Security - Coggle Diagram
Traffic Protection
AWS Shield
- AWS managed DDoS protection service
Advanced
- Paid tier; always-on, flow-based monitoring with tailored mitigations for the protected resources (CloudFront, Route 53, ELB, Elastic IPs, Global Accelerator)
- Shield Response Team (SRT) is available 24/7
Standard
- Free and enabled automatically for every AWS account
- Protects against the most common network and transport layer attacks, such as SYN/UDP floods and reflection attacks
AWS Web Application Firewall (WAF)
- Inspects HTTP/HTTPS requests (layer 7) and blocks, counts or rate-limits the ones that match its rules; it works on requests, not on packets
- Custom rules (IP sets, geo match, string/regex match, rate-based) and AWS managed rule groups are combined into a web ACL
- A web ACL can be attached to CloudFront, ALB, API Gateway, AppSync (and also Cognito user pools, App Runner and Verified Access)
AWS Certificate Manager (ACM)
- Public TLS certificates are issued free of charge, validated through DNS or email, and renewed automatically
- Private certificates can be issued from AWS Private CA (paid) and managed by ACM; certificates from a third-party CA can be imported but are not renewed automatically
- Regional: a certificate can only be used in the region it was requested in, so each region needs its own certificate (CloudFront, being global, requires its certificate in us-east-1)
Load Balancer
- TLS is terminated on the load balancer, which holds the ACM certificate
- The connection to the target group can then be plain HTTP; use HTTPS targets where end-to-end encryption is required
EC2 Instance
- Holds its own certificate and private key when TLS terminates on the instance itself
- The certificate (the public key signed by the CA) is sent to the client during the TLS handshake; the private key never leaves the instance
SSM Parameter Store
- The certificate and private key can be fetched at boot from Parameter Store; the private key belongs in a SecureString parameter so it is encrypted with KMS at rest
CloudHSM
- The private key is generated and held inside the HSM and is not exportable
- Every operation that needs the private key (TLS key exchange, decryption, signing) must be sent to the HSM, because the key cannot be copied out
- A Crypto User (CU) must be created on the cluster; the EC2 instance authenticates as that CU through the CloudHSM client SDK (for example the OpenSSL dynamic engine or PKCS#11) to submit its requests
Securing Accounts
Security Token Service (STS)
- Issues temporary credentials (access key, secret key and session token) that expire after a set duration. Anyone holding them acts with the permissions of the assumed role or federated user, so they must be protected like long-term keys.
AWS Security Hub
- Aggregates findings from Macie, GuardDuty, Inspector, Firewall Manager, IAM Access Analyzer and Systems Manager (Patch Manager) into one place, and runs its own checks against standards such as AWS Foundational Security Best Practices and the CIS benchmarks
- With AWS Organizations integration, new accounts are detected automatically and can be auto-enrolled as member accounts
Amazon GuardDuty
- Threat detection service that analyzes VPC Flow Logs, CloudTrail management and S3 data events, DNS logs and EKS audit logs (plus optional protection plans for malware, RDS, Lambda and EKS runtime) to detect malicious or anomalous activity in each account
GuardDuty Delegated Administrator
- The organization's management account can designate one member account as the GuardDuty delegated administrator (GDDA); the designation is made per region
- The GDDA account gets GuardDuty enabled automatically and can enable and manage GuardDuty for every account in the organization in that region
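Security Hub forwards every finding it aggregates, GuardDuty findings included, to EventBridge as a "Security Hub Findings - Imported" event, which is where automated response usually hooks in. The handler below is an added example written for this page, not code from Coggle or from AWS: the event, its three findings, the severity thresholds and the isolate/ticket/log actions are all constructed assumptions. A real handler would call EC2, SSM or a ticketing API where this one returns a decision.

```python
"""Triage Security Hub findings delivered through EventBridge (added example)."""
from typing import Dict, List

ACCOUNT = "111122223333"          # constructed account ID
URGENT = {"CRITICAL", "HIGH"}     # assumed playbook threshold


def make_finding(product: str, label: str, res_type: str, res_id: str,
                 status: str = "NEW") -> Dict:
    """Build a minimal ASFF finding (constructed sample data)."""
    return {
        "Id": f"{product.lower()}:{label.lower()}:{res_id}",
        "ProductName": product,
        "AwsAccountId": ACCOUNT,
        "Severity": {"Label": label},
        "Workflow": {"Status": status},
        "RecordState": "ACTIVE",
        "Resources": [{"Type": res_type, "Id": res_id}],
    }


# Constructed EventBridge event carrying three findings of different kinds.
SAMPLE_EVENT = {
    "source": "aws.securityhub",
    "detail-type": "Security Hub Findings - Imported",
    "detail": {"findings": [
        make_finding("GuardDuty", "HIGH", "AwsEc2Instance",
                     f"arn:aws:ec2:us-east-1:{ACCOUNT}:instance/i-0123456789abcdef0"),
        make_finding("Inspector", "LOW", "AwsLambdaFunction",
                     f"arn:aws:lambda:us-east-1:{ACCOUNT}:function:report"),
        make_finding("GuardDuty", "CRITICAL", "AwsIamAccessKey",
                     "AKIAIOSFODNN7EXAMPLE", status="SUPPRESSED"),
    ]},
}


def triage_finding(finding: Dict) -> Dict:
    """Decide what to do with one finding according to a simple playbook."""
    decision = {"id": finding["Id"], "product": finding.get("ProductName")}
    # Suppressed, resolved and archived findings arrive on the same stream:
    # never act on them, or every analyst click would re-trigger containment.
    if (finding.get("Workflow", {}).get("Status", "NEW") != "NEW"
            or finding.get("RecordState") != "ACTIVE"):
        return {**decision, "action": "ignore", "reason": "finding is not new and active"}
    label = finding.get("Severity", {}).get("Label", "INFORMATIONAL").upper()
    instances = [r["Id"] for r in finding.get("Resources", [])
                 if r.get("Type") == "AwsEc2Instance"]
    if label in URGENT and instances:
        # Containment step (swap to a quarantine security group) is left to the caller.
        return {**decision, "action": "isolate", "targets": instances,
                "reason": f"{label} finding on EC2"}
    if label in URGENT or label == "MEDIUM":
        return {**decision, "action": "ticket", "reason": f"{label} finding needs a human"}
    return {**decision, "action": "log", "reason": f"{label} finding recorded only"}


def handler(event: Dict, context=None) -> List[Dict]:
    """EventBridge -> Lambda entry point; returns one decision per finding."""
    if (event.get("source") != "aws.securityhub"
            or event.get("detail-type") != "Security Hub Findings - Imported"):
        raise ValueError("not a Security Hub findings event")
    return [triage_finding(f) for f in event["detail"]["findings"]]
```

The Workflow/RecordState check is the part worth copying: Security Hub re-emits a finding whenever its state changes, so a handler that looks only at severity will isolate the same instance again when someone marks the finding SUPPRESSED or RESOLVED.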
Government Standards
FIPS 140
- US government standard for validating cryptographic modules. FIPS 140-1 was the first version and was superseded by FIPS 140-2 in 2001
FIPS 140-2
- Defines 4 security levels (Level 1 lowest, Level 4 highest); existing 140-2 validations remain valid during a transition period
FIPS 140-3
- Successor to FIPS 140-2, effective since 2019; new module validations have been accepted only against FIPS 140-3 since September 2021
Securing Resources
AWS Config
- Records the configuration of AWS resources and evaluates a set of rules (AWS managed or custom, Lambda-backed) against them, recording each resource as compliant or non-compliant
- Compliance changes can be sent to SNS or EventBridge for notification
- Built-in remediation through SSM Automation documents, which can in turn invoke Lambda
Metrics Recorded
- Compliance over time
- Configuration changes over time
- Number of configuration changes
CloudTrail
- The resource timeline in AWS Config links each configuration change to the CloudTrail event that caused it, so you can see who made the change
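What a custom rule actually does is best seen in the Lambda that AWS Config invokes on each configuration change. The function below is an added example for this page, not code from Coggle or from AWS: it checks that an AWS::EC2::SecurityGroup does not expose a port (rule parameter "port", an assumption here) to 0.0.0.0/0 or ::/0. The invoking event is a constructed sample, and the call to config.put_evaluations() that would report the result with the event's resultToken is left out so the logic runs offline.

```python
"""Custom AWS Config rule: no security group may expose a port to the Internet (added example)."""
import json
from typing import Dict, List, Tuple

SG_TYPE = "AWS::EC2::SecurityGroup"
WORLD = {"0.0.0.0/0", "::/0"}
DELETED = {"ResourceDeleted", "ResourceDeletedNotRecorded"}

# Constructed invocation: SSH open to everyone, HTTPS only from a VPC range.
SAMPLE_EVENT = {
    "invokingEvent": json.dumps({
        "messageType": "ConfigurationItemChangeNotification",
        "configurationItem": {
            "resourceType": SG_TYPE,
            "resourceId": "sg-0123456789abcdef0",
            "configurationItemStatus": "OK",
            "configurationItemCaptureTime": "2024-01-01T00:00:00.000Z",
            "configuration": {"ipPermissions": [
                {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
                 "ipv4Ranges": [{"cidrIp": "0.0.0.0/0"}], "ipv6Ranges": [{"cidrIpv6": "::/0"}]},
                {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443,
                 "ipv4Ranges": [{"cidrIp": "10.0.0.0/16"}], "ipv6Ranges": []},
            ]},
        },
    }),
    "ruleParameters": json.dumps({"port": "22"}),   # assumed rule parameter
    "resultToken": "constructed-token",
}


def sample_item() -> Dict:
    """The configuration item inside SAMPLE_EVENT, parsed."""
    return json.loads(SAMPLE_EVENT["invokingEvent"])["configurationItem"]


def _covers_port(perm: Dict, port: int) -> bool:
    proto = perm.get("ipProtocol")
    if proto == "-1":                      # all protocols, all ports
        return True
    if proto not in ("tcp", "6"):
        return False
    return perm.get("fromPort", 0) <= port <= perm.get("toPort", 65535)


def _world_cidrs(perm: Dict) -> List[str]:
    cidrs = [r.get("cidrIp") for r in perm.get("ipv4Ranges", [])]
    cidrs += [r.get("cidrIpv6") for r in perm.get("ipv6Ranges", [])]
    # Config items also carry an older ipRanges list; entries may be strings or objects.
    cidrs += [r if isinstance(r, str) else r.get("cidrIp") for r in perm.get("ipRanges", [])]
    return sorted({c for c in cidrs if c in WORLD})


def evaluate(item: Dict, port: int) -> Tuple[str, str]:
    """Return (ComplianceType, Annotation) for one configuration item."""
    if item.get("resourceType") != SG_TYPE:
        return "NOT_APPLICABLE", "rule only evaluates security groups"
    if item.get("configurationItemStatus") in DELETED:
        return "NOT_APPLICABLE", "resource has been deleted"
    offenders: List[str] = []
    for perm in item.get("configuration", {}).get("ipPermissions", []):
        if _covers_port(perm, port):
            offenders += _world_cidrs(perm)
    if offenders:
        return "NON_COMPLIANT", f"port {port} is open to {', '.join(offenders)}"
    return "COMPLIANT", f"port {port} is not reachable from the Internet"


def handler(event: Dict, context=None) -> Dict:
    """Config -> Lambda entry point; returns the evaluation put_evaluations() would receive."""
    invoking = json.loads(event["invokingEvent"])
    params = json.loads(event.get("ruleParameters") or "{}")
    port = int(params.get("port", 22))
    item = invoking["configurationItem"]
    compliance, annotation = evaluate(item, port)
    return {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": compliance,
        "Annotation": annotation,
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }
```

Two details matter in practice: a rule that does not return NOT_APPLICABLE for deleted resources keeps stale non-compliant entries on the dashboard, and a rule that only looks at "tcp" misses the "-1" (all traffic) permission, which is the most common way SSH ends up world-reachable.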
Amazon Inspector
- Continuously scans EC2 instances, Lambda functions and container images in ECR for known software vulnerabilities (CVEs) and unintended network exposure
- Findings are sent to Security Hub and published to EventBridge for automated response
Configuration
Key Management Service (KMS)
- Managed service for creating and using symmetric and asymmetric keys; key material never leaves the service in plaintext
- Backed by HSMs validated under FIPS 140-2 (originally at Level 2, later re-validated at Level 3)
Key
Key Types
Customer Managed Key
- Created and managed by you: metadata is viewable, you write the key policy, and the key policy can grant other accounts access
- Automatic rotation is optional (off by default); the rotation period defaults to 1 year and is configurable
AWS Managed Key
- Created by an AWS service on your behalf (aws/s3, aws/ebs, ...); metadata and usage are viewable, but the key policy cannot be edited and the key can be used only within your own account
- Rotated automatically every year
Data Key (kms:GenerateDataKey)
- A symmetric key returned by KMS for client-side (envelope) encryption of data; it is returned both in plaintext and encrypted under the KMS key
- KMS does not store or track data keys: the caller encrypts with the plaintext copy, discards it, and keeps the encrypted copy next to the data for a later kms:Decrypt call
Multi-Region Setting
- A multi-Region key created in one region can be replicated to other regions; the primary and its replicas share key material and key ID, so ciphertext can be decrypted in any of those regions
KMS Policy
- The key policy (a resource-based policy on the key) can grant principals in another account access; that account must also allow the action in an IAM policy
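The data-key flow above (GenerateDataKey, encrypt locally, store the wrapped key with the data, Decrypt later) is easy to get wrong, so here it is end to end. This is an added example written for this page, not code from Coggle or from AWS, and it uses no AWS APIs: KmsStandIn plays the part of KMS (the key under "alias/app" never leaves it; it only wraps and unwraps data keys, bound to an encryption context), and Cipher is a standard-library stand-in for AES-GCM (HMAC-SHA256 keystream plus an HMAC tag, encrypt-then-MAC) so the example runs offline. Use AES-GCM and the real KMS client in production; all keys and messages here are generated or constructed.

```python
"""Envelope encryption with a KMS data key, modelled offline (added example)."""
import hashlib
import hmac
import secrets
from typing import Dict, Tuple


class Cipher:
    """Authenticated stream cipher from stdlib primitives (stand-in for AES-GCM, not for production)."""

    @staticmethod
    def _subkeys(key: bytes) -> Tuple[bytes, bytes]:
        return hashlib.sha256(key + b"enc").digest(), hashlib.sha256(key + b"mac").digest()

    @staticmethod
    def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
        out, counter = b"", 0
        while len(out) < length:
            out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
            counter += 1
        return out[:length]

    @classmethod
    def seal(cls, key: bytes, plaintext: bytes, aad: bytes = b"") -> bytes:
        enc_key, mac_key = cls._subkeys(key)
        nonce = secrets.token_bytes(16)
        ct = bytes(p ^ k for p, k in zip(plaintext, cls._keystream(enc_key, nonce, len(plaintext))))
        tag = hmac.new(mac_key, nonce + aad + ct, hashlib.sha256).digest()
        return nonce + ct + tag

    @classmethod
    def open(cls, key: bytes, blob: bytes, aad: bytes = b"") -> bytes:
        enc_key, mac_key = cls._subkeys(key)
        nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
        expected = hmac.new(mac_key, nonce + aad + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise ValueError("authentication failed")
        return bytes(c ^ k for c, k in zip(ct, cls._keystream(enc_key, nonce, len(ct))))


def _encode_context(context: Dict[str, str]) -> bytes:
    """Canonical form of the EncryptionContext, used as AAD when wrapping the data key."""
    return "&".join(f"{k}={v}" for k, v in sorted(context.items())).encode()


class KmsStandIn:
    """Stand-in for KMS: KMS keys stay inside; only wrap/unwrap of data keys happens here."""

    def __init__(self) -> None:
        self._keys: Dict[str, bytes] = {}

    def create_key(self, key_id: str) -> None:
        self._keys[key_id] = secrets.token_bytes(32)

    def generate_data_key(self, key_id: str, context: Dict[str, str]) -> Dict[str, bytes]:
        data_key = secrets.token_bytes(32)
        wrapped = Cipher.seal(self._keys[key_id], data_key, _encode_context(context))
        # Like a real CiphertextBlob, the wrapped key records which KMS key produced it.
        return {"Plaintext": data_key, "CiphertextBlob": key_id.encode() + b"\x00" + wrapped}

    def decrypt(self, blob: bytes, context: Dict[str, str]) -> bytes:
        key_id, wrapped = blob.split(b"\x00", 1)
        key = self._keys.get(key_id.decode())
        if key is None:
            raise PermissionError("no such key in this KMS")
        return Cipher.open(key, wrapped, _encode_context(context))


def encrypt_record(kms: KmsStandIn, key_id: str, plaintext: bytes, context: Dict[str, str]) -> Dict[str, bytes]:
    dk = kms.generate_data_key(key_id, context)
    body = Cipher.seal(dk["Plaintext"], plaintext)
    # The plaintext data key is dropped here; only the wrapped copy is stored with the data.
    return {"wrapped_key": dk["CiphertextBlob"], "body": body}


def decrypt_record(kms: KmsStandIn, record: Dict[str, bytes], context: Dict[str, str]) -> bytes:
    data_key = kms.decrypt(record["wrapped_key"], context)   # the only call that touches KMS
    return Cipher.open(data_key, record["body"])
```

Two properties to notice: decryption needs KMS only once, to unwrap the data key, so large objects never pass through KMS; and because the encryption context is bound into the wrap, a caller that supplies a different context (say, another tenant's) cannot unwrap the key even with kms:Decrypt permission.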
Parameter Store
- Part of Systems Manager; applications fetch configuration values by name at runtime instead of baking them into images or code
- Sensitive values such as database credentials are stored as SecureString parameters, encrypted with KMS
- Standard-tier parameters are free (up to 10,000 per region, 4 KB each); advanced-tier parameters are charged
Parameter Policies
- Advanced tier only; can set an expiration time for a parameter
- Can emit EventBridge events before a parameter expires or when it has not changed for a set period (ExpirationNotification, NoChangeNotification)
Secrets Manager
- Like Parameter Store but built only for secrets; every secret is encrypted with KMS and access is logged in CloudTrail
- Secrets can be rotated automatically on a schedule by a Lambda rotation function (managed rotation is provided for RDS, Redshift and DocumentDB credentials)
Resource-based Policy
- A resource policy attached to the secret can grant another account access to it; as with KMS keys, the other account's IAM policy must allow the action too
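Both the KMS key policy and the Secrets Manager resource policy above are the same kind of object: a resource-based policy whose Principal element decides which accounts get in. The evaluator below is an added example for this page, not code from Coggle or from AWS; the two policies are constructed samples that each grant a role in a second account. It implements only Effect, Principal and Action matching (explicit Deny wins over Allow, account root stands for the whole account), ignores Condition blocks, and says nothing about the caller's own IAM policy, which a cross-account principal also needs.

```python
"""Evaluate who a resource-based policy (KMS key policy, Secrets Manager policy) lets in (added example)."""
import fnmatch
import re
from typing import Dict, List

_ROOT_ARN = re.compile(r"^arn:aws:iam::(\d{12}):root$")

# Constructed KMS key policy: owner account keeps control via IAM, one foreign role may use the key.
KEY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Enable IAM policies in the owner account", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:root"}, "Action": "kms:*", "Resource": "*"},
        {"Sid": "Let a role in another account use the key", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::444455556666:role/app"},
         "Action": ["kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey*"], "Resource": "*"},
        {"Sid": "Nobody schedules deletion", "Effect": "Deny", "Principal": "*",
         "Action": "kms:ScheduleKeyDeletion", "Resource": "*"},
    ],
}

# Constructed Secrets Manager resource policy sharing one secret with the same foreign role.
SECRET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::444455556666:role/app"},
         "Action": "secretsmanager:GetSecretValue", "Resource": "*"},
    ],
}


def _as_list(value) -> List:
    return value if isinstance(value, list) else [value]


def _aws_principals(spec) -> List[str]:
    """Normalize the Principal element to a list of '*', ARNs or bare account IDs."""
    if isinstance(spec, dict):
        spec = spec.get("AWS", [])
    return [str(p) for p in _as_list(spec)]


def _account_of(principal: str):
    if principal.isdigit() and len(principal) == 12:
        return principal
    parts = principal.split(":")
    return parts[4] if len(parts) > 4 else None


def _principal_matches(entry: str, caller_arn: str) -> bool:
    if entry in ("*", caller_arn):
        return True
    # An account root (or bare account ID) stands for the whole account; IAM decides the rest.
    if _ROOT_ARN.match(entry) or (entry.isdigit() and len(entry) == 12):
        return _account_of(entry) == _account_of(caller_arn)
    return False


def _action_matches(spec, action: str) -> bool:
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in _as_list(spec))


def is_allowed(policy: Dict, caller_arn: str, action: str) -> bool:
    """Resource-policy verdict only: explicit Deny beats Allow, no match is an implicit deny."""
    allowed = False
    for stmt in policy["Statement"]:
        if not any(_principal_matches(p, caller_arn) for p in _aws_principals(stmt.get("Principal", []))):
            continue
        if not _action_matches(stmt.get("Action", []), action):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def foreign_principals(policy: Dict, owner_account: str) -> List[str]:
    """Every principal outside the owning account that an Allow statement names ('*' means public)."""
    found = set()
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        for entry in _aws_principals(stmt.get("Principal", [])):
            if entry == "*" or _account_of(entry) != owner_account:
                found.add(entry)
    return sorted(found)
```

foreign_principals is the audit question to ask of every key and secret: any entry other than the roles you expect, and "*" above all, means the resource is shared further than intended.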
CloudHSM
- Provisions single-tenant Hardware Security Modules (HSMs) in your VPC to serve as a key store under your control; AWS has no access to the keys
- FIPS 140-2 Level 3 validated
- Accessed through the CloudHSM client SDK (PKCS#11, JCE, OpenSSL dynamic engine, CNG/KSP), not through AWS service APIs; KMS can, however, use a CloudHSM cluster as a custom key store
CloudHSM Cluster
- HSMs are grouped into a cluster spread across multiple AZs, with keys synchronized between the HSMs, to increase availability and durability