Danny Chan for AWS Community Builders

Posted on Jan 28

Comprehensive re:Cap security practice on AWS

#security #awssecurity #aws #cloudsecurity

What is the Security Hub & AWS Partner solution?
What is Amazon Inspector?
How to apply delegated Administration on AWS?
GuardDuty Account Architecture
Overflow of enabled GuardDuty
Policy-as-Code
Best Practices Against Ransomware
Why is Infrastructure as Code (IaC) Needed?
How to set up limited access on AWS?
How to collect, store, and protect logs?
Monitor, detect, and react
IDS & IPS
Server-side Request Forgery (SSRF)
Cross-Site Scripting (XSS)
What is a Whaling attack?
Cloud Security Posture Management (CSPM)
Reference

What is the Security Hub & AWS Partner solution?

Security Hub

A centralized hub for your security alerts and compliance status across your AWS accounts.
Collects security findings from multiple AWS services like GuardDuty, Inspector, and Macie.
Also collects findings from AWS partner solutions.

Benefits of Security Hub

Pulls together security findings from AWS and third-party sources.
Allows you to apply industry and government standards/controls.
Automates alerts and remediations.
Enables you to set up and manage rules yourself.
Automatically centralizes data during an investigation.
Provides visualization through dashboards and investigation timelines.

Foundational Technical Review (FTR)

is an examination conducted by AWS to assess the performance of a solution offered by an AWS Partner.

To become an AWS Partner, the following requirements must be met:

Submission of an automatically generated security report.
Completion of a self-assessment form.

There are various AWS Partner Network (APN) programs available, including:

AWS Competency Program.
AWS Service Ready Program.

What is Amazon Inspector?

It is an automated and continuous vulnerability management tool.
It focuses on identifying software vulnerabilities and unintended network exposures.
Amazon Inspector automates security scans and assessments for software vulnerabilities.
It can be enabled at the AWS Organization level for multi-account management.
It provides automated discovery and continuous scanning capabilities.
It can work in conjunction with Patch Manager in AWS Systems Manager.
It supports the deployment of new instances with patches in immutable environments.

How to apply delegated Administration on AWS?

1 Landing Zone

Establish a well-architected, multi-account AWS environment.
It serves as a starting point for implementing identity and access management, data security, network design, and logging.
Allows for the quick and secure launch of applications.
Account Factory utilize templated account vending by environment.
Isolate resources and workloads into multiple AWS accounts.

Benefits:

Reduces the scope of impact.
Examples include data isolation, limit allocation, and billing.

Security controls:

Implement preventative measures such as Service Control Policies (SCPs).
Employ detective controls like AWS Config for continuous monitoring.
Utilize proactive measures like CloudFormation hooks.

Real-world example:

Different applications may have varying security profiles, such as Payment Card Industry (PCI) compliance for payment systems.

2 AWS Control Tower

Multi-account:

It enables the governance of a secure multi-account AWS environment.
It incorporates multi-account best practices and centralizes identity and access management.
It provides prescriptive blueprints that simplify multi-account compliance governance.
Cross-account security audits can be conducted using AWS Identity and Access Management (IAM) and AWS IAM Identity Center.
The Account Factory feature facilitates the provisioning of new accounts.

Compliance:

AWS Control Tower offers AWS-provided guardrails and compliance policies.
It establishes pre-configured governance rules for security.

Centralization:

It provides a central dashboard for monitoring and compliance status.
AWS Control Tower centralizes logging from AWS CloudTrail and AWS Config.

Automation:

It automates account provisioning with consistent baseline configuration.
It automates the creation of a well-architected AWS multi-account framework.
It automates new account provisioning within the organization.

3 Guardrails

Guardrails are pre-configured and prescriptive governance rules.
They are designed to enforce and detect compliance in a multi-account environment.

To utilize guardrails:

Associate a guardrail with the Organizational Unit (OU).
Detect any violations of the guardrail.
Take measures to mitigate the identified issues.
Analyze the configuration to ensure compliance.
Maintain a compliance history for reference.

4 Protective Guardrails

Least privilege access:
Service - IAM roles and policies.

Root users and IAM users with administrative privileges:
Service - MFA.

Monitor environments for security and remediation actions:
Service - AWS Config.

