Using Security to Build with Confidence in AWS

2. Mark Nunnikhoven @marknca aws.trendmicro.com

3. The Story More at aws.trendmicro.com 2012 re:Invent SPR203: Cloud Security Is a Shared Responsibility http://bit.ly/2012-spr203 2013 re:Invent SEC208: How to Meet Strict Security and Compliance Requirements in the Cloud http://bit.ly/2013-sec208 SEC307: How Trend Micro Built Their Enterprise Security Offering on AWS http://bit.ly/2013-sec307 2014 re:Invent SEC313: Updating Security Operations for the Cloud http://bit.ly/2014-sec313 SEC314: Customer Perspectives on Implementing Security Controls with AWS http://bit.ly/2014-sec314

4. Shared Responsibility Model AWS Physical Infrastructure Network Virtualization You Operating system Applications Data Service configuration More at aws.amazon.com/security

5. Shared Responsibility Model AWS Physical Infrastructure Network Virtualization You Operating system Applications Data Service configuration More at aws.amazon.com/security

6. Vulnerability Respond Repair

8. by Andreas Lindh (@addelindh)

9. bash is a common command line interpreter

10. a:() { b; } | attack 10 | 10 vulnerability. Widespread and easy to exploit

11. Shellshock Impact

12. 1989 Fantastic summary by David A. Wheeler at http://www.dwheeler.com/essays/shellshock.html#timeline

13. "MicroTAC" by Redrum0486 at English Wikipedia 12.3oz

14. Time Since Last Event Event Action Action Timeline 1989-08-05 8:32 Added to codebase 27 days, 10:20:00 Released to public 9141 days, 21:18:35 Initial report React Clock starts 1 day, 22:19:13 More details React 2 days, 7:30:12 Official patch :: CVE-2014-6271 Patch 4 days, 5:49:25 5 days, 9:16:35 Limited disclosure :: CVE-2014-6271 React 2 days, 4:37:25 More details React 3:44:00 More details React 0:27:51 Public disclosure React 0:36:30 More details React

15. Important Shellshock Events Time Since Last Event Event Action Action Timeline 1989-08-05 8:32 Added to codebase 27 days, 10:20:00 Released to public 9141 days, 21:18:35 Initial report React Clock starts 2 days, 7:30:12 Official patch :: CVE-2014-6271 Patch 4 days, 5:49:25 3:29:09 Official patch :: CVE-2014-7169 Patch 9 days, 19:17:00 3:15:00 Official patch :: CVE-2014-7186, CVE-2014-7187 Patch 4 days, 17:30:00 1 day, 11:55:00 Official patch :: CVE-2014-6277 Patch 1 day, 11:55:00

17. aws.amazon.com/architecture: Web application hosting

18. aws.amazon.com/architecture : Web application hosting

19. TCP : 443TCP: 443 TCP: 4433TCP: 4433 Primary workflow for our deployment

20. AWS VPC Review

21. AWS VPC Checklist Review AWS Identity and Access Management (IAM) roles Security groups Network segmentation Network access control lists (NACL) More in the Auditing Security Checklist for Use of AWS, media.amazonwebservices.com/AWS_Auditing_Security_Checklist.pdf

22. TCP: 443TCP: 443 TCP: 4433TCP: 4433 Primary workflow for our deployment

23. HTTPSTPS Intrusion prevention can look at each packet and then take action depending on what it finds

25. Intrusion Prevention in Action

26. Review All instances covered Workload appropriate rules Centrally managed Security controls must scale out automatically with the deployment

29. All instances deployment from task-specific AMI TCP: 443TCP: 443 TCP: 4433TCP: 4433

30. Workflow should be completely automated Instantiate DestroyConfigure AMI Creation Workflow Bake Instantiate Test

31. AMI Creation

33. Instances tend to drift from the known good state; monitoring key files and processes is important AMI Instance AlertIntegrity Monitoring

34. Integrity Monitoring

35. Keys Respond Review configuration Apply intrusion prevention Repair Patch vulnerability in new AMI Leverage integrity monitoring

36. Keys Automation

37. Build With Confidence

38. SAN FRANCISCO

Using Security to Build with Confidence in AWS

Amazon Web Services

Using Security to Build with Confidence in AWS