Graduate Program KB

Section 21 - Security & Encryption

Encryption

  • Encryption in-flight (TLS/SSL)
    • Encrypt data before sending, decrypt after receiving
    • TLS certificates help with encryption
    • Protects against man-in-the-middle attacks
  • Server-side encryption at rest
    • Encrypt data after server receives it, decrypt data before being sent
    • Data is stored in an encrypted form
    • Encryption/decryption keys must be managed somewhere and the server must have access to them
  • Client-side encryption
    • Client encrypts data and the server never decrypts it; the client decrypts it upon retrieval
    • Potentially leverage envelope encryption

AWS Key Management Service

  • AWS manages encryption keys, it's fully integrated with IAM for authorization and most other services
  • Easy way to control access to data
  • CloudTrail can audit KMS key usage
  • Never store secrets in plaintext (especially in code); encrypt them with KMS via API calls (SDK, CLI) and store only the encrypted form, e.g. as environment variables
  • Rotation:
    • AWS managed keys are rotated automatically every year
    • Customer managed keys: automatic rotation must be enabled explicitly, on-demand rotation is also possible
    • For imported KMS keys, only manual rotation is possible (using an alias to switch keys)

KMS Key Types

  • Symmetric (AES-256)
    • Single encryption key for both encrypt/decrypt
    • Services integrated with KMS use symmetric CMKs
    • You never get access to the KMS key unencrypted (must use KMS API to use)
  • Asymmetric (RSA & ECC key pairs)
    • Public and private key pair used for encrypt/decrypt or sign/verify operations
    • Public key is downloadable, but private key can't be accessed unencrypted
    • Useful for encryption outside of AWS by users who can't call the KMS API
  • AWS Owned Keys and Managed Keys are free
  • Customer managed keys created in KMS or imported are $1/month

KMS Key Policies

  • Control access to KMS keys
  • Similar to S3 bucket policies, but unlike S3 you can't control access to the key without them
  • Default KMS key policy
    • Created if no specific policy is provided
    • Gives complete access to the key to the root user
  • Custom KMS key policy
    • Define users, roles that can access the KMS key and who can administer the key
    • Useful for cross-account access of the key
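
As an added example (not part of the original notes), a custom key policy of the kind described above: the owner account keeps full control, a dedicated role administers the key, and a role in a second account may only use it. Account IDs and role names are placeholders.

```json
{
  "Version": "2012-10-17",
  "Id": "key-policy-cross-account-example",
  "Statement": [
    {
      "Sid": "EnableIamPoliciesInOwnerAccount",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::111111111111:root" },
      "Action": "kms:*",
      "Resource": "*"
    },
    {
      "Sid": "KeyAdministratorsInOwnerAccount",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::111111111111:role/KeyAdminRole" },
      "Action": [
        "kms:Create*", "kms:Describe*", "kms:Enable*", "kms:List*",
        "kms:Put*", "kms:Update*", "kms:Revoke*", "kms:Disable*",
        "kms:Get*", "kms:Delete*", "kms:ScheduleKeyDeletion",
        "kms:CancelKeyDeletion"
      ],
      "Resource": "*"
    },
    {
      "Sid": "KeyUsersInOtherAccount",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::222222222222:role/AppRole" },
      "Action": [
        "kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
        "kms:GenerateDataKey*", "kms:DescribeKey"
      ],
      "Resource": "*"
    }
  ]
}
```

The key policy alone is not enough for cross-account use: the role in account 222222222222 also needs an IAM policy in its own account allowing the same kms actions on this key's ARN. Note the administrators statement deliberately omits kms:Encrypt/kms:Decrypt, separating key administration from key usage.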

KMS Multi-Region Keys

  • Identical KMS keys in different regions which can be used interchangeably; they share the same key ID, key material and automatic rotation
  • Can encrypt in one region and decrypt in other regions, no need to re-encrypt for making cross-region API calls
  • Not global, each multi-region key is managed independently
  • Useful for global client-side encryption, encryption on Global DynamoDB and Global Aurora

DynamoDB Global Tables and KMS Multi-Region Keys Client-Side Encryption

  • The client-side can encrypt specific attributes using the Amazon DynamoDB Encryption Client
  • The encrypted data is replicated to other regions
  • Using a multi-region key replicated in the same region as the global table enables clients to make low-latency API calls to KMS for decrypting data client-side

Global Aurora and KMS Multi-Region Keys Client-Side Encryption

  • The client-side can encrypt specific attributes using the AWS Encryption SDK
  • The encrypted data is replicated to other regions
  • Using a multi-region key replicated in the same region as the global DB enables clients to make low-latency API calls to KMS for decrypting data client-side
  • Specific fields can even be protected from database admins

S3 Replication Encryption Considerations

  • Unencrypted objects and objects encrypted with SSE-S3 are replicated by default
    • Can also replicate using SSE-C (customer provided key)
  • For objects encrypted with SSE-KMS, replication must be enabled explicitly
    • Specify KMS key for encryption, adapt the KMS key policy for the target key
    • Need an IAM role with kms:Decrypt for the source KMS key and kms:Encrypt for the target KMS key
    • Service quota increases might be necessary if there are KMS throttling errors
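
As an added example (not from the original notes), the KMS part of the permissions policy for the replication role described above: kms:Decrypt on the source key, kms:Encrypt on the target key, each scoped so that only S3 acting on the named bucket can use the grant. Key IDs, bucket names, regions and account ID are placeholders; the S3 replication permissions themselves are omitted.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DecryptSourceObjectsWithSourceKey",
      "Effect": "Allow",
      "Action": "kms:Decrypt",
      "Resource": "arn:aws:kms:us-east-1:111111111111:key/SOURCE-KEY-ID-PLACEHOLDER",
      "Condition": {
        "StringLike": {
          "kms:ViaService": "s3.us-east-1.amazonaws.com",
          "kms:EncryptionContext:aws:s3:arn": "arn:aws:s3:::source-bucket-example/*"
        }
      }
    },
    {
      "Sid": "EncryptReplicasWithTargetKey",
      "Effect": "Allow",
      "Action": "kms:Encrypt",
      "Resource": "arn:aws:kms:eu-west-1:111111111111:key/TARGET-KEY-ID-PLACEHOLDER",
      "Condition": {
        "StringLike": {
          "kms:ViaService": "s3.eu-west-1.amazonaws.com",
          "kms:EncryptionContext:aws:s3:arn": "arn:aws:s3:::target-bucket-example/*"
        }
      }
    }
  ]
}
```

If the target key lives in another account, its key policy must additionally grant kms:Encrypt to this role, as with any cross-account key use.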

SSM Parameter Store

  • Provides secure storage for configuration and secrets
  • Version tracking of configuration and secrets
  • Uses IAM for security
  • Notifications with EventBridge
  • Integration with CloudFormation
  • Tiers:
    • Standard
      • 10000 parameters per AWS account and region
      • Maximum parameter size is 4KB
      • No parameter policies
      • No charge (storage is free)
    • Advanced
      • 100000 parameters per AWS account and region
      • Maximum parameter size is 8KB
      • Has parameter policies available
      • Charges apply
      • Storage pricing is $0.05 per advanced parameter per month

Advanced Parameter Policies

  • Can assign a TTL to a parameter to force updates or deletion of sensitive data such as passwords
  • Can assign multiple policies at a time
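
As an added example (not from the original notes), the three parameter policies that can be attached to a single advanced parameter: an Expiration policy acting as the TTL that deletes the parameter at the given time, an ExpirationNotification emitted beforehand, and a NoChangeNotification if the value has not been updated for a while. The dates and intervals are constructed sample values.

```json
[
  {
    "Type": "Expiration",
    "Version": "1.0",
    "Attributes": {
      "Timestamp": "2025-12-31T00:00:00.000Z"
    }
  },
  {
    "Type": "ExpirationNotification",
    "Version": "1.0",
    "Attributes": {
      "Before": "15",
      "Unit": "Days"
    }
  },
  {
    "Type": "NoChangeNotification",
    "Version": "1.0",
    "Attributes": {
      "After": "20",
      "Unit": "Days"
    }
  }
]
```

The notifications surface as EventBridge events, which is where the "Notifications with EventBridge" bullet above comes in; for an expiring database password the NoChangeNotification is the signal that rotation did not happen.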

AWS Secrets Manager

  • Can force rotation of secrets on a schedule (every N days)
  • Automates generation of secrets on rotation using Lambda
  • Integration with RDS (MySQL, PostgreSQL, Aurora) is the primary use case
  • Secrets are encrypted using KMS
  • Multi-region secrets:
    • Replicate secrets across multiple regions, it keeps read replicas in sync with the primary secret
    • Can promote a read replica secret to a standalone secret
    • Useful for multi-region apps, disaster recovery strategies, multi-region databases, etc.

AWS Certificate Manager

  • Provision, manage and deploy TLS certificates to provide in-flight encryption for websites
  • Supports both public and private TLS certificates
  • Free of charge for public TLS certificates
  • Automatic TLS certificate renewal
  • Integrations with Elastic Load Balancers (CLB, ALB, NLB), CloudFront distributions and APIs on API Gateway
  • Can't use ACM with EC2

Requesting Public Certificates

  • List domain names to be included in the certificate (fully qualified domain name or use a wildcard domain)
  • Select either DNS validation or email validation
    • DNS validation is preferred for automation; it requires adding a CNAME record to the DNS configuration
    • Email validation will send emails to contact addresses in the WHOIS database
  • Takes a few hours to get verified
  • The public certificate will be enrolled for automatic renewal, ACM automatically renews ACM-generated certificates 60 days before expiry

Importing Public Certificates

  • Option to generate the certificate outside of ACM and then import it
  • No automatic renewal, must import a new certificate before expiry
  • ACM sends daily expiration events starting 45 days prior to expiration
  • AWS Config has a managed rule named acm-certificate-expiration-check to check for expiring certificates

Integration with API Gateway

  • Create a custom domain name in API Gateway
  • Edge-Optimized (default) for global clients
    • Route requests through edge locations
    • API Gateway still lives in only one region
    • TLS certificate must be in the same region as CloudFront (us-east-1)
    • Set up CNAME or A-Alias record in Route 53
  • Regional
    • TLS certificate must be imported on API Gateway in the same region as the API stage
    • Set up CNAME or A-Alias record in Route 53

Web Application Firewall

  • Protects web app from common web exploits at Layer 7 (HTTP)
  • Deployable on ALB, API Gateway, CloudFront, AppSync GraphQL API, Cognito User Pool
  • Define Web Access Control List rules
    • IP sets: up to 10,000 IP addresses per set, use multiple rules for more
    • Match on HTTP headers, HTTP body or URI strings to protect against common attacks such as SQL injection and cross-site scripting
    • Size constraints and geo-matching to block certain countries
    • Rate-based rules for DDoS protection
  • Web ACLs are regional, except for CloudFront (global)
  • A rule group is a reusable set of rules that can be added to a web ACL
  • WAF doesn't support NLB (Layer 4), can use Global Accelerator for fixed IP and WAF on ALB
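
As an added example (not from the original notes), a single Web ACL rule combining two of the capabilities listed above: a rate-based rule that blocks an IP once it exceeds 2000 requests in the default 5-minute evaluation window, scoped down by a URI-string match so that only requests to the login path are counted. The rule name, limit and path are constructed values.

```json
{
  "Name": "rate-limit-login-per-ip-example",
  "Priority": 1,
  "Statement": {
    "RateBasedStatement": {
      "Limit": 2000,
      "AggregateKeyType": "IP",
      "ScopeDownStatement": {
        "ByteMatchStatement": {
          "SearchString": "/login",
          "FieldToMatch": { "UriPath": {} },
          "TextTransformations": [
            { "Priority": 0, "Type": "LOWERCASE" }
          ],
          "PositionalConstraint": "STARTS_WITH"
        }
      }
    }
  },
  "Action": { "Block": {} },
  "VisibilityConfig": {
    "SampledRequestsEnabled": true,
    "CloudWatchMetricsEnabled": true,
    "MetricName": "rate-limit-login-per-ip-example"
  }
}
```

Without the ScopeDownStatement the limit would apply to all requests from an IP, including cached static assets, making legitimate busy clients far more likely to trip it; starting with "Action": { "Count": {} } and reading the CloudWatch metric is the usual way to tune the Limit before switching to Block.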

AWS Shield

  • Protects from DDoS attacks
  • Standard
    • Free service for every AWS customer
    • Protects against SYN/UDP floods, reflection attacks and other layer 3/4 attacks
  • Advanced
    • Optional DDoS mitigation service ($3000 per month per organization)
    • Protect against more sophisticated attacks on EC2, ELB, CloudFront, Global Accelerator and Route 53
    • 24/7 access to AWS DDoS response team
    • Protect against higher fees during usage spikes due to DDoS
    • Automatic application layer DDoS mitigation automatically creates, evaluates and deploys WAF rules to mitigate layer 7 attacks

AWS Firewall Manager

  • Manage rules in all accounts of an AWS Organization
  • Define a security policy which is a common set of security rules
  • Rules are applied automatically to newly created resources across all current and future accounts in the organization, which is good for compliance

WAF vs. Firewall Manager vs. Shield

  • All of them are used together for comprehensive protection
  • Define Web ACL in WAF
  • WAF provides granular protection of resources
  • To use WAF across all accounts, accelerate WAF configuration and automate protection of new resources, use Firewall Manager as well
  • Shield Advanced adds additional features such as dedicated support from a response team and advanced reporting
    • Consider this tier if you're prone to frequent DDoS attacks

Best Practices for DDoS Resiliency

  • Edge location mitigation:
    • CloudFront
      • Web app delivery at edge
    • Global Accelerator
      • Access app from edge, integrate with Shield for DDoS protection
    • Route 53
      • Domain name resolution at edge
  • DDoS mitigation:
    • Infrastructure layer defense
      • Protect EC2 against high traffic
    • EC2 with auto scaling
      • Helps scale in case of sudden traffic surges
    • Elastic load balancing
      • Scales with traffic and will distribute the traffic to the many EC2 instances
  • Application layer defense:
    • Detect and filter malicious web requests
      • Cache static content and serve from edge, protecting backend
      • Rate-based rules to automatically block IPs of bad actors
      • Block specific geographies
    • Shield advanced
      • Automatic application layer DDoS mitigation to deploy WAF rules to mitigate layer 7 attacks
  • Attack surface reduction:
    • Obfuscating AWS resources
      • Use CloudFront, API Gateway, ELB to hide backend resources
    • Security groups and Network ACLs
      • Filter traffic based on specific IP at the subnet or ENI-level
      • Elastic IP are protected by Shield Advanced
    • Protecting API endpoints
      • Hide EC2 instances, Lambda functions, etc. behind other resources
      • Use WAF and API Gateway for burst limits, filtering headers and use of API keys

GuardDuty

  • Intelligent threat discovery to protect your AWS account
  • Uses ML algorithms for anomaly detection and 3rd party data
  • 30-day trial
  • Input data includes CloudTrail Events logs, VPC flow logs, DNS logs and optional features (EKS audit logs, RDS, Aurora, EBS, Lambda, S3 Data Events, etc.)
  • Can set up EventBridge rules to be notified in case of findings
  • EventBridge rules can target AWS Lambda or SNS
  • Can protect against cryptocurrency attacks

Inspector

  • Performs automated security assessments
  • EC2 instances
    • Leverages the AWS Systems Manager (SSM) agent
    • Analyze against unintended network accessibility and the running OS against known vulnerabilities
  • Container Images pushed to ECR
    • Assess images as they are pushed
  • Lambda functions
    • Identifies software vulnerabilities in function code and package dependencies
    • Assessment of functions as they are deployed
  • Integrates with AWS Security Hub for reporting
  • Sends findings to EventBridge

Macie

  • A fully managed data security and privacy service using ML and pattern matching to discover and protect your sensitive data
  • Helps identify and alert you to sensitive data such as personally identifiable information