Configure Your Cloud to Make It Rain on Threats (SEC335-R1) - AWS re:Invent 2018

© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Configure Your Cloud to Make It
Rain on Threats
Eric Schwenter
Principal Solutions Architect
AWS WWPS
S E C 3 3 5

Are we in the right place?
• How can I better secure my AWS environment?
• How can I make sure all the accounts in our organization are following
the rules?
• How can I detect threats in one or many accounts?
• What tools should I be using?
• How can I know that new accounts are secure by default?
• I want to know what <insert threat actor here> is doing

Part 1: Secure “an” account.

AWS
ENDPOINTS
AWS GLOBAL
INFRASTRUCTURE
REGIONS
AVAILABILITY
ZONES
EDGE
LOCATIONS
FOUNDATION
SERVICES
STORAGE DATABASES NETWORKINGCOMPUTE
AWSIAM
OPTIONAL – OPAQUE DATA: 0s & 1s (In transit / at rest)
CLIENT-SIDE DATA ENCRYPTION
& DATA INTEGRITY
AUTHENTICATION
NETWORK TRAFFIC PROTECTION
Encryption / Integrity / Identity
OPERATING SYSTEM, NETWORK CONFIGURATION
PLATFORM & APPLICATION MANAGEMENT
CUSTOMER DATA
CUSTOMERIAM
MANAGED BY
AWS CUSTOMERS
MANAGED BY
AMAZON WEB
SERVICES
FIREWALL
CONFIGURATION
AWS
ENDPOINTS
AWS GLOBAL
INFRASTRUCTURE
REGIONS
AVAILABILITY
ZONES
EDGE
LOCATIONS
FOUNDATION
SERVICES
AWSIAM
OPTIONAL – OPAQUE DATA: 0s
& 1s (In transit / at rest)
& DATA INTEGRITY AUTHENTICATION
OPERATING SYSTEM, NETWORK & FIREWALL CONFIGURATION
CUSTOMER DATA
MANAGED BY
AWS CUSTOMERS
MANAGED BY
AMAZON WEB
SERVICES
NETWORK TRAFFIC PROTECTION PROVIDED BY THE PLATFORM
Protection of data in transit
SERVER SIDE ENCRYPTION PROVIDED BY THE PLATFORM
Protection of data at rest
Shared responsibility model
Infrastructure
services
Containers services
Abstract servicesAWS
ENDPOINTS
AWS GLOBAL
INFRASTRUCTURE
REGIONS
AVAILABILITY
ZONES
EDGE
LOCATIONS
FOUNDATION
SERVICES
AWSIAM
OPTIONAL – OPAQUE DATA: 0s & 1s (In transit / at rest)
& DATA INTEGRITY
AUTHENTICATION
SERVER-SIDE ENCRYPTION
File System and/or Data
NETWORK TRAFFIC PROTECTION
Encryption / Integrity / Identity
OPERATING SYSTEM, NETWORK & FIREWALL CONFIGURATION
CUSTOMER DATA
CUSTOMERIAM
MANAGED BY
AWS CUSTOMERS
MANAGED BY
AMAZON WEB
SERVICES

https://aws.amazon.com/quickstart/#compliance

Amazon EC2 Systems Manager
Automation Documents Inventory Maintenance
windows
Parameter Store Patch managerRun command State manager

Amazon EC2 Systems Manager
Run command

Why does this matter?
Attack surface Compliance Detect anomalies

Tools you’ll likely need to know

Choose your adventure!

Replace remote access
Part 1, identify remote access for an environment.
o How can you programmatically check the account in all regions for remote access?
o Hint: What defines “remote access”
o Develop a tool for this, checking the console wont scale.
Part 2, replace remote access with AWS Systems Manager
o For Windows or Linux, deploy Systems Manager on a target host
o Disable the old remote protocol with Systems Manager
Part 3, Audit
o How can we see what commands were run in part 2?
o Can we make an alert if someone turns off a service like you just did?

