AWS Security Best Practices

#aws #security ### AWS shared responsibility model ![[Image-10-04-2025.png]] **Security OF the cloud** - AWS manages the global infrastructure providing cloud services. - AWS undergoes ongoing audit and assurance programs. - AWS maintains the protection of the global infrastructure running AWS services and service endpoints. - AWS has a culture of security and improvement. **Security IN the cloud** - The customer manages their workload in the AWS cloud. - Customers must configure AWS-provided network configurations. - Customers can implement and manage their own controls. - Customers can choose to deploy additional assurances above the already provided AWS controls. - Customers have access to a mature vendor marketplace. ### Vulnerability, threat, and risk - A vulnerability is a weakness. - A threat is a possibility for an event or act to exploit a vulnerability. - A risk is the potential for loss, damage, or destruction of resources due to a threat #### Vulnerabilities CVE - **Common Vulnerabilities and Exposures (CVE) system** #### Threats - Denial-of-service attacks - Malware infections - Unauthorized access or insider threats - Misconfigurations and poor change control #### Misconfigurations: Easy to make, hard to detect According to the 2020 Cloud Security Report from CheckPoint, 68% of organizations ranked misconfiguration of the cloud platform the highest security threat in their public cloud environments. Misconfiguration can create a variety of vulnerabilities that result in compromise. #### Malware-based threats **Ransomware** is a type of malware that uses encryption to hold information for ransom. **Cryptomining malware, or cryptojacking**, is a malware attack that uses the target's computing resources to mine cryptocurrencies. #### Threats to availability A distributed denial of service (DDoS) attack is an attack in which multiple compromised systems attempt to flood a target, such as a network or web application, with traffic. #### Risks 1. Quantitative risk analysis uses mathematical models and simulations to assign monetary values to risk. 2. Qualitative risk analysis relies on a person's subjective judgment to build a theoretical model of risk for a given scenario. This is often expressed based on two key factors: likelihood and impact of the threat being assessed. #### Addressing threats with risk management - **Mitigate** it by applying controls. - **Avoid** the risk altogether (which might mean forgoing benefits or significantly altering operations). - **Accept** it, assuming the organization can absorb the potential impacts if the threat is realized. - **Transfer** it to another party to manage. ### Frameworks and Standards #### Standards-based approach With standards-based approach, organizations can benefit from the knowledge and experience of a wide range of industry best practices to secure their workloads. ![[Image-10-04-2025-1.png]] # AWS Well-Architected Framework The Well-Architected Framework is based on six pillars: operational excellence, security, reliability, performance efficiency, cost optimization, and sustainability. ![[Image-10-04-2025-2.png]] **Security pillar** - Infrastructure protection - Detection - Data protection - Identity and Access Management (IAM) - Incident Response #### **Infrastructure** **protection** - **Amazon Virtual Private Cloud (Amazon VPC)** - **Tiered subnet deployments** - **Route tables** - **Network access control lists (network ACLs)** - **Security groups** - **Elastic Load Balancing (ELB)** - **AWS Shield** - **AWS WAF** - **Amazon GuardDuty** - **AWS Firewall Manager** ### **Detection** - **AWS Trusted Advisor** - **AWS Audit Manager** - **AWS CloudTrail** - **Amazon CloudWatch** - **VPC Flow Logs** ### **Data protection** - Hardening - Always encrypting data (at rest or in transit) - Using the most secure remote access methods possible ### **Identity and Access Management** With IAM, you can manage access to AWS services and resources securely. Using IAM, you can implement the principle of least privilege and enforce separation of duties with appropriate authorization for each interaction with your AWS resources. ### **Incident response** https://aws.amazon.com/blogs/publicsector/building-a-cloud-specific-incident-response-plan/ #### Cloud Adoption Framework (CAF) - The Cloud Adoption Framework (CAF) identifies stakeholders that are critical to cloud adoption. - It groups related stakeholders into six perspectives. - The perspectives help us understand cloud adoption from the view of those stakeholders. ![[Image-10-04-2025-3.png]] ## CAF security perspective Goal: Help structure your selection and implementation of controls that are right for your organization. ##### Directive controls example: - **Account ownership and contact information** - Example control: Assign AWS accounts to business units - **Change and asset management** - Example control: Assign customer-specific tags to resources. - **Least privilege access** - Example control: Assign AWS roles to staff allowing only required permission to specified resources. ##### Preventive controls example: - **Identity and access** - Example control: Deny **ec2::CreateVpc** to all AWS Identity and Access Management (IAM) users except those with a justified need. - **Infrastructure protection** - Example control: Deny packets from a public subnet to a sensitive subnet. - **Data protection** - Example control: Require multi-factor authentication (MFA) for a delete action on sensitive Amazon Simple Storage Service (Amazon S3) bucket. ##### Detective controls example: - **Logging and monitoring** - Example control: Log all AWS application programming interface (API) activity through CloudTrail. - **Asset inventory** - Example control: Alert cloud administrators if any AWS Config rules are noncompliant. - **Change detection** - Example control: Alert on denied IAM API requests. ##### Responsive controls example: - **Vulnerabilities** - Example control: Initiate operating system security patching. - **Privilege escalation** - Example control: Revert dangerous changes in IAM. - **DDoS attack** - Example control: Deny source IPs. # AWS and the NIST Cybersecurity Framework The CSF offers a simple construct consisting of three elements: - Core - Tiers - Profiles. According to the AWS shared responsibility model, AWS manages security OF the cloud; the customer is responsible for your security IN the cloud. To support your implementation of shared responsibilities, AWS has created **Quick Start solutions powered by AWS CloudFormation**. They use a single click to automate your deployment of important technologies in the AWS Cloud. Each Quick Start launches, configures, and runs the AWS compute, network, storage, and other services required to deploy a workload that addresses the compliance requirements of security standards and frameworks such as NIST 800-53. ### CSF core functions Overall, the NIST CSF provides many benefits including: - It is designed to be size, sector, and country agnostic. - It references globally accepted standards, guidelines, and practices. - Organizations across the world can use it to efficiently operate in a global environment. #### CSF Core security functions ##### Identify ****Control categories:**** - Asset Management (ID.AM) - Business Environment (ID.BE) - Governance (ID.GV) - Risk Assessment (ID.RA) - Risk Management Strategy (ID.RM) **Example outcomes:** - Identifying physical and software assets to establish an asset management program - Identifying cybersecurity policies to define a governance program - Identifying a risk management strategy for the organization ##### Protect ****Control categories:**** - Identity Management, Authentication, and Access Control (PR.AC) - Awareness and Training (PR.AT) - Data Security (PR.DS) - Information Protection Processes and Procedures (PR.IP) - Maintenance (PR.MA) - Protective Technology (PR.PT) **Example outcomes:** - Establishing data security protections to safeguard confidentiality, integrity, and availability - Managing protective technology to ensure the security and resilience of systems and assists - Empowering staff within the organization through awareness and training ##### Detect ****Control categories:**** - Anomalies and Events (DE.AE) - Security Continuous Monitoring (DE.CM) - Detection Processes (DE.DP) **Example outcomes:** - Implementing security continuous monitoring capabilities to monitor cybersecurity events - Ensuring anomalies and events are detected and their potential impact is understood - Verifying the effectiveness of protective measures ##### Respond ****Control categories:**** - Response Planning (RS.RP) - Mitigation (RS.MI) - Communications (RS.CO) - Analysis (RS.AN) - Improvements (RS.IM) **Example outcomes:** - Ensuring response planning processes are run during and after an incident - Managing communications during and after an event - Analyzing effectiveness of response activities ##### Recover ****Control categories:**** - Recovery Planning (RC.RP) - Improvements (RC.IM) - Communications (RC.CO) **Example outcomes:** - Ensuring the organization implements recovery planning processes and procedures - Implementing improvements based on lessons learned - Coordinating communications during recovery activities # Establishing Security Best Practices **CIA triad** ![[Image-10-04-2025-4.png]] Confidentiality - Amazon EBS encryption Integrity - Amazon CloudTrail log file integrity validation (hashing with digital signing) Availability - Elastic Load Balancing (ELB) # Defense in depth in action ![[Image-10-04-2025-5.png]] # Compliance in AWS Customer Responsibilities: - Understanding what workloads need to be regulated by which applicable standard or organization - Discovering applicable controls or checklist items that apply to workloads - Mitigating risk and applying applicable controls - Verifying the applied controls are deployed and functionally tested against the workload **Layers in focus** ![[Image-10-04-2025-6.png]] ![[Image-10-04-2025-7.png]] # AWS Security Best Practices: Network Infrastructure ![[Image-10-04-2025-8.png]] - monitor - isolate - protect ## Amazon Virtual Private Cloud ### Basic VPC and subnet segmentation options - **Larger VPCs and subnets** are more flexible, but they are harder to scale and manage and make it more difficult to maintain access controls. - **Smaller VPCs and subnets** are simpler to secure effectively but might prove less efficient for some business use cases. ### Benefits of segmentation - Limiting the spread and impact of potential attacks by creating smaller impact areas - Improving control over traffic movement and device access - Reducing the scope when auditing for specific requirements - Improving visibility and control of external access and traffic movement #### Choosing a VPC address range - Every VPC has a private IP address space (by default). - The VPC Classless Inter-Domain Routing (CIDR) block size can be from /16 to /28. - You can associate additional (secondary) IPv4 address blocks. - You can associate IPv6 address blocks. #### Selecting an IP addressing strategy - Primary VPC CIDR blocks cannot be modified after they are created, but additional space can be added. - Consider address overlaps and shortages before committing to a CIDR block (with on-premises or existing VPCs). - Do not waste address space, but be careful not to constrain future growth. ## Design considerations You can use any IPv4 address range, including RFC 1918 or publicly routable IP ranges, for your primary CIDR block. You can also add up to four secondary CIDR blocks, although certain restrictions apply. - Private IP blocks are only reachable by the virtual private gateway and cannot be accessed over the internet through the internet gateway. - AWS does not advertise customer-owned IP address blocks to the internet by default. - You can allocate an Amazon-provided IPv6 CIDR block to a VPC. # Best practice suggestions ****_Use multiple Availability Zone deployments for high availability._**** **Inside the VPC:** - Plan for a unique CIDR for each VPC. - Use RFC 1918 addressing (class A/B/C). - Plan for growth and reserve spare ranges/IPs. **Inside the Availability Zone:** - Role-based addressing scheme (such as): - Remote management/loopbacks - Service based - Device-based - Route summarization - Using separate route tables (based on subnet/security segments) # Connectivity Review **Controlling traffic** Examples of requirements to consider are: - Does the component require internet accessibility (inbound and outbound)? - Does the component require connectivity to other VPCs? - Does the component require connectivity to edge services or external data centers? ## Ways to connect These are some of the common solutions to meet the connectivity requirements of your workload. - Internet gateway - NAT gateway or egress-only internet gateway - VPC peering - AWS PrivateLink - VPC endpoints - Virtual Private Network (VPN) Connections - AWS Direct Connect - AWS Transit Gateway - AWS Cloud WAN ## ## Gateway varieties **Internet gateway** By default, there is no outside connectivity provided to or from a VPC. To achieve internet connectivity (or connection to other AWS or on-premises assets), a gateway of the desired traffic type must be associated with a VPC. In the case of internet connectivity, an internet gateway must be associated. Hosts can use Elastic IP addresses (as shown), or dynamic public IP addresses to communicate with the internet gateway. ![[Image-10-04-2025-9.png]] **Egress-only internet gateway (IPv6)** IPv6 addresses are globally unique, and are therefore public by default. If you want your instance to access the internet, but you want to prevent resources on the internet from initiating communication with your instance, you can use an egress-only internet gateway. To do this, create an egress-only internet gateway in your VPC. And then add a route to your route table that points all IPv6 traffic (::/0) or a specific range of IPv6 address to the egress-only internet gateway. IPv6 traffic in the subnet that's associated with the route table is routed to the egress-only internet gateway. ![[Image-10-04-2025-10.png]] **NAT Gateway (IPv4 only)** When you create a NAT gateway, you specify