Cloud Security (AWS)

Post on 16-Jul-2015


Cloud Security

Scott Arveseth

@ScottArveseth

Scott.Arveseth@gmail.com

The Cloud

IaaS: AWS, Azure, Rackspace, VMWare

SaaS: SalesForce, Cloud9, Akamai, AppDynamics

PaaS: Cloud Foundry, Google App Engine, Azure, AWS, SalesForce

Software & Services: Office 365, QuickBase, Lynda.com

Agility

Scalability

Resiliency

High Availability

Security?

Behind the Cloud…

[Diagram: the cloud layer stack: Physical Facilities, Infrastructure, Compute & Storage, Hypervisor, Virtual Network, Operating System, App Framework, Application, Data]

Amazon Web Services (AWS)

Regions Worldwide (11)

o Availability Zones (2-3 per Region)

Edge Locations (50+)


Security is a Shared Responsibility

[Diagram, repeated for SaaS, PaaS and IaaS: the layer stack with the boundary drawn between what is the Provider's responsibility and what is Yours]

Your responsibility vs. Provider responsibility

o Type of service

o Contractual agreements

Evaluating Cloud providers

o SOC I/II, ISO 27002, PCI, HIPAA

o Contractual agreements

o Financial limits

Amazon Web Services (AWS)

IaaS: flexible & complex

AWS offers IaaS, PaaS, and SaaS solutions

[Diagram: the layer stack annotated with where AWS's IaaS and PaaS offerings sit]

Evaluating Risk

[Diagram: the layer stack, annotated "Where are the biggest risks?"]

Verizon DBIR 2014

Incident Classification: Web App Attacks (35%), External Discovery (88%); Cyber-Espionage (22%), External Discovery (85%)

Actions: Stolen Creds (1)(3)(3); Export Data (2)(7)(4)

Source: www.verizonenterprise.com/DBIR/2014/

[Reference architecture diagram, Region: US-East, built up over several slides: Users; a DMZ Subnet and a Priv. Subnet protected by NACLs and Security Groups; DevOps Users working through the AWS Dashboard, CLIs and APIs (AWS CLI, Java, Python (boto), Node.js); Admins holding an SSH Key, an MFA token and an AWS Access Key, using the AWS CLI with a role; Amazon CloudWatch and AWS CloudFormation alongside]

Security in the Cloud

Monitor, Assess, Defend (MAD)

Monitor

o Detection is important

o Built on a foundation of logs

Assess / Test

o Evaluate security controls

o Dangerous ground when scanning your app on provider’s infrastructure

Defend

o Prevent security incidents from occurring

o Raise the bar

Monitor (MAD)

Web Application Firewall (WAF)

o Bursting thresholds

o OWASP Top 10

o Tuned to the application

Application, RDS logs

o AuthN/Z

o Security related

o Anomaly detection

ELB – Log user requests

o Anomaly detection

Monitor

S3 Access Logging

o If there is sensitive information in S3 buckets (S3 access logs are not part of CloudTrail)

CloudWatch

o Availability & performance of EC2 instances

Monitor

CloudTrail – AWS account actions

o Any root account activity

o StopLogging / UpdateTrail

o Create/DeleteVPC

o CreateAccessKey

o Privileged Role assignments

o DeleteHostedZone

o ChangeResourceRecordSet

o RunInstance (dramatic change)

o Public Security Group modification

IAM

o AWS Access Keys

o Inventory (owner) / Last recycle date
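Added example, not from the deck: the CloudTrail watch list above as a small Python triage run over constructed records. The event names are the real API names behind the bullets (StopLogging, CreateVpc, ChangeResourceRecordSets, RunInstances and so on); the records and event IDs are made up, and the 0.0.0.0/0 check on AuthorizeSecurityGroupIngress is my reading of the "Public Security Group modification" bullet.

```python
import json

# Watch list built from the deck's bullet points, using the API names CloudTrail records.
WATCHED = {"StopLogging", "UpdateTrail", "CreateVpc", "DeleteVpc", "CreateAccessKey",
           "DeleteHostedZone", "ChangeResourceRecordSets", "RunInstances"}

def public_cidrs(record):
    """Return the 0.0.0.0/0 ranges in a security-group rule change, if any."""
    params = record.get("requestParameters") or {}
    found = []
    for perm in (params.get("ipPermissions") or {}).get("items", []):
        for rng in (perm.get("ipRanges") or {}).get("items", []):
            if rng.get("cidrIp") == "0.0.0.0/0":
                found.append(rng["cidrIp"])
    return found

def classify(record):
    """List the alert reasons for one CloudTrail record; empty means nothing to flag."""
    reasons = []
    name = record.get("eventName", "")
    if (record.get("userIdentity") or {}).get("type") == "Root":
        reasons.append("root account activity")  # any root use is worth a look
    if name in WATCHED:
        reasons.append("watched API call " + name)
    if name.startswith("AuthorizeSecurityGroup") and public_cidrs(record):
        reasons.append("security group opened to 0.0.0.0/0")
    return reasons

def triage(records):
    """Map eventID -> reasons for every record that raised at least one reason."""
    return {r["eventID"]: classify(r) for r in records if classify(r)}

# Constructed sample records (not real account data), trimmed to the fields used above.
SAMPLE = json.loads("""{"Records": [
 {"eventID": "e1", "eventName": "DescribeInstances", "userIdentity": {"type": "IAMUser"}},
 {"eventID": "e2", "eventName": "CreateAccessKey", "userIdentity": {"type": "IAMUser"}},
 {"eventID": "e3", "eventName": "StopLogging", "userIdentity": {"type": "Root"}},
 {"eventID": "e4", "eventName": "AuthorizeSecurityGroupIngress",
  "userIdentity": {"type": "IAMUser"},
  "requestParameters": {"ipPermissions": {"items": [{"fromPort": 22, "toPort": 22,
     "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}}
]}""")

if __name__ == "__main__":
    for event_id, reasons in triage(SAMPLE["Records"]).items():
        print(event_id, "->", "; ".join(reasons))
```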

Monitor

OS / Instances

o “Treat them as cattle, not pets”

o One of these things is not like the others

o Update FIM snapshot

• New AMI

• New Code

o Collect Syslogs / Event logs (forensics)

[Diagram: FIM on each instance feeding an Event Monitoring System]

Event Monitoring System

Collect & correlate logs to detect security events

o Oh $4!#! principle

Assess (MAD)

Assess / Test

Do you like working with technology, or would you rather make license plates, do laundry, and be watched 24/7 by armed guards…

o TALK WITH YOUR CLOUD PROVIDER BEFORE DOING SECURITY TESTING!

o GET WRITTEN PERMISSION!

Assess / Test

Static code analysis

o Secure coding practices

o Plain text credentials

o AWS access keys

Security architecture reviews

o Dev – Sec – Ops?

Cloud Formation Templates

o Review before running in production
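Added example (not the deck's code): a Python scanner for the "Plain text credentials / AWS access keys" check, run over a constructed two-file repository. The regexes are a heuristic assumed here, not an AWS specification, and the key values are AWS's documentation placeholders.

```python
import re

# Heuristic patterns (constructed here): key IDs are "AKIA" (long-lived) or "ASIA" (temporary)
# followed by 16 upper-case alphanumerics; a 40-character base64-style value is only flagged
# when it sits next to a "secret key" style variable name, to keep false positives down.
ACCESS_KEY_RE = re.compile(r"\b(AKIA|ASIA)[0-9A-Z]{16}\b")
SECRET_RE = re.compile(
    r"""(?i)aws[_-]?secret[_-]?(access[_-]?)?key["']?\s*[:=]\s*["']?([A-Za-z0-9/+=]{40})""")

def scan_text(path, text):
    """Return (path, line number, kind, value) for every candidate credential in `text`."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in ACCESS_KEY_RE.finditer(line):
            findings.append((path, lineno, "access_key_id", m.group(0)))
        for m in SECRET_RE.finditer(line):
            findings.append((path, lineno, "secret_access_key", m.group(2)))
    return findings

def scan_files(files):
    """`files` maps path -> contents; in practice walk the whole repo, configs included."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings

def redact(value):
    """Keep only the ends so a report can identify the key without republishing it."""
    return value[:4] + "*" * (len(value) - 8) + value[-4:]

# Constructed sample repository; the values are AWS's documentation placeholders, not live keys.
SAMPLE_FILES = {
    "config/settings.py": 'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"\n'
                          'AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"\n',
    "app/main.py": "session = boto3.Session()  # credentials come from the instance role\n",
}

if __name__ == "__main__":
    for path, lineno, kind, value in scan_files(SAMPLE_FILES):
        print(f"{path}:{lineno}: {kind} {redact(value)}")
```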

Assess / Test

IAM

o Roles

• Responsibility

o Users / Instances with privileged roles

o Separation of duties

EC2 AMIs that are in use

Security Group Configuration

Trusted Advisor

Assess: Trusted Advisor

[Screenshot: Trusted Advisor, Security section]

Defense (MAD)

Defense

Contractual agreements

Vendor attestations

Resilient architecture

o Decoupled

o Auto-Scaling

o Multi-AZ

o Secure

o Automation

o Snapshots/backups

• EBS, RDS, S3

[Diagram: Users, AWS CloudFormation, Amazon CloudWatch and the Priv. Subnet from the reference architecture]

Defense

Encryption: Amazon Key Management Service (KMS)

o Centralized key management (CloudTrail)

o Encrypt Elastic Block Storage (EBS) without impacting performance

o Encrypt credentials or other sensitive data

http://aws.amazon.com/kms/

Defense

Web Application Firewall (WAF)

o Tune and re-tune it

o Block malicious traffic

o Turn on rate limiting to save $

Evaluate WAF effectiveness by reviewing HTTP request logs

Defense

Use Your Identity Provider

o AssumeRoleWithSAML()

o Does anyone have time to manage two IdPs?

Limit creation of AWS Access Keys

o DevOps – temporary access keys

o Applications – EC2 instance roles

o Permanent – least privilege

• Rotate keys regularly

• Scour code and configs

Source: http://docs.aws.amazon.com/STS/latest/UsingSTS/STSMgmtConsole-SAML.html
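Added example (not the deck's code): the "Rotate keys regularly" and "Inventory (owner)" points as an offline check over constructed access-key metadata in the shape boto3's iam.list_access_keys() returns under "AccessKeyMetadata"; the 90-day limit and the fixed "now" are assumptions.

```python
from datetime import datetime, timedelta, timezone

MAX_AGE = timedelta(days=90)  # assumed policy; the deck says "regularly" without a number

def stale_keys(metadata, now, max_age=MAX_AGE):
    """Active keys older than `max_age`, as (UserName, AccessKeyId, age in days).
    `metadata` has the shape of boto3's iam.list_access_keys()["AccessKeyMetadata"]."""
    stale = []
    for key in metadata:
        if key["Status"] != "Active":
            continue  # an inactive key cannot be used; delete it, but it is not a rotation miss
        age = now - key["CreateDate"]
        if age > max_age:
            stale.append((key["UserName"], key["AccessKeyId"], age.days))
    return stale

def active_key_counts(metadata):
    """Owner inventory: how many active keys each user holds. Two is normal only mid-rotation."""
    counts = {}
    for key in metadata:
        if key["Status"] == "Active":
            counts[key["UserName"]] = counts.get(key["UserName"], 0) + 1
    return counts

# Constructed sample (no real accounts or keys); the date below stands in for "now".
NOW = datetime(2015, 7, 16, tzinfo=timezone.utc)
SAMPLE = [
    {"UserName": "deploy-bot", "AccessKeyId": "AKIAEXAMPLE000000001", "Status": "Active",
     "CreateDate": datetime(2014, 11, 1, tzinfo=timezone.utc)},
    {"UserName": "alice", "AccessKeyId": "AKIAEXAMPLE000000002", "Status": "Active",
     "CreateDate": datetime(2015, 6, 20, tzinfo=timezone.utc)},
    {"UserName": "alice", "AccessKeyId": "AKIAEXAMPLE000000003", "Status": "Inactive",
     "CreateDate": datetime(2014, 1, 5, tzinfo=timezone.utc)},
]

if __name__ == "__main__":
    for user, key_id, days in stale_keys(SAMPLE, NOW):
        print(f"{user}: {key_id[:4]}...{key_id[-4:]} is {days} days old, rotate it")
    print(active_key_counts(SAMPLE))
```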

Defense

AWS Access Keys Anyone?

o “When I got to GitHub, I checked … and sure enough it [had] my API keys…crap!”

o “I reverted the last few commits, and deleted all traces from GitHub … within about 5 minutes.”

o “When I woke up the next morning I had four emails from Amazon AWS and a missed phone call … something about 140 servers running on my AWS account.”

o “Boom! A $2375 bill”

o “Amazon was kind enough to drop the charges this time!”

Source: http://www.devfactor.net/2014/12/30/2375-amazon-mistake/

Defense

MFA on AWS root and highly privileged accounts

Separation of Duties & Least Privilege

o IAM, VPC Privileges, Route53, etc.

o Access to backups and snapshots needs special protection

CodeSpaces

o “Code Spaces will not be able to operate beyond this point”

o “upon seeing us make the attempted recovery of the account [attacker] proceeded to randomly delete artifacts”

o “[attacker deleted] all EBS snapshots, S3 buckets, all AMI's, some EBS instances and several machine instances”

Source: http://www.darkreading.com/attacks-breaches/code-hosting-service-shuts-down-after-cyber-attack/d/d-id/1278743

Defense: Incident Response

Investigate without tipping off the attacker

Automate your response, assume the attacker has automated his

Defense

OS / AMI

o Use trusted, securely configured AMIs - Update Often (patching)

o AWS Marketplace has DISA STIG compliant AMIs

o If FIM tests fail: investigate, new instance, isolate old (SG)

o Auto-scaling will use the AMI(s) you configure – make sure it’s the right one

o SSH Keys / Admin Passwords

o Bastion

o Prod and non-prod

o Managed in your custom AMIs

[Diagram: the layer stack with FIM on each instance]

Defense

NACLs

o IPv4

o Stateless

o Inbound/Outbound

o Soft Limit of 20/20 per subnet

o Block 22, 3389, etc.

o (Don’t lose hope yet)

[Diagram: where the NACL sits in the layer stack]

Defense

Security Groups

o IPv4

o Stateful

o Inbound/Outbound

o Apply to an instance or group of instances (across AZ)

o AWS limits on the number of security groups and rules per security group

[Diagram: where Security Groups sit in the layer stack]

Defense: Security Groups

[Diagram: this security group placed in the layer stack]

Source (in)    Protocol    Port(s)    Comment
0.0.0.0/0      TCP         80         HTTP
0.0.0.0/0      TCP         443        HTTPS
0.0.0.0/0      ICMP        N/A        Ping
Default Deny

Dest (out)     Protocol    Port(s)    Comment
SG_WAF         TCP         8080       WAFs
Default Deny

Defense: Security Groups

[Diagram: this security group placed in the layer stack]

Source (in)    Protocol    Port(s)    Comment
BAST_SG        ANY         All        Admin
SG_IN_ELB      TCP         8888       Internal
Default Deny

Dest (out)     Protocol    Port(s)    Comment
SG_DB          TCP         1433
Default Deny
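Added example, not from the deck: the two security groups from the tables above modelled in Python with the semantics the slides describe (stateful, default deny, peers given either as CIDR blocks or as other groups). Group names, ports and protocols come from the tables; the flows evaluated at the bottom are constructed.

```python
import ipaddress

# Constructed model of the two groups on the slides. A rule is (peer, protocol, ports):
# peer is a CIDR block or the name of another security group, protocol is
# "tcp"/"udp"/"icmp"/"any", and ports is (low, high) or None for all ports.
SG_WEB = {
    "ingress": [("0.0.0.0/0", "tcp", (80, 80)), ("0.0.0.0/0", "tcp", (443, 443)),
                ("0.0.0.0/0", "icmp", None)],
    "egress": [("SG_WAF", "tcp", (8080, 8080))],
}
SG_APP = {
    "ingress": [("BAST_SG", "any", None), ("SG_IN_ELB", "tcp", (8888, 8888))],
    "egress": [("SG_DB", "tcp", (1433, 1433))],
}

def peer_matches(rule_peer, peer_ip, peer_groups):
    """A group-name peer matches by membership; a CIDR peer matches by address."""
    if "/" not in rule_peer:
        return rule_peer in peer_groups
    return ipaddress.ip_address(peer_ip) in ipaddress.ip_network(rule_peer)

def allowed(sg, direction, peer_ip, peer_groups, proto, port):
    """Decide one NEW connection in `direction` ("ingress" or "egress"). Groups are
    stateful, so replies to an allowed connection never reach this check; with no
    matching rule the answer is the slides' Default Deny."""
    for rule_peer, rule_proto, ports in sg[direction]:
        if not peer_matches(rule_peer, peer_ip, peer_groups):
            continue
        if rule_proto not in ("any", proto):
            continue
        if ports is not None and not ports[0] <= port <= ports[1]:
            continue
        return True
    return False

if __name__ == "__main__":
    # Constructed flows: an internet client, a bastion in BAST_SG, the app tier calling out.
    print(allowed(SG_WEB, "ingress", "203.0.113.9", set(), "tcp", 443))    # True
    print(allowed(SG_WEB, "ingress", "203.0.113.9", set(), "tcp", 22))     # False
    print(allowed(SG_APP, "ingress", "10.0.0.7", {"BAST_SG"}, "tcp", 22))  # True
    print(allowed(SG_APP, "egress", "10.0.2.3", {"SG_DB"}, "tcp", 1433))   # True
    print(allowed(SG_APP, "egress", "203.0.113.9", set(), "tcp", 80))      # False
```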

Defense

Bastion Host

o Leave it off (Stopped) until you need it

[Diagram: the bastion host in the reference architecture, with Amazon CloudWatch and AWS CloudFormation]

Cloud Nirvana

Do you need admin access to production?

o AWS or Bastion

o Automation -> APIs, CloudFormation Templates, Logs

Additional Resources

AWS Security Whitepapers

o http://aws.amazon.com/whitepapers/

Re:Invent 2014 - Building a DDoS Resilient Architecture with AWS

o https://www.youtube.com/watch?v=OT2y3DzMEmQ

AWS Key Management Service

o http://aws.amazon.com/kms/

RDS Logging

o http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Welcome.html

AWS QwikLABS

o https://run.qwiklab.com/