There are two kinds of people in this community: those who embrace the cloud and all it has to offer, and those who have the cloud thrust upon them.
In this talk, we focused on Security, DevOps and You. How do you go about setting up security in an environment that wasn't set up with security in mind? How do you go about working in an infrastructure that you are completely unfamiliar with? Security is always evolving, and as security professionals it's critical that we know the answers to these questions before these scenarios crop up.
Join Etsy, DevOps.com, and Evident.io to explore the needs of DevOps, Security and IT and how to move at the speed-of-cloud together without creating vulnerabilities. In this webinar we will discuss:
Automation vs AWS Management Console
Identity and Access Management (IAM)
S3 Bucket policies
Logging and alerting so you have proper visibility into your environment
4. Moving at the Speed-of-Cloud Without Getting Owned (Hopefully...)
Devina Dhawan
06/06/2017 - Devops.com 2017
Email: iamacybercop@gmail.com
Twitter & Instagram: @theulzo
5. Introduction
● Etsy (Jan 2015 - Present)
● Orbitz (May 2014 - Dec 2015)
● University of Illinois in Chicago
6. Etsy operates a global marketplace where people around the world connect, both online and offline, to make, sell and buy unique goods.
7. Security at Etsy
● Evangelizing Security at Etsy
○ Candy is a great way to make friends
○ Allow the conversation about security to be comfortable and inviting.
8. What is this talk about?
• I will help you improve your existing AWS infrastructure
• You will walk away with action items
• http://bit.ly/2sncl4I
12. Evident.io
● Evident.io
○ Scans of configurations to see if anything is misconfigured
● Password policies?
● Multi-factor Authentication
● Jira Tickets
16. Changes I made… like a goon
• Password policy to the highest scrutiny
• Removed all admin roles from accounts that didn’t need them (aka hadn’t used aws in 2 yrs and didn’t have any api keys tied to their user)
19. My first Etsy communication
Hello X,
Looks like you still do not have MFA set up on your AWS account.
Go ahead and go to Identity & Access Management in your Amazon Web Services console -> find your username -> Manage MFA Device.
Note: If you no longer need your AWS account, please let me know!
Devina
20. Version 2.0
Hello X,
Looks like you still do not have MFA set up on your AWS account. It looks like you used your AWS account recently as well, so please sign up for MFA by 03/31/16 or your account will be suspended.
Go ahead and go to Identity & Access Management in your Amazon Web Services console -> find your username -> Manage MFA Device.
Note: If you no longer need your AWS account, please let me know!
Your neighborhood candy provider,
Devina
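As an added example (not from the slides and not Etsy's own tooling), the two checks behind the slide 16 cleanup and the MFA emails above, run over a constructed IAM credential report: which console users still lack MFA, and which accounts have neither a recent console sign-in nor an active access key. The column names are those of the real credential report (`aws iam get-credential-report`); the users, dates and `TALK_DATE` used as "now" are made up for the example.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample in the column layout of the IAM credential report
# (`aws iam get-credential-report` returns it as base64-encoded CSV).
# Columns not used here are omitted; a full report parses the same way,
# because lookups are by column name. Users and dates are made up.
SAMPLE_REPORT = """\
user,password_enabled,password_last_used,mfa_active,access_key_1_active,access_key_1_last_used_date,access_key_2_active,access_key_2_last_used_date
alice,true,2017-06-01T09:15:00+00:00,false,false,N/A,false,N/A
bob,true,2015-02-01T09:15:00+00:00,true,false,N/A,false,N/A
carol,true,2015-03-01T09:15:00+00:00,true,true,2017-05-30T00:00:00+00:00,false,N/A
dave,false,no_information,false,true,2017-06-02T00:00:00+00:00,false,N/A
"""

# Date of the talk, used as "now" in the example (an assumption, not a report field).
TALK_DATE = datetime(2017, 6, 6, tzinfo=timezone.utc)

# Placeholder strings the report uses where no timestamp exists.
_NO_TIME = {"N/A", "no_information", "not_supported"}


def parse_report(text):
    """Parse credential-report CSV into a list of per-user dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def _timestamp(value):
    """Return an aware datetime, or None for the report's placeholder strings."""
    if value in _NO_TIME:
        return None
    return datetime.fromisoformat(value)


def missing_mfa(rows):
    """Console users (password enabled) with no MFA device: the nag-mail list."""
    return sorted(r["user"] for r in rows
                  if r["password_enabled"] == "true" and r["mfa_active"] != "true")


def stale_candidates(rows, now=None, idle_days=730):
    """Users with no console sign-in in `idle_days` and no active access keys.

    These are the accounts the slides strip admin roles from; an account with
    an active API key is left alone because something may still depend on it.
    """
    now = now or datetime.now(timezone.utc)
    cutoff = now - timedelta(days=idle_days)
    out = []
    for r in rows:
        has_key = any(r[f"access_key_{n}_active"] == "true" for n in (1, 2))
        last_login = _timestamp(r["password_last_used"])
        idle = last_login is None or last_login < cutoff
        if idle and not has_key:
            out.append(r["user"])
    return sorted(out)
```

Note that `dave` is an API-only user (no console password), so he is neither nagged for MFA nor treated as stale while his key is active.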
41. ● Bug Bounties at Etsy: https://www.etsy.com/bounty
● S3 Scanner Github: https://github.com/bear/s3scan
○ Report of all s3 buckets and perms
○ Likely how bountiers are finding out about your misconfigured policies.
42. So… it happened, what do I do now?
❏ Write down all the systems you need to take care of
❏ Find out what you need to fix on all systems, write that down
❏ Start with the low-hanging fruit
❏ Over communicate what you are doing.
❏ Work with networking on the AWS network
❏ Create default rulesets & roles
❏ Work with IT/helpdesk to handle account provisioning
❏ Work with systems engineering to handle provisioning of services
❏ … profit?