Security and patching in AWS, a real-world example.
Firewalls
AWS WAF (Web Application Firewall) is a web application firewall that helps detect and block malicious web requests targeted at your web applications. WAF is configured to block invalid HTTP requests and accepts requests only from specific countries. WAF uses Security Groups to group firewall rules, that groups are assigned to VM instances.
OS Hardening & Virus Protection
– System feature SELinux controls access of applications to only resources allowed by policies.
– System software (RKHunter) monitors possible rootkits/virus installations and alerts the system administrators if this is detected.
– System software (Suricata) monitors all traffic to open ports and logs detected attacks. Further Fail2ban reads from the Suricata logs and blocks abusers.
– System software (Fail2Ban) monitors unsuccessful attempts to login to SSH and blocks an attacker IP for a period of time (a few hours); after several unsuccessful attempts.
Security policy compliancy assessment
The OpenSCAP is a collection of open source tools for implementing and enforcing this standard. System software OpenSCAP scans systems to check up compliance of various OS components for security policy. The OpenSCAP ecosystem provides multiple tools to assist administrators and auditors with assessment, measurement, and enforcement of security baselines. OpenSCAP provides a wide variety of hardening guides and configuration baselines. Security Content Automation Protocol (SCAP) is U.S. standard maintained by National Institute of Standards and Technology (NIST).
Application Server Hardening
Fail2Ban
– Whitelist HTTP request filter
– Bans IPs after certain threshold of invalid login attempts
– Bans IPs detected by Suricata as abusers
Suricata
– Real time intrusion detection (IDS), inline intrusion prevention (IPS), network security monitoring (NSM)
– Suricata inspects the network traffic using a powerful and extensive rules and signature language
– Suricata rules updated daily from Emerging Threats All ruleset, that also includes Snort rules, Blockrules (dynamic IP list based rulesets for blocking known bad hosts), etc…
Security Groups & IAM roles
System administrators can access instances or services via SSH using RSA keys and strong passwords.
FTP access – allowed only from client IP address. This is set by AWS IP filter policy and the system firewall.
-IAM roles used for S3 backup and AWS System Monitor
-AWS WAF uses Security Groups to group firewall rules, those groups are assigned to VM instances.
Data Security & Encryption
- Domain name xxx.yyyy.com is secured by a certificate registered at a trusted certificate authority.
- All browsers have certificate verification capabilities. The site with the correct certificate will have the “Green Lock” icon near the URL, which indicates the site is verified and trusted.
- All user’s traffic goes via HTTPS only and is encrypted.
- Browsers use HTTPS. When users try to enter via HTTP, they are automatically switched to HTTPS by the web application.
- The application uses HTTPS and certificate verification as well.
- It is safe to access web applications from public networks.
- All AWS volumes are encrypted
- S3 backup bucket is encrypted
Patch Management
OS / Security patches
Currently combination of manual and automated processes is used:
- YUM (Yellowdog Updater Modified), an open source command-line as well as graphical based package management tool for RPM (RedHat Package Manager) based Linux systems.
- AWS System Manager – ops automation including patching, updates
- System application Vuls daily scans systems to detect vulnerabilities, using multiple vulnerability databases NVD, RH OVAL, GHOST, etc.. Vulnerability reports can be reviewed by administrators. Vulnerabilities are presented along with update packages when available. Critical updates packages are automatically applied to the system. Administrator is alerted via email if system reboot or service(s) restart is required.
==END