Quick reference for AWS Security speciality certification

aws-security-notes.md

KMS

• Highly available key generation, storage, management, and auditing solution to encrypt or digitally sign data within applications or control the encryption of data across AWS services.

• Enable Private DNS Name makes the standard AWS KMS DNS hostname (https://kms.region.amazonaws.com) resolve to VPC endpoint.

• Supports Symmetric (256-bit key that is used for encryption and decryption) and Asymmetric CMKs (an RSA key pair that is used for encryption and decryption or signing and verification but not both, or an elliptic curve (ECC) key pair that is used for signing and verification).

• Asymmetric customer managed CMKs - the key material can only be generated within AWS KMS HSMs and no option for automatic key rotation.

• Symmetric CMKs and the private keys of Asymmetric CMKs never leave AWS KMS unencrypted and AWS KMS does not store, manage, or track data keys.

• Cryptographic Operations

  • Decrypt, Encrypt, GenerateDataKey, GenerateDataKeyPair, GenerateDataKeyPairWithoutPlaintext, GenerateDataKeyWithoutPlaintext, GenerateRandom, ReEncrypt, Sign, Verify
  • GenerateRandom does not use any CMK.

• Customer Master Key (CMK)

  • Logical representation of a master key.
  • Includes metadata, such as the key ID, creation date, description, and key state.
  • Contains the key material used to encrypt and decrypt data. Cannot be changed.
  • Alias - friendly name. Can be used in KMS operations (including cryptographic). Use single alias to refer to different CMKs in different Region. Can add, change, and delete an alias without affecting the associated CMK.

• AWS Managed CMK

  • Partial control. Track in account, choose which ones to use, track usage via Cloudtrail.
  • Mandatory rotation in 1095 days/3 yrs.
  • No monthly fee.
  • Do not count against resource quotas on the number of CMKs in each Region.
  • DescribeKey API response, the KeyManager value is AWS.
  • Cannot edit the key policy.

• Customer Managed CMK

  • Full control. Define access control and usage policy for each key, grant permissions to other accounts and services.
  • Key material can be generated in KMS, CloudHSM or be from outside AWS.
  • Optional rotation 365 days/1 yr.
  • Incur a monthly fee and a fee for use in excess of the free tier.
  • Counted against quota for number of CMKs in each Region.
  • DescribeKey API response, the KeyManager value is Customer.
  • Use key policy to add, remove, or change permissions at any time.

• AWS owned CMK

  • CMKs that an AWS service owns and manages for use in multiple AWS accounts.
  • Not in your AWS account but AWS service can use it to protect the resources in account.

• Key Rotation

  • Manual only - asymmetric, CMK with imported key material, CMKs in custom key stores (ex- using CloudHSM).
  • Automatic - yearly for customer managed CMK (disabled by default).

• Key Deletion

  • Schedule key deletion - 7 days (min) to 30 days (max, default).
  • Key scheduled for deletion cannot be used for cryptographic operations.
  • CMK with imported key material - can delete the key material immediately. CMK can be re-enabled by reimporting the key material.
  • Deleted CMK may not impact mounted encrypted EBS immediately as EC2 uses plain data-key in memory to manage I/O. The EBS cannot be reused as next mount option will fail.

• Grants - very specific, easy to create/revoke. Useful to provide temporary or granular permissions on CMKs.

  $ aws kms create-grant \
      --key-id 1234abcd-12ab-34cd-56ef-1234567890ab \
      --grantee-principal arn:aws:iam::111122223333:user/exampleUser \
      --retiring-principal arn:aws:iam::111122223333:role/adminRole \
      --operations GenerateDataKey \
      --constraints EncryptionContextEquals={Purpose=Test}
  

• Key Policies - This policy delegates all access to IAM, root does not necessarily represent the root user here. Refer

  {
    "Sid": "Enable IAM User Permissions",
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
    "Action": "kms:*",
    "Resource": "*"
  }
  

• Envelope Encryption

  • Encrypting plaintext data with a data key, and then encrypting the data key under another key.
  • Protects keys - safe to store the encrypted data key alongside the encrypted data.
  • Encrypting the same data under multiple master keys - instead of re-encrypting raw data multiple times with different keys, re-encrypt only the data keys that protect the raw data.
  • Combining the strengths of multiple algorithms.

