CP‐Module‐9 - rFronteddu/general_wiki GitHub Wiki
Security in AWS
Introduction
- Describe how authentication and authorization help secure enterprise data.
- Identify customer and AWS security responsibilities in the cloud.
- Identify different types of AWS security controls.
- Authentication is the process of verifying the identity of a user or entity through credentials like a username and password combination.
- Authorization grants users certain access rights and permissions that determine which actions they can perform in a system or application.
Cloud security is a shared responsibility between customers and AWS. Customers maintain complete control over their content. As a result, customers are responsible for securing everything they create and manage in the AWS Cloud. This includes:
- Managing the security of data, systems, and applications
- Deciding what data and workloads to store or run in AWS
- Determining which AWS services to use
- Controlling who has access to environments and resources
AWS is responsible for security of the cloud. AWS operates, manages, and controls the components at all layers of the infrastructure. This includes:
- The foundational software that powers AWS services
- The virtualization layer
- The hardware and global infrastructure that supports the data centers from which services operate.
AWS offers multiple security mechanisms to protect your cloud resources. These controls can help you do the following:
- Prevent security incidents through proper permission and access management.
- Protect networks, applications, and data.
- Detect and respond to security incidents as they occur.
Preventing Unauthorized Access
- Describe the benefits and purpose of AWS Identity and Access Management (IAM).
- Identify best practices for protecting the AWS account root user.
- Define IAM identities and policies that support the principle of least privilege.
- Describe the benefits and purpose of additional AWS services that support the principle of least privilege.
AWS Identity and Access Management (IAM): Securely manage identities and access to AWS services and resources. With IAM, by default, all actions are denied. When you grant permissions, you should provide access only on a need-to-have basis. This concept is called the principle of least privilege.
IAM provides users, groups, and roles so you can configure access based on your company’s specific operational and security needs. IAM policies define the needed access for these identities.
- AWS account root user: All AWS accounts are given an AWS account root user. The root user is the account owner and has permission to do anything inside the AWS account. It is recommended to use a strong password and multi-factor authentication (MFA). To handle daily tasks, you should create other IAM identities, such as IAM users.
- IAM users: An IAM user represents a person or application that interacts with AWS services and resources. It consists of a name and credentials. AWS recommends creating individual IAM users for each person who needs to access the AWS account, so they have their own unique set of security credentials.
- IAM groups: An IAM group is a collection of IAM users. When you assign permissions to a group, all users in the group inherit the permissions.
- IAM roles: An IAM role is an identity you can assume to gain temporary access to a set of permissions. When someone assumes an IAM role, they give up the permissions they held under their previous identity or role and take on the permissions of the new role.
- IAM policies: An IAM policy is a JSON document that allows or denies permission to access AWS services and resources. IAM policies can also define the level of access to resources.
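To make the default-deny and explicit-deny rules concrete, here is an added example (not code from the wiki or from AWS) that evaluates a request against a constructed identity-based policy the way IAM orders its decision, plus a small least-privilege check for bare `*` grants. The policy, bucket name and helper names are hypothetical; condition keys and resource-based policies are out of scope.

```python
import json
import re

# Constructed sample identity-based policy (hypothetical; not from the page or any real account).
# It grants read-only access to one bucket and explicitly denies every s3:Delete* action.
POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]},
    {"Effect": "Deny", "Action": "s3:Delete*", "Resource": "*"}
  ]
}""")
def _items(element) -> list:
    # "Action" and "Resource" may be a single string or a list of strings.
    return element if isinstance(element, list) else [element]

def _matches(element, value: str, ignore_case: bool) -> bool:
    # IAM wildcards: '*' matches any run of characters, '?' exactly one character.
    flags = re.IGNORECASE if ignore_case else 0
    for pattern in _items(element):
        regex = "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"
        if re.match(regex, value, flags):
            return True
    return False

def evaluate(policy: dict, action: str, resource: str) -> str:
    """Decide one request in IAM's order: an explicit Deny always wins, otherwise a
    matching Allow grants access, otherwise the implicit default deny applies.
    Condition keys, NotAction/NotResource and resource-based policies are not modelled."""
    allowed = False
    for stmt in policy["Statement"]:
        # Action names are case-insensitive; resource ARNs are case-sensitive.
        if _matches(stmt["Action"], action, True) and _matches(stmt["Resource"], resource, False):
            if stmt["Effect"] == "Deny":
                return "explicit_deny"
            allowed = True
    return "allow" if allowed else "implicit_deny"

def wildcard_allows(policy: dict) -> list:
    """Least-privilege review helper: indices of Allow statements that use a bare '*'
    as Action or Resource, which is the first thing to question in a policy review."""
    return [i for i, s in enumerate(policy["Statement"])
            if s["Effect"] == "Allow"
            and ("*" in _items(s["Action"]) or "*" in _items(s["Resource"]))]

if __name__ == "__main__":
    for act in ("s3:GetObject", "s3:DeleteObject", "s3:PutObject"):
        print(act, "->", evaluate(POLICY, act, "arn:aws:s3:::example-bucket/report.csv"))
```

Note that `s3:PutObject` is refused without any Deny statement at all: the absence of an Allow is enough, which is what "by default, all actions are denied" means in practice.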
Additional access management services
- AWS IAM Identity Center: IAM Identity Center centralizes identity and access management across AWS accounts and applications. IAM Identity Center can also connect to an existing identity source and provide your workforce with single sign-on access to all your connected AWS services and accounts. This is called federated identity management. Federated identity management is a system that allows users to access multiple applications, services, or domains using a single set of credentials.
- AWS Secrets Manager: Secrets Manager provides a secure way to manage, rotate, and retrieve database credentials, API keys, and other secrets throughout their lifecycle. This helps keep your applications, services, and IT resources safe. Secrets are confidential or private information intended to be known only to specific individuals or groups. Examples include passwords, database credentials, and API keys.
- AWS Systems Manager: Systems Manager provides a centralized view of nodes across your organization’s accounts and Regions and multi-cloud and hybrid environments. With this service, you can quickly access node information, such as ID and operating system details, and automate registry edits, user management, and security patching. Nodes are connection points in a network, system, or structure.
Protecting Networks and Applications
- Explain how distributed denial of service (DDoS) attacks are used to attack networks and applications.
- Describe how AWS infrastructure and services protect against DDoS attacks.
DoS attacks: In a denial of service (DoS) attack, an attacker floods a web application with excessive network traffic. Legitimate customer requests are denied if the web application becomes overloaded and can no longer respond. In a distributed denial of service (DDoS) attack, an attacker uses multiple infected computers (called zombie bots) that send excessive traffic to a web application without their owners' knowledge.
AWS protection through infrastructure
AWS automatically protects against low-level, brute-force attacks, such as DDoS, through its built-in infrastructure and network architecture. AWS infrastructure reaches across the globe and includes multiple Regions, Availability Zones, and edge locations. It is designed to make it difficult for attackers to overwhelm the system.
- Security groups: Security groups allow in only legitimate request traffic. They operate at the AWS network level, so they can shrug off massive attacks using the entire AWS Region's capacity.
- Elastic Load Balancing (ELB): ELB handles traffic first before handing it off, so your frontend server is not overwhelmed. Like security groups, it runs at the Region level.
- AWS Regions: The enormous capacity of Regions makes them extremely difficult to overwhelm. It would be massively expensive to achieve.
AWS protection through services
AWS also offers the following services to help protect your network and applications.
- AWS Shield: AWS Shield Standard is designed to automatically protect AWS customers from the most common, frequently occurring types of DDoS attacks at no cost. It uses a variety of analysis techniques to detect and mitigate incoming malicious network traffic in real time.
- AWS Shield Advanced is a paid service that provides detailed attack diagnostics and the ability to detect and mitigate sophisticated DDoS attacks. It also integrates with other services, such as Amazon CloudFront, Amazon Route 53, and ELB. Additionally, you can integrate AWS Shield with AWS WAF by writing custom rules to mitigate complex DDoS attacks.
- AWS WAF: AWS WAF is a web application firewall that monitors network requests that come into your web applications. When a request comes into AWS WAF, it checks the IP address against a web access control list (web ACL). If the request comes from a blocked IP address on the web ACL, AWS WAF denies access. Legitimate requests are allowed access.
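The web ACL check described above, modelled as an added example (not the wiki's or AWS's code): rules hold IP sets, are evaluated in priority order with first match winning, and unmatched requests fall to the default action. The ACL, rule names, addresses (RFC 5737 / RFC 3849 documentation ranges) and log lines are all constructed; replaying a log through a proposed rule set is a cheap way to see what it would block before it goes live.

```python
import ipaddress
from collections import Counter

# Constructed web ACL (hypothetical; not from the page). Rules are evaluated in priority
# order, the first match decides, and anything unmatched gets the default action.
# The addresses are RFC 5737 / RFC 3849 documentation ranges, not real hosts.
WEB_ACL = {
    "default_action": "ALLOW",
    "rules": [
        {"priority": 0, "name": "allow-office", "action": "ALLOW", "ip_set": ["203.0.113.0/24"]},
        {"priority": 1, "name": "block-known-bad", "action": "BLOCK",
         "ip_set": ["198.51.100.0/24", "192.0.2.7/32", "2001:db8:bad::/48"]},
    ],
}

def decide(acl: dict, client_ip: str) -> tuple:
    """Return (action, rule name) for one client address. An unparsable address is
    treated as BLOCK so that a malformed header can never bypass the list."""
    try:
        ip = ipaddress.ip_address(client_ip)
    except ValueError:
        return ("BLOCK", "invalid-ip")
    for rule in sorted(acl["rules"], key=lambda r: r["priority"]):
        # Membership is False across IP versions, so v4 and v6 entries can share a set.
        if any(ip in ipaddress.ip_network(cidr) for cidr in rule["ip_set"]):
            return (rule["action"], rule["name"])
    return (acl["default_action"], "default")

# Constructed sample access-log lines in combined log format (client IP is the first field).
SAMPLE_LOG = """\
203.0.113.9 - - [01/Jan/2024:00:00:01 +0000] "GET / HTTP/1.1" 200 512
198.51.100.20 - - [01/Jan/2024:00:00:02 +0000] "GET /login HTTP/1.1" 200 311
192.0.2.7 - - [01/Jan/2024:00:00:03 +0000] "POST /login HTTP/1.1" 401 90
2001:db8::1 - - [01/Jan/2024:00:00:04 +0000] "GET /api HTTP/1.1" 200 77
2001:db8:bad::5 - - [01/Jan/2024:00:00:05 +0000] "GET /admin HTTP/1.1" 403 12
"""

def replay(acl: dict, log_text: str) -> dict:
    """Replay log lines through the ACL and count decisions per (action, rule name),
    useful for checking what a proposed rule set would have done before deploying it."""
    counts = Counter()
    for line in log_text.splitlines():
        counts[decide(acl, line.split()[0])] += 1
    return dict(counts)

if __name__ == "__main__":
    for key, n in replay(WEB_ACL, SAMPLE_LOG).items():
        print(key, n)
```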
Protecting Data
- Define data encryption at rest and in transit.
- Describe how various AWS services protect data at rest and in transit.
- Data encryption: Data encryption works like a lock and key mechanism. If you have the right key, you can access the encrypted data. Otherwise, you cannot access the data.
- Types of data encryption:
  - Data encryption at rest: The data is idle and not moving, like when it's stored in a database.
  - Data encryption in transit: The data is moving between locations, like when it's being sent from a database to an application. SSL/TLS certificates are used to establish encrypted network connections from one system to another.
AWS Data Protection
- AWS built-in data protection:
  - S3: By default, all new S3 buckets have encryption configured, and all uploaded objects are encrypted at rest.
  - EBS: Amazon EBS volumes and snapshots can be encrypted at rest, including both boot and data volumes of an Amazon EC2 instance.
  - Amazon DynamoDB: Server-side encryption at rest is enabled on all DynamoDB table data using encryption keys stored in AWS Key Management Service (AWS KMS).
AWS Data Protection Services
- AWS Key Management Service (AWS KMS): You can use AWS KMS to create and manage cryptographic keys. These keys can then be used to encrypt and decrypt your data. You can also control the use of keys across a wide range of services and in your applications. For example, you can specify which IAM users and roles can manage keys. Your keys never leave AWS KMS, and you can temporarily disable them so they can no longer be used. A cryptographic key is a random string of digits used for locking (encrypting) and unlocking (decrypting) data.
- Amazon Macie: With Amazon Macie, you can monitor your sensitive data at rest to make sure it's safe. Macie uses machine learning (ML) and automation to discover sensitive data stored in Amazon S3. You can use Macie to assess your security posture, which is especially helpful for meeting compliance requirements.
- AWS Certificate Manager (ACM): ACM centralizes the management of your SSL/TLS certificates that provide data encryption in transit. It can be used to protect various AWS services and your connected on-premises resources. SSL/TLS certificates are used to establish encrypted network connections from one system to another.
Detecting and Responding to Security Incidents
- Describe how various AWS services help customers detect and respond to security incidents.
AWS offers a variety of services you can use to detect and respond to security incidents.
- Inspector: Helps improve the security and compliance of applications by running automated security assessments for Amazon EC2 instances, containers, and Lambda functions. It checks applications for security vulnerabilities and deviations from security best practices, such as open access to EC2 instances and installations of vulnerable software versions. You can view completed assessments in the Amazon Inspector console. These assessments include a list of security findings prioritized by severity level. Each identified security issue includes a detailed description and a recommendation for how to fix it. You can also retrieve these findings through an API.
- GuardDuty: Provides intelligent threat detection across your infrastructure and resources. GuardDuty identifies threats by continuously monitoring streams of your account metadata and network activity in your environment. It uses known malicious IP addresses, anomaly detection, and machine learning to identify threats more accurately. You can review detailed findings about any GuardDuty-detected threats in the AWS Management Console. Findings include recommended steps for remediation. You can also configure AWS Lambda functions to perform remediation steps automatically.
- Amazon Detective: After a threat has been detected, you can use Amazon Detective to further investigate the root cause. Detective helps you analyze threats with interactive visualizations contained in a unified AWS Management Console view. These visualizations include resource and user interactions over a configurable timeline with recommended steps for remediation.
- AWS Security Hub: Brings multiple security services together into a single place and format. With this service, you can quickly see your security and compliance state in one comprehensive view. Security Hub automatically aggregates security findings from AWS and partner services and organizes them into actionable, meaningful groupings called insights. It can accelerate time to resolution (TTR) with automated remediation.
Additional Security Resources
- For general information on AWS security, identity, and compliance services, refer to Security, Identity, and Compliance on AWS.
- To find answers to questions, troubleshoot issues, and learn more about AWS security services, refer to the Knowledge Center.
- To search through documentation by product category, refer to AWS Security Documentation.
- For expert insights, best practices, and updates on security-related features, refer to the AWS Security Blog.
The AWS Marketplace provides a digital catalog where you can purchase third-party software and services that run on AWS, including threat detection and prevention tools, identity and access management tools, data protection tools, and compliance and governance tools.
Resources
| Link | Description |
|---|---|
| AWS Identity and Access Management (IAM) | Securely manage identities and access to AWS services and resources. |
| AWS IAM Identity Center | Connect your existing workforce identity source and centrally manage access to AWS with single sign-on. |
| AWS Secrets Manager | Centrally store and manage credentials, API keys, and other secrets. |
| AWS Systems Manager | Manage nodes, or connection points, at scale on AWS and in multi-cloud and hybrid environments. |
| AWS Shield | Protect your network and applications from the most common, frequently occurring types of DDoS attacks. |
| AWS WAF | Protect your network and applications from blocked IP addresses defined by a web ACL. |
| AWS Key Management Service (AWS KMS) | Create and manage cryptographic keys to encrypt and decrypt your data. |
| Amazon Macie | Certify that sensitive data is discovered and protected in Amazon S3. |
| AWS Certificate Manager (ACM) | Create and manage SSL/TLS certificates that provide data encryption in transit. |
| Amazon Inspector | Check applications for security vulnerabilities and deviations from security best practices. |
| Amazon GuardDuty | Continuously monitor the AWS environment with intelligent threat detection. |
| Amazon Detective | Analyze threats with interactive visualizations contained in a unified view. |
| AWS Security Hub | Aggregate security findings and organize them into actionable insights. |