AWS Certified Solutions Architect Pro – Study Notes Domain 6

By | December 3, 2016

Domain 6.0: Security (20% of exam)

6.1 Design information security management systems and compliance controls

6.2 Design security controls with the AWS shared responsibility model and global infrastructure

6.3 Design identity and access management controls

6.4 Design protection of Data at Rest controls

6.5 Design protection of Data in Flight and Network Perimeter controls

  • AWS Directory Services (3 flavors) – https://aws.amazon.com/directoryservice/faqs/
    • AD connector:
      • Essentially a custom federation proxy
      • connects to your existing MS AD structure
      • once connected, end users use existing corporate creds to log into AWS applications
      • existing security policies can be enforced consistently
        • password expiration/history
        • account lockouts
      • supports MFA, can use to integrate with existing RADIUS-based MFA infrastructure
      • no information is cached on AWS (unless you have an AD server on AWS obviously)
      • availability is tied to your networking – if connection goes down, you lose AD capabilities
      • Comes in 2 sizes:
        • Small (up to 500 users)
        • Large (up to 5000 users)
      • Manage AWS resources via IAM role-based access on the console
    • Simple AD:
      • Used for new AD deployments
      • Managed directory powered by Samba 4 Active Directory compatible server
      • MFA not supported
      • Only 2 domain controllers (in 2 different AZs)
        • Can’t add additional domain controllers
      • No forest/domain trust relationships
      • Can’t transfer FSMO roles
      • Can domain-join EC2 instances
      • Provides Kerberos based SSO
      • No LDAP-S support
      • Schema extension not supported
      • Comes in 2 sizes:
        • Small (up to 500 users)
        • Large (up to 5000 users)
    • Microsoft AD
      • AWS managed (Nothing to install, AWS handles patching & updates)
      • Powered by windows 2012 R2
      • Supports up to 50k users (200k directory objects)
      • Run directory aware windows workloads
      • Create trust relationships between MS AD domains in AWS cloud & on-prem.
      • Deployed across multiple AZs
      • Monitors & automatically detects/replaces failed DCs
      • Data replication & automated daily snaps are configured out of the box
    • Grants users limited & temporary access to AWS resources. Users can come from 3 sources:
      • Federated temporary access to AWS resources (typically Active Directory)
        • Uses SAML 2.0
        • User doesn’t need to be in IAM, grants access based on AD creds
        • SSO allows user to log into AWS console w/out assigning IAM creds
      • Federation w/ Mobile Apps
        • Use FB/Amazon/Google or other OpenID providers to log in
      • Cross account access
        • Let’s users from one AWS account access resources in another
          • E.g. Users from “Dev” account can access resources in “Prod” account
        • Steps to create cross account access
          • In dev account create a user & group
          • Copy account ID
          • Switch to prod – create new role “DevAccess”
          • Assign permissions (policies) to new role
          • Copy role ARN
          • On Dev account create new policy using policy generator, service – AWS Security Token Service
          • Use ARN from DevAccess role
          • In dev account attach new policy to group
          • Use IAM user sign-in link from prod account to sign in Dev user, paste role switch URL into browser to switch over to prod
      • Steps for setting up SSO for App X:
        • Employee logs into application (enters username/pwd)
        • App X calls an Identity Broker
        • The Identity Broker checks with LDAP to confirm that the user account is valid
        • ID Broker initiates a call to the AWS Security Token Service (STS). The call must include an IAM policy and a duration (1 to 36 hours), along with a policy that specifies the permissions to be granted.
        • STS will (on validation) return back 4 values:
          • Access Key
          • Secret Access Key
          • The Token
          • The duration (15 min – 12 hr default – 36 hr max)
        • ID Broker returns the token to the application
        • App X uses the token to call to AWS resource (say S3)
        • S3 uses IAM to verify credentials
        • IAM verifies credentials & gives S3 the go-ahead to perform the operation
      • Terminology:
        • Federation = joining lists of users from 1 directory service to another (AD, IAM, FB, Google)
        • Identity Broker = trusted 3rd party broker that you can use to federate multiple directories
        • Identity Store = list of users
        • Identities = users
  • Monitoring your Network
      • Retrieve a history of API calls and other events for all regions in your account
        • Can be enabled on a per region basis
      • Use Cases:
        • Security Analysis
        • Track & Monitor changes to AWS resources (great in conjunction with AWS Config)
        • Compliance Aid
        • Troubleshoot operational issues (answers who, what, when, where)
      • Not enabled by default
      • Recorded info includes:
        • Identity of the API caller
        • Time of the API call
        • Source IP of the API caller
        • Request parameters
        • Response elements returned by the AWS service
      • Delivers logs to an S3 bucket in JSON format
      • Configured on a per region basis & can include global services
