AWS security specialty: PART 3 | Hackitect's playground

Learning for security specialty can be very tough. I am still sharing with all my readers my notes. This is not full learning material, but it can help you with basic points checkup before sitting the exam or looking for a specific topic, which you are solving now in your current project. Let’s start and enjoy!

DNS – Route 53 service

Route53 is a big part of the AWS SAA exam and you need to understand this service up and down. BAsic DNS is also helpful in every architect or engineer job.

Amazon Route 53 uses techniques like shuffle sharding and anycast striping against DoS
You can change and disable AWS DNS (VPC > DNS resolution checkbox). To change this you need to use DHCP option set.
If you want to have a new DHCP option set you need to create a new one. The default cannot be deleted.
DNS Query logging is available only for the public hosted domain.
Content of the log is the following:
- Domain or subdomain that was requested
- Date and time of the request,
- DNS record type,
- Route 53 edge location that responded to the DNS query,
- DNS response code.

Links:

Q: Do you know which routing options provide health checks ?

Flow logs

Flow logs are stored in the Cloud watch.
Tracking all the traffic from ENI within the VPC.
3 levels – VPC (all ENI traffic), subnet level (in particular subnet), Network interface level (ENI level)

Flow logs do not capture all IP traffic. The following types of traffic is not logged:

Traffic generated by instances when they contact the Amazon DNS server. If you use your own DNS server, then all traffic to that DNS server is logged.
Traffic generated by a Windows instance for Amazon Windows license activation.
Traffic to and from 169.254.169.254 for instance metadata.
Traffic to and from 169.254.169.123 for the Amazon Time Sync Service.
DHCP traffic.
Traffic to the reserved IP address for the default VPC router. For more information, see VPC and Subnet Sizing.
Traffic between an endpoint network interface and a Network Load Balancer network interface. For more information, see VPC Endpoint Services (AWS PrivateLink).

Important to know about VPC flow logs:
1) Cannot be tagged
2) The role IAM cannot be changed after it is assigned.
3) Monitoring on VPC peering can be anebled on VPC in the same account.

Default format of the FlowLog (need to know for exam):

<version> <account-id> <interface-id> <srcaddr> <dstaddr> <srcport> <dstport> <protocol> <packets> <bytes> <start> <end> <action> <log-status>

VPC endpoints

2 types – instances (1 ENI) and gateways (HA)
Route tables must be modified to use VPC endpoints.
Assign a private IP.
For gateways, there are only two options currently – S3 and DynamoDB

Link to read : VPC endpoints – Amazon Virtual Private Cloud

Interface endpoint is using ENI, which means that we can attach the security group.
Interface endpoints can be associated with multiple subnets (every subnet has ENI)
DNS with the service is modified by AWS.
You also not need to worry about managing the route table.
Private IP address allows accessing via VPN from on-premise. This is not possible with VPC endpoints.

Reserved addresses

10.0.0.0: Network address.
10.0.0.1: Reserved by AWS for the VPC router.
10.0.0.2: Reserved by AWS. The IP address of the DNS server is always the base of the VPC network range plus two; however, we also reserve the base of each subnet range plus two. For VPCs with multiple CIDR blocks, the IP address of the DNS server is located in the primary CIDR. For more information, see Amazon DNS Server.
10.0.0.3: Reserved by AWS for future use.
10.0.0.255: Network broadcast address. We do not support broadcast in a VPC, therefore we reserve this address.

AWS Athena

Can create serverless data structure over Cloudtrail logs.
Serverless solution
SQL like query services over S3 data.

AWS Macie

AWS Macie is built with machine learning (guard duty is also running on ML) and helps to detect the data types and PII (personally identifiable information) in sour AWS account and users having access to these personal data.

US east + west only limited to regions.
Needs cloud trail and S3 permissions.

Macie can classify your data based on following content classification methods:

Guard Duty

Guard duty is a threat intelligence platform from AWS.

