Security Services Flashcards
Cognito
Web/mobile application user management and authentication service
Authenticate users through an external identity provider
Provides temporary security credentials
The Cognito ID token is a JSON Web Token (JWT)
Cognito user pools
Cognito identity pools
Use cases:
Enable your users to authenticate with a user pool.
After a successful user pool sign-in, your web or mobile app receives user pool tokens from Amazon Cognito. You can use those tokens to control access to your server-side resources.
Access resources with API Gateway and Lambda using a user pool. API Gateway validates the tokens from a successful user pool authentication and uses them to grant your users access to resources, including Lambda functions or your own API.
After a successful user pool authentication, your app receives user pool tokens from Amazon Cognito. You can exchange them for temporary access to other AWS services through an identity pool.
Enable your users to access AWS services through an identity pool. In exchange, the identity pool grants temporary AWS credentials that you can use to access other AWS services.
Grant your users access to AWS AppSync resources with tokens from a successful Amazon Cognito authentication, from either a user pool or an identity pool.
Amazon Cognito is also commonly used together with AWS Amplify, a framework for developing web and mobile applications with AWS services.
Cognito Sync and Sync Store
Cognito Sync:
Store and sync data across devices using Cognito Sync.
You can programmatically trigger the sync of datasets between client devices and the Amazon Cognito sync store by using the synchronize() method in the AWS Mobile SDK. The synchronize method reads the latest version of the data available in the Amazon Cognito sync store and compares it to the local cached copy. After comparison, the synchronize method writes the latest updates as necessary to both the local data store and the Amazon Cognito sync store.
The Amazon Cognito sync store is a key-value store linked to an Amazon Cognito identity. There is no limit to the number of identities you can create in your identity pools and sync store.
Each user information store can have a maximum size of 20 MB. Each dataset within the user information store can contain up to 1 MB of data, and within a dataset you can have up to 1024 keys.
With Cognito Streams, you can push sync store data to a Kinesis stream in your AWS account.
Cognito advanced security features
When Cognito detects unusual sign-in activity, it assigns a risk score to the activity and lets you choose either to prompt users for additional verification or to block the sign-in request.
Users can verify their identities using SMS or a time-based one-time password (TOTP) generator.
When Cognito detects that users have entered credentials that have been compromised elsewhere, it prompts them for a password change.
Cognito integration with Lambda
You can create an AWS Lambda function and then trigger that function during user pool operations, such as user sign-up, confirmation, and sign-in, with a Lambda trigger.
Cognito invokes Lambda functions synchronously. When called, your Lambda function must respond within five seconds. If it does not, Amazon Cognito retries the call. After three unsuccessful attempts, the function times out.
You can create a Lambda function as a back end to Cognito that serves authentication challenges to users signing in.
Amazon Detective - investigate security findings
Investigate security findings and identify the root cause
Detective needs to be enabled on a per-region basis and enables you to quickly analyze activity across all your accounts within each region.
Detective is a multi-account service.
Detective automatically collects log data from your AWS resources and uses machine learning, statistical analysis, and graph theory to build a linked set of data that enables you to easily conduct faster and more efficient security investigations.
• Can be integrated with AWS security services like Amazon GuardDuty, Amazon Macie, and AWS Security Hub as well as partner security products to identify potential security issues, or findings.
• Amazon Detective can analyze trillions of events from multiple data sources such as VPC Flow Logs, AWS CloudTrail, and Amazon GuardDuty, and automatically creates a unified, interactive view of your resources, users, and the interactions between them over time.
This allows you to identify the underlying reasons for the findings, drill down into relevant historical activities, and quickly determine the root cause of a security concern.
• Amazon Detective’s prebuilt data aggregations, summaries, and context help you to quickly analyze and determine the nature and extent of possible security issues.
Amazon Detective vs GuardDuty vs AWS Security Hub
GuardDuty is a threat detection service that continuously monitors for malicious activity and unauthorized behavior to protect your AWS accounts and workloads.
With Security Hub, you have a single place that aggregates, organizes, and prioritizes your security alerts, or findings, from multiple AWS services, such as Amazon GuardDuty, Amazon Inspector, and Amazon Macie, as well as from AWS Partner solutions.
Amazon Detective simplifies the process of investigating security findings and identifying the root cause.
GuardDuty - threat detection
Intelligent threat detection and reporting service
Analyzes CloudTrail events, VPC Flow Logs, and DNS logs
Generates findings when it detects unexpected and potentially malicious activity in your AWS environment.
Findings include:
Summary
Resources affected
Action
Actor
Details such as threat purpose
Resource type affected
Findings can be filtered.
GuardDuty is a regional service.
CloudTrail Event Source
• GuardDuty analyzes CloudTrail management events and S3 data events.
• GuardDuty processes all CloudTrail events that come into a region, including global events that CloudTrail sends to all regions, such as AWS IAM, AWS STS, Amazon CloudFront, and Route 53.
VPC Flow Logs Event Source
• VPC Flow Logs capture information about the IP traffic going to and from Amazon EC2 network interfaces in your VPC.
DNS Logs Event Source
• If you use AWS DNS resolvers for your EC2 instances (the default setting), then GuardDuty can access and process your request and response DNS logs through the internal AWS DNS resolvers. Using other DNS resolvers will not give GuardDuty access to those DNS logs.
GuardDuty vs Macie
• Amazon GuardDuty provides broad protection of your AWS accounts, workloads, and data by helping to identify threats such as attacker reconnaissance, instance compromise, and account compromise. Amazon Macie helps you protect your data in Amazon S3 by helping you classify what data you have, the value that data has to the business, and the behavior associated with access to that data.
