Reducing Cloud Attack Surface in AWS via Service Control Policies in a Multi-Account Environment

AWS provides over 250 services in over 25 regions, allowing for a wide range of possible configurations and misconfigurations. Ensuring that every service and region is used safely is even harder to control and monitor in a multi-account environment. Service control policies (SCPs) are a feature of AWS Organizations that set an upper bound on the permissions available in member accounts. In this talk, we discuss our experience using SCPs to implement a security baseline at Stripe and the lessons we learned. The main focus is how our Cloud Security team reduced the set of allowed AWS services by over 70%: in particular, our analysis of data sources such as AWS CloudTrail, billing data, and AWS Config to determine service usage, and the testing and deployment process across all our AWS accounts.
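As an added illustration of the usage analysis and allowlist SCP described above (example code written for this page, not Stripe's tooling or SANS material): it derives the set of services in use from constructed CloudTrail records and emits a Deny/NotAction SCP that permits only those services. The eventSource-to-IAM-prefix override table and the always-allow set are assumptions to adapt to your own data.

```python
import json
from collections import Counter
# Constructed sample CloudTrail records (not real data). eventSource names the
# service endpoint; that is what the usage analysis keys on.
SAMPLE_EVENTS = [
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject"},
    {"eventSource": "s3.amazonaws.com", "eventName": "PutObject"},
    {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances"},
    {"eventSource": "sts.amazonaws.com", "eventName": "AssumeRole"},
    {"eventSource": "monitoring.amazonaws.com", "eventName": "PutMetricData"},
]
# eventSource hosts whose IAM service prefix differs from the host label
# (known examples only; extend as your own CloudTrail data reveals more).
PREFIX_OVERRIDES = {"monitoring": "cloudwatch", "tagging": "tag"}
# Assumption: services every account needs even if unused in the sampled window.
ALWAYS_ALLOW = {"sts", "iam", "kms", "cloudtrail", "organizations"}
SCP_MAX_BYTES = 5120  # AWS Organizations limit on an SCP document

def service_prefix(event_source):
    """Map 's3.amazonaws.com' -> 's3', applying the known override table."""
    host = event_source.split(".")[0]
    return PREFIX_OVERRIDES.get(host, host)

def service_usage(events):
    """Count API calls per IAM service prefix; this is the allowlist's evidence."""
    return dict(Counter(service_prefix(e["eventSource"]) for e in events))

def build_allowlist_scp(events, always_allow=ALWAYS_ALLOW):
    """Deny every service except those observed in use. Deny + NotAction is the
    allowlist pattern: SCPs never grant, they only cap what member-account IAM
    policies may grant, so the default FullAWSAccess SCP stays attached."""
    used = set(service_usage(events)) | set(always_allow)
    policy = {"Version": "2012-10-17", "Statement": [{
        "Sid": "DenyServicesNotInAllowlist",
        "Effect": "Deny",
        "NotAction": sorted(f"{svc}:*" for svc in used),
        "Resource": "*"}]}
    if len(json.dumps(policy)) > SCP_MAX_BYTES:
        raise ValueError("SCP exceeds the 5120-byte limit; split across statements/OUs")
    return policy

def is_blocked(scp, action):
    """True if e.g. 'lambda:CreateFunction' is denied by the generated SCP (pre-deploy test)."""
    prefix = action.split(":")[0]
    stmt = scp["Statement"][0]
    return stmt["Effect"] == "Deny" and f"{prefix}:*" not in stmt["NotAction"]

if __name__ == "__main__":
    print(json.dumps(build_allowlist_scp(SAMPLE_EVENTS), indent=2))
```

Run it against a real window of CloudTrail events (and cross-check against billing and AWS Config data, as the talk describes) before attaching the result to a test OU.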

About the Speaker
Ava Wang is a Senior Security Engineer on the Cloud Security team at Stripe, where she works on building centralized security controls and detections for the company's cloud environment. She also worked at AWS as a software engineer and was part of the teams that launched Amazon Braket, a quantum computing service, and AWS Security Hub, a cloud security posture management service.

View upcoming Summits: sans.org/u/DuS
Download the presentation slides (SANS account required) at sans.org/u/1iaE

SANS Cloud Security focuses the deep resources of SANS on the growing threats to the cloud by providing training, GIAC certification, research, and community initiatives to help security professionals build, deploy, and manage secure cloud infrastructure, platforms, and applications.

SANS Cloud Security Curriculum: sans.org/cloud-security
Follow us on social:
SANS Cloud Security on Twitter: @SANSCloudSec
SANS Cloud Security on LinkedIn: linkedin.com/showcase/sanscloudsec/
SANS Cloud Security on YouTube: youtube.com/SANSCloudSecurity
