Automating Cybersecurity Metrics (ACM)

A series of blog posts on cybersecurity metrics and security automation

GitHub Repo (In Progress):

SecurityMetricsAutomation/README.md at main · tradichel/SecurityMetricsAutomation

I’m adding a preliminary post to this series to explain what it’s all about and where you may want to start. I decided to start over with a new account and rebuild everything out for reasons I explained along the way. All the initial posts are relevant and will be used in the new architecture. To decide where you want to start check out this post:

Baking Security In From the Ground Up on AWS

Walk through the thought process of creating secure Batch Jobs to capture and report on cybersecurity metrics in this blog series. Please note that this series contains information related to governance and secure deployments — not just the batch jobs themselves. I’m basically coding every day and writing about it as I go to complete a project I’m working on to help customers with security metrics.

Cybersecurity Book Review: How to Measure Anything in Cybersecurity Risk

Should We Apply Statistics to Cybersecurity Risk Decisions?

A Value-Based Approach to Cybersecurity Metrics

How Batch Jobs Can Help Cybersecurity

Creating an AWS Batch Job That Requires MFA

Components of an AWS Batch Job

Threat Modeling for Containers

A C2 Channel on WordPress to Access AWS IAM Role Credentials

Cloud Architecture and KMS Keys

Welcome to AWS Identity Center

The Yubikey CLI and AWS MFA

Automate AWS Account Creation

Architecting Automated Operations That Require MFA on AWS

Security Architecture is Not A Checklist

Create an IAM User with CloudFormation

Create an IAM role for a Batch Job

Adding Conditions to AWS IAM Policies

Generic AWS KMS Key Deployments

Defining Requirements for KMS Encryption Key Policies

A Role for Automated Credential Deployments

Create a Batch Job Trigger Role

Limiting Access to KMS Keys via Secrets Manager

A KMS Key Administrator Role and IAM Policy

Resource, IAM, and Trust Policies on AWS

Why You Should Consider Separate IAM Administrators

Test Automation for Deployments

Deploy A KMS Key and Key Policy with CloudFormation

Using an AWS CLI Profile with MFA

Unique AWS Policy Templates for a Common Role Template

Modifying A Role CloudFormation Template to Pass in an ARN to Assume the Role

Confused Deputy Attack in IAM, Resource, and AssumeRole Policies

Conditions and Mappings in CloudFormation Templates

Specifying the Roles an IAM Identity Can Assume

Protecting KMS keys, S3 buckets and other resources from unintended exposure

Creating Automation Credentials Without Exposing Them To Users

Creating Zero Trust AWS Policies

Querying CloudTrail with CloudTrailLake

Adding a KMS Key Alias With CloudFormation

AWS Lambda and Batch jobs for Steps in a Process

AWS Resources Organization and Naming Conventions

Cloud Network Architecture and Naming Conventions

Refactoring Existing Code to Use IAM Naming Conventions: Part 1

Refactoring Existing Code to Use IAM Naming Conventions: Part 2

Refactoring Existing Code to Use IAM Naming Conventions: Part 3

Assigning a Group to a Trust Policy in an AWS IAM Role

Creating Shared Repositories and Code in an Organization

Limiting which CloudFormation Stacks an AWS principal can update

Keeping Credentials Out of GitHub

Cloud Security Architecture — Batch Jobs

Lambda Networking

Cryptographically Secure Random

Automating a Lambda Function Deployment

Which Programming Language Should You Use?

