Cloud Security Corner

 

​Learn Cloud Security with AWS  

Sangam Biradar

@sangamtwts

 

CloudSecurityCorner.com

 

 Sangam Biradar , Individual Open-Source Contributor

• Docker Community Leader Award Winner 2020

• Traefik , Okteto ambassador

• AWS Community Builder - 2022 - 2024

•BOS( Board of Studies – Alliance University , Bangalore )

•DevNetwork Board of DevRel Advisor

•Cybersecurity Innovator of Year 2023 by Bside Bangalore

•Packt Publication – Co author of Course on lightweight Kubernetes with K3s in 2019  

•Prev worked as Principal Security advocate / Senior Product Marketing Manager, Developer Advocate

Cloud Security Fundaments

Threat Detection and Incidence Response

Principles of Incidence Response

educate

Prepare 

Prepare 

Prepare 

simulate

Prepare 

Iterate

Demo - 1 -  IAM User

Dealing with compromised users

Dealing with compromised users

 

If the user has been assigned Access Keys, consider deactivating them..

 

Be cautious when deleting keys, as this may impact applications that rely on them.

 

Review all policies assigned to the user.

 

Monitor Cloudtrail events for any unusual activity

Addressing Compromised Users

 

Delete the compromised user account and recreate it.

 

If the user has long-term access credentials, transition to using IAM roles.

 

Roles utilize short-term credentials, offering enhanced security.

  Demo 2- Best security practices for managing EC2 Instances

  

General Consideration

Install only the necessary components on the EC2 instance to minimize the attack surface

 

Use host-based protection software

 

Restrict network access to the instance

 

Establish a baseline server configuration and monitor any changes against this baseline

 

Ensure all changes to the EC2 instance are audited.

 

EC2 Instance

Private Subnet

EC2 Instance

Public  Subnet

Elastic Network Interface

Network Access Control List

Security Groups

Configure Security Groups: Set up security group: rules to allow only the minimum necessary traffic.

Use Network Access Control Lists (NACLs): Implement NACLs to manage traffic at the subnet level.

Control and monitor interactive access to EC2 instances.

 

Provide user access based on the principle of least privilege.

 

If an application on the EC2 instance needs to access other AWS services, assign an IAM role to the EC2 instance

 

Always encrypt data at rest and in transit

 

Regularly update the EC2 instance with the latest security patches

 

Ensure a change management process is in place for all updates to the EC2 instance.

Demo - AWS Guard Duty

What is AWS Guard Duty ?

This is a continuous security monitoring service

 

This service analyses the following data sources - VPC flow logs , AWS CloudTrail event logs , DNS logs

 

it is used to identity unexpected and potentially unauthorised and malicious activities from within your AWS account

 

this does this with help of existing threat intelligence feeds and list that contain malicious IP's and domains

The Threats it can detect

Escalation of privileges

 

Uses of exposed credentials

 

Communication with malicious IP's , URL's or Domains

 

Detect compromised EC2 Instance having malware

 

Can also detect unauthorised infrastructure deployments in your AWS environment

How can we use amazon GuardDuty

                                                                 We have to enable it

​it is region specific resources

 

To get better coverage , you can enable the service in every region

 

you can also invite other accounts to use amazon guardDuty . if you do this your account becomes the master account you can then get the finding of your member accounts  

EC2 Encryption with key pairs

Configure Security Groups: Set up security group: rules to allow only the minimum necessary traffic.

Use Network Access Control Lists (NACLs): Implement NACLs to manage traffic at the subnet level.

Security logging and Monitoring

Amazon CloudWatch

Amazon CloudWatch agents

AWS CloudTrail

AWS Config

other tools available

Amazon CloudWatch

This service helps monitor all of  your AWS resources

 

Monitoring Can be carried out in real time

 

CloudWatch can be used to collect and track metrics

 

these metrics help you understand how your AWS resources and behaving  

 

You can then create alarms based on these metrics 

Amazon CloudWatch Agents

CloudWatch agents allows you to get more system level metrics from amazon EC2 Instances ​

 

You can also collect metrics from on-premise servers

 

you can also collect logs from Amazon EC2 Instances or on premise servers which could be running either linux or windows

Amazon cloudtrail

This service helps you enable governance , compliance and  operational and risk auditing for your AWS account

 

All actions taken by a user , role or an AWS service are recorded as events in AWS cloudtrail

 

These events could have taken place into AWS management console , AWS CLI Interface , the AWS SDKs and APIs

 

You Can Then create a trail which would persists these events

 

You can search these events later on for any suspicious activities

 

AWS Config

This service helps you record configuration changes to your AWS resources

 

You can also see how resources are related to each other

 

You can also define AWS config rules to check whether your resources are compliant or noncompliant with your organisation's policies

 

other tools available

VPC Flow logs - This can be used to log the network traffic flowing in and out your VPC

Simple Storage Access Logs - Gives you a better representation of how your S3 objects are being accessed

Elastic Load Balancer logs - Gives you a better representation on requests and responses being made to the Elastic Load Balancer

 

 

