SlideShare a Scribd company logo

Moving at the Speed-of-Cloud Without Getting Owned

Deborah Schalm
Deborah Schalm

There are two kinds of people in this community: those who embrace the cloud and all it has to offer, and those who have the cloud thrust upon them. In this talk, we focused on Security, DevOps and You. How do you go about setting up security in an environment that wasn't set up with security in mind? How do you go about working in an infrastructure that you are completely unfamiliar with? Security is always evolving and as security professionals it's critical that we know the answers to these solutions before these scenarios crop up. Join Etsy, DevOps.com, and Evident.io to explore the needs of Devops, Security and IT and how to move at the speed-of-cloud together without creating vulnerabilities. In this webinar we will discuss: Automation vs AWS Management Console Identity and Access Management (IAM) S3 Bucket policies Logging and alerting so you have proper visibility into your environment

Software
1 of 58
Download to read offline
● ● ● ●
Moving at the Speed-of-Cloud Without Getting Owned (Hopefully...) Devina Dhawan 06/06/2017 - Devops.com 2017 Email: iamacybercop@gmail.com Twitter & Instagram: @theulzo 4
Introduction 5 ● Etsy (Jan 2015 - Present) ● Orbitz (May 2014 - Dec 2015) ● University of Illinois in Chicago
Etsy operates a global marketplace where people around the world connect, both online and offline, to make, sell and buy unique goods. 6
Security at Etsy 7 ● Evangelizing Security at Etsy ○ Candy is a great way to make friends ○ Allow the conversation about security to be comfortable and inviting.
What is this talk about? • I will help you improve your existing AWS infrastructure • You will walk away with action items • http://bit.ly/2sncl4I 8
“Securing Amazon Web Services” 9
10 - Traditional bare metal - Minimal footprint in the clouds Infrastructure
Where to begin?
12 ● Evident.io ○ Scans of configurations to see if anything is misconfigured ● Password policies? ● Multi-factor Authentication ● Jira Tickets Evident.io
13 Low-hanging IAM Fruit # Password Policy # Multi-factor auth Monitoring # Cloudtrail Logging EC2 # Netwerkin’ # EC2 Roles S3 # S3 Bucket Policies
Scout2 ● Github Page: https://github.com/nccgro up/Scout2 ● Reports for all accounts ● Tie that into alerts manually
Changes I made… like a goon • Password policy to the highest scrutiny • Removed all admin roles from accounts that didn’t need them (aka hadn’t used aws in 2 yrs and didn’t have any api keys tied to their user) 16
17 Low-hanging IAM Fruit # Password Policy # Multi-factor auth Monitoring # Cloudtrail Logging EC2 # Netwerkin’ # EC2 Roles S3 # S3 Bucket Policies
Password Policies
My first Etsy communication Hello X, Looks like you still do not have MFA set up on your AWS account. Go ahead and go to Identity & Access Management in your Amazon Web Services console -> find your username -> Manage MFA Device. Note: If you no longer need your AWS account, please let me know! Devina
Version 2.0 Hello X, Looks like you still do not have MFA set up on your AWS account. It looks like you used your AWS account recently as well, so please sign up for MFA by 03/31/16 or your account will be suspended. Go ahead and go to Identity & Access Management in your Amazon Web Services console -> find your username -> Manage MFA Device. Note: If you no longer need your AWS account, please let me know! Your neighborhood candy provider, Devina
Oops...
Multiple statements which allow you to: ● Resync MFA devices ● Deactivate MFA devices ● List MFA devices ● Primary, management Other policies: ● Forcing MFA
Oof…
Aws-cli for account creation Becoming really used to the aws client is really useful too!
Using Terraform for IAM ● What is terraform? ● What can it do? ○ Static creds ○ Environment variables ○ Shared creds ○ EC2 Roles
Static Creds
27 Low-hanging IAM Fruit # Password Policy # Multi-factor auth Monitoring # Cloudtrail Logging EC2 # Netwerkin’ # EC2 Roles S3 # S3 Bucket Policies
Logging in AWS - Cloudtrail
ELK
Alert Types Email: ● Daily Roundup Emails ○ No production impacting ● High Risk Alerts ○ Enough resources to handle IRC/Slack/Jabber: ● Slack & Dropbox Collect the alerts: ● Splunk ● 411 / Elastalert
34 Low-hanging IAM Fruit # Password Policy # Multi-factor auth Monitoring # Scout2 # Logging EC2 # Netwerkin’ # EC2 Roles S3 # S3 Bucket Policies
Inbound/Outbound
EC2 Roles
37 Low-hanging IAM Fruit # Password Policy # Multi-factor auth Monitoring # Scout2 # Logging EC2 # Netwerkin’ # EC2 Roles S3 # S3 Bucket Policies
Bucket Policies
● Bug Bounties at Etsy: https://www.etsy.com/bounty ● S3 Scanner Github: https://github.com/bear/s3scan ○ Report of all s3 buckets and perms ○ Likely how bountiers are finding out about your misconfigured policies.
42 So… it happened, what do I do now? ❏ Write down all the systems you need to take care of ❏ Find out what you need to fix on all systems, write that down ❏ Start with the low-hanging fruit ❏ Over communicate what you are doing. ❏ Work with networking on the AWS network ❏ Create default rulesets & roles ❏ Work with IT/helpdesk to handle account provisioning ❏ Work with systems engineering to handle provisioning of services ❏ … profit?
THANKS! iamacybercop@gmail.com @theulzo
@johnmartinezjohn@evident.io
● ● ●
● ● ● ● Image: Disney XD
→ → → Image: 20th Century Fox
● Teach your craft ● Ask to be part of the IR team ● Be proactive where it counts (budget, resources, time)
@evidentdotio /company/evident-io /evident.io/ sales@evident.io

