2. Changing Your Perspective
•How do I secure my business applications in AWS?
•Moving to the cloud =
• Rethinking your perimeter security
•Rethinking how you perform most security tasks:
• Network-based IPS/IDS
• Network scanning
• Penetration tests
• Vulnerability assessments
•Focus on securing cloud workloads
• Not on securing the cloud
3. In the Data Center
•Setting Up Perimeter Security:
• Setting up your infrastructure
• Setting up access points to the internet
• Configuring firewall, IDS, IPS, etc. at the access points
•Auditing Your Perimeter Security:
• Gather set of IP Address blocks to poke at
• Do a port scan (using tools such as Nmap)
• Determine which ports are open on the target
• Try various exploits on the open ports.
• Sniff lots of packets
• Dig around to make sure no back doors into the network
• Wireless access points, secondary T1 lines, DSL
connections
• VPN access from some other network
4. AWS: What’s Different?
•Physical assets secured at the
• AWS availability zone
•But we still need to guard the AWS API
• IAM Access is your new physical security
The idea of physical security morphs as
infrastructure becomes virtualized by AWS APIs.
In a new world of ephemeral, auto-scaling infrastructure,
you need to adapt your security architecture to meet
both compliance and security threats.
5. AWS Foundation Services
Compute Storage Database Networking
AWS Global Infrastructure
Regions
Availability Zones
Edge Locations
Network
Security
Inventory
& Config
Customer applications & content
You get to define
your controls IN
the Cloud
AWS takes care
of the security
OF the Cloud
You
AWS and You Share Responsibility for Security
Data
Security
Access
Control
7. Perimeter Assessments In the Cloud
• How do I assess the perimeter of my cloud?
• Old world – nmap, port scans, ping sweeps, etc…
• Give me your network block
• New world – let me see your configuration
• List of publicly-accessible resources
• Security groups (Amazon EC2-Classic, Amazon EC2-VPC, Amazon
Redshift, Amazon RDS, etc…)
• Routing tables, Network ACL
• VPC, subnets
• Amazon S3 buckets and permissions
• AWS Identity and Access
Management (IAM) policies
8. Virtual Private Clouds (VPCs)
•Default VPC is created in every region
• VPCs are wide open by default
•VPC is composed of:
• Internet and VPN gateways – connect to the rest of the world
• 1+ subnet(s)
• Routing table – how to move traffic around the VPC
• Network ACLs – a firewall but stateless
• Security groups – host-based firewall stateful
• Resources – Amazon EC2, Amazon RDS, Amazon Redshift,
Amazon ElastiCache
9.
10. Network Security in a VPC
•Network ACLs (NACLs)
• Virtual firewalls assigned to VPC/subnets
• Network ACLs are stateless; responses to allowed inbound traffic are subject
to the rules for outbound traffic (and vice versa).
• Rules evaluated numerical ascending – DENY can be overridden by ALLOW
• Watch for INEFFECTIVE rules
•Security Groups
• Host-based firewalls assigned to instances
• Stateful – responses to allowed inbound traffic are not subjected to the rules
for outbound traffic
• Rules are cumulative – DENY always overrides ALLOW
• Assigning wrong security group to an instance exposes the entire VPC
http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_ACLs.html
http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-network-security.html
11. Complex Connections to Amazon EC2
•Amazon EC2 instances run inside VPCs
• Legacy capability to run outside VPCs
•Instance ID: i-001bac39
• Friendly name (implemented as a tag): ISS-V2-API1
•Amazon EC2 instance is given 1 or more private IP addresses
• For example: 172.12.6.186
• This generates a DNS name
• ip-172-12-6-186.us-west-2.compute.internal
•Amazon EC2 instance can be given 1 or more public IP addresses
• For example: 52.24.201.167
• This generates a DNS name
• ec2-52-24-201-167.us-west-2.compute.amazonaws.com
•Amazon EC2 instance can be attached to an Elastic IP Address (EIP)
• For example: 107.20.135.132
12. Running VA in Cloud Environments
•How do I run Vulnerability Assessments
• In an elastic, ephemeral, auto-scaling environment
• Clouds can have tens of thousands of instances
•Gather the list of public IPs and EIPs of all resources
• Do I need to scan the private IP addresses and instances?
