Date post: | 11-Apr-2018 |
Category: |
Documents |
Upload: | truonghanh |
View: | 215 times |
Download: | 0 times |
© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Aaron Klein, CloudCheckr
Tuesday, June 30th 2016
Hackproof Your CloudResponding to 2016 Threats
Changing Your PerspectiveMoving to the Cloud = rethinking your perimeter security
Old world: Set-up and audit perimeter security
New world: Rethink security tasks:
• Network-based IPS/IDS
• Network scanning
• Penetration tests
• Vulnerability assessments
Focus on securing cloud workloads
• Not on securing the cloud
AWS: What’s Different?
The idea of physical security morphs as
infrastructure becomes virtualized by AWS APIs.
In a new world of ephemeral, auto-scaling infrastructure,
you need to adapt your security architecture to meet
both compliance and security threats.
~ Physical assets secured at the AWS availability zone ~
~ Must guard the AWS API ~
~ IAM Access is your new physical security ~
AWS Foundation Services
Compute Storage Database Networking
AWS Global InfrastructureRegions
Availability Zones
Edge Locations
Network
Security
Inventory
& Config
Customer Applications & Content
You get to define
your controls IN
the Cloud
AWS takes care
of the security
OF the Cloud
You
AWS and You Share Responsibility for Security
Data
Security
Access
Control
Minimizing Attack Vectors
Principles don’t change
• Reduce your surface area!
• Defense-in-depth
Some attack vectors don’t change
• Application level
• user-privilege escalation, web app vulns, XSS
• Operating system vulnerabilities
• Database vulnerabilities
Some attack vectors change
• Homogeneous environment
• Polymorphic targets/mapping
• Reduced network sniffing
Security Hardening
Configure and manage user
privileges
Remove unused user
accounts
Close unused open network
ports
Enforce password
complexity & policies
Remove unwanted services
Patch all known
vulnerabilities
Give me your network block
• Nmap
• Port scans
• Ping sweeps
• Etc…
Perimeter Assessments In the CloudHow do I assess the perimeter of my cloud?
Let me see your configuration
• List of publicly-accessible
resources
• Security groups (Amazon EC2-
Classic, Amazon EC2-VPC,
Redshift, RDS, etc…)
• Routing tables, Network ACL
• VPC, subnets
• Amazon S3 buckets and
permissions
• IAM policies
OLDWORLD
NEWWORLD
Network Security in a VPC
Network ACLs (NACLs)
• Virtual firewalls assigned to VPC/Subnets
• Network ACLs are stateless; responses to allowed inbound
traffic are subject to the rules for outbound traffic (and vice versa).
• Rules evaluated numerical ascending – DENY can be overridden by ALLOW
• Watch for INEFFECTIVE rules
Security Groups
• Host-based firewalls assigned to instances
• Stateful – responses to allowed inbound traffic are not subjected
to the rules for outbound traffic
• Rules are cumulative – DENY always overrides ALLOW
• Assigning wrong security group to an instance exposes the entire VPC
http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_ACLs.html
http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-network-security.html
Complex Connections to Amazon EC2
Amazon EC2 instance can be run inside VPCs
•Legacy capability to run outside VPCs
• Instance ID: i-001bac39
•Friendly name (implemented as a tag): ISS-V2-API1
Amazon EC2 instance can be given 1 or more private IP
addresses
•For example: 172.12.6.186
•This generates a DNS name ip-172-12-6-186.us-west-2.compute.internal
Amazon EC2 instance can be given 1 or more public IP
addresses
•For example: 52.24.201.167
•This generates a DNS name ec2-52-24-201-167.us-west-2.compute.amazonaws.com
Amazon EC2 instance can be attached to an Elastic IP
address (EIP)
•For example: 107.20.135.132
Running VA in Cloud EnvironmentsHow do I run Vulnerability Assessments? REGISTER YOUR SCAN!
Gather the list of public
IPs and EIPs of all
resources
Do I need to scan the
private IP addresses and
instances?
Scanning an AMI
Spin up a new instance,
run a scan on the new
instance
Mark everything based
on this AMI as “scanned”
What about when an
instance “drifts” from
original AMI?
Someone can
reconfigure settings,
install new software
In an elastic, ephemeral, auto scaling environment clouds
can have tens of thousands of instances
Patching Strategies for AWS
“No Patch” Strategy
• Stay away from patching live systems
• Focus on patching templates/AMIs
• Deliver patches by redeploying workloads
• Dependent on adopting pure cloud architectures
Look at AWS OS Templates• Patched by Amazon
Systematic Workload Reprovisioning
• Based on high-assurance repositories
• Effective battling Advanced Persistent Threats
Outside of your VPC: What are we missing?
