Building Bulletproof AWS Environments with Secure CDK Constructs

[Music] my name is ke and Justice and this is a talk about building bulletproof AWS environments with secure cdk constructs a little bit about me I've worked as a cloud security engineer at guidepoint security we're a full service uh security consulting firm um I've been a devack Ops engineer at several early stage startups and started the security program from a ground up all way from idea to um to Sock 2 to live customers gone through several security audits I have a bachelor's degree in management information systems from the local Washington State University and I hold over a doen dozen active industry certifications mostly in cloud and security I guess um I should give you a

brief overview of security of McLoud and then up end I'll go over the code um something that's really important to know is that there's a shared responsibility model in the cloud this is not talked about enough um there Cloud providers are responsible for more of the physical security of the data centers and then the customers are actually responsible for a lot of the configuration of their applications within the cloud there's there's split duties and it's important because you might be Hippa compliant on paper AWS may be Hippa compliant but if you want to become Hippa compliant client there's actually additional steps that you have to do there's there's part partly provider Cloud providers responsibility and partly your

responsibility um I'll give you a brief overview of a cloud security Alliance they're a great um platform or they they have some tools and standards for setting up Cloud controls I they're highly recommended they're an industry leader in determining controls for with Cloud um but I'll touch on them very briefly um but when it comes to deploying the cloud historically um before infrastructures code there was something called click Ops and it sounds exactly what you think is you go into the console you click click on I want to launch an ec2 instance I want to launch an RDS instance and you do that and it's good if you're just trying to set up something really simple you don't really

care about security and you just need it really fast you don't need to reproduce it but if you tried to get specific configuration you have to do it repeatedly comes very easy to make an error even say becomes exponential the more things you add because you're like oh I forgot to add this tag I forgot to add this Security Group I forgot to add the CER block and stuff you you forget about things and the thing about most platform as a cloud services in the cloud is that uh I would I would say misconfigurations are even more important than a pent test having it's it's these these things that you forget about and you don't configure them

correctly and you don't know about it and that's where you really really leaves you to be vulnerable um which comes into infrastructures code this was a n Evolution allowed you to have repeatable builds automation efficiency you can put this into your pipeline deploy your VPC deploy your different resources your data bases your applications and just have everything be configured as code and no more going into AWS console clicking on random buttons and hoping that you clicked everything correctly um there were several iterations of structures code a common one from AWS is cloud information it's only on AWS it's a native AWS service if you have ads support they'll even help you with it it's usually yampo format um

it's also can be Jon I've only really seen yaml in my professional experience just because it's easier to debug and comment out and iterate um but a huge downside was it wasn't really modulized so you tend to not have dry coat you tend to repeat a lot of what you need to do if you need like five ec2 instances or five databases and they're not all within an autoscaling group really what you're doing is you're copying the code and writing like your Amal is five times as large as it was before um then there was terraform and then later open tofu they're very related uh open tofu was a fork of terraform um this helped some of the dry

components of code cuz you could actually do modules you could modulized the code it has its own DCF L hashy Corp um configuration language and this this was a step up but it was still because of the language constraints you were limited in what you could do like you you it was a huge upgrade but it was not perfect um something that when you're looking at Cloud controls if we're going off a compliance Benchmark something we might want to look at is the CIS Benchmark for AWS assuming you're in AWS this talk is mostly for AWS but there you can't apply this to other clouds and I'll cover that a little bit later but these are common

things in the CIS Benchmark in version three where you want all buckets to have access logging enabled you want S3 buckets to all require SSL and you want RDS instances to have encryption at rest these are just like some standard stuff best practices and it depending on your GRC policies you probably want these enabled for every resource every bucket should have access every bucket should have SSL or all databases should have encryption at rest but when you're when you're helping developers you you it's a lot like hurting cats you'll the larger organization people will be deploying resources and you like okay all S3 buckets must have SSL you spend a little bit of time and you're like oh somebody

launched an S3 bucket and it wasn't using our template oh no they launched another S3 bucket using the console and then all of a sudden you're you're managing you know you were 100% compliant today six hours later you're not compliant and this this is that startups which aren't very big at an Enterprise large organizations you it it becomes almost unwinable you need you need a solution where you can actually have a developers deploy secure constructs and take into account what they're doing and this brings us to a cloud um development kit or cdk it was created by AWS allows you to uh use a programming language like typescript python Java you can actually use Java script too my

preferred is typescript just because the static typing is very useful for this I think that you don't it's light weight enough that you can you can write code pretty quickly but it will come down to your comfort level and then there's also a terraform cdk this is where most of the aspects of regular AWS cdk are applicable here however terraform cdk in my experience it's not stable yet it's still in beta they say use it at your own risk I've used it I would not use it in production this may change in the future this when with terraform cdk you can probably do this to Azure gcp IBM Cloud any cloud provider but at the moment I

