Skip to content

Instantly share code, notes, and snippets.

Show Gist options
  • Save richlamdev/a563d2d33f40437d8fd5c7b97b319aff to your computer and use it in GitHub Desktop.
Save richlamdev/a563d2d33f40437d8fd5c7b97b319aff to your computer and use it in GitHub Desktop.
aws-certified-security-specialist-study-notes
___ _____ ___ _ _ __ _ _ ___ _ _ ___ _ _ _
/_\ \ / / __| ___ / __|___ _ _| |_(_)/ _(_)___ __| | / __| ___ __ _ _ _ _(_) |_ _ _ / __|_ __ ___ __(_)__ _| | |_ _ _
/ _ \ \/\/ /\__ \ |___| | (__/ -_) '_| _| | _| / -_) _` | \__ \/ -_) _| || | '_| | _| || | \__ \ '_ \/ -_) _| / _` | | _| || |
/_/ \_\_/\_/ |___/ \___\___|_| \__|_|_| |_\___\__,_| |___/\___\__|\_,_|_| |_|\__|\_, | |___/ .__/\___\__|_\__,_|_|\__|\_, |
|__/ |_| |__/
Notes taken in Mar-2018, from acloud.guru and AWS FAQ
___ _ _ _ __ _
/ __| ___ __ _ _ _ _(_) |_ _ _ / |/ \/ |
\__ \/ -_) _| || | '_| | _| || | | | () | |
|___/\___\__|\_,_|_| |_|\__|\_, | |_|\__/|_|
|__/
___ _ _ __ _ _ ___ _____ ___ _ _
/ __| ___ __ _ _ _ _(_) |_ _ _ ___ / _| | |_| |_ ___ /_\ \ / / __| / __| |___ _ _ __| |
\__ \/ -_) _| || | '_| | _| || | / _ \ _| | _| ' \/ -_) / _ \ \/\/ /\__ \ | (__| / _ \ || / _` |
|___/\___\__|\_,_|_| |_|\__|\_, | \___/_| \__|_||_\___| /_/ \_\_/\_/ |___/ \___|_\___/\_,_\__,_|
|__/
-------------------------
Security of the AWS Cloud
-------------------------
CIA Model (aka Triad model)
- Confidentiality
- Think: Encryption (At Rest / In Transit) - 2FA - IAM etc
- AWS: MFA, IAM, Bucket Policies, Security Groups, ACL
- Availability
- Think: Multi-AZ, Clusters, Multi-Region, Design for failure
- AWS: Auto-scaling, Multi-AZ, Multi-Region, Route 53
- Integrity
- Think: File permissions, user access controls, version control, checksums, hashes
- AWS: Certificate Manager, IAM, Bucket Policies
AAA Model
- Authentication
- Think: login
- AWS: IAM
- Authorization
- Think: permissions
- AWS: Policies
- Accounting
- Think: Audit Trail
- AWS: CloudTrail
Non-repudiation (can't deny you did something)
- AWS: CloudTrail, IAM, CloudWatch, MFA
-----------------
Security *of* AWS
-----------------
- White paper: Introduction to AWS Security Processes. **MUST READ**
- How does AWS secure their stuff?
- Physical and Environmental Security
- Business Continuity Management
- Network Security
- AWS Access
- Secure Design Principles
- Change Management
The corporate Amazon.com network is COMPLETELY segregated from AWS.
- Why should we trust AS? - Compliance programs:
- PCI DSS level 1
- ISO 27001
- HIPAA
- etc
---------------------------
Shared Responsibility Model
---------------------------
- AWS responsible for security "OF" the Cloud
- Customer responsible for security "IN" the Cloud
Service types
- Infrastructure (e.g. EC2, EBS, Auto-Scaling, VPC) - You're responsible for OS up
- Container (e.g. RDS, EMR, Elastic Beanstalk) - You're responsible above container
- Abstracted (e.g. S3, Glacier, DynamoDB, SQS, SES) - You're responsible for things like encryption, policies etc
-----------------
Security *in* AWS
-----------------
- Visibility
- AWS Config - What assets do you have?
- Auditability
- CloudTrail - Do we comply with policies and regulations?
- Controllability
- KMS (multi-tenant) and CloudHSM (Dedicated - FIPS 140-2 Compliance) - Is my data controlled?
- Agility
- CloudFormation, Elastic Beanstalk - How quickly can we adapt to changes?
- Automation
- OpsWorks, CodeDeploy - Are our processes repeatable?
- Scale
- All AWS customers get the same security foundations, from Fortune 500 to startup
Other services: IAM, Trusted Advisor, CloudWatch
___ _ _ _ _ _ __ __ _ ___ ____ __ ___ _ _ ___ _ _ _
|_ _|__| |___ _ _| |_(_) |_ _ _ /_\ __ __ ___ ______ | \/ |__ _ _ _ __ _ __ _ ___ _ __ ___ _ _| |_ / __|__ / / _|___ / __| ___ __ _ _ _ _(_) |_ _ _ | _ \___| (_)__(_)___ ___
| |/ _` / -_) ' \ _| | _| || | / _ \/ _/ _/ -_|_-<_-< | |\/| / _` | ' \/ _` / _` / -_) ' \/ -_) ' \ _|_ \__ \|_ \ > _|_ _| \__ \/ -_) _| || | '_| | _| || | | _/ _ \ | / _| / -_|_-<
|___\__,_\___|_||_\__|_|\__|\_, | /_/ \_\__\__\___/__/__/ |_| |_\__,_|_||_\__,_\__, \___|_|_|_\___|_||_\__( ) |___/___/ \_____| |___/\___\__|\_,_|_| |_|\__|\_, | |_| \___/_|_\__|_\___/__/
|__/ |___/ |/ |__/
___ _ __ __
|_ _| /_\ | \/ |
| | / _ \| |\/| |
|___/_/ \_\_| |_|
-------------------
Reseting root users
-------------------
Scenario: You are the new sysadmin, and need to ensure that the previous sysadmin cannot access AWS resources in your account
- Create a new root user password, and strong password policy
- Delete previous 2FA and re-create
- Check if the root user has an Access Key ID and Secret Access Key. If so, delete.
- Check other user accounts. Verify they are legitimate and if not, delete these.
----------------
IAM Policies 101
----------------
Types
- AWS Managed
- Standalone, created and admin'd by AWS
- Shared across millions of AWS accounts
- AWS CAN change them
- Customer Managed
- Standalone polices, that you admin
- In-line Policies
- Strict one-to-one relationship between an policy and the principal entity that it's applied to.
Exam tips:
- IAM is GLOBAL. Applies to all areas of AWS, not just S3
- 3 types of IAM policies:
- AWS Managed
- Customer Managed
- Inline policies
- Policy contains PARC
- Principal
- WHO/WHAT is Allowed/Denied access, indicated by ARN.
