AWS SECURITY
Domain 3 - Infrastructure Security
VPC Peering
VPC peering is a network connection between two different VPCs that enables communication between instances in both VPCs.
VPC Peering is now possible between regions.
You cannot create a VPC peering connection between VPCs with matching or overlapping IPv4 CIDR blocks. Also, VPC peering is not transitive: it does not act like a transit gateway.
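The two peering constraints above, turned into pre-checks you can run before requesting a connection. This is an added example, not code from the notes or from AWS: the VPC names, CIDR blocks and peering pairs are constructed sample data, and the "transit" function is only there to contrast multi-hop forwarding with what peering actually gives you.

```python
"""VPC peering pre-checks (added example; all VPC names, CIDRs and peerings are constructed)."""
import ipaddress
from typing import Dict, List, Tuple

# Constructed inventory: VPC name -> its IPv4 CIDR blocks.
VPCS: Dict[str, List[str]] = {
    "prod-a": ["10.0.0.0/16"],
    "prod-b": ["10.1.0.0/16", "172.16.0.0/20"],
    "shared": ["10.0.128.0/17"],       # overlaps prod-a: peering would be refused
    "analytics": ["192.168.0.0/24"],
}

# Constructed peering connections (point-to-point, undirected).
PEERINGS: List[Tuple[str, str]] = [("prod-a", "prod-b"), ("prod-b", "analytics")]


def cidr_conflicts(cidrs_a: List[str], cidrs_b: List[str]) -> List[Tuple[str, str]]:
    """Return every (a, b) pair of blocks that match or overlap; empty means peering is allowed."""
    conflicts = []
    for a in cidrs_a:
        net_a = ipaddress.ip_network(a)
        for b in cidrs_b:
            if net_a.overlaps(ipaddress.ip_network(b)):
                conflicts.append((a, b))
    return conflicts


def can_peer(vpc_a: str, vpc_b: str, vpcs: Dict[str, List[str]] = VPCS) -> bool:
    """AWS refuses the connection when any block of one VPC overlaps any block of the other."""
    return not cidr_conflicts(vpcs[vpc_a], vpcs[vpc_b])


def reachable_via_peering(src: str, dst: str, peerings=PEERINGS) -> bool:
    """Peering is not transitive: src reaches dst only over a direct connection."""
    return (src, dst) in peerings or (dst, src) in peerings


def reachable_via_transit(src: str, dst: str, peerings=PEERINGS) -> bool:
    """Contrast only: a hub that forwards between attachments would give multi-hop paths."""
    seen, frontier = {src}, [src]
    while frontier:
        node = frontier.pop()
        for a, b in peerings:
            nxt = b if a == node else a if b == node else None
            if nxt and nxt not in seen:
                seen.add(nxt)
                frontier.append(nxt)
    return dst in seen


if __name__ == "__main__":
    print(cidr_conflicts(VPCS["prod-a"], VPCS["shared"]))   # [('10.0.0.0/16', '10.0.128.0/17')]
    print(can_peer("prod-a", "prod-b"))                      # True
    print(reachable_via_peering("prod-a", "analytics"))      # False: no transit through prod-b
    print(reachable_via_transit("prod-a", "analytics"))      # True only with a real hub
```

Run the overlap check against every existing peer of both VPCs, not just the pair being connected; a block that is free on one side may already be routed from the other side's peers.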
Gateway Endpoints ACL
https://docs.aws.amazon.com/vpc/latest/userguide/vpce-gateway.html
Introduction to Bastion Hosts
Bastion Host → “Jump Box” from the public to the private subnet.
The user needs access to both the jump box and the private instance.
https://medium.com/@crishantha/handing-bastion-hosts-on-aws-via-ssh-agent-forwarding-f1d2d4e8622a
https://aws.amazon.com/blogs/security/securely-connect-to-linux-instances-running-in-a-private-amazon-vpc/
Virtual Private Networks
A Virtual Private Network (VPN) is used to establish an encrypted connection between computer devices through the public Internet.
VPN aims to emulate the privacy of a network connection that exists in a private network.
In AWS, you can establish a VPN connection between your VPC and remote servers in four (4) ways.
AWS Site-to-Site VPN tunnel
AWS Site-to-Site VPN provides an IPsec VPN connection between your VPC and your remote network.
AWS Client VPN
AWS Client VPN is a managed client-based VPN that is offered as a service.
AWS VPN CloudHub
AWS VPN CloudHub is a hub-and-spoke VPN that allows communication between two or more on-premises networks situated at different locations.
Third Party Software VPN Appliance
Optionally, you can spin up an EC2 instance on which you run a third-party software VPN appliance. Unlike AWS Client VPN, you have full control over the software, the instance, and the responsibilities that come with it, such as installing updates and patches. You can find a software VPN appliance from open-source communities, AWS partners, or AWS Marketplace.
VPC Endpoints
AWS introduced a feature called “VPC Endpoints”: a secure and highly reliable connection from your VPC to services such as S3.
VPC endpoints for S3 are secured through VPC endpoint access policies, which let you set which S3 buckets the endpoint should and should not have access to. By default, any user or service within the VPC using credentials from any AWS account has access to any Amazon S3 resource. Use these together with S3 bucket policies to further refine access control over your buckets and objects.
Interface VPC endpoints (AWS PrivateLink)
● Interface VPC Endpoints are next-generation VPC endpoints.
● VPC endpoints are created inside your VPC.
● They have ENI and Private IP associated.
● Access control through security groups.
Network ACL
● Network ACLs are stateless in nature.
● They operate at the subnet level instead of the instance level like Security Groups.
● All subnets in a VPC must be associated with a NACL.
● By default, Network ACL contains full allow in INBOUND and OUTBOUND.
A NACL is the opposite of a Security Group, which is stateful.
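What "stateless" costs you in practice, as an added example (a teaching model of the evaluation order, not AWS code): a NACL evaluates its numbered rules in ascending order, the first match wins, and the implicit "*" rule denies whatever is unmatched; the response packet of a flow is evaluated on its own, so the outbound rules must cover the client's ephemeral port range. A security group has allow rules only and, being stateful, permits the response to any request it allowed. The rule sets, packets and port numbers below are constructed.

```python
"""Stateless NACL versus stateful security group, simulated (added example; constructed data)."""
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    direction: str                          # "in" or "out" relative to the subnet
    proto: str                              # "tcp" or "udp"
    port: int                               # destination port
    response_to: Optional["Packet"] = None  # set on the return packet of a flow


@dataclass(frozen=True)
class Rule:
    number: int                 # NACL rule number (unused by security groups)
    direction: str
    proto: str
    ports: Tuple[int, int]      # inclusive destination port range
    action: str                 # "allow" or "deny" (security groups: allow only)

    def matches(self, pkt: Packet) -> bool:
        return (self.direction == pkt.direction and self.proto == pkt.proto
                and self.ports[0] <= pkt.port <= self.ports[1])


def nacl_permits(rules: List[Rule], pkt: Packet) -> bool:
    """Stateless: every packet, responses included, is matched against the rules in order."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.matches(pkt):
            return rule.action == "allow"
    return False  # the implicit '*' deny rule at the end of every NACL


def sg_permits(rules: List[Rule], pkt: Packet) -> bool:
    """Stateful: a response is permitted if the request it answers was permitted."""
    if pkt.response_to is not None:
        return sg_permits(rules, pkt.response_to)
    return any(r.action == "allow" and r.matches(pkt) for r in rules)


# Constructed rule sets: HTTPS in, with and without the ephemeral range out.
NACL_NO_EPHEMERAL = [Rule(100, "in", "tcp", (443, 443), "allow")]
NACL_FIXED = NACL_NO_EPHEMERAL + [Rule(100, "out", "tcp", (1024, 65535), "allow")]
SG_HTTPS = [Rule(0, "in", "tcp", (443, 443), "allow")]

# Constructed flow: a client connects to 443; the reply goes back to its ephemeral port.
REQUEST = Packet("in", "tcp", 443)
RESPONSE = Packet("out", "tcp", 51515, response_to=REQUEST)


def flow_allowed(permits: Callable[[List[Rule], Packet], bool], rules: List[Rule]) -> bool:
    """A connection works only if the request and its response both pass the filter."""
    return permits(rules, REQUEST) and permits(rules, RESPONSE)


if __name__ == "__main__":
    print("NACL without ephemeral range:", flow_allowed(nacl_permits, NACL_NO_EPHEMERAL))  # False
    print("NACL with ephemeral range:   ", flow_allowed(nacl_permits, NACL_FIXED))        # True
    print("Security group, 443 in only: ", flow_allowed(sg_permits, SG_HTTPS))            # True
```

The ordering rule matters as much as statefulness: a deny at rule 90 overrides an allow at rule 100 for the same traffic, while the same deny placed at 110 is never reached.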
Origin Access Identity (OAI)
CloudFront Origin Access Identity allows users to access the contents of an S3 bucket only via the CloudFront distribution.
When OAI is enabled, CloudFront adds a bucket policy to the S3 bucket that allows access only via the CloudFront distribution.
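An added example of the policy shape OAI leaves on the bucket and of an audit that checks a bucket is still locked to it. The policy form is the documented OAI principal (`arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity <id>`); the bucket name, the OAI id and the audit helper itself are constructed for illustration and are not the notes' or AWS's code.

```python
"""OAI bucket policy: builder and audit (added example; bucket name and OAI id are placeholders)."""
import json
from typing import Any, Dict, List, Union

OAI_PRINCIPAL_PREFIX = "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity "
READ_ACTIONS = {"s3:GetObject", "s3:Get*", "s3:*", "*"}


def oai_bucket_policy(bucket: str, oai_id: str) -> Dict[str, Any]:
    """The read-only grant to the OAI that CloudFront adds when it updates bucket permissions."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowCloudFrontOAIReadOnly",
            "Effect": "Allow",
            "Principal": {"AWS": OAI_PRINCIPAL_PREFIX + oai_id},
            "Action": "s3:GetObject",
            "Resource": f"arn:aws:s3:::{bucket}/*",
        }],
    }


def _as_list(value) -> List[str]:
    return value if isinstance(value, list) else [value]


def _principals(stmt: Dict[str, Any]) -> List[str]:
    """Flatten the Principal element ("*" or {"AWS": ..., "Service": ...}) to a list of strings."""
    principal = stmt.get("Principal", {})
    if principal == "*":
        return ["*"]
    flat: List[str] = []
    for value in principal.values():
        flat.extend(_as_list(value))
    return flat


def audit_origin_policy(policy: Union[str, Dict[str, Any]], expected_oai_id: str) -> List[str]:
    """Return findings (empty = clean): any Allow of object reads to a principal other than the OAI."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if not any(a in READ_ACTIONS for a in _as_list(stmt.get("Action", []))):
            continue
        sid = stmt.get("Sid", "<no Sid>")
        for principal in _principals(stmt):
            if principal == "*":
                findings.append(f"{sid}: public read via Principal '*'")
            elif principal != OAI_PRINCIPAL_PREFIX + expected_oai_id:
                findings.append(f"{sid}: read allowed to {principal}")
    return findings


if __name__ == "__main__":
    clean = oai_bucket_policy("example-media-bucket", "EXAMPLEOAIID")   # placeholders
    print(audit_origin_policy(json.dumps(clean), "EXAMPLEOAIID"))         # []
    public = {"Statement": [{"Sid": "Public", "Effect": "Allow", "Principal": "*",
                             "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-media-bucket/*"}]}
    print(audit_origin_policy(public, "EXAMPLEOAIID"))                    # ["Public: public read via Principal '*'"]
```

Feed the audit the output of a real `get-bucket-policy` call; a bucket that passes here but still has public ACLs or Block Public Access disabled is a separate check.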
CloudFront Signed URLs
CloudFront signed URLs require users to present a signed URL or a signed cookie to access private content.
CloudFront signed URLs can be generated by the trusted signers assigned in your AWS account.
EBS Security
i) Before terminating an instance, customers can wipe the data in EBS.
ii) AWS also wipes the data immediately before the EBS is made for re-use.
iii) When the storage device has reached its end of use, it is decommissioned via the detailed steps described in NIST 800-88 or DoD 5220.22-M.
Server Name Indication (SNI)
is a TLS protocol extension that lets you consolidate multiple certificates to handle different domains in a single location.
AWS Shield
AWS Shield is a managed Distributed Denial of Service (DDoS) service that safeguards the workloads running on AWS against DDoS attacks.
There are two tiers of AWS Shield:
● Shield Standard provides a basic level of protection.
● Shield Advanced costs $3,000 per organization and requires Business or Enterprise Support.
Mitigating DDoS
There are four major pointers that need to be remembered:
● Be ready to scale as traffic surges.
● Minimize the attack surface area.
● Know what is normal and abnormal.
● Create a plan for attacks.
The following are some of the key AWS services involved in DDoS attack mitigation:
● AWS Shield
● Amazon CloudFront
● Amazon Route 53
● AWS WAF
● Elastic Load Balancing
● VPC & Security Groups
Domain 2 - Logging & Monitoring
Domain 1 (12%) - Incident Response
AWS GuardDuty
Fully managed, intelligent threat-detection service.
Monitors for malicious behavior.
Monitors multiple log sources:
CloudTrail, VPC Flow Logs, Route 53 DNS logs, S3 data events
Centralized Dashboards
Centralize dashboards by sending findings from member accounts to the master account.
GuardDuty Alerts
You can whitelist trusted IP addresses or threat addresses via a file in the correct format.
You can archive corrected alerts.
You can suppress alerts.
Incident Response
Incident Response (IR) is an organized approach to address and manage the aftermath of a security incident in an organization.
Incident = some form of a security breach.
The first step is to identify that an incident has actually occurred.
Two Primary Use Cases
Compromised EC2 Instances
Lock the instance down
Take an EBS Snapshot
Memory Dump
Perform Forensic Analysis
Terminate the instance
Exposed AWS Access & Secret Keys
Determine the access associated with those keys
Invalidate the credentials
Invalidate any temporary credentials that might have been issued with the exposed keys
Restore access with new credentials
Review your AWS account
You should disable keys, not delete them: make the keys inactive.
For temporary keys (for example, ones issued via aws sts get-session-token), attach an explicit deny policy or remove all policies associated with the user.
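Both use cases above as containment steps, written as an added example against the boto3 client methods (`modify_instance_attribute`, `create_snapshot`, `update_access_key`, `put_user_policy`, `list_attached_user_policies`) with the clients passed in, so the logic runs offline. This is not the notes' or AWS's code: the instance, volume, security-group, user and access-key ids are placeholders, and `RecordingClient` is a constructed stand-in for a real client. The "revoke older sessions" policy uses the documented `aws:TokenIssueTime` condition key, which is how temporary credentials already issued from the exposed key are cut off without deleting the key.

```python
"""IR containment for a compromised instance and an exposed key (added example; ids are placeholders)."""
import json
from datetime import datetime, timezone
from typing import Dict, List

try:
    import boto3  # needed only when running against a real account
except ImportError:
    boto3 = None  # keeps the module importable where boto3 is absent


class RecordingClient:
    """Offline stand-in for a boto3 client: records every call and returns canned replies."""

    def __init__(self, responses: Dict[str, dict] = None):
        self.calls: List[tuple] = []
        self.responses = responses or {}

    def __getattr__(self, method: str):
        def call(**kwargs):
            self.calls.append((method, kwargs))
            return self.responses.get(method, {})
        return call


def isolate_instance(ec2, instance_id: str, isolation_sg: str) -> Dict[str, str]:
    """Use case 1: lock the instance down and snapshot its volumes before any teardown.
    isolation_sg is a predefined security group with no inbound and no outbound rules."""
    ec2.modify_instance_attribute(InstanceId=instance_id, Groups=[isolation_sg])
    ec2.modify_instance_attribute(InstanceId=instance_id,
                                  DisableApiTermination={"Value": True})
    snapshots: Dict[str, str] = {}
    reservations = ec2.describe_instances(InstanceIds=[instance_id])["Reservations"]
    for inst in reservations[0]["Instances"]:
        for mapping in inst.get("BlockDeviceMappings", []):
            volume_id = mapping["Ebs"]["VolumeId"]
            snap = ec2.create_snapshot(VolumeId=volume_id,
                                       Description=f"IR evidence from {instance_id}")
            snapshots[volume_id] = snap["SnapshotId"]
    return snapshots  # memory dump, forensics and termination follow out of band


def revoke_sessions_policy(not_after: str) -> str:
    """Explicit deny for any session whose token was issued before not_after (ISO 8601 UTC)."""
    return json.dumps({
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Deny", "Action": "*", "Resource": "*",
            "Condition": {"DateLessThan": {"aws:TokenIssueTime": not_after}},
        }],
    })


def contain_exposed_key(iam, user_name: str, access_key_id: str, not_after: str) -> List[str]:
    """Use case 2: make the key inactive (not deleted, so its CloudTrail history stays
    attributable), cut off temporary credentials derived from it, and report the
    managed policies still attached so the access they grant can be reviewed."""
    iam.update_access_key(UserName=user_name, AccessKeyId=access_key_id, Status="Inactive")
    iam.put_user_policy(UserName=user_name, PolicyName="IRRevokeOlderSessions",
                        PolicyDocument=revoke_sessions_policy(not_after))
    attached = iam.list_attached_user_policies(UserName=user_name)["AttachedPolicies"]
    return [p["PolicyArn"] for p in attached]


if __name__ == "__main__":
    # Offline run with the stand-in; against a real account use boto3.client("ec2") / boto3.client("iam").
    ec2 = RecordingClient({
        "describe_instances": {"Reservations": [{"Instances": [
            {"BlockDeviceMappings": [{"Ebs": {"VolumeId": "vol-0123456789abcdef0"}}]}]}]},
        "create_snapshot": {"SnapshotId": "snap-0123456789abcdef0"},
    })
    print(isolate_instance(ec2, "i-0123456789abcdef0", "sg-0isolation0example"))
    iam = RecordingClient({"list_attached_user_policies": {"AttachedPolicies": []}})
    cutoff = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    print(contain_exposed_key(iam, "alice", "AKIAIOSFODNN7EXAMPLE", cutoff), iam.calls)
```

The order inside each function is deliberate: network isolation and termination protection come before the snapshot so the evidence cannot change or disappear while it is being captured, and the key goes inactive before the deny policy is written so nothing new can be minted in the gap.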
Incident Response In Cloud
Preparation---
We need to make sure controls are in place that will help us detect anomalies within the infrastructure.
"CloudTrail, VPC Flow Logs, EC2 instances"
Use AWS Organizations to separate accounts to reduce the blast radius.
Detection---
Use behavior-based rules to identify and detect breaches.
CloudTrail, CloudWatch, GuardDuty, SNS
Containment---
Use the AWS CLI or SDKs for quick containment using predefined security groups.
Investigation---
Use CloudWatch logs to determine what occurred inside the server.
Use AWS Config to see the infrastructure timeline to see if anything was changed.
Recovery---
Use a pre-built AMI for the application to launch a fresh app server.
Lessons Learned---
Recap Process
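What a behavior-based rule from the Detection phase looks like when run over CloudTrail, as an added example (not from the notes or from AWS). The records below are constructed but use CloudTrail's real field names (`eventTime`, `eventSource`, `eventName`, `sourceIPAddress`, `userIdentity`, `errorCode`); the per-user source-IP baseline stands in for what the Preparation phase would have produced, and the three rules (unseen source IP, logging tampering, repeated AccessDenied) and their threshold are the author's constructed choices.

```python
"""Behavior-based detection over constructed CloudTrail records (added example)."""
import json
from collections import defaultdict
from typing import Dict, List, Set

# Constructed sample events, one JSON object per line, in CloudTrail's shape.
SAMPLE_EVENTS = r'''
{"eventTime":"2024-05-01T09:00:01Z","eventSource":"ec2.amazonaws.com","eventName":"DescribeInstances","sourceIPAddress":"203.0.113.10","userIdentity":{"type":"IAMUser","userName":"alice"}}
{"eventTime":"2024-05-01T09:05:12Z","eventSource":"s3.amazonaws.com","eventName":"ListBuckets","sourceIPAddress":"198.51.100.7","userIdentity":{"type":"IAMUser","userName":"alice"}}
{"eventTime":"2024-05-01T09:06:40Z","eventSource":"cloudtrail.amazonaws.com","eventName":"StopLogging","sourceIPAddress":"198.51.100.7","userIdentity":{"type":"IAMUser","userName":"alice"}}
{"eventTime":"2024-05-01T09:07:00Z","eventSource":"iam.amazonaws.com","eventName":"CreateUser","sourceIPAddress":"198.51.100.7","userIdentity":{"type":"IAMUser","userName":"alice"},"errorCode":"AccessDenied"}
{"eventTime":"2024-05-01T09:08:00Z","eventSource":"iam.amazonaws.com","eventName":"AttachUserPolicy","sourceIPAddress":"198.51.100.7","userIdentity":{"type":"IAMUser","userName":"alice"},"errorCode":"AccessDenied"}
{"eventTime":"2024-05-01T09:09:00Z","eventSource":"iam.amazonaws.com","eventName":"PutUserPolicy","sourceIPAddress":"198.51.100.7","userIdentity":{"type":"IAMUser","userName":"alice"},"errorCode":"AccessDenied"}
{"eventTime":"2024-05-01T09:30:00Z","eventSource":"ec2.amazonaws.com","eventName":"DescribeInstances","sourceIPAddress":"203.0.113.10","userIdentity":{"type":"IAMUser","userName":"bob"}}
'''

# Constructed baseline from the Preparation phase: where each principal is normally seen from.
KNOWN_SOURCE_IPS: Dict[str, Set[str]] = {"alice": {"203.0.113.10"}, "bob": {"203.0.113.10"}}

# API calls that weaken the detective controls themselves.
LOGGING_TAMPER = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}
ACCESS_DENIED_THRESHOLD = 3   # repeated AccessDenied from one principal suggests permission probing


def parse_events(text: str) -> List[dict]:
    """One CloudTrail record per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect(events: List[dict], baseline: Dict[str, Set[str]] = KNOWN_SOURCE_IPS) -> List[str]:
    """Run the three rules over the events in order and return human-readable findings."""
    findings: List[str] = []
    denied = defaultdict(int)
    reported_ips = set()          # report an unseen (user, ip) pair once, not per call
    for ev in events:
        who = ev.get("userIdentity", {}).get("userName", "unknown")
        ip, name, when = ev.get("sourceIPAddress"), ev.get("eventName"), ev.get("eventTime")
        if who in baseline and ip not in baseline[who] and (who, ip) not in reported_ips:
            reported_ips.add((who, ip))
            findings.append(f"{when} {who}: {name} from unseen source IP {ip}")
        if name in LOGGING_TAMPER:
            findings.append(f"{when} {who}: detective control weakened via {name}")
        if ev.get("errorCode") == "AccessDenied":
            denied[who] += 1
            if denied[who] == ACCESS_DENIED_THRESHOLD:
                findings.append(f"{when} {who}: {denied[who]} AccessDenied errors, possible permission probing")
    return findings


if __name__ == "__main__":
    for finding in detect(parse_events(SAMPLE_EVENTS)):
        print(finding)   # three findings for alice, none for bob
```

Each finding here maps to an action in the Containment section: an unseen source IP with logging tampering on the same key is the trigger for the exposed-key procedure rather than for a ticket.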
Penetration Testing In AWS
The following are the supported services where prior approval is not needed:
Amazon EC2 instances, NAT Gateways, and Elastic Load Balancers
Amazon RDS
Amazon CloudFront
Amazon Aurora
Amazon API Gateways
AWS Lambda and Lambda Edge functions
Amazon Lightsail resources
Amazon Elastic Beanstalk environments
Excluded instance types (prohibited because of CPU credit limitations):
T3.nano
T2.nano
T1.micro
M1.small
Prohibited activities:
DNS zone walking via Amazon Route 53 Hosted Zones
Denial of Service (DoS), Distributed Denial of Service (DDoS), Simulated DoS, Simulated DDoS (these are subject to the DDoS Simulation Testing policy)
Port flooding
Protocol flooding
Request flooding (login request flooding, API request flooding)
AWS Artifact
Generates Compliance Reports