Please enable JavaScript.

Coggle requires JavaScript to display documents.

AWS - Certified Security Specialty (Infrastructure Security (AWS KMS (Key…

- - - - for example RDP/SSH sessions are NOT logged
      - Logs are delivered every 5 active minutes (with up to 15 minutes delay)
      - Log file Integrity is validated by default (checks if it was modified)
        
        Every hour log files are delivered with 'digest' file to validate the log's integrity
        
        It uses SHA-256 hashing and SHA-256 with RSA for digital signing
      - you can use SSE-S3 or SSE-KMS for encrypting logs
      - Prevent logs from being deleted by configuring S3 MFA Delete
      - you can move/delete logs after every X days by using S3 Lifecyclemanagement
      - S3 and Lambda Data Events are NOT enabled by default in CloudTrail - you have to enable logging them explicitly and additional charge is taken (0,1$ per 100 000 events)
  - - - CloudWatch
        
        for metrics, alarms and notifications
      - CloudWatch Events
        
        allows for configuring rules based on events
      - CloudWatch Logs
        
        pushed from your systems/apps as well as other AWS services
        
        stored indefinitely (not in S3)
        
        CloudWatch Logs require an agent installed and running on EC2 instance and EC2 instance need to have a role with permissions to send logs to CloudWatch
        
        Basic Lambda permissions required to log to CloudWatch Logs include: CreateLogGroup,
        CreateLogStream, and PutLogEvents.
  - - - requires a role to write logs to CloudWatch
- - - - AWS Managed Policies
        
        Those which are created and administered by AWS
        
        they can be change without any notification or can give unnecessary permissions, e.g. AmazonEC2RoleforSSM allows also for reading and writing to S3 (details: https://cloudonaut.io/aws-ssm-is-a-trojan-horse-fix-it-now/)
      - Customer Manages Policies
        
        created and administered by a user
      - Inline Policies
        
        Helpful if you want to make a one-to-one relationship between a policy and the principal entity
        
        Can be used only for one principal entity
    - - You want to set up a guard rails across accounts
        
        use SCP
      - You want to control creation of resources to specific regions
        
        use IAM policies (use an RequestedRegion condition)
      - You want to enable your developers to create roles safely
        
        use Permission Boundaries (condition PermissionsBoundary, pointing to policy with for example region restrictions; then a user can create a role but only with attached policy with region restriction)
      - You want to use Tags to scale permissions management
        
        use IAM policies (force a user to create each resource with specific tag using RequestTag condition; then control an access using combination of RequestTag (that he's created) and ResourceTag (existing tag to verify)). You can specify allowed Tags by using ForAllValues:StringEquals.
        
        You can also give each role a project Tag and create a general policy to allow operations only with your project Tag by specifying the condition $[aws:PrincipalTag/project]
  - - - applicable only to s3
      - can be broken to user level, e.g. Alice can PUT but not DELETE objects
      - When to use?
        
        Simple way to grant cross-account to S3 service without using IAM
        roles
        
        When you want to keep access control in your S3 environment
        
        Example: You have lots of employees in various groups and subgroups and you have one bucket to which only 2 accounts should have access. It's much easier to do it via Bucket Policy rather than denying access in all IAM policies
        
        When your IAM policy bump up against size limit
        
        Limits for IAM: 2 kb for users, 5 kb for groups, 10 kb for roles. S3 bucket policies have limits up to 20 kb.
      - If you use the policy generator you have to add /* at the end of bucket's ARN - without it you can still do actions on any object (only actions against bucket will be denied, e.g. list all objects)!!! On the other hand if you put /* then everyone else can list its content.
      - Explicit DENY always overrides ALLOW!!!
    - - ACLs are as old as the S3 and the predate the IAM.
      - Amazon recommends using IAM and bucket policy instead of ACLs.
        
        BUT they can be useful for setting up access control mechanism for individual object
        
        Bucket policies are limited to 20 kb in size so ACLs can become useful if your bucket policy grows too large
      - You cannot specify ACLs for IAM users from the browser but you can do it using AWS CLI
        
        You need account number and owner canonical user ID
        
        The account number can be taken from: click your user name -> My Security Credentials -> Account Identifiers
        
        The command aws s3api list-buckets will give you the canonical user ID for your IAM
      - If you give public access via ACL to an object (so it can be accessible anonymously), the Deny permission in Bucket Policy won't work (it's applicable only to authenticated users)
    - - Explicit DENY always override ALLOW. So if you explicitly DENY access in bucket policy and allow access in IAM then a DENY rule will be applicable
      - By default a least privilege rule is being followed and by default decision is made always to DENY, e.g. if no there's no ALLOW rule then it will be DENY.
      - Here's how policies work together
    - - You can force downloading S3 objects using bucket policy.
        
