Posted: 18-Jul-2015 (uploaded by amazon-web-services)
©2015, Amazon Web Services, Inc. or its affiliates. All rights reserved
Using Security to Build with Confidence in AWS
Mark Nunnikhoven for Trend Micro
@marknca
The Story
More at aws.trendmicro.com
2012 re:Invent
SPR203: Cloud Security Is a Shared Responsibility, http://bit.ly/2012-spr203
2013 re:Invent
SEC208: How to Meet Strict Security and Compliance Requirements in the Cloud, http://bit.ly/2013-sec208
SEC307: How Trend Micro Built Their Enterprise Security Offering on AWS, http://bit.ly/2013-sec307
2014 re:Invent
SEC313: Updating Security Operations for the Cloud, http://bit.ly/2014-sec313
SEC314: Customer Perspectives on Implementing Security Controls with AWS, http://bit.ly/2014-sec314
Shared Responsibility Model
AWS: Physical, Infrastructure, Network, Virtualization
You: Operating system, Applications, Data, Service configuration
More at aws.amazon.com/security
1989
Fantastic summary by David A. Wheeler at http://www.dwheeler.com/essays/shellshock.html#timeline
Time Since Last Event | Event                               | Action | Action Timeline
1989-08-05 8:32       | Added to codebase                   |        |
27 days, 10:20:00     | Released to public                  |        |
9141 days, 21:18:35   | Initial report                      | React  | Clock starts
1 day, 22:19:13       | More details                        | React  |
2 days, 7:30:12       | Official patch :: CVE-2014-6271     | Patch  | 4 days, 5:49:25
5 days, 9:16:35       | Limited disclosure :: CVE-2014-6271 | React  |
2 days, 4:37:25       | More details                        | React  |
3:44:00               | More details                        | React  |
0:27:51               | Public disclosure                   | React  |
0:36:30               | More details                        | React  |
0:34:39               | Public disclosure :: CVE-2014-7169  | React  |
Important Shellshock Events
Time Since Last Event | Event                                            | Action | Action Timeline
1989-08-05 8:32       | Added to codebase                                |        |
27 days, 10:20:00     | Released to public                               |        |
9141 days, 21:18:35   | Initial report                                   | React  | Clock starts
2 days, 7:30:12       | Official patch :: CVE-2014-6271                  | Patch  | 4 days, 5:49:25
3:29:09               | Official patch :: CVE-2014-7169                  | Patch  | 9 days, 19:17:00
3:15:00               | Official patch :: CVE-2014-7186, CVE-2014-7187   | Patch  | 4 days, 17:30:00
1 day, 11:55:00       | Official patch :: CVE-2014-6277                  | Patch  | 1 day, 11:55:00
AWS VPC Checklist
Review
AWS Identity and Access Management (IAM) roles
Security groups
Network segmentation
Network access control lists (NACL)
More in the Auditing Security Checklist for Use of AWS, media.amazonwebservices.com/AWS_Auditing_Security_Checklist.pdf
Intrusion prevention can look at each packet and then take action depending on what it finds
Review
All instances covered
Workload-appropriate rules
Centrally managed
Security controls must scale out automatically with the deployment
Workflow should be completely automated
AMI Creation Workflow (diagram): Instantiate, Configure, Bake, Instantiate, Test, Destroy
Instances tend to drift from the known good state; monitoring key files and processes is important
(Diagram: AMI -> Instance; integrity monitoring of keys -> Alert)
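The drift check the slide describes, as an added example rather than Trend Micro's or AWS's code: hash the files under a few watched directories right after the AMI is baked, then re-hash the running instance and report what was added, removed or modified. The watched directories, file contents and the three drift events are constructed for the demo.

```python
import hashlib
import tempfile
from pathlib import Path
# Directories (relative to the instance root) whose files the baseline covers.
# Constructed for this example; a real deployment chooses its own watch list.
WATCHED = ["etc/ssh", "root/.ssh", "etc/cron.d"]

def file_digest(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large files are not loaded whole."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(root: Path, watched=WATCHED) -> dict:
    """Hash every file under the watched dirs: the known-good state after baking."""
    baseline = {}
    for rel in watched:
        base = root / rel
        if base.is_dir():
            for p in sorted(base.rglob("*")):
                if p.is_file():
                    baseline[str(p.relative_to(root))] = file_digest(p)
    return baseline

def check_drift(root: Path, baseline: dict, watched=WATCHED) -> dict:
    """Re-hash the running instance and report how it drifted from the baseline."""
    current = build_baseline(root, watched)
    return {
        "added": sorted(set(current) - set(baseline)),
        "missing": sorted(set(baseline) - set(current)),
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
    }

def demo() -> dict:
    """Constructed scenario: bake, then let the instance drift in three ways."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel, text in {
            "etc/ssh/sshd_config": "PermitRootLogin no\n",
            "root/.ssh/authorized_keys": "ssh-ed25519 AAAA... baseline-key\n",
            "etc/cron.d/backup": "0 2 * * * root /usr/local/bin/backup\n",
        }.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_text(text)
        baseline = build_baseline(root)
        (root / "etc/ssh/sshd_config").write_text("PermitRootLogin yes\n")  # config edited
        (root / "root/.ssh/authorized_keys2").write_text("ssh-ed25519 AAAA... unknown\n")  # key added
        (root / "etc/cron.d/backup").unlink()  # scheduled job removed
        return check_drift(root, baseline)
```

Running `demo()` returns the three drift categories; in practice the baseline would be written at bake time and the check run periodically, with any non-empty result raised as the alert the diagram shows.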
Respond: Review configuration; Apply intrusion prevention
Repair: Patch vulnerability in new AMI; Leverage integrity monitoring