Emily Gladstone Cole @UnixGeekEm
My AWS Access Key Nightmares… and Solutions
Agenda
1. Introduction
2. Nightmare #1: Access Keys in Source Code
3. Nightmare #2: Old Access Keys
4. Nightmare #3: Keys on Disk
5. Access Key Best Practices
Who is this Emily Person Anyway? (Past / Current / Fun Facts)
● UNIX SysAdmin/Operations background
● Experience in Security Incident Response, Security Research, Security Engineering
● Senior Security Engineer at
● Mentor for SANS’ Women’s CyberTalent Immersion Academy
● My favorite computer game is Nethack
● None of the cats you will see here today are mine
Disclaimers
I am not affiliated with Amazon or AWS.
I’m not being paid to give this talk.
I’m sharing what I have learned. There are many others who know more about AWS and Access Keys than I do. Some of them are cited in the references.
What is an AWS Access Key?
Access Key ID:
● Always starts with AKIA…
● Is the equivalent of your username
Secret Access Key:
● Secret really means secret
● Treat this key like a password
When your Access Key is compromised, an attacker can do anything you can.
For those of you who already knew all this, this slide is for you. On to the good stuff!
Nightmare #1: Access Keys in Source Code
Access Keys in Source Code
When the repo is public, this means almost instant compromise of the keys.
Remember: attackers can do anything you can, using your Access Key and Secret Key.
● View and copy customer data
● Bitcoin Mining
Oh shhgit
How can YOU find Access Keys in Source Code?
We can detect them with source code scanners!
● truffleHog
● git-secrets
● detect-secrets (can be run as a pre-commit hook)!
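Detection in the spirit of the scanners listed above, as an added example (not code from the talk, nor from truffleHog or detect-secrets): it matches Access Key IDs by their AKIA prefix and flags 40-character secret candidates either by keyword context or by Shannon entropy, run over a constructed sample file. The key values in the sample are the example credentials AWS uses in its own documentation, not live keys.

```python
"""Minimal AWS credential scanner in the spirit of truffleHog / detect-secrets.
Added example, not code from the talk or from those tools."""
import math
import re
from dataclasses import dataclass

# Access Key IDs are AKIA followed by 16 upper-case alphanumerics.
ACCESS_KEY_ID_RE = re.compile(r"(?<![A-Z0-9])AKIA[0-9A-Z]{16}(?![A-Z0-9])")
# Secret Access Keys are 40 characters drawn from the base64 alphabet.
SECRET_CANDIDATE_RE = re.compile(r"(?<![A-Za-z0-9/+=])[A-Za-z0-9/+=]{40}(?![A-Za-z0-9/+=])")
# Context words that turn a 40-char string into a strong secret candidate.
SECRET_KEYWORD_RE = re.compile(r"secret[_-]?(access[_-]?)?key", re.IGNORECASE)
ENTROPY_THRESHOLD = 4.5  # bits/char; truffleHog's bar for base64-looking strings


@dataclass(frozen=True)
class Finding:
    line_no: int
    kind: str    # "access_key_id" or "secret_access_key"
    value: str


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character: random base64 is near 6, hex is at most 4."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_lines(lines):
    """Return Findings for AWS credentials in an iterable of source lines."""
    findings = []
    for line_no, line in enumerate(lines, start=1):
        for m in ACCESS_KEY_ID_RE.finditer(line):
            findings.append(Finding(line_no, "access_key_id", m.group(0)))
        has_keyword = bool(SECRET_KEYWORD_RE.search(line))
        for m in SECRET_CANDIDATE_RE.finditer(line):
            cand = m.group(0)
            # Hex digests (git SHAs, sha1 sums) never clear the entropy bar, so
            # they are only reported when a secret keyword sits on the same line.
            if has_keyword or shannon_entropy(cand) >= ENTROPY_THRESHOLD:
                findings.append(Finding(line_no, "secret_access_key", cand))
    return findings


# Constructed sample file. The key values are the example credentials AWS
# uses in its own documentation; they are not live keys.
SAMPLE_SOURCE = [
    "# settings.py",
    'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"',
    'AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"',
    "# pinned to commit 2fd4e1c67a2d28fced849ee1bb76e7391b93eb12",
    'BUCKET = "customer-exports"',
]

if __name__ == "__main__":
    for f in scan_lines(SAMPLE_SOURCE):
        print(f"line {f.line_no}: {f.kind} {f.value[:4]}...")  # never log the full secret
```

The 40-character git commit SHA on line 4 is not reported: it is hex, so its entropy stays below the bar, and no secret keyword accompanies it.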
What if I find an Access Key?
● Rotate the key so it’s no longer valid
● Delete the commit that contained the Access Key so it’s not sitting in the commit history
● Talk with your Dev team about storing keys differently
DIY Honeypots: Canary Tokens
Canary Tokens are one implementation of a honeytoken.
● Can be in the form of a document, a key, a QR code, a DNS record…
● Alerts can be generated when the token is accessed, either to an email address or a webhook
● You can know if someone is in your data
● Your Dev team will probably find this idea fun
Nightmare #2: Old Access Keys
Access Keys get old
The longer an Access Key is around, the greater the chance it can be found somewhere it shouldn’t.
The longer Access Keys are around, the higher the chances something may happen to them accidentally.
Solution: Rotate your Access Keys
You can rotate your Access Keys manually, and it’s fairly straightforward.
There are tools to help you rotate your Access Keys automatically, like aws-rotate-iam-keys, which works well for individuals, but for application users it’s not that simple.
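The overlap rotation that makes application users harder than individuals, as an added example that is not from the talk or from aws-rotate-iam-keys: a new key is created, handed to the consumer, confirmed in use, and only then is the old key deactivated, with deletion deferred to a later grace-period pass. The iam argument is assumed to be shaped like boto3's IAM client; FakeIAM stands in for it so the block runs offline, and install_new_key / verify_new_key are hypothetical callbacks into the application's credential store. The stale_keys helper is the age check behind Nightmare #2.

```python
"""Two-phase access key rotation for an application user, driven through an
injected IAM client. Added example, not aws-rotate-iam-keys. The `iam` argument
is assumed to be shaped like boto3's IAM client (list/create/update/delete_access_key);
FakeIAM stands in for it so the code runs offline."""
from datetime import datetime, timedelta, timezone

MAX_KEYS_PER_USER = 2  # IAM caps each user at two access keys


def stale_keys(metadata, max_age, now):
    """Key IDs whose CreateDate is older than max_age (the Nightmare #2 check)."""
    return [k["AccessKeyId"] for k in metadata if now - k["CreateDate"] > max_age]


def rotate_key(iam, user, install_new_key, verify_new_key):
    """Create a new key, hand it to the consumer, confirm the switch, then
    deactivate (not delete) the old key so it can be re-enabled if something
    was missed. install_new_key/verify_new_key are hypothetical hooks into
    wherever the application reads its credentials."""
    existing = iam.list_access_keys(UserName=user)["AccessKeyMetadata"]
    if len(existing) >= MAX_KEYS_PER_USER:
        raise RuntimeError(f"{user} already has {len(existing)} keys; retire one first")
    new = iam.create_access_key(UserName=user)["AccessKey"]
    install_new_key(new["AccessKeyId"], new["SecretAccessKey"])
    if not verify_new_key(new["AccessKeyId"]):
        # The consumer never picked the new key up: remove it, keep the old one live.
        iam.delete_access_key(UserName=user, AccessKeyId=new["AccessKeyId"])
        raise RuntimeError("consumer did not switch to the new key; old key left active")
    for old in existing:
        iam.update_access_key(UserName=user, AccessKeyId=old["AccessKeyId"], Status="Inactive")
    return new["AccessKeyId"]


def retire_inactive_keys(iam, user):
    """Run after a grace period: delete keys already marked Inactive."""
    deleted = []
    for k in iam.list_access_keys(UserName=user)["AccessKeyMetadata"]:
        if k["Status"] == "Inactive":
            iam.delete_access_key(UserName=user, AccessKeyId=k["AccessKeyId"])
            deleted.append(k["AccessKeyId"])
    return deleted


class FakeIAM:
    """Offline stand-in for boto3's IAM client, returning the same dict shapes."""

    def __init__(self, now):
        self.now, self.keys, self._n = now, {}, 0

    def list_access_keys(self, UserName):
        return {"AccessKeyMetadata": list(self.keys.get(UserName, []))}

    def create_access_key(self, UserName):
        self._n += 1
        key = {"UserName": UserName, "AccessKeyId": f"AKIAEXAMPLE{self._n:09d}",
               "Status": "Active", "CreateDate": self.now}
        self.keys.setdefault(UserName, []).append(key)
        return {"AccessKey": dict(key, SecretAccessKey=f"constructed-secret-{self._n}")}

    def update_access_key(self, UserName, AccessKeyId, Status):
        for k in self.keys[UserName]:
            if k["AccessKeyId"] == AccessKeyId:
                k["Status"] = Status

    def delete_access_key(self, UserName, AccessKeyId):
        self.keys[UserName] = [k for k in self.keys[UserName] if k["AccessKeyId"] != AccessKeyId]


def demo():
    """Seed an app user with a 200-day-old key (constructed), then rotate it."""
    now = datetime(2020, 3, 1, tzinfo=timezone.utc)
    iam = FakeIAM(now)
    iam.keys["app-user"] = [{"UserName": "app-user", "AccessKeyId": "AKIAEXAMPLE000000000",
                             "Status": "Active", "CreateDate": now - timedelta(days=200)}]
    stale = stale_keys(iam.list_access_keys(UserName="app-user")["AccessKeyMetadata"],
                       timedelta(days=90), now)
    installed = {}  # stands in for the application's credential store
    new_id = rotate_key(iam, "app-user",
                        install_new_key=lambda kid, secret: installed.update(key_id=kid),
                        verify_new_key=lambda kid: installed.get("key_id") == kid)
    return stale, new_id, retire_inactive_keys(iam, "app-user")
```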
Nightmare #3: Access Keys On Disk
Bars and Cars
Other ways to expose keys on disk
● Store them in environment variables
● Write them to log files
● Expose them through the EC2 Instance Metadata Service v1 (IMDSv1), as in the Capital One breach
Hide Access Keys: aws-vault and vault
Using a vault tool will allow you to store your keys in a keystore, and interact with the pointers, not the actual keys.
I don’t recommend storing shared AWS Access Keys in password managers.
Don’t use permanent Access Keys at all
● Security Token Service can generate temporary credentials
○ Credentials inherently expire
● Roles use STS to delegate permissions
○ Roles can be created with Policies assigned
○ Can be used to grant access to a user in another account (cross-account)
○ Can be used by instances or applications
Access Key Best Practices
If you were napping during the first part of my talk, here’s a quick meme to catch you up.
Squad Goals: Access Keys are accessible only when needed
● Don’t have permanently-valid Keys sitting around in your source code
● Don’t have them sitting on disk
● Don’t have them loaded in environment variables
● Do have Keys that are only valid for a short amount of time
● Do have unique Keys for each user and application
● Only request a Key when you are about to use it
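One way to meet the "only valid for a short time" and "only request a Key when you are about to use it" goals, and the STS point from the previous slide, in code: an added example that is not from the talk, holding STS credentials in memory only and re-assuming the role just before they expire. The sts argument is assumed to mirror the shape of boto3's STS assume_role response; FakeSTS, the role ARN, the session name and the fake clock are constructed so the block runs offline.

```python
"""Short-lived credentials fetched only at use time. Added example; the `sts`
argument is assumed to be shaped like boto3's STS client, and FakeSTS stands
in for it offline."""
from datetime import datetime, timedelta, timezone


class TemporaryCredentials:
    """Keeps STS credentials in memory and re-assumes the role when they are
    about to expire. Nothing is written to disk or to the environment."""

    def __init__(self, sts, role_arn, session_name, clock, duration_seconds=900,
                 refresh_margin=timedelta(minutes=1)):
        self.sts, self.role_arn, self.session_name = sts, role_arn, session_name
        self.clock = clock  # callable returning a timezone-aware datetime
        self.duration_seconds = duration_seconds
        self.refresh_margin = refresh_margin
        self._creds = None
        self.assume_calls = 0

    def _needs_refresh(self):
        return (self._creds is None
                or self.clock() >= self._creds["Expiration"] - self.refresh_margin)

    def get(self):
        """Return (access_key_id, secret, session_token), re-assuming the role if needed."""
        if self._needs_refresh():
            resp = self.sts.assume_role(RoleArn=self.role_arn,
                                        RoleSessionName=self.session_name,
                                        DurationSeconds=self.duration_seconds)
            self._creds = resp["Credentials"]
            self.assume_calls += 1
        c = self._creds
        return c["AccessKeyId"], c["SecretAccessKey"], c["SessionToken"]


class FakeSTS:
    """Offline stand-in for boto3's STS client; issues credentials that expire."""

    def __init__(self, clock):
        self.clock = clock
        self.issued = 0

    def assume_role(self, RoleArn, RoleSessionName, DurationSeconds):
        self.issued += 1
        # Temporary key IDs issued by STS start with ASIA rather than AKIA.
        return {"Credentials": {
            "AccessKeyId": f"ASIAEXAMPLE{self.issued:09d}",
            "SecretAccessKey": f"constructed-secret-{self.issued}",
            "SessionToken": f"constructed-token-{self.issued}",
            "Expiration": self.clock() + timedelta(seconds=DurationSeconds)}}


def demo():
    """Drive the holder with a fake clock: no session until first use, reuse
    while valid, a fresh session once the old one is about to expire."""
    now = [datetime(2020, 3, 1, 12, 0, tzinfo=timezone.utc)]
    clock = lambda: now[0]
    creds = TemporaryCredentials(FakeSTS(clock),
                                 "arn:aws:iam::123456789012:role/constructed-role",
                                 "constructed-session", clock, duration_seconds=900)
    before_first_use = creds.assume_calls
    first = creds.get()
    now[0] += timedelta(minutes=5)   # 12:05, still valid
    second = creds.get()
    now[0] += timedelta(minutes=10)  # 12:15, past the 12:14 refresh point
    third = creds.get()
    return before_first_use, first == second, third != first, creds.assume_calls
```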
Coming Soon: SSO and AWS
Can be used with Okta, OneLogin, Ping...
Here are some Okta-based integrations:
● okta-aws
● okta-awscli
● okta-aws-cli-assume-role
● AWS recently came out with an Okta integration as well!
Tying AWS into our SSO provider is our next step. We haven’t built that yet at my company, but we’re working on it right now.
References
1. truffleHog: https://github.com/dxa4481/truffleHog
2. git-secrets: https://github.com/awslabs/git-secrets
3. detect-secrets: https://github.com/Yelp/detect-secrets
4. shhgit: https://shhgit.darkport.co.uk/
5. Canary Tokens: https://canarytokens.org/generate
6. Cuckoo’s Egg: https://en.wikipedia.org/wiki/The_Cuckoo%27s_Egg
7. aws-rotate-iam-keys: https://github.com/rhyeal/aws-rotate-iam-keys
8. aws-vault: https://github.com/99designs/aws-vault
9. key-conjurer: https://github.com/RiotGames/key-conjurer
10. Vault: https://www.vaultproject.io/docs
11. Amazon Meta Data Service v2: https://blog.appsecco.com/getting-started-with-version-2-of-aws-ec2-instance-metadata-service-imdsv2-2ad03a1f3650
12. How to Kill an Access Key (BSidesSF 2020): https://static.sched.com/hosted_files/bsidessf2020/83/How%20to%20Kill%20an%20Access%20Key%20rev%2020200223.pdf
Thank you!
