Graduate Program KB

Security & Compliance

AWS Shared Responsibility Model

  • AWS responsibility (security of the cloud)

    • Protecting infrastructure (hardware, software, facilities and networking) that runs all AWS services
    • The infrastructure and software behind managed services such as S3, DynamoDB and RDS (the customer still configures access and encryption on them)
  • Customer responsibility (security in the cloud)

    • For an EC2 instance, the customer is responsible for:
      • Management of the guest OS (security patches / updates), firewall, network configuration, IAM
      • Encrypting application data
  • Shared controls

    • Patch management: AWS patches the underlying infrastructure, the customer patches the guest OS and applications
    • Configuration management: AWS configures the infrastructure devices, the customer configures their own OS, databases and applications
    • Awareness & training: AWS trains AWS employees, the customer trains their own users

RDS responsibility model

  • AWS responsibility

    • Manages the underlying EC2 instance; customers get no SSH access to it
    • Automated DB engine patching and OS patching (within the maintenance window you choose)
    • Audits the underlying instance and disks and guarantees they function
  • Your responsibility

    • Ports, IP ranges and inbound rules of the DB's security group (the database port should only be reachable from the application's security group, never from 0.0.0.0/0)
    • In-database user creation and permissions
    • Creating the database with or without public access (the PubliclyAccessible setting)
    • Ensuring the parameter group forces SSL / TLS connections (rds.force_ssl = 1 for PostgreSQL, require_secure_transport = ON for MySQL / MariaDB)
    • Database encryption settings (encryption at rest with a KMS key can only be chosen when the instance is created; an existing unencrypted DB is encrypted by copying a snapshot with encryption enabled)

S3 responsibility model

  • AWS responsibility

    • Guarantees storage capacity (no limit on the amount of data) and provides the encryption machinery (new objects get server-side encryption with SSE-S3 by default)
    • Ensure separation of data between different customers
    • Ensure AWS employees can't access your data
  • Your responsibility

    • Bucket configuration (versioning, access logging, Block Public Access settings)
    • Bucket policy / public setting
    • IAM users and roles that are allowed to reach the bucket
    • Choosing the encryption (SSE-S3 default, SSE-KMS with your own key, or client-side encryption)

DDoS Protection on AWS

  • AWS Shield Standard: Protects websites and applications against DDoS attacks, at no additional cost for all customers
  • AWS Shield Advanced: 24/7 premium DDoS protection
  • AWS WAF: Filter specific requests based on rules
  • CloudFront and Route 53:
    • Availability protection using global edge network
    • Combined with AWS Shield, provides attack mitigation at the edge

AWS Shield

  • AWS Shield Standard:

    • Free service that is activated for every AWS customer
    • Provides protection from attacks such as SYN / UDP Floods, Reflection attacks and other layer 3 / layer 4 attacks
  • AWS Shield Advanced:

    • Optional DDoS mitigation service ($3,300 per month per organisation, with a 1-year commitment)
    • Protects against more sophisticated attacks on Amazon EC2, Elastic Load Balancing (ELB), Amazon CloudFront, AWS Global Accelerator and Route 53
    • 24/7 access to the AWS DDoS Response Team (DRT, now called the Shield Response Team)
    • Cost protection: credits for usage spikes (extra EC2, ELB, CloudFront, Global Accelerator or Route 53 charges) caused by a DDoS attack

AWS WAF

  • Web Application Firewall (WAF) protects your web applications from common web exploits (Layer 7, HTTP)
  • Deploy on Application Load Balancer, API Gateway, CloudFront (it cannot be attached to a Network Load Balancer or directly to EC2 instances)
  • Define Web ACL (Web Access Control List)
    • Rules can match on IP addresses, HTTP headers, HTTP body or URI strings
    • Protects from common attacks such as SQL injection and Cross-Site Scripting (XSS), e.g. through the AWS managed rule groups
    • Size constraints, geo-match (block countries)
    • Rate-based rules: count requests per source IP over a 5-minute window and block an IP while it exceeds the limit (layer 7 DDoS, credential stuffing and login flooding)
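
As an added example (not part of these notes and not AWS code), the Python below replays a constructed request log through the logic of a rate-based rule: requests are counted per source IP over a trailing 5-minute window and an IP is blocked while its count exceeds the rule's limit. The limit of 100 and the log lines are assumptions made for the example; the optional URI prefix plays the role of a scope-down statement that restricts which requests are counted at all.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)  # AWS WAF evaluates rate-based rules over a 5-minute span
LIMIT = 100                    # assumed rule Limit for this example; use whatever your Web ACL sets


def make_sample_log():
    """Constructed request log (not real traffic), one request per line:
    '<ISO-8601 time>Z <client IP> <method> <URI>'."""
    base = datetime(2024, 3, 1, 10, 0, 0)
    lines = []
    # 198.51.100.9: 150 POST /login in 150 seconds (login flooding)
    for i in range(150):
        lines.append(f"{(base + timedelta(seconds=i)).isoformat()}Z 198.51.100.9 POST /login")
    # 203.0.113.7: 40 ordinary page views spread over 10 minutes
    for i in range(40):
        lines.append(f"{(base + timedelta(seconds=15 * i)).isoformat()}Z 203.0.113.7 GET /")
    # 192.0.2.44: 120 API calls over an hour, never more than 11 inside any 5-minute window
    for i in range(120):
        lines.append(f"{(base + timedelta(seconds=30 * i)).isoformat()}Z 192.0.2.44 GET /api/items")
    return "\n".join(lines)


def parse_log(text):
    """Parse the log format above into (timestamp, ip, method, uri) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, method, uri = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, method, uri))
    return events


def rate_based_decisions(events, limit=LIMIT, window=WINDOW, uri_prefix=None):
    """Replay requests in time order and return [(timestamp, ip, action)].

    Requests per IP are kept in a deque that only holds the last `window` of
    activity; a request is blocked when, counting itself, more than `limit`
    requests from that IP fall inside the window. `uri_prefix` acts like a
    scope-down statement: only matching requests are counted (None = all)."""
    recent = defaultdict(deque)
    decisions = []
    for ts, ip, method, uri in sorted(events):
        if uri_prefix is not None and not uri.startswith(uri_prefix):
            decisions.append((ts, ip, "ALLOW"))  # outside the rule's scope, never counted
            continue
        hits = recent[ip]
        hits.append(ts)
        while ts - hits[0] > window:  # forget requests older than the window
            hits.popleft()
        decisions.append((ts, ip, "BLOCK" if len(hits) > limit else "ALLOW"))
    return decisions


def blocked_ips(decisions):
    """Distinct IPs that were blocked at least once."""
    return sorted({ip for _, ip, action in decisions if action == "BLOCK"})


def blocked_request_count(decisions, ip):
    """How many requests from `ip` the rule would have blocked."""
    return sum(1 for _, d_ip, action in decisions if d_ip == ip and action == "BLOCK")


if __name__ == "__main__":
    decisions = rate_based_decisions(parse_log(make_sample_log()))
    for ip in blocked_ips(decisions):
        print(f"{ip}: {blocked_request_count(decisions, ip)} requests blocked")
```

Only the login flooder is blocked (its 101st request onwards, 50 in total); the slow client with 120 requests in an hour never has more than 11 in one window and stays under the limit, which is exactly why a low limit combined with a scope-down to the login path is the usual way to stop credential stuffing without touching normal browsing.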

AWS Network Firewall

  • Protects your entire Amazon VPC from Layer 3 to 7 (stateless and stateful rules; stateful rules use Suricata-compatible syntax and can do domain filtering and intrusion prevention)
  • Can inspect any direction:
    • VPC to VPC traffic
    • Outbound to internet
    • Inbound from internet
    • To and from Direct Connect & Site-to-Site VPN

AWS Firewall Manager

  • Manages security rules in all accounts of an AWS Organisation
  • Security policy (a common set of security rules)
    • VPC security groups for EC2, Application Load Balancer, etc.
    • WAF rules
    • AWS Shield Advanced
    • AWS Network Firewall
  • Policies are applied automatically to existing resources and to new resources as they're created, in current and future accounts of the organisation
    • Good for compliance

Penetration Testing on AWS Cloud

  • AWS customers can carry out security assessments or penetration tests against their AWS infrastructure without prior approval

    • Only applies to the following services (8 are listed here; the current AWS policy page lists additional ones such as Amazon ECS and AWS Fargate, so check it before testing anything else):
      • Amazon EC2 instances, NAT Gateways and Elastic Load Balancers
      • Amazon RDS
      • Amazon CloudFront
      • Amazon Aurora
      • Amazon API Gateways
      • AWS Lambda and Lambda Edge functions
      • Amazon Lightsail resources
      • Amazon Elastic Beanstalk environments
  • For YOUR cloud:

    • Prohibited activities
      • DNS zone walking via Amazon Route 53 Hosted Zones
      • Denial of Service (DoS), Distributed Denial of Service (DDoS), Simulated DoS, Simulated DDoS
      • Port flooding
      • Protocol flooding
      • Request flooding (login request flooding, API request flooding)
    • More information: https://aws.amazon.com/security/penetration-testing/

Data at rest vs. Data in transit

  • At rest, data is stored / archived on a device
    • Ex. Hard disk, on a RDS instance, in S3 Glacier Deep Archive, etc.
  • In transit, data being moved from one location to another
    • Means data transferred on the network
    • Ex. Transfer from on-premises to AWS, EC2 to DynamoDB, etc.
  • Both states need protecting: at rest with encryption keys (KMS or CloudHSM, below), in transit with TLS (certificates from ACM, below)

AWS KMS

  • Key Management Service (KMS) is a service that manages and protects encryption keys for us
  • Encryption opt-in
    • EBS volumes: encrypt volumes (can be made the default for all new volumes in a region)
    • S3 buckets: server-side encryption of objects with a KMS key (SSE-KMS); SSE-S3 with AWS-owned keys is applied by default
    • Redshift database / RDS database / EFS drives: encryption of data
  • Encryption automatically enabled
    • CloudTrail logs
    • S3 Glacier
    • Storage Gateway

CloudHSM

  • CloudHSM (Cloud Hardware Security Module) is a service that gives you dedicated hardware and full control over your encryption keys
  • Provisions encryption hardware
    • Dedicated, single-tenant HSM devices
    • HSM device is tamper resistant, FIPS 140-2 Level 3 validated
  • The user manages the keys entirely (AWS has no access to the key material), unlike AWS KMS where AWS operates the service

Types of KMS Keys

  • Customer Managed Key

    • Created, managed and used by the customer, who can enable or disable it and write its key policy
    • Optional automatic rotation (by default a new backing key every year; the old key material is kept so earlier ciphertexts still decrypt)
    • Possibility to bring your own key material (BYOK)
  • AWS Managed Key

    • Created, managed and used on the customer's behalf by AWS
    • Used by AWS services (S3, EBS, Redshift)
  • AWS Owned Key

    • Collection of KMS keys that an AWS service owns and manages for use in multiple accounts
    • AWS can use those to protect resources in your account (but you can't view the keys)
  • CloudHSM Keys (custom keystore)

    • Keys generated from your own CloudHSM hardware device
    • Cryptographic operations are performed within the CloudHSM cluster

AWS Certificate Manager (ACM)

  • A service to provision, manage and deploy SSL / TLS Certificates
  • Used to provide in-flight encryption for websites (HTTPS)
  • Supports public and private TLS certificates
    • Public certificates are free of charge
    • Renewal of ACM-issued certificates is automatic (certificates you import are not renewed by ACM)
  • Integrations with (load TLS certificates on)
    • Elastic Load Balancers
    • CloudFront Distributions
    • APIs on API Gateway

AWS Secrets Manager

  • A service for storing, retrieving and rotating secrets (database credentials, API keys, ...)
  • Capability to force rotation of secrets every X days
    • A rotation Lambda function generates the new secret and updates the target (e.g. the database) on each rotation
  • Integration with Amazon RDS (MySQL, PostgreSQL, Aurora)
  • Secrets are encrypted using KMS
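
The rotation protocol that the Lambda function implements, as an added example (not from these notes and not AWS's own rotation templates). Secrets Manager invokes the function four times per rotation with Step set to createSecret, setSecret, testSecret and finishSecret, and tracks versions with the staging labels AWSCURRENT, AWSPENDING and AWSPREVIOUS. The in-memory Secrets Manager client and database below are stand-ins written for this example; the call names and parameters on the fake client mirror the boto3 calls the real function would make, and the secret value is assumed to be a JSON object with "username" and "password" keys.

```python
import json
import secrets
import string


class FakeSecretsManager:
    """In-memory stand-in for the boto3 Secrets Manager client (the calls a rotation
    function makes), keeping the real version / staging-label model: one version
    carries AWSCURRENT, the version under rotation AWSPENDING, the old one AWSPREVIOUS."""

    def __init__(self, secret_id, current_value):
        self.secret_id = secret_id
        self.versions = {"v0": {"value": current_value, "stages": {"AWSCURRENT"}}}

    def describe_secret(self, SecretId):
        return {"VersionIdsToStages": {v: sorted(d["stages"]) for v, d in self.versions.items()}}

    def get_secret_value(self, SecretId, VersionId=None, VersionStage=None):
        for vid, d in self.versions.items():
            if vid == VersionId or VersionStage in d["stages"]:
                return {"VersionId": vid, "SecretString": d["value"]}
        raise LookupError("ResourceNotFoundException")

    def put_secret_value(self, SecretId, ClientRequestToken, SecretString, VersionStages):
        self.versions[ClientRequestToken] = {"value": SecretString, "stages": set(VersionStages)}

    def update_secret_version_stage(self, SecretId, VersionStage, MoveToVersionId, RemoveFromVersionId=None):
        if RemoveFromVersionId:
            self.versions[RemoveFromVersionId]["stages"].discard(VersionStage)
            if VersionStage == "AWSCURRENT":  # the service re-labels the outgoing version
                self.versions[RemoveFromVersionId]["stages"].add("AWSPREVIOUS")
        self.versions[MoveToVersionId]["stages"].add(VersionStage)
        self.versions[MoveToVersionId]["stages"].discard("AWSPENDING")  # rotation complete


class FakeDatabase:
    """Stand-in for the database engine whose user password is being rotated."""

    def __init__(self, users):
        self.users = dict(users)

    def login(self, username, password):
        return self.users.get(username) == password

    def change_password(self, username, old_password, new_password):
        if not self.login(username, old_password):
            raise PermissionError("authentication failed")
        self.users[username] = new_password


def generate_password(length=32):
    alphabet = string.ascii_letters + string.digits + "!#$%&*+-=?@^_~"
    return "".join(secrets.choice(alphabet) for _ in range(length))


def _read(sm, secret_id, **where):
    return json.loads(sm.get_secret_value(SecretId=secret_id, **where)["SecretString"])


def rotate(event, sm, db):
    """One invocation of the rotation function. `event` is what Secrets Manager
    sends: {"SecretId", "ClientRequestToken", "Step"}."""
    secret_id, token, step = event["SecretId"], event["ClientRequestToken"], event["Step"]
    stages = sm.describe_secret(SecretId=secret_id)["VersionIdsToStages"]
    if "AWSCURRENT" in stages.get(token, []):
        return "already current"  # idempotency: a retried finishSecret must not rotate twice

    if step == "createSecret":
        if token not in stages:  # on a retry the AWSPENDING version already exists
            pending = dict(_read(sm, secret_id, VersionStage="AWSCURRENT"), password=generate_password())
            sm.put_secret_value(SecretId=secret_id, ClientRequestToken=token,
                                SecretString=json.dumps(pending), VersionStages=["AWSPENDING"])
    elif step == "setSecret":
        current = _read(sm, secret_id, VersionStage="AWSCURRENT")
        pending = _read(sm, secret_id, VersionId=token)
        # authenticate with the still-valid current credentials to install the new password
        db.change_password(pending["username"], current["password"], pending["password"])
    elif step == "testSecret":
        pending = _read(sm, secret_id, VersionId=token)
        if not db.login(pending["username"], pending["password"]):
            raise RuntimeError("pending credentials rejected; AWSCURRENT stays untouched")
    elif step == "finishSecret":
        current_vid = next(v for v, s in stages.items() if "AWSCURRENT" in s)
        sm.update_secret_version_stage(SecretId=secret_id, VersionStage="AWSCURRENT",
                                       MoveToVersionId=token, RemoveFromVersionId=current_vid)
    else:
        raise ValueError(f"unknown step {step}")
    return step


def run_rotation(sm, db, token):
    """Drive the four steps in the order Secrets Manager calls them; return the new AWSCURRENT value."""
    for step in ("createSecret", "setSecret", "testSecret", "finishSecret"):
        rotate({"SecretId": sm.secret_id, "ClientRequestToken": token, "Step": step}, sm, db)
    return _read(sm, sm.secret_id, VersionStage="AWSCURRENT")
```

The order matters for safety: the new password is written to Secrets Manager as AWSPENDING before it is installed in the database, and AWSCURRENT only moves after testSecret has proven the new credentials work, so a failure at any step leaves applications reading a still-valid secret.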

AWS Artifact

  • A portal that provides customers with on-demand access to AWS compliance documentation and AWS agreements
  • Artifact Reports
    • Allows you to download AWS security and compliance reports produced by third-party auditors
      • Such as ISO certifications, Payment Card Industry (PCI) attestations and System and Organization Control (SOC) reports
  • Artifact Agreements
    • Allows you to review, accept and track the status of AWS agreements
      • Agreements such as the Business Associate Addendum (BAA) under the Health Insurance Portability and Accountability Act (HIPAA), for an individual account or for all accounts in an organisation
  • Used for supporting internal audit or compliance

Amazon GuardDuty

  • A threat detection service that monitors for malicious activity or anomalous behaviour for protecting your AWS account
  • Uses machine learning algorithms, anomaly detection and third-party threat intelligence feeds
  • 30 day trial available, don't need to install any software
  • Input data includes:
    • CloudTrail Event Logs: Unusual API calls, unauthorised deployments
      • CloudTrail Management Events: Create VPC subnet, create trail, ...
      • CloudTrail S3 Data Events: Get object, list objects, delete object, ...
    • VPC Flow Logs: Unusual internet traffic, unusual IP address
    • DNS Logs: Compromised EC2 instances sending encoded data within DNS queries
    • Optional features: EKS Audit Logs, RDS & Aurora, EBS, Lambda, S3 Data Events...
  • Can setup EventBridge rules for notifications
    • These rules can target AWS Lambda or SNS
  • Detects cryptocurrency mining on compromised resources (dedicated finding types such as CryptoCurrency:EC2/BitcoinTool.B)
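
As an added example (not part of the notes and not AWS code), the Python below shows the EventBridge side of that integration: a rule event pattern that only matches GuardDuty findings of severity 7 or higher, a second pattern that matches every cryptocurrency finding by prefix, a small matcher implementing the EventBridge pattern semantics the rules rely on (exact values, numeric comparisons and prefix matching), and the Lambda target that turns a matched finding into a notification. The two findings are constructed for the example; the finding types are real GuardDuty types, and the field layout follows the GuardDuty finding format but is trimmed to what the handler reads.

```python
import operator

# Event pattern for an EventBridge rule: notify on GuardDuty findings of severity >= 7
HIGH_SEVERITY_PATTERN = {
    "source": ["aws.guardduty"],
    "detail-type": ["GuardDuty Finding"],
    "detail": {"severity": [{"numeric": [">=", 7]}]},
}

# Pattern matching every cryptocurrency-mining finding regardless of severity
CRYPTO_PATTERN = {
    "source": ["aws.guardduty"],
    "detail": {"type": [{"prefix": "CryptoCurrency:"}]},
}

_NUMERIC_OPS = {"=": operator.eq, "<": operator.lt, "<=": operator.le, ">": operator.gt, ">=": operator.ge}


def _match_leaf(alternatives, value):
    """A leaf pattern is a list; the value matches if any alternative does."""
    for alt in alternatives:
        if isinstance(alt, dict):
            if "numeric" in alt and isinstance(value, (int, float)) and not isinstance(value, bool):
                spec = alt["numeric"]  # e.g. [">=", 7] or [">", 0, "<=", 4]
                if all(_NUMERIC_OPS[op](value, bound) for op, bound in zip(spec[0::2], spec[1::2])):
                    return True
            elif "prefix" in alt and isinstance(value, str) and value.startswith(alt["prefix"]):
                return True
        elif alt == value:
            return True
    return False


def matches(pattern, event):
    """Every key in the pattern must be present in the event and match;
    nested dicts descend, lists are matched as leaves."""
    for key, sub in pattern.items():
        if key not in event:
            return False
        if isinstance(sub, dict):
            if not isinstance(event[key], dict) or not matches(sub, event[key]):
                return False
        elif not _match_leaf(sub, event[key]):
            return False
    return True


def lambda_handler(event, context=None):
    """Rule target: summarise the finding for the on-call channel.
    A deployed function would publish `message` with boto3's sns.publish; it is returned here."""
    d = event["detail"]
    instance = d.get("resource", {}).get("instanceDetails", {}).get("instanceId")
    target = instance or d.get("resource", {}).get("resourceType", "unknown")
    return {
        "severity": d["severity"],
        "type": d["type"],
        "target": target,
        "message": f"[GuardDuty sev {d['severity']}] {d['type']} on {target} in {event['region']} ({event['account']})",
    }


def _finding(finding_type, severity, instance_id):
    """Constructed GuardDuty finding event, trimmed to the fields used above."""
    return {
        "version": "0",
        "source": "aws.guardduty",
        "detail-type": "GuardDuty Finding",
        "account": "123456789012",
        "region": "eu-west-1",
        "detail": {
            "type": finding_type,
            "severity": severity,
            "resource": {"resourceType": "Instance", "instanceDetails": {"instanceId": instance_id}},
        },
    }


CRYPTO_FINDING = _finding("CryptoCurrency:EC2/BitcoinTool.B!DNS", 8, "i-0abc123def456789a")
PROBE_FINDING = _finding("Recon:EC2/PortProbeUnprotectedPort", 2, "i-0fedcba987654321f")


def route(event):
    """Names of the rules that would fire for an event."""
    fired = []
    if matches(HIGH_SEVERITY_PATTERN, event):
        fired.append("high-severity")
    if matches(CRYPTO_PATTERN, event):
        fired.append("crypto-mining")
    return fired
```

Filtering on severity in the rule pattern rather than in the Lambda keeps low-severity noise (port probes, for instance) from ever invoking the function, while the prefix pattern guarantees a page for every mining finding even when its severity is below the threshold.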

Amazon Inspector

  • An automated vulnerability management service for continually scanning AWS workloads for vulnerabilities
    • Scans are triggered automatically when a resource is created or changed and when new CVEs are published, so scanning only happens when needed
    • Risk score is associated with all types of vulnerabilities for prioritisation
    • Only evaluates EC2 instances, Container Images and Lambda functions
  • For EC2 instances:
    • Leveraging AWS System Manager (SSM) agent
    • Analyse against unintended network accessibility
    • Analyse the running OS against known vulnerabilities
  • For Container Images pushed to Amazon ECR:
    • Assessment of Container Images as they're pushed
  • For Lambda functions:
    • Identifies software vulnerabilities in function code and package dependencies
    • Assessment of functions as they are deployed
  • Reporting and integration with AWS Security Hub
  • Sends findings to Amazon EventBridge

AWS Config

  • A configuration tool to help assess, audit and record your configurations and AWS resources over time

    • Configuration history and snapshots can be stored in S3 (and queried there with Athena)
    • Questions that can be solved by AWS Config
      • Is there unrestricted SSH access to my security groups?
      • Do my buckets have any public access?
      • How has my ALB configuration changed over time?
    • Can receive alerts for any changes through SNS notifications
    • AWS Config is a per-region service
    • Can be aggregated across regions and accounts
  • AWS Config Resource

    • View compliance of a resource over time
    • View configuration of a resource over time
    • View CloudTrail API calls if enabled
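
The first question in that list ("is there unrestricted SSH access to my security groups?") is what a Config rule answers. AWS ships a managed rule for it (restricted-ssh); the Python below is an added example of how the same check looks as a custom Lambda-backed rule, not code from these notes or from AWS. Config invokes the function with the changed resource's configuration item embedded as a JSON string in invokingEvent; the function classifies the security group and would report the result with put_evaluations (that boto3 call is left as a comment so the example runs offline). The sample events are constructed; the ipPermissions layout follows the AWS::EC2::SecurityGroup configuration item, and the code accepts CIDR entries both as plain strings and as {cidrIp: ...} objects, since both forms occur in Config items.

```python
import ipaddress
import json


def _cidrs(permission):
    """Yield every CIDR in an ipPermissions entry (IPv4 and IPv6), accepting both
    the plain-string list and the {cidrIp} / {cidrIpv6} object list found in Config items."""
    for key in ("ipRanges", "ipv4Ranges", "ipv6Ranges"):
        for entry in permission.get(key, []):
            if isinstance(entry, str):
                yield entry
            else:
                cidr = entry.get("cidrIp") or entry.get("cidrIpv6")
                if cidr:
                    yield cidr


def _covers_port(permission, port):
    proto = permission.get("ipProtocol")
    if proto == "-1":  # all traffic, every port
        return True
    if proto != "tcp":
        return False
    return permission.get("fromPort", 0) <= port <= permission.get("toPort", 65535)


def evaluate_security_group(configuration, port=22):
    """Return (compliance_type, annotation) for one security group configuration."""
    for permission in configuration.get("ipPermissions", []):
        if not _covers_port(permission, port):
            continue
        for cidr in _cidrs(permission):
            # prefix length 0 (0.0.0.0/0 or ::/0) means "anyone on the internet"
            if ipaddress.ip_network(cidr, strict=False).prefixlen == 0:
                return "NON_COMPLIANT", f"TCP port {port} is open to {cidr}"
    return "COMPLIANT", f"no unrestricted ingress on TCP port {port}"


def lambda_handler(event, context=None):
    """Entry point for a Lambda-backed Config rule with a configuration-change trigger."""
    invoking = json.loads(event["invokingEvent"])
    item = invoking["configurationItem"]
    params = json.loads(event.get("ruleParameters") or "{}")
    port = int(params.get("port", 22))

    if item["resourceType"] != "AWS::EC2::SecurityGroup" or item.get("configurationItemStatus") == "ResourceDeleted":
        compliance, annotation = "NOT_APPLICABLE", "not an existing security group"
    else:
        compliance, annotation = evaluate_security_group(item["configuration"], port)

    evaluation = {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": compliance,
        "Annotation": annotation,
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }
    # In the deployed function the verdict goes back to Config:
    # boto3.client("config").put_evaluations(Evaluations=[evaluation], ResultToken=event["resultToken"])
    return evaluation


def make_event(group_id, ip_permissions, rule_parameters=None):
    """Constructed Config invocation event for a security-group change."""
    item = {
        "resourceType": "AWS::EC2::SecurityGroup",
        "resourceId": group_id,
        "configurationItemStatus": "OK",
        "configurationItemCaptureTime": "2024-03-01T10:00:00.000Z",
        "configuration": {"groupId": group_id, "ipPermissions": ip_permissions},
    }
    return {
        "invokingEvent": json.dumps({"configurationItem": item, "messageType": "ConfigurationItemChangeNotification"}),
        "ruleParameters": json.dumps(rule_parameters or {}),
        "resultToken": "example-token",
    }


# Constructed security groups: one with SSH wide open, one restricted to a corporate
# range (HTTPS public is fine), one allowing all traffic from any IPv6 address
OPEN_SSH = make_event("sg-0a1b2c3d4e5f60718", [
    {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22, "ipRanges": [{"cidrIp": "0.0.0.0/0"}]},
])
CORP_SSH = make_event("sg-0123456789abcdef0", [
    {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22, "ipRanges": ["10.20.0.0/16"]},
    {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443, "ipRanges": ["0.0.0.0/0"]},
])
ALL_TRAFFIC_V6 = make_event("sg-0f1e2d3c4b5a69788", [
    {"ipProtocol": "-1", "ipv6Ranges": [{"cidrIpv6": "::/0"}]},
])
```

The all-traffic and IPv6 cases are the ones a naive "fromPort == 22 and cidrIp == 0.0.0.0/0" check misses; the rule parameter makes the same function reusable for RDP (3389) or a database port.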

Amazon Macie

  • A fully managed data security and data privacy service using machine learning and pattern matching to discover and protect your sensitive data in AWS
  • Macie identifies and alerts you to sensitive data, such as personally identifiable information (PII)

AWS Security Hub

  • A central security tool to manage security across several AWS accounts and automate security checks
  • Integrated dashboards showing current security and compliance status to quickly take actions
  • Automatically aggregates alerts in pre-defined or personal findings formats from various AWS services and partner tools
    • Config
    • GuardDuty
    • Inspector
    • Macie
    • IAM Access Analyzer
    • AWS Systems Manager
    • AWS Firewall Manager
    • AWS Health
    • AWS Partner Network Solutions
  • Must enable the AWS Config Service first

Amazon Detective

  • A service to analyse, investigate and quickly identify the root cause of security issues or suspicious activities using ML and graphs
    • Automatically collects and processes events from VPC Flow Logs, CloudTrail, GuardDuty and creates a unified view
    • Produces visualisations with details and context to get the root cause
  • GuardDuty, Macie and Security Hub identify potential security issues or findings; Detective provides the deeper analysis needed to isolate the root cause and take action afterwards

AWS Abuse

  • The channel (abuse@amazonaws.com or the AWS abuse report form) for reporting AWS resources suspected of being used for abusive or illegal purposes
  • Abusive and prohibited behaviours include:
    • Spam: receiving undesired emails from AWS-owned IP addresses; websites and forums spammed by AWS resources
    • Port scanning: sending packets to your ports to discover unsecured ones
    • DoS or DDoS attacks: AWS-owned IP addresses attempting to overwhelm or crash your servers or software
    • Intrusion attempts: attempts to log in to your resources
    • Hosting objectionable or copyrighted content: distributing illegal or copyrighted content without consent
    • Distributing malware: AWS resources distributing software designed to harm computers or machines

Root user privileges

  • Root user is the account owner
    • They have complete access to all AWS services and resources
  • Secure the root user: enable MFA, delete any root access keys (use IAM users or roles for programmatic access) and keep the password somewhere safe
  • Don't use the root account for everyday tasks, even administrative tasks
  • Actions that can be performed only by the root user include:
    • Change account settings
    • View certain tax invoices
    • Close AWS account
    • Restore IAM user permissions
    • Change or cancel AWS support plan
    • Register as a seller in the Reserved Instance Marketplace
    • Configure an Amazon S3 bucket to enable MFA Delete
    • Edit or delete an Amazon S3 bucket policy that includes an invalid VPC ID or VPC endpoint ID
    • Sign up for GovCloud

IAM Access Analyzer

  • Used to find out which resources are shared with principals outside your account or organisation (external access), including:
    • S3 buckets
    • IAM roles
    • KMS keys
    • Lambda functions and Layers
    • SQS queues
    • Secrets Manager Secrets
  • You define a zone of trust (an AWS account or an AWS Organization); any access granted to a principal outside it is reported as a finding
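
Both the bucket-policy responsibility under the S3 section above and the zone of trust here come down to the same question: which statements of a resource policy let a principal outside the account or organisation in. The Python below is an added example of that check, not code from these notes and not how IAM Access Analyzer is implemented (the service reasons over the full policy language; this version only recognises Allow statements, AWS principals given as "*", account IDs or ARNs, and a StringEquals condition on aws:PrincipalOrgID or aws:PrincipalAccount that pins a wildcard principal back inside the zone). The bucket policy, account IDs and organisation ID are constructed for the example.

```python
import json


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _account_of(principal):
    """Account ID behind an AWS principal string, or None for the wildcard '*'."""
    if principal == "*":
        return None
    if principal.isdigit() and len(principal) == 12:
        return principal
    parts = principal.split(":")  # arn:partition:service:region:account:resource
    if len(parts) >= 6 and parts[0] == "arn":
        return parts[4]
    raise ValueError(f"unrecognised principal {principal!r}")


def _aws_principals(statement):
    """AWS principals of a statement; service and federated principals are
    skipped in this simplified model."""
    principal = statement.get("Principal")
    if principal == "*":
        return ["*"]
    if isinstance(principal, dict):
        return _as_list(principal.get("AWS", []))
    return []


def _pinned_to(statement):
    """Values a StringEquals condition on aws:PrincipalOrgID / aws:PrincipalAccount
    restricts the caller to, if the statement carries one."""
    pinned = set()
    for operator_name, keys in statement.get("Condition", {}).items():
        if operator_name != "StringEquals":
            continue
        for key, values in keys.items():
            if key.lower() in ("aws:principalorgid", "aws:principalaccount"):
                pinned.update(_as_list(values))
    return pinned


def external_access(policy, trusted_accounts, trusted_org=None):
    """Findings for every Allow statement that reaches outside the zone of trust."""
    zone = set(trusted_accounts) | ({trusted_org} if trusted_org else set())
    findings = []
    for statement in _as_list(policy.get("Statement", [])):
        if statement.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        pinned = _pinned_to(statement)
        for principal in _aws_principals(statement):
            account = _account_of(principal)
            if account is None and pinned and pinned <= zone:
                continue  # '*' but the condition keeps callers inside the organisation / accounts
            if account is None:
                access = "public"
            elif account in trusted_accounts:
                continue
            else:
                access = f"cross-account ({account})"
            findings.append({
                "sid": statement.get("Sid", "<no Sid>"),
                "principal": principal,
                "access": access,
                "actions": _as_list(statement.get("Action", [])),
            })
    return findings


# Constructed bucket policy: one public grant, one org-scoped wildcard,
# one cross-account grant, an own-account grant and a Deny that enforces TLS in transit
BUCKET_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "OrgRead", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
     "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-exampleorgid"}}},
    {"Sid": "PartnerWrite", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::999999999999:role/partner-uploader"},
     "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-bucket/inbox/*"},
    {"Sid": "OwnAccountAdmin", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
     "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
     "Action": "s3:*", "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}}
  ]
}""")


def analyse_example():
    """Run the check with the bucket's own account and organisation as the zone of trust."""
    return external_access(BUCKET_POLICY, trusted_accounts={"123456789012"}, trusted_org="o-exampleorgid")
```

With the organisation in the zone of trust only PublicRead and PartnerWrite are reported; drop the organisation from the zone and the org-scoped wildcard becomes a finding too, which is the behaviour to expect when an analyzer is created at account rather than organisation scope.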