        Firstly allow some action then Deny it and add a condition:
        "Condition":{
        "Bool":
        {"awsSecureTransport":false}}
        
        Example:
        
        {"Version": "2012-10-17",
        "Statement": [
        {
        "Sid": "PublicReadGetObject",
        "Effect": "Allow",
        "Principal": {
        "AWS": ""
        },
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::yourbucketnamehere/"
        },
        {
        "Sid": "PublicReadGetObject",
        "Effect": "Deny",
        "Principal": {
        "AWS": ""
        },
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::yourbucketnamehere/",
        "Condition":{
        "Bool":
        { "aws:SecureTransport": false }
        }
        }
        ]
        }
    - - By default it's made via SSL, so no need for specifying additional policies to turn it on (no need to use aws:SecureTransport condition).
      - The objects can be replicated only once. So after replicating you cannot replicate it again
      - you can specify only one destination
      - Requirements
        
        Source and destination buckets must have versioning enabled
        
        Source and destination have to be in different regions
        
        Amazon S3 must have permissions to replicate objects. When you're doing it for the first time then a custom policy is generated
        
        If the source bucket owner also owns the object, the bucket owner has full permissions to replicate the object. If not, the object owner must grant the bucket owner the READ and READ ACP permissions via the object ACL
      - The best practice is to replicate CloudTrail logs to the bucket owned by totally different account
      - If you delete object without specifying version ID the S3 will add the DELETE marker in the source bucket.
        
        If you specify Filter element in a replication configuration rule, S3 does not replicate the delete marker.
        More: https://docs.aws.amazon.com/AmazonS3/latest/dev/crr-what-is-isnot-replicated.html
        
        If don't specify the Filter element, Amazon S3 assumes replication configuration is a prior version V1. In the earlier version, Amazon S3 handled replication of delete markers differently.
        
        If you specify an object version ID to delete in a DELETE request, Amazon S3 deletes that object version in the source bucket, but it doesn't replicate the deletion in the destination bucket. In other words, it doesn't delete the same object version from the destination bucket. This protects data from malicious deletions.
      - What is NOT replicated?
        
        anything before CRR is turned on
        
        Objects created with server-side encryption using customer provided (SSE-C) encryption keys
        
        Objects created with server-side encryption using AWS KMS managed (SSE-KMS) encryption keys - UNLESS YOU EXPLICITLY ENABLE THIS OPTION
        
        Objects to which the bucket owner doesn't have permissions (e.g. when the object owner is different from bucket owner)
        
        Deletes to a particular VERSION of an object
    - - SSL
        
        You need a separate certificate for your ELB and separate certificate for CloudFront distribution
        
        To use custom SSL certificate (for your custom domain name, e.g. example.com) you have to import it using ACM (AWS Certificate Manager)
        
        Certificates for CloudFront have to be stored in US East (N. Virginia) region or in IAM (certs can be imported to IAM only via CLI)
      - To force S3 to use CloudFront you have to specify the Origin Access Identity and enable an option Restrict Bucket Access
        
        you can grant read permissions when configuring CloudFront distribution or you can do it by yourself (by updating the Origin Access Identity permissions)
        
        It takes a lot of time distribute this change *from several hours to 24 hours even)
    - - They can be generated also via CLI, e.g.
        $ aws s3 presign s3://rzepsky/hello.txt --expires-in 300
  - - - Federation (e.g. AD)
        
        AD Federation (ADFS)
        
        ADFS is Trusted ID provider
        
        AWS is Trusted Relying Party
        
        you have to configure Relying Party Trust with AWS as the Trusted Relying Party
        
        provides SSO for users
        
        gives temporary creds to AWS Console (STS API AssumeRoleWithSAML)
        
        how does it work: https://aws-certified-security-images.s3.eu-central-1.amazonaws.com/ADFS.png
      - Cross-access users (from different AWS account)
      - Federation with Mobile Apps (e.g. Facebook, Google, OpenID providers)
  - - - Cognito maps token from Web ID provider (e.g. FB) to IAM roles to access AWS resources
      - data is synced across multiple devices
      - Behaves as Identity Broker between your app and Web ID providers
      - No need to store locally AWS credentials
      - recommended for mobile apps
      - uses OAuth 2.0
        
        OAuth scope - options to verify identity, e.g. phone mail.
        
