AWS Security Services Overview

14th September 2020

Modular Areas – AWS Security areas which support NIST, CVE, CIS (Common Internet Security), OWASP, Cloud Security Best practices.

1: Security On AWS

• Security in the AWS cloud
• AWS Shared Responsibility Model
• Incident response overview
• DevOps with Security Engineering

2: Entry Points on AWS

• Identify the different ways to access the AWS platform
• Understanding IAM policies
• IAM Permissions Boundary
• IAM Access Analyzer
• Multi-factor authentication
• AWS CloudTrail

3: Web Application Environments

• Threats in a three-tier architecture
• Common threats: user access
• Common threats: data access
• AWS Trusted Advisor

4: Application Security

• Amazon Machine Images
• Amazon Inspector
• AWS Systems Manager

5: Data Security
• Data protection strategies
• Encryption on AWS
• Protecting data at rest with Amazon S3, Amazon RDS, Amazon DynamoDB
• Protecting archived data with Amazon S3 Glacier
• Amazon S3 Access Analyzer
• Amazon S3 Access Points

6: Securing Network Communications

• Amazon VPC security considerations
• Amazon VPC Traffic Mirroring
• Responding to compromised instances
• Elastic Load Balancing
• AWS Certificate Manager

7: Monitoring and Collecting Logs on AWS

• Amazon CloudWatch and CloudWatch Logs
• AWS Config
• Amazon Macie
• Amazon VPC Flow Logs
• Amazon S3 Server Access Logs
• ELB Access Logs

8: Processing Logs on AWS

• Amazon Kinesis
• Amazon Athena

9: Hybrid Environments

• AWS Site-to-Site and Client VPN connections
• AWS Direct Connect
• AWS Transit Gateway

10: Out-Of-Region Protection

• Amazon Route 53
• AWS WAF
• Amazon CloudFront
• AWS Shield
• AWS Firewall Manager
• DDoS mitigation on AWS

11: Serverless Environments

• Amazon Cognito
• Amazon API Gateway
• AWS Lambda

12: Threat Detection and Investigation

• Amazon GuardDuty
• AWS Security Hub
• Amazon Detective

13: Secrets Management on AWS

• AWS KMS
• AWS CloudHSM
• AWS Secrets Manager

14: Automation and Security by Design

• AWS CloudFormation
• AWS Service Catalog

15: Account Management and Provisioning on AWS

• AWS Organizations
• AWS Control Tower
• AWS SSO
• AWS Directory Service

Security Information by AWS Service

https://docs.aws.amazon.com/security/

AWS CIS benchmarks https://d1.awsstatic.com/whitepapers/compliance/AWS_CIS_Foundations_Benchmark.pdf

Shared Responsibility Model

Client owns Security IN the Cloud.  AWS owns the Security OF the Cloud.

Authentication and Authorisation

The separation between Authentication and Authorization is important to optimize – having strong authentication methods (Active Directory integration, SAML, rotating credentials, MFA) is critical, but ensuring that each operator (human or machine) only has the authorization to do the tasks they need to do against only the objects they should be touching keeps the risk of accidental or malicious actions in a manageable scope.  Humans can’t break it, if they can’t touch it.

AWS Secrets Manager

Designed to centrally manage secrets used to access resources on AWS, on-premises, and third-party services. Secrets can be database credentials, passwords, third-party API keys, and even arbitrary text. Secrets Manager enables you to replace hardcoded credentials in your code with an API call to Secrets Manager to retrieve the secret programmatically. Also, you can configure Secrets Manager to automatically rotate the secret for you according to a schedule that you specify.

AWS Single Sign-On

(SSO) is a cloud SSO service that allows for the central management of SSO access to multiple AWS accounts and business applications. It enables users to sign into a user portal with their existing corporate credentials and access all their assigned accounts and applications from one place. AWS SSO includes built-in SAML integrations to many business applications. AWS SSO may be integrated with Microsoft Active Directory, which means your employees can sign into your AWS SSO user portal using their corporate Active Directory credentials. 

