BSidesCT 2019: Building Castles in the Cloud: AWS Security and Self-Assessment

Nov 09, 19

On November 9th, 2019, I gave a 50-minute talk at BSidesCT. The details are recorded here for posterity.

Abstract

As comfort and familiarity with cloud computing are now more mainstream, companies are leaning more and more on cloud resources to host and run even their most sensitive technical assets. With these new technologies/innovations come new (and old!) security concerns. As a consultant, I’ve had experience breaking into AWS environments with varying sophistication of security posture, and then helping those clients patch holes and harden their environments. This talk will lean on those experiences to provide you with a guide on securing your AWS environment, and then validating that security.

We’ll start by walking through AWS’s Shared Responsibility Model. Then we’ll identify the features of AWS that are most important for security, and give tips on best practices and easy wins. After establishing these security standards, we’ll take a quick look at a few (free) tools for auditing AWS configurations, including NCC Group’s own open-source ScoutSuite. You’ll leave this talk with concrete next steps for improving your own cloud security posture.

Materials

The slide deck is available on SpeakerDeck.

A recording of the talk is available, but I’ll leave that for you to track down if you so choose!