AWS Platform Security Best Practices

This blog post is about some of the common gotchas to avoid and security best practices the should be followed when you are using the AWS platform and services to host web applications and other functionality.

This post is also a synopsis of the larger blog posts about AWS Security Best Practices available on our website, the first of these deeper blog posts is available here.

Don’t forget that OIC Solutions can help you test and secure your AWS Infrastrucure. You can contact us here.

EC2

Incident Response

The first issue you may have is knowing that an incident is actually happening.

The AWS Guarduty may give you an early warning.

  • Guardduty provides threat intelligence by collecting data from CloudTrail Logs, DNS Logs, VPC flow logs and then runs threat analytics to find and report suspicious activity.

In the event of detecting an security incident on a EC2 instance the following advice is recommended.

  • Lock down the EC2 instance. Isolate the security group so that it cannot communicate with the outside world, nor can any external system except the forensic server can connect to the compromised EC2.
  • Take an EBS Snapshot.
  • Take a Memory Dump.
  • Perform analysis, then when root cause established, terminate the EC2.

The best practice advice with regards to Exposed EC2 keys is to

  • Determine the access associated with those exposed keys.
  • Invalidate the exposed keys by making them inactive.
  • Add an explicit deny policy with the IAM principle whose keys have been exposed.
  • Review the logs to see possible backdoors and whether keys are still being used.

Logging & Monitoring

Continuous Security Monitoring is a critical part of Incident Response and the following services and tools could help you avoid an embarrassing catastrophe.

AWS Inspector is a service designed to help improve the security and compliance of applications deployed on AWS.

  • AWS Inspector is an automated security assessment service.
  • The Inspector Agent must be installed in the EC2 instance.
  • You must provide the key-value pair (tag) associated with the target EC2 instances. 
  • Has four package rules
    • Common vulns and exposure CVE
      • It is important because it will help identify packages with vulnerabilities within servers (EC2 instances).
      • Important but not always ideal.
      • Does NOT allow high vulns scores for information leakage issues.
    • Center for Internet Security (CIS) benchmarks
    • Best security practices
      • Including
        • Disable Root Logins.
        • Support for SSH v2.
    • Runtime Behaviour analysis
      • Including
        • Unused Listening TCP Ports.
        • Insecure protocols in use.
  • It is recommended to run a scan for 1 hour.
  • Reports can be exported as an HTML or PDF.

EC2 Systems Manager

  • This service provides a centralised way to manage operational and automation task accross the AWS environment.
  • SSM Agents need to be istalled in the EC2 instances.
  • Patch Compliance a sub component service of Systems Manager allows you to check the compliance status of an EC2 instance with respect to patching activity (missing updates).
  • Patch Manager allows you to automate and simplfy the EC2 operating systems paching process.
  • AWS Config allows you to continously assess and audit the configuration of AWS workloads.
  • Two important features
    • Evaluate the changes made to a resource over a period of time.
    • Compiance checks.
  • This also includes changes and also provides a set of compliance rules, which will enable you to assess our AWS Environment.
    • You must enable both checkboxes associated with the following options:
      • Record all resources supported within the region
      • Include global resources

CloudWatch logs

CloudWatch is a monitoring service offered by AWS.

  • You can monitor, store and access log files from sources such as EC2, CloudTrail and Lambda.
  • Provides you with a centralised log monitoring solution.
  • There are four steps to push EC2 logs to CloudWatch.
    • IAM role with right permissions
      • IAM Role associated with the EC2 instance should have permission to push logs to the CloudWatch.
    • Installation of CloudWatch agent.
    • Modifying the agent configuration file.
    • Post config, you need to restart the Agent.

CloudWatch Events

CloudWatch Events can deliver a near real time stream of events that describes the changes made to the AWS resources.

CloudWatch Events allow us to monitor events of a specific service in AWS and also trigger services like Lambda, SNS, and others whenever the event is detected.

ElasticSearch

  • ElasticSearch is preloaded with Kibana so you can visualise and perform searches on the data being logged.
  • Kibana and ElasticSearch are free to download and can be hosted on your own servers.

TrustedAdvisor

TrustedAdvisor checks your AWS Account and offers best recommendations and improvments.