        • Logs from different regions can be sent to the same S3 bucket
      • Calls & events made by the AWS mgmt. console, command line tools, AWS SDKs, or other AWS services (i.e. CloudFormation)
      • Used for auditing and collecting a history of API calls, NOT a logging service
      • Can integrate with SNS, CloudWatch & CloudWatch Logs to send notifications when a specific API event occurs
      • Monitoring service for AWS cloud resources & the applications running on AWS
      • Gain system wide visibility into resource util
      • Collect/track/monitor metrics/logs, and set alarms.
      • Automatically react to changes in AWS resources
      • Can monitor:
        • EC2 instances
        • DynamoDB tables
        • RDS DB instances
        • Custom metrics generated by apps & services
        • Any log file an application can generate
        • Operational health
        • Application performance
      • By default, CloudWatch Logs will store log data indefinitely
        • You can change retention for each log group @ any time
        • CloudWatch Alarm history stored for 14 days
        • CloudTrail logs can be sent to CloudWatch Logs for real-time monitoring
          • Can use CloudWatch Log metric filters to eval for specific terms, phrases or values in CloudTrail logs
    • You can monitor events & ship those logs to
      • CloudWatch
      • Central logging system (Splunk, SumoLogic, etc)
      • Script your own logs & store on S3
      • Avoid storing logs on non-persistent storage
        • Root device volume on EC2 instance
        • Ephemeral storage
        • Best answers are usually S3 or CloudWatch Logs
      • CloudTrail can be used across multiple accounts in a single S3 bucket (w/ cross account access)
      • CloudWatch Logs can be used across multiple accounts (w/ cross account access)
    • VPC Flow Logs
      • Can be turned on at the VPC/Subnet/EC2Instance level
      • Can be filtered for all/accepted/rejected traffic
      • Can dump logs to CloudWatch for alerting
  • Cloud Hardware Security Modules (HSM’s) https://aws.amazon.com/cloudhsm/
    • Physical device that safeguards and manages digital keys
    • Used to protect high value keys
    • Onboard secure cryptographic key generation, storage & mgmt.
    • Offloading app servers for asymmetric and symmetric cryptography
    • Upfront fee for each device & hourly cost afterwards
    • Single tenant (1 physical device per customer)
    • Must be used within a VPC
    • Can use VPC peering to connect to a CloudHSM
    • Can use EBS volume encryption, S3 object encryption & key mgmt. w/ HSM, but this requires custom scripting
    • If you need FT, you need to get 2 devices & build a CloudHSM cluster
    • Can integrate with RDS (Oracle & SQL) as well as Redshift
    • Monitor via Syslog
    • How to Mitigate DDoS?
      • Minimize the attack surface –
        • fewer/hardened entry points
          • Place instances inside of private subnets where possible
        • Bastion hosts w/ white list IP accessability
        • WAF = Web Application Firewall – L7 Firewall
        • Use ELB/CloudFront to distribute load to apps
        • Multi-Tier app architecture provides layered protection against attacks
      • Scale to absorb the attack
        • Design your infra to scale as needed
          • Auto Scaling (for both WAFs and Web Servers)
          • CloudFront
          • Route 53
          • ELBs
          • WAFs
          • CloudWatch
        • Horizontal
        • Vertical
      • Safeguard exposed resources when you can’t eliminate Internet entry points. 3 services that can help with this:
        • CloudFront
          • Built in ability to absorb and deter DDoS attacks
          • Solves UDP and SYN flood DDoS attacks
          • Geo Restrictions – whitelists/blacklists
          • Origin Access ID
        • Route 53
          • Alias Record Sets to redirect traffic to CloudFrount or different ELB or “DDoS resilient environment”
          • Private DNS
        • WAFs (Web Application Firewall) – controls input & shows what the traffic is doing and where it is coming from. Many WAFs have built in IDS
          • Solves DDoS attacks that happen @ the app layer
          • Filters traffic and can ID/prevent injection attacks
          • DDoS mitigation
          • Malware protection
          • Dataloss prevention
          • Detect suspicious activity and block/report
          • “WAF sandwich”
      • Learn normal behavior (IDS/WAFs)
        • Allows you to ID abnormal behavior faster (duh)
      • Create a plan for attacks:
        • Validate design of architecture in the event of the different attacks
        • Know what techniques to employ when you get attacked
        • Know who to contact when you get attacked
    • Amplification/Reflection Attacks
      • NTP, SSDP, DSN, SNMP, Chargen
      • Attacker sends a 3rd party server a spoofed IP request.
    • Application Attacks (L7)
      • Flood of GET requests
      • Slowloris attack
  • IDS & IPS
    • IDS inspects all inbound/outbound network traffic & IDs suspicious patterns that can indicate a network or system attack
      • Monitors only, isn’t proactive
    • IPS is a network threat prevention technology that examines network traffic to detect & prevent exploitation of systems.
    • IDS/IPS appliance usually sits in public subnet w/ agents installed on all EC2 instances it is monitoring. Feeds data either to SOC or S3 bucket.
    • Good video to watch on this: https://www.youtube.com/watch?v=wZ8sB7hfyvw