Network Security Flashcards
AWS Organizations - Service Control Policy (SCP).
The SCP allows the designated master account to define policies that restrict, at the account level, what services and actions member-account users, groups, and roles can take, including the account root user.
AWS Organizations - Programmatic Account Creation
When you use AWS Organizations to create a new account within an organization, the new account is created with an administrative role, typically called OrganizationAccountAccessRole, which you assume to access the new account.
AWS CloudFormation
CloudFormation StackSets extend the functionality of stacks by enabling you to create, update, or delete stacks across multiple accounts and regions with a single operation. Using an administrator account, you define and manage an AWS CloudFormation template and use the template as the basis for provisioning stacks into selected target accounts across specified regions.
AWS Service Catalog
Create a curated portfolio of products
Uses a combination of IAM roles, termed launch constraints, and CloudFormation templates (CFTs) to deliver fine-grained control of access and configuration during the provisioning process.
AWS Service Catalog executes a template to generate the new AWS account, create the VPC enclave, build the VPN, and apply the restrictive SCP. With this approach, creation and configuration of a new account is completely automated. Moreover, the process is standardized, repeatable, and auditable.
Edge Locations
Tool to prevent DDoS attacks
Infrastructure is monitored for anomalies
First all traffic is scored across a set of dimensions to prioritize the flow of legitimate traffic.
Second, the global scale of the edge infrastructure allows AWS to absorb attacks by diffusing the incoming traffic flows across multiple edge locations.
Third, many services running in an edge location have the ability to apply geographic isolation and restriction; that is, both automated and manual whitelisting and blacklisting of source traffic is possible.
Route 53 - Shuffle Sharding
Shuffle sharding is a technique designed to minimize correlated failures by simultaneously leveraging the traditional benefits of sharding (such as fault isolation and performance scaling) and the effects of randomized, or shuffled, assignment.
Route 53 - Anycast Striping
Anycast striping is another availability mechanism built into Amazon Route 53. Anycast is the notion that multiple systems respond to the same IP address. In practical terms, anycast means that when your DNS resolver initiates a connection to an Amazon Route 53 DNS server, the actual responder to which you connect could be in any of several locations across the globe advertising the same anycast address.
Example: for a TLD (Top Level Domain), Route 53 provides multiple anycast servers that can respond to a request
Route 53 - Packet Filters
Amazon Route 53 also provides mechanisms to block invalid or unwanted requests. As part of the edge infrastructure, packet filters are applied that drop invalid DNS requests. If you wish to block requests further, Amazon Route 53 provides geolocation routing policies that give you control over the responses provided to DNS resolvers based on their source IP addresses.
Amazon Cloudfront - OAI
Origin Access Identity - special CloudFront user you can associate with a distribution
You grant permission to the OAI
By requiring access through the CDN using the OAI, you prevent bypassing the network security controls that you grant (or revoke) via the OAI
Cloudfront - Custom HTTP headers
Can manipulate headers being passed to the origin. You can restrict access to the distributions you designate
Example: add custom headers so that the origin can authenticate incoming traffic from the CDN; if the header is not present, the origin can deny the request.
CloudFront - TLS enforcement / signed URLs, cookies
Can encrypt using TLS; can require signed URLs or cookies
You are responsible for generating the tokens. Can also restrict valid dates/times
Can also use CloudFront field-level encryption to encrypt sensitive data (e.g. credit card numbers).
Cloudfront - AWS Lambda@Edge
Can execute Lambda functions inside the CDN
Can be used to populate custom headers
A similar use case involves validation of consumer-provided authorization tokens. You can use AWS Lambda@Edge to inspect headers and authorization tokens. For example, if you experienced an application layer attack (Layer 7), you could leverage AWS Lambda@Edge to validate the format and validity of the asserted session or authorization tokens to distinguish between accepting valid traffic and dropping malicious traffic. As
AWS Certificate Manager
Create TLS certs for CloudFront, ELBs, Elastic Beanstalk
Can use ACM-generated or uploaded certs
Provides SHA-256 cert valid for 13 months
Must use a fully qualified domain name (FQDN); can also use wildcards
These are regional
Free; you cannot download the private key; the key is encrypted at rest with the KMS service
For CloudFront these tasks are performed in the N. Virginia region
AWS WAF - ACLs
With AWS WAF, you implement Web Access Control Lists (ACLs) to control your HTTP and HTTPS traffic. Web ACLs are composed of rules, and rules are composed of conditions.
