Logical Enigma
AWS Notes

Security

Reducing security threats

  • NACL - block bad actor
  • Host-based firewall - firewalld, ufw, Windows firewall
    • ALB makes it a bit harder
    • Can allow only ALB SG on EC2 instances
  • NLB - traffic passes through NLB
  • Web Application Firewall (WAF) - IP blocking and filtering, preconfigured injections (SQL Injections, etc - Layer 7)
    • Can attach to CloudFront or ALB
  • CloudFront Geo Match can also block countries

Key Management Service (KMS)

  • Regional secure key management enc/dec
  • Managed customer master keys (CMKs)
  • Ideal for S3 objects, db passwords, api keys stored in Systems Manager Parameter Store
  • Encrypt/Decrypt data up to 4KB in size
  • Pay per API call
  • Audit capability using CloudTrail - logs to S3
  • FIPS 140-2 Level 2 - must provide evidence of tampering
  • Level 3 is covered by CloudHSM
  • Types of CMK
    • AWS Managed CMK - Free; used by default
    • Customer Managed - Allows key rotation, controlled via key policies and can be enabled/disabled
    • AWS Owned CMK - shared basis, typically don’t see
  • Symmetric - same key for enc/dec AES-256. Never leaves AWS unencrypted , used by AWS services. Can generate data keys, data key pairs, random byte strings. Import your own key material
  • Asymmetric - public/private key pair. RSA (older) and elliptic-curve cryptography (ECC). Private key never leaves AWS unencrypted. Download the public key and use outside AWS (especially if can’t call KMS apis). AWS services integrated w/ KMS do no support asymmetric CMKs. Sign messages and verify signatures.
  • For > 4Kb - can use “envelope encryption”, which is more network efficient

CloudHSM

  • Dedicate hardware security modules
  • FIPS 140-2 Level 3 - key data is removed if physical enclosure is opened
  • Manage your own keys
  • Single tenant, multi-AZ cluster
  • No access to the AWS-managed component
  • Runs w/in VPC in your account - exposes ENI
  • Suggested at least 2 AZ
  • Industry-standard APIs
  • PKCS#11
  • Java Cryptography Extensions (JCE)
  • Microsoft CryptoNG (CNG)
  • Keep your keys safe - irretrievable if lost

Systems Manager Parameter Store

  • Servlerless
  • Passwords, db cons strings, license codes, api keys
  • Values can be stored encrypted (KMS) or plaintext
  • Separate from source control
  • Store in hierarchies - up to 15 levels
  • Track Versions
  • Set TTL to expire values
  • Paths: /prod/db/mysql/db-string - GetParametersByPath
  • Can grant to specific path
  • Integration w/ CloudFormation

Secrets Manager

  • Similar to parameter store - no charges up to 10K API Calls
  • Secrets manager has cost
  • Secrets manager can automatically rotate secrets
  • Apply the new key/password in RDS for you
  • Generate random secrets - in cloud formation or use in own code
  • Shared across accounts

AWS Shield

  • Mitigate DDoS
  • AWS Shield Standard - automatically enabled for all customers at no cost, common layer 3/4 attacks
    • SYN/UDP floods
    • Reflection attacks (source is spoofed)
  • AWS Shield Advanced
    • $3,000 per month per org
    • Enhanced protection for EC2, ELB, CloudFront, Global Accelerator, Route 53
    • Business/Enterprise support sutlers get 24x7 access to the DDoS Response Team (DRT)
    • DDoS cost protection

Web Application Firewall (WAF)

  • lets you monitor http(s) to CloudFront, ALB or API Gateway
  • Control access to content
  • Configure filter rules to allow/deny traffic
    • IP addresses
    • Query string parameters
    • SQL query injection
  • Blocked traffic return HTTP 403 Forbidden
  • Different behaviors:
    • Allow all requests, except ones you specify
    • Block all requests, except ones you specify
    • Count the requests that match the properties you specify
  • Request properties:
    • Originating IP address
    • Originating country
    • Request size
    • Values in request headers
    • Regex in request
    • SQL code (injection)
    • Cross-site scripting (XSS)
  • AWS Firewall manager
    • Centrally manage firewall rules across an AWS Organization
    • WAF rules:
      • ALB
      • API GW
      • CloudFront distributions
    • AWS Shield Advanced protections:
      • ALB
      • ELB Classic
      • EIP
      • CloudFront distributions
    • Enable security groups for EC2 and ENIs