Using Security To Build With Confidence In AWS
Sasha Pavlovic, Director, Cloud and Datacenter Security | APAC
The Story
More at aws.trendmicro.com
2012 re:Invent SPR203 : Cloud Security is a Shared Responsibility http://bit.ly/2012-spr203
2013 re:Invent SEC208: How to Meet Strict Security & Compliance Requirements in the Cloud http://bit.ly/2013-sec208
SEC307: How Trend Micro Build their Enterprise Security Offering on AWS http://bit.ly/2013-sec307
2014 re:Invent SEC313: Updating Security Operations for the Cloud http://bit.ly/2014-sec313
SEC314: Customer Perspectives on Implementing Security Controls with AWS http://bit.ly/2014-sec314
Shared Responsibility Model
AWS: Physical, Infrastructure, Network, Virtualisation
You: Operating System, Applications, Data, Service Configuration
More at aws.amazon.com/security
Vulnerability Respond Repair
Vulnerability
©2015, Amazon Web Services, Inc. or its affiliates. All rights reserved
by Andreas Lindh (@addelindh)
bash is a common command line interpreter
a:() { b; } | attack
A 10/10 severity vulnerability: widespread and easy to exploit.
Shellshock Impact
1989
Fantastic summary by David A. Wheeler at http://www.dwheeler.com/essays/shellshock.html#timeline
[Image: MicroTAC phone (12.3oz); "MicroTAC" by Redrum0486 at English Wikipedia]
Time since last event | Event                                               | Action | Action timeline
1989-08-05 8:32       | Added to codebase                                   |        |
27 days, 10:20:00     | Released to public                                  |        |
9141 days, 21:18:35   | Initial report                                      | React  | Clock starts
1 day, 22:19:13       | More details                                        | React  |
2 days, 7:30:12       | Official patch :: CVE-2014-6271                     | Patch  | 4 days, 5:49:25
5 days, 9:16:35       | Limited disclosure :: CVE-2014-6271                 | React  |
2 days, 4:37:25       | More details                                        | React  |
3:44:00               | More details                                        | React  |
0:27:51               | Public disclosure                                   | React  |
0:36:30               | More details                                        | React  |
0:34:39               | Public disclosure :: CVE-2014-7169                  | React  |
1:19:16               | More details                                        | React  |
15:15:44              | More details                                        | React  |
4:45:26               | More details                                        | React  |
3:03:34               | More details                                        | React  |
11:34:00              | Mitigation :: CVE-2014-7169                         | React  |
4:58:00               | More details                                        | React  |
3:34:51               | More details                                        | React  |
3:29:09               | Official patch :: CVE-2014-7169                     | Patch  | 9 days, 19:17:00
1:09:00               | More details                                        | React  |
2:07:00               | Mitigation :: CVE-2014-7169                         | React  |
2:27:00               | More details                                        | React  |
23:50:00              | More details                                        | React  |
17:46:00              | More details                                        | React  |
7:24:00               | More details                                        | React  |
2 days, 7:21:00       | Public disclosure :: CVE-2014-6277 & CVE-2014-6278  | React  |
0:11:00               | More details                                        | React  |
3:15:00               | Official patch :: CVE-2014-7186, CVE-2014-7187      | Patch  | 4 days, 17:30:00
1 day, 11:55:00       | Official patch :: CVE-2014-6277                     | Patch  | 1 day, 11:55:00
2 days, 20:24:00      | Official patch :: CVE-2014-6278                     | Patch  | 2 days, 20:24:00
Important Shellshock Events
Time since last event | Event                                               | Action | Action timeline
1989-08-05 8:32       | Added to codebase                                   |        |
27 days, 10:20:00     | Released to public                                  |        |
9141 days, 21:18:35   | Initial report                                      | React  | Clock starts
2 days, 7:30:12       | Official patch :: CVE-2014-6271                     | Patch  | 4 days, 5:49:25
3:29:09               | Official patch :: CVE-2014-7169                     | Patch  | 9 days, 19:17:00
3:15:00               | Official patch :: CVE-2014-7186, CVE-2014-7187      | Patch  | 4 days, 17:30:00
1 day, 11:55:00       | Official patch :: CVE-2014-6277                     | Patch  | 1 day, 11:55:00
2 days, 20:24:00      | Official patch :: CVE-2014-6278                     | Patch  | 2 days, 20:24:00
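The "Action timeline" value on each Patch row is the sum of the "time since last event" entries since the clock started at the initial report, or since the previous official patch. This added Python script (not from the slides or from Wheeler's page) reproduces that column for the rows up to the CVE-2014-7169 patch; the row data is transcribed from the table above.

```python
from datetime import timedelta
import re
# Rows transcribed from the Shellshock timeline above, from the initial
# report up to the CVE-2014-7169 patch: (time since last event, event, action).
ROWS = [
    ("9141 days, 21:18:35", "Initial report", "React"),
    ("1 day, 22:19:13", "More details", "React"),
    ("2 days, 7:30:12", "Official patch :: CVE-2014-6271", "Patch"),
    ("5 days, 9:16:35", "Limited disclosure :: CVE-2014-6271", "React"),
    ("2 days, 4:37:25", "More details", "React"),
    ("3:44:00", "More details", "React"),
    ("0:27:51", "Public disclosure", "React"),
    ("0:36:30", "More details", "React"),
    ("0:34:39", "Public disclosure :: CVE-2014-7169", "React"),
    ("1:19:16", "More details", "React"),
    ("15:15:44", "More details", "React"),
    ("4:45:26", "More details", "React"),
    ("3:03:34", "More details", "React"),
    ("11:34:00", "Mitigation :: CVE-2014-7169", "React"),
    ("4:58:00", "More details", "React"),
    ("3:34:51", "More details", "React"),
    ("3:29:09", "Official patch :: CVE-2014-7169", "Patch"),
]
DELTA_RE = re.compile(r"^(?:(\d+) days?, )?(\d+):(\d\d):(\d\d)$")

def parse_delta(text):
    """Turn '2 days, 7:30:12' or '3:44:00' into a timedelta."""
    m = DELTA_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised duration: {text!r}")
    days, h, mm, s = (int(x or 0) for x in m.groups())
    return timedelta(days=days, hours=h, minutes=mm, seconds=s)

def patch_windows(rows):
    """Elapsed time from the clock start (initial report), or from the
    previous official patch, to each patch: the table's Action timeline column."""
    windows, elapsed = {}, None  # elapsed stays None until the clock starts
    for since_last, event, action in rows:
        if elapsed is None:
            if event == "Initial report":
                elapsed = timedelta()  # clock starts at the initial report
            continue
        elapsed += parse_delta(since_last)
        if action == "Patch":
            windows[event.split(":: ")[1]] = elapsed
            elapsed = timedelta()  # the patch clock resets at each patch
    return windows

for cve, window in patch_windows(ROWS).items():
    print(f"{cve}: official patch {window} after the clock start or previous patch")
```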
Respond
Day 1
aws.amazon.com/architecture : Web application hosting
[Diagram: primary workflow for our deployment, with flows labelled TCP 443 and TCP 4433]
AWS VPC Review
AWS VPC Checklist
Review
IAM roles
Security groups
Network segmentation
Network access control lists (NACL)
More in the Auditing Security Checklist for Use of AWS, media.amazonwebservices.com/AWS_Auditing_Security_Checklist.pdf
[Diagram: traffic flows labelled HTTPS, SQLi and SSH through the web application hosting architecture]
Intrusion prevention can look at each packet and then take action depending on what it finds.
aws.amazon.com/architecture : Web application hosting
Intrusion Prevention in Action
Review
All instances covered
Workload appropriate rules
Centrally managed
Security controls must scale out automatically with the deployment
Repair
Day 2
aws.amazon.com/architecture : Web application hosting
All instances are deployed from a task-specific AMI.
Workflow should be completely automated
[Diagram: AMI creation workflow with steps labelled Bake, Instantiate and Test; instance lifecycle labelled Instantiate, Configure and Destroy]
aws.amazon.com/architecture : Web application hosting
Instances tend to drift from the known good state, so monitoring key files and processes is important.
[Diagram: AMI → Instance, with integrity monitoring raising an alert on change]
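An added example (not code from the slides or from Trend Micro's product) of the integrity monitoring the slide describes: hash the key files when the instance is baked from the AMI, re-hash them later, and alert on drift. The file names and contents are constructed for the example; a real deployment would watch the actual configuration, binary and key paths of the workload.

```python
import hashlib
import os
import tempfile

# Known-good baseline taken at bake time, compared against the live instance.
# All paths and file contents below are constructed for this example.

def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def baseline(paths):
    """Known-good state: path -> SHA-256 for every watched file that exists."""
    return {p: sha256_of(p) for p in paths if os.path.isfile(p)}

def drift(base, paths):
    """Re-hash the watched paths and report how they differ from the baseline:
    a file that changed, disappeared, or appeared where none was expected."""
    current = baseline(paths)
    alerts = []
    for p in sorted(set(base) | set(current)):
        if p not in current:
            alerts.append(("removed", p))
        elif p not in base:
            alerts.append(("added", p))
        elif base[p] != current[p]:
            alerts.append(("modified", p))
    return alerts

def demo():
    """Bake a tiny 'instance' in a temp dir, take the baseline, then let it drift."""
    root = tempfile.mkdtemp()
    names = ("sshd_config", "httpd.conf", "authorized_keys")
    watched = [os.path.join(root, n) for n in names]
    for p in watched[:2]:                 # the AMI ships two config files
        with open(p, "w") as f:
            f.write(f"# known-good {os.path.basename(p)}\n")
    base = baseline(watched)              # taken at bake time
    with open(watched[0], "a") as f:      # drift 1: a config edited in place
        f.write("# unexpected edit\n")
    with open(watched[2], "w") as f:      # drift 2: a key file appears
        f.write("ssh-ed25519 AAAAC3... unexpected-key\n")
    return drift(base, watched)           # [('added', ...), ('modified', ...)]
```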
Keys
Respond: review configuration; apply intrusion prevention
Repair: patch the vulnerability in a new AMI; leverage integrity monitoring
Automation
aws.trendmicro.com
KUALA LUMPUR