Security

AWS Shared Responsibility Model

  • All resources are secured by both customer and AWS

  • AWS env is not a single object

    • a Collection of parts built on top of each other

    • Some parts AWS is responsible for, and others the customer is

  • Two parts

    • customer responsibilities aka security in the cloud

      • responsible to secure everything that is created and put in aws

      • customer of aws has complete control over content

      • Layers

        • client side data, server side encryption; network traffic protection

        • os, network, firewall config

        • platform, app, iam

        • customer data

    • AWS responsibilities aka security of the cloud

      • responsible of construction and ensuring it is solidly built

      • Handles the layers of infrastructure

      • aws provides reports from 3rd party audtiors

      • Layers

        • regions, az, edge locations

        • hardawar, global infrastructure

        • compute, storage, database, networking

        • software

User Permissions and Access (AWS Identity and Access Management (IAM))

  • managess access to AWS services and resources securely

  • When new AWS account created, a AWS account root user is created

    • Has permissions for everything (create users, access all data and resources). very powerful

    • Should have MFA turned on

    • Should not use root user for everyday tasks

      • Should create another user with less privileges (permissions).

      • should create a user which can create other users

      • Only use it root for very specific tasks

        • ie changin account settings (account name, email address, root user password, and root user access keys)

        • changing support plan

        • Restore IAM user permissions

        • View certain tax invoices

        • Close AWS account

        • for others see https://docs.aws.amazon.com/IAM/latest/UserGuide/root-user-tasks.html

IAM Users

  • An identity created in AWS

  • represents a person or app that interacts with service or resource

  • HAs

    • name

    • credentials

  • Default on creatoin has no permissions

    • Need to grant permissions

  • Always create a new user for each person using it

IAM Policy

  • document that allows or denies permissions to AWS services and resources

  • Assign a policy to a user or group

  • Customise users levels of access to resources

  • Should follow priniciple of least privilege for granting permisssions

    • Have the least number of permissiosn to perform their task

    • dont grant access to all buckets, when one is all that is needed

  • Example

    tbc..

    • parts

      • Version

        • of the policy, different versions have different features

      • Statement

        • effect

          • either Allow or Deny

        • action

          • The action that the effect will have on, ie s3:listObject

        • resources

          • references the specific id of the resource

IAM groups

  • A collection of IAM users

  • When policy is assigned, then all users of the group are granted those policies defined in the policy

IAM Roles

  • An identity that you can asssume to gain temp access to persmissions

  • IAM user, app or service must be granted permissions to switch roles before assuming a Role

  • On assuming a role, they lose all previous permissions under previous role

MFA

Links

  • https://docs.aws.amazon.com/iam/

AWS Organisations

  • Consolidating multiple AWS accounts in central location

  • Good for growth of company

  • A root is created on creation

  • centrally control permissions for all accounts in the organisation

    • use service control policies (SCP)

    • place restrictions on AWS servies and individual api actions

    • consolidated billing

ORganisational Units

  • Organise accounts in groups

  • manage accounts with similar business and security requirements

Compliance (AWS Artifact)

  • There are specific standards that must be followed

    • These will be checked to ensure they are upheld via auditing or inspection from internal and external parties

    • Not doing so can lead to fines, prison, loss of contract, loss of reputation etc

    • Ie taxes, gdpr

  • Aws provides tools to collect documents, records and insepct env to see if it meets compliance regulations

  • AWS already builds all the infrastructure using best practices, which you inherit

    • Following specific compliance rules see https://aws.amazon.com/compliance/programs/

    • Depending on the region you use, it will already be compliance ready for that region

      • ie data will not be replicated into a different region if stored in a specific region

    • You own your data

      • Which you can encrypt in ways that best suit you

    • You can ask AWS to provide documents to show they are following the compliance

      • Can be found AWS artifact

        • Can select online agreements

      • Third party reports on compliance met by AWS -> see AWS Compliance

    • Due shared responsibility model, the stuff you build needs to have it's complaince done by you

  • AWS Artifact has two sections

    • AWS Artifact Agreements

      • can review, accept, and manage agreements for an individual account and for all your accounts in AWS Organizations.