- If IAM Policy, this is implicit based on what you attach it too
- Can be Everyone (AWS:*.*), Specific account/s, IAM user, Federated user, Specific role, Specific service
- Action
- Action or NotAction (everything but)
- ec2:StartInstances
- iam:ChangePassword
- s3:getObject
- sqs:SendMessage, sqs:ReceiveMessage
- iam:*AccessKey*
- Resource
- Object(s) being requested
- Resource or NotResource (everything but)
- Resource: arn:aws:s3:::mybucket/*
- NotResource: arn:aws:s3:::securityloggingbucket/*
- Resource: aws:sqs:us-west-2:12312312312312:queue1
- Resource: arn:aws:dynamodb:us-west-2:1231232:table/books_table
- Resource: arn:aws:ec2:us-east-1:1:12312312312312:instance/*
- Condition
- DateGreaterThan : aws:CurrentTime : "2018-12-25T00:00:00Z"
- DateLessThan: aws:CurrentTime : "2018-12-26T08:00:00Z"
- IPAddress: aws:SourceIP : [192.0.2.0/24, 10.0.0.0/8]
- The above is AND, the OR is in the values (e.g. see IP address)
- All conditions must be true for condition to be met
- Policy types (all use PARC model)
- Service Control Policies (SCPs) -> AWS Organizations / OU
- Use case: Disable access to services
- Inline policies & Managed policies -> IAM
- Use case: Set granular permissions based on functions that users or application need to perform
- Scoped-down policies -> AWS Security Token Service (STS)
- Use case: Reduce general shared permissions further
- Resource-based policies (e.g. S3 bucket policies / Queues/ Vaults) -> AWS Service
- Use case: Control access at the resource
- Use case: Cross-Account access
- How these policies work together....
- Same AWS account:
SCP -> Union(Intersect(Union(IAM Managed Policy, IAM Inline policy), Scoped-Down policy), Resource-based policies)
- Cross account:
SCP -> Intersect(Intersect(Union(IAM Managed Policy, IAM Inline policy), Scoped-Down policy), Resource-based policies)
- Cross Account access:
- To establish cross-account access, in the trusting account (Account A), you create an IAM policy that grants the trusted account (Account B) access to specificresources. Account B can then delegate this access to its IAM users. Account B cannot delegate more access to its IAM users than the permissions that it has been granted by Account A.
___ ____ ___ _ _ ___ _ _ _
/ __|__ / | _ )_ _ __| |_____| |_ | _ \___| (_)__(_)___ ___
\__ \|_ \ | _ \ || / _| / / -_) _| | _/ _ \ | / _| / -_|_-<
|___/___/ |___/\_,_\__|_\_\___|\__| |_| \___/_|_\__|_\___/__/
------------------
S3 Bucket Policies
------------------
- S3 Bucket Policies
- Attached only to S3 buckets
- Specify what actions are ALLOWED or DENIED
- Can be broken down to user level
- Bucket level only. S3 only
- EXPLICIT DENY ALWAYS OVERRIDES AN ALLOW (True for S3 bucket policies AND IAM policies)
- Remember to add /* in after the bucket ARN to specify all objects within it - policy is not valid without
___ ____ _ ___ _
/ __|__ / /_\ / __| | ___
\__ \|_ \ / _ \ (__| |__(_-<
|___/___/ /_/ \_\___|____/__/
-------
S3 ACLs
-------
- Legacy access control (predates IAM)
- Why use?: If you need to apply policies to the OBJECTS themselves (Bucket policies are only bucket level)
- Use cases:
- You need fine grained permissions on individual file/OBJECTs
- Bucket policies are limited to 2 kb in size, so use ACLS if bucket policy has grown too large.
- Object ACLs can be applied - however not via Console, only via CLI/API
___ __ _ _ _ _ ___ _ _ _
/ __|___ _ _ / _| (_)__| |_(_)_ _ __ _ | _ \___| (_)__(_)___ ___
| (__/ _ \ ' \| _| | / _| _| | ' \/ _` | | _/ _ \ | / _| / -_|_-<
\___\___/_||_|_| |_|_\__|\__|_|_||_\__, | |_| \___/_|_\__|_\___/__/
|___/
--------------------
Conflicting Policies
--------------------
- ** Important **
- Policy Conflicts - decision flow:
- 1. Decision starts at deny
- 2. Evaluate All Applicable Policies
- 3. Is there an explicit Deny? - If yes, then DENY (Explicit DENY)
- 4. Is there an Allow? - If yes, then ALLOW.
- 5. DENY.
- Example:
- IF:
- IAM policy grants access to object, and
- S3 bucket policies denies access to that object, and
- There is no S3 ACL
- THEN:
- Access DENIED
- Exam Tips
- With least-privilege, decisions ALWAYS default to DENY
- Also, an explicit DENY ALWAYS trumps an ALLOW
- If no method specifies an ALLOW, then the the request will be DENIED by default
- Only if no method specifies a DENY and one or more methods specify an ALLOW will the request be allowed
___ _ _____ _ ___ ___ _ _ _ _ _ ___ ____
| __|__ _ _ __(_)_ _ __ _ |_ _| | / __| | __|_ _ __ _ _ _ _ _ __| |_(_)___ _ _ | | | |__(_)_ _ __ _ / __|__ /
| _/ _ \ '_/ _| | ' \/ _` | | | | |__\__ \ | _|| ' \/ _| '_| || | '_ \ _| / _ \ ' \ | |_| (_-< | ' \/ _` | \__ \|_ \
|_|\___/_| \__|_|_||_\__, | |_| |____|___/ |___|_||_\__|_| \_, | .__/\__|_\___/_||_| \___//__/_|_||_\__, | |___/___/
|___/ |__/|_| |___/
---------------------------------------
Forcing (TRANSPORT) Encryption Using S3
---------------------------------------
- Deny Non-TLS HTTP
- Use a bucket policy
- Deny with BOOLean condition (aws.SecureTransport:false)
"Condition":{
"Bool": {"aws:SecureTransport":false}}}]}
___ ___ _ ___ _ _ _ _ _ _ ___ ____
/ __|_ _ ___ ______ | _ \___ __ _(_)___ _ _ | _ \___ _ __| (_)__ __ _| |_(_)___ _ _ /_\ _ _ __| | / __|__ /
| (__| '_/ _ (_-<_-< | / -_) _` | / _ \ ' \ | / -_) '_ \ | / _/ _` | _| / _ \ ' \ / _ \| ' \/ _` | \__ \|_ \
\___|_| \___/__/__/ |_|_\___\__, |_\___/_||_| |_|_\___| .__/_|_\__\__,_|\__|_\___/_||_| /_/ \_\_||_\__,_| |___/___/
|___/ |_|
-------------------------------
Cross Region Replication And S3
-------------------------------
Links:
- https://docs.aws.amazon.com/AmazonS3/latest/dev/crr.html
- https://docs.aws.amazon.com/AmazonS3/latest/dev/crr-what-is-isnot-replicated.html
- CRR is one source bucket to only ONE destination bucket.
- What is replicated:
- Any NEW objects created AFTER CRR enabled
- All unencrypted objects
- Encrypted objects, if:
- AWS S3 managed keys (SSE-S3)
- AWS KMS managed keys (SSE-KMS) - IF you've explicitly enabled this
- Object metadata
- Any object ACL updates
- Any object tags
- Delete Markers
- Note: S3 replicates only objects in the source bucket for which the bucket owner has permissions to read objects and read access control lists (ACLS)
- What is NOT replicated:
- Anything before CRR enabled
- Encrypted objects, if:
- Customer provided keys (SSE-C)
- AWS KMS managed keys (SSE-KMS) - IF you've NOT explicitly enabled this
- Objects in the source bucket for which the bucket owner does not have permissions. This can happen when the object owner is different from the bucket owner
- Deletes to a particular VERSION of an object. This is a security mechanism.
