aws re:invent 2016: proactive security testing in aws: from early implementation to deployment...
TRANSCRIPT
![Page 1: AWS re:Invent 2016: Proactive Security Testing in AWS: From Early Implementation to Deployment Penetration Testing (SEC309)](https://reader031.vdocument.in/reader031/viewer/2022022621/586f880b1a28ab54768b5abf/html5/thumbnails/1.jpg)
© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Alex Lucas, AWS Security
November 29, 2016
SEC309
Proactive Security Testing in AWSFrom Early Implementation to Deployment Penetration Testing
![Page 2: AWS re:Invent 2016: Proactive Security Testing in AWS: From Early Implementation to Deployment Penetration Testing (SEC309)](https://reader031.vdocument.in/reader031/viewer/2022022621/586f880b1a28ab54768b5abf/html5/thumbnails/2.jpg)
What to expect from this session
• How to think about your AWS assets
• Threat modeling and attack surface
• Security baseline
• Testing for security
• Automation
• Continuous Security
• Close
![Page 3: AWS re:Invent 2016: Proactive Security Testing in AWS: From Early Implementation to Deployment Penetration Testing (SEC309)](https://reader031.vdocument.in/reader031/viewer/2022022621/586f880b1a28ab54768b5abf/html5/thumbnails/3.jpg)
Threat modeling
• Why?
• External dependencies and assumptions
• System edges and entry points
• Assets and information flows
• Classes of user and action / trust
• Risks and mitigations
![Page 4: AWS re:Invent 2016: Proactive Security Testing in AWS: From Early Implementation to Deployment Penetration Testing (SEC309)](https://reader031.vdocument.in/reader031/viewer/2022022621/586f880b1a28ab54768b5abf/html5/thumbnails/4.jpg)
Threat modeling assets
• What is an asset?
• Amazon EC2 instance
• Amazon S3 bucket
• Amazon RDS
• Access management
• Networking
• Deployment and development
![Page 5: AWS re:Invent 2016: Proactive Security Testing in AWS: From Early Implementation to Deployment Penetration Testing (SEC309)](https://reader031.vdocument.in/reader031/viewer/2022022621/586f880b1a28ab54768b5abf/html5/thumbnails/5.jpg)
Threat modeling actors
• Users
• Services
• Access to shared assets
![Page 6: AWS re:Invent 2016: Proactive Security Testing in AWS: From Early Implementation to Deployment Penetration Testing (SEC309)](https://reader031.vdocument.in/reader031/viewer/2022022621/586f880b1a28ab54768b5abf/html5/thumbnails/6.jpg)
Threat model architecture
Unknown user
Authenticated
user
Web
server
Cache
RDBMS
Web admin DB admin
DB users?CMS
1.1 Login
1. 2 Post2.1 Admin
![Page 7: AWS re:Invent 2016: Proactive Security Testing in AWS: From Early Implementation to Deployment Penetration Testing (SEC309)](https://reader031.vdocument.in/reader031/viewer/2022022621/586f880b1a28ab54768b5abf/html5/thumbnails/7.jpg)
STRIDE
Spoofing
Tampering
Repudiation
Information disclosure
Denial of service
Elevation of privilege
![Page 8: AWS re:Invent 2016: Proactive Security Testing in AWS: From Early Implementation to Deployment Penetration Testing (SEC309)](https://reader031.vdocument.in/reader031/viewer/2022022621/586f880b1a28ab54768b5abf/html5/thumbnails/8.jpg)
Table of flows, STRIDE etc
Data flow ID Description
1.1 An unauthenticated user can logon onto the CMS
system with valid credentials at this point a
session identifying the user controls their identity.
STRIDE • Spoofing – A user could assume an incorrect
identity if not checked properly
• Repudiation – Attempts to login and failed
login attempts may not be traced
• Denial of service (DoS) - If the login flow is
too expensive (computationally complex) the
login call could potentially be used to deny
service to other users
• Elevation of Privilege (EoP) – Incorrectly
logging in a user would result in this
![Page 9: AWS re:Invent 2016: Proactive Security Testing in AWS: From Early Implementation to Deployment Penetration Testing (SEC309)](https://reader031.vdocument.in/reader031/viewer/2022022621/586f880b1a28ab54768b5abf/html5/thumbnails/9.jpg)
Feature Id Mitigation Description
SESSION-104 To address spoofing concerns an external audit of
the code by [X] will take place. All changes to the
code post-event will undergo code review.
AUDIT-7 For repudiation all login attempts will be logged
into the application log and stored to Amazon
CloudWatch Logs.
AUDIT-7-1 In support of LOGIN-102 the team will investigate
the feasibility of using CloudWatch alarms with
thresholds for failed logins.
LOGIN-11 For DoS prevention we will do extensive profiling
of the login flow and ensure that failed and
successful logins represent log computational
burden. A single web server instance should be
able to support O(x) login calls simultaneously.
