This blog focuses on maintaining and monitoring AWS applications to ensure they are operating at required utilization thresholds, and are protected from any external threats. I will be covering fundamentals of AWS CloudTrail, AWS Config, AWS Trusted Advisor, AWS CloudWatch, AWS Health Dashboards, AWS Identity and Access Management(IAM), AWS Web Application Firewall(WAF), AWS Firewall Manager and AWS Shield.
AWS services used to manage and monitor cloud
The service has been designed to record and capture resource changes within your environment, allowing you to perform a number of actions against the data that helps to find answers to the questions that we highlighted previously.
Q.What can AWS Config do?
- It can capture resource changes. So any change to a resource supported by Config can be recorded, which will record what change along with other useful metadata all held within a file known as a configuration item, a CI.
- It can store configuration history for individual resources.Acting as a resource inventory.
- The Simple Notification Service(SNS) is used with AWS Config to capture a configuration stream of changes, enabling you to process and analyze the changes to resources. It can provide the information on who made the change and when, through AWS CloudTrail integration.
- A number of security resources can be recorded and when this is coupled with rules relating to security, such as encryption checks, this can become a powerful analysis tool.
AWS Config is region-specific.
For more information about AWS config,
CloudTrail is a service that has a primary function to record and track all AWS API requests made. These API calls can be programmatic requests initiated from a user using an SDK, the AWS Command Line Interface, from within the AWS management console, or even from a request made by another AWS service.
Well there are a number of ways you can use the data captured by CloudTrail to help you enhance your AWS environment.
- It can be used very effectively as a security analysis tool. CloudTrail events provide very specific information about where an API call originated from and who, or what initiated the request.
- Using built-in filtering mechanisms, it’s possible to quickly find who, what and when a particular API was used, which could have potentially caused an outage or service interruption.
For more information about AWS cloudtrail,
3. AWS Trusted Advisor:
The main function of Trusted Advisor is to recommend improvements across your AWS account, to help optimize and hone your environment based on AWS Best Practices.
- Cost Optimization, which helps to identify ways in which you could optimize your resources to save money.
- Performance, this scans your resources to highlight any potential performance issues across multiple services.
- Security, this category analyzes your environment for any potential security weaknesses or vulnerabilities.
- Fault Tolerance, which suggests Best Practices to maintain service operations by increasing resiliency should a fault or incident occur across your resources
There are also a number of other features that everyone has access to, including those outside of the Enterprise and Business support plans.
For more information about AWS Trusted Advisor,
4.AWS Cloud Watch:
The primary function of Amazon CloudWatch is to provide a means of monitoring your resources that you’re running within AWS via a series of metrics which are individual to each service that you are using. This allows you to quickly react to events, and diagnose, and dynamically adjust any availability or scalability issue that you might be experiencing.
Each service and resource sends data to your CloudWatch dashboard as metrics. The metrics are very dependent, as each service is used differently, and as such contains different metric variables. CloudWatch offers you two modes of recording your metric data,
- Basic monitoring is the default monitoring type when configuring Amazon CloudWatch, which records metrics every five minutes.
- Detailed monitoring for instance types ensures the metric data is recorded at one minute intervals, as opposed to five minutes with basic monitoring.
It’s great that CloudWatch is constantly monitoring the environment, but we need to create alarms to respond to events that occur within your environment and across your resources. Think of alarms as predefined thresholds. An alarm has three possible states,
- The first one being ‘OK’.
- ‘Alarm’, this status means that the metric is outside of the threshold level.
- ‘Insufficient data’, this indicates that the metric has not collated enough available data to determine the alarm state.
For more information about AWS Cloud Watch,
5.AWS Personal Dashboard:
AWS offers two dashboards that can help you identify issues that may affect your infrastructure and the resources that you’re running within your AWS accounts, these being the AWS Service Health Dashboard and the Personal Health Dashboard.
- The AWS Service Health Dashboard provides a complete health check of all services in all regions at any one time.
- The Personal Health Dashboard differs to that of the Service Health Dashboard, in that it will notify you of any services interruptions that may affect the resources and services that you are using within your own AWS account.
For more information about AWS Personal Dashboard,
AWS services used to secure cloud
1.AWS Identity and Access Management(IAM):
AWS IAM service is used to centrally manage and control security permissions for any identity requiring access to your AWS account and its resources.