Prevent unwanted actions, restrict access:
Service - AWS Organizations and control policies (SCPs).

Restrict network traffic:
Service - VPC security groups, network ACLs.

Centrally log and monitor activity to detect anomalies:
Services - AWS CloudTrail, CloudWatch, GuardDuty.

Allowlist approved IP addresses/ranges:
Services - AWS WAF, S3 bucket policies.

Protect data at rest:
Services - KMS and EBS encryption for S3, EBS, and snapshots.

Control access to APIs:
Service - Lambda authorizer functions with API Gateway.

5 Detective Guardrails

Detecting issues and providing alerts/insights to facilitate remediation.
Preventing non-compliant actions from occurring in the first place.
Enforcing policies to ensure alignment with compliance standards and governance.
Implementing preventative measures using service control policies and IAM permissions boundaries.
Detecting policy violations and compliance issues, and generating alerts for them.

Services:

These guardrails are implemented using AWS Config Rules and AWS Lambda functions.
The relevant services for these guardrails include AWS Config, AWS Security Hub, Amazon GuardDuty, AWS Trusted Advisor, and Amazon Inspector.

6 Examples of Control Tower Guardrails

Disallow the creation of access keys for the root user.
Disallow internet connection through Remote Desktop Protocol (RDP).
Disallow public write access to S3 buckets.
Disallow Amazon Elastic Block Store (Amazon EBS) volumes.

7 Amazon GuardDuty:

Utilizes machine learning and intelligence for threat detection.
Continuously monitors for malicious or unauthorized activity across AWS accounts.
Provides effective monitoring capabilities.
Monitors AWS Control Tower managed environments using GuardDuty.
Monitors workload for malicious activity and unauthorized behavior.
Utilizes machine learning and integrated threat intelligence to identify abnormal behavior and suspected attackers.
Utilizes AWS CloudTrail, Amazon Virtual Private Cloud (VPC) Flow logs, and Domain Name System (DNS) logs.

8 GuardDuty Delegated Administrator:

Enabled in an AWS organization.
The organization's management account acts as the GuardDuty "delegated administrator" account.
Manages multiple GuardDuty accounts in an AWS Organization.
Includes existing AWS Control Tower accounts as GuardDuty members of the GuardDuty administrator in the same region.

9 AWS Service Catalog:

Account Factory Customization (AFC) is a feature of AWS Control Tower.

10 AWS Config

AWS Config continuously monitors and records the configurations of AWS resources.
It captures configuration details, including relationships between resources.
It assesses how configuration changes impact resources and checks for compliance.
AWS Config allows auditing of resource configurations to detect drift from desired configurations.
It records configuration history, enabling the checking of past configurations of resources.

11 AWS Config Rule

AWS Config rules specify how AWS resources should be configured.
They evaluate configurations and check for any compliance or drift issues.
When a non-compliant resource is detected, AWS Config sends notifications.
AWS Config rules automate the monitoring of resource configurations and compliance.

Example:
S3 bucket policy can have the "Block Public Access" setting applied at the account level or bucket level.

GuardDuty Account Architecture

Master account:

Utilizes Service Control Policies (SCPs) and AWS Single Sign-On (SSO).
The delegated GuardDuty administrator account serves as the AWS Control Tower audit account.

Log archive account:

Uses S3 to store CloudTrail and AWS Config logs.

Audit account:

Receives security and compliance notifications from Amazon CloudWatch Events, AWS CloudTrail, and AWS Config.
Control Tower utilizes Amazon Simple Notification Service (SNS) to send alerts via email.
Contains findings from all member accounts in all Regions.

Overflow of enabled GuardDuty

Step 1:
All AWS accounts in the AWS Control Tower environment are added as members of the GuardDuty administrator account, with GuardDuty enabled automatically in each member account.

Step 2:
The auto-enable setting is turned on in the GuardDuty administrator account to automate the addition of new AWS Control Tower accounts as members.

Step 3:
A S3 bucket is created in the AWS Control Tower log archive account.
A customer-managed KMS key is established in the GuardDuty management account in the same Region.
Member accounts encrypt their data using this KMS key before sending it to the S3 bucket.

Policy-as-Code

Guardrails, also known as Policy-as-Code, can be implemented using tools such as AWS CloudFormation Guard.