- Exam tips:
- CRR is SSL/TLS by DEFAULT. DO NOT need a bucket policy with aws.SecureTransport conditions.
- Delete markers ARE replicated.
- Deleted versions ARE NOT replicated.
- Source and Destination buckets must have versioning enabled.
- Possible to use CRR from one AWS account to another, the IAM role must have permissions to replicate objects in the destination bucket. This is often a security best practice
___ _ ___ ____ _ _ _ ___ _ _ ___ _
| __|__ _ _ __(_)_ _ __ _ / __|__ / | |_ ___ | | | |___ ___ / __| |___ _ _ __| | __| _ ___ _ _| |_
| _/ _ \ '_/ _| | ' \/ _` | \__ \|_ \ | _/ _ \ | |_| (_-</ -_) | (__| / _ \ || / _` | _| '_/ _ \ ' \ _|
|_|\___/_| \__|_|_||_\__, | |___/___/ \__\___/ \___//__/\___| \___|_\___/\_,_\__,_|_||_| \___/_||_\__|
|___/
----------------------------
Forcing S3 to Use CloudFront
----------------------------
- Process to enable post distribution creation:
1. Edit Origin
2. 'Restrict Bucket Access' - Yes
3. Create/Re-use a OAI (Origin Access Identity)
4. 'Grant Read Permissions on Bucket' - Yes
- To use Custom SSL certificate:
- Need to Request/Import from ACM
- Remember this is not the same cert as ELB/ALB
___ ____ ___ _ _ _ _ ___ _
/ __|__ / | _ \_ _ ___ ___ __(_)__ _ _ _ ___ __| | | | | | _ \ | ___
\__ \|_ \ | _/ '_/ -_)___(_-< / _` | ' \/ -_) _` | | |_| | / |__(_-<
|___/___/ |_| |_| \___| /__/_\__, |_||_\___\__,_| \___/|_|_\____/__/
|___/
------------------
S3 Pre-signed URLs
------------------
- You can access objects using pre-signed URL's
- DONT need to configure: object ACL or Bucket policies or IAM policies
- Typically these are done via the SDK, but can also be done using the CLI
- They exist for a certain length of time (in seconds). Default is 1 hour (3600 seconds)
- Can be changed using '--expires-in' parameter, followed by number of seconds
_ _ _ _ __ __ _ _ _
| | ___ __ _ __ _(_)_ _ __ _ /_\ _ _ __| | | \/ |___ _ _ (_) |_ ___ _ _(_)_ _ __ _
| |__/ _ \/ _` / _` | | ' \/ _` | / _ \| ' \/ _` | | |\/| / _ \ ' \| | _/ _ \ '_| | ' \/ _` |
|____\___/\__, \__, |_|_||_\__, | /_/ \_\_||_\__,_| |_| |_\___/_||_|_|\__\___/_| |_|_||_\__, |
|___/|___/ |___/ |___/
___ _ _ _____ _ _
/ __| |___ _ _ __| |_ _| _ __ _(_) |
| (__| / _ \ || / _` | | || '_/ _` | | |
\___|_\___/\_,_\__,_| |_||_| \__,_|_|_|
----------
CloudTrail
----------
https://aws.amazon.com/cloudtrail/faqs/
- Records AWS API calls for your accounts and delivers log files to you
- Enabled by default, past 90 days of account activity.
- By default, CloudTrail log files are encrypted using S3 Server Side Encryption (SSE)
- WON'T log RDP/SSH etc - ONLY API calls
- What is logged?
- Metadata around API calls...
- The identity of the API caller
- The time of the API call
- The source IP address of the API caller
- The request parameters
- The response elements returned by the service
- Where are the logs stored:
- Sent to S3 bucket
- You manage the retention in S3
- Delivery every 5 (active) minutes with up to 15 mins delay
- Notifications available via SNS
- Can be aggregated across regions
- Can be aggregated across accounts
- Validating CloudTrail Log File Integrity:
- Was the log file modified, or deleted?
- CloudTrail log file integrity validation:
- SHA-256 hashing
- SHA-256 with RSA for digital signing
- Log files are delivered with a Digest file
- Digest file can be used to validate the integrity of the log file. Digest files take ~1hr to be generated.
Exam Tips:
- Protect your CloudTrail logs, they contain everything that you are doing in your AWS account and may contain PII
- Allow you security people admin access to Cloudtrail, auditors read only access to CloudTrail using IAM
- Restrict Access to S3 using bucket policies, and use MFA delete on your objects
- Use lifecycle rules to move data to Glacier or to delete it
- Check the integrity of your log files using digest files
___ _ ___ __ _ _
/ __| |___ _ _ __| \ \ / /_ _| |_ __| |_
| (__| / _ \ || / _` |\ \/\/ / _` | _/ _| ' \
\___|_\___/\_,_\__,_| \_/\_/\__,_|\__\__|_||_|
----------
CloudWatch
----------
https://aws.amazon.com/cloudwatch/faqs/
- CloudWatch is a monitoring service for AWS cloud resources and the application you run on AWS
- Key Components:
- CloudWatch
- Real time
- Dashboard / Widgets
- Metrics
- Alarms
- Notifications
- Custom metrics
- CloudWatch Logs
- Pushed from some AWS services (including CloudTrail)
- Pushed from your applications / systems
- Metrics from log entry mismatches
- Stored indefinitely (DOES NOT use S3)
- CloudWatch Events
- Near real-time stream of system events
- Events
- AWS Resources state change
- AWS CloudTrail (API Calls)
- Custom events (code)
- Scheduled
- Rules - match incoming events and route them to one or more targets
- Targets - Lambda functions, SNS topics, SQS queues, Kinesis Streams etc
___ _____ ___ __ _
/_\ \ / / __| / __|___ _ _ / _(_)__ _
/ _ \ \/\/ /\__ \ | (__/ _ \ ' \| _| / _` |
/_/ \_\_/\_/ |___/ \___\___/_||_|_| |_\__, |
|___/
----------
AWS Config
----------
https://aws.amazon.com/config/faq/
- AWS Config is a fully managed service that provides you with an AWS resource inventory, configuration history, and configuration change notifications to enable security & governance
- Key components:
- Config Dashboard
- Config Rules
- Managed
- Custom
- Resources
- Settings
- Stored in S3
- Terminology:
- Configuration *Items*
- Point-in-Time attributes of resource
- Configuration *Snapshots*
- Collection of Config Items
- Configuration *Stream*
- Stream of changed Config Items
- Configuration *History*
- Collection of config items for a resource over time
- Configuration *Recorder*
- The configuration of Config that records and stores config items
- Log config for account in region
- Stores in S3
- Notified via SNS
- What can we see?
