Modified External Notes

Module 1: Introduction to Bastion Hosts

Bastion Host → “Jump Box”: sits in the public subnet and is the hop into the private subnet.

The user needs access to both the jump box and the private instance.

Private keys should never be stored on this server.

SSH agent forwarding - research

Module 2: Virtual Private Networks

A VPN routes your traffic to its destination through the VPN server itself.

Something similar to a proxy.

In corporate environments, a VPN is used to connect to instances in the private subnet.

The VPN server resides in the public subnet, and you route your traffic via the VPN server to instances in the private subnet.

vpn (1).png

Module 3: Site to Site VPN Tunnels

A Site to Site (S2S) VPN allows two networking domains to communicate securely between each other over an untrusted network like the Internet.

The two sites can be AWS and an on-premises data center, or even two different VPCs.

CGW (Customer Gateway) is just the termination point on the customer side: a firewall, a router, whatever.

A Virtual Private Gateway (VGW) has built-in high availability for the VPN connection.

AWS automatically creates two HA endpoints, each in a different AZ; the HA is managed by AWS.

You must add routes to the route table to be able to reach on-prem!!

Module 4: VPC Peering

VPC peering is a network connection between two VPCs that enables communication between instances in both VPCs.

VPC Peering is now possible between regions.

Unsupported VPC Peering Configurations - 1

You cannot create a VPC peering connection between VPCs with matching or overlapping IPv4 CIDR blocks.

Unsupported VPC Peering Configurations - 2

You have a VPC peering connection between VPC A and VPC B (pcx-aaaabbbb), and between VPC A and VPC C (pcx-aaaacccc).

There is no VPC peering connection between VPC B and VPC C. You cannot route packets directly from VPC B to VPC C through VPC A.
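Both unsupported configurations above can be checked mechanically. The following is an added example (not part of the original notes): the VPC ids and CIDR blocks are hypothetical, the peering ids are the pcx-aaaabbbb / pcx-aaaacccc pair from the note, and the reachability rule encodes the fact that peering is not transitive, which a plain graph search would get wrong.

```python
import ipaddress
from typing import Set

# Constructed VPCs and their IPv4 CIDR blocks (hypothetical values).
VPCS = {
    "vpc-a": "10.0.0.0/16",
    "vpc-b": "10.1.0.0/16",
    "vpc-c": "10.2.0.0/16",
    "vpc-d": "10.0.128.0/17",   # overlaps vpc-a, so peering with it is refused
}

# Constructed peering connections, keyed by the pcx ids used in the note: A<->B and A<->C only.
PEERINGS = {
    "pcx-aaaabbbb": ("vpc-a", "vpc-b"),
    "pcx-aaaacccc": ("vpc-a", "vpc-c"),
}


def cidrs_overlap(cidr1: str, cidr2: str) -> bool:
    """Unsupported configuration 1: matching or overlapping IPv4 CIDR blocks."""
    return ipaddress.ip_network(cidr1).overlaps(ipaddress.ip_network(cidr2))


def can_request_peering(vpc1: str, vpc2: str) -> bool:
    """A peering request is only valid between distinct VPCs with disjoint CIDRs."""
    return vpc1 != vpc2 and not cidrs_overlap(VPCS[vpc1], VPCS[vpc2])


def direct_peers(vpc: str) -> Set[str]:
    """VPCs that share an accepted peering connection with `vpc`."""
    peers = set()
    for a, b in PEERINGS.values():
        if a == vpc:
            peers.add(b)
        elif b == vpc:
            peers.add(a)
    return peers


def has_graph_path(src: str, dst: str) -> bool:
    """The intuition that leads people astray: B-A-C is a path in the peering
    graph, so a naive search says B can reach C."""
    seen, stack = set(), [src]
    while stack:
        v = stack.pop()
        if v == dst:
            return True
        if v in seen:
            continue
        seen.add(v)
        stack.extend(direct_peers(v))
    return False


def can_reach(src: str, dst: str) -> bool:
    """Unsupported configuration 2: AWS forwards only over a direct peering.
    VPC A never relays packets from B to C, whatever B's route table says."""
    return dst in direct_peers(src)
```

Running `can_reach("vpc-b", "vpc-c")` returns False even though `has_graph_path` returns True for the same pair; if B and C need to talk, they need their own peering connection (or a transit hub).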

Module 5: VPC Endpoints

Earlier, for EC2 instances to access public resources like S3, the traffic had to pass via an Internet Gateway or a NAT.

To simplify this, AWS introduced a feature called “VPC Endpoints”: a secure and highly reliable private connection to services like S3.

An EC2 instance in a private subnet can now connect to such services without a NAT gateway or even an Internet Gateway.

EC2 to DynamoDB Communication via VPC Endpoint

Gateway VPC Endpoints

In the gateway endpoint approach, the VPC endpoint is created outside your VPC and traffic is routed to it via the route table.

Thus it cannot be used directly from VPNs or Direct Connect.

The access policy is controlled through an IAM-style JSON policy document.

Gateway VPC endpoints are not reachable via VPN or DX because they depend on the EC2 route table.

An S3 `ls` through the endpoint will show ALL buckets worldwide, without specifying a region.

But actually listing the inside of a bucket in another region will not work.
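The IAM-style endpoint policy mentioned above is the control that stops an instance in the private subnet from using the endpoint to copy data to an arbitrary bucket. This is an added example, not from the original notes: the bucket name is hypothetical, and the evaluator is a deliberately simplified model (Action and Resource only, explicit Deny wins, otherwise default deny) of how such a policy behaves.

```python
import fnmatch
import json
from typing import List, Union

# Constructed gateway endpoint policy: only the organisation's own bucket
# (hypothetical name) may be reached through the endpoint.
ENDPOINT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowOwnBucketOnly",
            "Effect": "Allow",
            "Principal": "*",
            "Action": ["s3:GetObject", "s3:PutObject", "s3:ListBucket"],
            "Resource": [
                "arn:aws:s3:::example-app-data",
                "arn:aws:s3:::example-app-data/*",
            ],
        }
    ],
}


def _matches(patterns: Union[str, List[str]], value: str) -> bool:
    """IAM-style wildcard match ('*' and '?') of a value against one or more patterns."""
    if isinstance(patterns, str):
        patterns = [patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def endpoint_allows(policy: dict, action: str, resource: str) -> bool:
    """Simplified policy evaluation: an explicit Deny that matches wins outright,
    otherwise some explicit Allow must match; anything else is denied.
    Condition keys and Principal restrictions are ignored in this model."""
    allowed = False
    for stmt in policy["Statement"]:
        if _matches(stmt["Action"], action) and _matches(stmt["Resource"], resource):
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def policy_json(policy: dict) -> str:
    """The document as you would paste it into the endpoint's policy field."""
    return json.dumps(policy, indent=2)
```

Note that `endpoint_allows(ENDPOINT_POLICY, "s3:PutObject", "arn:aws:s3:::attacker-bucket/dump.tar")` is False: the write is refused at the endpoint regardless of what the instance role allows, which is exactly the exfiltration path a gateway endpoint without a policy leaves open.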

Interface VPC Endpoint

  • Interface VPC Endpoints are next-generation VPC endpoints.

  • Interface endpoints are created inside your VPC.

  • They have an ENI and Private IP associated.

  • Access control through security groups.

Gateway endpoints exist only for S3 and DynamoDB.

Module 6: Network ACL

  • Network ACLs are stateless in nature.

  • They operate at the subnet level instead of the instance level like Security Groups.

  • Every subnet in a VPC must be associated with a NACL.

  • By default, the default NACL contains a full allow for INBOUND and OUTBOUND.

  • Can block a single IP via a NACL, unlike an SG, which can't!! Useful against specific attacks, etc.

  • Can be associated with subnets.

  • The lower the rule number, the higher its priority! (100, 200, 205, etc.)

  • The first applicable rule matches; everything after it is ignored.

  • If you create a custom NACL the default is all DENY, as opposed to the default NACL, which is ALLOW.

Firewalls

  • The client that initiates the request chooses the ephemeral return port.

  • 0–1023 = well-known or reserved ports

  • The range varies by OS:

    • Many Linux systems use 32768–61000

    • Requests originating from an ELB use 1024–65535

    • Windows XP uses 1025–5000
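The NACL bullets above (ascending rule-number order, first match wins, implicit deny) and the ephemeral-port bullets interact: because a NACL is stateless, the reply to a client must be allowed by an outbound rule covering whatever ephemeral port that client picked. The following is an added example, not from the original notes; the rule sets and client addresses are constructed, and the evaluator models NACL semantics rather than calling any AWS API.

```python
from dataclasses import dataclass
import ipaddress
from typing import List, Tuple


@dataclass
class Rule:
    number: int             # NACL rule number: lower is evaluated first
    protocol: str           # "tcp", "udp", "icmp" or "all"
    cidr: str               # source CIDR (inbound) or destination CIDR (outbound)
    ports: Tuple[int, int]  # inclusive port range; (0, 65535) means all
    action: str             # "allow" or "deny"


def evaluate(rules: List[Rule], protocol: str, ip: str, port: int) -> str:
    """First-match evaluation in ascending rule-number order. No match falls
    through to the implicit '*' rule, which denies."""
    addr = ipaddress.ip_address(ip)
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.protocol not in ("all", protocol):
            continue
        if addr not in ipaddress.ip_network(rule.cidr):
            continue
        lo, hi = rule.ports
        if not lo <= port <= hi:
            continue
        return rule.action
    return "deny"


# Constructed custom NACL for a public web subnet (hypothetical addresses).
INBOUND = [
    Rule(90, "tcp", "203.0.113.66/32", (0, 65535), "deny"),   # block one abusive IP, something an SG cannot do
    Rule(100, "tcp", "0.0.0.0/0", (443, 443), "allow"),
    Rule(110, "tcp", "0.0.0.0/0", (22, 22), "deny"),
    Rule(120, "tcp", "10.0.0.0/8", (22, 22), "allow"),         # ordering mistake: shadowed by rule 110
]

# Outbound rule sized to the Linux ephemeral range only: too narrow for some clients.
OUTBOUND_LINUX_ONLY = [
    Rule(100, "tcp", "0.0.0.0/0", (32768, 61000), "allow"),
]

# Outbound rule covering every client ephemeral range listed in the note.
OUTBOUND = [
    Rule(100, "tcp", "0.0.0.0/0", (1024, 65535), "allow"),
]


def connection_allowed(client_ip: str, client_port: int, server_port: int,
                       outbound: List[Rule] = OUTBOUND) -> bool:
    """Stateless means BOTH directions must match: the inbound rule for the
    request and an outbound rule for the reply to the client's ephemeral port."""
    request_ok = evaluate(INBOUND, "tcp", client_ip, server_port) == "allow"
    reply_ok = evaluate(outbound, "tcp", client_ip, client_port) == "allow"
    return request_ok and reply_ok
```

Two things the evaluator makes visible: rule 120 never fires for port 22 because rule 110 matches first, and a client whose OS picks ephemeral port 3000 completes the handshake only with the wider outbound rule, even though the inbound 443 rule is identical in both cases.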

Module 7: IPTABLES and Instance Meta Data

Instance metadata can expose a lot of sensitive information, including temporary credentials: the AWS access key, secret key and session token.

To view all categories of instance metadata from within a running instance, use the following URI.

http://169.254.169.254/latest/meta-data/

Any user with access to the server will be able to fetch that information, which is a security risk.

With iptables you can block access to the instance metadata for ordinary (non-root) users on the server.

```sh
# Drop packets to the metadata service unless the sending process runs as root
iptables -A OUTPUT -m owner ! --uid-owner root -d 169.254.169.254 -j DROP
```

Module 8: IDS/IPS

Firewall:-

It keeps out everyone who tries to sneak in via basement windows, back doors, etc., BUT if someone enters through the official door, they are let in.

IDS / IPS:-

It can search the people coming in to check whether they are carrying weapons.

Have your private key on the IDS so it can inspect encrypted traffic.

![Screen Shot 2020-10-11 at 9.38.50 AM.png](../../../../_resources/Screen Shot 2020-10-11 at 9.38.50 AM.png)

The architecture of IDS/IPS in AWS:

ids_and_ips.png

You have IDS/IPS agents installed on the EC2 instances, which communicate with a central IDS/IPS appliance.

Module 9: EBS Security

  • Use EBS encryption: it covers data in flight to the disks themselves as well as at rest.

i) Before terminating an instance, customers can wipe the data in EBS.

ii) AWS also wipes the data immediately before the EBS is made for re-use.

iii) When a storage device reaches its end of use, it is decommissioned via the detailed steps in NIST 800-88 or DoD 5220.22-M.

Module 10: CloudFront Origin Access Identity

CloudFront Origin Access Identity allows users to only access the contents of an S3 bucket via the CloudFront distribution.

When OAI is enabled, CloudFront will add a bucket policy to the S3 bucket which will allow access only via the CloudFront distribution.

SNI in TLS

Research, STUDY

  • Multiple websites running on the same server (IP), each needing its own cert.

  • Now the client sends the server name it wants (visible in Wireshark):

    • Client Hello

    • Extension: server_name

  • Prior to SNI, a website needed a dedicated IP address in order to have an SSL certificate installed.

  • With SNI, multiple websites can share a single IP, each with their own cert.

  • Some legacy clients do not support SNI, which breaks sites.

Module 11: CloudFront Signed URLs

CloudFront signed URLs require users to present a signed URL or signed cookie to access private content.

CloudFront signed URLs can be generated by the trusted signers assigned in your AWS account when the CloudFront distribution is created, using a special access key pair (key pair ID and .pem) generated in the root account under CloudFront Key Pairs in My Account.

Module 12: AWS Shield

AWS Shield is a managed Distributed Denial of Service (DDoS) protection service that safeguards workloads running on AWS against DDoS attacks.

There are two tiers of AWS Shield:

  • Shield Standard

  • Shield Advanced

AWS Shield standard provides basic level protection against most common network and transport layer DDoS attacks.

For a higher level of protection, we can subscribe to the Shield Advanced. Shield Advanced protects against large and sophisticated DDoS attacks with near-real-time visibility into the attacks that might be occurring.

AWS Shield Advanced also gives customers 24x7 access to the AWS DDoS Response Team (DRT) during ongoing attacks.

12.1 AWS Shield Costs and Credits

AWS Shield Advanced costs 3000$ per organization and requires Business or Enterprise Support. It reimburses scaling charges on ELB and CloudFront.

One interesting part about AWS Shield Advanced is that if your infrastructure scaled out during the attack, AWS returns the amount incurred by that scaling in the form of credits. This is also referred to as cost protection.

Module 13: Mitigating DDoS

There are four major pointers that need to be remembered:

  1. Be ready to scale as traffic surges.

  2. Minimize the attack surface area.

  3. Know what is normal and abnormal.

  4. Create a plan for attacks.

1. Be Ready to Scale

Your infrastructure should be designed to scale when the traffic increases.

It helps not only the business but also during DDoS attacks.

Example :

Whenever CPU load is more than 70% in Application servers, automatically add one more Application server to meet the needs.

AWS Services: ELB, Auto Scaling

2. Minimize the attack surface area.

Decouple your infrastructure.

Example :

Application and Database should not be on the same server.

AWS Services: SQS, Elastic Beanstalk

3. Know what is normal and abnormal

Key metrics need to be defined to understand the behavior.

Example :

Website getting a huge surge in traffic in the middle of the night at 3 AM

AWS Services: CloudWatch, SNS.

4. Create a Plan for Attacks.

For example :

  • Check whether the source IP address is the same.

  • Check from which country the increased traffic is coming.

  • Nature of the attack (SYN flood, application level)

  • Can it be blocked at the NACL or Security Group level?

It is recommended to have AWS Support, at least Business Support.
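Pointers 3 and 4 above amount to a baseline plus a triage question: what is normal for this hour, and is the surge coming from one source? This is an added example, not from the original notes, showing the logic a CloudWatch alarm or a log-analysis job would run over request counts. The traffic history and the attack events are constructed, deterministic samples; the thresholds are illustrative choices, not AWS defaults.

```python
from collections import Counter, defaultdict
from statistics import mean, pstdev
from typing import Dict, List, Tuple

# Constructed history: (hour_of_day, requests_per_minute) over seven days for a
# site doing roughly 40 rpm during the day and 3 rpm at night.
HISTORY: List[Tuple[int, int]] = []
for day in range(7):
    for hour in range(24):
        base = 40 if 8 <= hour < 22 else 3
        HISTORY.append((hour, base + (day % 3)))   # small deterministic jitter

# Constructed surge at 3 AM: 50 requests from one address, 10 from others.
ATTACK_EVENTS = [(3, "198.51.100.9")] * 50 + [(3, f"203.0.113.{i}") for i in range(10)]


def baseline(samples: List[Tuple[int, int]]) -> Dict[int, Tuple[float, float]]:
    """Per-hour mean and standard deviation: the definition of 'normal'."""
    by_hour = defaultdict(list)
    for hour, rpm in samples:
        by_hour[hour].append(rpm)
    return {h: (mean(v), pstdev(v)) for h, v in by_hour.items()}


def is_abnormal(model: Dict[int, Tuple[float, float]], hour: int, rpm: int,
                min_ratio: float = 5.0, z: float = 4.0) -> bool:
    """Flag a rate that is far above the hourly mean both as a multiple and in
    standard deviations. The ratio guard stops the near-zero night-time stddev
    from flagging a harmless handful of extra requests."""
    mu, sigma = model[hour]
    return rpm > mu * min_ratio and (rpm - mu) > z * max(sigma, 1.0)


def top_source(events: List[Tuple[int, str]]) -> Tuple[str, int, int]:
    """(ip, count, total) for the most common source address, answering the
    first question in the attack plan: is it all coming from one IP?"""
    counts = Counter(ip for _, ip in events)
    ip, n = counts.most_common(1)[0]
    return ip, n, len(events)


def triage(model, hour: int, events: List[Tuple[int, str]], single_source_share: float = 0.5) -> str:
    """Combine the two checks into the decision the runbook asks for."""
    if not is_abnormal(model, hour, len(events)):
        return "normal"
    ip, n, total = top_source(events)
    if n / total >= single_source_share:
        return f"surge from single source {ip}: candidate for a NACL deny rule"
    return "distributed surge: rely on scaling, Shield and WAF rather than per-IP blocks"
```

With the constructed data, 60 requests in a 3 AM minute is roughly fifteen times the baseline and 83% of it comes from one address, so `triage` points at a NACL rule; the same volume at noon is inside the daytime band and is reported as normal.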

AWS Services for DDoS Mitigation:

Following are some of the key AWS services involved in DDoS attack mitigation

  • AWS Shield

  • Amazon CloudFront

  • Amazon Route53

  • AWS WAF

  • Elastic Load Balancing

  • VPC & Security Groups

API

![Screen Shot 2020-10-17 at 1.30.07 PM.png](../../../../_resources/Screen Shot 2020-10-17 at 1.30.07 PM.png)

You can enable API caching in Amazon API Gateway to cache your endpoint's responses. With caching, you can reduce the number of calls made to your endpoint and also improve the latency of requests to your API.

When you enable caching for a stage, API Gateway caches responses from your endpoint for a specified time-to-live (TTL) period, in seconds. API Gateway then responds to the request by looking up the endpoint response from the cache instead of making a request to your endpoint. The default TTL value for API caching is 300 seconds.

Module 14: EC2 Key Pair Troubleshooting

Whenever we create an EC2 instance, we generally specify the associated key pair.

There are two specific troubleshooting scenarios that we should be aware of:

i) Deleting the key pair from the console will not delete the associated key from the EC2 instance.

ii) If we create a new instance from an AMI of an older instance, the public key specified when creating it will be appended to authorized_keys. A good way to keep the same instance if you lose the original key pair!

Module 15: EC2 Tenancy Attribute

Every EC2 instance that we launch in the VPC has a specific tenancy attribute associated with it. There are three tenancy attributes which are available:

i) Shared Tenancy

In this approach, your EC2 instance is launched on shared hardware where other customers' EC2 instances also run.

ii) Dedicated Instance

Dedicated Instances are EC2 instances that run on the hardware which is dedicated to a single customer.

Dedicated instances may share the hardware with other EC2 instances that belong to the same AWS account.

iii) Dedicated Hosts

A Dedicated Host is a physical server that allows us to use our existing per-socket, per-core or per-VM software licenses, including Windows Server, SUSE and various others.

With dedicated hosts, we can use the same physical server over time, even if the instance is stopped and started.

Module 16: AWS Artifact

The AWS Artifact portal provides on-demand access to AWS' security and compliance documents, also known as audit artifacts.

Many AWS services are compliant with standards such as PCI DSS, HIPAA and others.

If the organization uses certain AWS services, the auditor will ask the organization to show a certificate that the service is compliant.

Module 17: Lambda@Edge

Lambda@Edge lets you run Lambda functions to customize content that CloudFront delivers.

You can use Lambda functions to change CloudFront requests and responses at the following points:

  • After CloudFront receives a request from a viewer (viewer request)

    • Executed on every request before CloudFront cache is checked

    • ex: modify URLs, cookies or query strings; perform authentication and authorization checks

  • Before CloudFront forwards the request to the origin (origin request)

    • Executed on a cache miss, before forward to origin

    • ex: dynamically select the origin based on request headers

  • After CloudFront receives the response from the origin (origin response)

    • Executed on a cache miss, after a response is received from origin

    • ex: modify response headers, intercept and replace 4xx and 5xx errors from the origin

  • Before CloudFront forwards the response to the viewer (viewer response)

    • Executed on all the responses received from either the origin or the cache

    • ex: modify the response headers after caching has happened, so the modification itself doesn't get cached
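The origin-response trigger is the right place for the two examples the list gives, adding headers so they are cached with the object and intercepting 5xx errors from the origin. Here is an added example (not from the original notes) of such a handler in the Python runtime: the header values are constructed, and `sample_event` builds a stand-in for the origin-response event CloudFront passes, keyed in the `Records[0].cf.response` shape with lowercase header names mapping to lists of key/value pairs.

```python
from typing import Optional

# Constructed security headers to add when the origin does not set them.
SECURITY_HEADERS = {
    "strict-transport-security": ("Strict-Transport-Security", "max-age=63072000; includeSubDomains"),
    "x-content-type-options": ("X-Content-Type-Options", "nosniff"),
    "x-frame-options": ("X-Frame-Options", "DENY"),
    "content-security-policy": ("Content-Security-Policy", "default-src 'self'"),
}

GENERIC_ERROR_BODY = "<html><body><h1>Service temporarily unavailable</h1></body></html>"


def add_security_headers(response: dict) -> dict:
    """Add each security header unless the origin already sent one, so the
    origin can override a value on purpose."""
    headers = response.setdefault("headers", {})
    for lname, (name, value) in SECURITY_HEADERS.items():
        if lname not in headers:
            headers[lname] = [{"key": name, "value": value}]
    return response


def mask_server_errors(response: dict) -> dict:
    """Replace a 5xx body from the origin with a generic page so stack traces
    or framework error pages never reach the viewer (or the cache)."""
    if response.get("status", "").startswith("5"):
        response["body"] = GENERIC_ERROR_BODY
        response["headers"]["content-type"] = [{"key": "Content-Type", "value": "text/html"}]
    return response


def handler(event: dict, context: Optional[object]) -> dict:
    """Lambda@Edge entry point for the origin-response trigger."""
    response = event["Records"][0]["cf"]["response"]
    return add_security_headers(mask_server_errors(response))


def sample_event(status: str = "200", extra_headers: Optional[dict] = None) -> dict:
    """Constructed origin-response event in the shape CloudFront sends."""
    headers = {"content-type": [{"key": "Content-Type", "value": "text/html"}]}
    headers.update(extra_headers or {})
    return {"Records": [{"cf": {
        "config": {"eventType": "origin-response"},
        "request": {"uri": "/index.html", "method": "GET"},
        "response": {"status": status, "statusDescription": "OK", "headers": headers},
    }}]}
```

Because this runs on a cache miss and before CloudFront stores the object, every later hit for the same object carries the headers without invoking the function again; the same code attached to the viewer-response trigger would run on every hit instead.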

Module 18: AWS SES

AWS SES is a highly scalable platform that AWS offers for sending and receiving email.

Many organizations have generic addresses like [email protected] that are used to send email to users upon registration and so on.

We need a mail server for that. It can be installed on an EC2 instance as well; however, by default AWS throttles email traffic over port 25.

To avoid the throttle, we can use non-default ports or fill out the form to have the email sending limitation removed.

To access the AWS SES interface, we need to have an SES SMTP username and password.

SMTP works on port number 25, 465 or 587.

SMTP credentials should be used when we connect to the AWS SES SMTP endpoint.

Module 19: DNS Support in VPC

There are two important attributes in a VPC that determine DNS-related behaviour.

Two cases to understand it better:

If both attributes are set to TRUE, the following occurs:

Instances with a public IP address receive corresponding public DNS hostnames.

The Amazon-provided DNS server can resolve Amazon-provided private DNS hostnames.

If both attributes are set to FALSE, the following occurs:

Instances with a public IP address do not receive corresponding public DNS hostnames.

The Amazon-provided DNS server cannot resolve Amazon-provided private DNS hostnames.
