Security
AWS Identity and Access Management (IAM)
AWS IAM is the service that provides authentication and authorization features.
It is a global service.
A root account is created by default. This account has full privileges over the account and must be well protected. Using MFA with the root account is highly advised.
A User entity is created in IAM for each person.
Users performing similar functions can be put into a Group.
Policies are permissions which can be assigned to Users and Groups.
An IAM Policy has the following fields:
- Sid
- Effect (mandatory)
- Principal
- Action (mandatory)
- Resource
- Condition
- Identity-based policies: attached to an IAM user, group, or role. These policies let you specify what that identity can do (its permissions).
- Resource-based policies: attached to a resource. For example, you can attach resource-based policies to Amazon S3 buckets, Amazon SQS queues, VPC endpoints, and AWS Key Management Service encryption keys.
An IAM Role is an entity that can be associated with AWS services, allowing them to assume permissions temporarily. When a service assumes a role, it gives up its original permissions and takes on the permissions assigned to the role.
Common use cases for IAM roles:
SNS, SQS and Lambda are examples of services that use resource-based policies.
Kinesis, Systems Manager Run Command and ECS tasks are examples of services that use roles.
Security Tools:
IAM Credentials Report runs at the account level to list all user accounts and their credential status.
IAM Access Advisor runs at the user level to show the service permissions granted to a user and when they were last accessed.
Some popular IAM condition keys are listed below:
- aws:SourceIp
- aws:RequestedRegion
- ec2:ResourceTag
- aws:MultiFactorAuthPresent
- aws:PrincipalOrgID
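The policy fields listed earlier and the condition keys just listed come together at evaluation time. The Python below is an added illustration, not AWS's evaluation engine: it models the basic IAM decision rule (an explicit Deny beats any Allow, and a request that matches nothing is implicitly denied) together with a handful of condition operators, then runs constructed requests against two sample policies. The bucket name, the office CIDR and the home region are placeholders.

```python
"""Tiny IAM-style policy evaluator (added illustration, not AWS's engine).

It applies the core IAM decision rule: an explicit Deny always wins, an
Allow in some statement is needed to grant access, and everything else is
an implicit deny. Only a subset of condition operators is modelled, enough
to exercise the condition keys named above: IpAddress / NotIpAddress for
aws:SourceIp, StringEquals / StringNotEquals for aws:RequestedRegion and
Bool for aws:MultiFactorAuthPresent.
"""
import fnmatch
import ipaddress


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _in_any_network(ip, cidrs):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c, strict=False) for c in cidrs)


def _condition_holds(condition, ctx):
    """Every operator/key pair in the Condition block must hold (logical AND)."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            expected = _as_list(expected)
            actual = ctx.get(key)
            if operator == "StringEquals":
                ok = actual in expected
            elif operator == "StringNotEquals":
                ok = actual not in expected
            elif operator == "Bool":
                ok = actual is not None and str(actual).lower() == str(expected[0]).lower()
            elif operator == "IpAddress":
                ok = actual is not None and _in_any_network(actual, expected)
            elif operator == "NotIpAddress":
                ok = actual is not None and not _in_any_network(actual, expected)
            else:
                raise ValueError(f"operator not modelled: {operator}")
            if not ok:
                return False
    return True


def _statement_matches(stmt, action, resource, ctx):
    actions = _as_list(stmt.get("Action", []))
    resources = _as_list(stmt.get("Resource", "*"))
    # IAM wildcards are * and ?; fnmatch's * also spans ':' and '/', as IAM's does.
    if not any(fnmatch.fnmatchcase(action, pattern) for pattern in actions):
        return False
    if not any(fnmatch.fnmatchcase(resource, pattern) for pattern in resources):
        return False
    return _condition_holds(stmt.get("Condition", {}), ctx)


def evaluate(policies, action, resource, ctx):
    """Return 'Allow', 'Deny' (explicit) or 'ImplicitDeny' for one request."""
    decision = "ImplicitDeny"
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if not _statement_matches(stmt, action, resource, ctx):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"          # an explicit deny short-circuits everything
            decision = "Allow"
    return decision


# Constructed sample policies: bucket name, CIDR and region are placeholders.
SAMPLE_POLICIES = [
    {   # identity-based policy: read one bucket, but only from the office range
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowReadsFromOffice",
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
            "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}},
        }],
    },
    {   # guardrail policy: explicit denies that no Allow can override
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "DenyOutsideHomeRegion", "Effect": "Deny", "Action": "*", "Resource": "*",
             "Condition": {"StringNotEquals": {"aws:RequestedRegion": "eu-west-1"}}},
            {"Sid": "DenyDeleteWithoutMFA", "Effect": "Deny", "Action": "s3:Delete*", "Resource": "*",
             "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "false"}}},
        ],
    },
]


def decide(action, source_ip, region, mfa):
    """Convenience wrapper over SAMPLE_POLICIES for a request on one object."""
    ctx = {"aws:SourceIp": source_ip, "aws:RequestedRegion": region,
           "aws:MultiFactorAuthPresent": "true" if mfa else "false"}
    return evaluate(SAMPLE_POLICIES, action, "arn:aws:s3:::example-bucket/report.csv", ctx)


if __name__ == "__main__":
    print(decide("s3:GetObject", "203.0.113.7", "eu-west-1", mfa=True))      # Allow
    print(decide("s3:GetObject", "198.51.100.9", "eu-west-1", mfa=True))     # ImplicitDeny
    print(decide("s3:GetObject", "203.0.113.7", "us-east-1", mfa=True))      # Deny
    print(decide("s3:DeleteObject", "203.0.113.7", "eu-west-1", mfa=False))  # Deny
```

The guardrail policy shows why an explicit Deny is the right tool for organisation-wide controls: the read permission is granted by the first policy, yet a request from the wrong region is still denied, and no additional Allow anywhere could change that.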
AWS Security Token Service (AWS STS) can be used to create and provide trusted users with temporary security credentials that can control access to your AWS resources. However, AWS STS does not control access to an application.
AWS IAM Identity Center
AWS IAM Identity Center (formerly AWS Single Sign-On) allows employees to sign in to a central portal using existing corporate credentials, simplifying account management.
It is a central platform for creating or connecting workforce identities in AWS.
It manages access centrally across multiple AWS accounts.
It is free of charge and can scale easily.
It can offer SSO for EC2.
Policies are attached through Permission Sets.
Amazon Cognito
Amazon Cognito is the Identity Provider (IdP) offering from Amazon.
Amazon Cognito provides authentication, authorization, and user management for your web and mobile apps. Users can sign in directly with a user name and password, or through a trusted third party.
It offers secure password storage, integration with an identity provider, quick start-up, pay as you go.
Cognito Identity Pools allow you to give applications temporary access to AWS resources.
Cognito can work with hundreds of users including mobile users and supports authentication with SAML.
Amazon Cognito can generate temporary credentials by invoking AWS STS.
AWS Directory Service
AWS Directory Service is a managed service for running a directory such as Microsoft Active Directory.
All objects are organized in trees and a group of trees is a forest.
Modes:
- Simple AD mode: a simple directory inside AWS. Uses the Samba protocol. Cannot integrate with on-premises systems.
- Managed Microsoft AD mode: an actual implementation of Microsoft AD. Can create a trust relationship with an on-premises directory.
AD Connector is a proxy to an on-premises Active Directory.
Amazon Verified Permissions
Amazon Verified Permissions is a scalable service for managing permissions in custom applications.
It centralizes policy management and uses the Cedar policy language.
It is currently in preview.
AWS Artifact
AWS Artifact is a centralized portal where customers can access AWS audit reports, to check against standards like SOC, PCI, ISO and HIPAA.
Amazon GuardDuty
Amazon GuardDuty uses machine learning to identify unauthorized access, compromised instances and potentially harmful network traffic.
It provides alerts and insights to help respond quickly to security threats.
It provides intelligent threat detection.
GuardDuty identifies threats and assigns each finding a severity score from 1 to 10; the lower the number, the lower the severity.
GuardDuty can be configured with a Trusted IP list and a Threat IP list.
Detection Categories:
- Reconnaissance
- Instance compromise
- Account compromise
- Bucket compromise
It can protect against cryptocurrency attacks.
Amazon Inspector
Amazon Inspector automatically scans workloads for software vulnerabilities and undesired network exposure.
It can scan EC2, ECS and Lambda. You need to specify which resources to scan using assessment targets / rules packages.
Features:
- Centrally manage your environment
- Easy to activate
- Continuous scanning when needed
- Lifecycle scanning
- Responsive scanning
- Provides findings
- Provides scores for the findings
- Centralized dashboard
- Customizable views
3 types of findings:
- Package vulnerabilities
- Code vulnerabilities
- Network reachability
Each finding is given a risk score for prioritization.
It offers reporting and integration with AWS Security Hub and can send findings to Amazon EventBridge.
Amazon Macie
Amazon Macie uses machine learning and pattern matching to identify PII.
Macie monitors S3 → discovers PII → EventBridge activates a trigger to run Lambda function → notification to data protection team to take action and follow compliance.
AWS Security Hub
AWS Security Hub collates findings from tools such as GuardDuty, Inspector, Macie, CloudWatch Events, Lambda and even external security tools.
AWS Key Management Service
AWS Key Management Service helps to manage cryptographic keys for encryption. KMS can be implemented for key management and enables automatic key rotation for encrypting and decrypting your data.
It integrates well with S3, EBS, RDS, CloudTrail and CloudWatch.
Types of keys:
- Customer managed keys: regular KMS keys, with a limit on the size of data they can encrypt directly. The customer has full control over these keys, and they have a cost associated. Key material can be imported as well.
- AWS managed keys: free of cost. They are prefixed with aws/. The customer cannot modify these keys.
- AWS owned keys: free of cost. These keys are used for the following types of encryption offered by AWS: SSE-S3, SSE-SQS, SSE-DDB.
AWS CloudHSM
HSM stands for Hardware Security Module.
All keys are securely stored on the HSM and they never leave this device.
AWS does not have access to these keys.
AWS Certificate Manager
Certificates are used for authentication, data encryption, data integrity. They are issued by CAs.
AWS Certificate Manager is a managed service to assist customers in generating certificates when they need a secure web presence using TLS.
ACM certificates are allowed for ELB, CloudFront and Amazon API Gateway.
ACM with CloudFront: to use a certificate in AWS Certificate Manager (ACM) to require HTTPS between viewers and CloudFront, make sure you request (or import) the certificate in the US East (N. Virginia) Region (us-east-1).
If you want to require HTTPS between CloudFront and your origin, and you’re using a load balancer in Elastic Load Balancing as your origin, you can request or import the certificate in any AWS Region.
ACM certificates cannot be directly attached to EC2, S3 or Lambda.
ACM is a regional service, meaning certificates generated in one region cannot be used in another region.
Flow involves:
- Requesting a certificate
- Domain ownership verification
- Certificate issuance
- Certificate management
- Integration with AWS services
- Automatic renewal
Features include:
- Automatic certificate provisioning
- Auto-renewal
- Seamless deployment
- Central management
- AWS integration
It is meant for public-facing use on the internet.
AWS Private Certificate Authority
AWS PCA is a scalable, secure, cost-effective solution for managing private certificates within an organization.
We can assign private certificates to internal servers and can integrate with ACM to help automatic renewal of certificates.
It is meant for use within a private organization.
AWS Secrets Manager
Passwords and credentials should not be saved in tools like GitHub.
AWS Secrets Manager helps you manage, retrieve, and rotate database credentials, application credentials, OAuth tokens, API keys, and other secrets throughout their lifecycles.
Many AWS services store and use secrets in Secrets Manager.
It helps you secure, manage and distribute secrets for your application.
Secrets can be created via the console, CLI or SDK. AWS Secrets Manager encrypts secrets at rest using keys stored in AWS KMS.
Lambda functions can routinely rotate the secrets.
With Secrets Manager, you can configure an automatic rotation schedule for your secrets. This enables you to replace long-term secrets with short-term ones, significantly reducing the risk of compromise. Since the credentials are no longer stored with the application, rotating credentials no longer requires updating your applications and deploying changes to application clients.
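The rotation described above works through versions and staging labels: clients fetch whichever version carries AWSCURRENT, the rotation function prepares a candidate under AWSPENDING, and only the final step moves the labels. The Python below is an added in-memory model of that lifecycle, not AWS's rotation Lambda or API; the database is a stand-in object and the initial password is a constructed placeholder.

```python
"""In-memory model of Secrets Manager rotation (added illustration, not AWS code).

Secrets Manager stores a secret as versions tagged with staging labels:
AWSCURRENT (what clients fetch by default), AWSPENDING (the candidate the
rotation function is preparing) and AWSPREVIOUS (the last good value). A
rotation Lambda runs four steps, createSecret, setSecret, testSecret and
finishSecret; only the last step moves AWSCURRENT, so a failure part-way
leaves clients on a credential that still works.
"""
import secrets
import uuid


class SecretStore:
    """Versions plus staging labels, mirroring the Secrets Manager data model."""

    def __init__(self, initial_value):
        version_id = str(uuid.uuid4())
        self.versions = {version_id: initial_value}
        self.labels = {"AWSCURRENT": version_id}   # label -> version id

    def get(self, stage="AWSCURRENT"):
        """What a client's GetSecretValue call returns for a staging label."""
        return self.versions[self.labels[stage]]

    def put_pending(self, value):
        version_id = str(uuid.uuid4())
        self.versions[version_id] = value
        self.labels["AWSPENDING"] = version_id
        return version_id


class FakeDatabase:
    """Stands in for the database whose password is being rotated."""

    def __init__(self, password, accepts_changes=True):
        self.password = password
        self.accepts_changes = accepts_changes   # False simulates a failed setSecret

    def login(self, password):
        return secrets.compare_digest(password, self.password)

    def set_password(self, current_password, new_password):
        # A real rotation authenticates with the current credential first.
        if self.accepts_changes and self.login(current_password):
            self.password = new_password


def rotate(store, db):
    """Run the four rotation steps; return the version id promoted to AWSCURRENT."""
    # createSecret: generate a candidate and label it AWSPENDING
    store.put_pending(secrets.token_urlsafe(24))
    # setSecret: apply the candidate to the database
    db.set_password(store.get("AWSCURRENT"), store.get("AWSPENDING"))
    # testSecret: prove the candidate works before any client is pointed at it
    if not db.login(store.get("AWSPENDING")):
        del store.labels["AWSPENDING"]   # discard the candidate label; AWSCURRENT untouched
        raise RuntimeError("candidate rejected by database; AWSCURRENT left unchanged")
    # finishSecret: move the labels; the old value stays reachable as AWSPREVIOUS
    store.labels["AWSPREVIOUS"] = store.labels["AWSCURRENT"]
    store.labels["AWSCURRENT"] = store.labels.pop("AWSPENDING")
    return store.labels["AWSCURRENT"]


def demo():
    """Successful rotation followed by one that fails at testSecret."""
    store = SecretStore("initial-placeholder-password")   # constructed value
    db = FakeDatabase(store.get())
    old = store.get()
    rotate(store, db)
    healthy = db.login(store.get()) and not db.login(old) and store.get("AWSPREVIOUS") == old

    # Second database refuses the change; rotation must not move AWSCURRENT.
    stubborn = FakeDatabase(store.get(), accepts_changes=False)
    before = store.get()
    try:
        rotate(store, stubborn)
        failed_safely = False
    except RuntimeError:
        failed_safely = (store.get() == before and stubborn.login(before)
                         and "AWSPENDING" not in store.labels)
    return healthy, failed_safely


if __name__ == "__main__":
    print(demo())   # (True, True)
```

The point for application teams is visible in `demo()`: a client that always reads the AWSCURRENT label never has to be redeployed when the value changes, and a rotation that fails its test leaves the label where it was.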
Systems Manager Parameter Store offers a secure storage for configuration and secrets. It enables version tracking for configuration and secrets.
Amazon Security Lake
Amazon Security Lake collects logs and events from multiple sources including AWS, on-premises systems and other clouds. All the logs are stored in an S3 bucket, and Amazon Athena can be used to query them using SQL.
The typical flow is as such:
Collect logs → store in S3 → Normalize AWS logs into Parquet / OCSF → Data or Query Access
Open Cybersecurity Schema Framework (OCSF) is a normalized schema that allows efficient querying across sources.
AWS WAF
AWS WAF protects web applications from common exploits at layer 7.
It can be deployed on ALB, API Gateway, CloudFront, AppSync GraphQL API, Cognito User Pool.
WAF monitors all HTTP requests made by clients to web applications.
WebACLs are a collection of rules for the WAF.
Rules can filter on IP addresses, HTTP headers, HTTP body, URI strings, request size and geographic origin (specific countries); rate-based rules protect against DDoS attacks.
It protects against most common attacks like cross-site scripting and SQL injection attacks.
WAF does not support the Network Load Balancer (Layer 4).
It can integrate with other services like Firewall Manager and CloudWatch.
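A rate-based rule is the WAF feature whose behaviour is easiest to misjudge, so the following Python is an added illustration of the idea (not AWS WAF code): a per-source-IP sliding window that blocks a client once its request count inside the window exceeds the limit, and allows it again once the old requests age out. The log lines, the limit of 100 and the 300-second window are constructed for the demo.

```python
"""Sliding-window rate-based rule in the spirit of an AWS WAF rate-based
statement (added illustration, not AWS code). AWS WAF counts requests per
source IP over a trailing window and blocks a source that exceeds the limit
until its rate drops back under it. Log lines, limit and window below are
constructed for the demo.
"""
from collections import defaultdict, deque


class RateBasedRule:
    def __init__(self, limit, window_seconds):
        self.limit = limit
        self.window = window_seconds
        self.hits = defaultdict(deque)   # source ip -> timestamps inside the window

    def evaluate(self, source_ip, ts):
        """Record one request and return the action for it."""
        window = self.hits[source_ip]
        window.append(ts)
        while window and window[0] <= ts - self.window:
            window.popleft()               # age out requests older than the window
        return "BLOCK" if len(window) > self.limit else "ALLOW"


def parse_line(line):
    """Constructed log format: '<epoch_seconds> <source_ip> <method> <uri>'."""
    ts, ip, method, uri = line.split(maxsplit=3)
    return int(ts), ip, method, uri


def run_rule(rule, log_lines):
    """Apply the rule to every line and tally actions per source IP."""
    tally = defaultdict(lambda: {"ALLOW": 0, "BLOCK": 0})
    for line in log_lines:
        ts, ip, _, _ = parse_line(line)
        tally[ip][rule.evaluate(ip, ts)] += 1
    return dict(tally)


# Constructed traffic: one client hits /login 120 times in two minutes,
# another browses normally.
SAMPLE_LOG = [f"{t} 203.0.113.7 POST /login" for t in range(120)] + \
             [f"{t * 30} 198.51.100.3 GET /" for t in range(5)]


def demo(limit=100, window_seconds=300):
    """Return (per-IP tally, action for the noisy client after the window passes)."""
    rule = RateBasedRule(limit, window_seconds)
    tally = run_rule(rule, SAMPLE_LOG)
    # Once the noisy client's old requests age out, it is allowed again.
    cooldown_action = rule.evaluate("203.0.113.7", 119 + window_seconds + 1)
    return tally, cooldown_action


if __name__ == "__main__":
    print(demo())   # ({'203.0.113.7': {'ALLOW': 100, 'BLOCK': 20}, '198.51.100.3': {'ALLOW': 5, 'BLOCK': 0}}, 'ALLOW')
```

The real service differs in two ways worth remembering when tuning a limit: it refreshes its counts periodically rather than on every request, and its window is fixed at five minutes, so this per-request model will block slightly earlier than WAF would on the same traffic.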
AWS Shield and AWS Shield Advanced
AWS Shield protects against DDoS attacks.
- Shield Standard: free service; protects against layer 3/4 attacks such as SYN/UDP floods.
- Shield Advanced: protects against more sophisticated attacks; 24x7 access to the AWS DDoS Response Team; cost protection against higher fees caused by usage spikes during an attack.
AWS Network Firewall
AWS Network Firewall provides network protection at the VPC level.
A firewall endpoint must be created; it is the entry and exit point for traffic to be inspected.
A separate subnet needs to be created for the firewall endpoints.
Firewall endpoints cannot protect resources in their own subnet.
The customer has to set up the route tables to route traffic through the firewall endpoints.
It provides a centralized place to manage firewall rules using rule groups, which helps to significantly simplify rule management. Rules can be specified on IP addresses, ports, protocols etc.
When traffic enters the VPC it gets handled by the Firewall Subnet and checked by the firewall. Once allowed, the traffic is forwarded to the subnet.
It can work with Transit Gateway if you need centralized protection for multiple VPCs. So you do not have to set up a separate Network Firewall for each of your VPCs.
Two distinct rules engines:
- Firewall Stateless Engine - ordered by rule priority setting
- Firewall Stateful Engine - ordered by action: pass, drop, alert
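The difference between the two engines is easiest to see with a packet run through both. The Python below is an added toy model, not AWS Network Firewall code: the stateless engine walks rules by priority and stops at the first match, while the stateful engine in default action order tries every pass rule, then every drop rule, then alert rules (which only log), no matter how the rules are listed. Addresses, rules and the default actions are constructed for the demo; in the real service the default actions are set in the firewall policy, and the stateful order also includes reject, which is omitted here.

```python
"""Toy model of the two AWS Network Firewall rule engines (added illustration,
not AWS code). Stateless: ascending priority, first match wins, with the
real engine's actions aws:pass, aws:drop and aws:forward_to_sfe (hand the
packet to the stateful engine). Stateful, default action order: all pass
rules, then all drop rules, then alert rules, regardless of list order.
Defaults used when nothing matches are assumptions for this demo.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    dport: int


@dataclass
class Rule:
    action: str
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: str = "any"
    dport: Optional[int] = None
    priority: int = 0       # stateless engine only
    msg: str = ""           # alert text, stateful engine only


def matches(rule: Rule, pkt: Packet) -> bool:
    if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(rule.src):
        return False
    if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(rule.dst):
        return False
    if rule.proto != "any" and rule.proto != pkt.proto:
        return False
    return rule.dport is None or rule.dport == pkt.dport


def stateless_evaluate(rules: List[Rule], pkt: Packet, default="aws:forward_to_sfe") -> str:
    """Priority order: lowest number first, first match wins."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if matches(rule, pkt):
            return rule.action
    return default


def stateful_evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, List[str]]:
    """Default action order: pass beats drop beats alert, whatever the list order."""
    if any(r.action == "pass" and matches(r, pkt) for r in rules):
        return "pass", []                       # pass ends inspection: no alerts fire
    verdict = "drop" if any(r.action == "drop" and matches(r, pkt) for r in rules) else "pass"
    alerts = [r.msg for r in rules if r.action == "alert" and matches(r, pkt)]
    return verdict, alerts                      # alert rules only log; verdict unchanged


def inspect_packet(stateless: List[Rule], stateful: List[Rule], pkt: Packet):
    """Full path: stateless decision, then the stateful engine if forwarded."""
    first = stateless_evaluate(stateless, pkt)
    if first != "aws:forward_to_sfe":
        return "stateless", first[len("aws:"):], []
    verdict, alerts = stateful_evaluate(stateful, pkt)
    return "stateful", verdict, alerts


# Constructed rule sets; all addresses are documentation ranges.
STATELESS_RULES = [
    Rule("aws:drop", src="198.51.100.0/24", priority=10),   # known-bad range
    Rule("aws:forward_to_sfe", priority=100),               # everything else
]
STATEFUL_RULES = [   # listed alert-first on purpose: order must not matter
    Rule("alert", msg="any traffic"),
    Rule("alert", proto="tcp", dport=22, msg="ssh inbound"),
    Rule("drop", proto="tcp", dport=23),
    Rule("pass", proto="tcp", dst="10.0.0.0/8", dport=443),
]


if __name__ == "__main__":
    for pkt in (Packet("198.51.100.5", "10.0.1.10", "tcp", 443),
                Packet("203.0.113.8", "10.0.1.10", "tcp", 23),
                Packet("203.0.113.8", "10.0.1.10", "tcp", 22),
                Packet("203.0.113.8", "10.0.1.10", "tcp", 443)):
        print(pkt.dport, inspect_packet(STATELESS_RULES, STATEFUL_RULES, pkt))
```

The last packet is the one to study: an alert rule matching all traffic sits first in the list, yet the HTTPS packet produces no alert because a pass rule matched and pass is evaluated before alert. Putting a broad alert rule "first" therefore does not make it fire first under default action order.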
AWS Firewall Manager
AWS Firewall Manager is a centralized location to manage all firewall rules across all AWS accounts.
It is a security management service that allows you to centrally configure and manage firewall rules across your accounts and applications in AWS Organizations. It is integrated with AWS Organizations so you can enable AWS WAF rules, AWS Shield Advanced protection, security groups, AWS Network Firewall rules, and Amazon Route 53 Resolver DNS Firewall rules.
It provides audit trails and logging through CloudWatch Logs and CloudWatch Alarms.