7-14 days for baseline setup.
When you enable GuardDuty, you grant GuardDuty permissions to analyze AWS CloudTrail logs, VPC Flow Logs, and DNS query logs to generate security findings.
GuardDuty generates findings when it detects unexpected and potentially malicious activity in your AWS environment.
You can view and manage your GuardDuty findings on the Findings page in the GuardDuty console or by using the GuardDuty CLI or API operations.
You can also view your GuardDuty findings through Amazon CloudWatch events.

Pricing – 30 days free than on the quantity of cloud trail events / Volume of DNS and VPC flow log data.
Findings appear in Guardduty dashboard, Cloud Watch events and it can trigger a lambda function to address a threat.

Lists – you can add trusted IP lists or Threat list – own list of know malicious Ip addresses.

Accounts – you can monitor multiple accounts from GD.
Guard duty is having one disadvantage. ITs not monitoring all the logs (VPC flow logs, AWS Route 53 DNS logs, CLoud trail). EC2 Cloud watch logs are note monitored. For better monitoring and more detailed information is good to use a third-party solution like Splunk, Qradar, etc.
Centralized management

is done via the master account dashboard. You can add member accounts via invitation. The invitation is sent from master to member and member is accepting/rejecting it.

SES – simple email service

Throttling on port 25
TLS to SMTP
Supporting API and SDK
other open ports 587 or 2587.

Note: If there is a problem with your emails, its often the throttling on SES API.

Link: https://docs.aws.amazon.com/ses/latest/DeveloperGuide/smtp-connect

Complying with DMARC Using Amazon SES – Amazon Simple Email Service

Easy DKIM in Amazon SES – Amazon Simple Email Service

Instance metadata service

IMDS if allowing to the user to get an instance and role metadata. The first version was however vulnerable to server-side request forgery attacks so new version comes out.

You can get information about /security-credentials.
IF you are using the IAM role for an EC2 instance, in credentials is Secret key and access key ID + token and expiration. These keys are used to call the services from the associated role. The credentials are rotating.

IMDSv2 offers nrew feratures like :

Session authentication
Session token can only be used directly from the EC2 instance where that session began
Sessions can last up to six hours

IMDSv2offers protection agaist:

Open firewalls.
Open proxies
Server side request forgery
Protecting against open layer 3 firewalls and NATs

The public key can be taken from metadata 169.254.169.254/latest/meta-data/public-keys/0/openssh-key

Get the matadata from version one :

curl http://169.254.169.254/latest/user-data

Get the metadata from version 2:

TOKEN=`curl -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600"` \ && curl -H "X-aws-ec2-metadata-token: $TOKEN" -v http://169.254.169.254/latest/user-data

Configuration:

Configuring the Instance metadata service

Important reading:

Add defense in depth against open firewalls

DDoS protection

Known techniques – replication, amplification, packet flood

Mitigation

Minimizing the attack surface area
Be ready to scale to absorb the attack
Safeguard exposed resources (control and flexibility provided by WAF, Route53, and CloudFront)
CloudFront – Geoblocking, Origin Access identity (people can access to S3 using Cloud front URLs).
Route53 – Private DNS , Alias record sets
WAF -(AWS WAF or 3rd PArty fireawalls)
Learn normal behavior
Create the plan for attacks – understand the cost, increase resiliency, contact points

AWS Shiled

Offers syn and udp flood, L3/L4 protection.

Advanced – enhanced protection, 3000 dollars per month, DDoS response team 24×7, Realtime notification, HTTP flood protection

You can use aslo for absorbing the attack Autoscaling and CloudWatch.

API Gateway

Burst limit = 5000, after limit exceeded response is 429 Too many requests
The Burst limit is quite simply the maximum number of concurrent requests that API gateway will serve at any given point. So it is your maximum concurrency for the API,
API Throttling = 10 000 requests per second,
API gateway caching = caches responses to TTL default 300s , maximum 3600s, TTL = 0 > Caching is disabled. Must be enabled for the stage. API is deployed in stages (dev, test–)

Amazon API Gateway provides two basic types of throttling-related settings:

A) Server-side throttling limits are applied across all clients. These limit settings exist to prevent your API— and your account — from being overwhelmed by too many requests.
B) Per-client throttling limits are applied to clients that use API keys associated with your usage policy as a client identifier.