- Identity management: Identities such as AWS usernames are required to authenticate to your AWS account. Authorization determines what an identity can access within your AWS account once it’s been authenticated to it
- Access management, relates to authorization and access control. Access control can be classed as a mechanism of accessing a secured resource.
This is achieved by using different features within IAM consisting of:
1.Users are simply objects representing an identity which are used in the authentication process to your AWS account.
Once your user identity is created, you can view a summary of the object by selecting user, from within the user page of the console.
2.IAM Groups they are used to authorize access to AWS resources, through the use of AWS Policies. IAM Groups contain IAM Users, and these groups will have IAM Policies associated that will allow or explicitly deny access to AWS resources.
By applying permissions to the group instead of individual users, it makes it easy to modify permissions for multiple users at once. All you would need to do is modify the permissions of a group, and all users associated with the group would inherit the new access.
3.IAM Roles allow users and other AWS services and applications to adopt a set of temporary IAM permissions to access AWS resources.
IAM roles do not have any access keys or credentials associated to them. Instead, when used, these credentials are dynamically assigned by AWS. There are currently four different types of roles that can be created, all of which serve a different purpose,
- The AWS Service Role would be used by other services that would assume the role to perform specific functions based on a set of permissions associated with it.
- Once you have selected your service role, you would then need to attach a policy with the required permissions, and set a role name to complete its creation.
- Examples of AWS Service Role: Amazon EC2, AWS Lambda, etc
- The AWS Service-Linked Role are very specific roles that are associated to certain AWS services.
- They are pre-defined by AWS, and the permissions can’t be altered in any way, as they are set to perform a specific function.
- Once you have selected your service-linked role, you simply need to assign it a name and complete the creation.
- Examples of these AWS Service-Linked Roles: Amazon Lex-Bots, and Amazon Lex-Channels.
- The Cross-Account Access offers two options. Providing access between AWS accounts that you own, and providing access between an account that you own and a third party AWS account.
- This access is managed by policies that establish trusting and trusted accounts that explicitly allow a trusted principal to access specific resources.
- Role for Identity Provider Access offers three different options.
- Grant access to web identity providers. This is used to create a trust for users using Amazon Cognito, Amazon, Facebook, Google, or any other open ID connect provider.
- Grant web single sign on to SAML providers. This allows access for users coming from a SAML provider, which stands for Security Assertion Markup Language.
- Grant API access to SAML providers.
4.IAM policies are used to assign permissions to users, groups, and roles.
- Version: This going to the policy language version.
- Statement: it defines the main element of the policy, which will also include other sub-elements, including Sid, Action, Effect, Resource, and Condition. These elements will identify the level of access, granted or denied, and to which resource.
- The Statement ID(Sid) is simply a unique identifier within the Statement array.
- Action is the action that will either be allowed or denied, depending on the value entered for the Effect element.
- Effect: it will either grant or restrict access for the previous Actions defined in the statement.By default, access to your resources are denied and, so therefore, if this is set to allow, it replaces the default deny.
- Resource: it specifies the actual resource you wish the “Action” and “Effect” to be applied to. AWS uses unique identifiers, known as Amazon Resource Names(ARNs) to specify specific resources.
- Partition: it relates to the partition that the resource is found in. For standard AWS regions, this section would be AWS.
- Service: it reflects the specific AWS service. For example, s3 or ec2.
- Region: This is the region that the resource is located.
- Account-id: This is your AWS account-id, without hyphens.
- Resource: The value of this field will depend on the AWS service you are using.
- Condition: This is an option element that allows you to control when the permissions will be effective based upon set criteria.
- The element itself is made up of a condition and a key-value pair. And all elements of the condition must be met for the permissions to be effective.
Two different types of IAM policies available. These being Managed Policies and In-line Policies,
1.Managed policies come in two different flavors, AWS Managed Policies and Customer Managed Policies.
The AWS Managed policy have been pre-configured by AWS and made available to you to help with some of the most common permissions that you may wish to assign.
The great thing about these AWS Managed policies is that you are able to edit them and make tweaks and changes before saving it as a new policy. This then becomes a Customer Managed policy.
2.An Inline Policy is directly embedded into a specific User, Group, or Role, and as a result, it is not available to be used by multiple identities.
Inline policies are typically used when you don’t want to run the risk of the permissions being used in the policy for any other identity.
By default, all access to a resource is denied. Access will only be allowed if an explicit “Allow” has been specified within a policy associated with an identity. If a single “Deny” exists within any policy associated to the same identity against the same resource, then that “Deny” will override any previous “Allow” that may exist for the same resource and action.