    • AWS Artifact Reports

    • provide compliance reports from third-party auditors.

  • Customer Compliance Center

    • contains resources to help you learn more about AWS compliance.

    • access compliance whitepapers and documentation on topics

    • includes an auditor learning path.

Denial of service (DoS) attacks

  • Attack on your system

  • How carried out

    • Shut down app to function, by overwhelming the capacity of the app with mutliple requests, so that no one else can access it (ie real customers)

    • One computer/actor doing this will not provide enough requests to overwhlem service, instead DDoS (distrubuted) is used

      • Leverages other machines (their or unknowningly hacked machines)

      • This allows for random ip addresses to hit the service

      • The main bot, will do little and delegate the majority of the work to the zombie bots

    • Example

      • UDP Flood ie weather info is sent to your service, by malicious actor settign the response address to victim host

      • Http level attacks, lots of (fake) users requesting stuff from the service

      • Slowloris attack, the attack pretends to have a slow connection, so holds up the server

  • How to defend

    • Use security groups

      • to only allow specific traffic (ie hosts, type of connections)

    • ELB will handle slow connections

    • AWS Shield with AWS WAF

      • standard service

        • no costs

        • USes analysis techniques to detect malicious traffic

      • Advnaced

        • paid

        • provides detailed attack diagnostics

        • detect more sophisticated ddos

        • Integrates with ELB, route 53, cloudfront

Additional Security Services

  • Encryption

    • securing a message or data in a way that can only be accessed by authorized parties

    • encryption at rest

      • data not moving

      • all data in dynamo db is encrypted

    • encryption in transit

      • data travelling between servies

      • use SSL and certificates

    • Integrated with AWS key management service (KMS)

    • AWS key management service (KMS)

    • perform encryption operations through the use of cryptograhic keys

    • cryptographic keys

      • random string of digits used for locking(encypting) and unlocking (decrypting) data

    • manage, create and use keys, control use of keys

    • Can specify IAM users and roles that can manage keys

    • Can disable keys (perm/temp)

    • keys never leave KMS

  • AWS WAF

    • Web application firewall

    • monitor network requests that enter apps

    • works with cloudfront and ELB

    • uses the web access control list (ACL) to block or allow traffic

  • amazon inspector

    • perform automated security assessments

    • Checks for security vulnerabilities and deviations from best practices

    • ie open access to EC2 or installations of vulnerable software versions

    • Provides a list of findings (gui) with serverity levels

  • amazon guardduty

    • intelligent threat detection

    • identifies threats from monitoring network activity and behaviour

    • uses multiple sources like vpc logs and dns logs

    • Can automate fixes using a lambda to act on specific problems

    • running outside of apps so no affect on performance

Links

  • https://aws.amazon.com/products/security

  • https://docs.aws.amazon.com/whitepapers/latest/introduction-aws-security/welcome.html

  • https://docs.aws.amazon.com/whitepapers/latest/aws-overview-security-processes/aws-overview-security-processes.pdf

  • https://aws.amazon.com/blogs/security/

  • https://aws.amazon.com/compliance

  • https://aws.amazon.com/solutions/case-studies/?customer-references-cards.sort-by=item.additionalFields.publishedDate&customer-references-cards.sort-order=desc&awsf.customer-references-location=*all&awsf.customer-references-segment=*all&awsf.customer-references-product=product%23vpc%7Cproduct%23api-gateway%7Cproduct%23cloudfront%7Cproduct%23route53%7Cproduct%23directconnect%7Cproduct%23elb&awsf.customer-references-category=category%23security-identity-compliance

  • https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html

PreviousModule 5 Storage and DatabasesNext7 Monitoring and Aanlytics

Last updated