EMPIRICAL CLOUD SECURITY

LICENSE, DISCLAIMER OF LIABILITY, AND LIMITED WARRANTY

By purchasing or using this book (the “Work”), you agree that this license grants permission to use the contents contained herein, but does not give you the right of ownership to any of the textual content in the book or ownership to any of the information or products contained in it. This license does not permit uploading of the Work onto the Internet or on a network (of any kind) without the written consent of the Publisher. Duplication or dissemination of any text, code, simulations, images, etc. contained herein is limited to and subject to licensing terms for the respective products, and permission must be obtained from the Publisher or the owner of the content, etc., in order to reproduce or network any portion of the textual material (in any media) that is contained in the Work.

MERCURY LEARNING AND INFORMATION (“MLI” or “the Publisher”) and anyone involved in the creation, writing, production, accompanying algorithms, code, or computer programs (“the software”), and any accompanying Web site or software of the Work, cannot and do not warrant the performance or results that might be obtained by using the contents of the Work. The author, developers, and the Publisher have used their best efforts to ensure the accuracy and functionality of the textual material and/or programs contained in this package; we, however, make no warranty of any kind, express or implied, regarding the performance of these contents or programs. The Work is sold “as is” without warranty (except for defective materials used in manufacturing the book or due to faulty workmanship).

The author, developers, and the publisher of any accompanying content, and anyone involved in the composition, production, and manufacturing of this work will not be liable for damages of any kind arising out of the use of (or the inability to use) the algorithms, source code, computer programs, or textual material contained in this publication. This includes, but is not limited to, loss of revenue or profit, or other incidental, physical, or consequential damages arising out of the use of this Work.

The sole remedy in the event of a claim of any kind is expressly limited to replacement of the book and only at the discretion of the Publisher.

The use of “implied warranty” and certain “exclusions” vary from state to state, and might not apply to the purchaser of this product.

EMPIRICAL CLOUD SECURITY
Practical Intelligence to Evaluate Risks and Attacks

ADITYA K. SOOD

MERCURY LEARNING AND INFORMATION
Dulles, Virginia
Boston, Massachusetts
New Delhi

Copyright ©2021 by MERCURY LEARNING AND INFORMATION LLC. All rights reserved.

This publication, portions of it, or any accompanying software may not be reproduced in any way, stored in a retrieval system of any type, or transmitted by any means, media, electronic display or mechanical display, including, but not limited to, photocopy, recording, Internet postings, or scanning, without prior permission in writing from the publisher.

Publisher: David Pallai
MERCURY LEARNING AND INFORMATION
22841 Quicksilver Drive
Dulles, VA 20166
[email protected]
www.merclearning.com
800-232-0223

Aditya K. Sood. Empirical Cloud Security: Practical Intelligence to Evaluate Risks and Attacks.
ISBN: 978-1-68392-685-6

The publisher recognizes and respects all marks used by companies, manufacturers, and developers as a means to distinguish their products. All brand names and product names mentioned in this book are trademarks or service marks of their respective companies. Any omission or misuse (of any kind) of service marks or trademarks, etc. is not an attempt to infringe on the property of others.

Library of Congress Control Number: 2021934304

21 22 23  3 2 1

This book is printed on acid-free paper in the United States of America.

Our titles are available for adoption, license, or bulk purchase by institutions, corporations, etc. For additional information, please contact the Customer Service Dept. at 800-232-0223 (toll free).

All of our titles are available in digital format at academiccourseware.com and other digital vendors. The sole obligation of MERCURY LEARNING AND INFORMATION to the purchaser is to replace the book, based on defective materials or faulty workmanship, but not based on the operation or functionality of the product.

I would like to dedicate this book to my family, my wonderful wife, Roshni K Sood, and my son, Divye K Sood, for providing continuous support to complete this book. I am also indebted to my parents, my brother, my sister, and my mentor.
CONTENTS

Preface xvii
Acknowledgments xxi
About the Author xxiii

Chapter 1 Cloud Architecture and Security Fundamentals 1
  Understanding Cloud Virtualization 2
  Cloud Computing Models 4
  Comparing Virtualization and Cloud Computing 5
  Containerization in the Cloud 6
  Components of Containerized Applications 7
  Serverless Computing in the Cloud 9
  Components of Serverless Applications 10
  The Characteristics of VMs, Containers, and Serverless Computing 11
  Embedding Security in the DevOps Model 11
  Understanding Cloud Security Pillars 13
  Cloud Security Testing and Assessment Methodologies 16
  References 22