would say stick with AWS if you're using cdk um cdk has several command line um arguments or commandline um commands uh bootstrap is how you set up a project deploy destroy pretty self-explanatory bring up the stacks destroying the stacks synthesize is pretty interesting so cdk compiles to cloud formation so with synthesize you actually turn it into cloud formation templat so you can write all your code AS typescript have all this logic and have a ro really robust um validations and then you can turn into CL information if you want it um parts of a construct so there's a scope this determines what stack it's in if it's a nested stack where is um it's usually this and JavaScript typescript

self and python um by this is a unique identifier and then the props are really the arguments for constract so like if you look in cloud formation these are the the properties that you're setting for a different platform as a service uh when you're creating cdk constructs um actually just in cloud in general is how much access to give because developers and Engineers always want more access they want to be able to deploy as much as they can and as Security Professionals we want to limit what they can do because we don't want account to be compromis or or privileg escalation or some sort of attack on credentials um there's multiple ways you can do this but um in AWS one way to do

this is to give them more access give them the access that they want or give them more access than you normally do but then add service control policies or explicit denies so they have illusion of administrator access but they don't actually have administrator access so they say oh I have ec2 star they do but then we have an explicit deny elsewhere where they don't see actually denies all the stuff that we don't want them to do um it's it's a way to diplomatically give them access and at least make everyone happy initially and um also using a cnap platform is pretty important especially to look at imem roles there's a variety of platforms there's even a a vendor here which is a

cnap platform um I highly recommend using a cnap um but something that you need to look at when you're creating cdk constructs and this will make more sense in a code and I'll I'll I'll show some examples and I'll deploy but is how much documentation how much self-service so I've worked with multiple clients where they come up with these really abstract constract they're super secure but they're not well documented or they have to support them so but more you deviate and actually make them more secure more things that you change from default properties the more documentation and more support you're going to have to do like I've seen Enterprise clients where they have whole team

supporting you know their custom code where there's documentation and you could get AWS support or another type of Enterprise support if they just left them alone so knowing the needs of a business how big you are your budget and knowing when to do this and then I've also seen knowing how to throw exceptions so a lot of clients they say we don't want to block developers we don't want to give warnings when there's a misconfiguration like we want to make something like if a developer does not choose S3 black have SSL then we just want them to have a warning the problem with a warning is it doesn't give an error code so in their

pipeline in their GitHub actions they see a green check mark most people don't go into the logs and look for the little line which says warning they tend to just say this is good let's keep going and what happens is that you really didn't do anything you just had this very small message in the code and it just is obscure I would always error on the side of throwing errors in this case you want you want to break things when things aren't secure you want to basically Force developers to create secure code you can also if you want to you could overwrite things in the code and I'll show that briefly where you can actually go in and say hey developer did

not choose encryption let's always Force encryption the the downside of this is it comes back to maintainability you you know you you create these these values you're forcing SSL and then the developer said hey I spent like four hours why is this value always changing when I deploy um aspect oriented program is pretty useful so I'm not sure how many of you are software Engineers but um cdk is just all op Orient programing and you can use aspects to actually apply without modifying the existing code to add addition functionality or overwrite values and I'll demonstrate this briefly um there's also you can do full tests the unit test you would use whatever testing framework you use locally to

test like JavaScript you would use mocha chai Etc um there's a variety of testing uh Frameworks for each language however these are not comprehensive when testing locally you really need to deploy the code so you need to do some in integration tests usually by deploying the stack and then testing there too um I'll cover a couple of the different resources before I go to the code so just an example of ec2 ec2 for those of you not familiar is just a standard VM and AWS but you can have logic where you can actually change the SSH key you could say only allow these SSH Keys only allow SSH keys with these values or do not allow any ec2 instance to be

launched with SSH key this is different than what you can do with terraform or cloud formation you can use any you know you can use regx Expressions you can do M and Max you can you can basically put any type of code you want and you just have a lot more robust and granularity with a details you can add to the code you could go in then change cider blocks and say do not allow Port 22 with these cider blocks if you do throw an error in the code and not that this is impossible with terraform modules but it would be a lot harder it would be clunky definitely clunky um IEM what if you don't want

these privileg escalation on IM what what if you want to be able to have roles on ec2 not be able to have IM IM pass roll or create access key you could say any IM RO with this trust policy to ec2 Lambda Etc you say you could say throw an error if it contains any of these actions or if it contains a star in any of these actions you can be very explicit in the control um API Gateway is another common service so um API Gateway is aws's manage API Gateway but it's usually not very secure by default it's very hard to configure but you could actually enable a lot of configuration and I'll demonstrate the

code in in a second uh but you could say Force authentication only authenticate with IM or Cognito do not allow a Expos HTTP endpoint always put a web application firewall on it do not allow web wafts where or apis without wafts uh Force logging to be turned on Force cores to be turned on require SSL certificates you don't have to do all of these but if you're concerned about security you're concerned about misconfigurations you can mandate it you can actually say anytime somebody launches this do not let them launch it you you're limited in service control policies cuz it's just Json objects and you're limited what you do but if you give users a explicit denies in the code

