Abstract image of a woman sitting on books and studying on a laptop

Cloud Summit Canada com Rodrigo Montoro

Clavis Segurança da Informação, profile picture
Clavis Segurança da Informação

The document discusses the AWS Shared Responsibility Model and highlights security insights derived from analyzing AWS services, including statistics on findings and services covered. It emphasizes the importance of understanding default configurations, managing permissions across accounts, and improving security knowledge within organizations. The author encourages continual learning and adaptation in cloud security practices.

Technology
1 of 39
Downloaded 23 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
The deFAULT truth of AWS Shared Responsibility Model Rodrigo Montoro Head of Threat & Detection Research @spookerlabs
$ aws --profile Rodrigo Montoro sts get-caller-identity Clavis Segurança da Informação ● Head of Threat & Detection Research at Clavis Security ● Living in Florianópolis (Silicon Island) ● Author of 2 patented technologies (US Patent Office) ● Speaker in different conferences (Brazil,USA,Canada) ● Proud Dad and Husband ● Full Ironman triathlon (2x) ● Crossfit and Powerlifting
Motivation
Some numbers(*) about security ‘IN’ the cloud (AWS) Clavis Segurança da Informação ● CSPM Detections (cloudsploit) ○ 460 findings (AWS) ○ 87 services covered (around 29% of services) ● Services with Passrole ○ 330 actions ○ 92 services (around 30.7% of services) ● Detections from Elastic rules ○ 59 detections ○ ~22 services covered (around 7.3% of services) ● Detections from Sigma ○ 31 detections ○ ~20 services covered (around 6.7% of services) * based on my analysis in open source tool and public content
With some ideas in mind … Clavis Segurança da Informação
Security Operations Center (SOC) AGENDA 1 AWS ecosystem / Control Plane DeFAULT Design Data Plane 1 1 Cross Account 1 Uncommon Services Conclusions
7 Clavis Segurança da Informação AWS Ecosystem / Control Plane
AWS Shared Responsibility Model Clavis Segurança da Informação
AWS In Numbers Clavis Segurança da Informação ● Around 13k actions ● 973 Managed policies ● Around 300 Services ● 18 regions ● 5 actions access level Source: https://aws.permissions.cloud/
How authentication and authorization works Clavis Segurança da Informação
AWS IAM policy flow analysis Clavis Segurança da Informação
Management Events Clavis Segurança da Informação
13 Clavis Segurança da Informação DeFAULT Design
How many problems an AWS account start (with an Admin user) ? Clavis Segurança da Informação
Next let’s add an ec2 instance Clavis Segurança da Informação
Just to finish a s3 bucket … Clavis Segurança da Informação
Simple scenario (only 3 services) the "deFAULT problems” Clavis Segurança da Informação
Some more details Clavis Segurança da Informação ● VPC Endpoint ○ Policy Resource : * ● IAM ○ Managed Policies ■ Resource: * ■ No Conditional ■ No control
service enumeration is possible by design with account id Clavis Segurança da Informação source: https://www.sidechannel.blog/en/enumerating-services-in-aws-accounts-in-an-anonymous-and-unauthenticated-manner/
20 Clavis Segurança da Informação Data Plane
Data Plane Clavis Segurança da Informação ● S3 buckets data events ● RDS Audit logs ● EKS (Kubernetes)
S3 buckets Clavis Segurança da Informação
VPC Flow Logs Clavis Segurança da Informação
GuardDuty Clavis Segurança da Informação source: https://xmind.app/m/K3fmSB/# Events analyzed are NOT saved. Only the payload saved is the content that triggered the finding.
25 Clavis Segurança da Informação Cross Account
What is Cross Account ? Clavis Segurança da Informação source: https://aws.amazon.com/blogs/security/how-to-audit-cross-account-roles-using-aws-cloudtrail-and-amazon-cloudwatch-events/
Vendors / Partners Clavis Segurança da Informação ● Splunk history ● ReadOnlyAccess policy
Splunk history Clavis Segurança da Informação
ReadOnlyAccess World (1/3) - Unwanted Permissions Clavis Segurança da Informação source: https://www.sidechannel.blog/en/unwanted-permissions-that-may-impact-security-when-using-the-readonlyaccess-policy-in-aws/ ● s3:GetObject ● lambda:GetFunction ● ec2:DescribeInstanceAttribute ● dynamodb:{Query,Scan} ● cloudtrail:LookupEvents
ReadOnlyAccess World (2/3) - bad use everywhere Clavis Segurança da Informação source: https://www.wiz.io/blog/82-of-companies-unknowingly-give-3rd-parties-access-to-all-their-cloud-data
ReadOnlyAccess World (3/3) - Sample of products Clavis Segurança da Informação Tenable - https://docs.tenable.com/tenablecs/quick-reference/AWS/Content/QuickReference/SetUpA WSReadOnlyAccess.htm Site24x7 - https://www.site24x7.com/help/aws/enable-aws-account-access.html NewRelic - https://docs.newrelic.com/docs/infrastructure/amazon-integrations/get-started/integrations- managed-policies/ Autocloud - https://docs.autocloud.dev/aws-account DivvyCloud - https://docs.divvycloud.com/docs/policies (some minor denies http://get.divvycloud.com/policies/ReadOnlywithAWSReadOnly.json ) Cloudockit - https://www.cloudockit.com/documentation/aws-create-user-for-cloudockit/ Hava.io - https://docs.hava.io/importing/aws/getting-started-with-aws/read-only-iam-user Cloudcraft - https://help.cloudcraft.co/article/87-connect-aws-account-with-cloudcraft
32 Clavis Segurança da Informação Uncommon Services
What do I consider uncommon ? Clavis Segurança da Informação ● Services without security research related ○ big part of 300 services ○ almost 13000 actions ● Very specific services with only "few" customers
So what is _REALLY_ uncommon ? How about Identity Center (SSO)? Clavis Segurança da Informação
Passrole world Clavis Segurança da Informação source: https://twitter.com/noamdahan/status/1349384948998922240
Appstream 2.0 Edition Clavis Segurança da Informação
37 Clavis Segurança da Informação Future & Conclusions
Future and Conclusions Clavis Segurança da Informação ● Make sure you understand default configurations ● Validate cross account / partners permissions ● Know what you are running ● Find your knowledge gaps ● Keep researching and improving detections ● Make sure you train your team
Thank you! See you at Sector Rodrigo Montoro @spookerlabs rodrigo.montoro@clavis.com.br

