Security Concepts

Shared Responsibility Model

  • AWS - Reponsbility for Security of the Cloud
  • Customer - Responsibility for Security in the Cloud

Principle of Least Privillege**

  • Give users (or services) nothing more than those privileges required to perform their intended function. (and only when they need them)

Security Facets

  • Identity
    • Who are you?
  • Authentication
    • Prove that you’re who you say
  • Authorization
    • Are you allowed to do this?
  • Trust
    • Do other entities that I trust say they trust you

Typical Components

  • Identities
    • Users who want to grant access to certains services
  • Identity Providers
    • e.g. Facebook, Google, etc..
  • Identity Broker
    • Facilitates communication with identity to grant access to certain services
  • Identity Store
    • Contains information about identities privileges
  • Services

SAML 2.0, OAuth 2.0, OpenID Connect

SAML 2.0

  • Can handle both authorization and authentication
  • XML-based protocol
  • Can contain user, group, membership and other useful information
  • Assertions in the XML for authentication, attributes or authorization
  • Best suited for Single Sign-On for enterprise users

OAuth 2.0

  • Allow sharing of protected assets without having to send login credentials
  • Handles authorization only, not authentication
  • Issues token to client
  • Application validates token with Authorization Server
  • Delegate access, allowing the client applications to access information on behalf of user
  • Best suited for API authorization between apps

OpenID Connect

  • Identity layer built on top of OAuth 2.0, adding authentication
  • Uses REST/JSON message flows
  • Supports web clients, mobile clients, Javascript clients
  • Extensible
  • Best suited for Single Sign-on for consumer

AWS Artifact

  • AWS resource for compliance-related information
  • Provides on-demand access to AWS’ security and compliance reports and select online agreements

Multi-Account Management

  • AWS Organizations
  • Service Control Policies
  • Tagging
  • Resource Groups
  • Consolidated Billing

Identity Account Structure

  • Manage all user accounts in one location
  • Users trust relationship from IAM roles in sub-accounts to identify Account to grant temporary access
  • Variations include by Business Unit, Deployment, Environment, Geography

Logging Account Structure

  • Centralized logging repository
  • Can be secured so as to be immutable
  • Can use Service Control Policies (SCP) to prevent sub-accounts from changing logging settings

Publishing Account Structure

  • Common repository for AMI’s, Containers, Code
  • Permits sub-accounts to use pre-approved standardized services or assets

Central IT Account Structure

  • IT can manage IAM users and groups while assigning to sub-account roles
  • IT can provide shared services and standardized assets (AMI’s, databases, EBS, etc.) that adhere to corporate policy

Network Controls and Security Groups

Security Groups

  • Virtual firewalls for individual assets (EC2, RDS, AWS Workspaces, etc..)
  • Controls inbound and outbound traffic
  • Port or port ranges
  • Inbound rules are by SourceIP, Subnet or other Security Groups
  • Outbound rules are by Destination IP, Subnet, or other SG

Network Access Control Lists (NACLs)

  • Additional layer of security for VPC that acts as a firewall
  • Apply to entire subnets rather than individual assets
  • Default NACL allows all inbound and outbound traffic
  • NACLs are stateless - outbound traffic simply obeys outbound rules - no connection is maintained
  • Can duplicate or futher restrict access with SG
  • Remmeber ephermal ports for OUtbound if you need them

Why NACLs?

  • NACLs provide a backup method of security if you accidentally change yoiur SG to be too permissive
  • Covers the entire subnet so users to create new instances and fail to assign a proper SG are still protected
  • Part of a multi-layer Least Privilege concept to explicitly allow and deny

AWS Directory Services

  • AWS Cloud Directory
    • Cloud-native directory to share and control access to hierarchical data between applications
    • Cloud appliocations that need hierarchical data with complex relationships
  • Amazon Cognito
    • Sign-up and sign-in functionality that scales to millions of users and federated to public social media services
    • Develop consumer apps or SaaS
  • AWS Directory Service for Microsoft Active Directory
    • AWS-managed full Microsoft AD (standard or enterprise) running on Windows Server 2012 R2
    • Enterprises that want hosted Microsoft AD or you need LDAP for Linux Apps
  • AD Connector
    • Allow on-premises users to log into AWS services with their existing AD credentials. Also allows EC2 instances to join AD domain.
    • Single sign-on for on-prem employees and for adding EC2 instances to the domain
  • Simple AD
    • Low scale, low cost AD implementation based on Samba
    • Simple user directory, or you need LDAP compatibility

Credentials and Access Management

AWS Security Token Service (STS)