        Implicit grant - you'll get your JWT token
        
        Authorization code grant - Cognito will give you authorization code back to process it further on the backend side
      - Definitions
        
        User pools - user directories; users can login directly to user pools or indirectly via ID providers (e.g. FB)
        
        Identity pools - create unique identities, can give temporary credentials to AWS resources
      - How does it work-diagram
      - When Cognito receives a SAML assertion it needs to be able to map SAML attributes to user pool attributes. When configuring Cognito to receive SAML assertions from an identity provider you need ensure that the IDP is configured to have Cognito as a relying party. API Gateway will need to be able to understand the authorization being passed from Cognito, so you should update API Gateway to use an Amazon Cognito User Pools authorizer.
  - - - Allows for specifying permission boundary even for root account
      - Overwrites any local policy
      - Service Control Policies (SCPs) are guardrails to disable service access. They DO NOT grant access
- - - - Archives are stored in containers called vaults
        
        Vault Lock Policy
        
        Used for:
        
        configuring WORM (Write Once Read Many))
        
        creating data retention policy (e.g. 5 years)
        
        Once you attach policy the lock is in-progress state for 24 hours
        
        after you accept they become immutable. In other words once it is accepted and applied it cannot be changed or removed!
        
        if you want to change it, call the abort-vault-lock operation, fix the typo, and call the initiate-vault-lock again.
- - - - https://www.youtube.com/watch?v=X1eZjXQ55ec
    - - https://www.youtube.com/watch?v=gTZgxsCTfbk
    - - https://www.youtube.com/watch?v=HnoZS5jj7pk
    - - https://www.youtube.com/watch?v=YQsK4MtsELU
    - - https://www.youtube.com/watch?v=jZAvKgqlrjY
    - - https://www.youtube.com/watch?v=zU1x5SfKEzs
- - - - Infrastucture Services
        
        e.g. compute services (e.g. VPC, EC2, Auto Scaling)
        
        You control OS and any identity management systems that provides access
      - Container services
        
        e.g. RDS, EMR, Elastic Beanstalk
        
        You are responsible for setting up and managing network controls, e.g. firewall rules, and for managing platform-level identity and access management separately from IAM
      - Abstracted
        
        e.g. high-level storage, database and messaging services like S3, Glacier, DynamoDB, SQS
        
        You access the endpoints of these abstracted services using AWS APIs and AWS manages the underlying service components or the operating system on which they reside
    - - Visibility
        
        e.g. AWS Config
      - Auditability
        
        e.g. AWS CloudTrail
      - Controlability
        
        e.g. AWS KMS (Multi Tenant)
        
        e.g. CloudHSM (dedicated)
      - Agility
        
        e,g, AWS CloudFormation
      - Automation
        
        e.g. AWS OpsWorks, CodeDeploy
      - Services cross all controls
        
        AWS IAM
        
        AWS CloudWatch
        
        AWS Trusted Advisor
    - - multiple compliance programs: https://aws.amazon.com/compliance
- - - - compliance auditing
      - security analysis
      - resource tracking
    - - Config Items
        
        Point-in-time attributes of resources
      - Configuration Recorder
        
        configuration of Config that records and stores Config Items
        
        records configuration change
        
        Stores everything in S3 Bucket
      - Configuration snapshots
        
        collection of Configuration Items
      - Configuration Stream
        
        stream of changed Config Items
      - Configuration History
        
        Collection of Config Items for a resource over time
  - - - you can for example generate here your keys to EC2
      - you control keys (Amazon doesn't have access to your keys)
      - Compliant with 140-2 & EAL-4
      - FIPS 140-2 is a US government computer security standard used to approve cryptographic modules. level 4 is the highest, AWS HSM reaches just level 3
  - - - CMK with your own imported key material (in other words CMK not generated in AWS) does NOT allow for automatic rotation (only manually). CMK with AWS mangaed key material can be rotated (once a year)
        
        to do it manually
        
        create new CMK with no key material -> import new encrypted key material into that CMK -> change CMK identifier in your app to the key ID for the new CMK
        
        Users can reimport the key material however the key material must be the same.
      - AWS Managed Keys are rotated every 3 years automatically
        