API Gateway throttling-related settings are applied in the following order:

Per-client per-method throttling limits that you set for an API stage in a usage plan
Per-client throttling limits that you set in a usage plan
Default per-method limits and individual per-method limits that you set in API stage settings
Account-level throttling.

AWS certificate manager

SSL certificated renew automatically for domains purchased in Route53
Certificates cannot be exported.
Automatic renewal is not available for private DNS and imported certificates.
You can use a cert with cloud front and ALB and it must be done separately.
ACM can provide certificates for CloudFront

Perfect forward secrecy –
ALB has different security policies for HTTPS traffic.
To enable the perfect forward secrecy we must enable the ECDHE cipher suites

Note: Certificates are stored in ACM or IAM.

Generating your reports about cettificate status can be done via AWS certificate manager.

AWS private certificate authority

Create an audit report:

You can generate a new report every 30 minutes
The audit report file has the following path and file name.
- CA_ID is the unique identifier of an issuing CA
- UUID is the unique identifier of an audit report.)

bucket-name/audit-report/CA-ID/UUID.[json|csv]

Creating an Audit Report for Your Private CA

Designing your CA is also very important task for HA is recommneded to have several Root CA in different Regions.

https://docs.aws.amazon.com/acm-pca/latest/userguide/ca-hierarchy.html

https://docs.aws.amazon.com/acm-pca/latest/userguide/ca-best-practices.html

Systems manager

System manager – Parameter store

https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-parameter-store.html

System manager run command

Commands can be applied to a group of instances selected manually or based on the tag.
SSM agents must be installed in EC2 instance.
The Commands and parameters are defined in Systems manager document
Commands can be issued via – CLI, SDK, AWS console, AWS Tools for PowerShell, Systems manager API.
SM can be used on-premise.

Patch manager

Patch manger automates the patching process for security and also common patches.

A patch baseline defines which patches are approved for installation on your instances. PAtch manager allsow you manage patching of your services in AWS and configure maintenance windows.

Maintannace windows – schedule for potentionaly disruptive events.

Compliance for patchingcan be view in:

Patch operations Sand and Install

Scan and install – will check the missing patches and install approved patvches from pathc baselines.

Scan only – will check the missing patches for you on the target patch group and report the missing patches.

More information at: https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-patch.html

Session manager

Session manager provides you the way how to manage your instances with session manager utility without the need of bastion host. The session manager provides centralized management with the use of IAM policies.

Session manager main features:

One-click access to instances from the console and CLI
Cross-platform support for both Windows and Linux
Port forwarding enabled
No open inbound ports and no need to manage bastion hosts or SSH keys

Important: SSM Agent must be installed on the instances you want to connect to through sessions.

Reading:

https://docs.aws.amazon.com/systems-manager/latest/userguide/session-manager-getting-started.html

Compliance

Compliance standards which you can discover during AWS architecture requirements:

ISO 27001
HIPPA
PCIDSS
FISMA
NIST
SOC1
SAS70
FEDRAMP

If you want to know AWS compliance check AWS artifact.

Link:

https://aws.amazon.com/artifact/getting-started/

Lambda (Serverless)

If lambda should terminate the EC2 instance it must have proper IAM permissions and assigned role.

Execution role – An execution role gives your Lambda function permission to upload logs and access other AWS services. Add policies to the execution role to give it access to downstream resources such as Amazon DynamoDB tables.
In addition to an execution role, your function also has a function policy that gives other AWS services permission to invoke it. When you add a trigger to your function, you might add permissions to the trigger resource’s role, the function execution role, or the function policy, depending on the trigger type.

