
SEC304 Building Security from Scratch - AWS re: Invent 2012


.secure

and we are building it on AWS


Who shapes it?


Who is that?

• Cloud Providers

• Security Vendors

• Old Guard


Where is it?


What is it?


Very slow moving

Created by non-technologists

Defined in the age of traditional infrastructures

REALITY!


Where does it go wrong?

[Diagram labels: Internet; Load Balancers (LBs); Web VLAN; Web Servers; App Server VLAN; App Servers; DB VLAN; Support VLAN; Backup; SNMP; Logging; Bastion; Corporate Network]


Bugs we’ve seen


Bugs we haven’t seen


Controls that match real risks

• Limited accounts via IAM

• Keep powerful creds off of instances

• Use key managers to distribute creds, not on AMIs

• Use limited accounts from Day 1

• MFA on top-level accounts

• Limit direct access, use management platforms when possible

• Use multiple top-level accounts with shared billing

• No developers on production

• Require all access via bastion host

• Log every keystroke, all syslog to separate top-level account


• Continuous external and semi-external scanning

• Auto-discover all instances via API

• Use highly limited AMIs, install or chroot major services

• Build control plane and asymmetric trust into AMI

• Avoid SSH keys in AMI

• SSH key per admin, revocable

• Deploy corporate controls:

  • Proxy or DPI firewall

  • NFR

• Use VPCs to strongly isolate critical services


• Security is a targeted feature

• Create security engineering group early

• Build small set of trusted, core components

  • Input validation

  • Escaping on compositing

  • Session management

  • Crypto

• Build a separate, protected authentication cluster

• Use self-proving requests internally, do not trust caller blindly

• Provision internal certs to all instances, use when possible


“What do we have on the spacecraft that’s good?”


Sic Parvis Magna


C = E(P, Ks)

C + {Ks}User1 + {Ks}GroupA + {Ks}Service1 + {Ks}Master
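
The two lines above read as envelope encryption: the payload P is encrypted once under a session key Ks, and Ks is stored alongside C wrapped separately for each principal. The sketch below is an added example, not code from the presentation; it assumes E is AES-256-GCM and that {Ks}X means RSA-OAEP encryption of Ks under X's public key, and the function names are hypothetical.

```javascript
// Added illustration (not from the presentation). Assumptions: E is AES-256-GCM,
// {Ks}X is RSA-OAEP encryption of Ks under X's public key; all names are hypothetical.
const crypto = require('crypto');

// Constructed key pairs for the principals named on the slide.
function makePrincipals(names) {
  const out = {};
  for (const n of names) out[n] = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  return out;
}

// C = E(P, Ks), then one wrapped copy of Ks per principal allowed to read P.
function seal(plaintext, publicKeys) {
  const ks = crypto.randomBytes(32); // fresh per-object session key Ks
  const iv = crypto.randomBytes(12);
  const enc = crypto.createCipheriv('aes-256-gcm', ks, iv);
  const c = Buffer.concat([enc.update(plaintext), enc.final()]);
  const wrapped = {};
  for (const [name, pub] of Object.entries(publicKeys)) {
    wrapped[name] = crypto.publicEncrypt({ key: pub, oaepHash: 'sha256' }, ks);
  }
  return { iv, c, tag: enc.getAuthTag(), wrapped };
}

// A listed principal recovers Ks with its own private key, then decrypts C.
function unseal(envelope, name, privateKey) {
  const blob = envelope.wrapped[name];
  if (!blob) throw new Error(`no wrapped key for ${name}`);
  const ks = crypto.privateDecrypt({ key: privateKey, oaepHash: 'sha256' }, blob);
  const dec = crypto.createDecipheriv('aes-256-gcm', ks, envelope.iv);
  dec.setAuthTag(envelope.tag);
  // final() throws if C, the IV or the tag was modified
  return Buffer.concat([dec.update(envelope.c), dec.final()]);
}

// Drop one principal's access without touching C or the other wrapped keys.
function revoke(envelope, name) {
  delete envelope.wrapped[name];
}
```

Deleting a wrapped key only blocks future unwraps: a principal that already recovered Ks can still decrypt C, so re-encrypt P under a new Ks when that matters.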


1. Do not trust the conventional wisdom

2. Consider realistic threats for your org, adversaries

3. Build controls based upon AWS’s strengths

4. Build a paranoid application on any platform
