Network Isolation :
AWS has placed a limited number of access points to the cloud to allow for more comprehensive monitoring of inbound and outbound communications and network traffic. These customer access points are called endpoints. An endpoint is a URL that is the entry point for a web service.
Some services, such as IAM, do not support Regions, so their endpoints do not include a Region. If a service supports Regions, the resources in each Region are independent of those in other Regions. For example, US-West-2 is the entry point for AWS services in that Region. Endpoints support secure HTTP access (HTTPS), which lets you establish a secure communication session with your resources running in AWS services.
AWS offers Amazon Virtual Private Cloud, which provides a private network within the AWS Cloud. Amazon VPC provides not only isolation from other customers in the cloud but also Layer 3 isolation from the internet. Your Amazon VPC uses IP address space that you allocate, which can be used to build a private infrastructure whose networks are isolated from the internet. You can connect your on-premises environment or other VPN infrastructures to Amazon VPC using IPsec tunnels or AWS Direct Connect. And of course, you can allow resources in your VPC to talk to the internet if you choose to do so.
Amazon Virtual Private Cloud (VPC) :
Amazon Virtual Private Cloud (Amazon VPC) lets you provision a logically isolated section of the AWS Cloud where you can launch AWS resources in a virtual network that you define. You have complete control over your virtual networking environment, including selection of your own IP address range, creation of subnets, and configuration of route tables and network gateways. You can use both IPv4 and IPv6 in your VPC for secure and easy access to resources and applications.
Network access control lists (network ACLs) contain rules that allow or deny IP traffic to and from the subnet. They are stateless, so if you allow something in, you must explicitly allow the return traffic out with a separate rule.
Security groups act as firewalls for associated Amazon EC2 instances, controlling both inbound and outbound traffic at the instance level. The difference is that security groups are stateful, so return traffic is automatically allowed, regardless of any outbound rules.
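To make the stateless/stateful distinction concrete, here is an added simulation (not code from the page or from AWS) of one HTTPS request and its reply passing a network ACL and a security group. The rule sets, the client address and the rule-number convention are constructed for the example; it shows why a NACL needs an explicit ephemeral-port egress rule while a security group does not.

```python
import ipaddress

# Constructed sample rules (not from the page). A NACL entry is
# (rule number, action, protocol, (port_lo, port_hi), cidr); entries are
# evaluated in ascending rule-number order, the first match wins, and
# 32767 stands in for the final "*" deny. Security groups only hold allows.
NACL_IN = [(100, "allow", "tcp", (443, 443), "0.0.0.0/0"),
           (32767, "deny", "all", (0, 65535), "0.0.0.0/0")]
NACL_OUT_WITH_EPHEMERAL = [(100, "allow", "tcp", (1024, 65535), "0.0.0.0/0"),
                           (32767, "deny", "all", (0, 65535), "0.0.0.0/0")]
NACL_OUT_NO_EPHEMERAL = [(32767, "deny", "all", (0, 65535), "0.0.0.0/0")]
SG_IN = [("tcp", (443, 443), "0.0.0.0/0")]

def _matches(proto, port, peer_ip, r_proto, ports, r_cidr):
    lo, hi = ports
    return (r_proto in ("all", proto) and lo <= port <= hi
            and ipaddress.ip_address(peer_ip) in ipaddress.ip_network(r_cidr))

def nacl_allows(rules, proto, port, peer_ip):
    """Stateless: every packet, a reply included, is judged on its own."""
    for _num, action, r_proto, ports, r_cidr in sorted(rules):
        if _matches(proto, port, peer_ip, r_proto, ports, r_cidr):
            return action == "allow"
    return False  # nothing matched: deny

def sg_allows_inbound(rules, proto, port, peer_ip, peer_port, tracked):
    """Stateful: an accepted inbound flow is recorded in the tracking table."""
    for r_proto, ports, r_cidr in rules:
        if _matches(proto, port, peer_ip, r_proto, ports, r_cidr):
            tracked.add((peer_ip, peer_port, port))
            return True
    return False

def sg_allows_reply(tracked, peer_ip, peer_port, local_port):
    """Return traffic of a tracked flow is allowed whatever the egress rules say."""
    return (peer_ip, peer_port, local_port) in tracked

def https_round_trip(client_ip, client_port, nacl_out):
    """Simulate one HTTPS request to port 443 and its reply under both controls.
    Returns (nacl_request, nacl_reply, sg_request, sg_reply) booleans."""
    tracked = set()
    nacl_request = nacl_allows(NACL_IN, "tcp", 443, client_ip)
    nacl_reply = nacl_allows(nacl_out, "tcp", client_port, client_ip)
    sg_request = sg_allows_inbound(SG_IN, "tcp", 443, client_ip, client_port, tracked)
    sg_reply = sg_allows_reply(tracked, client_ip, client_port, 443)
    return nacl_request, nacl_reply, sg_request, sg_reply
```

With the ephemeral-port rule missing, the NACL drops the reply even though the security group would have let it through.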
More information is available at: https://aws.amazon.com/vpc/

Q. How do you secure them further when sending traffic between VPCs ?
VPC endpoints (AWS PrivateLink) allow you to route your data through a secure endpoint from one VPC to another. This means the traffic does not leave your AWS infrastructure and does not traverse the Internet, resulting in a safer path of travel.
Using AWS Direct Connect, you can establish private connectivity between AWS and your data center, office, or colocation environment, which in many cases can reduce your network costs, increase bandwidth throughput, and provide a more consistent network experience than Internet-based connections.
More information including pricing for AWS Direct Connect is available at: https://aws.amazon.com/directconnect/.
A route table contains a set of rules, called routes, that determine where network traffic is directed. A default main route table is created for each VPC, and every subnet must be associated with a route table. It doesn’t have to be the main table: you can create a custom route table to route traffic as needed.
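Added example (not from the page or from AWS) of how a VPC route table decides where a packet goes: the most specific matching route wins, and a subnet whose table has no internet gateway route simply has no path to the internet. The VPC range and the gateway ids are constructed placeholders.

```python
import ipaddress

# Constructed route tables (not from the page). Each entry is
# (destination CIDR, target); the target ids are made-up placeholders.
# The "local" route is created automatically and covers the VPC's own range.
PUBLIC_RT = [("10.0.0.0/16", "local"), ("0.0.0.0/0", "igw-PLACEHOLDER")]
PRIVATE_RT = [("10.0.0.0/16", "local"), ("0.0.0.0/0", "nat-PLACEHOLDER")]
ISOLATED_RT = [("10.0.0.0/16", "local"), ("10.1.0.0/16", "pcx-PLACEHOLDER")]

def lookup(route_table, dst_ip):
    """Return the target of the most specific route matching dst_ip
    (longest prefix match, as VPC routing does), or None if no route matches."""
    addr = ipaddress.ip_address(dst_ip)
    best = None
    for cidr, target in route_table:
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None

def reaches_internet(route_table):
    """True only when some route sends non-VPC traffic to an internet gateway."""
    target = lookup(route_table, "93.184.216.34")  # any public address will do
    return target is not None and target.startswith("igw-")
```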
Detective and Auditing :
Detective controls is a term that describes continuous improvement in the monitoring of events and the processing of logs that allow for auditing, automated analysis, and alarming. Detective controls are an essential part of governance frameworks and can be used to support the improvement of your security operations, a legal or compliance obligation, and identification and response efforts. These controls are important reactive factors that can help your organization identify and understand the scope of anomalous activity.
Auditing :
1.AWS CloudTrail :
It enables you to see who is doing what in your AWS infrastructure. You can track activity from the console, API calls, the AWS SDKs, command line tools, and other AWS services, so that you know who’s interacting with your infrastructure. The best part is that it’s enabled by default, and you can view account activity for the past 90 days right in the CloudTrail console.
You can go further and deliver CloudTrail events to Amazon S3, Amazon CloudWatch Logs, and Amazon CloudWatch Events. This allows you to perform analysis, archive events, and even remediate an unexpected change.
You can use CloudTrail to monitor activity related to changing an EC2 security group, and trigger an Amazon CloudWatch alarm when configuration changes happen. Also, don’t forget that you can use CloudWatch Logs to monitor, store, and access your log files from multiple sources.
Use cases :
- to collect and store application logs and server operating system logs.
- use CloudTrail to capture API activities and send them to CloudWatch Logs.
- to log Route 53 DNS queries into CloudWatch Logs.
- use CloudWatch Logs to retain and archive log data in S3.
- use CloudWatch Logs Insights to interactively search and analyze your log data.
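Added example (not the page's or AWS's own code) of the detection described above: scanning CloudTrail records for API calls that change an EC2 security group and flagging any rule opened to 0.0.0.0/0, so the result can feed a CloudWatch alarm or a remediation step. The records are constructed; their field layout follows the CloudTrail log format, and the user names, IP and group id are made up.

```python
import json

# EC2 API calls that change a security group (real API names).
SG_CHANGE_EVENTS = {
    "AuthorizeSecurityGroupIngress", "AuthorizeSecurityGroupEgress",
    "RevokeSecurityGroupIngress", "RevokeSecurityGroupEgress",
    "CreateSecurityGroup", "DeleteSecurityGroup",
}

# Constructed CloudTrail records: the field layout follows the CloudTrail
# log format; the users, IP address and group id are made up for this example.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2024-01-01T10:00:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "requestParameters": {}},
    {"eventTime": "2024-01-01T10:05:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "requestParameters": {"groupId": "sg-0example", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
          "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
]})

def world_open_ports(params):
    """Port ranges in a request whose source range is 0.0.0.0/0 (open to all)."""
    ports = []
    for perm in params.get("ipPermissions", {}).get("items", []):
        for rng in perm.get("ipRanges", {}).get("items", []):
            if rng.get("cidrIp") == "0.0.0.0/0":
                ports.append((perm.get("fromPort"), perm.get("toPort")))
    return ports

def security_group_changes(log_text):
    """Return one alert per security-group-changing API call in a CloudTrail log."""
    alerts = []
    for rec in json.loads(log_text)["Records"]:
        if rec["eventSource"] != "ec2.amazonaws.com" \
                or rec["eventName"] not in SG_CHANGE_EVENTS:
            continue
        params = rec.get("requestParameters") or {}
        identity = rec.get("userIdentity", {})
        alerts.append({
            "time": rec["eventTime"], "action": rec["eventName"],
            "who": identity.get("userName") or identity.get("arn"),
            "from": rec["sourceIPAddress"], "group": params.get("groupId"),
            "world_open": world_open_ports(params),
        })
    return alerts
```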
More information about AWS CloudTrail can be found at: https://aws.amazon.com/cloudtrail/ .
2.AWS Config :
This fully managed service records your AWS resource configuration and changes to that configuration (a configuration history, if you want to think of it that way), and sends change notifications so you’re notified proactively.
Fire up Config, and it will discover these existing AWS resources and generate a full inventory, along with all the actual configuration details, for you. You can then determine how a resource was configured at any point in time. You can even tie this into the aforementioned AWS CloudTrail, so that you gain full visibility into who made the actual change at that point in time and what the change was.
More information about AWS Config can be found at: https://aws.amazon.com/config/
3.AWS Inspector :
Amazon Inspector helps improve the security and compliance of applications deployed on AWS by running automated security assessments that check for deviations from security best practices, network exposure of EC2 instances, and even vulnerabilities.
The service consists of three parts –
- a network configuration reachability assessment, which runs against your specific configuration choices and outputs a list of findings for potential security issues;
- the resulting findings, displayed in the Amazon Inspector console with a detailed description of each security issue and a recommendation on how to fix it;
- an API through which you can retrieve findings, moving toward the best practice of automating your remediation processes.
More information on Amazon Inspector can be found at: https://aws.amazon.com/inspector/

4.Trusted Advisor :
This service assists you in provisioning your AWS resources using best practices. It then produces a report under five different categories –
- cost optimization
- performance
- security
- fault tolerance
- service limits
Once you run Trusted Advisor, you are presented with a report that you can drill down into. Each category produces traffic-light-based recommendations in increasing severity: green means no action recommended, orange means investigation needed, and red means action recommended.
More information about AWS Trusted Advisor can be found at: https://aws.amazon.com/premiumsupport/technology/trusted-advisor/

Amazon GuardDuty :
It is a threat-detection service that continuously monitors for malicious or unauthorized behavior to help you protect your AWS accounts and resources. This service uses machine learning, anomaly detection, and integrated threat intelligence to identify and prioritize potential threats.
You can aggregate GuardDuty findings across multiple accounts. You can also integrate GuardDuty with Amazon CloudWatch Events or your current event management system to alert your security team. Amazon GuardDuty provides three severity levels – low, medium, and high – to help you prioritize responses to potential threats.
- A low severity level indicates suspicious or malicious activity that was blocked before it compromised your resource.
- A medium severity level indicates suspicious activity, for example a large amount of traffic being returned to a remote host that is behind a hidden network.
- A high severity level indicates that the resource in question is compromised and is being actively used for unauthorized purposes. An example of this could be that an EC2 instance has been compromised or a set of IAM user credentials has been stolen.
Amazon GuardDuty offers HTTPS APIs, CLI tools, and Amazon CloudWatch Events to support automated responses to security findings. You can automate the response workflow by having GuardDuty send findings to CloudWatch Events as an event source, which triggers an AWS Lambda function that, for example, updates a security group.
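Added example (not code from the page or from AWS) of the Lambda side of that workflow: a handler that takes a GuardDuty finding delivered by CloudWatch Events, maps its numeric severity to the low/medium/high bands, and decides the response. The event is constructed, its layout following the GuardDuty finding format with made-up ids; the actual EC2/IAM API calls that would carry out the chosen action are deliberately left to the deployment.

```python
# Constructed CloudWatch Events payload carrying a GuardDuty finding; the
# field layout follows the GuardDuty finding format, the ids are made up.
SAMPLE_EVENT = {
    "source": "aws.guardduty",
    "detail-type": "GuardDuty Finding",
    "detail": {
        "id": "finding-0example",
        "type": "UnauthorizedAccess:EC2/SSHBruteForce",
        "severity": 8,
        "resource": {"resourceType": "Instance",
                     "instanceDetails": {"instanceId": "i-0example"}},
    },
}

def severity_label(score):
    """Map GuardDuty's numeric severity to its low / medium / high band
    (low below 4.0, medium from 4.0 to 6.9, high from 7.0 up)."""
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    return "low"

def plan_response(event):
    """Decide what the automated responder should do with one finding.
    Returns a plan dict; the calling code performs 'action' via the AWS APIs."""
    if event.get("source") != "aws.guardduty":
        return {"action": "ignore", "reason": "not a GuardDuty finding"}
    detail = event["detail"]
    label = severity_label(float(detail["severity"]))
    resource = detail.get("resource", {})
    plan = {"finding": detail["id"], "type": detail["type"], "severity": label}
    if label == "high" and resource.get("resourceType") == "Instance":
        # Quarantine: swap the instance's security group for one that allows nothing.
        plan.update(action="isolate_instance",
                    instance_id=resource["instanceDetails"]["instanceId"])
    elif label == "high" and resource.get("resourceType") == "AccessKey":
        plan.update(action="disable_access_key",
                    user=resource["accessKeyDetails"]["userName"])
    elif label == "medium":
        plan.update(action="page_security_team")
    else:
        plan.update(action="log_only")
    return plan

def lambda_handler(event, context=None):
    """Lambda entry point: CloudWatch Events invokes this with the finding."""
    return plan_response(event)
```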
More information about Amazon GuardDuty can be found at: https://aws.amazon.com/guardduty/

AWS Security Hub :
With Security Hub, you now have a single place that aggregates, organizes, and prioritizes your security alerts or findings from multiple AWS services, such as Amazon GuardDuty, Amazon Inspector, and Amazon Macie, as well as from AWS partner solutions. Your findings are visually summarized on integrated dashboards with actionable graphs and tables. You can also continuously monitor your environment using automated compliance checks based on the AWS best practices and industry standards that your organization follows.
More information about AWS Security Hub can be found at: https://aws.amazon.com/security-hub/