18. Exercise 1:
Disable Root Account API Access Key
The root account has no restrictions: no IAM policy can limit what its credentials can do.
Create administrative IAM users for day-to-day work.
Grant those users access to billing information and tools, so nobody needs the root account for that either.
"Lock the door and throw away the key", i.e. disable or delete the default AWS root user API access keys.
19. Exercise 2:
Enable MFA Tokens Everywhere
Rotating passwords too often: BAD
Using overly complicated passwords no one remembers: BAD
Using Multi-factor Authentication: GOOD
MFA: physical or virtual tokens
Virtual has choices: Google Authenticator, Authy, etc.
20. Exercise 3:
Reduce IAM Users With Admin Rights
Create IAM admin users: at least 2, no more than 3 per IAM group.
What is the risk if an admin account is lost or compromised?
Could the result impact my revenue or reputation?
21. Exercise 4:
Use Roles for AWS EC2
Do your EC2 instances need to contact other AWS services? Give them an IAM role (instance profile) instead of baking access keys into the instance.
Temporary authentication credentials, automatically generated and rotated by AWS.
Limited privilege: the role carries only the permissions the instance needs.
Reduces the surface area of attack: no long-lived keys on disk, in user data or in AMIs.
Auditable activity with CloudTrail.
22. Exercise 5:
Least Privilege
Only give minimal rights to do things on AWS: just what is needed to accomplish the task or action.
IAM can get very granular.
This applies to:
● IAM Users
● IAM Groups
● IAM Roles / Instance Profiles
● Applications or Scripts
e.g. If an app only needs to write to an S3 bucket, then only give it s3:PutObject, and only on that bucket's objects.
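The PutObject example from this slide, worked through in code. This is an added example, not material from the deck: the over-broad policy is shown beside the least-privilege one, a small builder produces the minimal S3 policy for a given set of actions (bucket-level actions such as ListBucket go on the bucket ARN, object-level actions such as PutObject on the bucket/* ARN), and a linter flags Allow statements that use wildcard actions or resources. The bucket name is assumed for illustration.

```python
import json

BUCKET = "example-app-uploads"  # assumed bucket name for the example

# Over-broad: what gets written when the app "just needs to work".
BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}],
}

# Actions that target the bucket itself; everything else targets objects (bucket/*).
BUCKET_LEVEL_ACTIONS = {"s3:ListBucket", "s3:GetBucketLocation"}


def minimal_s3_policy(bucket, actions, prefix=""):
    """Build the smallest policy that allows exactly `actions` on `bucket`.

    Object-level actions are restricted to `prefix` inside the bucket when given.
    """
    bucket_arn = f"arn:aws:s3:::{bucket}"
    bucket_acts = sorted(a for a in actions if a in BUCKET_LEVEL_ACTIONS)
    object_acts = sorted(a for a in actions if a not in BUCKET_LEVEL_ACTIONS)
    statements = []
    if bucket_acts:
        statements.append({"Effect": "Allow", "Action": bucket_acts, "Resource": bucket_arn})
    if object_acts:
        statements.append({"Effect": "Allow", "Action": object_acts,
                           "Resource": f"{bucket_arn}/{prefix}*"})
    return {"Version": "2012-10-17", "Statement": statements}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def policy_findings(policy):
    """Flag Allow statements whose Action or Resource is a wildcard."""
    findings = []
    for i, st in enumerate(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        for action in _as_list(st.get("Action", [])):
            if action == "*" or action.endswith(":*"):
                findings.append(f"statement {i}: action {action!r} grants every API call in the service")
        for resource in _as_list(st.get("Resource", [])):
            if resource == "*":
                findings.append(f"statement {i}: resource '*' applies to every bucket and object")
    return findings


if __name__ == "__main__":
    # The slide's case: the app only writes objects, so it only gets s3:PutObject on bucket/*.
    minimal = minimal_s3_policy(BUCKET, ["s3:PutObject"])
    print(json.dumps(minimal, indent=2))
    print("broad policy findings:", policy_findings(BROAD_POLICY))
    print("minimal policy findings:", policy_findings(minimal))
```

Attach the minimal policy to the role or user the app runs as; if the app later needs to list the bucket, add s3:ListBucket and the builder places it on the bucket ARN rather than widening the object statement.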
23. Exercise 6:
Rotate All the Keys Regularly
Rotate all credentials, passwords and API access keys on a regular basis.
At least every 90 days: 90 days is the maximum age of a key, not the minimum interval between rotations.
Compromised API access keys can cost your business dearly.
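Exercises 1, 2 and 6 can all be checked from one artefact, the IAM credential report (`aws iam generate-credential-report`, then `aws iam get-credential-report`, which returns the CSV base64-encoded). The auditor below is an added example, not code from the deck: it flags root access keys, console users without MFA (and a root account without MFA), and any active access key older than 90 days. The report rows are constructed with made-up users and a made-up account ID, and the "current time" is fixed so the age arithmetic is reproducible.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample in the column layout of an IAM credential report.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws:iam::123456789012:root,2014-01-10T09:00:00+00:00,not_supported,2016-03-01T12:00:00+00:00,not_supported,not_supported,false,true,2014-01-10T09:05:00+00:00,2016-02-28T08:00:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
alice,arn:aws:iam::123456789012:user/alice,2015-06-01T10:00:00+00:00,true,2016-03-02T07:30:00+00:00,2015-12-01T10:00:00+00:00,N/A,true,true,2016-01-15T10:00:00+00:00,2016-03-02T07:35:00+00:00,eu-central-1,ec2,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
bob,arn:aws:iam::123456789012:user/bob,2015-06-01T10:00:00+00:00,true,2016-03-01T11:00:00+00:00,2015-06-01T10:00:00+00:00,N/A,false,true,2015-06-01T10:00:00+00:00,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
deploy-bot,arn:aws:iam::123456789012:user/deploy-bot,2015-09-01T10:00:00+00:00,false,N/A,N/A,N/A,false,true,2015-11-20T10:00:00+00:00,2016-03-02T06:00:00+00:00,us-east-1,s3,true,2016-02-01T10:00:00+00:00,N/A,N/A,N/A,false,N/A,false,N/A
"""

NOW = datetime(2016, 3, 2, 12, 0, tzinfo=timezone.utc)  # assumed "current" time for the sample
MAX_KEY_AGE = timedelta(days=90)                          # Exercise 6: 90 days is the maximum age
ROOT = "<root_account>"


def _parse_ts(value):
    """Parse a report timestamp; the report's N/A style placeholders yield None."""
    if value in ("N/A", "not_supported", "no_information", ""):
        return None
    return datetime.fromisoformat(value)


def audit_credential_report(report_csv, now=NOW, max_key_age=MAX_KEY_AGE):
    """Return (user, finding) tuples for root keys, missing MFA and stale keys."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        if user == ROOT:
            # Exercise 1: the root account must not have API access keys at all.
            for n in ("1", "2"):
                if row[f"access_key_{n}_active"] == "true":
                    findings.append((user, f"root access key {n} is active: delete it"))
            # Exercise 2: root has a password by definition, so it needs MFA too.
            if row["mfa_active"] != "true":
                findings.append((user, "root account has no MFA"))
        # Exercise 2: every IAM user with a console password needs MFA.
        if row["password_enabled"] == "true" and row["mfa_active"] != "true":
            findings.append((user, "console password without MFA"))
        # Exercise 6: every active key must have been rotated inside the window.
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] != "true":
                continue
            rotated = _parse_ts(row[f"access_key_{n}_last_rotated"])
            if rotated is None or now - rotated > max_key_age:
                findings.append((user, f"access key {n} not rotated in {max_key_age.days} days"))
    return findings


if __name__ == "__main__":
    for user, finding in audit_credential_report(SAMPLE_REPORT):
        print(f"{user:16} {finding}")
```

Run it against a real report by feeding the decoded CSV to `audit_credential_report` with `now=datetime.now(timezone.utc)`; the report is generated at most once every four hours, so the ages are approximate to that granularity.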
24. Exercise 7:
Use IAM Roles With AWS STS
Similar to EC2 roles.
Can be used in place of privileged IAM user access keys.
Temporary credentials.
Allows 3rd parties to access your account more securely: they assume a role you define instead of holding one of your users' keys.
Variants of AssumeRole (AssumeRoleWithSAML, AssumeRoleWithWebIdentity) allow identity federation.
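The third-party case from this slide, as an added example rather than the deck's own material. A vendor account should only be able to assume your role when it also presents the external ID you agreed on (the `sts:ExternalId` condition key), otherwise a vendor that serves many customers can be tricked into using your role on someone else's behalf. The builder produces such a trust policy and the checker flags trust policies that let any account assume the role, or a foreign account assume it without an external ID. Account IDs and the external ID are made-up values.

```python
import json


def third_party_trust_policy(vendor_account_id, external_id):
    """Trust policy: only `vendor_account_id` may assume the role, and only with our external ID."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{vendor_account_id}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _account_of(principal_arn):
    """Account ID from an IAM ARN, or the value itself when a bare account ID is used."""
    return principal_arn.split(":")[4] if principal_arn.startswith("arn:") else principal_arn


def trust_policy_findings(policy, my_account_id):
    """Flag AssumeRole grants to anyone, or to other accounts without sts:ExternalId."""
    findings = []
    for i, st in enumerate(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        actions = _as_list(st.get("Action", []))
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        principal = st.get("Principal")
        if principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*"):
            findings.append(f"statement {i}: any AWS account may assume this role")
            continue
        aws_principals = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else []
        external_id = st.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        for arn in aws_principals:
            if _account_of(arn) != my_account_id and not external_id:
                findings.append(f"statement {i}: cross-account principal {arn} without sts:ExternalId")
    return findings


if __name__ == "__main__":
    policy = third_party_trust_policy("999988887777", "7f3c2e1b-example")
    print(json.dumps(policy, indent=2))
    print("findings:", trust_policy_findings(policy, "123456789012"))
```

The vendor then calls `AssumeRole` with `RoleArn` and the same `ExternalId` and receives temporary credentials; the permission policy attached to the role decides what those credentials can do, so Exercise 5 applies to it as well.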
25. Exercise 8:
Use AutoScaling to Counter DDoS
AutoScaling allows you to increase the number of EC2 instances automatically.
More instances means your site stays up.
Small price to pay for increased reliability.
26. Exercise 9:
Do Not Allow 0.0.0.0/0 Unless You Mean It
SSH: only allow access from the origin IP address (and port) you will administer your instance from.
Only turn this on when needed and remove it when not.
EC2 IP address ranges are a favourite of scanners.
This affects not just EC2 instances but also ELBs, ElastiCache clusters, RDS, EMR nodes and others.
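A way to find the rules this slide warns about, added here as an example and not part of the deck: walk the output of `aws ec2 describe-security-groups` and report every inbound rule whose source is the whole Internet (`0.0.0.0/0` or `::/0`), unless the rule covers only ports you have decided to expose on purpose. The group data below is constructed; the group IDs, names and the 203.0.113.10 admin address are made up, and the set of "meant it" ports is an assumption you would tune per environment.

```python
import ipaddress

# Constructed sample in the shape of `aws ec2 describe-security-groups` output.
SAMPLE_GROUPS = {
    "SecurityGroups": [
        {"GroupId": "sg-0a1b2c3d", "GroupName": "web", "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        ]},
        {"GroupId": "sg-1b2c3d4e", "GroupName": "bastion", "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "203.0.113.10/32"}], "Ipv6Ranges": []},  # admin origin only
        ]},
        {"GroupId": "sg-2c3d4e5f", "GroupName": "db", "IpPermissions": [
            {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        ]},
    ]
}

# (protocol, port) pairs you genuinely mean to expose to the world. Assumed for the example.
PUBLIC_OK = {("tcp", 80), ("tcp", 443)}


def _world_cidrs(rule):
    """CIDRs in the rule that match every address, i.e. prefix length 0 (0.0.0.0/0, ::/0)."""
    cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
    return [c for c in cidrs if ipaddress.ip_network(c, strict=False).prefixlen == 0]


def world_open_rules(groups, public_ok=PUBLIC_OK):
    """Return (group id, name, what is open, from where) for each Internet-wide inbound rule."""
    findings = []
    for sg in groups["SecurityGroups"]:
        for rule in sg.get("IpPermissions", []):
            world = _world_cidrs(rule)
            if not world:
                continue
            proto = rule["IpProtocol"]
            if proto == "-1":  # "All traffic": every protocol and port
                findings.append((sg["GroupId"], sg["GroupName"], "ALL traffic", ",".join(world)))
                continue
            lo, hi = rule.get("FromPort"), rule.get("ToPort")
            ports = range(lo, hi + 1) if lo is not None and lo >= 0 else []
            if ports and all((proto, p) in public_ok for p in ports):
                continue  # an intentional public service such as HTTPS
            findings.append((sg["GroupId"], sg["GroupName"], f"{proto}/{lo}-{hi}", ",".join(world)))
    return findings


if __name__ == "__main__":
    for gid, name, what, source in world_open_rules(SAMPLE_GROUPS):
        print(f"{gid} ({name}): {what} open from {source}")
```

The bastion group passes because its SSH rule is pinned to a single /32, which is exactly what the slide asks for; the `web` group fails on port 22 even though its 443 rule is accepted, and the `db` group fails outright because "All traffic" from anywhere is never intended.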
27. Exercise 10:
Strengthen S3 Bucket Policies
Watch for world-readable and world-listable S3 buckets.
Open S3 buckets are a favourite for trolling for API access keys.
Check your bucket security regularly.
Watch for the AuthenticatedUsers grantee: it means any AWS account holder anywhere, not just users in your account.
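The regular check this slide asks for, as an added example that is not part of the deck. Two things make a bucket open: an ACL grant to the AllUsers or AuthenticatedUsers group (READ on a bucket ACL is what makes it world-listable), and a bucket policy whose Allow statement names `Principal: "*"` with no Condition. The function below inspects both for each bucket, using data in the shape of `aws s3api get-bucket-acl` and `get-bucket-policy` output. The bucket names, owner ID and account ID are constructed.

```python
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
GROUP_LABEL = {
    ALL_USERS: "everyone, no AWS account needed",
    AUTH_USERS: "any AWS account holder in the world, not just yours",
}

# Constructed sample: bucket name -> (get-bucket-acl output, bucket policy document or None).
SAMPLE_BUCKETS = {
    "corp-website-assets": ({"Owner": {"ID": "c0ffee"}, "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "c0ffee"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
    ]}, None),
    "corp-db-backups": ({"Owner": {"ID": "c0ffee"}, "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "c0ffee"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": AUTH_USERS}, "Permission": "READ"},
    ]}, {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::corp-db-backups/*"}]}),
    "corp-private": ({"Owner": {"ID": "c0ffee"}, "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "c0ffee"}, "Permission": "FULL_CONTROL"},
    ]}, {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:role/app"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::corp-private/*"}]}),
}


def _is_anyone(principal):
    """True for Principal "*" or {"AWS": "*"} (also inside a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in (aws if isinstance(aws, list) else [aws])
    return False


def bucket_exposure(buckets):
    """Return (bucket, finding) for every public ACL grant or anyone-allowed policy statement."""
    findings = []
    for name, (acl, policy) in buckets.items():
        for grant in acl.get("Grants", []):
            uri = grant["Grantee"].get("URI")
            if uri in GROUP_LABEL:
                findings.append((name, f"ACL {grant['Permission']} for {GROUP_LABEL[uri]}"))
        for st in (policy or {}).get("Statement", []):
            if st.get("Effect") == "Allow" and _is_anyone(st.get("Principal")) and "Condition" not in st:
                findings.append((name, f"bucket policy allows {st.get('Action')} to Principal *"))
    return findings


if __name__ == "__main__":
    for bucket, finding in bucket_exposure(SAMPLE_BUCKETS):
        print(f"{bucket}: {finding}")
```

Every finding needs a human decision: the website assets bucket may be public on purpose, while a backups bucket readable by any AWS account is the kind of bucket that gets trawled for access keys. An unconditional `Principal: "*"` statement is reported even when its Action looks narrow, because `s3:GetObject` on `bucket/*` is already world-readable.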
28. Are your S3 Buckets Secure?
359 Million Records Leaked
30. The CloudFit Regimen
⃞ Exercise 1: Disable Root Account API Access Key
⃞ Exercise 2: Enable MFA Tokens Everywhere
⃞ Exercise 3: Reduce IAM Users With Admin Rights
⃞ Exercise 4: Use Roles for AWS EC2
⃞ Exercise 5: Least Privilege
⃞ Exercise 6: Rotate All the Keys Regularly
⃞ Exercise 7: Use IAM Roles With AWS STS
⃞ Exercise 8: Use AutoScaling to Counter DDoS
⃞ Exercise 9: Do Not Allow 0.0.0.0/0 Unless You Mean It
⃞ Exercise 10: Create AWS S3 Bucket Policies
⃞ Exercise 11: Enable AWS CloudTrail and Encryption
38. ● Founded in 2010
● 150,000+ businesses
● 150+ countries
● 7 products
● $249M in funding
39. Freshdesk ● Customer support software
● Email, social, phone & chat channels
● 2.5 million DB reads in a minute
● 3 million conversations in a day
● 44TB of data
● 750 Million requests per week
● DCs in US, Australia, EU-C & India