Token Vending Machine Concept

  • Common way to issue temporary credentials for mobile app development
  • Anonymous TVM (Token Vending Machine) - Used as a way to provide access to AWS services only, does not store user identity
  • Identity TVM - used for registration and login, and authorizations
  • AWS now recommends that mobile developers use Cognito and related SDK

AWS Secret Manager

  • Store passwords, encryption keys, API keys, SSH keys, PGP keys, etc…
  • Alternative to storing passwords or keys in a “vault”
  • Can access secrets via API with fine-grained access control provided by IAM
  • Automatically rotate RDS database credentials for MySQL, PostgreSQL and Aurora
  • Better than hard-coding credentials in scripts or application


  • Encryption at Rest
    • Data is encrypted such as on EBS, on S3, in an RDS database or in an SQS queue waiting to be processed
  • Encryption in Transit
    • Data is encrypted as it flows through a network or process, such as SSL/TLS for HTTPS, or with IPSec for VPN connections

Key Management Service (KMS)

  • Key storage, management and auditing
  • Tightly integrated into many AWS services, like Lambda, S3, EBS, EFS, DynamoDB, SQS, etc.
  • You can import your own keys or have KMS generate them
  • Control who manages and accesses keys via IAM users and roles
  • Audit use of keys via CloudTrail
  • Differs from Secret Manager as its purpose-build for encryption key management
  • Validated by many cmpliance schemes

CloudHSM (Hardware Security Module)

  • Dedicated hardware device, Single Tenanted
  • Must be within a VPC and can access via VPC Peering
  • Does not natively integrated with many AWS services like KMS, but rather requires custom application scripting
  • Offload SSL from web servers, act as an issuing CA, enable TDE for Oracle databases

Cloud HSM vs KMS

  • CloudHSM
    • Single-Tenant HSM
    • Customer-managed durability and available
    • Customer managed root of trust
    • Broad 3rd Party Support
    • Multi-Tenant AWS Service
    • Highly available and durable key storage and management
    • AWS managed root of trust
    • Broad AWS Service Support

AWS Certificate Manager

  • Managed service that lets you provision, manage and deploy public or private SSL/TLS certificates
  • Directly integrated into many AWS services like CloudFront, ELB and API Gateway
  • Free public certificates to use with AWS services; no need to register via a 3rd party certificate authority
  • You can import 3rd party certificates for use on AWS
  • Supports wildcard domains
  • Managed certificate renewal
  • Can create a managed Private Certificate Authority as well for internal and proprietary apps, services or devices

Distributed Denial of Services Attacks

  • Phishing is one of the common way to compomise the systems
  • Amplification/Reflection Attacks
    • Send small request to NTP server by manipulating data packets (NTP Monlist)
    • NTP server replies to target device with a big response (MONLIST command output)
    • Target device is flooded
  • Application Attacks (Layer 7)
    • HTTP GET Flood

Mitigating DDoS

  • Minimize attack surface
    • NACLs, SGs, VPC Design
  • Scale to absorb attack
    • Auto-Scaling Groups, AWS CloudFront, Static Web Content via S3
  • Safeguard exposed resources
    • Route 53, AWS WAF, AWS Shield
  • Learn normal behavior
    • AWS GuardDuty, CloudWatch


  • Intruder Detection System
    • watches network to identify someone trying to compromise the system
  • Intruder Prevention System
    • Prevents exploits, sits behind firewall and scans and analyzes suspicious content
  • Systems usually consist of a Collection/Monitoring system and monitoring agents on each system
  • Logs collected in CloudWatch, S3 or other tools are sometimes called Security Information and Event Management (SIEM) system
  • AWS marketplace has different third-party choices of IDS and IPS appliances


  • Log events across AWS services
  • Higher-level comprehensive monitoring and eventing
  • Log from multiple accounts
  • Logs stored indefinetely
  • Alarms history for 14 days


  • Log API activity across AWS services
  • More low-level granular
  • Log from multiple accounts
  • Logs stored to S3 or CloudWatch indefinetely
  • No native alarming; Can use CloudWatch alarms

AWS Service Catalog

  • Framework allowing administrators to create pre-defined products and landscapes for their users
  • Granular control over which users have access to which offerings
  • Make use of adopter IAM roles so users don’t need underlying service access
  • Allows end users to be self-sufficient while uploading enterprise standards and deployments
  • Based on CloudFormation templates
  • Administrators can version and remove products. Existing running product versions will not be affected.

AWS Service Catalog Constraints

  • Launch Constraint
    • IAM role that Service Catalog assumes when an end-user launches a product.
  • Notificaiton Constraint
    • SNS topic to receive notifications about stack events.
  • Template Constraint
    • One or more rules that narrow allowable values an end-user can select