  • Performs checks based on five categories.
  • Cost optimisation
    • Low utilization EC2 instances.
    • Idle load balances.
    • Underutilised AWS EBS volumes.
    • Unassociated Elastic IP Address.
    • Idle RDS DB instances.
  • Fault tolerance
    • Suggestions to improve availability and redundancy of application workloads by taking advantage of various AWS services, such as auto-scaling, multi AZ, and backup capabilities.
    • Amazon EBS Snapshots.
    • VPN Tunnel Redundancy.
    • AWS RDS Backups.
    • AWS RDS Multi-AZ.
    • S3 Bucket logging.
    • Direct connect connection redundancy.
  • Security
    • Suggestions and checks based on best practices.
    • Unrestricted access to specific ports of the security group (0.0.0.0/0).
    • AWS S3 bucket permissions.
    • MFA on Root Account.
    • IAM password policy.
    • AWS CloudTrail logging.
    • IAM Key rotation.
    • Exposed Access Keys.
  • Performance
    • Adding to many firewall rules that we associate to an EC2 instance, may deteriorate the overall performance.
    • High utilization EC2 instances.
    • Large number of rules in security group applied to an instance.
    • Overutilized EBS Magnetic volumes.
    • EC2 to EBS throughput optimisation.
    • AWS CloudFront CDN optimisation.
  • Service Limits
    • Information about services usage which has reached more than 80% of its service limit.
  • Important Points to note.
    • Many checks are only available for Business and Enterprise support customers.
    • Customers with BASIC (Core Checks) support only get
      • Service limits
      • Security
        • S3 Bucket permissions.
        • Security groups – specific ports unrestricted.
        • IAM Use.
        • MFA on Root account.
        • EBS public snapshots.
        • RDS Public snapshots.

AWS Athena

This service allows you to anayse data from S3 Buckets using standard SQL statements, queries are run from the query editor.

You only pay for the queries you run.

  • Use cases
    • Show the number of times user Mark has performed the delete operation between two dates in AWS.
    • Show the number of rejected packers from VPC flow logs and sort them based on IP addresses from the highest to lowest numbers.

VPC Flow Logs

VPC flow logs allow you to capture information related to IP traffic that goes in and out from the network interfaces within the VPC.

  • Important points
    • VPC flow logs are captured at a per network interface level.
  • Options/Configuration
    • Filter
      • Indicates the type of traffic that needs to be logged. Values can be Accepted, Rejected or All.
    • Role
      • The name of the role which has the permission to push events to CloudWatch. In case you don’t have any role, you can select Set Up Permissions link and that would help you set up a role.
    • Destination log group
      • The name of the log group where the vpc flow logs will be stored.
  • Most records are either ACCEPT OK, which means accepted or REJECT OK which means blocked.
  • Sample VPC flow log
    • 2 182607422 eni-fa865da4 172.31.10.50 172.31.10.69 443 10828 6 2 112 1527046252 1527046310 ACCEPT OK
version2
Account-id 182607422 
interface-ideni-fa865da4 
srcaddr172.31.10.50
dstaddr172.31.10.69
Src port443
Dest port10828
protocol6
packets2
bytes112
  • Interesting Point
    • Protocol number used instead of TCP or UDP etc
      • TCP protocol  number 6.
      • ICMP protocol number 1.
      • UDP protocol number 17.

S3 Event Notification

AWS S3 event notification allows you to receive notifications whenever a specific event occurs within the S3 bucket.

  • Use cases relating to notifications of activity associated with an S3 bucket. The S3 event notification is the right option.

AWS Macie

AWS Macie is a service that can automatically classify the data stored in S3 buckets based on the regexes configured.

  • Do remember that Macie CANNOT scan the encrypted objects within S3.

AWS Organisations

  • A service that provides centralised policy management as well as consolidated billing for multiple AWS accounts.
  • By using Service Control Policies (SCP) you can create centralised permissions and associate it with various Organisational Units.
  • AWS organisations allow customers to group the child accounts in the form of OU and SCP can be applied at the OU level

Firewalls and the like.