Recommended

Sucuri Webinar: How to identify and clean a hacked Joomla! website
Sucuri Webinar: How to identify and clean a hacked Joomla! websiteSucuri Webinar: How to identify and clean a hacked Joomla! website
Sucuri Webinar: How to identify and clean a hacked Joomla! websiteSucuri
 
Sucuri Webinar: Understand and Fix Google Blacklist Warnings
Sucuri Webinar: Understand and Fix Google Blacklist WarningsSucuri Webinar: Understand and Fix Google Blacklist Warnings
Sucuri Webinar: Understand and Fix Google Blacklist WarningsSucuri
 
Sucuri Webinar: How to Clean a Hacked Magento Website
Sucuri Webinar: How to Clean a Hacked Magento WebsiteSucuri Webinar: How to Clean a Hacked Magento Website
Sucuri Webinar: How to Clean a Hacked Magento WebsiteSucuri
 
Sucuri Webinar: Website Security Primer for Digital Marketers
Sucuri Webinar: Website Security Primer for Digital MarketersSucuri Webinar: Website Security Primer for Digital Marketers
Sucuri Webinar: Website Security Primer for Digital MarketersSucuri
 
Sucuri Webinar: Oh No! My Website Has Been Hacked.
Sucuri Webinar: Oh No! My Website Has Been Hacked.Sucuri Webinar: Oh No! My Website Has Been Hacked.
Sucuri Webinar: Oh No! My Website Has Been Hacked.Sucuri
 
Sucuri Webinar: How Caching Options Can Impact Your Website Speed
Sucuri Webinar: How Caching Options Can Impact Your Website SpeedSucuri Webinar: How Caching Options Can Impact Your Website Speed
Sucuri Webinar: How Caching Options Can Impact Your Website SpeedSucuri
 
Sucuri Webinar: How to Optimize Your Website for Best Performance
Sucuri Webinar: How to Optimize Your Website for Best PerformanceSucuri Webinar: How to Optimize Your Website for Best Performance
Sucuri Webinar: How to Optimize Your Website for Best PerformanceSucuri
 
Sucuri Webinar: WAF (Firewall) and CDN Feature Benefit Guide
Sucuri Webinar: WAF (Firewall) and CDN Feature Benefit GuideSucuri Webinar: WAF (Firewall) and CDN Feature Benefit Guide
Sucuri Webinar: WAF (Firewall) and CDN Feature Benefit GuideSucuri
 

Recommended

Sucuri Webinar: How to identify and clean a hacked Joomla! website
Sucuri Webinar: How to identify and clean a hacked Joomla! websiteSucuri Webinar: How to identify and clean a hacked Joomla! website
Sucuri Webinar: How to identify and clean a hacked Joomla! websiteSucuri
 
Sucuri Webinar: Understand and Fix Google Blacklist Warnings
Sucuri Webinar: Understand and Fix Google Blacklist WarningsSucuri Webinar: Understand and Fix Google Blacklist Warnings
Sucuri Webinar: Understand and Fix Google Blacklist WarningsSucuri
 
Sucuri Webinar: How to Clean a Hacked Magento Website
Sucuri Webinar: How to Clean a Hacked Magento WebsiteSucuri Webinar: How to Clean a Hacked Magento Website
Sucuri Webinar: How to Clean a Hacked Magento WebsiteSucuri
 
Sucuri Webinar: Website Security Primer for Digital Marketers
Sucuri Webinar: Website Security Primer for Digital MarketersSucuri Webinar: Website Security Primer for Digital Marketers
Sucuri Webinar: Website Security Primer for Digital MarketersSucuri
 
Sucuri Webinar: Oh No! My Website Has Been Hacked.
Sucuri Webinar: Oh No! My Website Has Been Hacked.Sucuri Webinar: Oh No! My Website Has Been Hacked.
Sucuri Webinar: Oh No! My Website Has Been Hacked.Sucuri
 
Sucuri Webinar: How Caching Options Can Impact Your Website Speed
Sucuri Webinar: How Caching Options Can Impact Your Website SpeedSucuri Webinar: How Caching Options Can Impact Your Website Speed
Sucuri Webinar: How Caching Options Can Impact Your Website SpeedSucuri
 
Sucuri Webinar: How to Optimize Your Website for Best Performance
Sucuri Webinar: How to Optimize Your Website for Best PerformanceSucuri Webinar: How to Optimize Your Website for Best Performance
Sucuri Webinar: How to Optimize Your Website for Best PerformanceSucuri
 
Sucuri Webinar: WAF (Firewall) and CDN Feature Benefit Guide
Sucuri Webinar: WAF (Firewall) and CDN Feature Benefit GuideSucuri Webinar: WAF (Firewall) and CDN Feature Benefit Guide
Sucuri Webinar: WAF (Firewall) and CDN Feature Benefit GuideSucuri
 
Devina Dhawan's talk - Women and non binary focused intro to AWS
Devina Dhawan's talk - Women and non binary focused intro to AWSDevina Dhawan's talk - Women and non binary focused intro to AWS
Devina Dhawan's talk - Women and non binary focused intro to AWSAWS Chicago
 
Moving the needle on cloud security - AWS Summit Atlanta
Moving the needle on cloud security - AWS Summit AtlantaMoving the needle on cloud security - AWS Summit Atlanta
Moving the needle on cloud security - AWS Summit AtlantaChris Farris
 
It's 10pm, Do You Know Where Your Access Keys Are?
It's 10pm, Do You Know Where Your Access Keys Are?It's 10pm, Do You Know Where Your Access Keys Are?
It's 10pm, Do You Know Where Your Access Keys Are?Ken Johnson
 
Eliminating Secret Sprawl in the Cloud with HashiCorp Vault - 07.11.2018
Eliminating Secret Sprawl in the Cloud with HashiCorp Vault - 07.11.2018Eliminating Secret Sprawl in the Cloud with HashiCorp Vault - 07.11.2018
Eliminating Secret Sprawl in the Cloud with HashiCorp Vault - 07.11.2018HashiCorp
 
