RED TEAM VS. BLUE TEAM ON AWS
SESSION ID: CSV-R12
#RSAC
Teri Radichel, CEO, 2nd Sight Lab, @teriradichel
Kolby Allen, DevOps Engineer, Zipwhip, @kolbyallen

Attacker vs. Defender

Cloud Admin…Duh Duh Duh.

Would Be A Boring Talk…

Instead…
Let’s search for buried treasure!

Some background
Initial Setup
Vanilla Account
— Single Admin User
— Base VPC & defaults
AWS Tutorial: Elastic Beanstalk with WordPress
— https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/php-hawordpress-tutorial.html
AWS Tutorial: Lambda Accessing RDS in VPC
— https://docs.aws.amazon.com/lambda/latest/dg/vpc.html

Pilfer Credentials ~ Read Only Access

Look for RDS Databases
aws rds describe-db-instances --query 'DBInstances[].[DBInstanceIdentifier,MasterUsername,DBSubnetGroup.VpcId,Endpoint.Address]' --output=table --color off
supersecretdb?! That sounds like a good target…

Examine Selected Database Subnets
aws rds describe-db-instances --filter "Name=db-instance-id,Values=supersecretdb" --query 'DBInstances[].DBSubnetGroup.Subnets[].SubnetIdentifier' --output table --color off
Hmm… let’s check out: subnet-1ae9df57

What Traffic Do NACLs Allow?
aws ec2 describe-network-acls --filter "Name=association.subnet-id,Values=subnet-1ae9df57" --query 'NetworkAcls[].Entries' --output table --color off
All traffic allowed ~ Sweet.

What Traffic Do DB Security Groups Allow?
aws ec2 describe-security-groups --filter "Name=group-id,Values=sg-217f3e4a" --output table --color off
Port 3306
172.31.0.0/16

Find VPC With Access to Database
aws ec2 describe-vpcs --filter "Name=cidrBlock,Values=172.31.0.0/16" --query 'Vpcs[].VpcId' --output table --color off
vpc-96c34cfe is assigned to CIDR 172.31.0.0/16

VPC Security Groups ~ 3306 Egress
aws ec2 describe-security-groups --filter "Name=egress.ip-permission.to-port,Values=3306" "Name=vpc-id,Values=vpc-96c34cfe" --output table --color off
None…hmm…

Security Groups ~ No Outbound Restrictions
aws ec2 describe-security-groups --filter "Name=egress.ip-permission.cidr,Values='0.0.0.0/0'" "Name=vpc-id,Values=vpc-96c34cfe" --output table --color off --query 'SecurityGroups[].GroupId'
Cool. Wide Open Outbound.
Let’s see what’s using these.

Check Lambda Functions
aws lambda list-functions --query 'Functions[?VpcConfig.SecurityGroupIds==[`sg-93aadef8`]].FunctionName' --output table --color off

Query Lambda Code Location
aws lambda get-function --function-name CreateTableAddRecordsAndRead --query 'Code.Location'
Gives us URL to code location in S3…

Go To URL…Check out the code
Hmm, what’s in this file?

About that rds_config file…
Oops. Database credentials.

Look for Instances That Can Exfil
aws ec2 describe-instances --output text --query 'Reservations[].Instances[].NetworkInterfaces[].Association.[PublicIp,PublicDnsName]'
Check the domains in a browser to find web sites.

Exploit Web Site and Exfil
Scan Site. Exploit Vulnerability.
Upload code to connect to DB.
Publish to public web site.

IAM Best Practices
Roles
Least Privilege
Segregation of Duties
IAM Top 10

Protecting Credentials
User training ~ Phishing and handling of credentials
Password policies and rotation
MFA!!
Require frequent re-auth – especially to sensitive apps
Prevent deployment of code with embedded credentials
https://github.com/awslabs/git-secrets

IAM Configuration
WOW THAT IS A LOT OF YAML!!
https://github.com/allenk1/2018rsapresentation/blob/master/Default-IAM-Profile.yaml

IAM Master - Initial Roles
Sid: AllowUserstoListAccounts
Effect: Allow
Action:
  - "iam:ListAccountAliases"
  - "iam:ListUsers"
  - "iam:GetAccountPasswordPolicy"
  - "iam:GetAccountSummary"
Resource: "*"
• Allows users to view enough information to get into IAM
• Can get the password policy – IMPORTANT so it can apply
• List Users – needed in order to find themselves

IAM Master - Initial Roles
Actions allow users to manage their account – BUT NOT PERMISSIONS
Sid: AllowUserstoManageOwnAccount
Effect: Allow
Action:
  - "iam:ChangePassword"
  - "iam:CreateAccessKey"
  - "iam:CreateLoginProfile"
  - "iam:DeleteAccessKey"
  - "iam:DeleteLoginProfile"
  - "iam:GetLoginProfile"
  - "iam:ListAccessKeys"
  - "iam:UpdateAccessKey"
  - "iam:UpdateLoginProfile"
  - "iam:ListSigningCertificates"
  - "iam:DeleteSigningCertificate"
  - "iam:UpdateSigningCertificate"
  - "iam:UploadSigningCertificate"
  - "iam:ListSSHPublicKeys"
  - "iam:GetSSHPublicKey"
  - "iam:DeleteSSHPublicKey"
  - "iam:UpdateSSHPublicKey"
  - "iam:UploadSSHPublicKey"
Resource: "arn:aws:iam::*:user/${aws:username}"
Resource only allows them to perform on their username – can’t modify anyone else

IAM ~ User Roles
- Sid: AllowUserstoListOnlyThierMFA
  Effect: Allow
  Action:
    - "iam:ListVirtualMFADevices"
    - "iam:ListMFADevices"
  Resource:
    - "arn:aws:iam::*:mfa/*"
    - "arn:aws:iam::*:user/${aws:username}"
- Sid: AllowUsertoManageThierMFA
  Effect: Allow
  Action:
    - "iam:CreateVirtualMFADevice"
    - "iam:DeleteVirtualMFADevice"
    - "iam:EnableMFADevice"
    - "iam:ResyncMFADevice"
  Resource:
    - "arn:aws:iam::*:mfa/${aws:username}"
    - "arn:aws:iam::*:user/${aws:username}"
- Sid: AllowUserstoDeactiveTheirMFAWhenUseingMFA
  Effect: Allow
  Action:
    - "iam:DeactivateMFADevice"
  Resource:
    - "arn:aws:iam::*:mfa/${aws:username}"
    - "arn:aws:iam::*:user/${aws:username}"
  Condition:
    Bool:
      "aws:MultiFactorAuthPresent": "true"
• Allows users to manage their MFA
• Must log in with MFA to remove device

IAM ~ Assumed Roles
Initial role has no permissions except to assume other roles
MFA Required to assume role with temp creds

IAM Master
Failure due to default policy not having permissions
Temporary credential request & setting as environment variables
MFA!
Commands work!

CloudTrail
Monitor all API Actions
Feed data to events
Respond
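
One way to turn "monitor all API actions, then respond" into a detection for the enumeration walk shown earlier in the deck: flag a principal whose read-only calls fan out across several services in a short window. This is an added example, not code from the presentation; the thresholds, principal ARNs and sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=15)   # assumed threshold, tune per environment
MIN_SERVICES = 3                 # assumed threshold


def parse_time(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def find_recon(events, window=WINDOW, min_services=MIN_SERVICES):
    """Return {principal_arn: finding} for principals whose read-only calls
    touch at least `min_services` services inside one sliding window."""
    per_principal = defaultdict(list)
    for ev in events:
        if not ev.get("readOnly"):
            continue
        arn = ev.get("userIdentity", {}).get("arn", "unknown")
        per_principal[arn].append(
            (parse_time(ev["eventTime"]), ev["eventSource"], ev["eventName"]))

    findings = {}
    for arn, calls in per_principal.items():
        calls.sort()
        widest, start = set(), 0
        for end in range(len(calls)):
            while calls[end][0] - calls[start][0] > window:
                start += 1
            services = {src for _, src, _ in calls[start:end + 1]}
            if len(services) > len(widest):
                widest = services
        if len(widest) >= min_services:
            # GetFunction returns a pre-signed URL to the code package, so
            # report it as context: that is where embedded secrets leak.
            code_reads = sum(1 for _, src, name in calls
                             if src == "lambda.amazonaws.com"
                             and name.startswith("GetFunction"))
            findings[arn] = {"services": sorted(widest),
                             "lambda_code_reads": code_reads}
    return findings


def _ev(t, src, name, arn):
    return {"eventTime": t, "eventSource": src, "eventName": name,
            "readOnly": True, "userIdentity": {"arn": arn}}


# Constructed CloudTrail-style records (only the fields the detector reads).
U = "arn:aws:iam::111122223333:user/example-readonly"
R = "arn:aws:sts::111122223333:assumed-role/example-monitor/session"
SAMPLE_EVENTS = [
    _ev("2018-01-01T10:00:05Z", "rds.amazonaws.com", "DescribeDBInstances", U),
    _ev("2018-01-01T10:01:10Z", "ec2.amazonaws.com", "DescribeNetworkAcls", U),
    _ev("2018-01-01T10:02:00Z", "ec2.amazonaws.com", "DescribeSecurityGroups", U),
    _ev("2018-01-01T10:03:30Z", "ec2.amazonaws.com", "DescribeVpcs", U),
    _ev("2018-01-01T10:05:00Z", "lambda.amazonaws.com", "ListFunctions20150331", U),
    _ev("2018-01-01T10:06:00Z", "lambda.amazonaws.com", "GetFunction20150331v2", U),
    _ev("2018-01-01T10:00:00Z", "ec2.amazonaws.com", "DescribeInstances", R),
    _ev("2018-01-01T10:05:00Z", "ec2.amazonaws.com", "DescribeInstances", R),
]
```

A finding like this is the input to the "Respond" step, for example an alert or an automated key deactivation for the flagged principal.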

Scan and Secure
Encryption in flight with only specific IAM role with rights
Instance retrieves encrypted value
Instance IAM Role allows rights to use key to decrypt
EC2 Parameter Store for secrets

EC2 Parameter Store
OLD: Password embedded in rds_config.py
New: No password in rds_config.py

EC2 Parameter Store
Calls AWS SSM
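
A sketch of the "new" rds_config.py described on these two slides, fetching the password from Parameter Store at run time instead of storing it in the file. This is an added example, not the presenters' code; the parameter name, the default user and database names, and the FakeSSM stand-in used for offline runs are assumptions.

```python
import os

# OLD rds_config.py, as the slide describes it: the password sat in the file
# and shipped inside the Lambda package.
#
# NEW: only a parameter name lives in the code.
# Hypothetical parameter name; the slides do not show the one that was used.
DB_PASSWORD_PARAM = "/example/supersecretdb/password"


def get_db_password(ssm_client=None, name=DB_PASSWORD_PARAM):
    """Fetch the database password from SSM Parameter Store at call time.

    With a SecureString parameter the value is KMS-encrypted at rest, and only
    a role allowed both ssm:GetParameter on this name and kms:Decrypt on the
    key can read it.
    """
    if ssm_client is None:
        import boto3  # imported lazily so the module loads without boto3
        ssm_client = boto3.client("ssm")
    resp = ssm_client.get_parameter(Name=name, WithDecryption=True)
    param = resp["Parameter"]
    if param.get("Type") != "SecureString":
        # A plain String parameter needs no KMS rights to read, which defeats
        # the point of moving the secret out of the code.
        raise ValueError(f"{name} must be a SecureString, got {param.get('Type')}")
    return param["Value"]


def load_rds_config(ssm_client=None):
    """What rds_config.py exposes after the change: no secret in the file."""
    return {
        "db_username": os.environ.get("DB_USERNAME", "example_user"),  # constructed
        "db_name": os.environ.get("DB_NAME", "ExampleDB"),             # constructed
        "db_password": get_db_password(ssm_client),
    }


class FakeSSM:
    """Constructed stand-in for the boto3 SSM client, for offline runs."""
    def __init__(self, ptype):
        self.ptype = ptype
        self.calls = []

    def get_parameter(self, Name, WithDecryption=False):
        self.calls.append((Name, WithDecryption))
        value = "constructed-secret" if WithDecryption else "constructed-ciphertext"
        return {"Parameter": {"Name": Name, "Type": self.ptype, "Value": value}}


if __name__ == "__main__":
    cfg = load_rds_config(FakeSSM("SecureString"))
    print({k: ("***" if k == "db_password" else v) for k, v in cfg.items()})
```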

Monitoring
AWS GuardDuty
VPC Flow Logs
CloudTrail
Config
Log shipping
Secure log backups
Automate Remediation

WAF Security

Network Architecture
Presentation Layer
Application Layer
Data Layer
Limited NACL & Security Groups between subnets
Limit all outbound traffic

Network Architecture
BAD NETWORK
NACLs are wide open
Wide open inbound rules on security groups
Security groups allow everything to talk to internet

Network Architecture
BETTER NETWORK
NACLs limit access between subnets
Security Groups limiting access to specific servers
Blocking internet where not needed
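
The difference between the "bad" and "better" networks can be checked mechanically from the same describe output the red team read. The auditor below is an added example, not code from the presentation; the finding names, the NACL IDs, the "better" groups and all rule data are constructed, while sg-217f3e4a and sg-93aadef8 are the group IDs from the earlier slides.

```python
ANY = "0.0.0.0/0"

def audit_nacl(nacl):
    """Flag NACL allow entries that pass all protocols for any address."""
    return [(nacl["NetworkAclId"], "egress" if e["Egress"] else "ingress", "nacl-allow-all")
            for e in nacl["Entries"]
            if e["RuleAction"] == "allow" and e["Protocol"] == "-1"
            and e.get("CidrBlock") == ANY]

def covers_port(perm, port):
    if perm["IpProtocol"] == "-1":          # all protocols, all ports
        return True
    return perm["IpProtocol"] == "tcp" and perm["FromPort"] <= port <= perm["ToPort"]

def audit_sg(sg, db_port=3306):
    """Flag unrestricted egress, and DB-port ingress granted to a CIDR range
    instead of to a specific security group."""
    findings = []
    for perm in sg.get("IpPermissionsEgress", []):
        ranges = perm.get("IpRanges", [])
        if perm["IpProtocol"] == "-1" and any(r["CidrIp"] == ANY for r in ranges):
            findings.append((sg["GroupId"], "egress", "sg-open-egress"))
    for perm in sg.get("IpPermissions", []):
        if covers_port(perm, db_port) and perm.get("IpRanges"):
            findings.append((sg["GroupId"], "ingress", "db-port-open-to-cidr"))
    return findings

def audit(nacls, sgs):
    return (sorted(f for n in nacls for f in audit_nacl(n))
            + sorted(f for g in sgs for f in audit_sg(g)))

# Constructed data in the shape of `aws ec2 describe-network-acls` and
# `aws ec2 describe-security-groups` output.
BAD_NACLS = [{"NetworkAclId": "acl-example1", "Entries": [
    {"RuleNumber": 100, "Protocol": "-1", "RuleAction": "allow", "Egress": False, "CidrBlock": ANY},
    {"RuleNumber": 100, "Protocol": "-1", "RuleAction": "allow", "Egress": True, "CidrBlock": ANY}]}]
BAD_SGS = [
    {"GroupId": "sg-217f3e4a",   # database group: 3306 from the whole VPC CIDR
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
                        "IpRanges": [{"CidrIp": "172.31.0.0/16"}]}],
     "IpPermissionsEgress": []},
    {"GroupId": "sg-93aadef8",   # Lambda group: any protocol to anywhere
     "IpPermissions": [],
     "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": ANY}]}]},
]
BETTER_NACLS = [{"NetworkAclId": "acl-example2", "Entries": [
    {"RuleNumber": 100, "Protocol": "6", "RuleAction": "allow", "Egress": False,
     "CidrBlock": "10.0.2.0/24", "PortRange": {"From": 3306, "To": 3306}}]}]
BETTER_SGS = [
    {"GroupId": "sg-example-db",  # 3306 only from the application tier's group
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
                        "IpRanges": [],
                        "UserIdGroupPairs": [{"GroupId": "sg-example-app"}]}],
     "IpPermissionsEgress": []},
]
```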

Conclusion
Red Team:
• Attackers can use the same tools used by DevOps teams.
• Cloud APIs provide a means for mapping out an entire account.
• Read only access can be powerful.
Blue Team:
• Restrict access
• Automated deployment
• Architect networks to minimize open ports and pivoting
• Protect secrets - don't embed in code!
• Monitor everything

THANK YOU!