The responsibility of implementing secure, robust and tight security within your AWS account using IAM is yours, the owners of the AWS account. The initial dashboard of the IAM console will display,
- Information relating to the IAM uses sign-in link and this is a URL link that you can send to users who will need to gain access to your AWS management console.
- IAM Resources, it provides an overview of your IAM resources using a simple count of the number of users, groups, roles, customer manage policies and identity providers you have configured within IAM.
- Security Status, it is populated with five best practices from a security perspective that AWS IAM recommends you configure when using IAM which may include activate MFA on your root account, create individual IAM users, use groups to assign permissions, apply an IAM password policy and rotate your access keys.
IAM covers all regions.
Other features of IAM
- You can add another layer of security attached to the identity, Multi-Factor Authentication (MFA) is used to create an additional factor for authentication in addition to your existing methods, such as password, therefore, creating a multi-factor level of authentication.
- Identity federation allows you to access and manage AWS resources even if you don’t have a user account within IAM.
- Identity federation allows users from identity providers which are external to AWS to access AWS resources securely without having to supply AWS user credentials from a valid IAM user account.
To know more about IAM,
2.AWS Web Application Firewall (WAF):
The AWS WAF is a service that helps to prevent web sites and web applications from being maliciously attacked by common web attack patterns such as SQL injection and cross-site scripting. It is also used to identify how Amazon CloudFront distributions and application load balancers respond to web requests based upon specific conditions.
The services work together to filter both HTTP and HTTPS by distinguishing between legitimate and harmful inbound requests that will then either be allowed or blocked with an HTTP 403 error code which is a Forbidden error.
So there are a number of essential components relating to WAF, these being,
A.Conditions allow you to specify what elements of the incoming HTTP or HTTPS request you want WAF to be monitoring for. Currently, these are defined as follows:
- Cross-site scripting, these scripts are embedded within web pages that are normally trusted and so the client browser has no reason to suspect foul play and the script is then executed.
- Geo Match, it allows you to specify which countries and geographic locations that you would like AWS WAF to filter on.
- IP addresses, this condition allows you to specify a single IP address or a range of IP addresses that you want to either allow or block as you configure the WAF rules.
- Size constraints, this condition allows you to block traffic based on the size of parts of the request.
- SQL injection attacks, these attacks can alter and read data within a database. SQL attacks are performed by inserting a SQL query via a client into an entry field to a remote application database where it is then executed.
- String and Regex Matching. This allows you to identify web requests based on strings that are contained within the request itself, for example, a string within the request header.
B.AWS Rules, A WAF rule allows you to compile one or more of these conditions into a list that acts as a rule. This gives you fine-grained control of very specific source targets. When creating your rule you will be asked to select a Rule Type, a Regular Rule or a Rate-Based Rule.
C. Web Access Control List (Web ACL), is the final component in the decision process as to whether the request traffic is blocked or allowed on through to the associated CloudFront distribution or application load balancer. Within the Web ACL, an action is applied to each rule, these actions can either be Allow, Block or Count.
- When a request is allowed, it is forwarded onto the relevant CloudFront distribution or Application Load Balancer.
- When a request is blocked, the request is terminated there and no further processing of that request is taken.
- A Count action will do exactly that, it will count the number of requests that meet the conditions within that rule.
For more information about AWS Web Application Firewall,
3. AWS Firewall Manager:
Firewall Manager has been designed to help you manage WAF in a multi-account environment with simplicity and control.
It allows you to protect your vulnerable resources across all of your AWS accounts within your AWS Organization. It can group and protect specific resources together, for example, all resources with a particular tag or all of your CloudFront distributions. One key benefit of Firewall Manager is that it automatically protects certain resources that are added to your account as they become active.
For more information about AWS Firewall Manager,
4. AWS Shield:
AWS Shield has been designed to help protect your infrastructure against distributed denial of service attacks, commonly known as DDoS.
There are a number of different types of DDoS takes that can take place, such as A SYN Flood or DNS Query Flood.
AWS Shield itself is available at two different levels of features, AWS Shield Standard and AWS Shield Advanced, and AWS shield advanced have a lot more power and protection on offer than standard.
AWS Shield Standard is free to everyone, and it offers DDoS protection against some of the more common layer three, the network layer, and layer four, transport layer, DDoS attacks. This protection is integrated with both CloudFront and Route 53.
For more information about AWS Shield,
Let me know where i could improve?