Jump Start your First Hour with AWS
Jump Start your First Hour with AWSJump Start your First Hour with AWS
Jump Start your First Hour with AWSAmazon Web Services
 
This is my Architecture to prevent Cloud Bill Shock
This is my Architecture to prevent Cloud Bill ShockThis is my Architecture to prevent Cloud Bill Shock
This is my Architecture to prevent Cloud Bill ShockDaniel Zivkovic
 
You Can’t Protect What You Can’t See: AWS Security Monitoring & Compliance Va...
You Can’t Protect What You Can’t See: AWS Security Monitoring & Compliance Va...You Can’t Protect What You Can’t See: AWS Security Monitoring & Compliance Va...
You Can’t Protect What You Can’t See: AWS Security Monitoring & Compliance Va...Amazon Web Services
 
SiestaTime - Defcon27 Red Team Village
SiestaTime - Defcon27 Red Team VillageSiestaTime - Defcon27 Red Team Village
SiestaTime - Defcon27 Red Team VillageAlvaro Folgado Rueda
 
User Credential handling in Web Applications done right
User Credential handling in Web Applications done rightUser Credential handling in Web Applications done right
User Credential handling in Web Applications done righttladesignz
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
Denver AWS Users' Group Meeting - July 2018 Slides
Denver AWS Users' Group Meeting - July 2018 SlidesDenver AWS Users' Group Meeting - July 2018 Slides
Denver AWS Users' Group Meeting - July 2018 SlidesDavid McDaniel
 
In the Cloud, nobody can hear you scream: AWS Cloud Security for DevOps
In the Cloud, nobody can hear you scream: AWS Cloud Security for DevOpsIn the Cloud, nobody can hear you scream: AWS Cloud Security for DevOps
In the Cloud, nobody can hear you scream: AWS Cloud Security for DevOpsGarth Boyd
 
SEO for Large Websites
SEO for Large WebsitesSEO for Large Websites
SEO for Large WebsitesDominic Woodman
 
AWS Summit Auckland 2014 | Jump Start your First Hour with AWS
AWS Summit Auckland 2014 | Jump Start your First Hour with AWS AWS Summit Auckland 2014 | Jump Start your First Hour with AWS
AWS Summit Auckland 2014 | Jump Start your First Hour with AWS Amazon Web Services
 
Cloud security best practices in AWS by: Ankit Giri
Cloud security best practices in AWS by: Ankit GiriCloud security best practices in AWS by: Ankit Giri
Cloud security best practices in AWS by: Ankit GiriOWASP Delhi
 
AWS Summit Sydney 2014 | Jump Start your First Hour with AWS
AWS Summit Sydney 2014 | Jump Start your First Hour with AWSAWS Summit Sydney 2014 | Jump Start your First Hour with AWS
AWS Summit Sydney 2014 | Jump Start your First Hour with AWSAmazon Web Services
 
LASCON 2016 - It's 10PM Do You Know Where Your Access Keys Are?
LASCON 2016 - It's 10PM Do You Know Where Your Access Keys Are?LASCON 2016 - It's 10PM Do You Know Where Your Access Keys Are?
LASCON 2016 - It's 10PM Do You Know Where Your Access Keys Are?Ken Johnson
 
Cloud security - the most vital today for your business and product that uses...
Cloud security - the most vital today for your business and product that uses...Cloud security - the most vital today for your business and product that uses...
Cloud security - the most vital today for your business and product that uses...James DeLuccia IV
 
Netflix Open Source Meetup Season 4 Episode 3
Netflix Open Source Meetup Season 4 Episode 3Netflix Open Source Meetup Season 4 Episode 3
Netflix Open Source Meetup Season 4 Episode 3aspyker
 
AWS LearnUp - Intro to AWS Services - Venturesity
AWS LearnUp - Intro to AWS Services - VenturesityAWS LearnUp - Intro to AWS Services - Venturesity
AWS LearnUp - Intro to AWS Services - VenturesityDhilipsiva DS
 
Exploring Prometheus: Combining Metrics and Alerting to Improve Incident Mana...
Exploring Prometheus: Combining Metrics and Alerting to Improve Incident Mana...Exploring Prometheus: Combining Metrics and Alerting to Improve Incident Mana...
Exploring Prometheus: Combining Metrics and Alerting to Improve Incident Mana...Deborah Schalm
 
Discovering Dark Debt in your Culture
Discovering Dark Debt in your CultureDiscovering Dark Debt in your Culture
Discovering Dark Debt in your CultureDeborah Schalm
 

More Related Content

Similar to Moving at the Speed-of-Cloud Without Getting Owned

Devina Dhawan's talk - Women and non binary focused intro to AWS
Devina Dhawan's talk - Women and non binary focused intro to AWSDevina Dhawan's talk - Women and non binary focused intro to AWS
Devina Dhawan's talk - Women and non binary focused intro to AWSAWS Chicago
 
Moving the needle on cloud security - AWS Summit Atlanta
Moving the needle on cloud security - AWS Summit AtlantaMoving the needle on cloud security - AWS Summit Atlanta
Moving the needle on cloud security - AWS Summit AtlantaChris Farris
 
It's 10pm, Do You Know Where Your Access Keys Are?
It's 10pm, Do You Know Where Your Access Keys Are?It's 10pm, Do You Know Where Your Access Keys Are?
It's 10pm, Do You Know Where Your Access Keys Are?Ken Johnson
 
Eliminating Secret Sprawl in the Cloud with HashiCorp Vault - 07.11.2018
Eliminating Secret Sprawl in the Cloud with HashiCorp Vault - 07.11.2018Eliminating Secret Sprawl in the Cloud with HashiCorp Vault - 07.11.2018
Eliminating Secret Sprawl in the Cloud with HashiCorp Vault - 07.11.2018HashiCorp
 
