Getting Started with AWS Security

Emily Gladstone Cole Diana Initiative 2019
@unixgeekem
1

Emily Gladstone Cole Diana Initiative 2019
@unixgeekem
Getting started with AWS
Security
Emily Gladstone Cole
2

Emily Gladstone Cole Diana Initiative 2019 @unixgeekem
What you will learn today
1. Some history of AWS
2. Intros to some critical AWS concepts and services
3. Tips and tricks for staying secure
4. My list of useful AWS resources
(you will also learn that I like cat photos)
3

Talk Agenda
" Introduction
" AWS Background
" Key AWS Services
" More AWS Tools
" Using AWS to Secure AWS
4

Who is this Emily person anyway?
PAST
CURRENT
CONTACT
5
" UNIX SysAdmin/Operations background
" Transitioned to Security Incident Response/Security Research
" Senior Security Engineer at (100% AWS infra)
" Mentor for SANS’ Women’s CyberTalent Immersion Academy
" Twitter: @unixgeekem

Disclaimers
I am NOT being compensated by Amazon or
AWS or my employer to give this talk.
I am expressing my own opinions here.
I’m sharing what I have learned. There are
many others who know more about AWS than I
do. Some of them are cited in the references.
6

Talk Agenda
" Introduction
" AWS Background
" Key AWS Services
" More AWS Tools
7

A bookstore with an infrastructure problem
Back in the year 2000, Amazon was an online bookstore, and
then they branched out to selling other things. The idea was
to make a platform to allow people to partner with the store
and become resellers, and then it grew...
AWS either launched March 14th or 19th, 2006, with the
Simple Storage Service (S3), then soon after came Elastic
Compute Cloud (EC2), and AWS took off from there.
8

Definitions: Service
AWS stands for Amazon Web Services.
Service is the term that AWS uses for
each separate product, like EC2, S3,
Lambda, SNS, RDS...
There are now over 150 AWS Services,
with more being announced every month.
9

Emily Gladstone Cole Diana Initiative 2019 @unixgeekem 10

Definitions: Regions and Availability Zones
" Region: A geographical area designed to be isolated from all other
Regions
○ Isolated for fault tolerance and stability
○ AWS has Global Services (like IAM) that apply to all Regions
○ AWS also has Region-based Services
" Availability Zones are separate locations within the Region
Pro Tip: make sure everyone uses the same default Region
11

Shared Responsibility: how much is shared?
AWS always talks about the Shared Responsibility Model.
" AWS is responsible for the security OF the cloud.
" Customers are responsible for the security of everything IN the
cloud.
AWS will set the line between AWS-managed and Customer-managed
at different spots depending on the Service: some, like Lambda, have
fewer places where the Customer can add security.
12

https://aws.amazon.com/compliance/shared-responsibility-model/

https://cloudacademy.com/blog/aws-shared-responsibility-model-security/

Talk Agenda
" Introduction
" AWS Background
" Key AWS Services
" More AWS Tools
15

EC2: Elastic Compute Cloud
" Instances are the traditional virtual servers in the cloud
" AMI are Amazon Machine Images: a Gold Master image to create
instances
○ Choose carefully: anyone can publish an AMI
" Security Groups are groups of resources with a shared set of access
rules
○ A Default Security Group allows everyone to connect from everywhere
" There are also Load Balancers, Auto-Scaling Groups, Elastic (Virtual)
IPs...
16

<screenshot of EC2 home screen>
17

Security Groups
Security Groups are individual enclaves bordered with stateful firewalls
" Can specify separate (or even multiple) Security Groups for each host
" Filtering rules can be set up for inbound and outbound traffic
" Can specify allowed source/destination IPs and ports
" If not otherwise specified, all outbound traffic is permitted
" Implicit DENY of all traffic not explicitly ALLOWed
18

VPC: Virtual Private Cloud
VPC is like a classic VLAN
" Split up Security Groups or allow them to communicate
VPC Endpoints
" By default, AWS-managed Services communicate over the internet. Since AWS
bills for network costs, this can add up.
" VPC Endpoints allow private connections between the AWS back-end and your
VPC.
" You can keep your DB traffic (for example) private!
" Supported by 20+ services so far and more are coming
19

Simple Storage Service (S3)
" Buckets are distinct containers each
with their own permissions
" Used to hold files, collect logs from
your applications, host a website
" They have a bad reputation because
people don’t know how to configure
them, and leave them world-
readable...
20

CloudTrail - audit user activity
" Gathers all the commands executed in AWS, and any affected
Services or Resources.
" Tracks the last 90 days of events, by default ignoring Read-Only
events
" Can be written to an S3 bucket for longer-term storage
" Your Compliance team will want these logs to be stored somewhere,
immutable, for some specific time period.
21

