© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Security hardening of core AWS services
RUNCY OOMMEN | 28-Sep-2019
runcyoommen
https://runcy.me
Today’s Agenda
✓ Generic cloud security
✓ AWS security services
✓ Shared Responsibility Model
✓ AWS services for hardening
  ❑ Amazon Linux
  ❑ Elastic Load Balancer
  ❑ AWS Certificates (ACM)
  ❑ Route 53
  ❑ API Gateway
  ❑ CloudFront
Let’s define “Cloud Security”
Cloud Security refers to a broad set of policies,
technologies, applications and controls utilized to
protect virtualized IP, data, applications, services and
the associated infrastructure of cloud computing.
Reference: https://en.wikipedia.org/wiki/Cloud_computing_security
The IT infrastructure landscape has undergone a paradigm shift…
Traditional view
Modern view
Why should cloud security differ
from “traditional” network security?
Important facets of cloud
Ubiquitous: The cloud is always reachable from anywhere, any time, any device
Scalable: You can add new features and thousands of users without breaking a sweat
Integrated: Security and other services talk to each other for full visibility
Comprehensive: The cloud scans every byte – ingress and egress – including SSL & CDN
Intelligent: The cloud learns from every user and connection; any new threat is blocked for all
Early days of cloud
Move Fast OR Stay Secure
Modern day cloud
Move Fast AND Stay Secure
Cloud v/s Security
Cloud wants:
➢ Agility
➢ Self-service
➢ Scale
➢ Automation
Security wants:
➢ Gate Keeper
➢ Standards
➢ Control
➢ Centralized
Security, Identity and Compliance products from AWS
Product Name | Category | Brief Description
Certificate Manager | SSL/TLS Certificates | Service that lets you easily provision, manage and deploy SSL/TLS certificates
Amazon Cognito | User Sign Up & Sign In | Lets you add user sign-up/sign-in and access control to your web and mobile apps
Identity and Access Management | Access Control | Identity & Access Management to control users’ access to AWS services. Create and manage users and groups.
Amazon Inspector | Security Assessment | Automated security assessment service that helps improve security and compliance of applications deployed on AWS
Key Management Service | Key Store | Managed service that makes it easy to create and control the encryption keys used to encrypt data
Amazon Macie | Sensitive Data Classification | ML-powered security service to discover, classify and protect sensitive data
Secrets Manager | Secrets Management | Easily rotate, manage and retrieve database credentials, API keys and other secrets throughout their lifecycle
AWS Shield | DDoS Protection | Managed Distributed Denial of Service protection service that safeguards web applications running on AWS
Weakness #1:
The Amazon Linux 2 AMI ships with OpenSSH 7.4, which is
outdated and vulnerable to multiple known attacks
Solution: Upgrade to OpenSSH 7.8 or later!
SITUATION RIGHT NOW!
What to do now? The elaborate way…
The AWS package manager does not even carry a newer version of OpenSSH!
➢ Download the latest package from openbsd.org
➢ Install all the relevant dependencies
➢ Compile the package from source
➢ Install the compiled package to upgrade
Get the script - https://tinyurl.com/sshupdate
Weakness #2:
Default SSH settings (Ciphers & Key Exchange algorithms)
in Amazon Linux are deprecated and weak
Confirming the presence of weak/deprecated Ciphers & Key Exchanges
Solution:
Check for the new ciphers and kex algorithms after the OpenSSH upgrade
Search for ‘Ciphers’ & ‘KexAlgorithms’ in the man page
➢ Edit the /etc/ssh/sshd_config file
➢ Add default Ciphers and KexAlgorithms in preferred order
➢ Restart the sshd service
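As an added example that is not part of the deck, covering both Weakness #1 and Weakness #2: a POSIX shell script that checks the installed OpenSSH version against the 7.8 minimum and audits the effective sshd algorithm lists (the output of `sshd -T`, or a sshd_config file) for deprecated entries before the config edit. The weak-algorithm patterns, the hardened config lines and the sample `sshd -T` output are the editor's own choices and constructed data, not values from the slides.

```shell
#!/bin/sh
# Added example, not from the deck. Run on the instance as:
#   ssh -V 2>&1 | { read -r banner; ssh_version_ok "$banner" 7 8 && echo ok; }
#   sshd -T | audit_sshd_config
# After editing /etc/ssh/sshd_config: sshd -t (syntax check), then restart sshd.

# Return 0 when an "ssh -V" banner reports at least MAJOR.MINOR, 1 when it
# is older, 2 when the banner is not an OpenSSH banner.
# Usage: ssh_version_ok "OpenSSH_7.4p1, OpenSSL 1.0.2k-fips  26 Jan 2017" 7 8
ssh_version_ok() {
    ver=$(printf '%s\n' "$1" | sed -n 's/^OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p')
    [ -n "$ver" ] || return 2
    major=${ver% *}; minor=${ver#* }
    [ "$major" -gt "$2" ] || { [ "$major" -eq "$2" ] && [ "$minor" -ge "$3" ]; }
}

# Extended regexes for algorithm names treated as deprecated (editor's list):
# CBC-mode and RC4 ciphers, SHA-1 based key exchange, MD5/SHA-1/truncated MACs.
WEAK_CIPHERS='-cbc$|^arcfour'
WEAK_KEX='sha1$'
WEAK_MACS='md5|sha1|-96|umac-64'

# Print, one per line, the entries of a comma-separated algorithm list that
# match a weak-algorithm regex; prints nothing when the list is clean.
weak_entries() {   # $1 = comma-separated list, $2 = extended regex
    printf '%s\n' "$1" | tr ',' '\n' | grep -E -e "$2" || true
}

# Audit "keyword value" lines (sshd -T output or sshd_config) read from stdin.
# Prints "<keyword>: <weak entries>" per affected keyword; returns 1 if any
# deprecated algorithm is present, 0 if the lists are clean.
audit_sshd_config() {
    rc=0
    while read -r key value; do
        key=$(printf '%s' "$key" | tr 'A-Z' 'a-z')   # sshd_config uses CamelCase
        case "$key" in
            ciphers)       pat=$WEAK_CIPHERS ;;
            kexalgorithms) pat=$WEAK_KEX ;;
            macs)          pat=$WEAK_MACS ;;
            *)             continue ;;
        esac
        weak=$(weak_entries "$value" "$pat")
        if [ -n "$weak" ]; then
            printf '%s: %s\n' "$key" "$(printf '%s' "$weak" | tr '\n' ',')"
            rc=1
        fi
    done
    return $rc
}

# Hardened lines for /etc/ssh/sshd_config, in preferred order (editor's
# selection, all supported by OpenSSH 7.8; the deck says to take the
# available names from the man page after the upgrade).
hardened_sshd_lines() {
    cat <<'EOF'
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group-exchange-sha256
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
EOF
}

# Constructed sample of "sshd -T" output (not captured from a real host).
SAMPLE_SSHD_T='ciphers chacha20-poly1305@openssh.com,aes128-ctr,aes256-ctr,aes128-cbc,3des-cbc
kexalgorithms curve25519-sha256@libssh.org,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1
macs hmac-sha2-256,hmac-sha1,hmac-sha1-96'

# Demo: audit the constructed sample and show the replacement lines.
if printf '%s\n' "$SAMPLE_SSHD_T" | audit_sshd_config; then
    echo "sample: no deprecated algorithms"
else
    echo "sample: deprecated algorithms found; suggested sshd_config lines:"
    hardened_sshd_lines
fi
```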
Check the Ciphers and Key Exchange Algorithms now…
Weakness #3:
TLS 1.0 and TLS 1.1, together with weak cipher suites, are enabled
by the default security policy when provisioning Elastic Load Balancers
Confirming the presence of weak cipher suites…
Solution:
➢ Force the latest ‘security policy’ on the load balancer
instead of the default lenient one
➢ Navigate to Load Balancer (EC2) → Listeners (tab) → Edit
➢ Select a stricter and more recent security policy for the ELB
Reference chart of security policies with SSL options and ciphers
Reference: https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/elb-security-policy-table.html
The changes are reflected immediately when the vulnerability scan is re-run
Weakness #4:
API Gateway, by default, supports TLS 1.0 and TLS 1.1
with weak cipher suites
Solution:
➢ Don’t serve the traffic directly from the API Gateway URL
➢ Create a CloudFront distribution with the ‘Origin Domain Name’
as the API Gateway stage
➢ Pick the minimum required SSL/TLS version for CloudFront
➢ Select the appropriate security policy for strong cipher selection
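Added example, not from the deck, for confirming the ELB change (Weakness #3) and the CloudFront-fronted API Gateway (Weakness #4) from the command line instead of only through a vulnerability scan: an `openssl s_client` probe per TLS version that reports which versions the endpoint still negotiates. The host name is a placeholder and the two s_client transcripts used for the self-test are constructed, not captured from a real endpoint.

```shell
#!/bin/sh
# Added example, not from the deck. Usage on a real endpoint:
#   tls_report lb-or-distribution.example.com 443
# Caveat: an OpenSSL build compiled without TLS 1.0/1.1 support makes
# s_client fail locally, which this script reports as "refused".

# Extract the negotiated protocol and cipher from an s_client transcript
# read on stdin. Prints "<protocol> <cipher>" when a session was
# established, nothing when the handshake failed (cipher 0000 / absent).
parse_s_client() {
    awk -F': *' '
        /^ *Protocol *:/ { proto = $2 }
        /^ *Cipher *:/   { cipher = $2 }
        END { if (proto != "" && cipher != "" && cipher != "0000") print proto, cipher }'
}

# Try one protocol version against host:port; returns 0 if the server
# negotiated it. $3 is the s_client flag: -tls1, -tls1_1, -tls1_2 or -tls1_3.
tls_version_accepted() {
    out=$(printf '' | openssl s_client -connect "$1:$2" -servername "$1" "$3" 2>/dev/null)
    [ -n "$(printf '%s\n' "$out" | parse_s_client)" ]
}

# Report every version; TLS 1.0 and 1.1 still being negotiated means the
# stricter security policy has not taken effect on this endpoint.
tls_report() {
    for flag in -tls1 -tls1_1 -tls1_2 -tls1_3; do
        if tls_version_accepted "$1" "$2" "$flag"; then
            case $flag in
                -tls1|-tls1_1) verdict='ACCEPTED (weak)' ;;
                *)             verdict='accepted' ;;
            esac
        else
            verdict='refused'
        fi
        printf '%-8s %s\n' "$flag" "$verdict"
    done
}

# Constructed s_client transcripts (abridged) for the self-test below.
SAMPLE_OK='CONNECTED(00000003)
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
---'
SAMPLE_REFUSED='CONNECTED(00000003)
New, (NONE), Cipher is (NONE)
SSL-Session:
    Protocol  : TLSv1
    Cipher    : 0000
---'

# Demo: parse the constructed transcripts; probe a live host only when one
# is given on the command line (placeholder host, no default target).
echo "sample accepted: $(printf '%s\n' "$SAMPLE_OK" | parse_s_client)"
echo "sample refused:  [$(printf '%s\n' "$SAMPLE_REFUSED" | parse_s_client)]"
if [ -n "${1:-}" ]; then
    tls_report "$1" "${2:-443}"
fi
```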
Weakness #5:
Certificates issued by ACM for domains managed by Route 53 do not
force the creation of a ‘CAA’ record to restrict re-issuance
Solution:
Create a CAA entry in Route 53 when certificates
are issued by Amazon Certificate Manager (ACM)
Re-run an SSL scan (the Qualys online SSL scanner should be sufficient)
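Added example, not part of the deck: a POSIX shell script that builds the Route 53 change batch for the CAA record and audits a zone's published CAA answer (`dig +short CAA`) so the record can be checked without waiting for an SSL scan. The hosted zone id is a placeholder, the dig answer is constructed, and the list of ACM issuer names is taken from the ACM documentation on CAA records, not from the slides.

```shell
#!/bin/sh
# Added example, not from the deck. To apply on a real zone:
#   caa_change_batch example.com > caa.json
#   aws route53 change-resource-record-sets \
#       --hosted-zone-id ZONEID_PLACEHOLDER --change-batch file://caa.json
# To audit: dig +short CAA example.com | caa_audit

# CA names ACM issues from (per the ACM documentation). A CAA "issue" tag
# must name one of them, otherwise ACM cannot issue or renew for the zone.
ACM_CAA_ISSUERS='amazon.com amazontrust.com awstrust.com amazonaws.com'

# Print the JSON change batch that UPSERTs one CAA record set listing every
# ACM issuer, for "aws route53 change-resource-record-sets".
# Usage: caa_change_batch example.com
caa_change_batch() {
    domain=$1
    records=""
    for ca in $ACM_CAA_ISSUERS; do
        records="${records}${records:+,}{\"Value\":\"0 issue \\\"$ca\\\"\"}"
    done
    printf '{"Comment":"CAA for ACM","Changes":[{"Action":"UPSERT","ResourceRecordSet":{"Name":"%s.","Type":"CAA","TTL":300,"ResourceRecords":[%s]}}]}\n' \
        "$domain" "$records"
}

# Read "dig +short CAA <domain>" lines (flags tag "value") from stdin and
# print each CA allowed to issue, prefixed "acm" or "other". Returns 0 only
# when at least one ACM CA is allowed and no other CA is; an empty answer
# (no CAA record at all, the deck's weakness) therefore returns 1.
caa_audit() {
    acm=0; other=0
    while read -r flags tag value; do
        case "$tag" in issue|issuewild) ;; *) continue ;; esac
        ca=$(printf '%s' "$value" | tr -d '"' | cut -d';' -f1)   # drop parameters
        case " $ACM_CAA_ISSUERS " in
            *" $ca "*) printf 'acm %s\n' "$ca"; acm=1 ;;
            *)         printf 'other %s\n' "$ca"; other=1 ;;
        esac
    done
    [ "$acm" -eq 1 ] && [ "$other" -eq 0 ]
}

# Constructed dig answer for a zone that also authorises a non-ACM CA.
SAMPLE_DIG='0 issue "amazon.com"
0 issue "letsencrypt.org"'

# Demo: print the change batch, then audit the constructed answer.
caa_change_batch example.com
if printf '%s\n' "$SAMPLE_DIG" | caa_audit; then
    echo "CAA restricts issuance to ACM"
else
    echo "CAA missing or allows a non-ACM CA"
fi
```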
Questions | Comments | Discussions
runcyoommen
https://runcy.me
Hybrid (Windows + Linux) Apps with Docker Swarm
Hybrid (Windows + Linux) Apps with Docker SwarmHybrid (Windows + Linux) Apps with Docker Swarm
Hybrid (Windows + Linux) Apps with Docker Swarm
 

Recently uploaded

AI-Powered Food Delivery Transforming App Development in Saudi Arabia.pdf
AI-Powered Food Delivery Transforming App Development in Saudi Arabia.pdfAI-Powered Food Delivery Transforming App Development in Saudi Arabia.pdf
AI-Powered Food Delivery Transforming App Development in Saudi Arabia.pdf
Techgropse Pvt.Ltd.
 
Building Production Ready Search Pipelines with Spark and Milvus
Building Production Ready Search Pipelines with Spark and MilvusBuilding Production Ready Search Pipelines with Spark and Milvus
Building Production Ready Search Pipelines with Spark and Milvus
Zilliz
 
Your One-Stop Shop for Python Success: Top 10 US Python Development Providers
Your One-Stop Shop for Python Success: Top 10 US Python Development ProvidersYour One-Stop Shop for Python Success: Top 10 US Python Development Providers
Your One-Stop Shop for Python Success: Top 10 US Python Development Providers
akankshawande
 
Driving Business Innovation: Latest Generative AI Advancements & Success Story
Driving Business Innovation: Latest Generative AI Advancements & Success StoryDriving Business Innovation: Latest Generative AI Advancements & Success Story
Driving Business Innovation: Latest Generative AI Advancements & Success Story
Safe Software
 
Video Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the FutureVideo Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the Future
Alpen-Adria-Universität
 
Climate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing DaysClimate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing Days
Kari Kakkonen
 
Full-RAG: A modern architecture for hyper-personalization
Full-RAG: A modern architecture for hyper-personalizationFull-RAG: A modern architecture for hyper-personalization
Full-RAG: A modern architecture for hyper-personalization
Zilliz
 
Mind map of terminologies used in context of Generative AI
Mind map of terminologies used in context of Generative AIMind map of terminologies used in context of Generative AI
Mind map of terminologies used in context of Generative AI
Kumud Singh
 
HCL Notes and Domino License Cost Reduction in the World of DLAU
HCL Notes and Domino License Cost Reduction in the World of DLAUHCL Notes and Domino License Cost Reduction in the World of DLAU
HCL Notes and Domino License Cost Reduction in the World of DLAU
panagenda
 
CAKE: Sharing Slices of Confidential Data on Blockchain
CAKE: Sharing Slices of Confidential Data on BlockchainCAKE: Sharing Slices of Confidential Data on Blockchain
CAKE: Sharing Slices of Confidential Data on Blockchain
Claudio Di Ciccio
 
UiPath Test Automation using UiPath Test Suite series, part 6
UiPath Test Automation using UiPath Test Suite series, part 6UiPath Test Automation using UiPath Test Suite series, part 6
UiPath Test Automation using UiPath Test Suite series, part 6
DianaGray10
 
Mariano G Tinti - Decoding SpaceX
Mariano G Tinti - Decoding SpaceXMariano G Tinti - Decoding SpaceX
Mariano G Tinti - Decoding SpaceX
Mariano Tinti
 
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
名前 です男
 
Columbus Data & Analytics Wednesdays - June 2024
Columbus Data & Analytics Wednesdays - June 2024Columbus Data & Analytics Wednesdays - June 2024
Columbus Data & Analytics Wednesdays - June 2024
Jason Packer
 
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with SlackLet's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
shyamraj55
 
Choosing The Best AWS Service For Your Website + API.pptx
Choosing The Best AWS Service For Your Website + API.pptxChoosing The Best AWS Service For Your Website + API.pptx
Choosing The Best AWS Service For Your Website + API.pptx
Brandon Minnick, MBA
 
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdfUnlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Malak Abu Hammad
 
Programming Foundation Models with DSPy - Meetup Slides
Programming Foundation Models with DSPy - Meetup SlidesProgramming Foundation Models with DSPy - Meetup Slides
Programming Foundation Models with DSPy - Meetup Slides
Zilliz
 
AI 101: An Introduction to the Basics and Impact of Artificial Intelligence
AI 101: An Introduction to the Basics and Impact of Artificial IntelligenceAI 101: An Introduction to the Basics and Impact of Artificial Intelligence
AI 101: An Introduction to the Basics and Impact of Artificial Intelligence
IndexBug
 
Infrastructure Challenges in Scaling RAG with Custom AI models
Infrastructure Challenges in Scaling RAG with Custom AI modelsInfrastructure Challenges in Scaling RAG with Custom AI models
Infrastructure Challenges in Scaling RAG with Custom AI models
Zilliz
 

Recently uploaded (20)

AI-Powered Food Delivery Transforming App Development in Saudi Arabia.pdf
AI-Powered Food Delivery Transforming App Development in Saudi Arabia.pdfAI-Powered Food Delivery Transforming App Development in Saudi Arabia.pdf
AI-Powered Food Delivery Transforming App Development in Saudi Arabia.pdf
 
Building Production Ready Search Pipelines with Spark and Milvus
Building Production Ready Search Pipelines with Spark and MilvusBuilding Production Ready Search Pipelines with Spark and Milvus
Building Production Ready Search Pipelines with Spark and Milvus
 
Your One-Stop Shop for Python Success: Top 10 US Python Development Providers
Your One-Stop Shop for Python Success: Top 10 US Python Development ProvidersYour One-Stop Shop for Python Success: Top 10 US Python Development Providers
Your One-Stop Shop for Python Success: Top 10 US Python Development Providers
 
Driving Business Innovation: Latest Generative AI Advancements & Success Story
Driving Business Innovation: Latest Generative AI Advancements & Success StoryDriving Business Innovation: Latest Generative AI Advancements & Success Story
Driving Business Innovation: Latest Generative AI Advancements & Success Story
 
Video Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the FutureVideo Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the Future
 
Climate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing DaysClimate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing Days
 
Full-RAG: A modern architecture for hyper-personalization
Full-RAG: A modern architecture for hyper-personalizationFull-RAG: A modern architecture for hyper-personalization
Full-RAG: A modern architecture for hyper-personalization
 
Mind map of terminologies used in context of Generative AI
Mind map of terminologies used in context of Generative AIMind map of terminologies used in context of Generative AI
Mind map of terminologies used in context of Generative AI
 
HCL Notes and Domino License Cost Reduction in the World of DLAU
HCL Notes and Domino License Cost Reduction in the World of DLAUHCL Notes and Domino License Cost Reduction in the World of DLAU
HCL Notes and Domino License Cost Reduction in the World of DLAU
 
CAKE: Sharing Slices of Confidential Data on Blockchain
CAKE: Sharing Slices of Confidential Data on BlockchainCAKE: Sharing Slices of Confidential Data on Blockchain
CAKE: Sharing Slices of Confidential Data on Blockchain
 
UiPath Test Automation using UiPath Test Suite series, part 6
UiPath Test Automation using UiPath Test Suite series, part 6UiPath Test Automation using UiPath Test Suite series, part 6
UiPath Test Automation using UiPath Test Suite series, part 6
 
Mariano G Tinti - Decoding SpaceX
Mariano G Tinti - Decoding SpaceXMariano G Tinti - Decoding SpaceX
Mariano G Tinti - Decoding SpaceX
 
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
 
Columbus Data & Analytics Wednesdays - June 2024
Columbus Data & Analytics Wednesdays - June 2024Columbus Data & Analytics Wednesdays - June 2024
Columbus Data & Analytics Wednesdays - June 2024
 
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with SlackLet's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
 
Choosing The Best AWS Service For Your Website + API.pptx
Choosing The Best AWS Service For Your Website + API.pptxChoosing The Best AWS Service For Your Website + API.pptx
Choosing The Best AWS Service For Your Website + API.pptx
 
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdfUnlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
 
Programming Foundation Models with DSPy - Meetup Slides
Programming Foundation Models with DSPy - Meetup SlidesProgramming Foundation Models with DSPy - Meetup Slides
Programming Foundation Models with DSPy - Meetup Slides
 
AI 101: An Introduction to the Basics and Impact of Artificial Intelligence
AI 101: An Introduction to the Basics and Impact of Artificial IntelligenceAI 101: An Introduction to the Basics and Impact of Artificial Intelligence
AI 101: An Introduction to the Basics and Impact of Artificial Intelligence
 
Infrastructure Challenges in Scaling RAG with Custom AI models
Infrastructure Challenges in Scaling RAG with Custom AI modelsInfrastructure Challenges in Scaling RAG with Custom AI models
Infrastructure Challenges in Scaling RAG with Custom AI models
 

Security hardening of core AWS services

  • 1. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Security hardening of core AWS services. RUNCY OOMMEN | 28-Sep-2019 | runcyoommen | https://runcy.me
  • 2. | Today’s Agenda | ✓ Generic cloud security ✓ AWS security services ✓ Shared Responsibility Model ✓ AWS services for hardening: ❑ Amazon Linux ❑ Elastic Load Balancer ❑ AWS Certificates (ACM) ❑ Route 53 ❑ API Gateway ❑ Cloud Front
  • 3. Let’s define “Cloud Security”. Cloud Security refers to a broad set of policies, technologies, applications and controls utilized to protect virtualized IP, data, applications, services and the associated infrastructure of cloud computing. Reference: https://en.wikipedia.org/wiki/Cloud_computing_security
  • 4. IT infrastructure & landscape has undergone a paradigm shift…
  • 5. Traditional view
  • 6. Modern view (PaaS)
  • 7. Why should cloud security differ from “traditional” network security?
  • 8. Important facets of cloud. Ubiquitous: the cloud is always reachable from anywhere, any time, any device. Scalable: you can add new features and thousands of users without breaking a sweat. Integrated: security and other services talk to each other for full visibility. Comprehensive: the cloud scans every byte, ingress and egress, including SSL & CDN. Intelligent: the cloud learns from every user and connection; any new threat is blocked for all.
  • 9. Early days of cloud: Move Fast OR Stay Secure. Modern day cloud: Move Fast AND Stay Secure.
  • 10. Cloud v/s Security. Cloud: ➢ Agility ➢ Self-service ➢ Scale ➢ Automation. Security: ➢ Gate Keeper ➢ Standards ➢ Control ➢ Centralized
  • 11. [image-only slide]
  • 12. [image-only slide]
  • 13. [image-only slide]
  • 14. Security, Identity and Compliance products from AWS (Product Name | Category | Brief Description):
      Certificate Manager | SSL/TLS Certificates | Service that lets you easily provision, manage, deploy SSL/TLS certificates
      Amazon Cognito | User Sign Up & Sign In | Lets you add user sign-up/sign-in and access control to your web and mobile apps
      Identity Access Management | Access Control | Identity & Access Management to control user’s access to AWS services. Create and manage users and groups.
      Amazon Inspector | Security Assessment | Automated security assessment service that helps improve security and compliance of deployed applications on AWS
      Key Management Service | Key Store | Managed service that makes it easy to create and control the encryption keys used to encrypt data
      Amazon Macie | Sensitive Data Classification | ML powered security service to discover, classify and protect sensitive data
      Secrets Manager | Secrets Management | Easily rotate, manage and retrieve database credentials, API Keys and other secrets throughout the lifecycle
      AWS Shield | DDoS Protection | Managed Distributed Denial of Service protection service that safeguards web applications running on AWS
  • 15. [image-only slide]
  • 16. [image-only slide]
  • 17. Weakness #1: Amazon Linux 2 AMI is shipped with OpenSSH v7.4, which is outdated and vulnerable to multiple attacks
  • 18. Solution: Upgrade to OpenSSH 7.8 or later!
  • 19. [image-only slide]
  • 20. SITUATION RIGHT NOW!
  • 21. What to do now? The elaborate way… The AWS package manager does not even have a higher version of SSH!!! ➢ Install all the relevant dependencies ➢ Download the latest package from openbsd.org ➢ Compile package from source ➢ Install the compiled package to upgrade
  • 22. Get the script - https://tinyurl.com/sshupdate
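The four upgrade steps from slide 21, as an added example that is not the script linked from slide 22. It assumes Amazon Linux 2 (yum, systemd), the openssh-7.8p1 portable tarball from the OpenBSD CDN, and an install into /usr that keeps reading the existing /etc/ssh configuration and host keys; the version check runs on its own, the build steps only when called on the instance.

```shell
#!/bin/sh
# Added example for the upgrade steps on slides 21-22; not the talk's script.
# Assumptions: Amazon Linux 2 (yum, systemd), openssh-7.8p1 from the OpenBSD
# CDN, install into /usr with /etc/ssh config and host keys reused.

OPENSSH_TARGET="7.8"
OPENSSH_RELEASE="openssh-7.8p1"
OPENSSH_TARBALL_URL="https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/${OPENSSH_RELEASE}.tar.gz"

# Extract "major.minor" (e.g. 7.4) from an `ssh -V` banner such as
# "OpenSSH_7.4p1, OpenSSL 1.0.2k-fips  26 Jan 2017"; prints nothing otherwise.
openssh_version_of() {
    printf '%s\n' "$1" | sed -n 's/^OpenSSH_\([0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# True (exit 0) when major.minor version $1 is lower than $2.
version_lt() {
    a_major=${1%%.*}; a_minor=${1#*.}
    b_major=${2%%.*}; b_minor=${2#*.}
    [ "$a_major" -lt "$b_major" ] ||
        { [ "$a_major" -eq "$b_major" ] && [ "$a_minor" -lt "$b_minor" ]; }
}

# True when the banner in $1 is an OpenSSH older than the target version.
needs_openssh_upgrade() {
    v=$(openssh_version_of "$1")
    [ -n "$v" ] && version_lt "$v" "$OPENSSH_TARGET"
}

# Step 1: build dependencies (package names as on Amazon Linux 2).
install_build_deps() {
    sudo yum install -y gcc make zlib-devel openssl-devel pam-devel wget tar
}

# Step 2: fetch the release tarball from openbsd.org; on a real host check the
# published signature against the OpenSSH release key before unpacking.
download_openssh_source() {
    wget -q "$OPENSSH_TARBALL_URL" -O "${OPENSSH_RELEASE}.tar.gz" &&
        tar xzf "${OPENSSH_RELEASE}.tar.gz"
}

# Step 3: configure with the distro layout so sshd keeps reading /etc/ssh,
# with PAM enabled because the stock sshd_config sets UsePAM yes.
compile_openssh() {
    ( cd "$OPENSSH_RELEASE" &&
      ./configure --prefix=/usr --sysconfdir=/etc/ssh --with-pam &&
      make )
}

# Step 4: install over the packaged binaries and restart sshd. Keep the current
# session open until a fresh login succeeds so a bad build cannot lock you out.
install_openssh() {
    ( cd "$OPENSSH_RELEASE" && sudo make install ) &&
        sudo systemctl restart sshd && ssh -V
}

# Only upgrade when the installed version really is below the target.
upgrade_if_needed() {
    banner=$(ssh -V 2>&1)
    if needs_openssh_upgrade "$banner"; then
        install_build_deps && download_openssh_source && compile_openssh && install_openssh
    else
        echo "OpenSSH already at or above $OPENSSH_TARGET: $banner"
    fi
}
# upgrade_if_needed   # uncomment to run on the instance
```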
  • 23. [image-only slide]
  • 24. Weakness #2: Default SSH settings (Ciphers & Key Exchange algorithms) in Amazon Linux are deprecated and weak
  • 25. Confirming the presence of weak/deprecated Ciphers & Key Exchanges
  • 26. Solution: Check for new ciphers and kex after the OpenSSH upgrade. Search for ‘Ciphers’ & ‘KexAlgorithms’ in the man page
  • 27. ➢ Edit the /etc/ssh/sshd_config file ➢ Add default Ciphers and KexAlgorithms in preferred order ➢ Restart the sshd service
  • 28. Check the Ciphers and Key Exchange Algorithms now…
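An added example for slides 24 to 28 (not from the talk): it audits the algorithm lists a running sshd offers, in the format `sshd -T` prints, for deprecated entries, and writes the Ciphers/KexAlgorithms/MACs stanza to add to sshd_config in preferred order. The algorithm names are real OpenSSH 7.8 names; the sample `sshd -T` text is constructed to exercise the check, not captured from an Amazon Linux host.

```shell
#!/bin/sh
# Added example for slides 24-28, not from the talk. Names are OpenSSH 7.8
# algorithm names; SAMPLE_SSHD_T is constructed, not a captured output.

# Constructed sample in `sshd -T` format: an unhardened host still offering
# CBC ciphers, SHA-1 and group1 key exchange, and MD5 / truncated MACs.
SAMPLE_SSHD_T='port 22
ciphers chacha20-poly1305@openssh.com,aes128-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,aes256-cbc,blowfish-cbc,3des-cbc
kexalgorithms curve25519-sha256,ecdh-sha2-nistp256,diffie-hellman-group16-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
macs hmac-sha2-256-etm@openssh.com,hmac-sha2-256,umac-64-etm@openssh.com,hmac-md5,hmac-sha1'

# Preferred order, strongest first; every name exists in OpenSSH 7.8.
HARDENED_CIPHERS='chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr'
HARDENED_KEX='curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256'
HARDENED_MACS='hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256'

# Print "<section> <algorithm>" for each deprecated entry in `sshd -T` text ($1):
# CBC mode, arcfour/3DES, anything SHA-1 or MD5 based, and truncated MACs.
find_weak_ssh_algos() {
    printf '%s\n' "$1" | awk '
        $1 == "ciphers" || $1 == "kexalgorithms" || $1 == "macs" {
            n = split($2, algo, ",")
            for (i = 1; i <= n; i++)
                if (algo[i] ~ /(-cbc$|^arcfour|^3des|sha1|md5|-96$|^umac-64)/)
                    print $1, algo[i]
        }'
}

# Number of deprecated entries; 0 means the host passes the check.
count_weak_ssh_algos() {
    find_weak_ssh_algos "$1" | wc -l | tr -d ' '
}

# Render the hardened lists in `sshd -T` form so they can be audited the same way.
hardened_as_sshd_t() {
    printf 'ciphers %s\nkexalgorithms %s\nmacs %s\n' \
        "$HARDENED_CIPHERS" "$HARDENED_KEX" "$HARDENED_MACS"
}

# Append the stanza to the sshd_config given as $1 (normally /etc/ssh/sshd_config);
# then validate with `sshd -t` and restart sshd, as the slides describe.
write_hardened_stanza() {
    {
        printf 'Ciphers %s\n' "$HARDENED_CIPHERS"
        printf 'KexAlgorithms %s\n' "$HARDENED_KEX"
        printf 'MACs %s\n' "$HARDENED_MACS"
    } >> "$1"
}
```

On the instance, `find_weak_ssh_algos "$(sudo sshd -T)"` lists what is still offered; run it before and after the restart so the change is confirmed from the daemon's effective configuration rather than from the file.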
  • 29. [image-only slide]
  • 30. Weakness #3: TLS 1.0 and TLS 1.1, which have weak cipher suites, are set as the default when provisioning Elastic Load Balancers
  • 31. Confirming the presence of weak cipher suites…
  • 32. Solution: ➢ Force the latest ‘security policy’ on the load balancer instead of the default lenient one ➢ Navigate to Load Balancer (EC2) → Listeners (tab) → Edit ➢ Select a stricter and more recent security policy for the ELB
  • 33. Reference chart of security policies with SSL Options and Ciphers. Reference: https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/elb-security-policy-table.html
  • 34. Changes are reflected immediately on re-running a vulnerability scan
  • 35. [image-only slide]
  • 36. Weakness #4: API Gateway, by default, provides support for TLS 1.0 and TLS 1.1 with weak cipher suites
  • 37. Solution: ➢ Don’t serve the traffic directly from the API Gateway URL ➢ Create a CloudFront distribution with the ‘Origin Domain Name’ as the API Gateway stage ➢ Pick and choose the minimum required SSL for CloudFront ➢ Select the appropriate security policy for strong cipher selection
  • 38. [image-only slide]
  • 39. Weakness #5: Certificates generated by ACM and managed by Route 53 do not force the creation of a ‘CAA’ record to prevent re-issuance
  • 40. Solution: Create an entry in Route 53 for CAA when certificates are issued by Amazon Certificate Manager (ACM). Re-run an SSL scan (Qualys online SSL should be sufficient)
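The CAA fix from slides 39 and 40, as an added example that is not from the talk: it builds the Route 53 change batch that adds CAA records limiting issuance to Amazon's CAs, and checks a CAA answer (in the form `dig CAA <domain> +short` prints) before and after the change. It assumes example.com and the hosted zone id are placeholders, that the four issuer names are the ones AWS documents for ACM, and that the AWS CLI is needed only to apply the batch, not to run the checks.

```shell
#!/bin/sh
# Added example for slides 39-40, not from the talk. example.com and the zone
# id are placeholders; the issuer names are those AWS documents for ACM.

ACM_CAA_ISSUERS='amazon.com amazontrust.com awstrust.com amazonaws.com'
HOSTED_ZONE_ID='ZPLACEHOLDER0000'   # placeholder: use your hosted zone's id

# Emit a Route 53 UPSERT change batch (JSON) with one "0 issue" value per ACM issuer.
build_caa_change_batch() {
    printf '{"Comment":"CAA for ACM issuance","Changes":[{"Action":"UPSERT",'
    printf '"ResourceRecordSet":{"Name":"%s.","Type":"CAA","TTL":300,"ResourceRecords":[' "$1"
    sep=''
    for ca in $ACM_CAA_ISSUERS; do
        printf '%s{"Value":"0 issue \\"%s\\""}' "$sep" "$ca"
        sep=','
    done
    printf ']}}]}\n'
}

# Apply the batch for domain $2 to hosted zone $1 with the AWS CLI.
apply_caa_record() {
    build_caa_change_batch "$2" > /tmp/caa-change.json &&
        aws route53 change-resource-record-sets \
            --hosted-zone-id "$1" --change-batch file:///tmp/caa-change.json
}

# True when the CAA answer in $1 (dig +short lines, possibly empty) contains at
# least one "issue" entry, i.e. issuance is restricted at all.
caa_restricts_issuance() {
    printf '%s\n' "$1" | grep -q '^[0-9][0-9]* issue '
}

# True when the CA named in $2 may issue given CAA answer $1: an "issue" entry
# names it, or there is no CAA record at all (then any CA may issue, per
# RFC 8659), which is the state the slides flag as the weakness.
caa_permits_issuer() {
    [ -z "$1" ] && return 0
    printf '%s\n' "$1" | grep -qF " issue \"$2\""
}
```

After `apply_caa_record "$HOSTED_ZONE_ID" example.com` propagates, `dig CAA example.com +short` returns the four entries and the SSL scan the slide mentions reports the CAA record; note that CAA only constrains new issuance and does not revoke certificates already issued.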
  • 41. [image-only slide]
  • 42. Questions | Comments | Discussions. runcyoommen | https://runcy.me