One of the first design challenges firms will face when moving to the cloud is to secure network access from on-premise and from the Internet. A Networking High Level and End to End design document is needed, built by Networking SMEs. DNS, DHCP, SSO and protecting assets in dev-test and production are primary focal areas often left out of the discussion about ‘cloud’. Networking is probably the most complex aspect of migrating applications into the AWS cloud.
1: Bastion Hosts
For non-VPN, Internet based access use a Jump Box or Bastion Host in the Public Subnet. This allows an engineer to SSH into Port 22 on the production servers in the private subnet. You can track all activity (access, who, from where etc), with AWS System Manager ‘Session’ Manager. A Bastion secures outside-access in to the EC2 instance. A NAT (network address translation) gateway secures access from the private subnet EC instances out to the internet. You will likely be using both. AWS provides a managed NAT gateway, or you can set up your own NAT instance.
2: Virtual Private Networks
A VPN enables you to route traffic from an on-premise corporate network to the AWS VPC via the internet, using IP-SEC. A VPN is similar to the use of a Proxy connection and server. In Corporate environments, the VPN is a critical networking fabric used to connect to instances in Private Subnet. The VPN Server resides in the Public Subnet and you route your traffic via VPN server to instances in Public Subnet. You can still use a Bastion Host of course in conjunction with a VPN. A VPN’s primary purpose is to provide a secure on-premise to AWS connection. A Direct Connect backbone fiber connection (not internet based); can also be used and now you can layer a VPN inside a Direct Connection to provide low-latency IPSec communications.
3: Site to Site VPN Tunnels
A Site to Site (S2S) VPN allows two networking domains to communicate securely between each other over an untrusted network like the Internet. The two sites can be an AWS VPC and an on-premise datacenter or even two different VPC’s within AWS.
A Virtual Private Gateway (VGW) has built-in high availability for VPN connection. AWS automatically creates 2 HA endpoints, each in a different AZ.
4: VPC Peering
VPC peering is a network connection between two VPC that enables the communication between instances of both the VPC. VPC Peering is now possible between regions.
Unsupported VPC Peering Configurations: You cannot create a VPC peering connection between VPCs with matching or overlapping IPv4 CIDR blocks.
Unsupported VPC Peering Configurations: You have a VPC peering connection between VPC A and VPC B (pcx-aaaabbbb), and between VPC A and VPC C (pcx-aaaacccc). You cannot peer a connection between VPC B and VPC C. This means you cannot route packets directly from VPC B to VPC C through VPC A.
5: VPC Endpoints
AWS has public endpoints that used to be accessed from the internet only (S3 for instance). Now we can use “VPC Endpoints”, which are secure and highly reliable connections to services like S3, KMS, DynamoDB.
This means for example that EC2 instances within a private VPC can now connect to AWS public services without any need of NAT gateway or even Private Gateways. EC2 to DynamoDB Communication via VPC Endpoint:
This is called a gateway endpoint approach. Access policy is controlled through IAM – JSON documents.
Interface VPC Endpoint
AWS has introduced VPC endpoints which are different than gateway end-points:
- Interface VPC Endpoints are next-generation VPC endpoints.
- VPC endpoints are created inside your VPC.
- They have ENI and Private IP associated.
- Access control through security groups.
6: Network ACL
NACLs operate at the subnet level (each subnet is mapped to 1 NACL). Security Groups are firewalls at the instance level.
- Network ACL are stateless in nature.
- They operate at the subnet level instead of instance-level like Security Groups.
- All subnets in VPC must be associated with one NACL.
- By default, Network ACL contains full allow ingress and egress (inbound allow, outbound allows).
7: IPTABLES and Instance Meta Data
Instance Meta-Data can provide a lot of sensitive information that includes temporary credentials like AWS Access Key / Secret Key and Session Token. To view all categories of instance metadata from within a running instance, run the following command.
http://169.254.169.254/latest/meta-data/
Any user who has access to the server will be able to fetch that information. This can lead to a security risk. With IPTABLES, you can block access to the instance meta-data for the common users within servers.
iptables -A OUTPUT -m owner ! –uid-owner root -d 169.254.169.254 -j DROP
8: IDS/IPS
IDS = Intrusion Detection System
IPS = Intrusion Protection System
Within AWS, if you want to set up IDS and IPS you will need to use 3rd party products. This usually entails installing IDS-IPS agents on your server and routing packet traffic to a centralised server. It may also mean (as a 2nd option), setting up a VPC proxy fleet of IDS-IPS servers where every VPC flow is routed and analysed for security risks before being passed on to the production servers.
You have an IDS / IPS agents installed in the EC2 instance which will communicate to the central IDS / IPS appliance.
9: EBS Security
i) Before terminating an instance, customers can wipe the data in EBS.
ii) AWS also wipes the data immediately before the EBS is made for re-use.
iii) When the storage device has reached its end of use, they are decommissioned via detailed steps mentioned in NIST 800-88 or DoD 5220.22-M
Whenever an EC2 instance or EBS Volume is deleted:
i) Just right after EBS volume is deleted.
ii) After it’s being assigned for re-use for the second time
iii) Data is wiped immediately before re-use
iv) AWS does not wipe. It’s the customer’s responsibility.
10: CloudFront Origin Access Identity
CloudFront Origin Access Identity allows users to only access the contents of an S3 bucket via the CloudFront distribution. When OAI is enabled, CloudFront will add a bucket policy to the S3 bucket which will allow access only via the CloudFront distribution.
