Configure Your Cloud to Make It Rain on Threats (SEC335-R1) - AWS re:Invent 2018
© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Configure Your Cloud to Make It Rain on Threats
Eric Schwenter
Principal Solutions Architect
AWS WWPS
SEC335
Are we in the right place?
• How can I better secure my AWS environment?
• How can I make sure all the accounts in our organization are following
the rules?
• How can I detect threats in one or many accounts?
• What tools should I be using?
• How can I know that new accounts are secure by default?
• I want to know what <insert threat actor here> is doing
Part 1: Secure “an” account.
Shared responsibility model (diagram, shown in three variants: infrastructure services, container services, abstract services)
Managed by Amazon Web Services: AWS global infrastructure (regions, availability zones, edge locations), foundation services (compute, storage, databases, networking), AWS endpoints, AWS IAM
Managed by AWS customers: customer data, customer IAM, platform and application management, operating system/network/firewall configuration, client-side data encryption and data integrity authentication, network traffic protection (encryption / integrity / identity), server-side encryption (file system and/or data); optional – opaque data: 0s & 1s (in transit / at rest)
For container and abstract services, network traffic protection (protection of data in transit) and server-side encryption (protection of data at rest) are provided by the platform
https://aws.amazon.com/quickstart/#compliance
Amazon EC2 Systems Manager
• Automation
• Documents
• Inventory
• Maintenance windows
• Parameter Store
• Patch manager
• Run command
• State manager
Amazon EC2 Systems Manager
Run command
Why does this matter?
• Attack surface
• Compliance
• Detect anomalies
Tools you’ll likely need to know
Choose your adventure!
Replace remote access
Part 1, identify remote access for an environment.
o How can you programmatically check the account in all regions for remote access?
o Hint: What defines “remote access”?
o Develop a tool for this; checking the console won't scale.
Part 2, replace remote access with AWS Systems Manager
o For Windows or Linux, deploy Systems Manager on a target host
o Disable the old remote protocol with Systems Manager
Part 3, Audit
o How can we see what commands were run in part 2?
o Can we make an alert if someone turns off a service like you just did?
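One way to answer Part 1 programmatically, as an added example that is not part of the deck: the audit treats "remote access" as SSH (22) or RDP (3389) reachable from 0.0.0.0/0 or ::/0 (that definition is an assumption; adjust `REMOTE_PORTS` for WinRM or other protocols). The pure check takes the dict shape that EC2 DescribeSecurityGroups returns, so it runs offline on the constructed sample below; `scan_all_regions` wraps it with boto3 for a live account and is the only part that needs credentials.

```python
"""Find security groups exposing remote-access ports to the internet, across
all regions.  Added example; not code from the SEC335 deck."""

# Assumption: "remote access" = SSH or RDP open to the whole internet.
REMOTE_PORTS = {22: "SSH", 3389: "RDP"}
ANYWHERE = {"0.0.0.0/0", "::/0"}


def _rule_ports(perm):
    """Return the remote-access ports one IpPermissions entry covers."""
    proto = perm.get("IpProtocol")
    if proto == "-1":                      # "all traffic" rule
        return set(REMOTE_PORTS)
    if proto not in ("tcp", "6"):
        return set()
    lo, hi = perm.get("FromPort"), perm.get("ToPort")
    if lo is None or hi is None:
        return set()
    return {p for p in REMOTE_PORTS if lo <= p <= hi}


def _rule_sources(perm):
    """Collect IPv4 and IPv6 CIDRs listed on one rule."""
    cidrs = [r.get("CidrIp") for r in perm.get("IpRanges", [])]
    cidrs += [r.get("CidrIpv6") for r in perm.get("Ipv6Ranges", [])]
    return [c for c in cidrs if c]


def find_remote_access(security_groups, region="unknown"):
    """Return (region, group id, port, cidr) tuples for every rule that lets a
    remote-access port in from the whole internet."""
    findings = []
    for sg in security_groups:
        for perm in sg.get("IpPermissions", []):
            ports = _rule_ports(perm)
            if not ports:
                continue
            for cidr in _rule_sources(perm):
                if cidr in ANYWHERE:
                    for port in sorted(ports):
                        findings.append((region, sg["GroupId"], port, cidr))
    return findings


def scan_all_regions():
    """Live scan with boto3 (needs ec2:DescribeRegions and
    ec2:DescribeSecurityGroups).  boto3 is imported here so the offline
    logic above has no dependency on it."""
    import boto3
    findings = []
    regions = boto3.client("ec2").describe_regions()["Regions"]
    for region in (r["RegionName"] for r in regions):
        ec2 = boto3.client("ec2", region_name=region)
        groups = []
        for page in ec2.get_paginator("describe_security_groups").paginate():
            groups.extend(page["SecurityGroups"])
        findings.extend(find_remote_access(groups, region))
    return findings


# Constructed sample: one group exposes SSH, one exposes everything over IPv6,
# and an RDP rule scoped to a private range is correctly ignored.
SAMPLE_GROUPS = [
    {"GroupId": "sg-0aaa", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    ]},
    {"GroupId": "sg-0bbb", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},
        {"IpProtocol": "-1", "IpRanges": [],
         "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    ]},
]

if __name__ == "__main__":
    for region, gid, port, cidr in find_remote_access(SAMPLE_GROUPS, "us-east-1"):
        print(f"{region} {gid}: {REMOTE_PORTS[port]} ({port}) open from {cidr}")
```

Run it as a script to see the three findings from the sample; call `scan_all_regions()` from a session with read-only EC2 permissions to run it against real accounts. Feeding the same function each member account's groups (via an assumed read-only cross-account role) is what turns this into the organization-wide check the slide asks for.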
Data flow example (diagram): client → AWS API → Run command, spanning a security account and a production account
Data flow example (diagram): client → Internet → AWS API → Run command
Automatic remediation: GuardDuty event → CloudWatch Events (event-based) → Lambda function
import boto3
import json


def lambda_handler(event, context):
    try:
        # GuardDuty finding delivered through CloudWatch Events; branch on its type
        if event['detail']['type'] in ['Backdoor:EC2/C&CActivity.B!DNS']:
            response = '<do something here>'  # remediation placeholder from the slide
            return response
    except Exception as e:
        print(e)
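Filling in the "do something here" step, as an added example that is not the deck's code: the handler parses the GuardDuty finding out of the CloudWatch Events envelope (`detail.type`, `detail.severity`, `detail.resource.instanceDetails.instanceId`), looks the type up in a playbook, and quarantines the instance by replacing its security groups with a locked-down one via `modify_instance_attribute`. The playbook mapping, the severity threshold and the `QUARANTINE_SG` environment variable are assumptions; the EC2 client is injectable so the decision logic can be exercised offline with the constructed event below.

```python
"""GuardDuty finding -> CloudWatch Events -> Lambda auto-remediation.
Added example; not code from the SEC335 deck."""
import json
import logging
import os

logger = logging.getLogger(__name__)
logger.setLevel(logging.INFO)

# Assumed playbook: finding type -> remediation.  The finding type is the one
# shown on the slide; the quarantine design is this example's.
PLAYBOOK = {"Backdoor:EC2/C&CActivity.B!DNS": "isolate_instance"}
MIN_SEVERITY = 7.0   # assumed cut-off; GuardDuty severities range 0.1-8.9


def parse_finding(event):
    """Extract the fields the playbook needs from the event envelope."""
    detail = event.get("detail", {})
    instance = detail.get("resource", {}).get("instanceDetails", {})
    return {
        "id": detail.get("id"),
        "type": detail.get("type"),
        "severity": float(detail.get("severity", 0)),
        "instance_id": instance.get("instanceId"),
    }


def choose_action(finding):
    """Quarantine on a known, high-severity type with an instance; else notify."""
    action = PLAYBOOK.get(finding["type"])
    if action and finding["severity"] >= MIN_SEVERITY and finding["instance_id"]:
        return action
    return "notify"


def isolate_instance(ec2, instance_id, quarantine_sg):
    """Replace all security groups on the instance with the quarantine group
    (a group with no ingress/egress except what responders need)."""
    ec2.modify_instance_attribute(InstanceId=instance_id, Groups=[quarantine_sg])
    return {"action": "isolate_instance", "instance_id": instance_id,
            "group": quarantine_sg}


def lambda_handler(event, context, ec2=None, quarantine_sg=None):
    """Lambda entry point.  ec2/quarantine_sg are injectable for offline tests."""
    finding = parse_finding(event)
    action = choose_action(finding)
    logger.info("finding %s type=%s severity=%s -> %s",
                finding["id"], finding["type"], finding["severity"], action)
    if action == "isolate_instance":
        if ec2 is None:
            import boto3                     # only needed inside Lambda
            ec2 = boto3.client("ec2")
        # QUARANTINE_SG: assumed env var holding the quarantine group id
        sg = quarantine_sg or os.environ.get("QUARANTINE_SG", "sg-quarantine-placeholder")
        return isolate_instance(ec2, finding["instance_id"], sg)
    return {"action": "notify", "finding_id": finding["id"]}


class FakeEC2:
    """Stand-in for the boto3 EC2 client that records the calls it receives."""
    def __init__(self):
        self.calls = []

    def modify_instance_attribute(self, **kwargs):
        self.calls.append(kwargs)
        return {}


# Constructed sample event in the shape CloudWatch Events uses for GuardDuty
# findings; only the fields this handler reads are populated.
SAMPLE_EVENT = {
    "source": "aws.guardduty",
    "detail-type": "GuardDuty Finding",
    "detail": {
        "id": "example-finding-id",
        "type": "Backdoor:EC2/C&CActivity.B!DNS",
        "severity": 8,
        "resource": {"resourceType": "Instance",
                     "instanceDetails": {"instanceId": "i-0123456789abcdef0"}},
    },
}

if __name__ == "__main__":
    fake = FakeEC2()
    print(json.dumps(lambda_handler(SAMPLE_EVENT, None, ec2=fake, quarantine_sg="sg-q")))
    print(fake.calls)
```

The Lambda role needs `ec2:ModifyInstanceAttribute` on the instances it may quarantine and nothing more; keeping the action table explicit means a new finding type defaults to "notify" rather than to an unreviewed automated change.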
Amazon VPC Flow Logs
• Agentless
• Enable per ENI, per subnet, or per Amazon VPC
• Logged to Amazon CloudWatch Logs
• Create CloudWatch metrics from log data
• Alarm on those metrics
Record fields: AWS account, interface, source IP, destination IP, source port, destination port, protocol, packets, bytes, start/end time, accept or reject
Example Amazon VPC flow log query
[version, accountid, interfaceid, srcaddr!=172.31., dstaddr, srcport, distport,
protocol, packets, bytes, start, end, action=REJECT, logstatus]
Query the flow
aws logs filter-log-events --log-group-name flowlogs --log-stream-names eni-09abcd35bd881234-all --filter-pattern="[version, accountid, interfaceid, srcaddr!=172.31., dstaddr, srcport, distport, protocol, packets, bytes, start, end, action=REJECT, logstatus]"
…
{ "ingestionTime": 1540853212620,
  "timestamp": 1540852908000,
  "message": "2 638930115633 eni-09e099a35bd881234 172.31.56.147 23.15.x.x 49189 80 6 3 152 1540852908 1540852966 REJECT OK",
  "eventId": "3436216808972294799655018431925166088321896272121234567",
  "logStreamName": "eni-09abcd35bd881234-all"
}
Amazon VPC Flow Logs: Automation (diagram)
Elastic network interface in a private subnet → Flow Logs group → metric filter on all SSH REJECT → CloudWatch alarm (if SSH REJECT > 10, then…) → compliance app acts on the source IP
Tools you’ll likely need to know
Network control
Part 1, Enable network monitoring
o Detect attackers with flow logs
o Create an alert for more than (4) rejects from outside of your Amazon VPC
Part 2, how can you make this easier?
o Can we automatically process Amazon VPC flow logs without having to code anything?
Part 3, Bonus round
o Feeling lucky? Modify your local OS firewall with Systems Manager to block connections to
the host from part 1.
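The detection behind both the "SSH REJECT > 10" automation slide and Part 1 of this lab ("more than 4 rejects from outside your Amazon VPC"), as an added example that is not the deck's code. It parses version-2 flow log records (the 14 space-separated fields of the slide's `message`), keeps REJECTs whose source is outside the VPC CIDR, and counts them per source IP so a threshold can be applied. Membership is tested with `ipaddress` rather than a string prefix; the VPC CIDR 172.31.0.0/16, the account id and the external addresses in the sample are constructed. Note that the slide's own returned record has a source address inside 172.31.0.0/16, so it is correctly excluded here.

```python
"""Count REJECTed connections from outside the VPC in VPC Flow Log records.
Added example; not code from the SEC335 deck."""
import ipaddress
from collections import Counter

# Version-2 flow log record layout (14 fields).
FIELDS = ["version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes", "start", "end",
          "action", "log_status"]
NUMERIC = ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end")
VPC_CIDR = ipaddress.ip_network("172.31.0.0/16")   # assumed VPC range


def parse_record(line):
    """Split one record into a dict; '-' (NODATA/SKIPDATA rows) becomes None."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
    rec = dict(zip(FIELDS, parts))
    for key in NUMERIC:
        rec[key] = None if rec[key] == "-" else int(rec[key])
    return rec


def is_external_reject(rec, vpc=VPC_CIDR):
    """True for REJECT records whose source lies outside the VPC CIDR."""
    if rec["action"] != "REJECT" or rec["srcaddr"] == "-":
        return False
    return ipaddress.ip_address(rec["srcaddr"]) not in vpc


def count_rejects(lines, port=None, vpc=VPC_CIDR):
    """Per-source-IP count of external rejects, optionally for one dst port."""
    counts = Counter()
    for line in lines:
        rec = parse_record(line)
        if not is_external_reject(rec, vpc):
            continue
        if port is not None and rec["dstport"] != port:
            continue
        counts[rec["srcaddr"]] += 1
    return counts


def alerts(lines, threshold, port=None, vpc=VPC_CIDR):
    """Source IPs with more than `threshold` external rejects (sorted)."""
    return sorted(src for src, n in count_rejects(lines, port, vpc).items()
                  if n > threshold)


def _rec(src, dst, sport, dport, action, start=1540852908):
    """Build a constructed record; account and ENI ids are placeholders."""
    return (f"2 123456789012 eni-0abc1234 {src} {dst} {sport} {dport} 6 3 152 "
            f"{start} {start + 58} {action} OK")


# Constructed sample: the slide's own record (internal source, so excluded),
# a burst of SSH rejects from 198.51.100.7, a few from 203.0.113.9, an
# ACCEPT, and a NODATA row that must not break the parser.
SAMPLE_LINES = (
    ["2 638930115633 eni-09e099a35bd881234 172.31.56.147 23.15.x.x 49189 80 6 3 152 "
     "1540852908 1540852966 REJECT OK"]
    + [_rec("198.51.100.7", "172.31.10.5", 40000 + i, 22, "REJECT") for i in range(5)]
    + [_rec("203.0.113.9", "172.31.10.5", 41000 + i, 22, "REJECT") for i in range(2)]
    + [_rec("203.0.113.9", "172.31.10.5", 42000, 3389, "REJECT"),
       _rec("198.51.100.7", "172.31.10.5", 43000, 22, "ACCEPT"),
       "2 123456789012 eni-0abc1234 - - - - - - - 1540852908 1540852966 - NODATA"]
)

if __name__ == "__main__":
    print("SSH rejects per external source:", dict(count_rejects(SAMPLE_LINES, port=22)))
    print("alert (>4 SSH rejects):", alerts(SAMPLE_LINES, 4, port=22))
```

The same logic maps onto the no-code path the lab hints at: a CloudWatch Logs metric filter counting `action=REJECT` records for destination port 22, with an alarm on the metric, replaces `count_rejects` and `alerts` once the threshold is settled.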
Port scanning?
Use the API instead
https://aws.amazon.com/security/penetration-testing/
Access Advisor
Keys
Human Things
Tools you’ll likely need to know
IAM permissions
Part 1, Using the access advisor
o Using the access advisor in the AWS Identity and Access Management (IAM) console, identify unused permissions
o Is there any way that we could get to the specific API level of information?
Part 2, admin but not really
o Is it possible to give full admin access and not allow some specific options?
o Modify an IAM principal with full Administrator access but deny all Amazon Elastic
Compute Cloud (Amazon EC2) operations.
Part 3, Alert on new guy
o Create an alert when a new IAM user is created
Part 4, Bonus round
o Feeling lucky? Create an IAM user with access from the US-East-1 region only.
o Alert if any user has administrator access, and remove it from new accounts.
Query CloudTrail data for the target user or role with Athena

select
  useridentity.sessioncontext.sessionIssuer.userName as uid, eventsource, eventname
from cloudtrail_logs
where
  useridentity.sessioncontext.sessionIssuer.userName = 'target-name'
group by
  useridentity.sessioncontext.sessionIssuer.userName, eventsource, eventname
Wait, how do I make that?
https://docs.aws.amazon.com/athena/latest/ug/cloudtrail-logs.html#create-cloudtrail-table-ct
https://github.com/Netflix-Skunkworks/aardvark
https://github.com/Netflix/Repokid
Restrict an IAM role to a region
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeAccountAttributes", "ec2:DescribeAvailabilityZones",
        "ec2:DescribeInternetGateways", "ec2:DescribeSecurityGroups", "ec2:DescribeSubnets",
        "ec2:DescribeVpcAttribute", "ec2:DescribeVpcs", "ec2:DescribeInstances", "ec2:DescribeImages",
        "ec2:DescribeKeyPairs", "rds:Describe*", "iam:ListRolePolicies", "iam:ListRoles",
        "iam:GetRole", "iam:ListInstanceProfiles", "iam:AttachRolePolicy", "lambda:GetAccountSettings"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [ "ec2:RunInstances", "rds:CreateDBInstance", "rds:CreateDBCluster",
                  "lambda:CreateFunction", "lambda:InvokeFunction" ],
      "Resource": "*",
      "Condition": { "StringEquals": { "aws:RequestedRegion": "us-east-1" } }
    },
    {
      "Effect": "Allow",
      "Action": [ "iam:PassRole" ],
      "Resource": "arn:aws:iam::account-id:role/Please-use-a-specific-role"
    }
  ]
}
AWS Organizations
Example Corp. (diagram): AWS Organizations with compliance accounts (HIPAA, PCI) and research accounts (clinical, non-clinical) containing accounts A–F
OCP supported in Service Control Policies (SCPs)
• Enables you to control which AWS service APIs are accessible
- Define the list of APIs that are allowed – whitelisting
- Define the list of APIs that must be blocked – blacklisting
• Cannot be overridden by local administrator
• Resultant permission on IAM user/role is the intersection between
the SCP and assigned IAM permissions
• Must be used in unison with IAM policy
• IAM policy simulator is SCP aware
Blacklisting example
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "*",
      "Resource": "*"
    },
    {
      "Effect": "Deny",
      "Action": "redshift:*",
      "Resource": "*"
    }
  ]
}
Whitelisting example
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:RunInstances",
        "ec2:DescribeInstances",
        "ec2:DescribeImages",
        "ec2:DescribeKeyPairs",
        "ec2:DescribeVpcs",
        "ec2:DescribeSubnets",
        "ec2:DescribeSecurityGroups"
      ],
      "Resource": "*"
    }
  ]
}
Deny CloudTrail stop
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": "cloudtrail:StopLogging",
      "Resource": "*"
    }
  ]
}
Deny CloudWatch functions
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": [
        "cloudwatch:DeleteAlarms",
        "cloudwatch:DisableAlarmActions"
      ],
      "Resource": "*"
    }
  ]
}
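To make the "intersection between the SCP and assigned IAM permissions" rule concrete, and to check the region-restricted role and the "admin but not EC2" lab exercise the same way, here is an added, deliberately small policy evaluator. It is not the IAM policy simulator and not AWS code: it models only what the slides use (explicit deny wins, then any matching allow, wildcard actions, the `StringEquals` condition operator) and skips resource matching because every policy shown uses `"Resource": "*"`. The policies embedded below are the slides' own, with the region policy's Describe list abbreviated.

```python
"""Minimal IAM/SCP evaluator for the policies on these slides.
Added example; not AWS's simulator and not code from the SEC335 deck."""
import fnmatch


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_ok(condition, context):
    """Only StringEquals is modelled, the operator the slides use."""
    for operator, pairs in (condition or {}).items():
        if operator != "StringEquals":
            raise NotImplementedError(f"condition operator {operator} not modelled")
        for key, wanted in pairs.items():
            if context.get(key) not in _as_list(wanted):
                return False
    return True


def evaluate(policy, action, context=None):
    """Return 'Deny', 'Allow' or 'ImplicitDeny' for one action.
    Action matching is case-insensitive with * wildcards, as in IAM."""
    context = context or {}
    verdict = "ImplicitDeny"
    for stmt in policy["Statement"]:
        patterns = [p.lower() for p in _as_list(stmt.get("Action", []))]
        if not any(fnmatch.fnmatchcase(action.lower(), p) for p in patterns):
            continue
        if not _condition_ok(stmt.get("Condition"), context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"                  # explicit deny always wins
        verdict = "Allow"
    return verdict


def effective(scp, iam_policy, action, context=None):
    """SCP ∩ IAM: the call succeeds only when both evaluate to Allow."""
    return (evaluate(scp, action, context) == "Allow"
            and evaluate(iam_policy, action, context) == "Allow")


# Policies from the slides (region policy abbreviated) plus the lab's
# "full admin but deny all EC2" principal.
FULL_ADMIN = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"}]}
BLACKLIST_SCP = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Deny", "Action": "redshift:*", "Resource": "*"}]}
WHITELIST_SCP = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*", "Action": [
        "ec2:RunInstances", "ec2:DescribeInstances", "ec2:DescribeImages",
        "ec2:DescribeKeyPairs", "ec2:DescribeVpcs", "ec2:DescribeSubnets",
        "ec2:DescribeSecurityGroups"]}]}
ADMIN_NO_EC2 = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Deny", "Action": "ec2:*", "Resource": "*"}]}
REGION_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["ec2:DescribeInstances", "rds:Describe*"],
     "Resource": "*"},
    {"Effect": "Allow", "Resource": "*",
     "Action": ["ec2:RunInstances", "rds:CreateDBInstance", "lambda:CreateFunction"],
     "Condition": {"StringEquals": {"aws:RequestedRegion": "us-east-1"}}}]}
DENY_CLOUDTRAIL_STOP = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Action": "cloudtrail:StopLogging", "Resource": "*"}]}

if __name__ == "__main__":
    for scp, act in [(BLACKLIST_SCP, "redshift:CreateCluster"),
                     (WHITELIST_SCP, "s3:GetObject"),
                     (DENY_CLOUDTRAIL_STOP, "cloudtrail:StopLogging")]:
        print(f"{act:28} admin under SCP -> {effective(scp, FULL_ADMIN, act)}")
    for region in ("us-east-1", "eu-west-1"):
        ctx = {"aws:RequestedRegion": region}
        print(f"ec2:RunInstances in {region}: {evaluate(REGION_POLICY, 'ec2:RunInstances', ctx)}")
```

The whitelist case is the one worth internalising: an account administrator with `"Action": "*"` still cannot call `s3:GetObject` under `WHITELIST_SCP`, because nothing in the SCP allows it, and no IAM change inside the account can add it back.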
Security audit account (diagram): a user with a long-term security credential and MFA token uses a read-only role for log analysis in a VPC (ec2 describe-instances, ec2 describe-security-groups, …); the security account, Acct A and Acct B each have an alarm topic, and logs are delivered to a central log bucket
Example Corp. (diagram): compliance accounts (HIPAA, PCI) and research accounts (clinical, non-clinical) containing accounts A–F, with a security account holding a read-only audit role across them
Example Corp. (diagram): Prod and Dev, each with stage and deploy accounts (A–F), with a security account holding a read-only audit role across them
GuardDuty account relationships
• Adding accounts to the service is simple and done via the console or API
• Invites accepted from an account will be designated as “Member” accounts. The requestor will be the “Master” account
• One master account can have up to 1000 member accounts (max)
Master account can do the following to all accounts:
• Generate sample findings
• Configure and view/manage findings
• Suspend GuardDuty service
• Upload and manage trusted IP and threat IP lists (coming soon!)
The master account can only disable its own account; member accounts must all be removed first, and by the member account
Member account actions and visibility are limited to the member account
Each account billed separately.
can play too!
Enforce consistency
AWS CloudFormation + AWS Organizations
Default security group example (diagram): templates kept in the security account are deployed as a stack into each of the security account, Acct A and Acct B, whose VPCs receive the resulting configuration
AWS Landing Zone
https://aws.amazon.com/answers/aws-landing-zone/
AWS Service Catalog …allows organizations to create and manage catalogs of IT services and software on AWS
• Organizations: standardize, control, govern
• Developers: agility, self-service, time to market
Why use an AWS Service Catalog?
Use cases
• Control AWS provisioning (cost, security, governance)
• Self-service portal – one-stop shop
• Standardized deployments
• Version control for AWS users
• Enforce governance and compliance proactively
• Integrate with ITSM tools
• Centrally manage IT service lifecycle