cloud security on the dollar menu - shellcon manalo, cissp, aws- csaa shellcon 2018. agenda •...
TRANSCRIPT
Cloud Security on the Dollar Menu
ARNEL MANALO, CISSP, AWS-CSAASHELLCON 2018
Agenda• Introductions
• What RMTS does
• Intro AWS security model
• Breaches and State Laws
• AWS Recon
• Hardening AWS
About me:
Arnel Manalo, CISSPCybersecurity ArchitectR I C H E Y M A Y T E C H N O L O G Y S O L U T I O N S
• BS, Computer Systems Security, Colorado Technical University
• CISSP
• AWS-CSAA
About Richey May Technology SolutionsRichey May Technology Solutions is a results-driven consulting firm offering the full spectrum of technology solutions for your business. Led by technology experts with decades of cumulative experience in executive IT roles, our team is able to bring you pragmatic, real-world solutions that deliver value to your business.
Governance, Risk, Compliance
& Privacy
Cybersecurity
Marketing Technology
Cloud Services
Technology Management Consulting
Image Source: http://srini.karlekar.com/?p=313
AWS Security Incident Leaderboard1. Uber – 57 million customer/drivers records compromised
2. Time Warner Cable – 4m customer records exposed
3. 10k GitHub users revealed their AWS secret keys
AWS Uber Data Breach• Acquired AWS account credentials via GitHub
• Restricted access and implemented controls AFTERWARDS
Image Source: https://i.imgflip.com/1pgtpk.jpg
AWS Time Warner Breach• Found publicly available S3 Buckets
• Information spanned from November 2010 – July 2017
Image Source: https://assets.rbl.ms/13622690/980x.jpg
Breaches
dwt.com
U.S. State Data Breach Notification Statutes –Form of Data
Breaches
dwt.comdwt.com
U.S. State Data Breach Notification Statutes -Harm Threshold
California Breach Laws• California Breach Notice: California Civil Code s. 1798.29
and California Civ. Code s. 1798.82
• CCPA (2020) allows consumers to sue companies for “unauthorized access and exfiltration, theft, or disclosure as a result of the business’ violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information.”
Recent State ChangesStates Increase Focus:Arizona HB 2154:In 2018, Arizona expanded the coverage of their existing data breach notification law; via House Bill 2154. The updated legislation expands the definition of what is considered personally identifiable information; consumer data, as well as adds specific definitions for what the state believes to be a security incident vs a data breach. It also adds civil penalties of $10,000-$500,000
Colorado House Bill 18-1128:Colorado has also passed expanded privacy and cybersecurity legislation requiring covered entities to deploy and maintain reasonable security controls around personally indefinable information of Colorado residents. Colorado also requires defined controls that manage the data life cycle of consumer data from inception, during use, at rest and destruction at end of life. The new law which becomes effective this fall; September 1st 2018, requiring firms develop a formal cybersecurity program focused on protecting information appropriate to the nature of the personal information collected and the size of the business.
Recent State ChangesStates Increase Focus:Ohio Senate Bill 220:Ohio recently signed into law the Ohio Data Protection Act; enabling organizations to limit their liability through a safe harbor rule if the organizations adopted and implemented a written cybersecurity program based on industry accepted frameworks such as the National Institute of Standards and Technology (NIST) 800.53, ISO 27000, or PCI-DSS.
AWS Reconnaissance
Shodan.ionet:"50.112.0.0/16"
GitHub• https://github.com/michenriksen/gitrob
• https://github.com/awslabs/git-secrets
Locating Buckets• https://github.com/gwen001/s3-buckets-finder
• https://github.com/eth0izzle/bucket-stream
• https://github.com/digininja/CloudStorageFinder
• https://github.com/RhinoSecurityLabs/Security-Research/tree/master/tools/aws-pentest-tools/s3
• https://github.com/glen-mac/goGetBucket
gwen001
Image source: https://github.com/gwen001/s3-buckets-finder/blob/master/README.md
eth0izzle
Image source: https://github.com/eth0izzle/bucket-stream/blob/master/README.md
Other• https://github.com/marpaia/AWSome
• https://github.com/dagrz/aws_pwn
• https://github.com/nccgroup/Scout2
• https://github.com/toniblyx/my-arsenal-of-aws-security-tools
Hardening AWS
IAM Roles• Lock Away Your AWS Account Root User Access Keys
• Create Individual IAM Users
• Use Groups to Assign Permissions to IAM Users
• Use AWS Defined Policies to Assign Permissions Whenever Possible
• Grant Least Privilege
• Use Access Levels to Review IAM Permissions
• Configure a Strong Password Policy for Your Users
• Video Presentation About IAM Best Practices
• Enable MFA for Privileged Users
• Use Roles for Applications That Run on Amazon EC2 Instances
• Use Roles to Delegate Permissions
• Do Not Share Access Keys
• Rotate Credentials Regularly
• Remove Unnecessary Credentials
• Use Policy Conditions for Extra Security
• Monitor Activity in Your AWS Account
More reading: https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html
S3 Bucket Hardening• Restrict Access to buckets
• Monitor S3 resources
• Use Encryption
S3 Bucket Policy Examples• Permit only specific IP address or website
S3 Bucket Events• Emailed when an object gets created or deleted
• Completed easily with a few steps:
• Create SNS topic to email events
• Permit access of s3 bucket to SNS topic
• Configure Events which to trigger off of
Create SNS Topic• SNS Console -> Create new topic• Select newly created topic -> create subscription*
S3 Access to SNS Topic• Select topic -> edit topic Policy
Configure S3 Bucket Events• Go to S3 console
• Select desired bucket
• Select properties
• Scroll down and select events
Alert Examples
VPC NACL vs. EC2 Security Groups• VPC NACL are what define general outbound and inbound
rules for the specified VPC or network. Default allow
• EC2 Security Groups are what are assigned to specific EC2 instances within VPCs and define inbound/outbound traffic. Default deny
When to use NACL vs Security Group• NACL for generic inbound-outbound to entire VPC
• Security Group for specific host or hosts traffic
• Sometimes both
CloudTrail• Audit, compliance, operational risk
• Marks API calls as Events
• Can forward events to store in S3 or make alerts in CloudWatch
• Two Non-API actions captured:• Service Events – Spot Instance bid prices
• Console Login Attempts
CloudWatch• Monitors AWS services and resources real-time
• Collect and track metrics and/or logs
• Can send off alarms or automatically make changes or start workflows
Monitor Root Account Usage• From the CloudWatch console -> Logs
• Select CloudTrail logs group
• Create Metric Filter
• Assign the metric -> Metric Filter box: RootAccountUsage -> Metric Namespace: CloudTrailMetrics -> Metrics Name: RootAccountUsage -> Metric Value: 1
Monitor Root Account Usage cont.• Create Alarm
• Enter notification information as desired
TrustedAdvisor• AWS Service that scans and compares it to best practices.
• Cost Optimization
• Performance
• Fault Tolerance
• Service Limits
• Security
Trusted Advisor Security – FREE!!• Security Groups – Specific Ports• IAM• S3 Buckets• EBS Snapshots• RDS Snapshots• More specifics on different best practices:
https://aws.amazon.com/premiumsupport/trustedadvisor/best-practices/
Billing Alarms• Must be signed in with root account -> billing -> preferences
-> receive billing alerts.• After it’s enabled – go to cloudwatch console and create
alarm specific to billing and set to your desired threshold.
