Security Flashcards
Web Application Firewall WAF
• Lets you monitor HTTP/HTTPS requests that are forwarded through:
○ CloudFront
○ ELB
○ API Gateway
• Uses web ACLs to protect resources and control access to content.
• Layer 7 protection
• Can see more information than a typical firewall
• Can configure conditions such as which IP addresses are allowed to make requests or which query string parameters must be present in a request
○ The services above then either serve the content or return HTTP 403 (Forbidden).
• WAF allows 3 behaviors
○ Allow all requests except those specified
○ Block all requests except those specified
○ Passive (count) mode: count requests that match the specified properties without blocking them.
WAF protections
• Protects against specific conditions:
○ IP address
○ Country the request originates from
○ Values in headers
○ Strings that appear in the request text (matched by regex or otherwise)
○ Length of request
○ Presence of SQL code (SQL injection)
○ Presence of malicious script (XSS)
AWS Shield
AWS Shield Standard defends against most common, frequently occurring network and transport layer DDoS attacks that target your website or applications.
For higher levels of protection against attacks, including automated application-layer (layer 7) traffic monitoring, you can subscribe to AWS Shield Advanced.
AWS Secrets Manager
AWS Secrets Manager helps you protect secrets needed to access your applications, services, and IT resources. The service enables you to easily rotate, manage, and retrieve database credentials, API keys, and other secrets throughout their lifecycle.
Stores encrypted credentials and performs on-demand retrieval safely.
Encryption SDK
The AWS Encryption SDK is a client-side encryption library designed to make it easy for everyone to encrypt and decrypt data using industry standards and best practices. It enables you to focus on the core functionality of your application, rather than on how to best encrypt and decrypt your data. The AWS Encryption SDK is provided free of charge under the Apache 2.0 license.
Provides the following:
• A default implementation that adheres to cryptography best practices
• A framework for protecting data keys with master keys
• A formatted message that stores encrypted data keys together with the encrypted data.
Does not store credentials.
Certificate Manager
AWS Certificate Manager is a service that lets you easily provision, manage, and deploy public and private Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificates for use with AWS services and your internal connected resources. SSL/TLS certificates are used to secure network communications and establish the identity of websites over the Internet as well as resources on private networks.
Detective
Amazon Detective makes it easy to analyze, investigate, and quickly identify the root cause of potential security issues or suspicious activities. Amazon Detective automatically collects log data from your AWS resources and uses machine learning, statistical analysis, and graph theory to build a linked set of data that enables you to easily conduct faster and more efficient security investigations.
Security Hub
AWS Security Hub gives you a comprehensive view of your security alerts and security posture across your AWS accounts. There are a range of powerful security tools at your disposal, from firewalls and endpoint protection to vulnerability and compliance scanners.
Inspector
Amazon Inspector assesses the security and compliance of your EC2 instances.
Inspector is an automated security assessment service that helps improve the security and compliance of applications deployed on AWS. It automatically assesses applications for vulnerabilities or deviations from best practices. After performing an assessment, it produces a detailed list of findings prioritized by level of severity. Reports are available via the Amazon Inspector console or API. It uses an agent installed on your EC2 instances.
Key Management Service (KMS)
Regional and managed
• Regional secure key management and encryption/decryption
• Manages customer master keys (CMKs). A CMK is the logical representation of a key.
Systems Manager Parameter Store
• Encrypt/decrypt data up to 4 KB in size
• Integrated with most AWS services
• Pay per API call (e.g. listing keys, encrypting/decrypting).
• Audit capability using CloudTrail delivered to S3.
• FIPS 140-2 Level 2.
○ Level 3 is CloudHSM
• Keys are regional, which matters: to move encrypted data to another region, decrypt it with the source-region key and re-encrypt it with a key in the destination region.
KMS types
§ Customer Managed
□ Only you can create them. Full control of the key lifecycle and of permissions for who can use the keys.
□ Key rotation important
§ AWS Managed CMK
□ Free. Created automatically when you create an encrypted resource. You can track usage of the CMK, but AWS manages its lifecycle and permissions.
§ AWS Owned CMK
□ Owned and managed by AWS for use in multiple AWS accounts. Not in your account, but AWS can use its own CMK to protect your resources.
KMS Encryption
§ Symmetric
□ The default key type.
□ Same key used for enc/dec
□ Never leaves AWS unencrypted
□ Must call KMS API to use it
□ All services integrated with KMS use symmetric CMKs.
□ Encrypt/decrypt and re-encrypt data
□ Generate data keys, data key pairs, random byte strings
□ Import own key material
§ Asymmetric
□ Mathematically related public/private key pair
□ RSA and ECC algorithms.
□ Private never leaves AWS unencrypted.
□ Must call the KMS API to use the private key
□ The public key can be downloaded and used outside KMS by users who cannot call the KMS API
AWS services integrated with KMS do not support asymmetric CMKs
Network Access Control List (NACL)
NACL can be configured to enhance security at the subnet level.
Stateless
Security Group
Acts as a virtual firewall controlling both inbound and outbound traffic. Acts at the instance level.
Stateful