Function policy – AWS offers managed permissions policies that you can add to your IAM role. Choose all the policies that apply to your function.

Resource-based policy – Resource-based policies enable you to grant usage permission to other accounts on a per-resource basis. You also use a resource-based policy to allow an AWS service to invoke your function.

Lambda can log the data events – extra charges are applied.

Troubleshooting

Cloud trail common problems:

Lambda or S3 data events are not enabled by default (Object level API activity). Must be explicitely enabled.
When you want to log in S3 bucket you provided wrong name
S3 bucket policy is incorrect
Cloud trail is not enabled
Auditor acces ? – IAM Readonly access must be asigned to user. (AWSCloudTrailReadOnlyAccess policy)

Infrastructure troubleshooting:

Check the Flow Logs for allow/deny traffic.
Check routing tables, NACLS, security groups
For explicit deny use ACL. Security groups deny by default
Peering = Routing tables update.

Additional troubleshooting notes:

IF you cannot access the CLoudWatch dashboard – Check the IAM if you have access to it.
You need to have cloudwatch:GET, cloudwatch:List* in your IAM Action part of the policy.
EC2 must be able to send the logs to CloudWatch:
- Cloud watch agent must be configured correctly : Installed and running
- Doest the EC2 instance permission to write to Cloud Watch logs.

For every service read please the troubleshooting part in docuemntation.

Link: Troubleshooting EC2 instances

AWS Directory Service

MFA on AD :
You can enable multi-factor authentication (MFA) for your AWS Managed Microsoft AD directory to increase security.

MFA offers an authentication code obtained from your virtual or hardware MFA solution.

To enable MFA, company must have an MFA solution that is RADIUS server, or you must have an MFA plugin to a RADIUS server implemented in on-premise.

Trust types are also important to know. There are types of trust one-directional and bidirectional.

Tutorial for trust setup:

https://docs.aws.amazon.com/directoryservice/latest/admin-guide/ms_ad_tutorial_setup_trust.html

Managed directory service:

powered by Windows Server 2012 R2
connected to your virtual private cloud (VPC)
the domain controllers run in different Availability Zones
updates are automatically configured and managed for you.

2 types of AWS directory service are available:

Standard Edition

AWS Managed Microsoft AD (Standard Edition) – companies (small-medium) with up to 5,000 employees. It provides you enough storage capacity to support up to 30,000 directory objects.

Enterprise Edition

AWS Managed Microsoft AD (Enterprise Edition) – support large organizations with up to 500,000 directory objects.

Directory service can be used plenty of tasks:

Manage users and groups
Provide single sign-on to applications and services
Create and apply group policy
Securely connect to Amazon EC2 Linux and Windows instances
Simplify the deployment and management of cloud-based Linux and Microsoft Windows workloads
You can use AWS Managed Microsoft AD to enable multi-factor authentication by integrating with your existing RADIUS-based MFA infrastructure to provide an additional layer of security when users access AWS applications.

AWS directory connector

AD Connector is a directory gateway with which you can redirect directory requests to your on-premises MS Active Directory with no need of storing the data in the cloud. AD Connector comes in two flavors, small and large. You can spread application traffic/load across multiple AD Connectors to scale to your performance requirements and needs.

Once set up, AD Connector offers the following benefits:

Your end-users and IT administrators can use their existing corporate credentials to log on to AWS apps.
You can manage AWS resources through IAM role-based access.
You can consistently enforce existing security policies.
You can use AD Connector to enable multi-factor authentication by integrating with your existing RADIUS-based MFA infrastructure to provide an additional layer of security when users access AWS applications.

What is RADIUS : Wiki RADIUS description

AWS Security Hub

Region-specific, every region must have a master Security hub.
Integration of Inspector, Guard duty, Macie and Pernet network platforms.
Remediation action with Lambda or Cloud watches events.
Can aggregate multiple accounts data.

And that’s all for the next part of our preparation cramming. WE are still not at the end!