Transitioning to AWS in a hurry without getting owned (Hopefully...)
Devina Dhawan
02/06/2017 - Women & Non-Binary Focused intro to AWS
Email: 3@etsy.com
Twitter: @theulzo
Introduction
Etsy operates a global marketplace where people around the world connect,
both online and offline, to make, sell and buy unique goods.
Security at Etsy
What is this talk about?
“Securing Amazon Web Services”
Infrastructure
Where to begin?
Evident.io
Low-hanging IAM Fruit
# Password Policy
# Multi-factor auth
Monitoring
# CloudTrail Logging
EC2
# Netwerkin’
# EC2 Roles
S3
# S3 Bucket Policies
Scout2
Changes I made… like a goon
Password Policies
My first Etsy communication
Hello X,
Looks like you still do not have MFA set up on your AWS account.
Go ahead and go to Identity & Access Management in your Amazon Web Services console -> find your username -> Manage MFA Device.
Note: If you no longer need your AWS account, please let me know!
Devina
Version 2.0
Hello X,
Looks like you still do not have MFA set up on your AWS account. It looks like you used your AWS account recently as well, so please sign up for MFA by 03/31/16 or your account will be suspended.
Go ahead and go to Identity & Access Management in your Amazon Web Services console -> find your username -> Manage MFA Device.
Note: If you no longer need your AWS account, please let me know!
Your neighborhood candy provider,
Devina
Oops...
Multiple statements which allow you to:
Other policies:
Oof…
AWS CLI for account creation
Getting comfortable with the AWS CLI is really useful too!
Using Terraform for IAM
Static Creds
Logging in AWS - CloudTrail
ELK
Alert Types
Email:
IRC/Slack/Jabber:
Collect the alerts:
Inbound/Outbound
EC2 Roles
Bucket Policies
So… it happened, what do I do now?
THANKS!
3@etsy.com
@theulzo