  • Security Group is a STATEFUL firewall.
  • NACL (Network Access Control List) is a STATELESS firewall.
    • Number rule. The lower the number has a HIGHER order of precedence.
    • If the request matches a lower numbered rule, then the request is processed according to the action specified in that rule irrespective of what higher order rule says.
  • Web Application Firewalls
    • Can ONLY be associated with ELB (Elastic Load Balancer), CloudFront and API Gateway.
  • EC2 Instance pairs
    • keys will stay with the EC2 in the authorised_keys file until you manually remove them.
    • If a new EC2 instance is launched based on the AMI of the first. The new key will be appended to the authorised_keys file.
  • CloudFront
    • Origin Access Identity (OAI) is generally used to lock the access to the S3 Bucket so that the requests can only be accepted from the CloudFront distribution.
  • Intrusion Prevention System
    • AWS does not support and SPAN functionality.
    • IPS needs to be installed in the EC2 instance.
    • IPS can either send the network traffic to the IPS Server for analysis or analyse is on the EC2 instance itself.
  • Instance Meta-Data
    • Meta-Data information including IAM secret credentials can be accesses via the EC2 instance.
    • To block a regular user from accessing these credentials, you cab make use of IP Tables.
  • API Gateway
    • Supports caching functionality.
    • API Gateway throttling. Supports steady state requests of 10,000 requests per second with bursts of 5000 requests.
    • Limit can be raised by contacting and creating an AWS support request.
  • DDOS Mitigation
  • Direct Connect
    • Direct connect is a dedicated connection between your on site kit and AWS.
    • It is region specific except for the US region.
    • The traffic in Direct Connect is not encrypted.
    • If you need encryption, then you need to user a VPN tunnel within the direct connect connection.
  • VPN and Multi-cast
    • Can work based on hardware as well as software VPN’s. In AWS, Multi-cast is not supported; hence, if multicast functionality is required, then it can be made possible through VPN.
  • VPC Peering and Endpoints
    • VPC peering supports inter-region peering
    • It is important to remember that is two VPCs have an overlapping CIDR range then peering is not possible. Transit VPC functionality is also not possible via VPC peering.
    • VPC Endpoints allow connection to various AWS services via their high-speed internal fibre network, which is also referred to as a AWS Private link.
  • Lambda and S3
    • Lambda functions can be integrated with S3 through S3 event triggers.
    • Anytime a specific activity is performed in the S3 bucket, the Lambda function can be triggered.
    • The Lambda function must be able to connect to the S3 bucket.
    • An appropriate IAM role must be associated with the Lambda function.

IAM Identity & Access Management

  • IAM policy evaluation logic follows the approach of “Default Deny”, where, by default everything will have a deny access.
  • Explicit allow can overrule the Default Deny. If an IAM policy has an explicit deny and also allow action, then the explicit deny will have higher precedence.
  • Important concepts to understand
    • Conditions, versions, action, notAction& statement.

S3

  • Three major parts to consider
    • Presign URLs
      • These allow you to create a time expiry URL for an object within the private S3 bucket so that users outside of your AWS account can access these objects.
    • S3 Bucket policies
      • The challenge in cross account bucket policies and how “bucket-owner-full-control” ACL should be present in objects being sent from different accounts.
      • You can add an S3 bucket policy with the condition that only objects which have the “bucket-owner-full-control” should be allowed.
      • There are three ways of assigning permissions to a S3 bucket. These are S3 ACL, IAM Policies, S3 bucket policies.
      • IAM policies are more user-orientated and are attached to user/group/roles.
      • S3 bucket policies are resource based policies and are attached directly to the bucket.
    • Delegation
      • Cross-account roles allow resources from one AWS account to access the resources of another AWS account with the help of IAM roles.
  • S3 Security
  • Cross account IAM role architecture
    • Account 1 (AWS Account that will share its resources to another different AWS account).
      • Create a cross account IAM role in the account whose resources need to be accessed by the delegation account.
      • There are two important points. The Trust relationship and the Role policy.
      • The Trust relationship of the cross account role should allow the destination account to be able to assume the role.
      • When the role is created, the Account 1 Administrator can share the role ARN (Amazon Resource Name) through which the Account 2 principles can assume the role.
    • Account 2 (AWS Account that is going to assumne the role).
      • If an IAM user from Account 2 wants to assume the cross account IAM role created in Account 1, the user should have appropriate assume role policy attached to their principal.
      • One appropriate assume role policy is attached to the principal of Account 1, the user can use the Role ARN or the Role URL to assume the role, and they will get all the permissions associated with the cross account role created in Account 1.

