Security
Security Concepts
Shared Responsibility Model
- AWS - Responsibility for Security of the Cloud
- Customer - Responsibility for Security in the Cloud
Principle of Least Privilege
- Give users (or services) nothing more than those privileges required to perform their intended function.
(and only when they need them)
Security Facets
- Identity
- Authentication
- Prove that you're who you say you are
- Authorization
- Are you allowed to do this?
- Trust
- Do other entities that I trust say they trust you?
Typical Components
- Identities
- Users who want access to certain services
- Identity Providers
- e.g. Facebook, Google, etc.
- Identity Broker
- Facilitates communication with the identity provider to grant access to certain services
- Identity Store
- Contains information about identities' privileges
- Services
SAML 2.0, OAuth 2.0, OpenID Connect
SAML 2.0
- Can handle both authentication and authorization
- XML-based protocol
- Can contain user, group, membership and other useful information
- Assertions in the XML for authentication, attributes or authorization
- Best suited for Single Sign-On for enterprise users
OAuth 2.0
- Allow sharing of protected assets without having to send login credentials
- Handles authorization only, not authentication
- Issues token to client
- Application validates token with Authorization Server
- Delegates access, allowing client applications to access information on behalf of the user
- Best suited for API authorization between apps
OpenID Connect
- Identity layer built on top of OAuth 2.0, adding authentication
- Uses REST/JSON message flows
- Supports web clients, mobile clients and JavaScript clients
- Extensible
- Best suited for Single Sign-On for consumers
AWS Artifact
- AWS resource for compliance-related information
- Provides on-demand access to AWS’ security and compliance reports and select online agreements
Multi-Account Management
- AWS Organizations
- Service Control Policies
- Tagging
- Resource Groups
- Consolidated Billing
Identity Account Structure
- Manage all user accounts in one location
- Uses trust relationships from IAM roles in sub-accounts to the Identity Account to grant temporary access
- Variations include by Business Unit, Deployment, Environment, Geography
Logging Account Structure
- Centralized logging repository
- Can be secured so as to be immutable
- Can use Service Control Policies (SCP) to prevent sub-accounts from changing logging settings
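The two IAM documents behind the Identity and Logging account structures, written out as an added example (not part of these notes): a trust policy that a role in a sub-account would carry so that principals in the Identity Account can assume it with temporary STS credentials, and an organization SCP that stops sub-accounts from tampering with CloudTrail. The account IDs are placeholders, the MFA condition is an added hardening choice, and `scp_denies` is a deliberately simplified evaluator (no Conditions, no NotAction) used only to show which calls the SCP would block.

```python
# Added example: cross-account trust policy + logging-protection SCP.
# Account IDs below are placeholders, not real accounts.
import fnmatch
import json

IDENTITY_ACCOUNT_ID = "111111111111"   # placeholder: the central identity account
SUB_ACCOUNT_ID = "222222222222"        # placeholder: a workload sub-account


def cross_account_trust_policy(identity_account_id: str, require_mfa: bool = True) -> dict:
    """Trust policy for a role living in a sub-account.  Principals in the
    identity account may call sts:AssumeRole on it; requiring MFA on the
    assuming session is an added hardening choice, not something the notes state."""
    statement = {
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{identity_account_id}:root"},
        "Action": "sts:AssumeRole",
    }
    if require_mfa:
        statement["Condition"] = {"Bool": {"aws:MultiFactorAuthPresent": "true"}}
    return {"Version": "2012-10-17", "Statement": [statement]}


def protect_logging_scp() -> dict:
    """Service Control Policy attached at the organization/OU level: even an
    administrator inside a sub-account cannot stop, delete or reconfigure
    CloudTrail, because an SCP Deny overrides any local IAM Allow."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyCloudTrailTampering",
                "Effect": "Deny",
                "Action": [
                    "cloudtrail:StopLogging",
                    "cloudtrail:DeleteTrail",
                    "cloudtrail:UpdateTrail",
                    "cloudtrail:PutEventSelectors",
                ],
                "Resource": "*",
            }
        ],
    }


def scp_denies(scp: dict, action: str) -> bool:
    """Simplified evaluator: True if any Deny statement's Action (a string or a
    list, with IAM-style '*' wildcards, matched case-insensitively) covers the
    requested action.  Conditions and NotAction are ignored on purpose."""
    for stmt in scp["Statement"]:
        if stmt.get("Effect") != "Deny":
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        if any(fnmatch.fnmatchcase(action.lower(), pattern.lower()) for pattern in actions):
            return True
    return False


if __name__ == "__main__":
    print(json.dumps(cross_account_trust_policy(IDENTITY_ACCOUNT_ID), indent=2))
    scp = protect_logging_scp()
    for action in ("cloudtrail:StopLogging", "cloudtrail:LookupEvents", "s3:GetObject"):
        verdict = "denied by SCP" if scp_denies(scp, action) else "not denied by SCP"
        print(f"{action}: {verdict}")
```

The trust policy goes on the role in the sub-account; the SCP goes on the organizational unit that contains the sub-accounts, so the logging account's configuration cannot be undone from below.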
Publishing Account Structure
- Common repository for AMIs, containers and code
- Permits sub-accounts to use pre-approved standardized services or assets
Central IT Account Structure
- IT can manage IAM users and groups while assigning to sub-account roles
- IT can provide shared services and standardized assets (AMIs, databases, EBS, etc.) that adhere to corporate policy
Network Controls and Security Groups
Security Groups
- Virtual firewalls for individual assets (EC2, RDS, AWS WorkSpaces, etc.)
- Controls inbound and outbound traffic
- Port or port ranges
- Inbound rules are by Source IP, subnet or other Security Groups
- Outbound rules are by Destination IP, subnet or other SG
Network Access Control Lists (NACLs)
- Additional layer of security for VPC that acts as a firewall
- Apply to entire subnets rather than individual assets
- Default NACL allows all inbound and outbound traffic
- NACLs are stateless - outbound traffic simply obeys outbound rules - no connection is maintained
- Can duplicate or further restrict the access allowed by SGs
- Remember ephemeral ports for Outbound if you need them
Why NACLs?
- NACLs provide a backup layer of security if you accidentally change your SG to be too permissive
- Covers the entire subnet, so users who create new instances and fail to assign a proper SG are still protected
- Part of a multi-layer Least Privilege concept to explicitly allow and deny
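A toy evaluator, added here as an example and not part of these notes, that shows the stateful-vs-stateless difference concretely: a security group that allows inbound 443 also lets the reply out, while a NACL with the same inbound rule drops the reply unless an outbound rule for ephemeral ports exists. The packets, addresses and rules are constructed; the NACL is modelled as an ordered list where the first matching rule decides and anything unmatched is denied.

```python
# Added example: stateful security group vs stateless NACL on one HTTPS exchange.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    src_port: int
    dst_port: int
    direction: str   # "in" or "out", relative to the protected instance/subnet


@dataclass(frozen=True)
class Rule:
    direction: str
    cidr: str        # remote side: source for inbound, destination for outbound
    port_from: int
    port_to: int
    allow: bool = True   # NACL rules may deny; security group rules are allow-only

    def matches(self, pkt: Packet) -> bool:
        remote = pkt.src if pkt.direction == "in" else pkt.dst
        in_cidr = ipaddress.ip_address(remote) in ipaddress.ip_network(self.cidr)
        return (self.direction == pkt.direction and in_cidr
                and self.port_from <= pkt.dst_port <= self.port_to)


class SecurityGroup:
    """Stateful: a packet passes if a rule allows it OR it is the reply to a
    flow that was already allowed, so no return-traffic rule is needed."""

    def __init__(self, rules):
        self.rules = [r for r in rules if r.allow]   # deny rules do not exist in SGs
        self.flows = set()                           # (client, cport, server, sport)

    def allows(self, pkt: Packet) -> bool:
        if any(r.matches(pkt) for r in self.rules):
            self.flows.add((pkt.src, pkt.src_port, pkt.dst, pkt.dst_port))
            return True
        # reverse of a remembered flow = reply traffic, allowed by connection tracking
        return (pkt.dst, pkt.dst_port, pkt.src, pkt.src_port) in self.flows


class NetworkAcl:
    """Stateless: every packet, replies included, is judged only by the rules."""

    def __init__(self, rules):
        self.rules = list(rules)   # evaluated in order, like NACL rule numbers

    def allows(self, pkt: Packet) -> bool:
        for r in self.rules:
            if r.matches(pkt):
                return r.allow
        return False   # implicit deny at the end of every custom NACL


def web_request_and_reply(filter_):
    """Constructed HTTPS exchange: client 203.0.113.7:51515 -> server 10.0.1.20:443.
    Returns (request_allowed, reply_allowed)."""
    request = Packet("203.0.113.7", "10.0.1.20", 51515, 443, "in")
    reply = Packet("10.0.1.20", "203.0.113.7", 443, 51515, "out")
    return filter_.allows(request), filter_.allows(reply)


if __name__ == "__main__":
    inbound_https = Rule("in", "0.0.0.0/0", 443, 443)
    ephemeral_out = Rule("out", "0.0.0.0/0", 1024, 65535)
    print("SG, inbound 443 only:        ", web_request_and_reply(SecurityGroup([inbound_https])))
    print("NACL, inbound 443 only:      ", web_request_and_reply(NetworkAcl([inbound_https])))
    print("NACL, 443 + ephemeral out:   ", web_request_and_reply(NetworkAcl([inbound_https, ephemeral_out])))
```

The middle case is the one that bites in practice: the request reaches the instance, the TLS handshake never completes, and the cause is the missing outbound ephemeral-port rule rather than anything on the instance.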
AWS Directory Services
- AWS Cloud Directory
- Cloud-native directory to share and control access to hierarchical data between applications
- Cloud applications that need hierarchical data with complex relationships
- Amazon Cognito
- Sign-up and sign-in functionality that scales to millions of users and federated to public social media services
- Develop consumer apps or SaaS
- AWS Directory Service for Microsoft Active Directory
- AWS-managed full Microsoft AD (standard or enterprise) running on Windows Server 2012 R2
- Enterprises that want hosted Microsoft AD, or that need LDAP for Linux apps
- AD Connector
- Allow on-premises users to log into AWS services with their existing AD credentials. Also allows EC2 instances to join AD domain.
- Single sign-on for on-prem employees and for adding EC2 instances to the domain
- Simple AD
- Low scale, low cost AD implementation based on Samba
- Simple user directory, or when you need LDAP compatibility
Credentials and Access Management
AWS Security Token Service (STS)
Token Vending Machine Concept
- Common way to issue temporary credentials for mobile app development
- Anonymous TVM (Token Vending Machine) - Used as a way to provide access to AWS services only, does not store user identity
- Identity TVM - used for registration and login, and authorizations
- AWS now recommends that mobile developers use Cognito and related SDK
AWS Secrets Manager
- Store passwords, encryption keys, API keys, SSH keys, PGP keys, etc.
- Alternative to storing passwords or keys in a “vault”
- Can access secrets via API with fine-grained access control provided by IAM
- Automatically rotate RDS database credentials for MySQL, PostgreSQL and Aurora
- Better than hard-coding credentials in scripts or application
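An added example (not from these notes) of the pattern the last bullet recommends: the application fetches a database credential from Secrets Manager at runtime instead of carrying it in the code. `load_secret` only needs an object with a boto3-style `get_secret_value(SecretId=...)` method; the `FakeSecretsClient` and the secret values are constructed stand-ins so the example runs offline, and `redacted` shows how to log the result without leaking the password.

```python
# Added example: read a secret at runtime instead of hard-coding it.
import json

# Before: the anti-pattern the notes warn about (constructed values).
# DB_PASSWORD = "hunter2"   # ends up in git history, logs, AMIs, backups...


class FakeSecretsClient:
    """Offline stand-in for boto3's Secrets Manager client.  A real client
    would be created with boto3.client("secretsmanager") and needs IAM
    permission secretsmanager:GetSecretValue on the specific secret ARN."""

    def __init__(self, secrets):
        self._secrets = secrets

    def get_secret_value(self, SecretId):
        if SecretId not in self._secrets:
            raise LookupError(f"ResourceNotFoundException: {SecretId}")
        return self._secrets[SecretId]


def load_secret(client, secret_id):
    """Return the secret's contents.  JSON-formatted SecretString values
    (the format the RDS rotation integration uses) come back as a dict,
    plain strings as {'value': ...}, binary secrets as raw bytes."""
    resp = client.get_secret_value(SecretId=secret_id)
    if "SecretString" in resp:
        try:
            return json.loads(resp["SecretString"])
        except json.JSONDecodeError:
            return {"value": resp["SecretString"]}
    return resp["SecretBinary"]


def db_dsn(secret):
    """Build a PostgreSQL-style DSN from the rotation-integration field names."""
    return (f"postgresql://{secret['username']}:{secret['password']}"
            f"@{secret['host']}:{secret['port']}/{secret['dbname']}")


def redacted(secret):
    """Copy of the secret safe to write to a log line."""
    return {k: ("***" if k == "password" else v) for k, v in secret.items()}


# Constructed sample data, shaped like the Secrets Manager API response.
SAMPLE_CLIENT = FakeSecretsClient({
    "prod/orders/db": {
        "SecretString": json.dumps({
            "username": "orders_app", "password": "s3cr3t-placeholder",
            "host": "orders.cluster-placeholder.rds.amazonaws.com",
            "port": 5432, "dbname": "orders", "engine": "postgres",
        })
    },
    "prod/orders/api-key": {"SecretString": "api-key-placeholder"},
})


if __name__ == "__main__":
    creds = load_secret(SAMPLE_CLIENT, "prod/orders/db")
    print("connecting with", redacted(creds))
    dsn = db_dsn(creds)   # handed to the DB driver, never logged
```

Because the secret is looked up by name and the name is harmless, rotating the RDS password changes nothing in the application; the next `load_secret` call simply returns the new value.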
Encryption
- Encryption at Rest
- Data is encrypted such as on EBS, on S3, in an RDS database or in an SQS queue waiting to be processed
- Encryption in Transit
- Data is encrypted as it flows through a network or process, such as SSL/TLS for HTTPS, or with IPSec for VPN connections
Key Management Service (KMS)
- Key storage, management and auditing
- Tightly integrated into many AWS services, like Lambda, S3, EBS, EFS, DynamoDB, SQS, etc.
- You can import your own keys or have KMS generate them
- Control who manages and accesses keys via IAM users and roles
- Audit use of keys via CloudTrail
- Differs from Secrets Manager as it is purpose-built for encryption key management
- Validated by many compliance schemes
CloudHSM (Hardware Security Module)
- Dedicated hardware device, Single Tenanted
- Must be within a VPC and can access via VPC Peering
- Does not natively integrate with many AWS services the way KMS does; instead requires custom application scripting
- Offload SSL from web servers, act as an issuing CA, enable TDE for Oracle databases
Cloud HSM vs KMS
- CloudHSM
- Single-Tenant HSM
- Customer-managed durability and availability
- Customer managed root of trust
- Broad 3rd Party Support
- AWS KMS
- Multi-Tenant AWS Service
- Highly available and durable key storage and management
- AWS managed root of trust
- Broad AWS Service Support
AWS Certificate Manager
- Managed service that lets you provision, manage and deploy public or private SSL/TLS certificates
- Directly integrated into many AWS services like CloudFront, ELB and API Gateway
- Free public certificates to use with AWS services; no need to register via a 3rd party certificate authority
- You can import 3rd party certificates for use on AWS
- Supports wildcard domains
- Managed certificate renewal
- Can create a managed Private Certificate Authority as well for internal and proprietary apps, services or devices
Distributed Denial of Services Attacks
- Phishing is one of the common ways to compromise systems
- Amplification/Reflection Attacks
- Send small request to NTP server by manipulating data packets (NTP Monlist)
- NTP server replies to target device with a big response (MONLIST command output)
- Target device is flooded
- Application Attacks (Layer 7)
Mitigating DDoS
- Minimize attack surface
- Scale to absorb attack
- Auto-Scaling Groups, AWS CloudFront, Static Web Content via S3
- Safeguard exposed resources
- Route 53, AWS WAF, AWS Shield
- Learn normal behavior
- AWS GuardDuty, CloudWatch
IDS and IPS
- Intrusion Detection System
- Watches the network to identify someone trying to compromise the system
- Intrusion Prevention System
- Prevents exploits; sits behind the firewall and scans and analyzes suspicious content
- Systems usually consist of a Collection/Monitoring system and monitoring agents on each system
- Logs collected in CloudWatch, S3 or other tools, together with the tooling that analyzes them, are sometimes called a Security Information and Event Management (SIEM) system
- AWS marketplace has different third-party choices of IDS and IPS appliances
CloudWatch
- Log events across AWS services
- Higher-level comprehensive monitoring and eventing
- Log from multiple accounts
- Logs stored indefinitely
- Alarms history for 14 days
CloudTrail
- Log API activity across AWS services
- More low-level and granular
- Log from multiple accounts
- Logs stored to S3 or CloudWatch indefinitely
- No native alarming; Can use CloudWatch alarms
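Since CloudTrail has no alarming of its own, the usual approach is to feed its records to CloudWatch (or a SIEM) and alert on specific API calls. The following is an added example, not part of these notes, of the detection logic such an alert would carry, run over a few constructed CloudTrail records: it flags attempts to switch off logging, security group rules opened to the whole internet, console logins without MFA, and any use of the root account. Field names follow the CloudTrail record format; account IDs, event IDs and addresses are placeholders.

```python
# Added example: detection rules over constructed CloudTrail records.
LOGGING_TAMPER = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}

# Constructed samples shaped like real CloudTrail records (placeholder IDs).
SAMPLE_RECORDS = [
    {"eventID": "evt-1", "eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
     "userIdentity": {"type": "IAMUser", "userName": "dev-alice", "accountId": "222222222222"},
     "requestParameters": {"name": "org-trail"}},
    {"eventID": "evt-2", "eventSource": "ec2.amazonaws.com", "eventName": "AuthorizeSecurityGroupIngress",
     "userIdentity": {"type": "AssumedRole", "accountId": "222222222222"},
     "requestParameters": {"groupId": "sg-placeholder", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
          "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
    {"eventID": "evt-3", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "Root", "accountId": "222222222222"},
     "additionalEventData": {"MFAUsed": "No"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventID": "evt-4", "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "userIdentity": {"type": "AssumedRole", "accountId": "222222222222"}},
]


def open_to_world(ip_permissions):
    """True if any ingress permission grants 0.0.0.0/0 or ::/0."""
    for perm in ip_permissions.get("items", []):
        for rng in perm.get("ipRanges", {}).get("items", []):
            if rng.get("cidrIp") == "0.0.0.0/0":
                return True
        for rng in perm.get("ipv6Ranges", {}).get("items", []):
            if rng.get("cidrIpv6") == "::/0":
                return True
    return False


def findings_for(record):
    """Return the list of finding labels raised by one CloudTrail record."""
    name = record.get("eventName")
    source = record.get("eventSource")
    findings = []
    if source == "cloudtrail.amazonaws.com" and name in LOGGING_TAMPER:
        findings.append(f"logging tampering: {name}")
    if (source == "ec2.amazonaws.com" and name == "AuthorizeSecurityGroupIngress"
            and open_to_world(record.get("requestParameters", {}).get("ipPermissions", {}))):
        findings.append("security group opened to the world")
    if (name == "ConsoleLogin"
            and record.get("additionalEventData", {}).get("MFAUsed") == "No"
            and record.get("responseElements", {}).get("ConsoleLogin") == "Success"):
        findings.append("console login without MFA")
    if record.get("userIdentity", {}).get("type") == "Root":
        findings.append("root account activity")
    return findings


def scan(records):
    """(eventID, finding) pairs for every record that trips a rule."""
    return [(r["eventID"], f) for r in records for f in findings_for(r)]


if __name__ == "__main__":
    for event_id, finding in scan(SAMPLE_RECORDS):
        print(f"{event_id}: {finding}")
```

The first rule is the detective twin of an SCP that forbids these CloudTrail calls: the SCP stops the call, and the alert tells you someone tried. In production the same predicates become CloudWatch Logs metric filters or SIEM correlation rules, with the records arriving from the trail's S3 bucket or CloudWatch log group.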
AWS Service Catalog
- Framework allowing administrators to create pre-defined products and landscapes for their users
- Granular control over which users have access to which offerings
- Uses IAM roles so users don't need underlying service access
- Allows end users to be self-sufficient while upholding enterprise standards and deployments
- Based on CloudFormation templates
- Administrators can version and remove products. Existing running product versions will not be affected.
AWS Service Catalog Constraints
- Launch Constraint
- IAM role that Service Catalog assumes when an end-user launches a product.
- Notification Constraint
- SNS topic to receive notifications about stack events.
- Template Constraint
- One or more rules that narrow allowable values an end-user can select