Security - Coggle Diagram
Security
KMS
Features:
- To control access to data, AWS manages keys for us
- Fully integrated with IAM for Authorization
- Seamlessly integrated into:
- EBS (encrypt volumes)
- S3 (encrypt objects)
- Redshift (encrypt data)
- RDS (encrypt data)
- SSM (parameter store)
- Can use with CLI/ SDK
- Able to fully manage the keys and policies: Create, Rotation policies, Disable, Enable
- Able to audit key usage (using CloudTrail)
- Pricing:
- AWS Managed Service Default CMK: free
- User Keys created in KMS: $1/ month
- User Keys imported (must be 256-bit symmetric key): $1/ month
Best Practices:
- Encrypted secrets can be stored in the code/ environment variables
- KMS can only encrypt up to 4 KB of data per call
- If data > 4KB, use Envelope Encryption
- To give access to KMS to someone:
- make sure the Key Policy allows the user
- make sure the IAM Policy allows the API calls
2 types of Key Policies
Default KMS Key Policy:
- Created if I do not provide a specific KMS Key Policy
- Gives complete access to the key to the root user (entire AWS account)
- To give a user access to this KMS key, create an IAM policy and attach it to the user
Custom KMS Key Policy:
- Define users, roles that can access the KMS key
- Define who can administer the key
- Use Case: Cross-account access of my KMS key
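Added example (not part of the Coggle notes and not AWS code): a simplified Python model of the two gates described above, the key policy and the IAM policy, applied to a default-style key policy and a custom one that names a key administrator and a role in another account. Account IDs, ARNs, role names and the key id are constructed placeholders, and policy evaluation is reduced to principal and action matching with explicit denies winning.

```python
"""Added example, not from the Coggle notes or any AWS code: a simplified
model of how KMS decides a request. The key policy must permit the caller,
either by naming it directly or by delegating to the caller's account root
(the statement that makes IAM policies effective); in the delegated case, and
always for a caller from another account, an IAM policy must allow the action
as well. Account IDs, ARNs and the key id are constructed placeholders."""
from fnmatch import fnmatchcase

KEY_ACCOUNT = "111122223333"    # placeholder: account that owns the CMK
OTHER_ACCOUNT = "444455556666"  # placeholder: second account for cross-account use
KEY_ARN = f"arn:aws:kms:us-east-1:{KEY_ACCOUNT}:key/PLACEHOLDER-KEY-ID"

ROOT_STATEMENT = {  # the statement in the default key policy: delegate to IAM
    "Sid": "Enable IAM User Permissions", "Effect": "Allow",
    "Principal": {"AWS": f"arn:aws:iam::{KEY_ACCOUNT}:root"},
    "Action": "kms:*", "Resource": "*"}

DEFAULT_KEY_POLICY = {"Version": "2012-10-17", "Statement": [ROOT_STATEMENT]}

CUSTOM_KEY_POLICY = {"Version": "2012-10-17", "Statement": [
    ROOT_STATEMENT,
    {"Sid": "Key administrators", "Effect": "Allow",
     "Principal": {"AWS": f"arn:aws:iam::{KEY_ACCOUNT}:role/KeyAdmin"},
     "Action": ["kms:Create*", "kms:Describe*", "kms:Enable*", "kms:Disable*",
                "kms:PutKeyPolicy", "kms:ScheduleKeyDeletion"], "Resource": "*"},
    {"Sid": "Cross-account use", "Effect": "Allow",
     "Principal": {"AWS": f"arn:aws:iam::{OTHER_ACCOUNT}:role/AppRole"},
     "Action": ["kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey*"],
     "Resource": "*"}]}

# Identity (IAM) policies attached to the callers; constructed for the demo.
IAM_USE_KEY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["kms:Encrypt", "kms:Decrypt"], "Resource": KEY_ARN}]}
IAM_NONE = {"Version": "2012-10-17", "Statement": []}

# Constructed caller ARNs used in the scenarios below.
DEV_USER = f"arn:aws:iam::{KEY_ACCOUNT}:user/dev"
KEY_ADMIN = f"arn:aws:iam::{KEY_ACCOUNT}:role/KeyAdmin"
APP_ROLE = f"arn:aws:iam::{OTHER_ACCOUNT}:role/AppRole"
OTHER_ROLE = f"arn:aws:iam::{OTHER_ACCOUNT}:role/Other"


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _account_of(arn):
    return arn.split(":")[4]


def _principals(statement):
    principal = statement.get("Principal", {})
    return ["*"] if principal == "*" else _as_list(principal.get("AWS", []))


def _action_matches(statement, action):
    return any(fnmatchcase(action, pattern) for pattern in _as_list(statement["Action"]))


def key_policy_decision(policy, principal_arn, action):
    """Key policy alone: 'deny', 'direct' (caller named), 'via_iam' (root delegation) or 'none'."""
    caller_root = f"arn:aws:iam::{_account_of(principal_arn)}:root"
    direct = via_iam = False
    for statement in policy["Statement"]:
        if not _action_matches(statement, action):
            continue
        names = _principals(statement)
        hit_direct = "*" in names or principal_arn in names
        hit_root = caller_root in names
        if statement["Effect"] == "Deny" and (hit_direct or hit_root):
            return "deny"  # an explicit deny in the key policy overrides everything
        direct = direct or hit_direct
        via_iam = via_iam or hit_root
    return "direct" if direct else "via_iam" if via_iam else "none"


def iam_allows(iam_policy, action, resource_arn):
    """Identity policy: explicit deny wins, otherwise any matching allow suffices."""
    allowed = False
    for statement in iam_policy["Statement"]:
        if not _action_matches(statement, action):
            continue
        if not any(fnmatchcase(resource_arn, r) for r in _as_list(statement["Resource"])):
            continue
        if statement["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def kms_authorized(key_policy, principal_arn, iam_policy, action, key_arn=KEY_ARN):
    """Both gates from the notes: the key policy must allow, and the IAM policy must
    allow whenever the key policy only delegates to root or the caller is external."""
    decision = key_policy_decision(key_policy, principal_arn, action)
    if decision in ("deny", "none"):
        return False
    cross_account = _account_of(principal_arn) != _account_of(key_arn)
    if decision == "direct" and not cross_account:
        return True  # a same-account principal named in the key policy needs no IAM grant
    return iam_allows(iam_policy, action, key_arn)
```

Two points from the notes fall out directly: with the default key policy a same-account user gets nothing until an IAM policy is attached, and with the custom policy the external AppRole still needs an IAM policy in its own account even though the key policy names it. The key administrator, who is only named for management actions, cannot decrypt with the key unless an IAM policy grants that separately.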
Key Rotation
Automatic Key Rotation: (image)
- For Customer-managed CMK only (not AWS managed CMK)
- Automatic key rotation happens every 1 year
- Previous key is kept active
- New Key has the same CMK ID (only the Backing Key is changed)
Manual Key Rotation: (image)
- When I want to rotate key every 90 days, 180 days
- New Key has a different CMK ID
- Previous key is kept active
- Use Aliases to hide the change of CMK ID
- Use Cases: to rotate CMKs that are not eligible for automatic rotation (like asymmetric CMKs)
- Use UpdateAlias API (image)
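Added example (not from the Coggle notes and not AWS code) covering two of the points above at once: envelope encryption for data larger than the 4 KB KMS limit, and manual key rotation where the new CMK gets a new ID and an alias hides the change. It uses an in-memory stand-in for the KMS calls (CreateKey, CreateAlias/UpdateAlias, GenerateDataKey, Decrypt, DisableKey), so it runs offline; against real AWS those would be boto3 `kms` client calls, and the HMAC-based cipher is a stand-in for the AES-GCM a real client library would use. All key ids, aliases and payloads are constructed.

```python
"""Added example, not from the diagram and not AWS code: an in-memory stand-in
for the KMS calls behind envelope encryption and manual key rotation (CreateKey,
CreateAlias/UpdateAlias, GenerateDataKey, Decrypt, DisableKey). Against real AWS
these are boto3 'kms' client calls; the cipher here (HMAC-SHA256 in counter mode
plus an HMAC tag) stands in for the AES-GCM a real client library would use."""
import hashlib
import hmac
import secrets

def _subkey(key, label):
    return hmac.new(key, label, hashlib.sha256).digest()

def _keystream(enc_key, nonce, length):
    # HMAC-SHA256 as a PRF in counter mode: one 32-byte block per HMAC(enc_key, nonce || counter)
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def seal(key, plaintext):
    """Encrypt-then-MAC under `key`; returns nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(16)
    stream = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ciphertext = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag

def unseal(key, blob):
    """Verify the tag before decrypting; ValueError on tampering or a wrong key."""
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    return bytes(c ^ s for c, s in zip(ciphertext, _keystream(_subkey(key, b"enc"), nonce, len(ciphertext))))

class FakeKms:
    """Assumed local model of KMS: each CMK id owns a backing key; aliases point at a CMK id."""
    def __init__(self):
        self._keys = {}     # key id -> {"backing": bytes, "enabled": bool}
        self._aliases = {}  # "alias/name" -> key id
    def create_key(self):
        key_id = "key-" + secrets.token_hex(8)  # stands in for the UUID KMS assigns
        self._keys[key_id] = {"backing": secrets.token_bytes(32), "enabled": True}
        return key_id
    def set_alias(self, alias, key_id):
        """CreateAlias/UpdateAlias: (re)point the alias; the previous CMK is untouched and stays enabled."""
        self._aliases[alias] = key_id
    def disable_key(self, key_id):
        self._keys[key_id]["enabled"] = False
    def generate_data_key(self, key_ref):
        """GenerateDataKey: a fresh 256-bit data key plus the same key wrapped under the CMK."""
        key_id = self._aliases.get(key_ref, key_ref)
        data_key = secrets.token_bytes(32)
        wrapped = key_id.encode() + b"|" + seal(self._keys[key_id]["backing"], data_key)
        return data_key, wrapped
    def decrypt(self, wrapped):
        """Decrypt: the blob names the CMK that wrapped it, so the caller passes no key id."""
        key_id, _, blob = wrapped.partition(b"|")
        entry = self._keys[key_id.decode()]
        if not entry["enabled"]:
            raise PermissionError(f"{key_id.decode()} is disabled")
        return unseal(entry["backing"], blob)

def envelope_encrypt(kms, key_ref, plaintext):
    """KMS only sees the 32-byte data key; the payload, whatever its size, is encrypted locally."""
    data_key, wrapped = kms.generate_data_key(key_ref)
    return {"wrapped_key": wrapped, "ciphertext": seal(data_key, plaintext)}

def envelope_decrypt(kms, envelope):
    return unseal(kms.decrypt(envelope["wrapped_key"]), envelope["ciphertext"])

def manual_rotate(kms, alias):
    """Manual rotation: new CMK (new id), alias moved with UpdateAlias, previous CMK kept active."""
    new_id = kms.create_key()
    kms.set_alias(alias, new_id)
    return new_id

def demo():
    kms = FakeKms()
    first = kms.create_key()
    kms.set_alias("alias/app", first)
    payload = b"A" * 10_000  # constructed: far above the 4 KB that KMS will encrypt directly
    old_env = envelope_encrypt(kms, "alias/app", payload)
    second = manual_rotate(kms, "alias/app")
    new_env = envelope_encrypt(kms, "alias/app", payload)
    results = {"new_cmk_id": first != second,
               "old_ciphertext_still_decrypts": envelope_decrypt(kms, old_env) == payload,
               "new_ciphertext_uses_new_cmk": new_env["wrapped_key"].startswith(second.encode())}
    kms.disable_key(first)  # retiring the previous CMK makes everything wrapped under it unreadable
    try:
        envelope_decrypt(kms, old_env)
        results["old_fails_once_disabled"] = False
    except PermissionError:
        results["old_fails_once_disabled"] = True
    return results
```

The application only ever refers to `alias/app`, so rotation is invisible to it; the wrapped data key records which CMK produced it, which is why the notes say the previous key must be kept active: disabling it, as the last step of `demo()` does, makes every older envelope undecryptable.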
Encryption
Encryption in flight: (image)
- Data is encrypted before sending and decrypted after receiving
- SSL certificates help with encryption (HTTPS)
- Encryption in flight ensures no MITM (man in the middle attack) can happen
Server-side encryption at rest: (image)
- Data encrypted after being received by the server
- Data is decrypted before being sent
- Store in encrypted form (use data key)
- Encryption/ Decryption keys must be managed, and the server must have access to them
Client-side encryption: (image)
- Data is encrypted by the client and never decrypted by the server
- Data will be decrypted by a receiving client
- Server should not be able to decrypt the data
- Can leverage Envelope Encryption
AWS WAF
Features:
- Protects my web applications from common web exploits (Layer 7)
- Layer 7 is HTTP
- Deploy on ALB, API Gateway, CloudFront, AppSync
- Have to define a Web ACL:
- Rules can include IP addresses, HTTP headers, HTTP body or URI strings
- Protects from common attacks like SQL injection and XSS
- Size constraints, geo-match (block countries)
- Rate-based rules (to count occurrences of events) for DDoS protection
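Added example (not from the Coggle notes and not AWS code): a toy evaluator for three of the Web ACL rule types listed above, geo-match, size constraint and rate-based, run over constructed request records. Like WAF it returns the action of the first rule that matches in priority order, and the rate-based rule counts each source IP over a sliding five-minute window. IP addresses, country codes, timestamps and thresholds are constructed sample values.

```python
"""Added example, not from the diagram and not AWS code: a toy evaluator for
three Web ACL rule types (geo-match, size constraint, rate-based) over
constructed request records. First matching rule decides, as in WAF; the
rate-based rule counts requests per source IP in a sliding 5-minute window."""
from collections import defaultdict, deque

RATE_WINDOW_SECONDS = 300  # rate-based rules evaluate requests over a 5-minute window


class WebAcl:
    def __init__(self, blocked_countries, max_body_bytes, rate_limit):
        self.blocked_countries = set(blocked_countries)
        self.max_body_bytes = max_body_bytes
        self.rate_limit = rate_limit      # requests per IP per window before blocking
        self._seen = defaultdict(deque)   # ip -> timestamps inside the current window

    def _rate_exceeded(self, ip, ts):
        window = self._seen[ip]
        window.append(ts)
        while ts - window[0] >= RATE_WINDOW_SECONDS:  # drop requests older than the window
            window.popleft()
        return len(window) > self.rate_limit

    def evaluate(self, request):
        """Rules in priority order; the first match decides. Returns (action, rule name)."""
        if request["country"] in self.blocked_countries:
            return "BLOCK", "geo-match"
        if request["body_bytes"] > self.max_body_bytes:
            return "BLOCK", "size-constraint"
        if self._rate_exceeded(request["ip"], request["ts"]):
            return "BLOCK", "rate-based"
        return "ALLOW", "default-action"


def sample_requests():
    """Constructed traffic: 150 requests from one IP within 60 s, one oversized body,
    one request from a blocked country and one ordinary request."""
    burst = [{"ip": "203.0.113.7", "country": "AA", "body_bytes": 300, "ts": 1000 + i * 0.4}
             for i in range(150)]
    return burst + [
        {"ip": "198.51.100.5", "country": "AA", "body_bytes": 20_000, "ts": 1100},
        {"ip": "198.51.100.9", "country": "ZZ", "body_bytes": 100, "ts": 1101},
        {"ip": "198.51.100.5", "country": "AA", "body_bytes": 100, "ts": 1102},
    ]


def tally(acl, requests):
    """Count requests by the rule that decided them."""
    counts = defaultdict(int)
    for request in requests:
        _, rule = acl.evaluate(request)
        counts[rule] += 1
    return dict(counts)


if __name__ == "__main__":
    acl = WebAcl(blocked_countries=["ZZ"], max_body_bytes=8192, rate_limit=100)
    print(tally(acl, sample_requests()))
```

With a limit of 100 per window, the burst source gets its first 100 requests through and the remaining 50 blocked by the rate-based rule, while the oversized and geo-blocked requests are stopped by their own rules before any counting happens; once the window slides past the burst, the same IP is allowed again.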
AWS Firewall Manager:
- Manage rules in all accounts of an AWS Organization
- Common set of security rules
- WAF rules (ALB, API Gateway, CloudFront)
- AWS Shield Advanced (ALB, CLB, Elastic IP, CloudFront)
- Security Groups for EC2, ENI resources in VPC
SSM Parameter Store
Features: (image)
- Is a secure storage for configuration and secrets
- Optional seamless encryption using KMS
- Serverless, scalable, durable, easy SDK
- Version tracking of configurations/ secrets
- Configuration management using path and IAM
- Notifications with CloudWatch Events
- Integration with CloudFormation
- SSM Parameter Store hierarchy (image)
- Pricing for Standard and Advanced tiers (image)
Parameters Policies (for advanced parameters): (image)
- Allows assigning a TTL to a parameter, to force updating or deleting sensitive data such as passwords
- Can assign multiple policies at a time
AWS Shield
AWS Shield Standard:
- Free service that is activated for every AWS customer
- Provides protection from attacks such as SYN/UDP Floods, Reflection attacks and other Layer 3/ Layer 4 attacks
AWS Shield Advanced:
- Optional DDoS mitigation service ($3,000 per month per organization)
- Protects against more sophisticated attacks on EC2, ELB, CloudFront, Global Accelerator and Route 53
- 24/7 access to the AWS DDoS Response Team (DRT)
- Protects against higher fees during usage spikes due to DDoS
AWS Secrets Manager
Features:
- For storing secrets
- Capability to force rotation of secrets every X days
- Automate generation of secrets on rotation (use Lambda)
- Integration with RDS (MySQL, PostgreSQL, Aurora)
- Secrets are encrypted using KMS
CloudHSM
Features: (image)
- Hardware Security Module
- Dedicated hardware
- My responsibility to manage my own encryption keys
- HSM device is tamper resistant, FIPS 140-2 Level 3 compliance
- CloudHSM clusters are spread across multiple AZs for HA
- Supports both Symmetric and Asymmetric encryption (SSL/TLS keys)
- No Free Tier available
- Must use the CloudHSM Client Software (manage Keys, Users)
- Redshift supports CloudHSM for database encryption and key management
- Good option to use with SSE-C encryption
Amazon GuardDuty
Features: (image)
- Intelligent threat discovery to protect AWS account
- Uses machine learning algorithms, anomaly detection and third-party data
- One click to enable (30-day trial), no need to install software
- Input data includes:
- CloudTrail logs: unusual API calls, unauthorized deployments
- VPC Flow Logs: unusual internal traffic, unusual IP addresses
- DNS logs: compromised EC2 instances sending encoded data within DNS queries
- Can set up CloudWatch Event rules to be notified in case of findings
- CloudWatch Events rules can target Lambda or SNS
- Can protect against cryptocurrency attacks (has a dedicated finding for it)
Amazon Inspector
Features: (image)
- Automated Security Assessments for EC2 instances
- Analyze the running OS against known vulnerabilities
- Analyze against unintended network accessibility
- AWS Inspector Agent must be installed on OS in EC2 instances
- Get a report with a list of vulnerabilities after the assessment
- Possibility to send SNS notifications
Amazon Macie
Features: (image)
- Is a fully managed data security and data privacy service that uses machine learning and pattern matching to discover and protect my sensitive data (e.g. Personally Identifiable Information, PII) in AWS