Benefits:

Compliance administrators can define rules using a policy-as-code language.
CloudFormation templates can be validated against these rules.

Preventative Controls:

Ensure S3 Block Public Access is used.
Configure server-side encryption for S3 buckets.
Utilize AWS managed keys for encryption of data in S3 buckets.
Enforce HTTPS(TLS) connections only when reading or writing data using a bucket policy.
Enforce server-side encryption during object puts/writes to the bucket using a bucket policy.
Ensure automatic rotation of the AWS KMS key used with the S3 bucket.
Do not allow cross-account key access in the AWS KMS key policy.

Detective Controls:

Use Cloud Control API, AWS Config, and cfn-guard (AWS CloudFormation Guard) to validate deployed workloads against cfn-guard policies.
Cloud Control API standardizes AWS application programming interfaces (APIs).

Responsive Controls:

Utilize AWS Systems Manager and AWS Config to remediate non-compliant resources as they are detected.

Tool 1

Open Policy Agent (OPA):
Developed by Fugue.
Regula is a command-line tool that uses OPA's Rego language to evaluate rules.
Can be integrated into CI/CD pipelines such as GitHub Actions, GitLab CI/CD, and Bitbucket Pipelines.

Tool 2

cfn-guard and checkov:
Used for validating AWS CDK and CloudFormation templates in a CI/CD pipeline.

Tool 3

CFN Lint
Used to validate AWS CloudFormation YAML/JSON templates.

Best Practices Against Ransomware

Identity Management:

Identity and Access Management (IAM):

Grant IAM users and roles the minimum required permissions.

Key Management Service (KMS):

Encrypt data at rest and in transit.
IAM User:
Enforce strong password policies or Multi-Factor Authentication (MFA).

Security Posture Management

Amazon Inspector:

Detects newly launched instances, Lambdas, and container images on Elastic Container Registry (ECR).
Continuously scans AWS workloads to identify potential security issues.
Scans for unintended network access.
Utilize open-source products such as OWASP Dependency-Check, Snyk, and OpenVAS.

AWS Security Hub:

A centralized hub for security state and vulnerability management across AWS accounts.
Integrates data from Inspector and Patch Manager.

Amazon GuardDuty:

Monitors for unusual and potentially unauthorized activity.
Detects potential vulnerabilities or exploits.

Amazon Macie:

Helps protect data stored in S3 buckets by discovering and classifying sensitive data like Personally Identifiable Information (PII).
Can alert on buckets that are publicly accessible.

Patch Software Vulnerabilities:

AWS Systems Manager Patch Manager:

Automates the process of patching managed instances.
Defines patch baselines that specify which patches should be installed.

Codebase

Amazon CodeGuru:

Scans code and provides recommendations for remediating common security issues.
Apply OWASP Foundation Source Code Analysis Tools (SAST tools).

Network Security

AWS Network Firewall:

Provides stateful firewalling at the network level.
Offers intrusion detection and network security controls.
Allows centralized configuration and application of security policies across VPCs.
Supports Suricata-based Intrusion Prevention System (IPS) rules.

AWS Network Firewall Flow Logs:

Monitors network traffic and provides visibility into traffic flowing into and out of VPCs, subnets, and network interfaces.

Amazon VPC Security Groups:

Control traffic at the instance level.

Amazon GuardDuty:

Provides threat detection and monitors for unusual traffic patterns, malicious activity, and unauthorized access.
Automatically triggers blocking rules in response to detected threats.

AWS Shield Advanced:

Blocks malicious traffic.
Filters out known bad IP addresses and requests.

Network Security Cases

Case 1: Blocking Malicious Traffic

AWS Shield Advanced, AWS WAF, and AWS Network Firewall rules can be used to filter out known bad IP addresses and requests.
GuardDuty can automatically trigger blocking rules in response to detected threats.

Case 2: Intrusion Detection

AWS Network Firewall supports Suricata-based IPS rules for intrusion detection.
GuardDuty monitors for unusual traffic patterns of malicious activity.

Case 3: Firewall Capabilities

Network Firewall provides stateful firewalling at the network level.
Security Groups control traffic at the instance level.

