
Security and Compliance


Shared Responsibility Model #

AWS responsibility - Security of the Cloud #

  • Protecting the infrastructure (hardware, software, facilities, networking) that runs AWS services
  • Managed services, like S3, DynamoDB, RDS, etc.

Customer responsibility - Security in the cloud #

  • For an EC2 instance, the customer is responsible for managing the guest OS (including security patches and updates), the firewall and network configuration (security groups, network ACLs) and IAM (users, roles, permissions)
  • Encrypting application data (at rest and in transit)

Shared controls #

  • Patch Management, Configuration Management, Awareness & Training

Example - RDS #

  • AWS responsibility
    • Manages the underlying EC2 instance; customers get no SSH / OS access to it
    • Automated DB patching
    • Automated OS patching
    • Audits the underlying instance and disks and guarantees that they function
  • Customer responsibility
    • Inbound rules (ports / source IPs / source security groups) of the DB's security group
    • In-database user creation and permissions
    • Creating the database with or without public access
    • Ensuring the parameter group forces TLS connections (e.g. rds.force_ssl on PostgreSQL, require_secure_transport on MySQL)
    • Database encryption settings (storage encryption can only be chosen when the instance is created)
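A check for the security-group item above, as an added example (not code from the original post): it walks security groups in the JSON shape returned by `aws ec2 describe-security-groups` and reports database and SSH ports that are reachable from the whole internet. The security groups below are constructed sample data and the port list is an assumption to adjust to the engines you run; the same logic covers the "unrestricted SSH access" case that AWS Config records later on this page.

```python
"""Report security-group inbound rules that expose DB or SSH ports to the internet.

Added example, not from the original post. Input is the JSON shape returned by
`aws ec2 describe-security-groups` (only the fields used here); the groups in
SAMPLE_GROUPS are constructed for illustration.
"""
import ipaddress

# Ports that should never be reachable from 0.0.0.0/0 or ::/0 (assumed list).
SENSITIVE_PORTS = {
    22: "SSH",
    1433: "SQL Server",
    1521: "Oracle",
    3306: "MySQL / Aurora MySQL",
    5432: "PostgreSQL / Aurora PostgreSQL",
    5439: "Redshift",
}

WORLD = (ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("::/0"))


def sensitive_ports_in_rule(rule):
    """Return the sensitive ports a single IpPermissions entry covers.

    IpProtocol "-1" means all traffic (FromPort/ToPort are absent); for TCP
    the FromPort..ToPort range is inclusive.
    """
    proto = str(rule.get("IpProtocol"))
    if proto == "-1":
        return set(SENSITIVE_PORTS)
    if proto not in ("tcp", "6"):
        return set()
    lo, hi = rule.get("FromPort"), rule.get("ToPort")
    if lo is None or hi is None:
        return set()
    return {port for port in SENSITIVE_PORTS if lo <= port <= hi}


def find_world_open_ports(groups):
    """Return (group_id, port, service, source_cidr) for every sensitive port
    that an IPv4 or IPv6 'anywhere' rule exposes. Rules whose source is another
    security group (UserIdGroupPairs) are not world-open and are ignored."""
    findings = []
    for sg in groups:
        for rule in sg.get("IpPermissions", []):
            ports = sensitive_ports_in_rule(rule)
            if not ports:
                continue
            sources = [r["CidrIp"] for r in rule.get("IpRanges", [])]
            sources += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
            for cidr in sources:
                if ipaddress.ip_network(cidr, strict=False) in WORLD:
                    for port in sorted(ports):
                        findings.append((sg["GroupId"], port, SENSITIVE_PORTS[port], cidr))
    return findings


# Constructed sample: one well-scoped DB group and one that is wide open.
SAMPLE_GROUPS = [
    {
        "GroupId": "sg-0db-private",  # placeholder id
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
             "IpRanges": [], "Ipv6Ranges": [],
             "UserIdGroupPairs": [{"GroupId": "sg-0app-tier"}]},
        ],
    },
    {
        "GroupId": "sg-0db-public",  # placeholder id
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "10.0.0.0/8"}],
             "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
            {"IpProtocol": "-1",
             "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []},
        ],
    },
]

if __name__ == "__main__":
    for group_id, port, service, cidr in find_world_open_ports(SAMPLE_GROUPS):
        print(f"{group_id}: {service} (tcp/{port}) open to {cidr}")
```

Note that the private group is clean because its source is the application tier's security group rather than a CIDR; the public group is reported twice: PostgreSQL to all IPv4 and SSH to all IPv6 (the IPv6 "anywhere" rule is easy to miss when only `0.0.0.0/0` is searched for).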

Example - S3 #

  • AWS responsibility
    • Guarantee you get unlimited storage
    • Guarantee you get encryption
    • Ensure data separation between customers
    • Ensure AWS employees can’t access your data
  • Customer responsibility
    • Bucket configuration (versioning, logging, lifecycle, ...)
    • Bucket policy / public access settings (Block Public Access)
    • IAM users and roles
    • Enabling encryption (choosing SSE-S3, SSE-KMS or client-side encryption)

[Image: AWS Shared Responsibility Model]

More about Shared Responsibility Model: https://aws.amazon.com/compliance/shared-responsibility-model/

DDoS Protection on AWS #

  • AWS Shield Standard - protects against DDoS attacks on websites and applications - for all customers at no additional cost
  • AWS Shield Advanced - 24/7 premium DDoS protection and support
  • AWS WAF - filters specific requests based on rules you define
  • CloudFront and Route 53
    • Availability protection using the global edge network
    • Combined with AWS Shield, provides attack mitigation at the edge

Be ready to scale - use AWS Auto Scaling.

[Image: Sample reference architecture for DDoS protection in AWS]

More about DDOS protection: https://docs.aws.amazon.com/whitepapers/latest/aws-best-practices-ddos-resiliency/aws-best-practices-ddos-resiliency.html

AWS Shield #

  • AWS Shield Standard
    • Free service that is activated for every AWS customer
    • Provides protection from attacks such as SYN / UDP floods, reflection attacks and other layer 3 / layer 4 attacks
  • AWS Shield Advanced
    • Optional DDoS mitigation service ($3000 per month per organization)
    • Protects against more sophisticated attacks on Amazon EC2, Elastic Load Balancing (ELB), Amazon CloudFront, AWS Global Accelerator and Route 53

AWS WAF #

  • Protecting web applications from common web exploits (Layer 7)
  • Layer 7 is HTTP (vs Layer 4 is TCP)
  • Can be deployed on Application Load Balancer, API Gateway, CloudFront (also AppSync and Cognito user pools); it cannot be attached to a Network Load Balancer or directly to an EC2 instance

Web Access Control List #

  • Rules can include filters on IP addresses, HTTP headers, HTTP body, URI strings
  • Protects from common attacks - SQL injection, Cross-Site Scripting (XSS)
  • Size constraints (limit request size), geo match (block requests from given countries)
  • Rate-based rules - count requests per source (e.g. IP address) over a 5-minute window and block a source that exceeds x requests in that window - for DDoS protection at layer 7
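The rate-based rule described above, as an added example (not code from the original post): `rate_limit_rule` builds the rule in the AWS WAFv2 JSON shape that `aws wafv2 create-web-acl --rules` accepts, and `evaluate` replays constructed request timestamps to show which requests a rule with that limit would block. The counting model is an assumption that simplifies real WAF behaviour (WAF applies the block with some delay), but it shows the point that matters: the limit is per aggregation key per trailing window, so a steady client under the limit is never blocked while a burst is.

```python
"""Rate-based rule: the AWS WAFv2 rule JSON and a model of its counting.

Added example, not from the original post. rate_limit_rule() returns a rule in
the JSON shape accepted by `aws wafv2 create-web-acl --rules`; evaluate()
replays constructed (timestamp, source_ip) requests and decides which ones a
rate-based rule of that limit blocks. Simplification: real WAF enforces the
block with some delay; the sliding 5-minute window per source IP is modelled.
"""
from collections import defaultdict, deque

WINDOW_SECONDS = 300  # default evaluation window of a rate-based statement


def rate_limit_rule(name, limit, priority=1):
    """Rule that blocks any source IP exceeding `limit` requests per window."""
    return {
        "Name": name,
        "Priority": priority,
        "Statement": {
            "RateBasedStatement": {
                "Limit": limit,
                "AggregateKeyType": "IP",
            }
        },
        "Action": {"Block": {}},
        "VisibilityConfig": {
            "SampledRequestsEnabled": True,
            "CloudWatchMetricsEnabled": True,
            "MetricName": name,
        },
    }


def evaluate(requests, limit, window=WINDOW_SECONDS):
    """Replay (timestamp_seconds, source_ip) pairs in time order.

    A request is blocked when it is the (limit+1)th or later request from its
    IP inside the trailing window; timestamps that fell out of the window no
    longer count, so a source is unblocked once its rate drops again."""
    recent = defaultdict(deque)  # ip -> timestamps still inside the window
    decisions = []
    for ts, ip in requests:
        window_start = ts - window
        queue = recent[ip]
        while queue and queue[0] <= window_start:
            queue.popleft()
        queue.append(ts)
        decisions.append((ts, ip, "BLOCK" if len(queue) > limit else "ALLOW"))
    return decisions


def blocked_by_ip(decisions):
    """Count blocked requests per source IP."""
    counts = defaultdict(int)
    for _, ip, action in decisions:
        if action == "BLOCK":
            counts[ip] += 1
    return dict(counts)


# Constructed traffic using documentation IP ranges.
ATTACKER = "198.51.100.7"  # 120 requests in 60 s: a burst
STEADY = "203.0.113.9"     # 150 requests, one every 3 s: never more than 100 per 5 min
CLIENT = "192.0.2.10"      # 5 requests in a minute
SAMPLE_REQUESTS = sorted(
    [(i * 0.5, ATTACKER) for i in range(120)]
    + [(i * 3.0, STEADY) for i in range(150)]
    + [(i * 12.0, CLIENT) for i in range(5)],
    key=lambda r: r[0],
)

if __name__ == "__main__":
    import json
    print(json.dumps(rate_limit_rule("RateLimit100PerIP", 100), indent=2))
    print(blocked_by_ip(evaluate(SAMPLE_REQUESTS, limit=100)))
```

With a limit of 100, only the bursting attacker is blocked (its 101st to 120th requests); the steady source sends 150 requests in total but never has more than 100 inside any 5-minute window, which is exactly why a rate-based rule should be sized from the legitimate per-client rate rather than from total traffic.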

AWS Network Firewall #

  • Protects an entire Amazon VPC
  • From Layer 3 to Layer 7 protection
  • Traffic can be inspected in any direction:
    • VPC to VPC traffic
    • Outbound to the internet
    • Inbound from the internet
    • To / From Direct Connect & Site-to-Site VPN

[Image: AWS Network Firewall protecting an entire VPC from Layer 3 to Layer 7]

AWS Network Firewall offers much stronger protection than a NACL: NACLs are stateless Layer 3 / Layer 4 filters that operate at the subnet level, while Network Firewall is a stateful firewall operating at the VPC level with Layer 3 to Layer 7 inspection (domain-name filtering, Suricata-compatible IPS rules). #

More about Network Firewall: https://docs.aws.amazon.com/network-firewall/

AWS Firewall Manager #

AWS Firewall Manager manages security rules across all accounts of an AWS Organization. #
  • Security policy: common set of security rules
    • VPC Security Groups for EC2, Application Load Balancer, etc.
    • WAF rules
    • AWS Shield Advanced
    • AWS Network Firewall
Rules are applied to new resources as they are created (good for compliance) across ALL EXISTING AND FUTURE accounts in the Organization. Requires AWS Organizations (all features enabled) and AWS Config enabled in the member accounts. #

Penetration Testing on AWS Cloud #

Allowed activities: #
AWS customers are allowed to carry out security assessments or penetration tests against their own AWS infrastructure without prior approval for 8 services: #
  • Amazon EC2 instances, NAT Gateways and Elastic Load Balancers
  • Amazon RDS
  • Amazon CloudFront
  • Amazon Aurora
  • Amazon API Gateways
  • AWS Lambda and Lambda Edge functions
  • Amazon Lightsail resources
  • Amazon Elastic Beanstalk environments

Prohibited activities: #

  • DNS zone walking via Amazon Route53 and Hosted Zones
  • Denial of Service (DoS), Distributed Denial of Service (DDoS), Simulated DoS, Simulated DDoS
  • Port flooding
  • Protocol flooding
  • Request flooding (login request flooding, API request flooding)

For any simulated events, contact aws-security-simulated-event@amazon.com

Read more about Penetration Testing: https://aws.amazon.com/security/penetration-testing/

Data at rest vs Data in Transit #

  • At rest: data stored or archived on a device
    • On a hard disk, in RDS, in S3 Glacier, etc.
  • In transit (in motion): data being transferred over the network (e.g. between a client and S3, or between EC2 and RDS)
Data in both states (at rest, in transit) should be encrypted as a best practice. #

AWS KMS (Key Management Service) #

AWS manages encryption keys for customers with KMS. #
  • Encryption Opt-in:
    • EBS Volumes: encrypt volumes
    • S3 buckets: server-side encryption of objects (SSE-S3 enabled by default, SSE-KMS opt-in)
    • Redshift Database
    • RDS database
    • EFS drives: encryption of data
  • Encryption Automatically enabled:
    • CloudTrail Logs
    • S3 Glacier
    • Storage Gateway

Cloud HSM #

  • KMS = AWS manages the software (and the key material) used for encryption
  • CloudHSM = AWS provisions dedicated encryption hardware (HSM = Hardware Security Module)
    • The customer manages their own keys (and HSM users) instead of AWS; AWS has no access to the key material
    • HSM devices are tamper resistant and FIPS 140 Level 3 validated

Types of KMS Keys #

  • Customer Managed Key:
    • Created, managed and used by the customer
    • Optional automatic rotation (by default new key material every year; older key material is kept so that ciphertexts encrypted with it can still be decrypted)
    • Possibility to bring-your-own-key (import your own key material)
  • AWS Managed Key:
    • Created, managed and used on the customer's behalf by AWS
    • Used by AWS services (S3, EBS, Redshift, etc.)
  • AWS Owned Key:
    • Collection of KMS keys that an AWS service owns and manages for use in multiple accounts; not visible in the customer's account
  • CloudHSM Keys:
    • Keys generated in your own (dedicated) CloudHSM hardware device
    • Cryptographic operations are performed within the CloudHSM cluster

[Screenshot: KMS > AWS managed keys]

AWS Certificate Manager (ACM) #

ACM allows easy provisioning and deployment of SSL / TLS certificates used to provide encryption for HTTPS-enabled websites.

  • Supports both public and private TLS certificates
  • Free of charge for public TLS certificates
  • Automatic renewal of ACM-issued certificates (imported certificates are not renewed automatically)
  • Integrations with AWS Services, such as:
    • Elastic Load Balancers (ELB)
    • CloudFront Distributions
    • APIs on API Gateway

AWS Secrets Manager #

  • Capability to force rotation of secrets every X days
  • Automates generation of new secret values on rotation (uses Lambda)
  • Native rotation integration with Amazon RDS (MySQL, PostgreSQL, Aurora)
  • Secrets are encrypted using KMS

Use case: RDS integrations.

[Screenshot: Secrets Manager > Store a new secret]

Artifact Overview #

Artifact is a portal that provides customers with on-demand access to AWS compliance documentation and AWS agreements.

  • Artifact Reports - allows downloading AWS security and compliance documents produced by third-party auditors, like AWS ISO certifications, Payment Card Industry (PCI) and System and Organization Control (SOC) reports
  • Artifact Agreements - allows reviewing, accepting and tracking the status of AWS agreements, such as:
    • Business Associate Addendum (BAA) under the Health Insurance Portability and Accountability Act (HIPAA), accepted for an individual account or for all accounts in the organization
Can be used to support internal audit or compliance. #

[Screenshot: Artifact > View reports]

GuardDuty #

GuardDuty is an intelligent threat detection service that protects the AWS account.

Uses machine learning, anomaly detection and integrated threat intelligence (known malicious IPs and domains).

Enabled with one click, no software to install.

Input data includes: #
  • CloudTrail Event Logs - unusual API calls, unauthorized deployments
    • CloudTrail Management Events - create VPC subnet, create trail, …
    • CloudTrail S3 Data Events - get object, list object, delete object, …
  • VPC Flow Logs - unusual internal traffic, unusual IP addresses
  • DNS Logs - compromised EC2 instances sending encoded data within DNS queries
  • Optional protection plans (e.g. EKS audit logs, Malware Protection for EBS volumes, RDS login activity, Lambda network activity)

An EventBridge rule (see Cloud Monitoring) can be set up to be notified of findings; rules can target AWS Lambda or SNS.

GuardDuty has dedicated finding types for cryptocurrency mining (e.g. CryptoCurrency:EC2/BitcoinTool.B!DNS, raised when an instance queries a domain associated with mining pools).

[Image: Amazon GuardDuty input data example]
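The DNS-log signal listed above ("compromised EC2 instances sending encoded data within DNS queries", which GuardDuty reports as Trojan:EC2/DNSDataExfiltration), as an added example that is not GuardDuty's own logic and not code from the original post: a heuristic run over constructed DNS query records. A host tunnelling data out produces many distinct, long, high-entropy leftmost labels under a single attacker-controlled domain, so the detector scores each (instance, base domain) pair on those three signals together; the thresholds and the "last two labels" approximation of the base domain are assumptions to tune against your own traffic.

```python
"""Heuristic for the DNS-log signal GuardDuty uses: encoded data in DNS queries.

Added example, not GuardDuty's own logic and not from the original post. It
scores DNS query records per (instance, base domain): a compromised instance
tunnelling data out produces many unique, long, high-entropy subdomains under
one attacker-controlled domain. The query records below are constructed.
"""
import base64
import hashlib
import math
from collections import defaultdict


def shannon_entropy(text):
    """Bits of entropy per character of `text` (0 for empty or one repeated char)."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_query(qname):
    """Return (leftmost_label, base_domain). The base domain is approximated
    as the last two labels; a public-suffix list would be used in practice."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) < 3:
        return "", ".".join(labels)
    return labels[0], ".".join(labels[-2:])


def detect_dns_exfiltration(records, min_unique=8, min_label_len=24, min_entropy=3.5):
    """records: iterable of (instance_id, query_name).

    Flags an instance/domain pair with at least `min_unique` distinct leftmost
    labels whose average length and entropy both look like encoded data. A
    single random-looking CDN hostname does not trip it: it is short and it is
    only one label. Thresholds are assumptions to tune on baseline traffic."""
    stats = defaultdict(lambda: {"labels": set(), "queries": 0})
    for instance_id, qname in records:
        label, base = split_query(qname)
        entry = stats[(instance_id, base)]
        entry["queries"] += 1
        if label:
            entry["labels"].add(label)

    findings = []
    for (instance_id, base), entry in stats.items():
        labels = entry["labels"]
        if len(labels) < min_unique:
            continue
        avg_len = sum(len(label) for label in labels) / len(labels)
        avg_entropy = sum(shannon_entropy(label) for label in labels) / len(labels)
        if avg_len >= min_label_len and avg_entropy >= min_entropy:
            findings.append({
                "instance": instance_id,
                "domain": base,
                "unique_subdomains": len(labels),
                "queries": entry["queries"],
                "avg_label_len": round(avg_len, 1),
                "avg_entropy": round(avg_entropy, 2),
            })
    return findings


def _encoded_chunk(i):
    """Stand-in for a base32-encoded chunk of stolen data (constructed)."""
    digest = hashlib.sha256(f"chunk-{i}".encode()).digest()
    return base64.b32encode(digest).decode().lower().rstrip("=")[:40]


# Constructed query log: normal browsing, a CDN hostname with a random-looking
# but short label, and one instance tunnelling data to exfil-example.net.
SAMPLE_QUERIES = (
    [("i-0benign", q) for q in ("www.example.com", "api.example.com", "cdn.example.com")] * 10
    + [("i-0benign", "d1a2b3c4d5e6f7.cloudfront.net")] * 5
    + [("i-0suspect", f"{_encoded_chunk(i)}.t.exfil-example.net") for i in range(12)]
)

if __name__ == "__main__":
    for finding in detect_dns_exfiltration(SAMPLE_QUERIES):
        print(finding)
```

Only the suspect instance is reported; the benign instance's CDN lookup has a high-entropy label too, which is why entropy alone is a poor detector and the count of distinct subdomains under one domain carries most of the weight.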

Amazon Inspector #

Automated security assessment. #
  • For EC2 instances
    • Using the AWS Systems Manager (SSM) agent
    • Analyzes unintended network accessibility
    • Analyzes the running OS and installed packages against known vulnerabilities
  • For container images pushed to ECR
    • Assessment of container images as they are pushed
  • For Lambda functions
    • Identifies software vulnerabilities in function code and package dependencies
    • Assessment of functions as they are deployed
Reporting and integration with AWS Security Hub. #

Amazon Inspector evaluates vulnerabilities (against the CVE database) only for running EC2 instances, container images and Lambda functions.

A risk score (derived from the CVSS score and adjusted for context such as network reachability) is associated with each vulnerability for prioritization.

AWS Config #

AWS Config helps with auditing and recording compliance of your AWS resources. It records configurations and their changes over time.

It can store the configuration data into S3 (then analyzed by Athena).

What AWS Config can record (examples): #
  • Unrestricted SSH access in security groups (i.e. port 22 open to everyone)
  • Public access to S3 buckets
  • ELB configuration changes over time

It uses SNS (see Cloud Integrations) for sending notifications.

AWS Config is a per-region service but can be aggregated across regions and accounts.

[Screenshot: AWS Config > 1-click setup]

AWS Macie #

Amazon Macie is a fully managed data security and data privacy service that uses machine learning and pattern matching to discover sensitive data in AWS (Amazon S3).

Macie helps identify and alert on sensitive data, such as PII (Personally Identifiable Information).

AWS Security Hub #

AWS Security Hub is a central security tool to manage security across several AWS accounts and automate security checks.

Integrated dashboards show the current security and compliance status so that action can be taken quickly.

Security Hub automatically aggregates findings in a common format (AWS Security Finding Format, ASFF) from AWS services (or AWS partner tools):

  • Config
  • GuardDuty
  • Inspector
  • Macie
  • IAM Access Analyzer
  • AWS Systems Manager
  • AWS Firewall Manager
  • AWS Health
  • AWS Partner Network Solutions

AWS Config service is a dependency and must first be enabled to use Security Hub.

[Image: AWS Security Hub]

Amazon Detective #

GuardDuty, Macie and Security Hub are used to identify potential security issues (findings).

Often security findings require deeper analysis to isolate the root cause and take action - this can be a complex process.

Amazon Detective analyzes, investigates and identifies the root cause of security issues or suspicious activities (using machine learning).

It automatically collects and processes events from VPC Flow Logs, CloudTrail and GuardDuty and creates a unified view. It can produce visualizations with details and context to help get to the root cause.

AWS Abuse #

Report AWS resources suspected of being used for abusive or illegal purposes.

  • Abusive and prohibited behaviors:
    • SPAM
    • Port scanning
    • DoS or DDoS
    • Intrusion attempts
    • Hosting illegal or copyrighted content
    • Distributing malware

Contact the AWS Abuse team at abuse@amazonaws.com

Root user privileges #

Root user = AWS Account Owner

Actions that can be performed only by the root user: #
  • Change account settings (account name, email address, root user password, root user access keys)
  • View certain tax invoices
  • Close AWS account
  • Restore IAM user permissions (if the only IAM administrator accidentally revokes their own permissions)
  • Change or cancel your AWS Support plan
  • Register as a seller in the Reserved Instance Marketplace
  • Configure an Amazon S3 bucket to enable MFA Delete
  • Edit or delete an Amazon S3 bucket policy that includes an invalid VPC ID or VPC endpoint ID
  • Sign up for GovCloud

IAM Access Analyzer #

Find out which resources are shared externally with IAM Access Analyzer. #
  • S3 buckets
  • IAM roles
  • KMS keys
  • Lambda functions and layers
  • SQS queues
  • Secrets Manager secrets

Define a zone of trust (AWS account or AWS Organization).

Any access granted to a principal outside the zone of trust = finding.
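The zone-of-trust check described above, and the "bucket policy / public setting" customer responsibility from the S3 example earlier on this page, as one added example that is not Access Analyzer's own code and not code from the original post: a simplified analyzer over an S3 bucket policy (KMS key, SQS queue and Secrets Manager resource policies share the same shape). It reports Allow statements whose principal is outside the zone of trust, a set of account IDs, unless an aws:PrincipalOrgID condition keeps the grant inside your organization. The policy, account IDs, org ID and bucket name are constructed placeholders, and only "AWS" principals are evaluated (service principals are skipped), which is a simplification of what Access Analyzer does.

```python
"""Simplified Access Analyzer: resource-policy grants outside a zone of trust.

Added example, not Access Analyzer's own code and not from the original post.
Reports Allow statements whose principal lies outside the zone of trust (a set
of account IDs) unless an aws:PrincipalOrgID equality condition pins the grant
to the organization. Account IDs, org ID and bucket name are placeholders.
"""
import json
import re

ACCOUNT_FROM_ARN = re.compile(r"^arn:aws:(?:iam|sts)::(\d{12}):")
ORG_EQUALITY_OPERATORS = ("stringequals", "foranyvalue:stringequals", "forallvalues:stringequals")


def principal_accounts(principal):
    """Account IDs named by a Principal element, with '*' for anonymous access.
    Only the "AWS" principal type is evaluated; Service principals are skipped."""
    if principal == "*":
        return {"*"}
    if not isinstance(principal, dict):
        return set()
    aws = principal.get("AWS", [])
    if isinstance(aws, str):
        aws = [aws]
    accounts = set()
    for entry in aws:
        if entry == "*":
            accounts.add("*")
        elif re.fullmatch(r"\d{12}", entry):
            accounts.add(entry)
        else:
            match = ACCOUNT_FROM_ARN.match(entry)
            accounts.add(match.group(1) if match else entry)
    return accounts


def pinned_to_org(statement, org_id):
    """True when the statement has an aws:PrincipalOrgID equality condition for
    `org_id`, which keeps even a Principal "*" grant inside the organization."""
    for operator, pairs in statement.get("Condition", {}).items():
        if operator.lower() not in ORG_EQUALITY_OPERATORS:
            continue
        for key, value in pairs.items():
            if key.lower() == "aws:principalorgid":
                values = value if isinstance(value, list) else [value]
                if org_id in values:
                    return True
    return False


def external_access_findings(policy, zone_of_trust, org_id=None):
    """One finding per Allow statement that grants access to a principal outside
    `zone_of_trust`. Deny statements and org-pinned Allows never create one."""
    doc = json.loads(policy) if isinstance(policy, str) else policy
    statements = doc.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    findings = []
    for index, statement in enumerate(statements):
        if statement.get("Effect") != "Allow" or "Principal" not in statement:
            continue
        if org_id and pinned_to_org(statement, org_id):
            continue
        external = principal_accounts(statement["Principal"]) - set(zone_of_trust)
        if external:
            actions = statement.get("Action", [])
            findings.append({"sid": statement.get("Sid", f"statement-{index}"),
                             "principals": sorted(external),
                             "actions": actions if isinstance(actions, list) else [actions]})
    return findings


# Constructed bucket policy; account IDs, org ID and bucket name are placeholders.
ZONE_OF_TRUST = {"111111111111", "222222222222"}
ORG_ID = "o-exampleorgid"
BUCKET, OBJECTS = "arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"
SAMPLE_BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "OwnAccount", "Effect": "Allow", "Action": "s3:*", "Resource": OBJECTS,
     "Principal": {"AWS": "arn:aws:iam::111111111111:root"}},
    {"Sid": "PartnerRole", "Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": [BUCKET, OBJECTS], "Principal": {"AWS": "arn:aws:iam::333333333333:role/analytics"}},
    {"Sid": "PublicRead", "Effect": "Allow", "Action": "s3:GetObject", "Resource": OBJECTS,
     "Principal": "*"},
    {"Sid": "OrgWideRead", "Effect": "Allow", "Action": "s3:GetObject", "Resource": OBJECTS,
     "Principal": {"AWS": "*"}, "Condition": {"StringEquals": {"aws:PrincipalOrgID": ORG_ID}}},
    {"Sid": "CloudTrailWrite", "Effect": "Allow", "Action": "s3:PutObject",
     "Resource": OBJECTS, "Principal": {"Service": "cloudtrail.amazonaws.com"}},
    {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Action": "s3:*", "Resource": OBJECTS,
     "Principal": "*", "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
]}

if __name__ == "__main__":
    for finding in external_access_findings(SAMPLE_BUCKET_POLICY, ZONE_OF_TRUST, ORG_ID):
        print(finding)
```

Two findings come back: the partner account's role (outside the zone of trust) and the anonymous `PublicRead` grant. The `OrgWideRead` statement also uses `"AWS": "*"` but is not reported because its aws:PrincipalOrgID condition restricts it to the organization; run the function without `org_id` and it is reported as public, which is the conservative reading when the analyzer does not know your org.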

Summary #

  • Shared Responsibility Model on AWS
  • Shield: Automatic DDoS Protection + 24/7 support for advanced
  • WAF: Web Application Firewall to filter incoming web requests based on rules
  • KMS: Encryption keys managed by AWS
  • CloudHSM: Hardware encryption (AWS Customer managing own keys)
  • AWS Certificate manager: Provision, manage and deploy TLS Certificates
  • Artifact: Get access to compliance reports such as PCI, ISO, etc.
  • GuardDuty: Find malicious behavior within VPC, DNS and CloudTrail Logs
  • Inspector: Find software vulnerabilities in EC2, ECR images and Lambda functions
  • Network Firewall: Protect VPC against network attacks
  • Config: Track config changes and compliance against rules
  • Macie: Find sensitive data (e.g. PII Personally Identifiable Information data) in Amazon S3 buckets
  • CloudTrail: Track API calls made by users within account
  • AWS Security Hub: gather security findings from multiple AWS accounts
  • Amazon Detective: Find the root cause of security issues or suspicious activities
  • AWS Abuse: Report AWS resources used for abusive or illegal purposes
  • Root user privileges:
    • Change account settings
    • Close AWS account
    • Change or cancel AWS Support plan
    • Register as a seller in the Reserved Instance Marketplace
  • IAM Access Analyzer: Identify which resources are shared externally
  • Firewall Manager: Manage security rules across an Organization (WAF, Shield…)


» Table of contents (CLF-C02) « #

  1. What is Cloud Computing
  2. IAM
  3. Budget
  4. EC2
  5. Security Groups
  6. Storage
  7. AMI
  8. Scalability & High Availability
  9. Elastic Load Balancing
  10. Auto Scaling Group
  11. S3
  12. Databases
  13. Other Compute Services
  14. Deployments
  15. AWS Global Infrastructure
  16. Cloud Integrations
  17. Cloud Monitoring
  18. VPC
  19. Security and Compliance
  20. Machine Learning
  21. Account Management and Billing
  22. Advanced Identity
  23. Other Services
  24. AWS Architecting & Ecosystem
  25. Preparing for AWS Practitioner exam

» Disclaimer « #

Disclaimer: Content for educational purposes only, no rights reserved.

Most of the content in this series is coming from Stephane Maarek’s Ultimate AWS Certified Cloud Practitioner CLF-C02 2025 course on Udemy.

I highly encourage you to take Stephane's courses as they are awesome and really help in understanding the subject.

More about Stephane Maarek:

This article is just a summary and has been published to help me learning and passing the practitioner exam.