
AWS Security & Encryption

ayleeee 2024. 4. 18. 00:15

Why encryption?

Encryption in flight (TLS/SSL)

  • Data is encrypted before sending and decrypted after receiving
  • TLS certificates help with encryption
  • Encryption in flight ensures no MITM (man-in-the-middle) attack can happen

Server-side encryption at rest

  • Data is encrypted after being received by the server
  • Data is decrypted before being sent
  • It is stored in an encrypted form thanks to a key
  • The encryption/decryption keys must be managed somewhere, and the server must have access to them

Client-side encryption

  • Data is encrypted by the client and never decrypted by the server
  • Data will be decrypted by a receiving client
  • The server should not be able to decrypt the data
  • Could leverage Envelope Encryption

AWS KMS(Key Management Service)

  • Anytime you hear "encryption" for an AWS service, it's most likely KMS
  • AWS manages encryption keys for us
  • Fully integrated with IAM for authorization
  • Easy way to control access to your data
  • Able to audit KMS Key usage using CloudTrail
  • Seamlessly integrated into most AWS services
  • Never ever store your secrets in plaintext, especially in your code
  • KMS Key Types
    • KMS Key is the new name of the KMS Customer Master Key (CMK)
    • Symmetric (AES-256 Keys)
      • Single encryption key that is used to Encrypt & Decrypt
      • AWS services that are integrated with KMS use Symmetric CMKs
      • You never get access to the KMS Key unencrypted (you must call the KMS API to use it)
    • Asymmetric (RSA & ECC key pairs)
      • Public & Private Key pair
      • Used for Encrypt/Decrypt, or Sign/Verify operations
      • The public key is downloadable, but you can't access the Private Key unencrypted
    • Automatic Key rotation
      • AWS-managed KMS Key : automatic every 1 year
      • Customer-managed KMS key : automatic every 1 year
      • Imported KMS Key : only manual rotation possible using alias
  • KMS Key Policies
    • Control access to KMS keys, "similar" to S3 bucket policies
    • Difference : unlike S3 bucket policies, you cannot control access to a KMS key without a key policy
  • KMS Multi-Region Keys
    • Identical KMS keys in different AWS Regions that can be used interchangeably
    • Multi-Region keys have the same key ID, key material, automatic rotation
    • Encrypt in one Region and decrypt in other Regions
    • No need to re-encrypt or make cross-Region API calls
    • KMS Multi-Region keys are NOT global
    • Each Multi-Region key is managed independently
  • SSM Parameter Store
    • Secure storage for configuration and secrets
    • Optional Seamless Encryption using KMS
    • Serverless, scalable, durable, easy SDK
    • Version tracking of configurations / secrets
    • Security through IAM
    • Notifications with Amazon EventBridge
    • Integration with CloudFormation
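The "Could leverage Envelope Encryption" and "Never get access to the KMS Key unencrypted" points above, worked through as an added example (not code from the original notes or from AWS). FakeKms, seal/unseal and the client_encrypt/client_decrypt names are invented here; the data-key cipher is an HMAC-SHA256 keystream with an encrypt-then-MAC tag standing in for the AES-256-GCM that KMS and the AWS Encryption SDK use, so it shows the envelope pattern, not production cryptography.

```python
import hashlib
import hmac
import secrets

def _subkeys(key):
    # Derive separate encryption and MAC keys from one 256-bit key.
    return [hmac.new(key, label, hashlib.sha256).digest() for label in (b"enc", b"mac")]

def _keystream(key, nonce, length):
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def seal(key, plaintext):
    """Encrypt-then-MAC stand-in for AES-256-GCM; returns nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed: wrong key or tampered data")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))

class FakeKms:
    """Stand-in for the KMS API surface: the master key never leaves this object."""
    def __init__(self):
        self._master_key = secrets.token_bytes(32)

    def generate_data_key(self):
        # Like GenerateDataKey: the plaintext data key (use once, then discard) plus its wrapped copy.
        data_key = secrets.token_bytes(32)
        return data_key, seal(self._master_key, data_key)

    def decrypt(self, wrapped_data_key):
        return unseal(self._master_key, wrapped_data_key)

def client_encrypt(kms, plaintext):
    # Envelope: the data key encrypts the object; KMS only ever wraps the data key.
    data_key, wrapped = kms.generate_data_key()
    return {"encrypted_data_key": wrapped, "ciphertext": seal(data_key, plaintext)}

def client_decrypt(kms, envelope):
    data_key = kms.decrypt(envelope["encrypted_data_key"])  # one small KMS call per object
    return unseal(data_key, envelope["ciphertext"])
```

The envelope (wrapped data key plus ciphertext) is what a server or S3 bucket stores; without a KMS Decrypt call on the wrapped key, which IAM and the key policy gate, the stored bytes are unreadable.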

AWS Secrets Manager

  • Newer service, meant for storing secrets
  • Capability to force rotation of secrets every X days
  • Automate generation of secrets on rotation
  • Integration with Amazon RDS
  • Secrets are encrypted using KMS
  • Mostly meant for RDS integration
  • Multi-Region Secrets
    • Replicate Secrets across multiple AWS Regions
    • Secrets Manager keeps read replicas in sync with the primary Secret
    • Ability to promote a read replica Secret to a standalone Secret

AWS Certificate Manager

  • Easily provision, manage, and deploy TLS Certificates
  • Provide in-flight encryption for websites
  • Supports both public and private TLS certificates
  • Free of charge for public TLS certificates
  • Automatic TLS certificate renewal
  • Integrations with
    • Elastic Load Balancers
    • CloudFront Distributions
    • APIs on API Gateway
      • Edge-Optimized(default) : For global clients
        • Requests are routed through the CloudFront Edge locations
        • The API Gateway still lives in only one region
      • Regional
        • For clients within the same region
        • Could manually combine with CloudFront
      • Private
        • Can only be accessed from your VPC using an interface VPC endpoint
        • Use a resource policy to define access
  • Cannot use ACM with EC2

AWS WAF - Web Application Firewall

  • Protects your web applications from common web exploits
  • Layer 7 is HTTP
  • Deploy on
    • Application Load Balancer
    • API Gateway
    • CloudFront
    • AppSync GraphQL API
    • Cognito User Pool
  • Define Web ACL Rules :
    • IP sets
    • HTTP headers, HTTP body, or URL strings; protects from common attacks such as SQL injection and Cross-Site Scripting
    • Size constraints, geo-match (block countries)
    • Rate-based rules - for DDoS protection
  • Web ACL are Regional except for CloudFront
  • A rule group is a reusable set of rules that you can add to a web ACL
  • Fixed IP while using WAF with a Load Balancer
    • WAF does not support the Network Load Balancer
    • We can use Global Accelerator for fixed IP and WAF on the ALB
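The "Rate-based rules - for DDoS protection" point above, replayed over a constructed access log as an added example (not AWS code and not from the original notes). The rule's window (300 s), limit (5), the log lines and the RateBasedRule/run_rule names are constructed here; real WAF rate-based rules evaluate per source IP over a 5-minute period and keep blocking while the count stays above the configured limit.

```python
from collections import defaultdict, deque
from datetime import datetime

# Constructed example values: count requests per source IP over a trailing
# window and block while the count is above the limit.
WINDOW_SECONDS = 300
LIMIT = 5

# Constructed access log: "<timestamp> <client-ip> <method> <path> <status>".
SAMPLE_LOG = """\
2024-04-18T00:15:00Z 198.51.100.24 GET / 200
2024-04-18T00:15:01Z 203.0.113.7 POST /login 401
2024-04-18T00:15:02Z 203.0.113.7 POST /login 401
2024-04-18T00:15:03Z 203.0.113.7 POST /login 401
2024-04-18T00:15:04Z 203.0.113.7 POST /login 401
2024-04-18T00:15:05Z 203.0.113.7 POST /login 401
2024-04-18T00:15:06Z 203.0.113.7 POST /login 401
2024-04-18T00:15:07Z 198.51.100.24 GET /products 200
2024-04-18T00:15:08Z 203.0.113.7 POST /login 401
2024-04-18T00:25:00Z 203.0.113.7 GET / 200
"""

class RateBasedRule:
    """Per-IP sliding-window counter; returns the WAF action for each request."""
    def __init__(self, limit=LIMIT, window=WINDOW_SECONDS):
        self.limit, self.window = limit, window
        self._hits = defaultdict(deque)  # ip -> timestamps still inside the window

    def evaluate(self, ip, ts):
        hits = self._hits[ip]
        hits.append(ts)
        while (ts - hits[0]).total_seconds() >= self.window:  # drop requests that aged out
            hits.popleft()
        return "BLOCK" if len(hits) > self.limit else "ALLOW"

def parse_line(line):
    ts, ip, method, path, status = line.split()
    return datetime.fromisoformat(ts.replace("Z", "+00:00")), ip, method, path, status

def run_rule(log_text, limit=LIMIT, window=WINDOW_SECONDS):
    """Replay the log through the rule; returns [(ip, action), ...] in log order."""
    rule = RateBasedRule(limit, window)
    return [(ip, rule.evaluate(ip, ts)) for ts, ip, *_ in map(parse_line, log_text.strip().splitlines())]

def blocked_ips(decisions):
    return {ip for ip, action in decisions if action == "BLOCK"}
```

In the sample, 203.0.113.7 is blocked from its sixth request onward and allowed again once its earlier requests age out of the window, while the low-rate client is never affected.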

AWS Shield : protect from DDoS Attack

  • DDoS : Distributed Denial of Service - many requests at the same time
  • AWS Shield Standard :
    • Free service that is activated for every AWS customer
    • Provides protection from attacks such as SYN/UDP Floods, Reflection attacks and other layer 3 / layer 4 attacks
  • AWS Shield Advanced:
    • Optional DDoS mitigation service
    • Protects against more sophisticated attacks on EC2, ELB, CloudFront, Global Accelerator, and Route 53
    • 24/7 access to the AWS DDoS Response Team
    • Protects against higher fees during usage spikes due to DDoS
    • Shield Advanced automatic application layer DDoS mitigation automatically creates, evaluates and deploys AWS WAF rules to mitigate layer 7 attacks

AWS Firewall Manager

  • Manage rules in all accounts of an AWS Organization
  • Security policy : common set of security rules
    • WAF rules
    • AWS shield advanced
    • security groups for EC2, Application Load Balancer and ENI resources in VPC
    • AWS Network Firewall
    • Amazon Route 53 Resolver DNS firewall
    • Policies are created at the region level
  • Rules are applied to new resources as they are created across all current and future accounts in your Organization

WAF vs Firewall Manager vs Shield

  • WAF, Shield and Firewall Manager are used together for comprehensive protection
  • Define your WEB ACL rules in WAF
  • For granular protection of your resources, WAF alone is the correct choice
  • If you want to use AWS WAF across accounts, accelerate WAF configuration, automate the protection of new resources, use Firewall Manager with AWS WAF
  • Shield Advanced adds additional features on top of AWS WAF, such as dedicated support from the Shield Response Team (SRT) and advanced reporting
  • If you're prone to frequent DDoS attacks, consider purchasing Shield Advanced

Amazon GuardDuty

  • Intelligent Threat discovery to protect your AWS Account
  • Uses Machine Learning algorithms, anomaly detection, 3rd party data
  • One click to enable, no need to install software
  • Input data includes :
    • CloudTrail Events Logs
    • VPC Flow Logs
    • DNS Logs
    • Optional Features
  • Can setup EventBridge rules to be notified in case of findings
  • EventBridge rules can target AWS Lambda or SNS
  • Can protect against CryptoCurrency attacks

Amazon Inspector

  • Automated Security Assessments
  • Reporting & integrations with AWS Security Hub
  • Send findings to Amazon EventBridge
  • ONLY FOR EC2, Container Images & Lambda functions
  • Continuous scanning of the infrastructure, only when needed
  • Package vulnerabilities - database of CVEs
  • Network reachability
  • A risk score is associated with all vulnerabilities for prioritization

AWS Macie

  • Fully managed data security and data privacy service that uses machine learning and pattern matching to discover and protect your sensitive data in AWS
  • Helps identify and alert you to sensitive data, such as personally identifiable information