Backup:

Back up data to a location separate from the production environment.
Identify critical data (customer, financial records, source code repositories).
Store data in different AWS accounts/regions or on-premises storage.
Utilize Amazon S3 for object storage backups.
Take Amazon EBS snapshots for database/file system backups.
Use AWS Storage Gateway for on-premises backups.
Encrypt data at rest using SSE-S3 on S3 and EBS encryption.
Configure automated, scheduled backups using AWS Backup.
Verify backup integrity by periodically testing restore processes.
Enforce strict access controls through IAM policies to retrieve backup data.
Consider offsite/offline backups for disaster recovery.
Retain multiple backup copies based on recovery point and time objectives (RPO/RTO).

Restore and Data Recovery Plan

Use AWS Backup to create a restore testing plan.
Specify the recovery points, source backups, and frequency of restore testing.
Trigger restore jobs based on the configured schedule.
Restore selected recovery points to a predefined S3 bucket for testing.
Validate that the backed-up data can be successfully recovered.
Monitor the status of restore jobs via CloudWatch.

Security Incident Response Plan

Use redeployment mechanisms to address misconfigurations by redeploying resources with the proper configurations.
Automate response mechanisms wherever possible to programmatically respond to common events.
Choose scalable solutions to ensure the scalability of your organization's approach to cloud computing.

Address incidents in the Service domain

Check configurations and resource permissions before deployment.
Infrastructure domain: Utilize digital forensics/incident response (DFIR) tooling to acquire incident-related data for forensic analysis.

Address incidents in the Application domain:

Employ cloud threat detection and response playbooks to prevent incidents related to application code or software deployed to services.

Why is Infrastructure as Code (IaC) Needed?

IaC, such as CloudFormation and Terraform, is necessary because most vulnerabilities relate to misconfiguration rules.
Terraform has built-in misconfiguration detection.
It enables risk monitoring of asset vulnerabilities and cloud infrastructure misconfigurations.

How to set up limited access on AWS?

AWS Users:
These are identities within an AWS account and are provided with unique credentials to access AWS services.

Credentials:
Each user is assigned an access key ID and secret access key to authenticate AWS API requests.

Groups:
Groups are containers for managing multiple users and applying common policies.

Roles:
Roles define a set of permissions that can be assumed by entities such as users and AWS services.

Policies:
Policies are JSON documents that define permissions and can be attached to users, groups, and roles.

Methods:

Apply policies to groups and roles.
Use federated SSO to grant individual access to AWS through an existing SSO solution.
Regularly rotate access keys.
Delete unused credentials.
Use temporary security credentials (STS).

How to collect, store, and protect logs?

Collect 1: CloudTrail

CloudTrail provides auditing, monitoring, and governance of AWS account activity. It records and stores API call activity and related events, providing visibility into user and resource activity.

Benefit:
Create a trail for all regions and send all your logs to an S3 bucket to allow your trail to show activity from every AWS region.

Collect 2: VPC Flow Logs

VPC Flow Logs show data on the IP traffic going to and from the network interfaces in your virtual private cloud (VPC).

Benefit:
VPC Flow Logs can help identify intra-VPC port scanning, network traffic anomalies, and known malicious IP addresses.

Store: AWS Route 53

AWS Route 53 is a highly available domain name system (DNS) web service that allows you to control the routing of internet traffic to your domain names. It is used for registering domain names, configuring DNS settings, and resolving domain names to IP addresses.

Benefit:
Route 53 can log DNS queries for auditing purposes.

Protect: Encrypt log files with SSE-KMS

(Server-Side Encryption with AWS Key Management Service) is a data encryption feature that protects data at rest. It uses the AWS Key Management Service (KMS) to generate and manage encryption keys, ensuring data security and compliance.

Benefit:
Encrypting log files with SSE-KMS provides an additional level of defense by enabling server-side encryption.

Monitor, detect, and react

CloudWatch alarms

Set up CloudWatch alarms to send an email to the team if the system has unauthorized API calls or VPC changes.

Benefit:
The team can immediately react to the identified risks.

GuardDuty

GuardDuty uses CloudTrail, VPC Flow Logs, and DNS logs to detect and alert suspicious behavior.

Benefit:
GuardDuty helps monitor security at all network levels.

Security Information and Event Management (SIEM)

SIEM provides real-time monitoring, correlation, and analysis of security events and logs from various sources to identify and respond to security incidents and threats. It can detect and investigate security events and generate alerts.

