Please enable JavaScript.

Coggle requires JavaScript to display documents.

Infrastructure security - Coggle Diagram

- - - - compliance auditing
      - security analysis
      - resource tracking
    - - Config Items
        
        Point-in-time attributes of resources
      - Configuration Recorder
        
        configuration of Config that records and stores Config Items
        
        records configuration change
        
        Stores everything in S3 Bucket
      - Configuration snapshots
        
        collection of Configuration Items
      - Configuration Stream
        
        stream of changed Config Items
      - Configuration History
        
        Collection of Config Items for a resource over time
  - - - you can for example generate here your keys to EC2
      - you control keys (Amazon doesn't have access to your keys)
      - Compliant with 140-2 & EAL-4
      - FIPS 140-2 is a US government computer security standard used to approve cryptographic modules. level 4 is the highest, AWS HSM reaches just level 3
  - - - CMK with your own imported key material (in other words CMK not generated in AWS) does NOT allow for automatic rotation (only manually). CMK with AWS mangaed key material can be rotated (once a year)
        
        to do it manually
        
        create new CMK with no key material -> import new encrypted key material into that CMK -> change CMK identifier in your app to the key ID for the new CMK
        
        Users can reimport the key material however the key material must be the same.
      - AWS Managed Keys are rotated every 3 years automatically
        
        AWS Managed Keys cannot be rotated manually!
      - CMK automatic rotation is by default disabled (but it's possible to enable it)
        
        if enabled then it's rotated once a year automatically through opt-in or on-demand manually
      - key deletion
        
        if you imported your own key you don't have to wait 7-30 days for deletion, but you can delete it by clicking button
    - - once you removed public key in the console, you still can log in to the instance using this key (in metadata the key is still accessible)
      - you can import your own SSH public key
      - root EBS volume cannot be encrypted if it is used as unencrypted
        
        to encrypt it : detach volume, create snapshot, copy AMI and enable encryption
      - you can have multiple keys attached to the instance (e.g. for different users and each has different keys)
      - you cannot use KMS with SSH for EC2. But you can with CloudHSM
    - - used for temporary, granular permission
      - you should use Key Policies for static permissions and for explicit deny
      - a generated Grant Token can be passed to KMS API
      - CLI - important commands
        
        create-grant
        
        list-grants
        
        revoke-grant
        
        The AWS 'CLI aws kms encrypt' is suitable for encrypting a file which is less than 4 kb
      - programatically delegates permissions
        
        Grants allow access, not deny
      - When kms:GrantIsForAWSResource is true, only integrated AWS services can create grants
    - - regional service
        
        if you want to encrypt objects in the bucket, the key has to be in the same region as the bucket
      - requires choosing key administrator (who can manage the key) and key users (who can use the key)
        
        administrators can create, delete and decrypt keys
        
        administrator cannot use key. You have to explicitly point the same user as a key user (no tonly administrtaor)
      - keys are generated using Amazon's multi-tenancy HSM
        
        the AWS CloudHSM uses dedicated hardware
      - CMK - Customer Master Key
        
        1 key per CMK (you cannot use someone else's key if it's in use)
        
        you can import your own (external key)
        
        1) you have to firstly download wrapping key
        2) then import token
        
        uses wrapping algorithm RSAES_OAEP_SHA-1
        
        but CMK can never be exported!
        