- Resource Type
- Resource ID
- Compliance
- Timeline
- Configuration details
- Relationships
- Changes
- CloudTrail Events
- Compliance checks:
- Trigger:
- Periodic
- Configuration snapshot delivery (filterable)
- Managed Rules
- ~40 Rules
- Basic, but fundamental
- Permissions needed for Config (Console will optionally create these for you):
- AWS Config requires an IAM Role with:
- Read-only permissions to the recorded resources
- Write access to S3 logging bucket
- Publish access to SNS
- Restricting access:
- Users need to be authenticated with AWS and have the appropriate permissions set via IAM policies to gain access.
- Only admins needing to set up and managed Config require full access
- Provide read only permissions for Config day-to-day use
- Monitoring Config:
- Use CloudTrail with Config to provide deeper insight into resources
- Use CloudTral to monitor access to Config, such as someone stopping the Config Recorder.
------------------------------------------
Setup Up An Alert If the Root User Logs in
------------------------------------------
- Combo of CloudTrail -> CloudWatch Logs -> Custom Metrics
- Steps:
1. Turn on CloudTrail -> CloudWatch Log integration
2. Create a CloudWatch metric filter on the new log group
3. Assign a metric
4. Create an alarm
5. Test the alarm and receive an SNS notification
6. Look up the event and take corrective actions
___ _ _ _ _ ___ __ __
/ __| |___ _ _ __| | | || / __| \/ |
| (__| / _ \ || / _` | | __ \__ \ |\/| |
\___|_\___/\_,_\__,_| |_||_|___/_| |_|
---------
Cloud HSM
---------
https://aws.amazon.com/cloudhsm/faqs
- Cloud HSM is a dedicated Hardware Security Module (HSM) within the AWS cloud
- Enables:
- Control of data
- Evidence of control
- Meet tough compliance controls
- Provides:
- Secure key storage
- Crypto operations
- Tamper-resistant
- Supports Symmetric and Asymmetric keys (unlike KMS, which is symmetric only)
___ _ _____ _ _ _ _ _
|_ _|_ _ ____ __ ___ __| |_ ___ _ _ __ _____ |_ _| _ _ _ __| |_ ___ __| | /_\ __| |_ _(_)___ ___ _ _
| || ' \(_-< '_ \/ -_) _| _/ _ \ '_| \ V (_-<_ | || '_| || (_-< _/ -_) _` | / _ \/ _` \ V / (_-</ _ \ '_|
|___|_||_/__/ .__/\___\__|\__\___/_| \_//__(_) |_||_| \_,_/__/\__\___\__,_| /_/ \_\__,_|\_/|_/__/\___/_|
|_|
-----------------------------
Inspector vs. Trusted Advisor
-----------------------------
- Inspector (NEEDS AGENT)
- Automated security assessment service -> report with prioritized findings
- How does it work?
- Create "Assessment Target"
- Install agents on EC2 instances
- Create 'Assessment template'
- Perform 'Assessment run'
- Review 'Findings' against 'Rules'
- Rule packages:
- Common Vulnerabilities and Exposures
- CIS Operating System Security Configuration Benchmarks
- Security Best Practices
- Runtime Behavior Analysis
- Severity Level of Rules:
- High
- Medium
- Low
- Informational
- It will:
- Monitor the network, file system and process activity within the specified target
- Compare what it 'sees' to security rules
- Report on security issues observed within target during run
- Report findings and advise remediation
- It WILL NOT:
- Relieve you of your responsibility under the shared responsibility model
- Perform miracles
- Trusted Advisor (NO AGENT)
- Help you reduce cost, increase performance, and improve security, fault tolerance by optimizing your AWS environment, areas:
- Cost Optimization
- Performance
- Fault Tolerance
- Security (basically stuff that is not dependent on an agent)
- Core Checks and Recommendations
- The 'Full' trusted advisor is only available for Business / Enterprise customers.
_ _
| | ___ __ _ __ _(_)_ _ __ _
| |__/ _ \/ _` / _` | | ' \/ _` |
|____\___/\__, \__, |_|_||_\__, |
|___/|___/ |___/
------------------------------
Logging with AWS - White paper
------------------------------
- Services:
- AWS CloudTrail
- AWS Config
- VPC Flow Logs
- AWS CloudWatch Logs
- *READ*: Security at Scale: Logging in AWS - https://d0.awsstatic.com/whitepapers/compliance/AWS_Security_at_Scale_Logging_in_AWS_Whitepaper.pdf
- Control Access to Log Files
- Prevent unauthorized access:
- IAM users, groups, roles and polices
- Amazon S3 bucket policies
- Multi Factor Auth (MFA)
- Ensure role-based access:
- IAM users, groups, roles and polices
- Amazon S3 bucket policies
- Obtain Alerts on Log File Creation and misconfiguration
- Alert when logs are created or fail:
- CloudTrail notifications
- AWS Config Rules
- Alerts are specific, but don't divulge detail:
- CloudTrail SNS notifications only point to the log file location
- Manage changes to AWS Resources and Log Files:
- Log changes to system components:
- AWS Config Rules
- CloudTrail
- Controls exist to prevent modifications to logs:
- IAM and S3 controls and policies
- CloudTrail log file validation
- CloudTrail log file encryption
- Storage on log files
- Logs are stored for at least one year.
- Store logs for an organizational defined period of time
- Store logs real-time for resiliency
- S3 has eleven 9s durability.
_ ____ __ ___
| |/ / \/ / __|
| ' <| |\/| \__ \
|_|\_\_| |_|___/
---
KMS
---
- https://aws.amazon.com/kms/faqs/
- Limit: Up to 1000 CMKs per account per region. (Both enabled/disabled count towards limit). Default master keys created on your behalf for use within supported AWS services do not count against this limit.
- Keys are only stored and used in the region in which they are created. They cannot be transferred to another region. For example; keys created in the EU-Central (Frankfurt) region are only stored and used within the EU-Central (Frankfurt) region.
- Integrated with AWS services including: EBS, S3, Redshift, Elastic Transcoder, WorkMail, RDS
- Customer Master Key (CMK)
- Made up of:
- Alias
- Creation date
- Description
- Key State
- Key material (either customer provided or AWS provided)
- Can NEVER be exported
- CMK Types:
- AWS-Managed CMK for each service that is integrated with AWS KMS
- Customer-Managed CMK that you generate by providing AWS with key material (e.g. client-side OpenSSL)
- Keys are REGION specific.
- CMK, steps to create:
- Create Alias and Description
- Choose material option (AWS provided or Customer Provided)
- Define Key *Administrative Permissions*
- IAM users/roles that can ADMIN (but NOT use) the key through the KMS API
- Define Key *Usage Permissions**
- IAM users/roles that can USE the key to encrypt / decrypt data.
- Key material options:
- KMS generated key material
- Own key material (symmetric 256-bit key)
- Why import your OWN key material?
