SlideShare a Scribd company logo

Introduction to AWS Security

L
LalitMohanSharma8

This document provides an introduction to securing Amazon Web Services (AWS). It describes AWS services including EC2, S3, RDS, and DynamoDB. It outlines tools for testing AWS security like AWS Inspector and NMAP. It discusses risks like compromising AWS IAM keys and provides recommendations for securing an AWS implementation using services like IAM, WAF, and GuardDuty. The document recommends practicing penetration testing skills on resources like CloudGoat and following security best practices.

Technology
1 of 13
1
2
3
4
5
6
7
8
9
10
11
12
13
INTRODUCTION TO AWS SECURITY
ABOUT ME • Lalit Sharma • Working with Paytm as Security Engineer • Reachable via: https://twitter.com/0xklaue https://www.linkedin.com/in/0xklaue/
CLOUD =! AWS Top service providers: • Amazon Web Services • Google Cloud • Microsoft Azure • IBM • Oracle • Alibaba Cloud • And many more…
AMAZON WEB SERVICES • Started in 2006 • Currently offers more than 175 services • Services revolve around computing, storage, database, and much more • Significant services: EC2, S3, RDS, DynamoDB, AWS Lambda • Some services are free (to a certain limit). Some are “Pay as you use. Not when you need it.” • Others bill right from the provisioning.
TESTING YOUR AWS • Run basics tools to identify low-hanging fruits • AWS Inspector • NMAP • Identify misconfigured AWS S3 Buckets • Perform VAPT. Specially for your publicly exposed web applications / APIs / publicly exposed EC2 instances. • Secure data storage. Specially for situations when PII is involved.
AWS INSPECTOR • AWS Inspector for low-hanging fruits
AWS INSPECTOR • Inspector is an automated security assessment service that helps improve the security and compliance of applications deployed on AWS. Amazon Inspector automatically assesses applications for exposure, vulnerabilities, and deviations from best practices. • Helps in: • Identify application security issues • Security compliance (checks w.r.t. CIS controls) • Checks against security standards • Inspector != Qualys / Nessus
COMPRMISING AWS IAM KEYS • Many times you would find AWS IAM credentials on GitHub. • This will be found in cases when developers want to take their organization’s workbench from their office to home for development. • This, however, is a security violation. • Notably, bug bounty programs rate this issue as high to critical when a security researchers submits issue like this.
COMPROMISING AWS IAM KEYS: WEB APPLICATIONS • Web applications that are running on EC2 instances communicate with back-end resources. • Sometimes, web applications use native OS commands to communicate with these resources, or call files • In case the web application suffers from SSRF, local file reads or worse RCE, you can get a dump of AWS credentials #508459 SSRF in webhooks leads to AWS private keys disclosure (hackerone.com) Fig.: Local File Read
SECURING YOUR AWS • To secure your cloud environment / infrastructure, it is recommended to: 1.Know the services offered by cloud service provider 2.Know how the cloud services provided works 3.Understand technicalities of each service offered - To secure your implementation 4.Use the cloud services more - You cannot think of ways to secure a service if you don't use it. • Use a framework to secure your cloud infrastructure has its advantages: 1. Reduces the burden of satisfying auditors that infrastructure is compliant 2. Showcase maturity and improvement 3. Helps in obtaining support from management for resources and changes • NIST SP 800-144 points out security considerations to organizations and individuals when outsourcing information to cloud service providers • Some AWS services are already compliant to certain existing standards. • CIS Controls can be really helpful for reviewing your AWS EC2 AMIs and instances • Perform routine audits and VAPT
• The following services can become a cornerstone for securing your AWS cloud instances • Web Application Firewall (WAF) • Identity and Access Management (IAM) • Segregation of roles, users and their responsibilities • Helps in identifying which users are allowed to what services • Key Management Service (KMS) • Security Groups • Alerting and Monitoring Services (CloudWatch) • Logging (CloudTrail) • Billing • GuardDuty • Macie (Data Classification) • Cognito (SSO) • VPC • Amazon Organizations SECURING YOUR AWS
• To practice your penetration testing skills for AWS, you can follow these resources: • CloudGoat • flaws.cloud • Blogs from RhinoSecurity Labs • SANS Book: Practical Guide to Security in Cloud • AWS YouTube Channel (re:Invent) • AWS Documentation for services such as KMS, VPC, IAM, etc. SECURING YOUR AWS
REFERENCES • Top cloud service providers - ZDNET • Penetration Testing – AWS • AWS Pre-Compliant Services • AWS Shared Responsibility Model

