The Theory and Math Behind Data Privacy and Security Assurance (SEC301) - AWS re:Invent 2018

© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
The Theory and Math Behind Data
Privacy and Security Assurance
Neha Rungta
Principal Software Development Engineer
AWS
S E C 3 0 1
Dan Peebles
Senior Software Development Engineer
Bridgewater Associates
Greg Frascadore
Security Architect
Bridgewater Associates

Key takeaways
Need to Automate access controls for organizations
How AWS is Scaling provable security across AWS offerings
Peek under the hood, the Math and Logic driving provable security
Learn from an enterprise Use Case, Bridgewater Associates

Security and data privacy in the cloud is
moving from obligation to advantage.

Multiple forces are impacting cloud security
The cloud security and privacy landscape is evolving,
and so are customer needs
Customers need
to scale rapidly
Highly dynamic security
threat landscape, globally
Consumers cite security and
data privacy as top priority
in the cloud
Rising data volumes lead to
need for security
management at scale

Advent of Next Gen Security Tech, Provable Security

Shared Responsibility Model

ZELKOVA provides provable security for
customers in the cloud by leveraging automated
reasoning to verify key IAM enterprise
governance & data privacy controls are
implemented as intended, at scale
ZELKOVA

What Does ZELKOVA Do?

Checks in the S3 Console

Amazon S3 Block Public Access

AWS Config Managed Rules

“The ability to formally prove a policy in AWS enables
automation that can provide an accurate holistic view of access
in your environment and bolsters compliance adherence.”
Will Bengtson
Principal Security Engineer
Netflix

What do I want as an AWS customer?

What Does the Math and Logic Buy Me?

Regex Scanner
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": "*",
"Action": "*",
"Resource": ["arn:aws:s3:::my-bucket", "arn:aws:s3:::my-bucket/*"]
}
]
}

Regex Scanner
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": "*",
"Action": "*:*",
}
]
}

Regex Scanner
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": "*",
"Action": "s3:*",
}
]
}

Regex Scanner
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": "*",
"Action": "s3:*",
"Resource": ["arn:aws:s3:::my-bucket", "arn:aws:s3:::my-bucket/*"],
"Condition": {
"StringEquals": {
"aws:sourceVpc": "vpc-12345678"
}
}
}
]
}

Regex Scanner
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": "*",
"Action": "s3:*",
"Condition": {
"ForAllValues:StringEquals": {
}
}
}
]
}

Regex Scanner
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": "*",
"Action": "s3:*",
"Condition": {
"StringEquals": {
"aws:sourceVpc": "${aws:sourceVpc}"
}
}
}
]
}

Reg-ex Scanner
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": "*",
"Action": "*",
},
{
"Effect": "Deny",
"Principal": "*",
"Action": "s3:*",
"Condition": {
"StringNotLike": { "aws:sourceVpc": "vpc-12345678" }
}
}
]
}

Other things to consider
aws:PrincipalOrgId
aws:SourceAccount
aws:SourceOwner
aws:userid
NotPrincipal
NotAction
ForAnyValue
IpAddress

Need a more principled approach

Logic
Modern symbolic logic began in
the 19th century with Boolean
algebra, introduced in 1847 by
the English mathematician
George Boole.

Symbolic logic Formula
not x or (y and z)
means
Either x is false or y and z are true (or both)

Boolean Satisfiability – SAT Solving
not x or (y and z)
x = false, y = true, z = false
is satisfiable

Boolean Satisfiability – SAT Solving
not x and x
is unsatisfiable

Theoretical Importance
First NP-complete problem
(Cook, 1971)
No known algorithm to efficiently
determine satisfiability of every
possible Boolean formula.
Hard in theory. Efficient in practice.

Satisfiability Modulo Theories
x2 – 4 = 0
is satisfiable
Solution 1: x = 2
Solution 2: x = -2

Modern SMT Solvers
• Microprocessor Verification
• Aerospace Applications
• Protocol Verification
• Software Verification
• Planning in AI
• Automated Theorem Proving

Encode IAM Policies as Logical Formulas!
• Allow Statements
• Deny Statements
• Access is denied by default
• Access granted by allow statements
• Access revoked by deny statements
• Deny trumps allow

Problem Space
1012 AWS accounts
× 5000 Actions
× 1013 Resources in AWS
× ∞ Condition key values

{ Principal: AWS:999999999999,
Action : s3:listBucket,
Resource : docs,
Condition: {
aws:sourceVpc: vpc-12345678 }}

Resource : docs,
Condition: {
aws:sourceVpc: vpc-12345678 }

Action : s3:deleteBucket,
Resource : docs }
Resource : docs,
Condition: {
aws:sourceVpc: vpc-12345678 }

How to encode Policies as Logical Formulas?

