
The Theory and Math Behind Data Privacy and Security Assurance (SEC301) - AWS re:Invent 2018

Data privacy and security are top concerns for customers in the cloud. In this session, the AWS Automated Reasoning group shares the advanced technologies, rooted in mathematical proof, that help provide the highest levels of security assurance in today's data-driven world. The Automated Reasoning group co-presents with Bridgewater, a customer that has leveraged these technologies to help confirm that security requirements are being met, an assurance not previously available from conventional tools.



  1. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. The Theory and Math Behind Data Privacy and Security Assurance (SEC301). Neha Rungta, Principal Software Development Engineer, AWS; Dan Peebles, Senior Software Development Engineer, Bridgewater Associates; Greg Frascadore, Security Architect, Bridgewater Associates
  2. Key takeaways: the need to automate access controls for organizations; how AWS is scaling provable security across AWS offerings; a peek under the hood at the math and logic driving provable security; an enterprise use case from Bridgewater Associates.
  3. Security and data privacy in the cloud is moving from obligation to advantage.
  4. Multiple forces are impacting cloud security. The cloud security and privacy landscape is evolving, and so are customer needs: customers need to scale rapidly; the security threat landscape is highly dynamic, globally; consumers cite security and data privacy as a top priority in the cloud; rising data volumes lead to a need for security management at scale.
  5. Advent of next-gen security tech: provable security.
  6. Shared Responsibility Model
  7. Shared Responsibility Model
  8. ZELKOVA
  9. ZELKOVA provides provable security for customers in the cloud by leveraging automated reasoning to verify that key IAM enterprise governance and data privacy controls are implemented as intended, at scale.
  10. What Does ZELKOVA Do?
  11. Checks in the S3 Console
  12. Amazon S3 Block Public Access
  13. AWS Config Managed Rules
  16. "The ability to formally prove a policy in AWS enables automation that can provide an accurate holistic view of access in your environment and bolsters compliance adherence." Will Bengtson, Principal Security Engineer, Netflix
  17. What do I want as an AWS customer?
  19. What Does the Math and Logic Buy Me?
  20. Regex Scanner: { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": "*", "Action": "*", "Resource": ["arn:aws:s3:::my-bucket", "arn:aws:s3:::my-bucket/*"] } ] }
  21. Regex Scanner: { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": "*", "Action": "*:*", "Resource": ["arn:aws:s3:::my-bucket", "arn:aws:s3:::my-bucket/*"] } ] }
  22. Regex Scanner: { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": "*", "Action": "s3:*", "Resource": ["arn:aws:s3:::my-bucket", "arn:aws:s3:::my-bucket/*"] } ] }
  23. Regex Scanner: { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": "*", "Action": "s3:*", "Resource": ["arn:aws:s3:::my-bucket", "arn:aws:s3:::my-bucket/*"], "Condition": { "StringEquals": { "aws:sourceVpc": "vpc-12345678" } } } ] }
  24. Regex Scanner: { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": "*", "Action": "s3:*", "Resource": ["arn:aws:s3:::my-bucket", "arn:aws:s3:::my-bucket/*"], "Condition": { "ForAllValues:StringEquals": { "aws:sourceVpc": "vpc-12345678" } } } ] }
  25. Regex Scanner: { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": "*", "Action": "s3:*", "Resource": ["arn:aws:s3:::my-bucket", "arn:aws:s3:::my-bucket/*"], "Condition": { "StringEquals": { "aws:sourceVpc": "${aws:sourceVpc}" } } } ] }
  26. Regex Scanner: { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": "*", "Action": "*", "Resource": ["arn:aws:s3:::my-bucket", "arn:aws:s3:::my-bucket/*"] }, { "Effect": "Deny", "Principal": "*", "Action": "s3:*", "Resource": ["arn:aws:s3:::my-bucket", "arn:aws:s3:::my-bucket/*"], "Condition": { "StringNotLike": { "aws:sourceVpc": "vpc-12345678" } } } ] }
  27. Other things to consider: aws:PrincipalOrgId, aws:SourceAccount, aws:SourceOwner, aws:userid, NotPrincipal, NotAction, ForAnyValue, IpAddress
  28. Need a more principled approach
  29. Logic. Modern symbolic logic began in the 19th century with Boolean algebra, introduced in 1847 by the English mathematician George Boole.
  30. Symbolic logic. The formula "not x or (y and z)" means: either x is false, or y and z are true (or both).
  31. Boolean Satisfiability (SAT solving). "not x or (y and z)" is satisfiable: x = false, y = true, z = false.
  32. Boolean Satisfiability (SAT solving). "not x and x" is unsatisfiable.
  33. Theoretical importance. SAT was the first NP-complete problem (Cook, 1971). There is no known algorithm that efficiently determines the satisfiability of every possible Boolean formula. Hard in theory; efficient in practice.
  34. Satisfiability Modulo Theories. x^2 - 4 = 0 is satisfiable. Solution 1: x = 2. Solution 2: x = -2.
  35. Modern SMT solvers are used in: microprocessor verification, aerospace applications, protocol verification, software verification, planning in AI, automated theorem proving.
  36. What did we build?
  39. Encode IAM policies as logical formulas! Allow statements and Deny statements. Access is denied by default; access is granted by allow statements; access is revoked by deny statements; deny trumps allow.
  40. Problem space: 10^12 AWS accounts × 5000 actions × 10^13 resources in AWS × ∞ condition key values.
  42. Request: { Principal: AWS:999999999999, Action: s3:listBucket, Resource: docs, Condition: { aws:sourceVpc: vpc-12345678 } }
  44. Requests: { Principal: AWS:111111111111, Action: s3:deleteBucket, Resource: docs } and { Principal: AWS:999999999999, Action: s3:listBucket, Resource: docs, Condition: { aws:sourceVpc: vpc-12345678 } }
  47. How to encode policies as logical formulas?
  48. How to encode policies as logical formulas? Policy: (Principal = "aws:999999999999" and Action = "s3:get*" and Resource = "docs/manual.pdf") or (Principal = "aws:777777777777" and Action = "s3:get*" and (Resource = "docs/manual.pdf" or Resource = "docs/secret.pdf"))
  49. Check a governance rule
  50. Check a governance rule. Rule: Action = "s3:get*" and Resource = "docs/secret.pdf" => Principal = "aws:777777777777"
  51. Policy: (Principal = "aws:999999999999" and Action = "s3:get*" and Resource = "docs/manual.pdf") or (Principal = "aws:777777777777" and Action = "s3:get*" and (Resource = "docs/manual.pdf" or Resource = "docs/secret.pdf")). Rule: Action = "s3:get*" and Resource = "docs/secret.pdf" => Principal = "aws:777777777777"
  53. NotPrincipal: how to encode policies as logical formulas?
  54. Policy with NotPrincipal: (Principal = "aws:999999999999" and Action = "s3:get*" and Resource = "docs/manual.pdf") or (Principal != "aws:777777777777" and Action = "s3:get*" and (Resource = "docs/manual.pdf" or Resource = "docs/secret.pdf")). Rule: Action = "s3:get*" and Resource = "docs/secret.pdf" => Principal = "aws:777777777777"
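The SAT question on slides 30-32 and the policy encoding on slides 39-54 are one mechanism: a policy is a formula over the request variables, a governance rule is an implication, and the rule holds exactly when "policy and not rule" is unsatisfiable. The Python below is an added example written for this page, not Zelkova's code. It builds the slides' formulas from small combinators and decides them by enumerating constructed finite domains; that brute-force `sat` is a stand-in for the SMT solver, whose string variables are unbounded. Any satisfying assignment is a valid model, so the one it reports for "not x or (y and z)" differs from the one on slide 31.

```python
"""Formulas over propositional variables and over an IAM request
(Principal, Action, Resource), checked by enumerating finite domains.
Added example, not Zelkova's code: Zelkova hands equivalent formulas to an
SMT solver over unbounded domains."""
from fnmatch import fnmatchcase
from itertools import product

# A formula is a function from an assignment (dict variable -> value) to bool.
def var(name):                 # propositional atom: the variable's truth value
    return lambda env: bool(env[name])

def eq(name, pattern):         # IAM atom: the variable matches a wildcard string
    return lambda env: fnmatchcase(env[name].lower(), pattern.lower())

def not_(f):
    return lambda env: not f(env)

def and_(*fs):
    return lambda env: all(f(env) for f in fs)

def or_(*fs):
    return lambda env: any(f(env) for f in fs)

def implies(a, b):             # a => b is (not a) or b
    return or_(not_(a), b)

def sat(formula, domains):
    """Return a satisfying assignment (a model) or None.
    Brute-force search over constructed domains; the solver's job in Zelkova."""
    names = list(domains)
    for values in product(*(domains[n] for n in names)):
        env = dict(zip(names, values))
        if formula(env):
            return env
    return None

# Slides 30-32: "not x or (y and z)" is satisfiable; "not x and x" is not.
BOOL = {"x": [False, True], "y": [False, True], "z": [False, True]}
SLIDE_31 = or_(not_(var("x")), and_(var("y"), var("z")))
SLIDE_32 = and_(not_(var("x")), var("x"))

# One statement: principal formula AND action pattern AND (one of the resources).
def stmt(principal_formula, action_pattern, *resource_patterns):
    return and_(principal_formula, eq("Action", action_pattern),
                or_(*(eq("Resource", r) for r in resource_patterns)))

# Slide 48: the policy is the disjunction of its Allow statements.
POLICY = or_(
    stmt(eq("Principal", "aws:999999999999"), "s3:get*", "docs/manual.pdf"),
    stmt(eq("Principal", "aws:777777777777"), "s3:get*", "docs/manual.pdf", "docs/secret.pdf"))

# Slide 54: the second statement written with NotPrincipal (Principal != 777...).
POLICY_NOTPRINCIPAL = or_(
    stmt(eq("Principal", "aws:999999999999"), "s3:get*", "docs/manual.pdf"),
    stmt(not_(eq("Principal", "aws:777777777777")), "s3:get*", "docs/manual.pdf", "docs/secret.pdf"))

# Slide 39: access = some Allow matches AND no Deny matches (deny trumps allow).
# Constructed Deny statement: nobody but 777... may touch docs/secret.pdf.
DENY_SECRET_TO_OTHERS = stmt(not_(eq("Principal", "aws:777777777777")), "s3:*", "docs/secret.pdf")
POLICY_WITH_DENY = and_(POLICY_NOTPRINCIPAL, not_(DENY_SECRET_TO_OTHERS))

# Slide 50: Action = s3:get* and Resource = docs/secret.pdf => Principal = aws:777...
RULE = implies(and_(eq("Action", "s3:get*"), eq("Resource", "docs/secret.pdf")),
               eq("Principal", "aws:777777777777"))

# Constructed finite request domains (the solver treats these as unbounded strings).
REQUEST = {"Principal": ["aws:999999999999", "aws:777777777777", "aws:111111111111"],
           "Action": ["s3:getobject", "s3:putobject"],
           "Resource": ["docs/manual.pdf", "docs/secret.pdf"]}

def counterexample(policy, rule):
    """The rule holds iff (policy AND NOT rule) is unsatisfiable; a model is a violating request."""
    return sat(and_(policy, not_(rule)), REQUEST)

if __name__ == "__main__":
    print(sat(SLIDE_31, BOOL))                        # a model: x=False, y=False, z=False
    print(sat(SLIDE_32, BOOL))                        # None: unsatisfiable
    print(counterexample(POLICY, RULE))               # None: the rule holds
    print(counterexample(POLICY_NOTPRINCIPAL, RULE))  # 999... reading docs/secret.pdf
    print(counterexample(POLICY_WITH_DENY, RULE))     # None: the Deny restores the rule
```

The NotPrincipal variant fails because `Principal != "aws:777777777777"` is a complement: every principal not named, including ones the author never thought of, satisfies it. A regex scanner looking for `"Principal": "*"` would not notice; the formula does, and the model it returns is the exact request that violates the rule.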
  55. Diagram (Zelkova = automated threat checking), labels: Amazon SNS, SNS message, AWS Lambda function calls on Zelkova, AWS Config, IAM, S3, IoT Device Defender.
  56. Enterprise, Fortune 100 customers from a variety of verticals
  57. Then, this happened…
  58. Bridgewater and Zelkova: who we are; what we want; why Zelkova helps; how to call Zelkova; Bridgewater use cases
  59. About Bridgewater: the world's largest hedge fund. Our mission is to build great portfolios for our clients. 350 of the largest global institutional clients.
  60. Bridgewater uses AWS. We use AWS to help systematize our understanding of the global economy and financial markets. Our workloads span a fleet of AWS accounts.
  61. What we want: to identify and reduce risk, by eliminating vulnerabilities in cloud configuration that threaten data security, access controls and compliance, and by ensuring that security controls are working: IAM policies do what we want, without unexpected secondary effects, in a methodical, automated, rigorous way, minimizing false positives and false negatives. "... I just want folks to run tools that encode our best understanding of IAM policies, against their real or hypothetical infrastructure, and quickly learn how they messed up." - Dan Peebles. (Diagram of security domains: Identity and Access Mgt, Compliance, Availability, Governance, DR/BC, Data Protection, with the scope of this talk marked.)
  62. How Zelkova helps Bridgewater. We use Zelkova to: detect misconfigurations that expose data; identify policy statements that need to change; check planned changes for defects; audit policies across all our accounts and deployment pipelines. We'd say ACID, but that's taken.
  63. Using Zelkova (what good looks like): monitor and collect policy JSON, and call Zelkova with properties and comparisons. (Diagram boxes: Threat Model, Constraints, Check with Zelkova, AWS, Policy Change, Vuln. Tracking, Findings, Policy Change Event, Apply Remediation.)
  64. Using Zelkova (what better looks like): collect policies pre-deployment, across all CI/CD pipelines, and call Zelkova with properties and comparisons; detect trouble before it can hurt us. (Diagram boxes: Threat Model, Constraints, Check with Zelkova, Vuln. Tracking, Config Change, AWS, Findings, Plan, Apply.)
  65. Calling Zelkova: check_policy(Policy, Effect, Constraints)
  66-70. Calling Zelkova: check_policy( Policy = { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": "*", "Action": [ "s3:GetObject", "s3:ListBucket*" ], "Resource": "arn:aws:s3:::my-bucket", "Condition": { "StringEquals": { "aws:sourceVpc": "vpc-12345678" } .. }, Effect = ALLOWS_SOMETHING, Constraints = { Actions: ["s3:ListAll*", "s3:Put*", "s3:GetObjectAcl"] } ). Read as: does the Policy ALLOW SOMETHING that meets the Constraints? ⇒ { Property: FALSE } ⇒ FALSE
  71. Calling Zelkova (2): check_policy returns examples
  72-74. Calling Zelkova (2): check_policy( Policy = { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": "*", "Action": [ "s3:List*", "s3:Get*" ], "Resource": "arn:aws:s3:::my-bucket", "Condition": { "StringEquals": { "aws:sourceVpc": "vpc-12345678" } .. }, Effect = ALLOWS_SOMETHING, Constraints = { Actions: ["s3:ListAll*", "s3:Put*", "s3:GetObject"] } ). Does the Policy ALLOW SOMETHING that meets the Constraints? ⇒ TRUE (with example) ⇒ { Property: TRUE, Model: {"Action":"s3:listall","Resource":"arn:aws:s3:::my-bucket","aws:SourceVpc":"vpc-12345678"} }
  75. Use Case 1: detect misconfigurations that expose data; a type of permissions "perimeter" scanner.
  76. Remember S3 badges?
  77. "Badge" for Lambda and KMS. Can any outsider access our data? Not just yes/no: who (Principal)? how (Action/Condition)? what (Resource)? Considering multiple accounts, VPC endpoints, whitelisted public CIDRs, and other AWS services operating on our behalf. Harder to do than one might think: many services allow cross-account access in subtle ways (S3, SQS, SNS, IAM roles, KMS, Secrets Manager, Lambda, API Gateway, …); AWS services call each other; need an excellent signal/noise ratio or risk being ignored.
  78. Two simple policies… KMS: { "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::345:role/Admin" }, "Action": "kms:*", "Resource": "*" }, { "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::345:user/bob" }, "Action": "kms:Encrypt", "Resource": "*" }. Lambda: { "Action": "lambda:InvokeFunction", "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::345:user/bob" }, "Resource": "arn:aws:lambda:…:345:function:foo" }, { "Action": "lambda:InvokeFunction", "Effect": "Allow", "Principal": { "Service": "apigateway.amazonaws.com" }, "Resource": "arn:aws:lambda:…:345:function:foo" }
  79. One constraint: resources must be inaccessible from external accounts. (Same KMS and Lambda policies as slide 78.)
  80-83. One constraint. Here is the Zelkova check: Constraints = { "NotPrincipals": { "AWS": [ "arn:aws:iam::345:*" ] } }. Result for the Lambda policy: { "Property": "TRUE", "Model": { "Principal": { "Service": "apigateway.amazonaws.com" }, "Action": "lambda:invokefunction", "Resource": "arn:aws:lambda:…:345:function:foo" } }. Result for the KMS policy: { "Property": "FALSE" }.
  84. Confused deputy (diagram labels). Time 1: Lock, Bob, Bob's Resource, Permission. Time 2: Alice (Deputy), Bob's Resource, Alice does X for Bob, Lock. Time 3: Alice does X for Trudy, Bob's Resource, Lock, Trudy.
  85. Common concern in AWS permissions: called out as sts:ExternalId for third parties, but it also applies to AWS services calling each other.
  90-95. Perimeter scanner: checks for outsiders; formally encodes safe cross-service access patterns: if a service calls SQS, aws:SourceArn must match a known ARN pattern; if SES calls S3, aws:Referer must match known account IDs; if API Gateway calls Lambda, aws:SourceArn must match a known ARN pattern; if S3 calls KMS, kms:ViaService must be "s3.*.amazonaws.com" and kms:EncryptionContext:aws:s3:arn must be a known bucket ARN; many other examples. Lets us specify many kinds of "known" outsiders.
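A structural version of the perimeter scanner's "safe cross-service pattern" rules from slides 90-95, added here as an example and not Bridgewater's scanner (theirs asks Zelkova; this one inspects the policy JSON directly). It takes the Lambda function policy from slide 78, whose API Gateway statement carries no condition, and reports it as unpinned: any API Gateway deployment in any account can invoke the function, which is the confused-deputy case of slide 84. The account ID 345 is from the slides; the required ARN shapes, the region in the function ARN and the API ids are constructed placeholders.

```python
"""Structural perimeter check for Service-principal statements.
Added example, not Bridgewater's scanner.  KNOWN_ACCOUNT comes from the
slides; the allowed-value patterns are constructed placeholders."""
from fnmatch import fnmatchcase

KNOWN_ACCOUNT = "345"

# Safe cross-service patterns from the slides: (service principal pattern, resource
# service) -> condition keys that must be present, each with its allowed value pattern.
SAFE_PATTERNS = {
    ("*", "sqs"): {"aws:SourceArn": f"arn:aws:*:*:{KNOWN_ACCOUNT}:*"},
    ("ses.amazonaws.com", "s3"): {"aws:Referer": KNOWN_ACCOUNT},
    ("apigateway.amazonaws.com", "lambda"): {"aws:SourceArn": f"arn:aws:execute-api:*:{KNOWN_ACCOUNT}:*"},
    ("s3.amazonaws.com", "kms"): {"kms:ViaService": "s3.*.amazonaws.com",
                                  "kms:EncryptionContext:aws:s3:arn": "arn:aws:s3:::mycorp-*"},
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _condition_values(stmt):
    """Flatten {"Operator": {"key": value_or_list}} into key -> [values].
    Simplification: the operator (StringEquals, ArnLike, ...) is not interpreted."""
    out = {}
    for operator_block in stmt.get("Condition", {}).values():
        for key, value in operator_block.items():
            out.setdefault(key, []).extend(_as_list(value))
    return out

def _required_conditions(service, resource_service):
    for (service_pattern, res_svc), required in SAFE_PATTERNS.items():
        if res_svc == resource_service and fnmatchcase(service, service_pattern):
            return required
    return None

def scan_service_principals(policy, resource_service):
    """Findings (statement index, service principal, problem) for Allow statements
    whose Service principal is not pinned to a caller in the known account."""
    findings = []
    statements = policy["Statement"] if isinstance(policy, dict) else policy
    for i, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow" or not isinstance(stmt.get("Principal"), dict):
            continue
        for service in _as_list(stmt["Principal"].get("Service", [])):
            required = _required_conditions(service, resource_service)
            if required is None:
                findings.append((i, service, "no safe pattern encoded for this service pair"))
                continue
            present = _condition_values(stmt)
            for key, allowed in required.items():
                if key not in present:
                    findings.append((i, service, f"missing condition {key}"))
                elif not all(fnmatchcase(v.lower(), allowed.lower()) for v in present[key]):
                    findings.append((i, service, f"{key} allows values outside {allowed}"))
    return findings

# The Lambda function policy from slide 78 (region in the ARN is constructed).
FUNCTION_ARN = "arn:aws:lambda:us-east-1:345:function:foo"
LAMBDA_POLICY = [
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::345:user/bob"},
     "Action": "lambda:InvokeFunction", "Resource": FUNCTION_ARN},
    {"Effect": "Allow", "Principal": {"Service": "apigateway.amazonaws.com"},
     "Action": "lambda:InvokeFunction", "Resource": FUNCTION_ARN},
]
# Same policy, API Gateway statement pinned to one API in our account (constructed API id).
LAMBDA_POLICY_PINNED = [LAMBDA_POLICY[0], dict(LAMBDA_POLICY[1], Condition={
    "ArnLike": {"aws:SourceArn": "arn:aws:execute-api:us-east-1:345:a1b2c3d4e5/*/GET/foo"}})]
# Pinned, but to an API in some other account (constructed).
LAMBDA_POLICY_FOREIGN = [LAMBDA_POLICY[0], dict(LAMBDA_POLICY[1], Condition={
    "ArnLike": {"aws:SourceArn": "arn:aws:execute-api:us-east-1:999:f6g7h8i9j0/*/*/*"}})]

if __name__ == "__main__":
    for name, policy in [("unpinned", LAMBDA_POLICY), ("pinned", LAMBDA_POLICY_PINNED),
                         ("foreign", LAMBDA_POLICY_FOREIGN)]:
        print(name, scan_service_principals(policy, "lambda"))
```

This check is deliberately conservative: a service pair with no encoded pattern is reported rather than passed, which is the signal/noise trade-off slide 77 warns about, and ignoring the condition operator means a `StringNotLike` would be misread as a restriction. Those are the gaps that make a semantic check like Zelkova's worth the extra machinery.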
  96-99. Use Case: check changes. Does a change to a VPC endpoint policy create an exfiltration risk? Zelkova constraint: Constraints = { "NotActions": [ "s3:GetObject" ], "NotResources": [ "arn:aws:s3:::mycorp-stuff", "arn:aws:s3:::mycorp-stuff/*" ] }. Are any actions besides GetObject allowed on buckets outside mycorp? (e.g. can someone Put data outside mycorp?) Hint: Zelkova's NotActions and NotResources represent set complement.
  100. Use Case: check changes. Does this change create exfiltration risk? VPCE policy: { "Effect": "Allow", "Principal": "*", "Action": [ "s3:*" ], "Resource": [ "arn:aws:s3:::mycorp-stuff", "arn:aws:s3:::mycorp-stuff/*" ] }. New VPCE policy: { "Effect": "Allow", "Principal": "*", "Action": [ "s3:*" ], "Resource": [ "arn:aws:s3:::mycorp-stuff", "arn:aws:s3:::mycorp-stuff/*" ] }, { "Effect": "Allow", "Principal": "*", "Action": [ "s3:*" ], "Resource": [ "arn:aws:s3:::…-starport-layer-bucket", "arn:aws:s3:::…-starport-layer-bucket/*" ] }
  101. Use Case: check changes. Zelkova results against the constraint of slide 97 for the policies of slide 100. Old: { "Property": "FALSE" }. New: { "Property": "TRUE", "Model": { "Action": "s3:", "Resource": "arn:aws:s3:::prod-us-east-1-starport-layer-bucket" } }
  102. How BW uses Zelkova (diagram: Threat Model, Constraints, Check with Zelkova). Example constraints: Constraints = { "NotPrincipals": { "AWS": [ "arn:aws:iam::345:*" ] } }; Constraints = { "NotActions": [ "s3:GetObject" ], "NotResources": [ "arn:aws:s3:::mycorp-stuff", "arn:aws:s3:::mycorp-stuff/*" ] }; …
  103. Workflow (diagram labels): Repo, Dev Branch, Prod Branch, Terraform Policy Change, Plan, Git + Gerrit, AWS, Terraform DSL, Terraform Apply, Findings, Gerrit, Check with Zelkova.
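The `check_policy(Policy, Effect, Constraints)` calls on slides 66-74, the `NotPrincipals` outsider check on slides 80-83 and the `NotActions`/`NotResources` exfiltration check on slides 97-101 all ask one question: is "the policy allows a request AND the request meets the constraints" satisfiable, and if so, what is a witness? The Python below is an added example written for this page and is not Zelkova's implementation: Zelkova reasons symbolically over unbounded domains with an SMT solver, whereas this version searches a constructed vocabulary of principals, actions and resources, and ignores statement Conditions (treats them as satisfiable) to stay short. Plain keys (`Actions`) restrict to a set and `Not*` keys are the set complement, as the hint on slide 99 says. The account ID 345, the bucket and function names are from the slides; the region in the function ARN and the object keys are constructed. Witnesses may differ from the slides' models, since any satisfying request is a valid one.

```python
"""check_policy(policy, effect, constraints) for the ALLOWS_SOMETHING effect.
Added example, not Zelkova's implementation: it enumerates constructed
vocabularies instead of calling an SMT solver, and ignores Conditions."""
from fnmatch import fnmatchcase
from itertools import product

ALLOWS_SOMETHING = "ALLOWS_SOMETHING"

# Constructed vocabularies standing in for the solver's unbounded domains.
PRINCIPALS = ["arn:aws:iam::345:role/Admin", "arn:aws:iam::345:user/bob",
              "arn:aws:iam::999:user/mallory", "apigateway.amazonaws.com"]
ACTIONS = ["s3:GetObject", "s3:PutObject", "s3:GetObjectAcl", "s3:ListBucket",
           "s3:ListAllMyBuckets", "kms:Encrypt", "lambda:InvokeFunction"]
RESOURCES = ["arn:aws:s3:::my-bucket", "arn:aws:s3:::mycorp-stuff/report.csv",
             "arn:aws:s3:::prod-us-east-1-starport-layer-bucket/layer.zip",
             "arn:aws:kms:us-east-1:345:key/1234", "arn:aws:lambda:us-east-1:345:function:foo"]

def _patterns(value):
    """Normalise "*", "x", ["x", "y"] and {"AWS": [...]} / {"Service": "..."} to a flat list."""
    if isinstance(value, dict):
        value = [v for vs in value.values() for v in _patterns(vs)]
    return value if isinstance(value, list) else [value]

def _matches(patterns, value):
    # IAM action matching is case-insensitive; applied uniformly here for simplicity.
    return any(fnmatchcase(value.lower(), p.lower()) for p in patterns)

def _statement_matches(stmt, principal, action, resource):
    return (_matches(_patterns(stmt["Principal"]), principal)
            and _matches(_patterns(stmt["Action"]), action)
            and _matches(_patterns(stmt["Resource"]), resource))

def _policy_allows(policy, principal, action, resource):
    """Default deny; Allow grants; Deny revokes; Deny trumps Allow (slide 39)."""
    statements = policy["Statement"] if isinstance(policy, dict) else policy
    matching = [s for s in statements if _statement_matches(s, principal, action, resource)]
    if any(s["Effect"] == "Deny" for s in matching):
        return False
    return any(s["Effect"] == "Allow" for s in matching)

def _constraints_hold(constraints, principal, action, resource):
    """Principals/Actions/Resources restrict to a set; Not* keys are the set complement."""
    values = {"Principals": principal, "Actions": action, "Resources": resource}
    for key, value in values.items():
        if key in constraints and not _matches(_patterns(constraints[key]), value):
            return False
        if "Not" + key in constraints and _matches(_patterns(constraints["Not" + key]), value):
            return False
    return True

def check_policy(policy, effect, constraints):
    """Is (policy allows request) AND (request meets constraints) satisfiable?
    Returns {"Property": "TRUE", "Model": witness} or {"Property": "FALSE"}."""
    if effect != ALLOWS_SOMETHING:
        raise ValueError("only ALLOWS_SOMETHING is demonstrated here")
    for principal, action, resource in product(PRINCIPALS, ACTIONS, RESOURCES):
        if (_policy_allows(policy, principal, action, resource)
                and _constraints_hold(constraints, principal, action, resource)):
            return {"Property": "TRUE",
                    "Model": {"Principal": principal, "Action": action, "Resource": resource}}
    return {"Property": "FALSE"}

# Inputs from the slides (function ARN completed with a constructed region).
BUCKET_POLICY_NARROW = [{"Effect": "Allow", "Principal": "*", "Action": ["s3:GetObject", "s3:ListBucket*"],
                         "Resource": "arn:aws:s3:::my-bucket"}]                     # slide 66
BUCKET_POLICY_WIDE = [{"Effect": "Allow", "Principal": "*", "Action": ["s3:List*", "s3:Get*"],
                       "Resource": "arn:aws:s3:::my-bucket"}]                       # slide 72
KMS_POLICY = [                                                                      # slide 78
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::345:role/Admin"}, "Action": "kms:*", "Resource": "*"},
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::345:user/bob"}, "Action": "kms:Encrypt", "Resource": "*"}]
LAMBDA_POLICY = [                                                                   # slide 78
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::345:user/bob"},
     "Action": "lambda:InvokeFunction", "Resource": "arn:aws:lambda:us-east-1:345:function:foo"},
    {"Effect": "Allow", "Principal": {"Service": "apigateway.amazonaws.com"},
     "Action": "lambda:InvokeFunction", "Resource": "arn:aws:lambda:us-east-1:345:function:foo"}]
MYCORP = ["arn:aws:s3:::mycorp-stuff", "arn:aws:s3:::mycorp-stuff/*"]
VPCE_OLD = [{"Effect": "Allow", "Principal": "*", "Action": ["s3:*"], "Resource": MYCORP}]  # slide 100
VPCE_NEW = VPCE_OLD + [{"Effect": "Allow", "Principal": "*", "Action": ["s3:*"],
                        "Resource": ["arn:aws:s3:::prod-us-east-1-starport-layer-bucket",
                                     "arn:aws:s3:::prod-us-east-1-starport-layer-bucket/*"]}]

OUTSIDERS = {"NotPrincipals": {"AWS": ["arn:aws:iam::345:*"]}}                      # slide 80
EXFIL = {"NotActions": ["s3:GetObject"], "NotResources": MYCORP}                   # slide 97

if __name__ == "__main__":
    print(check_policy(BUCKET_POLICY_NARROW, ALLOWS_SOMETHING,
                       {"Actions": ["s3:ListAll*", "s3:Put*", "s3:GetObjectAcl"]}))  # FALSE
    print(check_policy(BUCKET_POLICY_WIDE, ALLOWS_SOMETHING,
                       {"Actions": ["s3:ListAll*", "s3:Put*", "s3:GetObject"]}))     # TRUE + witness
    print(check_policy(LAMBDA_POLICY, ALLOWS_SOMETHING, OUTSIDERS))  # TRUE: apigateway is an outsider
    print(check_policy(KMS_POLICY, ALLOWS_SOMETHING, OUTSIDERS))     # FALSE
    print(check_policy(VPCE_OLD, ALLOWS_SOMETHING, EXFIL))           # FALSE
    print(check_policy(VPCE_NEW, ALLOWS_SOMETHING, EXFIL))           # TRUE: Put to the starport bucket
```

Two things the witnesses make concrete. In the Lambda case the violating principal is the API Gateway service principal, not a foreign IAM ARN, which is why slides 84-95 treat service-to-service calls as outsiders until a condition pins them. In the VPC endpoint case the new statement is harmless on its own; it only violates the exfiltration constraint because the constraint describes what must never be reachable, so a check against the old policy passes and the same check against the new one returns the exact action and bucket that opened the path.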
  104. Zelkova's importance for Bridgewater. Zelkova is formal and accurate → we don't get called at 3am because of a false positive. Zelkova is thorough → we don't lose sleep over evil-doers writing clever policies. We deeply understand what our IAM policies mean.
  105. Key takeaways: automate enterprise access controls using provable security; how AWS is scaling provable security across AWS offerings; a peek under the hood at the math and logic driving provable security; an enterprise use case from Bridgewater Associates.
  106. Related breakouts:
       Thursday, November 29: Automating Compliance Certification with Automated Mathematical Proof, 1:45-2:45 | Aria West, Level 3, Ironwood 3
       Thursday, November 29: How LogMeIn Automates Governance and Empowers Developers at Scale, 1:45-2:45 | MGM, Level 1, Grand Ballroom 116
       Thursday, November 29: Packetless Port Scanning: Automate DevSecOps with Amazon Inspector, 3:15-4:15 | Mirage, St. Thomas B
       Wednesday, November 28: Build a Vulnerability Management Program Using AWS for AWS, 6:15-7:15 | Venetian, Level 4, Lando 4205
       Wednesday, November 28: Policy Verification and Enforcement at Scale with AWS, Featuring Goldman Sachs, 2:30-3:30 | Venetian, Level 4, Lando 4202
  107. Yes, You Want More…
  108. Thank you!