Filters are OR-ed: if any one filter matches, the condition is met and the rule action is enforced
AWS WAF Conditions - Cross-Site Scripting (XSS)
Cross-Site Scripting (XSS) enables you to match web requests containing scripts that might exploit vulnerabilities in your applications. This condition allows you to search for XSS in common parts of the request data, including the HTTP method, header, query string, Uniform Resource Identifier (URI), or body.
AWS WAF Conditions - IP Addresses
The second condition, IP addresses, allows you to match on IPv4 and IPv6 addresses. For IPv4 addresses, AWS WAF will only filter /8, /16, /24, and /32. For IPv6 addresses, AWS WAF will only filter /24, /32, /48, /56, /64, and /128.
AWS WAF Conditions - Size Constraints
Size constraints allow you to match requests on the basis of length. This condition evaluates common parts of the request data, and it allows you to apply the same transformations available in XSS. With this condition, you specify the byte size and the comparison operator (for example, equals, not equals, greater than, or less than).
AWS WAF Conditions - SQL Injections, Geographic match, string match
Can look for SQL Injection patterns
Geographic location - allow or block requests based on the region the request originates from
String match - can look at the request data for string matches (different operators on strings, e.g. regex). Can only inspect the first 8k; max match size is 50 bytes
AWS WAF rate-based rules (once condition is matched)
Rules can be regular or rate-based
Rate-based - the rule takes into account the number of matching requests that arrive from a given IP address in a 5 min interval
The rate limit must be > 2000 requests in a 5 min interval
Can have multiple rules, which are AND-ed
If there are no conditions, a rate-based rule will match all requests from all IPs
Can apply rules to multiple resources
AWS WAF regular rules (once condition is matched)
Regular rules can Allow, Block, or Count the request.
Count - counts each request that matches the rule
All can be recorded in CloudWatch
WAF for the CDN (CloudFront) is only available in N. Virginia
AWS Shield - standard
Protection against common attacks - no cost, always on
Majority of Layer 3/4 attacks
Limited view of attacks by customers
AWS Shield - Advanced
Provides Layer 3, 4 and 7 (application layer) protection
DDoS detection
Real-time metric reporting, 24x7 assistance during an attack
EDoS (Economic Denial of Sustainability) attacks
Financial harm as a result of an attack: the cost of resources, because the customer pays for whatever resources are consumed
AWS provides some cost protection, limited to Route 53 hosted zones, CloudFront, EC2 and ELBs
Mitigate through custom mitigations and the DRT (DDoS Response Team)
The DRT will help identify attack signatures and patterns. With permission it can deploy mitigations to your WAF
Elastic Load Balancing
Distribute traffic across multiple resources
Provides a level of protection by filtering ports and protocols through listeners (incoming traffic only)
Can protect against attacks by allowing only known traffic through (well-formed TCP connections)
When you use Application Load Balancer to provide access from the Internet to your VPC resources, the load balancer forwards traffic into your VPC using private IPv4 addresses from the subnet on which its network interfaces reside. Network Load Balancer, however, will propagate the originating, public source IPv4 address. While Internet-facing load balancers have public IP addresses, resources in your VPC are not required to use publicly-routable IP addresses.
Elastic Load Balancing has options for connections over Secure Sockets Layer (SSL)/TLS with Classic Load Balancers and HTTPS both for Classic Load Balancer and Application Load Balancer. As part of the configuration process, you provide a certificate, and you can use AWS Certificate Manager for this process. You also select the security policies used on incoming connections. Security policies allow you to select from a suite of ciphers for various SSL/TLS protocol versions.