AWS Security Token Service

(STS) is a web service that enables you to request temporary, limited-privilege credentials for IAM users who are taking on a different role or for users who are being federated. A scenario in which someone, or something, needs access to your account to perform a specific task that is not done on a daily basis would be a great candidate for temporary credentials.

AWS Directory Service

For Microsoft Active Directory, also known as AWS Managed Microsoft AD, enables your domain workloads and AWS resources to use managed Active Directory in the AWS Cloud. AWS Managed Microsoft AD is built on actual Microsoft Active Directory and does not require you to synchronize or replicate data from your existing Active Directory to the cloud.

AWS Organizations

Allows you centrally manage and enforce policies for multiple AWS accounts. This service allows grouping accounts into organizational units and use service control policies to centrally control AWS services across multiple AWS accounts. With Organizations, you can also automate the creation of new accounts through APIs and simplify billing by allowing you to set up a single payment method for all the accounts in your organization through consolidated billing. Organizations is available to all AWS customers at no additional charge.

Amazon Cognito

Let’s you add user sign-up, sign-in, and access controls to your web and mobile apps. You can define roles and map users to different roles so your app can access only the resources that are authorized for each user. User sign in can be done either by a third-party identity provider, or directly via Amazon Cognito.

An Amazon Cognito user pool is a user directory that manages the overhead of handling the tokens that are returned from social sign-in providers, such as Facebook, Google, and Amazon, and enterprise identity providers via SAML 2.0. After a successful user pool sign-in, your web or mobile app will receive user pool tokens from Amazon Cognito. These tokens can then be used to retrieve AWS credentials via Amazon Cognito identity pools. These credentials allow your app to access other AWS services and you don’t have to embed long-term AWS credentials in your app.

Capturing and Collecting Logs

Detective controls are an essential part of governance frameworks and can be used to identify a potential security threat or incident. In AWS, there are a number of approaches to consider when addressing detective controls. AWS CloudTrail records API calls made on your account. This information helps you track changes made to your AWS resources, troubleshoot operational issues, and ensure compliance with internal policies and regulatory standards.

Monitoring and Notifications

It’s not uncommon for organizations to integrate security alerts into their operations and platforms. It’s essential to be able to detect change, determine whether a change was appropriate, and then route this information to the correct remediation workflow.

CloudWatch

In AWS, you use Amazon CloudWatch to route events and information reflecting potentially unwanted changes into a proper workflow. CloudWatch can be used to monitor resources and logs, send notifications, and trigger automated actions for remediation. Take a moment to review the Amazon CloudWatch architecture below to learn more about this service.

The key services to audit include Amazon S3, Elastic Load Balancing, Amazon CloudWatch, AWS CloudTrail, and Amazon VPC.

CloudWatch Tutorials and Use Cases: https://docs.aws.amazon.com/AmazonCloudWatch/latest/events/CloudWatch-Events-Tutorials.html

Amazon GuardDuty

An intelligent threat detection service that provides customers with a way to continuously monitor and protect their AWS accounts and workloads. GuardDuty identifies suspected attackers through integrated threat intelligence feeds and uses machine learning to detect anomalies in account and workload activity. It monitors for activity such as unusual API calls or unauthorized deployments that indicate that a customer’s accounts may have been compromised, as well as direct threats like compromised instances or reconnaissance by attackers.

AWS Trusted Advisor

A service that draws upon best practices and inspects your AWS environment making recommendations for saving money, improving system performance, or closing security gaps. You can configure Trusted Advisor notifications to receive weekly emails about any changes. You can also subscribe to Business and Enterprise-level support to access the full suite of Trusted Advisor best-practice checks

AWS Inspector

An automated security assessment service that helps improve the security and compliance of applications deployed on AWS. Amazon Inspector automatically assesses applications for exposure, vulnerabilities, and deviations from best practices. After performing an assessment, Amazon Inspector produces a detailed list of security findings prioritized by level of severity. These findings can be reviewed directly or as part of detailed assessment reports which are available via the Amazon Inspector console or API.

