Hackproof Your Cloud: Responding to 2016 Threats
Aaron Klein, CloudCheckr
Tuesday, June 30th 2016
© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Changing Your Perspective
- Moving to the cloud = rethinking your perimeter security
- Old world: set up and audit perimeter security
- New world: rethink security tasks:
  - Network-based IPS/IDS
  - Network scanning
  - Penetration tests
  - Vulnerability assessments
- Focus on securing cloud workloads, not on securing the cloud
AWS: What's Different?
The idea of physical security morphs as infrastructure becomes virtualized by AWS APIs. In a new world of ephemeral, auto-scaling infrastructure, you need to adapt your security architecture to meet both compliance and security threats.
- Physical assets are secured at the AWS availability zone
- You must guard the AWS API
- IAM access is your new physical security
AWS and You Share Responsibility for Security
You: you get to define your controls IN the cloud
- Network security
- Customer applications & content
- Inventory & config
- Data security
- Access control
AWS: AWS takes care of the security OF the cloud
- AWS Foundation Services: compute, storage, database, networking
- AWS Global Infrastructure: regions, availability zones, edge locations
Minimizing Attack Vectors
Principles don't change:
- Reduce your surface area!
- Defense-in-depth
- Patch all known vulnerabilities
- Configure and manage user privileges
- Remove unused user accounts
Security hardening:
- Remove unwanted services
- Close unused open network ports
- Enforce password complexity & policies
Some attack vectors don't change:
- Application-level user-privilege escalation, web app vulns, XSS
- Operating system vulnerabilities
- Database vulnerabilities
Some attack vectors change:
- Homogeneous environment
- Polymorphic targets/mapping
- Reduced network sniffing
Perimeter Assessments in the Cloud
How do I assess the perimeter of my cloud?
OLD WORLD:
- Give me your network block
- Let me see your configuration
- Nmap, port scans, ping sweeps, etc.
NEW WORLD:
- List of publicly-accessible resources
- Security groups (Amazon EC2-Classic, Amazon EC2-VPC, Redshift, RDS, etc.)
- Routing tables, network ACLs
- VPC, subnets
- Amazon S3 buckets and permissions
- IAM policies
Network Security in a VPC
Network ACLs (NACLs):
- Virtual firewalls assigned to VPCs/subnets
- Network ACLs are stateless: responses to allowed inbound traffic are subject to the rules for outbound traffic (and vice versa)
- Rules are evaluated in ascending numerical order; the first matching rule wins
- A DENY can be overridden by a lower-numbered ALLOW
- Watch for INEFFECTIVE rules (rules that a lower-numbered rule already covers and that can therefore never fire)
Security groups:
- Host-based firewalls assigned to instances
- Stateful: responses to allowed inbound traffic are not subject to the rules for outbound traffic
- Rules are cumulative
- DENY always overrides ALLOW
- Assigning the wrong security group to an instance exposes the entire VPC
http://docs.aws.amazon.com/amazonvpc/latest/userguide/vpc_acls.html
http://docs.aws.amazon.com/awsec2/latest/userguide/using-network-security.html
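The two evaluation models on this slide differ in a way that is easy to get wrong by hand, so here is an added example (not from the slides or from CloudCheckr) that applies both: a NACL evaluator that walks rules in number order and stops at the first match, a security-group evaluator that only knows allow rules and denies whatever is unmatched, and a check that flags NACL rules shadowed by a lower-numbered rule. The rule sets, addresses and the `Rule` class are constructed for illustration.

```python
"""Added example: NACL (stateless, ordered, first match wins) versus security group
(cumulative allow rules, implicit deny) decisions, plus detection of ineffective NACL
rules. Rule sets below are constructed, not taken from any real VPC."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    number: int        # NACL rule number; evaluated in ascending order (ignored for SGs)
    protocol: str      # "tcp", "udp", "icmp" or "-1" for all protocols
    cidr: str
    port_from: int
    port_to: int
    action: str        # "allow" or "deny" (security groups only ever carry "allow")


def _matches(rule, protocol, ip, port):
    if rule.protocol not in ("-1", protocol):
        return False
    if ipaddress.ip_address(ip) not in ipaddress.ip_network(rule.cidr):
        return False
    return rule.port_from <= port <= rule.port_to


def nacl_decision(rules, protocol, ip, port):
    """First matching rule in number order decides; the implicit '*' rule denies the rest."""
    for rule in sorted(rules, key=lambda r: r.number):
        if _matches(rule, protocol, ip, port):
            return rule.action, rule.number
    return "deny", "*"


def sg_decision(rules, protocol, ip, port):
    """Security groups are cumulative allow lists: any allow rule that matches lets the
    packet in, and anything no rule allows is denied."""
    for rule in rules:
        if rule.action == "allow" and _matches(rule, protocol, ip, port):
            return "allow"
    return "deny"


def ineffective_nacl_rules(rules):
    """Rule numbers whose whole match space (protocol, network, port range) is already
    covered by a lower-numbered rule; such rules can never fire, whatever their action."""
    ordered = sorted(rules, key=lambda r: r.number)
    shadowed = []
    for i, later in enumerate(ordered):
        for earlier in ordered[:i]:
            proto_ok = earlier.protocol in ("-1", later.protocol)
            net_ok = ipaddress.ip_network(later.cidr).subnet_of(ipaddress.ip_network(earlier.cidr))
            ports_ok = earlier.port_from <= later.port_from and later.port_to <= earlier.port_to
            if proto_ok and net_ok and ports_ok:
                shadowed.append(later.number)
                break
    return shadowed


# Constructed NACL: the author meant to keep one /24 off SSH, but rule 100 already
# allows SSH from everywhere, so rule 110 is ineffective.
NACL_INBOUND = [
    Rule(100, "tcp", "0.0.0.0/0", 22, 22, "allow"),
    Rule(110, "tcp", "203.0.113.0/24", 22, 22, "deny"),
    Rule(120, "tcp", "0.0.0.0/0", 443, 443, "allow"),
]

# Constructed security group: SSH only from the VPC, HTTPS from anywhere.
SG_INBOUND = [
    Rule(0, "tcp", "10.0.0.0/16", 22, 22, "allow"),
    Rule(0, "tcp", "0.0.0.0/0", 443, 443, "allow"),
]

if __name__ == "__main__":
    print("NACL, SSH from 203.0.113.5:", nacl_decision(NACL_INBOUND, "tcp", "203.0.113.5", 22))
    print("Ineffective NACL rules:", ineffective_nacl_rules(NACL_INBOUND))
    print("SG, SSH from 203.0.113.5:", sg_decision(SG_INBOUND, "tcp", "203.0.113.5", 22))
```

The shadowing check is deliberately conservative: it only reports a rule when a single earlier rule covers it completely, so a rule that is covered by the union of several earlier rules is not reported and still deserves a manual look.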
Complex Connections to Amazon EC2
- An Amazon EC2 instance can be run inside VPCs (legacy capability to run outside VPCs)
  - Instance ID: i-001bac39
  - Friendly name (implemented as a tag): ISS-V2-API1
- An Amazon EC2 instance can be given 1 or more private IP addresses
  - For example: 172.12.6.186, which generates the DNS name ip-172-12-6-186.us-west-2.compute.internal
- An Amazon EC2 instance can be given 1 or more public IP addresses
  - For example: 52.24.201.167, which generates the DNS name ec2-52-24-201-167.us-west-2.compute.amazonaws.com
- An Amazon EC2 instance can be attached to an Elastic IP address (EIP)
  - For example: 107.20.135.132
Running VA in Cloud Environments
How do I run vulnerability assessments?
- REGISTER YOUR SCAN!
- Gather the list of public IPs and EIPs of all resources
- Do I need to scan the private IP addresses and instances?
Scanning an AMI:
- Spin up a new instance and run a scan on the new instance
- Mark everything based on this AMI as scanned
- What about when an instance drifts from the original AMI? Someone can reconfigure settings or install new software
- In an elastic, ephemeral, auto-scaling environment, clouds can have tens of thousands of instances
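The "new world" perimeter assessment and the VA slide both start from the same two lists: every public IP and EIP an outside scanner could reach, and which running instances share an AMI so one scan per image can be reused. This added example (not from the slides or from CloudCheckr) builds both from data in the shape of EC2 `describe-instances` (`Reservations`) and `describe-addresses` output; the records, instance IDs, AMI IDs and addresses are constructed.

```python
"""Added example: public-address inventory and per-AMI grouping from constructed
describe-instances / describe-addresses style records."""
from collections import defaultdict

# Constructed sample in the describe-instances "Reservations" shape (ids are made up)
RESERVATIONS = [
    {"Instances": [
        {"InstanceId": "i-0aaa111", "ImageId": "ami-0web", "State": {"Name": "running"},
         "PrivateIpAddress": "172.31.10.5", "PublicIpAddress": "203.0.113.10",
         "NetworkInterfaces": [{"Association": {"PublicIp": "203.0.113.10"}}],
         "Tags": [{"Key": "Name", "Value": "web-1"}]},
        {"InstanceId": "i-0aaa222", "ImageId": "ami-0web", "State": {"Name": "running"},
         "PrivateIpAddress": "172.31.10.6",
         "NetworkInterfaces": [{"Association": {"PublicIp": "198.51.100.20"}}],
         "Tags": [{"Key": "Name", "Value": "web-2"}]},
    ]},
    {"Instances": [
        {"InstanceId": "i-0bbb333", "ImageId": "ami-0db", "State": {"Name": "running"},
         "PrivateIpAddress": "172.31.20.5", "NetworkInterfaces": [{}],
         "Tags": [{"Key": "Name", "Value": "db-1"}]},
        {"InstanceId": "i-0ccc444", "ImageId": "ami-0web", "State": {"Name": "stopped"},
         "PrivateIpAddress": "172.31.10.9", "NetworkInterfaces": [{}], "Tags": []},
    ]},
]

# Constructed sample in the describe-addresses shape: one attached EIP, one allocated
# but unattached (still yours, still reachable from the internet once attached)
ELASTIC_IPS = [
    {"PublicIp": "198.51.100.20", "InstanceId": "i-0aaa222"},
    {"PublicIp": "198.51.100.99"},
]


def instances(reservations):
    for reservation in reservations:
        yield from reservation["Instances"]


def public_addresses(reservations, addresses):
    """Every externally reachable address: auto-assigned public IPs, public IPs on
    network interfaces, and every allocated EIP (attached or not)."""
    found = set()
    for inst in instances(reservations):
        if inst["State"]["Name"] != "running":
            continue
        if inst.get("PublicIpAddress"):
            found.add(inst["PublicIpAddress"])
        for eni in inst.get("NetworkInterfaces", []):
            ip = eni.get("Association", {}).get("PublicIp")
            if ip:
                found.add(ip)
    found.update(addr["PublicIp"] for addr in addresses)
    return sorted(found)


def by_ami(reservations):
    """Running instances grouped by AMI: scan one instance per image and treat the
    rest as covered, while remembering that drift from the image is invisible here."""
    groups = defaultdict(list)
    for inst in instances(reservations):
        if inst["State"]["Name"] == "running":
            groups[inst["ImageId"]].append(inst["InstanceId"])
    return dict(groups)


if __name__ == "__main__":
    print("Register these addresses with the scan:", public_addresses(RESERVATIONS, ELASTIC_IPS))
    print("One representative scan per AMI:", by_ami(RESERVATIONS))
```

Stopped instances are left out of both lists on purpose: they are not reachable while stopped, but they keep their EIP, which is why EIPs are collected from `describe-addresses` rather than only from running instances.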
Patching Strategies for AWS
"No patch" strategy:
- Stay away from patching live systems
- Focus on patching templates/AMIs
- Deliver patches by redeploying workloads
- Dependent on adopting pure cloud architectures
- Look at AWS OS templates, which are patched by Amazon
Systematic workload reprovisioning:
- Based on high-assurance repositories
- Effective in battling Advanced Persistent Threats
Outside of Your VPC: What Are We Missing?
- Don't assume attacks only happen against Amazon EC2
- AWS is a complex system: over 30 different AWS services, many with unique access control systems
- You may have 100s of AWS accounts
- We need a complete inventory of all publicly-accessible endpoints and resources
- Security breaches can happen with a single weak link
S3 (Simple Storage Service)
- Up to 1000 buckets in an account
- Unlimited number of objects (billions is not uncommon)
Location:
- Within a region, across multiple AZs, not housed in a VPC
- You can't sit between client and storage
Security:
- Access control through IAM policies, bucket policies, ACLs, and query string authentication
- Server-side encryption, HTTPS support
- Server access logs (do not integrate with CloudTrail)
- Don't grant FULL_CONTROL, WRITE_ACP, or WRITE bucket permissions to Everyone. EVER!!!
- Create an inventory of your sensitive data
SQS (Simple Queuing Service)
Where does SQS live?
- Within a region, not within a VPC
- Uses a URL such as: https://sqs.us-east-1.amazonaws.com/123456789012/mysqs
Security is based on policy documents (the slide's example, with its closing brackets restored):
    {
      "Version": "2008-10-17",
      "Id": "arn:aws:sqs:us-east-1:123456789012:mysqs/sqsdefaultpolicy",
      "Statement": [
        {
          "Sid": "Sid1415217272568",
          "Effect": "Allow",
          "Principal": { "AWS": "*" },
          "Action": [ "SQS:ReceiveMessage", "SQS:SendMessage" ],
          "Resource": "arn:aws:sqs:us-east-1:123456789012:mysqs"
        }
      ]
    }
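The S3 slide's "never grant FULL_CONTROL, WRITE_ACP or WRITE to Everyone" and the SQS slide's policy with `"Principal": {"AWS": "*"}` are the same class of weak link: a resource reachable by anyone on the internet. This added example (not from the slides or from CloudCheckr) runs two checks over inputs in the shapes AWS returns them: bucket ACL grants as `get-bucket-acl` reports them (constructed here) and the queue policy document from the slide. It also covers SNS topic policies, which use the same statement structure. The grantee group URIs are the real AWS values; the grants are constructed.

```python
"""Added example: flag public write-class S3 ACL grants and resource-policy statements
(SQS/SNS) that allow a wildcard principal without any Condition."""
import json

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
DANGEROUS = {"FULL_CONTROL", "WRITE", "WRITE_ACP"}


def risky_acl_grants(grants):
    """(group, permission) pairs that hand write or ACL control to the public or to
    every AWS account holder; READ grants are reported separately by callers if wanted."""
    findings = []
    for grant in grants:
        grantee = grant.get("Grantee", {})
        uri = grantee.get("URI")
        if grantee.get("Type") == "Group" and uri in (ALL_USERS, AUTH_USERS):
            if grant["Permission"] in DANGEROUS:
                findings.append((uri.rsplit("/", 1)[-1], grant["Permission"]))
    return findings


def _principals(principal):
    """Normalise the Principal element to a list of AWS principal strings."""
    if principal == "*":
        return ["*"]
    if isinstance(principal, dict):
        values = principal.get("AWS", [])
        return values if isinstance(values, list) else [values]
    return []


def open_statements(policy_json):
    """Allow statements with a wildcard principal and no Condition, as (Sid, actions).
    A wildcard principal scoped by a Condition (e.g. a source ARN) is a common legitimate
    pattern for SNS/SQS, so only the unconditioned form is reported."""
    policy = json.loads(policy_json)
    hits = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or stmt.get("Condition"):
            continue
        if "*" in _principals(stmt.get("Principal")):
            actions = stmt.get("Action", [])
            hits.append((stmt.get("Sid"), actions if isinstance(actions, list) else [actions]))
    return hits


# Constructed ACL: owner has FULL_CONTROL (normal), but someone also granted AllUsers WRITE
BUCKET_GRANTS = [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
    {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "WRITE"},
]

# The queue policy from the slide, with its closing brackets restored
QUEUE_POLICY = """{
  "Version": "2008-10-17",
  "Id": "arn:aws:sqs:us-east-1:123456789012:mysqs/sqsdefaultpolicy",
  "Statement": [{
    "Sid": "Sid1415217272568",
    "Effect": "Allow",
    "Principal": {"AWS": "*"},
    "Action": ["SQS:ReceiveMessage", "SQS:SendMessage"],
    "Resource": "arn:aws:sqs:us-east-1:123456789012:mysqs"
  }]
}"""

if __name__ == "__main__":
    print("Risky bucket ACL grants:", risky_acl_grants(BUCKET_GRANTS))
    print("Open queue policy statements:", open_statements(QUEUE_POLICY))
```

The queue policy on the slide is reported because anyone can send to and receive from the queue; the fix is to name the producing and consuming principals (or add a Condition that pins the caller), not to delete the statement outright.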
SNS (Simple Notification Service)
- SNS does not live inside your VPC
- Permissions are based on topic policies
Logs: Using AWS CloudTrail
- An AWS service that records each time the AWS API is called
- Currently supports most AWS services: http://docs.aws.amazon.com/awscloudtrail/latest/userguide/dochistory.html
- Conveniently, everything in AWS goes through the API; even actions in the Management Console go through the API
- CloudTrail writes files into an Amazon S3 bucket
- Near real-time (every five minutes)
- Files are in JSON format
- Get started at http://aws.amazon.com/cloudtrail/
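Because every API call (console included) lands in those JSON files, the first thing to build on top of CloudTrail is a triage pass that pulls out the calls a security reviewer wants to see. This added example (not from the slides or from CloudCheckr) reads a CloudTrail log file, a JSON object with a `Records` array as written to S3, summarises call volume, and flags watchlisted events such as security-group changes that open a port to `0.0.0.0/0` and console sign-ins. The event names and field paths are the real CloudTrail ones; the records and the watchlist are constructed and abbreviated.

```python
"""Added example: summarise and triage constructed CloudTrail records."""
import json
from collections import Counter

# Constructed watchlist; the names are real CloudTrail eventName values
WATCH = {
    "AuthorizeSecurityGroupIngress", "RevokeSecurityGroupIngress",
    "CreateNetworkAclEntry", "DeleteNetworkAclEntry",
    "PutBucketAcl", "ConsoleLogin",
}

# Constructed, abbreviated CloudTrail file (real records carry many more fields)
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventTime": "2016-06-30T14:02:11Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "awsRegion": "us-west-2",
     "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}},
    {"eventTime": "2016-06-30T14:05:40Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress", "awsRegion": "us-west-2",
     "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "requestParameters": {"groupId": "sg-0example", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
          "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
    {"eventTime": "2016-06-30T14:09:03Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "awsRegion": "us-east-1",
     "sourceIPAddress": "198.51.100.33",
     "userIdentity": {"type": "Root"},
     "responseElements": {"ConsoleLogin": "Failure"}},
]})


def load_records(text):
    return json.loads(text)["Records"]


def summarize(records):
    """Call volume by eventName: the quickest view of what an account is doing."""
    return Counter(record["eventName"] for record in records)


def world_open_ingress(record):
    """True when an AuthorizeSecurityGroupIngress call included the 0.0.0.0/0 range."""
    if record.get("eventName") != "AuthorizeSecurityGroupIngress":
        return False
    perms = record.get("requestParameters", {}).get("ipPermissions", {}).get("items", [])
    for perm in perms:
        for rng in perm.get("ipRanges", {}).get("items", []):
            if rng.get("cidrIp") == "0.0.0.0/0":
                return True
    return False


def triage(records):
    """Watchlisted events as (time, who, eventName, note) tuples, in file order."""
    out = []
    for record in records:
        if record["eventName"] not in WATCH:
            continue
        identity = record.get("userIdentity", {})
        who = identity.get("userName") or identity.get("type")
        note = ""
        if world_open_ingress(record):
            note = "ingress opened to 0.0.0.0/0"
        elif record["eventName"] == "ConsoleLogin":
            note = "console login " + record.get("responseElements", {}).get("ConsoleLogin", "?")
        out.append((record["eventTime"], who, record["eventName"], note))
    return out


if __name__ == "__main__":
    records = load_records(SAMPLE_TRAIL)
    print(summarize(records))
    for row in triage(records):
        print(row)
```

Since CloudTrail delivers in batches of roughly five minutes, a pass like this runs behind the event rather than in line with it; it is a detection and review tool, not a preventive control.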
Using CloudWatch Logs
- Simple method of monitoring operating system logs
- Ship Windows event logs and syslogs to AWS CloudWatch
- Types of use case:
  - Account login failure, account login success, new local account creation, excessive login failures (configurable)
  - Unauthorized Windows admin logon, Windows account lockout attempt, Windows computer account changes
  - Windows audit policy changes, Windows event log cleared
  - Non-Windows: account locked out, account unlocked, changes to system or audit log
- Get started at: http://docs.aws.amazon.com/amazoncloudwatch/latest/developerguide/whatiscloudwatchlogs.html
Using Amazon VPC Flow Logs
- An AWS service that records each time packets enter or leave a VPC: http://docs.aws.amazon.com/amazonvpc/latest/userguide/flow-logs.html
- The security team comes to you and says: "We need logs going to instance i-0123456 from the IP address range 52.205.16.0-52.205.31.255"
- Monitor for DENY connections: this gives you both security group and NACL denies
- Announcement: https://aws.amazon.com/about-aws/whats-new/2015/06/aws-launches-amazonvpc-flow-logs/
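The security team's request on this slide is a filter over flow log records, so here it is as an added example (not from the slides or from CloudCheckr). Records use the default flow log field order (version, account-id, interface-id, srcaddr, dstaddr, srcport, dstport, protocol, packets, bytes, start, end, action, log-status), the action field is `ACCEPT` or `REJECT` (a reject is what the slide calls a DENY, from either the security group or the NACL), and records are keyed by network interface rather than instance, so a map from ENI to instance is needed; that map and the log lines are constructed, and the range 52.205.16.0-52.205.31.255 is expressed as 52.205.16.0/20.

```python
"""Added example: filter constructed VPC Flow Log records for one instance and one
source range, and count what was accepted versus rejected per destination port."""
import ipaddress
from collections import Counter

# Default flow log field order (log-status is OK, NODATA or SKIPDATA)
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

# Constructed: flow logs name the ENI, so map ENIs back to instances
ENI_TO_INSTANCE = {"eni-0aaa111": "i-0123456", "eni-0bbb222": "i-0999999"}

# Constructed sample records (protocol 6 = TCP)
SAMPLE_LOG = """\
2 123456789012 eni-0aaa111 52.205.17.44 172.31.10.5 41532 22 6 3 180 1467295200 1467295260 REJECT OK
2 123456789012 eni-0aaa111 52.205.17.44 172.31.10.5 41533 443 6 12 2310 1467295200 1467295260 ACCEPT OK
2 123456789012 eni-0aaa111 52.205.40.9 172.31.10.5 50211 22 6 2 120 1467295200 1467295260 REJECT OK
2 123456789012 eni-0bbb222 52.205.20.1 172.31.20.5 60000 3389 6 4 240 1467295200 1467295260 REJECT OK
2 123456789012 eni-0aaa111 - - - - - - - 1467295200 1467295260 - NODATA
"""


def parse(text):
    """Yield one dict per usable record; NODATA/SKIPDATA lines carry no addresses."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue
        record = dict(zip(FIELDS, parts))
        if record["log_status"] != "OK":
            continue
        yield record


def matching(records, instance_id, cidr, eni_map=ENI_TO_INSTANCE):
    """Records addressed to the given instance whose source falls inside cidr."""
    net = ipaddress.ip_network(cidr)
    return [r for r in records
            if eni_map.get(r["interface_id"]) == instance_id
            and ipaddress.ip_address(r["srcaddr"]) in net]


def reject_summary(records):
    """(dstport, action) counts: what the security group or NACL is turning away."""
    return Counter((r["dstport"], r["action"]) for r in records)


if __name__ == "__main__":
    hits = matching(parse(SAMPLE_LOG), "i-0123456", "52.205.16.0/20")
    for hit in hits:
        print(hit["srcaddr"], "->", hit["dstaddr"], "port", hit["dstport"], hit["action"])
    print(reject_summary(hits))
```

A flow log record does not say which of the two layers rejected the packet; when the summary shows a reject on a port you expect to be open, compare the NACL and the security group for that subnet and interface.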
Tools for Configuring AWS Securely & Cost-Effectively
- Generic tools fall short: purpose-built, not cloud-washed
- Make sure tools don't fall over in the cloud; tools have to understand dynamic, ephemeral IPs
- Need a deep understanding of AWS. What does this mean? Context is important; actionable intelligence
CloudCheckr Unified Cost & Security Management
What cloud users need:
- Automated best practice checks covering security, availability, cost, and usage
- Simplified monitoring of changes in a cloud environment
- Actionable security and activity alerts
- Remediation and self-healing of security vulnerabilities
- Understand/audit costs in the cloud
CloudCheckr provides:
- Comprehensive visibility & control on security, availability, cost and usage with 350+ out-of-the-box best practice policy checks
- Automated reports, generated and updated daily, listing all additions, deletions, or modifications over the past 24 hours
- Over 100 out-of-the-box alerts with endless customization opportunities
- Automation that allows users to receive alerts and delegate remediation to CloudCheckr
- Granular visibility to understand, deconstruct, and optimize cloud costs
Questions?
Thank You for Attending
www.cloudcheckr.com
Aaron Klein, Founder of CloudCheckr
aaron.klein@cloudcheckr.com