Security Flashcards
CloudTrail
Console shows the past 90 days
Default UI only shows Create, Modify and Delete events
Can create a CloudTrail trail
Get a detailed list of all the events you choose; can include events happening at the object level in S3
Can store trail events in S3 for further analysis
Can be region specific or global (IAM etc.)
If something is deleted look in CloudTrail
CloudTrail Delivery to S3
- Can enable versioning
- Can use encryption SSE-S3, SSE-KMS
- MFA Delete Protection
- S3 Lifecycle policy (Glacier, IA)
- Object locks to protect from delete or modify
- Can use SHA-256 hashing and signing to verify the delivered log content is as expected
CloudTrail delivery notifications
Can be set up through:
- CloudTrail directly -> SNS -> SQS, Lambda
- S3 events -> SNS, SQS, Lambda
CloudTrail - MultiAccount, Multi Region
For writes, need a bucket policy
For reads and gets, need either a cross-account role + AssumeRole OR a bucket policy
CloudTrail Alerts for API calls
CloudTrail -> CW Logs -> Metric Filter -> CW Alerts -> SNS
Ex:
- Count number of API calls of type or per user
- Detect high number of denied API calls
CloudTrail Speed
Can take 15 minutes to deliver events
- CW Events - fastest, most reactive, single API call
- Delivery to CW Logs - streamed, aggregated, multiple API calls
- Delivery to S3 - can check integrity, cross account, Glacier, more comprehensive (Athena)
AWS KMS
AWS manages key for you, integration with IAM for authorization.
Only able to encrypt up to 4KB per call
If > 4KB, use Envelope Encryption with a data encryption key (DEK)
All API calls recorded to CloudTrail
AWS KMS Access
- Need a key policy
- IAM policy to allow KMS API calls
AWS KMS CMK
CMK is used to encrypt/decrypt but can never be seen. Can be rotated
KMS keys
Customer Managed
- Create, manage, use, enable/disable
- Rotate: a new key is added every year, the old one is kept
- Key policy
- Leverage for envelope encryption
AWS Managed
- Used by AWS services
AWS Parameter Store
- Securely store configuration and secrets
- Mostly free, seamless KMS integration, serverless
- Version tracking of configurations/secrets
- Can notify of changes via CW events
- Dynamic parameter interpolation for CloudFormation
AWS Parameter Store Paths
- Can retrieve secrets from Secrets Manager using the Parameter Store API, via a pre-defined special path
- Special paths include retrieving the latest AMI ID
- IAM integration on configuration path level
- GetParameters/GetParametersByPath
AWS Secrets Manager
- Can automatically rotate secrets every X days
- Integration with RDS (admin passwords etc)
- Encrypted with KMS
RDS Security at rest
KMS Encryption at rest for underlying EBS volume/snapshots
RDS Security TDE
TDE for Oracle and SQL Server only
RDS Security in transit
In-transit SSL encryption for all databases
RDS Security Authorization
Using database authorization
RDS Security Authentication
IAM authentication only for MySQL and PostgreSQL
RDS Security CloudTrail
Cannot track queries using CloudTrail
RDS Security Snapshots
Can copy un-encrypted RDS snapshot into an encrypted one
SNI (Server Name Indication) SSL handshake
Only supported in NLB, ALB and CloudFront, NOT in CLB
AWS and MITM Attacks
- Don't use HTTP
- Use DNS with DNSSEC, i.e. protect your domain using DNSSEC
Route53 DNSSEC
- Route53 does not support DNSSEC for its DNS service, only for domain registration.
- Must use another DNS service provider, e.g. a custom DNS server on EC2 (BIND, dnsmasq, Knot DNS, PowerDNS)
AWS ACM
- Buy your own SSL certs and store them in ACM using the CLI
- Provision new or renew SSL certs using ACM (free)
- Integrates seamlessly by provisioning and maintaining certs on:
- Load Balancers
- CloudFront
- APIs on API Gateway
- Renewal is automatic or manual depending on whether the cert is internal (ACM-issued) or external (imported)
ACM and regions
ACM is regional; certs cannot be used cross-region
Must issue SSL certificates in each region needed for a global application with Load Balancers (which are also regional)
Not needed for CloudFront because it is a global distribution