AWS Certified Solutions Architect Professional – Study Guide – Domain 6.0: Security (20%)


6.1 Design information security management systems and compliance controls

  • AWS Directory Service is a hosted service that allows you to connect your EC2 instances to an Active Directory, either on premises or standalone in the AWS cloud
  • Comes in two flavours:-
    • AD Connector
    • Simple AD
  • AD Connector permits access to resources such as WorkSpaces, WorkMail, EC2 etc. via existing AD credentials using IAM
  • AD Connector enforces on-premises policies such as password complexity, password history and lockout policies
  • AD can also use MFA by leveraging RADIUS services
  • Simple AD is based within AWS and runs on a Samba 4 compatible server. Supports:-
    • User and group accounts
    • Kerberos based SSO
    • GPOs
    • Domain joining EC2 instances
    • Automated daily snapshots
    • Simple AD limitations:-
      • Does not support MFA
      • Cannot add additional AD servers
      • Can’t create trust relationships
      • Cannot transfer FSMO roles
      • Doesn’t support PowerShell scripting
  • In most cases, Simple AD is the least expensive option and your best choice if you have 5,000 or fewer users and don’t need the more advanced Microsoft Active Directory features.
  • AWS Directory Service for Microsoft Active Directory (Enterprise Edition) is a managed Microsoft Active Directory hosted on the AWS Cloud. It provides much of the functionality offered by Microsoft Active Directory plus integration with AWS applications. With the additional Active Directory functionality, you can, for example, easily set up trust relationships with your existing Active Directory domains to extend those directories to AWS services.
  • Microsoft AD is your best choice if you have more than 5,000 users and need a trust relationship setup between an AWS hosted directory and your on-premises directories
  • AD Connector is your best choice when you want to use your existing on-premises directory with AWS services.
  • CloudTrail is used for logging all API calls and events made in all regions in your AWS account, whether they come from the console or from the command line. It is more of an auditing tool than a logging tool
  • CloudWatch is a monitoring service for AWS services. You can collect and track metrics, collect and track log files and set alarms. Works with EC2, DynamoDB, RDS instances as well as any custom metrics from your applications or log files those apps generate
  • By default, CloudWatch Logs will store your log files indefinitely. You can change the log group retention period at any time
  • Log groups are used to capture log files from instances and can gather them in a single folder structure, grouped by instance ID
  • CloudWatch alarms are only stored for 14 days
  • CloudWatch Logs is billed per GB ingested and per GB archived per month; alarms are charged per alarm per month
  • Can work out cheaper to store your logs in S3, depending on your environment
  • CloudWatch can be used to monitor CloudTrail by creating log groups that alert when particular terms, phrases or values are found in a log file (“error”, etc.). This is the CloudWatch Logs feature. Define a metric filter to create alerts based on keywords or phrases in the log files; the filter then defines a measurable metric
  • Events can be monitored and shipped to CloudWatch, S3 or to a third party product such as Splunk
  • Don’t log to non-persistent storage, such as an EC2 instance's EBS root volume. Log to S3 or CloudWatch
  • CloudTrail can log across multiple accounts and put logs in a single S3 bucket (needs cross account access)
  • CloudWatch can be used to monitor multiple AWS accounts
  • The awslogs package on Linux installs the CloudWatch Logs agent and forwards system logs to CloudWatch for collection and alerting
  • awslogs.conf is configured to specify which log files are sent to CloudWatch
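The metric-filter idea above is easier to reason about with the matching rules in front of you. The following is an added example, not code from the study guide or from AWS: a simplified model of the CloudWatch Logs term filter pattern syntax (space-separated terms are all required, a `?` prefix means "any of", a `-` prefix excludes, and quoted phrases match as a whole) run over constructed CloudTrail-style log lines to see what value a metric filter would emit for a batch. Case-sensitive substring matching is an assumption of this model; CloudWatch's exact tokenisation rules are not reproduced.

```python
"""Added example: a simplified model of CloudWatch Logs term filter
patterns (terms are ANDed, ?term means any-of, -term excludes, quoted
phrases match whole), run over constructed CloudTrail-style log lines.
This is not AWS code; it exists so the metric a filter would emit can be
reasoned about offline before the filter is created."""
import re
from dataclasses import dataclass, field


@dataclass
class TermFilter:
    required: list = field(default_factory=list)  # every term must appear
    any_of: list = field(default_factory=list)    # at least one ?term must appear
    excluded: list = field(default_factory=list)  # no -term may appear


def parse_pattern(pattern: str) -> TermFilter:
    """Split e.g. '"Access Denied" ?UnauthorizedOperation -DEBUG' into parts."""
    f = TermFilter()
    # quoted phrases are kept whole; everything else splits on whitespace
    for tok in re.findall(r'[?-]?"[^"]*"|\S+', pattern):
        prefix = tok[0] if tok[0] in "?-" else ""
        term = tok[len(prefix):].strip('"')
        if not term:
            continue
        {"?": f.any_of, "-": f.excluded, "": f.required}[prefix].append(term)
    return f


def matches(line: str, f: TermFilter) -> bool:
    """Case-sensitive substring matching (assumption of this model)."""
    if any(t not in line for t in f.required):
        return False
    if f.any_of and not any(t in line for t in f.any_of):
        return False
    return not any(t in line for t in f.excluded)


def metric_value(pattern: str, lines) -> int:
    """Number of log events in the batch that the filter would count."""
    f = parse_pattern(pattern)
    return sum(1 for line in lines if matches(line, f))


# Constructed CloudTrail-style events (one JSON document per log line).
LOG_LINES = [
    '{"eventName":"ConsoleLogin","responseElements":{"ConsoleLogin":"Failure"},'
    '"errorMessage":"Failed authentication","sourceIPAddress":"203.0.113.10"}',
    '{"eventName":"DescribeInstances","errorCode":"Client.UnauthorizedOperation"}',
    '{"eventName":"RunInstances","sourceIPAddress":"198.51.100.7"}',
    '{"eventName":"DeleteBucket","errorCode":"AccessDenied","errorMessage":"Access Denied"}',
    'DEBUG {"eventName":"GetSessionToken","errorCode":"AccessDenied"}',
]

if __name__ == "__main__":
    for pattern in ('UnauthorizedOperation',
                    '?UnauthorizedOperation ?AccessDenied -DEBUG',
                    '"Failed authentication" ConsoleLogin'):
        print(f"{pattern!r}: {metric_value(pattern, LOG_LINES)}")
```

The second pattern is the shape most worth keeping in mind: two alternative authorization failures counted together while a `-DEBUG` exclusion keeps verbose agent output from inflating the metric, which is what an alarm threshold on the resulting metric is then set against.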

6.2 Design security controls with the AWS shared responsibility model and global infrastructure

  • Inline policies are policies that are directly attached to an object (an IAM user, for example) and are deleted when the object is deleted. Use cases include:-
    • Requirement for strict one to one policy relationship
    • Ensuring the policy is deleted when the object is deleted
  • Managed policies are created and managed separately, use cases include:-
    • Version management (up to five versions)
    • Configuration rollback
    • Reusability
    • Central management
    • Delegation of permissions management
    • Larger policy size (up to 5K)
    • Can be customer managed or AWS managed (AWS managed policies have a small AWS icon next to them)
    • Assign to groups, roles, users etc
    • Up to 10 managed policies may be assigned per object
  • Policy variables are also supported
  • The default position is to deny. An explicit deny overrides everything
  • Tags can be used to control access by adding a condition clause into policies – the condition must match a tag for access to be effective (e.g. all EC2 instances where the tag matches Cost Centre: IT)
  • IAM policies follow the PARC model:-
    • Principal (IAM user, group, role)
    • Action (launch instance, terminate instance, etc.)
    • Resource (EC2 instance, S3 bucket, etc.)
    • Condition (where instance = i23523, for example)
  • Each statement also carries an Effect (Deny or Allow)
  • Wildcards are supported, both asterisk (*) and question mark (?), for granularity
  • NotAction provides a method to exempt or exclude a permission from a resource set; for example, NotAction with iam:* grants permissions for everything except IAM actions
  • When specifying multiple values in a policy JSON file, this is classed as an array and therefore the values must be wrapped in square brackets []
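The evaluation rules in this section (default deny, explicit deny winning, `*` and `?` wildcards, NotAction, array values and tag conditions) are what an exam question usually turns on, so here they are as a miniature evaluator. This is an added example and not AWS's evaluation engine or any AWS code: only the StringEquals condition operator is modelled, and the account id, ARNs, bucket names and the CostCentre tag key are constructed placeholders.

```python
"""Added example: a miniature evaluator for the IAM policy rules listed
above (default deny, explicit deny wins, * and ? wildcards, NotAction,
array values, tag conditions). It is not AWS's evaluation engine; only
the StringEquals condition operator is modelled, and the account id,
ARNs and tag key are constructed for the demonstration."""
import re


def _glob_to_regex(pattern: str):
    # IAM wildcards: '*' matches any run of characters, '?' exactly one.
    escaped = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.compile("^" + escaped + "$")


def _as_list(value):
    # A single string and a JSON array [..] are both accepted by IAM.
    return value if isinstance(value, list) else [value]


def _any_match(patterns, value: str) -> bool:
    return any(_glob_to_regex(p).match(value) for p in _as_list(patterns))


def _statement_applies(stmt, action, resource, context) -> bool:
    if "Action" in stmt:
        if not _any_match(stmt["Action"], action):
            return False
    elif "NotAction" in stmt:
        # NotAction: the statement covers every action EXCEPT these.
        if _any_match(stmt["NotAction"], action):
            return False
    if not _any_match(stmt.get("Resource", "*"), resource):
        return False
    # Each condition key must equal one of its listed values.
    for key, wanted in stmt.get("Condition", {}).get("StringEquals", {}).items():
        if context.get(key) not in _as_list(wanted):
            return False
    return True


def evaluate(policy, action, resource, context=None) -> str:
    """Return 'Allow', 'ExplicitDeny' or 'ImplicitDeny' for one request."""
    context = context or {}
    decision = "ImplicitDeny"          # default position is deny
    for stmt in policy["Statement"]:
        if not _statement_applies(stmt, action, resource, context):
            continue
        if stmt["Effect"] == "Deny":
            return "ExplicitDeny"      # explicit deny trumps everything
        decision = "Allow"
    return decision


# Constructed policy: account id, bucket name and tag key are placeholders.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["ec2:Describe*", "s3:Get*"],
         "Resource": ["arn:aws:ec2:*:111122223333:instance/*",
                      "arn:aws:s3:::logs-201?/*"]},
        {"Effect": "Allow", "Action": ["ec2:StartInstances", "ec2:StopInstances"],
         "Resource": "arn:aws:ec2:*:111122223333:instance/*",
         "Condition": {"StringEquals": {"ec2:ResourceTag/CostCentre": "IT"}}},
        {"Effect": "Deny", "Action": "ec2:TerminateInstances", "Resource": "*"},
        # Deny everything that is not EC2 or S3 (NotAction as an exclusion).
        {"Effect": "Deny", "NotAction": ["ec2:*", "s3:*"], "Resource": "*"},
    ],
}

INSTANCE = "arn:aws:ec2:us-east-1:111122223333:instance/i-0123456789abcdef0"

if __name__ == "__main__":
    print(evaluate(POLICY, "ec2:StopInstances", INSTANCE,
                   {"ec2:ResourceTag/CostCentre": "IT"}))        # Allow
    print(evaluate(POLICY, "ec2:TerminateInstances", INSTANCE))  # ExplicitDeny
    print(evaluate(POLICY, "iam:CreateUser", "*"))               # ExplicitDeny
```

Two behaviours are worth checking by hand against the bullets: a request that matches no statement at all comes back as an implicit deny rather than an error, and the `?` in `logs-201?` matches exactly one character, so `logs-2016` is covered while `logs-20160` is not.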

6.3 Design identity and access management controls

  • The AWS Security Token Service (STS) is a web service that enables you to request temporary, limited-privilege credentials for AWS Identity and Access Management (IAM) users or for users that you authenticate (federated users)
  • Users come from one of three sources:-
    • Federated (Active Directory, SAML). Uses AD credentials and does not need to be an IAM user, SSO allows login to console without assigning IAM credentials
    • Federation with OpenID web applications (Facebook, Google, Amazon etc)
    • Cross account access (IAM user from another account)
  • Federation is joining users in one domain (IAM) with another (AD, Facebook etc)
  • Identity Broker joins domain A to domain B
  • Identity Store/Provider is AD, Facebook etc
  • Identity is a user of that service or member of that domain
  • On a correct user ID and password, STS returns 4 items – access key, secret access key, token and duration (the token’s lifetime, between 1 and 36 hours; the default is 12 hours for GetFederationToken and 1 hour for AssumeRole)
  • The Identity Broker takes credentials from the application and checks them against LDAP. If they are correct, it goes to STS and requests a token for a role using the GetFederationToken call with its own IAM credentials. STS passes the access token with permissions back to the broker, which passes it back to the app, which then accesses the respective resource (such as S3). The resource then verifies that the token has appropriate access
    • Develop an identity broker to communicate with LDAP and STS
    • Broker always communicates with LDAP first and then with STS
    • Application gets temporary access to AWS resources
  • The AssumeRole action returns a set of temporary security credentials (consisting of an access key ID, a secret access key, and a security token) that you can use to access AWS resources that you might not normally have access to. Typically, you use AssumeRole for cross-account access or federation. You can optionally include multi-factor authentication (MFA) information when you call AssumeRole. This is useful for cross-account scenarios in which you want to make sure that the user who is assuming the role has been authenticated using an AWS MFA device
  • AssumeRoleWithWebIdentity returns a set of temporary security credentials for users who have been authenticated in a mobile or web application with a web identity provider, such as Amazon Cognito, Login with Amazon, Facebook, Google, or any OpenID Connect-compatible identity provider. Calling AssumeRoleWithWebIdentity does not require the use of AWS security credentials. Therefore, you can distribute an application (for example, on mobile devices) that requests temporary security credentials without including long-term AWS credentials in the application, and without deploying server-based proxy services that use long-term AWS credentials. Instead, the identity of the caller is validated by using a token from the web identity provider.
  • AssumeRoleWithSAML is generally used for AD federation requests.
  • DecodeAuthorizationMessage decodes additional information about the authorization status of a request from an encoded message returned in response to an AWS request. For example, if a user is not authorized to perform an action that he or she has requested, the request returns a Client.UnauthorizedOperation response (an HTTP 403 response). Some AWS actions additionally return an encoded message that can provide details about this authorization failure
  • GetFederationToken returns a set of temporary security credentials (consisting of an access key ID, a secret access key, and a security token) for a federated user. A typical use is in a proxy application that gets temporary security credentials on behalf of distributed applications inside a corporate network. Because you must call the GetFederationToken action using the long-term security credentials of an IAM user, this call is appropriate in contexts where those credentials can be safely stored, usually in a server-based application. If you are creating a mobile-based or browser-based app that can authenticate users using a web identity provider like Login with Amazon, Facebook, Google, or an OpenID Connect-compatible identity provider, we recommend that you use Amazon Cognito or AssumeRoleWithWebIdentity
  • GetSessionToken returns a set of temporary credentials for an AWS account or IAM user. The credentials consist of an access key ID, a secret access key, and a security token. Typically, you use GetSessionToken if you want to use MFA to protect programmatic calls to specific AWS APIs like Amazon EC2 StopInstances. MFA-enabled IAM users would need to call GetSessionToken and submit an MFA code that is associated with their MFA device. Using the temporary security credentials that are returned from the call, IAM users can then make programmatic calls to APIs that require MFA authentication. If you do not supply a correct MFA code, then the API returns an access denied error.
  • The GetSessionToken action must be called by using the long-term AWS security credentials of the AWS account or an IAM user. Credentials that are created by IAM users are valid for the duration that you specify, between 900 seconds (15 minutes) and 129600 seconds (36 hours); credentials that are created by using account credentials have a maximum duration of 3600 seconds (1 hour)
  • Assertions are used in SAML to map AD groups to AWS roles
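To make the last bullet concrete, here is the role mapping as it actually arrives at the AWS side of a SAML federation: the identity provider turns the user's AD group membership into values of the `https://aws.amazon.com/SAML/Attributes/Role` attribute, each of the form `role_arn,provider_arn`, and AssumeRoleWithSAML only lets the user assume a role that appears in that list. This is an added example and not code from the study guide or from AWS: the SAML response below is constructed (the account id, role names, provider name and user are placeholders), and a real broker must validate the assertion's signature and issuer before trusting any attribute in it, which this parser does not do.

```python
"""Added example: parsing the AWS role mapping out of a SAML assertion the
way an identity broker would after a user authenticates against AD/ADFS.
The assertion below is constructed (account id, role names, provider name
and user are placeholders). Signature and issuer validation, which must
happen before any attribute is trusted, is out of scope here."""
import re
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
AWS_ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"
AWS_SESSION_ATTR = "https://aws.amazon.com/SAML/Attributes/RoleSessionName"
ROLE_ARN = re.compile(r"^arn:aws:iam::\d{12}:role/[\w+=.@/-]+$")
PROVIDER_ARN = re.compile(r"^arn:aws:iam::\d{12}:saml-provider/[\w._-]+$")


def _attribute_values(root, name):
    """All AttributeValue texts of the SAML attribute called `name`."""
    for attr in root.iter(f"{{{SAML_NS}}}Attribute"):
        if attr.get("Name") == name:
            return [v.text.strip() for v in attr.iter(f"{{{SAML_NS}}}AttributeValue") if v.text]
    return []


def parse_aws_roles(saml_xml: str):
    """Return [(role_arn, provider_arn), ...] from the Role attribute.
    Each value is 'role_arn,provider_arn', the order AWS documents."""
    root = ET.fromstring(saml_xml)
    pairs = []
    for value in _attribute_values(root, AWS_ROLE_ATTR):
        parts = [p.strip() for p in value.split(",")]
        if len(parts) != 2 or not ROLE_ARN.match(parts[0]) or not PROVIDER_ARN.match(parts[1]):
            raise ValueError(f"malformed AWS Role attribute value: {value!r}")
        pairs.append((parts[0], parts[1]))
    if not pairs:
        raise ValueError("assertion carries no AWS Role attribute")
    return pairs


def session_name(saml_xml: str) -> str:
    """The RoleSessionName that ends up in CloudTrail for this session."""
    values = _attribute_values(ET.fromstring(saml_xml), AWS_SESSION_ATTR)
    if len(values) != 1:
        raise ValueError("exactly one RoleSessionName is required")
    return values[0]


def choose_role(pairs, wanted_role_arn: str):
    """Only a role the assertion lists may be assumed (AssumeRoleWithSAML
    rejects any other); returns the (role, provider) pair to pass on."""
    for role_arn, provider_arn in pairs:
        if role_arn == wanted_role_arn:
            return role_arn, provider_arn
    raise ValueError(f"{wanted_role_arn} is not offered by this assertion")


# Constructed SAML response: two AD groups mapped to two roles for one user.
SAML_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion>
    <saml:Subject><saml:NameID>jsmith</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">
        <saml:AttributeValue>arn:aws:iam::111122223333:role/ADFS-Admins,arn:aws:iam::111122223333:saml-provider/ADFS</saml:AttributeValue>
        <saml:AttributeValue>arn:aws:iam::111122223333:role/ADFS-ReadOnly,arn:aws:iam::111122223333:saml-provider/ADFS</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/RoleSessionName">
        <saml:AttributeValue>jsmith@corp.example</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    roles = parse_aws_roles(SAML_RESPONSE)
    print(session_name(SAML_RESPONSE), "may assume:", [r for r, _ in roles])
    print(choose_role(roles, "arn:aws:iam::111122223333:role/ADFS-ReadOnly"))
```

The pair returned by `choose_role` is exactly what the broker then hands to AssumeRoleWithSAML together with the (still signed, base64-encoded) assertion; the role ARN and provider ARN are never taken from user input, only from the assertion the IdP issued.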

6.4 Design protection of Data at Rest controls

  • An HSM (Hardware Security Module) is a physical device that safeguards and manages cryptographic keys, usually either a plug-in card or a standalone physical appliance
  • HSMs previously had to be hosted on premises, which could mean latency between an application in AWS and the HSM on the customer site
  • Amazon provides CloudHSM. Keys can be created, stored and managed in a way that is only accessible to you
  • CloudHSM is charged with an upfront fee and then per hour until the instance is terminated. A two-week evaluation is available by request
  • CloudHSM is single-tenant. When you purchase an instance, it’s dedicated to you
  • Has to be deployed in a VPC (EC2-Classic customers will have to add a VPC)
  • VPC peering can be used to access CloudHSM
  • You can use EBS volume encryption, S3 object encryption and key management with CloudHSM, but this does require custom scripting
  • If you need fault tolerance, you need to add a second CloudHSM in a cluster, because if you lose your single one, you lose all the keys
  • Can integrate CloudHSM with RDS as well as Redshift
  • Monitor with syslog
  • AWS Key Management Service is used from the IAM console and allows an administrator to define keys for the encryption of data
  • KMS is region based
  • The CMK (Customer Master Key) is the top of the key hierarchy; KMS administrators are added using IAM. Users also need permissions via IAM, otherwise they are not allowed to use keys to perform encryption tasks
  • Users from other AWS accounts can be added as key users
  • Key rotation changes the backing key, and all backing keys are kept. These are used to encrypt and decrypt data. The CMK would need to be disabled to prevent any of the backing keys being used for encryption or decryption
  • Data encrypted using a key is lost if the key is lost
  • You can select which encryption key is used to create an encrypted EBS volume, for example. If none is selected, the default is the EBS key pre-created in KMS
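The three bullets on rotation, disabling and key loss describe one piece of bookkeeping: every ciphertext records which backing key produced it, rotation adds a backing key without retiring the old ones, and the enabled/disabled state of the CMK gates every operation. The following is an added example, not the KMS implementation or any AWS code, that models exactly that bookkeeping. The XOR keystream in it is a toy used only to make the key-version handling visible; it provides no real confidentiality or integrity and is not something to reuse as a cipher. The `alias/example-ebs` alias is constructed.

```python
"""Added example: a model of the CMK / backing-key behaviour described
above (rotation adds a backing key and keeps the old ones, a disabled
CMK can neither encrypt nor decrypt, and losing the key loses the data).
This is not the KMS implementation and the XOR keystream below is a toy
used only to make the key-version bookkeeping visible; it provides no
real confidentiality or integrity and must not be reused as a cipher."""
import hashlib
import hmac
import secrets


def _toy_keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # HMAC-SHA256(key, nonce || counter) blocks XORed over the data (toy only).
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hmac.new(key, nonce + offset.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], block))
    return bytes(out)


class ToyCMK:
    """One customer master key with a list of backing keys; the last one
    is the current key used for new encryptions."""

    def __init__(self, key_id: str):
        self.key_id = key_id
        self.enabled = True
        self._backing = [secrets.token_bytes(32)]   # version 0

    def rotate(self) -> int:
        """Add a new backing key; earlier ones stay for decryption."""
        self._backing.append(secrets.token_bytes(32))
        return len(self._backing) - 1

    def disable(self):
        self.enabled = False

    def destroy(self):
        """Model of key loss: no backing key survives."""
        self._backing = []

    def encrypt(self, plaintext: bytes) -> bytes:
        if not self.enabled:
            raise PermissionError(f"{self.key_id} is disabled")
        version = len(self._backing) - 1
        nonce = secrets.token_bytes(16)
        body = _toy_keystream_xor(self._backing[version], nonce, plaintext)
        # The ciphertext records which backing-key version produced it.
        return version.to_bytes(2, "big") + nonce + body

    def decrypt(self, blob: bytes) -> bytes:
        if not self.enabled:
            raise PermissionError(f"{self.key_id} is disabled")
        version = int.from_bytes(blob[:2], "big")
        if version >= len(self._backing):
            raise KeyError(f"backing key version {version} of {self.key_id} is gone")
        return _toy_keystream_xor(self._backing[version], blob[2:18], blob[18:])


def rotation_keeps_old_ciphertexts_readable() -> bool:
    """Worked check of the bullets above; returns True when they all hold."""
    cmk = ToyCMK("alias/example-ebs")              # constructed alias
    before = cmk.encrypt(b"volume data written before rotation")
    cmk.rotate()
    after = cmk.encrypt(b"volume data written after rotation")
    readable = (cmk.decrypt(before) == b"volume data written before rotation"
                and cmk.decrypt(after) == b"volume data written after rotation"
                and before[:2] != after[:2])       # different versions used
    cmk.disable()
    try:
        cmk.decrypt(before)
        return False                               # disabled CMK must refuse
    except PermissionError:
        return readable


if __name__ == "__main__":
    print("rotation/disable semantics hold:", rotation_keeps_old_ciphertexts_readable())
```

The practical consequence mirrors the guide's bullets: rotating a CMK never re-encrypts existing data and never invalidates it, so rotation alone does not revoke access to old ciphertexts; only disabling (or losing) the CMK does that, and the latter is irreversible.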

6.5 Design protection of Data in Flight and Network Perimeter controls

  • NTP amplification can be used with a spoof IP address to return a large packet back to a different target (the intended victim) and flood the target with traffic
  • Reflection attacks involve eliciting a response from a server to a spoofed IP address, where the compromised server acts as a reflector
  • Attacks can also take place at the application layer (layer 7) by flooding the web server with GET requests.
  • A Slowloris attack uses deliberately slow GET requests to open up lots of connections on the web server
  • Limit the attack surface by opening only required ports, use bastion hosts where appropriate and use private subnets
  • A WAF is a Web Application Firewall and provides protection at layer 7
  • Can use a community-based WAF appliance or the AWS WAF service
  • Stacks can also be scaled horizontally and vertically to meet the additional load placed on your infrastructure by a DDoS attack
  • Scaling out is easier than scaling up, as adding instances involves no downtime
  • Geo restrictions or blocking can be used with CloudFront to prevent attacks from certain countries. This can be achieved by either whitelisting or blacklisting
  • Origin Access Identity: restrict access to S3 buckets by preventing direct user access and forcing users to access objects via CloudFront URLs
  • Alias records in Route 53 can be used to redirect traffic from an existing infrastructure to a new one with greater capacity and WAFs, built to withstand a DDoS attack. No DNS changes and no propagation delays
  • You also need to learn normal behaviour for an application so that you don’t block any traffic during month end spikes, for example
  • With C3, C4, R3, D2, and I2 instances, you can enable Enhanced Networking capabilities, which provides higher network performance (packets per second). This feature uses a network virtualization stack that provides higher I/O performance and lower CPU utilization compared to traditional implementations. With Enhanced Networking, your application can benefit from features that can aid in building resilience against DDoS attacks, such as high packet-per-second performance, low latency networking, and improved scalability.
  • Amazon Route 53 has two capabilities that work together to help ensure end users can access your application even under DDoS attack: shuffle sharding and anycast routing
  • Amazon Route 53 uses shuffle sharding to spread DNS requests over numerous PoPs, thus providing multiple paths and routes for your application
  • Anycast routing increases redundancy by advertising the same IP address from multiple PoPs. In the event that a DDoS attack overwhelms one endpoint, shuffle sharding isolates the failure while providing additional routes to your infrastructure
  • Alias Record Sets can save you time and provide additional tools while under attack. For example, suppose an Alias Record Set for example.com points to an ELB load balancer, which is distributing traffic across several EC2 instances running your application. If your application came under attack, you could change the Alias Record Set to point to an Amazon CloudFront distribution or to a different ELB load balancer with higher capacity EC2 instances running WAFs or your own security tools. Amazon Route 53 would then automatically reflect those changes in DNS answers for example.com without any changes to the hosted zone that contains Alias Record Sets for example.com.
  • IDS is an Intrusion Detection System, IPS is an Intrusion Prevention System
  • An IDS/IPS is a virtual appliance installed into the public subnet that may communicate with a SOC such as Trend Micro; it sends logs to S3, and an agent is required in each instance to capture and analyse traffic and requests
  • It is possible to restrict access to resources using tags. An explicit deny overrides everything. Use Action (API) permissions to prevent actions via the command line or AWS console
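The layer-7 bullets (GET floods, Slowloris, and the reminder to learn normal behaviour first) come down to two measurable signals in a web tier's access logs: request rate per source over a sliding window, and many long-held connections from one source. The following is an added example, not an AWS service or code from the study guide: both detections run over constructed access log lines in an assumed simple format, with thresholds that are placeholders to be replaced by baselines measured from real traffic. AWS WAF rate-based rules apply the first idea at the edge.

```python
"""Added example: detection logic for the layer-7 patterns described
above (GET floods and Slowloris-style slow requests) run over constructed
access log lines. The log format and thresholds are assumptions for the
demonstration; real thresholds come from a baseline of normal traffic."""
from collections import defaultdict, deque
from datetime import datetime


# Assumed log format: "<ISO8601 time> <client ip> <method> <path> <status> <duration ms>"
def parse_line(line: str) -> dict:
    ts, ip, method, path, status, duration = line.split()
    return {"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")), "ip": ip,
            "method": method, "path": path, "status": int(status),
            "duration_ms": int(duration)}


def flood_sources(lines, window_s: int = 60, max_requests: int = 10) -> set:
    """IPs that exceed max_requests within any sliding window of window_s."""
    recent = defaultdict(deque)
    flagged = set()
    for rec in sorted(map(parse_line, lines), key=lambda r: r["ts"]):
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        while (rec["ts"] - q[0]).total_seconds() > window_s:
            q.popleft()                      # drop requests outside the window
        if len(q) > max_requests:
            flagged.add(rec["ip"])
    return flagged


def slow_request_sources(lines, min_duration_ms: int = 10000, min_count: int = 3) -> set:
    """IPs holding several connections open for unusually long: a Slowloris
    style signal, since ordinary clients finish a GET in milliseconds."""
    slow = defaultdict(int)
    for rec in map(parse_line, lines):
        if rec["duration_ms"] >= min_duration_ms:
            slow[rec["ip"]] += 1
    return {ip for ip, n in slow.items() if n >= min_count}


def _line(sec: int, ip: str, duration: int = 12, path: str = "/index.html", status: int = 200) -> str:
    return f"2016-07-22T10:00:{sec:02d}Z {ip} GET {path} {status} {duration}"


# Constructed traffic: one flooding client, one normal client, one slow client.
LOG_LINES = (
    [_line(s, "203.0.113.10") for s in range(12)]                    # 12 GETs in 12 s
    + [_line(s, "198.51.100.7") for s in (0, 20, 40)]                # normal browsing
    + [_line(s, "192.0.2.5", duration=30000) for s in (1, 2, 3, 4)]  # slow GETs
)

if __name__ == "__main__":
    print("flood sources:", flood_sources(LOG_LINES))
    print("slow-request sources:", slow_request_sources(LOG_LINES))
```

Which action follows a flag (a WAF rate-based block, a geo restriction, or simply an alarm) is a separate decision; the point of keeping the thresholds as parameters is the guide's own caveat that a month-end spike must not trip the same rule as a flood.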

One thought on “22-07-16”