Security invariants: From enterprise chaos to cloud order (DEV401)
Security Invariants
Introduction
Chris Ferris and Rich Mogull discussed the concept of "Security Invariants" and how to implement them using various AWS security controls.
Security Invariants are preventative controls that always hold true for a business, reducing the security burden and providing consistency.
Security Spectrum
The presenters discussed the security spectrum, ranging from educating and empowering developers to vulnerability management.
Security Invariants fit within this spectrum, acting as guard rails to prevent security issues from happening in the first place.
Defining Security Invariants
Security Invariants should be:
Specific
Enforceable
Realistic
Avoid exceptions
Enforcement Options
Service Control Policies (SCPs)
Resource Control Policies (RCPs)
Declarative Policies
Auto Remediation
Service Control Policies (SCPs)
SCPs are managed by AWS Organizations, defining the maximum permissions for an account, including the root user.
SCPs apply to the identities in your organization.
Resource Control Policies (RCPs)
RCPs apply to all identities in AWS, whether in your organization or not, and restrict access to specific resources.
RCPs currently support S3, STS, SQS, and Secrets Manager.
Declarative Policies
Declarative Policies enforce configurations at the service level, outside of the IAM policy evaluation logic.
They currently support features like blocking public EBS snapshots and enforcing IMDSv2.
Writing Effective Invariants
Start by stating the invariant in plain language.
Determine the actions and resources to be controlled.
Leverage condition keys, such as the principal ARN and IP address, to enforce the invariant.
Avoid exceptions by building them into the invariant.
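As an added example (not from the talk), the three steps above carried through for one constructed invariant: the SCP document built from the plain-language statement, plus a simplified Python model of the Deny-matching logic that shows why an exception for one role on one network must be written as two Deny statements, since operators inside a single Condition block are ANDed. The SecurityAdmin role name, account ids and the 203.0.113.0/24 range are placeholders.

```python
import fnmatch
import ipaddress

# Plain-language invariant (constructed for this example): "Nobody may stop or
# delete CloudTrail trails, except the SecurityAdmin role, and only from the
# corporate network." Role name, account ids and CIDR are placeholders.
PROTECTED_ACTIONS = ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail"]

INVARIANT_SCP = {
    "Version": "2012-10-17",
    "Statement": [
        # Two Deny statements, because operators inside one Condition block are
        # ANDed: a single statement would exempt EITHER the role OR the network.
        {
            "Sid": "DenyUnlessSecurityAdmin",
            "Effect": "Deny",
            "Action": PROTECTED_ACTIONS,
            "Resource": "*",
            "Condition": {
                "ArnNotLike": {"aws:PrincipalArn": "arn:aws:iam::*:role/SecurityAdmin"}
            },
        },
        {
            "Sid": "DenyUnlessCorporateNetwork",
            "Effect": "Deny",
            "Action": PROTECTED_ACTIONS,
            "Resource": "*",
            "Condition": {"NotIpAddress": {"aws:SourceIp": "203.0.113.0/24"}},
        },
    ],
}

def _condition_holds(op, expected, actual):
    """Simplified model of the two operators used above; not AWS's evaluator."""
    if op == "ArnNotLike":
        return not fnmatch.fnmatchcase(actual, expected)
    if op == "NotIpAddress":
        return ipaddress.ip_address(actual) not in ipaddress.ip_network(expected)
    raise ValueError(f"unsupported operator {op}")

def scp_denies(scp, action, context):
    """Return the Sid of the first matching Deny statement, or None when the
    invariant lets the request through to normal IAM evaluation."""
    for stmt in scp["Statement"]:
        if stmt["Effect"] != "Deny" or action not in stmt["Action"]:
            continue
        if all(_condition_holds(op, value, context[key])
               for op, pairs in stmt["Condition"].items()
               for key, value in pairs.items()):
            return stmt["Sid"]
    return None
```

Before attaching such a policy to an OU, replay recent CloudTrail events through it to confirm that only the intended role-and-network combination survives.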
Deploying and Maintaining Invariants
Be cautious and deliberate when rolling out invariants to avoid breaking production workloads.
Leverage tools like AWS CloudTrail and Access Analyzer to understand the impact of the invariants.
Communicate the invariants to developers and maintain them as infrastructure as code.
Manage the organizational hierarchy, including the use of an "Exceptions OU" and an "Onboarding OU", to handle exceptions and new acquisitions.