The document discusses the author's journey in cloud security and managing security across multiple companies simultaneously. It emphasizes the importance of recruiting skilled security professionals, implementing basic security controls like MFA and tightening IAM permissions, and challenges such as differing technologies, cultures, and the complexity of cloud environments. The author also provides resources for learning more about AWS security best practices.
7. @stuhirstinfosec
The Initial Journey…
• Well-Architected Reviews with AWS
• Manual auditing of accounts
• Setting up of WAFs, AWS tools such as GuardDuty
• Leveraging Trusted Advisor to help
• Compliance related activities
• Trying to ensure logging is in place
12. Defining Potential AWS Risks & Vulnerabilities
https://github.com/stuhirst/awssecurity/blob/master/risksandvulns.md
• DDOS - what protection do you have at various layers?
• WAF - are you using one?! Does it have custom rulesets? Is it in blocking mode?
• LOGGING - VPC flow logs, S3 logs, ELB logs - do you centralise these?
• KEYS - how are you protecting these? Any in GitHub?!
• ENCRYPTION - are you forcing encryption on S3, EBS volumes & snapshots - encrypt all the things!
• S3 - do you know if buckets/objects are open to the world?!
• IAM - overly permissive roles, lack of offboarding
• VULN MGMT - are you using up to date AMIs?
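Three items from this list (open S3 buckets, unencrypted EBS volumes, overly permissive IAM roles) can be checked mechanically against the JSON the AWS APIs already return. The script below is an added example, not from the deck or its repository: it runs offline over constructed samples shaped like the output of `aws s3api get-bucket-acl`, `aws ec2 describe-volumes` and `aws iam get-policy-version`; the bucket, volume and policy names in it are made up.

```python
# Added example: offline evaluators for three of the slide's risk checks.
# The sample data at the bottom is constructed to mirror AWS API responses.
PUBLIC_GRANTEES = {  # S3 ACL group URIs that mean "the world" / "any AWS account"
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

def public_acl_grants(acl):
    """Permissions an S3 bucket ACL hands to AllUsers or AuthenticatedUsers."""
    return sorted(
        g["Permission"] for g in acl.get("Grants", [])
        if g["Grantee"].get("Type") == "Group"
        and g["Grantee"].get("URI") in PUBLIC_GRANTEES
    )

def unencrypted_volumes(describe_volumes):
    """IDs of EBS volumes whose Encrypted flag is false or missing."""
    return [v["VolumeId"] for v in describe_volumes["Volumes"] if not v.get("Encrypted")]

def admin_statements(policy_document):
    """Sids of Allow statements granting every action on every resource."""
    stmts = policy_document["Statement"]
    if isinstance(stmts, dict):  # IAM allows a single statement object
        stmts = [stmts]
    hits = []
    for s in stmts:
        actions, resources = s.get("Action", []), s.get("Resource", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = [resources] if isinstance(resources, str) else resources
        if s.get("Effect") == "Allow" and "*" in actions and "*" in resources:
            hits.append(s.get("Sid", "<no Sid>"))
    return hits

# Constructed samples (not real accounts): one finding hidden in each.
SAMPLE_ACL = {"Owner": {"ID": "ownerid-example"}, "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "ownerid-example"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"},
]}
SAMPLE_VOLUMES = {"Volumes": [{"VolumeId": "vol-0example1", "Encrypted": True},
                              {"VolumeId": "vol-0example2", "Encrypted": False}]}
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "ReadLogs", "Effect": "Allow", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::logs-bucket-example/*"},
    {"Sid": "FullAdmin", "Effect": "Allow", "Action": "*", "Resource": "*"},
]}

if __name__ == "__main__":
    print("public S3 grants:", public_acl_grants(SAMPLE_ACL))        # ['READ']
    print("unencrypted volumes:", unencrypted_volumes(SAMPLE_VOLUMES))  # ['vol-0example2']
    print("admin statements:", admin_statements(SAMPLE_POLICY))      # ['FullAdmin']
```

In practice the same functions are fed the live responses from the AWS CLI or boto3 for each account, which is how the manual account audits on the earlier slide can be repeated consistently across many accounts.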
18. Complexities of 4 brands
• Tech stack
• Programming languages
• Cultures
• Maturity
• Business structure
• Levels of knowledge
• Location/language
19. Some of the complexities of multi-brand companies…
• Accounts - often many!
• Terraform vs CloudFormation
• HUGE amounts of data!
• Cost / budget implications
• Staff turnover multiplied
30.
So what have I learnt during this last year?
* Your journey has to start somewhere!
* Changing businesses takes real time and graft. And it’s painful!
* Try and get the major stakeholders around the table regularly to collaborate - this takes effort!
* People repeat mistakes - we need to find a way to make that better
* Cloud is HARD and often COMPLEX
* Recruitment is absolutely KEY!
33.
Want to know more?
AWS Security Slack Group
AWS Arsenal - open source tools
https://github.com/stuhirst/awssecurity
AWS Vulnerability & Risk list
https://github.com/stuhirst/awssecurity/blob/master/risksandvulns.md