Welcome to risk3sixty
North West Atlanta AWS
Establishing a Stronghold:
Core strategies to develop defense in
depth in AWS
Proudly co-hosted by:
Simplifying security and compliance so you
can focus on business.
Grit ◊ Team ◊ Steadfast ◊ Craftsmanship ◊ Freedom
Fastest Growing
Atlanta-Based
Cybersecurity
Consulting Firm
What is risk3sixty?
Founded in 2016, risk3sixty has quickly become one
of the most respected boutique security advisory
firms in the nation. Serving the high growth
technology sector, we are on the cutting edge of
security, privacy, and compliance.
Summary Practice Areas:
Advisory Compliance
Virtual CISO
Offensive Security
Privacy Programs
Security Programs
Internal Audit
Crisis Management
SOC 2 Reporting
PCI DSS Certification
ISO 27001
GDPR/CCPA
NYDFS Cyber
NIST 800-53
www.risk3sixty.com
Context and Introduction
Misconfiguration, poor credential management &
insider threat are the top causes of Cloud Infrastructure
data breaches
• In the past two years alone, the US Department of Defense,
US Central and Pacific Command, Accenture, GoDaddy,
FedEx, and Cisco all encountered data
breaches/unauthorized disclosures due to AWS
misconfigurations.
• According to the global research and advisory firm Gartner,
approximately 80% of all cloud infrastructure breaches are
due to:
• Mismanagement of Credentials
• Infrastructure Misconfiguration
• Insider Theft (preventable with proper access,
segregation of duties control, and monitoring/alerting)
Security IRL
Are these the same old problems we have always
contended with, or has the root cause evolved?
Some things to consider:
• Deployment of new web-scale cloud infrastructure is rapid and low effort. A few
incorrect clicks can expose it all to the public internet.
• The concept of deploying a strong firewalled perimeter to wall off a weak internal
network does not carry over to web-scale cloud infrastructure, where any resource is one
permission or policy change away from the public internet.
• Modern web-scale cloud infrastructure favors a developer approach to management.
The negative implications of the skills gap for IT ops personnel without dev expertise
are magnified in web-scale cloud infrastructure.
• The types of issues we are identifying during penetration tests over web-scale cloud
infrastructure differ considerably from what is typical in traditional enterprise IT
environments.
Core Strategy #1 – Enable Cloud-centric Logging
Logging is a necessity for capturing security events, tracking
configuration changes, and meeting compliance requirements.
AWS Native Solution:
Enable AWS CloudTrail to capture all API activity.
Considerations:
• Who can read, modify and delete the trail and its log files? Restrict those permissions to a
small set of identities and alert on StopLogging, UpdateTrail and DeleteTrail calls.
• Are logs being stored in S3 buckets? How are these protected? Is encryption at rest enabled
on the bucket? With S3 server-side encryption using AWS KMS (SSE-KMS), reading a log file also
requires permission to use the key.
• Are logs protected in transit? CloudTrail delivers to S3 over TLS; for everything else that
reads the bucket, add a bucket policy statement that denies requests whose aws:SecureTransport
condition is false. (Server-side encryption protects data at rest, not in transit.)
• Is CloudTrail log file validation enabled? The signed digest files let you detect a log file
that was modified or deleted after delivery.
• Have retention policies been defined and implemented? Is a lifecycle policy in place in S3?
• Are you centrally locating log data? CloudTrail is configured per Region and per account,
not per Availability Zone: use a multi-Region trail (or an organization trail) that delivers
to a single, dedicated logging account.
Core Strategy #2 – Restrict Root & Console Access & Enable MFA
Everywhere
The Root account can touch and modify all assets, billing and more.
This account should almost never be accessed or used.
AWS Native Solution(s):
Identity and Access Management (IAM) and Multi-Factor Authentication
Considerations:
• Create a long, unique password and enable multi-factor authentication with a hardware or
time-based token (and properly secure that token).
• Set up AWS IAM users, groups and roles to handle all other aspects of account management, and
enable MFA across the organization.
• Segregate accounts with console and programmatic access to create further segregation of duties.
• Disable/delete the Root account's API access keys (it doesn't need them).
• Make sure CloudTrail is logging security events (including Root account activity), and alert
on any Root usage: outside of a handful of account-level tasks there should be none.
• Field Experience Note: What happens if you lose your MFA token for your AWS Root account?
Recovery goes through the email address and phone number registered on the account, so keep
both current and under the control of more than one person.
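The checks Strategies #1 and #2 ask for (root activity logged and noticed, MFA on every console login, nobody quietly switching the trail off) can be run as detection logic over the log files CloudTrail delivers. The block below is an added example, not code from the talk: the records in SAMPLE_LOG are constructed to the layout CloudTrail writes to S3, and the account ID, user names, trail name and IP addresses are placeholders.

```python
"""Detection logic over CloudTrail records (added example, not from the talk).

The record layout follows what CloudTrail delivers to S3: a gzipped JSON
object with a "Records" list. SAMPLE_LOG is constructed for this example;
account ID 111122223333, the user names and the IP addresses are placeholders.
"""
import gzip
import json

SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2019-03-01T12:00:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"},
     "sourceIPAddress": "203.0.113.10",
     "additionalEventData": {"MFAUsed": "No"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2019-03-01T12:05:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateAccessKey",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"},
     "sourceIPAddress": "203.0.113.10"},
    {"eventTime": "2019-03-01T13:00:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "userName": "alice",
                      "arn": "arn:aws:iam::111122223333:user/alice"},
     "sourceIPAddress": "198.51.100.7",
     "additionalEventData": {"MFAUsed": "Yes"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2019-03-01T13:10:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "userName": "bob",
                      "arn": "arn:aws:iam::111122223333:user/bob"},
     "sourceIPAddress": "198.51.100.8",
     "additionalEventData": {"MFAUsed": "No"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2019-03-01T13:20:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging",
     "userIdentity": {"type": "IAMUser", "userName": "bob",
                      "arn": "arn:aws:iam::111122223333:user/bob"},
     "sourceIPAddress": "198.51.100.8",
     "requestParameters": {"name": "org-trail"}},
]})

# API calls that reduce or remove CloudTrail coverage.
TRAIL_TAMPERING = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}


def is_root(event):
    """Root activity is recorded with userIdentity.type == "Root"."""
    return (event.get("userIdentity") or {}).get("type") == "Root"


def is_console_login_without_mfa(event):
    """A successful ConsoleLogin whose MFAUsed flag is anything but "Yes"."""
    return (event.get("eventName") == "ConsoleLogin"
            and (event.get("responseElements") or {}).get("ConsoleLogin") == "Success"
            and (event.get("additionalEventData") or {}).get("MFAUsed") != "Yes")


def is_trail_tampering(event):
    return (event.get("eventSource") == "cloudtrail.amazonaws.com"
            and event.get("eventName") in TRAIL_TAMPERING)


def analyse(log_text):
    """Return (rule, eventTime, eventName, actor ARN, source IP) for each hit."""
    findings = []
    for ev in json.loads(log_text)["Records"]:
        actor = (ev.get("userIdentity") or {}).get("arn", "unknown")
        meta = (ev.get("eventTime"), ev.get("eventName"), actor, ev.get("sourceIPAddress"))
        if is_root(ev):
            findings.append(("ROOT_ACTIVITY",) + meta)
        if is_console_login_without_mfa(ev):
            findings.append(("CONSOLE_LOGIN_NO_MFA",) + meta)
        if is_trail_tampering(ev):
            findings.append(("CLOUDTRAIL_TAMPERING",) + meta)
    return findings


def analyse_file(path):
    """Open a delivered CloudTrail log file (gzipped JSON) and analyse it."""
    with gzip.open(path, "rt", encoding="utf-8") as fh:
        return analyse(fh.read())


if __name__ == "__main__":
    for rule, when, name, actor, ip in analyse(SAMPLE_LOG):
        print(f"{when} {rule:<22} {name:<16} {actor} from {ip}")
```

On the sample the root console login produces two findings (root activity and a login without MFA), the root CreateAccessKey one, bob's login one, and the StopLogging call one. Delivered log files are gzipped JSON with a Records list, which analyse_file() handles; the same functions can sit behind a Lambda triggered by the log bucket's object-created notification.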
Core Strategy #3 – Develop an IAM Management Strategy
AWS IAM can be used to implement a zero-trust security policy
where access is highly restricted based on least privilege.
AWS Native Solution(s):
Identity and Access Management, Security Token Service
Considerations:
• Start with AWS Managed Policies, which are pre-made by AWS for common use cases, but treat
them as a starting point: many grant full access to a service, so replace them with customer
managed policies once the permissions actually required are known.
• Take the time to map User Groups to required permissions truly based on least privilege.
• Use Managed Policies instead of Inline Policies. A managed policy can be attached to multiple
identities and is versioned; an inline policy exists only for a single user, group, or role.
• Make use of Security Token Service (AWS STS) to issue dynamic, short-term credentials for
production resources that auto-expire (from 15 minutes up to the role's maximum session
duration). Highly restrict persistent access to production (limit it to the SRE team, or use
immutable infrastructure and go TNO).
• Field Experience Note: AWS IAM federated with Okta and Duo, immutable infrastructure and AWS
Security Token Service together hyper-lock down production.
Core Strategy #4 – Rotate Access Keys & Use AWS STS
Access keys are what the AWS Command Line Interface, SDKs, and direct API
calls authenticate with. Key rotation drastically reduces the window in which a stolen key is useful.
AWS Native Solution(s):
Identity and Access Management, Secrets Manager, Lambda, Security Token Service
Considerations:
For Databases:
• For database credential rotation, use AWS Secrets Manager with a Lambda rotation function.
AWS provides rotation function templates for RDS and other supported database engines.
For Everything Else:
• Avoid embedding static access keys in applications. Use IAM Roles instead (Google: Using an
IAM Role to Grant Permissions to Applications).
• Use IAM roles to grant access to apps/resources with temporary security credentials (STS),
which rotate automatically, as opposed to IAM user access keys, which never expire.
• Where IAM user keys are unavoidable, use different keys for different applications to minimize
the impact of a stolen key and to keep CloudTrail entries distinguishable per application.
• Check key age with the IAM credential report and alert on keys older than your rotation period
and on active keys that have never been used.
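Strategy #2 says root needs no access keys and Strategy #4 says user keys must be rotated; both can be verified from one artifact, the IAM credential report. The block below is an added example, not the talk's code: REPORT is a constructed CSV in the column layout of `aws iam get-credential-report` (the real command returns the CSV base64-encoded in its Content field), and the 90-day period, the fixed clock, the account ID and the user names are assumptions.

```python
"""Key age, root key and MFA checks over an IAM credential report.

Added example, not from the talk. REPORT is constructed in the column layout
of `aws iam get-credential-report`; the users, account ID and dates are
placeholders. NOW is fixed so that a run is reproducible.
"""
import csv
import io
from datetime import datetime, timedelta, timezone

REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws:iam::111122223333:root,2016-01-10T09:00:00+00:00,not_supported,2019-02-20T08:12:44+00:00,not_supported,not_supported,false,true,2016-01-10T09:05:00+00:00,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
alice,arn:aws:iam::111122223333:user/alice,2017-05-02T10:00:00+00:00,true,2019-02-28T16:40:00+00:00,2019-01-15T10:00:00+00:00,2019-04-15T10:00:00+00:00,true,true,2019-01-20T10:00:00+00:00,2019-02-28T16:41:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
deploy-bot,arn:aws:iam::111122223333:user/deploy-bot,2017-08-01T10:00:00+00:00,false,no_information,N/A,N/A,false,true,2017-08-01T10:02:00+00:00,2019-02-27T03:00:00+00:00,us-east-1,ec2,true,2018-11-01T10:00:00+00:00,N/A,N/A,N/A,false,N/A,false,N/A
bob,arn:aws:iam::111122223333:user/bob,2018-03-03T10:00:00+00:00,true,2019-02-01T12:00:00+00:00,2018-03-03T10:00:00+00:00,2018-06-01T10:00:00+00:00,false,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
"""

NOW = datetime(2019, 3, 1, tzinfo=timezone.utc)   # assumed clock for the sample
MAX_KEY_AGE = timedelta(days=90)                   # assumed rotation period
ROOT = "<root_account>"                            # how the report names the root user


def parse_ts(value):
    """Timestamps are ISO 8601; N/A, no_information and not_supported mean 'none'."""
    if value in ("N/A", "no_information", "not_supported", ""):
        return None
    return datetime.fromisoformat(value)


def audit(report_csv, now=NOW, max_age=MAX_KEY_AGE):
    """Return a list of (user, rule, detail) findings."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        for slot in ("1", "2"):
            if row[f"access_key_{slot}_active"] != "true":
                continue
            if user == ROOT:
                findings.append((user, f"ROOT_ACCESS_KEY_{slot}_ACTIVE",
                                 "delete it; root needs no API keys"))
            rotated = parse_ts(row[f"access_key_{slot}_last_rotated"])
            if rotated is not None and now - rotated > max_age:
                findings.append((user, f"ACCESS_KEY_{slot}_STALE",
                                 f"{(now - rotated).days} days since rotation"))
            if parse_ts(row[f"access_key_{slot}_last_used_date"]) is None:
                findings.append((user, f"ACCESS_KEY_{slot}_NEVER_USED",
                                 f"unused since creation on {rotated}"))
        if row["password_enabled"] == "true" and row["mfa_active"] != "true":
            findings.append((user, "CONSOLE_PASSWORD_WITHOUT_MFA",
                             "console access without a second factor"))
        if user == ROOT and row["mfa_active"] != "true":
            findings.append((user, "ROOT_WITHOUT_MFA",
                             "enable a hardware or TOTP token on root"))
    return findings


if __name__ == "__main__":
    for user, rule, detail in audit(REPORT):
        print(f"{user:<16} {rule:<30} {detail}")
```

With boto3 the same CSV comes from `iam.generate_credential_report()` followed by `iam.get_credential_report()["Content"].decode()`; IAM regenerates the report at most once every four hours, so run the audit on a schedule rather than on demand. On the sample, root is flagged for an active, stale, never-used key and for missing MFA, deploy-bot for two stale keys (one never used), bob for a console password without MFA, and alice for nothing.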
Core Strategy #5 – Layered Defense Model for Web Apps
The majority of organizations utilizing AWS do so to host web apps and
publicly accessible services. Use a layered defense approach to protect them.
AWS Native Solution(s):
CloudFront with S3 Buckets, Elastic Load Balancer, AWS WAF (Web Application Firewall),
Availability Zones, Virtual Private Cloud with Network Access Control Lists, and Security Groups
Considerations:
• Identify and define business needs for all open ports and lines of communication, including
both ingress and egress traffic from public sources and server-to-server communication needs.
• Note that AWS Security Groups are stateful. The response to a request that was allowed in is
allowed out, whatever the outbound rules say. Security groups only have allow rules; anything
not matched is denied.
• But VPC NACLs are stateless! Anything allowed in is not automatically allowed out. A NACL that
allows inbound 443 also needs an outbound rule for the clients' ephemeral ports (1024-65535),
or responses are dropped. NACL rules are evaluated in ascending rule-number order and the first
match wins, so an explicit deny placed before an allow takes effect while one placed after it
is never reached.
• Strategies surrounding TLS termination will vary. Outside the scope of this talk.
• Field Experience Note: Every team architects their solution differently. I've never seen the
same set up twice.
Core Strategy #5 – Layered Defense Model Continued…
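The stateful/stateless distinction is easiest to see by pushing one HTTPS exchange through both kinds of filter. The block below is an added example, not from the talk, with the two filters modelled in Python: a security group keeps allow rules only and tracks connections; a NACL has numbered allow/deny rules evaluated in ascending order, first match wins, with an implicit deny at the end. The addresses, ports and rule numbers are placeholders.

```python
"""Stateful security group vs stateless network ACL, simulated (added
example, not from the talk). Addresses, ports and rule numbers are placeholders."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    direction: str    # "in" (toward the instance) or "out" (from it)
    proto: str        # "tcp" or "udp"
    remote_ip: str    # the other end of the conversation
    local_port: int   # port on the instance
    remote_port: int  # port at the remote end


@dataclass(frozen=True)
class Rule:
    proto: str        # "tcp", "udp" or "-1" for all protocols
    port_from: int
    port_to: int
    cidr: str
    action: str = "allow"   # "deny" only exists in network ACLs
    number: int = 0         # NACL rule number; ignored by security groups

    def matches(self, pkt):
        # Inbound rules key on the instance's port, outbound rules on the
        # destination port at the remote end, as in the AWS console.
        port = pkt.local_port if pkt.direction == "in" else pkt.remote_port
        return (self.proto in ("-1", pkt.proto)
                and self.port_from <= port <= self.port_to
                and ipaddress.ip_address(pkt.remote_ip) in ipaddress.ip_network(self.cidr))


class SecurityGroup:
    """Allow rules only, plus connection tracking: a reply to an allowed
    request passes whatever the rules for the other direction say."""
    def __init__(self, inbound, outbound):
        self.rules = {"in": inbound, "out": outbound}
        self.tracked = set()

    def evaluate(self, pkt):
        flow = (pkt.proto, pkt.remote_ip, pkt.remote_port, pkt.local_port)
        if flow in self.tracked:
            return "allow"          # stateful: the reply rides on the tracked flow
        if any(r.matches(pkt) for r in self.rules[pkt.direction]):
            self.tracked.add(flow)
            return "allow"
        return "deny"               # nothing matched: implicit deny


class NetworkAcl:
    """Numbered allow/deny rules, lowest number first, first match wins,
    implicit deny at the end, and no memory of earlier packets."""
    def __init__(self, inbound, outbound):
        self.rules = {"in": sorted(inbound, key=lambda r: r.number),
                      "out": sorted(outbound, key=lambda r: r.number)}

    def evaluate(self, pkt):
        for r in self.rules[pkt.direction]:
            if r.matches(pkt):
                return r.action
        return "deny"


ANY = "0.0.0.0/0"
# One HTTPS exchange: request from a client's ephemeral port, then the reply.
REQUEST = Packet("in", "tcp", "203.0.113.10", 443, 51000)
REPLY = Packet("out", "tcp", "203.0.113.10", 443, 51000)


def security_group_exchange():
    sg = SecurityGroup(inbound=[Rule("tcp", 443, 443, ANY)], outbound=[])
    return [sg.evaluate(REQUEST), sg.evaluate(REPLY)]      # allow, allow


def nacl_mirrored_rules_exchange():
    # Common mistake: the outbound rule mirrors the inbound one (port 443),
    # but the reply goes to the client's ephemeral port and is dropped.
    acl = NetworkAcl(inbound=[Rule("tcp", 443, 443, ANY, number=100)],
                     outbound=[Rule("tcp", 443, 443, ANY, number=100)])
    return [acl.evaluate(REQUEST), acl.evaluate(REPLY)]    # allow, deny


def nacl_ephemeral_rules_exchange():
    acl = NetworkAcl(inbound=[Rule("tcp", 443, 443, ANY, number=100)],
                     outbound=[Rule("tcp", 1024, 65535, ANY, number=100)])
    return [acl.evaluate(REQUEST), acl.evaluate(REPLY)]    # allow, allow


def nacl_rule_order(deny_number):
    # A deny for 198.51.100.0/24 only takes effect if its number is lower
    # than the allow for 443; at a higher number it is never reached.
    acl = NetworkAcl(inbound=[Rule("tcp", 443, 443, ANY, number=100),
                              Rule("-1", 0, 65535, "198.51.100.0/24", "deny", deny_number)],
                     outbound=[Rule("tcp", 1024, 65535, ANY, number=100)])
    return acl.evaluate(Packet("in", "tcp", "198.51.100.5", 443, 40000))


if __name__ == "__main__":
    print("security group        :", security_group_exchange())
    print("NACL, mirrored rules  :", nacl_mirrored_rules_exchange())
    print("NACL, ephemeral egress:", nacl_ephemeral_rules_exchange())
    print("NACL deny at 90 / 110 :", nacl_rule_order(90), nacl_rule_order(110))
```

The mirrored-rules case is the one that bites in practice: the inbound 443 allow looks complete until the reply to port 51000 reaches the outbound table. The rule-order case shows why a deny appended "at the end" of a NACL does nothing.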
Core Strategy #6 – Make Sure S3 Data is Locked Down
AWS S3 provides comprehensive security and compliance
capabilities, but with that flexibility and complexity comes risk.
AWS Native Solution(s):
Amazon S3, CloudFront, IAM, Amazon Macie
Considerations:
• Start with bucket policies and IAM user policies and restrict public access. Google search for
"Bucket Policies to Secure S3". Turn on S3 Block Public Access at the account level so that a
public ACL or bucket policy is rejected rather than applied.
• Pay close attention to how IAM permissions are applied. S3 is locked down by default, but as
access is opened up to make applications work, errors abound.
• When content must be served publicly, keep the bucket private and serve it through CloudFront
with an Origin Access Identity, so that only CloudFront can read from the bucket. Google search
for "Restricting Access to Amazon S3 Content by Using an Origin Access Identity". (CloudFront's
newer Origin Access Control supersedes OAI and is what AWS recommends today; the bucket-policy
idea is the same.)
• Look for the "Public" flag in the S3 Management Console.
• Consider Amazon Macie to automatically scan your S3 buckets for security concerns.
• Consider community tools like s3-inspector to perform security checks. Google search "github
s3-inspector".
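Two of the items above, spotting an allow-to-everyone bucket policy and the OAI pattern, can be expressed as code. This is an added example, not the talk's code: public_statements() is a simplified version of the check behind the console's "Public" flag (AWS also treats some conditions, such as a very wide aws:SourceIp range, as still public; that logic is not reproduced), and oai_bucket_policy() builds the policy for a private bucket behind CloudFront. The bucket names, the VPC endpoint ID and the OAI ID are placeholders.

```python
"""Bucket-policy checks for the S3 lock-down strategy (added example, not
from the talk). Bucket names, the VPC endpoint ID and the OAI ID are
placeholders; public_statements() simplifies the console's "Public" test."""
import json


def _statements(policy):
    """Accept a policy as JSON text or dict; Statement may be one object or a list."""
    doc = json.loads(policy) if isinstance(policy, str) else policy
    stmts = doc.get("Statement", [])
    return [stmts] if isinstance(stmts, dict) else stmts


def _principals(stmt):
    """Flatten Principal ("*", {"AWS": "..."} or {"AWS": [...]}) to a list."""
    p = stmt.get("Principal", {})
    if not isinstance(p, dict):
        return [p]
    out = []
    for v in p.values():
        out.extend(v if isinstance(v, list) else [v])
    return out


def public_statements(policy):
    """Allow statements granted to everyone ("*" or {"AWS": "*"}) that no
    Condition narrows down. A Deny with Principal "*" is not a problem."""
    return [s for s in _statements(policy)
            if s.get("Effect") == "Allow"
            and "*" in _principals(s)
            and not s.get("Condition")]


def oai_bucket_policy(bucket, oai_id):
    """Only the CloudFront Origin Access Identity may read objects, and
    plaintext HTTP is refused for everyone."""
    arn = f"arn:aws:s3:::{bucket}"
    oai_user = f"arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity {oai_id}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "AllowCloudFrontOAIRead", "Effect": "Allow",
             "Principal": {"AWS": oai_user},
             "Action": "s3:GetObject", "Resource": f"{arn}/*"},
            {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
             "Action": "s3:*", "Resource": [arn, f"{arn}/*"],
             "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
        ],
    }


# Constructed sample policies.
PUBLIC_READ = {"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-assets/*"}]}
PUBLIC_READ_JSON = json.dumps(PUBLIC_READ)   # the form the API returns

VPCE_ONLY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "FromOurEndpoint", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-internal/*",
     "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}}]}


def report(name, policy):
    hits = [s.get("Sid", "<no Sid>") for s in public_statements(policy)]
    return f"{name}: {'PUBLIC via ' + ', '.join(hits) if hits else 'not public'}"


if __name__ == "__main__":
    print(report("example-assets", PUBLIC_READ))
    print(report("example-internal", VPCE_ONLY))
    site_policy = oai_bucket_policy("example-site", "E2QWRUHAPOMQZL")
    print(report("example-site", site_policy))
    print(json.dumps(site_policy, indent=2))
```

Point report() at the output of `aws s3api get-bucket-policy` for each bucket and you have the console's "Public" column as a script; pair it with S3 Block Public Access so that a policy like PUBLIC_READ cannot be applied in the first place.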
Core Strategy #7 – Consider but Don't Over-rely on Security Tools
AWS is releasing new features and tools all the time, but they should
never be considered a replacement for foundational security practices.
AWS Native Solution(s):
Amazon Inspector, Amazon Macie, AWS WAF, Amazon GuardDuty, AWS Security Hub, AWS Shield
Considerations:
Most common solutions encountered in the wild:
• Amazon Inspector: Automated security assessment of EC2 instances for known vulnerabilities
and deviations from best practices.
• Amazon Macie: Automatically discover, classify, and protect sensitive data in S3.
• AWS WAF: Protect your web applications from common web exploits such as SQL injection and
cross-site scripting.
• Amazon GuardDuty: Threat detection service and continuous monitoring of CloudTrail events,
VPC Flow Logs and DNS logs.
• AWS Shield: Managed DDoS protection.
• AWS Security Hub: Comprehensive view of your high-priority security alerts and compliance
status across AWS accounts.
Fastest Growing Companies
Questions or
Comments?
Security Craftsmanship
Top 5 Cybersecurity Companies
risk3sixty
