AWS-Security

1.1 The shared responsibility model

Customer : Responsible for Security IN the cloud

AWS: Responsible for Security OF the cloud

Customer Data

Platform, Application, Identity and Access Management

Operating System, Network, Firewall Configuration

Client-side Data: Encryption and Data Integrity Authentication

Server-side encryption: File System and/or Data

Network traffic protection: Encryption/Integrity/Identity

Compute

Storage

Database

Networking

Global Infrastructure

Availability Zones

Regions

Edge Locations

What is AWS responsible for? Example:

PHYSICAL/ENVIRONMENTAL SECURITY

HOST SECURITY

Physical access to the machine running your EC2 instance is protected by security staff

AWS also manages power backup systems

e.g. the first host-security threat is an attacker gaining access to the Host OS and tampering with your Guest OS

e.g. the second is an attacker with a Guest OS on the same machine escaping its virtualized environment and gaining access to yours, often called VM escape


NETWORK SECURITY

It is AWS's responsibility to ensure that those controls (Security Groups, ...) are enforced. It is also AWS's responsibility to ensure the integrity of all the traffic within its network.

1.2 IAM

User

Policy

A user is a representation of a person or application. A person or application can only access AWS services by first authenticating as an IAM User.

A policy is a JSON document that describes exactly how a user can access AWS services. For example, a policy might let a user list all of the DynamoDB tables.

1.3 Virtual Private Cloud - VPC

BASTION HOST

It's a good practice to use a bastion host for access to private networks to reduce your attack surface.

Service level

Regional: S3

AZ level: EC2

Global: IAM

The main reason for breaking it up this way, as you might be able to guess from the name, is high availability of AWS's services.

2.1 IAM

Identity Policies

Resource Policies

Typically Identity Policies are used to grant people (or applications) permission to use services and resources. Resource Policies are most often used to further restrict which people (or applications) can access a specific resource.

Users

two kinds of credentials

password

Access Key

Policy document

Effect block

The reason for using a Deny statement is that it overrides any Allow statements on the same action.

Action block

The Effect is typically Allow, since by default all permissions not specified are denied.

Action: 's3:*'

Action: '*'

Action: 'ec2:List*'

Resource block

Amazon resource names

special cases

ListTables: the action is not tied to one particular table, and so the resource block is typically left as '*'

ListAllMyBuckets: the same applies

The Condition block

NotAction & NotResource blocks
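The following is an added example (not code from the original notes or from AWS) that models the policy-document rules above in plain Python: default deny, explicit Deny overriding Allow, wildcard matching for 'ec2:List*'/'s3:*'/'*' and for resource ARNs, NotAction/NotResource, and a minimal Condition block (StringEquals/StringNotEquals only). It also covers the 1.2 example of a policy that lets a user list all of the DynamoDB tables. The account id, bucket names and the two policies are constructed sample values.

```python
"""Simplified, offline model of IAM policy evaluation (added example, not AWS
code): implicit default deny, an explicit Deny beats any Allow, and wildcard
matching for Action/NotAction and Resource/NotResource.  Only the StringEquals
and StringNotEquals condition operators are modelled."""
from fnmatch import fnmatchcase


def _as_list(value):
    """IAM accepts a string or a list for Action/Resource/Statement fields."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    """Case-sensitive glob match: 'ec2:List*' matches 'ec2:ListSnapshotsInRecycleBin'."""
    return any(fnmatchcase(value, p) for p in _as_list(patterns))


def _condition_ok(condition, context):
    """Every listed key must pass.  As in IAM, a missing context key fails
    StringEquals but passes StringNotEquals (it is 'not equal' to anything)."""
    if not condition:
        return True
    for key, expected in condition.get("StringEquals", {}).items():
        if context.get(key) not in _as_list(expected):
            return False
    for key, forbidden in condition.get("StringNotEquals", {}).items():
        if context.get(key) in _as_list(forbidden):
            return False
    return True


def statement_applies(stmt, action, resource, context):
    """A statement applies when its (Not)Action, (Not)Resource and Condition
    all cover the request."""
    if "NotAction" in stmt:
        action_hit = not _matches(stmt["NotAction"], action)
    else:
        action_hit = _matches(stmt.get("Action"), action)
    if "NotResource" in stmt:
        resource_hit = not _matches(stmt["NotResource"], resource)
    else:
        resource_hit = _matches(stmt.get("Resource"), resource)
    return action_hit and resource_hit and _condition_ok(stmt.get("Condition"), context)


def evaluate(policies, action, resource, context=None):
    """Return 'Allow' or 'Deny' for one request across all attached policies:
    any applicable Deny wins, then any applicable Allow, else default deny."""
    context = context or {}
    allowed = False
    for policy in policies:
        for stmt in _as_list(policy.get("Statement")):
            if not statement_applies(stmt, action, resource, context):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"          # explicit deny overrides every Allow
            allowed = True
    return "Allow" if allowed else "Deny"


# Constructed sample policies (hypothetical bucket name 'team-bucket').
DEV_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "dynamodb:ListTables", "Resource": "*"},
        {"Effect": "Allow", "Action": "ec2:List*", "Resource": "*"},
        {"Effect": "Allow", "Action": "s3:*",
         "Resource": "arn:aws:s3:::team-bucket/*"},
    ],
}
# A guardrail: never delete objects, and deny everything outside two regions.
GUARD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Deny", "Action": "s3:DeleteObject", "Resource": "*"},
        {"Effect": "Deny", "Action": "*", "Resource": "*",
         "Condition": {"StringNotEquals": {
             "aws:RequestedRegion": ["us-east-1", "eu-west-1"]}}},
    ],
}

if __name__ == "__main__":
    ctx = {"aws:RequestedRegion": "us-east-1"}
    for action, res in [("dynamodb:ListTables", "*"),
                        ("s3:GetObject", "arn:aws:s3:::team-bucket/report.csv"),
                        ("s3:DeleteObject", "arn:aws:s3:::team-bucket/report.csv"),
                        ("ec2:DescribeInstances", "*")]:
        print(f"{action:24} {res:44} {evaluate([DEV_POLICY, GUARD_POLICY], action, res, ctx)}")
```

Two points the model makes visible: 'ec2:List*' does not cover 'ec2:DescribeInstances', so a request for it falls through to the default deny, and a StringNotEquals guardrail denies every request whose context lacks the key, which is why such conditions need care.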

Using policies

Inline policies

Managed policies

A user can only have ten managed policies attached at a time

An account can only create up to 1500 managed policies.

What resources can those actions be performed on?

Who is allowed to perform those actions?

Groups and Instance Profiles cannot be used as principals

Principal entities include certain IAM entities: Users, AWS Accounts, AWS Services, Federated Users.

For resources that support Resource Policies, either the Resource Policy or the Identity Policy can grant the permission.

Groups

The only required parameter for creating a group is a name.

For example, you could create a group called Developers on the /DivisionA/ProductB path.

Roles

Resource-based policies are inline only, not managed.

Native tools

Security groups

ACL

Stateful and Stateless

Security groups are stateful: whatever is allowed by an inbound rule is automatically applied to the corresponding outbound (return) traffic as well.

E.g. if you set an inbound rule for port 80, the return traffic for port 80 is automatically allowed outbound too.

Network ACLs are stateless, the opposite of security groups: changes to the inbound rules are not applied to the outbound rules automatically; instead they must be configured manually.
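Added illustration of the stateful/stateless difference above (my own toy model, not AWS code): a security group remembers the connections it admitted, so the reply leaves without an outbound rule, while a NACL checks each direction only against its own rules, so the reply must be allowed outbound explicitly on the client's ephemeral port. The client address, port numbers and the 1024-65535 ephemeral range are constructed/assumed values for the simulation.

```python
"""Toy stateful (security group) vs stateless (network ACL) packet filter.
Added example, not AWS code.  Rules are sets of destination ports; a rule
entry may be an int or an inclusive (low, high) range."""


def _hit(rules, port):
    """True when `port` is covered by any rule entry."""
    for rule in rules:
        if isinstance(rule, int):
            if port == rule:
                return True
        elif rule[0] <= port <= rule[1]:
            return True
    return False


class SecurityGroup:
    """Stateful: the return traffic of a connection admitted by an inbound
    rule is allowed outbound automatically, with no outbound rule needed."""

    def __init__(self, inbound_ports, outbound_ports=()):
        self.inbound = set(inbound_ports)
        self.outbound = set(outbound_ports)
        self.tracked = set()  # (peer_ip, peer_port, local_port) of admitted flows

    def inbound_ok(self, src_ip, src_port, dst_port):
        if _hit(self.inbound, dst_port):
            self.tracked.add((src_ip, src_port, dst_port))  # remember the flow
            return True
        return False

    def outbound_ok(self, dst_ip, dst_port, src_port):
        if (dst_ip, dst_port, src_port) in self.tracked:  # reply of a tracked flow
            return True
        return _hit(self.outbound, dst_port)


class NetworkAcl:
    """Stateless: no connection memory; each direction is judged only by its
    own rules, so replies need an outbound rule for the client's ephemeral
    port range (assumed here to be 1024-65535)."""

    def __init__(self, inbound_ports, outbound_ports):
        self.inbound = set(inbound_ports)
        self.outbound = set(outbound_ports)

    def inbound_ok(self, src_ip, src_port, dst_port):
        return _hit(self.inbound, dst_port)

    def outbound_ok(self, dst_ip, dst_port, src_port):
        return _hit(self.outbound, dst_port)


def web_request(fw, client_ip="198.51.100.7", client_port=51515):
    """Simulate a client (constructed address) connecting to port 80 and the
    server replying.  Returns (request_allowed, reply_allowed)."""
    request_ok = fw.inbound_ok(client_ip, client_port, 80)
    reply_ok = fw.outbound_ok(client_ip, client_port, 80) if request_ok else False
    return request_ok, reply_ok


if __name__ == "__main__":
    print("security group, inbound 80 only:", web_request(SecurityGroup([80])))
    print("NACL, inbound 80 only:          ", web_request(NetworkAcl([80], [])))
    print("NACL, inbound 80 + outbound 80: ", web_request(NetworkAcl([80], [80])))
    print("NACL, inbound 80 + ephemeral:   ", web_request(NetworkAcl([80], [(1024, 65535)])))
```

The third case is the common misconfiguration: mirroring port 80 into the NACL's outbound rules does not help, because the reply goes to the client's ephemeral port, not to port 80.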

  1. arn
  2. the partition (aws, aws-cn, or aws-us-gov)
  3. the service short name
  4. the region
  5. the account ID
  6. the resource identifier
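Added example (not from the original notes or from AWS) that parses an ARN into the six parts listed above and does the wildcard comparison a policy Resource block relies on. The sample ARNs use a constructed account id 123456789012 and made-up resource names; the empty region/account fields for IAM and S3 ARNs, the 'aws' pseudo-account of AWS managed policies, and colons inside the resource part (Lambda versions) are the cases it handles.

```python
"""Parse and compare Amazon Resource Names.  Added example, not AWS code.
Format: arn:partition:service:region:account-id:resource, where the resource
part may itself contain ':' or '/'."""
from dataclasses import dataclass
from fnmatch import fnmatchcase

PARTITIONS = {"aws", "aws-cn", "aws-us-gov"}


@dataclass(frozen=True)
class Arn:
    partition: str
    service: str
    region: str    # empty for global services such as IAM, and for S3
    account: str   # empty for S3 buckets; 'aws' for AWS managed policies
    resource: str

    @classmethod
    def parse(cls, text: str) -> "Arn":
        # maxsplit=5 keeps any further colons inside the resource part
        parts = text.split(":", 5)
        if len(parts) != 6 or parts[0] != "arn":
            raise ValueError(f"not an ARN: {text!r}")
        _, partition, service, region, account, resource = parts
        if partition not in PARTITIONS:
            raise ValueError(f"unknown partition {partition!r} in {text!r}")
        if not service or not resource:
            raise ValueError(f"service and resource are required: {text!r}")
        if account and account != "aws" and not (account.isdigit() and len(account) == 12):
            raise ValueError(f"account id must be 12 digits: {text!r}")
        return cls(partition, service, region, account, resource)

    def resource_type(self) -> str:
        """'table/Orders' -> 'table', 'function:my-fn:1' -> 'function',
        a bare bucket name -> ''."""
        for sep in ("/", ":"):
            if sep in self.resource:
                return self.resource.split(sep, 1)[0]
        return ""


def is_valid_arn(text: str) -> bool:
    """Convenience predicate around Arn.parse."""
    try:
        Arn.parse(text)
    except ValueError:
        return False
    return True


def arn_matches(pattern: str, arn: str) -> bool:
    """Wildcard comparison as used in a policy Resource block: '*' and '?'
    match anywhere in the string, e.g. 'arn:aws:s3:::team-bucket/*'."""
    return fnmatchcase(arn, pattern)


if __name__ == "__main__":
    for sample in ("arn:aws:iam::123456789012:user/alice",
                   "arn:aws:s3:::team-bucket",
                   "arn:aws:lambda:us-east-1:123456789012:function:my-fn:1",
                   "arn:aws:iam::aws:policy/AdministratorAccess"):
        a = Arn.parse(sample)
        print(f"{sample:60} service={a.service} type={a.resource_type() or '-'}")
```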

However, if either the resource policy or the identity policy has an explicit deny for the action and resource in the request, then it will be denied even if the other policy allows it.

Create actions: the resource does not exist yet, and so the resource block is typically left as '*'