AWS Managed Logs

• Load Balancer Access Logs (ALB, NLB, CLB) => to S3
• Access logs for your Load Balancers
• CloudTrail Logs => to S3 and CloudWatch Logs
• Logs for API calls made within your account
• VPC Flow Logs => to S3 and CloudWatch Logs
• Information about IP traffic going to and from network interfaces in yourVPC
• Route 53 Access Logs => to CloudWatch Logs
• Log information about the queries that Route 53 receives
• S3 Access Logs => to S3
• Server access logging provides detailed records for the requests that are made to a bucket
• CloudFront Access Logs => to S3
• Detailed information about every user request that CloudFront receives
• AWS Config => to S3 

S3 Security

S3 Encryption for Objects

• There are 4 methods of encrypting objects in S3
• SSE-S3: encrypts S3 objects using keys handled & managed by AWS
• SSE-KMS: leverage AWS Key Management Service to manage encryption keys
• SSE-C: when you want to manage your own encryption keys
• Client Side Encryption
• Glacier: all data is AES-256 encrypted, key under AWS control 

Encryption in transit (SSL)

• AWS S3 exposes:
  • HTTP endpoint: non encrypted
  • HTTPS endpoint: encryption in flight
• You’re free to use the endpoint you want, but HTTPS is recommended
• HTTPS is mandatory for SSE-C
• Encryption in flight is also called SSL / TLS 

Events in S3 Buckets

• S3 Access Logs:
  • Detailed records for the requests that are made to a bucket
  • Might take hours to deliver
  • Might be incomplete (best effort)
• S3 Events Notifications:
  • Receive notifications when certain events happen in your bucket
  • E.g.: new objects created, object removal, restore objects, replication events
  • Destinations: SNS, SQS queue, Lambda
  • Typically delivered in seconds but can take minutes, notification for every object if versioning is enabled, else risk of one notification for two same object write done simultaneously
• Trusted Advisor:
  • Check the bucket permission (is the bucket public?)
• CloudWatch Events:

S3 Security

• User based
  • IAM policies - which API calls should be allowed for a specific user from IAM console
• Resource Based

S3 Bucket Policies

• Use S3 bucket for policy to:
  • Grant public access to the bucket
  • Force objects to be encrypted at upload
  • Grant access to another account (Cross Account)
• Optional Conditions on:
  • Public IP or Elastic IP (not on Private IP)
  • Source VPC or Source VPC Endpoint – only works with VPC Endpoints
  • CloudFront Origin Identity
  • MFA
• Examples here: https://docs.aws.amazon.com/AmazonS3/latest/dev/examplebucket-policies.html

S3 pre-signed URLs

• Can generate pre-signed URLs using SDK or CLI
  • For downloads (easy, can use the CLI)
  • For uploads (harder, must use the SDK)
• Valid for a default of 3600 seconds, can change timeout with —expires-in [TIME_BY_SECONDS] argument
• Users given a pre-signed URL inherit the permissions of the person who generated the URL for GET / PUT
• Examples :

VPC Endpoint Gateway for S3


S3 Object Lock & Glacier Vault Lock

• S3 Object Lock
  • Adopt a WORM (Write Once Read Many) model
  • Block an object version deletion for a specified amount of time
• Glacier Vault Lock

Network Security

Network Security

• Security Groups
  • Attached to ENI (Elastic Network Interfaces) – EC2, RDS, Lambda in VPC, etc
  • Are stateful (any traffic in is allowed to go out, any traffic out can go back in)
  • Can reference by CIDR and security group id
  • Supports security group references for VPC peering
  • Default: inbound denied, outbound all allowed
• NACL (Network ACL):
  • Attached at the subnet level
  • Are stateless (inbound and outbound rules apply for all traffic)
  • Can only reference a CIDR range (no hostname)
  • Default: allow all inbound, allow all outbound
  • New NACL: denies all inbound, denies all outbound
• Host Firewall 

What’s a DDOS (Distributed Denial-of-Service) Attack?


Type of Attacks on your infrastructure

• Distributed Denial of Service (DDoS):
  • When your service is unavailable because it’s receiving too many requests
  • SYN Flood (Layer 4): send too many TCP connection requests
  • UDP Reflection (Layer 4): get other servers to send many big UDP requests
  • DNS flood attack: overwhelm the DNS so legitimate users can’t find the site
  • Slow Loris attack: a lot of HTTP connections are opened and maintained
• Application level attacks:

DDoS Protection on AWS

• AWS Shield Standard: protects against DDoS attack for your website and applications, for all customers at no additional costs
• AWS Shield Advanced: 24/7 premium DDoS protection
• AWS WAF: Filter specific requests based on rules
• CloudFront and Route 53:
  • Availability protection using global edge network
  • Combined with AWS Shield, provides DDoS attack mitigation at the edge
• Be ready to scale – leverage AWS Auto Scaling
• Separate static resources (S3 / CloudFront) from dynamic ones (EC2 / ALB)
• Read the whitepaper for details: https://d1.awsstatic.com/whitepapers/Security/DDoS_White_Paper.pdf

Sample Reference Architecture

https://aws.amazon.com/answers/networking/aws-ddos-attack-mitigation/ 

AWS Shield

• AWS Shield Standard:
  • Free service that is activated for every AWS customer
  • Provides protection from attacks such as SYN/UDP Floods, Reflection attacks and other layer 3/layer 4 attacks
• AWS Shield Advanced:

AWS WAF – Web Application Firewall

• Protects your web applications from common web exploits (Layer 7)
• Deploy on Application Load Balancer (localized rules)
• Deploy on API Gateway (rules running at the regional or edge level)
• Deploy on CloudFront (rules globally on edge locations)
  • Used to front other solutions: CLB, EC2 instances, custom origins, S3 websites)
• WAF is not for DDoS protection
• Define Web ACL (Web Access Control List):

AWS Firewall Manager

• Manage rules in all accounts of an AWS Organization
• Common set of security rules
• WAF rules (Application Load Balancer, API Gateways, CloudFront)
• AWS Shield Advanced (ALB, CLB, Elastic IP, CloudFront)
• Security Groups for EC2 and ENI resources in VPC 

Blocking an IP address


Blocking an IP address – with an ALB


Blocking an IP address – with an NLB


Blocking an IP address – ALB + WAF


Blocking an IP address – ALB + CloudFront WAF


RDS - Security

• KMS encryption at rest for underlying EBS volumes/ snapshots
• Transparent Data Encryption (TDE) for Oracle and SQL Server
• IAM authentication for MySQL and PostgreSQL
• SSL encryption to RDS is possible for all DB (in-flight)
• Authorization still happens within RDS (not in IAM)
• Can copy an un-encrypted RDS snapshot into an encrypted one
• CloudTrail cannot be used to track queries made within RDS