Principal = “aws:999999999999” and
Action = “s3:get*” and
Resource = “docs/manual.pdf”
or
Resource = “docs/manual.pdf” or “docs/secret.pdf”

Check A Governance Rule

Check A Governance Rule
Action = “s3:get*” and Resource = “docs/secret.pdf”
=> Principal = “aws:777777777777”

or
=> Principal =“aws:777777777777”

NotPrincipal

or
Principal != “aws:777777777777” and
=> Principal =“aws:777777777777”

Amazon SNS
Amazon SNS
SNS Message
Lambda
Lambda Function calls on
Zelkova
AWS Lambda
Config
AWS Config
Zelkova = Automated threat checking
IAM
S3
IoT Device Defender

Enterprise, Fortune 100 Customers
From a variety of verticals

Then, this happened…

Bridgewater and Zelkova
• Who we are
• What we want
• Why Zelkova helps
• How to call Zelkova
• Bridgewater use cases

About Bridgewater
The world's largest hedge fund
Our mission is to build great portfolios for our clients
350 of the largest global institutional clients

Bridgewater uses AWS
We use AWS to help systematize our understanding of
the global economy and financial markets
Our workloads span a fleet of AWS accounts

What we want
To identify and reduce risk
• Eliminate vulnerabilities in cloud configuration
that threaten data security, access controls, and compliance
By ensuring that security controls are working
• IAM policies do what we want
• Without unexpected secondary-effects
• In a methodical, automated, rigorous way
• Minimizing false positives and false negatives
”... I just want folks to run tools that encode our best understanding of IAM policies,
against their real or hypothetical infrastructure, and quickly learn how they messed
up." - Dan Peebles
Identity and
Access Mgt
Compliance
Availability
Governance
DR/BC
Data
Protection
Scope of
talk

How Zelkova helps Bridgewater
We use Zelkova to:
• Detect misconfigurations that expose data
• Identify policy statements that need to change
• Check planned changes for defects
• Audit polices across all our accounts and deployment pipelines
We'd say ACID, but that's taken

Using Zelkova (what good looks like)
• Monitor and collect policy JSON
• And call Zelkova
• Properties and comparisons
Threat
Model
Constraints
Check
with
Zelkova
AWS
Policy
Change
Vuln.
Tracking
Findings
Policy
Change Event
Apply
Remediation

Using Zelkova (what better looks like)
• Collect policies pre-deployment
• Across all CI/CD pipelines
• And call Zelkova
• Properties and comparisons
• Detect trouble before it can hurt us
Threat
Model
Constraints
Check
with
Zelkova
Vuln.
Tracking
Config
Change
AWS
Findings
Plan Apply

Calling Zelkova
- check_policy(Policy, Effect, Constraints)

Calling Zelkova
check_policy(
Policy = {
"Version": "2012-10-17",
"Statement": [ {
"Effect": "Allow",
"Principal": "*",
"Action": [ "s3:GetObject", "s3:ListBucket*" ],
"Resource": "arn:aws:s3:::my-bucket",
"Condition": {
"StringEquals": {
}..},
Effect = ALLOWS_SOMETHING,
Constraints = { Actions: ["s3:ListAll*", "s3:Put*", "s3:GetObjectAcl"] }
)

Calling Zelkova
check_policy(
Policy = {
"Version": "2012-10-17",
"Statement": [ {
"Effect": "Allow",
"Principal": "*",
"Condition": {
"StringEquals": {
}..},
)
Policy ..
ALLOWS_SOMETHING ..

Calling Zelkova
check_policy(
Policy = {
"Version": "2012-10-17",
"Statement": [ {
"Effect": "Allow",
"Principal": "*",
"Condition": {
"StringEquals": {
}..},
)
Policy ..
ALLOWS_SOMETHING ..
That meets the Constraints

Calling Zelkova
check_policy(
Policy = {
"Version": "2012-10-17",
"Statement": [ {
"Effect": "Allow",
"Principal": "*",
"Condition": {
"StringEquals": {
}..},
)
Policy ..
ALLOWS_SOMETHING ..
⇒ ???
⇒ ???

