
...theirs, that they could use some of your love for a $40 event. They've really offered a lot, and they're the only reason that we're able to have these nice badges and all this content for such a low price. So after the talks, go downstairs, get some swag, leave your name on the mailing list if you're interested in their products, and thank them for what they've done here.

Our speaker here is Scott Arviseth. He's going to speak on cloud security. His presentation is sponsored by Cyber 11. Scott is a security architect for a small local organization that some of you may have heard of, the Church of Jesus Christ of Latter-day Saints. Small. He's worked in the security field for over 15 years and worn several hats, from developer to architect. He holds a GCFA, a GCIH and a GPEN. He earned his bachelor's in computer engineering, and when not at work he enjoys spending time with his family.

The abstract of this talk: the cloud is here to stay. Organizations are moving to the cloud to reap the benefits of agility and simplicity that it provides. Security is possible in the cloud, but it's going to require us to take a different approach, and that approach depends on the cloud service the organization is consuming. Many cloud vendors are saying that security is a shared responsibility, but what does that really mean? What are the boundaries, and how does that affect my network controls, and so on? I'm going to leave it up to Scott to tell us about that. Hear it for Scott.
Can you hear me all right?

Oh, this one? Okay. Maybe if I move it closer, does that work better?

Sorry, I promise it was working 10 minutes ago. All right.
All right, well, thank you. Let's talk a little bit about cloud security. When we talk about the cloud, the cloud means a lot of different things to a lot of different people, and it really depends on what you're looking at. If you're looking at infrastructure as a service, platform as a service, software as a service, or software and services, they're all different types of services that you can get in the cloud. Usually when we're talking about moving into the cloud you hear a lot of things like agility, scalability, resiliency, high availability. But where does security fit into all of that? That's what we're going to talk a little bit about today.

When you talk about the cloud, what's really behind the cloud? We're going to focus today a whole lot on Amazon Web Services. If you look at the Gartner reports, obviously Amazon is the clear market leader in cloud services. In the case of Amazon Web Services you're looking at regions that are worldwide; they have 11 different regions all around the world. Basically what a region is, is a set of separate and distinct data centers. They call those things availability zones, and they have separate power, they have separate network, they have all different types of things there. They also have about 50 edge locations, basically your CDN stuff, your static content.

If you look at each one of those data centers, you've got your traditional application stack there, where you've got your data up on top, you've got your application, you have framework, operating system, your virtual network, which is basically your VMs running on a hypervisor, on down to the physical facilities. So as we approach this, we're going to look at that stack and how we go about securing our applications out in the cloud. You see this phrase all over the place: security is a shared responsibility. That's especially true inside of the cloud. What you need to understand is what is your responsibility and what is your provider's responsibility, and that really depends on the type of service that you're trying to purchase from the cloud. If you're looking for software as a service, you may only be responsible for that top layer, the data. If you're looking at platform as a service, you're looking at about the app framework on up. If you're looking for infrastructure as a service, you're really looking at from that virtual network on up.

When you're evaluating cloud providers there are a few things that you really need to look at, right? Really, what sort of contracts are they going to be willing to enter with you, as far as their responsibility, as far as your responsibility? When you look at what's actually in the contract, what are they putting on their limits there, what are the financial limits, what sort of assurances are they willing to give you? Also look to see what those providers provide in the way of attestations, right? If you're working on, for example, building a PCI implementation out in the cloud, does your provider have a Level 1 PCI compliance attestation that they're willing to give you, and has that been done by a third party rather than that organization? You really need to make sure that those fit the application that you're putting out there in the cloud.

So as I said earlier, we're going to really focus in on Amazon Web Services. There are plenty of other services out there; this is just the one that I think is the most interesting to talk about. We're going to build our application, a basic web application essentially, out on Amazon Web Services, and we're going to talk about how we're going to secure it. So really what we're looking at is infrastructure as a service on up, so virtual network on up, and then we're going to use some PaaS solutions as well with relational databases. How do we secure those things on up?
Before we build any sort of application, I think the first step we always need to do is evaluate the risk, right? What are the things that we need to be most concerned about with our application? When you look at it, where on this stack do you think our biggest risks lie? Are they down at the virtual network layer, the data layer, the application layer? If you look at the Verizon Data Breach and Incident Report from 2014 you see a couple of things. First off, I've got the actions down there; I don't want those numbers to confuse you. The 1, 3, 3, 2, 7, 7, those are the three most occurring actions that the attackers took. So for 2014, stolen creds were number one, exporting data was number two; the previous year three and seven, the previous year three and four. So we're really looking at the things as we trend over the last three years: these are really the top things that attackers are trying to do. Let's go up to look at incident classification. Web application attacks, number one on the list. That, as Verizon says in the report, is the proverbial punching bag of the internet. Every web application is different, you don't have a lot of people developing those things, there are a lot of vulnerabilities in that. Even more interesting, 88 percent of those organizations whose web applications were attacked did not detect it. Number two on the list, obviously, cyber espionage: basically people clicking on a link, or getting sent some sort of malware in email, or picking up a USB drive, or doing something. Again, externally discovered most of the time. So when we look at where those risks lie, you're looking at the higher layer of the stack. The network type of thing is something we need to worry about, but our application is what they're going after, and that's what's going to be compromised, and we're not seeing it as organizations. When was the last time you heard of somebody breaking into a data center and taking some... You just don't hear about that, right? It doesn't occur today. So also, who are the attackers going to target? Are they going to target our users, or developers, or our DevOps teams? I think that's pretty obvious: they're going to be going after our DevOps teams.

So let's go ahead and start building our application. Here is the Amazon AWS dashboard. We don't have near enough time to go through all of this stuff, but this gives you an idea, after you get your account set up and you get logged in. Not only that, they also have a whole bunch of CLIs and APIs that you can integrate with. The whole purpose of Amazon cloud services is moving into the cloud, but also getting things automated. So the less that you have to do manually, the better off you're going to be. That gives you the scalability, that gives you the availability, the resiliency that you want. We're going to hit up on that throughout the presentation.

So here's our basic architecture, and we're just going to drill through at a very quick pace all the different services I'm going to use in this simple implementation. We start out with our
account, right? That account is what's assigned to me; it has my credit card information, my business information on it. Everything that I do out there is going to be charged back to me. With that account I can set up essentially virtual private clouds, VPCs, anywhere in the world. We talked about the 11 regions; US East is one of those regions. They have them on the West Coast, they have them in Europe, they have them in Australia, they have them all over. Everything that I do with my account I manage with their IAM service, Identity and Access Management. Everything that those users do with that account I can track with CloudTrail. So when they spin up a new VPC, when they delete a VPC, when they create instances, all those types of things I can track in CloudTrail.

When we talk about data storage there are a lot of different options here; we're just going to talk about S3, Simple Storage Service. Since I want this to scale globally and I may want to spin up VPCs in other areas besides US East, I'm going to use Amazon's Route 53, which will basically take a look at the clients, the users that are connecting to my service, decide which is the nearest or the best location for them to go to to interact with my application, and route them that way. I'm going to use a CDN as well, which in Amazon terms is called CloudFront. There are obviously other CDN services besides Amazon's; some of those other CDN services allow you to put the web application firewall out there as well, but in this case we're not going to do that.

We talked about the VPC, that's my virtual private cloud. Inside of that VPC I've got my internet gateway that I'm going to put on my public subnet, my DMZ subnet, and then I have NACLs, network access control lists, that I can put around those subnets, and then inside those subnets I have security groups. We're going to talk about all this again in just a minute; I'm just doing an overview here. All my traffic is going to come into my elastic load balancer, and that's going to basically round-robin to my instances. I've got a whole bunch of instances. These are built with AMIs, if you're not familiar with that term, Amazon Machine Images, which is basically just a VM image that I can use to deploy, that I can spin up my instances with. So I have several different instances here. As I mentioned, I'm also using platform as a service with Amazon's relational databases; I have a master and slave that I'm going to be using. Everything that I do within this environment, within this account, I'm going to be able to monitor with Amazon's CloudWatch, so we'll be able to look at CPU usage, look at disk usage, all that type of thing. I'll be able to monitor that remotely. And then for the real key infrastructure that I have here, I'm going to have auto scaling groups, so as more and more traffic comes into my website I'm going to be able to automatically scale my web application servers and my app servers horizontally to meet that demand. One of the coolest things about Amazon now: when it comes to capacity planning I don't really have to worry about that as much. What I have to make sure I do is that I've designed my architecture so they can do that automatic scaling. I've also put all my architecture in two different availability zones, so for example if availability zone one goes out in Amazon, I can immediately roll over seamlessly to availability zone two and get that high availability, the uptime that I'm searching for. Finally, if I do things right in the cloud, again we talk all about automation. Automation is key, it's important. That's where CloudFormation templates come in: I can spin up this whole environment, have it automated with CloudFormation templates, so that not only can I build this in production, I can also build the exact same thing for test. If I want to move to a new region because I'm expanding my business, I don't have to go through that whole design and deployment process again. I use a CloudFormation template and immediately it's spun up.

So let's go through a typical user connection here. The user is going to go out and connect to Route 53. It's going to tell them the data center that they're going to go to; actually, we'll send it on to CloudFront where I've got my CDN content, and then if that doesn't have the content, obviously it's going to send it on to my load balancers, which are going to take that request and send it to my web application firewall. We'll decide whether this request is malicious or not malicious. If it isn't, it's going to forward it on to my second load balancer, which is then going to send it on to my application servers, and if they need data, on to the databases, and then the data goes back out the way it came in. Also there may be a need for me to get updates, like maybe my WAF needs to get updates, maybe my app servers need to get updates, so I've set up a NAT services device as well. So that's our architecture.

Now let's talk about administration of this, right? My administration: I've got admins that are going to
authenticate into my account. They're going to have usernames and passwords. If I'm really smart, I'm going to require my admins to set up multi-factor; Amazon supports this, right? So now I don't have to worry so much about my admins: if their username and password get compromised, I don't have to worry so much. If they're compromised, I'm in big trouble. If I've also set things up properly, everybody that logs into my system is going to get assigned a role. That role is going to tell them what privileges they have and what privileges they don't have. Alternatively, there are these things called AWS access keys, which are basically a really long username and password. If I have that access key I no longer have to have multi-factor authentication. That's a good thing for automation; that's a bad thing if those keys get compromised. But again, when I authenticate with those keys, this is what I'm going to use for my automation, right? This is what I have to use for automation, so the security of that stuff is very important. Again, I'm going to get assigned a role, and I'll be able to do things within that Amazon account.

Now we haven't talked about the instances or the machines themselves. In that case, whenever I spin up a new instance, Amazon goes ahead and creates an SSH key; I can decide which one they're going to use. With that SSH key I'll log into my bastion, and I'll be able to get into all my internal hosts to do whatever management I want. So those are some key things to think about in managing this.

So how do we go about securing this simple architecture? We're going to take the traditional strategy that we hear in security, right: monitor, assess, defend. We're going to start out with monitoring, right? Detection is important. Most of the time people are missing just on the detection piece alone, so that's what we're going to focus on first. Detection is important, and that has to be built on a foundation of logs. If I am not collecting logs from absolutely everywhere, my ability to detect, and then maybe even forensicate if I didn't detect, has just gone out the window. So those are crucial pieces. Secondly, assess and test, right? I want to be able to evaluate my security controls, but we're on dangerous ground, because now we've got all of our infrastructure running on a service provider. We need to make sure we know what we're doing when we do that. And finally, defense, right? We want to raise the bar; we want to prevent things from coming in and attacks being successful.

So let's focus in on monitor first. All right, we started out with that stack. We're going to start at the top, generally speaking, and drill down, because as we talked about before, that's where my highest risks are. So obviously we created our web application firewall. We're going to turn it on so that we can catch bursting thresholds, so if we see maybe evidence of a denial of service attack going on, I can detect that. I'm going to have it configured around the OWASP Top 10; I'm not going to go into that in too much detail here. And we're going to have it tuned to the application. The WAF is going to be of absolutely no value to me or my organization if I haven't taken the time to tune my web application firewall.

We talked about collecting logs, and we collect those logs from my application. For my RDSes I'm really going to look at authentication and authorization logs, right? We talked about stolen creds being number two on the list of what people were going to go after, so I'm going to want to maybe build a baseline and figure out what is regular behavior and what is anomalous behavior. I'm going to collect my ELB, elastic load balancer, logs as well, right? And really what I'm looking for there is, I need feedback into my WAF: how effective is my WAF, is it configured properly, am I finding the right things, what things am I missing? If I don't have that feedback, I've got an unstable system there.
That's going to be something I'm going to export; we'll talk about that. So another thing we talked about, S3, Simple Storage Service, right? I can put data in there as well. S3 access logging is not part of CloudTrail logging; it's something that I need to go turn on individually in my S3 buckets. And then I've also got CloudWatch. Your DevOps team are going to be very interested in CloudWatch, because that's how they're going to measure the availability and performance of their application.

Okay, next thing. We talked about CloudTrail a whole lot. When we're looking at what sort of things we want to monitor, we want to use the "oh shoot" principle, right? There are certain things that, if they happen... If my users are getting 404 errors, I'm like, oh darn, I probably want to take care of that. If I see, like, delete VPC show up, that's an "oh shoot" situation, right? And so when I build my monitoring, I want to start at those "oh shoot" moments, where those things are really going to impact me. The Amazon root account is the account that has all privileges, and if you go in and try to take privileges away from that, they just ignore it. You have all privileges with that root account, so that is one account that I want to make sure is locked down, and I'll make sure that for the most part it's never used. If I see in my CloudTrail logs that root account, any activity, that's a phone call. I need to call someone and find out what's going on with that, because that should be multi-factor authentication, and probably someone else should have the hardware token to that. The other thing that I'd be very interested in is if someone goes in and turns off logging for a minute, right? Luckily Amazon will send you the message before it stops logging, but that's very important. Same if I've got somebody maybe a little bit sneaky: maybe they update where that CloudTrail is logging. It's logging into an S3 bucket; if they change it to log to a different bucket, maybe that's another way to hide. So that's another thing. Create, clean VPC: that's a bad day in the cloud if you see that event come across your screen. Did you have a question?
So the question is how often do we do testing, and we should be testing all the time. On the security team we should have the operations team saying, hey, is this still firing? And then also, when you're building this, when you're setting this up, you have to ask the question: this is what I'm expecting, but what's in real use? Is what I'm expecting and what I'm seeing the same thing, and how is that changing over time? And so yes, obviously continuous testing is very important.

Create access key. Amazon access keys, we're going to talk a lot about this, right? Depending on the privileges given to them, the role that's given to them, those are keys into my data center. They can spin up instances, they can delete instances, they can do whatever they want. Those are virtual keys into your data center. So any time an access key is created, I'm going to want to investigate that. I'm going to say, hey, is this expected, who has it, what are the privileges on it, those types of things. Any sort of privileged role assignment, I should probably be following up on that. I'm looking at some of the Route 53: delete hosted zone, so a lot of my DNS entries; if I see an event like that, what's going on? Change resource record set, again, changes, maybe not deleting it but changes to it. Another really interesting thing, and we're going to hit upon this again later, is run instance. I want to look at how many new VM images are being started up, right? If that dramatically increases, did someone just have their account compromised, or did we just lose some AWS access keys? Maybe someone's now spinning up instances to do bitcoin mining. We'll talk about that in a minute as well. Any sort of public security group, those security groups around our instances, any modification to those in that public zone, that's probably something I want to investigate.

On top of that, we talked about IAM, which is very important. Access keys: I'm not going to be able to inventory any of that stuff with CloudTrail; again, it's just telling me the changes. I'm going to spin up a security instance here in my application that I can use with the Amazon APIs, and I can go in and take a look at the access keys: who's the owner, when was the last date that key was recycled, because I'm probably going to want to recycle those every 60 to 90 days, all those types of things I'm going to be interested in.

Let's go down the stack a little bit. OS instances. We talked about the cloud, we talk about agility, right? These OS instances are going to be spun up, spun down based on the load that's coming to my application. As a security expert I need to be able to support my dev, my ops team, and I have to treat those instances, this is a perfect quote that we've used in the church: we have to be able to treat them as cattle. If we're treating them as pets, we're doing it wrong. So our security strategy has to be able to meet the changes that the cloud is pushing at us, and one of the ways that I think really makes sense is file integrity monitoring. For a long time I looked at file integrity monitoring and I said, this makes sense, but it is really hard. Here's a situation or a scenario where I think file integrity monitoring makes sense, right? I want to take those instances, those AMIs that I've got, I want to snapshot them, right? These things are going to be spun up automatically, spun down automatically. It should be easy for me to tell if one of these things is not like the others, right? And if it isn't, then that's something I probably want to investigate. It's going to require me to put a little more process in, be a little bit more disciplined, right? Any time I have new code deployed, any time we start using new AMIs, patching, I'm going to keep those up to date. But again, it's just: here's my image, boom, if it changes I need to be aware of that, right? I'm also going to want to collect syslog and event logs, because if something does occur I may want to do some forensics there.

All right, so we talked about the event monitoring system. I call it event monitoring system because I think in the cloud it makes a lot of sense that the events and the things that I'm looking at from a security perspective are also available to my developer, my operations team, right? There's a good synergy there. They're going to want to look at their logs for operational performance, I want to look for security; if we can bring those things together, that makes a lot of sense in my mind. Again, we talked about that "oh shoot" principle; those are the things I'm going to want to start looking at. And then once I've got those in place, I'm going to want to start looking down into the system. Moving forward, let's go into assess.

All right, so do you like working in the technology field? You want to keep it that way? You need to
be very careful about how you do assessment in the cloud. You're running on someone else's infrastructure, and so if you just go out there and do that, you can get yourself into a lot of trouble. Not just talking to the cloud provider: you also need to talk to the organization you're working at, because you may have permission from the cloud provider but not from your organization, and that will get you into just as much trouble, right? Pen testers talk about getting written permission; they call that their get-out-of-jail-free card, right? If I have that written permission, that tells me what I can do and that I have been given that authorization to do it. So, word of warning to you.

Okay, so let's start looking at assess and test, going back down to our stack. So, static code analysis. There are a lot of tools out there that you can buy right now that will do static code analysis, look for secure coding practices, look for plain-text credentials. We're also going to want to look for plain-text access keys in there, right? If those access keys are in there, then anybody who has access to that code can get those keys, and I'm going to have an "oh shoot" moment for sure, right? We talk about DevOps all the time, but why don't we insert security into that whole process? Who on my dev and my DevOps team is the belly button, the person responsible for security? I think that's something that we've got to look at when we move to the cloud. We could have risk managers, we have security architects that these people can come to and talk to, but when it comes down to it, who is responsible for security on that dev team? As they're building this, as they're writing their code, as they're doing all these things, who's responsible to make sure that all those security tasks get done? CloudFormation templates, we talked about that, the ability to create our application out there in the cloud. We should have a process about reviewing that before running that and pushing things out into production.

Drilling down a little bit, we talked about this before: identity and access management. We should be looking at what roles and who has the responsibility to make sure that those roles are assigned, or people moving in and out of the development team, make sure that that's up to date. Remember, in the cloud, users and instances can have privileged roles, and if I am maybe a user that has lower roles, but I can SSH into an instance that has elevated roles, I just got elevation of privs by SSHing to that application. So I should be looking real closely at what type of roles I'm assigning to my instances and what's going on there. Another important thing is separation of duties. This is not anything new to anybody here; we're going to talk about why that's really important in the cloud, though. One thing again: this is something that we should be able to automate in the cloud. We have those APIs, we have the CLI; this is not a manual process. We need to think about making this an automated process. That way it's done automatically, and I don't have to spend a lot of time or resources in order to do this.

Okay, we want to look at the AMIs, Amazon Machine Images. We want to make sure that we're looking at those to see which ones are in use. There are a lot of AMIs out there that are built by other people. We don't know who those people are; if we start using those, what sort of risk have we just exposed our organization to, right? So, assessing what we're using there. Security group configuration, we'll talk about that more; that's the network controls around each instance or group of instances. And Amazon has another thing called Trusted Advisor, which is basically Amazon's way of looking at all the best practices. I apologize this isn't a very clear capture that I've got here, but it's going to go through and look at all the common mistakes that people have made in moving to the cloud. So for example, MFA not on the root account: that is a check, and you will get that in Trusted Advisor. This is the console view of it; this is also available in the CLI, so that's something you can automate. If anything shows up here as being a risk, you can put it into your event management system and have someone look at it. It looks at S3 bucket access controls, it looks at CloudTrail logging, it looks at a whole
bunch of things. We're not going to go into all those here.

All right, let's talk about defense real quickly. Okay, we're going to look at this; this covers the whole stack initially, right? Contractual agreements, vendor attestations, right? I want to make sure that the portion that the vendor, my cloud provider, is responsible for is covered in my contract. If it's not, even though I may think that I don't have to worry about those things, I still do, because it's not in my contract. I also want to look at vendor attestations, right? That's important, to make sure that what they're saying has been validated by a third party.

All right, we talked about a resilient architecture, and we're going to go over that a lot. When you're looking at the cloud, resilient architecture means a lot of things. First, your application has to be decoupled. Your instances that are out there running have to do one thing, and that one thing really well. If it's doing a lot of things and is relying on state on other systems and stuff like that, I've not decoupled my application, and it's likely that I'm not going to be successful in an auto scaling implementation in the cloud. We talked about multi-availability zones, so if one availability zone goes down, I can roll over to the other one without it affecting my uptime. And obviously security is important. We talked about automation being key in the cloud. Also I want to make sure that all of my snapshots and my backups of my data have a process in place there. My, excuse me, EBS, that's basically going to be my elastic block storage. When I spin up a new instance there is a portion of that instance that is volatile, and when I stop or shut down that instance it disappears, it's no longer there. And then I have my attached storage, the EBS; that's going to be non-volatile, and I can take that EBS and I can detach it from one instance and attach it to another one. That's where I'm going to be able to keep my data static. I'm going to need to have backups and all that.

Okay, let's start out with encryption. Amazon has a great service called Key Management Service, KMS. It's basically centralized key management. Any access to those keys is going to be tracked in CloudTrail. With those keys I'll be able to encrypt my EBS, my elastic block storage; I'll be able to encrypt other types of data. And in the case of my instances, Amazon guarantees that encryption of that storage is not going to affect the performance of those instances; they guarantee the performance of those instances based on what you subscribe for. So this is a no-brainer, right? This is not going to impact your application by encrypting your data that's maybe on the drive. I can encrypt credentials and maybe other sensitive data.
Right, talk to me about that after, because PCI is going to be a little bit different. I know that people are achieving PCI compliance in the cloud, but that's a pretty involved response, I think, so let's talk about that after. Amazon...
Right, they do have that service.
Yeah, I mean, our only solution was...
Right, so looking at our application, we're going to hit on this again: web application firewall. We had it out there in monitor mode. In order to really defend our organization, we need to get it to blocking mode. That's again going to require some discipline on me, working with whoever it is that handles the web application firewall, working with the dev team, making sure that I'm in the change control process, so anytime they roll something out I'm there with my new WAF policy and we're able to validate that. We want to block the malicious traffic, obviously, and if I get this into blocking mode, you know, if I get some sort of denial of service attack coming at me and I block that at my firewall, then I am not spinning up instances behind my back-end web application servers; I'm not spinning those up and paying those additional charges to service that additional traffic. I have to do that with my web application firewall, but I don't want to have to do that in two places. So again, rate limiting: being able to, if I'm getting the same IP hitting me over and over again, turn that on and save some money. And let's talk a little bit about evaluating our WAF effectiveness through our HTTP request logs. I think maybe this may be a common practice, but if you ever take a look at your request logs, let's say that what I want to do is just see the length of the request, like maybe the full URL request, the URL and the query string, and I just want to do a histogram plot of that. Let's say that I see the average request I'm seeing is 50 bytes; those are usually 50 bytes long, I'm just totally making that up, right, and that's the majority of it. Then I have this corner case where it's a whole lot more than 50 bytes, maybe it's 200 bytes or something like that, and so maybe I focus in on that. Wow, that's abnormal behavior, let's take a look at that data. Let's also throw in what the status code is: is it a 200 OK, is it a 404, is it a 500 error? Let's take a look at those status codes. Oh wow, I've got a whole bunch of 500 error codes, or maybe no responses or stuff like that. Let's drill into those. Oh wow, I've got SQL injection going on there, or I may have cross-site scripting, I may have someone trying to upload a malicious file. Let's go back and see, hey, is the WAF catching that? Is it seeing that? You know, a good feedback test there.
Okay, so let's move back down to our application framework. Who here has time to manage two identity providers, right? We talked about how we have IAM out there in Amazon; you also have the stuff that you have at work. Well, Amazon has made it possible for you to use things like SAML authentication, so you can authenticate to your own identity provider, manage all your roles and your group memberships there, and then when you authenticate, your IdP gives you back your SAML token. You then pass that on to Amazon, say, hey, here's my SAML token, and that gets you assigned your role, and then with that role I can go in and do whatever I need to. Also I can take that and do the same sort of thing with my API authentication or my CLI authentication: I can authenticate and it will give me back a temporary access token that usually has a maximum life of an hour. So now with all my devops, rather than giving them permanent access keys, I can give them temporary access keys that have an expiration date on them. Awesome, right? My applications, not all applications are to this point yet, but they need to get to this point where they can use those EC2 instance roles. Remember, we can assign those a role to give them specific capabilities or permissions to do things on Amazon cloud or Amazon services. All my applications should be using those instance roles. Again, those instance roles have an access key that they can access from essentially their Amazon environment, and those expire, so every, you know, and I don't know what the expiration is, it's probably about eight hours, I think, so those are constantly recycled. Now I'm reducing the number of keys I have to generate; that is a very good thing. And I've even read, so much so, that if your applications are not using the roles, you're doing cloud wrong, because now you have another manual process to make sure that those keys are on your AMIs as those get spun up. It's just creating more nightmare for you, right? To do it right, use the roles that are provided to the instance. There are always going to be those cases where I have to create permanent access keys. Anytime I do that, I want to make sure I do least privilege, and I want to make sure that where they have elevated privileges, I rotate those keys regularly. And then, we talked about this before, scour code and configs looking for those things and making sure that those are taken care of.
All right, we talked about maybe a few... no presentation's good without a few interesting stories, right? Here we have a developer that was going out, he was excited to learn about the cloud, he was learning what he could do, he was deploying code out there, and took his credentials, checked his code back into GitHub, and thought, oh wait, what did I just do there? Looked in his code: did I put my access keys in there? Yeah, they're there. He had them removed within five minutes, thought, oh, I'm good, I got them down pretty quickly, right? The next morning he woke up to four emails from Amazon and one phone call saying, hey, something's going on with your account, we think you ought to take a look at it. 140 servers were spun up, probably bitcoin mining, and he was stuck with a $2,300 bill. Luckily he was able to explain to Amazon what was going on and they were kind, you know, this one time we'll drop the charges. I don't think Amazon's going to do that through infinity, right? So access key management is very important, just for a developer, right, not even an organization. All right, we talked about this a lot, I'm going to head on, and again, multi-factor authentication is an
important defensive measure. It should be done on my root account; any highly privileged account should require multi-factor authentication as well. Separation of duties is going to be very key in the cloud, and making sure that we have least privilege, and we're going to talk about why that's important in a second. Access to that backup data is key. Another great story, right: Code Spaces. One day the employees came into work and noticed they had a ransom note on their website: hey, contact us, you pay us a whole bunch of money and we won't take you down. They thought, oh crud, what are we going to do? Well, they started to take evasive action, right, we're going to try to lock this guy out. The attacker said, oh yeah, I expected you guys to do that, and deleted all of their data. They didn't have good separation of duties, so that attacker had access to all of that and deleted all their data, at which point what do you do? You know, all our data is gone, we have to close our doors. Separation of duties is key in the cloud. One additional note on incident response: when you see something that indicates, hey, we may be compromised here, this makes good sense in any organization, but it's especially true in the cloud: investigate without trying to tip off the attacker, because if the attacker sees, hey, I've been discovered, or gets any sort of indication of that, his response is most likely going to be automated. So that you type in the command line is not going to be him; he's going to have an automated response. As organizations, when we discover things, our response should also include automation. Automation is key in the cloud.
Okay, let's talk about operating systems. We want to make sure we use trusted AMIs. Some AMIs that are out there, if I go out there and get that AMI today and there are new patches tomorrow, some of those AMIs will be kept updated; I don't have to patch my AMIs, I just have to go get the new AMIs. Great way of planning for your architecture in the cloud. The marketplace has distinct compliant AMIs as well. Great, you don't have to build those yourself, you can just go out there and buy those, right, you pay an hourly rate on them. We talked about, if our instance fell, investigate first, right? What's going on? We understand what's really going on here; once we've got an idea, you know, blow that old instance away. It's cattle; we don't want to treat it as a pet, it's cattle. Isolate it, pull it away, if I want to do forensics on it I can do that, and then auto scaling is just going to spin up a new instance. Again, when we look at our AMIs we want to make sure that our scaling is using the right one. We talked about SSH keys; here's a little bit of a headache in the cloud. We want to be able to treat these instances as cattle; you need to have a good SSH key management strategy in place. Maybe I manage that at the bastion, maybe I manage that at a prod and non-prod level, so that I have SSH keys for prod. Maybe I spin up an instance that I can do some identity, I have an Active Directory instance out there in my environment that uses that for authentication. Something that definitely needs to be looked at. Probably the worst case scenario is to manage that on an AMI-by-AMI basis; as people leave the organization I'm having to update my AMI with new keys, but that's better than not doing that. Okay, really quickly, let's talk about NACLs and security groups. NACLs, I'm not spending a lot of time on these. These are stateless; I can have them inbound and outbound, I'm limited to 20 per subnet, 20 inbound, 20 outbound. Since they're stateless I have to open up the ephemeral ports. It's not going to be a great solution for me, but don't lose hope yet; let's look at security groups.
Okay, NACLs, like we said, talk at the subnet level. Security groups: these are stateful, inbound and outbound, I can apply them to a single instance or a group of instances, and AWS puts some limits on them. It really depends on how many security groups you have and how many rules you have per security group, and you have to really look at their documentation to understand how to manage that. But let's just take a look here, let's just do a couple of examples. I've got my elastic load balancer exposed on the external side; I'm going to allow 80 and 443 in from anywhere and allow ping in, and anything else I'm going to deny. With my security group I can say, hey, I don't want my elastic load balancers going to my app servers without going through my WAF, so I create a rule that only allows those to talk to my web application firewalls. This gives us very granular control at the network layer of who can talk to who within my application. I'm going to skip the WAF and jump right down into my application servers: I'm going to allow my application servers to talk to my own databases, obviously, and I don't have to call these out by IP address, I can call them out by security group name. So I don't have to say app servers are going to be allowed to talk to these IP addresses; I say anybody that's in the database security group, they can talk to, right? And I can have my database security group span both availability zones, so that I don't have to create one per availability zone. So some great capabilities there as far as writing network controls. A couple of last notes: the bastion host. If I don't have a VPN connection from my network or anything like that, I have this bastion host sitting out there. When I spun one up before, you guys are all familiar with this, within five minutes people were trying to log into that, right? If you don't need the bastion host, you don't need to administer anything, you can just turn it off, you know, put it in a stopped state, and then it's just not there. But let's take this maybe one step further: is there such a thing as cloud nirvana, where nobody needs to have access to my environment? I see a lot of posts out there on the internet that say everything in my environment needs to be automated; it has to be automated in order for me to be able to scale. At that point, who really needs to be able to access my prod environment? One blogger talked about how if he has to SSH into an instance to start doing some configuration, he says, I'm doing this wrong, what do I need to do to automate this? That's from an operational standpoint. From a security standpoint that gives us a lot of extra assurances as well: my prod environments are out there, I don't have to worry about my admins being able to get into that and do things. I have to manage the processes around that, but not that instance itself, that environment itself. If I can do that, if I get that automation put in place, I also can now take that exact thing and spin up a test environment, spin up a new environment out in Africa or wherever else I want to start doing business, all automated. I could probably do that within minutes, or at the worst case hours, to bring up a whole new environment. So, additional resources: Amazon has a whole bunch of security white papers, they're updating these constantly. If you go to aws.amazon.com or docs, they have a whole lot of great information out there. A few other things: qwikLABS is another great thing; for like forty dollars you can go out and buy Amazon qwikLABS, they have a whole lab for you to do that gives you instructions on what to do, and they have things covering from the API and CLI, that sort of thing, to auto scaling, to CloudFormation templates, to all sorts of stuff. Great resources out there. All right, with that, that's it, thank you.
Any questions?
I could make them available; I think these are being recorded, right, so this will be on YouTube as well. So if you want to, you can send me an email, come talk to me afterwards and I'll give you my email. All right, thank you. Any other? All right, thanks.
Okay.
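The request-length histogram and status-code drill-down from the WAF part of the talk, written out as an added example that is not part of the talk or of any Amazon tooling. The log lines are constructed in combined log format, and the 50-byte buckets and the three-times-median outlier threshold are assumed values, not figures the speaker gave.

```python
import re
import statistics
from collections import Counter
# Constructed sample in combined log format (not real traffic). The last two
# lines are the talk's corner case: far longer requests, both answered 500.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Mar/2016:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512
203.0.113.11 - - [10/Mar/2016:10:00:02 +0000] "GET /products?id=42 HTTP/1.1" 200 2048
203.0.113.12 - - [10/Mar/2016:10:00:03 +0000] "GET /products?id=7 HTTP/1.1" 200 1990
203.0.113.13 - - [10/Mar/2016:10:00:04 +0000] "POST /login HTTP/1.1" 302 0
203.0.113.14 - - [10/Mar/2016:10:00:05 +0000] "GET /about HTTP/1.1" 200 880
203.0.113.15 - - [10/Mar/2016:10:00:06 +0000] "GET /missing HTTP/1.1" 404 120
203.0.113.16 - - [10/Mar/2016:10:00:07 +0000] "GET /products?id={0} HTTP/1.1" 500 0
203.0.113.16 - - [10/Mar/2016:10:00:08 +0000] "GET /upload?name={1} HTTP/1.1" 500 0
""".format("9" * 180, "x" * 220)
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
                     r'"\S+ (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+$')

def parse_log(text):
    """One record per parseable line: client IP, request target (path plus
    query string), its length in bytes, and the response status code."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the analysis
        target = m.group("target")
        records.append({"ip": m.group("ip"), "target": target,
                        "length": len(target.encode()),
                        "status": int(m.group("status"))})
    return records

def length_histogram(records, bucket=50):
    """Requests per length bucket, i.e. the histogram the talk describes."""
    return Counter((r["length"] // bucket) * bucket for r in records)

def find_outliers(records, factor=3.0):
    """Requests longer than `factor` times the median length. The median is
    used as the baseline because a few huge requests cannot drag it up."""
    if not records:
        return []
    median = statistics.median(r["length"] for r in records)
    return [r for r in records if r["length"] > factor * median]

def status_breakdown(records):
    """Status-code counts for a set of records, e.g. the outliers."""
    return Counter(r["status"] for r in records)

if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for lo, n in sorted(length_histogram(recs).items()):
        print(f"{lo:4d}-{lo + 49:<4d} {'#' * n}")
    outliers = find_outliers(recs)
    print("outliers by status:", dict(status_breakdown(outliers)))
```

On the sample, the two long requests land alone in the 150 and 200 buckets and both carry a 500, which is the signal the talk says to chase back to the WAF logs to confirm it was seen.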