AWS Security for Noobs

3 years ago

Circle Ninja

This post covers the very basics of how Amazon Web Services works and a little about AWS security as well. I have created some notes (after watching some videos) here which will help you get started and gain a simple understanding of what AWS is and some of its components.

Before the cloud, companies ran their own physical data centres to store user data and to handle data collection and logging for their various activities.

Physical Data centres created some issues:

To mitigate some of these issues, companies started to shift to cloud alternatives, which were cheaper and more reliable.

Some popular cloud providers today are Amazon Web Services (AWS), Google Cloud Platform (GCP) and Microsoft Azure.

AWS advantages:

- AWS provides elasticity. This is built on virtualization; search for the term ESXi (VMware's hypervisor) to see how a hypervisor works.
- No need to over-provision hardware.
- No need to rack and cable servers.
- Cost contracts automatically with usage: you pay for what you actually use.
- Region: a geographical location.
- Availability Zone (AZ): one or more data centres within a region. Applications can span multiple AZs for fault tolerance.

We should deploy in the region closest to where most of our customers are, to reduce latency.

- A hypervisor allows multiple virtual machines to run on the same physical server.
- VMs are completely independent of each other.
- An EC2 instance is a virtual server that runs on a physical server in an Amazon data centre.
- Extremely scalable.

There are several EC2 instance families for different purposes, such as General Purpose, Accelerated Computing and Storage Optimized.

AMI: Amazon Machine Image, the template (operating system plus any preinstalled software) an instance is launched from, for example an Ubuntu image provided by Amazon.

EBS (Elastic Block Store): disks for EC2 instances. An EBS volume can be used to boot the instance, and a single instance can have multiple EBS volumes attached.

IOPS: input/output operations per second.

Types:

General Purpose SSD (gp2)

- Cost-effective storage.
- Supports bursting, meaning it can serve occasional peaks in demand above its baseline.
- Baseline performance is based on volume size.
- Burst credits allow up to 3,000 IOPS for up to 30 minutes.

Provisioned IOPS SSD (io1)

- Designed for I/O-intensive workloads such as databases.
- Provides consistent performance.

Hard disk based storage

Not SSD, so slower.

st1: Throughput Optimized HDD

Low cost, supports bursting.

Note: an EC2 instance can't be booted from st1 (or sc1); these HDD volumes can't be used as the root volume.

sc1: Cold HDD

Lowest cost, lowest performance, reduced bandwidth and bursting.

VPC (Virtual Private Cloud): an isolated network within the AWS cloud. We can use it to provide secure connectivity to virtual servers.

Bastion hosts act as a middleman: external hosts connect to the bastion, and from it administrators interact with internal hosts that are not reachable directly from the internet.

Security groups

- A stateful firewall attached to instances.
- Traffic that matches an allow rule is permitted; anything else is implicitly dropped (security groups have no deny rules).
- Dynamically allows return traffic through, because it tracks connection state.
- Outbound traffic is allowed by default.

Network ACLs

- Control traffic based on IP address and port number.
- Stateless: return traffic must be allowed explicitly.
- Applied at the subnet level.
- Rules can allow or deny and are evaluated in rule-number order.

S3 (Simple Storage Service)

- A place to store files (objects) like videos and images.
- Can't install a database or operating system images on it; it is object storage, not a disk.
- Max object size is 5 TB.
- Glacier: long-term, low-cost archival backups.
- Media transcoding services (Elastic Transcoder) read their input from and write their output to S3.
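The stateful/stateless difference is where people get bitten: a security group lets the reply to an allowed request out on its own, while a network ACL drops that reply unless an outbound rule covers the client's ephemeral port. The simulation below is an added example, not code from the original post or from AWS; the rule tables, addresses and packets are constructed, and it models only IPv4, TCP-style port matching and the explicit-deny capability of NACLs that security groups lack.

```python
"""Stateful security group vs stateless network ACL, simulated.

Added example, not code from the original post or from AWS. The rule tables,
IP addresses and packets below are constructed for illustration only.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    direction: str  # "inbound" or "outbound", relative to the instance/subnet


@dataclass(frozen=True)
class Rule:
    direction: str
    port_lo: int
    port_hi: int
    cidr: str              # remote side of the connection
    action: str = "allow"  # security groups only have allow rules; NACLs allow or deny


def _ip_to_int(ip):
    return int.from_bytes(bytes(int(octet) for octet in ip.split(".")), "big")


def cidr_match(cidr, ip):
    """True if ip falls inside the IPv4 CIDR block ("0.0.0.0/0" matches everything)."""
    net, bits = cidr.split("/")
    mask = (0xFFFFFFFF << (32 - int(bits))) & 0xFFFFFFFF
    return (_ip_to_int(net) & mask) == (_ip_to_int(ip) & mask)


def _rule_matches(rule, pkt):
    remote_ip = pkt.src_ip if pkt.direction == "inbound" else pkt.dst_ip
    return (rule.direction == pkt.direction
            and rule.port_lo <= pkt.dst_port <= rule.port_hi
            and cidr_match(rule.cidr, remote_ip))


class SecurityGroup:
    """Stateful: once a flow is allowed, its return packets pass without a rule."""

    def __init__(self, rules):
        self.rules = rules
        self.tracked = set()  # allowed flows as (src_ip, src_port, dst_ip, dst_port)

    def evaluate(self, pkt):
        if (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port) in self.tracked:
            return "allow"  # return traffic for a tracked connection
        if any(_rule_matches(r, pkt) for r in self.rules):
            self.tracked.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
            return "allow"
        return "deny"  # implicit deny; a security group has no explicit deny rule


class NetworkAcl:
    """Stateless: every packet, replies included, is checked against the numbered
    rules in ascending order; the first match decides, otherwise implicit deny."""

    def __init__(self, numbered_rules):
        self.rules = sorted(numbered_rules, key=lambda nr: nr[0])

    def evaluate(self, pkt):
        for _, rule in self.rules:
            if _rule_matches(rule, pkt):
                return rule.action
        return "deny"  # the implicit final "*" deny rule


def web_server_scenario():
    """Constructed flow: client 203.0.113.10:51000 -> web server 10.0.1.5:443 and the
    reply, plus a request from 198.51.100.7, an address we want blocked outright."""
    request = Packet("203.0.113.10", "10.0.1.5", 51000, 443, "inbound")
    reply = Packet("10.0.1.5", "203.0.113.10", 443, 51000, "outbound")
    blocked = Packet("198.51.100.7", "10.0.1.5", 40000, 443, "inbound")
    allow_https = Rule("inbound", 443, 443, "0.0.0.0/0")

    sg = SecurityGroup([allow_https])
    results = {"sg_request": sg.evaluate(request),
               "sg_reply": sg.evaluate(reply),         # allowed by state, no outbound rule needed
               "sg_blocked_ip": sg.evaluate(blocked)}  # 0.0.0.0/0 admits the bad address too

    # NACL whose author only thought about port 443 in both directions
    nacl_no_ephemeral = NetworkAcl([(100, allow_https),
                                    (100, Rule("outbound", 443, 443, "0.0.0.0/0"))])
    results["nacl_request_no_ephemeral"] = nacl_no_ephemeral.evaluate(request)
    results["nacl_reply_no_ephemeral"] = nacl_no_ephemeral.evaluate(reply)  # reply to port 51000: dropped

    # Fixed NACL: outbound rule for the client's ephemeral port range, and an
    # explicit deny for the bad address numbered so it is evaluated before the allow
    nacl_fixed = NetworkAcl([(90, Rule("inbound", 0, 65535, "198.51.100.7/32", "deny")),
                             (100, allow_https),
                             (100, Rule("outbound", 443, 443, "0.0.0.0/0")),
                             (110, Rule("outbound", 1024, 65535, "0.0.0.0/0"))])
    results["nacl_request_fixed"] = nacl_fixed.evaluate(request)
    results["nacl_reply_fixed"] = nacl_fixed.evaluate(reply)
    results["nacl_blocked_ip_fixed"] = nacl_fixed.evaluate(blocked)
    return results


if __name__ == "__main__":
    for name, verdict in web_server_scenario().items():
        print(f"{name:28} {verdict}")
```

Run it and compare `sg_reply` with `nacl_reply_no_ephemeral`: the same reply packet is allowed by the security group and dropped by the NACL until rule 110 is added. The explicit deny at rule 90 is the one thing the NACL can do that the security group cannot, which is why a subnet-level block list belongs in the NACL.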

RDS

Multi-AZ RDS:

- Even if the RDS instance in one AZ fails, the system fails over to a standby copy in another AZ and keeps working.
- Read replica: a read-only copy of the primary (master) database, used to scale read traffic. Unlike Multi-AZ, it is for performance, not automatic failover.

IAM topics covered below:

- Managing users and groups.
- Configuring IAM policies.

Managed vs unmanaged services: with a managed service such as RDS or S3, AWS runs and patches the underlying hosts; with an unmanaged service such as EC2, you are responsible for the operating system and everything on it.

Security IN the cloud vs security OF the cloud (the shared responsibility model): AWS is responsible for security OF the cloud (facilities, hardware, network, hypervisor); the customer is responsible for security IN the cloud (OS patching, IAM, data encryption, security group and network ACL rules).

AWS compliance solutions guide: AWS publishes documentation on the compliance frameworks it is certified against.

Pentest rules: check AWS's penetration testing policy; you have to request permission from AWS before testing anything the policy does not already authorize.

AWS WAF: a web application firewall provided by AWS.

- You can define your own rules or use predefined rule sets.
- Can be applied to CloudFront or a load balancer and detects attack signatures.
- Third-party rule sets are also available in the AWS Marketplace.

IAM

- AWS does not charge for IAM.
- Used to create users, groups, policies, roles etc.
- IAM user: represents a person or application that will interact with AWS. Users authenticate with a password (console) or access keys (CLI/API); SSH keys can also be attached for CodeCommit.
- Setting permissions user by user is not scalable once you have hundreds of users, so we have IAM groups.
- IAM group: helps with assigning and managing permissions for multiple users. Users are put into groups, and groups get permissions. Groups CANNOT be nested inside other groups.

IAM role: use roles to minimise the blast radius in case of an attack or a credential leak. A role is assumed for a session and yields temporary credentials, so there are no long-lived keys to steal.

In the recommended setup, a user logs in to authenticate but has no permissions of their own; permissions are only obtained by assuming the roles that user is allowed to assume.

For writing IAM policies, AWS provides the AWS Policy Generator.
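To make the user, group and role model above concrete, here is an added example (not code from the original post or from AWS) that evaluates IAM-style JSON policies the way the IAM docs describe for identity-based policies: an explicit Deny anywhere wins, otherwise any matching Allow grants the request, otherwise the request is implicitly denied. The users alice and bob, the analysts group, the Admin role, the example-logs bucket and the account ID 123456789012 are all constructed; resource-based policies, SCPs, permission boundaries and Condition blocks are deliberately not modelled.

```python
"""Simplified IAM policy evaluation for identity-based policies.

Added example, not code from the original post or from AWS. Users, groups, the
role, the bucket and the account ID 123456789012 are constructed for illustration.
"""
from fnmatch import fnmatchcase

ACCOUNT = "123456789012"
ADMIN_ROLE = f"arn:aws:iam::{ACCOUNT}:role/Admin"


def _as_list(value):
    return value if isinstance(value, list) else [value]


def statement_matches(stmt, action, resource):
    """True if the statement's Action and Resource patterns cover the request.
    Action names match case-insensitively, ARNs case-sensitively; '*' and '?'
    wildcards behave as in IAM."""
    actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
    resources = _as_list(stmt.get("Resource", []))
    return (any(fnmatchcase(action.lower(), a) for a in actions)
            and any(fnmatchcase(resource, r) for r in resources))


def evaluate(policies, action, resource):
    """'Deny' if any statement explicitly denies, else 'Allow' if any allows, else 'ImplicitDeny'."""
    allowed = False
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if not statement_matches(stmt, action, resource):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"  # explicit deny always wins, whatever else allows
            allowed = True
    return "Allow" if allowed else "ImplicitDeny"


# Constructed policies, in the same JSON shape you would paste into the IAM console
LOGS_READ_ONLY = {"Statement": [{
    "Effect": "Allow",
    "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::example-logs", "arn:aws:s3:::example-logs/*"]}]}
NO_DELETE = {"Statement": [{"Effect": "Deny", "Action": "s3:Delete*", "Resource": "*"}]}
ADMIN = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
CAN_ASSUME_ADMIN = {"Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                                   "Resource": ADMIN_ROLE}]}

GROUPS = {"analysts": [LOGS_READ_ONLY, NO_DELETE]}
USERS = {
    "alice": {"groups": ["analysts"], "policies": []},
    "bob": {"groups": [], "policies": [CAN_ASSUME_ADMIN]},  # no direct permissions, only the role
}
ROLES = {ADMIN_ROLE: {"trusted_principals": [f"arn:aws:iam::{ACCOUNT}:user/bob"],
                      "policies": [ADMIN]}}


def effective_policies(user):
    """A user's own policies plus those of every group they belong to (groups don't nest)."""
    entry = USERS[user]
    policies = list(entry["policies"])
    for group in entry["groups"]:
        policies.extend(GROUPS[group])
    return policies


def check(user, action, resource):
    return evaluate(effective_policies(user), action, resource)


def assume_role(user, role_arn):
    """Both sides must agree: the user's policies must allow sts:AssumeRole on the
    role, and the role's trust policy must name the user. The returned session
    carries only the role's policies, not the user's own."""
    role = ROLES[role_arn]
    if evaluate(effective_policies(user), "sts:AssumeRole", role_arn) != "Allow":
        raise PermissionError(f"{user} is not allowed to call sts:AssumeRole on {role_arn}")
    if f"arn:aws:iam::{ACCOUNT}:user/{user}" not in role["trusted_principals"]:
        raise PermissionError(f"{role_arn} does not trust {user}")
    return role["policies"]


if __name__ == "__main__":
    obj = "arn:aws:s3:::example-logs/2024/app.log"
    print("alice GetObject    ", check("alice", "s3:GetObject", obj))
    print("alice DeleteObject ", check("alice", "s3:DeleteObject", obj))
    print("bob   GetObject    ", check("bob", "s3:GetObject", obj))
    print("bob via Admin role ", evaluate(assume_role("bob", ADMIN_ROLE), "s3:DeleteObject", obj))
```

Two things worth noticing when you run it: alice's group grants `s3:GetObject` but the group's `s3:Delete*` Deny overrides any Allow, which is how you pin a guardrail on a whole group; and bob, who has nothing but `sts:AssumeRole`, can do nothing to the bucket until he assumes the Admin role, after which the session has the role's permissions rather than his own. That is the "authenticate as a user, get permissions only through roles" pattern described above.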