Jump Start your First Hour with AWS
Jump Start your First Hour with AWSJump Start your First Hour with AWS
Jump Start your First Hour with AWSAmazon Web Services
 
This is my Architecture to prevent Cloud Bill Shock
This is my Architecture to prevent Cloud Bill ShockThis is my Architecture to prevent Cloud Bill Shock
This is my Architecture to prevent Cloud Bill ShockDaniel Zivkovic
 
You Can’t Protect What You Can’t See: AWS Security Monitoring & Compliance Va...
You Can’t Protect What You Can’t See: AWS Security Monitoring & Compliance Va...You Can’t Protect What You Can’t See: AWS Security Monitoring & Compliance Va...
You Can’t Protect What You Can’t See: AWS Security Monitoring & Compliance Va...Amazon Web Services
 
SiestaTime - Defcon27 Red Team Village
SiestaTime - Defcon27 Red Team VillageSiestaTime - Defcon27 Red Team Village
SiestaTime - Defcon27 Red Team VillageAlvaro Folgado Rueda
 
User Credential handling in Web Applications done right
User Credential handling in Web Applications done rightUser Credential handling in Web Applications done right
User Credential handling in Web Applications done righttladesignz
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
Denver AWS Users' Group Meeting - July 2018 Slides
Denver AWS Users' Group Meeting - July 2018 SlidesDenver AWS Users' Group Meeting - July 2018 Slides
Denver AWS Users' Group Meeting - July 2018 SlidesDavid McDaniel
 
In the Cloud, nobody can hear you scream: AWS Cloud Security for DevOps
In the Cloud, nobody can hear you scream: AWS Cloud Security for DevOpsIn the Cloud, nobody can hear you scream: AWS Cloud Security for DevOps
In the Cloud, nobody can hear you scream: AWS Cloud Security for DevOpsGarth Boyd
 
AWS Summit Auckland 2014 | Jump Start your First Hour with AWS
AWS Summit Auckland 2014 | Jump Start your First Hour with AWS AWS Summit Auckland 2014 | Jump Start your First Hour with AWS
AWS Summit Auckland 2014 | Jump Start your First Hour with AWS Amazon Web Services
 
Cloud security best practices in AWS by: Ankit Giri
Cloud security best practices in AWS by: Ankit GiriCloud security best practices in AWS by: Ankit Giri
Cloud security best practices in AWS by: Ankit GiriOWASP Delhi
 
AWS Summit Sydney 2014 | Jump Start your First Hour with AWS
AWS Summit Sydney 2014 | Jump Start your First Hour with AWSAWS Summit Sydney 2014 | Jump Start your First Hour with AWS
AWS Summit Sydney 2014 | Jump Start your First Hour with AWSAmazon Web Services
 
LASCON 2016 - It's 10PM Do You Know Where Your Access Keys Are?
LASCON 2016 - It's 10PM Do You Know Where Your Access Keys Are?LASCON 2016 - It's 10PM Do You Know Where Your Access Keys Are?
LASCON 2016 - It's 10PM Do You Know Where Your Access Keys Are?Ken Johnson
 
Cloud security - the most vital today for your business and product that uses...
Cloud security - the most vital today for your business and product that uses...Cloud security - the most vital today for your business and product that uses...
Cloud security - the most vital today for your business and product that uses...James DeLuccia IV
 
Netflix Open Source Meetup Season 4 Episode 3
Netflix Open Source Meetup Season 4 Episode 3Netflix Open Source Meetup Season 4 Episode 3
Netflix Open Source Meetup Season 4 Episode 3aspyker
 
AWS LearnUp - Intro to AWS Services - Venturesity
AWS LearnUp - Intro to AWS Services - VenturesityAWS LearnUp - Intro to AWS Services - Venturesity
AWS LearnUp - Intro to AWS Services - VenturesityDhilipsiva DS
 

Similar to Moving at the Speed-of-Cloud Without Getting Owned (20)

Devina Dhawan's talk - Women and non binary focused intro to AWS
Devina Dhawan's talk - Women and non binary focused intro to AWSDevina Dhawan's talk - Women and non binary focused intro to AWS
Devina Dhawan's talk - Women and non binary focused intro to AWS
 
Moving the needle on cloud security - AWS Summit Atlanta
Moving the needle on cloud security - AWS Summit AtlantaMoving the needle on cloud security - AWS Summit Atlanta
Moving the needle on cloud security - AWS Summit Atlanta
 
It's 10pm, Do You Know Where Your Access Keys Are?
It's 10pm, Do You Know Where Your Access Keys Are?It's 10pm, Do You Know Where Your Access Keys Are?
It's 10pm, Do You Know Where Your Access Keys Are?
 
Eliminating Secret Sprawl in the Cloud with HashiCorp Vault - 07.11.2018
Eliminating Secret Sprawl in the Cloud with HashiCorp Vault - 07.11.2018Eliminating Secret Sprawl in the Cloud with HashiCorp Vault - 07.11.2018
Eliminating Secret Sprawl in the Cloud with HashiCorp Vault - 07.11.2018
 
Jump Start your First Hour with AWS
Jump Start your First Hour with AWSJump Start your First Hour with AWS
Jump Start your First Hour with AWS
 
This is my Architecture to prevent Cloud Bill Shock
This is my Architecture to prevent Cloud Bill ShockThis is my Architecture to prevent Cloud Bill Shock
This is my Architecture to prevent Cloud Bill Shock
 
You Can’t Protect What You Can’t See: AWS Security Monitoring & Compliance Va...
You Can’t Protect What You Can’t See: AWS Security Monitoring & Compliance Va...You Can’t Protect What You Can’t See: AWS Security Monitoring & Compliance Va...
You Can’t Protect What You Can’t See: AWS Security Monitoring & Compliance Va...
 
