PolarSPARC
AWS Security - Quick Notes
Bhaskar S | 01/17/2024
AWS Directory Service
The following is the summary of the various features/capabilities of Directory Service:
Provides multiple ways to use Microsoft Active Directory (AD) with other AWS services such as EC2, RDS for SQL Server, FSx for Windows File Server, and IAM Identity Center
Directories store information about users, groups, and devices, which can be used to manage access to information and resources
The following are the three different choices:
AWS Managed Microsoft AD
A managed service for AD that is powered by Windows Server
Highly available pair of Domain Controllers connected to the customer VPC
The Domain Controllers run in different availability zones in a Region
Host monitoring, recovery, replication, snapshots, and software updates are automatically configured and managed
One can also configure a trust relationship with the customer's existing on-prem AD
Integration with on-prem needs a VPN or Direct Connect connection
The trust relationship with on-prem gives users and groups access to resources in either domain using single sign-on
Enables authentication and authorization for many AWS services, such as the Management Console, RDS, QuickSight, WorkDocs, WorkMail, WorkSpaces, etc.
Best choice if there are more than 5000 users (Standard edition supports about 30,000 directory objects, Enterprise edition about 500,000)
MFA can be enabled by integrating the directory with an existing RADIUS-based MFA server
AD Connector
Is a proxy service that provides an easy way to connect a customer's existing on-prem AD to AWS
Integration with on-prem needs a VPN or Direct Connect connection
Allows one to map on-prem AD users and groups to IAM roles (for example for Management Console access)
Redirects directory requests to the on-prem AD Domain Controllers without caching any directory data in AWS
Enables authentication and authorization for compatible AWS services, such as EC2 for Windows Server, the Management Console, QuickSight, WorkDocs, WorkMail, WorkSpaces, etc.
Best choice if one wants to keep using an existing on-prem AD without replicating it to AWS
Simple AD
Is an AD-compatible directory that is powered by Samba 4
Supports basic AD features such as user accounts, group memberships, and domain-joining Linux or Windows based EC2 instances
Provides support for Kerberos-based single sign-on (SSO)
Does NOT support trust relationships with other domains, MFA, LDAPS, schema extensions, or the PowerShell AD cmdlets
A fully managed, standalone directory in the AWS cloud, available in Small (up to 500 users) and Large (up to 5000 users) sizes
Amazon Cognito
The following is the summary of the various features/capabilities of Cognito:
Is a user directory for web and mobile app authentication and authorization
Is an OpenID Connect (OIDC) identity provider (IdP)
Supports federation with external identity providers via OAuth 2.0, OIDC, and SAML 2.0
The following are the two important entities within Cognito:
Cognito User Pool
Allows one to easily and securely add sign-up and sign-in functionality for apps
Supports a user directory for storing users' identities
Support for federated identity with external authentication providers such as Facebook, Google, Amazon, Apple, or any SAML/OIDC IdP
Support for Multi-Factor Authentication (MFA) via SMS or a TOTP software token
Cognito Identity Pool
Allows apps to obtain temporary AWS credentials that grant users access to specific AWS resources
Integrates with Cognito User Pool (and with other OIDC/SAML/social IdPs) as the source of authenticated identities
The IAM roles that the temporary credentials assume are configured on the Identity Pool: an authenticated role, an unauthenticated (guest) role, and optionally rule-based mappings from token claims to roles
IAM policies attached to those roles can be scoped per user with policy variables such as ${cognito-identity.amazonaws.com:sub}, so each user reaches only their own S3 prefix or DynamoDB items
The default authenticated/unauthenticated roles are used when no role-mapping rule matches
Users authenticate against the Cognito User Pool and receive JWTs (ID, access, and refresh tokens); the ID token is then presented to the Cognito Identity Pool, which exchanges it for temporary credentials of the mapped IAM role
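As an added illustration of the User Pool to Identity Pool handoff above (example code written for these notes, not from AWS or from the original page), the following Go program mints an RS256 ID token the way a user pool would and then validates it the way a backend or identity pool must: signature under the pool's public key, issuer, audience, token_use, and expiry. The pool issuer URL, app client ID, and key pair are constructed stand-ins; a real backend fetches the public keys from the pool's JWKS endpoint instead of generating them.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Constructed stand-ins for a user pool issuer URL and app client ID (not real identifiers).
const PoolIssuer = "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_EXAMPLE"
const ClientID = "example-app-client-id"

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// MintToken signs claims as an RS256 JWT. In production the user pool does this; a backend
// only ever holds the public half, fetched from <issuer>/.well-known/jwks.json.
func MintToken(priv *rsa.PrivateKey, claims map[string]any) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": "example-kid"})
	body, _ := json.Marshal(claims) // claims are plain strings/ints, so marshalling cannot fail
	signingInput := b64(hdr) + "." + b64(body)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64(sig), nil
}

// ValidateIDToken performs the checks a backend must make before trusting a Cognito ID
// token: RS256 signature under the pool's public key, iss is this user pool, aud is this
// app client, token_use is "id" (access tokens say "access" and carry no aud), not expired.
func ValidateIDToken(token string, pub *rsa.PublicKey, issuer, clientID string, now time.Time) (map[string]any, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	var hdr struct{ Alg string `json:"alg"` }
	hb, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil || json.Unmarshal(hb, &hdr) != nil || hdr.Alg != "RS256" {
		return nil, errors.New("bad header or unexpected alg") // also refuses alg=none / HS256 downgrades
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return nil, errors.New("signature verification failed") // checked before any claim is read
	}
	pb, err := base64.RawURLEncoding.DecodeString(parts[1])
	var claims map[string]any
	if err != nil || json.Unmarshal(pb, &claims) != nil {
		return nil, errors.New("bad payload")
	}
	for k, want := range map[string]string{"iss": issuer, "aud": clientID, "token_use": "id"} {
		if claims[k] != want {
			return nil, fmt.Errorf("claim %q mismatch: not an ID token for this pool and client", k)
		}
	}
	if exp, ok := claims["exp"].(float64); !ok || now.Unix() >= int64(exp) {
		return nil, errors.New("token expired")
	}
	return claims, nil
}

// RunScenarios mints tokens with a throwaway key pair and reports which ones validate.
func RunScenarios() (map[string]bool, error) {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048) // only fails on a broken entropy source
	now := time.Unix(1705500000, 0)               // fixed clock so the demo is deterministic
	fresh := func() map[string]any {
		return map[string]any{"iss": PoolIssuer, "aud": ClientID, "token_use": "id",
			"sub": "11111111-2222-3333-4444-555555555555", "exp": now.Add(time.Hour).Unix()}
	}
	cases := map[string]map[string]any{"valid": fresh(), "access_token": fresh(), "wrong_issuer": fresh(), "expired": fresh()}
	cases["access_token"]["token_use"] = "access"
	cases["wrong_issuer"]["iss"] = "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_OTHER"
	cases["expired"]["exp"] = now.Add(-time.Minute).Unix()
	results := map[string]bool{}
	for name, claims := range cases {
		tok, err := MintToken(priv, claims)
		if err != nil {
			return nil, err
		}
		_, verr := ValidateIDToken(tok, &priv.PublicKey, PoolIssuer, ClientID, now)
		results[name] = verr == nil
	}
	// Tampered: rewrite the first payload character (JSON '{' encodes as 'e', never 'A'); the
	// claims change, and without the pool's private key the signature can no longer match.
	tok, _ := MintToken(priv, fresh())
	parts := strings.Split(tok, ".")
	parts[1] = "A" + parts[1][1:]
	_, verr := ValidateIDToken(strings.Join(parts, "."), &priv.PublicKey, PoolIssuer, ClientID, now)
	results["tampered"] = verr == nil
	return results, nil
}

func main() {
	fmt.Println(RunScenarios()) // only "valid" should be accepted
}
```

Note that the signature is verified before any claim is read, that the access token is refused even though it is validly signed by the same pool, and that a token from another pool fails on the issuer check; those are the cases most often skipped in hand-rolled validators.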
AWS Key Management Service (KMS)
The following is the summary of the various features/capabilities of Key Management Service:
Is a managed service that makes it easy for one to create and control the cryptographic keys that are used to encrypt and decrypt data
Key material is generated in and protected by FIPS 140 validated Hardware Security Modules (HSMs) and never leaves them in plaintext
Fully integrated with IAM for authorization
Is SCOPED to a Region
One can audit KMS key usage using CloudTrail
Integrates seamlessly with most AWS services (S3, EBS, RDS, etc.)
KMS keys can be Symmetric or Asymmetric
Symmetric Key
Uses AES-256
Same key for both encryption and decryption
All AWS services integrated with KMS use this type
Users NEVER get access to the key
Asymmetric Key
Uses RSA or Elliptic Curve (ECC) key pairs; RSA pairs can be used either for encryption/decryption or for signing/verification, ECC pairs only for signing/verification
For encryption the public key encrypts and the private key decrypts; for signing the private key signs and the public key verifies
The public key can be downloaded and used outside AWS, while the private key CANNOT be accessed and never leaves KMS
AWS Owned Keys are free to use and are shared across many accounts; examples include the default keys behind SSE-S3, SSE-SQS, and SSE-DDB. Users have NO control over them and cannot view them, audit their use, or rotate them
AWS Managed Keys (aliases prefixed aws/) are created by an AWS service on the customer's behalf and are free to use; they are visible in the account and in CloudTrail, but their key policies cannot be edited. Examples include aws/rds, aws/ebs, aws/dynamodb
Customer Managed Keys cost $1.00 per month (prorated hourly)
API calls to KMS cost $0.03 per 10,000 calls for symmetric keys (asymmetric operations cost more), with a free tier of 20,000 requests per month
AWS managed keys are rotated automatically every 1 year
Automatic rotation of Customer managed keys MUST be enabled explicitly and then happens every 1 year; rotation keeps the old key material so existing ciphertext still decrypts, and the key ID does not change. Keys with imported key material and asymmetric keys cannot be rotated automatically
KMS Key Policies allow one to control access to KMS keys (similar to S3 bucket policies); the key policy is the primary access control, and IAM policies alone cannot grant access to a key unless its key policy delegates to IAM
The default KMS key policy gives the AWS account (the account root principal) full access, which lets IAM policies in that account grant key permissions; it does NOT by itself give every user in the account access
A custom KMS key policy (plus an IAM policy in the other account) is needed for cross-account access
To limit use of a key to requests coming through specific AWS services (for example S3 or RDS in a given Region), use the kms:ViaService condition key in the policy
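An added example (not from the page or from AWS) of envelope encryption, the pattern by which KMS-integrated services use a symmetric key that never leaves the HSM: GenerateDataKey returns a per-object data key together with a copy wrapped under the KMS key, the data is encrypted locally with AES-256-GCM, and only the wrapped key is stored beside the ciphertext. The Go program below uses an in-memory stand-in for the two KMS calls (an assumption; in production the KeyService interface would wrap the SDK's GenerateDataKey and Decrypt) and binds an encryption context to the ciphertext in the same spirit as KMS does.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // an entropy failure is not recoverable here
	}
	return b
}

// seal/open: AES-256-GCM with a random 96-bit nonce prepended to the ciphertext.
func seal(key, plaintext, aad []byte) []byte {
	block, _ := aes.NewCipher(key) // keys are always 32 bytes here, so this cannot fail
	gcm, _ := cipher.NewGCM(block)
	nonce := randomBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, aad)
}

func open(key, sealed, aad []byte) ([]byte, error) {
	block, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(block)
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// ctxBytes canonicalizes an encryption context (json.Marshal sorts map keys) so it can be
// bound to the ciphertext as GCM additional authenticated data, much as KMS binds its context.
func ctxBytes(ctx map[string]string) []byte { b, _ := json.Marshal(ctx); return b }

// KeyService is the slice of the KMS API envelope encryption needs; in production it wraps the SDK.
type KeyService interface {
	GenerateDataKey(keyID string, ctx map[string]string) (plaintextKey, wrappedKey []byte, err error)
	Decrypt(wrappedKey []byte, ctx map[string]string) ([]byte, error)
}

// fakeKMS is an in-memory stand-in, not the AWS SDK: the 256-bit KMS key lives only inside
// this struct, as it would inside the HSM; callers only ever see data keys and wrapped blobs.
type fakeKMS struct{ keyID string; master []byte }

func newFakeKMS(keyID string) *fakeKMS { return &fakeKMS{keyID: keyID, master: randomBytes(32)} }

func (f *fakeKMS) GenerateDataKey(keyID string, ctx map[string]string) ([]byte, []byte, error) {
	if keyID != f.keyID {
		return nil, nil, errors.New("NotFoundException")
	}
	dk := randomBytes(32) // a fresh AES-256 data key for every object
	// a real ciphertext blob carries the key ID as metadata; here a "keyID|" prefix plays that role
	return dk, append([]byte(keyID+"|"), seal(f.master, dk, ctxBytes(ctx))...), nil
}

func (f *fakeKMS) Decrypt(blob []byte, ctx map[string]string) ([]byte, error) {
	prefix := []byte(f.keyID + "|")
	dk, err := open(f.master, bytes.TrimPrefix(blob, prefix), ctxBytes(ctx))
	if err != nil || !bytes.HasPrefix(blob, prefix) { // wrong key, tampered blob, or a context that differs from GenerateDataKey's
		return nil, errors.New("InvalidCiphertextException")
	}
	return dk, nil
}

// Envelope is what gets stored: the ciphertext and the wrapped data key, never the plaintext key.
type Envelope struct{ WrappedKey, Ciphertext []byte }

func EncryptEnvelope(kms KeyService, keyID string, ctx map[string]string, plaintext []byte) (*Envelope, error) {
	dk, wrapped, err := kms.GenerateDataKey(keyID, ctx)
	if err != nil {
		return nil, err
	}
	ct := seal(dk, plaintext, ctxBytes(ctx)) // bulk encryption happens locally, not inside KMS
	for i := range dk {
		dk[i] = 0 // drop the plaintext data key as soon as it has been used
	}
	return &Envelope{WrappedKey: wrapped, Ciphertext: ct}, nil
}

func DecryptEnvelope(kms KeyService, env *Envelope, ctx map[string]string) ([]byte, error) {
	dk, err := kms.Decrypt(env.WrappedKey, ctx) // one KMS call per object, whatever its size
	if err != nil {
		return nil, err
	}
	return open(dk, env.Ciphertext, ctxBytes(ctx))
}

func main() {
	kms, ctx := newFakeKMS("alias/demo"), map[string]string{"tenant": "acme", "purpose": "notes"}
	env, _ := EncryptEnvelope(kms, "alias/demo", ctx, []byte("hello"))
	fmt.Println(DecryptEnvelope(kms, env, ctx)) // prints the plaintext bytes and <nil>
}
```

The stand-in returns the service-style error names so the failure modes are recognisable: a wrong key ID fails at GenerateDataKey, while a tampered blob or a mismatched encryption context fails at Decrypt, which is also where a kms:ViaService or key-policy denial would surface with the real service.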
KMS Multi-Region Keys
A KMS primary key in one Region is replicated to other Regions as replica keys
Identical keys in different Regions so that one can encrypt in one Region and decrypt in another Region
Replicas share the same key ID (prefixed mrk-), the same key material, and the same automatic rotation settings as the primary, but each replica has its own key policy
Useful for global client-side encryption, for example encrypting specific data attributes on the client side before storing them in DynamoDB global tables or Aurora Global Database
Sharing Encrypted AMI
Modify the image attribute to add a Launch Permission for the target AWS account
Share the KMS key that encrypts the AMI's EBS snapshots with the target AWS account via the key policy; this must be a Customer managed key, since AMIs encrypted with the AWS managed aws/ebs key cannot be shared
Ensure the IAM user/role in the target AWS account has the appropriate EC2 and KMS permissions (Decrypt, DescribeKey, CreateGrant, etc.) to launch instances from the shared AMI
AWS Systems Manager Parameter Store
The following is the summary of the various features/capabilities of Parameter Store:
Also referred to as SSM Parameter Store
Provides secure, hierarchical storage for configuration data and secrets management
Highly scalable, available, and durable
One can store configuration data such as passwords, database URLs, and license codes as parameter values
Parameter values can be stored as String, StringList, or SecureString (encrypted with a KMS key, so the caller also needs permission on that key to read the plaintext)
One can reference the parameters in scripts, commands, and configuration and automation workflows by using the unique name that was specified when the parameter was created
AWS Secrets Manager
The following is the summary of the various features/capabilities of Secrets Manager:
Helps one manage, retrieve, and rotate database credentials, application credentials, OAuth tokens, API keys, and other secrets throughout their lifecycles
Many AWS services store and use secrets in Secrets Manager
One can configure an automatic rotation schedule for the secrets, which invokes an AWS Lambda function to generate and store the new secret value
Integrated with RDS, Aurora, Redshift, DocumentDB for secrets management
Multi-Region secrets means the primary secret in a Region is replicated to other Regions (replica) and kept in sync
AWS Certificate Manager (ACM)
The following is the summary of the various features/capabilities of the Certificate Manager:
Helps one create, store, manage, and renew publicly trusted SSL/TLS certificates that protect secure websites and applications
Support for both public and private SSL/TLS certificates
Public certificates are issued by Amazon Trust Services, the AWS public Certificate Authority (CA)
Private certificates are issued by a private CA that one creates in AWS Private CA, which integrates with ACM
Support for automatic renewal of SSL/TLS certificates
Integration with Elastic Load Balancers (ELB), CloudFront distributions, API Gateway, Elastic Beanstalk
Public ACM certificates CANNOT be exported, so they cannot be installed directly on EC2 instances (ACM for Nitro Enclaves being the exception); TLS is terminated on the integrated services instead
One can also import a public SSL/TLS certificate created externally, but imported certificates are not renewed automatically
One can request a public SSL/TLS certificate as follows
List single or multiple domain names including wildcards (fully qualified like api.example.com as well as wildcard *.example.com)
Select the validation method - DNS (preferred) or Email
For DNS validation, ACM provides a CNAME record that must be added to the domain's DNS zone (any DNS provider works; Route 53 can add it with one click)
The domain itself is typically pointed at the ELB or CloudFront endpoint with a Route 53 Alias record
After validation (usually within minutes once the DNS record propagates), the certificate is issued and ACM renews it automatically, starting 60 days before expiry, as long as the validation CNAME record stays in place
AWS Web Application Firewall (WAF)
The following is the summary of the various features/capabilities of Web Application Firewall:
Allows one to protect web applications (Layer 7) from common exploits (SQL Injection, Cross-Site Scripting)
One can protect resources such as CloudFront distributions, API Gateway REST APIs, Application Load Balancers (ALB), Cognito User Pools, AppSync GraphQL APIs, App Runner services, and Verified Access instances
One needs to define a Web Access Control List (Web ACL) to protect web resources; its rules can be based on
Geo-location - country of origin
IP Set - based on IP addresses (up to 10,000 addresses or CIDR ranges per IP set)
HTTP headers, body, or URI string
Request size constraints
Rate-based rules - block a source IP once its request count over a trailing 5-minute window exceeds the configured limit (Layer 7 DDoS and brute-force protection)
Web ACLs are Regional resources, except for CloudFront distributions, which use a Global Web ACL managed from us-east-1
Each Rule contains a statement that defines the inspection criteria and an action (Allow, Block, Count, CAPTCHA, or Challenge) to take if the criteria are met; rules are evaluated in priority order and the first terminating action wins
A Rule Group is a reusable set of rules one can add to a Web ACL; AWS Managed Rules provide ready-made groups for common threats
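An added illustration (not from the page or from AWS) of how a Web ACL disposes of requests: rules are evaluated in priority order, the first matching rule's Block action terminates evaluation, and the default action applies otherwise. The Go program below models a geo match, an IP set, and a rate-based rule and runs constructed traffic from documentation IP ranges through them. The rate counter is a simplified exact version of WAF's windowed count, and the limit of 3 is far below anything WAF would accept in production; both are assumptions made for the demo.

```go
package main

import (
	"fmt"
	"net/netip"
	"time"
)

// Request is the part of an HTTP request this example's rules inspect (WAF derives Country from the source IP).
type Request struct{ Source netip.Addr; Country string; At time.Time }

// Rule is one Web ACL rule: a name and its match statement. Every rule here uses the Block action.
type Rule struct {
	Name  string
	Match func(Request) bool
}

// GeoMatch mirrors a geo match statement over a list of ISO 3166 country codes.
func GeoMatch(name string, countries ...string) Rule {
	set := map[string]bool{}
	for _, c := range countries {
		set[c] = true
	}
	return Rule{name, func(r Request) bool { return set[r.Country] }}
}

// IPSetMatch mirrors an IP set reference statement over CIDR blocks.
func IPSetMatch(name string, cidrs ...string) Rule {
	var set []netip.Prefix
	for _, c := range cidrs {
		set = append(set, netip.MustParsePrefix(c))
	}
	return Rule{name, func(r Request) bool {
		for _, p := range set {
			if p.Contains(r.Source) {
				return true
			}
		}
		return false
	}}
}

// RateBased counts requests per source IP over a trailing window and matches once the count
// exceeds limit. WAF's classic window is 5 minutes; this is a simplified, exact counter.
func RateBased(name string, limit int, window time.Duration) Rule {
	seen := map[netip.Addr][]time.Time{}
	return Rule{name, func(r Request) bool {
		kept := seen[r.Source][:0] // forget timestamps that have left the window
		for _, t := range seen[r.Source] {
			if r.At.Sub(t) < window {
				kept = append(kept, t)
			}
		}
		seen[r.Source] = append(kept, r.At)
		return len(seen[r.Source]) > limit
	}}
}

type WebACL struct{ Rules []Rule; DefaultAction string } // Rules in ascending priority order

// Evaluate returns the name of the first rule that matches (its Block action terminates), else the default action.
func (w *WebACL) Evaluate(r Request) string {
	for _, rule := range w.Rules {
		if rule.Match(r) {
			return rule.Name
		}
	}
	return w.DefaultAction
}

func Summarize(acl *WebACL, reqs []Request) map[string]int {
	out := map[string]int{}
	for _, r := range reqs {
		out[acl.Evaluate(r)]++
	}
	return out
}

// DemoACL and DemoTraffic are constructed for this example; the addresses are documentation ranges.
func DemoACL() *WebACL {
	return &WebACL{DefaultAction: "ALLOW", Rules: []Rule{
		GeoMatch("block-embargoed", "KP"),
		IPSetMatch("block-known-bad", "203.0.113.0/24"),
		RateBased("rate-limit", 3, 5*time.Minute), // limit kept tiny for the demo; real limits are far higher
	}}
}

func DemoTraffic() []Request {
	t0 := time.Date(2024, 1, 17, 12, 0, 0, 0, time.UTC)
	req := func(ip, cc string, at time.Time) Request { return Request{netip.MustParseAddr(ip), cc, at} }
	reqs := []Request{req("198.51.100.10", "US", t0), req("203.0.113.7", "US", t0), req("198.51.100.20", "KP", t0)}
	for i := 1; i <= 5; i++ { // a burst from the first client: its 4th, 5th and 6th hits in the window are blocked
		reqs = append(reqs, req("198.51.100.10", "US", t0.Add(time.Duration(i)*time.Second)))
	}
	return append(reqs, req("198.51.100.10", "US", t0.Add(10*time.Minute))) // window elapsed: allowed again
}

func main() {
	fmt.Println(Summarize(DemoACL(), DemoTraffic()))
}
```

Because the geo and IP set rules sit at higher priority, a request they block never reaches the rate-based rule and so is not counted against that client; reordering the rules changes both the counts and which rule shows up in the sampled-request logs.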
AWS Shield
The following is the summary of the various features/capabilities of Shield:
Provides protection against Distributed Denial of Service (DDoS) attacks for AWS resources, at the network and transport layers (layer 3 and 4) and the application layer (layer 7)
The following are the two levels of protection against DDoS attacks:
AWS Shield Standard
Free service that is activated for all AWS customers
Protection from SYN/UDP floods, reflection attacks, and other Layer 3/4 attacks
AWS Shield Advanced
Optional DDoS mitigation service - costs $3,000 per month per organization with a 1-year commitment
Protection from more sophisticated attacks on EC2, ELB, CloudFront, Global Accelerator, and Route 53
24/7 access to the AWS Shield Response Team (SRT)
Automatically creates, evaluates, and deploys AWS WAF rules to mitigate Layer 7 attacks
Includes cost protection against scaling charges incurred during a DDoS attack
AWS Firewall Manager
The following is the summary of the various features/capabilities of Firewall Manager:
Simplifies the administration and maintenance of rules across all the accounts and resources of an AWS organization
Can set the security policy (a common set of security rules) for a variety of protections, including WAF, Shield Advanced, Security Groups for resources in VPC, AWS Network Firewall, and Amazon Route 53 Resolver DNS Firewall
Policies/Rules created at a Region level
One needs to set up the protections just once and the service automatically applies them across all accounts and resources, EVEN for future new accounts and resources
Costs $100 per policy per Region per month, on top of the underlying WAF, Shield Advanced, or Network Firewall charges
AWS GuardDuty
The following is the summary of the various features/capabilities of GuardDuty:
Is an intelligent and continuous security monitoring service that can help identify unexpected and potentially unauthorized or malicious activity in an AWS account
It uses threat intelligence feeds, such as lists of malicious IP addresses and domains, and machine learning to identify malicious activity
Processes events from various sources, such as CloudTrail management and S3 data events, VPC Flow Logs, DNS logs, EKS audit logs, RDS login activity, Lambda network activity, and EBS volume snapshots for malware scanning
One can set up EventBridge rules to notify or trigger remediation in case of findings
Can detect compromised EC2 instances and container workloads that are used for crypto mining
If the service is DISABLED (as opposed to suspended), all findings and configuration are deleted; suspending it keeps them but stops analysis
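An added example (not from the page or from AWS) of the EventBridge routing step: a rule's event pattern decides which findings reach a notification or remediation target. The Go program below re-implements the subset of EventBridge pattern semantics these patterns need (exact values, numeric comparisons, prefixes) and runs two constructed patterns, one for High severity and above and one for any crypto-mining finding, over constructed, trimmed-down finding events. The patterns are what one would put in the EventBridge rule; the matcher exists only so their effect can be seen offline.

```go
package main

import (
	"encoding/json"
	"fmt"
	"reflect"
	"strings"
)

// Matches reports whether event satisfies an EventBridge-style pattern: every pattern key must
// match (AND), a key's array lists alternatives (OR), and an alternative is either an exact value
// or a matcher object such as {"numeric": [">=", 7]} or {"prefix": "Crypto"}. Subset only.
func Matches(pattern, event map[string]any) bool {
	for key, want := range pattern {
		if nested, ok := want.(map[string]any); ok { // nested object such as "detail": recurse
			g, ok := event[key].(map[string]any)
			if !ok || !Matches(nested, g) {
				return false
			}
			continue
		}
		alts, _ := want.([]any) // leaf values in a valid pattern are always arrays of alternatives
		matched := false
		for _, alt := range alts {
			matched = matched || matchOne(alt, event[key])
		}
		if !matched {
			return false
		}
	}
	return true
}

var cmp = map[string]func(a, b float64) bool{
	"<": func(a, b float64) bool { return a < b }, "<=": func(a, b float64) bool { return a <= b },
	">": func(a, b float64) bool { return a > b }, ">=": func(a, b float64) bool { return a >= b },
}

// matchOne tests a single alternative against a single event value.
func matchOne(alt, v any) bool {
	m, isMatcher := alt.(map[string]any)
	if !isMatcher {
		return reflect.DeepEqual(alt, v) // exact match; JSON numbers decode as float64 on both sides
	}
	if p, ok := m["prefix"].(string); ok {
		s, isStr := v.(string)
		return isStr && strings.HasPrefix(s, p)
	}
	ops, ok := m["numeric"].([]any)
	n, isNum := v.(float64)
	if !ok || !isNum || len(ops)%2 != 0 {
		return false
	}
	for i := 0; i < len(ops); i += 2 { // e.g. [">", 0, "<=", 5]: every (op, bound) pair must hold
		op, _ := ops[i].(string)
		bound, _ := ops[i+1].(float64)
		if f := cmp[op]; f == nil || !f(n, bound) {
			return false
		}
	}
	return true
}

// Two rule patterns, constructed for this example: one for findings of severity 7.0 and above,
// one for any crypto-mining finding regardless of severity.
const HighSeverityPattern = `{"source": ["aws.guardduty"], "detail-type": ["GuardDuty Finding"],
  "detail": {"severity": [{"numeric": [">=", 7]}]}}`
const CryptoMiningPattern = `{"source": ["aws.guardduty"], "detail": {"type": [{"prefix": "CryptoCurrency:"}]}}`

// SampleEvents are constructed, trimmed-down events (real findings carry far more detail).
var SampleEvents = []string{
	`{"source":"aws.guardduty","detail-type":"GuardDuty Finding","detail":{"type":"CryptoCurrency:EC2/BitcoinTool.B!DNS","severity":8}}`,
	`{"source":"aws.guardduty","detail-type":"GuardDuty Finding","detail":{"type":"CryptoCurrency:EC2/BitcoinTool.B","severity":5}}`,
	`{"source":"aws.guardduty","detail-type":"GuardDuty Finding","detail":{"type":"UnauthorizedAccess:IAMUser/MaliciousIPCaller.Custom","severity":7}}`,
	`{"source":"aws.ec2","detail-type":"EC2 Instance State-change Notification","detail":{"state":"running"}}`,
}

// MatchingTypes returns the finding types of the events a rule with this pattern would deliver.
func MatchingTypes(patternJSON string, events []string) ([]string, error) {
	var pattern map[string]any
	if err := json.Unmarshal([]byte(patternJSON), &pattern); err != nil {
		return nil, err
	}
	var out []string
	for _, e := range events {
		var ev map[string]any
		if err := json.Unmarshal([]byte(e), &ev); err != nil {
			return nil, err
		}
		if Matches(pattern, ev) {
			detail, _ := ev["detail"].(map[string]any)
			typ, _ := detail["type"].(string)
			out = append(out, typ)
		}
	}
	return out, nil
}

func main() {
	fmt.Println(MatchingTypes(HighSeverityPattern, SampleEvents))
	fmt.Println(MatchingTypes(CryptoMiningPattern, SampleEvents))
}
```

The severity-5 crypto-mining finding is the reason for the second pattern: a rule keyed on severity alone would drop it, while a type-prefix rule routes every CryptoCurrency finding regardless of how GuardDuty scores it.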
AWS Inspector
The following is the summary of the various features/capabilities of Inspector:
Is an automated security vulnerability assessment service that helps improve the security and compliance of the AWS resources
Scans continuously rather than on a schedule: resources are rescanned when their software changes or when new CVEs are published
Automatically assesses resources for vulnerabilities or deviations from best practices, and then produces a detailed list of security findings prioritized by level of severity
Automatically discovers and scans running EC2 instances, container images in Elastic Container Registry (ECR), and Lambda functions for known software vulnerabilities and unintended network exposure
The findings are shown in the Inspector console and, when enabled, forwarded to AWS Security Hub (which provides a comprehensive view of the security state of the AWS environment) and to EventBridge
AWS Macie
The following is the summary of the various features/capabilities of Macie:
Is a fully managed data security and data privacy service that uses machine learning and pattern matching to discover and protect sensitive data stored in S3
Can alert against Personally Identifiable Information (PII), Protected Health Information (PHI), API keys, secret keys, etc
References
Official AWS Directory Service Documentation
Official Amazon Cognito Documentation
Official AWS Key Management Service Documentation
Official AWS SSM Parameter Store Documentation
Official AWS Secrets Manager Documentation
Official AWS Certificate Manager Documentation
Official AWS Web Application Firewall Documentation
Official AWS Shield Documentation
Official AWS Firewall Manager Documentation
Official AWS GuardDuty Documentation