Cloud Security basics

1. Stu Hirst - Thinking Out Cloud 2020
ADD YOUR
BRAND HERE
Thinking Out cLOUD 2020
@stuhirstinfosec

2. Stu Hirst - Thinking Out Cloud 2020
ADD YOUR
BRAND HERE
Disclaimers;
I like memes & gifs.
I’m not an ‘expert’ or a
‘thought leader’, but I’ve
learned some stuff along the
way.
@stuhirstinfosec

3. Stu Hirst - Thinking Out Cloud 2020
ADD YOUR
BRAND HERE
Who Am I?
@stuhirstinfosec

4. Stu Hirst - Thinking Out Cloud 2020
ADD YOUR
BRAND HERE
You’re going to be in
one of two camps….

5. Stu Hirst - Thinking Out Cloud 2020
ADD YOUR
BRAND HERE
1. Thinking of going
Cloud
2. Already there

6. Stu Hirst - Thinking Out Cloud 2020
ADD YOUR
BRAND HERE

7. Stu Hirst - Thinking Out Cloud 2020
ADD YOUR
BRAND HERE
If you’re not in Cloud
yet, but about to get
there…

8. Stu Hirst - Thinking Out Cloud 2020
ADD YOUR
BRAND HERE

9. Stu Hirst - Thinking Out Cloud 2020
ADD YOUR
BRAND HERE
If you’re already IN
Cloud, you’ll be in
one of two states…

10. Stu Hirst - Thinking Out Cloud 2020
ADD YOUR
BRAND HERE

11. Stu Hirst - Thinking Out Cloud 2020
ADD YOUR
BRAND HERE

12. Stu Hirst - Thinking Out Cloud 2020
ADD YOUR
BRAND HERE
e Path To Securing The Clo

13. Stu Hirst - Thinking Out Cloud 2020
ADD YOUR
BRAND HERE
What do you care
about?!
(Risk!)

14. Stu Hirst - Thinking Out Cloud 2020
ADD YOUR
BRAND HERE
There are existing frameworks that can help;
• CIS Benchmarking
• NIST
• ISACA
• Cloud Security Alliance

15. Stu Hirst - Thinking Out Cloud 2020
ADD YOUR
BRAND HERE
CIS:
• AWS, Azure, Google Cloud
• Docker, Kubernetes
• Security Metrics
• Also desktop apps, network devices, mobile
devices, servers, operating systems

16. Stu Hirst - Thinking Out Cloud 2020
ADD YOUR
BRAND HERE
Threats/Risks In The Cloud

17. Stu Hirst - Thinking Out Cloud 2020
ADD YOUR
BRAND HERE

18. Stu Hirst - Thinking Out Cloud 2020
ADD YOUR
BRAND HERE
Cryptojacking /
Bitcoin Mining
Accessing resources you own to leverage computing power to
mine for cryptocurrency

19. Stu Hirst - Thinking Out Cloud 2020
ADD YOUR
BRAND HERE
Data Breaches
Open buckets
Open databases
General misconfiguration

20. Stu Hirst - Thinking Out Cloud 2020
ADD YOUR
BRAND HERE
Denial Of Service
Though if major Cloud providers are down - everyone has a
problem!

21. Stu Hirst - Thinking Out Cloud 2020
ADD YOUR
BRAND HERE
Insider Threats
Malicious or mistake

22. Stu Hirst - Thinking Out Cloud 2020
ADD YOUR
BRAND HERE
Hijacking of
Accounts
To log on and access resources and data

23. Stu Hirst - Thinking Out Cloud 2020
ADD YOUR
BRAND HERE
Lack of awareness &
training
Cloud is still new and complex!

24. Stu Hirst - Thinking Out Cloud 2020
ADD YOUR
BRAND HERE

25. Stu Hirst - Thinking Out Cloud 2020
ADD YOUR
BRAND HERE
eps To Protect Your AWS En

26. Stu Hirst - Thinking Out Cloud 2020
ADD YOUR
BRAND HERE
Look out
for…

27. Stu Hirst - Thinking Out Cloud 2020
ADD YOUR
BRAND HERE
ROOT ACCOUNT

28. Stu Hirst - Thinking Out Cloud 2020
ADD YOUR
BRAND HERE@stuhirstinfosec
Give your Root Account physical
MFA token to someone non-technical
They’re less likely to kill your
business

29. Stu Hirst - Thinking Out Cloud 2020
ADD YOUR
BRAND HERE

30. Stu Hirst - Thinking Out Cloud 2020
ADD YOUR
BRAND HERE
BANANA
SKIN
ALERT!

31. Stu Hirst - Thinking Out Cloud 2020
ADD YOUR
BRAND HERE@stuhirstinfosec
Advice:
Delete your Root Account Access
Key and Secret Key ID - you don’t
need them!

