Cloud services are bread and butter of today’s enterprise software development. They offer us flexibility and scalability for a reasonable price, compared to running your own data center and managing physical infrastructure. But as with all good things, there is an additional overhead related to ensuring that our cloud services are configured properly and don’t open potential security holes that maybe exploited, e.g. to run a cryptocurrency miner, that you are unwillingly paying for. Fortunately, these days we have some useful tools at our disposal, both from the open source community, as well as proprietary solutions from AWS, that should make the job of your IT Operations and Information Security teams easier. I will go over a few such projects, including CloudMapper from Duo, Scout Suite from NCC, and two solutions from Amazon: CloudTrail and GuardDuty. I will demonstrate how they can be utilized to detect a couple of common security vulnerabilities in your infrastructure. On top of that I will propose an example alerting pipeline, that should improve mean response time to the security threats in your infrastructure, should you wish to use it for your AWS account.

1. ⚡Storm Busters⚡
Auditing & Securing
AWS Cloud Infrastructure
Kuba Sendor
j-labs software specialists 25-26 November 2019, Warsaw
www.devopsdays.pl

2. 2019: Delivery Manager, j-labs in Kraków
2010-2014: Security & Trust Research, SAP Labs France in Sophia-Antipolis
2014-2018: Corporate Security, Yelp in London and San Francisco

3. o AWS security
o cloudmapper
o Scout Suite
o CloudTrail
o GuardDuty
o Joining the pieces: alerting pipeline

4. Amazon Web Services
Elastic Compute Cloud
(EC2)
Identity and Access Management
(IAM)
Simple Storage Service
(S3)

5. Identity and Access Management
(IAM)
password policy
Multi-Factor Authentication (MFA)
roles
key rotation
inline policies

6. Elastic Compute Cloud
(EC2)
misconfigured images
unencrypted images
secrets in instance data

7. Simple Storage Service
(S3)
lack of versioning
lack of encryption
MFA delete

8. cloudmapper
Infrastructure visualization
3 useful commands
1) audit
2) collect
3) report

10. Looks for security
misconfigurations in your
AWS account
Collects your AWS
account configuration
collectaudit report
Graphical representation
of the audit findings
based on the collected
configuration

11. audit

12. collect

17. Some other useful
cloudmapper commands

18. public - find public hosts and port ranges

19. find_admins - identify admin users

20. find_unused - look for unused resources

23. issue severity

28. Secrets in instance user data

30. CloudTrail

33. Joining the pieces: alerting pipeline
CloudTrail CloudTrail logs
S3 bucket
SNS topic
CloudTrail logs S3 Event
Notifications

34. GuardDuty
VPC (Virtual Private Cloud) Flow Logs
DNS Logs
CloudTrail Logs

35. GuardDuty Findings
 Compromised resources
 Activity different than the baseline
 Crypto currency miners
 Pentest activity
 Trojan attacks
 Suspicious activity by unauthorized users

36. Joining the pieces: alerting pipeline, pt. II
GuardDuty CloudWatch Lambda
CloudWatch
Event
Lambda
Function

37. Summary
cloudmapper
 simple
 cheap
 easy to set up
 no real-time monitoring
Scout Suite
 concise report
 detailed analysis of each
service
 no real-time monitoring
CloudTrail
 robust and detailed
 trail requires processing
 processing may incurre
aditional costs
GuardDuty
 real-time and enterprise-
ready
 expensive
 still requires incident
response

38. Kuba Sendor, j-labs software specialists
@jsendor
I'm waiting for
your feedback!
You can rate speakers and lectures using
our official conference app