More Related Content

PPTX
Shared Security in AWS
PolarSeven Pty Ltd
 
PDF
Aws security Fundamentals
Christopher Caplan
 
PPTX
AWS - Security and Compliance Overview
RightScale
 
PPTX
CSS17: Atlanta - The AWS Shared Responsibility Model in Practice
Alert Logic
 
PDF
AWS Shared Security Model in Practice
Alert Logic
 
PPTX
AWS Security Architecture - Overview
Sai Kesavamatham
 
PDF
AWS STARTUP DAY 2018 I Securing Your Customer Data From Day One
AWS Germany
 
PDF
Practical AWS Security - Scott Hogg
Trish McGinity, CCSK
 
Shared Security in AWS
PolarSeven Pty Ltd
 
Aws security Fundamentals
Christopher Caplan
 
AWS - Security and Compliance Overview
RightScale
 
CSS17: Atlanta - The AWS Shared Responsibility Model in Practice
Alert Logic
 
AWS Shared Security Model in Practice
Alert Logic
 
AWS Security Architecture - Overview
Sai Kesavamatham
 
AWS STARTUP DAY 2018 I Securing Your Customer Data From Day One
AWS Germany
 
Practical AWS Security - Scott Hogg
Trish McGinity, CCSK
 

Similar to Introduction to AWS Security (20)

PDF
AWS Webinar CZSK 02 Bezpecnost v AWS cloudu
Vladimir Simek
 
PPTX
Hack proof your aws cloud cloudcheckr_040416
Jarrett Plante
 
PDF
Securing Your Customers Data From Day One
Amazon Web Services LATAM
 
PDF
AWS Enterprise Summit - 클라우드에서의 보안 - 양승도
Amazon Web Services Korea
 
PPTX
Deep dive - AWS security by design
Richard Harvey
 
DOCX
Basic understanding of aws
Pinto Das
 
PDF
Security in the cloud
Reham Maher El-Safarini
 
PPT
Aws training in bangalore
apponix123
 
PPTX
Blue Chip Tek Connect and Protect Presentation #3
Kimberly Macias
 
PDF
The AWS Shared Responsibility Model in Practice
Alert Logic
 
PPTX
Hackproof Your Cloud: Responding to 2016 Threats
CloudCheckr
 
PDF
The AWS Shared Responsibility Model in Practice
Alert Logic
 
PDF
Oas un llamado a la accion
Marcela Cárdenas Hidalgo
 
PDF
Oas un llamado a la accion para proteger a ciudadanos-Sector Privado y Gobi...
Marcela Cárdenas Hidalgo
 
PDF
Security Best Practices_John Hildebrandt
Helen Rogers
 
PDF
Security and Compliance Better on AWS_John Hildebrandt
Helen Rogers
 
PDF
Security best practices on AWS cloud
Martin Yan
 
PPTX
Building Bulletproof Infrastructure on AWS
2nd Watch
 
PPTX
Modernizing Technology Governance
Alert Logic
 
PDF
Security Best Practices
Ian Massingham
 
AWS Webinar CZSK 02 Bezpecnost v AWS cloudu
Vladimir Simek
 
Hack proof your aws cloud cloudcheckr_040416
Jarrett Plante
 
Securing Your Customers Data From Day One
Amazon Web Services LATAM
 
AWS Enterprise Summit - 클라우드에서의 보안 - 양승도
Amazon Web Services Korea
 
Deep dive - AWS security by design
Richard Harvey
 
Basic understanding of aws
Pinto Das
 
Security in the cloud
Reham Maher El-Safarini
 
Aws training in bangalore
apponix123
 
Blue Chip Tek Connect and Protect Presentation #3
Kimberly Macias
 
The AWS Shared Responsibility Model in Practice
Alert Logic
 
Hackproof Your Cloud: Responding to 2016 Threats
CloudCheckr
 
The AWS Shared Responsibility Model in Practice
Alert Logic
 
Oas un llamado a la accion
Marcela Cárdenas Hidalgo
 
Oas un llamado a la accion para proteger a ciudadanos-Sector Privado y Gobi...
Marcela Cárdenas Hidalgo
 
