© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

Aaron Newman, CloudCheckr

Tuesday, November 29, 2016

Hackproof Your CloudResponding to 2016 Threats

What to Expect from the Session

• Re-evaluate:• Your perspective as you move to the cloud/scale up• Intrusion Detection, Activity Monitoring and Vulnerability

Assessment in AWS

• Gain a better understanding of: • How to better leverage native AWS services• Perimeter assessments of your VPCs• Internal vs. External Threats• Monitoring Threats

Changing Your PerspectiveMoving to the Cloud = rethinking your perimeter security

How do I secure my business applications on AWS?

Rethink how you perform most security tasks:• Network-based IPS/IDS• Network scanning• Penetration tests• Vulnerability assessments

Focus on securing cloud workloads• Not on securing the cloud

In the Data CenterSetting Up Perimeter Security:

• Setting up your infrastructure• Setting up access points to the internet• Configuring firewall, IDS, IPS, etc. at the access points

Auditing Your Perimeter Security:• Gather set of IP Address blocks to poke at• Do a port scan (using tools such as Nmap) • Determine which ports are open on the target • Try various exploits on the open ports. • Sniff lots of packets

AWS: What’s Different?

The idea of physical security morphs as infrastructure becomes virtualized by AWS APIs.

In a new world of ephemeral, auto-scaling infrastructure, you need to adapt your security architecture to meet

both compliance and security threats.

~ Physical assets secured at the AWS availability zone ~~ Must guard the AWS API ~

~ IAM Access is your new physical security ~

AWS Foundation Services

Compute Storage Database Networking

AWS Global InfrastructureAvailability Zones

Regions

Edge Locations

NetworkSecurity

Inventory & Config

Customer Applications & ContentYou get to define your controls IN the Cloud

AWS takes care of the security OF the Cloud

You

AWS and You Share Responsibility for Security

DataSecurity

Access Control

AWS

Minimizing Attack Vectors

Principles don’t change• Reduce your surface area!• Defense-in-depth

Some attack vectors don’t change• Application level

• user-privilege escalation, web app vulns, XSS• Operating system vulnerabilities• Database vulnerabilities

Some attack vectors change• Polymorphic targets/mapping• Reduced network sniffing

Security Hardening

Configure and

manage user

privilegesRemove unused

user accounts

Close unused

open network

portsEnforce

password complexity & policies

Remove unwanted services

Patch all known

vulnerabil-ities

Give me your network block• Nmap• Port scans• Ping sweeps• Etc…

Perimeter Assessments In the CloudHow do I assess the perimeter of my cloud?

Let me see your configuration• List of publicly-accessible

resources• Security groups• Routing tables, Network ACL• VPC, subnets • Amazon S3 buckets and

permissions• IAM policies

OLDWORLD NEW

WORLD

Virtual Private Clouds (VPCs)

Default VPC is created in every region

VPC is composed of:• Internet and VPN gateways – connect to the rest of the world• 1+ subnet(s)• Routing table – how to move traffic around the VPC• Network ACLs – a firewall but stateless• Security groups – host-based firewall stateful• Resources

• Amazon EC2, Amazon RDS, Amazon Redshift, Amazon ElastiCache

Network Security in a VPC

Network ACLs (NACLs)• Network ACLs are stateless; responses to allowed inbound

traffic are subject to the rules for outbound traffic (and vice versa).• Rules evaluated numerical ascending

• DENY can be overridden by ALLOW, Watch for INEFFECTIVE rules

Security Groups• Stateful – responses to allowed inbound traffic are not subjected

to the rules for outbound traffic• Rules are cumulative – traffic is denied unless explicitly ALLOWed• Assigning wrong security group to an instance exposes the entire VPC

http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_ACLs.htmlhttp://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-network-security.html

Complex Connections to Amazon EC2

•Legacy capability to run outside VPCs

•Instance ID: i-001bac39 •Friendly name (implemented as a tag): ISS-V2-API1

Run inside VPCs

• For example: 172.12.6.186• This generates a DNS name ip-

172-12-6-186.us-west-2.compute.internal

• For example: 52.24.201.167• This generates a DNS name

ec2-52-24-201-167.us-west-2.compute.amazonaws.com

Given 1 or more public IP addresses

• For example: 107.20.135.132

Attached to an Elastic IP address (EIP)

Amazon EC2 Instances can be:Given 1 or more private IP

addresses

Running VA in Cloud EnvironmentsHow do I run Vulnerability Assessments (VA)?

Stage 1:

Gather the list of public IPs and EIPs of all resources

Do I need to scan the private IP addresses and instances?

Stage 2:

Scanning an AMI

Spin up a new instance, run a scan on the new instance

Mark everything based on this AMI as “scanned”

Stage 3:

What about when an instance “drifts” from original AMI?

