Migrating from the data center to the cloud requires users to rethink much of what they do to secure their applications. CloudCheckr COO Aaron Klein will highlight effective strategies and tools that AWS users can employ to improve their security posture. The idea of physical security morphs as infrastructure becomes virtualized by AWS APIs. In a new world of ephemeral, auto-scaling infrastructure, users need to adapt their security architecture to face both compliance and security threats. Specific emphasis will be placed upon leveraging native AWS services and the talk will include concrete steps that users can begin employing immediately. Session sponsored by CloudCheckr.

1. © 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Aaron Newman, CloudCheckr
July 13, 2016
Hack-proof Your Cloud:
Responding to 2016 Threats

2. Changing Your Perspective
Moving to the Cloud = rethinking your perimeter security
How do I secure my business applications on AWS?
Rethink how you perform most security tasks:
• Network-based IPS/IDS
• Network scanning
• Penetration tests
• Vulnerability assessments
Focus on securing Cloud workloads, not on
securing the Cloud.

3. In the Data Center
Setting up perimeter security:
• Setting up your infrastructure
• Setting up access points to the internet
• Configuring firewall, IDS, IPS, etc., at the access points
Auditing your perimeter security:
• Gather set of IP address blocks to poke at
• Do a port scan (using tools such as Nmap)
• Determine which ports are open on the target
• Try various exploits on the open ports
• Sniff lots of packets
• Dig around to make sure there are no back doors into the network
• Wireless access points, secondary T1 lines, DSL connections
• VPN access from some other network

4. AWS: What’s Different?
The idea of physical security morphs as
infrastructure becomes virtualized by AWS APIs.
In a new world of ephemeral, autoscaling infrastructure,
you need to adapt your security architecture to meet
both compliance and security threats.
~ Physical assets secured at the AWS Availability Zone ~
~ Must guard the AWS API ~
~ AWS Identity and Access Management (IAM) access is your new physical
security ~

5. AWS Foundation Services
Compute Storage Database Networking
AWS Global Infrastructure
Regions
Availability Zones
Edge Locations
Network
Security
Inventory
& Config
Customer Applications & Content
You get to define
your controls IN
the Cloud
AWS takes care
of the security
OF the Cloud
You
AWS and You Share Responsibility for Security
Data
Security
Access
Control
AWS

6. Minimizing Attack Vectors
Principles don’t change:
• Reduce your surface area!
• Defense in depth
Some attack vectors don’t change:
• Application level
• User-privilege escalation, web app vulns, XSS
• Operating system vulnerabilities
• Database vulnerabilities
Some attack vectors change:
• Homogeneous environment
• Polymorphic targets/mapping
• Reduced network sniffing
Security
Hardening
Configure and
manage user
privileges
Remove
unused user
accounts
Close unused
open network
ports
Enforce
password
complexity &
policies
Remove
unwanted
services
Patch all
known
vulnerabilities

7. Give me your network block:
• Nmap
• Port scans
• Ping sweeps
• Etc., …
Perimeter Assessments in the Cloud
How do I assess the perimeter of my Cloud?
Let me see your configuration:
• List of publicly accessible
resources
• Security groups (EC2-Classic,
EC2-VPC, Amazon Redshift,
Amazon RDS, etc., …)
• Routing tables, network ACL
• VPC, subnets
• Amazon S3 buckets and
permissions
• IAM policies
OLD
WORLD NEW
WORLD

8. Virtual Private Clouds (VPCs)
Default VPC is created in every region:
• VPCs are wide open by default
VPC is composed of:
• Internet and VPN gateways–connect to the rest of the world
• 1+ subnet(s)
• Routing table–how to move traffic around the VPC
• Network ACLs–a firewall, but stateless
• Security groups–host-based firewall, stateful
• Resources – Amazon EC2, RDS, Amazon Redshift, Amazon
ElastiCache

10. Network Security in a VPC
Network ACLs:
• Virtual firewalls assigned to VPC/subnets
• Network ACLs are stateless; responses to allowed inbound
traffic are subject to the rules for outbound traffic (and vice versa)
• Rules evaluated numerical ascending–DENY can be overridden by ALLOW
• Watch for INEFFECTIVE rules
Security groups:
• Host-based firewalls assigned to instances
• Stateful–responses to allowed inbound traffic are not subjected
to the rules for outbound traffic
• Rules are cumulative–DENY always overrides ALLOW
• Assigning wrong security group to an instance exposes the entire VPC
http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_ACLs.html
http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-network-security.html

11. Complex Connections to Amazon EC2
EC2 instance can be run
inside VPCs
•Legacy capability to run
outside VPCs
•Instance ID: i-001bac39
•Friendly name (implemented
as a tag): ISS-V2-API1
EC2 instance can be given
one or more private IP
addresses
•For example: 172.12.6.186
•This generates a DNS name
ip-172-12-6-186.us-west-
2.compute.internal
EC2 instance can be given
one or more public IP
addresses
•For example: 52.24.201.167
•This generates a DNS name
ec2-52-24-201-167.us-west-
2.compute.amazonaws.com
EC2 instance can be attached
to an Elastic IP address (EIP)
•For example: 107.20.135.132

12. Running VA in Cloud Environments
How do I run vulnerability assessments?
Gather the list of public
IPs and EIPs of all
resources.
Do I need to scan the
private IP addresses and
instances?
Scanning an AMI
Spin up a new instance,
run a scan on the new
instance.
Mark everything based
on this AMI as
“scanned.”
What about when an
instance “drifts” from the
original AMI?
Someone can
reconfigure settings,
install new software.
In an elastic, ephemeral, autoscaling environment, clouds
can have tens of thousands of instances.

