This document summarizes a presentation about defending workloads from zero-day vulnerabilities. It discusses the traditional responsibility model where the customer is responsible for security up to the operating system layer. It then introduces AWS' shared responsibility model where AWS is responsible for security of the cloud infrastructure and the customer is responsible for security in the operating system and above. The presentation covers responding to the Shellshock bash vulnerability by reviewing network and security configurations, applying intrusion prevention, creating a new AMI with the patch, and implementing integrity monitoring. It emphasizes automating response workflows and instantiating from hardened AMIs to rapidly repair systems upon discovery of new vulnerabilities.
AWS Government, Education, and Nonprofit Symposium
Washington, DC | June 25-26, 2015
The Story
More at aws.trendmicro.com
2012 re:Invent
SPR203 : Cloud Security is a Shared Responsibility
http://bit.ly/2012-spr203
2013 re:Invent
SEC208: How to Meet Strict Security & Compliance Requirements in the Cloud
http://bit.ly/2013-sec208
SEC307: How Trend Micro Build their Enterprise Security Offering on AWS
http://bit.ly/2013-sec307
2014 re:Invent
SEC313: Updating Security Operations for the Cloud
http://bit.ly/2014-sec313
SEC314: Customer Perspectives on Implementing Security Controls with AWS
http://bit.ly/2014-sec314
Traditional Responsibility Model
You: Physical, Infrastructure, Network, Virtualization, Operating System, Applications, Data, Service Configuration
More at aws.amazon.com/security
Shared Responsibility Model
AWS: Physical, Infrastructure, Network, Virtualization
You: Operating System, Applications, Data, Service Configuration
More at aws.amazon.com/security
PCI DSS Level 1
SOC 1/ISAE 3402
SOC 2
SOC 3
ISO 9001
IRAP (.au)
FIPS 140-2
CJIS
CSA
FERPA
HIPAA
FedRAMP (SM)
DoD CSM 1-2, 3-5
DIACAP
ISO 27001
MTCS 3
ITAR
MPAA
G-Cloud
Section 508/VPAT
FISMA
Shared Responsibility Model
More at aws.amazon.com/compliance/
by Andreas Lindh (@addelindh)
bash is a common command line interpreter
a:() { b; } | attack
A 10/10 severity vulnerability: widespread and easy to exploit.
1989
Fantastic summary by David A. Wheeler at
http://www.dwheeler.com/essays/shellshock.html#timeline
1989 (image by Norlando Pobre)
1989 (image by Gavin Stewart)
1989 (image by VersusLiveQuizShow)
1989 ("MicroTAC" image by Redrum0486 at English Wikipedia)
Time Since Last Event | Event | Action | Action Timeline
1989-08-05 8:32 | Added to codebase | |
27 days, 10:20:00 | Released to public | |
9141 days, 21:18:35 | Initial report | React | Clock starts
1 day, 22:19:13 | More details | React |
2 days, 7:30:12 | Official patch :: CVE-2014-6271 | Patch | 4 days, 5:49:25
5 days, 9:16:35 | Limited disclosure :: CVE-2014-6271 | React |
2 days, 4:37:25 | More details | React |
3:44:00 | More details | React |
0:27:51 | Public disclosure | React |
0:36:30 | More details | React |
Important Shellshock Events
Time Since Last Event | Event | Action | Action Timeline
1989-08-05 8:32 | Added to codebase | |
27 days, 10:20:00 | Released to public | |
9141 days, 21:18:35 | Initial report | React | Clock starts
2 days, 7:30:12 | Official patch :: CVE-2014-6271 | Patch | 4 days, 5:49:25
3:29:09 | Official patch :: CVE-2014-7169 | Patch | 9 days, 19:17:00
3:15:00 | Official patch :: CVE-2014-7186, CVE-2014-7187 | Patch | 4 days, 17:30:00
1 day, 11:55:00 | Official patch :: CVE-2014-6277 | Patch | 1 day, 11:55:00
2 days, 20:24:00 | Official patch :: CVE-2014-6278 | Patch | 2 days, 20:24:00
AWS VPC Checklist
Review
IAM roles
Security groups
Network segmentation
Network access control lists (NACL)
More in the Auditing Security Checklist for Use of AWS,
media.amazonwebservices.com/AWS_Auditing_Security_Checklist.pdf
TCP : 443, TCP : 4433
Primary workflow for our deployment
HTTPS
Intrusion prevention can look at each packet and then take action depending on what it finds
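As an added example (not code from the presentation or from any Trend Micro product), a minimal version of the check an intrusion prevention rule performs for Shellshock: a CGI web server copies HTTP headers into environment variables, and bash treats a value that begins with "() {" as a function definition, so a request carrying that prefix is blocked before it reaches the host. The sample requests and the `inspect_request` helper are constructed for this illustration.

```python
import re
from urllib.parse import unquote

# A CGI web server copies request headers into environment variables, and
# bash treats an env var whose value begins with "() {" as a function
# definition. That prefix in a header is the Shellshock indicator an IPS
# rule looks for; the regex below is a hypothetical stand-in for such a rule.
FUNC_DEF = re.compile(r"\(\)\s*\{")

def inspect_request(headers):
    """Return ("block", [offending header names]) or ("allow", [])."""
    # URL-decode first so percent-encoded forms of the prefix are not missed.
    hits = [name for name, value in headers.items()
            if FUNC_DEF.search(unquote(value))]
    return ("block", hits) if hits else ("allow", [])

# Constructed sample requests, not captured traffic; "<command>" is a
# placeholder, not a payload.
SAMPLES = [
    {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64)", "Host": "www.example.com"},
    {"User-Agent": "() { :;}; <command>", "Host": "www.example.com"},
    {"Cookie": "session=%28%29%20%7B%20:;%7D;%20<command>"},
    {"Referer": "http://www.example.com/docs/{()}"},  # braces, but no function definition
]

def classify_all(samples=SAMPLES):
    """Action taken for each sample request, in order."""
    return [inspect_request(h)[0] for h in samples]

if __name__ == "__main__":
    for req, action in zip(SAMPLES, classify_all()):
        print(action, req)
```

The rule acts as a virtual patch: it protects the running fleet while the patched AMI described later in the deck is baked and rolled out.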
aws.amazon.com/architecture : Web application hosting
Review
All instances covered
Workload appropriate rules
Centrally managed
Security controls must scale out automatically with the deployment
aws.amazon.com/architecture : Web application hosting
All instances deployed from a task-specific AMI
TCP : 443, TCP : 4433
Workflow should be completely automated
AMI Creation Workflow: Instantiate -> Configure -> Bake -> Instantiate -> Test -> Destroy
aws.amazon.com/architecture : Web application hosting
Instances tend to drift from the known good state, so monitoring key files & processes is important.
AMI -> Instance -> Integrity Monitoring -> Alert
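Integrity monitoring as a baseline-and-compare check, added here as an example (not the product the presentation refers to): record a hash and the permission bits of each key file when the instance is instantiated from the AMI, then re-check and alert on any difference. The file names, contents and the `baseline`/`drift` helpers are constructed for this illustration; process monitoring is left out.

```python
import hashlib
import os
import tempfile
from pathlib import Path

def baseline(root, watch):
    """Snapshot (sha256, mode) for each watched path; None if it is absent."""
    snap = {}
    for rel in watch:
        p = Path(root) / rel
        if p.is_file():
            snap[rel] = (hashlib.sha256(p.read_bytes()).hexdigest(),
                         p.stat().st_mode & 0o777)
        else:
            snap[rel] = None  # absence is recorded so later creation is flagged
    return snap

def drift(root, snap):
    """Compare the current state to the baseline; return [(path, reason)]."""
    alerts = []
    now = baseline(root, snap.keys())
    for rel, before in snap.items():
        after = now[rel]
        if before == after:
            continue
        if before is None:
            alerts.append((rel, "created"))
        elif after is None:
            alerts.append((rel, "deleted"))
        elif before[0] != after[0]:
            alerts.append((rel, "content changed"))
        else:
            alerts.append((rel, "permissions changed"))
    return alerts

def demo():
    """Constructed scenario: a temp dir stands in for an instance's filesystem."""
    root = Path(tempfile.mkdtemp())
    (root / "bin").mkdir()
    (root / "bin/bash").write_bytes(b"#!/bin/sh\n# constructed stand-in binary\n")
    (root / "sshd_config").write_text("PermitRootLogin no\n")
    os.chmod(root / "sshd_config", 0o644)
    watch = ["bin/bash", "sshd_config", "authorized_keys"]  # authorized_keys absent
    snap = baseline(root, watch)  # taken right after instantiation from the AMI
    # Simulated drift after the baseline: binary replaced, config permissions
    # loosened, an unexpected key file appears.
    (root / "bin/bash").write_bytes(b"#!/bin/sh\n# replaced\n")
    os.chmod(root / "sshd_config", 0o666)
    (root / "authorized_keys").write_text("ssh-ed25519 AAAA... constructed-key\n")
    return sorted(drift(root, snap))
```

Each alert is a candidate for the Repair step: rather than fixing the drifted instance in place, rebuild from the known good AMI.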
Keys
Respond: review configuration; apply intrusion prevention
Repair: patch vulnerability in new AMI; leverage integrity monitoring
Keys: Visibility, Security, Time
Thank You.
This presentation will be loaded to SlideShare the week following the Symposium.
http://www.slideshare.net/AmazonWebServices
1. Look Away, Chicago
2. My Prerogative, Bobby Brown
3. Every Rose Has Its Thorn, Poison
4. Straight Up, Paula Abdul
5. Miss You Much, Janet Jackson
6. Cold Hearted, Paula Abdul
7. Wind Beneath My Wings, Bette Midler
8. Girl You Know It's True, Milli Vanilli
9. Baby, I Love Your Way / Freebird, Will To Power
10. Giving You the Best That I Got, Anita Baker
http://en.wikipedia.org/wiki/Motorola_MicroTAC
iPhone 6 Plus is 6.07oz
More on Network ACLs at http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_ACLs.html
More on ephemeral ports at http://en.wikipedia.org/wiki/Ephemeral_port