LA AWS User Group Meetup 20141030 - Sadistic SecOps Manager


Transcript of LA AWS User Group Meetup 20141030 - Sadistic SecOps Manager

Page 1: LA AWS User Group Meetup 20141030 - Sadistic SecOps Manager

Continuous Cloud Security

The Sadistic SecOps Manager @ LA AWS User Group 2014-10-30

John Martinez <[email protected]>

Page 2

Require MFA for CLI Access

Why the hell would I want to do this?

• Laptops generally make bad places to store API Access Keys and Secret Keys
• 99.9% of developers and (dev)ops engineers store keys on their laptops (this is an unscientific observation!)
• Maybe your laptop drive is encrypted, maybe it's not
• Do you have an incident response scenario for lost laptops? lost API keys? stolen API keys?
• Many of the breaches that happen on AWS are because of lost or stolen API access keys
• Many of those compromised keys are associated with IAM users who have administrative privilege in that AWS account
• Or…you're just a flat-out sadistic security person!

Page 3

How Does it Work?

• The STS Service provides temporary authentication tokens to AWS IAM
• The STS GetSessionToken API call provides the mechanism to get a temporary authentication session token for an IAM user
• Force the use of MFA in the IAM policy assigned to the user or group the user is a member of
• Check out the aws:MultiFactorAuthAge IAM policy key: http://docs.aws.amazon.com/IAM/latest/UserGuide/MFAProtectedAPI.html

An MFA condition in a policy specifies the aws:MultiFactorAuthAge key. The policy can use the key in two ways:

• Existence—To simply verify that the user has been authenticated with MFA, check that the aws:MultiFactorAuthAge key is not null. (If the user has not been authenticated with MFA, this key doesn't exist and therefore is null.)
• Duration—If you want to grant access only within a specified time after MFA authentication, use a numeric condition type to compare the key's age to a value (such as 3600 seconds).

Page 4

What are the Drawbacks?

• Your developers will hate you
• Interferes with automated systems like Jenkins — mainly useful for interactive CLI use or in places where security cannot be guaranteed
• Doesn't work well in large environments — recommend using Identity Federation with SAML instead

Page 5

The Meat of It

aws --profile $AWS_CLI_PROFILE sts get-session-token --duration 3600 --serial-number $ARN_OF_MFA --token-code $MFA_TOKEN_CODE

GET-SESSION-TOKEN()

NAME
    get-session-token

DESCRIPTION
    Returns a set of temporary credentials for an AWS account or IAM user. The credentials consist of an access key ID, a secret access key, and a security token. Typically, you use get-session-token if you want to use MFA to protect programmatic calls to specific AWS APIs like Amazon EC2 StopInstances. MFA-enabled IAM users would need to call get-session-token and submit an MFA code that is associated with their MFA device. Using the temporary security credentials that are returned from the call, IAM users can then make programmatic calls to APIs that require MFA authentication.

Page 6

Shell Scripts Make Things Easier

$ bin/aws-temp-token.sh myuser arn:aws:iam::000000000000:mfa/johndev 000000
Using AWS CLI found at /usr/local/bin/aws
AWS-CLI Profile: johndev
MFA ARN: arn:aws:iam::000000000000:mfa/myuser
MFA Token Code: 000000
Copy and paste the following into your shell:
export AWS_ACCESS_KEY_ID="XXXXXXXXXXXXXXXXXXXX"
export AWS_SECRET_ACCESS_KEY="XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
export AWS_SESSION_TOKEN="XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
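The same flow as the deck's shell helper, written here as an added Python example (it is not the MFAonCLI script from the repo linked below): it builds the get-session-token command from "The Meat of It", refuses to burn an MFA code on an invocation that can only fail (bad device ARN, code that is not six digits, duration outside the 900..129600 second range the API accepts for IAM users), and turns the JSON response into the three export lines shown above. The CLI's full parameter name is --duration-seconds; the slide's --duration is an abbreviation. SAMPLE_RESPONSE is a constructed response with placeholder values, and run_and_export is the only function that calls AWS.

```python
"""Added example: Python equivalent of the deck's aws-temp-token.sh flow.
Only run_and_export() touches AWS; everything else is testable offline."""
import json
import re
import shlex
import subprocess
from datetime import datetime, timezone

# IAM MFA device ARN (virtual or hardware): arn:<partition>:iam::<12-digit account>:mfa/<name>
MFA_ARN_RE = re.compile(r"^arn:aws[a-z-]*:iam::[0-9]{12}:mfa/[A-Za-z0-9+=,.@_-]+$")
TOKEN_CODE_RE = re.compile(r"^[0-9]{6}$")  # TOTP and hardware-token codes are six digits
MIN_DURATION, MAX_DURATION = 900, 129600   # GetSessionToken limits for IAM users, in seconds


def validation_errors(mfa_arn, token_code, duration=3600):
    """Check inputs locally before spending a one-time MFA code on a doomed call."""
    errors = []
    if not MFA_ARN_RE.match(mfa_arn):
        errors.append("serial-number is not an IAM MFA device ARN")
    if not TOKEN_CODE_RE.match(token_code):
        errors.append("token-code must be exactly six digits")
    if not MIN_DURATION <= duration <= MAX_DURATION:
        errors.append("duration must be between %d and %d seconds" % (MIN_DURATION, MAX_DURATION))
    return errors


def build_command(profile, mfa_arn, token_code, duration=3600):
    """Same invocation as the slide; --duration-seconds is the CLI's full parameter name."""
    errors = validation_errors(mfa_arn, token_code, duration)
    if errors:
        raise ValueError("; ".join(errors))
    return ["aws", "--profile", profile, "sts", "get-session-token",
            "--duration-seconds", str(duration),
            "--serial-number", mfa_arn,
            "--token-code", token_code,
            "--output", "json"]


def export_lines(response_json):
    """Map the Credentials block of the response onto the env vars the CLI reads."""
    creds = json.loads(response_json)["Credentials"]
    pairs = [("AWS_ACCESS_KEY_ID", "AccessKeyId"),
             ("AWS_SECRET_ACCESS_KEY", "SecretAccessKey"),
             ("AWS_SESSION_TOKEN", "SessionToken")]
    # shlex.quote so a value containing shell metacharacters still pastes safely
    return ["export %s=%s" % (env, shlex.quote(creds[field])) for env, field in pairs]


def seconds_remaining(response_json, now_iso=None):
    """Seconds until the session expires; negative means the token is already dead."""
    creds = json.loads(response_json)["Credentials"]
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    # CLI v1 prints Expiration as ...Z; newer releases print ...+00:00, normalise both
    expiration = creds["Expiration"].replace("+00:00", "Z")
    expires = datetime.strptime(expiration, fmt).replace(tzinfo=timezone.utc)
    now = (datetime.strptime(now_iso, fmt).replace(tzinfo=timezone.utc)
           if now_iso else datetime.now(timezone.utc))
    return int((expires - now).total_seconds())


def run_and_export(profile, mfa_arn, token_code, duration=3600):
    """Call the CLI for real and print the export lines (needs a configured profile)."""
    out = subprocess.run(build_command(profile, mfa_arn, token_code, duration),
                         check=True, capture_output=True, text=True).stdout
    print("\n".join(export_lines(out)))
    print("# session valid for %d more seconds" % seconds_remaining(out))


# Constructed sample response in the CLI's JSON shape; every value is a placeholder.
SAMPLE_RESPONSE = json.dumps({"Credentials": {
    "AccessKeyId": "ASIAEXAMPLEEXAMPLE00",
    "SecretAccessKey": "EXAMPLE/secret/key/placeholder",
    "SessionToken": "EXAMPLE-session-token-placeholder",
    "Expiration": "2014-10-31T03:00:00Z"}})

if __name__ == "__main__":
    print("\n".join(export_lines(SAMPLE_RESPONSE)))
    print("# seconds left at 02:00Z:", seconds_remaining(SAMPLE_RESPONSE, "2014-10-31T02:00:00Z"))
```

Printing the export lines rather than setting them keeps the behaviour of the original script: the caller pastes them into the interactive shell, and the long-term keys in the profile are never exported into the environment.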

Page 7

Group Policy Example

{
  "GroupName": "Group-Admin-with-MFA",
  "PolicyDocument": {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Action": "*",
        "Resource": "*",
        "Effect": "Allow",
        "Condition": {
          "Null": {
            "aws:MultiFactorAuthAge": "false"
          }
        }
      }
    ]
  },
  "PolicyName": "Admin-with-MFA"
}
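To make the "Existence" and "Duration" forms of the aws:MultiFactorAuthAge condition quoted on page 3 concrete, here is an added Python example (not AWS's policy engine and not from the deck) that evaluates the group policy above, plus a NumericLessThan variant, against constructed request contexts. The modelling assumptions are: a request made with long-term access keys carries no aws:MultiFactorAuthAge key at all, which is what IAM's Null operator tests; a session obtained through get-session-token with --serial-number/--token-code carries the number of seconds since the MFA code was verified; only the operators needed for MFA age are implemented, Resource is ignored, and an explicit Deny beats any Allow.

```python
"""Added example: a minimal evaluator for IAM Conditions on aws:MultiFactorAuthAge.
Not AWS's evaluation logic; only the operators this deck needs are modelled."""
import re

MFA_AGE_KEY = "aws:MultiFactorAuthAge"

# Numeric condition operators IAM defines, restricted to the ones used with MFA age.
NUMERIC_OPS = {
    "NumericLessThan": lambda have, want: have < want,
    "NumericLessThanEquals": lambda have, want: have <= want,
    "NumericGreaterThan": lambda have, want: have > want,
    "NumericGreaterThanEquals": lambda have, want: have >= want,
}


def wildcard_match(pattern, value):
    """IAM-style Action matching: '*' matches any run of characters, case-insensitive."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value, re.IGNORECASE) is not None


def condition_matches(condition, ctx):
    """ctx maps condition keys to their values for this request. A key absent
    from ctx is what IAM treats as null. Every clause in the block must hold."""
    for operator, clauses in condition.items():
        for key, want in clauses.items():
            have = ctx.get(key)
            if operator == "Null":
                # "true": key must be absent; "false": key must be present (the slide's case)
                must_be_absent = str(want).lower() == "true"
                if (have is None) != must_be_absent:
                    return False
            elif operator in NUMERIC_OPS:
                # a missing key never satisfies a numeric comparison
                if have is None or not NUMERIC_OPS[operator](float(have), float(want)):
                    return False
            else:
                raise NotImplementedError("operator not modelled here: " + operator)
    return True


def is_allowed(policy_document, action, ctx):
    """Explicit Deny wins; otherwise allowed iff some Allow statement matches the
    action and its Condition. Resource matching is deliberately left out."""
    allowed = False
    for stmt in policy_document["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if not any(wildcard_match(p, action) for p in actions):
            continue
        if not condition_matches(stmt.get("Condition", {}), ctx):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


# The slide's PolicyDocument, and the "Duration" variant the IAM docs describe.
ADMIN_WITH_MFA = {"Version": "2012-10-17", "Statement": [{
    "Action": "*", "Resource": "*", "Effect": "Allow",
    "Condition": {"Null": {MFA_AGE_KEY: "false"}}}]}

ADMIN_WITH_FRESH_MFA = {"Version": "2012-10-17", "Statement": [{
    "Action": "*", "Resource": "*", "Effect": "Allow",
    "Condition": {"NumericLessThan": {MFA_AGE_KEY: "3600"}}}]}

# Constructed request contexts (assumption: MFA age is seconds since the code was verified).
LONG_TERM_KEYS = {}                         # plain access key + secret, no MFA involved
MFA_SESSION_FRESH = {MFA_AGE_KEY: "120"}    # get-session-token with MFA, two minutes ago
MFA_SESSION_STALE = {MFA_AGE_KEY: "7200"}   # same, but two hours ago

if __name__ == "__main__":
    for name, policy in [("Admin-with-MFA", ADMIN_WITH_MFA), ("fresh-MFA-only", ADMIN_WITH_FRESH_MFA)]:
        for label, ctx in [("long-term keys", LONG_TERM_KEYS),
                           ("MFA 2 min ago", MFA_SESSION_FRESH),
                           ("MFA 2 h ago", MFA_SESSION_STALE)]:
            print("%-16s %-15s -> %s" % (name, label, is_allowed(policy, "ec2:DescribeRegions", ctx)))
```

The first table row is the "Before and After" slide in miniature: with long-term keys the Null condition fails and ec2:DescribeRegions is refused, with an MFA session it passes. The NumericLessThan variant additionally cuts off sessions whose MFA verification is older than 3600 seconds, even if the STS credentials themselves have not expired.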

Page 8

Before and After

BEFORE

$ aws --profile johndev ec2 describe-regions

A client error (UnauthorizedOperation) occurred when calling the DescribeRegions operation: You are not authorized to perform this operation.

AFTER

$ aws ec2 describe-regions --dry-run

A client error (DryRunOperation) occurred when calling the DescribeRegions operation: Request would have succeeded, but DryRun flag is set.

Page 9

Resources

Code Repo https://github.com/EvidentSecurity/MFAonCLI

AWS STS Service Documentation http://docs.aws.amazon.com/STS/latest/APIReference/Welcome.html

AWS IAM Service Documentation
http://docs.aws.amazon.com/IAM/latest/APIReference/Welcome.html
http://docs.aws.amazon.com/IAM/latest/UserGuide/MFAProtectedAPI.html

AWS Security Blog Posts
http://blogs.aws.amazon.com/security/post/Tx1KJ4H6H5R80UD/Securing-access-to-AWS-using-MFA-Part-I
http://blogs.aws.amazon.com/security/post/Tx3NJXSBQUB4QMH/Securing-access-to-AWS-using-MFA-Part-2

Evident.io Blog https://blog.evident.io/

Page 10

Send me email [email protected]

Come see us at re:Invent Booth #1003!

QUESTIONS?