CB
Uploaded byChris Bingham
14 views

How to Fail (In)gloriously at AWS Security (Webinar)

As an AWS Ambassador who's been working in AWS for 13 years, I've unfortunately encountered many cases of security failings in my customers' AWS environments. This might not be so bad, except it's always the same failings! šŸ˜” So, let's talk about what these seemingly infinitely recurring security faux pas are, and how you can avoid being the next casualty of a failed audit... or worse.

Technologyā—¦
Related topics:
Information Securityā€¢

Embed presentation

FUJITSU-PUBLIC 1 Ā© Fujitsu 2025 FUJITSU-PUBLIC Ā© Fujitsu 2025 How to Fail (In)gloriously at AWS Security Chris Bingham CTO, Switzerland & AWS Ambassador Webinar - 27.11.25 16:00 CET
FUJITSU-PUBLIC 2 Ā© Fujitsu 2025 The 7 Recurring Sins 2nd Forgetting Permissions Boundaries 3rd Failing to Use Hardware Security Tokens 4th Using SMS as an Authentication Factor 5th Overlooking Conditional Permissions 6th Ignoring Sessions Manager 7th Forsaking Central Root User Management Ordered by how bored I am of talking about them! 1st Abusing Wildcards
FUJITSU-RESTRICTED 3 Ā© Fujitsu 2025 FUJITSU-PUBLIC 3 Ā© Fujitsu 2025 Ignoring Session Manager Letā€™s leave the front door unlocked!
FUJITSU-PUBLIC 4 Ā© Fujitsu 2025 Introducing Session Manager ā€¢ AWS Systems Manager feature ā€¢ Log in to systems without requiring direct network access, firewall rules, etc ā€¢ Access control via AWS IAM ā€¢ Session logging ā€¢ Port forwarding (e.g. for RDP) ā€¢ Uses SSM Agent ā€¢ Pre-installed on most EC2 AMIs
FUJITSU-PUBLIC 5 Ā© Fujitsu 2025 The Sin Leaving Session Manager usage uncontrolled and wide open! Allowing ssm:* + Not managing the SSM Agent state & config = Everyone has root on your OS
FUJITSU-PUBLIC 6 Ā© Fujitsu 2025 The Resolution Manage your Session Manager! ā€¢ Grant ssm: action permissions selectively ā€¢ Always explicitly define and monitor your SSM Agent config ā€¢ Even if you think youā€™re not using it ā€¢ Adopt Session Manager ā€¢ Avoid the issues of direct SSH and RDP connections ā€¢ Get actual audit trails of admin activity ā€¢ Simplify your AWS networking and security setup
FUJITSU-RESTRICTED 7 Ā© Fujitsu 2025 FUJITSU-PUBLIC 7 Ā© Fujitsu 2025 Overlooking Conditional Permissions Making life easier for the attackers!
FUJITSU-PUBLIC 8 Ā© Fujitsu 2025 Introducing Conditional Permissions ā€¢ AWS IAM feature ā€¢ Used in IAM policies ā€¢ Define permissions limited by dynamic properties ā€¢ Common examples: ā€¢ Did the principal login with MFA? ā€¢ What AWS Organization is the principal from? ā€¢ What AWS Organization is the resource in? ā€¢ Which AWS region is the request targeting? ā€¢ What tags are applied to the resource?
FUJITSU-PUBLIC 9 Ā© Fujitsu 2025 The Sin Not using conditions to limit permissions Failing to leverage conditions for sensitive permission grants = Overly complex or excessive permissions = Cracks which hackers will slip through
FUJITSU-PUBLIC 10 Ā© Fujitsu 2025 The Resolution Limit permission grants with conditions! ā€¢ Make highly sensitive actions conditional on MFA ā€¢ E.g. those affecting CloudTrail, Flow Logs, etc ā€¢ Use tag conditions to simplify resource definitions ā€¢ Use AWS Organizations conditions to guard against common attack classes ā€¢ E.g. bucket snipping, confused deputy
FUJITSU-RESTRICTED 11 Ā© Fujitsu 2025 FUJITSU-PUBLIC 11 Ā© Fujitsu 2025 Forgetting Permissions Boundaries Because privilege escalation = fun!
FUJITSU-PUBLIC 12 Ā© Fujitsu 2025 Introducing Permissions Boundaries ā€¢ AWS IAM feature ā€¢ Used with IAM roles or users ā€¢ Defines the maximum permissions a role or user can haveā€¦ ā€¢ ... or pass to another IAM entity ā€¢ E.g. when creating an IAM role
FUJITSU-PUBLIC 13 Ā© Fujitsu 2025 The Sin Not configuring permissions boundaries on roles and users! No permissions boundaries + Permissions to create / edit / pass IAM roles = Quick & easy privilege escalation
FUJITSU-PUBLIC 14 Ā© Fujitsu 2025 The Resolution Centrally define and consistently set permissions boundaries ā€¢ Define a standard set of permissions boundaries for your AWS Organization ā€¢ Set a permissions boundary on every IAM principal ā€¢ Because thereā€™s no reason not to, and every reason to ā€¢ Use AWS Config to detect and auto-remediate IAM roles or users without permissions boundaries
FUJITSU-RESTRICTED 15 Ā© Fujitsu 2025 FUJITSU-PUBLIC 15 Ā© Fujitsu 2025 Connect with us via https://bit.ly/40euORy Weā€™re happy to help!
FUJITSU-RESTRICTED 16 Ā© Fujitsu 2025 FUJITSU-PUBLIC Ā© Fujitsu 2025 Thanks for your time

More Related Content

PDF
How to Fail (In)gloriously at AWS Security
byChris Bingham
Ā 
PDF
Securing Your Customers Data From Day One
byAmazon Web Services LATAM
Ā 
PDF
Advanced Security Masterclass - Tel Aviv Loft
byIan Massingham
Ā 
PPTX
Deep dive - AWS security by design
byRichard Harvey
Ā 
PPTX
Hackproof Your Cloud: Responding to 2016 Threats
byCloudCheckr
Ā 
PDF
Security Best Practices
byIan Massingham
Ā 
PDF
Security Best Practices: AWS AWSome Day Management Track
byIan Massingham
Ā 
PDF
AWS STARTUP DAY 2018 I Securing Your Customer Data From Day One
byAWS Germany
Ā 
How to Fail (In)gloriously at AWS Security
byChris Bingham
Ā 
Securing Your Customers Data From Day One
byAmazon Web Services LATAM
Ā 
Advanced Security Masterclass - Tel Aviv Loft
byIan Massingham
Ā 
Deep dive - AWS security by design
byRichard Harvey
Ā 
Hackproof Your Cloud: Responding to 2016 Threats
byCloudCheckr
Ā 
Security Best Practices
byIan Massingham
Ā 
Security Best Practices: AWS AWSome Day Management Track
byIan Massingham
Ā 
AWS STARTUP DAY 2018 I Securing Your Customer Data From Day One
byAWS Germany
Ā 

Similar to How to Fail (In)gloriously at AWS Security (Webinar)

PDF
Security best practices on AWS cloud
byMartin Yan
Ā 
PDF
3 Steps for Securing Your AWS Organisation.pdf
byChris Bingham
Ā 
PPTX
Group-1 Presentation.pptx cloud security
byTdxToxic
Ā 
PDF
Serverless Security Automation on AWS - Hamburg AWS User Group
byDennis Traub
Ā 
PDF
Download full ebook of Aws Security Final Release Dylan Shields instant downl...
byonurmronbh7028
Ā 
PDF
Safeguarding Your Mission Understanding Common Security Threats and How to P...
byTechSoup
Ā 
PDF
Simple Security for Startups
byMark Bate
Ā 
PDF
Simple Security for Startups
byAWS Germany
Ā 
PPTX
Hack proof your aws cloud cloudcheckr_040416
byJarrett Plante
Ā 
PDF
Improving Your Security Posture: AWS Infrastructure
byAdam Bouhmad
Ā 
PPTX
AWS Security
byMagdy El-Faramawy , MBA,PMP,CISA,CM,ITIL
Ā 
PPTX
Academy Cloud Foundations Module 04 Premier University
byshovondeb333
Ā 
PPTX
Aws security best practices
bySundeep Roxx
Ā 
PDF
AWS Webinar CZSK 02 Bezpecnost v AWS cloudu
byVladimir Simek
Ā 
PDF
AWS Security Best Practices (March 2017)
byJulien SIMON
Ā 
PDF
Practical AWS Security - Scott Hogg
byTrish McGinity, CCSK
Ā 
PPTX
Security framework shakedown_-_chart_your_journey_with_aws_best_practices_ini...
byAmazon Web Services LATAM
Ā 
PPTX
Security Framework Shakedown- Mapeie sua jornada com as melhores prƔticas da AWS
byAmazon Web Services LATAM
Ā 
PPTX
AWS Well-Architected Webinar Security - Ben de Haan
byGoDataDriven
Ā 
PPTX
Building Bulletproof Infrastructure on AWS
by2nd Watch
Ā 
Security best practices on AWS cloud
byMartin Yan
Ā 
3 Steps for Securing Your AWS Organisation.pdf
byChris Bingham
Ā 
Group-1 Presentation.pptx cloud security
byTdxToxic
Ā 
Serverless Security Automation on AWS - Hamburg AWS User Group
byDennis Traub
Ā 
Download full ebook of Aws Security Final Release Dylan Shields instant downl...
byonurmronbh7028
Ā 
Safeguarding Your Mission Understanding Common Security Threats and How to P...
byTechSoup
Ā 
Simple Security for Startups
byMark Bate
Ā 
Simple Security for Startups
byAWS Germany
Ā 
Hack proof your aws cloud cloudcheckr_040416
byJarrett Plante
Ā 
Improving Your Security Posture: AWS Infrastructure
byAdam Bouhmad
Ā 
AWS Security
byMagdy El-Faramawy , MBA,PMP,CISA,CM,ITIL
Ā 
Academy Cloud Foundations Module 04 Premier University
byshovondeb333
Ā 
Aws security best practices
bySundeep Roxx
Ā 
AWS Webinar CZSK 02 Bezpecnost v AWS cloudu
byVladimir Simek
Ā 
AWS Security Best Practices (March 2017)
byJulien SIMON
Ā 
Practical AWS Security - Scott Hogg
byTrish McGinity, CCSK
Ā 
Security framework shakedown_-_chart_your_journey_with_aws_best_practices_ini...
byAmazon Web Services LATAM
Ā 
Security Framework Shakedown- Mapeie sua jornada com as melhores prƔticas da AWS
byAmazon Web Services LATAM
Ā 
AWS Well-Architected Webinar Security - Ben de Haan
byGoDataDriven
Ā 
Building Bulletproof Infrastructure on AWS
by2nd Watch
Ā 

More from Chris Bingham

PDF
API206-S: Transforming Supply Chains with Amazon Bedrock AgentCore - AWS re:I...
byChris Bingham
Ā 
PDF
Lets Build a Serverless Function with Kiro
byChris Bingham
Ā 
PDF
Transforming Supply Chains with Amazon Bedrock AgentCore (AWS Swiss User Grou...
byChris Bingham
Ā 
PDF
AimingĀ forĀ Zero-Ops,Ā Zero(ish)-CostĀ onĀ AWS
byChris Bingham
Ā 
PDF
Managing Geospatial Open Data Serverlessly [AWS Community Day CH 2025]
byChris Bingham
Ā 
PDF
Managing Geospatial Open Data Serverlessly [Cloud Native Bern Meetup | May 2025]
byChris Bingham
Ā 
PDF
How AWS Encryption Key Options Impact Your Security and Compliance
byChris Bingham
Ā 
PDF
Managing Geospatial Open Data Serverlessly: paddelbuch.ch [Cloud Native Compu...
byChris Bingham
Ā 
PDF
Learning About GenAI Engineering with AWS PartyRock [AWS User Group Basel - F...
byChris Bingham
Ā 
PDF
Data & Analytics ReInvent Recap [AWS Basel Meetup - Jan 2023]
byChris Bingham
Ā 
PDF
SucculentPi [AWS Basel Meetup - Oct 2022]
byChris Bingham
Ā 
API206-S: Transforming Supply Chains with Amazon Bedrock AgentCore - AWS re:I...
byChris Bingham
Ā 
Lets Build a Serverless Function with Kiro
byChris Bingham
Ā 
Transforming Supply Chains with Amazon Bedrock AgentCore (AWS Swiss User Grou...
byChris Bingham
Ā 
AimingĀ forĀ Zero-Ops,Ā Zero(ish)-CostĀ onĀ AWS
byChris Bingham
Ā 
Managing Geospatial Open Data Serverlessly [AWS Community Day CH 2025]
byChris Bingham
Ā 
Managing Geospatial Open Data Serverlessly [Cloud Native Bern Meetup | May 2025]
byChris Bingham
Ā 
How AWS Encryption Key Options Impact Your Security and Compliance
byChris Bingham
Ā 
Managing Geospatial Open Data Serverlessly: paddelbuch.ch [Cloud Native Compu...
byChris Bingham
Ā 
Learning About GenAI Engineering with AWS PartyRock [AWS User Group Basel - F...
byChris Bingham
Ā 
Data & Analytics ReInvent Recap [AWS Basel Meetup - Jan 2023]
byChris Bingham
Ā 
SucculentPi [AWS Basel Meetup - Oct 2022]
byChris Bingham
Ā 

Recently uploaded

PPTX
Workflow and decision Automation with Flowable
bychakib ch
Ā 
PDF
final.pdf
byomarbishtawi04
Ā 
PDF
UiPath Automation Developer Associate Training Series 2026 - Session 2
byDianaGray10
Ā 
PDF
Python Automation in Action: Real-World Use Cases and Practical Implementation
byDenys Smirnov
Ā 
PDF
How does MES(Manufacturing Execution System) work?
byakipii ogaoga
Ā 
PDF
Explaining specific examples of purpose-specific BOM
byakipii ogaoga
Ā 
PDF
Chapter 5 Security Mechanisms iin computer security.pdf
byGetnet Tigabie Askale -(GM)
Ā 
PDF
Post Quantum Cryptography for Dummies.pdf
byAde Ismail Isnan
Ā 
PDF
Automated Governance for FME Flow: Smarter Admin at Scale
bySafe Software
Ā 
PDF
Odoo Implementation Checklist: A Strategic ERP Blueprint for Business-Ready D...
byBANIBRO IT SOLUTION
Ā 
PDF
Traditional-Security-Models-No-Longer-Work.pptx (1).pdf
byOhhproJunction
Ā 
PPTX
Automation Without Apprentices: How AI Challenges the Open Source Way
byIcinga
Ā 
PPTX
Celonis Optimizing your future with process
bydevjeremyappleyard
Ā 
PPTX
Do You Control the AI, or Does the AI Control You?
bymedhateltoukhy
Ā 
PDF
Rustici Software: eLearning standards in the age of AI
byRustici Software
Ā 
PDF
GenerationAI Paris 2025 | How Agentic AI is Reinventing Organizations
byapidays
Ā 
PPTX
Introducing VisualSim 2610 The Next Leap in System Level Modeling
byDeepak Shankar
Ā 
PDF
Poročilo odbora CIS (CH08873) za leto 2025 na letni skupŔčini IEEE Slovenija ...
byUniversity of Maribor
Ā 
PPTX
How Does an ICO Launchpad Work Step-by-Step Breakdown.pptx
byTom Hardy S
Ā 
PPTX
Working Session ā€” Build a Document Understanding Automation Using an OOTB ML ...
byDianaGray10
Ā 
Workflow and decision Automation with Flowable
bychakib ch
Ā 
final.pdf
byomarbishtawi04
Ā 
UiPath Automation Developer Associate Training Series 2026 - Session 2
byDianaGray10
Ā 
Python Automation in Action: Real-World Use Cases and Practical Implementation
byDenys Smirnov
Ā 
How does MES(Manufacturing Execution System) work?
byakipii ogaoga
Ā 
Explaining specific examples of purpose-specific BOM
byakipii ogaoga
Ā 
Chapter 5 Security Mechanisms iin computer security.pdf
byGetnet Tigabie Askale -(GM)
Ā 
Post Quantum Cryptography for Dummies.pdf
byAde Ismail Isnan
Ā 
Automated Governance for FME Flow: Smarter Admin at Scale
bySafe Software
Ā 
Odoo Implementation Checklist: A Strategic ERP Blueprint for Business-Ready D...
byBANIBRO IT SOLUTION
Ā 
Traditional-Security-Models-No-Longer-Work.pptx (1).pdf
byOhhproJunction
Ā 
Automation Without Apprentices: How AI Challenges the Open Source Way
byIcinga
Ā 
Celonis Optimizing your future with process
bydevjeremyappleyard
Ā 
Do You Control the AI, or Does the AI Control You?
bymedhateltoukhy
Ā 
Rustici Software: eLearning standards in the age of AI
byRustici Software
Ā 
GenerationAI Paris 2025 | How Agentic AI is Reinventing Organizations
byapidays
Ā 
Introducing VisualSim 2610 The Next Leap in System Level Modeling
byDeepak Shankar
Ā 
Poročilo odbora CIS (CH08873) za leto 2025 na letni skupŔčini IEEE Slovenija ...
byUniversity of Maribor
Ā 
How Does an ICO Launchpad Work Step-by-Step Breakdown.pptx
byTom Hardy S
Ā 
Working Session ā€” Build a Document Understanding Automation Using an OOTB ML ...
byDianaGray10
Ā 

How to Fail (In)gloriously at AWS Security (Webinar)

  • 1.
    FUJITSU-PUBLIC 1 Ā©Fujitsu 2025 FUJITSU-PUBLIC Ā© Fujitsu 2025 How to Fail (In)gloriously at AWS Security Chris Bingham CTO, Switzerland & AWS Ambassador Webinar - 27.11.25 16:00 CET
  • 2.
    FUJITSU-PUBLIC 2 Ā©Fujitsu 2025 The 7 Recurring Sins 2nd Forgetting Permissions Boundaries 3rd Failing to Use Hardware Security Tokens 4th Using SMS as an Authentication Factor 5th Overlooking Conditional Permissions 6th Ignoring Sessions Manager 7th Forsaking Central Root User Management Ordered by how bored I am of talking about them! 1st Abusing Wildcards
  • 3.
    FUJITSU-RESTRICTED 3 Ā©Fujitsu 2025 FUJITSU-PUBLIC 3 Ā© Fujitsu 2025 Ignoring Session Manager Letā€™s leave the front door unlocked!
  • 4.
    FUJITSU-PUBLIC 4 Ā©Fujitsu 2025 Introducing Session Manager ā€¢ AWS Systems Manager feature ā€¢ Log in to systems without requiring direct network access, firewall rules, etc ā€¢ Access control via AWS IAM ā€¢ Session logging ā€¢ Port forwarding (e.g. for RDP) ā€¢ Uses SSM Agent ā€¢ Pre-installed on most EC2 AMIs
  • 5.
    FUJITSU-PUBLIC 5 Ā©Fujitsu 2025 The Sin Leaving Session Manager usage uncontrolled and wide open! Allowing ssm:* + Not managing the SSM Agent state & config = Everyone has root on your OS
  • 6.
    FUJITSU-PUBLIC 6 Ā©Fujitsu 2025 The Resolution Manage your Session Manager! ā€¢ Grant ssm: action permissions selectively ā€¢ Always explicitly define and monitor your SSM Agent config ā€¢ Even if you think youā€™re not using it ā€¢ Adopt Session Manager ā€¢ Avoid the issues of direct SSH and RDP connections ā€¢ Get actual audit trails of admin activity ā€¢ Simplify your AWS networking and security setup
  • 7.
    FUJITSU-RESTRICTED 7 Ā©Fujitsu 2025 FUJITSU-PUBLIC 7 Ā© Fujitsu 2025 Overlooking Conditional Permissions Making life easier for the attackers!
  • 8.
    FUJITSU-PUBLIC 8 Ā©Fujitsu 2025 Introducing Conditional Permissions ā€¢ AWS IAM feature ā€¢ Used in IAM policies ā€¢ Define permissions limited by dynamic properties ā€¢ Common examples: ā€¢ Did the principal login with MFA? ā€¢ What AWS Organization is the principal from? ā€¢ What AWS Organization is the resource in? ā€¢ Which AWS region is the request targeting? ā€¢ What tags are applied to the resource?
  • 9.
    FUJITSU-PUBLIC 9 Ā©Fujitsu 2025 The Sin Not using conditions to limit permissions Failing to leverage conditions for sensitive permission grants = Overly complex or excessive permissions = Cracks which hackers will slip through
  • 10.
    FUJITSU-PUBLIC 10 Ā©Fujitsu 2025 The Resolution Limit permission grants with conditions! ā€¢ Make highly sensitive actions conditional on MFA ā€¢ E.g. those affecting CloudTrail, Flow Logs, etc ā€¢ Use tag conditions to simplify resource definitions ā€¢ Use AWS Organizations conditions to guard against common attack classes ā€¢ E.g. bucket snipping, confused deputy
  • 11.
    FUJITSU-RESTRICTED 11 Ā©Fujitsu 2025 FUJITSU-PUBLIC 11 Ā© Fujitsu 2025 Forgetting Permissions Boundaries Because privilege escalation = fun!
  • 12.
    FUJITSU-PUBLIC 12 Ā©Fujitsu 2025 Introducing Permissions Boundaries ā€¢ AWS IAM feature ā€¢ Used with IAM roles or users ā€¢ Defines the maximum permissions a role or user can haveā€¦ ā€¢ ... or pass to another IAM entity ā€¢ E.g. when creating an IAM role
  • 13.
    FUJITSU-PUBLIC 13 Ā©Fujitsu 2025 The Sin Not configuring permissions boundaries on roles and users! No permissions boundaries + Permissions to create / edit / pass IAM roles = Quick & easy privilege escalation
  • 14.
    FUJITSU-PUBLIC 14 Ā©Fujitsu 2025 The Resolution Centrally define and consistently set permissions boundaries ā€¢ Define a standard set of permissions boundaries for your AWS Organization ā€¢ Set a permissions boundary on every IAM principal ā€¢ Because thereā€™s no reason not to, and every reason to ā€¢ Use AWS Config to detect and auto-remediate IAM roles or users without permissions boundaries
  • 15.
    FUJITSU-RESTRICTED 15 Ā©Fujitsu 2025 FUJITSU-PUBLIC 15 Ā© Fujitsu 2025 Connect with us via https://bit.ly/40euORy Weā€™re happy to help!
  • 16.
    FUJITSU-RESTRICTED 16 Ā©Fujitsu 2025 FUJITSU-PUBLIC Ā© Fujitsu 2025 Thanks for your time