More Related Content

PPT
SOC presentation- Building a Security Operations Center
Michael Nickle
 
PDF
Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...
Edureka!
 
PPTX
An introduction to SOC (Security Operation Center)
Ahmad Haghighi
 
PDF
Introduction to Cybersecurity
Krutarth Vasavada
 
PDF
Building Security Operation Center
S.E. CTS CERT-GOV-MD
 
PPTX
Network security - Defense in Depth
Dilum Bandara
 
PPSX
Next-Gen security operation center
Muhammad Sahputra
 
PPTX
SOC Architecture Workshop - Part 1
Priyanka Aash
 
SOC presentation- Building a Security Operations Center
Michael Nickle
 
Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...
Edureka!
 
An introduction to SOC (Security Operation Center)
Ahmad Haghighi
 
Introduction to Cybersecurity
Krutarth Vasavada
 
Building Security Operation Center
S.E. CTS CERT-GOV-MD
 
Network security - Defense in Depth
Dilum Bandara
 
Next-Gen security operation center
Muhammad Sahputra
 
SOC Architecture Workshop - Part 1
Priyanka Aash
 

What's hot (20)

PPTX
SEIM-Microsoft Sentinel.pptx
AmrMousa51
 
PDF
Detecting AWS control plane abuse in an actionable way using Det{R}ails
Tenchi Security
 
PDF
Secure Design: Threat Modeling
Narudom Roongsiriwong, CISSP
 
PPTX
SOAR and SIEM.pptx
Ajit Wadhawan
 
PPTX
Security Operation Center Fundamental
Amir Hossein Zargaran
 
PDF
Cybersecurity in Industrial Control Systems (ICS)
Joan Figueras Tugas
 
PDF
Security operations center-SOC Presentation-مرکز عملیات امنیت
ReZa AdineH
 
PPTX
Cybersecurity Strategies for Effective Attack Surface Reduction
SecPod
 
PPTX
Security Operation Center - Design & Build
Sameer Paradia
 
PPTX
Security operation center
MuthuKumaran267
 
PPTX
Dragos S4x20: How to Build an OT Security Operations Center
Dragos, Inc.
 
