Reducing Cloud Attack Surface in AWS via Service Control Policies in a Multi-Account Environment

AWS provides over 250 services and over 25 regions allowing for a wide range of possible configurations and misconfigurations. Ensuring that all services and regions are being used safely is even more difficult to control and monitor in a multi-account environment. Service control policies are a feature in AWS Organizations that provides a guarantee on what permissions are allowed in member accounts. In this talk, we discuss our experiences with using service control policies to implement a security baseline at Stripe and our lessons learned. The main focus will be how our Cloud Security team was able to reduce the set of allowed AWS services by over 70%, in particular our analysis of data sources such as AWS CloudTrail, billing data, and AWS Config for determining service usage and the testing and deployment process across all our AWS accounts.

About the Speaker
Ava Wang is a Senior Security Engineer on the Cloud Security team at Stripe, where she works on building centralized security controls and detections for the company's cloud environment. She also worked in AWS as a software engineer and was part of the teams that launched Amazon Braket, a quantum computing service, and AWS Security Hub, a cloud security posture management service.

View upcoming Summits: http://www.sans.org/u/DuS
Download the presentation slides (SANS account required) at https://www.sans.org/u/1iaE

SANS Cloud Security focuses the deep resources of SANS on the growing threats to The Cloud by providing training, GIAC certification, research, and community initiatives to help security professionals build, deploy and manage secure cloud infrastructure, platforms, and applications.

SANS Cloud Security Curriculum: www.sans.org/cloud-security
Follow us on social:
SANS Cloud Security on Twitter: @SANSCloudSec
SANS Cloud Security on LinkedIn: https://www.linkedin.com/showcase/sanscloudsec/
SANS Cloud Security on YouTube: https://www.youtube.com/SANSCloudSecurity
Be the first to comment