Security in AWS - vedratna/aws-learning GitHub Wiki
- A promiscuous IDS (Intrusion Detection System) is not allowed in AWS, because it would listen to all traffic reaching the physical host at the hypervisor level, and AWS never allows an EC2 instance to listen to traffic intended for any other EC2 instance.
AWS Web Application Firewall (AWS WAF)
AWS Web Application Firewall (AWS WAF) is a web application firewall that helps protect web applications from attacks by allowing you to configure rules that allow, block or monitor web requests based on conditions that you define. These conditions include IP addresses, HTTP headers, HTTP body, Uniform Resource Identifier (URI) strings, SQL injection and cross-site scripting. As the underlying service receives requests for your websites, it forwards those requests to AWS WAF for inspection against your rules. Once a request meets a condition defined in your rules, AWS WAF instructs the underlying service either to block or allow the request based on the action you define. AWS WAF is tightly integrated with Amazon CloudFront and the Application Load Balancer. When WAF is used with CloudFront, rules run in all AWS edge locations around the world, close to your end users.
- It is mainly used to protect against cross-site scripting (XSS) and SQL injection attacks.
- It uses a Web ACL (Web Access Control List) containing a condition or group of conditions; each incoming request is evaluated to one of three actions: allow, block or count.
- Count mode is useful for identifying and preventing DDoS: the Web ACL can carry a rate-based rule that blocks an IP once the number of requests from that IP exceeds a defined limit.
- An IP set can be used in both allow and block rules; in other words, IPs can be allowlisted or blocklisted.
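A small model of the Web ACL evaluation order described above (an added example in Python, not AWS code and not part of this wiki): it assumes a per-IP window of request timestamps for the rate-based rule and feeds it constructed traffic.

```python
"""Toy model of AWS WAF web ACL evaluation (added example, not AWS code).
Rules run in priority order; ALLOW and BLOCK terminate evaluation, COUNT only records
the match and continues; a rate-based rule matches once an IP exceeds the limit inside
the window. The window length and the sample traffic below are constructed."""
from collections import defaultdict, deque

class WebAcl:
    def __init__(self, default_action="ALLOW", rate_window_s=300):
        self.default_action = default_action
        self.rate_window_s = rate_window_s
        self.rules = []                    # (priority, name, action, predicate)
        self.counts = defaultdict(int)     # matches recorded by COUNT-mode rules
        self._hits = defaultdict(deque)    # (rule, ip) -> timestamps of recent requests

    def add_ip_set_rule(self, priority, name, action, ip_set):
        """IP set reference: match when the client IP is in the set."""
        self.rules.append((priority, name, action, lambda r: r["ip"] in ip_set))

    def add_rate_based_rule(self, priority, name, action, limit):
        """Rate-based statement aggregated by IP: match once requests in the window exceed limit."""
        def over_limit(r):
            q = self._hits[(name, r["ip"])]
            q.append(r["ts"])
            while q and q[0] <= r["ts"] - self.rate_window_s:  # forget hits outside the window
                q.popleft()
            return len(q) > limit
        self.rules.append((priority, name, action, over_limit))

    def evaluate(self, request):
        """Final action for one request {"ip": ..., "ts": seconds}."""
        for _, name, action, predicate in sorted(self.rules, key=lambda r: r[0]):
            if not predicate(request):
                continue
            if action == "COUNT":          # non-terminating: record and keep evaluating
                self.counts[name] += 1
                continue
            return action                  # ALLOW / BLOCK terminate evaluation
        return self.default_action

def demo():
    """Constructed traffic: one allowlisted IP, one blocklisted IP, one chatty IP."""
    acl = WebAcl()
    acl.add_ip_set_rule(0, "trusted-scanners", "ALLOW", {"10.0.0.5"})
    acl.add_ip_set_rule(1, "known-bad", "BLOCK", {"198.51.100.7"})
    acl.add_rate_based_rule(2, "flood-count", "COUNT", limit=3)  # observe first ...
    acl.add_rate_based_rule(3, "flood-block", "BLOCK", limit=5)  # ... then block
    traffic = ["10.0.0.5", "198.51.100.7"] + ["203.0.113.9"] * 7
    results = [acl.evaluate({"ip": ip, "ts": t}) for t, ip in enumerate(traffic)]
    return results, dict(acl.counts)
```

Running a COUNT rule with a lower limit than the BLOCK rule is the usual way to watch how a rate limit would behave before enforcing it.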
AWS Trusted Advisor
The AWS Trusted Advisor customer support service not only monitors cloud performance and resiliency, but also cloud security. AWS Trusted Advisor inspects your AWS environment and makes recommendations when opportunities may exist to save money, improve system performance or close security gaps. Trusted Advisor advises on cost optimization, performance, fault tolerance and security. Some of the security checks are free, but the cost optimization, performance and fault tolerance checks and the remaining security checks are chargeable.
AWS Shield
- AWS Shield is a managed Distributed Denial of Service (DDoS) protection service that safeguards applications running on AWS. AWS Shield provides always-on detection and automatic inline mitigations that minimize application downtime and latency, so there is no need to engage AWS Support to benefit from DDoS protection. There are two tiers of AWS Shield - Standard and Advanced.
- All AWS customers benefit from the automatic protections of AWS Shield Standard, at no additional charge. AWS Shield Standard defends against most common, frequently occurring network and transport layer DDoS attacks that target your web site or applications. When you use AWS Shield Standard with Amazon CloudFront and Amazon Route 53, you receive comprehensive availability protection against all known infrastructure (Layer 3 and 4) attacks.
- For higher levels of protection against attacks targeting your applications running on Amazon Elastic Compute Cloud (EC2), Elastic Load Balancing (ELB), Amazon CloudFront, AWS Global Accelerator and Amazon Route 53 resources, you can subscribe to AWS Shield Advanced. In addition to the network and transport layer protections that come with Standard, AWS Shield Advanced provides additional detection and mitigation against large and sophisticated DDoS attacks, near real-time visibility into attacks, and integration with AWS WAF, a web application firewall. AWS Shield Advanced also gives you 24x7 access to the AWS DDoS Response Team (DRT) and protection against DDoS related spikes in your Amazon Elastic Compute Cloud (EC2), Elastic Load Balancing (ELB), Amazon CloudFront, AWS Global Accelerator and Amazon Route 53 charges.
AWS GuardDuty
- AWS GuardDuty is a continuous security monitoring service that uses threat intelligence feeds and lists of malicious IP addresses, and analyzes VPC flow logs, DNS logs, CloudTrail management events and S3 data event logs to detect malicious activity such as:
  - Escalation of privileges (credential compromise)
  - Use of exposed credentials
  - Communication with malicious IPs, URLs or domains
  - Compromised EC2 instances, cryptocurrency mining
- GuardDuty can be integrated with CloudWatch Events and can send notifications on the basis of CloudWatch Events.
- It provides multi-account support using AWS Organizations.
- A list of trusted IP addresses can be uploaded so that GuardDuty does not create findings for them.
- Data is encrypted in transit and at rest.
- Charges apply for the analysis of CloudTrail logs, VPC flow logs and DNS logs.
AWS Inspector
- It is a security assessment service that helps improve applications' security and compliance by finding network vulnerabilities, security exposures and deviations from security best practices.
- Predefined rules packages created by the AWS security team are the core of an Inspector assessment.
- It can perform:
  - Host assessment (requires the Inspector agent on the EC2 instance)
    - Data from the agent to Inspector is sent over TLS in near real time
  - Network assessment
    - Inspector analyzes the network configuration of the assessed AWS environment for vulnerabilities.
- Either assessment can be configured to run only once or weekly.
- GuardDuty analyzes logs to create findings, so it is more like an IDS; Inspector, on the other hand, analyzes EC2 instances or applications to find vulnerabilities.
- The scope of GuardDuty is the whole account, while Inspector is applied to an EC2 instance or a group of EC2 instances.
- You can use Amazon Inspector to conduct a detailed scan for CVE in your fleet of EC2 instances. Amazon Inspector offers predefined software called an agent that you can optionally install in the operating system of the EC2 instances that you want to assess. Amazon Inspector also has rules packages that help verify whether the EC2 instances in your assessment targets are exposed to common vulnerabilities and exposures (CVEs). Attacks can exploit unpatched vulnerabilities to compromise the confidentiality, integrity, or availability of your service or data. The CVE system provides a reference method for publicly known information security vulnerabilities and exposures.
AWS Secrets Manager
- As the name suggests, it manages secrets, mainly storage or database endpoint credentials. Automatic secret (password) rotation and auditing make it a better secret store than Parameter Store.
- Passwords for supported services such as RDS, EMR, Fargate, SageMaker, IoT Greengrass, ECS and CodeBuild can be rotated automatically or on demand. A Lambda function is required to rotate passwords or OAuth secrets for other databases.
- Secrets Manager always encrypts data at rest, while Parameter Store also has an option to store values in plain text.
- Secrets Manager is charged at $0.40 per secret per month and $0.05 per 10K API calls; standard Parameter Store is free and the advanced tier is chargeable.
- The maximum parameter size in Parameter Store is 4KB for standard and 8KB for advanced parameters. The maximum secret size in Secrets Manager is 64KB.
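The Lambda rotation function mentioned above is driven by Secrets Manager through a four-step protocol (createSecret, setSecret, testSecret, finishSecret). This added example (not AWS's sample code or part of this wiki) shows the handler skeleton against constructed in-memory stand-ins for the boto3 Secrets Manager client and the database, so it runs offline; `FakeSecretsManager`, `FakeDb` and the secret names are assumptions.

```python
"""Skeleton of a Secrets Manager rotation Lambda for a database that Secrets Manager cannot rotate
natively (added example, not AWS sample code). The step names and ClientRequestToken are what
Secrets Manager really passes; FakeSecretsManager and FakeDb are constructed in-memory stand-ins."""
import json, secrets

class FakeSecretsManager:
    def __init__(self, current):
        self.versions = {"v0": {"stages": ["AWSCURRENT"], "value": current}}
    def get_secret_value(self, SecretId, VersionStage="AWSCURRENT", VersionId=None):
        for vid, v in self.versions.items():
            if vid == VersionId or (VersionId is None and VersionStage in v["stages"]):
                return {"SecretString": v["value"], "VersionId": vid}
        raise KeyError("ResourceNotFoundException")   # boto3 raises its own exception class
    def put_secret_value(self, SecretId, ClientRequestToken, SecretString, VersionStages):
        for v in self.versions.values():              # a staging label lives on one version only
            v["stages"] = [s for s in v["stages"] if s not in VersionStages]
        self.versions[ClientRequestToken] = {"stages": list(VersionStages), "value": SecretString}
    def update_secret_version_stage(self, SecretId, VersionStage, MoveToVersionId, RemoveFromVersionId):
        self.versions[RemoveFromVersionId]["stages"].remove(VersionStage)
        self.versions[MoveToVersionId]["stages"].append(VersionStage)

class FakeDb:
    def __init__(self, username, password): self.users = {username: password}
    def set_password(self, username, password): self.users[username] = password
    def login(self, username, password): return self.users.get(username) == password

def rotate(sm, db, secret_id, token, step):
    """One handler invocation; Secrets Manager retries failed steps, so each one is idempotent."""
    if step == "createSecret":
        try:                                   # retry guard: keep an existing pending version
            sm.get_secret_value(SecretId=secret_id, VersionId=token)
            return
        except KeyError: pass
        new = json.loads(sm.get_secret_value(SecretId=secret_id)["SecretString"])
        new["password"] = secrets.token_urlsafe(24)
        sm.put_secret_value(SecretId=secret_id, ClientRequestToken=token,
                            SecretString=json.dumps(new), VersionStages=["AWSPENDING"])
    elif step == "setSecret":                  # push the pending password into the database
        pending = json.loads(sm.get_secret_value(SecretId=secret_id, VersionStage="AWSPENDING")["SecretString"])
        db.set_password(pending["username"], pending["password"])
    elif step == "testSecret":                 # prove it works before anything is promoted
        pending = json.loads(sm.get_secret_value(SecretId=secret_id, VersionStage="AWSPENDING")["SecretString"])
        if not db.login(pending["username"], pending["password"]):
            raise RuntimeError("pending credential rejected; AWSCURRENT left unchanged")
    elif step == "finishSecret":               # move AWSCURRENT to the tested version
        current_id = sm.get_secret_value(SecretId=secret_id)["VersionId"]
        if current_id != token:
            sm.update_secret_version_stage(SecretId=secret_id, VersionStage="AWSCURRENT",
                                           MoveToVersionId=token, RemoveFromVersionId=current_id)
```

The point of the ordering is that AWSCURRENT only moves after the new password has been proven to work, so a failed rotation never locks the application out.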
Amazon Macie
- Amazon Macie is a fully managed data security and privacy service.
- It uses machine learning and pattern matching to analyze and protect data.
- It automatically provides an inventory of S3 buckets that are unencrypted, publicly accessible, or shared with accounts outside the AWS Organization.
- Using machine learning, it also reports sensitive data such as PII (useful for HIPAA).
- It can send findings to EventBridge, which can trigger a Step Functions workflow to take remediation action.
- Macie can provide this functionality for multiple accounts from one Macie account.
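Both the GuardDuty notification bullet and the Macie-to-EventBridge bullet above come down to an EventBridge event pattern. This added example (not AWS code or part of this wiki) gives one pattern for each and a minimal matcher covering only the exact, prefix and numeric filters used here, so constructed sample findings can be checked offline; the sample events are trimmed assumptions, not real findings.

```python
"""EventBridge event patterns that route GuardDuty and Macie findings, plus a minimal matcher for
the exact, prefix and numeric filters they use (added example, not AWS code). The source and
detail-type values are the documented ones; the finding events are constructed samples."""
import operator

# Route only high-severity GuardDuty findings (severity 7.0 and above).
GUARDDUTY_HIGH = {
    "source": ["aws.guardduty"],
    "detail-type": ["GuardDuty Finding"],
    "detail": {"severity": [{"numeric": [">=", 7]}]},
}
# Route Macie sensitive-data findings (not policy findings) to a remediation workflow.
MACIE_SENSITIVE = {
    "source": ["aws.macie"],
    "detail-type": ["Macie Finding"],
    "detail": {"type": [{"prefix": "SensitiveData:"}]},
}
_OPS = {">": operator.gt, ">=": operator.ge, "<": operator.lt, "<=": operator.le, "=": operator.eq}

def _matches_value(allowed, actual):
    """A field matches when any entry of the pattern list matches the event's value."""
    for entry in allowed:
        if isinstance(entry, dict):
            if "prefix" in entry and isinstance(actual, str) and actual.startswith(entry["prefix"]):
                return True
            if "numeric" in entry and isinstance(actual, (int, float)):
                ops = entry["numeric"]                  # e.g. [">=", 7] or [">", 0, "<=", 5]
                if all(_OPS[ops[i]](actual, ops[i + 1]) for i in range(0, len(ops), 2)):
                    return True
        elif entry == actual:
            return True
    return False

def matches(pattern, event):
    """True when every field named in the pattern matches; a field missing from the event fails."""
    for key, allowed in pattern.items():
        actual = event.get(key)
        ok = (isinstance(actual, dict) and matches(allowed, actual) if isinstance(allowed, dict)
              else _matches_value(allowed, actual))
        if not ok:
            return False
    return True

# Constructed sample events, reduced to the fields the patterns inspect.
GD_HIGH = {"source": "aws.guardduty", "detail-type": "GuardDuty Finding",
           "detail": {"type": "UnauthorizedAccess:EC2/TorClient", "severity": 8}}
GD_LOW = {"source": "aws.guardduty", "detail-type": "GuardDuty Finding",
          "detail": {"type": "Recon:EC2/PortProbeUnprotectedPort", "severity": 2}}
MACIE_PII = {"source": "aws.macie", "detail-type": "Macie Finding",
             "detail": {"type": "SensitiveData:S3Object/Personal", "severity": {"score": 3}}}
```

The same pattern dictionaries can be passed unchanged as the EventPattern of an EventBridge rule whose target is the SNS topic or Step Functions state machine that performs the notification or remediation.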