13. Patching Strategies for AWS
“No patch” strategy:
• Stay away from patching live systems
• Focus on patching templates/AMIs
• Deliver patches by redeploying workloads
• Dependent on adopting pure cloud architectures
Look at AWS OS templates:
• Patched by Amazon
Systematic workload reprovisioning
• Based on high-assurance repositories
• Effective battling advanced persistent threats

14. What Are We Missing?
Don’t assume attacks only happen against Amazon EC2
AWS has many moving parts and dimensions
Over 30 different AWS services
• Many have unique access control systems
You will have 100s of AWS accounts
We need a complete inventory
• All publicly accessible endpoints and resources
Security breaches can happen with a single weak link.

15. RDS (Amazon Relational Database Service)
Location:
• Within a VPC or not, Multi-AZ or not
Security options:
• DB security groups (if not in a VPC) or Amazon EC2-VPC security groups
• Select a non-default database port
RDS listens on only the database port:
• Shut down on all other ports (publicly, I’m sure AWS team can access the OS)
Publicly accessible option:
• Not a good idea, but if you do this:
• Make sure you use security groups to restrict source IP address
• Make sure you have latest patches applied
Secure your database snapshots:
• Keys to the kingdom if someone can get a copy
• Brute-force passwords, restore to their own account

16. S3 (Amazon Simple Storage Service)
Up to 1,000 buckets in an account:
• Unlimited number of objects (billions is not uncommon)
Location:
• Within a region, across Multi-AZs, not housed in a VPC
• Can’t sit between client and storage
Security:
• Access control through IAM policies, bucket policies, ACLs, and query string authentication
• Server-side encryption, HTTPS support
• Server access logs (does not integrate with AWS CloudTrail)
Don’t grant FULL_CONTROL, WRITE_ACP, WRITE bucket permissions to Everyone EVER!!!
Create an inventory of your sensitive data.

17. Amazon SQS (Amazon Simple Queuing Service)
Where does SQS live?
• Within a region, not within a VPC
• Uses a URL such as:
https://sqs.us-east-1.amazonaws.com/123456789012/MySQS
Security based on policy documents:
{
"Version": "2008-10-17",
"Id": "arn:aws:sqs:us-east-1:123456789012:MySQS/SQSDefaultPolicy",
"Statement": [
{
"Sid": "Sid1415217272568",
"Effect": "Allow", "Principal": { "AWS": "*" },
"Action": [
"SQS:ReceiveMessage", "SQS:SendMessage"
],
"Resource": "arn:aws:sqs:us-east-1:123456789012:MySQS"
},

18. Amazon SNS (Amazon Simple Notification Service)
SNS does not live inside your VPC.
Permissions based on topic policies:

19. Using AWS CloudTrail
An AWS service that records each time the AWS API is called:
• Currently supports most AWS services
• http://docs.aws.amazon.com/awscloudtrail/latest/userguide/dochistory.html
Conveniently, everything in AWS goes through the API:
• Even actions in the Management Console go through the API
CloudTrail writes files into an S3 bucket:
• Near real time (every five minutes)
• Files are in JSON format
Get started at: https://aws.amazon.com/cloudtrail/ .

20. Using Amazon CloudWatch Logs
Simple method of monitoring operating system logs:
• Ship Windows event logs and syslogs to Amazon CloudWatch
Types of use cases:
• Account Login Failure, Account Login Success, New local account creation,
Excessive Login Failure (Configurable)
• Unauthorized Windows Admin Logon, Windows Account Lockout Attempt,
Windows Computer Account Changes
• Windows Audit Policy Changes, Windows Event Log Cleared
• Non-Windows - Account Locked Out, Non-Windows - Account Unlocked,
Changes to System or Audit log
Get started at:
http://docs.aws.amazon.com/AmazonCloudWatch/latest/DeveloperGuide/WhatIsCloudWatchLogs.html

21. Using Amazon VPC Flow Logs
An AWS service that records every time packets enter or leave a VPC:
• http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/flow-logs.html
Security team comes to you and says:
• We need logs going to instance 1-0123456 from
IP address ranges 52.205.16.0 - 52.205.31.255
Monitor for DENY connections:
• Gives you both security group and network ACL
denies
Announcement:
https://aws.amazon.com/about-aws/whats-new/2015/06/aws-launches-amazon-vpc-flow-logs/

22. Tools for Configuring AWS Securely & Cost
Effectively
Generic tools fall short.
Purpose-built, not Cloud washed:
• Make sure tools don’t fall over in the Cloud.
• Tools have to understand dynamic, ephemeral IPs.
Need a deep understanding of AWS:
• What does this mean?
• Context is important.
• Actionable intelligence.

23. Leveraging AWS data – CloudTrail, AWS Config, Amazon
VPC Flow Logs, CloudWatch Logs, DBR, and more
metrics
Providing complete transparency–into 1 or across 1,000s
of AWS accounts
Automating security, configuration, and activity monitoring
and alerting
Continuous monitoring of configurations, resources, and
permissions
Active optimization, sophisticated allocation, and simplified
invoicing for enterprise Cloud cost management
Monitoring, Reporting & Optimization
Enterprise Security & Cost Management from CloudCheckr

24. Questions?

25. © 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Aaron Newman, Founder of CloudCheckr
aaron.newman@cloudcheckr.com
www.cloudcheckr.com
Thank You!