© 2015, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

Aaron C. Newman

October 2015

SEC205

Learn How to Hackproof Your Cloud Using Native AWS Tools

Founder, CloudCheckrAaron.Newman@CloudCheckr.com

Agenda

• Changing your perspective on security• AWS security controls• AWS threats• Security tools• Questions

Changing Your Perspective

How do I secure my business applications in AWS?

Moving to the cloud =

• Rethinking your perimeter security

Rethinking how you perform common security tasks:

• Network-based IPS/IDS

• Network scanning

• Penetration tests

• Vulnerability assessments

Photo credit: Sys Sentry / Missouri Secretary of State

In the Data Center•Setting up perimeter security:

• Setting up your infrastructure• Setting up access points to the Internet• Configuring firewall, IDS, IPS, etc., at the access points

•Auditing your perimeter security:

• Gather set of IP address blocks to poke at• Do a port scan (using tools such as Nmap) • Determine which ports are open on the target • Try various exploits on the open ports• Sniff lots of packets• Dig around to make sure no back doors into the network

• Wireless access points, secondary T1 lines, DSL connections• VPN access from some other network

AWS: What’s Different?

• Physical assets secured• AWS availability zone and region level

• But we still need to guard the AWS API• IAM access is your new physical security

The idea of physical security morphs as infrastructure becomes virtualized by AWS APIs. In a new world of ephemeral, auto-

scaling infrastructure, you need to adapt your security architecture to meet both compliance and security threats.

Photo credit: HD imagelib / Saffwood / Folha de Campinas

AWS Foundation Services

Compute Storage Database Networking

AWS Global Infrastructure

Regions

Availability ZonesEdge Locations

NetworkSecurity

Inventory & Config

Customer applications & contentYou get to define your controls IN the Cloud

AWS takes care of the security OF the Cloud

You

AWS and You Share Responsibility for Security

DataSecurity

Access Control

Minimizing Attack Vectors

• Principles don’t change• Reduce your surface area!• Defense-in-depth

• Some attack vectors don’t change• Application level (user-privilege escalation, web app vulnerabilities, XSS)• Operating system vulnerabilities• Database vulnerabilities

• Some attack vectors change• Homogeneous environment• Polymorphic targets/mapping• Reduced network sniffing

Photo credit: TrendMicro

Perimeter Assessments in the Cloud

• How do I assess the perimeter of my cloud?

• Old world – Nmap, port scans, ping sweeps, etc.• Give me your network block

• New world – Let me see your configuration• List of publicly accessible resources• Security groups (EC2-Classic, EC2-VPC, Redshift, RDS, etc.)• Routing tables, Network ACL• VPC, subnets • S3 buckets and permissions• IAM policies

Photo credit: Honeywell Security Group

Rules For Running Pen Tests on AWShttp://aws.amazon.com/security/penetration-testing/• “…complete and submit the AWS Vulnerability/Penetration Testing Request Form to

request authorization for penetration testing or scanning of your resources.”

• CaveatsAt this time, our policy does not permit testing m1.small or t1.micro instance types. This is to prevent potential adverse performance impacts on the resources you may be sharing with other customers in a multi-tenant environment.

• Demo https://portal.aws.amazon.com/gp/aws/html-forms-controller/contactus/AWSSecurityPenTestRequest

• Need to know• IP addresses to be scanned (Destination)• Instances IDs• Scanning IP addresses (Source)

Photo credit: Monitor.Us

What Else Do We Need To Cover?

• Amazon EC2 is not our only attack surface

• AWS is a robust, complex platform with many moving parts

• Over 40 different services• Many have unique access control systems

• Some companies have 100s of AWS accounts

• We need a complete inventory• All publicly accessible endpoints and resources

Hackers find the single weak linkPhoto credit: BuiltLean

Amazon EC2-VPC• Default VPC is created in every region

• VPCs are wide open by default

• VPC is composed of:• Internet and VPN gateways

• Connect to the rest of the world• 1+ subnets• Routing tables – How to move traffic around the VPC• Network ACLs – A firewall but stateless• Security groups – Host-based firewall stateful• Resources – EC2, Amazon RDS, Emazon Redshift, Amazon

ElastiCachePhoto credit: AmazingAWS

Amazon S3 (Simple Storage Service)

• Up to 1,000 buckets in an account• Unlimited number of objects (billions is not uncommon)

• Location• Within a region, across multiple Availability Zones, not housed in a VPC• Can’t sit between client and storage

• Security• Access control thru IAM policies, bucket policies, ACLs, and query string authentication• Server-side encryption, HTTPS support• Server-access logs (does not integrate with AWS CloudTrail)

• Don’t grant FULL_CONTROL, WRITE_ACP, WRITE permissions to everyone EVER!!!