File Integrity Monitoring (FIM)

FIM is a security practice that involves monitoring and detecting unauthorized changes. It compares the current state of files (permissions, size, and checksums) against a known baseline to identify any modifications, deletions, or additions. FIM can indicate potential security breaches or unauthorized activities.

IDS & IPS

What is a Virtual Patch?

A Virtual Patch proactively repairs the part of the code that causes the vulnerability patching.
Virtual Patching started with IPS (Intrusion Prevention System) Vendors.
It helps prevent malicious payloads from accessing the vulnerable system.

Intrusion Detection Systems (IDS)

IDS monitors networks and systems for malicious activity or policy violations.

Intrusion Prevention Systems (IPS)

IPS is placed behind firewalls and provides an additional layer of security.
It scans and analyzes suspicious content for potential threats.

Benefits of IDS and IPS

IDS and IPS alert administrators of possible incidents.
They report activity to systems administrators and event management (SIEM) systems.

Protection Against Attacks

Dropping malicious packets.
Blocking traffic from the source address.
Resetting the connection.

Detecting Vulnerabilities

Host Intrusion Detection Systems monitor inbound and outbound packets.

Industry Standards for Security Controls

Center for Internet Security (CIS) Controls.
SANS Critical Security Controls (SANS Top 20).
NIST, ISO 27001, NERC CIP, or IEC 62443.

Server-side Request Forgery (SSRF)

SSRF allows an attacker to cause the server-side application to make requests to an unintended location.
It is a web application vulnerability that can allow unauthorized access to sensitive resources by manipulating the target server to send a crafted request.
It can bypass security controls.

Protection Against SSRF

Validate user input.
Limit the scope of what a server can access.
Use the Security Token Service (STS) AssumeRole API to provide temporary security credentials and limit actions and resources.
Use VPC endpoints to access services over the Amazon private network, preventing external access.
Implement a Web Application Firewall (WAF) to block suspicious web requests, such as those containing suspicious patterns or injected payloads.
Apply a firewall to AWS CloudFront, Elastic Load Balancing, or Amazon API Gateway.
Keep software up to date.

Cross-Site Scripting (XSS)

XSS is a system vulnerability that allows an attacker to inject malicious scripts.
It occurs due to a lack of proper input validation and sanitization in code.
Types of XSS include stored XSS, reflected XSS, DOM-based XSS, and phishing-based XSS.

Protection Against XSS

Prevention of XSS

Implement Content Security Policy (CSP) using security libraries and frameworks like OWASP ESAPI and Spring Security.
Use AWS Web Application Firewall (WAF) to create rules that block XSS attack patterns.
Utilize AWS Shield for protection against DDoS attacks, XSS, and SQL injection.

Web Application Firewall (WAF)

WAF covers SQL Injection, XSS, and OWASP Top 10 vulnerabilities.
It applies rules to filter web traffic based on conditions, including IP addresses.
It provides an additional layer of protection from web attacks and blocks common web exploits.

Virtual Private Cloud (Amazon VPC) Security Groups

Security groups allow control of network access.
They enable adding rules that control inbound and outbound traffic.

What is a Whaling attack?

It is a phishing attack that targets high-profile or senior individuals, such as CEOs.
The goal is to deceive the target into sharing sensitive information or performing actions like transferring money.
The attacker impersonates trusted contacts of the target through spoofed emails.
They may use urgent requests for wire transfers or password resets.
It is a social engineering attack that relies on deceiving users.

Cloud Security Posture Management (CSPM)

CSPM involves continuously monitoring and managing the security posture of cloud environments.
It assesses, identifies, and remediates security risks and misconfigurations.
CSPM can automatically fix misconfigurations as soon as they are detected.
It flags issues before anything is deployed and ensures compliance with security best practices.
It observes cloud configurations against security policies and baselines to identify vulnerabilities.
CSPM generates reports and alerts to notify security teams.

Benefits of CSPM

Unifying AWS with on-premises security.
Enhancing the organization's cybersecurity posture.
Consolidating security data in one set of tools.
Automating the deployment of new AWS infrastructure ensures compliance with the baseline.
It automatically flags or terminates infrastructure that is not in compliance.