iam:CreateAccessKey

LAUNCH INSTANCES MODULE
- Auto detects configuration for launching EC2 instances
- Can launch one or multiple instances
- Can execute setup scripts

LOCKOUT USERS MODULE
- Requires an IAM admin role (created by previous module)
- Enumerates all users and access keys
- Accepts a user to keep
- Locks out all other accounts

DISCLAIMER
- This is not an Amazon Web Services issue
- This is a DevOps education issue
- It is the user's responsibility to understand the technology being used
- With power user privileges come great responsibilities

Demo: Putting it all Together
[Diagram: Attacker, Proxy, Jenkins in 10.0.0.0/16, SSH, AWS API via IGW; numbered steps 1, 2, 3]

How do we stay safe in the Cloud?

Staying Safe in the Cloud: IAM Best Practices
- Add MFA to Root user and remove Root user access keys
- Create individual IAM users
- Use groups to assign permissions to IAM users
- Grant least privilege
- Configure a strong password policy for users
- Enable MFA for all users
- Use roles for applications running on EC2
- Detach roles from applications that don't need them (*New)

Staying Safe in the Cloud: IAM Best Practices (continued)
- Delegate by using roles instead of by sharing credentials
- Rotate passwords and access keys regularly
- Remove unnecessary credentials
- Use policy conditions for extra security
- Monitor activity in your AWS account (CloudTrail)
See: https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html

Staying Safe in the Cloud: Practice separation of duties
- Can all your users perform IAM actions? Only a subset of users should be IAM Admins
- Can any instance perform IAM actions? Heavily restrict IAM actions on Instances
- Audit your Users/Groups/Roles
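A small audit for the "Can any instance perform IAM actions?" check, added here as an example; it is not code from the talk, from Cumulus or from Control Plane. It assumes the instance-role policy documents have already been fetched (the three sample policies are constructed) and flags any Allow statement whose action pattern covers iam:* or ec2:RunInstances, the privileges the modules above rely on.

```python
import fnmatch

# Constructed sample policy documents attached to EC2 instance roles (not real data).
SAMPLE_ROLE_POLICIES = {
    "web-instance-role": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::app-bucket/*"}]},
    "jenkins-instance-role": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"}]},
    "ci-instance-role": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["iam:CreateAccessKey", "iam:CreateUser"], "Resource": "*"},
        {"Effect": "Allow", "Action": ["ec2:RunInstances"], "Resource": "*"}]},
}

# Privileges the modules above need: any IAM action, plus launching instances.
# An instance role that grants these lets a compromised host extend its own access.
SENSITIVE_ACTIONS = ("iam:*", "ec2:RunInstances")


def _as_list(value):
    """IAM allows a single string or a list in Statement/Action fields."""
    return value if isinstance(value, list) else [value]


def overbroad_actions(policy):
    """Return the Allow action patterns in a policy document that cover a sensitive action.

    Action patterns are case-insensitive globs ("iam:Create*", "*"). Deny statements and
    Condition blocks are deliberately ignored, so this is a conservative first pass.
    """
    found = set()
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        for pattern in _as_list(stmt.get("Action", [])):
            p = pattern.lower()
            for sensitive in SENSITIVE_ACTIONS:
                s = sensitive.lower()
                # Flag if the granted pattern covers the sensitive action ("*" covers "iam:*")
                # or the granted action falls under it ("iam:CreateUser" falls under "iam:*").
                if fnmatch.fnmatchcase(s, p) or fnmatch.fnmatchcase(p, s):
                    found.add(pattern)
    return sorted(found)


def audit_instance_roles(role_policies):
    """Map each instance role to its over-broad action patterns; an empty list is clean."""
    return {name: overbroad_actions(doc) for name, doc in role_policies.items()}
```

Run `audit_instance_roles(SAMPLE_ROLE_POLICIES)` to see that only the Jenkins and CI roles need review; a real audit would feed it the inline and attached policies of every role in an instance profile.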
Staying Safe in the Cloud: Beware of tunnels
- Do you use VPN tunnels between AWS and datacenters, other AWS accounts (or VPC Peering), or other hosts?
- Attacks can traverse these tunnels
- Lock down security groups

Staying Safe in the Cloud: Monitor your CloudTrail
- Will someone notice when a new user is created in your account, or a resource is created in an unused region?
- Will you notice right away or at the end of the month?
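The "will someone notice" questions turned into detection logic, as an added example that is not from the deck. It scans constructed, simplified CloudTrail records for IAM mutations, for IAM calls made with EC2 instance-role credentials (the session name equals the instance id, used here as a heuristic), and for resource creation outside the regions the account uses (USED_REGIONS is an assumption).

```python
# Constructed, simplified CloudTrail records (real records carry many more fields).
SAMPLE_EVENTS = [
    {"eventTime": "2016-07-30T10:00:00Z", "eventName": "DescribeInstances", "awsRegion": "us-east-1",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/web-instance-role/i-0abc1234"}},
    {"eventTime": "2016-07-30T10:02:11Z", "eventName": "CreateUser", "awsRegion": "us-east-1",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/jenkins-instance-role/i-0def5678"}},
    {"eventTime": "2016-07-30T10:02:40Z", "eventName": "CreateAccessKey", "awsRegion": "us-east-1",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/jenkins-instance-role/i-0def5678"}},
    {"eventTime": "2016-07-30T10:05:00Z", "eventName": "RunInstances", "awsRegion": "ap-southeast-2",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/backdoor"}},
    {"eventTime": "2016-07-30T10:06:00Z", "eventName": "ListBuckets", "awsRegion": "us-east-1",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"}},
]

# Calls that add a principal or credentials to the account: the "new user is created" case.
IAM_MUTATIONS = {"CreateUser", "CreateAccessKey", "CreateLoginProfile", "AttachUserPolicy", "PutUserPolicy"}
# Assumption: the regions this account actually uses; anything else counts as "unused".
USED_REGIONS = {"us-east-1", "us-west-2"}


def from_instance_credentials(identity):
    """Heuristic: EC2 instance-profile credentials assume the role with the instance id
    as the session name, so the assumed-role ARN ends in /i-xxxx."""
    arn = identity.get("arn", "")
    return identity.get("type") == "AssumedRole" and arn.rsplit("/", 1)[-1].startswith("i-")


def classify(event):
    """Return alert labels for one record; an empty list means nothing noteworthy."""
    alerts = []
    name, region = event["eventName"], event["awsRegion"]
    if name in IAM_MUTATIONS:
        alerts.append("iam-mutation")
        if from_instance_credentials(event.get("userIdentity", {})):
            alerts.append("iam-action-from-instance")  # instances should not be doing IAM
    if region not in USED_REGIONS and name.startswith(("Create", "Run")):
        alerts.append("resource-created-in-unused-region")
    return alerts


def scan(events):
    """Return (eventTime, eventName, principal ARN, alerts) for each record that fired a rule."""
    return [(e["eventTime"], e["eventName"], e["userIdentity"]["arn"], classify(e))
            for e in events if classify(e)]
```

Feeding the same rules a CloudTrail log delivered to S3 (one JSON object per file, records under "Records") answers the "right away or end of the month" question with a timestamp rather than a guess.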
Staying Safe in the Cloud: Test for Security
- Is your AWS footprint covered by threat models, vulnerability scanners, penetration tests and Red Team exercises?

Staying Safe in the Cloud: Awareness
- Security training
- Conferences like this one
- Read IAM Best Practices and security whitepapers
- Build a community around Cloud security

Questions? Thank you!
Javier Godinez
Cumulus - A Cloud Exploitation Toolkit: https://drive.google.com/file/d/0B2Ka7F_6TetSNFdfbkI1cnJHUTQ
See cumulus branch: https://github.com/godinezj/metasploit-framework
Control Plane: https://github.com/devsecops/controlplane/

APPENDIX (Javier Godinez)

HOW TO APPLY THIS KNOWLEDGE
- Read the AWS IAM Best Practices documents: http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html
- Monitor IAM actions using AWS CloudTrail
- Audit your AWS account IAM policies and roles
- Red Team your applications and instances: https://www.metasploit.com
- Think to yourself: how would an attacker use this against me?
- Use repeatable secure patterns: https://github.com/devsecops
- Help build awareness through community: http://www.devsecops.org

UNDERSTANDING THE TECHNOLOGY YOU USE
- How fast can I move while still staying safe?
- Always develop in a separate account (Blast Radius Containment)
- Read the docs for everything and make conscious choices
- Attackers will try to leverage everything against you
- Bleeding edge does not mean stable and secure. However, it can be with enough testing