Securing IaaS Orchestration
Cloud attack vectors
o Insecure management console
o Side channel attack
o Multi tenancy & virtualization
o Automation & API
o Chain of supply
Anatomy of a cloud hack: the BrowserStack story
1. Shell shock vulnerability on unused server
2. Found API key on hacked server
3. Using API key opened a firewall rule and launched an instance
4. Attached a backup volume to the instance
5. Found database credential on backup device
6. Connected to DB
The billing cycle is reducing: 1 hour -> 10 min -> 1 min
How to do security when servers are alive for 10 minutes?
o Patch management
o Maintenance windows
o Periodic vulnerability scanning
o Hardening
Introducing Cloudefigo
A fully automatic tool for: launch and harden, configure, scan, move to production.
Lifecycle diagram (instance and S3):
3. Server encrypts disk volumes
4. Server scanned for vulnerabilities
5. Server moves to production
Components
Object Storage - AWS S3: a storage architecture that manages data as objects. Files are stored along with metadata and a unique identifier. Access is usually by HTTP/S.
Security Scanner: we use Nessus since it is very popular. There are commercial products with built-in integration to AWS though: http://www.tenable.com/products/nessus
Instance lifecycle stages: Launch, Prepare (CloudInit, OS update, pre-requisites), Control (Chef registration), Encrypt, Scan (automatic scan, analyze), Production, Manage (least privileged role), Terminate.

Launch
o Each machine manages its own attributes:
    Encryption keys.
    Remediation vs production groups.
o Management of these attributes requires permissions.
o Permissions during launch > production.

Prepare: CloudInit
o Executed with root permissions when the image is launching.
o CloudInit to update & upgrade software packages.
o Primary goal is to make sure the cloud instance is secure once upgraded.

Prepare: pre-requisites
o CloudInit to install the software packages required to operate:
    Python + pip + wheel.
    AWS SDK (Boto).
    Chef Client + Chef SDK (PyChef).
o Download configurations and scripts from S3:
    Cloudefigo script.
    Chef client initialization files.

Control: Chef registration
o The Chef clients register to the Chef Management server using the initialization files loaded from S3.
o Once the client is registered, a policy is loaded and enforced on the instance.

Encrypt
o The volume is encrypted using a randomly generated key. The key is kept in S3 for later use.
o The application database is installed in the encrypted volume.
o Dynamic S3 policy: access to the key requires a referrer header that is generated based on attributes from the instance.

Scan: automatic
o A vulnerability scan is launched automatically by the CloudInit script.
o The deeper the scan, the longer it takes to move to production.

Scan: analyze
o The results of the scan are analyzed by the Cloudefigo script.
o Based on the scan results the instance moves to production or remains in the remediation group.

Production
o Moved to production.
o Reminder: Permissions in launch > production.

Manage: least privileged role
o For the ongoing operations a compensating control is required to locate unmanaged instances.
o Cloudefigo management script lists cloud instances and validates they are managed by Chef.

Terminate
o The life cycle ends once a server is terminated along with:
    Attached volumes.
    Instance IAM role.
    Encryption keys.
o The instance data still exists in backups/snapshots or provider storage.
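The analyze step above (scan results decide production vs remediation) as an added example; this is not the Cloudefigo script itself. It assumes the scanner exports results in the .nessus v2 XML layout with a numeric severity attribute on each ReportItem, and the threshold (no finding above Medium) and the sample report are constructed for illustration.

```python
"""Decision gate of the launch lifecycle: parse scan results, decide whether
each host moves to production or stays in the remediation group."""
import xml.etree.ElementTree as ET

# Nessus severity scale: 0 Info, 1 Low, 2 Medium, 3 High, 4 Critical.
SEVERITY_NAMES = {0: "Info", 1: "Low", 2: "Medium", 3: "High", 4: "Critical"}

# Constructed sample in the .nessus v2 export layout (plugin ids/names are placeholders).
SAMPLE_NESSUS = """<?xml version="1.0" ?>
<NessusClientData_v2>
  <Report name="cloudefigo-launch-scan">
    <ReportHost name="10.0.1.10">
      <ReportItem port="22" protocol="tcp" severity="0" pluginID="1001" pluginName="Service banner"/>
      <ReportItem port="80" protocol="tcp" severity="2" pluginID="1002" pluginName="Medium finding"/>
      <ReportItem port="80" protocol="tcp" severity="4" pluginID="1003" pluginName="Critical finding"/>
    </ReportHost>
    <ReportHost name="10.0.1.11">
      <ReportItem port="443" protocol="tcp" severity="1" pluginID="1004" pluginName="Low finding"/>
    </ReportHost>
    <ReportHost name="10.0.1.12"/>
  </Report>
</NessusClientData_v2>
"""


def parse_findings(nessus_xml):
    """Return {host_name: [(severity, plugin_name), ...]} from a .nessus v2 document."""
    root = ET.fromstring(nessus_xml)
    findings = {}
    for host in root.iter("ReportHost"):
        items = [(int(item.get("severity", "0")), item.get("pluginName", ""))
                 for item in host.findall("ReportItem")]
        findings[host.get("name")] = items
    return findings


def decide_group(items, max_allowed=2):
    """Return ('production'|'remediation', worst_severity) for one host's findings.
    A host with no findings is allowed through; anything above max_allowed blocks it."""
    worst = max((sev for sev, _ in items), default=0)
    group = "production" if worst <= max_allowed else "remediation"
    return group, worst


def analyze(nessus_xml, max_allowed=2):
    """Map every scanned host to its target group. A report with no hosts means the
    scan never produced results, so nothing is promoted (empty dict)."""
    return {host: decide_group(items, max_allowed)
            for host, items in parse_findings(nessus_xml).items()}


if __name__ == "__main__":
    for host, (group, worst) in analyze(SAMPLE_NESSUS).items():
        print(f"{host}: worst={SEVERITY_NAMES[worst]} -> {group}")
```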