Protecting the AWS ecosystem - Misconfigurations, IAM, and Monitoring

Presented at DEF CON 31 (2023), Aug. 10, 2023, 9 a.m. (240 minutes)

Cloud providers' ecosystems have brought a lot of new challenges to companies and Security teams. Many new attack vectors create known and unknown attack vectors, generating a considerable need for further research and detection in this field. In the current cloud security world, access keys are the new perimeter, and permissions associated with those keys are the limits. In many real-world scenarios, leaked access keys are the initial vectors to get into an organization's cloud environments. Therefore, the least privilege and detection in real-time becomes critical. Specifically, in AWS, we are talking about more than three hundred (300+) services that an attacker could create their specific attack path to achieve their goal. Considering this chaotic scenario, we developed this workshop to teach how to mitigate those new vectors and improve the company's overall cloud security posture. The workshop will cover misconfigurations, AWS IAM (Identity and Access Management) least privilege, and control plane (Cloudtrail) monitoring. This workshop will help organizations improve their cloud security posture in these three fields - misconfigurations, IAM permissions management, and control plane monitoring. There will be practical demonstrations, hands-on labs, and some Capture The Flag (CTF) to practice incident response. Skill Level: Intermediate Prerequisites for students: - AWS basic to intermediate knowledge Materials or Equipment students will need to bring to participate: - Laptop. - Demonstrations and Capture The Flag (CTF) exercises will be executed in my AWS account and using CTFd.

Presenters:

• Rodrigo Montoro - Head of Threat & Detection Research at Clavis Security
  Rodrigo Montoro has over 23 years of experience in Information Technology and Computer Security. For most of his career, he has worked with open-source security software (firewalls, IDS, IPS, HIDS, log management, endpoint monitoring), incident detection & response, and Cloud Security. Currently is Head of Threat & Detection Research at Clavis Security. Before that, he worked as Cloud Researcher at Tenchi Security, Head of Research and Development at Apura Cyber Intelligence, SOC/Researcher at Tempest Security, Senior Security Administrator at Sucuri, and Researcher at Spiderlabs. Author of 2 patented technologies involving innovation in the detection field. One is related to discovering malicious digital documents. The second one is in how to analyze malicious HTTP traffic. Rodrigo has spoken at several open source and security conferences (Defcon Cloud Village, OWASP AppSec, SANS (DFIR, SIEM Summit & CloudSecNext), Toorcon (USA), H2HC (São Paulo and Mexico), SecTor (Canada), CNASI, SOURCE, ZonCon (Amazon Internal Conference), Blackhat Brazil, BSides (Las Vegas e SP)).

Similar Presentations:

• Black Hat USA 2016 / Hardening AWS Environments and Automating Incident Response for AWS Compromises
• ToorCamp 2016 / The Good the Bad and the Ugly: AWS Account Takeover via IAM Instance Roles
• THOTCON 0x8 (2017) / Transitioning to AWS in a Hurry Without Getting Owned