Elastic Load Balancing Sandwich
2 tiers of load balancers
Internet-facing load balancer receives traffic
Traffic is load balanced to a fleet of EC2 instances
EC2 instances running security processes (e.g. firewall, content filters or data loss prevention)
The fleet of instances forwards traffic to internal load balancers that send traffic to the application
Can reverse this process for outbound traffic
Four levers of fine-grained control
Route tables, ACLs, Security groups and IAM roles
Routing to ensure traffic stays internal
Routing to VPC endpoints
VPC peering
PrivateLink
Use Amazon infrastructure for availability
Hybrid cloud security (IPsec)
IPsec VPN - VPN over the internet and VPN over DC (Direct Connect)
Easiest way: AWS-hosted VPN over a public VIF. Configure your edge routers as a customer gateway
Traffic -> IPSEC connection -> VGW
Hybrid Cloud Security (VRF)
Virtual routing and forwarding (VRF) on the customer gateway to create an IPsec connection to the VGW, or terminating on VPN software running in your VPC
Security Groups/ACLs
Security groups are stateful network layer (Layer 3)/transport layer (Layer 4) firewalls that you apply to network interfaces in your VPC. Network ACLs are stateless network layer (Layer 3)/transport layer (Layer 4) filters that you apply to subnets within your VPC.
SG - Abstract security into a group and assign where necessary
Separation of duties - the workload owner manages the SG, the network group controls the ACL
EC2
Shared responsibility model (items are the customer responsibility)
- Encrypt traffic between VPC resources (SSH, TLS etc)
- Network configuration (instances that have both public and private interfaces)
- Operating system firewalls
- A Switched Port Analyzer (SPAN) can't be used in AWS; however, on-instance agents achieve the same outcome. The OS can capture packet data and stream it to a data collector. Can use IDS/IPS on instances (e.g. security software instantiated on EC2)
Regional Services
Regional services outside of the VPC (e.g. SQS) should have encrypted communications
Amazon GuardDuty
Threat detection system
Analyzes events from CloudTrail, VPC Flow Logs and DNS logs
No agents are required. No extra footprint
Uses malicious IP/domain lists and machine learning to detect threats
Example: can detect the scanning of EC2 instances, or look for unusual geolocations as a source of traffic
Also looks for account activity (e.g. using a region not normally used, weakening password requirements in an account)
When a threat is detected, delivers a detailed notification
Amazon Inspector
Amazon Inspector is a security service that allows you to analyze your VPC environment to identify potential security issues.
Use instance tags to target instances, create an assessment template with rules, and then run the assessment
Amazon Macie
Recognizes personally identifiable information (PII) or intellectual property (IP)
Provides a dashboard on how data is being accessed
Uses User and Entity Behavior Analytics (UEBA) and a Support Vector Machine classifier to automate document classification
Looks at historical access activity; when it detects anomalous activity it generates a report
Also looks for API and SSH keys appearing in your buckets (they should not be there)
Services to detect failed/malicious SSH login attempts
CloudWatch - alarms, notifications, logs
CloudTrail - records API calls. Delivered to a bucket.
IAM - control access to AWS resources
AWS Lambda - run code without provisioning servers
SNS - delivery of messages to subscribed endpoints.
Network Traffic Analysis
Amazon Elasticsearch Service - Elasticsearch is a popular, open source search and analytics engine for use cases such as log analytics, real-time application monitoring, and clickstream analytics.
Kibana - allows you to visualize data in Amazon Elasticsearch Service. Kibana is a popular open source visualization tool designed to work with Elasticsearch.
Kinesis Firehose - delivers managed, real-time streaming data to destinations such as Amazon S3, Amazon Redshift, or Amazon Elasticsearch Service.
AWS Lambda
VPC Flow Logs