Data flow example
AWS API
Security account
AWS Cloud AWS Cloud
Client
Run
command
Production account

Data flow example
AWS API
AWS Cloud
Client
Run
command
Internet

Automatic remediation
GuardDuty CloudWatch Events Lambda
Event (event-based) Lambda
Function

import boto3
import json
def lambda_handler(event, context):
try:
if event['detail']['type'] in [‘Backdoor:EC2/C&CActivity.B!DNS’]:
response =‘<do something here>’
except Exception, e:
print e

Amazon VPC Flow Logs
• Agentless
• Enable per ENI, per subnet, or per Amazon VPC
• Logged to Amazon CloudWatch Logs
• Create CloudWatch metrics from log data
• Alarm on those metrics
AWS
account
Source IP
Destination IP
Source port
Destination port
Interface Protocol Packets
Bytes Start/end time
Accept or
reject

Example Amazon VPC flow log query
[version, accountid, interfaceid, srcaddr!=172.31., dstaddr, srcport, distport,
protocol, packets, bytes, start, end, action=REJECT, logstatus]

Query the flow
aws logs filter-log-events --log-group-name flowlogs --log-stream-names eni-
09abcd35bd881234-all --filter-pattern="[version, accountid, interfaceid,
srcaddr!=172.31., dstaddr, srcport, distport, protocol, packets, bytes, start, end,
action=REJECT, logstatus]”
…
{ "ingestionTime": 1540853212620,
"timestamp": 1540852908000,
"message": "2 638930115633 eni-09e099a35bd881234 172.31.56.147 23.15.x.x
49189 80 6 3 152 1540852908 1540852966 REJECT OK",
"eventId": "3436216808972294799655018431925166088321896272121234567",
"logStreamName": "eni-09abcd35bd881234-all"
}

Amazon VPC Flow Logs: Automation
Private subnet
Compliance
app
If SSH REJECT > 10,
then…
Elastic
Network
Interface
Metric filter
Filter on all
SSH REJECTFlow Logs group
CloudWatch
alarm
Source IP

Network control
Part 1, Enable network monitoring
o Detect attackers with flow logs
o Create an alert for more than (4) rejects from outside of your Amazon VPC
Part 2, how can you make this easier?
o Can we automatically process Amazon VPC flow logs without having to code anything?
Part 3, Bonus round
o Feeling lucky? Modify your local OS firewall with Systems Manager to block connections to
the host from part 1.

Port scanning?

Use the API instead

https://aws.amazon.com/security/penetration-testing/

Access Advisor

Keys

Human Things

IAM permissions
Part 1, Using the access advisor
o Using the access advisor in the AWS Identity and Access Management (IAM) console,
identify un-used permissions
o Is there any way that we could get to the specific API level of information?
Part 2, admin but not really
o Is it possible to give full admin access and not allow some specific options?
o Modify an IAM principal with full Administrator access but deny all Amazon Elastic
Compute Cloud (Amazon EC2) operations.
Part 3, Alert on new guy
o Create an alert when a new IAM user is created
Part 4, Bonus round
o Feeling lucky? Create an IAM user with access from the US-East-1 region only.
o Alert if any user has administrator access, and remove it from new accounts.

select
useridentity.sessioncontext.sessionIssuer
.userName as uid, eventsource, eventname
from cloudtrail_logs
Where
.userName = ‘target-name’
GROUP BY
.userName, eventsource, eventname
Query cloud trail data for the target user or role with
Athena

Wait, how do I make that?

https://docs.aws.amazon.com/athena/latest/ug/cl
oudtrail-logs.html#create-cloudtrail-table-ct

https://github.com/Netflix-
Skunkworks/aardvark
https://github.com/Netflix/Repokid

Restrict an IAM role to a region
{ "Version": "2012-10-17",
"Statement": [
{ "Effect": "Allow",
"Action": [
"ec2:DescribeAccountAttributes", "ec2:DescribeAvailabilityZones",
"ec2:DescribeInternetGateways", "ec2:DescribeSecurityGroups", "ec2:DescribeSubnets",
"ec2:DescribeVpcAttribute", "ec2:DescribeVpcs", "ec2:DescribeInstances", "ec2:DescribeImages",
"ec2:DescribeKeyPairs", "rds:Describe*", "iam:ListRolePolicies", "iam:ListRoles",
"iam:GetRole", "iam:ListInstanceProfiles", "iam:AttachRolePolicy", "lambda:GetAccountSettings"
],
"Resource": "*" },
{ "Effect": "Allow",
"Action": [ "ec2:RunInstances", "rds:CreateDBInstance", "rds:CreateDBCluster",
"lambda:CreateFunction", "lambda:InvokeFunction" ],
"Resource": "*",
"Condition": {"StringEquals": {"aws:RequestedRegion": ”us-east-1"}} }, {
"Effect": "Allow", "Action": [ "iam:PassRole" ], "Resource": "arn:aws:iam::account-
id:role/Please-use-a-specific-role" } ]
}