•Scanning an Amazon Machine Image (AMI)
• Spin up a new instance, run a scan on the new instance
• Mark everything based on this AMI as “scanned”
•What about when an instance “drifts” from original AMI
• Someone can reconfigure settings, install new software
13. Patching Strategies for AWS
•“No Patch” Strategy
• Stay away from patching live systems
• Focus on patching templates/AMIs
• Deliver patches by redeploying workloads
• Dependent on adopting pure cloud architectures
•Look at AWS OS Templates
• Patched by Amazon
•Systematic Workload Reprovisioning
• Based on high-assurance repositories
• Effective battling Advanced Persistent Threats
http://www.gartner.com/newsroom/id/1725515
14. Amazon Relational Database Service (Amazon RDS)
•Location
• Within a VPC or not, multi-AZ or not
•Security options
• DB security groups (if not in a VPC) or Amazon EC2-VPC security groups
• Select a non-default database port
•Only port RDS listens on is the database port
• Shutdown on all other ports (publicly, I’m sure AWS team can access the OS)
•Publicly accessible option
• Not a good idea, but if you do this
• Make sure you use security groups to restrict source IP address
• Make sure you have latest patches applied
•Secure your database snapshots
• Keys to the kingdom if someone can get a copy
• Brute-force passwords, restore to their own account
15. What are we missing?
•Don’t assume attacks only happen against Amazon EC2
•AWS is a complex system
•Over 30 different AWS services
• Many have unique access control systems
•You will have 100s of AWS accounts
•We need a complete inventory
• All publicly-accessible endpoints and resources
Security breach can happen with a single weak link
16. Amazon Simple Storage Service (Amazon S3)
•Up to 1000 buckets in an account
• Unlimited number of objects (billions is not uncommon)
•Location
• Within a region, across Multi-AZs, not housed in a VPC
• Can’t sit between client and storage
•Security
• Access control through IAM policies, bucket policies, ACLs, and query string authentication
• Server-side Encryption, HTTPS support
• Server-access logs (does not integrate with AWS CloudTrail)
•Don’t grant FULL_CONTROL, WRITE_ACP, WRITE bucket permissions to
Everyone EVER!!!
•Create an inventory of your sensitive data
17. Amazon Simple Queue Service (Amazon SQS)
•Where does SQS live?
• Within a region, not within a VPC
• Uses a URL such as
• https://sqs.us-east-1.amazonaws.com/123456789012/MySQS
•Security based on policy documents:
{
"Version": "2008-10-17",
"Id": "arn:aws:sqs:us-east-1:123456789012:MySQS/SQSDefaultPolicy",
"Statement": [
{
"Sid": "Sid1415217272568",
"Effect": "Allow", "Principal": { "AWS": "*" },
"Action": [
"SQS:ReceiveMessage", "SQS:SendMessage"
],
"Resource": "arn:aws:sqs:us-east-1:123456789012:MySQS"
},
18. Amazon Simple Notification Service (Amazon SNS)
•SNS does not live inside your VPC
•Permissions based on topic policies:
19. Using AWS CloudTrail
•An AWS service that records each time the AWS API is called
• Currently supports most AWS services
• http://docs.aws.amazon.com/awscloudtrail/latest/userguide/dochistory.html
•Conveniently everything in AWS goes through the API
• Even actions in the AWS Management Console go through the API
•CloudTrail writes files into an Amazon S3 bucket
• Near real-time (every five minutes)
• Files are in JSON format
Get started at http://aws.amazon.com/cloudtrail/
20. Using Amazon CloudWatch Logs
•Simple method of monitoring operating system logs
• Ship Microsoft Windows event logs and syslogs to Amazon CloudWatch
•Types of use-case
• Account Login Failure, Account Login Success, New local account creation,
Excessive Login Failure (Configurable)
• Unauthorized Windows Admin Logon, Windows Account Lockout Attempt,
Windows Computer Account Changes
• Windows Audit Policy Changes, Windows Event Log Cleared
• Non-Windows - Account Locked Out, Non-Windows - Account Unlocked,
Changes to System or Audit log
Get started at
http://docs.aws.amazon.com/AmazonCloudWatch/latest/DeveloperGuide/WhatI
sCloudWatchLogs.html
21. Using Amazon VPC Flow Logs
An AWS service that records each time packets enter or leave a VPC
• http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/flow-logs.html
Security team comes to you and says:
We need logs going to instance 1-0123456 from IP address ranges 52.205.16.0 -
52.205.31.255
Monitor for DENY connections
• Gives you both security group and NACL denies
Announcement:
https://aws.amazon.com/about-aws/
whats-new/2015/06/aws-launches-amazon-vpc-flow-logs/
22. Tools For Configuring AWS Securely
•Generic tools fall short
•Purpose-built, not cloud-washed
• Make sure tools don’t fall over in the cloud
• Tools have to understand dynamic, ephemeral IPs
•Need a deep understanding of AWS
• What does this mean?
• Context is important
• Actionable intelligence
24. Thank You for Attending
Aaron Newman is the Founder
of CloudCheckr (www.cloudcheckr.com)
Please contact me with additional questions at:
aaron.newman@cloudcheckr.com