Hiko Amane's Blog
Services: Security
CloudTrail
- Provides governance, compliance and audit for your AWS account
- CloudTrail is enabled by default
- Get a history of events / API calls made within your AWS account
- Can put logs from CloudTrail to CloudWatch Logs
- CloudTrail console only shows the past 90 days of activity
- The default UI only shows Create, Modify, and Delete events
CloudTrail Trail
- Get a detailed list of all the events you choose
- Can include events happening at the object level in S3
- Ability to store these events in S3 for further analysis
- Can be region specific or be global
Architecture: Delivery to S3
- CloudTrail can send events to S3 every 5 minutes
- Use SSE-S3 encryption by default or SSE-KMS
- Notification
  - Use CloudTrail Delivery Notifications
    - Send notifications to SNS, which can forward them to SQS or Lambda
  - Use S3 Events
    - Send S3 events to SQS, SNS, or Lambda
- All benefits of S3
  - Versioning
  - MFA Delete protection
  - Lifecycle Policy
  - Object Lock
  - Encryption (SSE-S3, SSE-KMS)
  - SHA-256 for integrity validation
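As an added example (not code from the page), a simplified check that recomputes the SHA-256 hash of each delivered log file against the digest file that references it; the digest field names (logFiles, s3Object, hashValue, hashAlgorithm) are assumed from CloudTrail's digest layout, the fixture is constructed, and verification of the digest's own signature with the CloudTrail public key is left out.

```python
"""Recompute SHA-256 hashes of CloudTrail log files against a digest file.

Constructed fixture; field names follow the CloudTrail digest layout as assumed here
(logFiles[].s3Object / hashAlgorithm / hashValue). Real validation also checks the
digest's signature with the CloudTrail public key and walks the previousDigest chain.
"""
import gzip
import hashlib
import json

LOG_A = "CloudTrail/2024/01/01/log-a.json.gz"   # constructed object keys
LOG_B = "CloudTrail/2024/01/01/log-b.json.gz"

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def verify_digest(digest: dict, fetch) -> dict:
    """Map each log object named in the digest to True (hash matches) or False.
    `fetch(key)` returns the object's bytes, or None if it is missing from S3."""
    results = {}
    for entry in digest["logFiles"]:
        if entry.get("hashAlgorithm") != "SHA-256":
            raise ValueError(f"unsupported hash algorithm: {entry.get('hashAlgorithm')}")
        data = fetch(entry["s3Object"])
        results[entry["s3Object"]] = data is not None and sha256_hex(data) == entry["hashValue"]
    return results

def build_fixture():
    """Two gzipped log files plus a digest that references their SHA-256 hashes."""
    objects = {}
    for i, key in enumerate((LOG_A, LOG_B)):
        body = {"Records": [{"eventSource": "kms.amazonaws.com", "eventName": "DescribeKey", "n": i}]}
        objects[key] = gzip.compress(json.dumps(body).encode(), mtime=0)
    digest = {
        "digestS3Bucket": "example-trail-bucket",          # placeholder bucket
        "logFiles": [{"s3Object": k, "hashAlgorithm": "SHA-256", "hashValue": sha256_hex(v)}
                     for k, v in objects.items()],
    }
    return objects, digest

def with_tampered_object(objects: dict, key: str) -> dict:
    """Copy of the object store where one log file has been rewritten after delivery."""
    changed = dict(objects)
    changed[key] = gzip.compress(b'{"Records": []}', mtime=0)
    return changed
```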
Architecture: Multi-Account, Multi-Region Logging
- Send CloudTrail events from different accounts to an S3 bucket in one account
- An S3 bucket policy is necessary for cross-account delivery
- Two options to access log files from other accounts
  - Assume a cross-account role
  - Edit the bucket policy to allow cross-account access
Architecture: Alert for API calls
- Stream CloudTrail events to CloudWatch Logs
- Create Metric Filters that trigger CloudWatch Alarm
- CloudWatch Alarm can send notifications to SNS
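The metric-filter step above, as an added example that is not from the page: the Python predicate mirrors an assumed CloudWatch Logs filter pattern on KMS DisableKey and ScheduleKeyDeletion calls (chosen here as calls worth alerting on), counts matches per minute the way the metric would, and reports the minutes in which an alarm with threshold 1 would fire; the log lines are constructed.

```python
"""Metric-filter style alerting on CloudTrail records streamed to CloudWatch Logs.

The predicate mirrors this CloudWatch Logs filter pattern (assumed; the two KMS
calls were chosen for the example):
  { $.eventSource = "kms.amazonaws.com" &&
    ($.eventName = "DisableKey" || $.eventName = "ScheduleKeyDeletion") }
"""
import json
from collections import Counter

WATCHED_KMS_CALLS = {"DisableKey", "ScheduleKeyDeletion"}

def matches_filter(record: dict) -> bool:
    """Same decision the metric filter makes for one log event."""
    return (record.get("eventSource") == "kms.amazonaws.com"
            and record.get("eventName") in WATCHED_KMS_CALLS)

def metric_per_minute(log_lines) -> Counter:
    """Count matching records per UTC minute ('YYYY-MM-DDTHH:MM'), i.e. the
    datapoints an alarm with a 1-minute period would evaluate."""
    counts = Counter()
    for line in log_lines:
        record = json.loads(line)
        if matches_filter(record):
            counts[record["eventTime"][:16]] += 1
    return counts

def breached_minutes(counts: Counter, threshold: int = 1) -> list:
    """Minutes where count >= threshold: the alarm enters ALARM and notifies SNS."""
    return sorted(minute for minute, n in counts.items() if n >= threshold)

# Constructed sample of CloudTrail records, one JSON document per log line
SAMPLE_LOG_LINES = [
    json.dumps({"eventTime": "2024-01-01T10:00:05Z", "eventSource": "kms.amazonaws.com",
                "eventName": "DisableKey", "userIdentity": {"type": "IAMUser", "userName": "alice"}}),
    json.dumps({"eventTime": "2024-01-01T10:00:40Z", "eventSource": "kms.amazonaws.com",
                "eventName": "ScheduleKeyDeletion", "userIdentity": {"type": "IAMUser", "userName": "alice"}}),
    json.dumps({"eventTime": "2024-01-01T10:01:10Z", "eventSource": "kms.amazonaws.com",
                "eventName": "DescribeKey", "userIdentity": {"type": "AssumedRole"}}),
    json.dumps({"eventTime": "2024-01-01T10:02:00Z", "eventSource": "s3.amazonaws.com",
                "eventName": "PutObject", "userIdentity": {"type": "IAMUser", "userName": "bob"}}),
]
```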
Delivery Time
- Overall, fastest first
  - CloudWatch Events
    - Can be triggered for any API call in CloudTrail
    - The fastest way
  - CloudTrail delivery to CloudWatch Logs
  - CloudTrail delivery to S3
    - Events are delivered every 5 minutes
KMS
- Encryption for AWS services
  - EBS: encrypt volumes
  - S3: SSE-KMS
  - Redshift
  - RDS
  - SSM: Parameter Store
  - etc.
- Encrypt your own data
  - KMS APIs (Encrypt / Decrypt)
- CMK can never be retrieved by the user
- CMK can be rotated for extra security
- KMS can only encrypt up to 4 KB of data per call
- To access KMS
  - Make sure the key policy allows the user
  - Make sure the IAM policy allows the API calls
- CloudTrail tracks API calls made to KMS
Types of CMK
- Customer Managed CMK
  - Users can create, manage, use, or enable/disable the keys
  - Possibility of a rotation policy
    - New key generated every year
    - Old key will be preserved
  - Can add a key policy
- AWS Managed CMK
  - Used by AWS services (aws/s3, aws/ebs, aws/redshift, etc.)
AWS Systems Manager (SSM) Parameter Store
- Secure storage for configuration and secrets
- Secrets can be encrypted by KMS
- Supports version tracking
- Secrets are stored in a path hierarchy
- Notifications with CloudWatch Events
- Integration with CloudFormation
- Can retrieve secrets from Secrets Manager using the SSM Parameter Store API
AWS Secrets Manager
- A newer service for storing secrets
- Capability to force rotation of secrets every X days
- Can automatically generate secrets on rotation using Lambda
- Integration with RDS (MySQL, PostgreSQL, Aurora)
- Encrypted using KMS
RDS Security
- KMS encryption at rest for underlying EBS volumes and snapshots
- Transparent Data Encryption (TDE) for Oracle and SQL Server
- SSL encryption for all kinds of DB
- IAM authentication for MySQL and PostgreSQL
  - Authorization still happens within RDS
- Can copy an unencrypted RDS snapshot into an encrypted one
- CloudTrail cannot be used to track queries made within RDS
SSL
Server Name Indication (SNI)
- Use SNI to pick the correct SSL certificate when multiple hostnames point to one web server
- Only works for ALB, NLB and CloudFront
- Does not work for CLB
Protection against Man-in-the-middle Attacks
- Always use HTTPS instead of HTTP
- Use DNSSEC
  - Route 53 supports DNSSEC for domain registration
  - Route 53 does not support DNSSEC for its DNS service
  - You must use another DNS service provider if you want to configure DNSSEC (e.g. run a custom DNS server on EC2)
AWS Certificate Manager (ACM)
- Loads SSL certificates onto the following integrations
  - ELB
  - CloudFront
  - API Gateway
- ACM supports
  - Public certificates issued by a trusted certificate authority (CA)
  - Private certificates
- Certificate renewal
  - Done automatically if the certificate was generated by ACM
  - Must be re-uploaded manually if the certificate was user-uploaded
- ACM is a regional service
  - To use it with a global application, you need to issue an SSL certificate in each region
  - You cannot copy certificates across regions
CloudHSM
- HSM = Hardware Security Module (dedicated hardware)
- CloudHSM = AWS provisions the HSM hardware for you
- You manage your keys entirely
- Supports both symmetric and asymmetric encryption
- Must use the CloudHSM client software to manage CloudHSM
- Use cases
  - Redshift supports CloudHSM for database encryption
  - Use CloudHSM to generate keys for SSE-C encryption
  - SSL/TLS acceleration and Oracle TDE acceleration
CloudHSM management
- IAM
- CloudHSM software
  - Manage the keys and users
- CloudHSM is deployed and managed from a VPC
- CloudHSM clusters are spread across multiple AZs
- Access to a CloudHSM cluster can be shared across VPCs using VPC peering
Architecture: SSL Offloading using CloudHSM
- You can offload SSL from your web servers to CloudHSM
- Many web servers (e.g. NGINX, Apache Web Server) support SSL offloading
- Extra security: SSL private keys never leave the HSM device
- Must set up a cryptographic user on the CloudHSM device
S3 Security
S3 Encryption
- SSE-S3
- SSE-KMS
- SSE-C (keys can be provided by CloudHSM)
- CSE
Encryption in transit (SSL)
- HTTPS endpoints
- HTTPS is mandatory for SSE-C
Events in S3
- S3 Access Logs
  - Records for the requests that are made to a bucket
  - Might take hours to deliver
  - Might be incomplete (best effort)
- S3 Event Notifications
  - Emit notifications when certain events happen in your bucket
  - Events can be sent to SNS, SQS, Lambda
  - Events are delivered in seconds, sometimes in minutes
  - Only one event might be delivered if two writes to the same object happen simultaneously
- Trusted Advisor
  - Checks the bucket permissions
- CloudWatch Events
  - Enable CloudTrail object-level logging on S3 first
  - Target can be SNS, SQS, Lambda, etc.
S3 Policies
- IAM Policies (user based)
- Bucket Policies (resource based)
S3 Bucket Policies
- Use cases
  - Grant public access to the bucket
  - Force objects to be encrypted at upload
  - Grant access to another account (cross-account access)
- Conditions can be based on
  - Public IP or Elastic IP (not private IP)
  - Source VPC (AWS:SourceVpc) or Source VPC Endpoint (AWS:SourceVpce)
  - CloudFront Origin Access Identity
  - MFA
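An added example (not the blog's own) of a bucket policy covering two of the use cases above, forcing SSE-KMS on upload and restricting all access to one VPC endpoint through aws:sourceVpce, together with a small evaluator of its Deny statements; the bucket name and endpoint id are placeholders, only the StringNotEquals operator is modelled, and Resource matching is not.

```python
"""Bucket policy denying unencrypted uploads and access from outside one VPC endpoint,
with a minimal evaluator for its Deny statements. Constructed: bucket name and endpoint
id are placeholders; only StringNotEquals is implemented and Resource is not matched."""
BUCKET = "example-bucket"                 # placeholder
VPCE_ID = "vpce-0123456789abcdef0"        # placeholder endpoint id
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {   # "Force objects to be encrypted at upload": PutObject must carry SSE-KMS
            "Sid": "DenyUnencryptedUploads", "Effect": "Deny", "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": f"arn:aws:s3:::{BUCKET}/*",
            "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}},
        },
        {   # Source VPC endpoint condition: any request not arriving via VPCE_ID is denied
            "Sid": "DenyOutsideVpcEndpoint", "Effect": "Deny", "Principal": "*",
            "Action": "s3:*",
            "Resource": [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"],
            "Condition": {"StringNotEquals": {"aws:sourceVpce": VPCE_ID}},
        },
    ],
}

def _action_matches(pattern: str, action: str) -> bool:
    return pattern == "*" or pattern == action or (
        pattern.endswith("*") and action.startswith(pattern[:-1]))

def _condition_holds(condition: dict, context: dict) -> bool:
    """StringNotEquals is satisfied when the key is absent from the request
    context or its value differs; several keys are ANDed together."""
    for operator, pairs in condition.items():
        if operator != "StringNotEquals":
            raise NotImplementedError(operator)
        for key, expected in pairs.items():
            if context.get(key) == expected:
                return False
    return True

def explicit_deny(policy: dict, action: str, context: dict):
    """Sid of the first Deny statement whose Action and Condition match, else None.
    `context` holds request condition keys, e.g. the SSE header and aws:sourceVpce."""
    for stmt in policy["Statement"]:
        if (stmt["Effect"] == "Deny" and _action_matches(stmt["Action"], action)
                and _condition_holds(stmt["Condition"], context)):
            return stmt["Sid"]
    return None
```

A request that is not explicitly denied here still needs an Allow from IAM or the bucket policy before S3 accepts it.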
Pre-signed URLs
- A pre-signed URL has the same permissions as the IAM user who created it, and only for GET/PUT operations
- Valid for 3600 seconds by default; the timeout can be changed with an argument
- Use cases
  - Only allow particular users to download/upload objects in the S3 bucket
  - Temporarily allow a user to download/upload objects in the S3 bucket
S3 Object Lock & Glacier Vault Lock
- S3 Object Lock
  - Block deletion of an object version for a specified amount of time
- Glacier Vault Lock
  - Lock the objects against future edits
Network Security
VPC Security
Security Groups
- Attached to an ENI, works for anything in a VPC (like EC2, RDS, Lambda)
- Stateful (if traffic is allowed in, the response is automatically allowed out, and vice versa)
- The source can be a CIDR or another security group ID
  - Can be a security group in another VPC using VPC peering
- Allow rules only
- Default: no inbound rules, one rule allowing all outbound traffic
Network ACLs
- Attached to a subnet
- Stateless
- The source can be a CIDR
- Default NACL: allow all inbound, allow all outbound
- New NACL: deny all inbound, deny all outbound
AWS Shield
- AWS Shield Standard
  - Free
  - Provides layer 3 / layer 4 DDoS attack protection
- AWS Shield Advanced
  - $3000 per month per organization
  - Provides protection against more sophisticated DDoS attacks
  - 24/7 access to the AWS DDoS Response Team
  - No extra fees during usage spikes due to DDoS
AWS Web Application Firewall (WAF)
- Provides layer 7 attack protection
- Can only be deployed to ALB, API Gateway, CloudFront
- Need to define a Web ACL
  - Rules can match IP addresses, HTTP headers, HTTP body, or URI strings
  - Protects from SQL injection and XSS
  - Size constraints
  - Geo match
  - Rate-based rules
AWS Firewall Manager
- Manage rules in all accounts of an AWS Organization
  - Security Groups
  - AWS Shield Advanced
  - WAF rules
DDoS Protection
- AWS Shield: protects against DDoS attack
- AWS WAF: filter specific requests based on rules
- CloudFront and Route 53: combined with AWS Shield
- Use Auto Scaling
- Separate static resources to S3 or CloudFront from dynamic ones (EC2 or ELB)
Blocking an IP Address
- NACL
- WAF with ALB or CloudFront
- NACL will not work when using CloudFront (because the origin only sees requests coming from CloudFront)
AWS Inspector
- Analyze running EC2 instances against known vulnerabilities and unintended network accessibility
- AWS Inspector Agent must be installed in EC2 instances
- Define template with AWS managed rules
AWS Config
- Records configurations and changes over time to audit and record compliance of your AWS resources
- You can receive SNS notifications for any changes
- Is a regional service
- Can be aggregated across regions and accounts
AWS Config Resource
- View compliance of a resource over time
- View configuration of a resource over time
- View CloudTrail API calls if enabled
AWS Config Rules
- Use AWS managed config rules
- Make custom config rules (defined in AWS Lambda)
- Rules will be evaluated
  - For each config change
  - At regular time intervals
- Can trigger CloudWatch Events if the rule is non-compliant
- Rules can have auto remediations
  - If a resource is not compliant, you can trigger an auto remediation
  - Define the remediation through SSM Automations
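An added example (not from the page) of a custom rule implemented in Lambda: it marks an EBS volume NON_COMPLIANT when its configuration item shows encrypted=false and reports the result back with the invocation's result token; the event shape and configuration key names are assumed from the Config custom-rule contract, and the Config client is injectable so the logic runs offline.

```python
"""Custom AWS Config rule (Lambda) that marks EBS volumes NON_COMPLIANT unless encrypted.

Assumptions (not from the page): the configuration item for AWS::EC2::Volume carries
configuration["encrypted"]; the Config client is injectable so the logic runs offline.
"""
import json

def evaluate_compliance(item: dict) -> str:
    """Return the ComplianceType for one configuration item."""
    if item["resourceType"] != "AWS::EC2::Volume":
        return "NOT_APPLICABLE"            # rule is scoped to volumes only
    if item.get("configurationItemStatus") in ("ResourceDeleted", "ResourceDeletedNotRecorded"):
        return "NOT_APPLICABLE"            # nothing left to evaluate
    encrypted = (item.get("configuration") or {}).get("encrypted")
    return "COMPLIANT" if encrypted is True else "NON_COMPLIANT"

def lambda_handler(event, context, config_client=None):
    """Entry point AWS Config invokes; reports one evaluation back with the result token."""
    invoking = json.loads(event["invokingEvent"])
    if invoking.get("messageType") == "ScheduledNotification":
        # Periodic trigger carries no configuration item; a real rule would list the
        # volumes itself here. Out of scope for this example.
        return []
    item = invoking["configurationItem"]
    evaluation = {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": evaluate_compliance(item),
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }
    if config_client is None:
        import boto3                         # only needed inside Lambda
        config_client = boto3.client("config")
    config_client.put_evaluations(Evaluations=[evaluation], ResultToken=event["resultToken"])
    return [evaluation]

def make_change_event(item: dict, result_token: str = "example-token") -> dict:
    """Build the event Config sends on a configuration change (constructed test helper)."""
    return {
        "invokingEvent": json.dumps({"messageType": "ConfigurationItemChangeNotification",
                                     "configurationItem": item}),
        "ruleParameters": "{}",
        "resultToken": result_token,
    }

class RecordingConfigClient:
    """Stand-in for boto3's Config client so the handler can run offline."""
    def __init__(self):
        self.evaluations = []
    def put_evaluations(self, Evaluations, ResultToken):
        self.evaluations.extend(Evaluations)
        return {"FailedEvaluations": []}
```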
AWS Managed Logs
- CloudTrail Logs -> S3 and CloudWatch Logs
- VPC Flow Logs -> S3 and CloudWatch Logs
- ELB Access Logs -> S3
- Route 53 Access Logs -> CloudWatch Logs
- S3 Access Logs -> S3
- CloudFront Access Logs -> S3
- AWS Config -> S3
AWS GuardDuty
- Intelligent threat discovery to protect your AWS account
- Input data
  - CloudTrail Logs
  - VPC Flow Logs
  - DNS Logs
- Can set up CloudWatch Event rules to be notified