CSA Talk May 2018: Difference between revisions

From Federal Burro of Information

Revision as of 18:50, 17 April 2018

Abstract

AWS introduces many new capabilities for provisioning IT services. They do so in a software-defined way and give you lots of options.

All of the services provided by AWS take se


A Grab Bag of Security Practices


  • AWS NTP time sync + DHCP.
  • root MFA
  • using roles to access accounts from a central place.
  • using peering to manage centrally.
    • Diagram
  • using Config rules
  • IAM policy best practices.
  • Auditing and forensics.
    • the CloudTrail -> S3 -> CloudWatch trinity
    • S3 replication
    • S3 immutability
    • Anomaly detection (Datadog)
  • anti-patterns
    • egress backhaul
  • Partners and vendors: what can my vendor do?

10 AWS security blunders and how to avoid them | InfoWorld

https://www.infoworld.com/article/3132023/security/10-aws-security-blunders-and-how-to-avoid-them.html

Mistake 1: Not knowing who is in charge of security
Mistake 2: Forgetting about logs
Mistake 3: Giving away too many privileges
Mistake 4: Having powerful users and broad roles
Mistake 5: Relying heavily on passwords
Mistake 6: Exposed secrets and keys
Mistake 7: Not taking root seriously
Mistake 8: Putting everything in one VPC or account
Mistake 9: Leaving wide open connections
Mistake 10: Skimping on encryption