AWS Security Services

Services that provide DDOS Protection on AWS

 

AWS Shield Standard, free of charge, is activated by default

 

AWS Shield Advanced – 24×7 premium protetion, fee charged and access to AWS DRP DDOS Response Team v expensive about 3000 USD per month.

 

AWS WAF filters specific requests based on rules – layer 7 http – for app load balancer, api gateway and CloudFront
you can define web acl : geo block, ip address blocks, sql injection etc

 

 

CloudFront and Route 53: uses global edge network, combined with Shield can provide attack mitigation at the edge

 

You can utilize AWS AutoScaling to leverage up if there is an attack.

 

You get full DDOS protection by combining Shield, WAF, CloudFront and Route53.

 

 

Penetration testing can be carried out by customers for 8 services eg EC2, RDS, CF etc – you don’t need any authorization to do this but you cannot do simulated ddos attacks on your system or dns zone walking on route 53, nor flooding tests

 

important note:
for any other simulated attacks, contact aws first, to check, otherwise it is not authorized – and could be seen as an infrastructure attack on aws!  

 

AWS Inspector:

 

chargable, first 15 days free. not cheap. cost per instance or image scanned.

 

does automated security assessments, eg for EC2

 

sends reports to security hub and event bridge

 

leverages the System Manager SSM agent

 

for Containers pushing to ECR –  assesses containers as they are moved to ECR

 

it is ONLY for EC2 and container infra. But only done when needed.

 

checks packages against CVE – package vulnerability scan

 

also does network reachability for EC2

 

that is all.

 

 

Logging on AWS – quick overview

 

aws services generate a wide range of logs

 

cloudtrail trails, config rules, cw logs vpc flow logs, elb access logs cloud front logs, waf logs,

 

 

exam question!
LOGS can be analyzed using AWS Athena if stored on S3.

 

you should encrypt logs stored on S3 and control the access to them by deploying iam and bucket policies plus mfa.

and always remember:
don’t log a server that is logging! otherwise you create an endless logging loop!

 

and move logs to glacier for cost saving

 

and also use glacier vault which locks the logs so they cant be tampered with.

 

 

AWS Guard Duty

 

this uses intelligent threat discovery and ML learning to detect

 

no need to install any software, works in the backend, only need to activate, but it chargeable
esp analyses cloudtrail, vpc flow logs, dns logs, kubernetes audit logs, looks for unusual api calls etc

you can set up cloudwatch events rules to connect to labda or sns

exam q
also can protect against cryptocurrency attacks, has a dedicated function for it. – comes up in exam

 

 

AWS Macie

a fully managed data security and data privacy service which uses ML pattern matching to protect your data

 

helps identify and alert esp re PII – personal identifiable information

 

can notify event bridge

 

 

 

AWS Trusted Advisor – only need to know overview for the exam

 

no need to install, is a service

 

core checks and recommendations — available for all customers, these are free

 

can send you a weekly email notification

 

full trusted advisor for business and enterprise – fee based
and can then create cloudwatch alarms or use apis

 

cost optimization

 

looks for underutilized resources – but cost optimizn is not in the free core checks, so you need to upgrade for this.

 

performance

ec2s ebs cloud front

 

security

 

mfa security used or not, iam key rotation etc, exposed access keys
s3 bucket permissions, security group issues, esp unrestricted ports

 

fault tolerance — eg abs snapshot age,

service limits