Amazon Inspector security assessments help you check for unintended network accessibility of your Amazon EC2 instances and for vulnerabilities on those EC2 instances. Amazon Inspector assessments are offered to you as pre-defined rules packages mapped to common security best practices and vulnerability definitions. Examples of built-in rules include checking for access to your EC2 instances from the internet, remote root login being enabled, or vulnerable software versions installed. These rules are regularly updated by AWS security researchers.

Amazon VPC Flow Logs

Many AWS services provide built-in access control audit trails and logs. You can enable Amazon VPC Flow Logs to capture information about the IP traffic going to and from network interfaces in your VPC. VPC flow logs can help you with a number of tasks. For example, you can troubleshoot why specific traffic is not reaching an instance, which in turn helps you diagnose overly restrictive security group rules. You can also use flow logs as a security tool to monitor the traffic that is reaching your instance.

AWS Security Hub

Gives you a single pane of glass view of your high-priority security alerts and compliance status across AWS accounts. It provides you a single place that aggregates, organizes, and prioritizes your security alerts, or findings, from multiple AWS services, such as Amazon GuardDuty, Amazon Inspector, and Amazon Macie, as well as from AWS Partner solutions. This service is currently in a preview period at no cost to you.

AWS Config

AWS Config is a continuous monitoring and assessment service that can help you detect non-compliance configurations almost in real time. You can view the current and historic configurations of a resource and use this information to troubleshoot outages and conduct security attack analyses.

With AWS Config rules, you can run continuous assessment checks on your resources to verify that they comply with your own security policies, industry best practices, and compliance standards. AWS provides several managed pre-built rules that require minimal to no configuration. For example, AWS Config provides a rule to ensure that encryption is turned on for all EBS volumes in your account. You can also write a custom AWS Config rule to essentially “codify” your own corporate security policies. 

Protection via Isolation

Infrastructure protection ensures that systems and resources within your workloads are protected against unintended and unauthorized access, and other potential vulnerabilities. Amazon Virtual Private Cloud (Amazon VPC) allows you to isolate your AWS resources in the cloud. A VPC enables you to launch resources into a virtual network that you’ve defined and that closely resembles a traditional network that you’d operate in your own data center. Here we have the most common VPC features that provide a defense-in-depth approach for your resources. Please review each item for more information.

Application and OS Security

Securing your network and making sure that all your servers are hardened and properly patched are some of the tasks required in infrastructure security. AWS Systems Manager includes capabilities that help you automate management tasks such as collecting system inventory, applying operating system patches, maintaining up-to-date anti-virus definitions, and configuring operating systems and applications at scale. Systems Manager helps keep your systems compliant with your defined configuration policies.

EC2 security best practices

https://aws.amazon.com/articles/tips-for-securing-your-ec2-instance/

AWS Systems Manager

https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-best-practices.html

AWS Systems Manager provides a tool to help with automating operations with things like patch deployment, deploying automation scripts to your instances, and a lot more. Doing these sorts of tasks manually, one instance at a time, is like inviting the elusive creatures that cause you to get paged at 3 AM directly into your metaphorical server room. Through the use of Systems Manager, you can push patches and scripts to be run on an instance, or group of instances, in an automated fashion to avoid logging directly into a production box to make those changes.

AWS Systems Manager allows you to centralize operational data from multiple AWS services and automate tasks across your AWS resources. You can create logical groups of resources such as applications, different layers of an application stack, or production versus development environments. With Systems Manager, you can select a resource group and view its recent API activity, resource configuration changes, related notifications, operational alerts, software inventory, and patch compliance status. You can also take action on each resource group depending on your operational needs. Systems Manager provides a central place to view and manage your AWS resources, so you can have complete visibility and control over your operations.

OpsCenter

OpsCenter provides a central location where operations engineers and IT professionals can view, investigate, and resolve operational issues related to any AWS resource. OpsCenter aggregates and standardizes operational issues, referred to as OpsItems, while providing contextually relevant data that helps with diagnosis and remediation. Engineers working on an OpsItem get access to information such as:

  • Event, resource and account details
  • Past OpsItems with similar characteristics
  • Related AWS Config changes
  • AWS CloudTrail logs
  • Amazon CloudWatch alarms
  • Stack information
  • Other quick-links to access logs and metrics
  • List of runbooks and recommended runbooks
  • Other information passed to OpsCenter through AWS services

This information helps engineers to investigate and remediate operational issues faster. Engineers can use OpsCenter to view and address issues using the Systems Manager console or via the Systems Manager OpsCenter APIs.

