AWS-Security
1.1 The shared responsibility model
Customer : Responsible for Security IN the cloud
AWS: Responsible for Security OF the cloud
Customer Data
Platform, Application, Identity and Access Management
Operating System, Network, Firewall Configuration
Client-side Data: Encryption and Data Integrity Authentication
Server-side encryption: File System and/or Data
Network traffic protection: Encryption/Integrity/Identity
Compute
Storage
Database
Networking
Global Infrastructure
Availability Zones
Regions
Edge Locations
What is AWS responsible for? Example:
PHYSICAL/ENVIRONMENTAL SECURITY
HOST SECURITY
Physical access to the machine running your EC2 instance is protected by security staff.
AWS also manages power backup systems.
e.g. the first threat is an attacker gaining access to the Host OS and tampering with your Guest OS
e.g. the second is an attacker with a Guest OS on the same machine escaping its virtualized environment and gaining access to yours, often called VM escape
NETWORK SECURITY
It is AWS's responsibility to ensure that those controls (Security Groups, ...) are enforced, and to ensure the integrity of all traffic within its network.
1.2 IAM
User
Policy
A user is a representation of a person or application. A person or application can only access AWS services by first authenticating as an IAM User.
A policy is a JSON document that describes exactly how a user can access AWS services. For example, a policy might let a user list all of the DynamoDB tables.
1.3 Virtual Private Cloud - VPC
BASTION HOST
It's a good practice to use a bastion host for access to private networks to reduce your attack surface.
Service scope levels
Region level: S3
AZ level: EC2
Global: IAM
The main reason for breaking it up this way, as you might guess from the name, is high availability of AWS's services.
2.1 IAM
Identity Policies
Resource Policies
Typically Identity Policies are used to grant people (or applications) permission to use services and resources. Resource Policies are most often used to further restrict which people (or applications) can access a specific resource.
Users
Two kinds of credentials:
password
Access Key
Policy document
Effect block
The Effect is typically Allow, since by default all permissions not specified are denied.
The reason for using a Deny statement is that it overrides any Allow statements on the same action.
Action block
Action: 's3:*'
Action: '*'
Action: 'ec2:List*'
Resource block
Amazon resource names
special cases
ListTables: does not target a single table, and so the resource block is typically left as '*'
ListAllMyBuckets: the same applies
The Condition block
NotAction & NotResource blocks
Using policies
Inline policies
Managed policies
A user can only have ten managed policies attached at a time.
You can only create up to 1500 managed policies.
What resources can those actions be performed on?
Who is allowed to perform those actions?
Principal entities include certain IAM entities: Users, AWS Accounts, AWS Services, Federated Users.
Groups and Instance Profiles cannot be used as principals.
For resources that support Resource Policies, either the Resource Policy or the Identity Policy must grant the permission (one of the two is enough).
Groups
The only required parameter for creating a group is a name.
You could create a group called Developers on the /DivisionA/ProductB path.
Roles
Resource-based policies are inline only, not managed.
Native tools
Security groups
ACL
Stateful and Stateless
Security groups are stateful: whatever changes in an inbound rule is automatically applied to the outbound rule as well.
E.g.: if you set an inbound rule for port 80, port 80 will automatically be opened in the outbound rule too.
Network ACLs are stateless, the opposite of security groups: changes to inbound rules are not applied automatically to outbound rules; instead we have to configure them manually.
- arn
- the partition (aws, aws-cn, aws-us-gov)
- the service short name
- the region
- the account ID
- the resource identifier
However, if either the resource policy or the identity policy has an explicit deny for the action and resource in the request, then the request is denied even if the other policy allows it.
Create actions: the same applies, so the resource block is typically left as '*'
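As an added example (not AWS's real evaluation engine and not code from these notes), the following Python models the policy rules above: the Effect/Action/Resource and NotAction/NotResource blocks, the implicit deny, the Allow-in-either-policy rule, and the explicit-deny override, plus a parser for the ARN fields listed above. The two policies and the ARNs are constructed samples, and Condition blocks are deliberately not modelled.

```python
import fnmatch

# Added example, not AWS code: a simplified model of how IAM combines identity and
# resource policies (implicit deny, Allow in either policy grants, explicit Deny in
# either policy overrides). Condition blocks are not modelled.

IDENTITY_POLICY = {"Statement": [  # constructed sample identity policy
    {"Effect": "Allow", "Action": "s3:List*", "Resource": "*"},
    {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::app-logs/*"},
]}
RESOURCE_POLICY = {"Statement": [  # constructed bucket policy that further restricts access
    {"Effect": "Deny", "NotAction": "s3:List*", "Resource": "arn:aws:s3:::app-logs/secrets/*"},
]}

def parse_arn(arn):
    """Split an ARN into the six fields listed above; the resource part may contain ':'."""
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn":
        raise ValueError("not an ARN: " + arn)
    return dict(zip(("arn", "partition", "service", "region", "account", "resource"), parts))

def _any_match(value, patterns, fold_case=False):
    patterns = patterns if isinstance(patterns, list) else [patterns]
    if fold_case:  # action names are matched case-insensitively, ARNs are not
        value, patterns = value.lower(), [p.lower() for p in patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)

def _statement_applies(stmt, action, resource):
    """Honour Action/NotAction and Resource/NotResource blocks."""
    if "Action" in stmt:
        act = _any_match(action, stmt["Action"], True)
    else:
        act = not _any_match(action, stmt["NotAction"], True)
    if "Resource" in stmt:
        res = _any_match(resource, stmt["Resource"])
    else:
        res = not _any_match(resource, stmt["NotResource"])
    return act and res

def evaluate(action, resource, *policies):
    """Return 'Allow' or 'Deny' for one request across all supplied policies."""
    allowed = False
    for policy in policies:
        for stmt in policy.get("Statement", []):
            if _statement_applies(stmt, action, resource):
                if stmt["Effect"] == "Deny":
                    return "Deny"  # explicit deny overrides every Allow
                allowed = True
    return "Allow" if allowed else "Deny"  # implicit deny when nothing allows
```

With both policies applied, listing the bucket and reading ordinary objects is allowed, reading anything under secrets/ is denied by the bucket policy even though the identity policy allows it, and writing is denied because nothing grants it.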