PPTX
Cybersecurity
Eng Hasan Shamroukh CISCO Exams Author
 
PDF
Cyber threat intelligence ppt
Kumar Gaurav
 
PPTX
Introduction to SIEM.pptx
neoalt
 
PPTX
Penetration Testing
RomSoft SRL
 
PPTX
Lost in Translation - Blackhat Brazil 2014
Rodrigo Montoro
 
PPTX
Cybersecurity Training
WindstoneHealth
 
PDF
Cyber Threat Intelligence
mohamed nasri
 
PDF
Integrated Security Operations Center (ISOC) for Cybersecurity Collaboration
Priyanka Aash
 
PPTX
Security operation center (SOC)
Ahmed Ayman
 
SEIM-Microsoft Sentinel.pptx
AmrMousa51
 
Detecting AWS control plane abuse in an actionable way using Det{R}ails
Tenchi Security
 
Secure Design: Threat Modeling
Narudom Roongsiriwong, CISSP
 
SOAR and SIEM.pptx
Ajit Wadhawan
 
Security Operation Center Fundamental
Amir Hossein Zargaran
 
Cybersecurity in Industrial Control Systems (ICS)
Joan Figueras Tugas
 
Security operations center-SOC Presentation-مرکز عملیات امنیت
ReZa AdineH
 
Cybersecurity Strategies for Effective Attack Surface Reduction
SecPod
 
Security Operation Center - Design & Build
Sameer Paradia
 
Security operation center
MuthuKumaran267
 
Dragos S4x20: How to Build an OT Security Operations Center
Dragos, Inc.
 
Cybersecurity
Eng Hasan Shamroukh CISCO Exams Author
 
Cyber threat intelligence ppt
Kumar Gaurav
 
Introduction to SIEM.pptx
neoalt
 
Penetration Testing
RomSoft SRL
 
Lost in Translation - Blackhat Brazil 2014
Rodrigo Montoro
 
Cybersecurity Training
WindstoneHealth
 
Cyber Threat Intelligence
mohamed nasri
 
Integrated Security Operations Center (ISOC) for Cybersecurity Collaboration
Priyanka Aash
 
Security operation center (SOC)
Ahmed Ayman
 
Ad

Similar to Cloud Summit Canada com Rodrigo Montoro (20)

PDF
Resposta a Incidentes | Mind The Sec 2022 com Rodrigo Montoro
Clavis Segurança da Informação
 
PDF
The AWS Shared Responsibility Model in Practice
Alert Logic
 
PDF
Top 5 AWS Security Mistakes and How to Stop Them Before You Lose Data
DevOps.com
 
PDF
Detecting Malicious Cloud Account Behavior: A Look at the New Native Platform...
Priyanka Aash
 
PPTX
Pitt Immersion Day Module 5 - security overview
EagleDream Technologies
 
PDF
The AWS Shared Responsibility Model: Presented by Amazon Web Services
Alert Logic
 
PDF
AWS Technical Day Riyadh Nov 2019 - Scaling threat detection and response in aws
AWS Riyadh User Group
 
PDF
AWS Security 101: Understanding the Shared Security Model - Jeff Westphal, Mi...
AWS Chicago
 
PDF
The AWS Shared Responsibility Model in Practice - Nirav Kothari, AWS
Alert Logic
 
PDF
Information Security in AWS - Dave Walker
East Midlands Cyber Security Forum
 
PPTX
Managing Security on AWS
AWS Summits
 
PDF
The AWS Shared Responsibility Model in Practice
Alert Logic
 
PPTX
shared-responsibilitysecurity-roadshowlondon-160317131610.pptx
aalshrif
 
PPT
Security and compliance
TATA LILIAN SHULIKA
 
PPTX
AWS Spotlight Series - Modernization and Security with AWS
CloudHesive
 
PPTX
How to think like a threat actor for Kubernetes.pptx
LibbySchulze1
 
PPTX
CSS 17: NYC - The AWS Shared Responsibility Model in Practice
Alert Logic
 
PPTX
Modernizing Technology Governance
Alert Logic
 
PDF
Beginners guide to aws security monitoring
rahuldesh
 
PPTX
Ryan Smith's talk from the AWS Chicago user group May 22 - Security
AWS Chicago
 
Resposta a Incidentes | Mind The Sec 2022 com Rodrigo Montoro
Clavis Segurança da Informação
 
The AWS Shared Responsibility Model in Practice
Alert Logic
 
Top 5 AWS Security Mistakes and How to Stop Them Before You Lose Data
DevOps.com
 
Detecting Malicious Cloud Account Behavior: A Look at the New Native Platform...
Priyanka Aash
 
Pitt Immersion Day Module 5 - security overview
EagleDream Technologies
 
The AWS Shared Responsibility Model: Presented by Amazon Web Services
Alert Logic
 
AWS Technical Day Riyadh Nov 2019 - Scaling threat detection and response in aws
AWS Riyadh User Group
 
AWS Security 101: Understanding the Shared Security Model - Jeff Westphal, Mi...
AWS Chicago
 
The AWS Shared Responsibility Model in Practice - Nirav Kothari, AWS
Alert Logic
 
Information Security in AWS - Dave Walker
East Midlands Cyber Security Forum
 
Managing Security on AWS
AWS Summits
 
The AWS Shared Responsibility Model in Practice
Alert Logic
 
shared-responsibilitysecurity-roadshowlondon-160317131610.pptx
aalshrif
 
Security and compliance
TATA LILIAN SHULIKA
 
AWS Spotlight Series - Modernization and Security with AWS
CloudHesive
 
How to think like a threat actor for Kubernetes.pptx
LibbySchulze1
 
CSS 17: NYC - The AWS Shared Responsibility Model in Practice
Alert Logic
 
Modernizing Technology Governance
Alert Logic
 
Beginners guide to aws security monitoring
rahuldesh
 
Ryan Smith's talk from the AWS Chicago user group May 22 - Security
AWS Chicago
 
Ad

More from Clavis Segurança da Informação (20)

PPTX
Bsides SP 2022 - EPSS - Final.pptx
Clavis Segurança da Informação
 
PDF
Desenvolvimento Seguro de Software - 10o Workshop SegInfo - Apresentação
Clavis Segurança da Informação
 
PPTX
Big Data e Segurança da Informação - 10o Workshop SegInfo - Apresentação
Clavis Segurança da Informação
 
PDF
A maldição do local admin - 10o Workshop SegInfo - Apresentação
Clavis Segurança da Informação
 
PDF
Adoção do PCI no Brasil - 10o Workshop SegInfo - Apresentação
Clavis Segurança da Informação
 
PDF
Palestra GlobalSign
Clavis Segurança da Informação
 
PDF
Palestra Clavis - Octopus
Clavis Segurança da Informação
 
PDF
Palestra Exceda - Clavis 2016
Clavis Segurança da Informação
 
PDF
Clavis e Cyberark promovem almoço para sobre soluções para a área de Seguranç...
Clavis Segurança da Informação
 
PDF
Webinar #27 - Curso Permanente ComPTIA Security+ Exame SY0 401
Clavis Segurança da Informação
 
PDF
Webinar # 21 – Análise Forense de Redes
Clavis Segurança da Informação
 
PDF
Manobras Evasivas: Técnicas de Evasão para Varreduras com o Nmap
Clavis Segurança da Informação
 
PDF
Tutorial: Principais Vulnerabilidades em Aplicações Web – Rafael Soares Ferre...
Clavis Segurança da Informação
 
PDF
Testes de Invasão ajudam a alcançar a conformidade - Segurança da Informação
Clavis Segurança da Informação
 
PDF
Entendendo como as Mídias Socias Revolucionaram os Ataques de Força Bruta
Clavis Segurança da Informação
 
PDF
Descobrindo (e Explorando) Vulnerabilidades em Aplicações Web com o Wmap
Clavis Segurança da Informação
 
PDF
Gerenciamento de Vulnerabilidades em Redes Corporativas - CNASI - DF
Clavis Segurança da Informação
 
PPT
Impacto sobre o Negócio da Exploração de Vulnerabilidades de Injeção em Aplic...
Clavis Segurança da Informação
 
PPT
Gerenciamento de Vulnerabilidades em Redes Corporativas - CNASI RJ
Clavis Segurança da Informação
 