• Encryption Context

  • (Optional) Key–value pairs containing additional contextual information (AAD) about the data.
  • Same encryption context is required to decrypt (or decrypt and re-encrypt) the data as provided while encypting it.
  • Not secret, appears in plaintext in CloudTrail.
  • Do not use for sensitive data.
  • Use to limit access to CMKs. Use as a constraint in grants and as a condition in policy statements.
  • Example - encrypted EBS snapshots use volume-id as encryption context.

CloudHSM

• Securely generate, store, and manage cryptographic keys used for data encryption.
• Keys are accessible only by you (owner).
• Each HSM appears as a network resource in VPC. Can only be provisioned within a VPC.
• No free tier.
• No reserved instance pricing.
• Physical and digital tamper detection.

IAM

• Always pick temporary credential option like IAM Role over long term access like Access Key/Secret Key.
• Least Permission model - never assign more than the bare minimum required permissions.
• MFA on root - must.
• AWS Org SCP policy can deny actions to member account root users.
• Policy evaluation flow = deny all > org scp > resource based policy > iam permission boundary > session policy > identity based policy.
• Confused Deputy - always use an externalId when allowing third party to assume IAM role in your account.

S3

• Bucket ACL

  • Grant basic read/write permissions to other AWS accounts. Limited permissions available.
  • Cannot grant permissions to users in same account.
  • Cannot grant conditional permissions.
  • Cannot explicitly deny permissions.

• Object ACL

• Bucket Policy

• IAM Policy

• SSE-S3

  • S3 manages the data and master encryption keys.

• SSE-C

  • Customer manages the encryption key.

• SSE-KMS

  • AWS manages the data key but customer manages the master key (CMK) in AWS KMS.

  • The AWS KMS CMK must be in the same Region as the bucket.

  • All GET and PUT requests for an object protected by AWS KMS fail if they are not made via SSL or TLS, or without SigV4.

  • Bucket Keys

    • Used to create unique data keys for objects.
    • Used for a time-limited period within Amazon S3, reducing the need to make requests to KMS to complete encryption operations.
    • Reduces the cost of KMS operations.
    • S3 uses the bucket ARN as the encryption context instead of the object ARN if using bucket keys.

  • Replication

    • If source object uses S3 Bucket Keys & destination bucket uses default encryption, replica object maintains its S3 Bucket Key encryption settings in the destination bucket.
    • If source object is not encrypted & destination bucket uses S3 Bucket Key with SSE-KMS, replica object is encrypted with an S3 Bucket Key using SSE-KMS. This results in the ETag of the source object being different from the ETag of the replica object.

ACM

• Public/private SSL/TLS certs for AWS services and other internal connected resources. Auto renewals for ACM issued certs.
• Not for imported 3rd party certs.
• Cannot issue or renew certificates using DNS validation if CNAME record is removed.
• Contact support to revoke a public issued cert via ACM.
• ACM issued certs cannot be copied between regions.
• ACM does not have an SLA.
• Public ACM certificates can be used only with specific AWS services.
• To use an ACM certificate with Amazon CloudFront, request the certificate in the US East (N. Virginia).
• Private Certs
  • Secure communication between connected resources on private networks.
  • Private CA renews the cert, but user needs to retrieve and depoy to the private resources.
  • Steps -
    • Install OpenSSL & Generate private key.
    • Generate CSR with the new key.
    • Call ACM issue-certificate with CSR.
    • Call ACM get-certificate to get the issued private cert.
    • Required IAM Permissions - acm-pca:GetCertificate and acm:IssueCertificate.

