© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

Aaron Klein, CloudCheckr

Tuesday, June 30th 2016

Hackproof Your CloudResponding to 2016 Threats

Changing Your PerspectiveMoving to the Cloud = rethinking your perimeter security

Old world: Set-up and audit perimeter security

New world: Rethink security tasks:

• Network-based IPS/IDS

• Network scanning

• Penetration tests

• Vulnerability assessments

Focus on securing cloud workloads

• Not on securing the cloud

AWS: What’s Different?

The idea of physical security morphs as

infrastructure becomes virtualized by AWS APIs.

In a new world of ephemeral, auto-scaling infrastructure,

you need to adapt your security architecture to meet

both compliance and security threats.

~ Physical assets secured at the AWS availability zone ~

~ Must guard the AWS API ~

~ IAM Access is your new physical security ~

AWS Foundation Services

Compute Storage Database Networking

AWS Global InfrastructureRegions

Availability Zones

Edge Locations

Network

Security

Inventory

& Config

Customer Applications & Content

You get to define

your controls IN

the Cloud

AWS takes care

of the security

OF the Cloud

You

AWS and You Share Responsibility for Security

Data

Security

Access

Control

Minimizing Attack Vectors

Principles don’t change

• Reduce your surface area!

• Defense-in-depth

Some attack vectors don’t change

• Application level

• user-privilege escalation, web app vulns, XSS

• Operating system vulnerabilities

• Database vulnerabilities

Some attack vectors change

• Homogeneous environment

• Polymorphic targets/mapping

• Reduced network sniffing

Security Hardening

Configure and manage user

privileges

Remove unused user

accounts

Close unused open network

ports

Enforce password

complexity & policies

Remove unwanted services

Patch all known

vulnerabilities

Give me your network block

• Nmap

• Port scans

• Ping sweeps

• Etc…

Perimeter Assessments In the CloudHow do I assess the perimeter of my cloud?

Let me see your configuration

• List of publicly-accessible

resources

• Security groups (Amazon EC2-

Classic, Amazon EC2-VPC,

Redshift, RDS, etc…)

• Routing tables, Network ACL

• VPC, subnets

• Amazon S3 buckets and

permissions

• IAM policies

OLDWORLD

NEWWORLD

Network Security in a VPC

Network ACLs (NACLs)

• Virtual firewalls assigned to VPC/Subnets

• Network ACLs are stateless; responses to allowed inbound

traffic are subject to the rules for outbound traffic (and vice versa).

• Rules evaluated numerical ascending – DENY can be overridden by ALLOW

• Watch for INEFFECTIVE rules

Security Groups

• Host-based firewalls assigned to instances

• Stateful – responses to allowed inbound traffic are not subjected

to the rules for outbound traffic

• Rules are cumulative – DENY always overrides ALLOW

• Assigning wrong security group to an instance exposes the entire VPC

http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_ACLs.html

http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-network-security.html

Complex Connections to Amazon EC2

Amazon EC2 instance can be run inside VPCs

•Legacy capability to run outside VPCs

• Instance ID: i-001bac39

•Friendly name (implemented as a tag): ISS-V2-API1

Amazon EC2 instance can be given 1 or more private IP

addresses

•For example: 172.12.6.186

•This generates a DNS name ip-172-12-6-186.us-west-2.compute.internal

Amazon EC2 instance can be given 1 or more public IP

addresses

•For example: 52.24.201.167

•This generates a DNS name ec2-52-24-201-167.us-west-2.compute.amazonaws.com

Amazon EC2 instance can be attached to an Elastic IP

address (EIP)

•For example: 107.20.135.132

Running VA in Cloud EnvironmentsHow do I run Vulnerability Assessments? REGISTER YOUR SCAN!

Gather the list of public

IPs and EIPs of all

resources

Do I need to scan the

private IP addresses and

instances?

Scanning an AMI

Spin up a new instance,

run a scan on the new

instance

Mark everything based

on this AMI as “scanned”

What about when an

instance “drifts” from

original AMI?

Someone can

reconfigure settings,

install new software

In an elastic, ephemeral, auto scaling environment clouds

can have tens of thousands of instances

Patching Strategies for AWS

“No Patch” Strategy

• Stay away from patching live systems

• Focus on patching templates/AMIs

• Deliver patches by redeploying workloads

• Dependent on adopting pure cloud architectures

Look at AWS OS Templates• Patched by Amazon

Systematic Workload Reprovisioning

• Based on high-assurance repositories

• Effective battling Advanced Persistent Threats

Outside of your VPC: What are we missing?

