PAUL SCHWARZENBERGER
Access keys in GitHub, open security group rules, misconfigured Identity and Access Management (IAM) roles, private SSL certificate keys kept in code repositories and open S3 buckets: these are just some of the security issues which led to a journey towards automated compliance solutions for cloud infrastructure and applications. Paul describes a framework for Continuous Cloud Compliance, and demonstrates some of the techniques and tools he has used while working on cloud migration projects and operational cloud applications for both public and private sector organisations.
DevSecCon London 2018: A Journey to Continuous Cloud Compliance
1. LONDON 18-19 OCT 2018
A journey to continuous cloud compliance
PAUL SCHWARZENBERGER
2. A journey to continuous cloud compliance
• I joined a DevOps team as their first hands-on security specialist
• I started by being polite and nice
• This is the story of what happened next …
3. A journey to continuous cloud compliance
• Production application in AWS
• 30 – 40 DevOps / Cloud Ops
• Agile development
• 2 week sprints
• Most infrastructure coded
• Some manual configuration
… my job was to make sure it was secure
4. AWS Foundations
I downloaded the CIS AWS Benchmark
• 43 controls across 4 domains
  • IAM
  • logging
  • monitoring
  • networking
5. … and started with a manual review using the console …
• Open security groups
• Password policies not compliant
• Dangerous IAM policies
• Public S3 buckets
• Access keys not rotated
• I fixed some things myself
• I asked people nicely to fix things …
6. Then I downloaded NCC’s Scout2 …
“Can you rotate your access key please?”
“Can you reconfigure your security group please?”
7. … and moved from detection to prevention …
• I wrote security tests in Python
• Integrated to CI / CD pipeline
• That helped
• But only for those repos integrated with the security tests
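The kind of pipeline security test described on this slide, as an added example (not the speaker's own test code): it evaluates security group ingress rules and fails the build when anything other than HTTPS is open to the whole internet. The group data is constructed inline in the shape of boto3's `ec2.describe_security_groups()` response; a real test would fetch the live groups with boto3, and the HTTPS-only allow-list is an assumption.

```python
"""CI / CD security test: fail the build if any security group exposes
more than HTTPS to the whole internet."""
# Added example, not the speaker's own pipeline tests. SAMPLE_GROUPS is
# constructed to match the shape of boto3's ec2.describe_security_groups()
# response; a real test would fetch the live groups with boto3 instead.
import sys

ANYWHERE = {"0.0.0.0/0", "::/0"}
ALLOWED_PUBLIC_PORTS = {443}  # assumption: only HTTPS may face the internet

SAMPLE_GROUPS = [  # constructed sample data, not from a real account
    {"GroupId": "sg-web", "GroupName": "web-alb", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-db", "GroupName": "postgres", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-ssh", "GroupName": "bastion", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}],
         "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-legacy", "GroupName": "legacy-all-open", "IpPermissions": [
        {"IpProtocol": "-1",
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
]


def _cidrs(perm):
    """All IPv4 and IPv6 source ranges of one ingress permission."""
    return ([r["CidrIp"] for r in perm.get("IpRanges", [])]
            + [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])])


def _port_range(perm):
    """Port range of a permission; protocol '-1' means all traffic and
    carries no port fields in the API response."""
    if perm["IpProtocol"] == "-1":
        return 0, 65535
    return perm["FromPort"], perm["ToPort"]


def open_rules(groups, allowed_ports=ALLOWED_PUBLIC_PORTS):
    """Return one (group id, protocol, (low, high), cidr) tuple for every
    ingress rule reachable from anywhere that is not on the allow-list."""
    findings = []
    for group in groups:
        for perm in group.get("IpPermissions", []):
            low, high = _port_range(perm)
            # tolerated only when the rule is exactly one allowed port
            allowed = low == high and low in allowed_ports
            for cidr in _cidrs(perm):
                if cidr in ANYWHERE and not allowed:
                    findings.append((group["GroupId"], perm["IpProtocol"],
                                     (low, high), cidr))
    return findings


def main(groups=SAMPLE_GROUPS):
    """Pipeline entry point: a non-zero exit code breaks the build."""
    findings = open_rules(groups)
    for group_id, proto, (low, high), cidr in findings:
        print(f"FAIL {group_id}: {proto} {low}-{high} open to {cidr}")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main())
```

Run as a pipeline step, the non-zero exit stops the deployment; the IPv6 `::/0` case is checked separately from `0.0.0.0/0` because a rule that looks closed on IPv4 can still be open on IPv6.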
8. So I put in automated remediation and enforcement …
Tech
• Cloud Custodian – Capital One
• Lambda functions for notifications
Example policies
• Require MFA token
• Access key rotation
• Remove open security group rules
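The "require MFA" and "access key rotation" policies on this slide, as an added example written in Python rather than Cloud Custodian's YAML (it is not the speaker's Custodian policy or Lambda code). It evaluates an IAM credential report, flags console users without MFA and active access keys older than 90 days, and hands stale keys to an injectable deactivation callback so the same logic can notify only or enforce. The report is constructed inline with a subset of the real report's columns; in AWS it would come from `iam.get_credential_report()` via boto3, and the 90-day limit and frozen clock are assumptions.

```python
"""Serverless-style compliance check over an IAM credential report:
flags console users without MFA and access keys older than 90 days."""
# Added example, not the speaker's Lambda or Cloud Custodian code. The
# credential report is constructed inline with a subset of the real report's
# columns; in AWS it would come from iam.get_credential_report() (boto3).
import csv
import io
from datetime import datetime, timedelta, timezone

MAX_KEY_AGE = timedelta(days=90)   # assumption: 90-day rotation policy
NOW = datetime(2018, 10, 18, tzinfo=timezone.utc)  # frozen clock for the example

CREDENTIAL_REPORT = """\
user,arn,password_enabled,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_2_active,access_key_2_last_rotated
<root_account>,arn:aws:iam::111122223333:root,not_supported,true,false,N/A,false,N/A
alice,arn:aws:iam::111122223333:user/alice,true,true,true,2018-09-01T09:00:00+00:00,false,N/A
bob,arn:aws:iam::111122223333:user/bob,true,false,true,2018-03-15T12:30:00+00:00,false,N/A
deploy-bot,arn:aws:iam::111122223333:user/deploy-bot,false,false,true,2018-10-01T00:00:00+00:00,true,2018-01-20T08:00:00+00:00
"""  # constructed sample, account id and users are placeholders


def _age(stamp, now):
    """Age of an ISO-8601 timestamp; None for the report's N/A style values."""
    if stamp in ("N/A", "no_information", "not_supported", ""):
        return None
    return now - datetime.fromisoformat(stamp)


def evaluate(report_csv, now=NOW, max_age=MAX_KEY_AGE):
    """Return one finding dict per policy violation, in report order."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        # Policy 1: anyone with a console password must have MFA enabled
        if row["password_enabled"] == "true" and row["mfa_active"] != "true":
            findings.append({"user": user, "rule": "mfa-required"})
        # Policy 2: every active access key must have been rotated recently
        for slot in ("1", "2"):
            if row[f"access_key_{slot}_active"] != "true":
                continue
            age = _age(row[f"access_key_{slot}_last_rotated"], now)
            if age is not None and age > max_age:
                findings.append({"user": user, "rule": "key-rotation",
                                 "key": slot, "age_days": age.days})
    return findings


def handler(event, context, deactivate=None):
    """Lambda-style entry point. `deactivate(user, key_slot)` is a hook for
    the enforcement step (boto3 iam.update_access_key in a real function);
    leaving it None makes the run notify-only."""
    findings = evaluate(CREDENTIAL_REPORT)
    for finding in findings:
        if finding["rule"] == "key-rotation" and deactivate:
            deactivate(finding["user"], finding["key"])
    message = "\n".join(
        f"{f['user']}: {f['rule']}" + (f" (key {f['key']}, {f['age_days']} days)"
                                      if f["rule"] == "key-rotation" else "")
        for f in findings)
    return {"findings": findings, "notify": bool(findings), "message": message}


if __name__ == "__main__":
    print(handler({}, None)["message"])
```

The notify-only default matters in practice: run the check in report mode first so the team sees what would be deactivated, then wire in the enforcement callback once the findings list is clean.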
9. And then started looking for keys and secrets …
GitRob
• Keys
• Secrets
• Passwords
• Public and private repositories
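A minimal repository secrets scan of the kind this slide is about, as an added example (it is not GitRob and not the speaker's tooling). It looks for the documented AWS access key ID shape (`AKIA`/`ASIA` followed by 16 upper-case alphanumerics), a 40-character secret key following its variable name, PEM private key headers and hard-coded password assignments, and reports a redacted hit per file and line so the scan output itself never leaks the secret. The files are constructed in place of a checked-out repository; the key ID and secret key are the placeholder values from AWS documentation, not live credentials.

```python
"""Repository secrets scan for a pre-commit hook or CI job."""
# Added example, not GitRob and not the speaker's own tooling. SAMPLE_FILES
# stands in for a checked-out repository; the AWS key values are the
# placeholder examples from AWS documentation, not live credentials.
import re
import sys

PATTERNS = {
    "aws-access-key-id": re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b"),
    "aws-secret-access-key": re.compile(
        r"(?i)aws_secret_access_key\s*[=:]\s*['\"]?[A-Za-z0-9/+=]{40}"),
    "private-key": re.compile(
        r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----"),
    "hardcoded-password": re.compile(
        r"(?i)(?:password|passwd|pwd)\s*[=:]\s*['\"][^'\"]{6,}['\"]"),
}

SAMPLE_FILES = {  # constructed sample repository content
    "config/prod.env": (
        "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
        "AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"),
    "app/settings.py": "DB_HOST = 'db.internal'\nDB_PASSWORD = 'hunter2hunter2'\n",
    "certs/server.key": (
        "-----BEGIN RSA PRIVATE KEY-----\n"
        "MIIEowIBAAKCAQEAconstructedNotARealKey\n"
        "-----END RSA PRIVATE KEY-----\n"),
    "README.md": "Set AWS_ACCESS_KEY_ID in your environment; never commit it.\n",
}


def redact(match_text):
    """Keep only enough of a match to locate it, never the whole secret."""
    return match_text[:4] + "****"


def scan(files, patterns=PATTERNS):
    """Return (path, line number, rule, redacted match) for every hit."""
    findings = []
    for path, text in files.items():
        for lineno, line in enumerate(text.splitlines(), start=1):
            for rule, pattern in patterns.items():
                match = pattern.search(line)
                if match:
                    findings.append((path, lineno, rule, redact(match.group(0))))
    return findings


def main(files=SAMPLE_FILES):
    """Hook entry point: any finding blocks the commit or fails the job."""
    findings = scan(files)
    for path, lineno, rule, snippet in findings:
        print(f"{path}:{lineno}: {rule} ({snippet})")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main())
```

The README line mentioning `AWS_ACCESS_KEY_ID` produces no finding, which is the point of matching the key's shape rather than its variable name; a scan that fires on every mention of the word "key" gets switched off within a sprint.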
10. Continuous Cloud Compliance Framework
Prevention
• Policy as code
• CI / CD pipeline tests
Detection
• Infrastructure scans
• Data discovery
Remediation
• Serverless functions
• Runbooks
11. Contact details
info@celidor.net
Paul Schwarzenberger
Cloud Security | DevSecOps
www.celidor.co.uk
@paulschwarzen