Security Best Practices_John Hildebrandt
Helen Rogers
 
Security and Compliance Better on AWS_John Hildebrandt
Helen Rogers
 
Security best practices on AWS cloud
Martin Yan
 
Building Bulletproof Infrastructure on AWS
2nd Watch
 
Modernizing Technology Governance
Alert Logic
 
Security Best Practices
Ian Massingham
 
Ad

Recently uploaded (20)

PDF
The Future of Artificial Intelligence (AI)
Mukul
 
PPTX
Agile Chennai 18-19 July 2025 Ideathon | AI Powered Microfinance Literacy Gui...
AgileNetwork
 
PPTX
OA presentation.pptx OA presentation.pptx
pateldhruv002338
 
PDF
Make GenAI investments go further with the Dell AI Factory
Principled Technologies
 
PDF
MASTERDECK GRAPHSUMMIT SYDNEY (Public).pdf
Neo4j
 
PDF
Using Anchore and DefectDojo to Stand Up Your DevSecOps Function
Anchore
 
PPTX
AI in Daily Life: How Artificial Intelligence Helps Us Every Day
vanshrpatil7
 
PDF
Presentation about Hardware and Software in Computer
snehamodhawadiya
 
PDF
Get More from Fiori Automation - What’s New, What Works, and What’s Next.pdf
Precisely
 
PDF
NewMind AI Weekly Chronicles - July'25 - Week IV
NewMind AI
 
PDF
AI-Cloud-Business-Management-Platforms-The-Key-to-Efficiency-Growth.pdf
Artjoker Software Development Company
 
PPTX
Dev Dives: Automate, test, and deploy in one place—with Unified Developer Exp...
AndreeaTom
 
PDF
SparkLabs Primer on Artificial Intelligence 2025
SparkLabs Group
 
PPTX
IT Runs Better with ThousandEyes AI-driven Assurance
ThousandEyes
 
PPTX
The Future of AI & Machine Learning.pptx
pritsen4700
 
PDF
OFFOFFBOX™ – A New Era for African Film | Startup Presentation
ambaicciwalkerbrian
 
PPTX
Introduction to Flutter by Ayush Desai.pptx
ayushdesai204
 
PDF
Trying to figure out MCP by actually building an app from scratch with open s...
Julien SIMON
 
PPTX
cloud computing vai.pptx for the project
vaibhavdobariyal79
 
PPTX
What-is-the-World-Wide-Web -- Introduction
tonifi9488
 
The Future of Artificial Intelligence (AI)
Mukul
 
Agile Chennai 18-19 July 2025 Ideathon | AI Powered Microfinance Literacy Gui...
AgileNetwork
 
OA presentation.pptx OA presentation.pptx
pateldhruv002338
 
Make GenAI investments go further with the Dell AI Factory
Principled Technologies
 
MASTERDECK GRAPHSUMMIT SYDNEY (Public).pdf
Neo4j
 
Using Anchore and DefectDojo to Stand Up Your DevSecOps Function
Anchore
 
AI in Daily Life: How Artificial Intelligence Helps Us Every Day
vanshrpatil7
 
Presentation about Hardware and Software in Computer
snehamodhawadiya
 
Get More from Fiori Automation - What’s New, What Works, and What’s Next.pdf
Precisely
 
NewMind AI Weekly Chronicles - July'25 - Week IV
NewMind AI
 
AI-Cloud-Business-Management-Platforms-The-Key-to-Efficiency-Growth.pdf
Artjoker Software Development Company
 
Dev Dives: Automate, test, and deploy in one place—with Unified Developer Exp...
AndreeaTom
 
SparkLabs Primer on Artificial Intelligence 2025
SparkLabs Group
 
IT Runs Better with ThousandEyes AI-driven Assurance
ThousandEyes
 
The Future of AI & Machine Learning.pptx
pritsen4700
 
OFFOFFBOX™ – A New Era for African Film | Startup Presentation
ambaicciwalkerbrian
 
