Using Security to Build with Confidence in AWS - Trend Micro

Post on 21-Jul-2015


Transcript of Using Security to Build with Confidence in AWS - Trend Micro

Using Security To Build With Confidence In AWS

Sasha Pavlovic, Director, Cloud and Datacenter Security | APAC

The Story

More at aws.trendmicro.com

2012 re:Invent SPR203 : Cloud Security is a Shared Responsibility http://bit.ly/2012-spr203

2013 re:Invent SEC208: How to Meet Strict Security & Compliance Requirements in the Cloud http://bit.ly/2013-sec208

SEC307: How Trend Micro Build their Enterprise Security Offering on AWS http://bit.ly/2013-sec307

2014 re:Invent SEC313: Updating Security Operations for the Cloud http://bit.ly/2014-sec313

SEC314: Customer Perspectives on Implementing Security Controls with AWS http://bit.ly/2014-sec314

Shared Responsibility Model

AWS: Physical, Infrastructure, Network, Virtualisation

You: Operating System, Applications, Data, Service Configuration

More at aws.amazon.com/security


Vulnerability Respond Repair

Vulnerability

©2015, Amazon Web Services, Inc. or its affiliates. All rights reserved

by Andreas Lindh (@addelindh)

bash is a common command line interpreter

a:() { b; } | attack

10/10 vulnerability. Widespread & easy to exploit

Shellshock Impact


1989. Fantastic summary by David A. Wheeler at http://www.dwheeler.com/essays/shellshock.html#timeline

[Image: Motorola MicroTAC handset, 12.3 oz ("MicroTAC" by Redrum0486 at English Wikipedia)]

Time Since Last Event   Event                                                Action   Action Timeline
1989-08-05 8:32         Added to codebase
27 days, 10:20:00       Released to public
9141 days, 21:18:35     Initial report                                       React    Clock starts
1 day, 22:19:13         More details                                         React
2 days, 7:30:12         Official patch :: CVE-2014-6271                      Patch    4 days, 5:49:25
5 days, 9:16:35         Limited disclosure :: CVE-2014-6271                  React
2 days, 4:37:25         More details                                         React
3:44:00                 More details                                         React
0:27:51                 Public disclosure                                    React
0:36:30                 More details                                         React
0:34:39                 Public disclosure :: CVE-2014-7169                   React
1:19:16                 More details                                         React
15:15:44                More details                                         React
4:45:26                 More details                                         React
3:03:34                 More details                                         React
11:34:00                Mitigation :: CVE-2014-7169                          React
4:58:00                 More details                                         React
3:34:51                 More details                                         React
3:29:09                 Official patch :: CVE-2014-7169                      Patch    9 days, 19:17:00
1:09:00                 More details                                         React
2:07:00                 Mitigation :: CVE-2014-7169                          React
2:27:00                 More details                                         React
23:50:00                More details                                         React
17:46:00                More details                                         React
7:24:00                 More details                                         React
2 days, 7:21:00         Public disclosure :: CVE-2014-6277 & CVE-2014-6278   React
0:11:00                 More details                                         React
3:15:00                 Official patch :: CVE-2014-7186, CVE-2014-7187       Patch    4 days, 17:30:00
1 day, 11:55:00         Official patch :: CVE-2014-6277                      Patch    1 day, 11:55:00
2 days, 20:24:00        Official patch :: CVE-2014-6278                      Patch    2 days, 20:24:00

Important Shellshock Events

Time Since Last Event   Event                                                Action   Action Timeline
1989-08-05 8:32         Added to codebase
27 days, 10:20:00       Released to public
9141 days, 21:18:35     Initial report                                       React    Clock starts
2 days, 7:30:12         Official patch :: CVE-2014-6271                      Patch    4 days, 5:49:25
3:29:09                 Official patch :: CVE-2014-7169                      Patch    9 days, 19:17:00
3:15:00                 Official patch :: CVE-2014-7186, CVE-2014-7187       Patch    4 days, 17:30:00
1 day, 11:55:00         Official patch :: CVE-2014-6277                      Patch    1 day, 11:55:00
2 days, 20:24:00        Official patch :: CVE-2014-6278                      Patch    2 days, 20:24:00

Respond


Day 1

aws.amazon.com/architecture : Web application hosting

[Diagram: web application hosting reference architecture, with TCP 443 and TCP 4433 flows between the tiers]

Primary workflow for our deployment

AWS VPC Review

AWS VPC Checklist

Review

IAM roles

Security groups

Network segmentation

Network access control lists (NACL)

More in the Auditing Security Checklist for Use of AWS, media.amazonwebservices.com/AWS_Auditing_Security_Checklist.pdf
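One way to turn the "security groups" item of the checklist into a repeatable review, as an added example that is not the talk's or Trend Micro's code: it walks security group rules in the dict shape that boto3's EC2 describe_security_groups returns and flags anything reachable from 0.0.0.0/0 other than the TCP 443 and 4433 listeners shown in the architecture. The sample groups are constructed, so it runs without AWS access.

```python
"""Review security group rules against the deployment's expected ingress.
Added example, not from the talk; it works on the dict shape returned by
boto3's EC2 describe_security_groups, and the sample below is constructed."""
from ipaddress import ip_network

# Only the web tier's listener ports should be reachable from the internet
# (the ports shown in the architecture diagram).
EXPECTED_PUBLIC_PORTS = {443, 4433}

# Constructed sample: one group matching the diagram, one that has drifted.
SAMPLE_GROUPS = [
    {"GroupId": "sg-web", "GroupName": "web-tier", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ]},
    {"GroupId": "sg-app", "GroupName": "app-tier", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 4433, "ToPort": 4433,
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}]},        # internal only: fine
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},          # SSH open to the world
        {"IpProtocol": "-1", "FromPort": -1, "ToPort": -1,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},          # all traffic, anywhere
    ]},
]

def is_world_open(cidr):
    """True when a CIDR admits every address (0.0.0.0/0 or ::/0)."""
    return ip_network(cidr, strict=False).prefixlen == 0

def review_security_groups(groups, allowed_ports=EXPECTED_PUBLIC_PORTS):
    """Return (group id, exposed range) for every internet-open rule that is
    not limited to the allowed listener ports. Only IPv4 IpRanges are checked."""
    findings = []
    for group in groups:
        for perm in group.get("IpPermissions", []):
            if not any(is_world_open(r["CidrIp"]) for r in perm.get("IpRanges", [])):
                continue
            if perm.get("IpProtocol") == "-1":      # -1 means all protocols
                findings.append((group["GroupId"], "all protocols/ports"))
                continue
            lo, hi = perm["FromPort"], perm["ToPort"]
            if set(range(lo, hi + 1)) - allowed_ports:
                findings.append((group["GroupId"], f"{perm['IpProtocol']}/{lo}-{hi}"))
    return findings

if __name__ == "__main__":
    for gid, what in review_security_groups(SAMPLE_GROUPS):
        print(f"{gid}: {what} reachable from 0.0.0.0/0")
```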

[Diagram: the same architecture, with TCP 443 and TCP 4433 flows between the tiers]

Primary workflow for our deployment

[Diagram: HTTPS traffic, an SQLi attempt and SSH shown flowing towards the instances]

Intrusion prevention can look at each packet and then take action depending on what it finds

aws.amazon.com/architecture : Web application hosting

Intrusion Prevention in Action

Review

All instances covered

Workload appropriate rules

Centrally managed

Security controls must scale out automatically with the deployment

Repair


Day 2

aws.amazon.com/architecture : Web application hosting

All instances are deployed from a task-specific AMI

[Diagram: the same architecture, with TCP 443 and TCP 4433 flows between the tiers]

Workflow should be completely automated

AMI Creation Workflow

[Diagram: Instantiate, Configure, Bake, Instantiate, Test, Destroy]

aws.amazon.com/architecture : Web application hosting

Instances tend to drift from the known good state, monitoring key files & processes is important

[Diagram: AMI, Instance, Integrity Monitoring, Alert]

Integrity Monitoring
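The drift check described above, as an added example and not Trend Micro's product or the talk's code: a digest baseline of key files is taken when the AMI is baked, then compared against the running instance so that modified, added or removed files raise an alert. The instance tree, watched paths and file contents are constructed with tempfile so the check runs offline.

```python
"""File integrity monitoring: baseline key files on an instance, report drift.
Added example, not Trend Micro's product or the talk's code; the instance tree
below is constructed with tempfile so the check runs offline."""
import hashlib
import os
import tempfile

# Files worth watching on the web tier: the shell, web server config, SSH keys.
WATCH = ["bin/bash", "etc/httpd/conf/httpd.conf", "root/.ssh/authorized_keys"]

def file_digest(path):
    """SHA-256 of a file, hashed in chunks so large binaries stay out of memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def baseline(root, key_files):
    """Map each watched path (relative to root) to its digest, None if absent."""
    return {rel: file_digest(os.path.join(root, rel))
            if os.path.isfile(os.path.join(root, rel)) else None
            for rel in key_files}

def detect_drift(known_good, current):
    """Compare two baselines; return {path: 'modified' | 'added' | 'removed'}."""
    alerts = {}
    for rel, before in known_good.items():
        after = current.get(rel)
        if before != after:
            alerts[rel] = ("added" if before is None else
                           "removed" if after is None else "modified")
    return alerts

def write(root, rel, data):
    """Helper for the constructed tree: create parent dirs and write bytes."""
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)

def demo():
    """Bake-time baseline, then drift on the running instance (constructed)."""
    root = tempfile.mkdtemp()
    write(root, "bin/bash", b"known good shell binary")
    write(root, "etc/httpd/conf/httpd.conf", b"Listen 443")
    known_good = baseline(root, WATCH)              # taken when the AMI is baked
    write(root, "bin/bash", b"replaced shell binary")  # e.g. an unapproved change
    write(root, "root/.ssh/authorized_keys", b"ssh-ed25519 AAAA... constructed")
    return detect_drift(known_good, baseline(root, WATCH))
```

Calling demo() reports bin/bash as modified and root/.ssh/authorized_keys as added, while the unchanged httpd.conf stays silent.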

Keys

Respond: Review configuration; Apply intrusion prevention

Repair: Patch vulnerability in new AMI; Leverage integrity monitoring

Keys: Automation

aws.trendmicro.com

KUALA LUMPUR