• Trusted IP lists consist of IP addresses that you have whitelisted for secure communication with your AWS infrastructure and applications. GuardDuty does not generate findings for IP addresses on trusted IP lists.
• At any given time, you can have only one uploaded trusted IP list per AWS account per region.
• Threat lists consist of known malicious IP addresses. GuardDuty generates findings based on threat lists.
• At any given time, you can have up to six uploaded threat lists per AWS account per region.
Amazon Inspector - security assessment service
• An automated security assessment service that helps you test the network accessibility of your EC2 instances and the security state of your applications running on the instances.
• Inspector uses IAM service-linked roles.
• Inspector provides an engine that analyzes system and resource configuration and monitors activity to determine what an assessment target looks like, how it behaves, and its dependent components. The combination of this telemetry provides a complete picture of the assessment target and its potential security or compliance issues.
Amazon Macie - detects PII and intellectual property
• A security service that uses machine learning to automatically discover, classify, and protect sensitive data in AWS. Macie recognizes sensitive data such as personally identifiable information (PII) or intellectual property.
Amazon Macie allows you to achieve the following:
• Identify and protect various data types, including PII, PHI, regulatory documents, API keys, and secret keys
• Verify compliance with automated logs that allow for instant auditing
• Identify changes to policies and access control lists
• Receive notifications when data and account credentials leave protected zones
• Detect when large quantities of business-critical documents are shared internally and externally
AWS Artifact - security and compliance reporting
AWS Audit Manager - helps you audit your AWS usage on a regular basis
Certificate Manager - SSL/TLS certificates
• A service that lets you easily provision, manage, and deploy public and private SSL/TLS certificates for use with AWS services and your internal connected resources.
Certificate Manager is integrated with the following services:
• Elastic Load Balancing
• Amazon CloudFront - To use an ACM certificate with CloudFront, you must request or import the certificate in the US East (N. Virginia) region.
• AWS Elastic Beanstalk
• Amazon API Gateway
• AWS CloudFormation
• AWS Certificate Manager manages the renewal process for certificates issued by ACM and used with ACM-integrated services.
• You can import your own certificates into ACM; however, you have to renew these yourself.
ACM certificates are X.509 version 3 certificates. Each is valid for 13 months.
Each ACM certificate must include at least one fully qualified domain name.
AWS Shield - DDoS protection service
Protects against Layer 3/4 attacks
Shield Advanced can protect NLBs by associating Elastic IPs (EIPs) with them
Shield Advanced protects CloudFront and Route 53
AWS WAF
Web application firewall that protects web applications or APIs against flood, XSS, and SQL injection attacks
Uses web ACLs (web access control lists)
Protects against Layer 7 attacks
AWS Network Firewall
AWS Network Firewall is a managed network firewall service for your Amazon Virtual Private Clouds (VPCs). It comes with intrusion prevention and detection capabilities and allows you to filter traffic at the perimeter of your Amazon VPCs.
This service is commonly used in network security use cases such as inspecting VPC-to-VPC traffic, filtering outbound traffic, securing both AWS Direct Connect and VPN traffic, and filtering Internet traffic. AWS Network Firewall also offers fine-grained network security controls for VPCs interconnected via AWS Transit Gateway.
You can also use it to filter your outbound traffic to prevent unwanted data loss, block malware, and satisfy strict network security compliance requirements. A single AWS Network Firewall can be configured with thousands of rules that filter out network traffic routed to known bad IP addresses or suspicious domain names. It can also protect the AWS Direct Connect or VPN traffic that originates from client devices and your on-premises environments. AWS Network Firewall can ensure that only authorized sources of traffic are granted access to your mission-critical VPC resources. It is also capable of performing the same activities as your Intrusion Detection Systems and Intrusion Prevention Systems (IDS/IPS). This is achieved by inspecting inbound Internet traffic using features such as ACL rules, stateful inspection, protocol detection, and intrusion prevention.
3 basic components:
Firewall
Firewall policy
Rule Group
A firewall is a resource that you create in AWS Network Firewall. This firewall is connected to the Amazon VPC of your choice, where a network filter will be implemented based on the behavior defined in your firewall policy.
Your firewall can have one firewall policy only, which contains rule groups that you define.
You can deploy the firewall in multiple Availability Zones and to one subnet per zone. Each subnet that is associated with your firewall must have at least one available IP address. Afterward, you must update your VPC route tables to send incoming and outgoing traffic through the firewall endpoints.
The second component is the firewall policy. This is a policy that defines the behavior of your firewall using a collection of stateless and stateful rule groups. A firewall policy can be associated with one or more firewalls.
However, a firewall can have only one firewall policy. Changing a firewall policy affects all firewalls that reference it.
The third component in AWS Network Firewall is called a rule group. This is basically a collection of stateless or stateful rules that define how to inspect and handle the network traffic in your VPC. A rules configuration includes 5-tuple network values and domain name filtering. The 5-tuple format includes the source IP address, source port, destination IP address, destination port, and protocol.
AWS Network Firewall has two types of rules which could be stateless or stateful. The first one is stateless in the sense that it does not have any context of the packet’s traffic flow. A stateless rule just checks the packet itself. On the contrary, a stateful rule knows the context or the state of the packet, including its direction flow and other information that is not provided by the packet itself. Each rule in your stateful rule group has an associated order for its evaluation sequence. This concept is similar to network access control lists and security groups. A network ACL is stateless, while a security group is stateful.
You can also choose how you want the AWS Network Firewall to handle the packets that match your rule criteria. You can either pass or drop a packet that was filtered by the network firewall. A packet can also be forwarded to another stateful rule group for re-evaluation. Setting up custom actions is possible as well. A custom action can be configured to publish data to CloudWatch metrics for future network analysis.