Digression: AWS Service Naming
Corey Quinn (@QuinnyPig) has a
lot to say about AWS. Much of it is
funny. Most of it is useful.
He’s right that the service names
don’t always make a lot of sense.
22

Identity and Access Management (IAM)
" Users: Can be people or machine/bot/service accounts
" Groups: Easy way to combine similar users and grant roles/policies
" Roles: like a user, can be used to delegate access to resources/services
" Policies: Used to grant a user or group or role access to a service
Pro Tip: If you do not grant a user access to any Services, all
they can do is log in and stare at a blank console.
23

IAM Policy Concepts: Who does What to Which
" Principal: individuals or Roles
○ "Principal": { "AWS": "arn:aws:iam::AWS-account-ID:user/user-name" }
" Effect: "Allow" or "Deny"
" Action: specific command(s)
○ "Action": ["iam:ChangePassword"]
" Resource: thing(s) to be acted on (can be a user, EC2 instance, S3 bucket…)
○ "Resource": "arn:aws:iam::*:user/${aws:username}"
" Condition: further restrictions on how/when/why
○ "Condition": {
○ "DateGreaterThan": {"aws:CurrentTime": "2019-08-05T00:00:00Z"},
○ "DateLessThan": {"aws:CurrentTime": "2019-08-11T23:59:59Z"}
○ }
24

Tuning IAM Policies
They’re written in JSON and AWS allows you to update them in a
few ways (from Easy to Hard):
1. Pre-Written Policies from AWS
2. Let the Wizard guide you
3. Write your own in JSON
4. Use your Automation tools
25

Pre-Written IAM Policy Example
Amazon Macie allows
you to examine your
data for sensitive
information.
There are 5 different
AWS-provided
policies, or you can
create your own.
26

IAM Policy Wizard in the Console
After you select which
Service(s) you want to use in
your policy, you can specify
exactly which Actions the
policy grants or denies
access to, sometimes select
the Resources it acts on
(some are global), and finally
other request conditions
(MFA, source IP restrictions).
27

Writing IAM Policies
" Many sample policies
available (see References)
" You need to be familiar with
JSON if you’re going to
customize the examples
There will be more about the
automation tools that allow you
to specify permissions later on.
28

Talk Agenda
" Introduction
" AWS Background
" Key AWS Services
" More AWS Tools
29

Let’s Play Tag
Tag: a metadata key (value is optional) that can be attached to AWS resources.
" Tag Instances, Buckets, Databases, Users, Secrets…
○ Technical Tags: name, app ID/role, version
○ Lifecycle Tags: date created/date to remove
○ Business Tags: owner, customer, business unit
○ Security Tags: confidentiality level and/or compliance
" Limit access to resources based on Tags:
○ “Secrets manager:ResourceTag/Project”: “${aws:PrincipalTag/Project}”
Tags are free! Use them freely!
30

Check out this one cool trick with Tags
This is the example from the previous slide, allowing you to limit access to
resources based on Tags:
“Secrets manager:ResourceTag/Project”: “${aws:PrincipalTag/Project}”
1. Only the resources (users?) with the matching tag can access the relevant
secrets.
2. You need to be sure that everything is tagged correctly to begin with.
3. You need to be sure that users can’t assign tags themselves so they don’t just
tag themselves into all projects.
31

API access to AWS
AWS has as one of its foundational principles the idea that all internal data and
functionality should be accessible as a service. They have carried that over into their
customer-facing infrastructure with their API. Almost everything that can be done in
the console can be done through the API.
They have released two ways of doing so:
" The AWS Command Line Interface (CLI) is a tool you can use to execute API
calls on your local system.
" There are AWS-provided SDKs for C++, Go, Java, JavaScript, .NET, Node.js,
PHP, Python, and Ruby if you want to write code to use the API.
32

API access prerequisite: API Access Keys
Access Key ID:
" Always starts with AKIA…
" Is the equivalent to your username
Secret Access Key:
" Secret really means secret
" Do not put this key into your code.
33

Infrastructure As Code
If you have heard of “Infrastructure
as Code”, this is what people are
talking about. CloudFormation is
an AWS product, and Terraform is
an open source equivalent.
The code to the right is the
definition of a sample VPC.
34

Talk Agenda
" Introduction
" AWS Background
" Key AWS Services
" More AWS Tools
35

Finally, we’re talking
about Security!
36

Common AWS Security Failure Modes
Accessible API Keys
Excessive Permissions
37

Where did I put my Keys?
Your AWS API keys allow people to impersonate you, get
access to your resources, and use your AWS account to
mine for bitcoin.
Especially do not check those keys into GitHub.
Fortunately truffleHog and git-secrets are available to
audit any GitHub repositories to find AWS Keys,
passwords, and other sensitive data.
38

