AWS Security Best Practices Part Three

Infrastructure Security

Continuing on from the first and second blog posts about Incident Response and Logging & Monitoring, available here (Part One) and here (Part Two). This post moves into the realm of Infrastructure Security best practices and some gotchas to avoid.

Peppered in these blog posts are photos from the Astronomy Photographer of the year awards at the Greenwich Maritime Museum. Why? Cos they are cool and interesting.

Our next door neighbour in astronomical terms: the Andromeda galaxy.

  • AWS Organisations
    • Offers centralised policy-based management as well as consolidated billing for multiple AWS accounts.
    • You can create a master/child account relationship in AWS Organisations.
    • The master account is the controller account, where we can create, set and manage policies for all child accounts.
    • By using Service Control Policies (SCPs) you can create centralised permissions and associate them with Organisational Units (OUs). AWS Organisations lets you group child accounts into OUs, and SCPs can be applied at the OU level.
    • There are two types of invitations which AWS organisations allow us to configure.
      • Enable only consolidated billing
      • Enable all the features
    • Similar to IAM, where after you create a policy it can be attached to an IAM User, Group or Role.
    • You can create multiple OUs (Organisational Units) within a single organisation, and you can create OUs within other OUs.
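To make the SCP-at-OU-level point concrete, here is an added model (written for this post, not AWS code) of how guardrails attached along an OU hierarchy combine: an action reaches an account only if every SCP on the path from the root, through each nested OU, down to the account allows it, and a Deny at any level wins. The OU ids, the twelve-zero account id and the policies are constructed placeholders, and a node with no SCP attached is treated as carrying the default FullAWSAccess policy.

```python
"""Model of how Service Control Policies attached at OU level apply to the
accounts below them.  Added illustration, not AWS code: the OU tree, the
account id and the policies are all constructed here."""
from typing import Dict, List, Optional

# Constructed organisation tree: child -> parent.  The account id is a
# placeholder, not a real account.
PARENT: Dict[str, str] = {
    "ou-prod": "ou-workloads",
    "ou-workloads": "r-root",
    "000000000000": "ou-prod",
}

# Constructed SCPs keyed by the root/OU they are attached to.  Each SCP is a
# list of statements; "*" in Action matches everything.
SCPS: Dict[str, List[dict]] = {
    "r-root": [{"Effect": "Allow", "Action": "*"}],
    "ou-workloads": [
        {"Effect": "Allow", "Action": "*"},
        {"Effect": "Deny", "Action": "organizations:LeaveOrganization"},
    ],
    "ou-prod": [
        {"Effect": "Allow", "Action": "*"},
        {"Effect": "Deny", "Action": ["cloudtrail:StopLogging",
                                     "cloudtrail:DeleteTrail"]},
    ],
}

# Stand-in for the FullAWSAccess policy AWS attaches by default (assumption:
# a node with nothing attached in this model behaves as if it carried it).
FULL_ACCESS = [{"Effect": "Allow", "Action": "*"}]


def _action_matches(pattern: str, action: str) -> bool:
    """Match an IAM-style action pattern (supports a trailing '*')."""
    if pattern.endswith("*"):
        return action.startswith(pattern[:-1])
    return pattern == action


def _statement_matches(stmt: dict, action: str) -> bool:
    patterns = stmt["Action"]
    if isinstance(patterns, str):
        patterns = [patterns]
    return any(_action_matches(p, action) for p in patterns)


def scp_allows(statements: List[dict], action: str) -> bool:
    """One SCP permits an action only if an Allow matches and no Deny does."""
    allowed = any(s["Effect"] == "Allow" and _statement_matches(s, action)
                  for s in statements)
    denied = any(s["Effect"] == "Deny" and _statement_matches(s, action)
                 for s in statements)
    return allowed and not denied


def path_to_root(node: str) -> List[str]:
    """Account, its OU, that OU's parent OU, ..., up to the root."""
    path = [node]
    while node in PARENT:
        node = PARENT[node]
        path.append(node)
    return path


def permitted_by_scps(account: str, action: str) -> bool:
    """An action survives the guardrails only if every SCP on the path from
    the root down to the account allows it.  IAM policies inside the account
    are evaluated separately and can only narrow this further."""
    return all(scp_allows(SCPS.get(node, FULL_ACCESS), action)
               for node in path_to_root(account))


def first_denying_node(account: str, action: str) -> Optional[str]:
    """Which level of the hierarchy blocks the action (for troubleshooting)."""
    for node in path_to_root(account):
        if not scp_allows(SCPS.get(node, FULL_ACCESS), action):
            return node
    return None


if __name__ == "__main__":
    for act in ("ec2:DescribeInstances", "cloudtrail:StopLogging",
                "organizations:LeaveOrganization"):
        print(act, permitted_by_scps("000000000000", act),
              first_denying_node("000000000000", act))
```

The useful property to notice is that a Deny placed on the Workloads OU is inherited by the Prod OU and the account beneath it without being restated, which is why SCPs are attached as high in the tree as their scope allows.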
  • CloudFront
    • Content delivery network (CDN) provided by AWS.
    • Two types of distribution are available
      • Web distribution
        • Generally used when you want to host websites or serve videos using a progressive download approach.
      • RTMP distribution
        • Generally preferred when streaming content needs to be delivered.
    • To Setup you will need
      • S3 Bucket: one S3 bucket with the video files inside.
        • Once created and uploaded, you can go to the CloudFront console and create a web-based distribution.
        • Origin Domain Name in this case refers to the DNS name of the S3 bucket where your video file is stored.
          • Better choice for streaming distributions as pirating is more difficult.
      • Cloudfront distribution pointing to an S3 bucket.
      • Price class: Use all edge locations (Best performance).
    • Security Benefits
      • Integrates with the AWS WAF (web application firewall)
      • Geo-location based restrictions
      • IP Whitelisting or Blacklisting
      • Protection against various layer 3 attacks
    • CloudFront can also be used with various origins, such as EC2 instances.
    • Grant only Read access on the S3 bucket.
      • Without further restriction, anyone could access the object either through CloudFront or directly using the Amazon S3 URL.
      • It is important to block access to the S3 bucket for everyone except the CloudFront distribution. This is achieved with an Origin Access Identity (OAI).
      • Add a bucket policy on the S3 bucket that removes all public access to the objects.
      • You can test access to the bucket with a curl request to the direct S3 URL: an HTTP 200 OK means the objects are still public; if the permissions are set correctly an HTTP 403 Forbidden should be received.
    • Important Point
      • If you are going to use certificates from AWS Certificate Manager, the certificate MUST be created in the us-east-1 region for CloudFront to be able to use it.
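The OAI lockdown above comes down to one bucket policy and one check. The following is an added example, not code from the post: it builds the bucket policy that grants `s3:GetObject` to a CloudFront OAI principal (the `arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity <id>` form is the fixed one AWS uses), lints a policy for statements that still grant anonymous access, and wraps the curl test as a function that expects 403 from the direct S3 URL. The bucket name `example-video-bucket` and OAI id `EXAMPLEOAIID123` are placeholders.

```python
"""Added illustration of locking an S3 origin down to a CloudFront OAI and
checking the result.  Not code from the blog; the bucket name, OAI id and
policies are constructed placeholders."""
import json
import urllib.error
import urllib.request
from typing import List


def oai_bucket_policy(bucket: str, oai_id: str) -> dict:
    """Bucket policy that lets only the CloudFront OAI read objects."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowCloudFrontOAIReadOnly",
            "Effect": "Allow",
            "Principal": {"AWS": ("arn:aws:iam::cloudfront:user/"
                                  f"CloudFront Origin Access Identity {oai_id}")},
            "Action": "s3:GetObject",
            "Resource": f"arn:aws:s3:::{bucket}/*",
        }],
    }


def _is_anonymous(principal) -> bool:
    """True for the forms of Principal that mean 'everyone'."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def public_statements(policy: dict) -> List[str]:
    """Sids of Allow statements open to everyone with no Condition narrowing
    them, i.e. the statements that keep objects reachable via the direct S3
    URL even after CloudFront is in front of the bucket."""
    found = []
    stmts = policy.get("Statement", [])
    if isinstance(stmts, dict):
        stmts = [stmts]
    for i, stmt in enumerate(stmts):
        if (stmt.get("Effect") == "Allow"
                and _is_anonymous(stmt.get("Principal"))
                and not stmt.get("Condition")):
            found.append(stmt.get("Sid", f"statement-{i}"))
    return found


def direct_s3_access_blocked(object_url: str) -> bool:
    """The curl check from the post: request the object through its direct S3
    URL, bypassing CloudFront.  403 Forbidden means the lockdown works; a
    200 OK means the object is still public.  Makes a real HTTP request."""
    try:
        with urllib.request.urlopen(object_url, timeout=10) as resp:
            return resp.status != 200
    except urllib.error.HTTPError as err:
        return err.code == 403


# Constructed "before" policy: the classic public-read bucket.
PUBLIC_READ_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicReadGetObject",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-video-bucket/*",
    }],
}

if __name__ == "__main__":
    locked = oai_bucket_policy("example-video-bucket", "EXAMPLEOAIID123")
    print(json.dumps(locked, indent=2))
    print("public statements before:", public_statements(PUBLIC_READ_POLICY))
    print("public statements after:", public_statements(locked))
```

Running `public_statements` over the old policy flags `PublicReadGetObject`; over the OAI policy it returns nothing, which is the state you want before the curl check is expected to come back 403.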
  • Firewalls
    • Firewall rules are configured on three primary fields.
      • Source IP
      • Destination IP
      • Rule (Allow or Deny)
    • The firewall inspects packets primarily by analysing the TCP/IP header fields.
      • Security Group is a STATEFUL firewall
      • NACL is a STATELESS firewall
    • Modes of operation
      • Stateful packet inspection
        • Keeps track of connection states: it knows which point the connection has reached (SYN, SYN-ACK, ESTABLISHED, etc.).
        • Important Point
          • If an internal server initiates a connection (SYN) to an outside IP, it expects a reply, so the firewall allows the responses back in regardless of the inbound rules.
        • Provided through Security Groups, which are stateful and remember connection states.
      • Stateless packet inspection
        • Every packet is considered an individual packet.
        • Functionality through NACLs (Network ACL).
        • Control traffic at the subnet level within the VPC.
        • Important Points
          • NACLs are Stateless in nature.
          • NACLs operate at the subnet level instead of the instance level like security groups do.
          • Every subnet in a VPC must be associated with a NACL.
          • The default NACL allows all inbound and outbound traffic.
      • NACL rules are evaluated from the LOWEST number first; if traffic matches a rule, that rule is applied regardless of any higher-numbered rule that may contradict it.
      • Many organisations have a 0.0.0.0/0 rule for the sake of ease, but this can produce security and compliance issues.
      • You definitely don’t want a 0.0.0.0/0 ALL rule.
      • Outbound rules are important because a compromised EC2 instance can send out spam and connect to C&C servers.
  • Firewall Best Practices
    • Always implement the approach of Deny ALL and Allow SOME.
    • Avoid 0.0.0.0/0 rules in the firewall, with a set of justifiable exceptions such as HTTP or HTTPS.
    • Set up alarms that alert when changes are made to firewall rules.
    • Outbound rules are as important as inbound rules.
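The stateful/stateless distinction and the lowest-number-first NACL evaluation above are the two things that most often surprise people in practice, so here is an added simulation of both (written for this post, not AWS code; all addresses, ports and rules are constructed). It shows a NACL dropping the reply to a connection the instance itself opened unless an inbound ephemeral-port rule exists, a security group admitting that same reply because it tracks the flow, and a specific deny being silently overridden when it is numbered above a broad allow.

```python
"""Added illustration (not from the post) of the two evaluation models above:
an ordered, stateless NACL versus a stateful security group.  All addresses
and rules are constructed for the example."""
import ipaddress
from dataclasses import dataclass, replace
from typing import List, Set, Tuple


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" or "out", relative to the subnet / instance
    proto: str       # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class NaclRule:
    number: int      # evaluated lowest number first
    direction: str
    proto: str       # "tcp", "udp" or "all"
    cidr: str        # source CIDR for inbound, destination CIDR for outbound
    ports: Tuple[int, int]
    action: str      # "allow" or "deny"

    def matches(self, pkt: Packet) -> bool:
        if self.direction != pkt.direction or self.proto not in ("all", pkt.proto):
            return False
        peer = pkt.src if pkt.direction == "in" else pkt.dst
        if ipaddress.ip_address(peer) not in ipaddress.ip_network(self.cidr):
            return False
        return self.ports[0] <= pkt.dport <= self.ports[1]


def nacl_decision(rules: List[NaclRule], pkt: Packet) -> str:
    """First matching rule in ascending number order wins; with no match the
    implicit '*' rule denies.  Every packet is judged on its own."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.matches(pkt):
            return rule.action
    return "deny"


class SecurityGroup:
    """Stateful: replies to a connection the instance opened are admitted even
    though no inbound rule allows them, because the group remembers the flow."""

    def __init__(self, inbound: List[Tuple[str, str, Tuple[int, int]]]):
        self.inbound = inbound            # (proto, source cidr, (low, high))
        self.flows: Set[tuple] = set()

    def outbound(self, pkt: Packet) -> str:
        # Default egress allows everything; the flow is remembered.
        self.flows.add((pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport))
        return "allow"

    def inbound_decision(self, pkt: Packet) -> str:
        if (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport) in self.flows:
            return "allow"                # return traffic of a tracked flow
        for proto, cidr, (low, high) in self.inbound:
            if (proto in ("all", pkt.proto) and low <= pkt.dport <= high
                    and ipaddress.ip_address(pkt.src) in ipaddress.ip_network(cidr)):
                return "allow"
        return "deny"                     # security groups have no deny rules


# Scenario: instance 10.0.1.5 opens an HTTPS connection outward from ephemeral
# port 40000 and the reply comes back to that port.
OUTBOUND = Packet("out", "tcp", "10.0.1.5", 40000, "198.51.100.10", 443)
REPLY = Packet("in", "tcp", "198.51.100.10", 443, "10.0.1.5", 40000)

# A NACL that only allows inbound 443 drops the reply; stateless filtering
# needs an explicit inbound rule for the ephemeral port range as well.
NACL_NO_EPHEMERAL = [NaclRule(100, "in", "tcp", "0.0.0.0/0", (443, 443), "allow")]
NACL_WITH_EPHEMERAL = NACL_NO_EPHEMERAL + [
    NaclRule(200, "in", "tcp", "0.0.0.0/0", (1024, 65535), "allow")]


def reply_results() -> dict:
    sg = SecurityGroup(inbound=[("tcp", "0.0.0.0/0", (443, 443))])
    sg.outbound(OUTBOUND)
    return {"nacl_without_ephemeral": nacl_decision(NACL_NO_EPHEMERAL, REPLY),
            "nacl_with_ephemeral": nacl_decision(NACL_WITH_EPHEMERAL, REPLY),
            "security_group": sg.inbound_decision(REPLY)}


def ordering_results() -> dict:
    """Rule numbers decide: a deny for one /24 only takes effect if it is
    numbered below the broad 0.0.0.0/0 allow."""
    pkt = Packet("in", "tcp", "203.0.113.7", 51515, "10.0.1.5", 443)
    deny = NaclRule(100, "in", "tcp", "203.0.113.0/24", (443, 443), "deny")
    allow = NaclRule(200, "in", "tcp", "0.0.0.0/0", (443, 443), "allow")
    swapped = [replace(deny, number=200), replace(allow, number=100)]
    return {"deny_numbered_lower": nacl_decision([deny, allow], pkt),
            "deny_numbered_higher": nacl_decision(swapped, pkt)}
```

`reply_results()` comes back with the NACL denying the reply until the ephemeral rule is added and the security group allowing it throughout; `ordering_results()` shows the same deny rule working at number 100 and being ignored at number 200. When a review of a NACL finds a deny that never fires, rule numbering is the first thing to check.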
  • Intrusion Prevention System (IPS)
    • The packet reaches the firewall FIRST, where it is passed or blocked. The IPS then analyses the contents of the packet against its own set of rules.
    • In AWS, IPS agents are deployed on EC2 instances and communicate with the IPS server for rule updates.
  • Web Application Firewalls (WAFs)
    • WAFs are specifically designed to understand web application logic, including HTTP GET, POST and HEAD, SQL, cookies, XML and XSS.
  • Traffic Path
    • Firewall first, then the IPS, then the WAF and finally the EC2 instance.
      • Firewall filters based on IP Addresses and Ports.
      • IPS filters on known signatures to prevent exploits.
      • WAF designed to mitigate HTTP application attacks.
    • You cannot associate a WAF with a SPECIFIC EC2 instance; it can ONLY be associated with CloudFront, Application Load Balancers (ALB) and API Gateway.
      • Thus to use the AWS WAF you must use CloudFront, ALB or API Gateway as well.
    • AWS WAF uses four concepts.
      • Conditions
        • Define the essential characteristics that should be analysed in a web request.
        • Six conditions are supported
          • SQL Injection.
          • Cross Site Scripting.
          • Geographical location from which request originated (geomatch).
          • Length of specified parts of the request (size constraints).
          • IP address or address ranges that requests originate from.
          • Strings that appear within the requests.
      • Rules
        • Allow multiple conditions to be combined to precisely target requests.
        • The conditions within a rule are treated as an AND.
      • Web ACL
        • The action to be taken when a rule matches.
          • Allow
          • Block
          • Count
      • Association
        • Defines which entities the AWS WAF is to be associated with.
        • Three options available.
          • ALB
          • CloudFront
          • API Gateway
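To tie the four concepts together, here is an added model of the evaluation flow (written for this post, not the AWS WAF implementation): conditions are predicates over a request, a rule ANDs its conditions, and a web ACL walks its rules in order applying Allow, Block or Count, falling back to a default action. IP, geo, size-constraint and string-match conditions are implemented directly; AWS's built-in SQL injection detection is stood in for by a couple of constructed signatures so the flow runs offline. The rules and requests are constructed examples.

```python
"""Added illustration of the AWS WAF concepts above: conditions, rules that
AND their conditions, and a web ACL that maps rules to actions.  A model
written for this post, not the AWS WAF; rules and requests are constructed."""
import ipaddress
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple


@dataclass
class Request:
    src_ip: str
    country: str               # what the geomatch condition sees
    uri: str
    query: str
    body: str = ""
    headers: Dict[str, str] = field(default_factory=dict)  # lower-case names


Condition = Callable[[Request], bool]


def _part(req: Request, part: str) -> str:
    """Select the part of the request a condition inspects."""
    if part.startswith("header:"):
        return req.headers.get(part[len("header:"):].lower(), "")
    return getattr(req, part)


# Condition factories, one per condition type listed above.
def ip_match(cidrs: List[str]) -> Condition:
    nets = [ipaddress.ip_network(c) for c in cidrs]
    return lambda r: any(ipaddress.ip_address(r.src_ip) in n for n in nets)


def geo_match(countries: List[str]) -> Condition:
    return lambda r: r.country in countries


def size_constraint(part: str, max_len: int) -> Condition:
    return lambda r: len(_part(r, part)) > max_len


def string_match(part: str, needle: str) -> Condition:
    return lambda r: needle.lower() in _part(r, part).lower()


def sqli_match(part: str) -> Condition:
    # Constructed stand-in for AWS's built-in SQL injection condition.
    signatures = ["union select", "' or '1'='1"]
    return lambda r: any(s in _part(r, part).lower() for s in signatures)


@dataclass
class Rule:
    name: str
    conditions: List[Condition]   # ANDed: every condition must match
    action: str                   # "allow", "block" or "count"


def web_acl_decision(rules: List[Rule], default_action: str,
                     req: Request) -> Tuple[str, List[str]]:
    """Rules are checked in order.  A matching Count rule records its name and
    evaluation continues; the first matching Allow/Block rule terminates;
    with no terminating match the web ACL's default action applies."""
    counted: List[str] = []
    for rule in rules:
        if all(cond(req) for cond in rule.conditions):
            if rule.action == "count":
                counted.append(rule.name)
            else:
                return rule.action, counted
    return default_action, counted


# Constructed web ACL: a blocked source range, an SQLi block on the query
# string, a size check run in Count mode to trial it before enforcing, and an
# Allow that needs BOTH a geo match and a URI match (the AND).
WEB_ACL = [
    Rule("blocked-range", [ip_match(["203.0.113.0/24"])], "block"),
    Rule("sqli-in-query", [sqli_match("query")], "block"),
    Rule("oversized-body-trial", [size_constraint("body", 8192)], "count"),
    Rule("partner-geo-allow",
         [geo_match(["GB"]), string_match("uri", "/partner/")], "allow"),
]

if __name__ == "__main__":
    sample = Request("198.51.100.4", "DE", "/upload", "", body="x" * 9000)
    print(web_acl_decision(WEB_ACL, "allow", sample))
```

Count mode is the practical detail worth noticing: a rule in Count never changes the verdict, so the oversized-body check can be watched in the WAF metrics for false positives before it is switched to Block.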

The Moon in colour

That about covers it all for this blog post. Part Four is available here.