Calling Zelkova
check_policy(
Policy = {
"Version": "2012-10-17",
"Statement": [ {
"Effect": "Allow",
"Principal": "*",
"Condition": {
"StringEquals": {
}..},
)
⇒ { Property: FALSE }
Policy ..
ALLOWS_SOMETHING ..
⇒ FALSE

Calling Zelkova (2)
- check_policy returns examples

Calling Zelkova (2)
check_policy(
Policy = {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": "*",
"Action": [ "s3:List*", "s3:Get*" ],
"Condition": {
"StringEquals": {
}..},
Constraints = { Actions: ["s3:ListAll*", "s3:Put*", "s3:GetObject"] }
)

Calling Zelkova (2)
check_policy(
Policy = {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": "*",
"Condition": {
"StringEquals": {
}..},
)
Policy ..
ALLOWS_SOMETHING ..
⇒ ???
⇒ ???

Calling Zelkova (2)
check_policy(
Policy = {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": "*",
"Condition": {
"StringEquals": {
}..},
)
Policy ..
ALLOWS_SOMETHING ..
⇒ TRUE (with example)
⇒ {
Property: TRUE,
Model: {"Action":"s3:listall","Resource":"arn:aws:s3:::my-bucket","aws:SourceVpc":"vpc-12345678"}
}

Use Case 1
• Detect misconfigurations that expose data
• A type of permissions 'perimeter' scanner

Remember S3 badges?

'Badge' for Lambda and KMS
Can any outsider access our data?
• Not just Yes/No
Who (Principal)? How (Action/Condition)? What (Resource)?
• Considering:
Multiple accounts, VPC endpoints, Whitelisted public CIDRs
Other AWS services operating on our behalf
Harder to do than one might think
• Many services allow cross-account access in subtle ways:
S3, SQS, SNS, IAM roles, KMS, Secrets Manager, Lambda, API gateway, …
• AWS services call each other
• Need excellent signal/noise ratio or risk being ignored

Two simple policies …
KMS
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::345:role/Admin" },
"Action": "kms:*",
"Resource": "*"
},
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::345:user/bob" },
"Action": "kms:Encrypt",
"Resource": "*"
}
{
"Action": "lambda:InvokeFunction",
"Effect": "Allow",
"Principal": {
"Resource": "arn:aws:lambda:…:345:function:foo"
},
{
"Action": "lambda:InvokeFunction",
"Effect": "Allow",
"Principal": {
"Service": "apigateway.amazonaws.com” },
}

One Constraint
• Resources must be inaccessible from external accounts
KMS
{ 
"Action": "lambda:InvokeFunction", 
"Effect": "Allow", 
"Principal": {
"AWS": "arn:aws:iam::345:user/bob" }, 
},
{ 
"Action": "lambda:InvokeFunction", 
"Effect": "Allow", 
"Principal": {
"Service": "apigateway.amazonaws.com” }, 
} 
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::345:role/Admin" },
"Action": "kms:*",
"Resource": "*"
},
{
"Effect": "Allow",
"Principal": {
"Action": "kms:Encrypt",
"Resource": "*"
}

One Constraint
Here is the Zelkova check:
Constraints = {
"NotPrincipals": { "AWS": [ "arn:aws:iam::345:*" ] }
}

One Constraint
Here is the Zelkova check:
{
"Property": "TRUE",
"Model": {
"Principal": {
"Service":"apigateway.amazonaws.com”},
"Action":"lambda:invokefunction",
"Resource":
"arn:aws:lambda:…:345:function:foo"}
}
{
"Property": "FALSE",
}
KMS
Constraints = {
"NotPrincipals": { "AWS": [ "arn:aws:iam::345:*" ] }
}

Confused deputy
Lock
Bob
Bob’s Resource
Permission
Alice
(Deputy)
Bob’s Resource
Alice
Does X
for Bob
Lock
Bob’s Resource
Alice
Does X
for Trudy
Lock
Trudy
Time 1 Time 2 Time 3

Common concern in AWS permissions
• Called out as sts:ExternalId for third parties
• But also applies to AWS services calling each other

Perimeter scanner
• Checks for outsiders
• Formally encodes safe cross-service access patterns:
• Lets us specify many kinds of “known” outsiders

Perimeter scanner
• If a service calls SQS, aws:SourceArn must match known ARN pattern

Perimeter scanner
• If SES calls S3, aws:Referer must match known account IDs

Perimeter scanner
• If API Gateway calls Lambda, aws:SourceArn must match a known ARN pattern

Perimeter scanner
• If S3 calls KMS, kms:ViaService must be “s3.*.amazonaws.com” and
kms:EncryptionContext:aws:s3:arn must be a known bucket ARN

Perimeter scanner
• If S3 calls KMS, kms:ViaService must be “s3.*.amazonaws.com” and
kms:EncryptionContext:aws:s3:arn must be a known bucket ARN
• Many other examples

Use Case – Check Changes
Does a change to a VPC endpoint policy create an exfiltration risk?

