Welcome to risk3sixty
North West Atlanta AWS
Establishing a Stronghold:
Core strategies to develop defense in
depth in AWS
Proudly co-hosted by:
Simplifying security and compliance so you
can focus on business.
Grit ◊ Team ◊ Steadfast ◊ Craftsmanship ◊ Freedom
Fastest Growing
Atlanta-Based
Cybersecurity
Consulting Firm
What is risk3sixty?
Founded in 2016, risk3sixty has quickly become one
of the most respected boutique security advisory
firms in the nation. Serving the high growth
technology sector, we are on the cutting edge of
security, privacy, and compliance.
Summary Practice Areas:
Advisory Compliance
Virtual CISO
Offensive Security
Privacy Programs
Security Programs
Internal Audit
Crisis Management
SOC 2 Reporting
PCI DSS Certification
ISO 27001
GDPR/CCPA
NYDFS Cyber
NIST 800-53
www.risk3sixty.com
Context and Introduction
Misconfiguration, poor credential management &
insider threat are the top causes of Cloud Infrastructure
data breaches
• In the past two years alone, the US Department of Defense,
US Central and Pacific Command, Accenture, GoDaddy,
FedEx, and Cisco all encountered data
breaches/unauthorized disclosures due to AWS
misconfigurations.
• According to the global research and advisory firm Gartner,
approximately 80% of all cloud infrastructure breaches are
due to:
• Mismanagement of Credentials
• Infrastructure Misconfiguration
• Insider Theft (largely preventable with proper access control,
segregation of duties, and monitoring/alerting)
Security IRL
Are these the same old problems we have always
contended with, or has the root cause evolved?
Some things to consider:
• Deployment of new web-scale cloud infrastructure is rapid and low effort. A few
incorrect clicks can expose it all to the public internet.
• The concept of deploying a strong firewalled perimeter to wall off a weak internal
network cannot be taken for granted in the web-scale cloud infrastructure.
• Modern web-scale cloud infrastructure favors a developer approach to management.
The skills gap for IT ops personnel without dev expertise is therefore magnified in
web-scale cloud infrastructure.
• The types of issues we are identifying during penetration tests over web-scale cloud
infrastructure differ considerably from what is typical in traditional enterprise IT
environments.
Core Strategy #1 – Enable Cloud-centric Logging
Logging is a necessity for capturing security events, tracking
configuration changes, and meeting compliance requirements.
AWS Native Solution:
Enable AWS CloudTrail to capture all API activity. Make the trail multi-region (or an
organization trail) and turn on log file validation so tampering with delivered log
files is detectable.
Considerations:
• Who can read, modify and delete the logs? Bucket policy and IAM should both restrict
this, and deletion should be denied outright except for a break-glass role.
• Are logs being stored in S3 buckets? How are these protected? Is encryption
enabled on the bucket?
• Are logs encrypted at rest and in transit? CloudTrail encrypts delivered files with
SSE-S3 by default; use SSE-KMS with a customer managed key when you need control of the
key. Delivery is over TLS; deny any non-TLS access to the bucket with an
aws:SecureTransport condition.
• Have retention policies been defined and implemented? Is a lifecycle policy in
place in S3?
• Are you centrally locating log data? CloudTrail is configured per account and region,
not per Availability Zone; deliver all trails to one bucket in a separate, tightly
controlled logging account.
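The considerations above boil down to a bucket policy and a lifecycle configuration. The following is an added example, not code from the original slides: it builds the policy a CloudTrail log bucket needs (the two grants CloudTrail itself requires, a deny on non-TLS access, and a deny on deletion for everyone except one break-glass role), builds a retention lifecycle, and audits an existing policy for the two denies. The bucket name, account ID and role ARN are placeholders.

```python
"""Harden the S3 bucket that receives CloudTrail logs.

Added example, not from the original slides. Bucket name, account ID and the
break-glass role ARN are placeholders. The first two statements are the grants
CloudTrail requires to deliver logs; the two Deny statements implement the
controls the slide asks about (who can delete, encryption in transit).
"""
import json


def build_cloudtrail_bucket_policy(bucket: str, account_id: str, breakglass_role_arn: str) -> dict:
    bucket_arn = f"arn:aws:s3:::{bucket}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "AWSCloudTrailAclCheck", "Effect": "Allow",
             "Principal": {"Service": "cloudtrail.amazonaws.com"},
             "Action": "s3:GetBucketAcl", "Resource": bucket_arn},
            {"Sid": "AWSCloudTrailWrite", "Effect": "Allow",
             "Principal": {"Service": "cloudtrail.amazonaws.com"},
             "Action": "s3:PutObject",
             "Resource": f"{bucket_arn}/AWSLogs/{account_id}/*",
             # CloudTrail must hand object ownership to the bucket owner.
             "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}}},
            {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
             "Action": "s3:*", "Resource": [bucket_arn, f"{bucket_arn}/*"],
             "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
            {"Sid": "DenyLogDeletion", "Effect": "Deny", "Principal": "*",
             "Action": ["s3:DeleteObject", "s3:DeleteObjectVersion", "s3:DeleteBucket"],
             "Resource": [bucket_arn, f"{bucket_arn}/*"],
             # An explicit Deny beats any IAM Allow; only the break-glass role is exempt.
             "Condition": {"ArnNotEquals": {"aws:PrincipalArn": breakglass_role_arn}}},
        ],
    }


def build_retention_lifecycle(archive_after_days: int, expire_after_days: int) -> dict:
    """Lifecycle configuration: archive log objects to Glacier, then expire them."""
    if expire_after_days <= archive_after_days:
        raise ValueError("expiry must come after archival")
    return {"Rules": [{
        "ID": "cloudtrail-retention", "Status": "Enabled",
        "Filter": {"Prefix": "AWSLogs/"},
        "Transitions": [{"Days": archive_after_days, "StorageClass": "GLACIER"}],
        "Expiration": {"Days": expire_after_days}}]}


def _statements(policy: dict) -> list:
    s = policy.get("Statement", [])
    return [s] if isinstance(s, dict) else list(s)


def audit_log_bucket_policy(policy: dict) -> list:
    """Findings a reviewer would raise about an existing log bucket policy."""
    findings = []
    has_tls_deny = has_delete_deny = False
    for s in _statements(policy):
        if s.get("Effect") != "Deny":
            continue
        cond = s.get("Condition") or {}
        actions = s.get("Action")
        actions = [actions] if isinstance(actions, str) else list(actions)
        if (cond.get("Bool", {}).get("aws:SecureTransport") == "false"
                and ("s3:*" in actions or "*" in actions)):
            has_tls_deny = True
        if {"s3:DeleteObject", "s3:DeleteBucket"} <= set(actions):
            has_delete_deny = True
    if not has_tls_deny:
        findings.append("no Deny on aws:SecureTransport=false: logs can be fetched over plaintext HTTP")
    if not has_delete_deny:
        findings.append("no Deny on deletion: any identity with IAM s3:Delete* rights can destroy evidence")
    return findings


if __name__ == "__main__":
    policy = build_cloudtrail_bucket_policy(
        "example-org-cloudtrail", "111122223333",
        "arn:aws:iam::111122223333:role/example-security-breakglass")
    print(json.dumps(policy, indent=2))
    print("findings:", audit_log_bucket_policy(policy) or "none")
    print(json.dumps(build_retention_lifecycle(90, 400)))
```

Apply the policy with `aws s3api put-bucket-policy` and the lifecycle with `aws s3api put-bucket-lifecycle-configuration`; the deletion Deny is what turns "who can delete?" from an IAM review question into an enforced control.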
Core Strategy #2 – Restrict Root & Console Access & Enable MFA
Everywhere
The root user can touch and modify all assets, billing and more.
This account should almost never be accessed or used.
AWS Native Solution(s):
Identity and Access Management (IAM) and multi-factor authentication
Considerations:
• Set a long, unique root password and enable MFA with a hardware key or a time-based
(TOTP) virtual device, and secure that device as carefully as the password.
• Set up IAM users, groups and roles to handle all other aspects of account
management, and require MFA across the organization.
• Give people separate identities for console and programmatic access, to create
further segregation of duties and clearer audit trails.
• Disable/delete the root account's API access keys (it doesn't need them).
• Make sure CloudTrail is logging security events (including root account activity),
and alert on any root sign-in or API call.
• Field Experience Note: What happens if you lose the MFA device for your AWS root
account? Know the recovery path before you need it: AWS verifies the e-mail address and
phone number registered on the account, so keep both current and reachable.
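"Make sure CloudTrail is logging root activity" is only useful if something reads those logs. The following is an added example, not code from the original slides: it runs the two detections this slide implies over a constructed sample of CloudTrail records (root-user activity, using the same filter the CIS AWS Foundations Benchmark uses for its root-usage alarm, and successful console logins without MFA). Account ID, user names and timestamps are placeholders; the record shape follows CloudTrail's JSON.

```python
"""Flag root-user activity and MFA-less console logins in CloudTrail records.

Added example, not from the original slides. The records below are constructed
to mimic CloudTrail's JSON shape; account ID, names and times are placeholders.
"""

# Constructed sample of the "Records" array from a CloudTrail log file.
SAMPLE_RECORDS = [
    {   # root console login with MFA: still an alert, root should not be used at all
        "eventVersion": "1.08", "eventTime": "2023-04-02T09:15:00Z",
        "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
        "eventType": "AwsConsoleSignIn",
        "userIdentity": {"type": "Root", "accountId": "111122223333",
                         "arn": "arn:aws:iam::111122223333:root"},
        "responseElements": {"ConsoleLogin": "Success"},
        "additionalEventData": {"MFAUsed": "Yes"},
    },
    {   # IAM user logging in without MFA
        "eventVersion": "1.08", "eventTime": "2023-04-02T09:20:00Z",
        "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
        "eventType": "AwsConsoleSignIn",
        "userIdentity": {"type": "IAMUser", "userName": "deploy-bot",
                         "arn": "arn:aws:iam::111122223333:user/deploy-bot"},
        "responseElements": {"ConsoleLogin": "Success"},
        "additionalEventData": {"MFAUsed": "No"},
    },
    {   # an AWS service acting on behalf of root: benign, carries invokedBy
        "eventVersion": "1.08", "eventTime": "2023-04-02T10:00:00Z",
        "eventSource": "s3.amazonaws.com", "eventName": "GetBucketAcl",
        "eventType": "AwsApiCall",
        "userIdentity": {"type": "Root", "accountId": "111122223333",
                         "invokedBy": "cloudtrail.amazonaws.com"},
    },
    {   # root creating an access key for itself: high severity
        "eventVersion": "1.08", "eventTime": "2023-04-02T10:05:00Z",
        "eventSource": "iam.amazonaws.com", "eventName": "CreateAccessKey",
        "eventType": "AwsApiCall",
        "userIdentity": {"type": "Root", "accountId": "111122223333",
                         "arn": "arn:aws:iam::111122223333:root"},
    },
    {   # ordinary role activity: no finding
        "eventVersion": "1.08", "eventTime": "2023-04-02T10:06:00Z",
        "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
        "eventType": "AwsApiCall",
        "userIdentity": {"type": "AssumedRole",
                         "arn": "arn:aws:sts::111122223333:assumed-role/ReadOnly/alice"},
    },
]


def is_root_activity(record: dict) -> bool:
    """Direct root use: same filter as the CIS AWS Foundations root-usage alarm."""
    ident = record.get("userIdentity", {})
    return (ident.get("type") == "Root"
            and "invokedBy" not in ident
            and record.get("eventType") != "AwsServiceEvent")


def is_console_login_without_mfa(record: dict) -> bool:
    """Successful console sign-in where no MFA was presented."""
    return (record.get("eventName") == "ConsoleLogin"
            and record.get("responseElements", {}).get("ConsoleLogin") == "Success"
            and record.get("additionalEventData", {}).get("MFAUsed") != "Yes")


def triage(records: list) -> list:
    """Return (severity, eventTime, eventName, reason) tuples for records needing attention."""
    findings = []
    for r in records:
        if is_root_activity(r):
            # Root touching IAM (keys, policies) is worse than root merely signing in.
            sev = "high" if r.get("eventSource") == "iam.amazonaws.com" else "medium"
            findings.append((sev, r["eventTime"], r["eventName"], "root user activity"))
        if is_console_login_without_mfa(r):
            ident = r.get("userIdentity", {})
            who = ident.get("userName", ident.get("type"))
            findings.append(("high", r["eventTime"], r["eventName"],
                             f"console login without MFA: {who}"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_RECORDS):
        print(*f, sep="  ")
```

In production the same two predicates become CloudWatch Logs metric filters on the CloudTrail log group (or an EventBridge rule on `signin.amazonaws.com` events) wired to an alarm, so that the page goes out within minutes rather than at the next log review.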
Core Strategy #3 – Develop an IAM Management Strategy
AWS IAM is where least privilege is enforced: every identity gets only the
permissions its job requires, and nothing is trusted by default.
AWS Native Solution(s):
Identity and Access Management (IAM), Security Token Service (STS)
Considerations:
• Start with AWS managed policies, which are pre-made by AWS for common use cases, but
treat them as a starting point: many grant more than a given workload needs.
• Take the time to map user groups to required permissions truly based on least privilege.
• Prefer customer managed policies over inline policies. A managed policy is versioned,
reusable and can be attached to multiple identities; an inline policy is embedded in,
and deleted with, a single user, group, or role.
• Make use of the Security Token Service (AWS STS) to issue dynamic, short-term
credentials for production resources that expire automatically (role sessions can be as
short as 15 minutes). Highly restrict persistent access to production: limit it to the
SRE team, or use immutable infrastructure and go TNO (trust no one: no standing human
access at all).
• Field Experience Note: AWS IAM federated with Okta and Duo, immutable
infrastructure and AWS Security Token Service together hyper lock down production.
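Mapping groups to permissions "truly based on least privilege" needs a repeatable check, because the over-grants that sink pentests (`s3:*`, `Resource: "*"`, an unscoped `iam:PassRole`) are easy to miss in a long JSON document. The following is an added example, not code from the original slides or an AWS tool: a small linter for IAM identity policies, run against a constructed over-broad policy and a scoped-down rewrite of the same need. The bucket name, account ID and role name are placeholders; the list of escalation-prone actions is a starting set, not exhaustive.

```python
"""Lint an IAM identity policy for least-privilege violations.

Added example, not from the original slides. The two policies at the bottom
are constructed: the first is the 'make it work' policy that turns up in real
accounts, the second grants the same application need with proper scope.
"""
import fnmatch

# Actions whose unscoped grant amounts to account control even without "*".
# Starting set, not exhaustive.
PRIVILEGE_ESCALATION_ACTIONS = (
    "iam:*", "iam:CreateAccessKey", "iam:AttachUserPolicy", "iam:AttachRolePolicy",
    "iam:PutUserPolicy", "iam:PutRolePolicy", "iam:CreatePolicyVersion",
    "iam:SetDefaultPolicyVersion", "iam:PassRole", "sts:AssumeRole",
)


def _as_list(v) -> list:
    if v is None:
        return []
    return [v] if isinstance(v, str) else list(v)


def lint_policy(policy: dict) -> list:
    """Return human-readable findings; an empty list means no obvious over-grant."""
    findings = []
    statements = policy.get("Statement", [])
    statements = [statements] if isinstance(statements, dict) else statements
    for s in statements:
        if s.get("Effect") != "Allow":
            continue
        sid = s.get("Sid", "<no sid>")
        actions = _as_list(s.get("Action"))
        resources = _as_list(s.get("Resource"))
        conditions = s.get("Condition") or {}
        all_resources = "*" in resources
        if "NotAction" in s:
            findings.append(f"{sid}: NotAction grants everything except a list; prefer explicit Action")
        if "*" in actions:
            findings.append(f"{sid}: Action '*' grants every API in every service")
        else:
            for a in actions:
                if a.endswith(":*"):
                    findings.append(f"{sid}: service-wide wildcard {a}")
        if all_resources and not conditions:
            findings.append(f"{sid}: Resource '*' with no Condition")
        for a in actions:
            # fnmatch so a wildcard like 'iam:Create*' still matches 'iam:CreateAccessKey'
            hits = [p for p in PRIVILEGE_ESCALATION_ACTIONS if fnmatch.fnmatch(p, a)]
            if hits and all_resources:
                findings.append(f"{sid}: {a} on all resources enables privilege escalation ({hits[0]})")
                break
    return findings


# Constructed: typical over-broad policy handed to an application role.
OVERBROAD = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AppAccess", "Effect": "Allow",
         "Action": ["s3:*", "iam:PassRole"], "Resource": "*"},
    ],
}

# Constructed: the same need, scoped to one bucket and one role passed to one service.
SCOPED = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ReadAppBucket", "Effect": "Allow",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-app-data", "arn:aws:s3:::example-app-data/*"]},
        {"Sid": "PassOnlyWorkerRole", "Effect": "Allow", "Action": "iam:PassRole",
         "Resource": "arn:aws:iam::111122223333:role/example-worker",
         "Condition": {"StringEquals": {"iam:PassedToService": "ecs-tasks.amazonaws.com"}}},
    ],
}

if __name__ == "__main__":
    for name, pol in (("OVERBROAD", OVERBROAD), ("SCOPED", SCOPED)):
        print(name, lint_policy(pol) or "clean")
```

Run it over the output of `aws iam get-policy-version` (or every inline policy from `aws iam list-user-policies`) as a gate in the pipeline that deploys IAM; IAM Access Analyzer's policy validation covers similar ground natively and is worth enabling alongside, but a lint you control lets you encode your own red lines.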
Core Strategy #4 – Rotate Access Keys & Use AWS STS
Access keys are required for the AWS CLI, SDKs, and direct API calls. Rotation bounds
the window in which a stolen long-lived key stays usable.
AWS Native Solution(s):
Identity and Access Management (IAM), Lambda, Secrets Manager, Security Token Service
Considerations:
For Databases:
• Rotate database credentials with AWS Secrets Manager, which invokes a Lambda rotation
function on a schedule. AWS provides rotation function templates for RDS and other
supported engines.
For Everything Else:
• Avoid embedding static access keys in applications. Use IAM roles instead (see the
IAM guide topic "Using an IAM Role to Grant Permissions to Applications").
• IAM roles hand applications temporary credentials from STS that rotate automatically,
unlike IAM user access keys, which never expire.
• Where a long-lived key cannot be avoided, rotate it on a fixed schedule (90 days or
less, per the CIS AWS Foundations Benchmark) using the two-active-keys pattern: create
the second key, deploy it, deactivate the old key, confirm nothing broke, then delete it.
• Use a distinct identity per application rather than one shared key, so a stolen key is
scoped to one workload and CloudTrail attributes activity to it.
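The rotation schedule above is simple to state and easy to let slide, so it should be computed rather than remembered. The following is an added example, not code from the original slides: given an inventory of access keys with their age and last use (in practice from `iam:ListAccessKeys`, `iam:GetAccessKeyLastUsed` or the IAM credential report), it decides per key whether to keep, rotate, deactivate or delete. The 90-day maximum age follows the CIS benchmark cited above; the 30-day unused threshold, user names and key IDs are constructed placeholders.

```python
"""Decide what to do with each IAM access key based on age and last use.

Added example, not from the original slides. The key inventory below is
constructed; real data comes from iam:ListAccessKeys, iam:GetAccessKeyLastUsed
or the IAM credential report. MAX_KEY_AGE follows the CIS AWS Foundations
Benchmark; UNUSED_LIMIT is an assumption to tune per environment.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

MAX_KEY_AGE = timedelta(days=90)
UNUSED_LIMIT = timedelta(days=30)


@dataclass
class AccessKey:
    user: str
    key_id: str               # the public 'AKIA...' identifier, never the secret
    status: str               # "Active" or "Inactive"
    created: datetime
    last_used: Optional[datetime]


def rotation_action(key: AccessKey, now: datetime) -> str:
    """Return one of: keep, rotate, deactivate, delete.

    IAM allows two keys per user, which is what makes zero-downtime rotation
    possible: create the new key, deploy it, deactivate the old one, watch for
    breakage, then delete it. Deactivating before deleting keeps a rollback path.
    """
    age = now - key.created
    if key.status == "Inactive":
        return "delete"          # already switched off and nothing complained: remove it
    if key.last_used is None and age > UNUSED_LIMIT:
        return "deactivate"      # never used since creation: nothing depends on it
    if key.last_used is not None and now - key.last_used > UNUSED_LIMIT:
        return "deactivate"      # stale: likely an abandoned integration
    if age > MAX_KEY_AGE:
        return "rotate"          # in use but past the age limit: two-key rotation
    return "keep"


def plan(keys: list, now: datetime) -> dict:
    """Map each key id to its action, so the result can drive automation or tickets."""
    return {k.key_id: rotation_action(k, now) for k in keys}


# Constructed inventory; key ids are placeholders in the AKIA...EXAMPLE style AWS uses.
NOW = datetime(2023, 6, 1, tzinfo=timezone.utc)
INVENTORY = [
    AccessKey("ci-runner", "AKIAIOSFODNN7EXAMPLE", "Active",
              NOW - timedelta(days=120), NOW - timedelta(days=1)),       # old, in use -> rotate
    AccessKey("ci-runner", "AKIAI44QH8DHBEXAMPLE", "Active",
              NOW - timedelta(days=5), NOW - timedelta(hours=2)),        # fresh -> keep
    AccessKey("legacy-etl", "AKIAJEXAMPLE00000001", "Active",
              NOW - timedelta(days=400), NOW - timedelta(days=200)),     # stale -> deactivate
    AccessKey("intern-2019", "AKIAJEXAMPLE00000002", "Inactive",
              NOW - timedelta(days=900), None),                          # -> delete
    AccessKey("new-hire", "AKIAJEXAMPLE00000003", "Active",
              NOW - timedelta(days=2), None),                            # too new to judge -> keep
]

if __name__ == "__main__":
    for key_id, action in plan(INVENTORY, NOW).items():
        print(f"{key_id}: {action}")
```

Feed the "rotate" and "deactivate" results to `aws iam update-access-key --status Inactive` and the "delete" results to `aws iam delete-access-key`; the "rotate" set is also the list of workloads that should be moved onto roles so the key stops existing altogether.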
Core Strategy #5 – Layered Defense Model for Web Apps
The majority of organizations utilizing AWS do so to host web apps and
publicly accessible services. Use a layered defense approach to protect them.
AWS Native Solution(s):
CloudFront with S3 buckets, Elastic Load Balancing, AWS WAF, multiple Availability Zones,
and a Virtual Private Cloud with network ACLs and Security Groups
Considerations:
• Identify and define business needs for all open ports and lines of communication,
including ingress and egress to public sources and server-to-server traffic.
• Security Groups are stateful: return traffic for an allowed inbound connection is
allowed out regardless of outbound rules (and vice versa). They only have allow rules.
• VPC network ACLs are stateless: return traffic is not automatically allowed, so a NACL
that permits inbound 443 must also permit outbound traffic to the clients' ephemeral
ports (1024-65535). NACLs are evaluated in rule-number order with the first match
winning and, unlike Security Groups, support explicit deny rules, which makes them the
place to block a known-bad address range at the subnet edge.
• Strategies surrounding TLS termination will vary. Outside the scope of this talk.
• Field Experience Note: Every team architects their solution differently. I've never
seen the same set up twice.
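The stateful/stateless distinction is the one that bites during a deployment: a NACL copied from a classic firewall policy lets HTTPS in and then drops every reply. The following is an added example, not code from the original slides: it models the two evaluation rules AWS documents (stateful Security Groups with connection tracking; stateless NACLs evaluated in rule-number order, first match wins, implicit deny at the end) and runs a web-tier connection through a naive NACL, a corrected one with the ephemeral-port rule and an explicit deny, and a Security Group with no outbound rules at all. Rule sets, addresses and ports are constructed; the CIDR matcher is deliberately simplified.

```python
"""Why a network ACL needs an ephemeral-port rule and a Security Group does not.

Added example, not from the original slides. Security Groups are stateful (the
reply to an allowed connection is allowed regardless of outbound rules); network
ACLs are stateless and evaluated in ascending rule-number order, first match
deciding, falling through to the implicit deny. Rule sets, addresses and ports
below are constructed for a web tier; the CIDR matcher is simplified.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class NaclRule:
    number: int
    protocol: str    # "tcp", "udp", or "-1" for all protocols
    port_from: int
    port_to: int
    cidr: str        # simplified: "0.0.0.0/0" or one exact address
    action: str      # "allow" or "deny"


def _cidr_matches(cidr: str, addr: str) -> bool:
    # Simplified matcher sufficient for the demo: any-address CIDR or exact address.
    return cidr == "0.0.0.0/0" or cidr == addr


def nacl_allows(rules, protocol: str, port: int, addr: str) -> bool:
    """First matching rule in number order wins; no match hits the implicit '*' deny."""
    for r in sorted(rules, key=lambda r: r.number):
        if (r.protocol in ("-1", protocol) and r.port_from <= port <= r.port_to
                and _cidr_matches(r.cidr, addr)):
            return r.action == "allow"
    return False


def connection_succeeds_through_nacl(inbound, outbound, client_addr, client_port, server_port):
    """A TCP exchange needs the request in AND the reply out; a NACL checks each on its own."""
    request_in = nacl_allows(inbound, "tcp", server_port, client_addr)
    reply_out = nacl_allows(outbound, "tcp", client_port, client_addr)
    return request_in and reply_out


class SecurityGroup:
    """Allow-only rules plus connection tracking, which is what 'stateful' means here."""

    def __init__(self, inbound_ports, outbound_ports):
        self.inbound_ports = set(inbound_ports)
        self.outbound_ports = set(outbound_ports)
        self._tracked = set()

    def inbound(self, peer, peer_port, local_port) -> bool:
        if local_port in self.inbound_ports:
            self._tracked.add((peer, peer_port, local_port))   # remember the flow
            return True
        return False

    def outbound(self, peer, peer_port, local_port) -> bool:
        if (peer, peer_port, local_port) in self._tracked:
            return True                          # reply to a tracked flow: always allowed
        return peer_port in self.outbound_ports  # new outbound connection: needs a rule


def connection_succeeds_through_sg(sg: SecurityGroup, client_addr, client_port, server_port):
    return (sg.inbound(client_addr, client_port, server_port)
            and sg.outbound(client_addr, client_port, server_port))


# Constructed: a NACL written like a classic firewall policy, forgetting return traffic.
NAIVE_INBOUND = [NaclRule(100, "tcp", 443, 443, "0.0.0.0/0", "allow")]
NAIVE_OUTBOUND = [NaclRule(100, "tcp", 443, 443, "0.0.0.0/0", "allow")]

# Constructed: corrected NACL. Outbound covers the 1024-65535 ephemeral range AWS
# documents for return traffic; rule 90 is an explicit deny placed ahead of the allow.
FIXED_INBOUND = [
    NaclRule(90, "tcp", 443, 443, "203.0.113.7", "deny"),
    NaclRule(100, "tcp", 443, 443, "0.0.0.0/0", "allow"),
]
FIXED_OUTBOUND = [NaclRule(100, "tcp", 1024, 65535, "0.0.0.0/0", "allow")]

if __name__ == "__main__":
    client, eph = "198.51.100.23", 51234
    print("naive NACL, HTTPS from client:",
          connection_succeeds_through_nacl(NAIVE_INBOUND, NAIVE_OUTBOUND, client, eph, 443))
    print("fixed NACL, HTTPS from client:",
          connection_succeeds_through_nacl(FIXED_INBOUND, FIXED_OUTBOUND, client, eph, 443))
    print("fixed NACL, denied address:   ",
          connection_succeeds_through_nacl(FIXED_INBOUND, FIXED_OUTBOUND, "203.0.113.7", eph, 443))
    web_sg = SecurityGroup(inbound_ports={443}, outbound_ports=set())
    print("security group, no outbound rules, HTTPS:",
          connection_succeeds_through_sg(web_sg, client, eph, 443))
```

The practical rule that falls out: put the application-level allow list in Security Groups (stateful, per instance or per load balancer) and keep NACLs coarse, reserving their deny rules and rule ordering for subnet-wide blocks.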
Core Strategy #5 – Layered Defense Model Continued…
Core Strategy #6 – Make Sure S3 Data is Locked Down
AWS S3 provides comprehensive security and compliance
capabilities, but with that flexibility and complexity comes risk.
AWS Native Solution(s):
Amazon S3 (including Block Public Access), CloudFront, IAM, Amazon Macie
Considerations:
• Start with bucket policies and IAM policies and restrict public access. Turn on S3
Block Public Access at the account level: it overrides any bucket policy or ACL that
would otherwise make a bucket public (search: "Bucket Policies to Secure S3").
• Pay close attention to how IAM permissions are applied. S3 is locked down by default,
but as access is opened up to make applications work, errors abound; review every
Principal "*" in a bucket policy and every ACL grant to AllUsers or AuthenticatedUsers.
• When content must be served publicly, keep the bucket private and serve it through
CloudFront with an Origin Access Identity (since superseded by Origin Access Control),
so only the distribution can read the objects (search: "Restricting Access to Amazon S3
Content by Using an Origin Access Identity").
• Look for the "Public" flag in the S3 Management Console.
• Consider Amazon Macie to automatically scan your S3 buckets for sensitive data and
public exposure.
• Consider community tools like s3-inspector to perform security checks (search: "github
s3-inspector").
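The "Public" flag in the console is computed from exactly two inputs, the bucket policy and the bucket ACL, and it pays to know the rule rather than trust the badge. The following is an added example, not code from the original slides or from s3-inspector: it applies that rule to constructed `GetBucketPolicy` / `GetBucketAcl` output for a bucket opened to the world "to make it work", and to the same bucket locked down behind a CloudFront Origin Access Identity. Bucket names, owner ID and the OAI identifier are placeholders.

```python
"""Detect public exposure of an S3 bucket from its policy and ACL.

Added example, not from the original slides. A bucket becomes public in one of
two places: a bucket policy statement granting to everyone, or an ACL grant to
the AllUsers or AuthenticatedUsers groups. Inputs below are constructed in the
shape GetBucketPolicy / GetBucketAcl return; names and IDs are placeholders.
"""
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GROUPS = {ALL_USERS: "AllUsers (anyone on the internet)",
                 AUTHENTICATED_USERS: "AuthenticatedUsers (any AWS account)"}

# Condition keys that pin a wildcard principal to a specific caller; a Principal "*"
# scoped by one of these is not public.
SCOPING_CONDITION_KEYS = ("aws:sourcearn", "aws:sourceaccount", "aws:principalorgid",
                          "aws:sourcevpce", "aws:sourcevpc")


def _is_wildcard_principal(principal) -> bool:
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def _scoped_by_source_condition(condition: dict) -> bool:
    for keys in condition.values():
        if any(k.lower() in SCOPING_CONDITION_KEYS for k in keys):
            return True
    return False


def policy_findings(policy: dict) -> list:
    findings = []
    statements = policy.get("Statement", []) if policy else []
    statements = [statements] if isinstance(statements, dict) else statements
    for s in statements:
        if s.get("Effect") != "Allow" or not _is_wildcard_principal(s.get("Principal")):
            continue
        cond = s.get("Condition") or {}
        if cond and _scoped_by_source_condition(cond):
            continue   # wildcard principal, but pinned to one source: not public
        actions = s.get("Action")
        actions = [actions] if isinstance(actions, str) else list(actions)
        findings.append(f"policy {s.get('Sid', '<no sid>')}: public grant of {', '.join(actions)}")
    return findings


def acl_findings(acl: dict) -> list:
    findings = []
    for g in acl.get("Grants", []):
        grantee = g.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            findings.append(f"acl: {g.get('Permission')} granted to {PUBLIC_GROUPS[grantee['URI']]}")
    return findings


def is_public(policy: dict, acl: dict) -> bool:
    return bool(policy_findings(policy) or acl_findings(acl))


# Constructed: a bucket meant to sit behind CloudFront, opened to the world "to make it work".
LEAKY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-assets/*"}]}
LEAKY_ACL = {"Owner": {"ID": "example-owner-id"}, "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "example-owner-id"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": AUTHENTICATED_USERS}, "Permission": "READ"}]}

# Constructed: the fix. Reads come only from the distribution's origin access identity.
LOCKED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "CloudFrontOnly", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity EXAMPLEOAI"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-assets/*"}]}
LOCKED_ACL = {"Owner": {"ID": "example-owner-id"}, "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "example-owner-id"}, "Permission": "FULL_CONTROL"}]}

if __name__ == "__main__":
    print(policy_findings(LEAKY_POLICY) + acl_findings(LEAKY_ACL))
    print("locked-down bucket public?", is_public(LOCKED_POLICY, LOCKED_ACL))
```

Loop this over every bucket from `aws s3api list-buckets` as a scheduled check; the AuthenticatedUsers grant is the one teams most often misread as "our users", when it means every AWS customer.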
Core Strategy #7 – Consider but Don't Over-Rely on Security Tools
AWS is releasing new features and tools all the time, but they should
never be considered a replacement for foundational security practices.
AWS Native Solution(s):
Amazon Inspector, Amazon Macie, AWS WAF, Amazon GuardDuty, AWS Security Hub, AWS Shield
Considerations:
Most common solutions encountered in the wild:
• Amazon Inspector: automated vulnerability assessment of workloads against known CVEs
and deviations from best practice.
• Amazon Macie: automatically discover, classify, and protect sensitive data in S3.
• AWS WAF: protect your web applications from common web exploits.
• Amazon GuardDuty: threat detection and continuous monitoring driven by CloudTrail, VPC
Flow Logs and DNS logs.
• AWS Shield: managed DDoS protection (Standard is on for every account at no charge;
Advanced is a paid tier).
• AWS Security Hub: comprehensive view of your high-priority security alerts and
compliance status across AWS accounts.
• None of these substitutes for the strategies above: a GuardDuty finding about a
compromised key only helps if someone receives it and can revoke the key.
Fastest Growing Companies
Questions or
Comments?
Security Craftsmanship
Top 5 Cybersecurity Companies
risk3sixty