The Purpose of Amazon CloudWatch Logs 

Working with CloudWatch Logs

create AWS Lamada 

// index.js

exports.handler = asynx function(event, context) {
console.log("this is sample data");
return context.logStreamName;
}
filer @message like /test/

Insights

Working with CloudWatch Agents

what can you do with the cloud watch agents

You can use the agent to collect more system-level metrics from amazon EC2 instance this can be don e both windows and linux based system

 

you can also collect metrics from on-premise servers

 

You can also collect logs from Ec2 instance or on premise server running

 

you can also collect logs from EC2 instance servers running either windows or linux

 

How can you set this up

You can Install the agent  manually or set it up using software system manager

 

first you need to create an IAM role that allows the agent to send metrics to cloud watch

 

Download the required agent package

 

Modify the CloudWatch agent configuration file here you specify the metrics you want to collect

 

Install and stat the agent  

What are we going to do now

 

 

We will install apache2 on ubuntu EC2 instance

 

create an IAM role and attach it to the EC2 instance

 

Install the cloud watch agent

 

set the configuration file for the cloudwatch agent

 

Run the cloudwatch agent

 

sudo apt update 
sudo apt-get install apache2 
sudo service apache2 start 

### -- lets create new new role 
### -- attach policy - cloudwatchagentserverpolicy
### -- role name sangam


### -- Go to EC2 instance setting setup the role sangam
### -- install cloudwatch agent - 

wget https://amazoncloudwatch-agent.s3.amazonaws.com/ubuntu/amd64/latest/amazon-cloudwatch-agent.deb
sudo dpkg -i -E ./amazon-cloudwatch-agent.deb
sudo apt-get install awscli 
sudo aws configure --profile AmazonCloudWatchAgent
AWS Access ID : 
Key ID [None] :
Bundle Tasks : 
AWS Secret Access Key [None]:
Default region name [None]: us-east-2


sudo /opt/aws/amazon-cloudwatch-agent/bin/amazon-cloudwatch-agent-ctl -a status 

{
status :"stopped"
"starttime":
"version":
}

sudo /opt/aws/amazon-cloudwatch-agent/bin/amazon-cloudwatch-agent-config-wizard


log file path :
/var/log/apache2/access.log

sudo /opt/aws/amazon-cloudwatch-agent/bin/amazon-cloudwatch-agent-ctl -a fetch-config -m ec2 -c file:/opt/aws/amazon-cloudwatch-agent/bin/config.json -s 
sudo /opt/aws/amazon-cloudwatch-agent/bin/amazon-cloudwatch-agent-ctl -a status 


Working with Simple Storage Service

Access Logs

The purpose of S3 access logs

 

This can be useful for security and access audit report purposes

 

by default server access logging is disabled . you have a explicitly enable it

 

the logs can be written to the same bucket or a different bucket . it is recommended to use a different bucket for log data

 

when server access logging is enabled via  the console , a bucket ACL grant for the log deliver group to write data is set on destination bucket

 

there is no charge for enabling S3 access logs

 

but there will be a charge for the storage of log data

 

 

 

create s3 bucket -> permission -> access control list -> s3 log delivery group - log delivery  

Working with AWS CloudTrail

Governance and Compliance

the event history is available for the past 90 days

 

you can use the history to view , search and download activity during this time period

 

you can also create a trail to persist the events

 

the events can be send to CloudWatch Logs or to an S3 bucket

 

you can create a trail that applies to all regions

 

you can create a trail that just applies to one region   

What is AWS CloudTrail

if  you have an an AWS organisation ​, you can  also  create an organisation trail

 

the trail is applied to the master account

 

the event get recorded for all of the member accounts as well

 

​All of the CloudTrail event log file are encrypted using amazon S3 server-side encryption 

 

you can also use the Key Management service to encrypt the log files

When configuring a trail ,  you can choose to log data and management events

 

Data events events performed on a resource such as Amazon S3 object level API activity or AWS Lambda function execution

 

Management events are those events performed at the control plane . for example attaching an IAM role

 

CloudTrail - cross account logging

AWS account 

AWS account 

AWS CloudTrail 

AWS CloudTrail 

S3 bucket

We have to ensure the bucket policy for the destination bucket allows for multiple to write data

 

bucket policy -> permission

VPC Flow Logs

Monitoring your VPC

What are VPC Flow Logs

 

this is a feature that enables you to capture information on the traffic flowing into and out of the network interface from within a VPC

 

The Flow log data can be sent to Amazon CloudWatch logs and Amazon S3

 

A Flow log can be created for VPC , a subset or just a network interface

 

when flow logs are activated it will take around several minutes to start receiving the data

 

#Different Fields Format
version account-id interface-id srcaddr dstaddr srcport dstport protocol packets bytes start end action log-status
#Accept SSH traffic on port 22
2 123456789010 eni-1235b8ca123456789 172.16.0.20 172.16.0.100 20641 22 6 20 4249 1418530010 1418530070 ACCEPT OK
# Reject SSH traffic on port 22
2 123456789010 eni-1235b8ca123456789 172.16.0.36 172.16.0.120 49761 22 6 20 4249 1418530010 1418530070 REJECT OK

VPC Flow Logs

We are going to enable VPC flow logs for a network interface

 

​we will send the logs to CloudWatch Logs

 

​we need to also have an IAM role in place to VPC flow logs to send the data to CloudWatch Logs

 

IAM role - ec2 - create policy - json

edit trust relationship  

 

AWS Athena

This is an interactive query service that allows you to analyse data directly from s3

 

AWS Athena is a serverless service

 

Here you don't need any infrastructure setup service

 

you can query and analyse unstructured , semi - structured and structured data stored in AWS s3

 

Tha data could be in various formats such as CSV , JSON , Apache Parquet or Apache ORC

Infrastructure security

What is VPC ?