- Prove that RANDOMNESS meets your requirements (compliance)
- Extend you existing processes to AWS
- Can set an expiry period
- Able to delete key material without 7-30 day wait (without deleting the underlying customer master key). Then be able to import again
- To be resilient to AWS failure by storing keys outside AWS - i.e. you need to maintain a secure copy of your key within your own infrastructure in the effect of a disaster
- How to import your own key material
- Create a CMK with NO key material
- Download a public key (wrapping key) and import token
- Encrypt the key material (e.g. OpenSSL)
- Import the key material
- Considerations for Imported Key material:
- Availability and durability is "different" - i.e. you need to maintain a secure copy of your key within your own infrastructure in the effect of a disaster
- Secure key generation is up to you
- No automatic rotation
- Ciphertexts are not portable between CMKs (true for AWS managed too)
------------------
KMS with EC2 & EBS
------------------
- KMS CANNOT be used to generate public / private key (i.e. SSH) keys (asymmetric) to log into EC2
- CAN import public keys (i.e. SSH) for EC2
- KMS CAN be used to encrypt EBS volumes (i.e. symmetric)
- CANNOT use EC2 key pairs (i.e. SSH) to encrypt EBS volumes
- Use KMS (or 3rd party tools) to encrypt EBS volumes
- Steps to encrypt root EBS volume:
1. Stop instance
2. Detach Root Volume
3. Make snapshot (still unencrypted)
4. Create Image (AMI) from unencrypted root EBS volume snapshot
5. Copy image (AMI) and target region and select 'encrypt' and choose key
6. Launch EC2 instance with encrypted AMI
- Can change from AWS managed to customer managed keys.
- Can make an encrypted copy of an AMI in another region, but MUST use keys present in destination region
___ ___ ___ _ __ ___ _
| __/ __|_ ) | |/ /___ _ _ | _ \__ _(_)_ _ ___
| _| (__ / / | ' </ -_) || | | _/ _` | | '_(_-<
|___\___/___| |_|\_\___|\_, | |_| \__,_|_|_| /__/
|__/
-------------
EC2 Key Pairs
-------------
- View public key via:
- ~/.ssh/authorized_keys
- curl http://169.254.169.254/latest/meta-data/public-keys/0/openssh-key/
- Can add multiple public keys to an EC2 instance (append to ~/.ssh/authorized_keys)
- Deleting a Key Pair in the console WILL NOT delete it from the instance or from the instance meta-data
- If you loose your key, take snapshot of the EC2 instance, and deploy a new instance, this will APPEND a new public key to ~/.ssh/authorized_keys
- You cannot use KMS for SSH for EC2. KMS is symmetric keys only. You can with CloudHSM, as it supports asymmetric keys
- The instance meta-data DOES NOT update to include additional public keys, will only reflect the original one
___ _____ __ __ _ _ ___ _
/_\ \ / / __| | \/ |__ _ _ _| |_____| |_ | _ \ |__ _ __ ___
/ _ \ \/\/ /\__ \ | |\/| / _` | '_| / / -_) _| | _/ / _` / _/ -_)
/_/ \_\_/\_/ |___/ |_| |_\__,_|_| |_\_\___|\__| |_| |_\__,_\__\___|
----------------------------------
AWS Market Place Security Products
----------------------------------
- Can you purchase security products from 3rd party vendors on the AWS Market Place
- Things like: Firewalls, Hardened OS's, WAF's, Antivirus, Security Monitoring etc
- Free, Hourly, Monthly, Annual, BYOL (bring your own license) etc
- CIS (Centre for Internet Security) OS hardening guidelines
- Exam tip: If scenario is that you have a security challenge (e.g. block IP via NACL), that could technically be solved yourself (but at cost of time) - then it's likely that the preferred answer is to get a solution from the AWS Market Place (e.g. IDS/IPS)
__ ___ ___
\ \ / /_\ | __|
\ \/\/ / _ \| _|
\_/\_/_/ \_\_|
---
WAF
---
- Web Application Firewall
- Layer 7
- Lets you monitor HTTP / HTTPS requests that are forwarded to CloudFront or ALB
- Also lets you control access to your content
- Behaviors (at a basic level):
- ALLOW All except the ones you specify (Blacklist)
- BLOCK All except the ones you specify (Whitelist)
- COUNT the requests that match the properties that you specify (Monitor)
- Conditions such as:
- Source IP address
- Country
- Values in request headers
- Strings that appear in requests, either specific strings or regex match
- Length of requests
- Presence of SQL code that's likely to be malicious (i.e. SQLi)
- Presence of script code that's likely to be malicious (i.e. XSS)
- Query string parameters
- The ALLOW or HTTP 403 (permission denied)
- ALBs integrate with WAF at a REGIONAL level
- CloudFront integrates with WAF at a GLOBAL level
- You MUST to associate your rules to AWS resources in order for it to take effect
- You CAN use AWS WAF to project web sites not hosted in AWS via CloudFront. CloudFront support custom origins outside of AWS.
- IPs can be blocked at a /8, /16, /24 and /32 level
- Dual stack, supports both IPv4 and IPv6
___ _ _ _ _
/ __| |_ (_)___| |__| |
\__ \ ' \| / -_) / _` |
|___/_||_|_\___|_\__,_|
------
Shield
------
- DDoS protection
- Turned on by default (basic level)
- $3000 per month for advanced option
- Advanced gives you an incident response team and in depth reporting
- And you won't pay for the AWS resource usage costs associated with the DDoS attack
___ _ _ _ _ ___ _ ___ _ _ _ _ _ _ _
| \ ___ __| (_)__ __ _| |_ ___ __| | |_ _|_ _ __| |_ __ _ _ _ __ ___ ___ __ _____ | \ ___ __| (_)__ __ _| |_ ___ __| | | || |___ __| |_ ___
| |) / -_) _` | / _/ _` | _/ -_) _` | | || ' \(_-< _/ _` | ' \/ _/ -_|_-< \ V (_-< | |) / -_) _` | / _/ _` | _/ -_) _` | | __ / _ (_-< _(_-<
|___/\___\__,_|_\__\__,_|\__\___\__,_| |___|_||_/__/\__\__,_|_||_\__\___/__/ \_//__/ |___/\___\__,_|_\__\__,_|\__\___\__,_| |_||_\___/__/\__/__/
--------------------------------------
Dedicated Instances vs Dedicated Hosts
--------------------------------------
- BOTH enable the use of dedicated physical servers
- Dedicated INSTANCES:
- are billed per instance
- supports automatic instance placement only, cannot target the placement of your instance to specific hardware
- Dedicated HOSTS:
- are billed per host
- give visibly of sockets, cores, Host ID
- affinity between host and instance
- Allow targeted instances placement,
- But also supports automatic instance placement
- Need to add capacity using an allocation request
- Exam Tip: If you have specific regulatory requirements or licensing conditions, select Dedicated HOSTS
- Dedicated INSTANCES may share the same hardware with other AWS instances in the SAME AWS account
- Dedicated HOSTS give you much better visibility into things like sockets, cores and host id
___ _____ _ _ _
/_\ \ / / __| | || |_ _ _ __ ___ _ ___ _(_)___ ___ _ _ ___
/ _ \ \/\/ /\__ \ | __ | || | '_ \/ -_) '_\ V / (_-</ _ \ '_(_-<
/_/ \_\_/\_/ |___/ |_||_|\_, | .__/\___|_| \_/|_/__/\___/_| /__/
|__/|_|
---------------
AWS Hypervisors
---------------
- Choose HVM (hardware virtual machine) over PV (paravirtualization) where possible (due to performance)
- Windows EC2 can only run on HVM
- Linux can be either PV or HVM
- PV is isolated by rings, Hypervisor on Layer 0, Guest OS site on Layer 1, Application Layer 3
- Only AWS staff Administrators have access to hypervisors
- AWS staff DO NOT have access to EC2, customer responsibility
- All storage memory and RAM is scrubbed before it's delivered to you
__ _____ ___
\ \ / / _ \/ __|
\ V /| _/ (__
\_/ |_| \___|
----------
VPC Re-cap
----------
- Think of a VPC as a logical datacentre in AWs
- Consists of:
- IGW (or Virtual Private Gateways)
- Route Tables
- NACLS
- Subnets
- Security Groups
- 1 subnet = 1 AZ
- Security Groups are STATEFUL
- NACLS are STATELESS
- /16 - Largest VPC
- /28 - Smallest VPC
- Soft limit of 5 VPCs per region
- Default VPC
- Created automatically when you created your AWS account
- All subnets have a route out to the Internet
- Each EC2 instance has both a public and private IP address
- VPC Peering
- Connect one VPC with another using private IP addresses.