Someone can reconfigure settings, install new software

In an elastic, ephemeral, auto scaling environment clouds can have tens of thousands of instances

Patching Strategies for Operating Systems

“No Patch” Strategy• Stay away from patching live systems• Focus on patching templates/AMIs• Deliver patches by redeploying workloads• Dependent on adopting pure cloud architectures

Look at AWS OS Templates

Systematic Workload Reprovisioning• Based on high-assurance repositories• Effective battling Advanced Persistent Threats

What are we missing?

Don’t assume attacks only happen against Amazon EC2

Over 80 different AWS services • IAM authentication is centralized• But services have unique authorization/access controls

You will have 100s of AWS accounts

We need a complete inventory• All publicly-accessible endpoints and resources

Security breaches can happen with a single weak link

RDS (Relational Database Service)

Only port RDS listens on is the database port • AWS limits access to database ports only

Publicly accessible option• Not a good idea, but if you do this

• Make sure you use security groups to restrict source IP address• Make sure you have latest patches applied

Secure your database snapshots• Keys to the kingdom if someone can get a copy• Encrypt your snapshots with KMS keys• Brute-force passwords, restore to their own account

Amazon S3 (Simple Storage Service)

Up to 1000 buckets in an account

Location• Within a region, across multi-AZs, not housed in a VPC• Can’t sit between client and storage

Security• Access control through IAM policies, bucket policies, ACLs, and query string authentication• Server-side Encryption, HTTPS support• Server-access logs (does not integrate with CloudTrail)

Don’t grant FULL_CONTROL, WRITE_ACP, WRITE bucket permissions to Everyone EVER!!!

Create an inventory of your sensitive data

Amazon SQS (Simple Queuing Service)

Where does SQS live?• Within a region, not within a VPC• Uses a URL such as:

https://sqs.us-east-1.amazonaws.com/123456789012/MySQS

Amazon SNS (Simple Notification Service)

Amazon SNS does not live inside your VPC

Permissions based on topic policies:

Using AWS CloudTrail

An AWS Service that records each time the AWS API is called• Currently supports most AWS services • http://docs.aws.amazon.com/awscloudtrail/latest/userguide/dochistory.html

Conveniently everything in AWS goes through the API• Even actions in the Management Console go through the API

AWS CloudTrail writes files into an Amazon S3 bucket• Near real-time (every five minutes)• Files are in JSON format

Get started at http://aws.amazon.com/cloudtrail/

Using AWS CloudWatch LogsSimple method of monitoring operating system logs

• Ship Windows event logs and syslogs to AWS CloudWatch

Integration from CloudTrail into CloudWatch Logssystem logs• With alerting capabilities

Types of use-case:• Account Login Failure, Account Login Success, New local account creation,

Excessive Login Failure (Configurable)• Unauthorized Windows Admin Logon, Windows Account Lockout Attempt,

Windows Computer Account Changes• Windows Audit Policy Changes, Windows Event Log Cleared• Account Locked Out, Changes to System or Audit log

Get started at: http://docs.aws.amazon.com/AmazonCloudWatch/latest/

DeveloperGuide/WhatIsCloudWatchLogs.html

Using Amazon VPC Flow Logs

An AWS service that records each time packets enter or leave a VPC• http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/flow-logs.html

Security team comes to you and says:• We need logs going to instance 1-0123456 from

IP address ranges 52.205.16.0 - 52.205.31.255

Monitor for DENY connections• Gives you both security group and NACL denies

Announcement:https://aws.amazon.com/about-aws/whats-new/2015/06/aws-launches-amazon-vpc

-flow-logs/

Tools For Configuring AWS Security & Cost

Generic tools fall short

Purpose-built, not cloud-washed• Make sure tools don’t fall over in the cloud• Tools have to understand dynamic, ephemeral IPs

Need a deep understanding of AWS• What does this means• Context is important• Actionable intelligence

Leveraging AWS data – AWS CloudTrail, AWS Config, VPC Flow logs, AWS CloudWatch logs, DBR, and more metrics

Providing complete transparency – into 1 or across 1000sof AWS accounts

Automating security, configuration, and activity monitoring and alerting

Continuous monitoring of configurations, resources and permissions

Active optimization, sophisticated allocation, and simplified invoicing for enterprise cloud cost management

Monitoring, Reporting, & Optimization Enterprise Security & Cost Management from CloudCheckr

Questions?

Thank you!

Aaron NewmanCEO & Founder of CloudCheckr

aaron.newman@cloudcheckr.com

www.cloudcheckr.com

Remember to complete your evaluations!

Related Sessions

http://www.quantum.com/