security

DDoS Overview

Distributed Denial of Service attack is an attack that attempts to make your website unavailable to your end users.

Layer 4 DDoS attack is often referred to as a SYN flood. It works at the transport layer (TCP). To establish a TCP connection a 3-way handshake takes place. The client sends a SYN packet to a server, the server replies with a SYN-ACK, and the client then responds to that with an ACK. After the 3-way handshake is completed, the applications begin sending data using layer 7 (application layer protocol ) such as HTTP etc.

SYN flood uses the built in patience of the TCP stack by sending a large number of SYN packets and then ignoring the SYN-ACKs returned by the server. There are only so many concurrent TCP connections that a web or application server can have open, so if an attacker sends enough SYN packets to a server, it can easily eat through the allowed number of TCP connections. This prevents legitimate requests from being answered by the server.

An Amplication/reflection attacks include NTP, SSDP, DNS, CharGEN, SNMP attacks. This is where an attacker may send a third-party server (such as an NTP server) a request using a spoofed IP address. That server will then respond to that request with a greater payload than the initial request (within the region of 28-54 times larger than the request) to the spoofed IP address. This means that if the attacker sends a packet with a spoofed IP address of 64 bytes, the NTP server would respond with up to 3,456 bytes of traffic. (Attacker’s machine (64 bytes) -> Legitimate NTP server (3,456 bytes) -> Victim’s machine. Common layer 7 attack is to send a flood of GET requests.

Logging API calls with CloudTrail

You can monitor what IP address / which user account called API, which calls were made, and when the calls occurred. CloudTrail as CCTV monitoring for your AWS account. Allows for after-the-fact incident investigation. Metadata around API calls, the Identity of the API caller, the time of the API call, the request parameters. Stores these logs in S3.

To ensure CloudTrail logs haven’t been tampered with, enable log file validation in your trail.

Protect Applications with AWS Shield

Protects all AWS customers on ELB, Amazon CloudFront, and Route 53. Protects against layer 3/4 attacks.

AWS Shield enhanced protects against larger and more sophisticated attacks. Offers always-on, flow-based monitoring of network traffic.

Gives you 24/7 access to the DDoS Response Team to help manage and mitigate application-layer DDoS attacks. Protects your AWS bill against higher fees due to Elastic Load Balancing (ELB), Amazon CloudFront, and Amazon Route 53 usage spikes during a DDoS attack. Cost: Shield is free, Shield Advanced is $3,000/mo. Large fintech and established companies will want to turn this on.

Filtering Traffic with AWS Web Application Firewall (WAF)

Lets you monitor the HTTP and HTTPS requests that are forwarded to Amazon Cloudfront or an application load balancer. You can configure conditions such as what IP addresses are allowed to make this request or what query string parameters need to be passed. The application load balancer or cloudfront will either allow this content to be received or will give an HTTP 403 status code. AWS WAF operates at layer 7. Allows all requests except the requests you specify, deny the requests you specify, or count the request with the properties defined.

You can define conditions by using characteristics of web requests such as the following: IP Address origination, Country that requests originate from, values in request headers, presence of SQL code that is likely to be malicious, presence of a script that is likely to be malicious (known as cross-site scripting), strings that appear in requests either specific strings or that match regex patterns.

WAF Operates at Layer 7 – can block SQL injections, countries, or IP addresses.

GuardDuty

Threat detection service that uses machine learning to continuously monitor for malicious behavior. Unusual API calls, calls from a known malicious IP. Attempts to disable CloudTrail logging, unauthorized deployments, compromised instances, reconnaissance by would-be attackers, port scanning, failed logins.

Alerts appear in GuardDuty console, centralize threat detection across multiple AWS accounts. Takes 7-14 days to set a baseline. Once active, you will see events in GuardDuty console and in CloudWatch Events.

Pricing: 30 days free, quantity of cloudtrail events. Monitors CloudTrail Logs, VPC flow logs, DNS logs.

Monitoring S3 Buckets with Macie

Personally Identifiable Information – home address, email address, social security number, passport number, driver’s license number, date of birth, phone number.

Macie uses machine learning and pattern matching to discover sensitive data stored in S3. Alerts you if you about unencrypted buckets, alerts you about public buckets, can also alert you about buckets shared with AWS accounts outside of those defined in your AWS organizations, great for frameworks like HIPAA and GDPR.

Macie Alerts can be sent to Amazon EventBridge and can be integrated with event management systems.

Securing Operating systems with Inspector

Amazon Inspector is an automated security assessment service that helps improve the security and compliance of applications deployed on AWS.

