
Securely Deploying AWS Services
Jeremiah Sahlberg
Director, Information Security and Compliance Services

Experience
Experience in security assessments, risk programs and incident support
• Department of Defense – DISA
• Commercial (banking, media, manufacturing, healthcare, transportation, legal)
• State and local governments

Services
• Threat Services – Vulnerability Scanning, Pen Testing, Web Apps Testing, Social Engineering
• Privacy, Enterprise Risk and Compliance – ISO, NIST-800-53, HIPAA, PCI, GDPR, HITRUST

Certifications
Certified Information Security Manager (CISM)
Certified Information Systems Security Professional (CISSP)
Payment Card Industry Qualified Security Assessor (QSA)
HITRUST CSF Assessor

Events and Activities
• Publications: O’Reilly’s Secure Coding, Web Scanner
• Speaking events: Nevada Digital Summit, NY State Cyber Security Conference, SINET, NCUA
• Board of Advisors at Liberty University

October 24, 2018 2


Agenda

AWS – S3 Overview, Recent Exposures, S3 Configurations

Serverless Websites – Architecture and Checklist

Shared Security Responsibilities – AWS and You

Other Cloud Concerns

Wrap-up – Open Discussion and Questions



AWS – Simple Storage Solution (S3)
§ Store and retrieve data within AWS
• Bucket
• Objects
• Storage Encryption
• Permissions
• s3.amazonaws.com/[bucket_name]
• [bucket_name].s3.amazonaws.com
• [bucket_name].s3-aws-region.amazonaws.com

§ Launched in 2006, over a decade later, we got this figured out, right?



The Problem: AWS Bucket Exposures over 18 months

[Timeline chart of S3 bucket exposures, Mar 2017 to Sept 2018; entries on the chart include Bongo]



Upload Process Overview



Permission Settings

Source: http://level3-9afd3927f195e10225021a578e6f78df.flaws.cloud/



Why does this keep happening?
Human Error
§ Unintentional misconfiguration
§ Moving to the cloud with limited expertise
§ Focus on function vs. security
§ Lack of proper data management
§ Amazon’s solution: S3 Bucket Permission Check



Resolution.
Does Everyone really need access?

Source: https://aws.amazon.com/ (September 24, 2018)



WARNING: Public Access

Pay attention to the warning messages!



More Problems: Attack Automation
§ Command line tools
• inSp3ctor – Find open AWS S3 buckets
• -a Use AWS Credentials to authenticate the request
• AWSBucketDump.py – Enumerates AWS S3 Buckets
• S3Scanner - Scan For Open S3 Buckets And Dump
• BuQuikker – Finds open AWS S3 buckets

§ Online tools
• buckets.grayhatwarfare.com – Online tool
• Google Search - site:s3.amazonaws.com confidential
AWS S3 Security Checklist
§ Check for open buckets
§ Encrypt the data contents
§ Use Transport Layer Security (TLS) when connecting to S3 buckets; use https://
§ Organize your data, use versioning
§ Enable logging
§ Retire unused S3 buckets

§ Beyond S3: Exposed Resources on AWS, Scott Piper, May 2018
• Elasticsearch – 17% of AWS-managed Elasticsearch servers with public IPs were misconfigured
• Glacier Service – Similar issues as S3

Source: https://duo.com/blog/beyond-s3-exposed-resources-on-aws, https://www.andreafortuna.org/cybersecurity/aws-tips-a-security-checklist-for-s3-buckets/
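An added example, not from the deck or from AWS, that checks one bucket's settings against the checklist above without touching the network: it takes the dictionaries that the S3 calls `get-bucket-acl`, `get-bucket-policy`, `get-bucket-encryption`, `get-bucket-versioning` and `get-bucket-logging` return, flags public ACL grants and unconditional `Principal: "*"` allows, and verifies that the policy denies non-TLS requests via the `aws:SecureTransport` condition key. The sample ACLs, the policy and the bucket name `example-bucket` are constructed.

```python
# Grantee URIs that make an ACL readable by anyone, or by any AWS account holder.
PUBLIC_GRANTEES = {"http://acs.amazonaws.com/groups/global/AllUsers",
                   "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"}

def _statements(policy):
    # A policy's Statement may be a single object or a list; normalise to a list.
    stmts = (policy or {}).get("Statement", [])
    return stmts if isinstance(stmts, list) else [stmts]

def _principal_is_anyone(principal):
    return principal == "*" or (isinstance(principal, dict)
                                and principal.get("AWS") in ("*", ["*"]))

def acl_is_public(acl):
    """True if any ACL grant targets the AllUsers or AuthenticatedUsers group."""
    return any(g.get("Grantee", {}).get("URI") in PUBLIC_GRANTEES
               for g in acl.get("Grants", []))

def policy_allows_public(policy):
    """True for an Allow to Principal '*' that no Condition restricts."""
    return any(s.get("Effect") == "Allow" and _principal_is_anyone(s.get("Principal"))
               and not s.get("Condition") for s in _statements(policy))

def policy_enforces_tls(policy):
    """True if a Deny statement rejects requests where aws:SecureTransport is false."""
    return any(s.get("Effect") == "Deny" and str(s.get("Condition", {}).get("Bool", {})
               .get("aws:SecureTransport", "")).lower() == "false"
               for s in _statements(policy))

def audit_bucket(acl, policy, encryption, versioning, logging):
    """Return the checklist items the bucket fails; an empty list means it passes."""
    findings = []
    if acl_is_public(acl):
        findings.append("open bucket: ACL grants AllUsers/AuthenticatedUsers")
    if policy_allows_public(policy):
        findings.append("open bucket: policy allows Principal '*' unconditionally")
    if not encryption:          # get-bucket-encryption returns nothing when unset
        findings.append("encryption: no default server-side encryption")
    if not policy_enforces_tls(policy):
        findings.append("TLS: no Deny for aws:SecureTransport=false")
    if versioning != "Enabled":  # value of get-bucket-versioning's Status field
        findings.append("versioning: not enabled")
    if not logging:             # get-bucket-logging returns nothing when unset
        findings.append("logging: access logging not configured")
    return findings

# Constructed samples (not real buckets): a world-readable ACL, a private ACL and a TLS-only policy.
OPEN_ACL = {"Grants": [{"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"}]}
PRIVATE_ACL = {"Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"}, "Permission": "FULL_CONTROL"}]}
TLS_ONLY_POLICY = {"Version": "2012-10-17", "Statement": [{"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*", "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket/*", "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]}
```

Feeding `audit_bucket` live data is a matter of passing the responses of the five API calls named above; the same checks then run unchanged.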



Serverless Websites
Why serverless? Cost, maintenance.

1) AWS S3 – Static web services.
2) AWS Cognito, Identity
3) DynamoDB
4) API Gateway, Lambda (FaaS)
   - nodeJS, Python

Source: https://aws.amazon.com/ (September 24, 2018)



Serverless Website
Checklist (think OWASP)

§ Function data injection
§ Broken authentication
§ Insecure application secrets storage
§ Improper exception handling and verbose error messages
§ Inadequate function logging and monitoring – Capture events into security tools

Challenges - Reliance on AWS, cost calculations, SEO - Search Engine Optimization

Source: https://www.zdnet.com/article/the-top-10-risks-for-apps-on-serverless-architectures/, Charlie Osborne September 24, 2018



Amazon’s Artifacts

Source: https://aws.amazon.com/artifact/ (September 24, 2018)



Amazon’s Shared Responsibilities

AWS Management Console – Artifact (FedRAMP, ISO, PCI, SOC and many more)
§ Over 23 certification packages
§ Listing of included services
§ Includes security responsibilities matrix
§ Will support your compliance needs

Source: https://aws.amazon.com/artifact/ (September 24, 2018)



Other Cloud Related Concerns

§ Identity and access management
§ Data management
§ Liability
§ Security Visibility
§ Your 3rd parties are in the cloud, maybe with your data, so you need to understand the risk



Jeremiah Sahlberg
Director, Security Services
jsahlberg@tevora.com

Go forward. We’ve got your back.


Compliance – Enterprise Risk Management – Data Privacy – Security Solutions – Threat Management

