Title: AWS re:Inforce 2024 - Establishing a data perimeter on AWS, featuring Capital One (IAM305)
Insights:
- Introduction and Context: The session focuses on establishing a data perimeter in AWS to mitigate risks associated with data exposure due to configuration mistakes by developers. Capital One shares their practical implementation and experiences.
- Concept of Data Perimeter: A data perimeter in AWS involves coarse-grained controls to ensure only trusted identities access trusted resources from expected networks. This helps in identifying and mitigating risks like data exfiltration, infiltration, and misuse of credentials.
- Evolution of Perimeter Security: Traditional perimeters relied on physical network appliances. With cloud adoption, the perimeter now includes cloud applications and resources, necessitating new security models.
- AWS Tools for Data Perimeter: AWS provides tools like VPC endpoint policies, service control policies (SCPs), and condition keys (e.g., source IP, source VPC) to enforce data perimeter controls.
- Implementation Challenges: Implementing data perimeter controls involves understanding trusted identities, resources, and networks. It requires designing and testing policies to avoid unintended access patterns and ensuring compliance.
- Capital One's Journey: Capital One transitioned from a few AWS accounts to thousands, necessitating scalable governance processes. They faced challenges in maintaining security while enabling developer agility.
- Service Control Policies (SCPs): Capital One used SCPs to restrict credentials vended to compute (e.g., EC2 instance roles and Lambda execution roles) so they can only be used from within their network. They faced challenges with service-specific nuances and with maintaining the list of trusted VPCs referenced by the policies.
- Scaling Issues: Managing SCPs across thousands of accounts and services is complex. Capital One automated processes to handle VPC changes and faced limits on the number of SCPs.
- Future Strategy: Capital One aims to standardize data perimeter controls across all services, reducing the need for per-service assessments. They created a new organizational unit (OU) to test and implement these controls.
- Troubleshooting and Bypass Tags: They used bypass tags within SCPs to isolate and troubleshoot access issues, allowing for more efficient problem resolution.
- Developer Experience: The goal is to provide a secure yet flexible environment for developers to innovate without compromising security. This involves continuous monitoring and adjusting controls as needed.
- Lessons Learned: Key takeaways include the importance of understanding access patterns, anticipating SCP limits, and collaborating with AWS to address gaps and improve features.
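The network-perimeter SCP pattern and the troubleshooting bypass tag the insights above describe can be modelled in a few lines. The following is an added example, not Capital One's policy or code from the session: it builds a deny-style SCP using real AWS global condition keys (`aws:SourceVpc`, `aws:ViaAWSService`, `aws:PrincipalArn`, `aws:PrincipalTag/...`) and a small evaluator for the `...IfExists` condition operators, then runs a set of constructed request contexts through it. The VPC IDs, the `data-perimeter-bypass` tag name, the `break-glass` role and the account number are placeholders I made up for the example.

```python
"""Added example: a minimal network-perimeter SCP plus a troubleshooting
bypass tag, evaluated against constructed request contexts.
Condition key names are real AWS global condition keys; VPC IDs, tag name,
role names and account id are constructed placeholders."""
import fnmatch

TRUSTED_VPCS = ["vpc-0a1b2c3d4e5f60001", "vpc-0a1b2c3d4e5f60002"]  # constructed

# Hypothetical principal tag used to take one role out of the perimeter
# while an access problem is being isolated.
BYPASS_TAG_KEY = "aws:PrincipalTag/data-perimeter-bypass"

NETWORK_PERIMETER_SCP = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyUseOfCredentialsOutsideTrustedNetworks",
        "Effect": "Deny",
        "Action": "*",
        "Resource": "*",
        # All operator blocks are ANDed: the deny applies only when every
        # one of them matches the request context.
        "Condition": {
            # Not arriving through one of our VPCs, and not tagged for bypass.
            "StringNotEqualsIfExists": {
                "aws:SourceVpc": TRUSTED_VPCS,
                BYPASS_TAG_KEY: "true",
            },
            # Calls an AWS service makes on the principal's behalf stay allowed.
            "BoolIfExists": {"aws:ViaAWSService": "false"},
            # Break-glass role (constructed name) is exempt.
            "ArnNotLikeIfExists": {"aws:PrincipalArn": "arn:aws:iam::*:role/break-glass"},
        },
    }],
}


def _condition_matches(operator, key, expected, ctx):
    """Evaluate one (operator, key, expected) triple against a request context."""
    if_exists = operator.endswith("IfExists")
    base = operator[: -len("IfExists")] if if_exists else operator
    expected = [str(e) for e in (expected if isinstance(expected, list) else [expected])]
    if key not in ctx:
        # ...IfExists: an absent key counts as a match. Without IfExists, AWS
        # treats an absent key as matching only for negated operators.
        return if_exists or base.startswith(("StringNot", "ArnNot"))
    actual = str(ctx[key])
    if base == "StringEquals":
        return actual in expected
    if base == "StringNotEquals":
        return actual not in expected
    if base == "Bool":
        return actual.lower() == expected[0].lower()
    if base == "ArnLike":
        return any(fnmatch.fnmatchcase(actual, p) for p in expected)
    if base == "ArnNotLike":
        return not any(fnmatch.fnmatchcase(actual, p) for p in expected)
    raise ValueError(f"unsupported operator {operator}")


def scp_denies(policy, ctx):
    """True if any Deny statement in the SCP applies to the request context."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        if all(_condition_matches(op, key, exp, ctx)
               for op, block in stmt.get("Condition", {}).items()
               for key, exp in block.items()):
            return True
    return False


# Constructed request contexts, as the policy engine would see them.
APP_ROLE = "arn:aws:iam::111122223333:role/app-role"
SCENARIOS = {
    "ec2_role_via_trusted_vpc_endpoint": {
        "aws:PrincipalArn": APP_ROLE, "aws:SourceVpc": TRUSTED_VPCS[0], "aws:ViaAWSService": "false"},
    "same_credentials_replayed_from_internet": {  # no aws:SourceVpc: public endpoint
        "aws:PrincipalArn": APP_ROLE, "aws:ViaAWSService": "false"},
    "credentials_used_from_unknown_vpc": {
        "aws:PrincipalArn": APP_ROLE, "aws:SourceVpc": "vpc-0ffffffffffffffff", "aws:ViaAWSService": "false"},
    "aws_service_acting_on_behalf": {
        "aws:PrincipalArn": APP_ROLE, "aws:ViaAWSService": "true"},
    "bypass_tag_while_troubleshooting": {
        "aws:PrincipalArn": APP_ROLE, BYPASS_TAG_KEY: "true", "aws:ViaAWSService": "false"},
    "break_glass_role": {
        "aws:PrincipalArn": "arn:aws:iam::111122223333:role/break-glass", "aws:ViaAWSService": "false"},
}


def evaluate_all():
    """Map each scenario name to whether the perimeter SCP denies it."""
    return {name: scp_denies(NETWORK_PERIMETER_SCP, ctx) for name, ctx in SCENARIOS.items()}


if __name__ == "__main__":
    for name, denied in evaluate_all().items():
        print(f"{name:42s} {'DENIED' if denied else 'allowed'}")
```

The two scenarios a defender cares about are the second and third: the same role credentials that work from inside a trusted VPC are refused when replayed from the public internet or from a VPC not on the list, which is the exfiltration-by-stolen-token case the perimeter is meant to close. The bypass tag and break-glass exemptions show why Capital One's note about bypass tags matters: they let you isolate whether the perimeter is the cause of an access failure without editing the SCP itself, and they are also the conditions you should monitor most closely.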
Quotes:
- "Have you ever worried that your developers will make a configuration mistake and publish company data out in the, yeah. Well, I worry about that too."
- "Data perimeters is a set of coarse-grained controls that allows you to assert that only trusted identities can access trusted resources from expected networks."
- "Customers have told us, actually, that data perimeters enables their security team to feel more confident about hosting sensitive data in the cloud."
- "Scaling this in a regulated environment is hard."
- "We successfully enabled a number of new services within our data perimeter OU within a matter of weeks instead of the normal multi-quarter assessment process."
- "We have seen a ton of value within the data perimeter concepts and believe it strikes a good balance between security and developer freedom."
- "The data perimeter is flexible. Understand your access patterns."
- "If you are dealing with similar issues where you want to implement the data perimeter, but you're worried about API exceptions or you're missing some global condition keys, reach out to your AWS partners."