
AWS SAP - Security - Best Practices

By Nguyễn Huy Hoàng
Published in AWS
December 14, 2021
5 min read

AWS Managed Logs

  • Load Balancer Access Logs (ALB, NLB, CLB) => to S3
    • Access logs for your Load Balancers
  • CloudTrail Logs => to S3 and CloudWatch Logs
    • Logs for API calls made within your account
  • VPC Flow Logs => to S3 and CloudWatch Logs
    • Information about IP traffic going to and from network interfaces in your VPC
  • Route 53 Access Logs => to CloudWatch Logs
    • Log information about the queries that Route 53 receives
  • S3 Access Logs => to S3
    • Server access logging provides detailed records for the requests that are made to a bucket
  • CloudFront Access Logs => to S3
    • Detailed information about every user request that CloudFront receives
  • AWS Config => to S3

![alt text](https://kipalog.kaopiz.com/uploads/ac36/c55b/Screen Shot 2021-09-19 at 08.12.56.png)

S3 Security

S3 Encryption for Objects

  • There are 4 methods of encrypting objects in S3:
    • SSE-S3: encrypts S3 objects using keys handled & managed by AWS
    • SSE-KMS: leverage AWS Key Management Service to manage encryption keys
    • SSE-C: when you want to manage your own encryption keys
    • Client Side Encryption
  • Glacier: all data is AES-256 encrypted, key under AWS control

![alt text](https://kipalog.kaopiz.com/uploads/61af/fc15/Screen Shot 2021-09-18 at 20.07.29.png)

Encryption in transit (SSL)

  • AWS S3 exposes:
    • HTTP endpoint: not encrypted
    • HTTPS endpoint: encryption in flight
  • You’re free to use the endpoint you want, but HTTPS is recommended
  • HTTPS is mandatory for SSE-C
  • Encryption in flight is also called SSL / TLS

![alt text](https://kipalog.kaopiz.com/uploads/bd55/cfe1/Screen Shot 2021-09-18 at 20.08.24.png)

Events in S3 Buckets

  • S3 Access Logs:
    • Detailed records for the requests that are made to a bucket
    • Might take hours to deliver
    • Might be incomplete (best effort)
  • S3 Events Notifications:
    • Receive notifications when certain events happen in your bucket
    • E.g.: new objects created, object removal, restore objects, replication events
    • Destinations: SNS, SQS queue, Lambda
    • Typically delivered in seconds but can take minutes; with versioning enabled you get a notification for every object write, otherwise two simultaneous writes to the same object may produce only one notification
  • Trusted Advisor:
    • Check the bucket permission (is the bucket public?)
  • CloudWatch Events:

![alt text](https://kipalog.kaopiz.com/uploads/ee61/6b0a/Screen Shot 2021-09-18 at 20.09.26.png)

S3 Security

S3 Bucket Policies

S3 pre-signed URLs

  • Can generate pre-signed URLs using SDK or CLI
    • For downloads (easy, can use the CLI)
    • For uploads (harder, must use the SDK)
  • Valid for a default of 3600 seconds; change the timeout with the --expires-in [TIME_IN_SECONDS] argument
  • Users given a pre-signed URL inherit the permissions of the person who generated the URL for GET / PUT
  • Examples:

![alt text](https://kipalog.kaopiz.com/uploads/c95b/40f0/Screen Shot 2021-09-18 at 20.13.20.png)
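To make the pre-signed URL mechanism concrete, here is an added example (not from the original post) that builds a SigV4 query-string pre-signed GET URL by hand and reads its expiry back; the access key, secret key and clock are constructed placeholders. In practice you use `aws s3 presign --expires-in` or the SDK's `generate_presigned_url`, which perform the same steps.

```python
import datetime as dt
import hashlib
import hmac
from urllib.parse import quote, urlsplit

# Constructed, non-functional credentials and a fixed clock so the output is reproducible.
FAKE_ACCESS_KEY = "AKIAEXAMPLEEXAMPLE00"
FAKE_SECRET_KEY = "exampleSecretKeyNotRealDoNotUse0000000000"
FIXED_NOW = dt.datetime(2021, 9, 18, 20, 13, 20, tzinfo=dt.timezone.utc)

def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()

def presign_get(bucket, key, access_key, secret_key, region, expires=3600, now=None):
    """Build a SigV4 query-string pre-signed GET URL (what `aws s3 presign` does)."""
    now = now or dt.datetime.now(dt.timezone.utc)
    amz_date, date_stamp = now.strftime("%Y%m%dT%H%M%SZ"), now.strftime("%Y%m%d")
    host = f"{bucket}.s3.{region}.amazonaws.com"
    scope = f"{date_stamp}/{region}/s3/aws4_request"
    params = {
        "X-Amz-Algorithm": "AWS4-HMAC-SHA256",
        "X-Amz-Credential": f"{access_key}/{scope}",  # signer's identity: the URL acts with their permissions
        "X-Amz-Date": amz_date,
        "X-Amz-Expires": str(expires),               # default 3600 s, like the CLI's --expires-in
        "X-Amz-SignedHeaders": "host",
    }
    canonical_qs = "&".join(f"{quote(k, safe='')}={quote(v, safe='')}" for k, v in sorted(params.items()))
    canonical_uri = quote("/" + key)  # '/' kept, each path segment RFC 3986-encoded once
    canonical_request = "\n".join(["GET", canonical_uri, canonical_qs, f"host:{host}\n", "host", "UNSIGNED-PAYLOAD"])
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                                hashlib.sha256(canonical_request.encode()).hexdigest()])
    signing_key = ("AWS4" + secret_key).encode()   # derive the per-day, per-region, per-service key
    for part in (date_stamp, region, "s3", "aws4_request"):
        signing_key = _hmac(signing_key, part)
    signature = hmac.new(signing_key, string_to_sign.encode(), hashlib.sha256).hexdigest()
    return f"https://{host}{canonical_uri}?{canonical_qs}&X-Amz-Signature={signature}"

def expires_at(url):
    """Recover the moment after which S3 rejects the URL (X-Amz-Date + X-Amz-Expires)."""
    qs = dict(p.split("=", 1) for p in urlsplit(url).query.split("&"))
    start = dt.datetime.strptime(qs["X-Amz-Date"], "%Y%m%dT%H%M%SZ").replace(tzinfo=dt.timezone.utc)
    return start + dt.timedelta(seconds=int(qs["X-Amz-Expires"]))

def demo():
    return presign_get("example-bucket", "reports/q3.pdf", FAKE_ACCESS_KEY, FAKE_SECRET_KEY,
                       "us-east-1", expires=3600, now=FIXED_NOW)

if __name__ == "__main__":
    print(demo())
```

Because the signature covers X-Amz-Expires and X-Amz-Credential, a recipient cannot extend the lifetime or swap in another identity without invalidating the URL.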

VPC Endpoint Gateway for S3

![alt text](https://kipalog.kaopiz.com/uploads/54a9/41e6/Screen Shot 2021-09-18 at 20.14.14.png)

S3 Object Lock & Glacier Vault Lock

Network Security

  • Security Groups
    • Attached to ENIs (Elastic Network Interfaces) – EC2, RDS, Lambda in VPC, etc.
    • Are stateful (any traffic in is allowed to go out, any traffic out can go back in)
    • Can reference by CIDR and security group id
    • Supports security group references for VPC peering
    • Default: inbound denied, outbound all allowed
  • NACL (Network ACL):
    • Attached at the subnet level
    • Are stateless (inbound and outbound rules apply for all traffic)
    • Can only reference a CIDR range (no hostname)
    • Default: allow all inbound, allow all outbound
    • New NACL: denies all inbound, denies all outbound
  • Host Firewall

![alt text](https://kipalog.kaopiz.com/uploads/0aa3/d937/Screen Shot 2021-09-18 at 20.16.04.png)
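To show the stateful versus stateless difference in code, here is an added example (not part of the original notes) that models a security group and a NACL evaluating a constructed HTTPS connection; the rule semantics are simplified (no rule numbers, one implicit deny fallthrough).

```python
from collections import namedtuple
from ipaddress import ip_address, ip_network
# proto is "tcp", "udp" or "any"; action is "allow" or (NACL only) "deny"
Rule = namedtuple("Rule", "proto port_from port_to cidr action", defaults=["allow"])

def _matches(rule, proto, port, remote_ip):
    return (rule.proto in ("any", proto) and rule.port_from <= port <= rule.port_to
            and ip_address(remote_ip) in ip_network(rule.cidr))

class SecurityGroup:
    """Stateful: once a flow is allowed in one direction, its replies are allowed back."""
    def __init__(self, inbound, outbound):
        self.inbound, self.outbound, self._tracked = inbound, outbound, set()

    def check(self, direction, proto, remote_ip, remote_port, local_port):
        flow = (proto, remote_ip, remote_port, local_port)
        if flow in self._tracked:                  # reply to a tracked connection: no rule lookup
            return True
        rules = self.inbound if direction == "in" else self.outbound
        port = local_port if direction == "in" else remote_port   # rules match the destination port
        if any(_matches(r, proto, port, remote_ip) for r in rules):
            self._tracked.add(flow)
            return True
        return False                               # implicit deny; SG rules are allow-only

class NetworkAcl:
    """Stateless: every packet, replies included, must match a rule; first match wins, then deny."""
    def __init__(self, inbound, outbound):
        self.inbound, self.outbound = inbound, outbound

    def check(self, direction, proto, remote_ip, remote_port, local_port):
        rules = self.inbound if direction == "in" else self.outbound
        port = local_port if direction == "in" else remote_port
        for r in rules:
            if _matches(r, proto, port, remote_ip):
                return r.action == "allow"
        return False                               # the final "*" deny rule of every NACL

def demo():
    # Constructed scenario: client 203.0.113.5:51000 opens HTTPS to an instance on port 443
    client, cport, everyone = "203.0.113.5", 51000, "0.0.0.0/0"
    sg = SecurityGroup(inbound=[Rule("tcp", 443, 443, everyone)], outbound=[])  # outbound empty on purpose
    sg_in = sg.check("in", "tcp", client, cport, 443)
    sg_reply = sg.check("out", "tcp", client, cport, 443)        # True: stateful
    nacl = NetworkAcl(inbound=[Rule("tcp", 443, 443, everyone)], outbound=[Rule("tcp", 443, 443, everyone)])
    nacl_reply = nacl.check("out", "tcp", client, cport, 443)    # False: reply goes to port 51000
    nacl.outbound.append(Rule("tcp", 1024, 65535, everyone))     # the ephemeral-port rule NACLs need
    nacl_reply_fixed = nacl.check("out", "tcp", client, cport, 443)
    return {"sg_in": sg_in, "sg_reply": sg_reply, "nacl_reply": nacl_reply, "nacl_reply_fixed": nacl_reply_fixed}
```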

What’s a DDoS (Distributed Denial-of-Service) Attack?

![alt text](https://kipalog.kaopiz.com/uploads/aef8/49f6/Screen Shot 2021-09-18 at 20.18.25.png)

Types of Attacks on your infrastructure

  • Distributed Denial of Service (DDoS):
    • When your service is unavailable because it’s receiving too many requests
    • SYN Flood (Layer 4): send too many TCP connection requests
    • UDP Reflection (Layer 4): get other servers to send many big UDP requests
    • DNS flood attack: overwhelm the DNS so legitimate users can’t find the site
    • Slowloris attack: a lot of HTTP connections are opened and kept open
  • Application level attacks:

![alt text](https://kipalog.kaopiz.com/uploads/0c5e/79d1/Screen Shot 2021-09-18 at 20.19.26.png)

DDoS Protection on AWS

  • AWS Shield Standard: protects your websites and applications against DDoS attacks, for all customers at no additional cost
  • AWS Shield Advanced: 24/7 premium DDoS protection
  • AWS WAF: filter specific requests based on rules
  • CloudFront and Route 53:
    • Availability protection using the global edge network
    • Combined with AWS Shield, provides DDoS attack mitigation at the edge
  • Be ready to scale – leverage AWS Auto Scaling
  • Separate static resources (S3 / CloudFront) from dynamic ones (EC2 / ALB)
  • Read the whitepaper for details: https://d1.awsstatic.com/whitepapers/Security/DDoS_White_Paper.pdf

![alt text](https://kipalog.kaopiz.com/uploads/0f0d/55b2/Screen Shot 2021-09-18 at 20.20.31.png)

Sample Reference Architecture

https://aws.amazon.com/answers/networking/aws-ddos-attack-mitigation/

![alt text](https://kipalog.kaopiz.com/uploads/cb1f/5e5a/Screen Shot 2021-09-18 at 20.21.36.png)

AWS Shield

  • AWS Shield Standard:
    • Free service that is activated for every AWS customer
    • Provides protection from attacks such as SYN/UDP Floods, Reflection attacks and other layer 3/layer 4 attacks
  • AWS Shield Advanced:

![alt text](https://kipalog.kaopiz.com/uploads/2532/271f/Screen Shot 2021-09-18 at 20.22.03.png)

AWS WAF – Web Application Firewall

  • Protects your web applications from common web exploits (Layer 7)
  • Deploy on Application Load Balancer (localized rules)
  • Deploy on API Gateway (rules running at the regional or edge level)
  • Deploy on CloudFront (rules globally on edge locations)
    • Used to front other solutions (CLB, EC2 instances, custom origins, S3 websites)
  • WAF is not for DDoS protection
  • Define a Web ACL (Web Access Control List):

![alt text](https://kipalog.kaopiz.com/uploads/3c0c/0fe9/Screen Shot 2021-09-18 at 20.24.39.png)

AWS Firewall Manager

  • Manage rules in all accounts of an AWS Organization
  • Common set of security rules
  • WAF rules (Application Load Balancer, API Gateways, CloudFront)
  • AWS Shield Advanced (ALB, CLB, Elastic IP, CloudFront)
  • Security Groups for EC2 and ENI resources in VPC

![alt text](https://kipalog.kaopiz.com/uploads/44da/e0c3/Screen Shot 2021-09-18 at 20.25.44.png)

Blocking an IP address

![alt text](https://kipalog.kaopiz.com/uploads/a883/d5ae/Screen Shot 2021-09-18 at 20.26.27.png)

Blocking an IP address – with an ALB

![alt text](https://kipalog.kaopiz.com/uploads/a62d/6076/Screen Shot 2021-09-18 at 20.26.44.png)

Blocking an IP address – with an NLB

![alt text](https://kipalog.kaopiz.com/uploads/8640/7921/Screen Shot 2021-09-18 at 20.27.16.png)

Blocking an IP address – ALB + WAF

![alt text](https://kipalog.kaopiz.com/uploads/494b/8c40/Screen Shot 2021-09-18 at 20.27.51.png)

Blocking an IP address – ALB + CloudFront WAF

![alt text](https://kipalog.kaopiz.com/uploads/5025/c4dd/Screen Shot 2021-09-18 at 20.28.22.png)

RDS - Security

  • KMS encryption at rest for underlying EBS volumes / snapshots
  • Transparent Data Encryption (TDE) for Oracle and SQL Server
  • IAM authentication for MySQL and PostgreSQL
  • SSL encryption to RDS is possible for all DB engines (in flight)
  • Authorization still happens within RDS (not in IAM)
  • Can copy an unencrypted RDS snapshot into an encrypted one
  • CloudTrail cannot be used to track queries made within RDS

![alt text](https://kipalog.kaopiz.com/uploads/301d/8bca/Screen Shot 2021-09-18 at 19.45.24.png)

Tags

AWSSAP
Basic AWS course


