Building a secure cloudy keystore

Agenda
- What
- Why?
- Cloud controls: IAM, Instance Metadata, the Cloud API, CloudHSM
- Building a secure cloudy keystore

What
There is a need to develop robust, Cloud-ready services that help us keep control of our data; we need systems that:
- Allow us to take full advantage of the Cloud (autoscaling)
- Protect our most sensitive data (crypto keys)
- Give us (only us) access to our data (key custody)
- Help us encrypt as much as possible
- Verify access
- Separate duties
- Have layers of defense

Why?
We all want to leverage the Public Cloud, but it is different:
- Multitenant
- Shared resources (e.g., AMIs and EBS volumes)
- Elastic
- Incredibly easy to make private resources public (e.g., S3)

Why?
Cloud controls that amount to checkbox encryption or force us to reveal private keys:
- Offloading SSL at load balancers exposes your private keys to your Cloud provider
- If you are using server-side encryption (SSE) or transparent data encryption (TDE), your Cloud provider manages the keys (S3, EBS, RDS)
- TDE does not protect you against SQL injection: the data is decrypted for whatever query the application (or an attacker driving it) issues

Cloud Controls Review: Identity and Access Management
- Roles: used to define permissions to access resources
- Instance Profiles: used to pass role information to instances (hosts in EC2)
Example (CloudFormation IAM role that may only read objects in one bucket):

    {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "AssumeRolePolicyDocument": { JSON },
        "Path": String,
        "Policies": [{
          "Statement": [{
            "Effect": "Allow",
            "Action": [ "s3:GetObject" ],
            "Resource": "arn:aws:s3:::mybucket/*"
          }]
        }]
      }
    }

Cloud Controls Review: IAM Dos and Don'ts
- Use least privilege
- Have few IAM administrators, and don't write policies like the one below
- If a principal can write any policy (iam:PutRolePolicy), it can grant itself any permission; split the responsibility of defining policies from that of using them
Example (what not to do: an allow-everything policy):

    {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "AssumeRolePolicyDocument": { JSON },
        "Path": String,
        "Policies": [{
          "Statement": [{
            "Effect": "Allow",
            "Action": "*",
            "Resource": "*"
          }]
        }]
      }
    }

Cloud Controls Review: The Metadata service
- Delivers information into an instance through the hypervisor
- Allows the instance to retrieve information about itself and its environment
- It is also a mechanism by which you can run code to configure the instance on first boot
- Can be accessed through a simple web call: http://169.254.169.254/latest/

Cloud Controls Review: The Metadata service, Instance Metadata
- Used to retrieve network information
- Used to retrieve temporary application credentials (the credentials of the role in the instance profile)
Example (the instance metadata tree lives under meta-data/, not metadata/):

    $ curl http://169.254.169.254/latest/meta-data/local-ipv4
    172.16.0.23
    $ curl http://169.254.169.254/latest/meta-data/iam/security-credentials/
    myrole
    $ curl http://169.254.169.254/latest/meta-data/iam/security-credentials/myrole
    {
      …
      "AccessKeyId" : "ASIA9JD9238JHSJH8",
      "SecretAccessKey" : "...",
      "Token" : "...",
      "Expiration" : "2014-10-21T10:08:07Z"
    }

Cloud Controls Review: The Metadata service, user-data
- Can be used to configure your instance on boot
- But your distro must support this feature (cloud-init)
Example:

    $ curl http://169.254.169.254/latest/user-data
    #!/bin/bash -ex
    yum install httpd
    ...

Cloud Controls Review: The Metadata service, dynamic data
- Can be used to retrieve the instance identity document
- Can be used to retrieve the instance identity signature
Example:

    $ curl http://169.254.169.254/latest/dynamic/instance-identity/document
    {
      "instanceId" : "i-ac9893a1",
      "billingProducts" : [ "bp-83872873" ],
      "accountId" : "123456789098",
      "imageId" : "ami-kjhsk386s",
      "instanceType" : "m1.micro",
      "architecture" : "x86_64",
      "pendingTime" : "2014-10-03T16:24:13Z",
      "region" : "us-west-2",
      "version" : "2010-08-31",
      "availabilityZone" : "us-west-2b",
      "privateIp" : "10.0.21.234"
    }

There isn't much documentation, but we can use the signature together with an Amazon-provided certificate to verify the identity document (a successful check reports "document is valid"):

    $ curl http://169.254.169.254/latest/dynamic/instance-identity/signature
    kjh34ljhlk34M7ZMBwMiUWtZ1L9XgsWCznV1LwYq

Cloud Controls Review: Metadata service Dos and Don'ts
- Avoid putting sensitive data in user-data: any process on the instance can read it
- Protect the metadata service, e.g., ensure your HTTP proxy does not relay requests for 169.254.169.254 (anyone who can route a request there through your proxy reads the temporary credentials shown above)
- Infrastructure is code, so protect your code repos (it goes without saying)
- Nimbostratus by Andres Riancho: good read!

Cloud Controls Review: The API
- Can do anything that CloudFormation and the Console can do, and more
- You can use it to list resources, run instances, copy files…
- API to Console: "Anything you can do I can do better… Yes I can, yes I can, yes I can!" Console: "No you can't…"
Example (Ruby SDK):

    > require 'aws-sdk-core'
    => true
    > conn = Aws::EC2::Client.new(region: 'us-west-2')
    => #<Aws::EC2::Client>
    > conn.describe_instance_status
    => #<struct instance_statuses=[#<struct instance_id="i-6461046f", availability_zone="us-west-2a", events=[], instance_state=#<struct code=16, name="running">, system_status=#<struct status="ok", details=[#<struct name="reachability", ...

Cloud Controls Review: The CloudHSM
- A hardware security module (HSM), a SafeNet Luna HSM
- Provides secure key storage and cryptographic operations
- Helps you meet corporate, contractual and regulatory compliance requirements
- An appliance that is connected to your VPC
- A good place to keep symmetric and asymmetric keys

Cloud Controls Review: The CloudHSM Setup, Configuration
Example:

    $ ssh manager@[hsm_ip_address]
    # set a password
    lunash:> user password
    # initialize the HSM
    lunash:> hsm init -label [luna_name]
    # create an HSM key pair (server certificate)
    lunash:> sysconf regenCert
    # restart the network interface
    lunash:> ntls bind eth0
    # create a partition
    lunash:> hsm login
    lunash:> partition create -partition [partition_name]

Cloud Controls Review: The CloudHSM Setup, CloudHSM Client Setup
Example:

    $ cd /usr/lunasa/bin
    # copy the server cert from the HSM to the client
    $ sudo scp -i ~/.ssh/[private_key_file] manager@[hsm_ip_address]:server.pem .
    # register the server cert with the client
    $ sudo ./vtl addServer -n [hsm_ip_address] -c server.pem
    # generate the client cert
    $ sudo ./vtl createCert -n [client_name]
    # copy the client cert to the HSM
    $ scp -i ~/.ssh/[private_key_file] /usr/lunasa/cert/client/[client_name].pem manager@[hsm_ip_address]:
    # register the client and assign it a partition
    $ ssh -i ~/.ssh/[private_key_file] manager@[hsm_ip_address]
    lunash:> client register -client [client_id] -hostname [client_name]
    lunash:> client assignPartition -client [client_id] -partition [partition_name]

Cloud Controls Review: A few notes about the CloudHSM
- Upfront setup cost of $5K
- If you lose your admin password you lose your data
- Does not play nice with autoscaling: client registration is static (every client certificate is registered by hand, as above)
- It is not Cloud aware, that is, it does not leverage e.g. IAM to make access determinations
- It is built for the datacenter, not for the Cloud, even if it has Cloud in its name
- Easily integrated with Java as a crypto provider
- …but it is still a good place to keep keys

A Secure Cloud Environment
So, we have some pretty good controls that we can take advantage of; what to do…?
How about combining these controls together to build a Secure Cloudy Keystore?

A Secure Cloud Environment: the simple deployment
- The CloudHSM houses all secrets and all hosts have access to all secrets
- But it has all the weaknesses we pointed out previously (static client registration on every host, the HSM user PIN seeded on every host, no Cloud-aware access decision)

A Secure Cloud Environment: Secure Cloudy Keystore
- Centralize access to the HSM (one keystore service talks to the HSM on behalf of the fleet)
- Minimizes manual setup
- Need to seed the user PIN in one place only
- Verify access to keys using other controls

A Closer Look
- AWS API
- Metadata Service
- Cloud-init

A Secure Cloud Environment
What can we verify through the API when an instance is requesting a secret?
- Instance Profile / IAM Role
- Role permissions
- Instance Identity Document (IID) fields
- IID signature
- Request IP address (does the caller's source address match the IID's privateIp and what the API reports for that instance?)
- Uptime (a secret request long after first-boot provisioning is suspicious)
- Etc…

A Secure Cloud Environment: a review of our principles
- Isolates HSM interactions
- Allows us to take full advantage of the Cloud
- Protects our most sensitive data
- Gives us (only us) access to our data
- Helps us encrypt as much as possible
- Verifies access
- Separates duties
- Has layers of defense

Questions?
Thank You!
Javier Godinez, godinezj at gmail
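Added example, not code from the talk: one way to implement the keystore's access decision sketched on the preceding slides (the "What can we verify through the API" list, the IID signature slide and the IAM "don't grant PutRolePolicy" point), in Ruby since the deck's API example is Ruby. Everything named here is an assumption for the example: the constants (EXPECTED_ACCOUNT, KEY_ACL, MAX_UPTIME, FORBIDDEN_ACTIONS), the function names, and the `api` hash, which stands in for DescribeInstances and GetRolePolicy lookups the keystore makes itself (the client is never trusted to supply them). The signature is checked as RSA-SHA256 over the raw document bytes, which is how the base64 `signature` value is verified with `openssl dgst` against the AWS-published certificate; so that the example runs offline, a locally generated self-signed certificate stands in for that certificate and the IID's pendingTime is set relative to the current time. "Uptime" is derived from pendingTime; the instance's launch time from the API would serve as well.

```ruby
require 'openssl'
require 'json'
require 'base64'
require 'time'

# Deployment policy for this keystore. All of these are assumptions for the example.
EXPECTED_ACCOUNT = '123456789098'.freeze
EXPECTED_REGION  = 'us-west-2'.freeze
MAX_UPTIME       = 600   # seconds since launch within which first-boot secret requests are honoured
KEY_ACL          = { 'db-master-key' => ['webapp-role'] }.freeze   # which role may read which key
# A client role that can (re)write IAM policies could grant itself anything, so refuse it.
FORBIDDEN_ACTIONS = ['*', 'iam:*', 'iam:PutRolePolicy', 'iam:AttachRolePolicy'].freeze

# IID signature check: RSA-SHA256 over the raw document bytes, using the public key of the
# signing certificate (in production the AWS-published certificate for the region).
def document_signature_valid?(document, signature_b64, cert_pem)
  cert = OpenSSL::X509::Certificate.new(cert_pem)
  cert.public_key.verify(OpenSSL::Digest.new('SHA256'), Base64.decode64(signature_b64), document)
end

# Role permission check: does any Allow statement in the role's policies grant a forbidden action?
def policy_over_privileged?(policy_documents)
  policy_documents.any? do |doc|
    Array(doc['Statement']).any? do |st|
      st['Effect'] == 'Allow' && Array(st['Action']).any? { |a| FORBIDDEN_ACTIONS.include?(a) }
    end
  end
end

# The keystore's access decision. `request` is what the client sent (IID, signature, key name)
# plus the TCP source address the keystore observed. `api` stands in for lookups the keystore
# makes itself via the AWS API (DescribeInstances, GetRolePolicy). Returns [allowed, reason].
def authorize_key_request(request, api:, cert_pem:, now: Time.now)
  unless document_signature_valid?(request[:document], request[:signature], cert_pem)
    return [false, 'bad signature']
  end
  doc = JSON.parse(request[:document])
  return [false, 'wrong account'] unless doc['accountId'] == EXPECTED_ACCOUNT
  return [false, 'wrong region']  unless doc['region'] == EXPECTED_REGION
  return [false, 'source ip does not match document'] unless request[:source_ip] == doc['privateIp']
  uptime = now - Time.iso8601(doc['pendingTime'])
  return [false, 'instance too old for first-boot provisioning'] if uptime > MAX_UPTIME
  instance = api[:instances][doc['instanceId']]
  return [false, 'unknown instance'] if instance.nil?
  return [false, 'api disagrees with document'] unless instance[:private_ip] == doc['privateIp']
  role = instance[:role]
  return [false, 'role not allowed for this key'] unless Array(KEY_ACL[request[:key_name]]).include?(role)
  return [false, 'role can rewrite policies'] if policy_over_privileged?(api[:role_policies].fetch(role, []))
  [true, 'ok']
end

# Constructed sample: a self-signed certificate standing in for the AWS certificate, an IID
# signed with its key, and API results as a hash. Identifiers mirror the deck's examples;
# pendingTime is two minutes ago so the uptime check passes.
def sample_material(now = Time.now)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse('/CN=stand-in-identity-cert')
  cert.public_key = key.public_key
  cert.not_before = now - 60
  cert.not_after  = now + 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  document = JSON.generate(
    'instanceId' => 'i-ac9893a1', 'accountId' => EXPECTED_ACCOUNT, 'region' => EXPECTED_REGION,
    'privateIp' => '10.0.21.234', 'pendingTime' => (now - 120).utc.iso8601
  )
  signature = Base64.strict_encode64(key.sign(OpenSSL::Digest.new('SHA256'), document))
  api = {
    instances: { 'i-ac9893a1' => { private_ip: '10.0.21.234', role: 'webapp-role' } },
    role_policies: { 'webapp-role' => [
      { 'Statement' => [{ 'Effect' => 'Allow', 'Action' => ['s3:GetObject'],
                          'Resource' => 'arn:aws:s3:::mybucket/*' }] }
    ] }
  }
  { document: document, signature: signature, cert_pem: cert.to_pem, api: api, now: now }
end

if $PROGRAM_NAME == __FILE__
  m = sample_material
  request = { document: m[:document], signature: m[:signature],
              source_ip: '10.0.21.234', key_name: 'db-master-key' }
  p authorize_key_request(request, api: m[:api], cert_pem: m[:cert_pem], now: m[:now])
end
```

The order of the checks matters: the signature is verified before any field of the document is read, so a tampered privateIp or accountId never reaches the later comparisons, and the source address is compared both with the document and with what the API says about that instance, so a host cannot present another host's (genuinely signed) identity document.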
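Added example, not code from the talk: the "ensure your HTTP proxy does not relay for 169.254.169.254" rule from the Metadata service Dos and Don'ts slide, written as the relay decision a forward proxy on EC2 would make, in Ruby. A filter that only compares the string "169.254.169.254" is bypassed by the alternative spellings libc's inet_aton accepts (a bare decimal or hex integer, octal octets, fewer than four parts) and by the IPv4-mapped IPv6 form, so the example normalizes all of those before checking the address against the blocked ranges. The function names, the BLOCKED_RANGES list (the fd00:ec2::254 IPv6 metadata endpoint in particular should be confirmed against current AWS documentation) and the injectable resolver are assumptions for the example.

```ruby
require 'ipaddr'
require 'socket'
require 'resolv'

# Destinations a forward proxy on EC2 must never relay to. 169.254.0.0/16 is the IPv4
# link-local block that contains the metadata service at 169.254.169.254; fe80::/10 is the
# IPv6 link-local block; fd00:ec2::254 is the IPv6 metadata endpoint (assumption: confirm
# against current AWS documentation).
BLOCKED_RANGES = [
  IPAddr.new('169.254.0.0/16'),
  IPAddr.new('fe80::/10'),
  IPAddr.new('fd00:ec2::254/128'),
].freeze

# inet_aton-style parsing: 1 to 4 dot-separated parts in decimal, octal (leading 0) or hex
# (0x), the last part filling the remaining bytes. This is what libc, curl and most HTTP
# clients accept, so 2852039166, 0xa9fea9fe, 0251.0376.0251.0376 and 169.254.43518 all
# reach 169.254.169.254. Returns the 32-bit Integer value, or nil for anything else.
def inet_aton_value(str)
  parts = str.split('.', -1)
  return nil if parts.empty? || parts.size > 4 || parts.any?(&:empty?)
  nums = parts.map do |p|
    case p
    when /\A0x\h+\z/i   then p.to_i(16)
    when /\A0[0-7]+\z/  then p.to_i(8)
    when /\A\d+\z/      then p.to_i
    else return nil
    end
  end
  last = nums.pop
  free_bytes = 4 - nums.size
  return nil if nums.any? { |n| n > 255 } || last >= (1 << (8 * free_bytes))
  (nums.inject(0) { |acc, n| (acc << 8) | n } << (8 * free_bytes)) | last
end

# Turn a URL host component into an IPAddr, or nil if it is a hostname rather than a literal.
def parse_ip_literal(host)
  h = host.strip
  h = h[1..-2] if h.start_with?('[') && h.end_with?(']')   # bracketed IPv6 in URLs
  if h.include?(':')
    ip = IPAddr.new(h)
    ip.ipv4_mapped? ? ip.native : ip   # ::ffff:169.254.169.254 is really an IPv4 address
  else
    v = inet_aton_value(h)
    v && IPAddr.new(v, Socket::AF_INET)
  end
rescue IPAddr::InvalidAddressError
  nil
end

# The relay decision. Hostnames are resolved here, by the proxy, and every resolved address
# is checked; the proxy must then connect to the checked address rather than re-resolve the
# name (DNS rebinding). The resolver is injectable so the example runs offline.
def relay_allowed?(host, resolver: Resolv.method(:getaddresses))
  ip = parse_ip_literal(host)
  addresses = ip ? [ip] : resolver.call(host).map { |a| IPAddr.new(a) }
  return false if addresses.empty?
  addresses.none? { |a| BLOCKED_RANGES.any? { |range| range.include?(a) } }
end
```

Blocking the whole link-local range rather than the single address costs nothing on EC2 (nothing else a web application needs lives there) and also covers the metadata service's other link-local neighbours; the same normalization applies when the "proxy" is an SSRF hole in your own application that fetches user-supplied URLs.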