SiestaTime - Defcon27 Red Team Village
SiestaTime - Defcon27 Red Team VillageSiestaTime - Defcon27 Red Team Village
SiestaTime - Defcon27 Red Team Village
 
User Credential handling in Web Applications done right
User Credential handling in Web Applications done rightUser Credential handling in Web Applications done right
User Credential handling in Web Applications done right
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
Denver AWS Users' Group Meeting - July 2018 Slides
Denver AWS Users' Group Meeting - July 2018 SlidesDenver AWS Users' Group Meeting - July 2018 Slides
Denver AWS Users' Group Meeting - July 2018 Slides
 
In the Cloud, nobody can hear you scream: AWS Cloud Security for DevOps
In the Cloud, nobody can hear you scream: AWS Cloud Security for DevOpsIn the Cloud, nobody can hear you scream: AWS Cloud Security for DevOps
In the Cloud, nobody can hear you scream: AWS Cloud Security for DevOps
 
SEO for Large Websites
SEO for Large WebsitesSEO for Large Websites
SEO for Large Websites
 
AWS Summit Auckland 2014 | Jump Start your First Hour with AWS
AWS Summit Auckland 2014 | Jump Start your First Hour with AWS AWS Summit Auckland 2014 | Jump Start your First Hour with AWS
AWS Summit Auckland 2014 | Jump Start your First Hour with AWS
 
Cloud security best practices in AWS by: Ankit Giri
Cloud security best practices in AWS by: Ankit GiriCloud security best practices in AWS by: Ankit Giri
Cloud security best practices in AWS by: Ankit Giri
 
AWS Summit Sydney 2014 | Jump Start your First Hour with AWS
AWS Summit Sydney 2014 | Jump Start your First Hour with AWSAWS Summit Sydney 2014 | Jump Start your First Hour with AWS
AWS Summit Sydney 2014 | Jump Start your First Hour with AWS
 
LASCON 2016 - It's 10PM Do You Know Where Your Access Keys Are?
LASCON 2016 - It's 10PM Do You Know Where Your Access Keys Are?LASCON 2016 - It's 10PM Do You Know Where Your Access Keys Are?
LASCON 2016 - It's 10PM Do You Know Where Your Access Keys Are?
 
Cloud security - the most vital today for your business and product that uses...
Cloud security - the most vital today for your business and product that uses...Cloud security - the most vital today for your business and product that uses...
Cloud security - the most vital today for your business and product that uses...
 
Netflix Open Source Meetup Season 4 Episode 3
Netflix Open Source Meetup Season 4 Episode 3Netflix Open Source Meetup Season 4 Episode 3
Netflix Open Source Meetup Season 4 Episode 3
 
AWS LearnUp - Intro to AWS Services - Venturesity
AWS LearnUp - Intro to AWS Services - VenturesityAWS LearnUp - Intro to AWS Services - Venturesity
AWS LearnUp - Intro to AWS Services - Venturesity
 

More from Deborah Schalm

Exploring Prometheus: Combining Metrics and Alerting to Improve Incident Mana...
Exploring Prometheus: Combining Metrics and Alerting to Improve Incident Mana...Exploring Prometheus: Combining Metrics and Alerting to Improve Incident Mana...
Exploring Prometheus: Combining Metrics and Alerting to Improve Incident Mana...Deborah Schalm
 
Discovering Dark Debt in your Culture
Discovering Dark Debt in your CultureDiscovering Dark Debt in your Culture
Discovering Dark Debt in your CultureDeborah Schalm
 
A Discussion of Automated Infrastructure Security with a Practical Example
A Discussion of Automated Infrastructure Security with a Practical ExampleA Discussion of Automated Infrastructure Security with a Practical Example
A Discussion of Automated Infrastructure Security with a Practical ExampleDeborah Schalm
 
Protect Your Organization Against Known Security Defects
Protect Your Organization Against Known Security DefectsProtect Your Organization Against Known Security Defects
Protect Your Organization Against Known Security DefectsDeborah Schalm
 
Putting the Ops in DevOps
Putting the Ops in DevOpsPutting the Ops in DevOps
Putting the Ops in DevOpsDeborah Schalm
 
Machine Learning to Turbo-Charge the Ops Portion of DevOps
Machine Learning to Turbo-Charge the Ops Portion of DevOpsMachine Learning to Turbo-Charge the Ops Portion of DevOps
Machine Learning to Turbo-Charge the Ops Portion of DevOpsDeborah Schalm
 
Post-Equifax: How to Trust But Verify Your Software Supply Chain
Post-Equifax: How to Trust But Verify Your Software Supply ChainPost-Equifax: How to Trust But Verify Your Software Supply Chain
Post-Equifax: How to Trust But Verify Your Software Supply ChainDeborah Schalm
 
30 Minutes to a Private Cloud
30 Minutes to a Private Cloud30 Minutes to a Private Cloud
30 Minutes to a Private CloudDeborah Schalm
 
Taking DevOps Monitoring to the Next Level - The 5 Step Guide to Monitoring N...
Taking DevOps Monitoring to the Next Level - The 5 Step Guide to Monitoring N...Taking DevOps Monitoring to the Next Level - The 5 Step Guide to Monitoring N...
Taking DevOps Monitoring to the Next Level - The 5 Step Guide to Monitoring N...Deborah Schalm
 
Top 5 Considerations for Operating a Kubernetes Environment at Scale
Top 5 Considerations for Operating a Kubernetes Environment at ScaleTop 5 Considerations for Operating a Kubernetes Environment at Scale
Top 5 Considerations for Operating a Kubernetes Environment at ScaleDeborah Schalm
 