Explorer

AWS Systems Manager Explorer is a customizable dashboard, providing key insights and analysis into the operational health and performance of your AWS environment. Explorer aggregates operational data from across AWS accounts and AWS Regions to help you prioritize and identify where action may be required.

Resource Groups

Resource groups are a way to create a logical group of resources associated with a particular workload such as different layers of an application stack, or production versus development environments. For example, you can group different layers of an application, such as the frontend web layer and the backend data layer. Resource groups can be created, updated, or removed programmatically through the API.

AWS AppConfig

AWS AppConfig helps you deploy application configuration in a managed and a monitored way just like code deployments, but without the need to deploy the code if a configuration value changes. AWS AppConfig scales with your infrastructure so you can deploy configurations to any number of Amazon EC2 instances, containers, AWS Lambda functions, mobile apps, IoT devices or on-premises instances. AWS AppConfig enables you to update configurations by entering changes through the API or Console. AWS AppConfig allows you to validate those changes semantically and syntactically to ensure configurations are aligned to their respective applications’ expectation, thus enabling you to help prevent potential outages. You can deploy your application configurations with similar best practices as code deployments, including staging roll-outs, monitoring alarms, and roll back changes should an error occur

System Manager and Insights Dashboard

AWS Systems Manager automatically aggregates and displays operational data for each resource group through a dashboard. Systems Manager eliminates the need for you to navigate across multiple AWS consoles to view your operational data. With Systems Manager you can view API call logs from AWS CloudTrail, resource configuration changes from AWS Config, software inventory, and patch compliance status by resource group. You can also easily integrate your AWS CloudWatch Dashboards, AWS Trusted Advisor notifications, and AWS Personal Health Dashboard performance and availability alerts into your Systems Manager dashboard. Systems Manager centralizes all relevant operational data, so you can have a clear view of your infrastructure compliance and performance.

Inventory

AWS Systems Manager collects information about your instances and the software installed on them, helping you to understand your system configurations and installed applications. You can collect data about applications, files, network configurations, Windows services, registries, server roles, updates, and any other system properties. The gathered data enables you to manage application assets, track licenses, monitor file integrity, discover applications not installed by a traditional installer, and more.

Automation

AWS Systems Manager allows you to safely automate common and repetitive IT operations and management tasks. With Systems Manager Automation, you can use predefined playbooks, or you can build, run, and share wiki-style automated playbooks to enable AWS resource management across multiple accounts and AWS Regions. You can execute Python or Powershell scripts as part of a playbook in combination with other automation actions such as approvals, AWS API calls, or running commands on your EC2 instances. These playbooks can be scheduled in a maintenance window, triggered based on changes to AWS resources through Amazon CloudWatch Events, or executed directly through the AWS Management ConsoleCLIs, and SDKs. You can track the execution of each step in a playbook, require approvals, incrementally roll out changes, and automatically halt the roll out if errors occur.

Run Command

AWS Systems Manager provides you safe, secure remote management of your instances at scale without logging into your servers, replacing the need for bastion hosts, SSH, or remote PowerShell. It provides a simple way of automating common administrative tasks across groups of instances such as registry edits, user management, and software and patch installations. Through integration with AWS Identity and Access Management (IAM), you can apply granular permissions to control the actions users can perform on instances. All actions taken with Systems Manager are recorded by AWS CloudTrail, allowing you to audit changes throughout your environment.

Session Manager

AWS Systems Manager provides a browser-based interactive shell and CLI for managing Windows and Linux EC2 instances, without the need to open inbound ports, manage SSH keys, or use bastion hosts. Administrators can grant and revoke access to instances through a central location by using AWS Identity and Access Management (IAM) policies. This allows you to control which users can access each instance, including the option to provide non-root access to specified users. Once access is provided, you can audit which user accessed an instance and log each command to Amazon S3 or Amazon Cloud Watch Logs using AWS CloudTrail.

