Tags Archives: Trusted Advisor

AWS Security Services

Services that provide DDoS protection on AWS

AWS Shield Standard: free of charge, activated by default.

AWS Shield Advanced: 24x7 premium protection, fee charged, with access to the AWS DDoS Response Team (DRT). Very expensive, about 3000 USD per month.

 

AWS WAF filters specific requests based on rules – layer 7 (HTTP) – for Application Load Balancer, API Gateway and CloudFront.
You can define a web ACL: geo blocking, IP address blocks, SQL injection rules, etc.

CloudFront and Route 53: use the global edge network; combined with Shield they can provide attack mitigation at the edge.

You can use AWS Auto Scaling to scale out if there is an attack.

You get full DDoS protection by combining Shield, WAF, CloudFront and Route 53.

 

 

Penetration testing can be carried out by customers for 8 services, e.g. EC2, RDS, CF, etc. – you don't need any authorization to do this, but you cannot run simulated DDoS attacks on your system, DNS zone walking on Route 53, or flooding tests.

important note:
for any other simulated attacks, contact AWS first to check, otherwise it is not authorized – and could be seen as an infrastructure attack on AWS!

 

AWS Inspector:

chargeable, first 15 days free. Not cheap: cost per instance or image scanned.

does automated security assessments, e.g. for EC2

sends reports to Security Hub and EventBridge

leverages the Systems Manager (SSM) agent

for containers pushed to ECR – assesses container images as they are pushed to ECR

it is ONLY for EC2 and container infra. But only done when needed.

checks packages against CVEs – package vulnerability scan

also does network reachability analysis for EC2

that is all.

 

 

Logging on AWS – quick overview

AWS services generate a wide range of logs:

CloudTrail trails, Config rules, CloudWatch Logs, VPC Flow Logs, ELB access logs, CloudFront logs, WAF logs.

exam question!
Logs can be analyzed using AWS Athena if stored on S3.

You should encrypt logs stored on S3 and control access to them with IAM and bucket policies plus MFA.

and always remember:
don't log a server that is logging! Otherwise you create an endless logging loop!

Move logs to Glacier for cost saving.

Also use Glacier Vault Lock, which locks the logs so they can't be tampered with.

 

 

AWS GuardDuty

this uses intelligent threat discovery and machine learning to detect threats

no need to install any software, works in the backend, only need to activate it, but it is chargeable
esp. analyses CloudTrail, VPC Flow Logs, DNS logs and Kubernetes audit logs; looks for unusual API calls etc.

you can set up CloudWatch Events (EventBridge) rules to connect to Lambda or SNS

exam q
also can protect against cryptocurrency attacks, has dedicated detection for it – comes up in the exam

 

 

AWS Macie

a fully managed data security and data privacy service which uses ML and pattern matching to protect your data

helps identify and alert on PII – personally identifiable information

can notify EventBridge

 

 

 

AWS Trusted Advisor – only need to know the overview for the exam

no need to install anything, it is a service

core checks and recommendations – available for all customers, these are free

can send you a weekly email notification

full Trusted Advisor for Business and Enterprise support – fee based
and can then create CloudWatch alarms or use the APIs

cost optimization

looks for underutilized resources – but cost optimization is not in the free core checks, so you need to upgrade for this.

performance

EC2, EBS, CloudFront

security

MFA used or not, IAM key rotation etc., exposed access keys
S3 bucket permissions, security group issues, esp. unrestricted ports

fault tolerance – e.g. EBS snapshot age

service limits


AWS Additional Monitoring Tools

 

AWS Config

 

 

AWS Config is a fully managed change management solution within AWS. It allows you to track the change history of individual resources and configure notifications when a resource changes.

 

This is achieved by means of config rules. A config rule represents the desired state that the resource should be in.

 

Config rules allow you to monitor for systems that fall outside of your set baselines and identify which changes caused the system to fall out of compliance with the baseline. AWS Config is enabled on a per-region basis, so you need to enable it for every region in which you want to use it.

 

Bear in mind that AWS Config is a monitoring tool and does not actually enforce baselines, nor does it prevent a user from making changes that cause a resource to move out of compliance.

 

AWS Config enables you to capture the configuration history for your AWS resources, maintain a resource inventory, audit and evaluate changes in resource configuration, and enable security and governance by integrating notifications with these changes. You can use it to discover AWS resources in your account, continuously monitor resource configuration against desired resource configuration, and check the configuration details for a resource at a given point in time.

 

AWS Config is used to assess compliance according to your own internal guidelines for maintaining resource configurations, as well as enabling compliance auditing, security analysis, resource change tracking, and assisting with operational troubleshooting.
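A custom Config rule is the usual way to express a baseline like "no security group may expose sensitive ports to the internet" (the same condition the Trusted Advisor security check flags). The Lambda below is an added example, not code from the page or from AWS; it assumes the configuration-item field names Config records for AWS::EC2::SecurityGroup, uses a constructed sample item with placeholder ids, and reports the verdict with the real `PutEvaluations` API.

```python
import json

# Ports treated as sensitive when open to the whole internet (constructed baseline).
SENSITIVE_PORTS = {22, 3389, 3306, 5432}
WORLD = {"0.0.0.0/0", "::/0"}

# Constructed configuration item in the shape Config records for an
# AWS::EC2::SecurityGroup (assumed field names; placeholder ids).
SAMPLE_ITEM = {
    "resourceType": "AWS::EC2::SecurityGroup",
    "resourceId": "sg-0123456789abcdef0",
    "configurationItemCaptureTime": "2024-01-01T00:00:00.000Z",
    "configuration": {"ipPermissions": [
        {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22, "ipRanges": ["0.0.0.0/0"]},
        {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443, "ipRanges": ["10.0.0.0/8"]},
    ]},
}

def unrestricted_ports(configuration):
    """Sorted sensitive ports that ingress rules open to 0.0.0.0/0 or ::/0.
    Range entries may be plain CIDR strings or {"cidrIp"/"cidrIpv6": ...} dicts."""
    hits = set()
    for perm in configuration.get("ipPermissions", []):
        ranges = perm.get("ipRanges", []) + perm.get("ipv4Ranges", []) + perm.get("ipv6Ranges", [])
        cidrs = {r if isinstance(r, str) else (r.get("cidrIp") or r.get("cidrIpv6")) for r in ranges}
        if not cidrs & WORLD:
            continue
        if perm.get("ipProtocol") == "-1":  # "-1" means all traffic; no port fields present
            hits |= SENSITIVE_PORTS
            continue
        lo, hi = perm.get("fromPort", 0), perm.get("toPort", 65535)
        hits |= {p for p in SENSITIVE_PORTS if lo <= p <= hi}
    return sorted(hits)

def evaluate(item):
    # Returns the (ComplianceType, Annotation) pair that Config expects back.
    if item.get("resourceType") != "AWS::EC2::SecurityGroup":
        return "NOT_APPLICABLE", "rule only evaluates security groups"
    open_ports = unrestricted_ports(item.get("configuration", {}))
    if open_ports:
        return "NON_COMPLIANT", f"ports {open_ports} open to the internet"
    return "COMPLIANT", "no sensitive port open to 0.0.0.0/0 or ::/0"

def lambda_handler(event, context):
    # Entry point for the custom rule; Config passes the item inside invokingEvent (a JSON string).
    item = json.loads(event["invokingEvent"])["configurationItem"]
    compliance, note = evaluate(item)
    import boto3  # imported lazily so evaluate() stays testable without AWS access
    boto3.client("config").put_evaluations(ResultToken=event["resultToken"], Evaluations=[{
        "ComplianceResourceType": item["resourceType"], "ComplianceResourceId": item["resourceId"],
        "ComplianceType": compliance, "Annotation": note,
        "OrderingTimestamp": item["configurationItemCaptureTime"]}])
    return compliance
```

As the page notes, this only reports non-compliance; blocking the change would need a separate control such as an SCP or an automated remediation triggered from the finding.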

 

AWS Trusted Advisor

 

AWS Trusted Advisor service analyzes and checks your AWS environment in real-time and gives recommendations for the following four areas:

 

Cost optimization
Performance
Security
Fault tolerance

 

Trusted Advisor or TA integrates with AWS IAM so you can control access to checks as well as to categories.

 

The current status of these checks is displayed in the TA dashboard as follows:

 

Red: Action recommended
Yellow: Investigation recommended
Green: No problem detected

 

Where the colour is red or yellow, TA provides alert criteria, recommended actions, and relevant resource details, such as details of the security groups allowing unrestricted access via specific ports.

 

Six core checks are available for all AWS customers free of charge.

Five checks for security plus one check for performance, e.g.:

service limits
IAM use
security groups – unrestricted ports
MFA on root account
Elastic Block Store (EBS) public snapshots
RDS public snapshots

 

 

 

AWS Inspector

 

AWS Inspector provides for the automation of security assessments. The assessments can be set to run on a schedule or when an event occurs that is monitored by Amazon CloudWatch, or also via an API call. The dashboard shows the assessments, as well as the findings from the various scans that have run.

 

Amazon Inspector makes use of assessment templates that define which sets of rules you want to run against your environment.

 

Two types of assessments are offered by AWS Inspector: network assessments and host assessments.

 

Network assessments don't require any agent to be installed. However, if you want detailed information about the processes listening on a specific port, then you need to install the AWS Inspector Agent.

 

Host assessments, however, require the Inspector Agent to be installed. These assessments are far more detailed and scan for things such as vulnerable versions of software, violations of security best practices, and areas that should be hardened. You can select these assessments when you set up AWS Inspector.

 

You create an assessment template in Inspector which you then use to assess your environment by means of an Assessment Run which will then report on its findings.

 

Templates contain one or more rules packages. A rules package defines what you are checking for. Note that you can’t create custom rules packages; you can use only the rules packages provided by AWS. Currently, these are the rules packages available, listed by assessment type:

Network assessments

Network Reachability: This rules package checks your environment’s network configurations, including your security groups, network access control lists (NACLs), route tables, subnets, virtual private cloud (VPC), VPC peering, AWS Direct Connect and virtual private gateways (VPGs), Internet gateways (IGW), EC2 instances, elastic load balancers (ELBs), and elastic network interfaces (ENIs).

 

Host assessments

Common Vulnerabilities and Exposures (CVE): This rules package checks your systems to see if they are vulnerable to any of the CVEs reported.

 

Center for Internet Security (CIS) Benchmarks: This rules package assesses your systems against CIS benchmarks specific to your OS.

 

There are Level 1 and Level 2 checks. Level 1 is usually safe to implement; Level 2 is more risky as the settings in Level 2 may have unintended side effects. Level 2 is usually used in environments where a very high level of security is required.

 

Security Best Practices: This rules package assesses how well your environment conforms to security best practices. E.g., it will check that a Linux EC2 instance cannot be logged into as root via SSH.

 

Runtime Behavior Analysis: This rules package identifies risky behaviors on your systems, such as using insecure protocols for connecting or open ports that are not in use.

 

 

 

AWS GuardDuty

 

GuardDuty is the AWS intrusion detection system (IDS) or intrusion prevention system (IPS). It uses threat intelligence feeds and analyzes logs from multiple sources, such as VPC flow logs, AWS CloudTrail event logs, and DNS logs.

 

GuardDuty can alert you to suspicious activity that could indicate potential issues such as leaked user account credentials, privilege escalation attacks, and possible command-and-control type activities.

 

GuardDuty scans specifically for three types of activity:

 

Reconnaissance
Instance compromise
Account compromise

 

Reconnaissance is the first step of an attack and was defined in the “Cyber Kill Chain”, developed by Lockheed Martin. During the reconnaissance phase, an attacker is learning about your environment through actions such as vulnerability scans to probe for IP addresses, hostnames, open ports, and misconfigured protocols.

 

GuardDuty can also utilize threat intelligence feeds to detect IP addresses known to be malicious. You can use findings reported by GuardDuty to automatically remediate the vulnerability before it develops into a security violation.

 

The next type of activity is instance compromise. This consists of several indicators that may be present, such as malware command and control, crypto miners, unusual traffic levels or unusual network protocols, or communication with a known malicious IP.
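The earlier notes mention wiring GuardDuty to Lambda or SNS through an EventBridge rule; the Lambda below is an added example (not from the page or AWS) of what such a target does with the three activity families described here. It assumes the EventBridge event carries the GuardDuty finding JSON under `detail` (type, severity, resource), uses a constructed sample event with placeholder ids, and an SNS topic ARN supplied in the hypothetical environment variable `ALERT_TOPIC_ARN`.

```python
import json
import os

# Constructed EventBridge event carrying a GuardDuty finding (shape assumed from the
# GuardDuty finding format; account and instance ids are placeholders).
SAMPLE_EVENT = {
    "source": "aws.guardduty",
    "detail": {
        "type": "CryptoCurrency:EC2/BitcoinTool.B!DNS",
        "severity": 8,
        "resource": {"resourceType": "Instance", "instanceDetails": {"instanceId": "i-0123456789abcdef0"}},
    },
}

def severity_label(score):
    """GuardDuty severity score -> band (low 1-3.9, medium 4-6.9, high 7-8.9)."""
    return "HIGH" if score >= 7 else "MEDIUM" if score >= 4 else "LOW"

def classify(finding):
    """Map a finding to the activity family: reconnaissance, account or instance compromise.
    The threat purpose is the part of the type before ':' (e.g. Recon, CryptoCurrency)."""
    if finding["type"].split(":", 1)[0] == "Recon":
        return "reconnaissance"
    if finding.get("resource", {}).get("resourceType") == "AccessKey":
        return "account_compromise"  # leaked credentials, privilege escalation
    return "instance_compromise"     # malware C2, crypto miners, unusual traffic

def plan_response(event):
    """Pure decision step: what the Lambda should do for this event (no side effects)."""
    if event.get("source") != "aws.guardduty":
        return {"action": "ignore"}
    f = event["detail"]
    family, sev = classify(f), severity_label(f["severity"])
    plan = {"family": family, "severity": sev, "type": f["type"], "action": "notify"}
    if family == "instance_compromise" and sev == "HIGH":
        plan["action"] = "isolate"  # e.g. swap in a quarantine security group
        plan["instance_id"] = f["resource"]["instanceDetails"]["instanceId"]
    elif family == "account_compromise" and sev != "LOW":
        plan["action"] = "disable_key"
        plan["access_key_id"] = f["resource"]["accessKeyDetails"]["accessKeyId"]
    return plan

def lambda_handler(event, context):
    """EventBridge target: publish the plan to SNS so the on-call team sees it."""
    plan = plan_response(event)
    if plan["action"] != "ignore":
        import boto3  # lazy import keeps plan_response() testable without AWS access
        boto3.client("sns").publish(TopicArn=os.environ["ALERT_TOPIC_ARN"], Message=json.dumps(plan))
    return plan
```

The actual isolation or key disabling is deliberately left to a separate, reviewed step; the plan only records the intended action next to the finding type and severity.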

 

 