This is a separate part of the AWS cloud network

 

​it allows you to launch resources into virtual network

 

a virtual private cloud is logically isolated from other virtual network in the AWS cloud

 

A VPC contains a specific IP address range

 

​in the VPC you define subnets

 

​Each subnets is a range of IP addressed in the VPC

 

Components of a VPC

Security for VPC

Security Groups - this is like a virtual firewall that cam control inbound and outbound traffic into your instance

 

in the security groups you add inbound an outbound rules to control the traffic

 

bye default no traffic is allowed into an instance

 

you have to explicitly add inbound rules in the security groups to allow traffic to flow into the instance

 

Security Groups are stateful - this means that if you send a request to the instance if the request is allowed the response will be allowed irrespective of the outbound rules set in the security group

 

Network access control list - this is like a virtual firewall that can control inbound and outbound traffic into your subnets

 

​each network access control list consists of inbound and outbound rules

 

​the network access control list by default allows all inbound and outbound traffic

 

each subset needs to be associated with a network access control list

 

network access control lists are stateless . even if a request is allowed via an inbound rule the response would be subject to the outbound rules

 

Demo - Setting up the  VPC 

Create a new VPC in the Ohio regime

 

Create a new subnet in the VPC

 

Ensure the DNS hostnames assignment is set for the VPC

 

​Ensure the public IP address setting is made for the subnet in the VPC

 

Create an internet gateways and attach it to the VPC

 

Modify the route tables to ensure traffic destination from the internet can flow via the internet gateway

 

​Launch an EC2 Instance in the new VPC

 

Demo - Security Groups 

Install apache2 on the server

Change the security groups to allow traffic into our instance

 

Amazon EC2 instance 

 

inbound rules 

 

port 80

Amazon RDS instance 

 

mysql 3306

Database - inbound rule 

 

- add an inbound rule to allow traffic from -> 

Security group sever 

Amazon EC2 instance

Internet 

We need to add an outbound rule to allow an outgoing request on port 80 

mysql -h endpoint -p 3306 -u admin -p 

IAM - identity and access management

This service allows you to securely control access to AWS resources

 

You can control who is allowed to sign in - the authentication process

 

You can also control who is allowed to use resources - the authorisation process

 

IAM User - this represents a person or a service that would interact with AWS

 

the user would either access the console or make programmatic access calls to AWS service

 

you could place the user in an IAM group

 

you could assign permission to the user

 

IAM  Groups - this is a collection of IAM user

 

you can assign permission at the group level

 

​IAM roles - this is an identity in AWS . you can assign permission to an IAM role

 

A role is not associated with any access key or password so it is  a secure way of accessing AWS resources  

Policies and permissions

You Manage access to AWS resources with help of policies

 

Policies are mostly stored in AWS as JSON documents

 

 

there are different types of policies

 

​- identity based policies- these are attached to users , groups or roles

 

- Resource based Policies - some AWS service can have their own policies for example in the simple storage service you can create bucket Policies  

 

- Permission Boundaries - this can be used to define the maximum permission that can be assigned to an IAM entity

 

- Organization Service Control Policy - this can be used to define the maximum permission that can be assigned to members of an organization  

 

​- Access control list- some AWS service use access control lists an example is the simple storage service

 

- Session Policies these are policies used during a particular session  

Data Protection

This is a service that allows you to store and retrieve virtually any amount of data from the web

 

in the service you go ahead and create buckets to store the data

 

Each object in the bucket is addressable via a URL

 

Each object has a key which is a unique identifier for the object with the bucket

 

In term of security the service provider the following capabilities

 

encryption of data at rest and transit - this can done with either server side or client side encryption

 

You can manage access to the bucket and its objects via identity and access management policies , bucket policies or access control lists

Access control List

Access control list can be used to manage access to buckets and underlying objects

 

these are just used to grant basic read / write permission

 

you can grant ACL's for both the buckets and there underlying objects

 

when to use ACL's

 

Granting access to individual objects using a bucket policy for gibing access to individual files is not recommended

Management and security Governance

What is AWS trusted advisor service ?

You can use this service to get recommendation on how to improve aspect of your AWS resources

 

You get recommendation based on cost optimazation performance , security fault tolerance and service limit

 

​if you apply for business and enterprise support you get access to full set of trusted advisor checks and recommendations

 

You can also get weekly updates you can also create alerts and automate actions with the amazon CloudWatch service  

Meet the Team

CFO

George

CEO

Elaine

COO

Susan

Made with Slides.com