uh you can control this and you can even do something similar in kubernetes with eks there's manifest files and I'll go over this in a second but you could uh you could do something similar to open policy agent in the code and you can really you can have uh granular control over the code so let me go to the code I have this cdk uh stack um I imported several cdk subjects um this is my vanilla S3 bucket this is my secure S3 bucket I have this inherent S3 bucket and then I have this aspect that I'm applying um so vanilla S3 is very simple this is all typescript it's just an S3 bucket you we can see this is the the

scope this is the stack it's just the basic stack this is viid and then props I did not give it any props if I go to bucket we can see the different props which can be assigned to it but I'm just giving it the default props if I go to secure S3 I've now built on top of it and I've added an s a kmsk key I'm saying whenever you create with secure S3 bucket always give it the KMS key we can even get more granular by controlling what's in the key adding a variety of logic to say only allow certain access on the key change the key policy but I'm also enforcing SSL um I'm blocking Public Access so now

whenever somebody deploys this secure S3 it's a lot harder it's a it's a lot more secure um on top of that we can actually do inheritance so we can actually use this object and we can inherit from the AWS based S3 and we can go into the props and then we can overwrite them we can put them in here and we could even say if this is undefined throw an error so if somebody tries to create an S3 bu it with block p Public Access and they don't Define a value we can explicitly say Do not continue stop this do not deploy the stack and this is a way where a developer could go in here and if they

didn't Supply this name or they didn't Supply some of these values it would just stop it would just it would just it would just stop um then we have aspects and aspects aspect Orient programing we can apply an aspect so here I'm looking to see if it's a S3 bucket and if a website is false and if it is let's say let's throw an error so this way if this value is website equals false we could say throw an error and let me just deploy and you can see I actually deployed this a little bit earlier but now we are explicitly throwing an error because it's not a website but if we want to go to warning

we can deploy and then all of a sudden we just get warnings and we can say if we want to continue I click yes and down here you can see I'm actually there's different levels to the cloud formation stack I can actually specify there's there's different levels of abstraction but if I go to CNF it's usually a cloud formation resource I can I can manually say if version is not enabled I can overwrite it and turn on enabled so these are just a couple of ways um this is a 20-minute talk so I couldn't talk through every construct so I could only really cover S3 in some detail but it's really about maintainability and choosing choosing like you just have so

much more control over making secure constructs by default and you can then hand your developers some of this code they just import it and say don't use regular S3 use this secure S3 use this S3 inherent S3 and then you you should have Security in default and you spend less time going in and trying to manually change a bunch of resources what were created earlier and then uh very briefly I'll cover Cloud security Matrix this is from cloud security Alliance Alli with a variety of Mis controls but if you're looking for a cloud security policy that's something you can look at too yeah well Sam is built on top of cloud formation and serverless is built on top

of cloud formation to they have some abstraction and they have a bunch of plugins so this this would do I mean I would I would think this is a replacement for terraform there is but of course was terraform cdk which is not ready yet don't use it quite yet use it when it's ready but has the same function you can get the same functionality um when you deploy cdk you get confirmation Stacks similar to serverless it manages State the same way as cloud formation I would say like there are reasons to use form there's a large ecosystem there's open tofu but it comes down well I found it has limitations like you get it like

real coding problem so like we've moved to a password bow and I want to get rid of any secret and Par so I got a poll from password Ball but it doesn't have I mean it it does looping weird it does you know lists and Maps weird like you got to do all this abstraction where you know you're writing everything in JavaScript or typescript or python you're just using the native absolutely like it's it's you there stuff like that where terraform sort of falls apart like you you're you're limited by the zsl you it gets really hacky maturity level I think like yeah you can actually write actual applications and you can actually package you know like your front end

code with the infrastructure all using the same language with same linters um it's just like you can add regular Expressions you can look through and doing that in terraform I I'm sure you can but it's not it's not it's not recommended and you you can package Lambda functions up in here I did not not include that example but you definitely can and you can even write the Lambda function with the dependencies in cdk and bundle it up so no with types typescript is definitely the language I would prefer it's uh strongly typed right and and if you try to do this in JavaScript or python you're going to run into some strange errors and you're not going to be able

to figure them out without the typing system so that's that would be my recommendation Java would probably be fine too I think Java is it's a lot of code for what you're trying to do here but it's definitely do what you're comfortable with yeah there in the AWS console under Cloud information there's some visualization for bacs so it this compiles to cloud formation so anything that you could use with cloud formation you can visualize it that way too so it's definitely possible there's probably some open source projects too but within AWS console they have a way where you can navigate you can see okay what resources were launched how are they connected I will say my company we

resell cnaps and we res sell multiple of them so I do not want to give a vendor preference but if come talk to me after a talk and I can discuss okay

[Music] w