Why Is Cloud Security So Hard? (Hint: It’s Not)
Securing a new environment without knowing the rules of the road can be hard. Take the time to learn the rules and avoid speedbumps.
After running a security audit on your AWS accounts, you found some issues and want to prohibit unauthorized access.
So, you successfully ran Trusted Advisor, Scout2, Access Advisor, or hired an external firm to audit your AWS accounts. You found that the co-founder is still logging in using root keys and that you have security groups allowing 0.0.0.0/0 access from the internet. Not to mention the 20 developers offshore that are sharing the same IAM user and access keys. Oops! Now what?
The obvious answer is to remediate those items. Great, we’re done!
Uhh… not quite. Knowing is half the battle. Fixing is 10%. Making sure it doesn’t happen again is the other half of the battle(aka Security Maturity).
And it’s sometimes a real battle for sure. It’s about disseminating a culture that it’s not OK to share accounts. It’s about educating your users on WHY and what THEIR role in security is.
So back to your AWS accounts. What can you do to prevent such findings in the future?
There are several things you can do to improve the security posture of your company. In fact, here’s a list for you to follow of preventative controls designed to stop bad things from happening. Following it will arguably make your security 50% better in terms of cloud security!
In the cloud, the front door is not the network, but IAM. Limiting who has access to create users and keys will decrease the likelihood of rogue access. It is also important to educate those who have IAM access to prevent abuse or any issues from occurring.
If they have a heartbeat, they should have their own account and password that only they know. You may be tempted to make separate accounts with the same password, but avoid doing that, too. Shared passwords are bad in and of themselves. Read my article on why shared passwords are bad here.
Enable 2FA, delete any access keys, and lock the creds in a safe. Some argue to delete the account altogether, especially if you have enterprise support. Here are the only tasks that require a root key.
Make sure that when users leave, their accounts and keys are disabled. Utilize SSO for console and CLI access if you can to centralize access. There are so many 3rd party options in this space these days; we’re quite lucky. HashiCorp Vault is one of them.
This reduces the need to issue access keys for services running on EC2.
Next (or first depending on your situation) is to find out all the “unknown unknowns.” You can’t fix what you don’t know is broken. You can’t justify your actions if you don’t have data to prove it. Also, you need to have enough logs to find out the Who, What, Where, and How of a security incident should it ever happen to you.
Here is a list of things to help you out:
Continue adding and centralizing your logs and find a SIEM or log aggregator you’re comfortable with to ingest the data. This is the detection part of security: knowing what is going on in your environment.
Once you have some security maturity and hygiene to your cloud accounts, you can start automating some tasks. This may be considered advanced by some, but I encourage you to tackle this sooner than later as it will pay dividends right away!
These are corrective controls that will fix bad things before they become worse. If you’re interested in a tool to help you out, Cloud Custodian by Capital One is an open-source tool that can help automate some of these tasks.
These are just a few ways to dramatically improve your AWS Security Posture. Implementing all of the above will require a culture change. It will require hand holding, guidance, and good bedside manners (emotional intelligence). Take small steps and get some wins behind you, and build momentum from there! For more information and a comprehensive list of controls, refer to the CIS Benchmark on AWS or other online resources.
If you’re feeling overwhelmed in securing your AWS environments, contact me at firstname.lastname@example.org.
This article first appeared on LinkedIn on October 17, 2018.
If this article was helpful to you, consider subscribing to my weekly newsletter, where I share my latest commentary as a vCISO for high growth startups.
Check out how we help startups accelerate and level up their security programs through vCISO (CISO As A Service).