Cloud Security: An IAM Game, by Nathaniel Beckstead (PowerPoint presentation)



SLIDE 1

Cloud Security

An IAM GAME

Nathaniel Beckstead

SLIDE 2

whoami

I am here because I love to give presentations. @scriptingislife https://scriptingis.life https://glimpseid.com

SLIDE 3

What is the cloud?

SLIDE 4

What is the cloud?

SLIDE 5

What is the cloud?

SLIDE 6

“Definitions”

▪ EC2 - Virtual Machine but in the cloud
▪ S3 - Key-value storage (mostly for files)
▪ DynamoDB - NoSQL database

SLIDE 7

SLIDE 8

Why is it so hard to secure?

▪ It’s not

SLIDE 9

SLIDE 10

What’s different about the cloud?

▪ Speed
▪ IaaS, PaaS, SaaS
▪ No rules!

SLIDE 11


https://www.episerver.com/learn/resources/blog/fred-bals/pizza-as-a-service/

SLIDE 12

What is IAM?

▪ Identity and Access Management
▪ Users, API Keys, Roles, Policies
▪ Omnipresent in the cloud

SLIDE 13

Roles

▪ Like a user, but can be assumed by anyone who needs it.


https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html

SLIDE 14

Roles

SLIDE 15

Policies

▪ Defines permissions for an action.


https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#targetText=Policies%20and%20Permissions,or%20resource%2C%20defines%20their%20permissions.

SLIDE 16

Access Keys

▪ Used for programmatic access

SLIDE 17


https://blog.trendmicro.com/the-code-spaces-nightmare/

SLIDE 18

Why is IAM so hard?

▪ It’s complicated.

SLIDE 19

Why is IAM so hard?

SLIDE 20

Why is IAM so hard?

SLIDE 21

Why is IAM so hard?

SLIDE 22

Why is IAM so hard?

SLIDE 23

Why is IAM so hard?

SLIDE 24

Why is IAM so hard?

SLIDE 25

Why is IAM so hard?

▪ It’s preventive.

Every developer using the cloud. (Circa 2019)

SLIDE 26

AWS Metadata Service

SLIDE 27

AWS Metadata Service

SLIDE 28

Capital One

▪ Some application was vulnerable to SSRF
▪ WAF let SSRF through
▪ Role had read access to all S3 buckets

SLIDE 29

What is the solution?

▪ Cloud is special
▪ Least privilege is best privilege
▪ Monitor API key usage
▪ Automate, automate, automate

SLIDE 30

Least Privilege in AWS


AWS Access Advisor
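
As an added example, not code from the deck or its author, here is the kind of over-broad grant the Capital One slide describes (any S3 read on any bucket) beside a least-privilege version for the same workload, plus a small checker that flags Allow statements reaching every bucket. Both policy documents and the bucket name are constructed for illustration.

```python
import fnmatch
import json

# Constructed sample policies, not taken from the deck. BROAD_POLICY is the
# shape of grant behind the Capital One slide: every S3 read on every bucket.
# SCOPED_POLICY gives the same workload only the one prefix it serves.
BROAD_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]
}""")

SCOPED_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject"],
     "Resource": "arn:aws:s3:::app-uploads-example/incoming/*"},
    {"Effect": "Allow", "Action": "s3:ListBucket",
     "Resource": "arn:aws:s3:::app-uploads-example",
     "Condition": {"StringLike": {"s3:prefix": ["incoming/*"]}}}
  ]
}""")

# Actions that read object data or listings; on a wildcard resource they
# reach every bucket in the account.
S3_READ_ACTIONS = ("s3:GetObject", "s3:ListBucket")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _covers(pattern, action):
    # IAM action matching is case-insensitive and honours '*' and '?'.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())

def _any_bucket(resource):
    # "*" or an S3 ARN whose bucket component is a wildcard spans every bucket.
    return resource == "*" or resource.startswith("arn:aws:s3:::*")

def find_overbroad_s3_reads(policy):
    """Return indices of Allow statements that let the principal read
    objects or listings from every S3 bucket in the account."""
    findings = []
    for index, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow" or "Action" not in stmt:
            continue
        reads_s3 = any(_covers(p, a) for p in _as_list(stmt["Action"])
                       for a in S3_READ_ACTIONS)
        wide = any(_any_bucket(r) for r in _as_list(stmt.get("Resource", [])))
        if reads_s3 and wide:
            findings.append(index)
    return findings
```

Run `find_overbroad_s3_reads` over the policies attached to a role before it is handed to a workload that sits behind an internet-facing application; the scoped version returns no findings while the broad one flags statement 0.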

SLIDE 31

Resources

https://flaws.cloud
https://flaws2.cloud
https://expel.io/blog/

SLIDE 32


Questions?