Overview
Explore the security challenges and vulnerabilities associated with migrating applications to Amazon Web Services (AWS) in this conference talk from AppSecUSA 2014. Delve into concrete examples and new techniques that reveal "full stack" vulnerabilities in AWS environments, from simple mistakes like exposing credentials to unexpected issues such as XXE injection and data leakage. Learn about a free assessment tool designed to map interactions between infrastructure and code, helping organizations navigate the complexities of AWS security. Gain insights into AWS as an operating system, its attack surface, and common pitfalls in cloud migration. Discover strategies for controlling API access, managing metadata, and leveraging advanced capabilities to enhance security in AWS deployments.
Syllabus
Intro
Welcome
Agenda
Cloud is an Operating System
Infrastructure is my code
Typical AWS application
AppSec perspective
The challenge
What does AWS offer
Problems with AWS
AWS as an operating system
AWS attack surface
Merchant insecurity
Strict change control
API
Vulnerabilities
Metadata
AWS Metadata
Examples
Controlling API Access
Private IP Addresses
Lack of Access Control
Tags
IP Address
Lack of Awareness
Cloud Atlas
Cloud Out
CloudTrail Data
Advanced Capabilities
Other Tools
Questions
Taught by
OWASP Foundation