Patch Manager

AWS Systems Manager helps you select and deploy operating system and software patches automatically across large groups of Amazon EC2 or on-premises instances. Through patch baselines, you can set rules to auto-approve select categories of patches to be installed, such as operating system or high severity patches, and you can specify a list of patches that override these rules and are automatically approved or rejected. You can also schedule maintenance windows for your patches so that they are only applied during preset times. Systems Manager helps ensure that your software is up-to-date and meets your compliance policies.

Maintenance Window

AWS Systems Manager lets you schedule windows of time to run administrative and maintenance tasks across your instances. This ensures that you can select a convenient and safe time to install patches and updates or make other configuration changes, improving the availability and reliability of your services and applications.

Distributor

AWS Systems Manager helps you securely distribute and install software packages, such as software agents. Systems Manager Distributor allows you to centrally store and systematically distribute software packages while you maintain control over versioning. You can use Distributor to create and distribute software packages and then install them using Systems Manager Run Command and State Manager. Distributor can also use Identity and Access Management (IAM) policies to control who can create or update packages in your account. You can use the existing IAM policy support for Systems Manager Run Command and State Manager to define who can install packages on your hosts.

State Manager

AWS Systems Manager provides configuration management, which helps you maintain consistent configuration of you Amazon EC2 or on-premises instances. With Systems Manager, you can control configuration details such as server configurations, anti-virus definitions, firewall settings, and more. You can define configuration policies for your servers through the AWS Management Console or use existing scripts, PowerShell modules, or Ansible playbooks directly from GitHub or Amazon S3 buckets. Systems Manager automatically applies your configurations across your instances at a time and frequency that you define. You can query Systems Manager at any time to view the status of your instance configurations, giving you on-demand visibility into your compliance status.

Parameter Store

AWS Systems Manager provides a centralized store to manage your configuration data, whether plain-text data such as database strings or secrets such as passwords. This allows you to separate your secrets and configuration data from your code. Parameters can be tagged and organized into hierarchies, helping you manage parameters more easily.

For example, you can use the same parameter name, “db-string”, with a different hierarchical path, “dev/db-string” or “prod/db-string”, to store different values. Systems Manager is integrated with AWS Key Management Service (KMS), allowing you to automatically encrypt the data you store. You can also control user and resource access to parameters using AWS Identity and Access Management (IAM). Parameters can be referenced through other AWS services, such as Amazon Elastic Container Service, AWS Lambda, and AWS CloudFormation.

Connect with ITSM / ITOM Software

IT Service Management (ITSM) tools, such as Jira Service Desk, can connect with AWS Systems Manager to make it easier for ITSM platform users to manage AWS resources. These AWS Service Management Connectors provide Jira Service Desk administrators governance and oversight over AWS products.

AWS Firewall Manager

A security management service that allows you to centrally configure and manage AWS WAF rules across your accounts and applications. Firewall Manager is able to bring new applications and resources into compliance with a common set of security rules from the start.

AWS Direct Connect is a cloud service solution that is used to establish a dedicated and secure network connection from your premises to AWS. Using AWS Direct Connect, you can establish private connectivity between AWS and your data center, office, or colocation environment. In many cases, this can reduce your network costs, increase bandwidth throughput, and provide a more consistent network experience than internet-based connections.

AWS CloudFormation automates and simplifies the task of repeatedly creating and deploying AWS resources in a consistent manner.  With AWS CloudFormation, you can ensure that all of your security and compliance controls are deployed along with your new environment.

Amazon Inspector is an automated security assessment service that helps improve the security and compliance of applications deployed on AWS. It assesses applications for vulnerabilities or deviations from best practices. After performing an assessment, Amazon Inspector produces a detailed list of security findings prioritized by level of severity.