S3 and you: how not to be in the headlines
Public buckets: not even once1.
Use bucket lifecycles for data retention.
Pro Tip: the “Authenticated Users”
group means anyone who has logged in
to any AWS account, not just yours!
1 Without explicit signoff from management
39

Encrypt All The Things
40
HOWEVER!
" Setting your bucket status to encrypted does not encrypt all the old data in
the bucket.
" If you have Versioning enabled on your bucket, you must encrypt all previous
versions as well as the current one.
Set your S3 buckets to be encrypted by
default. It has zero impact on your
workflow and makes your auditors
happy.

Wide Open Application Endpoints
Elasticsearch was build to allow
people easy access to their data. If
you don’t configure it properly, others
get access as well.
Default admin credentials could be a
problem here.
You also need to look at whether you
have a public endpoint, or one on a
VPC.
41

Wide Open Security Groups
Everyone will poke at your
exposed instances/resources
if you let them, and they will
keep doing it day and night.
If your IDS/Pager vendor
charges by the number of
alerts, they will love you.
Your on-call team or SOC will
hate you, however.
42

Enter AWS Trusted Advisor
You can use Trusted Advisor to audit some
common misconfigurations in your account:
" Public buckets
" Security Groups that allow traffic from
anywhere
" Some checks are available only for
Business or Enterprise support customers
It doesn’t take the place of doing the audits
yourself, but it can point out good places to start.
43

“Contain the Blast Radius”
44

Ways to compartmentalize
Do you have separate accounts for Production and Development
(and Staging and Test)? There are a lot of benefits:
" Not having to write policies that prevent people from bringing down the
master database on their first day
" Not having to worry about restricting who has Admin privileges and thus
can evaluate new services
" Not having to spend all your time working access request tickets
Wait, but now I have to manage multiple accounts!
45

AWS Organizations and Control Tower
" AWS Organizations will help you manage a group of
existing Accounts
○ You can invite existing Accounts into the Organization
○ You can set up constraints across all of the Accounts
○ You can centralize Billing and user management
" AWS Control Tower lets you quickly build new accounts
from a template
○ You can’t control existing Accounts or infrastructure
○ You can easily launch pre-configured new Accounts with
Resources and Users pre-populated
46

Remember this cool trick with Tags
If for some reason you can’t put everything into a separate account, you
can still limit access to resources based on Tags:
“Secrets manager:ResourceTag/Project”: “${aws:PrincipalTag/Project}”
1. Only the resources (users?) with the matching tag can access the relevant
secrets.
2. You need to be sure that everything is tagged correctly to begin with.
3. You need to be sure that users can’t assign tags themselves so they don’t just
tag themselves into all projects.
47

IAM Refresher
" Users: Can be people or machine/bot/service accounts
" Groups: Easy way to combine similar users and grant roles/policies
○ Example: “Engineers”, “Marketing”, “Security”, “Product A”
○ Managing users is easier if policies only get added to groups
" Roles: like a user, can be used to delegate access to resources/
services
○ Users can assume roles in order to get access to those resources or
services
○ Allows short-term access to something without sharing IAM Access Keys
" Policies: Used to grant a user or group or role access to a service
48

IAM Best Practices
" Least Privilege:
○ Create Profiles and Groups and Roles to ease management
○ Restrict privileged access (Administrator) to only necessary users/times
" IAM Roles:
○ Restrict specific cross-account access using Roles
○ Use Roles to allow EC2 Instances access to resources
" Hygiene:
○ Enforce MFA and strong passwords
○ Build a process to rotate Access Keys and practice it
" Auditing:
○ Enable AWS CloudTrail to get logs of API calls
49

How do you reduce privileges?
1. Proactively: “your privileges are being reduced to XYZ now”
a. Likely to build resentment
b. Likely to lead to many exception requests being filed
2. Gradually: “I’ve audited, and removed access to all but ABC”
a. Still leaves spots where people have more access than they should
b. Can be further addressed by auditing CloudTrail for the user
50

IAM
Access
Advisor
example
51

CloudTrail Audit example
Here you can see what this dangerous ‘emilygcole’ user did today on a more
granular level. They logged in, and stopped an EC2 Instance, and then
Terminated it.
52

Tune your Endpoints and VPCs
1. Ensure that Bastions and other
exposed endpoints can’t access
buckets and databases.
2. If you can, make sure that your AWS
services like databases,
Elasticsearch, and Kubernetes are
connected to a specific VPC instead
of wide open to the internet.
53

How to audit resources: AWS Config
Pros:
" Can audit your AWS Services to see if they
meet conditions (“is this bucket public?”)
" Can automatically get notified if things are
not set up properly.
" Can be set up to take automatic
remediation actions based on failed
compliance checks (like “encrypt this
bucket”)
" Can now alert on changes to an audited
item, instead of just the state of the item.
54
Cons:
" Extremely noisy if not configured properly.
" Requires configuration and tuning of
Config, and also a notification method
(typically SNS or GuardDuty).
" The default mode, alerting on the status
of an item (did this Instance launch from
the Golden Master AMI?), is often noisy.
" Alerting on changes to a frequently-
changing item (an S3 bucket) is also
noisy.

