(SEC309) Amazon VPC Configuration: When Least Privilege Meets the Penetration Tester | AWS re:Invent 2014

November 13, 2014 | Las Vegas, NV Jason Bubolz, iSEC Partners

Upload: amazon-web-services

Post on 02-Jul-2015


DESCRIPTION

Enterprises trying to deploy infrastructure to the cloud and independent software companies trying to deliver a service have similar problems to solve. They need to know how to create an environment in AWS that enforces least-privilege access between components while also allowing administration and change management. Amazon Elastic Compute Cloud (EC2) and Identity and Access Management (IAM), coupled with services like AWS Security Token Service (STS), offer the necessary building blocks. In this session, we walk through some of the mechanisms available to control access in an Amazon Virtual Private Cloud (VPC). Next, we focus on using IAM and STS to create a least-privilege access model. Finally, we discuss auditing strategies to catch common mistakes and techniques to audit and maintain your infrastructure.

TRANSCRIPT

Page 1: (SEC309) Amazon VPC Configuration: When Least Privilege Meets the Penetration Tester | AWS re:Invent 2014

November 13, 2014 | Las Vegas, NV

Jason Bubolz, iSEC Partners

Page 9:

Security group "Default", inbound:
  22   TCP  0.0.0.0/0
  80   TCP  0.0.0.0/0
  443  TCP  0.0.0.0/0

Security group WebServers-SG, inbound:
  22   TCP  JumpHosts-SG
  80   TCP  0.0.0.0/0
  443  TCP  0.0.0.0/0

Security group JumpHosts-SG, inbound:
  22   TCP  192.168.10.0/24
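An added example, not from the talk: a small audit that walks security-group ingress rules in the shape EC2 DescribeSecurityGroups returns and grades any rule exposing an admin port, so the "Default" group's SSH-from-anywhere rule is flagged while the WebServers-SG rule that only admits JumpHosts-SG is not. The three groups are constructed from the slide; the corporate CIDR and the admin port set are assumptions.

```python
# Added example (not from the talk): audit ingress rules in the shape returned by
# EC2 DescribeSecurityGroups and flag admin ports reachable from the Internet.
# Group definitions below are constructed to match the three groups on the slide.
ADMIN_PORTS = {22, 3389}
CORP_CIDRS = {"192.168.10.0/24"}  # assumption: the corporate range used on the slide

def rule(port, cidr=None, sg=None):
    """One IpPermission entry (constructed sample data, DescribeSecurityGroups shape)."""
    return {"IpProtocol": "tcp", "FromPort": port, "ToPort": port,
            "IpRanges": [{"CidrIp": cidr}] if cidr else [],
            "UserIdGroupPairs": [{"GroupName": sg}] if sg else []}

SECURITY_GROUPS = [
    {"GroupName": "default", "IpPermissions": [
        rule(22, "0.0.0.0/0"), rule(80, "0.0.0.0/0"), rule(443, "0.0.0.0/0")]},
    {"GroupName": "WebServers-SG", "IpPermissions": [
        rule(22, sg="JumpHosts-SG"), rule(80, "0.0.0.0/0"), rule(443, "0.0.0.0/0")]},
    {"GroupName": "JumpHosts-SG", "IpPermissions": [rule(22, "192.168.10.0/24")]},
]

def rule_ports(perm):
    """Port range covered by one IpPermission; protocol -1 (all) or no port means everything."""
    if perm.get("IpProtocol") == "-1" or perm.get("FromPort") is None:
        return range(0, 65536)
    return range(perm["FromPort"], perm["ToPort"] + 1)

def audit_ingress(groups, admin_ports=ADMIN_PORTS):
    """Return (group, ports, source, severity) for every rule that exposes an admin port.

    0.0.0.0/0 is HIGH, a CIDR outside the corporate range is MEDIUM, the corporate
    range or a reference to another security group (the jump-host pattern) is INFO."""
    findings = []
    for group in groups:
        for perm in group["IpPermissions"]:
            covered = rule_ports(perm)
            hit = tuple(sorted(p for p in admin_ports if p in covered))
            if not hit:
                continue
            for rng in perm.get("IpRanges", []):
                cidr = rng["CidrIp"]
                sev = "HIGH" if cidr == "0.0.0.0/0" else "INFO" if cidr in CORP_CIDRS else "MEDIUM"
                findings.append((group["GroupName"], hit, cidr, sev))
            for pair in perm.get("UserIdGroupPairs", []):
                findings.append((group["GroupName"], hit, "sg:" + pair["GroupName"], "INFO"))
    return findings

if __name__ == "__main__":
    for finding in audit_ingress(SECURITY_GROUPS):
        print(finding)
```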

Page 10:

Diagram: Amazon S3, Administrators

Page 15:

Diagram, MonkeyBuffer.org application components: Web Front End, Application Layer, Data Layer, ETL Host, Data Warehouse, Admin Jump Host; AWS services used: Amazon S3 (storage and configuration), Amazon SNS (mobile push), Amazon DynamoDB (session management)

Page 18:

Diagram: the same components and AWS services as page 15

Page 19:

Diagram, Monkeybuffer.org VPC: Admin Host, NAT, ELB, Web Front End, App Layer, Data Layer, ETL Host, Data Warehouse; public subnet: Internet Access Layer (Internet Gateway); private subnets: Application Servers, Data Storage, Analytics; VPN Connection to Corpnet

Page 25:

Security group "default":
  In   22    TCP  192.168.10.0/24
  In   80    TCP  0.0.0.0/0
  In   443   TCP  0.0.0.0/0
  In   3306  TCP  192.168.10.0/24
  Out  ALL   TCP  0.0.0.0/0

Diagram labels: Web Front End, Application Layer, Data Warehouse, Admin Jump Host

Page 26:

Diagram: Web Front End, Application Layer, Data Layer, Data Warehouse, ETL Host, Admin Jump Host

Page 27:

Diagram, Web Front End host: HTTP Listener, Admin Listener, WS Client, AWS Client, Admin Client

Page 28:

Diagram: listeners and clients on each host (Web Front End, Application Layer, Data Layer, ETL Host, Data Warehouse, Admin Jump Host). Labels shown: Admin Client (one per host), Admin Listener, HTTP Listener, WS Listener, WS Client, Data Listener, Data Client, EDW Listener, EDW Client, AWS Client

Page 29:

Diagram: Web Front End, Application Layer, Data Layer, ETL Host, Data Warehouse, Admin Jump Host

Page 36:

• aws:SecureTransport: enforce HTTPS use for API access
• aws:MultiFactorAuthAge: using a Null check comparison, force MFA authentication for sensitive operations (works with AssumeRole workflows)
• aws:CurrentTime: using a DateLessThan comparison, limit the lifetime of temporary privilege escalations
• aws:SourceIp: restrict deployment-altering actions to requests originating from the corporate network
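An added example, not from the talk: a toy evaluator for the four condition keys listed above, showing how each operator treats a request context and, in particular, why a "Null": "false" check on aws:MultiFactorAuthAge turns away sessions that never did MFA (their context simply lacks the key). The Condition block, its expiry timestamp and the sample request context are constructed; the corporate CIDR is taken from the deck's security-group slides.

```python
# Added example (not from the talk): a toy evaluator for the four IAM condition keys
# named on the slide. Real IAM evaluation has more rules (explicit Deny, multiple
# statements, policy variables); this shows only how each operator treats its key.
import ipaddress
from datetime import datetime, timezone

# Constructed Condition block; the expiry date is a placeholder and the CIDR is the
# corporate range used elsewhere in the deck.
SENSITIVE_ACTION_CONDITION = {
    "Bool": {"aws:SecureTransport": "true"},                      # API call must use HTTPS
    "Null": {"aws:MultiFactorAuthAge": "false"},                  # key exists only after MFA
    "DateLessThan": {"aws:CurrentTime": "2014-11-14T00:00:00Z"},  # escalation expiry
    "IpAddress": {"aws:SourceIp": "192.168.10.0/24"},             # corporate network only
}

# Constructed request context for an MFA-authenticated call from the corporate network
SAMPLE_CONTEXT = {"aws:SecureTransport": "true", "aws:MultiFactorAuthAge": "420",
                  "aws:CurrentTime": "2014-11-13T18:30:00Z", "aws:SourceIp": "192.168.10.42"}

def _parse_time(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def condition_matches(condition, ctx):
    """True if every (operator, key) pair in the Condition block holds for context ctx.

    A key missing from ctx fails every operator except Null, which is exactly why
    'Null: false' on aws:MultiFactorAuthAge rejects sessions without MFA."""
    for op, pairs in condition.items():
        for key, want in pairs.items():
            present = key in ctx
            if op == "Null":
                # "true" requires the key to be absent, "false" requires it to be present
                if (want == "true") == present:
                    return False
                continue
            if not present:
                return False
            have = ctx[key]
            if op == "Bool":
                ok = str(have).lower() == want.lower()
            elif op == "DateLessThan":
                ok = _parse_time(have) < _parse_time(want)
            elif op == "IpAddress":
                ok = ipaddress.ip_address(have) in ipaddress.ip_network(want)
            else:
                raise ValueError(f"operator not modelled here: {op}")
            if not ok:
                return False
    return True
```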

Page 38:

Diagram labels: Operations, Engineering, Business Intelligence, Support

{
  "Version": "2012-10-17",
  "Statement": [
    { "Action": "ec2:*", "Effect": "Allow", "Resource": "*" },
    { "Action": "s3:*", "Effect": "Allow", "Resource": "*" },
    { "Action": "dynamodb:*", "Effect": "Allow", "Resource": "*" },
    { "Action": "sns:*", "Effect": "Allow", "Resource": "*" }
  ]
}

Initial Engineering Policy Document

Page 40:

Diagram, Engineering User and the groups around it: EC2 Instance Mgmt, EC2 Configuration Readers, EC2 Admin, S3 Configuration Bucket Readers, S3 Writers, IAM Readers

Page 47:

Diagram: Web Front End, Application Layer

Page 48:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:ListBucket"],
      "Resource": ["arn:aws:s3:::monkeybufferfiles"]
    },
    {
      "Effect": "Allow",
      "Action": ["s3:GetObject"],
      "Resource": ["arn:aws:s3:::monkeybufferfiles/configuration"]
    }
  ]
}

WebFrontEndInstance Role Policy Document

Page 49:

{
  "Id": "Policy1412633321994",
  "Statement": [
    {
      "Sid": "Stmt1412633314407",
      "Action": ["s3:ListBucket", "s3:GetObject"],
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::monkeybufferfiles/configuration",
      "Principal": {
        "AWS": [
          "arn:aws:iam::accountid:role/WebFrontEndInstance",
          "arn:aws:iam::accountid:role/AppLayerInstance"
        ]
      }
    }
  ]
}

MonkeyBufferFiles S3 Bucket Policy Document

Page 50:

{
  "Version": "2012-10-17",
  "Statement": [
    { "Effect": "Allow", "Action": "ec2:RunInstances", "Resource": "*" },
    {
      "Effect": "Allow",
      "Action": "iam:PassRole",
      "Resource": "arn:aws:iam::accountid:role/WebFrontEndInstance"
    }
  ]
}

PassRole User Policy Document
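An added example, not from the talk, serving both the initial engineering policy on page 38 and the PassRole policy above: a static check over IAM policy documents for the two patterns the deck warns about, "service:* on *" grants and iam:PassRole that is not pinned to one role ARN. The first two documents are the slides' own ("accountid" is the slides' placeholder); the third is a constructed counter-example.

```python
# Added example (not from the talk): a static check over IAM policy documents for two
# patterns the deck warns about, broad "service:* on *" grants (slide 38's initial
# engineering policy) and iam:PassRole not pinned to one role ARN (slide 50).
# The first two documents are the slides' own; "accountid" is the slides' placeholder.
INITIAL_ENGINEERING_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Action": "ec2:*", "Effect": "Allow", "Resource": "*"},
    {"Action": "s3:*", "Effect": "Allow", "Resource": "*"},
    {"Action": "dynamodb:*", "Effect": "Allow", "Resource": "*"},
    {"Action": "sns:*", "Effect": "Allow", "Resource": "*"},
]}
PASSROLE_USER_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "ec2:RunInstances", "Resource": "*"},
    {"Effect": "Allow", "Action": "iam:PassRole",
     "Resource": "arn:aws:iam::accountid:role/WebFrontEndInstance"},
]}
# Constructed counter-example: PassRole on "*" would let the user launch instances
# carrying any role in the account, so the check must flag it.
UNPINNED_PASSROLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["ec2:RunInstances", "iam:PassRole"], "Resource": "*"},
]}

def _as_list(value):
    """IAM accepts a string or a list in Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]

def audit_policy(name, doc):
    """Return (policy name, finding text) tuples for risky Allow statements."""
    findings = []
    for index, stmt in enumerate(doc.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        for action in actions:
            if action.endswith("*") and "*" in resources:
                findings.append((name, f"statement {index}: {action} on * (scope to needed actions and ARNs)"))
            if action.lower() == "iam:passrole" and any(
                    r == "*" or r.endswith("/*") for r in resources):
                findings.append((name, f"statement {index}: iam:PassRole not pinned to a role ARN"))
    return findings

def audit_all(policies):
    """Run audit_policy over a {name: document} mapping and return every finding."""
    return [f for name, doc in policies.items() for f in audit_policy(name, doc)]

if __name__ == "__main__":
    for finding in audit_all({"initial-engineering": INITIAL_ENGINEERING_POLICY,
                              "passrole-user": PASSROLE_USER_POLICY,
                              "unpinned-passrole": UNPINNED_PASSROLE_POLICY}):
        print(finding)
```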

Page 51:

• Does the account follow IAM Best Practices?
• Is CloudTrail logging enabled?
• Do IAM and resource access policies match requirements, and are they minimal?
• Are AWS access keys, cryptography keys, or other passwords exposed in source or configuration?
• Does the account follow proper security design for all additional AWS services?

Page 54:

https://github.com/Netflix/security_monkey

https://github.com/iSECPartners/Scout2

Page 55:

To Begin
• Ensure consistency across regions
• Enable CloudTrail logging
• Enforce IAM Best Practices: manage user accounts like you would manage your own infrastructure
• Limit access to "* on *" policies

Next Steps
• Match access to roles and requirements
• Employ IAM roles and Amazon EC2 instance credentials
• Strictly limit policies assigned to static service credentials
• Eliminate access to unused AWS services
• Lock down storage services to mitigate information leaks

Finally
• Establish regular reviews
• Investigate changes and challenge expansive privileges

Page 56:

http://bit.ly/awsevals