AWS Web Application Firewall (WAF)

• Configure rules to allow, block, or monitor (count) web requests based on defined conditions - IP addresses, HTTP headers, HTTP body, URI strings, SQL injection and cross-site scripting.
• Runs on edge if applied to CloudFront.
• Runs in region if applied to API GW, ALB, AppSync etc.
• Rate-based rule - allow spefic number of hits for particular condition (IP, Path, Headers or a combination). Mitigate DDoS.
• Configure a “count” action for rules, which counts the number of web requests that meet rule conditions.
• Managed rules - OWASP, bots, or CVEs.

Amazon Macie

• Detects sensitive data like including personally identifiable information (PII) such as names, addresses, and credit card numbers.
• Supports custom-defined data types using regular expressions.
• Constant visibility of the data security and data privacy of data stored in Amazon S3.
• Regional service - needs to be enabled per region.
• Can also be enabled from AWS Org for multiple accounts.

AWS Trusted Advisor

• Automated weekly checks for business/enterprise support accounts and email notifications.
• Basic support - S3 Bucket Permissions, Security Groups - Specific Ports Unrestricted, IAM Use, MFA on Root Account, EBS Public Snapshots, RDS Public Snapshots. Other supports - full access.
• Does not monitor continuously - periodic refreshes.

AWS CloudTrail

• GUI - Last 90 days' events (management events) for current region.

• For >90 days visibility configure a CloudTrail trail.

• A CloudTrail trail can deliver CloudTrail events to Amazon S3, Amazon CloudWatch Logs, and Amazon CloudWatch Events.

• Data Events, Management Events, Read-Only Events.

• Trail for all regions will capture any newly created regions as well.

• 5 Trails/region.

• Captures auto/manual trusted advisor check refreshes.

• Unsuccessful sign-in events by the root user are not logged by CloudTrail.

• Does not log HSM device or access logs. These are available in CloudWatch Logs.

• AWS does not log the entered IAM user name text when the sign-in failure is caused by an incorrect user name. The user name text is masked by the value HIDDEN_DUE_TO_SECURITY_REASONS.

• Has a history of all AWS WAF API calls made on account.

• Deliver logs to S3

  • Encrypted with SSE-S3 by default. Can be configured to use SSE-KMS too.
  • CloudTrail must have the required permissions on bucket. Attach a policy for using existing bucket.
  • It cannot be a Requester Pays bucket.
  • CloudTrail automatically attaches the required permissions to a new bucket when creating or updating a trail from console.
  • Older bucket policy using CloudTrail account IDs for each region (New use service principle cloudtrail.amazonaws.com) can cause log delivery issues.
  • A bucket policy with an incorrect prefix can prevent cloudtrail from delivering logs.

AWS Config

• Fully managed service that provides AWS resource inventory, configuration history, and configuration change notifications to enable security and governance.

• Config rules

  • Desired config for a resource. Evaluated against config changes on relevant resources, as recorded by AWS Config.
  • AWS managed or Customer managed.
  • 150 rule limit - can submit an extension request.
  • Change-triggered rule (based on tag, resource type or resource id) or a periodic rule (1,3,6,12,24 hrs).
  • Try to update the rule (& lambda) instead of deleting it and creating a new rule. New rule result in charges.

• Conformance pack

  • Collection of Config rules and remediation actions.
  • A framework to build and deploy compliance packages.
  • Deploy at scale across accounts.

• Resource configuration history

  • Relate config changes with AWS CloudTrail events that made the change.
  • Useful to get info like “Who made the change?”, “From what IP address?”

• AWS Security Hub vs AWS Config conformance packs - If compliance is already present in AWS Security Hub, then it is the easiest way to operationalize it. Go with Config conformance pack if need is to have something custom.

• Aggregate AWS Config data from multiple accounts and regions into a single account and a single region. However it cannot be used for provisioning rules across multiple accounts. It is purely a reporting capability.

• Also record configuration changes to Operating System updates, network configuration, installed applications, etc within EC2 instances, virtual machines (VMs), or on-prem servers.