2 Types of assessments:

  1. Network Assessments – network configuration analysis to check ports for reachability outside the VPC. Inspector agent not required.
  2. Host Assessments – Vulnerable software (CVE), host hardening (CIS Benchmarks), and security best practices. Inspector agent required.

How does it work?

  1. Create an assessment target,
  2. Install agents on EC2 instances
  3. Create assessment template
  4. Perform assessment run
  5. Review findings against rules

If you see any questions about vulnerability scans about EC2 and VPCs, the answer is likely Inspector.

Managing Encryption keys with Key Management Service (KMS) and CloudHSM

AWS KMS integrates with EBS, S3, RDS, as well as other services to make it simple to encrypt data with keys you manage. Centralized control over the lifecycle and permissions of your keys. You can create new keys whenever you wish, and you can control who can manage keys separately from who can use them. Can control who manages the keys and separately who can use them.

A customer master key (CMK) is a logical representation of a master key. The CMK includes metadata such as the key ID, creation date, description, and key state. The CMK also contains the key material used to encrypt and decrypt data.

You start using the service by requesting the creation of a CMK. You control the lifecycle of the CMK as well as who can use or manage it.

HSM (hardware security module) is a physical computing device that safeguards and manages digital keys and performs encryption and decryption functions. HSM contains one or more secure cryptoprocessor chips.

3 Ways to generate a CMK

  1. AWS creates the CMK for you. The key material for a CMK is generated within HSMs managed by AWS KMS.
  2. Import key material from your own key management infrastructure and associate it with a CMK
  3. Have the key material generated and used in an AWS CloudHSM cluster as part of the custom key store feature in AWS KMS.

Can have AWS KMS automatically rotate CMKs every year, provided that those keys were generated within AWS KMS HSMs. Automatic key rotation is not supported for imported keys, asymmetric keys, or keys generated in an AWS CloudHSM cluster using the AWS KMS custom key store feature.

The primary way to manage access to your AWS KMS CMKs is with policies. Policies that are attached to IAM identity are called identity based policies or IAM policies, and policies attached to other kinds of resources are called resource-based policies.

Key policies: in AWS KMS, you must attach resource-based policies to your customer master keys (CMKs). These are called key policies. All KMS CMKs have a key policy.

3 Ways to Control Permissions

  1. Use the key policy. Controlling access this way means the full scope of access to the CMK is defined in a single document (the key policy).
  2. Use IAM policies in combination with the key policy. Controlling access this way enables you to manage all the permissions for your IAM identities in IAM.
  3. Use grants in combination with the key policy. Controlling access this way enables you to allow access to the CMK in the key policy, as well as allow users to delegate their access to others.

CloudHSM is a physical device, entirely dedicated to you, that can be deployed in a highly available fashion.

KMS vs CloudHSM:

  • KMS: shared tenancy of underlying hardware, automatic key rotation, automatic key generation.
  • CloudHSM : dedicated HSM to you, full control of underlying hardware, full control of users, groups, keys, etc. No automatic key rotation.

KMS: Managed service that makes it easy for you create and control the encryption keys used to encrypt your data. You start the service by requesting the creation of a CMK.

Remember the 3 ways to generate a CMK

KMS key deletion takes a minimum of 7 and a default of 30 days to delete any keys

Storing your secrets in Secrets Manager

Securely stores, encrypts, and rotates your database credentials and other secrets. Encryption in transit and at rest using KMS. Automatically rotates credentials. Apply fine-grained access control using IAM policies. Highly scalability.

Your application makes an API call to Secrets Manager to retrieve the secret programatically. Reduces the risk of credentials being compromised.

Can store RDS credentials, Credentials for non-RDS databases, any other type of secret, provided you can store it as a key-value pair (SSH keys, API keys). If you enable rotation, secrets manager immediately rotates the secret once to test the configuration. Ensure that all of your applications use these credentials are updated to retrieve the credentials.

DISABLE ROTATION: If your application are still used embedded credentials, do not enable rotation because the embedded credentials will no longer work and this will break your application.

Enable rotation: this is recommended setting if your applications are not already using embedded credentials (i.e. they are not going to try to connect to the database using the old credentials). Secrets Manager can be used to store database credentials, API keys, SSH keys, passwords, etc. Applications use the Secrets Manager API, rotating credentials is super easy, but be careful. When enabled, Secrets Manager will rotate credentials immediately. Make sure all your application instances are configured to use Secrets Manager before enabling credential rotation.