Federation

  • The user signs the identity broker page with the credentials.
  • The Identity Broker will verify the credentials with the backend AD/LDAP.
  • If the credentials are correct and the user belongs to the proper group, the Identity Broker will send a request fot the tokwn and get the authenticated token from the AWS STS service (Security Token Service). Once the token is received, the Identity Broker sends the token back to the authenticated user.
  • The user will use the toke and sends it to the AWS sign-in page of the SAML.
  • Web Identity Federation
    • Web Federation is generally used with users that do not belong within the organisation.

AWS Directory Service

  • Comprised of three major components
    • Simple AD
      • Usefull for installations, where basic features are needed. It does now support various important features such as DNS, MFA, FSMO role transfers and others.
    • Microsoft AD
      • Full fledged AD Server. Two editions, Standard (SME upto 5000 users) & Enterprise.
    • AD Connector
      • Gateway the helps to redirect directory requests from cloud resources to the on-premise Microsoft AD. It also comes in small and variants. Small upto 500 (Hundred) Users. Large upto 5000 (Thousand) Users.

ACM Certificates

  • Exporting Certificates
    • You CAN export PRIVATE certificates from ACM (Amazon Certificate Manager) and use them with EC2 instances, with containers and in on-premises servers.
    • You CANNOT export PUBLIC certificates created from the ACM.
  • Is it possible to use an individual ACM Certificate in more than one region?
    • If you want to associate an ACM certificate with ELB, then the ELB and ACM MUST BE in the same region.
    • For CloudFront, YOU MUST request the certificate in the US EAST (North Virginia) region.
    • ACM additionally can also be associated with the AWS API Gateway service.
  • AWS ACM takes care of the entire cycle of the certificate from issuing to renewing.
    • Two methods for issuing a certificate
      • Email validation
      • DNS

Classic and Application load balancers

There are also Network load balancers, but the section largely skips them. Nework Load Balancers are dealing at Layer 4 of the OSI, TCP, UDP Traffic.

Application Load Balancer

  • Works at Layer 7 (The application layer).
  • Can use features like content-based routing.
  • Content based routing, ALB can distribute the request to a group of servers depending on the URI of the HTTP headers.
  • ONLY Supports HTTP and HTTPS, if other protocols are used, you should consider using NLB or Classic load balancers.

Classic Load Balancer

Security implications of terminating SSL/TLS as the ELB

  • Terminating SSL/TLS at the ELB level will help in saving processing power at the EC2 instance level.
  • Terminate SSL/TLS at the ELB, then the traffic betweeb the load balancer and the EC2 instance WILL BE unencrypted.
  • ALB (Application Load Balancer) will need to decrypt to the traffic to be able to read the HTTP headers based on which routing is done. Once the ALB has decrypted the traffic and read the HTTP headers, it will then encrypt it again before forwarding it to the destination group of servers.

EBS Security

  • If EBS Is encrytped with a KMS CMK and someone deletes the CMK, then your EBS volume will still work correctly because the plain text key is still present in the EC2 memory. However, if you unmount the EBS volume and mount it again, the data WILL NOT be accessible. For such as use case, it is recommended to back up your data.
  • TCP Listeners do not modify any header information, whereas HTTPS does.
  • Perfect Forward Secrecy. You need to enable the ECDHE key exchange in ELB.

CloudHSM

  • CloudHSM is a single tenanted (single physical device only for you).
  • It must be used within the VPC.
  • You can integrate CloudHSM with RedShift and RDS for Oracle.
  • For fault tolerance, you need to build clusters of two CloudHSM.
  • AWS users SafeNet Luna SA 7000 HSM appliance for CloudHSM.

Dynamo DB Security

  • ‘Dynamo DB Encryption Client’ libraries are used to encrypt data at the origin before it is stored in the DynamoDB Table.

Container Security

  • Run Containers in protected networks to prevent any unauthorised access.
  • Sanitise the logs and output files for any retrieved secrets.
  • Modifications to the container should now be allowed in production.
  • Parameterised codes should be user so that the value (secrets) can be pulled from the centralised secret server. The centralised server can be S3, Parameter Store and even Secrets Manager at the time of executions.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this:
search previous next tag category expand menu location phone mail time cart zoom edit close