AWS security

In DevOps

Secure Global Infrastructure and Compliance

Regions, Availability Zones, and Endpoints
- Regions: (dotted line in diagram) compliance, latency
- Availability zones: (letter after region id) independent datacenters in regions
- Endpoints: webconsole and AWS-CLI
VPC Endpoints
- Methods of accessing AWS environments, connect resources without going through the Internet
- 2 Types
  - Interface (Elastic Network Interface) -> EC2
  - Gateway (target for Route Table environment) -> DBs
- Limitations
  - Same region only
  - IPv6 only
  - Only direct connections, no VPN or VPC peering connection
IAM and Compliance
- global scope across AWS
- allows central management
- IAM = 1 of main topics

Shared responsibility

Shared Responsibility Model (not include S3)
- Infrastructure services (VPC, EC2, autoscaling)
  - AWS: security off-the-cloud, foundations
  - User: code deployed, data, OS and network configurations, IAM. Encryption + integrity
- Container (RDS, EMR, ED2)
  - AWS: platform, foundations
  - User: customer data, customer IAM, Encryption + integrity. Encryption + integrity
- Abstracted services (lambda)
  - Netwok traffic protection

Trusted Advisor

Reports on our environment
- cost optimization, performance, security, fault tolerance, service limits
- available to all customers: core checks (6)
- available to business/enterprise (all)

Identity and Access Management (IAM)

Root User
- credentials: email and password on sign up for AWS account
- should not be used for daily work, no access keys and have MFA
Users and Groups
- Users
  - admin rights (daily work)
  - users need policies to access resources
  - deny policies override grant policies
  - credentials should not be shared
  - do not store EC2 credentials, forward them
- Groups
  - users can be members of groups, which have policies attached
  - organize users by functions (DB admin, SysAdmin…)
Roles
- IAM roles
  - Temporary security credential by Secure Token Service (STS, single endoint sts.amazon.com in us-east-1 (N-Virginia), reduce latensy using APIs, default time given: 1h)
  - For AWS recources or user outside AWS
- Roles and AWS
  - used because policies can not be attached to AWS recources
  - 1 service -> ONLY 1 roles
  - roles are attached to resources, no credentials
  - can be changes on running instances via CLI or console
- Other uses
  - crosss account access (delegation)
  - identity federation (non-AWS. link identity through different systems - recommend use of AWS Cognito, use SAML (Security Acknoledge Markup Language) for corporate domain accounts)
Policies
- json document taht states permissions
- deny overrides allow
- templates (admin, power-user (no user creation), view-only)
- you may use policy generatorcreate them from scratch or use the visual editor
- users can have more than 1 policy
- not for resources
Access Advisor
- user should have as few perissions as possible
- unused permissions can be deteced with access advisor (audit user, group or role)

Encryption essentials

Overview
- Key: cypher (AES-256, block cyphers): Message -> Scrambler with key -> Encryption
  - Server side encryption (at rest): on disk (read/write)
  - Client side encryption (in transit): on message (sent/received)
- Enveloping: using keys to cypher keys (master key, KEK=Key encryption keys)
Symmetric encryption
- same key to encrypt-decrypt
Asymmetric encryption (SSL, SSH)
- different keys to encrypt decrypt (encrypt=public, decrypt=private)
HSM and KMS (Amazon Elastic File System)
- Hardware security model (HSM)
  - Physical device to store keys on premise
  - AWS-cloudHSM: HSM can be in multiple regions (clusters)
  - Load balñancer replicates keys
- Key Management Service (KMS) -> KMS service
  - Create and control encryption keys
  - Advantage over HSM: integration on AWS, can use IAM policies for access
  - Customer Master key are stored in KMS
  - Both data and encrypted key are stored
```
graph LR
A[Plain text date]
B(key-DataKey)
C[Cypher text]
D[Storage]
E(EncryptedKey)
F(MasterKey)
G((DataKey))
A--use-->B;
B--encrypt-->C;
C-->D;
E-->D;
F--encrypt-->E;
G--generate-->F;
```

S3 bucket encryption policies override the settings of the folders within them.
If you need to use separate encryption keys for some documents within a bucket, you will need to change the settings on each document individually.

