AWS Security And Compliance

Cloud security, also known as cloud computing security, is a collection of security measures designed to protect cloud-based infrastructure, applications, and data. These measures ensure user and device authentication, data and resource access control, and privacy. AWS Compliance empowers customers to understand the robust rules AWS uses to maintain security and data protection in the AWS Cloud. When systems operate in the AWS Cloud, AWS and customers share compliance responsibilities.

Shared Responsibility on AWS

This shared model can help relieve the customer’s operational burden as AWS operates, manages, and controls the components from the host operating system and virtualization layer down to the physical security of the service’s facilities. As with any cloud service, there is a shared responsibility for security. The availability of data and workloads in a cloud service is also shared.

• AWS responsibility – Security of the Cloud
• Protecting infrastructure (hardware, software, facilities, and networking) that runs all the AWS services
• Managed services like S3, DynamoDB, RDS, etc. Performing automated backups of Amazon RDS instances is the responsibility of AWS, according to the AWS shared responsibility model.
• Customer responsibility – Security in the Cloud. Awareness and training along with Configuration management are shared under the AWS shared responsibility model.

The cost of application software licenses remains the direct responsibility of the customer; for example, an ecommerce company that has migrated its IT infrastructure from an on-premises data center to the AWS Cloud still pays for its own application software licenses.

• For EC2 instances, the customer is responsible for the management of the guest OS (including security patches and updates), firewall & network configuration, and IAM
• Encrypting application data
• Shared controls:
• Patch Management, Configuration Management, Awareness & Training

The customer is responsible for updating and patching an Amazon WorkSpaces virtual Windows desktop according to the AWS shared responsibility model. AWS has the responsibility to patch the host operating system of an Amazon EC2 instance, according to the AWS shared responsibility model.

If a company uses an Amazon RDS DB instance for an application deployed in the AWS Cloud and requires regular patching of the operating system of the server where the DB instance runs, it is the company’s responsibility to establish a regular maintenance window that tells AWS when to patch the DB instance operating system.

Resource configuration management and Employee awareness and training are shared controls that apply to both AWS and the customer, according to the AWS shared responsibility model. Suppose a company wants to migrate its on-premises Microsoft SQL Server database server to the AWS Cloud and the company has decided to use Amazon EC2 instances to run this database. In that case, Security patching of the guest operating system is the responsibility of the company according to the AWS shared responsibility model.

AWS Shield DDoS Protection

AWS Shield is a managed Distributed Denial of Service (DDoS) protection service that safeguards applications running on AWS. AWS Shield provides always-on detection and automatic inline mitigations that minimize application downtime and latency, so there is no need to engage AWS Support to benefit from DDoS protection.

• AWS Shield Standard: protects against DDoS attacks on your website and applications for all customers at no additional cost
• AWS Shield Advanced: 24/7 premium DDoS protection
• AWS WAF: Filter specific requests based on rules. AWS WAF contains built-in engines to protect web applications that run in the cloud from SQL injection attacks and cross-site scripting.
• CloudFront and Route 53:
• Availability protection using global edge network
• Combined with AWS Shield, provides attack mitigation at the edge
• Be ready to scale – leverage AWS Auto Scaling

AWS WAF Firewall

AWS WAF is a web application firewall that helps protect your web applications or APIs against common web exploits and bots that may affect availability, compromise security, or consume excessive resources. A WAF protects web applications by targeting Hypertext Transfer Protocol (HTTP) traffic. Targeting HTTP differs from a standard firewall, which provides a barrier between external and internal network traffic. A WAF sits between external users and web applications to analyze all HTTP communication. Amazon CloudFront and Amazon API Gateway can use AWS WAF to protect against common web exploitations.

• Protects your web applications from common web exploits (Layer 7)
• Layer 7 is HTTP (vs. Layer 4 is TCP)
• Deploy on Application Load Balancer, API Gateway, CloudFront
• Define Web ACL (Web Access Control List):
• Rules can include IP addresses, HTTP headers, HTTP body, or URI strings
• Protects from common attacks – SQL injection and Cross-Site Scripting (XSS)
• Size constraints, geo-match (block countries)
• Rate-based rules (to count occurrences of events) – for DDoS protection

For example, a retail company that has recently migrated its website to AWS, uses an Application Load Balancer to distribute traffic to multiple Amazon EC2 instances, and wants to ensure that it is protected from SQL injection attacks can use AWS WAF to create a custom rule that blocks SQL injection attacks.
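The rate-based rule above counts requests per source IP over a trailing five-minute window and blocks an IP once it exceeds the configured limit. The following is an added example, not AWS WAF code: a small simulation of that counting logic run over constructed access-log lines, with the 100-request limit and the log format chosen for the example.

```python
"""Simulation of AWS WAF rate-based rule semantics (per-IP request count over a
trailing 5-minute window). Added example, not AWS WAF code; the log format,
the limit and the sample traffic are constructed for this illustration."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)   # AWS WAF evaluates a trailing 5-minute window
LIMIT = 100                     # assumed rule limit (constructed for the example)


def parse_line(line):
    """Parse 'ISO8601 client_ip METHOD /uri' into (timestamp, ip, uri)."""
    ts, ip, _method, uri = line.split()
    return datetime.fromisoformat(ts), ip, uri


def evaluate(lines, limit=LIMIT, window=WINDOW):
    """Return {ip: timestamp of the first request the rule would block} for
    every source IP whose count inside any trailing window exceeds `limit`."""
    recent = defaultdict(deque)   # per-IP timestamps still inside the window
    blocked_at = {}
    for ts, ip, _uri in sorted(parse_line(l) for l in lines):
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:   # drop requests older than the window
            q.popleft()
        if len(q) > limit and ip not in blocked_at:
            blocked_at[ip] = ts
    return blocked_at


def make_sample_log():
    """Constructed access log: 203.0.113.10 bursts 150 requests in two minutes;
    198.51.100.7 sends 20 requests spread over ten minutes."""
    base = datetime(2024, 1, 1, 12, 0, 0)
    lines = []
    for i in range(150):
        t = base + timedelta(milliseconds=i * 800)
        lines.append(f"{t.isoformat()} 203.0.113.10 GET /login")
    for i in range(20):
        t = base + timedelta(seconds=i * 30)
        lines.append(f"{t.isoformat()} 198.51.100.7 GET /")
    return lines


if __name__ == "__main__":
    for ip, when in evaluate(make_sample_log()).items():
        print(f"block {ip} from {when.isoformat()} (exceeded {LIMIT} in {WINDOW})")
```

Only the bursting address trips the rule, at its 101st request; the slow client never accumulates more than a handful of requests inside any five-minute window.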

AWS KMS Managed Encryption Keys

AWS Key Management Service (KMS) gives you centralized control over the cryptographic keys used to protect data. The service is integrated with other AWS services making it easy to encrypt data you store in these services and control access to the keys that decrypt it. AWS KMS supports several types of KMS keys: symmetric encryption keys, symmetric HMAC keys, asymmetric encryption keys, and asymmetric signing keys. KMS keys differ because they contain different cryptographic key materials. AWS KMS is used to provide encryption for Amazon EBS.

• Anytime you hear “encryption” for an AWS service, it’s most likely KMS
• KMS = AWS manages the encryption keys for us
• Encryption Opt-in:
• EBS volumes: encrypt volumes
• S3 buckets: Server-side encryption of objects
• Redshift database: encryption of data
• RDS database: encryption of data
• EFS drives: encryption of data
• Encryption Automatically enabled:
• CloudTrail Logs – A company can use AWS CloudTrail logs with Amazon CloudWatch to report on events that involve the specific AWS services that the company uses.
• S3 Glacier
• Storage Gateway

AWS Key Management Service (AWS KMS) can be used to encrypt data at rest.

AWS CloudHSM Hardware Encryption

AWS CloudHSM lets you manage and access your keys on FIPS-validated hardware, protected with customer-owned, single-tenant HSM instances that run in your VPC. The difference between KMS and CloudHSM is that with CloudHSM you control your keys yourself. CloudHSM gives you a single-tenant, multi-AZ cluster that is exclusive to you. KMS is multi-tenant: it also uses HSMs internally, but those HSMs are shared across customer accounts, so they are not exclusive to you.

• KMS => AWS manages the software for encryption
• CloudHSM => AWS provisions encryption hardware
• Dedicated Hardware (HSM = Hardware Security Module)
• You manage your encryption keys entirely (not AWS)
• HSM device is tamper resistant, FIPS 140-2 Level 3 compliance

Encrypting data using AWS Key Management Service (AWS KMS) enhances a user’s security on AWS.

AWS Certificate Manager

AWS Certificate Manager (ACM) is a service that lets you efficiently provision, manage, and deploy public and private Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificates for use with AWS services and your internal connected resources. Certificate Manager lets you directly and programmatically request publicly-trusted TLS certificates in the root of trust stores used by major browsers, operating systems, and applications. You can use these TLS certificates to authenticate and encrypt internet traffic.

• Let you quickly provision, manage, and deploy SSL/TLS Certificates
• Used to provide in-flight encryption for websites (HTTPS)
• Supports both public and private TLS certificates
• Free of charge for public TLS certificates
• Automatic TLS certificate renewal
• Integrations with (load TLS certificates on):
• Elastic Load Balancers
• CloudFront Distributions
• APIs on API Gateway

AWS Certificate Manager (ACM) is the AWS Service that a company can use when it wants to secure its consumer web application by using SSL/TLS to encrypt traffic.

AWS Artifact Compliance Reports

AWS Artifact is a web service that lets you download AWS security and compliance documents such as ISO certifications and SOC reports. AWS Artifact provides on-demand downloads of AWS security and compliance documents, such as AWS ISO certifications, Payment Card Industry (PCI), and Service Organization Control (SOC) reports, so users can obtain security and compliance reports about the AWS infrastructure whenever they need them.

• Portal that provides customers with on-demand access to AWS compliance documentation and AWS agreements
• Artifact Reports – This allows you to download AWS security and compliance documents from third-party auditors, like AWS ISO certifications, Payment Card Industry (PCI), and System and Organization Control (SOC) reports
• Artifact Agreements – This allows you to review, accept, and track the status of AWS agreements such as the Business Associate Addendum (BAA) or the Health Insurance Portability and Accountability Act (HIPAA) for an individual account or in your organization
• Can be used to support internal audit or compliance

AWS Artifact provides AWS ISO certifications. A company building an application that uses AWS services and will be delivered to residents of European countries can use AWS Artifact to determine which AWS services abide by regional regulatory requirements.

AWS GuardDuty

Amazon GuardDuty is a threat detection service that continuously monitors hostile activity and unauthorized behavior to protect your AWS accounts, EC2 workloads, container applications, and data stored in Amazon Simple Storage Service (S3). Amazon GuardDuty Malware Protection adds file scanning for workloads utilizing Amazon Elastic Block Store (EBS) volumes to detect malware that can compromise resources, modify access permissions, and exfiltrate data.

• Intelligent Threat discovery to Protect AWS Account
• Uses Machine Learning algorithms, anomaly detection, 3rd party data
• One click to enable (30 days trial), no need to install software
• Input data includes:
• CloudTrail Events Logs – unusual API calls, unauthorized deployments
• CloudTrail Management Events – createVPCsubnet, createtrail
• CloudTrail S3 Data Events – getobject, listobjects, deleteobject

A company that needs an AWS service that will continuously monitor the company’s AWS account for suspicious activity and initiate automated actions against threats that are identified in the security findings should use Amazon GuardDuty.

• VPC Flow Logs – unusual internal traffic, unusual IP address
• DNS Logs – compromised EC2 instances sending encoded data within DNS queries
• Kubernetes Audit Logs – suspicious activities and potential EKS cluster compromises
• Can setup CloudWatch Event rules to be notified in case of findings
• CloudWatch Events rules can target AWS Lambda or SNS
• Can protect against cryptocurrency attacks

Amazon GuardDuty provides a company with threat detection on its AWS infrastructure, even when the company does not want to deploy additional software. Amazon GuardDuty monitors AWS accounts for security threats.
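The notes above describe wiring a CloudWatch Events (EventBridge) rule to GuardDuty findings with Lambda or SNS as the target. As an added example, not AWS or GuardDuty code, here is the rule pattern together with a Lambda handler that triages a finding by severity before paging an SNS topic; the sample finding, the severity thresholds and the topic ARN placeholder are constructed assumptions.

```python
"""Triage of a GuardDuty finding delivered by an EventBridge rule to Lambda.
Added example, not AWS code; the sample event, the thresholds and the SNS
topic ARN placeholder are constructed assumptions."""
import json

# Rule pattern matching GuardDuty findings. "source" and "detail-type" are the
# values GuardDuty emits; filtering on severity >= 4 is this example's choice.
EVENT_PATTERN = {
    "source": ["aws.guardduty"],
    "detail-type": ["GuardDuty Finding"],
    "detail": {"severity": [{"numeric": [">=", 4]}]},
}


def severity_label(score):
    """Map GuardDuty's numeric severity to its Low / Medium / High bands."""
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    return "Low"


def triage(event, min_severity=7.0):
    """Return an SNS-ready summary for findings at or above min_severity,
    or None when the finding should only be recorded, not paged."""
    if event.get("source") != "aws.guardduty":
        return None
    d = event["detail"]
    score = float(d.get("severity", 0))
    if score < min_severity:
        return None
    instance = d.get("resource", {}).get("instanceDetails", {}).get("instanceId", "n/a")
    return {
        "subject": f"[GuardDuty {severity_label(score)}] {d['type']}",
        "message": json.dumps({"account": d.get("accountId"), "region": d.get("region"),
                               "finding_id": d.get("id"), "instance": instance,
                               "title": d.get("title"), "severity": score}),
    }


# Constructed sample finding in the EventBridge envelope shape.
SAMPLE_EVENT = {
    "source": "aws.guardduty",
    "detail-type": "GuardDuty Finding",
    "detail": {"id": "example-finding-id", "accountId": "111122223333",
               "region": "us-east-1", "severity": 8.0,
               "type": "CryptoCurrency:EC2/BitcoinTool.B!DNS",
               "title": "EC2 instance queried a domain associated with Bitcoin mining.",
               "resource": {"instanceDetails": {"instanceId": "i-0123456789abcdef0"}}},
}


def lambda_handler(event, context):
    """Lambda target of the rule: publish to SNS only when triage says to page."""
    summary = triage(event)
    if summary is None:
        return {"paged": False}
    import boto3  # imported here so triage() stays testable without AWS access
    boto3.client("sns").publish(TopicArn="arn:aws:sns:REGION:ACCOUNT:TOPIC-PLACEHOLDER",
                                Subject=summary["subject"], Message=summary["message"])
    return {"paged": True}
```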

EC2 Inspector

Amazon Inspector is an automated security assessment service that helps improve the security and compliance of applications deployed on AWS. Amazon Inspector automatically assesses applications for exposure, vulnerabilities, and deviations from best practices. Amazon Inspector is an automated vulnerability management service that continually scans AWS workloads for software vulnerabilities and unintended network exposure.

• Automated Security Assessments
• For EC2 instances
• Leveraging the AWS Systems Manager (SSM) Agent
• Analyze against unintended network accessibility
• Analyze the running OS against known vulnerabilities
• For Containers pushed to Amazon ECR
• Assessment of containers as they are pushed
• Reporting & integration with AWS Security Hub
• Send findings to Amazon EventBridge

Amazon Inspector offers companies an automated security assessment report that will identify unintended network access to Amazon EC2 instances. The report also identifies operating system vulnerabilities on those instances. The date and time when an IAM user’s password was last used to sign in to the AWS Management Console and whether multi-factor authentication (MFA) has been enabled for an IAM user is found on an AWS Identity and Access Management (IAM) credential report.

AWS Config Tracking

AWS Config can track changes in the configuration of your AWS resources and regularly sends updated configuration details to an Amazon S3 bucket that you specify. For each resource type that AWS Config records, it sends a configuration history file every six hours. AWS Config sends email-friendly notifications about changes to your AWS resources. AWS Config allows you to turn on Amazon SNS notifications for changes to your AWS resources. AWS IAM Access Analyzer identifies whether an Amazon S3 bucket or an IAM role has been shared with an external entity.

• Helps with auditing and recording compliance of your AWS resources
• Helps record configurations and changes over time
• Possibility of storing the configuration data into S3 (analyzed by Athena)
• Questions that AWS Config can solve:
• Is there unrestricted SSH access to my security groups?
• Do my buckets have any public access?
• How has my ALB configuration changed over time?
• You can receive alerts (SNS notifications) for any changes
• AWS Config is a per-region service
• Can be aggregated across regions and accounts
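The first question in the list, unrestricted SSH access to a security group, is the kind of check a custom AWS Config rule answers. The following is an added example, not an AWS managed rule: a Lambda-backed rule that inspects the recorded security group configuration and reports COMPLIANT or NON_COMPLIANT; the sample configuration items are constructed.

```python
"""Custom AWS Config rule: is SSH (tcp/22) open to the whole internet?
Added example, not an AWS managed rule; the sample configuration items
OPEN_SG and SAFE_SG are constructed for this illustration."""
import json

SSH_PORT = 22
OPEN_V4, OPEN_V6 = "0.0.0.0/0", "::/0"


def rule_covers_ssh(perm):
    """True if an inbound permission includes TCP/22 (or all protocols)."""
    proto = perm.get("ipProtocol")
    if proto == "-1":          # "-1" means all traffic, every port
        return True
    if proto != "tcp":
        return False
    lo, hi = perm.get("fromPort", 0), perm.get("toPort", 65535)
    return lo <= SSH_PORT <= hi


def evaluate_security_group(configuration):
    """Return (compliance_type, annotation) for a security group's recorded
    configuration, flagging any SSH rule open to 0.0.0.0/0 or ::/0."""
    for perm in configuration.get("ipPermissions", []):
        if not rule_covers_ssh(perm):
            continue
        v4 = [r["cidrIp"] for r in perm.get("ipRanges", []) if r.get("cidrIp") == OPEN_V4]
        v6 = [r["cidrIpv6"] for r in perm.get("ipv6Ranges", []) if r.get("cidrIpv6") == OPEN_V6]
        if v4 or v6:
            return "NON_COMPLIANT", f"SSH (tcp/22) open to {', '.join(v4 + v6)}"
    return "COMPLIANT", "No rule exposes SSH to 0.0.0.0/0 or ::/0"


def lambda_handler(event, context):
    """Config rule entry point: evaluate the configuration item in the invoking
    event and report the result with put_evaluations (only runs inside Lambda)."""
    item = json.loads(event["invokingEvent"])["configurationItem"]
    if item["resourceType"] != "AWS::EC2::SecurityGroup":
        return "NOT_APPLICABLE"
    compliance, note = evaluate_security_group(item["configuration"])
    import boto3  # imported here so the evaluation logic stays testable offline
    boto3.client("config").put_evaluations(
        Evaluations=[{"ComplianceResourceType": item["resourceType"],
                      "ComplianceResourceId": item["resourceId"],
                      "ComplianceType": compliance, "Annotation": note,
                      "OrderingTimestamp": item["configurationItemCaptureTime"]}],
        ResultToken=event["resultToken"])
    return compliance


# Constructed configuration items: one open to the world, one restricted.
OPEN_SG = {"ipPermissions": [{"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
                              "ipRanges": [{"cidrIp": "0.0.0.0/0"}], "ipv6Ranges": []}]}
SAFE_SG = {"ipPermissions": [{"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
                              "ipRanges": [{"cidrIp": "10.0.0.0/8"}], "ipv6Ranges": []}]}
```

A port range such as tcp/20-25 or an all-traffic ("-1") rule is treated as covering SSH, so the check is not fooled by rules that do not name port 22 explicitly.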

A company can use AWS Systems Manager Session Manager to improve its security and audit posture by limiting Amazon EC2 inbound access instead of accessing instances remotely by opening inbound SSH ports and managing SSH keys.

AWS Macie S3 Bucket Inspection

Amazon Macie is a fully managed data security and privacy service that uses machine learning and pattern matching to discover and protect your sensitive data in AWS. Amazon Macie is a security service that uses machine learning to automatically find, classify and protect sensitive data in the Amazon Web Services (AWS) Cloud. It only supports Amazon Simple Storage Service (Amazon S3), but more AWS data stores are coming.

• Macie helps identify and alert you to sensitive data, such as personally identifiable information (PII)

Amazon Macie uses machine learning to help discover, monitor, and protect sensitive data that is stored in Amazon S3 buckets.

AWS CloudTrail API Call Tracking

AWS CloudTrail enables auditing, security monitoring, and operational troubleshooting by tracking user activity and API usage. CloudTrail logs, continuously monitors, and retains account activity related to actions across your AWS infrastructure, giving you control over storage, analysis, and remediation actions.

AWS Security Hub

AWS Security Hub is a cloud security service that performs security best practice checks, aggregates alerts, and enables automated remediation. AWS Security Hub aggregates and prioritizes your findings from multiple AWS services and AWS Partner solutions, allowing you to assess the security posture across your AWS accounts quickly.

• Central security tool to manage security across several AWS accounts and automate security checks
• Integrated dashboards showing current security and compliance status to take action quickly
• Automatically aggregates alerts in predefined or personal findings formats from various AWS services & AWS partner tools:
• GuardDuty
• Inspector
• Macie
• IAM Access Analyzer
• AWS Systems Manager
• AWS Firewall Manager
• AWS Partner Network Solutions
• Must first enable the AWS Config Service

Amazon Detective

Amazon Detective automatically collects log data from your AWS resources and uses machine learning, statistical analysis, and graph theory to build a linked set of data that enables you to conduct faster and more accurate security investigations.

• GuardDuty, Macie, and Security Hub are used to identify potential security issues or findings. Amazon Macie can identify personally identifiable information (PII), such as credit card numbers, from data that is stored in Amazon S3.
• Sometimes, security findings require deeper analysis to isolate the root cause and take action – it’s a complex process
• Amazon Detective analyzes, investigates, and quickly identifies the root cause of security issues or suspicious activities (using ML and graphs)
• Automatically collects and processes events from VPC Flow Logs, CloudTrail, and GuardDuty and creates a unified view

AWS Abuse

AWS Abuse addresses many different types of potentially abusive activity like phishing, malware, spam, and denial of service (DoS)/ distributed denial of service (DDoS) incidents. When abuse happens, customers are alerted so they can take the necessary remediation action.

• Spam – receiving undesired emails from AWS-owned IP addresses, websites & forums spammed by AWS resources
• Port scanning – sending packets to your ports to discover the unsecured ones
• DoS or DDoS attacks – AWS-owned IP addresses attempting to overwhelm or crash your servers/software
• Intrusion attempts – attempts to log in to your resources
• Hosting objectionable or copyrighted content – distributing illegal or copyrighted content without consent
• Distributing malware – AWS resources distributing software to harm computers or machines

If a company discovered unauthorized access to resources in its on-premises data center and found that the requests originated from a resource hosted on AWS, they should contact the AWS Abuse team to report this issue.

AWS Root User

When you first create an Amazon Web Services (AWS) account, you begin with one identity that has complete access to all AWS services and resources in the account. This identity is called the AWS account root user. You can sign in as the root user using the email address and password you used to create the account.

• Root user = Account Owner (created when the account is created)
• Has complete access to all AWS services and resources
• Lock away your AWS account root user access keys!
• Do not use the root account for everyday tasks, even administrative tasks

• Actions that can be performed only by the root user:
• Change account settings (account name, email address, root user password, root user access keys)
• View specific tax invoices
• Close your AWS account
• Restore IAM user permissions
• Change or cancel your AWS Support plan
• Register as a seller in the Reserved Instance Marketplace
• Configure an Amazon S3 bucket to enable MFA
• Edit or delete an Amazon S3 bucket policy that includes an invalid VPC ID or VPC endpoint ID
• Sign up for GovCloud

When a company wants to migrate to AWS and keep using the same security software it uses on premises, security software vendors can offer their software as a service on AWS through the AWS Marketplace.