Don’t assume attacks only happen against Amazon EC2
AWS is a complex system
Over 30 different AWS services
• Many have unique access control systems
You may have 100s of AWS accounts
We need a complete inventory
• All publicly-accessible endpoints and resources
Security breaches can happen with a single weak link
S3 (Simple Storage Service)
Up to 1000 buckets in an account
• Unlimited number of objects (billions is not uncommon)
Location
• Within a region, across multi-AZs, not housed in a VPC
• Can’t sit between client and storage
Security
• Access control through IAM policies, bucket policies, ACLs, and query string authentication
• Server-side Encryption, HTTPS support
• Server-access logs (does not integrate with CloudTrail)
Don’t grant FULL_CONTROL, WRITE_ACP, WRITE bucket permissions to Everyone EVER!!!
Create an inventory of your sensitive data
SQS (Simple Queuing Service)
Where does SQS live?
• Within a region, not within a VPC
• Uses a URL such as:
https://sqs.us-east-1.amazonaws.com/123456789012/MySQS
Security based on policy documents:{
"Version": "2008-10-17",
"Id": "arn:aws:sqs:us-east-1:123456789012:MySQS/SQSDefaultPolicy",
"Statement": [
{
"Sid": "Sid1415217272568",
"Effect": "Allow", "Principal": { "AWS": "*" },
"Action": [
"SQS:ReceiveMessage", "SQS:SendMessage"
],
"Resource": "arn:aws:sqs:us-east-1:123456789012:MySQS"
},
SNS (Simple Notification Service)
SNS does not live inside your VPC
Permissions based on topic policies:
Logs: Using AWS CloudTrail
An AWS Service that records each time the AWS API is called
• Currently supports most AWS services
• http://docs.aws.amazon.com/awscloudtrail/latest/userguide/dochistory.html
Conveniently everything in AWS goes through the API
• Even actions in the Management Console go through the API
CloudTrail writes files into an Amazon S3 bucket
• Near real-time (every five minutes)
• Files are in JSON format
Get started at http://aws.amazon.com/cloudtrail/
Using CloudWatch Logs
Simple method of monitoring operating system logs• Ship Windows event logs and syslogs to AWS CloudWatch
Types of use-case:• Account Login Failure, Account Login Success, New local account creation,
Excessive Login Failure (Configurable)
• Unauthorized Windows Admin Logon, Windows Account Lockout Attempt,
Windows Computer Account Changes
• Windows Audit Policy Changes, Windows Event Log Cleared
• Non-Windows - Account Locked Out, Non-Windows - Account Unlocked,
Changes to System or Audit log
Get started at:
http://docs.aws.amazon.com/AmazonCloudWatch/latest/DeveloperGuide/WhatIsCloudW
atchLogs.html
Using Amazon VPC Flow Logs
An AWS service that records each time packets enter or leave a VPC
• http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/flow-logs.html
Security team comes to you and says:
• We need logs going to instance 1-0123456 from
IP address ranges 52.205.16.0 - 52.205.31.255
Monitor for DENY connections
• Gives you both security group and NACL denies
Announcement:
https://aws.amazon.com/about-aws/whats-new/2015/06/aws-launches-amazon-
vpc-flow-logs/
Tools For Configuring AWS Securely & Cost
EffectivelyGeneric tools fall short
Purpose-built, not cloud-washed
• Make sure tools don’t fall over in the cloud
• Tools have to understand dynamic, ephemeral IPs
Need a deep understanding of AWS
• What does this means
• Context is important
• Actionable intelligence
CloudCheckrUnified Cost & Security Management
What cloud users need… CloudCheckr provides…
Automated reports, generated and updated daily, listing all
additions, deletions, or modifications over the past 24 hours
Comprehensive visibility & control on security, availability, cost
and usage with 350+ out-of-the-box best practice policy checks
Granular visibility to understand, deconstruct, and optimize cloud
costs
Automated best practice checks covering
security, availability, cost, and usage
Simplified monitoring of changes in a cloud
environment
Understand/Audit costs in the cloud
»»»»»
Actionable security and activity alertsOver 100 out of the box alerts with endless
customization opportunities
Remediation and self-healing of security
vulnerabilities
Automation that allows users to receive alerts
and delegate remediation to CloudCheckr
© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Aaron Klein, Founder of [email protected]
www.cloudcheckr.com
Thank You for Attending