Chapter 2 IAM for Authentication and Authorization: Security Assessment 23
  Understanding Identity and Access Management Policies 24
  IAM Policy Types and Elements 25
  IAM Policy Variables and Identifiers 27
  Managed and Inline Policy Characterization 30
  IAM Users, Groups, and Roles 31
  Trust Relationships and Cross-Account Access 33
  IAM Access Policy Examples 34
  IAM Access Permission Policy 34
  IAM Resource-based Policy 35
  Role Trust Policy 36
  Identity and Resource Policies: Security Misconfigurations 38
  Confused Deputy Problems 38
  Over-Permissive Role Trust Policy 41
  Guessable Identifiers in Role Trust Policy 43
  Privilege Escalation via an Unrestricted IAM Resource 45
  Insecure Policies for Serverless Functions 46
  Unrestricted Access to Serverless Functions 46
  Serverless Functions with Administrative Privileges 47
  Serverless Function Untrusted Cross-Account Access 48
  Unrestricted Access to the VPC Endpoints 49
  Insecure Configuration in Passing IAM Roles to Services 50
  Uploading Unencrypted Objects to Storage Buckets Without Ownership 52
  Misconfigured Origin Access Identity for CDN Distribution 56
  Authentication and Authorization Controls Review 58
  Multi Factor Authentication (MFA) 59
  User Credential Rotation 60
  Password Policy Configuration 60
  Administrative or Root Privileges 61
  SSH Access Keys for Cloud Instances 62
  Unused Accounts, Credentials, and Resources 64
  API Gateway Client-Side Certificates for Authenticity 65
  Key Management Service (KMS) Customer Master Keys 66
  Users Authentication from Approved IP Addresses and Locations 68
  Recommendations 69
  Automation Scripts for Security Testing 70
  MFA Check (mfa_check.sh) 71
  IAM Users Administrator Privileges Analysis (iam_users_admin_root_privileges.sh) 72
  IAM Users SSH Keys Analysis (iam_users_ssh_keys_check.sh) 73
  References 74

Chapter 3 Cloud Infrastructure: Network Security Assessment 75
  Network Security: Threats and Flaws 77
  Why Perform a Network Security Assessment? 78
  Understanding Security Groups and Network Access Control Lists 78
  Understanding VPC Peering 79
  Security Misconfigurations in SGs and NACLs 80
  Unrestricted Egress Traffic via SGs Outbound Rules 81
  Unrestricted Egress Traffic via NACLs Outbound Rules 82
  Insecure NACL Rule Ordering 83
  Over-Permissive Ingress Rules 85
  Cloud Network Infrastructure: Practical Security Issues 85
  Insecure Configuration of Virtual Private Clouds 85
  Public IP Assignment for Cloud Instances in Subnets 85
  Over-Permissive Routing Table Entries 86
  Lateral Movement via VPC Peering 88
  Insecure Bastion Hosts Implementation 89
  Outbound Connectivity to the Internet 90
  Missing Malware Protection and File Integrity Monitoring (FIM) 90
  Password-Based Authentication for the Bastion SSH Service 92
  Insecure Cloud VPN Configuration 93
  Insecure and Obsolete SSL/TLS Encryption Support for OpenVPN 94
  Unrestricted VPN Web Client and Administrator Interface 96
  Exposed Remote Management SSH Service on VPN Host 97
  IPSec and Internet Key Exchange (IKE) Assessment 97
  Reviewing Deployment Schemes for Load Balancers 99
  Application Load Balancer Listener Security 99
  Network Load Balancer Listener Security 100
  Insecure Implementation of Network Security Resiliency Services 101
  Universal WAF not Configured 101
  Non-Integration of WAF with a Cloud API Gateway 102
  Non-Integration of WAF with CDN 103
  Missing DDoS Protection with Critical Cloud Services 104
  Exposed Cloud Network Services: Case Studies 105
  AWS Credential Leakage via Directory Indexing 105
  OpenSSH Service Leaking OS Information 106
  OpenSSH Service Authentication Type Enumeration 107
  OpenSSH Service with Weak Encryption Ciphers 108
  RDP Services with Insecure TLS Configurations 109
  Portmapper Service Abuse for Reflective DDoS Attacks 111
  Information Disclosure via NTP Service 113
  Leaked REST API Interfaces via Unsecured Software 114
  Unauthorized Operations via Unsecured Cloud Data Flow Server 115
  Information Disclosure via Container Monitoring Software Interfaces 116
  Credential Leakage via Unrestricted Automation Server Interfaces 116
  Data Disclosure via Search Cluster Visualization Interfaces 118
  Insecure DNS Servers Prone to Multiple Attacks 119
  Recommendations 120
  References 122

Chapter 4 Database and Storage Services: Security Assessment 125
  Database Cloud Deployments 126
  Deploying Databases as Cloud Services 127
  Databases Running on Virtual Machines 127
  Containerized Databases 128
  Cloud Databases 128
  Cloud Databases: Practical Security Issues 130