        CMK keys can be used for encrypting data in maximum 4KB in size.
      - to configure access for external account you have to enable it in Key Policy in owner account, as well as you have to specify the access in IAM policy for the external account
      - encryption context
        
        key-value pair logged in clear text within CloudTrail passed during encryption and then during decryption to ensure the integrity
      - you can create ALIAS keys
        
        each CMK key can have multiple ALIAS's point to it
        
        the ALIAS key must be unique in the AWS account and region
    - - Amazon provides encryption client which is embedded into the AWS SDK and CLI
        
        Client-side encryption workflow
        
        Customer creates a CMK in KMS associated with Key ID
        
        File/Object and CMK Key ID is passed to the AWS encryption client using SDK or CLI
        
        The encryption client requests a data key from KMS using a specified CMK key ID
        
        KMS uses CMK Key ID to generate unique data encryption key, which client uses to encrypt the object data
    - - <Error>
        <Code>InvalidArgument</Code>
        <Message>
        Requests specifying Server Side Encryption with AWS KMS managed keys require AWS Signature Version 4.
        </Message>
        <ArgumentName>Authorization</ArgumentName>
        <ArgumentValue>null</ArgumentValue>
        <RequestId>7E8FBBAA6A8A9A6C</RequestId>
        <HostId>
        I8n34c6XU03lbq1VFs6dWF3JYV5NPTxxnZzzwV+zHOf+yCPcoR0UbONCBNqLrfekvYPkgoxNotM=
        </HostId>
        </Error>
      - BUT if you use SSE-S3 (Amazon stores keys, not you) then when the object is public, then anonymously you can display it
    - - to specify a condition, e.g. policy condition to disable access after a date
      - AWS KMS Condition Keys are predefined conditions you can use
        
        for example kms:ViaService limits use of CMK requested from particular service, e.g. only allows requests which come from particular Lambda
      - Minimum set of permissions that should be applied in the Key policies to allow users encrypt and decrypt data using CMK keys
        
        "kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt", "kms:GenerateDataKey", "kms:DescribeKey"
      - Data key caching stores data keys and related cryptographic material in cache. When you encrypt or decrypt data the AWS Encryption SDK looks for a matching data key in the cache. Data key caching can improve performance, reduce costs, and help you stay within service limits as your application scales.
    - - separate keys per business unit and data classification
      - CMK admins separated from users
      - limit KMS actions (no kms:*)
      - If you select the Enable Private DNS Name option, the standard AWS KMS DNS hostname
        (https://kms.<region>.amazonaws.com) resolves to your VPC endpoint. Thanks to this the communication between VPC and KMS will not go through the public service endpoints.
  - - - AWS Shield protects against SYN/UDP Floods, Reflection and other layer 3 and 4 attacks
        
        should be enabled when you use ELB, CloudFront or Route53
        
        Safeguard Exposed Resources (e.g. by using geolimitatio, CloudFront, Route53, WAFs)
        
        in Route53 using alias Record Sets you can redirect traffic to CloudFront distribution, Private DNS
      - additional resources
        
        AWS DDoS protection whitepaper: https://d1.awsstatic.com/whitepapers/Security/DDoS_White_Paper.pdf
        
        re:Invent Video: DDOS Best Practices: https://www.youtube.com/watch?v=HnoZS5jj7pk
      - mitigation
        
        minimize the attack surface (e.g. by using Bastion Host with whitelisted IPs, the attack surface is limited to exposed, few hardened entry points)
  - - - only few regions allow for integrating WAF with ALB
    - - If you're using the domain name that CloudFront assigned to your distribution, such as abc.cloudfront.net, you change the Viewer Protocol Policy for one or more cache behaviours to require HTTPS communication. In that configuration CloudFront provides SSL/TLS certificate.
      - If you're using your own domain name, such as example.com you need to change several CloudFront settings. You also need to use an SSL/TLS certificate provided by AWS Certificate Manager (ACM), import a certificate from a third-party certificate authority into ACM or the IAM certificate store, or create and import a self-signed certificate.
      - When you enable logging for a distribution, you specify the Amazon S3 bucket that you want CloudFront to store log files in. If you're using Amazon S3 as your origin, we recommend that you do not use the same bucket for your log files; using a separate bucket simplifies maintenace.
      - Use signed cookies in the following cases:
        
        you want to provide access to multiple restricted files
        
        you don't want to change your current URLs.
    - - whitelisting
      - blacklisting
      - counting requests that match your criteria
    - - IP
      - length of request
      - headers
      - strings that appear in requests
      - query string parameters
    - - Rule statement--> Statement which would be analysed by in the web request eg:
        
