Welcome! DoiT International. Practicing multi-cloud & cloud cyber security since 2010.
DoIT International confidential │ Do not distribute
Looking for Talent
● Customer Operations Engineer
● Big Data Engineering
● Cloud Sales Rep.
AWS Cyber Security Best Practices
Shay Kirshenboim - Cloud Cyber Security // DoiT International
Agenda
1. AWS Security Components
2. MFA Authentication
3. Logging, Audit and Monitoring tools
4. AWS Shield & WAF
5. Centralize logs using AWS ElasticSearch Service
6. AWS Monitoring and Security Controls & Trusted Advisor
AWS Shared Security Model
AWS Security Groups and Network ACLs
Security Groups & Network ACL’s
Security Groups
● Affects instances (1st protection layer)
● Only “Allow” rules; by default “Deny”
● Stateful (return traffic is allowed)
● Rule order is insignificant, as all rules are “allow” rules
● Many-to-many relationship
Network ACL’s
● Affects an entire subnet (2nd protection layer)
● Supports “Allow” & “Deny” rules
● Stateless (you must explicitly allow return traffic)
● Evaluates rules in number order (like a traditional firewall)
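The two slides above describe the stateful/unordered versus stateless/ordered difference; here is an added example (not from the deck) that models both evaluations for a single TCP flow, with constructed rule sets, to show why a NACL needs an explicit ephemeral-port allow for return traffic and why a lower-numbered deny wins.

```python
# Added example (not from the slides): a small model of how AWS evaluates a
# stateless Network ACL versus a stateful Security Group for one TCP flow.
# Rule shapes and port ranges are constructed for illustration only.
from dataclasses import dataclass


@dataclass(frozen=True)
class NaclRule:
    number: int        # evaluated lowest-first; the first match wins
    action: str        # "allow" or "deny"
    port_from: int
    port_to: int


def nacl_allows(rules, port):
    """Stateless and ordered: walk rules by number, first match decides; implicit deny."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.port_from <= port <= rule.port_to:
            return rule.action == "allow"
    return False  # the trailing '*' rule of every NACL is a deny


def sg_allows(allow_ports, port):
    """Stateful and unordered: any matching allow rule permits; there are no deny rules."""
    return any(lo <= port <= hi for lo, hi in allow_ports)


def tcp_flow_permitted(inbound_nacl, outbound_nacl, sg_inbound, service_port, client_port):
    """A client connects to service_port; the reply goes back to the client's
    ephemeral port. The SG tracks connection state, so only the request is checked;
    the NACL checks the request inbound AND the reply outbound."""
    request_ok = nacl_allows(inbound_nacl, service_port) and sg_allows(sg_inbound, service_port)
    reply_ok = nacl_allows(outbound_nacl, client_port)   # no SG check: stateful
    return request_ok and reply_ok


# Constructed rule sets: NACL allows 443 inbound, SG allows 443 inbound.
INBOUND_NACL = [NaclRule(100, "allow", 443, 443)]
SG_INBOUND = [(443, 443)]
# Outbound NACL that forgot the ephemeral range: the reply to client port 51000 is dropped.
OUTBOUND_NACL_BROKEN = [NaclRule(100, "allow", 443, 443)]
# Fixed outbound NACL: ephemeral ports 1024-65535 allowed so return traffic can leave.
OUTBOUND_NACL_FIXED = [NaclRule(100, "allow", 1024, 65535)]
# Order matters: rule 50 denies 443 before rule 100 allows it.
INBOUND_NACL_DENY_FIRST = [NaclRule(100, "allow", 443, 443), NaclRule(50, "deny", 443, 443)]
```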
Security Groups & NACL’s - Best Practices
Security Groups
● Avoid using the “default VPC security group”, which enables inbound communication from all members of the SG and outbound communication to any destination
● Delete “any to any” rules and configure specific name server and other service rules as needed
● Use easy-to-understand names (and a naming convention)
● Create function-related SGs (db servers, web servers, etc.)
● Create a default SG for infra services (Windows RDP or Linux SSH, etc.)
● Try to balance simplicity of SGs and the number of SGs per instance to achieve simple management
● Enable VPC flow logs
Monitor changes to SG (Demo)
1. Identify your critical SGs (sg-8f9ee8f7)
2. Create Lambda execution role and policy
3. Create Lambda function:
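The demo's Lambda code is not in the transcript; the following is an added example (not the deck's own function) of the core logic: it inspects a CloudTrail-sourced CloudWatch Events record for changes to a critical security group and returns a finding. The critical SG id is the one from the slide; the sample event is constructed by hand, and the SNS notification step is left as a comment so the block runs offline.

```python
# Added example (not the deck's demo code): the decision logic of a Lambda that
# watches CloudTrail API-call events for changes to critical security groups.

# Critical SG ids; in a deployed function read these from an environment variable.
CRITICAL_SGS = {"sg-8f9ee8f7"}
WATCHED_EVENTS = {"AuthorizeSecurityGroupIngress", "AuthorizeSecurityGroupEgress",
                  "RevokeSecurityGroupIngress", "RevokeSecurityGroupEgress", "DeleteSecurityGroup"}


def summarize_permissions(request_params):
    """Flatten CloudTrail's ipPermissions.items into 'proto from-to cidr' strings."""
    out = []
    for perm in request_params.get("ipPermissions", {}).get("items", []):
        ports = f"{perm.get('fromPort', 'all')}-{perm.get('toPort', 'all')}"
        for rng in perm.get("ipRanges", {}).get("items", []):
            out.append(f"{perm.get('ipProtocol')} {ports} {rng.get('cidrIp')}")
    return out


def lambda_handler(event, context=None):
    """Return a finding dict when a watched API call touches a critical SG, else None.
    A deployed version would publish the finding with boto3's sns.publish."""
    detail = event.get("detail", {})
    params = detail.get("requestParameters") or {}
    group_id = params.get("groupId")
    if detail.get("eventName") not in WATCHED_EVENTS or group_id not in CRITICAL_SGS:
        return None
    rules = summarize_permissions(params)
    return {
        "groupId": group_id,
        "eventName": detail["eventName"],
        "actor": detail.get("userIdentity", {}).get("arn", "unknown"),
        "rules": rules,
        # An any-to-any rule on a critical SG is what the best-practice slide says to delete.
        "wide_open": any(r.endswith(" 0.0.0.0/0") for r in rules),
    }


# Constructed sample event in the shape CloudTrail delivers to CloudWatch Events:
# someone opens SSH to the world on the critical SG.
SAMPLE_EVENT = {
    "detail-type": "AWS API Call via CloudTrail",
    "detail": {
        "eventName": "AuthorizeSecurityGroupIngress",
        "userIdentity": {"arn": "arn:aws:iam::123456789012:user/example-admin"},
        "requestParameters": {
            "groupId": "sg-8f9ee8f7",
            "ipPermissions": {"items": [{"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
                                         "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]},
        },
    },
}
```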
2. Edit the AWS CLI credentials file, which defaults to ~/.aws/credentials, with the returned values:
    [profile-name]
    aws_access_key_id = <Access-key-as-in-returned-output>
    aws_secret_access_key = <Secret-access-key-as-in-returned-output>
    aws_session_token = <Session-Token-as-in-returned-output>
3. (Demo) Allow ec2 describe-instances only to MFA-enabled users, using the AWS CLI
4. Check out the AWS Security Blog for very useful guides (an excellent example: How to Record SSH Sessions Established Through a Bastion Host)
AWS Inspector Findings (examples)
Security Best Practices-1.0:
Finding: Instance xxxx is configured to allow users to log in with root credentials over SSH. This increases the likelihood of a successful brute-force attack.
Description: This rule helps determine whether the SSH daemon is configured to permit logging in to your EC2 instance as root.
Recommendation: It is recommended that you configure your EC2 instance to prevent root logins over SSH. Instead, log in as a non-root user and use sudo to escalate privileges when necessary. To disable SSH root logins, set PermitRootLogin to "no" in /etc/ssh/sshd_config and restart sshd.
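An added example (not Inspector's own rule code) of checking the finding above offline: it parses sshd_config text and reports the effective PermitRootLogin value. It assumes OpenSSH's documented parsing rules (first global occurrence wins, keywords are case-insensitive, '#' starts a comment, directives after a Match line are conditional) and the OpenSSH 7.0+ default of prohibit-password when the directive is absent; the sample configs are constructed.

```python
# Added example (not from the slides): audit PermitRootLogin in an sshd_config.
import re

# OpenSSH's built-in default when the directive is absent (assumption: OpenSSH 7.0 or
# newer; older releases defaulted to "yes").
DEFAULT_PERMIT_ROOT_LOGIN = "prohibit-password"


def effective_permit_root_login(config_text):
    """Return (value, conditional). 'conditional' is True when the only
    PermitRootLogin line sits under a Match block and so applies selectively."""
    in_match, match_value = False, None
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and surrounding whitespace
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()                 # keywords are case-insensitive
        value = parts[1].strip().strip('"').lower() if len(parts) > 1 else ""
        if key == "match":
            in_match = True                    # everything after this is conditional
        elif key == "permitrootlogin":
            if not in_match:
                return value, False            # first global occurrence wins
            match_value = match_value or value
    if match_value is not None:
        return match_value, True
    return DEFAULT_PERMIT_ROOT_LOGIN, False


def root_login_finding(config_text):
    """Mirror the Inspector rule: report anything other than 'no'."""
    value, conditional = effective_permit_root_login(config_text)
    if value == "no":
        return None
    # prohibit-password/without-password still allow key-based root login but do
    # block the password brute force the finding warns about, so rank them lower.
    severity = "high" if value not in ("prohibit-password", "without-password") else "medium"
    return {"PermitRootLogin": value, "conditional": conditional, "severity": severity,
            "recommendation": 'set PermitRootLogin to "no" in /etc/ssh/sshd_config and restart sshd'}


# Constructed sample configs.
VULNERABLE_CONFIG = """# constructed sshd_config
Port 22
permitrootlogin YES
PasswordAuthentication yes
"""
HARDENED_CONFIG = """Port 22
PermitRootLogin no   # per the Inspector recommendation
Match Address 10.0.0.0/8
    PermitRootLogin yes
"""
```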
AWSLabs GitHub links:
● https://github.com/awslabs/amazon-inspector-agent-autodeploy - Lambda job in Python to automatically deploy the Inspector agent to newly-launched EC2 instances.
● Lambda script that receives findings from the Amazon Inspector service in AWS, via SNS, and forwards them to a destination email address.
● https://github.com/awslabs/aws-security-benchmark - Collection of resources related to security benchmarks; currently: CIS AWS Foundations Benchmark 1.1
How to Remediate Amazon Inspector Security Findings Automatically
Log Parser: parses CloudFront access logs to identify suspicious behavior, such as an abnormal number of requests or errors, and then blocks those IP addresses for a customer-defined period of time. Default parameters: RequestThreshold: 400, ErrorThreshold: 50, WAFBlockPeriod: 240 (min)
IP Lists Parser: checks third-party IP reputation lists hourly for new IP ranges to block. These lists include the Spamhaus Don't Route Or Peer (DROP) and Extended DROP (EDROP) lists, the Proofpoint Emerging Threats IP list, and the Tor exit node list.
BadBot Parser: intercepts and inspects trap endpoint requests to extract the requesting IP address, and then adds it to an AWS WAF block list.
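To show what the Log Parser's thresholds mean in practice, here is an added example (not the AWS solution's own code) that reads CloudFront access-log text, counts requests and 4xx/5xx errors per client IP, and returns the IPs over RequestThreshold or ErrorThreshold. The log lines are constructed; only the fields the check uses carry real-looking values.

```python
# Added example (not the solution's code): the Log Parser decision in miniature.
from collections import Counter

REQUEST_THRESHOLD = 400   # solution defaults quoted in the slide
ERROR_THRESHOLD = 50


def parse_cloudfront_log(text):
    """Yield one dict per record, keyed by the names in the '#Fields:' header line."""
    fields = None
    for raw in text.splitlines():
        if raw.startswith("#Fields:"):
            fields = raw[len("#Fields:"):].split()
        elif raw and not raw.startswith("#") and fields:
            yield dict(zip(fields, raw.split("\t")))


def ips_to_block(text, request_threshold=REQUEST_THRESHOLD, error_threshold=ERROR_THRESHOLD):
    """Return {ip: reason} for clients over either threshold within the log window."""
    requests, errors = Counter(), Counter()
    for rec in parse_cloudfront_log(text):
        ip = rec["c-ip"]
        requests[ip] += 1
        if rec["sc-status"][0] in "45":     # 4xx/5xx counts as an error
            errors[ip] += 1
    blocked = {}
    for ip, n in requests.items():
        if n > request_threshold:
            blocked[ip] = f"{n} requests > {request_threshold}"
        elif errors[ip] > error_threshold:
            blocked[ip] = f"{errors[ip]} errors > {error_threshold}"
    return blocked


def _line(ip, status, path="/"):
    # Constructed record with only the fields this example uses; the rest are '-'.
    return "\t".join(["2019-01-01", "00:00:00", "IAD50-C1", "500", ip, "GET",
                      "d111111abcdef8.cloudfront.net", path, status, "-", "-"])


SAMPLE_LOG = "\n".join(
    ["#Version: 1.0",
     "#Fields: date time x-edge-location sc-bytes c-ip cs-method cs(Host) cs-uri-stem sc-status cs(Referer) cs(User-Agent)"]
    + [_line("203.0.113.10", "200")] * 30                 # busy client...
    + [_line("203.0.113.10", "404", "/notfound")] * 8     # ...that is also erroring heavily
    + [_line("198.51.100.7", "200")] * 3)
```

With the production defaults this small sample blocks nobody; the thresholds are parameters so the same logic can be exercised on a short constructed log.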
Forensics on logs with AWS ElasticSearch (or your own)
1. Create your Elasticsearch domain
2. Stream all relevant logs (CloudWatch)
3. Create dashboards by topic
4. Monitor and investigate
Questions?
Thank You!
DoiT International
Practicing multi-cloud & cloud cyber security since 2010.