PDF
Webinar #18 – A Nova Lei de Cibercrimes
Clavis Segurança da Informação
 
Bsides SP 2022 - EPSS - Final.pptx
Clavis Segurança da Informação
 
Desenvolvimento Seguro de Software - 10o Workshop SegInfo - Apresentação
Clavis Segurança da Informação
 
Big Data e Segurança da Informação - 10o Workshop SegInfo - Apresentação
Clavis Segurança da Informação
 
A maldição do local admin - 10o Workshop SegInfo - Apresentação
Clavis Segurança da Informação
 
Adoção do PCI no Brasil - 10o Workshop SegInfo - Apresentação
Clavis Segurança da Informação
 
Palestra GlobalSign
Clavis Segurança da Informação
 
Palestra Clavis - Octopus
Clavis Segurança da Informação
 
Palestra Exceda - Clavis 2016
Clavis Segurança da Informação
 
Clavis e Cyberark promovem almoço para sobre soluções para a área de Seguranç...
Clavis Segurança da Informação
 
Webinar #27 - Curso Permanente ComPTIA Security+ Exame SY0 401
Clavis Segurança da Informação
 
Webinar # 21 – Análise Forense de Redes
Clavis Segurança da Informação
 
Manobras Evasivas: Técnicas de Evasão para Varreduras com o Nmap
Clavis Segurança da Informação
 
Tutorial: Principais Vulnerabilidades em Aplicações Web – Rafael Soares Ferre...
Clavis Segurança da Informação
 
Testes de Invasão ajudam a alcançar a conformidade - Segurança da Informação
Clavis Segurança da Informação
 
Entendendo como as Mídias Socias Revolucionaram os Ataques de Força Bruta
Clavis Segurança da Informação
 
Descobrindo (e Explorando) Vulnerabilidades em Aplicações Web com o Wmap
Clavis Segurança da Informação
 
Gerenciamento de Vulnerabilidades em Redes Corporativas - CNASI - DF
Clavis Segurança da Informação
 
Impacto sobre o Negócio da Exploração de Vulnerabilidades de Injeção em Aplic...
Clavis Segurança da Informação
 
Gerenciamento de Vulnerabilidades em Redes Corporativas - CNASI RJ
Clavis Segurança da Informação
 
Webinar #18 – A Nova Lei de Cibercrimes
Clavis Segurança da Informação
 

Recently uploaded (20)

PDF
Connector Corner: Transform Unstructured Documents with Agentic Automation
DianaGray10
 
PDF
Auditboard EB SOX Playbook 2023 edition.
DROK2
 
PDF
The-Future-of-Automotive-Quality-is-Here-AI-Driven-Engineering.pdf
Kalilur Rahman
 
PDF
SaaS reusability assessment using machine learning techniques
IAESIJAI
 
PDF
Advancing precision in air quality forecasting through machine learning integ...
IAESIJAI
 
PDF
Improvisation in detection of pomegranate leaf disease using transfer learni...
IAESIJAI
 
PDF
MENA-ECEONOMIC-CONTEXT-VC MENA-ECEONOMIC
Mustafa Kuğu
 
PDF
Co-training pseudo-labeling for text classification with support vector machi...
IAESIJAI
 
PDF
CXOs-Are-you-still-doing-manual-DevOps-in-the-age-of-AI.pdf
Kalilur Rahman
 
PPTX
GROUP4NURSINGINFORMATICSREPORT-2 PRESENTATION
ClarisejaneSartillo1
 
PDF
Comparative analysis of machine learning models for fake news detection in so...
IAESIJAI
 
PPTX
MuleSoft-Compete-Deck for midddleware integrations
zupittejas
 
PPTX
future_of_ai_comprehensive_20250822032121.pptx
forrandomuse090
 
PDF
Planning-an-Audit-A-How-To-Guide-Checklist-WP.pdf
DROK2
 
PDF
INTERSPEECH 2025 「Recent Advances and Future Directions in Voice Conversion」
NU_I_TODALAB
 
PDF
NewMind AI Weekly Chronicles – August ’25 Week IV
NewMind AI
 
PDF
Rapid Prototyping: A lecture on prototyping techniques for interface design
Mark Billinghurst
 
