AWS Security Notes 1 - keshavbaweja-git/guides GitHub Wiki

Build a fast, scalable, secure, well-monitored, DDoS protected application.

Using Amazon CloudFront for fast, secure content delivery.
Creating a firewall with AWS WAF to counter any exploits
Using AWS Shield for comprehensive DDoS protection
Security automation

Layered perimeter protection

CloudFront: Cloud Delivery Network - a network of data servers that is distributed globally and reduces latency for customers. Accelerates static (images, CSS, HTML), streaming media and dynamic content. Adds security layer. CloudFront is compliant with many industry standards - PCI-DSS, HIPPA, GDPR.

Users -> Local Edge Locations -> Regional Edge Cache -> Application Origin

User -> Local ISP DNS Resolver -> Recursive DNS Name Servers -> Route 53 -> CloudFront DNS. CloudFront DNS then identifies and returns optimal edge location based on user location and network congestion.

Edge Locations have layered caches - L1, L2, L3. -> Regional Cache -> Application Origin

Dynamic content(HTTP/REST APIs, WebSocket protocol) is not cached, CloudFront accelerates the request for dynamic content through AWS network backbone.

CloudFront also terminates TLS handshakes, reducing roundtrip time for these handshakes.

CloudFront support for domain names

Default CloudFront domain name with CloudFront certificate shared across customers.
Custom domain names with customer certificate
- SNI (Server Name Extension)
- Dedicated IP

Securing CloudFront

Signed URLs
Signed cookies
Geo Restriction
Restrict external access to origin
- S3 Origin Access Identity: Prevent direct access to Amazon S3 bucket
- Custom origin Security Groups: Whitelist only CloudFront IP range

Automatically update an ALB/EC2 security group for CloudFront using AWS Lambda - As new IP addresses are added to CloudFront network, an event is fired, triggering a Lambda which updates ALB/EC2 security groups.

Web Application Firewall

Route 53 -> Shield -> WAF & Firewall Manager -> CloudFront -> ALB -> EC2

Volumetric attacks, application attacks Short lived attacks are more frequent Large DDoS attacks are increasing in size 1.8 Tbps Application vulnerabilities, Malicious BOTs

Using WAF to filter out common and customer specific attacks

Set up foundational security easily
Customize security for applications
Visualize and analyse security rules for feedback
Automate for dynamic security

AWS WAF Foundational security

CloudFormation Templates
Managed Rules for AWS WAF: Available in Marketplace, created by security experts, with pay as you go model
Choice of protection rules
- OWASP Top 10
- Common Vulnerabilities and Exposures (CVE)
- BOT protection
- IP reputation lists
- CMS rules (Wordpress, Joomla)
- Apache & Nginx vulnerabilites

AWS WAF is powerful rule language framework that allows creation and customization of security rules

Analyse WAF security rules

CloudWatch Metrics on rules - Counted, Allowed|Blocked
Detailed logs of a sample of requests, available for every rule
Set alarms for notifications
Ingest full logs via Firehose, ability to redact sensitive fields

Lambda based AWS WAF automations

Bad BOTs, known attacks - AWS WAF Security Automations
Guard Duty findings - Automate Threat Mitigation using AWS WAF and Amazon GuardDuty

AWS Firewall Manager (Config based rule policies)

Manage WAF security rules across accounts by defining policies
Customize policy scope to resource type and accounts
Ensure compliance to mandatory rules across organization
Enable rapid response to attacks
AWS Firewall Manager plugs into AWS Config to retrieve security rule policies

AWS Shield

AWS Shield for comprehensive DDoS attack prevention, friction less with minimum architectural changes, identifies and mitigates 1000s of DDoS attacks within 1 min

Low operational overhead for known and edge cases

Global Threat Environment Dashboard

AWS Shield Advanced provides you with AWS WAF and Firewall manager at no additional cost, cost protection for scaling

Layer 3/4 protection for all

Baseline and anomaly detection across all AWS accounts
Mitigation with proprietary packet filtering stacks using suspicion based scoring
Automatic defense against most common network and transport layer DDoS attacks

Shield Advanced

Customer specific attack detection and mitigation
Layer 7 attacks
24*7 access to DDoS Response Team

Other architectures

Serverless API
- AWS WAF -> API Gateway
TCP traffic
- AWS Shield Advanced -> AWS Global Accelerator + Network Load Balancer
- Granular detection thresholds (based on backend infrastrcuture)
- Pre configured, customized mitigation templates
- Network ACLs on the perimeter/
UDP traffic
- AWS Shield Advanced -> AWS Global Accelerator + Network Load Balancer

AWS Global Accelerator

Global Load Balancing across regions with anycast routing and fine grained controls

VPC Ingress Routing

More granular access control in VPC
deploy 3rd party appliances in VPC for access control
Security groups provide access control
Firewall between On Premises and AWS infra
For compliance requirements, intrusion detection in VPC
Centralize security appliance
Middle box appliances in transparent mode - no address translation
Route table associated with Internet Gateway, which also acts as NAT Gateway

AWS site to site VPN

Easy to set up, equipment is usually already available
Fully managed, HA, VPN termination endpoints at AWS end
Two VPN tunnels per one VPN connection terminating in different AZs
IPSec site to site tunnel, AWS 256, SHA2
Charged per hour per VPN connection
Static VPN: Policy or route based
Dynamic VPN
- Route based
- Dynamic Routing (BGP)
- Certificate based authn
Virtual Private Gateway
- Name
- ASN (BGP Identifier)
Define Customer Gateway
- Name
- ASN
- Dynamic/Static
- IP Address
Create VPN connection - two tunnels across two AZs
Update Route Table in VPC to route On Premises traffic to VPN Gateway
1 VPN tunnel = 1.25 Gbps

AWS Transit Gateway

Attach multiple VPCs
Attach VPN connection
Route tables, route On Premises traffic to Transit Gateway
High Availability on customer side is easier to manage

AWS Accelerated site to site VPN

Typically a VPN connection runs over Internet - latency, packet loss, Jitter
Improves VPN performance by routing over AWS network

AWS Direct Connect

Dedicated physical connection into AWS global network
Identify one of 100+ Direct Connect location
AWS router in that location has a port provisioned
If Customer route is already present, set up routing
Link aggregation group between AWS router and customer router
Multiple locations with multiple connections
Virtual Private Gateway <-> AWS Router

Amazon Route 53 Resolver

Private Hosted Zones on AWS and On Premises
Managed DNS Resolver service from Route 53
Enables hybrid DNS resolution over AWS Direct Connect and Managed VPN
Create conditional forwarding rules to redirect query traffic
Private Hosted Zone: Instance -> Amazon Route 53 Resolver -> has access to all Private Hosted Zone associated with VPC, if DNS is not found in any of the private hosted zone, query is routed to internet
A Private Hosted Zone can be associated with multiple VPCs, cross account VPC can be associated via CLI/API only

How to resolve DNS queries for private hosted zones in AWS VPC from On Premises?

Deploy Route 53 Resolver Inbound Endpoint
Queries from On Premises are forwarded to R53 Resolver Inbound Endpoint
R53 Resolver Inbound Endpoint queries private hosted zone for address resolution

How to resolve DNS queries for private hosted zones in On Premises from AWS VPC?

Directing EC2 instance to On Premises DNS Resolver is a bad idea
Loss of visibility of private hosted zones in VPC
DNS resolution is completely dependent on VPN connection, which is a single point of failure
Add forwarding rule in R53 Resolver
Create R53 Resolver Outbound ENI
Resource Access Manager: Share resources - security groups, resolver rules, R53 resolver endpoints, transit gateways across VPCs
AWS Client VPN