one of the following connectivity types: Public (default): Instances in private subnets can connect to the internet through a public NAT gateway, but cannot receive unsolicited inbound connections from the internet. Private: Instances in private subnets can connect to other VPCs or your on-premises network through a private NAT gateway. You can route traffic from the NAT gateway through a transit gateway or a virtual private gateway. You cannot associate an Elastic IP address with a private NAT gateway. You can attach an internet gateway to a VPC with a private NAT gateway. But if you route traffic from the private NAT gateway to the internet gateway, the internet gateway drops the traffic. ![[Image-10-04-2025-11.png]] ## VPC peering VPC peering is point-to-point connectivity, and it **does not support transitive routing.** **When to use VPC peering** VPC peering is best for situations where: - Resources in one VPC must communicate with resources in another VPC. - The environment of both VPCs is controlled and secured. - The number of VPCs to be connected is less than 10. - VPC peering offers the lowest overall cost compared to other options for inter-VPC connectivity. ###### VPC peering example 1 VPCs from other accounts or Regions can be peered to your VPC and routes created between them. - VPC A and B are peers. - VPC B and C are peers. - VPC A and C are **NOT** peers. ![[Image-10-04-2025-12.png]] ###### VPC peering example 2 VPC peering is nontransitive, so additional VPC peers must be created to connect each pair of VPCs. - VPC A and B are peers. - VPC B and C are peers. - VPC A and C are peers. ![[Image-10-04-2025-14.png]] ## Using VPC endpoints A VPC endpoint makes connections between a VPC and supported services without requiring that you use an internet gateway, NAT device, VPN connection, Direct Connect connection, or public infrastructure. VPC endpoints are virtual devices. They are horizontally scaled, redundant, and highly available VPC components. There are different types of VPC endpoints used to connect to supported AWS services: **interface endpoints, Gateway Load Balancer Endpoints, and gateway endpoints.** **A gateway endpoint is a gateway that is a target for a route in your route table used for traffic destined to either Amazon Simple Storage Service (Amazon S3) or Amazon DynamoDB. There is no charge for using gateway endpoints, and Amazon S3 supports both gateway endpoints and interface endpoints.** ![[Image-10-04-2025-15.png]] ## AWS PrivateLink AWS PrivateLink provides private connectivity between VPCs, AWS services, and your on-premises networks, without exposing your traffic to the public internet using interface VPC endpoints - Network traffic that uses PrivateLink doesn't traverse the public internet. This reduces exposure to brute force and distributed denial-of-service attacks and other threats. - You can use private resource IPs to connect. You can also associate security groups and endpoint policies (a type of IAM resource policy) to control precisely who has access to a specified service. - AWS connections powered by PrivateLink, such as interface VPC endpoints and Gateway Load Balancer endpoints, deliver security, scalability, and performance. ![[Image-10-04-2025-16.png]] ## **Connecting to on-premises environments** ###### AWS managed VPN Amazon VPC provides the option of creating an IPsec VPN connection between your remote networks and Amazon VPC over the internet, as shown in the following diagram. A virtual private gateway is nothing but a VPN connector on the AWS side of the site-to-site VPN connection. The virtual private gateway is a logical network device that permits you to create an IPsec VPN tunnel from your VPC to your on-premises environment. ![[Image-10-04-2025-17.png]] ###### AWS Direct Connect With Direct Connect, you can connect your on-premises network and AWS environment using the following types of connections to a local Direct Connect facility (which connects securely to the AWS global infrastructure): **Dedicated connections:** 1/10/100 Gbps **Hosted connections:** 50/100/200/300/400/500 Mbps and 1/2/5/10 Gbps ![[Image-10-04-2025-18.png]] ## AWS Transit Gateway Transit Gateway is a highly available and scalable service to consolidate the VPC routing configuration for a Region with a hub-and-spoke architecture. ![[Image-10-04-2025-19.png]] ![[Image-10-04-2025-20.png]] Transit gateways permit you to consolidate connections into a single point by attaching: - One or more VPCs - A connect SD-WAN or third-party network appliance - An AWS Direct Connect gateway - A peering connection with another transit gateway - A VPN connection to a transit gateway ## AWS Cloud WAN AWS Cloud WAN simplifies building and operating VPCs and wide area