AWS
Organizations

Example Corp.
AWS
Organizations
Compliance
accounts
Research
accounts
HIPAA PCI Clinical
Non-
Clinical
A
B
C D E
F

OCP supported in Service Control Policies (SCPs)
• Enables you to control which AWS service APIs are accessible
- Define the list of APIs that are allowed – whitelisting
- Define the list of APIs that must be blocked – blacklisting
• Cannot be overridden by local administrator
• Resultant permission on IAM user/role is the intersection between
the SCP and assigned IAM permissions
• Must be used in unison with IAM policy
• IAM policy simulator is SCP aware

{
"Version": "2012-10-17",
"Statement": [{
"Effect": "Allow",
"Action": "*",
"Resource": "*"
},
{
"Effect": "Deny",
"Action": "redshift:*",
"Resource": "*"
}
]
}
{
"Version": "2012-10-17",
"Statement": [{
"Effect": "Allow",
"Action": [
"ec2:RunInstances",
"ec2:DescribeInstances",
"ec2:DescribeImages",
"ec2:DescribeKeyPairs",
"ec2:DescribeVpcs",
"ec2:DescribeSubnets",
"ec2:DescribeSecurityGroups"
],
"Resource": "*"
}
]
}
Blacklisting example Whitelisting example

{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Deny",
"Action":
"cloudtrail:StopLogging",
"Resource": "*"
}
]
}
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Deny",
"Action": [
"cloudwatch:DeleteAlarms",
"cloudwatch:DisableAlarmActions”
],
"Resource": "*"
}
]
}
Deny CloudTrail stop Deny CloudWatch functions

Security Audit account
AWS Cloud
User
Long-term security
credential
MFA token
VPC
Log analysis
Read only
Role
ec2 describe-instances
ec2 describe-security-groups
…
AWS Cloud
AWS Cloud
Alarm Topic
Security
Acct A
Acct B
Alarm Topic
Alarm Topic
Log Bucket

Example Corp.
Compliance
accounts
Research
accounts
HIPAA PCI Clinical
Non-
Clinical
A
B
C D E
F
Security
account
Read only
Audit

Example Corp.
Prod Dev
Stage Deploy Stage Deploy
A
B
C D E
F
Security
account
Read only
Audit

GuardDuty account relationships
• Adding accounts to the services is simple and done via the console or API
• Invites accepted from an account will be designated as “Member” accounts. The
requestor will be the “Master” account
Member
account
……. .
1
Member
account
1000
(max)
Master account
Can do the following to all accounts:
• Generate sample findings
• Configure and view/manage findings
• Suspend GuardDuty service
• Upload and manage trusted IP and
threat IP lists (coming soon!)
Can only disable own account. Member
accounts must all be removed first and by the
member account
Member Account actions and
visibility is limited to the member
account
Each Account Billed Separately.

can play too!

Enforce consistency

From To

AWS CloudFormation + AWS Organizations

Default Security group example
AWS Cloud
AWS Cloud
AWS Cloud
Security
Acct A
Acct B
Templates
Stack
Stack
Stack
VPC
VPC

AWS Landing Zone
https://aws.amazon.com/answers/aws-landing-
zone/

AWS Service Catalog
DevelopersOrganizations
Standardize
Control
Govern
Agility
Self-service
Time to market
…allows organizations to create and manage catalogs of
IT services and software on AWS

Control AWS provisioning (cost, security, governance)
self-service portal – one-stop shop
Standardized deployments
Version control for AWS users
Enforce governance and compliance proactively
Integrate with ITSM tools
Centrally manage IT service lifecycle
Use cases
Why use an AWS Service Catalog?

Thank you!

Configure Your Cloud to Make It Rain on Threats (SEC335-R1) - AWS re:Invent 2018

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Configure Your Cloud to Make It Rain on Threats (SEC335-R1) - AWS re:Invent 2018

Similar to Configure Your Cloud to Make It Rain on Threats (SEC335-R1) - AWS re:Invent 2018 (20)

More from Amazon Web Services

More from Amazon Web Services (20)

Configure Your Cloud to Make It Rain on Threats (SEC335-R1) - AWS re:Invent 2018