• Inventory your sensitive data

Photo credit: AWS

Amazon RDS (Relational Database Service)

• Location• Within a VPC or not, multiple Availability Zones or not

• Security options• DB security groups (if not in a VPC) or EC2-VPC security groups• Select a nondefault database port

• Publicly accessible option • Not a good idea, but if you do this:

• Make sure you use security groups to restrict source IP address• Make sure you have latest patches applied

• Secure your database snapshots• Keys to the kingdom if someone can get a copy• Brute-force passwords, restore to their own account

Photo credit: AWS

Amazon SQS (Simple Queue Service)

• Where does SQS live?• Within a region, not within a VPC• Uses a URL such as https://sqs.us-east-1.amazonaws.com/123456789012/MySQS

• Security based on policy documents:{ "Version": "2008-10-17", "Id": "arn:aws:sqs:us-east-1:123456789012:MySQS/SQSDefaultPolicy", "Statement": [ { "Sid": "Sid1415217272568", "Effect": "Allow", "Principal": { "AWS": "*" }, "Action": [ "SQS:ReceiveMessage", "SQS:SendMessage" ], "Resource": "arn:aws:sqs:us-east-1:123456789012:MySQS" },

Photo credit: AWS

Amazon SNS (Simple Notification Service)

• SNS does not live inside your VPC• Permissions based on topic policies:

Using AWS CloudTrail

• An AWS service that records each time the AWS API is called• Currently supports most AWS services • http://docs.aws.amazon.com/awscloudtrail/latest/userguide/dochistory.html

• Conveniently most actions in AWS go through the API• Even actions in the AWS Management Console go through the API

• CloudTrail writes files into an S3 bucket• Near real-time (every five minutes)• Files are in JSON format

Get started at http://aws.amazon.com/cloudtrail/

Photo credit: Openclipart / AWS

Using Amazon VPC Flow Logs

• An AWS service that records each time packets enter or leave a VPChttp://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/flow-logs.html

• Security team comes to you and says:We need logs going to ourwebsite.com for

IP address ranges 52.205.16.0 - 52.205.31.255

• Monitor for DENY connectionsGives you both security group and NACL denies

Announcement:https://aws.amazon.com/about-aws/

whats-new/2015/06/aws-launches-amazon-vpc-flow-logs/

Internal vs. External Threats

• Understanding who the threat is

• Internal threats• Disgruntled or malicious DevOps• Such as Edward Snowden

• External threats• Hacker groups, script kiddies• Such as Anonymous

Each requires different controls and monitoring

Photo credit: Independent Journal/ Westender

Example: CodeSpaces

• How not to end up like CodeSpaces• This is their website now:

• CodeSpaces hacked• No disaster recovery• No “offsite” backups

• “CodeSpaces: A Lesson In Cloud Backup”

Source: http://www.networkcomputing.com/cloud-infrastructure/code-spaces-a-lesson-in-cloud-backup/a/d-id/1279116

Photo credit: Codespaces

Tools for securing AWS

• Generic tools fall short

• Purpose-built, not cloud-washed• Make sure tools don’t fall over in the cloud• Tools have to understand dynamic, ephemeral IPs

• Need a deep understanding of AWS• What does this means• Context is important• Actionable intelligence

Questions?

On:• AWS security• CloudCheckr

Thank you!Sign up today for free evaluation

at http://cloudcheckr.com

Aaron Newman is the founder of CloudCheckr (www.cloudcheckr.com)

Please contact me with additional questions at:aaron.newman@cloudcheckr.com

Remember to complete your evaluations!