Storing your secrets in Parameter Store

Parameter store is a capability of AWS Systems Manager that provides secure, hierarchical storage for configuration data management and secrets management. You can store data such as passwords, database strings, Amazon Machine Image (AMI) IDs, and license codes as parameter values. You can store values as plain text or encrypted data. Parameter Store is free! Limits of parameters you can store (10,000) and there is no key rotation.

Parameter Store or Secrets Manager?

If you’re trying to minimize cost, go with Parameter store. If you need more than 10,000 parameters, key rotation, or the ability to generate passwords using CloudFormation, use Secrets Manager.

Temporarily Sharing S3 Objects using presigned URLs or Cookies

You can share a file/video with others by generating a presigned URL in S3 which can have an expiry time. Presigned cookies are for access to multiple restricted files. Use the CLI to presign URLs which will return a shareable link for the content. Default expires in 1 hour, but can be changed with the “–expires-in” parameter.

Advanced IAM Policy Documents

ARNs are amazon resource names. All ARNS begin with:

arn:partition:service:region:account_id:
arn:aws|cn:s3|ec2|rds:us-east-1|eu-central-1|:123456789
'

and end with

resource
resource_type/resource
resource_type/resource/qualifier
resource_type/resource:qualifier
resource_type:resource
resource_type:resource:qualifier

examples:

arn:aws:iam::1234567890:user/ryan
arn:aws:s3:::my_awesome_bucket/image.png
arn:aws:dynamodb:us-east-1:1234567890:table/orders
arn:aws:ec2:us-east-1:1234567890:instance/*

When we have two colons, we’ve omitted the region value since IAM is global.

When we have three colons, we’ve also omitted the user value since the bucket name is globally unique

When we have a qualifier as a wildcard (*), it matches all ec2 instances

IAM Policies

JSON document that defines permissions

Identity Policy

Resource Policy

No effect until the policies are attached (to a user account or a group the users are in)

{
        "version":"2012-10-17",
        "Statement" : [
            {
                "Sid":"SpecificTable",
                "Effect" : "Allow",
                "Action" : [
                    "dynamodb:BatchGet*",
                    "dynamodb:DescribeStream",
                    "dynamodb:DescribeTable",
                    "dynamodb:Get*",
                    "dynamodb:Query",
                    "dynamodb:Scan",
                    "dynamodb:BatchWrite*",
                    "dynamodb:CreateTable",
                    "dynamodb:Delete*",
                    "dynamodb:Update*",
                    "dynamodb:PutItem",
                ],
                "Resource":"arn:aws:dynamodb:*:*:table/MyTable"
            }
        ]
}

An effect is either Allow or Deny.

Matched based on their Action

The Resource the Action is against

Permission Boundaries : used to delegate administration to other users. Prevent privilege escalation or unnecessarily broad permissions. Control maximum permissions an IAM policy can grant.

Use cases:

  • Developers creating roles for lambda functions
  • Application owners creating roles for EC2 instances
  • Admins creating ad hoc users

Not explicit allowed == implicitly denied

Explicit deny > everything else

AWS joins all applicable policies

AWS managed policies and customer managed policies

ONLY ATTACHED POLICIES HAVE AN EFFECT!

AWS Certificate Manager

AWS Certificate Manager allows you to create, manage, and deploy public and private SSL certificates for use with other AWS services. It integrates with other services – such as Elastic Load Balancing, CloudFront distributions, and API Gateway – allowing you to easily manage and deploy SSL certificates in your AWS environment.

Cost: no more paying for SSL certificates! AWS Certificate Manager provisions both private and public certificates for free. You will still pay for the resources that utilize your certificates (such as Elastic Load Balancing).

Automated Renewals and Deployment

Certificate Manager can automate the renewal of your SSL certificate and then automatically update the new certificate with ACM-integrated services, such as Elastic Load Balancer, Cloudfront, and API Gateway.

Easier to set up. Removes a lot of the manual process, such as generating a key pair or creating a certificate signing request (CSR). You can create your own SSL certificate with just a few clicks in the AWS management console.

Security Exam Tips

Layer 3,4 – Shield. Layer 7 – WAF.

GuardDuty monitors CloudTrail logs VPC Flow Logs, and DNS logs (Network Intrusion detection) . Findings can trigger a lambda function to address a threat.

Macie uses AI to analyze PII data in S3. Great for HIPAA and GDPR compliance as well as preventing identity theft.

Parameter store vs Secrets manager? If you want to save money, parameter store. If you need more than 10,000 parameters, secrets manager.

Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.