PPTX
SGT Report The Beast Plan and Cyberphysical Systems of Control
hopegirl587
 
PPTX
agenticai-neweraofintelligence-250529192801-1b5e6870.pptx
sakibulsmccpg
 
PDF
Transform-Your-Streaming-Platform-with-AI-Driven-Quality-Engineering.pdf
Kalilur Rahman
 
Connector Corner: Transform Unstructured Documents with Agentic Automation
DianaGray10
 
Auditboard EB SOX Playbook 2023 edition.
DROK2
 
The-Future-of-Automotive-Quality-is-Here-AI-Driven-Engineering.pdf
Kalilur Rahman
 
SaaS reusability assessment using machine learning techniques
IAESIJAI
 
Advancing precision in air quality forecasting through machine learning integ...
IAESIJAI
 
Improvisation in detection of pomegranate leaf disease using transfer learni...
IAESIJAI
 
MENA-ECEONOMIC-CONTEXT-VC MENA-ECEONOMIC
Mustafa Kuğu
 
Co-training pseudo-labeling for text classification with support vector machi...
IAESIJAI
 
CXOs-Are-you-still-doing-manual-DevOps-in-the-age-of-AI.pdf
Kalilur Rahman
 
GROUP4NURSINGINFORMATICSREPORT-2 PRESENTATION
ClarisejaneSartillo1
 
Comparative analysis of machine learning models for fake news detection in so...
IAESIJAI
 
MuleSoft-Compete-Deck for midddleware integrations
zupittejas
 
future_of_ai_comprehensive_20250822032121.pptx
forrandomuse090
 
Planning-an-Audit-A-How-To-Guide-Checklist-WP.pdf
DROK2
 
INTERSPEECH 2025 「Recent Advances and Future Directions in Voice Conversion」
NU_I_TODALAB
 
NewMind AI Weekly Chronicles – August ’25 Week IV
NewMind AI
 
Rapid Prototyping: A lecture on prototyping techniques for interface design
Mark Billinghurst
 
SGT Report The Beast Plan and Cyberphysical Systems of Control
hopegirl587
 
agenticai-neweraofintelligence-250529192801-1b5e6870.pptx
sakibulsmccpg
 
Transform-Your-Streaming-Platform-with-AI-Driven-Quality-Engineering.pdf
Kalilur Rahman
 