32. Stu Hirst - Thinking Out Cloud 2020
ADD YOUR
BRAND HERE
MFA

33. Stu Hirst - Thinking Out Cloud 2020
ADD YOUR
BRAND HERE
Ensure EVERY user
has MFA - no
excuses!
Or SAML…

34. Stu Hirst - Thinking Out Cloud 2020
ADD YOUR
BRAND HERE@stuhirstinfosec
Advice:
You can stipulate in IAM policies that
an action CANNOT take place without
MFA!

35. Stu Hirst - Thinking Out Cloud 2020
ADD YOUR
BRAND HERE@stuhirstinfosec
So perhaps you can perform:
DescribeInstances and RunInstances with no
checks
But TerminateInstance can only be where
aws:MultiFactorAuthAge is < X
minutes

36. Stu Hirst - Thinking Out Cloud 2020
ADD YOUR
BRAND HERE
IAM

37. Stu Hirst - Thinking Out Cloud 2020
ADD YOUR
BRAND HERE
Check your IAM password policy
Automate checks for unused
passwords or access keys
ALERT FOR ROOT USAGE!!!

38. Stu Hirst - Thinking Out Cloud 2020
ADD YOUR
BRAND HERE
BANANA
SKIN
ALERT!

39. Stu Hirst - Thinking Out Cloud 2020
ADD YOUR
BRAND HERE

40. Stu Hirst - Thinking Out Cloud 2020
ADD YOUR
BRAND HERE
Over time, you have probably
created too many roles!
IAM Access Advisor - service last
accessed

41. Stu Hirst - Thinking Out Cloud 2020
ADD YOUR
BRAND HERE
LOGGING

42. Stu Hirst - Thinking Out Cloud 2020
ADD YOUR
BRAND HERE
LOG. ALL. THE. THINGS!

43. Stu Hirst - Thinking Out Cloud 2020
ADD YOUR
BRAND HERE
Cloudtrail
S3 Access
VPC Flow
Cloudwatch
API Gateway

44. Stu Hirst - Thinking Out Cloud 2020
ADD YOUR
BRAND HERE
At WORST - make sure you’re
logging Cloudtrail events in every
account.
ALERT IF YOU’RE NOT!

45. Stu Hirst - Thinking Out Cloud 2020
ADD YOUR
BRAND HERE
BANANA
SKIN
ALERT!

46. Stu Hirst - Thinking Out Cloud 2020
ADD YOUR
BRAND HERE
If you log to a central account, be
wary you might be charged twice
for Cloudtrail logs!

47. Stu Hirst - Thinking Out Cloud 2020
ADD YOUR
BRAND HERE

48. Stu Hirst - Thinking Out Cloud 2020
ADD YOUR
BRAND HERE
S3 BUCKETS

49. Stu Hirst - Thinking Out Cloud 2020
ADD YOUR
BRAND HERE
Still arguably the easiest mistake
to make and most impactful

50. Stu Hirst - Thinking Out Cloud 2020
ADD YOUR
BRAND HERE

51. Stu Hirst - Thinking Out Cloud 2020
ADD YOUR
BRAND HERE
BANANA
SKIN
ALERT!

52. Stu Hirst - Thinking Out Cloud 2020
ADD YOUR
BRAND HERE

53. Stu Hirst - Thinking Out Cloud 2020
ADD YOUR
BRAND HERE

54. Stu Hirst - Thinking Out Cloud 2020
ADD YOUR
BRAND HERE
SECURITY GROUPS

55. Stu Hirst - Thinking Out Cloud 2020
ADD YOUR
BRAND HERE
SG’s act like a firewall for your
instances….
But they’re easy to misconfigure

56. Stu Hirst - Thinking Out Cloud 2020
ADD YOUR
BRAND HERE
BANANA
SKIN
ALERT!

57. Stu Hirst - Thinking Out Cloud 2020
ADD YOUR
BRAND HERE

58. Stu Hirst - Thinking Out Cloud 2020
ADD YOUR
BRAND HERE
• Restrict traffic to internal IPs for protocols such as
SSH
• Use NACL’s to block ports
• Avoid the dreaded 0.0.0.0/0
• Use ELB's SGs wisely to restrict EC2’s access to the
Internet
• Trusted Advisor will help you!

59. @stuhirstinfosec

60. Stu Hirst - Thinking Out Cloud 2020
ADD YOUR
BRAND HERE
INCIDENT
RESPONSE

61. Stu Hirst - Thinking Out Cloud 2020
ADD YOUR
BRAND HERE
Behaviour
Alert
Slack

62. Stu Hirst - Thinking Out Cloud 2020
ADD YOUR
BRAND HERE

63. Stu Hirst - Thinking Out Cloud 2020
ADD YOUR
BRAND HERE
Create playbooks for incident
response
Even if they just say who to
contact!!!

