Cloud Automation and Other Cloud Threats

  • Scripting

    • Bash, Python, PowerShell, Ruby, etc.

    • If it's worth doing once, it's worth automating

    • Scripts: Collection of commands that can be run without human intervention

    • Static and error-prone

  • Orchestration

    • Next level after scripts

    • Automation and creation of the sequence of tasks to be executed

    • Automation of automation

    • Features

      • Implicit validation

      • Resource dependency evaluation

      • State knowledge

      • Idempotency – Apply the same workflow multiple times over the same set of resources.

    • Examples

      • Terraform

      • Ansible

      • Chef

      • Puppet

      • Docker, Kubernetes

  • FaaS / Serverless Computing

    • Based on microservices

    • No concerns about the infrastructure, just provide the code to be run

    • Code runs in a short-lived container that is instantiated on demand and destroyed immediately after execution completes

    • Only pay for how long your code runs

    • Code security is your responsibility

  • Common Cloud Security Issues

    • Cloud APIs

      • HTTPS

      • API input validation

      • Rate limiting, anti-DDoS

      • Unintended data exposure

    • Improper key management

      • API keys (cloud APIs included) required for authentication of every request

      • Avoid hardcoding API keys in code

      • Least privilege

      • Unused keys

      • Key rotation

      • Key storage

      • Workstation security posture

    • Unprotected storage

      • Access control policies to storage

      • Permissions on cloud storage can be complex

      • Careful with write permissions on read only content

      • Careful with read permissions on sensitive content

    • Logging and monitoring

      • Generally, less visibility in the cloud

      • But better integrated cloud native tools
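The "Improper key management" items above (unused keys, key rotation, least privilege, no hardcoded keys) as a small audit, added here as an example and not part of the original notes; the inventory format, the 90-day rotation and 30-day unused thresholds, and the hardcoded-key pattern are all assumptions.

```python
"""Audit a cloud API-key inventory and source lines for key-hygiene issues."""
import re
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

@dataclass
class ApiKey:
    name: str
    created: date
    last_used: Optional[date]   # None means the key has never been used
    scopes: List[str]           # assumed "service:action" strings, "*" = all

def audit_keys(keys, today, max_age_days=90, unused_days=30) -> List[Tuple[str, str]]:
    """Return (key name, finding) pairs; a key may produce several findings."""
    findings = []
    for k in keys:
        # Rotation: key older than the assumed maximum lifetime
        if (today - k.created).days > max_age_days:
            findings.append((k.name, f"rotate: older than {max_age_days} days"))
        # Unused: never used, or idle longer than the assumed threshold
        if k.last_used is None or (today - k.last_used).days > unused_days:
            findings.append((k.name, "unused: revoke or document why it exists"))
        # Least privilege: any wildcard scope grants more than the caller needs
        if any(s == "*" or s.endswith(":*") for s in k.scopes):
            findings.append((k.name, "least privilege: wildcard scope"))
    return findings

# Assumed pattern: a key-like variable name assigned a long string literal.
# Reading the value from the environment (no literal) does not match.
HARDCODED = re.compile(r'(?i)\b(api[_-]?key|secret|token)\b\s*[=:]\s*["\'][^"\']{16,}["\']')

def find_hardcoded(source_lines) -> List[int]:
    """Return 1-based line numbers that look like an embedded API key."""
    return [i for i, line in enumerate(source_lines, 1) if HARDCODED.search(line)]

if __name__ == "__main__":
    today = date(2024, 6, 1)
    inventory = [  # constructed sample inventory
        ApiKey("ci-deploy", date(2024, 5, 1), date(2024, 5, 31), ["storage:write"]),
        ApiKey("legacy-export", date(2023, 9, 1), None, ["*"]),
    ]
    for name, issue in audit_keys(inventory, today):
        print(f"{name}: {issue}")
    sample = [  # constructed source lines; the key value is a placeholder
        'API_KEY = "CONSTRUCTED_PLACEHOLDER_KEY_0000"',
        'api_key = os.environ["API_KEY"]',
    ]
    print("hardcoded key on lines:", find_hardcoded(sample))
```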
