Using Access Advisor to Strike the Balance Between Security and Usability - SID316 - re:Invent 2017
1. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
AWS re:Invent
Using Access Advisor to Strike the
Balance Between Security and Usability
Patrick Kelley + Travis McPeak, Netflix Security
SID316
November 29, 2017
2.
Let me tell you a story about a
big
bad
hacker...
3.
Patrick Kelley
● Netflix for five years
● Security Monkey
● CloudAux
● PolicyUniverse
● Aardvark
● Repokid
4.
Travis McPeak
● Netflix for one year
● Previously: IBM, Symantec, HP,
Initech, Death Star
● Bandit
● Aardvark
● Repokid
● OWASP Bay Area
5.
Least privilege
Too many permissions:
● Developers Happy
● Security Unhappy
● Attackers Happy
Too few permissions:
● Developers Unhappy
● Security Happy
● Attackers Unhappy
Just Right
6.
Getting Permissions Just Right:
● Developers Happy
● Security Happy
● Attackers… not so much
7.
Assigning the correct permissions is hard
3,200 unique permissions
100+ services
8.
Problem scope
Other Resources:
● RDS Snapshot
● EBS Snapshot
● AMI
IAM Policies:
● IAM User Inline Policy
● IAM Role Inline Policy
● IAM Group Inline Policy
● Managed Policy
Other Policies:
● Organization Policies
Networking:
● Security Groups (Classic + VPC)
● Network ACLs
Resource Policies:
● S3
● SNS
● Glacier
● Elasticsearch
● KMS
● Lambda Function
● SQS
● Role Trust Policy
Transit Encryption:
● SSL/TLS Certificates
● ACM Certificates
● ELB/ALB Listener Protocols
● ELB/ALB Listener Policies
11.
Service permission lifecycle
● Creation
● Access Profiling
● Accommodate New Features & Permissions
● Cleanup
12.
Aardvark
Aardvark is Access Advisor!
13.
Repokid
14.
Repokid
It’s been 90 days, you going to use those permissions?
18.
A role is born
19.
The great balancing act
20.
Role childhood
21.
Policy anatomy
{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": "s3:ListBucket",
    "Resource": "arn:aws:s3:::example_bucket"
  }
}
25.
Repokid and data sources
29.
Repokid and data sources
{
  "Effect": "Allow",
  "Action": ["ec2:AttachVolume", "ec2:CreateVolume"],
  "Resource": "*"
},
{
  "Effect": "Allow",
  "Action": ["s3:GetObject", "s3:ListBucket", "s3:PutObject"],
  "Resource": "*"
},
{
  "Effect": "Allow",
  "Action": ["sqs:ListQueues", "sqs:PurgeQueue", "sqs:SendMessage"],
  "Resource": "*"
}
32.
Repokid and data sources
The S3 statement's Resource is narrowed from "*" to a specific bucket ARN:
{
  "Effect": "Allow",
  "Action": ["ec2:AttachVolume", "ec2:CreateVolume"],
  "Resource": "*"
},
{
  "Effect": "Allow",
  "Action": ["s3:GetObject", "s3:ListBucket", "s3:PutObject"],
  "Resource": "arn:aws:s3:::my_bucket_name"
},
{
  "Effect": "Allow",
  "Action": ["sqs:ListQueues", "sqs:PurgeQueue", "sqs:SendMessage"],
  "Resource": "*"
}
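As an added illustration, not code from the talk or from the Repokid project: a Python sketch of the repo decision Repokid makes from Aardvark/Access Advisor data, run over the three statements above. The Access Advisor view, the 90-day window and the rule that a role younger than the window is left alone are assumptions modelled on the slides, and all data is constructed.

```python
from datetime import datetime, timedelta, timezone

# Constructed "today" and the three statements from the slide, all granted on Resource "*".
NOW = datetime(2017, 11, 29, tzinfo=timezone.utc)
POLICY_STATEMENTS = [
    {"Effect": "Allow", "Action": ["ec2:AttachVolume", "ec2:CreateVolume"], "Resource": "*"},
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket", "s3:PutObject"], "Resource": "*"},
    {"Effect": "Allow", "Action": ["sqs:ListQueues", "sqs:PurgeQueue", "sqs:SendMessage"], "Resource": "*"},
]
# Constructed Access Advisor style view for the role: service namespace -> last authenticated
# call, or None when the service was never used since the data started accruing.
ACCESS_ADVISOR = {"ec2": NOW - timedelta(days=2), "s3": NOW - timedelta(days=130), "sqs": None}
ROLE_CREATED = NOW - timedelta(days=200)  # constructed: older than the 90-day window


def service_of(action):
    """'s3:GetObject' -> 's3'; a bare '*' has no service namespace."""
    return action.split(":", 1)[0].lower() if ":" in action else None


def repo_statements(statements, access_advisor, role_created, now=NOW, window_days=90):
    """Drop Allow actions for services unused for window_days; return (new_statements, removed).

    A role younger than the window is left untouched: Access Advisor has not had enough
    time to observe its use. Deny statements, bare '*' actions and actions whose service
    has no Access Advisor entry are kept, since absence of data is not evidence of non-use.
    """
    if now - role_created < timedelta(days=window_days):
        return [dict(s) for s in statements], []
    cutoff = now - timedelta(days=window_days)
    new_statements, removed = [], []
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            new_statements.append(dict(stmt))
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        keep = []
        for action in actions:
            svc = service_of(action)
            if svc is None or svc not in access_advisor:
                keep.append(action)
                continue
            last_used = access_advisor[svc]
            if last_used is None or last_used < cutoff:
                removed.append(action)  # what a rollback record would need to restore
            else:
                keep.append(action)
        if keep:  # a statement with nothing left to allow is dropped entirely
            new_statements.append({**stmt, "Action": keep})
    return new_statements, removed
```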
33.
Young role
34.
Mature role
35.
Retired role
36.
How it all works
• Update
• Schedule
• Repo
• Rollback
37.
How it all works—update
42.
How it all works—schedule
45.
How it all works—repo
50.
How it all works—rollback
56.
Permissions over time
57.
Recap of challenges
62.
● Wanna chat?
• https://gitter.im/netflix-repokid/Lobby
● Twitter
● @MonkeySecurity
● @travismcpeak
● Contribute
• https://github.com/Netflix-Skunkworks/aardvark
• https://github.com/Netflix/repokid
Thanks!