AWS Series #2: AWS Security Layer — Network & Web Apps Detection & Protection
AWS Guard Duty:
Guard Duty is an intelligent threat detection service that protects your AWS accounts, workloads and data (stored in AWS S3). It is not a defensive mechanism in itself: it detects, and other services such as Shield or WAF do the protecting. It does not affect performance, since it runs standalone and is not in the critical path of the services it monitors. It is not free; the cost depends on which logs and data points you choose to analyze. Every organization should have a clear architecture for collecting the logs that enable intelligent threat detection, a proper mechanism to read the findings and send a summary to the personnel who have the authority to act on them, and a clear management summary for top management. Guard Duty must be enabled at all times and never switched off. While enabled, Guard Duty continuously analyzes the logs (refer to the log types below), and those logs can be analyzed further in Kibana, Splunk or any other ML-based tool.
Guard Duty supports 3 C’s
- Continuous -> Continuously monitors your AWS environment and alerts you to any malicious activity.
- Comprehensive -> Analyzes multiple data sources, including CloudTrail events and VPC Flow Logs.
- Customizable -> Customize it by adding your own threat lists and trusted IP addresses.
You can simply enable Guard Duty.
The Data sources that can be monitored continuously by Guard Duty:
- VPC Flow Logs
- DNS Logs
- Event Logs
- AWS CloudTrail S3 event logs
- AWS CloudTrail management event logs etc.
It also finds and lists malicious IP addresses and domains, unexpected visitors (unauthorized users) and any malicious activity that may have taken place in your or your organization's AWS environment, such as on EC2 instances or in API calls.
Collecting different types of logs is great, but that is only the input. What you do with that input to gain insights, identify threats and in turn improve your security posture is what matters most. Every organization must have in-house and/or product-based log analytics that provides actionable insights and summaries. The team responsible for the organization's security must set up real-time log analysis, with clear threat detection algorithms and automatic reporting to top management and the relevant authorities. These algorithms are not written once and run forever; they need continuous improvement. Effective log analysis of this kind is your most effective way to improve the security architecture of your organization.
- Kibana Log Analytics (ELK Stack)
- Splunk Log Analytics
- DataDog Log Analytics
- Amazon Elasticsearch Service for log analytics
The list above is not exhaustive; there are several products and offerings covering multi-cloud log analytics that enable effective monitoring and alerting and provide actionable insights.
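As an added example (not part of the original article), here is the "read the findings and summarize them for the person who has to act" step described above, in Python. It takes findings in GuardDuty's JSON finding format, drops any whose remote IP falls in a trusted range (mirroring the trusted IP lists mentioned under Customizable), buckets the rest by severity band and orders them by severity. The findings, account, instance IDs and IP addresses are constructed sample data, and the severity bands follow the ones GuardDuty documents (Low 1.0-3.9, Medium 4.0-6.9, High 7.0-8.9), with 9.0 and above treated here as Critical.

```python
import ipaddress
import json
from collections import Counter

# Constructed sample findings using GuardDuty's finding field names; the IDs,
# account, instance IDs, domain and IP addresses are made up for this example.
SAMPLE_FINDINGS_JSON = """[
 {"Id": "f-0001", "AccountId": "111111111111", "Region": "us-east-1", "Severity": 8.0,
  "Type": "UnauthorizedAccess:EC2/SSHBruteForce",
  "Resource": {"ResourceType": "Instance", "InstanceDetails": {"InstanceId": "i-0aaa111"}},
  "Service": {"Count": 37, "Action": {"ActionType": "NETWORK_CONNECTION",
   "NetworkConnectionAction": {"RemoteIpDetails": {"IpAddressV4": "198.51.100.23"}}}}},
 {"Id": "f-0002", "AccountId": "111111111111", "Region": "us-east-1", "Severity": 5.0,
  "Type": "Recon:EC2/PortProbeUnprotectedPort",
  "Resource": {"ResourceType": "Instance", "InstanceDetails": {"InstanceId": "i-0bbb222"}},
  "Service": {"Count": 4, "Action": {"ActionType": "PORT_PROBE",
   "PortProbeAction": {"PortProbeDetails": [{"RemoteIpDetails": {"IpAddressV4": "203.0.113.9"}}]}}}},
 {"Id": "f-0003", "AccountId": "111111111111", "Region": "us-east-1", "Severity": 2.0,
  "Type": "Recon:IAMUser/UserPermissions",
  "Resource": {"ResourceType": "AccessKey"},
  "Service": {"Count": 1, "Action": {"ActionType": "AWS_API_CALL",
   "AwsApiCallAction": {"RemoteIpDetails": {"IpAddressV4": "192.0.2.10"}}}}},
 {"Id": "f-0004", "AccountId": "111111111111", "Region": "us-east-1", "Severity": 7.5,
  "Type": "Trojan:EC2/DNSDataExfiltration",
  "Resource": {"ResourceType": "Instance", "InstanceDetails": {"InstanceId": "i-0ccc333"}},
  "Service": {"Count": 12, "Action": {"ActionType": "DNS_REQUEST",
   "DnsRequestAction": {"Domain": "exfil.example"}}}}
]"""


def severity_label(score):
    """Map a numeric GuardDuty severity to its documented band (9+ treated as Critical)."""
    if score >= 9.0:
        return "Critical"
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    return "Low"


def remote_ip(finding):
    """Pull the remote IPv4 address out of the action types that carry one.
    DNS findings carry a domain instead of an IP, so None is a legitimate result."""
    action = finding.get("Service", {}).get("Action", {})
    for key in ("NetworkConnectionAction", "AwsApiCallAction"):
        ip = action.get(key, {}).get("RemoteIpDetails", {}).get("IpAddressV4")
        if ip:
            return ip
    for probe in action.get("PortProbeAction", {}).get("PortProbeDetails", []):
        ip = probe.get("RemoteIpDetails", {}).get("IpAddressV4")
        if ip:
            return ip
    return None


def is_trusted(ip, trusted_networks):
    """True when the IP belongs to one of the organization's trusted ranges."""
    if ip is None:
        return False
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in trusted_networks)


def triage(findings, trusted_cidrs=()):
    """Split findings into actionable (sorted by severity) and suppressed (trusted IPs),
    plus a per-band count for the management summary."""
    trusted_networks = [ipaddress.ip_network(c) for c in trusted_cidrs]
    actionable, suppressed = [], []
    for f in findings:
        ip = remote_ip(f)
        record = {
            "id": f["Id"],
            "account": f.get("AccountId"),
            "type": f["Type"],
            "severity": f["Severity"],
            "band": severity_label(f["Severity"]),
            "resource": f.get("Resource", {}).get("InstanceDetails", {}).get("InstanceId"),
            "remote_ip": ip,
            "count": f.get("Service", {}).get("Count", 1),
        }
        (suppressed if is_trusted(ip, trusted_networks) else actionable).append(record)
    actionable.sort(key=lambda r: r["severity"], reverse=True)
    summary = Counter(r["band"] for r in actionable)
    return {"actionable": actionable, "suppressed": suppressed, "summary": dict(summary)}


def load_findings(text):
    """Findings exported from GuardDuty (or pulled via the API) as a JSON array."""
    return json.loads(text)


if __name__ == "__main__":
    report = triage(load_findings(SAMPLE_FINDINGS_JSON), trusted_cidrs=["192.0.2.0/24"])
    print("summary:", report["summary"], "| suppressed:", len(report["suppressed"]))
    for r in report["actionable"]:
        print(f'{r["band"]:8} {r["severity"]:4} {r["type"]:40} {r["remote_ip"]} {r["resource"]}')
```

The trusted-range filter is applied here only to illustrate what a trusted IP list does; in a real deployment you would configure the list in GuardDuty itself so those findings are never generated, and feed the `summary` dictionary to whatever reporting path delivers the management summary.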
AWS Web Application Firewall (WAF):
WAF is a Web Application Firewall. It helps protect your web applications or APIs against common web exploits that may
- Affect availability
- Compromise Security
- Consume excessive resources
This gives you control over the traffic that reaches your application by enabling security rules that block common attack patterns such as
- SQL Injections
- Cross-Site Scripting
- Any other pattern you define as a rule
Managed rules for WAF are pre-configured sets of rules maintained by AWS or by AWS Marketplace sellers; they address issues such as the OWASP Top 10 security risks. AWS WAF is pay-as-you-use, priced on the number of rules configured.
It can also be deployed as part of a CloudFront CDN distribution, on the Application Load Balancer that fronts your web or origin servers running on EC2, or on Amazon API Gateway.
As in the image above, AWS WAF secures web applications from common web exploits. Set up protection for Amazon CloudFront distributions, Application Load Balancers, and/or Amazon API Gateway stages in under 5 minutes.
- Agile Protection against Web attacks
- If an attacker gets into the server and disrupts it, WAF takes care of it. If the attacker overloads the server with brute-force DDoS traffic aimed at bringing it down, Shield is your go-to defense.
- Can be integrated with AWS CloudWatch
- Can be used on websites not hosted on AWS
- AWS WAF Bot gives protection against bot traffic
- Save time with managed rules
- Improved web traffic visibility
- Ease of deployment and maintenance
- Can be deployed on different services such as CloudFront (CDN), Application Load Balancer (ALB), API Gateways, AppSync etc.
- AWS WAF is HIPAA eligible
- Rate-based rules (a rate-limiting algorithm keyed on different request attributes) can be configured as part of WAF, and the same rules can be used against DDoS.
- A custom CDN error page can be configured via WAF
- Rules are very quick to configure and manage in WAF
- Real-time WAF metrics are stored in Amazon CloudWatch, where you can configure a retention policy
Related Services in WAF:
- AWS Shield Advanced — Managed Distributed Denial of Service (DDoS) protection service that safeguards applications running on AWS.
- AWS Kinesis — Use Kinesis to store the full logs of requests analyzed by web ACLs for further analysis.
- AWS Firewall Manager — Security management service which allows you to centrally configure and manage firewall rules.
- AWS CloudWatch — Use CloudWatch to collect monitoring and operational data in the form of logs, metrics, and events.
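Added example, not from the original article: a small Python analysis of AWS WAF full logs (the JSON-lines records that Kinesis delivers, as mentioned above) that does two of the things described in this section. It summarizes which rule allowed or blocked each request, and it replays what a rate-based rule does by counting requests per client IP in a trailing five-minute window and reporting the IPs that exceed a limit. The log lines are constructed and use the WAF log field names; the web ACL ARN, load balancer ID, rule name and IP addresses are placeholders, and the limit of 5 is deliberately tiny so the sample triggers (a real rate-based rule limit would be much higher).

```python
import json
from collections import Counter, deque

WEB_ACL_ARN = "arn:aws:wafv2:us-east-1:111111111111:regional/webacl/example/EXAMPLEID"  # placeholder


def _record(ts_ms, ip, uri, action="ALLOW", rule="Default_Action"):
    """One constructed log record using the field names of AWS WAF full logs.
    'Default_Action' is what WAF writes as terminatingRuleId when no rule matched."""
    return json.dumps({
        "timestamp": ts_ms, "formatVersion": 1, "webaclId": WEB_ACL_ARN,
        "terminatingRuleId": rule, "terminatingRuleType": "REGULAR", "action": action,
        "httpSourceName": "ALB", "httpSourceId": "app/example-alb/EXAMPLEID",
        "httpRequest": {"clientIp": ip, "country": "US", "uri": uri,
                        "httpMethod": "POST" if uri == "/login" else "GET",
                        "httpVersion": "HTTP/1.1", "requestId": f"req-{ts_ms}"},
    })


T0 = 1_700_000_000_000  # constructed epoch-millisecond base time

# Constructed sample: one client hitting /login six times within a minute, another
# client with one normal request and one blocked by the managed SQLi rule group,
# and a late request from the first client that falls outside the five-minute window.
SAMPLE_LOG = "\n".join(
    [_record(T0 + i * 10_000, "203.0.113.5", "/login") for i in range(6)]
    + [_record(T0 + 5_000, "198.51.100.7", "/index.html"),
       _record(T0 + 12_000, "198.51.100.7", "/search", "BLOCK", "AWS-AWSManagedRulesSQLiRuleSet"),
       _record(T0 + 400_000, "203.0.113.5", "/login")]
)


def parse_waf_log(text):
    """WAF full logs are newline-delimited JSON; blank lines are skipped."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def action_summary(entries):
    """Requests counted by (action, terminating rule): the quick 'who is blocking what' view."""
    return Counter((e["action"], e["terminatingRuleId"]) for e in entries)


def rate_offenders(entries, limit, window_ms=5 * 60 * 1000):
    """For each client IP, the peak number of requests seen in any trailing window,
    keeping only the IPs whose peak exceeds `limit`. Exceeding the limit within the
    window is the condition under which a WAF rate-based rule applies its action."""
    peaks, windows = {}, {}
    for e in sorted(entries, key=lambda entry: entry["timestamp"]):
        ip, ts = e["httpRequest"]["clientIp"], e["timestamp"]
        q = windows.setdefault(ip, deque())
        q.append(ts)
        while ts - q[0] >= window_ms:  # evict timestamps that have left the window
            q.popleft()
        peaks[ip] = max(peaks.get(ip, 0), len(q))
    return {ip: n for ip, n in peaks.items() if n > limit}


if __name__ == "__main__":
    entries = parse_waf_log(SAMPLE_LOG)
    for (action, rule), n in action_summary(entries).most_common():
        print(f"{action:5} {rule:35} {n}")
    print("rate offenders (limit 5):", rate_offenders(entries, limit=5))
```

The same two functions run unchanged over a real log file pulled from the Kinesis destination; the only difference is the source of `entries`. Comparing `rate_offenders` output against the IPs a rate-based rule actually blocked is a cheap way to check that the configured limit and window match what you intended.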
AWS Shield is a managed Distributed Denial of Service (DDoS) protection service that safeguards applications running on AWS. It provides always-on detection and automatic inline mitigations that minimize application downtime and latency.
Two Tiers of AWS Shield
AWS Shield Standard:
- Provides Network and Transport Layer protection
- Automatic protections at no cost
- Defends against the most common, frequently occurring network and Transport Layer DDoS attacks that target your website or application.
- Comprehensive protection when used with CloudFront or Route 53.
AWS Shield Advanced:
- For EC2, ELB, CloudFront, Global Accelerator, Route 53
- Everything in Standard, plus additional detection and mitigation against large and sophisticated DDoS attacks, and access to the AWS DDoS Response Team (DRT)
- Protection against DDoS-related spikes in your Amazon EC2, ELB, CloudFront, AWS Global Accelerator and Amazon Route 53 charges.
- Available globally on all Amazon CloudFront, AWS Global Accelerator, Amazon Route 53 edge locations.
AWS Inspector is another detection mechanism: it analyzes your running OS instances for known vulnerabilities and also checks for unintended network exposure. Because it actively inspects the operating system, it must be installed on the running instances, such as EC2 instances, regardless of whether they serve as application, web or database servers.
Having discussed detection (Guard Duty, AWS Inspector) and protection (AWS Shield, AWS WAF), it is also imperative to audit and record the configuration of AWS services and resources for compliance, which is what AWS Config does. AWS Config has no deny rules: it does not stop you from doing anything, it only audits, so that the protection and detection services can make use of its records.
ACM - AWS Certificate Manager
When you publish an AWS web page, transfer data from one cloud provider to another, or move data from an ETL pipeline to a database, it is imperative that you do so over secured channels. The established industry standard is the public or private SSL / TLS X.509 certificate. AWS Certificate Manager lets you renew or upgrade certificates in one place, acting as a one-stop shop instead of your having to go back to the provider each time a renewal is due. ACM works across accounts and with single domain names, multiple domain names, wildcard domains, or a combination of these. ACM wildcard certificates can protect an unlimited number of subdomains. You can export a private ACM certificate and its keys and use them anywhere.
It offers two services:
- AWS Certificate Manager (ACM) — for customers who need secure web access.
- ACM Private CA — for enterprise customers building a Public Key Infrastructure (PKI).
In a nutshell, ACM enables you to Provision, Manage and Deploy SSL / TLS Certificates.
Usage 1: Enabling ACM to your website
Usage 2: Using ACM in a multi-account environment
What is the role of STS here:
AWS Security Token Service (STS) is a web service that enables you to request (1) temporary and (2) limited-privilege credentials for AWS Identity and Access Management (IAM) users or for users that you authenticate (federated users).
ACM works with STS.
- Enables you to provision private and public SSL / TLS certificates.
- Private, public and imported certificates are all supported, and all of them are stored securely.
- Eliminates manual renewal: use ACM directly and the renewal happens within AWS itself.
- ACM is simple to use: just enable it and request an SSL / TLS certificate.
- You can use ACM with multiple AWS services such as Elastic Load Balancing (ELB), CloudFront (CDN), API Gateway, Elastic Beanstalk, CloudFormation etc.
- DNS or domain validation is performed before a certificate is issued.
- The same certificate can be used across multiple services.
- You can use a Lambda function to check and validate certificates and to trigger renewal within AWS.
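Added example (not the article's or AWS's own code): the Lambda-style certificate check referred to in the last two points. The evaluation logic works on the Certificate object that ACM's DescribeCertificate API returns (field names as documented: Status, Type, NotAfter, RenewalEligibility, InUseBy, RenewalSummary), so it can be tested offline on constructed sample data; `lambda_handler` is the thin wrapper that would run on a schedule, fetch the real certificates with boto3 and publish the report to an SNS topic. The ARNs, domain names, dates, the `ALERT_TOPIC_ARN` environment variable and the EventBridge schedule are assumptions. Note that the function alerts rather than renews: ACM's managed renewal handles certificates it issued, and imported certificates have to be replaced by importing a new one.

```python
import os
from datetime import datetime, timedelta, timezone

WARN_DAYS = 30
NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)  # constructed "current time" for the sample run


def _arn(n):
    # Constructed certificate ARN; the account ID and UUID are placeholders.
    return f"arn:aws:acm:us-east-1:111111111111:certificate/00000000-0000-0000-0000-00000000000{n}"


# Constructed sample in the shape of the Certificate object returned by ACM DescribeCertificate.
SAMPLE_CERTIFICATES = [
    {"CertificateArn": _arn(1), "DomainName": "www.example.com", "Status": "ISSUED",
     "Type": "AMAZON_ISSUED", "NotAfter": NOW + timedelta(days=200), "RenewalEligibility": "ELIGIBLE",
     "InUseBy": ["arn:aws:elasticloadbalancing:us-east-1:111111111111:loadbalancer/app/web/EXAMPLE"]},
    {"CertificateArn": _arn(2), "DomainName": "legacy.example.com", "Status": "ISSUED",
     "Type": "IMPORTED", "NotAfter": NOW + timedelta(days=10), "RenewalEligibility": "INELIGIBLE",
     "InUseBy": ["arn:aws:cloudfront::111111111111:distribution/EXAMPLE"]},
    {"CertificateArn": _arn(3), "DomainName": "old.example.com", "Status": "ISSUED",
     "Type": "AMAZON_ISSUED", "NotAfter": NOW + timedelta(days=20), "RenewalEligibility": "INELIGIBLE",
     "InUseBy": []},
    {"CertificateArn": _arn(4), "DomainName": "new.example.com", "Status": "PENDING_VALIDATION",
     "Type": "AMAZON_ISSUED", "RenewalEligibility": "INELIGIBLE", "InUseBy": []},
]


def evaluate_certificate(cert, now, warn_days=WARN_DAYS):
    """Reasons this certificate needs a human's attention; an empty list means healthy."""
    issues = []
    status = cert.get("Status")
    if status != "ISSUED":
        issues.append(f"status is {status}")
    expiring = False
    not_after = cert.get("NotAfter")
    if not_after is not None:
        days_left = (not_after - now).days
        if days_left < 0:
            issues.append("already expired")
        elif days_left <= warn_days:
            expiring = True
            issues.append(f"expires in {days_left} days")
    # ACM managed renewal covers only certificates ACM issued and reports as eligible;
    # an imported certificate has to be replaced by importing a new one.
    if expiring and cert.get("Type") == "IMPORTED":
        issues.append("imported: managed renewal does not apply, re-import a replacement")
    elif expiring and cert.get("RenewalEligibility") == "INELIGIBLE":
        issues.append("renewal ineligible: managed renewal will not run")
    if cert.get("RenewalSummary", {}).get("RenewalStatus") == "FAILED":
        issues.append("last managed renewal attempt failed")
    if status == "ISSUED" and not cert.get("InUseBy"):
        issues.append("not in use by any AWS resource")
    return issues


def build_report(certs, now):
    """Map certificate ARN -> issues, for the certificates that have any."""
    report = {}
    for cert in certs:
        issues = evaluate_certificate(cert, now)
        if issues:
            report[cert["CertificateArn"]] = issues
    return report


def lambda_handler(event, context):
    """Scheduled entry point (assumed: an EventBridge schedule invokes it and the SNS topic
    ARN is in ALERT_TOPIC_ARN). boto3 is imported here so the logic above runs offline."""
    import boto3
    acm = boto3.client("acm")
    certs = []
    for page in acm.get_paginator("list_certificates").paginate():
        for summary in page["CertificateSummaryList"]:
            certs.append(acm.describe_certificate(CertificateArn=summary["CertificateArn"])["Certificate"])
    report = build_report(certs, datetime.now(timezone.utc))
    if report:
        body = "\n".join(f"{arn}: {'; '.join(issues)}" for arn, issues in report.items())
        boto3.client("sns").publish(TopicArn=os.environ["ALERT_TOPIC_ARN"],
                                    Subject="ACM certificates needing attention", Message=body)
    return {"checked": len(certs), "needing_attention": len(report)}


if __name__ == "__main__":
    for arn, issues in build_report(SAMPLE_CERTIFICATES, NOW).items():
        print(arn.rsplit("/", 1)[1], "->", "; ".join(issues))
```

The Lambda's execution role needs only `acm:ListCertificates`, `acm:DescribeCertificate` and `sns:Publish` on the one topic, which keeps it within the least-privilege spirit of the STS discussion above.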
Refer to the AWS Multi-part series article.