RVASec AWS Survival Guide 2.0
Uploaded by ken-johnson
Transcript of RVASec AWS Survival Guide 2.0
AWS SURVIVAL GUIDE 2.0

HELLO! Before we get started, let’s chat about recent events…
AWS Key
“Our review has shown that a threat actor obtained access to a set of AWS keys and used them to access the AWS API from an intermediate host with another, smaller service provider in the US.”

S3 Bucket Permissions
“On May 24, Chris Vickery, a cyber risk analyst with the security firm UpGuard, discovered a publicly accessible data cache on Amazon Web Services' S3 storage service that contained highly classified intelligence data.”

Quora & 50k bill
“After just one week of the account being compromised, the monthly bill was $285,000!”

Gettin’ Robbed
“I hired a remote developer to help me with my startup. After asking him to sign a Non Disclosure Agreement (NDA), I added him to my private Github repository. He then forked my repository and publicly exposed a copy of it on his own repository”
Background

Me
CTO – nVisium
Breaker & Builder
Utilize AWS Heavily
@cktricky

This talk
Preventing the preventable

“Account exploitation, in my experience, occurs due to hosting vulnerable systems, misconfigured services, or compromised credentials.”
Exposed Credentials

Exposed Credentials
▸Keys are often stored on developer or ops machines
▸Typically they can be found under
▹~/.aws/credentials (and sometimes ~/.aws/config)
▹~/.bashrc
▹~/.zshrc
▹~/.elasticbeanstalk/aws_credential_file
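Before you can rotate leaked keys you have to find them. The scanner below is an added example, not a tool from the talk: it looks for AWS access key IDs (the 20-character "AKIA…"/"ASIA…" form) and for 40-character secrets sitting next to a secret-key variable name, in the kind of files listed above. The file contents and key values are constructed for the example (the AKIA key and secret are AWS's own documented placeholders) and the regexes are this example's assumptions about what a leaked key looks like.

```python
"""Scan dot-files and source text for leaked AWS access keys (added example)."""
import re

# Access key IDs: 4-char prefix ("AKIA" long-term IAM key, "ASIA" temporary STS
# key) followed by 16 upper-case letters/digits.
ACCESS_KEY_RE = re.compile(r"\b((?:AKIA|ASIA)[0-9A-Z]{16})\b")
# Secret keys are 40 base64-ish chars. Alone that is noisy, so a secret is only
# reported when it is assigned to a secret-key style variable name.
SECRET_KEY_RE = re.compile(
    r"""(?i)(aws_secret_access_key|aws_secret|secret_key)\s*[=:]\s*["']?([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"""
)


def scan_text(name, text):
    """Return a list of findings for one file's contents."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_RE.finditer(line):
            findings.append({"file": name, "line": lineno, "kind": "access_key_id",
                             "value": m.group(1),
                             "temporary": m.group(1).startswith("ASIA")})
        for m in SECRET_KEY_RE.finditer(line):
            secret = m.group(2)
            # Never echo the whole secret into a report; keep enough to locate it.
            findings.append({"file": name, "line": lineno, "kind": "secret_access_key",
                             "value": secret[:4] + "..." + secret[-4:], "temporary": False})
    return findings


def scan_files(files):
    """files: mapping of path -> contents. Findings are ordered by path."""
    out = []
    for path in sorted(files):
        out.extend(scan_text(path, files[path]))
    return out


# Constructed sample contents; the key values are placeholders, not live keys.
SAMPLE_FILES = {
    "~/.aws/credentials": (
        "[default]\n"
        "aws_access_key_id = AKIAIOSFODNN7EXAMPLE\n"
        "aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
    ),
    "~/.bashrc": "export AWS_ACCESS_KEY_ID=ASIAZZZZZZZZZZZZZZZZ\nalias ll='ls -la'\n",
    "config/database.yml": "adapter: postgresql\nhost: db.internal\n",
}

if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f['file']}:{f['line']}: {f['kind']} {f['value']}"
              + (" (temporary STS key)" if f["temporary"] else ""))
```

Run it over git history as well as the working tree: a key deleted in a later commit is still in every clone. Anything it finds should be rotated, not merely removed from the file.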
“Thankfully, developers never embed secret keys in source code or post their sensitive dot files to public repos”
~ Nobody, the F%@k Ever

Exposed Credentials (screenshot slides 14, 15 and 16)
Misconfigured Services

Misconfigured Services
▸S3 bucket with “any authenticated user” permissions (credit: Chris Gates)
▸Note that the S3 “Authenticated Users” group means anyone with any AWS account, not users of your own account, so this grant is effectively public

Misconfigured Services
▸Listing bucket contents (screenshot)

Misconfigured Services
ASK SHODAN: Don’t believe me? Just ask Shodan.io…

Misconfigured Services
▸I have many more examples including
▹RDS default creds
▹“Internal” assets on a VPC
▹Security groups
▹Unencrypted storage of PII
▹List goes on…
Vulnerable Systems

Vulnerable Systems
▸Machine is compromised
▸Attacker grabs metadata info
▸Uses these credentials to pivot

Vulnerable Systems
▸For compromised instances, just turn to Google...

Vulnerable Systems
▸Browse to this address from the compromised machine
▸http://169.254.169.254/latest/meta-data/iam/security-credentials/
▸Obtain the instance role’s temporary credentials here and pivot
▸Today you can require IMDSv2, which makes callers fetch a session token with a PUT request first and by default will not hand that token across more than one network hop; that alone defeats the simplest SSRF-style grabs of these credentials

Vulnerable Systems
▸Even a talk/tool to help with this
▹https://www.blackhat.com/docs/us-14/materials/us-14-Riancho-Pivoting-In-Amazon-Clouds-WP.pdf
▹https://andresriancho.github.io/nimbostratus/

Vulnerable Systems
▸Summary
▹Plenty of ways to get in
▹Plenty of ways to secure your infrastructure
▹Let’s get started shall we
Prevention

Prevention
▸Monitoring
▸Hardening
▸Q&A
Monitoring

Monitoring
▸AWS Solutions - Monitoring
▹3 Services: CloudWatch, CloudTrail, and Config

Monitoring (screenshot)

Monitoring
▸Step 1 – Turn it on (enable CloudTrail)

Monitoring
▸Step 2 – Configure Log Group (deliver the trail to CloudWatch Logs)

Monitoring
▸Step 3 – Create IAM Role (the role CloudTrail uses to write to the log group)

Monitoring
▸CloudWatch Alarms – Helpful but not detailed

Monitoring
▸This is more along the lines of what we want

Monitoring
▸I learned the hard way so you don’t have to
▹Alarms filter for metric data and, when sent to Lambda, SNS, etc. they only contain info on the metric
▹Events, on the other hand, send the entire event data to Lambda (much more detailed)
▸Both are functions of CloudWatch (CloudWatch Events has since been renamed EventBridge; the mechanism is the same)

Monitoring
▸First we will set up an alarm for IAM Unauthorized Activity
▸Second, set up a similar alert but for events and with better, more granular details
▸Discuss other types of events to monitor for

“One last thing - you want both an alarm and events… we have good reason”

Monitoring
▸Choose log group, create metric filter

Monitoring
▸Define Pattern (what to grok for)

Monitoring
▸Assign a metric (naming conventions)

Monitoring
▸Click “Create Alarm”

Monitoring
▸Give it a name, desc, etc.

Monitoring
▸It works really really well
▸No matter what event source the data comes from, it is parsed and recognized correctly
▸This means it’s safe to rely on
▸But… those “details”…
Monitoring (screenshot)

Monitoring
▸But then I learned about CloudWatch Events (Rules)!
▸If something (Event) happens, you can send that something to Lambda for processing based on a rule (Rules)

CloudWatch Events!

Monitoring (screenshot)

Monitoring
▸This is what an event typically looks like (screenshot)

Monitoring
▸At first, I tried “How to Detect and Automatically Revoke Unintended IAM Access with Amazon CloudWatch Events”
https://aws.amazon.com/blogs/security/how-to-detect-and-automatically-revoke-unintended-iam-access-with-amazon-cloudwatch-events/

Monitoring
▸Filters requests when event source = IAM
▸Sends IAM event to Lambda
▸Check user permissions
▸Caller lacking administrative permissions? => Revoke access

Monitoring
▸Not exactly what I want although, cool stuff
▸We are looking to alert on any Unauthorized Activity error triggered by AWS calls

Monitoring
▸Now for a brief interruption
Monitoring
▸Prior to Event Rule Creation
1. Configure Slack Webhook
2. KMS encrypt Slack Webhook URL
3. Create Lambda Function

Monitoring
▸Start configuring incoming webhook

Monitoring
▸Add configuration inside of Slack

Monitoring
▸Choose the channel (and other details)

Monitoring
▸Retrieve the webhook URL (treat it as a secret: anyone holding it can post to your channel, which is why it gets encrypted next)

Monitoring
▸Create KMS key, later used to decrypt

Monitoring
▸Name the key, follow steps 1 - 4

Monitoring
▸Use the AWS KMS encrypt function to encrypt the webhook URL

Monitoring
▸Next we will create the Lambda function
▸We need the Base64-encoded + KMS-encrypted URL from the previous slide
▸This will be needed for our code to securely retrieve the Slack Webhook URL

Monitoring
▸Select a blank function template

Monitoring
▸Configure Trigger (just click “Next”)

Monitoring
▸Place the following code into the function
https://gist.github.com/cktricky/8f4e9912f757d1ccdcd00ad8e8630620

Monitoring
▸Use the Base64 + KMS encrypted URL (the function decrypts it at runtime; the plaintext URL never sits in the code)

Monitoring
▸Lastly, choose the Slack service role (the function’s execution role needs kms:Decrypt on the key you created)

Monitoring
▸Create the CloudWatch Events rule: directly edit the JSON event pattern

Monitoring
▸Paste in JSON and select the Lambda Function as Target

Monitoring
▸FINISH IT

Monitoring
▸Time to test

Monitoring
▸W00T!

Monitoring
▸You can now unleash the power of Event Rules for other alerts
▸Simple as editing the JSON and parsing the data via Lambda
▸Use BOTH CloudWatch Alarms AND Events
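To make the two paths concrete, here is an added example (it is not cktricky's gist, and the code is this editor's, not AWS's): the test the metric filter performs for the alarm path, re-implemented in Python so it can be exercised offline, and a CloudWatch Events to Lambda to Slack handler that decrypts the KMS-encrypted webhook URL and posts the who/what/where that the alarm path cannot carry. The environment variable names ENCRYPTED_HOOK_URL and SLACK_CHANNEL are this example's assumptions, the sample event is constructed (not a real CloudTrail record), and OfflineKms stands in for the real KMS client so the file runs without AWS.

```python
"""CloudTrail unauthorized-activity alerting: alarm-side filter logic plus a
CloudWatch Events -> Lambda -> Slack handler (added example, runs offline)."""
import base64
import json
import os
import urllib.request

# Metric filter pattern for the alarm path (CloudWatch Logs filter syntax).
METRIC_FILTER_PATTERN = (
    '{ ($.errorCode = "*UnauthorizedOperation") || ($.errorCode = "AccessDenied*") }'
)
# Event pattern pasted into the CloudWatch Events rule; it selects the API-call
# events and the Lambda below does the error-code test on the full record.
EVENT_PATTERN = {"detail-type": ["AWS API Call via CloudTrail"]}


def is_unauthorized(record):
    """Python equivalent of METRIC_FILTER_PATTERN for one CloudTrail record."""
    code = record.get("errorCode") or ""
    return code.endswith("UnauthorizedOperation") or code.startswith("AccessDenied")


def count_unauthorized(records):
    """What the metric counts per period: matching records, and nothing else."""
    return sum(1 for r in records if is_unauthorized(r))


def build_slack_payload(event, channel="#aws-alerts"):
    """Format an 'AWS API Call via CloudTrail' event for a Slack incoming webhook."""
    d = event["detail"]
    who = d.get("userIdentity", {})
    text = "\n".join([
        "*AWS unauthorized activity*",
        f"who: `{who.get('arn', who.get('type', 'unknown'))}`",
        f"call: `{d.get('eventSource')}:{d.get('eventName')}`",
        f"error: `{d.get('errorCode')}` {d.get('errorMessage', '')}",
        f"from: {d.get('sourceIPAddress')} ({d.get('userAgent', '')})",
        f"when: {d.get('eventTime')} in {d.get('awsRegion')}",
    ])
    return {"channel": channel, "username": "cloudtrail", "text": text}


def decrypt_hook_url(encrypted_b64, kms_client):
    """Decrypt base64(KMS ciphertext) of the webhook URL. kms_client needs boto3's
    KMS.decrypt(CiphertextBlob=...) -> {"Plaintext": bytes} shape."""
    blob = base64.b64decode(encrypted_b64)
    return kms_client.decrypt(CiphertextBlob=blob)["Plaintext"].decode()


def post_to_slack(url, payload):
    req = urllib.request.Request(url, data=json.dumps(payload).encode(),
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.status


def handler(event, context=None, kms_client=None, poster=post_to_slack, encrypted_url=None):
    """Lambda entry point; kms_client/poster/encrypted_url are injectable for tests."""
    if not is_unauthorized(event.get("detail", {})):
        return {"posted": False}
    if kms_client is None:
        import boto3  # real deployment only; the execution role needs kms:Decrypt
        kms_client = boto3.client("kms")
    url = decrypt_hook_url(encrypted_url or os.environ["ENCRYPTED_HOOK_URL"], kms_client)
    poster(url, build_slack_payload(event, os.environ.get("SLACK_CHANNEL", "#aws-alerts")))
    return {"posted": True}


class OfflineKms:
    """Stand-in for the KMS client so the example runs without AWS: the
    'ciphertext' is simply the reversed URL. Constructed for this example only."""
    def decrypt(self, CiphertextBlob):
        return {"Plaintext": CiphertextBlob[::-1]}


# Constructed sample event in the shape CloudWatch Events delivers to Lambda.
SAMPLE_EVENT = {
    "detail-type": "AWS API Call via CloudTrail", "source": "aws.iam",
    "detail": {
        "eventTime": "2017-06-08T14:03:11Z", "awsRegion": "us-east-1",
        "eventSource": "iam.amazonaws.com", "eventName": "CreateUser",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/dev-box"},
        "sourceIPAddress": "203.0.113.9", "userAgent": "aws-cli/1.11.0",
        "errorCode": "AccessDenied",
        "errorMessage": "User is not authorized to perform: iam:CreateUser",
    },
}
SAMPLE_ENCRYPTED_URL = base64.b64encode(
    b"https://hooks.slack.com/services/T000/B000/XXXX"[::-1]).decode()

if __name__ == "__main__":
    sent = []
    handler(SAMPLE_EVENT, kms_client=OfflineKms(), encrypted_url=SAMPLE_ENCRYPTED_URL,
            poster=lambda url, payload: sent.append((url, payload)))
    print(json.dumps(sent, indent=2))
```

The alarm fires on the count and tells you nothing else; the rule plus Lambda is what carries the caller ARN, source IP and user agent into the channel, which is the difference the slides above are pointing at. In deployment the function also needs a route to the internet (or a NAT) to reach Slack.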
Monitoring
▸Previous versions of this talk show how to configure Alerts for:
▹Root account usage
▹Billing Alerts (Exceed normal spend)
▹Failed Login Attempts
https://www.youtube.com/watch?v=g-wy9NdATtA&feature=youtu.be
Hardening

Hardening
▸The AWS Security Fundamentals Course provides the framework for your plan (the shared responsibility model):
▹AWS provides the tools; you are responsible for leveraging them (and for paying for them)
▹Your configuration… that is on you
https://aws.amazon.com/training/course-descriptions/security-fundamentals/

Hardening
1. Don’t Use The Root Account!
2. Audit IAM user policies
3. Multi-Factor Authentication
4. API + MFA
5. IAM Roles
6. Misc
AWS ROOT ACCOUNT

Hardening – AWS Root Account
▸Every AWS environment has a root account
▹Root account is the king/god/all-powerful
▹Use only when you absolutely must
▹When those circumstances arise, notify your team first

Hardening – AWS Root Account
Simple steps:
▹Disable or delete access keys if they exist
▹Implement a verbal/written policy that states “we don’t create access keys for the root account”
▹Enable MFA on it (the MFA section covers sharing the root TOTP seed with the team)
▹Use the CloudWatch Alarm mentioned earlier (root account usage) to alert on its use
Auditing IAM Permissions

Hardening – Auditing IAM Permissions
▸A single IAM user can have…
▹Multiple Managed Policies
▹Multiple Inline Policies
▹Belong to multiple IAM Groups which…
▹Have multiple managed policies
▹Have multiple inline policies

Hardening – Auditing IAM Permissions
▸Explanation
▹Managed Policies: Policies that can be attached to multiple users, groups, or roles
▹Inline Policies: Directly attached to a single user, group, or role

Hardening – Auditing IAM Permissions
▸Tool to inspect each user’s permissions:
▹https://gist.github.com/cktricky/257990df2f36aa3a01a8809777d49f5d
▹Will create a CSV file
▹Provides you with
▹Usernames
▹Inline Policies
▹Managed Policies
▹Groups
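One way to build that CSV, as an added example rather than the gist above: walk every user, collect inline and managed policies on the user and on each group it belongs to, and flag anyone who ends up with AdministratorAccess by any path. The functions only use the boto3 IAM calls named in FakeIam, so passing boto3.client("iam") in place of the stand-in works against a real account; the users, groups and policy ARNs in FakeIam are made up, and it ignores pagination (real responses carry IsTruncated/Marker, so use boto3's paginators there).

```python
"""Inventory each IAM user's effective policy attachments as CSV (added example)."""
import csv
import io


def user_permissions(iam, user_name):
    """Inline + managed policies on the user, plus those inherited from groups."""
    rec = {
        "user": user_name,
        "inline": sorted(iam.list_user_policies(UserName=user_name)["PolicyNames"]),
        "managed": sorted(p["PolicyArn"] for p in
                          iam.list_attached_user_policies(UserName=user_name)["AttachedPolicies"]),
        "groups": [],
    }
    for g in iam.list_groups_for_user(UserName=user_name)["Groups"]:
        name = g["GroupName"]
        rec["groups"].append(name)
        # Prefix group-inherited inline policies with the group so the CSV shows the path.
        rec["inline"] += [f"{name}:{p}" for p in
                          iam.list_group_policies(GroupName=name)["PolicyNames"]]
        rec["managed"] += [p["PolicyArn"] for p in
                           iam.list_attached_group_policies(GroupName=name)["AttachedPolicies"]]
    # Full admin by any route is the first thing to look at in the output.
    rec["admin"] = any(arn.endswith(":policy/AdministratorAccess") for arn in rec["managed"])
    return rec


def inventory(iam):
    return [user_permissions(iam, u["UserName"]) for u in iam.list_users()["Users"]]


def to_csv(records):
    buf = io.StringIO()
    w = csv.writer(buf)
    w.writerow(["user", "admin", "groups", "inline_policies", "managed_policies"])
    for r in records:
        w.writerow([r["user"], r["admin"], ";".join(r["groups"]),
                    ";".join(r["inline"]), ";".join(r["managed"])])
    return buf.getvalue()


class FakeIam:
    """Constructed stand-in returning boto3-shaped responses (no pagination)."""
    USERS = ["alice", "ci-deploy"]
    USER_INLINE = {"alice": [], "ci-deploy": ["s3-artifacts-rw"]}
    USER_MANAGED = {"alice": ["arn:aws:iam::aws:policy/ReadOnlyAccess"], "ci-deploy": []}
    USER_GROUPS = {"alice": ["admins"], "ci-deploy": []}
    GROUP_INLINE = {"admins": []}
    GROUP_MANAGED = {"admins": ["arn:aws:iam::aws:policy/AdministratorAccess"]}

    @staticmethod
    def _attached(arns):
        return {"AttachedPolicies": [{"PolicyArn": a, "PolicyName": a.rsplit("/", 1)[1]} for a in arns]}

    def list_users(self):
        return {"Users": [{"UserName": u} for u in self.USERS]}

    def list_user_policies(self, UserName):
        return {"PolicyNames": self.USER_INLINE[UserName]}

    def list_attached_user_policies(self, UserName):
        return self._attached(self.USER_MANAGED[UserName])

    def list_groups_for_user(self, UserName):
        return {"Groups": [{"GroupName": g} for g in self.USER_GROUPS[UserName]]}

    def list_group_policies(self, GroupName):
        return {"PolicyNames": self.GROUP_INLINE[GroupName]}

    def list_attached_group_policies(self, GroupName):
        return self._attached(self.GROUP_MANAGED[GroupName])


if __name__ == "__main__":
    print(to_csv(inventory(FakeIam())))
```

Note that "alice" looks harmless at the user level (ReadOnlyAccess) and only shows up as an administrator once group membership is folded in, which is exactly why the slide lists groups alongside the user's own policies.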
Hardening – Auditing IAM Permissions
▸Tool Output (screenshot)

Hardening – Auditing IAM Permissions
▸Closer look (screenshot)

Hardening – Auditing IAM Permissions
▸https://aws.amazon.com/blogs/security/move-over-json-policy-summaries-make-understanding-iam-policies-easier/

Hardening – Auditing IAM Permissions
▸Why this is important
▹If you house sensitive data, you need to know who has access
▹Permissions should be a need-to-have/know situation in order to limit damage should creds get stolen
▹AWS is a flexible environment that changes – your permission model might need to change with it (inventory it)
Multi-Factor Authentication (MFA)

Hardening – MFA
▸MFA == 2-Factor Authentication
▸If credentials are stolen or guessed, we want a second layer of protection
▸You can use apps or hardware to do this
▹Google Authenticator (Apps)
▹Gemalto (Hardware)
▸Find the full list of MFA devices here:
https://aws.amazon.com/iam/details/mfa/

Hardening – MFA
Let’s demonstrate enabling MFA using a virtual device (app) on an IAM account

Hardening – MFA
▸Navigate to Identity & Access Management

Hardening – MFA (screenshot slides 95, 96 and 97)

Hardening – MFA
▸At this point, it’s worth mentioning that non-administrators or those without IAM privileges cannot enable MFA on their own account
▸Why is this a problem? Well, they need to be able to enable MFA on their own device… not the administrator’s
▸Fortunately, we have a solution!

Hardening – MFA (screenshot of the policy)

Hardening – MFA
▸Okay so that wasn’t the easiest to read, so here is the link:
http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_delegate-permissions_examples.html#creds-policies-mfa-console
▸Basically this IAM policy allows a user to manage their *OWN* MFA device

Hardening – MFA
▸Need a shared MFA for root? TOTP!
▸Recommend using something like 1Password for Teams, which can share the TOTP code:
https://support.1password.com/guides/mac/totp.html
https://www.youtube.com/watch?v=eZyb-ArMK9g
API & MFA

Hardening – API & MFA
▸This is the alternative to interacting with the AWS environment via the web console
▸Typically used for automated tasks
▸Automated tasks means “code”.

Hardening – API & MFA
▸At a minimum apply to those with IAM permissions

Hardening – API & MFA
▸This entry requires MFA for Web/API (a Condition on aws:MultiFactorAuthPresent in the IAM policy; it applies to API calls as much as to the console)

Hardening – API & MFA
▸Truth be told, doing this can be painful at first
▸Things that used to work, might not (via the API)
▸Fortunately, we have some answers for you
▸Firstly, let’s discuss STS, the Security Token Service

Hardening – API & MFA
▸Leverage STS in order to interact with the AWS API should this MFA restriction be placed on resources (and it should)
▸Example of using STS:
https://gist.github.com/cktricky/127be4e431563a986f0f

Hardening – API & MFA
▸Example of retrieving creds (in the gist)

Hardening – API & MFA
▸Output of script (screenshot)

Hardening – API & MFA
▸Use the creds to leverage tools like ec2-api-tools
▸(-O <access key id>, -W <secret> and -T <session token>; with the AWS CLI the same three values go in AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY and AWS_SESSION_TOKEN)

Hardening – API & MFA
▸https://github.com/jimbrowne/aws-sts-helpers

Hardening – API & MFA
▸ElasticBeanstalk does not work with STS. Le Terrible.
▸However, there is a workaround, use CodePipeline.
▸Very simple process to set up but only works with:
▹GitHub
▹AWS CodeCommit
▹Amazon S3

Hardening – API & MFA
Remember MFA only protects against the web and NOT the API… unless you change your policies and use STS
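To see why the console MFA prompt alone does nothing for access keys, and how the self-service MFA policy and the STS step fit together, here is an added example (this editor's code, not the AWS documentation's policy verbatim and not the gist above). evaluate() is a deliberately small model of IAM policy evaluation, explicit Deny wins, otherwise any matching Allow, otherwise implicit deny, that understands Action/NotAction, Resource with ${aws:username}, and the Bool/BoolIfExists condition operators. The policy, the user "alice", the MFA serial and FakeSts (which mimics the get_session_token response shape) are all constructed.

```python
"""MFA-gated API access: a policy in the style of the AWS self-manage-MFA example,
a small evaluator for it, and the STS exchange that satisfies it (added example)."""
import fnmatch

MFA_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        # Users may set up and resync their OWN device without MFA (bootstrapping).
        {"Sid": "ManageOwnMFA", "Effect": "Allow",
         "Action": ["iam:CreateVirtualMFADevice", "iam:EnableMFADevice", "iam:ListMFADevices",
                    "iam:ResyncMFADevice", "iam:DeactivateMFADevice", "iam:DeleteVirtualMFADevice"],
         "Resource": ["arn:aws:iam::*:mfa/${aws:username}", "arn:aws:iam::*:user/${aws:username}"]},
        {"Sid": "ListForMFASetup", "Effect": "Allow",
         "Action": ["iam:ListUsers", "iam:ListVirtualMFADevices"], "Resource": "*"},
        {"Sid": "EC2Admin", "Effect": "Allow", "Action": "ec2:*", "Resource": "*"},
        # BoolIfExists matters: requests signed with long-term access keys carry no
        # aws:MultiFactorAuthPresent key at all, so a plain Bool test would not fire.
        {"Sid": "DenyAllWithoutMFA", "Effect": "Deny",
         "NotAction": ["iam:CreateVirtualMFADevice", "iam:EnableMFADevice", "iam:ListMFADevices",
                       "iam:ListUsers", "iam:ListVirtualMFADevices", "iam:ResyncMFADevice"],
         "Resource": "*",
         "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}},
    ],
}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _condition_holds(cond, ctx):
    for op, tests in cond.items():
        for key, want in tests.items():
            if key not in ctx:
                if op == "BoolIfExists":
                    continue        # missing key satisfies an ...IfExists test
                return False        # plain Bool: a missing key fails the test
            if str(ctx[key]).lower() != str(want).lower():
                return False
    return True


def _statement_matches(st, action, resource, ctx):
    if "Action" in st:
        act_ok = any(fnmatch.fnmatchcase(action, a) for a in _as_list(st["Action"]))
    else:
        act_ok = not any(fnmatch.fnmatchcase(action, a) for a in _as_list(st["NotAction"]))
    res_ok = any(fnmatch.fnmatchcase(resource, r.replace("${aws:username}", ctx.get("aws:username", "")))
                 for r in _as_list(st["Resource"]))
    return act_ok and res_ok and _condition_holds(st.get("Condition", {}), ctx)


def evaluate(policy, action, resource, ctx):
    """'Allow' or 'Deny' for one request under one identity policy."""
    decision = "Deny"  # implicit deny until an Allow matches
    for st in policy["Statement"]:
        if _statement_matches(st, action, resource, ctx):
            if st["Effect"] == "Deny":
                return "Deny"  # explicit deny always wins
            decision = "Allow"
    return decision


def mfa_session_env(sts, mfa_serial, token_code, duration=3600):
    """Trade long-term keys plus a TOTP code for temporary credentials whose
    requests carry aws:MultiFactorAuthPresent=true. Returned as the CLI/SDK env
    vars (ec2-api-tools took the same three values as -O, -W and -T)."""
    c = sts.get_session_token(SerialNumber=mfa_serial, TokenCode=token_code,
                              DurationSeconds=duration)["Credentials"]
    return {"AWS_ACCESS_KEY_ID": c["AccessKeyId"], "AWS_SECRET_ACCESS_KEY": c["SecretAccessKey"],
            "AWS_SESSION_TOKEN": c["SessionToken"], "AWS_CREDENTIAL_EXPIRATION": c["Expiration"]}


class FakeSts:
    """Constructed stand-in with boto3's STS.get_session_token response shape."""
    def get_session_token(self, SerialNumber, TokenCode, DurationSeconds):
        assert len(TokenCode) == 6 and TokenCode.isdigit(), "TOTP code is six digits"
        return {"Credentials": {"AccessKeyId": "ASIAEXAMPLE000000000", "SecretAccessKey": "x" * 40,
                                "SessionToken": "constructed-session-token",
                                "Expiration": "2017-06-08T15:03:11Z"}}


# Request contexts: long-term keys have no MFA key at all; an STS session does.
LONG_TERM = {"aws:username": "alice"}
MFA_SESSION = {"aws:username": "alice", "aws:MultiFactorAuthPresent": "true"}

if __name__ == "__main__":
    for ctx in (LONG_TERM, MFA_SESSION):
        print(ctx, "ec2:RunInstances ->", evaluate(MFA_POLICY, "ec2:RunInstances", "*", ctx))
    print(mfa_session_env(FakeSts(), "arn:aws:iam::123456789012:mfa/alice", "123456"))
```

The same long-term key that is denied ec2:RunInstances becomes usable once it is exchanged through get_session_token with the device's code, which is the "change your policies and use STS" pairing the slide describes. Note that deactivating or deleting the device is not in the NotAction list, so taking MFA off an account itself requires MFA.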
IAM Roles

Hardening – IAM Roles
▸Roles
▸A role is *like* a user but is not an IAM user
▸Replaces the need for hardcoded Access Key ID & Secret
▸The extent of what a role can do is heavily controlled by you, the administrator

Hardening – IAM Roles
▸Credentials automatically rotate via STS
▸Available here on an EC2 instance:
http://169.254.169.254/latest/meta-data/iam/security-credentials/
▸(This is the same endpoint an attacker reads on a compromised instance, so keep each role’s policy to what that instance actually needs)
▸If you’re using the AWS SDK gem/egg/etc – credential handling is built in
▸If you’re using something like Paperclip + Rails, try Fog to leverage Roles
▸https://github.com/thoughtbot/paperclip/issues/1591

Hardening – IAM Roles
▸Example of a Role policy (shown within IAM) (screenshot)

Hardening – IAM Roles
▸Example attaching Role to ElasticBeanstalk instance (screenshot)
Misc

Hardening – Misc
▸Review AWS environment for Unencrypted and Encrypted EBS Volumes
https://gist.github.com/cktricky/0fa3b13ca4306bcd1ec384e88eac3f55

Hardening – Misc
▸Review S3 buckets to determine security policy
https://gist.github.com/cktricky/faf0f40116e535a055b7412458136917
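The two reviews above, and the "any authenticated user" bucket from the Misconfigured Services section, share one shape: pull the describe/get response and flag what should not be there. The block below is an added example (not cktricky's gists): unencrypted_volumes() takes the dict ec2.describe_volumes() returns and public_acl_grants() the dict s3.get_bucket_acl() returns, so the same functions work on real responses; the volumes, buckets, grants and owner ID here are constructed.

```python
"""Flag unencrypted EBS volumes and S3 ACL grants to AllUsers/AuthenticatedUsers
(added example; works on boto3-shaped responses, sample data is constructed)."""
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"


def unencrypted_volumes(describe_volumes_response):
    """Volume ids without encryption, with where they are attached. Detached
    unencrypted volumes still count: snapshots and re-attachment expose them."""
    out = []
    for v in describe_volumes_response["Volumes"]:
        if not v.get("Encrypted", False):
            instances = [a["InstanceId"] for a in v.get("Attachments", [])]
            out.append({"volume": v["VolumeId"], "size_gb": v["Size"], "attached_to": instances})
    return out


def public_acl_grants(bucket, get_bucket_acl_response):
    """Grants that hand the bucket to the world or to ANY AWS account.
    'Authenticated Users' is not your users; it is anyone with an AWS account."""
    findings = []
    for g in get_bucket_acl_response.get("Grants", []):
        grantee = g.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in (ALL_USERS, AUTHENTICATED_USERS):
            scope = "public" if grantee["URI"] == ALL_USERS else "any-aws-account"
            findings.append({"bucket": bucket, "scope": scope, "permission": g["Permission"]})
    return findings


def review(describe_volumes_response, bucket_acls):
    """bucket_acls: mapping of bucket name -> get_bucket_acl response."""
    return {
        "unencrypted_volumes": unencrypted_volumes(describe_volumes_response),
        "exposed_buckets": [f for name, acl in sorted(bucket_acls.items())
                            for f in public_acl_grants(name, acl)],
    }


# Constructed sample responses in the shape boto3 returns.
SAMPLE_VOLUMES = {"Volumes": [
    {"VolumeId": "vol-0a1", "Size": 100, "Encrypted": True, "Attachments": [{"InstanceId": "i-web1"}]},
    {"VolumeId": "vol-0b2", "Size": 500, "Encrypted": False, "Attachments": [{"InstanceId": "i-db1"}]},
    {"VolumeId": "vol-0c3", "Size": 20, "Encrypted": False, "Attachments": []},
]}
OWNER = {"Type": "CanonicalUser", "ID": "constructed-owner-id"}
SAMPLE_ACLS = {
    "corp-backups": {"Grants": [{"Grantee": OWNER, "Permission": "FULL_CONTROL"},
                                 {"Grantee": {"Type": "Group", "URI": AUTHENTICATED_USERS}, "Permission": "READ"}]},
    "www-assets": {"Grants": [{"Grantee": OWNER, "Permission": "FULL_CONTROL"},
                               {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]},
    "private-data": {"Grants": [{"Grantee": OWNER, "Permission": "FULL_CONTROL"}]},
}

if __name__ == "__main__":
    import json
    print(json.dumps(review(SAMPLE_VOLUMES, SAMPLE_ACLS), indent=2))
```

ACLs are only one of the ways a bucket ends up open: a bucket policy can grant the same thing with "Principal": "*", so a full review also reads get_bucket_policy for each bucket (and, today, checks that account-level Block Public Access is on).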
Splunk + AWS

Splunk + AWS
▸Splunk is a pretty great resource for monitoring activity
▸I’m fairly new to Splunk myself
▸Two separate plugins:
▹Splunk App for AWS
https://splunkbase.splunk.com/app/1274/
▹Splunk Add-on for AWS
https://splunkbase.splunk.com/app/1876/

Splunk + AWS
▸Examples of things you can view:
▹Billing
▹Topology
▹Usage
▹IAM Activity
▹SSH Key Pair Activity
▹User Activity
▹Network ACL(s)
▹VPC Activity
and a lot more…

Splunk + AWS (screenshot slides 125, 126 and 127)

Splunk + AWS
▸Splunk will need an AWS account (an IAM identity of its own) in order to retrieve data
▸Create account(s) for Splunk and grab the necessary permission policy from here; give it that policy and nothing broader:
http://docs.splunk.com/Documentation/AddOns/released/AWS/ConfigureAWSpermissions
Summary

Summary
▸Hopefully, I’ve given you some ideas
▸We talked about Monitoring & Hardening
▸But we did NOT discuss recovery (prepare for the worst)
▸http://www.irongeek.com/i.php?page=videos/derbycon6/120-hardening-aws-environments-and-automating-incident-response-for-aws-compromises-andrew-krug-alex-mccormack