Is a Monolith Standing in the Way of Your Digital Transformation? Refactor fo...
Is a Monolith Standing in the Way of Your Digital Transformation? Refactor fo...Is a Monolith Standing in the Way of Your Digital Transformation? Refactor fo...
Is a Monolith Standing in the Way of Your Digital Transformation? Refactor fo...Deborah Schalm
 
EMA: Ten Priorities for Hybrid Cloud, Containers and DevOps in 2017
EMA: Ten Priorities for Hybrid Cloud, Containers and DevOps in 2017EMA: Ten Priorities for Hybrid Cloud, Containers and DevOps in 2017
EMA: Ten Priorities for Hybrid Cloud, Containers and DevOps in 2017Deborah Schalm
 
Application Discovery! The Gift That Keeps on Giving
Application Discovery! The Gift That Keeps on GivingApplication Discovery! The Gift That Keeps on Giving
Application Discovery! The Gift That Keeps on GivingDeborah Schalm
 
Top 5 Challenges in Scaling DevOps in Brownfield Environments
Top 5 Challenges in Scaling DevOps in Brownfield EnvironmentsTop 5 Challenges in Scaling DevOps in Brownfield Environments
Top 5 Challenges in Scaling DevOps in Brownfield EnvironmentsDeborah Schalm
 
The Coming Earthquake in WebSphere Application Server Configuration Management
The Coming Earthquake in WebSphere Application Server Configuration ManagementThe Coming Earthquake in WebSphere Application Server Configuration Management
The Coming Earthquake in WebSphere Application Server Configuration ManagementDeborah Schalm
 
Planet of the APIs: Monitoring Transactions in the Wild
Planet of the APIs: Monitoring Transactions in the WildPlanet of the APIs: Monitoring Transactions in the Wild
Planet of the APIs: Monitoring Transactions in the WildDeborah Schalm
 
Get Loose! Microservices and Loosely Coupled Architectures
Get Loose! Microservices and Loosely Coupled ArchitecturesGet Loose! Microservices and Loosely Coupled Architectures
Get Loose! Microservices and Loosely Coupled ArchitecturesDeborah Schalm
 
Proactive Monitoring: Playing Offense for the Win
Proactive Monitoring: Playing Offense for the WinProactive Monitoring: Playing Offense for the Win
Proactive Monitoring: Playing Offense for the WinDeborah Schalm
 
No Tool is an Island: Building DevOps into your business
No Tool is an Island: Building DevOps into your businessNo Tool is an Island: Building DevOps into your business
No Tool is an Island: Building DevOps into your businessDeborah Schalm
 
Scale Continuous Deployment to Production with DeployHub and CloudBees
Scale Continuous Deployment to Production with DeployHub and CloudBeesScale Continuous Deployment to Production with DeployHub and CloudBees
Scale Continuous Deployment to Production with DeployHub and CloudBeesDeborah Schalm
 

More from Deborah Schalm (20)

Exploring Prometheus: Combining Metrics and Alerting to Improve Incident Mana...
Exploring Prometheus: Combining Metrics and Alerting to Improve Incident Mana...Exploring Prometheus: Combining Metrics and Alerting to Improve Incident Mana...
Exploring Prometheus: Combining Metrics and Alerting to Improve Incident Mana...
 
Discovering Dark Debt in your Culture
Discovering Dark Debt in your CultureDiscovering Dark Debt in your Culture
Discovering Dark Debt in your Culture
 
A Discussion of Automated Infrastructure Security with a Practical Example
A Discussion of Automated Infrastructure Security with a Practical ExampleA Discussion of Automated Infrastructure Security with a Practical Example
A Discussion of Automated Infrastructure Security with a Practical Example
 
Protect Your Organization Against Known Security Defects
Protect Your Organization Against Known Security DefectsProtect Your Organization Against Known Security Defects
Protect Your Organization Against Known Security Defects
 
Putting the Ops in DevOps
Putting the Ops in DevOpsPutting the Ops in DevOps
Putting the Ops in DevOps
 
Machine Learning to Turbo-Charge the Ops Portion of DevOps
Machine Learning to Turbo-Charge the Ops Portion of DevOpsMachine Learning to Turbo-Charge the Ops Portion of DevOps
Machine Learning to Turbo-Charge the Ops Portion of DevOps
 
Post-Equifax: How to Trust But Verify Your Software Supply Chain
Post-Equifax: How to Trust But Verify Your Software Supply ChainPost-Equifax: How to Trust But Verify Your Software Supply Chain
Post-Equifax: How to Trust But Verify Your Software Supply Chain
 
30 Minutes to a Private Cloud
30 Minutes to a Private Cloud30 Minutes to a Private Cloud
30 Minutes to a Private Cloud
 
Taking DevOps Monitoring to the Next Level - The 5 Step Guide to Monitoring N...
Taking DevOps Monitoring to the Next Level - The 5 Step Guide to Monitoring N...Taking DevOps Monitoring to the Next Level - The 5 Step Guide to Monitoring N...
Taking DevOps Monitoring to the Next Level - The 5 Step Guide to Monitoring N...
 
Top 5 Considerations for Operating a Kubernetes Environment at Scale
Top 5 Considerations for Operating a Kubernetes Environment at ScaleTop 5 Considerations for Operating a Kubernetes Environment at Scale
Top 5 Considerations for Operating a Kubernetes Environment at Scale
 
Is a Monolith Standing in the Way of Your Digital Transformation? Refactor fo...
Is a Monolith Standing in the Way of Your Digital Transformation? Refactor fo...Is a Monolith Standing in the Way of Your Digital Transformation? Refactor fo...
Is a Monolith Standing in the Way of Your Digital Transformation? Refactor fo...
 