Zelkova Constraint
Constraints = {
"NotActions": [ "s3:GetObject" ],
"NotResources": [
"arn:aws:s3:::mycorp-stuff",
"arn:aws:s3:::mycorp-stuff/*"
]
}

Zelkova Constraint
Constraints = {
"NotResources": [
]
}
Are any actions besides GetObject
allowed on buckets outside mycorp?
(e.g. Can someone Put data outside
mycorp?)

Zelkova Constraint
Constraints = {
"NotResources": [
]
}
Are any actions besides GetObject allowed on
buckets outside mycorp?
(e.g. Can someone Put data outside mycorp?)
Hint: Zelkova’s NotActions and
NotResources represent set complement

Does this change create exfiltration risk?
VPCE policy
{
"Effect": "Allow",
"Principal": "*",
"Action": [ "s3:*”],
"Resource": [
]
}
New VPCE policy
{
"Effect": "Allow",
"Principal": "*",
"Action": [ "s3:*”],
"Resource": [
]
}, {
"Effect": "Allow",
"Principal": "*",
"Action": ["s3:*”],
"Resource": [
"arn:aws:s3:::…-starport-layer-bucket",
"arn:aws:s3:::…-starport-layer-bucket/*"
]
}

Zelkova results:
Old: "Property": "FALSE”
New: "Property": "TRUE, Model: {"Action":"s3:",
"Resource":"arn:aws:s3:::prod-us-east-1-starport-layer-bucket"}"
VPCE policy New VPCE policy
Constraints = {
"NotResources": [
]
}
{
"Effect": "Allow",
"Principal": "*",
"Action": [ "s3:*”],
"Resource": [
]
}
{
"Effect": "Allow",
"Principal": "*",
"Action": [ "s3:*”],
"Resource": [
]
}, {
"Effect": "Allow",
"Principal": "*",
"Action": ["s3:*”],
"Resource": [
"arn:aws:s3:::…-starport-layer-bucket",
"arn:aws:s3:::…-starport-layer-bucket/*"
]
}

How BW Uses Zelkova
Constraints = {
"NotPrincipals": {
"AWS": [ "arn:aws:iam::345:*" ] }
}
Constraints = {
"NotResources": [
]
}
…
Threat
Model
Constraints
Check
with
Zelkova

Workflow
Repo
Dev
Branch
Prod
Branch
Terraform
Policy
Change
Plan
Git + Gerrit
AWS
Terraform
DSL
Terraform
Apply
Findings
Gerrit
Check
with
Zelkova

Zelkova's Importance for Bridgewater
• Zelkova is formal and accurate
 We don't get called at 3am because of a false positive
• Zelkova is thorough
 We don't lose sleep over evil-doers writing clever policies
• We deeply understand what our IAM policies mean

Key takeaways
Automate enterprise access controls using provable security
How AWS is Scaling provable security across AWS offerings
Peek under the hood, the Math and Logic driving provable security
Learn from an enterprise Use Case, Bridgewater Associates

Related Breakouts
Thursday, November 29
Automating Compliance Certification with Automated Mathematical Proof
1:45-2:45 | Aria West, Level 3, Ironwood 3
How LogMeIn Automates Governance and Empowers Developers at Scale
1:45-2:45 | MGM, Level 1, Grand Ballroom 116
Packetless Port Scanning: Automate DevSecOps with Amazon Inspector
3:15-4:15 | Mirage St., Thomas B
Wednesday, November 28
Build a Vulnerability Management Program Using AWS for AWS
6:15-7:15 | Venetian, Level 4, Lando 4205
Wednesday, November 28
Policy Verification and Enforcement at Scale with AWS-Featuring Goldman Sachs
2:30-3:30 | Venetian, Level 4, Lando 4202

Yes, You Want More…

Thank you!

The Theory and Math Behind Data Privacy and Security Assurance (SEC301) - AWS re:Invent 2018

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to The Theory and Math Behind Data Privacy and Security Assurance (SEC301) - AWS re:Invent 2018

Similar to The Theory and Math Behind Data Privacy and Security Assurance (SEC301) - AWS re:Invent 2018 (20)

More from Amazon Web Services

More from Amazon Web Services (20)

The Theory and Math Behind Data Privacy and Security Assurance (SEC301) - AWS re:Invent 2018