Defending & Securing AWS Applications

Abstract

It’s a well-known story that most cloud security incidents stem from customer mistakes. With almost a decade of tools telling us to close our buckets and encrypt our data, these issues still occur. Why is that? Because building a secure cloud application is not easy, and fixing an application running in production is even harder.

This two-day course will teach you how attackers can leverage these common cloud misconfigurations. You’ll understand the ease of discoverability and exploitability for several common cloud security issues.

Then you’ll learn how to fix them. Using a vulnerable by-design application, you’ll learn how to go about fixing these misconfigurations and the sharp edges that occur with any “simple change”. Our application is a functioning meme generator with simulated customer traffic. You’ll need to navigate the complexities of host-based, containerized, and serverless components to keep the attackers out and the customers (and management!) happy. Using the Fooli MemeFactory application, students will learn how to tighten IAM Policies, secure open S3 Buckets, defend against several credential exfiltration techniques, and re-encrypt their cloud resources.

At the end of this class, students will have a new appreciation for the findings that come out of common cloud security tools and an even deeper understanding of the complexities of remediating the issues.

Target Audience & Prerequisites

This class is designed for builders and the security teams that support them. Whether your title is Developer, Software Engineer, SRE, or DevOps, this class is for you. A basic understanding of AWS primitives is helpful. We won’t explain an S3 Bucket or EC2 Instance, but we will cover deeper topics like IAM, VPCs, and the myriad of services AWS offers to help its customers quickly build secure applications.

As part of a Cloud Security Assessment from PrimeHarbor, the class can be adjusted to emphasize areas of cloud security that may be more impactful to the organization. For example, if the company has a centralized network team that manages all aspects of VPCs, we might de-emphasize the section on network security and emphasize IAM or layer-7 ingress (ALBs and WAF).

Schedule

This class is offered on-site in either a two or three-day format.

The two-day format is 7 hours each day (with an hour for lunch), while the three-day format is 4 hours each day. Both formats allow busy students time to deal with daily tasks, so they’re not forced to answer emails or put out fires during class.

Curriculum Outline

Day 1

  1. Introduction to the Class
    1. Introductions
    2. What is the cloud anyway?
  2. Lab: Welcome to Fooli
    1. About the MemeFactory
    2. How the deployment pipeline works
  3. The Cloud Is Dark and Full of Terrors - A Primer on how misconfigurations occur and how attackers leverage them.
  4. IAM - The cause of, and solution to, all AWS Security Issues
    1. A brief overview of how AWS IAM works
    2. Users & Groups
    3. Roles & Identity Providers
    4. Policies
  5. Lab: Remediating IAM Users
  6. Lab: My God It’s Full of Stars: Tightening up the Fooli IAM Policies
  7. S3 Security
    1. Bucket Policies & ACLs
    2. Bucket Encryption
    3. How to properly make content public.
  8. Lab: Closing S3 Buckets
  9. Lab: Configuring CloudFront with OAI
  10. Network Security
    1. NACLs & Security Groups
    2. Routes & Route Tables
    3. VPNs, Peering, and Transit Gateways, Oh My!
  11. Lab: Fixing Security Groups
  12. Lab: Public RDS Databases (optional)
  13. Capital One Debrief
    1. SSRF & Overly permissive policies
  14. Lab: Implementing IMDSv2
  15. Lab: Configuring Roles Anywhere (Optional)
  16. End of Day 1

Day 2

  1. Secrets! Secrets! Secrets!
    1. Where to find them
    2. How to manage them
    3. How attackers can exfiltrate IAM Credentials
  2. Lab: Moving Secrets from UserData
  3. Cloud Encryption: The Good, the Bad, and the Ugly
    1. Why do it
    2. How to fix it when you didn’t do it.
  4. Lab: Fixing an unencrypted RDS
  5. Serverless Security
    1. Lambda
    2. DynamoDB
    3. SNS & SQS
  6. Lab: Fixing the Fooli Meme Generator
  7. Cloud Ransomware
  8. Lab: Implementing AWS Backup
  9. AWS Native Security Tooling - What it means for you
    1. CloudTrail, GuardDuty, Logging
  10. Turning the CSPM from nemesis to ally
    1. Reports from your security team are painful and disheartening. Here’s how you can use them to your advantage
  11. Lab: Security Hub & Prowler
  12. GitHub & Pipeline Security
    1. Managing Access
    2. Finding Secrets
    3. Defending the Supply chain
    4. Shifting left
  13. Lab: Implementing Checkov in your pipelines
  14. Closing & Anatomy of the attack
  15. End of Day 2

Instructor Bio

Chris Farris is a highly experienced IT professional with a career spanning over 25 years. During this time, he has focused on various areas, including Linux, networking, and security. For the past eight years, he has been deeply involved in public cloud and public-cloud security in media and entertainment, leveraging his expertise to build and evolve multiple cloud security programs.

Chris is passionate about enabling the broader security team’s objectives of secure design, incident response, and vulnerability management. He has developed cloud security standards and baselines to provide risk-based guidance to development and operations teams. As a practitioner, he has architected and implemented numerous serverless and traditional cloud applications, focusing on deployment, security, operations, and financial modeling.

He is one of the organizers of the fwd:cloudsec conference and has presented at various AWS conferences and BSides events. He was named one of the inaugural AWS Security Heroes. Chris shares his insights on security and technology on social media platforms like Twitter and Mastodon, and on his website https://www.chrisfarris.com.

Pricing

On-site classes in the US & Canada are $20,000 for up to 15 students. PrimeHarbor will provide each student with their own Fooli lab environment. The hosting company only needs to provide a projector, wireless connectivity, and HTTP/HTTPS and SSH access to the internet.