Network Security Flashcards

1
Q

AWS Organizations - Service Control Policy (SCP).

A

An SCP lets the organization's management account (the "master account" in older documentation) define policies that restrict, at the account level, which services and actions the IAM users, groups and roles in a member account can use, including that account's root user. An SCP never grants access by itself: it only caps the permissions an IAM policy in the member account can grant, and it does not apply to the management account.

2
Q

AWS Organizations - Programmatic Account Creation

A

When you use AWS Organizations to create a new account within an organization, the account is created with an administrative IAM role, by default named OrganizationAccountAccessRole, that trusts the management account. You assume that role from the management account to access the new account. Anyone who can assume it has full administrative access to the new account, so who may assume it should be tightly controlled.

3
Q

AWS CloudFormation StackSets

A

CloudFormation StackSets extend the functionality of stacks by enabling you to create, update, or delete stacks across multiple accounts and regions with a single operation. Using an administrator account, you define and manage an AWS CloudFormation template and use it as the basis for provisioning stacks into selected target accounts across specified regions.

4
Q

AWS Service Catalog

A

Create a curated portfolio of products that users are allowed to launch.
Uses a combination of IAM roles (termed launch constraints) and CloudFormation templates (CFTs) to deliver fine-grained control of access and configuration during the provisioning process: the launch-constraint role, not the end user's own permissions, is what is used to create the resources.
Example: AWS Service Catalog executes a template that generates the new AWS account, creates the VPC enclave, builds the VPN, and applies the restrictive SCP. With this approach, creation and configuration of a new account is completely automated. Moreover, the process is standardized, repeatable, and auditable.

5
Q

Edge Locations

A

Edge locations are the first layer of DDoS mitigation.

The edge infrastructure is continuously monitored for anomalies.

First, all traffic is scored across a set of dimensions to prioritize the flow of legitimate traffic.

Second, the global scale of the edge infrastructure allows AWS to absorb attacks by diffusing the incoming traffic flows across multiple edge locations.

Third, many services running in an edge location can apply geographic isolation and restriction; that is, both automated and manual allow-listing and deny-listing of source traffic is possible.

6
Q

Route 53 - Shuffle Sharding

A

Shuffle sharding is a technique designed to minimize correlated failures by simultaneously leveraging the traditional benefits of sharding (such as fault isolation and performance scaling) and the effects of randomized, or shuffled, assignment.

7
Q

Route 53 - Anycast Striping

A

Anycast striping is another availability mechanism built into Amazon Route 53. Anycast is the notion that multiple systems respond to the same IP address. In practical terms, anycast means that when your DNS resolver initiates a connection to an Amazon Route 53 DNS server, the actual responder to which you connect could be in any of several locations across the globe advertising the same anycast address.

Example: the name servers that Route 53 assigns to a hosted zone are striped across different TLDs (.com, .net, .org and .co.uk), and each of those names is an anycast address answered from many locations, so neither a single TLD problem nor a single site outage takes the zone offline.

8
Q

Route 53 - Packet Filters

A

Amazon Route 53 also provides mechanisms to block invalid or unwanted requests. As part of the edge infrastructure, packet filters are applied that drop invalid DNS requests. If you wish to block requests further, Amazon Route 53 provides geolocation routing policies that give you control over the responses provided to DNS resolvers based on their source IP addresses.

9
Q

Amazon Cloudfront - OAI

A

Origin Access Identity: a special CloudFront user that you associate with a distribution.

You grant the OAI permission to read the origin (for example, in the S3 bucket policy) and remove read access from everyone else.

By requiring that the origin be reached only through the OAI, you prevent clients from bypassing CloudFront and the controls you apply there (TLS, signed URLs, WAF); access is granted or revoked by changing what the OAI is allowed to do.

10
Q

Cloudfront - Custom HTTP headers

A

CloudFront can add or modify the headers it passes to the origin, so you can restrict an origin to the distributions you designate.

Example: add a custom header carrying a shared secret so that the origin can authenticate incoming traffic as coming from the CDN. Requests that lack the header, or carry the wrong value, are denied at the origin.
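An added example of the origin-side half of this check (not code from the original flashcards or from AWS): the origin accepts a request only if it carries the shared-secret header that CloudFront injects. The header name `X-Origin-Verify`, the secret values and the two-secret rotation scheme are assumptions made for the example.

```python
import hmac
import secrets
from typing import Mapping, Sequence, Tuple

# Assumed header name; it is configured on the CloudFront distribution as a
# custom origin header and is never visible to viewers.
ORIGIN_HEADER = "X-Origin-Verify"

# Constructed secrets for the example. In production the origin would load the
# current value (and, during a rotation, the previous one) from a secret store.
CURRENT_SECRET = "e1f9c4d0a5b7-example-current"
PREVIOUS_SECRET = "7a3b2c1d9e8f-example-previous"
ACCEPTED_SECRETS: Sequence[str] = (CURRENT_SECRET, PREVIOUS_SECRET)


def new_secret() -> str:
    """Generate a fresh high-entropy value for the next rotation."""
    return secrets.token_urlsafe(32)


def came_through_cdn(headers: Mapping[str, str],
                     accepted: Sequence[str] = ACCEPTED_SECRETS) -> bool:
    """True only if the request carries a currently accepted origin secret."""
    # HTTP header names are case-insensitive, so normalise before the lookup.
    lowered = {name.lower(): value for name, value in headers.items()}
    presented = lowered.get(ORIGIN_HEADER.lower())
    if presented is None:
        return False
    # Compare against each accepted value in constant time so a rejected
    # request leaks nothing about how many leading characters were right.
    return any(hmac.compare_digest(presented.encode(), s.encode())
               for s in accepted)


def handle_request(headers: Mapping[str, str], body: str = "ok") -> Tuple[int, str]:
    """Minimal origin handler: deny anything that did not arrive via the CDN."""
    if not came_through_cdn(headers):
        # This is what a client sees when it tries to hit the origin directly,
        # e.g. by discovering the load balancer or bucket-website hostname.
        return 403, "direct access to origin is not permitted"
    return 200, body


if __name__ == "__main__":
    print(handle_request({"x-origin-verify": CURRENT_SECRET}))
    print(handle_request({"X-Forwarded-For": "203.0.113.5"}))
```

Accepting two values at once is what makes rotation safe: set the new secret on the origin first, then switch the distribution, then drop the old value. The header only prevents bypass if the origin is not reachable by some other path, so it complements, rather than replaces, the OAI and network restrictions described above.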

11
Q

Cloudfront - TLS enforcement/signed URLs,cookies

A

Can enforce TLS between viewers and the edge (and between the edge and the origin), and can require signed URLs or signed cookies for private content.

You are responsible for generating the signed URLs or cookies with your own key pair. The policy embedded in the signature can restrict valid dates and times (and, with a custom policy, the viewer's source IP range).

CloudFront field-level encryption can additionally encrypt sensitive fields (e.g., credit card numbers) at the edge, so they stay encrypted through the origin until the component holding the private key decrypts them.

12
Q

Cloudfront - AWS Lambda@Edge

A

Lambda@Edge executes Lambda functions inside the CDN, at the edge location handling the request.

Can be used to populate custom headers.

A similar use case is validation of consumer-provided authorization tokens: Lambda@Edge can inspect headers and tokens. For example, during an application-layer (Layer 7) attack you could use Lambda@Edge to validate the format and validity of asserted session or authorization tokens, accepting valid traffic and dropping malicious traffic before it reaches the origin.
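An added example (not part of the original flashcards and not AWS-provided code): a Python viewer-request handler in the event shape Lambda@Edge uses, which validates an HMAC-signed bearer token and answers bad, forged or expired tokens with a 403 at the edge. The token format, the claim names and the signing key are assumptions; a real function would load the key once at cold start from a secret store, since Lambda@Edge functions cannot use environment variables.

```python
import base64
import binascii
import hashlib
import hmac
import json
import time
from typing import Any, Dict, Optional

# Constructed key for the example only. Lambda@Edge has no environment
# variables, so a real function fetches this at cold start (e.g. Secrets Manager).
SIGNING_KEY = b"example-signing-key-do-not-use-in-production"


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(subject: str, ttl_seconds: int, key: bytes = SIGNING_KEY,
               now: Optional[int] = None) -> str:
    """Issue '<payload>.<sig>' where sig = HMAC-SHA256(key, payload)."""
    now = int(time.time()) if now is None else now
    claims = {"sub": subject, "exp": now + ttl_seconds}
    payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = _b64url_encode(hmac.new(key, payload.encode(), hashlib.sha256).digest())
    return f"{payload}.{sig}"


def verify_token(token: Any, key: bytes = SIGNING_KEY,
                 now: Optional[int] = None) -> Optional[Dict[str, Any]]:
    """Return the claims if the token is well-formed, authentic and unexpired."""
    now = int(time.time()) if now is None else now
    # Format check first: malformed input is the cheapest thing to reject.
    if not isinstance(token, str) or token.count(".") != 1:
        return None
    payload, sig = token.split(".")
    try:
        expected = hmac.new(key, payload.encode(), hashlib.sha256).digest()
        # Verify the signature (constant time) before parsing untrusted JSON.
        if not hmac.compare_digest(_b64url_decode(sig), expected):
            return None
        claims = json.loads(_b64url_decode(payload))
    except (ValueError, binascii.Error):
        return None
    exp = claims.get("exp") if isinstance(claims, dict) else None
    if not isinstance(exp, int) or exp <= now:
        return None
    return claims


def handler(event: Dict[str, Any], context: Any = None) -> Dict[str, Any]:
    """Lambda@Edge viewer-request handler: pass valid requests, 403 the rest."""
    request = event["Records"][0]["cf"]["request"]
    # Lambda@Edge lower-cases header names and wraps each value in a list.
    auth = request.get("headers", {}).get("authorization", [{}])[0].get("value", "")
    token = auth[len("Bearer "):] if auth.startswith("Bearer ") else ""
    if verify_token(token) is None:
        return {
            "status": "403",
            "statusDescription": "Forbidden",
            "headers": {"content-type": [{"key": "Content-Type",
                                          "value": "text/plain"}]},
            "body": "invalid or expired token",
        }
    return request  # returning the request unchanged lets it continue to cache/origin
```

Checking the signature before decoding the payload means an attacker who floods the edge with garbage tokens only ever exercises one HMAC and one comparison per request, which is the point of pushing this check in front of the origin.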

13
Q

AWS Certificate Manager

A

Creates TLS certificates for use with CloudFront, Elastic Load Balancing and Elastic Beanstalk.

Can use ACM-generated or imported certificates.

ACM issues SHA-256 certificates valid for 13 months, and renews them automatically while they remain in use and validation still succeeds.

You must request a fully qualified domain name (FQDN); wildcard names are also supported.

Certificates are regional.

Free; you cannot download the private key, which is stored encrypted at rest under KMS.

For CloudFront, the certificate must be requested in (or imported into) the N. Virginia region (us-east-1).

14
Q

AWS WAF - ACLs

A

With AWS WAF, you implement web access control lists (web ACLs) to control your HTTP and HTTPS traffic. Web ACLs are composed of rules, and rules are composed of conditions.

Filters within a condition are OR-ed: if any one filter matches, the condition matches. Conditions within a rule are AND-ed: every condition must match for the rule's action to apply.

15
Q

AWS WAF Conditions - Cross-Site Scripting (XSS)

A

The cross-site scripting (XSS) condition lets you match web requests containing scripts that might exploit vulnerabilities in your applications. It searches common parts of the request data, including the HTTP method, headers, query string, URI and body, optionally after applying text transformations (URL decoding, HTML entity decoding, lowercasing, whitespace compression) so that obfuscated payloads are still caught.

16
Q

AWS WAF Conditions - IP Addresses

A

The IP address condition matches on IPv4 and IPv6 addresses and CIDR ranges. For IPv4, AWS WAF (classic) only accepts /8, /16, /24 and /32 prefixes. For IPv6, it only accepts /24, /32, /48, /56, /64 and /128.

17
Q

AWS WAF Conditions - Size Constraints

A

The size constraint condition lets you match requests on the basis of length. It evaluates the same parts of the request as the XSS condition and allows the same text transformations. You specify the byte size and a comparison operator (equals, not equals, greater than, less than, and so on); a typical use is rejecting oversized bodies or query strings before the application's parser sees them.

18
Q

AWS WAF Conditions - SQL Injections, Geographic match, string match

A

SQL injection: match requests containing SQL injection patterns, evaluated over the same request parts and transformations as XSS.

Geographic match: allow or block requests based on the country the request originates from.

String match: look at the request data for byte-string matches (operators such as contains, starts with, exactly matches, and regex match). Only the first 8 KB of the body is inspected, and the value to match is at most 50 bytes.

19
Q

AWS WAF rate-based rules

A

Rules can be regular or rate-based.

A rate-based rule takes into account the number of matching requests that arrive from a given IP address in any 5-minute interval.

The rate limit must be at least 2000 requests per 5-minute interval (the minimum for the original AWS WAF).

A rate-based rule can also carry conditions, which are AND-ed; only requests that match all of them count toward the rate.

If the rule has no conditions, it counts all requests from every IP.

A web ACL can be associated with multiple resources.
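An added example, not from the original flashcards and not AWS code: a Python simulation of how a rate-based rule counts requests per source IP over a trailing five-minute window and begins blocking once the limit is reached, with an optional scope-down condition so that only matching requests (here, requests to `/login`) count. The log format and the traffic are constructed for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone
from typing import Callable, Deque, Dict, Iterable, List, NamedTuple, Optional

WINDOW = timedelta(minutes=5)   # rate-based rules count over a 5-minute window
RATE_LIMIT = 2000               # the minimum limit in the original AWS WAF


class Request(NamedTuple):
    ts: datetime
    src_ip: str
    method: str
    path: str


def parse_line(line: str) -> Request:
    """Parse a constructed access-log line: '<ISO-8601 timestamp> <ip> <method> <path>'."""
    ts, ip, method, path = line.split(maxsplit=3)
    return Request(datetime.fromisoformat(ts), ip, method, path)


def evaluate(requests: Iterable[Request], limit: int = RATE_LIMIT,
             window: timedelta = WINDOW,
             scope_down: Optional[Callable[[Request], bool]] = None) -> Dict[str, int]:
    """Return, per source IP, how many requests the rule would BLOCK.

    Only requests that satisfy the scope-down condition (all requests when there
    is none) are counted. Once an IP already has `limit` requests inside the
    trailing window, each further counted request from it is blocked."""
    windows: Dict[str, Deque[datetime]] = defaultdict(deque)
    blocked: Dict[str, int] = defaultdict(int)
    for req in sorted(requests, key=lambda r: r.ts):
        if scope_down is not None and not scope_down(req):
            continue   # neither counted nor blocked by this rule
        q = windows[req.src_ip]
        while q and req.ts - q[0] >= window:
            q.popleft()   # age out requests that fell outside the window
        q.append(req.ts)
        if len(q) > limit:
            blocked[req.src_ip] += 1
    return dict(blocked)


def sample_traffic() -> List[Request]:
    """Constructed traffic: one address hammers /login, another browses normally."""
    t0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    lines = [f"{(t0 + timedelta(milliseconds=114 * i)).isoformat()} 198.51.100.7 POST /login"
             for i in range(2100)]                      # 2100 POSTs in under 4 minutes
    lines += [f"{(t0 + timedelta(seconds=6 * i)).isoformat()} 203.0.113.9 GET /index.html"
              for i in range(50)]                       # 50 GETs spread over 5 minutes
    return [parse_line(line) for line in lines]


if __name__ == "__main__":
    print(evaluate(sample_traffic()))
    print(evaluate(sample_traffic(), scope_down=lambda r: r.path == "/login"))
```

The model is per-request; the real service re-evaluates the per-IP counts roughly every 30 seconds and keeps an address blocked until its rate falls back under the limit, so expect a short lag between crossing the threshold and the first blocked request. The scope-down form is the one to use in practice: limiting a login or search endpoint separately avoids blocking a busy NAT address for ordinary browsing.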

20
Q

AWS WAF regular rules and actions

A

Regular rules can Allow, Block, or Count the request.

Count records each request that matches the rule without allowing or blocking it, which is how you test a new rule before enforcing it.

All matches can be recorded as CloudWatch metrics.

A web ACL for a CloudFront distribution is created in the N. Virginia region (us-east-1).

21
Q

AWS Shield - standard

A

Protection against common attacks; no cost and always on.
Mitigates the majority of layer 3 and layer 4 (network and transport) attacks.
Customers get only a limited view of attacks.

22
Q

AWS Shield - Advanced

A

Provides layer 3, 4 and 7 (application layer) protection.
DDoS detection with real-time metric reporting and 24x7 assistance during an attack.
Covers EDoS (Economic Denial of Sustainability) attacks: financial harm caused by an attack, because customers pay for the resources consumed absorbing it.
AWS provides some cost protection, limited to Route 53 hosted zones, CloudFront, EC2 and ELB.
Mitigation through custom mitigations and the DRT (DDoS Response Team).
The DRT helps identify attack signatures and patterns and, with your permission, can deploy mitigations to your WAF.

23
Q

Elastic Load Balancing

A

Distributes traffic across multiple resources.
Provides a level of protection by filtering ports and protocols through listeners (incoming traffic only).
Protects against some attacks by allowing only known traffic through (e.g., only well-formed TCP connections reach the back end).

When you use Application Load Balancer to provide access from the Internet to your VPC resources, the load balancer forwards traffic into your VPC using private IPv4 addresses from the subnet on which its network interfaces reside. Network Load Balancer, however, will propagate the originating, public source IPv4 address. While Internet-facing load balancers have public IP addresses, resources in your VPC are not required to use publicly-routable IP addresses.

Elastic Load Balancing has options for connections over Secure Sockets Layer (SSL)/TLS with Classic Load Balancers and HTTPS for both Classic Load Balancer and Application Load Balancer. As part of the configuration process, you provide a certificate, and you can use AWS Certificate Manager for this. You also select the security policy used on incoming connections. Security policies let you choose the suite of ciphers and SSL/TLS protocol versions you will accept; pick one that excludes legacy protocol versions and weak ciphers.

24
Q

Elastic Load Balancing Sandwich

A

Two tiers of load balancers:
An Internet-facing load balancer receives the traffic.
Traffic is load balanced to a fleet of EC2 instances.
Those instances run security processes (e.g., firewall, content filters or data loss prevention).
The fleet forwards traffic to internal load balancers, which send it on to the application.

The process can be reversed for outbound traffic.

25
Q

Four levers of fine-grained control

A

Route tables, network ACLs, security groups and IAM roles

26
Q

Routing to keep traffic internal

A

Routing to VPC endpoints
VPC peering
AWS PrivateLink

Using AWS infrastructure for these paths keeps the traffic off the public Internet and inherits the availability of the AWS network.

27
Q

Hybrid cloud security (IPSEC)

A

IPsec VPN, either over the Internet or over Direct Connect.
Easiest way: the AWS-managed VPN (over the Internet, or over a Direct Connect public VIF). Configure your edge routers as the customer gateway.
Traffic -> IPsec connection -> VGW (virtual private gateway)

28
Q

Hybrid Cloud Security (VRF)

A

Use virtual routing and forwarding (VRF) on the customer gateway to create an IPsec connection to the VGW, or terminate the IPsec tunnel inside your VPC on an instance running VPN software.

29
Q

Security Groups/ACLs

A

Security groups are stateful network layer (Layer 3)/transport layer (Layer 4) firewalls that you apply to network interfaces in your VPC. Network ACLs are stateless network layer (Layer 3)/transport layer (Layer 4) filters that you apply to subnets within your VPC. Stateful means the return traffic of an allowed connection is permitted automatically; stateless means the return traffic needs its own rule (typically an outbound allow for the ephemeral port range).

SG: abstract the security policy into a group and assign it wherever it is needed; security group rules can only allow.

Separation of duties: the workload owner manages the security group, the network group controls the network ACL.
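An added example (not from the original flashcards) that models the stateful/stateless difference in Python. A security group needs only an inbound rule for port 443 because it tracks the connection and lets the reply out; a network ACL judges every packet on its own, in rule-number order, so the reply (source port 443 to the client's ephemeral port) needs its own outbound rule, and a lower-numbered deny shadows a later allow. The rule sets, addresses and packets are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import List, Set, Tuple


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" or "out", relative to the instance / subnet
    proto: str       # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class Rule:
    direction: str
    proto: str
    port_from: int
    port_to: int
    action: str = "allow"   # network ACLs also have "deny"; security groups only allow
    number: int = 0         # network ACL rule number: lowest number is evaluated first

    def matches(self, p: Packet) -> bool:
        return (self.direction == p.direction and self.proto == p.proto
                and self.port_from <= p.dst_port <= self.port_to)


@dataclass
class SecurityGroup:
    """Stateful: remembers allowed flows and lets their replies through."""
    rules: List[Rule]
    tracked: Set[Tuple[str, str, int, str, int]] = field(default_factory=set)

    def allows(self, p: Packet) -> bool:
        # A reply to a flow we already allowed matches the reversed 5-tuple.
        if (p.proto, p.dst_ip, p.dst_port, p.src_ip, p.src_port) in self.tracked:
            return True
        if any(r.matches(p) for r in self.rules):
            self.tracked.add((p.proto, p.src_ip, p.src_port, p.dst_ip, p.dst_port))
            return True
        return False


class NetworkAcl:
    """Stateless: each packet is judged alone; the first matching rule number wins."""

    def __init__(self, rules: List[Rule]):
        self.rules = sorted(rules, key=lambda r: r.number)

    def allows(self, p: Packet) -> bool:
        for r in self.rules:
            if r.matches(p):
                return r.action == "allow"
        return False  # the implicit final "*" rule denies everything else


def https_exchange() -> Tuple[Packet, Packet]:
    """Constructed flow: client 203.0.113.5 opens TCP/443 to 10.0.1.10; the server replies."""
    request = Packet("in", "tcp", "203.0.113.5", 50123, "10.0.1.10", 443)
    reply = Packet("out", "tcp", "10.0.1.10", 443, "203.0.113.5", 50123)
    return request, reply


def check_security_group() -> Tuple[bool, bool]:
    # One inbound rule is enough; the reply rides on the tracked connection.
    sg = SecurityGroup([Rule("in", "tcp", 443, 443)])
    req, rep = https_exchange()
    return sg.allows(req), sg.allows(rep)


def check_nacl_missing_ephemeral() -> Tuple[bool, bool]:
    # Common mistake: outbound only allows 443, so the reply to port 50123 is dropped.
    nacl = NetworkAcl([Rule("in", "tcp", 443, 443, number=100),
                       Rule("out", "tcp", 443, 443, number=100)])
    req, rep = https_exchange()
    return nacl.allows(req), nacl.allows(rep)


def check_nacl_with_ephemeral() -> Tuple[bool, bool]:
    # Fix: an outbound allow covering the ephemeral port range clients use.
    nacl = NetworkAcl([Rule("in", "tcp", 443, 443, number=100),
                       Rule("out", "tcp", 1024, 65535, number=100)])
    req, rep = https_exchange()
    return nacl.allows(req), nacl.allows(rep)


def check_nacl_rule_order() -> Tuple[bool, bool]:
    # A lower-numbered deny shadows the later allow, so the reply is still dropped.
    nacl = NetworkAcl([Rule("in", "tcp", 443, 443, number=100),
                       Rule("out", "tcp", 1024, 65535, action="deny", number=50),
                       Rule("out", "tcp", 1024, 65535, number=100)])
    req, rep = https_exchange()
    return nacl.allows(req), nacl.allows(rep)
```

The model ignores CIDRs and ICMP to keep the state-tracking point visible; the practical lesson is that a network ACL change must be reviewed in both directions and in number order, whereas a security group change is reviewed per flow.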

30
Q

EC2

A

Shared responsibility model (items that are the customer's responsibility):

  • Encrypt traffic between VPC resources (SSH, TLS, etc.)
  • Network configuration (e.g., instances that have both public and private interfaces)
  • Operating system firewalls
  • AWS does not provide a switched port analyzer (SPAN) port, but on-instance agents achieve the same outcome: the OS can capture packet data and stream it to a collector, and host-based IDS/IPS can run on the instances.

31
Q

Regional Services

A

Regional services that live outside the VPC (e.g., SQS) are reached through AWS API endpoints, so communication with them should be encrypted (HTTPS/TLS).

32
Q

Amazon GuardDuty

A

Threat detection service.
Analyzes events from CloudTrail, VPC Flow Logs and DNS logs.
No agents are required; no extra footprint on instances.
Uses malicious IP and domain lists plus machine learning to detect threats.
Example: can detect scanning of EC2 instances, or unusual geographic locations as a source of traffic.
Also looks for anomalous account activity (e.g., use of a region not normally used, or weakening of the account's password policy).
When something is detected it delivers a detailed finding, which can be routed to notifications.

33
Q

Amazon Inspector

A

Amazon Inspector is an automated security assessment service that analyzes your EC2 instances and their network exposure to identify potential security issues (vulnerable software, deviations from best practices, unintended reachability).

Target instances by tag, create an assessment template that selects the rules packages to run, then run the assessment; findings are reported with a severity.

34
Q

Amazon Macie

A

Recognizes personally identifiable information (PII) and intellectual property in your data.
Provides a dashboard on how data is being accessed.
Uses User and Entity Behavior Analytics (UEBA) and a support vector machine classifier to automate document classification.
Looks at historical access activity; when it detects anomalous activity it generates an alert.
Also looks for API keys and SSH private keys appearing in your buckets (they should not be there).

35
Q

Services to detect failed/malicious SSH login attempts

A

CloudWatch - logs (the agent ships the instance's auth log), metric filters, alarms and notifications
CloudTrail - records API calls, delivered to an S3 bucket
IAM - controls access to AWS resources
AWS Lambda - runs code without provisioning servers (e.g., to react to an alarm)
SNS - delivers messages to subscribed endpoints

36
Q

Network Traffic Analysis

A

Amazon Elasticsearch Service - Elasticsearch is a popular open source search and analytics engine for use cases such as log analytics, real-time application monitoring, and clickstream analytics.

Kibana - lets you visualize data in Amazon Elasticsearch Service; a popular open source visualization tool designed to work with Elasticsearch.

Amazon Kinesis Data Firehose - delivers managed, real-time streaming data to destinations such as Amazon S3, Amazon Redshift, or Amazon Elasticsearch Service.

AWS Lambda - transforms or enriches records as they move through the pipeline.

VPC Flow Logs - capture metadata (addresses, ports, protocol, packets, bytes, accept/reject) about the IP traffic to and from network interfaces in your VPC, and are the usual source feeding this pipeline.
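An added example (not from the original flashcards): Python that parses VPC Flow Log records in the default version-2 format and runs two detections a practitioner would typically place in this pipeline (in a Lambda transform or a Kibana-backed query): a port-scan check (one source hitting many distinct destination ports with REJECT) and SSH accepted from outside a trusted range. The log lines, addresses and the trusted CIDR are constructed.

```python
import ipaddress
from collections import defaultdict
from typing import Dict, Iterable, List, NamedTuple, Optional, Set


class Flow(NamedTuple):
    version: int
    account: str
    eni: str
    srcaddr: str
    dstaddr: str
    srcport: int
    dstport: int
    protocol: int     # IANA number: 6 = TCP, 17 = UDP
    packets: int
    bytes: int
    start: int
    end: int
    action: str       # ACCEPT or REJECT
    log_status: str   # OK, NODATA or SKIPDATA


def parse_flow_log(line: str) -> Optional[Flow]:
    """Parse one default-format (version 2) flow log record; None if unusable."""
    f = line.split()
    # NODATA/SKIPDATA records carry '-' placeholders and cannot be analysed.
    if len(f) != 14 or f[13] != "OK":
        return None
    try:
        return Flow(int(f[0]), f[1], f[2], f[3], f[4], int(f[5]), int(f[6]),
                    int(f[7]), int(f[8]), int(f[9]), int(f[10]), int(f[11]),
                    f[12], f[13])
    except ValueError:
        return None


def find_port_scanners(flows: Iterable[Flow], min_ports: int = 10) -> Dict[str, int]:
    """Sources whose REJECTed TCP flows touched at least min_ports distinct ports."""
    seen: Dict[str, Set[int]] = defaultdict(set)
    for fl in flows:
        if fl.action == "REJECT" and fl.protocol == 6:
            seen[fl.srcaddr].add(fl.dstport)
    return {ip: len(ports) for ip, ports in seen.items() if len(ports) >= min_ports}


def find_untrusted_ssh(flows: Iterable[Flow], trusted_cidrs: Iterable[str]) -> List[Flow]:
    """ACCEPTed TCP/22 flows whose source lies outside every trusted CIDR."""
    nets = [ipaddress.ip_network(c) for c in trusted_cidrs]
    hits = []
    for fl in flows:
        if fl.action == "ACCEPT" and fl.protocol == 6 and fl.dstport == 22:
            src = ipaddress.ip_address(fl.srcaddr)
            if not any(src in n for n in nets):
                hits.append(fl)
    return hits


# Constructed sample records (same field order as the real default format).
_SCANNED_PORTS = [21, 22, 23, 25, 53, 80, 110, 143, 443, 445, 3389, 8080]
SAMPLE_LOG: List[str] = [
    f"2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.10 {40000 + i} {port} 6 "
    f"1 60 1704110400 1704110459 REJECT OK"
    for i, port in enumerate(_SCANNED_PORTS)
] + [
    "2 123456789012 eni-0a1b2c3d 203.0.113.9 10.0.1.10 51000 22 6 20 1500 "
    "1704110400 1704110459 ACCEPT OK",      # SSH from an untrusted address
    "2 123456789012 eni-0a1b2c3d 10.0.0.5 10.0.1.10 52000 22 6 20 1500 "
    "1704110400 1704110459 ACCEPT OK",      # SSH from the trusted bastion range
    "2 123456789012 eni-0a1b2c3d - - - - - - - 1704110400 1704110459 - NODATA",
]


def analyse(lines: Iterable[str], trusted_cidrs: Iterable[str]) -> Dict[str, object]:
    flows = [fl for fl in map(parse_flow_log, lines) if fl is not None]
    return {
        "port_scanners": find_port_scanners(flows),
        "untrusted_ssh": sorted({fl.srcaddr for fl in find_untrusted_ssh(flows, trusted_cidrs)}),
    }


if __name__ == "__main__":
    print(analyse(SAMPLE_LOG, ["10.0.0.0/8"]))
```

Flow logs are aggregated per capture window and carry no payload, so these detections work on counts and tuples only; a REJECT means the security group or network ACL already dropped the packet, which is exactly why a burst of rejects across many ports is a reliable scan signal.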