This document provides an overview of an AWS security presentation. The presentation covers AWS background and services like EC2, S3, IAM, and more. It discusses key security concepts like the shared responsibility model and compartmentalization. The document also provides tips for securing AWS, such as using tags to limit access, encrypting S3 buckets, and checking for misconfigurations with Trusted Advisor.
Security & Compliance are very important for most businesses. Learn how AWS enables you to securely use the cloud for your most vital business applications and how you can ensure that you are compliant with a large set of security standards and government regulations like GDPR.
Account automation and temporary AWS credential service - GRC328 - AWS re:Inf...
by Amazon Web Services
Riot Games struggled with providing new AWS accounts and API access that met its security requirements, so it built an account provisioning service to ensure that all accounts are created consistently with the required security controls. Riot also built a credential service where developers can grab temporary API keys with one command. This works wherever the developers work, and the credentials automatically expire each day. Riot now provisions new accounts with security guardrails within an hour, and the number of permanent AWS API keys is reduced by 70 percent. Learn how to build similar services using AWS Organizations, AWS Step Functions, AWS Lambda, Amazon CloudFront, and Amazon API Gateway.
Do you have on-premises tape backups or expensive VTL hardware? Worried about moving cases of tapes off site? Not sure about the integrity of your data on tape? In this whiteboarding session, learn how to use AWS services, including AWS Storage Gateway, to replace existing traditional tape approaches to backing up data.
Let's spend some time prepping for the GuardDuty lab and set everyone up with Amazon account credits. Then we will do a short warm-up lab that builds out a real-time serverless dashboard for monitoring account activity using a number of different services. Level 200
by Roy Feintuch, Dome9
Join us for four days of security and compliance sessions and hands-on labs led by our AWS security pros during AWS Security Week at the San Francisco Loft. Join us for all four days, or pick just the days that are most relevant to you. We'll open on Monday with Security 101 day, followed by sessions on Identity and Access Management on Tuesday; our popular Threat Detection and Remediation day on Wednesday will feature an updated GuardDuty lab, and we'll end Thursday with Incident Response sessions, labs, and a talk by Netflix on their new open source IR tool. This week will also feature Dome9 as a sponsor, and you can hear them speak and present a hands-on workshop Monday during Security 101 day.
In this webinar, you'll learn how to create security workspaces for multiple teams through your AWS account. Discover how IAM works and find out how it integrates with AWS services. In addition, learn how AWS Config rules and AWS CloudTrail can help you identify and rectify misconfiguration issues quickly and effectively.
Top Cloud Security Myths - Dispelled! (SEC202-R1) - AWS re:Invent 2018
by Amazon Web Services
In this session, we cover the most common cloud security questions that we hear from customers. We provide detailed answers for each question, distilled from our practical experience working with organizations around the world. This session is for everyone who is curious about the cloud, cautious about the cloud, or excited about the cloud.
McAfee Skyhigh: Elevating Your AWS Security Posture (SEC307-S) - AWS re:Inven...
by Amazon Web Services
According to Gartner, the IaaS market grew at a blistering 42.8% in 2017, twice as fast as SaaS. And with last year’s high-profile data exposures, the focus on bolstering IaaS security practices has increased. We’ve worked with AWS and hundreds of IaaS security professionals to develop a list of security practices specifically designed to protect AWS environments and the applications and data within them. In this session, you’ll discover:
• common yet preventable scenarios that can result in the loss of corporate data
• security best practices for user and admin behavior monitoring, secure auditable configuration, and Amazon S3 data loss and threat prevention
• blueprints for how a solution-based approach (including bridging to your on-premises best practices) can provide IaaS visibility and control
• step-by-step guidance on how to gain visibility across all workloads, protect against advanced threats, and discover insights into lateral threat movements
• recommendations for creating a successful DevOps workflow that integrates security
Threat detection on AWS: An introduction to Amazon GuardDuty - FND216 - AWS r...
by Amazon Web Services
Amazon GuardDuty is a threat detection system that is reimagined and purpose-built for the cloud. Once enabled, GuardDuty immediately starts analyzing continuous streams of account and network activity in near real-time and at scale. You do not have to deploy or manage any additional security software, sensors, or network appliances. Threat intelligence is pre-integrated into the service and is continuously updated and maintained. This session introduces you to GuardDuty, walks you through the detection of an event, and discusses the various ways you can react and remediate.
Foundations: Understanding the Critical Building Blocks of AWS Identity and G...
by Amazon Web Services
by Jeff Levine, Security Specialist, Solutions Architect, AWS
In AWS, identity comes first. Before you can provision buckets, instances, VPCs, or any other infrastructure, you have to have an identity to authenticate and authorize those API calls. In this session, we'll rapidly immerse you in the fundamental primitives, mental models, and implementation patterns of the core AWS identity services such as AWS Identity & Access Management and AWS Organizations. With this knowledge in hand you'll be able to confidently construct a solid identity foundation for your workloads to sit atop.
An open-source adventure in the cloud, containers, and incident response - SE...
by Amazon Web Services
In this workshop, you learn about open-source projects and how they can support your security detection and response in the cloud. Learn how Amazon is contributing to open source and how open-source technologies can help you assess and deal with incidents in your environment. Look at automated response, and learn how to respond to and remediate issues in your cloud environment using open-source systems.
by Zack Milem, Trend Micro
DevOps can be coded quickly in the cloud, but it still needs to be secured. In this session, we will discuss how an automated security infrastructure can be constructed. Building from the ground up with API-driven security controls, a Security Fabric in AWS can be the foundation to deliver a fast and secure environment in the cloud.
In this talk, we will introduce several methods of threat detection and remediation on AWS, including GuardDuty, Macie, WAF, Shield, Lambda, AWS Config, Systems Manager and Inspector. We will do a brief overview of each of these services, and then talk about how to put them all together to have a comprehensive threat detection and remediation solution. We will also discuss how to use these services across multiple AWS accounts and regions, to cover the governance needs of enterprise AWS deployments. Level 200
Architecting for Enterprise Identity Across Multiple Operating Models (ENT413...
by Amazon Web Services
A critical component of any cloud journey is ensuring that the identity architecture enables users and operators of cloud-based infrastructure to maintain or increase their level of productivity while maintaining appropriate levels of security. Such an architecture must take into account the likelihood that engineers from different organizations and differing operating models must work together to achieve outcomes. This talk explores how AWS Managed Services built such a system, leveraging industry standard components. Security experts from across multiple AWS service teams answer your questions about strategy and technical implementation.
Container Security and Avoiding the 2 A.M. Call (CON303-R1) - AWS re:Invent 2018
by Amazon Web Services
Containers are becoming one of the new normal infrastructures for deploying applications. One of the challenges that customers face is how to secure their applications. Traditional security practices and tools are designed for applications running directly on the hosts, whereas containers are virtualized and multi-tenant. In this session, learn about techniques that can be used to secure hosts, containers themselves, and the applications hosted in individual containers. We look at using Amazon ECS with Amazon EC2, AWS Fargate, and Amazon EKS, and we discuss what techniques and best practices to employ as part of CI/CD processes and for running applications.
Learn about the features supported by AWS storage services, such as object tagging, storage class analysis, inventorying, and monitoring. These tools can help automate data lifecycle policies for optimal and cost-effective storage management, provide detailed insights into usage across the entire enterprise, and limit access to certain accounts.
How Symantec Cloud Workload Protection Secures LifeLock on AWS PPT
by Amazon Web Services
When LifeLock decided to migrate their workloads to Amazon Web Services (AWS) from their on-premises data center, they were concerned that traditional security technology and processes would not transfer to the cloud. They turned to Symantec and deployed Cloud Workload Protection (CWP) to secure both their corporate and customer data, as well as their intellectual property, in part because CWP’s cloud-native design enabled seamless integration with their DevOps workflows and AWS infrastructure.
This webinar will examine concepts for managing sensitive data in AWS. For example, using tools to encrypt client access with AWS Certificate Manager; secret management with AWS Systems Manager Parameter Store and its integration with deployment pipelines; and how to encrypt data at rest to ensure privacy.
At AWS, security is job zero and we have architected our infrastructure for the most data-sensitive organizations in the world. In this session, we will cover our Shared Responsibility Model in relation to Security and our Compliance Program, and what that means for our customers when using our suite of storage services.
AWS & Vizalytics Technology: Smart Cities Solutions
Specialist Days - Smart Cities (March, 2018)
How can cities share information with citizens about their community in real-time, and show how a particular event could impact their morning commute?
Presented by Craig Lawton, Aileen Gemma Smith & Chris Smith.
Preparing data for analysis and insights is the foundation of any data-driven exercise. Moving workloads to a PaaS, be it data engineering, analytic database, or data science, requires a two-step leap of faith: first in trusting the public cloud, and then in trusting your PaaS vendor. In this webinar we will discuss the architecture of a PaaS solution for data management and understand the nitty-gritty details of what exactly this involves.
3 things to learn:
• An exploration of the architecture of Cloudera Altus PaaS - the industry’s first multi-function, multi-cloud data and analytic platform-as-a-service
• A dive into use cases and a demo of Altus
• The synergy between AWS and Altus to help you securely standardize on a combination of public cloud and data management
AWS Partner Webcast - Use Your AWS CloudTrail Data and Splunk Software To Imp...
by Amazon Web Services
With AWS CloudTrail, you can get log files of AWS API calls for your account. CloudTrail enables you to perform security analysis, track resource changes, and aid in compliance reporting.
In this webinar you will learn how CloudTrail collects and stores your AWS log files so that software from AWS Technology Partner Splunk can be used as a Big Data Security Information and Event Management (SIEM) system. You will hear how AWS log files are made available for many security use cases, including incident investigations, security and compliance reporting, and threat detection/alerting. You will also hear from a joint Splunk/AWS customer, FINRA, who will explain how they leverage Splunk in AWS to support their cloud efforts.
What you'll learn:
• Why the machine data from AWS CloudTrail is relevant to security and compliance
• How to visualize data from AWS CloudTrail to monitor and audit security-related activity
• How AWS CloudTrail data can be combined with machine data from other sources in your IT infrastructure, including the OS and apps in your AWS images, for a wide range of operational and security use cases
• How the combination of AWS CloudTrail and Splunk Software improves your uptime, accelerates security and operational investigations, and simplifies compliance.
AWS's access model provides powerful opportunities for controlling who has what level of access to which resources. But with this awesome power comes awesome complexity. The inevitable shortcuts mean that a one-line bug could wipe out all your EC2 resources instead of the intended targeted few. In this talk, we'll quickly review the key aspects of IAM and discuss some strategies for keeping cloud resources safe from friendly fire.
Presented at Austin DevOps July 2019
Using ML with Amazon SageMaker & GuardDuty to identify anomalous traffic - SE...
by Amazon Web Services
This workshop provides a hands-on opportunity for you to learn to use machine learning (ML) via Amazon SageMaker in your security pipeline. You are guided through the process of feeding data from AWS CloudTrail and Amazon GuardDuty into Amazon SageMaker in order to augment GuardDuty findings. You’ll receive an introduction to Amazon SageMaker and leverage the IP Insights algorithm to train a model based on IP addresses in the CloudTrail logs. This model is used to score IP addresses from GuardDuty findings to gain additional threat information about alerts, enabling security operators to better prioritize alerts for further action.
Innovating IAM Protection for AWS with Dome9 - Session Sponsored by Dome9
by Amazon Web Services
Innovating IAM Protection for AWS. Protecting your IAM users and roles is a priority for security professionals and DevOps teams alike. The challenge becomes more complex when adding multiple AWS accounts, many users, and a growing list of local and cross account roles. By utilizing an innovative IAM protection solution, you can successfully defend your AWS cloud from new threats.
In this 30-minute session you will learn:
• How to identify and map out potential IAM risk factors and attack vectors.
• How to prevent potentially dangerous activities over your AWS accounts directly from your mobile device.
• How to defend your AWS investment from compromised credentials and malicious insiders that can impact your business.
Speaker: Patrick Pushor, Chief Technical Evangelist at Dome9
AWS March 2016 Webinar Series - Best Practices for Managing Security Operatio...
by Amazon Web Services
It is critical to maintain strong identity and access policy to prevent unexpected access to your resources for whatever applications you are running on AWS. It is equally important to track and alert on changes being made to your AWS resources.
In this webinar, you will learn about the different ways you can use AWS Identity and Access Management (IAM) to control access to your AWS services and integrate your existing authentication system with AWS IAM. We will cover how you can deploy and control your AWS infrastructure using code templates, including change management policies with AWS CloudFormation.
In addition, we will explore different options for managing both your AWS access logs and your Amazon Elastic Compute Cloud (EC2) system logs using Amazon CloudWatch Logs. We will also cover how to use these logs to implement an audit and compliance validation process using services such as AWS Config, AWS CloudTrail, and Amazon Inspector.
Learning Objectives:
• Understand the AWS Shared Responsibility Model.
• Understand AWS account and identity management options and configuration.
• Learn the concept of infrastructure as code and change management using CloudFormation.
• Learn how to audit and log your AWS service usage.
• Learn about AWS services to add automatic compliance checks to your AWS infrastructure.
Who Should Attend:
• IT administrators, architects, and security engineers, or anyone interested in controlling access to AWS resources, deploying infrastructure on AWS, or performing compliance checks on their infrastructure
AWS re:Invent 2016: Automating Security Event Response, from Idea to Code to ...
by Amazon Web Services
With security-relevant services such as AWS Config, VPC Flow Logs, Amazon CloudWatch Events, and AWS Lambda, you now have the ability to programmatically wrangle security events that may occur within your AWS environment, including prevention, detection, response, and remediation. This session covers the process of automating security event response with various AWS building blocks, taking several ideas from drawing board to code, and gaining confidence in your coverage by proactively testing security monitoring and response effectiveness before anyone else does.
AWS provides a range of security services and features that AWS customers can use to secure their content and applications and meet their own specific business requirements for security. This presentation focuses on how you can make use of AWS security features to meet your own organization's security and compliance objectives.
View a recording of the webinar based on this presentation on YouTube here: http://youtu.be/rXPyGDWKHIo
Policy Verification and Enforcement at Scale with AWS (SEC320) - AWS re:Inven...
by Amazon Web Services
In an ever-growing cloud environment, scaling to a number of accounts can range into the thousands, where edge cases dominate your firm’s spectrum and changes in your environment happen quickly. The Goldman Sachs cloud engineering team considers enforcement of security best practice a growing concern. With developers managing infrastructure as code (IaC), learn how Goldman Sachs uses distributed serverless logging pipelines and leverages AWS formal verification tools to help enforce access policy in the process. In this session, we cover AWS Config, AWS Lambda, Amazon DynamoDB, and Amazon Simple Notification Service (Amazon SNS) as distributed infrastructure that can help catch security issues early and remediate those that happen unexpectedly.
Codeless Security for the Apps You Buy & Build on AWS
by CloudLock
Watch this webinar to learn what codeless security looks like for the cloud apps you build. Codeless - that means baking in security capabilities to defend your custom apps against data breaches without having to write a single line of code.
This presentation will give you the opening introduction on what is cloud computing with AWS, getting started, and the technical modules presented on the day.
Module 2: AWS Infrastructure: Storage (S3, EBS), Compute (EC2), Networking (VPC)
Module 3: Security, Identity, and Access Management: IAM
Module 4: Databases: Amazon DynamoDB and Amazon RDS
Module 5: AWS Elasticity and Management Tools: Auto Scaling, Elastic Load Balancing, Amazon CloudWatch, and AWS Trusted Advisor
Jeff Lombardo - Enforcing access control in depth with AWS - v1.2.pdfJean-François LOMBARDO
Infrastructure security services are seen as the traditional mechanisms for protecting data. But now Identity and Access Management has to be considered too, to prevent illegitimate access to information, unauthorized usage of services, and tampering with data. This is why, at AWS, Identity and Access Management is a global service in our portfolio. Implementing a least-privilege model for your workload requires that you consider what permissions each component must have. For example: is it better to assign an IAM role to your compute instance, or to impersonate the initial requestor with their roles and permissions? Are the attributes of the requestor important for your access control logic? Can the context of the request influence how the resource should be disclosed?
Answering those questions will allow you to design and implement access control thanks to a composition of multiple mechanisms. Through this session, we will describe how a very simple web store application will benefit from implementing: identity federation, attribute-based access control, and security token exchange through the usage of the appropriate AWS services.
As organizations start migrating to the cloud to improve operational efficiency and reduce cost, Amazon's cloud service is one of the most sought-after platforms for all cloud needs. This blog talks about cloud computing, its benefits, best practices in AWS, and so on.
Presented at the USENIX LISA conference in Nashville, TN, On October 29, 2018 - an updated version of the presentation from DevOpsDays Silicon Valley 2018
A talk I gave at DevOpsDays Silicon Valley in May of 2018. This is a high-level presentation about common security guidelines and how your DevOps team can automate their way to better security.
UiPath Test Automation using UiPath Test Suite series, part 4DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 4. In this session, we will cover Test Manager overview along with SAP heatmap.
The UiPath Test Manager overview with SAP heatmap webinar offers a concise yet comprehensive exploration of the role of a Test Manager within SAP environments, coupled with the utilization of heatmaps for effective testing strategies.
Participants will gain insights into the responsibilities, challenges, and best practices associated with test management in SAP projects. Additionally, the webinar delves into the significance of heatmaps as a visual aid for identifying testing priorities, areas of risk, and resource allocation within SAP landscapes. Through this session, attendees can expect to enhance their understanding of test management principles while learning practical approaches to optimize testing processes in SAP environments using heatmap visualization techniques
What will you get from this session?
1. Insights into SAP testing best practices
2. Heatmap utilization for testing
3. Optimization of testing processes
4. Demo
Topics covered:
Execution from the test manager
Orchestrator execution result
Defect reporting
SAP heatmap example with demo
Speaker:
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
DevOps and Testing slides at DASA ConnectKari Kakkonen
My and Rik Marselis slides at 30.5.2024 DASA Connect conference. We discuss about what is testing, then what is agile testing and finally what is Testing in DevOps. Finally we had lovely workshop with the participants trying to find out different ways to think about quality and testing in different parts of the DevOps infinity loop.
PHP Frameworks: I want to break free (IPC Berlin 2024)Ralf Eggert
In this presentation, we examine the challenges and limitations of relying too heavily on PHP frameworks in web development. We discuss the history of PHP and its frameworks to understand how this dependence has evolved. The focus will be on providing concrete tips and strategies to reduce reliance on these frameworks, based on real-world examples and practical considerations. The goal is to equip developers with the skills and knowledge to create more flexible and future-proof web applications. We'll explore the importance of maintaining autonomy in a rapidly changing tech landscape and how to make informed decisions in PHP development.
This talk is aimed at encouraging a more independent approach to using PHP frameworks, moving towards a more flexible and future-proof approach to PHP development.
UiPath Test Automation using UiPath Test Suite series, part 3DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 3. In this session, we will cover desktop automation along with UI automation.
Topics covered:
UI automation Introduction,
UI automation Sample
Desktop automation flow
Pradeep Chinnala, Senior Consultant Automation Developer @WonderBotz and UiPath MVP
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024Tobias Schneck
As AI technology pushes into IT, I was wondering, as an "infrastructure container Kubernetes guy", how this fancy AI technology gets managed from an infrastructure operations point of view. Is it possible to apply our lovely cloud-native principles as well? What benefits could both technologies bring to each other?
Let me take these questions and provide you with a short journey through existing deployment models and use cases for AI software. Using practical examples, we discuss what cloud/on-premise strategy we may need to apply it to our own infrastructure and get it to work from an enterprise perspective. I want to give an overview of infrastructure requirements and technologies, and what could be beneficial or limiting for your AI use cases in an enterprise environment. An interactive demo will give you some insights into which approaches I already have working for real.
The Art of the Pitch: WordPress Relationships and SalesLaura Byrne
Clients don't know what they don't know. What web solutions are right for them? How does WordPress come into the picture? How do you make sure you understand scope and timeline? What do you do if something changes?
All these questions and more will be explored as we talk about matching clients’ needs with what your agency offers without pulling teeth or pulling your hair out. Practical tips, and strategies for successful relationship building that leads to closing the deal.
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf91mobiles
91mobiles recently conducted a Smart TV Buyer Insights Survey in which we asked over 3,000 respondents about the TV they own, aspects they look at on a new TV, and their TV buying preferences.
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualityInflectra
In this insightful webinar, Inflectra explores how artificial intelligence (AI) is transforming software development and testing. Discover how AI-powered tools are revolutionizing every stage of the software development lifecycle (SDLC), from design and prototyping to testing, deployment, and monitoring.
Learn about:
• The Future of Testing: How AI is shifting testing towards verification, analysis, and higher-level skills, while reducing repetitive tasks.
• Test Automation: How AI-powered test case generation, optimization, and self-healing tests are making testing more efficient and effective.
• Visual Testing: Explore the emerging capabilities of AI in visual testing and how it's set to revolutionize UI verification.
• Inflectra's AI Solutions: See demonstrations of Inflectra's cutting-edge AI tools like the ChatGPT plugin and Azure Open AI platform, designed to streamline your testing process.
Whether you're a developer, tester, or QA professional, this webinar will give you valuable insights into how AI is shaping the future of software delivery.
Accelerate your Kubernetes clusters with Varnish CachingThijs Feryn
A presentation about the usage and availability of Varnish on Kubernetes. This talk explores the capabilities of Varnish caching and shows how to use the Varnish Helm chart to deploy it to Kubernetes.
This presentation was delivered at K8SUG Singapore. See https://feryn.eu/presentations/accelerate-your-kubernetes-clusters-with-varnish-caching-k8sug-singapore-28-2024 for more details.
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...James Anderson
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
GraphRAG is All You need? LLM & Knowledge GraphGuy Korland
Guy Korland, CEO and Co-founder of FalkorDB, will review two articles on the integration of language models with knowledge graphs.
1. Unifying Large Language Models and Knowledge Graphs: A Roadmap.
https://arxiv.org/abs/2306.08302
2. Microsoft Research's GraphRAG paper and a review paper on various uses of knowledge graphs:
https://www.microsoft.com/en-us/research/blog/graphrag-unlocking-llm-discovery-on-narrative-private-data/
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Ramesh Iyer
In today's fast-changing business world, Companies that adapt and embrace new ideas often need help to keep up with the competition. However, fostering a culture of innovation takes much work. It takes vision, leadership and willingness to take risks in the right proportion. Sachin Dev Duggal, co-founder of Builder.ai, has perfected the art of this balance, creating a company culture where creativity and growth are nurtured at each stage.
Search and Society: Reimagining Information Access for Radical FuturesBhaskar Mitra
The field of Information retrieval (IR) is currently undergoing a transformative shift, at least partly due to the emerging applications of generative AI to information access. In this talk, we will deliberate on the sociotechnical implications of generative AI for information access. We will argue that there is both a critical necessity and an exciting opportunity for the IR community to re-center our research agendas on societal needs while dismantling the artificial separation between the work on fairness, accountability, transparency, and ethics in IR and the rest of IR research. Instead of adopting a reactionary strategy of trying to mitigate potential social harms from emerging technologies, the community should aim to proactively set the research agenda for the kinds of systems we should build inspired by diverse explicitly stated sociotechnical imaginaries. The sociotechnical imaginaries that underpin the design and development of information access technologies needs to be explicitly articulated, and we need to develop theories of change in context of these diverse perspectives. Our guiding future imaginaries must be informed by other academic fields, such as democratic theory and critical theory, and should be co-developed with social science scholars, legal scholars, civil rights and social justice activists, and artists, among others.
2. Emily Gladstone Cole Diana Initiative 2019
@unixgeekem
Getting started with AWS Security
Emily Gladstone Cole
What you will learn today
1. Some history of AWS
2. Intros to some critical AWS concepts and services
3. Tips and tricks for staying secure
4. My list of useful AWS resources
(you will also learn that I like cat photos)
Talk Agenda
• Introduction
• AWS Background
• Key AWS Services
• More AWS Tools
• Using AWS to Secure AWS
Who is this Emily person anyway?
Past:
• UNIX SysAdmin/Operations background
• Transitioned to Security Incident Response/Security Research
Current:
• Senior Security Engineer at (100% AWS infra)
• Mentor for SANS' Women's CyberTalent Immersion Academy
Contact:
• Twitter: @unixgeekem
Disclaimers
I am NOT being compensated by Amazon or
AWS or my employer to give this talk.
I am expressing my own opinions here.
I’m sharing what I have learned. There are
many others who know more about AWS than I
do. Some of them are cited in the references.
Talk Agenda
• Introduction
• AWS Background
• Key AWS Services
• More AWS Tools
• Using AWS to Secure AWS
A bookstore with an infrastructure problem
Back in the year 2000, Amazon was an online bookstore that had branched out to selling other things. The idea was to build a platform that let people partner with the store and become resellers, and then it grew...
AWS launched on March 14, 2006, with the Simple Storage Service (S3). Elastic Compute Cloud (EC2) followed that August, and AWS took off from there.
Definitions: Service
AWS stands for Amazon Web Services.
Service is the term that AWS uses for
each separate product, like EC2, S3,
Lambda, SNS, RDS...
There are now over 150 AWS Services,
with more being announced every month.
Definitions: Regions and Availability Zones
• Region: A geographical area designed to be isolated from all other Regions
○ Isolated for fault tolerance and stability
○ AWS has Global Services (like IAM) that apply to all Regions
○ AWS also has Region-based Services
• Availability Zones are separate locations within the Region
Pro Tip: make sure everyone uses the same default Region, so resources (and the logs and alerts for them) don't end up scattered across Regions nobody is watching
Shared Responsibility: how much is shared?
AWS always talks about the Shared Responsibility Model.
• AWS is responsible for the security OF the cloud.
• Customers are responsible for the security of everything IN the cloud.
AWS sets the line between AWS-managed and Customer-managed at different spots depending on the Service: some, like Lambda, have fewer places where the Customer can add security (but you still own the function's code, its IAM role, and its data).
Talk Agenda
• Introduction
• AWS Background
• Key AWS Services
• More AWS Tools
• Using AWS to Secure AWS
EC2: Elastic Compute Cloud
• Instances are the traditional virtual servers in the cloud
• AMIs are Amazon Machine Images: a gold master image from which instances are created
○ Choose carefully: anyone can publish an AMI to the public catalog, so check the owner before launching
• Security Groups are sets of access rules shared by the resources attached to them
○ The VPC's default Security Group allows all inbound traffic from other members of the same group and all outbound traffic; the console's launch wizard proposes a group that opens SSH (port 22) to 0.0.0.0/0 unless you change it
• There are also Load Balancers, Auto Scaling Groups, Elastic (virtual) IPs...
<screenshot of EC2 home screen>
Security Groups
A Security Group is a stateful virtual firewall attached to an instance's network interface; replies to allowed traffic are let back through automatically.
• Can specify separate (or even multiple) Security Groups for each host
• Filtering rules can be set up for inbound and outbound traffic
• Rules name a protocol, a port range, and a source/destination: a CIDR block or another Security Group
• Rules are allow-only: there is no DENY rule, so you cannot punch an exception into a broad ALLOW
• A new Security Group permits all outbound traffic unless you change its default outbound rule
• Implicit DENY of all traffic not explicitly ALLOWed
VPC: Virtual Private Cloud
A VPC is your own isolated network inside a Region, roughly what a VLAN was on-premises
• Subnets and route tables split it up; Security Groups control which hosts can talk to each other
VPC Endpoints
• By default, traffic from your VPC to AWS-managed Services (S3, DynamoDB, ...) leaves through an internet or NAT gateway. Since AWS bills for that traffic, the cost adds up.
• VPC Endpoints give your VPC a private path to the AWS back-end that never crosses the internet.
• You can keep your DB traffic (for example) private!
• Supported by 20+ services so far and more are coming
Simple Storage Service (S3)
• Buckets are distinct containers, each with their own permissions
• Used to hold files, collect logs from your applications, host a website
• They have a bad reputation because people don't know how to configure them, and leave them world-readable...
CloudTrail - audit user activity
• Records the API calls made in your account (console, CLI, SDK), with the caller, source IP, and any affected Services or Resources.
• The console's Event history shows the last 90 days of management events and, by default, filters out Read-Only events. A trail logs both read and write management events, but not data events (S3 object-level reads and writes, Lambda invocations) unless you turn them on.
• Can be written to an S3 bucket for longer-term storage
• Your Compliance team will want these logs stored somewhere, immutable, for some specific time period: turn on log file validation and keep the bucket out of reach of the accounts being audited (S3 Object Lock helps).
Digression: AWS Service Naming
Corey Quinn (@QuinnyPig) has a
lot to say about AWS. Much of it is
funny. Most of it is useful.
He’s right that the service names
don’t always make a lot of sense.
Identity and Access Management (IAM)
• Users: Can be people or machine/bot/service accounts
• Groups: Easy way to combine similar users and grant roles/policies
• Roles: like a user, but assumed rather than logged into; used to delegate access to resources/services with temporary credentials
• Policies: Used to grant a user or group or role access to a service
Pro Tip: If you do not grant a user access to any Services, all they can do is log in and stare at a blank console.
IAM Policy Concepts: Who does What to Which
• Principal: individuals or Roles (only in resource-based policies such as bucket policies and role trust policies; an identity-based policy applies to whoever it is attached to)
    "Principal": { "AWS": "arn:aws:iam::AWS-account-ID:user/user-name" }
• Effect: "Allow" or "Deny"
• Action: specific command(s)
    "Action": ["iam:ChangePassword"]
• Resource: thing(s) to be acted on (can be a user, EC2 instance, S3 bucket…)
    "Resource": "arn:aws:iam::*:user/${aws:username}"
• Condition: further restrictions on how/when/why
    "Condition": {
      "DateGreaterThan": {"aws:CurrentTime": "2019-08-05T00:00:00Z"},
      "DateLessThan": {"aws:CurrentTime": "2019-08-11T23:59:59Z"}
    }
Tuning IAM Policies
They’re written in JSON and AWS allows you to update them in a
few ways (from Easy to Hard):
1. Pre-Written Policies from AWS
2. Let the Wizard guide you
3. Write your own in JSON
4. Use your Automation tools
Pre-Written IAM Policy Example
Amazon Macie allows you to examine your data for sensitive information. There are 5 different AWS-provided policies, or you can create your own.
IAM Policy Wizard in the Console
After you select which Service(s) you want to use in your policy, you can specify exactly which Actions the policy grants or denies access to, sometimes select the Resources it acts on (some are global), and finally other request conditions (MFA, source IP restrictions).
Writing IAM Policies
• Many sample policies available (see References)
• You need to be familiar with JSON if you're going to customize the examples
There will be more about the automation tools that allow you to specify permissions later on.
Talk Agenda
• Introduction
• AWS Background
• Key AWS Services
• More AWS Tools
• Using AWS to Secure AWS
Let’s Play Tag
Tag: a metadata key/value pair (the value may be empty) that can be attached to AWS resources.
• Tag Instances, Buckets, Databases, Users, Secrets…
○ Technical Tags: name, app ID/role, version
○ Lifecycle Tags: date created/date to remove
○ Business Tags: owner, customer, business unit
○ Security Tags: confidentiality level and/or compliance
• Limit access to resources based on Tags, by comparing a resource tag with the caller's tag in a policy Condition:
○ "secretsmanager:ResourceTag/Project": "${aws:PrincipalTag/Project}"
Tags are free! Use them freely!
Check out this one cool trick with Tags
This is the example from the previous slide, allowing you to limit access to resources based on Tags:
"secretsmanager:ResourceTag/Project": "${aws:PrincipalTag/Project}"
1. Only principals (users or roles) whose Project tag matches the secret's Project tag can access the relevant secrets.
2. You need to be sure that everything is tagged correctly to begin with: an untagged secret matches nobody, and an untagged caller matches nothing.
3. You need to be sure that users can't assign tags themselves (deny iam:TagUser and secretsmanager:TagResource to them) so they don't just tag themselves into all projects.
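An added example (mine, not from the talk) showing how that condition behaves, written as a deliberately small Python model of IAM's evaluation logic for the policy elements from the "Who does What to Which" slide: explicit Deny wins, anything not allowed is implicitly denied, and the ${aws:PrincipalTag/Project} variable is filled in from the caller's tags. The condition keys secretsmanager:ResourceTag/Project and aws:PrincipalTag/Project are the real ones; the policy, the tag values, and the secret ARN are made up for the example, and the evaluator ignores resource policies, SCPs, and permission boundaries, so it is an illustration, not an authorization engine. It demonstrates pitfalls 2 and 3 above: an untagged secret or caller matches nothing, and a Deny on the tagging actions keeps callers from re-tagging themselves.

```python
"""Simplified model of IAM identity-policy evaluation with a tag-matching condition."""
import fnmatch
import re

# Policy attached to every developer (constructed for this example).  Reading a secret
# is allowed only when the secret's Project tag equals the caller's Project tag; the
# second statement stops callers from re-tagging themselves or the secrets.
PROJECT_ABAC_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret"],
            "Resource": "arn:aws:secretsmanager:*:*:secret:*",
            "Condition": {
                "StringEquals": {
                    "secretsmanager:ResourceTag/Project": "${aws:PrincipalTag/Project}"
                }
            },
        },
        {
            "Effect": "Deny",
            "Action": ["iam:TagUser", "iam:UntagUser",
                       "secretsmanager:TagResource", "secretsmanager:UntagResource"],
            "Resource": "*",
        },
    ],
}

_VAR = re.compile(r"\$\{([A-Za-z0-9:/_-]+)\}")


def _substitute(value, context):
    """Replace ${aws:PrincipalTag/X}-style variables with request-context values.
    An unresolvable variable is left as literal text, so it can never equal a real tag."""
    return _VAR.sub(lambda m: context.get(m.group(1), m.group(0)), value)


def _condition_holds(condition, context):
    # Only StringEquals is modelled; a missing key makes the condition false, as in IAM.
    for key, expected in condition.get("StringEquals", {}).items():
        if key not in context or context[key] != _substitute(expected, context):
            return False
    return True


def _matches(patterns, value):
    if isinstance(patterns, str):
        patterns = [patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def evaluate(policy, action, resource, context):
    """Return "Allow" or "Deny" for one request.  context carries condition keys such as
    "aws:PrincipalTag/Project" (from the caller) and "secretsmanager:ResourceTag/Project"
    (from the resource)."""
    allowed = False
    for stmt in policy["Statement"]:
        if not _matches(stmt["Action"], action) or not _matches(stmt["Resource"], resource):
            continue
        if not _condition_holds(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"                     # explicit deny always wins
        allowed = True
    return "Allow" if allowed else "Deny"     # implicit deny otherwise


# Constructed request contexts.
SECRET = "arn:aws:secretsmanager:us-east-1:123456789012:secret:payments/db-AbCdEf"
SAME_PROJECT = {"aws:PrincipalTag/Project": "payments",
                "secretsmanager:ResourceTag/Project": "payments"}
OTHER_PROJECT = {"aws:PrincipalTag/Project": "search",
                 "secretsmanager:ResourceTag/Project": "payments"}
UNTAGGED_SECRET = {"aws:PrincipalTag/Project": "payments"}      # pitfall 2
UNTAGGED_CALLER = {"secretsmanager:ResourceTag/Project": "payments"}

if __name__ == "__main__":
    for name, ctx in [("same project", SAME_PROJECT), ("other project", OTHER_PROJECT),
                      ("untagged secret", UNTAGGED_SECRET), ("untagged caller", UNTAGGED_CALLER)]:
        print(f"{name:16} GetSecretValue ->",
              evaluate(PROJECT_ABAC_POLICY, "secretsmanager:GetSecretValue", SECRET, ctx))
    print("TagUser (pitfall 3)  ->",
          evaluate(PROJECT_ABAC_POLICY, "iam:TagUser", "arn:aws:iam::123456789012:user/alice", SAME_PROJECT))
```

Run it and only the "same project" request is allowed; both untagged cases fall through to the implicit deny, and the self-tagging attempt hits the explicit Deny even though nothing else forbids it. In a real account the Deny on tagging belongs in a policy the developers cannot edit, and the Project tag on users should be set by your provisioning automation, not by hand.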
API access to AWS
AWS has as one of its foundational principles the idea that all internal data and functionality should be accessible as a service. They have carried that over into their customer-facing infrastructure with their API. Almost everything that can be done in the console can be done through the API.
They have released two ways of doing so:
• The AWS Command Line Interface (CLI) is a tool you can use to execute API calls from your local system.
• There are AWS-provided SDKs for C++, Go, Java, JavaScript, .NET, Node.js, PHP, Python, and Ruby if you want to write code to use the API.
API access prerequisite: API Access Keys
Access Key ID:
• Starts with AKIA… for long-term IAM user keys (temporary keys issued by STS start with ASIA…)
• Is the equivalent of your username
Secret Access Key:
• Secret really means secret
• Do not put this key into your code; keep it in the credentials file or, better, use a Role that hands out temporary keys.
Infrastructure As Code
If you have heard of "Infrastructure as Code", this is what people are talking about. CloudFormation is an AWS product, and Terraform is an open source equivalent.
The code to the right is the definition of a sample VPC.
Talk Agenda
• Introduction
• AWS Background
• Key AWS Services
• More AWS Tools
• Using AWS to Secure AWS
Common AWS Security Failure Modes
Accessible API Keys
Excessive Permissions
Where did I put my Keys?
Your AWS API keys allow people to impersonate you, get access to your resources, and use your AWS account to mine cryptocurrency.
Especially do not check those keys into GitHub.
Fortunately tools exist to find AWS Keys, passwords, and other sensitive data in repositories: truffleHog scans a repository's history for them, and git-secrets (from awslabs) installs a pre-commit hook that refuses to commit them in the first place.
If a key does leak, deactivate it in IAM immediately, then check CloudTrail for what it was used for.
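An added example (mine, not from the talk) of the kind of check truffleHog and git-secrets perform, written against the documented shape of AWS credentials: a 20-character Access Key ID beginning AKIA (long-term) or ASIA (temporary), and a 40-character base64-alphabet Secret Access Key. Real secrets look random, so the scanner also measures Shannon entropy to skip placeholders such as a run of x's. The config file below is constructed for the example; its key strings are the well-known example values from the AWS documentation, not live credentials.

```python
"""Scan text for AWS access key IDs and high-entropy secret-key-shaped strings."""
import math
import re
from collections import Counter

# Long-term IAM user keys start with AKIA, temporary STS keys with ASIA; both are 20 chars.
ACCESS_KEY_RE = re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b")
# Secret access keys are 40 characters drawn from the base64 alphabet.
SECRET_KEY_RE = re.compile(r"(?<![A-Za-z0-9/+=])[A-Za-z0-9/+]{40}(?![A-Za-z0-9/+=])")


def shannon_entropy(s):
    """Bits per character.  Generated secrets score roughly 4.5 and up; a repeated
    placeholder character scores 0."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_text(text, min_secret_entropy=4.0):
    """Return [(line_number, kind, match), ...] for one file's content."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_RE.finditer(line):
            findings.append((lineno, "access_key_id", m.group(0)))
        for m in SECRET_KEY_RE.finditer(line):
            candidate = m.group(0)
            # Drop low-entropy 40-character runs: template placeholders, not keys.
            if shannon_entropy(candidate) >= min_secret_entropy:
                findings.append((lineno, "secret_access_key", candidate))
    return findings


# Constructed sample: a credentials file someone was about to commit.
# The key values are the documented AWS example keys, not real credentials.
SAMPLE_CONFIG = """\
[default]
region = us-west-2
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
# placeholder left by the template, not a real secret:
other_secret = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
"""

if __name__ == "__main__":
    for lineno, kind, value in scan_text(SAMPLE_CONFIG):
        # Never echo the secret itself into a log; show enough to locate it.
        print(f"line {lineno}: {kind} beginning {value[:4]}...")
```

Point it at `git log -p` output, or wire `scan_text` into a pre-commit hook, and it reports the AKIA line and the real-looking secret on line 4 while ignoring the placeholder on line 6. The entropy threshold is a heuristic: lower it if your generated keys are being missed, and treat every hit as a key that has to be rotated, since a key that reached a commit has already left the machine.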
S3 and you: how not to be in the headlines
Public buckets: not even once¹.
Use bucket lifecycles for data retention.
Pro Tip: the "Authenticated Users" group means anyone who has logged in to any AWS account, not just yours!
¹ Without explicit signoff from management
Encrypt All The Things
Set your S3 buckets to be encrypted by default. With SSE-S3 it has zero impact on your workflow and makes your auditors happy (SSE-KMS also requires readers to hold kms:Decrypt on the key, and adds KMS request costs).
HOWEVER!
• Setting your bucket's default encryption does not encrypt the old data in the bucket: it only applies to objects written from then on. Existing objects must be re-written (for example, copied in place) to encrypt them.
• If you have Versioning enabled on your bucket, you must re-write all previous versions as well as the current one.
Wide Open Application Endpoints
Elasticsearch was built to give people easy access to their data. If you don't configure it properly, others get access as well.
Default admin credentials could be a problem here.
You also need to look at whether you have a public endpoint, or one inside a VPC.
Wide Open Security Groups
Everyone will poke at your exposed instances/resources if you let them, and they will keep doing it day and night.
If your IDS/pager vendor charges by the number of alerts, they will love you. Your on-call team or SOC will hate you, however.
Enter AWS Trusted Advisor
You can use Trusted Advisor to audit some common misconfigurations in your account:
• Public buckets
• Security Groups that allow traffic from anywhere
• Some checks are available only for Business or Enterprise support customers
It doesn't take the place of doing the audits yourself, but it can point out good places to start.
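If you want to run those two checks yourself (or you are on Basic support and Trusted Advisor won't run them for you), here is an added example, mine rather than Trusted Advisor's or the talk's, written against the response shapes that boto3's ec2.describe_security_groups() and s3.get_bucket_acl() return. It flags inbound rules reachable from 0.0.0.0/0 or ::/0, and ACL grants to the AllUsers and AuthenticatedUsers groups (the latter being the "any AWS account" group from the S3 slide). The responses below are constructed so the example runs offline; feed it real responses to use it on an account.

```python
"""Trusted-Advisor-style checks over describe_security_groups / get_bucket_acl responses."""

WORLD = {"0.0.0.0/0", "::/0"}
# S3 ACL grantee URIs: AllUsers is the public internet; AuthenticatedUsers is any AWS account.
PUBLIC_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers (anyone)",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers (any AWS account)",
}


def open_security_group_rules(describe_response):
    """Return [(group_id, protocol, port_range, cidr)] for every inbound rule open to the world."""
    findings = []
    for sg in describe_response["SecurityGroups"]:
        for perm in sg.get("IpPermissions", []):
            sources = [r["CidrIp"] for r in perm.get("IpRanges", [])] + \
                      [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for cidr in sources:
                if cidr in WORLD:
                    proto = perm["IpProtocol"]          # "-1" means all protocols, no ports
                    ports = "all" if proto == "-1" else f"{perm['FromPort']}-{perm['ToPort']}"
                    findings.append((sg["GroupId"], proto, ports, cidr))
    return findings


def public_bucket_grants(bucket_name, acl_response):
    """Return [(bucket, grantee_description, permission)] for each public ACL grant."""
    findings = []
    for grant in acl_response.get("Grants", []):
        grantee = grant["Grantee"]
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GRANTEES:
            findings.append((bucket_name, PUBLIC_GRANTEES[grantee["URI"]], grant["Permission"]))
    return findings


# Constructed sample data in the shape of the real API responses.
SAMPLE_SGS = {"SecurityGroups": [
    {"GroupId": "sg-0a1b2c3d", "GroupName": "launch-wizard-1", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    ]},
    {"GroupId": "sg-0e5f6a7b", "GroupName": "web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": []},
    ]},
    {"GroupId": "sg-0c9d8e7f", "GroupName": "wide-open", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    ]},
]}

SAMPLE_ACL = {"Owner": {"ID": "owner-canonical-id"}, "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"},
     "Permission": "READ"},
]}

if __name__ == "__main__":
    for finding in open_security_group_rules(SAMPLE_SGS):
        print("open security group rule:", finding)
    for finding in public_bucket_grants("my-logs-bucket", SAMPLE_ACL):
        print("public bucket grant:", finding)
```

The output is a starting list, not a verdict: 443 open to the world on the web tier is expected, SSH on the launch-wizard group and the all-protocols rule are not. The ACL check is also only part of the bucket story; a bucket policy can make a bucket public with a clean ACL, so check get_bucket_policy_status and the account's Block Public Access settings as well.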
Ways to compartmentalize
Do you have separate accounts for Production and Development (and Staging and Test)? There are a lot of benefits:
• Not having to write policies that prevent people from bringing down the master database on their first day
• Not having to worry about restricting who has Admin privileges and thus can evaluate new services
• Not having to spend all your time working access request tickets
Wait, but now I have to manage multiple accounts!
AWS Organizations and Control Tower
• AWS Organizations will help you manage a group of existing Accounts
○ You can invite existing Accounts into the Organization
○ You can set up constraints across all of the Accounts
○ You can centralize Billing and user management
• AWS Control Tower lets you quickly build new accounts from a template
○ You can't control existing Accounts or infrastructure
○ You can easily launch pre-configured new Accounts with Resources and Users pre-populated
Remember this cool trick with Tags
If for some reason you can't put everything into a separate account, you can still limit access to resources based on Tags:
"secretsmanager:ResourceTag/Project": "${aws:PrincipalTag/Project}"
1. Only principals (users or roles) whose Project tag matches the secret's Project tag can access the relevant secrets.
2. You need to be sure that everything is tagged correctly to begin with.
3. You need to be sure that users can't assign tags themselves so they don't just tag themselves into all projects.
IAM Refresher
• Users: Can be people or machine/bot/service accounts
• Groups: Easy way to combine similar users and grant roles/policies
○ Example: "Engineers", "Marketing", "Security", "Product A"
○ Managing users is easier if policies only get added to groups
• Roles: like a user, can be used to delegate access to resources/services
○ Users can assume roles in order to get access to those resources or services
○ Allows short-term access to something without sharing IAM Access Keys
• Policies: Used to grant a user or group or role access to a service
IAM Best Practices
• Least Privilege:
○ Create Profiles and Groups and Roles to ease management
○ Restrict privileged access (Administrator) to only necessary users/times
• IAM Roles:
○ Restrict specific cross-account access using Roles
○ Use Roles to allow EC2 Instances access to resources
• Hygiene:
○ Enforce MFA and strong passwords
○ Build a process to rotate Access Keys and practice it
• Auditing:
○ Enable AWS CloudTrail to get logs of API calls
How do you reduce privileges?
1. Proactively: "your privileges are being reduced to XYZ now"
a. Likely to build resentment
b. Likely to lead to many exception requests being filed
2. Gradually: "I've audited, and removed access to all but ABC"
a. Still leaves spots where people have more access than they should
b. Can be further addressed by auditing CloudTrail for the user
IAM Access Advisor example
CloudTrail Audit example
Here you can see what this dangerous 'emilygcole' user did today on a more granular level. They logged in, stopped an EC2 Instance, and then Terminated it.
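The same per-user timeline can be pulled from the CloudTrail log files themselves once a trail is delivering to S3, which is also how you audit a user before trimming their privileges (slide 50). The added example below is mine, not the talk's: it parses a log file in the documented CloudTrail record format, lists one principal's calls in order, and separately pulls out the two things an incident responder looks for first, destructive calls and failed calls (a burst of AccessDenied is often the first sign that a stolen key is being probed). The records are constructed to mirror the real format; they are not log data from any account.

```python
"""Summarise CloudTrail records per principal and flag destructive or failed calls."""
import json
from collections import defaultdict

# Calls that destroy or disable things; extend for your environment.
DESTRUCTIVE = {"TerminateInstances", "DeleteBucket", "DeleteTrail", "StopLogging",
               "DeleteDBInstance", "DeleteSnapshot"}

# Constructed sample in the shape of a CloudTrail log file ({"Records": [...]}).
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2019-08-10T14:02:11Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "userIdentity": {"type": "IAMUser", "userName": "emilygcole"},
     "sourceIPAddress": "198.51.100.7", "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2019-08-10T14:05:40Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "StopInstances", "userIdentity": {"type": "IAMUser", "userName": "emilygcole"},
     "sourceIPAddress": "198.51.100.7",
     "requestParameters": {"instancesSet": {"items": [{"instanceId": "i-0abc123def456"}]}}},
    {"eventTime": "2019-08-10T14:06:02Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "TerminateInstances", "userIdentity": {"type": "IAMUser", "userName": "emilygcole"},
     "sourceIPAddress": "198.51.100.7",
     "requestParameters": {"instancesSet": {"items": [{"instanceId": "i-0abc123def456"}]}}},
    {"eventTime": "2019-08-10T14:07:15Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets", "userIdentity": {"type": "IAMUser", "userName": "waf-svc"},
     "sourceIPAddress": "203.0.113.9", "errorCode": "AccessDenied"},
]})


def parse_records(log_text):
    return json.loads(log_text)["Records"]


def principal_name(record):
    """IAM users carry userName; assumed-role sessions name the role under sessionContext."""
    ident = record.get("userIdentity", {})
    if ident.get("type") == "AssumedRole":
        return ident["sessionContext"]["sessionIssuer"]["userName"]
    return ident.get("userName", ident.get("arn", "unknown"))


def activity_for(records, user):
    """Chronological [(time, eventName, [instance ids])] for one principal."""
    rows = []
    for r in sorted(records, key=lambda r: r["eventTime"]):
        if principal_name(r) != user:
            continue
        items = r.get("requestParameters", {}).get("instancesSet", {}).get("items", [])
        rows.append((r["eventTime"], r["eventName"], [i["instanceId"] for i in items]))
    return rows


def suspicious(records):
    """{principal: [(reason, eventName, sourceIP)]} for destructive and failed calls."""
    out = defaultdict(list)
    for r in records:
        who = principal_name(r)
        if r["eventName"] in DESTRUCTIVE:
            out[who].append(("destructive", r["eventName"], r["sourceIPAddress"]))
        if "errorCode" in r:
            out[who].append(("failed:" + r["errorCode"], r["eventName"], r["sourceIPAddress"]))
    return dict(out)


if __name__ == "__main__":
    records = parse_records(SAMPLE_LOG)
    for when, what, ids in activity_for(records, "emilygcole"):
        print(when, what, ids)
    for who, hits in suspicious(records).items():
        print(who, hits)
```

Real log files are gzipped and delivered several per minute, so in practice you loop over the objects under the trail's prefix (or query them with Athena) and feed each file's Records through the same functions; the per-principal and per-reason grouping is what matters, not the loader.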
Tune your Endpoints and VPCs
1. Ensure that Bastions and other exposed endpoints can't access buckets and databases.
2. If you can, make sure that your AWS services like databases, Elasticsearch, and Kubernetes are connected to a specific VPC instead of wide open to the internet.
How to audit resources: AWS Config
Pros:
• Can audit your AWS Services to see if they meet conditions ("is this bucket public?")
• Can automatically get notified if things are not set up properly.
• Can be set up to take automatic remediation actions based on failed compliance checks (like "encrypt this bucket")
• Can now alert on changes to an audited item, instead of just the state of the item.
Cons:
• Extremely noisy if not configured properly.
• Requires configuration and tuning of Config, and also a notification method (typically Amazon SNS, or a CloudWatch Events rule on compliance changes; GuardDuty is a separate threat-detection service, not a notification channel).
• The default mode, alerting on the status of an item (did this Instance launch from the Golden Master AMI?), is often noisy.
• Alerting on changes to a frequently-changing item (an S3 bucket) is also noisy.
CapitalOne Hack
On July 29th, 2019, a story broke about a hacker who extracted data from CapitalOne's infrastructure. Credit card application data from 2005-2019 was taken.
There were 140,000 Social Security Numbers and 80,000 bank account numbers included in this data.
The source of the data was an S3 bucket, but this was not a public S3 bucket.
CapitalOne Hack facts
1. The Indictment contains references to
getting credentials for a Web
Application Firewall (WAF) IAM Role
from an accessible EC2 instance.
2. This Role has privileges to list and sync
S3 buckets, and that is how the data
was exfiltrated.
3. CapitalOne says the hack was not
AWS’ fault.
56
57. CapitalOne Hack questions
1. Current speculation is that Server Side Request Forgery (SSRF) was an attack vector. Is this the weakness described in @silvexis' RSAC presentation from 2015?
a. If so, why hasn't it been fixed yet?
2. Why does a WAF Role have the ability to list and sync S3 buckets?
3. What can people do to keep themselves safer?
58. Circling back to Roles
1. Create specific Roles for different functions: users, instances, database access.
2. Make sure that these Roles can only do the few things necessary to keep your applications running - remember CapitalOne had a WAF role that could sync buckets.
3. Bastions and other exposed endpoints shouldn't have permissions allowing them to access buckets and databases directly.
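A concrete way to ask "can this Role list and sync buckets?" (slides 53, 56 and 58) before an attacker does: read the Role's policy document and check which S3 actions it grants and on what resources. This is an added example, not code from the talk and not how CapitalOne's policies were written. Both policy documents are constructed for illustration, and the bucket name, account ID and WebACL ID are invented; the checker ignores Conditions, NotAction and NotResource, so a policy using those still needs a manual read or the IAM policy simulator.

```python
"""Added example (not from the talk): decide whether an IAM policy lets its
principal enumerate and pull S3 buckets, the "list and sync" capability the
slides describe for the CapitalOne WAF role, and show a scoped policy beside
the broad one. Policy documents are constructed; names and IDs are invented."""
import fnmatch
import json

# What `aws s3 sync s3://<bucket> .` exercises: ListAllMyBuckets to discover
# bucket names, ListBucket to enumerate keys, GetObject to read each object.
SYNC_ACTIONS = ("s3:ListAllMyBuckets", "s3:ListBucket", "s3:GetObject")

# Constructed: a WAF-management role that was also handed blanket S3 access.
BROAD_WAF_ROLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["waf:*", "waf-regional:*"], "Resource": "*"},
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
    ]})

# Constructed: the same role, allowed to read one rule file in one bucket and
# nothing else in S3.
SCOPED_WAF_ROLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["waf:GetWebACL", "waf:UpdateWebACL", "waf:GetChangeToken"],
         "Resource": "arn:aws:waf::123456789012:webacl/11111111-2222-3333-4444-555555555555"},
        {"Effect": "Allow", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::waf-rules-bucket/rules/blocklist.json"},
    ]})


def _as_list(value):
    # IAM lets Action, Resource and Statement be a single string/object or a list.
    return value if isinstance(value, list) else [value]


def _matches(pattern, action):
    # IAM action matching is case-insensitive and supports * and ? wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def grants(policy, action):
    """Resource patterns on which `action` is allowed, minus those explicitly
    denied. Conditions, NotAction and NotResource are not modelled here."""
    doc = json.loads(policy) if isinstance(policy, str) else policy
    allowed, denied = set(), set()
    for stmt in _as_list(doc["Statement"]):
        if not any(_matches(p, action) for p in _as_list(stmt.get("Action", []))):
            continue
        target = allowed if stmt["Effect"] == "Allow" else denied
        target.update(_as_list(stmt.get("Resource", [])))
    if "*" in denied:          # an explicit Deny on every resource wins outright
        return set()
    return {r for r in allowed if r not in denied}


def s3_reach(policy):
    """Which sync-relevant S3 actions the policy allows, which of them are
    unscoped, and whether the combination lets the principal sync any bucket."""
    reach = {a: grants(policy, a) for a in SYNC_ACTIONS}
    unscoped = sorted(a for a, res in reach.items() if res & {"*", "arn:aws:s3:::*"})
    return {"reach": reach,
            "unscoped": unscoped,
            "can_sync_any_bucket": {"s3:ListBucket", "s3:GetObject"} <= set(unscoped)}


if __name__ == "__main__":
    for name, pol in (("broad", BROAD_WAF_ROLE_POLICY), ("scoped", SCOPED_WAF_ROLE_POLICY)):
        print(name, s3_reach(pol))
```

To run this against a real role, fetch its policies with `aws iam list-attached-role-policies`, `aws iam get-policy-version` and `aws iam get-role-policy` and pass each document to `s3_reach`; a role whose job is managing WAF should come back with `can_sync_any_bucket` false and no S3 action in `unscoped`.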
59. News from Yesterday: EBS Snapshots public
Friday at DEFCON, Ben Morris from Bishop Fox announced that he had discovered that many Elastic Block Store (EBS) snapshots are set to public.
- Elastic Block Store is a virtual hard drive for your EC2 Instances.
- Backups of these virtual hard drives are done via Snapshots.
- If a Snapshot is Public, any AWS account can create a volume from it and read everything on it.
- Anything that might be on your system might be in an EBS Snapshot (code, AWS keys, log data, company confidential information).
You can audit your snapshots to figure out if they're Public or not via the Console or the AWS CLI, or set up AWS Config rules to audit and enforce Private snapshots.
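The audit this slide recommends, as an added example (not code from the talk or from Bishop Fox): a snapshot is public when its createVolumePermission attribute, the one the Console and `aws ec2 describe-snapshot-attribute --attribute createVolumePermission` show, contains the group "all". The API responses are constructed in the shape boto3 returns, the snapshot and account IDs are invented, and `FakeEC2` is a stand-in for `boto3.client("ec2")` so the script runs offline; the boto3 method names and parameters it mimics are the real ones.

```python
"""Added example (not from the talk): audit the account's EBS snapshots for
public sharing and optionally make public ones private. API responses are
constructed in boto3's response shape; IDs are invented."""

# Constructed: what ec2.describe_snapshot_attribute(SnapshotId=...,
# Attribute="createVolumePermission") returns for three snapshots.
SAMPLE_ATTRIBUTES = {
    "snap-0aaa0000000000001": {"SnapshotId": "snap-0aaa0000000000001",
                               "CreateVolumePermissions": [{"Group": "all"}]},
    "snap-0bbb0000000000002": {"SnapshotId": "snap-0bbb0000000000002",
                               "CreateVolumePermissions": [{"UserId": "111122223333"}]},
    "snap-0ccc0000000000003": {"SnapshotId": "snap-0ccc0000000000003",
                               "CreateVolumePermissions": []},
}


def classify(attr_response):
    """'public' (any AWS account can create a volume from it), 'shared'
    (specific account IDs only), or 'private'."""
    perms = attr_response.get("CreateVolumePermissions") or []
    if any(p.get("Group") == "all" for p in perms):
        return "public"
    if any("UserId" in p for p in perms):
        return "shared"
    return "private"


def make_private_args(snapshot_id):
    """Keyword arguments for ec2.modify_snapshot_attribute that drop the 'all'
    group. CLI equivalent: aws ec2 modify-snapshot-attribute --snapshot-id <id>
    --attribute createVolumePermission --operation-type remove --group-names all"""
    return {"SnapshotId": snapshot_id, "Attribute": "createVolumePermission",
            "OperationType": "remove", "GroupNames": ["all"]}


def audit_account(ec2, fix=False):
    """Classify every snapshot the account owns; with fix=True, make the public
    ones private. `ec2` is a boto3 EC2 client or the stand-in below."""
    results, fixed = {}, []
    for page in ec2.get_paginator("describe_snapshots").paginate(OwnerIds=["self"]):
        for snap in page["Snapshots"]:
            sid = snap["SnapshotId"]
            attr = ec2.describe_snapshot_attribute(SnapshotId=sid,
                                                   Attribute="createVolumePermission")
            results[sid] = classify(attr)
            if fix and results[sid] == "public":
                ec2.modify_snapshot_attribute(**make_private_args(sid))
                fixed.append(sid)
    return results, fixed


class FakeEC2:
    """Constructed stand-in for boto3.client('ec2') so the audit runs offline:
    serves SAMPLE_ATTRIBUTES and applies the modify calls it receives."""
    def __init__(self, attributes):
        self.attributes = {k: dict(v) for k, v in attributes.items()}
        self.modified = []

    def get_paginator(self, name):
        assert name == "describe_snapshots"
        snaps = [{"SnapshotId": s} for s in self.attributes]

        class Paginator:
            def paginate(self, **kwargs):
                return [{"Snapshots": snaps}]
        return Paginator()

    def describe_snapshot_attribute(self, SnapshotId, Attribute):
        return self.attributes[SnapshotId]

    def modify_snapshot_attribute(self, **kwargs):
        self.modified.append(kwargs)
        if kwargs["OperationType"] == "remove" and "all" in kwargs.get("GroupNames", []):
            self.attributes[kwargs["SnapshotId"]]["CreateVolumePermissions"] = []


if __name__ == "__main__":
    client = FakeEC2(SAMPLE_ATTRIBUTES)   # swap in boto3.client("ec2") for a real account
    print(audit_account(client, fix=True))
```

Run it per region, since snapshots are regional. For the continuous version the slide mentions, AWS Config's managed rule for publicly restorable EBS snapshots (ebs-snapshot-public-restorable-check) performs the same check on a schedule; confirm the rule name in the Config console for your region, and pair it with a remediation that issues the same modify-snapshot-attribute call.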
61. AWS Gaps (not a real service name)
AWS is not perfect. They provide a lot of helpful tools and information, but like all security tools, the more you put into managing AWS, the more you get out of it.
There is no Easy Button.
62. Gaps: Inventory Management
Some people use their monthly bill to figure out what they have running in their infrastructure.
Some people use Systems Manager to manage their instances.
No single AWS service gives a complete answer to the question "what are all the resources that use the tag ProductA?" (the Resource Groups Tagging API only covers resource types that support it, and anything that was never tagged is invisible to it).
63. Gaps: Vulnerability Management
When there is a vulnerability in a Service like EKS or Lambda, you may have to open a support case to find out when fixes will be available.
On the other hand, you can often find information on Amazon Linux's OS vulnerabilities very easily online (the Amazon Linux Security Center publishes ALAS advisories per package).
64. Fixing some Gaps: AWS Marketplace
If AWS doesn't sell it, there may be a vendor or partner who does. You can find anything from AMIs to FedRAMP in a box, for a price, on the AWS Marketplace.
65. The most important Service: AWS Billing
- Use it to find unexpected resources, as inventory management, and as a justification for lifecycle management.
- Keep an eye on those data transfer costs (some things you thought were local probably aren't); you may be able to fix that using VPC Endpoints, which also keep that traffic off the public internet.
66. What I said you will learn today
1. Some history of AWS
2. Intros to some critical AWS concepts and services
3. Tips and tricks for staying secure
4. My list of useful AWS resources
67. Summing Up
1. If you have to pick one Service to learn well, pick IAM.
2. Other critical Services: EC2, S3, VPC.
3. Use Tags everywhere.
4. AWS has many tools to help you manage your account(s), but there is no Easy Button.
5. There are a lot of resources out there to learn more.