- Instance behave as if they were on the same private network
- You can peer with other AWS accounts, as well as with other VPCs in the same account
- Star configuration. E.g. 1 central VPC with 4 others
- NO TRANSITIVE PEERING
- Reserved AWS VPC IP addresses
- First 4 IP addresses, and the last address are reserved:
- .0 - Network address
- .1 - AWS VPC router
- .2 - AWS DNS server
- .3 - AWS Future use
- .255 - Network Broadcast
- You cannot have multiple IGWs on a VPC.
- Security Groups don't span VPCS, i.e. you cannot select a SG from VPC A and use in VPC B (it won't be listed)
----------
Custom VPC
----------
- Steps to build a custom VPC:
- Create a VPC, specify:
- Name
- CIDR block
- Tenancy (Default/Dedicated)
- The above step auto creates the following defaults: Route Table, NACL, Security Group
- Create Subnet, specify
- Name
- VPC (select above VPC)
- AZ
- IPv4 / IPv6 CIDR block
- Create Internet Gateway
- Name
- Attach to VPC (the custom one)
- Create a new Route Table (i.e don't use the default)
- Name
- VPC
- Create a route out to the Internet (0.0.0.0/0 -> IGW)
- Associate with public subnets
- Set public subnet(s) to auto-assign IPv4 public address
_ _ _ _____
| \| | /_\_ _|
| .` |/ _ \| |
|_|\_/_/ \_\_|
----------------------------
NAT Instances & NAT Gateways
----------------------------
- NAT Instances:
- Need to DISABLE source / destination checks
- MUST be in a public subnet
- There must be a route out of the private subnet to the public subnet for this to work
- Traffic it can handle depends on instance size. If bottlenecking increase instance size
- It's possible to create high-availability using AutoScaling Groups, multiple subnets in different AZs, and a script to automate failover
- Behind a security group
- NAT Gateways
- Preferred
- A NAT gateway is per AZ, if you want HA your need ones in other AZs
- Scale automatically up to 10Gbps
- No need to patch
- Not associated with security groups
- Automatically assigned a public IP address (EIP)
- Remember to update your route tables
- No need to disable source / destination checks
- More secure than a NAT instance
_ ___ _
_ _ /_\ / __| | ___
| ' \ / _ \ (__| |__(_-<
|_||_/_/ \_\___|____/__/
------------
Network ACLs
------------
- Your VPC automatically comes with a default Network ACL, the default NACL ALLOWS all in / outbound traffic
- You can create custom NACLs, by default custom NACLs DENY all in / outbound traffic (until you add rules)
- Each subnet in your VPC MUST be associated with a NACL
- If you don't explicitly associate a subnet with a NACL, the subnet will automatically be associated with the default ACL
- You CAN associate a NACL with multiple subnets
- A subnet can only be associated with One NACL at a time
- When you associate a NACL with a subnet, the previous association is removed
- NACLs are evaluated in order, starting from the lowest numbered rule
- NACLs have separate inbound and outbound rules, each rule can either allow or deny traffic
- NACLs can span AZs
- NACLS are STATELESS, responses to allowed inbound traffic are subject to the rules for outbound traffic (and vice versa)
- Remember to allow ephemeral port for outbound
- You can Block IP addresses using NACLS, cannot do that with Security Groups
_ _ ___
/_\ | | | _ )
/ _ \| |__| _ \
/_/ \_\____|___/
-------------------
ALB with Custom VPC
-------------------
- Must be in AT LEAST two AZs
__ _____ ___ ___ _ _
\ \ / / _ \/ __| | __| |_____ __ __ | | ___ __ _ ___
\ V /| _/ (__ | _|| / _ \ V V / | |__/ _ \/ _` (_-<
\_/ |_| \___| |_| |_\___/\_/\_/ |____\___/\__, /__/
|___/
-------------
VPC Flow Logs
-------------
- Capture IP traffic to / from network interfaces in your VPC, stored in CloudWatch logs
- Levels:
- VPC (all ENI traffic)
- Subnet
- Network Interface Level
- You CANNOT enable flow logs for VPCs that are peered with your VPC, unless the peer VPC is in your account
- You CANNOT tag a flow log
- After you've created a flow log, you cannot change it's configuration; for example, you can't associate with a different IAM role with the flow log
- Not all traffic is monitored, such as:
- Contacting Amazon DNS (will see to your own DNS)
- Windows instance -> Amazon Windows license activation
- Traffic to and from 169.254.169.254 for instance meta-data
- DHCP
- Traffic associated with reserved IP address for the default VPC router
_ _ _ _____ ___ _ _
| \| | /_\_ _|__ __ _____ | _ ) __ _ __| |_(_)___ _ _ ___
| .` |/ _ \| |(_-< \ V (_-< | _ \/ _` (_-< _| / _ \ ' \(_-<
|_|\_/_/ \_\_|/__/ \_//__/ |___/\__,_/__/\__|_\___/_||_/__/
---------------
NAT vs Bastions
---------------
- NAT instance / gateway is used to provided Internet traffic TO EC2 instances in a private subnet
- Bastion instance is used to securely admin the EC2 instances (using SSH/RDP) in private subnets. (aka Jump boxes)
__ _____ ___ ___ _ ___ _ _
\ \ / / _ \/ __| | __|_ _ __| |___| _ \___(_)_ _| |_ ___
\ V /| _/ (__ | _|| ' \/ _` |___| _/ _ \ | ' \ _(_-<
