- Cloud Security Lab a Week (S.L.A.W)
- Posts
- CloudSLAW Monthly: The Thick of It!
CloudSLAW Monthly: The Thick of It!
As our community rockets, let's take a peek at where we are going, and check out some other awesome communities.
Rich Mogull
April 09, 2024 • Estimated Reading Time: 11 minutes
Since everyone runs through the labs at their own pace, I like to send out a short monthly update to share news, bring the community together, and sync up on the big picture.
Before I get into this month’s update I want to welcome all our new members, most of whom came over from Daring Fireball. One of my goals with this project is to help improve security even outside the security profession, and I hope things are hitting the mark. You can always email me with suggestions and comments at [email protected].
Back when I started scheming on CloudSLAW I put together a planning list for the labs. Now, if you know me, this is… quite unlike me. I’m good at planning — I’m just really lazy and bad at writing things down. If you dig up any of my high school or college notebooks you’ll see about a week or two of actual notes at the beginning of every semester, then some pages with maybe keywords, then… a lot of trees gave their life for nothing. I’m sorry, trees — maybe someday you’ll be recycled into toilet paper?
My list didn’t survive long. One thing I’ve learned in the four months since we started this trip is that I can’t fully predict how long a lab will take, where to put the breaks to hit our time goals, and all the little dependencies. I’m learning as we go, and building these labs is already strengthening my own skills and knowledge because I need to really understand something to properly teach it. Those of you just getting started can see the next 2-4 months of labs we already built, but for the rest of you I thought I’d give a peek into my rough plans for the next couple months.
Before that I’d like to thank Sonrai Security for sponsoring. This is a ton of work and there’s some infrastructure cost, and this sponsorship helps me offer what I hope is the best damn free security training on the face of the planet.
SPONSOR SHOUTOUT! Sonrai Security
🔒One-click least privilege. Zero disruption.
With over 42,000 permissions in AWS, Azure, and Google, tens of thousands of human and machine identities to manage, and a constantly evolving cloud, achieving least privilege has been a Herculean task… until now.
The Cloud Permissions Firewall is a one-click solution that removes excessive sensitive permissions, quarantines unused identities, and disables unused services and regions in your cloud. The average company saw a 92% reduction in cloud permissions attack surface.
Not only is least privilege now achievable, it’s sustainable, as new identities are automatically protected falling under the default deny policy.
Worried about disrupting developers or not getting the access you need? Any restricted permission or quarantined identity can be alleviated with a quick ChatOps approval workflow.
Curious to see how it all works?
CloudSLAW Plans and News
Our big-picture objective is to build out a true enterprise-class AWS organization with all the security best practices. Then we’ll start building out different application stacks so we can learn the security ins and outs of the major services, then eventually keep going into some of the lesser-used services. Right now we are deep in the opening gambit of implementing the core of the org.
This week we’ll have a Stage Check for those on the leading edge of the labs. We just finished a huge block of content, building out our organization structure. Our next batch will take us into GuardDuty and some other AWS security monitoring tools, plus we will learn about and set up delegated administration so we can run things without having to log into our management account.
Then we will set up more of our central security services and use that to dive in deeper on IAM and Identity Center. Since we will need someplace to test all these new skills out, I’ll set up a CloudFormation template for a workload account we can turn on and off and play with. The end of that next stage is to have most of our core shared services and IAM in place.
CloudSLAW Azure is still in the works, and I hope to have more to say about that soon.
The annual RSA Security Conference is coming up in almost exactly a month, and if you are going and want to meet up there’s no better place than our 14th Annual Disaster Recovery Breakfast on Thursday! Absolutely everyone is welcome. You don’t have to RSVP but I appreciate it so we can plan the food. And if you are a potential sponsor or corporate partner who wants a one-on-one meeting, just drop me a line.
