On October 19th, 2019, I gave a 4-hour workshop at Boston Application Security Conference (BASC), with my coworker Josh Dow (@0xJDow). The details are recorded here for posterity.
As comfort and familiarity with cloud computing is now more mainstream, companies are leaning more and more on cloud resources to host and run even their most-sensitive technical assets. With these new technologies/innovations come new (and old!) security concerns. In this workshop, we will take participants through a baseline understanding of cloud security - with a focus on AWS security fundamentals.
First, we will briefly outline the cloud security model, the similarities across platforms, and the shared responsibility model that Amazon employs. From there, we will introduce participants to open-source tooling for AWS account auditing and hardening, including NCC’s own ScoutSuite. We will provide access to an intentionally vulnerable AWS environment, to allow workshop attendees to follow along and explore misconfigurations with their own eyes. We also will support attendees who want to immediately dive into auditing their own AWS accounts/environments.
Next, we’ll highlight easy wins for AWS security, that the audience will be able to immediately apply to their own environments. Following that, we’ll speak to Amazon’s built-in security tooling, including:
- Security Hub
- Trusted Advisor
- Macie (and why it’s probably wrong for you!)
We’ll focus on actionable guidance to walk away and be able to use these tools to harden your own posture. Subsequently, we’ll work with attendees through the misconfigurations that led to the Capital One breach, via the CloudGoat scenario. Wrapping up, we’ll provide a easy to follow cheatsheet of best practices, easy wins, and open source tools that attendees can reference to improve their own environments.
Users should bring a laptop having: administrator privileges, at least 8GB of RAM, 10GB of free disk space, the latest version of 64-bit Virtualbox installed, and USB ports for copying data.
The slide deck is available on SpeakerDeck.
A cheatsheet of key takeaways is available as a PDF on GitHub