64. Stu Hirst - Thinking Out Cloud 2020
ADD YOUR
BRAND HERE
ENCRYPTION

65. Stu Hirst - Thinking Out Cloud 2020
ADD YOUR
BRAND HERE
Are you encrypting
by default?
If not, why not?!
S3, EBS, RDS etc

66. Stu Hirst - Thinking Out Cloud 2020
ADD YOUR
BRAND HERE
KEY ROTATION &
CREDS

67. Stu Hirst - Thinking Out Cloud 2020
ADD YOUR
BRAND HERE

68. Stu Hirst - Thinking Out Cloud 2020
ADD YOUR
BRAND HERE
North Carolina State University
examined accidental leakage of
authentication secrets to
GitHub…..

69. Stu Hirst - Thinking Out Cloud 2020
ADD YOUR
BRAND HERE
1. Secrets in over
100,000
repositories
2. Over 1000
committed daily

70. Stu Hirst - Thinking Out Cloud 2020
ADD YOUR
BRAND HERE
Other helpful tips!

71. Stu Hirst - Thinking Out Cloud 2020
ADD YOUR
BRAND HERE
Well Architected
Reviews with
AWS/GCP/Azure
Use your Technical
Account Managers!

72. Stu Hirst - Thinking Out Cloud 2020
ADD YOUR
BRAND HERE
Manually audit your
accounts - looking
for gaps, misconfigs,
permissions

73. Stu Hirst - Thinking Out Cloud 2020
ADD YOUR
BRAND HERE
Or leverage….
Open Source Goodies!

74. Stu Hirst - Thinking Out Cloud 2020
ADD YOUR
BRAND HERE

75. Stu Hirst - Thinking Out Cloud 2020
ADD YOUR
BRAND HERE

76. Stu Hirst - Thinking Out Cloud 2020
ADD YOUR
BRAND HERE

77. Stu Hirst - Thinking Out Cloud 2020
ADD YOUR
BRAND HERE

78. Stu Hirst - Thinking Out Cloud 2020
ADD YOUR
BRAND HERE

79. Stu Hirst - Thinking Out Cloud 2020
ADD YOUR
BRAND HERE
Q: What’s the most
important aspect of
securing the Cloud?

80. Stu Hirst - Thinking Out Cloud 2020
ADD YOUR
BRAND HERE
RECRUIT!
RECRUIT!
RECRUIT!

81. Stu Hirst - Thinking Out Cloud 2020
ADD YOUR
BRAND HERE
KEY TAKEAWAYS
(see what I did
there?!)

82. Stu Hirst - Thinking Out Cloud 2020
ADD YOUR
BRAND HERE
• Start with basics
• Establish a risk framework
• Look out for the banana skins!
• Automate as much as you can
• Leverage the tooling
• Have fun!
• RECRUIT!

83. Stu Hirst - Thinking Out Cloud 2020
ADD YOUR
BRAND HERE
So what have I learnt these last 2-3 years?
* Your journey has to start somewhere!
* Changing businesses takes real time and graft. And it’s
painful!
* Try and get the major stakeholders around the table regularly
to collaborate - this takes effort!
* Cloud is HARD and often COMPLEX
* Recruitment is absolutely KEY!
* TEACHING EACH OTHER IS KEY ALSO!!!

84. Stu Hirst - Thinking Out Cloud 2020
ADD YOUR
BRAND HERE
Before I leave you…

85. Stu Hirst - Thinking Out Cloud 2020
ADD YOUR
BRAND HERE

86. Stu Hirst - Thinking Out Cloud 2020
ADD YOUR
BRAND HERE

87. Stu Hirst - Thinking Out Cloud 2020
ADD YOUR
BRAND HERE
Want to know more?
Cloud Security Forum on Slack - DM ME ON TWITTER!
AWS Arsenal - open source tools
https://github.com/stuhirst/awssecurity
AWS Vulnerability & Risk list
https://github.com/stuhirst/awssecurity/blob/master/risksandvulns.md

88. Stu Hirst - Thinking Out Cloud 2020
ADD YOUR
BRAND HERE
SHOUT OUTS:
• Scott Piper (CloudMapper, FLAWS & more)
• Toni De La Fuente (Prowler)
• Tash Norris (Cloud Threat Modeling)
• Rhino Labs
AND MY INCREDIBLE TEAM!

89. Stu Hirst - Thinking Out Cloud 2020
ADD YOUR
BRAND HERE

90. Stu Hirst - Thinking Out Cloud 2020
ADD YOUR
BRAND HERE
FANKS!
@stuhirstinfosec