Cloud Security Scott Arveseth @ScottArveseth [email protected]

Cloud Security (AWS)


Page 2: Cloud Security (AWS)

The Cloud

IaaS

o AWS

o Azure

o Rackspace

o VMWare

SaaS

o SalesForce

o Cloud9

o Akamai

o AppDynamics

PaaS

o Cloud Foundry

o Google App Engine

o Azure

o AWS

o SalesForce

Software & Services

o Office 365

o QuickBase

o Lynda.com

Agility

Scalability

Resiliency

High Availability

Security?

Page 3: Cloud Security (AWS)

Behind the Cloud…

Cloud stack (diagram):

o Physical Facilities

o Infrastructure

o Compute & Storage

o Hypervisor

o Virtual Network

o Operating System

o App Framework

o Application

o Data

Amazon Web Services (AWS)

Regions Worldwide (11)

o Availability Zones (2-3 per Region)

Edge Locations (50+)


Page 5: Cloud Security (AWS)

Security is a Shared Responsibility

[Diagram: the cloud stack for SaaS, each layer marked Provider or Yours]

Your responsibility vs. Provider responsibility

o Type of service

o Contractual agreements

Evaluating Cloud providers

o SOC I/II, ISO 27002, PCI, HIPAA

o Contractual agreements

o Financial limits

Page 6: Cloud Security (AWS)

Security is a Shared Responsibility

[Diagram: the cloud stack for PaaS, each layer marked Provider or Yours]

Your responsibility vs. Provider responsibility / Evaluating Cloud providers: same bullets as on Page 5

Page 7: Cloud Security (AWS)

Security is a Shared Responsibility

[Diagram: the cloud stack for IaaS, each layer marked Provider or Yours]

Your responsibility vs. Provider responsibility / Evaluating Cloud providers: same bullets as on Page 5

Page 8: Cloud Security (AWS)

Amazon Web Services (AWS)

IaaS: flexible & complex

AWS offers IaaS, PaaS, and SaaS solutions

[Diagram: the cloud stack, showing which layers AWS covers as IaaS and which as PaaS]

Page 9: Cloud Security (AWS)

Evaluating Risk

Where are the biggest risks? (diagram: the cloud stack, Physical Facilities through Data)

Verizon DBIR 2014

Incident Classification: Web App Attacks (35%), External Discovery (88%); Cyber-Espionage (22%), External Discovery (85%)

Actions: Stolen Creds (1)(3)(3); Export Data (2)(7)(4)

Source: www.verizonenterprise.com/DBIR/2014/

Page 10: Cloud Security (AWS)

AWS Dashboard, CLIs, APIs

o AWS CLI

o Java

o Python (boto)

o Node.js

Page 11: Cloud Security (AWS)

[Diagram: VPC in Region US-East with a DMZ Subnet and a Priv. Subnet, NACL and Security Groups, Amazon CloudWatch and AWS CloudFormation]

Page 12: Cloud Security (AWS)

[Diagram: Users reaching the DMZ Subnet and the Priv. Subnet; Amazon CloudWatch and AWS CloudFormation]

Page 13: Cloud Security (AWS)

[Diagram: Admins using an SSH Key, an MFA token, and an AWS Access Key with the AWS CLI and a role; Amazon CloudWatch and AWS CloudFormation]

Page 14: Cloud Security (AWS)

Security in the Cloud

Monitor, Assess, Defend (MAD)

Monitor

o Detection is important

o Built on a foundation of logs

Assess / Test

o Evaluate security controls

o Dangerous ground when scanning your app on provider’s infrastructure

Defend

o Prevent security incidents from occurring

o Raise the bar

Page 15: Cloud Security (AWS)

Monitor (MAD)

Page 16: Cloud Security (AWS)

Monitor


Web Application Firewall (WAF)

o Bursting thresholds

o OWASP Top 10

o Tuned to the application

Application, RDS logs

o AuthN/Z

o Security related

o Anomaly detection

ELB – Log user requests

o Anomaly detection

Page 17: Cloud Security (AWS)

Monitor


S3 Access Logging

o If there is sensitive information in S3 buckets (S3 access logs are not part of CloudTrail)

CloudWatch

o Availability & performance of EC2 instances

Page 18: Cloud Security (AWS)

Monitor


CloudTrail – AWS account actions

o Any root account activity

o StopLogging / UpdateTrail

o Create/DeleteVPC

o CreateAccessKey

o Privileged Role assignments

o DeleteHostedZone

o ChangeResourceRecordSet

o RunInstance (dramatic change)

o Public Security Group modification

IAM

o AWS Access Keys

o Inventory (owner) / Last recycle date
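A triage script for the CloudTrail events listed above, added here as an example (not from the deck): it parses one CloudTrail log file body and returns, per record, why it deserves review. The sample records are constructed; the API event names differ slightly from the slide's shorthand (CreateVpc, DeleteVpc, RunInstances, ChangeResourceRecordSets), and "Public Security Group modification" is covered for ingress rules opened to 0.0.0.0/0.

```python
"""Triage CloudTrail records for the account actions this slide lists (added
example, not from the deck; the sample log below is constructed)."""
import json

# EC2 and Route 53 spell these CreateVpc, DeleteVpc, RunInstances, ChangeResourceRecordSets.
WATCHED = {
    "StopLogging": "CloudTrail logging stopped", "UpdateTrail": "trail changed",
    "CreateVpc": "VPC created", "DeleteVpc": "VPC deleted",
    "CreateAccessKey": "new IAM access key", "DeleteHostedZone": "Route 53 zone deleted",
    "ChangeResourceRecordSets": "DNS records changed", "RunInstances": "instances launched",
}

def triage(record):
    """Return the reasons one record deserves review (empty list if none)."""
    reasons = []
    name = record.get("eventName", "")
    if record.get("userIdentity", {}).get("type") == "Root":
        reasons.append("root account activity")
    if name in WATCHED:
        reasons.append(WATCHED[name])
    if name.startswith("AuthorizeSecurityGroup"):  # rule opened to the whole internet?
        params = record.get("requestParameters") or {}
        for perm in (params.get("ipPermissions") or {}).get("items", []):
            for rng in (perm.get("ipRanges") or {}).get("items", []):
                if rng.get("cidrIp") == "0.0.0.0/0":
                    reasons.append(f"security group opened to {rng['cidrIp']}")
    return reasons

def triage_log(body):
    """Parse one CloudTrail log file ({"Records": [...]}); map eventID -> reasons."""
    flagged = {}
    for rec in json.loads(body)["Records"]:
        reasons = triage(rec)
        if reasons:
            flagged[rec["eventID"]] = reasons
    return flagged

# Constructed sample: root console login, StopLogging by an IAM user,
# SSH opened to the world, and one benign read-only call that must not fire.
USER = {"type": "IAMUser", "userName": "deploy"}
SAMPLE_LOG = json.dumps({"Records": [
    {"eventID": "e1", "eventName": "ConsoleLogin", "userIdentity": {"type": "Root"}},
    {"eventID": "e2", "eventName": "StopLogging", "userIdentity": USER},
    {"eventID": "e3", "eventName": "AuthorizeSecurityGroupIngress", "userIdentity": USER,
     "requestParameters": {"groupId": "sg-0123example", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
          "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
    {"eventID": "e4", "eventName": "DescribeInstances", "userIdentity": USER},
]})
```

Real trails deliver gzipped files to S3; feed each decompressed body to `triage_log` and route the flagged records to the event monitoring system described on Page 20.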

Page 19: Cloud Security (AWS)

Monitor


OS / Instances

o “Treat them as cattle, not pets”

o One of these things is not like the

others

o Update FIM snapshot

• New AMI

• New Code

o Collect Syslogs / Event logs (forensics)

[Diagram: the cloud stack with FIM on each instance]

Page 20: Cloud Security (AWS)

Event Monitoring System

Collect & correlate logs to detect security events

o Oh $4!#! principle

Page 21: Cloud Security (AWS)

Assess (MAD)

Page 22: Cloud Security (AWS)

Assess / Test

Do you like working with technology, or would you rather make license plates, do laundry, and be watched 24/7 by armed guards…

o TALK WITH YOUR CLOUD PROVIDER BEFORE DOING SECURITY TESTING!

o GET WRITTEN PERMISSION!

Page 23: Cloud Security (AWS)

Assess / Test

Static code analysis

o Secure coding practices

o Plain text credentials

o AWS access keys

Security architecture reviews

o Dev – Sec – Ops?

CloudFormation Templates

o Review before running in production

Page 24: Cloud Security (AWS)

Assess / Test

IAM

o Roles

• Responsibility

o Users / Instances with privileged roles

o Separation of duties

EC2 AMIs that are in use

Security Group Configuration

Trusted Advisor

Page 25: Cloud Security (AWS)

Assess: Trusted Advisor

Page 26: Cloud Security (AWS)

Defense (MAD)

Page 27: Cloud Security (AWS)

Defense

Contractual agreements

Vendor attestations

Resilient architecture

o Decoupled

o Auto-Scaling

o Multi-AZ

o Secure

o Automation

o Snapshots/backups

• EBS, RDS, S3


Page 28: Cloud Security (AWS)

Defense

Encryption: Amazon Key Management Service (KMS)

o Centralized key management (CloudTrail)

o Encrypt Elastic Block Storage (EBS) without impacting performance

o Encrypt credentials or other sensitive data

http://aws.amazon.com/kms/


Page 29: Cloud Security (AWS)

Defense

Web Application Firewall (WAF)

o Tune and re-tune it

o Block malicious traffic

o Turn on rate limiting to save $

Evaluate WAF effectiveness by reviewing HTTP request logs

Page 30: Cloud Security (AWS)

Defense

Use Your Identity Provider

o AssumeRoleWithSAML()

o Does anyone have time to manage two IdPs?

Limit creation of AWS Access Keys

o DevOps – temporary access keys

o Applications – EC2 instance roles

o Permanent – least privilege

• Rotate keys regularly

• Scour code and configs

Source: http://docs.aws.amazon.com/STS/latest/UsingSTS/STSMgmtConsole-SAML.html
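The "Scour code and configs" bullet here and the static-analysis bullets on Page 23 (plain text credentials, AWS access keys) call for the same check. As an added example, not from the deck, this scanner walks a set of files for committed AWS access key IDs and secret keys and reports masked matches; the file contents are constructed and use AWS's documented example key pair, and the key-format patterns are an assumption about the key formats, not an AWS-provided rule.

```python
"""Scan source files and configs for committed AWS credentials, the check behind
"Scour code and configs" (added example, not from the deck; file contents below are
constructed and use AWS's documented example key pair)."""
import re

# Access key ids are 20 chars: AKIA (long-term) or ASIA (temporary) + 16 of [A-Z0-9].
KEY_ID = re.compile(r"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")
# Secret keys are 40 base64-ish chars; only flag one next to a telling name so
# ordinary hashes and tokens do not trip the scanner.
SECRET = re.compile(r"(?i)(?:aws_?secret(?:_access)?_?key|secret_?key)\s*[=:]\s*['\"]?"
                    r"([A-Za-z0-9/+]{40})(?![A-Za-z0-9/+])")

def mask(value):
    """Keep just enough of a credential to match it against the IAM inventory."""
    return value[:4] + "*" * (len(value) - 8) + value[-4:]

def scan_text(path, text):
    """Return (path, line number, kind, masked value) for every hit in one file."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in KEY_ID.finditer(line):
            hits.append((path, lineno, "access key id", mask(m.group(0))))
        for m in SECRET.finditer(line):
            hits.append((path, lineno, "secret access key", mask(m.group(1))))
    return hits

def scan_files(files):
    """files: {path: contents}. Return every hit sorted by path and line."""
    return sorted(h for path, text in files.items() for h in scan_text(path, text))

# Constructed repository snapshot: a config holding both halves of a key pair,
# a script with a hard-coded key id, and a clean file with a 40-char look-alike.
SAMPLE_FILES = {
    "config/settings.ini": "[default]\naws_access_key_id = AKIAIOSFODNN7EXAMPLE\n"
                           "aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n",
    "deploy.sh": "#!/bin/sh\nexport AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n",
    "README.md": "Credentials come from the instance role; build token "
                 "0123456789abcdefghijklmnopqrstuvwxyzABCD is not a key\n",
}
```

Run it over the working tree in CI and against full git history before publishing a repository, since the quoted incident on the next slide shows a revert alone does not remove a key from the history.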


Page 31: Cloud Security (AWS)

Defense

AWS Access Keys Anyone?

o “When I got to GitHub, I checked … and sure enough it [had] my API keys…crap!”

o “I reverted the last few commits, and deleted all traces from GitHub … within about 5 minutes.”

o “When I woke up the next morning I had four emails from Amazon AWS and a missed phone call … something about 140 servers running on my AWS account.”

o “Boom! A $2375 bill”

o “Amazon was kind enough to drop the charges this time!”

Source: http://www.devfactor.net/2014/12/30/2375-amazon-mistake/


Page 32: Cloud Security (AWS)

Defense

MFA on AWS root and highly privileged accounts

Separation of Duties & Least Privilege

o IAM, VPC Privileges, Route53, etc.

o Access to backups and snapshots needs special protection

CodeSpaces

o “Code Spaces will not be able to operate beyond this point”

o “upon seeing us make the attempted recovery of the account [attacker] proceeded to randomly delete artifacts”

o “[attacker deleted] all EBS snapshots, S3 buckets, all AMI's, some EBS instances and several machine instances”

Source: http://www.darkreading.com/attacks-breaches/code-hosting-service-shuts-down-after-cyber-attack/d/d-id/1278743


Page 33: Cloud Security (AWS)

Defense: Incident Response

Investigate without tipping off the attacker

Automate your response, assume the attacker has automated his

Page 34: Cloud Security (AWS)

Defense

OS / AMI

o Use trusted, securely configured AMIs - Update Often (patching)

o AWS Marketplace has DISA STIG compliant AMIs

o If FIM tests fail: investigate, new instance, isolate old (SG)

o Auto-scaling will use the AMI(s) you configure – make sure it’s the right one

o SSH Keys / Admin Passwords

• Bastion

• Prod and non-prod

• Managed in your custom AMIs

[Diagram: the cloud stack with FIM on each instance]

Page 35: Cloud Security (AWS)

Defense

NACLs

o IPv4

o Stateless

o Inbound/Outbound

o Soft Limit of 20/20 per subnet

o Block 22, 3389, etc.

o (Don’t lose hope yet)


Page 36: Cloud Security (AWS)

Defense

Security Groups

o IPv4

o Stateful

o Inbound/Outbound

o Apply to an instance or group of instances (across AZ)

o AWS limits on the number of security groups and rules per security group


Page 37: Cloud Security (AWS)

Defense: Security Groups

Inbound rules

  Source (in)   Protocol   Port(s)   Comment
  0.0.0.0/0     TCP        80        HTTP
  0.0.0.0/0     TCP        443       HTTPS
  0.0.0.0/0     ICMP       N/A       Ping
  Default Deny

Outbound rules

  Dest (out)    Protocol   Port(s)   Comment
  SG_WAF        TCP        8080      WAFs
  Default Deny

Page 38: Cloud Security (AWS)

Defense: Security Groups

Inbound rules

  Source (in)   Protocol   Port(s)   Comment
  BAST_SG       ANY        All       Admin
  SG_IN_ELB     TCP        8888      Internal
  Default Deny

Outbound rules

  Dest (out)    Protocol   Port(s)   Comment
  SG_DB         TCP        1433
  Default Deny
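The rule tables on these two slides can be checked mechanically. This added example (not from the deck) audits constructed security groups, in the shape describe-security-groups returns, for an internet-facing tier (only 80/443/ICMP from anywhere, never 22 or 3389 from anywhere, per the NACL slide) and an internal tier (sources must be other security groups); group ids such as sg-bastion are placeholders, and only ingress is checked.

```python
"""Audit ingress rules against the tiering on these two slides: an internet-facing
group accepts only 80/443/ICMP from anywhere and never 22/3389, an internal group
accepts only from other security groups. Added example, not from the deck; the
groups below are constructed in the shape describe-security-groups returns."""
ADMIN_PORTS = {22, 3389}
WORLD = {"0.0.0.0/0", "::/0"}
PUBLIC_OK = {("tcp", 80, 80), ("tcp", 443, 443), ("icmp", -1, -1)}

def covers_port(perm, port):
    """True if a TCP port falls inside the permission (IpProtocol -1 = all traffic)."""
    if perm["IpProtocol"] == "-1":
        return True
    return perm["IpProtocol"] == "tcp" and perm.get("FromPort", -1) <= port <= perm.get("ToPort", -1)

def audit_group(sg, internal):
    """Return findings for one group. internal=True means CIDR sources are not
    allowed at all: only UserIdGroupPairs, as on the second slide."""
    findings = []
    gid = sg["GroupId"]
    for perm in sg.get("IpPermissions", []):
        rule = (perm["IpProtocol"], perm.get("FromPort", -1), perm.get("ToPort", -1))
        cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        for cidr in cidrs:
            if internal:
                findings.append(f"{gid}: CIDR source {cidr} on an internal tier")
            elif cidr in WORLD and any(covers_port(perm, p) for p in ADMIN_PORTS):
                findings.append(f"{gid}: admin port open to {cidr}")
            elif cidr in WORLD and rule not in PUBLIC_OK:
                findings.append(f"{gid}: {rule[0]} {rule[1]}-{rule[2]} open to {cidr}")
    return findings

# Constructed groups mirroring the two slides (placeholder ids), plus a bad one.
WEB_SG = {"GroupId": "sg-web", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "icmp", "FromPort": -1, "ToPort": -1, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
]}
APP_SG = {"GroupId": "sg-app", "IpPermissions": [
    {"IpProtocol": "-1", "UserIdGroupPairs": [{"GroupId": "sg-bastion"}]},
    {"IpProtocol": "tcp", "FromPort": 8888, "ToPort": 8888,
     "UserIdGroupPairs": [{"GroupId": "sg-in-elb"}]},
]}
BAD_SG = {"GroupId": "sg-bad", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080, "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},
]}
```

Run `audit_group` over the output of `aws ec2 describe-security-groups` on a schedule and on every CloudTrail AuthorizeSecurityGroupIngress event to catch drift from the tables above.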

Page 39: Cloud Security (AWS)

Defense

Bastion Host

o Leave it off (Stopped) until you need it

Page 40: Cloud Security (AWS)

Cloud Nirvana

Do you need admin access to production?

o AWS or Bastion

o Automation -> APIs, CloudFormation Templates, Logs

Page 41: Cloud Security (AWS)

Additional Resources

AWS Security Whitepapers

o http://aws.amazon.com/whitepapers/

Re:Invent 2014 - Building a DDoS Resilient Architecture with AWS

o https://www.youtube.com/watch?v=OT2y3DzMEmQ

AWS Key Management Service (KMS)

o http://aws.amazon.com/kms/

RDS Logging

o http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Welcome.html

AWS QwikLABS

o https://run.qwiklab.com/