Data Perimeter Guardrails 🚧 in AWS + Building Threat Detection in GCP ⚠️ ⚠️

Learn how to protect your AWS using Data perimeter and find those threats in your GCP !

Author

Shilpi Bhattacharjee
July 13, 2023

Thank You - This Newsletter is for You

We are so grateful for all the love to our newsletter and sharing it with others 🙏🏻, big massive thank you.

AWS Security Month was quite the month and we had some incredible guests.

What we learnt from John Burgess

Understanding Data Perimeters in the Cloud

  • A data perimeter is essentially a set of guardrails that help manage and control access through the boundaries of your AWS organization.

  • The importance of this concept lies in the distinction between internal and external IAM Principals. In general, you would trust your own accounts more than external ones.

  • So, if there's an external entity trying to access your resources or vice versa, that's a point of concern. Ideally, you'd want to block such access by default and only allow specific cases through a whitelist.

  • The key takeaway here is that AWS data perimeters provide that control mechanism to manage access through your organizational boundary.

How to Start Building a Data Perimeter

John also gave us valuable insights into how to start building your data perimeter. Here are the crucial steps:

  • The first thing to understand is that building a data perimeter isn't the first step in your cloud security journey. There are other fundamental requirements you need to fullfil before you get to this stage.

  • AWS Organizations need to be set up, and CloudTrail should be enabled. This is to keep a tab on the kind of access taking place within your organization.

  • Implement fundamental Service Control Policies (SCPs) like denying root user access before you start to create your data perimeter.

  • Additionally, he emphasized the importance of following the best practices such as enabling S3 block public access.

  • Once you have these basics in place, only then should you start considering the use of more advanced tools like data perimeters.

Remember, AWS security isn't a sprint but a marathon. Each step is critical to building a robust security framework.

These are some of the resources John found helpful for data perimeter:

Before we dive into a brand new month and the big kick off we had for Google Cloud Security Month, a note to share that we are always looking to bring to you more of what you are looking to learn and hear about in the world of cloud security, cloud native security and AI security. So if there is a topic or theme you would love to see on Cloud Security Podcast definitely let us know!

Cloud Security Podcast This Week:

Google Cloud Security Month is kicked off this week with a thrilling episode with none other than Day Johnson of Cyberwox about Threat Detection in Google Cloud.

What Day Johnson shared with us

Common Threats in GCP

In the latest episode of the cloud security podcast with Day Johnson of Cyberwox, he spoke about the various threats present in Google Cloud Platform (GCP). Here are the key takeaways:

  • Service Accounts: These accounts, particularly when overly permissive, are a big threat. Without proper guardrails in place, these accounts can grant access across folders and projects, leading to potential lateral movement or privilege escalation vectors. Moreover, service account keys, if publicly exposed, can be misused as they essentially have an 'immortal' lifespan.

  • Storage Buckets: Exfiltration with storage buckets is another concern. Low visibility in certain activities can pose a security threat in GCP.

  • Compute Instances: Misconfiguration of compute instances or mishandling of SSH keys could lead to compromises with the project metadata.

Remember, the major threat lies with the service account due to its role as a major identity within Google Cloud.

Getting Started with Threat Detection in GCP

How should you go about detecting threats in GCP? Day Johnson provided some valuable advice:

  • Understand Your Environment: Start by understanding how your cloud environment works. Familiarize yourself with the configuration of resources and what resources exist. You can't detect threats if you don't know how things can be misconfigured or what threats exist against them.

  • Know Your Services: Explore how services are used by developers, cloud engineers, and DevOps engineers. Understand what 'normal' looks like for these services and then think about how an attacker could potentially exploit them.

  • Self-Education: Day emphasized the value of reading Google Cloud docs and watching YouTube videos. Learning Google Cloud and how to detect threats within it can often be a process of self-education and hands-on experience.

Don't Lift and Shift Cloud Knowledge

Day warned us against assuming that knowledge from one cloud provider will directly translate to another.

While there are commonalities across all cloud providers, there are also significant differences.

For instance, the way identity and access management works in Google Cloud is completely different from how it works in AWS. When it comes to detecting threats, it's crucial to look at each cloud provider holistically, understanding the services and how things work specifically within that environment.

Threat Modelling by Service

Finally, Day discussed how to approach threat detection for each service. The steps to this approach are as follows:

  • Understand the Service: What is it able to do? What are the various API actions?

  • Consider Normal and Malicious Use: How would a developer use this service, and how might an attacker misuse it?

  • Identify What Deviates From Normal: What deviates from the norm within your Google Cloud environment? What does an attacker potentially doing with this service to exploit it within your cloud environment?

By examining each service holistically and understanding both its intended and potentially malicious uses, you can generate a variety of detection possibilities and then narrow your scope to what fits the threat model of your particular Google Cloud environment.

These are some of the resources Day found helpful for threat detection in GCP along with some resources he mentioned + his talk

Want to learn more about Cloud Security or know someone who wants to, we got you !

If you have been following our journey for a while, you would know that one of the big reasons we started Cloud Security Podcast was to make cloud security knowledge accessible for anyone wanting to learn it.

Have you joined our FREE Monthly Cloud Security Bootcamp yet?

But in the spirit to continuing the learning together, we have kicked off another Free Cloud Security Bootcamp, running once every month LIVE. If you want to join in or know someone who will benefit from it - you/they can subscribe to it here.

Cloud Security Podcast in July

Next up in Google Cloud Security Month, we are chatting with Caleb Tennis, Information Security Principal Sequoia Capital

Join us LIVE + have those questions ready !

As you know, our newsletter is on a path of self improvement and reinvention, Ashish and I have challenged ourselves to bring you even more value as we continue to evolve this each week & we would love to hear from you 📢 as to how can we make this newsletter even more awesome for you (On that note! Thank you for subscribing💙)


Hope you are enjoying this new look Cloud Security Newsletter, theres plenty more to come.

Peace!

Was this forwarded to you? Sign up here

Want to partner with Cloud Security Podcast ! Lets make it happen

Have a topic or idea to share? Submit it here

Need Cloud Security or AI Security advice? Ask Ashish and Shilpi here