Posted on 06-Feb-2018


TRANSCRIPT

  • Cloud Security, Compliance, and Incident Response in the Amazon EC2 Cloud

    Brad Dispensa, Senior Solutions Architect (WWPS), Amazon Cloud Services, Amazon

    Tom Arnold, Head of Digital Forensics, Payment Software Company (PSC)

  • Topics: Select list of topics important to Cloud-based PCI DSS compliance

    Security in the Amazon EC2 cloud
      Services and tools provided by AWS
      Best practices for setting up instances and the environment
      Access controls (IAM and 2-factor authentication to the console)
      Logging and tracking (introduce AWS CloudTrail and other services)
      Securing hosts and configuration of hosts
      How configuration standards for systems might need to be altered
      Segmenting and layering the virtual network
      Firewall functionality

    Preparing for a PCI DSS compliance audit for systems in EC2
      What artifacts and evidence need to be collected
      What changes to policies and procedures need to be made

    Incident Response
      Why prepare for an incident
      Focus on the first responder and the actions that should be taken

  • Security in Amazon Web Services

  • Services and tools: Available from AWS to help secure EC2 resources

    Amazon CloudWatch
    AWS CloudTrail
    AWS Config
    Amazon Inspector
    AWS WAF
    Amazon VPC flow logs

  • AWS Shared Responsibility Model

    Scope of responsibility depends on the type of service offered by AWS: Infrastructure, Container, Abstracted Services

    Understanding who is responsible for what is critical to ensuring your AWS data and systems are secure!

    AWS: Facilities; Physical security; Compute infrastructure; Storage infrastructure; Network infrastructure; Virtualization layer (EC2); Hardened service endpoints; Rich IAM capabilities

    Customer: Network configuration; Security groups; OS firewalls; Operating systems; Applications; Proper service configuration; AuthN & acct management; Authorization policies

  • Shared Responsibility Model

    AWS is responsible for the security OF the Cloud:
      AWS Foundation Services: Compute, Storage, Database, Networking
      AWS Global Infrastructure: Regions, Availability Zones, Edge Locations

    Customers are responsible for their security and compliance IN the Cloud:
      Customer content
      Platform, Applications, Identity & Access Management
      Operating System, Network & Firewall Configuration
      Client-side Data Encryption
      Server-side Data Encryption
      Network Traffic Protection

  • Defense-in-Depth

    Physical: AWS Compliance Program; Third Party Attestations
    Network: Security Groups; VPC Configuration; Web App Firewalls; Bastion Hosts; Encryption In-Transit
    System Security: Hardened AMIs; OS and App Patch Mgmt.; IAM Roles for EC2; IAM Credentials
    Data Security: Logical Access Controls; User Authentication; Encryption At-Rest

  • AWS CloudTrail: Web service that records AWS API calls for your account and delivers logs.

    (Diagram: API calls made through the Console, AWS SDK and CLI are recorded by CloudTrail and delivered to S3, from where they can be consumed by AWS Partner Network tools, CloudSearch, or EMR/Redshift.)
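As an added example (not code from the talk, and not an AWS tool), the script below reads a CloudTrail delivery in its {"Records": [...]} form and flags the two things the CloudTrail slide and the 2-factor console access topic above are about: console logins made without MFA, and API calls that destroy evidence or switch off the trail. The records, user names, addresses, instance id and trail name are constructed; the field names follow CloudTrail's event schema.

```python
"""Triage a CloudTrail log delivery ({"Records": [...]}) for events a first
responder or PCI assessor would want flagged: console logins made without
MFA, and API calls that can destroy evidence or blind the audit trail.
SAMPLE_DELIVERY is a constructed sample, not a real account's log."""
import json

# Constructed records; field names follow CloudTrail's event schema.
SAMPLE_DELIVERY = json.dumps({"Records": [
    {"eventTime": "2018-01-20T03:12:44Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "IAMUser", "userName": "ops-admin"},
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventTime": "2018-01-20T03:15:02Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "TerminateInstances", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "IAMUser", "userName": "ops-admin"},
     "requestParameters": {"instancesSet": {"items": [{"instanceId": "i-0EXAMPLE"}]}}},
    {"eventTime": "2018-01-20T09:00:10Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.9",
     "userIdentity": {"type": "IAMUser", "userName": "auditor"},
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "Yes"}},
    {"eventTime": "2018-01-20T09:30:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "IAMUser", "userName": "ops-admin"},
     "requestParameters": {"name": "pci-trail"}},
]})

# Calls that remove evidence (the talk warns that terminating rather than
# stopping an instance destroys it) or switch off the audit trail itself.
EVIDENCE_RISK_CALLS = {"TerminateInstances", "DeleteVolume", "DeleteSnapshot",
                       "StopLogging", "DeleteTrail"}

def triage(delivery_json):
    """Return (eventTime, userName, finding) tuples in delivery order."""
    findings = []
    for rec in json.loads(delivery_json)["Records"]:
        user = rec.get("userIdentity", {}).get("userName", "<unknown>")
        name = rec["eventName"]
        mfa = rec.get("additionalEventData", {}).get("MFAUsed")
        if name == "ConsoleLogin" and mfa != "Yes":
            findings.append((rec["eventTime"], user,
                             "console login without MFA from " + rec["sourceIPAddress"]))
        elif name in EVIDENCE_RISK_CALLS:
            findings.append((rec["eventTime"], user, "evidence-affecting call " + name))
    return findings
```

Real deliveries arrive in S3 as gzipped JSON files of the same shape, so the same function applies once the file is decompressed.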

  • AWS CloudWatch: Monitoring services for AWS resources and AWS-based applications.

    Sources: EC2, Auto Scaling, ELB, Route 53, EBS, Storage Gateway, CloudFront, DynamoDB, ElastiCache, RDS, EMR, SNS, SQS, Billing, Custom

    Collect and Track Metrics
    Monitor and Store Logs
    Set Alarms
    View Graphs and Statistics

  • AWS Config: Managed service for tracking AWS inventory and configuration, and configuration change notification.

    Inputs: EC2, VPC, EBS, CloudTrail
    Use cases: Change Management; Audit Compliance; Security Analysis; Troubleshooting; Discovery

  • Best Practices: for setting up instances

    (Diagram: virtual private cloud, security group, Amazon machine image, Account A / Account B, or ELK)

  • Best Practices (cont.): for setting up instances

  • Preparing for an assessment

  • Preparation is key: Cloud assessments can be more time consuming and costly

    No magic when you're in the Cloud

    Covers nearly all 12 major areas of PCI DSS:
      Network and perimeter security
      Servers and system hardening
      Protection of stored data
      Transport security
      Anti-malware
      Software and application security
      Authorization and authentication controls
      Logging and monitoring
      Security controls
      Policy and procedural controls

  • PCI DSS Assessment Readiness: Let's examine some of the differences

    Network and perimeter security
      Firewalls still exist; the standard is adapted for AWS Security Groups
      Security groups for egress, ingress and DMZ control
      Network segmentation: methods for logical control of intra-Cloud communications
      Tied to access controls

    Servers and systems
      Standards and approach for system hardening
      Harden server administrative accounts
      Use AWS config tools & scanning tools to test

  • Assessment Readiness: Review of key differences and approaches

    Protection of stored data
      Retention
      Numerous AWS cloud services can be leveraged
      Approach for data removal may be different
      Encryption: key management and key storage

    Transport security
      Ingress encryption and certificates
      Load balancers
      Outbound encryption to payment gateway

    Anti-malware
      Reporting and alerting

  • Applications are the MOST significant area to focus on

    Application security: area of most exposure
      Development of secure applications
      Testing of applications
      Access controls and permissions
      Vulnerability review and patching done every 2 weeks

    Access controls: front line of defense
      Change group admin accounts; create local accounts
      Remote console access must be filtered and protected
      Leverage AWS multi-factor auth controls
      Leverage AWS Security groups to filter access

    Frequent pen-testing of applications and access (quarterly)!

  • A few final thoughts

    Logging and monitoring
      Central logging should leverage AWS tools
      Isolate access to logs
      Review logs at least daily for access violations

    Security controls
      Scanning, testing, and penetration testing controls are the same
      Test FIM daily on production, public-facing servers

    Policy and procedural controls
      Update all documents to fit the environment
      Incident response readiness changes dramatically

  • Incident response planning

  • Consider this. What do you think of this log extract?

    Log extract from a forensic investigation
    Examination of wtmp

  • So, what happened next? Here's the rest of the story

    1. There were 15,000 unsuccessful ssh login attempts, each six seconds apart
    2. End user types name and password in the login field, then hits enter (this is what the last output from wtmp showed)
    3. Real end user logs in some time later using the root account
    4. At the shell prompt, end user types a curl command to outside sites
    5. Uses the wget command to download a file into the web-root/images folder
    6. End user launches the file through a remote web browser
    7. Modifies the php script to write all encoded card data to a .jpg file in images
    8. End user logs out
    9. Each time a customer clicks the "buy it" button, a connection to http://authorizet.com/ opens
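As an added example (not from the talk), the following Python hunts sshd auth-log lines for the pattern behind steps 1 to 3 above: a long run of failed logins from one address at a fixed cadence, followed by an accepted root login from the same address. The hostname, addresses and log lines are constructed (a 20-attempt run rather than 15,000) so the script runs offline; point it at /var/log/auth.log or journalctl output for real triage.

```python
"""Hunt sshd auth-log lines for a metronomic brute-force run followed by an
accepted root login from the same address. build_sample() returns constructed
lines (20 failures six seconds apart, then a root success) so this runs offline."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import pstdev

LINE_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
                     r"(Failed|Accepted) (?:password|publickey) for (?:invalid user )?(\S+) from (\S+)")

def build_sample():
    """Constructed sample log, not a real capture."""
    start = datetime(2018, 1, 20, 3, 0, 0)
    lines = []
    for i in range(20):
        t = (start + timedelta(seconds=6 * i)).strftime("%b %d %H:%M:%S")
        lines.append(f"{t} web1 sshd[4021]: Failed password for root from 203.0.113.7 port 50022 ssh2")
    t = (start + timedelta(minutes=45)).strftime("%b %d %H:%M:%S")
    lines.append(f"{t} web1 sshd[4880]: Accepted password for root from 203.0.113.7 port 50123 ssh2")
    lines.append("Jan 20 04:10:00 web1 sshd[4901]: Accepted publickey for deploy from 198.51.100.5 port 41000 ssh2")
    return lines

def find_bruteforce_then_success(lines, year=2018, min_failures=10, max_jitter=1.0):
    """Return {source_ip: (failure_count, mean_gap_seconds, accepted_user)} for
    addresses with >= min_failures failures at a regular cadence (population
    stddev of inter-attempt gaps <= max_jitter) and a later accepted login."""
    fails, accepts = defaultdict(list), {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        # syslog timestamps carry no year, so the caller supplies it
        when = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        if m.group(2) == "Failed":
            fails[m.group(4)].append(when)
        elif m.group(4) not in accepts:          # keep the first success per address
            accepts[m.group(4)] = (when, m.group(3))
    hits = {}
    for ip, times in fails.items():
        if len(times) < max(min_failures, 2) or ip not in accepts:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if pstdev(gaps) <= max_jitter and accepts[ip][0] > times[-1]:
            hits[ip] = (len(times), sum(gaps) / len(gaps), accepts[ip][1])
    return hits
```

The cadence check is what separates a scripted guessing run from a user mistyping a password; a hit means the later root login from that address should be treated as an intrusion, not a normal session.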

  • And then, there is this: DDoS and AWS are like water on a fire

    This is a DDoS extortion attack
    AWS EC2 is uniquely constructed to respond to this
    How would this attack affect your incident response plan?

  • Refresher: What is an incident? Most important fact to agree on

    Classic definition: "The strict definition of an incident is any violation of policy, law, or unacceptable act that involves information assets, such as computers, networks, smartphones, tablets, voice recording systems, cameras, etc."

    Bejtlich, R. (2005). The Tao of Network Security Monitoring: Beyond Intrusion Detection. Boston: Addison-Wesley.

  • Planning objectives: Review the components of an incident response plan

    Rapid detection of an incident
    Understand the nature of the threat
    Minimize loss or destruction
    Initial short-term mitigation
    Implement a clear first-response plan
    Complete short-term containment
    Restoration and recovery

  • Planning for EC2 response: How and why a first response plan for EC2 is important

    Influencers on the plan
      EC2 environment is dynamic
      Physical v. logical environments
      Scalability of an environment that dynamically evolves
      Application security threat vectors

    First responder's impact
      Knee-jerk response can make matters worse
      Termination v. stopping of systems may destroy evidence
      Rebuilding systems may re-introduce vulnerabilities

  • Reality check: Appropriate planning and detailed response objectives are key

    Amazon Elastic Compute Cloud: richest and most robust cloud environment
      Even a cottage entrepreneur has the computing power and Internet presence of a Fortune 500
      Numerous security features

    Two of the weakest factors:
      Humans (they still screw things up)
      Applications and programmatic interfaces

    Must establish detailed