Cloud Automation and Other Cloud Threats

Scripting

• Basy, python, powershell, ruby, etc

• If its worth doing once, its worth automating

• Scripts: Collection of commands that can be run without human intervention

• Static and error-prone

Orchestration

• Next level after scripts

• Automation and creation of the sequence of tasks to be executed

• Automation of automation

• Features

  • Implicit validation

  • Resource dependency evaluation

  • State knowledge

  • Idempotency – Apply the same workflow multiple times over the same set of resources.

• Examples

  • Terraform

  • Ansible

  • Chef

  • Puppet

  • Docker, Kubernetes

FaaS / Serverless Computing

• Based on microservices

• No concerns about the infrastructure, just provide the code to be run

• Code runs in instantiated short-lived container which is immediately destroyed upon completion of execution

• Only pay for how long your code runs

• Code security is your responsibility

Common Cloud Security Issues

• Cloud APIs

  • HTTPS

  • API input validation

  • Rate limiting, anti-DDoS

  • Unintended data exposure

• Improper key management

  • API keys (cloud APIs included) required for authentication of every request

  • Avoid hardcoding API keys in code

  • Least privilege

  • Unused keys

  • Key rotation

  • Key storage

  • Workstation security posture

• Unprotected storage

  • Access control policies to storage

  • Permissions on cloud storage can be complex

  • Careful with write permissions on read only content

  • Careful with read permissions on sensitive content

• Logging and monitoring

  • Generally, less visibility in the cloud

  • But better integrated cloud native tools