Sending an SMS Message from a Lambda Function

Using Python and Boto3 in AWS

Parameters in Lambda Functions that lead to XSS and Injection

Validating Input Parameters in A Lambda Function

Using AWS Systems Manager Parameter Store with AWS Lambda

Adding a KMS Key Id to AWS SSM Parameter Store

Automate Creation of a VPC

Public and Private VPCs and Subnets (Route Tables)

Remove extraneous VPC route tables

VPC Flow Logs Governance

Automated Creation and CIDR Allocation for Subnets on AWS

Why You Need a VPC

Automated Creation of NACLS on AWS

Automated Creation of Security Groups on AWS

AWS Credentials in Boto3 and CLI Debug Output

Troubleshooting CloudFormation

Network Services on AWS

Default VPC Security Group Names and Set Rules

Network Design: Developer Network

Network Design: Serverless Applications

DNS and NTP on AWS

AWS PrivateLink and VPC Endpoints

Developer Virtual Machines as Bastion Hosts

Mechanisms of Authenticating to a Linux VM (EC2 Instance) on AWS

Automated Creation of an SSH Key for an AWS User

When What You Deleted is Not Really Deleted

AWS Nitro Enclaves and TPMs

Creating and Storing an EC2 SSH Key in Secrets Manager

User-Specific Secrets on AWS: IAM Policies

User-Specific Secrets on AWS: Separation of Duties

User-Specific Secrets on AWS: KMS and MFA with Developer Credentials

Creating an AppSec Group to Administer Secrets Manager Secrets

AppSec Role for Secrets Management

Ensuring Your CloudFormation Scripts Deploy Properly in Production

Automated Deployment of an EC2 Instance with the Latest AWS Linux AMI

Deploy an EC2 Instance with a KMS Encryption Key

Updating Test Scripts With Dependencies in Mind

Autogenerated Passwords in CloudFormation for AWS Console Access

Automatically Deleting a Failed CloudFormation Stack in a Rollback State

User-Specific Secrets: Console Access

AWS Changing ARNs in Trust Policies — Big Problems

Deleting CloudFormation Stacks

Deleting CloudFormation resources with IAM and Resource Policy Dependencies

Allowing Users to Start Encrypted EC2 Instances in the AWS Console

Connecting to an EC2 instance via SSH (and when you can’t)

WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!

Deploying an AWS Elastic IP Address

Local Firewall Rules to Connect to an AWS EIP via SSH

Limiting Access to an AWS EIP in GitHub

Prefix Lists in Network Rules to Access AWS Services Without CIDRs

How an EIPAssociation in CloudFormation can Help Prevent Dependency Issues

Creating an AWS Security Group rule to Access GitHub with a Customer-Managed Prefix List

VPC Endpoint for CloudFormation

Creating a Role for an EC2 Instance with CloudFormation

Validating VPC Endpoint Connections Occur Via the Private Network

Add a Policy to an AWS VPC Endpoint

How to Fix CloudFormation

How CloudFormation Helps Security

Stop Writing Paper Policies

Why You Should Not Swallow Errors

User-Specific Security Group for Remote Access

User-Specific EC2 Instance

Bypassing the User-Specific Restrictions We Created for Cloud VMs

Automatically Stop VMs on AWS

Customer-Managed KMS Keys vs. AWS Managed Encryption

AWS Secrets Manager vs. SSM Parameter Store

Multiple MFA Devices for AWS IAM

Authentication Flow for Batch Jobs

Biggest Data Breaches of 2022

Oktapus

Domain Name Registration Security

Governance for DNS on AWS

AWS SSO (IAM Identity Center) for Separation of Duties

AWS CLI for an SSO User

Can I Restrict an AWS SSO user to Console Only?

Transferring Files in S3 Between AWS Accounts

IAM Administrator Permissions for An AWS Organization

To NotResource or To Not NotResource In an AWS IAM Policy

AWS IAM Permission Boundaries

Privilege Escalation Via a Cloud Compute Resource

Backdoors and Privilege Escalation Via Cloud Account Users

Abstraction in Cybersecurity

DRY — Don’t Repeat Yourself

AWS Service Control Policies

Would You Accept an Inconvenience To Prevent a Data Breach?

Letting Governance Teams Govern

Creating an AWS Governance Account

Delegated Administrator for AWS Organizations

Analyzing CloudTrail Requests Related to SCPs

Delegating SCP Management to Governance Team via AWS Organizations

re:Boot ~ Creating an AWS Account

Mitigating CreateUser Privilege Escalation and Back Doors

What are AWS’s Security Responsibilities, Anyway?