        AWS Managed Keys cannot be rotated manually!
      - CMK automatic rotation is by default disabled (but it's possible to enable it)
        
        if enabled then it's rotated once a year automatically through opt-in or on-demand manually
      - key deletion
        
        if you imported your own key you don't have to wait 7-30 days for deletion, but you can delete it by clicking button
    - - once you removed public key in the console, you still can log in to the instance using this key (in metadata the key is still accessible)
      - you can import your own SSH public key
      - root EBS volume cannot be encrypted if it is used as unencrypted
        
        to encrypt it : detach volume, create snapshot, copy AMI and enable encryption
      - you can have multiple keys attached to the instance (e.g. for different users and each has different keys)
      - you cannot use KMS with SSH for EC2. But you can with CloudHSM
    - - used for temporary, granular permission
      - you should use Key Policies for static permissions and for explicit deny
      - a generated Grant Token can be passed to KMS API
      - CLI - important commands
        
        create-grant
        
        list-grants
        
        revoke-grant
        
        The AWS 'CLI aws kms encrypt' is suitable for encrypting a file which is less than 4 kb
      - programatically delegates permissions
        
        Grants allow access, not deny
      - When kms:GrantIsForAWSResource is true, only integrated AWS services can create grants
    - - regional service
        
        if you want to encrypt objects in the bucket, the key has to be in the same region as the bucket
      - requires choosing key administrator (who can manage the key) and key users (who can use the key)
        
        administrators can create, delete and decrypt keys
        
        administrator cannot use key. You have to explicitly point the same user as a key user (no tonly administrtaor)
      - keys are generated using Amazon's multi-tenancy HSM
        
        the AWS CloudHSM uses dedicated hardware
      - CMK - Customer Master Key
        
        1 key per CMK (you cannot use someone else's key if it's in use)
        
        you can import your own (external key)
        
        1) you have to firstly download wrapping key
        2) then import token
        
        uses wrapping algorithm RSAES_OAEP_SHA-1
        
        but CMK can never be exported!
        
        CMK keys can be used for encrypting data in maximum 4KB in size.
      - to configure access for external account you have to enable it in Key Policy in owner account, as well as you have to specify the access in IAM policy for the external account
      - encryption context
        
        key-value pair logged in clear text within CloudTrail passed during encryption and then during decryption to ensure the integrity
      - you can create ALIAS keys
        
        each CMK key can have multiple ALIAS's point to it
        
        the ALIAS key must be unique in the AWS account and region
    - - Amazon provides encryption client which is embedded into the AWS SDK and CLI
        
        Client-side encryption workflow
        
        Customer creates a CMK in KMS associated with Key ID
        
        File/Object and CMK Key ID is passed to the AWS encryption client using SDK or CLI
        
        The encryption client requests a data key from KMS using a specified CMK key ID
        
        KMS uses CMK Key ID to generate unique data encryption key, which client uses to encrypt the object data
    - - <Error>
        <Code>InvalidArgument</Code>
        <Message>
        Requests specifying Server Side Encryption with AWS KMS managed keys require AWS Signature Version 4.
        </Message>
        <ArgumentName>Authorization</ArgumentName>
        <ArgumentValue>null</ArgumentValue>
        <RequestId>7E8FBBAA6A8A9A6C</RequestId>
        <HostId>
        I8n34c6XU03lbq1VFs6dWF3JYV5NPTxxnZzzwV+zHOf+yCPcoR0UbONCBNqLrfekvYPkgoxNotM=
        </HostId>
        </Error>
      - BUT if you use SSE-S3 (Amazon stores keys, not you) then when the object is public, then anonymously you can display it
    - - to specify a condition, e.g. policy condition to disable access after a date
      - AWS KMS Condition Keys are predefined conditions you can use
        
        for example kms:ViaService limits use of CMK requested from particular service, e.g. only allows requests which come from particular Lambda
      - Minimum set of permissions that should be applied in the Key policies to allow users encrypt and decrypt data using CMK keys
        
        "kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt", "kms:GenerateDataKey", "kms:DescribeKey"
      - Data key caching stores data keys and related cryptographic material in cache. When you encrypt or decrypt data the AWS Encryption SDK looks for a matching data key in the cache. Data key caching can improve performance, reduce costs, and help you stay within service limits as your application scales.
    - - separate keys per business unit and data classification
      - CMK admins separated from users
      - limit KMS actions (no kms:*)
      - If you select the Enable Private DNS Name option, the standard AWS KMS DNS hostname
        (https://kms.<region>.amazonaws.com) resolves to your VPC endpoint. Thanks to this the communication between VPC and KMS will not go through the public service endpoints.
  - - - AWS Shield protects against SYN/UDP Floods, Reflection and other layer 3 and 4 attacks
        
        should be enabled when you use ELB, CloudFront or Route53
        
        Safeguard Exposed Resources (e.g. by using geolimitatio, CloudFront, Route53, WAFs)
        
        in Route53 using alias Record Sets you can redirect traffic to CloudFront distribution, Private DNS
      - additional resources
        