OS-level access

Overview
- EC2 is under infrastructure model: user thinks about IAM, encryption, security groups and NACL
- Unix-> Linux = (cloudinet) terminal SSH, auth keys
- Windows -> (ec2config) Windows = remote desktop
- Windows -> Linux = PuTTY
SSH
- connection (symmetric): faster
- key pair authentication (asymmetric)
  - RSA in ~/.ssh/authorized_keys, chmod 400 <keyname>.pem
- process
  1. Client: connection request
  2. Server: public key
  3. Both: Cypher negociation
  4. Both: Key exchange algortithm
  5. Both: Connection encrypted using SSH key
Bastion Host
- “jump box” (go to security groups, configure inbound & outbound)
- deploy in 2 availability zones, with autoscalinginpublic subnets, access form a list of addresses

graph LR
A[User]
B(Internet gateway)
C[Autoscaling]
D[Bastion]
E((Private subnet))

subgraph Public subnet
    C
    D
end

C-->D;

A-->B;
B--NAT gateway-->C;
D-->E;

Linux example

SH forwarding whenever is possible

chmod 400 <path-to-key>.pem
ssh-agent bash
ssh add <path-to-key>.pem
# add first host (-A, e get to instance)
ssh -A ec2-user@<ip-address>
# second host, we are already there
# due to ssh forwarding
ssh ec2-user@<ip-private-address>

Windows remote desktop example (RDP protocol)
- AWS get script, add key on console, double click and go
Windows Bash example
1. Go to update and security - for developers - bash shell (beta)
2. Add or remove windows features -> Windows subsystem for Linux
3. Windows store -> choose distro Linux on Windows (Ubuntu)
Windows PuTTY example
- Download and add pem, change it to ppk, go on

Data Security

Securing data at rest
- Concerns
  - accidental information disclosure
  - data integrity compromised
  - accidental deletion
  - availability
- S3
  - permissions: bucket, object level, IAM policies, delete MFS
  - versioning: helps against accidental deletion
  - replication: automatic on availabilty zones
  - backup: replication and versioning = unnecessary. Rules to store on another region?
  - server-side encryption: S3 master key or KMS
  - VPC endpoint: use data inside VPC without making it public
- Glacier
  - server-side encryption: encrypted in AES-256, 1 archive = 1 unique key, there is a master key created and stored securely
- EBS
  - replication: 2 copies of each volume in each availability zone (for disk failure)
  - backup: snapshots of volumes + IAM for access
  - server -side encryption: AWS MNS master key, OS tools
- RDS
  - permission: IAM policies
  - encryption: KMS (except micro-instances), DB cryptographic options (reference on DB fields)
- DynamoDB
  - permissions: IAM
  - encryption: Application level encryption, same as RDS,
  - VPC endpoint: can use data inside VPC without making it public
- EMR
  - Amazon managed service: AWS provides AMIs, no custom
  - data store: S3 or DynamoDB, HDFS (Hadoop Distributed File System -> defaults to Hadoop KMS)
  - techniques to improve data security: SSL, application level encryption, hybrid
Decommissioning data and Media
- different from on-prem decomission
  - delete -> blocks become unallocated, reassigned somewhere
- reading and writing to blocks
  - write = overwrite existing
  - read = data or hypervisor returns 0
- end of life
  - DoD 5220-M (National Industrial Security Operating Manual)
  - NIST SP 800-88 (Guidelines for media sanitization)
  - Both previous
  - None of previous = destroy device
Securing data in transit
- Concerns with communicating over public links (Internet)
- Approaches
  - use HTTPS
  - offload traffic to ELB
  - use SSH
  - database traffic and AWS console and traafic use SSL/TLS
- X.509 certificates (client browser, use public key)
- AWS certificate manager (free)
  - SSL/TSL certificates (ELB, Cloudfront, API gateway, Cloudformation)
  - automatic renewal, import 3rd party

OS Security

Recommendations
- Disable root user API access keys
- Use limited source IPs in security groups
- Password protect pem files
- Keep authorized_key file up to date
- Rotate credentials (access keys)
- Use Access Advisorto identify and remove unnecessary permissions
- Bastion hosts
Custom AMIs
- Base configuration, “snapshots”
- Clean up/hardening tasks before upload
  - protect credentials (disable insecure apps, software should not use default accounts, SSH keys must not be published, disable guest account)
  - protect data (delete shell history)
  - remove shared devices (e.g. printers)
  - Do not violate AWS Acceptable Use Policy (example: SMTP/proxy server)
Bootstrapping
- cloud-init, cfn-init, tools like Puppet and Chef
- patching/updates: update AMIs frequently!
  - consider dependecies
  - security software updates might update beyond the patch level of AMI
  - application updates might patch beyond the build in the AMI
- take into account environment differences (production, test…)
- instance updates might break external management and security monitoring (tst 1st on non-critical)
AWS Systems Manager - Patching/Automation
- Resource groups (logically)
- Insights (CloudTrail, CloudWatch, Trusted Advisor…)
- Inventory (can collect data on apps, files, network configs, services…)
- Automation (via scheduling, alarm triggering…)
- Run command (secure remote management replacing bastion host or ssh)
- Patch manager (deploy OS and software patches on demand)
- Maintenace Window (scheduling administrative and maintenance tasks)
- State manager and parameter store (for config management)
Mitigating problems
- Malware
  - use only trusted AMIs
  - principle of least privilege
  - keep patches up to date
  - antivirus/antispam software
  - host-based IDS
- Abuse
  - AWS will shut down malicious abusers
  - compromised resource, unintentional abuse (web crawlers may be confused with DDOS), secondary abuse (user of your system uploaded infected file), false complaints
  - Best practices: do not ignore AWS communications follow security best practices, mitigate identified compromises

