynote Gregor Hohpe - Serverless Architectures
 
BATbern51 Serverless?!
BATbern51 Serverless?!BATbern51 Serverless?!
BATbern51 Serverless?!
 
Ein Rückblick anlässlich des 50. BAT aus Sicht eines treuen Partners
Ein Rückblick anlässlich des 50. BAT aus Sicht eines treuen PartnersEin Rückblick anlässlich des 50. BAT aus Sicht eines treuen Partners
Ein Rückblick anlässlich des 50. BAT aus Sicht eines treuen Partners
 
MLOps journey at Swisscom: AI Use Cases, Architecture and Future Vision
MLOps journey at Swisscom: AI Use Cases, Architecture and Future VisionMLOps journey at Swisscom: AI Use Cases, Architecture and Future Vision
MLOps journey at Swisscom: AI Use Cases, Architecture and Future Vision
 
From Ideation to Production in 7 days: The Scoring Factory at Raiffeisen
From Ideation to Production in 7 days: The Scoring Factory at RaiffeisenFrom Ideation to Production in 7 days: The Scoring Factory at Raiffeisen
From Ideation to Production in 7 days: The Scoring Factory at Raiffeisen
 
The Future of Coaching in Sport with AI/ML
The Future of Coaching in Sport with AI/MLThe Future of Coaching in Sport with AI/ML
The Future of Coaching in Sport with AI/ML
 
Klassifizierung von Versicherungsschäden – AI und MLOps bei der Mobiliar
Klassifizierung von Versicherungsschäden – AI und MLOps bei der MobiliarKlassifizierung von Versicherungsschäden – AI und MLOps bei der Mobiliar
Klassifizierung von Versicherungsschäden – AI und MLOps bei der Mobiliar
 
BATbern48_ZeroTrust-Konzept und Realität.pdf
BATbern48_ZeroTrust-Konzept und Realität.pdfBATbern48_ZeroTrust-Konzept und Realität.pdf
BATbern48_ZeroTrust-Konzept und Realität.pdf
 
BATbern48_How Zero Trust can help your organisation keep safe.pdf
BATbern48_How Zero Trust can help your organisation keep safe.pdfBATbern48_How Zero Trust can help your organisation keep safe.pdf
BATbern48_How Zero Trust can help your organisation keep safe.pdf
 
BATbern48_Zero Trust Architektur des ISC-EJPD.pdf
BATbern48_Zero Trust Architektur des ISC-EJPD.pdfBATbern48_Zero Trust Architektur des ISC-EJPD.pdf
BATbern48_Zero Trust Architektur des ISC-EJPD.pdf
 
Why did the shift-left end up in the cloud for Bank Julius Baer?
Why did the shift-left end up in the cloud for Bank Julius Baer?Why did the shift-left end up in the cloud for Bank Julius Baer?
Why did the shift-left end up in the cloud for Bank Julius Baer?
 

Recently uploaded

Recently uploaded (14)

2024 mega trends for the digital workplace - FINAL.pdf
2024 mega trends for the digital workplace - FINAL.pdf2024 mega trends for the digital workplace - FINAL.pdf
2024 mega trends for the digital workplace - FINAL.pdf
 
The Concession of Asaba International Airport: Balancing Politics and Policy ...
The Concession of Asaba International Airport: Balancing Politics and Policy ...The Concession of Asaba International Airport: Balancing Politics and Policy ...
The Concession of Asaba International Airport: Balancing Politics and Policy ...
 
The Influence and Evolution of Mogul Press in Contemporary Public Relations.docx
The Influence and Evolution of Mogul Press in Contemporary Public Relations.docxThe Influence and Evolution of Mogul Press in Contemporary Public Relations.docx
The Influence and Evolution of Mogul Press in Contemporary Public Relations.docx
 
TSM unit 5 Toxicokinetics seminar by Ansari Aashif Raza.pptx
TSM unit 5 Toxicokinetics seminar by  Ansari Aashif Raza.pptxTSM unit 5 Toxicokinetics seminar by  Ansari Aashif Raza.pptx
TSM unit 5 Toxicokinetics seminar by Ansari Aashif Raza.pptx
 
Deciding The Topic of our Magazine.pptx.
Deciding The Topic of our Magazine.pptx.Deciding The Topic of our Magazine.pptx.
Deciding The Topic of our Magazine.pptx.
 
DAY 0 8 A Revelation 05-19-2024 PPT.pptx
DAY 0 8 A Revelation 05-19-2024 PPT.pptxDAY 0 8 A Revelation 05-19-2024 PPT.pptx
DAY 0 8 A Revelation 05-19-2024 PPT.pptx
 
ServiceNow CIS-Discovery Exam Dumps 2024
ServiceNow CIS-Discovery Exam Dumps 2024ServiceNow CIS-Discovery Exam Dumps 2024
ServiceNow CIS-Discovery Exam Dumps 2024
 
ACM CHT Best Inspection Practices Kinben Innovation MIC Slideshare.pdf
ACM CHT Best Inspection Practices Kinben Innovation MIC Slideshare.pdfACM CHT Best Inspection Practices Kinben Innovation MIC Slideshare.pdf
ACM CHT Best Inspection Practices Kinben Innovation MIC Slideshare.pdf
 
Understanding Poverty: A Community Questionnaire
Understanding Poverty: A Community QuestionnaireUnderstanding Poverty: A Community Questionnaire
Understanding Poverty: A Community Questionnaire
 
Microsoft Fabric Analytics Engineer (DP-600) Exam Dumps 2024.pdf
Microsoft Fabric Analytics Engineer (DP-600) Exam Dumps 2024.pdfMicrosoft Fabric Analytics Engineer (DP-600) Exam Dumps 2024.pdf
Microsoft Fabric Analytics Engineer (DP-600) Exam Dumps 2024.pdf
 
2024-05-15-Surat Meetup-Hyperautomation.pptx
2024-05-15-Surat Meetup-Hyperautomation.pptx2024-05-15-Surat Meetup-Hyperautomation.pptx
2024-05-15-Surat Meetup-Hyperautomation.pptx
 
Databricks Machine Learning Associate Exam Dumps 2024.pdf
Databricks Machine Learning Associate Exam Dumps 2024.pdfDatabricks Machine Learning Associate Exam Dumps 2024.pdf
Databricks Machine Learning Associate Exam Dumps 2024.pdf
 
STM valmiusseminaari 26-04-2024 PUUMALAINEN Ajankohtaista kansainvälisestä yh...
STM valmiusseminaari 26-04-2024 PUUMALAINEN Ajankohtaista kansainvälisestä yh...STM valmiusseminaari 26-04-2024 PUUMALAINEN Ajankohtaista kansainvälisestä yh...
STM valmiusseminaari 26-04-2024 PUUMALAINEN Ajankohtaista kansainvälisestä yh...
 
SaaStr Workshop Wednesday with CEO of Guru
SaaStr Workshop Wednesday with CEO of GuruSaaStr Workshop Wednesday with CEO of Guru
SaaStr Workshop Wednesday with CEO of Guru
 

DevSecOps-Teams das Security-Steuer überlassen

  • 1. © 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved. DevSecOps-Teams das Security-Steuer überlassen B A T B E R N 4 7 Z U " S H I F T L E F T E V E R Y T H I N G "
  • 2. © 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved. Introduction
  • 3. © 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved. AWS global infrastructure 26 geographical regions, 84 availability zones, 310+ POPs Region & number of Availability Zones (AZs) GovCloud (U.S.) Europe U.S.-East (3), US-West (3) Frankfurt (3), Paris (3), Ireland (3), Stockholm (3), U.S. West London (3), Milan (3) Oregon (4) Northern California (3) U.S. East N. Virginia (6), Ohio (3) Middle East Bahrain (3) Canada Asia Pacific Central (3) Singapore (3), Sydney (3), Jakarta (3), Tokyo (4), Osaka (3) South America São Paulo (3) Seoul (4), Mumbai (3), Hong Kong (3) Africa China Cape Town (3) Beijing (2), Ningxia (3) Announced Regions 8 Regions and 24 AZs in Australia, Canada, India, Israel, Australia, Switzerland, Spain, and United Arab Emirates (UAE)
  • 4. © 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved. AWS region design AWS Regions are comprised of multiple AZs for high availability, high scalability, and high fault tolerance. Applications and data are replicated in real time and consistent in the different AZs. AWS Availability Zone (AZ) A Region is a physical location in the world where we have multiple Availability Zones. Availability Zones consist of one or more discrete data centers, each with redundant power, networking, and connectivity, housed in separate facilities. AZ AZ AZ AZ Transit Transit Datacenter Datacenter Datacenter AWS Region
  • 5. © 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved. What is an AWS account? Each AWS account: • Is a resource container/isolation boundary for AWS services • Is an explicit security boundary • Is a container for cost tracking and billing Security tooling Templates & Images Workload AWS account AWS account AWS account
  • 6. © 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved. With one account… Workload Workload Workload Workload Workload Workload VPC 1 VPC 2 Private subnet Public subnet VPC 3 AWS account
  • 7. © 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved. Benefits of a multi-account environment Centrally provision accounts and resources Share resources and control access Optimize costs Secure and audit your environment for compliance Benefits Many teams Business process Billing Simplify billing Isolation & security Tight security boundaries Innovate with exclusive resources for each team Organize AWS accounts Use cases
  • 8. © 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved. With multiple accounts… Workload Sec tooling Templates & images Workload Workload Workload Dev VPC Management account AWS account AWS account AWS account AWS account AWS account AWS account
  • 9. © 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved. A Is for “Alice” and B Is for “Bob” Alice follows best practices Bob does NOT follow best practices
  • 10. © 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved. Bill’s Bad Day AWS Account Internal Data Service S3 Bucket “Data Backup” S3 Bucket “Website Images” Web Server Instance AWS Cloud VPC Internet Internet Gateway Bob
  • 11. © 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved. AWS Account Internal Data Service S3 Bucket “Data Backup” Intruder S3 Bucket “Website Images” Web Server Instance 1 2 3 4 5 Bill’s Bad Day 1 Access the vulnerable web application 2 Pivot to the data service 3 Delete the website image files 4 Change permissions to the data backup 5 Download the data backup AWS Cloud VPC Internet Internet Gateway Bob
  • 12. © 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved. Bill’s Bad Day No web application protection 2 No segmentation 3 One account 4 All permissions granted 5 Sensitive data not encrypted 1 6 No logging, monitoring, alerting … now let’s help Alice have a great day! Alice AWS Account Internal Data Service S3 Bucket “Data Backup” S3 Bucket “Website Images” Web Server Instance AWS Cloud VPC Internet Internet Gateway Bob
  • 13. © 2021, Amazon Web Services, Inc. or its affiliates. All rights reserved. Best-of-the-Best Practices: Logging and Monitoring 1) Turn on logging in all accounts, for all services, in all regions The AWS API history in CloudTrail enables security analysis, resource change tracking, and compliance auditing. GuardDuty provides managed threat intelligence and findings. 2) Use the AWS platform’s built-in monitoring and alerting features Monitoring a broad range of sources will ensure that unexpected occurrences are detected. Establish alarms and notifications for anomalous or sensitive account activity. Amazon GuardDuty AWS CloudTrail AWS Config AWS Security Hub
  • 14. © 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved. What is AWS Config? AWS Config = Continuous configuration auditor Changing resources AWS Config Normalized AWS Config rules Notifications API access History, snapshot
  • 15. © 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved. CloudTrail provides audit logs for AWS An audit log of an AWS account’s authenticated request to perform an action with an AWS service and its resources
  • 16. © 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved. How Amazon GuardDuty works? VPC flow logs DNS Logs CloudTrail Events Findings Data Sources Threat intelligence Anomaly Detection (ML) AWS Security Hub • Alert • Remediate • Partner Solutions • Send to SIEM CloudWatch Event Finding Types Examples Bitcoin Mining C&C Activity Unusual User behavior Example: • Launch instance • Change Network Permissions Amazon GuardDuty Threat Detection Types HIGH MEDIUM LOW Unusual traffic patterns Example: • Unusual ports and volume Amazon Detective S3 Data Plane Events EKS control plane logs
  • 17. © 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved. Security Hub overview AWS Identity and Access Management Access Analyzer
  • 18. © 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved. Many AWS accounts and many Security Finding Workload Dev VPC AWS account Workload Dev VPC AWS account Workload Dev VPC AWS account Workload Dev VPC AWS account Workload Dev VPC AWS account
  • 19. © 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved.
  • 20. © 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved. Thank you!
  • 21. Shift Left AWS Security 17.06.2022, Michael Ullrich
  • 22. Who is Nuvibit?
    • Nuvibit AG
    • Founded in 2021 in Switzerland
    • 100% focus on AWS
    • Focus on large AWS multi-account environments and security
    • Addicted to Everything as Code
  • 24. AWS has cool native services
    • AWS Security Hub, fully integrated security standards:
      • AWS Foundational Security Best Practices v1.0.0: 143 controls per account
      • CIS AWS Foundations Benchmark v1.2.0: 43 controls per account
      • PCI DSS v3.2.1: 45 controls per account
    • Amazon GuardDuty: more than 100 threat detections for EC2, IAM, S3 and Kubernetes
    • Amazon CloudWatch Logs Insights
  • 25. How do you monitor the CIS AWS 3.x controls? (Control details: Nuvibit blog post)
    • 3.1 Monitor for unauthorized API calls
    • 3.2 Monitor for AWS Management Console sign-in without MFA
    • 3.3 Monitor for usage of root account
    • 3.5 Monitor for CloudTrail configuration changes
    • 3.6 Monitor for AWS Management Console authentication failures
    • 3.7 Monitor for disabling or scheduled deletion of customer created CMKs
    • 3.8 Monitor for S3 bucket policy changes
    • 3.9 Monitor for AWS Config configuration changes
    • 3.10 Monitor for security group changes
    • 3.11 Monitor for changes to Network Access Control Lists (NACL)
    • 3.12 Monitor for changes to network gateways
    • 3.13 Monitor for route table changes
    • 3.14 Monitor for VPC changes
  • 26. Customer challenges we faced
    • General security controls are not applicable for all workloads (e.g. sandbox accounts)
    • Some workloads require custom security controls
    • Large amounts of false positives / accepted findings clutter our monitoring
    • Transparent security control and finding customization
    • Fast rollout of new security controls (in a large set of accounts)
    • From paper policies to reproducible results (Security as Code)
  • 27. Your AWS accounts are heterogeneous! You need good tailoring!
    1. AWS Foundational Security Best Practices standard
    2. CIS AWS Foundations Benchmark controls
    3. PCI DSS controls
  • 28. Cluster your AWS accounts (Security / Foundation Team, Workload A Team). An AWS account comes with:
    • Account ID
    • OU-ID
    • Account tags
  • 29. Use Case - Root Login in Production & Core (Security / Compliance Team)
    • CIS AWS 3.3 Benchmark: Monitor for usage of root account
    • Security Team: In Production and Core accounts the security control must generate an alarm
  • 30. Use Case - Security Group (Security / Compliance Team, Workload A Team, Workload X Team)
    • CIS AWS 3.10: Monitor for Security Group changes
    • Security Team: Only in Production accounts monitor for Security Group changes
    • Workload A Team: For Production Workload A filter out inbound TCP port 80 / 443 rules
    • Workload X Team: For Production Workload X alarm on inbound TCP port 22 (SSH) rules
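The CIS AWS 3.x monitoring controls listed on slide 25 are usually implemented as CloudWatch Logs metric filters over the CloudTrail log group. The following added example (not code from the slides or from Nuvibit SEMPER) re-expresses a subset of those filter patterns (3.1, 3.2, 3.3, 3.5, 3.10) as plain Python checks over CloudTrail records, so the detection logic can be read and tested offline; the event records at the bottom are constructed samples, not logs from a real account.

```python
"""Evaluate CloudTrail event records against a subset of the CIS AWS
Foundations Benchmark 3.x monitoring controls (3.1, 3.2, 3.3, 3.5, 3.10).

Added example, not part of the original slides or of Nuvibit SEMPER.  The
checks mirror the CloudWatch Logs metric-filter patterns the CIS benchmark
recommends for these controls; the sample records are constructed.
"""
from typing import Any, Callable, Dict, List


def _get(event: dict, path: str) -> Any:
    """Follow a dotted path such as 'userIdentity.type'; None if any part is missing."""
    cur: Any = event
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def cis_3_1_unauthorized_api_call(ev: dict) -> bool:
    # CIS pattern: errorCode = "*UnauthorizedOperation" or errorCode = "AccessDenied*"
    code = _get(ev, "errorCode") or ""
    return code.endswith("UnauthorizedOperation") or code.startswith("AccessDenied")


def cis_3_2_console_login_without_mfa(ev: dict) -> bool:
    # CIS pattern: eventName = ConsoleLogin and additionalEventData.MFAUsed != "Yes"
    return (_get(ev, "eventName") == "ConsoleLogin"
            and _get(ev, "additionalEventData.MFAUsed") != "Yes")


def cis_3_3_root_account_usage(ev: dict) -> bool:
    # CIS pattern: userIdentity.type = "Root", no invokedBy, eventType != AwsServiceEvent
    return (_get(ev, "userIdentity.type") == "Root"
            and _get(ev, "userIdentity.invokedBy") is None
            and _get(ev, "eventType") != "AwsServiceEvent")


def cis_3_5_cloudtrail_config_change(ev: dict) -> bool:
    return _get(ev, "eventName") in {"CreateTrail", "UpdateTrail", "DeleteTrail",
                                     "StartLogging", "StopLogging"}


def cis_3_10_security_group_change(ev: dict) -> bool:
    return _get(ev, "eventName") in {
        "AuthorizeSecurityGroupIngress", "AuthorizeSecurityGroupEgress",
        "RevokeSecurityGroupIngress", "RevokeSecurityGroupEgress",
        "CreateSecurityGroup", "DeleteSecurityGroup"}


CONTROLS: Dict[str, Callable[[dict], bool]] = {
    "CIS-3.1": cis_3_1_unauthorized_api_call,
    "CIS-3.2": cis_3_2_console_login_without_mfa,
    "CIS-3.3": cis_3_3_root_account_usage,
    "CIS-3.5": cis_3_5_cloudtrail_config_change,
    "CIS-3.10": cis_3_10_security_group_change,
}


def evaluate_cis_controls(event: dict) -> List[str]:
    """Return the IDs of all controls that fire for one CloudTrail record."""
    return sorted(cid for cid, check in CONTROLS.items() if check(event))


def scan(records: List[dict]) -> Dict[str, int]:
    """Count how often each control fires across a batch of records."""
    counts: Dict[str, int] = {cid: 0 for cid in CONTROLS}
    for rec in records:
        for cid in evaluate_cis_controls(rec):
            counts[cid] += 1
    return counts


# Constructed sample records (shape follows CloudTrail, all values are invented).
SAMPLE_EVENTS: List[dict] = [
    {"eventType": "AwsConsoleSignIn", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "Root", "accountId": "111111111111"},
     "additionalEventData": {"MFAUsed": "Yes"}},                                   # 3.3 only
    {"eventType": "AwsConsoleSignIn", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "additionalEventData": {"MFAUsed": "No"}},                                    # 3.2
    {"eventType": "AwsApiCall", "eventName": "DescribeInstances",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "errorCode": "Client.UnauthorizedOperation"},                                 # 3.1
    {"eventType": "AwsApiCall", "eventName": "StopLogging",
     "userIdentity": {"type": "AssumedRole"}},                                     # 3.5
    {"eventType": "AwsApiCall", "eventName": "AuthorizeSecurityGroupIngress",
     "userIdentity": {"type": "AssumedRole"}},                                     # 3.10
    {"eventType": "AwsServiceEvent", "eventName": "DescribeTrails",
     "userIdentity": {"type": "Root", "invokedBy": "cloudtrail.amazonaws.com"}},  # none
]

if __name__ == "__main__":
    for rec in SAMPLE_EVENTS:
        print(rec["eventName"], "->", evaluate_cis_controls(rec) or "no finding")
    print(scan(SAMPLE_EVENTS))
```

Note how the 3.3 check deliberately excludes root activity that carries `invokedBy` or an `eventType` of `AwsServiceEvent`: those are service-initiated calls on behalf of the account, and without that exclusion the control produces exactly the kind of noise the "customer challenges" slide complains about.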
  • 31. Examples of raw Security Finding Messages
  • 32. Use Case - Security Group, Security / Compliance Team, Detect Condition
    • Only in Production accounts monitor for Security Group changes
  • 33. Use Case - Security Group, Workload A Team, Drop Condition
    • For Production Workload A filter out inbound TCP port 80 / 443 rules
  • 34. Use Case - Security Group, Workload X Team, Response Instruction Condition
    • For Production Workload X alarm on inbound TCP port 22 (SSH) rules
    • Response examples: Notification, Alarming, Ticket, Auto-Remediation
  • 36. Use Case - Security Group - Demo (Security / Compliance Team, Workload A Team, Workload X Team)
    • CIS AWS 3.10: Monitor for Security Group changes
    • Security Team: Only in Production accounts monitor for Security Group changes
    • Workload A Team: For Production Workload A filter out inbound TCP port 80 / 443 rules
    • Workload X Team: For Production Workload X alarm on inbound TCP port 22 (SSH) rules
  • 37. SEMPER in a nutshell: Shift Left AWS Security with Security as Code
    1. Detect YOUR findings
    2. Enrich YOUR findings with context
    3. Filter out unnecessary findings
    4. Manage YOUR response to findings
  • 39. Nuvibit AG, Loonstrasse 36, 5452 Oberrohrdorf, Switzerland, +41 56 511 24 20, hello@nuvibit.com, https://nuvibit.com, https://ch.linkedin.com/company/nuvibit
  • 41. Cloud Security Frameworks: CIS Critical Security Controls v8, BSI C5:2020, NIST Cybersecurity Framework v1.1
  • 42. A solid AWS foundation helps – a lot (Foundation Team, Security Team, Workload Teams)
    • Nuvibit Cloud Foundation Map
    • Nuvibit reference architecture for AWS multi-account customers
    • AWS Landing Zone
  • 46. Sample of a processed finding: Original Message, Normalization, Response Instruction
  • 47. Nuvibit SEMPER AWS Native Security Finding Management Link to Product-Page
  • 49. Our paradigm: Security as Code, because it is the most effective approach to secure cloud workloads with speed and agility! Context-driven configuration and processing.
    • McKinsey - Security as code: The best (and maybe only) path to securing cloud applications and systems
    • Gartner - Using Cloud-Native ‘Policy as Code’ to Secure Deployments at Scale
  • 50. SEMPER Policy Types Demo: SEMPER Policy-Scope (account clusters via Policy-Scope), Configure Policies, Filtering-Exclude Policies, Response Policies
  • 52. SEMPER Demo – Use Case IAM: Observe IAM Roles (Security / Compliance Team, Workload A Team)
    • Security Team: In the whole AWS Organization monitor for IAM Role changes
    • Workload A Team: In the Production Workload A account IAM Roles must have a Boundary Policy attached
  • 53. SEMPER Demo – Use Case IAM Security / Compliance Team Workload A Team
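The Security Group use case (slides 30 to 37) and the IAM use case (slides 52 and 53) both follow the same detect / enrich / filter / respond flow, with each team owning its own policy. The following added example (my own code, not Nuvibit's SEMPER implementation) shows one way to express such team-owned policies as code and run both use cases through a single pipeline. The policy schema (tag-based account scope plus detect, drop and response conditions) is an assumption; the account inventory and events are constructed samples, and the CloudTrail `requestParameters` layout for `AuthorizeSecurityGroupIngress` and `CreateRole` is reproduced from memory and should be checked against real records.

```python
"""Policy-driven processing of CloudTrail events into security findings,
following the detect / enrich / filter / respond flow on the slides.

Added example; not Nuvibit's SEMPER code.  The policy schema below is an
assumption; account inventory and events are constructed samples.
"""
from typing import Dict, List, Optional, Set

# Constructed account "clusters": each account carries its OU and tags (used for enrichment).
ACCOUNTS: Dict[str, dict] = {
    "111111111111": {"ou": "core", "tags": {"env": "prod", "workload": "core"}},
    "222222222222": {"ou": "workloads", "tags": {"env": "prod", "workload": "A"}},
    "333333333333": {"ou": "workloads", "tags": {"env": "prod", "workload": "X"}},
    "444444444444": {"ou": "sandbox", "tags": {"env": "dev", "workload": "A"}},
}

SG_EVENTS = {"AuthorizeSecurityGroupIngress", "AuthorizeSecurityGroupEgress",
             "RevokeSecurityGroupIngress", "RevokeSecurityGroupEgress",
             "CreateSecurityGroup", "DeleteSecurityGroup"}
IAM_ROLE_EVENTS = {"CreateRole", "DeleteRole", "UpdateRole", "UpdateAssumeRolePolicy",
                   "AttachRolePolicy", "DetachRolePolicy", "PutRolePolicy", "DeleteRolePolicy"}


def ingress_ports(ev: dict) -> Set[int]:
    """TCP ports opened by an AuthorizeSecurityGroupIngress call; empty for other events."""
    ports: Set[int] = set()
    if ev.get("eventName") != "AuthorizeSecurityGroupIngress":
        return ports
    for perm in ev.get("requestParameters", {}).get("ipPermissions", {}).get("items", []):
        if perm.get("ipProtocol") == "tcp" and "fromPort" in perm:
            ports.update(range(perm["fromPort"], perm["toPort"] + 1))
    return ports


# Policies (assumed schema): owner team, type, scope = account tags that must match
# (empty scope = whole organization), condition on the event, optional response.
POLICIES: List[dict] = [
    {"name": "sg-changes-in-prod", "owner": "security", "type": "detect",
     "scope": {"env": "prod"}, "cond": lambda ev: ev["eventName"] in SG_EVENTS},
    {"name": "iam-role-changes-org-wide", "owner": "security", "type": "detect",
     "scope": {}, "cond": lambda ev: ev["eventName"] in IAM_ROLE_EVENTS},
    {"name": "workload-a-ignore-web-ports", "owner": "workload-a", "type": "drop",
     "scope": {"env": "prod", "workload": "A"},
     "cond": lambda ev: bool(ingress_ports(ev)) and ingress_ports(ev) <= {80, 443}},
    {"name": "workload-x-alarm-on-ssh", "owner": "workload-x", "type": "response",
     "scope": {"env": "prod", "workload": "X"},
     "cond": lambda ev: 22 in ingress_ports(ev), "response": "alarm"},
    {"name": "workload-a-roles-need-boundary", "owner": "workload-a", "type": "response",
     "scope": {"env": "prod", "workload": "A"},
     "cond": lambda ev: (ev["eventName"] == "CreateRole"
                         and "permissionsBoundary" not in ev.get("requestParameters", {})),
     "response": "ticket"},
]


def in_scope(policy: dict, tags: dict) -> bool:
    return all(tags.get(k) == v for k, v in policy["scope"].items())


def process(event: dict) -> Optional[dict]:
    """Detect -> enrich -> filter -> respond for one event.  Returns the finding to
    forward, or None when no detect policy fires or a drop policy suppresses it."""
    acct = ACCOUNTS.get(event.get("recipientAccountId", ""), {"ou": "unknown", "tags": {}})
    tags = acct["tags"]

    def matching(kind: str) -> List[dict]:
        return [p for p in POLICIES
                if p["type"] == kind and in_scope(p, tags) and p["cond"](event)]

    detected = matching("detect")
    if not detected or matching("drop"):
        return None
    responses = [p["response"] for p in matching("response")] or ["notification"]
    return {"account_id": event["recipientAccountId"], "ou": acct["ou"], "tags": tags,
            "event_name": event["eventName"],
            "detected_by": [p["name"] for p in detected], "responses": responses}


# Constructed CloudTrail-like events for the two demo use cases.
def sg_ingress_event(account_id: str, port_ranges: List[tuple]) -> dict:
    return {"eventSource": "ec2.amazonaws.com", "eventName": "AuthorizeSecurityGroupIngress",
            "recipientAccountId": account_id,
            "requestParameters": {"groupId": "sg-0123456789abcdef0", "ipPermissions": {"items": [
                {"ipProtocol": "tcp", "fromPort": lo, "toPort": hi,
                 "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}} for lo, hi in port_ranges]}}}


def create_role_event(account_id: str, with_boundary: bool) -> dict:
    params = {"roleName": "app-role"}
    if with_boundary:
        params["permissionsBoundary"] = f"arn:aws:iam::{account_id}:policy/WorkloadBoundary"
    return {"eventSource": "iam.amazonaws.com", "eventName": "CreateRole",
            "recipientAccountId": account_id, "requestParameters": params}


if __name__ == "__main__":
    for ev in [sg_ingress_event("222222222222", [(80, 80), (443, 443)]),   # dropped
               sg_ingress_event("333333333333", [(22, 22)]),               # alarm
               sg_ingress_event("444444444444", [(22, 22)]),               # not detected
               create_role_event("222222222222", with_boundary=False)]:    # ticket
        print(ev["eventName"], ev["recipientAccountId"], "->", process(ev))
```

Two design points are worth noting. The drop policy only suppresses a rule when every opened port is 80 or 443, so a sloppy `80-443` range in the Workload A account still surfaces as a finding. And because the security team's detect policies run before any team's drop or response policies, a workload team can only narrow or annotate what is detected in its own accounts; it cannot switch off detection elsewhere.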