CapitalOne Hack
55
On July 29th, a story broke about a hacker who extracted data
from CapitalOne’s infrastructure. Credit card application data
from 2005-2019 was taken.
There were 140,000 Social Security Numbers and 80,000
bank numbers included in this data.
The source of the data was an S3 bucket, but this was not a
public S3 bucket.

CapitalOne Hack facts
1. The Indictment contains references to
getting credentials for a Web
Application Firewall (WAF) IAM Role
from an accessible EC2 instance.
2. This Role has privileges to list and sync
S3 buckets, and that is how the data
was exfiltrated.
3. CapitalOne says the hack was not
AWS’ fault.
56

CapitalOne Hack questions
57
1. Current speculation is that Server Side
Request Forgery was an attack vector. Is
this the weakness described in @silvexis’
RSAC presentation from 2015?
a. If so, why hasn’t it been fixed yet?
2. Why does a WAF Role have the ability to
list and sync S3 buckets?
3. What can people do to keep
themselves safer?

Circling back to Roles
1. Create specific Roles for different functions:
users, instances, database access
2. Make sure that these Roles can only do the few
things necessary to keep your applications
running - remember CapitalOne had a WAF role
that can sync buckets
3. Bastions and other exposed endpoints shouldn’t
have permissions allowing them to access
buckets and databases directly.
58

News from Yesterday: EBS Snapshots public
Friday at DEFCON, Ben Morris from Bishop Fox announced that he had discovered
that many Elastic Block Store (EBS) snapshots are set to public.
" Elastic Block Store is a virtual hard drive for your EC2 Instances.
" Backups of these virtual hard drives are done via Snapshots.
" If Snapshots are in Public mode, they are open to everyone.
" Anything that might be on your system might be in an EBS Snapshot (Code,
AWS Keys, log data, company confidential information).
You can audit your snapshots to figure out if they’re Public or not via the Console or
the AWS CLI, or set up AWS Config rules to audit and enforce Private snapshots.
59

AWS Security Services
60

AWS Gaps (not a real service name)
AWS is not perfect. They
provide a lot of helpful tools and
information, but like all security
tools, the more you put into
managing AWS, the more you
get out of it.
There is no Easy Button.
61

Gaps: Inventory Management
Some people use their monthly bill to
figure out what they have running in
their infrastructure.
Some people use Systems Manager to
manage their instances.
There are no AWS Services that will
answer the question “what are all the
resources that use the tag ProductA?”
62

Gaps: Vulnerability Management
When there is a vulnerability in
a Service like EKS or Lambda,
you may have to open a
support case to find out when
fixes will be available.
On the other hand, you can
often find information on
Amazon Linux’s OS
vulnerabilities very easily
online.
63

Fixing some Gaps: AWS Marketplace
If AWS doesn’t sell it,
there may be a vendor or
partner who does. You
can find anything from
AMIs to FedRAMP in a
box, for a price, on the
AWS Marketplace.
64

The most important Service: AWS Billing
" Use it to find unexpected
resources, as inventory
management, and a justification
for lifecycle management.
" Keep an eye on those data
transfer costs (some things you
thought were local probably
aren’t), but you may be able to
fix that using VPC Endpoints.
65

What I said you will learn today
1. Some history of AWS
2. Intros to some critical AWS concepts and services
3. Tips and tricks for staying secure
4. My list of useful AWS resources
66

Summing Up
1. If you have to pick one Service to learn well, pick IAM.
2. Other critical Services: EC2, S3, VPC.
3. Use Tags everywhere.
4. AWS has many tools to help you manage your account(s),
but there is no Easy Button.
5. There are a lot of resources out there to learn more.
67

https://github.com/emilygcole/talks/AWS_Sec_101
68
Thank you!

Getting Started with AWS Security

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Getting Started with AWS Security

Similar to Getting Started with AWS Security (20)

More from EmilyGladstoneCole

More from EmilyGladstoneCole (6)

Recently uploaded

Recently uploaded (20)

Getting Started with AWS Security