EMA: Ten Priorities for Hybrid Cloud, Containers and DevOps in 2017
EMA: Ten Priorities for Hybrid Cloud, Containers and DevOps in 2017EMA: Ten Priorities for Hybrid Cloud, Containers and DevOps in 2017
EMA: Ten Priorities for Hybrid Cloud, Containers and DevOps in 2017
 
Application Discovery! The Gift That Keeps on Giving
Application Discovery! The Gift That Keeps on GivingApplication Discovery! The Gift That Keeps on Giving
Application Discovery! The Gift That Keeps on Giving
 
Top 5 Challenges in Scaling DevOps in Brownfield Environments
Top 5 Challenges in Scaling DevOps in Brownfield EnvironmentsTop 5 Challenges in Scaling DevOps in Brownfield Environments
Top 5 Challenges in Scaling DevOps in Brownfield Environments
 
The Coming Earthquake in WebSphere Application Server Configuration Management
The Coming Earthquake in WebSphere Application Server Configuration ManagementThe Coming Earthquake in WebSphere Application Server Configuration Management
The Coming Earthquake in WebSphere Application Server Configuration Management
 
Planet of the APIs: Monitoring Transactions in the Wild
Planet of the APIs: Monitoring Transactions in the WildPlanet of the APIs: Monitoring Transactions in the Wild
Planet of the APIs: Monitoring Transactions in the Wild
 
Get Loose! Microservices and Loosely Coupled Architectures
Get Loose! Microservices and Loosely Coupled ArchitecturesGet Loose! Microservices and Loosely Coupled Architectures
Get Loose! Microservices and Loosely Coupled Architectures
 
Proactive Monitoring: Playing Offense for the Win
Proactive Monitoring: Playing Offense for the WinProactive Monitoring: Playing Offense for the Win
Proactive Monitoring: Playing Offense for the Win
 
No Tool is an Island: Building DevOps into your business
No Tool is an Island: Building DevOps into your businessNo Tool is an Island: Building DevOps into your business
No Tool is an Island: Building DevOps into your business
 
Scale Continuous Deployment to Production with DeployHub and CloudBees
Scale Continuous Deployment to Production with DeployHub and CloudBeesScale Continuous Deployment to Production with DeployHub and CloudBees
Scale Continuous Deployment to Production with DeployHub and CloudBees
 

Recently uploaded

Optimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVOptimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVshikhaohhpro
 
Advancing Engineering with AI through the Next Generation of Strategic Projec...
Advancing Engineering with AI through the Next Generation of Strategic Projec...Advancing Engineering with AI through the Next Generation of Strategic Projec...
Advancing Engineering with AI through the Next Generation of Strategic Projec...OnePlan Solutions
 
Right Money Management App For Your Financial Goals
Right Money Management App For Your Financial GoalsRight Money Management App For Your Financial Goals
Right Money Management App For Your Financial GoalsJhone kinadey
 
How To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected WorkerHow To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected WorkerThousandEyes
 
Professional Resume Template for Software Developers
Professional Resume Template for Software DevelopersProfessional Resume Template for Software Developers
Professional Resume Template for Software DevelopersVinodh Ram
 
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsUnveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsAlberto González Trastoy
 
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...ICS
 
Software Quality Assurance Interview Questions
Software Quality Assurance Interview QuestionsSoftware Quality Assurance Interview Questions
Software Quality Assurance Interview QuestionsArshad QA
 
Test Automation Strategy for Frontend and Backend
Test Automation Strategy for Frontend and BackendTest Automation Strategy for Frontend and Backend
Test Automation Strategy for Frontend and BackendArshad QA
 
How To Use Server-Side Rendering with Nuxt.js
How To Use Server-Side Rendering with Nuxt.jsHow To Use Server-Side Rendering with Nuxt.js
How To Use Server-Side Rendering with Nuxt.jsAndolasoft Inc
 
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️anilsa9823
 
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...kellynguyen01
 
DNT_Corporate presentation know about us
DNT_Corporate presentation know about usDNT_Corporate presentation know about us
DNT_Corporate presentation know about usDynamic Netsoft
 
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...Steffen Staab
 
TECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providerTECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providermohitmore19
 
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdfThe Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdfkalichargn70th171
 
Salesforce Certified Field Service Consultant
Salesforce Certified Field Service ConsultantSalesforce Certified Field Service Consultant
Salesforce Certified Field Service ConsultantAxelRicardoTrocheRiq
 

Recently uploaded (20)

Call Girls In Mukherjee Nagar 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SE...
Call Girls In Mukherjee Nagar 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SE...Call Girls In Mukherjee Nagar 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SE...
Call Girls In Mukherjee Nagar 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SE...
 
Microsoft AI Transformation Partner Playbook.pdf
Microsoft AI Transformation Partner Playbook.pdfMicrosoft AI Transformation Partner Playbook.pdf
Microsoft AI Transformation Partner Playbook.pdf
 
Optimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVOptimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTV
 
Advancing Engineering with AI through the Next Generation of Strategic Projec...
Advancing Engineering with AI through the Next Generation of Strategic Projec...Advancing Engineering with AI through the Next Generation of Strategic Projec...
Advancing Engineering with AI through the Next Generation of Strategic Projec...
 
