Marius Aharonovich Cloud Security Architect ClickSoftware · Security Best Practices checklist: CIS AWS AZURE GOOGLE Cloud Platform Infrastructure ... Request PenTest Two-Factor-Authentication

Transcript of Marius Aharonovich Cloud Security Architect ClickSoftware · Security Best Practices checklist

Page 1:

Platform Security

Marius Aharonovich, Cloud Security Architect, ClickSoftware

Page 2:

Platform Security

Management

Secure API keys

Increase Your Visibility

Host Security

Encryption and Key Management

Page 4:

Management

Amazon Web Services

Root account: limited use only, for tasks that require it (support plan, payment, closing the account, requesting a penetration test). Two-Factor-Authentication on root: TOTP-enabled virtual MFA device (Google Authenticator, Authy).

IAM Users: Two-Factor-Authentication; User Groups (DevOps, NOC, R&D Lead, DBA, Security).

IAM Policies (identity-based), for example a policy granting only bucket listing on one bucket:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": "s3:ListBucket",
          "Resource": "arn:aws:s3:::example_bucket"
        }
      ]
    }

Services: Resource-Based Policies, for example a bucket policy that denies every S3 action unless the caller authenticated with MFA (BoolIfExists, so the deny also applies when the MFA key is absent from the request, as it is for long-term access keys):

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Deny",
          "Principal": "*",
          "Action": "s3:*",
          "Resource": "arn:aws:s3:::example",
          "Condition": {
            "BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}
          }
        }
      ]
    }

Cross Account: a role trust policy that allows sts:AssumeRole from the other account only when the agreed External ID is supplied:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {"AWS": "arn:aws:iam::AccountID"},
          "Action": "sts:AssumeRole",
          "Condition": {
            "StringEquals": {"sts:ExternalId": "IAMUSerID"}
          }
        }
      ]
    }

The External ID is a confused-deputy guard, not an authentication secret: it should be an opaque value agreed with the other account and not derived from anything guessable.
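Added example, not from the slides: a small evaluator for the IAM Condition operators used above, to show why the bucket policy must use BoolIfExists rather than Bool, and how the External ID condition on the trust policy behaves. The bucket name "example", the account ID 111122223333, the External ID "partner-7d2c5f0a" and the request contexts are constructed placeholders; the operator semantics (a missing key satisfies an ...IfExists operator and fails a plain one, and long-term access keys carry no aws:MultiFactorAuthPresent key) are those documented by AWS.

```python
import fnmatch
import json

# Constructed bucket policy from the slide, with the object ARN pattern added so
# object-level calls are covered as well as bucket-level ones.
MFA_DENY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:*",
        "Resource": ["arn:aws:s3:::example", "arn:aws:s3:::example/*"],
        "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}},
    }],
}

# Constructed trust policy: partner account and External ID are assumptions.
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": "partner-7d2c5f0a"}},
    }],
}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def condition_matches(condition, ctx):
    """Evaluate a Condition block against a request context ({key: value}).

    Supports Bool, BoolIfExists and StringEquals. As in IAM, operators are ANDed,
    the values listed for one key are ORed, and an ...IfExists operator is
    satisfied when the key is absent from the request."""
    for operator, keys in condition.items():
        if_exists = operator.endswith("IfExists")
        base = operator[: -len("IfExists")] if if_exists else operator
        for key, wanted in keys.items():
            if key not in ctx:
                if if_exists:
                    continue      # absent key counts as a match
                return False      # absent key fails a plain operator
            wanted = _as_list(wanted)
            if base == "Bool":
                ok = str(ctx[key]).lower() in [str(w).lower() for w in wanted]
            elif base == "StringEquals":
                ok = ctx[key] in wanted
            else:
                raise ValueError(f"unsupported operator {operator}")
            if not ok:
                return False
    return True


def _matches(patterns, value):
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _statement_applies(stmt, action, resource, ctx):
    return (_matches(stmt["Action"], action)
            and _matches(stmt["Resource"], resource)
            and condition_matches(stmt.get("Condition", {}), ctx))


def explicit_deny(policy, action, resource, ctx):
    """True if a Deny statement matches; an explicit deny overrides any Allow."""
    return any(s["Effect"] == "Deny" and _statement_applies(s, action, resource, ctx)
               for s in policy["Statement"])


# Constructed request contexts. Long-term access keys never carry the MFA key.
CONTEXTS = {
    "mfa_session": {"aws:MultiFactorAuthPresent": "true"},
    "session_without_mfa": {"aws:MultiFactorAuthPresent": "false"},
    "long_term_access_key": {},
}


def with_operator(policy, operator):
    """Copy of the bucket policy with the MFA condition rewritten to `operator`."""
    p = json.loads(json.dumps(policy))
    p["Statement"][0]["Condition"] = {operator: {"aws:MultiFactorAuthPresent": "false"}}
    return p


def deny_matrix():
    """For each operator, which credential types are denied s3:GetObject."""
    return {
        op: {name: explicit_deny(with_operator(MFA_DENY_POLICY, op), "s3:GetObject",
                                 "arn:aws:s3:::example/secret.txt", ctx)
             for name, ctx in CONTEXTS.items()}
        for op in ("Bool", "BoolIfExists")
    }


def trust_policy_allows(trust, principal_arn, ctx):
    """Can principal_arn assume the role under the given request context?"""
    return any(s["Effect"] == "Allow"
               and principal_arn in _as_list(s["Principal"]["AWS"])
               and _matches(s["Action"], "sts:AssumeRole")
               and condition_matches(s.get("Condition", {}), ctx)
               for s in trust["Statement"])


if __name__ == "__main__":
    print(json.dumps(deny_matrix(), indent=2))
    print(trust_policy_allows(TRUST_POLICY, "arn:aws:iam::111122223333:root",
                              {"sts:ExternalId": "partner-7d2c5f0a"}))
```

The matrix shows the trap: with plain Bool, a request signed with a long-term access key is not denied at all, because the key is missing from the context and the condition simply does not match; BoolIfExists closes that hole. The trust-policy check likewise refuses an AssumeRole call that omits the External ID or sends the wrong one, even from the right account.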

Page 5:

Services – Secure API keys

Use temporary keys (STS)

Don't embed API keys directly into code

Rotate API keys periodically

Delete unused API keys

Use unique API keys for applications

Page 6:

Increase Your Visibility

(Diagram: AWS and infrastructure log sources feeding a CASB and a central Log Collector.)

AWS sources: CloudTrail (IAM user "List Events", service user "List Events"), Trusted Advisor, IAM Credentials Report, Cloud Security Control (SG changes, risk & compliance, forensics on layer 3/4 traffic), IAM cross-account role "List Configuration" and "IP Traffic", VPC Flow-Log, S3 log, other cloud services' logs

Infrastructure sources: EC2 instance log, Load Balancer log, web traffic (syslog)

CASB: dashboard, APIs, access & activities

Log Collector: security event alerting, security reports, forensics, web traffic analysis

Domain Auditor: domain changes reporting, forensics (events, domain config)
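Added example, not from the slides: detection logic of the kind a log collector would run over the VPC Flow-Log source listed above. The records are constructed lines in the default flow-log format (version 2); the trusted source networks, the admin port list and the scan threshold are assumptions to be replaced with the real VPN and VPC ranges.

```python
import ipaddress
from collections import defaultdict

# Constructed lines in the default VPC Flow Logs format:
# version account-id interface-id srcaddr dstaddr srcport dstport protocol packets bytes start end action log-status
SAMPLE_FLOW_LOG = """\
2 123456789012 eni-0a1b2c3d 203.0.113.7 10.0.1.25 51324 22 6 12 1560 1559376000 1559376060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 198.51.100.9 10.0.1.25 44122 22 6 10 1200 1559376000 1559376060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.2.40 10.0.1.25 39000 443 6 20 4000 1559376000 1559376060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 192.0.2.50 10.0.1.25 55555 3389 6 1 40 1559376000 1559376060 REJECT OK
2 123456789012 eni-0a1b2c3d 192.0.2.50 10.0.1.25 55556 445 6 1 40 1559376000 1559376060 REJECT OK
2 123456789012 eni-0a1b2c3d 192.0.2.50 10.0.1.25 55557 3306 6 1 40 1559376000 1559376060 REJECT OK
2 123456789012 eni-0a1b2c3d 192.0.2.50 10.0.1.25 55558 5432 6 1 40 1559376000 1559376060 REJECT OK
2 123456789012 eni-0a1b2c3d 192.0.2.50 10.0.1.25 55559 8080 6 1 40 1559376000 1559376060 REJECT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1559376000 1559376060 - NODATA
"""

FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport protocol "
          "packets bytes start end action log_status").split()

ADMIN_PORTS = {22, 3389, 3306, 5432, 1433, 445}
# Assumed: only the VPC itself and the VPN gateway range may reach admin ports.
TRUSTED_SOURCES = [ipaddress.ip_network("10.0.0.0/16"), ipaddress.ip_network("203.0.113.0/24")]
SCAN_THRESHOLD = 4   # distinct rejected destination ports from one source


def parse_flow_log(text):
    """Parse default-format flow-log lines, dropping NODATA/SKIPDATA rows."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":
            continue          # no addresses or ports in these rows
        rec["dstport"] = int(rec["dstport"])
        records.append(rec)
    return records


def _trusted(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in TRUSTED_SOURCES)


def detect(records):
    """Two detections: accepted admin-port access from untrusted sources, and port scans."""
    alerts = []
    rejected_ports = defaultdict(set)
    for r in records:
        if r["action"] == "ACCEPT" and r["dstport"] in ADMIN_PORTS and not _trusted(r["srcaddr"]):
            alerts.append(("admin_port_from_untrusted", r["srcaddr"], r["dstaddr"], r["dstport"]))
        if r["action"] == "REJECT":
            rejected_ports[r["srcaddr"]].add(r["dstport"])
    for src, ports in rejected_ports.items():
        if len(ports) >= SCAN_THRESHOLD:
            alerts.append(("port_scan", src, len(ports)))
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_flow_log(SAMPLE_FLOW_LOG)):
        print(alert)
```

The first detection is the one that catches a security-group mistake after the fact: an ACCEPT on port 22 from an address outside the VPN range means a rule somewhere is wider than it should be. The second surfaces the reconnaissance that usually precedes it.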

Page 7:

Host Security

VPN Gateway: Two-Factor-Authentication, encrypted (TLS)

Patch Hosts: WSUS, Systems Manager, newly deployed AMI

DoS Protection: AWS Shield (Basic, Advanced), 3rd-party solution

SIEM: access & activities, infra changes analysis

Firewall: inbound & outbound rules, Security Groups, 3rd party

Harden Hosts (CIS): user groups & permissions, antimalware & HIPS

Scan Hosts: 3rd-party vulnerability scanning
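Added example, not from the slides: a check for the "Firewall: inbound rules, Security Groups" item above, run over the JSON shape that `aws ec2 describe-security-groups` returns. The three groups are constructed (only the fields the check reads are populated), and the admin port list is an assumption.

```python
import ipaddress

# Constructed sample in the shape of `aws ec2 describe-security-groups` output.
SAMPLE_SECURITY_GROUPS = {"SecurityGroups": [
    {"GroupId": "sg-0aaa", "GroupName": "web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
    ]},
    {"GroupId": "sg-0bbb", "GroupName": "db", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [], "Ipv6Ranges": [], "UserIdGroupPairs": [{"GroupId": "sg-0aaa"}]},
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
    ]},
    {"GroupId": "sg-0ccc", "GroupName": "legacy", "IpPermissions": [
        {"IpProtocol": "-1",
         "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}], "UserIdGroupPairs": []},
        {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 65535,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
    ]},
]}

ADMIN_PORTS = {22, 3389, 3306, 5432, 1433, 445}   # assumed list of ports that must never be public


def _is_world(cidr):
    """0.0.0.0/0 or ::/0."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def _ports(perm):
    if perm.get("IpProtocol") == "-1":          # "all traffic": no port fields present
        return 0, 65535
    return perm.get("FromPort", 0), perm.get("ToPort", 65535)


def audit_security_groups(describe_output):
    """Return (group id, finding, offending CIDRs) for rules open to the whole Internet."""
    findings = []
    for sg in describe_output["SecurityGroups"]:
        for perm in sg["IpPermissions"]:
            sources = ([r["CidrIp"] for r in perm.get("IpRanges", [])]
                       + [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])])
            world = [s for s in sources if _is_world(s)]
            if not world:
                continue            # referenced groups and private ranges are fine here
            lo, hi = _ports(perm)
            if perm.get("IpProtocol") == "-1" or (lo == 0 and hi == 65535):
                findings.append((sg["GroupId"], "all ports open to the world", world))
                continue
            admin = sorted(p for p in ADMIN_PORTS if lo <= p <= hi)
            if admin:
                findings.append((sg["GroupId"], f"admin ports {admin} open to the world", world))
    return findings


if __name__ == "__main__":
    for finding in audit_security_groups(SAMPLE_SECURITY_GROUPS):
        print(finding)
```

Note that the check passes sg-0aaa: 443 open to the world is the intended shape of a web tier, and 22 restricted to the VPN range is what the "VPN Gateway" item on this slide implies. The IPv6 case is included because a rule that is tight for IPv4 and wide open on ::/0 is an easy one to miss.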

Page 8:

Encryption and Key Management

Why to Encrypt? Contracts, Regulations, Standards

Data in Transit: TLSv1.2, AES-256-bit GCM; ELB, ALB, CloudFront; 3rd party; Certificate Manager

Data at Rest: Storage / Volume Encryption (EBS Encryption, RDS Storage Encryption), KMS

Data Backup Encryption: SQL Backup Encryption, RDS Snapshot Encryption, KMS

Key storage: KMS (FIPS 140-2 Level 2), HSM (FIPS 140-2 Level 3)

Page 9: