eavesdropping
Possibility of damage = risk
remove vulnerabilities, protect from threat
[Diagram: Information (confidential data, code, financial data) faces threats (eavesdropping) through vulnerabilities (bad settings, etc.); the possibility of damage is the risk]
Confidentiality, Integrity, Availability:
• of persons with valid rights (authorized persons) to use the information.
• The information has not been modified (by someone who does not have a valid right).
• Ability to use information when needed.
user? = Authentication, What can they use? = Authorization
• IAM manages Authentication and Authorization
• IAM has the following basic resources
• IAM User: created and authenticated individually
• IAM Group: manages multiple users in one group
• IAM Policy: describes authorization information; can be attached to a User, Group or Role
• IAM Role: can be attached to AWS resources, and the resource then has the permission; an IAM User is also able to assume a Role
[Diagram: IAM User belongs to IAM Group; IAM Policy attached to User, Group and Role; Instance with IAM Role; IAM User assumes IAM Role]
IAM Policy defines what we can access (Resource), which operation (Action), and Allow/Deny (Effect) in a policy; add a Condition as necessary
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [ "s3:Get*" ],
          "Resource": [ "arn:aws:s3:::test-data", "arn:aws:s3:::test-data/*" ],
          "Condition": { "Bool": { "aws:MultiFactorAuthPresent": "true" } }
        }
      ]
    }
Callouts on the example: Resource: data in the 'test-data' S3 bucket; Action: operations beginning with Get; Effect: Allow; Condition: MFA is enabled
that means who can use it, in an IAM Role trust policy, Bucket policy, etc.
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [ "sts:AssumeRole" ],
          "Principal": { "Service": [ "ec2.amazonaws.com" ] }
        }
      ]
    }
trust policy: EC2 can use this IAM Role
• If you know the basic elements such as Resource, Action, Effect, Condition and Principal, you can broadly understand AWS policies such as a Bucket policy or a KMS key policy.
[Diagram: Instance assumes IAM Role (with trust policy) that has an IAM Policy attached]
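The Effect / Action / Resource / Condition evaluation that the two policy slides describe, as an added example (not AWS code): a minimal evaluator run over the slide's own MFA policy. Principal is not modelled, and only the Bool condition operator and '*' wildcards are implemented; explicit Deny beats Allow, and no match means implicit deny.

```python
"""Minimal IAM policy evaluator (added example, not AWS's own engine).

Statements carry Effect, Action, Resource and an optional Condition, as on
the slide; Principal is not modelled. Only '*' wildcards and the Bool
condition operator are implemented, and Action/Resource must be lists.
"""
from fnmatch import fnmatchcase

# The policy from the slide: s3:Get* on the test-data bucket, only with MFA.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:Get*"],
        "Resource": ["arn:aws:s3:::test-data", "arn:aws:s3:::test-data/*"],
        "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}},
    }],
}


def _condition_holds(condition, context):
    # Every operator block and every key inside it must match (AND semantics).
    for operator, pairs in condition.items():
        if operator != "Bool":
            raise NotImplementedError(f"condition operator {operator}")
        for key, expected in pairs.items():
            # A Bool key missing from the request context does not match.
            if str(context.get(key, "")).lower() != str(expected).lower():
                return False
    return True


def evaluate(policy, action, resource, context=None):
    """Return 'Allow' or 'Deny' for one request; the default is implicit deny."""
    context = context or {}
    decision = "Deny"
    for stmt in policy["Statement"]:
        # Action names are case-insensitive, resource ARNs are case-sensitive.
        if not any(fnmatchcase(action.lower(), p.lower()) for p in stmt["Action"]):
            continue
        if not any(fnmatchcase(resource, p) for p in stmt["Resource"]):
            continue
        if not _condition_holds(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # an explicit Deny beats any Allow
        decision = "Allow"
    return decision
```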
accounts
• Can manage accounts in groups by using Organizational Units (OU)
• Has an aggregation feature and automatic enablement of security services
• Can apply preventive guardrails with Service Control Policy (SCP)
• Can share resources with AWS Resource Access Manager (RAM)
[Diagram: AWS Organizations Management account with Organizational units (OU); the valid policy is the overlap of the SCP and the IAM Policy; security services such as GuardDuty aggregate to 1 account and are automatically enabled in the member accounts]
a best-practice multi-account environment
• Automatically configures IAM Identity Center, CloudTrail, Config, and an SNS Topic for notifications
• Easily configure and manage preventive and detective guardrails
• Can be applied to multiple regions
[Diagram: AWS Control Tower. Management account: AWS Organizations, AWS IAM Identity Center, Amazon SNS. Security OU: Log Archive account (S3 with CloudTrail Logs and Config Logs) and Audit account (AWS Config Aggregator). Workloads OU: Prod account with Security Baseline (CloudTrail, AWS Config) and Network Baseline (Amazon VPC)]
(who, when, what)
• You need to configure data events such as S3 additionally
• By default, 90 days of events are stored by the service
• You need to set up a trail to keep events for more than 90 days and store them in S3 buckets or CloudWatch Logs
[Diagram: operations from a Program or the AWS Management Console on an Instance and IAM are recorded by CloudTrail, which stores the operation history as Logs in S3]
(what, when, how)
• By default, 7 years (2,557 days) of events are stored by the service
[Diagram: configuration changes made from an Application or the AWS Management Console (e.g. an instance changed from t3.small to t3.large, an IAM Policy change) are recorded by AWS Config, which stores the configuration history and delivers it to S3]
configuration settings
• For example, you can check the following configurations
  • Trail in CloudTrail is enabled
  • SSH port is not exposed in a Security Group
• You can set up auto-remediation
• Automation in Systems Manager can be used as an auto-remediation action.
[Diagram: ① AWS Config Rule checks the Security group / Instance; ② Automation (auto-remediation) remediates]
metrics and logs
• CloudWatch has basic features such as Metrics, Logs, Alarms
• CloudWatch has an Events feature, but the newer EventBridge should be used
• Synthetics, RUM, Evidently are relatively new features in CloudWatch
• You can use CloudWatch with on-premises servers by installing the agent
[Diagram: Instance, Server (CloudWatch Agent), Application and Amazon Aurora send Metrics or Logs to Amazon CloudWatch; an Alarm sends a Notification]
processing when any event occurs in AWS
• EventBridge is used for event-driven applications, but it is also widely used for security-related notifications and incident response
• Security services such as GuardDuty also use EventBridge for notification
[Diagram: CloudTrail Event → EventBridge → SNS Topic (Notification) / Lambda function. Connect a specific operation as an event; use an SNS Topic for a notification; a Lambda function can be used as a target]
accounts, you can use it by only enabling it
• Inputs are VPC Flow Logs, CloudTrail, S3 data access logs, DNS logs, Kubernetes audit logs, EBS (Malware), RDS activities
• EventBridge is used for a notification
[Diagram: Flow logs, CloudTrail, Amazon RDS, Amazon EKS, S3, Amazon EBS and DNS Logs feed GuardDuty, which detects and emits an Event to EventBridge → SNS Topic Notification; dates shown: 2022/1, 2020/7, 2022/7, 2023/3]
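The GuardDuty → EventBridge → SNS notification path on the two preceding slides, as an added example (not AWS code): an EventBridge-style pattern matcher that selects only high-severity findings for the topic. The sample events are constructed; `source` and `detail-type` values are the ones EventBridge uses for GuardDuty and Config, and the finding ids are placeholders.

```python
"""EventBridge-style event pattern matching (added example, not AWS code).
A rule's pattern picks the GuardDuty findings that should reach the SNS topic:
each pattern key lists acceptable values, nested objects match recursively,
and 'numeric' filters compare the severity. Sample events are constructed."""


def _numeric(rule, value):
    # rule reads like [">=", 7] or [">", 4, "<=", 8]; the pairs are ANDed.
    ops = {">": lambda a, b: a > b, ">=": lambda a, b: a >= b,
           "<": lambda a, b: a < b, "<=": lambda a, b: a <= b, "=": lambda a, b: a == b}
    if isinstance(value, bool) or not isinstance(value, (int, float)):
        return False
    return all(ops[rule[i]](value, rule[i + 1]) for i in range(0, len(rule), 2))


def matches(pattern, event):
    """True when every pattern key is present in the event with an allowed value."""
    for key, allowed in pattern.items():
        if key not in event:
            return False
        value = event[key]
        if isinstance(allowed, dict):  # nested object: recurse
            if not (isinstance(value, dict) and matches(allowed, value)):
                return False
            continue
        # A list: any one candidate matching is enough (OR semantics).
        if not any(_numeric(c["numeric"], value) if isinstance(c, dict) else c == value
                   for c in allowed):
            return False
    return True


# Rule pattern: GuardDuty findings with severity 7.0 and above.
HIGH_SEVERITY_FINDINGS = {
    "source": ["aws.guardduty"],
    "detail-type": ["GuardDuty Finding"],
    "detail": {"severity": [{"numeric": [">=", 7]}]},
}

# Constructed sample events; the 'id' values are placeholders, not real finding ids.
SAMPLE_EVENTS = [
    {"source": "aws.guardduty", "detail-type": "GuardDuty Finding",
     "detail": {"id": "finding-1", "severity": 8.0}},
    {"source": "aws.guardduty", "detail-type": "GuardDuty Finding",
     "detail": {"id": "finding-2", "severity": 2.0}},
    {"source": "aws.config", "detail-type": "Config Rules Compliance Change",
     "detail": {"id": "finding-3"}},
]


def select_for_notification(pattern, events):
    """Return the ids of the events the rule would forward to its targets."""
    return [e["detail"]["id"] for e in events if matches(pattern, e)]
```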
(Hub) for various AWS security services
• You can also aggregate 3rd-party security services' information
• You can check against industry standards and best practices
  • CIS AWS Foundations Benchmark
  • Payment Card Industry Data Security Standard (PCI DSS)
  • AWS Foundational Security Best Practices
[Diagram: GuardDuty, Amazon Macie, Amazon Inspector, AWS Config, etc. aggregate into AWS Security Hub; Security Hub deploys Config rules (AWS Config Rules) as standard checks]
be used with EC2 instances, ECR (Container images), Lambda Functions (New!)
• Package vulnerability scans and network reachability scans are available
• You need to install the Systems Manager (SSM) agent with scanning packages in EC2
[Diagram: Amazon Inspector scans Amazon EC2 (via the SSM Agent), Amazon ECR Image and AWS Lambda for vulnerabilities; date shown: 2022/12]
performance, security, fault tolerance, and service limitations according to AWS best practices
• Requires Business Support or a higher support plan to use
• Recommended to be viewed proactively as it is automatically enabled and free of charge
into a virtual private network
• There are public subnets that communicate directly with the Internet and private subnets that cannot communicate directly with the Internet
• You can control access with Network ACL and Security Group
• VPC Flow Logs can be stored in S3 or CloudWatch Logs
• VPC endpoints are used for private connections to AWS services
[Diagram: Virtual private cloud (VPC) with a Public subnet (ALB, Security group) and a Private subnet (Instance, Security group), each subnet behind a NACL; Flow logs go to S3 Logs; Endpoints connect to S3]
"Differences between Security Groups and Network ACL"
                     | Security Group                 | Network ACL
Setting target       | Resources such as EC2 instance | Subnets
Default              | All Deny                       | All Allow
Allow/Deny           | Can configure only Allow       | Can configure Allow/Deny
Stateful/Stateless   | Stateful (set one direction)   | Stateless (set back and forth)
can protect from application attacks such as SQL Injection and Cross Site Scripting
• WAF (WEB ACL) can be attached to Amazon CloudFront, Amazon API Gateway, ALB, AWS AppSync, Amazon Cognito User pool
• A WEB ACL is like a box; you add rules or rule groups to the WEB ACL
• AWS and security companies provide managed rules; you can also create your own rules such as IP restrictions
[Diagram: WEB ACL containing a Managed rule and a Rule, attached to ALB, API Gateway, CloudFront, AppSync, Cognito; dates shown: 2022/8, 2020/10]
manages keys used to encrypt data in AWS
• KMS keys are often used by other AWS services without the user's knowing
• You can control access with a Key Policy
• KMS has an auto-rotation feature
• Server-side encryption and Client-side encryption
• AWS CloudHSM provides dedicated hardware; you can manage keys in a VPC
[Diagram "Encryption with S3 Bucket": Client-side encryption: the Application encrypts before storing to S3; Server-side encryption: S3 encrypts the data it receives from the Application]
your data-key with envelope encryption
• Data is encrypted by the data-key; the data-key is encrypted by the KMS-key
• You can't decrypt your data without the KMS key, so you can store both the data-key and the data in a database
• The KMS-key is called when data is decrypted
[Diagram: Data encrypted with the Data Key → Encrypted Data; the Data Key encrypted with the KMS Key held in AWS KMS]
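The envelope-encryption flow on this slide, as an added example (not AWS KMS code): a constructed stand-in KMS that exposes only GenerateDataKey and Decrypt, a record that stores the encrypted data key next to the ciphertext, and a decrypt path that calls "KMS" only to unwrap the data key. The cipher is a standard-library stand-in (HMAC-SHA256 keystream with an HMAC tag); a real system would use AES-GCM.

```python
"""Envelope encryption walk-through (added example, not AWS's KMS code).
The stand-in KMS exposes only GenerateDataKey and Decrypt, never the KMS key.
The cipher is also a stand-in (HMAC-SHA256 keystream + tag, stdlib only);
production code would use AES-GCM."""
import hashlib
import hmac
import secrets

def _keystream(key, nonce, length):
    enc_key = hashlib.sha256(b"enc" + key).digest()  # kept separate from the MAC key
    blocks = (hmac.new(enc_key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]

def _tag(key, data):
    return hmac.new(hashlib.sha256(b"mac" + key).digest(), data, hashlib.sha256).digest()

def seal(key, plaintext):
    """Encrypt-then-MAC; output layout is nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + _tag(key, nonce + ct)

def open_sealed(key, blob):
    """Verify the tag first; a wrong key or a tampered blob raises ValueError."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, _tag(key, nonce + ct)):
        raise ValueError("authentication failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

class FakeKms:
    """Constructed stand-in for AWS KMS: the KMS key never leaves this object."""
    def __init__(self):
        self._kms_key = secrets.token_bytes(32)
    def generate_data_key(self):
        """Like GenerateDataKey: returns the plaintext key and its encrypted form."""
        data_key = secrets.token_bytes(32)
        return data_key, seal(self._kms_key, data_key)
    def decrypt(self, encrypted_data_key):
        """Like Decrypt: unwraps a data key that was encrypted under the KMS key."""
        return open_sealed(self._kms_key, encrypted_data_key)

def encrypt_record(kms, data):
    """What gets stored in the database: ciphertext plus the encrypted data key."""
    data_key, encrypted_data_key = kms.generate_data_key()
    return {"ciphertext": seal(data_key, data), "encrypted_data_key": encrypted_data_key}

def decrypt_record(kms, record):
    """KMS is called only to unwrap the data key; the data itself never reaches KMS."""
    return open_sealed(kms.decrypt(record["encrypted_data_key"]), record["ciphertext"])
```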
You can control access with IAM Policy and Bucket Policy, Access Control List (ACL)
• ACL is currently deprecated and is used only for per-object control https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-policy-alternatives-guidelines.html
• S3 has a default object encryption feature; you can encrypt objects by enabling it and can use a KMS-key
[Diagram: IAM Policy and Bucket Policy control Access to the S3 Bucket; an Object ACL applies per Object; objects are encrypted]
with Secrets Manager
• Applications can connect to databases using credentials stored in Secrets Manager
• Secrets Manager and Systems Manager Parameter Store are similar, but they have the following differences
                      | Secrets Manager                 | Parameter Store
Target data           | Credentials                     | A wide range of configuration data (data can be encrypted with Secure String)
Auto-rotation         | Yes                             | No
Database integration  | Support for RDS, Redshift, etc. | No
Price                 | A charge                        | Standard is free (*KMS encryption and Advanced are a charge)
[Diagram: App on an Instance 1. gets credentials (Password) from AWS Secrets Manager, 2. connects to Amazon RDS]
security and compliance documents
• AWS ISO certifications, Payment Card Industry (PCI) reports are provided
• You can submit the documents to your auditors or regulators
• You can manage agreements such as the Business Associate Addendum (BAA), which is required for companies that are subject to the Health Insurance Portability and Accountability Act (HIPAA)
• You can manage agreements for multiple accounts with Organizations
[Diagram: AWS Artifact: download compliance documents, accept agreements]
only EC2 instances, it now has many features to manage many resources in AWS
• Key security-related features are the following
  • Patch Manager: automates the process of patching
  • Inventory: provides visibility of software metadata
  • Session Manager: connect to EC2 instances with IAM, without opening the SG
  • Parameter Store: can store data such as passwords, database strings
  • OpsCenter: can manage operational work items as OpsItems related to AWS
  • Incident Manager: can manage events, escalation flows
  • Automation: can execute operations registered as a Document
• I can't show everything about Systems Manager on this page, so please refer to the official documents for more details https://docs.aws.amazon.com/systems-manager/latest/userguide/what-is-systems-manager.html
sources such as S3
• You can run developer-related SQL queries ad hoc against low-cost storage
• From a security perspective, analysis of CloudTrail and VPC Flow Logs can be performed
• Table schemas are managed by the AWS Glue Data Catalog
[Diagram: Flow logs, CloudTrail, ALB and Amazon CloudFront Logs stored in S3 are queried by Athena with SQL; table schemas are in the AWS Glue Data Catalog]
You can see information related to IAM User, Role, IP addresses along with time-series information
• For example, you can see what a particular IAM User was doing between 10:00 and 12:00
[Diagram: timeline 9:00 to 13:00 with an Attack; GuardDuty detects a threat at a point in time, Security Hub assesses at a point in time, Detective covers a period of time]
and analytics engine for use cases such as log analytics, real-time application monitoring, and clickstream analysis.
• Amazon OpenSearch is managed by AWS
• From a security perspective, you can aggregate logs and analyze security events
• Multiple logs can be imported for correlation analysis and graphing
• There is a solution "SIEM on Amazon OpenSearch Service"
• At re:Invent 2022, OpenSearch Serverless was announced
SIEM on Amazon OpenSearch Service: https://github.com/aws-samples/siem-on-amazon-opensearch-service
strong identity foundation
• Maintain traceability
• Apply security at all layers
• Automate security best practices
• Protect data in transit and at rest
• Keep people away from data
• Prepare for security events
AWS Well-Architected Framework Security Design principles: https://docs.aws.amazon.com/wellarchitected/latest/framework/sec-design.html