AWS Security


Shared Responsibility Model

Security IN the Cloud - the customer is responsible: their data and its classification, the encryption choices, IAM users and permissions, operating system and application patching on their instances, and network and firewall (security group) configuration.

Security OF the Cloud - AWS is responsible: the physical hardware, the software and operation of the managed services, and the global infrastructure (regions, availability zones and edge locations).

AWS Compliance Programs

A compliance program is the set of internal policies and procedures a company follows to comply with laws, rules and regulations, or to uphold its business reputation. Two examples that come up constantly on AWS:

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is US legislation that provides data privacy and security provisions for safeguarding medical information (protected health information, PHI).

The Payment Card Industry Data Security Standard (PCI DSS) applies when we sell things online and have to handle credit card (cardholder) data.

AWS Artifact

How do we prove AWS meets a given compliance standard?

A no-cost, self-service portal that gives on-demand access to AWS security and compliance reports (for example SOC and PCI reports) and to select online agreements. The reports are produced by third-party auditors against global compliance frameworks; they cover AWS's side of the shared responsibility model, not our own configuration.

On the Services menu, search for "Artifact" and open AWS Artifact. On the next page, choose the desired compliance report, accept the terms and download the document.

Amazon Inspector

How do we prove an EC2 instance is hardened?

Hardening - the act of eliminating as many security risks as possible (unneeded services, open ports, weak configuration, missing patches).

Amazon Inspector runs security assessments against specific EC2 instances. We choose from a variety of rules packages (benchmarks).

It can perform both network assessments (which ports are reachable from outside the VPC) and host assessments (configuration and vulnerabilities on the instance itself).

  1. Install the Inspector agent on our EC2 instances (host assessments need the agent; network assessments do not).
  2. Run an assessment against our assessment target (a group of instances selected by tag).
  3. Review our findings and remediate the security issues.

One very popular benchmark we can run is the CIS (Center for Internet Security) Benchmark rules package, which has 699 checks.

AWS Web Application Firewall (WAF)

It protects our web applications from common web exploits. We write our own rules to ALLOW or BLOCK traffic based on the contents of an HTTP request (source IP, headers, URI, query string, body), or use a managed ruleset from a trusted AWS Security Partner in the AWS WAF Rules Marketplace. A WAF web ACL can be attached to CloudFront, an Application Load Balancer or an API Gateway.

It helps protect web applications from the attacks covered in the OWASP Top 10 (2017 edition) list of most dangerous attacks. A WAF inspects individual requests, so it mitigates the request-level items (injection, XSS, requests aimed at known-vulnerable components) but cannot by itself fix the design and operations items such as insufficient logging:

  1. Injection
  2. Broken Authentication
  3. Sensitive data exposure
  4. XML External Entities (XXE)
  5. Broken Access Control
  6. Security misconfigurations
  7. Cross-Site Scripting (XSS)
  8. Insecure Deserialization
  9. Using Components with known vulnerabilities
  10. Insufficient logging and monitoring

AWS Shield

It is a managed DDoS (Distributed Denial of Service) protection service that safeguards applications running on AWS.

What is a DDoS attack?

A malicious attempt to disrupt normal traffic by flooding a website with a large amount of fake traffic from many sources at once.

All AWS customers benefit from the automatic protections of AWS Shield Standard at no additional charge.

When we route our traffic through Route 53 or CloudFront, we are using AWS Shield Standard.

Shield Standard protects against the most common network (Layer 3) and transport (Layer 4) attacks such as SYN floods and UDP reflection; Shield Advanced, together with AWS WAF, extends protection to application-layer (Layer 7) attacks.

Shield Standard is free and covers protection against the most common DDoS attacks, plus access to tools and best practices to build a DDoS-resilient architecture.

Automatically enabled for all AWS customers.

Shield Advanced costs 3,000 USD per month (with a one-year commitment) and gives additional protection against larger and more sophisticated attacks, visibility into attacks, 24x7 access to the AWS DDoS Response Team for complex cases, and cost protection against the scaling charges an attack causes.

Available on:

  • Amazon Route 53
  • Amazon CloudFront
  • Elastic Load Balancing
  • AWS Global Accelerator
  • Elastic IP (Amazon Elastic Compute Cloud and Network Load Balancer).

Penetration Testing

An authorized simulated cyber attack on a computer system performed to evaluate the security of the system.

Can we perform pen testing on AWS? Yes. For the services below no prior approval is needed, as long as we stay within AWS's customer support policy for penetration testing.

Permitted Services

  1. EC2 instances, NAT Gateways and ELB
  2. RDS
  3. CloudFront
  4. Aurora
  5. API Gateway
  6. AWS Lambda and Lambda@Edge functions
  7. Lightsail resources
  8. Elastic Beanstalk environments

Prohibited Activities

  • DNS zone walking via Amazon Route 53 Hosted Zones
  • Denial of Service (DoS), Distributed Denial of Service (DDoS), Simulated DoS, Simulated DDoS.
  • Port flooding
  • Protocol flooding
  • Request flooding (login request flooding, API request flooding)

For other simulated events (anything outside the list above) we need to submit a request to AWS; a reply could take up to 7 days.


What is IDS/IPS?

Intrusion Detection System and Intrusion Prevention System. A device or software application that monitors a network or systems for malicious activity or policy violations; an IDS detects and alerts, an IPS additionally blocks the traffic.

How do we detect if someone is attempting to gain access to our AWS account or resources?

GuardDuty is a threat detection service that continuously monitors for malicious or suspicious activity and unauthorized behavior. It uses machine learning, anomaly detection and threat intelligence feeds (known bad IPs and domains) to analyze the following AWS data sources:

  • CloudTrail logs (management events and S3 data events)
  • VPC Flow Logs
  • DNS logs

GuardDuty needs no agent and reads these sources directly, whether or not we have enabled the logs ourselves. It alerts us with Findings, each with a type and a severity (low, medium, high). We can then automate an incident response via CloudWatch Events (now Amazon EventBridge) or with 3rd party services.
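
The automation path described above, as an added example (not code from the original notes): a Lambda-style handler receives a GuardDuty finding from CloudWatch Events / EventBridge, checks its severity and target, and isolates the affected EC2 instance by swapping its security groups for an empty quarantine group. The sample event is constructed; its field layout follows the GuardDuty finding format, but the instance ID, the quarantine security group ID and the severity threshold are assumptions, and the EC2 client is injected so a FakeEC2 can stand in for boto3 offline.

```python
"""Automated response to a GuardDuty finding delivered through CloudWatch Events / EventBridge."""
from typing import Any, Dict, List

# Constructed sample event. The field layout (source, detail.type, detail.severity,
# detail.resource.resourceType, detail.resource.instanceDetails.instanceId) follows
# the GuardDuty finding format; every value is made up for this example.
SAMPLE_EVENT: Dict[str, Any] = {
    "source": "aws.guardduty",
    "detail-type": "GuardDuty Finding",
    "detail": {
        "type": "UnauthorizedAccess:EC2/SSHBruteForce",
        "severity": 5.0,
        "region": "us-east-1",
        "resource": {
            "resourceType": "Instance",
            "instanceDetails": {"instanceId": "i-0123456789abcdef0"},
        },
    },
}

# Assumptions: a pre-created quarantine security group with no inbound or outbound
# rules exists in the VPC, and medium severity (4.0) and above warrants isolation.
QUARANTINE_SG = "sg-0123456789quarant"
SEVERITY_THRESHOLD = 4.0   # GuardDuty severity bands: low 1-3.9, medium 4-6.9, high 7-8.9


class FakeEC2:
    """Stand-in for a boto3 EC2 client so the example runs offline; it records the calls made."""

    def __init__(self) -> None:
        self.calls: List[Dict[str, Any]] = []

    def modify_instance_attribute(self, **kwargs: Any) -> Dict[str, Any]:
        self.calls.append(kwargs)
        return {}


def plan_response(event: Dict[str, Any]) -> Dict[str, Any]:
    """Decide what to do with a finding; returns a dict describing the chosen action."""
    if event.get("source") != "aws.guardduty":
        return {"action": "ignore", "reason": "not a GuardDuty event"}
    detail = event.get("detail", {})
    severity = float(detail.get("severity", 0))
    resource = detail.get("resource", {})
    if severity < SEVERITY_THRESHOLD:
        return {"action": "log", "reason": f"severity {severity} below threshold"}
    if resource.get("resourceType") != "Instance":
        # Findings about IAM users, S3 buckets etc. need a different playbook.
        return {"action": "notify", "reason": "no EC2 instance to isolate"}
    instance_id = resource["instanceDetails"]["instanceId"]
    return {"action": "quarantine", "instance_id": instance_id, "finding_type": detail.get("type")}


def handler(event: Dict[str, Any], ec2: Any) -> Dict[str, Any]:
    """Lambda-style entry point; the EC2 client is injected so boto3 or FakeEC2 can be passed."""
    plan = plan_response(event)
    if plan["action"] == "quarantine":
        # Replacing the instance's security groups with the empty quarantine group stops
        # new inbound and outbound traffic while keeping the instance alive for forensics.
        ec2.modify_instance_attribute(InstanceId=plan["instance_id"], Groups=[QUARANTINE_SG])
    return plan


if __name__ == "__main__":
    print(handler(SAMPLE_EVENT, FakeEC2()))
```

In a real deployment the EventBridge rule matches on source aws.guardduty and the handler is given a boto3 EC2 client; the decision logic stays the same, and keeping it separate from the API call is what makes it testable offline.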

Key Management Service (KMS)

A managed service that makes it easy for us to create and control the encryption keys used to encrypt our data.

  • KMS keys are stored in and used by multi-tenant HSMs (hardware security modules); the key material never leaves the HSMs. AWS CloudHSM is the single-tenant alternative when we need dedicated hardware.
  • Many AWS services are integrated to use KMS to encrypt our data with a simple checkbox.
  • KMS uses Envelope Encryption.
  • Every use of a key is recorded in CloudTrail, so we can audit who decrypted what and when.

KMS integrates with other AWS services, including:

  • S3 and Glacier
  • Storage Gateway
  • EBS and RDS
  • DynamoDB
  • SNS
  • CloudTrail

Envelope Encryption

When we encrypt our data, the data is protected, but now we have to protect the encryption key. With envelope encryption we encrypt the data with a data key (DEK), then encrypt that data key with a master key (the KMS key, which never leaves KMS) as an additional layer. The encrypted data key is stored alongside the ciphertext; to decrypt, we ask KMS to decrypt the data key and then decrypt the data locally. This keeps large payloads out of KMS (it only ever encrypts the small key), and disabling the master key makes every data key encrypted under it unusable at once.
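
The flow above, as an added example (not code from the original notes): a FakeKMS object plays the role of KMS, holding a master key that callers never see and handing out data keys in plaintext and wrapped form, the way kms:GenerateDataKey and kms:Decrypt do. The data itself is encrypted locally with the data key, and the wrapped key travels with the ciphertext. Assumptions: to stay on the standard library the cipher is an HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag, a stand-in for the AES-GCM that KMS actually uses; the sample plaintext is constructed.

```python
"""Envelope encryption with a local stand-in for KMS (standard library only, runs offline)."""
import hashlib
import hmac
import os
from typing import Dict, Tuple


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Counter-mode stream cipher built from HMAC-SHA256 (stand-in for the AES-GCM KMS uses).
    XOR-ing with the keystream both encrypts and decrypts."""
    out = bytearray()
    for block_no in range((len(data) + 31) // 32):
        block = hmac.new(key, nonce + block_no.to_bytes(4, "big"), hashlib.sha256).digest()
        chunk = data[block_no * 32:(block_no + 1) * 32]
        out.extend(a ^ b for a, b in zip(chunk, block))
    return bytes(out)


def _subkeys(key: bytes) -> Tuple[bytes, bytes]:
    """Derive separate encryption and MAC keys from one 32-byte key."""
    return hashlib.sha256(b"enc" + key).digest(), hashlib.sha256(b"mac" + key).digest()


def aead_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: returns nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(16)
    ciphertext = _keystream_xor(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def aead_decrypt(key: bytes, blob: bytes) -> bytes:
    """Verify the tag in constant time before touching the ciphertext; raise on any tampering."""
    enc_key, mac_key = _subkeys(key)
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or tampered data")
    return _keystream_xor(enc_key, nonce, ciphertext)


class FakeKMS:
    """Stand-in for KMS. The master key lives only inside this object; callers get data keys,
    never the master key, mirroring kms:GenerateDataKey and kms:Decrypt."""

    def __init__(self) -> None:
        self._master_key = os.urandom(32)

    def generate_data_key(self) -> Tuple[bytes, bytes]:
        """Return (plaintext data key, data key encrypted under the master key)."""
        dek = os.urandom(32)
        return dek, aead_encrypt(self._master_key, dek)

    def decrypt_data_key(self, wrapped_dek: bytes) -> bytes:
        return aead_decrypt(self._master_key, wrapped_dek)


def envelope_encrypt(kms: FakeKMS, plaintext: bytes) -> Dict[str, bytes]:
    """Encrypt locally with a fresh data key; store the wrapped key next to the ciphertext."""
    dek, wrapped_dek = kms.generate_data_key()
    ciphertext = aead_encrypt(dek, plaintext)
    del dek  # the plaintext data key should not outlive the operation
    return {"wrapped_dek": wrapped_dek, "ciphertext": ciphertext}


def envelope_decrypt(kms: FakeKMS, envelope: Dict[str, bytes]) -> bytes:
    """Ask KMS for the data key back, then decrypt the payload locally."""
    dek = kms.decrypt_data_key(envelope["wrapped_dek"])
    return aead_decrypt(dek, envelope["ciphertext"])


if __name__ == "__main__":
    kms = FakeKMS()
    record = envelope_encrypt(kms, b"cardholder data (constructed sample)")
    print(envelope_decrypt(kms, record))
```

Two properties worth checking against the code: a tampered ciphertext or wrapped key fails the tag check before any decryption happens, and a different FakeKMS (a different master key) cannot unwrap the data key, which is the whole point of keeping the master key inside KMS.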

Amazon Macie

Macie is a fully managed service that continuously monitors S3 data access activity for anomalies and generates detailed alerts when it detects a risk of unauthorized access or inadvertent data leaks. (This describes the original Macie, now called Macie Classic; the current Amazon Macie focuses on discovering and classifying sensitive data such as PII in S3 buckets and on reporting bucket-level security issues like public access.)

Macie works by using machine learning to analyze our CloudTrail logs.

Macie has a variety of alerts

  • Anonymized Access
  • Config compliance
  • Credential Loss
  • Data Compliance
  • File Hosting
  • Identity Enumeration
  • Information Loss
  • Location anomaly
  • Open permissions
  • Privilege Escalation
  • Ransomware
  • Service Disruption
  • Suspicious Access

Macie also identifies our most at-risk users, whose activity or credentials could lead to a compromise.

Security Groups Vs NACLs

Security Groups act as a firewall at the instance level (attached to the network interface). SGs are stateful: if a connection is allowed in one direction, the return traffic is allowed automatically. They implicitly deny all traffic and we can only create ALLOW rules; all rules are evaluated and any match allows the packet. Eg. allow inbound TCP port 22 to an EC2 instance for SSH.

NACLs - Network Access Control Lists - act as a firewall at the subnet level. NACLs are stateless: return traffic must be explicitly allowed in the opposite direction (typically the ephemeral port range). Rules are numbered and evaluated from the lowest number up; the first match wins, and an implicit deny (the * rule) sits at the end. We can create both ALLOW and DENY rules. Eg. block a specific IP address known for abuse, which a security group cannot do.
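
To make the stateful-versus-stateless and allow-only-versus-deny differences concrete, here is an added simulation (not code from the original notes, and not how AWS implements either). It models a security group with connection tracking and a network ACL with numbered, first-match rules, then runs the two examples above through both: an SSH allow for an admin network, a NACL deny for an abusive IP, and an outbound HTTPS connection whose reply only the stateful security group lets back in. All addresses come from the RFC 5737 documentation ranges and the rule sets are constructed for the scenario; the model ignores ICMP types and treats "all" as any protocol and port.

```python
"""Simulation of a stateful security group versus a stateless, ordered network ACL."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Set, Tuple


@dataclass
class Rule:
    action: str                  # "allow" or "deny" (security groups only allow)
    protocol: str                # "tcp", "udp", "icmp" or "all"
    port_range: Tuple[int, int]  # inclusive
    cidr: str
    number: int = 0              # NACL rule number; lowest is evaluated first

    def matches(self, protocol: str, port: int, ip: str) -> bool:
        if self.protocol not in ("all", protocol):
            return False
        low, high = self.port_range
        return low <= port <= high and ip_address(ip) in ip_network(self.cidr)


class SecurityGroup:
    """Instance level. Stateful, allow-only, unordered: any matching rule allows, else implicit deny."""

    def __init__(self, inbound: List[Rule], outbound: List[Rule]) -> None:
        if any(r.action != "allow" for r in inbound + outbound):
            raise ValueError("security groups cannot hold DENY rules")
        self.inbound, self.outbound = inbound, outbound
        self.tracked: Set[Tuple[str, str, int, int]] = set()  # (proto, remote ip, remote port, local port)

    def _evaluate(self, rules, proto, remote_ip, remote_port, local_port, port_to_match) -> bool:
        conn = (proto, remote_ip, remote_port, local_port)
        if conn in self.tracked:
            return True  # reply traffic for a connection that was already allowed
        if any(r.matches(proto, port_to_match, remote_ip) for r in rules):
            self.tracked.add(conn)
            return True
        return False

    def inbound_allowed(self, proto, remote_ip, remote_port, local_port) -> bool:
        return self._evaluate(self.inbound, proto, remote_ip, remote_port, local_port, local_port)

    def outbound_allowed(self, proto, remote_ip, remote_port, local_port) -> bool:
        return self._evaluate(self.outbound, proto, remote_ip, remote_port, local_port, remote_port)


class NetworkACL:
    """Subnet level. Stateless, allow or deny, evaluated by rule number; first match wins,
    and the trailing '*' rule denies anything left over."""

    def __init__(self, inbound: List[Rule], outbound: List[Rule]) -> None:
        self.inbound = sorted(inbound, key=lambda r: r.number)
        self.outbound = sorted(outbound, key=lambda r: r.number)

    @staticmethod
    def _evaluate(rules: List[Rule], proto: str, port: int, ip: str) -> bool:
        for rule in rules:
            if rule.matches(proto, port, ip):
                return rule.action == "allow"
        return False

    def inbound_allowed(self, proto, remote_ip, remote_port, local_port) -> bool:
        return self._evaluate(self.inbound, proto, local_port, remote_ip)

    def outbound_allowed(self, proto, remote_ip, remote_port, local_port) -> bool:
        return self._evaluate(self.outbound, proto, remote_port, remote_ip)


def demo() -> Dict[str, bool]:
    """Constructed scenario: admin network 203.0.113.0/24, abusive host 198.51.100.7."""
    sg = SecurityGroup(inbound=[Rule("allow", "tcp", (22, 22), "203.0.113.0/24")],
                       outbound=[Rule("allow", "all", (0, 65535), "0.0.0.0/0")])
    nacl = NetworkACL(inbound=[Rule("deny", "all", (0, 65535), "198.51.100.7/32", number=50),
                               Rule("allow", "tcp", (22, 22), "0.0.0.0/0", number=100)],
                      outbound=[Rule("allow", "tcp", (1024, 65535), "0.0.0.0/0", number=100)])
    admin, abuser, other, web = "203.0.113.10", "198.51.100.7", "192.0.2.200", "192.0.2.80"
    return {
        # SSH from the admin network: NACL rule 100 and the SG both allow the SYN ...
        "ssh_admin_in": nacl.inbound_allowed("tcp", admin, 50000, 22) and sg.inbound_allowed("tcp", admin, 50000, 22),
        # ... and the SYN-ACK gets out: NACL via the ephemeral-port rule, SG via its state table.
        "ssh_admin_reply": nacl.outbound_allowed("tcp", admin, 50000, 22) and sg.outbound_allowed("tcp", admin, 50000, 22),
        # Abusive IP: NACL rule 50 denies before rule 100 can allow port 22.
        "abuser_in_nacl": nacl.inbound_allowed("tcp", abuser, 40000, 22),
        # SG cannot deny; an address outside the allowed CIDR simply never matches.
        "other_ip_in_sg": sg.inbound_allowed("tcp", other, 40000, 22),
        # Instance opens an HTTPS connection: SG allows it out and tracks it ...
        "https_out_sg": sg.outbound_allowed("tcp", web, 443, 51000),
        # ... so the reply is allowed in although there is no inbound 443 rule.
        "https_reply_sg": sg.inbound_allowed("tcp", web, 443, 51000),
        # The stateless NACL drops that same reply: no inbound rule covers port 51000.
        "https_reply_nacl": nacl.inbound_allowed("tcp", web, 443, 51000),
    }


if __name__ == "__main__":
    for check, allowed in demo().items():
        print(f"{check:18} {'ALLOW' if allowed else 'DENY'}")
```

The last result is the classic NACL mistake: an outbound HTTPS call from an instance works at the security group layer but is silently dropped by a NACL that has no inbound rule for the ephemeral port range (1024-65535).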


Virtual Private Network (VPN) lets us establish a secure and private tunnel from our network or device to the AWS global network.

AWS Site-to-Site VPN securely connects an on-premises network or branch office site to an AWS VPC.

AWS Client VPN securely connects individual users to AWS or on-premises networks.

AWS Quick Start Example: Linux Bastion Host

A bastion host is an EC2 instance in a public subnet that we reach over its public IP (SSH only, with the security group restricted to our own source addresses); from it we hop to resources that reside in private subnets and have no public IP. With OpenSSH this is a single command, e.g. ssh -J ec2-user@<bastion-public-ip> ec2-user@<private-ip>.

AWS Analytics

Amazon Athena

Athena is a serverless interactive query service used to analyze data in S3 using standard SQL. Because Athena is serverless, there is no infrastructure to manage; we are billed only for the queries we run (by data scanned). A common security use is querying CloudTrail or VPC Flow Logs stored in S3 directly, without loading them anywhere else.

Amazon EMR (Elastic Map Reduce)

It provides a managed Hadoop framework. Amazon EMR is designed for processing broad sets of big data, including log analysis, web indexing, machine learning and financial analysis.

Other AWS Services

Amazon Lightsail

Lightsail is a virtual private server (instance) aimed at developers, providing everything needed to launch a service or project quickly. There are a number of quick-start prepackaged setups to support a variety of operating systems and solutions.

Amazon Rekognition

It provides video/image analysis. The service can identify objects, people, text, etc, in image/video. Rekognition also supports facial recognition and analysis.

Amazon Device Farm (mobile lab)

It provides physical devices that can be used to test and troubleshoot applications on mobile devices, as well as help simulate real-world customer conditions.

Amazon Mechanical Turk

It is a crowdsourcing marketplace that simplifies outsourcing of processes and jobs to a distributed workforce. Practically any task that can be performed remotely (virtually) can be tasked via Mechanical Turk. Crowdsourcing is great for manual, time-consuming tasks that can be completed by distributed workers.

Is your account compromised?

If your account is compromised (or you think it is), follow these steps:

  1. Change your AWS root account password and make sure MFA is enabled on the root user.
  2. Change all IAM user passwords.
  3. Delete or rotate all programmatic (API) access keys, starting with any that belong to the root user.
  4. Delete any IAM users, roles or resources in your account that you did not create (check CloudTrail to see what was done with the credentials).
  5. Respond to any notifications you received from AWS through the AWS Support Center and/or contact AWS Support to open a support case.
