AWS Certified Security Specialty - SCS-C02 Study notes

From Cramsession
Revision as of 22:55, 25 July 2024 by Mflavell (talk | contribs)

Lambda

  • Set up one role per Lambda function; don't reuse roles
  • Expose a function via API Gateway
  • Don't store passwords in the function - use AWS Secrets Manager

Route 53

  • Most important features
    • Registration
    • DNS Service
    • Health Checks

Domain vs Hosted Zone

  • Domain is a construct of DNS servers that associates a name with a resource
  • Domains have zone files
    • Zone files are a text mapping of different resources.

Route 53 health checks

  • Allows the checking of application health.
  • Can be used to reroute traffic if a resource is unhealthy

Checking Health of an endpoint

  • Create a check from Route 53
  • Checks can be done on an IP address or domain name
      • Can also be a URL that contains data from services
      • These can mirror the actions a user would normally perform
  • Calculated health checks act as a root health check
      • Monitor other health checks
      • Can fail before the origin is considered unhealthy
      • This will fail if any of its alarms go off.

Route 53 Security Considerations

  • Use Route 53 health checks with CloudWatch to monitor services
  • Make sure DNS Entries have auto-renew enabled
  • Enable DNS query logging

RDS Services

  • Removes the overhead of having a DBA on staff.
  • Read replicas are easy to provision with RDS.
    • These are read-only and will not allow writes.
  • An instance can be made HA replicating to another region or AZ.
    • A replicated primary cannot serve any other function.
      • It cannot work as a read replica.
  • Read replicas can be promoted to a standalone database
    • If promoted, they will no longer stay in sync with the master.

RDS Security Considerations

  • Don't use the AWS root user to create and manage resources.
  • Use security groups to control which IPs and services can connect to RDS instances
    • Remember Least privilege
  • Use encryption to protect RDS data and snapshots
  • Use least privilege when granting permissions to the database
  • Use AWS Backup to back up data via cross-account backups.

Amazon Aurora

  • This is an alternative to Oracle and MS SQL without licensing problems.
  • Is compatible with MySQL and PostgreSQL
  • It can be run serverless or as a cluster.

Key Value Databases

  • An example is Dynamo DB
  • They store key value pairs
  • Designed for performance and scalability
  • Each key is a UID that pulls a value from the database.

In Memory Databases

  • All data is stored in RAM
  • Uses specialized hardware
  • Offers fast performance and very low latency
  • More expensive due to the use of RAM
  • Can be used as a caching layer to reduce application latency.
  • AWS offers the service as ElastiCache
    • Two different engines: Redis and Memcached
    • Clusters use SSDs that enable encryption at rest.
    • Other in-memory databases may just run in RAM.

Document Databases

  • Non Relational database that stores documents
  • Allows data to be stored in a JSON type format
  • No Fixed Schema
  • Documents can be nested inside each other
  • AWS offers DocumentDB, a managed document database compatible with MongoDB
  • Good if you don't want the admin aspects of a database.

Message and Queuing systems

  • Used to decouple components
  • Increases resiliency

SNS - Simple Notification Service

  • Allows services to send notifications (SMS / email / push) to end users
  • No complex programming required
  • AWS services (such as CloudWatch) can use SNS.
  • SNS is a publisher/subscriber system
    • Publishers push a message to a topic
    • Consumers subscribe to a topic
    • The topic is a channel that sends the message to multiple consumers
    • The publisher only sends the message once

Security Considerations for SNS

  • Only apply the minimum permissions necessary to perform the work (least privilege)
  • An application sending or receiving messages does not need administrative permissions for the topic.
  • Enforce encryption for data in transit
    • HTTPS instead of HTTP when sending messages to a topic.
  • Use VPC endpoints to access SNS
    • Route requests from hosts through VPC endpoints rather than the public internet; keep data off the internet

SQS Simple Queue Service

  • Requests can be held until they are ready to be processed.
  • Allows decoupling of services

Two Flavors:

  • FIFO Queues
    • FIFO - exactly-once delivery (no duplicates)
    • Messages are processed in the order they are received.
  • Standard Queues
    • At-least-once delivery - a message could be delivered more than once.
    • Duplicates can occur due to technical issues or high load.
    • Best effort to preserve the ordering.
  • SQS is a distributed queuing system
    • Spread across different regional nodes
    • This gives it high scalability, reliability, and availability
  • SQS allows for server-side encryption
    • Use an AWS KMS key or a customer managed key
  • Access to SQS can be controlled via access control policies.
    • Controls who can produce and consume messages
  • Producers place messages
  • Distributed for redundancy
    • Distributed to different AZ in the region for redundancy
    • Each message is stored at least twice on different nodes

Consuming of messages

  • Can be a long or short poll
  • Consumers detect and pull down messages
  • Messages are flagged once they are pulled down
    • A visibility timeout begins when a message is pulled down
    • While it is flagged, no other consumer can pull the message
  • Once a consumer has processed a message, it deletes the message
    • This deletes it from all nodes of the distributed queue.
    • If the message is not deleted before the visibility timeout expires (i.e. it still exists in the queue), the flag is cleared and another consumer can pull it.
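Added example (not from these notes or from AWS): a toy in-memory model of the visibility timeout described above. It assumes a simulated clock and a 30-second timeout, and shows a second consumer being blocked while a message is in flight, the message being redelivered once the first consumer fails to delete it in time (the "at least once" case), and the delete removing it for good.

```python
"""Toy model of SQS visibility-timeout semantics (added example, not AWS code).

A received message is hidden from other consumers until its visibility
timeout expires.  If the consumer deletes it in time it is gone for good;
otherwise it becomes visible again and another consumer can receive it.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Message:
    message_id: str
    body: str
    receive_count: int = 0
    invisible_until: float = 0.0       # simulated clock time; 0 means visible now
    last_receiver: Optional[str] = None


@dataclass
class ToyQueue:
    visibility_timeout: float = 30.0   # seconds, like the SQS queue attribute
    _messages: dict = field(default_factory=dict)

    def send(self, message_id: str, body: str) -> None:
        self._messages[message_id] = Message(message_id, body)

    def receive(self, consumer: str, now: float) -> Optional[Message]:
        """Return the first visible message and hide it until the timeout expires."""
        for msg in self._messages.values():
            if msg.invisible_until <= now:
                msg.receive_count += 1
                msg.invisible_until = now + self.visibility_timeout
                msg.last_receiver = consumer
                return msg
        return None   # nothing visible: every message is in flight, or the queue is empty

    def delete(self, message_id: str) -> bool:
        """A consumer that finished processing deletes the message from the queue."""
        return self._messages.pop(message_id, None) is not None

    def size(self) -> int:
        return len(self._messages)


def simulate() -> dict:
    """Walk one message through receive, timeout, redelivery and delete."""
    q = ToyQueue(visibility_timeout=30.0)
    q.send("m1", "order-1001")                       # constructed sample message

    first = q.receive("consumer-A", now=0.0)         # A receives m1; the timer starts
    blocked = q.receive("consumer-B", now=10.0)      # B sees nothing: m1 is in flight
    redelivered = q.receive("consumer-B", now=31.0)  # A never deleted it; timeout expired, B gets it
    q.delete("m1")                                   # B finishes and deletes the message
    after_delete = q.receive("consumer-A", now=32.0) # nothing left for anyone

    return {
        "first_id": first.message_id,
        "blocked": blocked is None,
        "redelivered_id": redelivered.message_id,
        "receive_count": redelivered.receive_count,
        "redelivered_to": redelivered.last_receiver,
        "after_delete": after_delete is None,
        "remaining": q.size(),
    }


if __name__ == "__main__":
    print(simulate())
```

The receive_count of 2 is the point: a consumer that crashes or runs past the timeout hands the same message to someone else, so consumers must be idempotent, and the timeout should be longer than the expected processing time.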

Securing SQS

  • Least privilege when granting access to SQS Queues.
  • Create a separate role for admins who manage queues but do not need to consume or publish messages. Change but no touchy.
  • Implement server-side encryption
  • Use VPC endpoints to access SQS; don't route over the internet
  • Make sure SQS queues are not publicly available.
  • Don't use a wildcard * in access policies; call the queue out directly.

SQS or SNS

Ask a simple question...

  • SQS - Messages will only be consumed by my application.
  • SNS - Multiple sources will consume messages.
  • SQS is a Queue - You are waiting for one thing in one line - Like the checkout line at store.
  • SNS is a notification - You don't care who services you; it is a notification of availability. You are asking for help rather than waiting for it.

Simple Email Service

  • Send emails without running an SMTP server
  • Can only receive email in 3 regions
    • us-east-1 N Virginia
    • us-west-2 Oregon
    • eu-west-1 Ireland
  • Can send from over 18 regions.

Trust is provided by

  • DKIM Records in the email headers
  • Can be verified by the mail server

What is DKIM

Security considerations for SES

  • Use with VPC endpoints - Keep traffic off the internet [1]
  • Turn on CloudTrail - capture API activity
  • Use IAM to control access to SES - you don't want to be a spam bot

API Gateway

  • Protects a web service
  • Can be used for AWS web services like RDS and Lambda
  • AWS manages the underlying infrastructure
    • Think of gateway as a service
    • Enables developers to focus on the data rather than the security

Security Considerations for API Gateway

  • Enable logging - gather logs in CloudWatch - see what is happening.
  • Enable integration with the web application firewall
  • Add CloudWatch alarms
  • Use Authentication and Authorization
    • Can be API Keys / AWS IAM Roles
  • Use API rate limiting / throttling.
    • This can protect from abusive use

Trusted Advisor

[2]

Runs security checks on accounts.

  • MFA on root account
  • S3 Bucket permissions
  • Public EBS snapshots
  • Public RDS snapshots
  • Open access on security groups
  • IAM users in use
  • Service limits
  • Every account has trusted advisor.

Checks five areas:

  • Cost optimization - Can you save money?
  • Performance - Is anything overutilized?
  • Security - Weaknesses in the account?
  • Fault tolerance - Adequate resiliency?
  • Service Limits - Are you close to 80% of allotted limits?

Detection Evasion

CloudTrail

  • CloudTrail will capture all events [3]
  • A bad actor will first try to disable CloudTrail logs.
    • A service control policy (SCP) can prevent this.
    • The SCP is pushed down from the top of the organization and affects all accounts.
    • Another method is to enable CloudTrail log file integrity validation (the log file validation option).
  • CloudTrail shows who did what - think of it as the AWS black box.
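Added example, not from these notes or from AWS: an SCP document that denies the API calls used to switch a trail off, plus a small evaluator that shows which attempted actions it blocks. The SCP is real policy syntax; the evaluator is a deliberately simplified model (explicit Deny statements only, wildcard matching on action and resource) of how the policy reads, not AWS's own evaluation logic.

```python
"""SCP that blocks turning off CloudTrail, with a toy Deny evaluator.

Added example; the policy document is constructed for the demo and the
evaluator models only explicit Deny statements.
"""
import fnmatch
import json

# Constructed SCP: attached at the organization root it applies to every
# member account, so even an account administrator cannot stop the trail.
CLOUDTRAIL_GUARD_SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyDisablingCloudTrail",
            "Effect": "Deny",
            "Action": [
                "cloudtrail:StopLogging",
                "cloudtrail:DeleteTrail",
                "cloudtrail:UpdateTrail",
                "cloudtrail:PutEventSelectors",
            ],
            "Resource": "*",
        }
    ],
}


def _as_list(value):
    """Policy elements may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def scp_denies(scp: dict, action: str, resource: str = "*") -> bool:
    """True if any Deny statement in the SCP matches the action and resource.

    IAM action and resource patterns use '*' and '?' wildcards, which fnmatch
    understands; action names are matched case-insensitively as IAM does.
    """
    for stmt in scp["Statement"]:
        if stmt.get("Effect") != "Deny":
            continue
        action_hit = any(
            fnmatch.fnmatchcase(action.lower(), pattern.lower())
            for pattern in _as_list(stmt.get("Action", []))
        )
        resource_hit = any(
            fnmatch.fnmatchcase(resource, pattern)
            for pattern in _as_list(stmt.get("Resource", []))
        )
        if action_hit and resource_hit:
            return True
    return False


def blocked_actions(scp: dict, attempted: list) -> list:
    """Filter a list of attempted API actions down to those the SCP denies."""
    return [a for a in attempted if scp_denies(scp, a)]


if __name__ == "__main__":
    print(json.dumps(CLOUDTRAIL_GUARD_SCP, indent=2))
    attempts = ["cloudtrail:StopLogging", "cloudtrail:LookupEvents", "ec2:DescribeInstances"]
    print(blocked_actions(CLOUDTRAIL_GUARD_SCP, attempts))
```

The SCP deliberately leaves read-only calls such as LookupEvents alone: the goal is to stop the trail from being silenced, not to stop people using it.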

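Added example, not from these notes or from AWS's validation tooling: a simplified model of the log file integrity validation mentioned above. Each digest lists the SHA-256 of every log file delivered in its window and carries the hash of the previous digest, so a modified or deleted log file, or a removed digest, breaks the chain. The real digests are additionally RSA-signed by CloudTrail; that part is omitted here, and the log file bodies are constructed.

```python
"""Simplified model of CloudTrail digest-chain validation (added example).

Real digests carry more fields and an RSA signature; this keeps only the
per-file hashes and the link to the previous digest.
"""
import hashlib
import json


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_digest(log_files: dict, previous_digest_hash: str) -> dict:
    """Digest for one delivery window: file names + hashes, chained to the prior digest."""
    return {
        "logFiles": [
            {"name": name, "hashValue": sha256_hex(body)}
            for name, body in sorted(log_files.items())
        ],
        "previousDigestHashValue": previous_digest_hash,
    }


def digest_hash(digest: dict) -> str:
    # Canonical JSON so the same digest always hashes to the same value.
    return sha256_hex(json.dumps(digest, sort_keys=True, separators=(",", ":")).encode())


def validate_chain(digests: list, stored_logs: dict) -> list:
    """Walk the digest chain; return a list of problems (empty means everything verified)."""
    problems = []
    expected_prev = ""   # the first digest in a chain has no predecessor
    for i, digest in enumerate(digests):
        if digest["previousDigestHashValue"] != expected_prev:
            problems.append(f"digest {i}: chain broken (previous digest missing or altered)")
        for entry in digest["logFiles"]:
            body = stored_logs.get(entry["name"])
            if body is None:
                problems.append(f"digest {i}: log file {entry['name']} has been deleted")
            elif sha256_hex(body) != entry["hashValue"]:
                problems.append(f"digest {i}: log file {entry['name']} was modified")
        expected_prev = digest_hash(digest)
    return problems


# Constructed log files (real ones are gzipped JSON event records).
LOGS = {
    "trail/2024/07/25/events-0800.json": b'{"Records":[{"eventName":"StopLogging","userIdentity":{"userName":"ops"}}]}',
    "trail/2024/07/25/events-0900.json": b'{"Records":[{"eventName":"ConsoleLogin","userIdentity":{"userName":"alice"}}]}',
}


def demo() -> dict:
    """Build a two-digest chain and show which tampering each check catches."""
    names = list(LOGS)
    d0 = build_digest({names[0]: LOGS[names[0]]}, "")
    d1 = build_digest({names[1]: LOGS[names[1]]}, digest_hash(d0))
    chain = [d0, d1]

    clean = validate_chain(chain, LOGS)

    # A log file edited after delivery (here, to hide the StopLogging record)
    tampered = dict(LOGS)
    tampered[names[0]] = b'{"Records":[]}'
    edited = validate_chain(chain, tampered)

    # A log file removed outright, and an earlier digest removed from the chain
    deleted = validate_chain(chain, {names[1]: LOGS[names[1]]})
    missing_digest = validate_chain(chain[1:], LOGS)

    return {"clean": clean, "edited": edited, "deleted": deleted, "missing_digest": missing_digest}


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result or "verified")
```

The digests only help if they are stored somewhere the account being watched cannot rewrite, which is why validation pairs with the SCP above and with delivering the trail to a separate, tightly controlled logging account.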

CloudWatch

  • Cloudwatch can provide proactive monitoring.

IAM Policies

  • Principal - who is allowed or denied access.
  • Wildcard can be used - designated by a *
    • If the principal or resource of a policy is a wildcard, the policy is vulnerable to misuse.
  • Policies should be defined with least privilege in mind.
  • Policy variables can be used in the JSON policy document.
    • Prevents hardcoding the resource into the document.
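Added example, not from these notes: a small linter for the wildcard problems called out both under "Securing SQS" (don't use * in access policies) and here under IAM policies (a wildcard principal or resource makes the policy vulnerable). It flags a * principal, a * resource, or a * action on any Allow statement, and is run over a constructed public queue policy beside a least-privilege version of the same intent. The account id, role name and queue name are placeholders.

```python
"""Wildcard linter for IAM / SQS policy documents (added example).

Flags Allow statements whose Principal, Resource or Action is a wildcard;
the sample policies are constructed for the demo.
"""
import json


def _as_list(v):
    """Policy elements may be a single string or a list; normalise to a list."""
    return v if isinstance(v, list) else [v]


def _principal_is_wildcard(principal) -> bool:
    # "Principal": "*" and "Principal": {"AWS": "*"} both mean "anyone".
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any("*" in _as_list(v) for v in principal.values())
    return False


def lint_policy(policy: dict) -> list:
    """Return (Sid, finding) pairs for overly broad Allow statements.

    Deny statements are skipped: a broad Deny narrows access rather than widening it.
    """
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", f"statement[{i}]")
        if "Principal" in stmt and _principal_is_wildcard(stmt["Principal"]):
            findings.append((sid, "wildcard Principal: anyone can use this statement"))
        if "*" in _as_list(stmt.get("Resource", [])):
            findings.append((sid, "wildcard Resource: name the target ARN explicitly"))
        if any(a == "*" or a.endswith(":*") for a in _as_list(stmt.get("Action", []))):
            findings.append((sid, "wildcard Action: list only the operations needed"))
    return findings


# Constructed: a public queue policy of the kind the notes say to avoid.
WEAK_QUEUE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "OpenToTheWorld",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "sqs:*",
        "Resource": "*",
    }],
}

# Constructed: the same intent scoped to one producer role, two operations and
# one queue.  The account id, role and queue name are placeholders.
LEAST_PRIVILEGE_QUEUE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "ProducerOnly",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111122223333:role/order-producer"},
        "Action": ["sqs:SendMessage", "sqs:GetQueueUrl"],
        "Resource": "arn:aws:sqs:us-east-1:111122223333:orders-queue",
    }],
}


if __name__ == "__main__":
    for name, pol in [("weak", WEAK_QUEUE_POLICY), ("least-privilege", LEAST_PRIVILEGE_QUEUE_POLICY)]:
        print(name, json.dumps(lint_policy(pol), indent=2))
```

The same function works on identity-based IAM policies, which have no Principal element: there it reports only the Resource and Action wildcards.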

Vulnerable AWS Credentials

  • Access keys and secret keys could be vulnerable.
    • They should be rotated.
    • They are tied to users and inherit the users' rights.
  • Create a policy to rotate keys every 90 days.
  • Check to ensure secrets are not hard coded.
    • git-secrets can do this
  • Use AWS Security Token Service [4]
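Added example, not from these notes: a check that reads an IAM credential report and flags the things this section and the later "If you suspect unauthorized activity" checklist care about - access keys older than the 90-day rotation rule, active keys that have never been used, any root account access key, and a root account without MFA. The CSV is constructed for the demo and uses only a subset of the real report's columns; the account id and user names are placeholders, and "now" is fixed so the result is reproducible.

```python
"""Audit an IAM credential report for stale, unused and root access keys (added example).

The sample report is constructed and contains only some of the real report's
columns; dates use the report's ISO-8601 format and its N/A / no_information markers.
"""
import csv
import io
from datetime import datetime, timedelta, timezone

MAX_KEY_AGE = timedelta(days=90)

# Constructed sample report (placeholder account id and users).
SAMPLE_REPORT = """\
user,arn,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
<root_account>,arn:aws:iam::111122223333:root,false,true,2023-01-10T00:00:00+00:00,no_information,false,N/A,N/A
alice,arn:aws:iam::111122223333:user/alice,true,true,2024-06-01T00:00:00+00:00,2024-07-20T08:30:00+00:00,false,N/A,N/A
bob,arn:aws:iam::111122223333:user/bob,true,true,2024-01-15T00:00:00+00:00,2024-07-24T17:45:00+00:00,false,N/A,N/A
ci-deploy,arn:aws:iam::111122223333:user/ci-deploy,false,true,2024-07-01T00:00:00+00:00,N/A,true,2024-02-01T00:00:00+00:00,2024-03-01T00:00:00+00:00
"""

NOW = datetime(2024, 7, 25, tzinfo=timezone.utc)   # fixed clock for the demo


def _parse_ts(value: str):
    """Report dates are ISO-8601; the marker values mean 'no date available'."""
    if value in ("N/A", "no_information", "not_supported", ""):
        return None
    return datetime.fromisoformat(value)


def audit_credential_report(report_csv: str, now: datetime = NOW) -> list:
    """Return (user, key_slot, code, detail) findings; key_slot is None for account-level findings."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        is_root = user == "<root_account>"
        if is_root and row["mfa_active"] != "true":
            findings.append((user, None, "root_no_mfa", "enable MFA on the root account"))
        for slot in ("1", "2"):
            if row[f"access_key_{slot}_active"] != "true":
                continue   # inactive or absent keys cannot be used
            rotated = _parse_ts(row[f"access_key_{slot}_last_rotated"])
            last_used = _parse_ts(row[f"access_key_{slot}_last_used_date"])
            if is_root:
                findings.append((user, slot, "root_key", "root access keys should not exist: delete"))
            if rotated is not None and now - rotated > MAX_KEY_AGE:
                age = (now - rotated).days
                findings.append((user, slot, "stale_key", f"{age} days since rotation (limit 90)"))
            if last_used is None:
                findings.append((user, slot, "unused_key", "active key has never been used: deactivate, then delete"))
    return findings


if __name__ == "__main__":
    for user, slot, code, detail in audit_credential_report(SAMPLE_REPORT):
        print(f"{user:<15} key{slot or '-'}  {code:<11} {detail}")
```

The "deactivate, then delete" wording mirrors the rotation procedure later in these notes: an unused key is deactivated first so that anything still depending on it fails loudly before the key is gone.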

DDoS Protection

Types of attack

Not tested in exam

  • SYN Flood
  • HTTP Flood
  • Ping of death
  • Reflection attack

WAF

  • Use a WAF - Web application firewall [5]
    • Load balancers and CDNs such as CloudFront should be behind the WAF
  • The WAF uses rules to block web requests.
  • AWS WAF will protect against malicious attacks defined in the OWASP top 10.

WAF has three components:

  • Web ACL - Protect resources using rules and rule groups.
  • Rules - If / Then statements - what to inspect and block.
  • Rule Groups - Permits rules to be grouped together.

Security automations for WAF help deploy preconfigured rules to protect against:

  • SQL Injection
  • Cross Site Scripting
  • HTTP Floods
  • Scanners and Probes
  • Known attackers (based on IP reputation)
  • Bots and scrapers

AWS Shield

  • Can protect against more complex attacks than the WAF
  • Shield is targeted for DDoS attacks:
    • Such as volumetric attacks [6]
    • State exhaustion attacks [7]

It comes in two Flavors:

  • AWS Shield Standard
    • Standard comes with every AWS account
  • AWS Shield Advanced
    • Advanced costs more for additional features
    • Advanced provides more complex protection against attacks.

CPSA - Cloud Security Posture Assessment

  • Need to give read-only permissions to the tool performing the assessment.
  • This is done using a role.
  • CPSA thoroughly looks at the cloud security posture.
  • Uncovers weaknesses that can be exploited.

Common vulnerabilities discovered are:

  • RDS - backups not enabled
  • EC2 - Instance exposed to the internet
  • CloudTrail - log validation not enabled.
  • IAM - No multifactor on Root account

Security Best Practices

  • Use a strong identity foundation
    • Least privilege
    • Segregate user and group roles by job function permissions.
  • Enable traceability - See what is happening and record it.
  • Security at all layers - layered security.
    • Defense in-depth approach.
    • Implement security controls at every boundary, not just the edge.
  • Automate security
    • Infrastructure as code - enables rapid rebuild and recovery
    • Automated response to security incidents.
  • Protect data at rest - Disk encryption.
  • Protect data in transit - SSL.
  • Keep people away from data.
    • Tight controls over who / what has access.
    • Minimise exposure of data
    • Need to know / Need to access
    • Only enough rights to perform a specific function.
  • Be ready for security events - they will happen.
    • Policy and process in place before an event occurs.

Incident Response

  • Preparation
    • Be ready to detect and respond to incidents
    • Playbooks and runbooks.
    • Automated responses.
    • Focus on a rapid response to incidents.
  • Operations
    • When an incident has occurred.
    • Follow NIST phases
      • Detect > Analyze > Contain > Eradicate > Recover
  • Post-incident
    • Understand what happened.
    • Lessons learned.

Containment

AWS Recommends a containment policy

  • Stops / Prevents damage
  • Preserves evidence
  • Response will take time to implement
  • Unsure of the effectiveness of the response
  • Unsure how long the response will be effective

Destination containment:

  • Can shut down an instance
  • Detach the instance from an ASG or network.
  • NACL deny rules - Contain at the network level

Technique and access containment:

  • Limit actions of IAM principals on resources
    • This can involve removing keys
    • Remove previously generated access privileges

Common Approach to an Infrastructure security incident

  • Capture - Get metadata/logs before making changes.
  • Protect - Prevent the EC2 instance from being terminated while under investigation.
  • Isolate - Modify the security group or update the NACL
  • Detach - Remove from autoscaling groups
  • Deregister - Remove from any ELB
  • Snapshot - Take a snapshot of EBS volumes
  • Tag - Use tags to mark the instance for investigation.

Logging

Logging allows a baseline to be established.

  • What is normal
  • What is abnormal
  • Allows you to get the state of the environment before, during, and after the attack.
  • Logs should be readily available to the audit and security teams when needed.

EventBridge

  • Can trigger actions on other services. [8]

Amazon Detective

  • This is a security service
  • Uses machine learning for statistical analysis
  • Collects logs from several services
    • VPC Flow logs
    • Cloud Watch
    • Amazon GuardDuty

Amazon GuardDuty

  • Region managed service
  • Powered by machine learning
  • Monitors logs from other services
    • VPC Flow logs
    • CloudTrail event logs
  • GuardDuty looks at the logs to uncover unusual activity.

Amazon Macie

  • Machine learning service
  • Used to classify sensitive data that may contain PII
  • Enables you to fix and tighten security policies.

AWS Security Hub

  • Integrates the security tools
  • Works with AWS and partner tools
  • Think of it as a window into the security infrastructure.
  • Displays all the security statistical data in one place.
  • This is an always-on service.
  • Can work across multiple accounts
    • With multiple accounts, this is a primary/subordinate relationship.
  • Find weaknesses early
  • Find compliance issues early
    • Avoid vulnerabilities

If you suspect unauthorized activity

  • Have any new resources been created?
  • Any access or changes to the account?
  • Check IAM service for unauthorized changes.
  • Run a credential report on the account - when was the last time a password/key was used
  • Run trusted advisor reports - look for new violations.
  • Go to Cost Explorer to see whether any services were spun up or down.


What to do if you find abuse

Access keys

  • Rotate and delete any access keys
    • Create new access keys and secret keys in IAM
    • This approach uses IAM to lock the user out (Change the keys to the house!)


  • Issue new keys to authorized applications
    • Deactivate the original key
      • Do not delete the original key
    • Verify apps are functional
      • Remove the original key
  • Delete any root account access keys you did not use or create


Credentials

  • Delete any users that you did not create.
  • Select each user
    • Add the permission AWSExposedCredentialPolicy_DO_NOT_REMOVE
    • If this policy is already attached, rotate the access keys.
    • Repeat for all valid users
  • Change all passwords for all users

Verify your AWS account information

  • Account name and email.
  • Contact information.
  • Alternate Contacts.