Infrastructure security

VPC Security
- Internet only
  - Use SSL/TLS
  - Build your own VPN solution
  - Planned routing and placement
  - Security groups and NACLs
- IPsec tunel over Internet
  - Deploy VPN (AWS or other)
  - VPC networking (subnets, security groups, NACLs)
- AWS direct connect (links to peer AWS)
  - No additional security, check organization requirements
  - Terminates at Availability Zones in a region
  - VPC networking (subnets, security groups, NACLs)
- Hybrid (direct + IPsec)
  - Best practices of teh previous ones
  - VPC networking (subnets, security groups, NACLs)
Network segmentation
- VPC (isolate workload, e.g. departments)
- Security groups: stateful (TCP UDP ports in both directions)
- NACLs: stateless, granular control on protocols, work on security groups, ephimeral ports (client requests depend on OS)
- Host based firewalls (Os level)
Strengthening
- Customer side of shared responsability model (control access, network security, secure traffic)
- Best practices
  - Security groups
  - NACLs
  - Direct connect or IPSec for other selves
  - Encrypt data in transit often
  - Layer network security
  - Logs
- Secure periphery systems
  - DNS use SSL/TLS to prevent spoofing
  - Active directory/LDAP
  - Time servers (synch from trusted source)
  - Repositories (do not post credentials)
Threat Protection Layer
- Concern: untrusted connections
- Layers
  1. Threat protection (IDS, IPs, firewall)
  2. DM2 presentaion (NACL and Security groups)
  3. Application (NACL and Security groups)
  4. Data (NACL and Security groups)
Testing and measurement
- Vulnerability (risk assessment)
  - 3rd party evaluation with littel inside knowledge
- Penetration testing
  - AWS must be notified before
  - AWS vulnerability penetration form
  - m1.small or micro can not be tested
- Meassuring risk management
  - Monitor procedure
  - Meassure effectiveness
  - Review effectiveness
  - Internal audit
  - Management reviews (scope)
AWS Web Application Firewall (WAF)
- Conditions/rules set on Cloudfront or Applciation Load Balancer
- Watch cross site scripting, IP addreses, locations of requests, queryString and SQL
- Multiple conditions = ANDS (al must be true)
AWS Shield (DDOS protection)
- Basic = included with WAF
- Advanced (3000$/month per organisation)
  - Expand WAF services to ELB, Cludfront, Route53, resources with elastic IPs
  - Contact 24x7 DDOS Response Team (DRT)
  - Expandded protection DDOS and others

Monitoring, alerting, and auditing

Monitoring Basics
- Questions
  - What parameters
  - How to meassure them
  - Threshold
  - Can they be escalated?
  - Storage
- Log
  - Individual actions
  - Trail access
  - Invalid access attempt
  - IAM
  - Creation of new logs
  - Create/delete system elements
AWS Config (resources, list of supported services)
- you may
  - evaluate resources
  - snaphsot of config
  - retrieve config (resources, historical)
  - get changes notifications
  - view relationships between resources
- uses
  - administer resources
  - audit compliance
  - config troubleshooting via history
  - security analysis
AWS Systems Manager - Inventory and insights (for resource groups)
- Insights: aggregate outputs
- Inventory: -> CloudWatch dashboards
AWS Inspector
- Analizing behavious, identify potential security issues
- Target: collection of AWs resources
- Assessment template: security rules -> findings
- Assessment run: apply assessment template to target
- Features
  - configure scanning and activity monitor engine
  - built-in library content (rules, reports, recommendations)
  - API automation (allow security testing on design and dev)
- Using AWS inspector: console, API, SDK, CLI
AWS GuardDuty
- continuous security monitoring solution
- checks
  - VPC flow logs
  - CloudTrail event logs
  - Event logs
- Uses threat intelligent feeds and machine learning to determine unauthorized or malicious activity
- Behavious analysis
  - monitor behavious for signs of compromise
  - unauthorised infrastructure deployment
  - unexpected API calls