iam:CreateAccessKey

LAUNCH INSTANCES MODULE
- Auto-detects the configuration needed to launch EC2 instances
- Can launch one or multiple instances
- Can execute setup scripts

LOCKOUT USERS MODULE
- Requires an IAM admin role (created by the previous module)
- Enumerates all users and access keys
- Accepts a user to keep
- Locks out all other accounts

DISCLAIMER
- This is not an Amazon Web Services issue
- This is a DevOps education issue
- It is the user's responsibility to understand the technology being used
- With power-user privileges comes great responsibility
DEMO: PUTTING IT ALL TOGETHER
[Diagram of the demo environment; only its labels survive extraction: Attacker, Proxy, Jenkins, VPC 10.0.0.0/16, IGW, SSH, AWS API, and arrows numbered 1 to 3.]

HOW DO WE STAY SAFE IN THE CLOUD?

Staying Safe in the Cloud: IAM Best Practices
- Add MFA to the root user and remove the root user's access keys
- Create individual IAM users
- Use groups to assign permissions to IAM users
- Grant least privilege
- Configure a strong password policy for users
- Enable MFA for all users
- Use roles for applications running on EC2
- Detach roles from applications that don't need them (*New)

Staying Safe in the Cloud: IAM Best Practices (continued)
- Delegate by using roles instead of by sharing credentials
- Rotate passwords and access keys regularly
- Remove unnecessary credentials
- Use policy conditions for extra security
- Monitor activity in your AWS account (CloudTrail)
See: https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html

Staying Safe in the Cloud: Practice Separation of Duties
- Can all your users perform IAM actions? Only a subset of users should be IAM admins
- Can any instance perform IAM actions? Heavily restrict IAM actions on instances
- Audit your users, groups and roles
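The audit the separation-of-duties slide asks for, as an added example that is not code from the slides or from the Cumulus toolkit. It walks an inline, constructed snapshot of roles and users with their policy documents (names such as jenkins-worker, alice and bob and the account ID are made up for the example) and reports every principal that can perform sensitive IAM actions, marking roles the EC2 service can assume, since those are the ones whose credentials an instance hands out. Evaluation follows IAM's Allow/Deny precedence, NotAction and case-insensitive wildcard matching; Resource and Condition are deliberately ignored so that scoped grants are still reported for manual review. No AWS calls are made.

```python
"""Audit identity-based IAM policies for principals able to perform sensitive
IAM actions. Added example: not code from the slides or the Cumulus toolkit.
Input is a constructed, inline snapshot in the shape you would assemble from
iam:ListRoles / iam:GetRolePolicy / iam:GetPolicyVersion and the user
equivalents; no AWS calls are made. Resource and Condition are ignored on
purpose: a scoped or conditional grant is still reported, which is the safe
direction for an audit (a human reviews those).
"""
import fnmatch

# Actions that let a principal mint credentials or escalate. The Cumulus
# modules above need iam:CreateAccessKey and an admin role, so these are the
# ones to hunt for on instance roles and ordinary users.
SENSITIVE_IAM_ACTIONS = (
    "iam:CreateAccessKey", "iam:UpdateAccessKey", "iam:DeleteAccessKey",
    "iam:CreateUser", "iam:DeleteUser", "iam:CreateLoginProfile",
    "iam:UpdateLoginProfile", "iam:CreateRole", "iam:PassRole",
    "iam:AttachUserPolicy", "iam:AttachRolePolicy",
    "iam:PutUserPolicy", "iam:PutRolePolicy",
)

def _as_list(value):
    """Statement, Action, NotAction and Service may be a string or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def _action_matches(pattern, action):
    """IAM action matching is case-insensitive with * and ? wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())

def allowed_actions(policy_docs, candidates):
    """Subset of candidates the documents allow, per IAM evaluation: nothing by
    default, any Allow grants, a Deny in any document wins over every Allow.
    NotAction statements match everything except the listed patterns."""
    allowed, denied = set(), set()
    for doc in policy_docs:
        for stmt in _as_list(doc.get("Statement")):
            if "Action" in stmt:
                pats = _as_list(stmt["Action"])
                hit = {a for a in candidates if any(_action_matches(p, a) for p in pats)}
            else:
                pats = _as_list(stmt.get("NotAction"))
                hit = {a for a in candidates if not any(_action_matches(p, a) for p in pats)}
            (allowed if stmt.get("Effect") == "Allow" else denied).update(hit)
    return allowed - denied

def ec2_assumable(trust_policy):
    """True if the EC2 service may assume the role, i.e. it can back an
    instance profile and its credentials are reachable from the instance."""
    for stmt in _as_list(trust_policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        if principal == "*":
            return True
        if isinstance(principal, dict):
            services = _as_list(principal.get("Service"))
            if "ec2.amazonaws.com" in services or "*" in services:
                return True
    return False

def audit(snapshot):
    """(name, kind, sorted actions) for every principal holding at least one
    sensitive action; kind is instance-role, role or user."""
    findings = []
    for role in snapshot["roles"]:
        granted = allowed_actions(role["policies"], SENSITIVE_IAM_ACTIONS)
        if granted:
            kind = "instance-role" if ec2_assumable(role["trust"]) else "role"
            findings.append((role["name"], kind, sorted(granted)))
    for user in snapshot["users"]:
        granted = allowed_actions(user["policies"], SENSITIVE_IAM_ACTIONS)
        if granted:
            findings.append((user["name"], "user", sorted(granted)))
    return findings

EC2_TRUST = {"Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                            "Principal": {"Service": "ec2.amazonaws.com"}}]}

# Constructed snapshot; every name and policy here is made up for the example.
SNAPSHOT = {
    "roles": [
        # The role Cumulus hopes to find on a Jenkins box: full IAM from an instance.
        {"name": "jenkins-worker", "trust": EC2_TRUST, "policies": [
            {"Statement": [{"Effect": "Allow", "Action": "iam:*", "Resource": "*"}]}]},
        # Same box after "heavily restrict IAM actions on instances": only what
        # the job needs, plus an explicit Deny as a guard rail against later Allows.
        {"name": "jenkins-worker-hardened", "trust": EC2_TRUST, "policies": [
            {"Statement": [{"Effect": "Allow", "Action": ["ec2:Describe*", "s3:GetObject"], "Resource": "*"}]},
            {"Statement": [{"Effect": "Deny", "Action": "iam:*", "Resource": "*"}]}]},
    ],
    "users": [
        # "Everything except IAM": the NotAction pattern that keeps IAM admin a separate duty.
        {"name": "alice", "policies": [
            {"Statement": [{"Effect": "Allow", "NotAction": "iam:*", "Resource": "*"}]}]},
        # Self-service key rotation. Still reported, because Resource is not
        # evaluated; the reviewer confirms the ARN really is limited to the caller.
        {"name": "bob", "policies": [
            {"Statement": [{"Effect": "Allow", "Action": ["iam:CreateAccessKey", "iam:ListAccessKeys"],
                            "Resource": "arn:aws:iam::123456789012:user/${aws:username}"}]}]},
    ],
}

if __name__ == "__main__":
    for name, kind, actions in audit(SNAPSHOT):
        print(f"{kind:14} {name:24} {', '.join(actions)}")
```

Against a real account, feed it the documents returned by iam:ListRoles, iam:GetRolePolicy, iam:ListAttachedRolePolicies and iam:GetPolicyVersion plus the user equivalents. Group membership, permission boundaries and service control policies are not modelled, so a user that inherits IAM rights through a group still has to be checked by expanding the group's policies into that user's list.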
Staying Safe in the Cloud: Beware of Tunnels
- Do you use VPN tunnels between AWS and
  - data centers
  - other AWS accounts (or VPC peering)
  - other hosts?
- Attacks can traverse these tunnels
- Lock down security groups

Staying Safe in the Cloud: Monitor Your CloudTrail
- Will someone notice when
  - a new user is created in your account?
  - a resource is created in an unused region?
- Will you notice right away, or at the end of the month?
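Detection logic for the two questions on this slide (and for the appendix item "Monitor IAM actions using AWS CloudTrail"), as an added example that is not code from the slides or from the Cumulus toolkit. It parses a CloudTrail log object and flags identity-creating IAM calls, with a separate label when they come from a role session (an instance doing IAM work), and resource creation in regions outside an allow-list. The log, the region list, the timestamps, account ID, user names and ARNs are all constructed for the example; it runs offline.

```python
"""Detection for the CloudTrail slide: did someone create (or re-arm) an
identity, and did a resource appear in a region we do not use?
Added example, not code from the slides or the Cumulus toolkit. SAMPLE_LOG is
constructed in the shape of a CloudTrail S3 object ({"Records": [...]}); the
times, names, account ID and ARNs are made up. Runs offline.
"""
import json

# Regions this (hypothetical) account is supposed to use. Everywhere else is
# where an attacker parks instances, because nobody has the console open there.
USED_REGIONS = {"us-east-1", "us-west-2"}

# IAM write calls that create or re-arm an identity. These are exactly the
# calls the "create IAM admin" and "lockout users" modules have to make.
IDENTITY_EVENTS = {
    "CreateUser", "CreateAccessKey", "CreateLoginProfile", "UpdateLoginProfile",
    "AttachUserPolicy", "PutUserPolicy", "CreateRole", "AttachRolePolicy",
    "PutRolePolicy", "DeleteUser", "DeleteAccessKey", "UpdateAccessKey",
}
# Resource creation calls worth flagging when they happen outside USED_REGIONS.
RESOURCE_EVENTS = {"RunInstances", "CreateVpc", "CreateSecurityGroup", "CreateKeyPair"}


def load_records(text):
    """Parse one CloudTrail log object (the JSON CloudTrail writes to S3,
    after gunzip) into its list of event records."""
    return json.loads(text)["Records"]


def _actor(record):
    """Readable principal: the IAM user name, or the session ARN for assumed
    roles, which is what an EC2 instance role shows up as."""
    ident = record.get("userIdentity", {})
    kind = ident.get("type", "?")
    if kind == "IAMUser":
        return "user:" + ident.get("userName", "?")
    if kind == "AssumedRole":
        return "role:" + ident.get("arn", "?")
    return kind


def analyze(records):
    """Return one finding per suspicious record, in log order.

    Failed calls (errorCode present) are reported too: a denied
    iam:CreateAccessKey is someone probing, not noise.
    """
    findings = []
    for r in records:
        name = r.get("eventName", "")
        region = r.get("awsRegion", "")
        params = r.get("requestParameters") or {}
        base = {"time": r.get("eventTime"), "actor": _actor(r), "event": name,
                "region": region, "failed": "errorCode" in r}
        if r.get("eventSource") == "iam.amazonaws.com" and name in IDENTITY_EVENTS:
            # IAM work from a role session usually means an instance is doing
            # it, which the separation-of-duties slide says it never should.
            from_role = r.get("userIdentity", {}).get("type") == "AssumedRole"
            findings.append({**base,
                             "target": params.get("userName") or params.get("roleName"),
                             "reason": "identity-change-from-role" if from_role else "identity-change"})
        elif name in RESOURCE_EVENTS and region not in USED_REGIONS:
            findings.append({**base, "target": None, "reason": "unused-region"})
    return findings


# Constructed sample log: a Jenkins instance role creates a backdoor user and
# key, that user launches an instance in an unused region, and a denied probe.
SAMPLE_LOG = """{"Records": [
{"eventTime": "2016-11-02T17:00:01Z", "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances", "awsRegion": "us-east-1", "userIdentity": {"type": "IAMUser", "userName": "alice"}},
{"eventTime": "2016-11-02T17:04:12Z", "eventSource": "iam.amazonaws.com", "eventName": "CreateUser", "awsRegion": "us-east-1", "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::123456789012:assumed-role/jenkins-worker/i-0123456789abcdef0"}, "requestParameters": {"userName": "backdoor"}},
{"eventTime": "2016-11-02T17:04:13Z", "eventSource": "iam.amazonaws.com", "eventName": "CreateAccessKey", "awsRegion": "us-east-1", "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::123456789012:assumed-role/jenkins-worker/i-0123456789abcdef0"}, "requestParameters": {"userName": "backdoor"}},
{"eventTime": "2016-11-02T17:09:40Z", "eventSource": "ec2.amazonaws.com", "eventName": "RunInstances", "awsRegion": "ap-southeast-1", "userIdentity": {"type": "IAMUser", "userName": "backdoor"}, "requestParameters": {"instancesSet": {"items": [{"imageId": "ami-00000000"}]}}},
{"eventTime": "2016-11-02T17:15:00Z", "eventSource": "ec2.amazonaws.com", "eventName": "RunInstances", "awsRegion": "us-west-2", "userIdentity": {"type": "IAMUser", "userName": "alice"}},
{"eventTime": "2016-11-02T17:20:30Z", "eventSource": "iam.amazonaws.com", "eventName": "CreateAccessKey", "awsRegion": "us-east-1", "userIdentity": {"type": "IAMUser", "userName": "bob"}, "requestParameters": {"userName": "admin"}, "errorCode": "AccessDenied", "errorMessage": "User: arn:aws:iam::123456789012:user/bob is not authorized to perform: iam:CreateAccessKey"}
]}"""

if __name__ == "__main__":
    for f in analyze(load_records(SAMPLE_LOG)):
        print(f"{f['time']} {f['reason']:26} {f['event']:16} {f['actor']} -> {f['target']} "
              f"({f['region']}{', DENIED' if f['failed'] else ''})")
```

Run over the gunzipped objects CloudTrail delivers to S3 (or the same records from CloudWatch Logs) this answers "right away" rather than "at the end of the month": the two role-session IAM calls and the ap-southeast-1 launch are the demo's attack chain, and the denied CreateAccessKey is the kind of probe that precedes it.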
Staying Safe in the Cloud: Test for Security
- Is your AWS footprint covered by
  - threat models?
  - vulnerability scanners?
  - penetration tests?
  - red team exercises?

Staying Safe in the Cloud: Awareness
- Security training
- Conferences like this one
- Read the IAM Best Practices and security whitepapers
- Build a community around cloud security
Questions?
Javier Godinez
Thank you!

Cumulus - A Cloud Exploitation Toolkit: https://drive.google.com/file/d/0B2Ka7F_6TetSNFdfbkI1cnJHUTQ
See the cumulus branch: https://github.com/godinezj/metasploit-framework
Control Plane: https://github.com/devsecops/controlplane/

APPENDIX: HOW TO APPLY THIS KNOWLEDGE
- Read the AWS IAM Best Practices documents: http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html
- Monitor IAM actions using AWS CloudTrail
- Audit your AWS account's IAM policies and roles
- Red team your applications and instances: https://www.metasploit.com
- Think to yourself: how would an attacker use this against me?
- Use repeatable secure patterns: https://github.com/devsecops
- Help build awareness through community: http://www.devsecops.org

UNDERSTANDING THE TECHNOLOGY YOU USE
- How fast can I move while still staying safe?
- Always develop in a separate account (blast radius containment)
- Read the docs for everything and make conscious choices
- Attackers will try to leverage everything against you
- Bleeding edge does not mean stable and secure; however, it can be with enough testing