DevOps Belfast: ‘AWS Certified Security - Speciality’

AWS Certified Security – Specialty An overview Simon Whittaker Cyber Security Director - Vertical Structure Ltd

Prepare, Protect, Persist ® • Prepare • We help you and your partners to understand how to identify and resolve potential security issues at the earliest stages with hands on 'hack yourself first', threat modelling and GDPR compliance workshops as well as security training for non-technical colleagues. • Protect • Using automated and manual penetration testing techniques, we provide a comprehensive security report for your Web and mobile applications, including API testing, and networks. The report highlights potential issues and their resolutions. • Persist • We ensure that your organisation benefits from continual improvements in security levels through information assurance processes, auditing and certification including ISO27001:2013 and Cyber Essentials. © Vertical Structure Ltd where applicable [email protected]

The certification

We’re doing it wrong https://www.theregister.co.uk/2018/10/30/mcafee_cloud_security_terrible © Vertical Structure Ltd where applicable [email protected]

Lies, damn lies and statistics • 14 improperly configured IaaS instances running at any given time • Roughly one in every 20 AWS S3 buckets are left wide open to the public internet • The average business uses around 1,900 cloud instances, but most of the companies they surveyed only thought they used around 30 We’re doing it wrong https://www.theregister.co.uk/2018/10/30/mcafee_cloud_security_terrible © Vertical Structure Ltd where applicable [email protected]

Example Elasticsearch is a search engine based on Lucene. It provides a distributed, multitenant-capable full-text search engine with an HTTP web interface and schema-free JSON documents. https://en.wikipedia.org/wiki/Elasticsearch © Vertical Structure Ltd where applicable [email protected]

Elasticsearch in AWS © Vertical Structure Ltd where applicable [email protected]

Access Restrictions • Resource based • Assigned access to a account, user or role to a domain in AWS • Identity based • Assigned access to a account, user or role to a domain in AWS • Tend to be more generic • IP based • Anyone from the right IP can access anything © Vertical Structure Ltd where applicable [email protected]

Methodology • Shodan for understanding initial numbers • Basic interrogation of top 1000 instances in export to understand: • • • • • • Cluster Name Health Number of documents Size of data Index Names Key names within index • Regex to understand key name and rate “interesting-ness” © Vertical Structure Ltd where applicable [email protected]

Some figures © Vertical Structure Ltd where applicable [email protected]

Versions of Elasticsearch © Vertical Structure Ltd where applicable [email protected]

Version End of Life? Currently maintained? 5.5.2 2019-01-06 No 6.2.2 2019-08-06 Yes 2.3.2 2017-09-30 No 1.5.2 2016-09-23 No 5.3.2 2018-09-28 No 5.1.1 2018-06-08 No 6.0.1 2019-05-14 Yes © Vertical Structure Ltd where applicable [email protected]

AWS Usage © Vertical Structure Ltd where applicable [email protected]

Amount of Documents © Vertical Structure Ltd where applicable [email protected]

Amount of Data Total Data is 24,510.49 GB © Vertical Structure Ltd where applicable [email protected]

Who doesn’t love a wordcloud? © Vertical Structure Ltd where applicable [email protected]

Interesting Clusters © Vertical Structure Ltd where applicable [email protected]

Interesting clusters pt 2 © Vertical Structure Ltd where applicable [email protected]

Interesting clusters pt 3 Store receipts © Vertical Structure Ltd where applicable [email protected]

Interesting clusters pt 4 - a lot of logs base64 -D -i testingb64.txt | gunzip © Vertical Structure Ltd where applicable [email protected]

Interesting clusters pt 4 - a lot of logs © Vertical Structure Ltd where applicable [email protected]

Interesting clusters pt 5 • Major brand names • Broadcaster • Online services • Games providers • Interesting index names • • • • Inventory-gdpr-dev kicsps-staging Storeapp-prod-logs Gisapi-prod © Vertical Structure Ltd where applicable [email protected]

We’re doing it wrong © Vertical Structure Ltd where applicable [email protected]

AWS answer © Vertical Structure Ltd where applicable [email protected]

What do you have to demonstrate? • An understanding of specialized data classifications and AWS data protection mechanisms. • An understanding of data encryption methods and AWS mechanisms to implement them. • An understanding of secure Internet protocols and AWS mechanisms to implement them. • A working knowledge of AWS security services and features of services to provide a secure production environment. • Competency gained from two or more years of production deployment experience using AWS security services and features. • Ability to make tradeoff decisions with regard to cost, security, and deployment complexity given a set of application requirements. • An understanding of security operations and risk. © Vertical Structure Ltd where applicable [email protected]

