Newsletter
An actionable newsletter where I break down complex security topics for non-security people
TABLE OF CONTENTS
KEYNOTE: BSides Knoxville - Why We Break Things… The Neuroscience Of Hackers!Pacific Hackers: Applying Pareto’s Principle To Securing AWS OrganizationsDEF CON 27 Cloud VillageFederating AWS IAM Authentication using STS and ShibbolethTranscript: BSidesSF 2015 - Federating AWS CLI (Ayman Elsawah, Paul Moreno)Sam Bowne: Cloud Security Overview and Infosec Careers
KEYNOTE: BSides Knoxville - Why We Break Things… The Neuroscience Of Hackers!
A highlight of my career, I was able to combine the my research in Neuroscience with my experience on the Getting Into Infosec Podcast and present my findings and reflections.
Pacific Hackers: Applying Pareto’s Principle To Securing AWS Organizations
DEF CON 27 Cloud Village
Ayman Elsawah - Using Paretos Principle for Securing AWS with SCPs - DEF CON 27 Cloud Village
Abstract
In this talk I will walk through the use of pareto’s 80/20 rule to add significant security to your AWS accounts at scale with little effort (but lots of testing). We will be leveraging the power of AWS Organizations and Service Control Policies (SCPs) to accomplish our goals. This will be a technical talk and guide on taking advantage of AWS Organizations and SCP from scratch and lessons learned from using it in the wild. If you have not yet utilized AWS Organizations and have (or plan to have) multiple AWS accounts, this talk is for you.
This talk assumes you have secured your individual AWS accounts at the basic level by locking down your root accounts with 2FA, and etc.
- Introduction
- Pareto's Principle
- Explanations of Pareto’s principle
- Common Cloud Security Issues
- IAM permissions
- IAM is the new perimeter
- Examples from recent history
- S3 Bucket leaks
- Examples from recent history
- AWS Organizations & SCP
- Why Organizations and SCP?
- Minimal configuration, large impact
- Guardrails for your environment
- Scales well
- Part of AWS Well Architected Framework
- Overview of ideal AWS Organization
- AWS Org and SCP Steps list4
- Organize your Organization
- Go through steps to begin getting your accounts in order
- Master Account
- Must not have any resources
- Policies applied here can lock you out
- Mention life experience, challenges, and tips with migrating Master account
- Logging Account
- Separate account with limited access for logs, preserving integrity
- OU Structure
- Prod, QA, Dev, etc
- Centralized Logging
- CloudTrail configuration at Master account
- This will automatically enable CloudTrail for all accounts, and all new accounts.
- Bucket destination must be in logging account
- SCPs to
- Protect CloudTrals
- Protect VPC Flow Logs
- Limit Region usage
- Limit root account usage
- Require S3 encryption
- Other SCPs
- Resources
- Q & A
Federating AWS IAM Authentication using STS and Shibboleth
- At Pinterest I created an SSO helper tool (in Python) using STS, Shibboleth (yeah I know), that would provide temporary access to engineers.
- No one had anything like this available out there it was beyond it’s time.
- I discovered a bug in their metadata system that made calling STS a problem
Transcript: BSidesSF 2015 - Federating AWS CLI (Ayman Elsawah, Paul Moreno)
Sam Bowne: Cloud Security Overview and Infosec Careers
Related Posts
Press & Interviews
Ayman Elsawah is a keynote speaker, podcast host, author, and practitioner. He’s worked with some brand name companies and takes a HUMAN approach towards security.
Made with Bullet