🔑 AWS Security Whitepaper Notes
Shared Security Model:
> AWS responsible for securing underlying infra
> Customer responsible for anything they put on or connect to cloud
The shared security model reduces the customer's operational burden and sometimes improves default security
Security features you should always configure:
> Individual user accounts and credentials
> SSL/TLS for data transmissions
> User activity logging
AWS is responsible for the security configuration of its products that are managed services:
> DynamoDB
> RDS
> Redshift
> Amazon Elastic MapReduce
> Amazon Workspaces
> and many more
Customer Responsibility:
> Configure the security settings of all EC2, VPC and S3 resources
> AWS Firewall
> Protect credentials with individual user accounts + MFA
> Use SSL/TLS to communicate with resources
> Log Account events using CloudTrail
> Log application events using CloudWatch
Business Continuity Management:
Availability:
> Built in clusters in regions
> No data center is cold
> Core apps are deployed in N+1 configuration
> AWS provides you flexibility to place instances and store data within multiple geographic regions and AZs
> Distributing applications across multiple availability zones makes them more resilient in most failure modes
Incident Response:
> AWS has 24x7x365 coverage
> Use the Service Health Dashboard for broad-impact events
> AWS Security Center for security and compliance details about AWS
Network Security:
Secure Network Architecture:
> Boundary devices (firewalls, network devices etc.) employ rule sets, access control lists (ACLs) and configurations to control the flow of information.
Secure Access Points:
> API endpoints (HTTPS access)
Transmission Protection:
> Connect to AWS via HTTPS or SSL
> VPC offers extra security
> Use a VPN between your data center and AWS
Fault Tolerant Design:
> AWS data centers are built in clusters in various global regions.
> All data centers are online and serving customers
> Core apps are deployed in an N+1 configuration - so capacity can be load balanced to the remaining sites
> AWS allows you to place instances and store data in multiple regions and AZs - so that your workloads are fault tolerant.
Network Monitoring and Protection:
> AWS monitoring tools detect unusual or unauthorized activities and conditions at ingress and egress communication points.
> Alarms can be configured to automatically notify operations and management when key thresholds are crossed.
X.509 Certificates:
> Used to sign SOAP based requests
> Contain public key and additional metadata
Security Logs:
> AWS CloudTrail provides a log of events within your account
> CloudTrail shows each event, who made it and what action was performed on which service.
> CloudTrail event logs are delivered every 5 minutes and put into an S3 bucket
> CloudTrail logs can also be stored in Glacier
> Cloudwatch logs collect and monitor system, app and custom log files from EC2 and other services.
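An added example (not from the gist or the whitepaper) of what the CloudTrail points above mean in practice: parse a few constructed CloudTrail records, answer "who did what on which service" for each, and flag the events a defender would want to see first (root account use, console logins without MFA, security group changes). The records, the 111122223333 account id and the IP addresses are constructed sample values.

```python
import json

# Constructed CloudTrail records, trimmed to the fields used here; not real account data.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2020-04-08T08:00:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventTime": "2020-04-08T08:05:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "alice",
                      "arn": "arn:aws:iam::111122223333:user/alice"}},
    {"eventTime": "2020-04-08T08:06:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutBucketPolicy", "sourceIPAddress": "203.0.113.9",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/Deploy/ci"}},
]})


def who(record):
    """Short label for the caller: 'root', an IAM user name, or the role session name."""
    ident = record["userIdentity"]
    if ident["type"] == "Root":
        return "root"
    return ident.get("userName") or ident["arn"].rsplit("/", 1)[-1]


def summarize(log_text):
    """One (who, action, service) tuple per event - the three questions the notes list."""
    records = json.loads(log_text)["Records"]
    return [(who(r), r["eventName"], r["eventSource"].split(".")[0]) for r in records]


def findings(log_text):
    """Flag root use, console logins without MFA, and firewall (security group) changes."""
    out = []
    for r in json.loads(log_text)["Records"]:
        if r["userIdentity"]["type"] == "Root":
            out.append(("root-account-used", who(r), r["eventName"]))
        mfa = r.get("additionalEventData", {}).get("MFAUsed")
        if r["eventName"] == "ConsoleLogin" and mfa != "Yes":
            out.append(("console-login-without-mfa", who(r), r["eventName"]))
        if r["eventName"].startswith(("AuthorizeSecurityGroup", "RevokeSecurityGroup")):
            out.append(("security-group-change", who(r), r["eventName"]))
    return out
```

The same two functions work on the JSON files CloudTrail delivers to the S3 bucket, since each file carries the same `Records` array shape.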
AWS Trusted Advisor:
> Inspects your environment and recommends opportunities to save money, improve performance or close security gaps.
> Provides alerts on the most common security misconfigurations
AWS Config Security Checks:
> Continuous monitoring and assessment service that records changes to the configuration of AWS resources.
> Can be used to reconfigure to a steady state when there is an outage.
AWS Service Specific Security:
EC2:
Multiple levels of security:
> OS
> Virtual instance OS/guest OS
> Firewall
> Signed API Calls
Hypervisor:
> The CPU provides 4 privilege modes (0-3) called rings
> 0 has the most privilege
> 3 has least
> Applications work in 3, OS in 1 - giving a clear security separation between the two
Instance Isolation:
> The Xen hypervisor separates instances
> The AWS firewall resides in the hypervisor layer, between the physical network interface and the instance's virtual interface
> Network and RAM are isolated per instance, as they would be on a physical machine.
> No raw disk devices - instead virtualized disks
Host OS:
> MFA must be used for admin on hosts
> All access is logged and audited
Guest OS:
> Virtual instances are controlled by the customers
> Full root or admin over guest OS
> Should use SSHv2 to access the virtual instances, disable root login, use command line logging and use 'sudo' for privilege escalation
Firewall:
> EC2 provides a complete firewall solution
> Firewall isn't controlled through the OS - requires an X.509 certificate and key to authorize changes.
> API access can be used to change params using the AWS account secret keys
> IAM can further be used to manage permissions
EBS:
> Replicated across multiple AZs
> For the most fault tolerant system, spread backups to S3 for long term durability
> Use database tools to back up complex transactional databases
> Snapshots can be shared with other accounts
> Sensitive data should be encrypted
Auto Scaling Security:
> Management of auto scaling must be done via API
> IAM roles can be used to simplify key management
Networking Services:
ELB:
> ELB has same benefits as on site load balancer + more:
> Takes encryption and decryption work from the EC2 instances and manages it centrally on the load balancer.
> Offers clients a single point of contact - and serves as first line of defence against network
> Use VPC - create and manage security groups associated with the ELB to provide additional networking and security options
> Supports end to end encryption using TLS
VPC Security:
> VPC enables you to create an isolated portion of the AWS cloud and launch EC2 instances that have private addresses in a range of your choice.
> NAT gateway - outbound connections (no inbound)
> Internet gateway - inbound connections (outbound and inbound - used for public subnets)
> Connect two VPCs using a private IP - allowing them to communicate
> VPC peering can be created between VPCs, or with a VPC in another AWS account in the same region
> You must create VPC security groups for a VPC; EC2 security groups will not work inside a VPC. VPC security groups have additional capabilities
Subnets and Route Tables:
> Create one or more subnets within a VPC
> MAC spoofing and ARP spoofing are both blocked
> Each subnet has an associated route table; all traffic leaving the subnet is processed by the route table to determine its destination
Firewall (Security Groups):
> Filtering ingress and egress traffic
Network access control lists:
> Configure network ACLs to add further security
> Stateless traffic filters that apply to all traffic
> These ACLs can contain ordered rules to allow or deny traffic
> ACLs are controlled via the VPC
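The difference between the two VPC filters above (stateful security groups vs. stateless, ordered network ACLs) as an added simulation, not code from the gist or from AWS: the rule sets, client address and ports are constructed, and the model is simplified to TCP port and CIDR matching.

```python
import ipaddress

# Constructed network ACL rules: (rule number, action, protocol, (port_lo, port_hi), cidr).
INBOUND_ACL = [(100, "allow", "tcp", (443, 443), "0.0.0.0/0"),
               (200, "deny", "tcp", (22, 22), "0.0.0.0/0")]
# Replies leave on ephemeral ports; a stateless filter drops them without this rule.
OUTBOUND_ACL = [(100, "allow", "tcp", (1024, 65535), "0.0.0.0/0")]


def in_cidr(ip, cidr):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr)


def nacl_decision(rules, proto, port, peer_ip):
    """Stateless: rules checked in ascending number, first match wins, then the implicit deny."""
    for _, action, rule_proto, (lo, hi), cidr in sorted(rules):
        if rule_proto == proto and lo <= port <= hi and in_cidr(peer_ip, cidr):
            return action
    return "deny"


class SecurityGroup:
    """Stateful and allow-only: a reply to an admitted connection passes automatically."""
    def __init__(self, inbound_rules):
        self.inbound_rules = inbound_rules      # (protocol, port_lo, port_hi, cidr)
        self.flows = set()                      # admitted (peer_ip, peer_port, local_port)

    def inbound(self, proto, peer_ip, peer_port, local_port):
        for rule_proto, lo, hi, cidr in self.inbound_rules:
            if rule_proto == proto and lo <= local_port <= hi and in_cidr(peer_ip, cidr):
                self.flows.add((peer_ip, peer_port, local_port))
                return "allow"
        return "deny"

    def outbound(self, peer_ip, peer_port, local_port):
        # No outbound rules in this group: only replies to tracked flows get out.
        return "allow" if (peer_ip, peer_port, local_port) in self.flows else "deny"


def https_exchange(outbound_acl):
    """Client 203.0.113.5:51000 -> instance:443, then the reply; decisions from both filters."""
    sg = SecurityGroup([("tcp", 443, 443, "0.0.0.0/0")])
    client, cport = "203.0.113.5", 51000
    return {"sg_request": sg.inbound("tcp", client, cport, 443),
            "sg_reply": sg.outbound(client, cport, 443),
            "acl_request": nacl_decision(INBOUND_ACL, "tcp", 443, client),
            "acl_reply": nacl_decision(outbound_acl, "tcp", cport, client)}
```

With `OUTBOUND_ACL` in place both filters pass the reply; with an empty outbound ACL the security group still lets the reply out while the network ACL drops it, which is the usual cause of "allowed inbound but the connection hangs" when a subnet ACL is tightened.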
Virtual Private Gateway:
> Enables private connectivity between a VPC and another network.
Internet Gateway:
> Attached to VPC to enable direct connectivity to S3, other AWS services and the internet
> Each instance desiring this access must have an Elastic IP or route through a NAT instance
Dedicated Instances:
> Physically isolated instances
Elastic Network Interfaces:
> Create an elastic network interface for your EC2 - useful when you want a management network and security appliance in the VPC.
EC2-VPC:
> If you launch instances in a region where you didn't have a VPC before, a default VPC will be created.
> Following set up is done for you:
> Create a default subnet in each AZ
> Create an IGW and connect it to VPC
> Create a main route table and send all traffic destined for internet to IGW
> Create default security group and associate with VPC
> Create a default network access control list (ACL)
> Associate the default DHCP options set for AWS account with VPC
Amazon Route 53 Security:
> Highly available DNS service that answers DNS queries
> Lets you manage IP addresses listed for domain names and it answers requests to translate domain names to their IP addresses.
> Queries are routed to nearby DNS server
> Different methods can be used:
> Latency Based Routing,
> Geo DNS,
> Weighted Round-Robin
> Offers domain name registration
> Automatically configures DNS settings for domains
> Offers privacy protection to stop spamming and scraping
> Can use Route 53 to check health of website on regular basis and switch to backup if primary is unresponsive.
AWS CloudFront Security:
> Easy way to distribute content to end users with low latency and high transfer speeds
> Delivers dynamic, static and streaming content using a global network of edge locations
> Optimized to work with other AWS services
> No guarantee of durability of data held in CloudFront edge locations
Storage Services:
S3 Security:
> Restricted by default
> Only bucket and object owners have access to the resources they create
> IAM Policies - IAM enables organizations with many employees to create and manage multiple users under a single AWS account.
> Access Control Lists - ACL to give read / write access on buckets or objects to groups of users.
> Bucket policies - Add or deny permissions across some or all objects within a bucket
> Attached to users, groups or S3 buckets.
> Versioning - preserve, retrieve and restore every version of every object stored in an S3 bucket.
> Can use S3 versioning with MFA Delete to restrict deletions
> Cross-Origin Resource Sharing (CORS)
> Host static web pages or store objects using S3 by enabling cross-origin requests
> JS requires the same domain - to stop malicious content being loaded; with CORS enabled, assets stored in S3 can be referenced and loaded.
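How the bucket policy and "use SSL/TLS" items above fit together, as an added example that is neither the gist's nor AWS's code: a small evaluator implementing the IAM decision order (an explicit Deny wins, then any Allow, otherwise implicit deny) over a constructed bucket policy that admits one reader role and denies every request made without TLS. The bucket name, role ARN and account id are constructed, and only the `Bool` condition operator is modelled.

```python
import fnmatch

# Constructed bucket policy (not from the page): one Allow for a reader role, plus
# the common Deny of any request that arrives without TLS (aws:SecureTransport = false).
BUCKET_POLICY = {"Statement": [
    {"Sid": "AllowReader", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:role/reader"},
     "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]},
    {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
     "Action": "s3:*",
     "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(statement, principal, action, resource, context):
    """Does the statement apply to this request? '*' wildcards as in IAM policies."""
    principals = statement["Principal"]
    principals = ["*"] if principals == "*" else _as_list(principals["AWS"])
    if not any(fnmatch.fnmatchcase(principal, p) for p in principals):
        return False
    if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(statement["Action"])):
        return False
    if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(statement["Resource"])):
        return False
    # Only the Bool operator is modelled; a missing context key never satisfies it.
    for key, expected in statement.get("Condition", {}).get("Bool", {}).items():
        if str(context.get(key, "")).lower() != str(expected).lower():
            return False
    return True


def evaluate(policy, principal, action, resource, context):
    """Bucket policy only (identity policies and ACLs are out of scope): Deny, Allow, implicit deny."""
    effects = {s["Effect"] for s in policy["Statement"]
               if _matches(s, principal, action, resource, context)}
    if "Deny" in effects:
        return "deny"
    return "allow" if "Allow" in effects else "deny"
```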
DynamoDB:
> Uses IAM
RDS:
> DB Security groups are used - like a firewall
> Use VPC for extra security
> All data can and should be encrypted (connections included)
> Backups and Snapshots can be used.
> Automated backups on by default - back up all logs and the database for the retention period
> DB snapshots are user initiated and are a full backup of the RDS instance until you delete them
> For high availability put the DB (replicated) in multiple zones.
> With a primary and secondary zone
Redshift:
> Petabyte scale SQL data warehouse service that runs on highly optimized managed AWS storage and compute
> Improves query speeds - even on large datasets
> Uses columnar storage, data compression and zone maps to reduce IO
Cluster access:
> Closed by default
> Run inside VPC to isolate data warehouse
> Like any DB - database level access must be granted
> Redshift data is backed up to S3 periodically
> Redshift data snapshots can also be taken at any time
> Redshift continuously monitors the health of the cluster and re-replicates when required.
ElastiCache:
> Scale a distributed in-memory cache environment in the cloud
> Improve the performance of web applications
> Retrieve from fast, managed in memory cache
> Good for read heavy workloads
> Automates time consuming management tasks for in-memory cache environments
> Works with other managed services
> Operates within a cache cluster each running its own memcached service
> Uses security groups
Cloud Search:
> Managed service that makes it easy to set up, manage and scale search for your website.
> Cloudsearch scales with your needs
> Create a separate search domain for each collection of data you want to make searchable
> All searches done through a standard general purpose endpoint
SQS:
> Highly reliable, scalable message queuing service that enables asynchronous message based communication between distributed components.
> Send any number of messages at any time
> Messages can be consumed by the same component right now - or up to 4 days later by any component
> Highly durable and available
> Access granted by account or user with IAM
> Available via SSL encrypted endpoints
> Data stored in SQS is not encrypted - however the user can encrypt before putting it on SQS
SNS:
> Easy to set up and operate sending notifications
> Highly scalable flexible and cost effective
> Build event driven applications using a push mechanism
> Built for monitoring, workflow systems, time sensitive information updates, mobile apps etc
> Topic owners can set policies for a topic that restrict who can publish or subscribe to a topic
> Traffic can be encrytpted using HTTPS
> Access given to AWS accounts or IAM users
SWF (Simple Workflow Service):
> Easy to build applications that coordinate work across distributed components
> Structure various tasks in a workflow - and SWF coordinates them for you
> Access is granted to AWS accounts or user created IAM users.
SES (Simple Email Service):
> Sends and receives emails
> Maximise email deliverability and stay informed on delivery status of your emails
> Integrates with other AWS services
> Requires users to verify email address or domain to confirm they own it
> Requires DNS record to be verified
> AWS checks that emails don't contain malware or viruses
> AWS maintain complaint feedback loops with major ISPs
> Measures the quality of each user's sending
> Supports authentication methods such as Sender Policy Framework, etc
Kinesis Security:
> Handles real-time streaming of big data
> Accepts any amount of data from any number of sources
> Large-scale, real time data ingestion and processing such as server logs, social media or market data feeds
> Apps read and write in streams
> Can create any number of streams
> Data records contain a sequence number, a partition key and a data blob. Objects available for 24 hours then discarded
> Application is a consumer of a kinesis stream - typically a fleet of EC2 instances.
AWS Data Pipeline Security:
> Helps process and move data between different data sources at intervals - using data driven workflows and built in dependency checking.
> Pipelines manage launching of AWS services in the pipeline
> AWS data pipeline creates the necessary IAM roles and policies.