Using Amazon Inspector with AWS Lambda allows you to automate certain security tasks. Combining these capabilities allows you to build event-driven security automation to help better secure your AWS environment in near real time. The diagram above illustrates a solution that automatically remediates findings generated by Amazon Inspector. Click here for more information on this specific use case.

https://docs.aws.amazon.com/inspector/latest/userguide/inspector_rule-packages.html

AWS Certificate Manager (ACM) handles the complexity of creating and managing public SSL/TLS certificates for your AWS based websites and applications. ACM can also be used to issue private SSL/TLS X.509 certificates that identify users, computers, applications, services, servers, and other devices internally. 

Amazon Macie uses machine learning to automatically discover, classify, and protect sensitive data in AWS. Macie recognizes sensitive data such as personally identifiable information (PII) or intellectual property. It provides you with dashboards and alerts that give visibility into how this data is being accessed or moved.

AWS KMS

AWS Key Management Service (AWS KMS) is a managed service that allows you to create and control the keys used in data encryption. If you want a managed service for creating and controlling encryption keys, but do not want or need to operate your own hardware security module (HSM), consider using AWS KMS. You can use the key management and cryptographic features directly in your applications or through AWS services that are integrated with AWS KMS, including AWS CloudTrail, which helps meet your auditing, regulatory, and compliance needs.

White paper https://d0.awsstatic.com/whitepapers/KMS-Cryptographic-Details.pdf

Encryption in AWS, a series of videos

https://www.youtube.com/user/AmazonWebServices/search?query=encryption

Protecting Data in S3 https://docs.aws.amazon.com/AmazonS3/latest/dev/DataDurability.html

AWS Step Functions lets you coordinate multiple AWS services into serverless workflows so you can build and update apps quickly. Workflows are made up of a series of steps, with the output of one step acting as the input into the next. Step Functions can be used to design and run workflows that stitch together services such as AWS Lambda and AWS CloudFormation to respond to an incident in the cloud.

A compromised instance using AWS Step Functions, AWS Lambda, AWS CloudFormation, and Amazon SNS. We start with a script, or third-party tool, pushing instance IDs to an SNS topic. IDs are then verified by a Lambda function, and if compromised, a Step Function workflow is initiated.

  • 1 The instance is removed from its auto scaling group, a snapshot is created of any attached EBS volume, instance metadata (like IP, AMI ID, subnets. etc.) is recorded, a quarantine resource tag is applied to the instance, and the team is notified.
  • 2 The instance is isolated by removing all its previously associated security groups. Then, a new forensics security group is assigned to the instance with no ingress or egress permissions.
  • 3 An AWS CloudFormation template is used to create a brand-new environment, including a new VPC containing a forensics instance with prebuilt tools attached to a copy of any volumes from the snapshots.
  • 4 A basic forensics investigation is performed on the attached volumes.
  • 5 Reports are then generated with the results from the investigation and sent to the team via an SNS topic.

Protection at the Edge

A combination of AWS services may be used to implement a defence in depth strategy when it comes to DDoS attacks. These services are designed with an automatic response to DDoS attacks and can help minimize time to mitigate and reduce impact. AWS Edge locations provide an additional layer of network infrastructure that increases your ability to absorb DDoS attacks and to isolate faults while minimizing availability impact. 

Amazon Route 53

A highly available and scalable DNS service that can be used to direct traffic to your web application. It includes many advanced features like traffic flow, latency-based routing, weighted round-robin, Geo DNS, health checks, and monitoring. You can use these features to improve the performance of your web application and to avoid site outages. Route 53 is hosted at numerous AWS edge locations, creating a global surface area capable of absorbing large amounts of DDoS traffic.

Amazon CloudFront

A content delivery network (CDN) service that can be used to deliver data, including your entire website, to end users. CloudFront only accepts HTTPS and HTTP well-formed connections to prevent many common DDoS attacks. These capabilities can greatly improve your ability to continue serving traffic to end users during larger DDoS attacks.

AWS Shield

A managed DDoS protection service that safeguards web applications that run on AWS. AWS Shield provides always-on detection and automatic inline mitigations that minimize application downtime and latency.

AWS Web Application Firewall (WAF) helps protect your web applications from common web exploits that could affect application availability, compromise security, or consume excessive resources. AWS WAF gives you control over which traffic to allow or block by defining customizable web security rules.

===END