ACM.116 Other security controls and policies to consider for user-specific EC2 instances
This is a continuation of my series on Automating Cybersecurity Metrics.
The code in the last post automatically stops a VM after deploying it, to help save money when resources are created before they are needed for use.
https://medium.com/@2ndsightlab/automatically-stop-vms-on-aws-792cded54578
Now that we have deployed our user-specific VM, we can think about how the controls we put in place may be bypassed.
We have created a number of restrictions to try to lock down access to a VM to a single user.
As it stands now:
- We only have one SSH key associated with the instance, for the specific user who is allowed to log in to that instance.
- The security group only allows that specific user's IP address to access the instance (in the scenario where you have remote users and each user has a different remote IP address).
- If one user tries to log in to another user's instance, their SSH key won't work.
- They won't be able to get through the network controls.
What could a user do to get around these restrictions?
- As explained in a prior post, there is a way to add or change an SSH key. If the user can swap out an SSH key on an EC2 instance with their own, they could log in.
- If a user in the developer group has backup and restore permissions, they may be able to back up a volume and attach it to their own instance. Since we created a single KMS key for all members of the developer user group, they would not be restricted by encryption controls.
- If a developer has permission to detach a volume, they could attach it to a different host.
- If a user has permission to change the security groups on an instance (which is part of the ec2.* permission set), they can add their own user-specific security group to a different EC2 instance.
No resource policies for EC2 instances or Security Groups
EC2 instances don't offer resource policies. Neither do security groups. (#awswishlist). I've wished that you could apply policies to networking since I was working on the Capital One cloud network and cloud engineering teams.
When I implemented the networking for bastion hosts and a proxy on AWS, those hosts needed direct access to other networks. Anyone with permission to change the security groups and networking, or to deploy a new EC2 instance (VM), could deploy it in that networking with broad access.
In fact, I remember when the person who approved network security changes noticed that someone had attached security groups associated with different tiers of a 3-tier network to their EC2 instance. He wasn't too happy. I think our NACLs and routes would have helped somewhat, but he was worried that the person had effectively created a proxy to bypass our networking standards.
User-specific and zero-trust IAM policies for EC2 instance actions
This is where your IAM policies can help you. You'd want to disallow risky actions, or limit them to a VM whose name matches the user taking the action.
- Disallow users from taking EC2 actions on any instance except one that matches a specific naming convention (and make sure they cannot somehow bypass the naming convention).
- Disallow users from reassigning security groups to ones they shouldn't be able to use.
- Disallow EC2 deployments with SSH access to any IP other than their own, via their own user-specific SSH security group.
- Disallow attaching and reattaching volumes, or making snapshots, unless required.
- Leverage an automated backup process that isn't associated with a single user's credentials! (Yes, I've seen that. I won't say where.)
- Be careful in your architecture regarding who can get to or leverage the backup credentials. This also helps you protect against ransomware infecting all of your backups.
- Make sure users cannot assign permissions greater than their own to an EC2 instance.
I'm not going to write the code to protect against all of the above right now, but it is something to consider when trying to protect your EC2 resources.
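As an added illustration (not code from this post), here is one way to express the first, second and fourth bullets above as explicit Deny statements layered on top of whatever Allow the developer group already has: instance and volume actions are denied unless the resource's Name tag equals the caller's IAM user name, and security group rule changes are denied outright. It assumes each user's instance and volumes carry a Name tag equal to that user's IAM user name, and that callers are IAM users rather than role sessions (the ${aws:username} variable is empty for roles, where a principal tag would be compared instead).

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyInstanceActionsUnlessNameTagMatchesCaller",
      "Effect": "Deny",
      "Action": [
        "ec2:StartInstances",
        "ec2:StopInstances",
        "ec2:RebootInstances",
        "ec2:TerminateInstances",
        "ec2:ModifyInstanceAttribute"
      ],
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {
        "StringNotEquals": {
          "ec2:ResourceTag/Name": "${aws:username}"
        }
      }
    },
    {
      "Sid": "DenyVolumeAndSnapshotActionsUnlessNameTagMatchesCaller",
      "Effect": "Deny",
      "Action": [
        "ec2:AttachVolume",
        "ec2:DetachVolume",
        "ec2:CreateSnapshot"
      ],
      "Resource": "arn:aws:ec2:*:*:volume/*",
      "Condition": {
        "StringNotEquals": {
          "ec2:ResourceTag/Name": "${aws:username}"
        }
      }
    },
    {
      "Sid": "DenySecurityGroupRuleChanges",
      "Effect": "Deny",
      "Action": [
        "ec2:AuthorizeSecurityGroupIngress",
        "ec2:AuthorizeSecurityGroupEgress",
        "ec2:RevokeSecurityGroupIngress",
        "ec2:RevokeSecurityGroupEgress"
      ],
      "Resource": "*"
    }
  ]
}
```

Because StringNotEquals evaluates to true when the Name tag is absent, an untagged instance or volume is denied as well, which is the safe failure mode for a naming-convention control. ModifyInstanceAttribute is included in the first statement because changing an instance's security groups goes through that action.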
Follow for updates.
Teri Radichel
© 2nd Sight Lab 2022