Upload
amazon-web-services
View
1.823
Download
1
Tags:
Embed Size (px)
Citation preview
Who shapes it?
Who is that?
Cloud Providers Security Vendors Old Guard
Where is it?
What is it?
What is it?
Very slow moving
Created by non-technologists
Defined in the age of
traditional infrastructures
REALITY!
Where does it go wrong?
Web VLAN
Load Balancers
Web Servers
App Server VLANApp Servers
DB VLAN
Corporate Network
Support VLAN
Backup SNMP
Logging Bastion
Internet
LBs
Bugs we’ve seen
Bugs we haven’t seen
Controls that match real risks
• Limited accounts via IAM
• Keep powerful creds off of instances
• Use key managers to distribute creds, not on AMIs
• Use limited accounts from Day 1
• MFA on top-level accounts
• Limit direct access, use management platforms when possible
• Use multiple top-level accounts with shared billing
• No developers on production
• Require all access via bastion host
• Log every keystroke, all syslog to separate top-level account
Controls that match real risks
• Continuous external and semi-external scanning
• Auto-discover all instances via API
• Use highly limited AMIs, install or chroot major services
• Build control plane and asymmetric trust into AMI
• Avoid SSH keys in AMI
• SSH key per admin, revocable
• Deploy corporate controls: • Proxy or DPI firewall
• NFR
• Use VPCs to strongly isolate critical services
Controls that match real risks
• Security is a targeted feature
• Create security engineering group early
• Build small set of trusted, core components • Input validation
• Escaping on compositing
• Session management
• Crypto
• Build a separate, protected authentication cluster
• Use self-proving requests internally, do not trust caller blindly
• Provision internal certs to all instances, use when possible
“What do we have on the spacecraft that’s good?”
Sic Parvis Magna
C=E(P,Ks)
C + {Ks}User1 + {Ks}GroupA+ {Ks}Service1 + {Ks}Master
1. Do not trust the conventional wisdom
2. Consider realistic threats for your org, adversaries
1. Build controls based upon AWS’s strengths
2. Build a paranoid application on any platform
We are sincerely eager to
hear your FEEDBACK on this
presentation and on re:Invent.
Please fill out an evaluation
form when you have a
chance.