AWS Security Best Practices Part Four

Continuing on from the first, second and third blog posts about Incident Response, Logging & Monitoring and Infrastructure Security, available at Part One, Part Two and Part Three. This post continues with Infrastructure Security best practices and some gotchas to avoid.

As with the other blog posts, peppered in them are some photos from the Astronomy Photographer of the Year awards at the Greenwich Maritime Museum. Why? Cos they are cool and interesting.

Our Sun doing what can only be described as letting off some gas! And having a bit of a vent!

Infrastructure Security

  • AWS Shield
    • Two Tiers
      • Shield Standard
        • No additional charge
        • Basic level protection against common network and transport layer DDoS attacks.
      • Shield Advanced
        • Protects against large and sophisticated DDoS attacks with near real-time visibility into attacks.
        • 24×7 access to AWS DDoS Response team.
        • If infrastructure has scaled because of the attack, AWS will return the costs of the scaling in the form of credits.
        • $3000 per organisation and requires business or enterprise support.
  • Distributed Denial of Service (DDoS) attacks
    • Mitigate a DDoS attack
      • Minimise the attack surface area.
        • Make use of Bastion hosts or VPNs and allow administrative ports to be accessible only from those services.
      • Be ready to scale and absorb the attacks.
        • Be ready to scale horizontally.
        • Autoscaling can help.
      • Safeguard exposed resources.
        • Add protection such as AWS WAF against Layer 7 attacks, CloudFront for caching, and Route 53.
    • AWS Services that can protect against DDoS attacks.
      • AWS Shield
      • CloudFront
      • Route53
      • Auto-Scaling
      • Web application firewall
      • Elastic Load Balancers
      • CloudWatch
    • Network segmentation can really save the day.
      • Production is separate from Dev, QA and Staging; nowadays a standard best practice.
      • Split networks into multiple subnetworks and apply individual controls to each of them.
      • PCI DSS has mandatory network segmentation requirements.
      • Segmented networks have no direct connections between them.
      • In AWS, network segmentation is done through VPCs.
      • Prod and Dev should NOT be in the same region. If possible, Prod and Dev should be in different accounts.
      • Do not waste IP addresses, e.g. use 172.18.0.0/24 rather than a larger range. An over-sized subnet can create address-overlap issues if you want to set up IPsec tunnels to other organisations.
  • Bastion Hosts
    • Also known as a jump box; acts as a proxy that allows the client to connect to remote servers.
    • Best Practices
      • All unnecessary packages should be removed.
      • Proper server hardening should be applied.
      • Use agent forwarding. Never store private keys on the Bastion Host.
    • Without agent forwarding, the private keys of users who want to connect to an instance in a private subnet would have to be stored on the Bastion Host. This is simpler but not recommended.
    • SSH agent forwarding plays a big part in the implementation of Bastion Hosts.
      • It means there is no need to store private keys on the Bastion Host.
    • SSH-Agent
      • A local program that keeps track of private keys and their passphrases. It logs the user into servers without having to keep typing passphrases.
      • The user's public key is stored in authorized_keys on both the Bastion Host and the remote server.
    • Agent Forwarding
      • A way in which the SSH client allows the SSH server to use the local SSH agent for authentication. The local SSH agent has access to the user's private keys and passphrases.
      • Users' private keys are never stored on the Bastion Host; authentication uses a challenge and response.
    • Advantages
      • Single point for logins in the network, makes firewall rules easier.
      • Easier to log all login attempts.
      • Simplifies authentication.
    • Disadvantages
      • Generally only used for SSH.
      • To access applications running on, for example, port 8080, VPNs are the solution, not Bastion Hosts.
  • Virtual Private Networks (VPNs)
    • The VPN server must always be running in a public subnet.
    • A VPN connection has two tunnels, created for redundancy.
  • Virtual Private Gateway (VGW)
    • Three entities
      • Virtual Private Gateway (VGW) on the AWS side.
        • Default is the detached state.
      • Customer Gateway (CGW) on the customer's side.
        • A VPN tunnel is created between the two.
          • Two config files
            • /etc/ipsec.secrets
            • /etc/ipsec.conf
            • Restart the service
  • Direct Connect (DX)
    • Dedicated network connection between on-premise and AWS.
    • Can be used to lower latencies and reduce costs.
    • Dedicated line between customer site and AWS.
    • Request Direct Connect connection.
      • Request directly through AWS.
      • Request through the AWS DX partners.
    • Two port speeds: 1 and 10 Gbps. Lower speeds are available through a DX partner.
    • Once the Direct Connect request is set up you get a Letter of Acceptance (LoA) from AWS that you can share with Direct Connect partners.
    • After set-up you need to create a Virtual Interface (VIF).
    • DX uses BGP, i.e. dynamic routing. You do not have to configure routing manually; BGP manages and advertises the routes.
    • Two types of VIF
      • Public VIF
        • Useful for accessing public endpoints within the region.
      • Private VIF
        • Useful for accessing private endpoints within the region.
        • Each VIF can be assigned to a single VGW only. Each VGW can be associated with a single VPC.
    • DX is not fault tolerant, so you need a secondary DX or a VPN as a backup.
    • DX does not encrypt any traffic. To have encrypted traffic you have to establish a VPN connection over DX.
  • VPC Peering
    • A network connection established between two VPCs so that resources in the two VPCs can communicate.
    • Inter-region VPC peering is now supported.
  • Transit Gateway service
    • VPC A is peered with VPC B, and VPC A is also peered with VPC C. Peering is not transitive, so to get VPC B and VPC C communicating you need the Transit Gateway service.
  • VPC Endpoints
    • Through endpoints, resources such as S3 and DynamoDB in the same region are accessible over a private link instead of the Internet.
    • Enhances security and reduces data transfer costs, as sensitive data does not have to flow through the Internet.
  • EC2 Instances and Key pairs
    • Important Point
      • Deleting the key pair from the console will NOT delete the public key from the EC2 instance.
    • AWS adds the public key to
      • /home/ec2-user/.ssh/authorized_keys
    • Once you have deleted the key pair via the console you will STILL be able to log into the EC2 instance, because the public key is already in authorized_keys.
    • Important Point
      • If you lose the private key for an EC2 instance:
        • Create an AMI from the instance and launch a new EC2 instance from that AMI with a new key pair.
          • In the new instance, AWS will APPEND the new public key to your authorized_keys.
          • The new EC2 instance therefore has the new public key present and you can log in again with the new private key.
  • API Gateway
    • Gateway Throttling
      • Prevents the API from being overwhelmed by a large number of requests.
      • By default, API Gateway has a steady-state request rate limit of 10,000 requests per second.
      • When the limit is exceeded it starts replying with HTTP 429 (Too Many Requests) to clients.
      • The burst limit allows up to 5,000 requests across all the APIs in the AWS account.
      • If the requester submits 10,000 requests in one second evenly, for example 10 requests every millisecond, API Gateway will process all of the requests without sending HTTP 429 back to the client (no request dropping).
      • If the requester submits all 10,000 requests in the first millisecond, API Gateway services only 5,000 of those requests (the burst limit) and throttles the rest for the remainder of the one-second period.
      • If the requester submits 5,000 requests in the first millisecond and then spreads the other 5,000 requests evenly across the remaining 999 milliseconds, API Gateway processes all 10,000 requests without returning any HTTP 429 error response to the client.
      • The rate limit can be increased by making a request to AWS Support.
    • Gateway Caching
      • If the same type of request is made multiple times, API Gateway supports caching the response.
      • With caching, we can reduce the number of calls made to the backend endpoints and also improve latency for an API.
      • Default TTL value is 300 seconds.
      • Setting the TTL value to Zero, means no caching.
    • Gateway Validation
      • You can configure API Gateway to perform the necessary validation of an API request. If validation fails, API Gateway immediately drops the request and returns HTTP 400 to the requester. This reduces unnecessary calls to the backend systems.
      • Basic validation
        • The required request parameters in the URL, query string and headers of the incoming request are included and not blank.
        • The request payload adheres to the JSON schema configured for the method.
      • Having request validation at the API Gateway level is very useful. It prevents flooding the backend with malformed requests.
  • EC2 Tenancy
    • Shared
      • Instances run on shared hardware
      • The DEFAULT
    • Dedicated
      • EC2 instances run on hardware dedicated to a single AWS account.
      • May share hardware with other EC2 instances that belong to the same AWS account.
      • Dedicated instances that belong to different AWS accounts are physically separated and isolated at the hardware level.
      • Dedicated instances that belong to linked AWS accounts are also physically isolated at the hardware level.
      • When the instance stops and starts, it might migrate to different hardware.
      • Can have licensing and compliance implications.
    • Dedicated Hosts
      • Instances run on a dedicated physical server with a very granular level of visibility into, and control over, the underlying hardware.
      • You keep using the same physical server over time when the instance stops and starts.
  • AWS Lambda
    • For Lambda to pull objects from AWS S3, the Lambda function needs to be associated with a proper IAM role.
    • Two important configuration options for the S3 event trigger
      • Name of the bucket
      • Event Type
  • Simple Email Service (SES)
    • Throttles email traffic over port 25 by default.
    • To avoid throttling, use port 587 or 2587 instead.
    • Submit a request to AWS to remove the email sending limitation.
    • If you set up an email server on an EC2 instance it is entirely your responsibility.
    • To use the AWS SES SMTP interface you need an SMTP username and password.
    • Only three endpoints
      • North Virginia
      • Oregon
      • Ireland
    • When configuring an email client you essentially need three things.
      • SMTP username
      • SMTP password
      • SMTP endpoints
  • Custom DNS Server for VPC
    • AWS automatically provides a DNS resolver for the VPC at the base of the VPC CIDR plus two (the .2 address).
    • Its address is propagated to all EC2 instances via the DHCP options set.
    • Can set custom options for DNS via the DHCP Options set.
  • Lambda@Edge
    • Can run custom functions.
    • CloudFront delivers content by executing the Lambda function in the AWS location closest to the viewer.
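The network segmentation notes above (carving a VPC into small subnets, keeping Prod and Dev ranges apart, and the IPsec address-overlap gotcha) and the custom DNS note (the resolver sits at the .2 address of the VPC) can both be checked with Python's standard ipaddress module. The following is an added example written for this post, not code from the original; the Prod, Dev and partner ranges it uses are constructed for the demo.

```python
import ipaddress
from typing import Iterable, List, Tuple

# Constructed address plan for the demo (not from the original post): a production
# VPC, a development VPC and two partner ranges reachable over IPsec tunnels.
PROD_VPC = "10.10.0.0/16"
DEV_VPC = "10.20.0.0/16"
PARTNER_RANGES = ["10.10.5.0/24", "192.168.100.0/24"]  # hypothetical partner side


def plan_subnets(vpc_cidr: str, new_prefix: int, count: int) -> List[ipaddress.IPv4Network]:
    """Carve `count` equally sized /new_prefix subnets out of a VPC CIDR.

    Small, purpose-specific subnets are what let you attach individual route
    tables, NACLs and security group rules to each tier."""
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    subnets = list(vpc.subnets(new_prefix=new_prefix))
    if count > len(subnets):
        raise ValueError(f"{vpc_cidr} only holds {len(subnets)} /{new_prefix} subnets")
    return subnets[:count]


def find_overlaps(ours: Iterable[str], theirs: Iterable[str]) -> List[Tuple[str, str]]:
    """Return every (our_cidr, their_cidr) pair whose address ranges overlap.

    An overlap means packets for the partner's range and for our own subnet
    cannot be routed unambiguously over an IPsec tunnel or peering link; this
    is the concrete cost of handing a VPC a larger range than it needs."""
    hits = []
    for a in ours:
        net_a = ipaddress.ip_network(a)
        for b in theirs:
            net_b = ipaddress.ip_network(b)
            if net_a.overlaps(net_b):
                hits.append((a, b))
    return hits


def amazon_dns_address(vpc_cidr: str) -> str:
    """Address of the Amazon-provided DNS resolver: the VPC base address plus two."""
    vpc = ipaddress.ip_network(vpc_cidr)
    return str(vpc.network_address + 2)


if __name__ == "__main__":
    tiers = ["public", "app", "db", "bastion"]
    for tier, subnet in zip(tiers, plan_subnets(PROD_VPC, 24, len(tiers))):
        print(f"{tier:8} {subnet}")
    print("prod/dev overlap:     ", find_overlaps([PROD_VPC], [DEV_VPC]))
    print("prod/partner overlap: ", find_overlaps([PROD_VPC], PARTNER_RANGES))
    print("tight /24 vs partner: ", find_overlaps(["172.18.0.0/24"], PARTNER_RANGES))
    print("VPC resolver:         ", amazon_dns_address(PROD_VPC))
```

Run before creating a VPN or peering connection: the generous 10.10.0.0/16 collides with the partner's 10.10.5.0/24, while a right-sized 172.18.0.0/24 does not, which is the point the post makes about not wasting address space.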
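Two of the sections above describe SSH key hygiene findings worth checking for: the Bastion Host section (private keys must never live on the bastion) and the EC2 key pair section (deleting a key pair in the console leaves its public key in authorized_keys, so access survives the deletion). The audit script below is an added example written for this post, not code from the original. It walks a home directory tree for private key headers and computes OpenSSH-style SHA256 fingerprints of every authorized_keys entry so they can be compared against the fingerprints of key pairs you still consider valid. The directory tree, the key bytes and the "known" fingerprint set are all constructed for the demo; on a real host you would pass the real /home and a fingerprint set built from your current public keys (for example with `ssh-keygen -lf`, since the console's fingerprint format differs by key type).

```python
import base64
import hashlib
import os
import struct
import tempfile
from typing import List, Set

# Header lines that mark private key material; any file on a bastion containing
# one of these is a finding.
PRIVATE_KEY_MARKERS = (
    b"-----BEGIN OPENSSH PRIVATE KEY-----",
    b"-----BEGIN RSA PRIVATE KEY-----",
    b"-----BEGIN EC PRIVATE KEY-----",
    b"-----BEGIN PRIVATE KEY-----",
)


def find_private_keys(root: str) -> List[str]:
    """Walk `root` and return every file whose first 4 KiB contains a private key header."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(4096)
            except OSError:
                continue
            if any(marker in head for marker in PRIVATE_KEY_MARKERS):
                hits.append(path)
    return sorted(hits)


def ssh_fingerprint(authorized_keys_line: str) -> str:
    """SHA256 fingerprint of one authorized_keys entry in OpenSSH's 'SHA256:<base64>' form.

    The digest covers the decoded key blob, which is what `ssh-keygen -lf` reports."""
    fields = authorized_keys_line.split()
    for i, token in enumerate(fields):
        # Entries may start with options such as from="..."; skip ahead to the key type.
        if token.startswith(("ssh-", "ecdsa-", "sk-")):
            blob = base64.b64decode(fields[i + 1])
            break
    else:
        raise ValueError("no SSH key type found in line")
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def stale_authorized_keys(authorized_keys_text: str, known_fingerprints: Set[str]) -> List[str]:
    """Fingerprints present in authorized_keys that no longer match a known key pair."""
    stale = []
    for line in authorized_keys_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fp = ssh_fingerprint(line)
        if fp not in known_fingerprints:
            stale.append(fp)
    return stale


def make_ed25519_pubkey(label: str) -> str:
    """Build a syntactically valid ssh-ed25519 authorized_keys line from constructed bytes.

    The 32 'key' bytes are derived from the label for the demo and are NOT a real key."""
    key_bytes = hashlib.sha256(label.encode()).digest()
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + key_bytes
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {label}"


def build_demo_tree() -> str:
    """Create a throwaway directory resembling a bastion's /home with two findings planted."""
    root = tempfile.mkdtemp(prefix="bastion-audit-")
    ops_ssh = os.path.join(root, "ops", ".ssh")
    os.makedirs(ops_ssh)
    # Finding 1: a private key left on the bastion (placeholder body, not real key material).
    with open(os.path.join(ops_ssh, "id_rsa"), "wb") as fh:
        fh.write(b"-----BEGIN OPENSSH PRIVATE KEY-----\nCONSTRUCTED-PLACEHOLDER\n"
                 b"-----END OPENSSH PRIVATE KEY-----\n")
    # Finding 2: authorized_keys still lists a key pair that was deleted from the console.
    with open(os.path.join(ops_ssh, "authorized_keys"), "w") as fh:
        fh.write(make_ed25519_pubkey("keypair-current") + "\n")
        fh.write(make_ed25519_pubkey("keypair-deleted-from-console") + "\n")
    return root


def audit(root: str, known_fingerprints: Set[str]) -> dict:
    """Run both checks over a tree and report the findings."""
    report = {"private_keys": find_private_keys(root), "stale_keys": []}
    for dirpath, _dirs, files in os.walk(root):
        if "authorized_keys" in files:
            with open(os.path.join(dirpath, "authorized_keys")) as fh:
                report["stale_keys"].extend(stale_authorized_keys(fh.read(), known_fingerprints))
    return report


if __name__ == "__main__":
    demo_root = build_demo_tree()
    known = {ssh_fingerprint(make_ed25519_pubkey("keypair-current"))}
    print(audit(demo_root, known))
```

A related caveat on the agent forwarding the post recommends: forwarding exposes your local agent socket to the bastion for the duration of the session, so anyone with root on the bastion can use your keys while you are connected. Modern OpenSSH's ProxyJump (`ssh -J bastion target`) reaches the private instance through the bastion without forwarding the agent at all, and combines well with the audit above.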
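The three throttling scenarios in the API Gateway section are what a token bucket produces when it refills at 10,000 tokens per second and holds at most 5,000 (the burst). The model below is an added example written for this post, not AWS's implementation or code from the original; the two limits are the account-level defaults quoted above and the request timing lists are constructed to match the three described traffic shapes.

```python
from typing import List, Tuple


class TokenBucket:
    """Token-bucket model of API Gateway account-level throttling.

    rate_per_sec: steady-state limit (tokens added per second).
    burst: bucket capacity, i.e. the most requests that can be served at one instant."""

    def __init__(self, rate_per_sec: float = 10_000, burst: int = 5_000):
        self.rate_per_ms = rate_per_sec / 1000.0
        self.burst = burst
        self.tokens = float(burst)  # the bucket starts full
        self.last_ms = 0.0

    def allow(self, now_ms: float) -> bool:
        """Refill for the elapsed time, then spend one token if one is available."""
        elapsed = max(0.0, now_ms - self.last_ms)
        self.tokens = min(float(self.burst), self.tokens + elapsed * self.rate_per_ms)
        self.last_ms = now_ms
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False  # the client would receive HTTP 429 Too Many Requests


def simulate(request_times_ms: List[float], rate_per_sec: float = 10_000,
             burst: int = 5_000) -> Tuple[int, int]:
    """Feed timestamped requests through one bucket; returns (served, throttled)."""
    bucket = TokenBucket(rate_per_sec, burst)
    served = sum(1 for t in sorted(request_times_ms) if bucket.allow(t))
    return served, len(request_times_ms) - served


# The three traffic shapes from the post, as lists of request timestamps in milliseconds.
def evenly_spread() -> List[float]:
    """10,000 requests at 10 per millisecond across one second."""
    return [float(ms) for ms in range(1000) for _ in range(10)]


def all_in_first_millisecond() -> List[float]:
    """All 10,000 requests arrive at t=0."""
    return [0.0] * 10_000


def burst_then_spread() -> List[float]:
    """5,000 requests at t=0, the other 5,000 spread evenly over the remaining 999 ms."""
    return [0.0] * 5_000 + [1.0 + i * 999.0 / 5_000 for i in range(5_000)]


if __name__ == "__main__":
    shapes = [("even", evenly_spread), ("all at once", all_in_first_millisecond),
              ("burst then even", burst_then_spread)]
    for name, shape in shapes:
        served, throttled = simulate(shape())
        print(f"{name:16} served={served:5d} throttled(429)={throttled:5d}")
```

The model reproduces the post's numbers: the even stream and the burst-then-even stream are served in full, while 10,000 requests in the same millisecond get 5,000 served and 5,000 answered with 429. The same function also shows why a raised account limit is not a fix for a client that sends everything at once.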
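Gateway request validation as described in the API Gateway section, as an added example that is not from the original post: a request is rejected with HTTP 400 before it reaches the backend if a required path, query string or header parameter is missing or blank, if the body is not JSON, or if the body fails the configured schema. The parameter names and the schema are a constructed method configuration, and the small schema checker stands in for the gateway's own (which validates against a JSON Schema draft 4 model) so the example runs offline.

```python
import json
from typing import Any, Dict, List, Tuple

# Constructed method configuration (not from the post): the parameters that must be
# present and non-blank, plus a JSON Schema subset the payload must satisfy.
REQUIRED_PARAMS = {
    "path": ["orderId"],
    "querystring": ["version"],
    "header": ["x-api-key"],
}
BODY_SCHEMA = {
    "type": "object",
    "required": ["sku", "quantity"],
    "properties": {
        "sku": {"type": "string", "minLength": 1},
        "quantity": {"type": "integer", "minimum": 1},
    },
}
JSON_TYPES = {"object": dict, "array": list, "string": str, "integer": int,
              "number": (int, float), "boolean": bool}


def check_schema(value: Any, schema: Dict[str, Any], path: str = "$") -> List[str]:
    """Validate `value` against the schema subset: type, required, properties, minLength, minimum."""
    errors: List[str] = []
    expected = schema.get("type")
    if expected:
        # bool is a subclass of int in Python; JSON Schema treats it as a distinct type.
        wrong_bool = isinstance(value, bool) and expected in ("integer", "number")
        if wrong_bool or not isinstance(value, JSON_TYPES[expected]):
            return [f"{path}: expected {expected}"]
    if expected == "object":
        for key in schema.get("required", []):
            if key not in value:
                errors.append(f"{path}.{key}: required property missing")
        for key, sub in schema.get("properties", {}).items():
            if key in value:
                errors.extend(check_schema(value[key], sub, f"{path}.{key}"))
    if expected == "string" and len(value) < schema.get("minLength", 0):
        errors.append(f"{path}: shorter than minLength {schema['minLength']}")
    if expected in ("integer", "number") and value < schema.get("minimum", float("-inf")):
        errors.append(f"{path}: below minimum {schema['minimum']}")
    return errors


def validate_request(request: Dict[str, Any]) -> Tuple[int, Dict[str, Any]]:
    """Gateway-side check: 400 with reasons for a bad request, else 200 meaning 'forward it'."""
    errors: List[str] = []
    for location, names in REQUIRED_PARAMS.items():
        supplied = request.get(location, {})
        if location == "header":  # header names are case-insensitive
            supplied = {k.lower(): v for k, v in supplied.items()}
        for name in names:
            value = supplied.get(name)
            if value is None or not str(value).strip():
                errors.append(f"{location}.{name}: missing or blank")
    try:
        body = json.loads(request.get("body") or "")
    except json.JSONDecodeError:
        errors.append("body: not valid JSON")
    else:
        errors.extend(check_schema(body, BODY_SCHEMA))
    if errors:
        return 400, {"message": "Invalid request", "errors": errors}
    return 200, {"message": "forwarded to backend"}


if __name__ == "__main__":
    # Constructed sample requests: one well-formed, one with three defects.
    good = {"path": {"orderId": "42"}, "querystring": {"version": "2"},
            "header": {"X-Api-Key": "abc"}, "body": '{"sku": "ABC-1", "quantity": 3}'}
    bad = {"path": {"orderId": "42"}, "querystring": {"version": "  "},
           "header": {"x-api-key": "abc"}, "body": '{"sku": "", "quantity": 0}'}
    print(validate_request(good))
    print(validate_request(bad))
```

Every rejected request is answered at the gateway, so the backend never sees the blank parameter, the empty SKU or the zero quantity; that is the flood protection the post is describing.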
Our Sun.