Recommended Reading
I consume a ton of security content on a weekly basis, but the news hits so fast and heavy these days I find it impossible to keep up. This week I want to highlight 5 newsletters I subscribe to which help keep me informed. These aren’t all of them, so stay tuned as I share more in coming months:
Vulnerable U by Matt Johansen: Matt is my go-to for collecting and analyzing the latest breaches and vulnerabilities. This is my favorite source for tracking news-making adversarial activity.
tl;dr sec by Clint Gibler: Odds are you already know this one. Clint covers an insane spectrum of news, broken out into coverage areas like ‘cloud’ and ‘appsec’. This is the best newsletter for the big picture, and I find it especially useful for finding new tools outside my core.
Return on Security by Mike Privette: Mike has deep tracking and analysis of the infosec industry and investments. As a researcher and recovering analyst myself, I find it important to keep track of how the industry moves and shakes.
Cartomancy Labs Futurecast by Allison Miller: This is the only newsletter I know of which covers bigger issues like economics and trust and safety. Allison is the former CISO of Reddit, with a long history of working to protect consumer security and privacy.
Unsupervised Learning by Daniel Miessler: Security, AI, and… self improvement. Odds are if you are in security you already read this one. But I think those of you coming from outside the profession might find Daniel’s work on AI and being human just as interesting.
From the CloudSLAW Community
A few of you have emailed with minor lab issues, and I think everyone is caught up. Pete Jansson (permission given to name him) brought up a couple things I thought worth sharing:
My confusion was about what "root account" means (and I realize AWS uses the term a lot).
They do. There’s your “root user” account, which corresponds the email associated with your AWS account (every account). This is a holdover from the days before there was IAM (yes, I was there). Back then there were no orgs, no IAM, so “root account” made more sense. And yes, AWS uses both the terms “root” and “account” in multiple ways.
I think the reason we had to do "root account recovery" is that the only way to be able to change the account name is to log in as that account, so we needed to recover the account in order to create a password credential so we could log in as that account. However, now I have an account that has a (long, and forgotten) password and no MFA, but, even if someone were to brute force the password, by placing the account in the Security OU with the SCP protection, the account can't do anything. Is that right? That's why it's OK to have no MFA. (And is there any way to remove the password from the account so it couldn't be somehow brute-forced or guessed or calculated by looking at a recording of the light from my office window?)
So… this is pretty close. What we did prevents root from doing nearly anything, other than a few minor things I listed in that original SCP post. It’s pretty solid protection, even if someone gets into that root user account. Unfortunately we can’t remove the password, but a strong random password is just as good because it’s effectively impossible to brute force. As for MFA, the SCP and no (saved) password means an attacker would need to compromise the email account or phone number associated with that root user account to perform account recovery, and the SCP blocks anything bad even if they do get that account. Since having access to that email is the same thing needed to reset an MFA, adding MFA would add no real security.
Now the management account is entirely different, and you absolutely want MFA there! You can’t protect it with an SCP.
Corrections
A couple typos, no technical corrections this month!
My Other Work and Upcoming Trainings
I’m not going to link to everything, because I post way too much in way too many places, but I will highlight some bigger things:
Chris Farris and I are speaking at RSAC. This ended up inspiring a much larger project we hope to release soon. We also had too much fun coming up with the title and description. CloudSec Hero to Zero: Self-Obsolescing Through Prolific Efficiency.
I have some 1-on-1 meeting slots open for potential sponsors and partners. Just email me at [email protected].
And don’t forget the Disaster Recovery Breakfast!
Will Bengtson and I are teaching Adversarial Cloud Incident Response at Black Hat. Although we teach cloud IR privately, this is pretty much the only place we teach the adversarial version.
Will and I have been teaching together at Black Hat for years, and he provided a 40% off discount code for CloudSLAW subscribers. Just use the super secret code, cl0udslaw.
We are very deep into updating the Cloud Security Alliance CCSK training to version 5.0. This is a ground-up rebuild and a ton of work, but initial feedback from reviewers is very positive. Mike Rothman will be teaching the first public class at Black Hat this summer.
We released version 2.0 of the Cloud Security Maturity Model.
A few Securosis blog posts to highlight:
Thank you everyone, and please keep the feedback coming!
Join the conversation