Recommended knowledge • A minimum of five years of IT security experience designing and implementing security solutions. • At least two years of hands-on experience securing AWS workloads. • Security controls for workloads on AWS. © Vertical Structure Ltd where applicable [email protected]

Certification roadmap © Vertical Structure Ltd where applicable [email protected]

Exam format • Format: Multiple choice, multiple answer • Length: 170 minutes, 65 questions • Registration Fee: 300 USD © Vertical Structure Ltd where applicable [email protected]

Content © Vertical Structure Ltd where applicable [email protected]

Domain 1 - Incident Response • 1.1 Given an AWS abuse notice, evaluate the suspected compromised instance or exposed access keys. • 1.2 Verify that the Incident Response plan includes relevant AWS services. • 1.3 Evaluate the configuration of automated alerting, and execute possible remediation of security-related incidents and emerging issues. © Vertical Structure Ltd where applicable [email protected]

Domain 2 – Logging and Monitoring • 2.1 Design and implement security monitoring and alerting. • 2.2 Troubleshoot security monitoring and alerting. • 2.3 Design and implement a logging solution. • 2.4 Troubleshoot logging solutions. © Vertical Structure Ltd where applicable [email protected]

Domain 3 – Infrastructure Security • 3.1 Design edge security on AWS. • 3.2 Design and implement a secure network infrastructure. • 3.3 Troubleshoot a secure network infrastructure. • 3.4 Design and implement host-based security. © Vertical Structure Ltd where applicable [email protected]

Domain 4 – Identity and Access Management • 4.1 Design and implement a scalable authorization and authentication system to access AWS resources. • 4.2 Troubleshoot an authorization and authentication system to access AWS resources. © Vertical Structure Ltd where applicable [email protected]

Domain 5 – Data Protection • 5.1 Design and implement key management and use. • 5.2 Troubleshoot key management. • 5.3 Design and implement a data encryption solution for data at rest and data in transit. © Vertical Structure Ltd where applicable [email protected]

The big stuff – from my experience © Vertical Structure Ltd where applicable [email protected]

Regulatory requirements • Really important but a bit of a snoozefest • FIPS and EAL compliance are possible with CloudHSM • Logging © Vertical Structure Ltd where applicable [email protected]

Logging Suggestions https://allthingscloud.io/serverless-app-aws-cloudtraillog-analytics-using-amazon-elasticsearch-servicef4612b2103c1 © Vertical Structure Ltd where applicable [email protected]

Things I wasn’t asked much about (but you may be…) • Hypervisor security • NAT instances vs gateways • VPC endpoints • API gateway © Vertical Structure Ltd where applicable [email protected]

Hide the instances • NAT gateway + Endpoint Gateways = hidden instances • Get containers and services out of the public network © Vertical Structure Ltd where applicable [email protected]

Other useful items to help prepare • Use CIS images if you would like a level of security pre-rolled • Questions about Amazon services vs self-rolled • Encrypting root EBS volumes © Vertical Structure Ltd where applicable [email protected]

Guardduty – Intelligent threat detection and continuous monitoring © Vertical Structure Ltd where applicable [email protected]

Config - Record and evaluate configurations of your AWS resources © Vertical Structure Ltd where applicable [email protected]

Trusted advisor – A service to help you reduce cost, increase performance, and improve security © Vertical Structure Ltd where applicable [email protected]

Cloudwatch - Complete Visibility of Your Cloud Resources and Applications © Vertical Structure Ltd where applicable [email protected]

In conclusion • Know and use the tools • It is not practical, there are no simulations • Certificates and keys are “key” • Learning the types of questions will help you • ACloudGuru • Whizlabs © Vertical Structure Ltd where applicable [email protected]

Fancy trying your hand? https://vsltd.co/devopsbelfastnov18

DevOps Belfast: ‘AWS Certified Security - Speciality’ - A general overview

Slide 1

Slide 2

Slide 3

Slide 4

Slide 5

Slide 6

Slide 7

Slide 8

Slide 9

Slide 10

Slide 11

Slide 12

Slide 13

Slide 14

Slide 15

Slide 16

Slide 17

Slide 18

Slide 19

Slide 20

Slide 21

Slide 22

Slide 23

Slide 24

Slide 25

Slide 26

Slide 27

Slide 28

Slide 29

Slide 30

Slide 31

Slide 32

Slide 33

Slide 34

Slide 35

Slide 36

Slide 37

Slide 38

Slide 39

Slide 40

Slide 41

Slide 42

Slide 43

Slide 44

Slide 45

Slide 46

Slide 47

Slide 48

Slide 49

Slide 50

Slide 51

Slide 52

Slide 53

Slide 54

Slide 55

Slide 56

Slide 57

Slide 58

Slide 59

Slide 60

Slide 61

Slide 62

Slide 63

Slide 64