AWS_Security - kamialie/knowledge_corner GitHub Wiki


Identity Federation options:

  • SAML 2.0
  • Custom Identity Broker
  • Web Identity Federation with Cognito
  • Web Identity Federation without Cognito
  • Single Sign On
  • non-SAML with AWS Microsoft AD

Identity and Access Management

Docs

Each account has only one root user, which has full access to all AWS resources.

IAM objects:

Credentials Report - list of all account's users and the status of their credentials.

Access Advisor - shows, for each service, the permissions granted and when they were last used, at user, group, role, or policy level. Shows only the current state and tracks the last 365 days. Useful for identifying unused and unnecessary policies.

By default, even an IAM user with full access does not have access to the account's billing information. The root user can enable this in My Account settings.

User

A User object represents a person or service with a unique name or identifier. A user can belong to multiple groups.

Federated users are existing enterprise or social users, e.g. from Active Directory or Facebook. The identity management solution must support SAML 2.0 or one of AWS's federation samples.


Group

Group object is a collection of users (can not contain other groups). One or more policies can be attached to a group.


Role

A Role object contains a set of permissions in the form of attached policies and a list of entities that can assume it, e.g. users, AWS services, etc.

When an entity assumes a role, it gives up its previous permissions for the duration of the session and acts with the role's permissions only. Best practice is to use roles to grant temporary access. Roles can be used as an extra security layer inside the same account or to grant cross-account access.


Policy

A Policy object is a JSON document that explicitly lists permissions. It can be attached to a user, group, role, or resource; an inline policy is embedded directly in a single principal or resource and cannot be reused. When policies conflict, the least permissive result applies.

Amazon Resource Name (ARN) - unique name that every resource has. Missing parts are assumed to be defaults (e.g. arn:aws:ec2:::instance/instance-id).

Structure:

  • Effect - allow or deny the specified action(s)
  • Action - list of service-level action(s) in the noun:verb (service:action) form, e.g. s3:ListBucket
  • NotAction - matches any action except the specified ones
  • Resource - list of resources (ARNs) within services
  • NotResource - with an allow effect applies to all resources except the listed ones; with a deny effect affects all resources that are not listed
  • Condition - optional; can require MFA, an IP range, a time window, etc; consists of a key (not case-sensitive) and a value (case-sensitive)

Policy types:

  • identity-based
  • resource-based
  • organization service control
  • ACL

Managed policy versioning can save up to 5 versions. If maximum is reached, one has to be removed explicitly. Newer version becomes the default (can be changed to previous ones). Default version can not be deleted (first make another one the default).

Each policy has the following summary structure:

  • policy summary - list of services and summary of permissions defined by the policy
  • service summary - list of actions and summary of permissions defined by the policy for the chosen service
  • action summary - list of resources and associated conditions that apply to the chosen action

Policy simulator - users need appropriate permissions to use the simulator. Policies can be edited inside the simulator without affecting the actual environment.

Condition operators (not all):

  • StringEquals
  • StringNotEquals
  • StringEqualsIgnoreCase
  • StringNotEqualsIgnoreCase
  • StringLike
  • StringNotLike

Condition objects (not all):

  • aws:SourceIp - IP address of the client making the request
  • aws:RequestedRegion - target region of the API request

Tag based security:

"Condition": {
    "StringEquals": {
        "ec2:ResourceTag/Project": "ProjectName",
        "aws:PrincipalTag/Team": "TeamName"
    }
}

Enforce MFA:

"Condition": {
    "BoolIfExists": {"aws:MultiFactorAuthPresent": "true"}
}
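To see how the operators above behave, here is a small evaluator (an added example, not the page's or AWS's code) that implements the listed String operators plus Bool/BoolIfExists over a request-context dict. It compares the Bool and BoolIfExists forms of the MFA condition against a constructed request signed with long-term access keys, where the aws:MultiFactorAuthPresent key is absent: BoolIfExists treats the missing key as satisfied, so inside an Allow statement it also admits the non-MFA request.

```python
import fnmatch

def _positive(op, expected, actual):
    """Apply one non-negated operator to one expected value."""
    if op.startswith("String"):
        if op.endswith("IgnoreCase"):
            expected, actual = expected.lower(), actual.lower()
        return fnmatch.fnmatchcase(actual, expected) if "Like" in op else expected == actual
    if op == "Bool":
        return str(expected).lower() == str(actual).lower()
    raise ValueError(f"unsupported operator: {op}")

def condition_matches(condition, context):
    """True when every operator/key pair of an IAM Condition block is satisfied by the
    request context (dict of condition key -> string value)."""
    for op, pairs in condition.items():
        if_exists = op.endswith("IfExists")
        base = op[:-len("IfExists")] if if_exists else op
        negated = base.startswith("StringNot")
        for key, expected in pairs.items():
            # Condition keys are case-insensitive; values keep their case
            actual = next((v for k, v in context.items() if k.lower() == key.lower()), None)
            if actual is None:
                if if_exists:
                    continue            # absent key satisfies any ...IfExists operator
                return False            # absent key fails a plain operator
            values = expected if isinstance(expected, list) else [expected]
            hits = [_positive(base.replace("Not", "", 1), e, actual) for e in values]
            if not (not any(hits) if negated else any(hits)):
                return False
    return True

# Condition blocks from this page, plus an Allow guarded by BoolIfExists for comparison
TAG_CONDITION = {"StringEquals": {"ec2:ResourceTag/Project": "ProjectName",
                                  "aws:PrincipalTag/Team": "TeamName"}}
MFA_BOOL = {"Bool": {"aws:MultiFactorAuthPresent": "true"}}
MFA_BOOL_IF_EXISTS = {"BoolIfExists": {"aws:MultiFactorAuthPresent": "true"}}

# Constructed request contexts: aws:MultiFactorAuthPresent is absent entirely when the
# caller signs with long-term access keys, so only the session context carries it.
ACCESS_KEY_REQUEST = {"aws:RequestedRegion": "eu-west-1"}
MFA_SESSION_REQUEST = {"aws:MultiFactorAuthPresent": "true", "aws:RequestedRegion": "eu-west-1"}

if __name__ == "__main__":
    for name, cond in [("Bool", MFA_BOOL), ("BoolIfExists", MFA_BOOL_IF_EXISTS)]:
        print(f"{name:13} access-key request -> {condition_matches(cond, ACCESS_KEY_REQUEST)}")
        print(f"{name:13} MFA session        -> {condition_matches(cond, MFA_SESSION_REQUEST)}")
```

The pairing that denies access to requests lacking MFA is therefore a Deny statement with BoolIfExists and "false", not an Allow with "true".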

Permission boundary is an advanced IAM feature that defines the maximum permissions a user or role can have (not supported for groups). The principal's effective permissions are the intersection of its identity policies and the boundary.

Policy evaluation logic

Key Management Service

Encryption key management.

Keys are bound to a specific region. Up to 4KB of data can be encrypted per call. For data larger than 4KB use envelope encryption.

Key options:

  • AWS Managed - free
  • User created key - $1/month
  • User imported key (must be 256-bit symmetric) - $1/month

CMK (Customer Master Key) types:

  • symmetric (AES-256) - client never gets access to the key, only to KMS APIs
  • asymmetric (RSA and ECC) - public/private pairs; client can download public key, but there is no access to private one - public key can be distributed to users that don't have access to KMS API

When a snapshot of any service is copied across regions, a new key (in the destination region) must be specified to encrypt the copy.

In envelope encryption the CMK is used to generate, encrypt and decrypt the data key (also called the envelope key), which in turn encrypts the actual data. Only the small data key travels to KMS over the network, instead of the bulk data.

Access management

Key administrators are principals that can manage the key but not use it for cryptographic operations. However, those principals can grant themselves permission to use it as well. Key usage permissions list the principals that can encrypt and decrypt with the key. Together these settings generate the key (resource) policy.

To perform an operation with a KMS key, a principal needs an IAM policy allowing the API call and must be granted access in the key policy. The default key policy grants access to the account root, which in effect allows IAM policies within the account to grant key access. For a cross-account snapshot copy, the target account must be able to use the source KMS key.


Key rotation

Automatic key rotation can be enabled only for customer managed symmetric key (happens once a year). Does not change the CMK ID, just the backing key. Previous versions are stored to decrypt files that were encrypted previously.

Keys can be rotated manually. This also changes the CMK ID. Alias helps to hide the change for applications and clients using the key.


CLI

# Encrypt content of specified file, returns the ciphertext blob in base64
# For key id can use alias, id or full ARN; fileb:// passes the file as raw binary
aws kms encrypt --key-id alias/<alias> --plaintext fileb://<file_path> --output text --query CiphertextBlob > encrypted.base64

# Decrypt encrypted text, returns original text in base64
# Info about the key that was used to encrypt the text is included in the blob, so no key id is needed;
# the blob must be passed as raw binary, hence the base64 decode first
base64 --decode encrypted.base64 > encrypted.bin
aws kms decrypt --ciphertext-blob fileb://encrypted.bin --output text --query Plaintext > decrypted.base64
base64 --decode decrypted.base64 > decrypted.txt

# Enable automatic key rotation and check the status (these key-management calls take a key id or key ARN, not an alias)
aws kms enable-key-rotation --key-id <key_id>
aws kms get-key-rotation-status --key-id <key_id>

# Generate data key for encrypting data over 4KB; returns the plaintext key and the same key wrapped under the CMK (CiphertextBlob)
aws kms generate-data-key --key-id alias/<alias> --key-spec AES_256

Cognito

Authentication and authorization provider for web and mobile applications.

Provides UI components for many platforms. Enables controlled access to AWS resources. Has support for identity federation (Google, Amazon, Facebook, Microsoft Active Directory, SAML 2.0).

Also tracks association between user identity and various devices. State across all devices is synced using push synchronization (SNS under the hood).

User Pools

Provides a user directory (with user profiles) that clients can use to sign in to web and mobile apps. Users can also sign in through social identity providers (Facebook, Google, SAML 2.0, etc). Provides the client a JWT upon authentication.

Some features:

  • built-in, customizable UI for many platforms
  • email/phone verification
  • MFA

Integrates with API Gateway for authentication.


Identity Pools

Also called federated identities; allows creating unique identities for users and federating them with identity providers, such as Facebook, Google, Cognito User Pools, SAML, etc. It then provides temporary AWS credentials to access AWS resources directly.


Sync

Used to synchronize data from a device to Cognito. Soon to be replaced by AppSync.

Stores preferences, configurations and app state and synchronizes them across platforms (iOS, Android, etc). Also supports offline use: changes made while the client was offline are synchronized when it comes back online. Requires a Federated Identity Pool in Cognito. Stores data in datasets (max 1MB each), up to 20 datasets to synchronize.

Security Token Service

Provides limited and temporary access to AWS resources. Token is valid up to one hour (minimum 15 minutes).

Important APIs:

  • AssumeRole - provide credentials within same account or cross-account
  • AssumeRoleWithSAML - provide credentials for users logged in with SAML
  • AssumeRoleWithWebIdentity - provide credentials for users logged in via a web identity provider (not recommended, use Cognito instead); the AssumedRoleUser section contains Arn and AssumedRoleId fields, which are used to reference the temporary credentials (not related to IAM resources)
  • GetSessionToken - set of credentials for MFA

SSM Parameter Store

Secure storage for configurations and secrets.

Integrated with KMS, CloudWatch Events, CloudFormation. Provides versioning, management using path (hierarchy).

Tiers (limits per account and region):

  • Standard - 10,000 parameters, 4KB max size each
  • Advanced - 100,000 parameters, 8KB max size each

The Standard tier is free: no storage charge and free Standard Throughput (High Throughput is available at extra cost). The Advanced tier is charged for both storage and API requests.

Advanced tier also provides parameter policy - assign a TTL to a parameter to enforce updating or deleting it. There are 3 types of policies:

  • Expiration - delete parameter at a specified date
  • ExpirationNotification - notify (CloudWatch Events) about deletion specified amount of time before expiration date
  • NoChangeNotification - notify (CloudWatch Events) that parameter hasn't changed for specified amount of time after creation or last update

# Retrieve param store value
$ aws ssm get-parameters --names <full_path_1> <full_path_2>

# Retrieve encrypted param store value
# If user has associated permissions to the encryption key, then the decrypted value is returned
$ aws ssm get-parameters --with-decryption --names <full_path_1>

# Retrieve all parameters under specified path
# Add optional --recursive parameter to retrieve child paths
$ aws ssm get-parameters-by-path --path <parent_path>

Other services

AWS Certificate Manager

Creates and manages Secure Sockets Layer and Transport Layer Security certificates. Integrates with ELB, CloudFront, API Gateway, and web apps.


Artifact

On-demand access to AWS security and compliance reports.

  • Agreements - review, accept and manage agreements for an individual or all accounts in AWS Organizations
  • Reports - provides compliance reports from third-party auditors

Cloud Hardware Security Module

Cloud-based hardware security module (AWS provisions it) that enables you to generate and use your own encryption keys. Supports both symmetric and asymmetric encryption. Does not provide free tier.

Integrates with Redshift and can be used as SSE-C option for S3.

Requires the CloudHSM client software to interact with the service. IAM manages CRUD operations on the cluster itself, while the client software is used to create HSM users and assign their permissions.

Operates as a HA cluster deployed in a VPC.


Directory service

  • AWS Managed Microsoft AD - your own AD in AWS; can establish "trust" connection with on-prem AD - users are shared between 2 instances of AD; supports MFA
  • AD Connector - Directory Gateway (proxy) to redirect to on-prem AD
  • Simple AD - AD-compatible managed directory on AWS (can not join Microsoft AD)

GuardDuty

Intelligent threat detection for AWS infrastructure and resources (continuous monitoring of network and account activity).

Input data includes CloudTrail logs, VPC flow logs, and DNS logs. CloudWatch Event rules can be set up to notify about findings.


Inspector

Automated security assessments (best practices) for EC2 instances. Analyzes running OS against known vulnerabilities. Inspector agent must be installed - connects to Inspector service. Generates a report with vulnerabilities and can send notifications to SNS.

Assessment types (use AWS standards or define custom ones):

  • network - network reachability (agentless)
  • host - up to date patches, common configuration errors, vulnerabilities

Macie

Data security and privacy management powered by machine learning.

Analyzes data stored in S3. Detects personal data and intellectual property. Provides dashboards showing how data is accessed and stored. Can notify unusual data access through EventBridge.


Secrets Manager

Provides a secure way to integrate credentials, API keys, tokens, etc. Has native integration with RDS, DocumentDB, and Redshift. Can auto-rotate credentials. Allows fine-grained access control to secrets.

RDS secrets include username/password, server address, and database name and port.

Secrets can auto-rotate after specified number of days and get automatically generated by Lambda on rotation. SecretsManager can create this Lambda function, which can also be reused later.


Shield

DDoS protection service.

Standard option is automatically enabled and free; protects resources from the most common, frequently occurring types of attacks.

Advanced option is a paid service that provides detailed attack diagnostics (network and transport layer). Can be integrated with CloudFront, Route 53, ELB, EC2 and WAF. Also provides financial protection against DDoS-related spikes in AWS service charges and 24/7 access to the DDoS Response Team (DRT).


Single Sign-On

Central portal to manage SSO to multiple AWS accounts and 3rd party apps. Integrates with Organizations and on-prem Active Directory, and supports SAML 2.0.

Provides centralized permission management and auditing (CloudTrail).


Web Application Firewall

Monitors HTTP(S) requests and protects against common web exploits at layer 7.

Can be deployed on CloudFront, ALB, and API Gateway, and has similar functionality to ACLs. Can protect from SQL injection and Cross-Site Scripting (XSS).

Web ACL defines rules that include IP addresses, HTTP headers, body and URI strings. Rules can also set maximum size of a request, geo-restriction and rate-based restriction (DDoS protection).

AWS developer guide

Firewall Manager manages rules across all accounts in an Organization:

  • common set of security rules
  • WAF rules
  • Shield Advanced
  • Security Groups