networks that connect your data centers and branch offices. ![[Image-10-04-2025-21.png]] # DNS Operations and Security ## Domain Name System (DNS) A Domain Name System (DNS) service must be highly available and DDoS resilient. AWS offers a DNS service called Amazon Route 53 ### Review: DNS basic operations and options The default VPC, or any VPC created using the Amazon VPC wizard in the Amazon VPC console includes two DNS settings: - DNS hostnames: This setting means that AWS will assign DNS names to every EC2 instance in your VPC. - DNS resolution: This setting means that AWS does the DNS for you. Most customers choose to have AWS provide their DNS resolution. Additionally, default Dynamic Host Configuration Protocol (DHCP) options set in a VPC include: - domain-name-servers=AmazonProvidedDNS - domain-name=domain-name-for-your-region The Amazon provided DNS server is at the 169.254.169.253 IPv4 address (or the reserved IP address at the base of the VPC IPv4 network range plus two). ### DNS hostnames Based on the **DNS Hostname** setting, any EC2 instance in a VPC can be assigned two DNS names. One is internal, which means that it resolves to the private IP address of your instance. The other is an external DNS name resolving to a public IP address. (This is assuming the instance is configured to receive a public IP address). These resolutions are handled by the Amazon Route 53 service, so you don't have to set up or manage a DNS server. See the example below. ![[Image-10-04-2025-22.png]] ## Hosted zones There are two types of hosted zones: public hosted zones and private hosted zones. - If you need be able to allow traffic from the internet to find your AWS resources, but you do not want to manage your own DNS, you can use a public hosted zone. - If you need to use DNS names within your various VPCs to refer to resources (but these DNS names will not be reachable from the internet), you can use a private hosted zone. **Public hosted zone** A public hosted zone is a container that holds information about how you want to route traffic on the internet for a specific domain, such as example.com, and its subdomains (acme.example.com, zenith.example.com). **Private hosted zone** A private hosted zone is a container that holds information about how you want Route 53 to respond to DNS queries for a domain and its subdomains within one or more VPCs that you create with the Amazon VPC service. ## DNS Security **Domain Name Security Extensions (DNSSEC) helps prevent DNS attacks like DNS cache poisoning and DNS spoofing** **Route 53 Resolver DNS Firewall** Route 53 Resolver DNS Firewall is a service that is deployed and configured by the customer but managed by AWS. The DNS Firewall provides protection for outbound DNS requests from your VPCs. - Only filters on domain name (not IP address) - Only filters UDP DNS traffic (not HTTPS, TLS, SSH or other protocols) - Integrates with and can be managed with AWS Firewall Manager # Defense in Depth Review ![[Image-10-04-2025-23.png]] **Using defense in depth, a layering approach to security, you can ensure:** - All interconnected systems only communicate through the approved traffic flow policies - All interconnected systems can only communicate through essential capabilities, based on functions, ports, protocols, and services as defined in the configuration management policy # AWS Network Security Mechanisms **Network ACL** The following are some recommendations and considerations when using network ACLs: - Configure the network ACL to narrow the scope of traffic permitted between layers (define both inbound and outbound rules). - Inbound rules can only specify a traffic source (it is implied that the destination is within the VPC or subnet behind the network ACL). - Outbound rules have a source and destination (they can apply to one or many IPs destined to broad or specific destinations). - Create rules using increments (for example, increments of 10 or 100) so that you can insert new rules where you need to later. **Network ACL Best Practices** - VPCs come with a default Network ACL that allows all inbound and outbound rules. For custom NACLs, both inbound and outbound rules are denied. Remember that if you have not created a custom network ACL, any resources in the VPC will be associated with the default network ACL. This will allow all traffic to into and out of the network, which is often overly permissive. - Rules meant to deny traffic that are either misconfigured, or ineffectual inadvertently promote overly-permissive access to a VPC. Be mindful of the order of the deny rules within your network ACLs as they are evaluated in order. - Know the limitations of applying network ACLs before configuring them. For example, there is a default limit of 20 