Using Security to Build with Confidence in AWS


Transcript of Using Security to Build with Confidence in AWS

©2015, Amazon Web Services, Inc. or its affiliates. All rights reserved

Using Security to Build

with Confidence in AWS

Mark Nunnikhoven for Trend Micro

@marknca

Mark Nunnikhoven

@marknca

aws.trendmicro.com

The Story

More at aws.trendmicro.com

2012 re:Invent

SPR203: Cloud Security Is a Shared Responsibility, http://bit.ly/2012-spr203

2013 re:Invent

SEC208: How to Meet Strict Security and Compliance Requirements in the Cloud, http://bit.ly/2013-sec208

SEC307: How Trend Micro Built Their Enterprise Security Offering on AWS, http://bit.ly/2013-sec307

2014 re:Invent

SEC313: Updating Security Operations for the Cloud, http://bit.ly/2014-sec313

SEC314: Customer Perspectives on Implementing Security Controls with AWS, http://bit.ly/2014-sec314

Shared Responsibility Model

AWS: Physical, Infrastructure, Network, Virtualization
You: Operating system, Applications, Data, Service configuration

More at aws.amazon.com/security


Vulnerability / Respond / Repair

Vulnerability


by Andreas Lindh (@addelindh)

bash is a common command line interpreter

a:() { b; } | attack

10/10 vulnerability: widespread and easy to exploit

Shellshock Impact

1989. Fantastic summary by David A. Wheeler at http://www.dwheeler.com/essays/shellshock.html#timeline

Image: "MicroTAC" by Redrum0486 at English Wikipedia (12.3 oz)

Time Since Last Event | Event                                  | Action | Action Timeline
1989-08-05 8:32       | Added to codebase                      |        |
27 days, 10:20:00     | Released to public                     |        |
9141 days, 21:18:35   | Initial report                         | React  | Clock starts
1 day, 22:19:13       | More details                           | React  |
2 days, 7:30:12       | Official patch :: CVE-2014-6271        | Patch  | 4 days, 5:49:25
5 days, 9:16:35       | Limited disclosure :: CVE-2014-6271    | React  |
2 days, 4:37:25       | More details                           | React  |
3:44:00               | More details                           | React  |
0:27:51               | Public disclosure                      | React  |
0:36:30               | More details                           | React  |
0:34:39               | Public disclosure :: CVE-2014-7169     | React  |

Important Shellshock Events

Time Since Last Event | Event                                            | Action | Action Timeline
1989-08-05 8:32       | Added to codebase                                |        |
27 days, 10:20:00     | Released to public                               |        |
9141 days, 21:18:35   | Initial report                                   | React  | Clock starts
2 days, 7:30:12       | Official patch :: CVE-2014-6271                  | Patch  | 4 days, 5:49:25
3:29:09               | Official patch :: CVE-2014-7169                  | Patch  | 9 days, 19:17:00
3:15:00               | Official patch :: CVE-2014-7186, CVE-2014-7187   | Patch  | 4 days, 17:30:00
1 day, 11:55:00       | Official patch :: CVE-2014-6277                  | Patch  | 1 day, 11:55:00

Respond


Day 1

aws.amazon.com/architecture: Web application hosting

Diagram labels: TCP: 443, TCP: 4433

Primary workflow for our deployment

AWS VPC Review Checklist

Review:
  AWS Identity and Access Management (IAM) roles
  Security groups
  Network segmentation
  Network access control lists (NACL)

More in the Auditing Security Checklist for Use of AWS, media.amazonwebservices.com/AWS_Auditing_Security_Checklist.pdf

Diagram labels: TCP: 443, TCP: 4433

Primary workflow for our deployment

Diagram label: HTTPS

Intrusion prevention can look at each packet and then take action depending on what it finds

aws.amazon.com/architecture: Web application hosting

Intrusion Prevention in Action

Review:
  All instances covered
  Workload-appropriate rules
  Centrally managed

Security controls must scale out automatically with the deployment

Repair


Day 2

aws.amazon.com/architecture: Web application hosting

All instances deployed from a task-specific AMI

Diagram labels: TCP: 443, TCP: 4433

Workflow should be completely automated

AMI Creation Workflow

Diagram stages: Instantiate, Destroy, Configure, Bake, Instantiate, Test

AMI Creation

aws.amazon.com/architecture: Web application hosting

Instances tend to drift from the known good state; monitoring key files and processes is important

Diagram labels: AMI, Instance, Integrity Monitoring, Alert

Integrity Monitoring
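The drift check the slide describes, written out as an added example (this is not code from the talk or from Trend Micro's product): record the state of watched files when the AMI is baked, rescan on the running instance, and report anything that was added, deleted, rewritten or re-permissioned. File names and contents in the demo are constructed.

```python
import hashlib
import os
import tempfile
from pathlib import Path

def baseline(paths):
    """Record the known-good state of each watched path (what the AMI shipped with)."""
    state = {}
    for p in map(Path, paths):
        if p.is_file():
            mode = p.stat().st_mode & 0o7777
            state[str(p)] = {"sha256": hashlib.sha256(p.read_bytes()).hexdigest(),
                             "mode": oct(mode)}
        else:
            state[str(p)] = None  # absent when the baseline was taken
    return state

def check_drift(base, paths):
    """Re-scan and return (path, kind) for every deviation from the baseline."""
    current = baseline(paths)
    findings = []
    for p in sorted(set(base) | set(current)):
        b, c = base.get(p), current.get(p)
        if b == c:
            continue  # unchanged
        if b is None:
            kind = "added"
        elif c is None:
            kind = "deleted"
        elif b["sha256"] != c["sha256"]:
            kind = "content changed"
        else:
            kind = "mode changed"
        findings.append((p, kind))
    return findings

def demo():
    """Constructed scenario: take a baseline, then simulate drift on the running instance."""
    with tempfile.TemporaryDirectory() as d:
        cfg, cron, bash = (os.path.join(d, n) for n in ("sshd_config", "crontab", "bash"))
        for p in (cfg, bash):
            Path(p).write_text("original\n")
        watched = [cfg, cron, bash]
        base = baseline(watched)
        Path(bash).write_text("replaced\n")     # binary swapped out
        Path(cron).write_text("* * * * * x\n")  # file that did not exist at baseline
        os.chmod(cfg, 0o777)                      # permissions loosened
        return {os.path.basename(p): kind for p, kind in check_drift(base, watched)}
```

Each finding is the kind of event the slide's "Alert" step would raise; a real deployment would persist the baseline off-instance so a compromised host cannot rewrite it.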

Keys

Respond: review configuration; apply intrusion prevention
Repair: patch vulnerability in new AMI; leverage integrity monitoring

Keys

Automation

Build With Confidence

SAN FRANCISCO