© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Security hardening of core AWS services
RUNCY OOMMEN | 28-Sep-2019
runcyoommen
https://runcy.me
| Today’s Agenda |
✓ Generic cloud security
❑ Route 53
❑ API Gateway
❑ CloudFront
✓ AWS security services
✓ Shared Responsibility Model
✓ AWS services for hardening
❑ Amazon Linux
❑ Elastic Load Balancer
❑ AWS Certificates (ACM)
Let’s define “Cloud Security”
Cloud Security refers to a broad set of policies,
technologies, applications and controls utilized to
protect virtualized IP, data, applications, services and
the associated infrastructure of cloud computing.
Reference:
https://en.wikipedia.org/wiki/Cloud_computing_security
IT infrastructure & landscape has
undergone a paradigm shift…
Traditional view
Modern view
PaaS
Why should cloud security differ
from “traditional” network security?
Ubiquitous
The cloud is always reachable from
anywhere, any time, any device
Scalable
You can add new features and thousands
of users without breaking a sweat
Integrated
Security and other services talk to
each other for full visibility
Comprehensive
The Cloud scans every byte – ingress
and egress – including SSL & CDN
Intelligent
The cloud learns from every user and
connection; any new threat is blocked for all
Important facets of cloud
Early days of cloud
Move Fast OR Stay Secure
Modern day cloud
Move Fast AND Stay Secure
Cloud v/s Security
Cloud
➢ Agility
➢ Self-service
➢ Scale
➢ Automation
Security
➢ Gate Keeper
➢ Standards
➢ Control
➢ Centralized
Security hardening of core AWS services
Product Name | Category | Brief Description
Certificate Manager | SSL/TLS Certificates | Service that lets you easily provision, manage and deploy SSL/TLS certificates
Amazon Cognito | User Sign Up & Sign In | Lets you add user sign-up/sign-in and access control to your web and mobile apps
Identity Access Management | Access Control | Identity & Access Management to control users' access to AWS services; create and manage users and groups
Amazon Inspector | Security Assessment | Automated security assessment service that helps improve the security and compliance of applications deployed on AWS
Key Management Service | Key Store | Managed service that makes it easy to create and control the encryption keys used to encrypt data
Amazon Macie | Sensitive Data Classification | ML-powered security service to discover, classify and protect sensitive data
Secrets Manager | Secrets Management | Easily rotate, manage and retrieve database credentials, API keys and other secrets throughout their lifecycle
AWS Shield | DDoS Protection | Managed Distributed Denial of Service protection service that safeguards web applications running on AWS
Security, Identity and Compliance products from AWS
Weakness #1:
The Amazon Linux 2 AMI ships with OpenSSH v7.4, which is
outdated and vulnerable to multiple attacks
Solution: Upgrade to OpenSSH 7.8 or later!
SITUATION RIGHT NOW!
What to do now? The elaborate way…
AWS package manager does not
even have a higher version of SSH!!!
➢ Download the latest package from openbsd.org
➢ Install all the relevant dependencies
➢ Compile package from source
➢ Install the compiled package to upgrade
Get the script - https://tinyurl.com/sshupdate
Weakness #2:
Default SSH settings (Ciphers & Key Exchange algorithms)
in Amazon Linux are deprecated and weak
Confirming the presence of weak/deprecated Ciphers & Key Exchanges
Solution:
Check for new ciphers and kex after OpenSSH upgrade
Search for ‘Ciphers’ & ‘KexAlgorithms’ in the man page
➢ Edit the /etc/ssh/sshd_config file
➢ Add default Ciphers and KexAlgorithms in preferred order
➢ Restart the sshd service
Check the Ciphers and Key Exchange Algorithms now…
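One way to do the before/after check above without reading the man page by eye, as an added example that is not part of the deck or its linked script: parse the effective server configuration printed by `sshd -T`, flag the deprecated ciphers and key-exchange algorithms, and emit the hardened `Ciphers`/`KexAlgorithms` lines for sshd_config in preferred order. The `SAMPLE` output is constructed, not captured from an Amazon Linux instance.

```python
"""Audit the ciphers and KEX algorithms an OpenSSH server offers (from `sshd -T`
output) and print the hardened lines for /etc/ssh/sshd_config.
Added example; SAMPLE is constructed, not captured from an Amazon Linux host."""
import re

# Markers of weak/deprecated algorithms: CBC-mode and legacy ciphers,
# SHA-1 based or 1024-bit (group1) key exchanges.
WEAK_CIPHER_MARKERS = ("-cbc", "3des", "arcfour", "blowfish", "cast128")
WEAK_KEX_MARKERS = ("sha1", "group1-")

# Hardened sets in preferred order; all available in OpenSSH 7.8+.
PREFERRED_CIPHERS = ["chacha20-poly1305@openssh.com", "aes256-gcm@openssh.com",
                     "aes128-gcm@openssh.com", "aes256-ctr", "aes192-ctr", "aes128-ctr"]
PREFERRED_KEX = ["curve25519-sha256", "curve25519-sha256@libssh.org",
                 "diffie-hellman-group16-sha512", "diffie-hellman-group18-sha512",
                 "diffie-hellman-group-exchange-sha256",
                 "diffie-hellman-group14-sha256"]

def parse_sshd_t(text):
    """Return {keyword: [algorithms]} for the `ciphers`/`kexalgorithms` lines."""
    found = {}
    for line in text.splitlines():
        m = re.match(r"^(ciphers|kexalgorithms)\s+(\S+)", line.strip())
        if m:
            found[m.group(1)] = m.group(2).split(",")
    return found

def weak_entries(algos, markers):
    """Keep only the algorithms that contain one of the weak markers."""
    return [a for a in algos if any(mk in a for mk in markers)]

def audit(sshd_t_output):
    """Weak ciphers and KEX algorithms the server currently offers."""
    cfg = parse_sshd_t(sshd_t_output)
    return {"weak_ciphers": weak_entries(cfg.get("ciphers", []), WEAK_CIPHER_MARKERS),
            "weak_kex": weak_entries(cfg.get("kexalgorithms", []), WEAK_KEX_MARKERS)}

def hardened_config():
    """The two lines to add to sshd_config (then restart sshd)."""
    return "Ciphers %s\nKexAlgorithms %s" % (",".join(PREFERRED_CIPHERS),
                                             ",".join(PREFERRED_KEX))

# Constructed `sshd -T` excerpt from an unhardened server.
SAMPLE = """ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc
kexalgorithms curve25519-sha256,ecdh-sha2-nistp256,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
"""

if __name__ == "__main__":
    print(audit(SAMPLE))
    print(hardened_config())
```

On a real host pipe the live configuration in with `sudo sshd -T | python3 audit.py`-style wiring, and re-run it after the restart to confirm the weak entries are gone.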
Weakness #3:
TLS 1.0 and TLS 1.1, which have weak cipher suites, are set
as the default when provisioning Elastic Load Balancers
Confirming the presence of weak cipher suites…
Solution:
➢ Force the latest ‘security policy’ on the load balancer
instead of the default lenient one
➢ Navigate to Load Balancer (EC2) → Listeners (tab) → Edit
➢ Select a stricter and more recent security policy for the ELB
Reference chart of security policies with SSL Options and Ciphers
Reference:
https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/elb-security-policy-table.html
Changes are reflected immediately when
the vulnerability scan is re-run
Weakness #4:
API Gateway, by default, supports
TLS 1.0 and TLS 1.1 with weak cipher suites
Solution:
➢ Don’t serve the traffic directly from the API Gateway URL
➢ Create a CloudFront distribution with the ‘Origin Domain Name’
as the API Gateway stage
➢ Pick and choose the minimum required SSL for CloudFront
➢ Select the appropriate security policy for strong cipher selection
Weakness #5:
Certificates generated by ACM and managed by Route 53
do not force the creation of a ‘CAA’ record to prevent re-issuance
Solution:
Create an entry in Route 53 for CAA when certificates
are issued by Amazon Certificate Manager (ACM)
Re-run an SSL scan (Qualys online SSL should be sufficient)
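To show what the Route 53 CAA entry actually changes, here is an added example (not from the deck) that evaluates CAA records the way a CA must under RFC 8659: climb from the requested name toward the root, take the first name that has CAA records, and allow issuance only to the listed issuer domains. With no record anywhere any CA may issue for the domain; with a record naming ACM's issuer domains only those may. The zone data is constructed, and the ACM issuer names are taken from the ACM user guide as an assumption to verify against its current version.

```python
"""Evaluate CAA records as a CA does (RFC 8659) to show what a Route 53 CAA
entry changes for a domain whose certificates come from ACM.
Added example; the zone data is constructed and ACM_ISSUERS is an assumption
taken from the ACM user guide (check it against the current documentation)."""

# CA domains ACM issues under (per the ACM docs; verify before relying on it).
ACM_ISSUERS = ("amazon.com", "amazontrust.com", "awstrust.com", "amazonaws.com")

def relevant_caa(zone, name):
    """Climb from `name` toward the root; the first name with CAA records wins."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        rrset = zone.get(".".join(labels[i:]))
        if rrset:
            return rrset
    return []

def may_issue(zone, name, ca, wildcard=False):
    """True if CA `ca` may issue for `name` (or for `*.name` when wildcard)."""
    records = relevant_caa(zone, name)
    if not records:
        return True  # no CAA anywhere up the tree: any CA may issue
    tag = "issue"
    if wildcard and any(t == "issuewild" for _, t, _ in records):
        tag = "issuewild"  # issuewild, when present, governs wildcard requests
    issuers = [v.split(";", 1)[0].strip() for _, t, v in records if t == tag]
    if not issuers:
        return True  # RRset restricts nothing (e.g. only an iodef record)
    return ca in issuers  # `issue ";"` yields "" and therefore denies every CA

def route53_caa_rrset():
    """CAA values for a Route 53 record allowing only ACM's CAs to issue."""
    return ['0 issue "%s"' % ca for ca in ACM_ISSUERS]

# Constructed zone: {owner name: [(flags, tag, value), ...]} after the fix.
ZONE_WITH_CAA = {"example.com": [(0, "issue", ca) for ca in ACM_ISSUERS]}

if __name__ == "__main__":
    print("no CAA, other CA:", may_issue({}, "api.example.com", "other-ca.example"))
    print("CAA set, other CA:", may_issue(ZONE_WITH_CAA, "api.example.com", "other-ca.example"))
    print("\n".join(route53_caa_rrset()))
```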
Questions | Comments | Discussions
runcyoommen
https://runcy.me