Leverage encryption and how keys will or should be replicated
- Encryption
  - TLS/SSL
    - prevents MITM
  - KMS (Key Management Service)
    - Symmetric (AES-256)
    - Asymmetric (RSA, ECC)
    - Multi-Region Key
  - SSM Parameter Store
  - Secrets Manager
    - newer version of Parameter Store
- ACM (AWS Certificate Manager)
- WAF (Web Application Firewall)
- Shield (DDoS Protection)
- Firewall Manager
  - firewall rule manager for all accounts
- GuardDuty
  - AWS account threat discovery
- Inspector
  - security assessments
- Macie
  - sensitive personal information
KMS
- Anytime you hear “encryption” for an AWS service, it’s most likely KMS
- AWS manages encryption keys for us
- Fully integrated with IAM for authorization
- Easy way to control access to your data
- Able to audit KMS Key usage using CloudTrail
- Seamlessly integrated into most AWS services (EBS, S3, RDS, SSM…)
- Never ever store your secrets in plaintext, especially in your code!
- KMS Key Encryption also available through API calls (SDK, CLI)
- Encrypted secrets can be stored in the code / environment variables
keys
- key types
  - AWS owned keys (free) - SSE-S3, SSE-SQS, SSE-DDB (default key)
  - AWS managed keys (free) - aws/service-name (aws/rds, aws/ebs)
  - customer managed keys created in KMS - $1/month
  - customer managed keys imported (symmetric) - $1/month
- pricing: pay per API call to KMS - $0.03 per 10,000 calls
- key rotation
  - AWS-managed key - automatic every 1 year
  - customer-managed key - (must be enabled) automatic every 1 year
  - imported KMS key - only manual rotation possible, using an alias
- multi-region key
  - replicas have the same key ID, key material and automatic rotation
  - not global (one primary + replicas)
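Added example (not part of these notes) of the "encrypted secret in an environment variable" pattern from the KMS bullets above: the secret is encrypted once via the KMS API and only the ciphertext is stored, then decrypted at runtime. The key alias, the variable name and the FakeKms stand-in are assumptions; the client is injected so the same code runs against a real boto3 KMS client.

```python
"""KMS Encrypt/Decrypt of a small secret kept in an environment variable.
Added example; 'alias/my-app' and APP_DB_PASSWORD_ENC are assumed names."""
import base64
import os

# KMS Encrypt/Decrypt take at most 4 KB of plaintext; anything larger
# needs a data key (envelope encryption) instead.
KMS_DIRECT_LIMIT = 4096


def encrypt_for_env(kms, key_id: str, plaintext: str, app: str) -> str:
    """Return base64 ciphertext suitable for an environment variable.
    EncryptionContext is authenticated (not secret) metadata: Decrypt
    fails unless the same context is supplied, and it shows up in
    CloudTrail, which is how KMS key usage is audited."""
    data = plaintext.encode()
    if len(data) > KMS_DIRECT_LIMIT:
        raise ValueError("use GenerateDataKey / envelope encryption above 4 KB")
    resp = kms.encrypt(KeyId=key_id, Plaintext=data,
                       EncryptionContext={"app": app})
    return base64.b64encode(resp["CiphertextBlob"]).decode()


def decrypt_from_env(kms, var: str, app: str, env=os.environ) -> str:
    """Decrypt the ciphertext stored in environment variable `var`."""
    blob = base64.b64decode(env[var])
    resp = kms.decrypt(CiphertextBlob=blob, EncryptionContext={"app": app})
    return resp["Plaintext"].decode()


class FakeKms:
    """Constructed stand-in for boto3's KMS client (offline demo only):
    no real cryptography, just the same call and response shape,
    including the context check that KMS enforces."""
    @staticmethod
    def _ctx(context):
        return "&".join(f"{k}={v}" for k, v in sorted(context.items()))

    def encrypt(self, KeyId, Plaintext, EncryptionContext):
        header = f"{KeyId}|{self._ctx(EncryptionContext)}|".encode()
        return {"KeyId": KeyId, "CiphertextBlob": header + Plaintext[::-1]}

    def decrypt(self, CiphertextBlob, EncryptionContext):
        key_id, ctx, rest = CiphertextBlob.split(b"|", 2)
        if ctx.decode() != self._ctx(EncryptionContext):
            raise PermissionError("InvalidCiphertextException: context mismatch")
        return {"KeyId": key_id.decode(), "Plaintext": rest[::-1]}


if __name__ == "__main__":
    try:
        import boto3                      # real KMS when credentials exist
        kms = boto3.client("kms")
    except Exception:
        kms = FakeKms()
    env = {"APP_DB_PASSWORD_ENC": encrypt_for_env(kms, "alias/my-app", "s3cr3t", "my-app")}
    print(decrypt_from_env(kms, "APP_DB_PASSWORD_ENC", "my-app", env))
```

Decrypting with a different EncryptionContext (for example from another application's code) fails, which is the property that makes the context useful as an access boundary.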
SSM Parameter Store
- hierarchical names, e.g. /my-department/my-app/{dev|prod}/db-url
- Secure storage for configuration and secrets
- Optional seamless encryption using KMS
- Serverless, scalable, durable, easy SDK
- Version tracking of configurations / secrets
- Security through IAM
- Notifications with Amazon EventBridge
- Integration with CloudFormation
- advanced policies
  - allow assigning a TTL (expiration) to a parameter
  - can assign multiple policies at a time
Secrets Manager
- Newer service, meant for storing secrets
- Capability to force rotation of secrets every X days
- Automate generation of secrets on rotation (uses Lambda)
- Integration with Amazon RDS (MySQL, PostgreSQL, Aurora)
- Secrets are encrypted using KMS
- Mostly meant for RDS integration
- multi-region secrets
  - replicate secrets across regions
  - Secrets Manager keeps read replicas in sync with the primary secret
  - capable of promoting a read replica to a standalone secret
AWS Certificate Manager (ACM)
- Easily provision, manage, and deploy TLS certificates
- Provides in-flight encryption for websites (HTTPS)
- Supports both public and private TLS certificates
- Free of charge for public TLS certificates
- Automatic TLS certificate renewal
- Integrations with (loads TLS certificates on)
  - Elastic Load Balancers (CLB, ALB, NLB)
  - CloudFront distributions
  - APIs on API Gateway
- cannot use ACM with EC2 (the private key can't be extracted)
WAF
- layer 7 (HTTP) protection
- deploys on
  - ALB
  - API Gateway
  - CloudFront
  - AppSync GraphQL API
  - Cognito User Pool
- Web ACL rules
  - IP Set
  - HTTP headers/body, URI strings
  - size constraints, geo-match
  - rate-based rules - DDoS protection
Shield
- DDoS: Distributed Denial of Service – many requests at the same time
- AWS Shield Standard:
  - Free service that is activated for every AWS customer
  - Provides protection from attacks such as SYN/UDP floods, reflection attacks and others
- AWS Shield Advanced:
  - Optional DDoS mitigation service ($3,000 per month per organization)
  - Protects against more sophisticated attacks on Amazon EC2, Elastic Load Balancing (ELB), Amazon CloudFront, AWS Global Accelerator, and Route 53
  - 24/7 access to the AWS DDoS Response Team (DRT)
  - Protects against higher fees during usage spikes due to DDoS
  - Shield Advanced automatic application layer DDoS mitigation automatically creates, evaluates and deploys AWS WAF rules to mitigate layer 7 attacks
Firewall Manager
- Manage rules in all accounts of an AWS Organization
- Security policy: common set of security rules
  - WAF rules (Application Load Balancer, API Gateways, CloudFront)
  - AWS Shield Advanced (ALB, CLB, NLB, Elastic IP, CloudFront)
  - Security Groups for EC2, Application Load Balancer and ENI resources in VPC
  - AWS Network Firewall (VPC level)
  - Amazon Route 53 Resolver DNS Firewall
- Policies are created at the region level
- Rules are applied to new resources as they are created (good for compliance) across all current and future accounts in your Organization
WAF vs Firewall Manager vs Shield
- WAF, Shield and Firewall Manager are used together for comprehensive protection
- Define your Web ACL rules in WAF
- For granular protection of your resources, WAF alone is the correct choice
- If you want to use AWS WAF across accounts, accelerate WAF configuration, automate the protection of new resources, use Firewall Manager with AWS WAF
- Shield Advanced adds additional features on top of AWS WAF, such as dedicated support from the Shield Response Team (SRT) and advanced reporting.
- If you’re prone to frequent DDoS attacks, consider purchasing Shield Advanced
GuardDuty
- Intelligent Threat discovery to protect your AWS Account
- Uses Machine Learning algorithms, anomaly detection, 3rd party data
- One click to enable (30 days trial), no need to install software
- Input data includes
  - CloudTrail Events Logs – unusual API calls, unauthorized deployments
    - CloudTrail Management Events – create VPC subnet, create trail, …
    - CloudTrail S3 Data Events – get object, list objects, delete object, …
  - VPC Flow Logs – unusual internal traffic, unusual IP address
  - DNS Logs – compromised EC2 instances sending encoded data within DNS queries
  - Optional Features – EKS Audit Logs, RDS & Aurora, EBS, Lambda, S3 Data Events, …
- Can set up EventBridge rules to be notified in case of findings
  - EventBridge rules can target AWS Lambda or SNS
- Can protect against CryptoCurrency attacks (has a dedicated “finding” for it)
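Added example (not part of these notes) of the EventBridge notification path above: a rule pattern that forwards only High-severity GuardDuty findings to an SNS topic, with a small local evaluator so the pattern can be checked against a constructed finding offline. The rule name, topic ARN and sample finding are assumptions.

```python
"""EventBridge rule for High-severity GuardDuty findings -> SNS.
Added example; rule name, topic ARN and the finding below are constructed."""
import json

RULE_NAME = "guardduty-high-severity"                          # assumed
TOPIC_ARN = "arn:aws:sns:us-east-1:123456789012:sec-alerts"    # placeholder


def high_severity_pattern(min_severity: float = 7.0) -> dict:
    """GuardDuty severity runs 0.1-8.9: Low 1-3.9, Medium 4-6.9, High 7+.
    EventBridge numeric matching filters on detail.severity."""
    return {
        "source": ["aws.guardduty"],
        "detail-type": ["GuardDuty Finding"],
        "detail": {"severity": [{"numeric": [">=", min_severity]}]},
    }


def matches(pattern: dict, event: dict) -> bool:
    """Local evaluation of the subset of EventBridge pattern syntax used
    above: exact-match string lists plus one numeric comparison."""
    if event.get("source") not in pattern["source"]:
        return False
    if event.get("detail-type") not in pattern["detail-type"]:
        return False
    op, threshold = pattern["detail"]["severity"][0]["numeric"]
    sev = event.get("detail", {}).get("severity")
    if sev is None:
        return False
    return {">=": sev >= threshold, ">": sev > threshold,
            "<=": sev <= threshold, "<": sev < threshold}[op]


# Constructed finding in the shape GuardDuty publishes to EventBridge.
SAMPLE_FINDING = {
    "source": "aws.guardduty",
    "detail-type": "GuardDuty Finding",
    "detail": {"severity": 8, "type": "CryptoCurrency:EC2/BitcoinTool.B!DNS",
               "accountId": "123456789012", "region": "us-east-1"},
}


def deploy(events_client, topic_arn: str = TOPIC_ARN) -> None:
    """Create the rule and SNS target with a boto3 'events' client.
    The topic's access policy must also allow events.amazonaws.com to
    Publish, or deliveries fail silently."""
    events_client.put_rule(Name=RULE_NAME, State="ENABLED",
                           EventPattern=json.dumps(high_severity_pattern()))
    events_client.put_targets(Rule=RULE_NAME,
                              Targets=[{"Id": "sns", "Arn": topic_arn}])


if __name__ == "__main__":
    print(matches(high_severity_pattern(), SAMPLE_FINDING))   # True
    # import boto3; deploy(boto3.client("events"))   # needs credentials
```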
Amazon Inspector
- automated security assessments
- For EC2 instances
  - leveraging the AWS Systems Manager (SSM) agent
  - analyze against unintended network accessibility
  - analyze the running OS against known vulnerabilities
- For container images pushed to Amazon ECR
  - assessment of container images as they are pushed
- For Lambda functions
  - identifies software vulnerabilities in function code and package dependencies
  - assessment of functions as they are deployed
- reporting & integration with AWS Security Hub
- send findings to Amazon EventBridge
AWS Macie
- Amazon Macie is a fully managed data security and data privacy service that uses machine learning and pattern matching to discover and protect your sensitive data in AWS
- Macie helps identify and alert you to sensitive data, such as personally identifiable information (PII)
Quick Catchup
- SSM Parameters Store can be used to store secrets and has built-in version tracking capability. Each time you edit the value of a parameter, SSM Parameter Store creates a new version of the parameter and retains the previous versions. You can view the details, including the values, of all versions in a parameter’s history.
- AWS Firewall Manager is a security management service that allows you to centrally configure and manage firewall rules across your accounts and applications in AWS Organizations. It is integrated with AWS Organizations so you can enable AWS WAF rules, AWS Shield Advanced protection, security groups, AWS Network Firewall rules, and Amazon Route 53 Resolver DNS Firewall rules.
- Amazon Macie is a fully managed data security service that uses Machine Learning to discover and protect your sensitive data stored in S3 buckets. It automatically provides an inventory of S3 buckets including a list of unencrypted buckets, publicly accessible buckets, and buckets shared with other AWS accounts. It identifies and alerts you to sensitive data, such as Personally Identifiable Information (PII).
- As the Edge-Optimized API Gateway uses a custom AWS-managed CloudFront distribution behind the scenes to route requests across the globe through CloudFront Edge locations, the ACM certificate must be created in us-east-1.