        Block all request from outside India
        
        Block request which has URI path of /admin
        
        Rules:- Bundle Multiple rules statement in one Rule using AND,OR NOT staements
        
        Can Be regular Rule
        Eg Block request from 172.192.16.0/24 Or have SQL query in the URI
        
        or Ratebased
        Eg. If request exceed 1000 request in 10 Minutes
        It can be a combination of regular rule + rate limiting feature
        
        Web ACL
        WebACL-- Container for all the things + Default action
        
        Association
        It cannot be associated with EC2 directly, It is associated with LB, Cloudfront or API gateway
        
        Can Be Custom or AWS managed
  - - - Amazon may share this hardware with other instances from the same AWS account (if those instances are not dedicated instances)
      - charged by instance
    - - some 3rd party software say you have to run their software on dedicated host
      - charged by host
  - - - but you cannot export the certificate
  - - - to have Perfect Forward Secrecy use ECDHE-... ciphers
      - It is recommended to use ELBSecurityPolicy-2016-08 security policy (https://docs.aws.amazon.com/elasticloadbalancing/latest/application/create-https-listener.html)
  - - - throttled by default
      - by default the steady-state limit is 10 000 rps (requests per second)
      - Burst limit is up to 5 000 requests across all APIs
  - - - you can reference them using their names
      - you can store them as plain text or you can encrypt them using KMS
  - - - in PV, CPU supports 4 privilege modes: Ring 0 is used by host OS and guest OS uses only Ring 1-3
  - - - but custom NACL by default denies all inbound and outbound traffic
    - - outbound rule by default is to DENY any traffic
      - ensure to ALLOW ephemeral ports (1024-65535) in outbound traffic
  - - - 1 subnet = 1 availability zone
      - by default there's no auto-assign public IP
      - first 4 and last IP address from the subnet is reserved by Amazon for: VPC router, DNS server, reservered for future use, network address, broadcast address
        
        In order to use your own DNS server you need to ensure that you create a new custom DHCP options set with the IP of the custom DNS server. You cannot modify the existing set so you have to create a new one.
    - - 2 types
        
        Interface endpoint = Elastic Network Interface (ENI)
        Interfce endpoint resides in the VPC with same subnet hence are accessible for the users from VPN and Direct connect.
        It provide access to more services than gateway endpoint
        
        Gateway endpoint = similar to Network Gateway
        Route is added to the Subnet wherein a DNS name xlating to CIDR range of service is sent to gateway
        It only supports S3 and Dynamo DB currently
        
        As VPN endpoint is accessible via Route table It resides outside of VPC , Hence has some drawbacks.
        
        Endpoints are supported in one region , we cannor create the endpoint between VPC and a service in different region
        
        Users using VPN and Direct connect cannot use Engpoint gateway
        
        Must turn on DNS resolution in the VPC
      - when VPC endpoint is used the source IP address uses private address, not public
      - VPC Endpoint Policies
        controls
        access to the service to which you are connecting
  - - - NAT instances can be found in AWS Marketplace
      - you must disable source/destination checks (enabled by default for all EC2 instances) for NAT Inastances
      - you have to increase instance size in case of bottlenecking
      - you can use NAT Instance as Bastion Host
    - - NAT Gateways are recommended over NAT Instances
        
        no need to patch NAT Gateways = more secure than NAT Insatances
        
        NAT Gateways are not associated with SG, they have automatically assigned public IP
      - Bandwidth up to 10 Gbps
      - NAT Gateways are highly available
      - NAT Gateways should be enabled in every availability zone
      - no need to disable source/destination checks like in NAT Instances
  - - - once rotation is enabled, then SM immediately rotates the secret to test configuration
      - don't enable it if your apps use embedded credentials