View
502
Download
0
Category
Preview:
Citation preview
© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Alex Lucas, AWS Security
November 29, 2016
SEC309
Proactive Security Testing in AWSFrom Early Implementation to Deployment Penetration Testing
What to expect from this session
• How to think about your AWS assets
• Threat modeling and attack surface
• Security baseline
• Testing for security
• Automation
• Continuous Security
• Close
Threat modeling
• Why?
• External dependencies and assumptions
• System edges and entry points
• Assets and information flows
• Classes of user and action / trust
• Risks and mitigations
Threat modeling assets
• What is an asset?
• Amazon EC2 instance
• Amazon S3 bucket
• Amazon RDS
• Access management
• Networking
• Deployment and development
Threat modeling actors
• Users
• Services
• Access to shared assets
Threat model architecture
Unknown user
Authenticated
user
Web
server
Cache
RDBMS
Web admin DB admin
DB users?CMS
1.1 Login
1. 2 Post2.1 Admin
STRIDE
Spoofing
Tampering
Repudiation
Information disclosure
Denial of service
Elevation of privilege
Table of flows, STRIDE etc
Data flow ID Description
1.1 An unauthenticated user can logon onto the CMS
system with valid credentials at this point a
session identifying the user controls their identity.
STRIDE • Spoofing – A user could assume an incorrect
identity if not checked properly
• Repudiation – Attempts to login and failed
login attempts may not be traced
• Denial of service (DoS) - If the login flow is
too expensive (computationally complex) the
login call could potentially be used to deny
service to other users
• Elevation of Privilege (EoP) – Incorrectly
logging in a user would result in this
Feature Id Mitigation Description
SESSION-104 To address spoofing concerns an external audit of
the code by [X] will take place. All changes to the
code post-event will undergo code review.
AUDIT-7 For repudiation all login attempts will be logged
into the application log and stored to Amazon
CloudWatch Logs.
AUDIT-7-1 In support of LOGIN-102 the team will investigate
the feasibility of using CloudWatch alarms with
thresholds for failed logins.
LOGIN-11 For DoS prevention we will do extensive profiling
of the login flow and ensure that failed and
successful logins represent log computational
burden. A single web server instance should be
able to support O(x) login calls simultaneously.
LOGIN-12 To prevent EoP we will follow the same principals
Management layer
Private subnetPublic subnet
ws
Internet
gateway
Router
Route
table
Route
table
Endpoint
S3 bucket
Instance role
IAM
ElastiCache
Route 53CloudFormation
KMSAmazon
Inspector
CloudTrail Config
Security baseline
• Core:
• Instances are patched and remain so
• Instances are safe to use post-startup as long as security
groups only expose the expected services to the Internet
• Account AWS infrastructure management is correctly
controlled
• Application:
• The application has been security tested
Demo – patch level
• Any outstanding security patches?
• Using EC2 Simple Systems Manager (SSM) run
command.
Build security testing in
• Static analysis on code push to central repository
• Adding a trigger to look for security issues
• Check staging and pre-deployment
• Check your application access controls
Demo – source code
• AWS CodeCommit trigger to look for AWS stored secrets
Demo – deployment assessment
• Using Amazon Inspector to assess a pre-production
environment and move it to production.
Security testing
• Penetration test request process:
https://aws.amazon.com/security/penetration-testing/
• Focus on baseline
• Know your tools
• Be selective
Demo – network profile
• Enumerate Internet endpoints
• Confirm availability
Continuous security
• Integrated testing
• Point in time questions
• Monitor for changes
Thank you!
Remember to complete
your evaluations!
Related sessions
• SEC301 - Audit Your AWS Account Against Industry Best
Practices: The CIS AWS Benchmarks
• SEC313 - Automating Security Event Response, from
Idea to Code to Execution
• SAC401 - 5 Security Automation Improvements You Can
Make by Using Amazon CloudWatch Events and AWS
Config Rules
Recommended