rules per list for both inbound and outbound network ACLs. AWS can provide additional rules on request, but the absolute maximum is 40. - Configure outbound rules to limit access to the required ports or port ranges. **Security groups** **Default security group (default state):** - Permits inbound traffic from network interfaces and instances that are assigned to the same security group. (rule present) - Permits all outbound traffic (rule present) **Custom security group (default state):** - Permits no inbound traffic (no rule present) - Permits all outbound traffic (rule present) **Security groups only support "ALLOW":** - Many firewall systems (including AWS network ACLs) will have “DENY” rules or options; security groups block everything unless there is a rule specifically allowing it to go through. **AWS Network Firewall** AWS Network Firewall is a managed network protection service that provides the following: - Stateful firewall - Web filtering - Intrusion protection - Central management and visibility - Rule management and customization - Partner integrations **Security group best practices** - Never keep unattached security groups. Unattached security groups could be applied unnoticed or inadvertently, resulting in security concerns such as an EC2 instance being exposed to the internet. - Track the rate of change in security groups creation in production environments—security groups that are created and deleted quickly may indicate suspicious activity. This is something that can be accomplished with AWS Config, for example. - Security groups with large ranges of ports open expose resources and may result in unintended access. They also make attacks on exposed vulnerabilities very difficult to investigate. - Use Elastic Load Balancers to receive all incoming traffic from the Internet and forward it your web servers (or other internet facing resource). Then limit incoming traffic for those web servers (or other resources) to allow only ELB traffic - Limit active security group modifications to only certain IAM roles. You should only authorize specific users to modify resource-specific security groups according to the principle of least privilege. - Do not forget about outbound rules of security group; set restrictions. Security groups attached to resource within a particular layer of your architecture should only allow egress connections to the layer(s) where connectivity is needed. **General VPC and AZ availability guidance** - ELB distributes traffic over a group of resources in one or more Availability Zone. - Deploy ELB with AWS Application Auto Scaling, AWS Auto Scaling, or Amazon EC2 Auto Scaling. - Choose the type of load balancing device you need. - **(Best practice)** Use security groups to protect ELB. # AWS Security Services ## **Distributed Denial of Service (DDoS) attacks** ![[Image-10-04-2025-24.png]] ## AWS Shield **Shield Standard** provides always-on network flow monitoring to defend against layers 3 and 4 DDoS attacks. AWS Shield inspects incoming traffic using a combination of traffic signatures, anomaly algorithms, and other analysis techniques. This inline attack mitigation can defend against common, frequently occurring infrastructure attacks and is available to all AWS customers at no additional charge. **Shield Advanced** includes the standard features of Shield Standard, with the addition of tailored detection based on application traffic patterns, health-based detection, advanced attack mitigation, visibility and attack notification, DDoS cost protection, and proactive event response. Shield Advanced provides globally available centralized protection management and specialized support. ## AWS WAF DDoS attacks also occur at layers 6 and 7, and even though they are less common than infrastructure DDoS attacks, they also tend to be more sophisticated. In addition to protection against DDoS, AWS WAF can filter based on the following criteria: - IP address origin of the request - Country of origin of the request - String match or regular expression (regex) match in a part of the request - Size of a particular part of the request - Malicious SQL code or scripting **AWS WAF rules and rule groups** ![[Image-10-04-2025-25.png]] ## AWS Firewall Manager If you are using multiple AWS accounts and use AWS organizations, AWS Firewall Manager can streamline and standardize the management of firewalls that are deployed across the accounts. AWS Firewall Manager is integrated with AWS organizations so you can enable and manage AWS WAF rules, Shield Advanced protections, VPC security groups, AWS Network Firewalls, and Route 53 Resolver DNS Firewall rules across multiple AWS accounts and resources from a single place. **Solutions working together** ![[Image-10-04-2025-26.png]]