Don’t assume attacks only happen against Amazon EC2

AWS is a complex system

Over 30 different AWS services

• Many have unique access control systems

You may have 100s of AWS accounts

We need a complete inventory

• All publicly-accessible endpoints and resources

Security breaches can happen with a single weak link

S3 (Simple Storage Service)

Up to 1000 buckets in an account

• Unlimited number of objects (billions is not uncommon)

Location

• Within a region, across multi-AZs, not housed in a VPC

• Can’t sit between client and storage

Security

• Access control through IAM policies, bucket policies, ACLs, and query string authentication

• Server-side Encryption, HTTPS support

• Server-access logs (does not integrate with CloudTrail)

Don’t grant FULL_CONTROL, WRITE_ACP, WRITE bucket permissions to Everyone EVER!!!

Create an inventory of your sensitive data

SQS (Simple Queuing Service)

Where does SQS live?

• Within a region, not within a VPC

• Uses a URL such as:

https://sqs.us-east-1.amazonaws.com/123456789012/MySQS

Security based on policy documents:{

"Version": "2008-10-17",

"Id": "arn:aws:sqs:us-east-1:123456789012:MySQS/SQSDefaultPolicy",

"Statement": [

{

"Sid": "Sid1415217272568",

"Effect": "Allow", "Principal": { "AWS": "*" },

"Action": [

"SQS:ReceiveMessage", "SQS:SendMessage"

],

"Resource": "arn:aws:sqs:us-east-1:123456789012:MySQS"

},

SNS (Simple Notification Service)

SNS does not live inside your VPC

Permissions based on topic policies:

Logs: Using AWS CloudTrail

An AWS Service that records each time the AWS API is called

• Currently supports most AWS services

• http://docs.aws.amazon.com/awscloudtrail/latest/userguide/dochistory.html

Conveniently everything in AWS goes through the API

• Even actions in the Management Console go through the API

CloudTrail writes files into an Amazon S3 bucket

• Near real-time (every five minutes)

• Files are in JSON format

Get started at http://aws.amazon.com/cloudtrail/

Using CloudWatch Logs

Simple method of monitoring operating system logs• Ship Windows event logs and syslogs to AWS CloudWatch

Types of use-case:• Account Login Failure, Account Login Success, New local account creation,

Excessive Login Failure (Configurable)

• Unauthorized Windows Admin Logon, Windows Account Lockout Attempt,

Windows Computer Account Changes

• Windows Audit Policy Changes, Windows Event Log Cleared

• Non-Windows - Account Locked Out, Non-Windows - Account Unlocked,

Changes to System or Audit log

Get started at:

http://docs.aws.amazon.com/AmazonCloudWatch/latest/DeveloperGuide/WhatIsCloudW

atchLogs.html

Using Amazon VPC Flow Logs

An AWS service that records each time packets enter or leave a VPC

• http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/flow-logs.html

Security team comes to you and says:

• We need logs going to instance 1-0123456 from

IP address ranges 52.205.16.0 - 52.205.31.255

Monitor for DENY connections

• Gives you both security group and NACL denies

Announcement:

https://aws.amazon.com/about-aws/whats-new/2015/06/aws-launches-amazon-

vpc-flow-logs/

Tools For Configuring AWS Securely & Cost

EffectivelyGeneric tools fall short

Purpose-built, not cloud-washed

• Make sure tools don’t fall over in the cloud

• Tools have to understand dynamic, ephemeral IPs

Need a deep understanding of AWS

• What does this means

• Context is important

• Actionable intelligence

CloudCheckrUnified Cost & Security Management

What cloud users need… CloudCheckr provides…

Automated reports, generated and updated daily, listing all

additions, deletions, or modifications over the past 24 hours

Comprehensive visibility & control on security, availability, cost

and usage with 350+ out-of-the-box best practice policy checks

Granular visibility to understand, deconstruct, and optimize cloud

costs

Automated best practice checks covering

security, availability, cost, and usage

Simplified monitoring of changes in a cloud

environment

Understand/Audit costs in the cloud

»»»»»

Actionable security and activity alertsOver 100 out of the box alerts with endless

customization opportunities

Remediation and self-healing of security

vulnerabilities

Automation that allows users to receive alerts

and delegate remediation to CloudCheckr

Questions?

© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

Aaron Klein, Founder of CloudCheckraaron.klein@cloudcheckr.com

www.cloudcheckr.com

Thank You for Attending