Learn Cloud Security with AWS
Sangam Biradar
@sangamtwts
CloudSecurityCorner.com
If the user has been assigned access keys, consider deactivating them.
Be cautious when deleting keys, as this may impact applications that rely on them.
Review all policies assigned to the user.
Monitor CloudTrail events for any unusual activity.
Delete the compromised user account and recreate it.
If the user has long-term access credentials, transition to using IAM roles.
Roles use short-term credentials, offering enhanced security.
General Considerations
Install only the necessary components on the EC2 instance to minimise the attack surface.
Use host-based protection software.
Restrict network access to the instance.
Establish a baseline server configuration and monitor any changes against this baseline.
Ensure all changes to the EC2 instance are audited.
(Diagram: EC2 instances in a public and a private subnet, each attached to an Elastic Network Interface; Network Access Control Lists apply at the subnet boundary and Security Groups at the instance.)
Configure Security Groups: set up security group rules to allow only the minimum necessary traffic.
Use Network Access Control Lists (NACLs): implement NACLs to manage traffic at the subnet level.
Control and monitor interactive access to EC2 instances.
Provide user access based on the principle of least privilege.
If an application on the EC2 instance needs to access other AWS services, assign an IAM role to the EC2 instance.
Always encrypt data at rest and in transit.
Regularly update the EC2 instance with the latest security patches.
Ensure a change management process is in place for all updates to the EC2 instance.
What is Amazon GuardDuty?
This is a continuous security monitoring service.
It analyses the following data sources: VPC Flow Logs, AWS CloudTrail event logs and DNS logs.
It is used to identify unexpected and potentially unauthorised or malicious activity within your AWS account.
It does this with the help of existing threat intelligence feeds and lists that contain malicious IPs and domains.
The threats it can detect:
Escalation of privileges
Use of exposed credentials
Communication with malicious IPs, URLs or domains
Compromised EC2 instances running malware
It can also detect unauthorised infrastructure deployments in your AWS environment.
How can we use Amazon GuardDuty?
We have to enable it.
It is a region-specific resource.
For better coverage, you can enable the service in every region.
You can also invite other accounts to use Amazon GuardDuty. If you do this your account becomes the master account, and you can then see the findings of your member accounts.
EC2 Encryption with key pairs
Amazon CloudWatch is a service that helps you monitor all of your AWS resources.
Monitoring can be carried out in real time.
CloudWatch can be used to collect and track metrics.
These metrics help you understand how your AWS resources are behaving.
You can then create alarms based on these metrics.
The CloudWatch agent allows you to get more system-level metrics from Amazon EC2 instances.
You can also collect metrics from on-premises servers.
You can also collect logs from Amazon EC2 instances or on-premises servers running either Linux or Windows.
AWS CloudTrail helps you enable governance, compliance, and operational and risk auditing for your AWS account.
All actions taken by a user, role or AWS service are recorded as events in AWS CloudTrail.
These events could have taken place in the AWS Management Console, the AWS CLI, or the AWS SDKs and APIs.
You can then create a trail, which persists these events.
You can search these events later for any suspicious activity.
AWS Config helps you record configuration changes to your AWS resources.
You can also see how resources are related to each other.
You can also define AWS Config rules to check whether your resources are compliant or noncompliant with your organisation's policies.
VPC Flow Logs - used to log the network traffic flowing in and out of your VPC.
S3 Server Access Logs - give you a better picture of how your S3 objects are being accessed.
Elastic Load Balancer access logs - give you a better picture of the requests and responses handled by the Elastic Load Balancer.
The purpose of Amazon CloudWatch Logs
Create an AWS Lambda function:
// index.js
// Logs one line and returns the name of the CloudWatch Logs stream it was written to
exports.handler = async function(event, context) {
  console.log("this is sample data");
  return context.logStreamName;
};
CloudWatch Logs Insights query to find the matching log lines:
filter @message like /test/
What can you do with the CloudWatch agent?
You can use the agent to collect more system-level metrics from Amazon EC2 instances; this can be done on both Windows and Linux based systems.
You can also collect metrics from on-premises servers.
You can also collect logs from EC2 instances or on-premises servers running either Windows or Linux.
How can you set this up?
You can install the agent manually or set it up using AWS Systems Manager.
First you need to create an IAM role that allows the agent to send metrics to CloudWatch.
Download the required agent package.
Modify the CloudWatch agent configuration file; here you specify the metrics you want to collect.
Install and start the agent.
What are we going to do now?
We will install apache2 on an Ubuntu EC2 instance.
Create an IAM role and attach it to the EC2 instance.
Install the CloudWatch agent.
Set the configuration file for the CloudWatch agent.
Run the CloudWatch agent.
sudo apt update
sudo apt-get install apache2
sudo service apache2 start
### -- create a new IAM role
### -- attach the policy CloudWatchAgentServerPolicy
### -- role name: sangam
### -- in the EC2 instance settings, attach the role sangam to the instance
### -- install the CloudWatch agent
wget https://amazoncloudwatch-agent.s3.amazonaws.com/ubuntu/amd64/latest/amazon-cloudwatch-agent.deb
sudo dpkg -i -E ./amazon-cloudwatch-agent.deb
sudo apt-get install awscli
sudo aws configure --profile AmazonCloudWatchAgent
AWS Access Key ID [None]:
AWS Secret Access Key [None]:
Default region name [None]: us-east-2
sudo /opt/aws/amazon-cloudwatch-agent/bin/amazon-cloudwatch-agent-ctl -a status
{
  "status": "stopped",
  "starttime": "",
  "version": ""
}
sudo /opt/aws/amazon-cloudwatch-agent/bin/amazon-cloudwatch-agent-config-wizard
### -- when the wizard asks for the log file path, enter:
/var/log/apache2/access.log
sudo /opt/aws/amazon-cloudwatch-agent/bin/amazon-cloudwatch-agent-ctl -a fetch-config -m ec2 -c file:/opt/aws/amazon-cloudwatch-agent/bin/config.json -s
sudo /opt/aws/amazon-cloudwatch-agent/bin/amazon-cloudwatch-agent-ctl -a status
Access Logs
The purpose of S3 access logs
These can be useful for security and access audit purposes.
By default server access logging is disabled; you have to explicitly enable it.
The logs can be written to the same bucket or a different bucket; it is recommended to use a different bucket for log data.
When server access logging is enabled via the console, a bucket ACL grant allowing the Log Delivery group to write data is set on the destination bucket.
There is no charge for enabling S3 access logs, but there will be a charge for the storage of log data.
Create S3 bucket -> Permissions -> Access control list -> S3 log delivery group: grant Log Delivery
Governance and Compliance
What is AWS CloudTrail?
The event history is available for the past 90 days.
You can use the history to view, search and download activity during this time period.
You can also create a trail to persist the events.
The events can be sent to CloudWatch Logs or to an S3 bucket.
You can create a trail that applies to all regions.
You can create a trail that applies to just one region.
If you have an AWS Organization, you can also create an organisation trail.
The trail is applied to the master account.
Events get recorded for all of the member accounts as well.
All CloudTrail event log files are encrypted using Amazon S3 server-side encryption.
You can also use the Key Management Service to encrypt the log files.
When configuring a trail, you can choose to log data events and management events.
Data events are events performed on a resource, such as Amazon S3 object-level API activity or AWS Lambda function execution.
Management events are those performed at the control plane, for example attaching an IAM role.
(Diagram: two AWS accounts, each running AWS CloudTrail, delivering their logs to a single shared S3 bucket.)
We have to ensure the bucket policy for the destination bucket allows multiple accounts to write data.
Bucket policy -> Permissions
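Added example, not from the original slides: build the bucket policy that lets CloudTrail in several accounts deliver to one bucket, and check an existing policy for member accounts it leaves out. The bucket name and account IDs are constructed placeholders.

```python
SERVICE = "cloudtrail.amazonaws.com"


def cloudtrail_bucket_policy(bucket, account_ids):
    """CloudTrail needs s3:GetBucketAcl on the bucket and s3:PutObject on
    AWSLogs/<account-id>/* for each account; the bucket-owner-full-control
    condition keeps ownership of delivered objects with the bucket owner."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "AWSCloudTrailAclCheck", "Effect": "Allow",
             "Principal": {"Service": SERVICE},
             "Action": "s3:GetBucketAcl",
             "Resource": f"arn:aws:s3:::{bucket}"},
            {"Sid": "AWSCloudTrailWrite", "Effect": "Allow",
             "Principal": {"Service": SERVICE},
             "Action": "s3:PutObject",
             "Resource": [f"arn:aws:s3:::{bucket}/AWSLogs/{a}/*" for a in account_ids],
             "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}}},
        ],
    }


def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])


def accounts_missing_write_access(policy, bucket, account_ids):
    """Return the account IDs with no Allow/PutObject statement for the
    CloudTrail service principal covering their AWSLogs/<account-id>/ prefix."""
    prefix = f"arn:aws:s3:::{bucket}/AWSLogs/"
    covered = set()
    for stmt in policy.get("Statement", []):
        principal = stmt.get("Principal")
        services = _as_list(principal.get("Service")) if isinstance(principal, dict) else []
        if stmt.get("Effect") != "Allow" or SERVICE not in services:
            continue
        if not {"s3:PutObject", "s3:*"} & set(_as_list(stmt.get("Action"))):
            continue
        for res in _as_list(stmt.get("Resource")):
            if res.startswith(prefix):
                covered.add(res[len(prefix):].split("/", 1)[0])
            elif res == f"arn:aws:s3:::{bucket}/*":  # wildcard over every prefix
                covered.update(account_ids)
    return sorted(set(account_ids) - covered)


if __name__ == "__main__":
    # Constructed placeholder bucket name and account IDs.
    policy = cloudtrail_bucket_policy("example-org-trail-logs", ["111111111111", "222222222222"])
    print(accounts_missing_write_access(policy, "example-org-trail-logs", ["111111111111", "333333333333"]))
```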
Monitoring your VPC
What are VPC Flow Logs?
This is a feature that enables you to capture information on the traffic flowing into and out of the network interfaces within a VPC.
The flow log data can be sent to Amazon CloudWatch Logs or Amazon S3.
A flow log can be created for a VPC, a subnet or just a network interface.
When flow logs are activated it takes several minutes to start receiving data.
# Default record format (field names)
version account-id interface-id srcaddr dstaddr srcport dstport protocol packets bytes start end action log-status
# Accepted SSH traffic on port 22
2 123456789010 eni-1235b8ca123456789 172.16.0.20 172.16.0.100 20641 22 6 20 4249 1418530010 1418530070 ACCEPT OK
# Rejected SSH traffic on port 22
2 123456789010 eni-1235b8ca123456789 172.16.0.36 172.16.0.120 49761 22 6 20 4249 1418530010 1418530070 REJECT OK
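Added example, not from the original slides: a parser for the default flow log record format shown above that summarises rejected SSH attempts per source address, skipping NODATA records that carry no addresses. The sample records are constructed in the same shape as the slide's example lines.

```python
from collections import Counter

# Field names of the default flow log record format shown above.
FIELDS = ("version account-id interface-id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log-status").split()

# Constructed sample records in the same shape as the slide's example lines.
SAMPLE_LOG = """\
2 123456789010 eni-1235b8ca123456789 172.16.0.20 172.16.0.100 20641 22 6 20 4249 1418530010 1418530070 ACCEPT OK
2 123456789010 eni-1235b8ca123456789 172.16.0.36 172.16.0.120 49761 22 6 20 4249 1418530010 1418530070 REJECT OK
2 123456789010 eni-1235b8ca123456789 172.16.0.36 172.16.0.121 49762 22 6 3 180 1418530010 1418530070 REJECT OK
2 123456789010 eni-1235b8ca123456789 - - - - - - - 1418530010 1418530070 - NODATA
"""


def parse_record(line):
    """Split one record into a dict keyed by field name; None if malformed."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    return dict(zip(FIELDS, parts))


def rejected_ssh_by_source(log_text):
    """Count REJECT records for TCP (protocol 6) destination port 22 per
    source address. Records whose log-status is not OK (NODATA, SKIPDATA)
    carry no addresses and are skipped."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None or rec["log-status"] != "OK":
            continue
        if rec["protocol"] == "6" and rec["dstport"] == "22" and rec["action"] == "REJECT":
            counts[rec["srcaddr"]] += 1
    return counts


if __name__ == "__main__":
    for src, n in rejected_ssh_by_source(SAMPLE_LOG).most_common():
        print(f"{src}: {n} rejected SSH connection attempt(s)")
```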
We are going to enable VPC Flow Logs for a network interface.
We will send the logs to CloudWatch Logs.
We also need an IAM role in place for VPC Flow Logs to send the data to CloudWatch Logs.
IAM -> Roles -> EC2 -> create policy (JSON)
Edit trust relationship
Amazon Athena is an interactive query service that allows you to analyse data directly from S3.
Amazon Athena is a serverless service.
Here you don't need to set up any infrastructure.
You can query and analyse unstructured, semi-structured and structured data stored in Amazon S3.
The data could be in various formats such as CSV, JSON, Apache Parquet or Apache ORC.
What is a VPC?
This is a separate part of the AWS cloud network.
It allows you to launch resources into a virtual network.
A virtual private cloud is logically isolated from other virtual networks in the AWS cloud.
A VPC contains a specific IP address range.
In the VPC you define subnets.
Each subnet is a range of IP addresses in the VPC.
Components of a VPC
Security Groups - this is like a virtual firewall that can control inbound and outbound traffic to your instance.
In the security group you add inbound and outbound rules to control the traffic.
By default no traffic is allowed into an instance.
You have to explicitly add inbound rules to the security group to allow traffic to flow into the instance.
Security groups are stateful: if a request to the instance is allowed in, the response is allowed out irrespective of the outbound rules set in the security group.
Network access control list - this is like a virtual firewall that can control inbound and outbound traffic to your subnets.
Each network access control list consists of inbound and outbound rules.
The default network access control list allows all inbound and outbound traffic.
Each subnet needs to be associated with a network access control list.
Network access control lists are stateless: even if a request is allowed via an inbound rule, the response is subject to the outbound rules.
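Added example, not from the original slides: a small model of the stateful/stateless difference described above, showing why a web server's NACL needs an outbound rule for the client's ephemeral port range even though the security group needs none. The rule sets and the 1024-65535 ephemeral range are constructed assumptions.

```python
def nacl_allows(rules, port):
    """Network ACL rules are (rule_number, from_port, to_port, action) and are
    evaluated in ascending rule-number order; the first rule whose port range
    matches wins, and the implicit final '*' rule denies anything unmatched."""
    for _, low, high, action in sorted(rules):
        if low <= port <= high:
            return action == "allow"
    return False


def sg_allows_inbound(inbound_ports, port):
    """Security groups hold only allow rules; nothing is allowed in unless an
    inbound rule exists for the port."""
    return port in inbound_ports


def http_request_succeeds(sg_inbound, nacl_inbound, nacl_outbound, client_port):
    """A client on the Internet connects to port 80 and the reply goes back to
    the client's ephemeral port. The request must pass both the security group
    and the NACL inbound rules. The reply passes the stateful security group
    automatically, but the stateless NACL re-checks it against outbound rules."""
    request_in = sg_allows_inbound(sg_inbound, 80) and nacl_allows(nacl_inbound, 80)
    reply_out = nacl_allows(nacl_outbound, client_port)
    return request_in and reply_out


# Constructed rule sets for a web server subnet (assumptions, not AWS defaults).
SG_WEB = {80}
NACL_IN = [(100, 80, 80, "allow")]
# Outbound NACL that only allows port 80: replies to ephemeral ports are dropped.
NACL_OUT_BROKEN = [(100, 80, 80, "allow")]
# Outbound NACL that allows the client's ephemeral port range (1024-65535 here;
# the exact range depends on the client operating system).
NACL_OUT_FIXED = [(100, 1024, 65535, "allow")]

if __name__ == "__main__":
    print("broken NACL:", http_request_succeeds(SG_WEB, NACL_IN, NACL_OUT_BROKEN, 50123))
    print("fixed NACL:", http_request_succeeds(SG_WEB, NACL_IN, NACL_OUT_FIXED, 50123))
```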
Create a new VPC in the Ohio region.
Create a new subnet in the VPC.
Ensure DNS hostname assignment is enabled for the VPC.
Ensure the auto-assign public IP address setting is enabled for the subnet in the VPC.
Create an internet gateway and attach it to the VPC.
Modify the route table to ensure traffic from the internet can flow via the internet gateway.
Launch an EC2 instance in the new VPC.
Install apache2 on the server.
Change the security group to allow traffic into our instance.
(Diagram: the Internet reaches the Amazon EC2 instance through an inbound rule on port 80; the Amazon RDS MySQL instance's security group has an inbound rule on port 3306 that allows traffic only from the EC2 instance's security group.)
We need to add an outbound rule to allow an outgoing request on port 80.
mysql -h <endpoint> -P 3306 -u admin -p
(uppercase -P sets the port; lowercase -p prompts for the password)
AWS Identity and Access Management (IAM) allows you to securely control access to AWS resources.
You can control who is allowed to sign in - the authentication process.
You can also control who is allowed to use resources - the authorisation process.
IAM User - this represents a person or a service that interacts with AWS.
The user would either access the console or make programmatic calls to AWS services.
You could place the user in an IAM group.
You could assign permissions to the user.
IAM Groups - a collection of IAM users.
You can assign permissions at the group level.
IAM Roles - an identity in AWS; you can assign permissions to an IAM role.
A role is not associated with any access key or password, so it is a secure way of accessing AWS resources.
Policies and permissions
You manage access to AWS resources with the help of policies.
Policies are mostly stored in AWS as JSON documents.
There are different types of policies:
- Identity-based policies - these are attached to users, groups or roles.
- Resource-based policies - some AWS services can have their own policies; for example, in the Simple Storage Service you can create bucket policies.
- Permissions boundaries - these can be used to define the maximum permissions that can be assigned to an IAM entity.
- Organizations service control policies - these can be used to define the maximum permissions that can be assigned to members of an organization.
- Access control lists - some AWS services use access control lists; an example is the Simple Storage Service.
- Session policies - these are policies used during a particular session.
Amazon S3 is a service that allows you to store and retrieve virtually any amount of data from the web.
In the service you create buckets to store the data.
Each object in the bucket is addressable via a URL.
Each object has a key, which is a unique identifier for the object within the bucket.
In terms of security the service provides the following capabilities:
Encryption of data at rest and in transit - this can be done with either server-side or client-side encryption.
You can manage access to the bucket and its objects via identity and access management policies, bucket policies or access control lists.
Access control lists can be used to manage access to buckets and the underlying objects.
These are just used to grant basic read/write permissions.
You can grant ACLs on both buckets and their underlying objects.
When to use ACLs:
Granting access to individual objects; using a bucket policy to give access to individual files is not recommended.
What is the AWS Trusted Advisor service?
You can use this service to get recommendations on how to improve aspects of your AWS resources.
You get recommendations based on cost optimisation, performance, security, fault tolerance and service limits.
If you have Business or Enterprise support you get access to the full set of Trusted Advisor checks and recommendations.
You can also get weekly updates, and you can create alerts and automate actions with the Amazon CloudWatch service.