# Security Engineering on AWS

:::info
[toc]
:::

**Keywords**

:::warning
:::

### Security Overview

**Security Engineering Pillars**

:::success
- Identity & Accounts
- Data Protection & Infrastructure Protection
- Monitor, Detect and Respond
:::

**Threat Modelling**

:::success
- **[CIA](https://www.csoonline.com/article/568917/the-cia-triad-definition-components-and-examples.html)**
  - **Confidentiality**: Only authorized users and processes should be able to access or modify data
  - **Integrity**: Data should be maintained in a correct state and nobody should be able to improperly modify it, either accidentally or maliciously
  - **Availability**: Authorized users should be able to access data whenever they need to do so
- **STRIDE**

![StrideLM-2785573541-owasp](https://hackmd.io/_uploads/SJrTmfAz1x.png)

:dart: ***Further Read:***
*1. https://owasp.org/www-project-threat-and-safeguard-matrix/*
*2. https://aws.amazon.com/blogs/security/how-to-approach-threat-modeling/*
:::

#### Risk assessment

In a risk assessment exercise, you identify assets as well as vulnerabilities and threats. Assets include people (employees and customers), property (tangible and intangible), and information (like databases, software code, and company records).

:::success
1. What are you trying to protect? – Assets identified in the data flow table/diagram.
2. What do you need to protect against? – Threats identified during the threat modeling session.
3. Is there a weakness in a service or system? – Identifying and documenting vulnerabilities.
4. How much time, effort, and money are you willing to spend to obtain adequate protection? – Calculating risks.
:::

#### Module References

:::warning
- https://docs.aws.amazon.com/wellarchitected/latest/framework/sec-design.html
- https://aws.amazon.com/partners/programs/msp/
- https://aws.amazon.com/blogs/security/how-to-approach-threat-modeling/
:::

### Access and Authorization on AWS

#### [IAM](https://aws.amazon.com/iam/)

:::info
- Users
- Groups
- [Policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html)
  - Identity-based policies
  - Resource-based policies
  - Organizational SCPs
  - Permission boundaries
  - Inline policies
  - Session policies
- Roles
  - Temporary elevated privileges
  - Federated access
  - Services/applications trying to access AWS
:::

#### Key Takeaways

:::info
- Permission Boundaries
- STS
:::

#### Module References

:::warning
- [NIST Recommends New Rules for Password Security](https://cybersecuritynews.com/nist-rules-password-security/)
- [NIST - SP 800-63B](https://pages.nist.gov/800-63-4/sp800-63b.html)
- [AWS re:Inforce 2022 - Designing a well-architected identity & access management solution (IAM309)](https://www.youtube.com/watch?v=qrQzUzDyjks&t=6s)
- [Deep Dive with Security: AWS Identity and Access Management (IAM) (Includes Labs)](https://explore.skillbuilder.aws/learn/course/internal/view/elearning/7647/deep-dive-with-security-aws-identity-and-access-management-iam-includes-labs)
:::

---

### Logging and Monitoring

---

#### Services

:::success
- CloudWatch
- Amazon Detective
- AWS Config
:::

#### Module References

:::warning
- [Monitor AWS CloudTrail Log Data in Amazon CloudWatch](https://www.youtube.com/watch?v=6b_ENVFgCpA)
- [AWS re:Invent 2020: Monitoring and troubleshooting network traffic](https://www.youtube.com/watch?v=Ed09ReWRQXc)
- [Analyze Log Data with CloudWatch Logs Insights](https://www.youtube.com/watch?v=2s2xcwm8QrM)
- [Enforce Compliance with AWS Config](https://www.youtube.com/watch?v=X_fznJtSyV8)
- [Get More Out of AWS Config by Using Multi-Account, Multi-Region Advanced Queries](https://www.youtube.com/watch?v=By7GAhp2OyI)
- [Manage Configuration Compliance at Scale Using AWS Config Conformance Packs](https://www.youtube.com/watch?v=YCUNNQuGZfg)
- [Remediate Non-Compliance Using AWS Config Rules and a Custom SSM Document](https://www.youtube.com/watch?v=CyyNlyAHs0A)
- [Deploy AWS Config Conformance Packs Using CloudFormation](https://www.youtube.com/watch?v=baA5eN5zyrg)
- [Send VPC Flow Log Data to Splunk Using Amazon Kinesis Data Firehose | Amazon Web Services](https://www.youtube.com/watch?v=idizFTiOqUE)
- [Demo: Amazon Kinesis Data Firehose to Amazon OpenSearch Service | Amazon Web Services](https://www.youtube.com/watch?v=7a3_zhI1jvY)
- [AWS re:Invent 2020: Top 5 best practices for data streaming with Amazon Kinesis](https://www.youtube.com/watch?v=UE34CWAhT3o)
:::

### Security Workshops

:::warning
- [IAM Troubleshooting Workshop](https://catalog.us-east-1.prod.workshops.aws/workshops/a9661c42-97f6-400a-8dee-a8396e8d418f/en-US)
- [IAM policy evaluation workshop](https://catalog.us-east-1.prod.workshops.aws/workshops/6dc3124a-6bd4-46eb-b5c4-be438a82ba3d/en-US)
- [Refining IAM Permissions Like A Pro](https://catalog.workshops.aws/refining-iam-permissions-like-a-pro/en-US)
- [Okta with AWS IAM Identity Center](https://okta.awsworkshop.io/)
- [Deep dive on AWS IAM Roles Anywhere](https://catalog.workshops.aws/deep-dive-on-roles-anywhere/en-US)
- [AWS Direct Connect + Hybrid DNS Workshop](https://catalog.workshops.aws/dxhybrid/en-US)
- [AWS Gateway Load Balancer](https://catalog.workshops.aws/gwlb-networking/en-US)
- [AWS Observability - Skillbuilder](https://explore.skillbuilder.aws/learn/course/internal/view/elearning/14688/aws-observability)
:::

### Security Whitepapers

:::warning
- [Introduction to AWS Security](https://docs.aws.amazon.com/pdfs/whitepapers/latest/introduction-aws-security/introduction-aws-security.pdf#welcome)
- [AWS Fault Isolation Boundaries](https://docs.aws.amazon.com/pdfs/whitepapers/latest/aws-fault-isolation-boundaries/aws-fault-isolation-boundaries.pdf)
:::

:::danger
:warning: *Disclaimer: The content provided here is for informational purposes only and is based purely on my own understanding, knowledge and experience. This is **NOT** an official AWS documentation.*
:::
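The IAM section above lists several policy types (identity-based, SCPs, permission boundaries) and names permission boundaries as a key takeaway, but a list does not show how they combine. The following is an added worked example, not code from the original notes or from AWS: a simplified evaluator that applies the documented decision order (an explicit Deny anywhere wins; the SCP must allow; the permission boundary must allow; finally an identity-based policy must allow, otherwise the request is implicitly denied). It deliberately omits resource-based, session and cross-account policies, and IAM condition keys. The policy documents, account id `123456789012` and ARNs are constructed samples; the function names `evaluate_policy`, `evaluate_request` and `demo` are this example's own.

```python
"""Simplified IAM policy evaluation (added example; not AWS's evaluation engine).

Assumptions made here:
  * only Action / Resource / Effect are evaluated (no Condition, NotAction, Principal);
  * each entry in `scps` is treated as the effective SCP of one level of the
    Organizations hierarchy, so every level must allow the request;
  * action names match case-insensitively, resource ARNs case-sensitively,
    with IAM's '*' and '?' wildcards.
"""
import re


def _wild_match(pattern: str, value: str, ignore_case: bool) -> bool:
    # Translate IAM wildcards into a regex: '*' = any run, '?' = one character.
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    flags = re.IGNORECASE if ignore_case else 0
    return re.fullmatch(regex, value, flags) is not None


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _statement_matches(stmt: dict, action: str, resource: str) -> bool:
    actions = _as_list(stmt.get("Action", []))
    resources = _as_list(stmt.get("Resource", []))
    return any(_wild_match(a, action, True) for a in actions) and any(
        _wild_match(r, resource, False) for r in resources
    )


def evaluate_policy(policy: dict, action: str, resource: str) -> str:
    """Return 'Deny', 'Allow' or 'Implicit' (no statement matched) for one policy."""
    result = "Implicit"
    for stmt in _as_list(policy.get("Statement", [])):
        if _statement_matches(stmt, action, resource):
            if stmt["Effect"] == "Deny":
                return "Deny"  # explicit Deny short-circuits the whole policy
            result = "Allow"
    return result


def evaluate_request(action, resource, identity_policies, boundary=None, scps=()):
    """Combine policy types in the documented order and explain the decision."""
    identity = [evaluate_policy(p, action, resource) for p in identity_policies]
    scp = [evaluate_policy(p, action, resource) for p in scps]
    bound = evaluate_policy(boundary, action, resource) if boundary else None

    if "Deny" in identity or "Deny" in scp or bound == "Deny":
        return False, "explicit Deny"
    if scps and not all(d == "Allow" for d in scp):
        return False, "not allowed by SCP"
    if boundary and bound != "Allow":
        return False, "outside permissions boundary"
    if "Allow" not in identity:
        return False, "no identity policy allows it (implicit deny)"
    return True, "allowed"


# --- constructed sample documents (not from any real account) -----------------
DEVELOPER_POLICY = {  # identity-based policy attached to a developer role
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:*", "iam:CreateUser", "iam:PassRole"],
         "Resource": "*"},
    ],
}
BOUNDARY = {  # permission boundary: caps what the developer can ever be granted
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:*", "logs:*", "ec2:*"], "Resource": "*"},
        {"Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "arn:aws:s3:::prod-*"},
    ],
}
SCP_ROOT = {  # organization-level guardrail: nobody may disable CloudTrail
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Effect": "Deny", "Action": ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail"],
         "Resource": "*"},
    ],
}


def demo() -> dict:
    """Evaluate a few constructed requests and map each action to its verdict."""
    cases = [
        ("s3:GetObject", "arn:aws:s3:::dev-bucket/report.csv"),
        ("iam:CreateUser", "arn:aws:iam::123456789012:user/new-user"),
        ("s3:DeleteBucket", "arn:aws:s3:::prod-logs"),
        ("cloudtrail:StopLogging", "arn:aws:cloudtrail:us-east-1:123456789012:trail/main"),
        ("ec2:RunInstances", "*"),
    ]
    return {a: evaluate_request(a, r, [DEVELOPER_POLICY], BOUNDARY, [SCP_ROOT])
            for a, r in cases}


if __name__ == "__main__":
    for action, (allowed, reason) in demo().items():
        print(f"{action:24s} {'ALLOW' if allowed else 'DENY ':5s} ({reason})")
```

The point to notice in the output is `iam:CreateUser`: the identity policy grants it, yet the request is denied because the boundary never allows `iam:*`, which is exactly the delegation property that makes permission boundaries useful when developers are allowed to attach policies themselves. `cloudtrail:StopLogging` is denied by the SCP before identity policies are even consulted, and `ec2:RunInstances` sits inside the boundary but is still implicitly denied because no identity policy grants it.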