AWS Security and Monitoring

Topics covered in this post

  • Shared Responsibility Model
  • Risk and Compliance
  • CloudWatch
  • CloudTrail
  • KMS
  • Signature Version 4 Signing Process
  • Trusted Advisor
  • Config

AWS splits security responsibilities between itself and its users. The Shared Responsibility Model describes which parts customers of AWS are responsible for.

Customers / users are responsible for patching, antivirus, etc. Enabling MFA and using SSL/TLS is recommended.

Compliance

AWS has several compliance audits such as:

  • SOC
  • FISMA, DIACAP, FedRAMP
  • PCI DSS (for allowing credit card processing)
  • ISO 27001
  • ISO 9001
  • ITAR
  • FIPS 140-2
  • HIPAA

Storage Decommissioning

When a storage device reaches end of life, AWS follows decommissioning policies. These include DoD 5220 and NIST 800-88, which specify the proper process for decommissioning devices (also known as disk zeroing).

Transmission Protection

AWS supports HTTPS/SSL/TLS. VPN connections must be IPsec VPNs.

Unauthorized Port Scanning

AWS blocks IP spoofing: you cannot send traffic with a source IP or MAC address other than your own. AWS also does not allow port scans from EC2; performing them violates the Acceptable Use Policy. If scanning is required, you must contact AWS for permission to run vulnerability scans.

AWS vs Amazon.com

The eCommerce Amazon.com network is segregated separately from AWS.

Credentials

  • Passwords – for the root account or IAM users
  • MFA – for the root account or IAM users
  • Access keys – used to digitally sign requests to AWS APIs (via the AWS SDKs, CLI, or API)
  • Key pairs – SSH login to EC2 instances
  • X.509 certificates – CloudFront supports SSL certificates

Trusted Advisor

See the Account Management section for more details. Trusted Advisor is a free service that checks your account in the following categories:

  • Cost Optimization
  • Performance
  • Security
  • Fault Tolerance
  • Service Limits

EC2

AWS has no access to customer instances; there is no way for AWS to log in to them. When customers terminate instances, AWS does a full disk zeroing of their data and does not make the storage available to others until that is done.

Risk

AWS Security regularly scans all Internet facing service endpoint IP addresses for vulnerabilities. AWS notifies the appropriate parties to remediate any identified vulnerabilities. External threat assessments are also performed regularly by independent security firms.

Customers can request permission to conduct scans of their cloud infrastructure.

Design for Failure

Rule of thumb: be a pessimist when designing architectures and assume things will fail. Always design, implement, and deploy for automated recovery from failure. Netflix is good at this, running real-time failover tests in production.

Decouple Components

Build components that do not have tight dependencies. Use services like SQS so that components can fail and recover.

Elasticity

  • Proactive cyclic scaling – periodic scaling at a fixed interval (for example, day vs. night)
  • Proactive event-based scaling – scaling ahead of a known event (for example, Black Friday)
  • Auto scaling based on demand

CloudWatch

Note that CloudWatch is for performance monitoring, CloudTrail is for auditing.

Amazon CloudWatch monitors your Amazon Web Services (AWS) resources and the applications you run on AWS in real time. You can use CloudWatch to collect and track metrics, which are variables you can measure for your resources and applications.

The CloudWatch home page automatically displays metrics about every AWS service you use. You can additionally create custom dashboards to display metrics about your custom applications, and display custom collections of metrics that you choose.

You can create alarms which watch metrics and send notifications or automatically make changes to the resources you are monitoring when a threshold is breached. For example, you can monitor the CPU usage and disk reads and writes of your Amazon EC2 instances and then use this data to determine whether you should launch additional instances to handle increased load. You can also use this data to stop under-used instances to save money.

With CloudWatch, you gain system-wide visibility into resource utilization, application performance, and operational health.

CloudWatch supports only the following monitoring plans:

  • Basic – free
  • Detailed – additional costs

Namespaces

A namespace is a container for CloudWatch metrics. Metrics in different namespaces are isolated from each other, so that metrics from different applications are not mistakenly aggregated into the same statistics.

There is no default namespace. You must specify a namespace for each data point you publish to CloudWatch. You can specify a namespace name when you create a metric. The AWS namespaces typically use the following naming convention: AWS/service. For example, Amazon EC2 uses the AWS/EC2 namespace.

Metrics

Metrics are the fundamental concept in CloudWatch. A metric represents a time-ordered set of data points that are published to CloudWatch. Think of a metric as a variable to monitor, and the data points as representing the values of that variable over time. For example, the CPU usage of a particular EC2 instance is one metric provided by Amazon EC2. The data points themselves can come from any application or business activity from which you collect data.

AWS services send metrics to CloudWatch, and you can send your own custom metrics to CloudWatch. You can add the data points in any order, and at any rate you choose. You can retrieve statistics about those data points as an ordered set of time-series data.

Metrics exist only in the Region in which they are created. Metrics cannot be deleted, but they automatically expire after 15 months if no new data is published to them. Data points older than 15 months expire on a rolling basis; as new data points come in, data older than 15 months is dropped.

Dimensions

A dimension is a name/value pair that is part of the identity of a metric. You can assign up to 10 dimensions to a metric.

Every metric has specific characteristics that describe it, and you can think of dimensions as categories for those characteristics. Dimensions help you design a structure for your statistics plan. Because dimensions are part of the unique identifier for a metric, whenever you add a unique name/value pair to one of your metrics, you are creating a new variation of that metric.

Alarms

You can use an alarm to automatically initiate actions on your behalf. An alarm watches a single metric over a specified time period, and performs one or more specified actions, based on the value of the metric relative to a threshold over time. The action is a notification sent to an Amazon SNS topic or an Auto Scaling policy. You can also add alarms to dashboards.
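To make the namespace, metric identity and alarm semantics above concrete, here is an added example that is not part of the original post and not the CloudWatch API: a small in-memory model in Python. MetricStore, Alarm and the sample instance ids are hypothetical names; the evaluation follows CloudWatch's period, statistic and M-out-of-N "datapoints to alarm" settings in simplified form (missing data is ignored unless every period is empty).

```python
import collections
from dataclasses import dataclass

# Constructed, in-memory model of CloudWatch metric identity and alarm evaluation
# (hypothetical names MetricStore and Alarm; this is not the CloudWatch API).

def metric_key(namespace, name, dimensions):
    """A metric is identified by namespace + name + the full dimension set, so
    adding one more name/value pair creates a new, separate metric."""
    if not namespace:
        raise ValueError("there is no default namespace; every metric needs one")
    if len(dimensions) > 10:
        raise ValueError("CloudWatch allows at most 10 dimensions per metric")
    return (namespace, name, tuple(sorted(dimensions.items())))


class MetricStore:
    def __init__(self):
        self._points = collections.defaultdict(list)  # key -> [(timestamp, value)]

    def put(self, namespace, name, value, timestamp, dimensions=None):
        # Data points may arrive in any order and at any rate; identity is fixed at publish time.
        self._points[metric_key(namespace, name, dimensions or {})].append((timestamp, value))

    def statistic(self, key, stat, start, period):
        """Aggregate one period [start, start + period) into a single statistic, or None."""
        vals = [v for t, v in self._points.get(key, []) if start <= t < start + period]
        if not vals:
            return None
        return {"Average": sum(vals) / len(vals), "Maximum": max(vals), "Minimum": min(vals),
                "Sum": sum(vals), "SampleCount": len(vals)}[stat]


@dataclass
class Alarm:
    metric: tuple
    statistic: str
    period: int               # seconds per evaluation period
    threshold: float
    evaluation_periods: int   # N: how many recent periods are examined
    datapoints_to_alarm: int  # M: how many of those N must breach (M-out-of-N)

    def evaluate(self, store, now):
        """Return ALARM, OK or INSUFFICIENT_DATA for the N periods ending at `now`.
        Simplification: missing data is ignored unless every period is empty."""
        breaches = missing = 0
        for i in range(self.evaluation_periods):
            start = now - (i + 1) * self.period
            value = store.statistic(self.metric, self.statistic, start, self.period)
            if value is None:
                missing += 1
            elif value > self.threshold:
                breaches += 1
        if missing == self.evaluation_periods:
            return "INSUFFICIENT_DATA"
        return "ALARM" if breaches >= self.datapoints_to_alarm else "OK"


def demo():
    """Two constructed EC2 instances publish CPUUtilization for five minutes; one is saturated."""
    store = MetricStore()
    for t in range(0, 300, 60):
        store.put("AWS/EC2", "CPUUtilization", 95.0, t, {"InstanceId": "i-0hot"})
        store.put("AWS/EC2", "CPUUtilization", 10.0, t, {"InstanceId": "i-0cool"})

    def cpu_alarm(instance_id):
        key = metric_key("AWS/EC2", "CPUUtilization", {"InstanceId": instance_id})
        return Alarm(key, "Average", period=60, threshold=80.0,
                     evaluation_periods=3, datapoints_to_alarm=3)

    return (cpu_alarm("i-0hot").evaluate(store, 300),
            cpu_alarm("i-0cool").evaluate(store, 300),
            cpu_alarm("i-0never-published").evaluate(store, 300))


if __name__ == "__main__":
    print(demo())  # ('ALARM', 'OK', 'INSUFFICIENT_DATA')
```

The third result shows why a metric that stops being published is not the same as a metric that is healthy: an alarm with no data in any evaluation period reports INSUFFICIENT_DATA rather than OK, which is worth alerting on in its own right.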

Events

Events are state changes in AWS resources.

Pricing

You can get started with Amazon CloudWatch for free. Most AWS Services (EC2, S3, Kinesis, etc.) vend metrics automatically for free to CloudWatch. Many applications should be able to operate within these free tier limits.

There is no up-front commitment or minimum fee. You simply pay for what you use and are charged at the end of the month for your usage. Paid-tier charges depend on:

  • Metrics
  • Dashboards
  • Alarms
  • Logs
  • Events
  • Contributor Insights
  • Canaries

CloudTrail

AWS CloudTrail is an AWS service that helps you enable governance, compliance, and operational and risk auditing of your AWS account. Actions taken by a user, role, or an AWS service are recorded as events in CloudTrail. Events include actions taken in the AWS Management Console, AWS Command Line Interface, and AWS SDKs and APIs.

CloudTrail is enabled on your AWS account when you create it. When activity occurs in your AWS account, that activity is recorded in a CloudTrail event. You can easily view recent events in the CloudTrail console by going to Event history.

Visibility into your AWS account activity is a key aspect of security and operational best practices. You can use CloudTrail to view, search, download, archive, analyze, and respond to account activity across your AWS infrastructure. You can identify who or what took which action, what resources were acted upon, when the event occurred, and other details to help you analyze and respond to activity in your AWS account. Optionally, you can enable AWS CloudTrail Insights on a trail to help you identify and respond to unusual activity.

CloudTrail does not log all AWS services. Some AWS services do not enable logging of all APIs and events. Even if you configure logging all management and data events in a trail, you will not create a log with all possible AWS events.

Event History

An event in CloudTrail is the record of an activity in an AWS account. This activity can be an action taken by a user, role, or service that is monitorable by CloudTrail.

Event history allows you to view, search, and download the past 90 days of activity in your AWS account. In addition, you can create a CloudTrail trail to archive, analyze, and respond to changes in your AWS resources. A trail is a configuration that enables delivery of events to an Amazon S3 bucket that you specify. You can also deliver and analyze events in a trail with Amazon CloudWatch Logs and Amazon CloudWatch Events.

Types

You can create two types of trails for an AWS account:

A trail that applies to all regions

When you create a trail that applies to all regions, CloudTrail records events in each region and delivers the CloudTrail event log files to an S3 bucket that you specify. If a region is added after you create a trail that applies to all regions, that new region is automatically included, and events in that region are logged. This is the default option when you create a trail in the CloudTrail console.

A trail that applies to one region

When you create a trail that applies to one region, CloudTrail records the events in that region only. It then delivers the CloudTrail event log files to an Amazon S3 bucket that you specify. If you create additional single trails, you can have those trails deliver CloudTrail event log files to the same Amazon S3 bucket or to separate buckets.

Data events provide information about the resource operations performed on or in a resource. These are also known as data plane operations. Data events are often high-volume activities. Example data events include:

  • Amazon S3 object-level API activity (for example, the GetObject, DeleteObject, and PutObject API operations).
  • AWS Lambda function execution activity (the Invoke API).
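As an added example (not from the original post), the following Python reads a CloudTrail log file of the kind a trail delivers to S3 and runs three detections a defender typically wants: direct use of the root account, console logins that succeeded without MFA, and a principal accumulating AccessDenied errors; it also separates management from data events via the eventCategory field. The records, account id, ARNs and IP addresses are constructed for the example.

```python
import json
from collections import Counter

# Constructed CloudTrail log file (the S3-delivered format is a JSON object with a "Records" list).
# Account id, ARNs and addresses are made up for the example.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventVersion": "1.08", "eventTime": "2023-05-01T10:00:00Z", "eventCategory": "Management",
     "eventType": "AwsConsoleSignIn", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"},
     "sourceIPAddress": "198.51.100.7", "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventVersion": "1.08", "eventTime": "2023-05-01T10:05:00Z", "eventCategory": "Management",
     "eventType": "AwsConsoleSignIn", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"},
     "sourceIPAddress": "203.0.113.5", "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "Yes"}},
] + [
    # three denied S3 object reads by the same user: a data-plane event
    {"eventVersion": "1.08", "eventTime": f"2023-05-01T10:1{i}:00Z", "eventCategory": "Data",
     "eventType": "AwsApiCall", "eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"},
     "sourceIPAddress": "203.0.113.5", "errorCode": "AccessDenied"}
    for i in range(3)
] + [
    {"eventVersion": "1.08", "eventTime": "2023-05-01T10:20:00Z", "eventCategory": "Management",
     "eventType": "AwsApiCall", "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::111122223333:assumed-role/Ops/bob"},
     "sourceIPAddress": "203.0.113.9"},
    {"eventVersion": "1.08", "eventTime": "2023-05-01T10:21:00Z", "eventCategory": "Management",
     "eventType": "AwsApiCall", "eventSource": "iam.amazonaws.com", "eventName": "CreateUser",
     "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::111122223333:assumed-role/Ops/bob"},
     "sourceIPAddress": "203.0.113.9", "errorCode": "AccessDenied"},
]})


def load_records(log_text):
    return json.loads(log_text)["Records"]


def is_root_activity(record):
    """Root credentials used directly (not an AWS service acting on the account's behalf)."""
    ident = record.get("userIdentity", {})
    return (ident.get("type") == "Root" and "invokedBy" not in ident
            and record.get("eventType") != "AwsServiceEvent")


def is_console_login_without_mfa(record):
    return (record.get("eventName") == "ConsoleLogin"
            and record.get("responseElements", {}).get("ConsoleLogin") == "Success"
            and record.get("additionalEventData", {}).get("MFAUsed") != "Yes")


def analyze(records, denied_threshold=3):
    """Run the three checks and count management vs data events."""
    findings = {"root_activity": [], "console_login_without_mfa": [], "access_denied_bursts": {},
                "management_events": 0, "data_events": 0}
    denied = Counter()
    for r in records:
        who = r.get("userIdentity", {}).get("arn", "<unknown>")
        if r.get("eventCategory") == "Data":
            findings["data_events"] += 1
        else:
            findings["management_events"] += 1
        if is_root_activity(r):
            findings["root_activity"].append((r["eventTime"], r["eventName"], r.get("sourceIPAddress")))
        if is_console_login_without_mfa(r):
            findings["console_login_without_mfa"].append(who)
        if r.get("errorCode") in ("AccessDenied", "UnauthorizedOperation", "Client.UnauthorizedOperation"):
            denied[who] += 1
    findings["access_denied_bursts"] = {who: n for who, n in denied.items() if n >= denied_threshold}
    return findings


if __name__ == "__main__":
    print(json.dumps(analyze(load_records(SAMPLE_LOG)), indent=2))
```

The same checks run unchanged against a trail that is delivered to CloudWatch Logs; what changes is only where the records are read from. Note that the three S3 GetObject records only exist because data events were enabled on the trail, which the post's previous paragraph points out is not the default.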

Key Management Service (KMS)

AWS Key Management Service (AWS KMS) is a managed service that makes it easy for you to create and control the encryption keys used to encrypt your data.

With AWS KMS you can also perform the following cryptographic functions using master keys:

  • Encrypt, decrypt, and re-encrypt data
  • Generate data encryption keys that you can export from the service in plaintext or encrypted under a master key that doesn’t leave the service
  • Generate random numbers suitable for cryptographic applications

Customer Master Keys (CMKs)

Customer master keys are the primary resources in AWS KMS.

A customer master key (CMK) is a logical representation of a master key. The CMK includes metadata, such as the key ID, creation date, description, and key state. The CMK also contains the key material used to encrypt and decrypt data. Symmetric CMKs and the private keys of asymmetric CMKs never leave AWS KMS unencrypted.

There are three types of CMKs in AWS accounts: customer managed CMKs, AWS managed CMKs, and AWS owned CMKs.

Customer managed CMKs are CMKs in your AWS account that you create, own, and manage. You have full control over these CMKs, including establishing and maintaining their key policies, IAM policies, and grants; enabling and disabling them; rotating their cryptographic material; adding tags; creating aliases that refer to the CMK; and scheduling the CMKs for deletion.

AWS managed CMKs are CMKs in your account that are created, managed, and used on your behalf by an AWS service that is integrated with AWS KMS.

AWS owned CMKs are not in your AWS account. They are part of a collection of CMKs that AWS owns and manages for use in multiple AWS accounts. AWS services can use AWS owned CMKs to protect your data.

Data Keys

Data keys are encryption keys that you can use to encrypt data, including large amounts of data and other data encryption keys.

Data Key Pairs

Data key pairs are asymmetric data keys that consist of a mathematically-related public key and private key. They are designed to be used for client-side encryption and decryption or signing and verification outside of AWS KMS.

Asymmetric CMKs and asymmetric data key pairs are supported in all AWS Regions that AWS KMS supports except for China (Beijing) and China (Ningxia).

Encryption context is a set of key/value pairs that you can pass to AWS KMS when you call the Encrypt, Decrypt, ReEncrypt, GenerateDataKey, and GenerateDataKeyWithoutPlaintext APIs.

If you get decryption errors from KMS, it may be that the plaintext was encrypted with an encryption context and you are not providing the identical encryption context when calling the Decrypt API. Or it may be that the ciphertext you are trying to decrypt is not valid.

Envelope Keys

AWS KMS uses envelope encryption to protect data. It creates a data key, encrypts it under a CMK, and returns both the plaintext and the encrypted versions of the data key to you. AWS KMS CMKs are the fundamental resources that AWS KMS manages. CMKs never leave AWS KMS unencrypted, but data keys can.
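The envelope pattern and the encryption-context failure mode above, as an added example that is neither the original post's code nor AWS KMS itself: LocalKms stands in for the service (master key material is created inside it and never returned), and a toy encrypt-then-MAC built from HMAC-SHA256 stands in for the AEAD the real service uses, so that the example runs on the Python standard library alone. The encryption context is bound into the authentication tag, so decrypting with a different context fails the same way KMS does (InvalidCiphertextException). All names here are chosen for the example.

```python
import hashlib
import hmac
import json
import secrets


def _aad(context):
    """Encryption context, canonicalised so the same pairs always bind the same bytes."""
    return json.dumps(context or {}, sort_keys=True, separators=(",", ":")).encode("utf-8")


def _keystream(key, nonce, length):
    out = b""
    for counter in range(0, length, 32):
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:length]


def seal(key, plaintext, context=None):
    """Toy encrypt-then-MAC (stand-in for the AEAD KMS uses): nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct + _aad(context), hashlib.sha256).digest()
    return nonce + ct + tag


def open_(key, blob, context=None):
    """Verify the tag (which covers the context) before decrypting anything."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct + _aad(context), hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("InvalidCiphertextException: ciphertext or encryption context mismatch")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


class LocalKms:
    """Stand-in for the service: CMK material is created here and never returned."""

    def __init__(self):
        self._cmks = {}

    def create_key(self):
        key_id = "key-" + secrets.token_hex(8)
        self._cmks[key_id] = secrets.token_bytes(32)
        return key_id

    def generate_data_key(self, key_id, context=None):
        """GenerateDataKey: a fresh data key, returned in plaintext and wrapped under the CMK."""
        plaintext_dk = secrets.token_bytes(32)
        wrapped = key_id.encode() + b":" + seal(self._cmks[key_id], plaintext_dk, context)
        return plaintext_dk, wrapped

    def decrypt(self, wrapped, context=None):
        """Decrypt: the wrapped blob names its CMK; the context must match the one used to wrap."""
        key_id, blob = wrapped.split(b":", 1)
        return open_(self._cmks[key_id.decode()], blob, context)


def envelope_encrypt(kms, key_id, data, context):
    plaintext_dk, wrapped_dk = kms.generate_data_key(key_id, context)
    body = seal(plaintext_dk, data, context)   # bulk data never goes to KMS
    del plaintext_dk                           # keep only the wrapped copy with the data
    return {"wrapped_key": wrapped_dk, "ciphertext": body}


def envelope_decrypt(kms, envelope, context):
    data_key = kms.decrypt(envelope["wrapped_key"], context)   # one small KMS call
    return open_(data_key, envelope["ciphertext"], context)
```

The design point the example is meant to show is that the ciphertext stored with the data contains nothing that can be decrypted without a call back to the key service, and that the encryption context travels with the request, not with the ciphertext: a consumer that has the wrapped key but not the right context gets the same failure as one holding a corrupted blob.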

Signature Version 4 Signing Process

Signature Version 4 is the process for adding authentication information to AWS requests sent over HTTP. For security, most requests to AWS must be signed with an access key, which consists of an access key ID and a secret access key. These two keys are commonly referred to as your security credentials. For details on how to obtain credentials for your account, see Understanding and Getting Your Security Credentials.

Important

When you use the AWS Command Line Interface (AWS CLI) or one of the AWS SDKs to make requests to AWS, these tools automatically sign the requests for you with the security credentials you specify when you configure the tools. When you use these tools, you don’t need to learn how to sign requests yourself. However, when you manually create HTTP requests to access AWS services, you must sign requests that require signing yourself.

Trusted Advisor

AWS Trusted Advisor offers a rich set of best practice checks and recommendations across five categories: cost optimization; security; fault tolerance; performance; and service limits.

  • Cost Optimization: See how you can save money on AWS by eliminating unused and idle resources or making commitments to reserved capacity.
    • Idle ELB
    • Underutilized EBS / EC2
    • RDS Idle
  • Security: Improve the security of your application by closing gaps, enabling various AWS security features, and examining your permissions.
    • Security Groups – unrestricted ports or access
    • IAM Use
    • MFA on root
    • EBS Snapshots
    • IAM policies
  • Fault Tolerance: Increase the availability and redundancy of your AWS application by taking advantage of auto scaling, health checks, multi-AZ, and backup capabilities.
    • EBS Snapshots
    • EC2 AZ balance
    • ELB optimization
    • Auto Scaling groups
    • RDS backups / multi-AZ
    • S3 bucket logging
  • Performance: Improve the performance of your service by checking your service limits, ensuring you take advantage of provisioned throughput, and monitoring for overutilized instances.
    • High utilization of EC2
    • EBS provisioned IOPS
    • Large number of rules in Security Group
    • EC2 and EBS throughput optimization
  • Service Limits: Checks for service usage that is more than 80% of the service limit. Values are based on a snapshot, so your current usage might differ. Limit and usage data can take up to 24 hours to reflect any changes.

AWS Config

AWS Config is a service that enables you to assess, audit, and evaluate the configurations of your AWS resources. Config continuously monitors and records your AWS resource configurations and allows you to automate the evaluation of recorded configurations against desired configurations.

Common Use Cases

  • Audit and Compliance
    • Maintain history of configuration changes, verify configuration changes do not violate policies
  • Operational Governance
    • DevOps compliance, cost optimization (terminate unused resources)
  • Security Intelligence
    • Security incident/breach analysis, identify unencrypted resources
  • Integration with ITSM / CMDB
    • Integrate with asset/inventory management systems, change management, incident management
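The "evaluate recorded configurations against desired configurations" idea from the introduction, as an added example that is not the original post's code and not an AWS-provided managed rule: a custom AWS Config rule in Python that flags security groups exposing blocked ports to the world and unencrypted EBS volumes, two of the use cases listed above. The configuration items are constructed (resource ids and timestamps are made up), the handler mirrors the invokingEvent/ruleParameters event shape a custom rule Lambda receives, and the put_evaluations call that a deployed rule would make is mentioned in a comment rather than made.

```python
import json

# Constructed configuration items in the shape AWS Config records (the camelCase
# "configuration" mirrors the EC2 API). Resource ids and timestamps are made up.
def _item(rtype, rid, configuration, status="OK"):
    return {"resourceType": rtype, "resourceId": rid, "configurationItemStatus": status,
            "configurationItemCaptureTime": "2023-05-01T10:00:00.000Z", "configuration": configuration}


def _ingress(port, cidr):
    return {"ipProtocol": "tcp", "fromPort": port, "toPort": port,
            "ipRanges": [{"cidrIp": cidr}], "ipv6Ranges": []}


OPEN_SSH_SG = _item("AWS::EC2::SecurityGroup", "sg-0example1",
                    {"ipPermissions": [_ingress(22, "0.0.0.0/0"), _ingress(443, "0.0.0.0/0")]})
HTTPS_ONLY_SG = _item("AWS::EC2::SecurityGroup", "sg-0example2",
                      {"ipPermissions": [_ingress(443, "0.0.0.0/0"), _ingress(22, "10.0.0.0/8")]})
PLAIN_VOLUME = _item("AWS::EC2::Volume", "vol-0example1", {"encrypted": False})
ENCRYPTED_VOLUME = _item("AWS::EC2::Volume", "vol-0example2", {"encrypted": True})

WORLD = ("0.0.0.0/0", "::/0")


def open_to_world(permission, port):
    """True if this ingress rule lets any address reach `port` (protocol -1 means all ports)."""
    proto = permission.get("ipProtocol")
    lo, hi = permission.get("fromPort"), permission.get("toPort")
    in_range = proto == "-1" or (lo is not None and lo <= port <= hi)
    sources = ([r.get("cidrIp") for r in permission.get("ipRanges", [])]
               + [r.get("cidrIpv6") for r in permission.get("ipv6Ranges", [])])
    return in_range and any(s in WORLD for s in sources)


def evaluate_item(item, params):
    """Return one evaluation in the shape PutEvaluations expects."""
    ports = [int(p) for p in params.get("blockedPorts", "22,3389").split(",")]
    rtype, config = item["resourceType"], item.get("configuration") or {}
    if item.get("configurationItemStatus") == "ResourceDeleted":
        compliance, note = "NOT_APPLICABLE", "resource deleted"
    elif rtype == "AWS::EC2::SecurityGroup":
        exposed = sorted({p for perm in config.get("ipPermissions", [])
                          for p in ports if open_to_world(perm, p)})
        compliance = "NON_COMPLIANT" if exposed else "COMPLIANT"
        note = f"ports open to the world: {exposed}" if exposed else "no blocked port is world-reachable"
    elif rtype == "AWS::EC2::Volume":
        compliance = "COMPLIANT" if config.get("encrypted") else "NON_COMPLIANT"
        note = "encrypted at rest" if config.get("encrypted") else "volume is not encrypted"
    else:
        compliance, note = "NOT_APPLICABLE", f"rule does not cover {rtype}"
    return {"ComplianceResourceType": rtype, "ComplianceResourceId": item["resourceId"],
            "ComplianceType": compliance, "Annotation": note[:256],   # Annotation is capped at 256 chars
            "OrderingTimestamp": item["configurationItemCaptureTime"]}


def make_event(item, params=None, result_token="constructed-token"):
    """Build the event a custom rule Lambda receives (JSON strings, as Config sends them)."""
    return {"invokingEvent": json.dumps({"configurationItem": item,
                                         "messageType": "ConfigurationItemChangeNotification"}),
            "ruleParameters": json.dumps(params or {}), "resultToken": result_token}


def lambda_handler(event, context=None):
    invoking = json.loads(event["invokingEvent"])
    params = json.loads(event.get("ruleParameters") or "{}")
    evaluation = evaluate_item(invoking["configurationItem"], params)
    # In a deployed rule this list goes to
    # config.put_evaluations(Evaluations=[evaluation], ResultToken=event["resultToken"]).
    return [evaluation]
```

Keeping the decision in evaluate_item, separate from the Lambda plumbing, is what makes the rule testable offline against recorded configuration items; the same function can be run over an aggregator's export to get a compliance picture across accounts before the rule is deployed anywhere.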

Config Aggregator

An aggregator is an AWS Config resource type that collects AWS Config configuration and compliance data from the following:

  • Multiple accounts and multiple regions.
  • Single account and multiple regions.
  • An organization in AWS Organizations and all the accounts in that organization which have AWS Config enabled.

Use an aggregator to view the resource configuration and compliance data recorded in AWS Config.

An aggregator collects AWS Config data from multiple accounts and regions.

Advanced Queries

You can use AWS Config to query the current configuration state of AWS resources based on configuration properties for a single account and Region or across multiple accounts and Regions. You can perform ad hoc, property-based queries against current AWS resource state metadata across all resources that AWS Config supports. The advanced query feature provides a single query endpoint and a powerful query language to get current resource state metadata without performing service-specific describe API calls. You can use configuration aggregators to run the same queries from a central account across multiple accounts and AWS Regions.
