AWS Security Notes 2 - keshavbaweja-git/guides GitHub Wiki
- create-assessment-template
- create-assessment-target
- start-assessment-run
- stop-assessment-run
- sign: Sign a message or message digest using the private key of an asymmetric KMS key
- `aws:SourceVpce`
- `aws:RequestTag/${TagKey}`
- `s3:RequestObjectTag/<key>`
- `s3:RequestObjectTagKeys`
- `aws:TagKeys`
- `aws:ResourceTag/${TagKey}`
- `s3:LocationConstraint`
- `"s3:x-amz-server-side-encryption": "AES256"`
- `"s3:x-amz-server-side-encryption": "aws:kms"`
- import-key-pair (imports a third party public key into AWS, not on an EC2 instance)
- `kms:ViaService`: limits the use of a KMS key to requests that come from the specified AWS services on the user's behalf.

```json
"Condition": {
    "StringEquals": {
        "kms:ViaService": [
            "ec2.us-west-2.amazonaws.com",
            "rds.us-west-2.amazonaws.com"
        ]
    }
}
```
- `"Bool": {"kms:GrantIsForAWSResource": true}`: allows or denies permission for CreateGrant, ListGrants and RevokeGrant only when an AWS service integrated with KMS calls the operation on the user's behalf.
AWS Encryption SDK is a client-side encryption library designed to make it easy for everyone to encrypt and decrypt data using industry standards and best practices. It enables you to focus on the core functionality of your application, rather than on how to best encrypt and decrypt your data. The AWS Encryption SDK is provided free of charge under the Apache 2.0 license. Data key caching stores data keys and related cryptographic material in a cache. When you encrypt or decrypt data, the AWS Encryption SDK looks for a matching data key in the cache. If it finds a match, it uses the cached data key rather than generating a new one. Data key caching can improve performance, reduce cost, and help you stay within service limits as your application scales.
If you lose the private key for an EBS-backed instance, you can regain access to your instance. You must stop the instance, detach its root volume and attach it to another instance as a data volume, modify the authorized_keys file with a new public key, move the volume back to the original instance, and restart the instance.
If you have access to the private key of the key pair that was used to launch the instance:
- Use the `EC2Launch` service for Windows Server 2016 or later
- Use the `EC2Config` service for Windows Server 2012 R2 or earlier
- Use the AWS Systems Manager `AWSSupport-ResetAccess` Automation document

- Option 1: You can use the AWS Systems Manager `AWSSupport-ResetAccess` Automation document.
- Option 2: You can create an Amazon Machine Image (AMI) of the existing instance, launch a new instance, and then select a new key pair.
- `AWS_KMS`
- `EXTERNAL`
- `CLOUD_HSM`
- Customer managed: 1 year automated, if enabled
- Customer managed - external key material origin, custom key store (CloudHSM): Manual
- AWS managed: 3 years automated
- AWS owned: Varies
- Create a symmetric KMS key with no key material: `aws kms create-key --origin EXTERNAL`. The KMS key's origin value will be set to `EXTERNAL`. When AWS KMS generates the key material, the origin value is set to `AWS_KMS`. A KMS key with no key material is in the `pending import` state and is not available for use.
- Download public key and import token. Import token is valid for 24 hours.
- Generate key material. Encrypt key material and import token using public key downloaded in step 2.
- Import the encrypted key material, import token will also need to be specified
- Deleting imported key material: When you import key material, you can specify an expiration date. When the key material expires, AWS KMS deletes the key material and the KMS key becomes unusable. You can also delete key material on demand. The key state changes to `pending import` once the key material has been deleted.
AWS KMS supports multi-Region keys, which are AWS KMS keys in different AWS Regions that can be used interchangeably – as though you had the same key in multiple Regions. Each set of related multi-Region keys has the same key material and key ID, so you can encrypt data in one AWS Region and decrypt it in a different AWS Region without re-encrypting or making a cross-Region call to AWS KMS.
Like all KMS keys, multi-Region keys never leave AWS KMS unencrypted. You can create symmetric or asymmetric multi-Region keys for encryption or signing, and create multi-Region keys with imported key material or key material that AWS KMS generates. You must manage each multi-Region key independently, including creating aliases and tags, setting their key policies and grants, and enabling and disabling them selectively. You can use multi-Region keys in all cryptographic operations that you can do with single-Region keys.
You can use multi-Region keys with client-side encryption libraries, such as the AWS Encryption SDK, the DynamoDB Encryption Client, and Amazon S3 client-side encryption.
Multi-Region keys are not global. You create a multi-Region primary key and then replicate it into Regions that you select within an AWS partition. Then you manage the multi-Region key in each Region independently. Neither AWS nor AWS KMS ever automatically creates or replicates multi-Region keys into any Region on your behalf. AWS managed keys, the KMS keys that AWS services create in your account for you, are always single-Region keys.
You cannot convert an existing single-Region key to a multi-Region key. This design ensures that all data protected with existing single-Region keys maintains the same data residency and data sovereignty properties.
For most data security needs, the Regional isolation and fault tolerance of Regional resources make standard AWS KMS single-Region keys a best-fit solution. However, when you need to encrypt or sign data in client-side applications across multiple Regions, multi-Region keys might be the solution.
If a key is automatically rotated by KMS, it maintains a version of previous key material being rotated out. This allows KMS to decrypt data that was encrypted before key rotation.
For the `Decrypt` action with symmetric keys, there is no need to specify the KMS key ID: KMS automatically appends metadata to the ciphertext generated by encryption that allows it to identify the KMS key ID (and version).
The following actions can't be performed on keys with external key material origin:
- Automated rotation
- Manual deletion
- Export of key material
- Create a cross-account role that can be assumed by the 3rd party account.
- While creating the cross-account role, mandate that the 3rd party account provide an `EXTERNAL_ID`.
- Provide the cross-account role ARN to the 3rd party account.
```shell
# Generate the report, then poll for it with the returned job ID
aws iam generate-service-last-accessed-details \
    --arn <arn of user/group/role/policy>
aws iam get-service-last-accessed-details \
    --job-id <job id returned by generate-service-last-accessed-details>
aws iam get-service-last-accessed-details-with-entities \
    --job-id <job id returned by generate-service-last-accessed-details> \
    --service-namespace <service-name, like lambda>
```
- Configuration change
- Periodic: 1hr, 3hr, 6hr, 12hr, 24hr
- Cognito Identity Pools support unauthenticated identities, these can then be associated with an IAM role.
- Custom authentication challenges like CAPTCHA can be defined and associated with Lambda functions for logic implementation
- Integration with API Gateway
- Create a Cognito User Pools authorizer
- Configure a single-space-separated list of OAuth scopes on the API method
- You can create and manage a Private CA in ACM.
- ACM Private CA integrates with IAM policies
- You can generate an Audit report to list all the certificates that ACM has generated or revoked
- A Private CA in ACM is scoped to a single region; if you need HA, create multiple CAs in different regions
- ALB HTTPS listener supports multiple SSL certificates using SNI
- ACM allows you to import a self-signed certificate; you will need to provide the private key of the certificate as well
- To import a certificate signed by a non-AWS root CA, you will need to provide the certificate chain.
- A certificate must be valid at time of import
- All the required certificate material (certificate, private key, certificate chain) must be PEM encoded
- A certificate must be an SSL/TLS X.509 version 3 certificate. It must contain a public key, the fully qualified domain name (FQDN) or IP address for your website, and information about the issuer.
- A certificate must be imported in each region where it is intended to be used with an ALB; for associating with a CloudFront distribution the certificate must be imported in the us-east-1 region.
- WAF integrates with ALB, CloudFront, API Gateway, AppSync.
- WAF rule can be configured to: Allow | Deny | Count web requests based on conditions you define
- WAF managed rule groups come with a pre-configured action (Allow | Block | Count). You can override them to Count.
- WAF web ACL is comprised of rules and rule groups
- WAF web ACL can be configured to Allow or Deny all web traffic by default.
AWS blocks outbound traffic on port 25 (SMTP) of all EC2 instances and Lambda functions by default. If you want to send outbound traffic on port 25, you can request for this restriction to be removed.
To remove the port 25 restriction on your Lambda function, associate your function with an Amazon VPC. Then, give internet access to your Lambda function using a network address translation (NAT) gateway. The port 25 restriction can't be removed from non-VPC functions.
If you created a presigned URL using a temporary token, then the URL expires when the token expires. The URL expires even if the URL was created with a later expiration time.
The credentials that you can use to create a presigned URL include:
- IAM instance profile: Valid up to six hours.
- STS: Valid up to 36 hours when signed by an IAM user, or valid up to one hour when signed by the root user.
- IAM user: Valid up to seven days when using AWS Signature Version 4.
To allow users access to the objects in your Amazon S3 bucket for longer than seven days, then consider using one of these options:
- Amazon CloudFront signed URLs and cookies
- Amazon CloudFront origin access identity (OAI)
- Web identity federation with Amazon Cognito
Three different approaches can be used to allow the external account to gain access to the S3 bucket in the production account. This can be achieved by using either
- the bucket's ACL,
- the bucket's policy,
- Creating an IAM role in the production account that the customer from the external account can assume.
Implementing a solution using either the bucket's ACL or creating a bucket policy to allow the external account access to the production account's S3 bucket results in the copied object being owned by the external account and not the production account. The best-suited approach is to have the customer assume a role that provides the necessary permissions to copy objects to the S3 bucket. When the customer assumes the IAM role, the customer temporarily becomes an identity in the production account, which results in the copied object in the S3 bucket being owned by the production account.
- S3 buckets configured as static websites can only serve traffic over HTTP, SSL connection is not supported.
- A DNS CNAME record can be configured to point to the S3 website endpoint. A Route 53 public hosted zone allows the domain apex to point to the S3 website endpoint. This Route 53 behavior is an extension to the DNS standard, which requires that the domain apex point to an authoritative A record (IP address).
When you enable automatic rotation of an RDS password in Secrets Manager, the password is rotated immediately, so any applications still using embedded credentials will no longer have valid credentials.
Intrusion Detection Systems (IDS) monitor networks and/or systems for malicious activity or policy violations and report them to systems administrators or to a security information and event management (SIEM) system. Intrusion Prevention Systems (IPS) are positioned behind firewalls and provide an additional layer of security by scanning and analyzing suspicious content for potential threats.
- Following services are natively integrated with Parameter Store: EC2, Lambda, CloudFormation
- RDS is not natively integrated with Parameter Store
AWS Network Firewall is a stateful, managed, network firewall and intrusion detection and prevention service for Amazon Virtual Private Cloud (Amazon VPC). You can combine Network Firewall with services and components that you use with your VPC, for example an internet gateway, a NAT gateway, a VPN, or a transit gateway. You need a VPC to use Network Firewall.
The firewall protects the subnets within your VPC by filtering traffic going between the subnets and locations outside of your VPC. To enable the firewall's protection, you modify your Amazon VPC route tables to send your network traffic through the Network Firewall firewall endpoints.
- Trusted IP list
- Threat IP list
- Suppression rules (to suppress findings)
GuardDuty can detect if any of your EC2 instances are exhibiting unusual behaviour, for example if an EC2 instance is trying to connect to multiple ports over a short period of time, then it might be engaged in a possible port scan attack. The purpose of a port scan attack is to locate open ports to discover what services the machine is running and to identify its operating system.
Security administrators can leverage VPC flow logs to detect vulnerability scans against their network by checking for ping sweeps, port scans and other malicious activity associated with attempts to discover weaknesses in the network.
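As an added example (not from the original notes), the detection side of the two passages above: simple per-source heuristics for a port scan (many distinct destination ports) and a ping sweep (many ICMP destinations) over VPC Flow Log records in the default version-2 format. The log lines, addresses, thresholds and window size are constructed for illustration.

```python
from collections import defaultdict

# Default VPC Flow Log (version 2) record layout; for ICMP the two port fields
# carry the ICMP type and code instead of ports.
FIELDS = ("version", "account", "eni", "src", "dst", "srcport", "dstport",
          "proto", "packets", "bytes", "start", "end", "action", "status")


def _rec(src, dst, sport, dport, proto, start, action):
    """Build one constructed flow log line (sample data, not a real capture)."""
    return (f"2 123456789012 eni-0a1b2c3d4e5f60718 {src} {dst} {sport} {dport} "
            f"{proto} 1 44 {start} {start + 1} {action} OK")


# Constructed sample: a TCP port scan from 198.51.100.7, an ICMP echo sweep from
# 203.0.113.9 and three ordinary HTTPS flows from 192.0.2.50.
SAMPLE_LOG = "\n".join(
    [_rec("198.51.100.7", "10.0.1.12", 40123, p, 6, 1700000000 + i, "REJECT")
     for i, p in enumerate((21, 22, 23, 25, 80, 110, 135, 139, 443, 445, 3389, 8080))]
    + [_rec("203.0.113.9", f"10.0.1.{h}", 8, 0, 1, 1700000100 + h, "ACCEPT")
       for h in range(1, 11)]
    + [_rec("192.0.2.50", "10.0.1.12", 51000 + i, 443, 6, 1700000200, "ACCEPT")
       for i in range(3)]
)


def parse_flow_log(text):
    """Parse default-format records; skip header lines and unknown versions."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS) or parts[0] != "2":
            continue
        rec = dict(zip(FIELDS, parts))
        for key in ("srcport", "dstport", "proto", "start", "end"):
            rec[key] = int(rec[key])
        records.append(rec)
    return records


def detect_scans(records, port_threshold=10, host_threshold=8, window=60):
    """Tumbling-window heuristics per source address: a port scan is
    >= port_threshold distinct (dst, dst port) pairs over TCP/UDP inside one
    window; a ping sweep is >= host_threshold distinct ICMP destinations.
    Returns sorted (src, finding, count) tuples."""
    buckets = defaultdict(list)
    for r in records:
        buckets[(r["src"], r["start"] // window)].append(r)
    findings = set()
    for (src, _), recs in buckets.items():
        ports = {(r["dst"], r["dstport"]) for r in recs if r["proto"] in (6, 17)}
        icmp_hosts = {r["dst"] for r in recs if r["proto"] == 1}
        if len(ports) >= port_threshold:
            findings.add((src, "port_scan", len(ports)))
        if len(icmp_hosts) >= host_threshold:
            findings.add((src, "ping_sweep", len(icmp_hosts)))
    return sorted(findings)
```

The same functions run unchanged over real flow log exports in the default format; tune the thresholds to the traffic profile of the VPC before alerting on them.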
AWS Config generates configuration items when the configuration of a resource changes, and it maintains historical records of the configuration items of your resources from the time you start the configuration recorder.
- You can have CloudTrail deliver log files from multiple AWS accounts into a single Amazon S3 bucket. To accomplish this, turn on CloudTrail in the account that will own the destination bucket and configure the bucket policy to grant cross-account permission. Then turn on CloudTrail in the other accounts and configure all of them to log to the destination bucket. You cannot configure cross-account access using the bucket ACL.
- Using AWS CloudTrail, a user in a management account can create an organization trail that logs all events for all AWS accounts in that organization. Organization trails are automatically applied to all member accounts in the organization. Member accounts can see the organization trail, but can't modify or delete it. By default, member accounts don't have access to the log files for the organization trail in the Amazon S3 bucket. This helps you uniformly apply and enforce your event logging strategy across the accounts in your organization.
S3 does not support HTTPS for website endpoints. To enable custom domain and HTTPS for your S3 website, you would need a CloudFront distribution with S3 as the origin. You also need to configure CloudFront to use your domain certificates and configure Route 53 alias to point to your distribution.
- Allows access to S3 in the same region in which endpoint has been created
- AWS Directory Service Enterprise Edition: > 5000 users, integrated with SQL Server
- AWS Directory Service Standard Edition: <= 5000 users, not integrated with SQL Server
- AD Connector: Proxy service which forwards requests to on-premises AD. Small: <=500 users, Large: <=5000 users
- Can grant permissions only to other Accounts, not to individual users
- Does not support condition keys
- Only supports explicit allows, not explicit denys
- Can provide public access
AWS Client VPN is a fully managed service that provides customers with the ability to securely access AWS and on-premises resources from any location using OpenVPN based clients.
Using the ELB Security policy, you can specify the protocols and ciphers that are allowed for secure communication. AWS also provides a set of predefined policies that you can use (if that meets the needs), or you can create a custom policy. When you create a TLS listener, you must select a security policy.
Load balancers do not support resource-based IAM policies.
As part of the AWS Penetration Testing policy, customers can carry out security assessments or penetration tests against their AWS infrastructure without prior approval for eight services listed under permitted services. Testing must be limited to customer resources in permitted services. DoS or DDoS attacks of any kind are prohibited. AWS will send an abuse notification email if AWS receives an abuse report for activities related to the customer's security testing.
- Penetration testing: No approval is required to test eight permitted services including EC2, NAT gateways, ALBs, CloudFront, API Gateway, Lambda & Lambda@Edge, RDS, Aurora
- Stress testing: AWS approval is required before conducting Stress testing against your resources
- DDoS testing: This can only be performed by approved AWS Partners.
You cannot delete temporary credentials. So, the only way to deny access is to update the permission policy of the creator of the temporary credentials. Creator refers to the identity that was used when calling STS APIs to generate the temporary credentials. In the case of a role, you can attach a deny-all policy to the role. If a user identity was used to generate the temporary credentials, you can attach a deny-all policy to the user. You can also deny access based on time. For example, you can attach a deny-all policy that applies only if the temporary credential was issued before a specific time (using the aws:TokenIssueTime condition key).
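As an added example (not from the original notes), a minimal evaluator for the three condition patterns these notes use: `kms:ViaService` with `StringEquals`, `kms:GrantIsForAWSResource` with `Bool`, and the session-revocation `Deny` keyed on `aws:TokenIssueTime` with `DateLessThan`. The policy statements, request contexts and cut-off time are constructed, and only these three operators and single-action statements are modelled; real IAM evaluation has many more rules.

```python
from datetime import datetime, timezone

# Constructed policy statements mirroring the notes (not real account policies).
KMS_VIA_SERVICE = {
    "Effect": "Allow", "Action": "kms:Decrypt", "Resource": "*",
    "Condition": {"StringEquals": {"kms:ViaService": [
        "ec2.us-west-2.amazonaws.com", "rds.us-west-2.amazonaws.com"]}},
}
GRANT_FOR_AWS_RESOURCE = {
    "Effect": "Allow", "Action": "kms:CreateGrant", "Resource": "*",
    "Condition": {"Bool": {"kms:GrantIsForAWSResource": "true"}},
}
# Deny everything for sessions whose credentials were issued before the cut-off.
REVOKE_OLD_SESSIONS = {
    "Effect": "Deny", "Action": "*", "Resource": "*",
    "Condition": {"DateLessThan": {"aws:TokenIssueTime": "2024-05-01T12:00:00Z"}},
}


def _parse_time(value):
    """Condition timestamps are ISO 8601 UTC, e.g. 2024-05-01T12:00:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def condition_matches(condition, context):
    """Return True when every operator/key pair matches the request context.
    A key missing from the context never matches: a direct call to KMS has no
    kms:ViaService, and long-term IAM user credentials carry no
    aws:TokenIssueTime, so the revocation Deny only hits temporary sessions."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if actual is None:
                return False
            allowed = expected if isinstance(expected, list) else [expected]
            if operator == "StringEquals":
                if actual not in allowed:
                    return False
            elif operator == "Bool":
                if str(actual).lower() != str(allowed[0]).lower():
                    return False
            elif operator == "DateLessThan":
                if not _parse_time(actual) < _parse_time(allowed[0]):
                    return False
            else:
                raise ValueError(f"operator {operator} not modelled in this example")
    return True


def statement_effect(statement, action, context):
    """Return the statement's Effect if it applies to this request, else None."""
    if statement["Action"] not in ("*", action):
        return None
    if not condition_matches(statement.get("Condition", {}), context):
        return None
    return statement["Effect"]
```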
The client that initiates the request chooses the ephemeral port range. The range varies depending on the client's operating system.
AWS Config can monitor IAM resources and ensure they comply with the defined baseline. Non-compliant resources are flagged, and you can view the compliance timeline and change timeline. AWS Config uses CloudTrail log events to pinpoint how the permissions were modified; Config itself is responsible for determining whether the change is appropriate and complies with the configured baseline.
| Security Group | NACL |
|---|---|
| Only Allow rules | Allow and deny rules |
| Stateful | Stateless |
| Instance, ALB level | Subnet level |
| No. of rules: 300, can be increased to 1000 | 40 rules |
AWS Config (monitors Security Groups, NACLs) => AWS Config => Configuration change CW event => Amazon Inspector network assessment.
- SSM Agent needs to be installed in the instance, and it needs to be running to register the instance with the systems manager.
- The SSM Agent needs permission to talk to the SSM Service, and the permission is granted using IAM Roles.
- If the instance is not in a public subnet, you need to add SSM service-specific endpoints to the VPC. Once the instance is registered, Systems Manager will track and manage the instance.
Each EC2 instance performs source/destination checks by default. This means that the instance must be the source or destination of any traffic it sends or receives. However, a NAT instance must be able to send and receive traffic when the source or destination is not itself. Therefore, you must disable source/destination checks on the NAT instance.
Use Resource Access Manager to share AMIs across accounts and OUs.
- Cross-region load balancing. CloudFront does not support region based origins. Route 53 DNS resolution is slower to respond to change (DNS cache and TTL) in comparison with Global Accelerator which evaluates each request for traffic routing.
- Global Accelerator with its distributed edge network can block certain types of DDoS attacks and let only valid requests go through to your application.
- Two Static IP addresses to access your global service,
- Hides infrastructure as your load balancer can be private,
- Responds instantaneously to changes in health and traffic conditions,
- Request from edge travels in AWS Global network and not public internet
- Client affinity
- AWS Shield can be integrated, AWS WAF can't
- Bring your own IP
- Traffic shaping: Endpoint groups + Traffic dial
- Traffic shaping: Endpoint within an endpoint group + Weight