Presented at the Seattle AWS Architects and Engineers meetup on 11/3/2014.

1. Cloud&Security&@&Ne0lix
Adap%ng(Security(for(Modern(So4ware
Jason&Chan
chan@ne'lix.com.:.@chanjbs
Sea$le&AWS&Architects&&&Engineers

3. Me
Current:(Ne*lix(Security
Product,)app,)ops,)infra,)corp,)fraud,)privacy,)abuse,)IR
Previous:
Infosec(@(VMware,(consul2ng:(@stake,(iSEC(Partners

6. 14m$users$in$1+$year

7. 14m$users$in$1+$year
150m%photos

8. 14m$users$in$1+$year
150m%photos
3"engineers

9. 14m$users$in$1+$year
150m%photos
3"engineers
$1B$acquisi+on$by$FB

11. So#.#.#.

12. idea%+%cloud%=%profit!

15. So#.#.#.

17. Goal:&Cloud&&&AWS&benefits,&securely

18. Typically,)how)do)you:

19. Create&a&user&account

20. Create&a&user&account
Inventory)your)systems

21. Create&a&user&account
Inventory)your)systems
Update'a'firewall'config

22. Create&a&user&account
Inventory)your)systems
Update'a'firewall'config
Make%a%forensic%image

23. Create&a&user&account
Inventory)your)systems
Update'a'firewall'config
Make%a%forensic%image
Disable(a(MFA(token

24. In#AWS#.#.#.

25. CreateUser()
DescribeInstances()
AuthorizeSecurityGroupIngress()
CreateSnapshot()
Deac%vateMFADevice()

29. So#ware,)now

30. Agile

31. Microservices

32. Immutable)
Infrastructure

33. DevOps/NoOps

34. So#.#.#.#what#about#security?

41. Visibility
Knowing'the'Environment

43. Discover

44. Discover
Inventory

45. Discover
Inventory
Test

46. Discover
Inventory
Test
Report

48. Open%ELB%Example
1. Dump'list'of'ELBs'with'listeners
2. Connect'to'ELBs'from'arbitrary'Internet'IP
3. Evaluate'status'code'(200/300'or'403)
4. Compare'results'against'expected
5. Fix'anomalies,'educate'engineers,'and'update'expected'(manual)'

49. Knowing'the'Environment'/'Takeaways
Tailor'discovery'to'rate'of'change
Think&about&normaliza0on&of&discovery&data

50. Visibility
Risk%Priori)za)on

52. Connec&vity+
Analysis+via+Ne1lix+
OSS

56. Risk%Priori)za)on%-%Takeaways
What%is%measurable?%(objec3vely)
Use$as$an$input,$not$law

57. Visibility
Mul$%Layer+Security+Tes$ng

58. Deconstruc*ng,security,tes*ng

61. Ne#lix'Deployment'Pipeline

63. Integrated)tes+ng)for)CI/CD

66. Mul$%Layer+Security+Tes$ng+%+Takeaways
What%conversa-ons%can%you%avoid?
Is#there#a#pyramid#you#can#leverage?

67. Visibility
Configura)on*Monitoring

69. AWS$Op'ons

70. Bill$as$IDS
AWS$Billing$Alerts

72. CloudTrail
Logging&of&API&calls

74. {
"Records": [{
"eventVersion": "1.0",
"userIdentity": {
"type": "IAMUser",
"principalId": "EX_PRINCIPAL_ID",
"arn": "arn:aws:iam::123456789012:user/Alice",
"accessKeyId": "EXAMPLE_KEY_ID",
"accountId": "123456789012",
"userName": "Alice"
},
"eventTime": "2014-03-06T21:22:54Z",
"eventSource": "ec2.amazonaws.com",
"eventName": "StartInstances",
"awsRegion": "us-west-2",
"sourceIPAddress": "205.251.233.176",
"userAgent": "ec2-api-tools 1.6.12.2",
"requestParameters": {
"instancesSet": {
"items": [{
"instanceId": "i-ebeaf9e2"
}]
}
},

75. "responseElements": {
"instancesSet": {
"items": [{
"instanceId": "i-ebeaf9e2",
"currentState": {
"code": 0,
"name": "pending"
},
"previousState": {
"code": 80,
"name": "stopped"
}
}]
}
}
},
... additional entries ...
]
}

76. Trusted(Advisor
Checks'config'vs.'best'prac3ces

79. Shameless(Plug(Sec-on(of(the(Talk

80. Edda
AWS$config$history

81. What%instance%has%a%given%public%IP?
$ curl "http://edda/api/v2/view/instances;publicIpAddress=1.2.3.4;_since=0"
["i-0123456789","i-012345678a","i-012345678b"]

82. What%is%the%most%recent%change%to%a%security%
group?
$ curl "http://edda/api/v2/aws/securityGroups/sg-0123456789;_diff;_all;_limit=2"

83. $ curl "http://edda/api/v2/aws/securityGroups/sg-0123456789;_diff;_all;_limit=2"
--- /api/v2/aws.securityGroups/sg-0123456789;_pp;_at=1351040779810
+++ /api/v2/aws.securityGroups/sg-0123456789;_pp;_at=1351044093504
@@ -1,33 +1,33 @@
{
"class" : "com.amazonaws.services.ec2.model.SecurityGroup",
"description" : "App1",
"groupId" : "sg-0123456789",
"groupName" : "app1-frontend",
"ipPermissions" : [
{
"class" : "com.amazonaws.services.ec2.model.IpPermission",
"fromPort" : 80,
"ipProtocol" : "tcp",
"ipRanges" : [
"10.10.1.1/32",
"10.10.1.2/32",
+ "10.10.1.3/32",
- "10.10.1.4/32"
],
"toPort" : 80,
"userIdGroupPairs" : [ ]
}
],
"ipPermissionsEgress" : [ ],
"ownerId" : "2345678912345",
"tags" : [ ],
"vpcId" : null
}

84. Security)Monkey

86. Configura)on*Monitoring*.*Takeaways
Config&changes&have&a&con-nuum&of&safety
Find%ways%to%observe%and%differen1ate

87. Conclusions

91. AWS$Security$Resources
h"p://&ny.cc/awssecurity

92. Thank&you!
chan@ne'lix.com.:.@chanjbs