Right Money Management App For Your Financial Goals
Right Money Management App For Your Financial GoalsRight Money Management App For Your Financial Goals
Right Money Management App For Your Financial Goals
 
How To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected WorkerHow To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected Worker
 
Professional Resume Template for Software Developers
Professional Resume Template for Software DevelopersProfessional Resume Template for Software Developers
Professional Resume Template for Software Developers
 
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsUnveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
 
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
 
Software Quality Assurance Interview Questions
Software Quality Assurance Interview QuestionsSoftware Quality Assurance Interview Questions
Software Quality Assurance Interview Questions
 
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICECHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
 
Test Automation Strategy for Frontend and Backend
Test Automation Strategy for Frontend and BackendTest Automation Strategy for Frontend and Backend
Test Automation Strategy for Frontend and Backend
 
How To Use Server-Side Rendering with Nuxt.js
How To Use Server-Side Rendering with Nuxt.jsHow To Use Server-Side Rendering with Nuxt.js
How To Use Server-Side Rendering with Nuxt.js
 
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
 
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
 
DNT_Corporate presentation know about us
DNT_Corporate presentation know about usDNT_Corporate presentation know about us
DNT_Corporate presentation know about us
 
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
 
TECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providerTECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service provider
 
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdfThe Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
 
Salesforce Certified Field Service Consultant
Salesforce Certified Field Service ConsultantSalesforce Certified Field Service Consultant
Salesforce Certified Field Service Consultant
 

Moving at the Speed-of-Cloud Without Getting Owned

  • 1.
  • 2.
  • 4. Moving at the Speed-of-Cloud Without Getting Owned (Hopefully...) Devina Dhawan 06/06/2017 - Devops.com 2017 Email: iamacybercop@gmail.com Twitter & Instagram: @theulzo 4
  • 5. Introduction 5 ● Etsy (Jan 2015 - Present) ● Orbitz (May 2014 - Dec 2015) ● University of Illinois in Chicago
  • 6. Etsy operates a global marketplace where people around the world connect, both online and offline, to make, sell and buy unique goods. 6
  • 7. Security at Etsy 7 ● Evangelizing Security at Etsy ○ Candy is a great way to make friends ○ Allow the conversation about security to be comfortable and inviting.
  • 8. What is this talk about? • I will help you improve your existing AWS infrastructure • You will walk away with action items • http://bit.ly/2sncl4I 8
  • 10. 10 - Traditional bare metal - Minimal footprint in the clouds Infrastructure
  • 12. 12 ● Evident.io ○ Scans of configurations to see if anything is misconfigured ● Password policies? ● Multi-factor Authentication ● Jira Tickets Evident.io
  • 13. 13 Low-hanging IAM Fruit # Password Policy # Multi-factor auth Monitoring # Cloudtrail Logging EC2 # Netwerkin’ # EC2 Roles S3 # S3 Bucket Policies
  • 14. Scout2 ● Github Page: https://github.com/nccgro up/Scout2 ● Reports for all accounts ● Tie that into alerts manually
  • 15.
  • 16. Changes I made… like a goon • Password policy to the highest scrutiny • Removed all admin roles from accounts that didn’t need them (aka hadn’t used aws in 2 yrs and didn’t have any api keys tied to their user) 16
  • 17. 17 Low-hanging IAM Fruit # Password Policy # Multi-factor auth Monitoring # Cloudtrail Logging EC2 # Netwerkin’ # EC2 Roles S3 # S3 Bucket Policies
  • 19. My first Etsy communication Hello X, Looks like you still do not have MFA set up on your AWS account. Go ahead and go to Identity & Access Management in your Amazon Web Services console -> find your username -> Manage MFA Device. Note: If you no longer need your AWS account, please let me know! Devina
  • 20. Version 2.0 Hello X, Looks like you still do not have MFA set up on your AWS account. It looks like you used your AWS account recently as well, so please sign up for MFA by 03/31/16 or your account will be suspended. Go ahead and go to Identity & Access Management in your Amazon Web Services console -> find your username -> Manage MFA Device. Note: If you no longer need your AWS account, please let me know! Your neighborhood candy provider, Devina
  • 22. Multiple statements which allow you to: ● Resync MFA devices ● Deactivate MFA devices ● List MFA devices ● Primary, management Other policies: ● Forcing MFA
  • 24. Aws-cli for account creation Becoming really used to the aws client is really useful too!
  • 25. Using Terraform for IAM ● What is terraform? ● What can it do? ○ Static creds ○ Environment variables ○ Shared creds ○ EC2 Roles
  • 27. 27 Low-hanging IAM Fruit # Password Policy # Multi-factor auth Monitoring # Cloudtrail Logging EC2 # Netwerkin’ # EC2 Roles S3 # S3 Bucket Policies
  • 28. Logging in AWS - Cloudtrail
  • 29.
  • 30.
  • 31.
  • 32. ELK
  • 33. Alert Types Email: ● Daily Roundup Emails ○ No production impacting ● High Risk Alerts ○ Enough resources to handle IRC/Slack/Jabber: ● Slack & Dropbox Collect the alerts: ● Splunk ● 411 / Elastalert
  • 34. 34 Low-hanging IAM Fruit # Password Policy # Multi-factor auth Monitoring # Scout2 # Logging EC2 # Netwerkin’ # EC2 Roles S3 # S3 Bucket Policies
  • 37. 37 Low-hanging IAM Fruit # Password Policy # Multi-factor auth Monitoring # Scout2 # Logging EC2 # Netwerkin’ # EC2 Roles S3 # S3 Bucket Policies
  • 39.
  • 40.
  • 41. ● Bug Bounties at Etsy: https://www.etsy.com/bounty ● S3 Scanner Github: https://github.com/bear/s3scan ○ Report of all s3 buckets and perms ○ Likely how bountiers are finding out about your misconfigured policies.
  • 42. 42 So… it happened, what do I do now? ❏ Write down all the systems you need to take care of ❏ Find out what you need to fix on all systems, write that down ❏ Start with the low-hanging fruit ❏ Over communicate what you are doing. ❏ Work with networking on the AWS network ❏ Create default rulesets & roles ❏ Work with IT/helpdesk to handle account provisioning ❏ Work with systems engineering to handle provisioning of services ❏ … profit?
  • 45.
  • 46.
  • 47.
  • 48.
  • 49.
  • 51.
  • 53.
  • 54. → → → Image: 20th Century Fox
  • 55.
  • 56. ● Teach your craft ● Ask to be part of the IR team ● Be proactive where it counts (budget, resources, time)
  • 57.