Cloud Summit Canada com Rodrigo Montoro

  • 1. The deFAULT truth of AWS Shared Responsibility Model Rodrigo Montoro Head of Threat & Detection Research @spookerlabs
  • 2. $ aws --profile Rodrigo Montoro sts get-caller-identity Clavis Segurança da Informação ● Head of Threat & Detection Research at Clavis Security ● Living in Florianópolis (Silicon Island) ● Author of 2 patented technologies (US Patent Office) ● Speaker in different conferences (Brazil,USA,Canada) ● Proud Dad and Husband ● Full Ironman triathlon (2x) ● Crossfit and Powerlifting
  • 4. Some numbers(*) about security ‘IN’ the cloud (AWS) Clavis Segurança da Informação ● CSPM Detections (cloudsploit) ○ 460 findings (AWS) ○ 87 services covered (around 29% of services) ● Services with Passrole ○ 330 actions ○ 92 services (around 30.7% of services) ● Detections from Elastic rules ○ 59 detections ○ ~22 services covered (around 7.3% of services) ● Detections from Sigma ○ 31 detections ○ ~20 services covered (around 6.7% of services) * based on my analysis in open source tool and public content
  • 5. With some ideas in mind … Clavis Segurança da Informação
  • 6. Security Operations Center (SOC) AGENDA 1 AWS ecosystem / Control Plane DeFAULT Design Data Plane 1 1 Cross Account 1 Uncommon Services Conclusions
  • 7. 7 Clavis Segurança da Informação AWS Ecosystem / Control Plane
  • 8. AWS Shared Responsibility Model Clavis Segurança da Informação
  • 9. AWS In Numbers Clavis Segurança da Informação ● Around 13k actions ● 973 Managed policies ● Around 300 Services ● 18 regions ● 5 actions access level Source: https://aws.permissions.cloud/
  • 10. How authentication and authorization works Clavis Segurança da Informação
  • 11. AWS IAM policy flow analysis Clavis Segurança da Informação
  • 13. 13 Clavis Segurança da Informação DeFAULT Design
  • 14. How many problems an AWS account start (with an Admin user) ? Clavis Segurança da Informação
  • 15. Next let’s add an ec2 instance Clavis Segurança da Informação
  • 16. Just to finish a s3 bucket … Clavis Segurança da Informação
  • 17. Simple scenario (only 3 services) the "deFAULT problems” Clavis Segurança da Informação
  • 18. Some more details Clavis Segurança da Informação ● VPC Endpoint ○ Policy Resource : * ● IAM ○ Managed Policies ■ Resource: * ■ No Conditional ■ No control
  • 19. service enumeration is possible by design with account id Clavis Segurança da Informação source: https://www.sidechannel.blog/en/enumerating-services-in-aws-accounts-in-an-anonymous-and-unauthenticated-manner/
  • 20. 20 Clavis Segurança da Informação Data Plane
  • 21. Data Plane Clavis Segurança da Informação ● S3 buckets data events ● RDS Audit logs ● EKS (Kubernetes)
  • 22. S3 buckets Clavis Segurança da Informação
  • 23. VPC Flow Logs Clavis Segurança da Informação
  • 24. GuardDuty Clavis Segurança da Informação source: https://xmind.app/m/K3fmSB/# Events analyzed are NOT saved. Only the payload saved is the content that triggered the finding.
  • 25. 25 Clavis Segurança da Informação Cross Account
  • 26. What is Cross Account ? Clavis Segurança da Informação source: https://aws.amazon.com/blogs/security/how-to-audit-cross-account-roles-using-aws-cloudtrail-and-amazon-cloudwatch-events/
  • 27. Vendors / Partners Clavis Segurança da Informação ● Splunk history ● ReadOnlyAccess policy
  • 29. ReadOnlyAccess World (1/3) - Unwanted Permissions Clavis Segurança da Informação source: https://www.sidechannel.blog/en/unwanted-permissions-that-may-impact-security-when-using-the-readonlyaccess-policy-in-aws/ ● s3:GetObject ● lambda:GetFunction ● ec2:DescribeInstanceAttribute ● dynamodb:{Query,Scan} ● cloudtrail:LookupEvents
  • 30. ReadOnlyAccess World (2/3) - bad use everywhere Clavis Segurança da Informação source: https://www.wiz.io/blog/82-of-companies-unknowingly-give-3rd-parties-access-to-all-their-cloud-data
  • 31. ReadOnlyAccess World (3/3) - Sample of products Clavis Segurança da Informação Tenable - https://docs.tenable.com/tenablecs/quick-reference/AWS/Content/QuickReference/SetUpA WSReadOnlyAccess.htm Site24x7 - https://www.site24x7.com/help/aws/enable-aws-account-access.html NewRelic - https://docs.newrelic.com/docs/infrastructure/amazon-integrations/get-started/integrations- managed-policies/ Autocloud - https://docs.autocloud.dev/aws-account DivvyCloud - https://docs.divvycloud.com/docs/policies (some minor denies http://get.divvycloud.com/policies/ReadOnlywithAWSReadOnly.json ) Cloudockit - https://www.cloudockit.com/documentation/aws-create-user-for-cloudockit/ Hava.io - https://docs.hava.io/importing/aws/getting-started-with-aws/read-only-iam-user Cloudcraft - https://help.cloudcraft.co/article/87-connect-aws-account-with-cloudcraft
  • 32. 32 Clavis Segurança da Informação Uncommon Services
  • 33. What do I consider uncommon ? Clavis Segurança da Informação ● Services without security research related ○ big part of 300 services ○ almost 13000 actions ● Very specific services with only "few" customers
  • 34. So what is _REALLY_ uncommon ? How about Identity Center (SSO)? Clavis Segurança da Informação
  • 35. Passrole world Clavis Segurança da Informação source: https://twitter.com/noamdahan/status/1349384948998922240
  • 36. Appstream 2.0 Edition Clavis Segurança da Informação
  • 37. 37 Clavis Segurança da Informação Future & Conclusions
  • 38. Future and Conclusions Clavis Segurança da Informação ● Make sure you understand default configurations ● Validate cross account / partners permissions ● Know what you are running ● Find your knowledge gaps ● Keep researching and improving detections ● Make sure you train your team
  • 39. Thank you! See you at Sector Rodrigo Montoro @spookerlabs [email protected]