        AWS DDoS protection whitepaper: https://d1.awsstatic.com/whitepapers/Security/DDoS_White_Paper.pdf
        
        re:Invent Video: DDOS Best Practices: https://www.youtube.com/watch?v=HnoZS5jj7pk
      - mitigation
        
        minimize the attack surface (e.g. by using Bastion Host with whitelisted IPs, the attack surface is limited to exposed, few hardened entry points)
  - - - only few regions allow for integrating WAF with ALB
    - - If you're using the domain name that CloudFront assigned to your distribution, such as abc.cloudfront.net, you change the Viewer Protocol Policy for one or more cache behaviours to require HTTPS communication. In that configuration CloudFront provides SSL/TLS certificate.
      - If you're using your own domain name, such as example.com you need to change several CloudFront settings. You also need to use an SSL/TLS certificate provided by AWS Certificate Manager (ACM), import a certificate from a third-party certificate authority into ACM or the IAM certificate store, or create and import a self-signed certificate.
      - When you enable logging for a distribution, you specify the Amazon S3 bucket that you want CloudFront to store log files in. If you're using Amazon S3 as your origin, we recommend that you do not use the same bucket for your log files; using a separate bucket simplifies maintenace.
      - Use signed cookies in the following cases:
        
        you want to provide access to multiple restricted files
        
        you don't want to change your current URLs.
    - - whitelisting
      - blacklisting
      - counting requests that match your criteria
    - - IP
      - length of request
      - headers
      - strings that appear in requests
      - query string parameters
  - - - Amazon may share this hardware with other instances from the same AWS account (if those instances are not dedicated instances)
      - charged by instance
    - - some 3rd party software say you have to run their software on dedicated host
      - charged by host
  - - - but you cannot export the certificate
  - - - to have Perfect Forward Secrecy use ECDHE-... ciphers
      - It is recommended to use ELBSecurityPolicy-2016-08 security policy (https://docs.aws.amazon.com/elasticloadbalancing/latest/application/create-https-listener.html)
  - - - throttled by default
      - by default the steady-state limit is 10 000 rps (requests per second)
      - Burst limit is up to 5 000 requests across all APIs
  - - - you can reference them using their names
      - you can store them as plain text or you can encrypt them using KMS
  - - - in PV, CPU supports 4 privilege modes: Ring 0 is used by host OS and guest OS uses only Ring 1-3
  - - - but custom NACL by default denies all inbound and outbound traffic
    - - outbound rule by default is to DENY any traffic
      - ensure to ALLOW ephemeral ports (1024-65535) in outbound traffic
  - - - 1 subnet = 1 availability zone
      - by default there's no auto-assign public IP
      - first 4 and last IP address from the subnet is reserved by Amazon for: VPC router, DNS server, reservered for future use, network address, broadcast address
        
        In order to use your own DNS server you need to ensure that you create a new custom DHCP options set with the IP of the custom DNS server. You cannot modify the existing set so you have to create a new one.
    - - 2 types
        
        Interface endpoint = Elastic Network Interface (ENI)
        
        Gateway endpoint = similar to Network Gateway
      - VPC endpoint is internal gateway for accessing other AWS services from private subnets
      - when VPC endpoint is used the source IP address uses private address, not public
  - - - NAT instances can be found in AWS Marketplace
      - you must disable source/destination checks (enabled by default for all EC2 instances) for NAT Inastances
      - you have to increase instance size in case of bottlenecking
      - you can use NAT Instance as Bastion Host
    - - NAT Gateways are recommended over NAT Instances
        
        no need to patch NAT Gateways = more secure than NAT Insatances
        
        NAT Gateways are not associated with SG, they have automatically assigned public IP
      - Bandwidth up to 10 Gbps
      - NAT Gateways are highly available
      - NAT Gateways should be enabled in every availability zone
      - no need to disable source/destination checks like in NAT Instances
  - - - once rotation is enabled, then SM immediately rotates the secret to test configuration
      - don't enable it if your apps use embedded credentials
- - - - https://www.whizlabs.com/aws-certified-security-specialty/
      - https://www.certkillers.net/demo/AWS-007.pdf