\_/ |_| \___| |___|_||_\__,_| |_| \___/_|_||_\__/__/
--------------
VPC End Points
--------------
- Access AWS Service (e.g. S3) without going over the internet
- Route directly over AWS private network
- Remember source IPs will now be the private address range
- Associate VPC end-points with the subnet in question (likely private)
___ ___ ___
| \| \ ___/ __|
| |) | |) / _ \__ \
|___/|___/\___/___/
----
DDoS
----
Read: AWS DDOS White Paper - https://d1.awsstatic.com/whitepapers/Security/DDoS_White_Paper.pdf
- Amplification/Reflection attacks. NTP, SSDP, DNS, Chargen, SNMP
- Slowloris (open lots of webserver connections, and hold them only - sending partial html requests)
- Mitigation
- Minimize the Attack Surface Area
- e.g. use Bastion/Jump box instead of exposing direct SSH-RDP, with allow sources (whitelisted)
- Be Ready to Scale to Absorb the Attack
- Scale both horizontally and vertically, such that:
- Attack is spread over a larger area
- Attackers have to counter-attack taking up more of THIER resources too
- It buys you time to analyze the attack and respond with countermeasures
- Additional benefit of providing additional levels of redundancy
- Safegaurd Exposed resources
- Protect entry points, using
- CloudFront
- Geo Restriction/Blocking. Whitelists or blacklists
- Origin Access Identity. Restrict access to S3 bucket
- Route 53
- Alias Record Sets - Immediately redirect traffic to CloudFront distribution, or a different ALB with high capacity EC2 instances running WAFs or own security tools. No DNS change, hence no propagation latency
- Private DNS - Manage internal DNS names for app resources, without exposing this information to public internet
- WAFs (either service or something from AWS market place)
- Learn Normal Behavior
- Know the different types of traffic and what normal levels should be
- Understand expected and unexpected resource spikes
- Benefits:
- Allows you to spot abnormalities fast
- You can create alarms to alert you of abnormal behavior
- Helps you to collect forensic data to understand the attack
- Create a plan for attacks
- Ensures:
- You've validated the design of your architecture
- You understand the costs for your increased resiliency and know what techniques to employ when you come under attack
- You know who to contact when the attach happens
- AWS Shield (L3 / L4 DDoS attack protection)
- Basic:
- Free for AWS customers uses ALB, CloudFront and Route 53
- Protects against SYN/UDP floods, reflection attacks, and other l3/l4 attacks
- Advanced:
- Enhanced protections for apss on ALB, CloudFront and Route 53 against larger and more sophisticated attacks. $3000 per month
- Always-on, flow-based monitoring of network traffic and active application monitoring to provide near real-time notifications of DDoS attacks
- DDoS Response Team (DRT) 24x7 to manage and mitigate application layer DDoS attacks
- Protects your AWS bill against higher fees due to ALB, CloudFront and Route 53 usage spikes during a DDoS attack
- Exam Tips
- Read white paper
- Technologies to mitigate DDoS:
- CloudFront
- Route 53
- ELB/ALB
- WAFs
- Autoscaling (for WAF and web servers)
- CloudWatch
__ ___ ___ ___ _ _ _
\ \ / /_\ | __| |_ _|_ _| |_ ___ __ _ _ _ __ _| |_(_)___ _ _
\ \/\/ / _ \| _| | || ' \ _/ -_) _` | '_/ _` | _| / _ \ ' \
\_/\_/_/ \_\_| |___|_||_\__\___\__, |_| \__,_|\__|_\___/_||_|
|___/
---------------
WAF Integration
---------------
WAF can ONLY be integrated with ALB and CloudFront. NOT other services like EC2 or ROUTE 53
___ ___ ___ _ _ _ _ _
| __/ __|_ ) | |_ __ _ ___ | |__ ___ ___ _ _ | |_ __ _ __| |_____ __| |
| _| (__ / / | ' \/ _` (_-< | '_ \/ -_) -_) ' \ | ' \/ _` / _| / / -_) _` |
|___\___/___| |_||_\__,_/__/ |_.__/\___\___|_||_| |_||_\__,_\__|_\_\___\__,_|
-------------------
EC2 has been hacked
-------------------
ISOLATE!
Steps
- Stop the instance
- Take a snapshot of the EBS Volume
- Deploy the instance into an isolated VPC (no internet access - private subnet)
- Be able to access from a forensic workstation (isolated)
- Read through logs and figure out how the system was compromised
_ _ _ _ _ ___ _ _ _ _
| | ___ __ _| |_____ __| | | |_____ _ _ ___ | |_ ___ / __(_) |_| |_ _ _| |__
| |__/ -_) _` | / / -_) _` | | / / -_) || (_-< | _/ _ \ | (_ | | _| ' \ || | '_ \
|____\___\__,_|_\_\___\__,_| |_\_\___|\_, /__/ \__\___/ \___|_|\__|_||_\_,_|_.__/
|__/
---------------------
Leaked keys to Github
---------------------
First, assume compromise! even if it's up only a few seconds
1. IAM - Make Access Key - then 'Make Inactive'
2. IAM - Delete compromised key
3. IAM - Create a new key
___ _ _ ___ _ _ _____ _ _ _
| _ \___ __ _ __| (_)_ _ __ _ / __| |___ _ _ __| |_ _| _ __ _(_) | | | ___ __ _ ___
| / -_) _` / _` | | ' \/ _` | | (__| / _ \ || / _` | | || '_/ _` | | | | |__/ _ \/ _` (_-<
|_|_\___\__,_\__,_|_|_||_\__, | \___|_\___/\_,_\__,_| |_||_| \__,_|_|_| |____\___/\__, /__/
|___/ |___/
-----------------------
Reading CloudTrail Logs
-----------------------
JSON.