Introduction to Flutter by Ayush Desai.pptx
ayushdesai204
 
Trying to figure out MCP by actually building an app from scratch with open s...
Julien SIMON
 
cloud computing vai.pptx for the project
vaibhavdobariyal79
 
What-is-the-World-Wide-Web -- Introduction
tonifi9488
 
Ad

Introduction to AWS Security

  • 2. ABOUT ME • Lalit Sharma • Working with Paytm as Security Engineer • Reachable via: https://twitter.com/0xklaue https://www.linkedin.com/in/0xklaue/
  • 3. CLOUD =! AWS Top service providers: • Amazon Web Services • Google Cloud • Microsoft Azure • IBM • Oracle • Alibaba Cloud • And many more…
  • 4. AMAZON WEB SERVICES • Started in 2006 • Currently offers more than 175 services • Services revolve around computing, storage, database, and much more • Significant services: EC2, S3, RDS, DynamoDB, AWS Lambda • Some services are free (to a certain limit). Some are “Pay as you use. Not when you need it.” • Others bill right from the provisioning.
  • 5. TESTING YOUR AWS • Run basics tools to identify low-hanging fruits • AWS Inspector • NMAP • Identify misconfigured AWS S3 Buckets • Perform VAPT. Specially for your publicly exposed web applications / APIs / publicly exposed EC2 instances. • Secure data storage. Specially for situations when PII is involved.
  • 6. AWS INSPECTOR • AWS Inspector for low-hanging fruits
  • 7. AWS INSPECTOR • Inspector is an automated security assessment service that helps improve the security and compliance of applications deployed on AWS. Amazon Inspector automatically assesses applications for exposure, vulnerabilities, and deviations from best practices. • Helps in: • Identify application security issues • Security compliance (checks w.r.t. CIS controls) • Checks against security standards • Inspector != Qualys / Nessus
  • 8. COMPRMISING AWS IAM KEYS • Many times you would find AWS IAM credentials on GitHub. • This will be found in cases when developers want to take their organization’s workbench from their office to home for development. • This, however, is a security violation. • Notably, bug bounty programs rate this issue as high to critical when a security researchers submits issue like this.
  • 9. COMPROMISING AWS IAM KEYS: WEB APPLICATIONS • Web applications that are running on EC2 instances communicate with back-end resources. • Sometimes, web applications use native OS commands to communicate with these resources, or call files • In case the web application suffers from SSRF, local file reads or worse RCE, you can get a dump of AWS credentials #508459 SSRF in webhooks leads to AWS private keys disclosure (hackerone.com) Fig.: Local File Read
  • 10. SECURING YOUR AWS • To secure your cloud environment / infrastructure, it is recommended to: 1.Know the services offered by cloud service provider 2.Know how the cloud services provided works 3.Understand technicalities of each service offered - To secure your implementation 4.Use the cloud services more - You cannot think of ways to secure a service if you don't use it. • Use a framework to secure your cloud infrastructure has its advantages: 1. Reduces the burden of satisfying auditors that infrastructure is compliant 2. Showcase maturity and improvement 3. Helps in obtaining support from management for resources and changes • NIST SP 800-144 points out security considerations to organizations and individuals when outsourcing information to cloud service providers • Some AWS services are already compliant to certain existing standards. • CIS Controls can be really helpful for reviewing your AWS EC2 AMIs and instances • Perform routine audits and VAPT
  • 11. • The following services can become a cornerstone for securing your AWS cloud instances • Web Application Firewall (WAF) • Identity and Access Management (IAM) • Segregation of roles, users and their responsibilities • Helps in identifying which users are allowed to what services • Key Management Service (KMS) • Security Groups • Alerting and Monitoring Services (CloudWatch) • Logging (CloudTrail) • Billing • GuardDuty • Macie (Data Classification) • Cognito (SSO) • VPC • Amazon Organizations SECURING YOUR AWS
  • 12. • To practice your penetration testing skills for AWS, you can follow these resources: • CloudGoat • flaws.cloud • Blogs from RhinoSecurity Labs • SANS Book: Practical Guide to Security in Cloud • AWS YouTube Channel (re:Invent) • AWS Documentation for services such as KMS, VPC, IAM, etc. SECURING YOUR AWS
  • 13. REFERENCES • Top cloud service providers - ZDNET • Penetration Testing – AWS • AWS Pre-Compliant Services • AWS Shared Responsibility Model