11: CloudFront Signed URLs
CloudFront Signed URLs mandates users to provide signed URLs or signed cookies to access the private content. CloudFront signed URLs can be generated by the trusted signers assigned in your AWS account.
12: AWS Shield
AWS Shield is a managed Distributed Denial of Service (DDoS) service that safeguards the workloads running on AWS against DDoS attacks. There are two tiers of AWS Shield:
- Shield Standard
- Shield Advanced
AWS Shield standard provides basic level protection against most common network and transport layer DDoS attacks. For a higher level of protection, you can subscribe to the Shield Advanced. Shield Advanced protects against large and sophisticated DDoS attacks with near-real-time visibility into the attacks that might be occurring. AWS Shield Advanced also gives customers 24×7 access to the AWS DDoS Response Team (DRT) during ongoing attacks. AWS Shield Advanced costs 3000$ per organization and requires Business or Enterprise Support.
One interesting part about AWS Shield Advanced is that during the attack, if your infrastructure has scaled, AWS will return you the amount that occurred during scaling in the form of credits. This is also referred to as Cost protection.
13: Mitigating DDoS
There are four key areas around DDOS mitigation:
- Scale up if there is surge in traffic
- Minimize the attack surface area
- Know what is normal and abnormal
- Create a Plan for Attack response (runbook)
Be Ready to Scale:
Your infrastructure should be designed to scale when the traffic increases. Use load-balancing, auto-scaling and Cloudwatch metrics.
Example: Whenever CPU load is more than 70% in Application servers, automatically add one more Application server to meet the needs. AWS Services: ELB, Auto Scaling
Minimize the attack surface area:
Decouple your infrastructure. Example: Application and Database should not be on the same server. AWS Services: SQS, Elastic BeanStalk
Know what is normal and abnormal:
Key metrics need to be defined to understand the behavior. Example: Website getting a huge surge in traffic in the middle of the night at 3 AM. AWS Services: CloudWatch, SNS.
Create a Plan for Attacks:
For example:
- Check whether the Source IP Address is the same.
- Check from which country the increased traffic is coming from.
- Nature of the attack (SYN Flood, Application Level)
- Can it be blocked with NACL or Security Group level
It is recommended to have AWS Support. At-least Business Support.
Following are some of the key AWS services involved in DDoS attack mitigation
- AWS Shield
- Amazon CloudFront
- Amazon Route53
- AWS WAF
- Elastic Load Balancing
- VPC & Security Groups
14: EC2 Key Pair Troubleshooting
Whenever we create an EC2 instance, we generally specify the associated key-pair. Often the keys are lost or compromised – even posted on Git or public code repo as part of the application code (in plain text no doubt).
i) Deleting the key-pair from the console will not delete the associated key from the EC2 instance.
ii) If we create a new instance from AMI of older instance, the public key specified while AMI creation will be appended to the authorized_keys.
15: EC2 Tenancy Attribute
Every EC2 instance that we launch in the VPC has a specific tenancy attribute associated with it. There are three tenancy attributes which are available:
i) Shared Tenancy
In this approach, your EC2 instance is launched on the shared hardware where EC2 instances of other customers also run.
ii) Dedicated Instance
Dedicated Instances are EC2 instances that run on the hardware which is dedicated to a single customer.
Dedicated instances may share the hardware with other EC2 instances that belong to the same AWS accounts.
iii) Dedicated Hosts
Dedicated Host is a physical server that allows us to use our existing per-socket, per-core or even per-VM based software licenses which includes Windows Server, SUSE, and various others. With dedicated hosts, we can use the same physical server over time, even if the instance is stopped and started.
16: Lambda@Edge
Lambda@Edge lets you run Lambda functions to customize content that CloudFront delivers. You can use Lambda functions to change CloudFront requests and responses at the following points:
- After CloudFront receives a request from a viewer (viewer request)
- Before CloudFront forwards the request to the origin (origin request)
- After CloudFront receives the response from the origin (origin response)
- Before CloudFront forwards the response to the viewer (viewer response)
17: AWS SES
AWS SES is a highly scalable platform that AWS offers for sending and receiving emails. Many firms have generic emails like [email protected] which are used to send emails to users for various reasons (registration, shipment, updates). You need a mail server installed on an EC2 instance with traffic throttled over port 25. To remove the throttle, you can make use of non-default ports or fill out the form to remove email sending limitations.
To access the AWS SES interface, you need to have an SES SMTP username and password. SMTP works on port number 25, 465 or 587. SMTP credentials should be used when we connect to the AWS SES SMTP endpoint.
18: DNS Support in VPC
There are two important attributes in VPC that determines DNS related resources.
If both attributes are set to true, the following occurs:
Instances with a public IP address receive corresponding public DNS hostnames.
The Amazon-provided DNS server can resolve Amazon-provided private DNS hostnames.
If both attributes are set to false, the following occurs:
Instances with a public IP address do not receive corresponding public DNS hostnames.
The Amazon-provided DNS server cannot resolve Amazon-provided private DNS hostnames.
19: AWS Artifact
The AWS Artifact portal provides on-demand access to AWS’ security and compliance documents, also known as audit artifacts including PCI DSS, HIPAA. GDPR and others. If the organization is using certain AWS services, then the auditor will ask the organization to show a certificate that the service is compliant.
==END