LOGIN-12 To prevent EoP we will follow the same principals
![Page 10: AWS re:Invent 2016: Proactive Security Testing in AWS: From Early Implementation to Deployment Penetration Testing (SEC309)](https://reader031.vdocument.in/reader031/viewer/2022022621/586f880b1a28ab54768b5abf/html5/thumbnails/10.jpg)
Management layer
Private subnetPublic subnet
ws
Internet
gateway
Router
Route
table
Route
table
Endpoint
S3 bucket
Instance role
IAM
ElastiCache
Route 53CloudFormation
KMSAmazon
Inspector
CloudTrail Config
![Page 11: AWS re:Invent 2016: Proactive Security Testing in AWS: From Early Implementation to Deployment Penetration Testing (SEC309)](https://reader031.vdocument.in/reader031/viewer/2022022621/586f880b1a28ab54768b5abf/html5/thumbnails/11.jpg)
Security baseline
• Core:
• Instances are patched and remain so
• Instances are safe to use post-startup as long as security
groups only expose the expected services to the Internet
• Account AWS infrastructure management is correctly
controlled
• Application:
• The application has been security tested
![Page 12: AWS re:Invent 2016: Proactive Security Testing in AWS: From Early Implementation to Deployment Penetration Testing (SEC309)](https://reader031.vdocument.in/reader031/viewer/2022022621/586f880b1a28ab54768b5abf/html5/thumbnails/12.jpg)
Demo – patch level
• Any outstanding security patches?
• Using EC2 Simple Systems Manager (SSM) run
command.
![Page 13: AWS re:Invent 2016: Proactive Security Testing in AWS: From Early Implementation to Deployment Penetration Testing (SEC309)](https://reader031.vdocument.in/reader031/viewer/2022022621/586f880b1a28ab54768b5abf/html5/thumbnails/13.jpg)
![Page 14: AWS re:Invent 2016: Proactive Security Testing in AWS: From Early Implementation to Deployment Penetration Testing (SEC309)](https://reader031.vdocument.in/reader031/viewer/2022022621/586f880b1a28ab54768b5abf/html5/thumbnails/14.jpg)
Build security testing in
• Static analysis on code push to central repository
• Adding a trigger to look for security issues
• Check staging and pre-deployment
• Check your application access controls
![Page 15: AWS re:Invent 2016: Proactive Security Testing in AWS: From Early Implementation to Deployment Penetration Testing (SEC309)](https://reader031.vdocument.in/reader031/viewer/2022022621/586f880b1a28ab54768b5abf/html5/thumbnails/15.jpg)
Demo – source code
• AWS CodeCommit trigger to look for AWS stored secrets
![Page 16: AWS re:Invent 2016: Proactive Security Testing in AWS: From Early Implementation to Deployment Penetration Testing (SEC309)](https://reader031.vdocument.in/reader031/viewer/2022022621/586f880b1a28ab54768b5abf/html5/thumbnails/16.jpg)
![Page 17: AWS re:Invent 2016: Proactive Security Testing in AWS: From Early Implementation to Deployment Penetration Testing (SEC309)](https://reader031.vdocument.in/reader031/viewer/2022022621/586f880b1a28ab54768b5abf/html5/thumbnails/17.jpg)
Demo – deployment assessment
• Using Amazon Inspector to assess a pre-production
environment and move it to production.
![Page 18: AWS re:Invent 2016: Proactive Security Testing in AWS: From Early Implementation to Deployment Penetration Testing (SEC309)](https://reader031.vdocument.in/reader031/viewer/2022022621/586f880b1a28ab54768b5abf/html5/thumbnails/18.jpg)
![Page 19: AWS re:Invent 2016: Proactive Security Testing in AWS: From Early Implementation to Deployment Penetration Testing (SEC309)](https://reader031.vdocument.in/reader031/viewer/2022022621/586f880b1a28ab54768b5abf/html5/thumbnails/19.jpg)
Security testing
• Penetration test request process:
https://aws.amazon.com/security/penetration-testing/
• Focus on baseline
• Know your tools
• Be selective
![Page 20: AWS re:Invent 2016: Proactive Security Testing in AWS: From Early Implementation to Deployment Penetration Testing (SEC309)](https://reader031.vdocument.in/reader031/viewer/2022022621/586f880b1a28ab54768b5abf/html5/thumbnails/20.jpg)
Demo – network profile
• Enumerate Internet endpoints
• Confirm availability
![Page 21: AWS re:Invent 2016: Proactive Security Testing in AWS: From Early Implementation to Deployment Penetration Testing (SEC309)](https://reader031.vdocument.in/reader031/viewer/2022022621/586f880b1a28ab54768b5abf/html5/thumbnails/21.jpg)
![Page 22: AWS re:Invent 2016: Proactive Security Testing in AWS: From Early Implementation to Deployment Penetration Testing (SEC309)](https://reader031.vdocument.in/reader031/viewer/2022022621/586f880b1a28ab54768b5abf/html5/thumbnails/22.jpg)
Continuous security
• Integrated testing
• Point in time questions
• Monitor for changes
![Page 23: AWS re:Invent 2016: Proactive Security Testing in AWS: From Early Implementation to Deployment Penetration Testing (SEC309)](https://reader031.vdocument.in/reader031/viewer/2022022621/586f880b1a28ab54768b5abf/html5/thumbnails/23.jpg)
Thank you!
![Page 24: AWS re:Invent 2016: Proactive Security Testing in AWS: From Early Implementation to Deployment Penetration Testing (SEC309)](https://reader031.vdocument.in/reader031/viewer/2022022621/586f880b1a28ab54768b5abf/html5/thumbnails/24.jpg)
Remember to complete
your evaluations!
![Page 25: AWS re:Invent 2016: Proactive Security Testing in AWS: From Early Implementation to Deployment Penetration Testing (SEC309)](https://reader031.vdocument.in/reader031/viewer/2022022621/586f880b1a28ab54768b5abf/html5/thumbnails/25.jpg)
Related sessions
• SEC301 - Audit Your AWS Account Against Industry Best
Practices: The CIS AWS Benchmarks
• SEC313 - Automating Security Event Response, from
Idea to Code to Execution
• SAC401 - 5 Security Automation Improvements You Can
Make by Using Amazon CloudWatch Events and AWS
Config Rules