AWS SAP - Security - Best Practices
December 14, 2021
AWS Managed Logs

- Load Balancer Access Logs (ALB, NLB, CLB) => to S3: access logs for your Load Balancers
- CloudTrail Logs => to S3 and CloudWatch Logs: logs for API calls made within your account
- VPC Flow Logs => to S3 and CloudWatch Logs: information about IP traffic going to and from network interfaces in your VPC
- Route 53 Access Logs => to CloudWatch Logs: log information about the queries that Route 53 receives
- S3 Access Logs => to S3: server access logging provides detailed records for the requests that are made to a bucket
- CloudFront Access Logs => to S3: detailed information about every user request that CloudFront receives
- AWS Config => to S3
S3 Security

S3 Encryption for Objects

There are 4 methods of encrypting objects in S3:
- SSE-S3: encrypts S3 objects using keys handled & managed by AWS
- SSE-KMS: leverage AWS Key Management Service to manage encryption keys
- SSE-C: when you want to manage your own encryption keys
- Client Side Encryption
- Glacier: all data is AES-256 encrypted, key under AWS control
Encryption in transit (SSL)

AWS S3 exposes:
- HTTP endpoint: non-encrypted
- HTTPS endpoint: encryption in flight

You're free to use the endpoint you want, but HTTPS is recommended. HTTPS is mandatory for SSE-C. Encryption in flight is also called SSL / TLS.
Events in S3 Buckets

S3 Access Logs:
- Detailed records for the requests that are made to a bucket
- Might take hours to deliver
- Might be incomplete (best effort)

S3 Event Notifications:
- Receive notifications when certain events happen in your bucket
- E.g.: new objects created, object removal, restore objects, replication events
- Destinations: SNS, SQS queue, Lambda
- Typically delivered in seconds but can take minutes; a notification is sent for every object if versioning is enabled, otherwise there is a risk of a single notification for two simultaneous writes of the same object

Trusted Advisor:
- Check the bucket permission (is the bucket public?)

CloudWatch Events

S3 Bucket Policies

S3 pre-signed URLs
- Can generate pre-signed URLs using the SDK or CLI
  - For downloads (easy, can use the CLI)
  - For uploads (harder, must use the SDK)
- Valid for a default of 3600 seconds; the timeout can be changed with the --expires-in [TIME_BY_SECONDS] argument
- Users given a pre-signed URL inherit the permissions of the person who generated the URL for GET / PUT

VPC Endpoint Gateway for S3
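Returning to the pre-signed URL notes above (the --expires-in timeout and the fact that the URL carries its creator's permissions), here is an added example, not from the original post or the AWS SDK, of how a SigV4 query-string pre-signed GET URL is built and how S3 checks it server-side; the access key, secret, bucket and object key are constructed placeholders.

```python
import calendar, hashlib, hmac, time
from urllib.parse import parse_qsl, quote, urlsplit
# Constructed placeholders for this example: not a real key pair, bucket or object.
ACCESS_KEY, SECRET_KEY = "AKIAEXAMPLE0000000000", "constructed-secret-not-a-real-credential"
REGION, BUCKET, KEY = "us-east-1", "example-bucket", "reports/q4.pdf"
HOST, PATH = f"{BUCKET}.s3.amazonaws.com", "/" + quote(KEY)

def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()
def _signing_key(date: str) -> bytes:
    # SigV4 key derivation: "AWS4"+secret -> date -> region -> service -> "aws4_request"
    k = _hmac(("AWS4" + SECRET_KEY).encode(), date)
    for part in (REGION, "s3", "aws4_request"):
        k = _hmac(k, part)
    return k
def _canonical_query(params: dict) -> str:
    return "&".join(f"{quote(k, safe='')}={quote(v, safe='')}" for k, v in sorted(params.items()))

def _signature(method: str, path: str, params: dict) -> str:
    # Canonical request for query-string auth: only the host header is signed, payload is UNSIGNED.
    canonical = "\n".join([method, path, _canonical_query(params), f"host:{HOST}\n", "host", "UNSIGNED-PAYLOAD"])
    amz_date = params["X-Amz-Date"]
    to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, f"{amz_date[:8]}/{REGION}/s3/aws4_request",
                         hashlib.sha256(canonical.encode()).hexdigest()])
    return hmac.new(_signing_key(amz_date[:8]), to_sign.encode(), hashlib.sha256).hexdigest()

def presign_get(amz_date: str, expires: int = 3600) -> str:
    """GET pre-signed URL for KEY, valid `expires` seconds from amz_date (format YYYYMMDDTHHMMSSZ)."""
    params = {
        "X-Amz-Algorithm": "AWS4-HMAC-SHA256",
        "X-Amz-Credential": f"{ACCESS_KEY}/{amz_date[:8]}/{REGION}/s3/aws4_request",  # whose IAM rights apply
        "X-Amz-Date": amz_date,
        "X-Amz-Expires": str(expires),  # what the CLI's --expires-in sets; 3600 is the default
        "X-Amz-SignedHeaders": "host",
    }
    params["X-Amz-Signature"] = _signature("GET", PATH, params)
    return f"https://{HOST}{PATH}?{_canonical_query(params)}"

def check_presigned(url: str, now: str) -> str:
    """Server-side view: recompute the signature from the URL, then enforce the expiry it covers."""
    u = urlsplit(url)
    params = dict(parse_qsl(u.query))
    claimed = params.pop("X-Amz-Signature", "")
    if not hmac.compare_digest(claimed, _signature("GET", u.path, params)):
        return "SignatureDoesNotMatch"  # any edit to the key, X-Amz-Expires, date or credential lands here
    issued, now_t = (calendar.timegm(time.strptime(t, "%Y%m%dT%H%M%SZ")) for t in (params["X-Amz-Date"], now))
    if now_t > issued + int(params["X-Amz-Expires"]):
        return "Request has expired"
    return "OK"
```

The check shows why the timeout cannot be extended by editing the URL: X-Amz-Expires, X-Amz-Date, the object path and the signer's credential are all part of the signed canonical request, so the URL is only as safe as the IAM permissions of whoever generated it.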
S3 Object Lock & Glacier Vault Lock

Network Security

Security Groups:
- Attached to ENI (Elastic Network Interfaces): EC2, RDS, Lambda in VPC, etc.
- Are stateful (any traffic in is allowed to go out, any traffic out can go back in)
- Can reference by CIDR and security group id
- Supports security group references for VPC peering
- Default: inbound denied, outbound all allowed

NACL (Network ACL):
- Attached at the subnet level
- Are stateless (inbound and outbound rules apply for all traffic)
- Can only reference a CIDR range (no hostname)
- Default: allow all inbound, allow all outbound
- New NACL: denies all inbound, denies all outbound

Host Firewall

What's a DDoS (Distributed Denial-of-Service) Attack?
Type of Attacks on your infrastructure

Distributed Denial of Service (DDoS): when your service is unavailable because it's receiving too many requests
- SYN Flood (Layer 4): send too many TCP connection requests
- UDP Reflection (Layer 4): get other servers to send many big UDP requests
- DNS flood attack: overwhelm the DNS so legitimate users can't find the site
- Slowloris attack: a lot of HTTP connections are opened and maintained
- Application level attacks

DDoS Protection on AWS
- AWS Shield Standard: protects against DDoS attacks for your website and applications, for all customers at no additional cost
- AWS Shield Advanced: 24/7 premium DDoS protection
- AWS WAF: filter specific requests based on rules
- CloudFront and Route 53: availability protection using the global edge network; combined with AWS Shield, provides DDoS attack mitigation at the edge
- Be ready to scale: leverage AWS Auto Scaling
- Separate static resources (S3 / CloudFront) from dynamic ones (EC2 / ALB)

Read the whitepaper for details: https://d1.awsstatic.com/whitepapers/Security/DDoS_White_Paper.pdf

Sample Reference Architecture: https://aws.amazon.com/answers/networking/aws-ddos-attack-mitigation/

AWS Shield

AWS Shield Standard:
- Free service that is activated for every AWS customer
- Provides protection from attacks such as SYN/UDP floods, reflection attacks and other layer 3 / layer 4 attacks

AWS Shield Advanced

AWS WAF – Web Application Firewall
- Protects your web applications from common web exploits (Layer 7)
- Deploy on Application Load Balancer (localized rules)
- Deploy on API Gateway (rules running at the regional or edge level)
- Deploy on CloudFront (rules globally on edge locations); used to front other solutions: CLB, EC2 instances, custom origins, S3 websites
- WAF is not for DDoS protection
- Define Web ACL (Web Access Control List)

AWS Firewall Manager
- Manage rules in all accounts of an AWS Organization
- Common set of security rules:
  - WAF rules (Application Load Balancer, API Gateways, CloudFront)
  - AWS Shield Advanced (ALB, CLB, Elastic IP, CloudFront)
  - Security Groups for EC2 and ENI resources in VPC
Blocking an IP address
- with an ALB
- with an NLB
- ALB + WAF
- ALB + CloudFront WAF
RDS - Security
- KMS encryption at rest for underlying EBS volumes / snapshots
- Transparent Data Encryption (TDE) for Oracle and SQL Server
- IAM authentication for MySQL and PostgreSQL
- SSL encryption to RDS is possible for all DBs (in-flight)
- Authorization still happens within RDS (not in IAM)
- Can copy an un-encrypted RDS snapshot into an encrypted one
- CloudTrail cannot be used to track queries made within RDS
