Page 1: Title slide

Dr. Ekkard Schnedermann, Founder Elephantshop, AWS Solution Architect, CSK, CGEIT, CISA, CISSP (disclaimer: I am not from AWS)
Luisenstr. 11, D-86415 Mering, [email protected], +49 151 5875 0634, twitter: @ekkards



Page 2: The risk of cloud users may be quite high

Cloud users
High expectations for cloud usage models
+ Quick time to market
+ Low initial cost
- Limited in-house know-how of the provider API

Security of providers
Focus topic of previous years
Market of IaaS providers consolidates
Issues settled, all is well? Not quite...

Risks
Auditors don't recognize special cloud risks
Executives don't treat security risks seriously
⇒ Risks may appear late and severely

Why risk matters: 10 years of stock prices (chart)

Page 3: Practical lessons to be learned from using AWS S3 (agenda)

Fundamental Properties of S3
• Global Service and the Owner's Responsibility
• AWS S3 Outage
• Surprising Effects: Global Namespace, Data Location

S3 Access Control
• Access Control with ACLs, with Policies
• Policies in Many Places, Policy Simulator and the Finer Details
• Recommendations

Configuration Checks, Access Checks
Encryption, Key Management
Hacking, Security Bulletins, Patching and Emergencies

Amazon S3 ≅ Object Storage (here S3 stands for the category; this is not a comparison)

Page 4: Walk through AWS S3 as model for public cloud use

Amazon Web Services (AWS)
Market leader
Security certifications
Security documentation

Simple Storage Service (S3)
Object storage since 2006, now 10^12 objects
S3-compliant API also offered by Google, OpenStack

Focus on Security Management
= Identify issues, plan measures, prepare your teams, check outcomes

Page 5: Challenge: Enjoy advantages of cloud storage and keep caution

Amazon responsibility
Infrastructure, hardware, networking, operating system, application, server-side encryption
Advantage: high security level. Security operations at this level would be very expensive for your own team.

Your responsibility
Customer data, IAM, client-side encryption
Caution: every mistake counts. There are no further layers of defense: the security of your data in S3 relies fully on correct access control settings.


Pages 6-9: AWS S3 Outage - Facts, Consequences

AWS Dashboard for S3, 28 Feb 2017, us-east-1 (according to the AWS report, at 18:37 someone mistyped a command)
20:37 CET: Confirmed high error rates
21:54 CET: Recovery of read, list, delete
22:13 CET: Recovery of write
23:08 CET: Fully recovered

Consequences
45 AWS services in us-east-1 affected
AWS dashboard did not show the correct color
Hundreds of websites & apps affected from 18:45: Docker's Registry Hub, Trello, Travis CI, GitHub, GitLab, Quora, Medium, Slack, Adobe's cloud, Zendesk, Heroku, Coursera, Bitbucket, Twilio, Mailchimp, Citrix, Expedia, IoT devices


Page 10: AWS S3 Outage - Alternatives, Recommendations

Compare damage to SLA
AWS guarantees 99.9% per month ⇒ max. 40 min. down
Refund: 10% for 99.0% ⇒ up to 6 h 43 minutes downtime, 25% if worse

Cost for using a 2nd AWS region
Switch on versioning & replication of the bucket to the 2nd region
2 x cost for S3 (+ network)
Code failover logic (reads and/or writes)
Operational plan for failover and fallback

DR with other cloud providers (Google, Azure)
Same as above + replication logic + DevOps know-how for the 2nd provider

On-site or private cloud
Network reliability, bandwidth

Pages 11-14: Fundamental Properties of S3 and their Surprising Effects

Global Service and the Owner's Responsibility
Universal connectivity: S3 data are on the Internet.
S3 is organized as buckets, each assigned to exactly one owner.
The owner defines access to the objects in the bucket.

Global Namespace
The name of every bucket is defined in a worldwide context: you cannot choose a bucket name as you like.
More than 1 million accounts on AWS share the same namespace.
Do not delete a bucket which you may need later (its name may be taken by someone else).


Page 15: Legacy Access Control with ACLs

Access Control List (ACL)
Do not use ACLs. Use a Bucket Policy or an IAM Policy.
Only specific use cases require ACLs:
• Object-level permissions for an Object ACL
• LogDelivery in the Bucket ACL, and
• Bucket Owner: "Full Control"

"Full Control" =

Page 16: Access Control with Policies

Policies
Policy is AWS's universal access language
Bucket policy is the successor to ACLs
Syntax: JSON = JavaScript Object Notation
Semantics: Policy Grammar
53 specific actions: s3:GetObject, s3:PutObject, ...
Specific condition keys: s3:LocationConstraint
Construct by copy/paste or build with the AWS Policy Generator
Check with AWS Trusted Advisor (only basic checks)

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "AddPerm",
          "Effect": "Allow",
          "Principal": "*",
          "Action": ["s3:GetObject"],
          "Resource": ["arn:aws:s3:::example.com/*"]
        }
      ]
    }

From the AWS reference: website on S3 with read access for everyone


Page 19: S3 Access Control is Nice to Set and Hard to Maintain

Policies in IAM (Identity & Access Management)
• AWS-managed policy attached to a user, a group or a role
• Self-managed policy attached to a user, a group or a role
• Inline policy for a user, a group, or a role
"Policy" attribute of the S3 bucket

Flexibility in implementation
The Resource attribute applies to:
• * = whole S3 (e.g. for CreateBucket)
• bucketname: applies to the configuration (DeleteBucket)
• bucketname/*: content and paths inside the bucket

Effort in maintenance
1. Check every location for a policy
2. Understand JSON
3. Identify that S3 is targeted
4. Evaluate the effect (GetObject, PutObject, DeleteBucket, ...)
IAM policy simulator, Trusted Advisor: not much help

Page 20: Policy Simulator may not be helpful

Policy Simulation
Simulates an actual API call ⇒ all parameters are fixed ⇒ does not give an overview

"Allowed" results are OK: "Does a specific user have read access to all buckets?" OK.
"Denied" results are misleading: "Does a specific user have access to a certain bucket?" WRONG: Dave has access to the path "/dave/*" inside the bucket.



Pages 24-28: Recommendations on Legal Todos and Configuration

Legal Todos and Data Location
Location of buckets may have legal implications
Sign the paper for the EU model clauses and send it to AWS
Claim your bucket names in the global namespace

Websites
Every S3 bucket always responds like a website
DNS names customized via CNAMEs from Route 53
Only with AWS CloudFront: your own domain with SSL

Recovery Strategies
Versioning, replication, lifecycle policies

Logging (into an S3 bucket)
www-style access logs: no guarantee, no cost
CloudTrail data-level events: full solution, additional costs

URL of the website endpoint, browser-friendly, no SSL:
http://bucketname.s3-website-region.amazonaws.com

REST API endpoint with http/https, but not browser-friendly:
https://s3.region.amazonaws.com/bucketname/file.html

Example: curl https://s3.amazonaws.com/elephant-ok/file.txt
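The www-style access logs mentioned above are S3 server access logs: one line per request, space-separated, with a bracketed timestamp and quoted request, referrer and user-agent fields; an unsigned request shows "-" in the requester field. The Python below is an added example, not from the slides: it parses such records and reports which keys the bucket served to anonymous clients (the "responds like a website" effect) and which anonymous requests were denied. The log lines, bucket name, owner id and addresses are constructed samples.

```python
import re
from collections import Counter

# One token is a [bracketed time], a "quoted string" or a bare word.
_TOKEN = re.compile(r'\[[^\]]*\]|"(?:[^"\\]|\\.)*"|\S+')

# First 18 fields of an S3 server access log record; newer log versions
# append further fields, which parse_line keeps under "extra".
FIELDS = ["bucket_owner", "bucket", "time", "remote_ip", "requester",
          "request_id", "operation", "key", "request_uri", "http_status",
          "error_code", "bytes_sent", "object_size", "total_time",
          "turnaround_time", "referrer", "user_agent", "version_id"]

# Constructed sample records (not real traffic): two anonymous reads that
# succeeded, one anonymous read that was denied, one authenticated upload.
SAMPLE_LOG = [
    'OWNER0001 elephant-ok [12/Mar/2017:10:15:02 +0000] 198.51.100.7 - 5F2A1B3C4D5E6F70 REST.GET.OBJECT file.txt "GET /elephant-ok/file.txt HTTP/1.1" 200 - 512 512 14 9 "-" "curl/7.52.1" -',
    'OWNER0001 elephant-ok [12/Mar/2017:10:15:40 +0000] 198.51.100.7 - 5F2A1B3C4D5E6F71 REST.GET.OBJECT secret/keys.csv "GET /elephant-ok/secret/keys.csv HTTP/1.1" 403 AccessDenied 243 - 5 - "-" "curl/7.52.1" -',
    'OWNER0001 elephant-ok [12/Mar/2017:10:16:11 +0000] 203.0.113.9 - 5F2A1B3C4D5E6F72 REST.GET.BUCKET - "GET /elephant-ok?prefix= HTTP/1.1" 200 - 1830 - 22 - "-" "Mozilla/5.0" -',
    'OWNER0001 elephant-ok [12/Mar/2017:10:17:05 +0000] 192.0.2.44 OWNER0001 5F2A1B3C4D5E6F73 REST.PUT.OBJECT reports/q1.pdf "PUT /elephant-ok/reports/q1.pdf HTTP/1.1" 200 - - 88412 61 40 "-" "aws-cli/1.11.50" -',
]


def parse_line(line):
    """Split one access log record into a dict keyed by FIELDS."""
    tokens = [t.strip('[]"') for t in _TOKEN.findall(line)]
    if len(tokens) < len(FIELDS):
        raise ValueError("short access log record: %r" % line)
    record = dict(zip(FIELDS, tokens))
    record["extra"] = tokens[len(FIELDS):]
    record["http_status"] = int(record["http_status"])
    record["anonymous"] = record["requester"] == "-"   # "-" = unsigned request
    return record


def anonymous_activity(lines):
    """Return (served, denied): anonymous requests answered 2xx, i.e. data the
    bucket handed to the whole Internet, and anonymous requests answered 403,
    a hint that someone is probing while the access control held."""
    served, denied = [], []
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        if not rec["anonymous"]:
            continue
        hit = (rec["remote_ip"], rec["operation"], rec["key"])
        if 200 <= rec["http_status"] < 300:
            served.append(hit)
        elif rec["http_status"] == 403:
            denied.append(hit)
    return served, denied


def exposed_keys(lines):
    """How often each key ('-' = bucket listing) was read without credentials."""
    served, _ = anonymous_activity(lines)
    return Counter(key for _ip, _op, key in served)


if __name__ == "__main__":
    served, denied = anonymous_activity(SAMPLE_LOG)
    print("served anonymously:", served)
    print("denied anonymously:", denied)
    print("exposed keys:", exposed_keys(SAMPLE_LOG))
```

Because these logs are delivered on a best-effort basis (the slide's "no guarantee"), an empty report is not proof of no access; CloudTrail data events are the complete record.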

Page 29: Recommendations for Access Control: Manage Operations

Manage Access Control
Define IAM policies for role-based access control
Attach policies to groups, and groups to users
Avoid Resource "*" and Action "s3:*"
Use a Bucket Policy for "Everyone" access
Restrict "delete bucket" operations with an MFA device:
1. "MFA delete" for the root user
2. Condition key "aws:MultiFactorAuthPresent" for IAM users
Rewrite all ACLs as policies
Review "who has access to what"; repeat the access review at a regular frequency
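Pages 19, 20 and 29 describe one maintenance problem from three sides: policies live in several places, the simulator only answers one fixed API call, and the recommendation is to avoid Resource "*" and "s3:*" and to review who has access to what. The Python below is an added example, not a tool from the slides: given policy documents collected from those places (constructed inline here; in practice fetched through the IAM and S3 APIs), it keeps only the statements that touch S3, builds a per-principal overview and lists the wildcard and public-access findings. The user, group, role and bucket names are made up.

```python
def _as_list(value):
    """IAM allows a string or a list in Action, Resource and Principal."""
    return value if isinstance(value, list) else [value]


def _principals(statement, attached_to):
    """Identity-based policies carry no Principal: the identity they are
    attached to is the principal. Bucket policies name it explicitly."""
    principal = statement.get("Principal", attached_to)
    if isinstance(principal, dict):            # {"AWS": "arn:..."} form
        principal = principal.get("AWS", "*")
    return _as_list(principal)


def s3_statements(policy, attached_to):
    """Yield (principal, effect, action, resource) for every statement that
    targets S3 at all (step 3 of the maintenance checklist)."""
    for st in _as_list(policy.get("Statement", [])):
        actions = _as_list(st.get("Action", []))
        resources = _as_list(st.get("Resource", []))
        if not any(a == "*" or a.lower().startswith("s3:") for a in actions):
            continue
        for principal in _principals(st, attached_to):
            for action in actions:
                for resource in resources:
                    yield principal, st["Effect"], action, resource


def review(policies):
    """policies: iterable of (location, attached_to, policy_dict).
    Returns (overview per principal, sorted list of findings)."""
    overview, findings = {}, set()
    for location, attached_to, policy in policies:
        for principal, effect, action, resource in s3_statements(policy, attached_to):
            overview.setdefault(principal, []).append((effect, action, resource, location))
            if effect != "Allow":
                continue
            if action.lower() in ("*", "s3:*"):
                findings.add((location, principal, "action wildcard " + action))
            if resource == "*":
                findings.add((location, principal, "resource wildcard *"))
            if principal == "*":
                findings.add((location, "*", "public access to " + resource))
    return overview, sorted(findings)


def what_can(overview, principal):
    """Everything a principal is allowed on S3, across all policy locations."""
    return {(a, r) for e, a, r, _loc in overview.get(principal, []) if e == "Allow"}


# Constructed sample: the kinds of documents collected from IAM (inline and
# managed policies of users, groups, roles) and from the bucket itself.
SAMPLE_POLICIES = [
    ("IAM inline policy of user dave", "dave", {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::elephant-ok/dave/*"},
        {"Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::elephant-ok"}]}),
    ("IAM managed policy S3Admin of group admins", "admins", {"Version": "2012-10-17",
        "Statement": {"Effect": "Allow", "Action": "s3:*", "Resource": "*"}}),
    ("bucket policy of elephant-ok", None, {"Version": "2012-10-17", "Statement": [
        {"Sid": "AddPerm", "Effect": "Allow", "Principal": "*", "Action": ["s3:GetObject"],
         "Resource": ["arn:aws:s3:::elephant-ok/public/*"]}]}),
    ("IAM inline policy of role ec2-app", "ec2-app", {"Version": "2012-10-17",
        "Statement": {"Effect": "Allow", "Action": "ec2:DescribeInstances", "Resource": "*"}}),
]

if __name__ == "__main__":
    overview, findings = review(SAMPLE_POLICIES)
    for principal in sorted(overview):           # e.g. dave -> only /dave/*
        print(principal, sorted(what_can(overview, principal)))
    for finding in findings:
        print("FINDING", finding)
```

The review ignores Condition, NotAction and NotResource, so it is an inventory for the access review, not an authorization engine; a "Deny" statement still appears in the overview so the reviewer sees it.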

Page 30: Encryption and Key Management

Encryption
Data in transit: SSL, default sslEnabled = true
Data at rest: attribute on the object, no setting for the bucket:
• Server-side AES-256 (on the object): encryption is transparent for the user ⇒ enable it, at no cost. Protection against some threats inside AWS. Enable on write. How to check later?
• AWS Key Management Service (KMS): more protection with key management (also transparent), but additional risk of losing the key ⇒ manage it
• Client-side encryption and your own key management: for backup, but difficult for most other use cases

Key Management in HSM
The device erases the keys when tampered with; your data are then lost
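The slide asks how to check server-side encryption after the fact. Since SSE is an attribute of each object, the check is one HEAD per object: the ServerSideEncryption response header is "AES256" or "aws:kms", and absent for an object stored in the clear. The Python below is an added example, not from the slides, written against boto3's list_objects_v2 and head_object call shapes; FakeS3 is a constructed stand-in so the example runs offline, and the bucket and keys are made up.

```python
def audit_encryption(s3, bucket):
    """Return {key: encryption} for every object in `bucket`, where the value
    is 'AES256', 'aws:kms' or None (stored unencrypted).
    `s3` is any object offering boto3's list_objects_v2 / head_object."""
    result, token = {}, None
    while True:
        kwargs = {"Bucket": bucket}
        if token:
            kwargs["ContinuationToken"] = token      # continue the listing
        page = s3.list_objects_v2(**kwargs)
        for obj in page.get("Contents", []):
            head = s3.head_object(Bucket=bucket, Key=obj["Key"])
            # S3 reports SSE only per object; a missing header means clear text.
            result[obj["Key"]] = head.get("ServerSideEncryption")
        if not page.get("IsTruncated"):
            return result
        token = page["NextContinuationToken"]


def unencrypted(s3, bucket):
    """Keys that were written without server-side encryption."""
    return sorted(k for k, enc in audit_encryption(s3, bucket).items() if enc is None)


class FakeS3:
    """Constructed stand-in for boto3.client('s3'): four objects listed two
    per page, one of them stored without SSE. Not a real client."""
    OBJECTS = {"reports/q1.pdf": "AES256", "dave/notes.txt": "aws:kms",
               "public/index.html": None, "backup/2017-03.tar": "AES256"}

    def list_objects_v2(self, Bucket, ContinuationToken=None):
        keys = sorted(self.OBJECTS)
        start = 0 if ContinuationToken is None else int(ContinuationToken)
        more = start + 2 < len(keys)
        resp = {"Contents": [{"Key": k} for k in keys[start:start + 2]],
                "IsTruncated": more}
        if more:
            resp["NextContinuationToken"] = str(start + 2)
        return resp

    def head_object(self, Bucket, Key):
        head = {"ContentLength": 1}
        if self.OBJECTS[Key]:
            head["ServerSideEncryption"] = self.OBJECTS[Key]
        return head


if __name__ == "__main__":
    # With a real client: audit_encryption(boto3.client("s3"), "bucketname")
    print(audit_encryption(FakeS3(), "elephant-ok"))
    print("unencrypted:", unencrypted(FakeS3(), "elephant-ok"))
```

One HEAD per object is fine for a small bucket; for millions of objects budget the requests, and re-upload (copy in place) the keys the report lists to get them encrypted.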

Page 31: Security Operations

Service Dashboard: current availability worldwide, https://status.aws.amazon.com
Hacking: exploitation of a vulnerability may be possible
Security Bulletins: AWS informs with Security Bulletins (12 in total in 2016, 1 of them with level "informational" for S3), https://aws.amazon.com/security/security-bulletins/
Patching: patching S3 is AWS's responsibility (example: Heartbleed). AWS replaced OpenSSL (500,000 lines) with s2n (6,000 lines of code)
Emergencies: develop your own emergency plan

23 Jan 2017: Shodan found almost 200,000 servers worldwide still vulnerable to Heartbleed.

Page 32: Call to action: Be realistic about cloud consumption

Start governance of cloud usage
Goals: contracts, SLAs, Shared Responsibility Model
Strategy: services, security policies, architecture
Activities: training, security procedures, security tools
Measure: security reviews

(Diagram labels: Business, Goals, Strategy, Activities, Measure)

Page 33:

Thank You for Your Attention