Netflix Cloud Security Overview

by Will Bengtson, Netflix

1. Repoing IAM Permissions: Our strategy for AWS Least Privilege. Patrick Kelley, Travis McPeak
2. Agenda: Intro and context setting; Approaches; Aardvark & Repokid; Future work
3. Intro
4. Patrick Kelley: General Dynamics -> eBay -> Netflix; decent trampoline jumper; Security Monkey, CloudAux, Aardvark, Repokid
5. Travis McPeak: Symantec -> HP -> IBM -> Netflix; OpenStack Security, Cloud Foundry Security, OWASP Bay Area; Bandit, Recon, Aardvark, Repokid
6. Netflix. Large AWS deployment: 100K+ instances; thousands of applications; over 50 AWS accounts. Medium engineering: ~2000 in product; ~50 security engineers
7. Netflix. Culture drives our decisions, including this work: Freedom and Responsibility; Context, not Control
8. IAM Recap
9. Least Privilege: only grant the required access necessary to perform legitimate functions. Seems contrary to the Netflix Freedom and Responsibility value. The trick is to balance.
10. First Cut
11. Developers request the specific permissions they need to deploy and run their app. Sounds reasonable...
12. Developers don't know what they need: 86 services*; 2318 permissions*; hard to know based on name; what about dependencies?; hard to get right on the first, second, third pass... (*According to Policy Universe, updated 5/31)
13. Possible Approaches
14. Profile in test, then deploy to prod
15. Start with no permissions, add incrementally
16. Have developers add their own permissions with a self-service model
17. Our Approach
18. (Mostly) automated role lifecycle:
    - Apps are given permissions commonly used during deployment
      - If more are needed, we have a quick conversation
    - Profile the role continuously
    - Take away unused permissions
    - Delete the role when it's no longer used
19. Developer deploys a new app:
    - Developers use Spinnaker
    - Spinnaker -> Lambda with information about the app
    - Lambda creates a role and gives "base" permissions
      - Base permissions depend on type of app and account
20. Profile the role continuously:
    - Currently using Access Advisor
      - Will use CloudTrail soon
    - Find out which permissions an app is using
    - Watch denied/AA for services that aren't allowed
      - Either misconfiguration or attack
21. Repo unused permissions:
    - Take away permissions that haven't been used recently
      - Has the side benefit that unused apps lose priv
    - Store the old version of the policy so we can roll back if needed
    - Soon: automatically roll back if CloudTrail shows denied
22. Attack! Already demonstrated real-world benefits (internal testing; responsible disclosure program). Some stopped, some not (we can't repo permissions the app actually needs!)
23. Delete the role when no longer used: unused apps will already have been repoed to 0; the final step is to clean up roles that are no longer attached to applications
24. Aardvark
25. Aardvark (Netflix OSS): retrieve and cache Access Advisor data from the console; mostly feature complete, plan to switch to the Access Advisor API when available from AWS
26. Repokid
27. Repokid (Netflix OSS): scan roles, look for unused permissions, take them away, make it easy to roll back; chat-ops integration: what's being repoed, opt-out, rollback; long-term strategic for Netflix Security (CloudTrail integration; notifications and reports to app owner)
28. Considerations / Edge-cases
29-35. Need to consider:
    - New permissions shouldn't get repoed for a while
      - Need to make it easy for developers to get new permissions
    - What should we do to preserve infrequently used permissions?
      - Such as those used in disaster recovery
    - What if something breaks?
    - Untracked services (Lightsail)
    - Newly released services might not be in CT/AA yet
    - If policies use a wildcard, new permissions might be automatically added
      - rds:create* might grow more powerful over time
    - CloudTrail doesn't map 1:1 with permissions
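As an added example (not Aardvark or Repokid code), the repo step from slides 18-21 combined with the grace-period and wildcard considerations above: remove actions whose service shows no recent use in Access Advisor-style data, skip permissions that were added recently, leave a bare `*` for a human, and hand back the original policy untouched as the rollback copy. The data shapes (`last_accessed` keyed by service prefix, `granted_at` keyed by action) and the sample policy are constructed assumptions.

```python
import copy

REPO_AFTER_DAYS = 90       # a service unused longer than this gets repoed
NEW_PERMISSION_GRACE = 14  # permissions newer than this are never repoed yet

# Constructed sample input (not real Netflix data). Access Advisor reports
# per service, so last_accessed is keyed by service prefix; None = never used.
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject",
                                   "rds:create*", "sqs:ReceiveMessage"],
     "Resource": "*"},
    {"Effect": "Allow", "Action": "dynamodb:GetItem", "Resource": "*"},
]}
SAMPLE_LAST_ACCESSED = {"s3": 3, "sqs": 120, "dynamodb": None}  # days ago
SAMPLE_GRANTED_AT = {"dynamodb:GetItem": 2}  # days since added; others old


def service_of(action):
    """'s3:GetObject' -> 's3'; a bare '*' names no single service."""
    return action.split(":", 1)[0] if ":" in action else None


def is_repoable(action, last_accessed, granted_at):
    """Unused for longer than REPO_AFTER_DAYS and past its grace period."""
    age = granted_at.get(action)
    if age is not None and age <= NEW_PERMISSION_GRACE:
        return False                 # new permission: give the app time to use it
    svc = service_of(action)
    if svc is None:
        return False                 # '*' cannot be judged per service; leave to a human
    days = last_accessed.get(svc)    # missing key = service never used
    return days is None or days > REPO_AFTER_DAYS


def repo_policy(policy, last_accessed, granted_at):
    """Return (repoed_policy, removed_actions); `policy` is left unchanged so
    the caller can store it as the rollback copy. A wildcard like 'rds:create*'
    is judged by its service prefix like any other action."""
    new_policy = copy.deepcopy(policy)
    removed = []
    for stmt in new_policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        acts = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        gone = [a for a in acts if is_repoable(a, last_accessed, granted_at)]
        stmt["Action"] = [a for a in acts if a not in gone]
        removed += gone
    # Drop Allow statements left with no actions so the policy stays valid.
    new_policy["Statement"] = [s for s in new_policy["Statement"] if s.get("Action") != []]
    return new_policy, removed
```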
36. Future Work
37. Use repo data to tighten base IAM: frequently repoed services should not be included in base IAM in the first place. We can tolerate a small percentage of developers requesting additional access.
38. Introspection: examine applications as they are being deployed and give them permissions based on what they need. Example: can see that a specific Dynamo table is used; the application reads from a specific queue.
39. Thank you.