Platform Security Marius Aharonovich
Cloud Security Architect ClickSoftware
Agenda:
  Platform Security
  Management
  Secure API keys
  Increase Your Visibility
  Host Security
  Encryption and Key Management
Platform Security

Security best practices checklist: CIS benchmarks for AWS, Azure and Google Cloud.

Cloud platform layers (slide diagram): AWS infrastructure, AWS management services, EC2 instances, 3rd-party management tools.
Amazon Web Services

Root account: limited use (support plan, payment, close account, request PenTest).
Two-Factor-Authentication: TOTP-enabled virtual TFA authenticator (Authy).
IAM Users: Two-Factor-Authentication; user groups such as DevOps, NOC, R&D Lead, DBA, Security.
IAM Policies (identity-based policy attached to a user, group or role):

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::example_bucket"
    }
  ]
}
Services – Resource Based Policies (an S3 bucket policy that denies every S3 action to any principal whose request was not authenticated with MFA):

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::example",
      "Condition": {
        "BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}
      }
    }
  ]
}
Cross Account (trust policy on a role; the other account may assume the role only when it presents the agreed ExternalId):

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {"AWS": "arn:aws:iam::AccountID:root"},
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {"sts:ExternalId": "IAMUserID"}
      }
    }
  ]
}
Services – Secure API keys

Use temporary keys (STS)
Don't embed API keys directly into code
Rotate API keys periodically
Delete unused API keys
Use unique API keys for applications
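The rotation and clean-up items above are easiest to enforce from the IAM credential report, which lists every user's access keys with their last-rotation and last-used dates. The following is an added example, not code from the deck or from ClickSoftware: it parses a constructed sample in the credential report's CSV layout (only the relevant columns, made-up account id and user names) and flags keys older than the rotation threshold, active keys that have never been used, idle keys, root access keys, and console users without MFA. The thresholds (90 days rotation, 30 days idle) are assumptions to tune per policy.

```python
import csv
import io
from datetime import datetime, timezone

# Constructed sample modelled on the CSV layout of the IAM credential report
# (only the columns used below; the account id and user names are made up).
SAMPLE_REPORT = """\
user,arn,password_enabled,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
<root_account>,arn:aws:iam::111111111111:root,not_supported,true,false,N/A,N/A,false,N/A,N/A
alice,arn:aws:iam::111111111111:user/alice,true,true,true,2024-01-10T09:00:00+00:00,2024-06-01T12:00:00+00:00,false,N/A,N/A
ci-deploy,arn:aws:iam::111111111111:user/ci-deploy,false,false,true,2023-02-01T00:00:00+00:00,N/A,true,2024-05-20T00:00:00+00:00,2024-06-02T08:00:00+00:00
bob,arn:aws:iam::111111111111:user/bob,true,false,false,N/A,N/A,false,N/A,N/A
"""

# Fixed reference time so the example is deterministic; use datetime.now(timezone.utc) in practice.
NOW = datetime(2024, 6, 3, tzinfo=timezone.utc)


def parse_ts(value):
    """The report writes N/A, no_information or not_supported where no timestamp exists."""
    if value in ("", "N/A", "no_information", "not_supported"):
        return None
    return datetime.fromisoformat(value)


def audit_credential_report(report_csv, now=NOW, max_key_age_days=90, max_idle_days=30):
    """Return a list of findings; thresholds are assumed values, adjust to policy."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        # Console users must have MFA; the root row reports password_enabled as not_supported.
        if row["password_enabled"] == "true" and row["mfa_active"] != "true":
            findings.append({"user": user, "finding": "no_mfa",
                             "detail": "console password enabled without MFA"})
        for slot in ("1", "2"):
            if row[f"access_key_{slot}_active"] != "true":
                continue
            # Root should not have access keys at all (limited use of root).
            if user == "<root_account>":
                findings.append({"user": user, "finding": "root_access_key",
                                 "detail": f"active access key {slot} on root"})
            rotated = parse_ts(row[f"access_key_{slot}_last_rotated"])
            if rotated is not None and (now - rotated).days > max_key_age_days:
                findings.append({"user": user, "finding": "stale_key",
                                 "detail": f"key {slot} is {(now - rotated).days} days old"})
            last_used = parse_ts(row[f"access_key_{slot}_last_used_date"])
            if last_used is None:
                findings.append({"user": user, "finding": "never_used_key",
                                 "detail": f"key {slot} is active but has never been used"})
            elif (now - last_used).days > max_idle_days:
                findings.append({"user": user, "finding": "idle_key",
                                 "detail": f"key {slot} unused for {(now - last_used).days} days"})
    return findings


if __name__ == "__main__":
    for f in audit_credential_report(SAMPLE_REPORT):
        print(f"{f['user']}: {f['finding']} ({f['detail']})")
```

On the constructed sample this reports alice's 145-day-old key, ci-deploy's 488-day-old key that has never been used, and bob's console access without MFA; a key that is both active and never used is the strongest candidate for deletion rather than rotation.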
Increase Your Visibility (slide diagram of log and event sources feeding a central log collector)

Sources:
  AWS: EC2, CloudTrail, Dashboard APIs
  CASB: Access & Activities; Trusted Advisor; Credentials Report; IAM User "List Events"
  Cloud Security Control: SG Changes & Risk & Compliance; Forensics; traffic layers 3/4; Web traffic analysis; IAM Cross Account Role "List Configuration"; IAM Cross Account Role "IP Traffic"
  Logs: VPC Flow-Log, S3 log, Other Cloud Services log, Service User "List Events"
  Infrastructure: EC2 Instance log, Load Balancer log, Web Traffic (syslog)

Consumers:
  Log Collector: Security event alerting, Security reports, Forensics
  Domain Auditor: Domain changes reporting, Forensics (inputs: Events, Domain Config, Web Traffic (syslog))
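Once CloudTrail is flowing into the log collector, the "security event alerting" box above needs concrete rules. The following is an added example, not code from the deck or from ClickSoftware: it runs three detections that correspond to items on these slides (limited use of root, MFA on users, security group changes) over constructed CloudTrail-style records. The field layout follows the CloudTrail record format; every value (account id, user names, IPs, group id) is made up.

```python
import json

# Constructed CloudTrail-style records: the field layout follows the CloudTrail
# record format, but every value (account id, names, IPs, ids) is made up.
SAMPLE_EVENTS = json.dumps({"Records": [
    {"eventTime": "2024-06-03T08:01:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "eventType": "AwsConsoleSignIn",
     "userIdentity": {"type": "IAMUser", "userName": "bob",
                      "arn": "arn:aws:iam::111111111111:user/bob"},
     "sourceIPAddress": "198.51.100.7",
     "additionalEventData": {"MFAUsed": "No"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2024-06-03T08:15:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress", "eventType": "AwsApiCall",
     "userIdentity": {"type": "IAMUser", "userName": "devops-1",
                      "arn": "arn:aws:iam::111111111111:user/devops-1"},
     "sourceIPAddress": "198.51.100.9",
     "requestParameters": {"groupId": "sg-0123456789abcdef0",
                           "ipPermissions": {"items": [
                               {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
                                "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
    {"eventTime": "2024-06-03T09:00:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets", "eventType": "AwsApiCall",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111111111111:root",
                      "accountId": "111111111111"},
     "sourceIPAddress": "203.0.113.5"},
    {"eventTime": "2024-06-03T09:05:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "eventType": "AwsApiCall",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111111111111:assumed-role/noc/session1"},
     "sourceIPAddress": "198.51.100.20"},
]})

SG_CHANGE_EVENTS = {
    "AuthorizeSecurityGroupIngress", "AuthorizeSecurityGroupEgress",
    "RevokeSecurityGroupIngress", "RevokeSecurityGroupEgress",
    "CreateSecurityGroup", "DeleteSecurityGroup",
}
WORLD_OPEN = {"0.0.0.0/0", "::/0"}


def actor_of(record):
    identity = record.get("userIdentity", {})
    return identity.get("userName") or identity.get("arn", "unknown")


def world_open_ranges(record):
    """Return human-readable descriptions of rules in the request that are open to the whole internet."""
    perms = record.get("requestParameters", {}).get("ipPermissions", {}).get("items", [])
    found = []
    for perm in perms:
        for key, field in (("ipRanges", "cidrIp"), ("ipv6Ranges", "cidrIpv6")):
            for rng in perm.get(key, {}).get("items", []):
                if rng.get(field) in WORLD_OPEN:
                    found.append(f"{perm.get('ipProtocol')}/{perm.get('fromPort')}-{perm.get('toPort')} from {rng[field]}")
    return found


def triage(cloudtrail_json):
    """Apply the three detections to a CloudTrail log file and return a list of alerts."""
    alerts = []
    for rec in json.loads(cloudtrail_json)["Records"]:
        identity = rec.get("userIdentity", {})
        base = {"time": rec.get("eventTime"), "actor": actor_of(rec),
                "source_ip": rec.get("sourceIPAddress"), "event": rec.get("eventName")}
        # Rule 1: direct use of the root account (root should be limited to account-level tasks).
        if (identity.get("type") == "Root" and "invokedBy" not in identity
                and rec.get("eventType") != "AwsServiceEvent"):
            alerts.append({**base, "rule": "root_account_activity", "severity": "high",
                           "detail": "root credentials used for an API call"})
        # Rule 2: successful console sign-in without MFA.
        if (rec.get("eventName") == "ConsoleLogin"
                and rec.get("responseElements", {}).get("ConsoleLogin") == "Success"
                and rec.get("additionalEventData", {}).get("MFAUsed") != "Yes"):
            alerts.append({**base, "rule": "console_login_without_mfa", "severity": "high",
                           "detail": "console login succeeded with MFAUsed != Yes"})
        # Rule 3: any security group change; a world-open range raises the severity.
        if rec.get("eventName") in SG_CHANGE_EVENTS:
            opened = world_open_ranges(rec)
            group = rec.get("requestParameters", {}).get("groupId")
            alerts.append({**base, "rule": "security_group_change",
                           "severity": "high" if opened else "medium",
                           "detail": "; ".join(opened) or f"group {group} changed"})
    return alerts


if __name__ == "__main__":
    for a in triage(SAMPLE_EVENTS):
        print(f"[{a['severity']}] {a['rule']}: {a['actor']} ({a['source_ip']}) {a['event']} -> {a['detail']}")
```

The root rule excludes AwsServiceEvent records and identities with invokedBy so that AWS services acting on the account's behalf do not page the on-call; the security group rule always alerts at medium so the SIEM keeps a full change history, and escalates only when a rule is opened to 0.0.0.0/0 or ::/0.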
Host Security

VPN Gateway: Two-Factor-Authentication; encrypted (TLS)
Patch Hosts: WSUS, Systems Manager, newly deployed AMI
DoS Protection: AWS Shield (Basic, Advanced), 3rd party solution
SIEM: Access & Activities, Infra Changes Analysis
Firewall: Inbound & outbound rules, Security Groups, 3rd party
Harden Hosts (CIS)
User groups & Permissions
Antimalware & HIPS
Scan Hosts: 3rd party, Vulnerabilities
Encryption and Key Management

Why encrypt? Contracts, Regulations, Standards

Data in Transit: TLSv1.2, AES-256bit GCM; ELB, ALB, CloudFront, 3rd party; Certificate Manager

Data at Rest:
  Storage / Volume Encryption: EBS Encryption, RDS Storage Encryption, KMS
  Data Backup Encryption: SQL Backup Encryption, RDS Snapshot Encryption, KMS
  HSM: FIPS 140-2 Level 2, FIPS 140-2 Level 3