• AWS Config sends notifications only when the compliance status changes. If a resource was previously non-compliant and is still non-compliant, Config will not send a new notification. If the compliance status changes to “compliant”, you will receive a notification for the change in status.

• Does not evaluate rules prior to provisioning a resource or prior to making configuration changes on the resource.

• Does not guarantee that resources will be compliant or prevent users from taking non-compliant actions. Can make them compliant after the change though via remediation actions.

• Can connect to ServiceNow and Jira Service Desk instances to AWS Config using AWS Service Management Connector.

Amazon Inspector

• Automated security assessment service that can test the network accessibility of EC2 instances and the security state of applications running on the EC2.
• Agent needed on EC2 for Host assessment. Rules packages include Common Vulnerabilities and Exposures (CVE), Center for Internet Security (CIS) Operating System configuration benchmarks, and security best practices.
• No agent necessary for the network reachability rules package that checks for network accessibility of EC2.
• Only the pre-defined rules are currently allowed for assessment runs. No custom rules possible.
• Generates a findings report (exec summary) or a full report (complete details) after assessment run.
• Periodic - Set up custom schedules with either a fixed recurring rate or a more detailed Cron expression through CloudWatch Events.
• Event based - Use Amazon CloudWatch Events to create event patterns which monitor other AWS services for actions to trigger an assessment.

Cloudwatch

• EC2 instance agent to send application logs to cloudwatch.
• Errors
  • Log rotation method not supported.
  • No internet connectivity to cloudwatch API.
  • Fingerprinting - log-identifying hash.
  • Permission - no access via role, no role etc.
  • Timestamp - events do not begin with timestamp, log path incorrect, cannot push from multiple logs to a single log stream.

AWS GuardDuty

• Analyzes continuous streams of meta-data generated and network activity in AWS CloudTrail, Amazon VPC Flow Logs, and DNS Logs.
• Threat intelligence such as known malicious IP addresses, anomaly detection etc.
• Identify threats such as attacker reconnaissance, instance compromise, account compromise, and bucket compromise.
• GuardDuty security findings remain in the same region where the underlying data was generated.
• Aggregation - self managed via CloudWatch Events, S3 etc.
• Multiple account feature - All security findings are aggregated to master account for review and remediation. CloudWatch Events are also aggregated to master account in this case.
• GuardDuty cannot access and process data from a 3rd party DNS resolver (non Route53).

VPC

• Security Groups

  • Stateful - need only inbound rule, outbound is allowed if inbound is allowed.
  • Use if need to allow an IP.

• Network Access Control Lists (NACL)

  • Stateless - need both inbound/outbound rule to allow traffic
  • Use if need to block an IP

• Flow Logs

  • Abstracted data - do not allow for full package reconstruction
  • Capture source/destination IP, ports, protocol, start/end time, no of packets, no of bytes, action etc.

EC2

• Disable source/destination check attribute for instances running services such as network address translation, routing, or a firewall. Enabled by default.
• IPtables can be used to restrict access to ec2 metadata service. Prefer access rules over deny rules.
• Launch the instance with --metadata-options set to HttpEndpoint=disabled to disable metadata service.
• Packet capture - Marketplace AMI, route all traffic though it.
• AWS does not support virtual instances running in promiscuous mode.
• Select ciphers to use for SSL connections by creating a custom ELB security policy (cannot edit default).

AD Authentication

• Reference

DynamoDB Encryption

• Server-side encryption

  • By default - encrypts all tables, cannot be disabled.
  • Uses AWS owned CMK.
  • Encrypts all table and related data incl primary keys, local/secondary indexes, backups, global tables etc.

• DynamoDB Encryption Client

  • Does not encrypt entire items. primary keys, attributes are still in plain text.
  • Customer managed CMK (incl custom crypographic data from cloudHSM).
  • Use with Java/Python.

Others

• AWS Artifact - audit artifact retrieval portal that provides AWS’ compliance documentation and AWS agreements.

REFERENCES

• AWS Security Best Practices
• AD Authentication FLow
• Security related trainings
• Exam Readiness
• Sample Question
• Exam Guide