Key value pairs
___ _ _ _ _____ _ _
| _ \___ _ _ ___| |_ _ _ __ _| |_(_)___ _ _ |_ _|__ __| |_(_)_ _ __ _
| _/ -_) ' \/ -_) _| '_/ _` | _| / _ \ ' \ | |/ -_|_-< _| | ' \/ _` |
|_| \___|_||_\___|\__|_| \__,_|\__|_\___/_||_| |_|\___/__/\__|_|_||_\__, |
|___/
-------------------
Penetration Testing
-------------------
- ALWAYS need permission from AWS to perform Pen Testing - including simulation event
- Consider using Kali linux from AWS Market place
___ _____ ___ _ _ __ _ _ __ __
/_\ \ / / __| / __|___ _ _| |_(_)/ _(_)__ __ _| |_ ___ | \/ |__ _ _ _ __ _ __ _ ___ _ _
/ _ \ \/\/ /\__ \ | (__/ -_) '_| _| | _| / _/ _` | _/ -_) | |\/| / _` | ' \/ _` / _` / -_) '_|
/_/ \_\_/\_/ |___/ \___\___|_| \__|_|_| |_\__\__,_|\__\___| |_| |_\__,_|_||_\__,_\__, \___|_|
|___/
-----------------------------
AWS Certificate Manager (ACM)
-----------------------------
- For SSL/TLS certs
- Can import existing certs
- Domain certs - via either DNS validation (add the specified CNAME with value to DNS record) or Email validation (based on whois data)
- Automatic renewal
- For all, except:
- Not available for Imported certs or Route 53 Private hosted zones
- CANNOT export from AWS Certificate Manager
- Can associate with:
- CloudFront Distribution
- ALB (Application Load Balancer)
_ _ ___ ___ __ _ ___ _ ___
/_\ | | | _ ) ___ | _ \___ _ _ / _|___ __| |_ | __|__ _ ___ __ ____ _ _ _ __| | / __| ___ __ _ _ ___ __ _ _
/ _ \| |__| _ \ |___| | _/ -_) '_| _/ -_) _| _| | _/ _ \ '_\ V V / _` | '_/ _` | \__ \/ -_) _| '_/ -_) _| || |
/_/ \_\____|___/ |_| \___|_| |_| \___\__|\__| |_|\___/_| \_/\_/\__,_|_| \__,_| |___/\___\__|_| \___\__|\_, |
|__/
------------------------------
ALB - Perfect Forward Secrecy
------------------------------
- Cipher suites are selected by choosing a 'Security Policy'
- For PFS we need ECDHE (Elliptic Curve Diffie Hellman), so choose the '2016-08 *' policy
- For exam ALWAYS assume HTTPS is on 443, even if they throw you some curve balls
_ ___ ___ ___ _
/_\ | _ \_ _| / __|__ _| |_ _____ __ ____ _ _ _
/ _ \| _/| | | (_ / _` | _/ -_) V V / _` | || |
/_/ \_\_| |___| \___\__,_|\__\___|\_/\_/\__,_|\_, |
|__/
-----------
API Gateway
-----------
Throttling
- 10k request per sec, burst limit of 5000
- limits can be increased by contacting AWS support
Caching
- API caching possible from 5 mins (300 sec) to 1 hour (3600 secs)
___ _____ ___ _ __ __ ___ _ ___ _
/_\ \ / / __| / __|_ _ __| |_ ___ _ __ ___ | \/ |__ _ _ _ __ _ __ _ ___ _ _ | _ \__ _ _ _ __ _ _ __ ___| |_ ___ _ _ / __| |_ ___ _ _ ___
/ _ \ \/\/ /\__ \ \__ \ || (_-< _/ -_) ' \(_-< | |\/| / _` | ' \/ _` / _` / -_) '_| | _/ _` | '_/ _` | ' \/ -_) _/ -_) '_| \__ \ _/ _ \ '_/ -_)
/_/ \_\_/\_/ |___/ |___/\_, /__/\__\___|_|_|_/__/ |_| |_\__,_|_||_\__,_\__, \___|_| |_| \__,_|_| \__,_|_|_|_\___|\__\___|_| |___/\__\___/_| \___|
|__/ |___/
-----------------------------------
AWS Systems Manager Parameter Store
-----------------------------------
- System Manager - Manage EC2 fleets at scale. Find it under the EC2 section of the console
- For example need to pass info such as... users, passwords, license keys, db connection strings to EC2 as a boot strap script - while maintaining confidentiality
- Types:
- String
- String List
- Secure String (encrypted with KMS
- Usable with:
- EC2
- CloudFormation
- Lambda
- SM EC2 Run Command
___ _____ ___ _ __ __ ___ ___ ___ ___ ___ _
/_\ \ / / __| / __|_ _ __| |_ ___ _ __ ___ | \/ |__ _ _ _ __ _ __ _ ___ _ _ | __/ __|_ ) | _ \_ _ _ _ / __|___ _ __ _ __ __ _ _ _ __| |
/ _ \ \/\/ /\__ \ \__ \ || (_-< _/ -_) ' \(_-< | |\/| / _` | ' \/ _` / _` / -_) '_| | _| (__ / / | / || | ' \ | (__/ _ \ ' \| ' \/ _` | ' \/ _` |
/_/ \_\_/\_/ |___/ |___/\_, /__/\__\___|_|_|_/__/ |_| |_\__,_|_||_\__,_\__, \___|_| |___\___/___| |_|_\\_,_|_||_| \___\___/_|_|_|_|_|_\__,_|_||_\__,_|
|__/ |___/
-----------------------------------
AWS Systems Manager EC2 Run Command
-----------------------------------
- Manage large number of EC2 instances and/or on-premise systems
- Automate common admin tasks / ad-hoc config changes. Examples
- Install apps
- Apply patches
- Join Domain
- Exam tips
- Commands can be applied to a group of systems based on AWS instance tags or by selecting manually
- SSM agent needs to be installed on all your managed instances. AMI for Win 2016 has it pre-installed
- Does Need an IAM Role, and must be attached to all EC2 instances to be managed by Systems Manager
- Commands and parameters are defined in a Systems Manager Document
- Commands can be issued using:
- AWS Console
- AWS CLI
- AWS Tools for Windows Powershell
- System Manager API
- Amazon SDKs
- Can use with on-premise systems as well as EC2 instance
___ _ _ ___ _
/ __|___ _ __ _ __| (_)__ _ _ _ __ ___ | __| _ __ _ _ __ _____ __ _____ _ _| |__ ___
| (__/ _ \ ' \| '_ \ | / _` | ' \/ _/ -_) | _| '_/ _` | ' \/ -_) V V / _ \ '_| / /(_-<
\___\___/_|_|_| .__/_|_\__,_|_||_\__\___| |_||_| \__,_|_|_|_\___|\_/\_/\___/_| |_\_\/__/
|_|
---------------------
Compliance Frameworks
---------------------
- PCI DSS - "The Payment Card Industry Data Security Standard (PCI DSS) is a widely accepted set of policies and procedures intended to optimize the security of credit, debit and cash card transactions and protect cardholders against misuse of their personal information". Currently version 3.2
- Requirements:
- Build and Maintain a Secure Network and Systems
- 1. Install and maintain a firewall configuration to protect cardholder data
- 2. Do not use vendor supplied defaults for system password and other security parameters
- Protect cardholder data
- 3. Protect stored cardholder data (e.g. encrypt at rest)
- 4. Encrypt transmission of cardholder data across open, public networks (e.g. encrypt in transit)
- Maintain a Vulnerability Management Program
- 5. Protect all systems against malware and regularly update anti-virus software or programs
- 6. Develop and maintain secure systems and applications
- Implement Strong Access Control Measures
- 7. Restrict access to cardholder data by business need to know
- 8. Identify and authenticate access to system components
- 9. Restrict physical access to cardholder data
- Regularly monitor and test networks
- 10. Track and monitor all access to network resources and cardholder data
- 11. Regularly test security systems and processes
- Maintain an Information Security Policy
- 12. Maintain a policy that addresses information security for all personnel
- ISO - "ISO/IEC 27001:2005 specifies the requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving a documented Information Security Management System within the context of the organizations overall business risks"
- HIPAA - "HIPAA is the federal Health Insurance Portability and Accountability Act of 1996. The primary goal of the law is to make it easier for people to keep health insurance, protect the confidentiality and security of healthcare information and help the healthcare industry control administrative costs."
- FIPS 140-2 is a US government computer security standard used to approve cryptographic modules. Rated from Level 1 to 4 (highest). CloudHSM meets the Level 3 standard
- FedRAMP - "The Federal Risk and Authorization Management Program, or FedRAMP, is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services"
- NIST = "National Institute of Standards and Technology" Framework for Improving Critical Infrastructure Cybersecurity. "...a set of industry standards and best practices to help organizations manage cybersecurity risks."
- SAS70 - Statement on Auditing Standards No. 70
- SOC1 - Service Organization Controls - Auditing Standards
- FISMA - Federal Information Security Modernization Act
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment