© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Compliance and Security
Mitigation Techniques on AWS
Ric Harvey, Technical Developer Evangelist
@ric__harvey
https://gitlab.com/ric_harvey
Back to Basics
Identity Access Management (IAM)
Ensure only authorized and authenticated users are able
to access resources:
• Define users, groups, services and roles
• Protect AWS credentials
• Use fine grained authorization/access control
Define access
Users | Groups | Services | Roles
• Think carefully
• SAML 2.0 (ADFS)
• Define a management policy
• Logically group users
• Apply group policies
• Least privilege access
• Be granular
• Use roles for instances and functions
• Avoid using API keys in code
Protecting AWS credentials
• Establish less-privileged Users
• Enable MFA on the root account
• Consider federation
• Set a password policy
• MFA for users and/or certain operations (s3 delete)
• Avoid storing API Keys in source control
• Use temporary credentials via STS
Fine grained access control
• Establish the least privilege principle
• Define clear roles for users and roles
• Use AWS Organizations to centrally manage access
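Least privilege and "be granular" are easiest to enforce when a policy document is checked before it is attached. The following linter is an added example (not from the slides and not an AWS tool): it walks an IAM policy document and flags Allow statements that use wildcard actions, wildcard resources without a Condition, or NotAction. The sample policy is constructed for the demonstration.

```python
"""Least-privilege linter for IAM policy documents.

Added example, not from the slides: flags Allow statements whose Action or
Resource is a wildcard, which is the most common way a policy stops being
granular. The sample policy below is constructed; no AWS calls are made.
"""
import json
from typing import Any, Dict, List


def _as_list(value) -> List[str]:
    """IAM accepts either a string or a list of strings in Action/Resource."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def lint_policy(policy: Dict[str, Any]) -> List[str]:
    """Return human-readable findings for one IAM policy document (a dict)."""
    findings: List[str] = []
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement object is also legal
        statements = [statements]
    for idx, stmt in enumerate(statements):
        sid = stmt.get("Sid", f"statement[{idx}]")
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        if "NotAction" in stmt:
            findings.append(f"{sid}: Allow with NotAction grants every action not listed")
        for action in _as_list(stmt.get("Action")):
            if action == "*":
                findings.append(f"{sid}: Action '*' grants all actions on all services")
            elif action.endswith(":*"):
                findings.append(f"{sid}: Action '{action}' grants every action of that service")
        if "*" in _as_list(stmt.get("Resource")) and not stmt.get("Condition"):
            findings.append(f"{sid}: Resource '*' with no Condition")
    return findings


# Constructed sample: one overly broad statement beside one granular statement.
SAMPLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "TooBroad", "Effect": "Allow", "Action": "s3:*", "Resource": "*"},
    {"Sid": "Granular", "Effect": "Allow",
     "Action": ["s3:GetObject"],
     "Resource": "arn:aws:s3:::example-bucket/reports/*"}
  ]
}
""")

if __name__ == "__main__":
    for line in lint_policy(SAMPLE_POLICY):
        print(line)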
Resources
AWS IAM - https://aws.amazon.com/iam/
AWS STS - https://docs.aws.amazon.com/STS/latest/APIReference/Welcome.html
AWS Organizations - https://aws.amazon.com/organizations/
VPC and Subnetting
Infrastructure protection
• Protect network and host level boundaries
• System security config and management
• Enforce service-level protection
Protect network and host level boundaries
VPC considerations:
• Subnets to separate workloads
• Use NACLs to prevent access between subnets
• Use route tables to deny internet access from protected subnets
• Use security groups to grant access to and from other security groups
Limit what you run in public subnets:
• ELB/ALB and NLBs
• Bastion hosts
• Wherever possible, avoid having a system directly accessible from the internet
External connectivity for management:
• Use VPN gateways to your on-premises systems
• Direct Connect
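The two VPC rules above that are cheapest to check continuously are "grant access to and from other security groups" and "avoid having a system directly accessible from the internet". The script below is an added example (not from the slides): it walks a document in the shape of `aws ec2 describe-security-groups` output and reports every ingress rule that admits 0.0.0.0/0 or ::/0 on anything other than a single web port, which is what a load balancer in a public subnet legitimately exposes. Rules that reference another security group are left alone. Group names and IDs are constructed placeholders.

```python
"""Audit security group ingress rules for internet-wide exposure.

Added example, not from the slides. Reports every ingress rule open to the
whole internet on anything other than a single web port (80/443).
"""
from typing import Any, Dict, List

WEB_PORTS = {80, 443}
WORLD = {"0.0.0.0/0", "::/0"}


def _port_label(perm: Dict[str, Any]) -> str:
    """Render an IpPermission's protocol and port range for a finding."""
    if perm.get("IpProtocol") == "-1":
        return "all traffic"
    lo, hi = perm.get("FromPort"), perm.get("ToPort")
    ports = str(lo) if lo == hi else f"{lo}-{hi}"
    return f"{perm['IpProtocol']}/{ports}"


def _is_single_web_port(perm: Dict[str, Any]) -> bool:
    return (perm.get("IpProtocol") == "tcp"
            and perm.get("FromPort") == perm.get("ToPort")
            and perm.get("FromPort") in WEB_PORTS)


def audit_security_groups(groups: List[Dict[str, Any]]) -> List[str]:
    """Return one finding string per world-open, non-web ingress rule."""
    findings: List[str] = []
    for sg in groups:
        for perm in sg.get("IpPermissions", []):
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            world_open = sorted(c for c in cidrs if c in WORLD)
            # UserIdGroupPairs (group-to-group grants) never appear in cidrs,
            # so the recommended pattern is never flagged.
            if world_open and not _is_single_web_port(perm):
                findings.append(
                    f"{sg['GroupName']}: {_port_label(perm)} open to {', '.join(world_open)}")
    return findings


# Constructed sample in the shape of describe-security-groups output.
SAMPLE_GROUPS = [
    {"GroupId": "sg-00000001", "GroupName": "alb-public",
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                        "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
                        "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-00000002", "GroupName": "app-private",
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,
                        "IpRanges": [],
                        "UserIdGroupPairs": [{"GroupId": "sg-00000001"}]}]},
    {"GroupId": "sg-00000003", "GroupName": "bastion",
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                        "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-00000004", "GroupName": "db-legacy",
     "IpPermissions": [{"IpProtocol": "-1",
                        "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
]

if __name__ == "__main__":
    for finding in audit_security_groups(SAMPLE_GROUPS):
        print(finding)
```

Feeding it real output is a matter of loading the JSON from `aws ec2 describe-security-groups` and passing the `SecurityGroups` list; the bastion finding is the one most teams expect, the "all traffic" finding on a database group is the one they rarely do.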
CloudTrail
Enabled by default
GuardDuty
Amazon GuardDuty
Generally available today
Amazon GuardDuty
Instance reconnaissance
• Port probe / accepted comm
• Port scan (intra-VPC)
• Bruteforce attack (IP)
• Tor communications
Account compromise
• Malicious API call (bad IP)
• Tor API call (accepted)
• CloudTrail disabled
• Password policy change
• Instance launch unusual
• Region activity unusual
• Suspicious console login
• Unusual ISP caller
• Mutating API calls (create, update, delete)
• High volume of describe calls
• Unusual IAM user added
Amazon GuardDuty
Instance compromise
• C&C activity
• Malicious domain request
• EC2 on threat list
• Drop point IP
• Malicious comms (ASIS)
• Bitcoin mining
• Spambot activity
• Outbound SSH bruteforce
• EC2 Credential Exfiltration
• Unusual network port
• Unusual traffic volume/direction
• Unusual DNS requests
• Domain generation algorithms
Account reconnaissance
• Tor API call (failed)
Amazon GuardDuty Automated response
Findings are delivered via:
• HTTPS
• CLI
• CloudWatch Events
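The CloudWatch Events path is the one that makes an automated response possible: a rule matches the `GuardDuty Finding` detail type and hands the finding to a Lambda function. The handler below is an added example, not code from the slides or from the aws-samples hands-on repository. It classifies the finding type (`ThreatPurpose:ResourceType/ThreatName`, the naming scheme behind the lists on the previous slides), uses the severity band (high is 7.0 and above) to decide on a response, and only acts through whatever `isolate` callable is passed in, so the default run is a dry run. The sample event and instance ID are constructed.

```python
"""Triage a GuardDuty finding delivered through a CloudWatch Events rule.

Added example, not from the slides or the linked aws-samples repository.
Shaped like a Lambda handler: the finding arrives as event["detail"].
"""
from typing import Any, Callable, Dict, Optional

# GuardDuty severity bands: low 1-3.9, medium 4-6.9, high 7-8.9
HIGH_SEVERITY = 7.0


def classify(finding_type: str) -> Dict[str, str]:
    """Split 'ThreatPurpose:ResourceType/ThreatName' into its three parts."""
    purpose, rest = finding_type.split(":", 1)
    resource, name = rest.split("/", 1)
    return {"purpose": purpose, "resource": resource, "name": name}


def plan_response(detail: Dict[str, Any]) -> Dict[str, Any]:
    """Decide what to do with one finding; returns the plan without acting."""
    parts = classify(detail["type"])
    severity = float(detail.get("severity", 0))
    res = detail.get("resource", {})
    plan: Dict[str, Any] = {"finding": detail["type"], "severity": severity,
                            "action": "log", "target": None}
    if res.get("resourceType") == "Instance":
        plan["target"] = res["instanceDetails"]["instanceId"]
        # Reconnaissance against an instance is noisy; only isolate a host
        # the finding says is compromised, and only at high severity.
        if severity >= HIGH_SEVERITY and parts["purpose"] != "Recon":
            plan["action"] = "isolate-instance"
        else:
            plan["action"] = "notify"
    elif res.get("resourceType") == "AccessKey":
        plan["target"] = res["accessKeyDetails"]["userName"]
        plan["action"] = "notify"  # account-level findings go to a human first
    return plan


def handler(event: Dict[str, Any], context: Any = None,
            isolate: Optional[Callable[[str], None]] = None) -> Dict[str, Any]:
    """Lambda-style entry point. `isolate` is assumed (hypothetical) to move
    an instance into a quarantine security group; None means dry run."""
    if event.get("detail-type") != "GuardDuty Finding":
        return {"action": "ignored"}
    plan = plan_response(event["detail"])
    if plan["action"] == "isolate-instance" and isolate is not None:
        isolate(plan["target"])
        plan["executed"] = True
    return plan


# Constructed sample event; the instance id is a placeholder.
SAMPLE_EVENT = {
    "detail-type": "GuardDuty Finding",
    "detail": {
        "type": "Backdoor:EC2/C&CActivity.B!DNS",
        "severity": 8,
        "resource": {"resourceType": "Instance",
                     "instanceDetails": {"instanceId": "i-0123456789abcdef0"}},
    },
}

if __name__ == "__main__":
    print(handler(SAMPLE_EVENT, isolate=lambda i: print("would isolate", i)))
```

Wiring `isolate` to a real EC2 call is deliberately left to the deployment; keeping the decision (`plan_response`) separate from the action is what lets the logic be unit-tested against captured findings before it is allowed to touch production instances.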
Amazon GuardDuty Console
Detailed response
• Time
• IP Location
• Type of action
Amazon GuardDuty Pricing
Pricing examples (monthly)
US-East (N. VA) / Example 1
GuardDuty processes
• 40,000,000 events
• 2,000 GB of VPC Flow Logs
• 1,000 GB of DNS query logs
Charges =
40 x $4.00 (per 1,000,000 events)
+ 500 x $1.00 (first 500 GB)
+ 2,000 x $0.50 (next 2,000 GB)
+ 500 x $0.25 (over 2,500 GB)
= $1,785 per month
Amazon GuardDuty Automated response
https://github.com/aws-samples/amazon-guardduty-hands-on
AWS WAF
What’s WAF?
Web Application Firewall
Choose WAF behaviors:
• Allow all requests except the ones that you specify
• Block all requests except the ones that you specify
• Count the requests that match the properties that you specify
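The three behaviours differ in what happens when no rule matches and in whether a match stops evaluation. The model below is an added example, not AWS WAF code: a web ACL is reduced to a default action plus an ordered list of rules, where ALLOW and BLOCK terminate, COUNT records the match and lets evaluation continue, and the default action applies when nothing terminated. The first ACL is "allow all except" (default ALLOW with a BLOCK rule), the second is "block all except" (default BLOCK with an ALLOW rule). The match conditions, IP range (TEST-NET-3) and requests are constructed.

```python
"""Model of the three WAF behaviours: allow-all-except, block-all-except, count.

Added example, not AWS WAF code. Rules are (name, predicate, action).
"""
from typing import Callable, Dict, List, Tuple

Request = Dict[str, str]
Rule = Tuple[str, Callable[[Request], bool], str]


class WebAcl:
    def __init__(self, default_action: str, rules: List[Rule]):
        assert default_action in ("ALLOW", "BLOCK")
        self.default_action = default_action
        self.rules = rules
        self.counts: Dict[str, int] = {name: 0 for name, _, _ in rules}

    def evaluate(self, request: Request) -> Tuple[str, str]:
        """Return (decision, name of the deciding rule or 'default')."""
        for name, predicate, action in self.rules:
            if not predicate(request):
                continue
            if action == "COUNT":
                self.counts[name] += 1  # observe only; keep evaluating
                continue
            return action, name       # ALLOW and BLOCK terminate
        return self.default_action, "default"


def looks_like_sqli(req: Request) -> bool:
    """Crude constructed stand-in for a SQL injection match condition."""
    q = req.get("query", "").lower()
    return "' or " in q or "union select" in q


def from_office(req: Request) -> bool:
    """Constructed placeholder range (TEST-NET-3) standing in for an office IP set."""
    return req.get("ip", "").startswith("203.0.113.")


# Allow everything except SQLi matches; count oversized bodies before deciding to block them
public_site = WebAcl("ALLOW", [
    ("sqli", looks_like_sqli, "BLOCK"),
    ("large-body", lambda r: int(r.get("size", "0")) > 8192, "COUNT"),
])

# Block everything except the office range (an admin endpoint)
admin_site = WebAcl("BLOCK", [
    ("office-only", from_office, "ALLOW"),
])

# Constructed requests
SAMPLE_REQUESTS = [
    {"ip": "198.51.100.7", "path": "/search", "query": "q=shoes", "size": "120"},
    {"ip": "198.51.100.7", "path": "/search", "query": "q=' OR 1=1 --", "size": "140"},
    {"ip": "198.51.100.9", "path": "/upload", "query": "", "size": "20000"},
    {"ip": "203.0.113.5", "path": "/admin", "query": "", "size": "50"},
]

if __name__ == "__main__":
    for r in SAMPLE_REQUESTS:
        print(r["path"], public_site.evaluate(r), admin_site.evaluate(r))
    print("counted:", public_site.counts)
```

The COUNT path is the one worth noticing: it is how a new rule (an OWASP rule group or a virtual patch) is rolled out against live traffic to measure false positives before it is switched to BLOCK.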
WAF Rules
• Protect your APIs and web applications
• Preconfigured RuleGroups
• OWASP Top 10 mitigations
• Bad-bot defenses
• Virtual patching against the latest CVEs
WAF Examples
https://github.com/aws-samples/aws-waf-sample
AWS Shield
AWS Shield
Goal → Suggested services
• Protect a web application and RESTful APIs against a DDoS attack → Shield Advanced protecting an Amazon CloudFront distribution and an Application Load Balancer
• Protect a TCP-based application against a DDoS attack → Shield Advanced protecting a Network Load Balancer attached to an Elastic IP address
• Protect a UDP-based game server against a DDoS attack → Shield Advanced protecting an Amazon EC2 instance attached to an Elastic IP address
AWS Shield Features
Active monitoring
• Network flow monitoring
• Automated application (layer 7) traffic monitoring
DDoS mitigations
• Helps protect from common DDoS attacks, such as SYN floods and UDP reflection attacks
• Access to additional DDoS mitigation capacity
Tier column (top to bottom): Standard and Advanced; Standard and Advanced; Advanced; Advanced
AWS Shield Features
Visibility and reporting
• Layer 3/4 attack notification and attack forensic reports
• Layer 3/4/7 attack historical report
DDoS response team support
• Incident management during high severity events
• Custom mitigations during attacks
• Post-attack analysis
Tier: Advanced (all of the above)
AWS Shield Features
Cost protection
• Reimburse related Route 53, CloudFront, and ELB DDoS charges (Advanced)
Price
• Standard: no additional cost for all AWS customers
• Advanced: $3,000/month plus additional data transfer fees; AWS WAF included at no additional cost
Amazon Inspector
Threat assessment tooling at scale
Automate security assessments
First reports in minutes
Install agent on Linux
Install agent on Windows
https://aws.amazon.com/inspector/getting-started/
Amazon Inspector findings
AWS Secrets Manager
AWS Secrets Manager
Easily rotate, manage, and retrieve database credentials, API keys, and other secrets through their lifecycle
• Secure secrets storage
• Automatic secrets rotation without disrupting applications
• Programmatic retrieval of secrets
• Audit and monitor secrets usage
https://aws.amazon.com/secrets-manager/getting-started/
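"Programmatic retrieval" and "rotation without disrupting applications" meet on the consumer side: an application that caches a secret must cope with the cached value being rotated out from under it. The code below is an added example, not from the slides or the getting-started page. The client is any object with a boto3-shaped `get_secret_value(SecretId=...)` returning `{"SecretString": ...}`; the one constructed here stands in for `boto3.client("secretsmanager")` so the script runs offline, and the fake database stands in for the system that accepts only the live password. The cache refreshes on a TTL and, when the consumer reports an authentication failure, refetches once and retries.

```python
"""Fetch a secret programmatically and survive its rotation.

Added example, not from the slides. FakeSecretsManager and FakeDatabase are
constructed stand-ins so the demonstration runs offline.
"""
import json
import time
from typing import Any, Callable, Dict


class AuthFailure(Exception):
    """Raised by the consumer when the credential it was given is rejected."""


class SecretCache:
    def __init__(self, client: Any, ttl_seconds: float = 300.0,
                 clock: Callable[[], float] = time.monotonic):
        self._client = client       # boto3 secretsmanager client or compatible
        self._ttl = ttl_seconds
        self._clock = clock
        self._entries: Dict[str, Dict[str, Any]] = {}
        self.fetches = 0            # how many round trips were made

    def get(self, secret_id: str, force_refresh: bool = False) -> Dict[str, Any]:
        entry = self._entries.get(secret_id)
        if entry and not force_refresh and self._clock() - entry["at"] < self._ttl:
            return entry["value"]
        resp = self._client.get_secret_value(SecretId=secret_id)  # boto3 call shape
        self.fetches += 1
        value = json.loads(resp["SecretString"])
        self._entries[secret_id] = {"value": value, "at": self._clock()}
        return value

    def use(self, secret_id: str, consumer: Callable[[Dict[str, Any]], Any]) -> Any:
        """Run consumer(secret); on AuthFailure refresh once and retry."""
        try:
            return consumer(self.get(secret_id))
        except AuthFailure:
            return consumer(self.get(secret_id, force_refresh=True))


class FakeSecretsManager:
    """Constructed stand-in: holds one secret and can rotate its password."""
    def __init__(self):
        self.current = {"username": "app", "password": "pw-v1"}

    def get_secret_value(self, SecretId: str) -> Dict[str, str]:
        return {"SecretString": json.dumps(self.current)}

    def rotate(self):
        self.current = dict(self.current, password="pw-v2")


class FakeDatabase:
    """Constructed stand-in for a database that only accepts the live password."""
    def __init__(self, sm: FakeSecretsManager):
        self._sm = sm

    def connect(self, creds: Dict[str, Any]) -> str:
        if creds["password"] != self._sm.current["password"]:
            raise AuthFailure("access denied")
        return f"connected as {creds['username']} with {creds['password']}"


def demo() -> Dict[str, Any]:
    sm = FakeSecretsManager()
    db = FakeDatabase(sm)
    cache = SecretCache(sm, ttl_seconds=300)
    first = cache.use("prod/db", db.connect)    # fetch, then connect
    second = cache.use("prod/db", db.connect)   # served from cache, no fetch
    sm.rotate()                                 # rotation lands inside the TTL
    third = cache.use("prod/db", db.connect)    # stale creds rejected, refresh, retry
    return {"first": first, "second": second, "third": third, "fetches": cache.fetches}


if __name__ == "__main__":
    print(demo())
```

The point of the retry-on-auth-failure path is that the application never needs to know the rotation schedule; a TTL alone would leave a window equal to the TTL during which every connection attempt fails.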
Questions?
Thank you!