AWS CLI Session Compromise

Multi-Session Compromise

Security Product Assessments

What is an identity provider (IdP)?

Okta for Directory, IdP, and SSO

SCIM (System for Cross-domain Identity Management)

AWS SCIM and AWS IAM Identity Center

Automated AWS Organization Creation

Risk Associated with the Root User for a New AWS Organizations Account

Risk Associated With Default AWS Service-Linked Roles

Risk Associated With The Role Created In New AWS Organizations Accounts

A Safer AWS Organizations Management Role

Organizational Root User for Initial Setup on AWS

Cross-Account Access to an Account in an AWS Organization

AWS IAM Architecture for New AWS Accounts

Federating AWS Authentication to Okta with SAML

Assessing Okta’s Protection of Customer’s AWS Credentials and User Directory

Cloud (CSPM) and SaaS Security Posture Management (SSPM)

Okta Networking

Okta IAM

Okta MFA

Okta Logging, Monitoring, and Alerts

AWS SAML Federation to Okta Architecture

Close an AWS Account in an Organization

AWS Service Control Policy Architecture

Root OU Service Control Policies

Creating an Organizational Unit (OU) and Service Control Policies (SCPs) with CloudFormation

Okta SAML Integration with AWS IAM Step 1: Obtaining the Metadata

Okta SAML Integration with AWS IAM Step 2: AWS IAM Identity Provider

Okta SAML Integration with AWS IAM Step 3: Creating SAML Roles

Okta SAML Integration with AWS IAM Step 4: Granting Okta Users Access to AWS Roles

Security Risks Associated with Support Teams

Risks Using a Third Party Identity Provider with Azure

Create an AWS Account with CloudFormation

Proposal: Revisions for CIS Controls #1 and #2

ACM.x Credentials for EC2

ACM.x Protecting CloudFormation stacks

ACM.x Account deletion policies

ACM.x MFA for Okta

ACM.x Organizational Services

ACM.x Finalizing our governance infrastructure (roles, organizational resource policy, additional SCPs, permission boundaries)

ACM.x NS records used in separate AWS account

ACM.x TLS in AWS

ACM.x Automate S3 bucket

ACM.x Automate S3 bucket for static website

ACM.x Form submission from static website to Lambda

ACM.x Authentication on web site using Okta (maybe)

ACM.x Yubikey (maybe)

ACM.x VPC Endpoints for Lambda functions

ACM.x Role Assumption in a Container

ACM.x Secure Messaging

ACM.x Separating Authentication from Applications

ACM.x Data Security for Batch Jobs

ACM.x Batch job POC

ACM.x Assuming a Role in a Batch Job (With MFA hopefully)

To be continued…

Teri Radichel | © 2nd Sight Lab 2023

Like this story? Show your support so I can write more!
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Clap for this story or refer others to follow me.
Follow on Medium: Teri Radichel
Sign up for Email List: Teri Radichel
Follow on Twitter: @teriradichel
Follow on Mastodon: @teriradichel@infosec.exchange
Follow on Post: @teriradichel
Follow or Like on Facebook: 2nd Sight Lab
Follow or like on YouTube: @2ndsightlab
Buy a Book: Teri Radichel on Amazon
Buy me a coffee: Teri Radichel
Request a penetration test, security assessment, or training
 via LinkedIn: Teri Radichel 
Schedule a consulting call with me through IANS Research

About Teri Radichel:
~~~~~~~~~~~~~~~~~~~~
Slideshare: Presentations by Teri Radichel 
Speakerdeck: Presentations by Teri Radichel
Recognition: SANS Difference Makers Award, AWS Hero, IANS Faculty
Certifications: SANS
Education: BA Business, Master of Sofware Engineering, Master of Infosec
How I got into security: Woman in tech
Company ~ Cloud Penetration Tests, Assessments, Training ~ 2nd Sight Lab

Cybersecurity for Executives in the Age of Cloud on Amazon