a

AWS Cloud Practitioner - 3

Security

Subhi Dweik. Chapter Eindhoven '22 X Rockademy
a

Index

  • Shared responsibility model
  • Well Architected
  • IAM
  • Organizations
  • Encryption
  • Sec services
  • Questions
a

Shared responsibility model

a

Well Architected

  • 6 Pillars leading to proper software and competent organizations
  • A series of best practices AWS has learned over time operating the platform
  • Has a tool which helps your org validate all parts of your organization/workload
  • Meant as something you keep in mind when building software, and review regularly
a

Terminology

  • Component: Piece of a workload.
  • Workload: Generally the smallest unit the business talks about.
  • Architecture: How components work together in a workload
  • Milestone: Key changes to your achitecture
  • Technology portfolio: Collection of workloads the business rquires to operate.
a

Pillars - 1

  • Operational Excellence
    • Essentially how you deal with software and its deployment
  • Security
    • Least privilege, Zero trust, Audit...
  • Reliability
    • Automate failure recovery, Stop guessing capacity
a

Pillars - 2

  • Performance Efficiency
    • Serverless first, multi-region, delegate when possible
  • Cost optimization
    • Don't overprovision, make sure people have insights in costs
  • Sustainability
    • Reduce waste, be aware of whether something is necessary
a

IAM

  • Least privilege by default

a

Roles

  • A role can be assumed
  • Services can assume roles
  • Not all services can assume roles
  • Role permissions are not in addition to your own roles
a

Policies

  • Declaration of one or more permissions
  • Evaluated at time of request
  • IAM Policies only control access to AWS services
a

Policy eval order

a

Policy example

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "limitedSize",
            "Effect": "Deny",
            "Action": "ec2:RunInstances",
            "Resource": "arn:aws:ec2:*:*:instance/*",                                                          
            "Condition": {
                "ForAnyValue:StringNotLike": {
                    "ec2:InstanceType": [
                        "*.nano",
                        "*.medium"
                    ]
                }
            }
        }
    ]
}
a

Policy actions

"Action": "ec2:StartInstances"
"Action": "iam:ChangePassword"
"Action":["sqs:SendMessage", "sqs:ReceiveMessage"]
"Action":"s3:List*"
a

Policy Conditions

"Condition": {
  "DateGreaterThan": {"aws:CurrentTime":"2016-11-30T11:00:00Z"},
  "DateLessThan": {"aws:CurrentTime":"2016-11-30T15:00:00Z"},
  "IpAddress": {"aws:SourceIp":["192.0.2.0/24", "203.0.113.0/24"]}
}

"Action":"s3:ListBucket",
"Effect":"Allow",
"Resource":["arn:aws:s3:::mybucket"],
"Condition":{"StringLike":{"s3:prefix":["home/${aws:username}/*"]}}
a

Policy Anatomy

{
   "Version":"2012-10-17",
   "Statement":[
      {
         "Effect":"Allow", # Can be explicit allow, or explicit deny
         "Action":[
            "s3:GetObject", # API action(s) to allow, supports wildcards
         ],
         "Resource":"arn:aws:s3:::awsexamplebucket1/*" # What resource(s) to allow this on
         "Principal": {
            "AWS":"arn:aws:iam::257973423188:root" # Allow this for a specific principal. Usually on the "Receiving side"
         }
         "Condition" : {
            "StringEquals" : {
               "aws:username" : "johndoe" # Only apply this policy if the username is "johndoe"
            }
         }
      }
   ]
}
a

AWS Credentials chain

The AWS SDK looks for credentials in a certain order, from top to bottom:

  • Overrides
    • For cli: flags (e.g. --profile)
    • For SDK: arguments to constructor
  • Environment variables (AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_PROFILE, etc.)
  • Java only: aws.accessKeyId and aws.secretKey properties
  • Web identity token (used for EKS for example)
  • The default credentials file (~/.aws/credentials and ~/.aws/config IF AWS_SDK_LOAD_CONFIG is set)
  • AWS ECS Container credentials
  • EC2 Instance profile credentials
a

AWS Organizations

  • Manage multiple accounts from a single root account
  • Consolidated billing
  • SCPs
a

Encryption

  • KMS
    • AWS owned/AWS managed/C-KMS
  • CloudHSM
    • Single tenant hardware encryption keys
    • Turns out, not that expensive anymore
  • SSM
    • Secrets management, supports automatic rotation, optionally by a custom lambda
a

Traffic security

  • WAF
    • Inspects traffic, drops malicious traffic
    • Has to be able to look into traffic, so ssl termination required
  • Shield
    • Standard: applies to CloudFront, ELB, and Route53, free and automatic
    • Advanced: Supports EC2, GA, etc.. $3000/m, minimum of 1 year.
a

Sec adjacent

  • Artifact
    • Stores compliance reports for aws services
  • Cognito
    • User management. Register users, or federate via an IDP with SAML/OIDC
a

Assorted sec services

  • Config: Realtime change monitoring in AWS
  • Macie: Scan for PII
  • GuardDuty: Anomaly detection
  • Inspector: Scan the contents of VMs, lambda, and Containers for vulnerabilities.
a

Questions?