Starting from Scratch in a brand new AWS account and building out a secure architecture
This is a recap and a bit of organization of my series on Automating Cybersecurity Metrics. The Code.
When I initially started writing this series on Security Metrics Automation, I was going to create a basic security architecture for secure automation of batch jobs. I actually want to use this framework in my own business for penetration tests and security assessments.
The problem was that as I got further down the road, using an account where I had deployed AWS Control Tower and was using AWS SSO from AWS Identity Center, I hit too many issues. I decided to start over at that point and build out a new AWS account and organization from scratch using AWS IAM, possibly with Okta as an IdP. (You could also use Azure AD in a similar manner.) I've tried to use AWS Control Tower and AWS SSO but I'm just finding too many issues.
Here's the initial post where I started rebuilding, with some explanation of why. It provides a number of security tips you should consider when you create a new AWS account, so things ended up being a bit out of order.
If you want to follow along and build out an account from scratch you can start here.
From that point forward I'll build out everything I've done so far in a new AWS account. Anyone following along can test and build out their own account and learn cloud security in the process. The concepts are also applicable to Azure and GCP, which I mention periodically, but the terminology and specific implementation will vary.
So does starting over in a new account mean I'm going to have to throw out all the code I've already written? Absolutely not. I'm already re-using the code I used to deploy CloudFormation stacks with a naming convention that helps you:
- Identify the resource type
- Identify who deployed it
- Only allow a role to modify its own stacks.
Part of the above includes a common functions file used for deployment of all resources. That is still relevant as I start my AWS account over from scratch.
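As an added illustration of the idea behind that naming convention (this is not the author's deployment code, and the `deployer-type-name` layout, the account id and the names are assumptions), the snippet below builds and parses stack names, derives an IAM policy whose `Resource` ARN only matches stacks carrying the deployer's prefix, and runs a minimal allow-only evaluator to show which stack ARNs the policy covers:

```python
import re

# Assumed convention: <deployer>-<resource-type>-<name>, e.g. "alice-role-batchjob".
# Lowercase alphanumerics only, so the three parts can be split back apart safely.
STACK_NAME_RE = re.compile(r"^(?P<deployer>[a-z0-9]+)-(?P<rtype>[a-z0-9]+)-(?P<name>[a-z0-9]+)$")

def stack_name(deployer: str, rtype: str, name: str) -> str:
    """Build a stack name, rejecting parts that would break the convention."""
    for part in (deployer, rtype, name):
        if not re.fullmatch(r"[a-z0-9]+", part):
            raise ValueError(f"invalid name part: {part!r}")
    return f"{deployer}-{rtype}-{name}"

def parse_stack_name(name: str) -> dict:
    """Recover deployer, resource type and name from a stack name."""
    m = STACK_NAME_RE.match(name)
    if not m:
        raise ValueError(f"stack name does not follow convention: {name!r}")
    return m.groupdict()

def own_stacks_policy(deployer: str, account_id: str, region: str = "*") -> dict:
    """IAM policy letting a deployer's role act only on stacks it named (constructed)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "ManageOwnStacksOnly",
            "Effect": "Allow",
            "Action": ["cloudformation:CreateStack", "cloudformation:UpdateStack",
                       "cloudformation:DeleteStack"],
            # Stack ARNs look like arn:aws:cloudformation:REGION:ACCOUNT:stack/NAME/ID
            "Resource": f"arn:aws:cloudformation:{region}:{account_id}:stack/{deployer}-*/*",
        }],
    }

def _glob(pattern: str, value: str) -> bool:
    # IAM wildcard semantics: '*' matches any run of characters, '?' a single character.
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value) is not None

def policy_allows(policy: dict, action: str, resource_arn: str) -> bool:
    """Minimal evaluator: Allow statements only, no Deny or Condition handling."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        if any(_glob(a, action) for a in actions) and any(_glob(r, resource_arn) for r in resources):
            return True
    return False
```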
I've decided to try integrating with Okta to prevent privilege escalation as described in these posts.
My code for IAM roles is still relevant but needs to be modified to match the format of roles used with SAML federation.
All the other IAM policies and roles I created are still valid, but they'll need to be modified to be SAML roles, and I'm going to keep both the IAM and the SAML roles in the directory so people can use whichever one works in their own environment. I'm not sure I'll still use AWS Groups.
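The change in format is in the role's trust policy. The added example below (not the author's templates; the account id and provider name are constructed placeholders) shows a conventional IAM-principal trust policy, rewrites it into the SAML-federated form that uses `sts:AssumeRoleWithSAML` with a `SAML:aud` condition, and checks that a trust policy really restricts assumption to the SAML provider:

```python
SAML_AUDIENCE = "https://signin.aws.amazon.com/saml"  # audience value AWS expects in SAML:aud

def iam_trust_policy(account_id: str) -> dict:
    """Trust policy letting IAM principals in the account assume the role."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
            "Action": "sts:AssumeRole",
        }],
    }

def to_saml_trust_policy(policy: dict, account_id: str, provider_name: str) -> dict:
    """Rewrite each Allow statement so the role is reachable only via the SAML provider."""
    provider_arn = f"arn:aws:iam::{account_id}:saml-provider/{provider_name}"
    statements = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            statements.append(stmt)  # keep any Deny statements untouched
            continue
        statements.append({
            "Effect": "Allow",
            "Principal": {"Federated": provider_arn},
            "Action": "sts:AssumeRoleWithSAML",
            "Condition": {"StringEquals": {"SAML:aud": SAML_AUDIENCE}},
        })
    return {"Version": policy.get("Version", "2012-10-17"), "Statement": statements}

def saml_trust_problems(policy: dict) -> list:
    """Return a list of reasons a trust policy is not a proper SAML-only trust policy."""
    problems = []
    for i, stmt in enumerate(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        if "Federated" not in principal or ":saml-provider/" not in str(principal["Federated"]):
            problems.append(f"statement {i}: principal is not a SAML provider")
        actions = stmt.get("Action", [])
        actions = actions if isinstance(actions, list) else [actions]
        if actions != ["sts:AssumeRoleWithSAML"]:
            problems.append(f"statement {i}: action should be only sts:AssumeRoleWithSAML")
        aud = stmt.get("Condition", {}).get("StringEquals", {}).get("SAML:aud")
        if aud != SAML_AUDIENCE:
            problems.append(f"statement {i}: missing or wrong SAML:aud condition")
    return problems
```

The returned dict is what goes into a CloudFormation `AWS::IAM::Role` resource's `AssumeRolePolicyDocument`; the permissions policies attached to the role stay as they were.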
Once I get the IAM structure rebuilt, much of the rest of the code will remain the same. We'll still use the single KMS key CloudFormation template I created to deploy keys throughout our organization, but we'll probably start looking at cross-account access.
Note that the key policy above got some modifications as I discovered some issues as the series progressed. Read all the KMS posts for more information and some issues you may want to be aware of related to AWS KMS.
Our network architecture is also reusable. That doesn't change much. See the bottom of this list for the network related posts.
I'm finding a lot of rabbit holes as I implement all this code. I start out in one direction and end up down a winding path exploring some other security problem or requirement that popped up along the way. It's all part of something I've wanted to do for a long time: create a code framework for secure cloud infrastructure from the ground up in a new account and organization. We can't just skip over inconvenient details. In fact, I wrote about inconveniences as they relate to security here:
I like to think of this blog series like those people who watch other people play video games online. You get to watch me write and troubleshoot code, though I'm not doing it on a live video stream (yet). I have a general outline but the posts will evolve as I go.
I've started putting a few of the posts behind a paywall because this is a very time-consuming endeavor and yes, I do need to make a living. We'll see how that works out. Perhaps Medium pays me more than $2 per month. It already increases my funds a bit but nowhere near what I would need to write full time and publish about a post a day.
As I get into the details of building out an IdP, it starts getting complicated and much more time-consuming. Also, Okta is not cheap. For anyone following along who dislikes paywalls, I get it. I have a hard time paying for every news source that wants me to pay for a subscription. But consider this: you could pay for a $7,000 class such as those I used to teach for a certain organization.
Or you can help an author out and sign up for Medium using my referral link instead.
You'll get a daily dose of actionable cloud security tips to help you improve the security in your cloud account. You may also obtain enough knowledge to pass an AWS security certification if you're into that. I'll cover it all eventually, if I can.
But here's what I don't know. I get the most income when I refer a new subscriber, but I have no way to know if I actually got paid for someone I referred. If you do sign up as a referral from me, please let me know so I can see if I get the corresponding referral fee. Because right now I get exactly one referral per month, always, which seems odd. Never zero or two or five, always one.
I get a few other cents when people read or like posts but I don't even get how it all works. I'm too busy to figure it out.
An alternative to the paywall would be to spend a lot of time turning this into a book, pay an editor, and put the final chapters in the book like I did with my series on cybersecurity for executives. You would need to buy the book to get the final chapters, which I think cover the most important aspects of organizational security. Also the book would have fewer typos. 🙂
It's hard to know how to proceed as an author because there's so much information out there and you want to make sure you're providing value. At the same time, authors need to earn a living too. No, I don't want to write a book for Packt or teach classes through a third party. People can reach out directly on LinkedIn if they want to take a class from me. I write classes as well. The most recent class I taught was a 6 week, two hour class on Azure security. I do teach classes through IANS Research but you'll have to work with them to arrange a contract with a 50% up front payment.
In any case, I'll continue to publish some free and some paid posts in an effort to help as many people as possible as I work through this secure cloud architecture from scratch. I also appreciate it if people post issues on GitHub and I'll try to fix them. I don't always see them right away but I'll get to them eventually. The code is all out there for free, no paywall at the moment. 🙂
Follow for updates.
Teri Radichel | © 2nd Sight Lab 2023
About Teri Radichel:
~~~~~~~~~~~~~~~~~~~~
Slideshare: Presentations by Teri Radichel
Speakerdeck: Presentations by Teri Radichel
Recognition: SANS Difference Makers Award, AWS Hero, IANS Faculty
Certifications: SANS
Education: BA Business, Master of Software Engineering, Master of Infosec
How I got into security: Woman in tech
Company ~ Cloud Penetration Tests, Assessments, Training ~ 2nd Sight Lab
Cybersecurity for Executives in the Age of Cloud on Amazon